Corporate Headquarters Cisco Systems, Inc.
For the Cisco ASA 5500 Series and Cisco PIX 500 Series
Software Version 7.0(4)
OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT
LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Cisco Security Appliance Command Line Configuration Guide Copyright © 2005 Cisco Systems, Inc. All rights reserved.
CCSP, CCVP, the Cisco Square Bridge logo, Follow Me Browsing, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Access Registrar, Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, FormShare, GigaDrive, GigaStack, HomeLink, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, LightStream, Linksys, MeetingPlace, MGX, the Networkers logo, Networking Academy, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, ProConnect, RateMUX, ScriptShare, SlideCast, SMARTnet, StrataView Plus, TeleRouter, The Fastest Way to Increase Your Internet Quotient, and TransPath are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0502R)
Document Objectives
xxiiiAudience
xxiiiRelated Documentation
xxivDocument Organization
xxivDocument Conventions
xxviObtaining Documentation
xxviiCisco.com
xxviiOrdering Documentation
xxviiDocumentation Feedback
xxviiObtaining Technical Assistance
xxviiiCisco Technical Support Website
xxviiiSubmitting a Service Request
xxviiiDefinitions of Service Request Severity
xxixObtaining Additional Publications and Information
xxixP A R T 1 Getting Started and General Information
C H A P T E R 1 Introduction to the Security Appliance 1-1
Firewall Functional Overview
1-1Security Policy Overview
1-2Permitting or Denying Traffic with Access Lists
1-2Applying NAT
1-2Using AAA for Through Traffic
1-2Applying HTTP, HTTPS, or FTP Filtering
1-3Applying Application Inspection
1-3Sending Traffic to the Advanced Inspection and Prevention Security Services Module
1-3Applying QoS Policies
1-3C H A P T E R 2 Getting Started 2-1
Accessing the Command-Line Interface
2-1Setting Transparent or Routed Firewall Mode
2-2Working with the Configuration
2-3Saving Configuration Changes
2-3Viewing the Configuration
2-3Clearing and Removing Configuration Settings
2-4Creating Text Configuration Files Offline
2-4C H A P T E R 3 Enabling Multiple Context Mode 3-1
Security Context Overview
3-1Common Uses for Security Contexts
3-2Unsupported Features
3-2Context Configuration Files
3-2How the Security Appliance Classifies Packets
3-3Sharing Interfaces Between Contexts
3-6Shared Interface Guidelines
3-7Cascading Security Contexts
3-9Logging into the Security Appliance in Multiple Context Mode
3-10Enabling or Disabling Multiple Context Mode
3-10Backing Up the Single Mode Configuration
3-10Enabling Multiple Context Mode
3-10Restoring Single Context Mode
3-11C H A P T E R 4 Configuring Ethernet Settings and Subinterfaces 4-1
Configuring and Enabling RJ-45 Interfaces
4-1Configuring and Enabling Fiber Interfaces on the 4GE SSM
4-2Configuring and Enabling Subinterfaces
4-3C H A P T E R 5 Adding and Managing Security Contexts 5-1
Configuring a Security Context
5-1Removing a Security Context
5-5Changing the Admin Context
5-5Changing Between Contexts and the System Execution Space
5-5Changing the Security Context URL
5-6Reloading a Security Context
5-7Reloading by Clearing the Configuration
5-7Reloading by Removing and Re-adding the Context
Monitoring Security Contexts
5-8Viewing Context Information
5-8Viewing Resource Usage
5-9C H A P T E R 6 Configuring Interface Parameters 6-1
Security Level Overview
6-1Configuring the Interface
6-2Allowing Communication Between Interfaces on the Same Security Level
6-5C H A P T E R 7 Configuring Basic Settings 7-1
Changing the Enable Password
7-1Setting the Hostname
7-2Setting the Domain Name
7-2Setting the Date and Time
7-2Setting the Time Zone and Daylight Saving Time Date Range
7-3Setting the Date and Time Using an NTP Server
7-4Setting the Date and Time Manually
7-4Setting the Management IP Address for a Transparent Firewall
7-5C H A P T E R 8 Configuring IP Routing and DHCP Services 8-1
Configuring Static and Default Routes
8-1Configuring a Static Route
8-2Configuring a Default Route
8-3Configuring OSPF
8-3OSPF Overview
8-4Enabling OSPF
8-5Redistributing Routes Between OSPF Processes
8-5Adding a Route Map
8-6Redistributing Static, Connected, or OSPF Routes to an OSPF Process
8-7Configuring OSPF Interface Parameters
8-8Configuring OSPF Area Parameters
8-10Configuring OSPF NSSA
8-11Monitoring OSPF
8-15Restarting the OSPF Process
8-15Configuring RIP
8-16RIP Overview
8-16Enabling RIP
8-16Configuring Multicast Routing
8-17Multicast Routing Overview
8-17Enabling Multicast Routing
8-18Configuring IGMP Features
8-18Disabling IGMP on an Interface
8-19Configuring Group Membership
8-19Configuring a Statically Joined Group
8-19Controlling Access to Multicast Groups
8-19Limiting the Number of IGMP States on an Interface
8-20Modifying the Query Interval and Query Timeout
8-20Changing the Query Response Time
8-21Changing the IGMP Version
8-21Configuring Stub Multicast Routing
8-21Configuring a Static Multicast Route
8-21Configuring PIM Features
8-22Disabling PIM on an Interface
8-22Configuring a Static Rendezvous Point Address
8-22Configuring the Designated Router Priority
8-23Filtering PIM Register Messages
8-23Configuring PIM Message Intervals
8-23For More Information about Multicast Routing
8-24Configuring DHCP
8-24Configuring a DHCP Server
8-24Enabling the DHCP Server
8-24Configuring DHCP Options
8-26Using Cisco IP Phones with a DHCP Server
8-26Configuring DHCP Relay Services
8-27Configuring the DHCP Client
8-28C H A P T E R 9 Configuring IPv6 9-1
IPv6-enabled Commands
9-1Configuring IPv6 on an Interface
