Cisco Asdm 7 User Guide
Have a look at the manual Cisco Asdm 7 User Guide online for free. It’s possible to download the document as PDF or print. UserManuals.tech offer 53 Cisco manuals and user’s guides for free. Share the user manual or guide on Facebook, Twitter or Google+.
![](/img/blank.gif)
28-7 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 28 Using Protection Tools Configuring IP Audit for Basic IPS Support 1002 400002 IP options-Timestamp Informational Triggers on receipt of an IP datagram where the IP option list for the datagram includes option 4 (Timestamp). 1003 400003 IP options-Security Informational Triggers on receipt of an IP datagram where the IP option list for the datagram includes option 2 (Security options). 1004 400004 IP options-Loose Source Route Informational Triggers on receipt of an IP datagram where the IP option list for the datagram includes option 3 (Loose Source Route). 1005 400005 IP options-SATNET ID Informational Triggers on receipt of an IP datagram where the IP option list for the datagram includes option 8 (SATNET stream identifier). 1006 400006 IP options-Strict Source Route Informational Triggers on receipt of an IP datagram in which the IP option list for the datagram includes option 9(Strict Source Routing). 1100 400007 IP Fragment Attack Attack Triggers when any IP datagram is received with an offset value less than 5 but greater than 0 indicated in the offset field. 1102 400008 IP Impossible Packet Attack Triggers when an IP packet arrives with source equal to destination address. This signature will catch the so-called Land Attack. 1103 400009 IP Overlapping Fragments (Teardrop) Attack Triggers when two fragments contained within the same IP datagram have offsets that indicate that they share positioning within the datagram. This could mean that fragment A is being completely overwritten by fragment B, or that fragment A is partially being overwritten by fragment B. Some operating systems do not properly handle fragments that overlap in this manner and may throw exceptions or behave in other undesirable ways upon receipt of overlapping fragments, which is how the Teardrop attack works to create a DoS. 2000 400010 ICMP Echo Reply Informational Triggers when a IP datagram is received with the protocol field of the IP header set to 1 (ICMP) and the type field in the ICMP header set to 0 (Echo Reply). 2001 400011 ICMP Host Unreachable Informational Triggers when an IP datagram is received with the protocol field of the IP header set to 1 (ICMP) and the type field in the ICMP header set to 3 (Host Unreachable). Table 28-1 Signature IDs and System Message Numbers (continued) Signature IDMessage Number Signature Title Signature Type Description
![](/img/blank.gif)
28-8 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 28 Using Protection Tools Configuring IP Audit for Basic IPS Support 2002 400012 ICMP Source Quench Informational Triggers when an IP datagram is received with the protocol field of the IP header set to 1 (ICMP) and the type field in the ICMP header set to 4 (Source Quench). 2003 400013 ICMP Redirect Informational Triggers when a IP datagram is received with the protocol field of the IP header set to 1 (ICMP) and the type field in the ICMP header set to 5 (Redirect). 2004 400014 ICMP Echo Request Informational Triggers when a IP datagram is received with the protocol field of the IP header set to 1 (ICMP) and the type field in the ICMP header set to 8 (Echo Request). 2005 400015 ICMP Time Exceeded for a Datagram Informational Triggers when a IP datagram is received with the protocol field of the IP header set to 1 (ICMP) and the type field in the ICMP header set to 11(Time Exceeded for a Datagram). 2006 400016 ICMP Parameter Problem on DatagramInformational Triggers when a IP datagram is received with the protocol field of the IP header set to 1 (ICMP) and the type field in the ICMP header set to 12 (Parameter Problem on Datagram). 2007 400017 ICMP Timestamp Request Informational Triggers when a IP datagram is received with the protocol field of the IP header set to 1 (ICMP) and the type field in the ICMP header set to 13 (Timestamp Request). 2008 400018 ICMP Timestamp Reply Informational Triggers when a IP datagram is received with the protocol field of the IP header set to 1 (ICMP) and the type field in the ICMP header set to 14 (Timestamp Reply). 2009 400019 ICMP Information Request Informational Triggers when a IP datagram is received with the protocol field of the IP header set to 1 (ICMP) and the type field in the ICMP header set to 15 (Information Request). 2010 400020 ICMP Information Reply Informational Triggers when a IP datagram is received with the protocol field of the IP header set to 1 (ICMP) and the type field in the ICMP header set to 16 (ICMP Information Reply). 2011 400021 ICMP Address Mask Request Informational Triggers when a IP datagram is received with the protocol field of the IP header set to 1 (ICMP) and the type field in the ICMP header set to 17 (Address Mask Request). 2012 400022 ICMP Address Mask Reply Informational Triggers when a IP datagram is received with the protocol field of the IP header set to 1 (ICMP) and the type field in the ICMP header set to 18 (Address Mask Reply). Table 28-1 Signature IDs and System Message Numbers (continued) Signature IDMessage Number Signature Title Signature Type Description
