10% de réduction sur vos envois d'emailing --> CLIQUEZ ICI

Retour à l'accueil, cliquez ici

Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883 Cisco Security Appliance Command Line Configuration Guide For the Cisco ASA 5500 Series and Cisco PIX 500 Series Software Version 7.2 Customer Order Number: N/A, Online only Text Part Number: OL-10088-02THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS. THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY. The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California. NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. CCDE, CCSI, CCENT, Cisco Eos, Cisco HealthPresence, the Cisco logo, Cisco Lumin, Cisco Nexus, Cisco Nurse Connect, Cisco Stackpower, Cisco StadiumVision, Cisco TelePresence, Cisco WebEx, DCE, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn and Cisco Store are service marks; and Access Registrar, Aironet, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, EtherFast, EtherSwitch, Event Center, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, iQuick Study, IronPort, the IronPort logo, LightStream, Linksys, MediaTone, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerPanels, ProConnect, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries. All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0903R) Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental. Cisco Security Appliance Command Line Configuration Guide Copyright © 2008 Cisco Systems, Inc. All rights reserved.iii Cisco Security Appliance Command Line Configuration Guide OL-10088-02 C O N T E N T S About This Guide xxxv Document Objectives xxxv Audience xxxv Related Documentation xxxvi Document Organization xxxvi Document Conventions xxxix Obtaining Documentation and Submitting a Service Request xxxix 1-xl P A R T 1 Getting Started and General Information C H A P T E R 1 Introduction to the Security Appliance 1-1 Firewall Functional Overview 1-1 Security Policy Overview 1-2 Permitting or Denying Traffic with Access Lists 1-2 Applying NAT 1-2 Using AAA for Through Traffic 1-2 Applying HTTP, HTTPS, or FTP Filtering 1-3 Applying Application Inspection 1-3 Sending Traffic to the Advanced Inspection and Prevention Security Services Module 1-3 Sending Traffic to the Content Security and Control Security Services Module 1-3 Applying QoS Policies 1-3 Applying Connection Limits and TCP Normalization 1-3 Firewall Mode Overview 1-3 Stateful Inspection Overview 1-4 VPN Functional Overview 1-5 Intrusion Prevention Services Functional Overview 1-5 Security Context Overview 1-6 C H A P T E R 2 Getting Started 2-1 Getting Started with Your Platform Model 2-1 Factory Default Configurations 2-1 Restoring the Factory Default Configuration 2-2Contents iv Cisco Security Appliance Command Line Configuration Guide OL-10088-02 ASA 5505 Default Configuration 2-2 ASA 5510 and Higher Default Configuration 2-3 PIX 515/515E Default Configuration 2-4 Accessing the Command-Line Interface 2-4 Setting Transparent or Routed Firewall Mode 2-5 Working with the Configuration 2-6 Saving Configuration Changes 2-6 Saving Configuration Changes in Single Context Mode 2-7 Saving Configuration Changes in Multiple Context Mode 2-7 Copying the Startup Configuration to the Running Configuration 2-8 Viewing the Configuration 2-8 Clearing and Removing Configuration Settings 2-9 Creating Text Configuration Files Offline 2-9 C H A P T E R 3 Enabling Multiple Context Mode 3-1 Security Context Overview 3-1 Common Uses for Security Contexts 3-1 Unsupported Features 3-2 Context Configuration Files 3-2 Context Configurations 3-2 System Configuration 3-2 Admin Context Configuration 3-2 How the Security Appliance Classifies Packets 3-3 Valid Classifier Criteria 3-3 Invalid Classifier Criteria 3-4 Classification Examples 3-5 Cascading Security Contexts 3-8 Management Access to Security Contexts 3-9 System Administrator Access 3-9 Context Administrator Access 3-10 Enabling or Disabling Multiple Context Mode 3-10 Backing Up the Single Mode Configuration 3-10 Enabling Multiple Context Mode 3-10 Restoring Single Context Mode 3-11 C H A P T E R 4 Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance 4-1 Interface Overview 4-1 Understanding ASA 5505 Ports and Interfaces 4-2Contents v Cisco Security Appliance Command Line Configuration Guide OL-10088-02 Maximum Active VLAN Interfaces for Your License 4-2 Default Interface Configuration 4-4 VLAN MAC Addresses 4-4 Power Over Ethernet 4-4 Monitoring Traffic Using SPAN 4-4 Security Level Overview 4-5 Configuring VLAN Interfaces 4-5 Configuring Switch Ports as Access Ports 4-9 Configuring a Switch Port as a Trunk Port 4-11 Allowing Communication Between VLAN Interfaces on the Same Security Level 4-13 C H A P T E R 5 Configuring Ethernet Settings and Subinterfaces 5-1 Configuring and Enabling RJ-45 Interfaces 5-1 Configuring and Enabling Fiber Interfaces 5-3 Configuring and Enabling VLAN Subinterfaces and 802.1Q Trunking 5-3 C H A P T E R 6 Adding and Managing Security Contexts 6-1 Configuring Resource Management 6-1 Classes and Class Members Overview 6-1 Resource Limits 6-2 Default Class 6-3 Class Members 6-4 Configuring a Class 6-4 Configuring a Security Context 6-7 Automatically Assigning MAC Addresses to Context Interfaces 6-11 Changing Between Contexts and the System Execution Space 6-11 Managing Security Contexts 6-12 Removing a Security Context 6-12 Changing the Admin Context 6-13 Changing the Security Context URL 6-13 Reloading a Security Context 6-14 Reloading by Clearing the Configuration 6-14 Reloading by Removing and Re-adding the Context 6-15 Monitoring Security Contexts 6-15 Viewing Context Information 6-15 Viewing Resource Allocation 6-16 Viewing Resource Usage 6-19 Monitoring SYN Attacks in Contexts 6-20Contents vi Cisco Security Appliance Command Line Configuration Guide OL-10088-02 C H A P T E R 7 Configuring Interface Parameters 7-1 Security Level Overview 7-1 Configuring the Interface 7-2 Allowing Communication Between Interfaces on the Same Security Level 7-6 C H A P T E R 8 Configuring Basic Settings 8-1 Changing the Login Password 8-1 Changing the Enable Password 8-1 Setting the Hostname 8-2 Setting the Domain Name 8-2 Setting the Date and Time 8-2 Setting the Time Zone and Daylight Saving Time Date Range 8-3 Setting the Date and Time Using an NTP Server 8-4 Setting the Date and Time Manually 8-5 Setting the Management IP Address for a Transparent Firewall 8-5 C H A P T E R 9 Configuring IP Routing 9-1 How Routing Behaves Within the ASA Security Appliance 9-1 Egress Interface Selection Process 9-1 Next Hop Selection Process 9-2 Configuring Static and Default Routes 9-2 Configuring a Static Route 9-3 Configuring a Default Route 9-4 Configuring Static Route Tracking 9-5 Defining Route Maps 9-7 Configuring OSPF 9-8 OSPF Overview 9-9 Enabling OSPF 9-10 Redistributing Routes Into OSPF 9-10 Configuring OSPF Interface Parameters 9-11 Configuring OSPF Area Parameters 9-13 Configuring OSPF NSSA 9-14 Configuring Route Summarization Between OSPF Areas 9-15 Configuring Route Summarization When Redistributing Routes into OSPF 9-16 Defining Static OSPF Neighbors 9-16 Generating a Default Route 9-17 Configuring Route Calculation Timers 9-17 Logging Neighbors Going Up or Down 9-18Contents vii Cisco Security Appliance Command Line Configuration Guide OL-10088-02 Displaying OSPF Update Packet Pacing 9-19 Monitoring OSPF 9-19 Restarting the OSPF Process 9-20 Configuring RIP 9-20 Enabling and Configuring RIP 9-20 Redistributing Routes into the RIP Routing Process 9-22 Configuring RIP Send/Receive Version on an Interface 9-22 Enabling RIP Authentication 9-23 Monitoring RIP 9-23 The Routing Table 9-24 Displaying the Routing Table 9-24 How the Routing Table is Populated 9-24 Backup Routes 9-26 How Forwarding Decisions are Made 9-26 Dynamic Routing and Failover 9-26 C H A P T E R 10 Configuring DHCP, DDNS, and WCCP Services 10-1 Configuring a DHCP Server 10-1 Enabling the DHCP Server 10-2 Configuring DHCP Options 10-3 Using Cisco IP Phones with a DHCP Server 10-4 Configuring DHCP Relay Services 10-5 Configuring Dynamic DNS 10-6 Example 1: Client Updates Both A and PTR RRs for Static IP Addresses 10-7 Example 2: Client Updates Both A and PTR RRs; DHCP Server Honors Client Update Request; FQDN Provided Through Configuration 10-7 Example 3: Client Includes FQDN Option Instructing Server Not to Update Either RR; Server Overrides Client and Updates Both RRs. 10-8 Example 4: Client Asks Server To Perform Both Updates; Server Configured to Update PTR RR Only; Honors Client Request and Updates Both A and PTR RR 10-8 Example 5: Client Updates A RR; Server Updates PTR RR 10-9 Configuring Web Cache Services Using WCCP 10-9 WCCP Feature Support 10-9 WCCP Interaction With Other Features 10-10 Enabling WCCP Redirection 10-10 C H A P T E R 11 Configuring Multicast Routing 11-13 Multicast Routing Overview 11-13 Enabling Multicast Routing 11-14Contents viii Cisco Security Appliance Command Line Configuration Guide OL-10088-02 Configuring IGMP Features 11-14 Disabling IGMP on an Interface 11-15 Configuring Group Membership 11-15 Configuring a Statically Joined Group 11-15 Controlling Access to Multicast Groups 11-15 Limiting the Number of IGMP States on an Interface 11-16 Modifying the Query Interval and Query Timeout 11-16 Changing the Query Response Time 11-17 Changing the IGMP Version 11-17 Configuring Stub Multicast Routing 11-17 Configuring a Static Multicast Route 11-17 Configuring PIM Features 11-18 Disabling PIM on an Interface 11-18 Configuring a Static Rendezvous Point Address 11-19 Configuring the Designated Router Priority 11-19 Filtering PIM Register Messages 11-19 Configuring PIM Message Intervals 11-20 Configuring a Multicast Boundary 11-20 Filtering PIM Neighbors 11-20 Supporting Mixed Bidirectional/Sparse-Mode PIM Networks 11-21 For More Information about Multicast Routing 11-22 C H A P T E R 12 Configuring IPv6 12-1 IPv6-enabled Commands 12-1 Configuring IPv6 12-2 Configuring IPv6 on an Interface 12-3 Configuring a Dual IP Stack on an Interface 12-4 Enforcing the Use of Modified EUI-64 Interface IDs in IPv6 Addresses 12-4 Configuring IPv6 Duplicate Address Detection 12-4 Configuring IPv6 Default and Static Routes 12-5 Configuring IPv6 Access Lists 12-6 Configuring IPv6 Neighbor Discovery 12-7 Configuring Neighbor Solicitation Messages 12-7 Configuring Router Advertisement Messages 12-9 Multicast Listener Discovery Support 12-11 Configuring a Static IPv6 Neighbor 12-11 Verifying the IPv6 Configuration 12-11 The show ipv6 interface Command 12-12 The show ipv6 route Command 12-12Contents ix Cisco Security Appliance Command Line Configuration Guide OL-10088-02 The show ipv6 mld traffic Command 12-13 C H A P T E R 13 Configuring AAA Servers and the Local Database 13-1 AAA Overview 13-1 About Authentication 13-1 About Authorization 13-2 About Accounting 13-2 AAA Server and Local Database Support 13-2 Summary of Support 13-3 RADIUS Server Support 13-3 Authentication Methods 13-4 Attribute Support 13-4 RADIUS Authorization Functions 13-4 TACACS+ Server Support 13-4 SDI Server Support 13-4 SDI Version Support 13-5 Two-step Authentication Process 13-5 SDI Primary and Replica Servers 13-5 NT Server Support 13-5 Kerberos Server Support 13-5 LDAP Server Support 13-6 Authentication with LDAP 13-6 Authorization with LDAP for VPN 13-7 LDAP Attribute Mapping 13-8 SSO Support for WebVPN with HTTP Forms 13-9 Local Database Support 13-9 User Profiles 13-10 Fallback Support 13-10 Configuring the Local Database 13-10 Identifying AAA Server Groups and Servers 13-12 Using Certificates and User Login Credentials 13-15 Using User Login Credentials 13-15 Using certificates 13-16 Supporting a Zone Labs Integrity Server 13-16 Overview of Integrity Server and Security Appliance Interaction 13-17 Configuring Integrity Server Support 13-17 C H A P T E R 14 Configuring Failover 14-1 Understanding Failover 14-1Contents x Cisco Security Appliance Command Line Configuration Guide OL-10088-02 Failover System Requirements 14-2 Hardware Requirements 14-2 Software Requirements 14-2 License Requirements 14-2 The Failover and Stateful Failover Links 14-3 Failover Link 14-3 Stateful Failover Link 14-5 Active/Active and Active/Standby Failover 14-6 Active/Standby Failover 14-6 Active/Active Failover 14-10 Determining Which Type of Failover to Use 14-15 Regular and Stateful Failover 14-15 Regular Failover 14-16 Stateful Failover 14-16 Failover Health Monitoring 14-16 Unit Health Monitoring 14-17 Interface Monitoring 14-17 Failover Feature/Platform Matrix 14-18 Failover Times by Platform 14-18 Configuring Failover 14-19 Failover Configuration Limitations 14-19 Configuring Active/Standby Failover 14-19 Prerequisites 14-20 Configuring Cable-Based Active/Standby Failover (PIX Security Appliance Only) 14-20 Configuring LAN-Based Active/Standby Failover 14-21 Configuring Optional Active/Standby Failover Settings 14-25 Configuring Active/Active Failover 14-27 Prerequisites 14-27 Configuring Cable-Based Active/Active Failover (PIX security appliance) 14-27 Configuring LAN-Based Active/Active Failover 14-29 Configuring Optional Active/Active Failover Settings 14-33 Configuring Unit Health Monitoring 14-39 Configuring Failover Communication Authentication/Encryption 14-39 Verifying the Failover Configuration 14-40 Using the show failover Command 14-40 Viewing Monitored Interfaces 14-48 Displaying the Failover Commands in the Running Configuration 14-48 Testing the Failover Functionality 14-49 Controlling and Monitoring Failover 14-49 Forcing Failover 14-49Contents xi Cisco Security Appliance Command Line Configuration Guide OL-10088-02 Disabling Failover 14-50 Restoring a Failed Unit or Failover Group 14-50 Monitoring Failover 14-50 Failover System Messages 14-51 Debug Messages 14-51 SNMP 14-51 P A R T 2 Configuring the Firewall C H A P T E R 15 Firewall Mode Overview 15-1 Routed Mode Overview 15-1 IP Routing Support 15-1 Network Address Translation 15-2 How Data Moves Through the Security Appliance in Routed Firewall Mode 15-3 An Inside User Visits a Web Server 15-3 An Outside User Visits a Web Server on the DMZ 15-4 An Inside User Visits a Web Server on the DMZ 15-6 An Outside User Attempts to Access an Inside Host 15-7 A DMZ User Attempts to Access an Inside Host 15-8 Transparent Mode Overview 15-8 Transparent Firewall Network 15-9 Allowing Layer 3 Traffic 15-9 Allowed MAC Addresses 15-9 Passing Traffic Not Allowed in Routed Mode 15-9 MAC Address Lookups 15-10 Using the Transparent Firewall in Your Network 15-10 Transparent Firewall Guidelines 15-10 Unsupported Features in Transparent Mode 15-11 How Data Moves Through the Transparent Firewall 15-13 An Inside User Visits a Web Server 15-14 An Outside User Visits a Web Server on the Inside Network 15-15 An Outside User Attempts to Access an Inside Host 15-16 C H A P T E R 16 Identifying Traffic with Access Lists 16-1 Access List Overview 16-1 Access List Types 16-2 Access Control Entry Order 16-2 Access Control Implicit Deny 16-3 IP Addresses Used for Access Lists When You Use NAT 16-3Contents xii Cisco Security Appliance Command Line Configuration Guide OL-10088-02 Adding an Extended Access List 16-5 Extended Access List Overview 16-5 Allowing Broadcast and Multicast Traffic through the Transparent Firewall 16-6 Adding an Extended ACE 16-6 Adding an EtherType Access List 16-8 EtherType Access List Overview 16-8 Supported EtherTypes 16-8 Implicit Permit of IP and ARPs Only 16-9 Implicit and Explicit Deny ACE at the End of an Access List 16-9 IPv6 Unsupported 16-9 Using Extended and EtherType Access Lists on the Same Interface 16-9 Allowing MPLS 16-9 Adding an EtherType ACE 16-10 Adding a Standard Access List 16-11 Adding a Webtype Access List 16-11 Simplifying Access Lists with Object Grouping 16-11 How Object Grouping Works 16-12 Adding Object Groups 16-12 Adding a Protocol Object Group 16-13 Adding a Network Object Group 16-13 Adding a Service Object Group 16-14 Adding an ICMP Type Object Group 16-15 Nesting Object Groups 16-15 Using Object Groups with an Access List 16-16 Displaying Object Groups 16-17 Removing Object Groups 16-17 Adding Remarks to Access Lists 16-18 Scheduling Extended Access List Activation 16-18 Adding a Time Range 16-18 Applying the Time Range to an ACE 16-19 Logging Access List Activity 16-20 Access List Logging Overview 16-20 Configuring Logging for an Access Control Entry 16-21 Managing Deny Flows 16-22 C H A P T E R 17 Applying NAT 17-1 NAT Overview 17-1 Introduction to NAT 17-2 NAT Control 17-3Contents xiii Cisco Security Appliance Command Line Configuration Guide OL-10088-02 NAT Types 17-5 Dynamic NAT 17-5 PAT 17-7 Static NAT 17-7 Static PAT 17-8 Bypassing NAT When NAT Control is Enabled 17-9 Policy NAT 17-9 NAT and Same Security Level Interfaces 17-13 Order of NAT Commands Used to Match Real Addresses 17-14 Mapped Address Guidelines 17-14 DNS and NAT 17-14 Configuring NAT Control 17-16 Using Dynamic NAT and PAT 17-17 Dynamic NAT and PAT Implementation 17-17 Configuring Dynamic NAT or PAT 17-23 Using Static NAT 17-26 Using Static PAT 17-27 Bypassing NAT 17-29 Configuring Identity NAT 17-30 Configuring Static Identity NAT 17-30 Configuring NAT Exemption 17-32 NAT Examples 17-33 Overlapping Networks 17-34 Redirecting Ports 17-35 C H A P T E R 18 Permitting or Denying Network Access 18-1 Inbound and Outbound Access List Overview 18-1 Applying an Access List to an Interface 18-2 C H A P T E R 19 Applying AAA for Network Access 19-1 AAA Performance 19-1 Configuring Authentication for Network Access 19-1 Authentication Overview 19-2 One-Time Authentication 19-2 Applications Required to Receive an Authentication Challenge 19-2 Security Appliance Authentication Prompts 19-2 Static PAT and HTTP 19-3 Enabling Network Access Authentication 19-3Contents xiv Cisco Security Appliance Command Line Configuration Guide OL-10088-02 Enabling Secure Authentication of Web Clients 19-5 Authenticating Directly with the Security Appliance 19-6 Enabling Direct Authentication Using HTTP and HTTPS 19-6 Enabling Direct Authentication Using Telnet 19-6 Configuring Authorization for Network Access 19-6 Configuring TACACS+ Authorization 19-7 Configuring RADIUS Authorization 19-8 Configuring a RADIUS Server to Send Downloadable Access Control Lists 19-9 Configuring a RADIUS Server to Download Per-User Access Control List Names 19-12 Configuring Accounting for Network Access 19-13 Using MAC Addresses to Exempt Traffic from Authentication and Authorization 19-14 C H A P T E R 20 Applying Filtering Services 20-1 Filtering Overview 20-1 Filtering ActiveX Objects 20-2 ActiveX Filtering Overview 20-2 Enabling ActiveX Filtering 20-2 Filtering Java Applets 20-3 Filtering URLs and FTP Requests with an External Server 20-4 URL Filtering Overview 20-4 Identifying the Filtering Server 20-4 Buffering the Content Server Response 20-6 Caching Server Addresses 20-6 Filtering HTTP URLs 20-7 Configuring HTTP Filtering 20-7 Enabling Filtering of Long HTTP URLs 20-7 Truncating Long HTTP URLs 20-7 Exempting Traffic from Filtering 20-8 Filtering HTTPS URLs 20-8 Filtering FTP Requests 20-9 Viewing Filtering Statistics and Configuration 20-9 Viewing Filtering Server Statistics 20-10 Viewing Buffer Configuration and Statistics 20-11 Viewing Caching Statistics 20-11 Viewing Filtering Performance Statistics 20-11 Viewing Filtering Configuration 20-12Contents xv Cisco Security Appliance Command Line Configuration Guide OL-10088-02 C H A P T E R 21 Using Modular Policy Framework 21-1 Modular Policy Framework Overview 21-1 Modular Policy Framework Features 21-1 Modular Policy Framework Configuration Overview 21-2 Default Global Policy 21-3 Identifying Traffic (Layer 3/4 Class Map) 21-4 Default Class Maps 21-4 Creating a Layer 3/4 Class Map for Through Traffic 21-5 Creating a Layer 3/4 Class Map for Management Traffic 21-7 Configuring Special Actions for Application Inspections (Inspection Policy Map) 21-7 Inspection Policy Map Overview 21-8 Defining Actions in an Inspection Policy Map 21-8 Identifying Traffic in an Inspection Class Map 21-11 Creating a Regular Expression 21-12 Creating a Regular Expression Class Map 21-14 Defining Actions (Layer 3/4 Policy Map) 21-15 Layer 3/4 Policy Map Overview 21-15 Policy Map Guidelines 21-16 Supported Feature Types 21-16 Hierarchical Policy Maps 21-16 Feature Directionality 21-17 Feature Matching Guidelines within a Policy Map 21-17 Feature Matching Guidelines for multiple Policy Maps 21-18 Order in Which Multiple Feature Actions are Applied 21-18 Default Layer 3/4 Policy Map 21-18 Adding a Layer 3/4 Policy Map 21-19 Applying Actions to an Interface (Service Policy) 21-21 Modular Policy Framework Examples 21-21 Applying Inspection and QoS Policing to HTTP Traffic 21-22 Applying Inspection to HTTP Traffic Globally 21-22 Applying Inspection and Connection Limits to HTTP Traffic to Specific Servers 21-23 Applying Inspection to HTTP Traffic with NAT 21-24 C H A P T E R 22 Managing AIP SSM and CSC SSM 22-1 Managing the AIP SSM 22-1 About the AIP SSM 22-1 Getting Started with the AIP SSM 22-2 Diverting Traffic to the AIP SSM 22-2 Sessioning to the AIP SSM and Running Setup 22-4Contents xvi Cisco Security Appliance Command Line Configuration Guide OL-10088-02 Managing the CSC SSM 22-5 About the CSC SSM 22-5 Getting Started with the CSC SSM 22-7 Determining What Traffic to Scan 22-9 Limiting Connections Through the CSC SSM 22-11 Diverting Traffic to the CSC SSM 22-11 Checking SSM Status 22-13 Transferring an Image onto an SSM 22-14 C H A P T E R 23 Preventing Network Attacks 23-1 Configuring TCP Normalization 23-1 TCP Normalization Overview 23-1 Enabling the TCP Normalizer 23-2 Configuring Connection Limits and Timeouts 23-6 Connection Limit Overview 23-7 TCP Intercept Overview 23-7 Disabling TCP Intercept for Management Packets for Clientless SSL Compatibility 23-7 Dead Connection Detection (DCD) Overview 23-7 TCP Sequence Randomization Overview 23-8 Enabling Connection Limits and Timeouts 23-8 Preventing IP Spoofing 23-10 Configuring the Fragment Size 23-11 Blocking Unwanted Connections 23-11 Configuring IP Audit for Basic IPS Support 23-12 C H A P T E R 24 Configuring QoS 24-1 QoS Overview 24-1 Supported QoS Features 24-2 What is a Token Bucket? 24-2 Policing Overview 24-3 Priority Queueing Overview 24-3 Traffic Shaping Overview 24-4 How QoS Features Interact 24-4 DSCP and DiffServ Preservation 24-5 Creating the Standard Priority Queue for an Interface 24-5 Determining the Queue and TX Ring Limits 24-6 Configuring the Priority Queue 24-7 Identifying Traffic for QoS Using Class Maps 24-8Contents xvii Cisco Security Appliance Command Line Configuration Guide OL-10088-02 Creating a QoS Class Map 24-8 QoS Class Map Examples 24-8 Creating a Policy for Standard Priority Queueing and/or Policing 24-9 Creating a Policy for Traffic Shaping and Hierarchical Priority Queueing 24-11 Viewing QoS Statistics 24-13 Viewing QoS Police Statistics 24-13 Viewing QoS Standard Priority Statistics 24-14 Viewing QoS Shaping Statistics 24-14 Viewing QoS Standard Priority Queue Statistics 24-15 C H A P T E R 25 Configuring Application Layer Protocol Inspection 25-1 Inspection Engine Overview 25-2 When to Use Application Protocol Inspection 25-2 Inspection Limitations 25-2 Default Inspection Policy 25-3 Configuring Application Inspection 25-5 CTIQBE Inspection 25-9 CTIQBE Inspection Overview 25-9 Limitations and Restrictions 25-10 Verifying and Monitoring CTIQBE Inspection 25-10 DCERPC Inspection 25-11 DCERPC Overview 25-11 Configuring a DCERPC Inspection Policy Map for Additional Inspection Control 25-12 DNS Inspection 25-13 How DNS Application Inspection Works 25-13 How DNS Rewrite Works 25-14 Configuring DNS Rewrite 25-15 Using the Static Command for DNS Rewrite 25-15 Using the Alias Command for DNS Rewrite 25-16 Configuring DNS Rewrite with Two NAT Zones 25-16 DNS Rewrite with Three NAT Zones 25-17 Configuring DNS Rewrite with Three NAT Zones 25-19 Verifying and Monitoring DNS Inspection 25-20 Configuring a DNS Inspection Policy Map for Additional Inspection Control 25-20 ESMTP Inspection 25-23 Configuring an ESMTP Inspection Policy Map for Additional Inspection Control 25-24 FTP Inspection 25-26 FTP Inspection Overview 25-27Contents xviii Cisco Security Appliance Command Line Configuration Guide OL-10088-02 Using the strict Option 25-27 Configuring an FTP Inspection Policy Map for Additional Inspection Control 25-28 Verifying and Monitoring FTP Inspection 25-31 GTP Inspection 25-32 GTP Inspection Overview 25-32 Configuring a GTP Inspection Policy Map for Additional Inspection Control 25-33 Verifying and Monitoring GTP Inspection 25-37 H.323 Inspection 25-38 H.323 Inspection Overview 25-38 How H.323 Works 25-38 Limitations and Restrictions 25-39 Configuring an H.323 Inspection Policy Map for Additional Inspection Control 25-40 Configuring H.323 and H.225 Timeout Values 25-42 Verifying and Monitoring H.323 Inspection 25-43 Monitoring H.225 Sessions 25-43 Monitoring H.245 Sessions 25-43 Monitoring H.323 RAS Sessions 25-44 HTTP Inspection 25-44 HTTP Inspection Overview 25-44 Configuring an HTTP Inspection Policy Map for Additional Inspection Control 25-45 Instant Messaging Inspection 25-49 IM Inspection Overview 25-49 Configuring an Instant Messaging Inspection Policy Map for Additional Inspection Control 25-49 ICMP Inspection 25-52 ICMP Error Inspection 25-52 ILS Inspection 25-53 IPSec Pass Through Inspection 25-54 IPSec Pass Through Inspection Overview 25-54 Configuring an IPSec Pass Through Inspection Policy Map for Additional Inspection Control 25-54 MGCP Inspection 25-56 MGCP Inspection Overview 25-56 Configuring an MGCP Inspection Policy Map for Additional Inspection Control 25-58 Configuring MGCP Timeout Values 25-59 Verifying and Monitoring MGCP Inspection 25-59 NetBIOS Inspection 25-60 Configuring a NetBIOS Inspection Policy Map for Additional Inspection Control 25-60 PPTP Inspection 25-62 RADIUS Accounting Inspection 25-62Contents xix Cisco Security Appliance Command Line Configuration Guide OL-10088-02 Configuring a RADIUS Inspection Policy Map for Additional Inspection Control 25-63 RSH Inspection 25-63 RTSP Inspection 25-63 RTSP Inspection Overview 25-63 Using RealPlayer 25-64 Restrictions and Limitations 25-64 SIP Inspection 25-65 SIP Inspection Overview 25-65 SIP Instant Messaging 25-65 Configuring a SIP Inspection Policy Map for Additional Inspection Control 25-66 Configuring SIP Timeout Values 25-70 Verifying and Monitoring SIP Inspection 25-70 Skinny (SCCP) Inspection 25-71 SCCP Inspection Overview 25-71 Supporting Cisco IP Phones 25-71 Restrictions and Limitations 25-72 Verifying and Monitoring SCCP Inspection 25-72 Configuring a Skinny (SCCP) Inspection Policy Map for Additional Inspection Control 25-73 SMTP and Extended SMTP Inspection 25-74 SNMP Inspection 25-76 SQL*Net Inspection 25-76 Sun RPC Inspection 25-77 Sun RPC Inspection Overview 25-77 Managing Sun RPC Services 25-77 Verifying and Monitoring Sun RPC Inspection 25-78 TFTP Inspection 25-79 XDMCP Inspection 25-80 C H A P T E R 26 Configuring ARP Inspection and Bridging Parameters 26-1 Configuring ARP Inspection 26-1 ARP Inspection Overview 26-1 Adding a Static ARP Entry 26-2 Enabling ARP Inspection 26-2 Customizing the MAC Address Table 26-3 MAC Address Table Overview 26-3 Adding a Static MAC Address 26-3 Setting the MAC Address Timeout 26-4 Disabling MAC Address Learning 26-4Contents xx Cisco Security Appliance Command Line Configuration Guide OL-10088-02 Viewing the MAC Address Table 26-4 P A R T 3 Configuring VPN C H A P T E R 27 Configuring IPsec and ISAKMP 27-1 Tunneling Overview 27-1 IPsec Overview 27-2 Configuring ISAKMP 27-2 ISAKMP Overview 27-2 Configuring ISAKMP Policies 27-5 Enabling ISAKMP on the Outside Interface 27-6 Disabling ISAKMP in Aggressive Mode 27-6 Determining an ID Method for ISAKMP Peers 27-6 Enabling IPsec over NAT-T 27-7 Using NAT-T 27-7 Enabling IPsec over TCP 27-8 Waiting for Active Sessions to Terminate Before Rebooting 27-9 Alerting Peers Before Disconnecting 27-9 Configuring Certificate Group Matching 27-9 Creating a Certificate Group Matching Rule and Policy 27-10 Using the Tunnel-group-map default-group Command 27-11 Configuring IPsec 27-11 Understanding IPsec Tunnels 27-11 Understanding Transform Sets 27-12 Defining Crypto Maps 27-12 Applying Crypto Maps to Interfaces 27-20 Using Interface Access Lists 27-20 Changing IPsec SA Lifetimes 27-22 Creating a Basic IPsec Configuration 27-22 Using Dynamic Crypto Maps 27-24 Providing Site-to-Site Redundancy 27-26 Viewing an IPsec Configuration 27-26 Clearing Security Associations 27-27 Clearing Crypto Map Configurations 27-27 Supporting the Nokia VPN Client 27-28 C H A P T E R 28 Configuring L2TP over IPSec 28-1 L2TP Overview 28-1Contents xxi Cisco Security Appliance Command Line Configuration Guide OL-10088-02 IPSec Transport and Tunnel Modes 28-2 Configuring L2TP over IPSec Connections 28-2 Tunnel Group Switching 28-5 Viewing L2TP over IPSec Connection Information 28-5 Using L2TP Debug Commands 28-7 Enabling IPSec Debug 28-7 Getting Additional Information 28-8 C H A P T E R 29 Setting General IPSec VPN Parameters 29-1 Configuring VPNs in Single, Routed Mode 29-1 Configuring IPSec to Bypass ACLs 29-1 Permitting Intra-Interface Traffic 29-2 NAT Considerations for Intra-Interface Traffic 29-3 Setting Maximum Active IPSec VPN Sessions 29-3 Using Client Update to Ensure Acceptable Client Revision Levels 29-3 Understanding Load Balancing 29-5 Implementing Load Balancing 29-6 Prerequisites 29-6 Eligible Platforms 29-7 Eligible Clients 29-7 VPN Load-Balancing Cluster Configurations 29-7 Some Typical Mixed Cluster Scenarios 29-8 Scenario 1: Mixed Cluster with No WebVPN Connections 29-8 Scenario 2: Mixed Cluster Handling WebVPN Connections 29-8 Configuring Load Balancing 29-9 Configuring the Public and Private Interfaces for Load Balancing 29-9 Configuring the Load Balancing Cluster Attributes 29-10 Configuring VPN Session Limits 29-11 C H A P T E R 30 Configuring Tunnel Groups, Group Policies, and Users 30-1 Overview of Tunnel Groups, Group Policies, and Users 30-1 Tunnel Groups 30-2 General Tunnel-Group Connection Parameters 30-2 IPSec Tunnel-Group Connection Parameters 30-3 WebVPN Tunnel-Group Connection Parameters 30-4 Configuring Tunnel Groups 30-5 Maximum Tunnel Groups 30-5 Default IPSec Remote Access Tunnel Group Configuration 30-5Contents xxii Cisco Security Appliance Command Line Configuration Guide OL-10088-02 Configuring IPSec Tunnel-Group General Attributes 30-6 Configuring IPSec Remote-Access Tunnel Groups 30-6 Specifying a Name and Type for the IPSec Remote Access Tunnel Group 30-6 Configuring IPSec Remote-Access Tunnel Group General Attributes 30-7 Configuring IPSec Remote-Access Tunnel Group IPSec Attributes 30-10 Configuring IPSec Remote-Access Tunnel Group PPP Attributes 30-12 Configuring LAN-to-LAN Tunnel Groups 30-13 Default LAN-to-LAN Tunnel Group Configuration 30-13 Specifying a Name and Type for a LAN-to-LAN Tunnel Group 30-14 Configuring LAN-to-LAN Tunnel Group General Attributes 30-14 Configuring LAN-to-LAN IPSec Attributes 30-15 Configuring WebVPN Tunnel Groups 30-17 Specifying a Name and Type for a WebVPN Tunnel Group 30-17 Configuring WebVPN Tunnel-Group General Attributes 30-17 Configuring WebVPN Tunnel-Group WebVPN Attributes 30-20 Customizing Login Windows for WebVPN Users 30-23 Configuring Microsoft Active Directory Settings for Password Management 30-24 Using Active Directory to Force the User to Change Password at Next Logon 30-25 Using Active Directory to Specify Maximum Password Age 30-27 Using Active Directory to Override an Account Disabled AAA Indicator 30-28 Using Active Directory to Enforce Minimum Password Length 30-29 Using Active Directory to Enforce Password Complexity 30-30 Group Policies 30-31 Default Group Policy 30-32 Configuring Group Policies 30-34 Configuring an External Group Policy 30-34 Configuring an Internal Group Policy 30-35 Configuring Group Policy Attributes 30-35 Configuring WINS and DNS Servers 30-35 Configuring VPN-Specific Attributes 30-36 Configuring Security Attributes 30-39 Configuring the Banner Message 30-41 Configuring IPSec-UDP Attributes 30-41 Configuring Split-Tunneling Attributes 30-42 Configuring Domain Attributes for Tunneling 30-43 Configuring Attributes for VPN Hardware Clients 30-45 Configuring Backup Server Attributes 30-48 Configuring Microsoft Internet Explorer Client Parameters 30-49 Configuring Network Admission Control Parameters 30-51 Configuring Address Pools 30-54Contents xxiii Cisco Security Appliance Command Line Configuration Guide OL-10088-02 Configuring Firewall Policies 30-55 Configuring Client Access Rules 30-58 Configuring Group-Policy WebVPN Attributes 30-59 Configuring User Attributes 30-70 Viewing the Username Configuration 30-71 Configuring Attributes for Specific Users 30-71 Setting a User Password and Privilege Level 30-71 Configuring User Attributes 30-72 Configuring VPN User Attributes 30-72 Configuring WebVPN for Specific Users 30-76 C H A P T E R 31 Configuring IP Addresses for VPNs 31-1 Configuring an IP Address Assignment Method 31-1 Configuring Local IP Address Pools 31-2 Configuring AAA Addressing 31-2 Configuring DHCP Addressing 31-3 C H A P T E R 32 Configuring Remote Access IPSec VPNs 32-1 Summary of the Configuration 32-1 Configuring Interfaces 32-2 Configuring ISAKMP Policy and Enabling ISAKMP on the Outside Interface 32-3 Configuring an Address Pool 32-4 Adding a User 32-4 Creating a Transform Set 32-4 Defining a Tunnel Group 32-5 Creating a Dynamic Crypto Map 32-6 Creating a Crypto Map Entry to Use the Dynamic Crypto Map 32-7 C H A P T E R 33 Configuring Network Admission Control 33-1 Uses, Requirements, and Limitations 33-1 Configuring Basic Settings 33-1 Specifying the Access Control Server Group 33-2 Enabling NAC 33-2 Configuring the Default ACL for NAC 33-3 Configuring Exemptions from NAC 33-4 Changing Advanced Settings 33-5 Changing Clientless Authentication Settings 33-5 Enabling and Disabling Clientless Authentication 33-5Contents xxiv Cisco Security Appliance Command Line Configuration Guide OL-10088-02 Changing the Login Credentials Used for Clientless Authentication 33-6 Configuring NAC Session Attributes 33-7 Setting the Query-for-Posture-Changes Timer 33-8 Setting the Revalidation Timer 33-9 C H A P T E R 34 Configuring Easy VPN Services on the ASA 5505 34-1 Specifying the Client/Server Role of the Cisco ASA 5505 34-1 Specifying the Primary and Secondary Servers 34-2 Specifying the Mode 34-3 NEM with Multiple Interfaces 34-3 Configuring Automatic Xauth Authentication 34-4 Configuring IPSec Over TCP 34-4 Comparing Tunneling Options 34-5 Specifying the Tunnel Group or Trustpoint 34-6 Specifying the Tunnel Group 34-6 Specifying the Trustpoint 34-7 Configuring Split Tunneling 34-7 Configuring Device Pass-Through 34-8 Configuring Remote Management 34-8 Guidelines for Configuring the Easy VPN Server 34-9 Group Policy and User Attributes Pushed to the Client 34-9 Authentication Options 34-11 C H A P T E R 35 Configuring the PPPoE Client 35-1 PPPoE Client Overview 35-1 Configuring the PPPoE Client Username and Password 35-2 Enabling PPPoE 35-3 Using PPPoE with a Fixed IP Address 35-3 Monitoring and Debugging the PPPoE Client 35-4 Clearing the Configuration 35-5 Using Related Commands 35-5 C H A P T E R 36 Configuring LAN-to-LAN IPsec VPNs 36-1 Summary of the Configuration 36-1 Configuring Interfaces 36-2 Configuring ISAKMP Policy and Enabling ISAKMP on the Outside Interface 36-2 Creating a Transform Set 36-4Contents xxv Cisco Security Appliance Command Line Configuration Guide OL-10088-02 Configuring an ACL 36-4 Defining a Tunnel Group 36-5 Creating a Crypto Map and Applying It To an Interface 36-6 Applying Crypto Maps to Interfaces 36-7 C H A P T E R 37 Configuring WebVPN 37-1 Getting Started with WebVPN 37-1 Observing WebVPN Security Precautions 37-2 Understanding Features Not Supported for WebVPN 37-2 Using SSL to Access the Central Site 37-3 Using HTTPS for WebVPN Sessions 37-3 Configuring WebVPN and ASDM on the Same Interface 37-3 Setting WebVPN HTTP/HTTPS Proxy 37-4 Configuring SSL/TLS Encryption Protocols 37-4 Authenticating with Digital Certificates 37-5 Enabling Cookies on Browsers for WebVPN 37-5 Managing Passwords 37-5 Using Single Sign-on with WebVPN 37-6 Configuring SSO with HTTP Basic or NTLM Authentication 37-6 Configuring SSO Authentication Using SiteMinder 37-7 Configuring SSO with the HTTP Form Protocol 37-9 Authenticating with Digital Certificates 37-15 Creating and Applying WebVPN Policies 37-15 Creating Port Forwarding, URL, and Access Lists in Global Configuration Mode 37-16 Assigning Lists to Group Policies and Users in Group-Policy or User Mode 37-16 Enabling Features for Group Policies and Users 37-16 Assigning Users to Group Policies 37-16 Using the Security Appliance Authentication Server 37-16 Using a RADIUS Server 37-16 Configuring WebVPN Tunnel Group Attributes 37-17 Configuring WebVPN Group Policy and User Attributes 37-17 Configuring Application Access 37-18 Downloading the Port-Forwarding Applet Automatically 37-18 Closing Application Access to Prevent hosts File Errors 37-18 Recovering from hosts File Errors When Using Application Access 37-18 Understanding the hosts File 37-19 Stopping Application Access Improperly 37-19 Reconfiguring a hosts File 37-20 Configuring File Access 37-22Contents xxvi Cisco Security Appliance Command Line Configuration Guide OL-10088-02 Configuring Access to Citrix MetaFrame Services 37-24 Using WebVPN with PDAs 37-25 Using E-Mail over WebVPN 37-26 Configuring E-mail Proxies 37-26 E-mail Proxy Certificate Authentication 37-27 Configuring MAPI 37-27 Configuring Web E-mail: MS Outlook Web Access 37-27 Optimizing WebVPN Performance 37-28 Configuring Caching 37-28 Configuring Content Transformation 37-28 Configuring a Certificate for Signing Rewritten Java Content 37-29 Disabling Content Rewrite 37-29 Using Proxy Bypass 37-29 Configuring Application Profile Customization Framework 37-30 APCF Syntax 37-30 APCF Example 37-32 WebVPN End User Setup 37-32 Defining the End User Interface 37-32 Viewing the WebVPN Home Page 37-33 Viewing the WebVPN Application Access Panel 37-33 Viewing the Floating Toolbar 37-34 Customizing WebVPN Pages 37-35 Using Cascading Style Sheet Parameters 37-35 Customizing the WebVPN Login Page 37-36 Customizing the WebVPN Logout Page 37-37 Customizing the WebVPN Home Page 37-38 Customizing the Application Access Window 37-40 Customizing the Prompt Dialogs 37-41 Applying Customizations to Tunnel Groups, Groups and Users 37-42 Requiring Usernames and Passwords 37-43 Communicating Security Tips 37-44 Configuring Remote Systems to Use WebVPN Features 37-44 Capturing WebVPN Data 37-50 Creating a Capture File 37-51 Using a Browser to Display Capture Data 37-51 C H A P T E R 38 Configuring SSL VPN Client 38-1 Installing SVC 38-1 Platform Requirements 38-1Contents xxvii Cisco Security Appliance Command Line Configuration Guide OL-10088-02 Installing the SVC Software 38-2 Enabling SVC 38-3 Enabling Permanent SVC Installation 38-4 Enabling Rekey 38-5 Enabling and Adjusting Dead Peer Detection 38-5 Enabling Keepalive 38-6 Using SVC Compression 38-6 Viewing SVC Sessions 38-7 Logging Off SVC Sessions 38-8 Updating SVCs 38-8 C H A P T E R 39 Configuring Certificates 39-1 Public Key Cryptography 39-1 About Public Key Cryptography 39-1 Certificate Scalability 39-2 About Key Pairs 39-2 About Trustpoints 39-3 About Revocation Checking 39-3 About CRLs 39-3 About OCSP 39-4 Supported CA Servers 39-5 Certificate Configuration 39-5 Preparing for Certificates 39-5 Configuring Key Pairs 39-6 Generating Key Pairs 39-6 Removing Key Pairs 39-7 Configuring Trustpoints 39-7 Obtaining Certificates 39-9 Obtaining Certificates with SCEP 39-9 Obtaining Certificates Manually 39-11 Configuring CRLs for a Trustpoint 39-13 Exporting and Importing Trustpoints 39-14 Exporting a Trustpoint Configuration 39-15 Importing a Trustpoint Configuration 39-15 Configuring CA Certificate Map Rules 39-15 P A R T 4 System AdministrationContents xxviii Cisco Security Appliance Command Line Configuration Guide OL-10088-02 C H A P T E R 40 Managing System Access 40-1 Allowing Telnet Access 40-1 Allowing SSH Access 40-2 Configuring SSH Access 40-2 Using an SSH Client 40-3 Allowing HTTPS Access for ASDM 40-3 Configuring ASDM and WebVPN on the Same Interface 40-4 Configuring AAA for System Administrators 40-5 Configuring Authentication for CLI Access 40-5 Configuring Authentication To Access Privileged EXEC Mode 40-6 Configuring Authentication for the Enable Command 40-6 Authenticating Users Using the Login Command 40-6 Configuring Command Authorization 40-7 Command Authorization Overview 40-7 Configuring Local Command Authorization 40-8 Configuring TACACS+ Command Authorization 40-11 Configuring Command Accounting 40-14 Viewing the Current Logged-In User 40-14 Recovering from a Lockout 40-15 Configuring a Login Banner 40-16 C H A P T E R 41 Managing Software, Licenses, and Configurations 41-1 Managing Licenses 41-1 Obtaining an Activation Key 41-1 Entering a New Activation Key 41-2 Viewing Files in Flash Memory 41-2 Retrieving Files from Flash Memory 41-3 Downloading Software or Configuration Files to Flash Memory 41-3 Downloading a File to a Specific Location 41-4 Downloading a File to the Startup or Running Configuration 41-4 Configuring the Application Image and ASDM Image to Boot 41-5 Configuring the File to Boot as the Startup Configuration 41-6 Performing Zero Downtime Upgrades for Failover Pairs 41-6 Upgrading an Active/Standby Failover Configuration 41-7 Upgrading and Active/Active Failover Configuration 41-8 Backing Up Configuration Files 41-8 Backing up the Single Mode Configuration or Multiple Mode System Configuration 41-9 Backing Up a Context Configuration in Flash Memory 41-9Contents xxix Cisco Security Appliance Command Line Configuration Guide OL-10088-02 Backing Up a Context Configuration within a Context 41-9 Copying the Configuration from the Terminal Display 41-10 Configuring Auto Update Support 41-10 Configuring Communication with an Auto Update Server 41-10 Configuring Client Updates as an Auto Update Server 41-12 Viewing Auto Update Status 41-13 C H A P T E R 42 Monitoring the Security Appliance 42-1 Using SNMP 42-1 SNMP Overview 42-1 Enabling SNMP 42-3 Configuring and Managing Logs 42-5 Logging Overview 42-5 Logging in Multiple Context Mode 42-5 Enabling and Disabling Logging 42-6 Enabling Logging to All Configured Output Destinations 42-6 Disabling Logging to All Configured Output Destinations 42-6 Viewing the Log Configuration 42-6 Configuring Log Output Destinations 42-7 Sending System Log Messages to a Syslog Server 42-7 Sending System Log Messages to the Console Port 42-8 Sending System Log Messages to an E-mail Address 42-9 Sending System Log Messages to ASDM 42-10 Sending System Log Messages to a Telnet or SSH Session 42-11 Sending System Log Messages to the Log Buffer 42-12 Filtering System Log Messages 42-14 Message Filtering Overview 42-15 Filtering System Log Messages by Class 42-15 Filtering System Log Messages with Custom Message Lists 42-17 Customizing the Log Configuration 42-18 Customizing the Log Configuration 42-18 Configuring the Logging Queue 42-19 Including the Date and Time in System Log Messages 42-19 Including the Device ID in System Log Messages 42-19 Generating System Log Messages in EMBLEM Format 42-20 Disabling a System Log Message 42-20 Changing the Severity Level of a System Log Message 42-21 Changing the Amount of Internal Flash Memory Available for Logs 42-22 Understanding System Log Messages 42-23Contents xxx Cisco Security Appliance Command Line Configuration Guide OL-10088-02 System Log Message Format 42-23 Severity Levels 42-23 C H A P T E R 43 Troubleshooting the Security Appliance 43-1 Testing Your Configuration 43-1 Enabling ICMP Debug Messages and System Messages 43-1 Pinging Security Appliance Interfaces 43-2 Pinging Through the Security Appliance 43-4 Disabling the Test Configuration 43-5 Traceroute 43-6 Packet Tracer 43-6 Reloading the Security Appliance 43-6 Performing Password Recovery 43-7 Performing Password Recovery for the ASA 5500 Series Adaptive Security Appliance 43-7 Password Recovery for the PIX 500 Series Security Appliance 43-8 Disabling Password Recovery 43-9 Resetting the Password on the SSM Hardware Module 43-10 Other Troubleshooting Tools 43-10 Viewing Debug Messages 43-11 Capturing Packets 43-11 Viewing the Crash Dump 43-11 Common Problems 43-11 P A R T 2 Reference Supported Platforms and Feature Licenses A-1 Security Services Module Support A-9 VPN Specifications A-10 Cisco VPN Client Support A-11 Cisco Secure Desktop Support A-11 Site-to-Site VPN Compatibility A-11 Cryptographic Standards A-12 Example 1: Multiple Mode Firewall With Outside Access B-1 Example 1: System Configuration B-2 Example 1: Admin Context Configuration B-4 Example 1: Customer A Context Configuration B-4 Example 1: Customer B Context Configuration B-4 Example 1: Customer C Context Configuration B-5 Example 2: Single Mode Firewall Using Same Security Level B-6Contents xxxi Cisco Security Appliance Command Line Configuration Guide OL-10088-02 Example 3: Shared Resources for Multiple Contexts B-8 Example 3: System Configuration B-9 Example 3: Admin Context Configuration B-9 Example 3: Department 1 Context Configuration B-10 Example 3: Department 2 Context Configuration B-11 Example 4: Multiple Mode, Transparent Firewall with Outside Access B-12 Example 4: System Configuration B-13 Example 4: Admin Context Configuration B-14 Example 4: Customer A Context Configuration B-15 Example 4: Customer B Context Configuration B-15 Example 4: Customer C Context Configuration B-16 Example 5: WebVPN Configuration B-16 Example 6: IPv6 Configuration B-18 Example 7: Cable-Based Active/Standby Failover (Routed Mode) B-20 Example 8: LAN-Based Active/Standby Failover (Routed Mode) B-21 Example 8: Primary Unit Configuration B-21 Example 8: Secondary Unit Configuration B-22 Example 9: LAN-Based Active/Active Failover (Routed Mode) B-22 Example 9: Primary Unit Configuration B-23 Example 9: Primary System Configuration B-23 Example 9: Primary admin Context Configuration B-24 Example 9: Primary ctx1 Context Configuration B-25 Example 9: Secondary Unit Configuration B-25 Example 10: Cable-Based Active/Standby Failover (Transparent Mode) B-26 Example 11: LAN-Based Active/Standby Failover (Transparent Mode) B-27 Example 11: Primary Unit Configuration B-27 Example 11: Secondary Unit Configuration B-28 Example 12: LAN-Based Active/Active Failover (Transparent Mode) B-28 Example 12: Primary Unit Configuration B-29 Example 12: Primary System Configuration B-29 Example 12: Primary admin Context Configuration B-30 Example 12: Primary ctx1 Context Configuration B-31 Example 12: Secondary Unit Configuration B-31 Example 13: Dual ISP Support Using Static Route Tracking B-31 Example 14: ASA 5505 Base License B-33 Example 15: ASA 5505 Security Plus License with Failover and Dual-ISP Backup B-35 Example 15: Primary Unit Configuration B-35 Example 15: Secondary Unit Configuration B-37Contents xxxii Cisco Security Appliance Command Line Configuration Guide OL-10088-02 Example 16: Network Traffic Diversion B-37 Inspecting All Traffic with the AIP SSM B-43 Inspecting Specific Traffic with the AIP SSM B-44 Verifying the Recording of Alert Events B-45 Troubleshooting the Configuration B-47 Firewall Mode and Security Context Mode C-1 Command Modes and Prompts C-2 Syntax Formatting C-3 Abbreviating Commands C-3 Command-Line Editing C-3 Command Completion C-4 Command Help C-4 Filtering show Command Output C-4 Command Output Paging C-5 Adding Comments C-6 Text Configuration Files C-6 How Commands Correspond with Lines in the Text File C-6 Command-Specific Configuration Mode Commands C-6 Automatic Text Entries C-7 Line Order C-7 Commands Not Included in the Text Configuration C-7 Passwords C-7 Multiple Security Context Files C-7 IPv4 Addresses and Subnet Masks D-1 Classes D-1 Private Networks D-2 Subnet Masks D-2 Determining the Subnet Mask D-3 Determining the Address to Use with the Subnet Mask D-3 IPv6 Addresses D-5 IPv6 Address Format D-5 IPv6 Address Types D-6 Unicast Addresses D-6 Multicast Address D-8 Anycast Address D-9 Required Addresses D-10 IPv6 Address Prefixes D-10 Protocols and Applications D-11Contents xxxiii Cisco Security Appliance Command Line Configuration Guide OL-10088-02 TCP and UDP Ports D-11 Local Ports and Protocols D-14 ICMP Types D-15 Selecting LDAP, RADIUS, or Local Authentication and Authorization E-1 Understanding Policy Enforcement of Permissions and Attributes E-2 Configuring an External LDAP Server E-2 Reviewing the LDAP Directory Structure and Configuration Procedure E-3 Organizing the Security Appliance LDAP Schema E-3 Searching the Hierarchy E-4 Binding the Security Appliance to the LDAP Server E-5 Defining the Security Appliance LDAP Schema E-5 Cisco -AV-Pair Attribute Syntax E-14 Example Security Appliance Authorization Schema E-15 Loading the Schema in the LDAP Server E-18 Defining User Permissions E-18 Example User File E-18 Reviewing Examples of Active Directory Configurations E-19 Example 1: Configuring LDAP Authorization with Microsoft Active Directory (ASA/PIX) E-19 Example 2: Configuring LDAP Authentication with Microsoft Active Directory E-20 Example 3: LDAP Authentication and LDAP Authorization with Microsoft Active Directory E-22 Configuring an External RADIUS Server E-24 Reviewing the RADIUS Configuration Procedure E-24 Security Appliance RADIUS Authorization Attributes E-25 Security Appliance TACACS+ Attributes E-32 GL O S S A R Y I N D E XContents xxxiv Cisco Security Appliance Command Line Configuration Guide OL-10088-02xxxv Cisco Security Appliance Command Line Configuration Guide OL-10088-02 About This Guide This preface introduce the Cisco Security Appliance Command Line Configuration Guide, and includes the following sections: • Document Objectives, page xxxv • Audience, page xxxv • Related Documentation, page xxxvi • Document Organization, page xxxvi • Document Conventions, page xxxix • , page xxxix Document Objectives The purpose of this guide is to help you configure the security appliance using the command-line interface. This guide does not cover every feature, but describes only the most common configuration scenarios. You can also configure and monitor the security appliance by using ASDM, a web-based GUI application. ASDM includes configuration wizards to guide you through some common configuration scenarios, and online Help for less common scenarios. For more information, see: http://www.cisco.com/univercd/cc/td/doc/product/netsec/secmgmt/asdm/index.htm This guide applies to the Cisco PIX 500 series security appliances (PIX 515E, PIX 525, and PIX 535) and the Cisco ASA 5500 series security appliances (ASA 5505, ASA 5510, ASA 5520, ASA 5540, and ASA 5550). Throughout this guide, the term “security appliance” applies generically to all supported models, unless specified otherwise. The PIX 501, PIX 506E, and PIX 520 security appliances are not supported. Audience This guide is for network managers who perform any of the following tasks: • Manage network security • Install and configure firewalls/security appliances • Configure VPNs • Configure intrusion detection softwarexxxvi Cisco Security Appliance Command Line Configuration Guide OL-10088-02 About This Guide Related Documentation For more information, refer to the following documentation: • Cisco PIX Security Appliance Release Notes • Cisco ASDM Release Notes • Cisco PIX 515E Quick Start Guide • Guide for Cisco PIX 6.2 and 6.3 Users Upgrading to Cisco PIX Software Version 7.0 • Migrating to ASA for VPN 3000 Series Concentrator Administrators • Cisco Security Appliance Command Reference • Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide • Cisco ASA 5500 Series Release Notes • Cisco Security Appliance Logging Configuration and System Log Messages • Cisco Secure Desktop Configuration Guide for Cisco ASA 5500 Series Administrators Document Organization This guide includes the chapters and appendixes described in Table 1. Table 1 Document Organization Chapter/Appendix Definition Part 1: Getting Started and General Information Chapter 1, “Introduction to the Security Appliance” Provides a high-level overview of the security appliance. Chapter 2, “Getting Started” Describes how to access the command-line interface, configure the firewall mode, and work with the configuration. Chapter 3, “Enabling Multiple Context Mode” Describes how to use security contexts and enable multiple context mode. Chapter 4, “Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance” Describes how to configure switch ports and VLAN interfaces for the ASA 5505 adaptive security appliance. Chapter 5, “Configuring Ethernet Settings and Subinterfaces” Describes how to configure Ethernet settings for physical interfaces and add subinterfaces. Chapter 6, “Adding and Managing Security Contexts” Describes how to configure multiple security contexts on the security appliance. Chapter 7, “Configuring Interface Parameters” Describes how to configure each interface and subinterface for a name, security, level, and IP address. Chapter 8, “Configuring Basic Settings” Describes how to configure basic settings that are typically required for a functioning configuration. Chapter 9, “Configuring IP Routing” Describes how to configure IP routing.xxxvii Cisco Security Appliance Command Line Configuration Guide OL-10088-02 About This Guide Chapter 10, “Configuring DHCP, DDNS, and WCCP Services” Describes how to configure the DHCP server and DHCP relay. Chapter 11, “Configuring Multicast Routing” Describes how to configure multicast routing. Chapter 12, “Configuring IPv6” Describes how to enable and configure IPv6. Chapter 13, “Configuring AAA Servers and the Local Database” Describes how to configure AAA servers and the local database. Chapter 14, “Configuring Failover” Describes the failover feature, which lets you configure two security appliances so that one will take over operation if the other one fails. Part 2: Configuring the Firewall Chapter 15, “Firewall Mode Overview” Describes in detail the two operation modes of the security appliance, routed and transparent mode, and how data is handled differently with each mode. Chapter 16, “Identifying Traffic with Access Lists” Describes how to identify traffic with access lists. Chapter 17, “Applying NAT” Describes how address translation is performed. Chapter 18, “Permitting or Denying Network Access” Describes how to control network access through the security appliance using access lists. Chapter 19, “Applying AAA for Network Access” Describes how to enable AAA for network access. Chapter 20, “Applying Filtering Services” Describes ways to filter web traffic to reduce security risks or prevent inappropriate use. Chapter 21, “Using Modular Policy Framework” Describes how to use the Modular Policy Framework to create security policies for TCP, general connection settings, inspection, and QoS. Chapter 22, “Managing AIP SSM and CSC SSM” Describes how to configure the security appliance to send traffic to an AIP SSM or a CSC SSM, how to check the status of an SSM, and how to update the software image on an intelligent SSM. Chapter 23, “Preventing Network Attacks” Describes how to configure protection features to intercept and respond to network attacks. Chapter 24, “Configuring QoS” Describes how to configure the network to provide better service to selected network traffic over various technologies, including Frame Relay, Asynchronous Transfer Mode (ATM), Ethernet and 802.1 networks, SONET, and IP routed networks. Chapter 25, “Configuring Application Layer Protocol Inspection” Describes how to use and configure application inspection. Chapter 26, “Configuring ARP Inspection and Bridging Parameters” Describes how to enable ARP inspection and how to customize bridging operations. Part 3: Configuring VPN Chapter 27, “Configuring IPsec and ISAKMP” Describes how to configure ISAKMP and IPSec tunneling to build and manage VPN “tunnels,” or secure connections between remote users and a private corporate network. Table 1 Document Organization (continued) Chapter/Appendix Definitionxxxviii Cisco Security Appliance Command Line Configuration Guide OL-10088-02 About This Guide Chapter 28, “Configuring L2TP over IPSec” Describes how to configure IPSec over L2TP on the security appliance. Chapter 29, “Setting General IPSec VPN Parameters” Describes miscellaneous VPN configuration procedures. Chapter 30, “Configuring Tunnel Groups, Group Policies, and Users” Describes how to configure VPN tunnel groups, group policies, and users. Chapter 31, “Configuring IP Addresses for VPNs” Describes how to configure IP addresses in your private network addressing scheme, which let the client function as a tunnel endpoint. Chapter 32, “Configuring Remote Access IPSec VPNs” Describes how to configure a remote access VPN connection. Chapter 33, “Configuring Network Admission Control” Describes how to configure Network Admission Control (NAC). Chapter 34, “Configuring Easy VPN Services on the ASA 5505” Describes how to configure Easy VPN on the ASA 5505 adaptive security appliance. Chapter 35, “Configuring the PPPoE Client” Describes how to configure the PPPoE client provided with the security appliance. Chapter 36, “Configuring LAN-to-LAN IPsec VPNs” Describes how to build a LAN-to-LAN VPN connection. Chapter 37, “Configuring WebVPN” Describes how to establish a secure, remote-access VPN tunnel to a security appliance using a web browser. Chapter 38, “Configuring SSL VPN Client” Describes how to install and configure the SSL VPN Client. Chapter 39, “Configuring Certificates” Describes how to configure a digital certificates, which contains information that identifies a user or device. Such information can include a name, serial number, company, department, or IP address. A digital certificate also contains a copy of the public key for the user or device. Part 4: System Administration Chapter 40, “Managing System Access” Describes how to access the security appliance for system management through Telnet, SSH, and HTTPS. Chapter 41, “Managing Software, Licenses, and Configurations” Describes how to enter license keys and download software and configurations files. Chapter 42, “Monitoring the Security Appliance” Describes how to monitor the security appliance. Chapter 43, “Troubleshooting the Security Appliance” Describes how to troubleshoot the security appliance. Part 4: Reference Appendix A, “Feature Licenses and Specifications” Describes the feature licenses and specifications. Appendix B, “Sample Configurations” Describes a number of common ways to implement the security appliance. Table 1 Document Organization (continued) Chapter/Appendix Definitionxxxix Cisco Security Appliance Command Line Configuration Guide OL-10088-02 About This Guide Document Conventions Command descriptions use these conventions: • Braces ({ }) indicate a required choice. • Square brackets ([ ]) indicate optional elements. • Vertical bars ( | ) separate alternative, mutually exclusive elements. • Boldface indicates commands and keywords that are entered literally as shown. • Italics indicate arguments for which you supply values. Examples use these conventions: • Examples depict screen displays and the command line in screen font. • Information you need to enter in examples is shown in boldface screen font. • Variables for which you must supply a value are shown in italic screen font. Note Means reader take note. Notes contain helpful suggestions or references to material not covered in the manual. Obtaining Documentation and Submitting a Service Request For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html Subscribe to the What’s New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS Version 2.0. Appendix C, “Using the Command-Line Interface” Describes how to use the CLI to configure the the security appliance. Appendix D, “Addresses, Protocols, and Ports” Provides a quick reference for IP addresses, protocols, and applications. Appendix E, “Configuring an External Server for Authorization and Authentication” Provides information about configuring LDAP and RADIUS authorization servers. “Glossary” Provides a handy reference for commonly-used terms and acronyms. “Index” Provides an index for the guide. Table 1 Document Organization (continued) Chapter/Appendix Definitionxl Cisco Security Appliance Command Line Configuration Guide OL-10088-02 About This Guide P A R T 1 Getting Started and General InformationC H A P T E R 1-1 Cisco Security Appliance Command Line Configuration Guide OL-10088-02 1 Introduction to the Security Appliance The security appliance combines advanced stateful firewall and VPN concentrator functionality in one device, and for some models, an integrated intrusion prevention module called the AIP SSM or an integrated content security and control module called the CSC SSM. The security appliance includes many advanced features, such as multiple security contexts (similar to virtualized firewalls), transparent (Layer 2) firewall or routed (Layer 3) firewall operation, advanced inspection engines, IPSec and WebVPN support, and many more features. See Appendix A, “Feature Licenses and Specifications,” for a list of supported platforms and features. For a list of new features, see the Cisco ASA 5500 Series Release Notes or the Cisco PIX Security Appliance Release Notes. Note The Cisco PIX 501 and PIX 506E security appliances are not supported. This chapter includes the following sections: • Firewall Functional Overview, page 1-1 • VPN Functional Overview, page 1-5 • Intrusion Prevention Services Functional Overview, page 1-5 • Security Context Overview, page 1-6 Firewall Functional Overview Firewalls protect inside networks from unauthorized access by users on an outside network. A firewall can also protect inside networks from each other, for example, by keeping a human resources network separate from a user network. If you have network resources that need to be available to an outside user, such as a web or FTP server, you can place these resources on a separate network behind the firewall, called a demilitarized zone (DMZ). The firewall allows limited access to the DMZ, but because the DMZ only includes the public servers, an attack there only affects the servers and does not affect the other inside networks. You can also control when inside users access outside networks (for example, access to the Internet), by allowing only certain addresses out, by requiring authentication or authorization, or by coordinating with an external URL filtering server. When discussing networks connected to a firewall, the outside network is in front of the firewall, the inside network is protected and behind the firewall, and a DMZ, while behind the firewall, allows limited access to outside users. Because the security appliance lets you configure many interfaces with varied security policies, including many inside interfaces, many DMZs, and even many outside interfaces if desired, these terms are used in a general sense only.1-2 Cisco Security Appliance Command Line Configuration Guide OL-10088-02 Chapter 1 Introduction to the Security Appliance Firewall Functional Overview This section includes the following topics: • Security Policy Overview, page 1-2 • Firewall Mode Overview, page 1-3 • Stateful Inspection Overview, page 1-4 Security Policy Overview A security policy determines which traffic is allowed to pass through the firewall to access another network. By default, the security appliance allows traffic to flow freely from an inside network (higher security level) to an outside network (lower security level). You can apply actions to traffic to customize the security policy. This section includes the following topics: • Permitting or Denying Traffic with Access Lists, page 1-2 • Applying NAT, page 1-2 • Using AAA for Through Traffic, page 1-2 • Applying HTTP, HTTPS, or FTP Filtering, page 1-3 • Applying Application Inspection, page 1-3 • Sending Traffic to the Advanced Inspection and Prevention Security Services Module, page 1-3 • Sending Traffic to the Content Security and Control Security Services Module, page 1-3 • Applying QoS Policies, page 1-3 • Applying Connection Limits and TCP Normalization, page 1-3 Permitting or Denying Traffic with Access Lists You can apply an access list to limit traffic from inside to outside, or allow traffic from outside to inside. For transparent firewall mode, you can also apply an EtherType access list to allow non-IP traffic. Applying NAT Some of the benefits of NAT include the following: • You can use private addresses on your inside networks. Private addresses are not routable on the Internet. • NAT hides the local addresses from other networks, so attackers cannot learn the real address of a host. • NAT can resolve IP routing problems by supporting overlapping IP addresses. Using AAA for Through Traffic You can require authentication and/or authorization for certain types of traffic, for example, for HTTP. The security appliance also sends accounting information to a RADIUS or TACACS+ server.1-3 Cisco Security Appliance Command Line Configuration Guide OL-10088-02 Chapter 1 Introduction to the Security Appliance Firewall Functional Overview Applying HTTP, HTTPS, or FTP Filtering Although you can use access lists to prevent outbound access to specific websites or FTP servers, configuring and managing web usage this way is not practical because of the size and dynamic nature of the Internet. We recommend that you use the security appliance in conjunction with a separate server running one of the following Internet filtering products: • Websense Enterprise • Secure Computing SmartFilter Applying Application Inspection Inspection engines are required for services that embed IP addressing information in the user data packet or that open secondary channels on dynamically assigned ports. These protocols require the security appliance to do a deep packet inspection. Sending Traffic to the Advanced Inspection and Prevention Security Services Module If your model supports the AIP SSM for intrusion prevention, then you can send traffic to the AIP SSM for inspection. Sending Traffic to the Content Security and Control Security Services Module If your model supports it, the CSC SSM provides protection against viruses, spyware, spam, and other unwanted traffic. It accomplishes this by scanning the FTP, HTTP, POP3, and SMTP traffic that you configure the adaptive security appliance to send to it. Applying QoS Policies Some network traffic, such as voice and streaming video, cannot tolerate long latency times. QoS is a network feature that lets you give priority to these types of traffic. QoS refers to the capability of a network to provide better service to selected network traffic. Applying Connection Limits and TCP Normalization You can limit TCP and UDP connections and embryonic connections. Limiting the number of connections and embryonic connections protects you from a DoS attack. The security appliance uses the embryonic limit to trigger TCP Intercept, which protects inside systems from a DoS attack perpetrated by flooding an interface with TCP SYN packets. An embryonic connection is a connection request that has not finished the necessary handshake between source and destination. TCP normalization is a feature consisting of advanced TCP connection settings designed to drop packets that do not appear normal. Firewall Mode Overview The security appliance runs in two different firewall modes: • Routed • Transparent 1-4 Cisco Security Appliance Command Line Configuration Guide OL-10088-02 Chapter 1 Introduction to the Security Appliance Firewall Functional Overview In routed mode, the security appliance is considered to be a router hop in the network. In transparent mode, the security appliance acts like a “bump in the wire,” or a “stealth firewall,” and is not considered a router hop. The security appliance connects to the same network on its inside and outside interfaces. You might use a transparent firewall to simplify your network configuration. Transparent mode is also useful if you want the firewall to be invisible to attackers. You can also use a transparent firewall for traffic that would otherwise be blocked in routed mode. For example, a transparent firewall can allow multicast streams using an EtherType access list. Stateful Inspection Overview All traffic that goes through the security appliance is inspected using the Adaptive Security Algorithm and either allowed through or dropped. A simple packet filter can check for the correct source address, destination address, and ports, but it does not check that the packet sequence or flags are correct. A filter also checks every packet against the filter, which can be a slow process. A stateful firewall like the security appliance, however, takes into consideration the state of a packet: • Is this a new connection? If it is a new connection, the security appliance has to check the packet against access lists and perform other tasks to determine if the packet is allowed or denied. To perform this check, the first packet of the session goes through the “session management path,” and depending on the type of traffic, it might also pass through the “control plane path.” The session management path is responsible for the following tasks: – Performing the access list checks – Performing route lookups – Allocating NAT translations (xlates) – Establishing sessions in the “fast path” Note The session management path and the fast path make up the “accelerated security path.” Some packets that require Layer 7 inspection (the packet payload must be inspected or altered) are passed on to the control plane path. Layer 7 inspection engines are required for protocols that have two or more channels: a data channel, which uses well-known port numbers, and a control channel, which uses different port numbers for each session. These protocols include FTP, H.323, and SNMP. • Is this an established connection? If the connection is already established, the security appliance does not need to re-check packets; most matching packets can go through the fast path in both directions. The fast path is responsible for the following tasks: – IP checksum verification – Session lookup – TCP sequence number check – NAT translations based on existing sessions – Layer 3 and Layer 4 header adjustments1-5 Cisco Security Appliance Command Line Configuration Guide OL-10088-02 Chapter 1 Introduction to the Security Appliance VPN Functional Overview For UDP or other connectionless protocols, the security appliance creates connection state information so that it can also use the fast path. Data packets for protocols that require Layer 7 inspection can also go through the fast path. Some established session packets must continue to go through the session management path or the control plane path. Packets that go through the session management path include HTTP packets that require inspection or content filtering. Packets that go through the control plane path include the control packets for protocols that require Layer 7 inspection. VPN Functional Overview A VPN is a secure connection across a TCP/IP network (such as the Internet) that appears as a private connection. This secure connection is called a tunnel. The security appliance uses tunneling protocols to negotiate security parameters, create and manage tunnels, encapsulate packets, transmit or receive them through the tunnel, and unencapsulate them. The security appliance functions as a bidirectional tunnel endpoint: it can receive plain packets, encapsulate them, and send them to the other end of the tunnel where they are unencapsulated and sent to their final destination. It can also receive encapsulated packets, unencapsulate them, and send them to their final destination. The security appliance invokes various standard protocols to accomplish these functions. The security appliance performs the following functions: • Establishes tunnels • Negotiates tunnel parameters • Authenticates users • Assigns user addresses • Encrypts and decrypts data • Manages security keys • Manages data transfer across the tunnel • Manages data transfer inbound and outbound as a tunnel endpoint or router The security appliance invokes various standard protocols to accomplish these functions. Intrusion Prevention Services Functional Overview The Cisco ASA 5500 series adaptive security appliance supports the AIP SSM, an intrusion prevention services module that monitors and performs real-time analysis of network traffic by looking for anomalies and misuse based on an extensive, embedded signature library. When the system detects unauthorized activity, it can terminate the specific connection, permanently block the attacking host, log the incident, and send an alert to the device manager. Other legitimate connections continue to operate independently without interruption. For more information, see Configuring the Cisco Intrusion Prevention System Sensor Using the Command Line Interface.1-6 Cisco Security Appliance Command Line Configuration Guide OL-10088-02 Chapter 1 Introduction to the Security Appliance Security Context Overview Security Context Overview You can partition a single security appliance into multiple virtual devices, known as security contexts. Each context is an independent device, with its own security policy, interfaces, and administrators. Multiple contexts are similar to having multiple standalone devices. Many features are supported in multiple context mode, including routing tables, firewall features, IPS, and management. Some features are not supported, including VPN and dynamic routing protocols. In multiple context mode, the security appliance includes a configuration for each context that identifies the security policy, interfaces, and almost all the options you can configure on a standalone device. The system administrator adds and manages contexts by configuring them in the system configuration, which, like a single mode configuration, is the startup configuration. The system configuration identifies basic settings for the security appliance. The system configuration does not include any network interfaces or network settings for itself; rather, when the system needs to access network resources (such as downloading the contexts from the server), it uses one of the contexts that is designated as the admin context. The admin context is just like any other context, except that when a user logs into the admin context, then that user has system administrator rights and can access the system and all other contexts. Note You can run all your contexts in routed mode or transparent mode; you cannot run some contexts in one mode and others in another. Multiple context mode supports static routing only.C H A P T E R 2-1 Cisco Security Appliance Command Line Configuration Guide OL-10088-02 2 Getting Started This chapter describes how to access the command-line interface, configure the firewall mode, and work with the configuration. This chapter includes the following sections: • Getting Started with Your Platform Model, page 2-1 • Factory Default Configurations, page 2-1 • Accessing the Command-Line Interface, page 2-4 • Setting