9-2Configuring IPv6 Default and Static Routes
9-3Configuring IPv6 Access Lists
9-4Verifying the IPv6 Configuration
9-5The show ipv6 interface Command
9-5The show ipv6 route Command
9-6Configuring a Dual IP Stack on an Interface
9-6IPv6 Configuration Example
9-7C H A P T E R 10 Configuring AAA Servers and the Local Database 10-1
AAA Overview
10-1About Authentication
10-2About Authorization
10-2About Accounting
10-2AAA Server and Local Database Support
10-3Summary of Support
10-3RADIUS Server Support
10-4Authentication Methods
10-4Attribute Support
10-4RADIUS Functions
10-4TACACS+ Server Support
10-5SDI Server Support
10-6SDI Version Support
10-6Two-step Authentication Process
10-7SDI Primary and Replica Servers
10-7NT Server Support
10-7Kerberos Server Support
10-7LDAP Server Support
10-8Local Database Support
10-8User Profiles
10-8Local Database Functions
10-8Fallback Support
10-9Configuring the Local Database
10-9Identifying AAA Server Groups and Servers
10-11Failover Link
11-3Stateful Failover Link
11-4Active/Active and Active/Standby Failover
11-5Active/Standby Failover
11-5Active/Active Failover
11-9Determining Which Type of Failover to Use
11-13Regular and Stateful Failover
11-13Regular Failover
11-13Stateful Failover
11-13Failover Health Monitoring
11-14Unit Health Monitoring
11-14Interface Monitoring
11-15Configuring Failover
11-15Configuring Active/Standby Failover
11-16Prerequisites
11-16Configuring Cable-Based Active/Standby Failover (PIX Security Appliance Only)
11-16Configuring LAN-Based Active/Standby Failover
11-18Configuring Optional Active/Standby Failover Settings
11-21Configuring Active/Active Failover
11-23Prerequisites
11-23Configuring Cable-Based Active/Active Failover (PIX security appliance Only)
11-23Configuring LAN-Based Active/Active Failover
11-25Configuring Optional Active/Active Failover Settings
11-28Configuring Failover Communication Authentication/Encryption
11-32Verifying the Failover Configuration
11-32Using the show failover Command
11-33Viewing Monitored Interfaces
11-41Displaying the Failover Commands in the Running Configuration
11-41Testing the Failover Functionality
11-41Controlling and Monitoring Failover
11-42Forcing Failover
11-42Disabling Failover
11-43Restoring a Failed Unit or Failover Group
11-43Monitoring Failover
11-43Failover System Messages
11-43Debug Messages
11-44SNMP
11-44Failover Configuration Examples
11-44Cable-Based Active/Standby Failover Example
11-45LAN-Based Active/Standby Failover Example
11-46LAN-Based Active/Active Failover Example
11-48P A R T 2 Configuring the Firewall
C H A P T E R 12 Firewall Mode Overview 12-1
Routed Mode Overview
12-1IP Routing Support
12-2Network Address Translation
12-2How Data Moves Through the Security Appliance in Routed Firewall Mode
12-3An Inside User Visits a Web Server
12-4An Outside User Visits a Web Server on the DMZ
12-5An Inside User Visits a Web Server on the DMZ
12-6An Outside User Attempts to Access an Inside Host
12-7A DMZ User Attempts to Access an Inside Host
12-8Transparent Mode Overview
12-8Transparent Firewall Features
12-9Using the Transparent Firewall in Your Network
12-10Transparent Firewall Guidelines
12-10Unsupported Features in Transparent Mode
12-11How Data Moves Through the Transparent Firewall
12-12An Inside User Visits a Web Server
12-13An Outside User Visits a Web Server on the Inside Network
12-14An Outside User Attempts to Access an Inside Host
12-15C H A P T E R 13 Identifying Traffic with Access Lists 13-1
Access List Overview
13-1Access List Types
13-2Access Control Entry Order
13-2Access Control Implicit Deny
13-3IP Addresses Used for Access Lists When You Use NAT
13-3Adding an Extended Access List
13-5Extended Access List Overview
Simplifying Access Lists with Object Grouping
13-9How Object Grouping Works
13-9Adding Object Groups
13-10Adding a Protocol Object Group
13-10Adding a Network Object Group
13-11Adding a Service Object Group
13-12Adding an ICMP Type Object Group
13-12Nesting Object Groups
13-13Using Object Groups with an Access List
13-14Displaying Object Groups
13-15Removing Object Groups
13-15Adding Remarks to Access Lists
13-16Time Range Options
13-16Logging Access List Activity
13-16Access List Logging Overview
13-17Configuring Logging for an Access Control Entry
13-18Managing Deny Flows
13-19C H A P T E R 14 Applying NAT 21
NAT Overview
21Introduction to NAT
22NAT Control
23NAT Types
25Dynamic NAT
25PAT
26Static NAT
27Static PAT
27Bypassing NAT when NAT Control is Enabled
28Policy NAT
29NAT and Same Security Level Interfaces
32Order of NAT Commands Used to Match Real Addresses
33Mapped Address Guidelines
33DNS and NAT
34Configuring NAT Control
35Using Dynamic NAT and PAT
36Dynamic NAT and PAT Implementation
36Configuring Dynamic NAT or PAT
42Using Static NAT
45Using Static PAT
46Bypassing NAT
49Configuring Identity NAT
49Configuring Static Identity NAT
50Configuring NAT Exemption
51NAT Examples
52Overlapping Networks
53Redirecting Ports
54C H A P T E R 15 Permitting or Denying Network Access 15-1
Inbound and Outbound Access List Overview
15-1Applying an Access List to an Interface
15-4C H A P T E R 16 Applying AAA for Network Access 16-1
AAA Performance
16-1Configuring Authentication for Network Access
16-1Authentication Overview
16-2Enabling Network Access Authentication
16-3Enabling Secure Authentication of Web Clients
16-4Configuring Authorization for Network Access
16-6Configuring TACACS+ Authorization
16-6Configuring RADIUS Authorization
16-7Configuring a RADIUS Server to Send Downloadable Access Control Lists
16-8Configuring a RADIUS Server to Download Per-User Access Control List Names
16-11Configuring Accounting for Network Access