![](/img/blank.gif)
28-9 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 28 Using Protection Tools Configuring IP Audit for Basic IPS Support 2150 400023 Fragmented ICMP Traffic Attack Triggers when a IP datagram is received with the protocol field of the IP header set to 1 (ICMP) and either the more fragments flag is set to 1 (ICMP) or there is an offset indicated in the offset field. 2151 400024 Large ICMP Traffic Attack Triggers when a IP datagram is received with the protocol field of the IP header set to 1(ICMP) and the IP length > 1024. 2154 400025 Ping of Death Attack Attack Triggers when a IP datagram is received with the protocol field of the IP header set to 1(ICMP), the Last Fragment bit is set, and (IP offset * 8) + (IP data length) > 65535 that is to say, the IP offset (which represents the starting position of this fragment in the original packet, and which is in 8 byte units) plus the rest of the packet is greater than the maximum size for an IP packet. 3040 400026 TCP NULL flags Attack Triggers when a single TCP packet with none of the SYN, FIN, ACK, or RST flags set has been sent to a specific host. 3041 400027 TCP SYN+FIN flags Attack Triggers when a single TCP packet with the SYN and FIN flags are set and is sent to a specific host. 3042 400028 TCP FIN only flags Attack Triggers when a single orphaned TCP FIN packet is sent to a privileged port (having port number less than 1024) on a specific host. 3153 400029 FTP Improper Address Specified Informational Triggers if a port command is issued with an address that is not the same as the requesting host. 3154 400030 FTP Improper Port Specified Informational Triggers if a port command is issued with a data port specified that is 65535. 4050 400031 UDP Bomb attack Attack Triggers when the UDP length specified is less than the IP length specified. This malformed packet type is associated with a denial of service attempt. 4051 400032 UDP Snork attack Attack Triggers when a UDP packet with a source port of either 135, 7, or 19 and a destination port of 135 is detected. 4052 400033 UDP Chargen DoS attack Attack This signature triggers when a UDP packet is detected with a source port of 7 and a destination port of 19. 6050 400034 DNS HINFO Request Informational Triggers on an attempt to access HINFO records from a DNS server. Table 28-1 Signature IDs and System Message Numbers (continued) Signature IDMessage Number Signature Title Signature Type Description
![](/img/blank.gif)
28-10 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 28 Using Protection Tools Configuring IP Audit for Basic IPS Support 6051 400035 DNS Zone Transfer Informational Triggers on normal DNS zone transfers, in which the source port is 53. 6052 400036 DNS Zone Transfer from High Port Informational Triggers on an illegitimate DNS zone transfer, in which the source port is not equal to 53. 6053 400037 DNS Request for All Records Informational Triggers on a DNS request for all records. 6100 400038 RPC Port Registration Informational Triggers when attempts are made to register new RPC services on a target host. 6101 400039 RPC Port Unregistration Informational Triggers when attempts are made to unregister existing RPC services on a target host. 6102 400040 RPC Dump Informational Triggers when an RPC dump request is issued to a target host. 6103 400041 Proxied RPC Request Attack Triggers when a proxied RPC request is sent to the portmapper of a target host. 6150 400042 ypserv (YP server daemon) Portmap Request Informational Triggers when a request is made to the portmapper for the YP server daemon (ypserv) port. 6151 400043 ypbind (YP bind daemon) Portmap Request Informational Triggers when a request is made to the portmapper for the YP bind daemon (ypbind) port. 6152 400044 yppasswdd (YP password daemon) Portmap RequestInformational Triggers when a request is made to the portmapper for the YP password daemon (yppasswdd) port. 6153 400045 ypupdated (YP update daemon) Portmap Request Informational Triggers when a request is made to the portmapper for the YP update daemon (ypupdated) port. 6154 400046 ypxfrd (YP transfer daemon) Portmap Request Informational Triggers when a request is made to the portmapper for the YP transfer daemon (ypxfrd) port. 6155 400047 mountd (mount daemon) Portmap Request Informational Triggers when a request is made to the portmapper for the mount daemon (mountd) port. 6175 400048 rexd (remote execution daemon) Portmap RequestInformational Triggers when a request is made to the portmapper for the remote execution daemon (rexd) port. Table 28-1 Signature IDs and System Message Numbers (continued) Signature IDMessage Number Signature Title Signature Type Description
![](/img/blank.gif)
