Cisco ASA 5505 User Manual
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
Cisco ASA 5500 Series Configuration Guide using the CLI
Software Version 8.4 and 8.6 for the ASA 5505, ASA 5510, ASA 5520, ASA 5540, ASA 5550, ASA 5580, ASA 5512-X, ASA 5515-X, ASA 5525-X, ASA 5545-X, ASA 5555-X, and ASA 5585-X
Released: January 31, 2011
Updated: October 31, 2012
Text Part Number: N/A, Online only
Table of contents
- About This Guide
- Getting Started with the ASA
- Introduction to the Cisco ASA 5500 Series
- Hardware and Software Compatibility
- VPN Specifications
- New Features
- Firewall Functional Overview
- Security Policy Overview
- Permitting or Denying Traffic with Access Lists
- Applying NAT
- Protecting from IP Fragments
- Using AAA for Through Traffic
- Applying HTTP, HTTPS, or FTP Filtering
- Applying Application Inspection
- Sending Traffic to the IPS Module
- Sending Traffic to the Content Security and Control Module
- Applying QoS Policies
- Applying Connection Limits and TCP Normalization
- Enabling Threat Detection
- Enabling the Botnet Traffic Filter
- Configuring Cisco Unified Communications
- Firewall Mode Overview
- Stateful Inspection Overview
- VPN Functional Overview
- Security Context Overview
- Getting Started
- Accessing the Appliance Command-Line Interface
- Configuring ASDM Access for Appliances
- Starting ASDM
- Factory Default Configurations
- Working with the Configuration
- Applying Configuration Changes to Connections
- Managing Feature Licenses
- Supported Feature Licenses Per Model
- Information About Feature Licenses
- Guidelines and Limitations
- Configuring Licenses
- Monitoring Licenses
- Feature History for Licensing
- Configuring Firewall and Security Context Modes
- Configuring the Transparent or Routed Firewall
- Configuring the Firewall Mode
- Configuring ARP Inspection for the Transparent Firewall
- Customizing the MAC Address Table for the Transparent Firewall
- Firewall Mode Examples
- Configuring Multiple Context Mode
- Information About Security Contexts
- Licensing Requirements for Multiple Context Mode
- Guidelines and Limitations
- Default Settings
- Configuring Multiple Contexts
- Changing Between Contexts and the System Execution Space
- Managing Security Contexts
- Monitoring Security Contexts
- Configuration Examples for Multiple Context Mode
- Feature History for Multiple Context Mode
- Configuring Interfaces
- Starting Interface Configuration (ASA 5510 and Higher)
- Information About Starting ASA 5510 and Higher Interface Configuration
- Licensing Requirements for ASA 5510 and Higher Interfaces
- Guidelines and Limitations
- Default Settings
- Starting Interface Configuration (ASA 5510 and Higher)
- Task Flow for Starting Interface Configuration
- Converting In-Use Interfaces to a Redundant or EtherChannel Interface
- Enabling the Physical Interface and Configuring Ethernet Parameters
- Configuring a Redundant Interface
- Configuring an EtherChannel
- Configuring VLAN Subinterfaces and 802.1Q Trunking
- Enabling Jumbo Frame Support (Supported Models)
- Monitoring Interfaces
- Configuration Examples for ASA 5510 and Higher Interfaces
- Where to Go Next
- Feature History for ASA 5510 and Higher Interfaces
- Starting Interface Configuration (ASA 5505)
- Completing Interface Configuration (Routed Mode)
- Information About Completing Interface Configuration in Routed Mode
- Licensing Requirements for Completing Interface Configuration in Routed Mode
- Guidelines and Limitations
- Default Settings
- Completing Interface Configuration in Routed Mode
- Monitoring Interfaces
- Configuration Examples for Interfaces in Routed Mode
- Feature History for Interfaces in Routed Mode
- Completing Interface Configuration (Transparent Mode)
- Information About Completing Interface Configuration in Transparent Mode
- Licensing Requirements for Completing Interface Configuration in Transparent Mode
- Guidelines and Limitations
- Default Settings
- Completing Interface Configuration in Transparent Mode
- Monitoring Interfaces
- Configuration Examples for Interfaces in Transparent Mode
- Feature History for Interfaces in Transparent Mode
- Configuring Basic Settings
- Configuring Basic Settings
