
OL-19983-01

APPENDIX F

Policy Object Manager User Interface Reference

The Policy Object Manager is used to create and globally manage all the policy objects configured with Cisco Security Manager. You use policy objects to simplify the creation of device-level and shared policies.

This chapter contains the following topics:

• Policy Object Manager Window, page F-1

• Policy Object Add or Edit Dialog Boxes, page F-4

• Object Selectors, page F-205

• Object Usage Dialog Box, page F-206

• Policy Object Overrides Window, page F-207

Policy Object Manager Window

Use the Policy Object Manager window to:

• View all the available objects grouped according to object type.

• Create, copy, edit, and delete policy objects.

• Generate usage reports, which describe how selected objects are being used by other Security Manager objects and policies.

Navigation Path

Click the Policy Object Manager button on the toolbar or select Tools > Policy Object Manager.

Related Topics

• Appendix F, “Policy Object Manager User Interface Reference”

• Creating Policy Objects, page 8-4

• Object Usage Dialog Box, page F-206

• Policy Object Overrides Window, page F-207

• Selecting Objects for Policies, page 8-2

• How Policy Objects are Provisioned as ASA/PIX/FWSM Object Groups, page 8-96

• Filtering Tables, page 2-16

F-1 User Guide for Cisco Security Manager 3.3


Field Reference

Table F-1 Policy Object Manager Window

Element Description

Object Type selector or table of contents

(Left pane.)

Lists the object types available in Security Manager. When you select an object type, all existing objects of that type are listed in the table in the right pane.

Policy Object Table (Right Pane)

The policy object table in the right pane lists existing objects of the type selected in the table of contents. Using this table, you create new objects and work with existing ones. You can use the buttons below the table, or right-click within the table to see additional commands (see Policy Object Manager Window Shortcut Menu, page F-3).

Except for the Access Control Lists (ACL) object, there is one table per object type. For ACLs, there are tabs to separate Extended, Standard, and Web ACLs. Select the appropriate tab to work with the desired object type.

The columns in the table vary based on the type of object you select. You can alter the columns displayed in the table by right-clicking the table heading and selecting or deselecting columns in the Show Columns command. You can also sort the information by the contents in a column by clicking the column heading; click the heading to toggle between alphabetical and reverse alphabetical sorting.

For detailed information on the settings that are displayed in the table, click the Create or Edit buttons below the table and click Help in the dialog box that is opened. Following is a description of the columns that you typically see.

Icon (unlabeled field) The icon displayed for a policy object type identifies objects of that type wherever they appear, such as in rules tables. If the icon includes the image of a pencil, you can edit it.

Name The name of the policy object.

Content A summary of the object definition that might not include all defined settings.

Permit For ACL objects, if the Access Control Entry (ACE) allows traffic, a check mark appears in the Permit column. If the action is deny, a red circle with a slash appears.

Category The category object that is assigned to the object, if any. Categories help you organize and identify rules and objects. For more information, see Using Category Objects, page 8-6.

Overridable Whether a user can override the object properties at the device level. A check mark indicates that the object can be overridden. Not all object types are overridable.

For more information about device overrides, see Managing Object Overrides, page 8-9.

Description If a paper icon appears in this column, there is a description for the object. Double-click the icon to view the description or mouse-over the icon.

Buttons Below Table

Click the New Object button to create a new object. The same icon is used for any button that adds an item to a table.

Clicking this button opens a dialog box to create the object. Click the Help button in the dialog box for information on the selected object type. Also, see Creating Policy Objects, page 8-4.

Click the Edit Object button to edit the selected object. The same icon is used for editing any object in a table.

The dialog box used for editing the object is the same as the one used for creating the object. If you try to edit a system-defined default object, you are allowed only to view the object contents. Click the Help button in the dialog box for information on the settings. For more information, see Editing Objects, page 8-6.

Click the Delete Object button to delete the selected object. You can delete only user-defined objects that are not currently being used in a policy or another policy object. For more information, see Deleting Objects, page 8-8.

Policy Object Manager Window Shortcut Menu

Right-clicking inside the policy object table in the Policy Object Manager Window, page F-1 displays a shortcut menu for performing various functions on the selected object type.

Field Reference

Table F-2 Policy Object Manager Window Shortcut Menu

Menu Command Description

New Object Select this command to create a new policy object. Click Help in the dialog box that is opened for information specific to the object type. Also, see Creating Policy Objects, page 8-4.

Edit Object Select this command to edit the policy object selected in the table. If you select a system-defined default object, you are presented with a view-only look at the object definition. For more information, see Editing Objects, page 8-6.

Delete Object Select this command to delete the policy object selected in the table. You can delete only user-defined objects that are not being used in a policy or in another policy object. For more information, see Deleting Objects, page 8-8.

Edit Device Overrides Select this command to change the device-level overrides for this object using the Policy Object Overrides Window, page F-207. You can create, edit, and delete overrides. For more information, see Managing Object Overrides, page 8-9.

Create Duplicate Select this command to create a copy of the policy object. For more information, see Duplicating Objects, page 8-7.

Find Usage Select this command to generate a usage report for the selected object using the Object Usage Dialog Box, page F-206. The usage report tells you where the object is currently being used. For more information, see Generating Object Usage Reports, page 8-8.

View Object Select this command to view the definition of the object using a read-only version of the edit dialog box for the object. For more information, see Viewing Object Details, page 8-8.

Policy Object Add or Edit Dialog Boxes

When you add or edit a policy object, a dialog box is opened that contains the settings for that type of policy object. Click Help in the dialog box for detailed information on the settings available for that type of object.

This section contains the following topics:

• AAA Server Group Dialog Box, page F-6

• Add or Edit AAA Server Dialog Box, page F-8

• Add or Edit Access List Dialog Boxes, page F-19

• ASA Group Policies Dialog Box, page F-25

• Category Editor Dialog Box, page F-43

• Add or Edit Secure Desktop Configuration Dialog Box, page F-44

• Credentials Dialog Box, page F-46

• Add and Edit File Object Dialog Boxes, page F-47

• Add or Edit FlexConfig Dialog Box, page F-48

• Add or Edit IKE Proposal Dialog Box, page F-53

• Interface Role Dialog Box, page F-56

• Add or Edit IPSec Transform Set Dialog Box, page F-57

• Add and Edit LDAP Attribute Map Dialog Boxes, page F-59

• Add or Edit Class Maps Dialog Boxes, page F-61

• Add or Edit Inspect Parameter Map Dialog Boxes, page F-74

• Add or Edit Protocol Info Parameter Map Dialog Boxes, page F-76

• Add or Edit Local Web Filter Parameter Map Dialog Boxes, page F-77

• Add or Edit N2H2 or WebSense Parameter Map Dialog Boxes, page F-78

• Add or Edit Trend Parameter Map Dialog Boxes, page F-81

• Add or Edit URL Filter Parameter Map Dialog Boxes, page F-82

• Add or Edit URLF Glob Parameter Map Dialog Boxes, page F-84

• Add or Edit DCE/RPC Dialog Box, page F-86

• Add and Edit DNS Map Dialog Boxes, page F-87


• Add or Edit ESMTP Map Dialog Boxes, page F-92

• Add and Edit FTP Map Dialog Boxes, page F-95

• Add and Edit GTP Map Dialog Boxes, page F-99

• Add and Edit H.323 Map Dialog Boxes, page F-103

• Add and Edit HTTP Map Dialog Boxes for ASA 7.1.x/PIX 7.1.x/FWSM 3.x/IOS Devices, page F-107

• Add or Edit HTTP Map Dialog Boxes for ASA 7.2+/PIX 7.2+ Devices, page F-115

• Add and Edit IM Map Dialog Boxes (for ASA 7.2+/PIX 7.2+), page F-121

• Add or Edit IM Map (IOS) Dialog Boxes, page F-124

• Add or Edit IPsec Pass Through Map Dialog Boxes, page F-125

• Add or Edit NetBIOS Map Dialog Boxes, page F-126

• Add or Edit SIP Map Dialog Boxes, page F-127

• Add or Edit Skinny Map Dialog Boxes, page F-131

• Add and Edit SNMP Map Dialog Boxes, page F-133

• Add or Edit Policy Maps Dialog Boxes for Zone-Based Firewall Policies, page F-134

• Add and Edit Web Filter Map Dialog Boxes, page F-136

• Add and Edit Regular Expression Group Dialog Boxes, page F-138

• Add and Edit Regular Expression Dialog Boxes, page F-138

• Add and Edit TCP Map Dialog Boxes, page F-139

• Add or Edit Network/Host Dialog Box, page F-141

• PKI Enrollment Dialog Box, page F-142

• Add or Edit Port Forwarding List Dialog Boxes, page F-151

• Add or Edit Port List Dialog Box, page F-153

• Add and Edit Service Dialog Boxes, page F-154

• Add or Edit Single Sign On Server Dialog Boxes, page F-156

• Add or Edit SLA Monitor Dialog Box, page F-158

• Add or Edit Bookmarks Dialog Boxes, page F-159

• Add and Edit SSL VPN Customization Dialog Boxes, page F-163

• Add or Edit SSL VPN Gateway Dialog Box, page F-176

• Add and Edit Smart Tunnel List Dialog Boxes, page F-177

• Add or Edit Text Object Dialog Box, page F-181

• Add or Edit Time Range Dialog Box, page F-182

• Add and Edit Traffic Flow Dialog Boxes, page F-184

• Add or Edit User Group Dialog Box, page F-187

• Add or Edit WINS Server List Dialog Box, page F-203

AAA Server Group Dialog Box

Use the AAA Server Group dialog box to create, copy, and edit AAA server groups. When defining a policy that uses a AAA server for authentication, authorization, or accounting, you select the server by selecting the server group to which the server belongs.

Navigation Path

Select Tools > Policy Object Manager, then select AAA Server Groups from the Object Type Selector. Right-click inside the work area and select New Object or right-click a row and select Edit Object.

Related Topics

• Creating AAA Server Group Objects, page 8-22

• Understanding AAA Server and Server Group Objects, page 8-15

• Creating Policy Objects, page 8-4

• Add or Edit AAA Server Dialog Box, page F-8

• Policy Object Manager Window, page F-1

Field Reference

Table F-3 AAA Server Group Dialog Box

Element Description

Name The object name (up to 16 characters when using this object with firewall devices; up to 128 characters for Cisco IOS routers). Object names are not case-sensitive. Spaces are not supported.

Consider the following important points:

• Cisco IOS routers do not support AAA server groups named RADIUS, TACACS, or TACACS+. In addition, we do not recommend using an abbreviation of one of these names, such as rad or tac.

• If you define this AAA server group as the RADIUS or TACACS+ default group, any name you define here is automatically replaced in the device configuration by the default name (RADIUS or TACACS+) upon deployment.

Description An optional description of the object.

Protocol The protocol used by the AAA servers in the group. For more information about these options, see Supported AAA Server Types, page 8-16 and Additional AAA Support on ASA, PIX, and FWSM Devices, page 8-17.

AAA Servers The AAA server policy objects that comprise the server group. Enter the names of the objects or click Select to select them from a list that is filtered to show only those AAA server objects that use the selected protocol. Separate multiple objects with commas. You can also create new objects from the selection list.


Make this Group the Default AAA Server Group (IOS)

(IOS devices only.)

Whether to designate this AAA server group as the default group for the RADIUS or TACACS+ protocol. Select this option if you intend to use a single global group for the selected protocol for all policies on a specific device requiring AAA.

Do not select this option if you intend to create multiple RADIUS or TACACS+ AAA server groups. Multiple groups can be used to separate different AAA functions (for example, use one group for authentication and a different group for authorization) or to separate different customers in a VRF environment.

Note When you discover an IOS router, any AAA servers in the device configuration that are not members of a AAA server group are placed in special groups called CSM-rad-grp (for RADIUS) and CSM-tac-grp (for TACACS+), both of which are marked as default groups. These two groups are created solely to enable Security Manager to manage these servers. During deployment, the AAA servers in these special groups are deployed back to the device as individual servers. For more information, see Default AAA Server Groups and IOS Devices, page 8-19.

Max Failed Attempts

(PIX, ASA, FWSM devices only.)

The number of connection attempts that can fail before an unresponsive AAA server in the group is deactivated.

Values range from 1 to 5.

Reactivation Mode

(PIX, ASA, FWSM devices only.)

The method to use when reactivating failed AAA servers in the group:

• Depletion—Reactivate failed servers only after all of the servers in the group fail. This is the default.

• Timed—Reactivate failed servers after 30 seconds of downtime.

Note You must use the Timed option when using Simultaneous as the Group Accounting Mode.

Reactivation Deadtime

(PIX, ASA, FWSM devices only.)

When you select Depletion as the reactivation mode, the number of minutes that should elapse between the deactivation of the last server in the group and the reactivation of all the servers in the group. Values range from 0 to 1440 minutes (24 hours).

Group Accounting Mode

(PIX, ASA, FWSM devices only.)

When using the RADIUS or TACACS+ protocols, the method for sending accounting messages to the AAA servers in the group:

• Simultaneous—Accounting messages are sent to all servers in the group simultaneously.

Note If you select this option, you must select Timed as the Reactivation Mode.

• Single—Accounting messages are sent to a single server in the group. This is the default.

Category The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6.
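The Max Failed Attempts, Reactivation Mode, Reactivation Deadtime and Group Accounting Mode settings above interact: a server leaves the rotation after the configured number of failed attempts, Depletion mode brings the group back only after the last server has failed and the deadtime has elapsed, Timed mode brings each server back after 30 seconds, and Simultaneous accounting is valid only with Timed reactivation. The following Python model is an added example (not Security Manager or ASA code) that walks a constructed timeline through those rules; the class and function names, the request flow, and the assumption that one unanswered request counts as one failed attempt are this example's own.

```python
"""Model of the Table F-3 failover settings for a PIX/ASA/FWSM AAA server group.
Added example with constructed scenarios; not Security Manager or ASA code."""
from dataclasses import dataclass, field
from enum import Enum


class ReactivationMode(Enum):
    DEPLETION = "depletion"  # reactivate only after every server in the group has failed
    TIMED = "timed"          # reactivate each failed server after a fixed 30 s


class AccountingMode(Enum):
    SINGLE = "single"
    SIMULTANEOUS = "simultaneous"


TIMED_DOWNTIME_SECONDS = 30  # fixed Timed-mode downtime stated in Table F-3


@dataclass
class AAAServerGroup:
    servers: list
    max_failed_attempts: int = 3
    reactivation: ReactivationMode = ReactivationMode.DEPLETION
    deadtime_minutes: int = 10
    accounting: AccountingMode = AccountingMode.SINGLE
    failures: dict = field(default_factory=dict)        # server -> failed attempts so far
    deactivated_at: dict = field(default_factory=dict)  # server -> time (s) it went down
    depleted_at: float = None                           # time the last active server went down

    def __post_init__(self):
        # Range and dependency rules from Table F-3
        if not 1 <= self.max_failed_attempts <= 5:
            raise ValueError("Max Failed Attempts must be 1-5")
        if not 0 <= self.deadtime_minutes <= 1440:
            raise ValueError("Reactivation Deadtime must be 0-1440 minutes")
        if (self.accounting is AccountingMode.SIMULTANEOUS
                and self.reactivation is not ReactivationMode.TIMED):
            raise ValueError("Simultaneous accounting requires Timed reactivation")
        self.failures = {s: 0 for s in self.servers}

    def active_servers(self):
        return [s for s in self.servers if s not in self.deactivated_at]

    def record_failure(self, server, now):
        """One unanswered request to `server` at time `now` (seconds); assumption: one failed attempt."""
        self.failures[server] += 1
        if self.failures[server] >= self.max_failed_attempts:
            self.deactivated_at.setdefault(server, now)
            if self.reactivation is ReactivationMode.DEPLETION and not self.active_servers():
                self.depleted_at = now

    def tick(self, now):
        """Reactivate servers whose downtime has expired as of time `now`."""
        if self.reactivation is ReactivationMode.TIMED:
            for s in list(self.deactivated_at):
                if now - self.deactivated_at[s] >= TIMED_DOWNTIME_SECONDS:
                    self._reactivate(s)
        elif self.depleted_at is not None and now - self.depleted_at >= self.deadtime_minutes * 60:
            for s in list(self.deactivated_at):
                self._reactivate(s)
            self.depleted_at = None

    def _reactivate(self, server):
        del self.deactivated_at[server]
        self.failures[server] = 0

    def accounting_targets(self):
        """Servers that receive an accounting message under the group's accounting mode."""
        active = self.active_servers()
        return active if self.accounting is AccountingMode.SIMULTANEOUS else active[:1]


def depletion_timeline():
    """Constructed scenario: two servers, 2 failed attempts deactivate a server, 1 min deadtime."""
    g = AAAServerGroup(["rad1", "rad2"], max_failed_attempts=2, deadtime_minutes=1)
    out = {}
    g.record_failure("rad1", 0)
    g.record_failure("rad1", 1)  # rad1 deactivated at t=1
    g.tick(200)
    out["rad1_down_only"] = g.active_servers()  # Depletion mode: nothing comes back yet
    g.record_failure("rad2", 200)
    g.record_failure("rad2", 201)  # last server down at t=201, deadtime starts
    g.tick(250)
    out["within_deadtime"] = g.active_servers()  # 49 s elapsed, less than the 60 s deadtime
    g.tick(262)
    out["after_deadtime"] = g.active_servers()  # whole group reactivated together
    return out


def timed_timeline():
    """Constructed scenario: Timed reactivation with Simultaneous accounting."""
    g = AAAServerGroup(["rad1", "rad2"], max_failed_attempts=1,
                       reactivation=ReactivationMode.TIMED,
                       accounting=AccountingMode.SIMULTANEOUS)
    out = {}
    g.record_failure("rad1", 0)  # a single failure deactivates rad1
    g.tick(20)
    out["before_30s"] = g.active_servers()
    out["accounting_while_down"] = g.accounting_targets()
    g.tick(30)
    out["after_30s"] = g.active_servers()  # rad1 back after 30 s, independently of rad2
    out["accounting_after"] = g.accounting_targets()
    return out


def simultaneous_requires_timed():
    """True if the Table F-3 dependency (Simultaneous needs Timed) is enforced."""
    try:
        AAAServerGroup(["rad1"], accounting=AccountingMode.SIMULTANEOUS)
    except ValueError:
        return True
    return False
```

The two timelines show why the Timed constraint exists: under Depletion, a group whose last server has just failed has no active member to receive the simultaneous accounting messages until the deadtime expires, whereas Timed reactivation restores each server on its own schedule.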

Table F-3 AAA Server Group Dialog Box (Continued)

Element Description

Allow Value Override per Device

Overrides

Edit button

Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden, page 8-10 and Understanding Policy Object Overrides for Individual Devices, page 8-9.

If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.

Add or Edit AAA Server Dialog Box

Use the Add or Edit AAA Server dialog box to create, copy, and edit a AAA server object. These objects are collected into AAA server group objects, and identify the AAA servers that you want to use when defining various AAA policies.

For a description of the protocols you can use, see Supported AAA Server Types, page 8-16 and Additional AAA Support on ASA, PIX, and FWSM Devices, page 8-17.

Note You cannot edit the protocol if the object is already included in a AAA server group.

Navigation Path

Select Tools > Policy Object Manager, then select AAA Servers from the Object Type Selector. Right-click inside the work area and select New Object or right-click a row and select Edit Object.

Related Topics

• Creating AAA Server Objects, page 8-20

• Understanding AAA Server and Server Group Objects, page 8-15

• Policy Object Manager Window, page F-1

Field Reference

Table F-4 AAA Server Dialog Box—General Settings

Element Description

Name The object name, which can be up to 128 characters. Object names are not case-sensitive. For more information, see Creating Policy Objects, page 8-4.

Description An optional description of the object.


Host The address of the AAA server to which authentication requests will be sent. Specify one of the following:

• IP Address—The IP address or (for ASA or PIX 7.2+ devices) host name of the AAA server. You can also enter the name of a network/host object that contains the host IP address, or click Select to select the object.

• DNS Name (For PIX/ASA 7.2+ devices only)—The DNS hostname of the AAA server, up to 128 characters. The hostname can contain alphanumeric characters and hyphens, but each element of the hostname must begin and end with an alphanumeric character.

Interface The interface whose IP address should be used for all outgoing RADIUS or TACACS packets (known as the source interface). Enter the name of an interface or interface role, or click Select to select it from a list or to create a new interface role.

If you enter the name of an interface, make sure the policy that uses this AAA object is assigned to a device containing an interface with this name.

If you enter the name of an interface role, make sure the role represents a single interface, not multiple interfaces.

Note Only one source interface can be defined for the AAA servers in a AAA server group. An error is displayed when you submit your changes if different AAA servers in the group use different source interfaces. See Creating AAA Server Group Objects, page 8-22.

Timeout The amount of time to wait until the AAA server is considered unresponsive:

• Values for Cisco IOS routers range from 1 to 1000 seconds. The default is 5 seconds.

• Values for ASA/PIX 7.x+ devices range from 1 to 60 seconds. The default is 10 seconds.

• Values for PIX devices running PIX 6.3 range from 1 to 30 seconds. The default is 5 seconds.
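As an added example (not Security Manager's own validation code), the following Python checks an AAA server object's General Settings against the Name, Host and Timeout rules in Table F-4 before it is submitted: name length and case-insensitive uniqueness, the DNS-name format allowed on PIX/ASA 7.2+, and the per-platform timeout range and default. The platform keys, the dict layout of the object, and the treatment of the whole ASA/PIX 7.x range as 7.2+ for DNS names are assumptions of this example; references to network/host objects in the Host field are not handled.

```python
"""Pre-submission checks for the General Settings of a AAA server object (Table F-4).
Added example; constructed, not Security Manager code. Platform keys are assumptions."""
import ipaddress
import re

# (minimum, maximum, default) timeout in seconds, from the Timeout row of Table F-4
TIMEOUT_RULES = {
    "ios": (1, 1000, 5),
    "asa_pix_7x": (1, 60, 10),
    "pix_63": (1, 30, 5),
}
# The Host row allows a DNS name only on PIX/ASA 7.2+; this example treats the
# whole "asa_pix_7x" key as 7.2+ (assumption).
DNS_HOST_PLATFORMS = {"asa_pix_7x"}
MAX_NAME = 128      # Name row: up to 128 characters
MAX_DNS_NAME = 128  # Host row: DNS name up to 128 characters
# One hostname element: alphanumerics and hyphens, first and last character alphanumeric
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")


def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def dns_name_errors(name):
    """Apply the Host row's DNS-name rules; returns a list of problems (empty if valid)."""
    errors = []
    if len(name) > MAX_DNS_NAME:
        errors.append(f"DNS name exceeds {MAX_DNS_NAME} characters")
    for label in name.split("."):
        if not LABEL_RE.match(label):
            errors.append(f"hostname element {label!r} must use alphanumerics/hyphens "
                          "and start and end with an alphanumeric character")
    return errors


def validate_aaa_server(obj, platform, existing_names=()):
    """obj is a dict with 'name', 'host' and optional 'timeout' (constructed layout)."""
    errors = []
    name = obj.get("name", "")
    if not name or len(name) > MAX_NAME:
        errors.append(f"name must be 1-{MAX_NAME} characters")
    # Object names are not case-sensitive, so uniqueness is checked case-folded
    if name.casefold() in {n.casefold() for n in existing_names}:
        errors.append(f"an object named {name!r} already exists (names are not case-sensitive)")
    host = obj.get("host", "")
    if not _is_ip(host):
        if platform in DNS_HOST_PLATFORMS:
            errors.extend(dns_name_errors(host))
        else:
            errors.append("host must be an IP address on this platform (DNS names need PIX/ASA 7.2+)")
    low, high, default = TIMEOUT_RULES[platform]
    timeout = obj.get("timeout", default)  # an omitted timeout takes the platform default
    if not low <= timeout <= high:
        errors.append(f"timeout {timeout}s is outside {low}-{high}s for {platform}")
    return errors
```

A timeout that is valid for an IOS router (say 120 seconds) fails the same check for an ASA, which is the kind of mismatch that otherwise surfaces only at deployment time.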


AAA Server Dialog Box—RADIUS Settings

Use the RADIUS settings in the AAA Server dialog box to configure a RADIUS AAA server object.

Navigation Path

Go to the Add or Edit AAA Server Dialog Box, page F-8 and select RADIUS in the Protocol field.

Related Topics

• Creating AAA Server Objects, page 8-20

• Understanding AAA Server and Server Group Objects, page 8-15

• AAA Server Group Dialog Box, page F-6

Table F-4 AAA Server Dialog Box—General Settings (Continued)

Element Description

Protocol The protocol used by the AAA server. The fields to the right of the protocol list change depending on your selection.

For specific information about the fields, see the topics indicated.

• The following protocols are supported for all device types:

– RADIUS—See AAA Server Dialog Box—RADIUS Settings, page F-10.

– TACACS+—See AAA Server Dialog Box—TACACS+ Settings, page F-12.

• The following protocols are supported for ASA/PIX 7.x+ and FWSM 3.1+ devices:

– Kerberos—See AAA Server Dialog Box—Kerberos Settings, page F-13.

– LDAP—See AAA Server Dialog Box—LDAP Settings, page F-14.

– NT—See AAA Server Dialog Box—NT Settings, page F-16.

– SDI—See AAA Server Dialog Box—SDI Settings, page F-16.

– HTTP-FORM—See AAA Server Dialog Box—HTTP-FORM Settings, page F-17.

Category The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6.


Field Reference

Table F-5 AAA Server Dialog Box—RADIUS Settings

Element Description

Key

Confirm

The shared secret that is used to encrypt data between the client and AAA server. The key is a case-sensitive, alphanumeric string of up to 127 characters (U.S. English). Spaces and special characters are permitted.

The key you define in this field must match the key on the RADIUS server. Enter the key again in the Confirm field.

Note the following:

• Activity validation fails if you try defining a key with a space on a PIX, ASA, or FWSM device.

• If you do not define a key, all traffic between the AAA server and its AAA clients is sent unencrypted.

Authentication/Authorization Port

The port on which AAA authentication and authorization are performed. The default is 1645.

Accounting Port The port on which AAA accounting is performed. The default is 1646.

RADIUS Password

Confirm

(ASA, PIX 7.x+, and FWSM 3.x+ devices only.)

The alphanumeric keyword that serves as the password to the RADIUS server (maximum of 128 characters; spaces are not allowed). Enter the password again in the Confirm field.

Retry Interval

(ASA, PIX 7.x+, and FWSM 3.x+ devices only.)

The interval between attempts to contact the AAA server. Values are:

• ASA/FWSM devices—1 to 10 seconds.

• PIX devices—1 to 5 seconds.


AAA Server Dialog Box—TACACS+ Settings

Use the TACACS+ settings in the AAA Server dialog box to configure a TACACS+ AAA server object.

Navigation Path

Go to the Add or Edit AAA Server Dialog Box, page F-8 and select TACACS+ in the Protocol field.

Related Topics

• Creating AAA Server Objects, page 8-20

• Understanding AAA Server and Server Group Objects, page 8-15

• AAA Server Group Dialog Box, page F-6

Table F-5 AAA Server Dialog Box—RADIUS Settings (Continued)

Element Description

ACL Netmask Convert

(ASA, PIX 7.x+, and FWSM 3.x+ devices only.)

The method for handling the netmask expressions that are contained in downloadable ACLs received from the RADIUS server:

• Standard—The security appliance assumes that all downloadable ACLs received from the RADIUS server contain only standard netmask expressions. No translation from wildcard netmask expressions is performed. This is the default.

• Auto-Detect—The security appliance tries to determine the type of netmask expression used in the downloadable ACL. If it detects a wildcard netmask expression (used by Cisco IOS software), it converts it to a standard netmask expression.

• Wildcard—The security appliance assumes that all downloadable ACLs received from the RADIUS server contain only wildcard netmask expressions, which it converts to standard netmask expressions.

Some Cisco products, including Cisco IOS routers, require that downloadable ACLs be configured with wildcards instead of network masks. ASA devices, on the other hand, require that downloadable ACLs be configured with network masks. This feature allows the ASA device to internally convert a wildcard to a netmask. Translation of wildcard netmask expressions means that downloadable ACLs written for Cisco IOS routers can be used by ASA devices without altering the configuration of the ACLs on the RADIUS server.
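To make the three ACL Netmask Convert options concrete, the following Python is an added example (not ASA or Security Manager code) that applies Standard, Auto-Detect and Wildcard handling to the address/mask pairs of a downloadable ACE carried in a constructed cisco-av-pair. A wildcard mask is recognised as a run of zero bits followed by ones and a standard netmask as ones followed by zeros; an all-zero or all-ones mask is valid in both forms, and leaving it unchanged under Auto-Detect is this example's assumption, not behaviour the page states.

```python
"""Model of the ACL Netmask Convert options (Standard, Auto-Detect, Wildcard).
Added example; not ASA or Security Manager code. The sample av-pair below is constructed."""
import ipaddress

ALL_ONES = 0xFFFFFFFF


def _mask_int(mask):
    return int(ipaddress.IPv4Address(mask))


def is_standard_netmask(mask):
    """Contiguous ones followed by zeros, e.g. 255.255.255.0."""
    inverted = (~_mask_int(mask)) & ALL_ONES
    return inverted & (inverted + 1) == 0


def is_wildcard_mask(mask):
    """Contiguous zeros followed by ones, e.g. 0.0.0.255 (IOS wildcard style)."""
    value = _mask_int(mask)
    return value & (value + 1) == 0


def wildcard_to_netmask(mask):
    return str(ipaddress.IPv4Address((~_mask_int(mask)) & ALL_ONES))


def convert_mask(mask, mode):
    """Return (mask as the appliance will use it, classification) for one mask under `mode`."""
    if mode == "standard":          # no translation at all (the default option)
        return mask, "standard"
    if mode == "wildcard":          # every mask is assumed to be a wildcard
        return wildcard_to_netmask(mask), "wildcard"
    if mode != "auto-detect":
        raise ValueError(f"unknown mode {mode!r}")
    standard, wildcard = is_standard_netmask(mask), is_wildcard_mask(mask)
    if standard and wildcard:       # 0.0.0.0 or 255.255.255.255: both forms valid
        return mask, "ambiguous"    # assumption of this example: left unchanged
    if wildcard:
        return wildcard_to_netmask(mask), "wildcard"
    if standard:
        return mask, "standard"
    return mask, "invalid"          # non-contiguous bits: neither form


def _is_ipv4(token):
    try:
        ipaddress.IPv4Address(token)
        return True
    except ValueError:
        return False


def convert_ace(ace, mode):
    """Rewrite every 'address mask' pair in an extended ACE; other tokens pass through."""
    tokens = ace.split()
    out, i = [], 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "host" and i + 1 < len(tokens):   # 'host A' carries no mask
            out.extend(tokens[i:i + 2])
            i += 2
            continue
        if _is_ipv4(tok) and i + 1 < len(tokens) and _is_ipv4(tokens[i + 1]):
            converted, kind = convert_mask(tokens[i + 1], mode)
            if kind == "invalid":
                raise ValueError(f"non-contiguous mask {tokens[i + 1]} in ACE")
            out.extend([tok, converted])
            i += 2
            continue
        out.append(tok)
        i += 1
    return " ".join(out)


def convert_av_pair(av_pair, mode):
    """Apply the conversion to a RADIUS cisco-av-pair of the form 'ip:inacl#N=<ace>'."""
    attr, sep, ace = av_pair.partition("=")
    if not sep:
        raise ValueError("expected attribute=ACE")
    return f"{attr}={convert_ace(ace, mode)}"


# Constructed sample: an ACE written for an IOS router with wildcard masks
SAMPLE_AV_PAIR = "ip:inacl#1=permit tcp 10.1.0.0 0.0.255.255 host 192.168.10.5 eq 443"
```

Run through `convert_av_pair(SAMPLE_AV_PAIR, "auto-detect")`, the wildcard `0.0.255.255` becomes `255.255.0.0` while `host 192.168.10.5` and `eq 443` are untouched; under `"standard"` the same ACE is returned unchanged, which on an ASA would match a very different set of addresses.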

Field Reference

Table F-6 AAA Server Dialog Box—TACACS+ Settings

Element Description

Key

Confirm

The shared secret that is used to encrypt data between the client and the AAA server. The key is a case-sensitive, alphanumeric string of up to 127 characters (U.S. English). Spaces and special characters are permitted.

The key you define in this field must match the key on the TACACS+ server. Enter the key again in the Confirm field.

Note the following:

• Activity validation fails if you try defining a key with a space on a PIX, ASA, or FWSM device.

• If you do not define a key, all traffic between the AAA server and its AAA clients is sent unencrypted.

Server Port The port used for communicating with the AAA server. The default is 49.

AAA Server Dialog Box—Kerberos Settings

Use the Kerberos settings in the AAA Server dialog box to configure a Kerberos AAA server object.

Note This type of AAA server can be configured only on ASA, PIX 7.x+, and FWSM 3.1+ devices.

Navigation Path

Go to the Add or Edit AAA Server Dialog Box, page F-8 and select Kerberos in the Protocol field.

Related Topics

• Creating AAA Server Objects, page 8-20

• Understanding AAA Server and Server Group Objects, page 8-15

• AAA Server Group Dialog Box, page F-6

Field Reference

Table F-7 AAA Server Dialog Box—Kerberos Settings

Element Description

Server Port The port used for communicating with the AAA server. The default is 88.

Kerberos Realm Name The name of the realm containing the Kerberos authentication server and ticket granting server (maximum of 64 characters).

Retry Interval The interval between attempts to contact the AAA server. Values range from 1 to 10 seconds.


AAA Server Dialog Box—LDAP Settings

Use the LDAP settings in the AAA Server dialog box to configure an LDAP AAA server object.

Note This type of AAA server can be configured only on ASA, PIX 7.x+, and FWSM 3.1+ devices.

Navigation Path

Go to the Add or Edit AAA Server Dialog Box, page F-8 and select LDAP in the Protocol field.

Related Topics

• Creating AAA Server Objects, page 8-20

• Understanding AAA Server and Server Group Objects, page 8-15

• AAA Server Group Dialog Box, page F-6

Field Reference

Table F-8 AAA Server Dialog Box—LDAP Settings

Element Description

Enable LDAP over SSL Whether to establish a secure SSL connection between the ASA/PIX/FWSM device and the LDAP server.

Tip You must select this option when using a Microsoft Active Directory LDAP server in order to enable password management.

Server Port The port used for communicating with the AAA server. The default is 389.

LDAP Hierarchy Location The base distinguished name (DN), which is the location in the LDAP hierarchy where the authentication server should begin searching when it receives an authorization request. For example, OU=Cisco. The maximum length is 128 characters.

The string is case-sensitive. Spaces are not permitted, but other special characters are allowed.

LDAP Scope The scope of LDAP searches:

• onelevel—Searches only one level beneath the base DN. This type of search scope is faster than a subtree search, because it is less comprehensive. This is the default.

• subtree—Searches all levels beneath the base DN.

LDAP Distinguished Name The DN and password that uniquely identify the ASA/PIX/FWSM device in the LDAP schema (maximum of 128 characters). The DN is similar to a unique key in a database or a fully qualified path for a file. These parameters are used only when the LDAP server requires them for authentication.


LDAP Login Directory The name of the directory object in the LDAP hierarchy used for authenticated binding (maximum of 128 characters). Authenticated binding is required by some LDAP servers (including the Microsoft Active Directory server) before other LDAP operations can be performed.

This string is case-sensitive. Spaces are not permitted in the string, but other special characters are allowed.

LDAP Login Password The case-sensitive, alphanumeric password for accessing the LDAP server (maximum of 64 characters). Spaces are not allowed.

SASL MD5 Authentication

SASL Kerberos Authentication

Kerberos Server Group

These options establish a Simple Authentication and Security Layer (SASL) mechanism to authenticate an LDAP client (the ASA/PIX/FWSM device) with an LDAP server.

You can define one or both SASL authentication mechanisms. When negotiating SASL authentication, the ASA/PIX/FWSM device retrieves the list of SASL mechanisms configured on the LDAP server and selects the strongest mechanism configured on both devices.

• SASL MD5 Authentication—Whether to have the device send the LDAP server an MD5 value computed from the username and password.

• SASL Kerberos Authentication—Whether to have the device send the LDAP server the username and realm using the GSSAPI (Generic Security Services Application Programming Interface) Kerberos mechanism. This mechanism is stronger than the MD5 mechanism.

If you select Kerberos, you must also enter the name of the Kerberos AAA server group used for SASL authentication. The maximum length is 16 characters.

LDAP Server Type The type of LDAP server used for AAA:

• Auto-Detect—The ASA/PIX/FWSM device tries to determine the server type automatically. This is the default.

• Microsoft—The LDAP server is a Microsoft Active Directory server.

Note You must configure LDAP over SSL to enable password management with Microsoft Active Directory.

• Sun—The LDAP server is a Sun Microsystems JAVA System Directory Server.

• OpenLDAP—The server is an Open LDAP server. You can use this only with ASA/PIX 8.0+ devices.

• Novell—The server is a Novell LDAP server. You can use this only with ASA/PIX 8.0+ devices.


LDAP Attribute Map The LDAP attribute configuration to bind to the LDAP server. Enter the name of an LDAP attribute map policy object or click Select to select it from a list or to create a new object.

LDAP attribute maps take the attribute names that you define and map them to Cisco-defined attributes. For more information, see Creating LDAP Attribute Map Objects, page 8-37.

AAA Server Dialog Box—NT Settings

Use the NT settings in the AAA Server dialog box to configure an NT AAA server object.

Note This type of AAA server can be configured only on ASA, PIX 7.x+, and FWSM 3.1+ devices.

Navigation Path

Go to the Add or Edit AAA Server Dialog Box, page F-8 and select NT in the Protocol field.

Related Topics

• Creating AAA Server Objects, page 8-20

• Understanding AAA Server and Server Group Objects, page 8-15

• AAA Server Group Dialog Box, page F-6

Field Reference

Table F-9 AAA Server Dialog Box—NT Settings

Element Description

Server Port The port used for communicating with the AAA server. The default is 139.

NT Authentication Host The hostname of the authentication domain controller (maximum of 16 characters).

AAA Server Dialog Box—SDI Settings

Use the SDI settings in the AAA Server dialog box to configure an SDI AAA server object.

Note This type of AAA server can be configured only on ASA, PIX 7.x+, and FWSM 3.1+ devices.

Navigation Path

Go to the Add or Edit AAA Server Dialog Box, page F-8 and select SDI in the Protocol field.


Related Topics

• Creating AAA Server Objects, page 8-20

• Understanding AAA Server and Server Group Objects, page 8-15

• AAA Server Group Dialog Box, page F-6

Field Reference

Table F-10 AAA Server Dialog Box—SDI Settings

Element Description

Server Port The port used for communicating with the AAA server. The default is 5500.

Retry Interval The interval between attempts to contact the AAA server. Values range from 1 to 10 seconds. The default is 10 seconds.

SDI Server Version The SDI server version:

• SDI-pre-5—All SDI versions before version 5.0

• SDI-5—SDI version 5.0 or later.

SDI pre-5 Slave Server (Optional) A secondary server to be used for authentication if the primary server fails when using an SDI version prior to 5.0. Enter the IP address or the name of a network/host object, or click Select to select an object or create a new one.

AAA Server Dialog Box—HTTP-FORM Settings

Use the HTTP-FORM settings in the AAA Server dialog box to configure an HTTP-Form AAA server object for single sign-on authentication (SSO).

Note This type of AAA server can be configured only on ASA, PIX 7.x+, and FWSM 3.1+ devices.

Navigation Path

Go to the Add or Edit AAA Server Dialog Box, page F-8 and select HTTP-FORM in the Protocol field.

Related Topics

• Creating AAA Server Objects, page 8-20

• Understanding AAA Server and Server Group Objects, page 8-15

• AAA Server Group Dialog Box, page F-6


Field Reference

Table F-11 AAA Server Dialog Box—HTTP-Form Settings

Element Description

Start URL The URL from which the WebVPN server of the security appliance should retrieve an optional pre-login cookie. The maximum URL length is 1024 characters.

The authenticating web server might execute a pre-login sequence by sending a Set-Cookie header along with the login page content. The URL in this field defines the location from which the cookie is retrieved.

Note The actual login sequence starts after the pre-login cookie sequence.

Action URI The Uniform Resource Identifier (URI) that defines the location and name of the authentication program on the web server to which the security appliance sends HTTP POST requests for single sign-on (SSO) authentication.

The maximum length of the action URI is 2048 characters.

Tip You can discover the action URI on the authenticating web server by connecting to the web server’s login page directly with a browser. The URL of the login web page displayed in your browser is the action URI for the authenticating web server.

Username Parameter The name of the username parameter included in HTTP POST requests for SSO authentication. The maximum length is 128 characters.

At login, the user enters the actual name value, which is entered into the HTTP POST request and passed on to the authenticating web server.

Password Parameter The name of the password parameter included in HTTP POST requests for SSO authentication. The maximum length is 128 characters.

At login, the user enters the actual password value, which is entered into the HTTP POST request and passed on to the authenticating web server.

Hidden Values The hidden parameters included in HTTP POST requests for SSO authentication. They are referred to as hidden parameters because, unlike the username and password, they are not visible to the user.

The maximum length of the hidden parameters is 2048 characters.

Tip You can discover the hidden parameters that the authenticating web server expects in POST requests by using an HTTP header analyzer on a form received from the web server.

Authentication Cookie Name The name of the authentication cookie used for SSO by the security appliance. The maximum length is 128 characters.

If SSO authentication succeeds, the authenticating web server passes this authentication cookie to the client browser. The client browser then authenticates to other web servers in the SSO domain by presenting this cookie.
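The exchange Table F-11 describes, as an added Python example that is not part of the guide or of Security Manager: the Start URL is fetched for the pre-login cookie, the username, password and hidden values are posted to the Action URI, and the named authentication cookie is taken from the response. The web server is a constructed in-process stand-in, and every URL, parameter name, credential and cookie value is constructed for the example.

```python
from dataclasses import dataclass
from urllib.parse import parse_qsl, urlencode, urlsplit


@dataclass
class HttpFormServer:
    """The Table F-11 fields; every value used below is constructed for this example."""
    start_url: str
    action_uri: str
    username_param: str
    password_param: str
    hidden_values: dict
    auth_cookie_name: str


def cookies_from_set_cookie(headers):
    """{name: value} for each Set-Cookie header; attributes after ';' are dropped."""
    jar = {}
    for name, value in headers:
        if name.lower() == "set-cookie":
            k, _, v = value.split(";", 1)[0].partition("=")
            jar[k.strip()] = v.strip()
    return jar


def cookies_from_cookie_header(headers):
    """{name: value} parsed from a request's Cookie header(s)."""
    jar = {}
    for name, value in headers:
        if name.lower() == "cookie":
            for item in value.split(";"):
                k, _, v = item.strip().partition("=")
                if k:
                    jar[k] = v
    return jar


def fake_sso_server(method, path, headers, body):
    """Constructed stand-in for the authenticating web server: GET on the start URL
    sets a pre-login cookie; POST to the action URI must carry that cookie, the hidden
    values and valid credentials, and on success sets the authentication cookie."""
    if method == "GET" and path == "/login":
        return 200, [("Set-Cookie", "prelogin=c0ffee; Path=/")], "<form>...</form>"
    if method == "POST" and path == "/auth/login.cgi":
        form = dict(parse_qsl(body))
        cookies = cookies_from_cookie_header(headers)
        ok = (cookies.get("prelogin") == "c0ffee"
              and form.get("realm") == "corp" and form.get("type") == "form"
              and form.get("user") == "alice" and form.get("pass") == "s3cret")
        if ok:
            return 302, [("Set-Cookie", "SSOAUTH=tok-7f3a; Path=/; Secure; HttpOnly"),
                         ("Location", "/portal")], ""
        return 401, [], "login failed"
    return 404, [], ""


def sso_login(server, cfg: HttpFormServer, username: str, password: str):
    """Run the three-step exchange and return the value of the authentication
    cookie, or None when the web server did not issue it."""
    jar = {}
    if cfg.start_url:                                   # step 1: optional pre-login cookie
        _, resp_headers, _ = server("GET", urlsplit(cfg.start_url).path, [], "")
        jar.update(cookies_from_set_cookie(resp_headers))
    form = dict(cfg.hidden_values)                      # step 2: POST to the action URI
    form[cfg.username_param] = username
    form[cfg.password_param] = password
    req_headers = [("Content-Type", "application/x-www-form-urlencoded")]
    if jar:
        req_headers.append(("Cookie", "; ".join(f"{k}={v}" for k, v in jar.items())))
    _, resp_headers, _ = server("POST", urlsplit(cfg.action_uri).path, req_headers,
                                urlencode(form))
    return cookies_from_set_cookie(resp_headers).get(cfg.auth_cookie_name)  # step 3


EXAMPLE_CFG = HttpFormServer(
    start_url="https://sso.example.test/login",
    action_uri="https://sso.example.test/auth/login.cgi",
    username_param="user",
    password_param="pass",
    hidden_values={"realm": "corp", "type": "form"},
    auth_cookie_name="SSOAUTH",
)

if __name__ == "__main__":
    print(sso_login(fake_sso_server, EXAMPLE_CFG, "alice", "s3cret"))   # tok-7f3a
    print(sso_login(fake_sso_server, EXAMPLE_CFG, "alice", "wrong"))    # None
```

Leaving Start URL empty against a server that insists on its pre-login cookie makes the POST fail even with valid credentials, which is the case to check first when an HTTP-Form object authenticates nobody.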


Add or Edit Access List Dialog Boxes

Use the Add and Edit Access List dialog boxes to define access control entries (ACEs) for an ACL object. From this page, you can change the order of the ACEs and ACL objects within the table, add or edit ACEs and ACL objects, and delete ACEs and ACL objects.

The title of the dialog box indicates the type of ACL you are creating: Extended, Standard, or Web Type. The dialog boxes are essentially the same, the difference being the columns displayed in the ACE table.

Navigation Path

Select Tools > Policy Object Manager, then select Access Control Lists from the Object Type selector. Select the tab for the type of ACL object you want to create, and then right-click inside the work area and select New Object or right-click a row and select Edit Object.

Related Topics

• Creating Access Control List Objects, page 8-23

• Creating Extended Access Control List Objects, page 8-23

• Creating Standard Access Control List Objects, page 8-25

• Creating Web Access Control List Objects, page 8-26

• Contiguous and Discontiguous Network Masks, page 8-65

• Understanding Network/Host Objects, page 8-65

• Understanding and Specifying Services and Service and Port List Objects, page 8-75

Field Reference

Table F-12 Add and Edit Access List Dialog Boxes

Element Description

Name The object name, which can be up to 128 characters. Object names are not case-sensitive. For more information, see Creating Policy Objects, page 8-4.

Description An optional description of the object.


Access Control Entry table The access control entries (ACEs) and ACL objects that are part of the ACL. The table displays the name of the entry or object, description, options, services, and other attributes of the entry.

In the Permit column, a green checkmark indicates that the entry permits traffic, whereas a red circle with a slash indicates that traffic is denied.

The source and, if applicable, destination addresses can be host IP addresses, network addresses, or network/host policy objects.

• To add an ACE, click the Add button and fill in the dialog box for the type of ACL you are creating:

– Add and Edit Extended Access Control Entry Dialog Boxes, page F-20

– Add and Edit Standard Access Control Entry Dialog Boxes, page F-22

– Add and Edit Web Access Control Entry Dialog Boxes, page F-23

• To edit an ACE, select it and click the Edit button.

• To delete an ACE, select it and click the Delete button.

• To change the position of an entry, select it and click the Up/Down arrow buttons as required. Entries are evaluated top to bottom, so correct positioning is crucial for you to get the results you intend.

Category The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6.

Allow Value Override per Device

Overrides

Edit button

Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden, page 8-10 and Understanding Policy Object Overrides for Individual Devices, page 8-9.

If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.

Add and Edit Extended Access Control Entry Dialog Boxes

Use the Add or Edit Extended Access Control Entry dialog box to add an access control entry (ACE) or an ACL object to an Extended ACL object.

Navigation Path

From the Add or Edit Access List Dialog Boxes, page F-19 for Extended ACL objects, click the Add button in the ACE table, or select a row and click the Edit button.

Related Topics

• Creating Extended Access Control List Objects, page 8-23

• Understanding Access Rule Address Requirements and How Rules Are Deployed, page 11-19

• Understanding Network/Host Objects, page 8-65

• Understanding and Specifying Services and Service and Port List Objects, page 8-75

• Filtering Items in Selectors, page 2-14

Field Reference

Table F-13 Add and Edit Extended Access Control Entry Dialog Boxes

Element Description

Type The type of entry you are adding. The fields on the dialog box change based on your selection.

• Access Control Entry—You want to define an ACE.

• ACL Objects—You want to include an existing ACL object. You are presented with a list of available ACL objects. Select the objects you want to include and click the >> button to move them to the list of selected objects. You can remove an object by selecting it and clicking <<. You can also edit objects in the selected objects list.

Action The action to take on traffic defined in the entry, either to permit (allow) the traffic or to deny (prohibit) it.

Category The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6.

Source

Destination

The source or destination of the traffic. You can enter more than one value by separating the items with commas.

You can enter any combination of the following address types. For more information, see Specifying IP Addresses During Policy Definition, page 8-68.

• Network/host object. Enter the name of the object or click Select to select it from a list. You can also create new network/host objects from the selection list.

• Host IP address, for example, 10.10.10.100.

• Network address, including subnet mask, in either the format 10.10.10.0/24 or 10.10.10.0/255.255.255.0.

• A range of IP addresses, for example, 10.10.10.100-10.10.10.200.

• An IP address pattern in the format 10.10.0.10/255.255.0.255, where the mask is a discontiguous bit mask (see Contiguous and Discontiguous Network Masks, page 8-65).

Services The services that define the type of traffic to act on. You can enter more than one value by separating the items with commas.

You can enter any combination of service objects and service types (which are typically a protocol and port combination). If you type in a service, you are prompted as you type with valid values. You can select a value from the list and press Enter or Tab.

For complete information on how to specify services, see Understanding and Specifying Services and Service and Port List Objects, page 8-75.


Add and Edit Standard Access Control Entry Dialog Boxes

Use the Add or Edit Standard Access Control Entry dialog box to add an access control entry (ACE) or an ACL object to a Standard ACL object.

Navigation Path

From the Add or Edit Access List Dialog Boxes, page F-19 for Standard ACL objects, click the Add button in the ACE table, or select a row and click the Edit button.

Related Topics

• Creating Standard Access Control List Objects, page 8-25

• Understanding Access Rule Address Requirements and How Rules Are Deployed, page 11-19

• Understanding Network/Host Objects, page 8-65

• Understanding and Specifying Services and Service and Port List Objects, page 8-75

• Filtering Items in Selectors, page 2-14

Field Reference

Table F-13 Add and Edit Extended Access Control Entry Dialog Boxes (Continued)

Element Description

Description An optional description of the object.

Advanced button Click this button to define logging options for the entry:

• For PIX, ASA, and FWSM devices, you can enable:

– Default logging—If a packet is denied, message 106023 is generated. If a packet is permitted, no message is generated.

– Per ACE logging—If a packet is denied, message 106100 is generated. You can select the logging severity level for the messages, and the interval (in seconds from 1 to 600) for generating messages.

• For IOS devices, when you enable logging, informational messages about packets that match the entry are sent to the console. You can also elect to include the input interface and source MAC address or VC in the logging output.
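An added Python example, not from the guide or from Security Manager, that parses each address form the Source and Destination fields of Table F-13 accept (host, network/prefix, network/dotted mask, range, and the discontiguous bit-mask pattern that the standard ipaddress module itself rejects) and evaluates an ordered list of entries first-match, top to bottom, which is why the position of an entry in the ACE table decides the result. The protocol/port spelling for services, the implicit deny when nothing matches, and the ACLs themselves are assumptions constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

ALL_ONES = 0xFFFFFFFF


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text.strip()))


def parse_address(spec: str):
    """Return a predicate (int -> bool) for one item in the forms Table F-13 lists."""
    spec = spec.strip()
    if "-" in spec:                                   # 10.10.10.100-10.10.10.200
        lo, hi = (_ip(p) for p in spec.split("-", 1))
        if lo > hi:
            raise ValueError(f"inverted range: {spec}")
        return lambda ip: lo <= ip <= hi
    if "/" in spec:                                   # 10.10.10.0/24, 10.10.10.0/255.255.255.0
        addr, mask = spec.split("/", 1)               # or 10.10.0.10/255.255.0.255
        if "." in mask:
            m = _ip(mask)      # dotted mask: any bit pattern, so discontiguous masks work too
        else:
            bits = int(mask)
            if not 0 <= bits <= 32:
                raise ValueError(f"bad prefix length: {spec}")
            m = (ALL_ONES << (32 - bits)) & ALL_ONES
        base = _ip(addr) & m
        return lambda ip: (ip & m) == base
    host = _ip(spec)                                  # 10.10.10.100
    return lambda ip: ip == host


def parse_service(spec: str):
    """'ip' matches everything; 'tcp' any TCP port; 'tcp/80' one port. This
    protocol/port spelling is an assumption of the example, not the guide's syntax."""
    proto, _, port = spec.strip().lower().partition("/")
    if proto == "ip":
        return lambda p, prt: True
    want = int(port) if port else None
    return lambda p, prt: p == proto and (want is None or prt == want)


@dataclass
class Ace:
    """One access control entry as typed into the dialog box: comma-separated lists."""
    action: str          # "permit" or "deny"
    source: str
    destination: str
    services: str

    def __post_init__(self):
        self.src = [parse_address(s) for s in self.source.split(",")]
        self.dst = [parse_address(s) for s in self.destination.split(",")]
        self.svc = [parse_service(s) for s in self.services.split(",")]

    def matches(self, src: int, dst: int, proto: str, port: int) -> bool:
        return (any(f(src) for f in self.src) and any(f(dst) for f in self.dst)
                and any(f(proto, port) for f in self.svc))


def evaluate(acl, src: str, dst: str, proto: str, port: int) -> str:
    """First match wins, top to bottom; no match falls to the implicit deny (assumed)."""
    s, d = _ip(src), _ip(dst)
    for ace in acl:
        if ace.matches(s, d, proto, port):
            return ace.action
    return "deny"


# Constructed ACLs: the same two entries in opposite order.
ACL_DENY_FIRST = [
    Ace("deny", "10.10.10.100", "0.0.0.0/0", "ip"),
    Ace("permit", "10.10.10.0/24", "0.0.0.0/0", "tcp/80,tcp/443"),
]
ACL_PERMIT_FIRST = list(reversed(ACL_DENY_FIRST))

if __name__ == "__main__":
    print(evaluate(ACL_DENY_FIRST, "10.10.10.100", "192.0.2.10", "tcp", 80))    # deny
    print(evaluate(ACL_PERMIT_FIRST, "10.10.10.100", "192.0.2.10", "tcp", 80))  # permit
    pattern = parse_address("10.10.0.10/255.255.0.255")
    print(pattern(_ip("10.10.77.10")), pattern(_ip("10.10.77.11")))              # True False
```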

Table F-14 Add and Edit Standard Access Control Entry Dialog Boxes

Element Description

Type The type of entry you are adding. The fields on the dialog box change based on your selection.

• Access Control Entry—You want to define an ACE.

• ACL Objects—You want to include an existing ACL object. You are presented with a list of available ACL objects. Select the objects you want to include and click the >> button to move them to the list of selected objects. You can remove an object by selecting it and clicking <<. You can also edit objects in the selected objects list.


Action The action to take on traffic defined in the entry, either to permit (allow) the traffic or to deny (prohibit) it.

Category The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6.

Source The source of the traffic. You can enter more than one value by separating the items with commas.

You can enter any combination of the following address types. For more information, see Specifying IP Addresses During Policy Definition, page 8-68.

• Network/host object. Enter the name of the object or click Select to select it from a list. You can also create new network/host objects from the selection list.

• Host IP address, for example, 10.10.10.100.

• Network address, including subnet mask, in either the format 10.10.10.0/24 or 10.10.10.0/255.255.255.0.

• A range of IP addresses, for example, 10.10.10.100-10.10.10.200.

• An IP address pattern in the format 10.10.0.10/255.255.0.255, where the mask is a discontiguous bit mask (see Contiguous and Discontiguous Network Masks, page 8-65).

Description An optional description of the object.

Log Option Whether to create log entries when traffic meets the entry criteria. ACL logging generates syslog message 106023 for denied packets. A deny entry must be present for denied packets to be logged.

Add and Edit Web Access Control Entry Dialog Boxes

Use the Add or Edit Web Access Control Entry dialog box to add an access control entry (ACE) or an ACL object to a Web Type ACL object.

Navigation Path

From the Add or Edit Access List Dialog Boxes, page F-19 for Web Type ACL objects, click the Add button in the ACE table, or select a row and click the Edit button.

Related Topics

• Creating Web Access Control List Objects, page 8-26

• Understanding Access Rule Address Requirements and How Rules Are Deployed, page 11-19

• Understanding Network/Host Objects, page 8-65

• Understanding and Specifying Services and Service and Port List Objects, page 8-75

• Filtering Items in Selectors, page 2-14


Field Reference

Table F-15 Add and Edit Web Access Control Entry Dialog Boxes

Element Description

Type The type of entry you are adding. The fields on the dialog box change based on your selection.

• Access Control Entry—You want to define an ACE.

• ACL Objects—You want to include an existing ACL object. You are presented with a list of available ACL objects. Select the objects you want to include and click the >> button to move them to the list of selected objects. You can remove an object by selecting it and clicking <<. You can also edit objects in the selected objects list.

Action The action to take on traffic defined in the entry, either to permit (allow) the traffic or to deny (prohibit) it.

Filter Destination Whether the entry specifies a network filter (host or network address) or a URL filter (web site address). Your selection changes the fields on the dialog box. The fields are described below.

Destination

(Network Filter only.)

The destination of the traffic. You can enter more than one value by separating the items with commas.

You can enter any combination of the following address types. For more information, see Specifying IP Addresses During Policy Definition, page 8-68.

• Network/host object. Enter the name of the object or click Select to select it from a list. You can also create new network/host objects from the selection list.

• Host IP address, for example, 10.10.10.100.

• Network address, including subnet mask, in either the format 10.10.10.0/24 or 10.10.10.0/255.255.255.0.

• A range of IP addresses, for example, 10.10.10.100-10.10.10.200.

• An IP address pattern in the format 10.10.0.10/255.255.0.255, where the mask is a discontiguous bit mask (see Contiguous and Discontiguous Network Masks, page 8-65).

Ports

(Network Filter only.)

The port numbers or port list policy objects that define the port the traffic uses, if you want to use port identification. You can enter more than one value by separating the items with commas.

You can enter any combination of the following types:

• Port list object. Enter the name of the object or click Select to select it from a list. You can also create new port list objects from the selection list.

• Port number, for example, 80.

• A range of ports, for example, 80-90.


URL Filter

(URL Filter only.)

The Uniform Resource Locator (URL), or web address, of the traffic. You can use an asterisk as a match-all wildcard. For example, http://*.cisco.com matches all servers on the cisco.com network. You can specify any valid URL.

Logging The type of logging to use for this entry:

• Select Log Disabled to not create log entries.

• Select Default to use the default settings on the device.

• All other available options enable logging and identify the log level that will be used.

Logging Interval The interval of time, in seconds, used to generate logging messages, from 1 to 600. The default is 300. You can modify this field only if you select a logging level in the Logging field.

Time Range The time range policy object that defines the time range associated with the entry. The time range defines the access to the device and relies on the device’s system clock. For more information, see Creating Time Range Objects, page 8-92.

Enter the name of the object or click Select to select it from a list. You can also create new time range objects from the selection list.

Note Time range is not supported on FWSM 2.x or PIX 6.3 devices.

Category The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6.

Description An optional description of the object.

ASA Group Policies Dialog Box

Use the Add or Edit ASA Group Policies dialog box to create, copy, and edit an ASA user group policies object.

ASA group policies are configured on ASA security appliances in Easy VPN topologies, IPSec VPNs, and SSL VPNs. When you configure an Easy VPN, IPSec VPN or SSL VPN connection, you must create group policies to which remote clients will belong. A user group policy is a set of user-oriented attribute/value pairs for SSL VPN connections that are stored either internally (locally) on the device or externally on a AAA server. The tunnel group uses a user group policy that sets terms for user connections after the tunnel is established. Group policies let you apply whole sets of attributes to a user or a group of users rather than having to specify each attribute individually for each user.

Note You must select the technology (Easy VPN/IPSec VPN, SSL VPN, or Easy VPN/IPSec VPN and SSL VPN) for which you are creating the object. If you are editing an existing ASA group policies object, the technology is already selected, and you cannot change it. Depending on the selected technology, the appropriate settings are available for configuration.


Navigation Path

Select ASA Group Policies in the Policy Object Manager Window, page F-1. Right-click inside the work area and select New Object or right-click a row and select Edit Object.

Tip You can also access this dialog box from the Remote Access VPN > Group Policies policy.

Related Topics

• Creating ASA User Group Objects, page 8-28

• Creating Group Policies (ASA), page 10-30

Field Reference

Table F-16 Add or Edit ASA Group Policies Dialog Box, including Technology Settings

Element Description

Name The object name, which can be up to 128 characters. Object names are not case-sensitive. For more information, see Creating Policy Objects, page 8-4.

Description An optional description of the object.

Settings Pane

The body of the dialog box is a pane with a table of contents on the left and settings related to the item selected in the table of contents on the right.

You must first configure technology settings, then you can select items from the table of contents on the left and configure the options you require. Your selections on the Technology page control which options are available on these pages and in the table of contents.

The top folders in the table of contents represent the VPN technologies or other settings that you can configure, and are explained next.

Technology settings These settings control what you can define in the group policy:

• Group Policy Type—Whether you are storing the group policy on the ASA device itself (Internal) or on a AAA server (External). You cannot change this option when editing an object.

If you select External, the only attributes you can configure are the name of the AAA server group object that identifies the AAA server and its password.

• Technology—The types of VPN for which this object defines group policies. You cannot change this option when editing an object. You can configure settings for Easy VPN/IPSec VPN, SSL VPN, or both. The default is both.

• External Server Group—If you are storing the group policy attributes on an external AAA server, specify the AAA server group that will be used for authentication. Click Select to select the object from a list or to create a new object.

After you select an external server group, the Password and Confirm fields become active. Enter the alphanumeric password to use for authenticating with the server in both fields. The password can be a maximum of 128 characters; spaces are not allowed.


DNS/WINS The DNS and WINS servers and the domain name that should be pushed to clients associated with the group. See ASA Group Policies DNS/WINS Settings, page F-40.

Split Tunneling Settings to allow a remote client to conditionally direct encrypted packets through a secure tunnel to the central site and simultaneously allow clear text tunnels to the Internet through a network interface. See ASA Group Policies Split Tunneling Settings, page F-41.

Easy VPN/IPSec VPN Settings for Easy VPN and remote access IPSec VPNs:

• Client Configuration—The Cisco client parameters for the group. See ASA Group Policies Client Configuration Settings, page F-27.

• Client Firewall Attributes—The firewall settings for VPN clients for the group. See ASA Group Policies Client Firewall Attributes, page F-28.

• Hardware Client Attributes—The VPN 3002 Hardware Client settings for the group. See ASA Group Policies Hardware Client Attributes, page F-30.

• IPSec—The tunneling protocols, filters, connection settings, and servers for the group. See ASA Group Policies IPSec Settings, page F-31.

SSL VPN Settings for SSL VPN:

• Clientless—Settings for the clientless mode of access to the corporate network in an SSL VPN. See ASA Group Policies SSL VPN Clientless Settings, page F-33.

• Full Client—Settings for the full client mode of access to the corporate network in an SSL VPN. See ASA Group Policies SSL VPN Full Client Settings, page F-35.

• Settings—The general settings that are required for clientless/port forwarding in an SSL VPN. See ASA Group Policies SSL VPN Settings, page F-37.

Connection Settings The connection settings for the group, such as the session and idle timeouts, including the banner text. See ASA Group Policies Connection Settings, page F-42.

ASA Group Policies Client Configuration Settings

Use the Client Configuration settings page to configure the Cisco client parameters for the ASA group policy for Easy VPN or remote access VPN.

Navigation Path

Select Easy VPN/IPSec VPN > Client Configuration from the table of contents in the ASA Group Policies Dialog Box, page F-25.


Field Reference

Table F-17 ASA Group Policies Client Configuration Settings

Element Description

Store Password on Client System

Whether to allow users to store a password on their local systems. Enable this feature only if you are certain that the local systems will be in secure sites.

Enable IPsec over UDP

UDP Port

Whether to allow a Cisco VPN client or hardware client to connect using UDP to a security appliance that is running NAT.

If you select this option, specify the UDP port number within the range of 4001-49151. In IPsec negotiations, the security appliance listens on the configured port and forwards UDP traffic for that port even if other filter rules drop UDP traffic.

Note The Cisco VPN client must also be configured to use IPsec over UDP, which is configured by default on certain devices.

IPsec Backup Servers

Servers List

Specify the backup server configuration:

• Keep Client Configuration—The security appliance sends no backup server information to the client. The client uses its own backup server list, if configured. This is the default.

• Clear Client Configuration—The client uses no backup servers. The security appliance pushes a null server list.

• Use Specified Backup Servers—Use the backup servers you specify in the servers list. Enter the IP addresses of the servers, or the name of a network/host object. Click Select to select the object from a list or to create a new object.

You can configure backup servers either on the client or on the primary security appliance. If you configure backup servers on the security appliance, it pushes the backup server policy to the clients in the group, replacing the backup server list on the client if one is configured.

ASA Group Policies Client Firewall Attributes

Use the Client Firewall Attributes settings to configure the firewall settings for VPN clients for the ASA group policy for Easy VPN or IPSec VPN. Only VPN clients running Microsoft Windows can use these firewall settings.

Navigation Path

Select Easy VPN/IPSec VPN > Client Firewall Attributes from the table of contents in the ASA Group Policies Dialog Box, page F-25.


Field Reference

Table F-18 ASA Group Policies Client Firewall Attributes

Element Description

Firewall Mode

The firewall requirements for client systems for the group:

• No Firewall—Do not use a firewall. You cannot configure any other options on the page.

• Firewall Required—All users in this group must use the designated firewall. The security appliance drops any session that attempts to connect without the designated firewall installed and running. In this case, the security appliance notifies the VPN client that its firewall configuration does not match.

Note Make sure the group does not include any clients other than Windows VPN Clients. Any other clients in the group (including VPN 3002 Hardware Clients) are unable to connect if you require a client firewall.

• Firewall Optional—Users can use a firewall but it is not required. This option allows all users in the group to connect. Those who have a firewall can use it; users that connect without a firewall receive a warning message. This setting is useful if you are creating a group in which some users have firewalls and others do not. For example, you might have clients with systems that do not run Microsoft Windows, or your clients have not all had the opportunity to install firewall software.

Firewall Type

The type of firewall that you are making required or optional. The list shows all of the supported firewall software, which includes software from Cisco, Network ICE, Sygate, and Zone Labs.

• If you select Custom Firewall, you must fill in the fields in the Custom Firewall group. You also need to configure the policy source; select options only if they are supported by the vendor.

• Some firewall types require you to specify the source of the policy implemented by the firewall.

Policy Source

Some types of firewall allow you to configure where the client firewall should obtain its policies:

• Get Policy From Remote Firewall—The policy is configured in the client firewall application. This is how most client firewalls work.

• Use Specified Policy—The policy you specify should be pushed to the client firewall application, which should use your policy.

You must enter the name of an extended access control list policy object in both the Inbound Traffic Policy and Outbound Traffic Policy fields, or click Select to select one from a list or to create a new one.


Table F-18 ASA Group Policies Client Firewall Attributes (Continued)

Element Description

Custom Firewall

The attributes that define the required or optional firewall if you select custom firewall as the firewall type:

• Vendor ID—The number that identifies the vendor of the custom firewall. Values are 1-255.

• Product ID—The number that identifies the product or model of the custom firewall. Values are 1-32 or 255. Multiple ranges are allowed, for example, 4-12, 24-32. Use 255 for all supported products.

• Description—An optional description of the custom firewall, for example, the name of the vendor and product.

ASA Group Policies Hardware Client Attributes

Use the Hardware Client Attributes settings to configure the VPN 3002 Hardware Client settings for the ASA group policy in an Easy VPN or IPSec VPN.

Navigation Path

Select Easy VPN/IPSec VPN > Hardware Client Attributes from the table of contents in the ASA Group Policies Dialog Box, page F-25.

Field Reference

Table F-19 ASA Group Policies Hardware Client Attributes

Element Description

Require Interactive Client Authentication

Whether to enable secure unit authentication, which provides additional security by requiring VPN hardware clients to authenticate with a username and password each time that the client initiates a tunnel. The hardware client does not have a saved username and password.

Note Secure unit authentication requires that you have an authentication server group configured for the tunnel group the hardware clients use. If you require secure unit authentication on the primary security appliance, be sure to configure it on any backup servers as well.

Require Individual User Authentication

Whether to require that individual users behind a hardware client authenticate to gain access to the network across the tunnel. Individual users authenticate according to the order of authentication servers that you configure.

If you do not select this option, the security appliance allows inheritance of a value for user authentication from another group policy.

Enable Cisco IP Phone Bypass

Whether to allow IP phones behind hardware clients to connect without undergoing a user authentication process. Secure unit authentication remains in effect for other users.


Table F-19 ASA Group Policies Hardware Client Attributes (Continued)

Element Description

Enable LEAP Bypass

Whether to enable Lightweight Extensible Authentication Protocol (LEAP) packets from wireless devices behind a VPN hardware client to travel across a VPN tunnel prior to user authentication. This action lets workstations using Cisco wireless access point devices establish LEAP authentication and then authenticate again per user authentication.

Note LEAP is an 802.1X wireless authentication method that implements mutual authentication between a wireless client on one side of a connection and a RADIUS server on the other side. The credentials used for authentication, including a password, are always encrypted before they are transmitted over the wireless medium.

Allow Network Extension Mode

Whether to enable network extension mode for hardware clients.

Network extension mode lets hardware clients present a single, routable network to the remote private network over the VPN tunnel. IPsec encapsulates all traffic from the private network behind the hardware client to networks behind the security appliance. PAT does not apply. Devices behind the security appliance have direct access to devices on the private network behind the hardware client over the tunnel, and only over the tunnel, and vice versa. The hardware client must initiate the tunnel, but after the tunnel is up, either side can initiate data exchange.

Idle Timeout Mode

How to handle periods of inactivity from individual clients:

• Specified Timeout—If there is no communication activity by a user behind a hardware client for the number of minutes you specify, the security appliance terminates the client’s access. Values are 1-35791394 minutes.

• Unlimited Timeout—User sessions are not terminated due to inactivity.

ASA Group Policies IPSec Settings

Use the IPsec settings to specify tunneling protocols, filters, connection settings, and servers for the ASA group policy for Easy VPN or IPSec VPN. This creates security associations that govern authentication, encryption, encapsulation, and key management.

Navigation Path

Select Easy VPN/IPSec VPN > IPsec from the table of contents in the ASA Group Policies Dialog Box, page F-25.


Field Reference

Table F-20 ASA Group Policies IPSec Settings

Element Description

Enable Re-Authentication on IKE Re-Key

Whether the security appliance should prompt the user to enter a username and password during initial Phase 1 IKE negotiation and also prompt for user authentication whenever an IKE rekey occurs, providing additional security. Reauthentication fails if no user is at the other end of the connection.

Enable IPsec Compression

Whether to enable data compression, which speeds up transmission rates for remote dial-in users connecting with modems.

Caution Data compression increases the memory requirement and CPU usage for each user session and consequently decreases the overall throughput of the security appliance. For this reason, it is recommended that you enable data compression only for remote users connecting with a modem. Design a group policy specific to modem users and enable compression only for them.

Enable Perfect Forward Secrecy (PFS)

Whether to enable the use of Perfect Forward Secrecy (PFS) to generate and use a unique session key for each encrypted exchange. In IPsec negotiations, PFS ensures that each new cryptographic key is unrelated to any previous key.

Tunnel Group Lock

Tunnel group lock restricts users by checking if the group configured in the VPN client is the same as the tunnel group to which the user is assigned. If it is not, the security appliance prevents the user from connecting.

If you do not specify a tunnel name, the security appliance authenticates users without regard to the assigned group. Group locking is disabled by default.

Client Access Rules table

The access rules for clients. These rules control which types of clients are denied access, if any. You can have up to 25 rules, and combined they are limited to 255 characters.

Tip If you define any rule, an implicit deny all rule is added. Thus, if a client matches no permit rule, the client is denied access. If you create rules, ensure that you have permit rules for all allowed clients. You can use * as a wildcard to match partial strings.

The rule with the lowest integer has the highest priority. Therefore, the rule with the lowest integer that matches a client type or version is the rule that applies. If a lower priority rule contradicts, the security appliance ignores it.

• To add a rule, click the Add Row button to open the Add or Edit Client Access Rules Dialog Box, page F-33.

• To edit a rule, select it and click the Edit Row button.

• To delete a rule, select it and click the Delete button.
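The priority, wildcard and implicit-deny semantics described for the Client Access Rules table (and illustrated by the three example rules in the Add or Edit Client Access Rules Dialog Box) as an added Python example; this is not code from the guide or from Security Manager. The rule set reuses the guide's three examples, while the client type and version strings and the way the 25-rule and 255-character limits are counted are constructed assumptions.

```python
import re
from typing import List, Optional, Tuple

# One rule as entered in the table:
# (priority, action, client_type_pattern, client_version_pattern).
# '*' matches zero or more characters; 'n/a' stands for a client that
# sends no type or version string.
Rule = Tuple[int, str, str, str]

MAX_RULES = 25            # table limit stated in the guide
MAX_COMBINED_CHARS = 255  # combined length limit stated in the guide


def _pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Turn a rule string into a regex in which only '*' is special.

    Everything else (dots, spaces, parentheses) is matched literally, so
    'version 3.*' does not also match 'version 3x'. Matching is case
    sensitive, because the guide requires the strings to match the output
    of show vpn-sessiondb remote exactly.
    """
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$")


def validate_rules(rules: List[Rule]) -> List[str]:
    """Return a list of problems with the rule set (empty if it is valid).

    Assumption: the 255-character limit is counted over the four fields
    joined by single spaces, the way the guide prints its examples.
    """
    problems = []
    if len(rules) > MAX_RULES:
        problems.append(f"more than {MAX_RULES} rules")
    combined = sum(len(f"{p} {a} {t} {v}") for p, a, t, v in rules)
    if combined > MAX_COMBINED_CHARS:
        problems.append(f"combined rule text is {combined} characters")
    for priority, action, _, _ in rules:
        if not 1 <= priority <= 65535:
            problems.append(f"priority {priority} outside 1-65535")
        if action.lower() not in ("permit", "deny"):
            problems.append(f"unknown action {action!r}")
    return problems


def evaluate(rules: List[Rule], client_type: Optional[str],
             client_version: Optional[str]) -> Tuple[str, Optional[int]]:
    """Return (decision, priority of the rule that decided) for one client.

    With no rules defined every client is permitted. Once any rule exists,
    the matching rule with the lowest priority number wins, and a client
    that matches no rule hits the implicit deny-all (priority None).
    """
    if not rules:
        return "permit", None
    problems = validate_rules(rules)
    if problems:
        raise ValueError("; ".join(problems))
    ctype = client_type or "n/a"   # clients that send nothing match 'n/a'
    cver = client_version or "n/a"
    for priority, action, type_pat, ver_pat in sorted(rules, key=lambda r: r[0]):
        if (_pattern_to_regex(type_pat).match(ctype)
                and _pattern_to_regex(ver_pat).match(cver)):
            return action.lower(), priority
    return "deny", None


# The three example rules from the guide.
GUIDE_RULES: List[Rule] = [
    (3, "Deny", "*", "version 3.*"),
    (5, "Permit", "VPN3002", "*"),
    (255, "Permit", "*", "*"),
]

if __name__ == "__main__":
    # Constructed client type/version strings, not captured ASA output.
    for ct, cv in [("VPN3002", "version 3.0.1"), ("VPN3002", "version 4.1"),
                   ("Cisco Systems VPN Client", "version 5.0"), (None, None)]:
        print(ct, cv, "->", evaluate(GUIDE_RULES, ct, cv))
```

Dropping the priority 255 permit-all rule from GUIDE_RULES shows the implicit deny-all in action: every client that is not a VPN3002 is then refused.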


Add or Edit Client Access Rules Dialog Box

Use the Client Access Rules dialog box to create or edit the priority, action, VPN client type and VPN client version for a client access rule.

Navigation Path

From ASA Group Policies IPSec Settings, page F-31, click the Add Row button beneath the Client Access Rules table, or select a rule and click the Edit Row button.

Field Reference

Table F-21 Add or Edit Client Access Rules Dialog Box

Element Description

Priority

The relative priority of the rule.

The rule with the lowest integer has the highest priority. Therefore, the rule with the lowest integer that matches a client type or version is the rule that applies. If a lower priority rule contradicts, the security appliance ignores it. Values are 1-65535.

Action

Whether this rule permits or denies traffic access to the client.

VPN Client Type

VPN Client Version

The type or version of VPN client to which this rule applies. Spaces are allowed.

You can use * as a wildcard to match zero or more characters. You can use n/a for clients that do not send their type or version. The strings you enter in these fields must match the strings displayed using the show vpn-sessiondb remote command on the ASA device.

Following are some examples, where priority, permit/deny, type, and version are shown in order:

• 3 Deny * version 3.* is a priority 3 rule that denies all client types with software version 3.x.

• 5 Permit VPN3002 * is a priority 5 rule that allows VPN3002 clients of all software versions.

• 255 Permit * * is a priority 255 rule that allows all types and versions of clients. This is useful if you are only trying to deny specific types of clients without wanting to create permit rules for all the other types.

ASA Group Policies SSL VPN Clientless Settings

Use the Clientless settings to configure the clientless mode of access to the corporate network in an SSL VPN for the ASA group policy object.

When a user connects to the SSL VPN in clientless mode, the user logs into the SSL VPN portal page. From the portal page, the user can access all available HTTP sites, access web e-mail, and browse Common Internet File System (CIFS) file servers, depending on how you configure the portal.

Navigation Path

Select SSL VPN > Clientless from the table of contents in the ASA Group Policies Dialog Box, page F-25.


Field Reference

Table F-22 ASA Group Policies SSL VPN Clientless Settings

Element Description

Portal Page Websites

The name of the SSL VPN bookmarks policy object that includes the web site URLs to display on the portal page. These web sites help users access desired resources. Enter the name of the object or click Select to select it from a list or to create a new object.

Allow Users to Enter Websites

Whether to allow the remote user to enter web site URLs directly into the browser. If you do not select this option, the user can access only those URLs included on the portal.

Enable File Server Browsing

Whether to allow the remote user to browse for file shares on the CIFS file servers.

Enable File Server Entry

Whether to allow the remote user to locate file shares on the CIFS file servers by entering the names of the file shares.

Enable Hidden Shares

Whether to make hidden CIFS shares visible, and thus accessible, to users.

HTTP Proxy

The type of access you want to allow to the external HTTP proxy server to which the security appliance forwards HTTP connections. You can enable access, disable access, or select Auto Start, which starts the proxy automatically upon user login.

Filter ACL

The name of the web type access control list policy object to use to restrict user access to the SSL VPN. Enter the name of the object or click Select to select it from a list or to create a new object.

Enable ActiveX Relay

Whether to enable ActiveX relay, which allows users to start ActiveX programs from the portal page. This allows users to start Microsoft Office applications from the web browser and upload and download Office documents.

UNIX Authentication Group ID

The UNIX authentication group ID.

UNIX Authentication User ID

The UNIX authentication user ID.

Smart Tunnel

The name of the smart tunnel list policy object assigned to this group. Click Select to select it from a list or to create a new object.

A smart tunnel is a connection between a Winsock 2, TCP-based application and a private site. The connection uses a clientless (browser-based) SSL VPN session with the security appliance as the pathway, and the security appliance as a proxy server. Thus, smart tunnels do not require users to have administrator privileges. For more information, see Configuring SSL VPN Smart Tunnels for ASA Devices, page 8-87.


Table F-22 ASA Group Policies SSL VPN Clientless Settings (Continued)

Element Description

Auto Start Smart Tunnel

Whether to start smart tunnel access automatically upon user login. If you do not select this option, the user must start the tunnel manually through the Application Access tools on the portal page.

Auto sign-on supports only applications that use HTTP and HTTPS using the Microsoft WININET library on a Microsoft Windows operating system. For example, Microsoft Internet Explorer uses the WININET dynamic linked library to communicate with web servers.

Port Forwarding List

The name of the port forwarding list policy object assigned to this group. Port forwarding lists contain the set of applications that users of clientless SSL VPN sessions can access over forwarded TCP ports. Enter the name of the object or click Select to select it from a list or to create a new object.

Auto Start Port Forwarding

Whether to start port forwarding automatically upon user login.

Port Forwarding Applet Name

The application name or short description to display on the Port Forwarding Java applet screen on the portal, up to 64 characters. This is the name of the applet users will download to act as a TCP proxy on the client machine for the services configured on the SSL VPN gateway.

ASA Group Policies SSL VPN Full Client Settings

Use the Full Client settings to configure the full client mode of access to the corporate network in an SSL VPN for the ASA group policy object.

Full client mode enables access to the corporate network completely over an SSL VPN tunnel. In full client access mode, the tunnel connection is determined by the group policy configuration. The full client software, SSL VPN Client (SVC) or AnyConnect, is downloaded to the remote client, so that a tunnel connection is established when the remote user logs in to the SSL VPN gateway.

Tip To enable full client access, you must configure the Remote Access VPN > SSL VPN > Other Settings policy on the device to identify AnyConnect image packages to install on the device. The images must be on the device so that users can download them. For more information, see Understanding SSL VPN Client Settings, page 10-54 and Add and Edit File Object Dialog Boxes, page F-47.

Navigation Path

Select SSL VPN > Full Client from the table of contents in the ASA Group Policies Dialog Box, page F-25.

Field Reference

Table F-23 ASA Group Policies SSL VPN Full Client Settings

Element Description

Enable Full Client

Whether to enable full client mode.


Table F-23 ASA Group Policies SSL VPN Full Client Settings (Continued)

Element Description

Mode

The mode in which to operate the SSL VPN:

• Use Other Access Modes if AnyConnect Client Download Fails—If the full client fails to download to the remote user, allow the user to make clientless or thin client access to the VPN.

• Full Client Only—Prohibit clientless or thin client access. The user must have the full client installed and functional to connect to the VPN.

Keep AnyConnect Client on Client System

Whether to leave the AnyConnect client installed on the client system after the client disconnects. If you do not leave the client installed, it must be downloaded each time the user connects to the gateway.

Enable Compression

Whether to enable data compression, which speeds up transmission rates for remote dial-in users connecting with modems.

Caution Data compression increases the memory requirement and CPU usage for each user session and consequently decreases the overall throughput of the security appliance. For this reason, it is recommended that you enable data compression only for remote users connecting with a modem. Design a group policy specific to modem users and enable compression only for them.

Enable Keepalive Messages

Whether to exchange keepalive messages between peers to demonstrate that they are available to send and receive data in the tunnel. Keepalive messages transmit at set intervals, and any disruption in that interval results in the creation of a new tunnel using a backup device.

If you select this option, enter the time interval (in seconds) that the remote client waits between sending IKE keepalive packets in the Interval field.

Client Dead Peer Detection Timeout (sec)

The time interval, in seconds, that the Dead Peer Detection (DPD) timer is reset each time a packet is received over the SSL VPN tunnel from the remote user.

DPD is used to send keepalive messages between peer devices only when no incoming traffic is received and outbound traffic needs to be sent.

Gateway Dead Peer Detection Timeout (sec)

The time interval, in seconds, that the Dead Peer Detection (DPD) timer is reset each time a packet is received over the SSL VPN tunnel from the gateway.

Key Renegotiation Method

The method by which the tunnel key is refreshed for the remote user group client:

• Disabled—Disables the tunnel key refresh.

• Use Existing Tunnel—Renegotiates the SSL tunnel connection.

• Create New Tunnel—Initiates a new tunnel connection.

Enter the time interval (in minutes) between the tunnel refresh cycles in the Interval field.


Table F-23 ASA Group Policies SSL VPN Full Client Settings (Continued)

Element Description

Enable Datagram Transport Layer Security

Whether to enable Datagram Transport Layer Security (DTLS) connections for the group.

Enabling DTLS allows the AnyConnect client establishing an SSL VPN connection to use two simultaneous tunnels, an SSL tunnel and a DTLS tunnel. Using DTLS avoids latency and bandwidth problems associated with some SSL connections and improves the performance of real-time applications that are sensitive to packet delays.

AnyConnect Module

The module that the AnyConnect client needs to enable optional features.

• vpngina—Select this module to enable the Start Before Logon (SBL) feature, which is a graphical identification and authentication (GINA) module for the AnyConnect client VPN connection.

• If other options are listed, see the release notes for the Cisco AnyConnect VPN Client for an explanation of the feature.

AnyConnect MTU

The maximum transmission unit (MTU) size for SSL VPN connections established by the Cisco AnyConnect VPN Client.

AnyConnect Profile Name

The name of the AnyConnect profile to use for the group. You must configure this name and relate it to a profile in the Remote Access VPN > SSL VPN > Other Settings policy.

Prompt User to Choose Client

Time User Has to Choose

Default Location

Whether to ask the user to download the client. Enter the number of seconds the user has to make a selection in the Time User Has to Choose field. The default is 120 seconds.

If you do not select this option, the user is immediately taken to the default location. The user is also taken to the default location after the time to choose expires.

• Web Portal—The portal page is loaded in the web browser.

• AnyConnect Client—The AnyConnect client is downloaded.

ASA Group Policies SSL VPN Settings

Use the SSL VPN Settings to configure attributes that are required for clientless and port forwarding (thin client) access modes to work, including auto signon rules for user access to servers. Auto Signon configures the security appliance to automatically pass SSL VPN user login credentials (username and password) on to internal servers. You can configure multiple auto signon rules.

Navigation Path

Select SSL VPN > Settings from the table of contents in the ASA Group Policies Dialog Box, page F-25.


Field Reference

Table F-24 ASA Group Policies SSL VPN Settings

Element Description

Home Page

The URL of the SSL VPN home page. The page is displayed when users log into the VPN. If you do not enter a URL, no home page is displayed.

Authentication Failure Message

The message to deliver to a remote user who successfully logs into the VPN but has no VPN privileges, and so can do nothing. The default message is:

“Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information.”

Minimum Keepalive Object Size (kilobytes)

The minimum size (in kilobytes) of an IKE keepalive packet that can be stored in the cache on the security appliance.

Single Sign On Server

The name of the single sign on (SSO) server policy object that identifies the server to use for this group, if any. An SSO server allows users to enter their username and password once and be able to access other servers in the network without logging into each of them. If you configure an SSO server, also configure the auto signon rules table.

Enter the name of the object or click Select to select it from a list or to create a new object. For more information, see Configuring Single Sign-On Server Objects, page 8-77.

Enable HTTP Compression

Whether to allow an HTTP compressed object to be cached on the security appliance.

Auto Signon Rules table

If you configure a single sign on server, the auto signon rules table contains the rules that determine which internal servers are provided the user’s credentials. Thus, you can provide single sign on for some servers in your network but not others.

Each rule is an allow rule, and indicates the IP address, subnet, or Universal Resource Identifier (URI) that identifies the server, and the type of authentication that will be sent to the server when the user tries to access it (either basic HTML, NTLM, FTP, or all of these). The rules are processed in order, top to bottom, and the first match is applied. Therefore, be sure to order the rules correctly using the up and down arrow buttons.

If the user accesses a server that is not identified in one of these rules, the user must log into the server to gain access.

• To add a rule, click the Add Row button to open the Add or Edit Auto Signon Rules Dialog Box, page F-39.

• To edit a rule, select it and click the Edit Row button.

• To delete a rule, select it and click the Delete Row button.
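The ordered, first-match evaluation of the auto signon rules table, as an added Python example that is not code from the guide or from Security Manager. The rule table, the URLs and the matching details are constructed assumptions: a subnet or address entry is taken to match when the requested host is a literal IP address inside it, and a URI entry when it is a prefix of the requested URL on a path boundary; the guide does not spell out either.

```python
import ipaddress
from typing import List, Optional, Set, Tuple
from urllib.parse import urlsplit

# One auto signon rule: (server_spec, auth_types). server_spec is an IP
# address, a subnet in CIDR form, or a URI; auth_types is the set of
# authentication types the appliance may use when forwarding credentials
# ('basic', 'ntlm', 'ftp', or 'all' for all three).
Rule = Tuple[str, Set[str]]

ALL_AUTH_TYPES = {"basic", "ntlm", "ftp"}


def _normalise_auth(auth_types: Set[str]) -> Set[str]:
    """Expand the 'all' choice into the three concrete types."""
    lowered = {a.lower() for a in auth_types}
    return set(ALL_AUTH_TYPES) if "all" in lowered else lowered & ALL_AUTH_TYPES


def _matches(spec: str, url: str) -> bool:
    """Does one rule's server spec cover the requested URL?

    Assumption (not stated in the guide): an IP or subnet spec matches a
    literal address host inside it; a URI spec matches when it equals the
    URL or is a prefix of it at a '/' boundary.
    """
    host = urlsplit(url).hostname or ""
    try:
        network = ipaddress.ip_network(spec, strict=False)
    except ValueError:
        network = None          # spec is a URI, not an address or subnet
    if network is not None:
        try:
            return ipaddress.ip_address(host) in network
        except ValueError:
            return False        # host is a name, so an IP rule cannot match
    spec_norm = spec.rstrip("/").lower()
    url_norm = url.lower()
    return url_norm == spec_norm or url_norm.startswith(spec_norm + "/")


def credentials_to_forward(rules: List[Rule], url: str) -> Optional[Set[str]]:
    """Return the auth types of the first rule covering url, or None.

    None means no rule identifies the server, so the SSL VPN credentials
    are not passed on and the user must log in to that server manually.
    Rules are walked top to bottom exactly as the table is ordered.
    """
    for spec, auth_types in rules:
        if _matches(spec, url):
            return _normalise_auth(auth_types)
    return None


# Constructed sample rule table (not from the guide), ordered top to bottom.
SAMPLE_RULES: List[Rule] = [
    ("10.1.1.0/24", {"ntlm"}),
    ("https://intranet.example.com/hr", {"basic"}),
    ("10.0.0.0/8", {"all"}),
]

if __name__ == "__main__":
    for u in ["http://10.1.1.5/app", "https://intranet.example.com/hr/pay",
              "ftp://10.20.30.40/", "https://other.example.com/"]:
        print(u, "->", credentials_to_forward(SAMPLE_RULES, u))
    # Order matters: with the /8 rule on top, the narrower /24 rule is
    # shadowed and 10.1.1.5 receives every auth type instead of NTLM only.
    print(credentials_to_forward(list(reversed(SAMPLE_RULES)), "http://10.1.1.5/app"))
```

The reversed-order call is the case the guide warns about: a broad subnet rule placed above a narrower one silently widens which credentials are forwarded to hosts in the narrower range.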


Add or Edit Auto Signon Rules Dialog Box

Use the Add or Edit Auto Signon Rules dialog box to configure the Auto Signon rules that the security appliance uses to pass SSL VPN user login credentials on to an internal server.

Navigation Path

Open the ASA Group Policies SSL VPN Settings, page F-37, then click Create, or select an item in the table and click Edit.

Related Topics

• ASA Group Policies Dialog Box, page F-25

• Configuring Single Sign-On Server Objects, page 8-77

Portal Page Customization The name of the SSL VPN customization policy object that defines the appearance of the portal web page. The portal page allows the remote user access to all the resources available on the SSL VPN network. If you do not specify an object, the default page appearance is used.

Enter the name of the object or click Select to select it from a list or to create a new object. For more information, see Configuring ASA Portal Appearance Using SSL VPN Customization Objects, page 8-79.

User Storage Location The location where personalized user information is stored between clientless SSL VPN sessions. If you do not specify a location, information is not stored between sessions. Stored information is encrypted.

Enter a file system designation in the following format:

protocol://username:password@host:port/path

Where protocol is the protocol of the server, username and password are a valid user account on the server, and host is the name of the server. Also indicate the port number (if you do not use the default for the protocol) and directory path of the location on the server to use. For example:

cifs://newuser:12345678@anyfiler02a/new_share

Storage Key The storage key used to protect data stored between sessions. Spaces are not supported.

Post Max Size The maximum size allowed for a posted object. The range is 0 through 2147483647 (which is the default). Specify 0 to prevent posting.

Upload Max Size The maximum size allowed for a uploaded object. The range is 0 through 2147483647 (which is the default). Specify 0 to prevent uploading.

Download Max Size The maximum size allowed for a downloaded object. The range is 0 through 2147483647 (which is the default). Specify 0 to prevent downloads.

Table F-24 ASA Group Policies SSL VPN Settings (Continued)

Element Description

Field Reference

Table F-25 Add or Edit Auto Signon Rules Dialog Box

Element Description

Allow IP Select this option to configure an IP address or subnet for the rule. Any server within this subnet is supplied the specified login credentials.

• To enter the IP address of a single server, enter the full IP address and use 255.255.255.255 as the subnet mask.

• To specify a subnet, enter the network address and subnet mask, for example, IP address 10.100.10.0 mask 255.255.255.0.

If you want the appliance to send credentials to any internal server the user tries to access, create rules for all of your internal networks. You might be able to do this with a single rule.

Allow URI Select this option to configure a Universal Resource Identifier (URI) for the rule. This identifies the internal server based on URI rather than IP address. For example, https://*.example.com/* creates a rule for all web pages on any server in the example.com domain. Use the asterisk as a wildcard to apply to zero or more characters.

Authentication Type The type of credentials that the security appliance will pass on to the servers covered by this rule: Basic HTML, NTLM (NT LAN Manager) authentication, FTP, or all of these methods.

The default option is All. Use the default unless you want to limit logins to a certain type.

ASA Group Policies DNS/WINS Settings

Use the DNS/WINS settings to define the DNS and WINS servers and the domain name that should be pushed to clients associated with the ASA group policy. These settings apply to Easy VPN, remote access IPSec VPN, and SSL VPN configurations.

Navigation Path

Select DNS/WINS from the table of contents in the ASA Group Policies Dialog Box, page F-25.

Field Reference

Table F-26 ASA Group Policies DNS/WINS Settings

Element Description

Primary DNS Server The IP address of the primary DNS server for the group. Enter the IP address or the name of a network/host object, or click Select to select an object from a list or to create a new object.

Secondary DNS Server The IP address of the secondary DNS server for the group. Enter the IP address or the name of a network/host object, or click Select to select an object from a list or to create a new object.

Primary WINS Server The IP address of the primary WINS server for the group. Enter the IP address or the name of a network/host object, or click Select to select an object from a list or to create a new object.

Table F-26 ASA Group Policies DNS/WINS Settings (Continued)

Element Description

Secondary WINS Server The IP address of the secondary WINS server for the group. Enter the IP address or the name of a network/host object, or click Select to select an object from a list or to create a new object.

DHCP Network Scope The scope of the DHCP network for the group. Enter the IP network address or the name of a network/host object, or click Select to select an object from a list or to create a new object.

Default Domain The default domain name for the group. The default, blank, is none.

ASA Group Policies Split Tunneling Settings

Use the Split Tunneling settings to configure a secure tunnel to the central site and simultaneous clear text tunnels to the Internet. These settings apply to Easy VPN, remote access IPSec VPN, and SSL VPN configurations.

Split tunneling lets a remote client conditionally direct packets over an IPsec or SSL VPN tunnel in encrypted form or to a network interface in clear text form. With split tunneling enabled, packets not bound for destinations on the other side of the tunnel do not have to be encrypted, sent across the tunnel, decrypted, and then routed to a final destination. The split tunneling policy is applied to specific networks.

Tip For optimum security, we recommend that you not enable split tunneling.

Navigation Path

Select Split Tunneling from the table of contents in the ASA Group Policies Dialog Box, page F-25.

Field Reference

Table F-27 ASA Group Policies Split Tunneling Settings

Element Description

DNS Names A list of domain names to be resolved through the split tunnel. All other names are resolved using the public DNS server. If you do not enter a list, the list is inherited from the default group policy.

Separate multiple entries with spaces or commas. The entire string can be a maximum of 255 characters.

Table F-27 ASA Group Policies Split Tunneling Settings (Continued)

Element Description

Tunnel Option The policy you want to enable for split tunneling:

• Disabled—(Default) No traffic goes in the clear or to any other destination than the security appliance. Remote users reach networks through the corporate network and do not have access to local networks.

• Tunnel Specified Traffic—Tunnel all traffic from or to the networks permitted in the network ACL. Traffic to all other addresses travels in the clear and is routed by the remote user’s Internet service provider.

• Exclude Specified Traffic—Traffic goes in the clear from and to the networks permitted in the network ACL. This is useful for remote users who want to access devices on their local network, such as printers, while they are connected to the corporate network through a tunnel. This option applies only to the Cisco VPN Client.

Networks The name of a standard access control list policy object that identifies the networks that require traffic to travel across the tunnel and those that do not require tunneling. How permit and deny are interpreted depends on your selection for Tunnel Option.

Enter the name of the object, or click Select to select it from a list or to create a new object. If you do not specify an ACL, the network list is inherited from the default group policy.

ASA Group Policies Connection Settings

Use the Connection Settings to configure the connection characteristics for the ASA group policy, including access control and session timeouts. These settings are used for Easy VPN, remote access VPN, or SSL VPN sessions.

Navigation Path

Select Connection Settings from the table of contents in the ASA Group Policies Dialog Box, page F-25.

Field Reference

Table F-28 ASA Group Policies Connection Settings

Element Description

Filter ACL The name of the extended access control list (ACL) policy object to use to restrict user access to the VPN. Enter the name of the object or click Select to select it from a list or to create a new object.

Banner Text The banner, or welcome text, to display on remote clients when they connect to the VPN. You can enter up to 500 characters.
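The Split Tunneling settings above turn on the same permit/deny entry in the Networks ACL depending on the Tunnel Option. As an added example that is not part of the guide, the following Python models that per-destination decision and adds a check a reviewer would want before approving a split-tunnel policy: whether every corporate prefix still goes through the tunnel. ACL entries are reduced to permit/deny on a CIDR prefix, and all names and sample data are this example's own.

```python
# Added example (not Cisco Security Manager code): how Tunnel Option plus the
# Networks ACL decide whether traffic to a destination is tunneled, and a
# coverage check for corporate prefixes. All names here are this example's own.
import ipaddress
from dataclasses import dataclass
from typing import List

DISABLED = "disabled"                    # everything goes through the tunnel
TUNNEL_SPECIFIED = "tunnel_specified"    # only permitted networks are tunneled
EXCLUDE_SPECIFIED = "exclude_specified"  # permitted networks go in the clear


@dataclass(frozen=True)
class AclEntry:
    action: str   # "permit" or "deny"
    prefix: str   # CIDR, e.g. "10.0.0.0/8"


def acl_permits(acl: List[AclEntry], address: str) -> bool:
    """First-match evaluation of a standard ACL, with the implicit deny at the end."""
    ip = ipaddress.ip_address(address)
    for entry in acl:
        if ip in ipaddress.ip_network(entry.prefix):
            return entry.action == "permit"
    return False


def is_tunneled(tunnel_option: str, acl: List[AclEntry], address: str) -> bool:
    """True when traffic to 'address' is encrypted and sent across the VPN tunnel."""
    if tunnel_option == DISABLED:
        return True
    permitted = acl_permits(acl, address)
    if tunnel_option == TUNNEL_SPECIFIED:
        return permitted        # permit = tunnel, deny = clear
    if tunnel_option == EXCLUDE_SPECIFIED:
        return not permitted    # permit = clear, deny = tunnel
    raise ValueError(f"unknown tunnel option: {tunnel_option}")


def untunneled_corporate_prefixes(tunnel_option: str, acl: List[AclEntry],
                                  corporate_prefixes: List[str]) -> List[str]:
    """Corporate prefixes that the policy would (at least partly) leave in the clear.
    This is a coarse check on the first and last address of each prefix: it catches
    an ACL that omits a range or permits only its start, not a hole in the middle."""
    leaks = []
    for prefix in corporate_prefixes:
        net = ipaddress.ip_network(prefix)
        ends = (str(net[0]), str(net[-1]))
        if not all(is_tunneled(tunnel_option, acl, a) for a in ends):
            leaks.append(prefix)
    return leaks


# Constructed sample data: the ACL an administrator proposed for Tunnel Specified
# Traffic, and the prefixes the organisation expects to stay inside the tunnel.
CORPORATE = ["10.0.0.0/8", "172.16.0.0/12"]
PROPOSED_ACL = [AclEntry("permit", "10.0.0.0/8"), AclEntry("permit", "192.168.100.0/24")]

if __name__ == "__main__":
    print(is_tunneled(TUNNEL_SPECIFIED, PROPOSED_ACL, "203.0.113.5"))  # False: Internet in the clear
    print(untunneled_corporate_prefixes(TUNNEL_SPECIFIED, PROPOSED_ACL, CORPORATE))  # ['172.16.0.0/12']
```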

Table F-28 ASA Group Policies Connection Settings (Continued)

Element Description

Access hours The name of a time range policy object that specifies the times that users are allowed to access the VPN. If you do not specify a time range, users can access the VPN at all times. Specify a time range if you want to limit access to the network to certain hours, such as the typical work days and work hours for your organization.

Enter the name of the object or click Select to select it from a list or to create a new object. For more information, see Add or Edit Time Range Dialog Box, page F-182.

Max Simultaneous Logins The number of simultaneous logins a single user is allowed. Values are 0-2147483647. The default is 3. Specify 0 to disable logins and prevent user access.

Max Connection Time The maximum amount of time a user is allowed to be connected to the VPN. Select one of the following:

• Specified Connection time—Use the maximum time value that you enter. Values are 1-35791394 minutes. After the time is exceeded, the security appliance closes the connection.

• Unlimited Connection time—The security appliance does not close connections based on connection time.

Idle Timeout The amount of time a user is allowed to be connected to the VPN while the connection is idle, that is, there is no communication activity. Select one of the following:

• Specified Timeout—Use the time out value you enter. Values are 1-35791394 minutes. When the idle time is exceeded, the security appliance closes the connection. The default is 30 minutes.

• Unlimited Timeout—The security appliance does not close idle connections.

Category Editor Dialog Box

Use the Category Editor dialog box to edit the name or description of a category object. Category objects help you categorize and readily identify rules and other objects.

Navigation Path

Select Tools > Policy Object Manager, select Categories from the Object Type Selector, and click Edit Object.

Related Topics

• Using Category Objects, page 8-6

• Policy Object Manager Window, page F-1

Field Reference

Table F-29 Category Editor Dialog Box

Element Description

Label The color associated with the category.

Name The category name (up to 128 characters).

Description Additional information about the object (up to 1024 characters).

Add or Edit Secure Desktop Configuration Dialog Box

Use the Add or Edit Cisco Secure Desktop Configuration dialog box to create, copy, and edit Cisco Secure Desktop Configuration objects for IOS routers. You can configure the settings required for Windows clients who are connecting from different location types, enable or restrict web browsing and file access for Windows CE clients, and configure the cache cleaner for Macintosh and Linux clients.

Cisco Secure Desktop (CSD) secures network endpoints by providing a reliable means of eliminating all traces of sensitive data by providing a single, secure location for session activity and removal on the client system.

This policy object uses the Secure Desktop Manager application to configure the settings. For an example of configuring settings, see Cisco Secure Desktop on IOS Configuration Example Using SDM at http://www.cisco.com/en/US/products/ps6496/products_configuration_example09186a008072aa7b.shtml. The first part of the configuration example explains setting up SDM, which you can ignore. Instead, look for the sections that describe setting up Windows locations midway through the example. The screen shots will help you identify when you are looking at CSD configuration.

Navigation Path

Select Tools > Policy Object Manager, then select Cisco Secure Desktop (Router) from the Object Type Selector. Right-click inside the work area and select New Object, or right-click a row and select Edit Object.

Related Topics

• Creating Cisco Secure Desktop Configuration Objects, page 8-73

• Policy Object Manager Window, page F-1

Field Reference

Table F-30 Add or Edit Secure Desktop Configuration Dialog Box

Element Description

Name The object name, which can be up to 128 characters. Object names are not case-sensitive. For more information, see Creating Policy Objects, page 8-4.

Description An optional description of the object (up to 1024 characters).

Table F-30 Add or Edit Secure Desktop Configuration Dialog Box (Continued)

Element Description

Windows Location Settings

Windows Locations The names of the locations that you want to configure for Windows clients connecting from specific locations, such as Work, Home, or Insecure.

When you create a location, an item for the location is added to the table of contents, where you can select the settings folders related to the location and configure its properties. The settings include a definition of how to determine if a client is connecting from that particular location.

For each location you want to configure, enter its name in the Location to Add field and click Add to move it to the Locations list.

You can reorder the locations using the Move Up/Move Down buttons. CSD checks locations in the order listed in this dialog box, and grants privileges to client PCs based on the first location definition they match. You can create a default location, such as Insecure, as the final location and configure the strictest security for it. For more information, see Creating Cisco Secure Desktop Configuration Objects, page 8-73.

Close all open browser windows after installation

Whether to close all the open browser windows after installing the Secure Desktop application.

VPN Feature Policy Select the check boxes to enable these features if installation or location matching fails:

• Web Browsing

• File Access

• Port Forwarding

• Full Tunneling

Windows CE

VPN Feature Policy The Windows CE options enable you to configure a VPN feature policy to enable or restrict web browsing and remote server file access for remote clients running Microsoft Windows CE. You cannot configure locations for these clients.

Mac and Linux Cache Cleaner

Launch Cleanup Upon Global Timeout

Whether to set a global timeout after which CSD launches the cache cleaner. Select a timeout (the default is 30 minutes), and select whether to allow the user to reset the timeout value.

Launch Cleanup Upon Exiting of Browser

Whether to start the cache cleaner when the user closes all web browser windows.

Enable Canceling of Cleaning

Whether to allow the remote user to cancel the cleaning of the cache.

Table F-30 Add or Edit Secure Desktop Configuration Dialog Box (Continued)

Element Description

Secure Delete The number of passes for CSD to perform a secure cleanup. The default is 1 pass.

CSD encrypts and writes the cache to the remote client’s disk. Upon termination of the Secure Desktop, CSD converts all bits occupied by the cache to all 0’s, then to all 1’s, and then to randomized 0’s and 1’s.

Enable Web Browsing if Mac or Linux Installation Fails

Whether to allow web browsing (but not other remote access features) if the cache cleaner installation fails.

VPN Feature Policy Whether to allow web browsing, remote server file access, and port forwarding for Macintosh and Linux clients. Port forwarding permits the use of the Secure Desktop to connect a client application installed on the local PC to the TCP/IP port of a peer application on a remote server.

Category The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6.

Credentials Dialog Box

Use the Credentials dialog box to create, copy, and edit Credential objects.

Credential objects are used in Easy VPN configuration during IKE Extended Authentication (Xauth) when authenticating user access to the network and network services. When negotiating tunnel parameters for establishing IPsec tunnels in an Easy VPN configuration, Xauth identifies the user who requests the IPsec connection. If the VPN server is configured for Xauth, the client waits for a “username/password” challenge after the IKE SA has been established. When the end user responds to the challenge, the response is forwarded to the IPsec peers for an additional level of authentication. You can save the Xauth credentials (username and password) on the device itself so you do not need to enter them manually each time the Easy VPN tunnel is established.

Navigation Path

Select Tools > Policy Object Manager, then select Credentials from the Object Type Selector. Right-click inside the work area and select New Object or right-click a row and select Edit Object.

Related Topics

• Creating Credential Objects, page 8-30

• Policy Object Manager Window, page F-1

• Easy VPN and IKE Extended Authentication (Xauth)

Field Reference

Table F-31 Credentials Dialog Box

Element Description

Name The object name, which can be up to 128 characters. Object names are not case-sensitive. For more information, see Creating Policy Objects, page 8-4.

Table F-31 Credentials Dialog Box (Continued)

Element Description

Description An optional description of the object (up to 1024 characters).

Username The name that will be used to identify the user during Xauth authentication.

Password

Confirm

The password for the user, entered in both fields. The password must be alphanumeric and a maximum of 128 characters. Spaces are not allowed.

Category The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6.

Allow Value Override per Device

Overrides

Edit button

Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden, page 8-10 and Understanding Policy Object Overrides for Individual Devices, page 8-9.

If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.

Add and Edit File Object Dialog Boxes

Use the Add and Edit File Object dialog boxes to create, copy, and edit file objects. File objects represent files that are used in device configurations, typically for remote access VPN policies and policy objects. Such files include Anyconnect client profile and image files, image (graphic) files, plug-in jar files, and Cisco Secure Desktop package files.

Tip Before you can add a file to a file object, you must copy the file to the Security Manager server. You cannot select files from a network server or your workstation. Do not copy the file directly to the file repository.

When you create a file object, Security Manager makes a copy of the file in its storage system. These files are backed up whenever you create a backup of the Security Manager database, and they are restored if you restore the database. When you deploy configurations that specify a file object, the associated file is downloaded to the device in the appropriate directory.

After you create a file object, you typically should not edit it. If you need to replace the file, edit the file object to select the new file, or create a new file object. If the file is editable, you can edit the file object to identify the file’s location in the file repository, and use the desired editor to open and edit the file outside of Security Manager. The file repository is the CSCOpx\MDC\FileRepository folder in the installation directory (typically, C:\Program Files). The files are organized in subfolders named for the file type.

When you delete a file object, the associated file is not deleted from the file repository.

Navigation Path

Select Tools > Policy Object Manager, then select File Objects from the Object Type Selector. Right-click inside the work area, then select New Object or right-click a row, then select Edit Object.

Related Topics

• Creating File Objects, page 8-31

Field Reference

Table F-32 Add and Edit File Object Dialog Boxes

Element Description

Name The object name, which can be up to 128 characters. Object names are not case-sensitive. For more information, see Creating Policy Objects, page 8-4.

If you do not enter a name, the name of the file is used for the object name.

Description An optional description of the object.

File Type The type of file. If you create the object while configuring a policy, the correct file type is pre-selected. Options are:

• Image—For graphic files.

• Cisco Secure Desktop Package

• Plug-In—For browser plug-in files.

• AnyConnect Profile

• AnyConnect Image

File The name and full path of the file. The file must be on the Security Manager server. Click Browse to select the file.

For file objects that you are editing, the path indicates the location in the Security Manager file repository.

Tip Security Manager comes with a number of files that you can use with SSL VPN configurations. If you are creating a file object for Anyconnect images or profiles, Cisco Secure Desktop clients, or plug-ins, you can find some files in the C:\Program Files\CSCOpx\objects\sslvpn folder.

File Name on Device The file name you want to use when the file is downloaded to the device when you deploy policies. The default is to use the same file name as the original file.

If the object was created by discovering policies from the device, this field uses the original name of the file as it existed on the device. This might not be the same name as it exists on the Security Manager server if the original name duplicated existing file names on the server.

Category The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6.

Add or Edit FlexConfig Dialog Box

Use the Add or Edit FlexConfig dialog box to create or edit FlexConfig policy objects. FlexConfig objects are small programs that allow you to add configuration commands before or after the configurations generated from Security Manager policies, so that you can extend the abilities of the product to configure your devices. You use these policy objects in FlexConfig device or shared policies.


Before creating FlexConfig policy objects, read the sections in Understanding FlexConfig Policies and Policy Objects, page 18-1.

Navigation Path

Select Tools > Policy Object Manager, then select FlexConfigs from the Object Type Selector. Right-click inside the work area and select New Object or right-click a row and select Edit Object.

Related Topics

• Creating FlexConfig Policy Objects, page 18-26

• Editing FlexConfig Policies, page 18-28

• Chapter 18, “Managing FlexConfigs”

Field Reference

Table F-33 FlexConfigs Editor Dialog Box

Element Description

Name The object name, which can be up to 128 characters. Object names are not case-sensitive. For more information, see Creating Policy Objects, page 8-4.

Description An optional description of the object.

Group The name of the group of FlexConfig objects to which this object belongs, if any. You can type in a name, or select an existing name from the list. This field is for informational purposes only, and can help you find a FlexConfig object in the FlexConfig Objects page in the Policy Object Manager.

Type Whether the commands in the object are prepended (put at the beginning) or appended (put at the end) of configurations.

Negate For The name of the FlexConfig object whose commands are undone in this FlexConfig object. This field is for informational purposes only and does not affect the processing of the object.

For example, if FlexConfig A has the command banner login, and FlexConfig B has the command no banner login, FlexConfig B negates the configuration for FlexConfig A.

Table F-33 FlexConfigs Editor Dialog Box (Continued)

Element Description

FlexConfig Object Body

Object Body edit box The commands and instructions to produce the desired configuration file output. You can type in the following types of data:

• Scripting commands to control processing. For more information, see Using Scripting Language Instructions, page 18-3.

• CLI commands that are supported by the operating system running on the devices to which you will deploy the FlexConfig policy object. For more information, see Using CLI Commands in FlexConfig Policy Objects, page 18-2.

• Variables. You can insert variables using the right-click menu, which allows you to create simple single-value text variables (Create Text Object), select variables from existing policy objects (Insert Policy Object), or select system variables (Insert System Variable). For more information, see Understanding FlexConfig Object Variables, page 18-5.

Undo button Deletes the previous action.

Redo button Performs the previously undone action.

Cut button Deletes the highlighted text and copies it to the clipboard.

Copy button Copies the highlighted text to the clipboard.

Paste button Pastes previously cut or copied text.

Find button Locates the specified text string in the object body.

Validate FlexConfig button Checks the integrity and deployability of the FlexConfig object.

FlexConfig Object Variables

This table lists the variables that are used in the FlexConfig object.

Name The name of the variable. Click the cell to edit the name, which also changes the name in the FlexConfig object body.

Default Value The value to use when one is not provided. Click the cell to edit the value for user-defined variables. You cannot edit system-defined variables.

Note Except for optional variables, if a default value is not provided, you must provide a value for the variable.

Object Property The property of the object. The object property name is in the following format:

type.name.data.property

where

• Type—The type of object, for example Text, Network, AAA Server, and so on.

• Name—The name of the object.

• Data—Indicates that the property of the object is data.

• Property—The property of the data.

F-50User Guide for Cisco Security Manager 3.3

OL-19983-01

Page 51: €¦ · F-1 User Guide for Cisco Security Manager 3.3 OL-19983-01 APPENDIX F Policy Object Manager User Interface Reference The Policy Object Manager is used to create and glob ally

Appendix F Policy Object Manager User Interface ReferencePolicy Object Add or Edit Dialog Boxes

Create Text Object Dialog Box

Use the Create Text Object dialog box as a shortcut to create text objects of dimension 0, which are single-value variables, for use in FlexConfig policy objects. Enter the name of the variable and the value to assign to it. When you click OK, the variable is added to the FlexConfig object at the cursor location and it is added to the list of variables for the object.

Navigation Path

In the Add or Edit FlexConfig Dialog Box, right-click in the object body field and select Create Text Object.

Tip If you want to create a multiple-value text object, right-click and select Insert Policy Object > Text Objects, and click the Add button under the available objects list. For more information, see Creating Text Objects, page 8-91.

FlexConfig Undefined Variables Dialog Box

Use the FlexConfig Undefined Variables dialog box to define variables used in the FlexConfig object that have not yet been defined. You can choose from a list of policy object types or add a new policy object to use.

Each row in the table represents a single undefined variable.

Tip You do not need to define local variables, those used by the scripting language for processing control. For more information about variables, see Understanding FlexConfig Object Variables, page 18-5.

Navigation Path

In the Add or Edit FlexConfig Dialog Box, if you enter a variable name but do not define its values, when you click OK, Security Manager displays a warning and asks if you want to define the variables. If you click Yes, this dialog box is opened.

Table F-33 FlexConfigs Editor Dialog Box (Continued)

Element Description

Dimension The structure of the data in the variable. Possible values are:

• 0—scalar (a single string)

• 1—one-dimensional array (a list of strings)

• 2—two-dimensional table (a table of strings)

Optional Whether the variable is required to have a value.

Description A description of the contents of the object. Click the cell to edit the description.


Field Reference

Table F-34 FlexConfig Undefined Variables Dialog Box

Element Description

Variable Name The name of the undefined variable that you used in the FlexConfig object.

Object Type The type of policy object that contains the value you want to assign to the variable. For local variables, use the Undefined object type.

For variables you want to define, you must select the specific policy object and value within that object to assign to the selected variable.

You start by selecting the type of policy object from this list. You are then prompted to select the specific policy object. When you click OK, you are prompted to select the specific property within that object that contains the desired value (see Property Selector Dialog Box, page F-52). When you select the value on the Property Selector dialog box and click OK, the value is assigned to the variable.

Object Property The property of the object. For a detailed explanation, see Add or Edit FlexConfig Dialog Box.

Optional Whether the variable is required to have a value.

Property Selector Dialog Box

Use the Property Selector dialog box to select the specific property within a selected policy object that you want to assign to a variable within a FlexConfig policy object. The title of the dialog box indicates the type of policy object that you selected (for example, AAA Server Groups Property Selector).

For more information on variables, see Understanding FlexConfig Object Variables, page 18-5.

Navigation Path

• In the Add or Edit FlexConfig Dialog Box, right-click and select a specific policy object group type from the Insert Policy Object menu, select a specific policy object when prompted, and click OK.

• In the FlexConfig Undefined Variables Dialog Box, select a policy object type from the Object Type field, select a specific policy object when prompted, and click OK.

Field Reference

Table F-35 Property Selector Dialog Box

Element Description

Object Property The property of the object that contains the value you want to assign to the variable. For specific information on the properties, see the explanation of the fields for the dialog box used for adding or editing objects of that type. You can find a list of links to the relevant topics at Policy Object Add or Edit Dialog Boxes, page F-4.

Name The name of the variable. This field is not available when you are defining undefined variables.

Description An optional description of the variable. This field is not available when you are defining undefined variables.


Add or Edit IKE Proposal Dialog Box

Use the IKE Proposal dialog box to create, copy, and edit an IKE proposal object.

Internet Key Exchange (IKE) proposal objects contain the parameters required for IKE proposals when defining remote access and site-to-site VPN policies. IKE is a key management protocol that facilitates the management of IPsec-based communications. It is used to authenticate IPsec peers, negotiate and distribute IPsec encryption keys, and automatically establish IPsec security associations (SAs).

The IKE negotiation comprises two phases. Phase 1 negotiates a security association between two IKE peers, which enables the peers to communicate securely in Phase 2. During Phase 2 negotiation, IKE establishes security associations (SAs) for other applications, such as IPsec. Both phases use proposals when they negotiate a connection. For more information about IKE proposals, see the following topics:

• Understanding IKE, page 9-45

• Deciding Which Encryption Algorithm to Use, page 9-45

• Deciding Which Hash Algorithm to Use, page 9-46

• Deciding Which Diffie-Hellman Group to Use, page 9-46

• Deciding Which Authentication Method to Use, page 9-47

Navigation Path

Select Tools > Policy Object Manager, then select IKE Proposals from the Object Type Selector. Right-click inside the work area, then select New Object or right-click a row, then select Edit Object.

Tip You can also access this dialog box by selecting a device, selecting Remote Access VPN > IPSec VPN > IKE Proposal, and clicking the Add or Edit button.

Related Topics

• Creating IKE Proposal Objects, page 8-32

• Policy Object Manager Window, page F-1

• Add or Edit IPSec Transform Set Dialog Box, page F-57

• Creating Policy Objects, page 8-4

Field Reference

Table F-36 IKE Proposal Dialog Box

Element Description

Name The name of the policy object. A maximum of 128 characters is allowed.

Description A description of the policy object. A maximum of 1024 characters is allowed.


Table F-36 IKE Proposal Dialog Box (Continued)

Element Description

Priority The priority value of the IKE proposal. The priority value determines the order of the IKE proposals compared by the two negotiating peers when attempting to find a common security association (SA). If the remote IPsec peer does not support the parameters selected in your first priority policy, the device tries to use the parameters defined in the policy with the next lowest priority number.

Valid values range from 1 to 10000. The lower the number, the higher the priority. If you leave this field blank, Security Manager assigns the lowest unassigned value starting with 1, then 5, then continuing in increments of 5.

Encryption Algorithm The encryption algorithm used to establish the Phase 1 SA for protecting Phase 2 negotiations:

• AES-128—Encrypts according to the Advanced Encryption Standard using 128-bit keys.

• AES-192—Encrypts according to the Advanced Encryption Standard using 192-bit keys.

• AES-256—Encrypts according to the Advanced Encryption Standard using 256-bit keys.

• DES—Encrypts according to the Data Encryption Standard using 56-bit keys.

• 3DES—Encrypts three times using 56-bit keys. 3DES is more secure than DES, but requires more processing for encryption and decryption. It is less secure than AES. A 3DES license is required to use this option.

Hash Algorithm The hash algorithm used in the IKE proposal. The hash algorithm creates a message digest, which is used to ensure message integrity. Options are:

• SHA (Secure Hash Algorithm)—Produces a 160-bit digest. SHA is more resistant to brute-force attacks than MD5.

• MD5 (Message Digest 5)—Produces a 128-bit digest. MD5 uses less processing time than SHA.


Table F-36 IKE Proposal Dialog Box (Continued)

Element Description

Modulus Group The Diffie-Hellman group to use for deriving a shared secret between the two IPsec peers without transmitting it to each other. A larger modulus provides higher security but requires more processing time. The two peers must have a matching modulus group. Options are:

• 1—Diffie-Hellman Group 1 (768-bit modulus).

• 2—Diffie-Hellman Group 2 (1024-bit modulus).

• 5—Diffie-Hellman Group 5 (1536-bit modulus, considered good protection for 128-bit keys, but group 14 is better).

• 7—Diffie-Hellman Group 7 (163-bit elliptic curve field size).

• 14—Diffie-Hellman Group 14 (2048-bit modulus, considered good protection for 128-bit keys).

• 15—Diffie-Hellman Group 15 (3072-bit modulus, considered good protection for 192-bit keys).

• 16—Diffie-Hellman Group 16 (4096-bit modulus, considered good protection for 256-bit keys).

Lifetime The lifetime of the security association (SA), in seconds. When the lifetime is exceeded, the SA expires and must be renegotiated between the two peers. As a general rule, the shorter the lifetime (up to a point), the more secure your IKE negotiations will be. However, with longer lifetimes, future IPsec security associations can be set up more quickly than with shorter lifetimes.

You can specify a value from 60 to 86400 seconds.

Authentication Method The method of authentication to use between the two peers:

• Preshared Key—Preshared keys allow for a secret key to be shared between two peers and used by IKE during the authentication phase. If one of the participating peers is not configured with the same preshared key, the IKE SA cannot be established.

• Certificate—An authentication method in which RSA key pairs are used to sign and encrypt IKE key management messages. This method provides non-repudiation of communication between two peers, meaning that it can be proved that the communication actually took place. When you use this authentication method, the peers are configured to obtain digital certificates from a Certification Authority (CA).

Category The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6.
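The priority rule and the negotiation order that the Priority row describes, worked through as an added Python example (not Cisco Security Manager code). The priority sequence, the value ranges and the "weaker than" remarks are taken from Table F-36; the assumption that the peers must agree on all four algorithm choices and settle on the shorter lifetime, and the sample proposal lists, are this example's own.

```python
"""IKE proposal priority and negotiation, following Table F-36.

Added example, not Cisco Security Manager code. Value ranges and the
priority sequence (1, then 5, then increments of 5) come from the table;
the match rule (all four algorithm choices must agree, shorter lifetime
wins) is this example's assumption.
"""
from __future__ import annotations

from dataclasses import dataclass, replace
from typing import Optional

PRIORITY_MIN, PRIORITY_MAX = 1, 10000
LIFETIME_MIN, LIFETIME_MAX = 60, 86400


@dataclass(frozen=True)
class IkeProposal:
    priority: int
    encryption: str   # "AES-128", "AES-192", "AES-256", "DES" or "3DES"
    hash_alg: str     # "SHA" or "MD5"
    dh_group: int     # modulus group: 1, 2, 5, 7, 14, 15 or 16
    lifetime: int     # SA lifetime in seconds
    auth: str         # "Preshared Key" or "Certificate"


def next_free_priority(assigned: set[int]) -> int:
    """Lowest unassigned value from the sequence 1, 5, 10, 15, ..."""
    candidate = PRIORITY_MIN
    while candidate in assigned:
        candidate = 5 if candidate == 1 else candidate + 5
        if candidate > PRIORITY_MAX:
            raise ValueError("no free priority value left")
    return candidate


def validate(p: IkeProposal) -> list[str]:
    """Range checks corresponding to the limits stated in the table."""
    problems = []
    if not PRIORITY_MIN <= p.priority <= PRIORITY_MAX:
        problems.append(f"priority {p.priority} outside {PRIORITY_MIN}-{PRIORITY_MAX}")
    if not LIFETIME_MIN <= p.lifetime <= LIFETIME_MAX:
        problems.append(f"lifetime {p.lifetime}s outside {LIFETIME_MIN}-{LIFETIME_MAX}")
    return problems


def weaker_choices(p: IkeProposal) -> list[str]:
    """Choices the table itself describes as weaker than an alternative."""
    notes = []
    if p.encryption == "DES":
        notes.append("DES: 56-bit keys; 3DES and AES are stronger")
    elif p.encryption == "3DES":
        notes.append("3DES: less secure than AES")
    if p.hash_alg == "MD5":
        notes.append("MD5: less resistant to brute force than SHA")
    if p.dh_group in (1, 2, 5):
        notes.append(f"DH group {p.dh_group}: a larger modulus (group 14 or above) gives higher security")
    return notes


def negotiate(local: list[IkeProposal], remote: list[IkeProposal]) -> Optional[IkeProposal]:
    """Try the local proposals from the lowest priority number upward and
    return the first one the remote peer also offers (None if no overlap)."""
    def key(p: IkeProposal):
        return (p.encryption, p.hash_alg, p.dh_group, p.auth)

    remote_by_key = {key(p): p for p in remote}
    for mine in sorted(local, key=lambda p: p.priority):
        theirs = remote_by_key.get(key(mine))
        if theirs is not None:
            # Assumption: the peers settle on the shorter of the two lifetimes.
            return replace(mine, lifetime=min(mine.lifetime, theirs.lifetime))
    return None


# Constructed sample: two local proposals and a remote peer that offers only 3DES or DES.
LOCAL = [
    IkeProposal(1, "AES-256", "SHA", 14, 86400, "Preshared Key"),
    IkeProposal(5, "3DES", "SHA", 2, 86400, "Preshared Key"),
]
REMOTE = [
    IkeProposal(10, "3DES", "SHA", 2, 28800, "Preshared Key"),
    IkeProposal(20, "DES", "MD5", 1, 86400, "Preshared Key"),
]

if __name__ == "__main__":
    chosen = negotiate(LOCAL, REMOTE)
    print("agreed proposal:", chosen)
    print("notes:", weaker_choices(chosen) if chosen else "no common proposal")
    print("next free priority:", next_free_priority({p.priority for p in LOCAL}))
```

With the sample lists, the AES-256 proposal (priority 1) has no counterpart on the remote side, so negotiation falls through to the priority-5 3DES proposal, and weaker_choices reports why that fallback deserves a review.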


Interface Role Dialog Box

Use the Interface Role dialog box to create, copy, or edit an interface role object. Interface Role objects have the following uses:

• Specifying multiple interfaces—Interface role objects allow you to apply policies to specific interfaces on multiple devices without having to manually define the names of each interface.

• Zones—You use interface role objects to define the zones in a zone-based firewall rules policy.

Navigation Path

Select Tools > Policy Object Manager, then select Interface Roles from the Object Type Selector. Right-click inside the work area and select New Object or right-click a row and select Edit Object.

Related Topics

• Creating Policy Objects, page 8-4

• Creating Interface Role Objects, page 8-34

• Exceptional Cases When Using Interface Roles, page 8-35

• Specifying Interfaces During Policy Definition, page 8-35

• Understanding Interface Role Objects, page 8-33

• Understanding the Zone-based Firewall Rules, page 11-62

• Policy Object Manager Window, page F-1

Field Reference

Table F-37 Interface Role Dialog Box

Element Description

Name The name of the policy object. A maximum of 128 characters is allowed.

Description A description of the policy object. A maximum of 1024 characters is allowed.

Interface Name Patterns The names to include in this interface role. The names are the complete or partial names of interfaces, subinterfaces, and other virtual interfaces. Separate multiple name patterns with commas.

You can use these wildcards to create name patterns that apply to multiple interfaces:

• Use a period (.) as a wildcard for a single character.

To use a period as part of the pattern itself (for example, when defining subinterfaces), enter a backslash (\) before the period.

• Use an asterisk (*) as a wildcard for one or more characters at the end of the interface pattern. For example, FastEthernet* would include interfaces named FastEthernet0 and FastEthernet1.

Category The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6.


Interface Name Conflict Dialog Box

When defining a policy requiring an interface, you might enter a name that corresponds to both an interface role and an actual interface on the device. When you save or update the policy, the Interface Name Conflict dialog box opens automatically so that you can select whether you want to specify the interface or the interface role. The dialog box lists only those names for which there are conflicts.

For more information about the exact circumstances that lead to this conflict, see Exceptional Cases When Using Interface Roles, page 8-35.

Related Topics

• Understanding Interface Role Objects, page 8-33

• Basic Interface Settings on Cisco IOS Routers, page 13-13
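The wildcard rules from the Interface Name Patterns row, together with the name-conflict case described above, as an added Python example (not Security Manager code). The interface names, role names and policy names are constructed; treating a role as applying to an interface when any of its comma-separated patterns matches the whole interface name is this example's reading of the row.

```python
"""Interface role name patterns (Table F-37) and the Interface Name Conflict
check. Added example, not Security Manager code; the device interfaces and
role definitions below are constructed."""
from __future__ import annotations

import re


def pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate one name pattern into an anchored regular expression.

    '.' matches exactly one character, a backslash before a period makes it
    a literal period, and '*' (allowed only at the end) matches one or more
    characters. Everything else is literal.
    """
    parts = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and pattern[i + 1:i + 2] == ".":
            parts.append(r"\.")      # escaped period: literal, e.g. subinterface "0.100"
            i += 2
            continue
        if ch == ".":
            parts.append(".")        # single-character wildcard
        elif ch == "*":
            if i != len(pattern) - 1:
                raise ValueError(f"'*' is only allowed at the end of a pattern: {pattern!r}")
            parts.append(".+")       # one or more characters, end of pattern only
        else:
            parts.append(re.escape(ch))
        i += 1
    return re.compile("^" + "".join(parts) + "$")


def parse_patterns(field: str) -> list[re.Pattern]:
    """The dialog box field: one or more comma-separated patterns."""
    return [pattern_to_regex(p.strip()) for p in field.split(",") if p.strip()]


def resolve_role(field: str, device_interfaces: list[str]) -> list[str]:
    """Interfaces on a device that a role with this pattern field applies to."""
    regexes = parse_patterns(field)
    return [name for name in device_interfaces if any(r.match(name) for r in regexes)]


def name_conflicts(policy_names: list[str], device_interfaces: list[str],
                   roles: dict[str, str]) -> list[str]:
    """Names used in a policy that are both an actual interface on the device
    and the name of an interface role: the case the Interface Name Conflict
    dialog box asks you to resolve."""
    return [n for n in policy_names if n in device_interfaces and n in roles]


# Constructed sample device and roles (role name -> Interface Name Patterns field).
INTERFACES = ["FastEthernet0", "FastEthernet1", "FastEthernet0.100",
              "GigabitEthernet0/1", "Vlan10", "inside"]
ROLES = {
    "All-FastEthernet": "FastEthernet*",
    "FE-Subinterfaces": r"FastEthernet0\.1..",
    "inside": "GigabitEthernet0/1,Vlan..",
}

if __name__ == "__main__":
    for role, field in ROLES.items():
        print(f"{role}: {resolve_role(field, INTERFACES)}")
    print("conflicts:", name_conflicts(["inside", "Vlan10"], INTERFACES, ROLES))
```

Note that FastEthernet* also picks up the subinterface FastEthernet0.100, because the trailing asterisk matches any run of characters, while FastEthernet. stops at the single-digit ports; that difference is exactly what the exceptional-cases topic referenced above is about when a role ends up wider than intended.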

Table F-37 Interface Role Dialog Box (Continued)

Element Description

Allow Value Override per Device

Overrides

Edit button

Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden, page 8-10 and Understanding Policy Object Overrides for Individual Devices, page 8-9.

If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.

Add or Edit IPSec Transform Set Dialog Box

Use the Add or Edit IPSec Transform Set dialog box to create, copy and edit IPSec transform set objects.

You can create IPSec transform set objects for use in IPSec proposals when defining IPSec-protected traffic in site-to-site and remote access VPNs. When you create an IPSec transform set object, you select the mode in which IPSec should operate, as well as define the required encryption and authentication types. Additionally, you can select whether to include compression in the transform set. During IPSec security association negotiation, the peers agree to use a particular transform set when protecting a particular data flow.

Two different security protocols are included within the IPSec standard:

• Encapsulating Security Protocol (ESP)—Provides authentication, encryption, and anti-replay services. ESP is IP protocol type 50.

• Authentication Header (AH)—Provides authentication and anti-replay services. AH does not provide encryption and has largely been superseded by ESP. AH is IP protocol type 51.

Note We recommend using both encryption and authentication on IPSec tunnels.

Navigation Path

Select Tools > Policy Object Manager, then select IPSec Transform Sets from the Object Type Selector. Right-click inside the work area and select New Object or right-click a row and select Edit Object.


Related Topics

• About Transform Sets, page 9-49

• Creating IPSec Transform Set Objects, page 8-36

• Policy Object Manager Window, page F-1

• Add or Edit IKE Proposal Dialog Box, page F-53

• Creating Policy Objects, page 8-4

Field Reference

Table F-38 IPSec Transform Set Dialog Box

Element Description

Name The name of the policy object. A maximum of 128 characters is allowed.

Description A description of the policy object. A maximum of 1024 characters is allowed.

Mode The mode in which the IPSec tunnel operates:

• Tunnel—Tunnel mode encapsulates the entire IP packet. The IPSec header is added between the original IP header and a new IP header. This is the default.

Use tunnel mode when the firewall is protecting traffic to and from hosts positioned behind the firewall. Tunnel mode is the normal way regular IPSec is implemented between two firewalls (or other security gateways) that are connected over an untrusted network, such as the Internet.

• Transport—Transport mode encapsulates only the upper-layer protocols of an IP packet. The IPSec header is inserted between the IP header and the upper-layer protocol header (such as TCP).

Transport mode requires that both the source and destination hosts support IPSec, and can only be used when the destination peer of the tunnel is the final destination of the IP packet. Transport mode is generally used only when protecting a Layer 2 or Layer 3 tunneling protocol such as GRE, L2TP, and DLSW.


Table F-38 IPSec Transform Set Dialog Box (Continued)

Element Description

ESP Encryption The Encapsulating Security Protocol (ESP) encryption algorithm that the transform set should use:

• (Blank)—Do not use ESP encryption.

• DES—Encrypts according to the Data Encryption Standard using 56-bit keys.

• 3DES—Encrypts three times using 56-bit keys. 3DES is more secure than DES, but requires more processing for encryption and decryption. A 3DES license is required to use this option.

• AES-128—Encrypts according to the Advanced Encryption Standard using 128-bit keys.

• AES-192—Encrypts according to the Advanced Encryption Standard using 192-bit keys.

• AES-256—Encrypts according to the Advanced Encryption Standard using 256-bit keys.

• ESP-Null—A null encryption algorithm. Transform sets defined with ESP-Null provide authentication without encryption; this is typically used for testing purposes only.

ESP Hash Algorithm

AH Hash Algorithm

The ESP or AH hash algorithm to use in the transform set for authentication. The default is to use SHA for ESP authentication and to not use AH authentication.

• None—Does not perform ESP or AH authentication.

• SHA (Secure Hash Algorithm)—Produces a 160-bit digest. SHA is more resistant to brute-force attacks than MD5, but requires more processing time.

• MD5 (Message Digest 5)—Produces a 128-bit digest. MD5 uses less processing time than SHA, but is less secure.

Note We recommend using both encryption and authentication on IPSec tunnels.

Compression

(IOS devices only.)

Whether to compress the data in the IPSec tunnel using the Lempel-Ziv-Stac (LZS) algorithm.

Category The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6.

Add and Edit LDAP Attribute Map Dialog Boxes

Use the Add and Edit LDAP (Lightweight Directory Access Protocol) Attribute Map dialog boxes to populate the attribute map with name mappings that translate Cisco LDAP attribute names to custom, user-defined attribute names.

If you are introducing a security appliance to an existing LDAP directory, your existing custom LDAP attribute names and values are probably different from the Cisco attribute names and values. Rather than renaming your existing attributes, you can create LDAP attribute maps that map your custom attribute names and values to Cisco attribute names and values. By using simple string substitution, the security appliance then presents you with only your own custom names and values. You can then bind these attribute maps to LDAP servers or remove them as needed. You can also delete entire attribute maps or remove individual name and value entries.

For more information regarding LDAP support on ASA, PIX, and FWSM devices, see Additional AAA Support on ASA, PIX, and FWSM Devices, page 8-17.
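The name mappings and value mappings described above, applied as the simple string substitution the text mentions, in an added Python example (not Security Manager or ASA code). The directory entries and the customer attribute names are constructed; IETF-Radius-Class and Banner1 are Cisco attribute names as used in ASA LDAP attribute maps rather than names taken from this page, and passing a value through unchanged when it has no value mapping is this example's assumption.

```python
"""LDAP attribute map: name mappings (the Attribute Map table) and value
mappings (the Map Value table) applied by string substitution.

Added example, not Security Manager or ASA code. Directory entries and
customer attribute names are constructed; IETF-Radius-Class and Banner1
are Cisco attribute names from ASA LDAP attribute maps, not from this page.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class LdapAttributeMap:
    # customer attribute name -> Cisco attribute name
    names: dict[str, str] = field(default_factory=dict)
    # customer attribute name -> {customer value -> Cisco value}
    values: dict[str, dict[str, str]] = field(default_factory=dict)

    def map_name(self, customer_name: str, cisco_name: str) -> None:
        self.names[customer_name] = cisco_name

    def map_value(self, customer_name: str, customer_value: str, cisco_value: str) -> None:
        # Value mappings hang off a name mapping, as in the dialog boxes.
        if customer_name not in self.names:
            raise KeyError(f"{customer_name!r} has no name mapping; add that first")
        self.values.setdefault(customer_name, {})[customer_value] = cisco_value

    def translate(self, entry: dict[str, list[str]]) -> dict[str, list[str]]:
        """The entry as the appliance sees it: only mapped attributes, under
        their Cisco names, with mapped values substituted. Values without a
        value mapping pass through unchanged (assumption)."""
        out: dict[str, list[str]] = {}
        for attr, vals in entry.items():
            cisco_name = self.names.get(attr)
            if cisco_name is None:
                continue
            substitutions = self.values.get(attr, {})
            out.setdefault(cisco_name, []).extend(substitutions.get(v, v) for v in vals)
        return out

    def unmapped_values(self, entry: dict[str, list[str]]) -> list[tuple[str, str]]:
        """(customer name, value) pairs that reach the appliance unchanged even
        though the attribute has a value map. Worth reviewing: such a value
        will not select the setting the map was written to select."""
        found = []
        for attr, vals in entry.items():
            if attr in self.names and attr in self.values:
                found.extend((attr, v) for v in vals if v not in self.values[attr])
        return found

    def duplicate_targets(self) -> dict[str, list[str]]:
        """Cisco names that more than one customer attribute maps to; the last
        one translated wins silently, so flag it."""
        by_target: dict[str, list[str]] = {}
        for customer, cisco in self.names.items():
            by_target.setdefault(cisco, []).append(customer)
        return {c: s for c, s in by_target.items() if len(s) > 1}


def build_sample_map() -> LdapAttributeMap:
    """Constructed map: department selects a group policy, title feeds a banner."""
    m = LdapAttributeMap()
    m.map_name("department", "IETF-Radius-Class")
    m.map_value("department", "Engineering", "GP-Engineering")
    m.map_value("department", "Finance", "GP-Finance")
    m.map_name("title", "Banner1")
    return m


# Constructed directory entries (attribute -> list of values).
ALICE = {"department": ["Engineering"], "title": ["Staff"], "mail": ["alice@example.com"]}
BOB = {"department": ["Sales"], "mail": ["bob@example.com"]}

if __name__ == "__main__":
    m = build_sample_map()
    for who, entry in (("alice", ALICE), ("bob", BOB)):
        print(who, m.translate(entry), "unmapped:", m.unmapped_values(entry))
```

In the sample, Bob's department value "Sales" has no value mapping, so it would reach the appliance literally; unmapped_values surfaces that before it turns into a user landing in the wrong group policy.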

Navigation Path

Select Tools > Policy Object Manager, then select LDAP Attribute Map from the Object Type selector. Right-click inside the table and select New Object, or right-click a row and select Edit Object.

Related Topics

• Creating LDAP Attribute Map Objects, page 8-37

• Creating AAA Server Objects, page 8-20

• AAA Server Dialog Box—LDAP Settings, page F-14

Field Reference

Table F-39 Add and Edit LDAP Attribute Map Dialog Boxes

Element Description

Name The object name, which can be up to 128 characters. Object names are not case-sensitive. For more information, see Creating Policy Objects, page 8-4.

Description An optional description of the object.

Attribute Map table The table shows the mapped values. Each entry shows the customer map name, Cisco map name, and the attribute mapping of customer name to Cisco name.

• To add a mapping, click the Add Row button to open the Add and Edit LDAP Attribute Map Value Dialog Boxes, page F-60.

• To edit a mapping, select it and click the Edit Row button.

• To delete a mapping, select it and click the Delete Row button.

Category The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6.

Allow Value Override per Device

Overrides

Edit button

Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden, page 8-10 and Understanding Policy Object Overrides for Individual Devices, page 8-9.

If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.

Add and Edit LDAP Attribute Map Value Dialog Boxes

Use the Add and Edit LDAP Attribute Map Value dialog boxes to populate the attribute map with value mappings that apply user-defined attribute values to the custom attribute name and to the matching Cisco attribute name and value.


Navigation Path

From the Add and Edit LDAP Attribute Map Dialog Boxes, page F-59, click the Add Row button to add a new mapping, or select a row and click the Edit Row button.

Field Reference

Table F-40 Add and Edit LDAP Attribute Map Value Dialog Boxes

Element Description

Customer Map Name The name of your attribute map that relates to the Cisco map.

Cisco Map Name The Cisco attribute map name you want to map to the customer map name.

Customer to Cisco Map Value table

The mappings of customer names to Cisco names.

• To add a mapping, click the Add Row button to open the Add and Edit Map Value Dialog Boxes, page F-61.

• To edit a mapping, select it and click the Edit Row button.

• To delete a mapping, select it and click the Delete Row button.

Add and Edit Map Value Dialog Boxes

Use the Add and Edit Map Value dialog boxes to map a customer LDAP attribute value to a Cisco map value. Enter the value from your LDAP map that you want to equate with a Cisco value.

Navigation Path

From the Add and Edit LDAP Attribute Map Value Dialog Boxes, page F-60, click the Add Row button to add a new mapping, or select a row and click the Edit Row button.

Add or Edit Class Maps Dialog Boxes

Use the Add and Edit Class Map dialog boxes to define class maps to be used in policy maps of the same type. The name of the dialog box indicates the type of map you are creating.

A class map defines application traffic based on criteria specific to the application. You then select the class map in the corresponding policy map and configure the action to take for the selected traffic. Thus, each class map must contain traffic that you want to handle in the same way (for example, to allow it or to drop it).

You can create class maps for the following purposes:

• Devices running ASA/PIX 7.2 or higher—For inspection using Inspection rules. You can create classes for the inspection of the following types of traffic: DNS, FTP, H.323, HTTP, IM, and SIP.

You can also define class criteria in the related policy map. However, creating class maps allows you to reuse the map in multiple policy maps.

The following topics describe the available match criteria:

– DNS Class and Policy Maps Add or Edit Match Condition (and Action) Dialog Boxes, page F-90

– FTP Class and Policy Maps Add or Edit Match Condition (and Action) Dialog Boxes, page F-97


– H.323 Class and Policy Maps Add or Edit Match Condition (and Action) Dialog Boxes, page F-106

– HTTP Class and Policy Map (ASA 7.2+/PIX 7.2+) Add or Edit Match Condition (and Action) Dialog Boxes, page F-117

– IM Class and Policy Map (ASA 7.2+/PIX 7.2+) Add or Edit Match Condition (and Action) Dialog Boxes, page F-122

– SIP Class and Policy Maps Add or Edit Match Condition (and Action) Dialog Boxes, page F-129

• Devices running Cisco IOS Software 12.4(6)T and higher—For inspection or web filtering using Zone-Based Firewall rules.

– For 12.4(6)T and higher, you can create classes for the inspection of the following types of traffic: H.323, HTTP, IMAP, POP3, SIP, SMTP, and Sun RPC. You can create classes for web filtering using the following class types: Local, N2H2 (SmartFilter), and WebSense. See the following topics for information on the match criteria:

– H.323 (IOS) Class Maps Add or Edit Match Criterion Dialog Boxes, page F-65

– HTTP (IOS) Class Add or Edit Match Criterion Dialog Boxes, page F-65

– IMAP and POP3 Class Maps Add or Edit Match Criterion Dialog Boxes, page F-67

– SIP (IOS) Class Add or Edit Match Criterion Dialog Boxes, page F-68

– SMTP Class Maps Add or Edit Match Criterion Dialog Boxes, page F-69

– Sun RPC Class Maps Add or Edit Match Criterion Dialog Boxes, page F-72

– Local Web Filter Class Add or Edit Match Criterion Dialog Boxes, page F-72

– N2H2 and Websense Class Add or Edit Match Criterion Dialog Boxes, page F-73

– For 12.4(9)T and higher, you can create classes for the inspection of the following types of traffic: AOL, eDonkey, FastTrack, Gnutella, ICQ, Kazaa2, MSN Messenger, Windows Messenger, and Yahoo Messenger. See the following topics for information on the match criteria:

– Zone-Based Firewall IM Application Class Maps Add or Edit Match Condition Dialog Boxes, page F-64

– Zone-Based Firewall P2P Application Class Maps Add or Edit Match Condition Dialog Boxes, page F-64

– For 12.4(20)T and higher, you can create classes for web filtering using the Trend policy object. Match criteria for Trend Content Filter class maps are described in the table below.

Navigation Path

Select Tools > Policy Object Manager, then select any item in the folders in the Maps > Class Maps folder in the table of contents. Right-click inside the work area, then select New Object, or right-click a row, then select Edit Object.

Related Topics

• Understanding Map Objects, page 8-38

• Creating Class Map Objects, page 8-41

• Configuring Maps for Inspection in Zone-Based Firewall Rules Policies, page 8-57

• Configuring Maps for Content Filtering in Zone-Based Firewall Rules Policies, page 8-59


• Understanding Inspection Rules, page 11-33

• Understanding the Zone-based Firewall Rules, page 11-62

Field Reference

Table F-41 Add or Edit Class Maps Dialog Boxes

Element Description

Name The name of the policy object. A maximum of 40 characters is allowed.

Description A description of the policy object. A maximum of 200 characters is allowed.

Match table

Match Type

(Except for Trend Content Filter class maps.)

The Match table lists the criteria included in the class map. Each row indicates whether the inspection is looking for traffic that matches or does not match each criterion and the criterion and value that is inspected.

The name of the table indicates whether every one of the criteria must be met for the traffic to match the class (Match All), or whether matching any of the listed criteria is sufficient (Match Any). For the HTTP (IOS) and SMTP classes, you can choose whether to match all or any. When using a Match All table, if you add more than one criterion, ensure that you are not defining a set of characteristics that no traffic can match.

Tip Match All works for devices running Cisco IOS Software version 12.4(20)T or higher only.

• To add a criterion, click the Add button and fill in the Match Criterion dialog box. For more information, see the topics referenced above.

• To edit a criterion, select it and click the Edit button.

• To delete a criterion, select it and click the Delete button.

Trend Content Filter Match Criteria

The match criteria for Trend Content Filter class maps differ from those of all other class maps. Instead of adding items to a table, you simply select the items you want from a list. Select the Enable checkbox for any of the Trend-Micro classifications on the following tabs. Traffic matches the class if it matches any of your selections.

• Productivity Categories—Matches the traffic to the category to which the URL belongs. For example, you can target traffic associated with gambling or pornography.

• Security Ratings—Matches the traffic to the security rating assigned to it by Trend-Micro. For example, you can target adware, which is traffic associated with advertising.

See the Trend-Micro documentation for specific information on these categories or security classifications.

Category The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6.
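Match All and Match Any evaluation as the Match table row describes it, together with a check for the unsatisfiable Match All set the row warns about, as an added Python example (not Security Manager code). The criterion names, class maps and traffic records are constructed, and treating each criterion as single-valued for a given traffic record is this example's assumption.

```python
"""Match All / Match Any class maps (Table F-41) evaluated against a traffic
record, plus detection of a Match All set that no traffic can satisfy.

Added example, not Security Manager code. Criterion names, class maps and
traffic records are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Criterion:
    name: str             # what is inspected, e.g. "request-method" (constructed)
    value: str            # the value compared against
    negate: bool = False  # True means the row is "Does Not Match"


@dataclass
class ClassMap:
    name: str
    match_all: bool                  # True: Match All table, False: Match Any
    criteria: list[Criterion] = field(default_factory=list)


def criterion_hit(c: Criterion, traffic: dict[str, str]) -> bool:
    """One row of the Match table against one traffic record."""
    equal = traffic.get(c.name) == c.value
    return not equal if c.negate else equal


def matches(cm: ClassMap, traffic: dict[str, str]) -> bool:
    """Match All: every row must hit; Match Any: one hit is enough."""
    if not cm.criteria:
        return False  # an empty class map selects nothing (assumption)
    hits = [criterion_hit(c, traffic) for c in cm.criteria]
    return all(hits) if cm.match_all else any(hits)


def unsatisfiable(cm: ClassMap) -> list[str]:
    """Reasons a Match All class map can never match, treating each criterion
    as single-valued per record (assumption). Empty list means no problem found."""
    if not cm.match_all:
        return []
    problems = []
    by_name: dict[str, list[Criterion]] = {}
    for c in cm.criteria:
        by_name.setdefault(c.name, []).append(c)
    for name, rows in by_name.items():
        positive = {c.value for c in rows if not c.negate}
        negative = {c.value for c in rows if c.negate}
        if len(positive) > 1:
            problems.append(f"{name}: must equal {sorted(positive)} at the same time")
        if positive & negative:
            problems.append(f"{name}: both matches and does not match {sorted(positive & negative)}")
    return problems


# Constructed class maps and traffic records.
DROP_UPLOADS = ClassMap("drop-external-uploads", match_all=True, criteria=[
    Criterion("request-method", "POST"),
    Criterion("host", "intranet.example.com", negate=True),
])
BROKEN = ClassMap("never-matches", match_all=True, criteria=[
    Criterion("request-method", "GET"),
    Criterion("request-method", "POST"),
    Criterion("host", "x.example.com"),
    Criterion("host", "x.example.com", negate=True),
])
ANY_OF = ClassMap("get-or-head", match_all=False, criteria=[
    Criterion("request-method", "GET"),
    Criterion("request-method", "HEAD"),
])
EXTERNAL_POST = {"request-method": "POST", "host": "upload.example.net"}
INTRANET_POST = {"request-method": "POST", "host": "intranet.example.com"}

if __name__ == "__main__":
    for cm in (DROP_UPLOADS, BROKEN, ANY_OF):
        print(cm.name, "external:", matches(cm, EXTERNAL_POST),
              "intranet:", matches(cm, INTRANET_POST), "problems:", unsatisfiable(cm))
```

A class map that unsatisfiable() flags is not harmful by itself, but a policy map that relies on it silently never fires, which is how a drop rule becomes a no-op. The tip above still applies to the device: Match All tables only deploy to Cisco IOS Software 12.4(20)T or higher.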


Zone-Based Firewall IM Application Class Maps Add or Edit Match Condition Dialog Boxes

Use the Add or Edit Match Criterion dialog boxes for the various instant messenger (IM) application classes used with zone-based firewall policies to define a match criterion and value for the class map.

You can match the following types of services:

• Any—Any type of traffic from the application except text chat traffic.

• Text-chat—Text chat traffic.

Navigation Path

From the Add or Edit Class Maps Dialog Boxes, page F-61 for AOL, ICQ, MSN Messenger, Windows Messenger, or Yahoo Messenger classes, right-click inside the table and select Add Row or right-click a row and select Edit Row.

Related Topics

• Understanding Map Objects, page 8-38

• Creating Class Map Objects, page 8-41

• Configuring Maps for Inspection in Zone-Based Firewall Rules Policies, page 8-57

• Understanding the Zone-based Firewall Rules, page 11-62

Zone-Based Firewall P2P Application Class Maps Add or Edit Match Condition Dialog Boxes

Use the Add or Edit Match Criterion dialog boxes for the various peer-to-peer (P2P) application classes used with zone-based firewall policies to define a match criterion and value for the class map.

Navigation Path

From the Add or Edit Class Maps Dialog Boxes, page F-61 for eDonkey, FastTrack, Gnutella, or Kazaa2 classes, right-click inside the table and select Add Row or right-click a row and select Edit Row.

Related Topics

• Understanding Map Objects, page 8-38

• Creating Class Map Objects, page 8-41

• Configuring Maps for Inspection in Zone-Based Firewall Rules Policies, page 8-57

• Understanding the Zone-based Firewall Rules, page 11-62

Allow Value Override per Device, Overrides, Edit button Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden, page 8-10 and Understanding Policy Object Overrides for Individual Devices, page 8-9.

If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.


Field Reference

H.323 (IOS) Class Maps Add or Edit Match Criterion Dialog Boxes

Use the Add or Edit Match Criterion dialog boxes for the H.323 (IOS) class used with zone-based firewall policies to define a match criterion and value for the class map. You can match traffic based on the H.323 protocol message type. Select the message that you want to match.

Navigation Path

From the Add or Edit Class Maps Dialog Boxes, page F-61 for the H.323 (IOS) class, right-click inside the table and select Add Row or right-click a row and select Edit Row.

Related Topics

• Understanding Map Objects, page 8-38

• Creating Class Map Objects, page 8-41

• Configuring Maps for Inspection in Zone-Based Firewall Rules Policies, page 8-57

• Understanding the Zone-based Firewall Rules, page 11-62

HTTP (IOS) Class Add or Edit Match Criterion Dialog Boxes

Use the Add or Edit Match Criterion dialog boxes for the HTTP (IOS) class used with zone-based firewall policies to define a match criterion and value for the class map.

The fields on this dialog box change based on the criterion you select. You can use the following criteria:

• Request/Response Body Length, Request Body Length, Response Body Length—Specifies that the body length of the request, response, or both, is less than or greater than the specified number. This allows you to set a minimum or maximum message length.

• Request/Response Body, Request Body, Response Body—Applies a regular expression to match the body of the request, response, or both.

Table F-42 Zone-Based Firewall P2P Application Class Maps Add or Edit Match Condition Dialog Boxes

Element Description

Criterion Specifies which criterion of traffic to match:

• File Transfer—Matches file transfer traffic.

• Search Filename—Matches the names of files for which the user is searching. You can use this criterion to block users from searching for particular files using eDonkey.

• Text Chat—Matches eDonkey text chat traffic.

Type Specifies that the map includes traffic that matches the criterion.

File Name The name of the file associated with the traffic. You can use regular expressions to specify a name pattern. For information on the metacharacters you can use to build regular expressions, see Metacharacters Used to Build Regular Expressions, page 8-63.

Tip eDonkey does not require a file name.


• Request/Response Header, Request Header, Response Header—You can match a regular expression against the header, test for repeated fields, check the content type, or check the total length or number of records in the header.

• Request/Response Protocol Violation—Matches non-compliant HTTP traffic.

• Request Argument, Request URI—Matches the length or content (with a regular expression) of the argument (parameters) or uniform resource identifier (URI) in a request message.

• Request Port Misuse—Matches the misuse of ports by certain types of applications.

• Response Body Java Applet—Matches Java applets in an HTTP connection.

• Response Header Status Line—Applies a regular expression to match the content of the status line in the header.

Navigation Path

From the Add or Edit Class Maps Dialog Boxes, page F-61 for the HTTP (IOS) class, right-click inside the table and select Add Row or right-click a row and select Edit Row.

Related Topics

• Understanding Map Objects, page 8-38

• Creating Class Map Objects, page 8-41

• Configuring Maps for Inspection in Zone-Based Firewall Rules Policies, page 8-57

• Configuring Maps for Content Filtering in Zone-Based Firewall Rules Policies, page 8-59

• Understanding the Zone-based Firewall Rules, page 11-62

Field Reference

Table F-43 HTTP (IOS) Class Add or Edit Match Criterion Dialog Boxes

Element Description

Criterion Specifies which criterion of HTTP traffic to match. The criteria are described above.

Type Specifies that the map includes traffic that matches the criterion.

Variable Fields

The following fields vary based on what you select in the Criterion field. This list is a super-set of the fields you might see.

Less Than Length The minimum length in bytes of the evaluated field. The criterion matches if the length is less than the specified number.

Greater Than Length The maximum length in bytes of the evaluated field. The criterion matches if the length is greater than the specified number.

Header Option The type of header record. If you do not select a record type, the count or expression is applied to all records in the header. If you select a record type, those selections are applied only to the records of the selected type. If you select content type or transfer encoding, you can make additional selections related to those types.

Request Method The request method you want to match.


IMAP and POP3 Class Maps Add or Edit Match Criterion Dialog Boxes

Use the Add or Edit Match Criterion dialog boxes for the Internet Message Access Protocol (IMAP) and Post Office Protocol 3 (POP3) classes used with zone-based firewall policies to define a match criterion and value for the class map.

Value (Content Type) If you select content-type in the Header Option field, you can select these types:

• Mismatch—Verifies the content-type of the response message against the accept field value of the request message.

• Unknown—The content type is not known. Select Unknown when you want to evaluate the item against all known MIME types.

• Violation—The content-type definition and the content type of the actual body do not match.

Encoding Type If you select transfer encoding in the Header Option field, you can select these types:

• All—All of the transfer encoding types.

• Chunked—The message body is transferred as a series of chunks; each chunk contains its own size indicator.

• Compress—The message body is transferred using UNIX file compression.

• Deflate—The message body is transferred using zlib format (RFC 1950) and deflate compression (RFC 1951).

• GZIP—The message body is transferred using GNU zip (RFC 1952).

• Identity—No transfer encoding is performed.

Greater Than Count The maximum number of records allowed in the header. If you select a specific header option, the count applies to those types of records. If you do not select a specific header option, the count applies to the total number of records in the header without regard to type.

Regular Expression The regular expression object that defines the regular expression you want to use for pattern matching. Enter the name of the object. You can click Select to choose the object from a list of existing ones or to create a new regular expression object.

Port Misuse The type of request port misuse you want to match. Your options are:

• Any—Any of the listed types of misuse.

• IM—Instant messaging protocol applications subject to inspection.

• P2P—Peer-to-peer protocol applications subject to inspection.

• Tunneling—Tunneling applications subject to inspection: HTTPPort/HTTPHost.


You can select the following criteria to identify matching traffic:

• Invalid Command—Matches commands that are not valid on a POP3 server or IMAP connection.

• Login Clear Text—Matches non-secure logins, where the password is being provided in clear text.

Navigation Path

From the Add or Edit Class Maps Dialog Boxes, page F-61 for the IMAP or POP3 classes, right-click inside the table and select Add Row or right-click a row and select Edit Row.

Related Topics

• Understanding Map Objects, page 8-38

• Creating Class Map Objects, page 8-41

• Configuring Maps for Inspection in Zone-Based Firewall Rules Policies, page 8-57

• Understanding the Zone-based Firewall Rules, page 11-62

SIP (IOS) Class Add or Edit Match Criterion Dialog Boxes

Use the Add or Edit Match Criterion dialog boxes for the SIP (IOS) class used with zone-based firewall policies to define a match criterion and value for the class map.

The fields on this dialog box change based on the criterion you select.

Navigation Path

From the Add or Edit Class Maps Dialog Boxes, page F-61 for the SIP (IOS) class, right-click inside the table and select Add Row or right-click a row and select Edit Row.

Related Topics

• Understanding Map Objects, page 8-38

• Creating Class Map Objects, page 8-41

• Configuring Maps for Inspection in Zone-Based Firewall Rules Policies, page 8-57

• Understanding the Zone-based Firewall Rules, page 11-62

Field Reference

Table F-44 SIP (IOS) Class Add or Edit Match Criterion Dialog Boxes

Element Description

Criterion Specifies which criterion of traffic to match. You can select from the following:

• Protocol Violation—Matches traffic that violates the protocol.

• Request/Response Header Options—Matches a regular expression against the selected request or response header field.

• Request Options—Matches the request method or matches a regular expression against the selected request header field.

• Response Options—Matches a regular expression against the selected response header field or status message.

Type Specifies that the map includes traffic that matches the criterion.


SMTP Class Maps Add or Edit Match Criterion Dialog Boxes

Use the Add or Edit Match Criterion dialog boxes for the SMTP classes used with zone-based firewall policies to define a match criterion and value for the class map.

Variable Fields

The following fields vary based on what you select in the Criterion field. This list is a super-set of the fields you might see.

Header The type of header in the request or response message. The regular expression is matched against the content of headers of the selected type.

Method The request method you want to inspect:

• ack—Acknowledges that the previous message is valid and accepted.

• bye—Signifies the intention to terminate a call.

• cancel—Terminates any pending request.

• info—Communicates mid-session signaling information along the signaling path for the call.

• invite—Sets up a call.

• message—Sends an instant message.

• notify—Informs subscribers of state changes.

• options—Queries the capabilities of another user agent or a proxy server.

• prack—Provides reliable transfer of provisional response messages.

• refer—Indicates that the recipient should contact a third party using the contact information provided in the request.

• register—Includes a contact address to which SIP requests for the address-of-record should be forwarded.

• subscribe—Requests notification of an event or set of events at a later time.

• update—Permits a client to update parameters of a session but has no impact on the state of a dialog.

Status The regular expression is matched against the status line in the response.

Regular Expression The regular expression object that defines the regular expression you want to use for pattern matching. Enter the name of the object. You can click Select to choose the object from a list of existing ones or to create a new regular expression object.


Tip Only the Data Length criterion is available for routers running Cisco IOS Software lower than 12.4(20)T.

The fields on this dialog box change based on the criterion you select. You can use the following criteria:

• Data Length—Specifies that the data length of the traffic is greater than the specified number. You can match the data length of the traffic to determine if the data transferred in an SMTP connection exceeds the specified length in bytes. By default, inspection keeps data length below 20.

• Body Regular Expression—Applies a regular expression to match the content types and content encoding types for text and HTML in the body of an e-mail message. Only text or HTML that uses 7-bit or 8-bit encoding is checked. The regular expression cannot be scanned in messages that use another encoding type (such as base64 or zip files).

• Command Line Length—Specifies that the length of the ESMTP command line not be greater than the specified number. Use this to thwart Denial of Service (DoS) attacks.

• Command Verb—Limits inspection to the selected SMTP or ESMTP command. If you configure inspection for SMTP, all commands are inspected unless you limit them.

• Header Length—Specifies that the length of the SMTP header is greater than the specified number. Use this to thwart DoS attacks by limiting the possible size of the header.

• Header Regular Expression—Applies a regular expression to match the content of the header of an e-mail message. For example, you can use this to test for particular patterns in the subject, from, or to fields.

• Mime Content-Type Regular Expression—Applies a regular expression to match the Multipurpose Internet Mail Extensions (MIME) content type of an e-mail attachment. Use this to prevent the transmission of undesired types of attachments.

• Mime Encoding—Specifies the MIME encoding type for e-mail attachments that you want to inspect. You can use this to identify unknown or non-standard encodings to restrict their transmission.

• Recipient Address—Applies a regular expression to match the recipient of an e-mail message in the SMTP RCPT command. Use this to search for a non-existent recipient, which might help you identify the source of spam.

• Recipient Count—Specifies that the number of recipients for an e-mail message cannot be greater than the specified number. Use this to prevent spammers from sending e-mails to a large number of users.

• Recipient Invalid Count—Specifies that the number of invalid recipients for an e-mail message cannot be greater than the specified number. Use this to prevent spammers from sending e-mails to a large number of common names, where they are fishing for real addresses. SMTP typically replies with a “no such address” message when an address is invalid; by putting a limit on the number of invalid addresses, you can prevent these replies to spammers.

• Reply EHLO—Specifies the service extension parameter in an EHLO server reply. Use this to prevent a client from using a particular service extension.

• Sender Address—Applies a regular expression to match the sender of an e-mail message. Use this to block specific senders, such as known spammers, from sending e-mail messages through the device.
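To show what the Command Line Length, Recipient Count, Recipient Invalid Count, Sender Address and Reply EHLO criteria actually measure, here is an added Python inspector (example code written for this page, not code from this guide, Cisco Security Manager or IOS) that walks a constructed SMTP dialogue and reports which criteria the session satisfies. The transcript format, the SmtpStats fields and the function names are assumptions for the example; a real inspection engine sees the two TCP directions rather than labelled lines.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class SmtpStats:
    """What the inspector has seen so far in one SMTP/ESMTP session."""
    max_command_line: int = 0            # longest client command line, in characters
    recipients: int = 0                  # RCPT commands sent by the client
    invalid_recipients: int = 0          # RCPT commands the server rejected with a 5xx reply
    sender: Optional[str] = None         # address taken from MAIL FROM
    ehlo_extensions: Set[str] = field(default_factory=set)  # keywords in the EHLO reply
    verbs: Set[str] = field(default_factory=set)            # command verbs the client used


_ADDR = re.compile(r"<([^>]*)>")


def inspect_session(lines: List[str]) -> SmtpStats:
    """Walk a transcript of 'C: <command>' and 'S: <reply>' lines and collect statistics."""
    st = SmtpStats()
    pending: Optional[str] = None   # last client verb still waiting for its reply
    ehlo_lines = 0                  # 250 lines seen so far in the current EHLO reply
    for raw in lines:
        side, _, text = raw.partition(": ")
        if side == "C":
            st.max_command_line = max(st.max_command_line, len(text))
            verb = text.split(None, 1)[0].upper()
            st.verbs.add(verb)
            if verb == "MAIL":
                found = _ADDR.search(text)
                st.sender = found.group(1) if found else None
            elif verb == "RCPT":
                st.recipients += 1
            pending, ehlo_lines = verb, 0
        elif side == "S":
            code = text[:3]
            if pending == "EHLO" and code == "250":
                # The first 250 line is the server greeting; later ones announce extensions.
                if ehlo_lines > 0:
                    st.ehlo_extensions.add(text[4:].split(None, 1)[0].upper())
                ehlo_lines += 1
            elif pending == "RCPT" and code.startswith("5"):
                st.invalid_recipients += 1    # the "no such address" style reply
    return st


def matched_criteria(st: SmtpStats, *, cmd_line_gt: Optional[int] = None,
                     recipients_gt: Optional[int] = None,
                     invalid_recipients_gt: Optional[int] = None,
                     sender_regex: Optional[str] = None,
                     ehlo_extension: Optional[str] = None) -> List[str]:
    """Names of the SMTP class criteria the session satisfies (Match Any semantics)."""
    hits: List[str] = []
    if cmd_line_gt is not None and st.max_command_line > cmd_line_gt:
        hits.append("Command Line Length")
    if recipients_gt is not None and st.recipients > recipients_gt:
        hits.append("Recipient Count")
    if invalid_recipients_gt is not None and st.invalid_recipients > invalid_recipients_gt:
        hits.append("Recipient Invalid Count")
    if sender_regex is not None and st.sender and re.search(sender_regex, st.sender):
        hits.append("Sender Address")
    if ehlo_extension is not None and ehlo_extension.upper() in st.ehlo_extensions:
        hits.append("Reply EHLO")
    return hits


# Constructed transcript: a sender probing for valid mailboxes (three 550 rejections).
SAMPLE_SESSION = [
    "S: 220 mx.example.test ESMTP",
    "C: EHLO client.example.test",
    "S: 250-mx.example.test",
    "S: 250-SIZE 10485760",
    "S: 250-8BITMIME",
    "S: 250 STARTTLS",
    "C: MAIL FROM:<bulk@spam.example.test>",
    "S: 250 OK",
    "C: RCPT TO:<alice@example.test>",
    "S: 250 OK",
    "C: RCPT TO:<bob@example.test>",
    "S: 550 No such user",
    "C: RCPT TO:<carol@example.test>",
    "S: 550 No such user",
    "C: RCPT TO:<dave@example.test>",
    "S: 550 No such user",
    "C: DATA",
    "S: 354 End data with <CR><LF>.<CR><LF>",
]

if __name__ == "__main__":
    stats = inspect_session(SAMPLE_SESSION)
    print(stats)
    print(matched_criteria(stats, recipients_gt=3, invalid_recipients_gt=2,
                           sender_regex=r"@spam\.", ehlo_extension="STARTTLS"))
```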


Navigation Path

From the Add or Edit Class Maps Dialog Boxes, page F-61 for SMTP classes, right-click inside the table and select Add Row or right-click a row and select Edit Row.

Related Topics

• Understanding Map Objects, page 8-38

• Creating Class Map Objects, page 8-41

• Configuring Maps for Inspection in Zone-Based Firewall Rules Policies, page 8-57

• Understanding the Zone-based Firewall Rules, page 11-62

Field Reference

Table F-45 SMTP Class Add or Edit Match Criterion Dialog Boxes

Element Description

Criterion Specifies which criterion of SMTP traffic to match. The criteria are described above.

Type Specifies that the map includes traffic that matches the criterion.

Variable Fields

The following fields vary based on what you select in the Criterion field. This list is a super-set of the fields you might see.

Greater Than Length The maximum length in bytes of the evaluated field. The criterion matches if the length is greater than the specified number.

Greater Than Count The maximum number of recipients or invalid recipients allowed in the e-mail message. The criterion matches if the number is greater than the specified number.

Verb Option, User Defined Format (For the Command Verb criterion.) The SMTP or ESMTP command that you want to inspect. If you select User Defined, you must enter the text string that corresponds to a word in the body of the e-mail message. The word cannot include spaces or special characters; only alphanumeric characters are allowed.

Service Extension Parameter, User Defined Format (For the Reply EHLO criterion.) The service extension parameter of an EHLO server reply that you want to inspect. Select one of the well-known parameters, or select User Defined to specify a private extension in the User Defined Format field.


Sun RPC Class Maps Add or Edit Match Criterion Dialog Boxes

Use the Add or Edit Match Criterion dialog boxes for the Sun Remote Procedure Call (RPC) classes used with zone-based firewall policies to define a match criterion and value for the class map. You can enter the RPC protocol number that you want to match. See the Sun RPC documentation for information about protocol numbers.

Navigation Path

From the Add or Edit Class Maps Dialog Boxes, page F-61 for Sun RPC classes, right-click inside the table and select Add Row or right-click a row and select Edit Row.

Related Topics

• Understanding Map Objects, page 8-38

• Creating Class Map Objects, page 8-41

• Configuring Maps for Inspection in Zone-Based Firewall Rules Policies, page 8-57

• Understanding the Zone-based Firewall Rules, page 11-62

Local Web Filter Class Add or Edit Match Criterion Dialog Boxes

Use the Add or Edit Match Criterion dialog boxes for the Local web filter class to define a match criterion and value for the class map.

Encoding Format, User Defined Format The MIME encoding format for which you want to test. Encoding types are:

• 7-bit—ASCII encoding.

• 8-bit—Used for the exchange of e-mail messages containing octets outside the 7-bit ASCII range.

• base64—Encodes binary data by treating it numerically and translating it into a base 64 representation.

• quoted-printable—Encoding that uses printable characters to transmit 8-bit data over a 7-bit data path.

• binary—Encodes using only 0 and 1.

• unknown—Encoding type is not known.

• x-uuencode—Nonstandard encoding.

• user defined—An encoding type you define. If you select User Defined, you must enter the text string that defines the encoding type you are looking for.

Regular Expression The regular expression object that defines the regular expression you want to use for pattern matching. Enter the name of the object. You can click Select to choose the object from a list of existing ones or to create a new regular expression object.


Navigation Path

From the Add or Edit Class Maps Dialog Boxes, page F-61 for the Local web filter class, right-click inside the table and select Add Row or right-click a row and select Edit Row.

Related Topics

• Understanding Map Objects, page 8-38

• Creating Class Map Objects, page 8-41

• Configuring Maps for Content Filtering in Zone-Based Firewall Rules Policies, page 8-59

• Understanding the Zone-based Firewall Rules, page 11-62

Field Reference

N2H2 and Websense Class Add or Edit Match Criterion Dialog Boxes

Use the Add or Edit Match Criterion dialog boxes for the N2H2 (SmartFilter) and Websense web filter classes to define a match criterion and value for the class map. The only match criterion available is to match any response from the SmartFilter or Websense server.

Navigation Path

From the Add or Edit Class Maps Dialog Boxes, page F-61 for the N2H2 or Websense web filter class, right-click inside the table and select Add Row or right-click a row and select Edit Row.

Related Topics

• Understanding Map Objects, page 8-38

• Creating Class Map Objects, page 8-41

• Configuring Maps for Content Filtering in Zone-Based Firewall Rules Policies, page 8-59

• Understanding the Zone-based Firewall Rules, page 11-62

Table F-46 Local Web Filter Class Add or Edit Match Criterion Dialog Boxes

Element Description

Criterion Specifies which criterion of traffic to match. You can select from the following:

• Server Domain—Matches traffic based on the name of the server. The URLF Glob parameter map you select should specify server domain names such as *.cisco.com or www.cisco.com.

• URL Keyword—Matches traffic based on keywords in the URLs. A keyword is any complete string that occurs between / characters in a URL. For example, in the URL segment www.cisco.com/en/US, en and US are examples of keywords.

Type Specifies that the map includes traffic that matches the criterion.

URLF Glob Parameter Map The URLF Glob parameter map object that defines the URL patterns that you want to match. Ensure that the object you select has the appropriate content for the type of matching you selected.

Enter the name of the object. You can click Select to choose the object from a list of existing ones or to create a new object.


Add or Edit Inspect Parameter Map Dialog Boxes

Use the Add and Edit Inspect Parameter Map dialog boxes to define a parameter map for inspection for zone-based firewall policies on routers. If you configure the action of a zone-based firewall policy rule as Inspect or Content Filter, you can select an inspect parameter map to define connection, timeout, and other settings for the inspection action. If you do not select an inspect parameter map for a zone-based firewall rule, the system uses default values for these settings.

Navigation Path

Select Tools > Policy Object Manager, then select Maps > Parameter Maps > Inspect > Inspect Parameters in the table of contents. Right-click inside the work area and select New Object, or right-click a row and select Edit Object.

Related Topics

• Understanding Map Objects, page 8-38

• Configuring Maps for Inspection in Zone-Based Firewall Rules Policies, page 8-57

• Configuring Maps for Content Filtering in Zone-Based Firewall Rules Policies, page 8-59

• Understanding the Zone-based Firewall Rules, page 11-62

Field Reference

Table F-47 Add or Edit Inspect Parameter Map Dialog Boxes

Element Description

Name The name of the policy object. A maximum of 40 characters is allowed.

Description A description of the policy object. A maximum of 200 characters is allowed.

DNS Timeout The length of time, in seconds, for which a DNS lookup session is managed while there is no activity.

ICMP Timeout The length of time, in seconds, for which an inactive ICMP (Internet Control Message Protocol) session is maintained.

Max Incomplete Low, Max Incomplete High The number of existing half-open sessions that will cause the software to start (at the high threshold) and stop (at the low threshold) deleting half-open sessions.

Ensure that you enter a lower number in the Low field than you enter in the High field, for example, 400 and 500. The default is unlimited half-open sessions.

One Minute Low, One Minute High The number of new unestablished sessions that causes the system to start and stop deleting half-open sessions. Ensure that you enter a lower number in the Low field than you enter in the High field. The default is unlimited.

Max Sessions The maximum number of inspection sessions on a zone pair, for example, 200. The default is unlimited.

TCP FINWAIT Timeout How long to maintain TCP session state information after the firewall detects a FIN-exchange, in seconds. The FIN-exchange occurs when the TCP session is ready to close.


TCP SYNWAIT Timeout How long to wait for a TCP session to reach the established state before dropping the session, in seconds.

TCP Idle Timeout How long to maintain a TCP session while there is no activity in the session, in seconds.

TCP Max Incomplete Hosts, TCP Max Incomplete Block Time The threshold and blocking time (in minutes) for TCP host-specific denial-of-service (DoS) detection and prevention.

The maximum incomplete hosts is the number of half-open TCP sessions with the same host destination address that can simultaneously exist before the software starts deleting half-open sessions to that host. An unusually high number of half-open sessions with the same destination host address could indicate that a DoS attack is being launched against the host.

When the threshold is exceeded, half-open sessions are dropped based on the maximum incomplete block time:

• If the block time is 0, the software deletes the oldest existing half-open session for the host for every new connection request to the host. This ensures that the number of half-open sessions to a given host never exceeds the threshold.

• If the block time is greater than 0, the software deletes all existing half-open sessions for the host and then blocks all new connection requests to the host. The software continues to block all new connection requests until the block time expires.

The software sends syslog messages whenever the specified threshold is exceeded and when blocking of connection initiations to a host starts or ends.
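The two block-time behaviours above, as an added simulation in Python (example code written for this page, not code from this guide or from Cisco IOS): a per-destination half-open session limiter that, on a request beyond the threshold, either deletes the oldest half-open session (block time 0) or deletes them all and refuses new requests until the block time elapses, recording a log line where the software would send a syslog message. The class and method names, the minute-based clock supplied by the caller, the reading of "exceeded" as "the threshold number of half-open sessions already exists and one more arrives", and the destination address 10.0.0.5 are assumptions for the example.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, List


class HalfOpenHostLimiter:
    """Per-destination-host half-open TCP session limiter. Time is passed in by
    the caller, in minutes, so the behaviour can be exercised without a clock."""

    def __init__(self, max_incomplete_hosts: int, block_time_min: int) -> None:
        self.threshold = max_incomplete_hosts
        self.block_time = block_time_min
        # destination host -> half-open session ids, oldest first
        self.half_open: Dict[str, Deque[str]] = defaultdict(deque)
        self.blocked_until: Dict[str, float] = {}   # destination host -> minute the block expires
        self.log: List[str] = []                    # stand-in for the syslog messages

    def half_open_count(self, dest: str) -> int:
        return len(self.half_open[dest])

    def connection_request(self, session_id: str, dest: str, now_min: float) -> bool:
        """A new SYN to dest at time now_min. Returns True if the session is admitted
        and tracked as half-open, False if the request is dropped."""
        expires = self.blocked_until.get(dest)
        if expires is not None:
            if now_min < expires:
                return False                        # still inside the block time
            del self.blocked_until[dest]
            self.log.append(f"blocking of connection initiations to {dest} ended at {now_min}")
        queue = self.half_open[dest]
        # Exceeded: the threshold number of half-open sessions already exists and
        # one more is being requested.
        if len(queue) >= self.threshold:
            self.log.append(f"half-open threshold {self.threshold} exceeded for {dest} at {now_min}")
            if self.block_time == 0:
                queue.popleft()                     # delete the oldest half-open session, admit the new one
            else:
                queue.clear()                       # delete every half-open session to the host...
                self.blocked_until[dest] = now_min + self.block_time
                self.log.append(f"blocking of connection initiations to {dest} started at {now_min}")
                return False                        # ...and refuse new requests until the block expires
        queue.append(session_id)
        return True

    def established(self, session_id: str, dest: str) -> None:
        """The three-way handshake completed, so the session is no longer half-open."""
        try:
            self.half_open[dest].remove(session_id)
        except ValueError:
            pass                                    # already deleted by the limiter


def simulate(block_time_min: int) -> List[bool]:
    """Constructed burst: six SYNs to one host, one per minute, with a threshold of 3.
    Returns whether each request was admitted."""
    limiter = HalfOpenHostLimiter(max_incomplete_hosts=3, block_time_min=block_time_min)
    return [limiter.connection_request(f"s{i}", "10.0.0.5", now_min=i) for i in range(6)]


if __name__ == "__main__":
    print("block time 0:", simulate(0))   # every request admitted, oldest half-open dropped
    print("block time 5:", simulate(5))   # fourth request trips the block, rest refused
```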

UDP Idle Timeout How long to maintain a UDP session while there is no activity in the session, in seconds.

When the software detects a valid UDP packet, the software establishes state information for a new UDP session. Because UDP is a connectionless service, there are no actual sessions, so the software approximates sessions by examining the information in the packet and determining if the packet is similar to other UDP packets (for example, it has similar source or destination addresses) and if the packet was detected soon after another similar UDP packet.

If the software detects no UDP packets for the UDP session for the period of time defined by the UDP idle timeout, the software will not continue to manage state information for the session.

Enable Alert Whether to generate stateful packet inspection alert messages on the console.

Enable Audit Trail Whether audit trail messages are logged to the syslog server or router.

Category The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6.


Add or Edit Protocol Info Parameter Map Dialog Boxes

Use the Add and Edit Protocol Info Parameter Map dialog boxes to define a parameter map for the inspection of Instant Messaging (IM) applications or the Stun-ice protocol for zone-based firewall policies on routers. If you configure the action of a zone-based firewall policy rule as Inspect, you must select a protocol info parameter map when you configure any of these applications: AOL, ICQ, MSN Messenger, Windows Messenger, Yahoo Messenger, Stun-ice. The protocol info parameter map defines the DNS servers that interact with these applications, which helps the instant messenger application engine to recognize the instant messenger traffic and to enforce the configured policy for that instant messenger application.

Navigation Path

Select Tools > Policy Object Manager, then select Maps > Parameter Maps > Inspect > Protocol Info Parameters in the table of contents. Right-click inside the work area and select New Object, or right-click a row and select Edit Object.

Related Topics

• Understanding Map Objects, page 8-38

• Configuring Maps for Inspection in Zone-Based Firewall Rules Policies, page 8-57

• Understanding the Zone-based Firewall Rules, page 11-62

Field Reference

Allow Value Override per Device

Overrides

Edit button

Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden, page 8-10 and Understanding Policy Object Overrides for Individual Devices, page 8-9.

If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.


Table F-48 Add or Edit Protocol Info Parameter Map Dialog Boxes

Element Description

Name The name of the policy object. A maximum of 40 characters is allowed.

Description A description of the policy object. A maximum of 200 characters is allowed.

DNS Server Table The DNS servers for which traffic will be permitted (and inspected) or denied.

• To add servers, click the Add button and fill in the Add Server dialog box (see Add or Edit DNS Server for Protocol Info Parameters Dialog Box, page F-77).

• To edit a server, select it and click the Edit button.

• To delete a server, select it and click the Delete button.


Add or Edit DNS Server for Protocol Info Parameters Dialog Box

Use the Add or Edit DNS Server dialog box to identify DNS servers for which traffic will be permitted (and inspected) or denied. These servers are defined in a Protocol Info parameter map for use with the inspection of protocols that require them in a zone-based firewall policy.

You can identify a server using any of these types:

• Server Name—The name of the DNS server. You can use an asterisk (*) as a wildcard character to match one or more characters. For example, if you want to identify all DNS servers on the cisco.com domain, you can specify *.cisco.com.

• IP Address—The IP address of a single DNS server.

• IP Address Range—A range of IP addresses identifying any DNS server within the start and end addresses.

Navigation Path

From the Add or Edit Protocol Info Parameter Map Dialog Boxes, click the Add button beneath the server table, or select a server and click the Edit button.

Add or Edit Local Web Filter Parameter Map Dialog Boxes

Use the Add and Edit Local Parameter Map dialog boxes to define a parameter map for local web filtering for zone-based firewall policies on routers. If you configure the action of a zone-based firewall policy rule as Content Filter, you can select a Web Filter policy map that incorporates a Local web filter parameter map (when you select Local for the parameter type on the Parameter tab). For more information about Web Filter policy maps, see Add and Edit Web Filter Map Dialog Boxes, page F-136.

Navigation Path

Select Tools > Policy Object Manager, then select Maps > Parameter Maps > Web Filter > Local in the table of contents. Right-click inside the work area and select New Object, or right-click a row and select Edit Object.

Related Topics

• Understanding Map Objects, page 8-38

• Configuring Maps for Content Filtering in Zone-Based Firewall Rules Policies, page 8-59

• Understanding the Zone-based Firewall Rules, page 11-62

Category The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6.

Allow Value Override per Device

Overrides

Edit button

Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden, page 8-10 and Understanding Policy Object Overrides for Individual Devices, page 8-9.

If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.


Field Reference

Add or Edit N2H2 or WebSense Parameter Map Dialog Boxes

Use the Add and Edit N2H2 or Websense Parameter Map dialog boxes to define a parameter map for SmartFilter (N2H2) or Websense web filtering for zone-based firewall policies on routers. If you configure the action of a zone-based firewall policy rule as Content Filter, you can select a Web Filter policy map that incorporates an N2H2 or Websense web filter parameter map (when you select N2H2 or Websense for the parameter type on the Parameter tab). For more information about Web Filter policy maps, see Add and Edit Web Filter Map Dialog Boxes, page F-136.

Navigation Path

Select Tools > Policy Object Manager, then select N2H2 or WebSense from the Maps > Parameter Maps > Web Filter folder in the table of contents. Right-click inside the work area and select New Object, or right-click a row and select Edit Object.

Table F-49 Add or Edit Local Web Filter Parameter Map Dialog Boxes

Element Description

Name The name of the policy object. A maximum of 40 characters is allowed.

Description A description of the policy object. A maximum of 200 characters is allowed.

Enable Alert Whether to generate stateful packet inspection alert messages on the console.

Enable Allow Mode Whether to allow or block URL requests when the URL filtering process does not have connectivity to a URL filtering database. When allow mode is on, all unmatched URL requests are allowed; when off, all unmatched URL requests are blocked. Allow mode is therefore a fail-open setting: for as long as the filtering server or database is unreachable, users browse without any filtering. Leave it off where blocking matters more than availability.

Block Page The web page you want to present to the user if the user attempts to access a page that you block. You can select from the following:

• None—The user is not presented with any information.

• Message—The user is presented with the text message you enter in the edit box.

• Redirect URL—The user is redirected to the URL you enter in the edit box.

Category The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6.

Allow Value Override per Device

Overrides

Edit button

Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden, page 8-10 and Understanding Policy Object Overrides for Individual Devices, page 8-9.

If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.


Related Topics

• Understanding Map Objects, page 8-38

• Configuring Maps for Content Filtering in Zone-Based Firewall Rules Policies, page 8-59

• Understanding the Zone-based Firewall Rules, page 11-62

Field Reference

Table F-50 Add or Edit N2H2 or WebSense Parameter Map Dialog Boxes

Element Description

Name The name of the policy object. A maximum of 40 characters is allowed.

Description A description of the policy object. A maximum of 200 characters is allowed.

URL Filtering Server Table The list of URL filtering servers and their attributes.

• To add servers, click the Add button and fill in the Add External Filter dialog box (see Add or Edit External Filter Dialog Box, page F-80).

• To edit a server, select it and click the Edit button.

• To delete a server, select it and click the Delete button.

Enable Alert Whether to generate stateful packet inspection alert messages on the console.

Enable Allow Mode Whether to allow or block URL requests when the URL filtering process does not have connectivity to a URL filtering database. When allow-mode is on, all unmatched URL requests are allowed; when off, all unmatched URL requests are blocked.

Block Page The web page you want to present to the user if the user attempts to access a page that you block. You can select from the following:

• None—The user is not presented with any information.

• Message—The user is presented with the text message you enter in the edit box.

• Redirect URL—The user is redirected to the URL you enter in the edit box.

Source Interface The interface whose IP address should be used as the source IP address when a TCP connection is established between the system and the URL filtering server.

Maximum Cache Entries The maximum number of entries to store in the categorization cache. The default is 5000.

Cache Life Time How long, in hours, an entry remains in the cache table. The default is 24.

Maximum Requests The maximum number of pending requests. The range is from 1 to 2147483647. The default is 1000.

Maximum Responses The maximum number of HTTP responses that can be buffered. The range is from 0 to 20000. The default is 200.


Add or Edit External Filter Dialog Box

Use the Add or Edit External Filter dialog box to add a URL filtering server to an N2H2, Websense, or URL Filter parameter map policy object.

Navigation Path

Click the Add button beneath the server table, or select a server and click the Edit button, from any of the following dialog boxes:

• Add or Edit N2H2 or WebSense Parameter Map Dialog Boxes, page F-78

• Add or Edit URL Filter Parameter Map Dialog Boxes, page F-82

Field Reference

Truncate Hostname

Truncate Script Parameters

Whether to truncate the URLs:

• If you do not select an option, URLs are not truncated.

• If you select Hostname, URLs are truncated at the end of the domain name.

• If you select Script Parameters, URLs are truncated at the left-most question mark in the URL.

Tip Although you can select both options, doing so is redundant: truncating at the hostname already discards everything after the domain name, including any script parameters.

Enable Server Log Whether to send information about HTTP requests to the URL filtering server’s log server. The information includes the URL, the hostname, the source IP address, and the destination IP address.

Category The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6.

Allow Value Override per Device

Overrides

Edit button

Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden, page 8-10 and Understanding Policy Object Overrides for Individual Devices, page 8-9.

If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.


Table F-51 Add or Edit External Filter Dialog Box

Element Description

Server The fully-qualified domain name or IP address of the URL filtering server.

Port The port that is listening for requests.

Retransmission Count The number of times the router retransmits the lookup request when a response is not received from the server. The range is from 1 to 10.

Timeout The number of seconds that the router waits for a response from the server. The range is from 1 to 300.


Add or Edit Trend Parameter Map Dialog Boxes

Use the Add and Edit Trend Parameter Map dialog boxes to define a parameter map for Trend Micro web filtering for zone-based firewall policies on routers. If you configure the action of a zone-based firewall policy rule as Content Filter, you can select a Web Filter policy map that incorporates a Trend web filter parameter map (when you select Trend for the parameter type on the Parameter tab). For more information about Web Filter policy maps, see Add and Edit Web Filter Map Dialog Boxes, page F-136.

Navigation Path

Select Tools > Policy Object Manager, then select Maps > Parameter Maps > Web Filter > Trend in the table of contents. Right-click inside the work area and select New Object, or right-click a row and select Edit Object.

Related Topics

• Understanding Map Objects, page 8-38

• Configuring Maps for Content Filtering in Zone-Based Firewall Rules Policies, page 8-59

• Understanding the Zone-based Firewall Rules, page 11-62

Field Reference

Outside Whether the server is outside the network.


Table F-52 Add or Edit Trend Parameter Map Dialog Boxes

Element Description

Name The name of the policy object. A maximum of 40 characters is allowed.

Description A description of the policy object. A maximum of 200 characters is allowed.

Enable Allow Mode Whether to allow or block URL requests when the URL filtering process does not have connectivity to a URL filtering database. When allow-mode is on, all unmatched URL requests are allowed; when off, all unmatched URL requests are blocked.

Block Page The web page you want to present to the user if the user attempts to access a page that you block. You can select from the following:

• None—The user is not presented with any information.

• Message—The user is presented with the text message you enter in the edit box.

• Redirect URL—The user is redirected to the URL you enter in the edit box.

Maximum Requests The maximum number of pending requests. The range is from 1 to 2147483647. The default is 1000.

Maximum Responses The maximum number of HTTP responses that can be buffered. The range is from 0 to 20000. The default is 200.


Add or Edit URL Filter Parameter Map Dialog Boxes

Use the Add and Edit URL Filter Parameter Map dialog boxes to define the parameters and match criterion and values for an inspection map used in a zone-based firewall policy for a router.

If you configure the action of a zone-based firewall policy rule as Content Filter, you can select a URL Filter parameter map to define web filtering parameters and match criteria. However, if the router is running Cisco IOS Software release 12.4(20)T or higher, the recommended approach is to configure a Web Filter policy map along with parameter and class maps for the appropriate server type (local, N2H2, Trend, or Websense). For more information, see Add and Edit Web Filter Map Dialog Boxes, page F-136.

Navigation Path

Select Tools > Policy Object Manager, then select Maps > Parameter Maps > Web Filter > URL Filter in the table of contents. Right-click inside the work area and select New Object, or right-click a row and select Edit Object.

Related Topics

• Understanding Map Objects, page 8-38

• Configuring Maps for Content Filtering in Zone-Based Firewall Rules Policies, page 8-59

• Understanding the Zone-based Firewall Rules, page 11-62

Field Reference

Truncate Hostname Whether to truncate URLs at the end of the domain name.

Category The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6.

Allow Value Override per Device

Overrides

Edit button

Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden, page 8-10 and Understanding Policy Object Overrides for Individual Devices, page 8-9.

If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.


Table F-53 Add or Edit URL Filter Parameter Map Dialog Boxes

Element Description

Name The name of the policy object. A maximum of 40 characters is allowed.

Description A description of the policy object. A maximum of 200 characters is allowed.


Local Filtering Tab

The fields on this tab define the properties for local URL filtering.

Whitelisted and Blacklisted Domains tables

These tables define the domain names for which the software will not contact the external URL filtering server. Domain names on the whitelist are always allowed. Domain names on the blacklist are always blocked. Use these lists to identify entire domains that you want to allow without restriction (such as your company’s web site) or block completely (such as pornography sites).

Domain names can be complete (including the host name, such as www.cisco.com), or partial (such as cisco.com). For partial names, all web site hosts on that domain are either permitted or denied. You can also enter host IP addresses.

• To add a domain name, click the Add button and fill in the Add Server dialog box (see Add or Edit URL Domain Name Dialog Box for URL Filter Parameters, page F-84).

• To edit a domain name, select it and click the Edit button.

• To delete a domain name, select it and click the Delete button.

Enable Alert Whether to generate stateful packet inspection alert messages on the console.

Enable Audit Trail Whether to log URL information to the syslog server or router.

Enable Allow Mode Whether to allow or block URL requests when the URL filtering process does not have connectivity to a URL filtering database. When allow-mode is on, all unmatched URL requests are allowed; when off, all unmatched URL requests are blocked.

External Filtering Tab

The fields on this tab define the properties for an external URL filtering server.

Server Type

Server Table

The type of external URL filtering server you are configuring, either SmartFilter (N2H2) or Websense.

• To add servers, click the Add button and fill in the Add External Filter dialog box (see Add or Edit External Filter Dialog Box, page F-80).

• To edit a server, select it and click the Edit button.

• To delete a server, select it and click the Delete button.

Source Interface The interface whose IP address should be used as the source IP address when a TCP connection is established between the system and the URL filtering server.

Maximum Cache Entries The maximum number of entries to store in the categorization cache. The default is 5000.

Maximum Requests The maximum number of pending requests. The range is from 1 to 2147483647. The default is 1000.

Maximum Responses The maximum number of HTTP responses that can be buffered. The range is from 0 to 20000. The default is 200.


Add or Edit URL Domain Name Dialog Box for URL Filter Parameters

Use the Add URL Domain Name dialog box to add web site domain names to the whitelisted (allowed) or blacklisted (not allowed) lists.

Domain names can be complete (including the host name, such as www.cisco.com), or partial (such as cisco.com). For partial names, all web site hosts on that domain are either permitted or denied. You can also enter host IP addresses.

Navigation Path

From the Add or Edit URL Filter Parameter Map Dialog Boxes, click the Add button beneath the whitelist or blacklist tables, or select a name and click the Edit button.

Add or Edit URLF Glob Parameter Map Dialog Boxes

Use the Add and Edit URLF Glob Parameter Map dialog boxes to define a parameter map for the inspection of URLs in a Local web filter class map.

A single URLF Glob should contain only segments of URLs that you want to block or allow. Your goal is to create class maps of whitelisted (allowed) or blacklisted (blocked) URLs. You can then define Local web filter policy maps to allow or block the identified URLs.

Truncate Hostname

Truncate Script Parameters

Whether to truncate the URLs:

• If you do not select an option, URLs are not truncated.

• If you select Hostname, URLs are truncated at the end of the domain name.

• If you select Script Parameters, URLs are truncated at the left-most question mark in the URL.

Do not select any truncate options for devices running software releases lower than 12.4(15)T or you will receive a validation error.

Tip Although you can select both options, doing so is redundant: truncating at the hostname already discards everything after the domain name, including any script parameters.

Enable Server Log Whether to send information about HTTP requests to the URL filtering server’s log server. The information includes the URL, the hostname, the source IP address, and the destination IP address.

Additional Fields

Category The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6.

Allow Value Override per Device

Overrides

Edit button

Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden, page 8-10 and Understanding Policy Object Overrides for Individual Devices, page 8-9.

If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.


A single URLF Glob must also be limited to one of these types of URL segments:

• Strings that appear in the server name of a URL, which includes the name of the server and the domain name of the network. For example, www.cisco.com.

• Strings that appear in URL keywords, which are the strings that appear between / characters in a URL, or which are the file names. For example, in the URL segment www.cisco.com/en/US/, both en and US are keywords. The file name in a URL, such as index.html, is also considered a keyword.

You cannot use the characters /, {, }, and ? in a URLF glob.

To match a server name or URL keyword, the string in the URL must match exactly the string included in the URLF glob unless you use wildcard metacharacters to specify a variable string pattern. You can use the following metacharacters for pattern matching for either server names or URL keywords:

• * (Asterisk). Matches any sequence of zero or more characters. For example, *.edu matches all servers in the education domain, and you could use hack* to block www.example.com/hacksite/123.html.

• [abc] (Character class). Matches any character in the brackets. The character matching is case sensitive. For example, [abc] matches a, b, or c, but not A, B, or C. Thus, you could use www.[ey]xample.com to block both www.example.com and www.yxample.com.

• [a-c] (Character range class). Matches any character in the range. The character matching is case sensitive. [a-z] matches any lowercase letter. You can mix characters and ranges; for example, [abcq-z] matches a, b, c, q, r, s, t, u, v, w, x, y, z, and so does [a-cq-z]. The dash (-) character is literal only if it is the last or the first character within the brackets, [abc-] or [-abc].

• [0-9] (Numerical range class). Matches any single digit in the range. For example, [0-9] matches 0, 1, 2, 3, 4, 5, 6, 7, 8, or 9. Thus, you can use www.example[0-9][0-9].com to block www.example01.com, www.example33.com, and www.example99.com (and so forth).
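The following matcher, added here as an illustration and not Cisco or Security Manager code, implements the URLF glob rules above: the *, [abc], [a-c] and [0-9] metacharacters, case-sensitive matching, the ban on /, {, } and ?, and the distinction between matching a server name and matching the keywords between / characters. It compiles a glob into a Python regular expression; the URLs it is run against are constructed test data, and the hostname is taken from the URL as Python's urlsplit reports it (lowercased).

```python
"""URLF glob matcher (added example, not Cisco code)."""
import re
from urllib.parse import urlsplit

FORBIDDEN = set("/{}?")   # characters the text says may not appear in a URLF glob


def compile_urlf_glob(glob):
    """Translate one URLF glob into a compiled regex that must match the whole string."""
    if any(ch in FORBIDDEN for ch in glob):
        raise ValueError(f"characters / {{ }} ? are not allowed in a URLF glob: {glob!r}")
    out = []
    i = 0
    while i < len(glob):
        ch = glob[i]
        if ch == "*":
            out.append(".*")                      # any sequence of zero or more characters
        elif ch == "[":
            j = glob.find("]", i + 1)
            if j == -1 or j == i + 1:
                raise ValueError(f"empty or unterminated character class in {glob!r}")
            body = glob[i + 1:j]
            # Python classes share the URLF semantics: '-' is a range except at either end.
            # Escape the few characters that would change meaning inside a regex class.
            body = body.replace("\\", "\\\\").replace("]", "\\]")
            if body.startswith("^"):
                body = "\\" + body                # a leading ^ is a literal, not negation
            out.append(f"[{body}]")
            i = j
        else:
            out.append(re.escape(ch))             # everything else is literal
        i += 1
    return re.compile("".join(out))               # no IGNORECASE: matching is case sensitive


def url_keywords(url):
    """The strings between / characters in the path, including the file name."""
    return [seg for seg in urlsplit(url).path.split("/") if seg]


def glob_matches_url(glob, url, kind):
    """kind is 'server' (match the host name) or 'keyword' (match any path segment)."""
    pattern = compile_urlf_glob(glob)
    if kind == "server":
        return pattern.fullmatch(urlsplit(url).hostname or "") is not None
    if kind == "keyword":
        return any(pattern.fullmatch(k) for k in url_keywords(url))
    raise ValueError("kind must be 'server' or 'keyword'")


if __name__ == "__main__":
    # Constructed URLs exercising each example from the text.
    checks = [
        ("*.edu", "http://www.mit.edu/", "server"),
        ("hack*", "http://www.example.com/hacksite/123.html", "keyword"),
        ("www.[ey]xample.com", "http://www.yxample.com/index.html", "server"),
        ("www.example[0-9][0-9].com", "http://www.example33.com", "server"),
        ("hack*", "http://www.cisco.com/en/US/index.html", "keyword"),
    ]
    for glob, url, kind in checks:
        print(f"{glob!r:32} {kind:8} {url:48} -> {glob_matches_url(glob, url, kind)}")
```

A practical consequence of the exact-match rule is visible in the last check: a keyword glob like hack* only blocks a URL when one whole path segment begins with that string, so a server-name glob and a keyword glob for the same site must go in separate URLF Glob objects.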

Navigation Path

Select Tools > Policy Object Manager, then select Maps > Parameter Maps > Web Filter > URLF Glob Parameters in the table of contents. Right-click inside the work area and select New Object, or right-click a row and select Edit Object.

Related Topics

• Understanding Map Objects, page 8-38

• Local Web Filter Class Add or Edit Match Criterion Dialog Boxes, page F-72

• Configuring Maps for Content Filtering in Zone-Based Firewall Rules Policies, page 8-59

• Understanding the Zone-based Firewall Rules, page 11-62

Field Reference

Table F-54 Add or Edit URLF Glob Parameter Map Dialog Boxes

Element Description

Name The name of the policy object. A maximum of 40 characters is allowed.

Description A description of the policy object. A maximum of 200 characters is allowed.


Add or Edit DCE/RPC Dialog Boxes

Use the Add or Edit DCE/RPC Map dialog boxes to define a map for DCE/RPC inspection.

Navigation Path

Select Tools > Policy Object Manager, then select Maps > Policy Maps > Inspect > DCE/RPC from the Object Type selector. Right-click inside the work area, then select New Object or right-click a row and select Edit Object.

Related Topics

• Understanding Map Objects, page 8-38

• Creating DCE/RPC Map Objects, page 8-42

Field Reference

Value The server domains or keywords for the URLs you are targeting. Enter only one type of glob: either all server domains, or all URL keywords, but not a mixture of both.

If you include more than one entry, separate the entries with new lines. For example, the following entries identify all government or education web servers:

*.gov
*.edu

Category The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6.

Allow Value Override per Device

Overrides

Edit button

Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden, page 8-10 and Understanding Policy Object Overrides for Individual Devices, page 8-9.

If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.


Table F-55 Add and Edit DCE/RPC Dialog Boxes

Element Description

Name The name of the policy object. A maximum of 40 characters is allowed.

Description A description of the policy object. A maximum of 200 characters is allowed.

Pinhole Timeout The timeout for DCE/RPC pinholes. The default is 2 minutes (00:02:00). Valid values are between 00:00:01 and 1193:00:00.


Add and Edit DNS Map Dialog Boxes

Use the Add and Edit DNS Map dialog boxes to define DNS Maps for inspection.

Navigation Path

Select Tools > Policy Object Manager, then select Maps > Policy Maps > Inspect > DNS from the Object Type selector. Right-click inside the work area, then select New Object or right-click a row and select Edit Object.

Related Topics

• Understanding Map Objects, page 8-38

• Creating DNS Map Objects, page 8-43

• Creating Class Map Objects, page 8-41

Field Reference

Enforce Endpoint Mapper Service

Whether to enforce the endpoint mapper service during binding. Using this service, a client queries a server, called the Endpoint Mapper, for the dynamically allocated network information of a required service.

Enable Endpoint Mapper Service Lookup

Service Lookup Timeout

Whether to enable the lookup operation of the endpoint mapper service. If you select this option, you can enter the time out for the lookup operation. If you do not specify a timeout, the pinhole timeout or default pinhole timeout value is used. Valid values are between 00:00:01 and 1193:00:00.

Category The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6.

Allow Value Override per Device

Overrides

Edit button

Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden, page 8-10 and Understanding Policy Object Overrides for Individual Devices, page 8-9.

If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.

Table F-55 Add and Edit DCE/RPC Dialog Boxes (Continued)

Element Description

Table F-56 Add and Edit DNS Map Dialog Boxes

Element Description

Name The name of the policy object. A maximum of 40 characters is allowed.

Description A description of the policy object. A maximum of 200 characters is allowed.

F-87User Guide for Cisco Security Manager 3.3

OL-19983-01

Page 88: €¦ · F-1 User Guide for Cisco Security Manager 3.3 OL-19983-01 APPENDIX F Policy Object Manager User Interface Reference The Policy Object Manager is used to create and glob ally

Appendix F Policy Object Manager User Interface ReferencePolicy Object Add or Edit Dialog Boxes

DNS Map Protocol Conformance Tab

Use the Protocol Conformance tab to define DNS security settings and actions for a DNS map.

Navigation Path

Click the Protocol Conformance tab on the Add and Edit DNS Map Dialog Boxes.

Related Topics

• Understanding Map Objects, page 8-38

• Creating DNS Map Objects, page 8-43

Protocol Conformance Tab

Defines DNS security settings and actions. For a description of the options on this tab, see DNS Map Protocol Conformance Tab, page F-88.

Filtering Tab

Defines the filtering settings for DNS. For a description of the options on this tab, see DNS Map Filtering Tab, page F-89.

Mismatch Rate Tab

The Log When DNS ID Mismatch Rate Exceeds option determines whether you want to report excessive instances of DNS identifier mismatches based on the following criteria:

• Threshold—The maximum number of mismatch instances before a system message log is sent. Values are 0 to 4294967295.

• Time Interval—The time period to monitor (in seconds). Values are 1 to 31536000.

Match Condition and Action Tab

The Match All table lists the criteria included in the policy map. Each row indicates whether the inspection is looking for traffic that matches or does not match each criterion, the criterion and value that is inspected, and the action to be taken for traffic that satisfies the conditions.

• To add a criterion, click the Add button and fill in the Match Condition and Action dialog box (see DNS Class and Policy Maps Add or Edit Match Condition (and Action) Dialog Boxes, page F-90).

• To edit a criterion, select it and click the Edit button.

• To delete a criterion, select it and click the Delete button.

Category The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6.

Allow Value Override per Device

Overrides

Edit button

Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden, page 8-10 and Understanding Policy Object Overrides for Individual Devices, page 8-9.

If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.

Table F-56 Add and Edit DNS Map Dialog Boxes (Continued)

Element Description

Field Reference

Table F-57 DNS Map Protocol Conformance Tab

Enable DNS Guard Function
Whether to perform a DNS query and response mismatch check using the identification field in the DNS header. Only one response per query is allowed through the security appliance; further responses carrying the same identifier are dropped.

Generate Syslog for ID Mismatch
Whether to create syslog entries for excessive instances of DNS identifier mismatches. The threshold and time interval that define "excessive" are set on the Mismatch Rate tab (see Table F-56).

Randomize the DNS Identifier for DNS Query
Whether to randomize the DNS identifier in the DNS query message, so that a predictable identifier chosen by the client cannot be guessed by a third party.

Enable NAT Rewrite Function
Whether to enable IP address translation in the A record of the DNS response.

Enable Protocol Enforcement
Whether to enable DNS message format checks, including domain name, label length, compression, and looped pointer checks.

Require Authentication Between DNS Servers (RFC 2845)
Action
Whether to require TSIG authentication between DNS servers as defined in RFC 2845. If you select this option, select the action to take when a message carries no authentication.

DNS Map Filtering Tab

Use the Filtering tab to define DNS filtering settings and actions for a DNS map.

Navigation Path

Click the Filtering tab on the Add and Edit DNS Map Dialog Boxes.

Related Topics

• Understanding Map Objects, page 8-38
• Creating DNS Map Objects, page 8-43

Field Reference

Table F-58 DNS Map Filtering Tab

Drop Packets that Exceed Specified Length
Maximum Packet Length
Whether to drop packets that exceed the maximum length in bytes that you specify. This is a global setting, applied regardless of direction.

Drop Packets Sent to Server that Exceed Specified Maximum Length
Maximum Length
Whether to drop packets sent to the server that exceed the maximum length in bytes that you specify.

Drop Packets Sent to Server that Exceed Length Indicated by Resource Record
Whether to drop packets sent to the server that exceed the length indicated by the resource record (the UDP payload size advertised in the message's EDNS0 OPT record).

Drop Packets Sent to Client that Exceed Specified Length
Maximum Length
Whether to drop packets sent to a client that exceed the maximum length in bytes that you specify.

Drop Packets Sent to Client that Exceed Length Indicated by Resource Record
Whether to drop packets sent to the client that exceed the length indicated by the resource record.

DNS Class and Policy Maps Add or Edit Match Condition (and Action) Dialog Boxes

Use the Add or Edit DNS Match Criterion (for DNS class maps) or Match Condition and Action (for DNS policy maps) dialog boxes to do the following:
• Define the match criterion and value for a DNS class map.
• Select a DNS class map when creating a DNS policy map.
• Define the match criterion, value, and action directly in a DNS policy map.

The fields on this dialog box change based on the criterion you select and whether you are creating a class map or a policy map.

Navigation Path

When creating a DNS class map, in the Policy Object Manager, from the Add or Edit Class Maps Dialog Boxes, page F-61 for DNS, right-click inside the table, then select Add Row, or right-click a row, then select Edit Row.

When creating a DNS policy map, in the Policy Object Manager, from the Match Condition and Action tab on the Add and Edit DNS Map Dialog Boxes, page F-87, right-click inside the table, then select Add Row, or right-click a row, then select Edit Row.

Related Topics

• Understanding Map Objects, page 8-38
• Creating Class Map Objects, page 8-41
• Creating DNS Map Objects, page 8-43

Field Reference

Table F-59 DNS Class and Policy Maps Add and Edit Match Condition and Action Dialog Boxes

Match Type
Class Name
(Policy Map only)
Enables you to use an existing DNS class map or define a new DNS class map.
• Use Specified Values—You want to define the class map on this dialog box.
• Use Values in Class Map—You want to select an existing DNS class map policy object. Enter the name of the DNS class map in the Class Name field. Click Select to select the map from a list or to create a new class map object.

Criterion
Specifies which criterion of traffic to match:
• DNS Class—Matches a DNS query or resource record class.
• DNS Type—Matches a DNS query or resource record type.
• Domain Name—Matches a domain name from a DNS query or resource record.
• Header Flag—Matches a DNS flag in the header.
• Question—Matches a DNS question.
• Resource Record—Matches a DNS resource record.

Type
Specifies whether the map includes traffic that matches or does not match the criterion. For example, if Doesn't Match is selected on the string "example.com," then any traffic that contains "example.com" is excluded from the map.
• Matches—Matches the criterion.
• Doesn't Match—Does not match the criterion.

Action
(Policy Map only)
The action you want the device to take for traffic that matches the defined criteria.

Variable Fields
The following fields vary based on what you select in the Criterion field. This list is a superset of the fields you might see.

Value
(for DNS Class criterion)
The DNS class you want to inspect:
• Internet—Matches the Internet (IN) DNS class.
• DNS Class Field Value—Matches the specified number.
• DNS Class Field Range—Matches the specified range of numbers.

Value
(for DNS Type criterion)
The DNS type you want to inspect:
• DNS Type Field Name—Matches the name of a DNS type:
– A—IPv4 address.
– AXFR—Full (zone) transfer.
– CNAME—Canonical name.
– IXFR—Incremental (zone) transfer.
– NS—Authoritative name server.
– SOA—Start of a zone of authority.
– TSIG—Transaction signature.
• DNS Type Field Value—Matches the specified number.
• DNS Type Field Range—Matches the specified range of numbers.

Value
(for Domain Name criterion)
The regular expression you want to evaluate. You can select one of the following:
• Regular Expression—The regular expression object that defines the regular expression you want to use for pattern matching. Enter the name of the object. You can click Select to choose the object from a list of existing ones or to create a new regular expression object.
• Regular Expression Group—The regular expression group object that defines the regular expression you want to use for pattern matching. Enter the name of the object. You can click Select to choose the object from a list of existing ones or to create a new regular expression group object.

Options
Value
(for Header Flag criterion)
The header flag you want to inspect. Use the Options field to indicate whether you want an exact match (Equals) or a partial match (Contains).
• Header Flag Name—Matches the selected header flag names:
– AA (authoritative answer)
– QR (query/response; set on responses)
– RA (recursion available)
– RD (recursion desired)
– TC (truncation)
• Header Flag Value—Matches the specified 16-bit hexadecimal value.

Resource Record
Lists the sections to match:
• Additional—DNS additional resource record.
• Answer—DNS answer resource record.
• Authority—DNS authority resource record.

Add or Edit ESMTP Map Dialog Boxes

Use the Add and Edit ESMTP Map dialog boxes to define the match criterion and values for the ESMTP inspect map.

Navigation Path

Select Tools > Policy Object Manager, then select Maps > Policy Maps > Inspect > ESMTP from the Object Type selector. Right-click inside the table, then select New Object, or right-click a row and select Edit Object.

Related Topics

• Understanding Map Objects, page 8-38
• Creating ESMTP Map Objects, page 8-44
• Editing Objects, page 8-6

Field Reference

Table F-60 Add and Edit ESMTP Map Dialog Boxes

Name
The name of the policy object. A maximum of 40 characters is allowed.

Description
A description of the policy object. A maximum of 200 characters is allowed.

Parameters tab

Mask Server Banner
Whether to mask the server banner to prevent the client from discovering server information.

Configure Mail Relay
Domain Name
Action
Whether to have ESMTP inspection detect mail relay. When you select this option, enter the domain name you are inspecting and select the action you want to take when mail relay is detected.

Special Character (ASA 7.2.3+/PIX 7.2.3+)
Action
Whether to detect special characters in sender or receiver email addresses. If you select this option, select the action to take when special characters are detected.

Allow TLS (ASA 7.2.3+, 8.0.3+/PIX 7.2.3)
Action Log
Whether to allow ESMTP sessions to switch to TLS (the STARTTLS command) through the security appliance. Once a session has switched to TLS its content is encrypted, so the remaining checks in this map cannot be applied to it. If you select this option, you can also select Action Log to create a log entry when TLS is detected.

Match Condition and Action Tab
The Match All table lists the criteria included in the policy map. Each row indicates whether the inspection is looking for traffic that matches or does not match each criterion, the criterion and value that is inspected, and the action to be taken for traffic that satisfies the conditions.
• To add a criterion, click the Add button and fill in the Match Condition and Action dialog box (see ESMTP Policy Maps Add or Edit Match Condition and Action Dialog Boxes, page F-94).
• To edit a criterion, select it and click the Edit button.
• To delete a criterion, select it and click the Delete button.

Category
The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6.

Allow Value Override per Device
Overrides
Edit button
Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden, page 8-10 and Understanding Policy Object Overrides for Individual Devices, page 8-9.
If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.

ESMTP Policy Maps Add or Edit Match Condition and Action Dialog Boxes

Use the Add or Edit Match Condition and Action dialog boxes to define the match criterion, value, and action for an ESMTP policy map.

The fields on this dialog box change based on the criterion you select. You can use the following criteria:
• Body Length—Matches the message body length.
• Body Line Length—Matches the length of a line in the message body.
• Commands—Matches ESMTP commands.
• Command Recipient Count—Matches the number of recipient email addresses.
• Command Line Length—Matches the number of characters of a command line.
• EHLO Reply Parameters—Matches the ESMTP EHLO reply parameters.
• Header Length—Matches the number of characters of the header.
• Header Line Length—Matches the number of characters of a line in the message header.
• To Recipients Count—Matches the number of recipients in the To field of the header.
• Invalid Recipients Count—Matches the number of invalid recipients in the header.
• MIME File Type—Matches the MIME file type.
• MIME Filename Length—Matches the number of characters of the filename.
• MIME Encoding—Matches the MIME encoding scheme.
• Sender Address—Matches the address of the sender.
• Sender Address Length—Matches the number of characters of the sender's address.

Navigation Path

In the Policy Object Manager, from the Match Condition and Action tab on the Add or Edit ESMTP Map Dialog Boxes, page F-92, right-click inside the table, then select Add Row, or right-click a row, then select Edit Row.

Related Topics

• Understanding Map Objects, page 8-38
• Creating ESMTP Map Objects, page 8-44

Field Reference

Table F-61 ESMTP Policy Maps Add and Edit Match Condition and Action Dialog Boxes

Criterion
Specifies which criterion of ESMTP traffic to match. The criteria are described above.

Type
Specifies whether the map includes traffic that matches or does not match the criterion. For example, if Doesn't Match is selected on the string "example.com," then any traffic that contains "example.com" is excluded from the map.
• Matches—Matches the criterion.
• Doesn't Match—Does not match the criterion.

Action
The action you want the device to take for traffic that matches the defined criteria.

Variable Fields
The following fields vary based on what you select in the Criterion field. This list is a superset of the fields you might see.

Greater Than Length
The length in bytes of the evaluated field. The criterion matches only if the length is greater than the specified number; otherwise it does not match.
The dialog box indicates the valid range for the length, except for Body Length and Header Length, which can be 1 to 4294967295.

Commands
The ESMTP command verbs you want to inspect.

Greater Than Count
The number of evaluated items. The criterion matches only if the count is greater than the specified number; otherwise it does not match.

Parameters
The ESMTP EHLO reply parameters you want to inspect.

Value
The regular expression you want to evaluate. You can select one of the following:
• Regular Expression—The regular expression object that defines the regular expression you want to use for pattern matching. Enter the name of the object. You can click Select to choose the object from a list of existing ones or to create a new regular expression object.
• Regular Expression Group—The regular expression group object that defines the regular expression you want to use for pattern matching. Enter the name of the object. You can click Select to choose the object from a list of existing ones or to create a new regular expression group object.

MIME Encoding
The MIME encoding schemes you want to inspect.

Add and Edit FTP Map Dialog Boxes

Use the Add and Edit FTP Map dialog boxes to define the match criterion and values for an FTP inspect map. You can use an FTP map to block specific FTP protocol methods, such as an FTP PUT, from passing through the security appliance and reaching your FTP server. Security Manager uses the ftp-map command to configure the map on the device.

Navigation Path

Select Tools > Policy Object Manager, then select Maps > Policy Maps > Inspect > FTP from the Object Type selector. Right-click inside the table, then select New Object, or right-click a row, then select Edit Object.

Related Topics

• Understanding Map Objects, page 8-38
• Creating FTP Map Objects, page 8-45
• Editing Objects, page 8-6

Field Reference

Table F-62 Add and Edit FTP Map Dialog Boxes

Name
The name of the policy object. A maximum of 40 characters is allowed.

Description
A description of the policy object. A maximum of 200 characters is allowed.

Parameters tab

Mask Greeting Banner from Server
Whether to mask the greeting banner from the FTP server to prevent the client from discovering server information.

Mask Reply to SYST Command
Whether to mask the reply to the SYST command to prevent the client from discovering the server's operating system.

Match Condition and Action Tab
The Match All table lists the criteria included in the policy map. Each row indicates whether the inspection is looking for traffic that matches or does not match each criterion, the criterion and value that is inspected, and the action to be taken for traffic that satisfies the conditions.
• To add a criterion, click the Add button and fill in the Match Condition and Action dialog box (see FTP Class and Policy Maps Add or Edit Match Condition (and Action) Dialog Boxes, page F-97).
• To edit a criterion, select it and click the Edit button.
• To delete a criterion, select it and click the Delete button.

Category
The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6.

Allow Value Override per Device
Overrides
Edit button
Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden, page 8-10 and Understanding Policy Object Overrides for Individual Devices, page 8-9.
If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.

Validate For
Validate button
The device platforms for which to validate the object. Select the platform for which you intend to use this object and click Validate to determine whether the object is configured in a way that will prevent policy deployment.

FTP Class and Policy Maps Add or Edit Match Condition (and Action) Dialog Boxes

Use the Add or Edit FTP Match Criterion (for FTP class maps) or Match Condition and Action (for FTP policy maps) dialog boxes to do the following:
• Define the match criterion and value for an FTP class map.
• Select an FTP class map when creating an FTP policy map.
• Define the match criterion, value, and action directly in an FTP policy map.

The fields on this dialog box change based on the criterion you select and whether you are creating a class map or a policy map.

Navigation Path

When creating an FTP class map, in the Policy Object Manager, from the Add or Edit Class Maps Dialog Boxes, page F-61 for FTP, right-click inside the table, then select Add Row, or right-click a row, then select Edit Row.

When creating an FTP policy map, in the Policy Object Manager, from the Match Condition and Action tab on the Add and Edit FTP Map Dialog Boxes, right-click inside the table, then select Add Row, or right-click a row, then select Edit Row.

Related Topics

• Understanding Map Objects, page 8-38
• Creating Class Map Objects, page 8-41
• Creating FTP Map Objects, page 8-45

Field Reference

Table F-63 FTP Class and Policy Maps Add and Edit Match Condition and Action Dialog Boxes

Match Type
Class Name
(Policy Map only)
Enables you to use an existing FTP class map or define a new FTP class map.
• Use Specified Values—You want to define the class map on this dialog box.
• Use Values in Class Map—You want to select an existing FTP class map policy object. Enter the name of the FTP class map in the Class Name field. Click Select to select the map from a list or to create a new class map object.

Criterion
Specifies which criterion of FTP traffic to match:
• Request Command—Matches an FTP request command.
• Filename—Matches a filename for FTP transfer.
• File Type—Matches a file type for FTP transfer.
• Server—Matches an FTP server name.
• Username—Matches an FTP username.

Type
Specifies whether the map includes traffic that matches or does not match the criterion. For example, if Doesn't Match is selected on the string "example.com," then any traffic that contains "example.com" is excluded from the map.
• Matches—Matches the criterion.
• Doesn't Match—Does not match the criterion.

Action
(Policy Map only)
The action you want the device to take for traffic that matches the defined criteria.

Variable Fields
The following fields vary based on what you select in the Criterion field. This list is a superset of the fields you might see.

Request Commands
The FTP commands you want to inspect:
• Append (APPE)—Appends to a file.
• Delete (DELE)—Deletes a file at the server site.
• Help (HELP)—Provides help information from the server.
• Put (PUT)—FTP client command for the STOR (store a file) command.
• Rename From (RNFR)—Specifies the rename-from filename.
• Server Specific Command (SITE)—Specifies commands that are server specific. Usually used for remote administration.
• Change to Parent (CDUP)—Changes to the parent directory of the current working directory.
• Get (GET)—FTP client command for the RETR (retrieve a file) command.
• Create Directory (MKD)—Creates a directory.
• Remove Directory (RMD)—Removes a directory.
• Rename To (RNTO)—Specifies the rename-to filename.
• Store File with Unique Name (STOU)—Stores a file with a unique filename.

Value
The regular expression you want to evaluate. You can select one of the following:
• Regular Expression—The regular expression object that defines the regular expression you want to use for pattern matching. Enter the name of the object. You can click Select to choose the object from a list of existing ones or to create a new regular expression object.
• Regular Expression Group—The regular expression group object that defines the regular expression you want to use for pattern matching. Enter the name of the object. You can click Select to choose the object from a list of existing ones or to create a new regular expression group object.
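The DNS map settings described earlier in this section are easier to reason about against real messages: DNS Guard and ID-mismatch logging (Table F-57), the message-length limits (Table F-58), and the Header Flag criterion with its Equals and Contains options (Table F-59). The following Python is an added example, not Security Manager or ASA code. It parses the DNS header, evaluates a Header Flag criterion (the Equals/Contains semantics, exact 16-bit match versus bit-mask match, are this example's assumption about what the dialog options mean), applies the per-direction length limits, and models DNS Guard together with the Mismatch Rate tab's threshold and interval. The function names, the sample exchange and the 10.0.0.5 and 192.0.2.53 addresses are constructed for the example.

```python
"""Added example, not Security Manager or ASA code: a small model of the
checks that a DNS inspect map exposes, run over constructed messages."""
import struct
from collections import deque

# Well-known header flag bits (RFC 1035), as named in the Header Flag criterion.
FLAG_BITS = {"QR": 0x8000, "AA": 0x0400, "TC": 0x0200, "RD": 0x0100, "RA": 0x0080}


def parse_header(msg):
    """Unpack the fixed 12-byte DNS header: (id, flags, qdcount, ancount, nscount, arcount)."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    return struct.unpack("!6H", msg[:12])


def header_flag_match(flags, wanted, equals=False):
    """Header Flag criterion. `wanted` is a 16-bit value or a list of flag names.
    Assumed mapping of the dialog options: Equals requires the flags word to be
    exactly the wanted value; Contains requires every wanted bit to be set and
    ignores the rest."""
    if not isinstance(wanted, int):
        wanted = sum(FLAG_BITS[name] for name in wanted)
    return flags == wanted if equals else (flags & wanted) == wanted


def length_violation(msg, to_server, max_global=None, max_client=None, max_server=None):
    """Filtering tab limits: the global maximum applies in both directions, the
    client/server maxima only to packets heading that way. Returns the name of
    the first limit exceeded, or None."""
    size = len(msg)
    if max_global is not None and size > max_global:
        return "global"
    if to_server and max_server is not None and size > max_server:
        return "server"
    if not to_server and max_client is not None and size > max_client:
        return "client"
    return None


class DnsGuard:
    """DNS Guard plus the Mismatch Rate tab: one response is allowed per
    outstanding query ID; any other response is treated as an ID mismatch and
    dropped, and a log entry is produced when more than `threshold` mismatches
    occur within `interval` seconds."""

    def __init__(self, threshold, interval):
        self.threshold, self.interval = threshold, interval
        self.pending = {}           # (client, server, id) -> time the query was seen
        self.mismatches = deque()   # timestamps of recent mismatches
        self.logs = []

    def handle(self, msg, client, server, now):
        ident, flags = parse_header(msg)[:2]
        key = (client, server, ident)
        if not flags & FLAG_BITS["QR"]:        # query: remember its ID
            self.pending[key] = now
            return "pass"
        if self.pending.pop(key, None) is not None:
            return "pass"                     # first response for that query
        self._record_mismatch(now)            # duplicate or unsolicited response
        return "drop"

    def _record_mismatch(self, now):
        self.mismatches.append(now)
        while now - self.mismatches[0] > self.interval:
            self.mismatches.popleft()
        if len(self.mismatches) > self.threshold:
            self.logs.append(f"t={now}: DNS ID mismatch rate exceeded "
                             f"({len(self.mismatches)} in {self.interval}s)")
            self.mismatches.clear()           # one log entry per burst


def build_message(ident, flags, qname="example.com"):
    """Constructed wire-format message: header plus one A/IN question."""
    labels = b"".join(bytes([len(p)]) + p.encode() for p in qname.split("."))
    return struct.pack("!6H", ident, flags, 1, 0, 0, 0) + labels + b"\x00" + struct.pack("!HH", 1, 1)


def demo():
    """A legitimate query/response, a replayed response, then three responses
    whose IDs match no query (the pattern that forged-response floods leave)."""
    guard = DnsGuard(threshold=2, interval=3)
    client, server = "10.0.0.5", "192.0.2.53"   # constructed addresses
    query = build_message(0x1234, 0x0100)        # RD set
    reply = build_message(0x1234, 0x8180)        # QR, RD, RA set
    verdicts = [guard.handle(query, client, server, 0.0),
                guard.handle(reply, client, server, 0.1),
                guard.handle(reply, client, server, 0.2)]
    for i, ident in enumerate((0x0001, 0x0002, 0x0003)):
        verdicts.append(guard.handle(build_message(ident, 0x8180), client, server, 0.3 + i / 10))
    return verdicts, guard.logs


if __name__ == "__main__":
    print(demo())
```

Running the block prints the verdict for each of the six messages (the query and its first response pass, everything after that is dropped) and a single log line once the third mismatch lands inside the 3-second interval, which is the behaviour the Threshold and Time Interval fields on the Mismatch Rate tab describe.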

F-98User Guide for Cisco Security Manager 3.3

OL-19983-01

Page 99: €¦ · F-1 User Guide for Cisco Security Manager 3.3 OL-19983-01 APPENDIX F Policy Object Manager User Interface Reference The Policy Object Manager is used to create and glob ally

Appendix F Policy Object Manager User Interface ReferencePolicy Object Add or Edit Dialog Boxes

Add and Edit GTP Map Dialog Boxes Use the Add and Edit GTP Map dialog boxes to define the match criterion and values for a GTP inspect map.

Navigation Path

Select Tools > Policy Object Manager, then select Maps > Policy Maps > Inspect > GTP from the Object Type selector. Right-click inside the work area, then select New Object, or right-click a row and select Edit Object.

Related Topics

• Understanding Map Objects, page 8-38

• Creating GTP Map Objects, page 8-46

Field Reference

Table F-64 Add and Edit GTP Map Dialog Boxes

Element Description

Name The name of the policy object. A maximum of 40 characters is allowed.

Description A description of the policy object. A maximum of 200 characters is allowed.

Parameters tab

Country and Network Codes Table

The three-digit Mobile Country Code (mcc) and Mobile Network Code (mnc) to include in the map. The codes are 000 to 999.

• To add codes, click the Add button and fill in the dialog box.

• To edit a row, select it and click the Edit button.

• To delete a row, select it and click the Delete button.

Permit Response Table The Network/Host policy objects for which you will allow GTP responses from a GSN that is different from the one to which the response was sent.

• To add objects, click the Add button and fill in the dialog box. For more information, see Add and Edit Permit Response Dialog Boxes, page F-100.

• To edit a row, select it and click the Edit button.

• To delete a row, select it and click the Delete button.

Request Queue The maximum requests allowed in the queue. When the limit has been reached and a new request arrives, the request that has been in the queue for the longest time is removed. Values are 1-9999999. The default is 200.

Tunnel Limit The maximum number of tunnels allowed.

Permit Errors Whether to permit packets with errors or different GTP versions. By default, all invalid packets or packets that failed during parsing are dropped.

F-99User Guide for Cisco Security Manager 3.3

OL-19983-01

Page 100: €¦ · F-1 User Guide for Cisco Security Manager 3.3 OL-19983-01 APPENDIX F Policy Object Manager User Interface Reference The Policy Object Manager is used to create and glob ally

Appendix F Policy Object Manager User Interface ReferencePolicy Object Add or Edit Dialog Boxes

Table F-64 Add and Edit GTP Map Dialog Boxes (Continued)

Element Description

Edit Timeouts button Click this button to configure timeout values for various operations. For more information about the options, see GTP Map Timeouts Dialog Box, page F-101.

Match Condition and Action Tab

The Match All table lists the criteria included in the policy map. Each row indicates whether the inspection is looking for traffic that matches or does not match each criterion, the criterion and value that are inspected, and the action to be taken for traffic that satisfies the conditions.

• To add a criterion, click the Add button and fill in the Match Condition and Action dialog box (see GTP Policy Maps Add or Edit Match Condition and Action Dialog Boxes, page F-101).

• To edit a criterion, select it and click the Edit button.

• To delete a criterion, select it and click the Delete button.

Category The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6.

Allow Value Override per Device

Overrides

Edit button

Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden, page 8-10 and Understanding Policy Object Overrides for Individual Devices, page 8-9.

If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.

Validate For

Validate button

The device platforms for which to validate the object. Select the platform for which you intend to use this object and click Validate to determine if the object is configured in a way that will prevent policy deployment.

Add and Edit Country Network Codes Dialog Boxes

Use the Add and Edit Country Network Codes dialog boxes to add Mobile Country Code (MCC) and Mobile Network Code (MNC) values to the GTP policy map. The codes can be 000 to 999.

Navigation Path

From the Add and Edit GTP Map Dialog Boxes, click the Add button in the Country and Network Codes table, or select a row and click the Edit button.

Add and Edit Permit Response Dialog Boxes

Use the Add and Edit Permit Response dialog boxes to permit GTP responses from a GSN that is different from the one to which the response was sent.

Enter the name of a Network/Host policy object that defines the destination (To Object Group) and source (From Object Group) of the traffic. You can click Select to select the object from a list, where you can also create a new object by clicking the Create button in the Object Selector dialog box.

You cannot use the Network/Host object named “any.”


Navigation Path

From the Add and Edit GTP Map Dialog Boxes, click the Add button in the Permit Response table, or select a row and click the Edit button.

GTP Map Timeouts Dialog Box

Use the GTP Map Timeouts dialog box to set timeout values for a GTP Map.

Navigation Path

From the Add and Edit GTP Map Dialog Boxes, click the Edit Timeouts button on the Parameters tab.

Field Reference

GTP Policy Maps Add or Edit Match Condition and Action Dialog Boxes

Use the Add or Edit Match Condition and Action dialog boxes to define the match criterion, value, and action for a GTP policy map.

The fields on this dialog box change based on the criterion you select.

Navigation Path

In the Policy Object Manager, from the Match Condition and Action tab on the Add and Edit GTP Map Dialog Boxes, page F-99, right-click inside the table, then select Add Row or right-click a row, then select Edit Row.

Related Topics

• Understanding Map Objects, page 8-38

• Creating GTP Map Objects, page 8-46

Table F-65 GTP Map Timeouts Dialog Box

Element Description

GSN Timeout The period of inactivity (hh:mm:ss) after which a GSN is removed. The default is 30 minutes. Enter 0 to never remove the GSN.

PDP Context Timeout The maximum period of time allowed (hh:mm:ss) before beginning to receive the PDP context. The default is 30 minutes. Enter 0 to specify no limit.

Request Queue Timeout The maximum period of time allowed (hh:mm:ss) before beginning to receive the GTP message. The default is 60 seconds. Enter 0 to specify no limit.

Signaling Connections Timeout

The period of inactivity (hh:mm:ss) after which the GTP signaling is removed. The default is 30 minutes. Enter 0 to not remove the signal.

Tunnel Timeout The period of inactivity (hh:mm:ss) after which the GTP tunnel is torn down. The default is 60 seconds (when a Delete PDP Context Request is not received). Enter 0 to never tear down the tunnel.

T3 Response Timeout The maximum wait time for a response before removing the connection.


Field Reference

Table F-66 GTP Policy Maps Add and Edit Match Condition and Action Dialog Boxes

Element Description

Criterion Specifies which criterion of GTP traffic to match:

• Access Point Name—Matches the access point name so you can define the access points to drop when GTP application inspection is enabled.

• Message ID—Matches the numeric identifier for the message that you want to drop. By default, all valid message IDs are allowed.

• Message Length—Matches the length of the UDP packet. Use this criterion to change the default for the maximum allowed message length for the UDP payload.

• Version—Matches the GTP version.

Type Specifies whether the map includes traffic that matches or does not match the criterion. For example, if Doesn’t Match is selected on the string “example.com,” then any traffic that contains “example.com” is excluded from the map.

• Matches—Matches the criterion.

• Doesn’t Match—Does not match the criterion.

Action The action you want the device to take for traffic that matches the defined criteria.

• Drop Packet—By default, all invalid packets or packets that failed during parsing are dropped.

• Drop Packet and Log

• Rate Limit

Variable Fields

The following fields vary based on what you select in the Criterion field. This list is a super-set of the fields you might see.

Access Point Name The access points to act on when GTP application inspection is enabled.

• Specified By—An access point name to be dropped. By default, all messages with valid APNs are inspected, and any APN is allowed.

• Regular Expression—The regular expression object that defines the regular expression you want to use for pattern matching. Enter the name of the object. You can click Select to choose the object from a list of existing ones or to create a new regular expression object.

• Regular Expression Group—The regular expression group object that defines the regular expression you want to use for pattern matching. Enter the name of the object. You can click Select to choose the object from a list of existing ones or to create a new regular expression group object.


Table F-66 GTP Policy Maps Add and Edit Match Condition and Action Dialog Boxes (Continued)

Element Description

ID Type The numeric identifier of the message that you want to act on.

• Value—A single message ID.

• Range—A range of message IDs.

Minimum Length The minimum number of bytes in the UDP payload.

Maximum Length The maximum number of bytes in the UDP payload.

Version Type The GTP version as a single value or range of values.

Use 0 to identify Version 0 and 1 to identify Version 1. Version 0 of GTP uses port 2123, while Version 1 uses port 3386. By default all GTP versions are allowed.

Add and Edit H.323 Map Dialog Boxes

Use the Add and Edit H.323 Map dialog boxes to define the match criterion and values for an H.323 inspect map.

Navigation Path

Select Tools > Policy Object Manager, then select Maps > Policy Maps > Inspect > H.323 (ASA/PIX/FWSM) from the Object Type selector. Right-click inside the work area, then select New Object, or right-click a row and select Edit Object.

Related Topics

• Understanding Map Objects, page 8-38

• Creating H.323 Map Objects, page 8-47

Field Reference

Table F-67 Add and Edit H.323 Map Dialog Boxes

Element Description

Name The name of the policy object. A maximum of 40 characters is allowed.

Description A description of the policy object. A maximum of 200 characters is allowed.

Parameters tab

HSI Group table The HSI groups to include in the map. The group number, IP address of the HSI host, and IP addresses and interface names of the clients connected to the security appliance are shown in the table. Up to five HSI hosts per group, and up to ten end points per HSI group, are allowed.

• To add a group, click the Add button and fill in the dialog box (see Add or Edit HSI Group Dialog Boxes, page F-104).

• To edit a group, select it and click the Edit button.

• To delete a group, select it and click the Delete button.
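The match rows of the GTP policy map described in Table F-66 (criterion, Matches / Doesn't Match type, value fields and action), as an added example that is not part of the original guide and not Security Manager's or the ASA's code; the class and function names, the first-applicable-row ordering, the allow-by-default fallback and the constructed policy map are assumptions of this model.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added, illustrative model of how the rows of a GTP policy map are evaluated.
# Not Security Manager's or the device's code: names, the "first applicable row
# wins" ordering and the "allow" default are modelling assumptions.

ACTIONS = ("Drop Packet", "Drop Packet and Log", "Rate Limit")


@dataclass
class GtpMessage:
    """Constructed summary of one GTP message as inspection would see it."""
    version: int               # 0 or 1
    message_id: int            # numeric GTP message type
    udp_length: int            # length of the UDP payload in bytes
    apn: Optional[str] = None  # access point name, if the message carries one


@dataclass
class MatchRow:
    criterion: str          # "Access Point Name", "Message ID", "Message Length", "Version"
    action: str             # one of ACTIONS
    matches: bool = True    # True = Matches, False = Doesn't Match
    regex: Optional[str] = None                    # Access Point Name: regular expression
    value_range: Optional[Tuple[int, int]] = None  # ID / Length / Version: (low, high)

    def __post_init__(self) -> None:
        if self.action not in ACTIONS:
            raise ValueError(f"unknown action: {self.action}")

    def condition_holds(self, msg: GtpMessage) -> bool:
        """Raw criterion test, before the Matches / Doesn't Match type is applied."""
        if self.criterion == "Access Point Name":
            return re.search(self.regex, msg.apn or "") is not None
        low, high = self.value_range
        value = {"Message ID": msg.message_id,
                 "Message Length": msg.udp_length,
                 "Version": msg.version}[self.criterion]
        return low <= value <= high

    def applies(self, msg: GtpMessage) -> bool:
        """A 'Doesn't Match' row applies exactly when the raw condition is false.
        Assumption: an APN row is skipped for messages that carry no APN."""
        if self.criterion == "Access Point Name" and msg.apn is None:
            return False
        return self.condition_holds(msg) == self.matches


def evaluate(rows: List[MatchRow], msg: GtpMessage) -> str:
    """Return the action of the first applicable row, or 'allow' when none applies
    (the guide notes that valid message IDs, APNs and versions are allowed by default)."""
    for row in rows:
        if row.applies(msg):
            return row.action
    return "allow"


# Constructed policy map: only the expected APN is tolerated, GTP version 0 is
# dropped, messages outside 0..1500 bytes are dropped, and message ID 16
# (Create PDP Context Request in GTPv1) is rate limited.
EXAMPLE_MAP = [
    MatchRow("Access Point Name", "Drop Packet and Log", matches=False,
             regex=r"^corp\.example\.mnc001\.mcc001\.gprs$"),
    MatchRow("Version", "Drop Packet", value_range=(0, 0)),
    MatchRow("Message Length", "Drop Packet", matches=False, value_range=(0, 1500)),
    MatchRow("Message ID", "Rate Limit", value_range=(16, 16)),
]

if __name__ == "__main__":
    sample = GtpMessage(version=1, message_id=16, udp_length=200,
                        apn="corp.example.mnc001.mcc001.gprs")
    print(evaluate(EXAMPLE_MAP, sample))  # Rate Limit
```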


Table F-67 Add and Edit H.323 Map Dialog Boxes (Continued)

Element Description

Call Duration Limit The call duration limit in seconds. The range is from 0:0:0 to 1163:0:0. A value of 0 means no timeout.

Enforce Presence of Calling and Called Party Numbers

Whether to enforce calling and called party numbers used in call setup.

Check State Transition on H.225 Messages

Whether to enable state checking validation on H.225 messages.

Check State Transition on RAS Messages

Whether to enable state checking validation on RAS messages.

Check for H.245 Tunneling

Action

Whether to enforce H.245 tunnel blocking and perform the action you select in the Action list box.

Check RTP Packets for Protocol Conformance

Whether to check RTP packets flowing through the pinholes for protocol conformance.

Payload Type must be Audio or Video based on Signaling Exchange

Whether to enforce the payload type to be audio or video based on the signaling exchange.

Match Condition and Action Tab

The Match All table lists the criteria included in the policy map. Each row indicates whether the inspection is looking for traffic that matches or does not match each criterion, the criterion and value that are inspected, and the action to be taken for traffic that satisfies the conditions.

• To add a criterion, click the Add button and fill in the Match Condition and Action dialog box (see H.323 Class and Policy Maps Add or Edit Match Condition (and Action) Dialog Boxes, page F-106).

• To edit a criterion, select it and click the Edit button.

• To delete a criterion, select it and click the Delete button.

Category The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6.

Allow Value Override per Device

Overrides

Edit button

Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden, page 8-10 and Understanding Policy Object Overrides for Individual Devices, page 8-9.

If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.

Add or Edit HSI Group Dialog Boxes

Use the Add or Edit HSI Group dialog boxes to add HSI groups to an H.323 policy inspection map.

Navigation Path

From the Parameters tab on the Add and Edit H.323 Map Dialog Boxes, click the Add Row button in the HSI Group table, or select a row and click the Edit Row button.


Related Topics

• Understanding Map Objects, page 8-38

• Creating H.323 Map Objects, page 8-47

Field Reference

Table F-68 Add and Edit HSI Group Dialog Boxes

Element Description

Group ID The HSI group ID number (0 to 2147483647).

IP Address The IP address of the HSI host.

Endpoint table The end points associated with the HSI group. You can add up to 10 end points per group. For each end point, you specify the IP address and interface policy group.

• To add an end point, click the Add button and fill in the dialog box (see Add or Edit HSI Endpoint IP Address Dialog Boxes, page F-105).

• To edit an end point, select it and click the Edit button.

• To delete an end point, select it and click the Delete button.

Add or Edit HSI Endpoint IP Address Dialog Boxes

Use the Add or Edit HSI Endpoint IP Address dialog boxes to add end points to an HSI group.

Navigation Path

From the Add or Edit HSI Group Dialog Boxes, click the Add Row button in the end point table, or select a row and click the Edit Row button.

Related Topics

• Understanding Map Objects, page 8-38

• Creating H.323 Map Objects, page 8-47

Field Reference

Table F-69 Add and Edit HSI Endpoint IP Address Dialog Boxes

Element Description

Network/Host The IP address of the end point host or network.

Interface The Interface policy group that identifies the interface connected to the security appliance. Enter the name of a policy group, or click Select to select it from a list, where you can also create new policy groups.


H.323 Class and Policy Maps Add or Edit Match Condition (and Action) Dialog Boxes

Use the Add or Edit H.323 Match Criterion (for H.323 class maps) or Match Condition and Action (for H.323 policy maps) dialog boxes to do the following:

• Define the match criterion and value for an H.323 class map.

• Select an H.323 class map when creating an H.323 policy map.

• Define the match criterion, value, and action directly in an H.323 policy map.

The fields on this dialog box change based on the criterion you select and whether you are creating a class map or policy map.

Navigation Path

When creating an H.323 class map, in the Policy Object Manager, from the Add or Edit Class Maps Dialog Boxes, page F-61 for H.323, right-click inside the table, then select Add Row or right-click a row, then select Edit Row.

When creating an H.323 policy map, in the Policy Object Manager, from the Match Condition and Action tab on the Add and Edit H.323 Map Dialog Boxes, page F-103, right-click inside the table, then select Add Row or right-click a row, then select Edit Row.

Related Topics

• Understanding Map Objects, page 8-38

• Creating Class Map Objects, page 8-41

• Creating H.323 Map Objects, page 8-47

Field Reference

Table F-70 H.323 Class and Policy Maps Add and Edit Match Condition and Action Dialog Boxes

Element Description

Match Type

Class Name

(Policy Map only)

Enables you to use an existing H.323 class map or define a new H.323 class map.

• Use Specified Values—You want to define the class map on this dialog box.

• Use Values in Class Map—You want to select an existing H.323 class map policy object. Enter the name of the H.323 class map in the Class Name field. Click Select to select the map from a list or to create a new class map object.

Criterion Specifies which criterion of H.323 traffic to match:

• Called Party—Matches the called party address.

• Calling Party—Matches the calling party address.

• Media Type—Matches the media type.


Table F-70 H.323 Class and Policy Maps Add and Edit Match Condition and Action Dialog Boxes (Continued)

Element Description

Type Specifies whether the map includes traffic that matches or does not match the criterion. For example, if Doesn’t Match is selected on the string “example.com,” then any traffic that contains “example.com” is excluded from the map.

• Matches—Matches the criterion.

• Doesn’t Match—Does not match the criterion.

Action

(Policy Map only)

The action you want the device to take for traffic that matches the defined criteria.

Variable Fields

The following fields vary based on what you select in the Criterion field. This list is a super-set of the fields you might see.

Value The regular expression you want to evaluate. You can select one of the following:

• Regular Expression—The regular expression object that defines the regular expression you want to use for pattern matching. Enter the name of the object. You can click Select to choose the object from a list of existing ones or to create a new regular expression object.

• Regular Expression Group—The regular expression group object that defines the regular expression you want to use for pattern matching. Enter the name of the object. You can click Select to choose the object from a list of existing ones or to create a new regular expression group object.

Media Type The type of media you want to inspect: audio, video, or data.

Add and Edit HTTP Map Dialog Boxes for ASA 7.1.x/PIX 7.1.x/FWSM 3.x/IOS Devices

Use the Add and Edit HTTP Map dialog boxes to define HTTP maps for ASA 7.1.x, PIX 7.1.x, FWSM 3.x, and IOS devices.

The enhanced HTTP inspection feature, which is also known as an application firewall, verifies that HTTP messages conform to RFC 2616, use RFC-defined methods, and comply with various other criteria. This can help prevent attackers from using HTTP messages for circumventing network security policy.

When you enable HTTP inspection with an HTTP map, strict HTTP inspection with the action reset and log is enabled by default. You can change the actions performed in response to inspection failure, but you cannot disable strict inspection as long as the HTTP map remains enabled. Security Manager uses the http-map command to configure the map on the device.

Navigation Path

Select Tools > Policy Object Manager, then select Maps > Policy Maps > Inspect > HTTP (ASA 7.1.x/PIX 7.1.x/FWSM3.x/IOS) from the Object Type selector. Right-click inside the work area, then select New Object or right-click a row and select Edit Object.


Related Topics

• Understanding Map Objects, page 8-38

• Creating HTTP Map Objects (ASA 7.1.x/PIX 7.1.x/FWSM 3.x/IOS), page 8-49

Field Reference

Table F-71 Add and Edit HTTP Map Dialog Boxes for ASA 7.1.x/PIX 7.1.x/FWSM 3.x/IOS Devices

Element Description

Name The name of the policy object. A maximum of 40 characters is allowed.

Description A description of the policy object. A maximum of 200 characters is allowed.

General tab Defines the action taken when non-compliant HTTP requests are received and enables verification of content type. For a description of the options, see HTTP Map General Tab, page F-108.

Entity Length tab Defines the action taken if the length of the HTTP content falls outside of configured targets. For a description of the options, see HTTP Map Entity Length Tab, page F-109.

RFC Request Method tab Defines the action that the security appliance should take when specific RFC request methods are used in the HTTP request. For a description of the options, see HTTP Map RFC Request Method Tab, page F-111.

Extension Request Method tab

Defines the action taken when specific extension request methods are used in the HTTP request. For a description of the options, see HTTP Map Extension Request Method Tab, page F-112.

Port Misuse tab Defines the action taken when specific undesirable applications are encountered. For a description of the options, see HTTP Map Port Misuse Tab, page F-113.

Transfer Encoding tab Defines the action taken when specific transfer encoding types are used in the HTTP request. For a description of the options, see HTTP Map Transfer Encoding Tab, page F-114.

Category The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6.

Allow Value Override per Device

Overrides

Edit button

Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden, page 8-10 and Understanding Policy Object Overrides for Individual Devices, page 8-9.

If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.

HTTP Map General Tab

Use the General tab to define the action taken when non-compliant HTTP requests are received and to enable verification of content type.


Navigation Path

Click the General tab on the Add and Edit HTTP Map Dialog Boxes for ASA 7.1.x/PIX 7.1.x/FWSM 3.x/IOS Devices, page F-107.

Related Topics

• Understanding Map Objects, page 8-38

• Creating HTTP Map Objects (ASA 7.1.x/PIX 7.1.x/FWSM 3.x/IOS), page 8-49

Field Reference

Table F-72 HTTP Map General Tab

Element Description

Take action for non-RFC 2616 compliant traffic

Whether you want to configure the action to be taken for traffic that does not comply with RFC 2616. Possible actions are:

• Allow Packet—Allow the message.

• Drop Packet—Close the connection.

• Reset Connection (default)—Send a TCP reset message to client and server.

You can also select Generate Syslog to write a message to the syslog if non-compliant traffic is encountered.

Verify Content-type field belongs to the supported internal content-type list.

Whether you want to configure the action to be taken for traffic whose content type does not belong to the supported internal content-type list. Possible actions are:

• Allow Packet—Allow the message.

• Drop Packet—Close the connection.

• Reset Connection (default)—Send a TCP reset message to client and server.

You can also select these options:

• Verify Content-type field for response matches the ACCEPT field of request—To also verify that the content type of the response matches the request.

• Generate Syslog—To write a message to the syslog if non-compliant traffic is encountered.

Override Global TCP Idle Timeout (IOS only)

Whether to change the TCP idle timeout default setting. An IOS device terminates a connection if there is no communication activity after this length of time. If you select this option, specify the desired timeout value in seconds.

Override Global Audit Trail Setting (IOS only)

Enable Audit Trail

Whether to change the audit trail setting for IOS devices. If you select this option, you can select Enable Audit Trail to generate audit trail messages.

HTTP Map Entity Length Tab

Use the Entity Length tab to enable inspection based on the length of the HTTP content.


Navigation Path

Click the Entity Length tab on the Add and Edit HTTP Map Dialog Boxes for ASA 7.1.x/PIX 7.1.x/FWSM 3.x/IOS Devices, page F-107.

Related Topics

• Understanding Map Objects, page 8-38

• Creating HTTP Map Objects (ASA 7.1.x/PIX 7.1.x/FWSM 3.x/IOS), page 8-49

Field Reference

Table F-73 HTTP Map Entity Length Tab

Element Description

Inspect URI Length Whether to enable inspection based on the length of the URI. If you select this option, configure the following:

• Maximum—The desired maximum length, in bytes, of the URI, from 1 to 65535.

• Excessive URI Length Action—The action to take when the length is exceeded:

– Allow Packet—Allow the message.

– Drop Packet—Close the connection.

– Reset Connection—Send a TCP reset message to client and server.

• Generate Syslog—Whether to generate a syslog message when a violation occurs.

Inspect Maximum Header Length

Whether to enable inspection based on the length of the HTTP header. If you select this option, configure the following:

• Request—The desired maximum length, in bytes, of the request header, from 1 to 65535.

• Response—The desired maximum length, in bytes, of the response header, from 1 to 65535.

• Excessive Header Length Action—The action to take when the length is exceeded:

– Allow Packet—Allow the message.

– Drop Packet—Close the connection.

– Reset Connection—Send a TCP reset message to client and server.

• Generate Syslog—Whether to generate a syslog message when a violation occurs.


Table F-73 HTTP Map Entity Length Tab (Continued)

Element Description

Inspect Body Length Whether to enable inspection based on the length of the message body. If you select this option, configure the following:

• Minimum Threshold—The desired minimum length, in bytes, of the message body, from 1 to 65535.

• Maximum Threshold—The desired maximum length, in bytes, of the message body, from 1 to 65535.

• Body Length Threshold Action—The action to take when the message body falls outside of the configured boundaries:

– Allow Packet—Allow the message.

– Drop Packet—Close the connection.

– Reset Connection—Send a TCP reset message to client and server.

• Generate Syslog—Whether to generate a syslog message when a violation occurs.

HTTP Map RFC Request Method Tab

Use the RFC Request Method tab to define the action to take when specific request methods are used in the HTTP request.

Navigation Path

Click the RFC Request Method tab on the Add and Edit HTTP Map Dialog Boxes for ASA 7.1.x/PIX 7.1.x/FWSM 3.x/IOS Devices, page F-107.

Related Topics

• Understanding Map Objects, page 8-38

• Creating HTTP Map Objects (ASA 7.1.x/PIX 7.1.x/FWSM 3.x/IOS), page 8-49


Field Reference

Table F-74 HTTP Map RFC Request Method Tab

Element Description

Available and Selected Methods

Action

Generate Syslog

The Available Methods list contains the request methods defined in RFC 2616.

To configure an action for a method, select it, then select an action and optionally select Generate Syslog if you want a message added to the syslog when an HTTP request containing the selected method is encountered. Click the >> button to add it to the Selected Methods list. (To remove a method from the selected list, select it and click the << button.)

Tip You can select multiple methods at a time using Ctrl+click if the action and syslog requests are the same for each.

The actions you can specify are:

• Allow Packet—Allow the message.

• Drop Packet—Close the connection.

• Reset Connection (default)—Send a TCP reset message to client and server.

Specify the action to be applied for the remaining available methods above.

Whether to define a default action for the methods for which you have not configured specific actions above. If you select this option, select the action and syslog setting to use for the default action.

HTTP Map Extension Request Method Tab

Use the Extension Request Method tab to define the action taken when specific extension request methods are used in the HTTP request.

Navigation Path

Click the Extension Request Method tab on the Add and Edit HTTP Map Dialog Boxes for ASA 7.1.x/PIX 7.1.x/FWSM 3.x/IOS Devices, page F-107.

Related Topics

• Understanding Map Objects, page 8-38

• Creating HTTP Map Objects (ASA 7.1.x/PIX 7.1.x/FWSM 3.x/IOS), page 8-49


Field Reference

Table F-75 HTTP Map Extension Request Method Tab

Element Description

Available and Selected Methods

Action

Generate Syslog

The Available Methods list contains the extension request methods defined in RFC 2616.

To configure an action for a method, select it, then select an action and optionally select Generate Syslog if you want a message added to the syslog when an HTTP request containing the selected method is encountered. Click the >> button to add it to the Selected Methods list. (To remove a method from the selected list, select it and click the << button.)

Tip You can select multiple methods at a time using Ctrl+click if the action and syslog requests are the same for each.

The actions you can specify are:

• Allow Packet—Allow the message.

• Drop Packet—Close the connection.

• Reset Connection (default)—Send a TCP reset message to client and server.

Specify the action to be applied for the remaining available methods above.

Whether to define a default action for the methods for which you have not configured specific actions above. If you select this option, select the action and syslog setting to use for the default action.

HTTP Map Port Misuse Tab

Use the Port Misuse tab to enable port misuse application firewall inspection. The application categories you can configure are:

• IM—Instant Messaging. The applications checked for are Yahoo! Messenger, AIM, and MSN IM.

• P2P—Peer-to-peer applications. The Kazaa application is checked.

• Tunneling—Tunneling applications. The applications checked for are HTTPort/HTTHost, GNU Httptunnel, GotoMyPC, Firethru, and Http-tunnel.com Client.

Navigation Path

Click the Port Misuse tab on the Add and Edit HTTP Map Dialog Boxes for ASA 7.1.x/PIX 7.1.x/FWSM 3.x/IOS Devices, page F-107.

Related Topics

• Understanding Map Objects, page 8-38

• Creating HTTP Map Objects (ASA 7.1.x/PIX 7.1.x/FWSM 3.x/IOS), page 8-49


Field Reference

Table F-76 HTTP Map Port Misuse Tab

Element Description

Available and Selected Application Categories

Action

Generate Syslog

The Available Application Categories list contains the categories for which you can define firewall inspection settings.

To configure an action for a category, select it, then select an action and optionally select Generate Syslog if you want a message added to the syslog when an HTTP request containing the selected application is encountered. Click the >> button to add it to the Selected Categories list. (To remove a category from the selected list, select it and click the << button.)

Tip You can select multiple categories at a time using Ctrl+click if the action and syslog requests are the same for each.

The actions you can specify are:

• Allow Packet—Allow the message.

• Drop Packet—Close the connection.

• Reset Connection (default)—Send a TCP reset message to client and server.

Specify the action to be applied for the remaining available categories above.

Whether to define a default action for the categories for which you have not configured specific actions above. If you select this option, select the action and syslog setting to use for the default action.

HTTP Map Transfer Encoding Tab

Use the Transfer Encoding tab to enable inspection based on the transfer encoding type. The encoding types that you can configure are:

• Chunked—Identifies the transfer encoding type in which the message body is transferred as a series of chunks.

• Compressed—Identifies the transfer encoding type in which the message body is transferred using UNIX file compression.

• Deflate—Identifies the transfer encoding type in which the message body is transferred using zlib format (RFC 1950) and deflate compression (RFC 1951).

• GZIP—Identifies the transfer encoding type in which the message body is transferred using GNU zip (RFC 1952).

• Identity—Identifies connections in which no transfer encoding is performed in the message body.

Navigation Path

Click the Transfer Encoding tab on the Add and Edit HTTP Map Dialog Boxes for ASA 7.1.x/PIX 7.1.x/FWSM 3.x/IOS Devices, page F-107.

Related Topics

• Understanding Map Objects, page 8-38

• Creating HTTP Map Objects (ASA 7.1.x/PIX 7.1.x/FWSM 3.x/IOS), page 8-49


Field Reference

Add or Edit HTTP Map Dialog Boxes for ASA 7.2+/PIX 7.2+ Devices

Use the Add and Edit HTTP Map dialog boxes to define the match criterion and values for the HTTP inspect map for ASA and PIX software releases 7.2 and higher.

Navigation Path

Select Tools > Policy Object Manager, then select Maps > Policy Maps > Inspect > HTTP (ASA 7.2+/PIX 7.2+) from the Object Type selector. Right-click inside the work area, then select New Object or right-click a row, then select Edit Object.

Related Topics

• Understanding Map Objects, page 8-38

• Configuring HTTP Policy Map Objects, page 8-49

• Creating HTTP Map Objects (ASA 7.2+/PIX 7.2+), page 8-50

Field Reference

Table F-77 HTTP Map Transfer Encoding Tab

Element Description

Available and Selected Encoding Types

Action

Generate Syslog

The Available Encoding Types list contains the types of transfer encoding for which you can define firewall inspection settings.

To configure an action for a type, select it, then select an action and optionally select Generate Syslog if you want a message added to the syslog when an HTTP request containing the selected type is encountered. Click the >> button to add it to the Selected Encoding Types list. (To remove a type from the selected list, select it and click the << button.)

Tip You can select multiple types at a time using Ctrl+click if the action and syslog requests are the same for each.

The actions you can specify are:

• Allow Packet—Allow the message.

• Drop Packet—Close the connection.

• Reset Connection (default)—Send a TCP reset message to client and server.

Specify the action to be applied for the remaining available encoding types above.

Whether to define a default action for the types for which you have not configured specific actions above. If you select this option, select the action and syslog setting to use for the default action.

Table F-78 Add and Edit HTTP Map Dialog Boxes (ASA 7.2+/PIX 7.2+)

Element Description

Name The name of the policy object. A maximum of 40 characters is allowed.


Description A description of the policy object. A maximum of 200 characters is allowed.

Parameters tab

Body Match Maximum The maximum number of characters in the body of an HTTP message that should be searched in a body match.

Tip A high value can have a significant impact on performance.

Check for protocol violations Whether to check for protocol violations.

Action The action to take based on the defined settings. You can drop, reset, or log the connection.

Spoof Server Enables you to replace the server HTTP header value with the specified string.

Match Condition and Action Tab

The Match All table lists the criteria included in the policy map. Each row indicates whether the inspection is looking for traffic that matches or does not match each criterion, the criterion and value that is inspected, and the action to be taken for traffic that satisfies the conditions.

• To add a criterion, click the Add button and fill in the Match Condition and Action dialog box (see HTTP Class and Policy Map (ASA 7.2+/PIX 7.2+) Add or Edit Match Condition (and Action) Dialog Boxes, page F-117).

• To edit a criterion, select it and click the Edit button.

• To delete a criterion, select it and click the Delete button.

Category The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6.

Allow Value Override per Device

Overrides

Edit button

Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden, page 8-10 and Understanding Policy Object Overrides for Individual Devices, page 8-9.

If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.

Overrides: None Shows that no overrides exist on the device. You must manually set overrides in order to change the display. For more information, see Understanding Policy Object Overrides for Individual Devices, page 8-9.

Note Selecting Allow Value Override per Device does not automatically set overrides.


HTTP Class and Policy Map (ASA 7.2+/PIX 7.2+) Add or Edit Match Condition (and Action) Dialog Boxes

Use the Add or Edit HTTP Match Criterion (for HTTP class maps) or Match Condition and Action (for HTTP policy maps) dialog boxes to do the following:

• Define the match criterion and value for an HTTP class map.

• Select an HTTP class map when creating an HTTP policy map.

• Define the match criterion, value, and action directly in an HTTP policy map.

These types of maps are used only for devices running ASA or PIX operating system version 7.2 or higher.

The fields on this dialog box change based on the criterion you select and whether you are creating a class map or policy map. You can use the following criteria:

• Request/Response Content Type Mismatch—Specifies that the content type in the response must match one of the MIME types in the accept field of the request.

• Request Arguments—Applies the regular expression match to the arguments of the request.

• Request Body—Applies the regular expression match to the body of the request.

• Request Body Length—Specifies that the body length of the request be matched as greater than or less than the specified number of bytes.

• Request Header Count—Specifies that the number of headers in the request be matched as greater than or less than the specified number.

• Request Header Length—Specifies that the header length of the request be matched as greater than or less than the specified number of bytes.

• Request Header Field—Applies the regular expression match to the header of the request.

• Request Header Field Count—Applies the regular expression match to the header of the request based on a specified number of header fields.

• Request Header Field Length—Applies the regular expression match to the header of the request based on a specified field length.

• Request Header Content Type—Specifies the content type to evaluate in the content-type header field of the request.

• Request Header Transfer Encoding—Specifies the transfer encoding to evaluate in the transfer-encoding header field of the request.

• Request Header Non-ASCII—Specifies whether there are non-ASCII characters in the header of the request.

• Request Method—Specifies the method of the request to match.

• Request URI—Applies the regular expression match to the URI of the request.

• Request URI Length—Specifies that the URI length of the request be matched as greater than or less than the specified number of bytes.

• Response Body ActiveX—Specifies whether there is ActiveX content in the body of the request.

• Response Body Java Applet—Specifies whether there is a Java applet in the body of the request.

• Response Body—Applies the regular expression match to the body of the response.

• Response Body Length—Specifies that the body length of the response be matched as greater than or less than the specified number of bytes.


• Response Header Count—Specifies that the number of headers in the response be matched as greater than or less than the specified number.

• Response Header Length—Specifies that the header length of the response be matched as greater than or less than the specified number of bytes.

• Response Header Field—Applies the regular expression match to the header of the response.

• Response Header Field Count—Applies the regular expression match to the header of the response based on a specified number of header fields.

• Response Header Field Length—Applies the regular expression match to the header of the response based on a specified field length.

• Response Header Content Type—Specifies the content type to evaluate in the content-type header field of the response.

• Response Header Transfer Encoding—Specifies the transfer encoding to evaluate in the transfer-encoding header field of the response.

• Response Header Non-ASCII—Specifies whether there are non-ASCII characters in the header of the response.

• Response Status Line—Applies the regular expression match to the status line of the response.

Navigation Path

When creating an HTTP class map, in the Policy Object Manager, from the Add or Edit Class Maps Dialog Boxes, page F-61 for HTTP, right-click inside the table, then select Add Row or right-click a row, then select Edit Row.

When creating an HTTP policy map, in the Policy Object Manager, from the Match Condition and Action tab on the Add or Edit HTTP Map Dialog Boxes for ASA 7.2+/PIX 7.2+ Devices, page F-115, right-click inside the table, then select Add Row or right-click a row, then select Edit Row.

Related Topics

• Understanding Map Objects, page 8-38

• Creating HTTP Map Objects (ASA 7.2+/PIX 7.2+), page 8-50

• Creating Class Map Objects, page 8-41

Field Reference

Table F-79 HTTP Class and Policy Maps (ASA 7.2+/PIX 7.2+) Add and Edit Match Condition and Action Dialog Boxes

Element Description

Match Type

Class Name

(Policy Map only)

Enables you to use an existing HTTP class map or define a new HTTP class map.

• Use Specified Values—You want to define the class map on this dialog box.

• Use Values in Class Map—You want to select an existing HTTP class map policy object. Enter the name of the HTTP class map in the Class Name field. Click Select to select the map from a list or to create a new class map object.

Criterion Specifies which criterion of HTTP traffic to match. The criteria are described above.


Type Specifies whether the map includes traffic that matches or does not match the criterion. For example, if Doesn’t Match is selected on the string “example.com,” then any traffic that contains “example.com” is excluded from the map.

• Matches—Matches the criterion. For some criteria, this is the only available option.

• Doesn’t Match—Does not match the criterion.

Action

(Policy Map only)

The action you want the device to take for traffic that matches the defined criteria. The types of action depend on the criterion you select.

Variable Fields

The following fields vary based on what you select in the Criterion field. This list is a superset of the fields you might see.

Field Name The name of the header field to evaluate. You can select one of the following:

• Predefined—The predefined HTTP header fields.

• Regular Expression—The regular expression object that defines the regular expression you want to use for pattern matching. Enter the name of the object. You can click Select to choose the object from a list of existing ones or to create a new regular expression object.


Value The regular expression you want to evaluate. You can select one of the following:

• Regular Expression—The regular expression object that defines the regular expression you want to use for pattern matching. Enter the name of the object. You can click Select to choose the object from a list of existing ones or to create a new regular expression object.

• Regular Expression Group—The regular expression group object that defines the regular expression you want to use for pattern matching. Enter the name of the object. You can click Select to choose the object from a list of existing ones or to create a new regular expression group object.

When you are evaluating the Request Header Transfer Encoding or Response Header Transfer Encoding criteria, you can also select these options:

• Specified By—One of the following predefined types of transfer encoding:

– Chunked—The message body is transferred as a series of chunks.

– Compressed—The message body is transferred using UNIX file compression.

– Deflate—The message body is transferred using zlib format (RFC 1950) and deflate compression (RFC 1951).

– GZIP—The message body is transferred using GNU zip (RFC 1952).

– Identity—No transfer encoding is performed.

• Empty—The transfer-encoding field in the request header is empty.

Greater Than Length The length in bytes of the evaluated field. The criterion matches if the length is greater than the specified number, and does not match if the field is less than the specified number.

Greater Than Count The number of evaluated items. The criterion matches if the count is greater than the specified number, and does not match if the count is less than the specified number.


Add and Edit IM Map Dialog Boxes (for ASA 7.2+/PIX 7.2+)

Use the Add and Edit IM Map dialog boxes to define settings for an Instant Messenger (IM) inspect map for devices running ASA/PIX 7.2 or higher.

Navigation Path

Select Tools > Policy Object Manager, then select Maps > Policy Maps > Inspect > IM (ASA 7.2+/PIX 7.2+) from the Object Type selector. Right-click inside the work area, then select New Object or right-click a row and select Edit Object.

Related Topics

• Understanding Map Objects, page 8-38

• Creating IM Map Objects for Devices running ASA/PIX 7.2 and Higher, page 8-51

Field Reference

Content Type The content type to evaluate as specified in the content-type header field. You can select one of the following:

• Specified By—A predefined MIME type.

• Unknown—The MIME type is not known. Select Unknown when you want to evaluate the item against all known MIME types.

• Violation—The magic number in the body must correspond to the MIME type in the content-type header field.

• Regular Expression, Regular Expression Group—The regular expression or regular expression group to evaluate. See the explanation for the Value field for an explanation of these options.

Request Method The specified request method to match. You can select one of the following:

• Specified By—The predefined request method.

• Regular Expression, Regular Expression Group—The regular expression or regular expression group to evaluate. See the explanation for the Value field for an explanation of these options.
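The criteria in Table F-79, the Matches/Doesn't Match type, the Value and Greater Than fields, and the per-encoding actions of the HTTP Map Transfer Encoding tab are easier to reason about with a small executable model. The following Python is an added example written for the reader of this guide; it is not Security Manager or ASA/PIX code. The request, response and policy rows are constructed for the example, the criterion names and dictionary keys are the example's own, and first-match-wins evaluation with a configurable default action is an assumption of the model, not a statement about how the device evaluates a policy map.

```python
import re

# Constructed sample request and response for this example (not captured traffic).
SAMPLE_REQUEST = (
    b"GET /cgi-bin/search?q=1 HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Accept: text/html\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"User-Agent: demo-client\r\n"
    b"\r\n"
)
MISMATCH_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Length: 4\r\n"
    b"\r\n"
    b"\x00\x01\x02\x03"
)
HTML_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Content-Length: 6\r\n"
    b"\r\n"
    b"<html>"
)


def parse_message(raw):
    # Split into start line, (name, value) header list and body. latin-1 keeps
    # every byte, so non-ASCII header bytes survive as characters above 127.
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return {"start_line": lines[0], "headers": headers, "body": body}


def header_value(msg, name):
    # First value of a header, compared case-insensitively; None if absent.
    for k, v in msg["headers"]:
        if k.lower() == name.lower():
            return v
    return None


def criterion_holds(cond, req, resp):
    # Raw result of one criterion, before the Matches / Doesn't Match type applies.
    c = cond["criterion"]
    if c == "request-header-count":
        return len(req["headers"]) > cond["greater_than"]
    if c == "request-uri":
        uri = req["start_line"].split()[1]
        return re.search(cond["regex"], uri) is not None
    if c == "request-header-transfer-encoding":
        te = header_value(req, "Transfer-Encoding")
        if cond.get("empty"):          # the "Empty" option: no transfer-encoding at all
            return not te
        codings = [t.strip().lower() for t in (te or "").split(",")]
        return cond["specified_by"] in codings   # chunked, compressed, deflate, gzip, identity
    if c == "request-header-non-ascii":
        return any(ord(ch) > 127 for k, v in req["headers"] for ch in k + v)
    if c == "content-type-mismatch":
        # Response Content-Type must be covered by one of the request's Accept types.
        accept = header_value(req, "Accept") or "*/*"
        ctype = (header_value(resp, "Content-Type") or "").split(";")[0].strip().lower()
        accepted = [a.split(";")[0].strip().lower() for a in accept.split(",")]
        covered = any(
            a == "*/*" or a == ctype or (a.endswith("/*") and ctype.startswith(a[:-1]))
            for a in accepted
        )
        return not covered
    raise ValueError("unsupported criterion: " + c)


def inspect(policy, raw_request, raw_response, default_action="allow"):
    # Rows are evaluated in order; the first row that holds (after Matches /
    # Doesn't Match inversion) decides. First-match-wins is an assumption of
    # this model, as is the default action for traffic that no row selects.
    req = parse_message(raw_request)
    resp = parse_message(raw_response)
    for cond in policy:
        holds = criterion_holds(cond, req, resp)
        if not cond.get("matches", True):
            holds = not holds
        if holds:
            return cond["action"]
    return default_action


# Constructed policy rows; order and actions are illustrative only.
POLICY = [
    {"criterion": "request-header-count", "greater_than": 20, "action": "drop"},
    # Doesn't Match: requests whose URI contains cgi-bin are excluded from this row.
    {"criterion": "request-uri", "regex": r"cgi-bin", "matches": False, "action": "reset"},
    {"criterion": "request-header-non-ascii", "action": "reset"},
    {"criterion": "request-header-transfer-encoding", "specified_by": "compressed", "action": "drop"},
    {"criterion": "content-type-mismatch", "action": "drop"},
]
```

Running `inspect(POLICY, SAMPLE_REQUEST, MISMATCH_RESPONSE)` returns "drop" because the request accepts only text/html while the response carries application/octet-stream; the same request with HTML_RESPONSE falls through to the default "allow". A request whose URI does not contain cgi-bin is caught by the Doesn't Match row, which is the inversion the Type field description above illustrates with "example.com".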


Table F-80 Add and Edit IM Map Dialog Boxes

Element Description

Name The name of the policy object. A maximum of 40 characters is allowed.

Description A description of the policy object. A maximum of 200 characters is allowed.


IM Class and Policy Map (ASA 7.2+/PIX 7.2+) Add or Edit Match Condition (and Action) Dialog Boxes

Use the Add or Edit IM Match Criterion (for IM class maps) or Match Condition and Action (for IM policy maps) dialog boxes to do the following:

• Define the match criterion and value for an IM class map.

• Select an IM class map when creating an IM policy map.

• Define the match criterion, value, and action directly in an IM policy map.

These types of maps are used only for devices running ASA or PIX operating system version 7.2 or higher.

The fields on this dialog box change based on the criterion you select and whether you are creating a class map or policy map.

Navigation Path

When creating an IM class map, in the Policy Object Manager, from the Add or Edit Class Maps Dialog Boxes, page F-61 for IM, right-click inside the table, then select Add Row or right-click a row, then select Edit Row.

When creating an IM policy map, in the Policy Object Manager, from the Match Condition and Action tab on the Add and Edit IM Map Dialog Boxes (for ASA 7.2+/PIX 7.2+), right-click inside the table, then select Add Row or right-click a row, then select Edit Row.

Match Condition and Action Tab

The Match All table lists the criteria included in the policy map. Each row indicates whether the inspection is looking for traffic that matches or does not match each criterion, the criterion and value that is inspected, and the action to be taken for traffic that satisfies the conditions.

• To add a criterion, click the Add button and fill in the Match Condition and Action dialog box (see IM Class and Policy Map (ASA 7.2+/PIX 7.2+) Add or Edit Match Condition (and Action) Dialog Boxes, page F-122).

• To edit a criterion, select it and click the Edit button.

• To delete a criterion, select it and click the Delete button.

Category The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6.

Allow Value Override per Device

Overrides

Edit button

Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden, page 8-10 and Understanding Policy Object Overrides for Individual Devices, page 8-9.

If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.


Related Topics

• Understanding Map Objects, page 8-38

• Creating IM Map Objects for Devices running ASA/PIX 7.2 and Higher, page 8-51

• Creating Class Map Objects, page 8-41

Field Reference

Table F-81 IM Class and Policy Map (ASA 7.2+/PIX 7.2+) Add or Edit Match Condition (and Action) Dialog Boxes

Element Description

Match Type

Class Name

(Policy Map only)

Enables you to use an existing IM class map or define a new IM class map.

• Use Specified Values—You want to define the class map on this dialog box.

• Use Values in Class Map—You want to select an existing IM class map policy object. Enter the name of the IM class map in the Class Name field. Click Select to select the map from a list or to create a new class map object.

Criterion Specifies which criterion of IM traffic to match. The criteria are:

• Filename—Matches the filename from IM file transfer service.

• Client IP Address—Matches the source client IP address.

• Client Login Name—Matches the client login name from IM service.

• Peer IP Address—Matches the peer, or destination, IP address.

• Peer Login Name—Matches the peer, or destination, login name from IM service.

• Protocol—Matches IM protocols.

• Service—Matches IM services.

• File Transfer Service Version—Matches the IM file transfer service version.

Type Specifies whether the map includes traffic that matches or does not match the criterion. For example, if Doesn’t Match is selected on the string “example.com,” then any traffic that contains “example.com” is excluded from the map.

• Matches—Matches the criterion.

• Doesn’t Match—Does not match the criterion.

Action

(Policy Map only)

The action you want the device to take for traffic that matches the defined criteria.


Add or Edit IM Map (IOS) Dialog Boxes

Use the Add and Edit IM Map (IOS) dialog boxes to configure Instant Messaging (IM) inspection policy map objects for IOS devices.

Navigation Path

Select Tools > Policy Object Manager, then select Maps > Policy Maps > Inspect > IM (IOS) from the Object Type selector. Right-click inside the work area, then select New Object or right-click a row, then select Edit Object.

Related Topics

• Understanding Map Objects, page 8-38

• Creating IM Map Objects for IOS Devices, page 8-52

Field Reference

Variable Fields

The following fields vary based on what you select in the Criterion field. This list is a superset of the fields you might see.

Value The regular expression you want to evaluate. You can select one of the following:

• Regular Expression—The regular expression object that defines the regular expression you want to use for pattern matching. Enter the name of the object. You can click Select to choose the object from a list of existing ones or to create a new regular expression object.

• Regular Expression Group—The regular expression group object that defines the regular expression you want to use for pattern matching. Enter the name of the object. You can click Select to choose the object from a list of existing ones or to create a new regular expression group object.

IP Address The IP address you want to match.

Protocol The IM protocol, either MSN Messenger or Yahoo! Messenger.

Services The IM services you want to inspect. Select one or more of the listed services.


Table F-82 Add and Edit IM Map (IOS) Dialog Boxes

Element Description

Name The name of the policy object. A maximum of 40 characters is allowed.

Description A description of the policy object. A maximum of 200 characters is allowed.


Add or Edit IPsec Pass Through Map Dialog Boxes

Use the Add and Edit IPsec Pass Through Map dialog boxes to configure settings for the IPsec Pass Through Map policy object.

Navigation Path

Select Tools > Policy Object Manager, then select Maps > Policy Maps > Inspect > IPsec Pass Through from the Object Type selector. Right-click inside the work area, then select New Object or right-click a row and select Edit Object.

Related Topics

• Understanding Map Objects, page 8-38

Service Tabs

The tabs represent different IM service providers. The settings available on each tab are identical. You must configure the settings separately for each service provider. The descriptions of the following fields apply to each of the services: Yahoo!, MSN, and AOL.

Text Chat How you want the text chat service to be handled, for example, allowed, denied, logged, or some combination.

Other Services How you want services other than text chat to be handled, for example, allowed, denied, logged, or some combination. IOS software recognizes all services other than text chat, such as voice-chat, video-chat, file sharing and transferring, and gaming as a single group.

Permit Servers The servers from which to permit traffic. Accepted formats are IP addresses, IP ranges, and hostnames separated by commas.

Deny Servers The servers from which to deny traffic. Accepted formats are IP addresses, IP ranges, and hostnames separated by commas.

Alert Whether you want to enable or disable alerts. The default is to use the default inspection settings.

Audit Whether you want to enable or disable an audit trail. The default is to use the default inspection settings.

Timeout A timeout for the service. You can use the default inspection settings, or you can elect to specify a timeout. If you select Specify Timeout, enter the timeout value in seconds.

Category The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6.

Allow Value Override per Device

Overrides

Edit button

Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden, page 8-10 and Understanding Policy Object Overrides for Individual Devices, page 8-9.

If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.


• Creating IPSec Pass Through Map Objects, page 8-53

Field Reference

Add or Edit NetBIOS Map Dialog Boxes

Use the Add or Edit NetBIOS Map dialog boxes to define maps for NetBIOS inspection.

Navigation Path

Select Tools > Policy Object Manager, then select Maps > Policy Maps > Inspect > NetBIOS from the Object Type selector. Right-click inside the work area, then select New Object or right-click a row and select Edit Object.

Related Topics

• Understanding Map Objects, page 8-38

• Creating NetBIOS Map Objects, page 8-54

Table F-83 Add and Edit IPsec Pass Through Map Dialog Boxes

Element Description

Name The name of the policy object. A maximum of 40 characters is allowed.

Description A description of the policy object. A maximum of 200 characters is allowed.

Allow ESP

Maximum ESP Tunnels per Client

ESP Idle Timeout

Whether to allow ESP traffic. If you select this option, you can configure the maximum number of ESP tunnels that each client can have and the amount of time that an ESP tunnel can be idle before it is closed (in hours:minutes:seconds format). The default timeout is 10 minutes (00:10:00).

Allow AH

Maximum AH Tunnels per Client

AH Idle Timeout

Whether to allow AH traffic. If you select this option, you can configure the maximum number of AH tunnels that each client can have and the amount of time that an AH tunnel can be idle before it is closed (in hours:minutes:seconds format). The default timeout is 10 minutes (00:10:00).

Category The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6.

Allow Value Override per Device

Overrides

Edit button

Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden, page 8-10 and Understanding Policy Object Overrides for Individual Devices, page 8-9.

If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.
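The Allow ESP/AH, Maximum Tunnels per Client and Idle Timeout rows of Table F-83 describe per-client state that the pass-through inspection has to keep. The following Python is an added example that models that state; it is not ASA/PIX or Security Manager code. Identifying a tunnel by (client, peer, SPI), the "permit"/"deny" return values, and the constructed packet sequence in `demo()` are assumptions of the model. The timeout parser follows the hours:minutes:seconds format the table describes, with the 00:10:00 default.

```python
# Added model of the state an IPsec pass-through inspection keeps; not ASA/PIX code.
# A tunnel is identified by (client, peer, SPI), which is an assumption of this model.


def parse_timeout(text):
    # Idle timeout in the page's hours:minutes:seconds format, returned in seconds.
    hours, minutes, seconds = (int(part) for part in text.split(":"))
    if minutes > 59 or seconds > 59:
        raise ValueError("invalid timeout: " + text)
    return hours * 3600 + minutes * 60 + seconds


class PassThroughTracker:
    def __init__(self, allow_esp=True, max_esp_per_client=10, esp_idle="00:10:00",
                 allow_ah=False, max_ah_per_client=10, ah_idle="00:10:00"):
        # Per-protocol settings mirror the Allow / Maximum Tunnels / Idle Timeout rows.
        self.settings = {
            "esp": (allow_esp, max_esp_per_client, parse_timeout(esp_idle)),
            "ah": (allow_ah, max_ah_per_client, parse_timeout(ah_idle)),
        }
        # (client, proto) -> {(peer, spi): last_seen_seconds}
        self.tunnels = {}

    def expire(self, now):
        # Close every tunnel that has been idle for at least its protocol's timeout.
        closed = 0
        for (client, proto), flows in self.tunnels.items():
            timeout = self.settings[proto][2]
            for key in [k for k, last in flows.items() if now - last >= timeout]:
                del flows[key]
                closed += 1
        return closed

    def packet(self, client, peer, proto, spi, now):
        # Decide permit/deny for one ESP or AH packet from client to peer.
        if proto not in self.settings:
            raise ValueError("unsupported protocol: " + str(proto))
        allowed, max_tunnels, _ = self.settings[proto]
        if not allowed:
            return "deny"            # protocol not allowed at all
        self.expire(now)
        flows = self.tunnels.setdefault((client, proto), {})
        key = (peer, spi)
        if key in flows:
            flows[key] = now         # existing tunnel: refresh its idle timer
            return "permit"
        if len(flows) >= max_tunnels:
            return "deny"            # Maximum Tunnels per Client reached
        flows[key] = now             # open a new tunnel
        return "permit"

    def active_tunnels(self, client, proto):
        return len(self.tunnels.get((client, proto), {}))


def demo():
    # Constructed sequence: two ESP tunnels allowed per client, AH not allowed.
    t = PassThroughTracker(max_esp_per_client=2, esp_idle="00:10:00", allow_ah=False)
    results = [
        t.packet("10.1.1.5", "198.51.100.7", "esp", 0x1001, now=0),
        t.packet("10.1.1.5", "198.51.100.7", "esp", 0x1002, now=300),
        t.packet("10.1.1.5", "198.51.100.7", "esp", 0x1003, now=301),  # third tunnel: over limit
        t.packet("10.1.1.5", "198.51.100.7", "ah", 0x2001, now=302),   # AH not allowed
        t.packet("10.1.1.5", "198.51.100.7", "esp", 0x1003, now=600),  # first tunnel idle: slot free
    ]
    return results, t.active_tunnels("10.1.1.5", "esp")
```

`demo()` returns `(["permit", "permit", "deny", "deny", "permit"], 2)`: the third tunnel is refused while two are live, AH is refused outright, and once the first tunnel has been idle for the full 10 minutes its slot is reclaimed for the new SPI.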


Field Reference

Add or Edit SIP Map Dialog Boxes

Use the Add and Edit SIP Map dialog boxes to configure values used for SIP application inspection.

Navigation Path

Select Tools > Policy Object Manager, then select Maps > Policy Maps > Inspect > SIP (ASA/PIX/FWSM) from the Object Type selector. Right-click inside the work area, then select New Object or right-click a row and select Edit Object.

Related Topics

• Understanding Map Objects, page 8-38

• Creating SIP Map Objects, page 8-55

Field Reference

Table F-84 Add or Edit NetBIOS Map Dialog Boxes

Element Description

Name The name of the policy object. A maximum of 40 characters is allowed.

Description A description of the policy object. A maximum of 200 characters is allowed.

Check for Protocol Violation

Action

Whether to check for NETBIOS protocol violations. If you select this option, select the action you want to take when violations occur.

Category The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6.

Allow Value Override per Device

Overrides

Edit button

Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden, page 8-10 and Understanding Policy Object Overrides for Individual Devices, page 8-9.

If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.

Table F-85 Add and Edit SIP Map Dialog Box

Element Description

Name The name of the policy object. A maximum of 40 characters is allowed.

Description A description of the policy object. A maximum of 200 characters is allowed.

Parameters tab

Enable SIP Instant Messaging Extensions

Whether to enable Instant Messaging extensions.

Permit Non-SIP Traffic on SIP Port

Whether to permit non-SIP traffic on the SIP port.


Hide Server’s and Endpoint’s IP Address

Whether to hide the IP addresses, which enables IP address privacy.

Check RTP Packets for Protocol Conformance

Limit Payload to Audio or Video based on the Signaling Exchange

Whether to check RTP/RTCP packets flowing on the pinholes for protocol conformance. If you select this option, you can also elect to enforce the payload type to be audio/video based on the signaling exchange.

If Number of Hops to Destination is Greater Than 0

Whether to validate the Max-Forwards header, which counts the hops a request may still traverse before it reaches its destination. The action you select in the Action field is applied to requests whose Max-Forwards value has already reached zero, that is, requests that may not be forwarded any further. The default is to drop the packet.

If State Transition is Detected

Whether to check SIP state transitions. When a transition is detected, the action you select in the Action field is implemented. The default is to drop the packet.

If Header Fields Fail Strict Validation

Whether to take the action specified in the Action field if the SIP header fields are invalid. The default is to drop the packet.

Inspect Server’s and Endpoint’s Software Version

Whether to inspect the SIP endpoint software version in User-Agent and Server headers. The default is to mask the information.

If Non-SIP URI is Detected Whether to take the action specified in the Action field if a non-SIP URI is detected in the Alert-Info and Call-Info headers. The default is to mask the information.

Match Condition and Action Tab

The Match All table lists the criteria included in the policy map. Each row indicates whether the inspection is looking for traffic that matches or does not match each criterion, the criterion and value that is inspected, and the action to be taken for traffic that satisfies the conditions.

• To add a criterion, click the Add button and fill in the Match Condition and Action dialog box (see SIP Class and Policy Maps Add or Edit Match Condition (and Action) Dialog Boxes, page F-129).

• To edit a criterion, select it and click the Edit button.

• To delete a criterion, select it and click the Delete button.

Category The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6.

Allow Value Override per Device

Overrides

Edit button

Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden, page 8-10 and Understanding Policy Object Overrides for Individual Devices, page 8-9.

If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.


SIP Class and Policy Maps Add or Edit Match Condition (and Action) Dialog Boxes

Use the Add or Edit SIP Match Criterion (for SIP class maps) or Match Condition and Action (for SIP policy maps) dialog boxes to do the following:

• Define the match criterion and value for a SIP class map.

• Select a SIP class map when creating a SIP policy map.

• Define the match criterion, value, and action directly in a SIP policy map.

The fields on this dialog box change based on the criterion you select and whether you are creating a class map or policy map.

Navigation Path

When creating a SIP class map, in the Policy Object Manager, from the Add or Edit Class Maps Dialog Boxes, page F-61 for SIP, right-click inside the table, then select Add Row or right-click a row, then select Edit Row.

When creating a SIP policy map, in the Policy Object Manager, from the Match Condition and Action tab on the Add or Edit SIP Map Dialog Boxes, page F-127, right-click inside the table, then select Add Row or right-click a row, then select Edit Row.

Related Topics

• Understanding Map Objects, page 8-38

• Creating Class Map Objects, page 8-41

• Creating SIP Map Objects, page 8-55

Field Reference

Table F-86 SIP Class and Policy Maps Add and Edit Match Condition and Action Dialog Boxes

Element Description

Match Type

Class Name

(Policy Map only)

Enables you to use an existing SIP class map or define a new SIP class map.

• Use Specified Values—You want to define the class map on this dialog box.

• Use Values in Class Map—You want to select an existing SIP class map policy object. Enter the name of the SIP class map in the Class Name field. Click Select to select the map from a list or to create a new class map object.


Criterion Specifies which criterion of SIP traffic to match.

• Called Party—Matches the called party as specified in the To header.

• Calling Party—Matches the calling party as specified in the From header.

• Content Length—Matches the length given in the Content-Length header.

• Content Type—Matches the Content-Type header.

• IM Subscriber—Matches the SIP Instant Messenger subscriber.

• Message Path—Matches the SIP Via header.

• Third Party Registration—Matches the requester of a third-party registration.

• URI Length—Matches the length of a URI in the SIP headers.

• Request Method—Matches the SIP request method.

Type Specifies whether the map includes traffic that matches or does not match the criterion. For example, if Doesn’t Match is selected on the string “example.com,” then any traffic that contains “example.com” is excluded from the map.

• Matches—Matches the criterion.

• Doesn’t Match—Does not match the criterion.

Action

(Policy Map only)

The action you want the device to take for traffic that matches the defined criteria.

Variable Fields

The following fields vary based on what you select in the Criterion field. This list is a super-set of the fields you might see.

Value The regular expression you want to evaluate. You can select one of the following:

• Regular Expression—The regular expression object that defines the regular expression you want to use for pattern matching. Enter the name of the object. You can click Select to choose the object from a list of existing ones or to create a new regular expression object.

• Regular Expression Group—The regular expression group object that defines the regular expression you want to use for pattern matching. Enter the name of the object. You can click Select to choose the object from a list of existing ones or to create a new regular expression group object.

URI Type The type of URI to match, either SIP or TEL.

Greater Than Length The length in bytes of the evaluated field. The criterion matches if the length of the field is greater than the specified number, and does not match if it is less than or equal to that number.


Add or Edit Skinny Map Dialog Boxes

Use the Add or Edit Skinny Map dialog boxes to define Skinny maps for Skinny inspection.

Content Type The content type to evaluate as specified in the content-type header field. You can select one of the following:

• SDP—Matches an SDP SIP content header type.

• Regular Expression, Regular Expression Group—The regular expression or regular expression group to evaluate. See the explanation for the Value field for an explanation of these options.

Request Method The request method you want to inspect:

• ack—Confirms that the client has received a final response to an INVITE request.

• bye—Terminates a call and can be sent by either the caller or the called party.

• cancel—Cancels any pending searches but does not terminate a call that has already been accepted.

• info—Communicates mid-session signaling information along the signaling path for the call.

• invite—Indicates a user or service is being invited to participate in a call session.

• message—Sends instant messages where each message is independent of any other message.

• notify—Notifies a SIP node that an event which has been requested by an earlier SUBSCRIBE method has occurred.

• options—Queries the capabilities of servers.

• prack—Provisional response acknowledgment.

• refer—Requests that the recipient REFER to a resource provided in the request.

• register—Registers the address listed in the To header field with a SIP server.

• subscribe—Requests notification of an event or set of events at a later time.

• unknown—Uses a nonstandard extension that could have unknown security impacts on the network.

• update—Permits a client to update parameters of a session but has no impact on the state of a dialog.
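The settings in Tables F-85 and F-86 are deployed to the device as a policy-map type inspect sip. The following is an added illustration in Cisco ASA CLI, written for this page rather than taken from the guide or from the commands Security Manager itself generates; the object names, regular expressions, port, and thresholds are assumed. It also shows what a Regular Expression object and a Regular Expression Group object (described later in this appendix) become on the device, because the Called Party and Calling Party criteria reference them.

```text
! Regular Expression objects provision as "regex" commands; a Regular
! Expression Group provisions as a "class-map type regex". Names are assumed.
regex FROM-EXAMPLE-COM @example\.com$
regex CALLED-EXT-5XX ^sip:5[0-9][0-9]@
class-map type regex match-any TRUSTED-CALLERS
 match regex FROM-EXAMPLE-COM

! Parameters tab (Table F-85). Each command corresponds to one check box or
! Action field; an unchecked box simply leaves the command absent.
policy-map type inspect sip SIP-INSPECT-MAP
 parameters
  ! Enable SIP Instant Messaging Extensions
  im
  ! Permit Non-SIP Traffic on SIP Port: left unchecked
  no traffic-non-sip
  ! Hide Server's and Endpoint's IP Address
  ip-address-privacy
  ! Check RTP Packets for Protocol Conformance, plus Limit Payload to Audio or Video
  rtp-conformance enforce-payloadtype
  ! If Number of Hops to Destination ... with Action = drop
  max-forwards-validation action drop
  ! If State Transition is Detected with Action = drop
  state-checking action drop
  ! If Header Fields Fail Strict Validation with Action = drop
  strict-header-validation action drop
  ! Inspect Server's and Endpoint's Software Version with Action = mask
  software-version action mask
  ! If Non-SIP URI is Detected with Action = mask
  uri-non-sip action mask
 ! Match Condition and Action tab (Table F-86): one match clause per row.
 ! Type = "Doesn't Match" becomes "match not"; a Regular Expression Group
 ! is referenced with "regex class", a single Regular Expression by name.
 match not calling-party regex class TRUSTED-CALLERS
  drop-connection log
 match called-party regex CALLED-EXT-5XX
  drop log
 match uri sip length gt 256
  drop-connection
 match request-method unknown
  drop log
 match content type sdp
  log

! The map does nothing until an inspect action references it. The default
! global policy already applies "inspection_default" to SIP ports.
policy-map global_policy
 class inspection_default
  inspect sip SIP-INSPECT-MAP
```

Two details worth checking before deploying a map like this: the "mask" actions rewrite headers in transit, so endpoints that validate Server or User-Agent strings may behave differently behind the appliance, and "match not" on the calling party drops every call whose From header fails the regex, so the expression group must cover every legitimate domain before the action is set to drop.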


Navigation Path

Select Tools > Policy Object Manager, then select Maps > Policy Maps > Inspect > Skinny from the Object Type selector. Right-click inside the work area, then select New Object or right-click a row, then select Edit Object.

Related Topics

• Understanding Map Objects, page 8-38

• Creating Skinny Map Objects, page 8-56

Field Reference

Table F-87 Add and Edit Skinny Map Dialog Boxes

Element Description

Name The name of the Skinny map. A maximum of 40 characters is allowed.

Description A description of the Skinny map, up to 200 characters.

Parameters Tab

Enforce Endpoint Registration

Whether to enforce registration before calls can be placed.

Maximum SCCP Station Message ID 0x

The maximum SCCP station message ID allowed, in hexadecimal.

Check RTP Packets for Protocol Conformance

Enforce Payload Type to be Audio or Video based on Signaling Exchange

Whether to check RTP packets flowing through the pinholes for protocol conformance. If you select this option, you can also select whether to enforce the payload type.

Minimum SCCP Prefix Length

The minimum SCCP prefix length allowed.

Maximum SCCP Prefix Length

The maximum SCCP prefix length allowed.

Media Timeout The timeout value for media connections.

Signaling Timeout The timeout value for signaling connections.

Match Condition and Action Tab

The Match All table lists the criteria included in the policy map. Each row indicates whether the inspection is looking for traffic that matches or does not match each criterion, the criterion and value that is inspected, and the action to be taken for traffic that satisfies the conditions.

• To add a criterion, click the Add button and fill in the Match Condition and Action dialog box (see Skinny Policy Maps Add or Edit Match Condition and Action Dialog Boxes, page F-133).

• To edit a criterion, select it and click the Edit button.

• To delete a criterion, select it and click the Delete button.

Category The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6.

Allow Value Override per Device

Overrides

Edit button

Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden, page 8-10 and Understanding Policy Object Overrides for Individual Devices, page 8-9.

If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.

Skinny Policy Maps Add or Edit Match Condition and Action Dialog Boxes

Use the Add or Edit Match Condition and Action dialog boxes to define the match criterion, value, and action for a Skinny policy map.

Navigation Path

In the Policy Object Manager, from the Match Condition and Action tab on the Add or Edit Skinny Map Dialog Boxes, page F-131, right-click inside the table, then select Add Row or right-click a row, then select Edit Row.

Related Topics

• Understanding Map Objects, page 8-38

• Creating Skinny Map Objects, page 8-56

Field Reference

Add and Edit SNMP Map Dialog Boxes

Use the Add and Edit SNMP Map dialog boxes to define maps for SNMP inspection.

Table F-88 Skinny Policy Maps Add and Edit Match Condition and Action Dialog Boxes

Element Description

Criterion Specifies which criterion of Skinny traffic to match.

Type Specifies whether the map includes traffic that matches or does not match the criterion. For example, if Doesn’t Match is selected on 0xFFFF, then any traffic that has the message ID 0xFFFF is excluded from the map.

• Matches—Matches the criterion.

• Doesn’t Match—Does not match the criterion.

ID Type The hexadecimal value for the message ID to inspect:

• Value—Matches a single hexadecimal value.

• Range—Matches a range of values.

Action The action you want the device to take for traffic that matches the defined criteria.
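The Parameters tab (Table F-87) and the match rows (Table F-88) of a Skinny map are deployed as a policy-map type inspect skinny. The following Cisco ASA CLI is an added illustration written for this page, not the guide's own text and not the exact output of Security Manager; the map name, message IDs, prefix lengths, and timeouts are assumed values.

```text
! Parameters tab (Table F-87)
policy-map type inspect skinny SKINNY-INSPECT-MAP
 parameters
  ! Enforce Endpoint Registration: phones must register before placing calls
  enforce-registration
  ! Maximum SCCP Station Message ID 0x141: station messages above it are dropped
  message-id max 0x141
  ! Check RTP Packets for Protocol Conformance, plus Enforce Payload Type
  rtp-conformance enforce-payloadtype
  ! Minimum and Maximum SCCP Prefix Length
  sccp-prefix-len min 4
  sccp-prefix-len max 4
  ! Media Timeout and Signaling Timeout, in hh:mm:ss
  timeout media 0:01:00
  timeout signaling 0:05:00
 ! Match Condition and Action tab (Table F-88)
 ! Row 1: ID Type = Range, Type = Matches, Action = drop
 match message-id range 0x130 0x141
  drop
 ! Row 2: ID Type = Value, Type = Matches, Action = drop
 match message-id 0x25
  drop

! Bind the map to the default inspection class of the global policy.
policy-map global_policy
 class inspection_default
  inspect skinny SKINNY-INSPECT-MAP
```

The maximum message ID is an absolute ceiling that applies before any match row is evaluated, so a match row can only block IDs at or below it; use rows when you need to drop specific station messages while leaving the rest of the ID space open.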


Navigation Path

Select Tools > Policy Object Manager, then select Maps > Policy Maps > Inspect > SNMP from the Object Type selector. Right-click inside the work area, then select New Object, or right-click a row and select Edit Object.

Related Topics

• Understanding Map Objects, page 8-38

• Creating SNMP Map Objects, page 8-57

Field Reference

Add or Edit Policy Maps Dialog Boxes for Zone-Based Firewall Policies

Use the Add and Edit Policy Map dialog boxes for zone-based firewall policies to define the match criterion and values for an inspection map used in a zone-based firewall policy for a Cisco IOS router. You can create policy inspection maps for H.323 (IOS), HTTP (Zone based IOS), IM (Zone based IOS), IMAP, P2P, POP3, SIP (IOS), SMTP, and Sun RPC inspection, and the name of the dialog box indicates the type of map you are creating.

When defining the inspection map, you select class maps of the same type and define the action to take for matching traffic. You can configure the required class maps before creating the policy maps or while you are creating them.

Table F-89 Add and Edit SNMP Map Dialog Boxes

Element Description

Name The name of the policy object. A maximum of 40 characters is allowed.

Description A description of the policy object. A maximum of 200 characters is allowed.

Disallowed SNMP Versions The versions of SNMP you want to prohibit.

• SNMP Version 1

• SNMP Version 2c (Community Based)

• SNMP Version 2 (Party Based)

• SNMP Version 3

Category The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6.

Allow Value Override per Device

Overrides

Edit button

Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden, page 8-10 and Understanding Policy Object Overrides for Individual Devices, page 8-9.

If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.
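An SNMP map is deployed as an snmp-map with one deny line per version checked in Disallowed SNMP Versions, and it only has an effect once an inspect snmp action references it. The following Cisco ASA CLI is an added illustration written for this page (not the guide's text, and not the exact commands Security Manager emits); the map and class names are assumed. It disallows versions 1, 2 and 2c, whose community strings travel in cleartext, and leaves version 3 permitted so that authenticated, encrypted polling continues to work.

```text
! Disallowed SNMP Versions: SNMP Version 1, Version 2c (Community Based),
! and Version 2 (Party Based) checked; Version 3 unchecked.
snmp-map DENY-LEGACY-SNMP
 deny version 1
 deny version 2c
 deny version 2

! The map applies to SNMP that passes THROUGH the appliance, selected here
! by destination port. Management access to the appliance itself is
! governed by its snmp-server configuration, not by this map.
class-map SNMP-THROUGH-TRAFFIC
 match port udp eq snmp
policy-map global_policy
 class SNMP-THROUGH-TRAFFIC
  inspect snmp DENY-LEGACY-SNMP
! "service-policy global_policy global" is present in the default configuration.
```

Checking all four versions turns the map into a blanket drop of SNMP through the appliance, which is sometimes intended; if it is not, verify on the device with show service-policy inspect snmp that the drop counters only rise for the versions you meant to block.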


Navigation Path

Select Tools > Policy Object Manager, then any of the following items in the Maps > Policy Maps > Inspect folder in the table of contents: H.323 (IOS), HTTP (Zone based IOS), IM (Zone based IOS), IMAP, P2P, POP3, SIP (IOS), SMTP, and Sun RPC. Right-click inside the work area and select New Object, or right-click a row and select Edit Object.

Related Topics

• Understanding Map Objects, page 8-38

• Configuring Maps for Inspection in Zone-Based Firewall Rules Policies, page 8-57

• Configuring Maps for Content Filtering in Zone-Based Firewall Rules Policies, page 8-59

• Understanding the Zone-based Firewall Rules, page 11-62

Field Reference

Add or Edit Match Condition and Action Dialog Boxes for Zone-Based Firewall and Web Filter Policies

Use the Add or Edit Match Condition and Action dialog boxes for zone-based firewall and web filter policies to select the class maps for inspection and to define the action to take for traffic that matches the class. This dialog box is used for the following types of policy maps: H.323 (IOS), HTTP (Zone based IOS), IM (Zone based IOS), IMAP, P2P, POP3, SIP (IOS), SMTP, Sun RPC, Web Filter.

The fields on this dialog box differ slightly depending on the type of policy map you are defining.

Table F-90 Add or Edit Policy Maps Dialog Boxes for Zone-Based Firewall Policies

Element Description

Name The name of the policy object. A maximum of 40 characters is allowed.

Description A description of the policy object. A maximum of 200 characters is allowed.

Match All table The Match All table lists class maps included in the policy map, and the action to take for traffic that matches the class. For traffic to match this class, all criteria defined in the selected class maps must be met.

• To add a criterion, click the Add button and fill in the Match Condition and Action dialog box (see Add or Edit Match Condition and Action Dialog Boxes for Zone-Based Firewall and Web Filter Policies, page F-135).

• To edit a criterion, select it and click the Edit button.

• To delete a criterion, select it and click the Delete button.

Category The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6.

Allow Value Override per Device

Overrides

Edit button

Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden, page 8-10 and Understanding Policy Object Overrides for Individual Devices, page 8-9.

If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.


Navigation Path

From the Add or Edit Policy Maps Dialog Boxes for Zone-Based Firewall Policies, right-click inside the match table and select Add Row or right-click a row and select Edit Row.

Related Topics

• Understanding Map Objects, page 8-38

• Configuring Maps for Inspection in Zone-Based Firewall Rules Policies, page 8-57

• Configuring Maps for Content Filtering in Zone-Based Firewall Rules Policies, page 8-59

• Understanding the Zone-based Firewall Rules, page 11-62

Field Reference

Add and Edit Web Filter Map Dialog Boxes

Use the Add and Edit Web Filter Map dialog boxes to define the parameters and match criterion and values for an inspection map used in a zone-based firewall policy for a router.

If you configure the action of a zone-based firewall policy rule as Content Filter, you can select a Web Filter policy map to define web filtering parameters and match criteria. You can select Web Filter policy maps only for routers running Cisco IOS Software release 12.4(20)T and higher. If you are configuring zone-based firewalls for routers running Cisco IOS Software release 12.4(6)T up to 12.4(20)T, you must configure a URL Filter parameter map instead of a Web Filter policy map. For more information, see Add or Edit URL Filter Parameter Map Dialog Boxes, page F-82.

You can configure a mix of local and server-based web filtering. To do this, you should select a parameter map appropriate for the type of server you are using, and for the match criteria, an appropriate mix of local and server class maps. Do not mix class and parameter maps for different types of servers.

Table F-91 Add or Edit Match Condition and Action Dialog Boxes for Zone-Based Firewall

Policies

Element Description

Match Type Indicates that you are selecting a class map. You must define class maps when creating policy maps for zone-based firewall policies.

Class Map

P2P, IM, and Web Filter class map types.

The name of the class map for the type of policy map you are creating. Click Select to select the map from a list or to create a new class map object.

For P2P, IM, and Web Filter policy maps, you must also select the type of policy map you are creating. For example, in a P2P map you must select between eDonkey, FastTrack, Gnutella, and Kazaa2. In an IM (Zone Based IOS) map, you must select between AOL, MSN Messenger, Yahoo Messenger, Windows Messenger, and ICQ. In a Web Filter map, you must select between Local, N2H2, WebSense, and Trend.

Action The action you want the device to take for traffic that matches the selected class.
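On the router, the policy map of Table F-90 and each Match Condition and Action row of Table F-91 become an application-level policy-map type inspect with one class entry per selected class map, and that policy map is then invoked from a Layer 3/4 inspect policy. The following Cisco IOS zone-based firewall configuration is an added illustration for an HTTP (Zone based IOS) map, written for this page rather than copied from the guide or from Security Manager's generated output; the class, policy and zone names are assumed.

```text
! Class map of type HTTP: the criteria a Match Condition row selects
class-map type inspect http match-any HTTP-ABUSE
 match request port-misuse im
 match request port-misuse p2p
 match request port-misuse tunneling
 match req-resp protocol-violation

! Policy map (Table F-90). Each row of Table F-91 is one "class type inspect
! http" entry with its Action; here Action = Reset, plus logging.
policy-map type inspect http HTTP-INSPECT-PMAP
 class type inspect http HTTP-ABUSE
  reset
  log

! Layer 3/4 inspect policy that hands HTTP flows to the application map
class-map type inspect match-all WEB-FROM-INSIDE
 match protocol http
policy-map type inspect INSIDE-TO-OUTSIDE
 class type inspect WEB-FROM-INSIDE
  inspect
  service-policy http HTTP-INSPECT-PMAP
 class class-default
  drop log

! Zones and the zone pair the policy is attached to
zone security INSIDE
zone security OUTSIDE
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE
```

The application map never sees traffic on its own: it is consulted only for flows that the Layer 3/4 class has matched and marked for inspect, which is why the guide insists that the class maps and the policy map be of the same type.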


Navigation Path

Select Tools > Policy Object Manager, then select Maps > Policy Maps > Web Filter > Web Filter from the Object Type selector. Right-click inside the table and select New Object or right-click a row and select Edit Object.

Related Topics

• Understanding Map Objects, page 8-38

• Configuring Maps for Content Filtering in Zone-Based Firewall Rules Policies, page 8-59

• Understanding the Zone-based Firewall Rules, page 11-62

Field Reference

Table F-92 Add and Edit Web Filter Map Dialog Boxes

Element Description

Name The name of the policy object. A maximum of 40 characters is allowed.

Description A description of the policy object. A maximum of 200 characters is allowed.

Parameters tab

Parameter Type

Parameter Map

The type of parameter map to include in the Web Filter policy map. Select None if you do not want to select a parameter map.

If you select a specific parameter type, enter the name of the parameter map in the Parameter Map field. Click Select to select the map from a list or to create a new parameter map object.

Match Condition and Action Tab

The Match All table lists class maps included in the policy map, and the action to take for traffic that matches the class. For traffic to match this class, all criteria defined in the selected class maps must be met.

• To add a criterion, click the Add button and fill in the Match Condition and Action dialog box (see Add or Edit Match Condition and Action Dialog Boxes for Zone-Based Firewall and Web Filter Policies, page F-135).

• To edit a criterion, select it and click the Edit button.

• To delete a criterion, select it and click the Delete button.

Category The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6.

Allow Value Override per Device

Overrides

Edit button

Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden, page 8-10 and Understanding Policy Object Overrides for Individual Devices, page 8-9.

If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.


Add and Edit Regular Expression Group Dialog Boxes

Use the Add and Edit Regular Expression Group dialog boxes to define regular expression groups, which contain multiple regular expressions. Groups make it possible for you to create modular regular expressions and group them in multiple ways for various uses.

Navigation Path

Select Tools > Policy Object Manager, then select Maps > Regular Expression Groups from the Object Type selector. Right-click inside the work area, then select New Object or right-click a row and select Edit Object.

Related Topics

• Creating Regular Expression Group Objects, page 8-61

• Creating Regular Expression Objects, page 8-62

• Understanding Map Objects, page 8-38

• Creating Policy Objects, page 8-4

Field Reference

Add and Edit Regular Expression Dialog Boxes

Use the Add and Edit Regular Expression dialog boxes to define regular expressions for use in class and policy inspection maps or in regular expression group policy objects.

Navigation Path

Select Tools > Policy Object Manager, then select Maps > Regular Expressions from the Object Type selector. Right-click inside the work area, then select New Object or right-click a row and select Edit Object.

Table F-93 Add and Edit Regular Expression Group Dialog Boxes

Element Description

Name The name of the policy object. A maximum of 40 characters is allowed.

Description A description of the policy object. A maximum of 200 characters is allowed.

Regular Expressions The Regular Expression policy objects that include the expressions you want to include in the group. Enter the name of the objects or click Select to select them from a list or to create a new object.

Category The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6.

Allow Value Override per Device

Overrides

Edit button

Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden, page 8-10 and Understanding Policy Object Overrides for Individual Devices, page 8-9.

If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.


Related Topics

• Creating Regular Expression Group Objects, page 8-61

• Creating Regular Expression Objects, page 8-62

• Understanding Map Objects, page 8-38

• Creating Policy Objects, page 8-4

Field Reference

Add and Edit TCP Map Dialog Boxes

Use the Add and Edit TCP Map dialog boxes to define a TCP map for customizing inspection on TCP flows on PIX 7.x and higher and ASA devices. Security Manager uses the tcp-map command to configure the map on the device.

Navigation Path

Select Tools > Policy Object Manager, then select Maps > TCP Maps from the Object Type selector. Right-click inside the work area, then select New Object or right-click a row and select Edit Object.

Related Topics

• Understanding Map Objects, page 8-38

• Creating TCP Map Objects, page 8-64
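Table F-95 lists the TCP map fields one at a time. To show how they fit together on the device, the following Cisco ASA CLI is an added illustration written for this page (not the guide's text and not Security Manager's exact generated output) of a tcp-map with most of the checks enabled and of the set connection advanced-options step that actually applies it to a flow; the map, class and port values are assumed.

```text
! TCP map: one subcommand per Table F-95 field
tcp-map TCP-NORMALIZE-STRICT
 ! Queue Limit 50 with Time Out 4 seconds (ASA 7.2(4)+) for out-of-order packets
 queue-limit 50 timeout 4
 ! Verify TCP Checksum
 checksum-verification
 ! Drop SYN Packets with Data
 syn-data drop
 ! Drop Connection on Window Variation
 window-variation drop-connection
 ! Drop Packets that Exceed Maximum Segment Size
 exceed-mss drop
 ! Check if Transmitted Data is the Same as Original
 check-retransmission
 ! Clear Urgent Flag
 urgent-flag clear
 ! Clear Selective Ack
 selective-ack clear
 ! Clear TCP Timestamp (disables PAWS and RTT measurement on the flow)
 tcp-options timestamp clear
 ! Clear Window Scale
 tcp-options window-scale clear
 ! Enable TTL Evasion Protection (on by default; listed for completeness)
 ttl-evasion-protection
 ! Reserved Bits: clear them rather than allow or drop
 reserved-bits clear

! A tcp-map is inert until a class in a service policy references it.
class-map DMZ-WEB-SERVERS
 match port tcp eq 80
policy-map global_policy
 class DMZ-WEB-SERVERS
  set connection advanced-options TCP-NORMALIZE-STRICT
! "service-policy global_policy global" is present in the default configuration.
```

Clearing the selective-ack, timestamp and window-scale options is a trade-off: it removes ambiguity for the normalizer but also removes the performance features those options provide, so apply a map this strict to a narrow class (a DMZ server segment, as here) and confirm with show service-policy that the expected flows are hitting it before widening the class.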

Table F-94 Add and Edit Regular Expression Dialog Boxes

Element Description

Name The name of the policy object. A maximum of 40 characters is allowed.

Description A description of the policy object. A maximum of 200 characters is allowed.

Value The regular expression, up to 100 characters in length. For information on the metacharacters you can use to build regular expressions, see Metacharacters Used to Build Regular Expressions, page 8-63.

Category The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6.

Allow Value Override per Device

Overrides

Edit button

Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden, page 8-10 and Understanding Policy Object Overrides for Individual Devices, page 8-9.

If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.


Field Reference

Table F-95 Add and Edit TCP Map Dialog Boxes

Element Description

Name The name of the policy object. A maximum of 128 characters is allowed.

Description A description of the policy object. A maximum of 1024 characters is allowed.

Queue Limit

(ASA devices only.)

The maximum number of out-of-order packets that can be queued for a TCP connection, between 1 and 250. Enter 0 to use the default system queue limit.

Time Out

(ASA 7.2(4)+ devices only.)

The maximum amount of time that out-of-order packets can remain in the buffer, between 1 and 20 seconds, before they are dropped. The default is 4 seconds.

This setting is ignored if you enter 0 for Queue Limit.

Verify TCP Checksum Whether to enable checksum verification.

Drop SYN Packets with Data Whether to drop SYN packets with data.

Drop Connection on Window Variation

Whether to drop a connection that changes its window size unexpectedly.

Drop Packets that Exceed Maximum Segment Size

Whether to drop packets that exceed the maximum segment size (MSS) set by a peer.

Check if Transmitted Data is the Same as Original

Whether to enable the retransmit data checks.

Clear Urgent Flag Whether to clear the URG (urgent) pointer through the TCP normalizer (security appliance).

Clear Selective Ack Whether to clear the selective acknowledgment mechanism (SACK) option.

Clear TCP Timestamp Whether to clear the timestamp option, which disables PAWS and RTT.

Clear Window Scale Whether to clear the window scale mechanism.

Enable TTL Evasion Protection

Whether to enable the TTL evasion protection offered by the TCP normalizer.

Reserved Bits How to handle reserved TCP options:

• Clear and Allow—Clear the TCP options through the TCP normalizer and allow the packet.

• Allow only—Allow the TCP options through the TCP normalizer.

• Drop—Drop the packet.
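The settings above are applied to each TCP segment as the normalizer sees it. The following is an added illustration, not Security Manager or ASA code: it models a TCP map holding these settings together with option-range rows of the kind the TCP Range Options table defines, and applies it to constructed segments. The dataclass fields, sample map and sample segments are assumptions made for the example; the window-variation and retransmission checks need per-flow state and are left out.

```python
"""Per-segment TCP map evaluation modelled on the settings in Tables F-95 and F-96.
Added illustration, not Security Manager or ASA code; map fields, segment fields and
sample segments are constructed. Window-variation and retransmission checks need
per-flow state and are not modelled."""
from dataclasses import dataclass, replace
from typing import Dict, List, Tuple

# IANA TCP option kinds; kinds 6-7 and 9-255 are the typical ranges named on the page.
OPT_MSS, OPT_WSCALE, OPT_SACK_PERMITTED, OPT_SACK, OPT_TIMESTAMP = 2, 3, 4, 5, 8


@dataclass(frozen=True)
class OptionRange:  # one row of the TCP Range Options table (Table F-96)
    lower: int
    upper: int
    action: str  # "clear", "allow" or "drop"


@dataclass(frozen=True)
class TcpMap:  # the per-segment settings of Table F-95
    verify_checksum: bool = False
    drop_syn_with_data: bool = False
    drop_exceed_mss: bool = False
    clear_urgent_flag: bool = False
    clear_sack: bool = False
    clear_timestamp: bool = False
    clear_window_scale: bool = False
    reserved_bits: str = "allow"  # "clear", "allow" or "drop"
    option_ranges: Tuple[OptionRange, ...] = ()


@dataclass
class Segment:  # header facts the normalizer needs; a real device parses these
    syn: bool
    payload_len: int
    peer_mss: int  # MSS advertised by the peer that will receive this segment
    urg: bool
    reserved: int  # value of the reserved header bits, 0 when clean
    checksum_ok: bool
    options: Dict[int, bytes]  # option kind -> option data


def range_action(tcp_map: TcpMap, kind: int) -> str:
    """Action for an option kind from the range table; unmatched kinds are allowed."""
    for rng in tcp_map.option_ranges:
        if rng.lower <= kind <= rng.upper:
            return rng.action
    return "allow"


def normalize(tcp_map: TcpMap, seg: Segment) -> Tuple[str, Segment, List[str]]:
    """Apply the map to one segment: (verdict, rewritten segment, reasons).
    Drop decisions are taken before any rewriting so the reasons stay unambiguous."""
    out = replace(seg, options=dict(seg.options))
    if tcp_map.verify_checksum and not seg.checksum_ok:
        return "drop", out, ["checksum verification failed"]
    if tcp_map.drop_syn_with_data and seg.syn and seg.payload_len > 0:
        return "drop", out, ["SYN segment carries data"]
    if tcp_map.drop_exceed_mss and seg.payload_len > seg.peer_mss:
        return "drop", out, [f"payload {seg.payload_len} exceeds peer MSS {seg.peer_mss}"]
    if seg.reserved and tcp_map.reserved_bits == "drop":
        return "drop", out, ["reserved bits set"]
    for kind in seg.options:
        if range_action(tcp_map, kind) == "drop":
            return "drop", out, [f"option kind {kind} falls in a drop range"]

    reasons: List[str] = []
    if seg.reserved and tcp_map.reserved_bits == "clear":
        out.reserved = 0
        reasons.append("cleared reserved bits")
    if tcp_map.clear_urgent_flag and seg.urg:
        out.urg = False
        reasons.append("cleared URG pointer")
    clear_kinds = set()
    if tcp_map.clear_sack:
        clear_kinds |= {OPT_SACK_PERMITTED, OPT_SACK}
    if tcp_map.clear_timestamp:
        clear_kinds.add(OPT_TIMESTAMP)
    if tcp_map.clear_window_scale:
        clear_kinds.add(OPT_WSCALE)
    for kind in list(out.options):
        if kind in clear_kinds or range_action(tcp_map, kind) == "clear":
            del out.options[kind]
            reasons.append(f"cleared option kind {kind}")
    return "allow", out, reasons


# Constructed sample map with the strict settings a hardened inspection policy might use.
STRICT_MAP = TcpMap(
    verify_checksum=True, drop_syn_with_data=True, drop_exceed_mss=True,
    clear_urgent_flag=True, clear_sack=True, clear_timestamp=True, reserved_bits="clear",
    option_ranges=(OptionRange(6, 7, "clear"), OptionRange(9, 255, "drop")),
)

# Constructed sample segments (option data bytes are placeholders).
SYN_WITH_DATA = Segment(True, 12, 1460, False, 0, True, {OPT_MSS: b"\x05\xb4"})
DATA_SEGMENT = Segment(False, 1400, 1460, True, 3, True, {OPT_MSS: b"\x05\xb4",
                       OPT_SACK_PERMITTED: b"", OPT_TIMESTAMP: b"\0" * 8, OPT_WSCALE: b"\x07"})
ODD_OPTION = Segment(False, 100, 1460, False, 0, True, {OPT_MSS: b"\x05\xb4", 19: b"\0" * 16})
```

Running `normalize(STRICT_MAP, DATA_SEGMENT)` allows the segment but returns it with the URG pointer, reserved bits, SACK-permitted and timestamp options cleared, while `ODD_OPTION` is dropped because option kind 19 falls in the 9-255 drop range.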


Table F-95 Add and Edit TCP Map Dialog Boxes (Continued)

Element Description

TCP Range Options table The TCP Range Options table lists the ranges included in the policy map and the action to take on reserved bits for those ranges. The typical range numbers are 6-7 and 9-255.

• To add a range, click the Add button and fill in the TCP Option Range dialog box (see Add and Edit TCP Option Range Dialog Boxes, page F-141).

• To edit a range, select it and click the Edit button.

• To delete a range, select it and click the Delete button.

Category The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6.

Add and Edit TCP Option Range Dialog Boxes

Use the Add and Edit TCP Option Range dialog boxes to define the option ranges for a TCP inspection map. The typical range numbers are 6-7 and 9-255.

Navigation Path

In the Add and Edit TCP Map Dialog Boxes, right-click inside the TCP Range Options table and select Add Row, or right-click a row and select Edit Row.

Related Topics

• Understanding Map Objects, page 8-38

• Creating TCP Map Objects, page 8-64

Field Reference

Table F-96 Add and Edit TCP Option Range Dialog Boxes

Element Description

Lower The lower bound of the range.

Upper The upper bound of the range.

Action The action to take for handling reserved bits.

Add or Edit Network/Host Dialog Box

Use the Add or Edit Network/Host dialog box to view, create, or edit network/host objects. A network/host object is a named collection of networks, hosts, or other network/host objects.

Navigation Path

Select Tools > Policy Object Manager, then select Networks/Hosts from the Object Type Selector. Right-click inside the work area and select New Object, or right-click a row and select Edit Object.


Related Topics

• Creating Network/Host Objects, page 8-66

• Understanding Network/Host Objects, page 8-65

• Specifying IP Addresses During Policy Definition, page 8-68

• Policy Object Manager Window, page F-1

• How Network/Host, Port List, and Service Objects are Named When Provisioned As ASA/PIX/FWSM Object Groups, page 8-97

Field Reference

Table F-97 Network/Host Dialog Box

Element Description

Name The object name (up to 64 characters). Object names are not case-sensitive. For more information, see Creating Policy Objects, page 8-4.

Description An optional description of the object.

Networks/Hosts The networks or hosts to include in the object. Separate multiple addresses with commas.

You can include host addresses, network addresses (with subnet masks entered after a / character, such as 10.100.10.0/24), a range of addresses (separate the starting and ending address with a hyphen, “-”, and optionally include a subnet mask), or other network/host objects (click Select to select other objects). For more specific information on supported formats, see Specifying IP Addresses During Policy Definition, page 8-68.

You can also create an object with no addresses. For these objects, you must also select Allow Value Override per Device and create overrides for every device that uses the object. For more information about using unspecified addresses, see Using Unspecified Network/Host Objects, page 8-67.

Category The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6.

Allow Value Override per Device

Overrides

Edit button

Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden, page 8-10 and Understanding Policy Object Overrides for Individual Devices, page 8-9.

If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.

PKI Enrollment Dialog Box

Use the PKI Enrollment dialog box to view, create, copy, or edit Public-Key Infrastructure (PKI) enrollment objects. A PKI enrollment object represents an external certification authority (CA) server that responds to certificate requests from devices in the network.


You can create PKI enrollment objects to define the properties of a CA server used when devices exchange certificates as part of an IPsec network. When you create a PKI enrollment object, you define a name for the server and the URL for enrollment. You must specify whether the devices you wish to enroll with this server should retrieve the CA server’s own certificate using the Simple Certificate Enrollment Process (SCEP) or use a certificate that you have entered manually into the device configuration. You must also select the method of support used by the CA server for revocation checking.

Note You do not have to define enrollment parameters in order to create or import a trustpoint in Security Manager.

In addition, you can optionally define the following:

• Whether the CA server is acting as a Registration Authority (RA) server.

• Enrollment parameters, including retry settings and RSA key pair settings.

• Additional attributes to include in the certificate request.

• The list of trusted CA servers located above this server in the PKI hierarchy.

Navigation Path

Select Tools > Policy Object Manager, then select PKI Enrollments from the Object Type Selector. Right-click inside the work area and select New Object or right-click a row and select Edit Object.

Tip You can also open this dialog box from the Remote Access VPN > Public Key Infrastructure policy.

Related Topics

• Creating PKI Enrollment Objects, page 8-69

• Understanding Public Key Infrastructure Policies, page 9-57

• Configuring Public Key Infrastructure Policies, page 10-32 (remote access VPN)

• Prerequisites for Successful PKI Enrollment, page 9-59

• Configuring Public Key Infrastructure Policies, page 9-61 (site-to-site VPN)

• Policy Object Manager Window, page F-1

Field Reference

Table F-98 PKI Enrollment Dialog Box

Element Description

Name The object name, which can be up to 128 characters. Object names are not case-sensitive. For more information, see Creating Policy Objects, page 8-4.

Description An optional description of the object.

CA Information tab Use this tab to enter settings related to the Certificate Authority server, its certificate, and its level of revocation checking support. For information on the specific settings, see PKI Enrollment Dialog Box—CA Information Tab, page F-144.


Table F-98 PKI Enrollment Dialog Box (Continued)

Element Description

Enrollment Parameters tab Use this tab to enter settings related to PKI enrollment. For information on the specific settings, see PKI Enrollment Dialog Box—Enrollment Parameters Tab, page F-148.

Note You do not have to define enrollment parameters in order to create or import a trustpoint in Security Manager.

Certificate Subject Name tab Use this tab to enter optional information to be included in the certificate, including subject attributes. For information on the specific settings, see PKI Enrollment Dialog Box—Certificate Subject Name Tab, page F-150.

Trusted CA Hierarchy tab Use this tab to define trusted CA servers that are arranged in a hierarchical framework. For information on the specific settings, see PKI Enrollment Dialog Box—Trusted CA Hierarchy Tab, page F-151.

Category The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6.

Allow Value Override per Device

Overrides

Edit button

Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden, page 8-10 and Understanding Policy Object Overrides for Individual Devices, page 8-9.

If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.

PKI Enrollment Dialog Box—CA Information Tab

Use the CA Information tab of the PKI Enrollment Dialog Box, page F-142 to:

• Define the name and location of the external certificate authority (CA) server.

• Manually paste the certificate, if known.

• Define the server’s level of support for revocation checking.

Navigation Path

Go to the PKI Enrollment Dialog Box, page F-142 and click the CA Information tab.

Related Topics

• Creating PKI Enrollment Objects, page 8-69

• PKI Enrollment Dialog Box—Enrollment Parameters Tab, page F-148

• PKI Enrollment Dialog Box—Certificate Subject Name Tab, page F-150

• PKI Enrollment Dialog Box—Trusted CA Hierarchy Tab, page F-151


Field Reference

Table F-99 PKI Enrollment Dialog Box—CA Information Tab

Element Description

CA Server Nickname The name used to identify the CA server in the certificate request. If you leave this field blank, the domain name is used. You must leave this field blank for Verisign CAs. Also, keep the following in mind:

• You cannot configure two CA servers with the same name but different URLs on the same device.

• The CA name cannot match the name of a trusted CA configured as part of the same PKI enrollment object (as defined on the PKI Enrollment Dialog Box—Trusted CA Hierarchy Tab, page F-151).

• When the device is configured as part of a VPN, do not configure a device-level override that uses the same CA name as that of the CA server used by any of the peers. (This is not a problem when the device and its peers use a tiered PKI hierarchy.)

Enrollment Type The type of enrollment you want to perform. Security Manager completes the enrollment only if you configure URL enrollment. If you select another type, you must complete the enrollment using your own methods.

• Self-Signed Certificate (ASA only)—To configure the enrollment self command.

• Terminal (ASA only)—To configure the enrollment terminal command.

• URL—To configure the URL for the CA server so that you can complete automatic enrollment.

• None—Do not configure any enrollment command.

Enrollment URL The URL of the CA server to which devices should attempt to enroll. The URL can be in the following formats:

• SCEP—Uses an HTTP URL in the form of http://CA_name:port, where CA_name is the host DNS name or IP address of the CA server. The port number is mandatory.

• TFTP—Uses the format tftp://certserver/file_specification. Use this option when you do not have direct access to the CA server. The TFTP server transfers certificate requests and certificates.

• Other supported formats include: bootflash, cns, flash, ftp, null, nvram, rcp, scp, system.

Note If the CA cgi-bin script location at the CA is not the default (/cgi-bin/pkiclient.exe), you must also include the nonstandard script location in the URL, in the form of http://CA_name:port/script_location, where script_location is the full path to the CA scripts.


Table F-99 PKI Enrollment Dialog Box—CA Information Tab (Continued)

Element Description

CA Certificate Source

Fingerprint

Certificate

(URL enrollment only.)

How to obtain the certificate:

• Retrieve CA Certificate Using SCEP (the default)—Have the router retrieve the certificate from the CA server using the Simple Certificate Enrollment Process (SCEP). Enter the fingerprint for the CA server in hexadecimal format. If the value you enter does not match the fingerprint on the certificate, the certificate is rejected.

Using the fingerprint to verify the authenticity of the CA’s certificate helps prevent an unauthorized party from substituting a fake certificate in place of the real one.

Tip You can obtain the CA’s fingerprint by contacting the server directly, or by entering the following address in a web browser: http://URLHostName/certsrv/mscep/mscep.dll.

• Enter CA Certificate from CA Server Manually—Copy and paste up to three certificates from another device into the Certificate field (using your browser’s Paste function or the Ctrl-V keyboard shortcut). Each certificate must begin with the word “certificate” and end with the word “quit”. Use this option when you want the PKI enrollment object to represent predefined certificates.


Table F-99 PKI Enrollment Dialog Box—CA Information Tab (Continued)

Element Description

Revocation Check Support The type of certificate revocation checking to be performed:

• Checking Not Performed—This is the default. The device does not perform any revocation checking, even if a CRL is on the device.

• CRL Check Required—The device must check a CRL. If no CRL exists on the device and the device cannot obtain one, certificates are rejected and a tunnel cannot be established. This is the default.

• OCSP Check Required—The device must check revocation status from an OCSP server. If this check fails, certificates are rejected.

• CRL Check Attempted—The device tries to download the latest CRL from the specified LDAP server. If the download fails, however, certificates are accepted.

• OCSP Check Attempted—The device tries to check revocation status from an OCSP server. If this fails, however, certificates are accepted.

• CRL or OCSP Check Required—The device first checks for a CRL. If a CRL does not exist or cannot be obtained, the device tries to check revocation status from an OCSP server. If both options fail, certificates are rejected.

• OCSP or CRL Check Required—The device first tries to check revocation status from an OCSP server. If this fails, the device checks for a CRL. If both options fail, certificates are rejected.

• CRL and OCSP Checks Attempted—The device first checks for a CRL. If a CRL does not exist or cannot be obtained, the device tries to check revocation status from an OCSP server. If both options fail, however, certificates are accepted.

• OCSP and CRL Checks Attempted—The device first tries to check revocation status from an OCSP server. If this fails, the device tries to download the latest CRL. If both options fail, however, certificates are accepted.

OCSP Server URL The URL of the OCSP server checking for revocation if you require OCSP checks. This URL must start with http://.

CRL Server URL The URL of the LDAP server from which the CRL can be downloaded if you require CRL checks. This URL must start with ldap://.

Note You must include a port number in the URL when using this AAA server on ASA devices, otherwise LDAP will fail.

Enable Registration Authority Mode (PIX 6.3)

For PIX 6.3 devices, whether the CA server operates in RA (Registration Authority) mode. A Registration Authority is a server that acts as a proxy for the actual CA so that CA operations can continue when the CA server is offline.

Note Cisco IOS routers configure RA mode automatically, if required.
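The nine Revocation Check Support modes above differ in two things: the order in which the CRL and OCSP sources are consulted, and whether a certificate is accepted when no source can be reached (the "Attempted" modes fail open, the "Required" modes fail closed). The following is an added example, not Cisco device code, that encodes the modes that way and exercises them against simulated CRL and OCSP sources; the serial numbers, the outage scenario and the source functions are constructed for the example.

```python
"""Revocation-mode evaluation modelled on the Revocation Check Support modes above.
Added illustration, not Cisco device code. The CRL and OCSP sources are simulated
functions constructed here; a device would fetch the CRL from the CRL Server URL over
LDAP and query the OCSP Server URL."""
from enum import Enum
from typing import Callable, Dict, Tuple


class Status(Enum):
    GOOD = "good"                # source answered: certificate not revoked
    REVOKED = "revoked"          # source answered: certificate revoked
    UNAVAILABLE = "unavailable"  # CRL could not be obtained / OCSP did not answer


Source = Callable[[int], Status]  # certificate serial number -> Status

# UI mode label -> (order in which sources are tried, whether an answer is required).
# Required modes reject when every configured source is unavailable; Attempted modes
# accept in that case, which is the trade-off the page states for each mode.
MODES: Dict[str, Tuple[Tuple[str, ...], bool]] = {
    "Checking Not Performed": ((), False),
    "CRL Check Required": (("crl",), True),
    "OCSP Check Required": (("ocsp",), True),
    "CRL Check Attempted": (("crl",), False),
    "OCSP Check Attempted": (("ocsp",), False),
    "CRL or OCSP Check Required": (("crl", "ocsp"), True),
    "OCSP or CRL Check Required": (("ocsp", "crl"), True),
    "CRL and OCSP Checks Attempted": (("crl", "ocsp"), False),
    "OCSP and CRL Checks Attempted": (("ocsp", "crl"), False),
}


def check_revocation(mode: str, serial: int, crl: Source, ocsp: Source) -> Tuple[bool, str]:
    """Return (accepted, reason) for one certificate under the given mode."""
    order, required = MODES[mode]
    if not order:
        return True, "no revocation checking configured"
    for method in order:
        status = (crl if method == "crl" else ocsp)(serial)
        if status is Status.REVOKED:
            return False, f"{method}: certificate revoked"
        if status is Status.GOOD:
            return True, f"{method}: certificate not revoked"
        # UNAVAILABLE: fall through to the next configured source, if any
    if required:
        return False, "no source could be reached; required check, certificate rejected"
    return True, "no source could be reached; attempted check, certificate accepted"


def crl_source(revoked_serials: set, reachable: bool = True) -> Source:
    """Simulated CRL: a downloaded list of revoked serials, or an unreachable LDAP server."""
    def lookup(serial: int) -> Status:
        if not reachable:
            return Status.UNAVAILABLE
        return Status.REVOKED if serial in revoked_serials else Status.GOOD
    return lookup


def ocsp_source(answers: Dict[int, Status]) -> Source:
    """Simulated OCSP responder: per-serial answers; unknown serials get no answer."""
    return lambda serial: answers.get(serial, Status.UNAVAILABLE)


def audit_modes(serial: int, crl: Source, ocsp: Source) -> Dict[str, bool]:
    """Which of the nine modes would accept this certificate under these conditions."""
    return {mode: check_revocation(mode, serial, crl, ocsp)[0] for mode in MODES}


# Constructed scenario: serial 4097 was revoked and is listed on the CRL, but the LDAP
# server holding the CRL may be down and the OCSP responder has no record of it.
REVOKED_SERIAL = 4097
CRL_DOWN = crl_source({REVOKED_SERIAL}, reachable=False)
CRL_UP = crl_source({REVOKED_SERIAL}, reachable=True)
OCSP_SILENT = ocsp_source({})
```

`audit_modes(REVOKED_SERIAL, CRL_DOWN, OCSP_SILENT)` shows that during the outage every "Attempted" mode, and of course Checking Not Performed, accepts the revoked certificate, while every "Required" mode rejects it.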


PKI Enrollment Dialog Box—Enrollment Parameters Tab

Use the Enrollment Parameters tab of the PKI Enrollment Dialog Box, page F-142 to define the retry settings to use when the device contacts the CA server as well as the settings for generating the RSA key pair to associate with the certificate.

If the PKI enrollment object represents a Microsoft CA, you can define the challenge password required to validate the router’s identity.

Note You do not have to define enrollment parameters in order to create or import a trustpoint in Security Manager.

Navigation Path

Go to the PKI Enrollment Dialog Box, page F-142 and click the Enrollment Parameters tab.

Related Topics

• Creating PKI Enrollment Objects, page 8-69

• PKI Enrollment Dialog Box—CA Information Tab, page F-144

• PKI Enrollment Dialog Box—Certificate Subject Name Tab, page F-150

• PKI Enrollment Dialog Box—Trusted CA Hierarchy Tab, page F-151

Field Reference

Table F-100 PKI Enrollment Dialog Box—Enrollment Parameters Tab

Element Description

Challenge Password The password used by the CA server to validate the identity of the device. This password is mandatory for PIX 6.3 devices, but optional for PIX/ASA 7.0+ devices and Cisco IOS routers.

You can obtain the password by contacting the CA server directly or by entering the following address in a web browser: http://URLHostName/certsrv/mscep/mscep.dll. The password is good for 60 minutes from the time you obtain it from the CA server. Therefore, it is important that you deploy the password as soon as possible after you create it.

Note Each password is valid for a single enrollment by a single device. Therefore, we do not recommend that you assign a PKI enrollment object where this field is defined to a VPN, unless you first configure a device-level override for each device in the VPN. For more information, see Understanding Policy Object Overrides for Individual Devices, page 8-9.

Retry Period The interval between certificate request attempts, in minutes. Values can be 1 to 60 minutes. The default is 1 minute.

Retry Count The number of retries that should be made if no certificate is issued upon the first request. Values can be 1 to 100. The default is 10.


Table F-100 PKI Enrollment Dialog Box—Enrollment Parameters Tab (Continued)

Element Description

Certificate Auto-Enrollment

(IOS devices only.)

The percentage of the current certificate’s lifetime after which the router requests a new certificate. For example, if you enter 70, the router requests a new certificate after 70% of the lifetime of the current certificate has been reached. Values range from 10% to 100%.

If you do not specify a value, the router requests a new certificate after the old certificate expires.

Include Device’s Serial Number

Whether to include the serial number of the device in the certificate.

Tip The CA uses the serial number to either authenticate certificates or to later associate a certificate with a particular device. If you are in doubt, include the serial number, as it is useful for debugging purposes.

RSA Key Pair Name

(PIX 7.0+, ASA, IOS devices only.)

If the key pair you want to associate with the certificate already exists, this field specifies the name of that key pair.

If the key pair does not exist, this field specifies the name to assign to the key pair that will be generated during enrollment.

Note If you do not specify an RSA key pair, the fully qualified domain name (FQDN) key pair is used instead. On PIX and ASA devices, the key pair must exist on the device before deployment.

RSA Key Size

(IOS devices only.)

If the key pair does not exist, defines the desired key size (modulus), in bits. If you want a modulus between 512 and 1024, enter an integer that is a multiple of 64. If you want a value higher than 1024, enter 1536 or 2048. The recommended size is 1024.

Note The larger the modulus size, the more secure the key. However, keys with larger modulus sizes take longer to generate (a minute or more when larger than 512 bits) and longer to process when exchanged.

RSA Encryption Key Size

(IOS devices only.)

The size of the second key, which is used when requesting separate encryption and signature keys and certificates.

Source Interface

(IOS devices only.)

The source address for all outgoing connections sent to a CA or LDAP server during authentication, enrollment, and when obtaining a revocation list. This parameter may be necessary when the CA server or LDAP server cannot respond to the address from which the connection originated (for example, due to a firewall).

If you do not define a value in this field, the address of the outgoing interface is used.

Enter the name of an interface or interface role, or click Select to select it. If the object that you want is not listed, click the Create button to create it.


PKI Enrollment Dialog Box—Certificate Subject Name Tab

Use the Certificate Subject Name tab of the PKI Enrollment Dialog Box, page F-142 to optionally define additional information about the device in certificate requests sent to the CA server. This information is placed in the certificate and can be viewed by any party who receives the certificate from the router.

Enter all information using the standard LDAP X.500 format.

Navigation Path

Go to the PKI Enrollment Dialog Box, page F-142 and click the Certificate Subject Name tab.

Related Topics

• Creating PKI Enrollment Objects, page 8-69

• PKI Enrollment Dialog Box—CA Information Tab, page F-144

• PKI Enrollment Dialog Box—Enrollment Parameters Tab, page F-148

• PKI Enrollment Dialog Box—Trusted CA Hierarchy Tab, page F-151

Field Reference

Table F-101 PKI Enrollment Dialog Box—Certificate Subject Name Tab

Element Description

Include Device’s FQDN Whether to include the device’s fully qualified domain name (FQDN) in the certificate request.

Include Device’s IP Address The interface whose IP address is included in the certificate request.

Enter the name of the interface or interface role, or click Select to select it. If the object that you want is not listed, click the Create button to create it.

Common Name (CN) The X.500 common name to include in the certificate.

Organization Unit (OU) The name of the organization unit (for example, a department name) to include in the certificate.

Note When you configure PKI server objects for Cisco EzVPN Remote components, this field must contain the name of the client group to which the component connects. Otherwise, the component will not be able to connect. Although this information is not required for the EzVPN Server, including it does not create configuration problems. For more information about EzVPN, see Understanding Easy VPN, page 9-71.

Organization (O) The organization or company name to include in the certificate.

Locality (L) The locality to include in the certificate.

State (ST) The state or province to include in the certificate.

Country (C) The country to include in the certificate.

Email (E) The email address to include in the certificate.


PKI Enrollment Dialog Box—Trusted CA Hierarchy Tab

Use the Trusted CA Hierarchy tab of the PKI Enrollment Dialog Box, page F-142 to define the trusted CA servers within a hierarchical PKI framework. Within this framework, all enrolled peers can validate each other’s certificates if they share a trusted root CA certificate or a common subordinate CA.

Select the CA servers (as defined as PKI enrollment objects) to include in the hierarchy in the Available Servers list and click >> to move them to the selected list. You can do the reverse to remove servers.

If the PKI enrollment object you need is not yet defined, click the Create (+) button beneath the available servers list to create the object. You can also select an object and click the Edit button to change its definition, if needed.

Navigation Path

Go to the PKI Enrollment Dialog Box, page F-142 and click the Trusted CA Hierarchy tab.

Related Topics

• Creating PKI Enrollment Objects, page 8-69

• PKI Enrollment Dialog Box—CA Information Tab, page F-144

• PKI Enrollment Dialog Box—Enrollment Parameters Tab, page F-148

• PKI Enrollment Dialog Box—Certificate Subject Name Tab, page F-150

Add or Edit Port Forwarding List Dialog Boxes

Use the Port Forwarding List dialog box to create, copy, and edit port forwarding list policy objects. You can create port forwarding list objects to use when you are configuring the thin client access mode for SSL VPN.

Port forwarding allows users to access applications (such as Telnet, e-mail, VNC, SSH, and Terminal services) inside the enterprise through an SSL VPN session. When port forwarding is enabled, the hosts file on the SSL VPN client is modified to map the application to the port number configured in the forwarding list. A port forwarding list object defines the mappings of port numbers on the remote client to the application’s IP address and port behind the SSL VPN gateway.

Navigation Path

Select Tools > Policy Object Manager, then select Port Forwarding List from the Object Type Selector. Right-click inside the work area and select New Object or right-click a row and select Edit Object.

Related Topics

• Creating Port Forwarding List Objects, page 8-71

• Policy Object Manager Window, page F-1


Field Reference

Table F-102 Port Forwarding List Dialog Box

Element Description

Name The object name, which can be up to 128 characters. Object names are not case-sensitive. For more information, see Creating Policy Objects, page 8-4.

Description An optional description of the object.

Port Forwarding List table The port forwarding entries that are defined in the object. The entries show the mapping of the local port to the remote server and port.

• To add a mapping, click the Add Row button to open the Add or Edit A Port Forwarding Entry Dialog Box, page F-152.

• To edit a mapping, select it and click the Edit Row button.

• To delete a mapping, select it and click the Delete Row button.

Include Port Forwarding Lists

The names of other port forwarding list objects to include in the object. Enter the name of the object or click Select to select it from a list or to create a new object. Separate multiple entries with commas.

When you add other port forwarding lists, the entries from those lists are treated as if they were directly entered into this object, and the names of the included objects are not reflected in the device configuration commands during deployment.

Category The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6.

Allow Value Override per Device

Overrides

Edit button

Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden, page 8-10 and Understanding Policy Object Overrides for Individual Devices, page 8-9.

If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.

Add or Edit A Port Forwarding Entry Dialog Box

Use the Add or Edit A Port Forwarding Entry dialog boxes to create a new port forwarding list entry or edit an existing one.

Navigation Path

Go to the Add or Edit Port Forwarding List Dialog Boxes, page F-151 and click the Add Row button, or select an entry and click the Edit Row button, beneath the Port Forwarding List table.

Field Reference

Table F-103 Add or Edit A Port Forwarding Entry Dialog Box

Element Description

Local TCP Port The port number to which the local application is mapped (between 1 and 65535).

F-152User Guide for Cisco Security Manager 3.3

OL-19983-01

Page 153: €¦ · F-1 User Guide for Cisco Security Manager 3.3 OL-19983-01 APPENDIX F Policy Object Manager User Interface Reference The Policy Object Manager is used to create and glob ally

Appendix F Policy Object Manager User Interface ReferencePolicy Object Add or Edit Dialog Boxes

Add or Edit Port List Dialog BoxUse the Port List dialog box to create, edit, or copy a port list object. Each port list object can contain one or more ports or port ranges (for example, 1-1000 and 2000-2500). Additionally, a port list object can include other port list objects.

You typically use port list objects when defining services, but you can also use them in various policies to identify a port rather than typing in the port number. For more information about using port lists in service definitions, see Understanding and Specifying Services and Service and Port List Objects, page 8-75.

Tip The predefined Default Range port list object includes either all ports (1-65535) or all secure ports (1024-65535), depending on the setting you select in the Security Manager Administration window (select Tools > Security Manager Administration > Policy Objects and see Policy Objects Page, page A-35).

Navigation Path

Select Tools > Policy Object Manager, then select Services > Port Lists from the Object Type Selector. Right-click inside the work area and select New Object or right-click a row and select Edit Object.

Related Topics

• Policy Object Manager Window, page F-1

• Add and Edit Service Dialog Boxes, page F-154

Field Reference

Remote Server

IP Address

Name

The IP address or fully qualified domain name of the remote server. Select the type of entry and enter the IP address or name.

For the IP address, you can enter the name of a network/host object that specifies the remote server’s IP address, or click Select to select it from a list or to create a new object.

Remote TCP Port The port number of the application for which port forwarding is configured (between 1 and 65535).

Description A description of the port forwarding entry. This information is mandatory on Cisco IOS devices.

Table F-103 Add or Edit A Port Forwarding Entry Dialog Box (Continued)

Element Description

Table F-104 Port List Dialog Box

Element Description

Name The object name, which can be up to 128 characters. Object names are not case-sensitive. For more information, see Creating Policy Objects, page 8-4.

Description An optional description of the object.


Ports The ports or ranges included in the port list object, for example, 443, or 1-1000. You can define a single port, a range of ports, multiple port ranges, or any combination of single ports and ranges. Separate multiple entries with commas. Port values range from 1 to 65535.

You can use the following operators to identify ranges:

• gt—Greater than. For example, gt 1000.

• lt—Less than. For example, lt 1000.

• eq—Equals. For example, eq 1000. However, eq 1000 has the same meaning as simply entering 1000.

• neq—Does not equal. For example, neq 1000.

If you use this operator, you can include only the neq value in the Ports field. However, you can include port ranges in the object. Thus, if you want to create an object that specifies all ports from 1000-1200 except for 1150, create a port list object for the 1000-1200 range, and another object that specifies neq 1150 and that includes the other port list object.

Port Lists The other port list objects included in the object, if any. Enter the name of the port lists or click Select to select them from a list or to create new objects. Separate multiple entries with commas.

Category The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6.

Allow Value Override per Device

Overrides

Edit button

Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden, page 8-10 and Understanding Policy Object Overrides for Individual Devices, page 8-9.

If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.

Add and Edit Service Dialog Boxes

Use the Add and Edit Service dialog boxes to create or edit service objects. You can create service objects to describe a type of traffic carried by the devices in your network. When creating a service object, you must select the protocol used by the service.

Security Manager has many predefined service objects. Before creating an object, see if an existing object fits your needs. Although you can duplicate a predefined object, you cannot edit it.

Navigation Path

Select Tools > Policy Object Manager, then select Services > Services from the Object Type Selector. Right-click inside the work area and select New Object or right-click a row and select Edit Object.

Related Topics

• Understanding and Specifying Services and Service and Port List Objects, page 8-75

• Policy Object Manager Window, page F-1

Field Reference

Table F-105 Add and Edit Service Dialog Boxes

Element Description

Name The object name. If you are using the object for ASA or PIX devices running software version 8.x, limit the length of the name to 64 characters. For other devices the name can be up to 128 characters.

Object names are not case-sensitive. For more information, see Creating Policy Objects, page 8-4.

Description An optional description of the object.

Services The services to include in this object. You can enter more than one service by separating services with commas. You can specify services using the following formats. As you type, Security Manager might prompt you with text-completion options related to your entry. If you enter a service that translates directly to a predefined service object, the entry is converted to the predefined object name; for example, TCP / 80 is converted to HTTP.

• protocol, where the protocol is 1-255 or a well-known protocol name such as tcp, udp, gre, icmp, and so forth. If you enter a number, Security Manager might convert it to the associated name.

• icmp/message_type, where the message type is 1-255 or a well-known message type name such as echo.

• {tcp | udp | tcp&udp}/{destination_port_number | port_list_object}, where the destination port number is 1-65535 or the name of a port list object. You can enter a range of ports using a hyphen, for example, 10-20. The source port number is the Default Range port list object (which is 1-65535).

• {tcp | udp | tcp&udp}/{source_port_number | port_list_object}/{destination_port_number | port_list_object}, where the source and destination port numbers are 1-65535 or the name of a port list object. You can enter a range of ports using a hyphen, for example, 10-20.

• service_object_name, which is the name of another existing service object. Specifying other objects lets you nest object definitions. Click Select to select a service object or to create a new object.

Category The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6.

Allow Value Override per Device

Overrides

Edit button

Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden, page 8-10 and Understanding Policy Object Overrides for Individual Devices, page 8-9.

If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.
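The Ports syntax of Table F-104 (including the neq recipe of one object that excludes a port and includes the range object) and the Services syntax of Table F-105 can be exercised with the resolver below. It is an added example, not Security Manager code; the object names, the dict layout, and the reading of a neq entry with no included lists as "every port except the excluded one" are assumptions.

```python
"""Port list and service syntax resolver (added example, not Security Manager
code). Models the Ports field of Table F-104 (ports, ranges, gt/lt/eq/neq,
included port lists) and the Services field of Table F-105 (protocol,
icmp/type, tcp|udp|tcp&udp with destination or source/destination ports,
nested service objects). Sample objects are constructed."""
import re

PORT_MAX = 65535

def _port(tok):
    n = int(tok)
    if not 1 <= n <= PORT_MAX:
        raise ValueError(f"port {n} outside 1-{PORT_MAX}")
    return n

def _split(field):
    return [e.strip() for e in field.split(",") if e.strip()]

def _range_or_port(tok):
    """'443' -> {443}; '1-1000' -> {1, ..., 1000}."""
    m = re.fullmatch(r"(\d+)-(\d+)", tok)
    if not m:
        return {_port(tok)}
    lo, hi = _port(m.group(1)), _port(m.group(2))
    if lo > hi:
        raise ValueError(f"bad range {tok}")
    return set(range(lo, hi + 1))

def resolve_port_list(name, port_lists, _chain=()):
    """Ports covered by port list object `name`, with includes flattened as if
    typed into it. A neq entry must be the only Ports entry and is applied to
    the union of the includes (assumption: no includes = all ports but one)."""
    if name in _chain:
        raise ValueError("circular include: " + " -> ".join(_chain + (name,)))
    obj = port_lists[name]
    entries = _split(obj.get("ports", ""))
    ports, excluded = set(), None
    for entry in entries:
        m = re.fullmatch(r"(gt|lt|eq|neq)\s+(\d+)", entry)
        if not m:
            ports |= _range_or_port(entry)
        elif m.group(1) == "gt":
            ports.update(range(_port(m.group(2)) + 1, PORT_MAX + 1))
        elif m.group(1) == "lt":
            ports.update(range(1, _port(m.group(2))))
        elif m.group(1) == "eq":
            ports.add(_port(m.group(2)))
        elif len(entries) != 1:
            raise ValueError("neq must be the only value in Ports")
        else:
            excluded = _port(m.group(2))
    for inc in _split(obj.get("port_lists", "")):
        ports |= resolve_port_list(inc, port_lists, _chain + (name,))
    if excluded is not None:
        ports = (ports or set(range(1, PORT_MAX + 1))) - {excluded}
    return ports

def resolve_service(field, port_lists, services, _chain=()):
    """Expand a Services field into (protocol, src, dst) tuples: port frozensets
    for tcp/udp (source defaults to Default Range), the icmp type string, or
    None. tcp&udp gives one tuple per protocol; service names expand."""
    def ports(tok):
        if tok in port_lists:
            return frozenset(resolve_port_list(tok, port_lists))
        return frozenset(_range_or_port(tok))
    out = set()
    for spec in _split(field):
        if spec in services:
            if spec in _chain:
                raise ValueError(f"circular service reference: {spec}")
            out |= resolve_service(services[spec], port_lists, services, _chain + (spec,))
            continue
        parts = [p.strip() for p in spec.split("/")]
        proto = parts[0].lower()
        if proto in ("tcp", "udp", "tcp&udp") and len(parts) in (2, 3):
            src = ports(parts[1] if len(parts) == 3 else "Default Range")
            out.update((p, src, ports(parts[-1])) for p in proto.split("&"))
        elif proto == "icmp" and len(parts) == 2:
            out.add(("icmp", None, parts[1]))  # message type number or name
        elif len(parts) == 1 and (not proto.isdigit() or 1 <= int(proto) <= 255):
            out.add((proto, None, None))       # bare protocol name or number
        else:
            raise ValueError(f"cannot parse service entry {spec!r}")
    return out

# Constructed sample objects; APP-RANGE-NOT-1150 follows the Table F-104
# recipe for "all ports 1000-1200 except 1150".
PORT_LISTS = {
    "Default Range": {"ports": "1-65535"},
    "APP-RANGE": {"ports": "1000-1200"},
    "APP-RANGE-NOT-1150": {"ports": "neq 1150", "port_lists": "APP-RANGE"},
    "HIGH-PORTS": {"ports": "gt 1023"},
}
SERVICES = {
    "HTTP": "tcp/80",
    "WEB": "HTTP, tcp/443",
    "APP": "tcp&udp/HIGH-PORTS/APP-RANGE-NOT-1150, icmp/echo, gre",
}
```

Resolving an object before deployment shows the effective port set a nested definition actually grants, which is easy to misjudge when includes and neq are combined.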


Add or Edit Single Sign On Server Dialog Boxes

Use the Add or Edit Single Sign On Server dialog box to create, copy, and edit single sign on (SSO) server objects for use with SSL VPNs (as configured in ASA user group objects).

Single sign-on lets users access different secure services on different servers without entering a username and password more than once. In the authentication, the security appliance acts as a proxy for the SSL VPN user to the SSO server. You can configure this object to identify either a Computer Associates SiteMinder SSO server or a Security Assertion Markup Language (SAML) Browser Post Profile version 1.1 server. For more information, see Configuring Single Sign-On Server Objects, page 8-77.

The SSO mechanism starts as part of the AAA process or just after successful user authentication to an AAA server. The SSL VPN server running on the security appliance acts as a proxy for the user to the authenticating server. When a user logs in, the SSL VPN server sends an SSO authentication request, including username and password, to the authenticating server. If the server approves the authentication request, it returns an SSO authentication cookie to the SSL VPN server. The security appliance keeps this cookie on behalf of the user and uses it to authenticate the user to secure web sites within the domain protected by the SSO server.

If you want to configure SSO for an SSL VPN group, you must also configure a AAA server, such as a RADIUS or LDAP server.

Note The SAML Browser Artifact profile method of exchanging assertions is not supported.

Navigation Path

Select Single Sign On Servers in the Policy Object Manager Window, page F-1. Right-click inside the work area and select New Object or right-click a row and select Edit Object.

You can also create the object when configuring an ASA user group object for SSL VPN (see ASA Group Policies Dialog Box, page F-25).

Related Topics

• Configuring Single Sign-On Server Objects, page 8-77

Field Reference

Table F-106 Add or Edit Single Sign-On Server Dialog Box

Element Description

Name The object name, which must be 4 to 31 characters. Object names are not case-sensitive. For more information, see Creating Policy Objects, page 8-4.

Description An optional description of the object.

Authentication Type The type of SSO server to use with clientless SSL VPN connections. The other attributes on the page change based on your selection.

• SiteMinder—Computer Associates SiteMinder SSO server.

• SAML POST—Security Assertion Markup Language (SAML) Browser Post Profile server.


URL

(SiteMinder only.)

The URL of the SiteMinder SSO server to which the security appliance makes authentication requests. Select whether to use HTTP or HTTPS and enter the URL.

Tip For HTTPS communication, make sure that the SSL encryption settings match on both the security appliance and the SiteMinder server. On the security appliance, you can verify this with the ssl encryption command.

Secret Key

Confirm

(SiteMinder only.)

The key used to encrypt authentication communications with the SiteMinder server, if any. The key can contain any alphanumeric characters. There is no minimum or maximum number of characters. Enter the same key in both fields.

Tip If you enter a secret key, you must configure the same key in the SiteMinder server using the Cisco Java plug-in authentication scheme.

Assertion URL

(SAML POST only.)

The URL for the SAML-type SSO assertion consumer service. Select whether to use HTTP or HTTPS and enter the URL, which must be fewer than 255 characters.

Assertion Issuer

(SAML POST only.)

The name of the security device that is sending assertions to a SAML-type SSO server. This is usually the name of the security appliance, for example, asa.example.com. The name must be fewer than 65 characters.

Trustpoint

(SAML POST only.)

The name of the PKI enrollment policy object that identifies the certificate authority (CA) server that acts as the trustpoint that contains the certificate to use to sign the SAML-type browser assertion. Enter the name or click Select to select it from a list or to create a new object.

Max Retries The number of times the security appliance retries a failed SSO authentication attempt before the authentication times out. The range is 1 to 5 retries, and the default is 3 retries.

Request Timeout The number of seconds before a failed SSO authentication attempt times out. The range is 1 to 30 seconds, and the default is 5 seconds.

Category The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6.

Allow Value Override per Device

Overrides

Edit button

Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden, page 8-10 and Understanding Policy Object Overrides for Individual Devices, page 8-9.

If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.


Add or Edit SLA Monitor Dialog Box

Use the Add or Edit SLA (Service Level Agreement) Monitor dialog box to create, edit, and copy SLA monitor objects. Each SLA monitor defines a connectivity policy to a monitored address and tracks the availability of a route to the address. The route is periodically checked for availability by sending ICMP echo requests and waiting for the response. If the requests time out, the route is removed from the routing table and replaced with a backup route.

You can configure SLA monitors only for security appliances running PIX/ASA version 7.2 or higher. SLA monitoring jobs start immediately after deployment and continue to run unless you remove the SLA monitor from the device configuration (that is, they do not age out).

For more information about configuring and using SLA monitor objects, see Monitoring Service Level Agreements (SLAs) To Maintain Connectivity, page 8-77.

Navigation Path

Select Tools > Policy Object Manager, then select SLA Monitors from the Object Type Selector. Right-click inside the work area and select New Object or right-click a row and select Edit Object.

Related Topics

• Monitoring Service Level Agreements (SLAs) To Maintain Connectivity, page 8-77

• Policy Object Manager Window, page F-1

Field Reference

Table F-107 SLA Monitor Dialog Box

Element Description

Name The object name, which can be up to 128 characters. Object names are not case-sensitive. For more information, see Creating Policy Objects, page 8-4.

Description An optional description of the object.

SLA Monitor ID The ID number of the SLA operation. Values range from 1 to 2147483647. You can create a maximum of 2000 SLA operations on a device. Each ID number must be unique to the policy and the device configuration.

Monitored Address The IP address that is being monitored for availability by the SLA operation. For recommendations on selecting an address to monitor, see Monitoring Service Level Agreements (SLAs) To Maintain Connectivity, page 8-77.

Interface The source interface for all ICMP echo requests sent to the monitored address to test its availability. Enter the name of an interface or interface role, or click Select to select it from a list or to create a new interface role.

Frequency The frequency of ICMP echo request transmissions, in seconds. Values range from 1 to 604800 seconds (7 days). The default is 60 seconds.

Note The frequency cannot be less than the timeout value; you must convert frequency to milliseconds to compare the values.


Threshold The amount of time that must pass after an ICMP echo request before a rising threshold is declared, in milliseconds. Values range from 0 to 2147483647 milliseconds. The default is 5000 milliseconds.

The threshold value is used only to indicate events that exceed the defined value. You can use these events to evaluate the proper timeout value. It is not a direct indicator of the reachability of the monitored address.

Note The threshold value should not exceed the timeout value.

Timeout The amount of time that the SLA operation waits for a response to the ICMP echo requests, in milliseconds. Values range from 0 to 604800000 milliseconds (7 days). The default is 5000 milliseconds.

If a response is not received from the monitored address within the amount of time defined in this field, the static route is removed from the routing table and replaced by the backup route.

Note The timeout value cannot exceed the frequency value (adjust the frequency value to milliseconds to compare the numbers).

Request Data Size The size of the ICMP request packet payload, in bytes. Values range from 0 to 16384 bytes. The default is 28 bytes, which creates a total ICMP packet of 64 bytes. Do not set this value higher than the maximum allowed by the protocol or the Path Maximum Transmission Unit (PMTU).

For purposes of reachability, you might need to increase the default data size to detect PMTU changes between the source and the target. A low PMTU can affect session performance and, if detected, might indicate that the secondary path should be used.

ToS The type of service (ToS) defined in the IP header of the ICMP request packet. Values range from 0 to 255. The default is 0.

This field contains information such as delay, precedence, reliability, and so on. It can be used by other devices on the network for policy routing and features such as committed access rate.

Number of Packets The number of packets that are sent. Values range from 1 to 100. The default is 1 packet.

Tip Increase the default number of packets if you are concerned that packet loss might falsely cause the security appliance to believe that the monitored address cannot be reached.

Category The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6.

Add or Edit Bookmarks Dialog Boxes

Use the Add and Edit Bookmarks dialog boxes to configure browser-based clientless SSL VPN bookmarks (URL lists) for an SSL VPN Bookmark object. From this dialog box, you can change the order of the bookmark entries within the table, and create, copy, edit, and delete SSL VPN Bookmark objects.


An SSL VPN Bookmark object defines the URLs that are displayed on the portal page after a successful login.

Navigation Path

Select Tools > Policy Object Manager, then select SSL VPN Bookmarks from the Object Type Selector. Right-click inside the work area, then select New Object or right-click a row, then select Edit Object.

Related Topics

• Configuring SSL VPN Bookmark Lists for ASA and IOS Devices, page 8-84

• Using the Post URL Method and Macro Substitutions in SSL VPN Bookmarks, page 8-86

• Localizing SSL VPN Web Pages for ASA Devices, page 8-82

Field Reference

Table F-108 Add and Edit Bookmarks Dialog Boxes

Element Description

Name The object name, which can be up to 128 characters. Object names are not case-sensitive. For more information, see Creating Policy Objects, page 8-4.

Description An optional description of the object.

Bookmarks Heading (IOS)

(IOS devices only)

The heading that is displayed above the URLs listed on the portal page of an SSL VPN hosted on an IOS device.

Bookmarks The list of bookmark entries for the object.

• To change the order of an entry, select it and click the Move Up or Move Down arrow buttons. The order of entries in the table defines the order in which the bookmarks are presented to the user.

• To add an entry, click the Add button and fill in the Add Bookmark Entry dialog box (see Add and Edit Bookmark Entry Dialog Boxes, page F-161).

• To edit an entry, select it and click the Edit button.

• To delete an entry, select it and click the Delete button.

Category The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6.

Allow Value Override per Device

Overrides

Edit button

Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden, page 8-10 and Understanding Policy Object Overrides for Individual Devices, page 8-9.

If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.


Add and Edit Bookmark Entry Dialog Boxes

Use the Add and Edit Bookmark Entry dialog boxes to create or edit a bookmark to be included in an SSL VPN Bookmark object.

You can use non-English, non-ASCII languages for the text to display for bookmarks if you are configuring the object for use on an ASA device. For more information about how you can configure the SSL VPN portal in local languages, see Localizing SSL VPN Web Pages for ASA Devices, page 8-82.

Navigation Path

In the Policy Object Manager, from the Add or Edit Bookmarks Dialog Boxes, right-click inside the Bookmarks table, then select Add Row or right-click a row, then select Edit Row.

Related Topics

• Configuring SSL VPN Bookmark Lists for ASA and IOS Devices, page 8-84

• Using the Post URL Method and Macro Substitutions in SSL VPN Bookmarks, page 8-86

Field Reference

Table F-109 Add and Edit Bookmark Entry Dialog Boxes

Element Description

Bookmark Option Select whether you want to define a new SSL VPN Bookmark entry or use the entries from an existing object:

• Enter Bookmark—You want to define a bookmark entry.

• Include Existing Bookmarks—You want to include bookmark entries defined in an existing SSL VPN Bookmark object. Enter the name of the object or click Select to select it from a list or to create a new object.

Title The text label that the user sees for the bookmark.

URL The Universal Resource Locator address for the bookmark. Select the protocol for the bookmark and enter the rest of the URL in the edit box.

Advanced Group

The settings in the Advanced group are applicable only to SSL VPN portals hosted on ASA devices running software version 8.x. Do not configure these settings for SSL VPN Bookmark objects that you will use on other devices.

Subtitle An additional user-visible title that describes the bookmark entry.

Thumbnail The File object that represents an icon you want to associate with the bookmark on the Portal. Enter the name of the File object or click Select to select it from a list or to create a new object.

Authentication Access Whether to display the thumbnail only on the Portal page. If you deselect this option, the thumbnail is also displayed on the Logon page.

Enable Favorite URL Option Whether to display the bookmark entry on the portal home page. Deselect the check box if you want the bookmark entry to appear on the application page only.

Enable Smart Tunnel Option Whether to open the bookmark in a new window that uses the smart tunnel functionality to pass data to and from the security appliance.


URL Method Select the required URL method from the list:

• Get—Select this option if you want simple data retrieval.

• Post—Select this option when processing the data might involve changes to it, for example, storing or updating data, ordering a product, or sending e-mail. If you select this option, you must configure the Post parameters in the Post Parameters table.

Post Parameters The list of the names and values of the Post parameters for the bookmark entry.

• To add a parameter, click the Add button and fill in the Add Post Parameter dialog box (see Add and Edit Post Parameter Dialog Boxes, page F-162).

• To edit a parameter, select it and click the Edit button.

• To delete a parameter, select it and click the Delete button.

Add and Edit Post Parameter Dialog Boxes

Use the Add and Edit Post Parameter dialog boxes to create a new Post parameter entry or edit an existing one in the table. For a detailed discussion of Post parameters, see Using the Post URL Method and Macro Substitutions in SSL VPN Bookmarks, page 8-86.

Navigation Path

In the Policy Object Manager, from the Add and Edit Bookmark Entry Dialog Boxes, right-click inside the Post Parameters table, then select Add Row or right-click a row, then select Edit Row.

Related Topics

• Configuring SSL VPN Bookmark Lists for ASA and IOS Devices, page 8-84

• Using the Post URL Method and Macro Substitutions in SSL VPN Bookmarks, page 8-86

Field Reference

Table F-110 Add and Edit Post Parameter Dialog Boxes

Element Description

Name The name of the post parameter exactly as defined in the corresponding HTML form. For example, param_name in <input name="param_name" value="param_value">.

Value The value of the post parameter exactly as defined in the corresponding HTML form. For example, param_value in <input name="param_name" value="param_value">.
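Because Table F-110 requires each Post parameter's name and value to match the target form's <input> elements exactly, the added example below (not Security Manager code) reads them out of saved form HTML instead of retyping them; the sample login page, its form action, and the helper names are constructed.

```python
"""Extract Post parameter names and values from a saved HTML form (added
example, not Security Manager code). The form action and sample page are
constructed for illustration."""
from html.parser import HTMLParser

class FormInputCollector(HTMLParser):
    """Record every <form> and the named <input> controls inside it."""
    def __init__(self):
        super().__init__()
        self.forms = []      # dicts with action, method and inputs
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"action": a.get("action") or "",
                          "method": (a.get("method") or "get").lower(),
                          "inputs": []}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None and a.get("name"):
            self._form["inputs"].append({"name": a["name"],
                                         "value": a.get("value") or "",
                                         "type": (a.get("type") or "text").lower()})

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None

def post_parameters(html, action_contains=""):
    """Return (method, [(name, value), ...]) for the first form whose action
    contains `action_contains`. Values are copied verbatim from the form; text
    and password controls usually come back empty and need a value from the
    administrator before the bookmark will log the user in."""
    parser = FormInputCollector()
    parser.feed(html)
    for form in parser.forms:
        if action_contains in form["action"]:
            return form["method"], [(i["name"], i["value"]) for i in form["inputs"]]
    raise ValueError(f"no form with action containing {action_contains!r}")

# Constructed sample: a search form plus a login form with hidden fields.
SAMPLE_LOGIN_PAGE = """
<html><body>
<form action="/search" method="get"><input name="q" value=""></form>
<form id="login" action="/auth/login" method="post">
  <input type="hidden" name="csrf_token" value="a1b2c3">
  <input type="hidden" name="lang" value="en">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" name="submit" value="Sign in">
</form>
</body></html>
"""

if __name__ == "__main__":
    method, params = post_parameters(SAMPLE_LOGIN_PAGE, "/auth/login")
    print(method)
    for name, value in params:
        print(f"{name} = {value!r}")
```

Check that the returned method is post before choosing the Post URL Method for the bookmark; a form submitted with GET gets the Get option instead.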


Add and Edit SSL VPN Customization Dialog Boxes

Use the Add and Edit SSL VPN Customization dialog boxes to create, copy, and edit SSL VPN Customization objects. An SSL VPN Customization policy object describes how to customize web pages for a browser-based clientless SSL VPN hosted on an ASA 8.x device. For more information, see Configuring ASA Portal Appearance Using SSL VPN Customization Objects, page 8-79.

You can use non-English, non-ASCII languages for the text to display on these pages. For more information about how you can configure the SSL VPN portal in local languages, see Localizing SSL VPN Web Pages for ASA Devices, page 8-82.

Navigation Path

Select Tools > Policy Object Manager, then select SSL VPN Customization from the Object Type Selector. Right-click inside the work area, then select New Object or right-click a row, then select Edit Object.

Related Topics

• Configuring ASA Portal Appearance Using SSL VPN Customization Objects, page 8-79

• Localizing SSL VPN Web Pages for ASA Devices, page 8-82

• Creating Your Own SSL VPN Logon Page for ASA Devices, page 8-83

Field Reference

Table F-111 Add and Edit SSL VPN Customization Dialog Boxes

Element Description

Name The object name, which can be up to 128 characters. Object names are not case-sensitive. For more information, see Creating Policy Objects, page 8-4.

Description An optional description of the object.

Settings Pane

The body of the dialog box is a pane with a table of contents on the left and settings related to the item selected in the table of contents on the right. Before configuring settings, click the Preview button to see the default settings to help you determine what, if anything, you want to change.

The top folders in the table of contents represent the SSL VPN web pages that you can customize, and are explained next.


Logon Page The Logon web page is the one users see first when connecting to the SSL VPN portal. It is used for logging into the VPN. Select the following items in the Logon Page folder in the table of contents to view and change the settings:

• Logon Page—The Browser Window Title field defines the title of the web page, which is displayed in the browser’s title bar.

• Title Panel—The title displayed in the web page itself. For more information about the settings, see SSL VPN Customization Dialog Box—Title Panel, page F-165.

• Language—The languages you will support for the Logon, Portal, and Logout pages. For more information about the settings, see SSL VPN Customization Dialog Box—Language, page F-166.

• Logon Form—The labels and colors used in the form that accepts user logon information. For more information about the settings, see SSL VPN Customization Dialog Box—Logon Form, page F-168.

• Informational Panel—An extra informational panel for conveying information to users. For more information about the settings, see SSL VPN Customization Dialog Box—Informational Panel, page F-169.

• Copyright Panel—The copyright information on the logon page. For more information about the settings, see SSL VPN Customization Dialog Box—Copyright Panel, page F-170.

• Full Customization—If you do not want to use the security appliance’s built-in logon page, even customized, you can instead enable full customization and supply your own web page. For more information about creating a custom Logon page and the settings, see Creating Your Own SSL VPN Logon Page for ASA Devices, page 8-83 and SSL VPN Customization Dialog Box—Full Customization, page F-170.


Portal Page The Portal web page is the one users see after logging into the SSL VPN; it is the home page. Select the following items in the Portal Page folder in the table of contents to view and change the settings:

• Portal Page—The Browser Window Title field defines the title of the web page, which is displayed in the browser’s title bar.

• Title Panel—The title displayed in the web page itself. For more information about the settings, see SSL VPN Customization Dialog Box—Title Panel, page F-165.

• Toolbar—The toolbar displayed above the main part of the Portal page. For more information about the settings, see SSL VPN Customization Dialog Box—Toolbar, page F-171.

• Applications—The application buttons that will appear on the page. For more information about the settings, see SSL VPN Customization Dialog Box—Applications, page F-172.

• Custom Panes—The layout of the main part of the Portal page. The default is a single column with no internal panes. For more information about the settings, see SSL VPN Customization Dialog Box—Custom Panes, page F-172.

• Home Page—How and whether to display URL lists on the home page. For more information about the settings, see SSL VPN Customization Dialog Box—Home Page, page F-174.

Logout Page The Logout web page is the one users see after logging out of the SSL VPN. For more information about the settings, see SSL VPN Customization Dialog Box—Logout Page, page F-175.

Category The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6.

Allow Value Override per Device

Overrides

Edit button

Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden, page 8-10 and Understanding Policy Object Overrides for Individual Devices, page 8-9.

If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.

SSL VPN Customization Dialog Box—Title Panel

Use the Title Panel page of the SSL VPN Customization dialog box to determine whether the Logon page or Portal page will have a title displayed in the web page itself. If you enable the title panel, you can specify the title, font, font size and weight, styles, and colors used. You can also select a File object that identifies a logo graphic.

Navigation Path

From the Add and Edit SSL VPN Customization Dialog Boxes, select Logon Page > Title Panel in the table of contents to configure the title of the Logon page, or Portal Page > Title Panel to configure the title of the Portal page.

Related Topics

• Configuring ASA Portal Appearance Using SSL VPN Customization Objects, page 8-79

• Localizing SSL VPN Web Pages for ASA Devices, page 8-82

Field Reference

Table F-112 SSL VPN Customization Dialog Box—Title Panel

Element Description

Display Title Panel Whether to display a title panel within the web page. The default is to not display a title. If you select this option, you can configure the title using the other fields on this page.

Gradient Whether to have the background color change in a gradual progression.

Title Text The text to display in the title panel.

Font Weight

Font Size

Font Color

The characteristics of the font used for the title text. You can select a weight, font size, and color. Click Select to choose a font color.

Background Color The color of the background of the title panel. Click Select to choose a color.

Style (CSS) Cascading Style Sheet (CSS) parameters that define the style characteristics of the title panel. You can include a maximum of 256 characters.

Tip For more information about CSS, visit the World Wide Web Consortium (W3C) website at www.w3.org.

Logo Image The File policy object that identifies the logo image you want to include in the title panel, if any. Enter the name of the File object or click Select to select it from a list or to create a new object.

Tip The image file can be a GIF, JPG, or PNG file, and it can be up to 100 kilobytes in size.

For more information about File objects, see Creating File Objects, page 8-31.

SSL VPN Customization Dialog Box—Language

Use the Language page of the SSL VPN Customization dialog box to identify the languages you will support on the browser-based clientless SSL VPN portal. If you want to configure translation tables for other languages on the ASA device and use them, you can configure the supported languages and allow users to choose their language. Before you configure these settings, read Localizing SSL VPN Web Pages for ASA Devices, page 8-82.

Navigation Path

From the Add and Edit SSL VPN Customization Dialog Boxes, select Logon Page > Language in the table of contents.

Related Topics

• Localizing SSL VPN Web Pages for ASA Devices, page 8-82

• Add and Edit SSL VPN Customization Dialog Boxes, page F-163

• Configuring ASA Portal Appearance Using SSL VPN Customization Objects, page 8-79

Field Reference

Table F-113 SSL VPN Customization Dialog Box—Language

Element Description

Automatic Browser Language Selection

This table lists the languages you will support on the web pages for automatic browser language selection. Automatic browser language selection allows the ASA device to negotiate with the user’s web browser to determine the language in which to present the web pages. You must configure a translation table on the ASA device for any language you list here. For more detailed information about automatic browser language selection, see Localizing SSL VPN Web Pages for ASA Devices, page 8-82.

Languages are listed by their abbreviation in the table. The languages are evaluated top to bottom until a match is found. The language marked as the default (shown as True in the table) is used if the device is unable to negotiate a different language with the browser. If you do not specify a default, English is the default.

• To add a language, click the Add Row button below the table.

• To edit a language, select it and click the Edit Row button.

• To delete a language, select it and click the Delete Row button.

Enable Language Selector Whether to display the Language Selector on the Logon page. The Language Selector allows users to select their preferred language. The Language Selector is complementary to the automatic browser language selection capability.

Language Selector Prompt The text label for the Language Selector prompt.

Language Table The list of languages included in the Language Selector drop-down list. You must configure a translation table on the ASA device for any language you list here. For more detailed information, see Localizing SSL VPN Web Pages for ASA Devices, page 8-82.

The table lists the languages by abbreviation and title, or the common name of the language. The title is the text displayed in the drop-down list. You can change the language title but not the abbreviation.

• To add a language, click the Add Row button below the table.

• To edit a language, select it and click the Edit Row button.

• To delete a language, select it and click the Delete Row button.

Add and Edit Language Dialog Boxes

Use the Add and Edit Language dialog boxes to add or edit an entry for a language you will support for automatic browser language selection or in the Language Selector drop-down list.
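The following Python model is an added illustration, not code from this user guide or from Security Manager or the ASA. It shows what the Automatic Browser Language Selection table (Table F-113) and the Default flag set in the Add and Edit Language dialog box do: the configured rows are walked top to bottom, the first one the browser accepts wins, and the default row (or English when no default is set) is used when nothing matches. The Accept-Language parsing and the rule that a configured abbreviation such as fr also satisfies a regional tag such as fr-CA are assumptions of this model; the ASA's own matching may differ. The sample table is constructed for the example.

```python
"""Model of automatic browser language selection on a clientless SSL VPN
portal.  Added illustration, not Security Manager or ASA code.  Assumes the
browser's preference arrives as an HTTP Accept-Language header and that a
configured abbreviation such as "fr" also satisfies a regional tag such as
"fr-CA"; both are assumptions of this model."""

from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class LanguageEntry:
    """One row of the Automatic Browser Language Selection table."""
    abbreviation: str      # language abbreviation as listed in the table
    default: bool = False  # the row shown as True in the Default column


# Constructed sample table: rows are evaluated top to bottom and "ja" is
# the configured default.  On a real device a translation table must exist
# for each abbreviation listed here.
CONFIGURED = [
    LanguageEntry("fr"),
    LanguageEntry("ja", default=True),
    LanguageEntry("en"),
]


def parse_accept_language(header: str) -> list[str]:
    """Return the browser's language tags ordered by q-value, highest first
    (header order breaks ties), lower-cased, with q=0 tags dropped.  A
    malformed q-value is treated as q=1."""
    tags: list[tuple[float, int, str]] = []
    for position, item in enumerate(header.split(",")):
        item = item.strip()
        if not item:
            continue
        tag, _, params = item.partition(";")
        quality = 1.0
        for param in params.split(";"):
            key, _, value = param.strip().partition("=")
            if key.strip() == "q":
                try:
                    quality = float(value)
                except ValueError:
                    quality = 1.0
        if quality > 0:
            tags.append((quality, position, tag.strip().lower()))
    tags.sort(key=lambda entry: (-entry[0], entry[1]))
    return [tag for _, _, tag in tags]


def browser_accepts(abbreviation: str, accepted: list[str]) -> bool:
    """True if the browser accepts the configured abbreviation: an exact
    tag, a regional variant with the same primary subtag, or the wildcard
    '*' (assumed matching rules)."""
    abbreviation = abbreviation.lower()
    for tag in accepted:
        if tag == "*" or tag == abbreviation or tag.split("-")[0] == abbreviation:
            return True
    return False


def select_language(configured: list[LanguageEntry], header: str) -> str:
    """Walk the configured table top to bottom and return the first
    abbreviation the browser accepts.  If nothing matches, fall back to the
    row marked as default, or to "en" when no default is configured."""
    accepted = parse_accept_language(header)
    for entry in configured:
        if browser_accepts(entry.abbreviation, accepted):
            return entry.abbreviation
    for entry in configured:
        if entry.default:
            return entry.abbreviation
    return "en"


if __name__ == "__main__":
    # Table order wins over the browser's own preference order: the browser
    # prefers English, but "fr" sits higher in the table.
    print(select_language(CONFIGURED, "en;q=0.9, fr;q=0.5"))  # fr
    # A regional variant is satisfied by the primary-subtag row.
    print(select_language(CONFIGURED, "fr-CA"))               # fr
    # No common language: the default row is used.
    print(select_language(CONFIGURED, "de-DE,de;q=0.9"))      # ja
    # No default configured and no match: English.
    print(select_language([LanguageEntry("fr")], "de"))       # en
```

The first sample call is the one to notice when ordering rows: because the table is walked top to bottom, the row order you configure decides the result when the browser accepts more than one of the listed languages, not the browser's own q-values.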

Navigation Path

From the SSL VPN Customization Dialog Box—Language page, click the Add Row button for either the Automatic Browser Language Selection table or the Language Selector table, or select a row and click the Edit Row button.

Related Topics

• Localizing SSL VPN Web Pages for ASA Devices, page 8-82

• Configuring ASA Portal Appearance Using SSL VPN Customization Objects, page 8-79

Field Reference

Table F-114 Add and Edit Language Dialog Boxes

Element Description

Language The list of languages that you can support on the browser-based clientless SSL VPN web pages, listed by their abbreviation.

Default

(Automatic Browser Language Selection only)

Whether the language should be defined as the default language for the portal. The default language is used if the ASA device cannot negotiate a language with the client’s browser.

Title

(Language Selector only)

The name of the language that should appear in the Language Selector on the Logon page.

SSL VPN Customization Dialog Box—Logon Form

Use the Logon Form settings of the SSL VPN Customization dialog box to customize the title of the login box, login prompts of the SSL VPN page (including username, password, and group prompts), login buttons, and style elements of the login box that appears to browser-based clientless SSL VPN users when they initially connect to the security appliance.

Navigation Path

From the Add and Edit SSL VPN Customization Dialog Boxes, select Logon Page > Logon Form in the table of contents.

Related Topics

• Configuring ASA Portal Appearance Using SSL VPN Customization Objects, page 8-79

Field Reference

Table F-115 SSL VPN Customization Dialog Box—Logon Page

Element Description

Title The text displayed as the title of the login box.

Message The message that appears in the login box above the username and password fields. You can enter a maximum of 256 characters.

Username Prompt The text of the prompt for the username entry field.

Password Prompt The text of the prompt for the password entry field.

Secondary Username Prompt

Secondary Password Prompt

The prompts for a second username and password if you require two login credentials. You can enable secondary authentication only if the Connection Profile policy is configured to require it.

The secondary username and password prompts are displayed only if you configure them. If you leave the username prompt blank, the primary username is used and the secondary password must be associated with the primary username.

Internal Password Prompt The text of the prompt for the internal password entry field.

Show Internal Password First Whether the prompt for the internal password should be placed above the password prompt. The internal password is required when using a clientless SSL VPN to access an internal protected website.

Group Selector Prompt The text of the prompt for the Group Selector drop-down list.

Button Text The name of the button the user clicks to log onto the SSL VPN.

Border Color The color of the border of the login box. Click Select to choose a color.

Title Font Color The color of the font for the login box title. Click Select to choose a color.

Title Background Color The background color for the Title area of the login box. Click Select to choose a color.

Font Color The color of the font of the login form. Click Select to choose a color.

Background Color The background color for the login form. Click Select to choose a color.

SSL VPN Customization Dialog Box—Informational Panel

Use the Informational Panel page of the SSL VPN Customization dialog box to customize the appearance of the Informational panel in the Logon page. The Informational panel is an area where you can provide extra information to the user, and is optional.

Navigation Path

From the Add and Edit SSL VPN Customization Dialog Boxes, select Logon Page > Informational Panel in the table of contents.

Related Topics

• Add and Edit SSL VPN Customization Dialog Boxes, page F-163

• Configuring ASA Portal Appearance Using SSL VPN Customization Objects, page 8-79

Field Reference

Table F-116 SSL VPN Customization Dialog Box—Informational Panel

Element Description

Display Informational Panel Whether to display the Informational panel. The default is to not display the panel. If you select this option, you can configure the panel using the other fields on this page.

Panel Position The location of the Informational panel, either to the left of the Logon box or to the right of it.

Text The text that appears in the Informational panel. You can enter a maximum of 256 characters.

Logo Image The File policy object that identifies the logo image you want to include in the Informational panel, if any. Enter the name of the File object or click Select to select it from a list or to create a new object.

Tip The image file can be a GIF, JPG, or PNG file, and it can be up to 100 kilobytes in size.

For more information about File objects, see Creating File Objects, page 8-31.

Image Position The position of the logo image in the panel, either above the text or below it.

SSL VPN Customization Dialog Box—Copyright Panel

Use the Copyright Panel page of the SSL VPN Customization dialog box to customize the appearance of the Copyright panel in the Logon page. The Copyright panel provides your copyright information, appears at the bottom of the page, and is optional.

Navigation Path

From the Add and Edit SSL VPN Customization Dialog Boxes, select Logon Page > Copyright Panel in the table of contents.

Related Topics

• Add and Edit SSL VPN Customization Dialog Boxes, page F-163

• Configuring ASA Portal Appearance Using SSL VPN Customization Objects, page 8-79

Field Reference

Table F-117 SSL VPN Customization Dialog Box—Copyright Panel

Element Description

Display Copyright Panel Whether to display the Copyright panel. The default is to not display the panel. If you select this option, you can configure the panel using the other fields on this page.

Text The text that appears in the copyright panel. You can enter a maximum of 256 characters.

SSL VPN Customization Dialog Box—Full Customization

Use the Full Customization page of the SSL VPN Customization dialog box to identify your own custom Logon page. The custom page replaces the Logon page settings available on the dialog box. For information on creating a custom Logon page, see Creating Your Own SSL VPN Logon Page for ASA Devices, page 8-83.

Navigation Path

From the Add and Edit SSL VPN Customization Dialog Boxes, select Logon Page > Full Customization in the table of contents.

Related Topics

• Configuring ASA Portal Appearance Using SSL VPN Customization Objects, page 8-79

Field Reference

Table F-118 SSL VPN Customization Dialog Box—Full Customization

Element Description

Enable Full Customization Whether you want to use your own custom Logon page. If you enable full customization, all of the other Logon page configuration settings are ignored.

Custom Page The custom Logon page. You must copy the file to the Security Manager server before specifying it here. Click Browse to select the file. For information on selecting files, see Selecting or Specifying a File or Directory on the Server File System, page 2-19.

SSL VPN Customization Dialog Box—Toolbar

Use the Toolbar page of the SSL VPN Customization dialog box to customize the appearance of the toolbar in the Portal page. The toolbar appears above the main body of the Portal page and includes a field to allow users to enter URLs to browse. The toolbar is optional.

Navigation Path

From the Add and Edit SSL VPN Customization Dialog Boxes, select Portal Page > Toolbar in the table of contents.

Related Topics

• Configuring ASA Portal Appearance Using SSL VPN Customization Objects, page 8-79

Field Reference

Table F-119 SSL VPN Customization Dialog Box—Toolbar

Element Description

Display Toolbar Whether to display the toolbar. The default is to not display the toolbar. If you select this option, you can configure the toolbar using the other fields on this page.

Prompt Box Title The text of the prompt for the field where users select the protocol of the target web page and enter the URL.

Browse Button Text The name of the button the user clicks to go to the target URL.

Logout Prompt The text of the prompt for logging out of the SSL VPN.

SSL VPN Customization Dialog Box—Applications

Use the Applications page of the SSL VPN Customization dialog box to customize the application links that appear in the Portal page. This page lists all the application links that you can display in the navigational panel on the left side of the SSL VPN portal page.

Navigation Path

From the Add and Edit SSL VPN Customization Dialog Boxes, select Portal Page > Applications in the table of contents.

Related Topics

• Configuring ASA Portal Appearance Using SSL VPN Customization Objects, page 8-79

Field Reference

Table F-120 SSL VPN Customization Dialog Box—Applications

Element Description

No.

Move Up and Move Down buttons (below the table)

The sequential number of the application in the table. To change the order of an application, select it and click the Move Up or Move Down button until it is in the desired position. The applications appear on the Portal page in the order shown here.

Applications The graphic associated with an application.

Title The name of the application. Standard applications include Home, Web Applications, Browse Networks, Application Access, and AnyConnect Client. The browser plug-ins that you create when you configure the SSL VPN global settings are also listed and available for selection on this page.

Double-click a title to make it editable so that you can change the name.

Enable Whether the application is included on the Portal page.

SSL VPN Customization Dialog Box—Custom Panes

Use the Custom Panes page of the SSL VPN Customization dialog box to customize the appearance of the main body of the Portal page. By creating custom panes and specifying a column layout, you can create a grid of information that can help you present portal information effectively to your end users.

Navigation Path

From the Add and Edit SSL VPN Customization Dialog Boxes, select Portal Page > Custom Panes in the table of contents.

Related Topics

• Configuring ASA Portal Appearance Using SSL VPN Customization Objects, page 8-79

Field Reference

Table F-121 SSL VPN Customization Dialog Box—Custom Panes

Element Description

Columns table The list of columns that the main body of the Portal page should be divided into. You define each column as a percentage of the width of the page. The percentages should add up to 100. If they do not, the device adjusts the column widths.

Create the columns as you want them to appear, left to right, on the Portal page.

• To add a column, click the Add Row button below the table.

• To edit a column, select it and click the Edit Row button.

• To delete a column, select it and click the Delete Row button.

Custom Panes table The custom panes that should appear in the main body of the Portal page. The table shows whether a pane is enabled to appear, the type of pane, its characteristics, and the column and row in which it will appear on the page. The panes can display plain text or include a URL for HTML, image, or RSS links.

For more detailed information about the settings, see Add or Edit Custom Pane Dialog Boxes, page F-173.

• To add a custom pane, click the Add Row button below the table.

• To edit a custom pane, select it and click the Edit Row button.

• To delete a custom pane, select it and click the Delete Row button.

Add and Edit Column Dialog Boxes

Use the Add or Edit Column dialog box to create or edit columns in the main body of the Portal page for browser-based clientless SSL VPNs. Enter the desired width of the column as a percentage of the total area in the Percentage field.

Navigation Path

From the SSL VPN Customization Dialog Box—Custom Panes page, click the Add Row button in the Column table, or select a column and click the Edit Row button.

Add or Edit Custom Pane Dialog Boxes

Use the Add or Edit Custom Pane dialog box to create or edit a pane to display in the main body of the Portal page of a browser-based clientless SSL VPN.

Navigation Path

From the SSL VPN Customization Dialog Box—Custom Panes page, click the Add Row button in the Custom Pane table, or select a pane and click the Edit Row button.

Field Reference

Table F-122 Add and Edit Custom Pane Dialog Boxes

Element Description

Enable Whether to display the custom pane on the Portal page.

Type The type of content to show in the pane, one of:

• Text—Plain text. You can include HTML markup.

• HTML—HTML content provided by a URL.

• Image—An image provided by a URL.

• RSS—An RSS feed provided by a URL.

Show Title

Title

Whether to display a title in the pane. If you select this option, enter the title in the Title field.

Show Border Whether to display a border around the pane.

Column

Row

The column and row numbers in which the pane should appear. Select or enter the number for each to specify the desired grid location.

Height The height of the pane in pixels.

URL

(HTML, Image, and RSS content only.)

The URL that hosts the content you want to display in the pane.

Text

(Text content only.)

The text you want to display in the pane. You can include HTML markup in the text.

SSL VPN Customization Dialog Box—Home Page

Use the Home Page page in the SSL VPN Customization dialog box to customize the appearance of the URL and file lists on the Portal page and the content of the main body of the Portal page. URL lists are considered to be default elements on the portal home page unless they are explicitly disabled.

Navigation Path

From the Add and Edit SSL VPN Customization Dialog Boxes, select Portal Page > Home Page in the table of contents.

Related Topics

• Configuring ASA Portal Appearance Using SSL VPN Customization Objects, page 8-79

Field Reference

Table F-123 SSL VPN Customization Dialog Box—Home Page

Element Description

Enable Custom Intranet Web Page

Whether to display a custom Intranet web page, which also enables URL bookmarks to be displayed on the Portal page. If you select this option, you can configure the panel using the other fields on this page.

URL List Mode How you want to display URL lists on the home page. If you display URL lists, they are displayed in the column cells that are not occupied by custom panes (as configured on Portal Page > Custom Panes). The options are:

• Group By Application—Bookmarks are grouped by application type. For example, Web Bookmarks, File Bookmarks.

• No Group—URL lists are shown as separate panes.

• Do Not Display—URL lists are not shown.

Custom Intranet Web Page URL

The URL of the custom web page that you want to be loaded as the home page. This page is displayed in the main body of the Portal page.

If you specify a custom page, the settings on the Custom Panes page are ignored, and bookmark lists appear on the application pages that are accessed through the navigation panel on the left of the Portal page.

SSL VPN Customization Dialog Box—Logout Page

Use the Logout Page page of the SSL VPN Customization dialog box to customize the appearance of the Logout page for browser-based clientless SSL VPNs. The Logout page appears after the user logs out of the VPN.

Navigation Path

From the Add and Edit SSL VPN Customization Dialog Boxes, select Logout Page in the table of contents.

Related Topics

• Configuring ASA Portal Appearance Using SSL VPN Customization Objects, page 8-79

Field Reference

Table F-124 SSL VPN Customization Dialog Box—Logout Page

Element Description

Title The text to display in the title panel.

Text The message to display on the Logout page. Click Preview to see the default logout message. You can enter a maximum of 256 characters.

Show Login Button

Login Button Text

Whether to display the Login button on the page. Displaying the button makes it easier for the user to log back into the portal.

If you enable the button, you can specify the name of the button in the Login Button Text field.

Border Color The color of the border around the logout box. Click Select to choose a color.

Title Font Color

Title Background Color

The color of the font and background for the title area of the page. Click Select to choose a color.

Font Color

Background Color

The font and background color of the message that appears in the logout box. Click Select to choose a color.

Add or Edit SSL VPN Gateway Dialog Box

Use the Add or Edit SSL VPN Gateway dialog box to create, copy, and edit SSL VPN gateway objects. You use these objects when you are configuring an SSL VPN connection on an IOS device. For more information, see Gateway and Context Page (IOS), page H-10.

An SSL VPN gateway acts as a proxy for connections to protected resources that are accessed through an SSL-encrypted connection between the gateway and a web-enabled browser on a remote device. You can configure only one gateway per SSL VPN.

Navigation Path

Select Tools > Policy Object Manager, then select SSL VPN Gateway from the Object Type Selector. Right-click inside the work area and select New Object or right-click a row and select Edit Object.

Related Topics

• Creating SSL VPN Gateway Objects, page 8-90

• Policy Object Manager Window, page F-1

Field Reference

Table F-125 Add and Edit SSL VPN Gateway Dialog Boxes

Element Description

Name The object name, which can be up to 128 characters. Object names are not case-sensitive. For more information, see Creating Policy Objects, page 8-4.

Description An optional description of the object (up to 1024 characters).

IP Address The IP address for the gateway, which is the address to which remote users connect:

• Use Static IP Address—Specify the address that you want to use. You must also configure this address on an interface on the router.

• Obtained from Interface—Specify the interface role that resolves to a single interface on the device. The IP address configured for the interface is used. This option allows you to identify the external interface you want to use for connections without having to explicitly enter the IP address. If you have to change the address on the interface, you do not have to also reconfigure this object.

Port The number of the port that will carry the HTTPS traffic. You can also enter the name of a port list object that specifies the single port number, or click Select to select the object from a list. The default is the HTTPS object, which specifies port 443. If you do not use port 443, you can enter another port number between 1025 and 65535.

Page 177: €¦ · F-1 User Guide for Cisco Security Manager 3.3 OL-19983-01 APPENDIX F Policy Object Manager User Interface Reference The Policy Object Manager is used to create and glob ally

Appendix F Policy Object Manager User Interface ReferencePolicy Object Add or Edit Dialog Boxes

Trustpoint The digital certificate used to establish the secure connection. A self-signed certificate is generated when an SSL VPN gateway is activated. Remote browsers cannot validate a self-signed certificate, so users see a certificate warning on every connection and learn to click through it; for a production gateway, enroll the router with a CA and select that trustpoint here.

Enable Gateway Whether to activate the SSL VPN gateway.

Specify SSL Encryption Algorithms

Whether to restrict the encryption algorithms used for the connection, or to specify a different order of preference. The default is to make all algorithms available in this order of preference: 3DES and SHA1, AES and SHA1, RC4 and MD5.

Select the priority order for the algorithms. Select None to eliminate one or two algorithms. RC4 with MD5 is the weakest of the three; unless you must support legacy clients that cannot negotiate AES or 3DES, set it to None and place AES and SHA1 first.

Redirect HTTP Traffic

HTTP Port

Whether to have the gateway redirect plain HTTP requests to HTTPS. Traffic that arrives on this port is redirected to the port you specify in the Port field.

Enter the port number for HTTP traffic in the HTTP Port field. You can enter a number or the name of a port list object, or click Select to select an object from a list or to create a new object.

The HTTP port is normally 80. However, you can enter any other number that is used in your network between 1025 and 65535.

Hostname The hostname for the gateway:

• Do Not Specify—No hostname is assigned; the IP address of the gateway is used.

• Use the host and domain names of the device—These are defined in the Platform > Device Admin > Hostname policy.

• Use the Object—The hostname is the value defined in a text policy object. Enter the name of the object or click Select to select it from a list or to create a new object.

Category The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6.

Allow Value Override per Device

Overrides

Edit button

Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden, page 8-10 and Understanding Policy Object Overrides for Individual Devices, page 8-9.

If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.

Add and Edit Smart Tunnel List Dialog Boxes

Use the Add and Edit Smart Tunnel Lists dialog boxes to create, copy, and edit SSL VPN smart tunnel objects.


An SSL VPN smart tunnel list object lists the applications that are eligible for smart tunnel access to a private site. You can configure the clientless settings of an ASA group policy with a smart tunnel list to allow users to access the specified applications through the SSL VPN portal. For an explanation of the types of applications that support smart tunnel access, see Configuring SSL VPN Smart Tunnels for ASA Devices, page 8-87.

You can include other SSL VPN smart tunnel list objects in an object. Thus, you can create a smaller set of objects that identify your basic list of applications, then create other objects that create the required combination of applications. For example, you might want all three of your ASA group policies to allow smart tunnel access to applications A and B, but the remaining applications are unique for each group. By creating a single object that specifies A and B, you can include that object in each of the SSL VPN smart tunnel list objects for the group policies, and these objects need only specify their unique applications in the applications table.

Navigation Path

Select Tools > Policy Object Manager, then select SSL VPN Smart Tunnel Lists from the Object Type selector. Right-click inside the work area and select New Object, or right-click a row and select Edit Object.

Related Topics

• ASA Group Policies SSL VPN Clientless Settings, page F-33

• Configuring SSL VPN Smart Tunnels for ASA Devices, page 8-87

• Policy Object Manager Window, page F-1

Field Reference

Table F-126 Add and Edit Smart Tunnel Lists Dialog Boxes

Element Description

Name The object name, which can be up to 64 characters. Spaces are not allowed. Object names are not case-sensitive. For more information, see Creating Policy Objects, page 8-4.

Description An optional description of the object.

Smart Tunnel Entries table The applications to which users will be allowed smart tunnel access through the SSL VPN, including the name of the application and its location on client workstations.

• To add an application, click the Add Row button to open the Add and Edit A Smart Tunnel Entry Dialog Boxes, page F-179.

• To edit an application, select it and click the Edit Row button.

• To delete an application, select it and click the Delete Row button.

Include Smart Tunnel Lists The other SSL VPN smart tunnel list objects that you want to include in this object, if any. Enter the names of the objects or click Select to select them from a list or to create new objects. Separate multiple entries with commas.

Category The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6.


Allow Value Override per Device

Overrides

Edit button

Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden, page 8-10 and Understanding Policy Object Overrides for Individual Devices, page 8-9.

If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.

Add and Edit A Smart Tunnel Entry Dialog Boxes

Use the Add and Edit A Smart Tunnel Entry dialog boxes to create a new smart tunnel entry or edit an existing entry in the table in the SSL VPN Smart Tunnel Lists dialog box.

Navigation Path

From Add and Edit Smart Tunnel List Dialog Boxes, page F-177, click the Add Row button beneath the Smart Tunnel Entries table, or select an entry and click the Edit Row button.

Related Topics

• Configuring SSL VPN Smart Tunnels for ASA Devices, page 8-87

• Policy Object Manager Window, page F-1

Field Reference

Table F-127 Add and Edit Smart Tunnel Entry Dialog Boxes

Element Description

App Name The name of the application to which you are allowing smart tunnel access. The name can be up to 64 characters. Consider including the version number of the application if you are allowing more than one version smart tunnel access.


App Path The filename and, optionally, the path of the application. This entry can be up to 128 characters. Use one of the following:

• Filename—For example, outlook.exe. By specifying only the filename, you allow the application wherever users install it on their workstations. However, the filename must match exactly, and nothing else about the file is checked: any program renamed to the permitted filename satisfies this entry unless you also supply a Hash Value.

• Full path and filename—For example, C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE. This allows the application smart tunnel access only if it is installed in the specified directory, which you can use to enforce organizational standards.

Tips

• If you specify the full path, and the smart tunnel application stops working after it had been working for a while, it is likely that a product upgrade changed the installation path. Add a new entry that accounts for the new path.

• If you are granting smart tunnel access to an application that is started from the command line, create one entry for cmd.exe (the Windows command line) and another entry for the application.
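The following Python script is an added example; it is not code from the Security Manager guide or from the ASA's smart tunnel implementation. It models one row of the Smart Tunnel Entries table and replays the client-side decision the App Path and Hash Value rows of this table describe: a filename-only entry admits a program wherever it is installed, a full-path entry also pins the install directory, and an entry with a Hash Value additionally requires the SHA-1 of the executable to match. The executables and paths are constructed stand-ins, the SmartTunnelEntry class and its helpers are this example's own, and the case-insensitive path comparison is an assumption about the client's check (the guide only says the filename must match exactly).

```python
import hashlib
import ntpath
from dataclasses import dataclass
from typing import Iterable, Optional

HEX = set("0123456789abcdef")


@dataclass(frozen=True)
class SmartTunnelEntry:
    """One row of the Smart Tunnel Entries table (field limits from Table F-127)."""
    app_name: str                      # up to 64 characters
    app_path: str                      # filename, or full path and filename (up to 128 characters)
    hash_value: Optional[str] = None   # optional SHA-1 of the executable, 40 hex characters

    def __post_init__(self) -> None:
        if not 0 < len(self.app_name) <= 64:
            raise ValueError("App Name must be 1-64 characters")
        if not 0 < len(self.app_path) <= 128:
            raise ValueError("App Path must be 1-128 characters")
        if self.hash_value is not None:
            h = self.hash_value.strip().lower()
            if len(h) != 40 or set(h) - HEX:
                raise ValueError("Hash Value must be 40 hexadecimal characters")
            object.__setattr__(self, "hash_value", h)


def sha1_of_file_bytes(data: bytes) -> str:
    """The value fciv.exe -sha1 (or certutil -hashfile <file> SHA1) prints for a file."""
    return hashlib.sha1(data).hexdigest()


def path_matches(entry: SmartTunnelEntry, client_path: str) -> bool:
    """Filename-only entries match wherever the program is installed; entries with a
    full path also pin the install directory. Comparison is case-insensitive, as
    Windows paths are (assumption about the client-side check)."""
    if "\\" in entry.app_path:                        # full path and filename
        return ntpath.normcase(entry.app_path) == ntpath.normcase(client_path)
    return ntpath.basename(client_path).lower() == entry.app_path.lower()


def qualifies(entry: SmartTunnelEntry, client_path: str, exe_bytes: bytes) -> bool:
    """Does this executable get smart tunnel access under this entry?"""
    if not path_matches(entry, client_path):
        return False
    if entry.hash_value is None:
        return True                                   # no hash: the name alone is trusted
    return sha1_of_file_bytes(exe_bytes) == entry.hash_value


def first_match(entries: Iterable[SmartTunnelEntry], client_path: str,
                exe_bytes: bytes) -> Optional[str]:
    """App Name of the first entry that admits the program, or None."""
    for entry in entries:
        if qualifies(entry, client_path, exe_bytes):
            return entry.app_name
    return None


# Constructed stand-ins for executables; real entries would hash the real OUTLOOK.EXE.
OUTLOOK_11 = b"MZ outlook build 11.0"
OUTLOOK_12 = b"MZ outlook build 12.0"
RENAMED_TOOL = b"MZ some other program the policy never approved"
OFFICE11 = r"C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE"
DOWNLOADS = r"C:\Users\bob\Downloads\outlook.exe"


def demo() -> dict:
    by_name = [SmartTunnelEntry("Outlook", "outlook.exe")]
    by_hash = [
        SmartTunnelEntry("Outlook 2003", "outlook.exe", sha1_of_file_bytes(OUTLOOK_11)),
        SmartTunnelEntry("Outlook 2007", "outlook.exe", sha1_of_file_bytes(OUTLOOK_12)),
    ]
    pinned = [SmartTunnelEntry("Outlook 2003 (standard install)", OFFICE11)]
    return {
        "renamed_tool_name_only": first_match(by_name, DOWNLOADS, RENAMED_TOOL),
        "renamed_tool_with_hash": first_match(by_hash, DOWNLOADS, RENAMED_TOOL),
        "genuine_2003": first_match(by_hash, OFFICE11, OUTLOOK_11),
        "genuine_2007": first_match(by_hash, OFFICE11, OUTLOOK_12),
        "pinned_ok": first_match(pinned, OFFICE11.lower(), OUTLOOK_11),
        "pinned_wrong_dir": first_match(pinned, DOWNLOADS, OUTLOOK_11),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The first two results are the point of the Hash Value field: a program renamed to outlook.exe passes the name-only entry and fails the hashed one. The two hashed entries also show the maintenance cost the Tip for that field describes, since each build of the application needs its own entry.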


Hash Value (Optional) The SHA-1 hash of the application's executable file. By specifying a hash value, you ensure that a user cannot rename some other program to a permitted filename and thereby start an unsupported and undesired application over the smart tunnel; without a hash, the App Path check is satisfied by any file that carries the expected name.

To obtain the hash value, compute the SHA-1 checksum of the executable file with a utility that implements the SHA-1 algorithm. One example of such a utility is the Microsoft File Checksum Integrity Verifier (FCIV), available at http://support.microsoft.com/kb/841290/. Place a temporary copy of the application to be hashed on a path that contains no spaces (for example, c:\temp), then enter fciv.exe -sha1 application at the command line (for example, fciv.exe -sha1 c:\msimn.exe) to display the SHA-1 hash. The certutil -hashfile <file> SHA1 command built into Windows produces the same value (remove any spaces certutil prints between byte pairs). Copy and paste the value into this field.

The SHA-1 hash is always 40 hexadecimal characters. Before authorizing an application for smart tunnel access, clientless SSL VPN calculates the hash of the application matching the App Name. It qualifies the application for smart tunnel access only if the result matches the configured hash value.

Because the checksum varies with each version or patch of an application, the hash you enter can match only one version or patch on the remote host. To specify a hash for more than one version of an application, create a separate smart tunnel entry for each hash value.

Tip Hash values require maintenance. You must update the smart tunnel list if you want to support future versions or patches of an application for which you supply a hash value. A sudden problem with smart tunnel access might be an indication that the application list containing hash values is not up-to-date with an application upgrade. You can avoid this maintenance by not entering a hash, at the cost of the renaming protection described above.

Add or Edit Text Object Dialog Box

Use the Add or Edit Text Object dialog box to create, edit, duplicate, and view text objects. Create a text object if you need textual data to be referenced and acted upon by another policy object that accepts text objects.

Text objects are a type of policy object variable. They are a name and value pair, where the value can be a single string, a list of strings, or a table of strings. You can enter any type of textual data to be referenced and acted upon by FlexConfig policies.

Create the variable by first selecting the dimension: a simple single-value variable (dimension 0), a list of values (dimension 1), or a table of values (dimension 2). After you create the desired grid by selecting the dimension and, if applicable, the number of rows and columns, enter the data into each cell by first clicking in the cell.

Navigation Path

Select Tools > Policy Object Manager, then select Text Objects from the Object Type Selector. Right-click inside the work area and select New Object or right-click a row and select Edit Object.


Related Topics

• Creating Text Objects, page 8-91

• Chapter 18, “Managing FlexConfigs”

Field Reference

Table F-128 Text Object Dialog Box

Element Description

Name The object name, which can be up to 128 characters. Object names are not case-sensitive. For more information, see Creating Policy Objects, page 8-4.

Description An optional description of the object (up to 1024 characters).

Dimension The structure of the data in the variable:

• 0—scalar (a single string)

• 1—one-dimensional array (a list of strings)

• 2—two-dimensional table (a table of strings)

Number of Rows The number of data rows in the variable if the dimension is 1 or 2.

Number of Columns The number of data columns in the variable if the dimension is 2.

[text field] The content of the text object. Click the cell and enter the data.

Category The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6.

Allow Value Override per Device

Overrides

Edit button

Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden, page 8-10 and Understanding Policy Object Overrides for Individual Devices, page 8-9.

If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.

Add or Edit Time Range Dialog Box

Use the Add or Edit Time Range dialog box to create, edit, or copy a time range object.

You can create time range objects for use when creating time-based ACLs and some firewall rules. While similar to extended ACLs in function, time-based ACLs allow for access control based on time considerations. The time range applies to specific rules and makes those rules active for the specific time period defined in the range. For example, you can implement a rule for typical work hours to allow or prevent certain types of access.

You can also use time range objects when defining ASA user groups to restrict VPN access to specific times during the week. For more information, see ASA Group Policies SSL VPN Settings, page F-37.

Time range objects rely on the device's system clock, so a time-based rule is only as accurate as that clock: if the clock is wrong, the rule opens or closes at the wrong moment. Synchronize every device that uses time ranges with Network Time Protocol (NTP).
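As an added example (not code from Security Manager or from any Cisco device), the following Python models a time range object as Table F-129 and Table F-130 define it and evaluates whether it is active at a given moment: the absolute Start/End window bounds the object, and the recurring ranges inside it are ORed together. It also shows what an unsynchronized device clock does to a time-based rule, which is why NTP matters. The classes and sample objects are this example's own; it assumes minute granularity with inclusive end times and uses Python's Monday-first weekday numbering, and the timestamps are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta
from typing import Dict, List, Optional, Tuple

MON, TUE, WED, THU, FRI, SAT, SUN = range(7)          # datetime.weekday() numbering
WEEKDAYS = frozenset({MON, TUE, WED, THU, FRI})
WEEKENDS = frozenset({SAT, SUN})
EVERY_DAY = frozenset(range(7))


def _minute_of_week(day: int, t: time) -> int:
    return day * 1440 + t.hour * 60 + t.minute


@dataclass(frozen=True)
class DaysOfWeekRange:
    """'Specify days of the week and times': active on each listed day from start to end."""
    days: frozenset
    start: time = time(0, 0)
    end: time = time(23, 59)                           # the default is all day

    def contains(self, dt: datetime) -> bool:
        t = time(dt.hour, dt.minute)                   # minute granularity
        return dt.weekday() in self.days and self.start <= t <= self.end


@dataclass(frozen=True)
class WeeklyIntervalRange:
    """'Specify a weekly interval': one span from a start day/time to an end day/time."""
    start_day: int
    start: time
    end_day: int
    end: time

    def contains(self, dt: datetime) -> bool:
        now = _minute_of_week(dt.weekday(), time(dt.hour, dt.minute))
        lo = _minute_of_week(self.start_day, self.start)
        hi = _minute_of_week(self.end_day, self.end)
        if lo <= hi:
            return lo <= now <= hi
        return now >= lo or now <= hi                  # interval wraps past the end of the week


@dataclass
class TimeRangeObject:
    name: str
    start_at: Optional[datetime] = None                # None = Start Now (time of deployment)
    end_at: Optional[datetime] = None                  # None = Never End
    recurring: List = field(default_factory=list)      # DaysOfWeekRange / WeeklyIntervalRange

    def is_active(self, now: datetime, deployed_at: Optional[datetime] = None) -> bool:
        """Absolute window first; recurring ranges (if any) are ORed and narrow it further."""
        start = self.start_at if self.start_at is not None else deployed_at
        if start is not None and now < start:
            return False
        if self.end_at is not None and now > self.end_at:
            return False
        return not self.recurring or any(r.contains(now) for r in self.recurring)


def with_clock_skew(obj: TimeRangeObject, true_now: datetime, skew: timedelta) -> Tuple[bool, bool]:
    """(what the rule should do now, what a device whose clock is off by `skew` does)."""
    return obj.is_active(true_now), obj.is_active(true_now + skew)


# Constructed sample objects and timestamps (2009-06-01 was a Monday).
WORK_HOURS = TimeRangeObject("work-hours",
                             recurring=[DaysOfWeekRange(WEEKDAYS, time(8, 0), time(18, 0))])
MAINTENANCE = TimeRangeObject("weekend-maint",
                              recurring=[WeeklyIntervalRange(FRI, time(22, 0), MON, time(6, 0))])
PILOT = TimeRangeObject("pilot", start_at=datetime(2009, 6, 1),
                        end_at=datetime(2009, 6, 30, 23, 59),
                        recurring=[DaysOfWeekRange(EVERY_DAY)])


def demo() -> Dict[str, object]:
    wed = datetime(2009, 6, 10)
    return {
        "work_wed_10:00": WORK_HOURS.is_active(wed.replace(hour=10)),
        "work_wed_19:00": WORK_HOURS.is_active(wed.replace(hour=19)),
        "work_sat_10:00": WORK_HOURS.is_active(datetime(2009, 6, 13, 10)),
        "maint_sat_03:00": MAINTENANCE.is_active(datetime(2009, 6, 13, 3)),
        "maint_mon_05:59": MAINTENANCE.is_active(datetime(2009, 6, 15, 5, 59)),
        "maint_mon_06:01": MAINTENANCE.is_active(datetime(2009, 6, 15, 6, 1)),
        "maint_wed_03:00": MAINTENANCE.is_active(wed.replace(hour=3)),
        "pilot_in_window": PILOT.is_active(wed.replace(hour=10)),
        "pilot_after_end": PILOT.is_active(datetime(2009, 7, 1, 10)),
        # Device clock two hours slow: at 09:00 real time the work-hours rule is still off.
        "skew_true_vs_device": with_clock_skew(WORK_HOURS, wed.replace(hour=9), timedelta(hours=-2)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The weekend-maintenance object shows the wraparound case that a weekly interval can express (Friday evening to Monday morning), and the last result is the NTP point: with the clock two hours slow, access that should already be permitted is still denied, and conversely a rule meant to close at 18:00 would stay open until 20:00 real time.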


Navigation Path

Select Tools > Policy Object Manager, then select Time Ranges from the Object Type Selector. Right-click inside the work area and select New Object or right-click a row and select Edit Object.

Related Topics

• Creating Time Range Objects, page 8-92

• Policy Object Manager Window, page F-1

Field Reference

Table F-129 Time Range Dialog Box

Element Description

Name The object name, which can be up to 128 characters. Object names are not case-sensitive. For more information, see Creating Policy Objects, page 8-4.

Description An optional description of the object (up to 1024 characters).

Start Time

End Time

The overall starting and ending time for the time range object:

• Start Now—Defines the time of deployment as the start time.

• Never End—Defines no end time for the range.

• Start At, End At—Defines a specific start or end date and time. Click the calendar icon to display a tool for selecting the date. Enter the time in the Time field using the 24-hour clock format, HH:MM.

Recurring Ranges Recurring time periods that happen within the overall start and end times, if any. For example, if you want to create a time range object that defines work hours, you could select Start Now and Never End for the overall range, and enter a recurring range of weekdays from 08:00 to 18:00 hours.

• To add a range, click the New Recurring Range button and fill in the Recurring Ranges Dialog Box, page F-183.

• To edit a range, select it and click the Edit Recurring Range button.

• To delete a range, select it and click the Delete Recurring Range button.

Category The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6.

Recurring Ranges Dialog Box

Use the Recurring Ranges dialog box to add or edit recurring time intervals that are defined as part of a time range object. You can define as many recurring ranges as required.

Navigation Path

Go to the Add or Edit Time Range Dialog Box, page F-182 and click the New Recurring Range button under Recurring Ranges, or select a range and click Edit Recurring Range.


Related Topics

• Creating Time Range Objects, page 8-92

Field Reference

Table F-130 Recurring Ranges Dialog Box

Element Description

Specify days of the week and times during which this recurring range will be active

Defines a recurring range that is based on specific days and times of the week. You can select from:

• Every day

• Weekdays

• Weekends

• On these days of the week—Select the specific days to include in the range.

Also select the starting and ending time during the day. The default is all day.

Specify a weekly interval during which this recurring range will be active

Defines a recurring range for every week. Select the starting and ending day and time. For example, you can start the weekly period on Sunday and end it on Thursday.

Add and Edit Traffic Flow Dialog Boxes

Use the Add and Edit Traffic Flow dialog boxes to configure traffic match type classifications. Traffic flows map to class maps (the class-map command) in the IPS, QoS, and Connection Rules service policy for PIX, ASA, and FWSM devices, which is how network policies are configured on those devices. Traffic flow objects are used with devices running PIX 7.0+, ASA 7.0+, and FWSM 3.2+. For more information on configuring the policy, see Configuring Service Policy Rules on Firewall Devices, page 14-79.

Navigation Path

Select Tools > Policy Object Manager, then select Traffic Flows from the Object Type selector. Right-click inside the work area, then select New Object or right-click a row and select Edit Object.

Related Topics

• Creating Traffic Flow Objects, page 8-93

• Creating Access Control List Objects, page 8-23

Field Reference

Table F-131 Add and Edit Traffic Flow Dialog Boxes

Element Description

Name The name of the policy object. A maximum of 40 characters is allowed. The name space for class maps is local to a security context. Therefore, the same name may be used in multiple security contexts. The maximum number of class maps per security context is 255.


Description A description of the policy object. A maximum of 1024 characters is allowed.

Traffic Match Type The type of traffic to define in the class map. The option you select changes the fields on the dialog box, and those fields are explained later in this table. The options are:

• Any Traffic—Matches any traffic.

• Source and Destination IP Address (access-list)—Matches the source and destination IP addresses in a packet based on the access control list object that you select.

• Default Inspection Traffic—Matches default inspection traffic. For a list of default settings, see Default Inspection Traffic, page F-186.

• Default Inspection Traffic with access list—Matches default inspection traffic limited by the access control list object that you select.

• TCP or UDP Destination Port—Matches the destination port associated with the traffic flow, 0 to 65535.

• RTP Range—Matches the range of UDP destination ports (2000-65535) associated with the traffic flow.

• Tunnel Group—Matches the destination address based on flows of VPN tunnels belonging to a tunnel group.

• IP Precedence Bits—Matches the precedence associated with the traffic flow. You can select a maximum of 4 values.

• IP DiffServe Code Points (DSCP) Values—Matches the DSCP values associated with the traffic flow. You can select a maximum of 8 values.

Variable Fields

The following fields vary based on what you select in the Traffic Match Type field. This list is a super-set of the fields you might see.

Available ACLs A list of the access control list objects that you can select for the map. Select the object that defines the target traffic, or click the Create button to add a new object. You can also select an object and click Edit to change its definition. If the list of objects is large, use the Filter field to limit the display (see Create Filter Dialog Box, page C-1 and Filtering Items in Selectors, page 2-14).

TCP or UDP

TCP/UDP Port or Port Range

The protocol (either TCP or UDP) and port number or range of numbers to use when you are matching traffic based on the port.

You can specify a single port value or range of port values associated with the traffic flow, for example, 0-2000. Values are 0-65535.


RTP Port Range The range of UDP destination ports associated with the traffic flow. You must enter a port range within 2000-65535.

Note When you close the dialog box, the port range you entered is converted to port-span form by subtracting the start value from the end value. For example, if you enter the range 2001-3000 in the dialog box, RTP port 2001 range 999 appears in the Match Value column of the Traffic Flows policy object table. The device expects the starting port and the span, not the ending port.

Tunnel group name

Match Flow IP Destination Address

Lists available tunnel groups. Select one or enter the name of a group. You can also select Match Flow IP Destination Address to recognize the destination address as the match type.

Tip You can use FlexConfig objects and policies to predefine a VPN tunnel group on a PIX 7.0+ device. For more information, see Understanding FlexConfig Policies and Policy Objects, page 18-1.

Available IP Precedence

Match on IP Precedence

The IP precedence numbers. Select the ones you want to match and click >>. You can select a maximum of 4 values.

To deselect a value, select it in the match table and click <<.

Available DSCP Values

Match on DSCP

The IP DiffServ Code Point (DSCP) values. Select the ones you want to match and click >>. You can select a maximum of 8 values.

To deselect a value, select it in the match table and click <<.

Category The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6.

Default Inspection Traffic

When you create a Traffic Flow policy object, you can choose to include the default inspection traffic. Table F-132 lists the protocols and ports that the default inspection traffic class matches. For more information, see Creating Traffic Flow Objects, page 8-93.
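An added example, not Security Manager's own provisioning code: the Python below turns a traffic flow object as Table F-131 describes it into the ASA class-map commands the object maps to, and enforces the limits that table states (a 40-character name, ports 0-65535, one to four precedence values, one to eight DSCP values, RTP ports within 2000-65535 converted to the start/span form the device expects, and at most 255 class maps per security context). The TrafficFlow class and its field names are this example's own and the sample flows are constructed; the CLI keywords are standard ASA class-map syntax, including the default-inspection-traffic match whose contents Table F-132 lists.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MAX_NAME, MAX_DESCRIPTION = 40, 1024          # limits from Table F-131
MAX_CLASS_MAPS_PER_CONTEXT = 255
MAX_PRECEDENCE_VALUES, MAX_DSCP_VALUES = 4, 8
DSCP_NAMES = {"af11", "af12", "af13", "af21", "af22", "af23", "af31", "af32", "af33",
              "af41", "af42", "af43", "cs1", "cs2", "cs3", "cs4", "cs5", "cs6", "cs7", "ef"}


@dataclass
class TrafficFlow:
    """A traffic flow object; only the fields relevant to match_type are used."""
    name: str
    match_type: str      # any | acl | default | default-acl | port | rtp | tunnel-group | precedence | dscp
    description: str = ""
    acl: Optional[str] = None                         # access control list object name
    protocol: Optional[str] = None                    # tcp | udp
    ports: Optional[Tuple[int, int]] = None           # (low, high); single port when low == high
    rtp_range: Optional[Tuple[int, int]] = None       # range as typed in the dialog, e.g. (2001, 3000)
    tunnel_group: Optional[str] = None
    match_flow_ip_destination: bool = False
    values: List = field(default_factory=list)        # precedence or DSCP values


def _require(cond: bool, msg: str) -> None:
    if not cond:
        raise ValueError(msg)


def rtp_port_span(low: int, high: int) -> Tuple[int, int]:
    """Dialog range -> (start, span) as shown in Match Value and expected by the device."""
    _require(2000 <= low <= high <= 65535, "RTP range must lie within 2000-65535")
    return low, high - low                            # 2001-3000 -> (2001, 999)


def to_class_map(f: TrafficFlow) -> List[str]:
    """The class-map block that provisions one traffic flow object."""
    _require(0 < len(f.name) <= MAX_NAME, "name must be 1-40 characters")
    _require(len(f.description) <= MAX_DESCRIPTION, "description too long")
    lines = [f"class-map {f.name}"]
    if f.description:
        lines.append(f" description {f.description}")
    t = f.match_type
    if t == "any":
        lines.append(" match any")
    elif t == "acl":
        _require(bool(f.acl), "acl required")
        lines.append(f" match access-list {f.acl}")
    elif t == "default":
        lines.append(" match default-inspection-traffic")
    elif t == "default-acl":                          # default inspection limited by an ACL
        _require(bool(f.acl), "acl required")
        lines += [" match default-inspection-traffic", f" match access-list {f.acl}"]
    elif t == "port":
        _require(f.protocol in ("tcp", "udp") and f.ports is not None, "protocol and ports required")
        low, high = f.ports
        _require(0 <= low <= high <= 65535, "ports must be within 0-65535")
        lines.append(f" match port {f.protocol} eq {low}" if low == high
                     else f" match port {f.protocol} range {low} {high}")
    elif t == "rtp":
        _require(f.rtp_range is not None, "rtp_range required")
        start, span = rtp_port_span(*f.rtp_range)
        lines.append(f" match rtp {start} {span}")
    elif t == "tunnel-group":
        _require(bool(f.tunnel_group), "tunnel_group required")
        lines.append(f" match tunnel-group {f.tunnel_group}")
        if f.match_flow_ip_destination:
            lines.append(" match flow ip destination-address")
    elif t == "precedence":
        _require(1 <= len(f.values) <= MAX_PRECEDENCE_VALUES, "select 1-4 precedence values")
        _require(all(v in range(8) for v in f.values), "precedence values are 0-7")
        lines.append(" match precedence " + " ".join(str(v) for v in f.values))
    elif t == "dscp":
        _require(1 <= len(f.values) <= MAX_DSCP_VALUES, "select 1-8 DSCP values")
        _require(all(v in DSCP_NAMES or v in range(64) for v in f.values),
                 "DSCP values are 0-63 or names such as ef")
        lines.append(" match dscp " + " ".join(str(v) for v in f.values))
    else:
        raise ValueError(f"unknown match type {t!r}")
    return lines


def render_context(flows: List[TrafficFlow]) -> str:
    """All class maps for one security context; names are local to the context, 255 maximum."""
    _require(len(flows) <= MAX_CLASS_MAPS_PER_CONTEXT, "more than 255 class maps in one context")
    _require(len({f.name for f in flows}) == len(flows), "duplicate class-map name in context")
    return "\n".join("\n".join(to_class_map(f)) for f in flows)


SAMPLE_FLOWS = [                                      # constructed objects
    TrafficFlow("voice-rtp", "rtp", description="RTP media", rtp_range=(2001, 3000)),
    TrafficFlow("low-ports", "port", protocol="tcp", ports=(0, 2000)),
    TrafficFlow("inspect-dmz", "default-acl", acl="DMZ_IN"),
    TrafficFlow("gold-dscp", "dscp", values=["ef", "af41"]),
]

if __name__ == "__main__":
    print(render_context(SAMPLE_FLOWS))
```

The generator rejects the inputs the dialog would reject (a ninth DSCP value, an RTP range below 2000) before anything reaches a device, and the rtp_port_span conversion makes the Note above concrete: the end port you typed is never sent, only the start port and the difference.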

Table F-132 Default Inspection Traffic

Value Port

ctiqbe (TCP) 2748

cuseeme (UDP) 7648

DNS (UDP) 53

FTP (TCP) 21

GTP (UDP) 2123, 3386

h323, h225 (TCP) 1720

h323 ras (UDP) 1718, 1719

HTTP (TCP) 80

ICMP (protocol icmp) none

ils (TCP) 389


MGCP (UDP) 2427, 2727

netbios (UDP) 137, 138

rpc (UDP) 111

rsh (TCP) 514

RTSP (TCP) 554

SIP (TCP) 5060

SIP (UDP) 5060

skinny (TCP) 2000

SMTP (TCP) 25

sqlnet (TCP) 1521

TFTP (UDP) 69

XDMCP (UDP) 177

Add or Edit User Group Dialog Box

Use the Add or Edit User Group dialog box to create or edit a user group object. User group objects are used in Easy VPN topologies, remote access VPNs, and SSL VPNs for IOS devices.

When you configure a remote access VPN, SSL VPN, or Easy VPN server, you can create user groups to which remote clients belong. The remote clients must be configured with the same group name as the user group on the VPN server in order to connect to the server; otherwise, no connection is established. When the remote client connects to the VPN server successfully, the group policies for that particular user group are pushed to all remote clients belonging to the user group.

For more information about user groups, see:

• Understanding User Group Policies (IOS), page 10-41

• Configuring User Group Policies, page 10-42

• Configuring a User Group Policy for Easy VPN, page 9-77

• Configuring an SSL VPN Policy (IOS), page 10-58

Note You must select the technology (Easy VPN/Remote Access VPN, or SSL VPN) for which you are creating the user group object. If you are editing an existing user group object, the technology is already selected and you cannot change it. Depending on the selected technology, the appropriate settings are available for configuration.

Navigation Path

Select Tools > Policy Object Manager, then select User Groups from the Object Type Selector. Right-click inside the work area and select New Object or right-click a row and select Edit Object.

Tip You can also access this dialog box from the Remote Access VPN > IPSec VPN > User Groups or the Remote Access VPN > SSL VPN policies.


Related Topics

• Creating User Group Objects, page 8-94

• Policy Object Manager Window, page F-1

Field Reference

Table F-133 User Group Dialog Box

Element Description

Name The object name, which can be up to 128 characters. Object names are not case-sensitive. For more information, see Creating Policy Objects, page 8-4.

Description An optional description of the object.

Settings Pane

The body of the dialog box is a pane with a table of contents on the left and settings related to the item selected in the table of contents on the right.

You must first configure technology settings, then you can select items from the table of contents on the left and configure the options you require. Your selections on the Technology page control which options are available on these pages and in the table of contents.

The top folders in the table of contents represent the VPN technologies or other settings that you can configure, and are explained next.

Technology settings These settings control what you can define in the group policy:

• Group Name—The name for the user group (up to 128 characters). Configure the same user group name within the remote client or device to ensure that the appropriate group attributes are downloaded.

• Technology—The types of VPN for which this object defines group policies. You cannot change this option when editing an object, or if you are creating the user group object while editing a VPN policy. You can configure settings for Easy VPN/Remote Access IPSec VPN or SSL VPN, but not both.

Easy VPN/Remote Access IPSec VPN pages

When you select Easy VPN/Remote Access IPSec VPN as the technology, you can configure settings on the following pages:

• User Group Dialog Box—General Settings, page F-189

• User Group Dialog Box—DNS/WINS Settings, page F-190

• User Group Dialog Box—Split Tunneling, page F-191

• User Group Dialog Box—IOS Client Settings, page F-192

• User Group Dialog Box—IOS Xauth Options, page F-194

• User Group Dialog Box—IOS Client VPN Software Update, page F-195

• User Group Dialog Box—Advanced PIX Options, page F-196


SSL VPN pages When you select SSL VPN as the technology, you can configure settings on the following pages:

• User Group Dialog Box—Clientless Settings, page F-197

• User Group Dialog Box—Thin Client Settings, page F-198

• User Group Dialog Box—SSL VPN Full Tunnel Settings, page F-198

• User Group Dialog Box—DNS/WINS Settings, page F-190

• User Group Dialog Box—SSL VPN Split Tunneling, page F-200

• User Group Dialog Box—Browser Proxy Settings, page F-201

• User Group Dialog Box—SSL VPN Connection Settings, page F-202

Category The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6.

User Group Dialog Box—General Settings

The general settings you configure for your user group include the authentication method, IP address pool information, and connection attributes for PIX 6.3 Firewalls.

Note These settings apply in Easy VPN and remote access IPSec VPN configurations.

Navigation Path

Select General from the table of contents in the Add or Edit User Group Dialog Box, page F-187.

Related Topics

• Creating User Group Objects, page 8-94

• Configuring Preshared Key Policies, page 9-57


Field Reference

User Group Dialog Box—DNS/WINS Settings

Configure the DNS/WINS settings for your user group to define the DNS and WINS servers and the domain name that should be pushed to clients associated with the user group.

Note The DNS/WINS settings you configure for a user group apply in Easy VPN, remote access VPN, and SSL VPN configurations.

Table F-134 User Group Dialog Box—General Settings

Element Description

Preshared Key The preshared key that will be used to authenticate the clients associated to the user group.

Note You do not have to enter a preshared key if you are using digital certificates for group authentication.

In regular IPsec VPNs, preshared keys allow for one or more peers to use individual shared secrets to authenticate encrypted tunnels. A preshared key must be configured on each participating peer. If one of the participating peers is not configured with the same preshared key, the IKE SA cannot be established.

In Easy VPN authentication, the same Easy VPN server key is used for the spoke configuration to ensure that the server/client keys match.

In remote access IPSec VPN authentication, the same key is used to negotiate a VPN connection between the remote access VPN server and the remote clients.

IP Address Pool Subnet/Ranges

The IP address ranges for a local pool that will be used to allocate an internal IP address to a client. Remote clients are assigned IP addresses from this pool. Separate multiple entries with commas. The default is 172.16.0.1-172.16.4.254.

Backup Servers IP Address The IP addresses of the servers to be used as backups for the Easy VPN or remote access IPSec VPN server. The router tries to connect to these servers if the primary connection to the Easy VPN or remote access VPN server fails. Separate multiple entries with commas.

PIX Only Attributes These attributes apply only to PIX 6.3 devices.

• Idle Time—The timeout period for VPN connections, in seconds. If no communication occurs on the connection during this period, the device terminates the connection. The minimum is 60 seconds, and the maximum time is 35791394 minutes. The default is 30 minutes.

• Max Time—The maximum amount of time for VPN connections, in seconds. At the end of the time, the device terminates the connection. The minimum is 60 seconds, and the maximum is 35791394 minutes. There is no default.


Navigation Path

Select DNS/WINS from the table of contents in the Add or Edit User Group Dialog Box, page F-187.

Related Topics

• Creating User Group Objects, page 8-94

Field Reference

User Group Dialog Box—Split Tunneling

Split tunneling lets a remote client conditionally direct packets over an IPsec or SSL VPN tunnel in encrypted form or to a network interface in clear text form. With split tunneling enabled, packets not bound for destinations on the other side of the tunnel do not have to be encrypted, sent across the tunnel, decrypted, and then routed to a final destination.

The split tunneling policy is applied to a specific network. When you configure split tunneling, you can transmit both secured and unsecured traffic on the same interface. You must specify which traffic will be secured and what the destination of that traffic is, so that you have a secure tunnel to the central site, while the clear (unsecured) traffic is transmitted across the public network.

Tip For optimum security, we recommend that you not enable split tunneling.

Note Split tunneling can be applied in Easy VPN, remote access VPN, and SSL VPN configurations. For information about configuring split tunneling for SSL VPN, see User Group Dialog Box—SSL VPN Split Tunneling, page F-200.

Navigation Path

Select Split Tunneling from the table of contents in the Add or Edit User Group Dialog Box, page F-187 when configuring Easy VPN/Remote Access IPSec VPN.

Table F-135 User Group Dialog Box—DNS/WINS Settings

Element Description

Primary DNS Server The IP address of the primary DNS server for the group. Enter the IP address or the name of a network/host object, or click Select to select an object from a list or to create a new object.

Secondary DNS Server The IP address of the secondary DNS server for the group. Enter the IP address or the name of a network/host object, or click Select to select an object from a list or to create a new object.

Domain Name The domain name of the DNS server you want to configure on the user group.

Primary WINS Server The IP address of the primary WINS server for the group. Enter the IP address or the name of a network/host object, or click Select to select an object from a list or to create a new object.

Secondary WINS Server The IP address of the secondary WINS server for the group. Enter the IP address or the name of a network/host object, or click Select to select an object from a list or to create a new object.


Related Topics

• Creating User Group Objects, page 8-94

Field Reference

User Group Dialog Box—IOS Client Settings

Configure IOS client settings to define Cisco IOS specific options for your user group, including firewall settings for VPN clients.

Note These settings apply in Easy VPN and remote access IPSec VPN configurations.

Navigation Path

Select Client Settings (IOS) from the table of contents in the Add or Edit User Group Dialog Box, page F-187.

Related Topics

• Creating User Group Objects, page 8-94

Table F-136 User Group Dialog Box—Split Tunneling

Element Description

Split Tunneling The networks for which you want to tunnel traffic. Traffic to all other addresses travels in the clear and is routed by the remote user’s Internet service provider. You can identify the networks using one of these options:

• Protected Networks—Specify the networks by network addresses. Enter the addresses or network/host objects, or click Select to select the objects from a list or to create new objects. For information on specifying addresses, see Specifying IP Addresses During Policy Definition, page 8-68.

• ACL—Specify the networks using an extended access control list policy object. Enter the name of the object or click Select to select the object from a list or to create a new object.

Split DNS A list of domain names that must be tunneled or resolved to the private network. All other names will be resolved through the public DNS server.

You can enter multiple domain names separated by commas.


Field Reference

Table F-137 User Group Dialog Box—Client Settings (IOS)

Element Description

Enable Firewall Are-You-There

(Not available on 7600 series or ASR routers.)

This feature may be used if a VPN client is running the Black Ice or Zone Alarm personal firewall.

When selected, it ensures that the personal firewall is running at connection time and throughout the connection. The Firewall-Are-U-There attribute is sent by the Black Ice and Zone Alarm personal firewalls if the server prompts them to do so. If the personal firewall stops running, the connection is terminated. If this feature is enabled and there is no personal firewall running on the server, the connection is never established.

Mode A Central Policy Push (CPP) firewall policy on a server allows or denies a tunnel on the basis of whether the remote device has a required firewall for a local AAA server.

The Mode option specifies whether the Central Policy Push (CPP) policy is optional or mandatory, as follows:

• Optional—If the CPP policy is defined as optional, and is included in the Easy VPN server configuration, the tunnel setup is continued even if the client does not confirm the defined policy.

• Required—If the CPP policy is defined as mandatory and is included in the Easy VPN server configuration, the tunnel setup is allowed only if the client confirms this policy. Otherwise, the tunnel is terminated.

Firewall Type The type of firewall that you are making required or optional. The list shows all of the supported firewall software, which includes software from Cisco and Zone Labs.

Policy Type Specifies the CPP firewall policy type:

• Check Presence—Instructs the server to check for the presence of the specified firewall type.

• Central Policy Push—The actual policy, such as the input and output access lists, that must be applied by the specified client firewall type. Specify the following:

– The access control list to be used. Enter the name of the extended ACL object or click Select to select it from a list or to create a new object.

– The direction of the access control list—Inbound or Outbound.

Include Local LAN Whether to allow a non-split-tunneling connection to access the local LAN at the same time as the client.

Perfect Forward Secrecy Whether to enable Perfect Forward Secrecy (PFS). If PFS is enabled, the server is configured to notify the client of the central-site policy about whether PFS is required for any IPsec SA. The Diffie-Hellman (D-H) group that is proposed for PFS is the same that was negotiated in Phase 1 of the IKE negotiation.


User Group Dialog Box—IOS Xauth Options

IOS Xauth options configure IKE Extended Authentication (Xauth) user authentication and connection parameters for the user group, including the banner text.

Note These settings apply in Easy VPN and remote access VPN configurations.

Navigation Path

Select Xauth Options (IOS) from the table of contents in the Add or Edit User Group Dialog Box, page F-187.

Related Topics

• Creating User Group Objects, page 8-94

Field Reference

Table F-138 User Group Dialog Box—IOS Xauth Options

Element Description

Banner The banner text that is displayed to Easy VPN remote clients during Xauth and web-based activation the first time the Easy VPN tunnel is brought up. A maximum of 1024 characters is allowed.

Maximum Logins Per User The maximum number of connections a user can establish simultaneously. The maximum is 10.

Maximum Connections The maximum number of client connections to the Easy VPN Server from this group. The maximum is 5000 per group.

Enable Group-Lock Whether to enable group lock, which requires that the user enter the extended Xauth username in one of the following formats:

• username/groupname

• username\groupname

• username@groupname

• username%groupname

The group that is specified after the delimiter is then compared to the group identifier that is sent during IKE aggressive mode. The groups must match or the connection is rejected.

Note Do not select this option if you are using RSA signature authentication mechanisms such as certificates.

Enable Save Password Whether to allow users to save their Xauth password locally on the client. On subsequent authentications, users can activate the password by using the check box on the software client or by adding the username and password to the Cisco IOS hardware client profile. After users activate the password, their username and password are sent to the server automatically during Xauth.

This option is useful only if users have static passwords, that is, they are not one-time passwords such as those that are generated by a token.
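The group-lock check described for the Enable Group-Lock option splits the extended Xauth username at one of four delimiters and compares the group part with the group identifier sent during IKE aggressive mode. The following Python script is an added example written for this page; it is not code from Security Manager or Cisco. The four delimiters are taken from the field description; splitting at the first delimiter character found and comparing the group part case-sensitively are assumptions made for the example, and the sample usernames are constructed.

```python
"""Group-lock username check for the Enable Group-Lock option.

Added example for this page (not Cisco/Security Manager code). The four
delimiters come from the field description; splitting at the first delimiter
found and an exact, case-sensitive comparison with the IKE group identifier
are assumptions made for this example. Sample usernames are constructed.
"""
from typing import Optional, Tuple

# username/groupname, username\groupname, username@groupname, username%groupname
GROUP_DELIMITERS = "/\\@%"


def split_group_lock_username(xauth_username: str) -> Optional[Tuple[str, str]]:
    """Split 'user<delimiter>group' into (user, group); None if the format is not met."""
    for index, char in enumerate(xauth_username):
        if char in GROUP_DELIMITERS:
            user, group = xauth_username[:index], xauth_username[index + 1:]
            if user and group:
                return user, group
            return None  # empty user or group part, e.g. "@sales" or "alice/"
    return None  # no delimiter at all


def group_lock_decision(xauth_username: str, ike_group_id: str) -> Tuple[bool, str]:
    """Return (accept, reason) for an Xauth login when group lock is enabled.

    ike_group_id is the group identifier the client sent during IKE
    aggressive mode. The reason string is meant for the AAA/VPN log so a
    mismatch is visible to the operator, not only as a failed login.
    """
    parsed = split_group_lock_username(xauth_username)
    if parsed is None:
        return False, "rejected: username is not in user<delimiter>group form"
    user, group = parsed
    if group != ike_group_id:
        return False, f"rejected: Xauth group {group!r} does not match IKE group {ike_group_id!r}"
    return True, f"accepted: user {user!r} in group {group!r}"


if __name__ == "__main__":
    # Constructed sample logins; the IKE group identifier is "sales" for all of them.
    for name in ("alice/sales", "bob@sales", "carol%engineering", "dave"):
        accepted, reason = group_lock_decision(name, "sales")
        print(f"{name:20} -> {reason}")
```

Returning the reason alongside the boolean is deliberate: when group lock rejects a connection, the log entry should show whether the username lacked a delimiter or the group simply did not match the IKE identifier, since the two cases are fixed in different places (the client profile versus the user group assignment).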


User Group Dialog Box—IOS Client VPN Software Update

Use the Client VPN Software Update (IOS) settings to define, for each client VPN software package installed for your user group, the platform type, the VPN Client revisions, and the image URL from which an IOS VPN client downloads the package.

The Client Update feature is supported on IOS routers version 12.4(2)T and later, and Catalyst 6500/7600 devices version 12.2(33)SRA and later.

• To add a client, click the Add Row button to open the Add/Edit Client Update Dialog Box, page F-195.

• To edit a client, select it and click the Edit Row button.

• To delete a client, select it and click the Delete Row button.

Note These settings apply in Easy VPN and remote access VPN configurations.

Navigation Path

Select Client VPN Software Update (IOS) from the table of contents in the Add or Edit User Group Dialog Box, page F-187.

Related Topics

• Creating User Group Objects, page 8-94

Add/Edit Client Update Dialog Box

Use the Add or Edit Client Update dialog box to configure the platform type, image URL, and VPN Client revisions for a client VPN software package.

Navigation Path

Open the User Group Dialog Box—IOS Client VPN Software Update, page F-195, then click Add Row, or select an item in the table and click Edit Row.

Related Topics

• Add or Edit User Group Dialog Box, page F-187

Field Reference

Table F-139 Add or Edit Client Update Dialog Box

Element Description

System Type The platform on which the IOS VPN client operates.

• All Windows (Default)—This option includes any Windows platform for which a VPN client is available.

• Macintosh OS X

IOS Image URL Enter the URL from which the client can be downloaded. The URL must start with http:// or https://.

IOS VPN Client Revisions Enter the revision level of the VPN client. You can specify more than one client revision separated by commas.


User Group Dialog Box—Advanced PIX Options

The Advanced PIX Options are specifically for PIX 6.3 Firewalls in your user group.

Note These settings apply in Easy VPN and remote access VPN configurations.

Navigation Path

Select Advanced Options (PIX) from the table of contents in the Add or Edit User Group Dialog Box, page F-187.

Related Topics

• Creating User Group Objects, page 8-94

Field Reference

Table F-140 User Group Dialog Box—Advanced PIX Options

Element Description

User Idle Timeout (sec) The length of time that a VPN tunnel can remain open without user activity, in seconds. Values range from 60-86400 seconds.

User Authentication Server The AAA server to which remote devices send user authentication requests. Enter the name of the server group or click Select to select it from a list or to create a new group. See Understanding AAA Server and Server Group Objects, page 8-15.

Enable Device Pass-Through Whether to use Media Access Control (MAC) addresses to bypass authentication for devices, such as Cisco IP phones, that do not support AAA authentication.

When MAC-based AAA exemption is enabled, the device bypasses the AAA server for traffic that matches both the MAC address of the device and the IP address that was dynamically assigned by a DHCP server. Authorization services are disabled automatically when you bypass authentication. Accounting records continue to be generated (if enabled), but the username is not displayed.

Enable Secure Unit Authentication

Whether to provide increased security when allowing access to the device from a remote client.

With Secure Unit Authentication (SUA), you can use one-time passwords, two-factor authentication, and similar authentication schemes to authenticate the remote device during Extended Authentication (Xauth).

SUA is specified in the VPN policy on the device and is downloaded to the remote client. This enables SUA and determines the connection behavior of the remote client.

Enable User Authentication Whether to enable Individual User Authentication (IUA), which supports individually authenticating clients on the inside network of the remote access VPN, based on the IP address of each inside client. IUA supports both static and OTP authentication mechanisms.


User Group Dialog Box—Clientless Settings

Use the Clientless settings to configure the clientless mode of access to the corporate network in an SSL VPN.

In clientless access mode, once a user is authenticated and a session is established, an SSL VPN portal page and toolbar are displayed in the user’s web browser. From the portal page, the user can access all available HTTP sites, access web e-mail, and browse Common Internet File System (CIFS) file servers.

Navigation Path

Select Clientless from the table of contents in the Add or Edit User Group Dialog Box, page F-187.

Related Topics

• Clientless and Thin Client Access Modes Page, page H-9

• Creating User Group Objects, page 8-94

Field Reference

Table F-141 User Group Dialog Box—Clientless Settings

Element Description

Portal Page Websites The name of the SSL VPN bookmarks policy object that includes the web site URLs to display on the portal page. These web sites help users access desired resources. Enter the name of the object or click Select to select it from a list or to create a new object.

Allow Users to Enter Websites

Whether to allow the remote user to enter web site URLs directly into the browser. If you do not select this option, the user can access only those URLs included on the portal.

Enable Common Internet File System (CIFS)

In Clientless mode, files and directories created on Microsoft Windows servers can be accessed by the remote client through the web browser. When you enable the Common Internet File System (CIFS), a list of file server and directory links is displayed on the portal page after login.

The CIFS protocol lets you customize permissions on the SSL VPN gateway to allow shared files to be accessed or modified by the remote client, as follows:

• Enable File Browsing—Whether to allow the remote user to browse for file shares on the CIFS file servers.

• Enable File Entry—Whether to allow the remote user to locate file shares on the CIFS file servers by entering the names of the file shares.

WINS Server List The name of the WINS server list policy object that identifies the WINS/NetBIOS servers to use for resolving file server names. You should supply an object if you enable CIFS. Enter the name of the object or click Select to select it from a list or to create a new object.

Enable Citrix Whether to enable remote clients to run Citrix-enabled applications, such as Microsoft Word or Excel, through the SSL VPN as if the application were locally installed, without the need for client software. The Citrix software must be installed on one or more servers on a network that the router can reach.


User Group Dialog Box—Thin Client Settings

Use the Thin Client settings to enable the thin client, or port forwarding, mode of access to the corporate network in an SSL VPN. Port forwarding allows users to access applications (such as Telnet, e-mail, VNC, SSH, and Terminal services) inside the enterprise through an SSL VPN session. A port forwarding list object defines the mappings of port numbers on the remote client to the application’s IP address and port behind the SSL VPN gateway.

In thin client access mode, the remote user downloads a Java applet that acts as a TCP proxy on the client machine for the services configured on the SSL VPN gateway. The proxy provides the port forwarding services.

Navigation Path

Select Thin Client from the table of contents in the Add or Edit User Group Dialog Box, page F-187.

Related Topics

• Creating User Group Objects, page 8-94

• Clientless and Thin Client Access Modes Page, page H-9

Field Reference

User Group Dialog Box—SSL VPN Full Tunnel Settings

Use the SSL VPN Full Tunnel settings to enable the full tunnel client access mode in your SSL VPN. When you enable full tunnel access, you should also define DNS/WINS server settings, browser proxy settings, and split tunneling for the user group.

In full tunnel client access mode, the tunnel connection is determined by the group policy configuration. The full tunnel client software, SSL VPN Client (SVC), must be downloaded to the remote client so that a tunnel connection can be established when the remote user logs in to the SSL VPN gateway.

Tip For full tunnel client access to work, you must install the client software on the gateway. The user downloads the client when connecting to the gateway.

Table F-142 User Group Dialog Box—Thin Client Settings

Element Description

Enable Thin Client Whether to allow thin client access to the SSL VPN.

Port Forward List The name of the port forwarding list policy object assigned to this group. Port forwarding lists contain the set of applications that users of clientless SSL VPN sessions can access over forwarded TCP ports. Enter the name of the object or click Select to select it from a list or to create a new object.

Download Port Forwarding Applet on Client Login

Whether the port forwarding Java applet should be automatically downloaded to the client when a user logs into the SSL VPN. If you do not automatically download the applet, users must download it manually after login.


Navigation Path

Select Full Tunnel > Settings from the table of contents in the Add or Edit User Group Dialog Box, page F-187.

Related Topics

• Creating User Group Objects, page 8-94

• Full Tunnel Dialog Box, page H-7

Field Reference

Table F-143 User Group Dialog Box—Full Tunnel Settings

Element Description

Enable Full Tunnel Whether to enable full tunnel client access to the SSL VPN.

Use Other Access Modes if SSL VPN Client Download Fails / Full Tunnel Only

Whether to allow users to connect to the SSL VPN even if a problem prevents the client from downloading, installing, and starting correctly on the user’s system.

If you select Full Tunnel Only, a user cannot connect to the SSL VPN if the download fails, which locks the user out of the network. Select Use Other Access Modes to allow clientless or thin client access if there is a download problem.

Client IP Address Pool The IP address ranges of the address pool that full tunnel clients will draw from when they log on. The address pool must be in the same subnet as one of the device’s interface IP addresses.

Enter the address range separating the first and last IP address with a hyphen, for example, 10.100.10.2-10.100.10.255. If you enter a single address, the pool has just one address. Do not enter subnet designations.

You can also enter the name of a network/host policy object that defines the range, or click Select to select the object from a list or to create a new object. Separate multiple ranges with commas.
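The Client IP Address Pool field above, like the IP Address Pool Subnet/Ranges field on the General Settings page, accepts comma-separated first-last ranges or single addresses, rejects subnet designations, and (for full tunnel clients) must lie in the subnet of one of the device's interface addresses. The following Python script is an added example written for this page, not code from Security Manager or Cisco; it validates a pool string against those rules before the configuration is deployed. The interface table and the sample pools are constructed, and the check that a pool does not contain an interface's own address is an extra check added here, not a rule stated on the page.

```python
"""Validation of the Client IP Address Pool / IP Address Pool fields.

Added example for this page (not Cisco/Security Manager code). Rules from the
field descriptions: comma-separated ranges written first-last, a single
address meaning a one-address pool, no subnet designations, and every range
inside the subnet of one of the device's interface addresses. The interface
table is a constructed assumption; the interface-address collision check is
an extra check added here, not a rule from the page.
"""
import ipaddress
from typing import Dict, List, Tuple

Range = Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]


def parse_pool(text: str) -> List[Range]:
    """Parse '10.100.10.2-10.100.10.255, 10.100.11.5' into (first, last) pairs."""
    ranges: List[Range] = []
    for item in text.split(","):
        item = item.strip()
        if not item:
            continue
        if "/" in item:
            raise ValueError(f"subnet designations are not allowed in a pool: {item!r}")
        if "-" in item:
            first_s, last_s = item.split("-", 1)
            first = ipaddress.ip_address(first_s.strip())
            last = ipaddress.ip_address(last_s.strip())
        else:
            first = last = ipaddress.ip_address(item)  # single address: one-address pool
        if first.version != last.version or last < first:
            raise ValueError(f"invalid range: {item!r}")
        ranges.append((first, last))
    return ranges


def pool_size(ranges: List[Range]) -> int:
    """Number of addresses the pool can hand out (capacity planning for the group)."""
    return sum(int(last) - int(first) + 1 for first, last in ranges)


def overlapping_ranges(ranges: List[Range]) -> List[Tuple[Range, Range]]:
    """Pairs of ranges that share at least one address (usually a mis-typed pool)."""
    hits = []
    for i, a in enumerate(ranges):
        for b in ranges[i + 1:]:
            if a[0].version == b[0].version and a[0] <= b[1] and b[0] <= a[1]:
                hits.append((a, b))
    return hits


def interface_addresses_in_pool(ranges: List[Range], interfaces: Dict[str, str]) -> List[str]:
    """Names of interfaces whose own address would be handed to a client (extra check)."""
    out = []
    for name, cidr in interfaces.items():
        ip = ipaddress.ip_interface(cidr).ip
        if any(ip.version == first.version and first <= ip <= last for first, last in ranges):
            out.append(name)
    return out


def validate_pool(text: str, interfaces: Dict[str, str]) -> List[str]:
    """Return a list of problems with the pool text; an empty list means it passes.

    interfaces maps interface name -> 'address/prefix' as configured on the device.
    """
    try:
        ranges = parse_pool(text)
    except ValueError as err:
        return [str(err)]
    problems = []
    for a, b in overlapping_ranges(ranges):
        problems.append(f"ranges {a[0]}-{a[1]} and {b[0]}-{b[1]} overlap")
    subnets = [ipaddress.ip_interface(cidr).network for cidr in interfaces.values()]
    for first, last in ranges:
        if not any(first in s and last in s for s in subnets):
            problems.append(f"range {first}-{last} is not inside any interface subnet")
    for name in interface_addresses_in_pool(ranges, interfaces):
        problems.append(f"pool includes the address of interface {name}")
    return problems


if __name__ == "__main__":
    # Constructed device interfaces (not from the page).
    interfaces = {"inside": "10.100.10.1/24", "dmz": "10.100.20.1/24"}
    for pool in ("10.100.10.2-10.100.10.255", "10.100.10.0/24",
                 "172.16.0.1-172.16.4.254", "10.100.10.1-10.100.10.50"):
        print(f"{pool:28} -> {validate_pool(pool, interfaces) or 'OK'}")
```

A range that straddles two interface subnets fails the subnet check because both its first and last address must fall in the same subnet; a range that passes the check but contains the interface's own address is reported separately so the administrator can shorten it by one address rather than rewrite it.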

Filter ACL The name of an extended access control list (ACL) object that restricts access to the SSL VPN. Enter the name of the object or click Select to select it from a list or to create a new object.

Keep SSL VPN Client on Client Computer

Whether to leave the full client installed on the user’s workstation after the user disconnects. If you do not allow the client to remain on the user’s system, the client must be downloaded each time the user establishes a connection to the SSL VPN gateway.

Home Page URL The web address of the login home page for the full client.

Client Dead Peer Detection Timeout

The Dead Peer Detection (DPD) timer for the client side of the tunnel. The timer is reset to this interval each time a packet is received over the SSL VPN tunnel from the remote user. Enter a value in the range 1-3600 seconds.

Gateway Dead Peer Detection Timeout

The Dead Peer Detection (DPD) timer for the gateway side of the tunnel. The timer is reset to this interval each time a packet is received over the SSL VPN tunnel from the gateway. Enter a value in the range 1-3600 seconds.


User Group Dialog Box—SSL VPN Split Tunneling

Use the Split Tunneling settings to configure a secure tunnel to the central site and simultaneous clear text tunnels to the Internet for SSL VPNs.

Split tunneling lets a remote client conditionally direct packets over an IPsec or SSL VPN tunnel in encrypted form or to a network interface in clear text form. With split tunneling enabled, packets not bound for destinations on the other side of the tunnel do not have to be encrypted, sent across the tunnel, decrypted, and then routed to a final destination. The split tunneling policy is applied to specific networks.

Tip For optimum security, we recommend that you not enable split tunneling.

Navigation Path

Select Full Tunnel > Split Tunneling from the table of contents in the Add or Edit User Group Dialog Box, page F-187.

Related Topics

• Creating User Group Objects, page 8-94

Table F-143 User Group Dialog Box—Full Tunnel Settings (Continued)

Element Description

Key Renegotiation Method The method by which the tunnel key is refreshed for the remote user group client:

• Disabled—Disables the tunnel key refresh.

• Create New Tunnel—Initiates a new tunnel connection. Enter the time interval (in seconds) between the tunnel refresh cycles in the Interval field.


Field Reference

User Group Dialog Box—Browser Proxy Settings

Use the Browser Proxy settings to configure proxy bypass for full tunnel access in an SSL VPN.

A security appliance can terminate HTTPS connections and forward HTTP/HTTPS requests to HTTP and HTTPS proxy servers, which act as intermediaries between users and the Internet. Proxy bypass is an alternative method of content rewriting that makes minimal changes to the original content. It is useful with custom web applications.

Table F-144 User Group Dialog Box—Split Tunneling Settings

Element Description

Tunnel Option Whether to allow split tunneling and if so, which traffic should be secured or transmitted unencrypted across the public network:

• Disabled—(Default) No traffic goes in the clear or to any other destination than the gateway. Remote users reach networks through the corporate network and do not have access to local networks.

• Tunnel Specified Traffic—Tunnel all traffic from or to the addresses listed in the Destinations field. Traffic to all other addresses travels in the clear and is routed by the remote user’s Internet service provider.

• Exclude Specified Traffic—Traffic goes in the clear from and to the addresses listed in the Destinations field. This is useful for remote users who want to access devices on their local network, such as printers, while they are connected to the corporate network through a tunnel.

Destinations The IP addresses for hosts or networks that identify the networks that require traffic to travel across the tunnel and those that do not require tunneling. Whether traffic to these addresses is encrypted and tunneled to the gateway, or sent in the clear, is determined by your selection for Tunnel Option.

Enter network addresses such as 10.100.10.0/24 or host addresses such as 10.100.10.12. You can also enter the name of a network/host policy object, or click Select to select the object from a list or to create a new object. Separate multiple addresses with commas.

Exclude Local LANs Whether to exclude local LANs from the encrypted tunnel. This option is available only if you selected the Exclude Specified Traffic tunnel option. By selecting this option, you do not have to enter local LAN addresses into the destinations field to allow users to communicate with systems (such as printers) that are attached to their LAN.

When selected, this attribute disallows a non-split-tunneling connection from accessing the local subnetwork at the same time as the client.

Split DNS Names A list of domain names to be resolved through the split tunnel to the private network. All other names are resolved using the public DNS server.

Enter up to 10 entries in the list of domains, separated by commas. The entire string can be no longer than 255 characters.
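The Tunnel Option, Destinations and Exclude Local LANs fields in Table F-144, and the Protected Networks option of the IPsec split tunneling page (Table F-136), decide for each destination whether a packet is encrypted into the tunnel or sent in the clear. The following Python script is an added example written for this page; it is not code from Security Manager or Cisco. It models that decision on the client side so that an administrator can list exactly which destinations a given policy would leave unencrypted before enabling split tunneling (which the Tip above recommends against). The option names, the `local_lans` parameter (standing in for the client's own directly connected subnets) and the sample destinations are constructed assumptions; the IPsec page's Protected Networks field is treated as equivalent to Tunnel Specified Traffic.

```python
"""Model of the split tunneling decision made per destination packet.

Added example for this page (not Cisco/Security Manager code). The three
Tunnel Option values and the Destinations / Exclude Local LANs fields follow
Table F-144; the IPsec page's Protected Networks field behaves like
"Tunnel Specified Traffic". The client-side local LAN list is an assumption
used to model the Exclude Local LANs behaviour. Sample values are constructed.
"""
import ipaddress
from typing import List, Sequence

# Tunnel Option values as shown in the dialog box.
DISABLED = "Disabled"
TUNNEL_SPECIFIED = "Tunnel Specified Traffic"
EXCLUDE_SPECIFIED = "Exclude Specified Traffic"


def parse_destinations(text: str) -> list:
    """Parse the comma-separated Destinations field.

    Accepts network addresses such as 10.100.10.0/24 and host addresses such
    as 10.100.10.12 (stored as a /32). Raises ValueError on anything else.
    """
    nets = []
    for item in text.split(","):
        item = item.strip()
        if item:
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def _in_any(addr, networks) -> bool:
    # Membership test is version-aware: an IPv4 address is never in an IPv6 network.
    return any(addr in net for net in networks)


def is_tunneled(dst: str, option: str, destinations, exclude_local_lans: bool = False,
                local_lans: Sequence = ()) -> bool:
    """True if traffic to dst is encrypted into the tunnel, False if it travels in the clear."""
    addr = ipaddress.ip_address(dst)
    if option == DISABLED:
        # Everything goes to the gateway; no clear-text traffic at all.
        return True
    if option == TUNNEL_SPECIFIED:
        # Only listed destinations are tunneled; the rest is routed by the ISP in the clear.
        return _in_any(addr, destinations)
    if option == EXCLUDE_SPECIFIED:
        # Listed destinations (and, optionally, the client's own LAN) go in the clear.
        if exclude_local_lans and _in_any(addr, local_lans):
            return False
        return not _in_any(addr, destinations)
    raise ValueError(f"unknown Tunnel Option: {option!r}")


def clear_text_destinations(samples: Sequence[str], option: str, destinations,
                            exclude_local_lans: bool = False, local_lans: Sequence = ()) -> List[str]:
    """The subset of sample destinations the policy would send unencrypted.

    This is the list to review before enabling split tunneling for a group.
    """
    return [d for d in samples
            if not is_tunneled(d, option, destinations, exclude_local_lans, local_lans)]


if __name__ == "__main__":
    # Constructed sample values (not from the page): a corporate /24 plus one host.
    dests = parse_destinations("10.100.10.0/24, 10.100.10.12")
    samples = ["10.100.10.5", "10.100.10.12", "203.0.113.7", "192.168.1.20"]
    client_lans = parse_destinations("192.168.1.0/24")
    for option in (DISABLED, TUNNEL_SPECIFIED, EXCLUDE_SPECIFIED):
        clear = clear_text_destinations(samples, option, dests, True, client_lans)
        print(f"{option:26} clear-text: {clear or 'none'}")
```

Running the script shows the asymmetry between the two enabled options: under Tunnel Specified Traffic the corporate networks are protected and everything else is exposed to the remote user's ISP, whereas under Exclude Specified Traffic the listed destinations (typically the user's own LAN devices, such as printers) are the only clear-text traffic and the Internet is reached through the gateway.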


Tip The browser proxy settings work only for Microsoft Internet Explorer; they do not work for other types of browsers.

Navigation Path

Select Full Tunnel > Browser Proxy Settings from the table of contents in the Add or Edit User Group Dialog Box, page F-187.

Related Topics

• Creating User Group Objects, page 8-94

• Defining Proxies and Proxy Bypass Rules, page 10-50

Field Reference

User Group Dialog Box—SSL VPN Connection Settings

Use this SSL VPN Connection Settings page to configure the SSL VPN session connection settings for the user group, including the banner text. An SSL VPN session is disconnected if the client is connected longer than the session timeout or if it is idle longer than the idle timeout.

Table F-145 User Group Dialog Box—Browser Proxy Settings

Element Description

Browser Proxy Option Whether and how to configure proxy settings on the remote client’s browser:

• Blank—Do not configure proxy settings.

• Do Not Use Proxy Server—Configure the browser to not use a proxy.

• Automatically Detect Settings—Configure the browser to automatically detect proxy settings.

• Bypass Proxy Server for Local Addresses—Configure the browser to bypass proxy settings configured by the user.

Proxy Server The address of the proxy server:

• IP address—The IP address or the name of a network/host object that specifies the address. Click Select to select the object from a list.

• Name—The fully qualified domain name, for example, proxy.example.com.

Proxy Server Port The port number on the server that is used for proxy traffic, for example, 80. Enter a value in the range 1-65535.

Do Not Use Proxy Server for Addresses Beginning With

If you configured a proxy, you can identify specific hosts for which the proxy should be bypassed. If the user opens these hosts in the browser, the proxy is not used in the connection.

Enter full IP addresses or fully qualified domain names. For example, 10.100.10.14 or www.cisco.com.

F-202User Guide for Cisco Security Manager 3.3

OL-19983-01

Page 203: €¦ · F-1 User Guide for Cisco Security Manager 3.3 OL-19983-01 APPENDIX F Policy Object Manager User Interface Reference The Policy Object Manager is used to create and glob ally

Appendix F Policy Object Manager User Interface ReferencePolicy Object Add or Edit Dialog Boxes

Navigation Path

Select Connection Settings from the table of contents in the Add or Edit User Group Dialog Box, page F-187.

Related Topics

• Creating User Group Objects, page 8-94

Field Reference

Table F-146 User Group Dialog Box—Connection Settings

Element Description

Idle Timeout The idle timeout period for the SSL VPN session. The session is disconnected if the client is idle longer than the specified idle timeout. Values range from 0-3600 seconds.

Session Timeout The timeout period for the SSL VPN session. The session is disconnected when this timeout is reached even if the user is still active. Values range from 1-1209600 seconds.

Banner Text The banner, for example, a welcome message, that is displayed to remote users when they connect to the SSL VPN.

You cannot use double quotes or new lines (carriage returns) in the banner text. However, you can include HTML tags to create the desired layout.

Add or Edit WINS Server List Dialog Box

Use the WINS Server Lists dialog box to create, copy, and edit WINS server list objects. A WINS Server List object defines a list of Windows Internet Naming Server (WINS) servers, which are used to translate Windows file server names to IP addresses.

Navigation Path

Select Tools > Policy Object Manager, then select WINS Server Lists from the Object Type Selector. Right-click inside the work area and select New Object or right-click a row and select Edit Object.

Related Topics

• Configuring WINS/NetBIOS Name Service (NBNS) Servers To Enable File System Access in SSL VPNs, page 8-89

• Policy Object Manager Window, page F-1

Field Reference

Table F-147 WINS Server Lists Dialog Box

Element Description

Name The object name, which can be up to 128 characters. Object names are not case-sensitive. For more information, see Creating Policy Objects, page 8-4.

Description An optional description of the object.

WINS Server List The WINS servers that are defined for the object.

• To add a server, click the Add button and fill in the Add WINS Server dialog box (see Add or Edit WINS Server Dialog Box, page F-204).

• To edit a server, select it and click the Edit button.

• To delete a server, select it and click the Delete button.

Category The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6.

Allow Value Override per Device, Overrides, Edit button Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden, page 8-10 and Understanding Policy Object Overrides for Individual Devices, page 8-9.

If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.

Add or Edit WINS Server Dialog Box

Use the Add/Edit WINS Server dialog box to create a new WINS server entry or edit an existing entry in the table in the WINS Server Lists dialog box.

Navigation Path

From the Add or Edit WINS Server List Dialog Box, click the Add button beneath the WINS Server List table, or select a server in the table and click the Edit button.

Related Topics

• Configuring WINS/NetBIOS Name Service (NBNS) Servers To Enable File System Access in SSL VPNs, page 8-89

Field Reference

Table F-148 Add/Edit WINS Server Dialog Box

Element Description

Server The IP address of the WINS server used to translate Windows file server names to IP addresses. You can also enter the name of a network/host policy object that identifies the server. Click Select to choose a network/host object or to create a new object.

Set as Master Browser Whether the server is a master browser. The master browser maintains the list of computers and shared resources.

Timeout The period of time the security appliance waits for a response to a WINS query before sending the query again to the same server (if it is the only one), or to the next server (if there is more than one).

The default timeout is 2 seconds. The range is between 1 and 30 seconds.

Retries The number of times to retry sending WINS queries to the configured servers. The security appliance recycles through the list of servers this number of times before sending an error message.

The default is 2. The range is between 0 and 10.

Object Selectors

Use object selectors to select one or more objects when defining a policy or another object. You can also use object selectors to create and edit objects on the fly as an alternative to using the Policy Object Manager Window.

There are two types of object selectors:

• Single-object selectors—Used to select a single object of the required type.

• Multi-object selectors—Used to select one or more objects of the required type.

Tip You can quickly find an object inside a selector by clicking in the list box and then starting to type the name of the object.

Navigation Path

Click Select for a field on any page or dialog box that requires you to define a policy object as part of the policy or object definition, or perform another action that requires Security Manager to prompt you to select an object.

Related Topics

• Selecting Objects for Policies, page 8-2

• Allowing a Policy Object to Be Overridden, page 8-10

• Policy Objects Page, page A-35

• Filtering Items in Selectors, page 2-14

Field Reference

Table F-149 Object Selectors

Element Description

Type The type of object to display in the selector, if there is an option. For example:

• You can choose between network/host objects and interface roles when configuring sources and destinations in some rule-based policies.

• You can choose between standard and extended ACL objects when configuring some ACLs (for example, when configuring VLAN ACLs on Catalyst 6500/7600 devices).

Note After you close the selector, your selections are displayed in separate tabs in the page or dialog box in which the objects are defined.

Available [object type] Displays all objects that are relevant to the policy or object you are configuring.

Note When selecting interfaces, be aware that there may be interfaces and interface roles with the same name. They can be distinguished by the icon displayed next to the name. For more information, see Specifying Interfaces During Policy Definition, page 8-35.

Selected [object type] Displays the objects that you selected to apply to the policy or object that you are editing.

Multi-Object Selector Buttons

>> button, << button Moves the selected objects from one list to the other list in the direction indicated. You can select multiple objects by using Ctrl+click.

You can also move objects between lists by double-clicking them or by selecting them and pressing Enter.

Up/Down arrow buttons Moves the selected object up or down one row.

Applies only to selector types, such as AAA server groups, where the order of the objects is important to the configuration.

Common Buttons

Create button Click this button to create an object of this type. For example, if you click this button in the object selector for networks, the Add Network/Host dialog box is displayed.

Edit button Click this button to edit the selected user-defined object. If you try to edit a system-defined object, it is opened in read-only mode.

Object Usage Dialog Box

Use the Object Usage dialog box to view a list of all the places where a selected object is referenced, including your current activity and the data committed to the database.

Navigation Path

Do one of the following:

• Right-click an object in the Policy Object Manager Window, page F-1 and select Find Usage.

• Left-click an object in a firewall rules table, then right-click and select Find Usage.

Field Reference

Table F-150 Object Usage Dialog Box

Element Description

Used By The name of the device, policy, VPN, or object that is referencing the selected object.

Type The type of item that is referencing the selected object. This can be a device, policy, or another object.

Usage Indicates how the object is being referenced. For example, if a device is referencing the selected object, this column will indicate that it is a policy assigned to the device that is referencing the object.

Proximity Indicates the relationship between the selected object and the item that is using it. For example:

• A policy that includes a network/host object in its definition has a direct relationship with the object and an indirect relationship with any other network/host objects contained within the object.

• A device on which this policy is assigned references the network/host object directly and any other network/host objects contained within the object indirectly.

Devices, Policies, Other Objects The types of references you want to view. For example, you can deselect Devices and Policies to view only references to the object from other objects.

Policy Object Overrides Window

Use the Policy Object Overrides window to view a list of all device-level overrides that are defined for the selected object. The content displayed in the table differs depending on the type of object, but it always includes the device name, object description, and category. Sometimes the content of the object is shown, including the overrides.

• To add an override, click the Create Override button, select the devices to which you want to apply the override, and define the override.

The dialog boxes for creating and editing the override are the same ones used to create the object; click the Help button for information specific to the type of object.

The override you create applies to all policies on the device that use the object; you cannot override the object for one policy but not for another policy.

• To edit an override, select it and click the Edit Override button.

• To delete an override, select it and click the Delete Override button.

Deleting an override does not delete the object or remove the object from its device assignment. When you delete the override, the policies on the device that use the object start using the global definition for the object. This changes the meaning of the policies.

Tip You can also create and edit device-level overrides from the Device Properties window of a selected device. Using the Device Properties windows makes it easy for you to manage the overrides for all objects used by a single device. For more information, see Creating or Editing Object Overrides for a Single Device, page 8-11.

Navigation Path

Open the Policy Object Manager Window, page F-1. Select an object type that can be overridden (its object page contains a column called Overridable), then do one of the following:

• Double-click the green checkmark in the Overridable column.

• Right-click the object and select Edit Device Overrides.

• Edit the overridable object and click Edit next to the Overrides field.

Related Topics

• Understanding Policy Object Overrides for Individual Devices, page 8-9

• Allowing a Policy Object to Be Overridden, page 8-10

• Creating or Editing Object Overrides for a Single Device, page 8-11

• Creating or Editing Object Overrides for Multiple Devices At A Time, page 8-11

• Deleting Device-Level Object Overrides, page 8-12

• Filtering Tables, page 2-16

• Using Category Objects, page 8-6
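As an added illustration (not code from Cisco Security Manager or from this guide), the following Python model reproduces the Proximity logic of the Object Usage dialog (Table F-150) for nested network/host objects, and the override behaviour described above, where a device's policies use the device-level override if one is defined and revert to the global definition once it is deleted. All object, policy and device names and addresses are constructed samples.

```python
"""Added example, not Cisco Security Manager code: models nested network/host objects,
policies and devices to produce the rows of the Object Usage dialog (Used By, Type,
Usage, Proximity) and to resolve a device-level override against the global value."""
from dataclasses import dataclass, field

@dataclass
class NetObj:
    name: str
    value: str = ""                                # global definition, e.g. "10.1.1.0/24"
    members: list = field(default_factory=list)    # nested network/host objects
    overrides: dict = field(default_factory=dict)  # device name -> overriding value

def contains(obj, target):
    """True if obj is target or target is nested anywhere inside obj."""
    return obj is target or any(contains(m, target) for m in obj.members)

def proximity(refs, target):
    """'direct' when target itself is referenced, 'indirect' when only a parent of it is."""
    if any(r is target for r in refs):
        return "direct"
    return "indirect" if any(contains(r, target) for r in refs) else None

def find_usage(target, objects, policies, devices):
    """Object Usage rows for target. A policy is (name, [objects]); a device is
    (name, [policies assigned]). Returns (used by, type, usage, proximity) tuples."""
    rows = []
    for obj in objects:                    # Other Objects: groups that nest the target
        if obj is not target and (prox := proximity(obj.members, target)):
            rows.append((obj.name, "object", "nested member", prox))
    for pname, refs in policies:           # Policies that reference it
        if prox := proximity(refs, target):
            rows.append((pname, "policy", "used in policy definition", prox))
    for dname, assigned in devices:        # Devices, via the policies assigned to them
        for pname, refs in assigned:
            if prox := proximity(refs, target):
                rows.append((dname, "device", f"policy {pname} assigned", prox))
    return rows

def effective_value(obj, device):
    """What a device's policies use: its override if defined, otherwise the global value."""
    return obj.overrides.get(device, obj.value)

def sample():
    """Constructed sample: a host nested in a group, one policy, two devices, one override."""
    host = NetObj("web-srv", "10.100.10.14", overrides={"fw-west": "10.100.20.14"})
    group = NetObj("dmz-hosts", members=[host])
    policy = ("dmz-access", [group])
    return host, group, policy, [("fw-east", [policy]), ("fw-west", [policy])]
```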

Create Overrides for Device Dialog Box

Use the Create Overrides for Device dialog box to choose the devices for which you want to create device-level overrides for a selected object.

The available devices list shows the devices that have not already had overrides defined for the object. Devices with overrides are shown greyed out in the selected devices list.

To create a new override, select the devices from the available list and click >> to move them to the selected list. When you click OK, you are presented with the dialog box for defining your override, which applies to all newly selected devices. (You are not changing the override of the greyed out devices).

For more information, see Creating or Editing Object Overrides for Multiple Devices At A Time, page 8-11. For information on filtering the available devices list, see Filtering Items in Selectors, page 2-14.

Navigation Path

Open the Policy Object Overrides Window, page F-207 and click the Create Override button.