Transparent or Routed Firewall Mode, page 2-5 • Working with the Configuration, page 2-6 Getting Started with Your Platform Model This guide applies to multiple security appliance platforms and models: the PIX 500 series security appliances and the ASA 5500 series adaptive security appliances. There are some hardware differences between the PIX and the ASA security appliance. Moreover, the ASA 5505 includes a built-in switch, and requires some special configuration. For these hardware-based differences, the platforms or models supported are noted directly in each section. Some models do not support all features covered in this guide. For example, the ASA 5505 adaptive security appliance does not support security contexts. This guide might not list each supported model when discussing a feature. To determine the features that are supported for your model before you start your configuration, see the “Supported Platforms and Feature Licenses” section on page A-1 for a detailed list of the features supported for each model. Factory Default Configurations The factory default configuration is the configuration applied by Cisco to new security appliances. The factory default configuration is supported on all models except for the PIX 525 and PIX 535 security appliances. For the PIX 515/515E and the ASA 5510 and higher security appliances, the factory default configuration configures an interface for management so you can connect to it using ASDM, with which you can then complete your configuration. For the ASA 5505 adaptive security appliance, the factory default configuration configures interfaces and NAT so that the security appliance is ready to use in your network immediately.2-2 Cisco Security Appliance Command Line Configuration Guide OL-10088-02 Chapter 2 Getting Started Factory Default Configurations The factory default configuration is available only for routed firewall mode and single context mode. See Chapter 3, “Enabling Multiple Context Mode,” for more information about multiple context mode. See the “Setting Transparent or Routed Firewall Mode” section on page 2-5 for more information about routed and transparent firewall mode. This section includes the following topics: • Restoring the Factory Default Configuration, page 2-2 • ASA 5505 Default Configuration, page 2-2 • ASA 5510 and Higher Default Configuration, page 2-3 • PIX 515/515E Default Configuration, page 2-4 Restoring the Factory Default Configuration To restore the factory default configuration, enter the following command: hostname(config)# configure factory-default [ip_address [mask]] If you specify the ip_address, then you set the inside or management interface IP address, depending on your model, instead of using the default IP address of 192.168.1.1. The http command uses the subnet you specify. Similarly, the dhcpd address command range consists of addresses within the subnet that you specify. After you restore the factory default configuration, save it to internal Flash memory using the write memory command. The write memory command saves the running configuration to the default location for the startup configuration, even if you previously configured the boot config command to set a different location; when the configuration was cleared, this path was also cleared. Note This command also clears the boot system command, if present, along with the rest of the configuration. The boot system command lets you boot from a specific image, including an image on the external Flash memory card. The next time you reload the security appliance after restoring the factory configuration, it boots from the first image in internal Flash memory; if you do not have an image in internal Flash memory, the security appliance does not boot. To configure additional settings that are useful for a full configuration, see the setup command. ASA 5505 Default Configuration The default factory configuration for the ASA 5505 adaptive security appliance configures the following: • An inside VLAN 1 interface that includes the Ethernet 0/1 through 0/7 switch ports. If you did not set the IP address in the configure factory-default command, then the VLAN 1 IP address and mask are 192.168.1.1 and 255.255.255.0. • An outside VLAN 2 interface that includes the Ethernet 0/0 switch port. VLAN 2 derives its IP address using DHCP. • The default route is also derived from DHCP. • All inside IP addresses are translated when accessing the outside using interface PAT. • By default, inside users can access the outside with an access list, and outside users are prevented from accessing the inside.2-3 Cisco Security Appliance Command Line Configuration Guide OL-10088-02 Chapter 2 Getting Started Factory Default Configurations • The DHCP server is enabled on the security appliance, so a PC connecting to the VLAN 1 interface receives an address between 192.168.1.2 and 192.168.1.254. • The HTTP server is enabled for ASDM and is accessible to users on the 192.168.1.0 network. The configuration consists of the following commands: interface Ethernet 0/0 switchport access vlan 2 no shutdown interface Ethernet 0/1 switchport access vlan 1 no shutdown interface Ethernet 0/2 switchport access vlan 1 no shutdown interface Ethernet 0/3 switchport access vlan 1 no shutdown interface Ethernet 0/4 switchport access vlan 1 no shutdown interface Ethernet 0/5 switchport access vlan 1 no shutdown interface Ethernet 0/6 switchport access vlan 1 no shutdown interface Ethernet 0/7 switchport access vlan 1 no shutdown interface vlan2 nameif outside no shutdown ip address dhcp setroute interface vlan1 nameif inside ip address 192.168.1.1 255.255.255.0 security-level 100 no shutdown global (outside) 1 interface nat (inside) 1 0 0 http server enable http 192.168.1.0 255.255.255.0 inside dhcpd address 192.168.1.2-192.168.1.254 inside dhcpd auto_config outside dhcpd enable inside logging asdm informational ASA 5510 and Higher Default Configuration The default factory configuration for the ASA 5510 and higher adaptive security appliance configures the following: • The management interface, Management 0/0. If you did not set the IP address in the configure factory-default command, then the IP address and mask are 192.168.1.1 and 255.255.255.0. • The DHCP server is enabled on the security appliance, so a PC connecting to the interface receives an address between 192.168.1.2 and 192.168.1.254. • The HTTP server is enabled for ASDM and is accessible to users on the 192.168.1.0 network.2-4 Cisco Security Appliance Command Line Configuration Guide OL-10088-02 Chapter 2 Getting Started Accessing the Command-Line Interface The configuration consists of the following commands: interface management 0/0 ip address 192.168.1.1 255.255.255.0 nameif management security-level 100 no shutdown asdm logging informational 100 asdm history enable http server enable http 192.168.1.0 255.255.255.0 management dhcpd address 192.168.1.2-192.168.1.254 management dhcpd lease 3600 dhcpd ping_timeout 750 dhcpd enable management PIX 515/515E Default Configuration The default factory configuration for the PIX 515/515E security appliance configures the following: • The inside Ethernet1 interface. If you did not set the IP address in the configure factory-default command, then the IP address and mask are 192.168.1.1 and 255.255.255.0. • The DHCP server is enabled on the security appliance, so a PC connecting to the interface receives an address between 192.168.1.2 and 192.168.1.254. • The HTTP server is enabled for ASDM and is accessible to users on the 192.168.1.0 network. The configuration consists of the following commands: interface ethernet 1 ip address 192.168.1.1 255.255.255.0 nameif management security-level 100 no shutdown asdm logging informational 100 asdm history enable http server enable http 192.168.1.0 255.255.255.0 management dhcpd address 192.168.1.2-192.168.1.254 management dhcpd lease 3600 dhcpd ping_timeout 750 dhcpd enable management Accessing the Command-Line Interface For initial configuration, access the command-line interface directly from the console port. Later, you can configure remote access using Telnet or SSH according to Chapter 40, “Managing System Access.” If your system is already in multiple context mode, then accessing the console port places you in the system execution space. See Chapter 3, “Enabling Multiple Context Mode,” for more information about multiple context mode. Note If you want to use ASDM to configure the security appliance instead of the command-line interface, you can connect to the default management address of 192.168.1.1 (if your security appliance includes a factory default configuration. See the “Factory Default Configurations” section on page 2-1.). On the 2-5 Cisco Security Appliance Command Line Configuration Guide OL-10088-02 Chapter 2 Getting Started Setting Transparent or Routed Firewall Mode ASA 5510 and higher adaptive security appliances, the interface to which you connect with ASDM is Management 0/0. For the ASA 5505 adaptive security appliance, the switch port to which you connect with ASDM is any port, except for Ethernet 0/0. For the PIX 515/515E security appliance, the interface to which you connect with ASDM is Ethernet 1. If you do not have a factory default configuration, follow the steps in this section to access the command-line interface. You can then configure the minimum parameters to access ASDM by entering the setup command. To access the command-line interface, perform the following steps: Step 1 Connect a PC to the console port using the provided console cable, and connect to the console using a terminal emulator set for 9600 baud, 8 data bits, no parity, 1 stop bit, no flow control. See the hardware guide that came with your security appliance for more information about the console cable. Step 2 Press the Enter key to see the following prompt: hostname> This prompt indicates that you are in user EXEC mode. Step 3 To access privileged EXEC mode, enter the following command: hostname> enable The following prompt appears: Password: Step 4 Enter the enable password at the prompt. By default, the password is blank, and you can press the Enter key to continue. See the “Changing the Enable Password” section on page 8-1 to change the enable password. The prompt changes to: hostname# To exit privileged mode, enter the disable, exit, or quit command. Step 5 To access global configuration mode, enter the following command: hostname# configure terminal The prompt changes to the following: hostname(config)# To exit global configuration mode, enter the exit, quit, or end command. Setting Transparent or Routed Firewall Mode You can set the security appliance to run in routed firewall mode (the default) or transparent firewall mode. For multiple context mode, you can use only one firewall mode for all contexts. You must set the mode in the system execution space.2-6 Cisco Security Appliance Command Line Configuration Guide OL-10088-02 Chapter 2 Getting Started Working with the Configuration When you change modes, the security appliance clears the configuration because many commands are not supported for both modes. If you already have a populated configuration, be sure to back up your configuration before changing the mode; you can use this backup for reference when creating your new configuration. See the “Backing Up Configuration Files” section on page 41-8. For multiple context mode, the system configuration is erased. This action removes any contexts from running. If you then re-add a context that has an existing configuration that was created for the wrong mode, the context configuration will not work correctly. Be sure to recreate your context configurations for the correct mode before you re-add them, or add new contexts with new paths for the new configurations. If you download a text configuration to the security appliance that changes the mode with the firewall transparent command, be sure to put the command at the top of the configuration; the security appliance changes the mode as soon as it reads the command and then continues reading the configuration you downloaded. If the command is later in the configuration, the security appliance clears all the preceding lines in the configuration. See the “Downloading Software or Configuration Files to Flash Memory” section on page 41-3 for information about downloading text files. • To set the mode to transparent, enter the following command in the system execution space: hostname(config)# firewall transparent This command also appears in each context configuration for informational purposes only; you cannot enter this command in a context. • To set the mode to routed, enter the following command in the system execution space: hostname(config)# no firewall transparent Working with the Configuration This section describes how to work with the configuration. The security appliance loads the configuration from a text file, called the startup configuration. This file resides by default as a hidden file in internal Flash memory. You can, however, specify a different path for the startup configuration. (For more information, see Chapter 41, “Managing Software, Licenses, and Configurations.”) When you enter a command, the change is made only to the running configuration in memory. You must manually save the running configuration to the startup configuration for your changes to remain after a reboot. The information in this section applies to both single and multiple security contexts, except where noted. Additional information about contexts is in Chapter 3, “Enabling Multiple Context Mode.” This section includes the following topics: • Saving Configuration Changes, page 2-6 • Copying the Startup Configuration to the Running Configuration, page 2-8 • Viewing the Configuration, page 2-8 • Clearing and Removing Configuration Settings, page 2-9 • Creating Text Configuration Files Offline, page 2-9 Saving Configuration Changes This section describes how to save your configuration, and includes the following topics: • Saving Configuration Changes in Single Context Mode, page 2-72-7 Cisco Security Appliance Command Line Configuration Guide OL-10088-02 Chapter 2 Getting Started Working with the Configuration • Saving Configuration Changes in Multiple Context Mode, page 2-7 Saving Configuration Changes in Single Context Mode To save the running configuration to the startup configuration, enter the following command: hostname# write memory Note The copy running-config startup-config command is equivalent to the write memory command. Saving Configuration Changes in Multiple Context Mode You can save each context (and system) configuration separately, or you can save all context configurations at the same time. This section includes the following topics: • Saving Each Context and System Separately, page 2-7 • Saving All Context Configurations at the Same Time, page 2-7 Saving Each Context and System Separately To save the system or context configuration, enter the following command within the system or context: hostname# write memory Note The copy running-config startup-config command is equivalent to the write memory command. For multiple context mode, context startup configurations can reside on external servers. In this case, the security appliance saves the configuration back to the server you identified in the context URL, except for an HTTP or HTTPS URL, which do not let you save the configuration to the server. Saving All Context Configurations at the Same Time To save all context configurations at the same time, as well as the system configuration, enter the following command in the system execution space: hostname# write memory all [/noconfirm] If you do not enter the /noconfirm keyword, you see the following prompt: Are you sure [Y/N]: After you enter Y, the security appliance saves the system configuration and each context. Context startup configurations can reside on external servers. In this case, the security appliance saves the configuration back to the server you identified in the context URL, except for an HTTP or HTTPS URL, which do not let you save the configuration to the server. After the security appliance saves each context, the following message appears: ‘Saving context ‘b’ ... ( 1/3 contexts saved ) ’ Sometimes, a context is not saved because of an error. See the following information for errors: • For contexts that are not saved because of low memory, the following message appears: The context 'context a' could not be saved due to Unavailability of resources2-8 Cisco Security Appliance Command Line Configuration Guide OL-10088-02 Chapter 2 Getting Started Working with the Configuration • For contexts that are not saved because the remote destination is unreachable, the following message appears: The context 'context a' could not be saved due to non-reachability of destination • For contexts that are not saved because the context is locked, the following message appears: Unable to save the configuration for the following contexts as these contexts are locked. context ‘a’ , context ‘x’ , context ‘z’ . A context is only locked if another user is already saving the configuration or in the process of deleting the context. • For contexts that are not saved because the startup configuration is read-only (for example, on an HTTP server), the following message report is printed at the end of all other messages: Unable to save the configuration for the following contexts as these contexts have read-only config-urls: context ‘a’ , context ‘b’ , context ‘c’ . • For contexts that are not saved because of bad sectors in the Flash memory, the following message appears: The context 'context a' could not be saved due to Unknown errors Copying the Startup Configuration to the Running Configuration Copy a new startup configuration to the running configuration using one of these options: • To merge the startup configuration with the running configuration, enter the following command: hostname(config)# copy startup-config running-config A merge adds any new commands from the new configuration to the running configuration. If the configurations are the same, no changes occur. If commands conflict or if commands affect the running of the context, then the effect of the merge depends on the command. You might get errors, or you might have unexpected results. • To load the startup configuration and discard the running configuration, restart the security appliance by entering the following command: hostname# reload Alternatively, you can use the following commands to load the startup configuration and discard the running configuration without requiring a reboot: hostname/contexta(config)# clear configure all hostname/contexta(config)# copy startup-config running-config Viewing the Configuration The following commands let you view the running and startup configurations. • To view the running configuration, enter the following command: hostname# show running-config2-9 Cisco Security Appliance Command Line Configuration Guide OL-10088-02 Chapter 2 Getting Started Working with the Configuration • To view the running configuration of a specific command, enter the following command: hostname# show running-config command • To view the startup configuration, enter the following command: hostname# show startup-config Clearing and Removing Configuration Settings To erase settings, enter one of the following commands. • To clear all the configuration for a specified command, enter the following command: hostname(config)# clear configure configurationcommand [level2configurationcommand] This command clears all the current configuration for the specified configuration command. If you only want to clear the configuration for a specific version of the command, you can enter a value for level2configurationcommand. For example, to clear the configuration for all aaa commands, enter the following command: hostname(config)# clear configure aaa To clear the configuration for only aaa authentication commands, enter the following command: hostname(config)# clear configure aaa authentication • To disable the specific parameters or options of a command, enter the following command: hostname(config)# no configurationcommand [level2configurationcommand] qualifier In this case, you use the no command to remove the specific configuration identified by qualifier. For example, to remove a specific nat command, enter enough of the command to identify it uniquely as follows: hostname(config)# no nat (inside) 1 • To erase the startup configuration, enter the following command: hostname(config)# write erase • To erase the running configuration, enter the following command: hostname(config)# clear configure all Note In multiple context mode, if you enter clear configure all from the system configuration, you also remove all contexts and stop them from running. Creating Text Configuration Files Offline This guide describes how to use the CLI to configure the security appliance; when you save commands, the changes are written to a text file. Instead of using the CLI, however, you can edit a text file directly on your PC and paste a configuration at the configuration mode command-line prompt in its entirety, or line by line. Alternatively, you can download a text file to the security appliance internal Flash memory. See Chapter 41, “Managing Software, Licenses, and Configurations,” for information on downloading the configuration file to the security appliance.2-10 Cisco Security Appliance Command Line Configuration Guide OL-10088-02 Chapter 2 Getting Started Working with the Configuration In most cases, commands described in this guide are preceded by a CLI prompt. The prompt in the following example is “hostname(config)#”: hostname(config)# context a In the text configuration file you are not prompted to enter commands, so the prompt is omitted as follows: context a For additional information about formatting the file, see Appendix C, “Using the Command-Line Interface.”C H A P T E R 3-1 Cisco Security Appliance Command Line Configuration Guide OL-10088-02 3 Enabling Multiple Context Mode This chapter describes how to use security contexts and enable multiple context mode. This chapter includes the following sections: • Security Context Overview, page 3-1 • Enabling or Disabling Multiple Context Mode, page 3-10 Security Context Overview You can partition a single security appliance into multiple virtual devices, known as security contexts. Each context is an independent device, with its own security policy, interfaces, and administrators. Multiple contexts are similar to having multiple standalone devices. Many features are supported in multiple context mode, including routing tables, firewall features, IPS, and management. Some features are not supported, including VPN and dynamic routing protocols. This section provides an overview of security contexts, and includes the following topics: • Common Uses for Security Contexts, page 3-1 • Unsupported Features, page 3-2 • Context Configuration Files, page 3-2 • How the Security Appliance Classifies Packets, page 3-3 • Cascading Security Contexts, page 3-8 • Management Access to Security Contexts, page 3-9 Common Uses for Security Contexts You might want to use multiple security contexts in the following situations: • You are a service provider and want to sell security services to many customers. By enabling multiple security contexts on the security appliance, you can implement a cost-effective, space-saving solution that keeps all customer traffic separate and secure, and also eases configuration. • You are a large enterprise or a college campus and want to keep departments completely separate. • You are an enterprise that wants to provide distinct security policies to different departments. • You have any network that requires more than one security appliance.3-2 Cisco Security Appliance Command Line Configuration Guide OL-10088-02 Chapter 3 Enabling Multiple Context Mode Security Context Overview Unsupported Features Multiple context mode does not support the following features: • Dynamic routing protocols Security contexts support only static routes. You cannot enable OSPF or RIP in multiple context mode. • VPN • Multicast Context Configuration Files This section describes how the security appliance implements multiple context mode configurations and includes the following sections: • Context Configurations, page 3-2 • System Configuration, page 3-2 • Admin Context Configuration, page 3-2 Context Configurations The security appliance includes a configuration for each context that identifies the security policy, interfaces, and almost all the options you can configure on a standalone device. You can store context configurations on the internal Flash memory or the external Flash memory card, or you can download them from a TFTP, FTP, or HTTP(S) server. System Configuration The system administrator adds and manages contexts by configuring each context configuration location, allocated interfaces, and other context operating parameters in the system configuration, which, like a single mode configuration, is the startup configuration. The system configuration