- Configuring DHCP
- Configuring Dynamic DNS
- Information About DDNS
- Licensing Requirements for DDNS
- Guidelines and Limitations
- Configuring DDNS
- Configuration Examples for DDNS
- Example 1: Client Updates Both A and PTR RRs for Static IP Addresses
- Example 2: Client Updates Both A and PTR RRs; DHCP Server Honors Client Update Request; FQDN Provided Through Configuration
- Example 3: Client Includes FQDN Option Instructing Server Not to Update Either RR; Server Overrides Client and Updates Both RRs
- Example 4: Client Asks Server To Perform Both Updates; Server Configured to Update PTR RR Only; Honors Client Request and Updates Both A and PTR RR
- Example 5: Client Updates A RR; Server Updates PTR RR
- DDNS Monitoring Commands
- Feature History for DDNS
- Configuring Objects and Access Lists
- Configuring Objects
- Configuring Objects and Groups
- Configuring Regular Expressions
- Scheduling Extended Access List Activation
- Information About Scheduling Access List Activation
- Licensing Requirements for Scheduling Access List Activation
- Guidelines and Limitations for Scheduling Access List Activation
- Configuring and Applying Time Ranges
- Configuration Examples for Scheduling Access List Activation
- Feature History for Scheduling Access List Activation
- Information About Access Lists
- Adding an Extended Access List
- Adding an EtherType Access List
- Information About EtherType Access Lists
- Licensing Requirements for EtherType Access Lists
- Guidelines and Limitations
- Default Settings
- Configuring EtherType Access Lists
- What to Do Next
- Monitoring EtherType Access Lists
- Configuration Examples for EtherType Access Lists
- Feature History for EtherType Access Lists
- Adding a Standard Access List
- Adding a Webtype Access List
- Adding an IPv6 Access List
- Information About IPv6 Access Lists
- Licensing Requirements for IPv6 Access Lists
- Prerequisites for Adding IPv6 Access Lists
- Guidelines and Limitations
- Default Settings
- Configuring IPv6 Access Lists
- Monitoring IPv6 Access Lists
- Configuration Examples for IPv6 Access Lists
- Where to Go Next
- Feature History for IPv6 Access Lists
- Configuring Logging for Access Lists
- Configuring IP Routing
- Routing Overview
- Configuring Static and Default Routes
- Defining Route Maps
- Configuring OSPF
- Information About OSPF
- Licensing Requirements for OSPF
- Guidelines and Limitations
- Configuring OSPF
- Customizing OSPF
- Redistributing Routes Into OSPF
- Configuring Route Summarization When Redistributing Routes Into OSPF
- Configuring Route Summarization Between OSPF Areas
- Configuring OSPF Interface Parameters
- Configuring OSPF Area Parameters
- Configuring OSPF NSSA
- Defining Static OSPF Neighbors
- Configuring Route Calculation Timers
- Logging Neighbors Going Up or Down
- Restarting the OSPF Process
- Configuration Example for OSPF
- Monitoring OSPF
- Feature History for OSPF
- Configuring RIP
- Configuring Multicast Routing
- Information About Multicast Routing
- Licensing Requirements for Multicast Routing
- Guidelines and Limitations
- Enabling Multicast Routing
- Customizing Multicast Routing
- Configuration Example for Multicast Routing
- Additional References
- Feature History for Multicast Routing
- Configuring EIGRP
- Information About EIGRP
- Licensing Requirements for EIGRP
- Guidelines and Limitations
- Configuring EIGRP
- Customizing EIGRP
- Defining a Network for an EIGRP Routing Process
- Configuring Interfaces for EIGRP
- Configuring the Summary Aggregate Addresses on Interfaces
- Changing the Interface Delay Value
- Enabling EIGRP Authentication on an Interface
- Defining an EIGRP Neighbor
- Redistributing Routes Into EIGRP
- Filtering Networks in EIGRP
- Customizing the EIGRP Hello Interval and Hold Time
- Disabling Automatic Route Summarization
- Configuring Default Information in EIGRP
- Disabling EIGRP Split Horizon
- Restarting the EIGRP Process
- Monitoring EIGRP
- Configuration Example for EIGRP
- Feature History for EIGRP
- Configuring IPv6 Neighbor Discovery
- Information About IPv6 Neighbor Discovery
- Licensing Requirements for IPv6 Neighbor Discovery
- Guidelines and Limitations
- Default Settings for IPv6 Neighbor Discovery
