Cisco Asdm 7 User Guide

    30-31
    Cisco ASA Series Firewall ASDM Configuration Guide
     
    Chapter 30      Configuring the ASA CX Module
      Monitoring the ASA CX Module
    ciscoasa# show asp drop
    Frame drop:
      CXSC Module received packet with bad TLVs (cxsc-bad-tlv-received)           2
      CXSC Module requested drop (cxsc-request)                                    1
      CXSC card is down (cxsc-fail-close)                                          1
      CXSC config removed for flow (cxsc-fail)                                     3
      CXSC Module received malformed packet (cxsc-malformed-packet)                1
      
    Last clearing: 18:12:58 UTC May 11 2012 by enable_15
    Flow drop:
      Flow terminated by CXSC (cxsc-request)                                       2
      Flow reset by CXSC (reset-by-cxsc)                                           1
      CXSC fail-close (cxsc-fail-close)                                            1
    Last clearing: 18:12:58 UTC May 11 2012 by enable_15
    The following is sample output from the show asp event dp-cp cxsc-msg command:
    ciscoasa# show asp event dp-cp cxsc-msg
    DP-CP EVENT QUEUE                  QUEUE-LEN  HIGH-WATER
    Punt Event Queue                           0           5
    Identity-Traffic Event Queue               0           0
    General Event Queue                        0           4
    Syslog Event Queue                         4          90
    Non-Blocking Event Queue                   0           2
    Midpath High Event Queue                   0          53
    Midpath Norm Event Queue                8074        8288
    SRTP Event Queue                           0           0
    HA Event Queue                             0           0
    Threat-Detection Event Queue               0           3
    ARP Event Queue                            0        2048
    IDFW Event Queue                           0           0
    CXSC Event Queue                           0           1
    EVENT-TYPE          ALLOC ALLOC-FAIL ENQUEUED ENQ-FAIL  RETIRED 15SEC-RATE
    cxsc-msg                1          0        1        0        1          0
    The following is sample output from the show conn detail command:
    ciscoasa# show conn detail 
    0 in use, 105 most used
    Flags: A - awaiting inside ACK to SYN, a - awaiting outside ACK to SYN,
           B - initial SYN from outside, b - TCP state-bypass or nailed, C - CTIQBE media,
           D - DNS, d - dump, E - outside back connection, F - outside FIN, f - inside FIN,
           G - group, g - MGCP, H - H.323, h - H.225.0, I - inbound data,
           i - incomplete, J - GTP, j - GTP data, K - GTP t3-response
           k - Skinny media, M - SMTP data, m - SIP media, n - GUP
           O - outbound data, P - inside back connection, p - Phone-proxy TFTP connection,
           q - SQL*Net data, R - outside acknowledged FIN,
           R - UDP SUNRPC, r - inside acknowledged FIN, S - awaiting inside SYN,
           s - awaiting outside SYN, T - SIP, t - SIP transient, U - up,
           V - VPN orphan, W - WAAS,
           X - inspected by service module
    TCP outside 208.80.152.2:80 inside 192.168.1.20:59928, idle 0:00:10, bytes 79174, flags XUIO
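The two outputs above are what an operator checks to see whether the module is dropping traffic and whether flows are actually reaching it. As an added example that is not part of the Cisco guide, the following Python script parses both: it turns the show asp drop counters into a dictionary, totals the CXSC-related drops (cxsc-fail-close being the one that means the module was down and the ASA dropped the flow), and lists connections from show conn detail whose flags lack X, i.e. connections not inspected by the service module. The sample text is the output shown on this page plus one constructed connection line (using the documentation address 203.0.113.7) that lacks the X flag; the regular expressions are written against this output format only.

```python
import re

# Constructed sample: the 'show asp drop' output shown on this page.
ASP_DROP_SAMPLE = """\
Frame drop:
  CXSC Module received packet with bad TLVs (cxsc-bad-tlv-received)           2
  CXSC Module requested drop (cxsc-request)                                    1
  CXSC card is down (cxsc-fail-close)                                          1
  CXSC config removed for flow (cxsc-fail)                                     3
  CXSC Module received malformed packet (cxsc-malformed-packet)                1

Last clearing: 18:12:58 UTC May 11 2012 by enable_15
Flow drop:
  Flow terminated by CXSC (cxsc-request)                                       2
  Flow reset by CXSC (reset-by-cxsc)                                           1
  CXSC fail-close (cxsc-fail-close)                                            1
Last clearing: 18:12:58 UTC May 11 2012 by enable_15
"""

# Constructed sample: the connection line from the page plus one made-up
# connection (203.0.113.7 is a documentation address) whose flags lack X.
CONN_SAMPLE = """\
TCP outside 208.80.152.2:80 inside 192.168.1.20:59928, idle 0:00:10, bytes 79174, flags XUIO
TCP outside 203.0.113.7:443 inside 192.168.1.21:50123, idle 0:00:02, bytes 1200, flags UIO
"""

SECTION_RE = re.compile(r"^(Frame drop|Flow drop):\s*$")
# "  <description> (<counter-name>)   <count>"
COUNTER_RE = re.compile(r"^\s+(?P<desc>.+?)\s+\((?P<name>[a-z0-9\-]+)\)\s+(?P<count>\d+)\s*$")
CONN_RE = re.compile(
    r"^(?P<proto>\w+) (?P<out_ifc>\S+) (?P<out_addr>\S+) (?P<in_ifc>\S+) (?P<in_addr>\S+), "
    r"idle (?P<idle>\S+), bytes (?P<bytes>\d+), flags (?P<flags>\S+)$"
)


def parse_asp_drop(text):
    """Map (section, counter-name) -> count for every counter line."""
    counters = {}
    section = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = COUNTER_RE.match(line)
        if m and section is not None:
            counters[(section, m.group("name"))] = int(m.group("count"))
    return counters


def cxsc_drop_summary(counters):
    """Total CXSC-related drops and whether any fail-close drops were seen.

    cxsc-fail-close is the counter to watch: it increments when the module is
    down and the ASA drops (rather than passes) the traffic it would have sent there.
    """
    cxsc = {k: v for k, v in counters.items() if "cxsc" in k[1]}
    fail_close = sum(v for k, v in cxsc.items() if k[1] == "cxsc-fail-close")
    return {
        "cxsc_total": sum(cxsc.values()),
        "fail_close": fail_close,
        "module_down_drops": fail_close > 0,
    }


def parse_conn_detail(text):
    """Parse the per-connection lines of 'show conn detail' (legend lines do not match)."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if m:
            conns.append(m.groupdict())
    return conns


def uninspected_connections(text):
    """Connections whose flags lack X, i.e. not inspected by the service module."""
    return [c for c in parse_conn_detail(text) if "X" not in c["flags"]]


if __name__ == "__main__":
    print(cxsc_drop_summary(parse_asp_drop(ASP_DROP_SAMPLE)))
    for c in uninspected_connections(CONN_SAMPLE):
        print("not inspected:", c["proto"], c["out_addr"], "<->", c["in_addr"], c["flags"])
```

Run against saved output from a real unit, compare the cxsc_total between two samples to see whether drops are still increasing after the "Last clearing" time, and treat a non-zero fail_close as a signal that the module was unavailable while the fail-close policy was in effect.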
    						
    							 
    Capturing Module Traffic
    To configure and view packet captures for the ASA CX module, enter one of the following commands:

    Command                                  Purpose
    capture name interface asa_dataplane     Captures packets between ASA CX module and the ASA on the backplane.
    copy capture                             Copies the capture file to a server.
    show capture                             Shows the capture at the ASA console.

    Note: Captured packets contain an additional AFBP header that your PCAP viewer might not understand; be sure to use the appropriate plugin to view these packets.

    Troubleshooting the ASA CX Module
    Problems with the Authentication Proxy, page 30-32

    Problems with the Authentication Proxy
    If you are having a problem using the authentication proxy feature, follow these steps to troubleshoot your configuration and connections:
    1. Check your configurations.
    On the ASA, check the output of the show asp table classify domain cxsc-auth-proxy command and make sure there are rules installed and that they are correct.
    In PRSM, ensure the directory realm is created with the correct credentials and test the connection to make sure you can reach the authentication server; also ensure that a policy object or objects are configured for authentication.
    2. Check the output of the show service-policy cxsc command to see if any packets were proxied.
    3. Perform a packet capture on the backplane, and check to see if traffic is being redirected on the correct configured port. See the “Capturing Module Traffic” section on page 30-32. You can check the configured port using the show running-config cxsc command or the show asp table classify domain cxsc-auth-proxy command.
    Note: If you have a connection between hosts on two ASA interfaces, and the ASA CX service policy is only configured for one of the interfaces, then all traffic between these hosts is sent to the ASA CX module, including traffic originating on the non-ASA CX interface (the feature is bidirectional). However, the ASA only performs the authentication proxy on the interface to which the service policy is applied, because this feature is ingress-only.
    Example 30-1 Make sure port 2000 is used consistently:
    1. Check the authentication proxy port:
    						
    							 
    ciscoasa# show running-config cxsc 
    cxsc auth-proxy port 2000
    2. Check the authentication proxy rules:
    ciscoasa# show asp table classify domain cxsc-auth-proxy 
    Input Table
    in  id=0x7ffed86cc470, priority=121, domain=cxsc-auth-proxy, deny=false
    hits=0, user_data=0x7ffed86ca220, cs_id=0x0, flags=0x0, protocol=6
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0
    dst ip/id=192.168.0.100, mask=255.255.255.255, port=2000, dscp=0x0
    input_ifc=inside, output_ifc=identity
    3. In the packet captures, the redirect request should be going to destination port 2000.
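The three steps of Example 30-1 are a consistency check across two show commands and a capture. As an added example that is not part of the Cisco guide, the following Python script automates that check: it reads the configured port from show running-config cxsc, parses the rule entries of show asp table classify domain cxsc-auth-proxy (including the hits counter, which stays at 0 while nothing has been proxied), and compares both with the destination ports you read out of the backplane capture. The sample text is constructed from the output shown in Example 30-1; the regular expressions are written for that output format, and the function and finding strings are the script's own, not part of any Cisco tool.

```python
import re

# Constructed samples modelled on the output shown in Example 30-1 on this page.
RUNNING_CONFIG_CXSC = "cxsc auth-proxy port 2000\n"

CLASSIFY_TABLE = """\
Input Table
in  id=0x7ffed86cc470, priority=121, domain=cxsc-auth-proxy, deny=false
hits=0, user_data=0x7ffed86ca220, cs_id=0x0, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=192.168.0.100, mask=255.255.255.255, port=2000, dscp=0x0
input_ifc=inside, output_ifc=identity
"""

PORT_RE = re.compile(r"^cxsc auth-proxy port (\d+)\s*$", re.MULTILINE)
RULE_RE = re.compile(r"^in\s+id=(?P<id>0x[0-9a-f]+),.*domain=(?P<domain>[\w\-]+), deny=(?P<deny>true|false)")
HITS_RE = re.compile(r"^hits=(\d+)")
DST_RE = re.compile(r"^dst ip/id=(?P<ip>\S+), mask=(?P<mask>\S+), port=(?P<port>\d+)")
IFC_RE = re.compile(r"^input_ifc=(?P<in>\S+), output_ifc=(?P<out>\S+)")


def configured_auth_proxy_port(running_config):
    """Port from the 'cxsc auth-proxy port N' line, or None if the line is absent."""
    m = PORT_RE.search(running_config)
    return int(m.group(1)) if m else None


def parse_classify_rules(table_text):
    """Turn the multi-line rule entries of 'show asp table classify' into dicts."""
    rules, cur = [], None
    for raw in table_text.splitlines():
        line = raw.strip()
        m = RULE_RE.match(line)
        if m:
            # A new rule starts with the 'in  id=...' header line.
            cur = {"id": m.group("id"), "domain": m.group("domain"),
                   "deny": m.group("deny") == "true", "hits": 0}
            rules.append(cur)
            continue
        if cur is None:
            continue  # preamble such as 'Input Table'
        m = HITS_RE.match(line)
        if m:
            cur["hits"] = int(m.group(1))
            continue
        m = DST_RE.match(line)
        if m:
            cur["dst_ip"], cur["dst_port"] = m.group("ip"), int(m.group("port"))
            continue
        m = IFC_RE.match(line)
        if m:
            cur["input_ifc"], cur["output_ifc"] = m.group("in"), m.group("out")
    return rules


def check_auth_proxy(running_config, table_text, observed_redirect_ports):
    """Apply the three checks of Example 30-1 and return a list of findings.

    observed_redirect_ports: destination ports of the redirect requests seen in
    the backplane capture (step 3), read out of the capture by the operator.
    """
    findings = []
    port = configured_auth_proxy_port(running_config)
    if port is None:
        findings.append("step 1: no 'cxsc auth-proxy port' line in running config")
    rules = [r for r in parse_classify_rules(table_text) if r["domain"] == "cxsc-auth-proxy"]
    if not rules:
        findings.append("step 2: no rules installed in domain cxsc-auth-proxy")
    for r in rules:
        if r.get("dst_port") != port:
            findings.append(f"step 2: rule {r['id']} redirects to port {r.get('dst_port')}, config says {port}")
        if r["hits"] == 0:
            findings.append(f"step 2: rule {r['id']} on {r.get('input_ifc')} has 0 hits, nothing proxied yet")
    for p in sorted(set(observed_redirect_ports)):
        if p != port:
            findings.append(f"step 3: capture shows redirect to port {p}, expected {port}")
    return findings


if __name__ == "__main__":
    for finding in check_auth_proxy(RUNNING_CONFIG_CXSC, CLASSIFY_TABLE, [2000]):
        print(finding)
```

An empty findings list means the port is configured, every cxsc-auth-proxy rule redirects to it, traffic has matched the rules, and the capture agrees; each finding names the step of Example 30-1 to go back to.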
    Feature History for the ASA CX Module
    Table 30-2 lists each feature change and the platform release in which it was implemented. ASDM is backwards-compatible with multiple platform releases, so the specific ASDM release in which support was added is not listed.

    Table 30-2 Feature History for the ASA CX Module

    Feature Name: ASA 5585-X with SSP-10 and -20 support for the ASA CX SSP-10 and -20
    Platform Releases: ASA 8.4(4.1), ASA CX 9.0(1)
    Feature Information: The ASA CX module lets you enforce security based on the complete context of a situation. This context includes the identity of the user (who), the application or website that the user is trying to access (what), the origin of the access attempt (where), the time of the attempted access (when), and the properties of the device used for the access (how). With the ASA CX module, you can extract the full context of a flow and enforce granular policies such as permitting access to Facebook but denying access to games on Facebook or permitting finance employees access to a sensitive enterprise database but denying the same access to other employees.
    We introduced the following screens:
    Home > ASA CX Status
    Wizards > Startup Wizard > ASA CX Basic Configuration
    Configuration > Firewall > Service Policy Rules > Add Service Policy Rule > Rule Actions > ASA CX Inspection

    Feature Name: ASA 5512-X through ASA 5555-X support for the ASA CX SSP
    Platform Releases: ASA 9.1(1), ASA CX 9.1(1)
    Feature Information: We introduced support for the ASA CX SSP software module for the ASA 5512-X, ASA 5515-X, ASA 5525-X, ASA 5545-X, and ASA 5555-X.
    We did not modify any screens.
    						
    							 
    Feature Name: Monitor-only mode for demonstration purposes
    Platform Releases: ASA 9.1(2), ASA CX 9.1(2)
    Feature Information: For demonstration purposes only, you can enable monitor-only mode for the service policy, which forwards a copy of traffic to the ASA CX module, while the original traffic remains unaffected.
    Another option for demonstration purposes is to configure a traffic-forwarding interface instead of a service policy in monitor-only mode. The traffic-forwarding interface sends all traffic directly to the ASA CX module, bypassing the ASA.
    We modified the following screen: Configuration > Firewall > Service Policy Rules > Add Service Policy Rule > Rule Actions > ASA CX Inspection.
    The traffic-forwarding feature is supported by CLI only.

    Feature Name: NAT 64 support for the ASA CX module
    Platform Releases: ASA 9.1(2), ASA CX 9.1(2)
    Feature Information: You can now use NAT 64 in conjunction with the ASA CX module.
    We did not modify any screens.

    Feature Name: ASA 5585-X with SSP-40 and -60 support for the ASA CX SSP-40 and -60
    Platform Releases: ASA 9.1(3), ASA CX 9.2(1)
    Feature Information: ASA CX SSP-40 and -60 modules can be used with the matching level ASA 5585-X with SSP-40 and -60.
    We did not modify any screens.

    Feature Name: Multiple context mode support for the ASA CX module
    Platform Releases: ASA 9.1(3), ASA CX 9.2(1)
    Feature Information: You can now configure ASA CX service policies per context on the ASA.
    Note: Although you can configure per context ASA service policies, the ASA CX module itself (configured in PRSM) is a single context mode device; the context-specific traffic coming from the ASA is checked against the common ASA CX policy.
    We did not modify any screens.

    Feature Name: Filtering packets captured on the ASA CX backplane
    Platform Releases: ASA 9.1(3), ASA CX 9.2(1)
    Feature Information: You can now filter packets captured on the ASA CX backplane using the match or access-list keyword with the capture interface asa_dataplane command.
    Control traffic specific to the ASA CX module is not affected by the access-list or match filtering; the ASA captures all control traffic.
    In multiple context mode, configure the packet capture per context. Note that all control traffic in multiple context mode goes only to the system execution space. Because control traffic cannot be filtered using an access-list or match, these options are not available in the system execution space.
    We did not modify any ASDM screens.
    						
    CHAPTER 31
    Configuring the ASA IPS Module
    This chapter describes how to configure the ASA IPS module. The ASA IPS module might be a hardware 
    module or a software module, depending on your ASA model. For a list of supported ASA IPS modules 
    per ASA model, see the Cisco ASA Compatibility Matrix:
    http://www.cisco.com/en/US/docs/security/asa/compatibility/asamatrx.html
    This chapter includes the following sections:
    Information About the ASA IPS Module, page 31-1
    Licensing Requirements for the ASA IPS module, page 31-5
    Guidelines and Limitations, page 31-5
    Default Settings, page 31-6
    Configuring the ASA IPS module, page 31-7
    Managing the ASA IPS module, page 31-19
    Monitoring the ASA IPS module, page 31-24
    Feature History for the ASA IPS module, page 31-25
    Information About the ASA IPS Module
    The ASA IPS module runs advanced IPS software that provides proactive, full-featured intrusion 
    prevention services to stop malicious traffic, including worms and network viruses, before they can 
    affect your network. This section includes the following topics:
    How the ASA IPS Module Works with the ASA, page 31-2
    Operating Modes, page 31-3
    Using Virtual Sensors (ASA 5510 and Higher), page 31-3
    Information About Management Access, page 31-4 
    						
    							 
    How the ASA IPS Module Works with the ASA
    The ASA IPS module runs a separate application from the ASA. The ASA IPS module might include an 
    external management interface so you can connect to the ASA IPS module directly; if it does not have a 
    management interface, you can connect to the ASA IPS module through the ASA interface. The ASA 
    IPS SSP on the ASA 5585-X includes data interfaces; these interfaces provide additional port-density 
    for the ASA. However, the overall through-put of the ASA is not increased.
    Traffic goes through the firewall checks before being forwarded to the ASA IPS module. When you 
    identify traffic for IPS inspection on the ASA, traffic flows through the ASA and the ASA IPS module 
    as follows. Note: This example is for “inline mode.” See the “Operating Modes” section on page 31-3 
    for information about “promiscuous mode,” where the ASA only sends a copy of the traffic to the ASA 
    IPS module.
    1. Traffic enters the ASA.
    2. Incoming VPN traffic is decrypted.
    3. Firewall policies are applied.
    4. Traffic is sent to the ASA IPS module.
    5. The ASA IPS module applies its security policy to the traffic, and takes appropriate actions.
    6. Valid traffic is sent back to the ASA; the ASA IPS module might block some traffic according to its security policy, and that traffic is not passed on.
    7. Outgoing VPN traffic is encrypted.
    8. Traffic exits the ASA.
    Figure 31-1 shows the traffic flow when running the ASA IPS module in inline mode. In this example, 
    the ASA IPS module automatically blocks traffic that it identified as an attack. All other traffic is 
    forwarded through the ASA.
    Figure 31-1 ASA IPS module Traffic Flow in the ASA: Inline Mode
    (Figure not reproduced. Labels in the figure: ASA Main System; VPN Decryption; Firewall Policy; IPS inspection; Diverted Traffic; Block; inside; outside.)
    						
    							 
    Operating Modes
    You can send traffic to the ASA IPS module using one of the following modes:
    Inline mode—This mode places the ASA IPS module directly in the traffic flow (see Figure 31-1). 
    No traffic that you identified for IPS inspection can continue through the ASA without first passing 
    through, and being inspected by, the ASA IPS module. This mode is the most secure because every 
    packet that you identify for inspection is analyzed before being allowed through. Also, the ASA IPS 
    module can implement a blocking policy on a packet-by-packet basis. This mode, however, can 
    affect throughput.
    Promiscuous mode—This mode sends a duplicate stream of traffic to the ASA IPS module. This 
    mode is less secure, but has little impact on traffic throughput. Unlike inline mode, in promiscuous 
    mode the ASA IPS module can only block traffic by instructing the ASA to shun the traffic or by 
    resetting a connection on the ASA. Also, while the ASA IPS module is analyzing the traffic, a small 
    amount of traffic might pass through the ASA before the ASA IPS module can shun it. Figure 31-2 
    shows the ASA IPS module in promiscuous mode. In this example, the ASA IPS module sends a 
    shun message to the ASA for traffic it identified as a threat.
    Figure 31-2 ASA IPS module Traffic Flow in the ASA: Promiscuous Mode
    Using Virtual Sensors (ASA 5510 and Higher)
    The ASA IPS module running IPS software Version 6.0 and later can run multiple virtual sensors, which 
    means you can configure multiple security policies on the ASA IPS module. You can assign each ASA 
    security context or single mode ASA to one or more virtual sensors, or you can assign multiple security 
    contexts to the same virtual sensor. See the IPS documentation for more information about virtual 
    sensors, including the maximum number of sensors supported.
    Figure 31-3 shows one security context paired with one virtual sensor (in inline mode), while two 
    security contexts share the same virtual sensor.
    (Figure 31-2, captioned above, not reproduced. Labels in the figure: ASA Main System; VPN Decryption; Firewall Policy; IPS inspection; Copied Traffic; Shun message; inside; outside.)
    						
    							 
    Figure 31-3 Security Contexts and Virtual Sensors
    Figure 31-4 shows a single mode ASA paired with multiple virtual sensors (in inline mode); each defined 
    traffic flow goes to a different sensor.
    Figure 31-4 Single Mode ASA with Multiple Virtual Sensors
    Information About Management Access
    You can manage the IPS application using the following methods:
    Sessioning to the module from the ASA—If you have CLI access to the ASA, then you can session 
    to the module and access the module CLI. See the “Sessioning to the Module from the ASA (May 
    Be Required)” section on page 31-11.
    Connecting to the IPS management interface using ASDM or SSH—After you launch ASDM from 
    the ASA, your management station connects to the module management interface to configure the 
    IPS application. For SSH, you can access the module CLI directly on the module management 
    interface. (Telnet access requires additional configuration in the module application). The module 
    management interface can also be used for sending syslog messages or allowing updates for the 
    module application, such as signature database updates.
    (Figures 31-3 and 31-4, captioned above, not reproduced. Figure 31-3 labels: ASA Main System; Context 1, Context 2, Context 3; IPS Sensor 1, Sensor 2. Figure 31-4 labels: ASA Main System; Traffic 1, Traffic 2, Traffic 3; IPS Sensor 1, Sensor 2, Sensor 3.)
    						
    							 
    See the following information about the management interface:
    – ASA 5510, ASA 5520, ASA 5540, ASA 5580, ASA 5585-X: The IPS management interface is a separate external Gigabit Ethernet interface.
    – ASA 5512-X, ASA 5515-X, ASA 5525-X, ASA 5545-X, ASA 5555-X: These models run the ASA IPS module as a software module. The IPS management interface shares the Management 0/0 interface with the ASA. Separate MAC addresses and IP addresses are supported for the ASA and ASA IPS module. You must perform configuration of the IPS IP address within the IPS operating system (using the CLI or ASDM). However, physical characteristics (such as enabling the interface) are configured on the ASA. You can remove the ASA interface configuration (specifically the interface name) to dedicate this interface as an IPS-only interface. This interface is management-only.
    – ASA 5505: You can use an ASA VLAN to allow access to an internal management IP address over the backplane.
    Licensing Requirements for the ASA IPS module
    The following table shows the licensing requirements for this feature:

    Model                                                         License Requirement
    ASA 5512-X, ASA 5515-X, ASA 5525-X, ASA 5545-X, ASA 5555-X    IPS Module License.
        Note: The IPS module license lets you run the IPS software module on the ASA. You must also purchase a separate IPS signature subscription; for failover, purchase a subscription for each unit. To obtain IPS signature support, you must purchase the ASA with IPS pre-installed (the part number must include “IPS”). The combined failover cluster license does not let you pair non-IPS and IPS units. For example, if you buy the IPS version of the ASA 5515-X (part number ASA5515-IPS-K9) and try to make a failover pair with a non-IPS version (part number ASA5515-K9), then you will not be able to obtain IPS signature updates for the ASA5515-K9 unit, even though it has an IPS module license inherited from the other unit.
    All other models                                              Base License.

    Guidelines and Limitations
    This section includes the guidelines and limitations for this feature.
    Context Mode Guidelines
    The ASA 5505 does not support multiple context mode, so multiple context features, such as virtual sensors, are not supported on the AIP SSC.
    Firewall Mode Guidelines
    Supported in routed and transparent firewall mode.
    Model Guidelines
    See the Cisco ASA Compatibility Matrix for information about which models support which modules:
    http://www.cisco.com/en/US/docs/security/asa/compatibility/asamatrx.html
    The ASA 5505 does not support multiple context mode, so multiple context features, such as virtual sensors, are not supported on the AIP SSC.
    The ASA IPS module for the ASA 5510 and higher supports higher performance requirements, while the ASA IPS module for the ASA 5505 is designed for a small office installation. The following features are not supported for the ASA 5505:
    – Virtual sensors
    – Anomaly detection
    – Unretirement of default retired signatures
    Additional Guidelines
    The total throughput for the ASA plus the IPS module is lower than ASA throughput alone.
    – ASA 5512-X through ASA 5555-X: See http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/qa_c67-700608.html
    – ASA 5585-X: See http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/qa_c67-617018.html
    – ASA 5505 through ASA 5540: See http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/product_data_sheet0900aecd802930c5.html
    You cannot change the software type installed on the module; if you purchase an ASA IPS module, you cannot later install other software on it.
    Default Settings
    Table 31-1 lists the default settings for the ASA IPS module.
    Note: The default management IP address on the ASA is 192.168.1.1/24.

    Table 31-1 Default Network Parameters
    Parameters                         Default
    Management VLAN (ASA 5505 only)    VLAN 1
    Management IP address              192.168.1.2/24
    Gateway                            192.168.1.1/24 (the default ASA management IP address)
    Username                           cisco
    Password                           cisco
    						