identifies basic settings for the security appliance. The system configuration does not include any network interfaces or network settings for itself; rather, when the system needs to access network resources (such as downloading the contexts from the server), it uses one of the contexts that is designated as the admin context. The system configuration does include a specialized failover interface for failover traffic only. Admin Context Configuration The admin context is just like any other context, except that when a user logs in to the admin context, then that user has system administrator rights and can access the system and all other contexts. The admin context is not restricted in any way, and can be used as a regular context. However, because logging into the admin context grants you administrator privileges over all contexts, you might need to restrict access to the admin context to appropriate users. The admin context must reside on Flash memory, and not remotely. If your system is already in multiple context mode, or if you convert from single mode, the admin context is created automatically as a file on the internal Flash memory called admin.cfg. This context is named “admin.” If you do not want to use admin.cfg as the admin context, you can change the admin context.3-3 Cisco Security Appliance Command Line Configuration Guide OL-10088-02 Chapter 3 Enabling Multiple Context Mode Security Context Overview How the Security Appliance Classifies Packets Each packet that enters the security appliance must be classified, so that the security appliance can determine to which context to send a packet. This section includes the following topics: • Valid Classifier Criteria, page 3-3 • Invalid Classifier Criteria, page 3-4 • Classification Examples, page 3-5 Note If the destination MAC address is a multicast or broadcast MAC address, the packet is duplicated and delivered to each context. Valid Classifier Criteria This section describes the criteria used by the classifier, and includes the following topics: • Unique Interfaces, page 3-3 • Unique MAC Addresses, page 3-3 • NAT Configuration, page 3-3 Unique Interfaces If only one context is associated with the ingress interface, the security appliance classifies the packet into that context. In transparent firewall mode, unique interfaces for contexts are required, so this method is used to classify packets at all times. Unique MAC Addresses If multiple contexts share an interface, then the classifier uses the interface MAC address. The security appliance lets you assign a different MAC address in each context to the same shared interface, whether it is a shared physical interface or a shared subinterface. By default, shared interfaces do not have unique MAC addresses; the interface uses the physical interface burned-in MAC address in every context. An upstream router cannot route directly to a context without unique MAC addresses. You can set the MAC addresses manually when you configure each interface (see the “Configuring the Interface” section on page 7-2), or you can automatically generate MAC addresses (see the “Automatically Assigning MAC Addresses to Context Interfaces” section on page 6-11). NAT Configuration If you do not have unique MAC addresses, then the classifier intercepts the packet and performs a destination IP address lookup. All other fields are ignored; only the destination IP address is used. To use the destination address for classification, the classifier must have knowledge about the subnets located behind each security context. The classifier relies on the NAT configuration to determine the subnets in each context. The classifier matches the destination IP address to either a static command or a global command. In the case of the global command, the classifier does not need a matching nat command or an active NAT session to classify the packet. Whether the packet can communicate with the destination IP address after classification depends on how you configure NAT and NAT control. For example, the classifier gains knowledge about subnets 10.10.10.0, 10.20.10.0 and 10.30.10.0 when the context administrators configure static commands in each context: • Context A:3-4 Cisco Security Appliance Command Line Configuration Guide OL-10088-02 Chapter 3 Enabling Multiple Context Mode Security Context Overview static (inside,shared) 10.10.10.0 10.10.10.0 netmask 255.255.255.0 • Context B: static (inside,shared) 10.20.10.0 10.20.10.0 netmask 255.255.255.0 • Context C: static (inside,shared) 10.30.10.0 10.30.10.0 netmask 255.255.255.0 Note For management traffic destined for an interface, the interface IP address is used for classification. Invalid Classifier Criteria The following configurations are not used for packet classification: • NAT exemption—The classifier does not use a NAT exemption configuration for classification purposes because NAT exemption does not identify a mapped interface. • Routing table—If a context includes a static route that points to an external router as the next-hop to a subnet, and a different context includes a static command for the same subnet, then the classifier uses the static command to classify packets destined for that subnet and ignores the static route.3-5 Cisco Security Appliance Command Line Configuration Guide OL-10088-02 Chapter 3 Enabling Multiple Context Mode Security Context Overview Classification Examples Figure 3-2 shows multiple contexts sharing an outside interface. The classifier assigns the packet to Context B because Context B includes the MAC address to which the router sends the packet. Figure 3-1 Packet Classification with a Shared Interface using MAC Addresses Classifier Context A Context B MAC 000C.F142.4CDA MAC 000C.F142.4CDB MAC 000C.F142.4CDC GE 0/1.2 GE 0/1.3 GE 0/0.1 (Shared Interface) Admin Context GE 0/1.1 Host 209.165.201.1 Host 209.165.200.225 Host 209.165.202.129 Packet Destination: 209.165.201.1 via MAC 000C.F142.4CDC Internet Inside Customer A Inside Customer B Admin Network 1533673-6 Cisco Security Appliance Command Line Configuration Guide OL-10088-02 Chapter 3 Enabling Multiple Context Mode Security Context Overview Figure 3-2 shows multiple contexts sharing an outside interface without MAC addresses assigned. The classifier assigns the packet to Context B because Context B includes the address translation that matches the destination address. Figure 3-2 Packet Classification with a Shared Interface using NAT Note that all new incoming traffic must be classified, even from inside networks. Figure 3-3 shows a host on the Context B inside network accessing the Internet. The classifier assigns the packet to Context B because the ingress interface is Gigabit Ethernet 0/1.3, which is assigned to Context B. Note If you share an inside interface and do not use unique MAC addresses, the classifier imposes some major restrictions. The classifier relies on the address translation configuration to classify the packet within a context, and you must translate the destination addresses of the traffic. Because you do not usually perform NAT on outside addresses, sending packets from inside to outside on a shared interface is not always possible; the outside network is large, (the Web, for example), and addresses are not predictable for an outside NAT configuration. If you share an inside interface, we suggest you use unique MAC addresses. Classifier Context A Context B GE 0/1.2 GE 0/1.3 GE 0/0.1 (Shared Interface) Admin Context GE 0/1.1 Host 10.1.1.13 Host 10.1.1.13 Host 10.1.1.13 Dest Addr Translation 209.165.201.3 Packet Destination: 209.165.201.3 10.1.1.13 Internet Inside Customer A Inside Customer B Admin Network 923993-7 Cisco Security Appliance Command Line Configuration Guide OL-10088-02 Chapter 3 Enabling Multiple Context Mode Security Context Overview Figure 3-3 Incoming Traffic from Inside Networks Host 10.1.1.13 Host 10.1.1.13 Host 10.1.1.13 Classifier Context A Context B GE 0/1.2 GE 0/1.3 GE 0/0.1 Admin Context GE 0/1.1 Inside Customer A Inside Customer B Internet Admin Network 923953-8 Cisco Security Appliance Command Line Configuration Guide OL-10088-02 Chapter 3 Enabling Multiple Context Mode Security Context Overview For transparent firewalls, you must use unique interfaces. Figure 3-4 shows a host on the Context B inside network accessing the Internet. The classifier assigns the packet to Context B because the ingress interface is Gigabit Ethernet 1/0.3, which is assigned to Context B. Figure 3-4 Transparent Firewall Contexts Cascading Security Contexts Placing a context directly in front of another context is called cascading contexts; the outside interface of one context is the same interface as the inside interface of another context. You might want to cascade contexts if you want to simplify the configuration of some contexts by configuring shared parameters in the top context. Note Cascading contexts requires that you configure unique MAC addresses for each context interface. Because of the limitations of classifying packets on shared interfaces without MAC addresses, we do not recommend using cascading contexts without unique MAC addresses. Host 10.1.3.13 Host 10.1.2.13 Host 10.1.1.13 Context A Context B GE 1/0.2 GE 1/0.3 Admin Context GE 1/0.1 GE 0/0.1 GE 0/0.3 GE 0/0.2 Classifier Inside Customer A Inside Customer B Internet Admin Network 924013-9 Cisco Security Appliance Command Line Configuration Guide OL-10088-02 Chapter 3 Enabling Multiple Context Mode Security Context Overview Figure 3-5 shows a gateway context with two contexts behind the gateway. Figure 3-5 Cascading Contexts Management Access to Security Contexts The security appliance provides system administrator access in multiple context mode as well as access for individual context administrators. The following sections describe logging in as a system administrator or as a a context administrator: • System Administrator Access, page 3-9 • Context Administrator Access, page 3-10 System Administrator Access You can access the security appliance as a system administrator in two ways: • Access the security appliance console. From the console, you access the system execution space. • Access the admin context using Telnet, SSH, or ASDM. See Chapter 40, “Managing System Access,” to enable Telnet, SSH, and SDM access. As the system administrator, you can access all contexts. When you change to a context from admin or the system, your username changes to the default “enable_15” username. If you configured command authorization in that context, you need to either configure authorization privileges for the “enable_15” user, or you can log in as a different name for which you provide sufficient privileges in the command authorization configuration for the context. To log in with a username, enter the login command. For example, you log in to the admin context with the Admin Context Context A Gateway Context GE 1/1.43 GE 0/0.2 Outside GE 1/1.8 GE 0/0.1 (Shared Interface) Internet Inside Inside Outside Inside Outside 1533663-10 Cisco Security Appliance Command Line Configuration Guide OL-10088-02 Chapter 3 Enabling Multiple Context Mode Enabling or Disabling Multiple Context Mode username “admin.” The admin context does not have any command authorization configuration, but all other contexts include command authorization. For convenience, each context configuration includes a user “admin” with maximum privileges. When you change from the admin context to context A, your username is altered, so you must log in again as “admin” by entering the login command. When you change to context B, you must again enter the login command to log in as “admin.” The system execution space does not support any AAA commands, but you can configure its own enable password, as well as usernames in the local database to provide individual logins. Context Administrator Access You can access a context using Telnet, SSH, or ASDM. If you log in to a non-admin context, you can only access the configuration for that context. You can provide individual logins to the context. See See Chapter 40, “Managing System Access,” to enable Telnet, SSH, and SDM access and to configure management authentication. Enabling or Disabling Multiple Context Mode Your security appliance might already be configured for multiple security contexts depending on how you ordered it from Cisco. If you are upgrading, however, you might need to convert from single mode to multiple mode by following the procedures in this section. ASDM does not support changing modes, so you need to change modes using the CLI. This section includes the following topics: • Backing Up the Single Mode Configuration, page 3-10 • Enabling Multiple Context Mode, page 3-10 • Restoring Single Context Mode, page 3-11 Backing Up the Single Mode Configuration When you convert from single mode to multiple mode, the security appliance converts the running configuration into two files. The original startup configuration is not saved, so if it differs from the running configuration, you should back it up before proceeding. Enabling Multiple Context Mode The context mode (single or multiple) is not stored in the configuration file, even though it does endure reboots. If you need to copy your configuration to another device, set the mode on the new device to match using the mode command. When you convert from single mode to multiple mode, the security appliance converts the running configuration into two files: a new startup configuration that comprises the system configuration, and admin.cfg that comprises the admin context (in the root directory of the internal Flash memory). The original running configuration is saved as old_running.cfg (in the root directory of the internal Flash memory). The original startup configuration is not saved. The security appliance automatically adds an entry for the admin context to the system configuration with the name “admin.” To enable multiple mode, enter the following command: hostname(config)# mode multiple3-11 Cisco Security Appliance Command Line Configuration Guide OL-10088-02 Chapter 3 Enabling Multiple Context Mode Enabling or Disabling Multiple Context Mode You are prompted to reboot the security appliance. Restoring Single Context Mode If you convert from multiple mode to single mode, you might want to first copy a full startup configuration (if available) to the security appliance; the system configuration inherited from multiple mode is not a complete functioning configuration for a single mode device. Because the system configuration does not have any network interfaces as part of its configuration, you must access the security appliance from the console to perform the copy. To copy the old running configuration to the startup configuration and to change the mode to single mode, perform the following steps in the system execution space: Step 1 To copy the backup version of your original running configuration to the current startup configuration, enter the following command in the system execution space: hostname(config)# copy flash:old_running.cfg startup-config Step 2 To set the mode to single mode, enter the following command in the system execution space: hostname(config)# mode single The security appliance reboots.3-12 Cisco Security Appliance Command Line Configuration Guide OL-10088-02 Chapter 3 Enabling Multiple Context Mode Enabling or Disabling Multiple Context ModeC H A P T E R 4-1 Cisco Security Appliance Command Line Configuration Guide OL-10088-02 4 Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance This chapter describes how to configure the switch ports and VLAN interfaces of the ASA 5505 adaptive security appliance. Note To configure interfaces of other models, see Chapter 5, “Configuring Ethernet Settings and Subinterfaces,” and Chapter 7, “Configuring Interface Parameters.” This chapter includes the following sections: • Interface Overview, page 4-1 • Configuring VLAN Interfaces, page 4-5 • Configuring Switch Ports as Access Ports, page 4-9 • Configuring a Switch Port as a Trunk Port, page 4-11 • Allowing Communication Between VLAN Interfaces on the Same Security Level, page 4-13 Interface Overview This section describes the ports and interfaces of the ASA 5505 adaptive security appliance, and includes the following topics: • Understanding ASA 5505 Ports and Interfaces, page 4-2 • Maximum Active VLAN Interfaces for Your License, page 4-2 • Default Interface Configuration, page 4-4 • VLAN MAC Addresses, page 4-4 • Power Over Ethernet, page 4-4 • Security Level Overview, page 4-54-2 Cisco Security Appliance Command Line Configuration Guide OL-10088-02 Chapter 4 Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance Interface Overview Understanding ASA 5505 Ports and Interfaces The ASA 5505 adaptive security appliance supports a built-in switch. There are two kinds of ports and interfaces that you need to configure: • Physical switch ports—The adaptive security appliance has eight Fast Ethernet switch ports that forward traffic at Layer 2, using the switching function in hardware. Two of these ports are PoE ports. See the “Power Over Ethernet” section on page 4-4 for more information. You can connect these interfaces directly to user equipment such as PCs, IP phones, or a DSL modem. Or you can connect to another switch. • Logical VLAN interfaces—In routed mode, these interfaces forward traffic between VLAN networks at Layer 3, using the configured security policy to apply firewall and VPN services. In transparent mode, these interfaces forward traffic between the VLANs on the same network at Layer 2, using the configured security policy to apply firewall services. See the “Maximum Active VLAN Interfaces for Your License” section for more information about the maximum VLAN interfaces. VLAN interfaces let you divide your equipment into separate VLANs, for example, home, business, and Internet VLANs. To segregate the switch ports into separate VLANs, you assign each switch port to a VLAN interface. Switch ports on the same VLAN can communicate with each other using hardware switching. But when a switch port on VLAN 1 wants to communicate with a switch port on VLAN 2, then the adaptive security appliance applies the security policy to the traffic and routes or bridges between the two VLANs. Note Subinterfaces are not available for the ASA 5505 adaptive security appliance. Maximum Active VLAN Interfaces for Your License In transparent firewall mode, you can configure two active VLANs in the Base license and three active VLANs in the Security Plus license, one of which must be for failover. In routed mode, you can configure up to three active VLANs with the Base license, and up to 20 active VLANs with the Security Plus license. An active VLAN is a VLAN with a nameif command configured.4-3 Cisco Security Appliance Command Line Configuration Guide OL-10088-02 Chapter 4 Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance Interface Overview With the Base license, the third VLAN can only be configured to initiate traffic to one other VLAN. See Figure 4-1 for an example network where the Home VLAN can communicate with the Internet, but cannot initiate contact with Business. Figure 4-1 ASA 5505 Adaptive Security Appliance with Base License With the Security Plus license, you can configure 20 VLAN interfaces. You can configure trunk ports to accomodate multiple VLANs per port. Note The ASA 5505 adaptive security appliance supports Active/Standby failover, but not Stateful failover. See Figure 4-2 for an example network. Figure 4-2 ASA 5505 Adaptive Security Appliance with Security Plus License ASA 5505 with Base License Business Internet Home 153364 ASA 5505 with Security Plus License Failover ASA 5505 Inside Backup ISP Primary ISP DMZ Failover Link 1533654-4 Cisco Security Appliance Command Line Configuration Guide OL-10088-02 Chapter 4 Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance Interface Overview Default Interface Configuration If your adaptive security appliance includes the default factory configuration, your interfaces are configured as follows: • The outside interface (security level 0) is VLAN 2. Ethernet0/0 is assigned to VLAN 2 and is enabled. The VLAN 2 IP address is obtained from the DHCP server. • The inside interface (security level 100) is VLAN 1 Ethernet 0/1 through Ethernet 0/7 are assigned to VLAN 1 and is enabled. VLAN 1 has IP address 192.168.1.1. Restore the default factory configuration using the configure factory-default command. Use the procedures in this chapter to modify the default configuration, for example, to add VLAN interfaces. If you do not have a factory default configuration, all switch ports are in VLAN 1, but no other parameters are configured. VLAN MAC Addresses In routed firewall mode, all VLAN interfaces share a MAC address. Ensure that any connected switches can support this scenario. If the connected switches require unique MAC addresses, you can manually assign MAC addresses. In transparent firewall mode, each VLAN has a unique MAC address. You can override the generated MAC addresses if desired by manually assigning MAC addresses. Power Over Ethernet Ethernet 0/6 and Ethernet 0/7 support PoE for devices such as IP phones or wireless access points. If you install a non-PoE device or do not connect to these switch ports, the adaptive security appliance does not supply power to the switch ports. If you shut down the switch port using the shutdown command, you disable power to the device. Power is restored when you enter no shutdown. See the “Configuring Switch Ports as Access Ports” section on page 4-9 for more information about shutting down a switch port. To view the status of PoE switch ports, including the type of device connected (Cisco or IEEE 802.3af), use the show power inline command. Monitoring Traffic Using SPAN If you want to monitor traffic that enters or exits one or more switch ports, you can enable SPAN, also known as switch port monitoring. The port for which you enable SPAN (called the destination port) receives a copy of every packet transmitted or received on a specified source port. The SPAN feature lets you attach a sniffer to the destination port so you can monitor all traffic; without SPAN, you would have to attach a sniffer to every port you want to monitor. You can only enable SPAN for one destination port. 4-5 Cisco Security Appliance Command Line Configuration Guide OL-10088-02 Chapter 4 Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance Configuring VLAN Interfaces See the switchport monitor command in the Cisco Security Appliance Command Reference for more information. Security Level Overview Each VLAN interface must have a security level in the range 0 to 100 (from lowest to highest). For example, you should assign your most secure network, such as the inside business network, to level 100. The outside network connected to the Internet can be level 0. Other networks, such as a home network can be in-between. You can assign interfaces to the same security level. The level controls the following behavior: • Network access—By default, there is an implicit permit from a higher security interface to a lower security interface (outbound). Hosts on the higher security interface can access any host on a lower security interface. You can limit access by applying an access list to the interface. • If you enable communication for same security interfaces, there is an implicit permit for interfaces to access other interfaces on the same security level or lower. See the “Allowing Communication Between VLAN Interfaces on the Same Security Level” section on page 4-13 for more information. • Inspection engines—Some application inspection engines are dependent on the security level. For same security interfaces, inspection engines apply to traffic in either direction. – NetBIOS inspection engine—Applied only for outbound connections. – SQL*Net inspection engine—If a control connection for the SQL*Net (formerly OraServ) port exists between a pair of hosts, then only an inbound data connection is permitted through the adaptive security appliance. • Filtering—HTTP(S) and FTP filtering applies only for outbound connections (from a higher level to a lower level). For same security interfaces, you can filter traffic in either direction. • NAT control—When you enable NAT control, you must configure NAT for hosts on a higher security interface (inside) when they access hosts on a lower security interface (outside). Without NAT control, or for same security interfaces, you can choose to use NAT between any interface, or you can choose not to use NAT. Keep in mind that configuring NAT for an outside interface might require a special keyword. • established command—This command allows return connections from a lower security host to a higher security host if there is already an established connection from the higher level host to the lower level host. For same security interfaces, you can configure established commands for both directions. Configuring VLAN Interfaces For each VLAN to pass traffic, you need to configure an interface name (the nameif command), and for routed mode, an IP address. You should also change the security level from the default, which is 0. If you name an interface “inside” and you do not set the security level explicitly, then the adaptive security appliance sets the security level to 100. For information about how many VLANs you can configure, see the “Maximum Active VLAN Interfaces for Your License” section on page 4-2.4-6 Cisco Security Appliance Command Line Configuration Guide OL-10088-02 Chapter 4 Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance Configuring VLAN Interfaces Note If you are using failover, do not use this procedure to name interfaces that you are reserving for failover communications. See Chapter 14, “Configuring Failover,” to configure the failover link. If you change the security level of an interface, and you do not want to wait for existing connections to time out before the new security information is used, you can clear the connections using the clear local-host command. To configure a VLAN interface, perform the following steps: Step 1 To specify the VLAN ID, enter the following command: hostname(config)# interface vlan number Where the number is between 1 and 4090. For example, enter the following command: hostname(config)# interface vlan 100 To remove this VLAN interface and all associated configuration, enter the no interface vlan command. Because this interface also includes the interface name configuration, and the name is used in other commands, those commands are also removed. Step 2 (Optional) For the Base license, allow this interface to be the third VLAN by limiting it from initiating contact to one other VLAN using the following command: hostname(config-if)# no forward interface vlan number Where number specifies the VLAN ID to which this VLAN interface cannot initiate traffic. With the Base license, you can only configure a third VLAN if you use this command to limit it. For example, you have one VLAN assigned to the outside for Internet access, one VLAN assigned to an inside business network, and a third VLAN assigned to your home network. The home network does not need to access the business network, so you can use the no forward interface command on the home VLAN; the business network can access the home network, but the home network cannot access the business network. If you already have two VLAN interfaces configured with a nameif command, be sure to enter the no forward interface command before the nameif command on the third interface; the adaptive security appliance does not allow three fully functioning VLAN interfaces with the Base license on the ASA 5505 adaptive security appliance. Note If you upgrade to the Security Plus license, you can remove this command and achieve full functionality for this interface. If you leave this command in place, this interface continues to be limited even after upgrading. Step 3 To name the interface, enter the following command: hostname(config-if)# nameif name The name is a text string up to 48 characters, and is not case-sensitive. You can change the name by reentering this command with a new value. Do not enter the no form, because that command causes all commands that refer to that name to be deleted. Step 4 To set the security level, enter the following command: hostname(config-if)# security-level number4-7 Cisco Security Appliance Command Line Configuration Guide OL-10088-02 Chapter 4 Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance Configuring VLAN Interfaces Where number is an integer between 0 (lowest) and 100 (highest). Step 5 (Routed mode only) To set the IP address, enter one of the following commands. Note To set an IPv6 address, see the “Configuring IPv6 on an Interface” section on page 12-3. To set the management IP address for transparent firewall mode, see the “Setting the Management IP Address for a Transparent Firewall” section on page 8-5. In transparent mode, you do not set the IP address for each interface, but rather for the whole adaptive security appliance or context. For failover, you must set the IP address an standby address manually; DHCP and PPPoE are not supported. • To set the IP address manually, enter the following command: hostname(config-if)# ip address ip_address [mask] [standby ip_address] The standby keyword and address is used for failover. See Chapter 14, “Configuring Failover,” for more information. • To obtain an IP address from a DHCP server, enter the following command: hostname(config-if)# ip address dhcp [setroute] Reenter this command to reset the DHCP lease and request a new lease. If you do not enable the interface using the no shutdown command before you enter the ip address dhcp command, some DHCP requests might not be sent. • To obtain an IP address from a PPPoE server, see Chapter 35, “Configuring the PPPoE Client.” Step 6 (Optional) To assign a private MAC address to this interface, enter the following command: hostname(config-if)# mac-address mac_address [standby mac_address] By default in routed mode, all VLANs use the same MAC address. In transparent mode, the VLANs use unique MAC addresses. You might want to set unique VLANs or change the generated VLANs if your switch requires it, or for access control purposes. Step 7 (Optional) To set an interface to management-only mode, so that it does not allow through traffic, enter the following command: hostname(config-if)# management-only Step 8 By default, VLAN interfaces are enabled. To enable the interface, if it is not already enabled, enter the following command: hostname(config-if)# no shutdown To disable the interface, enter the shutdown command. The following example configures seven VLAN interfaces, including the failover interface which is configured separately using the failover lan command: hostname(config)# interface vlan 100 hostname(config-if)# nameif outside hostname(config-if)# security-level 0 hostname(config-if)# ip address 10.1.1.1 255.255.255.04-8 Cisco Security Appliance Command Line Configuration Guide OL-10088-02 Chapter 4 Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance Configuring VLAN Interfaces hostname(config-if)# no shutdown hostname(config-if)# interface vlan 200 hostname(config-if)# nameif inside hostname(config-if)# security-level 100 hostname(config-if)# ip address 10.2.1.1 255.255.255.0 hostname(config-if)# no shutdown hostname(config-if)# interface vlan 201 hostname(config-if)# nameif dept1 hostname(config-if)# security-level 90 hostname(config-if)# ip address 10.2.2.1 255.255.255.0 hostname(config-if)# no shutdown hostname(config-if)# interface vlan 202 hostname(config-if)# nameif dept2 hostname(config-if)# security-level 90 hostname(config-if)# ip address 10.2.3.1 255.255.255.0 hostname(config-if)# no shutdown hostname(config-if)# interface vlan 300 hostname(config-if)# nameif dmz hostname(config-if)# security-level 50 hostname(config-if)# ip address 10.3.1.1 255.255.255.0 hostname(config-if)# no shutdown hostname(config-if)# interface vlan 400 hostname(config-if)# nameif backup-isp hostname(config-if)# security-level 50 hostname(config-if)# ip address 10.1.2.1 255.255.255.0 hostname(config-if)# no shutdown hostname(config-if)# failover lan faillink vlan500 hostname(config)# failover interface ip faillink 10.4.1.1 255.255.255.0 standby 10.4.1.2 255.255.255.0 The following example configures three VLAN interfaces for the Base license. The third home interface cannot forward traffic to the business interface. hostname(config)# interface vlan 100 hostname(config-if)# nameif outside hostname(config-if)# security-level 0 hostname(config-if)# ip address dhcp hostname(config-if)# no shutdown hostname(config-if)# interface vlan 200 hostname(config-if)# nameif business hostname(config-if)# security-level 100 hostname(config-if)# ip address 10.1.1.1 255.255.255.0 hostname(config-if)# no shutdown hostname(config-if)# interface vlan 300 hostname(config-if)# no forward interface vlan 200 hostname(config-if)# nameif home hostname(config-if)# security-level 50 hostname(config-if)# ip address 10.2.1.1 255.255.255.0 hostname(config-if)# no shutdown4-9 Cisco Security Appliance Command Line Configuration Guide OL-10088-02 Chapter 4 Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance Configuring Switch Ports as Access Ports Configuring Switch Ports as Access Ports By default, all switch ports are shut down. To assign a switch port to one VLAN, configure it as an access port. To create a trunk port to carry multiple VLANs, see the “Configuring a Switch Port as a Trunk Port” section on page 4-11. By default, the speed and duplex for switch ports are set to auto-negotiate. The default auto-negotiation setting also includes the Auto-MDI/MDIX feature. Auto-MDI/MDIX eliminates the need for crossover cabling by performing an internal crossover when a straight cable is detected during the auto-negotiation phase. Either the speed or duplex must be set to auto-negotiate to enable Auto-MDI/MDIX for the interface. If you explicitly set both the speed and duplex to a fixed value, thus disabling auto-negotiation for both settings, then Auto-MDI/MDIX is also disabled. Caution The ASA 5505 adaptive security appliance does not support Spanning Tree Protocol for loop detection in the network. Therefore you must ensure that any connection with the adaptive security appliance does not end up in a network loop. To configure a switch port, perform the following steps: Step 1 To specify the switch port you want to configure, enter the following command: hostname(config)# interface ethernet0/port Where port is 0 through 7. For example, enter the following command: hostname(config)# interface ethernet0/1 Step 2 To assign this switch port to a VLAN, enter the following command: hostname(config-if)# switchport access vlan number Where number is the VLAN ID, between 1 and 4090. Note You might assign multiple switch ports to the primary or backup VLANs if the Internet access device includes Layer 2 redundancy. Step 3 (Optional) To prevent the switch port from communicating with other protected switch ports on the same VLAN, enter the following command: hostname(config-if)# switchport protected You might want to prevent switch ports from communicating with each other if the devices on those switch ports are primarily accessed from other VLANs, you do not need to allow intra-VLAN access, and you want to isolate the devices from each other in case of infection or other security breach. For example, if you have a DMZ that hosts three web servers, you can isolate the web servers from each other if you apply the switchport protected command to each switch port. The inside and outside networks can both communicate with all three web servers, and vice versa, but the web servers cannot communicate with each other. Step 4 (Optional) To set the speed, enter the following command: hostname(config-if)# speed {auto | 10 | 100}4-10 Cisco Security Appliance Command Line Configuration Guide OL-10088-02 Chapter 4 Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance Configuring Switch Ports as Access Ports The auto setting is the default. If you set the speed to anything other than auto on PoE ports Ethernet 0/6 or 0/7, then Cisco IP phones and Cisco wireless access points that do not support IEEE 802.3af will not be detected and supplied with power. Step 5 (Optional) To set the duplex, enter the following command: hostname(config-if)# duplex {auto | full | half} The auto setting is the default. If you set the duplex to anything other than auto on PoE ports Ethernet 0/6 or 0/7, then Cisco IP phones and Cisco wireless access points that do not support IEEE 802.3af will not be detected and supplied with power. Step 6 To enable the switch port, if it is not already enabled, enter the following command: hostname(config-if)# no shutdown To disable the switch port, enter the shutdown command. The following example configures five VLAN interfaces, including the failover interface which is configured using the failover lan command: hostname(config)# interface vlan 100 hostname(config-if)# nameif outside hostname(config-if)# security-level 0 hostname(config-if)# ip address 10.1.1.1 255.255.255.0 hostname(config-if)# no shutdown hostname(config-if)# interface vlan 200 hostname(config-if)# nameif inside hostname(config-if)# security-level 100 hostname(config-if)# ip address 10.2.1.1 255.255.255.0 hostname(config-if)# no shutdown hostname(config-if)# interface vlan 300 hostname(config-if)# nameif dmz hostname(config-if)# security-level 50 hostname(config-if)# ip address 10.3.1.1 255.255.255.0 hostname(config-if)# no shutdown hostname(config-if)# interface vlan 400 hostname(config-if)# nameif backup-isp hostname(config-if)# security-level 50 hostname(config-if)# ip address 10.1.2.1 255.255.255.0 hostname(config-if)# no shutdown hostname(config-if)# failover lan faillink vlan500 hostname(config)# failover interface ip faillink 10.4.1.1 255.255.255.0 standby 10.4.1.2 255.255.255.0 hostname(config)# interface ethernet 0/0 hostname(config-if)# switchport access vlan 100 hostname(config-if)# no shutdown hostname(config-if)# interface ethernet 0/1 hostname(config-if)# switchport access vlan 200 hostname(config-if)# no shutdown hostname(config-if)# interface ethernet 0/2 hostname(config-if)# switchport access vlan 300 hostname(config-if)# no shutdown hostname(config-if)# interface ethernet 0/34-11 Cisco Security Appliance Command Line Configuration Guide OL-10088-02 Chapter 4 Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance Configuring a Switch Port as a Trunk Port hostname(config-if)# switchport access vlan 400 hostname(config-if)# no shutdown hostname(config-if)# interface ethernet 0/4 hostname(config-if)# switchport access vlan 500 hostname(config-if)# no shutdown Configuring a Switch Port as a Trunk Port By default, all switch ports are shut down. This procedure tells how to create a trunk port that can carry multiple VLANs using 802.1Q tagging. Trunk mode is available only with the Security Plus license. To create an access port, where an interface is assigned to only one VLAN, see the “Configuring Switch Ports as Access Ports” section on page 4-9. By default, the speed and duplex for switch ports are set to auto-negotiate. The default auto-negotiation setting also includes the Auto-MDI/MDIX feature. Auto-MDI/MDIX eliminates the need for crossover cabling by performing an internal crossover when a straight cable is detected during the auto-negotiation phase. Either the speed or duplex must be set to auto-negotiate to enable Auto-MDI/MDIX for the interface. If you explicitly set both the speed and duplex to a fixed value, thus disabling auto-negotiation for both settings, then Auto-MDI/MDIX is also disabled. To configure a trunk port, perform the following steps: Step 1 To specify the switch port you want to configure, enter the following command: hostname(config)# interface ethernet0/port Where port is 0 through 7. For example, enter the following command: hostname(config)# interface ethernet0/1 Step 2 To assign VLANs to this trunk, enter one or more of the following commands. • To assign native VLANs, enter the following command: hostname(config-if)# switchport trunk native vlan vlan_id where the vlan_id is a single VLAN ID between 1 and 4090. Packets on the native VLAN are not modified when sent over the trunk. For example, if a port has VLANs 2, 3 and 4 assigned to it, and VLAN 2 is the native VLAN, then packets on VLAN 2 that egress the port are not modified with an 802.1Q header. Frames which ingress (enter) this port and have no 802.1Q header are put into VLAN 2. Each port can only have one native VLAN, but every port can have either the same or a different native VLAN. • To assign VLANs, enter the following command: hostname(config-if)# switchport trunk allowed vlan vlan_range where the vlan_range (with VLANs between 1 and 4090) can be identified in one of the following ways: A single number (n) A range (n-x) Separate numbers and ranges by commas, for example:4-12 Cisco Security Appliance Command Line Configuration Guide OL-10088-02 Chapter 4 Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance Configuring a Switch Port as a Trunk Port 5,7-10,13,45-100 You can enter spaces instead of commas, but the command is saved to the configuration with commas. You can include the native VLAN in this command, but it is not required; the native VLAN is passed whether it is included in this command or not. This switch port cannot pass traffic until you assign at least one VLAN to it, native or non-native. Step 3 To make this switch port a trunk port, enter the following command: hostname(config-if)# switchport mode trunk To restore this port to access mode, enter the switchport mode access command. Step 4 (Optional) To prevent the switch port from communicating with other protected switch ports on the same VLAN, enter the following command: hostname(config-if)# switchport protected You might want to prevent switch ports from communicating with each other if the devices on those switch ports are primarily accessed from other VLANs, you do not need to allow intra-VLAN access, and you want to isolate the devices from each other in case of infection or other security breach. For example, if you have a DMZ that hosts three web servers, you can isolate the web servers from each other if you apply the switchport protected command to each switch port. The inside and outside networks can both communicate with all three web servers, and vice versa, but the web servers cannot communicate with each other. Step 5 (Optional) To set the speed, enter the following command: hostname(config-if)# speed {auto | 10 | 100} The auto setting is the default. Step 6 (Optional) To set the duplex, enter the following command: hostname(config-if)# duplex {auto | full | half} The auto setting is the default. Step 7 To enable the switch port, if it is not already enabled, enter the following command: hostname(config-if)# no shutdown To disable the switch port, enter the shutdown command. The following example configures seven VLAN interfaces, including the failover interface which is configured using the failover lan command. VLANs 200, 201, and 202 are trunked on Ethernet 0/1. hostname(config)# interface vlan 100 hostname(config-if)# nameif outside hostname(config-if)# security-level 0 hostname(config-if)# ip address 10.1.1.1 255.255.255.0 hostname(config-if)# no shutdown hostname(config-if)# interface vlan 200 hostname(config-if)# nameif inside hostname(config-if)# security-level 100 hostname(config-if)# ip address 10.2.1.1 255.255.255.0 hostname(config-if)# no shutdown hostname(config-if)# interface vlan 201 hostname(config-if)# nameif dept14-13 Cisco Security Appliance Command Line Configuration Guide OL-10088-02 Chapter 4 Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance Allowing Communication Between VLAN Interfaces on the Same Security Level hostname(config-if)# security-level 90 hostname(config-if)# ip address 10.2.2.1 255.255.255.0 hostname(config-if)# no shutdown hostname(config-if)# interface vlan 202 hostname(config-if)# nameif dept2 hostname(config-if)# security-level 90 hostname(config-if)# ip address 10.2.3.1 255.255.255.0 hostname(config-if)# no shutdown hostname(config-if)# interface vlan 300 hostname(config-if)# nameif dmz hostname(config-if)# security-level 50 hostname(config-if)# ip address 10.3.1.1 255.255.255.0 hostname(config-if)# no shutdown hostname(config-if)# interface vlan 400 hostname(config-if)# nameif backup-isp hostname(config-if)# security-level 50 hostname(config-if)# ip address 10.1.2.1 255.255.255.0 hostname(config-if)# no shutdown hostname(config-if)# failover lan faillink vlan500 hostname(config)# failover interface ip faillink 10.4.1.1 255.255.255.0 standby 10.4.1.2 255.255.255.0 hostname(config)# interface ethernet 0/0 hostname(config-if)# switchport access vlan 100 hostname(config-if)# no shutdown hostname(config-if)# interface ethernet 0/1 hostname(config-if)# switchport mode trunk hostname(config-if)# switchport trunk allowed vlan 200-202 hostname(config-if)# switchport trunk native vlan 5 hostname(config-if)# no shutdown hostname(config-if)# interface ethernet 0/2 hostname(config-if)# switchport access vlan 300 hostname(config-if)# no shutdown hostname(config-if)# interface ethernet 0/3 hostname(config-if)# switchport access vlan 400 hostname(config-if)# no shutdown hostname(config-if)# interface ethernet 0/4 hostname(config-if)# switchport access vlan 500 hostname(config-if)# no shutdown Allowing Communication Between VLAN Interfaces on the Same Security Level By default, interfaces on the same security level cannot communicate with each other. Allowing communication between same security interfaces lets traffic flow freely between all same security interfaces without access lists.4-14 Cisco Security Appliance Command Line Configuration Guide OL-10088-02 Chapter 4 Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance Allowing Communication Between VLAN Interfaces on the Same Security Level Note If you enable NAT control, you do not need to configure NAT between same security level interfaces. See the “NAT and Same Security Level Interfaces” section on page 17-13 for more information on NAT and same security level interfaces. If you enable same security interface communication, you can still configure interfaces at different security levels as usual. To enable interfaces on the same security level so that they can communicate with each other, enter the following command: hostname(config)# same-security-traffic permit inter-interface To disable this setting, use the no form of this command.C H A P T E R 5-1 Cisco Security Appliance Command Line Configuration Guide OL-10088-02 5 Configuring Ethernet Settings and Subinterfaces This chapter describes how to configure and enable physical Ethernet interfaces and how to add subinterfaces. If you have both fiber and copper Ethernet ports (for example, on the 4GE SSM for the ASA 5510 and higher series adaptive security appliance), this chapter describes how to configure the inteface media type. In single context mode, complete the procedures in this chapter and then continue your interface configuration in Chapter 7, “Configuring Interface Parameters.” In multiple context mode, complete the procedures in this chapter in the system execution space, then assign interfaces and subinterfaces to contexts according to Chapter 6, “Adding and Managing Security Contexts,” and finally configure the interface parameters within each context according to Chapter 7, “Configuring Interface Parameters.” Note To configure interfaces for the ASA 5505 adaptive security appliance, see Chapter 4, “Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance.” This chapter includes the following sections: • Configuring and Enabling RJ-45 Interfaces, page 5-1 • Configuring and Enabling Fiber Interfaces, page 5-3 • Configuring and Enabling VLAN Subinterfaces and 802.1Q Trunking, page 5-3 Configuring and Enabling RJ-45 Interfaces This section describes how to configure Ethernet settings for physical interfaces, and how to enable the interface. By default, all physical interfaces are shut down. You must enable the physical interface before any traffic can pass through it or through a subinterface. For multiple context mode, if you allocate a physical interface or subinterface to a context, the interfaces are enabled by default in the context. However, before traffic can pass through the context interface, you must also enable the interface in the system configuration according to this procedure. By default, the speed and duplex for copper (RJ-45) interfaces are set to auto-negotiate. The ASA 5550 adaptive security appliance and the 4GE SSM for the ASA 5510 and higher adaptive security appliance includes two connector types: copper RJ-45 and fiber SFP. RJ-45 is the default. If you want to configure the security appliance to use the fiber SFP connectors, see the “Configuring and Enabling Fiber Interfaces” section on page 5-3. For RJ-45 interfaces on the ASA 5500 series adaptive security appliance, the default auto-negotiation setting also includes the Auto-MDI/MDIX feature. Auto-MDI/MDIX eliminates the need for crossover cabling by performing an internal crossover when a straight cable is detected during the auto-negotiation 5-2 Cisco Security Appliance Command Line Configuration Guide OL-10088-02 Chapter 5 Configuring Ethernet Settings and Subinterfaces Configuring and Enabling RJ-45 Interfaces phase. Either the speed or duplex must be set to auto-negotiate to enable Auto-MDI/MDIX for the interface. If you explicitly set both the speed and duplex to a fixed value, thus disabling auto-negotiation for both settings, then Auto-MDI/MDIX is also disabled. For Gigabit Ethernet, when the speed and duplex are set to 1000 and full, then the interface always auto-negotiates; therefore Auto-MDI/MDIX is always enabled and you cannot disable it. To enable the interface, or to set a specific speed and duplex, perform the following steps: Step 1 To specify the interface you want to configure, enter the following command: hostname(config)# interface physical_interface The physical_interface ID includes the