- Configuring the Neighbor Solicitation Message Interval
- Configuring the Neighbor Reachable Time
- Configuring the Router Advertisement Transmission Interval
- Configuring the Router Lifetime Value
- Configuring DAD Settings
- Configuring IPv6 Addresses on an Interface
- Suppressing Router Advertisement Messages
- Configuring the IPv6 Prefix
- Configuring a Static IPv6 Neighbor
- Monitoring IPv6 Neighbor Discovery
- Additional References
- Feature History for IPv6 Neighbor Discovery
- Configuring Network Address Translation
- Information About NAT
- Configuring Network Object NAT
- Information About Network Object NAT
- Licensing Requirements for Network Object NAT
- Prerequisites for Network Object NAT
- Guidelines and Limitations
- Default Settings
- Configuring Network Object NAT
- Monitoring Network Object NAT
- Configuration Examples for Network Object NAT
- Providing Access to an Inside Web Server (Static NAT)
- NAT for Inside Hosts (Dynamic NAT) and NAT for an Outside Web Server (Static NAT)
- Inside Load Balancer with Multiple Mapped Addresses (Static NAT, One-to-Many)
- Single Address for FTP, HTTP, and SMTP (Static NAT-with-Port-Translation)
- DNS Server on Mapped Interface, Web Server on Real Interface (Static NAT with DNS Modification)
- DNS Server and Web Server on Mapped Interface, Web Server is Translated (Static NAT with DNS Modification)
- Feature History for Network Object NAT
- Configuring Twice NAT
- Configuring Service Policies Using the Modular Policy Framework
- Configuring a Service Policy Using the Modular Policy Framework
- Information About Service Policies
- Licensing Requirements for Service Policies
- Guidelines and Limitations
- Default Settings
- Task Flows for Configuring Service Policies
- Identifying Traffic (Layer 3/4 Class Maps)
- Defining Actions (Layer 3/4 Policy Map)
- Applying Actions to an Interface (Service Policy)
- Monitoring Modular Policy Framework
- Configuration Examples for Modular Policy Framework
- Feature History for Service Policies
- Configuring Special Actions for Application Inspections (Inspection Policy Map)
- Configuring Access Control
- Configuring Access Rules
- Information About Access Rules
- Licensing Requirements for Access Rules
- Prerequisites
- Guidelines and Limitations
- Default Settings
- Configuring Access Rules
- Monitoring Access Rules
- Configuration Examples for Permitting or Denying Network Access
- Feature History for Access Rules
- Configuring AAA Servers and the Local Database
- Information About AAA
- Information About Authentication
- Information About Authorization
- Information About Accounting
- Summary of Server Support
- RADIUS Server Support
- TACACS+ Server Support
- RSA/SDI Server Support
- NT Server Support
- Kerberos Server Support
- LDAP Server Support
- HTTP Forms Authentication for Clientless SSL VPN
- Local Database Support, Including as a Fallback Method
- How Fallback Works with Multiple Servers in a Group
- Using Certificates and User Login Credentials
- Licensing Requirements for AAA Servers
- Guidelines and Limitations
- Configuring AAA
- Task Flow for Configuring AAA
- Configuring AAA Server Groups
- Configuring Authorization with LDAP for VPN
- Configuring LDAP Attribute Maps
- Adding a User Account to the Local Database
- Managing User Passwords
- Changing User Passwords
- Authenticating Users with a Public Key for SSH
- Differentiating User Roles Using AAA
- Monitoring AAA Servers
- Additional References
- Feature History for AAA Servers
- Configuring the Identity Firewall
- Configuring Management Access
- Configuring ASA Access for ASDM, Telnet, or SSH
- Configuring CLI Parameters
- Configuring ICMP Access
- Configuring Management Access Over a VPN Tunnel
- Configuring AAA for System Administrators
- Information About AAA for System Administrators
- Licensing Requirements for AAA for System Administrators
- Prerequisites
- Guidelines and Limitations
- Default Settings
- Configuring Authentication for CLI and ASDM Access
- Configuring Authentication to Access Privileged EXEC Mode (the enable Command)
- Limiting User CLI and ASDM Access with Management Authorization
- Configuring Command Authorization
- Configuring Management Access Accounting
