Cisco Security Appliance Command Line document (PDF)


Document information

Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000, 800 553-NETS (6387)
Fax: 408 527-0883

Cisco Security Appliance Command Line Configuration Guide
For the Cisco ASA 5500 Series and Cisco PIX 500 Series
Software Version 8.0
Customer Order Number: N/A, Online only
Text Part Number: OL-12172-02

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED "AS IS" WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Cisco Security Appliance Command Line Configuration Guide
Copyright © 2007 Cisco Systems, Inc. All rights reserved.

CCVP, the Cisco logo, and Welcome to the Human Network are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn is a service mark of Cisco Systems, Inc.; and Access Registrar, Aironet, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, iQuick Study, LightStream, Linksys, MeetingPlace, MGX, Networkers, Networking Academy, Network Registrar, PIX, ProConnect, ScriptShare, SMARTnet, StackWise, The Fastest Way to Increase Your Internet Quotient, and TransPath are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries. All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company.
(0711R)

Cisco Security Appliance Command Line Configuration Guide OL-12172-01

CONTENTS

About This Guide
  Document Objectives
  Audience
  Related Documentation
  Document Organization
  Document Conventions
  Obtaining Documentation, Obtaining Support, and Security Guidelines

PART 1 Getting Started and General Information

CHAPTER 1 Introduction to the Security Appliance
  Firewall Functional Overview
    Security Policy Overview
      Permitting or Denying Traffic with Access Lists
      Applying NAT
      Using AAA for Through Traffic
      Applying HTTP, HTTPS, or FTP Filtering
      Applying Application Inspection
      Sending Traffic to the Advanced Inspection and Prevention Security Services Module
      Sending Traffic to the Content Security and Control Security Services Module
      Applying QoS Policies
      Applying Connection Limits and TCP Normalization
      Enabling Threat Detection
    Firewall Mode Overview
    Stateful Inspection Overview
  VPN Functional Overview
  Intrusion Prevention Services Functional Overview
  Security Context Overview

CHAPTER 2 Getting Started
  Getting Started with Your Platform Model
  Factory Default Configurations
    Restoring the Factory Default Configuration
    ASA 5505 Default Configuration
    ASA 5510 and Higher Default Configuration
    PIX 515/515E Default Configuration
  Accessing the Command-Line Interface
  Setting Transparent or Routed Firewall Mode
  Working with the Configuration
    Saving Configuration Changes
      Saving Configuration Changes in Single Context Mode
      Saving Configuration Changes in Multiple Context Mode
    Copying the Startup Configuration to the Running Configuration
    Viewing the Configuration
    Clearing and Removing Configuration Settings
    Creating Text Configuration Files Offline

CHAPTER 3 Enabling Multiple Context Mode
  Security Context Overview
    Common Uses for Security Contexts
    Unsupported Features
    Context Configuration Files
      Context Configurations
      System Configuration
      Admin Context Configuration
    How the Security Appliance Classifies Packets
      Valid Classifier Criteria
      Invalid Classifier Criteria
      Classification Examples
    Cascading Security Contexts
    Management Access to Security Contexts
      System Administrator Access
      Context Administrator Access
  Enabling or Disabling Multiple Context Mode
    Backing Up the Single Mode Configuration
    Enabling Multiple Context Mode
    Restoring Single Context Mode

CHAPTER 4 Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance
  Interface Overview
    Understanding ASA 5505 Ports and Interfaces
    Maximum Active VLAN Interfaces for Your License
    Default Interface Configuration
    VLAN MAC Addresses
    Power Over Ethernet
    Monitoring Traffic Using SPAN
    Security Level Overview
  Configuring VLAN Interfaces
  Configuring Switch Ports as Access Ports
  Configuring a Switch Port as a Trunk Port
  Allowing Communication Between VLAN Interfaces on the Same Security Level

CHAPTER 5 Configuring Ethernet Settings, Redundant Interfaces, and Subinterfaces
  Configuring and Enabling RJ-45 Interfaces
    RJ-45 Interface Overview
      Default State of Physical Interfaces
      Connector Types
      Auto-MDI/MDIX Feature
    Configuring the RJ-45 Interface
  Configuring and Enabling Fiber Interfaces
    Default State of Physical Interfaces
    Configuring the Fiber Interface
  Configuring a Redundant Interface
    Redundant Interface Overview
      Default State of Redundant Interfaces
      Redundant Interfaces and Failover Guidelines
      Redundant Interface MAC Address
      Physical Interface Guidelines
    Adding a Redundant Interface
    Changing the Active Interface
  Configuring VLAN Subinterfaces and 802.1Q Trunking
    Subinterface Overview
      Default State of Subinterfaces
      Maximum Subinterfaces
      Preventing Untagged Packets on the Physical Interface
    Adding a Subinterface

