Cisco Security Appliance Command Line Configuration Guide
For the Cisco ASA 5500 Series and Cisco PIX 500 Series
Software Version 7.1(1)

Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706 USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 526-4100

Customer Order Number: N/A, Online only
Text Part Number: OL-8629-01
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN
THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS,
INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE
ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION
OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING
PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH
THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU
ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY,
CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES
AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED AS IS WITH ALL FAULTS.
CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES,
EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR
TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY
INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING,
WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING
OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR
ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES.
Cisco Security Appliance Command Line Configuration Guide
Copyright 2006 Cisco Systems, Inc. All rights reserved.
CCSP, CCVP, the Cisco Square Bridge logo, Follow Me Browsing,
and StackWise are trademarks of Cisco Systems, Inc.; Changing the
Way We Work, Live, Play, and Learn, and iQuick Study are service
marks of Cisco Systems, Inc.; and Access Registrar, Aironet, BPX,
Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, Cisco, the Cisco
Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco
Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco
Unity, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch,
Fast Step, FormShare, GigaDrive, GigaStack, HomeLink, Internet
Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness
Scorecard, LightStream, Linksys, MeetingPlace, MGX, the Networkers
logo, Networking Academy, Network Registrar, Packet, PIX,
Post-Routing, Pre-Routing, ProConnect, RateMUX, ScriptShare,
SlideCast, SMARTnet, The Fastest Way to Increase Your Internet
Quotient, and TransPath are registered trademarks of Cisco Systems,
Inc. and/or its affiliates in the United States and certain other
countries.
All other trademarks mentioned in this document or Website are
the property of their respective owners. The use of the word
partner does not imply a partnership relationship between Cisco and
any other company. (0601R)
Contents

About This Guide xxvii
    Document Objectives xxvii
    Audience xxvii
    Related Documentation xxviii
    Document Organization xxviii
    Document Conventions xxx
    Obtaining Documentation xxxi
    Cisco.com xxxi
    Ordering Documentation xxxi
    Documentation Feedback xxxii
    Obtaining Technical Assistance xxxii
    Cisco Technical Support Website xxxii
    Submitting a Service Request xxxiii
    Definitions of Service Request Severity xxxiii
    Obtaining Additional Publications and Information xxxiii

Part 1  Getting Started and General Information

Chapter 1  Introduction to the Security Appliance 1-1
    Firewall Functional Overview 1-1
    Security Policy Overview 1-2
    Permitting or Denying Traffic with Access Lists 1-2
    Applying NAT 1-2
    Using AAA for Through Traffic 1-2
    Applying HTTP, HTTPS, or FTP Filtering 1-3
    Applying Application Inspection 1-3
    Sending Traffic to the Advanced Inspection and Prevention Security Services Module 1-3
    Applying QoS Policies 1-3
    Applying Connection Limits and TCP Normalization 1-3
    Firewall Mode Overview 1-3
    Stateful Inspection Overview 1-4
    VPN Functional Overview 1-5
    Intrusion Prevention Services Functional Overview 1-5
    Security Context Overview 1-5

Chapter 2  Getting Started 2-1
    Accessing the Command-Line Interface 2-1
    Setting Transparent or Routed Firewall Mode 2-2
    Working with the Configuration 2-3
    Saving Configuration Changes 2-3
    Copying the Startup Configuration to the Running Configuration 2-3
    Viewing the Configuration 2-4
    Clearing and Removing Configuration Settings 2-4
    Creating Text Configuration Files Offline 2-5

Chapter 3  Enabling Multiple Context Mode 3-1
    Security Context Overview 3-1
    Common Uses for Security Contexts 3-2
    Unsupported Features 3-2
    Context Configuration Files 3-2
    How the Security Appliance Classifies Packets 3-3
    Sharing Interfaces Between Contexts 3-6
    Shared Interface Guidelines 3-7
    Cascading Security Contexts 3-9
    Logging into the Security Appliance in Multiple Context Mode 3-10
    Enabling or Disabling Multiple Context Mode 3-10
    Backing Up the Single Mode Configuration 3-10
    Enabling Multiple Context Mode 3-10
    Restoring Single Context Mode 3-11

Chapter 4  Configuring Ethernet Settings and Subinterfaces 4-1
    Configuring and Enabling RJ-45 Interfaces 4-1
    Configuring and Enabling Fiber Interfaces on the 4GE SSM 4-2
    Configuring and Enabling Subinterfaces 4-3

Chapter 5  Adding and Managing Security Contexts 5-1
    Configuring a Security Context 5-1
    Removing a Security Context 5-5
    Changing the Admin Context 5-5
    Changing Between Contexts and the System Execution Space 5-6
    Changing the Security Context URL 5-6
    Reloading a Security Context 5-7
    Reloading by Clearing the Configuration 5-7
    Reloading by Removing and Re-adding the Context 5-8
    Monitoring Security Contexts 5-8
    Viewing Context Information 5-8
    Viewing Resource Usage 5-10

Chapter 6  Configuring Interface Parameters 6-1
    Security Level Overview 6-1
    Configuring the Interface 6-2
    Allowing Communication Between Interfaces on the Same Security Level 6-5

Chapter 7  Configuring Basic Settings 7-1
    Changing the Enable Password 7-1
    Setting the Hostname 7-2
    Setting the Domain Name 7-2
    Setting the Date and Time 7-2
    Setting the Time Zone and Daylight Saving Time Date Range 7-3
    Setting the Date and Time Using an NTP Server 7-4
    Setting the Date and Time Manually 7-4
    Setting the Management IP Address for a Transparent Firewall 7-5

Chapter 8  Configuring IP Routing and DHCP Services 8-1
    Configuring Static and Default Routes 8-1
    Configuring a Static Route 8-2
    Configuring a Default Route 8-3
    Configuring OSPF 8-3
    OSPF Overview 8-4
    Enabling OSPF 8-5
    Redistributing Routes Between OSPF Processes 8-5
    Adding a Route Map 8-6
    Redistributing Static, Connected, or OSPF Routes to an OSPF Process 8-7
    Configuring OSPF Interface Parameters 8-8
    Configuring OSPF Area Parameters 8-10
    Configuring OSPF NSSA 8-11
    Configuring Route Summarization Between OSPF Areas 8-12
    Configuring Route Summarization When Redistributing Routes into OSPF 8-12
    Generating a Default Route 8-13
    Configuring Route Calculation Timers 8-13
    Logging Neighbors Going Up or Down 8-14
    Displaying OSPF Update Packet Pacing 8-14
    Monitoring OSPF 8-15
    Restarting the OSPF Process 8-15
    Configuring RIP 8-16
    RIP Overview 8-16
    Enabling RIP 8-16
    Configuring Multicast Routing 8-17
    Multicast Routing Overview 8-17
    Enabling Multicast Routing 8-18
    Configuring IGMP Features 8-18
    Disabling IGMP on an Interface 8-19
    Configuring Group Membership 8-19
    Configuring a Statically Joined Group 8-19
    Controlling Access to Multicast Groups 8-19
    Limiting the Number of IGMP States on an Interface 8-20
    Modifying the Query Interval and Query Timeout 8-20
    Changing the Query Response Time 8-21
    Changing the IGMP Version 8-21
    Configuring Stub Multicast Routing 8-21
    Configuring a Static Multicast Route 8-21
    Configuring PIM Features 8-22
    Disabling PIM on an Interface 8-22
    Configuring a Static Rendezvous Point Address 8-22
    Configuring the Designated Router Priority 8-23
    Filtering PIM Register Messages 8-23
    Configuring PIM Message Intervals 8-23
    For More Information about Multicast Routing 8-24
    Configuring DHCP 8-24
    Configuring a DHCP Server 8-24
    Enabling the DHCP Server 8-24
    Configuring DHCP Options 8-26
    Using Cisco IP Phones with a DHCP Server 8-27
    Configuring DHCP Relay Services 8-28
    Configuring the DHCP Client 8-29

Chapter 9  Configuring IPv6 9-1
    IPv6-enabled Commands 9-1
    Configuring IPv6 on an Interface 9-2
    Configuring IPv6 Default and Static Routes 9-4
    Configuring IPv6 Access Lists 9-4
    Verifying the IPv6 Configuration 9-5
    The show ipv6 interface Command 9-5
    The show ipv6 route Command 9-6
    Configuring a Dual IP Stack on an Interface 9-7
    IPv6 Configuration Example 9-7

Chapter 10  Configuring AAA Servers and the Local Database 10-1
    AAA Overview 10-1
    About Authentication 10-2
    About Authorization 10-2
    About Accounting 10-2
    AAA Server and Local Database Support 10-3
    Summary of Support 10-3
    RADIUS Server Support 10-4
    Authentication Methods 10-4
    Attribute Support 10-4
    RADIUS Functions 10-4
    TACACS+ Server Support 10-5
    SDI Server Support 10-6
    SDI Version Support 10-6
    Two-step Authentication Process 10-7
    SDI Primary and Replica Servers 10-7
    NT Server Support 10-7
    Kerberos Server Support 10-7
    LDAP Server Support 10-8
    Authentication with LDAP 10-8
    Authorization with LDAP 10-9
    LDAP Attribute Mapping 10-10
    SSO Support for WebVPN with HTTP Forms 10-11
    Local Database Support 10-11
    User Profiles 10-11
    Local Database Functions 10-12
    Fallback Support 10-12
    Configuring the Local Database 10-13
    Identifying AAA Server Groups and Servers 10-14
    Using Certificates and User Login Credentials 10-17
    Using User Login Credentials 10-18
    Using Certificates 10-18

Chapter 11  Configuring Failover 11-1
    Understanding Failover 11-1
    Failover System Requirements 11-2
    Hardware Requirements 11-2
    Software Requirements 11-2
    License Requirements 11-2
    The Failover and Stateful Failover Links 11-3
    Failover Link 11-3
    Stateful Failover Link 11-4
    Active/Active and Active/Standby Failover 11-5
    Active/Standby Failover 11-5
    Active/Active Failover 11-9
    Determining Which Type of Failover to Use 11-13
    Regular and Stateful Failover 11-13
    Regular Failover 11-13
    Stateful Failover 11-13
    Failover Health Monitoring 11-14
    Unit Health Monitoring 11-14
    Interface Monitoring 11-15
    Configuring Failover 11-16
    Configuring Active/Standby Failover 11-16
    Prerequisites 11-16
    Configuring Cable-Based Active/Standby Failover (PIX Security Appliance Only) 11-16
    Configuring LAN-Based Active/Standby Failover 11-18
    Configuring Optional Active/Standby Failover Settings 11-21
    Configuring Active/Active Failover 11-23
    Prerequisites 11-23
    Configuring Cable-Based Active/Active Failover (PIX Security Appliance Only) 11-23
    Configuring LAN-Based Active/Active Failover 11-25
    Configuring Optional Active/Active Failover Settings 11-29
    Configuring Failover Communication Authentication/Encryption 11-32
    Verifying the Failover Configuration 11-33
    Using the show failover Command 11-33
    Viewing Monitored Interfaces 11-41
    Displaying the Failover Commands in the Running Configuration 11-41
    Testing the Failover Functionality 11-42
    Controlling and Monitoring Failover 11-42
    Forcing Failover 11-42
    Disabling Failover 11-43
    Restoring a Failed Unit or Failover Group 11-43
    Monitoring Failover 11-44
    Failover System Messages 11-44
    Debug Messages 11-44
    SNMP 11-44
    Failover Configuration Examples 11-44
    Cable-Based Active/Standby Failover Example 11-45
    LAN-Based Active/Standby Failover Example 11-46
    LAN-Based Active/Active Failover Example 11-48

Part 2  Configuring the Firewall

Chapter 12  Firewall Mode Overview 12-1
    Routed Mode Overview 12-1
    IP Routing Support 12-2
    Network Address Translation 12-2
    How Data Moves Through the Security Appliance in Routed Firewall Mode 12-3
    An Inside User Visits a Web Server 12-4
    An Outside User Visits a Web Server on the DMZ 12-5
    An Inside User Visits a Web Server on the DMZ 12-6
    An Outside User Attempts to Access an Inside Host 12-7
    A DMZ User Attempts to Access an Inside Host 12-8
    Transparent Mode Overview 12-8
    Transparent Firewall Features 12-9
    Using the Transparent Firewall in Your Network 12-10
    Transparent Firewall Guidelines 12-10
    Unsupported Features in Transparent Mode 12-11
    How Data Moves Through the Transparent Firewall 12-12
    An Inside User Visits a Web Server 12-13
    An Outside User Visits a Web Server on the Inside Network 12-14
    An Outside User Attempts to Access an Inside Host 12-15

Chapter 13  Identifying Traffic with Access Lists 13-1
    Access List Overview 13-1
    Access List Types 13-2
    Access Control Entry Order 13-2
    Access Control Implicit Deny 13-3
    IP Addresses Used for Access Lists When You Use NAT 13-3
    Adding an Extended Access List 13-5
    Extended Access List Overview 13-5
    Allowing Special IP Traffic through the Transparent Firewall 13-5
    Adding an Extended ACE 13-6
    Adding an EtherType Access List 13-7
    Adding a Standard Access List 13-9
    Adding a Webtype Access List 13-9
    Simplifying Access Lists with Object Grouping 13-9
    How Object Grouping Works 13-10
    Adding Object Groups 13-10
    Adding a Protocol Object Group 13-10
    Adding a Network Object Group 13-11
    Adding a Service Object Group 13-12
    Adding an ICMP Type Object Group 13-13
    Nesting Object Groups 13-13
    Using Object Groups with an Access List 13-14
    Displaying Object Groups 13-15
    Removing Object Groups 13-15
    Adding Remarks to Access Lists 13-16
    Scheduling Extended Access List Activation 13-16
    Adding a Time Range 13-16
    Applying the Time Range to an ACE 13-17
    Logging Access List Activity 13-18
    Access List Logging Overview 13-18
    Configuring Logging for an Access Control Entry 13-19
    Managing Deny Flows 13-20

Chapter 14  Applying NAT 14-1
    NAT Overview 14-1
    Introduction to NAT 14-2
    NAT Control 14-3
    NAT Types 14-5
    Dynamic NAT 14-5
    PAT 14-6
    Static NAT 14-7
    Static PAT 14-7
    Bypassing NAT when NAT Control is Enabled 14-8
    Policy NAT 14-9
    NAT and Same Security Level Interfaces 14-12
    Order of NAT Commands Used to Match Real Addresses 14-13
    Mapped Address Guidelines 14-13
    DNS and NAT 14-14
    Configuring NAT Control 14-15
    Using Dynamic NAT and PAT 14-16
    Dynamic NAT and PAT Implementation 14-16
    Configuring Dynamic NAT or PAT 14-22
    Using Static NAT 14-25
    Using Static PAT 14-26
    Bypassing NAT 14-29
    Configuring Identity NAT 14-29
    Configuring Static Identity NAT 14-30
    Configuring NAT Exemption 14-31
    NAT Examples 14-32
    Overlapping Networks 14-33
    Redirecting Ports 14-34

Chapter 15  Permitting or Denying Network Access 15-1
    Inbound and Outbound Access List Overview 15-1
    Applying an Access List to an Interface 15-4

Chapter 16  Applying AAA for Network Access 16-1
    AAA Performance 16-1
    Configuring Authentication for Network Access 16-1
    Authentication Overview 16-2
    Enabling Network Access Authentication 16-3
    Enabling Secure Authentication of Web Clients 16-4
    Configuring Authorization for Network Access 16-6
    Configuring TACACS+ Authorization 16-6
    Configuring RADIUS Authorization 16-7
    Configuring a RADIUS Server to Send Downloadable Access Control Lists 16-8
    Configuring a RADIUS Server to Download Per-User Access Control List Names 16-11
    Configuring Accounting for Network Access 16-12
    Using MAC Addresses to Exempt Traffic from Authentication and Authorization 16-13

Chapter 17  Applying Filtering Services 17-1
    Filtering Overview 17-1
    Filtering ActiveX Objects 17-1
    ActiveX Filtering Overview 17-2
    Enabling ActiveX Filtering 17-2
    Filtering Java Applets 17-3
    Filtering URLs and FTP Requests with an External Server 17-3
    URL Filtering Overview 17-4
    Identifying the Filtering Server 17-4
    Buffering the Content Server Response 17-5
    Caching Server Addresses 17-6
    Filtering HTTP URLs 17-6
    Configuring HTTP Filtering 17-6
    Enabling Filtering of Long HTTP URLs 17-7
    Truncating Long HTTP URLs 17-7
    Exempting Traffic from Filtering 17-7
    Filtering HTTPS URLs 17-7
    Filtering FTP Requests 17-8
    Viewing Filtering Statistics and Configuration 17-9
    Viewing Filtering Server Statistics 17-9
    Viewing Buffer Configuration and Statistics 17-10
    Viewing Caching Statistics 17-10
    Viewing Filtering Performance Statistics 17-10
    Viewing Filtering Configuration 17-11

Chapter 18  Using Modular Policy Framework 18-1
    Modular Policy Framework Overview 18-1
    Default Global Policy 18-2
    Identifying Traffic Using a Class Map 18-2
    Defining Actions Using a Policy Map 18-4
    Policy Map Overview 18-4
    Default Policy Map 18-6
    Adding a Policy Map 18-6
    Applying a Policy to an Interface Using a Service Policy 18-8
    Modular Policy Framework Examples 18-8
    Applying Inspection and QoS Policing to HTTP Traffic 18-9
    Applying Inspection to HTTP Traffic Globally 18-9
    Applying Inspection and Connection Limits to HTTP Traffic to Specific Servers 18-10
    Applying Inspection to HTTP Traffic with NAT 18-11

Chapter 19  Managing AIP SSM and CSC SSM 19-1
    Managing the AIP SSM 19-1
    About the AIP SSM 19-1
    Getting Started with the AIP SSM 19-2
    Diverting Traffic to the AIP SSM 19-2
    Sessioning to the AIP SSM and Running Setup 19-4
    Managing the CSC SSM 19-5
    About the CSC SSM 19-5
    Getting Started with the CSC SSM 19-7
    Determining What Traffic to Scan 19-9
    Limiting Connections Through the CSC SSM 19-11
    Diverting Traffic to the CSC SSM 19-11
    Checking SSM Status 19-13
    Transferring an Image onto an SSM 19-14

Chapter 20  Preventing Network Attacks 20-1
    Configuring TCP Normalization 20-1
    Configuring Connection Limits and Timeouts 20-4
    Preventing IP Spoofing 20-5
    Configuring the Fragment Size 20-6
    Blocking Unwanted Connections 20-6
    Configuring IP Audit for Basic IPS Support 20-7

Chapter 21  Applying QoS Policies 21-1
    Overview 21-1
    QoS Concepts 21-2
    Implementing QoS 21-2
    Identifying Traffic for QoS 21-4
    Defining a QoS Policy Map 21-5
    Applying Rate Limiting 21-6
    Activating the Service Policy 21-7
    Applying Low Latency Queueing 21-8
    Configuring Priority Queuing 21-8
    Sizing the Priority Queue 21-8
    Reducing Queue Latency 21-9
    Configuring QoS 21-9
    Viewing QoS Configuration 21-12
    Viewing QoS Service Policy Configuration 21-12
    Viewing QoS Policy Map Configuration 21-13
    Viewing the Priority-Queue Configuration for an Interface 21-13
    Viewing QoS Statistics 21-14
    Viewing QoS Police Statistics 21-14
    Viewing QoS Priority Statistics 21-14
    Viewing QoS Priority Queue Statistics 21-15

Chapter 22  Applying Application Layer Protocol Inspection 22-1
    Application Inspection Engine Overview 22-2
    How Inspection Engines Work 22-2
    Supported Protocols 22-3
    Application Engine Defaults 22-4
    Applying Application Inspection to Selected Traffic 22-5
    Overview 22-6
    Identifying Traffic with a Traffic Class Map 22-7
    Using an Application Inspection Map 22-9
    Defining Actions with a Policy Map 22-10
    Applying a Security Policy to an Interface 22-11
    CTIQBE Inspection 22-11
    CTIQBE Inspection Overview 22-11
    Limitations and Restrictions 22-11
    Enabling and Configuring CTIQBE Inspection 22-12
    Verifying and Monitoring CTIQBE Inspection 22-13
    DNS Inspection 22-14
    How DNS Application Inspection Works 22-15
    How DNS Rewrite Works 22-15
    Configuring DNS Rewrite 22-16
    Using the Alias Command for DNS Rewrite 22-17
    Using the Static Command for DNS Rewrite 22-17
    Configuring DNS Rewrite with Two NAT Zones 22-17
    DNS Rewrite with Three NAT Zones 22-18
    Configuring DNS Rewrite with Three NAT Zones 22-20
    Configuring DNS Inspection 22-21
    Verifying and Monitoring DNS Inspection 22-22
    FTP Inspection 22-23
    FTP Inspection Overview 22-23
    Using the strict Option 22-23
    The request-command deny Command 22-24
    Configuring FTP Inspection 22-25
    Verifying and Monitoring FTP Inspection 22-27
    GTP Inspection 22-28
    GTP Inspection Overview 22-28
    GTP Maps and Commands 22-29
    Enabling and Configuring GTP Inspection 22-30
    Enabling and Configuring GSN Pooling 22-32
    Verifying and Monitoring GTP Inspection 22-34
    H.323 Inspection 22-35
    H.323 Inspection Overview 22-35
    How H.323 Works 22-35
    Limitations and Restrictions 22-36
    Enabling and Configuring H.323 Inspection 22-37
    Configuring H.323 and H.225 Timeout Values 22-38
    Verifying and Monitoring H.323 Inspection 22-38
    Monitoring H.225 Sessions 22-38
    Monitoring H.245 Sessions 22-39
    Monitoring H.323 RAS Sessions 22-40
    HTTP Inspection 22-40
    HTTP Inspection Overview 22-40
    Enhanced HTTP Inspection Commands 22-41
    Enabling and Configuring Advanced HTTP Inspection 22-41
    ICMP Inspection 22-43
    ILS Inspection 22-43
    MGCP Inspection 22-43
    MGCP Inspection Overview 22-44
    Configuring MGCP Call Agents and Gateways 22-45
    Configuring and Enabling MGCP Inspection 22-46
    Configuring MGCP Timeout Values 22-48
    Verifying and Monitoring MGCP Inspection 22-48
    NetBIOS Inspection 22-49
    PPTP Inspection 22-49
    RSH Inspection 22-49
    RTSP Inspection 22-49
    RTSP Inspection Overview 22-49
    Using RealPlayer 22-50
    Restrictions and Limitations 22-50
    Enabling and Configuring RTSP Inspection 22-51
    SIP Inspection 22-52
    SIP Inspection Overview 22-52
    SIP Instant Messaging 22-53
    Enabling and Configuring SIP Inspection 22-54
    Configuring SIP Timeout Values 22-55
    Verifying and Monitoring SIP Inspection 22-56
    Skinny (SCCP) Inspection 22-56
    SCCP Inspection Overview 22-57
    Supporting Cisco IP Phones 22-57
    Restrictions and Limitations 22-57
    Configuring and Enabling SCCP Inspection 22-58
    Verifying and Monitoring SCCP Inspection 22-59
    SMTP and Extended SMTP Inspection 22-60
    SMTP and Extended SMTP Inspection Overview 22-60
    Enabling and Configuring SMTP and Extended SMTP Application Inspection 22-61
    SNMP Inspection 22-63
    SNMP Inspection Overview 22-63
    Enabling and Configuring SNMP Application Inspection 22-63
    SQL*Net Inspection 22-65
    Sun RPC Inspection 22-65
    Sun RPC Inspection Overview 22-65
    Enabling and Configuring Sun RPC Inspection 22-65
    Managing Sun RPC Services 22-67
    Verifying and Monitoring Sun RPC Inspection 22-68
    TFTP Inspection 22-69
    XDMCP Inspection 22-69

Chapter 23  Configuring ARP Inspection and Bridging Parameters 23-1
    Configuring ARP Inspection 23-1
    ARP Inspection Overview 23-1
    Adding a Static ARP Entry 23-2
    Enabling ARP Inspection 23-2
    Customizing the MAC Address Table 23-3
    MAC Address Table Overview 23-3
    Adding a Static MAC Address 23-3
    Setting the MAC Address Timeout 23-3
    Disabling MAC Address Learning 23-4
    Viewing the MAC Address Table 23-4

Part 3  Configuring VPN

Chapter 24  Configuring IPSec and ISAKMP 24-1
    Tunneling Overview 24-1
    IPSec Overview 24-2
    Configuring ISAKMP 24-2
    ISAKMP Overview 24-3
    Configuring ISAKMP Policies 24-5
    Enabling ISAKMP on the Outside Interface 24-6
    Disabling ISAKMP in Aggressive Mode 24-6
    Determining an ID Method for ISAKMP Peers 24-6
    Enabling IPSec over NAT-T 24-7
    Using NAT-T 24-7
    Enabling IPSec over TCP 24-8
    Waiting for Active Sessions to Terminate Before Rebooting 24-8
    Alerting Peers Before Disconnecting 24-9
    Configuring Certificate Group Matching 24-9
    Creating a Certificate Group Matching Rule and Policy 24-10
    Using the Tunnel-group-map default-group Command 24-11
    Configuring IPSec 24-11
    Understanding IPSec Tunnels 24-11
    Understanding Transform Sets 24-12
    Defining Crypto Maps 24-12
    Applying Crypto Maps to Interfaces 24-20
    Using Interface Access Lists 24-20
    Changing IPSec SA Lifetimes 24-22
    Creating a Basic IPSec Configuration 24-23
    Using Dynamic Crypto Maps 24-25
    Providing Site-to-Site Redundancy 24-27
    Viewing an IPSec Configuration 24-27
    Clearing Security Associations 24-27
    Clearing Crypto Map Configurations 24-28

Chapter 25  Setting General IPSec VPN Parameters 25-1
    Configuring VPNs in Single, Routed Mode 25-1
    Configuring IPSec to Bypass ACLs 25-1
    Permitting Intra-Interface Traffic 25-2
    NAT Considerations for Intra-Interface Traffic 25-3
    Setting Maximum Active IPSec VPN Sessions 25-3
    Using Client Update to Ensure Acceptable Client Revision Levels 25-3
    Understanding Load Balancing 25-5
    Implementing Load Balancing 25-6
    Prerequisites 25-6
    Eligible Platforms 25-7
    Eligible Clients 25-7
    VPN Load-Balancing Cluster Configurations 25-7
    Some Typical Mixed Cluster Scenarios 25-8
    Scenario 1: Mixed Cluster with No WebVPN Connections 25-8
    Scenario 2: Mixed Cluster Handling WebVPN Connections 25-8
    Configuring Load Balancing 25-9
    Configuring the Public and Private Interfaces for Load Balancing 25-9
    Configuring the Load Balancing Cluster Attributes 25-10
    Configuring VPN Session Limits 25-11

Chapter 26  Configuring Tunnel Groups, Group Policies, and Users 26-1
    Overview of Tunnel Groups, Group Policies, and Users 26-1
    Tunnel Groups 26-2
    General Tunnel-Group Connection Parameters 26-2
    IPSec Tunnel-Group Connection Parameters 26-3
    WebVPN Tunnel-Group Connection Parameters 26-4
    Configuring Tunnel Groups 26-5
    Default IPSec Remote Access Tunnel Group Configuration 26-5
    Configuring IPSec Tunnel-Group General Parameters 26-6
    Configuring IPSec Remote-Access Tunnel Groups 26-6
    Specifying a Name and Type for the IPSec Remote Access Tunnel Group 26-6
    Configuring IPSec Remote-Access Tunnel Group General Attributes 26-6
    Configuring IPSec Remote-Access Tunnel Group IPSec Attributes 26-9
    Configuring LAN-to-LAN Tunnel Groups 26-10
    Default LAN-to-LAN Tunnel Group Configuration 26-10
    Specifying a Name and Type for a LAN-to-LAN Tunnel Group 26-11
    Configuring LAN-to-LAN Tunnel Group General Attributes 26-11
    Configuring LAN-to-LAN IPSec Attributes 26-12
    Configuring WebVPN Tunnel Groups 26-13
    Specifying a Name and Type for a WebVPN Tunnel Group 26-13
    Configuring WebVPN Tunnel-Group General Attributes 26-13
    Configuring WebVPN Tunnel-Group WebVPN Attributes 26-15
    Customizing Login Windows for WebVPN Users 26-18
    Group Policies 26-19
    Default Group Policy 26-20
    Configuring Group Policies 26-21
    Configuring an External Group Policy 26-21
    Configuring an Internal Group Policy 26-22
    Configuring Group Policy Attributes 26-23
    Configuring WINS and DNS Servers 26-23
    Configuring VPN-Specific Attributes 26-24
    Configuring Security Attributes 26-26
    Configuring the Banner Message 26-28
    Configuring IPSec-UDP Attributes 26-28
    Configuring Split-Tunneling Attributes 26-29
    Configuring Domain Attributes for Tunneling 26-31
    Configuring Attributes for VPN Hardware Clients 26-32
    Configuring Backup Server Attributes 26-35
    Configuring Firewall Policies 26-36
    Configuring Client Access Rules 26-38
    Configuring Group-Policy WebVPN Attributes 26-40
    Configuring User Attributes 26-50
    Viewing the Username Configuration 26-50
    Configuring Attributes for Specific Users 26-51
    Setting a User Password and Privilege Level 26-51
    Configuring User Attributes 26-52
    Configuring VPN User Attributes 26-53
    Configuring WebVPN for Specific Users 26-57

Chapter 27  Configuring IP Addresses for VPNs 27-1
    Configuring an IP Address Assignment Method 27-1
    Configuring Local IP Address Pools 27-2
    Configuring AAA Addressing 27-2
    Configuring DHCP Addressing 27-3

Chapter 28  Configuring Remote Access IPSec VPNs 28-1
    Summary of the Configuration 28-1
    Configuring Interfaces 28-2
    Configuring ISAKMP Policy and Enabling ISAKMP on the Outside Interface 28-3
    Configuring an Address Pool 28-4
    Adding a User 28-4
    Creating a Transform Set 28-4
    Defining a Tunnel Group 28-5
    Creating a Dynamic Crypto Map 28-6
    Creating a Crypto Map Entry to Use the Dynamic Crypto Map 28-7

Chapter 29  Configuring LAN-to-LAN IPSec VPNs 29-1
    Summary of the Configuration 29-1
    Configuring Interfaces 29-2
    Configuring ISAKMP Policy and Enabling ISAKMP on the Outside Interface 29-2
    Creating a Transform Set 29-4
    Configuring an ACL 29-4
    Defining a Tunnel Group 29-5
    Creating a Crypto Map and Applying It To an Interface 29-6
    Applying Crypto Maps to Interfaces 29-7

Chapter 30  Configuring WebVPN 30-1
    Getting Started with WebVPN 30-1
    Observing WebVPN Security Precautions 30-2
    Understanding Features Not Supported for WebVPN 30-3
    Using SSL to Access the Central Site 30-3
    Using HTTPS for WebVPN Sessions 30-3
    Configuring WebVPN and ASDM on the Same Interface 30-4
    Setting WebVPN HTTP/HTTPS Proxy 30-4
    Configuring SSL/TLS Encryption Protocols 30-4
    Authenticating with Digital Certificates 30-4
    Enabling Cookies on Browsers for WebVPN 30-5
    Managing Passwords 30-5
    Using Single Sign-on with WebVPN 30-5
    Configuring SSO with HTTP Basic or NTLM Authentication 30-6
    Configuring SSO Authentication Using SiteMinder 30-7
    Configuring SSO with the HTTP Form Protocol 30-9
    Authenticating with Digital Certificates 30-15
    Creating and Applying WebVPN Policies 30-15
    Creating Port Forwarding, URL, and Access Lists in Global Configuration Mode 30-15
    Assigning Lists to Group Policies and Users in Group-Policy or User Mode 30-15
    Enabling Features for Group Policies and Users 30-15
    Assigning Users to Group Policies 30-15
    Using the Security Appliance Authentication Server 30-16
    Using a RADIUS Server 30-16
    Configuring WebVPN Tunnel Group Attributes 30-16
    Configuring WebVPN Group Policy and User Attributes 30-17
    Configuring Application Access 30-17
    Downloading the Port-Forwarding Applet Automatically 30-17
    Closing Application Access to Prevent hosts File Errors 30-18
    Recovering from hosts File Errors When Using Application Access 30-18
    Understanding the hosts File 30-18
    Stopping Application Access Improperly 30-19
    Reconfiguring a hosts File 30-19
    Configuring File Access 30-21
    Configuring Access to Citrix MetaFrame Services 30-24
    Using WebVPN with PDAs 30-24
    Using E-Mail over WebVPN 30-25
    Configuring E-mail Proxies 30-25
    E-mail Proxy Certificate Authentication 30-26
    Configuring MAPI 30-26
    Configuring Web E-mail: MS Outlook Web Access 30-27
    Optimizing WebVPN Performance 30-27
    Configuring Caching 30-27
    Configuring Content Transformation 30-28
    Disabling Content Rewrite 30-28
    Using Proxy Bypass 30-28
    Configuring Application Profile Customization Framework 30-29
    APCF Syntax 30-29
    APCF Example 30-31
    Understanding WebVPN End User Setup 30-31
    Defining the End User Interface 30-31
    Viewing the WebVPN Home Page 30-32
    Viewing the WebVPN Application Access Panel 30-33
    Viewing the Floating Toolbar 30-34
    Customizing WebVPN Pages 30-34
    Using Cascading Style Sheet Parameters 30-35
    Customizing the WebVPN Login Page 30-36
    Customizing the WebVPN Logout Page 30-38
    Customizing the WebVPN Home Page 30-39
    Customizing the Application Access Window 30-41
    Customizing the Prompt Dialogs 30-42
    Applying Customizations to Tunnel Groups, Groups and Users 30-43
    Requiring Usernames and Passwords 30-44
    Communicating Security Tips 30-44
    Configuring Remote Systems to Use WebVPN Features 30-45
    Capturing WebVPN Data 30-50
    Creating a Capture File 30-51
    Using a Browser to Display Capture Data 30-51

Chapter 31  Configuring SSL VPN Client 31-1
    Installing SVC 31-2
    Platform Requirements 31-2
    Installing the SVC Software 31-2
    Enabling SVC 31-3
    Enabling Permanent SVC Installation 31-5
    Enabling Rekey 31-5
    Enabling and Adjusting Dead Peer Detection 31-6
    Enabling Keepalive 31-6
    Using SVC Compression 31-7
    Viewing SVC Sessions 31-8
    Logging Off SVC Sessions 31-8
    Updating SVCs 31-9
Chapter 32 Configuring Certificates 32-1
Public Key Cryptography 32-1
About Public Key Cryptography 32-1
Certificate Scalability 32-2
About Key Pairs 32-2
About Trustpoints 32-3
About CRLs 32-3
Supported CA Servers 32-4
Certificate Configuration 32-4
Preparing for Certificates 32-4
Configuring Key Pairs 32-5
Generating Key Pairs 32-5
Removing Key Pairs 32-6
Configuring Trustpoints 32-6
Obtaining Certificates 32-8
Obtaining Certificates with SCEP 32-8
Obtaining Certificates Manually 32-10
Configuring CRLs for a Trustpoint 32-12
Exporting and Importing Trustpoints 32-14
Exporting a Trustpoint Configuration 32-14
Importing a Trustpoint Configuration 32-14
Configuring CA Certificate Map Rules 32-15
Part 4 System Administration
Chapter 33 Managing System Access 33-1
Allowing Telnet Access 33-1
Allowing SSH Access 33-2
Configuring SSH Access 33-2
Using an SSH Client 33-3
Changing the Login Password 33-3
Allowing HTTPS Access for ASDM 33-4
AAA for System Administrators 33-5
Configuring Authentication for CLI Access 33-5
Configuring Authentication To Access Privileged EXEC Mode 33-6
Configuring Authentication for the Enable Command 33-6
Authenticating Users Using the Login Command 33-6
Configuring Command Authorization 33-7
Command Authorization Overview 33-7
Configuring Local Command Authorization 33-7
Configuring TACACS+ Command Authorization 33-11
Configuring Command Accounting 33-14
Viewing the Current Logged-In User 33-14
Recovering from a Lockout 33-15
Configuring a Login Banner 33-16
Chapter 34 Managing Software, Licenses, and Configurations 34-1
Managing Licenses 34-1
Obtaining an Activation Key 34-1
Entering a New Activation Key 34-2
Viewing Files in Flash Memory 34-2
Downloading Software or Configuration Files to Flash Memory 34-3
Downloading a File to a Specific Location 34-3
Downloading a File to the Startup or Running Configuration 34-4
Configuring the Application Image and ASDM Image to Boot 34-5
Configuring the File to Boot as the Startup Configuration 34-5
Performing Zero Downtime Upgrades for Failover Pairs 34-6
Upgrading an Active/Standby Failover Configuration 34-6
Upgrading an Active/Active Failover Configuration 34-7
Backing Up Configuration Files 34-8
Backing up the Single Mode Configuration or Multiple Mode System Configuration 34-8
Backing Up a Context Configuration in Flash Memory 34-9
Backing Up a Context Configuration within a Context 34-9
Copying the Configuration from the Terminal Display 34-9
Configuring Auto Update Support 34-9
Configuring Communication with an Auto Update Server 34-10
Viewing Auto Update Status 34-11
Chapter 35 Monitoring the Security Appliance 35-1
Using System Log Messages 35-1
Using SNMP 35-1
SNMP Overview 35-1
Enabling SNMP 35-3
Chapter 36 Troubleshooting the Security Appliance 36-1
Testing Your Configuration 36-1
Enabling ICMP Debug Messages and System Messages 36-1
Pinging Security Appliance Interfaces 36-3
Pinging Through the Security Appliance 36-4
Disabling the Test Configuration 36-6
Reloading the Security Appliance 36-6
Performing Password Recovery 36-6
Performing Password Recovery for the ASA 5500 Series Adaptive Security Appliance 36-7
Password Recovery for the PIX 500 Series Security Appliance 36-8
Disabling Password Recovery 36-9
Other Troubleshooting Tools 36-10
Viewing Debug Messages 36-10
Capturing Packets 36-10
Viewing the Crash Dump 36-10
Common Problems 36-10
Part 5 Reference
Appendix A Feature Licenses and Specifications A-1
Supported Platforms A-1
Platform Feature Licenses A-1
Security Services Module Support A-6
VPN Specifications A-6
Cisco VPN Client Support A-7
Cisco Secure Desktop Support A-7
Site-to-Site VPN Compatibility A-7
Cryptographic Standards A-8
Appendix B Sample Configurations B-1
Example 1: Multiple Mode Firewall With Outside Access B-1
Example 1: System Configuration B-2
Example 1: Admin Context Configuration B-3
Example 1: Customer A Context Configuration B-4
Example 1: Customer B Context Configuration B-4
Example 1: Customer C Context Configuration B-5
Example 2: Single Mode Firewall Using Same Security Level B-5
Example 3: Shared Resources for Multiple Contexts B-7
Example 3: System Configuration B-8
Example 3: Admin Context Configuration B-9
Example 3: Department 1 Context Configuration B-10
Example 3: Department 2 Context Configuration B-11
Example 4: Multiple Mode, Transparent Firewall with Outside Access B-12
Example 4: System Configuration B-13
Example 4: Admin Context Configuration B-14
Example 4: Customer A Context Configuration B-14
Example 4: Customer B Context Configuration B-14
Example 4: Customer C Context Configuration B-15
Example 5: WebVPN Configuration B-15
Appendix C Using the Command-Line Interface C-1
Firewall Mode and Security Context Mode C-1
Command Modes and Prompts C-2
Syntax Formatting C-3
Abbreviating Commands C-3
Command-Line Editing C-3
Command Completion C-3
Command Help C-4
Filtering show Command Output C-4
Command Output Paging C-5
Adding Comments C-5
Text Configuration Files C-6
How Commands Correspond with Lines in the Text File C-6
Command-Specific Configuration Mode Commands C-6
Automatic Text Entries C-6
Line Order C-7
Commands Not Included in the Text Configuration C-7
Passwords C-7
Multiple Security Context Files C-7
Appendix D Addresses, Protocols, and Ports D-1
IPv4 Addresses and Subnet Masks D-1
Classes D-2
Private Networks D-2
Subnet Masks D-2
Determining the Subnet Mask D-3
Determining the Address to Use with the Subnet Mask D-3
IPv6 Addresses D-5
IPv6 Address Format D-5
IPv6 Address Types D-6
Unicast Addresses D-6
Multicast Address D-8
Anycast Address D-9
Required Addresses D-10
IPv6 Address Prefixes D-10
Protocols and Applications D-11
TCP and UDP Ports D-12
Local Ports and Protocols D-14
ICMP Types D-15
Appendix E Configuring an External Server for Authorization and Authentication E-1
Selecting LDAP, RADIUS, or Local Authentication and Authorization E-1
Understanding Policy Enforcement of Permissions and Attributes E-2
Configuring an External LDAP Server E-2
Reviewing the LDAP Directory Structure and Configuration Procedure E-3
Organizing the Security Appliance LDAP Schema E-3
Searching the Hierarchy E-4
Binding the Security Appliance to the LDAP Server E-5
Defining the Security Appliance LDAP Schema E-5
Cisco-AV-Pair Attribute Syntax E-14
Example Security Appliance Authorization Schema E-15
Loading the Schema in the LDAP Server E-18
Defining User Permissions E-18
Example User File E-18
Reviewing Examples of Active Directory Configurations E-19
Example 1: Configuring LDAP Authorization with Microsoft Active Directory (ASA/PIX) E-19
Example 2: Configuring LDAP Authentication with Microsoft Active Directory E-21
Example 3: LDAP Authentication and LDAP Authorization with Microsoft Active Directory E-23
Configuring an External RADIUS Server E-26
Reviewing the RADIUS Configuration Procedure E-26
Security Appliance RADIUS Authorization Attributes E-26
Glossary
Index
About This Guide
This preface introduces the Cisco Security Appliance Command Line Configuration Guide and includes the following sections:
Document Objectives, page xxvii
Obtaining Documentation, page xxxi
Documentation Feedback, page xxxii
Obtaining Technical Assistance, page xxxii
Obtaining Additional Publications and Information, page xxxiii
Document Objectives
The purpose of this guide is to help you configure the security appliance using the command-line interface. This guide does not cover every feature, but describes only the most common configuration scenarios.
You can also configure and monitor the security appliance by
using ASDM, a web-based GUI application. ASDM includes
configuration wizards to guide you through some common
configuration scenarios, and online Help for less common scenarios.
For more information, see:
http://www.cisco.com/univercd/cc/td/doc/product/netsec/secmgmt/asdm/index.htm
This guide applies to the Cisco PIX 500 series security
appliances (PIX 515E, PIX 525, and PIX 535) and the Cisco ASA 5500
series security appliances (ASA 5510, ASA 5520, and ASA 5540).
Throughout this guide, the term security appliance applies
generically to all supported models, unless specified otherwise.
The PIX 501, PIX 506E, and PIX 520 security appliances are not
supported in software Version 7.0.
Audience
This guide is for network managers who perform any of the following tasks:
Manage network security
Install and configure firewalls/security appliances
Configure VPNs
Configure intrusion detection software
Related Documentation
For more information, refer to the following documentation:
Cisco PIX Security Appliance Release Notes
Cisco ASDM Release Notes
Cisco PIX 515E Quick Start Guide
Guide for Cisco PIX 6.2 and 6.3 Users Upgrading to Cisco PIX
Software Version 7.0
Migrating to ASA for VPN 3000 Series Concentrator
Administrators
Cisco Security Appliance Command Reference
Cisco ASA 5500 Series Adaptive Security Appliance Getting
Started Guide
Cisco ASA 5500 Series Release Notes
Cisco Security Appliance Logging Configuration and System Log
Messages
Cisco Secure Desktop Configuration Guide for Cisco ASA 5500
Series Administrators
Document Organization
This guide includes the chapters and appendixes described in Table 1.
Table 1 Document Organization
Chapter/Appendix: Definition
Part 1: Getting Started and General Information
Chapter 1, Introduction to the Security Appliance: Provides a high-level overview of the security appliance.
Chapter 2, Getting Started: Describes how to access the command-line interface, configure the firewall mode, and work with the configuration.
Chapter 3, Enabling Multiple Context Mode: Describes how to use security contexts and enable multiple context mode.
Chapter 4, Configuring Ethernet Settings and Subinterfaces: Describes how to configure Ethernet settings for physical interfaces and add subinterfaces.
Chapter 5, Adding and Managing Security Contexts: Describes how to configure multiple security contexts on the security appliance.
Chapter 6, Configuring Interface Parameters: Describes how to configure each interface and subinterface for a name, security level, and IP address.
Chapter 7, Configuring Basic Settings: Describes how to configure basic settings that are typically required for a functioning configuration.
Chapter 8, Configuring IP Routing and DHCP Services: Describes how to configure IP routing and DHCP.
Chapter 9, Configuring IPv6: Describes how to enable and configure IPv6.
Chapter 10, Configuring AAA Servers and the Local Database: Describes how to configure AAA servers and the local database.
Chapter 11, Configuring Failover: Describes the failover feature, which lets you configure two security appliances so that one will take over operation if the other one fails.
Part 2: Configuring the Firewall
Chapter 12, Firewall Mode Overview: Describes in detail the two operation modes of the security appliance, routed and transparent mode, and how data is handled differently with each mode.
Chapter 13, Identifying Traffic with Access Lists: Describes how to identify traffic with access lists.
Chapter 14, Applying NAT: Describes how address translation is performed.
Chapter 15, Permitting or Denying Network Access: Describes how to control network access through the security appliance using access lists.
Chapter 16, Applying AAA for Network Access: Describes how to enable AAA for network access.
Chapter 17, Applying Filtering Services: Describes ways to filter web traffic to reduce security risks or prevent inappropriate use.
Chapter 18, Using Modular Policy Framework: Describes how to use the Modular Policy Framework to create security policies for TCP, general connection settings, inspection, and QoS.
Chapter 19, Managing the AIP SSM and CSC SSM: Describes how to configure the security appliance to send traffic to an AIP SSM or a CSC SSM, how to check the status of an SSM, and how to update the software image on an intelligent SSM.
Chapter 20, Preventing Network Attacks: Describes how to configure protection features to intercept and respond to network attacks.
Chapter 21, Applying QoS Policies: Describes how to configure the network to provide better service to selected network traffic over various technologies, including Frame Relay, Asynchronous Transfer Mode (ATM), Ethernet and 802.1 networks, SONET, and IP routed networks.
Chapter 22, Applying Application Layer Protocol Inspection: Describes how to use and configure application inspection.
Chapter 23, Configuring ARP Inspection and Bridging Parameters: Describes how to enable ARP inspection and how to customize bridging operations.
Part 3: Configuring VPN
Chapter 24, Configuring IPSec and ISAKMP: Describes how to configure ISAKMP and IPSec tunneling to build and manage VPN tunnels, or secure connections between remote users and a private corporate network.
Chapter 25, Setting General IPSec VPN Parameters: Describes miscellaneous VPN configuration procedures.
Chapter 26, Configuring Tunnel Groups, Group Policies, and Users: Describes how to configure VPN tunnel groups, group policies, and users.
Chapter 27, Configuring IP Addresses for VPNs: Describes how to configure IP addresses in your private network addressing scheme, which let the client function as a tunnel endpoint.
Chapter 28, Configuring Remote Access IPSec VPNs: Describes how to configure a remote access VPN connection.
Chapter 29, Configuring LAN-to-LAN IPSec VPNs: Describes how to build a LAN-to-LAN VPN connection.
Chapter 30, Configuring WebVPN: Describes how to establish a secure, remote-access VPN tunnel to a security appliance using a web browser.
Chapter 31, Configuring SSL VPN Client: Describes how to install and configure the SSL VPN Client.
Chapter 32, Configuring Certificates: Describes how to configure digital certificates, which contain information that identifies a user or device. Such information can include a name, serial number, company, department, or IP address. A digital certificate also contains a copy of the public key for the user or device.
Part 4: System Administration
Chapter 33, Managing System Access: Describes how to access the security appliance for system management through Telnet, SSH, and HTTPS.
Chapter 34, Managing Software, Licenses, and Configurations: Describes how to enter license keys and download software and configuration files.
Chapter 35, Monitoring the Security Appliance: Describes how to monitor the security appliance.
Chapter 36, Troubleshooting the Security Appliance: Describes how to troubleshoot the security appliance.
Part 5: Reference
Appendix A, Feature Licenses and Specifications: Describes the feature licenses and specifications.
Appendix B, Sample Configurations: Describes a number of common ways to implement the security appliance.
Appendix C, Using the Command-Line Interface: Describes how to use the CLI to configure the security appliance.
Appendix D, Addresses, Protocols, and Ports: Provides a quick reference for IP addresses, protocols, and applications.
Appendix E, Configuring an External Server for Authorization and Authentication: Provides information about configuring LDAP and RADIUS authorization servers.
Document Conventions
Command descriptions use these conventions:
Braces ({ }) indicate a required choice.
Square brackets ([ ]) indicate optional elements.
Vertical bars ( | ) separate alternative, mutually exclusive elements.
Boldface indicates commands and keywords that are entered literally as shown.
Italics indicate arguments for which you supply values.
Examples use these conventions:
Examples depict screen displays and the command line in screen font.
Information you need to enter in examples is shown in boldface screen font.
Variables for which you must supply a value are shown in italic screen font.
Note: Means reader take note. Notes contain helpful suggestions or references to material not covered in the manual.
Obtaining Documentation
Cisco documentation and additional literature are available on Cisco.com. Cisco also provides several ways to obtain technical assistance and other technical resources. These sections explain how to obtain technical information from Cisco Systems.
Cisco.com
You can access the most current Cisco documentation at this URL:
http://www.cisco.com/univercd/home/home.htm
You can access the Cisco website at this URL:
http://www.cisco.com
You can access international Cisco websites at this URL:
http://www.cisco.com/public/countries_languages.shtml
Ordering Documentation
You can find instructions for ordering documentation at this URL:
http://www.cisco.com/univercd/cc/td/doc/es_inpck/pdi.htm
You can order Cisco documentation in these ways:
Registered Cisco.com users (Cisco direct customers) can order
Cisco product documentation from the Ordering tool:
http://www.cisco.com/en/US/partner/ordering/index.shtml
Nonregistered Cisco.com users can order documentation through a
local account representative by calling Cisco Systems Corporate
Headquarters (California, USA) at 408 526-7208 or, elsewhere in
North America, by calling 1 800 553-NETS (6387).
Documentation Feedback
You can send comments about technical documentation to [email protected].
You can submit comments by using the response card (if present)
behind the front cover of your document or by writing to the
following address:
Cisco Systems
Attn: Customer Document Ordering
170 West Tasman Drive
San Jose, CA 95134-9883
We appreciate your comments.
Obtaining Technical Assistance
For all customers, partners, resellers, and distributors who hold valid Cisco service contracts, Cisco Technical Support provides 24-hour-a-day, award-winning technical assistance. The Cisco Technical Support Website on Cisco.com features extensive online support resources. In addition, Cisco Technical Assistance Center (TAC) engineers provide telephone support. If you do not hold a valid Cisco service contract, contact your reseller.
Cisco Technical Support Website
The Cisco Technical Support Website provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies. The website is available 24 hours a day, 365 days a year, at this URL:
http://www.cisco.com/techsupport
Access to all tools on the Cisco Technical Support Website
requires a Cisco.com user ID and password. If you have a valid
service contract but do not have a user ID or password, you can
register at this URL:
http://tools.cisco.com/RPF/register/register.do
Note Use the Cisco Product Identification (CPI) tool to locate
your product serial number before submitting a web or phone request
for service. You can access the CPI tool from the Cisco Technical
Support Website by clicking the Tools & Resources link under
Documentation & Tools. Choose Cisco Product Identification Tool
from the Alphabetical Index drop-down list, or click the Cisco
Product Identification Tool link under Alerts & RMAs. The CPI
tool offers three search options: by product ID or model name; by
tree view; or for certain products, by copying and pasting show
command output. Search results show an illustration of your product
with the serial number label location highlighted. Locate the
serial number label on your product and record the information
before placing a service call.
Submitting a Service Request
Using the online TAC Service Request Tool is the fastest way to open S3 and S4 service requests. (S3 and S4 service requests are those in which your network is minimally impaired or for which you require product information.) After you describe your situation, the TAC Service Request Tool provides recommended solutions. If your issue is not resolved using the recommended resources, your service request is assigned to a Cisco TAC engineer. The TAC Service Request Tool is located at this URL:
http://www.cisco.com/techsupport/servicerequest
For S1 or S2 service requests or if you do not have Internet
access, contact the Cisco TAC by telephone. (S1 or S2 service
requests are those in which your production network is down or
severely degraded.) Cisco TAC engineers are assigned immediately to
S1 and S2 service requests to help keep your business operations
running smoothly.
To open a service request by telephone, use one of the following
numbers:
Asia-Pacific: +61 2 8446 7411 (Australia: 1 800 805 227)
EMEA: +32 2 704 55 55
USA: 1 800 553-2447
For a complete list of Cisco TAC contacts, go to this URL:
http://www.cisco.com/techsupport/contacts
Definitions of Service Request Severity
To ensure that all service requests are reported in a standard format, Cisco has established severity definitions.
Severity 1 (S1): Your network is down, or there is a critical impact to your business operations. You and Cisco will commit all necessary resources around the clock to resolve the situation.
Severity 2 (S2): Operation of an existing network is severely degraded, or significant aspects of your business operation are negatively affected by inadequate performance of Cisco products. You and Cisco will commit full-time resources during normal business hours to resolve the situation.
Severity 3 (S3): Operational performance of your network is impaired, but most business operations remain functional. You and Cisco will commit resources during normal business hours to restore service to satisfactory levels.
Severity 4 (S4): You require information or assistance with Cisco product capabilities, installation, or configuration. There is little or no effect on your business operations.
Obtaining Additional Publications and Information
Information about Cisco products, technologies, and network solutions is available from various online and printed sources.
Cisco Marketplace provides a variety of Cisco books, reference
guides, and logo merchandise. Visit Cisco Marketplace, the company
store, at this URL:
http://www.cisco.com/go/marketplace/
The Cisco Product Catalog describes the networking products
offered by Cisco Systems, as well as ordering and customer support
services. Access the Cisco Product Catalog at this URL:
http://cisco.com/univercd/cc/td/doc/pcat/
Cisco Press publishes a wide range of general networking,
training and certification titles. Both new and experienced users
will benefit from these publications. For current Cisco Press
titles and other information, go to Cisco Press at this URL:
http://www.ciscopress.com
Packet magazine is the Cisco Systems technical user magazine for
maximizing Internet and networking investments. Each quarter,
Packet delivers coverage of the latest industry trends, technology
breakthroughs, and Cisco products and solutions, as well as network
deployment and troubleshooting tips, configuration examples,
customer case studies, certification and training information, and
links to scores of in-depth online resources. You can access Packet
magazine at this URL:
http://www.cisco.com/packet
iQ Magazine is the quarterly publication from Cisco Systems
designed to help growing companies learn how they can use
technology to increase revenue, streamline their business, and
expand services. The publication identifies the challenges facing
these companies and the technologies to help solve them, using
real-world case studies and business strategies to help readers
make sound technology investment decisions. You can access iQ
Magazine at this URL:
http://www.cisco.com/go/iqmagazine
Internet Protocol Journal is a quarterly journal published by
Cisco Systems for engineering professionals involved in designing,
developing, and operating public and private internets and
intranets. You can access the Internet Protocol Journal at this
URL:
http://www.cisco.com/ipj
World-class networking training is available from Cisco. You can
view current offerings at this URL:
http://www.cisco.com/en/US/learning/index.html
Part 1
Getting Started and General Information
Chapter 1
Introduction to the Security Appliance
The security appliance combines advanced stateful firewall and
VPN concentrator functionality in one device, and for some models,
an integrated intrusion prevention module called the AIP SSM. The
security appliance includes many advanced features, such as
multiple security contexts (similar to virtualized firewalls),
transparent (Layer 2) firewall or routed (Layer 3) firewall
operation, advanced inspection engines, IPSec and WebVPN support,
and many more features. See Appendix A, Feature Licenses and
Specifications, for a list of supported platforms and features. For
a list of new features, see the Cisco ASA 5500 Series Release Notes
or the Cisco PIX Security Appliance Release Notes.
Note The Cisco PIX 501 and PIX 506E security appliances are not
supported in software Version 7.0.
This chapter includes the following sections:
Firewall Functional Overview, page 1-1
VPN Functional Overview, page 1-5
Intrusion Prevention Services Functional Overview, page 1-5
Security Context Overview, page 1-5
Firewall Functional Overview
Firewalls protect inside networks
from unauthorized access by users on an outside network. A firewall
can also protect inside networks from each other, for example, by
keeping a human resources network separate from a user network. If
you have network resources that need to be available to an outside
user, such as a web or FTP server, you can place these resources on
a separate network behind the firewall, called a demilitarized zone
(DMZ). The firewall allows limited access to the DMZ, but because
the DMZ only includes the public servers, an attack there only
affects the servers and does not affect the other inside networks.
You can also control when inside users access outside networks (for
example, access to the Internet), by allowing only certain
addresses out, by requiring authentication or authorization, or by
coordinating with an external URL filtering server.
When discussing networks connected to a firewall, the outside
network is in front of the firewall, the inside network is
protected and behind the firewall, and a DMZ, while behind the
firewall, allows limited access to outside users. Because the
security appliance lets you configure many interfaces with varied
security policies, including many inside interfaces, many DMZs, and
even many outside interfaces if desired, these terms are used in a
general sense only.
This section includes the following topics:
Security Policy Overview, page 1-2
Firewall Mode Overview, page 1-3
Stateful Inspection Overview, page 1-4
Security Policy Overview
A security policy determines which
traffic is allowed to pass through the firewall to access another
network. By default, the security appliance allows traffic to flow
freely from an inside network (higher security level) to an outside
network (lower security level). You can apply actions to traffic to
customize the security policy. This section includes the following
topics:
Permitting or Denying Traffic with Access Lists, page 1-2
Applying NAT, page 1-2
Using AAA for Through Traffic, page 1-2
Applying HTTP, HTTPS, or FTP Filtering, page 1-3
Applying Application Inspection, page 1-3
Sending Traffic to the Advanced Inspection and Prevention
Security Services Module, page 1-3
Applying QoS Policies, page 1-3
Applying Connection Limits and TCP Normalization, page 1-3
Permitting or Denying Traffic with Access Lists
You can apply an access list to limit traffic from inside to
outside, or allow traffic from outside to inside. For transparent
firewall mode, you can also apply an EtherType access list to allow
non-IP traffic.
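As an added illustration (not code from this guide, and not security appliance commands), the Python script below models how an access list is evaluated: rules are tested in order, the first match decides, and a packet that matches no rule is denied. It also flags rules that an earlier, broader rule makes unreachable, which is what happens when a broad deny is placed above a narrower permit. The addresses, the Packet and Rule classes and the OUTSIDE_IN list are all constructed for the example.

```python
"""First-match access list evaluation (added illustration, not code from the guide)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str            # source IPv4 address
    dst: str            # destination IPv4 address
    dport: int = 0      # destination port (0 for protocols without ports)


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src: str                     # CIDR; "0.0.0.0/0" stands for "any"
    dst: str
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        """True when every field of the rule covers the packet."""
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        return self.dport is None or self.dport == pkt.dport

    def covers(self, other: "Rule") -> bool:
        """True when every packet `other` could match is also matched by this rule."""
        return (
            (self.proto == "ip" or self.proto == other.proto)
            and ip_network(other.src).subnet_of(ip_network(self.src))
            and ip_network(other.dst).subnet_of(ip_network(self.dst))
            and (self.dport is None or self.dport == other.dport)
        )


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Walk the list in order; the first matching rule decides.
    A packet that matches no rule is denied (the implicit deny at the end)."""
    for index, rule in enumerate(acl):
        if rule.matches(pkt):
            return rule.action, index
    return "deny", None


def shadowed_rules(acl: List[Rule]) -> List[int]:
    """Indexes of rules that can never be the first match because an earlier rule
    covers everything they could match. A shadowed permit below a broad deny is
    dead policy; a shadowed deny below a broad permit is a hole the author may not
    realise exists."""
    return [i for i, rule in enumerate(acl)
            if any(earlier.covers(rule) for earlier in acl[:i])]


# Constructed sample: permit web to one DMZ host, deny the rest of the DMZ, and a
# permit for HTTPS to a second host that the deny above makes unreachable.
OUTSIDE_IN = [
    Rule("permit", "tcp", "0.0.0.0/0", "192.0.2.10/32", 80),
    Rule("deny", "ip", "0.0.0.0/0", "192.0.2.0/24"),
    Rule("permit", "tcp", "0.0.0.0/0", "192.0.2.11/32", 443),  # shadowed by rule 1
]

if __name__ == "__main__":
    for pkt in (Packet("tcp", "198.51.100.7", "192.0.2.10", 80),
                Packet("tcp", "198.51.100.7", "192.0.2.11", 443),
                Packet("udp", "198.51.100.7", "203.0.113.5", 53)):
        print(pkt, "->", evaluate(OUTSIDE_IN, pkt))
    print("shadowed rules:", shadowed_rules(OUTSIDE_IN))
```

The shadow check is deliberately conservative: it only reports a rule when a single earlier rule covers it completely, so a rule hidden by the union of several earlier rules is not reported.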
Applying NAT
Some of the benefits of NAT include the following:
You can use private addresses on your inside networks. Private
addresses are not routable on the Internet.
NAT hides the local addresses from other networks, so attackers
cannot learn the real address of a host.
NAT can resolve IP routing problems by supporting overlapping IP
addresses.
Using AAA for Through Traffic
You can require authentication and/or authorization for certain
types of traffic, for example, for HTTP. The security appliance
also sends accounting information to a RADIUS or TACACS+
server.
Applying HTTP, HTTPS, or FTP Filtering
Although you can use access lists to prevent outbound access to
specific websites or FTP servers, configuring and managing web
usage this way is not practical because of the size and dynamic
nature of the Internet. We recommend that you use the security
appliance in conjunction with a separate server running one of the
following Internet filtering products:
Websense Enterprise
Sentian by N2H2
Applying Application Inspection
Inspection engines are required for services that embed IP
addressing information in the user data packet or that open
secondary channels on dynamically assigned ports. These protocols
require the security appliance to do a deep packet inspection.
Sending Traffic to the Advanced Inspection and Prevention
Security Services Module
If your model supports the AIP SSM for intrusion prevention,
then you can send traffic to the AIP SSM for inspection.
Applying QoS Policies
Some network traffic, such as voice and streaming video, cannot
tolerate long latency times. QoS is a network feature that lets you
give priority to these types of traffic. QoS refers to the
capability of a network to provide better service to selected
network traffic over various technologies for the best overall
services with limited bandwidth of the underlying technologies.
Applying Connection Limits and TCP Normalization
You can limit TCP and UDP connections and embryonic connections.
Limiting the number of connections and embryonic connections
protects you from a DoS attack. The security appliance uses the
embryonic limit to trigger TCP Intercept, which protects inside
systems from a DoS attack perpetrated by flooding an interface with
TCP SYN packets. An embryonic connection is a connection request
that has not finished the necessary handshake between source and
destination.
TCP normalization is a feature consisting of advanced TCP
connection settings designed to drop packets that do not appear
normal.
Firewall Mode Overview
The security appliance runs in two different firewall modes:
Routed
Transparent
In routed mode, the security appliance is considered to be a
router hop in the network.
In transparent mode, the security appliance acts like a bump in
the wire, or a stealth firewall, and is not considered a router
hop. The security appliance connects to the same network on its
inside and outside interfaces.
You might use a transparent firewall to simplify your network
configuration. Transparent mode is also useful if you want the
firewall to be invisible to attackers. You can also use a
transparent firewall for traffic that would otherwise be blocked in
routed mode. For example, a transparent firewall can allow
multicast streams using an EtherType access list.
Stateful Inspection Overview
All traffic that goes through the security appliance is inspected
using the Adaptive Security Algorithm and either allowed through or
dropped. A simple packet filter can check for the correct source
address, destination address, and ports, but it does not check that
the packet sequence or flags are correct. A filter also checks every
packet against the filter, which can be a slow process.
A stateful firewall like the security appliance, however, takes
into consideration the state of a packet:
Is this a new connection?
If it is a new connection, the security appliance has to check
the packet against access lists and perform other tasks to
determine if the packet is allowed or denied. To perform this
check, the first packet of the session goes through the session
management path, and depending on the type of traffic, it might
also pass through the control plane path.
The session management path is responsible for the following
tasks:
Performing the access list checks
Performing route lookups
Allocating NAT translations (xlates)
Establishing sessions in the fast path
Note The session management path and the fast path make up the
accelerated security path.
Some packets that require Layer 7 inspection (the packet payload
must be inspected or altered) are passed on to the control plane
path. Layer 7 inspection engines are required for protocols that
have two or more channels: a data channel, which uses well-known
port numbers, and a control channel, which uses different port
numbers for each session. These protocols include FTP, H.323, and
SNMP.
Is this an established connection?
If the connection is already established, the security appliance
does not need to re-check packets; most matching packets can go
through the fast path in both directions. The fast path is
responsible for the following tasks:
IP checksum verification
Session lookup
TCP sequence number check
NAT translations based on existing sessions
Layer 3 and Layer 4 header adjustments
For UDP or other connectionless protocols, the security
appliance creates connection state information so that it can also
use the fast path.
Data packets for protocols that require Layer 7 inspection can
also go through the fast path.
Some established session packets must continue to go through the
session management path or the control plane path. Packets that go
through the session management path include HTTP packets that
require inspection or content filtering. Packets that go through
the control plane path include the control packets for protocols
that require Layer 7 inspection.
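The two packet paths described above, together with the embryonic-connection limit from the Applying Connection Limits and TCP Normalization section, as a toy Python model. This is an added illustration, not Cisco code: the Packet summary, the access list tuple format, the verdict strings, and the simplified sequence-number rule are all assumptions made here.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:                  # constructed packet summary, not a parser
    proto: str                 # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""            # TCP flag letters, e.g. "S", "SA", "A"
    seq: int = 0
    payload_len: int = 0

def _key(p, reverse=False):    # 5-tuple; reverse=True is the return direction
    ends = (p.dst, p.dport, p.src, p.sport) if reverse else (p.src, p.sport, p.dst, p.dport)
    return (p.proto,) + ends

class StatefulFirewall:
    def __init__(self, acl, embryonic_limit):
        self.acl = acl                    # (proto, dst, dport, action), first match wins
        self.embryonic_limit = embryonic_limit   # half-open TCP sessions tolerated
        self.sessions, self.embryonic = {}, 0    # 5-tuple -> state, half-open count

    def _acl_permits(self, p):
        for proto, dst, dport, action in self.acl:
            if (proto, dst, dport) == (p.proto, p.dst, p.dport):
                return action == "permit"
        return False                      # implicit deny

    def _session_management_path(self, p):
        """First packet of a flow: access list check, then session creation."""
        if not self._acl_permits(p):
            return "deny-acl"
        if p.proto != "tcp":              # UDP: state kept, no handshake
            self.sessions[_key(p)] = {"established": True}
            return "permit-new"
        if "S" not in p.flags or "A" in p.flags:
            return "deny-nosyn"           # a new TCP flow must start with a SYN
        if self.embryonic >= self.embryonic_limit:
            return "deny-embryonic-limit" # where TCP Intercept would take over
        self.embryonic += 1
        self.sessions[_key(p)] = {"established": False, "next_seq": p.seq + 1}
        return "permit-new"

    def _fast_path(self, p, sess, forward):
        """Existing session: no access list re-check, only the TCP sequence check."""
        if p.proto != "tcp":
            return "permit-fast"
        if not sess["established"]:       # waiting for the responder's SYN-ACK
            if forward or "S" not in p.flags or "A" not in p.flags:
                return "deny-handshake"
            sess["established"], self.embryonic = True, self.embryonic - 1
            return "permit-fast"
        if forward:                       # initiator side is sequence-checked
            if p.seq != sess["next_seq"]:
                return "deny-seq"         # out-of-order or spoofed segment
            sess["next_seq"] += p.payload_len + ("F" in p.flags)
        return "permit-fast"

    def process(self, p):
        for reverse in (False, True):
            sess = self.sessions.get(_key(p, reverse))
            if sess is not None:
                return self._fast_path(p, sess, forward=not reverse)
        return self._session_management_path(p)
```

Feed it a SYN, the SYN-ACK, and data segments in order to watch a flow move from the session management path to the fast path; a third half-open SYN beyond the limit is dropped.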
VPN Functional Overview
A VPN is a secure connection across a TCP/IP network (such as the
Internet) that appears as a private connection. This secure
connection is called a tunnel. The security
appliance uses tunneling protocols to negotiate security
parameters, create and manage tunnels, encapsulate packets,
transmit or receive them through the tunnel, and unencapsulate
them. The security appliance functions as a bidirectional tunnel
endpoint: it can receive plain packets, encapsulate them, and send
them to the other end of the tunnel where they are unencapsulated
and sent to their final destination. It can also receive
encapsulated packets, unencapsulate them, and send them to their
final destination. The security appliance invokes various standard
protocols to accomplish these functions.
The security appliance performs the following functions:
Establishes tunnels
Negotiates tunnel parameters
Authenticates users
Assigns user addresses
Encrypts and decrypts data
Manages security keys
Manages data transfer across the tunnel
Manages data transfer inbound and outbound as a tunnel endpoint
or router
The security appliance invokes various standard protocols to
accomplish these functions.
Intrusion Prevention Services Functional Overview
The Cisco ASA 5500 series adaptive security appliance supports the AIP SSM, an
intrusion prevention services module that monitors and performs
real-time analysis of network traffic by looking for anomalies and
misuse based on an extensive, embedded signature library. When the
system detects unauthorized activity, it can terminate the specific
connection, permanently block the attacking host, log the incident,
and send an alert to the device manager. Other legitimate
connections continue to operate independently without interruption.
For more information, see Configuring the Cisco Intrusion
Prevention System Sensor Using the Command Line Interface.
Security Context Overview
You can partition a single security appliance into multiple virtual devices, known as security
contexts. Each context is an independent device, with its own
security policy, interfaces, and administrators. Multiple contexts
are similar to having multiple standalone devices. Many features
are supported in multiple context mode, including routing tables,
firewall features, IPS, and management. Some features are not
supported, including VPN and dynamic routing protocols.
In multiple context mode, the security appliance includes a
configuration for each context that identifies the security policy,
interfaces, and almost all the options you can configure on a
standalone device. The system administrator adds and manages
contexts by configuring them in the system configuration, which,
like a single mode configuration, is the startup configuration. The
system configuration identifies basic settings for the security
appliance. The system configuration does not include any network
interfaces or network settings for itself; rather, when the system
needs to access network resources (such as downloading the contexts
from the server), it uses one of the contexts that is designated as
the admin context.
The admin context is just like any other context, except that
when a user logs into the admin context, then that user has system
administrator rights and can access the system and all other
contexts.
Note You can run all your contexts in routed mode or transparent
mode; you cannot run some contexts in one mode and others in
another.
Multiple context mode supports static routing only.
Chapter 2
Getting Started
This chapter describes how to access the command-line interface,
configure the firewall mode, and work with the configuration. This
chapter includes the following sections:
Accessing the Command-Line Interface, page 2-1
Setting Transparent or Routed Firewall Mode, page 2-2
Working with the Configuration, page 2-3
Accessing the Command-Line Interface
For initial configuration, access the command-line interface directly from the console port.
Later, you can configure remote access using Telnet or SSH
according to Chapter 33, Managing System Access. If your system is
already in multiple context mode, then accessing the console port
places you in the system execution space. See Chapter 3, Enabling
Multiple Context Mode, for more information about multiple context
mode.
Note If you want to use ASDM to configure the security appliance
instead of the command-line interface, you can connect to the
default management address of 192.168.1.1 (if your security
appliance includes a factory default configuration). On the ASA
5500 series adaptive security appliance, the interface to which you
connect with ASDM is Management 0/0. For the PIX 500 series
security appliance, the interface to which you connect with ASDM is
Ethernet 1. If you do not have a factory default configuration,
follow the steps in this section to access the command-line
interface. You can then configure the minimum parameters to access
ASDM by entering the setup command.
To access the command-line interface, perform the following
steps:
Step 1 Connect a PC to the console port using the provided
console cable, and connect to the console using a terminal emulator
set for 9600 baud, 8 data bits, no parity, 1 stop bit, no flow
control.
See the hardware guide that came with your security appliance
for more information about the console cable.
Step 2 Press the Enter key to see the following prompt:
hostname>
This prompt indicates that you are in user EXEC mode.
Step 3 To access privileged EXEC mode, enter the following
command:
hostname> enable
The following prompt appears:
Password:
Step 4 Enter the enable password at the prompt.
By default, the password is blank, and you can press the Enter
key to continue. See the Changing the Enable Password section on
page 7-1 to change the enable password.
The prompt changes to:
hostname#
To exit privileged mode, enter the disable, exit, or quit
command.
Step 5 To access global configuration mode, enter the following
command:
hostname# configure terminal
The prompt changes to the following:
hostname(config)#
To exit global configuration mode, enter the exit, quit, or end
command.
Setting Transparent or Routed Firewall Mode
You can set the security appliance to run in routed firewall mode
(the default) or transparent firewall mode.
For multiple context mode, you can use only one firewall mode
for all contexts. You must set the mode in the system execution
space.
When you change modes, the security appliance clears the
configuration because many commands are not supported for both
modes. If you already have a populated configuration, be sure to
back up your configuration before changing the mode; you can use
this backup for reference when creating your new configuration.
If you download a text configuration to the security appliance
that changes the mode with the firewall transparent command, be
sure to put the command at the top of the configuration; the
security appliance changes the mode as soon as it reads the command
and then continues reading the configuration you downloaded. If the
command is later in the configuration, the security appliance
clears all the preceding lines in the configuration.
To set the mode to transparent, enter the following command in
the system execution space:
hostname(config)# firewall transparent
This command also appears in each context configuration for
informational purposes only; you cannot enter this command in a
context.
To set the mode to routed, enter the following command in the
system execution space:
hostname(config)# no firewall transparent
Working with the Configuration
This section describes how to work with the configuration. The
security appliance loads the configuration from a text file, called
the startup configuration.
This file resides by default as a hidden file in internal Flash
memory. You can, however, specify a different path for the startup
configuration. (For more information, see Chapter 34, Managing
Software, Licenses, and Configurations.)
When you enter a command, the change is made only to the running
configuration in memory. You must manually save the running
configuration to the startup configuration for your changes to
remain after a reboot.
The information in this section applies to both single and
multiple security contexts, except where noted. Additional
information about contexts is in Chapter 3, Enabling Multiple
Context Mode.
This section includes the following topics:
Saving Configuration Changes, page 2-3
Copying the Startup Configuration to the Running Configuration,
page 2-3
Viewing the Configuration, page 2-4
Clearing and Removing Configuration Settings, page 2-4
Creating Text Configuration Files Offline, page 2-5
Saving Configuration Changes
To save your running configuration to the startup configuration,
enter the following command:
hostname# write memory
For multiple context mode, you must enter this command within
each context. Context startup configurations can reside on external
servers. In this case, the security appliance saves the
configuration back to the server you identified in the context URL,
except for an HTTP or HTTPS URL, which does not let you save the
configuration to the server.
Note The copy running-config startup-config command is
equivalent to the write memory command.
Copying the Startup Configuration to the Running Configuration
Copy a new startup configuration to the running configuration using
one of these options:
To merge the startup configuration with the running
configuration, enter the following command:
hostname(config)# copy startup-config running-config
To load the startup configuration and discard the running
configuration, restart the security appliance by entering the
following command:
hostname# reload
Alternatively, you can use the following commands to load the
startup configuration and discard the running configuration without
requiring a reboot:
hostname/contexta(config)# clear configure all
hostname/contexta(config)# copy startup-config running-config
Viewing the Configuration
The following commands let you view the running and startup
configurations.
To view the running configuration, enter the following
command:
hostname# show running-config
To view the running configuration of a specific command, enter
the following command:
hostname# show running-config command
To view the startup configuration, enter the following
command:
hostname# show startup-config
Clearing and Removing Configuration Settings
To erase settings, enter one of the following commands.
To clear all the configuration for a specified command, enter
the following command:
hostname(config)# clear configure configurationcommand
[level2configurationcommand]
This command clears all the current configuration for the
specified configuration command. If you only want to clear the
configuration for a specific version of the command, you can enter
a value for level2configurationcommand.
For example, to clear the configuration for all aaa commands,
enter the following command:
hostname(config)# clear configure aaa
To clear the configuration for only aaa authentication commands,
enter the following command:
hostname(config)# clear configure aaa authentication
To disable the specific parameters or options of a command,
enter the following command:
hostname(config)# no configurationcommand
[level2configurationcommand] qualifier
In this case, you use the no command to remove the specific
configuration identified by qualifier.
For example, to remove a specific nat command, enter enough of
the command to identify it uniquely as follows:
hostname(config)# no nat (inside) 1
To erase the startup configuration, enter the following
command:
hostname(config)# write erase
To erase the running configuration, enter the following
command:
hostname(config)# clear configure all
Note In multiple context mode, if you enter clear configure all
from the system configuration, you also remove all contexts and
stop them from running.
Creating Text Configuration Files Offline
This guide describes how to use the CLI to configure the security
appliance; when you save commands, the changes are written to a
text file. Instead of
using the CLI, however, you can edit a text file directly on your
PC and paste a configuration at the configuration mode command-line
prompt in its entirety, or line by line. Alternatively, you can
download a text file to the security appliance internal Flash
memory. See Chapter 34, Managing Software, Licenses, and
Configurations, for information on downloading the configuration
file to the security appliance.
In most cases, commands described in this guide are preceded by
a CLI prompt. The prompt in the following example is
hostname(config)#:
hostname(config)# context a
In the text configuration file you are not prompted to enter
commands, so the prompt is omitted as follows:
context a
For additional information about formatting the file, see
Appendix C, Using the Command-Line Interface.
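A small Python check for a configuration file prepared offline, added here as an illustration and not a Cisco tool. It strips pasted CLI prompts, as this section says text files must omit them, and warns when a mode-changing firewall transparent or no firewall transparent line follows other commands, the ordering that the Setting Transparent or Routed Firewall Mode section says clears every preceding line. The prompt pattern and the sample configuration are assumptions.

```python
import re

# A CLI prompt such as "hostname(config)# " or "hostname/contexta(config)# "
# (pattern assumed here; adjust if your hostnames use other characters).
PROMPT_RE = re.compile(r"^[\w.-]+(?:/[\w.-]+)?(?:\([\w-]+\))?[#>]\s*")
# Lines that carry no command: blanks, "!" comments, ": Saved"-style headers.
NON_COMMAND_RE = re.compile(r"^\s*(!|:|$)")
MODE_COMMANDS = ("firewall transparent", "no firewall transparent")


def strip_prompt(line):
    """Remove a prompt copied from an interactive session; text files carry bare commands."""
    return PROMPT_RE.sub("", line, count=1)


def check_offline_config(text):
    """Return (cleaned_lines, findings) for the contents of a text configuration file."""
    cleaned, findings = [], []
    first_command_at = None                  # line number of the first real command
    for num, raw in enumerate(text.splitlines(), start=1):
        line = strip_prompt(raw)
        if line != raw:
            findings.append(f"line {num}: CLI prompt removed")
        cleaned.append(line)
        if NON_COMMAND_RE.match(line):
            continue
        cmd = line.strip()
        if cmd in MODE_COMMANDS:
            if first_command_at is not None:
                findings.append(f"line {num}: '{cmd}' follows a command on line "
                                f"{first_command_at}; a mode change here clears "
                                "every line read before it, so move it to the top")
        elif first_command_at is None:
            first_command_at = num
    return cleaned, findings


if __name__ == "__main__":
    # Constructed sample: a pasted prompt and a mode command buried mid-file.
    SAMPLE = """hostname(config)# interface Vlan1
 nameif inside
firewall transparent
"""
    lines, problems = check_offline_config(SAMPLE)
    print("\n".join(lines))
    for problem in problems:
        print("WARNING:", problem)
```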
Chapter 3
Enabling Multiple Context Mode
This chapter describes how to use security contexts and enable
multiple context mode. This chapter includes the following
sections:
Security Context Overview, page 3-1
Enabling or Disabling Multiple Context Mode, page 3-10
Security Context Overview
You can partition a single security appliance into multiple virtual
devices, known as security contexts. Each context is an independent
device, with its own
security policy, interfaces, and administrators. Multiple contexts
are similar to having multiple standalone devices. Many features
are supported in multiple context mode, including routing tables,
firewall features, IPS, and management. Some features are not
supported, including VPN and dynamic routing protocols.
In multiple context mode, the security appliance includes a
configuration for each context that identifies the security policy,
interfaces, and almost all the options you can configure on a
standalone device. The system administrator adds and manages
contexts by configuring them in the system configuration, which,
like a single mode configuration, is the startup configuration. The
system configuration identifies basic settings for the security
appliance. The system configuration does not include any network
interfaces or network settings for itself; rather, when the system
needs to access network resources (such as downloading the contexts
from the server), it uses one of the contexts that is designated as
the admin context.
The admin context is just like any other context, except that
when a user logs in to the admin context, then that user has system
ad