- Viewing the Currently Logged-In User
- Recovering from a Lockout
- Setting a Management Session Quota
- Feature History for Management Access
- Configuring AAA Rules for Network Access
- AAA Performance
- Licensing Requirements for AAA Rules
- Guidelines and Limitations
- Configuring Authentication for Network Access
- Configuring Authorization for Network Access
- Configuring Accounting for Network Access
- Using MAC Addresses to Exempt Traffic from Authentication and Authorization
- Feature History for AAA Rules
- Configuring Filtering Services
- Information About Web Traffic Filtering
- Configuring ActiveX Filtering
- Licensing Requirements for ActiveX Filtering
- Configuring Java Applet Filtering
- Filtering URLs and FTP Requests with an External Server
- Monitoring Filtering Statistics
- Configuring Web Cache Services Using WCCP
- Configuring Digital Certificates
- Information About Digital Certificates
- Licensing Requirements for Digital Certificates
- Prerequisites for Local Certificates
- Guidelines and Limitations
- Configuring Digital Certificates
- Configuring Key Pairs
- Removing Key Pairs
- Configuring Trustpoints
- Configuring CRLs for a Trustpoint
- Exporting a Trustpoint Configuration
- Importing a Trustpoint Configuration
- Configuring CA Certificate Map Rules
- Obtaining Certificates Manually
- Obtaining Certificates Automatically with SCEP
- Configuring Proxy Support for SCEP Requests
- Enabling the Local CA Server
- Configuring the Local CA Server
- Customizing the Local CA Server
- Debugging the Local CA Server
- Disabling the Local CA Server
- Deleting the Local CA Server
- Configuring Local CA Certificate Characteristics
- Configuring the Issuer Name
- Configuring the CA Certificate Lifetime
- Configuring the User Certificate Lifetime
- Configuring the CRL Lifetime
- Configuring the Server Keysize
- Setting Up External Local CA File Storage
- Downloading CRLs
- Storing CRLs
- Setting Up Enrollment Parameters
- Adding and Enrolling Users
- Renewing Users
- Restoring Users
- Removing Users
- Revoking Certificates
- Maintaining the Local CA Certificate Database
- Rolling Over Local CA Certificates
- Archiving the Local CA Server Certificate and Keypair
- Monitoring Digital Certificates
- Feature History for Certificate Management
- Configuring Application Inspection
- Getting Started with Application Layer Protocol Inspection
- Configuring Inspection of Basic Internet Protocols
- DNS Inspection
- FTP Inspection
- HTTP Inspection
- ICMP Inspection
- ICMP Error Inspection
- Instant Messaging Inspection
- IP Options Inspection
- IPsec Pass Through Inspection
- IPv6 Inspection
- NetBIOS Inspection
- PPTP Inspection
- SMTP and Extended SMTP Inspection
- TFTP Inspection
- Configuring Inspection for Voice and Video Protocols
- CTIQBE Inspection
- H.323 Inspection
- MGCP Inspection
- RTSP Inspection
- SIP Inspection
- Skinny (SCCP) Inspection
- Configuring Inspection of Database and Directory Protocols
- Configuring Inspection for Management Application Protocols
- Configuring Unified Communications
- Information About Cisco Unified Communications Proxy Features
- Configuring the Cisco Phone Proxy
- Information About the Cisco Phone Proxy
- Licensing Requirements for the Phone Proxy
- Prerequisites for the Phone Proxy
- Media Termination Instance Prerequisites
- Certificates from the Cisco UCM
- DNS Lookup Prerequisites
- Cisco Unified Communications Manager Prerequisites
- Access List Rules
- NAT and PAT Prerequisites
- Prerequisites for IP Phones on Multiple Interfaces
- 7960 and 7940 IP Phones Support
- Cisco IP Communicator Prerequisites
- Prerequisites for Rate Limiting TFTP Requests
- About ICMP Traffic Destined for the Media Termination Address
- End-User Phone Provisioning
- Phone Proxy Guidelines and Limitations
- Configuring the Phone Proxy
- Task Flow for Configuring the Phone Proxy in a Non-secure Cisco UCM Cluster
- Importing Certificates from the Cisco UCM
- Task Flow for Configuring the Phone Proxy in a Mixed-mode Cisco UCM Cluster
- Creating Trustpoints and Generating Certificates
- Creating the CTL File
- Using an Existing CTL File
- Creating the TLS Proxy Instance for a Non-secure Cisco UCM Cluster