16-12Using MAC Addresses to Exempt Traffic from Authentication and Authorization
16-13C H A P T E R 17 Applying Filtering Services 17-1
Filtering Overview
17-1Filtering ActiveX Objects
17-2Overview
17-2Enabling ActiveX Filtering
17-2Filtering Java Applets
17-3Buffering the Content Server Response
17-6Caching Server Addresses
17-7Filtering HTTP URLs
17-7Configuring HTTP Filtering
17-7Enabling Filtering of Long HTTP URLs
17-8Truncating Long HTTP URLs
17-8Exempting Traffic from Filtering
17-8Filtering HTTPS URLs
17-8Filtering FTP Requests
17-9Viewing Filtering Statistics and Configuration
17-10Viewing Filtering Server Statistics
17-10Viewing Buffer Configuration and Statistics
17-10Viewing Caching Statistics
17-11Viewing Filtering Performance Statistics
17-11Viewing Filtering Configuration
17-12C H A P T E R 18 Using Modular Policy Framework 18-1
Modular Policy Framework Overview
18-1Default Global Policy
18-2Identifying Traffic Using a Class Map
18-2Defining Actions Using a Policy Map
18-4Policy Map Overview
18-4Default Policy Map
18-6Adding a Policy Map
18-6Applying a Policy to an Interface Using a Service Policy
18-8Modular Policy Framework Examples
18-8Applying Inspection and QoS Policing to HTTP Traffic
18-9Applying Inspection to HTTP Traffic Globally
18-9Applying Inspection and Connection Limits to HTTP Traffic to Specific Servers
18-10Applying Inspection to HTTP Traffic with NAT
18-11C H A P T E R 19 Intercepting and Responding to Network Attacks 19-1
Configuring the AIP SSM
19-1Configuring the ASA 5500 to Divert Traffic to the AIP SSM
19-2Sessioning to the AIP SSM and Running Setup
19-3Configuring IP Audit for Basic IPS Support
19-4Configuring TCP Normalization
19-4Protecting Your Network Against Specific Attacks
19-7Preventing IP Spoofing
19-7Configuring Connection Limits and Timeouts
19-9Configuring the Fragment Size
19-10Blocking Unwanted Connections
19-10C H A P T E R 20 Applying QoS Policies 20-1
Overview
20-1QoS Concepts
20-2Identifying Traffic for QoS
20-3Classifying Traffic for QoS
20-4Defining a QoS Policy Map
20-6Applying Rate Limiting
20-6Verifying the Traffic-Policing Configuration
20-8Verifying QoS Statistics
20-8Viewing QoS Police Statistics
20-8Viewing QoS Priority-Queue Statistics
20-9Activating the Service Policy
20-9Applying Low Latency Queueing
20-9Configuring Priority Queuing
20-10Sizing the Priority Queue
20-10Reducing Queue Latency
20-10Viewing QoS Statistics
20-11Viewing the Priority-Queue Configuration for an Interface
20-12C H A P T E R 21 Applying Application Layer Protocol Inspection 21-1
Application Inspection Engines
21-1Overview
21-2How Inspection Engines Work
21-2Supported Protocols
21-3Applying Application Inspection to Selected Traffic
21-5Overview
21-5Identifying Traffic with a Traffic Class Map
21-6Enabling and Configuring CTIQBE Inspection
21-11Verifying and Monitoring CTIQBE Inspection
21-13Managing DNS Inspection
21-14How DNS Application Inspection Works
21-14How DNS Rewrite Works
21-15Configuring DNS Rewrite
21-16Using the Alias Command for DNS Rewrite
21-16Using the Static Command for DNS Rewrite
21-17Configuring DNS Rewrite
21-17DNS Rewrite with Three NAT Zones
21-17Configuring DNS Rewrite with Three NAT Zones
21-19Configuring DNS Inspection
21-19Verifying and Monitoring DNS Inspection
21-21Managing FTP Inspection
21-22FTP Inspection Overview
21-22Using the strict Option
21-22Configuring FTP Inspection
21-23Verifying and Monitoring FTP Inspection
21-26Managing GTP Inspection
21-27GTP Inspection Overview
21-27Enabling and Configuring GTP Inspection
21-28Enabling and Configuring GSN Pooling
21-31Verifying and Monitoring GTP Inspection
21-33Managing H.323 Inspection
21-34H.323 Inspection Overview
21-34How H.323 Works
21-34Limitations and Restrictions
21-36Enabling and Configuring H.323 Inspection
21-36Configuring H.225 Timeout Values
21-38Verifying and Monitoring H.323 Inspection
21-38Monitoring H.225 Sessions
21-38Monitoring H.245 Sessions
21-39Monitoring H.323 RAS Sessions
21-39Managing HTTP Inspection
21-40HTTP Inspection Overview
21-40Enabling and Configuring Advanced HTTP Inspection
21-41Managing MGCP Inspection
21-44MGCP Inspection Overview
21-44Configuring MGCP Call Agents and Gateways
21-46Configuring and Enabling MGCP Inspection
21-46Configuring MGCP Timeout Values
21-49Verifying and Monitoring MGCP Inspection
21-49Managing RTSP Inspection
21-50RTSP Inspection Overview
21-50Using RealPlayer
21-50Restrictions and Limitations
21-51Enabling and Configuring RTSP Inspection
21-51Managing SIP Inspection
21-53SIP Inspection Overview
21-53SIP Instant Messaging
21-54Enabling and Configuring SIP Inspection
21-55Configuring SIP Timeout Values
21-56Verifying and Monitoring SIP Inspection
21-57Managing Skinny (SCCP) Inspection
21-57SCCP Inspection Overview
21-58Supporting Cisco IP Phones
21-58Restrictions and Limitations
21-58Verifying and Monitoring SCCP Inspection
21-60Managing SMTP and Extended SMTP Inspection
21-61SMTP and Extended SMTP Inspection Overview
21-61Enabling and Configuring SMTP and Extended SMTP Application Inspection
21-62Managing SNMP Inspection
21-64SNMP Inspection Overview
21-64Enabling and Configuring SNMP Application Inspection
21-64Managing Sun RPC Inspection
21-67Sun RPC Inspection Overview
21-67Enabling and Configuring Sun RPC Inspection
21-67Managing Sun RPC Services
21-69Verifying and Monitoring Sun RPC Inspection
21-70C H A P T E R 22 Configuring ARP Inspection and Bridging Parameters 22-1
Setting the MAC Address Timeout
22-3Disabling MAC Address Learning
22-4Viewing the MAC Address Table
22-4P A R T 3 Configuring VPN
C H A P T E R 23 Configuring IPSec and ISAKMP 23-1
Tunneling Overview