CHAPTER 6 Adding and Managing Security Contexts
  Configuring Resource Management
    Classes and Class Members Overview
      Resource Limits
      Default Class
      Class Members
    Configuring a Class
  Configuring a Security Context
  Automatically Assigning MAC Addresses to Context Interfaces
  Changing Between Contexts and the System Execution Space
  Managing Security Contexts
    Removing a Security Context
    Changing the Admin Context
    Changing the Security Context URL
    Reloading a Security Context
      Reloading by Clearing the Configuration
      Reloading by Removing and Re-adding the Context
  Monitoring Security Contexts
    Viewing Context Information
    Viewing Resource Allocation
    Viewing Resource Usage
    Monitoring SYN Attacks in Contexts

CHAPTER 7 Configuring Interface Parameters
  Security Level Overview
  Configuring Interface Parameters
    Interface Parameters Overview
      Default State of Interfaces
      Default Security Level
      Multiple Context Mode Guidelines
    Configuring the Interface
  Allowing Communication Between Interfaces on the Same Security Level

CHAPTER 8 Configuring Basic Settings
  Changing the Login Password
  Changing the Enable Password
  Setting the Hostname
  Setting the Domain Name
  Setting the Date and Time
    Setting the Time Zone and Daylight Saving Time Date Range
    Setting the Date and Time Using an NTP Server
    Setting the Date and Time Manually
  Setting the Management IP Address for a Transparent Firewall

CHAPTER 9 Configuring IP Routing
  Configuring Static and Default Routes
    Configuring a Static Route
    Configuring a Default Static Route
    Configuring Static Route Tracking
  Defining Route Maps
  Configuring OSPF
    OSPF Overview
    Enabling OSPF
    Redistributing Routes Into OSPF
    Configuring OSPF Interface Parameters
    Configuring OSPF Area Parameters
    Configuring OSPF NSSA
    Configuring Route Summarization Between OSPF Areas
    Configuring Route Summarization When Redistributing Routes into OSPF
    Defining Static OSPF Neighbors
    Generating a Default Route
    Configuring Route Calculation Timers
    Logging Neighbors Going Up or Down
    Displaying OSPF Update Packet Pacing
    Monitoring OSPF
    Restarting the OSPF Process
  Configuring RIP
    Enabling and Configuring RIP
    Redistributing Routes into the RIP Routing Process
    Configuring RIP Send/Receive Version on an Interface
    Enabling RIP Authentication
    Monitoring RIP
  Configuring EIGRP
    EIGRP Routing Overview
    Enabling and Configuring EIGRP Routing
    Enabling and Configuring EIGRP Stub Routing
    Enabling EIGRP Authentication
    Defining an EIGRP Neighbor
    Redistributing Routes Into EIGRP
    Configuring the EIGRP Hello Interval and Hold Time
    Disabling Automatic Route Summarization
    Configuring Summary Aggregate Addresses
    Disabling EIGRP Split Horizon
    Changing the Interface Delay Value
    Monitoring EIGRP
    Disabling Neighbor Change and Warning Message Logging
  The Routing Table
    Displaying the Routing Table
    How the Routing Table is Populated
    Backup Routes
    How Forwarding Decisions are Made
    Dynamic Routing and Failover

CHAPTER 10 Configuring DHCP, DDNS, and WCCP Services
  Configuring a DHCP Server
    Enabling the DHCP Server
    Configuring DHCP Options
    Using Cisco IP Phones with a DHCP Server
  Configuring DHCP Relay Services
  Configuring Dynamic DNS
    Example 1: Client Updates Both A and PTR RRs for Static IP Addresses
    Example 2: Client Updates Both A and PTR RRs; DHCP Server Honors Client Update Request; FQDN Provided Through Configuration
    Example 3: Client Includes FQDN Option Instructing Server Not to Update Either RR; Server Overrides Client and Updates Both RRs
    Example 4: Client Asks Server To Perform Both Updates; Server Configured to Update PTR RR Only; Honors Client Request and Updates Both A and PTR RR
    Example 5: Client Updates A RR; Server Updates PTR RR
  Configuring Web Cache Services Using WCCP
    WCCP Feature Support
    WCCP Interaction With Other Features
    Enabling WCCP Redirection

CHAPTER 11 Configuring Multicast Routing
  Multicast Routing Overview
  Enabling Multicast Routing
  Configuring IGMP Features
    Disabling IGMP on an Interface
    Configuring Group Membership
    Configuring a Statically Joined Group
    Controlling Access to Multicast Groups
    Limiting the Number of IGMP States on an Interface
    Modifying the Query Interval and Query Timeout
    Changing the Query Response Time
    Changing the IGMP Version
  Configuring Stub Multicast Routing
  Configuring a Static Multicast Route
  Configuring PIM Features
    Disabling PIM on an Interface
    Configuring a Static Rendezvous Point Address
    Configuring the Designated Router Priority
    Filtering PIM Register Messages
    Configuring PIM Message Intervals
    Configuring a Multicast Boundary
    Filtering PIM Neighbors
    Supporting Mixed Bidirectional/Sparse-Mode PIM Networks
  For More Information about Multicast Routing

CHAPTER 12 Configuring IPv6
  IPv6-enabled Commands
  Configuring IPv6
    Configuring IPv6 on an Interface
    Configuring a Dual IP Stack on an Interface
    Enforcing the Use of Modified EUI-64 Interface IDs in IPv6 Addresses
    Configuring IPv6 Duplicate Address Detection
    Configuring IPv6 Default and Static Routes
    Configuring IPv6 Access Lists
    Configuring IPv6 Neighbor Discovery
      Configuring Neighbor Solicitation Messages
      Configuring Router Advertisement Messages
      Configuring a Static IPv6 Neighbor
  Verifying the IPv6 Configuration
    The show ipv6 interface Command
    The show ipv6 route Command

CHAPTER 13 Configuring AAA Servers and the Local Database
  AAA Overview
    About Authentication
    About Authorization
    About Accounting
  AAA Server and Local Database Support
    Summary of Support
    RADIUS Server Support
      Authentication Methods
      Attribute Support
      RADIUS Authorization Functions
    TACACS+ Server Support
    SDI Server Support
      SDI Version Support
      Two-step Authentication Process
      SDI Primary and Replica Servers
    NT Server Support
    Kerberos Server Support
    LDAP Server Support
    SSO Support for WebVPN with HTTP Forms
    Local Database Support
      User Profiles
      Fallback Support
  Configuring the Local Database
  Identifying AAA Server Groups and Servers
  Configuring an LDAP Server
    Authentication with LDAP
    Authorization with LDAP for VPN
    LDAP Attribute Mapping
  Using Certificates and User Login Credentials
    Using User Login Credentials
    Using certificates
  Supporting a Zone Labs Integrity Server
    Overview of Integrity Server and Security Appliance Interaction
    Configuring Integrity Server Support

CHAPTER 14 Configuring Failover
  Understanding Failover
  [...]

The preview of the contents ends here; the remaining extracted text consists of disordered fragments from later chapters and appendices, reproduced below in the order they appear, with truncated entries left as they were:

Using the Command-Line Interface (Appendix C)
  Firewall Mode and Security Context Mode
  Command Modes and Prompts
  Syntax Formatting
  Abbreviating Commands
  Command-Line Editing
  Command Completion
  Command Help
  Filtering show Command Output
  Command Output Paging
  Adding Comments
  Text Configuration Files
    How Commands Correspond with Lines in the Text File
    Command-Specific Configuration Mode Commands...

CHAPTER 43 Troubleshooting the Security Appliance
  Testing Your Configuration
    Enabling ICMP Debug Messages and System Log Messages
    Pinging Security Appliance Interfaces
    Pinging Through the Security Appliance
    Disabling the Test Configuration
    Traceroute
    Packet Tracer
  Reloading the Security Appliance
  Performing...

Managing the AIP SSM
  AIP SSM Overview
    How the AIP SSM Works with the Adaptive Security Appliance
    Operating Modes
    Using Virtual Sensors
    AIP SSM Procedure Overview
  Sessioning to the AIP SSM
  Configuring the Security Policy on the AIP SSM
  Assigning Virtual Sensors to Security Contexts
  Diverting Traffic to the...

  Managing the Security Appliance on a Different Interface from the VPN Tunnel Termination Interface
  Configuring AAA for System Administrators
    Configuring Authentication for CLI and ASDM Access
    Configuring Authentication To Access Privileged EXEC Mode (the enable Command)
    Configuring Authentication for the enable Command...

  Customization Template
  Importing a Customization Object
  Applying Customizations to Connection Profiles, Group Policies and Users
  Customizing Help
    Customizing a Help File Provided By Cisco
    Creating Help Files for Languages Not Provided by Cisco
    Importing a Help File to Flash Memory
    Exporting a Previously...

  Applying an Access List to an Interface

CHAPTER 19 Applying AAA for Network Access
  AAA Performance
  Configuring Authentication for Network Access
    Authentication Overview
    One-Time Authentication
    Applications Required to Receive an Authentication Challenge
    Security Appliance Authentication Prompts
    Static PAT...

  ...Commands
  Using a Script to Back Up and Restore Files
    Prerequisites
    Running the Script
    Sample Script
  Configuring Auto Update Support
    Configuring Communication with an Auto Update Server
    Configuring Client Updates as an Auto Update Server
    Viewing Auto Update Status

CHAPTER 42 Monitoring the Security...

  Authentication/Encryption
  Verifying the Failover Configuration
    Using the show failover Command
    Viewing Monitored Interfaces
    Displaying the Failover Commands in the Running Configuration
  Testing the Failover Functionality
  Controlling and Monitoring Failover
    Forcing Failover
    Disabling Failover
    Restoring...

  DCERPC Inspection
    DCERPC Overview
    Configuring a DCERPC Inspection Policy Map for Additional Inspection Control
  DNS Inspection
    How DNS Application Inspection Works
    How DNS Rewrite Works
    Configuring DNS Rewrite
    Using the Static Command for DNS Rewrite
    Using the Alias Command for DNS Rewrite...

  ...Crypto Map and Applying It To an Interface
  Applying Crypto Maps to Interfaces

CHAPTER 37 Configuring Clientless SSL VPN
  Getting Started
    Observing Clientless SSL VPN Security Precautions
    Understanding Features Not Supported in Clientless SSL VPN
    Using SSL to Access the Central Site
    Using HTTPS for Clientless...

Posted: 21/12/2013, 05:18