- Creating the TLS Proxy for a Mixed-mode Cisco UCM Cluster
- Creating the Media Termination Instance
- Creating the Phone Proxy Instance
- Enabling the Phone Proxy with SIP and Skinny Inspection
- Configuring Linksys Routers with UDP Port Forwarding for the Phone Proxy
- Troubleshooting the Phone Proxy
- Debugging Information from the Security Appliance
- Debugging Information from IP Phones
- IP Phone Registration Failure
- TFTP Auth Error Displays on IP Phone Console
- Configuration File Parsing Error
- Configuration File Parsing Error: Unable to Get DNS Response
- Non-configuration File Parsing Error
- Cisco UCM Does Not Respond to TFTP Request for Configuration File
- IP Phone Does Not Respond After the Security Appliance Sends TFTP Data
- IP Phone Requesting Unsigned File Error
- IP Phone Unable to Download CTL File
- IP Phone Registration Failure from Signaling Connections
- SSL Handshake Failure
- Certificate Validation Errors
- Media Termination Address Errors
- Audio Problems with IP Phones
- Saving SAST Keys
- Configuration Examples for the Phone Proxy
- Example 1: Nonsecure Cisco UCM cluster, Cisco UCM and TFTP Server on Publisher
- Example 2: Mixed-mode Cisco UCM cluster, Cisco UCM and TFTP Server on Publisher
- Example 3: Mixed-mode Cisco UCM cluster, Cisco UCM and TFTP Server on Different Servers
- Example 4: Mixed-mode Cisco UCM cluster, Primary Cisco UCM, Secondary and TFTP Server on Different Servers
- Example 5: LSC Provisioning in Mixed-mode Cisco UCM cluster; Cisco UCM and TFTP Server on Publisher
- Example 6: VLAN Traversal
- Feature History for the Phone Proxy
- Configuring the TLS Proxy for Encrypted Voice Inspection
- Information about the TLS Proxy for Encrypted Voice Inspection
- Licensing for the TLS Proxy
- Prerequisites for the TLS Proxy for Encrypted Voice Inspection
- Configuring the TLS Proxy for Encrypted Voice Inspection
- Monitoring the TLS Proxy
- Feature History for the TLS Proxy for Encrypted Voice Inspection
- Configuring Cisco Mobility Advantage
- Configuring Cisco Unified Presence
- Configuring Cisco Intercompany Media Engine Proxy
- Information About Cisco Intercompany Media Engine Proxy
- Licensing for Cisco Intercompany Media Engine
- Guidelines and Limitations
- Configuring Cisco Intercompany Media Engine Proxy
- Task Flow for Configuring Cisco Intercompany Media Engine
- Configuring NAT for Cisco Intercompany Media Engine Proxy
- Configuring PAT for the Cisco UCM Server
- Creating Access Lists for Cisco Intercompany Media Engine Proxy
- Creating the Media Termination Instance
- Creating the Cisco Intercompany Media Engine Proxy
- Creating Trustpoints and Generating Certificates
- Creating the TLS Proxy
- Enabling SIP Inspection for the Cisco Intercompany Media Engine Proxy
- (Optional) Configuring TLS within the Local Enterprise
- (Optional) Configuring Off Path Signaling
- Configuring the Cisco UC-IME Proxy by using the UC-IME Proxy Pane
- Configuring the Cisco UC-IME Proxy by using the Unified Communications Wizard
- Troubleshooting Cisco Intercompany Media Engine Proxy
- Feature History for Cisco Intercompany Media Engine Proxy
- Configuring Connection Settings and QoS
- Configuring Connection Settings
- Configuring QoS
- Information About QoS
- Licensing Requirements for QoS
- Guidelines and Limitations
- Configuring QoS
- Monitoring QoS
- Feature History for QoS
- Configuring Advanced Network Protection
- Configuring the Botnet Traffic Filter
- Information About the Botnet Traffic Filter
- Licensing Requirements for the Botnet Traffic Filter
- Guidelines and Limitations
- Default Settings
- Configuring the Botnet Traffic Filter
- Monitoring the Botnet Traffic Filter
- Configuration Examples for the Botnet Traffic Filter
- Where to Go Next
- Feature History for the Botnet Traffic Filter
- Configuring Threat Detection
- Using Protection Tools
- Configuring Modules
- Configuring the ASA IPS Module
- Information About the ASA IPS module
- Licensing Requirements for the ASA IPS module
- Guidelines and Limitations
- Default Settings
- Configuring the ASA IPS module
- Task Flow for the ASA IPS Module
- Connecting Management Interface Cables
- Sessioning to the Module from the ASA
- Configuring Basic IPS Module Network Settings
- (ASA 5512-X through ASA 5555-X) Installing the Software Module
- Configuring the Security Policy on the ASA IPS module
- Assigning Virtual Sensors to a Security Context (ASA 5510 and Higher)
- Diverting Traffic to the ASA IPS module
- Monitoring the ASA IPS module
- Troubleshooting the ASA IPS module
- Configuration Examples for the ASA IPS module
- Feature History for the ASA IPS module
- Configuring the ASA CX Module
- Information About the ASA CX Module
- Licensing Requirements for the ASA CX Module
- Guidelines and Limitations
- Default Settings
- Configuring the ASA CX Module
- Task Flow for the ASA CX Module
- Connecting Management Interface Cables
- Configuring the ASA CX Management IP Address
- Configuring Basic ASA CX Settings at the ASA CX CLI
- Configuring the Security Policy on the ASA CX Module Using PRSM
- (Optional) Configuring the Authentication Proxy Port
- Redirecting Traffic to the ASA CX Module
- Monitoring the ASA CX Module
- Troubleshooting the ASA CX Module
- Configuration Examples for the ASA CX Module
- Feature History for the ASA CX Module
- Configuring the ASA CSC Module
- Information About the CSC SSM
- Licensing Requirements for the CSC SSM
- Prerequisites for the CSC SSM
- Guidelines and Limitations
- Default Settings
- Configuring the CSC SSM
- Monitoring the CSC SSM
- Troubleshooting the CSC Module
- Configuration Examples for the CSC SSM
- Where to Go Next
- Additional References
- Feature History for the CSC SSM
- Configuring High Availability
- Information About High Availability
- Introduction to Failover and High Availability
- Failover System Requirements
- Failover and Stateful Failover Links
- Active/Active and Active/Standby Failover
- Stateless (Regular) and Stateful Failover
- Transparent Firewall Mode Requirements
- Auto Update Server Support in Failover Configurations
- Failover Health Monitoring
- Failover Times
- Failover Messages
- Configuring Active/Standby Failover
- Information About Active/Standby Failover
- Licensing Requirements for Active/Standby Failover
- Prerequisites for Active/Standby Failover
- Guidelines and Limitations
- Configuring Active/Standby Failover
- Controlling Failover
- Monitoring Active/Standby Failover
- Feature History for Active/Standby Failover
- Configuring Active/Active Failover
- Information About Active/Active Failover
- Licensing Requirements for Active/Active Failover
- Prerequisites for Active/Active Failover
- Guidelines and Limitations
- Configuring Active/Active Failover
- Remote Command Execution
- Controlling Failover
- Monitoring Active/Active Failover
- Feature History for Active/Active Failover
- Configuring VPN
- Configuring IPsec and ISAKMP
- Information About Tunneling, IPsec, and ISAKMP
- Licensing Requirements for Remote Access IPsec VPNs
- Guidelines and Limitations
- Configuring ISAKMP
- Configuring IKEv1 and IKEv2 Policies
- Enabling IKE on the Outside Interface
- Disabling IKEv1 Aggressive Mode
- Determining an ID Method for IKEv1 and IKEv2 ISAKMP Peers
- Enabling IPsec over NAT-T
- Enabling IPsec with IKEv1 over TCP
- Waiting for Active Sessions to Terminate Before Rebooting
- Alerting Peers Before Disconnecting
- Configuring Certificate Group Matching for IKEv1
- Configuring IPsec
- Understanding IPsec Tunnels
- Understanding IKEv1 Transform Sets and IKEv2 Proposals
- Defining Crypto Maps
- Applying Crypto Maps to Interfaces
- Using Interface Access Lists
- Changing IPsec SA Lifetimes
- Creating a Basic IPsec Configuration
- Using Dynamic Crypto Maps
- Providing Site-to-Site Redundancy
- Viewing an IPsec Configuration
- Clearing Security Associations
- Clearing Crypto Map Configurations
- Supporting the Nokia VPN Client
- Configuring L2TP over IPsec
- Setting General VPN Parameters
- Configuring VPNs in Single, Routed Mode
- Configuring IPsec to Bypass ACLs
- Permitting Intra-Interface Traffic (Hairpinning)
- Setting Maximum Active IPsec or SSL VPN Sessions
- Using Client Update to Ensure Acceptable IPsec Client Revision Levels
- Understanding Load Balancing
- Configuring Load Balancing
- Configuring VPN Session Limits
- Configuring Connection Profiles, Group Policies, and Users