28-11 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 28 Using Protection Tools Configuring IP Audit for Basic IPS Support 6180 400049 rexd (remote execution daemon) AttemptInformational Triggers when a call to the rexd program is made. The remote execution daemon is the server responsible for remote program execution. This may be indicative of an attempt to gain unauthorized access to system resources. 6190 400050 statd Buffer Overflow Attack Triggers when a large statd request is sent. This could be an attempt to overflow a buffer and gain access to system resources. Table 28-1 Signature IDs and System Message Numbers (continued) Signature IDMessage Number Signature Title Signature Type Description
![](/img/blank.gif)
28-12 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 28 Using Protection Tools Configuring IP Audit for Basic IPS Support
![](/img/blank.gif)
CH A P T E R 29-1 Cisco ASA Series Firewall ASDM Configuration Guide 29 Configuring Filtering Services This chapter describes how to use filtering services to provide greater control over traffic passing through the ASA and includes the following sections: Information About Web Traffic Filtering, page 29-1 Configuring Filtering Rules, page 29-6 Filtering the Rule Table, page 29-11 Defining Queries, page 29-12 Filtering URLs and FTP Requests with an External Server, page 29-2 Information About Web Traffic Filtering You can use web traffic filtering in two distinct ways: Filtering ActiveX objects or Java applets Filtering with an external filtering server Instead of blocking access altogether, you can remove specific undesirable objects from web traffic, such as ActiveX objects or Java applets, that may pose a security threat in certain situations. You can use web traffic filtering to direct specific traffic to an external filtering server, such an Secure Computing SmartFilter (formerly N2H2) or the Websense filtering server. You can enable long URL, HTTPS, and FTP filtering using either Websense or Secure Computing SmartFilter for web traffic filtering. Filtering servers can block traffic to specific sites or types of sites, as specified by the security policy. NoteURL caching will only work if the version of the URL server software from the URL server vendor supports it. Because web traffic filtering is CPU-intensive, using an external filtering server ensures that the throughput of other traffic is not affected. However, depending on the speed of your network and the capacity of your web traffic filtering server, the time required for the initial connection may be noticeably slower when filtering traffic with an external filtering server. Model License Requirement All models Base License.
![](/img/blank.gif)
29-2 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 29 Configuring Filtering Services Filtering URLs and FTP Requests with an External Server Filtering URLs and FTP Requests with an External Server This section describes how to filter URLs and FTP requests with an external server and includes the following topics: Information About URL Filtering, page 29-2 Licensing Requirements for URL Filtering, page 29-3 Guidelines and Limitations for URL Filtering, page 29-3 Identifying the Filtering Server, page 29-3 Configuring Additional URL Filtering Settings, page 29-4 Feature History for URL Filtering, page 29-12 Information About URL Filtering You can apply filtering to connection requests originating from a more secure network to a less secure network. Although you can use ACLs to prevent outbound access to specific content servers, managing usage this way is difficult because of the size and dynamic nature of the Internet. You can simplify configuration and improve ASA performance by using a separate server running one of the following Internet filtering products: Websense Enterprise for filtering HTTP, HTTPS, and FTP. McAfee SmartFilter (formerly N2H2) for filtering HTTP, HTTPS, FTP, and long URL filtering. In long URLs, the URL in the Referer field might contain a “host:” text string, which could cause the HTTP GET header to be incorrectly parsed as containing the HTTP Host parameter. The ASA, however, correctly parses the Referer field even when it contains a “host:” text string and forwards the header to the McAfee SmartFilter server with the correct Referer URL. NoteURL caching will only work if the version of the URL server software from the URL server vendor supports it. Although ASA performance is less affected when using an external server, you might notice longer access times to websites or FTP servers when the filtering server is remote from the ASA. When filtering is enabled and a request for content is directed through the ASA, the request is sent to the content server and to the filtering server at the same time. If the filtering server allows the connection, the ASA forwards the response from the content server to the originating client. If the filtering server denies the connection, the ASA drops the response and sends a message or return code indicating that the connection was not successful. If user authentication is enabled on the ASA, then the ASA also sends the username to the filtering server. The filtering server can use user-specific filtering settings or provide enhanced reporting about usage.
