Cisco Asdm 7 User Guide

Cisco ASA Series Firewall ASDM Configuration Guide

Chapter 9 Configuring Public Servers
    This section describes how to configure public servers, and includes the following topics:
    Information About Public Servers, page 9-1
    Licensing Requirements for Public Servers, page 9-1
    Guidelines and Limitations, page 9-1
    Adding a Public Server that Enables Static NAT, page 9-2
    Adding a Public Server that Enables Static NAT with PAT, page 9-2
    Editing Settings for a Public Server, page 9-3
    Feature History for Public Servers, page 9-4
    Information About Public Servers
The Public Servers pane enables an administrator to provide internal and external users access to various application servers. This pane displays a list of public servers, their internal and external addresses, the interfaces to which the internal or external addresses apply, whether the addresses are translated, and the service that is exposed. You can add, edit, delete, or modify settings for existing public servers.
Licensing Requirements for Public Servers
Model | License Requirement
All models | Base License
Guidelines and Limitations
This section includes the guidelines and limitations for this feature.
Context Mode Guidelines
Supported in single and multiple context mode.
    						
    							 
    Firewall Mode Guidelines
    Supported in routed and transparent firewall mode.
    Adding a Public Server that Enables Static NAT
    To add a public server that enables static NAT and creates a fixed translation of a real address to a 
    mapped address, perform the following steps:
Step 1 In the Configuration > Firewall > Public Servers pane, click Add to add a new server.
The Add Public Server dialog box appears.
Step 2 From the Private Interface drop-down menu, select the name of the private interface to which the real server is connected.
Step 3 In the Private IP address field, enter the real IP address of the server (IPv4 only).
Step 4 In the Private Service field, click Browse to display the Browse Service dialog box, choose the actual service that is exposed to the outside, and click OK.
Optionally, from the Browse Service dialog box you can click Add to create a new service or service group. Multiple services from various ports can be opened to the outside. For more information about service objects and service groups, see the “Configuring Service Objects and Service Groups” section on page 20-7 in the general operations configuration guide.
Step 5 From the Public Interface drop-down menu, choose the interface through which users from the outside can access the real server.
Step 6 In the Public Address field, enter the mapped IP address of the server, which is the address that is seen by the outside user.
Step 7 (Optional) To enable static PAT, check the Specify if Public Service is different from private service check box.
Step 8 Click OK. The configuration appears in the main pane.
Step 9 Click Apply to generate static NAT and a corresponding access rule for the traffic flow and to save the configuration.
For information about static NAT, see the “Information About Static NAT” section on page 3-3.
    Adding a Public Server that Enables Static NAT with PAT
    To add a public server that lets you specify a real and mapped protocol (TCP or UDP) to a port, perform 
    the following steps:
Step 1 Choose Configuration > Firewall > Public Servers, then click Add.
The Add Public Server dialog box appears.
Step 2 From the Private Interface drop-down menu, choose the name of the private interface to which the real server is connected.
Step 3 In the Private IP address field, enter the real IP address of the server (only IPv4 is supported).
    						
    							 
Step 4 In the Private Service field, click Browse to display the Browse Service dialog box.
Step 5 Choose the actual service that is exposed to the outside, and click OK.
Optionally, from the Browse Service dialog box, click Add to create a new service or service group. Multiple services from various ports can be opened to the outside. For more information about service objects and service groups, see the “Configuring Service Objects and Service Groups” section on page 20-7 in the general operations configuration guide.
Step 6 From the Public Interface drop-down menu, choose the interface through which users from the outside can access the real server.
Step 7 In the Public Address field, enter the mapped IP address of the server, which is the address that the outside user sees.
Step 8 Check the Specify Public Service if different from Private Service check box to enable static PAT.
Step 9 In the Public Service field, enter the mapped protocol (TCP or UDP only), or click Browse to choose a protocol from the list.
Step 10 Click OK.
Step 11 Click Apply to generate static NAT with PAT and a corresponding access rule for the traffic flow, and to save the configuration.
For information about static NAT with port address translation, see the “Information About Static NAT with Port Translation” section on page 3-4.
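The translation that the two procedures above configure can be traced with a small model. The following Python is an added example written for this page; it is not Cisco or ASDM code and not output the appliance produces. Its interface names, addresses (RFC 5737 documentation ranges) and ports are constructed, and the PublicServer fields mirror the dialog fields named in the steps. One entry models static NAT with PAT (public TCP/80 mapped to private TCP/8080) and one models plain static NAT. The model shows an inbound packet being rewritten to the real address and service, the server's reply being rewritten back so the outside user only ever sees the mapped address, and the generated access rule denying a service that was not exposed. Two points are assumptions of the model rather than statements from the page: that the plain static NAT entry maps every port of the address while the access rule admits only the exposed service, and that the access check is made against the real address after untranslation.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

Endpoint = Tuple[str, int]   # (ip, port)
Service = Tuple[str, int]    # (protocol, port)


@dataclass(frozen=True)
class PublicServer:
    """One entry of the Public Servers pane; field names follow the ASDM dialog."""
    private_interface: str
    private_ip: str
    private_service: Service                  # the service actually running on the real server
    public_interface: str
    public_address: str
    public_service: Optional[Service] = None  # set only when the public service differs (static PAT)

    @property
    def uses_pat(self) -> bool:
        return self.public_service is not None

    @property
    def mapped_service(self) -> Service:
        return self.public_service if self.uses_pat else self.private_service


@dataclass(frozen=True)
class Packet:
    interface: str   # interface the packet is on
    proto: str
    src: Endpoint
    dst: Endpoint


class PublicServerNat:
    """Hypothetical model of the static NAT rule plus access rule that Apply generates (not ASA code)."""

    def __init__(self, servers):
        self.servers = list(servers)

    def untranslate(self, pkt: Packet) -> Optional[Tuple[PublicServer, Packet]]:
        """Public side to real side: rewrite the mapped destination to the real server."""
        for s in self.servers:
            if pkt.interface != s.public_interface or pkt.dst[0] != s.public_address:
                continue
            if s.uses_pat:
                # Static PAT: only the one mapped protocol/port is translated, to the private port.
                if (pkt.proto, pkt.dst[1]) != s.mapped_service:
                    continue
                real_dst = (s.private_ip, s.private_service[1])
            else:
                # Plain static NAT (model assumption): one-to-one address mapping, port unchanged.
                real_dst = (s.private_ip, pkt.dst[1])
            return s, Packet(s.private_interface, pkt.proto, pkt.src, real_dst)
        return None

    @staticmethod
    def permitted(s: PublicServer, real_pkt: Packet) -> bool:
        """Generated access rule: only the exposed service on the real address is allowed in."""
        return real_pkt.dst[0] == s.private_ip and (real_pkt.proto, real_pkt.dst[1]) == s.private_service

    def inbound(self, pkt: Packet) -> Tuple[str, Optional[Packet]]:
        """Verdict for a packet arriving on the public interface, plus the translated packet if any."""
        hit = self.untranslate(pkt)
        if hit is None:
            return "no-translation", None
        s, real_pkt = hit
        return ("forward" if self.permitted(s, real_pkt) else "deny"), real_pkt

    def reply(self, pkt: Packet) -> Optional[Packet]:
        """Real side to public side: rewrite the server's source so outside users see the mapped address."""
        for s in self.servers:
            if pkt.interface != s.private_interface or pkt.src[0] != s.private_ip:
                continue
            if s.uses_pat:
                if (pkt.proto, pkt.src[1]) != s.private_service:
                    continue
                mapped_src = (s.public_address, s.mapped_service[1])
            else:
                mapped_src = (s.public_address, pkt.src[1])
            return Packet(s.public_interface, pkt.proto, mapped_src, pkt.dst)
        return None


# Constructed sample configuration using RFC 5737 documentation addresses (not a real deployment).
WEB = PublicServer("inside", "10.1.1.10", ("tcp", 8080), "outside", "203.0.113.10", ("tcp", 80))  # static PAT
SSH = PublicServer("inside", "10.1.1.20", ("tcp", 22), "outside", "203.0.113.20")                 # static NAT
NAT = PublicServerNat([WEB, SSH])


def demo() -> dict:
    client = ("198.51.100.7", 40000)   # constructed outside user
    return {
        "web": NAT.inbound(Packet("outside", "tcp", client, ("203.0.113.10", 80))),
        "web_other_port": NAT.inbound(Packet("outside", "tcp", client, ("203.0.113.10", 443))),
        "ssh_telnet": NAT.inbound(Packet("outside", "tcp", client, ("203.0.113.20", 23))),
        "web_reply": NAT.reply(Packet("inside", "tcp", ("10.1.1.10", 8080), client)),
    }
```

Running `demo()` shows the PAT entry forwarding TCP/80 to 10.1.1.10:8080 while ignoring TCP/443 entirely, the plain static NAT entry translating TCP/23 to the real host but the access rule denying it because only TCP/22 was exposed, and the web server's reply leaving with source 203.0.113.10:80.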
    Editing Settings for a Public Server
    To edit the settings for a public server, perform the following steps:
Step 1 Choose Configuration > Firewall > Public Servers, choose an existing public server, then click Edit.
The Edit Public Server dialog box appears.
Step 2 Make any necessary changes to the following settings:
Private Interface—The interface to which the real server is connected.
Private IP Address—The real IP address of the server.
Private Service—The actual service that is running on the real server.
Public Interface—The interface through which outside users can access the real server.
Public Address—The IP address that is seen by outside users.
Public Service—The service that is running on the translated address. Click the Information icon to view information about supported public services.
Step 3 Click OK, then click Apply to save your changes.
    						
    							 
    Feature History for Public Servers
Table 9-1 lists each feature change and the platform release in which it was implemented. ASDM is backwards-compatible with multiple platform releases, so the specific ASDM release in which support was added is not listed.
Table 9-1 Feature History for Public Servers
Feature Name | Platform Releases | Feature Information
Public Servers | 8.3(1) | Public servers provide internal and external users access to various application servers. We introduced the following screen: Configuration > Firewall > Public Servers
    						
    							 
    PART 4
    Configuring Application Inspection 
    						
Chapter 10 Getting Started with Application Layer Protocol Inspection
    This chapter describes how to configure application layer protocol inspection. Inspection engines are 
    required for services that embed IP addressing information in the user data packet or that open secondary 
    channels on dynamically assigned ports. These protocols require the ASA to do a deep packet inspection 
    instead of passing the packet through the fast path (see the “Stateful Inspection Overview” section on 
    page 1-24 in the general operations configuration guide for more information about the fast path). As a 
    result, inspection engines can affect overall throughput. Several common inspection engines are enabled 
    on the ASA by default, but you might need to enable others depending on your network. 
    This chapter includes the following sections:
    Information about Application Layer Protocol Inspection, page 10-1
    Guidelines and Limitations, page 10-3
    Default Settings and NAT Limitations, page 10-4
    Configuring Application Layer Protocol Inspection, page 10-7
    Information about Application Layer Protocol Inspection 
    This section includes the following topics:
    How Inspection Engines Work, page 10-1
    When to Use Application Protocol Inspection, page 10-2
    How Inspection Engines Work
    As illustrated in Figure 10-1, the ASA uses three databases for its basic operation:
    ACLs—Used for authentication and authorization of connections based on specific networks, hosts, 
    and services (TCP/UDP port numbers).
    Inspections—Contains a static, predefined set of application-level inspection functions.
    Connections (XLATE and CONN tables)—Maintains state and other information about each 
    established connection. This information is used by the Adaptive Security Algorithm and 
    cut-through proxy to efficiently forward traffic within established sessions. 
    						
    							 
    Figure 10-1 How Inspection Engines Work
    In Figure 10-1, operations are numbered in the order they occur, and are described as follows:
1. A TCP SYN packet arrives at the ASA to establish a new connection.
2. The ASA checks the ACL database to determine if the connection is permitted.
3. The ASA creates a new entry in the connection database (XLATE and CONN tables).
4. The ASA checks the Inspections database to determine if the connection requires application-level inspection.
5. After the application inspection engine completes any required operations for the packet, the ASA forwards the packet to the destination system.
6. The destination system responds to the initial request.
7. The ASA receives the reply packet, looks up the connection in the connection database, and forwards the packet because it belongs to an established session.
    The default configuration of the ASA includes a set of application inspection entries that associate 
    supported protocols with specific TCP or UDP port numbers and that identify any special handling 
    required.
    When to Use Application Protocol Inspection
    When a user establishes a connection, the ASA checks the packet against ACLs, creates an address 
    translation, and creates an entry for the session in the fast path, so that further packets can bypass 
    time-consuming checks. However, the fast path relies on predictable port numbers and does not perform 
    address translations inside a packet.
    Many protocols open secondary TCP or UDP ports. The initial session on a well-known port is used to 
    negotiate dynamically assigned port numbers.
    Other applications embed an IP address in the packet that needs to match the source address that is 
    normally translated when it goes through the ASA.
    If you use applications like these, then you need to enable application inspection.
    						
    							 
    When you enable application inspection for a service that embeds IP addresses, the ASA translates 
    embedded addresses and updates any checksum or other fields that are affected by the translation.
    When you enable application inspection for a service that uses dynamically assigned ports, the ASA 
    monitors sessions to identify the dynamic port assignments, and permits data exchange on these ports 
    for the duration of the specific session.
    Guidelines and Limitations
    This section includes the guidelines and limitations for this feature.
    Context Mode Guidelines
    Supported in single and multiple context mode.
    Firewall Mode Guidelines
    Supported in routed and transparent firewall mode.
    Failover Guidelines 
State information for multimedia sessions that require inspection is not passed over the state link for stateful failover. The exception is GTP, which is replicated over the state link.
    IPv6 Guidelines
    Supports IPv6 for the following inspections:
    DNS
    FTP
    HTTP
    ICMP
    SIP
    SMTP
    IPsec pass-through
    IPv6
    Supports NAT64 for the following inspections:
    DNS
    FTP
    HTTP
    ICMP
    Additional Guidelines and Limitations 
    Some inspection engines do not support PAT, NAT, outside NAT, or NAT between same security 
    interfaces. See “Default Settings and NAT Limitations” for more information about NAT support.
For all the application inspections, the ASA limits the number of simultaneous, active data connections to 200 connections. For example, if an FTP client opens multiple secondary connections, the FTP inspection engine allows only 200 active connections; the 201st connection is dropped and the adaptive security appliance generates a system error message.
    						
    							 
Inspected protocols are subject to advanced TCP-state tracking, and the TCP state of these connections is not automatically replicated. While these connections are replicated to the standby unit, there is a best-effort attempt to re-establish a TCP state.
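The seven numbered operations of Figure 10-1, the pinholes that inspection opens for dynamically negotiated ports, and the cap of 200 active data connections per inspection can be followed in a small model. The following Python is an added example written for this page, not Cisco code: the ToyAsa class, its three databases and the verdict strings are hypothetical constructions, and the addresses, ports and the FTP passive-mode reply (the `227` response format of RFC 959, which Table 10-1 cites for FTP) are made up for the run. A new SYN is checked against the ACL database, entered into the CONN table and matched against the Inspections database before it is forwarded; the reply is found in the CONN table and takes the fast path; a secondary connection to the port the server announced is permitted only while the control session that negotiated it exists; and the 201st data connection is dropped with a log message.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

Flow = Tuple[str, str, int, str, int]   # (proto, src_ip, src_port, dst_ip, dst_port)
MAX_DATA_CONNECTIONS = 200              # per-inspection cap on simultaneous active data connections


@dataclass
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False
    payload: bytes = b""

    def flow(self) -> Flow:
        return (self.proto, self.src_ip, self.src_port, self.dst_ip, self.dst_port)

    def reverse_flow(self) -> Flow:
        return (self.proto, self.dst_ip, self.dst_port, self.src_ip, self.src_port)


@dataclass
class Session:
    flow: Flow
    inspector: Optional[str]
    pinholes: Set[Tuple[str, str, int]] = field(default_factory=set)  # (proto, server_ip, port)
    data_connections: Set[Flow] = field(default_factory=set)


class ToyAsa:
    """Hypothetical model of the ACL, Inspections and Connections databases (not ASA code)."""
    PASV_RE = re.compile(rb"227 [^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

    def __init__(self, acl, inspections):
        self.acl = acl                          # ACL database: permitted (proto, dst_port)
        self.inspections = inspections          # Inspections database: (proto, dst_port) -> engine
        self.conn: Dict[Flow, Session] = {}     # CONN table, keyed in both directions
        self.syslog: List[str] = []

    def pinhole_owner(self, pkt: Packet) -> Optional[Session]:
        for sess in self.conn.values():
            if (pkt.proto, pkt.dst_ip, pkt.dst_port) in sess.pinholes:
                return sess
        return None

    def inspect_ftp(self, sess: Session, pkt: Packet) -> None:
        # The PASV reply embeds the server address and a dynamically chosen port: open a pinhole
        # for it (a real ASA would also rewrite the embedded address when NAT applies).
        m = self.PASV_RE.search(pkt.payload)
        if m:
            h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
            sess.pinholes.add(("tcp", f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2))

    def handle(self, pkt: Packet) -> str:
        sess = self.conn.get(pkt.flow())
        if sess is not None:                    # step 7: established session -> fast path
            if sess.inspector == "ftp" and pkt.payload:
                self.inspect_ftp(sess, pkt)
            return "forward (fast path)"
        parent = None
        if (pkt.proto, pkt.dst_port) not in self.acl:   # step 2: ACL database
            parent = self.pinhole_owner(pkt)             # or a pinhole opened by inspection
            if parent is None:
                return "drop (ACL)"
            if len(parent.data_connections) >= MAX_DATA_CONNECTIONS:
                self.syslog.append(f"data connection limit reached for {parent.flow}")
                return "drop (data connection limit)"
        # step 3: CONN entry in both directions so the reply is found in step 7
        sess = Session(pkt.flow(), self.inspections.get((pkt.proto, pkt.dst_port)))
        self.conn[pkt.flow()] = self.conn[pkt.reverse_flow()] = sess
        if parent is not None:
            parent.data_connections.add(pkt.flow())
        return f"forward (inspect={sess.inspector})"   # steps 4 and 5

    def close(self, pkt: Packet) -> None:
        # Pinholes live only for the duration of the session that negotiated them.
        sess = self.conn.pop(pkt.flow(), None)
        if sess is not None:
            self.conn.pop(pkt.reverse_flow(), None)
            sess.pinholes.clear()


PASV_REPLY = b"227 Entering Passive Mode (192,0,2,30,196,24)\r\n"   # constructed; port 196*256+24 = 50200


def demo() -> dict:
    asa = ToyAsa(acl={("tcp", 21)}, inspections={("tcp", 21): "ftp"})
    client, server = "10.1.1.5", "192.0.2.30"          # constructed addresses
    ctrl = Packet("tcp", client, 40001, server, 21, syn=True)
    out = {"syn": asa.handle(ctrl),                                                # steps 1-5
           "reply": asa.handle(Packet("tcp", server, 21, client, 40001)),          # steps 6-7
           "data_early": asa.handle(Packet("tcp", client, 40002, server, 50200, syn=True)),
           "pasv": asa.handle(Packet("tcp", server, 21, client, 40001, payload=PASV_REPLY))}
    data = [asa.handle(Packet("tcp", client, 41000 + i, server, 50200, syn=True))
            for i in range(MAX_DATA_CONNECTIONS + 1)]   # 201 secondary connections
    out["data_ok"] = data.count("forward (inspect=None)")
    out["data_dropped"] = data[-1]
    out["syslog"] = len(asa.syslog)
    asa.close(ctrl)                                      # control session ends, pinhole goes with it
    out["data_after_close"] = asa.handle(Packet("tcp", client, 42000, server, 50200, syn=True))
    return out
```

The secondary connection attempted before the PASV reply is refused by the ACL alone, which is the behaviour a service with dynamic ports shows when its inspection is disabled; once inspection has seen the negotiation the same port is admitted, up to the 200-connection cap, and only until the control session closes.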
    Default Settings and NAT Limitations
    By default, the configuration includes a policy that matches all default application inspection traffic and 
    applies inspection to the traffic on all interfaces (a global policy). Default application inspection traffic 
    includes traffic to the default ports for each protocol. You can only apply one global policy, so if you 
    want to alter the global policy, for example, to apply inspection to non-standard ports, or to add 
    inspections that are not enabled by default, you need to either edit the default policy or disable it and 
    apply a new one.
    Table 10-1 lists all inspections supported, the default ports used in the default class map, and the 
    inspection engines that are on by default, shown in bold. This table also notes any NAT limitations.
Table 10-1 Supported Application Inspection Engines
Application¹ | Default Port | NAT Limitations | Standards² | Comments
CTIQBE | TCP/2748 | No extended PAT. No NAT64. (Clustering) No static PAT. | — | —
DCERPC | TCP/135 | No NAT64. | — | —
DNS over UDP | UDP/53 | No NAT support is available for name resolution through WINS. | RFC 1123 | —
FTP | TCP/21 | (Clustering) No static PAT. | RFC 959 | —
GTP | UDP/3386, UDP/2123 | No extended PAT. No NAT64. | — | Requires a special license.
H.323 H.225 and RAS | TCP/1720, UDP/1718, UDP (RAS) 1718-1719 | No dynamic NAT or PAT. Static PAT may not work. (Clustering) No static PAT. No extended PAT. No per-session PAT. No NAT on same security interfaces. No outside NAT. No NAT64. | ITU-T H.323, H.245, H225.0, Q.931, Q.932 | —
HTTP | TCP/80 | — | RFC 2616 | Beware of MTU limitations stripping ActiveX and Java. If the MTU is too small to allow the Java or ActiveX tag to be included in one packet, stripping may not occur.
ICMP | — | — | — | —
    						