- Overview of Connection Profiles, Group Policies, and Users
- Connection Profiles
- Configuring Connection Profiles
- Maximum Connection Profiles
- Default IPsec Remote Access Connection Profile Configuration
- Configuring IPsec Tunnel-Group General Attributes
- Configuring Remote-Access Connection Profiles
- Configuring LAN-to-LAN Connection Profiles
- Configuring Connection Profiles for Clientless SSL VPN Sessions
- Customizing Login Windows for Users of Clientless SSL VPN sessions
- Configuring Microsoft Active Directory Settings for Password Management
- Using Active Directory to Force the User to Change Password at Next Logon
- Using Active Directory to Specify Maximum Password Age
- Using Active Directory to Override an Account Disabled AAA Indicator
- Using Active Directory to Enforce Minimum Password Length
- Using Active Directory to Enforce Password Complexity
- Configuring the Connection Profile for RADIUS/SDI Message Support for the AnyConnect Client
- Group Policies
- Default Group Policy
- Configuring Group Policies
- Configuring an External Group Policy
- Configuring an Internal Group Policy
- Configuring Group Policy Attributes
- Configuring WINS and DNS Servers
- Configuring VPN-Specific Attributes
- Configuring Security Attributes
- Configuring the Banner Message
- Configuring IPsec-UDP Attributes for IKEv1
- Configuring Split-Tunneling Attributes
- Configuring Domain Attributes for Tunneling
- Configuring Attributes for VPN Hardware Clients
- Configuring Backup Server Attributes
- Configuring Browser Client Parameters
- Configuring Network Admission Control Parameters
- Configuring Address Pools
- Configuring Firewall Policies
- Supporting a Zone Labs Integrity Server
- Configuring User Attributes
- Configuring IP Addresses for VPNs
- Configuring Remote Access IPsec VPNs
- Information About Remote Access IPsec VPNs
- Licensing Requirements for Remote Access IPsec VPNs
- Guidelines and Limitations
- Configuring Remote Access IPsec VPNs
- Configuring Interfaces
- Configuring ISAKMP Policy and Enabling ISAKMP on the Outside Interface
- Configuring an Address Pool
- Adding a User
- Creating an IKEv1 Transform Set or IKEv2 Proposal
- Defining a Tunnel Group
- Creating a Dynamic Crypto Map
- Creating a Crypto Map Entry to Use the Dynamic Crypto Map
- Saving the Security Appliance Configuration
- Configuration Examples for Remote Access IPsec VPNs
- Feature History for Remote Access VPNs
- Configuring Network Admission Control
- Information about Network Admission Control
- Licensing Requirements
- Prerequisites for NAC
- Guidelines and Limitations
- Viewing the NAC Policies on the Security Appliance
- Adding, Accessing, or Removing a NAC Policy
- Configuring a NAC Policy
- Assigning a NAC Policy to a Group Policy
- Changing Global NAC Framework Settings
- Configuring Easy VPN Services on the ASA 5505
- Specifying the Client/Server Role of the Cisco ASA 5505
- Specifying the Primary and Secondary Servers
- Specifying the Mode
- Configuring Automatic Xauth Authentication
- Configuring IPsec Over TCP
- Comparing Tunneling Options
- Specifying the Tunnel Group or Trustpoint
- Configuring Split Tunneling
- Configuring Device Pass-Through
- Configuring Remote Management
- Guidelines for Configuring the Easy VPN Server
- Configuring the PPPoE Client
- Configuring LAN-to-LAN IPsec VPNs
- Configuring Clientless SSL VPN
- Information About Clientless SSL VPN
- Licensing Requirements
- Prerequisites for Clientless SSL VPN
- Guidelines and Limitations
- Observing Clientless SSL VPN Security Precautions
- Using SSL to Access the Central Site
- Configuring Application Helper
- Using Single Sign-on with Clientless SSL VPN
- Encoding
- Creating and Applying Clientless SSL VPN Policies for Accessing Resources
- Using the Security Appliance Authentication Server
- Configuring Connection Profile Attributes for Clientless SSL VPN
- Configuring Group Policy and User Attributes for Clientless SSL VPN
- Configuring Browser Access to Plug-ins
- Why a Microsoft Kerberos Constrained Delegation Solution
- Understanding How KCD Works
- Configuring Application Access
- Configuring Smart Tunnel Access
- About Smart Tunnels
- Why Smart Tunnels?