23-1IPSec Overview
23-2Configuring ISAKMP
23-2ISAKMP Overview
23-3Configuring ISAKMP Policies
23-5Enabling ISAKMP on the Outside Interface
23-6Disabling ISAKMP in Aggressive Mode
23-6Determining an ID Method for ISAKMP Peers
23-6Enabling IPSec over NAT-T
23-7Using NAT-T
23-7Enabling IPSec over TCP
23-8Waiting for Active Sessions to Terminate Prior to Reboot
23-8Alerting Peers Before Disconnecting
23-9Configuring Certificate Group Matching
23-9Creating a Certificate Group Matching Rule and Policy
23-10Using the Tunnel-group-map default-group Command
23-11Configuring IPSec
23-11Understanding IPSec Tunnels
23-11Understanding Transform Sets
23-12Defining Crypto Maps
23-12Applying Crypto Maps to Interfaces
23-20Using Interface Access Lists
23-20Changing IPSec SA Lifetimes
23-22Creating a Basic IPSec Configuration
23-23Using Dynamic Crypto Maps
23-24Providing Site-to-Site Redundancy
23-26Viewing an IPSec Configuration
23-26Clearing Security Associations
23-27Clearing Crypto Map Configurations
23-27C H A P T E R 24 Setting General VPN Parameters 24-1
Configuring VPNs in Single, Routed Mode
24-1Configuring IPSec to Bypass ACLs
24-1Permitting Intra-Interface Traffic
24-2NAT Considerations for Intra-Interface Traffic
24-3Setting Maximum Active IPSec VPN Sessions
24-3Configuring Client Update
24-3C H A P T E R 25 Configuring Tunnel Groups, Group Policies, and Users 25-1
Overview of Tunnel Groups, Group Policies, and Users
25-1Tunnel Groups
25-2General Tunnel Group Parameters
25-2IPSec Connection Parameters
25-3Configuring Tunnel Groups
25-4Default Remote Access Tunnel Group Configuration
25-4Configuring Remote-Access Tunnel Groups
25-4Specify a Name and Type for the Remote-Access Tunnel Group
25-4Configure Remote-Access Tunnel Group General Attributes
25-5Configure Remote-Access Tunnel Group IPSec Attributes
25-6Default LAN-to-LAN Tunnel Group Configuration
25-8Configuring LAN-to-LAN Tunnel Groups
25-8Specify a Name and Type for the LAN-to-LAN Tunnel Group
25-8Configure LAN-to-LAN Tunnel Group General Attributes
25-8Configure LAN-to-LAN IPSec Attributes
25-9Group Policies
25-10Default Group Policy
25-11Configuring Group Policies
25-12Configuring Users
25-31Viewing the Username Configuration
25-31Configuring Specific Users
25-32Setting a User Password and Privilege Level
25-32Configuring User Attributes
25-33C H A P T E R 27 Configuring Remote Access VPNs 27-1
Summary of the Configuration
27-1Configuring Interfaces
27-2Configuring ISAKMP Policy and Enabling ISAKMP on the Outside Interface
27-3Configuring an Address Pool
27-4Adding a User
27-4Creating a Transform Set
27-4Defining a Tunnel Group
27-5Creating a Dynamic Crypto Map
27-6Creating a Crypto Map Entry to Use the Dynamic Crypto Map
27-7C H A P T E R 28 Configuring LAN-to-LAN VPNs 28-1
Summary of the Configuration
28-1Configuring Interfaces
28-2Configuring ISAKMP Policy and Enabling ISAKMP on the Outside Interface
28-2Creating a Transform Set
28-4Configuring an ACL
28-4Defining a Tunnel Group
28-5Creating a Crypto Map and Applying It To an Interface
28-6Applying Crypto Maps to Interfaces
28-7C H A P T E R 29 Configuring WebVPN 29-1
Observing WebVPN Security Precautions
29-2Understanding Features Not Supported for WebVPN
29-2Using SSL to Access the Central Site
29-3Using HTTPS for WebVPN Sessions
29-3Setting WebVPN HTTP/HTTPS Proxy
29-3Configuring SSL/TLS Encryption Protocols
29-4Authenticating with Digital Certificates
29-4Enabling Cookies on Browsers for WebVPN
29-4Understanding WebVPN Global and Group Policy Settings
29-5Authenticating with Digital Certificates
29-5Configuring DNS Globally
29-5Configuring Global WebVPN Attributes
29-5Creating and Applying WebVPN Policies
29-7Creating Port Forwarding, URL, and Access Lists in Global Configuration Mode
29-7Assigning Lists to Group Policies and Users in Group-Policy or User Mode
29-7Enabling Features for Group Policies and Users
29-7Assigning Users to Group Policies
29-7Using a RADIUS Server
29-7Using the Security Appliance Authentication Server
29-8Configuring WebVPN Group Policy and User Attributes
29-8Configuring Email
29-8Configuring Email Proxies
29-9Email Proxy Certificate Authentication
29-9Configuring MAPI
29-10Configuring Web Email: MS Outlook Web Access
29-10Understanding WebVPN End User Set-up
29-10Defining the End User Interface
29-10Viewing the WebVPN Home Page
29-11Viewing the WebVPN Application Access Panel
29-11Viewing the Floating Toolbar
29-12Requiring Usernames and Passwords
29-12Communicating Security Tips
29-13Configuring Remote Systems to Use WebVPN Features
29-13Recovering from hosts File Errors in Application Access
29-18Understanding the hosts File
29-19Stopping Application Access Improperly
29-19Reconfiguring hosts Files
29-20Reconfiguring hosts File Automatically Using WebVPN
29-20Reconfiguring hosts File Manually
29-21Capturing WebVPN Data
29-22WebVPN Capture Files
29-22Activating the WebVPN Capture Tool
29-22Locating and Uploading the WebVPN Capture Tool Output Files
29-24C H A P T E R 30 Configuring Certificates 30-1
Public Key Cryptography
30-1Preparing for Certificates
30-4Configuring Key Pairs
30-5Generating Key Pairs
30-5Removing Key Pairs
30-6Configuring Trustpoints
30-6Obtaining Certificates
30-8Obtaining Certificates with SCEP
30-8Obtaining Certificates Manually
30-10Configuring CRLs for a Trustpoint
30-12Exporting and Importing Trustpoints
30-14Exporting a Trustpoint Configuration
30-14Importing a Trustpoint Configuration
30-14Configuring CA Certificate Map Rules
30-15P A R T 4 System Administration
C H A P T E R 31 Managing System Access 31-1
Allowing Telnet Access
31-1Allowing SSH Access
31-2Configuring SSH Access