type, slot, and port number as type[slot/]port. The physical interface types include the following: • ethernet • gigabitethernet For the PIX 500 series security appliance, enter the type followed by the port number, for example, ethernet0. For the ASA 5500 series adaptive security appliance, enter the type followed by slot/port, for example, gigabitethernet0/1. Interfaces that are built into the chassis are assigned to slot 0, while interfaces on the 4GE SSM are assigned to slot 1. The ASA 5500 series adaptive security appliance also includes the following type: • management The management interface is a Fast Ethernet interface designed for management traffic only, and is specified as management0/0. You can, however, use it for through traffic if desired (see the management-only command). In transparent firewall mode, you can use the management interface in addition to the two interfaces allowed for through traffic. You can also add subinterfaces to the management interface to provide management in each security context for multiple context mode. Step 2 (Optional) To set the speed, enter the following command: hostname(config-if)# speed {auto | 10 | 100 | 1000 | nonegotiate} The auto setting is the default. The speed nonegotiate command disables link negotiation. Step 3 (Optional) To set the duplex, enter the following command: hostname(config-if)# duplex {auto | full | half} The auto setting is the default. Step 4 To enable the interface, enter the following command: hostname(config-if)# no shutdown To disable the interface, enter the shutdown command. If you enter the shutdown command for a physical interface, you also shut down all subinterfaces. If you shut down an interface in the system execution space, then that interface is shut down in all contexts that share it.5-3 Cisco Security Appliance Command Line Configuration Guide OL-10088-02 Chapter 5 Configuring Ethernet Settings and Subinterfaces Configuring and Enabling Fiber Interfaces Configuring and Enabling Fiber Interfaces This section describes how to configure Ethernet settings for physical interfaces, and how to enable the interface. By default, all physical interfaces are shut down. You must enable the physical interface before any traffic can pass through it or through a subinterface. For multiple context mode, if you allocate a physical interface or subinterface to a context, the interfaces are enabled by default in the context. However, before traffic can pass through the context interface, you must also enable the interface in the system configuration according to this procedure. By default, the connectors used on the 4GE SSM or for built-in interfaces in slot 1 on the ASA 5550 adaptive security appliance are the RJ-45 connectors. To use the fiber SFP connectors, you must set the media type to SFP. The fiber interface has a fixed speed and does not support duplex, but you can set the interface to negotiate link parameters (the default) or not to negotiate. To enable the interface, set the media type, or to set negotiation settings, perform the following steps: Step 1 To specify the interface you want to configure, enter the following command: hostname(config)# interface gigabitethernet 1/port The 4GE SSM interfaces are assigned to slot 1, as shown in the interface ID in the syntax (the interfaces built into the chassis are assigned to slot 0). Step 2 To set the media type to SFP, enter the following command: hostname(config-if)# media-type sfp To restore the defaukt RJ-45, enter the media-type rj45 command. Step 3 (Optional) To disable link negotiation, enter the following command: hostname(config-if)# speed nonegotiate For fiber Gigabit Ethernet interfaces, the default is no speed nonegotiate, which sets the speed to 1000 Mbps and enables link negotiation for flow-control parameters and remote fault information. The speed nonegotiate command disables link negotiation. Step 4 To enable the interface, enter the following command: hostname(config-if)# no shutdown To disable the interface, enter the shutdown command. If you enter the shutdown command for a physical interface, you also shut down all subinterfaces. If you shut down an interface in the system execution space, then that interface is shut down in all contexts that share it. Configuring and Enabling VLAN Subinterfaces and 802.1Q Trunking This section describes how to configure and enable a VLAN subinterface. An interface with one or more VLAN subinterfaces is automatically configured as an 802.1Q trunk.5-4 Cisco Security Appliance Command Line Configuration Guide OL-10088-02 Chapter 5 Configuring Ethernet Settings and Subinterfaces Configuring and Enabling VLAN Subinterfaces and 802.1Q Trunking You must enable the physical interface before any traffic can pass through an enabled subinterface (see the “Configuring and Enabling RJ-45 Interfaces” section on page 5-1 or the “Configuring and Enabling Fiber Interfaces” section on page 5-3). For multiple context mode, if you allocate a subinterface to a context, the interfaces are enabled by default in the context. However, before traffic can pass through the context interface, you must also enable the interface in the system configuration with this procedure. Subinterfaces let you divide a physical interface into multiple logical interfaces that are tagged with different VLAN IDs. Because VLANs allow you to keep traffic separate on a given physical interface, you can increase the number of interfaces available to your network without adding additional physical interfaces or security appliances. This feature is particularly useful in multiple context mode so you can assign unique interfaces to each context. To determine how many subinterfaces are allowed for your platform, see Appendix A, “Feature Licenses and Specifications.” Note If you use subinterfaces, you typically do not also want the physical interface to pass traffic, because the physical interface passes untagged packets. Because the physical interface must be enabled for the subinterface to pass traffic, ensure that the physical interface does not pass traffic by leaving out the nameif command. If you want to let the physical interface pass untagged packets, you can configure the nameif command as usual. See the “Configuring Interface Parameters” section on page 7-1 for more information about completing the interface configuration. To add a subinterface and assign a VLAN to it, perform the following steps: Step 1 To specify the new subinterface, enter the following command: hostname(config)# interface physical_interface.subinterface See the “Configuring and Enabling RJ-45 Interfaces” section for a description of the physical interface ID. The subinterface ID is an integer between 1 and 4294967293. For example, enter the following command: hostname(config)# interface gigabitethernet0/1.100 Step 2 To specify the VLAN for the subinterface, enter the following command: hostname(config-subif)# vlan vlan_id The vlan_id is an integer between 1 and 4094. Some VLAN IDs might be reserved on connected switches, so check the switch documentation for more information. You can only assign a single VLAN to a subinterface, and not to the physical interface. Each subinterface must have a VLAN ID before it can pass traffic. To change a VLAN ID, you do not need to remove the old VLAN ID with the no option; you can enter the vlan command with a different VLAN ID, and the security appliance changes the old ID. Step 3 To enable the subinterface, enter the following command: hostname(config-subif)# no shutdown To disable the interface, enter the shutdown command. If you shut down an interface in the system execution space, then that interface is shut down in all contexts that share it.C H A P T E R 6-1 Cisco Security Appliance Command Line Configuration Guide OL-10088-02 6 Adding and Managing Security Contexts This chapter describes how to configure multiple security contexts on the security appliance, and includes the following sections: • Configuring Resource Management, page 6-1 • Configuring a Security Context, page 6-7 • Automatically Assigning MAC Addresses to Context Interfaces, page 6-11 • Changing Between Contexts and the System Execution Space, page 6-11 • Managing Security Contexts, page 6-12 For information about how contexts work and how to enable multiple context mode, see Chapter 3, “Enabling Multiple Context Mode.” Configuring Resource Management By default, all security contexts have unlimited access to the resources of the security appliance, except where maximum limits per context are enforced. However, if you find that one or more contexts use too many resources, and they cause other contexts to be denied connections, for example, then you can configure resource management to limit the use of resources per context. This section includes the following topics: • Classes and Class Members Overview, page 6-1 • Configuring a Class, page 6-4 Classes and Class Members Overview The security appliance manages resources by assigning contexts to resource classes. Each context uses the resource limits set by the class. This section includes the following topics: • Resource Limits, page 6-2 • Default Class, page 6-3 • Class Members, page 6-46-2 Cisco Security Appliance Command Line Configuration Guide OL-10088-02 Chapter 6 Adding and Managing Security Contexts Configuring Resource Management Resource Limits When you create a class, the security appliance does not set aside a portion of the resources for each context assigned to the class; rather, the security appliance sets the maximum limit for a context. If you oversubscribe resources, or allow some resources to be unlimited, a few contexts can “use up” those resources, potentially affecting service to other contexts. You can set the limit for individual resources, as a percentage (if there is a hard system limit) or as an absolute value. You can oversubscribe the security appliance by assigning more than 100 percent of a resource across all contexts. For example, you can set the Bronze class to limit connections to 20 percent per context, and then assign 10 contexts to the class for a total of 200 percent. If contexts concurrently use more than the system limit, then each context gets less than the 20 percent you intended. (See Figure 6-1.) Figure 6-1 Resource Oversubscription If you assign an absolute value to a resource across all contexts that exceeds the practical limit of the security appliance, then the performance of the security appliance might be impaired. The security appliance lets you assign unlimited access to one or more resources in a class, instead of a percentage or absolute number. When a resource is unlimited, contexts can use as much of the resource as the system has available or that is practically available. For example, Context A, B, and C are in the Silver Class, which limits each class member to 1 percent of the connections, for a total of 3 percent; but the three contexts are currently only using 2 percent combined. Gold Class has unlimited access to connections. The contexts in the Gold Class can use more than the 97 percent of “unassigned” connections; they can also use the 1 percent of connections not currently in use by Context A, B, and C, even if that means that Context A, B, and C are unable to reach their 3 percent combined limit. (See Figure 6-2.) Setting unlimited access is similar to oversubscribing the security appliance, except that you have less control over how much you oversubscribe the system. Total Number of System Connections = 999,900 Maximum connections allowed. Connections denied because system limit was reached. Connections in use. 1 2 3 4 5 6 7 8 9 10 Max. 20% (199,800) 16% (159,984) 12% (119,988) 8% (79,992) 4% (39,996) Contexts in Class 1048956-3 Cisco Security Appliance Command Line Configuration Guide OL-10088-02 Chapter 6 Adding and Managing Security Contexts Configuring Resource Management Figure 6-2 Unlimited Resources Default Class All contexts belong to the default class if they are not assigned to another class; you do not have to actively assign a context to the default class. If a context belongs to a class other than the default class, those class settings always override the default class settings. However, if the other class has any settings that are not defined, then the member context uses the default class for those limits. For example, if you create a class with a 2 percent limit for all concurrent connections, but no other limits, then all other limits are inherited from the default class. Conversely, if you create a class with a limit for all resources, the class uses no settings from the default class. By default, the default class provides unlimited access to resources for all contexts, except for the following limits, which are by default set to the maximum allowed per context: • Telnet sessions—5 sessions. • SSH sessions—5 sessions. • IPSec sessions—5 sessions. • MAC addresses—65,535 entries. Maximum connections allowed. Connections denied because system limit was reached. Connections in use. A B C 1 2 3 1% 2% 3% 5% 4% Contexts Silver Class Contexts Gold Class 50% 43% 1532116-4 Cisco Security Appliance Command Line Configuration Guide OL-10088-02 Chapter 6 Adding and Managing Security Contexts Configuring Resource Management Figure 6-3 shows the relationship between the default class and other classes. Contexts A and C belong to classes with some limits set; other limits are inherited from the default class. Context B inherits no limits from default because all limits are set in its class, the Gold class. Context D was not assigned to a class, and is by default a member of the default class. Figure 6-3 Resource Classes Class Members To use the settings of a class, assign the context to the class when you define the context. All contexts belong to the default class if they are not assigned to another class; you do not have to actively assign a context to default. You can only assign a context to one resource class. The exception to this rule is that limits that are undefined in the member class are inherited from the default class; so in effect, a context could be a member of default plus another class. Configuring a Class To configure a class in the system configuration, perform the following steps. You can change the value of a particular resource limit by reentering the command with a new value. Step 1 To specify the class name and enter the class configuration mode, enter the following command in the system execution space: hostname(config)# class name The name is a string up to 20 characters long. To set the limits for the default class, enter default for the name. Step 2 To set the resource limits, see the following options: • To set all resource limits (shown in Table 6-1) to be unlimited, enter the following command: hostname(config-resmgmt)# limit-resource all 0 Default Class Class Gold (All Limits Set) Class Silver (Some Limits Set) Class Bronze (Some Limits Set) Context A Context B Context C Context D 1046896-5 Cisco Security Appliance Command Line Configuration Guide OL-10088-02 Chapter 6 Adding and Managing Security Contexts Configuring Resource Management For example, you might want to create a class that includes the admin context that has no limitations. The default class has all resources set to unlimited by default. • To set a particular resource limit, enter the following command: hostname(config-resmgmt)# limit-resource [rate] resource_name number[%] For this particular resource, the limit overrides the limit set for all. Enter the rate argument to set the rate per second for certain resources. For resources that do not have a system limit, you cannot set the percentage (%) between 1 and 100; you can only set an absolute value. See Table 6-1 for resources for which you can set the rate per second and which to not have a system limit. Table 6-1 lists the resource types and the limits. See also the show resource types command.6-6 Cisco Security Appliance Command Line Configuration Guide OL-10088-02 Chapter 6 Adding and Managing Security Contexts Configuring Resource Management For example, to set the default class limit for conns to 10 percent instead of unlimited, enter the following commands: hostname(config)# class default hostname(config-class)# limit-resource conns 10% All other resources remain at unlimited. To add a class called gold, enter the following commands: hostname(config)# class gold Table 6-1 Resource Names and Limits Resource Name Rate or Concurrent Minimum and Maximum Number per Context System Limit 1 1. If this column value is N/A, then you cannot set a percentage of the resource because there is no hard system limit for the resource. Description mac-addresses Concurrent N/A 65,535 For transparent firewall mode, the number of MAC addresses allowed in the MAC address table. conns Concurrent or Rate N/A Concurrent connections: See the “Supported Platforms and Feature Licenses” section on page A-1 for the connection limit for your platform. Rate: N/A TCP or UDP connections between any two hosts, including connections between one host and multiple other hosts. inspects Rate N/A N/A Application inspections. hosts Concurrent N/A N/A Hosts that can connect through the security appliance. asdm Concurrent 1 minimum 5 maximum 32 ASDM management sessions. Note ASDM sessions use two HTTPS connections: one for monitoring that is always present, and one for making configuration changes that is present only when you make changes. For example, the system limit of 32 ASDM sessions represents a limit of 64 HTTPS sessions. ssh Concurrent 1 minimum 5 maximum 100 SSH sessions. syslogs Rate N/A N/A System log messages. telnet Concurrent 1 minimum 5 maximum 100 Telnet sessions. xlates Concurrent N/A N/A Address translations.6-7 Cisco Security Appliance Command Line Configuration Guide OL-10088-02 Chapter 6 Adding and Managing Security Contexts Configuring a Security Context hostname(config-class)# limit-resource mac-addresses 10000 hostname(config-class)# limit-resource conns 15% hostname(config-class)# limit-resource rate conns 1000 hostname(config-class)# limit-resource rate inspects 500 hostname(config-class)# limit-resource hosts 9000 hostname(config-class)# limit-resource asdm 5 hostname(config-class)# limit-resource ssh 5 hostname(config-class)# limit-resource rate syslogs 5000 hostname(config-class)# limit-resource telnet 5 hostname(config-class)# limit-resource xlates 36000 Configuring a Security Context The security context definition in the system configuration identifies the context name, configuration file URL, and interfaces that a context can use. Note If you do not have an admin context (for example, if you clear the configuration) then you must first specify the admin context name by entering the following command: hostname(config)# admin-context name Although this context name does not exist yet in your configuration, you can subsequently enter the context name command to match the specified name to continue the admin context configuration. To add or change a context in the system configuration, perform the following steps: Step 1 To add or modify a context, enter the following command in the system execution space: hostname(config)# context name The name is a string up to 32 characters long. This name is case sensitive, so you can have two contexts named “customerA” and “CustomerA,” for example. You can use letters, digits, or hyphens, but you cannot start or end the name with a hyphen. “System” or “Null” (in upper or lower case letters) are reserved names, and cannot be used. Step 2 (Optional) To add a description for this context, enter the following command: hostname(config-ctx)# description text Step 3 To specify the interfaces you can use in the context, enter the command appropriate for a physical interface or for one or more subinterfaces. • To allocate a physical interface, enter the following command: hostname(config-ctx)# allocate-interface physical_interface [map_name] [visible | invisible] • To allocate one or more subinterfaces, enter the following command: hostname(config-ctx)# allocate-interface physical_interface.subinterface[-physical_interface.subinterface] [map_name[-map_name]] [visible | invisible]6-8 Cisco Security Appliance Command Line Configuration Guide OL-10088-02 Chapter 6 Adding and Managing Security Contexts Configuring a Security Context You can enter these commands multiple times to specify different ranges. If you remove an allocation with the no form of this command, then any context commands that include this interface are removed from the running configuration. Transparent firewall mode allows only two interfaces to pass through traffic; however, on the ASA adaptive security appliance, you can use the dedicated management interface, Management 0/0, (either the physical interface or a subinterface) as a third interface for management traffic. Note The management interface for transparent mode does not flood a packet out the interface when that packet is not in the MAC address table. You can assign the same interfaces to multiple contexts in routed mode, if desired. Transparent mode does not allow shared interfaces. The map_name is an alphanumeric alias for the interface that can be used within the context instead of the interface ID. If you do not specify a mapped name, the interface ID is used within the context. For security purposes, you might not want the context administrator to know which interfaces are being used by the context. A mapped name must start with a letter, end with a letter or digit, and have as interior characters only letters, digits, or an underscore. For example, you can use the following names: int0 inta int_0 For subinterfaces, you can specify a range of mapped names. If you specify a range of subinterfaces, you can specify a matching range of mapped names. Follow these guidelines for ranges: • The mapped name must consist of an alphabetic portion followed by a numeric portion. The alphabetic portion of the mapped name must match for both ends of the range. For example, enter the following range: int0-int10 If you enter gigabitethernet0/1.1-gigabitethernet0/1.5 happy1-sad5, for example, the command fails. • The numeric portion of the mapped name must include the same quantity of numbers as the subinterface range. For example, both ranges include 100 interfaces: gigabitethernet0/0.100-gigabitethernet0/0.199 int1-int100 If you enter gigabitethernet0/0.100-gigabitethernet0/0.199 int1-int15, for example, the command fails. Specify visible to see physical interface properties in the show interface command even if you set a mapped name. The default invisible keyword specifies to only show the mapped name. The following example shows gigabitethernet0/1.100, gigabitethernet0/1.200, and gigabitethernet0/2.300 through gigabitethernet0/1.305 assigned to the context. The mapped names are int1 through int8. hostname(config-ctx)# allocate-interface gigabitethernet0/1.100 int1 hostname(config-ctx)# allocate-interface gigabitethernet0/1.200 int2 hostname(config-ctx)# allocate-interface gigabitethernet0/2.300-gigabitethernet0/2.305 int3-int86-9 Cisco Security Appliance Command Line Configuration Guide OL-10088-02 Chapter 6 Adding and Managing Security Contexts Configuring a Security Context Step 4 To identify the URL from which the system downloads the context configuration, enter the following command: hostname(config-ctx)# config-url url When you add a context URL, the system immediately loads the context so that it is running, if the configuration is available. Note Enter the allocate-interface command(s) before you enter the config-url command. The security appliance must assign interfaces to the context before it loads the context configuration; the context configuration might include commands that refer to interfaces (interface, nat, global...). If you enter the config-url command first, the security appliance loads the context configuration immediately. If the context contains any commands that refer to interfaces, those commands fail. See the following URL syntax: • disk:/[path/]filename This URL indicates the internal Flash memory. The filename does not require a file extension, although we recommend using “.cfg”. If the configuration file is not available, you see the following message: WARNING: Could not fetch the URL disk:/url INFO: Creating context with default config You can then change to the context, configure it at the CLI, and enter the write memory command to write the file to Flash memory. Note The admin context file must be stored on the internal Flash memory. • ftp://[user[:password]@]server[:port]/[path/]filename[;type=xx] The type can be one of the following keywords: – ap—ASCII passive mode – an—ASCII normal mode – ip—(Default) Binary passive mode – in—Binary normal mode The server must be accessible from the admin context. The filename does not require a file extension, although we recommend using “.cfg”. If the configuration file is not available, you see the following message: WARNING: Could not fetch the URL ftp://url INFO: Creating context with default config You can then change to the context, configure