Cisco ASA Series CLI Configuration Guide, Software Version 9.0, for the ASA 5505, ASA 5510, ASA 5520, ASA 5540, ASA 5550, ASA 5512-X, ASA 5515-X, ASA 5525-X, ASA 5545-X, ASA 5555-X, ASA 5580, ASA 5585-X, and the ASA Services Module...

OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks.

This guide applies to the Cisco ASA series. Throughout this guide, the term “ASA” applies generically to supported models, unless specified otherwise.
Subscribe to What’s New in Cisco Product Documentation, which lists all new and revised Cisco technical documentation, as an RSS feed that delivers content directly to your desktop using a reader application. The RSS feeds are a free service.
Glossary

ESP, which provides both authentication and encryption. See also encryption and VPN. Refer to RFC 2402.

AIP: Advanced Inspection and Prevention. For example, the AIP SSM or AIP SSC, which runs IPS software.

Cisco ASA Series CLI Configuration Guide GL-1
BPDU: Bridge Protocol Data Unit. Spanning-Tree Protocol hello packet that is sent out at configurable intervals to exchange information among bridges in the network. Protocol data unit is the OSI term for packet.
Compression can reduce the size of transferred packets and increase communication performance.

configuration, config, config file: A file on the ASA that represents the equivalent of settings, preferences, and properties administered by ASDM or the CLI.
CTIQBE is used by the TAPI/JTAPI protocol inspection module and supports NAT, PAT, and bidirectional NAT. This protocol enables Cisco IP SoftPhone and other Cisco TAPI/JTAPI applications to communicate with Cisco CallManager for call setup and voice traffic across the ASA.
See also encryption.

DES: Data Encryption Standard. DES was published in 1977 by the National Bureau of Standards and is a secret key encryption scheme based on the Lucifer algorithm from IBM. Cisco uses DES in classic crypto (40-bit and 56-bit key lengths),...
EIGRP: Enhanced Interior Gateway Routing Protocol. The ASA does not support EIGRP.

EMBLEM: Enterprise Management BaseLine Embedded Manageability. A syslog format that is designed to be consistent with the Cisco IOS system log format and is more compatible with CiscoWorks management applications.

encryption: Application of a specific algorithm or cipher to data so as to render the data incomprehensible to those unauthorized to see the information.
H.320: Suite of ITU-T standard specifications for video conferencing over circuit-switched media, such as ISDN, fractional T-1, and switched-56 lines. Extensions of ITU-T standard H.320 enable video conferencing over LANs and other packet-switched networks, as well as video over the Internet.
Hash Algorithm: A hash algorithm is a one-way function that operates on a message of arbitrary length to create a fixed-length message digest used by cryptographic services to ensure its data integrity. MD5 has a smaller digest and is considered to be slightly faster than SHA-1. Cisco uses both SHA-1 and MD5 hashes within its implementation of the IPsec framework.
interface PAT: The use of PAT where the IP address is also the IP address of the outside interface. See Dynamic PAT, Static PAT.

Internet: The global network that uses IP. Not a LAN. See also intranet.
ISP: Internet Service Provider. An organization that provides connection to the Internet via its services, such as modem dial-in over telephone voice lines or DSL.

JTAPI: Java Telephony Application Programming Interface. A Java-based API supporting telephony functions. See also TAPI.
L2TP: Layer Two Tunneling Protocol. An IETF standards track protocol defined in RFC 2661 that provides tunneling of PPP. L2TP is an extension to PPP. L2TP merges the older Cisco Layer Two Forwarding (L2F) protocol with PPTP. L2TP can be used with IPsec encryption and is considered more secure against attack than PPTP.
Mode Config: IKE Mode Configuration.

Modular Policy Framework: A means of configuring ASA features in a manner similar to Cisco IOS software Modular CLI.

mobile station: Refers generically to any mobile device, such as a mobile handset or computer, that is used to access network services.
IMSI. See also IMSI.

NSSA: not-so-stubby area. An OSPF feature described by RFC 1587. NSSA was first introduced in Cisco IOS software release 11.2. It is a nonproprietary extension of the existing stub area feature that allows the injection of external routes in a limited fashion into the stub area.
See also PIM-SM.

PIM-SM: Protocol Independent Multicast-Sparse Mode. With PIM-SM, which is the default for Cisco routers, when the source of a multicast transmission begins broadcasting, the traffic is forwarded from one MC router to the next, until the packets reach every registered host. See also PIM.
These characteristics of key pairs provide a scalable and secure method of authentication over an insecure medium, such as the Internet.
(named after its inventors, Rivest, Shamir, and Adleman) with a variable key length. The main weakness of RSA is that it is significantly slower to compute than popular secret-key algorithms, such as DES. The Cisco implementation of IKE uses a Diffie-Hellman exchange to get the secret keys.
SA is used by IKE only, and unlike the IPsec SA, it is bidirectional.

SCCP: Skinny Client Control Protocol. A Cisco-proprietary protocol used between Cisco Call Manager and Cisco VoIP phones.

SCEP: Simple Certificate Enrollment Protocol. A method of requesting and receiving (also known as enrolling) certificates from CAs.
ASA is sent through an IPsec tunnel. All traffic originating from the client is sent to the outside interface through a tunnel, and client access to the Internet from its remote site is denied.
See also AAA, RADIUS.

TAPI: Telephony Application Programming Interface. A programming interface in Microsoft Windows that supports telephony functions.

TCP: Transmission Control Protocol. Connection-oriented transport layer protocol that provides reliable full-duplex data transmission.
Transport mode is less secure than tunnel mode.

TAPI Service Provider. See also TAPI.

tunnel mode: IPsec encryption mode that encrypts both the header and data portion (payload) of each packet. Tunnel mode is more secure than transport mode.
IP address that matches the correct source interface according to the routing table.

URL: Uniform Resource Locator. A standardized addressing scheme for accessing hypertext documents and other services using a browser. For example, http://www.cisco.com.

user EXEC mode: The lowest privilege level at the ASA CLI. The user EXEC mode prompt appears as follows when you first access the ASA:
hostname>
This lets different vendors have VSAs of the same number. The combination of a vendor number and a VSA number makes a VSA unique. For example, the cisco-av-pair VSA is attribute 1 in the set of VSAs related to vendor number 9. Each vendor can define up to 256 VSAs. A...
IKE Extended Authentication.

xlate: An xlate, also referred to as a translation entry, represents the mapping of one IP address to another, or the mapping of one IP address/port pair to another.
CHAPTER: Introduction to the Cisco ASA

The Cisco ASA provides advanced stateful firewall and VPN concentrator functionality in one device, and for some models, integrated services modules such as IPS. The ASA includes many advanced...
When using Java 6 to access the splash screen in a browser, by default Internet Explorer on Windows Vista and later, and Firefox on all operating systems, do not support DES for SSL; therefore, without the strong encryption license (3DES/AES), see the following workarounds:
To change the security setting, open System Preferences, and click Security & Privacy. On the General tab, under Allow applications downloaded from, click Anywhere.

Hardware and Software Compatibility

For a complete list of supported hardware and software, see the Cisco ASA Compatibility: http://www.cisco.com/en/US/docs/security/asa/compatibility/asamatrx.html

VPN Specifications

See Supported VPN Platforms, Cisco ASA 5500 Series: http://www.cisco.com/en/US/docs/security/asa/compatibility/asa-vpn-compatibility.html
• The active cluster member count
• The output of the show cluster info command and the show cluster history command on the cluster master

New Features in ASA 9.0(2)/ASDM 7.1(2)

Released: February 25, 2013
Windows 8 Support: See the following limitations:
• Secure Desktop (Vault) is not supported with Windows 8.

Dynamic Access Policies: ASDM was updated to enable selection of Windows 8 in the DAP Operating System attribute.
Formerly, when you cleared the password, the ASA restored the default of “cisco.” Now when you clear the password, the password is removed. The login password is also used for Telnet sessions from the switch to the ASASM (see the session command).
Released: October 29, 2012

Table 1-5 lists the new features for ASA Version 9.0(1)/ASDM Version 7.0(1).

Note: Features added in 8.4(4.x), 8.4(5), and 8.4(6) are not included in 9.0(1) unless they are explicitly listed in this table.
IP addresses. The ASA can utilize the Cisco TrustSec solution for other types of security group based policies, such as application inspection; for example, you can configure a class map containing an access policy based on a security group.
Table 1-5 New Features for ASA Version 9.0(1)/ASDM Version 7.0(1) (continued)

Cisco Cloud Web Security (ScanSafe): Cisco Cloud Web Security provides content scanning and other malware protection services for web traffic. It can also redirect and report on web traffic based on user identity. Note: Clientless SSL VPN is not supported with Cloud Web Security;...
Therefore, Sun RPC inspection implements a pinhole mechanism to support egress traffic. Sun RPC inspection uses this pinhole mechanism to support outbound dynamic access lists. Also available in 8.4(4.1).
We modified the following commands: set connection conn-max, set connection embryonic-conn-max, set connection per-client-embryonic-max, set connection per-client-max. We modified the following screen: Configuration > Firewall > Service Policy Rules > Connection Settings. Also available in 8.4(5).

High Availability and Scalability Features
For EIGRP, bulk synchronization, route synchronization, and spanned EtherChannels are supported in the clustering environment. Multicast routing supports clustering. We introduced or modified the following commands: show route cluster, debug route cluster, show mfib cluster, debug mfib cluster.
This release of the ASA continues to support IPv6 VPN traffic on its inside interface using the SSL protocol as it has in the past. This release does not provide the IKEv2/IPsec protocol on the inside interface.
IKEv2/IPsec protocol. We introduced the following command: ipv6-split-tunnel-policy. We modified the following screen: Configuration > Remote Access VPN > Network (Client) Access > Group Policies > (Edit group policy) > Advanced > Split Tunneling.
This feature can be used by clients configured to use the SSL or IKEv2/IPsec protocol. We introduced the following command: gateway-fqdn. We modified the following screen: Configuration > Remote Access VPN > Network (Client) Access > Group Policies > (Edit group policy) > Advanced > AnyConnect.
(767001) when unsupported inspections receive and drop IPv6 traffic. We modified the following command: service-policy fail-close. We modified the following screen: Configuration > Firewall > Service Policy Rules > Add Service Policy Rule Wizard - Service Policy.

Remote Access Features
Remote File Explorer: network from their web browser. When users click the Remote File System icon on the Cisco SSL VPN portal page, an applet is launched on the user's system displaying the remote file system in a tree and folder view.
Custom attributes can benefit AnyConnect clients configured for either IKEv2/IPsec or SSL protocols. We added the following command: anyconnect-custom-attr. A new screen was added: Configuration > Remote Access VPN > Network (Client) Access > Advanced > AnyConnect Custom Attributes.
You cannot set the firewall mode in ASDM; you must use the command-line interface. Also available in Version 8.5(1).

Module Features

ASA Services Module support on the Cisco 7600 switch: The Cisco 7600 series now supports the ASASM. For specific hardware and software requirements, see: http://www.cisco.com/en/US/docs/security/asa/compatibility/asamatrx.html. We did not modify any screens.

How the ASA Services Module Works with the Switch

You can install the ASASM in the Catalyst 6500 series and Cisco 7600 series switches with Cisco IOS software on both the switch supervisor and the integrated MSFC.
Figure: MSFC/Router In Front of the ASASM (diagram; the figure showed the Internet, an MSFC/Router, the ASASM, and inside networks joined by VLANs 100, 200, 201, 202, 203, 301, 302, and 303)
Because the ASA lets you configure many interfaces with varied security policies, including many inside interfaces, many DMZs, and even many outside interfaces if desired, these terms are used in a general sense only.
You can use private addresses on your inside networks. Private addresses are not routable on the Internet.
• NAT hides the local addresses from other networks, so attackers cannot learn the real address of a host.
• NAT can resolve IP routing problems by supporting overlapping IP addresses.
Some network traffic, such as voice and streaming video, cannot tolerate long latency times. QoS is a network feature that lets you give priority to these types of traffic. QoS refers to the capability of a network to provide better service to selected network traffic.
Configuring Cisco Unified Communications

The Cisco ASA 5500 series is a strategic platform to provide proxy functions for unified communications deployments. The purpose of a proxy is to terminate and reoriginate connections between a client and server.
These protocols include FTP, H.323, and SNMP.
• Is this an established connection?
Many features are supported in multiple context mode, including routing tables, firewall features, IPS, and management. Some features are not supported, including VPN and dynamic routing protocols.
(management, integration into a network) while achieving the increased throughput and redundancy of multiple devices. You perform all configuration (aside from the bootstrap configuration) on the master unit only; the configuration is then replicated to the member units.
CHAPTER: Configuring the Switch for Use with the ASA Services Module

This chapter describes how to configure the Catalyst 6500 series or Cisco 7600 series switch for use with the ASASM. Before completing the procedures in this chapter, configure the basic properties of your switch, including assigning VLANs to switch ports, according to the documentation that came with your switch.
Guidelines and Limitations

To view a matrix of hardware and software compatibility for the ASASM and Cisco IOS versions, see the Cisco ASA 5500 Series Hardware and Software Compatibility: http://www.cisco.com/en/US/docs/security/asa/compatibility/asamatrx.html

Some ASASM features interact with Cisco IOS features.
You can assign up to 16 firewall VLAN groups to each ASASM. (You can create more than 16 VLAN groups in Cisco IOS software, but only 16 can be assigned per ASASM.) For example, you can assign all the VLANs to one group; or you can create an inside group and an outside group; or you can create a group for each customer.
ASASM outside interface), then add an ASASM VLAN interface to the MSFC as a switched virtual interface (SVI). This section includes the following topics:
• Information About SVIs, page 1-6
• Configuring SVIs, page 1-8

Cisco ASA Series ASDM Configuration Guide
For example, with multiple SVIs, you could accidentally allow traffic to pass around the ASASM by assigning both the inside and outside VLANs to the MSFC. (See Figure 1-1.)

Figure 1-1 Multiple SVI Misconfiguration (diagram; the figure showed the Internet, VLAN 100, the MSFC, VLAN 200, the ASA SM, VLAN 201, and the inside network)
IPX traffic to pass on VLAN 201.

Figure 1-2 Multiple SVIs for IPX (diagram; the figure showed the Internet, VLAN 100, the MSFC, VLAN 200, the ASA SM, VLAN 201, an IPX host, and an IP host on the inside network)
Step 1
Command: firewall multiple-vlan-interfaces
Purpose: Allows you to add more than one SVI to the ASASM.
Example: Router(config)# firewall multiple-vlan-interfaces

Step 2
Command: interface vlan vlan_number
Purpose: Adds a VLAN interface to the MSFC.
Example: Router(config)# interface vlan 55
• Assigning VLANs to the Secondary ASA Services Module, page 1-10
• Adding a Trunk Between a Primary Switch and Secondary Switch, page 1-10
• Ensuring Compatibility with Transparent Firewall Mode, page 1-10
• Enabling Autostate Messaging for Rapid Link Failure Detection, page 1-10
• The last interface belonging to a VLAN goes down.
• The first interface belonging to a VLAN comes up.

Detailed Steps

Command: firewall autostate
Purpose: Enables autostate messaging in Cisco IOS software. Autostate messaging is disabled by default.
Example: Router(config)# firewall autostate
Command: show firewall vlan-group
Purpose: Displays all configured VLAN groups.

Command: show interface vlan
Purpose: Displays the status and information about the configured VLAN interface.

Examples

The following is sample output from the show firewall module [mod-num] state command:
Router# show firewall module
Module Vlan-groups
50,52
51,52

The following is sample output from the show firewall module [mod-num] version command:

Router# show firewall module 2 version
ASA Service Module 2:
Sw Version: 100.7(8)19
We introduced or modified the following commands: firewall transparent, mac address auto, firewall autostate (IOS), interface vlan.

ASA Services Module support on the Cisco 7600 switch (9.0(1)): The Cisco 7600 series now supports the ASASM.
Press the Enter key to see the following prompt:
hostname>
This prompt indicates that you are in user EXEC mode. Only basic commands are available from user EXEC mode.

Step 3 To access privileged EXEC mode, enter the following command:
hostname> enable
Later, you can configure remote access directly to the ASASM using Telnet or SSH according to the “Configuring ASA Access for ASDM, Telnet, or SSH” section on page 1-1. This section includes the following topics:
• Information About Connection Methods, page 1-3
You must use a direct serial connection to return the console to the switch prompt. In this case, either change the terminal server or switch escape character in Cisco IOS, or use the Telnet session command instead.

Note: Because of the persistence of the console connection, if you do not properly log out of the ASASM, the connection may exist longer than intended.
Enter the login password to the ASASM. Set the password using the passwd command.
• 9.0(1): The default password is “cisco.”
• 9.0(2) and later: There is no default password.
You access user EXEC mode.

Step 2...
(^) character as a standalone character, you can temporarily or permanently change the escape character to a different character. In Cisco IOS, before you session to the ASASM, use the terminal escape-character ascii_number command (to change temporarily) or the default escape-character ascii_number command (to change permanently).
Accessing ASDM Using the Factory Default Configuration

With a factory default configuration (see the “Factory Default Configurations” section on page 1-18), ASDM connectivity is pre-configured with default network settings. Connect to ASDM using the following interface and network settings:
Step 1 (Optional)
Command: firewall transparent
Purpose: Enables transparent firewall mode. This command clears your configuration.
Example: hostname(config)# firewall transparent

Step 2 Do one of the following to configure a management interface, depending on your mode:
DHCP range. You can later change the IPS module management address using the ASA if required.
Example:
hostname(config)# dhcpd address 192.168.1.5-192.168.1.254 inside
hostname(config)# dhcpd enable inside

Step 5
Command: http server enable
Purpose: Enables the HTTP server for ASDM.
Example: hostname(config)# http server enable
If you do not have a factory default configuration, or want to change the firewall or context mode, perform the following steps.

Prerequisites

Access the CLI according to the “Accessing the Appliance Command-Line Interface” section on page 1-1.
Command: http server enable
Purpose: Enables the HTTP server for ASDM.
Example: hostname(config)# http server enable

Step 6
Command: http ip_address mask interface_name
Purpose: Allows the management host to access ASDM.
Example: hostname(config)# http 192.168.1.0 255.255.255.0 management
“Assigning VLANs to the ASA Services Module” section on page 1-4.
• Connect to the ASASM and access global configuration mode according to the “Accessing the ASA Services Module Command-Line Interface” section on page 1-2.
Command:
dhcpd address ip_address-ip_address interface_name
dhcpd enable interface_name
Purpose: Enables DHCP for the management host on the management interface network. Make sure you do not include the management address in the range.
Example:
hostname(config)# dhcpd address 192.168.1.2-192.168.1.254 inside
hostname(config)# dhcpd enable inside
The following configuration converts the firewall mode to transparent mode, configures the VLAN 1 interface and assigns it to BVI 1, and enables ASDM for a management host:

firewall transparent
interface bvi 1
 ip address 192.168.1.1 255.255.255.0
interface vlan 1
 bridge-group 1
 nameif inside
Where interface_ip_address is the management IP address of the ASA. See the “Configuring ASDM Access for Appliances” section on page 1-6 or the “Configuring ASDM Access for the ASA Services Module” section on page 1-11 for more information about management access.
With HTTPS authentication enabled, enter your username and associated password. If there is a new version of ASDM on the ASA, the ASDM Launcher automatically downloads the new version and requests that you update the current version before starting ASDM.
Step 1 Start the Java Web Start application.
Step 2 Accept any certificates according to the dialog boxes that appear. The Cisco ASDM-IDM Launcher appears.
Step 3 Enter the username and password, and click OK. For a factory default configuration, leave these fields empty.
Step 2 Double-click the installer to install the software.
Step 3 Double-click the Cisco ASDM Launcher shortcut on your desktop, or open it from the Start menu.
Step 4 Check the Run in Demo Mode check box. The Demo Mode window appears.
Factory Default Configurations

The factory default configuration is the configuration applied by Cisco to new ASAs.
• ASA 5505—The factory default configuration configures interfaces and NAT so that the ASA is ready to use in your network immediately.
Ethernet 0/0 assigned to outside.
• IP addresses—Outside address from DHCP; inside address set manually to 192.168.1.1/24.
• Network address translation (NAT)—All inside IP addresses are translated when accessing the outside using interface PAT.
interface Ethernet 0/5
 switchport access vlan 1
 no shutdown
interface Ethernet 0/6
 switchport access vlan 1
 no shutdown
interface Ethernet 0/7
 switchport access vlan 1
 no shutdown
interface vlan2
 nameif outside
 no shutdown
• IP addresses—The IP addresses configured should be changed to match the network to which you are connecting.
• Static routes—For some kinds of traffic, static routes are required. See the “MAC Address vs. Route Lookups” section on page 1-6.
Additional information about contexts is in Chapter 1, “Configuring Multiple Context Mode.” This section includes the following topics:
• Saving Configuration Changes, page 1-24
• Copying the Startup Configuration to the Running Configuration, page 1-25
URL, except for an HTTP or HTTPS URL, which do not let you save the configuration to the server.
Example: hostname# write memory

Note: The copy running-config startup-config command is equivalent to the write memory command.
The context 'context a' could not be saved due to Unknown errors

Copying the Startup Configuration to the Running Configuration

Copy a new startup configuration to the running configuration using one of the following options.
For example, to remove a specific nat command, enter enough of the command to identify it uniquely, as follows:
hostname(config)# no nat (inside) 1
To ensure that all connections use the new policy, you need to disconnect the current connections so they can reconnect using the new policy. To disconnect connections, enter one of the following commands.
Reloading the ASA

To reload the ASA, enter the following command:
Command: reload
Purpose: Reloads the ASA.
Example: hostname(config)# reload

Note: In multiple context mode, you can only reload from the system execution space.
Page 137
The ASA acts as a router between connected networks, and each interface requires an IP address on a different subnet. The ASA supports multiple dynamic routing protocols. However, we recommend using the advanced routing capabilities of the upstream and downstream routers instead of relying on the ASA for extensive routing needs.
Using the Transparent Firewall in Your Network
The ASA connects the same network between its interfaces. Because the firewall is not a routed hop, you can easily introduce a transparent firewall into an existing network.
For example, all bridge groups share a syslog server or AAA server configuration. For complete security policy separation, use security contexts with one bridge group in each context.
ACL.
Note Broadcast and multicast traffic can be passed using access rules. See the “Allowing Broadcast and Multicast Traffic through the Transparent Firewall Using Access Rules” section on page 7-6 for more information.
EtherType access list to deny them. If you are using failover, you might want to block BPDUs to prevent the switch port from going into a blocking state when the topology changes. See the “Transparent Firewall Mode Requirements” section on page 9-14 for more information.
ARP inspection prevents malicious users from impersonating other hosts or routers (known as ARP spoofing). ARP spoofing can enable a “man-in-the-middle” attack. For example, a host sends an ARP request to the gateway router; the gateway router responds with the gateway router MAC address.
The default timeout value for dynamic MAC address table entries is 5 minutes.
• By default, each interface automatically learns the MAC addresses of entering traffic, and the ASA adds corresponding entries to the MAC address table.
ASDM Command Line Interface tool or SSH, you will be disconnected when the configuration is cleared, and you will have to reconnect to the ASA using the console port in any case.
• Set the mode within the context.
If an entry is incorrect (for example, the MAC address changes for a given IP address), the entry times out before it can be updated.
Note The transparent firewall uses dynamic ARP entries in the ARP table for traffic to and from the ASA, such as management traffic.
Examples
For example, to enable ARP inspection on the outside interface, and to drop all non-matching ARP packets, enter the following command:
hostname(config)# arp-inspection outside enable no-flood
To change the timeout, enter the following command:
Command: mac-address-table aging-time timeout_value
Purpose: Sets the MAC address entry timeout. The timeout_value (in minutes) is between 5 and 720 (12 hours). 5 minutes is the default.
Example: hostname(config)# mac-address-table aging-time 10
The following is sample output from the show mac-address-table command that shows the entire table:
hostname# show mac-address-table
interface   mac address       type      Time Left
-----------------------------------------------------------------------
outside     0009.7cbe.2100    static
inside      0010.7cbe.6101    static
inside      0009.7cbe.5101    dynamic
• An Inside User Visits a Web Server on the DMZ, page 1-17
• An Outside User Attempts to Access an Inside Host, page 1-17
• A DMZ User Attempts to Access an Inside Host, page 1-19
The ASA performs NAT by untranslating the global destination address to the local user address, 10.1.2.27. The ASA forwards the packet to the inside user.
The ASA performs NAT by translating the local source address to 209.165.201.3. The ASA forwards the packet to the outside user.
The ASA forwards the packet to the inside user.
An Outside User Attempts to Access an Inside Host
Figure 1-6 shows an outside user attempting to access the inside network.
The packet is denied, and the ASA drops the packet and logs the connection attempt. If the outside user is attempting to attack the inside network, the ASA employs many technologies to determine if a packet is valid for an already established session.
The ASA receives the packet, and because it is a new session, the ASA verifies whether the packet is allowed according to the security policy (access lists, filters, AAA). The packet is denied, and the ASA drops the packet and logs the connection attempt.
• An Inside User Visits a Web Server Using NAT, page 1-22
• An Outside User Visits a Web Server on the Inside Network, page 1-23
• An Outside User Attempts to Access an Inside Host, page 1-24
The web server responds to the request; because the session is already established, the packet bypasses the many lookups associated with a new connection. The ASA forwards the packet to the inside user.
The web server responds to the request; because the session is already established, the packet bypasses the many lookups associated with a new connection. The ASA performs NAT by untranslating the mapped address to the real address, 10.1.2.27.
The web server responds to the request; because the session is already established, the packet bypasses the many lookups associated with a new connection. The ASA forwards the packet to the outside user.
The packet is denied because there is no access list permitting the outside host, and the ASA drops the packet. If the outside user is attempting to attack the inside network, the ASA employs many technologies to determine if a packet is valid for an already established session.
You can set the firewall mode independently for each security context in multiple context mode, so some can run in transparent mode while others run in routed mode. We modified the following command: firewall transparent.
Chapter 1 Configuring the Transparent or Routed Firewall: Feature History for the Firewall Mode
VPN License and Feature Compatibility, page 1-23
Licenses Per Model
This section lists the feature licenses available for each model:
• ASA 5505, page 1-3
• ASA 5510, page 1-4
• ASA 5520, page 1-5
If you have a No Payload Encryption model, then some of the features below are not supported. See the “No Payload Encryption Models” section on page 1-32 for a list of unsupported features. For detailed information about licenses, see the “License Notes” section on page 1-18.
Use the show local-host command to view host limits.
3. For a 10-user license, the max. DHCP clients is 32. For 50 users, the max. is 128. For unlimited users, the max. is 250, which is the max. for other models.
Ethernet 0/2, 0/3, 0/4 (and others): Fast Eth.; Security Contexts: No support | Optional licenses; Clustering: No support | No support; VLANs, Maximum.
1. Although the Ethernet 0/0 and 0/1 ports are Gigabit Ethernet, they are still identified as “Ethernet” in the software.
Other VPN (sessions); VPN Load Balancing: Supported. General Licenses: Encryption: Base (DES), Optional license: Strong (3DES/AES); Failover: Active/Standby or Active/Active; Interfaces of all types, Max.: 764; Security Contexts: Optional licenses; Clustering: No support; VLANs, Maximum.
Other VPN (sessions): 5000; VPN Load Balancing: Supported. General Licenses: Encryption: Base (DES), Optional license: Strong (3DES/AES); Failover: Active/Standby or Active/Active; Interfaces of all types, Max.: 964; Security Contexts: Optional licenses; Clustering: No support; VLANs, Maximum.
Other VPN (sessions): 5000; VPN Load Balancing: Supported. General Licenses: Encryption: Base (DES), Optional license: Strong (3DES/AES); Failover: Active/Standby or Active/Active; Interfaces of all types, Max.: 1764; Security Contexts: Optional licenses; Clustering: No support; VLANs, Maximum.
Security Contexts: Optional licenses; Clustering: Disabled, Optional license: Available; VLANs, Maximum: 1024.
1. With the 10,000-session UC license, the total combined sessions can be 10,000, but the maximum number of Phone Proxy sessions is 5000.
Opt. lic.: Strong (3DES/AES); Failover: No support | Active/Standby or Active/Active; Interfaces of all types, Max.: 716; Security Contexts: No support | Optional licenses; IPS Module: Disabled, Optional license: Available | Disabled, Optional license: Available; VLANs, Maximum.
General Licenses: Encryption: Base (DES), Optional license: Strong (3DES/AES); Failover: Active/Standby or Active/Active; Interfaces of all types, Max.: 916; Security Contexts: Optional licenses; Clustering: No support; IPS Module: Disabled, Optional license: Available; VLANs, Maximum.
General Licenses: Encryption: Base (DES), Optional license: Strong (3DES/AES); Failover: Active/Standby or Active/Active; Interfaces of all types, Max.: 1316; Security Contexts: Optional licenses; Clustering: No support; IPS Module: Disabled, Optional license: Available; VLANs, Maximum.
General Licenses: Encryption: Base (DES), Optional license: Strong (3DES/AES); Failover: Active/Standby or Active/Active; Interfaces of all types, Max.: 1716; Security Contexts: Optional licenses; Clustering: No support; IPS Module: Disabled, Optional license: Available; VLANs, Maximum.
General Licenses: Encryption: Base (DES), Optional license: Strong (3DES/AES); Failover: Active/Standby or Active/Active; Interfaces of all types, Max.: 2516; Security Contexts: Optional licenses; Clustering: No support; IPS Module: Disabled, Optional license: Available; VLANs, Maximum.
Base License: Disabled; fiber ifcs run at 1 GE. Security Plus License: Enabled; fiber ifcs run at 10 GE. Encryption: Base (DES), Optional license: Strong (3DES/AES); Failover: Active/Standby or Active/Active; Interfaces of all types, Max.: 4612; Security Contexts: Optional licenses; Clustering: Disabled, Optional license: Available; VLANs, Maximum: 1024.
Optional licenses; Clustering: Disabled, Optional license: Available; VLANs, Maximum: 1024.
1. With the 10,000-session UC license, the total combined sessions can be 10,000, but the maximum number of Phone Proxy sessions is 5000.
Optional licenses; Clustering: Disabled, Optional license: Available; VLANs, Maximum: 1024.
1. With the 10,000-session UC license, the total combined sessions can be 10,000, but the maximum number of Phone Proxy sessions is 5000.
Security Contexts: Optional licenses; Clustering: No support; VLANs, Maximum: 1024.
1. With the 10,000-session UC license, the total combined sessions can be 10,000, but the maximum number of Phone Proxy sessions is 5000.
• SSL VPN
• IPsec remote access VPN using IKEv2
This license does not support browser-based (clientless) SSL VPN access or Cisco Secure Desktop. For these features, activate an AnyConnect Premium license instead of the AnyConnect Essentials license.
Note With the AnyConnect Essentials license, VPN users can use a web browser to log in, and download and start (WebLaunch) the AnyConnect client.
To prevent the use of DES when you want to only use strong encryption, be sure to configure any relevant commands to use only strong encryption.
Failover, Active/Active: You cannot use Active/Active failover and VPN; if you want to use VPN, use Active/Standby failover.
IPS version of the ASA 5515-X (part number ASA5515-IPS-K9) and try to make a failover pair with a non-IPS version (part number ASA5515-K9), then Cisco will not let you obtain IPS signature updates for the ASA5515-K9 unit, even though it has an IPS module license inherited from the other unit.
1 session is used in total. However, if you start the AnyConnect client first (from a standalone client, for example) and then log into the clientless SSL VPN portal, then 2 sessions are used.
IME license). Some UC applications might use multiple sessions for a connection. For example, if you configure a phone with a primary and backup Cisco Unified Communications Manager, there are 2 TLS proxy connections, so 2 UC Proxy sessions are used.
This section includes the following topics:
• Preinstalled License, page 1-24
• Permanent License, page 1-24
• Time-Based Licenses, page 1-24
• Shared AnyConnect Premium Licenses, page 1-27
For example, if an evaluation license includes the Botnet Traffic Filter and a 1000-session AnyConnect Premium license, you cannot also activate a standalone time-based 2500-session AnyConnect Premium license.
For licenses with numerical tiers, the higher value is used. Typically, you will not install a time-based license that has less capability than the permanent license, but if you do so, then the permanent license is used.
1000-session AnyConnect Premium license (inactive), and a permanent 500-session AnyConnect Premium license. When the 2500-session license expires, the ASA activates the 1000-session license. After the 1000-session license expires, the ASA uses the 500-session permanent license.
Note The shared licensing server can also participate in the shared license pool. It does not need a participant license as well as the server license to participate.
When the main server comes back up, the backup server starts to increment again day-by-day. For example, if the main server is down for 20 days, with the backup server active during
The ASA does not limit the number of participants for the shared license; however, a very large shared network could potentially affect the performance on the licensing server. In this case, you can increase the delay between participant refreshes, or you can create two shared networks.
If you have licenses on multiple units, they combine into a single running ASA cluster license. The exceptions to this rule include:
• Clustering license—Each unit must have a clustering license.
• Encryption license—Each unit must have the same encryption license.
If you do not restore communication during the 30-day period, then for time-based licenses, time is subtracted from all unit licenses, if installed. They are treated as separate licenses and do not benefit from the combined license. The time elapsed includes the 30-day grace period.
No Payload Encryption Models
You can purchase some models with No Payload Encryption. For export to some countries, payload encryption cannot be enabled on the Cisco ASA series. The ASA software senses a No Payload Encryption model, and disables the following features: •...
Shared licenses are not supported in Active/Active mode. See the “Failover and Shared Licenses” section on page 1-29 for more information.
• Failover units do not require the same license on each unit.
(except in the case of a hardware failure). If you have to replace your device due to a hardware failure, and it is covered by Cisco TAC, contact the Cisco Licensing Team to have your existing license transferred to the new serial number. The Cisco Licensing Team will ask for the Product Authorization Key reference number and existing serial number.
To obtain an activation key, you need a Product Authorization Key, which you can purchase from your Cisco account representative. You need to purchase a separate Product Activation Key for each feature license. For example, if you have the Base License, you can purchase separate keys for Advanced Endpoint Assessment and for additional AnyConnect Premium sessions.
Any other keys are made inactive.
– If you have mismatched licenses on a failover pair, then downgrading will disable failover. Even if the keys are matching, the license used will no longer be a combined license.
Configuring the Shared Licensing Participant, page 1-39
Configuring the Shared Licensing Server
This section describes how to configure the ASA to be a shared licensing server.
Prerequisites
The server must have a shared licensing server key.
What to Do Next
See the “Configuring the Shared Licensing Participant” section on page 1-39.
Configuring the Shared Licensing Participant
This section configures a shared licensing participant to communicate with the shared licensing server.
If you have a No Payload Encryption model, then when you view the license, VPN and Unified Communications licenses will not be listed. See the “No Payload Encryption Models” section on page 1-32 for more information.
The flash permanent activation key is the SAME as the running permanent key.
Active Timebased Activation Key:
0xa821d549 0x35725fe4 0xc918b97b 0xce0b987b 0x47c7c285
Botnet Traffic Filter : Enabled 646 days
0xyadayad2 0xyadayad2 0xyadayad2 0xyadayad2 0xyadayad2
Total UC Proxy Sessions : 10 62 days
Total UC Proxy Sessions perpetual
Botnet Traffic Filter : Enabled 39 days
Intercompany Media Engine : Disabled perpetual
The flash permanent activation key is the SAME as the running permanent key.
Active Timebased Activation Key:
The “Failover Cluster” license, which is the combined licenses from the primary and secondary units. This is the license that is actually running on the ASA. The values in this license that reflect the combination of the primary and secondary licenses are in bold.
This platform has an ASA 5520 VPN Plus license.
Running Permanent Activation Key: 0xyadayad1 0xyadayad1 0xyadayad1 0xyadayad1 0xyadayad1
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 150 perpetual
Inside Hosts : Unlimited perpetual
: Enabled perpetual
3DES-AES : Enabled perpetual
Security Contexts : 50 perpetual
GTP/GPRS : Enabled perpetual
Botnet Traffic Filter : Enabled 330 days
This platform has an WS-SVC-ASA-SM1 No Payload Encryption license.
Output in a Cluster for show activation-key
hostname# show activation-key
Serial Number: JMX1504L2TD
Running Permanent Activation Key: 0x4a3eea7b 0x54b9f61a 0x4143a90c 0xe5849088 0x4412d4a9
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Total VPN Peers : 250 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual...
Feature: Increased interfaces for the Base license on the ASA 5510. Platform release: 7.2(2). Description: For the Base license on the ASA 5510, the maximum number of interfaces was increased from 3 plus a management interface to unlimited interfaces.
Feature: Advanced Endpoint Assessment License. Platform release: 8.0(2). Description: The Advanced Endpoint Assessment license was introduced. As a condition for the completion of a Cisco AnyConnect or clientless SSL VPN connection, the remote computer scans for a greatly expanded collection of antivirus and antispyware applications, firewalls, operating systems, and associated updates.
The AnyConnect Essentials License was introduced. This license enables AnyConnect VPN client access to the ASA. This license does not support browser-based SSL VPN access or Cisco Secure Desktop. For these features, activate an AnyConnect Premium license instead of the AnyConnect Essentials license.
We modified the following commands: show activation-key and show version.
Feature: Discrete activation and deactivation of time-based licenses. Platform release: 8.3(1). Description: You can now activate or deactivate time-based licenses using a command. We modified the following commands: activation-key [activate | deactivate].
Feature: No Payload Encryption hardware for export. Platform release: 8.4(1). Description: For models available with No Payload Encryption (for example, the ASA 5585-X), the ASA software disables Unified Communications and VPN features, making the ASA available for export to certain countries.
SSP-60); (you can use two SSPs of the same level in the same chassis).
Feature: VPN support for Dual SSPs. Description: VPN is now supported when using dual SSPs. We did not modify any commands.
Chapter 1 Managing Feature Licenses: Feature History for Licensing
Part: Configuring High Availability and Scalability
• How the ASA Classifies Packets, page 1-3
• Cascading Security Contexts, page 1-6
• Management Access to Security Contexts, page 1-7
• Information About Resource Management, page 1-8
• Information About MAC Addresses, page 1-11
This context is named “admin.” If you do not want to use admin.cfg as the admin context, you can change the admin context.
If you disable use of unique MAC addresses, then the ASA uses the mapped addresses in your NAT configuration to classify packets. We recommend using MAC addresses instead of NAT, so that traffic classification can occur regardless of the completeness of the NAT configuration.
Figure (diagram not reproduced): packet classification on the shared interface GE 0/0.1. Labels: Classifier; MAC 000C.F142.4CDA, MAC 000C.F142.4CDB, MAC 000C.F142.4CDC; Admin Context, Context A, Context B; GE 0/1.1, GE 0/1.2, GE 0/1.3; Inside Admin Network, Inside Customer A, Inside Customer B; hosts 209.165.202.129, 209.165.200.225, 209.165.201.1.
Figure (diagram not reproduced): Incoming Traffic from Inside Networks. Labels: Internet; GE 0/0.1; Admin Context, Context A, Context B; Classifier; GE 0/1.1, GE 0/1.2, GE 0/1.3; Inside Admin Network, Inside Customer A, Inside Customer B; hosts 10.1.1.13, 10.1.1.13, 10.1.1.13.
Cascading contexts requires unique MAC addresses for each context interface (the default setting). Because of the limitations of classifying packets on shared interfaces without MAC addresses, we do not recommend using cascading contexts without unique MAC addresses.
“enable_15” user, or you can log in as a different name for which you provide sufficient privileges. To log in with a new username, enter the login command. For
ASA sets the maximum limit for a context. If you oversubscribe resources, or allow some resources to be unlimited, a few contexts can “use up” those resources, potentially affecting service
• SSH sessions—5 sessions. (The maximum per context.)
• IPsec sessions—5 sessions. (The maximum per context.)
• MAC addresses—65,535 entries. (The maximum per context.)
• VPN site-to-site tunnels—0 sessions. (You must manually configure the class to allow any VPN sessions.)
Figure 1-6 Resource Oversubscription (chart not reproduced). Total Number of System Connections = 999,900; Max. 20% (199,800). Vertical axis: 39,996; 79,992; 119,988; 159,984; 199,800. Horizontal axis: Contexts in Class. Series: Maximum connections allowed; Connections in use; Connections denied because system limit was reached.
MAC address. This section includes the following topics:
• Default MAC Address, page 1-12
• Interaction with Manual MAC Addresses, page 1-12
• Failover MAC Addresses, page 1-12
• MAC Address Format, page 1-12
For an example of how the prefix is used, if you set a prefix of 77, then the ASA converts 77 into the hexadecimal value 004D (yyxx). When used in the MAC address, the prefix is reversed (xxyy) to match the ASA native form: A24D.00zz.zzzz
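The prefix conversion above, worked through in code. This is an added illustration, not code from the Cisco guide: it encodes the stated rule (decimal prefix to four hex digits yyxx, reversed to xxyy, giving A2xx.yyzz.zzzz), checks it against the page's own samples (prefix 77 and the a2d2.0400.125a addresses in the show context output), and, as an assumption drawn from that sample output rather than from the text, treats the standby address as the active address with the zz.zzzz counter incremented by one.

```python
"""Added worked example of the ASA auto-generated MAC address prefix rule.

Not part of the Cisco guide. The 16-bit prefix and 24-bit counter widths
follow the A2xx.yyzz.zzzz layout on the page; the standby-address rule
(counter + 1) is an assumption taken from the sample show context output.
"""


def prefix_to_hex_bytes(prefix: int) -> tuple[str, str]:
    """Return (xx, yy): the prefix as hexadecimal yyxx, reversed to xxyy.

    The page's example: prefix 77 -> 004D (yyxx) -> reversed 4D00 (xxyy).
    """
    if not 0 <= prefix <= 0xFFFF:
        raise ValueError("prefix must fit in 16 bits (0-65535)")
    yyxx = f"{prefix:04x}"          # 77 -> "004d"
    yy, xx = yyxx[:2], yyxx[2:]     # "00", "4d"
    return xx, yy                   # reversed: xx first, then yy


def auto_mac(prefix: int, counter: int, standby: bool = False) -> str:
    """Build an auto-generated MAC in ASA dotted form A2xx.yyzz.zzzz.

    counter is the ASA's internal per-interface value (zz.zzzz, 24 bits).
    The +1 for the standby unit is an assumption based on the sample output.
    """
    if not 0 <= counter < 0x1000000:
        raise ValueError("counter must fit in 24 bits")
    xx, yy = prefix_to_hex_bytes(prefix)
    zz = counter + (1 if standby else 0)
    raw = f"a2{xx}{yy}{zz:06x}"    # 12 hex digits, A2 marker first
    return f"{raw[0:4]}.{raw[4:8]}.{raw[8:12]}"


def prefix_from_auto_mac(mac: str) -> int:
    """Recover the decimal prefix from an ASA auto-generated MAC.

    Undoes the reversal: A2xx.yyzz.zzzz -> yyxx -> int. Raises if the
    address does not carry the A2 auto-generation marker, which is how
    an operator can tell an auto-generated address from a manual one.
    """
    raw = mac.replace(".", "").replace(":", "").lower()
    if len(raw) != 12 or not raw.startswith("a2"):
        raise ValueError(f"{mac!r} is not an ASA auto-generated MAC address")
    xx, yy = raw[2:4], raw[4:6]
    return int(yy + xx, 16)


if __name__ == "__main__":
    # Prefix 77 from the page: A24D.00zz.zzzz
    print(auto_mac(77, 1))                        # a24d.0000.0001
    # The sample show context output on the page uses prefix 1234 (0x04D2)
    print(auto_mac(1234, 0x125A))                 # a2d2.0400.125a
    print(auto_mac(1234, 0x125A, standby=True))   # a2d2.0400.125b
    print(prefix_from_auto_mac("a2d2.0400.125a")) # 1234
```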
Base License: 2 contexts. SSP-20, -40, and -60 Optional licenses: 5, 10, 20, 50, 100, or 250 contexts.
ASASM Base License: 2 contexts. Optional licenses: 5, 10, 20, 50, 100, or 250 contexts.
If you store context configurations in the root directory of flash memory, on some models you might run out of room in that directory, even though there is available memory. In this case, create a subdirectory for your configuration files. Background: some models, such as the ASA 5585-X, use
“Automatically Assigning MAC Addresses to Context Interfaces” section on page 1-25.
Step 6 Complete interface configuration in the context. See Chapter 1, “Completing Interface Configuration (Routed Mode),” or Chapter 1, “Completing Interface Configuration (Transparent Mode).”
Enabling or Disabling Multiple Context Mode
Your ASA might already be configured for multiple security contexts depending on how you ordered it from Cisco. If you need to convert from single mode to multiple mode, follow the procedures in this section.
Prerequisites
Perform this procedure in the system execution space.
Guidelines
Table 1-1 lists the resource types and the limits. See also the show resource types command.
See Table 1-1 for the Other VPN sessions available for your model (the model limit). The sessions you assign for this resource are guaranteed to the context.
SSH sessions: Concurrent; 1 minimum, 5 maximum.
2 All other resources remain at unlimited. To add a class called gold, enter the following commands:
hostname(config)# class gold
hostname(config-class)# limit-resource mac-addresses 10000
hostname(config-class)# limit-resource conns 15%
Although this context does not exist yet in your configuration, you can subsequently enter the context name command to continue the admin context configuration.
“System” or “Null” (in upper or lower case letters) are reserved names, and cannot be used.
Step 2 (Optional) description text: Adds a description for this context.
Example: hostname(config-ctx)# description Administrator Context
Specify visible to see the real interface ID in the show interface command if you set a mapped name. The default invisible keyword shows only the mapped name.
[mapped_name] [default]
See the “Assigning Virtual Sensors to a Security Context (ASA 5510 and Higher)” section on page 1-16 for detailed information about virtual sensors.
Example: hostname(config-ctx)# allocate-ips sensor1 highsec
indicate from which organization the request comes. The authentication key is a 16-byte hexadecimal number. See the “Configuring the ASA for Cisco Cloud Web Security” section on page 1-1 for detailed information about ScanSafe.
Example: hostname(config-ctx)# scansafe
Examples
The following example sets the admin context to be “administrator,” creates a context called “administrator”...
For example, you cannot view all running configurations (system plus all contexts) by entering the show running-config command. Only the current configuration displays.
URL location.
clear context: Removes all contexts (including the admin context). The context configuration files are not removed from the config URL locations.
You might get errors, or you might have unexpected results. If the running configuration is blank (for example, if the server was unavailable and the configuration was never downloaded), then the new configuration is used.
This action clears additional attributes, such as memory allocation, which might be useful for troubleshooting. However, to add the context back to the system requires you to respecify the URL and interfaces. This section includes the following topics:
• Reloading by Clearing the Configuration, page 1-29
100000 100000 10.00% bronze 50000 All Contexts: 300000 30.00% Hosts default unlimited gold unlimited silver 26214 26214 bronze 13107 All Contexts: 26214 default gold 5.00% silver 10.00% bronze All Contexts: 20.00% Telnet default Cisco ASA Series CLI Configuration Guide 1-32...
Page 253
The percentage of the total system resources that is allocated across all contexts in the class. If the resource is unlimited, this display is blank. If the resource does not have a system limit, then this column shows N/A. Cisco ASA Series CLI Configuration Guide 1-33...
Page 254
The following is sample output from the show resource usage summary command, which shows the resource usage for all contexts and all resources. This sample shows the limits for six contexts. hostname# show resource usage summary Cisco ASA Series CLI Configuration Guide 1-34...
Page 255
ASA acts as a proxy for the server and generates a SYN-ACK response to the client SYN request. When the ASA receives an ACK back from the client, it can then authenticate the client and allow the connection to the server. Cisco ASA Series CLI Configuration Guide 1-35...
You can view auto-generated MAC addresses within the system configuration or within the context. This section includes the following topics:
• Viewing MAC Addresses in the System Configuration, page 1-38
• Viewing MAC Addresses Within a Context, page 1-39
Management0/0 a2d2.0400.125a a2d2.0400.125b
config-url disk0:/admin.cfg
context CTX1
allocate-interface GigabitEthernet0/0
allocate-interface GigabitEthernet0/0.1-GigabitEthernet0/0.5
mac-address auto GigabitEthernet0/0.1 a2d2.0400.11bc a2d2.0400.11bd
mac-address auto GigabitEthernet0/0.2 a2d2.0400.11c0 a2d2.0400.11c1
mac-address auto GigabitEthernet0/0.3 a2d2.0400.11c4 a2d2.0400.11c5
mac-address auto GigabitEthernet0/0.4 a2d2.0400.11c8 a2d2.0400.11c9
The show interface command shows the MAC address in use; if you manually assign a MAC address and also have auto-generation enabled, then you can only view the unused auto-generated address from within the system configuration.
50 to 100. The maximum for the ASA 5580 was increased from 50 to 250.
Automatic MAC address assignment enabled by default (8.5(1)): Automatic MAC address assignment is now enabled by default. We modified the following command: mac-address auto.
A new resource type, routes, was created to set the maximum number of routing table entries in each context. We modified the following commands: limit-resource, show resource types, show resource usage, show resource allocation.
New resource types, vpn other and vpn burst other, were created to set the maximum number of site-to-site VPN tunnels in each context. We modified the following commands: limit-resource, show resource types, show resource usage, show resource allocation.
Chapter 1 Configuring Multiple Context Mode: Feature History for Multiple Context Mode
• ASA Cluster Interfaces, page 1-4
• Cluster Control Link, page 1-6
• High Availability within the ASA Cluster, page 1-9
• Configuration Replication, page 1-10
• ASA Cluster Management, page 1-10
• Load Balancing Methods, page 1-12
70% of 80 Gbps (8 units x 10 Gbps): 56 Gbps.
Cluster Members
• ASA Hardware and Software Requirements, page 1-3
• Bootstrap Configuration, page 1-3
• Master and Slave Unit Roles, page 1-3
• Master Unit Election, page 1-3
Any other units with a higher priority respond to the election request; the priority is set between 1 and 100, where 1 is the highest priority. If after 45 seconds, a unit does not receive a response from another unit with a higher priority, then it becomes master.
IP address is assigned to the bridge group, not to the interface. The EtherChannel inherently provides load balancing as part of basic operation. See also the “Spanned EtherChannel (Recommended)” section on page 1-12.
“Load Balancing Methods” section on page 1-12.
Note
We recommend Spanned EtherChannels instead of Individual interfaces because Individual interfaces rely on routing protocols to load-balance traffic, and routing protocols often have slow convergence during a link failure.
Each unit must dedicate at least one hardware interface as the cluster control link.
• Cluster Control Link Traffic Overview, page 1-7
• Cluster Control Link Network, page 1-7
• Sizing the Cluster Control Link, page 1-7
• Cluster Control Link Redundancy, page 1-8
When membership changes, the cluster needs to rebalance a large number of connections, thus temporarily using a large amount of cluster control link bandwidth. A higher-bandwidth cluster control link helps the cluster to converge faster when there are membership changes and prevents throughput bottlenecks.
IP pool. However, if you reload, and the unit is still inactive in the cluster, the management interface is not accessible (because it then uses the Main IP address, which is the same as the master unit). You must use the console port for any further configuration.
TCP/UDP state information, so that the connection can be seamlessly transferred to a new owner in case of a failure.
For the management interface, we recommend using one of the dedicated management interfaces. You can configure the management interfaces as Individual interfaces (for both routed and transparent modes) or as a Spanned EtherChannel interface.
Main cluster IP address using ASDM, then a warning message about a mismatched IP address appears because the certificate uses the Local IP address, and not the Main cluster IP address.
IP address (the default) or the source and destination port as the hashing algorithm.
• Use the same type of line cards when connecting the ASAs to the switch so that hashing algorithms applied to all packets are the same.
16 links in the EtherChannel. The active links are shown as solid lines, while the inactive links are dotted. cLACP load-balancing can automatically choose the best 8 links to be active in the EtherChannel. As shown, cLACP helps achieve load balancing at the link level.
ASA. For example, if you have a Cisco router, redundancy can be achieved by using IOS PBR with Object Tracking. IOS Object Tracking monitors each ASA using ICMP ping. PBR can then enable or disable route maps based on reachability of a particular ASA.
A connection can have multiple forwarders; the most efficient throughput is achieved by a good load-balancing method where there are no forwarders and all packets of a connection are received by the owner.
If packets are delivered to any additional units, those units query the director for the owner and establish a flow. Any state change for the flow results in a state update from the owner to the director.
Authentication and Authorization for network access. Accounting is decentralized.
• Filtering Services
Features Applied to Individual Units
These features are applied to each ASA unit, instead of to the cluster as a whole or to the master unit.
If a routing packet arrives at a slave, it is redirected to the master unit.
Figure 1-1 Dynamic Routing in Spanned EtherChannel Mode (figure: only the master unit uses OSPF with neighboring routers; slave units are invisible; the EtherChannel load-balances across the cluster members; Router B)
Multicast Routing in Spanned EtherChannel Mode
In Spanned EtherChannel mode, the master unit handles all multicast routing packets and data packets until fast-path forwarding is established. After the connection is established, each slave can forward multicast data packets.
“Per-Session PAT vs. Multi-Session PAT” section on page 1-9 in the firewall configuration guide.
• No static PAT for the following inspections—
– PPTP
– SQLNET
– TFTP
– XDMCP
– All Voice-over-IP applications
For connections to an Individual interface when using PBR or ECMP, you must always connect to the Main cluster IP address, not a Local address. VPN-related keys and certificates are replicated to all units.
IP address.
– Except for the IP address used by the master unit (typically the first unit you add to the cluster), these management IP addresses are for temporary use only.
PortFast on the switch ports connected to the ASA to speed up the join process for new units.
• When you see slow bundling of a Spanned EtherChannel on the switch, you can enable LACP rate fast for an Individual interface on the switch.
ASA cluster. These messages can result in some units of the ASA cluster experiencing high CPU, which can affect performance. We recommend that you throttle ICMP error messages.
Configure the security policy on the master unit. See the chapters in this guide to configure supported features on the master unit. The configuration is replicated to the slave units. For a list of supported and unsupported features, see the “ASA Features and Clustering” section on page 1-17.
VLAN subinterface of the EtherChannel. Using subinterfaces lets both inside and outside interfaces take advantage of the benefits of an EtherChannel.
• 1 Management interface. You have one switch for both the inside and outside networks.
VLAN 200 for the inside and VLAN 201 for the outside.
Management interface: Management 0/0 (4 ports total). Place all interfaces on the same isolated management VLAN, for example VLAN 100.
(rare), the mode is changed and the configuration is preserved. If you do not want to clear your configuration, you can exit the command by typing n. To remove the interface mode, enter the no cluster interface-mode command.
For a redundant interface, see the “Configuring a Redundant Interface” section on page 1-26. Management-only interfaces cannot be redundant interfaces.
– For subinterfaces, see the “Configuring VLAN Subinterfaces and 802.1Q Trunking” section on page 1-31.
ipv6 address ipv6-address/prefix-length cluster-pool poolname
DHCP, PPPoE, and IPv6 autoconfiguration are not supported; you must manually configure the IP addresses.
Example:
hostname(config-if)# ip address 192.168.1.1 255.255.255.0 cluster-pool ins
hostname(config-if)# ipv6 address 2001:DB8::1002/32 cluster-pool insipv6
Mode on Each Unit” section on page 1-30.
• For multiple context mode, start this procedure in the system execution space. If you are not already in the System configuration mode, enter the changeto system command.
• For detailed EtherChannel guidelines, limitations, and prerequisites, see the “Configuring an EtherChannel” section on page 1-28.
• See also the “EtherChannel Guidelines” section on page 1-11.
ASAs to the VSS (or vPC) pair are span-cluster balanced. You must configure the vss-id keyword in the channel-group command for each member interface before enabling load balancing (see Step
(IPv4) ip address ip_address [mask]
(IPv6) ipv6 address ipv6-prefix/prefix-length
Sets the IPv4 and/or IPv6 address. DHCP, PPPoE, and IPv6 autoconfig are not supported.
Example:
hostname(config-if)# ip address 10.1.1.1 255.255.255.0
hostname(config-if)# ipv6 address 2001:DB8::1001/32
Prerequisites, page 1-38
• Enabling the Cluster Control Link Interface, page 1-38
• Configuring Basic Bootstrap Settings and Enabling Clustering, page 1-40
• Configuring Advanced Clustering Settings, page 1-42
• Examples, page 1-43
You cannot use a Management x/x interface as the cluster control link, either alone or as an EtherChannel.
• For the ASA 5585-X with an ASA IPS or ASA CX module, you cannot use the module interfaces for the cluster control link.
Step 4
interface interface_id
channel-group channel_id mode on
no shutdown
Repeat for each additional interface you want to add to the EtherChannel.
Example:
hostname(config)# interface tengigabitethernet 0/7
hostname(config-if)# channel-group 1 mode on
hostname(config-if)# no shutdown
priority priority_number
Sets the priority of this unit for master unit elections, between 1 and 100, where 1 is the highest priority. See the “Master Unit Election” section on page 1-3 for more information.
Example:
hostname(cfg-cluster)# priority 1
Cryptochecksum (changed): f16b7fc2 a742727e e40bc0b0 cd169999
INFO: Done
want to remove the unit from the cluster entirely (and thus want to have active data interfaces), see the “Leaving the Cluster” section on page 1-49.
VSS or vPC) you should disable the health check feature. When the topology change is complete, and the configuration change is synced to all units, you can re-enable the health check feature.
1 mode on
no shutdown
cluster group pod1
local-unit unit1
cluster-interface port-channel1 ip 192.168.1.1 255.255.255.0
priority 1
key chuntheunavoidable
enable noconfirm
Configuring Slave Unit Bootstrap Settings
Perform the following procedures to configure the slave units.
0/6
Step 2
no shutdown
Enables the interface. You only need to enable the interface; do not configure a name for the interface, or any other parameters.
Example:
hostname(config-if)# no shutdown
Configure the slave unit bootstrap settings. See the “Configuring Bootstrap Settings and Joining the Cluster” section on page 1-45.
Configuring Bootstrap Settings and Joining the Cluster
Perform the following steps to configure bootstrap settings and join the cluster as a slave unit.
priority priority_number
Sets the priority of this unit for master unit elections, between 1 and 100, where 1 is the highest priority. See the “Master Unit Election” section on page 1-3 for more information.
Example:
hostname(cfg-cluster)# priority 2
192.168.1.2 255.255.255.0
priority 2
key chuntheunavoidable
enable as-slave
Managing ASA Cluster Members
• Becoming an Inactive Member, page 1-48
• Inactivating a Member, page 1-48
When an ASA becomes inactive, all data interfaces are shut down; only the management-only interface can send and receive traffic. To resume traffic flow, re-enable clustering; or you can remove the unit altogether from the cluster. See the “Leaving the Cluster” section on page 1-49. The management
You must use the console port; when you remove the cluster configuration, all interfaces are shut down, including the management interface and cluster control link. Moreover, you cannot enable or disable clustering from a remote CLI connection.
Note, however, that for centralized features, if you force a master unit change using this procedure, then all connections are dropped, and you have to re-establish the connections on the new master unit. See the “Centralized Features” section on page 1-18 for a list of centralized features.
The following sample output for the cluster exec show port-channel summary command shows EtherChannel information for each member in the cluster:
hostname# cluster exec show port-channel summary
primary(LOCAL):***********************************************************
Number of channel-groups in use: 2
Group  Port-channel  Protocol  Span-cluster  Ports
------+-------------+-----------+-----------------------------------------------
                     LACP                    Gi0/0(P)
                     LACP                    Gi0/1(P)
This command is useful for datapath troubleshooting.
Example 1-1 show cluster info
hostname# show cluster info
Cluster stbu: On
    This is "C" in state SLAVE
        Version : 100.8(0.52)
See the “Capturing Packets” section on page 1-2.
Flags: A - awaiting inside ACK to SYN, a - awaiting outside ACK to SYN, B - initial SYN from outside, b - TCP state-bypass or nailed, C - CTIQBE media, c - cluster centralized,
1 mode on
no shutdown
interface tengigabitethernet 0/7
channel-group 1 mode on
no shutdown
interface port-channel 1
description CCL
cluster group cluster1
local-unit asa1
cluster-interface port-channel1 ip 192.168.1.1 255.255.255.0
priority 1
key chuntheunavoidable
enable noconfirm
2 mode active
no shutdown
interface port-channel 2
port-channel span-cluster
nameif inside
ip address 10.10.10.5 255.255.255.0
ipv6 address 2001:DB8:1::5/64
mac-address 000C.F142.4CDE
interface tengigabitethernet 0/9
channel-group 3 mode active
no shutdown
interface port-channel 3
Interface Mode on Each Unit
cluster interface-mode individual force
ASA1 Master Bootstrap Configuration
interface tengigabitethernet 0/6
channel-group 1 mode on
Master Interface Configuration
ip local pool mgmt 10.1.1.2-10.1.1.5
ipv6 local pool mgmtipv6 2001:DB8::1002/64 4
interface management 0/0
channel-group 2 mode active
no shutdown
interface management 0/1
channel-group 2 mode active
no shutdown
VSS/vPC is used. The following diagram shows what happens when the total number of links grows as more units join the cluster:
The principle is to first maximize the number of active ports in the channel, and secondly keep the number of active primary ports and the number of active secondary ports in balance. Note that when a 5th unit joins the cluster, traffic is not balanced evenly between all units.
Link or device failure is handled with the same principle. You may end up with a less-than-perfect load balancing situation. The following figure shows a 4-unit cluster with a single link failure on one of the units. (Figure labels: ASA1, ASA2, ASA3, ASA4)
0/7
channel-group 1 mode on
no shutdown
interface tengigabitethernet 0/8
channel-group 1 mode on
no shutdown
interface tengigabitethernet 0/9
channel-group 1 mode on
no shutdown
interface port-channel 1
description CCL
1
description CCL
cluster group cluster1
local-unit asa3
cluster-interface port-channel1 ip 192.168.1.3 255.255.255.0
priority 3
key chuntheunavoidable
enable as-slave
ASA4 Slave Bootstrap Configuration
interface tengigabitethernet 0/6
channel-group 1 mode on
4 mode active vss-id 1
no shutdown
interface tengigabitethernet 1/9
channel-group 4 mode active vss-id 2
no shutdown
interface port-channel 4
port-channel span-cluster vss-load-balance
nameif outside
ip address 209.165.201.1 255.255.255.224
mac-address 000C.F142.5CDE
(interface), mac-address pool, mtu cluster, port-channel span-cluster, priority (cluster group), prompt cluster-unit, show asp cluster counter, show asp table cluster chash-table, show cluster, show cluster info, show cluster user-identity, show lacp cluster, show running-config cluster.
Chapter 1 Configuring a Cluster of ASAs: Feature History for ASA Clustering
CHAPTER
Information About Failover
This chapter provides an overview of the failover features that enable you to achieve high availability on the Cisco 5500 series ASAs. For information about configuring high availability, see Chapter 1, “Configuring Active/Active Failover”...
The two units in a failover configuration do not need to have identical licenses; the licenses combine to make a failover cluster license. See the “Failover or ASA Cluster Licenses” section on page 1-30 for more information.
The ASA supports Auto-MDI/MDIX on its copper Ethernet ports, so you can either use a crossover cable or a straight-through cable. If you use a straight-through cable, the interface automatically detects the cable and swaps one of the transmit/receive pairs to MDIX.
MDIX. Enable the PortFast option on Cisco switch ports that connect directly to the ASA. If you use a data interface as the Stateful Failover link, you receive the following warning when you...
Subsequently, the failover operation is suspended until the health of the failover link is restored.
(Figure: Primary and Secondary units, outside interfaces on Switch 1, inside interfaces on Switch 2, failover links)
Figure 1-4 Connecting with a Cable (figure: Primary and Secondary units, outside interfaces on Switch 1, inside interfaces, failover links joined by an Ethernet cable)
(Figure: Primary and Secondary units with outside interfaces on Switch 1 and Switch 2, active redundant failover links through Switch 3, standby redundant failover links through Switch 4, and inside interfaces on Switch 5 and Switch 6)
The type of failover you choose depends upon your ASA configuration and how you plan to use the ASAs. If you are running the ASA in single mode, then you can use only Active/Standby failover. Active/Active failover is only available to ASAs running in multiple context mode.
VPN failover subsystem, which is part of Stateful Failover. You must use Stateful Failover to synchronize these elements between the members of the failover pair. Stateless (regular) failover is not recommended for clientless SSL VPN.
The call must be re-established. The following clientless SSL VPN features are not supported with Stateful Failover:
• Smart Tunnels
• Port Forwarding
• Plugins
• Java Applets
Citrix authentication (Citrix users must reauthenticate after failover)
Note
If failover occurs during an active Cisco IP SoftPhone session, the call remains active because the call session state information is replicated to the standby unit. When the call is terminated, the IP SoftPhone client loses connection with the Cisco CallManager.
ASASM redundancy configuration. The trunk between the two switches carries the failover ASASM VLANs (VLANs 10 and 11).
Note
ASASM failover is independent of the switch failover operation; however, ASASM works in any switch failover scenario.
Normal Operation (figure: Internet on VLAN 100; two switches joined by a trunk carrying VLANs 10 & 11; failover links on VLAN 10 and VLAN 11; Active and Standby ASA SMs; VLAN 200; Inside VLAN 201, VLAN 202, and Mktg VLAN 203)
ASASM Failure (figure: Internet on VLAN 100; two switches joined by a trunk carrying VLANs 10 & 11; failover links on VLAN 10 and VLAN 11; the first ASA SM has Failed and the second is Active; VLAN 200; Inside VLAN 201, VLAN 202, and Mktg VLAN 203)
STP blocking mode.
• Trunk mode—Block BPDUs on the ASA on both the inside and outside interfaces:
access-list id ethertype deny bpdu
access-group id in interface inside_name
access-group id in interface outside_name
The primary unit retrieves the appropriate files from the HTTP server using the URL from the Auto Update Server. The primary unit copies the image to the standby unit and then updates the image on itself.
Fover copyfile, seq = 4 type = 1, pseq = 2001, len = 1024
auto-update: Fover copyfile, seq = 4 type = 1, pseq = 2501, len = 1024
auto-update: Fover copyfile, seq = 4 type = 1, pseq = 3001, len = 1024
The ASA monitors each unit for overall health and for interface health. See the following sections for more information about how the ASA performs tests to determine the state of each unit:
• Unit Health Monitoring, page 1-19
• Interface Monitoring, page 1-19
5 seconds. If any packets are received at any time during this interval, the interface is considered operational and testing stops. If an interface has IPv4 and IPv6 addresses configured on it, the ASA uses the IPv4 addresses to perform the health monitoring.
If the failover condition persists, however, the unit will fail again.
Failover Times
Table 1-2 shows the minimum, default, and maximum failover times.
Table 1-2 Cisco ASA 5500 Series ASA Failover Times
Failover Condition   Minimum   Default   Maximum
Active unit loses power or stops normal operation.
SNMP
To receive SNMP syslog traps for failover, configure the SNMP agent to send SNMP traps to SNMP management stations, define a syslog host, and compile the Cisco syslog MIB into your SNMP management station. See Chapter 1, “Configuring SNMP”...
Chapter 1 Information About Failover: Failover Messages
IP addresses and MAC addresses. Because network devices see no change in the MAC to IP address pairing, no ARP entries change or time out anywhere on the network.
The ASA does not send gratuitous ARPs for static NAT addresses when the MAC address changes, so connected routers do not learn of the MAC address change for these addresses.
The following commands are not replicated to the standby ASA:
• All forms of the copy command except for copy running-config startup-config
• All forms of the write command except for write memory
• debug
• failover lan unit
• firewall
• The unit has a hardware failure or a power failure.
• The unit has a software failure.
• Too many monitored interfaces fail.
• You force a failover. (See the “Forcing Failover” section on page 1-16.)
unit above threshold: No action; Mark standby as failed. When the standby unit is marked as failed, then the active unit does not attempt to fail over even if the interface failure threshold is surpassed.
This section includes the guidelines and limitations for this feature.
Context Mode Guidelines
• Supported in single and multiple context mode.
• For multiple context mode, perform all steps in the system execution space unless otherwise noted.
This section describes how to configure Active/Standby failover. This section includes the following topics:
• Task Flow for Configuring Active/Standby Failover, page 1-8
• Configuring the Primary Unit, page 1-8
• Configuring the Secondary Unit, page 1-11
• Configuring Optional Active/Standby Failover Settings, page 1-12
Chapter 1, “Completing Interface Configuration (Transparent Mode).”
• For multiple context mode, complete this procedure in the system execution space. To change from the context to the system execution space, enter the changeto system command.
IP address stays with the secondary unit.
folink 2001:a0a:b00::a0a:b70/64 standby 2001:a0a:b00::a0a:b71
Step 4
interface interface_id
no shutdown
Enables the interface.
Example:
hostname(config)# interface vlan100
hostname(config-if)# no shutdown
If the Stateful Failover link uses the failover link or a data interface, skip this step. You have already enabled the interface.
Example:
hostname(config)# interface vlan100
hostname(config-if)# no shutdown
Enter this command exactly as you entered it on the primary unit when you configured the failover interface on the primary unit (including the same IP address).
hostname(config)# failover interface ip folink 2001:a0a:b00::a0a:b70/64 standby 2001:a0a:b00::a0a:b71
You can configure the optional Active/Standby failover settings when initially configuring the primary unit in a failover pair (see Configuring the Primary Unit, page 1-8) or on the active unit in the failover pair after the initial configuration.
To enable or disable health monitoring for specific interfaces on units in single configuration mode, enter one of the following commands. Alternately, for units in multiple configuration mode, you must enter the commands within each security context. Do one of the following:
Decreasing the poll and hold times enables the ASA to detect and respond to interface failures more quickly but may consume more system resources. Increasing the poll and hold times prevents the ASA from failing over on networks with higher latency.
You cannot configure a virtual MAC address for the failover or Stateful Failover links. The MAC and IP addresses for those links do not change during failover. To configure the virtual MAC addresses for an interface, enter the following command on the active unit:
no failover active
Forces a failover when entered on the active unit in a failover pair. The active unit becomes the standby unit.
Example:
hostname# no failover active
Disabling Failover
To disable failover, enter the following command:
ASA considers its status to be OK, although it is not receiving hello packets from the peer. To simulate interface holdtime, shut down the VLAN on the switch to prevent peers from receiving hello packets from each other.
show monitor-interface
Displays information about the monitored interface.
show running-config failover
Displays the failover commands in the running configuration.
For more information about the output of the monitoring commands, refer to the Cisco ASA 5500 Series Command Reference.
Feature History for Active/Standby Failover
Table 1-2 lists the release history for this feature.
You can create a maximum of two failover groups. The admin context is always a member of failover group 1. Any unassigned security contexts are also members of failover group 1 by default.
Page 378
When a unit boots while the peer unit is active (with both failover groups in the active state), the failover groups remain in the active state on the active unit regardless of the primary or secondary preference of the failover group until one of the following occurs: – A failover occurs. Cisco ASA Series CLI Configuration Guide...
Page 379
Commands entered in the system execution space are replicated from the unit on which failover group 1 is in the active state to the unit on which failover group 1 is in the standby state. Cisco ASA Series CLI Configuration Guide...
Page 380
The command is replicated to the peer unit and cause the configuration to be saved to flash memory on the peer unit. Failover Triggers In Active/Active failover, failover can be triggered at the unit level if one of the following events occurs: • The unit has a hardware failure. Cisco ASA Series CLI Configuration Guide...
Page 381
Formerly active failover group No failover No action No action Unless failover group preemption is recovers configured, the failover groups remain active on their current unit. Cisco ASA Series CLI Configuration Guide...
Page 382
Each unit marks the failover interface as failed. You should restore the failover link as soon as possible because the unit cannot fail over to the standby unit while the failover link is down. Cisco ASA Series CLI Configuration Guide...
Page 383
Version 7.0(1) to Version 7.9(2) and have failover remain active. We recommend upgrading both units to the same version to ensure long-term compatibility. • The same software configuration. • The same mode (multiple context mode). • The proper license. Cisco ASA Series CLI Configuration Guide...
Page 384
IPv6 Guidelines IPv6 failover is supported. Model Guidelines Active/Active failover is not available on the Cisco ASA 5505. Additional Guidelines and Limitations No two interfaces in the same context should be configured in the same ASR group. Configuring port security on the switch(es) connected to an ASA failover pair can cause communication problems when a failover event occurs.
Configuration (Routed Mode),” Chapter 1, “Completing Interface Configuration (Transparent Mode).”
• Complete this procedure in the system execution space. To change from the context to the system execution space, enter the changeto system command.

Ethernet1, or a previously created subinterface, such as Ethernet0/2.3. On the ASASM, the phy_if specifies a VLAN. This interface should not be used for any other purpose (except, optionally, the failover link).

join-failover-group {1 | 2}
Any unassigned contexts are automatically assigned to failover group 1. The admin context is always a member of failover group 1.
Example:
hostname(config)# context Eng
hostname(config-context)# join-failover-group 1
hostname(config-context)# exit

IP address stays with the secondary unit.
Example:
hostname(config)# failover interface ip folink 2001:a0a:b00::a0a:b70/64 standby 2001:a0a:b00::a0a:b71
Step 3
interface phy_if
no shutdown
Enables the interface.
Example:
hostname(config-if)# interface GigabitEthernet0/3

When the other unit comes online, any failover groups that have the unit as a priority do not become active on that unit unless manually forced over, unless a

100 seconds after the units become available.
hostname(config)# failover group 1
hostname(config-fover-group)# primary
hostname(config-fover-group)# preempt 100
hostname(config-fover-group)# exit
hostname(config)# failover group 2
hostname(config-fover-group)# secondary
hostname(config-fover-group)# preempt 100
hostname(config-fover-group)# mac-address e1 0000.a000.a011 0000.a000.a012
hostname(config-fover-group)# exit
hostname(config)#

• Normal—The interface is receiving traffic.
• Testing—Hello messages are not heard on the interface for five poll times.
• Link Down—The interface or VLAN is administratively down.
• No Link—The physical link for the interface is down.
Valid values for the hold time are from 5 to 75 seconds. You cannot enter a hold time that is less than 5 times the poll time.

Active/Active failover uses virtual MAC addresses on all interfaces. If you do not specify the virtual MAC addresses, then they are computed as follows:
• Active unit default MAC address: 00a0.c9physical_port_number.failover_group_id01
• Standby unit default MAC address: 00a0.c9physical_port_number.failover_group_id02

The following partial example shows a possible configuration for a failover group:
hostname(config)# failover group 1
hostname(config-fover-group)# primary
hostname(config-fover-group)# preempt 100
hostname(config-fover-group)# exit
hostname(config)# failover group 2
hostname(config-fover-group)# secondary
hostname(config-fover-group)# preempt 100
hostname(config-fover-group)# mac address gigabitethernet1/0 0000.a000.a011 0000.a000.a012
hostname(config-fover-group)# exit
hostname(config)#

You must enter the command on the unit where the context is in the active state so that the command is replicated to the standby failover group. For more information about command replication, see the “Command Replication” section on page 1-3.
hostname/ctx(config)# interface phy_if
hostname/ctx(config-if)# asr-group num

SecAppA in the diagram is the primary unit in the failover pair.
Example 1-1 Primary Unit System Configuration
hostname primary
interface GigabitEthernet0/1
description LAN/STATE Failover Interface
interface GigabitEthernet0/2
no shutdown
interface GigabitEthernet0/3
no shutdown
interface GigabitEthernet0/4
no shutdown
interface GigabitEthernet0/5
no shutdown
failover

Normally the return traffic would be dropped because there is no session information for the traffic on interface 192.168.2.2. However, the interface is configured with the command asr-group 1. The unit looks for the session on any other interface configured with the same ASR group ID.

Commands that cause a command mode change do not change the prompt for the current session. You must use the show failover exec command to display the command mode the command is executed in. See the “Changing Command Modes” section on page 1-23 for more information.

Active unit
Failover EXEC is at interface sub-command mode
hostname(config)# sh failover exec standby
Standby unit
Failover EXEC is at config mode
hostname(config)# sh failover exec mate
Active unit
Failover EXEC is at interface sub-command mode
• Restoring a Failed Unit or Failover Group, page 1-25

Forcing Failover
Enter the following command in the system execution space of the unit where the failover group is in the standby state:

Step 3 Use FTP to send another file between the same two hosts.
Step 4 If the test was not successful, enter the show failover command to check the failover status.

show running-config failover
Displays the failover commands in the running configuration.
For more information about the output of the monitoring commands, see the Cisco ASA 5500 Series Command Reference.

Feature History for Active/Active Failover
Table 1-3 lists the release history for this feature.

• Monitoring Interfaces, page 1-34
• Configuration Examples for ASA 5510 and Higher Interfaces, page 1-34
• Where to Go Next, page 1-35
• Feature History for ASA 5510 and Higher Interfaces, page 1-36

Management 0/0 Interface on the ASA 5512-X through ASA 5555-X, page 1-4

Management Interface Overview
You can manage the ASA by connecting to:
• Any through-traffic interface
• A dedicated Management Slot/Port interface (if available for your model)

Management 0/0 interface as the ASA.

Using Any Interface for Management-Only Traffic
You can use any interface as a dedicated management-only interface by configuring it for management traffic, including an EtherChannel interface (see the management-only command).

(by default Cisco Catalyst switches share a MAC address for all VLAN switch ports). Otherwise, if traffic arrives on the management interface from the physically-connected switch, then the ASA updates the MAC address table to use the management interface to access the switch, instead of the data interface.

TCP and UDP port numbers and VLAN numbers.

Connecting to an EtherChannel on Another Device
The device to which you connect the ASA EtherChannel must also support 802.3ad EtherChannels; for example, you can connect to the Catalyst 6500 switch.

(Figure labels: Primary Firewall, Secondary Firewall)

Link Aggregation Control Protocol
The Link Aggregation Control Protocol (LACP) aggregates interfaces by exchanging the Link Aggregation Control Protocol Data Units (LACPDUs) between two network devices.

If an active interface goes down and is not replaced by a standby interface, then traffic is rebalanced between the remaining links. The failure is masked from both Spanning Tree at Layer 2 and the routing table at Layer 3, so the switchover is transparent to other network devices.
VLANs: Base License: 150. Interfaces of all types: Base License: 764.
ASA 5540: VLANs: Base License: 200. Interfaces of all types: Base License: 964.
ASA 5550: VLANs: Base License: 400. Interfaces of all types: Base License: 1764.

Interfaces of all types: Base and Security Plus License: 4612.
1. For an interface to count against the VLAN limit, you must assign a VLAN to it. For example:
interface gigabitethernet 0/0.100
vlan 100

• Although you can configure the failover and failover state links on a port channel link, this port channel cannot be shared with other firewall traffic.

The ASA does not support LACPDUs that are VLAN-tagged. If you enable native VLAN tagging on the neighboring switch using the Cisco IOS vlan dot1Q tag native command, then the ASA will drop the tagged LACPDUs. Be sure to disable native VLAN tagging on the neighboring switch. In multiple context mode, these messages are not included in a packet capture, so you cannot diagnose the issue effectively.

RJ-45 and fiber SFP. RJ-45 is the default. You can configure the ASA to use the fiber SFP connectors.

Default MAC Addresses
By default, the physical interface uses the burned-in MAC address, and all subinterfaces of a physical interface use the same burned-in MAC address.

(Multiple context mode only) To complete the configuration of interfaces in the system execution space, perform the following tasks that are documented in Chapter 1, “Configuring Multiple Context Mode”:
• To assign interfaces to contexts, see the “Configuring a Security Context” section on page 1-20.

Copy the running configuration by entering the more system:running-config command and copying the display output to a text editor. Be sure to save an extra copy of the old configuration in case you make an error when you edit it.

interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif mgmt

Step 7 Enable each formerly unused interface that is now part of a logical interface by adding no in front of the shutdown command. For example, your final EtherChannel configuration is:

interface port-channel 1
nameif outside
security-level 0
ip address 10.86.194.225 255.255.255.0
interface port-channel 2
nameif inside
security-level 100
ip address 192.168.1.3 255.255.255.0
interface port-channel 3
nameif mgmt
security-level 100
ip address 10.1.1.5 255.255.255.0
• Clearing the running system configuration and immediately applying a new configuration will minimize the downtime of your interfaces. You will not be waiting to configure the interfaces in real time.

security-level 0
ip address 10.86.194.225 255.255.255.0
interface int2
nameif inside
security-level 100
ip address 192.168.1.3 255.255.255.0
no shutdown
interface mgmt
nameif mgmt
security-level 100
ip address 10.1.1.5 255.255.255.0
management-only

interface GigabitEthernet0/3
channel-group 1 mode active
no shutdown
interface GigabitEthernet0/4
channel-group 2 mode active
no shutdown
interface GigabitEthernet0/5
channel-group 2 mode active
no shutdown
interface Management0/0
channel-group 3 mode active
no shutdown

Enable pause frames for flow control

Prerequisites
For multiple context mode, complete this procedure in the system execution space. To change from the context to the system execution space, enter the changeto system command.

duplex {auto | full | half}
Sets the duplex for copper interfaces. The auto setting is the default.
Note The duplex setting for an EtherChannel interface must be Full or Auto.
Example:
hostname(config-if)# duplex full

1-31.
Required Tasks:
• For multiple context mode, assign interfaces to contexts and automatically assign unique MAC addresses to context interfaces. See the “Configuring Multiple Contexts” section on page 1-15.

Caution If you are using a physical interface already in your configuration, removing the name will clear any configuration that refers to the interface.

See the “Configuring Multiple Contexts” section on page 1-15.
• For single context mode, complete the interface configuration. See Chapter 1, “Completing Interface Configuration (Routed Mode),” or Chapter 1, “Completing Interface Configuration (Transparent Mode).”

All interfaces in the channel group must be the same type, speed, and duplex. Half duplex is not supported.
• You cannot add a physical interface to the channel group if you configured a name for it. You must first remove the name using the no nameif command.

want to add to the channel group.
Each interface in the channel group must be the same type and speed. Half duplex is not supported. If you add an interface that does not match, it will be placed in a suspended state.

1 and 8. The default is 1. If the number of active interfaces in the channel group falls below this value, then the port-channel interface goes down, and could trigger a device-level failover.
Example:
hostname(config-if)# port-channel min-bundle 2
ASAs. This feature is particularly useful in multiple context mode so that you can assign unique interfaces to each context.

VLAN ID, you do not need to remove the old VLAN ID with the no option; you can enter the vlan command with a different VLAN ID, and the ASA changes the old ID.

The following example enables jumbo frame reservation, saves the configuration, and reloads the ASA:
hostname(config)# jumbo-frame reservation
WARNING: this command will take effect after the running-config is saved and the system has been rebooted.
Command accepted.
hostname(config)# write memory
Building configuration...

• Multiple Context Mode Example, page 1-35
• EtherChannel Example, page 1-35

Physical Interface Parameters Example
The following example configures parameters for the physical interface in single mode:
interface gigabitethernet 0/1
speed 1000
duplex full
no shutdown

Assign interfaces to contexts and automatically assign unique MAC addresses to context interfaces. See Chapter 1, “Configuring Multiple Context Mode.” Complete the interface configuration according to Chapter 1, “Completing Interface Configuration (Routed Mode),” or Chapter 1, “Completing Interface Configuration (Transparent Mode).”

Jumbo packet support for the ASA 5580 (8.1(1)): The Cisco ASA 5580 supports jumbo frames. A jumbo frame is an Ethernet packet larger than the standard maximum of 1518 bytes (including Layer 2 header and FCS), up to 9216 bytes.

We introduced the following commands: channel-group, lacp port-priority, interface port-channel, lacp max-bundle, port-channel min-bundle, port-channel load-balance, lacp system-priority, clear lacp counters, show lacp, show port-channel.
Note EtherChannel is not supported on the ASA 5505.

Chapter 1 Starting Interface Configuration (ASA 5510 and Higher)
Feature History for ASA 5510 and Higher Interfaces

• Maximum Active VLAN Interfaces for Your License, page 1-2
• VLAN MAC Addresses, page 1-4
• Power over Ethernet, page 1-4
• Monitoring Traffic Using SPAN, page 1-4
• Auto-MDI/MDIX Feature, page 1-4

• Base license—2 active VLANs in 1 bridge group.
• Security Plus license—3 active VLANs: 2 active VLANs in 1 bridge group, and 1 active VLAN for the failover link.
Note An active VLAN is a VLAN with a nameif command configured.

The ASA 5505 supports Active/Standby failover, but not Stateful Failover. See Figure 1-2 for an example network.
Figure 1-2 ASA 5505 with Security Plus License (figure labels: Backup ISP, Primary ISP, ASA 5505 Failover with Security Plus License, Failover Link, Inside)

Enabling Switch Ports as Access Ports” section on page 1-7 for more information about shutting down a switch port. To view the status of PoE switch ports, including the type of device connected (Cisco or IEEE 802.3af), use the show power inline command.

Monitoring Traffic Using SPAN
If you want to monitor traffic that enters or exits one or more switch ports, you can enable SPAN, also known as switch port monitoring.
This section lists default settings for interfaces if you do not have a factory default configuration. For information about the factory default configurations, see the “Factory Default Configurations” section on page 1-18.

Default State of Interfaces
Interfaces have the following default states:

This section describes how to configure VLAN interfaces. For more information about ASA 5505 interfaces, see the “Information About ASA 5505 Interfaces” section on page 1-1.

Guidelines
We suggest that you finalize your interface configuration before you enable Easy VPN.

“ASA 5505 Default Configuration” section on page 1-19 to check if you want to change the default interface settings according to this procedure. For more information about ASA 5505 interfaces, see the “Information About ASA 5505 Interfaces” section on page 1-1.

duplex {auto | full | half}
PoE ports Ethernet 0/6 or 0/7, then Cisco IP phones and Cisco wireless access points that do not support IEEE 802.3af will not be detected and supplied with power.
Example:

You can include the native VLAN in this command, but it is not required; the native VLAN is passed whether it is included in this command or not.
hostname(config-if)# security-level 50
hostname(config-if)# ip address 10.1.2.1 255.255.255.0
hostname(config-if)# no shutdown
hostname(config-if)# failover lan faillink vlan500
hostname(config)# failover interface ip faillink 10.4.1.1 255.255.255.0 standby 10.4.1.2 255.255.255.0
hostname(config)# interface ethernet 0/0
hostname(config-if)# switchport access vlan 100

Easy VPN configuration.
Native VLAN support for the ASA 5505 (7.2(4)/8.0(4)): You can now include the native VLAN in an ASA 5505 trunk port. We introduced the following command: switchport trunk native vlan.

Chapter 1 Starting Interface Configuration (ASA 5505)
Feature History for ASA 5505 Interfaces

Internet can be level 0. Other networks, such as DMZs, can be in between. You can assign interfaces to the same security level. See the “Allowing Same Security Level Communication”

IPv4 configuration commands and IPv6 configuration commands as you normally would. Make sure you configure a default route for both IPv4 and IPv6.

Licensing Requirements for Completing Interface Configuration in Routed Mode
Active/Standby Failover” section on page 1-7 or the “Configuring Active/Active Failover” section on page 1-9 to configure the failover and state links. In multiple context mode, failover interfaces are configured in the system configuration.

IPv6 Guidelines
Supports IPv6.

• Task Flow for Completing Interface Configuration, page 1-7
• Configuring General Interface Parameters, page 1-7
• Configuring the MAC Address and MTU, page 1-10
• Configuring IPv6 Addressing, page 1-12
• Allowing Same Security Level Communication, page 1-16

Stateful Failover communications. See the “Configuring Active/Standby Failover” section on page 1-7 or the “Configuring Active/Active Failover” section on page 1-9 to configure the failover and state links.

Restrictions
• PPPoE is not supported in multiple context mode.

Do not enter the no form, because that command causes all commands that refer to that name to be deleted.
Example:
hostname(config-if)# nameif inside
Step 3 Do one of the following:

hostname(config-if)# security-level 100
hostname(config-if)# ip address 10.1.1.1 255.255.255.0
The following example configures parameters in multiple context mode for the context configuration. The interface ID is a mapped name.
hostname/contextA(config)# interface int1

MAC address.

Information About the MTU
The MTU is the maximum datagram size that is sent on a connection. Data that is larger than the MTU value is fragmented before being sent.

“Configuring Multiple Contexts” section on page 1-15.
• In multiple context mode, complete this procedure in the context execution space. To change from the system to a context configuration, enter the changeto context name command.

(Optional) Configure IPv6 addressing. See the “Configuring IPv6 Addressing” section on page 1-12.

Configuring IPv6 Addressing
This section describes how to configure IPv6 addressing. For more information about IPv6, see the “IPv6 Addresses” section on page 1-5.

Packets received from hosts behind a router will fail the address format verification, and be dropped, because their source MAC address will be the router MAC address and not the host MAC address.

Configuring a Global IPv6 Address
To configure a global IPv6 address, perform the following steps.

Append the subinterface ID to the physical or redundant interface ID separated by a period (.). In multiple context mode, enter the mapped_name if one was assigned using the allocate-interface command.
Example:
hostname(config)# interface gigabitethernet 0/0
Step 2 Do one of the following:
See the “Modified EUI-64 Interface IDs” section on page 1-13 for more information.

Configuring IPv6 Neighbor Discovery
See Chapter 1, “Configuring IPv6 Neighbor Discovery,” to configure IPv6 neighbor discovery.

ASA MAC address instead of being sent directly through the switch to the destination host. Figure 1-1 shows a network where hosts on the same interface need to communicate.

(Figure 1-1 labels: 10.6.36.0, 10.6.35.0, Host, Host, SVI Vlan20, 10.6.34.0)
The following sample configuration shows the Cisco IOS route-map commands used to enable policy routing in the network shown in Figure 1-1:
route-map intra-inter3 permit 0
 match ip address 103
 set interface Vlan20
 set ip next-hop 10.6.34.7

• ASA 5505 Example, page 1-18

ASA 5505 Example
The following example configures three VLAN interfaces for the Base license. The third home interface cannot forward traffic to the business interface.
hostname(config)# interface vlan 100

VLAN limits were also increased for the ASA 5510 (from 10 to 50 for the Base license, and from 25 to 100 for the Security Plus license), the ASA 5520 (from 100 to 150), and the ASA 5550 (from 200 to 250).

Jumbo packet support for the ASA 5580 (8.1(1)): The Cisco ASA 5580 supports jumbo frames. A jumbo frame is an Ethernet packet larger than the standard maximum of 1518 bytes (including Layer 2 header and FCS), up to 9216 bytes. You can enable support for jumbo frames for all interfaces by increasing the amount of memory to process Ethernet frames.

Information About Completing Interface Configuration in Transparent Mode
This section includes the following topics:
• Bridge Groups in Transparent Mode, page 1-2
• Security Levels, page 1-2

If you enable communication for same security interfaces, you can configure established commands for both directions.

Interfaces of all types: Base License: 364; Security Plus License: 564.
ASA 5520: VLANs: Base License: 150. Interfaces of all types: Base License: 764.
ASA 5540: VLANs: Base License: 200. Interfaces of all types: Base License: 964.

VLANs: Base License: 100. Interfaces of all types: Base License: 916.
ASA 5525-X: VLANs: Base License: 200. Interfaces of all types: Base License: 1316.
ASA 5545-X: VLANs: Base License: 300. Interfaces of all types: Base License: 1716.

“Configuring the Switch for Use with the ASA Services Module.” The ASA 5505 does not support multiple context mode.
• You can only configure context interfaces that you already assigned to the context in the system configuration using the allocate-interface command.

In multiple context mode, failover interfaces are configured in the system configuration.

IPv6 Guidelines
• Supports IPv6.
• No support for IPv6 anycast addresses in transparent mode.

• Configuring a Management Interface (ASA 5510 and Higher), page 1-12
• Configuring the MAC Address and MTU, page 1-13
• Configuring IPv6 Addressing, page 1-16
• Allowing Same Security Level Communication, page 1-18

Note For a separate management interface (for supported models), a non-configurable bridge group (ID 101) is automatically added to your configuration. This bridge group is not included in the bridge group limit.

Higher)” section on page 1-12. For the ASA 5510 and higher, you must configure interface parameters for the following interface types:
• Physical interfaces
• VLAN subinterfaces
• Redundant interfaces
• EtherChannel interfaces
(Optional) Configure the MAC address and the MTU. See the “Configuring the MAC Address and MTU” section on page 1-13.
• (Optional) Configure IPv6 addressing. See the “Configuring IPv6 Addressing” section on page 1-16.

You can change the name by reentering this command with a new value. Do not enter the no form, because that command causes all commands that refer to that name to be deleted.
Example:
hostname(config-if)# nameif management

MAC address of the interface that is now listed first. If you assign a MAC address to the redundant interface using this command, then it is used regardless of the member interface MAC addresses.

– ASA 5510 and higher—Chapter 1, “Starting Interface Configuration (ASA 5510 and Higher).”
– ASA 5505—Chapter 1, “Starting Interface Configuration (ASA 5505).”
– ASASM—Chapter 1, “Configuring the Switch for Use with the ASA Services Module.”

1500, then you need to enable jumbo frame support. See the “Enabling Jumbo Frame Support (Supported Models)” section on page 1-33.

What to Do Next
(Optional) Configure IPv6 addressing. See the “Configuring IPv6 Addressing” section on page 1-16.

MAC addresses to ensure that the interface identifiers use the Modified EUI-64 format. If the IPv6 packets do not use the Modified EUI-64 format for the interface identifier, the packets are dropped and the following system log message is generated:
Page 493
“Configuring Multiple Contexts” section on page 1-15. • In multiple context mode, complete this procedure in the context execution space. To change from the system to a context configuration, enter the changeto context name command. Cisco ASA Series CLI Configuration Guide 1-17...
Page 494
Allowing interfaces on the same security level to communicate with each other is useful if you want traffic to flow freely between all same security interfaces without access lists. If you enable same security interface communication, you can still configure interfaces at different security levels as usual. Cisco ASA Series CLI Configuration Guide 1-18...
Monitoring Interfaces
To monitor interfaces, enter one of the following commands:
Command / Purpose
show interface: Displays interface statistics.
show interface ip brief: Displays interface IP addresses and status.
show bridge-group: Shows bridge group information.
1/2
nameif dmz2
security-level 50
bridge-group 2
no shutdown
interface bvi 2
ip address 10.3.5.8 255.255.255.0 standby 10.3.5.9
interface management 0/0
nameif mgmt
security-level 100
ip address 10.2.1.1 255.255.255.0 standby 10.2.1.2
no shutdown
Native VLAN support for the ASA 5505 (release 7.2(4)/8.0(4)): You can now include the native VLAN in an ASA 5505 trunk port. We introduced the following command: switchport trunk native vlan.
Feature Information
Jumbo packet support for the ASA 5580 (release 8.1(1)): The Cisco ASA 5580 supports jumbo frames. A jumbo frame is an Ethernet packet larger than the standard maximum of 1518 bytes (including Layer 2 header and FCS), up to 9216 bytes. You can enable support for jumbo frames for all interfaces by increasing the amount of memory to process Ethernet frames.
Setting the Login Password, page 1-2
• Changing the Enable Password, page 1-2
• Setting the Hostname, page 1-3
• Setting the Domain Name, page 1-3
• Feature History for the Hostname, Domain Name, and Passwords, page 1-4
To set the login password, enter the following command:
Command: {passwd | password} password [encrypted]
Purpose: Sets the login password. 9.0(1): The default password is “cisco.” 9.0(2) and later: There is no default password. You can enter passwd or password. The password is a case-sensitive password of up to 16 alphanumeric and special characters.
“jupiter.example.com.” The default domain name is default.domain.invalid. For multiple context mode, you can set the domain name for each context, as well as within the system execution space.
Telnet user authentication (the aaa authentication telnet console command). Formerly, when you cleared the password, the ASA restored the default of “cisco.” Now when you clear the password, the password is removed. The login password is also used for Telnet sessions from the switch to the ASASM (see the session command).
The hh:mm value sets the hour and minutes in 24-hour time. The offset value sets the number of minutes to change the time for daylight savings time. By default, the value is 60 minutes.
2 over a server of stratum 3 that is preferred. You can identify multiple servers; the ASA uses the most accurate server.
Note: In multiple context mode, set the time in the system configuration only.
The master passphrase allows you to securely store plain text passwords in encrypted format and provides a key that is used to universally encrypt or mask all passwords, without changing any functionality. Features that use the master passphrase include the following:
• OSPF
Adding or Changing the Master Passphrase
This procedure will only be accepted in a secure session, for example by console, SSH, or ASDM via HTTPS. To add or change the master passphrase, perform the following steps:
Alternatively, use the write memory all command in the system context to save all configurations.
You must know the current master passphrase to disable it. If you do not know the passphrase, see the “Recovering the Master Passphrase” section on page 1-11. This procedure will only be accepted in a secure session, that is, by Telnet, SSH, or ASDM via HTTPS.
Step 1: write erase. Removes the master key and the configuration that includes the encrypted passwords.
Example: hostname(config)# write erase
Step 2: reload. Reloads the ASA with the startup configuration, without any master key or encrypted passwords.
Example: hostname(config)# reload
Detailed Steps
Step 1: dns domain-lookup interface_name. Enables the ASA to send DNS requests to a DNS server to perform a name lookup for supported commands.
Example: hostname(config)# dns domain-lookup inside
Do you wish to change this configuration? y/n [n]: y
Step 6: Record the current configuration register value, so you can restore it later.
Step 7: At the prompt, enter Y to change the value.
To disable password recovery to ensure that unauthorized users cannot use the password recovery mechanism to compromise the ASA, enter the following command:
Command: no service password-recovery
Purpose: Disables password recovery.
Example: hostname (config)# no service password-recovery
To monitor the DNS cache, enter the following command:
Command: show dns-hosts
Purpose: Shows the DNS cache, which includes dynamically learned entries from a DNS server as well as names and IP addresses entered manually using the name command.
• The DHCPv6 relay service and server listen for messages on UDP port 547. The ASA DHCPv6 relay agent listens on both UDP port 547 and the All_DHCP_Relay_Agents_and_Servers multicast address.
209.165.200.1, the server sends that pool in the offer message to the ASA. Use the following guidelines to configure the DHCP relay service:
• DHCP clients must be directly connected to the ASA and cannot send requests through another relay agent or a router.
This section describes how to configure a DHCP server provided by the ASA and includes the following topics:
• Enabling the DHCP Server, page 1-4
• Configuring DHCP Options, page 1-5
• Using Cisco IP Phones with a DHCP Server, page 1-6
The management interface does not route traffic.
10.10.1.1
Step 8: dhcpd enable interface_name. Enables the DHCP daemon within the ASA to listen for DHCP client requests on the enabled interface.
Example: hostname(config)# dhcpd enable outside
2 ascii examplestring
Options that Return a Hexadecimal Value
Command: dhcpd option code hex value
Purpose: Configures a DHCP option that returns a hexadecimal value.
Example: hostname(config)# dhcpd option 2 hex 22.0011.01.FF1111.00FF.0000.AAAA.1111.1111.1111.11
Using Cisco IP Phones with a DHCP Server Cisco IP phones download their configuration from a TFTP server. When a Cisco IP phone starts, if it does not have both the IP address and TFTP server IP address preconfigured, it sends a request with option 150 or 66 to the DHCP server to obtain this information.
150 ip 10.10.1.1
To send information to use for option 3, enter the following command:
Command: dhcpd option 3 ip router_ip1
Purpose: Sets the default route.
Example: hostname(config)# dhcpd option 3 ip 10.10.1.1
This action allows the client to set its default route to point to the ASA even if the DHCP server specifies a different router.
hostname(config)# dhcprelay setroute inside
If there is no default router option in the packet, the ASA adds one containing the interface address.
Additional References
For additional information related to implementing DHCPv6, see the following section:
• RFCs, page 1-9
RFCs
2132: DHCP Options and BOOTP Vendor Extensions
2462: IPv6 Stateless Address Autoconfiguration
5510: DHCP for IPv6
• The dynamic value specified in the OPT RR field: message-length maximum client auto
If the three commands are present at the same time, the ASA enforces the minimum of the three specified values.
The two most common DDNS update configurations are the following:
• The DHCP client updates the A RR, while the DHCP server updates the PTR RR.
• The DHCP server updates both the A RR and PTR RR.
The following example shows how to configure the DHCP client to request that it update both the A and PTR RRs, and the DHCP server to honor these requests. To configure this scenario, perform the following steps:
Step 4: To configure the DHCP server to override the client update requests, enter the following command:
hostname(if-config)# dhcpd update dns both override
Ethernet0
hostname(config-if)# dhcp client update dns
hostname(config-if)# ddns update ddns-2
hostname(config-if)# ddns update hostname asa
Step 3: To configure the DHCP server, enter the following commands:
hostname(config-if)# dhcpd update dns
hostname(config-if)# dhcpd domain example.com
Feature Name / Releases / Feature Information
DDNS (release 7.0(1)): We introduced this feature. We introduced the following commands: ddns, ddns update, dhcp client update dns, dhcpd update dns, show running-config ddns, and show running-config dns server-group.
PART: Configuring Objects and Access Lists
IP address.
Licensing Requirements for Objects
Model: All models. License Requirement: Base License.
Guidelines and Limitations
Context Mode Guidelines
Supported in single and multiple context mode.
A network object can contain a host, a network IP address, a range of IP addresses, or a fully qualified domain name (FQDN). You can also enable NAT rules on the object (excepting FQDN objects). (See Chapter 1, “Configuring Network Object NAT,” for more information.)
Network object groups can contain multiple network objects as well as inline networks. Network object groups can support a mix of both IPv4 and IPv6 addresses.
Restrictions
You cannot use a mixed IPv4 and IPv6 object group for NAT, or object groups that include FQDN objects.
(config-protocol)# network-object host 10.2.2.78
hostname (config-protocol)# network-object host 10.2.2.34
Create network object groups for privileged users from various departments by entering the following commands:
hostname (config)# object-group network eng
hostname (config-network)# network-object host 10.1.1.5
• Configuring an ICMP Group, page 1-10
Configuring a Service Object
The service object can contain a protocol, ICMP, ICMPv6, TCP or UDP port or port ranges.
(config-service-object)# service tcp source eq www destination eq ssh
Configuring a Service Group
A service object group includes a mix of protocols, if desired, including optional source and destination ports for TCP or UDP.
The optional icmp_code specifies an ICMP code, between 1 and 255.
Example: hostname(config-service)# port-object eq domain
Command: service-object object name
Purpose: Specifies a service object name, created with the object service command.
Example: hostname(config-service)# port-object eq domain
EIGRP
hostname(config-service-object-group)# service-object object HTTPS
Configuring a TCP or UDP Port Service Group
A TCP or UDP service group includes a group of ports for a specific protocol (TCP, UDP, or TCP-UDP).
(config)# object-group service services2 udp
hostname (config-service)# description RADIUS Group
hostname (config-service)# port-object eq radius
hostname (config-service)# port-object eq radius-acct
hostname (config)# object-group service services3 tcp
hostname (config-service)# description LDAP Group
hostname (config-service)# port-object eq ldap
Create an ICMP type group that includes echo-reply and echo (for controlling ping) by entering the following commands:
hostname (config)# object-group icmp-type ping
hostname (config-service)# description Ping Group
hostname (config-service)# icmp-object echo
hostname (config-service)# icmp-object echo-reply
You can create local user groups for use in features that support the identity firewall (IDFW) by including the group in an extended ACL, which in turn can be used in an access rule, for example.
Example: hostname(config-network)# group-object Engineering_groups
Step 3: description text. (Optional) Adds a description. The description can be up to 200 characters.
Example: hostname(config-protocol)# description New Group
Configuring Security Group Object Groups You can create security group object groups for use in features that support Cisco TrustSec by including the group in an extended ACL, which in turn can be used in an access rule, for example.
As an optimization, the ASA searches on the deobfuscated URL. Deobfuscation compresses multiple forward slashes (/) into a single slash. For strings that commonly use double slashes, like “http://”, be sure to search for “http:/” instead.
[abc-] or [-abc].
“” (quotation marks): Preserves trailing or leading spaces in the string. For example, “ test” preserves the leading space when it looks for a match.
Caret: Specifies the beginning of a line.
Where the name argument can be up to 40 characters in length. The regular_expression argument can be up to 100 characters in length.
Examples
The following example creates two regular expressions for use in an inspection policy map:
Traffic matches the class map if it includes the string “example.com” or “example2.com.”
hostname(config)# regex url_example example\.com
hostname(config)# regex url_example2 example2\.com
hostname(config)# class-map type regex match-any URLs
hostname(config-cmap)# match regex url_example
hostname(config-cmap)# match regex url_example2
The following is an example of an absolute time range beginning at 8:00 a.m. on January 1, 2006. Because no end time and date are specified, the time range is in effect indefinitely.
User Object Groups for Identity Firewall (release 8.4(2)): User object groups for identity firewall were introduced. We introduced the following commands: object-network user, user.
Extended ACL and object enhancement to filter ICMP traffic by ICMP code (release 9.0(1)): ICMP traffic can now be permitted/denied based on ICMP code. We introduced or modified the following commands: access-list extended, service-object, service.
CHAPTER
Information About Access Lists
Cisco ASAs provide basic traffic filtering capabilities with access lists, which control access in your network by preventing certain traffic from entering or exiting. This chapter describes access lists and shows how to add them to your network configuration.
ACE in the order in which the entries are listed. After a match is found, no more ACEs are checked. For example, if you create an ACE at the beginning of an access list that explicitly permits all traffic, no further statements are checked, and the packet is forwarded.
Chapter 1, “Adding an Extended Access Control List”
• Chapter 1, “Adding an EtherType Access List”
• Chapter 1, “Adding a Standard Access Control List”
• Chapter 1, “Adding a Webtype Access Control List”
• Chapter 1, “Configuring Access Rules”
After a match is found, no more ACEs are checked. For example, if you create an ACE at the beginning of an ACL that explicitly permits all traffic, no further statements are ever checked. You can disable an ACE by making it inactive.
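The first-match rule just described, as an added example written for this page (not the guide's own code or the ASA's): a small Python model that walks an ACL in order, skips ACEs marked inactive, and applies the implicit deny when nothing matches. The ACL_IN entries follow the ACL_IN example on this page; the object-group members and the trailing unreachable deny are constructed.

```python
"""First-match evaluation of an ASA extended ACL, modelled in Python.

Added example, not code from the Cisco guide or from the ASA. It reproduces
the rule stated above: ACEs are checked in the order listed, the first match
wins, an ACE marked inactive is skipped, and a packet that matches no ACE is
denied. Object-group members and the trailing deny are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ACE:
    action: str                        # "permit" or "deny"
    protocol: str                      # "ip" matches any IP protocol; else "tcp", "udp", "icmp"
    src: List[ipaddress.IPv4Network]   # expanded object-group or inline network(s)
    dst: List[ipaddress.IPv4Network]
    dport: Optional[int] = None        # "eq <port>" on the destination; None = any port
    inactive: bool = False             # the trailing "inactive" keyword
    hits: int = 0                      # hit count, as "show access-list" would report


def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr, strict=False)


def _in_any(addr: str, nets: List[ipaddress.IPv4Network]) -> bool:
    a = ipaddress.ip_address(addr)
    return any(a in n for n in nets)


def ace_matches(ace: ACE, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
    """A single ACE matches only if every field it specifies matches."""
    if ace.inactive:                   # disabled ACE: never matches
        return False
    if ace.protocol != "ip" and ace.protocol != proto:
        return False
    if ace.dport is not None and ace.dport != dport:
        return False
    return _in_any(src, ace.src) and _in_any(dst, ace.dst)


def evaluate(acl: List[ACE], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """Return (action, index) of the first matching ACE.

    Later ACEs are never consulted once a match is found. With no match the
    implicit deny at the end of every ACL applies, reported as index None.
    """
    for idx, ace in enumerate(acl):
        if ace_matches(ace, proto, src, dst, dport):
            ace.hits += 1
            return ace.action, idx
    return "deny", None


ANY = [net("0.0.0.0/0")]
# Object groups from the ACL_IN example on this page (constructed members):
DENIED = [net("209.165.201.16/32"), net("209.165.201.78/32")]  # object-group network denied
WEB = [net("209.165.200.225/32")]                             # object-group network web

ACL_IN = [
    # access-list ACL_IN extended deny tcp object-group denied object-group web eq www
    ACE("deny", "tcp", DENIED, WEB, dport=80),
    # access-list ACL_IN extended permit ip any any
    ACE("permit", "ip", ANY, ANY),
    # A deny placed after "permit ip any any" is unreachable (constructed to show this).
    ACE("deny", "ip", DENIED, ANY),
]

# The "inactive" keyword: the deny stays in the configuration but is skipped.
ACL_104 = [
    ACE("deny", "ip", DENIED, ANY, inactive=True),
    ACE("permit", "ip", ANY, ANY),
]


def demo() -> dict:
    """Evaluate a few constructed packets and return the decisions."""
    return {
        "blocked_web": evaluate(ACL_IN, "tcp", "209.165.201.78", "209.165.200.225", 80),
        "other_port": evaluate(ACL_IN, "tcp", "209.165.201.78", "209.165.200.225", 443),
        "udp_not_tcp": evaluate(ACL_IN, "udp", "209.165.201.78", "209.165.200.225", 80),
        "inactive_skipped": evaluate(ACL_104, "tcp", "209.165.201.16", "10.1.1.1", 22),
        "implicit_deny": evaluate([ACE("permit", "ip", ANY, ANY, inactive=True)],
                                  "tcp", "10.1.1.1", "10.2.2.2", 22),
        "unreachable_ace_hits": ACL_IN[2].hits,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```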
NAT configuration changes, you do not need to change the ACLs.
Note: For ACL migration information, see the Cisco ASA 5500 Migration to Version 8.3 and Later.
Features That Use Real IP Addresses
The following commands and features use real IP addresses in the ACLs:
•
TCP and one for UDP. TACACS+ requires one definition for port 49 on TCP.
• When you specify a network mask, the method is different from the Cisco IOS software access-list command. The ASA uses a network mask (for example, 255.255.255.0 for a Class C mask). The Cisco IOS mask uses wildcard bits (for example, 0.0.0.255).
Object groups contain multiple objects or inline entries.
Guidelines
To delete an ACE, enter the no access-list command with the entire command syntax string as it appears in the configuration. To remove the entire ACL, use the clear configure access-list command.
(an ACL applied with the access-group command).
• Activation—Makes the ACE inactive, or specifies a time range during which the ACE is active; see the time-range command for information about defining a time range.
Discard, Echo, Ident, NTP, RPC, SUNRPC, and Talk each require one definition for TCP and one for UDP. TACACS+ requires one definition for port 49 on TCP.
• object-group service_grp_id—Specifies a service object group created using the object-group service command.
Adding an ACE for User-Based Policy (Identity Firewall)
If you configure the identity firewall feature, you can control traffic based on user identity.
Prerequisites
See Chapter 1, “Configuring the Identity Firewall,” to enable IDFW.
Although not shown in the syntax at left, you can also use TrustSec security group arguments.
Adding an ACE for Security Group-Based Policy (TrustSec)
If you configure the Cisco TrustSec feature, you can control traffic based on security groups.
Prerequisites
Chapter 1, “Configuring the ASA to Integrate with Cisco TrustSec,”
OUT remark - this is the inside admin address
hostname(config)# access-list OUT extended permit ip host 209.168.200.3 any
hostname(config)# access-list OUT remark - this is the hr admin address
hostname(config)# access-list OUT extended permit ip host 209.168.200.4 any
The following example temporarily disables an ACE that permits traffic from one group of network objects (A) to another group of network objects (B):
hostname(config)# access-list 104 permit ip object-group A object-group B inactive
209.165.201.16
hostname(config-network)# network-object host 209.165.201.78
hostname(config-network)# access-list ACL_IN extended deny tcp object-group denied object-group web eq www
hostname(config)# access-list ACL_IN extended permit ip any any
hostname(config)# access-group ACL_IN in interface inside
Support for TrustSec (release 9.0(1)): You can now use TrustSec security groups for the source and destination. You can use an identity firewall ACL with access rules. We modified the following commands: access-list extended.
Extended ACL and object enhancement to filter ICMP traffic by ICMP code (release 9.0(1)): ICMP traffic can now be permitted/denied based on ICMP code. We introduced or modified the following commands: access-list extended, service-object, service.
For information about creating an access rule with the EtherType access list, see Chapter 1, “Configuring Access Rules.”
Licensing Requirements for EtherType Access Lists
The following table shows the licensing requirements for this feature:
Model: All models. License Requirement: Base License.
Task Flow for Configuring EtherType Access Lists, page 1-2
• Adding EtherType Access Lists, page 1-3
• Adding Remarks to Access Lists, page 1-4
Task Flow for Configuring EtherType Access Lists
Use the following guidelines to create and implement an access list:
16-bit hexadecimal number greater than or equal to 0x600. (See RFC 1700, “Assigned Numbers,” at http://www.ietf.org/rfc/rfc1700.txt for a list of EtherTypes.)
Note: To remove an EtherType ACE, enter the no access-list command with the entire command syntax string as it appears in the configuration.
Monitoring EtherType Access Lists
To monitor EtherType access lists, enter one of the following commands:
show access-list: Displays the access list entries by number.
show running-config access-list: Displays the current running access-list configuration.
Feature History for EtherType Access Lists
Feature Name / Releases / Feature Information
EtherType access lists (release 7.0(1)): EtherType access lists control traffic based upon its EtherType. We introduced the feature and the following command: access-list ethertype.
The following table shows the licensing requirements for this feature:
Model: All models. License Requirement: Base License.
Guidelines and Limitations
This section includes the guidelines and limitations for this feature:
• Context Mode Guidelines, page 1-2
• Firewall Mode Guidelines, page 1-2
The ASA denies all packets on the originating interface unless you specifically permit access. Access list logging generates system log message 106023 for denied packets. Deny packets must be present to log denied packets.
The line line-num option specifies the line number at which to insert an ACE. The permit keyword permits access if the conditions are matched. To remove an ACE, enter the no access-list command with the entire command syntax string as it appears in the configuration.
show running-config access-list: Displays the current running access-list configuration.
Configuration Examples for Standard Access Lists
The following example shows how to deny IP traffic through the ASA:
hostname(config)# access-list 77 standard deny
Standard access lists (release 7.0(1)): Standard access lists identify the destination IP addresses of OSPF routes, which can be used in a route map for OSPF redistribution. We introduced the feature and the following command: access-list standard.
This section includes the guidelines and limitations for this feature:
• Context Mode Guidelines, page 1-1
• Firewall Mode Guidelines, page 1-2
• Additional Guidelines and Limitations, page 1-2
Context Mode Guidelines
Supported in single and multiple context mode.
Dynamic ACLs have been extended to support IPv6 ACLs. If you configure both an IPv4 ACL and an IPv6 ACL, they are converted to dynamic ACLs.
• If you use the Access Control Server (ACS), you must configure IPv6 ACLs using the cisco-av-pair attribute; downloadable ACLs are not supported in the ACS GUI.
Default Settings
Table 1-1 lists the default settings for Webtype access lists parameters.
To match any http URL, you must enter http://*/* instead of the former method of entering http://*. To remove an access list, use the no form of this command with the complete syntax string as it appears in the configuration.
The time_range name option specifies a keyword for attaching the time-range option to this access list element. To remove an access list, use the no form of this command with the complete syntax string as it appears in the configuration.
show running-config access-list: Displays the access-list configuration running on the ASA.
Configuration Examples for Webtype Access Lists
The following example shows how to deny access to a specific company URL:
hostname(config)# access-list acl_company webtype deny url http://*.example.com
• The following example matches URLs such as http://www.example.com/ and http://www.example.net/:
access-list test webtype permit url http://www.**ample.com/
• The following example matches URLs such as http://www.cisco.com and ftp://wwz.example.com:
access-list test webtype permit url *://ww?.c*co*/
• The following example matches URLs such as http://www.cisco.com:80 and https://www.cisco.com:81:
access-list test webtype permit url *://ww?.c*co*:8[01]/
Existing IPv6 ACLs are migrated to extended ACLs. See the release notes for more information about migration. We modified the following commands: access-list extended, access-list webtype. We removed the following commands: ipv6 access-list, ipv6 access-list webtype, ipv6-vpn-filter.
If the ASA is attacked, the number of syslog messages for denied packets can be very large. We recommend that you instead enable logging using syslog message 106100, which provides statistics for each ACE and enables you to limit the number of syslog messages produced. Alternatively, you can disable all logging.
The following table shows the licensing requirements for this feature:
Model: All models. License Requirement: Base License.
Guidelines and Limitations
This section includes the guidelines and limitations for this feature.
Context Mode Guidelines
Supported in single and multiple context mode.
This section describes how to configure access list logging.
Note: For complete access list command syntax, see the “Configuring Extended ACLs” section on page 1-4 and the “Using Webtype Access Lists” section on page 1-2.
• default—Enables logging to message 106023. This setting is the same as having no log option. (See the access-list command in the Cisco Security Appliance Command Reference for more information about command options.)
Monitoring Access Lists
To monitor access lists, enter one of the following commands:
Licensing Requirements for Managing Deny Flows, page 1-6
• Guidelines and Limitations, page 1-6
• Managing Deny Flows, page 1-7
• Monitoring Deny Flows, page 1-7
• Feature History for Managing Deny Flows, page 1-8
Firewall Mode Guidelines
Supported only in routed and transparent firewall modes.
IPv6 Guidelines
Supports IPv6.
Additional Guidelines and Limitations
The ASA places a limit on the number of concurrent deny flows only—not permit flows.
200
Monitoring Deny Flows
To monitor access lists, enter one of the following commands:
show access-list: Displays access list entries by number.
show running-config access-list: Displays the current running access list configuration.
Feature Information
Managing Deny Flows (release 7.0(1)): You can configure the maximum number of deny flows and set the interval between deny flow alert messages. We introduced the following commands: access-list deny-flow and access-list alert-interval.
If the router does not know how to forward the packet, it typically drops the packet. If the router knows how to forward the packet, however, it changes the destination physical address to that of the next hop and transmits the packet.
There are several route types that a router can use. The ASA uses the following route types:
• Static Versus Dynamic, page 1-3
• Single-Path Versus Multipath, page 1-3
• Flat Versus Hierarchical, page 1-3
• Link-State Versus Distance Vector, page 1-3
In link-state algorithms, each router builds a picture of the entire network in its routing tables. Distance vector algorithms (also known as Bellman-Ford algorithms) call for each router to send all or some portion of its routing table, but only to its neighbors. In essence, link-state
XLATE times out. It may be either forwarded to the wrong interface or dropped with a level 6 syslog message 110001 generated (no route to host), if the old route was removed from the old interface and attached to another one by the routing process.
• Enhanced Interior Gateway Routing Protocol (EIGRP) EIGRP is a Cisco proprietary protocol that provides compatibility and seamless interoperation with IGRP routers. An automatic-redistribution mechanism allows IGRP routes to be imported into Enhanced IGRP, and vice versa, so it is possible to add Enhanced IGRP gradually into an existing IGRP network.
If the ASA learns about multiple paths to the same destination from a single routing protocol, such as RIP, the route with the better metric (as determined by the routing protocol) is entered into the routing table. Cisco ASA Series CLI Configuration Guide...
Page 609
OSPF, that change would only affect the routing table for the ASA on which the command was entered. The administrative distance is not advertised in routing updates.
Page 610
192.168.32.0/24 network. It also falls within the other route in the routing table, but 192.168.32.0/24 has the longest prefix within the routing table (24 bits versus 19 bits). Longer prefixes are always preferred over shorter ones when forwarding a packet.
Page 611
When existing routing entries are removed because of a network topology change, the removed entries are also synchronized to all slave units.
Page 612
Two instances are supported per context. It is disabled in the system context. Two contexts may use the same or different area IDs.
...context. Two contexts may use the same or different autonomous system numbers.
Page 613
VPN clients towards the internal hosts will go to the wrong interface and will get dropped. In this case, you need to disable proxy ARPs for the interface on which you do not want proxy ARPs. To disable proxy ARPs, enter the following command:
Page 615
ASA knows out of which interface to send traffic. Traffic that originates on the ASA might include communications to a
Page 616
This section explains how to configure a static route and a static default route and includes the following topics:
• Configuring a Static Route, page 1-3
• Configuring a Default Static Route, page 1-4
• Configuring IPv6 Default and Static Routes, page 1-5
Page 617
The default administrative distance for routes discovered by OSPF is 110. If a static route has the same administrative distance as a dynamic route, the static route takes precedence. Connected routes always take precedence over static or dynamically discovered routes.
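The selection rules this chapter states (longest prefix match on lookup, and the distance, static and connected precedence described here), worked through as an added Python model that is not code from the Cisco guide; the sample prefixes, the route sources and the non-OSPF default distances are assumptions:

```python
"""Toy model of how the ASA chooses routes, as described in this chapter:
on lookup the longest matching prefix wins; for one prefix, the lowest
administrative distance is installed, a connected route always beats a
static route, a static route beats a dynamic route of equal distance, and
within one protocol the better metric wins. Added illustration, not ASA code."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Default administrative distances. OSPF's 110 is stated on the page; the
# others are Cisco's documented defaults (assumed here, not from this excerpt).
DEFAULT_AD = {"connected": 0, "static": 1, "eigrp": 90, "ospf": 110, "rip": 120}

# Precedence when administrative distances tie; any other source is dynamic (2).
SOURCE_RANK = {"connected": 0, "static": 1}


@dataclass(frozen=True)
class Route:
    prefix: str
    source: str
    next_hop: str
    interface: str
    metric: int = 0           # protocol metric, compared only within one protocol
    ad: Optional[int] = None  # explicit distance, e.g. "route ... 110"; None = default

    @property
    def network(self):
        return ip_network(self.prefix, strict=False)

    @property
    def distance(self) -> int:
        return DEFAULT_AD[self.source] if self.ad is None else self.ad


def _rank(route: Route):
    # Lower tuple wins: distance, then source precedence, then metric.
    return (route.distance, SOURCE_RANK.get(route.source, 2), route.metric)


def build_table(candidates: List[Route]) -> Dict[str, Route]:
    """Keep, per prefix, the one candidate the ASA would install."""
    table: Dict[str, Route] = {}
    for route in candidates:
        key = str(route.network)
        if key not in table or _rank(route) < _rank(table[key]):
            table[key] = route
    return table


def lookup(table: Dict[str, Route], destination: str) -> Optional[Route]:
    """Longest-prefix match: the most specific containing prefix wins,
    regardless of its source or administrative distance."""
    dst = ip_address(destination)
    best: Optional[Route] = None
    for route in table.values():
        net = route.network
        if dst in net and (best is None or net.prefixlen > best.network.prefixlen):
            best = route
    return best


# Constructed sample candidates (addresses borrowed from the chapter's examples).
CANDIDATES = [
    Route("192.168.32.0/19", "ospf", "10.1.2.45", "inside", metric=20),
    Route("192.168.32.0/24", "static", "10.1.2.45", "inside"),
    # Two OSPF paths to one destination: the better metric is installed.
    Route("10.10.0.0/16", "ospf", "10.1.2.46", "inside", metric=30),
    Route("10.10.0.0/16", "ospf", "10.1.2.47", "dmz", metric=10),
    # Static route configured with the same distance as OSPF: static still wins.
    Route("172.16.0.0/16", "ospf", "10.1.2.46", "inside", metric=5),
    Route("172.16.0.0/16", "static", "10.1.2.48", "inside", ad=110),
    # A connected route always beats a static route to the same prefix.
    Route("10.1.2.0/24", "static", "10.1.2.1", "inside"),
    Route("10.1.2.0/24", "connected", "0.0.0.0", "inside"),
    Route("0.0.0.0/0", "static", "192.168.2.4", "outside"),
]

if __name__ == "__main__":
    table = build_table(CANDIDATES)
    for dst in ("192.168.32.1", "192.168.40.1", "10.10.5.5", "172.16.1.1", "8.8.8.8"):
        hit = lookup(table, dst)
        print(f"{dst:14} -> {hit.network} via {hit.next_hop} ({hit.source}, AD {hit.distance})")
```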
Page 618
• You cannot define more than one default route with the tunneled option.
• ECMP for tunneled traffic is not supported.
To add or edit a tunneled default static route, enter the following command:
Page 619
The example routes packets for network 7fff::0/32 to a networking device on the inside interface at 3FFE:1100:0:CC00::1, and with an administrative distance of 110.
Example: hostname(config)# ipv6 route inside 7fff::0/32 3FFE:1100:0:CC00::1 [110]
Page 620
You can configure static route tracking for statically defined routes or default routes obtained through DHCP or PPPoE. You can only enable PPPoE clients on multiple interfaces with route tracking configured. To configure static route tracking, perform the following steps:
Page 621
Tracks a static route. Command: route if_name dest_ip mask gateway_ip [admin_distance] track track_id
You cannot use the tunneled option with the route command in static route tracking.
Example: hostname(config)# route if_name dest_ip mask gateway_ip [admin_distance] track track_id
Page 622
ASA for which there is no static or learned route is passed to the gateway with the IP address 192.168.2.4. The following example creates a static route that sends all traffic destined for 10.1.1.0/24 to the router (10.1.2.45) connected to the inside interface:
hostname(config)# route inside 10.1.1.0 255.255.255.0 10.1.2.45 1
Page 623
Feature History for Static and Default Routes
Feature Name, Platform Releases: Feature Information
Routing, 7.0(1): Static and default routing were introduced. We introduced the route command.
Clustering, 9.0(1): Supports static route monitoring on the master unit only.
Page 625
• Route maps are more flexible than ACLs and can verify routes based on criteria which ACLs cannot verify. For example, a route map can verify if the type of route is internal.
Page 626
Scanning of the route map continues until a clause is found whose match command(s), or Match Clause as set from the Match Clause tab in ASDM, match the route or until the end of the route map is reached.
Page 627
This section includes the guidelines and limitations for this feature.
Context Mode Guidelines: Supported in single context mode and multiple context mode.
Firewall Mode Guidelines: Supported only in routed firewall mode. Transparent firewall mode is not supported.
IPv6 Guidelines: Does not support IPv6.
Page 628
ASA uses the order in which you add route map entries.
Example: hostname(config)# route-map name {permit} [12]
Step 2 Enter one of the following match commands to match routes to a specified destination address:
Page 629
Configuring the Metric Values for a Route Action If a route matches the match commands, then the following set commands determine the action to perform on the route before redistributing it.
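The clause scan described above (first clause whose match commands all hold decides; end of route map means the route is not redistributed), with set commands applied to a permitted route before redistribution, as an added Python model that is not code from the Cisco guide; the route map named 1-to-2, its sequence numbers, match conditions, set values and sample routes are constructed:

```python
"""Toy evaluator for the route-map semantics this chapter describes: clauses
are scanned in sequence order; the first clause whose match commands all hold
decides the route (permit applies its set commands before redistribution,
deny drops it); reaching the end without a match drops the route.
Added illustration, not ASA code."""
from dataclasses import dataclass, field, replace
from ipaddress import ip_network
from typing import Callable, Dict, List, Optional

Matcher = Callable[["RouteEntry"], bool]


@dataclass(frozen=True)
class RouteEntry:
    prefix: str
    interface: str
    route_type: str = "internal"  # the page notes a route map can test this
    tag: int = 0
    metric: int = 0
    metric_type: str = "type-2"


@dataclass
class Clause:
    seq: int
    permit: bool
    matches: List[Matcher] = field(default_factory=list)   # empty = matches all
    sets: Dict[str, object] = field(default_factory=dict)  # set commands


# Match commands modelled as predicates over a route.
def match_ip_address(prefixes: List[str]) -> Matcher:
    nets = [ip_network(p) for p in prefixes]
    return lambda r: any(ip_network(r.prefix).subnet_of(n) for n in nets)


def match_interface(name: str) -> Matcher:
    return lambda r: r.interface == name


def match_route_type(kind: str) -> Matcher:
    return lambda r: r.route_type == kind


def match_tag(tag: int) -> Matcher:
    return lambda r: r.tag == tag


def apply_route_map(clauses: List[Clause], route: RouteEntry) -> Optional[RouteEntry]:
    """Return the route as it would be redistributed, or None if it is dropped."""
    for clause in sorted(clauses, key=lambda c: c.seq):
        if all(m(route) for m in clause.matches):
            if not clause.permit:
                return None
            return replace(route, **clause.sets)
    return None  # end of route map reached without a match: not redistributed


def redistribute(clauses: List[Clause], routes: List[RouteEntry]) -> List[RouteEntry]:
    out = []
    for r in routes:
        hit = apply_route_map(clauses, r)
        if hit is not None:
            out.append(hit)
    return out


# Constructed route map "1-to-2" (sequence numbers and set values assumed).
ROUTE_MAP_1_TO_2 = [
    Clause(10, permit=False, matches=[match_interface("dmz")]),
    Clause(20, permit=True,
           matches=[match_ip_address(["10.0.0.0/8"]), match_route_type("internal")],
           sets={"metric": 5, "metric_type": "type-1"}),
    Clause(30, permit=True, matches=[match_tag(700)], sets={"metric": 100}),
]

# Constructed sample routes, as if learned by OSPF process 1.
SAMPLE_ROUTES = [
    RouteEntry("10.1.1.0/24", "inside"),
    RouteEntry("10.2.0.0/16", "dmz"),
    RouteEntry("192.168.1.0/24", "inside", tag=700),
    RouteEntry("172.16.0.0/16", "inside"),
]

if __name__ == "__main__":
    for r in redistribute(ROUTE_MAP_1_TO_2, SAMPLE_ROUTES):
        print(f"{r.prefix:16} metric {r.metric} {r.metric_type}")
```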
Page 631
(EIGRP, OSPF, and RIP) and debugging of general routing-related operations (show debug route). We modified the following command: show route.
Dynamic Routing in Multiple Context Mode, 9.0(1): Route maps are supported in multiple context mode.
The advantages of OSPF over RIP include the following:
• OSPF link-state database updates are sent less frequently than RIP updates, and the link-state database is updated instantly, rather than gradually, as stale information is timed out.
Page 634
ASA. Also, you should not mix public and private networks on the same ASA interface. You can have two OSPF routing processes, one RIP routing process, and one EIGRP routing process running on the ASA at the same time.
Page 635
This section includes the guidelines and limitations for this feature.
Context Mode Guidelines: OSPFv2 supports single and multiple context mode. OSPFv3 supports single mode only.
Firewall Mode Guidelines: OSPF supports routed firewall mode only. OSPF does not support transparent firewall mode.
Page 636
When the cluster is enabled, the router ID compatibility checks are repeated. If any incompatibility is detected, then the cluster enable command fails. The administrator needs to correct the incompatible router ID configuration before the cluster can be enabled.
Page 637
IDs associated with that range of IP addresses. You can enable up to two OSPFv2 process instances. Each OSPFv2 process has its own associated areas and networks.
Page 638
See “Configuring Static and Default Routes” section on page 1-2, and then define a route map according
Page 639
5 ASA redistributes these routes as external LSAs with a metric of 5 and a metric type of Type 1.
hostname(config-route-map)# set metric-type type-1
hostname(config-route-map)# router ospf 2
hostname(config-rtr)# redistribute ospf 1 route-map 1-to-2
Page 640
This configuration decreases the size of the OSPF link-state database. Routes that match the specified IP address mask pair can be suppressed. The tag value can be used as a match value for controlling redistribution through route maps.
Page 641
Sets the address range. Command: area area-id range ip-address mask [advertise | not-advertise]
In this example, the address range is set between OSPF areas.
Example:
hostname(config)# router ospf 1
hostname(config-rtr)# area 17 range 12.1.0.0 255.255.0.0
Page 642
A separate password can be assigned to each network on a per-interface basis. All neighboring routers on the same network must have the same password to be able to exchange OSPF information.
Page 643
Command: retransmit-interval seconds. The range is from 1 to 65535 seconds. The default value is 5 seconds. In this example, the retransmit-interval value is set to 15.
Page 644
ID on any other device; it is for internal use only. You can use a maximum of two processes. Step 2 Do one of the following to configure optional OSPF area parameters:
Page 645
Type 7 default into the NSSA or the NSSA area boundary router.
• Every router within the same area must agree that the area is NSSA; otherwise, the routers cannot communicate with each other.
Page 646
In this example (summary address 10.1.0.0 255.255.0.0), the summary address 10.1.0.0 includes addresses 10.1.1.0, 10.1.2.0, 10.1.3.0, and so on. Only the 10.1.0.0 address is advertised in an external link-state advertisement.
Note OSPF does not support summary-address 0.0.0.0 0.0.0.0.
Page 647
If the OSPFv2 neighbor is not on the same network as any of the directly connected interfaces, you must specify the interface.
Example: hostname(config-rtr)# neighbor 255.255.0.0 [interface my_interface]
Page 648
The log-adj-changes command provides a higher level view of the peer relationship with less output. Configure the log-adj-changes detail command if you want to see messages for each state change.
Page 649
Calculating Summary Route Costs, page 1-38
• Generating a Default External Route into an OSPFv3 Routing Domain, page 1-38
• Configuring an IPv6 Summary Prefix, page 1-39
• Redistributing IPv6 Routes, page 1-40
Page 650
Step 2 Creates the OSPFv3 routing process with the specified process ID and an area for OSPFv3 with the specified area ID. Command: ipv6 ospf process-id area area_id
Example: hostname(config)# ipv6 ospf 200 area 100
Page 656
1 to 65535. This ID does not have to match the ID on any other device; it is for internal administrative use only. You can use a maximum of two processes. Step 2 Do one of the following to configure optional OSPFv3 router parameters:
Page 657
Configures the redistribution of routes from one routing domain into another according to the following parameters (command: redistribute):
• connected—Specifies connected routes.
• ospf—Specifies OSPFv3 routes.
• static—Specifies static routes.
Example: hostname(config-rtr)# redistribute ospf
Page 658
Do one of the following to configure optional OSPFv3 area parameters:
Sets the summary default cost of an NSSA area or a stub area. Command: area area-id default-cost cost
Example: hostname(config-rtr)# area 1 default-cost nssa
Page 659
OSPF SPF calculations to determine the shortest paths to the destination. Valid values range from 0 to 16777215.
Specifies an NSSA area. Command: area area-id nssa
Example: hostname(config-rtr)# area 1 nssa
Page 660
Valid values range from 1 to 8192. The ttl-security hops keyword configures the time-to-live (TTL) security on a virtual link. The hop-count argument value can range from 1 to 254.
Page 661
OSPFv3. The inter-area keyword specifies the inter-area routes for OSPFv3. The intra-area keyword specifies the intra-area routes for OSPFv3. The distance argument specifies the administrative distance, which is an integer from 10 to 254.
Example: hostname(config-rtr)# distance ospf external 200
Page 662
The milliseconds argument specifies the time in milliseconds at which LSAs in the flooding queue are paced in between updates. The configurable range is from 5 to 100 milliseconds. The default value is 33 milliseconds.
Example: hostname(config-rtr)# timers lsa flood 20
Page 663
The milliseconds argument specifies the time in milliseconds at which LSAs in the retransmission queue are paced. The configurable range is from 5 to 200 milliseconds. The default value is 66 milliseconds.
Example: hostname(config-rtr)# timers pacing retransmission 100
Page 664
1 to 65535. This ID does not have to match the ID on any other device; it is for internal administrative use only. You can use a maximum of two processes. Step 2 Choose one of the following options:
Page 665
GRE tunnel. Before you begin, you must create a static route to the OSPFv3 neighbor. See Chapter 1, “Configuring Static and Default Routes,” for more information about creating static routes.
Page 667
The redistribute keyword redistributes IPv6 prefixes from another routing protocol. The router-id keyword specifies the router ID for the specified routing process. The summary-prefix keyword specifies the IPv6 summary prefix. The timers keyword specifies the OSPFv3 timers.
Page 668
You can use a maximum of two processes.
Step 2 Suppresses the sending of syslog messages when the router receives unsupported LSA Type 6 MOSPF packets. Command: ignore lsa mospf
Example: hostname(config-rtr)# ignore lsa mospf
Page 669
• 2—Type 2 external route
The default is the type 2 external route. The route-map map-name keyword-argument pair specifies the routing process that generates the default route if the route map is satisfied.
Page 670
The tag tag-value keyword-argument pair specifies the tag value that can be used as a match value for controlling redistribution through route maps. This keyword applies to OSPFv3 only.
Example:
hostname(config-rtr)# router-id 192.168.3.3
hostname(config-rtr)# summary-prefix FEC0::/24
hostname(config-rtr)# redistribute static
Page 671
Redistributing IPv6 Routes To redistribute connected routes into an OSPFv3 process, perform the following steps: Detailed Steps
Page 672
If this keyword is not specified, all routes are redistributed. If this keyword is specified, but no route map tags are listed, no routes are imported. The map-tag argument identifies a configured route map.
Page 674
Configuration Examples for OSPFv3 The following example shows how to enable and configure OSPFv3 at the interface level:
hostname (config)# interface GigabitEthernet3/1
hostname (config-if)# ipv6 enable
hostname (config-if)# ipv6 ospf 1 area 1
Page 675
(config)# passive-interface fda
hostname (config)# log-adjacency-changes
hostname (config)# redistribute connected metric 100 metric-type 1 tag 700
For an example of how to configure an OSPFv3 virtual link, see the following URL: http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a0080b8fd06.shtm
Page 676
...if_name: Displays a list of all LSAs waiting to be resent.
show ospf [process-id] summary-address: Displays a list of all summary address redistribution information configured under an OSPFv2 process.
Page 677
You also can display the LSAs waiting to be sent out of an interface. Pacing enables OSPFv3 update and retransmission packets to be sent more efficiently. There are no configuration tasks for this feature; it occurs automatically.
Page 678
IPv6 reconvergence timer status, and IPv6 routing entries sequence number in a cluster.
Additional References For additional information related to implementing OSPF, see the following section:
• RFCs
RFC 2328: OSPFv2
RFC 4552: OSPFv3 Authentication
RFC 5340: OSPF for IPv6
Page 681
Feature History for EIGRP, page 1-20 Information About EIGRP EIGRP is an enhanced version of IGRP developed by Cisco. Unlike IGRP and RIP, EIGRP does not send out periodic route updates. EIGRP updates are sent out only when the network topology changes. Key...
Page 682
For information about using clustering with EIGRP, see the “Dynamic Routing and Clustering” section on page 1-9.
Licensing Requirements for EIGRP The following table shows the licensing requirements for this feature:
Model: All models. License Requirement: Base License.
Page 683
This section describes how to enable the EIGRP process on your system. After you have enabled EIGRP, see the following sections to learn how to customize the EIGRP process on your system.
• Enabling EIGRP, page 1-4
• Enabling EIGRP Stub Routing, page 1-4
Page 684
The stub router depends on the distribution router to send the correct updates to all peers.
Page 685
• Configuring the Summary Aggregate Addresses on Interfaces, page 1-9
• Changing the Interface Delay Value, page 1-10
• Enabling EIGRP Authentication on an Interface, page 1-10
• Defining an EIGRP Neighbor, page 1-12
Page 686
If you have an interface that you do not want to have participate in EIGRP routing, but that is attached to a network that you want advertised, see the “Configuring Passive Interfaces” section on page 1-8.
Page 687
2 md5
...following error message: % Asystem(100) specified does not exist
See the “Enabling EIGRP Authentication on an Interface” section on page 1-10 for more information on this particular option.
Page 688
Creates an EIGRP routing process and enters router configuration mode for this EIGRP process. Command: router eigrp as-num
The as-num argument is the autonomous system number of the EIGRP routing process.
Example: hostname(config)# router eigrp 2
Page 689
By default, EIGRP summary addresses that you define have an administrative distance of 5. You can change this value by specifying the optional distance argument in the summary-address command.
Example: hostname(config-if)# summary-address eigrp 2 address mask [20]
Page 690
EIGRP message authentication must be configured with the same authentication mode and key for adjacencies to be established. Note Before you can enable EIGRP route authentication, you must enable EIGRP. To enable EIGRP authentication on an interface, perform the following steps:
Page 691
ASA returns the following error message: % Asystem(100) specified does not exist% The key argument can include up to 16 characters. The key-id argument is a number that can range from 0 to 255.
Page 692
RIP routing process. See Chapter 1, “Defining Route Maps,” for more information about creating a route map. To redistribute routes into the EIGRP routing process, perform the following steps:
Page 694
If you have an interface that you do not want to have participate in EIGRP routing, but that is attached to a network that you want advertised, see the “Configuring Interfaces for EIGRP” section on page 1-7.
Page 695
To configure the hello interval and advertised hold time, perform the following steps:
Detailed Steps
Step 1 Enters interface configuration mode for the interface on which you are configuring the hello interval or advertised hold time. Command: interface phy_if
Example: hostname(config)# interface inside
Page 696
Configuring the ASA to disallow default information to be sent disables the setting of the default route bit in advertised routes. To configure default routing information, perform the following steps:
Page 697
For these situations, including networks in which you have EIGRP configured, you may want to disable split horizon. If you disable split horizon on an interface, you must disable it for all routers and access servers on that interface.
Page 698
...[as-number] events [{start end} | type]
show eigrp [as-number] interfaces [if-name] [detail]: Displays the interfaces participating in EIGRP routing.
show eigrp [as-number] neighbors [detail | static] [if-name]: Displays the EIGRP neighbor table.
Page 699
To configure the interfaces and networks that participate in EIGRP routing, enter the following command:
hostname(config-router)# network 10.0.0.0 255.0.0.0
Step 5 To change the interface delay value used in EIGRP distance calculations, enter the following commands:
hostname(config-router)# exit
hostname(config)# interface phy_if
hostname(config-if)# delay 200
Page 700
For EIGRP, bulk synchronization, route synchronization, and layer 2 load balancing are supported in the clustering environment. We introduced or modified the following commands: show route cluster, debug route cluster, show mfib cluster, debug mfib cluster.
Page 701
RIP is a distance-vector routing protocol that uses hop count as the metric for path selection. When RIP is enabled on an interface, the interface exchanges RIP broadcasts with neighboring devices to dynamically learn about and advertise routes.
Page 702
Generally, it is set to 30 seconds, with a small random amount of time added whenever the timer is reset. This is done to help prevent congestion, which could result from all routers
Page 703
When RIP Version 2 is configured on an interface, the multicast address 224.0.0.9 is registered on that interface. When a RIP Version 2 configuration is removed from an interface, that multicast address is unregistered.
Limitations RIP has the following limitations:
• The ASA cannot pass RIP updates between interfaces.
Page 704
Configuring the RIP Send and Receive Version on an Interface, page 1-6
• Configuring Route Summarization, page 1-7
• Filtering Networks in RIP, page 1-8
• Redistributing Routes into the RIP Routing Process, page 1-8
• Enabling RIP Authentication, page 1-9
Page 705
Enter one of the following numbers to customize an interface to participate in RIP routing:
Specifies the version of RIP used by the ASA. Command: version [1 | 2]. You can override this setting on a per-interface basis. In this example, Version 1 is entered.
Example: hostname(config-router)# version [1]
Page 706
Enters interface configuration mode for the interface that you are configuring. Command: interface phy_if
Example: hostname(config)# interface phy_if
Step 2 Do one of the following to send or receive RIP updates on a per-interface basis.
Page 707
Step 1 Enables the RIP routing process and places you in router configuration mode. Command: router rip
Example: hostname(config)# router rip
Step 2 Disables automatic route summarization. Command: no auto-summarize
Example: hostname(config-router)# no auto-summarize
Page 708
RIP routing process. See Chapter 1, “Defining a Route Map,” for more information about creating a route map. To redistribute a route into the RIP routing process, enter one of the following commands:
Page 709
RIP route authentication is configured on a per-interface basis. All RIP neighbors on interfaces configured for RIP message authentication must be configured with the same authentication mode and key for adjacencies to be established.
Page 710
Removes the entire RIP configuration that you have enabled. After the configuration is cleared, you must reconfigure RIP again using the router rip command. Command: clear rip pid {process | redistribution | counters [neighbor [neighbor-interface] [neighbor-id]]}
Example: hostname(config)# clear rip
Page 711
The following example shows how to enable and configure RIP with various optional processes:
hostname(config)# router rip 2
hostname(config-router)# default-information originate
hostname(config-router)# version [1]
hostname(config-router)# network 225.25.25.225
hostname(config-router)# passive-interface [default]
hostname(config-router)# redistribute connected [metric bandwidth delay reliability loading mtu] [route-map map_name]
Page 712
For RIP, bulk synchronization, route synchronization, and layer 2 load balancing are supported in the clustering environment. We introduced or modified the following commands: show route cluster, debug route cluster, show mfib cluster, debug mfib cluster.
Page 713
Multicast packets are replicated in the network by Cisco routers enabled with Protocol Independent Multicast (PIM) and other supporting multicast protocols resulting in the most efficient delivery of data to multiple receivers possible.
After fast-path forwarding is established, slave units may forward multicast data packets. All data flows are full flows. Stub forwarding flows are also supported. Because only one unit receives multicast packets in Layer 2
Page 715
Hosts join multicast groups by sending IGMP report messages. PIM is used to maintain forwarding tables to forward multicast datagrams. Note Only the UDP transport layer is supported for multicast routing. To enable multicast routing, enter the following command:
Page 716
To forward the host join and leave messages, enter the following command from the interface attached to the stub area:
Page 717
IGMP messages to their local multicast router. Under IGMP, routers listen to IGMP messages and periodically send out queries to discover which groups are active or inactive on a particular subnet.
Page 718
Disables IGMP on an interface. Command: no igmp. To reenable IGMP on an interface, use the igmp command.
Example: hostname(config-if)# no igmp
Note Only the no igmp command appears in the interface configuration.
Page 719
To configure a statically joined multicast group on an interface, enter the following command:
Configures the ASA statically to join a multicast group on an interface. Command: igmp static-group. The group-address argument is the IP address of the group.
Example: hostname(config-if)# igmp static-group group-address
Page 720
50 commands) are still permitted. The no form of this command restores the default value. Modifying the Query Messages to Multicast Groups Note The igmp query-timeout and igmp query-interval commands require IGMP Version 2.
Page 721
2 hosts on the subnet works; the ASA running IGMP Version 2 works correctly when IGMP Version 1 hosts are present. To control which version of IGMP is running on an interface, enter the following command:
Page 722
Enables or reenables PIM on a specific interface.
Example: hostname(config-if)# pim
Step 2 Disables PIM on a specific interface. Command: no pim
Example: hostname(config-if)# no pim
Note Only the no pim command appears in the interface configuration.
Page 723
By default, the ASA has a DR priority of 1. To change this value, enter the following command:
Changes the designated router priority. Command: pim dr-priority num. The num argument can be any number ranging from 1 to 4294967294.
Example: hostname(config-if)# pim dr-priority 500
Page 724
• Prevent unauthorized routers from becoming PIM neighbors.
• Prevent attached stub routers from participating in PIM.
To define neighbors that can become a PIM neighbor, perform the following steps:
Page 725
If a denied neighbor supports bidir, then the DF election does not occur.
• If a denied neighbor does not support bidir, the DF election can occur.
To define the neighbors that can become a PIM bidirectional neighbor filter, perform the following steps:
Page 726
Auto-RP message before the Auto-RP message is forwarded. To configure a multicast boundary, enter the following command:
Configures a multicast boundary. Command: multicast boundary acl [filter-autorp]
Example: hostname(config-if)# multicast boundary acl1 [filter-autorp]
Page 727
Configure the ASA to be a member of a multicast group:
hostname(config)# interface
hostname(config-if)# igmp join-group group-address
Additional References For additional information related to routing, see the following sections:
• Related Documents, page 1-16
• RFCs, page 1-16
Page 728
We introduced the multicast-routing command. Clustering support 9.0(1) Support was added for clustering. We introduced the following commands: debug mfib cluster, show mfib cluster.
Page 729
This section includes the following topics:
• Neighbor Solicitation Messages, page 1-2
• Neighbor Reachable Time, page 1-2
• Duplicate Address Detection, page 1-2
• Router Advertisement Messages, page 1-3
• Static IPv6 Neighbors, page 1-4
Page 730
IPv6 addresses on the interface. When a duplicate address is identified, the state of the address is set to DUPLICATE, the address is not used, and the following error message is generated: %ASA-4-325002: Duplicate address ipv6_address/MAC_address on interface
Page 731
The IPv6 network prefixes in use on the link.
• Whether or not an interface transmits router advertisement messages.
Unless otherwise noted, the router advertisement message settings are specific to an interface and are entered in interface configuration mode.
Page 732
IPv6 nodes, randomly adjust the actual value used to within 20 percent of the specified value.
• The ipv6 nd prefix command allows control over the individual parameters per prefix, including whether or not the prefix should be advertised.
Page 733
ICMP syslogs are being generated. The refresh time for IPV6 neighbor entry is configurable on the regular data interface, but not configurable on the failover interface. However, the CPU impact for this ICMP neighbor discovery traffic is minimal. Cisco ASA Series CLI Configuration Guide...
Page 734
Configuring the IPv6 Prefix in Router Advertisements, page 1-12 • Configuring a Static IPv6 Neighbor, page 1-13 Entering Interface Configuration Mode Configure neighbor discovery settings per interface. To enter interface configuration mode, perform the following steps. Cisco ASA Series CLI Configuration Guide...
Page 735
This information is also sent in router advertisement messages.

Examples
The following example configures an IPv6 neighbor solicitation transmission interval of 9000 milliseconds for GigabitEthernet 0/0:
hostname(config)# interface gigabitethernet 0/0
hostname(config-if)# ipv6 nd ns-interval 9000

For more information, see the “Configuring the Router Lifetime Value” section on page 1-9. To prevent synchronization with other IPv6 nodes, randomly adjust the actual value used to within 20 percent of the desired value.

IPv6 addresses are detected in the network on a link basis. Valid values for the value argument range from 0 to 600. A zero value disables DAD processing on the specified interface.
Example:
hostname(config-if)# ipv6 nd dad attempts value

IPv6 router.

Examples
The following example suppresses IPv6 router advertisement transmission on the specified interface, which is GigabitEthernet 0/0:
hostname(config)# interface gigabitethernet 0/0
hostname(config-if)# ipv6 nd suppress-ra

Command: ipv6 nd other-config-flag
Purpose: Sets the Other Address Config flag in the IPv6 router advertisement packet. This flag informs IPv6 autoconfiguration clients that they should use DHCPv6 to obtain additional information, such as the DNS server address.
Example:
hostname(config-if)# ipv6 nd other-config-flag
IPv6 prefix is advertised as being valid. Valid values range from 0 to 4294967295 seconds. The maximum value represents infinity, which can also be specified with infinite. The default is 2592000 (30 days).

The following example adds a static entry for an inside host with an IPv6 address of 3001:1::45A and a MAC address of 0002.7D1A.9472 (MAC addresses are entered in xxxx.xxxx.xxxx format) to the neighbor discovery cache:
hostname(config-if)# ipv6 neighbor 3001:1::45A inside 0002.7D1A.9472
The neighbor discovery reachable time that is being used.

Additional References
For additional information related to implementing IPv6 prefixes, see the following topics:
• Related Documents for IPv6 Prefixes, page 1-15
• RFCs for IPv6 Prefixes and Documentation, page 1-15

Address Config Flags for IPv6 DHCP Relay, 9.0(1): We introduced the following commands: ipv6 nd managed-config-flag, ipv6 nd other-config-flag.
PART: Configuring Network Address Translation
RFC 1918 defines the private IP addresses you can use internally that should not be advertised:
• 10.0.0.0 through 10.255.255.255
• 172.16.0.0 through 172.31.255.255
• 192.168.0.0 through 192.168.255.255

NAT rules, and one or both can be translated/untranslated. For static NAT, the rule is bidirectional, so be aware that “source” and “destination” are used in commands and descriptions throughout this guide even though a given connection might originate at the “destination” address.

(if an access rule exists that allows it). With dynamic NAT and PAT, on the other hand, each host uses a different address or port for each subsequent translation, so bidirectional initiation is not supported.

IP address is mapped to a different value in both cases. The translation is always active so both translated and remote hosts can initiate connections.
Figure 1-2 Typical Static NAT with Port Translation Scenario (inside 10.1.1.1:23 is mapped to outside 209.165.201.1:23; inside 10.1.1.2:8080 is mapped to outside 209.165.201.2:80)

IP/1st mapped IP is technically the only bidirectional translation.
Figure 1-3 One-to-Many Static NAT (inside 10.1.2.27 is mapped to outside 209.165.201.3, 209.165.201.4, and 209.165.201.5)

TCP destination port, and both hosts are translated to the same IP address, then both connections will be reset because of an address conflict (the 5-tuple is not unique).
Figure 1-6 shows a typical dynamic NAT scenario. Only real hosts can create a NAT session, and responding traffic is allowed back.
Figure 1-6 Dynamic NAT (inside 10.1.1.1 and 10.1.1.2 are translated to outside 209.165.201.1 and 209.165.201.2)

Each connection requires a separate translation session because the source port differs for each connection. For example, 10.1.1.1:1025 requires a separate translation from 10.1.1.1:1026.

Dynamic PAT may also create a large number of connections appearing to come from a single IP address, and servers might interpret the traffic as a DoS attack. You can configure a PAT pool of addresses and use a round-robin assignment of PAT addresses to mitigate this situation.

You can configure NAT in both routed and transparent firewall mode. This section describes typical usage for each firewall mode and includes the following topics:
• NAT in Routed Mode, page 1-11
• NAT in Transparent Mode, page 1-11

NAT scenario in transparent mode, with the same network on the inside and outside interfaces. The transparent firewall in this scenario is performing the NAT service so that the upstream router does not have to perform NAT.

10.1.1.3 based on the ASA static route for 192.168.1.0/24. See the “Transparent Mode Routing Requirements for Remote Networks” section on page 1-21 for more information about required routes.

NAT configuration. The ability to use a network object group for the real address means that twice NAT is more scalable.
• How source and destination NAT is implemented.

(identity NAT), or you can map it to a different address. The destination mapping is always a static mapping. Twice NAT also lets you use service objects for static NAT with port translation; network object NAT only accepts inline definition.
Figure 1-11 Twice NAT with Different Destination Addresses (inside host 10.1.2.27 on 10.1.2.0/24 is translated to 209.165.202.129 for packets whose destination is Server 1, 209.165.201.11 on 209.165.201.0/27, and to 209.165.202.130 for packets whose destination is Server 2, 209.165.200.225 on 209.165.200.224/27)

Figure 1-12 Twice NAT with Different Destination Ports (inside host 10.1.2.27 on 10.1.2.0/24 is translated to 209.165.202.129 for web packets to the Internet server 209.165.201.11:80, and to 209.165.202.130 for Telnet packets to 209.165.201.11:23)

NAT rule to section 3 when you add the rule. For section 2 rules, for example, you have the following IP addresses defined within network objects:
• 192.168.1.0/24 (static)
• 192.168.1.0/24 (dynamic)
• 10.1.1.0/24 (static)
• 192.168.1.1/32 (static)
• 172.16.1.0/24 (dynamic) (object def)
• 172.16.1.0/24 (dynamic) (object abc)

ARP requests for the mapped addresses, thus intercepting traffic destined for a mapped address. This solution simplifies routing because the ASA does not have to be the gateway for any additional networks. This solution is ideal if the outside network contains an adequate number of

NAT rule must match both the source and destination addresses, the proxy ARP decision is made only on the “source” address). If the ASA ARP response is received before the actual host ARP response, then traffic will be mistakenly sent to the ASA (see Figure 1-14).

Transparent Mode Routing Requirements for Remote Networks
When you use NAT in transparent mode, some types of traffic require static routes. See the “MAC Address vs. Route Lookups” section on page 4-5 for more information.
NAT for VPN
• NAT and Remote Access VPN, page 1-23
• NAT and Site-to-Site VPN, page 1-24
• NAT and VPN Management Access, page 1-26
• Troubleshooting NAT and VPN, page 1-28

PAT rule by using an identity NAT rule between those networks. Identity NAT simply translates an address to the same address.

10.2.2.78 in San Jose), you do not want to perform NAT; you need to exempt that traffic by creating an identity NAT rule. Identity NAT simply translates an address to the same address.

See the following sample NAT configuration for ASA1 (Boulder):
! Enable hairpin for VPN client traffic:
same-security-traffic permit intra-interface
! Identify local VPN network, & perform object interface PAT when going to Internet:

ASA (see the management-access command). For example, if you enter the ASA from the outside interface, the management-access feature lets you connect to the inside interface using ASDM, SSH, Telnet, or SNMP; or you can ping the inside interface.

10.3.3.0 255.255.255.0
nat (outside,outside) dynamic interface
! Identify inside network, & perform object interface PAT when going to Internet:
object network inside_nw
subnet 10.1.1.0 255.255.255.0
nat (inside,outside) dynamic interface
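The configuration fragments in this section are pieces of the guide's Boulder sample. The following is an added example, not the guide's own listing, that assembles the hairpin, site-to-site exemption and management-access cases described above into one routed-mode configuration. The networks follow the section (VPN client pool 10.3.3.0/24, Boulder inside 10.1.1.0/24, San Jose inside 10.2.2.0/24); the interface names, the object names and the use of route-lookup on the management-access rule are assumptions.

```cisco
! Added example, not the guide's own listing. Assumed interfaces inside/outside,
! object names, VPN pool 10.3.3.0/24, Boulder inside 10.1.1.0/24, San Jose
! inside 10.2.2.0/24.
!
! Non-split-tunneled VPN clients arrive and leave on outside, so traffic that
! enters and exits the same interface must be permitted for the hairpin.
same-security-traffic permit intra-interface
! Let users who entered on outside (the VPN) reach the inside interface for
! ASDM, SSH or ping.
management-access inside
!
! Section 2 rules: interface PAT for both local networks when going to the Internet.
object network vpn_local
 subnet 10.3.3.0 255.255.255.0
 nat (outside,outside) dynamic interface
object network inside_nw
 subnet 10.1.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network sanjose_inside
 subnet 10.2.2.0 255.255.255.0
!
! Section 1 identity NAT rules: traffic that rides a tunnel must keep its real
! addresses, otherwise the section 2 interface PAT above would rewrite it and it
! would never match the tunnel's traffic selection. Section 1 is evaluated first.
! Boulder inside <-> VPN clients:
nat (inside,outside) source static inside_nw inside_nw destination static vpn_local vpn_local
! Boulder inside <-> San Jose over the site-to-site tunnel:
nat (inside,outside) source static inside_nw inside_nw destination static sanjose_inside sanjose_inside
! VPN clients <-> San Jose, hairpinned on outside into the site-to-site tunnel:
nat (outside,outside) source static vpn_local vpn_local destination static sanjose_inside sanjose_inside
! VPN clients -> the inside network and the inside interface itself (management
! access); route-lookup picks the egress from the routing table rather than
! from the interface named in the rule.
nat (outside,inside) source static vpn_local vpn_local destination static inside_nw inside_nw route-lookup
```

show nat detail prints per-rule hit counts: if an identity rule stays at zero while the interface-PAT rule counts the tunnel traffic, the exemption is not matching (wrong interface pair or objects) and the VPN peer sees PATed packets. The identity rules deliberately carry no service objects, so every protocol between the two networks is exempted.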
DNS reply modification on this static rule so that inside users who have access to ftp.cisco.com using the real address receive the real address from the DNS server, and not the mapped address. When an inside host sends a DNS request for the address of ftp.cisco.com, the DNS server replies with the mapped address (209.165.201.10).

DMZ network. The ASA translates the address inside the DNS reply to 10.1.3.14. If the user needs to access ftp.cisco.com using the real address, then no further configuration is required. If there is also

Figure (DNS reply modification with the FTP server on a separate network): ftp.cisco.com is 10.1.3.14; static translation 1 maps it to 209.165.201.10 on the outside and static translation 2 maps it to 192.168.1.10 on the inside. The DNS reply carrying 209.165.201.10 is rewritten to 10.1.3.14 (DNS reply modification 1) and then to 192.168.1.10 (DNS reply modification 2), so the inside user sends the FTP request to 192.168.1.10, which the ASA translates back to 10.1.3.14.

FTP server and DNS server on the outside. The ASA has a static translation for the outside server. In this case, when an inside user requests the address for ftp.cisco.com from the DNS server, the DNS server responds with the real address, 209.165.201.10. Because you want inside users to use the mapped address for ftp.cisco.com (10.1.2.56) you need to configure DNS reply modification for...

Information About NAT
DNS and NAT
Because you want inside users to use the mapped address for ftp.cisco.com (2001:DB8::D1A5:C8E1) you need to configure DNS reply modification for the static translation. This example also includes a static NAT translation for the DNS server, and a PAT rule for the inside IPv6 hosts.

Figure (reverse DNS query): the inside user 10.1.2.27 sends a reverse DNS query for 10.1.2.56.

Where to Go Next
To configure network object NAT, see Chapter 33, “Configuring Network Object NAT.”
To configure twice NAT, see Chapter 34, “Configuring Twice NAT.”
“How NAT is Implemented” section on page 1-13. Network object NAT rules are added to section 2 of the NAT rules table. For more information about NAT ordering, see the “NAT Rule Order” section on page 1-18.

When using FTP with NAT46, when an IPv4 FTP client connects to an IPv6 FTP server, the client must use either the extended passive mode (EPSV) or extended port mode (EPRT); PASV and PORT commands are not supported with IPv6.

Packets” section on page 1-19 for more information.

Configuring Network Object NAT
This section describes how to configure network object NAT and includes the following topics:
• Adding Network Objects for Mapped Addresses, page 1-4

If you use an object, the object or group can contain a host, range, or subnet.
• Identity NAT
– Instead of using an object, you can configure an inline address.
– If you use an object, the object must match the real addresses you want to translate.

1-4.
Step 2
Command: object network obj_name
Purpose: Configures a network object for which you want to configure NAT, or enters object network configuration mode for an existing network object.
Example:
hostname(config)# object network my-host-obj1

PAT is performed using the pat-ip1 address (10.10.10.21). In the unlikely event that the PAT translations are also used up, dynamic PAT is performed using the outside interface address.
hostname(config)# object network nat-range1
hostname(config-network-object)# range 10.10.10.10 10.10.10.20
hostname(config-network-object)# object network pat-ip1
For extended PAT for a PAT pool:
• Many application inspections do not support extended PAT. See the “Default Settings” section on page 1-4 in Chapter 1, “Getting Started with Application Layer Protocol Inspection,” for a complete list of unsupported inspections.

Command: {host ip_address | subnet subnet_address netmask | range ip_address_1 ip_address_2}
Purpose: If you are creating a new network object, defines the real IP address(es) (either IPv4 or IPv6) that you want to translate.
Example:
hostname(config-network-object)# range 10.1.1.1 10.1.1.90

PAT address is used. The round-robin method assigns an address/port from each PAT address in the pool before returning to use the first address again, and then the second address, and so on. (continued)

(inside,outside) dynamic 10.2.2.2
The following example configures dynamic PAT that hides the 192.168.2.0 network behind the outside interface address:
hostname(config)# object network my-inside-net
hostname(config-network-object)# subnet 192.168.2.0 255.255.255.0
hostname(config-network-object)# nat (inside,outside) dynamic interface

1-4.
Step 2
Command: object network obj_name
Purpose: Configures a network object for which you want to configure NAT, or enters object network configuration mode for an existing network object.
Example:
hostname(config)# object network my-host-obj1

Command: {host ip_address | subnet subnet_address netmask | range ip_address_1 ip_address_2}
Purpose: If you are creating a new network object, defines the real IP address(es) (IPv4 or IPv6) that you want to translate.
Example:
hostname(config-network-object)# subnet 10.2.1.0 255.255.255.0
• No Proxy ARP—(Optional) Specify no-proxy-arp to disable proxy ARP for incoming packets to the mapped IP addresses. See the “Mapped Addresses and Routing” section on page 1-19 for more information.

NAT, or enters object network configuration mode for an existing network object. This network object has a different name from the mapped network object (see Step 1) even though they both contain the same IP addresses.
Example:
hostname(config)# object network my-host-obj1

1-22 for more information.

Example
The following example maps a host address to itself using an inline mapped address:
hostname(config)# object network my-host-obj1
hostname(config-network-object)# host 10.1.1.1
hostname(config-network-object)# nat (inside,outside) static 10.1.1.1
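Each procedure in this section yields one network object with one nat command. The following is an added example, not a configuration from the guide, that combines them into a single routed-mode configuration: dynamic NAT from a range with PAT fallback to a host and then to the interface, dynamic PAT from a round-robin pool using the full port range, static NAT with port translation that publishes one service, identity NAT with proxy ARP disabled and a route lookup, and a per-session PAT deny rule. The interface names (inside, dmz, outside), the object names and all addresses are assumed; the public addresses come from the documentation ranges.

```cisco
! Added example, not from the guide. Assumed interfaces inside, dmz, outside;
! object names and addresses are illustrative.
!
! Dynamic NAT with fallback. In a mapped object group, a range is used for
! one-to-one dynamic NAT and a host becomes the PAT fallback; "interface" is the
! last resort once the ports of that host are also exhausted.
object network nat-range1
 range 209.165.201.10 209.165.201.20
object network pat-ip1
 host 209.165.201.21
object-group network nat-pat-grp
 network-object object nat-range1
 network-object object pat-ip1
object network inside-net
 subnet 10.1.1.0 255.255.255.0
 nat (inside,outside) dynamic nat-pat-grp interface
!
! Dynamic PAT (hide) from a pool. round-robin spreads sessions across the pool so
! that no single address looks like a DoS source; flat include-reserve allows
! ports 1-65535 instead of exhausting the 1024-65535 range first.
object network dmz-pat-pool
 range 209.165.201.30 209.165.201.31
object network dmz-net
 subnet 10.1.3.0 255.255.255.0
 nat (dmz,outside) dynamic pat-pool dmz-pat-pool round-robin flat include-reserve
!
! Static NAT with port translation: only TCP/443 of the DMZ web server is
! reachable from outside, published as 8443. The rule is bidirectional, but an
! access rule on outside permitting the real address is still required.
object network dmz-web
 host 10.1.3.14
 nat (dmz,outside) static 209.165.201.40 service tcp 443 8443
!
! Identity NAT for a partner network that must not be translated. The mapped
! object holds the same addresses under a different name. no-proxy-arp stops the
! ASA from answering ARP for 192.168.50.0/24 on the outside segment, and
! route-lookup chooses the egress from the routing table instead of taking the
! interface named in the rule on faith.
object network partner-net-mapped
 subnet 192.168.50.0 255.255.255.0
object network partner-net-real
 subnet 192.168.50.0 255.255.255.0
 nat (inside,outside) static partner-net-mapped no-proxy-arp route-lookup
!
! Per-session PAT is the default for TCP and breaks multi-session protocols;
! SIP over TCP is returned to multi-session PAT with a deny rule.
xlate per-session deny tcp any4 any4 eq sip
```

Check the result with show nat (section 2 order and hit counts: the static rules for dmz-web and partner-net-real are evaluated before the dynamic rules regardless of the order in which they were entered), show nat pool (port allocation per pool address), and packet-tracer input inside tcp 10.1.1.5 40000 198.51.100.20 443, which reports the matching NAT rule and egress interface without sending traffic (198.51.100.20 is an assumed Internet host).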
Command: show nat
Purpose: Shows NAT statistics, including hits for each NAT rule.
Command: show nat pool
Purpose: Shows NAT pool statistics, including the addresses and ports allocated, and how many times they were allocated.
DNS Server and FTP Server on Mapped Interface, FTP Server is Translated (Static NAT with DNS Modification), page 1-25
• IPv4 DNS Server and FTP Server on Mapped Interface, IPv6 Host on Real Interface (Static NAT64 with DNS64 Modification), page 1-26

The following example configures dynamic NAT for inside users on a private network when they access the outside. Also, when inside users connect to an outside web server, that web server address is translated to an address that appears to be on the inside network. (See Figure 1-2.)

Create a network object for the outside web server:
hostname(config)# object network myWebServ
Step 5 Define the web server address:
hostname(config-network-object)# host 209.165.201.12
Step 6 Configure static NAT for the web server:
hostname(config-network-object)# nat (outside,inside) static 10.1.2.20

Create a network object for the load balancer:
hostname(config)# object network myLBHost
Step 3 Define the load balancer address:
hostname(config-network-object)# host 10.1.2.27
Step 4 Configure static NAT for the load balancer:
hostname(config-network-object)# nat (inside,outside) static myPublicIPs

HTTP_SERVER
Step 4 Define the HTTP server address, and configure static NAT with identity port translation for the HTTP server:
hostname(config-network-object)# host 10.1.2.28
hostname(config-network-object)# nat (inside,outside) static 209.165.201.3 service tcp http http
1-5.) In this case, you want to enable DNS reply modification on this static rule so that inside users who have access to ftp.cisco.com using the real address receive the real address from the DNS server, and not the mapped address.

Configuration Examples for Network Object NAT
When an inside host sends a DNS request for the address of ftp.cisco.com, the DNS server replies with the mapped address (209.165.201.10). The ASA refers to the static rule for the inside server and translates the address inside the DNS reply to 10.1.3.14.

FTP server and DNS server on the outside. The ASA has a static translation for the outside server. In this case, when an inside user requests the address for ftp.cisco.com from the DNS server, the DNS server responds with the real address, 209.165.201.10. Because you want inside users to use the mapped address for ftp.cisco.com (10.1.2.56) you need to configure DNS reply modification...

In this case, when an inside IPv6 user requests the address for ftp.cisco.com from the DNS server, the DNS server responds with the real address, 209.165.200.225. Because you want inside users to use the mapped address for ftp.cisco.com (2001:DB8::D1A5:C8E1) you need to configure DNS reply modification for the static translation.

Create a network object for the inside IPv6 network.
hostname(config)# object network IPv6_INSIDE
Define the IPv6 network address, and configure dynamic NAT using a PAT pool.
hostname(config-network-object)# subnet 2001:DB8::/96
hostname(config-network-object)# nat (inside,outside) dynamic pat-pool IPv4_POOL
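Both DNS scenarios above (the outside FTP server that inside IPv4 hosts must reach by its mapped address 10.1.2.56, and the NAT64 case where inside IPv6 hosts must reach it by the mapped address 2001:DB8::D1A5:C8E1) depend on the dns keyword of the nat command and on DNS inspection being applied. The following is an added example, not the guide's listing, that configures both cases and completes the IPv6_INSIDE fragment with its IPv4_POOL and the server objects. The interface names, the pool range 209.165.200.230 to 209.165.200.235, the DNS server address 209.165.201.15 and the object names are assumed; the mapped IPv6 addresses embed the IPv4 address in their low 32 bits, as in the text.

```cisco
! Added example, not the guide's listing. Assumed: interfaces inside (hosts) and
! outside (ftp.cisco.com and the DNS server); pool range, DNS server address and
! object names are illustrative.
!
! Case 1: IPv4 inside hosts reach ftp.cisco.com (209.165.201.10) as 10.1.2.56.
! The DNS server answers with the real address; the dns keyword rewrites the A
! record in the reply to the mapped address as it passes outside -> inside.
object network FTP_SERVER
 host 209.165.201.10
 nat (outside,inside) static 10.1.2.56 dns
!
! Case 2: IPv6 inside hosts (2001:DB8::/96) reach the IPv4 outside through NAT64.
! Source side: dynamic PAT onto an IPv4 pool.
object network IPv4_POOL
 range 209.165.200.230 209.165.200.235
object network IPv6_INSIDE
 subnet 2001:DB8::/96
 nat (inside,outside) dynamic pat-pool IPv4_POOL
! Destination side: one-to-one static NAT64 for the FTP server and for the DNS
! server itself. net-to-net maps the single IPv4 host onto the single /128; dns
! on the FTP rule turns the A record for 209.165.200.225 into a AAAA record for
! 2001:DB8::D1A5:C8E1 (DNS64), so clients connect to the mapped address.
object network FTP_SERVER_64
 host 209.165.200.225
 nat (outside,inside) static 2001:DB8::D1A5:C8E1/128 net-to-net dns
object network DNS_SERVER_64
 host 209.165.201.15
 nat (outside,inside) static 2001:DB8::D1A5:C90F/128 net-to-net
!
! Neither rewrite happens unless DNS inspection is applied to the reply. This is
! the default global policy; it is repeated here so the dependency is explicit.
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
service-policy global_policy global
```

Check with show nat detail (hit counts on the dns rules) and with a lookup from an inside host. If the answer still carries the real address, confirm that inspect dns is in the service policy covering the interface the reply enters on, and that the reply actually crosses the ASA: a DNS server on the same segment as the client is never seen, and no rewrite can occur.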
PAT IP address if ports are available. We did not modify any commands. This feature is not available in 8.5(1) or 8.6(1).

65535 ports per service, as opposed to per IP address, by including the destination address and port in the translation information. We modified the following command: nat dynamic [pat-pool mapped_object [extended]]. This feature is not available in 8.5(1) or 8.6(1).

Note Because of routing issues, we do not recommend using this feature unless you know you need this feature; contact Cisco TAC to confirm feature compatibility with your network. See the following limitations:
•...

PAT xlate. For traffic that requires multi-session PAT, such as H.323, SIP, or Skinny, you can disable per-session PAT by creating a per-session deny rule. We introduced the following commands: xlate per-session, show nat pool.
The destination address is optional. If you specify the destination address, you can either map it to itself (identity NAT), or you can map it to a different address. The destination mapping is always a static mapping.

IP addresses. You also cannot use the management IP address as a mapped address.
• In transparent mode, translating between IPv4 and IPv6 networks is not supported. Translating between two IPv6 networks, or between two IPv4 networks is supported.

IPv4-to-IPv4; with this prerequisite, the ASA can determine the value of any in a NAT rule. For example, if you configure a rule from “any” to an IPv6 server, and that server was mapped from an...

Adding Network Objects for Real and Mapped Addresses
For each NAT rule, configure up to four network objects or groups for:
• Source real address
• Source mapped address
• Destination real address
• Destination mapped address

For static interface NAT with port translation (routed mode only), you can specify the interface keyword instead of a network object/group for the mapped address. For more information, see the “Static Interface NAT with Port Translation” section on page 1-5.

The “not equal” (neq) operator is not supported.
• For identity port translation, you can use the same service object for both the real and mapped ports.
• Source Dynamic NAT—Source Dynamic NAT does not support port translation.

MAPPED_SRC_SVC
hostname(config-service-object)# service tcp source eq 8080

Configuring Dynamic NAT
This section describes how to configure twice NAT for dynamic NAT. For more information, see the “Dynamic NAT” section on page 1-7.
Step 2 (Optional) Create service objects for the:
• Destination real ports
• Destination mapped ports
See the “(Optional) Adding Service Objects for Real and Mapped Ports” section on page 1-6.

IPv6 address of the interface is used. After the mapped IP addresses are used up, then the IP address of the mapped interface is used. For this option, you must configure a specific interface for the mapped_ifc.

To reactivate it, reenter the whole command without the inactive keyword.
• Description—(Optional) Provide a description of up to 200 characters using the description keyword.

SERVERS_2 SERVERS_2

Configuring Dynamic PAT (Hide)
This section describes how to configure twice NAT for dynamic PAT (hide). For more information, see the “Dynamic PAT” section on page 1-8.
Guidelines
For a PAT pool:

Because NAT pools are created for every mapped protocol/IP address/port range, round robin results in a large number of concurrent NAT pools, which use memory. Extended PAT results in an even larger number of concurrent NAT pools.
Step 2 (Optional) Create service objects for the:
• Destination real ports
• Destination mapped ports
See the “(Optional) Adding Service Objects for Real and Mapped Ports” section on page 1-6.

PAT fallback. After the PAT IP addresses are used up, then the IP address of the mapped interface is used. For this option, you must configure a specific interface for the mapped_ifc. (continued)

512 to 1023, and 1024 to 65535. To avoid running out of ports at the low ranges, configure this setting. To use the entire range of 1 to 65535, also specify the include-reserve keyword. (continued)

To reactivate it, reenter the whole command without the inactive keyword.
• Description—(Optional) Provide a description of up to 200 characters using the description keyword.

(Optional) Create service objects for the:
• Source or Destination real ports
• Source or Destination mapped ports
See the “(Optional) Adding Service Objects for Real and Mapped Ports” section on page 1-6.

For this option, you must configure a specific interface for the real_ifc.
– Real—Specify a network object or group. For identity NAT, simply use the same object or group for both the real and mapped addresses.

:65004. Note that you specify the source port range in the service object (and not the destination port) because you want to translate the source address and port as identified in the command; the destination port is “any.” Because static NAT is bidirectional, “source” and “destination” refers primarily
OUTSIDE_IPv4_NW OUTSIDE_IPv4_NW

Configuring Identity NAT
This section describes how to configure an identity NAT rule using twice NAT. For more information about identity NAT, see the “Identity NAT” section on page 1-10.

(Optional) Create service objects for the:
• Source or Destination real ports
• Source or Destination mapped ports
See the “(Optional) Adding Service Objects for Real and Mapped Ports” section on page 1-6.

For identity port translation, simply use the same service object for both the real and mapped ports (source and/or destination ports, depending on your configuration).

Command: show xlate
Purpose: Shows current NAT session information.

Configuration Examples for Twice NAT
This section includes the following configuration examples:
• Different Translation Depending on the Destination (Dynamic PAT), page 1-25

DMZnetwork1 DMZnetwork1
Because you do not want to translate the destination address, you need to configure identity NAT for it by specifying the same address for the real and mapped destination addresses.
Figure 1-12 Twice NAT with Different Destination Ports (inside host 10.1.2.27 on 10.1.2.0/24 is translated to 209.165.202.129 for web packets to the Internet server 209.165.201.11:80, and to 209.165.202.130 for Telnet packets to 209.165.201.11:23)
Step 1 Add a network object for the inside network:

Add a service object for HTTP:
hostname(config)# object service HTTPObj
hostname(config-service-object)# service tcp destination eq http
Step 8 Configure the second twice NAT rule:
hostname(config)# nat (inside,outside) source dynamic myInsideNetwork PATaddress2 destination static TelnetWebServer TelnetWebServer service HTTPObj HTTPObj
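The steps above build the Figure 1-12 configuration one object at a time. As an added example that is not the guide's own listing, the following shows the complete result, adds a static source-port translation of the kind the static NAT procedure describes, and closes with a section 2 catch-all so the ordering between the two sections is visible. The object names from the steps above are reused; the ADMIN_HOST objects, their addresses and the port ranges are assumptions.

```cisco
! Added example, not from the guide. Interfaces inside/outside; addresses from
! Figure 1-12; the ADMIN_* objects and the port ranges are assumed.
object network myInsideNetwork
 subnet 10.1.2.0 255.255.255.0
object network TelnetWebServer
 host 209.165.201.11
object network PATaddress1
 host 209.165.202.129
object network PATaddress2
 host 209.165.202.130
object service TelnetObj
 service tcp destination eq telnet
object service HTTPObj
 service tcp destination eq http
!
! Section 1 rules are matched in the order shown. Each matches on source,
! destination and destination port, so Telnet and HTTP to the same server get
! different PAT addresses. The real and mapped service objects are identical
! because the destination port itself is not changed.
nat (inside,outside) source dynamic myInsideNetwork PATaddress1 destination static TelnetWebServer TelnetWebServer service TelnetObj TelnetObj
nat (inside,outside) source dynamic myInsideNetwork PATaddress2 destination static TelnetWebServer TelnetWebServer service HTTPObj HTTPObj
!
! Static source-port translation for one admin host: real ports 65000-65004
! appear as 1000-1004 on the mapped address. The ranges sit on the "source"
! side of the service objects because it is the source of the packet, as named
! in the rule, that is translated; both ranges contain the same number of ports.
object network ADMIN_HOST
 host 10.1.2.40
object network ADMIN_MAPPED
 host 209.165.202.140
object service REAL_SRC_SVC
 service tcp source range 65000 65004
object service MAPPED_SRC_SVC
 service tcp source range 1000 1004
nat (inside,outside) source static ADMIN_HOST ADMIN_MAPPED service REAL_SRC_SVC MAPPED_SRC_SVC
!
! Everything else from inside is hidden behind the outside interface address.
! This is network object NAT (section 2), so it is consulted only when no
! section 1 rule above matched.
object network myInsideNetwork_catchall
 subnet 10.1.2.0 255.255.255.0
 nat (inside,outside) dynamic interface
```

packet-tracer input inside tcp 10.1.2.27 40000 209.165.201.11 23 should cite the first section 1 rule with a mapped source of 209.165.202.129; repeating it with destination port 80 should cite the second rule and 209.165.202.130. Had the catch-all been written as a twice NAT rule placed first, it would shadow both port-specific rules, because section 1 is matched in order rather than by specificity.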
PAT address from appearing to be part of a DoS attack and makes configuration of large numbers of PAT addresses easy. We modified the following command: nat source dynamic [pat-pool mapped_object [round-robin]].

65535 ports per service, as opposed to per IP address, by including the destination address and port in the translation information. We modified the following command: nat source dynamic [pat-pool mapped_object [extended]]. This feature is not available in 8.5(1) or 8.6(1).

Note Because of routing issues, we do not recommend using this feature unless you know you need this feature; contact Cisco TAC to confirm feature compatibility with your network. See the following limitations:
•...

PAT xlate. For traffic that requires multi-session PAT, such as H.323, SIP, or Skinny, you can disable per-session PAT by creating a per-session deny rule. We introduced the following commands: xlate per-session, show nat pool.
PART: Configuring AAA Servers and the Local Database
This section includes the following topics:
• Information About Authentication, page 1-2
• Information About Authorization, page 1-2
• Information About Accounting, page 1-3
• Summary of Server Support, page 1-3
• RADIUS Server Support, page 1-4

The ASA caches the first 16 authorization requests per user, so if the user accesses the same services during the current authentication session, the ASA does not resend the request to the authorization server.

For example, the ASA can proxy to an RSA/SDI and/or LDAP server via a RADIUS server. Authentication via digital certificates and/or digital certificates with the AAA combinations listed in the table are also supported.

Microsoft VSAs, defined in RFC 2548.
• Cisco VSA (Cisco-Priv-Level), which provides a standard 0-15 numeric ranking of privileges, with 1 being the lowest level and 15 being the highest level. A zero level indicates no privileges. The first level (login) allows privileged EXEC access for the commands available at this level. The second level (enable) allows CLI configuration privileges.

SDI Versions 5.x, 6.x, or 7.x use a two-step process to prevent an intruder from capturing information from an RSA SecurID authentication request and using it to authenticate to another server. The agent first sends a lock request to the SecurID server before sending the user authentication request. The server
LDAP server in plain text. The ASA supports the following SASL mechanisms, listed in order of increasing strength: • Digest-MD5—The ASA responds to the LDAP server with an MD5 value computed from the username and password. Cisco ASA Series CLI Configuration Guide...
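The Digest-MD5 exchange described above, worked through end to end as an added example. This is not code from the Cisco guide and not the ASA's own implementation; it follows the SASL DIGEST-MD5 algorithm of RFC 2831 and checks the arithmetic against the RFC's published test vector (user chris, realm elwood.innosoft.com, password secret). The realm, digest-uri and password database in the constructed exchange are assumptions.

```python
"""SASL DIGEST-MD5 (RFC 2831) challenge/response, both sides of the exchange.

Added example, not code from the Cisco guide. It shows what "an MD5 value
computed from the username and password" means: the client proves knowledge
of the password without ever sending it, and the server proves it too
(rspauth). The realm/URI/password store below are constructed for the demo.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional


def _md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def _md5hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def digest_md5(username: str, realm: str, password: str, nonce: str, cnonce: str,
               nc: str, qop: str, digest_uri: str, authzid: Optional[str] = None,
               server_side: bool = False) -> str:
    """Return the 32-hex-char 'response' (client) or 'rspauth' (server) value.

    RFC 2831, section 2.1.2.1:
      A1 = H(user:realm:pass) ":" nonce ":" cnonce [":" authzid]
      A2 = "AUTHENTICATE:" digest-uri      (client response)
      A2 = ":" digest-uri                  (server rspauth)
      value = HEX(H(HEX(H(A1)) ":" nonce ":" nc ":" cnonce ":" qop ":" HEX(H(A2))))
    The RFC hashes user:realm:pass as ISO-8859-1 when possible; for ASCII
    credentials that is byte-identical to the UTF-8 used here.
    """
    a1 = _md5(f"{username}:{realm}:{password}".encode("utf-8"))
    a1 += f":{nonce}:{cnonce}".encode("utf-8")
    if authzid:
        a1 += f":{authzid}".encode("utf-8")
    a2 = ("" if server_side else "AUTHENTICATE") + ":" + digest_uri
    if qop in ("auth-int", "auth-conf"):
        a2 += ":" + "0" * 32  # integrity/confidentiality variants append 32 zeros
    kd = f"{_md5hex(a1)}:{nonce}:{nc}:{cnonce}:{qop}:{_md5hex(a2.encode('utf-8'))}"
    return _md5hex(kd.encode("utf-8"))


def server_challenge(realm: str) -> Dict[str, str]:
    """Constructed challenge, the LDAP server's first message."""
    return {"realm": realm, "nonce": secrets.token_urlsafe(12),
            "qop": "auth", "algorithm": "md5-sess"}


def client_response(challenge: Dict[str, str], username: str, password: str,
                    digest_uri: str) -> Dict[str, str]:
    """Constructed client reply: everything on the wire except the password."""
    cnonce = secrets.token_urlsafe(12)
    resp = {"username": username, "realm": challenge["realm"],
            "nonce": challenge["nonce"], "cnonce": cnonce, "nc": "00000001",
            "qop": challenge["qop"], "digest-uri": digest_uri}
    resp["response"] = digest_md5(username, resp["realm"], password, resp["nonce"],
                                  cnonce, resp["nc"], resp["qop"], digest_uri)
    return resp


def server_verify(resp: Dict[str, str], password_db: Dict[str, str]) -> Optional[str]:
    """Recompute from the stored password; return rspauth on success, None otherwise."""
    password = password_db.get(resp["username"])
    if password is None:
        return None
    expected = digest_md5(resp["username"], resp["realm"], password, resp["nonce"],
                          resp["cnonce"], resp["nc"], resp["qop"], resp["digest-uri"])
    if not hmac.compare_digest(expected, resp["response"]):
        return None
    return digest_md5(resp["username"], resp["realm"], password, resp["nonce"],
                      resp["cnonce"], resp["nc"], resp["qop"], resp["digest-uri"],
                      server_side=True)


def run_exchange(username: str, password: str, password_db: Dict[str, str],
                 realm: str = "ldap.example.com",
                 digest_uri: str = "ldap/ldap.example.com") -> bool:
    """Full mutual authentication; True only if both sides verify."""
    chal = server_challenge(realm)
    resp = client_response(chal, username, password, digest_uri)
    rspauth = server_verify(resp, password_db)
    if rspauth is None:
        return False
    mine = digest_md5(username, realm, password, chal["nonce"], resp["cnonce"],
                      resp["nc"], resp["qop"], digest_uri, server_side=True)
    return hmac.compare_digest(rspauth, mine)
```

The hashed value is what an eavesdropper sees, not the password, which is the improvement over simple bind in the clear. A captured exchange can still be tested offline against password guesses, so the mechanism protects the wire, not a weak password; LDAP over SSL (server-port 636, ldap-over-ssl) protects the whole session instead.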
The ASA uses the Login Distinguished Name (DN) and Login Password to establish a trust relationship (bind) with an LDAP server. For more information, see the “Binding the ASA to the LDAP Server” section on page 1-4.

ASA tries server 2. If both servers in the group do not respond, and the ASA is configured to fall back to the local database, the ASA tries to authenticate to the local database.

If authentication is disabled and authorization is enabled, the ASA uses the primary DN field for authorization.
• Authentication
– DISABLED (set to None) by the authentication server group setting
– No credentials used
• Authorization
– Enabled by the authorization server group setting

• Configuring LDAP Attribute Maps, page 1-20
• Adding a User Account to the Local Database, page 1-22
• Authenticating Users with a Public Key for SSH, page 1-29
• Differentiating User Roles Using AAA, page 1-29
If all servers in the group are unavailable, the ASA tries the local database if you configured it as a fallback method (management authentication and authorization only). If you do not have a fallback method, the ASA continues to try the AAA servers.

As a result, the test aaa-server {authentication | authorization} aaa-server-group command is not available when a RADIUS server group that is not configured using the ad-agent-mode option is specified.

ACL entries should be placed after the Cisco AV pair entries. This option applies only to VPN connections. For VPN users, ACLs can be in the form of Cisco AV pair ACLs, downloadable ACLs, and an ACL that is configured on the ASA. This option determines whether...

For example, if you use an SDI or certificate server for authentication, no authorization information is passed back. For user authorizations in this case, you can query an LDAP directory after successful authentication, accomplishing authentication and authorization in two steps.

LDAP user attributes to Cisco ASA attribute names. You can then bind these attribute maps to LDAP servers or remove them, as needed. You can also show or clear attribute maps.
Command / Purpose
Step 1: ldap attribute-map map-name
Creates an unpopulated LDAP attribute map table.
Example: hostname(config)# ldap attribute-map att_map_1
Step 2: map-name user-attribute-name Cisco-attribute-name
Maps the user-defined attribute name department to the Cisco attribute.
Example: hostname(config-ldap-attribute-map)# map-name department IETF-Radius-Class
Step 3...

CN=Administrator,CN=Users,DC=cisco,DC=local
hostname(config-aaa-server-host)# server-type auto-detect
hostname(config-aaa-server-host)# ldap-attribute-map MGMT

The following example shows how to display the complete list of Cisco LDAP attribute names:
hostname(config)# ldap attribute-map att_map_1
hostname(config-ldap-attribute-map)# map-name att_map_1?
ldap mode commands/options:
cisco-attribute-names:
Access-Hours
...

Limitations: You cannot use the local database for network access authorization.

The only time you would actually enter the encrypted or nt-encrypted keyword at the CLI is if you are cutting and pasting a configuration file for use in another ASA, and you are using the same password.

Configure LDAP users with a privilege level between 0 and 15, and then map the LDAP attribute to the Cisco VSA CVPN3000-Privilege-Level using the ldap map-attributes command.
• See the privilege command for information about setting command privilege levels.

The following example enables management authorization, creates a user account with a password, enters username attributes configuration mode, and specifies the service-type attribute:
hostname(config)# aaa authorization exec authentication-server
hostname(config)# username user1 password gOgeOus
hostname(config)# username user1 attributes
hostname(config-username)# service-type nas-prompt

ASA. To differentiate user roles, use the service-type attribute in username configuration mode. For RADIUS and LDAP (with the ldap-attribute-map command), you can use a Cisco Vendor-Specific Attribute (VSA), Cisco-Priv-Level, to assign a privilege level to an authenticated user.
Using LDAP Authentication
When users are authenticated through LDAP, the native LDAP attributes and their values can be mapped to Cisco ASA attributes to provide specific authorization features. For the supported list of LDAP VSAs used for authorization, see Table 1-2 on page 1-5.

To clear AAA server statistics, enter the clear configure aaa-server command.
show running-config all ldap attribute-map: Shows all LDAP attribute maps in the running configuration. To clear all LDAP attribute maps in the running configuration, use the clear configuration ldap attribute-map command.

To clear the Zone Labs Integrity server configuration, use the clear configure zonelabs-integrity command.
show ad-groups [filter name string]: Applies only to AD servers using LDAP, and shows groups that are listed on an AD server.

RADIUS Accounting
2548 Microsoft Vendor-specific RADIUS Attributes
2868 RADIUS Attributes for Tunnel Protocol Support
Feature History for AAA Servers
Table 1-3 lists each feature change and the platform release in which it was implemented.

All four attributes are sent for all accounting request packet types: Start, Interim-Update, and Stop. The RADIUS server (for example, ACS and ISE) can then enforce authorization and policy attributes or use them for accounting and billing purposes.

IP addresses. The ASA applies the security policies based on an association of IP addresses to Windows Active Directory login information and reports events based on the mapped user names instead of network IP addresses.
Active Directory (AD) Agent
The AD Agent runs on a Windows server. Supported Windows servers include Windows 2003, Windows 2008, and Windows 2008 R2.
Note: Windows 2003 R2 is not supported for the AD Agent server.

AD Agent for each new IP address or by maintaining a local copy of the entire user identity and IP address database.
• Supports host group, subnet, or IP address for the destination of a user identity policy.

Scenario 1 shows a simple installation without component redundancy. Scenario 2 also shows a simple installation without redundancy. However, in that deployment scenario, the Active Directory server and AD Agent are co-located on one Windows server.

Figure 1-4, all Identity Firewall components—Active Directory server, the AD Agent, and the clients—are installed and communicate on the LAN.
Figure 1-4 LAN-based Deployment (figure elements: Client, NetBIOS Probe, mkg.example.com, 10.1.1.2, AD Servers, AD Agent)

The clients access these components locally when logging into network resources located at the main site. The remote Active Directory server must synchronize its data with the central Active Directory servers located at the main site.

When you have failover configured, you must configure the AD Agent to communicate with both the active and standby ASA devices. See the Installation and Setup Guide for the Active Directory Agent for the steps to configure the ASA on the AD Agent server.

(except VPN filter) –
• When you use the Cisco Context Directory Agent (CDA) in conjunction with the ASA or Cisco Ironport Web Security Appliance (WSA), make sure that you open the following ports:
– Authentication port for UDP—1645
–...

Before running the AD Agent Installer, you must install the following patches on every Microsoft Active Directory server that the AD Agent monitors. These patches are required even when the AD Agent is installed directly on the domain controller server. See the README First for the Cisco Active Directory Agent.
Directory and uses it as the base DN.
Step 4: hostname(config-aaa-server-host)# ldap-scope subtree
Specifies the extent of the search in the LDAP hierarchy that the server should make when it receives an authorization request.

389; if ldap-over-ssl is enabled, the default server-port is 636.
Examples:
hostname(config-aaa-server-host)# server-port 389
hostname(config-aaa-server-host)# server-port 636
Step 11: hostname(config-aaa-server-host)# group-search-timeout seconds
Sets the amount of time before LDAP queries time out.
Example: hostname(config-aaa-server-host)# group-search-timeout 300

RADIUS as the communication protocol, and should specify the key attribute for the shared secret between the ASA and the AD Agent.
Step 5: hostname(config-aaa-server-host)# test aaa-server ad-agent
Tests the communication between the ASA and the AD Agent server.

AD Agent and Microsoft Active Directory. See Prerequisites, page 1-8, for the requirements for the AD Agent and Microsoft Active Directory installation. To configure the Identity Options for the Identity Firewall, perform the following steps:

[!@#$%^&()-_=+[]{};,. ] except '.' and ' ' at the first character. If the domain name contains a space, you must enclose that space character in quotation marks. The domain name is not case sensitive.

ASA runs an inactive timer even when the NetBIOS Logout Probe is configured. By default, the idle timeout is set to 60 minutes.
Note: The Idle Timeout option does not apply to VPN or cut-through proxy users.

Additionally, the status of all user IP addresses in that domain is marked as disabled in the output displayed by the show user-identity user command. By default, this command is disabled.

When the ASA registers a change request with the AD Agent, the AD Agent sends a new event to the ASA.
AAA rule. Then, configure a AAA rule that denies Any users (these users are not subject to the AAA rule, and were handled already by the access rule), but permits all None users:
access-list 100 ex permit ip user CISCO\xyz any any
access-list 100 ex deny ip user CISCO\abc any any
access-list 100 ex permit ip user NONE any any ----> these users will match AAA rule
access-list 100 ex deny any any
access-group 100 in interface inside
access-list 200 ex deny ip user ANY any any ----->...
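To make the ordering above concrete, here is an added example (not ASA code, and not from the guide) that parses the access-list lines shown and evaluates them first-match against constructed traffic. It models only the identity semantics the text relies on: user ANY matches any source address that currently has a user mapping, user NONE matches addresses with no mapping, an ACE without a user clause matches everyone, and an unmatched packet hits the implicit deny at the end of the ACL. The IP-to-user map, the second ACE of access-list 200 (the guide's listing is cut off there) and the case-insensitive user comparison are assumptions.

```python
"""First-match evaluation of identity-aware ACLs (user ANY / user NONE semantics).

Added example; it is not ASA code and only models the ordering logic described
in the guide. The IP-to-user map and the trailing ACE of access-list 200 are
constructed for the demo.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Ace:
    action: str                            # "permit" or "deny"
    user: Optional[str]                    # "CISCO\\xyz", "ANY", "NONE", or None (no user clause)
    src: Optional[ipaddress.IPv4Network]   # None means "any"
    dst: Optional[ipaddress.IPv4Network]


# ACEs copied from the guide's listing; the last line of ACL 200 is a constructed
# assumption (the AAA-rule ACE that permits users with no mapping).
ACL_LINES = [
    r"access-list 100 ex permit ip user CISCO\xyz any any",
    r"access-list 100 ex deny ip user CISCO\abc any any",
    r"access-list 100 ex permit ip user NONE any any ----> these users will match AAA rule",
    r"access-list 100 ex deny any any",
    r"access-list 200 ex deny ip user ANY any any",
    r"access-list 200 ex permit ip user NONE any any",   # constructed
]

# Constructed IP-to-user mappings, as the AD Agent would report them.
IP_USER = {"10.1.1.10": r"CISCO\xyz", "10.1.1.11": r"CISCO\abc"}


def _addr(tokens: List[str]) -> Optional[ipaddress.IPv4Network]:
    tok = tokens.pop(0)
    if tok == "any":
        return None
    return ipaddress.IPv4Network(f"{tok}/{tokens.pop(0)}", strict=False)


def parse_ace(line: str) -> Tuple[str, Ace]:
    """Parse one 'access-list <name> ex ...' line; trailing '---->' notes are dropped."""
    tokens = line.split("---")[0].split()
    if len(tokens) < 4 or tokens[0] != "access-list":
        raise ValueError(f"not an ACE: {line!r}")
    name, tokens = tokens[1], tokens[2:]
    if tokens[0] in ("ex", "extended"):
        tokens.pop(0)
    action = tokens.pop(0)
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in {line!r}")
    if tokens[0] == "ip":
        tokens.pop(0)
    user = None
    if tokens[0] == "user":
        tokens.pop(0)
        user = tokens.pop(0)
    return name, Ace(action, user, _addr(tokens), _addr(tokens))


def load_acls(lines: List[str]) -> Dict[str, List[Ace]]:
    acls: Dict[str, List[Ace]] = {}
    for line in lines:
        if not line.strip() or line.startswith(("!", "access-group")):
            continue
        name, ace = parse_ace(line)
        acls.setdefault(name, []).append(ace)
    return acls


def _user_matches(ace_user: Optional[str], mapped_user: Optional[str]) -> bool:
    if ace_user is None:
        return True                       # no user clause: identity not considered
    if ace_user == "ANY":
        return mapped_user is not None    # any mapped user
    if ace_user == "NONE":
        return mapped_user is None        # address with no user mapping
    # Assumption: domain\user compared case-insensitively.
    return mapped_user is not None and mapped_user.casefold() == ace_user.casefold()


def evaluate(acl: List[Ace], ip_user: Dict[str, str], src_ip: str, dst_ip: str) -> str:
    """Return 'permit' or 'deny' for the first matching ACE; implicit deny otherwise."""
    src, dst = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    mapped = ip_user.get(src_ip)
    for ace in acl:
        if not _user_matches(ace.user, mapped):
            continue
        if ace.src is not None and src not in ace.src:
            continue
        if ace.dst is not None and dst not in ace.dst:
            continue
        return ace.action
    return "deny"
```

Running it reproduces the design in the text: with ACL 100, xyz is permitted and abc denied by the access rule, while the unmapped 10.1.1.50 falls through to the NONE entry and is handed to the AAA rule; ACL 200 then denies every mapped user (already decided by the access rule) and leaves only unmapped addresses for AAA.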
Note that all VPN users will be stored under domain LOCAL. Therefore, it is only meaningful to apply the rules over LOCAL users or an object-group containing LOCAL users.
Note: IDFW rules can only be applied to vpn-filter under group-policy and are not available in all the other group-policy features.

This section contains the following topics:
• Monitoring AD Agents, page 1-22
• Monitoring Groups, page 1-22
• Monitoring Memory Usage for the Identity Firewall, page 1-22
• Monitoring Users for the Identity Firewall, page 1-23

You specify whether the ASA uses on demand retrieval or full download retrieval. Selecting On Demand has the benefit of using less memory as only users of...

If the command user-identity action domain-controller-down domain_name disable-user-identity-rule is configured and the specified domain is down, or if user-identity action ad-agent-down disable-user-identity-rule is configured and the AD Agent is down, all the logged-on users have the status disabled.
This chapter includes the following sections:
• Information About the ASA Integrated with Cisco TrustSec, page 1-1
• Licensing Requirements when Integrating the ASA with Cisco TrustSec, page 1-7
• Prerequisites for Integrating the ASA with Cisco TrustSec, page 1-8
•...

(RBACL). Device and user credentials acquired during authentication are used to classify packets by security groups. Every packet entering the Cisco TrustSec cloud is tagged with a security group tag (SGT). The tagging helps trusted intermediaries identify the source identity of the packet and enforce security policies along the data path.

The PDP provides features such as 802.1x, MAB, and Web authentication. The PDP supports authorization and enforcement through VLAN, DACL, and security group access (SGACL/SXP/SGT). In the Cisco TrustSec solution, the Cisco Identity Services Engine (ISE) acts as the PDP. The Cisco ISE provides identity and access control policy functionality.
•...

Chapter 1, “Configuring the Identity Firewall” for information about configuring user-based security policies. As part of configuring the ASA to function with Cisco TrustSec, you must import a Protected Access Credential (PAC) file from the ISE. See Importing a Protected Access Credential (PAC) File, page 1-13.

Figure 1-2 Security Policy Enforcement (figure elements: AD (PIP), ISE (PDP/PAP), Authentication, User, Network Data Flow, Access Firewall, End-Point, Switch (PEP), Switch (AR), (PEP))

ASA starts the reconcile timer; then, the ASA updates the IP-SGT mapping database to learn the latest mappings.
Features of the ASA-Cisco TrustSec Integration
The ASA leverages Cisco TrustSec as part of its identity-based firewall feature. Integrating the ASA with Cisco TrustSec provides the following key features.
Flexibility
•...

Table 1-1 Capacity Numbers for IP-SGT Mappings
ASA Platform / Number of IP-SGT Mapped Entries
5505
5510 / 1000
5520 / 2500
5540 / 5000
...
Generate the PAC file on the ISE to import into the ASA.
Registering the ASA with the ISE
The ASA must be configured as a recognized Cisco TrustSec network device in the ISE before the ASA can successfully import a PAC file.

Supports a list of servers via configuration. If the first server is unreachable, the ASA will try to contact the second server in the list, and so on. However, the server list downloaded as part of the Cisco TrustSec environment data is ignored.

(SXP peer A) - - - - (ASA) - - - (SXP peer B)
Therefore, when configuring the ASA to integrate with Cisco TrustSec, you must enable the no-NAT, no-SEQ-RAND, and MD5-AUTHENTICATION TCP options on the ASA to configure SXP connections.

Configuring the Security Policy, page 1-20.
Configuring the AAA Server for Cisco TrustSec Integration
As part of configuring the ASA to integrate with Cisco TrustSec, you must configure the ASA so that it can communicate with the ISE. See also the “Configuring AAA Server Groups”...

Step 1: hostname(config-aaa-server-host)# exit
Exits from the AAA server host configuration mode.
Step 2: hostname(config)# cts server-group AAA-server-group-name
Identifies the AAA server group that is used by Cisco TrustSec for environment data retrieval. Where AAA-server-group-name is the name of the...

Examples
The following example shows how to configure the ASA to communicate with the ISE server for Cisco TrustSec integration:
hostname(config)# aaa-server ISEserver protocol radius
hostname(config-aaa-server-group)# exit
hostname(config)# aaa-server ISEserver (inside) host 192.0.2.1
...

To import a PAC file, perform the following steps:
Command / Purpose
Step 1: hostname(config)# cts import-pac filepath password...
Imports a Cisco TrustSec PAC file.

To configure SXP, perform the following steps:
Command / Purpose
Step 1: hostname(config)# cts sxp enable
If necessary, enables SXP on the ASA. By default, SXP is disabled.

Command / Purpose
Step 4: hostname(config)# cts sxp retry period timervalue
Specifies the default time interval between ASA attempts to set up new SXP connections between SXP peers.
Example:
hostname(config)# cts sxp retry period 60
hostname(config)# cts sxp reconcile period 60

Adding an SXP Connection Peer
SXP connections between peers are point-to-point and use TCP as the underlying transport protocol.

To add an SXP connection peer, perform the following steps:
Command / Purpose
Step 1: hostname(config)# cts sxp enable
If necessary, enables SXP on the ASA. By default, SXP is disabled.

ASA.
Prerequisites
The ASA must be configured as a recognized Cisco TrustSec network device in the ISE and the ASA must have successfully imported a PAC file, so that the changes made for Cisco TrustSec are applied to the ASA.

Configuring the Security Policy
You can incorporate TrustSec policy in many ASA features. Any feature that uses extended ACLs (unless listed in this chapter as unsupported) can take advantage of TrustSec. You can now add security group arguments to extended ACLs, as well as traditional network-based parameters.

Configuration Example
! If user Tom or object_group security objgrp-hr-admin needs to be matched, multiple ACEs can be defined as follows:
access-list idfw-acl2 permit ip user CSCO\Tom 10.1.1.0 255.255.255.0 object-group-security objgrp-hr-servers any
access-list idfw-acl2 permit ip object-group-security objgrp-hr-admin 10.1.1.0 255.255.255.0...
Displaying the Cisco TrustSec Configuration for the ASA
Syntax: show running-config cts
Description: Specify the show running-config cts command to display the configured default values for the Cisco TrustSec infrastructure and the SXP commands.
Output: This example displays the basic Cisco TrustSec configuration settings:...

peer peer_addr: Displays only connections with the matched peer IP address.
local local_addr: Displays only connections with the matched local IP address.
ipv4: Displays only IPv4 connections.

Peer IP      Local IP     Conn Status   Duration (dd:hr:mm:sec)
-----------------------------------------------------------------------------
2.2.2.1      2.2.2.2                    0:00:02:14
3.3.3.1      3.3.3.2                    0:00:02:14
------------------------------------------------------------------------------------------
Peer IP      Local IP     Conn Status   Duration...

Description: This command displays the Cisco TrustSec environment information contained in the security group table on the ASA. This information includes the expiry timeout and security group name table. The security group table is populated with data from the ISE when you import the PAC file.

Payroll
54321 multicast (reserved)
Monitoring Cisco TrustSec IP-SGT Mappings
This section contains the following topics about monitoring Cisco TrustSec IP-SGT mappings:
• To display IP-SGT Manager entries in the control plane, page 1-26
• To display IP-SGT mappings learned via SXP, page 1-27
•...

Total number of SXP bindings = 2
Total number of active bindings = 2
This example shows detailed information, including the security group names, about IP-SGT mappings...

Note: The show cts sgt-map command displays the IP-SGT Manager entries in the control path, while the show cts sxp sgt-map command displays more detailed information, such as the instance number and peer IP address.

To display the IP-SGT mappings database in the datapath
Syntax: show asp table cts sgt-map [address ipv4_addr|address ipv6_addr|ipv4|ipv6|sgt value]
Description: This command displays the IP-SGT mappings from the IP-SGT mappings database maintained in the datapath.

Monitoring the PAC File
Syntax: show cts pac
Description: This command displays information about the PAC file imported into the ASA from the ISE.

In this release, the ASA integrates with Cisco TrustSec to provide security group based policy enforcement. Access policies within the Cisco TrustSec domain are topology-independent, based on the roles of source and destination devices rather than on network IP addresses.
This section includes the following topics:
• Public Key Cryptography, page 1-2
• Certificate Scalability, page 1-2
• Key Pairs, page 1-2
• Trustpoints, page 1-3
• Revocation Checking, page 1-4
• The Local CA, page 1-6

CA, so that CA functions can continue when the CA is unavailable.
Key Pairs
Key pairs are RSA keys, which have the following characteristics:
• RSA keys can be used for SSH or SSL.
• SCEP enrollment supports the certification of RSA keys.

The ASA supports this feature only with an AnyConnect SSL or IKEv2 VPN session. It supports all SCEP-compliant CAs, including IOS CS, Windows Server 2003 CA, and Windows Server 2008 CA. Clientless (browser-based) access does not support SCEP proxy, although WebLaunch—clientless-initiated AnyConnect—does support it.

Supported CA Servers
The ASA supports the following CA servers: Cisco IOS CS, ASA Local CA, and third-party X.509 compliant CA vendors including, but not limited to:
• Baltimore Technologies
•...

CA certificate. Then you configure the match certificate command in the client certificate validating trustpoint to use the trustpoint that includes the self-signed OCSP responder certificate to validate the responder certificate. Use the same procedure for...

CRL inquiries coming from other certificate validating devices and ASAs. Local CA database and configuration files are maintained either on the ASA flash memory (default storage) or on a separate storage device.

Prerequisites for SCEP Proxy Support
Configuring the ASA as a proxy to submit requests for third-party certificates has the following requirements:
• AnyConnect Secure Mobility Client 3.0 or later must be running at the endpoint.

Identity certificates that are automatically generated with SCEP are regenerated after each reboot, so make sure that you manually install your own identity certificates. For an example of this procedure that applies only to SSL, see the following URL: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00809fcf91.shtml.

• Customizing the Local CA Server, page 1-25
• Debugging the Local CA Server, page 1-26
• Disabling the Local CA Server, page 1-26
• Deleting the Local CA Server, page 1-26
• Configuring Local CA Certificate Characteristics, page 1-27

WARNING: All RSA keys will be removed.
WARNING: All device certs issued using these keys will also be removed.
Do you really want to remove these keys? [yes/no] y
Example: hostname/contexta(config-ca-trustpoint)# crl configure
Step 5: email address
During enrollment, asks the CA to include the specified e-mail address in the Subject Alternative Name extension of the certificate.
Example: hostname/contexta(config-ca-trustpoint)# email example.com

Step 14: password string
Specifies a challenge phrase that is registered with the CA during enrollment. The CA usually uses this phrase to authenticate a subsequent revocation request.
Example: hostname/contexta(config-ca-trustpoint)# password mypassword

To set all CRL configuration parameters to default values, use the default command. At any time during CRL configuration, reenter this command to restart the procedure.
hostname (config-ca-trustpoint)# crl configure
Step 3 Do one of the following:

Do one of the following:
enforcenextupdate: Requires the NextUpdate field in CRLs. This is the default setting.
Example: hostname (config-ca-crl)# enforcenextupdate
no enforcenextupdate: Allows the NextUpdate field to be absent in CRLs.
Example: hostname (config-ca-crl)# no enforcenextupdate

The following example exports PKCS12 data for the trustpoint Main with the passphrase Wh0zits:
hostname (config)# crypto ca export Main pkcs12 Wh0zits
Exported pkcs12 follows:
[ PKCS12 data omitted ]
---End - This line not part of the pkcs12---

% The fully-qualified domain name in the certificate will be: securityappliance.example.com
Enter the base 64 encoded certificate.
End with a blank line or the word “quit” on a line by itself
[ certificate data omitted ]
quit
INFO: Certificate successfully imported

• nc—No part of the field or attribute can match the value given.
Step 4: write memory
Saves the running configuration.
Example: hostname (config)# write memory

Make sure that the certificate is in base-64 format.
MIIBoDCCAQkCAQAwIzEhMB8GCSqGSIb3DQEJAhYSRmVyYWxQaXgu
Y2lzY28uY29t
[ certificate request data omitted ]
jF4waw68eOxQxVmdgMWeQ+RbIOYmvt8g6hnBTrd0GdqjjVLt
---End - This line not part of the certificate request---
Redisplay enrollment request? [yes/no]: n
CA certificate for the trustpoint.
Example: hostname(config)# show crypto ca server certificate Main
Step 5: write memory
Saves the running configuration. Repeat these steps for each trustpoint that you configure for manual enrollment.
Example: hostname(config)# write memory

Note: If the ASA reboots after you have issued the crypto ca enroll command but before you have received the certificate, reenter the crypto ca enroll command and notify the CA administrator.

use-common-password secret
Once the endpoint has the certificate, AnyConnect disconnects, then reconnects to the ASA to qualify for a DAP policy that provides access to internal network resources.

After you enable the local CA server, save the configuration to make sure that the local CA certificate and keypair are not lost after a reboot occurs.
Examples
The following example enables the local CA server:
hostname (config)# crypto ca server

CA uses as a from address when sending e-mail messages that deliver OTPs for an enrollment invitation to users.
Example: hostname (config-ca-server)# smtp from-address SecurityAdmin@example.com

The following example shows how to configure and enable the local CA server using the predefined default values for all required parameters:
hostname (config)# crypto ca server
hostname (config-ca-server)# smtp from-address SecurityAdmin@example.com
hostname (config-ca-server)# subject-name-default cn=engineer, o=asc Systems, c=US
hostname (config-ca-server)# no shutdown

SN = Surname
• ST = State/Province
Note: If you do not specify a subject-name-default to serve as a standard subject-name default, you must specify a DN each time that you add a user.

INFO: Local CA Server has been shutdown.
Deleting the Local CA Server
To delete an existing local CA server (either enabled or disabled), enter one of the following commands:
Command / Purpose
Do one of the following:
• Revoking Certificates, page 1-40
• Maintaining the Local CA Certificate Database, page 1-40
• Rolling Over Local CA Certificates, page 1-40
• Archiving the Local CA Server Certificate and Keypair, page 1-41
To configure the local CA server certificate lifetime, perform the following commands:

Step 1
Command: crypto ca server
Purpose: Enters local CA server configuration mode. Allows you to configure and manage a local CA.
Example:
hostname(config)# crypto ca server
OTP for certificate renewal. Make sure that you limit the validity period of the certificate to less than the recommended end date of 03:14:08 UTC, January 19, 2038.
After you have enabled the local CA, you cannot change the local CA keysize, because all issued certificates would be invalidated. To change the local CA keysize, you must delete the current local CA and reconfigure a new one.
Only the user who mounts a file system can unmount it with the no mount command.

Example:
hostname(config)# mount mydata type cifs
hostname(config-mount-cifs)# server 10.1.1.10
hostname(config-mount-cifs)# share myshare
hostname(config-mount-cifs)# domain example.com
hostname(config-mount-cifs)# username user6
hostname(config-mount-cifs)# password ********
hostname(config-mount-cifs)# status enable
-rwx  229   13:07:49 Jan 20 2007  LOCAL-CA-SERVER.cdb
-rwx  0     01:09:28 Jan 20 2007  LOCAL-CA-SERVER.udb
-rwx  232   19:09:10 Jan 20 2007  LOCAL-CA-SERVER.crl
-rwx  1603  01:09:28 Jan 20 2007  LOCAL-CA-SERVER.p12

127119360 bytes total (79693824 bytes free)
ASA matches the path /user8/my_crl_file to the configured CDP URL. When the path matches, the ASA returns the stored CRL file.

Note: The protocol must be HTTP, so the prefix displayed is http://.
Revocation checking is performed when a validating party needs to validate a user certificate by retrieving the revocation status from an external server, which might be the CA that issued the certificate or a server designated by the CA.
After the enrollment retrieval time expires, the user certificate and keypair are no longer available. The only way a user may receive a certificate is for the administrator to reinitialize certificate enrollment and allow the user to log in again.
When an administrator wants to notify a user through e-mail, the administrator must specify the e-mail address in the username field or in the e-mail field when adding that user.

Example:
hostname(config-ca-server)# crypto ca server user-db email-otp exampleuser1
PKCS12 file is removed from storage automatically and is no longer available to download.

Note: If the enrollment period expires before the user retrieves the PKCS12 file that includes the user certificate, enrollment is not permitted.
Therefore, if an administrator does not want to allow a user to renew automatically, the administrator must remove the user from the database before the renewal time period.
Command: crypto ca server user-db remove username
Purpose: Removes a user from the user database and allows revocation of any valid certificates that were issued to that user.
Example:
hostname(config)# crypto ca server user-db remove user1
The local CA certificate rolls over automatically after expiration using the same keypair. The rollover certificate is available for export in base 64 format.

Examples

The following example shows a base 64 encoded local CA certificate:
show crypto ca server user-db on-hold
  Shows users without certificates who are not allowed to enroll.
show crypto key name of key
  Shows key pairs that you have generated.
show running-config
  Shows local CA certificate map rules.
The following example shows output of the show running-config command, in which local CA certificate map rules appear:

crypto ca certificate map 1
 issuer-name co asc
 subject-name attr ou eq Engineering
Certificate management, 7.2(1)
We introduced the following commands: issuer-name DN-string, revocation-check crl none, revocation-check crl, revocation-check none.
We deprecated the following commands: crl {required | optional | nocheck}.
We introduced the following commands: crypto ikev2 enable outside client-services port portnumber, scep-enrollment enable, scep-forwarding-url value URL, secondary-pre-fill-username clientless hide use-common-password password, secondary-pre-fill-username ssl-client hide use-common-password password, secondary-username-from-certificate {use-entire-name | use-script | {primary_attr [secondary-attr]}} [no-certificate-fallback cisco-secure-desktop machine-unique-id].
For transparent mode only, an EtherType rule controls network access for non-IP traffic. An EtherType rule permits or denies traffic based on the EtherType.

This section includes the following topics:
• General Information About Rules, page 1-2
• Information About Extended Access Rules, page 1-4
“Inbound and Outbound Rules” section on page 1-3.

Using Access Rules and EtherType Rules on the Same Interface

You can apply one access rule and one EtherType rule to each direction of an interface.
(See Figure 1-1.) The outbound access list prevents any other hosts from reaching the outside network.
Access Rules for Returning Traffic

For TCP and UDP connections in both routed and transparent mode, you do not need an access rule to allow returning traffic, because the ASA allows all returning traffic for established, bidirectional connections.
Information About EtherType Rules

This section describes EtherType rules and includes the following topics:
• Supported EtherTypes and Other Traffic, page 1-6
• Access Rules for Returning Traffic, page 1-6
• Allowing MPLS, page 1-6
IP address on the ASA interface as the router-id for LDP or TDP sessions. (LDP and TDP allow MPLS routers to negotiate the labels (addresses) used to forward packets.) On Cisco IOS routers, enter the appropriate command for your protocol, LDP or TDP. The interface is the interface connected to the ASA.
The log option in the per-user access list has no effect.

Default Settings

See the “Implicit Permits” section on page 1-2.

Configuring Access Rules

To apply an access rule, perform the following steps.
The access-list command lets any host access the global address using port 80. The access-group command specifies that the access-list command applies to traffic entering the outside interface.
1256
hostname(config)# access-list nonIP ethertype permit any
hostname(config)# access-group ETHER in interface inside
hostname(config)# access-group ETHER in interface outside

The following example uses object groups to permit specific traffic on the inside interface:
Support for TrustSec, 9.0(1)
You can now use TrustSec security groups for the source and destination. You can use an identity firewall ACL with access rules.
We modified the following commands: access-list extended.
Extended ACL and object enhancement to filter ICMP traffic by ICMP code, 9.0(1)
ICMP traffic can now be permitted/denied based on ICMP code.
We introduced or modified the following commands: access-list extended, service-object, service.
Chapter 1 Configuring Access Rules
Feature History for Access Rules
• Using an SSH Client, page 1-5
• Configuring HTTPS Access for ASDM, page 1-6

Licensing Requirements for ASA Access for ASDM, Telnet, or SSH

The following table shows the licensing requirements for this feature:
If you want to use a AAA server for authentication instead of the local database, we recommend also configuring local authentication as a backup method.
To gain access to the ASA CLI using Telnet, enter the login password set by the password command.

(9.0(2) and later) The default Telnet login password was removed; you must manually set the password before using Telnet. See the “Setting the Login Password” section on page 16-2.
30 have been completed.

Step 7 (Optional)
Command: ssh version version_number
Purpose: Limits access to SSH version 1 or 2. By default, SSH allows both versions 1 and 2.
Example:
hostname(config)# ssh version 2
SSH key exchange before user authentication occurs. These tasks can take up to two minutes or longer. The dot is a progress indicator that verifies that the ASA is busy and has not hung.
• Licensing Requirements for CLI Parameters, page 1-7
• Guidelines and Limitations, page 1-7
• Configuring a Login Banner, page 1-7
• Customizing a CLI Prompt, page 1-8
• Changing the Console Timeout, page 1-9
You have logged in to a secure device. If you are not authorized to access this device, log out immediately or risk possible criminal consequences.

• See RFC 2196 for guidelines about banner messages.

To configure a login banner, perform the following steps:
(Single and multiple mode) Displays the cluster unit name. Each unit in a cluster can have a unique name.
context
  (Multiple mode only) Displays the name of the current context.
domain
  Displays the domain name.
hostname
  Displays the hostname.
Command: console timeout number
Purpose: Specifies the idle time in minutes (0 through 60) after which the privileged session ends. The default timeout is 0, which means the session does not time out.
Example:
hostname(config)# console timeout 0
ICMP packet and generates a syslog message. An exception is when an ICMP rule is not configured; in that case, a permit statement is assumed.

Licensing Requirements for ICMP Access

The following table shows the licensing requirements for this feature:

Model: All models
License Requirement: Base License.
If you cannot ping the ASA interface, make sure that you enable ICMP to the ASA for your IP address using the icmp command.

Default Settings

By default, you can send ICMP packets to any ASA interface using either IPv4 or IPv6.
The following example shows how to permit host 2000:0:0:4::2 or hosts on prefix 2001::/64 to ping the outside interface:

hostname(config)# ipv6 icmp permit host 2000:0:0:4::2 echo-reply outside
hostname(config)# ipv6 icmp permit 2001::/64 echo-reply outside
hostname(config)# ipv6 icmp permit any packet-too-big outside
IP address. To allow only VPN client users access to ASDM or HTTP (and deny access to all other users), enter the following commands:

hostname(config)# http server enable
hostname(config)# http 192.168.10.0 255.255.255.0 management_interface
• Viewing the Currently Logged-In User, page 1-31
• Recovering from a Lockout, page 1-32

Information About AAA for System Administrators

This section describes AAA for system administrators and includes the following topics:
• Information About Management Authentication, page 1-15
However, if you configure Telnet or serial authentication in the admin context, then authentication also applies to sessions from the switch to the ASASM. The admin context AAA server or local user database is used in this instance.