31-2Using an SSH Client
31-3Changing the Login Password
31-3Allowing HTTPS Access for ASDM
31-4Authenticating and Authorizing System Administrators
31-4Configuring Authentication for CLI Access
31-5Configuring Authentication To Access Privileged EXEC Mode
31-5Configuring Authentication for the Enable Command
31-6Authenticating Users Using the Login Command
31-6Configuring Command Authorization
31-7Command Authorization Overview
31-7Configuring Local Command Authorization
31-7Configuring TACACS+ Command Authorization
31-11Viewing the Current Logged-In User
31-14Recovering from a Lockout
31-15Configuring a Login Banner
31-16C H A P T E R 32 Managing Software, Licenses, and Configurations 32-1
Managing Licenses
32-1Obtaining an Activation Key
32-1Entering a New Activation Key
32-2Viewing Files in Flash Memory
32-2Downloading Files to Flash Memory from a Server
32-3Ensure Network Access to the Server
32-3Downloading Files
32-4Configuring the Application Image and ASDM Image to Boot
32-4Performing Zero Downtime Upgrades for Failover Pairs
32-5Downloading and Backing Up Configuration Files
32-6Downloading a Text File to the Startup or Running Configuration
32-6Configuring the File to Boot as the Startup Configuration
32-7Copying the Startup Configuration to the Running Configuration
32-7Backing Up the Configuration
32-8Backing up the Single Mode or Multiple Mode System Configuration
32-8Backing up a Context Configuration within the Context
32-8Copying the Configuration from the Terminal Display
32-9Configuring Auto Update Support
32-10Configuring Communication with an Auto Update Server
32-10Viewing Auto Update Status
32-11C H A P T E R 33 Monitoring and Troubleshooting 33-1
Monitoring the Security Appliance
33-1Using System Log Messages
33-1Using SNMP
33-1SNMP Overview
33-1Enabling SNMP
33-3Troubleshooting the Security Appliance
33-4Testing Your Configuration
33-4Enabling ICMP Debug Messages and System Messages
33-5Pinging Security Appliance Interfaces
33-6Pinging Through the Security Appliance
33-7Disabling the Test Configuration
33-9Reloading the Security Appliance
33-9Viewing the Crash Dump
33-13Common Problems
33-13P A R T 5 Reference
A P P E N D I X A Feature Licenses and Specifications A-1
Supported Platforms
A-1Platform Feature Licenses
A-1Security Services Module Support
A-6VPN Specifications
A-6Cisco VPN Client Support
A-6Site-to-Site VPN Compatibility
A-7Cryptographic Standards
A-7A P P E N D I X B Sample Configurations B-1
Example 1: Multiple Mode Firewall With Outside Access
B-1Example 1: System Configuration
B-2Example 1: Admin Context Configuration
B-3Example 1: Customer A Context Configuration
B-4Example 1: Customer B Context Configuration
B-4Example 1: Customer C Context Configuration
B-5Example 2: Single Mode Firewall Using Same Security Level
B-5Example 3: Shared Resources for Multiple Contexts
B-7Example 3: System Configuration
B-8Example 3: Admin Context Configuration
B-9Example 3: Department 1 Context Configuration
B-10Example 3: Department 2 Context Configuration
B-11Example 4: Multiple Mode, Transparent Firewall with Outside Access
B-12Example 4: System Configuration
B-13Example 4: Admin Context Configuration
B-14Example 4: Customer A Context Configuration
B-14Example 4: Customer B Context Configuration
B-14Example 4: Customer C Context Configuration
B-15Example 5: WebVPN Configuration
B-15A P P E N D I X C Using the Command-Line Interface C-1
Firewall Mode and Security Context Mode
C-1Command Modes and Prompts
C-2Syntax Formatting
C-3Abbreviating Commands
C-3Command-Line Editing
C-3Command Completion
C-3Command Help
C-4Filtering show Command Output
C-4Command Output Paging
C-5Adding Comments
C-5Text Configuration Files
C-6How Commands Correspond with Lines in the Text File
C-6Command-Specific Configuration Mode Commands
C-6Automatic Text Entries
C-6Line Order
C-7Commands Not Included in the Text Configuration
C-7Passwords
C-7Multiple Security Context Files
C-7A P P E N D I X D Addresses, Protocols, and Ports D-1
IPv4 Addresses and Subnet Masks
D-1Classes
D-2Private Networks
D-2Subnet Masks
D-2Determining the Subnet Mask
D-3Determining the Address to Use with the Subnet Mask
D-3IPv6 Addresses
D-5IPv6 Address Format
D-5IPv6 Address Types
D-6Unicast Addresses
D-6Multicast Address
D-8Anycast Address
D-9Required Addresses
D-10IPv6 Address Prefixes
D-10This preface introduce the Cisco Security Appliance Command Line Configuration Guide, and includes the following sections:
• Document Objectives, page xxiii
• Obtaining Documentation, page xxvii
• Documentation Feedback, page xxvii
• Obtaining Technical Assistance, page xxviii
• Obtaining Additional Publications and Information, page xxix
Document Objectives
The purpose of this guide is to help you configure the security appliance using the command-line interface. This guide does not cover every feature, but describes only the most common configuration scenarios.
You can also configure and monitor the security appliance by using ASDM, a web-based GUI application. ASDM includes configuration wizards to guide you through some common configuration scenarios, and online Help for less common scenarios. For more information, see:
http://www.cisco.com/univercd/cc/td/doc/product/netsec/secmgmt/asdm/index.htm
This guide applies to the Cisco PIX 500 series security appliances (PIX 515E, PIX 525, and PIX 535) and the Cisco ASA 5500 series security appliances (ASA 5510, ASA 5520, and ASA 5540). Throughout this guide, the term “security appliance” applies generically to all supported models, unless specified otherwise. The PIX 501, PIX 506E, and PIX 520 security appliances are not supported in software Version 7.0.
Audience
Related Documentation
For more information, refer to the following documentation:
• Cisco PIX Security Appliance Release Notes
• Cisco ASDM Release Notes
• Cisco PIX 515E Quick Start Guide
• Guide for Cisco PIX 6.2 and 6.3 Users Upgrading to Cisco PIX Software Version 7.0
• Cisco Security Appliance Command Reference
• Cisco ASA 5500 Series Quick Start Guide
• Cisco ASA 5500 Series Release Notes
• Cisco Security Appliance Logging Configuration and System Log Messages
Document Organization
This guide includes the chapters and appendixes described in Table 1.
Table 1 Document Organization
Chapter/Appendix Definition Part 1: Getting Started and General Information Chapter 1, “Introduction to the
Security Appliance”
Provides a high-level overview of the security appliance.
Chapter 2, “Getting Started” Describes how to access the command-line interface, configure the firewall mode, and work with the configuration.
Chapter 3, “Enabling Multiple Context Mode”
Describes how to use security contexts and enable multiple context mode.
Chapter 4, “Configuring Ethernet Settings and Subinterfaces”
Describes how to configure Ethernet settings for physical interfaces and add subinterfaces.
Chapter 5, “Adding and Managing Security Contexts”
Describes how to configure multiple security contexts on the security appliance.
Chapter 6, “Configuring Interface Parameters”
Describes how to configure each interface and subinterface for a name, security, level, and IP address.
Chapter 7, “Configuring Basic Settings”
Describes how to configure basic settings that are typically required for a functioning configuration.
Chapter 8, “Configuring IP Routing and DHCP Services”
Describes how to configure IP routing and DHCP.
Chapter 9, “Configuring IPv6” Describes how to enable and configure IPv6.
Chapter 10, “Configuring AAA Servers and the Local Database”
Describes how to configure AAA servers and the local database.
Chapter 11, “Configuring Failover”
Describes the failover feature, which lets you configure two security appliances so that one will take over operation if the other one fails.
Part 2: Configuring the Firewall Chapter 12, “Firewall Mode Overview”
Describes in detail the two operation modes of the security appliance, routed and transparent mode, and how data is handled differently with each mode.
Chapter 13, “Identifying Traffic with Access Lists”
Describes how to identify traffic with access lists.
Chapter 14, “Applying NAT” Describes how address translation is performed.
Chapter 15, “Permitting or Denying Network Access”
Describes how to control network access through the security appliance using access lists.
Chapter 16, “Applying AAA for Network Access”
Describes how to enable AAA for network access.
Chapter 17, “Applying Filtering Services”
Describes ways to filter web traffic to reduce security risks or prevent inappropriate use.
Chapter 18, “Using Modular Policy Framework”
Describes how to use the Modular Policy Framework to create security policies for TCP, general connection settings, inspection, and QoS.
Chapter 19, “Intercepting and Responding to Network Attacks”
Describes how to configure protection features to intercept and respond to network attacks.
Chapter 20, “Applying QoS Policies”
Describes how to configure the network to provide better service to selected network traffic over various technologies, including Frame Relay, Asynchronous Transfer Mode (ATM), Ethernet and 802.1 networks, SONET, and IP routed networks.
Chapter 21, “Applying Application Layer Protocol Inspection”
Describes how to use and configure application inspection.
Chapter 22, “Configuring ARP Inspection and Bridging Parameters”
Describes how to enable ARP inspection and how to customize bridging operations.
Part 3: Configuring VPN
Chapter 23, “Configuring IPSec and ISAKMP”
Describes how to configure ISAKMP and IPSec tunneling to build and manage VPN
“tunnels,” or secure connections between remote users and a private corporate network.
Chapter 24, “Setting General VPN Parameters”
Describes miscellaneous VPN configuration procedures.
Chapter 25, “Configuring Tunnel Groups, Group Policies, and Users”
Describes how to configure VPN tunnel groups, group policies, and users.
Chapter 26, “Configuring IP Addresses for VPNs”
Describes how to configure IP addresses in your private network addressing scheme, which let the client function as a tunnel endpoint.
Chapter 27, “Configuring Describes how to configure a remote access VPN connection.
Table 1 Document Organization (continued) Chapter/Appendix Definition
Document Conventions
Command descriptions use these conventions:
• Braces ({ }) indicate a required choice.
• Square brackets ([ ]) indicate optional elements.
• Vertical bars ( | ) separate alternative, mutually exclusive elements.
• Boldface indicates commands and keywords that are entered literally as shown.
• Italics indicate arguments for which you supply values.
Examples use these conventions:
• Examples depict screen displays and the command line in screen font.
• Information you need to enter in examples is shown in boldface screen font.
• Variables for which you must supply a value are shown in italic screen font.
Note Means reader take note. Notes contain helpful suggestions or references to material not covered in the manual.
Chapter 30, “Configuring Certificates”
Describes how to configure a digital certificates, which contains information that identifies a user or device. Such information can include a name, serial number, company,
department, or IP address. A digital certificate also contains a copy of the public key for the user or device.
Part 4: System Administration Chapter 31, “Managing System Access”
Describes how to access the security appliance for system management through Telnet, SSH, and HTTPS.
Chapter 32, “Managing Software, Licenses, and Configurations”
Describes how to enter license keys and download software and configurations files.
Chapter 33, “Monitoring and Troubleshooting”
Describes how to monitor and troubleshoot the security appliance.
Appendix A, “Feature Licenses and Specifications”
Describes the feature licenses and specifications.
Appendix B, “Sample Configurations”
Describes a number of common ways to implement the security appliance.
Appendix C, “Using the Command-Line Interface”
Describes how to use the CLI to configure the the security appliance.
Appendix D, “Addresses, Protocols, and Ports”
Provides a quick reference for IP addresses, protocols, and applications.
Table 1 Document Organization (continued) Chapter/Appendix Definition
Obtaining Documentation
Cisco documentation and additional literature are available on Cisco.com. Cisco also provides several ways to obtain technical assistance and other technical resources. These sections explain how to obtain technical information from Cisco Systems.
Cisco.com
You can access the most current Cisco documentation at this URL:
http://www.cisco.com/univercd/home/home.htm You can access the Cisco website at this URL:
http://www.cisco.com
You can access international Cisco websites at this URL:
http://www.cisco.com/public/countries_languages.shtml
Ordering Documentation
You can find instructions for ordering documentation at this URL:
http://www.cisco.com/univercd/cc/td/doc/es_inpck/pdi.htm You can order Cisco documentation in these ways:
• Registered Cisco.com users (Cisco direct customers) can order Cisco product documentation from the Ordering tool:
http://www.cisco.com/en/US/partner/ordering/index.shtml
• Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco Systems Corporate Headquarters (California, USA) at 408 526-7208 or, elsewhere in North America, by calling 1 800 553-NETS (6387).
Documentation Feedback
You can send comments about technical documentation to bug-doc@cisco.com.
You can submit comments by using the response card (if present) behind the front cover of your document or by writing to the following address:
Cisco Systems
Attn: Customer Document Ordering 170 West Tasman Drive
Obtaining Technical Assistance
For all customers, partners, resellers, and distributors who hold valid Cisco service contracts, Cisco Technical Support provides 24-hour-a-day, award-winning technical assistance. The Cisco Technical Support Website on Cisco.com features extensive online support resources. In addition, Cisco Technical Assistance Center (TAC) engineers provide telephone support. If you do not hold a valid Cisco service contract, contact your reseller.
Cisco Technical Support Website
The Cisco Technical Support Website provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies. The website is available 24 hours a day, 365 days a year, at this URL:
http://www.cisco.com/techsupport
Access to all tools on the Cisco Technical Support Website requires a Cisco.com user ID and password.
If you have a valid service contract but do not have a user ID or password, you can register at this URL:
http://tools.cisco.com/RPF/register/register.do
Note Use the Cisco Product Identification (CPI) tool to locate your product serial number before submitting a web or phone request for service. You can access the CPI tool from the Cisco Technical Support Website by clicking the Tools & Resources link under Documentation & Tools. Choose Cisco Product Identification Tool from the Alphabetical Index drop-down list, or click the Cisco Product
Identification Tool link under Alerts & RMAs. The CPI tool offers three search options: by product ID or model name; by tree view; or for certain products, by copying and pasting show command output.
Search results show an illustration of your product with the serial number label location highlighted.
Locate the serial number label on your product and record the information before placing a service call.
Submitting a Service Request
Using the online TAC Service Request Tool is the fastest way to open S3 and S4 service requests. (S3 and S4 service requests are those in which your network is minimally impaired or for which you require product information.) After you describe your situation, the TAC Service Request Tool provides recommended solutions. If your issue is not resolved using the recommended resources, your service request is assigned to a Cisco TAC engineer. The TAC Service Request Tool is located at this URL:
http://www.cisco.com/techsupport/servicerequest
For S1 or S2 service requests or if you do not have Internet access, contact the Cisco TAC by telephone.
(S1 or S2 service requests are those in which your production network is down or severely degraded.) Cisco TAC engineers are assigned immediately to S1 and S2 service requests to help keep your business operations running smoothly.
To open a service request by telephone, use one of the following numbers:
Asia-Pacific: +61 2 8446 7411 (Australia: 1 800 805 227) EMEA: +32 2 704 55 55
USA: 1 800 553-2447
For a complete list of Cisco TAC contacts, go to this URL:
http://www.cisco.com/techsupport/contacts
Definitions of Service Request Severity
To ensure that all service requests are reported in a standard format, Cisco has established severity definitions.
Severity 1 (S1)—Your network is “down,” or there is a critical impact to your business operations. You and Cisco will commit all necessary resources around the clock to resolve the situation.
Severity 2 (S2)—Operation of an existing network is severely degraded, or significant aspects of your business operation are negatively affected by inadequate performance of Cisco products. You and Cisco will commit full-time resources during normal business hours to resolve the situation.
Severity 3 (S3)—Operational performance of your network is impaired, but most business operations remain functional. You and Cisco will commit resources during normal business hours to restore service to satisfactory levels.
Severity 4 (S4)—You require information or assistance with Cisco product capabilities, installation, or configuration. There is little or no effect on your business operations.
Obtaining Additional Publications and Information
Information about Cisco products, technologies, and network solutions is available from various online and printed sources.
• Cisco Marketplace provides a variety of Cisco books, reference guides, and logo merchandise. Visit Cisco Marketplace, the company store, at this URL:
http://www.cisco.com/go/marketplace/
• The Cisco Product Catalog describes the networking products offered by Cisco Systems, as well as ordering and customer support services. Access the Cisco Product Catalog at this URL:
http://cisco.com/univercd/cc/td/doc/pcat/
• Cisco Press publishes a wide range of general networking, training and certification titles. Both new and experienced users will benefit from these publications. For current Cisco Press titles and other information, go to Cisco Press at this URL:
http://www.ciscopress.com
• Packet magazine is the Cisco Systems technical user magazine for maximizing Internet and networking investments. Each quarter, Packet delivers coverage of the latest industry trends, technology breakthroughs, and Cisco products and solutions, as well as network deployment and troubleshooting tips, configuration examples, customer case studies, certification and training information, and links to scores of in-depth online resources. You can access Packet magazine at this URL:
http://www.cisco.com/packet
• iQ Magazine is the quarterly publication from Cisco Systems designed to help growing companies learn how they can use technology to increase revenue, streamline their business, and expand
• Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering professionals involved in designing, developing, and operating public and private internets and intranets. You can access the Internet Protocol Journal at this URL:
http://www.cisco.com/ipj
• World-class networking training is available from Cisco. You can view current offerings at this URL:
http://www.cisco.com/en/US/learning/index.html
Introduction to the Security Appliance
The security appliance combines advanced stateful firewall and VPN concentrator functionality in one device, and for some models, an integrated intrusion prevention module called the AIP SSM. The security appliance includes many advanced features, such as multiple security contexts (similar to virtualized firewalls), transparent (Layer 2) firewall or routed (Layer 3) firewall operation, advanced inspection engines, IPSec and WebVPN support, and many more features. See Appendix A, “Feature Licenses and Specifications,” for a list of supported platforms and features. For a list of new features, see the Cisco ASA 5500 Series Release Notes or the Cisco PIX Security Appliance Release Notes.
Note The Cisco PIX 501 and PIX 506E security appliances are not supported in software Version 7.0.
This chapter includes the following sections:
• Firewall Functional Overview, page 1-1
• VPN Functional Overview, page 1-5
• Intrusion Prevention Services Functional Overview, page 1-5
• Security Context Overview, page 1-5
Firewall Functional Overview
Firewalls protect inside networks from unauthorized access by users on an outside network. A firewall can also protect inside networks from each other, for example, by keeping a human resources network separate from a user network. If you have network resources that need to be available to an outside user, such as a web or FTP server, you can place these resources on a separate network behind the firewall, called a demilitarized zone (DMZ). The firewall allows limited access to the DMZ, but because the DMZ only includes the public servers, an attack there only affects the servers and does not affect the other inside networks. You can also control when inside users access outside networks (for example, access to the Internet), by allowing only certain addresses out, by requiring authentication or authorization, or by coordinating with an external URL filtering server.
This section includes the following topics:
• Security Policy Overview, page 1-2
• Firewall Mode Overview, page 1-3
• Stateful Inspection Overview, page 1-4
Security Policy Overview
A security policy determines which traffic is allowed to pass through the firewall to access another network. By default, the security appliance allows traffic to flow freely from an inside network (higher security level) to an outside network (lower security level). You can apply actions to traffic to customize the security policy. This section includes the following topics:
• Permitting or Denying Traffic with Access Lists, page 1-2
• Applying NAT, page 1-2
• Using AAA for Through Traffic, page 1-2
• Applying HTTP, HTTPS, or FTP Filtering, page 1-3
• Applying Application Inspection, page 1-3
• Sending Traffic to the Advanced Inspection and Prevention Security Services Module, page 1-3
• Applying QoS Policies, page 1-3
• Applying Connection Limits and TCP Normalization, page 1-3
Permitting or Denying Traffic with Access Lists
You can apply an access list to limit traffic from inside to outside, or allow traffic from outside to inside.
For transparent firewall mode, you can also apply an EtherType access list to allow non-IP traffic.
Applying NAT
Some of the benefits of NAT include the following:
• You can use private addresses on your inside networks. Private addresses are not routable on the Internet.
• NAT hides the local addresses from other networks, so attackers cannot learn the real address of a host.
• NAT can resolve IP routing problems by supporting overlapping IP addresses.
Using AAA for Through Traffic
You can require authentication and/or authorization for certain types of traffic, for example, for HTTP.
The security appliance also sends accounting information to a RADIUS or TACACS+ server.
Applying HTTP, HTTPS, or FTP Filtering
Although you can use access lists to prevent outbound access to specific websites or FTP servers, configuring and managing web usage this way is not practical because of the size and dynamic nature of the Internet. We recommend that you use the security appliance in conjunction with a separate server running one of the following Internet filtering products:
• Websense Enterprise
• Sentian by N2H2
Applying Application Inspection
Inspection engines are required for services that embed IP addressing information in the user data packet or that open secondary channels on dynamically assigned ports. These protocols require the security appliance to do a deep packet inspection.
Sending Traffic to the Advanced Inspection and Prevention Security Services Module
If your model supports the AIP SSM for intrusion prevention, then you can send traffic to the AIP SSM for inspection.
Applying QoS Policies
Some network traffic, such as voice and streaming video, cannot tolerate long latency times. QoS is a network feature that lets you give priority to these types of traffic. QoS refers to the capability of a network to provide better service to selected network traffic over various technologies for the best overall services with limited bandwidth of the underlying technologies.
Applying Connection Limits and TCP Normalization
You can limit TCP and UDP connections and embryonic connections. Limiting the number of
connections and embryonic connections protects you from a DoS attack. The security appliance uses the embryonic limit to trigger TCP Intercept, which protects inside systems from a DoS attack perpetrated by flooding an interface with TCP SYN packets. An embryonic connection is a connection request that has not finished the necessary handshake between source and destination.
TCP normalization is a feature consisting of advanced TCP connection settings designed to drop packets that do not appear normal.
Firewall Mode Overview
The security appliance runs in two different firewall modes:
You might use a transparent firewall to simplify your network configuration. Transparent mode is also useful if you want the firewall to be invisible to attackers. You can also use a transparent firewall for traffic that would otherwise be blocked in routed mode. For example, a transparent firewall can allow multicast streams using an EtherType access list.
Stateful Inspection Overview
All traffic that goes through the security appliance is inspected using the Adaptive Security Algorithm and either allowed through or dropped. A simple packet filter can check for the correct source address, destination address, and ports, but it does not check that the packet sequence or flags are correct. A filter also checks every packet against the filter, which can be a slow process.
A stateful firewall like the security appliance, however, takes into consideration the state of a packet:
• Is this a new connection?
If it is a new connection, the security appliance has to check the packet against access lists and perform other tasks to determine if the packet is allowed or denied. To perform this check, the first packet of the session goes through the “session management path,” and depending on the type of traffic, it might also pass through the “control plane path.”
The session management path is responsible for the following tasks:
– Performing the access list checks – Performing route lookups
– Allocating NAT translations (xlates) – Establishing sessions in the “fast path”
Note The session management path and the fast path make up the “accelerated security path.”
Some packets that require Layer 7 inspection (the packet payload must be inspected or altered) are passed on to the control plane path. Layer 7 inspection engines are required for protocols that have two or more channels: a data channel, which uses well-known port numbers, and a control channel, which uses different port numbers for each session. These protocols include FTP, H.323, and SNMP.
• Is this an established connection?
If the connection is already established, the security appliance does not need to re-check packets;
most matching packets can go through the fast path in both directions. The fast path is responsible for the following tasks:
– IP checksum verification – Session lookup
– TCP sequence number check
– NAT translations based on existing sessions – Layer 3 and Layer 4 header adjustments
For UDP or other connectionless protocols, the security appliance creates connection state information so that it can also use the fast path.
Data packets for protocols that require Layer 7 inspection can also go through the fast path.