it at the CLI, and enter the write memory command to write the file to the FTP server. • http[s]://[user[:password]@]server[:port]/[path/]filename The server must be accessible from the admin context. The filename does not require a file extension, although we recommend using “.cfg”. If the configuration file is not available, you see the following message: WARNING: Could not fetch the URL http://url INFO: Creating context with default config6-10 Cisco Security Appliance Command Line Configuration Guide OL-10088-02 Chapter 6 Adding and Managing Security Contexts Configuring a Security Context If you change to the context and configure the context at the CLI, you cannot save changes back to HTTP or HTTPS servers using the write memory command. You can, however, use the copy tftp command to copy the running configuration to a TFTP server. • tftp://[user[:password]@]server[:port]/[path/]filename[;int=interface_name] The server must be accessible from the admin context. Specify the interface name if you want to override the route to the server address. The filename does not require a file extension, although we recommend using “.cfg”. If the configuration file is not available, you see the following message: WARNING: Could not fetch the URL tftp://url INFO: Creating context with default config You can then change to the context, configure it at the CLI, and enter the write memory command to write the file to the TFTP server. To change the URL, reenter the config-url command with a new URL. See the “Changing the Security Context URL” section on page 6-13 for more information about changing the URL. For example, enter the following command: hostname(config-ctx)# config-url ftp://joe:passw0rd1@10.1.1.1/configlets/test.cfg Step 5 (Optional) To assign the context to a resource class, enter the following command: hostname(config-ctx)# member class_name If you do not specify a class, the context belongs to the default class. You can only assign a context to one resource class. For example, to assign the context to the gold class, enter the following command: hostname(config-ctx)# member gold Step 6 To view context information, see the show context command in the Cisco Security Appliance Command Reference. The following example sets the admin context to be “administrator,” creates a context called “administrator” on the internal Flash memory, and then adds two contexts from an FTP server: hostname(config)# admin-context administrator hostname(config)# context administrator hostname(config-ctx)# allocate-interface gigabitethernet0/0.1 hostname(config-ctx)# allocate-interface gigabitethernet0/1.1 hostname(config-ctx)# config-url flash:/admin.cfg hostname(config-ctx)# context test hostname(config-ctx)# allocate-interface gigabitethernet0/0.100 int1 hostname(config-ctx)# allocate-interface gigabitethernet0/0.102 int2 hostname(config-ctx)# allocate-interface gigabitethernet0/0.110-gigabitethernet0/0.115 int3-int8 hostname(config-ctx)# config-url ftp://user1:passw0rd@10.1.1.1/configlets/test.cfg hostname(config-ctx)# member gold hostname(config-ctx)# context sample hostname(config-ctx)# allocate-interface gigabitethernet0/1.200 int1 hostname(config-ctx)# allocate-interface gigabitethernet0/1.212 int2 hostname(config-ctx)# allocate-interface gigabitethernet0/1.230-gigabitethernet0/1.235 int3-int86-11 Cisco Security Appliance Command Line Configuration Guide OL-10088-02 Chapter 6 Adding and Managing Security Contexts Automatically Assigning MAC Addresses to Context Interfaces hostname(config-ctx)# config-url ftp://user1:passw0rd@10.1.1.1/configlets/sample.cfg hostname(config-ctx)# member silver Automatically Assigning MAC Addresses to Context Interfaces To allow contexts to share interfaces, we suggest that you assign unique MAC addresses to each context interface. The MAC address is used to classify packets within a context. If you share an interface, but do not have unique MAC addresses for the interface in each context, then the destination IP address is used to classify packets. The destination address is matched with the context NAT configuration, and this method has some limitations compared to the MAC address method. See the “How the Security Appliance Classifies Packets” section on page 3-3 for information about classifying packets. By default, the physical interface uses the burned-in MAC address, and all subinterfaces of a physical interface use the same burned-in MAC address. You can automatically assign private MAC addresses to each shared context interface by entering the following command in the system configuration: hostname(config)# mac-address auto For use with failover, the security appliance generates both an active and standby MAC address for each interface. If the active unit fails over and the standby unit becomes active, the new active unit starts using the active MAC addresses to minimize network disruption. When you assign an interface to a context, the new MAC address is generated immediately. If you enable this command after you create context interfaces, then MAC addresses are generated for all interfaces immediately after you enter the command. If you use the no mac-address auto command, the MAC address for each interface reverts to the default MAC address. For example, subinterfaces of GigabitEthernet 0/1 revert to using the MAC address of GigabitEthernet 0/1. The MAC address is generated using the following format: • Active unit MAC address: 12_slot.port_subid.contextid. • Standby unit MAC address: 02_slot.port_subid.contextid. For platforms with no interface slots, the slot is always 0. The port is the interface port. The subid is an internal ID for the subinterface, which is not viewable. The contextid is an internal ID for the context, viewable with the show context detail command. For example, the interface GigabitEthernet 0/1.200 in the context with the ID 1 has the following generated MAC addresses, where the internal ID for subinterface 200 is 31: • Active: 1200.0131.0001 • Standby: 0200.0131.0001 In the rare circumstance that the generated MAC address conflicts with another private MAC address in your network, you can manually set the MAC address for the interface within the context. See the “Configuring the Interface” section on page 7-2 to manually set the MAC address. Changing Between Contexts and the System Execution Space If you log in to the system execution space (or the admin context using Telnet or SSH), you can change between contexts and perform configuration and monitoring tasks within each context. The running configuration that you edit in a configuration mode, or that is used in the copy or write commands, 6-12 Cisco Security Appliance Command Line Configuration Guide OL-10088-02 Chapter 6 Adding and Managing Security Contexts Managing Security Contexts depends on your location. When you are in the system execution space, the running configuration consists only of the system configuration; when you are in a context, the running configuration consists only of that context. For example, you cannot view all running configurations (system plus all contexts) by entering the show running-config command. Only the current configuration displays. To change between the system execution space and a context, or between contexts, see the following commands: • To change to a context, enter the following command: hostname# changeto context name The prompt changes to the following: hostname/name# • To change to the system execution space, enter the following command: hostname/admin# changeto system The prompt changes to the following: hostname# Managing Security Contexts This section describes how to manage security contexts, and includes the following topics: • Removing a Security Context, page 6-12 • Changing the Admin Context, page 6-13 • Changing the Security Context URL, page 6-13 • Reloading a Security Context, page 6-14 • Monitoring Security Contexts, page 6-15 Removing a Security Context You can only remove a context by editing the system configuration. You cannot remove the current admin context, unless you remove all contexts using the clear context command. Note If you use failover, there is a delay between when you remove the context on the active unit and when the context is removed on the standby unit. You might see an error message indicating that the number of interfaces on the active and standby units are not consistent; this error is temporary and can be ignored. Use the following commands for removing contexts: • To remove a single context, enter the following command in the system execution space: hostname(config)# no context name All context commands are also removed. • To remove all contexts (including the admin context), enter the following command in the system execution space:6-13 Cisco Security Appliance Command Line Configuration Guide OL-10088-02 Chapter 6 Adding and Managing Security Contexts Managing Security Contexts hostname(config)# clear context Changing the Admin Context The system configuration does not include any network interfaces or network settings for itself; rather, when the system needs to access network resources (such as downloading the contexts from the server), it uses one of the contexts that is designated as the admin context. The admin context is just like any other context, except that when a user logs in to the admin context, then that user has system administrator rights and can access the system and all other contexts. The admin context is not restricted in any way, and can be used as a regular context. However, because logging into the admin context grants you administrator privileges over all contexts, you might need to restrict access to the admin context to appropriate users. You can set any context to be the admin context, as long as the configuration file is stored in the internal Flash memory. To set the admin context, enter the following command in the system execution space: hostname(config)# admin-context context_name Any remote management sessions, such as Telnet, SSH, or HTTPS, that are connected to the admin context are terminated. You must reconnect to the new admin context. Note A few system commands, including ntp server, identify an interface name that belongs to the admin context. If you change the admin context, and that interface name does not exist in the new admin context, be sure to update any system commands that refer to the interface. Changing the Security Context URL You cannot change the security context URL without reloading the configuration from the new URL. The security appliance merges the new configuration with the current running configuration. Reentering the same URL also merges the saved configuration with the running configuration. A merge adds any new commands from the new configuration to the running configuration. If the configurations are the same, no changes occur. If commands conflict or if commands affect the running of the context, then the effect of the merge depends on the command. You might get errors, or you might have unexpected results. If the running configuration is blank (for example, if the server was unavailable and the configuration was never downloaded), then the new configuration is used. If you do not want to merge the configurations, you can clear the running configuration, which disrupts any communications through the context, and then reload the configuration from the new URL. To change the URL for a context, perform the following steps: Step 1 If you do not want to merge the configuration, change to the context and clear its configuration by entering the following commands. If you want to perform a merge, skip to Step 2. hostname# changeto context name hostname/name# configure terminal hostname/name(config)# clear configure all Step 2 If required, change to the system execution space by entering the following command: hostname/name(config)# changeto system6-14 Cisco Security Appliance Command Line Configuration Guide OL-10088-02 Chapter 6 Adding and Managing Security Contexts Managing Security Contexts Step 3 To enter the context configuration mode for the context you want to change, enter the following command: hostname(config)# context name Step 4 To enter the new URL, enter the following command: hostname(config)# config-url new_url The system immediately loads the context so that it is running. Reloading a Security Context You can reload the context in two ways: • Clear the running configuration and then import the startup configuration. This action clears most attributes associated with the context, such as connections and NAT tables. • Remove the context from the system configuration. This action clears additional attributes, such as memory allocation, which might be useful for troubleshooting. However, to add the context back to the system requires you to respecify the URL and interfaces. This section includes the following topics: • Reloading by Clearing the Configuration, page 6-14 • Reloading by Removing and Re-adding the Context, page 6-15 Reloading by Clearing the Configuration To reload the context by clearing the context configuration, and reloading the configuration from the URL, perform the following steps: Step 1 To change to the context that you want to reload, enter the following command: hostname# changeto context name Step 2 To access configuration mode, enter the following command: hostname/name# configure terminal Step 3 To clear the running configuration, enter the following command: hostname/name(config)# clear configure all This command clears all connections. Step 4 To reload the configuration, enter the following command: hostname/name(config)# copy startup-config running-config The security appliance copies the configuration from the URL specified in the system configuration. You cannot change the URL from within a context.6-15 Cisco Security Appliance Command Line Configuration Guide OL-10088-02 Chapter 6 Adding and Managing Security Contexts Managing Security Contexts Reloading by Removing and Re-adding the Context To reload the context by removing the context and then re-adding it, perform the steps in the following sections: 1. “Automatically Assigning MAC Addresses to Context Interfaces” section on page 6-11 2. “Configuring a Security Context” section on page 6-7 Monitoring Security Contexts This section describes how to view and monitor context information, and includes the following topics: • Viewing Context Information, page 6-15 • Viewing Resource Allocation, page 6-16 • Viewing Resource Usage, page 6-19 • Monitoring SYN Attacks in Contexts, page 6-20 Viewing Context Information From the system execution space, you can view a list of contexts including the name, allocated interfaces, and configuration file URL. From the system execution space, view all contexts by entering the following command: hostname# show context [name | detail| count] The detail option shows additional information. See the following sample displays below for more information. If you want to show information for a particular context, specify the name. The count option shows the total number of contexts. The following is sample output from the show context command. The following sample display shows three contexts: hostname# show context Context Name Interfaces URL *admin GigabitEthernet0/1.100 disk0:/admin.cfg GigabitEthernet0/1.101 contexta GigabitEthernet0/1.200 disk0:/contexta.cfg GigabitEthernet0/1.201 contextb GigabitEthernet0/1.300 disk0:/contextb.cfg GigabitEthernet0/1.301 Total active Security Contexts: 3 Table 6-2 shows each field description. Table 6-2 show context Fields Field Description Context Name Lists all context names. The context name with the asterisk (*) is the admin context. Interfaces The interfaces assigned to the context. URL The URL from which the security appliance loads the context configuration.6-16 Cisco Security Appliance Command Line Configuration Guide OL-10088-02 Chapter 6 Adding and Managing Security Contexts Managing Security Contexts The following is sample output from the show context detail command: hostname# show context detail Context "admin", has been created, but initial ACL rules not complete Config URL: disk0:/admin.cfg Real Interfaces: Management0/0 Mapped Interfaces: Management0/0 Flags: 0x00000013, ID: 1 Context "ctx", has been created, but initial ACL rules not complete Config URL: ctx.cfg Real Interfaces: GigabitEthernet0/0.10, GigabitEthernet0/1.20, GigabitEthernet0/2.30 Mapped Interfaces: int1, int2, int3 Flags: 0x00000011, ID: 2 Context "system", is a system resource Config URL: startup-config Real Interfaces: Mapped Interfaces: Control0/0, GigabitEthernet0/0, GigabitEthernet0/0.10, GigabitEthernet0/1, GigabitEthernet0/1.10, GigabitEthernet0/1.20, GigabitEthernet0/2, GigabitEthernet0/2.30, GigabitEthernet0/3, Management0/0, Management0/0.1 Flags: 0x00000019, ID: 257 Context "null", is a system resource Config URL: ... null ... Real Interfaces: Mapped Interfaces: Flags: 0x00000009, ID: 258 See the Cisco Security Appliance Command Reference for more information about the detail output. The following is sample output from the show context count command: hostname# show context count Total active contexts: 2 Viewing Resource Allocation From the system execution space, you can view the allocation for each resource across all classes and class members. To view the resource allocation, enter the following command: hostname# show resource allocation [detail] This command shows the resource allocation, but does not show the actual resources being used. See the “Viewing Resource Usage” section on page 6-19 for more information about actual resource usage. The detail argument shows additional information. See the following sample displays for more information. The following sample display shows the total allocation of each resource as an absolute value and as a percentage of the available system resources: hostname# show resource allocation Resource Total % of Avail Conns [rate] 35000 N/A Inspects [rate] 35000 N/A Syslogs [rate] 10500 N/A Conns 305000 30.50% Hosts 78842 N/A6-17 Cisco Security Appliance Command Line Configuration Guide OL-10088-02 Chapter 6 Adding and Managing Security Contexts Managing Security Contexts SSH 35 35.00% Telnet 35 35.00% Xlates 91749 N/A All unlimited Table 6-3 shows each field description. The following is sample output from the show resource allocation detail command: hostname# show resource allocation detail Resource Origin: A Value was derived from the resource 'all' C Value set in the definition of this class D Value set in default class Resource Class Mmbrs Origin Limit Total Total % Conns [rate] default all CA unlimited gold 1 C 34000 34000 N/A silver 1 CA 17000 17000 N/A bronze 0 CA 8500 All Contexts: 3 51000 N/A Inspects [rate] default all CA unlimited gold 1 DA unlimited silver 1 CA 10000 10000 N/A bronze 0 CA 5000 All Contexts: 3 10000 N/A Syslogs [rate] default all CA unlimited gold 1 C 6000 6000 N/A silver 1 CA 3000 3000 N/A bronze 0 CA 1500 All Contexts: 3 9000 N/A Conns default all CA unlimited gold 1 C 200000 200000 20.00% silver 1 CA 100000 100000 10.00% bronze 0 CA 50000 All Contexts: 3 300000 30.00% Hosts default all CA unlimited gold 1 DA unlimited silver 1 CA 26214 26214 N/A bronze 0 CA 13107 All Contexts: 3 26214 N/A SSH default all C 5 gold 1 D 5 5 5.00% Table 6-3 show resource allocation Fields Field Description Resource The name of the resource that you can limit. Total The total amount of the resource that is allocated across all contexts. The amount is an absolute number of concurrent instances or instances per second. If you specified a percentage in the class definition, the security appliance converts the percentage to an absolute number for this display. % of Avail The percentage of the total system resources that is allocated across all contexts, if the resource has a hard system limit. If a resource does not have a system limit, this column shows N/A.6-18 Cisco Security Appliance Command Line Configuration Guide OL-10088-02 Chapter 6 Adding and Managing Security Contexts Managing Security Contexts silver 1 CA 10 10 10.00% bronze 0 CA 5 All Contexts: 3 20 20.00% Telnet default all C 5 gold 1 D 5 5 5.00% silver 1 CA 10 10 10.00% bronze 0 CA 5 All Contexts: 3 20 20.00% Xlates default all CA unlimited gold 1 DA unlimited silver 1 CA 23040 23040 N/A bronze 0 CA 11520 All Contexts: 3 23040 N/A mac-addresses default all C 65535 gold 1 D 65535 65535 100.00% silver 1 CA 6553 6553 9.99% bronze 0 CA 3276 All Contexts: 3 137623 209.99% Table 6-4 shows each field description. Table 6-4 show resource allocation detail Fields Field Description Resource The name of the resource that you can limit. Class The name of each class, including the default class. The All contexts field shows the total values across all classes. Mmbrs The number of contexts assigned to each class. Origin The origin of the resource limit, as follows: • A—You set this limit with the all option, instead of as an individual resource. • C—This limit is derived from the member class. • D—This limit was not defined in the member class, but was derived from the default class. For a context assigned to the default class, the value will be “C” instead of “D.” The security appliance can combine “A” with “C” or “D.” Limit The limit of the resource per context, as an absolute number. If you specified a percentage in the class definition, the security appliance converts the percentage to an absolute number for this display. Total The total amount of the resource that is allocated across all contexts in the class. The amount is an absolute number of concurrent instances or instances per second. If the resource is unlimited, this display is blank. % of Avail The percentage of the total system resources that is allocated across all contexts in the class. If the resource is unlimited, this display is blank. If the resource does not have a system limit, then this column shows N/A.6-19 Cisco Security Appliance Command Line Configuration Guide OL-10088-02 Chapter 6 Adding and Managing Security Contexts Managing Security Contexts Viewing Resource Usage From the system execution space, you can view the resource usage for each context and display the system resource usage. From the system execution space, view the resource usage for each context by entering the following command: hostname# show resource usage [context context_name | top n | all | summary | system] [resource {resource_name | all} | detail] [counter counter_name [count_threshold]] By default, all context usage is displayed; each context is listed separately. Enter the top n keyword to show the contexts that are the top n users of the specified resource. You must specify a single resource type, and not resource all, with this option. The summary option shows all context usage combined. The system option shows all context usage combined, but shows the system limits for resources instead of the combined context limits. For the resource resource_name, see Table 6- 1 for available resource names. See also the show resource type command. Specify all (the default) for all types. The detail option shows the resource usage of all resources, including those you cannot manage. For example, you can view the number of TCP intercepts. The counter counter_name is one of the following keywords: • current—Shows the active concurrent instances or the current rate of the resource. • denied—Shows the number of instances that were denied because they exceeded the resource limit shown in the Limit column. • peak—Shows the peak concurrent instances, or the peak rate of the resource since the statistics were last cleared, either using the clear resource usage command or because the device rebooted. • all—(Default) Shows all statistics. The count_threshold sets the number above which resources are shown. The default is 1. If the usage of the resource is below the number you set, then the resource is not shown. If you specify all for the counter name, then the count_threshold applies to the current usage. Note To show all resources, set the count_threshold to 0. The following is sample output from the show resource usage context command, which shows the resource usage for the admin context: hostname# show resource usage context admin Resource Current Peak Limit Denied Context Telnet 1 1 5 0 admin Conns 44 55 N/A 0 admin Hosts 45 56 N/A 0 admin The following is sample output from the show resource usage summary command, which shows the resource usage for all contexts and all resources. This sample shows the limits for 6 contexts. hostname# show resource usage summary Resource Current Peak Limit Denied Context Syslogs [rate] 1743 2132 N/A 0 Summary Conns 584 763 280000(S) 0 Summary6-20 Cisco Security Appliance Command Line Configuration Guide OL-10088-02 Chapter 6 Adding and Managing Security Contexts Managing Security Contexts Xlates 8526 8966 N/A 0 Summary Hosts 254 254 N/A 0 Summary Conns [rate] 270 535 N/A 1704 Summary Inspects [rate] 270 535 N/A 0 Summary S = System: Combined context limits exceed the system limit; the system limit is shown. The following is sample output from the show resource usage summary comman