- Adding Applications to Be Eligible for Smart Tunnel Access
- Assigning a Smart Tunnel List
- Configuring and Applying Smart Tunnel Policy
- Configuring and Applying a Smart Tunnel Tunnel Policy
- Specifying Servers for Smart Tunnel Auto Sign-on
- Adding or Editing a Smart Tunnel Auto Sign-on Server Entry
- Automating Smart Tunnel Access
- Logging Off Smart Tunnel
- Configuring Port Forwarding
- Application Access User Notes
- Configuring File Access
- Ensuring Clock Accuracy for SharePoint Access
- Using Clientless SSL VPN with PDAs
- Using E-Mail over Clientless SSL VPN
- Configuring Portal Access Rules
- Optimizing Clientless SSL VPN Performance
- Clientless SSL VPN End User Setup
- Customizing Clientless SSL VPN Pages
- Configuring Browser Access to Client-Server Plug-ins
- Communicating Security Tips
- Configuring Remote Systems to Use Clientless SSL VPN Features
- Translating the Language of User Messages
- Capturing Data
- Configuring AnyConnect VPN Client Connections
- Information About AnyConnect VPN Client Connections
- Licensing Requirements for AnyConnect Connections
- Guidelines and Limitations
- Configuring AnyConnect Connections
- Configuring the ASA to Web-Deploy the Client
- Enabling Permanent Client Installation
- Configuring DTLS
- Prompting Remote Users
- Enabling AnyConnect Client Profile Downloads
- Enabling Additional AnyConnect Client Features
- Enabling Start Before Logon
- Translating Languages for AnyConnect User Messages
- Configuring Advanced AnyConnect Features
- Updating AnyConnect Client Images
- Enabling IPv6 VPN Access
- Monitoring AnyConnect Connections
- Logging Off AnyConnect VPN Sessions
- Configuration Examples for Enabling AnyConnect Connections
- Feature History for AnyConnect Connections
- Configuring AnyConnect Host Scan
- Configuring Logging, SNMP, and Smart Call Home
- Configuring Logging
- Information About Logging
- Licensing Requirements for Logging
- Prerequisites for Logging
- Guidelines and Limitations
- Configuring Logging
- Enabling Logging
- Configuring an Output Destination
- Sending Syslog Messages to an External Syslog Server
- Sending Syslog Messages to the Internal Log Buffer
- Sending Syslog Messages to an E-mail Address
- Sending Syslog Messages to ASDM
- Sending Syslog Messages to the Console Port
- Sending Syslog Messages to an SNMP Server
- Sending Syslog Messages to a Telnet or SSH Session
- Creating a Custom Event List
- Generating Syslog Messages in EMBLEM Format to a Syslog Server
- Generating Syslog Messages in EMBLEM Format to Other Output Destinations
- Changing the Amount of Internal Flash Memory Available for Logs
- Configuring the Logging Queue
- Sending All Syslog Messages in a Class to a Specified Output Destination
- Enabling Secure Logging
- Including the Device ID in Non-EMBLEM Format Syslog Messages
- Including the Date and Time in Syslog Messages
- Disabling a Syslog Message
- Changing the Severity Level of a Syslog Message
- Limiting the Rate of Syslog Message Generation
- Monitoring the Logs
- Configuration Examples for Logging
- Feature History for Logging
- Configuring NetFlow Secure Event Logging (NSEL)
- Information About NSEL
- Licensing Requirements for NSEL
- Prerequisites for NSEL
- Guidelines and Limitations
- Configuring NSEL
- Configuring NSEL Collectors
- Configuring Flow-Export Actions Through Modular Policy Framework
- Configuring Template Timeout Intervals
- Changing the Time Interval for Sending Flow-Update Events to a Collector
- Delaying Flow-Create Events
- Disabling and Reenabling NetFlow-related Syslog Messages
- Clearing Runtime Counters
- Monitoring NSEL
- Configuration Examples for NSEL
- Where to Go Next
- Additional References
- Feature History for NSEL
- Configuring SNMP
- Information About SNMP
- Licensing Requirements for SNMP
- Prerequisites for SNMP
- Guidelines and Limitations
- Configuring SNMP
- Troubleshooting Tips
- Monitoring SNMP
- Configuration Examples for SNMP
- Where to Go Next
- Additional References
- Feature History for SNMP
- Configuring Anonymous Reporting and Smart Call Home
- Information About Anonymous Reporting and Smart Call Home
- Licensing Requirements for Anonymous Reporting and Smart Call Home
- Prerequisites for Smart Call Home and Anonymous Reporting
- Guidelines and Limitations
- Configuring Anonymous Reporting and Smart Call Home
- Monitoring Smart Call Home
- Configuration Example for Smart Call Home
- Feature History for Anonymous Reporting and Smart Call Home
- System Administration
- Managing Software and Configurations
- Managing the Flash File System
- Downloading Software or Configuration Files to Flash Memory
- Configuring the Application Image and ASDM Image to Boot
- Configuring the File to Boot as the Startup Configuration
- Deleting Files from a USB Drive on the ASA 5500-X Series
- Performing Zero Downtime Upgrades for Failover Pairs
- Backing Up Configuration Files or Other Files
- Backing up the Single Mode Configuration or Multiple Mode System Configuration
- Backing Up a Context Configuration or Other File in Flash Memory
- Backing Up a Context Configuration within a Context
- Copying the Configuration from the Terminal Display
- Backing Up Additional Files Using the Export and Import Commands
- Using a Script to Back Up and Restore Files
- Configuring Auto Update Support
- Downgrading Your Software
- Troubleshooting
- Reference
- Using the Command-Line Interface
- Addresses, Protocols, and Ports
- Configuring an External Server for Authorization and Authentication
- Understanding Policy Enforcement of Permissions and Attributes
- Configuring an External LDAP Server
- Configuring an External RADIUS Server
- Configuring an External TACACS+ Server
- Glossary
- Index