![](/img/blank.gif)
29-3 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 29 Configuring Filtering Services Filtering URLs and FTP Requests with an External Server Licensing Requirements for URL Filtering The following table shows the licensing requirements for URL filtering: Guidelines and Limitations for URL Filtering This section includes the guidelines and limitations for this feature. Context Mode Guidelines Supported in single and multiple context mode. Firewall Mode Guidelines Supported in routed and transparent firewall mode. IPv6 Guidelines Does not support IPv6. Identifying the Filtering Server You can identify up to four filtering servers per context. The ASA uses the servers in order until a server responds. In single mode, a maximum of 16 of the same type of filtering servers are allowed. You can only configure a single type of server (Websense or Secure Computing SmartFilter) in your configuration. NoteYou must add the filtering server before you can configure filtering for HTTP or HTTPS. To specify the external filtering server, perform the following steps: Step 1In the ASDM main window, choose Configuration > Firewall > URL Filtering Servers. Step 2In the URL Filtering Server Type area, click one of the following options: We b s e n s e Secure Computing SmartFilter Step 3If you chose the second option, enter the Secure Computing SmartFilter port number if it is different than the default port number, which is 4005. Step 4In the URL Filtering Servers area, click Add. If you chose the Websense option, the Add Parameters for Websense URL Filtering dialog box appears. Choose the interface on which the URL filtering server is connected from the drop-down list. Enter the IP address of the URL filtering server. Table 29-1 Licensing Requirements Model License Requirement All models Base License.
![](/img/blank.gif)
29-4 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 29 Configuring Filtering Services Filtering URLs and FTP Requests with an External Server Enter the number of seconds after which the request to the URL filtering server times out. The default is 30 seconds. In the Protocol area, to specify which TCP version to use to communicate with the URL filtering server, click one of the following radio buttons: –TCP 1 –TCP 4 –UDP 4 Enter the maximum number of TCP connections allowed for communicating with the URL filtering server, and click OK. The new Websense URL filtering server properties appear in the URL Filtering Servers pane. To change these properties, click Edit. To add more Websense URL filtering servers after you have added the first Websense URL filtering server, click Add or Insert. To remove a Websense URL filtering server, click Delete. If you chose the Secure Computing SmartFilter URL Filtering option, the Add Parameters for Secure Computing SmartFilter URL Filtering dialog box appears. Choose the interface on which the URL filtering server is connected from the drop-down list. Enter the IP address of the URL filtering server. Enter the number of seconds after which the request to the URL filtering server times out. The default is 30 seconds. In the Protocol area, to specify which protocol type to use to communicate with the URL filtering server, click one of the following radio buttons: –TCP –UDP Enter the maximum number of TCP connections allowed for communicating with the URL filtering server, and click OK. The new Secure Computing SmartFilter URL filtering server properties appear in the URL Filtering Servers pane. To change these properties, click Edit. To add more Secure Computing SmartFilter URL filtering servers after you have defined the first Secure Computing SmartFilter URL filtering server, click Add or Insert. To remove a Secure Computing SmartFilter URL filtering server, click Delete. Configuring Additional URL Filtering Settings After you have accessed a website, the filtering server can allow the ASA to cache the server address for a certain period of time, as long as each website hosted at the address is in a category that is permitted at all times. When you access the server again, or if another user accesses the server, the ASA does not need to consult the filtering server again to obtain the server address. NoteRequests for cached IP addresses are not passed to the filtering server and are not logged. As a result, this activity does not appear in any reports. This section describes how to configure additional URL filtering settings and includes the following topics: