6729011-asdmp

ASDM User GuideVersion 5.2(1) May 2006

Corporate Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 526-4100

Text Part Number: OL-10106-01

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS. THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY. The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCBs public domain version of the UNIX operating system. All rights reserved. Copyright 1981, Regents of the University of California. NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED AS IS WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

CCSP, CCVP, the Cisco Square Bridge logo, Follow Me Browsing, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and Quick Study are service marks of Cisco Systems, Inc.; and Access Registrar, Aironet, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, FormShare, GigaDrive, GigaStack, HomeLink, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, LightStream, Linksys, MeetingPlace, MGX, the Networkers logo, Networking Academy, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, ProConnect, RateMUX, ScriptShare, SlideCast, SMARTnet, The Fastest Way to Increase Your Internet Quotient, and TransPath are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries. All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0601R)

Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental. ASDM User Guide 2006 Cisco Systems, Inc. All rights reserved.

C ON T E N T SPrefacexxix xxix xxix

Related Documentation Document Conventions

Obtaining Documentation xxx Cisco.com xxx Product Documentation DVD xxx Ordering Documentation xxxi Documentation Feedbackxxxi

Cisco Product Security Overview xxxi Reporting Security Problems in Cisco Products

xxxii

Obtaining Technical Assistance xxxii Cisco Technical Support & Documentation Website Submitting a Service Request xxxiii Definitions of Service Request Severity xxxiii Obtaining Additional Publications and Information1xxxiv

xxxii

CHAPTER

Welcome to ASDM Important Notes

1-1 1-1 1-2

New in This Release

Unsupported Commands 1-2 Ignored and View-Only Commands Effects of Unsupported Commands Other CLI Limitations 1-4 About the ASDM Window 1-4 Menus 1-4 File Menu 1-4 Options Menu 1-7 Tools Menu 1-9 Wizards Menu 1-19 Help Menu 1-19 Toolbar 1-20 Status Bar 1-21 Connection to Device 1-21 Buttons That Appear on Many Panels

1-2 1-3

1-21ASDM User Guide

OL-10106-01

iii

Contents

About the Help Window 1-22 Header Buttons 1-22 Notes 1-22 Home Page 1-22 Home 1-23 Home > Content Security Tab2

1-24

CHAPTER

Before You Start

2-1

Factory Default Configurations 2-1 Restoring the Factory Default Configuration ASA 5505 Default Configuration 2-2 ASA 5510 and Higher Default Configuration PIX 515/515E Default Configuration 2-4

2-2

2-3

Configuring the Security Appliance for ASDM Access Setting Transparent or Routed Firewall Mode at the CLI Downloading the ASDM Launcher2-6

2-4 2-5

Starting ASDM 2-6 Starting ASDM from the ASDM Launcher 2-6 Using ASDM in Demo Mode 2-7 Starting ASDM from a Web Browser 2-8 History Metrics2-9 2-9

Configuration Overview3

CHAPTER

Using the Startup Wizard

3-1

Startup Wizard 3-1 Starting Point 3-3 Basic Configuration 3-4 Outside Interface Configuration 3-5 Internet (Outside) VLAN Configuration 3-7 Outside Interface Configuration - PPPoE 3-8 Internet (Outside) VLAN Configuration - PPPoE Inside Interface Configuration 3-11 Business (Inside) VLAN Configuration 3-12 DMZ Interface Configuration 3-14 Home (DMZ) VLAN Configuration 3-15 Switch Port Allocation 3-17 General Interface Configuration 3-18 Static Routes 3-19

3-10

ASDM User Guide

iv

OL-10106-01

Contents

Add/Edit Static Routes 3-19 Route Monitoring Options 3-19 Auto Update Server 3-19 DHCP Server 3-20 Address Translation (NAT/PAT) 3-22 Administrative Access 3-23 Add/Edit Administrative Access Entry 3-24 Easy VPN Remote Configuration 3-25 Management IP Address Configuration 3-28 Other Interfaces Configuration 3-28 Edit Interface 3-29 Startup Wizard Summary 3-304

CHAPTER

Configuring Interfaces

4-1 4-1

Security Level Overview

Configuring the Interfaces 4-2 Interfaces (System) 4-2 Add/Edit Interface 4-3 Hardware Properties 4-4 Interfaces (Single Mode and Context) 4-5 Add/Edit Interface > General 4-7 Add/Edit Interface > Advanced 4-9 PPPoE IP Address and Route Settings 4-10 Hardware Properties 4-115

CHAPTER

Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance 5-13 Interface Overview 5-13 Understanding ASA 5505 Ports and Interfaces 5-14 Maximum Active VLAN Interfaces for Your License 5-14 Default Interface Configuration 5-15 VLAN MAC Addresses 5-16 Power Over Ethernet 5-16 Security Level Overview 5-16 Configuring VLAN Interfaces 5-17 Interfaces > Interfaces 5-17 Add/Edit Interface > General 5-19 Add/Edit Interface > Advanced 5-22 Configuring Switch Ports5-23

ASDM User Guide OL-10106-01

v

Contents

Interfaces > Switch Ports Edit Switch Port 5-246

5-23

CHAPTER

Global Objects

6-1

Configuring Network Object Groups 6-1 Network Object Groups 6-1 Add/Edit Network Object Group 6-2 Browse Address 6-3 Configuring IP Names 6-4 IP Names 6-4 Add/Edit IP Name 6-5 Configuring Service Groups 6-5 Service Groups 6-6 Add/Edit Service Group 6-7 Browse Service Groups 6-7 Configuring Class Maps 6-8 DNS Class Map 6-8 Add/Edit DNS Traffic Class Map 6-9 Add/Edit DNS Match Criterion 6-10 Manage Regular Expressions 6-11 Manage Regular Expression Class Maps FTP Class Map 6-13 Add/Edit FTP Traffic Class Map 6-13 Add/Edit FTP Match Criterion 6-14 H.323 Class Map 6-16 Add/Edit H.323 Traffic Class Map 6-16 Add/Edit H.323 Match Criterion 6-17 HTTP Class Map 6-18 Add/Edit HTTP Traffic Class Map 6-19 Add/Edit HTTP Match Criterion 6-19 IM Class Map 6-23 Add/Edit IM Traffic Class Map 6-24 Add/Edit IM Match Criterion 6-24 SIP Class Map 6-26 Add/Edit SIP Traffic Class Map 6-27 Add/Edit SIP Match Criterion 6-28 Configuring Inspect Maps 6-30 DCERPC Inspect Map 6-32 Customize Security Level 6-33ASDM User Guide

6-12

vi

OL-10106-01

Contents

DCERPC Inspect Map Basic/Advanced Viewl 6-34 DNS Inspect Map 6-35 Customize Security Level 6-36 DNS Inspect Map Basic View 6-37 DNS Inspect Map Advanced View 6-38 Add/Edit DNS Inspect 6-40 Manage Class Maps 6-41 ESMTP Inspect Map 6-42 Customize Security Level 6-43 MIME File Type Filtering 6-45 ESMTP Inspect Map Basic View 6-45 ESMTP Inspect Map Advanced View 6-46 Add/Edit ESMTP Inspect 6-47 FTP Inspect Map 6-51 Customize Security Level 6-52 File Type Filtering 6-52 FTP Inspect Map Basic View 6-53 FTP Inspect Map Advanced View 6-53 Add/Edit FTP Map 6-54 GTP Inspect Map 6-56 Customize Security Level 6-57 IMSI Prefix Filtering 6-58 GTP Inspect Map Basic View 6-59 GTP Inspect Map Advanced View 6-60 Add/Edit GTP Map 6-61 H.323 Inspect Map 6-63 Customize Security Level 6-64 Phone Number Filtering 6-65 H.323 Inspect Map Basic View 6-65 H.323 Inspect Map Advanced View 6-66 Add/Edit HSI Group 6-67 Add/Edit H.323 Map 6-68 HTTP Inspect Map 6-69 Customize Security Level 6-70 URI Filtering 6-71 HTTP Inspect Map Basic View 6-72 HTTP Inspect Map Advanced View 6-72 Add/Edit HTTP Map 6-73 Instant Messaging (IM) Inspect Map 6-77 Instant Messaging (IM) Inspect Map View 6-78ASDM User Guide OL-10106-01

vii

Contents

Add/Edit IM Map 6-79 IPSec Pass Through Inspect Map 6-81 Customize Security Level 6-82 IPSec Pass Through Inspect Map Basic View 6-83 IPSec Pass Through Inspect Map Advanced View 6-84 MGCP Inspect Map 6-84 Gateways and Call Agents 6-85 MGCP Inspect Map View 6-86 Add/Edit MGCP Group 6-87 NetBIOS Inspect Map 6-88 NetBIOS Inspect Map View 6-88 RADIUS Inspect Map 6-89 RADIUS Inspect Map Host 6-89 RADIUS Inspect Map Other 6-90 SCCP (Skinny) Inspect Map 6-91 Customize Security Level 6-92 Message ID Filtering 6-93 SCCP (Skinny) Inspect Map Basic View 6-94 SCCP (Skinny) Inspect Map Advanced View 6-94 Add/Edit Message ID Filter 6-95 SIP Inspect Map 6-96 Customize Security Level 6-98 SIP Inspect Map Basic View 6-99 SIP Inspect Map Advanced View 6-99 Add/Edit SIP Inspect 6-101 SNMP Inspect Map 6-103 Add/Edit SNMP Map 6-104 Configuring Regular Expressions 6-104 Regular Expressions 6-104 Add/Edit Regular Expression 6-105 Build Regular Expression 6-107 Test Regular Expression 6-109 Add/Edit Regular Expression Class Map TCP Maps 6-110 Add/Edit TCP Map6-111

6-110

Configuring Time Ranges 6-112 Add/Edit Time Range 6-113 Add/Edit Periodic Time Range

6-114

ASDM User Guide

viii

OL-10106-01

Contents

CHAPTER

7

Configuring Security Contexts

7-1

Security Context Overview 7-1 Common Uses for Security Contexts 7-2 Unsupported Features 7-2 Context Configuration Files 7-2 How the Security Appliance Classifies Packets 7-2 Valid Classifier Criteria 7-3 Invalid Classifier Criteria 7-4 Classification Examples 7-4 Cascading Security Contexts 7-7 Management Access to Security Contexts 7-8 System Administrator Access 7-8 Context Administrator Access 7-9 Enabling or Disabling Multiple Context Mode at the CLI Backing Up the Single Mode Configuration 7-9 Enabling Multiple Context Mode 7-9 Restoring Single Context Mode 7-10 Configuring Resource Classes 7-10 Classes and Class Members Overview Resource Limits 7-11 Default Class 7-12 Class Members 7-13 Adding a Resource Class 7-13 Resource Class 7-13 Add/Edit Resource Class 7-14 Configuring Security Contexts 7-16 Security Contexts 7-16 Add/Edit Context 7-18 Add/Edit Interface Allocation 7-1887-10 7-9

CHAPTER

Configuring Device Properties Management IP8-1

8-1

Device Administration 8-2 Banner 8-2 Boot Image/Configuration 8-3 Add Boot Image 8-4 Clock 8-4 Console 8-5 Device 8-5ASDM User Guide OL-10106-01

ix

Contents

FTP Mode 8-6 ICMP Rules 8-7 Add/Edit ICMP Rule 8-8 Management Access 8-9 NTP 8-10 Add/Edit NTP Server Configuration 8-11 Password 8-12 Secure Copy 8-13 SMTP 8-13 SNMP 8-14 Add/Edit SNMP Host Access Entry 8-17 SNMP Trap Configuration 8-18 TFTP Server 8-19 User Accounts 8-21 Add/Edit User Account > Identity Tab 8-22 Add/Edit User Account > VPN Policy Tab 8-23 Add/Edit User Account > WebVPN Tab 8-25 Auto Update 8-29 Set Polling Schedule 8-31 Add/Edit Auto Update Server 8-31 Advanced Auto Update Settings 8-32 Client Update 8-32 Add/Edit Client Update8-34 8-34

CHAPTER

9

DHCP and DNS Services

9-1

DHCP Relay 9-1 Edit DHCP Relay Agent Settings 9-2 DHCP Relay - Add/Edit DHCP Server 9-3 DHCP Server 9-4 Edit DHCP Server 9-6 Advanced DHCP Options

9-7

DNS Client 9-9 Add/Edit DNS Server Group

9-9

Dynamic DNS 9-10 Add/Edit Dynamic DNS Update Methods 9-11 Add/Edit Dynamic DNS Interface Settings 9-12

ASDM User Guide

x

OL-10106-01

Contents

CHAPTER

10

Configuring AAA Servers

10-1

Understanding AAA 10-1 AAA Overview 10-1 Preparing for AAA 10-2 LOCAL Database 10-3 AAA Implementation in ASDM 10-3 AAA for Device Administration 10-3 AAA for Network Access 10-4 AAA for VPN Access 10-4 AAA Setup 10-4 AAA Server Groups 10-4 Add/Edit AAA Server Group 10-6 Edit AAA Local Server Group 10-7 Add/Edit AAA Server 10-7 Test AAA Server 10-12 Auth. Prompt 10-13 LDAP Attribute Map 10-14 Add/Edit LDAP Attribute Map 10-1411

CHAPTER

Configuring Device Access

11-1

AAA Access 11-1 Authentication Tab 11-1 Authorization Tab 11-2 Command Privileges Setup 11-3 Predefined User Account Command Privilege Setup Accounting Tab 11-5 HTTPS/ASDM 11-6 Add/Edit HTTP Configuration Secure Shell 11-7 Add/Edit SSH Configuration Telnet 11-8 Add/Edit Telnet Configuration1211-6

11-4

11-8

11-9

CHAPTER

Failover

12-1

Understanding Failover 12-1 Active/Standby Failover 12-2 Active/Active Failover 12-2 Stateless (Regular) Failover 12-3


xi

Contents

Stateful Failover

12-3

Configuring Failover with the High Availability and Scalability Wizard 12-4 Accessing and Using the High Availability and Scalability Wizard 12-4 Configuring Active/Active Failover with the High Availability and Scalability Wizard 12-4 Configuring Active/Standby Failover with the High Availability and Scalability Wizard 12-5 Configuring VPN Load Balancing with the High Availability and Scalability Wizard 12-6 Field Information for the High Availability and Scalability Wizard 12-7 Choose the Type of Failover Configuration 12-7 Check Failover Peer Connectivity and Compatibility 12-8 Change Device to Multiple Mode 12-8 Select Failover Communication Media 12-9 Security Context Configuration 12-9 Failover Link Configuration 12-10 State Link Configuration 12-11 Standby Address Configuration 12-11 VPN Cluster Load Balancing Configuration 12-12 Summary 12-14 Field Information for the Failover Panes 12-14 Failover - Single Mode 12-15 Failover: Setup 12-15 Failover: Interfaces (Routed Firewall Mode) 12-17 Failover: Interfaces (Transparent Firewall Mode) 12-19 Failover: Criteria 12-20 Failover: MAC Addresses 12-21 Add/Edit Interface MAC Address 12-22 Failover-Multiple Mode, Security Context 12-23 Failover - Routed 12-23 Failover - Transparent 12-25 Failover-Multiple Mode, System 12-26 Failover > Setup Tab 12-26 Failover > Criteria Tab 12-28 Failover > Active/Active Tab 12-29 Failover > MAC Addresses Tab 12-3313

CHAPTER

Configuring Logging

13-1

Logging Setup 13-1 Configure FTP Settings 13-2 Configure Logging Flash Usage E-Mail Setup13-3

13-2

ASDM User Guide

xii

OL-10106-01

Contents

Add/Edit E-Mail Recipient

13-3

Event Lists 13-4 Add/Edit Event List 13-5 Add/Edit Class and Severity Filter 13-7 Add/Edit Syslog Message ID Filter 13-8 Logging Filters 13-9 Edit Logging Filters13-9

Rate Limit 13-11 Edit Rate Limit for Syslog Logging Level 13-12 Add/Edit Rate Limit for Syslog Message 13-13 Syslog Servers 13-13 Add/Edit Syslog Server 13-14 Specify Filter Interfaces 13-15 Syslog Setup 13-15 Edit Syslog ID Settings 13-16 Advanced Syslog Configuration14

13-17

CHAPTER

Configuring Dynamic And Static Routing Dynamic Routing 14-1 OSPF 14-1 Setup 14-2 Filtering 14-8 Interface 14-10 Redistribution 14-15 Static Neighbor 14-17 Summary Address 14-18 Virtual Link 14-20 RIP 14-22 Global Setup 14-23 Interface 14-24 Filter Rules 14-26 Route Redistribution 14-27

14-1

Static Routes 14-29 Static Route Tracking 14-30 Configuring Static Route Tracking 14-30 Field Information for Static Routes 14-31 Static Routes 14-31 Add/Edit Static Route 14-32 Route Monitoring Options 14-33ASDM User Guide OL-10106-01

xiii

Contents

Proxy ARPs15

14-34

CHAPTER

Configuring Multicast Routing

15-1

IGMP 15-1 Access Group 15-2 Add/Edit Access Group 15-2 Join Group 15-3 Add/Edit IGMP Join Group 15-4 Protocol 15-4 Configure IGMP Parameters 15-5 Static Group 15-6 Add/Edit IGMP Static Group 15-6 Multicast Route 15-7 Add/Edit Multicast Route PIM15-8 15-8

Protocol 15-9 Edit PIM Protocol 15-9 Rendezvous Points 15-10 Add/Edit Rendezvous Point 15-11 Request Filter 15-12 Request Filter Entry 15-13 Route Tree 15-1416

CHAPTER

Firewall Mode Overview

16-1

Routed Mode Overview 16-1 IP Routing Support 16-2 Network Address Translation 16-2 How Data Moves Through the Security Appliance in Routed Firewall Mode An Inside User Visits a Web Server 16-4 An Outside User Visits a Web Server on the DMZ 16-5 An Inside User Visits a Web Server on the DMZ 16-6 An Outside User Attempts to Access an Inside Host 16-7 A DMZ User Attempts to Access an Inside Host 16-8 Transparent Mode Overview 16-8 Transparent Firewall Features 16-9 Using the Transparent Firewall in Your Network 16-10 Transparent Firewall Guidelines 16-10 Unsupported Features in Transparent Mode 16-11 How Data Moves Through the Transparent Firewall 16-12ASDM User Guide

16-3

xiv

OL-10106-01

Contents

An Inside User Visits a Web Server 16-13 An Outside User Visits a Web Server on the Inside Network An Outside User Attempts to Access an Inside Host 16-1517

16-14

CHAPTER

Configuring Access Rules

17-1

Access Rules 17-1 Rule Queries 17-3 New/Edit Rule Query 17-4 Add/Edit Access Rule 17-5 Manage Service Groups 17-7 Add/Edit Service Group 17-8 Advanced Access Rule Configuration Log Options 17-918

17-8

CHAPTER

Configuring EtherType Rules

18-1 18-1

Ethertype Rules (Transparent Mode Only) Add/Edit EtherType Rule 18-219

CHAPTER

Configuring AAA Rules AAA Performance

19-1

19-1

Configuring AAA Rules 19-1 AAA Rules 19-1 Add/Edit Authentication Rule 19-4 Add/Edit Authorization Rule 19-7 Add/Edit Accounting Rule 19-10 Add/Edit MAC Exempt Rule 19-12 Advanced AAA Configuration 19-12 Configuring a RADIUS Server for Authorization 19-13 Configuring a RADIUS Server to Send Downloadable Access Control Lists 19-13 Configuring a RADIUS Server to Download Per-User Access Control List Names 19-1720

CHAPTER

Configuring Filter Rules

20-1

URL Filtering 20-1 Add/Edit Parameters for Websense URL Filtering 20-3 Add/Edit Parameters for Secure Computing SmartFilter URL Filtering Advanced URL Filtering 20-4 Filter Rules 20-5 Select Source20-7

20-3


xv

Contents

Rule Query 20-7 Add/Edit Filter Rule 20-8 Browse Source/Destination Address21

20-10

CHAPTER

Configuring Service Policy Rules Configuring Service Policy Rules

21-1 21-1

Service Policy Rules 21-1 Service Policy 21-3 Edit Service Policy 21-4 Traffic Classification Criteria 21-4 Default Inspections 21-5 Management Type Traffic Class and Action 21-5 Select RADIUS Accounting Map 21-6 Add RADIUS Accounting Policy Map 21-6 Using Default Inspection Traffic Criteria 21-7 Changing Default Ports for Application Inspection 21-8 Configuring Application Inspection with Multiple Ports 21-9 Source and Destination Address (This dialog is called ACL in other contexts) Destination Port 21-13 RTP Ports 21-13 IP Precedence 21-14 IP DiffServ CodePoints (DSCP) 21-14 Rule Actions > Protocol Inspection Tab 21-15 Select DCERPC Map 21-17 Configure DNS 21-17 Select DNS Map 21-18 Select ESMTP Map 21-18 Select FTP Map 21-19 Select GTP Map 21-19 Select H.323 Map 21-20 Select HTTP Map 21-20 Select IM Map 21-21 Select IPSec-Pass-Thru Map 21-21 Select MGCP Map 21-22 Select NETBIOS Map 21-22 Select SCCP (Skinny) Map 21-23 Select SIP Map 21-23 Select SNMP Map 21-24 Rule Actions > Intrusion Prevention Tab 21-24

21-10

ASDM User Guide

xvi

OL-10106-01

Contents

Rule Actions > CSC Scan Tab 21-25 Rule Actions > Connection Settings Tab 21-26 Rule Actions > QoS Tab 21-27 Edit Class Map 21-28 Edit Rule 21-28 Edit Service Policy Rule > Traffic Classification Tab Tunnel Group 21-31 SUNRPC Server 21-32 Add/Edit SUNRPC Service2221-32

21-30

CHAPTER

NAT

22-1 22-1

NAT

Add/Edit Static NAT Rule 22-4 Add/Edit Dynamic NAT Rule 22-5 NAT Options 22-6 Global Pools 22-7 Add/Edit Static Policy NAT Rule 22-9 Add/Edit Dynamic Policy NAT Rule 22-10 Add/Edit NAT Exempt Rule 22-11 Add/Edit Identity NAT Rule 22-1223

CHAPTER

Configuring ARP Inspection and Bridging Parameters Configuring ARP Inspection 23-1 ARP Inspection 23-1 Edit ARP Inspection Entry 23-2 ARP Static Table 23-3 Add/Edit ARP Static Configuration

23-1

23-4

Customizing the MAC Address Table 23-4 MAC Address Table 23-5 Add/Edit MAC Address Entry 23-6 MAC Learning 23-624

CHAPTER

Preventing Network Attacks

24-1 24-1

Connection Settings (Transparent Mode Only) Set/Edit Connection Settings 24-2 IP Audit 24-3 IP Audit Policy 24-3 Add/Edit IP Audit Policy Configuration IP Audit Signatures 24-5

24-4


xvii

Contents

IP Audit Signature List Fragment 24-10 Show Fragment 24-11 Edit Fragment 24-12 Anti-Spoofing24-12

24-6

TCP Options 24-13 TCP Reset Settings Timeouts2524-16

24-15

CHAPTER

Configuring QoS

25-1

Priority Queue 25-1 Edit Priority Queue 25-1 WCCP 25-3 WCCP Service Groups 25-3 Add or Edit WCCP Service Group 25-3 Redirection 25-4 Add or Edit WCCP Redirection 25-4 WCCP 25-5 WCCP Service Groups 25-5 Redirection 25-526

CHAPTER

VPN

26-1

VPN Wizard 26-1 VPN Tunnel Type 26-2 Remote Site Peer 26-3 IKE Policy 26-4 IPSec Encryption and Authentication 26-5 Local Hosts and Networks 26-6 Summary 26-7 Remote Access Client 26-8 VPN Client Authentication Method and Tunnel Group Name Client Authentication 26-10 New Authentication Server Group 26-10 User Accounts 26-11 Address Pool 26-12 Attributes Pushed to Client 26-12 Address Translation Exemption 26-13

26-9

ASDM User Guide

xviii

OL-10106-01

Contents

CHAPTER

27

IKE

27-1

Certificate Group Matching 27-1 Policy 27-1 Rules 27-2 Add/Edit Certificate Matching Rule 27-3 Add/Edit Certificate Matching Rule Criterion Global Parameters27-5

27-3

Policies 27-8 Add/Edit IKE Policy

27-9

IP Address Management 27-10 Assignment 27-11 IP Pools 27-11 Add/Edit IP Pool 27-12 IPSec 27-12 IPSec Rules 27-13 Tunnel Policy (Crypto Map) - Basic 27-15 Tunnel Policy (Crypto Map) - Advanced 27-16 Tunnel Policy (Crypto Map) -Traffic Selection 27-16 Pre-Fragmentation 27-18 Edit IPSec Pre-Fragmentation Policy 27-20 Transform Sets 27-20 Add/Edit Transform Set 27-21 Tunnel Policy 27-22 Add/Edit Tunnel Policy 27-23 Tunnel Policy Advanced Settings 27-24 Load Balancing NAC2827-28 27-25

CHAPTER

General

28-1

Client Update 28-1 Edit Client Update Entry Default Tunnel Gateway28-4

28-3

Group Policy 28-4 Add/Edit External Group Policy 28-6 Add AAA Server Group 28-6 Add/Edit Internal Group Policy > General Tab Browse Time Range 28-8 Add/Edit Time Range 28-9

28-7


xix

Contents

Add/Edit Recurring Time Range

28-10

ACL Manager 28-11 Standard ACL Tab 28-11 Extended ACL Tab 28-12 Add/Edit/Paste ACE 28-13 Browse Source/Destination Address 28-15 Browse Source/Destination Port 28-15 Add TCP Service Group 28-16 Browse ICMP 28-17 Add ICMP Group 28-17 Browse Other 28-18 Add Protocol Group 28-18 Add/Edit Internal Group Policy > IPSec Tab 28-19 Add/Edit Client Access Rule 28-20 Add/Edit Internal Group Policy > Client Configuration Tab 28-21 Add/Edit Internal Group Policy > Client Configuration Tab > General Client Parameters Tab 28-21 View/Config Banner 28-22 Add/Edit Internal Group Policy > Client Configuration Tab > Cisco Client Parameters Tab Add/Edit Internal Group Policy > Client Configuration Tab > Microsoft Client Parameters Tab 28-24 Add/Edit Standard Access List Rule 28-25 Add/Edit Internal Group Policy > Client Firewall Tab 28-26 Add/Edit Internal Group Policy > Hardware Client Tab 28-28 Add/Edit Internal Group Policy > NAC Tab 28-31 Add/Edit Posture Validation Exception 28-32 WebVPN Tab > Functions Tab 28-32 Add/Edit Group Policy > WebVPN Tab > Content Filtering Tab 28-34 Add/Edit Group Policy > WebVPN Tab > Homepage Tab 28-35 Add/Edit Group Policy > WebVPN Tab > Port Forwarding Tab 28-36 Add/Edit Port Forwarding List 28-37 Add/Edit Port Forwarding Entry 28-37 Add/Edit Group Policy > WebVPN Tab > Other Tab 28-38 Add/Edit Server and URL List 28-39 Add/Edit Server or URL 28-39 Add/Edit Group Policy > WebVPN Tab > SSL VPN Client Tab 28-39 Add/Edit Group Policy > WebVPN Tab > Auto Signon Tab 28-41 ACLs 28-42 Tunnel Group 28-43 Add/Edit Tunnel Group > General Tab > Basic TabASDM User Guide

28-23

28-44

xx

OL-10106-01

Contents

Add/Edit Tunnel Group > General Tab > Authentication Tab 28-45 Add/Edit Tunnel Group > General Tab > Authorization Tab 28-46 Add/Edit Tunnel Group > General Tab > Accounting Tab 28-47 Add/Edit Tunnel Group > General Tab > Client Address Assignment Tab 28-48 Add/Edit Tunnel Group > General Tab > Advanced Tab 28-48 Add/Edit Tunnel Group > IPSec for Remote Access > IPSec Tab 28-49 Add/Edit Tunnel Group > PPP Tab 28-51 Add/Edit Tunnel Group > IPSec for LAN to LAN Access > General Tab > Basic Tab 28-51 Add/Edit Tunnel Group > IPSec for LAN to LAN Access > IPSec Tab 28-53 Add/Edit Tunnel Group > WebVPN Access > General Tab > Basic Tab 28-55 Add/Edit Tunnel Group > WebVPN Tab > Basic Tab 28-56 Add/Edit Tunnel Group > WebVPN Access > WebVPN Tab > NetBIOS Servers Tab 28-57 Add/Edit Tunnel Group > WebVPN Access > WebVPN Tab > NetBIOS Servers Tab > Add/Edit NetBIOS Server 28-58 Add/Edit Tunnel Group > WebVPN Access > WebVPN Tab > Group Aliases and URLs Tab 28-58 Add/Edit Tunnel Group > WebVPN Access > WebVPN Tab > Web Page Tab 28-60 VPN System Options Easy VPN Remote28-61 28-61

Zone Labs Integrity Server28-63

Advanced Easy VPN Properties29

28-64

CHAPTER

WebVPN

29-1 29-1

WebVPN Security Precautions ACLs 29-2 Add ACL 29-3 Add/Edit ACE 29-3 APCF 29-4 Add/Edit APCF Profile Upload APCF package29-5

29-5

Auto Signon 29-6 Add/Edit Auto Signon Entry CSD Setup 29-8 Upload Image Cache29-11 29-9

29-7

Content Rewrite 29-12 Add/Edit Content Rewrite Rule Java Trustpoint Encoding29-13 29-13

29-12


xxi

Contents

Add\Edit Encoding

29-15

Port Forwarding 29-16 Add/Edit Port Forwarding List 29-17 Add/Edit Port Forwarding Entry 29-18 Proxies29-18

Proxy Bypass 29-19 Add/Edit Proxy Bypass Rule

29-20

SSL VPN Client 29-21 Add SSL VPN Client Image 29-22 Add SSL VPN Client Browse Flash Dialog 29-22 Add SSL VPN Client Upload Flash Dialog 29-23 Replace SSL VPN Client Image 29-23 Replace SSL VPN Client Upload Flash Dialog 29-24 SSO Servers 29-24 Add/Edit SSO Server Servers and URLs WebVPN Access29-27 29-27 29-26

Webpage Customization 29-29 Add/Edit Webpage Customization Object > Select Font 29-30 Add/Edit Webpage Customization Object > Select Foreground Color 29-30 Add/Edit Webpage Customization Object > Select Background Color 29-31 Add/Edit Webpage Customization Object > Page Title Tab 29-32 Add/Edit Webpage Customization Object > Page Title Tab > Upload Logo 29-33 Add/Edit Webpage Customization Object > Login Page Tab > Login Box Tab 29-33 Add/Edit Webpage Customization Object > Login Page Tab > Login Prompts Tab 29-35 Add/Edit Webpage Customization Object > Login Page Tab > Login Buttons Tab 29-36 Add/Edit Webpage Customization Object > Logout Page Tab 29-37 Add/Edit Webpage Customization Object > Home Page Tab > Border Color Tab 29-38 Add/Edit Webpage Customization Object > Home Page Tab > Web Applications Tab 29-39 Add/Edit Webpage Customization Object > Home Page Tab > Application Access Tab 29-40 Add/Edit Webpage Customization Object > Home Page Tab > Browse Network Tab 29-41 Add/Edit Webpage Customization Object > Home Page Tab > Web Bookmarks Tab 29-42 Add/Edit Webpage Customization Object > Home Page Tab > File Bookmarks Tab 29-43 Add/Edit Webpage Customization Object > Application Access Window Tab 29-44 Add/Edit Webpage Customization Object > Prompt Dialog Tab 29-45 Add/Edit Webpage Customization Object > Quick Style Configuration 29-4630

CHAPTER

WebVPN End User Set-up

30-1 30-1

Requiring Usernames and PasswordsASDM User Guide

xxii

OL-10106-01

Contents

Communicating Security Tips

30-2 30-2

Configuring Remote Systems to Use WebVPN Features Capturing WebVPN Data 30-7 Creating a Capture File 30-8 Using a Browser to Display Capture Data31

30-8

CHAPTER

E-Mail Proxy

31-1 31-1

Configuring E-Mail Proxy AAA 31-2 POP3S Tab 31-2 IMAP4S Tab 31-4 SMTPS Tab 31-5

Access 31-7 Edit E-Mail Proxy Access Authentication Default Servers Delimiters3231-10 31-8 31-9

31-8

CHAPTER

Configuring SSL Settings SSL32-1

32-1

Edit SSL Trustpoint33

32-3

CHAPTER

Configuring Certificates Authentication Enrollment33-2 33-3 33-1

33-1

Import Certificate

Key Pair 33-3 Add Key Pair 33-4 Key Pair Details 33-5 Manage Certificate Add Certificate33-5 33-6

Trustpoint 33-7 Configuration 33-7 Add/Edit Trustpoint Configuration > Enrollment Settings Tab 33-8 Add/Edit Key Pair 33-9 Certificate Parameters 33-10 Edit DN 33-10 Add/Edit Trustpoint Configuration > Revocation Check Tab 33-11ASDM User Guide OL-10106-01

xxiii

Contents

Add/Edit Trustpoint Configuration > CRL Retrieval Policy Tab 33-12 Add/Edit Static URL 33-12 Add/Edit Trustpoint Configuration > CRL Retrieval Method Tab 33-13 Add/Edit Trustpoint Configuration > OCSP Rules Tab 33-13 Add/Edit Trustpoint OCSP Rule dialog box 33-14 Add/Edit Trustpoint Configuration > Advanced Tab 33-15 Export 33-16 Import 33-17 Authenticating, Enrolling for, and Managing Digital Certificates 33-18 Summary of Configuration Steps 33-18 Generating the Key Pair 33-18 Enrolling for a Certificate Using Automatic Enrollment (SCEP) 33-19 Authenticating to the CA 33-20 Enrolling with the CA 33-20 Enrolling for a Certificate Using Manual Enrollment 33-20 Additional Steps for a Failover Configuration 33-21 Exporting the Certificate to a File or PKCS12 data 33-21 Importing the Certificate onto the Standby Device 33-22 Managing Certificates 33-2234

CHAPTER

CSD

34-1

CHAPTER

35

Configuring IPS

35-1

CHAPTER

36

Configuring Trend Micro Content Security

36-1

Managing the CSC SSM 36-1 About the CSC SSM 36-1 Getting Started with the CSC SSM 36-3 Determining What Traffic to Scan 36-5 CSC Setup 36-7 Activation/License 36-8 IP Configuration 36-9 Host/Notification Settings 36-10 Management Access Host/Networks Password 36-11 Wizard Setup 36-12 Summary 36-13 Web MailASDM User Guide

36-11

36-14 36-15

xxiv

OL-10106-01

Contents

Mail > SMTP Tab 36-16 Mail > POP3 Tab 36-17 File Transfer Updates36-18 36-18 36-19

Connecting to CSC/Content Security and Control Password37

CHAPTER

Monitoring System Log Messages Log Buffer37-1 37-1 37-3 37-3

37-1

Log Buffer Viewer

Real-time Log Viewer Real-time Log Viewer38

CHAPTER

Monitoring Trend Micro Content Security Threats38-1

38-1

Live Security Events 38-2 Live Security Events Viewer Software Updates38-3

38-2

Resource Graphs 38-4 CSC CPU 38-4 CSC Memory 38-539

CHAPTER

Monitoring Failover

39-1

Single Context Mode 39-1 Failover 39-1 Status 39-1 Graphs 39-4 Multiple Context Mode 39-5 System 39-6 Failover Group 1 and Failover Group 240

39-8

CHAPTER

Monitoring Interfaces ARP Table40-1

40-1

DHCP 40-2 DHCP Server Table 40-2 DHCP Client Lease Information DHCP Statistics 40-4 MAC Address Table40-5

40-2


xxv

Contents

Dynamic ACLs

40-5

Interface Graphs 40-6 Graph/Table 40-8 PPPoE Client40-9

interface connection 40-9 Track Status for 40-9 Monitoring Statistics for41

40-10

CHAPTER

Monitoring Routing OSPF LSAs Type 1 Type 2 Type 3 Type 4 Type 5 Type 7 Routes41-7 41-1 41-1 41-2 41-3 41-3 41-4 41-4

41-1

OSPF Neighbors

41-5

CHAPTER

42

Monitoring VPN

42-1

VPN Connection Graphs 42-1 IPSec Tunnels 42-1 Sessions 42-2 VPN Statistics 42-3 Sessions 42-3 Sessions Details 42-6 Sub-session Details NAC Details Encryption Statistics 42-10 NAC Session Summary 42-10 Protocol Statistics 42-11 Global IKE/IPSec Statistics 42-12 Crypto Statistics 42-12 Compression Statistics 42-13 Cluster Loads 42-14 WebVPN SSO Statistics 42-1443

42-8

CHAPTER

Monitoring Properties AAA Servers43-1

43-1

ASDM User Guide

xxvi

OL-10106-01

Contents

CRL

43-2

Connection Graphs 43-2 Xlates 43-2 Perfmon 43-3 DNS Cache43-4

Device Access 43-5 AAA Local Locked Out Users 43-5 Authenticated Users 43-6 HTTPS/ASDM Sessions 43-6 Secure Shell Sessions 43-7 Telnet Sessions 43-8 IP Audit43-8 43-11

System Resources Graphs Blocks 43-11 CPU 43-12 Memory 43-12INDEX


xxvii

Contents

ASDM User Guide

xxviii

OL-10106-01

PrefaceThe ASDM User Guide contains the information that is available in the ASDM online help system. This preface contains the following topics:

Related Documentation, page xxix Document Conventions, page xxix Obtaining Documentation, page xxx Documentation Feedback, page xxxi Cisco Product Security Overview, page xxxi Obtaining Technical Assistance, page xxxii Obtaining Additional Publications and Information, page xxxiv

Related DocumentationFor more information, refer to the following documentation:

Cisco ASDM Release Notes Cisco Security Appliance Command Line Configuration Guide Cisco Security Appliance Command Reference Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide Cisco ASA 5500 Series Release Notes Cisco Security Appliance Logging Configuration and System Log Messages

Document ConventionsCommand descriptions use these conventions:

Braces ({ }) indicate a required choice. Square brackets ([ ]) indicate optional elements. Vertical bars ( | ) separate alternative, mutually exclusive elements. Boldface indicates commands and keywords that are entered literally as shown. Italics indicate arguments for which you supply values.


xxix

Preface Obtaining Documentation

Examples use these conventions:

Examples depict screen displays and the command line in screen font. Information you need to enter in examples is shown in boldface screen font. Variables for which you must supply a value are shown in italic screen font.

Note

Means reader take note. Notes contain helpful suggestions or references to material not covered in the manual.

Obtaining DocumentationCisco documentation and additional literature are available on Cisco.com. Cisco also provides several ways to obtain technical assistance and other technical resources. These sections explain how to obtain technical information from Cisco Systems.

Cisco.comYou can access the most current Cisco documentation at this URL: http://www.cisco.com/techsupport You can access the Cisco website at this URL: http://www.cisco.com You can access international Cisco websites at this URL: http://www.cisco.com/public/countries_languages.shtml

Product Documentation DVDCisco documentation and additional literature are available in the Product Documentation DVD package, which may have shipped with your product. The Product Documentation DVD is updated regularly and may be more current than printed documentation. The Product Documentation DVD is a comprehensive library of technical product documentation on portable media. The DVD enables you to access multiple versions of hardware and software installation, configuration, and command guides for Cisco products and to view technical documentation in HTML. With the DVD, you have access to the same documentation that is found on the Cisco website without being connected to the Internet. Certain products also have .pdf versions of the documentation available. The Product Documentation DVD is available as a single unit or as a subscription. Registered Cisco.com users (Cisco direct customers) can order a Product Documentation DVD (product number DOC-DOCDVD=) from Cisco Marketplace at this URL: http://www.cisco.com/go/marketplace/

ASDM User Guide

xxx

OL-10106-01

Preface Documentation Feedback

Ordering DocumentationBeginning June 30, 2005, registered Cisco.com users may order Cisco documentation at the Product Documentation Store in the Cisco Marketplace at this URL: http://www.cisco.com/go/marketplace/ Nonregistered Cisco.com users can order technical documentation from 8:00 a.m. to 5:00 p.m. (0800 to 1700) PDT by calling 1 866 463-3487 in the United States and Canada, or elsewhere by calling 011 408 519-5055. You can also order documentation by e-mail at [email protected] or by fax at 1 408 519-5001 in the United States and Canada, or elsewhere at 011 408 519-5001.

Documentation FeedbackYou can rate and provide feedback about Cisco technical documents by completing the online feedback form that appears with the technical documents on Cisco.com. You can send comments about Cisco documentation to [email protected]. You can submit comments by using the response card (if present) behind the front cover of your document or by writing to the following address: Cisco Systems Attn: Customer Document Ordering 170 West Tasman Drive San Jose, CA 95134-9883 We appreciate your comments.

Cisco Product Security OverviewCisco provides a free online Security Vulnerability Policy portal at this URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html From this site, you can perform these tasks:

Report security vulnerabilities in Cisco products. Obtain assistance with security incidents that involve Cisco products. Register to receive security information from Cisco.

A current list of security advisories and notices for Cisco products is available at this URL: http://www.cisco.com/go/psirt If you prefer to see advisories and notices as they are updated in real time, you can access a Product Security Incident Response Team Really Simple Syndication (PSIRT RSS) feed from this URL: http://www.cisco.com/en/US/products/products_psirt_rss_feed.html


xxxi

Preface Obtaining Technical Assistance

Reporting Security Problems in Cisco ProductsCisco is committed to delivering secure products. We test our products internally before we release them, and we strive to correct all vulnerabilities quickly. If you think that you might have identified a vulnerability in a Cisco product, contact PSIRT:

Emergencies [email protected] An emergency is either a condition in which a system is under active attack or a condition for which a severe and urgent security vulnerability should be reported. All other conditions are considered nonemergencies.

Nonemergencies [email protected]

In an emergency, you can also reach PSIRT by telephone:

1 877 228-7302 1 408 525-6532

Tip

We encourage you to use Pretty Good Privacy (PGP) or a compatible product to encrypt any sensitive information that you send to Cisco. PSIRT can work from encrypted information that is compatible with PGP versions 2.x through 8.x. Never use a revoked or an expired encryption key. The correct public key to use in your correspondence with PSIRT is the one linked in the Contact Summary section of the Security Vulnerability Policy page at this URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html The link on this page has the current PGP key ID in use.

Obtaining Technical AssistanceCisco Technical Support provides 24-hour-a-day award-winning technical assistance. The Cisco Technical Support & Documentation website on Cisco.com features extensive online support resources. In addition, if you have a valid Cisco service contract, Cisco Technical Assistance Center (TAC) engineers provide telephone support. If you do not have a valid Cisco service contract, contact your reseller.

Cisco Technical Support & Documentation WebsiteThe Cisco Technical Support & Documentation website provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies. The website is available 24 hours a day, at this URL: http://www.cisco.com/techsupport Access to all tools on the Cisco Technical Support & Documentation website requires a Cisco.com user ID and password. If you have a valid service contract but do not have a user ID or password, you can register at this URL: http://tools.cisco.com/RPF/register/register.do

ASDM User Guide

xxxii

OL-10106-01

Preface Obtaining Technical Assistance

Note

Use the Cisco Product Identification (CPI) tool to locate your product serial number before submitting a web or phone request for service. You can access the CPI tool from the Cisco Technical Support & Documentation website by clicking the Tools & Resources link under Documentation & Tools. Choose Cisco Product Identification Tool from the Alphabetical Index drop-down list, or click the Cisco Product Identification Tool link under Alerts & RMAs. The CPI tool offers three search options: by product ID or model name; by tree view; or for certain products, by copying and pasting show command output. Search results show an illustration of your product with the serial number label location highlighted. Locate the serial number label on your product and record the information before placing a service call.

Submitting a Service RequestUsing the online TAC Service Request Tool is the fastest way to open S3 and S4 service requests. (S3 and S4 service requests are those in which your network is minimally impaired or for which you require product information.) After you describe your situation, the TAC Service Request Tool provides recommended solutions. If your issue is not resolved using the recommended resources, your service request is assigned to a Cisco engineer. The TAC Service Request Tool is located at this URL: http://www.cisco.com/techsupport/servicerequest For S1 or S2 service requests or if you do not have Internet access, contact the Cisco TAC by telephone. (S1 or S2 service requests are those in which your production network is down or severely degraded.) Cisco engineers are assigned immediately to S1 and S2 service requests to help keep your business operations running smoothly. To open a service request by telephone, use one of the following numbers: Asia-Pacific: +61 2 8446 7411 (Australia: 1 800 805 227) EMEA: +32 2 704 55 55 USA: 1 800 553-2447 For a complete list of Cisco TAC contacts, go to this URL: http://www.cisco.com/techsupport/contacts

Definitions of Service Request SeverityTo ensure that all service requests are reported in a standard format, Cisco has established severity definitions. Severity 1 (S1)Your network is down, or there is a critical impact to your business operations. You and Cisco will commit all necessary resources around the clock to resolve the situation. Severity 2 (S2)Operation of an existing network is severely degraded, or significant aspects of your business operation are negatively affected by inadequate performance of Cisco products. You and Cisco will commit full-time resources during normal business hours to resolve the situation. Severity 3 (S3)Operational performance of your network is impaired, but most business operations remain functional. You and Cisco will commit resources during normal business hours to restore service to satisfactory levels. Severity 4 (S4)You require information or assistance with Cisco product capabilities, installation, or configuration. There is little or no effect on your business operations.


xxxiii

Preface Obtaining Additional Publications and Information

Obtaining Additional Publications and InformationInformation about Cisco products, technologies, and network solutions is available from various online and printed sources.

Cisco Marketplace provides a variety of Cisco books, reference guides, documentation, and logo merchandise. Visit Cisco Marketplace, the company store, at this URL: http://www.cisco.com/go/marketplace/

Cisco Press publishes a wide range of general networking, training and certification titles. Both new and experienced users will benefit from these publications. For current Cisco Press titles and other information, go to Cisco Press at this URL: http://www.ciscopress.com Packet magazine is the Cisco Systems technical user magazine for maximizing Internet and networking investments. Each quarter, Packet delivers coverage of the latest industry trends, technology breakthroughs, and Cisco products and solutions, as well as network deployment and troubleshooting tips, configuration examples, customer case studies, certification and training information, and links to scores of in-depth online resources. You can access Packet magazine at this URL: http://www.cisco.com/packet

iQ Magazine is the quarterly publication from Cisco Systems designed to help growing companies learn how they can use technology to increase revenue, streamline their business, and expand services. The publication identifies the challenges facing these companies and the technologies to help solve them, using real-world case studies and business strategies to help readers make sound technology investment decisions. You can access iQ Magazine at this URL: http://www.cisco.com/go/iqmagazine or view the digital edition at this URL: http://ciscoiq.texterity.com/ciscoiq/sample/ Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering professionals involved in designing, developing, and operating public and private internets and intranets. You can access the Internet Protocol Journal at this URL: http://www.cisco.com/ipj

Networking products offered by Cisco Systems, as well as customer support services, can be obtained at this URL: http://www.cisco.com/en/US/products/index.html Networking Professionals Connection is an interactive website for networking professionals to share questions, suggestions, and information about networking products and technologies with Cisco experts and other networking professionals. Join a discussion at this URL: http://www.cisco.com/discuss/networking World-class networking training is available from Cisco. You can view current offerings at this URL: http://www.cisco.com/en/US/learning/index.html

ASDM User Guide

xxxiv

OL-10106-01

C H A P T E R

1

Welcome to ASDMWelcome to ASDM, a browser-based, Java applet used to configure and monitor the software on security appliances. ASDM is loaded from the security appliance, then used to configure, monitor, and manage the device. For more information about this release, see the following topics:

Important Notes New in This Release Unsupported Commands About the ASDM Window About the Help Window Home Page

Important Notes

CLI Command SupportWith a few exceptions, almost all CLI commands are fully supported by ASDM. For a list of commands ASDM does not support, see Unsupported Commands. Multiple ASDM SessionsASDM allows multiple PCs or workstations to each have one browser session open with the same security appliance software. A single security appliance can support up to 5 concurrent ASDM sessions in single, routed mode. Only one session per browser per PC or workstation is supported for a particular security appliance. In multiple context mode, five concurrent ASDM sessions are supported per context, up to a limit of 32 connections total per security appliance. Security Appliance ReleaseThis release of ASDM requires Version 7.1 and does not run with earlier security appliance releases. CaveatsUse the Bug Toolkit on cisco.com to view current caveat information. You can access Bug Toolkit at: http://www.cisco.com/cgi-bin/Support/Bugtool/launch_bugtool.pl

Changing OS Color SchemesIf you change the color scheme of your operating system while ASDM is running, you should restart ASDM or some ASDM screens might not display correctly.


1-1

Chapter 1 New in This Release

Welcome to ASDM

New in This ReleaseSee the following topics for more information about the new features in this release:

Enhanced and new inspection engines. See Service Policy Rules, page 21-1 and Global Objects, page 6-1. Sub-second failover and the High Availability and Scalability Wizard. See Failover, page 12-1. Packet Tracer. See Packet Tracer, page 1-11. Expanded VPN and EasyVPN support. See VPN, page 26-1. RIP routing enhancements. See RIP, page 14-22. Static Route Tracking/Dual ISP support. See Static Routes, page 14-29.

Unsupported CommandsASDM supports almost all commands available for the security appliance, but some commands in an existing configuration are ignored by ASDM. Most of these commands can remain in your configuration; see Show Commands Ignored by ASDM on Device for the ignored commands in your configuration. In the case of the alias command, ASDM enters into Monitor-only mode until you remove the command from your configuration. This section contains the following topics:

Ignored and View-Only Commands Effects of Unsupported Commands Other CLI Limitations

Ignored and View-Only CommandsThe following table lists commands that ASDM supports in the configuration when added by the CLI, but that cannot be added or edited in ASDM. If ASDM ignores the command, it does not appear in the ASDM GUI at all. If it is view-only, then the command appears in the GUI, but you cannot edit it. Unsupported Commands access-list asr-group capture dns-guard established failover timeout ipv6, any IPv6 addresses object-group icmp-type object-group network object-group protocol ASDM Behavior Ignored if not used. Ignored Ignored Ignored Ignored. Ignored. Ignored. View-only. Nested group is view-only. View-only.

ASDM User Guide

1-2

OL-10106-01

Chapter 1

Welcome to ASDM Unsupported Commands

Unsupported Commands object-group service pager pim accept-register route-map prefix-list route-map service-policy global

ASDM Behavior Nested group cannot be added. Ignored. Ignored. Only the list option can be configured using ASDM Ignored if not used in an OSPF area. Ignored. Ignored if it uses a match access-list class. For example:access-list myacl line 1 extended permit ip any any class-map mycm match access-list mycl policy-map mypm class mycm inspect ftp service-policy mypm global

sysopt nodnsalias sysopt uauth allow-http-cache terminal virtual

Ignored. Ignored. Ignored. Ignored.

Effects of Unsupported Commands

If ASDM loads an existing running configuration and finds IPv6-related commands, ASDM displays a dialog box informing you that it does not support IPv6. You cannot configure any IPv6 commands in ASDM, but all other configuration is available. If ASDM loads an existing running configuration and finds other unsupported commands, ASDM operation is unaffected. To view the unsupported commands, see Options > Show Commands Ignored by ASDM on Device. If ASDM loads an existing running configuration and finds the alias command, it enters Monitor-only mode. Monitor-only mode allows access to the following functions: The Monitoring area The CLI tool (Tools > Command Line Interface), which lets you use the CLI commands.

To exit Monitor-only mode, use the CLI tool or access the security appliance console, and remove the alias command. You can use outside NAT instead of the alias command. See the Cisco Security Appliance Command Reference for more information.

Note

You might also be in Monitor-only mode because your user account privilege level, indicated in the status bar at the bottom of the main ASDM window, was set up as less than or equal to 3 by your system administrator, which allows Monitor-only mode. For more information, see Configuration > Properties > Device Administration > User Accounts and Configuration > Device Access > AAA Access.


1-3

Chapter 1 About the ASDM Window

Welcome to ASDM

Other CLI LimitationsASDM does not support discontinuous subnet masks such as 255.255.0.255. For example, you cannot use the following:ip address inside 192.168.2.1 255.255.0.255

About the ASDM WindowThe ASDM Window is designed to provide easy access to the many features that the security appliance supports. The ASDM Window includes the following:

MenusProvides quick access to files, tools, options and help. ToolbarLets you navigate ASDM. From the toolbar you can access the home page, configuration, and monitoring panels. You can also search for features, save the configuration, get help and navigate back and forth between panels. The Home, Configuration, and Monitoring buttons each open a panel with a variety of useful tools. The home page offers much information at a glance. Configuration and monitoring offer a useful category tree along the left side of the frame, for access to more detailed configuration or monitoring information. Status BarShows the time, connection status, user, and privilege level.

MenusASDM includes the following menus:

File Menu Options Menu Tools Menu Wizards Menu Help Menu

File MenuThe File menu manages security appliance configurations, and includes the following items:

Refresh ASDM with the Running Configuration on the DeviceLoads a copy of the running configuration to ASDM. Use refresh to make sure ASDM has a current copy of the running configuration. Reset Device to the Factory Default ConfigurationRestores the configuration to the factory default. See Reset Device to the Factory Default Configuration dialog box for more information. Show Running Configuration in New WindowDisplays the current running configuration in a new window. Save Running Configuration to FlashWrites a copy of the running configuration to Flash memory. Save Running Configuration to TFTP ServerStores a copy of the current running configuration file on a TFTP server. See the Save Running Configuration to TFTP Server dialog box for more information.

ASDM User Guide

1-4

OL-10106-01

Chapter 1

Welcome to ASDM About the ASDM Window

Save Running Configuration to Standby UnitSends a copy of the running configuration file on the primary unit to the running configuration of a failover standby unit. Save Internal Log Buffer to FlashSaves the log buffer to flash memory. PrintPrints the current panel. We recommend landscape page orientation when printing rules. If ASDM is running in Netscape Communicator and the user has not yet granted print privileges to the Java applet, a security dialog appears requesting Print privileges. Click Grant to grant the applet printing privileges. When using Internet Explorer, permission to print is already granted when you originally accepted the signed applet. Clear ASDM CacheClears the local ASDM images. ASDM downloads an image locally when you connect to ASDM. Clear Internal Log BufferClears the system log message buffer. ExitExits ASDM.

Reset Device to the Factory Default ConfigurationThe default configuration includes the minimum commands required to connect to the security appliance using ASDM. This feature is available only for routed firewall mode; transparent mode does not support IP addresses for interfaces, and setting the interface IP address is one of the actions this feature takes. This feature is also only available in single context mode; a security appliance with a cleared configuration does not have any defined contexts to automatically configure using this feature. This feature clears the current running configuration and then configures several commands. The configured interface depends on your platform. For a platform with a dedicated management interface, the interface is named management. For other platforms, the configured interface is Ethernet 1 and named inside. The following commands apply to the dedicated management interface, Management 0/0 (for a platform without a dedicated management interface, the interface is Ethernet 1):interface management 0/0 ip address 192.168.1.1 255.255.255.0 nameif management security-level 100 no shutdown asdm logging informational 100 asdm history enable http server enable http 192.168.1.0 255.255.255.0 management dhcpd address 192.168.1.2-192.168.1.254 management dhcpd lease 3600 dhcpd ping_timeout 750 dhcpd enable management

If you set the IP address in this dialog box, then the http command uses the subnet you specify. Similarly, the dhcpd address command range consists of addresses within the subnet that you specify. After you restore the factory default configuration, save it to internal Flash memory using the File > Save Running Configuration to Flash item. This menu item saves the running configuration to the default location for the startup configuration, even if you previously configured the Boot Image/Configuration to set a different location; when the configuration was cleared, this path was also cleared.


1-5


Welcome to ASDM

Note

This command also clears the Add Boot Image configuration, if present, along with the rest of the configuration. The Add Boot Image pane lets you boot from a specific image, including an image on the external Flash memory card. The next time you reload the security appliance after restoring the factory configuration, it boots from the first image in internal Flash memory; if you do not have an image in internal Flash memory, the security appliance does not boot.Fields

Use this address for the Interface_ID interface which will be named as nameManually sets the IP address of the management interface, instead of using the default address, 192.168.1.1. For a platform with a dedicated management interface, the interface is named management. For other platforms, the configured interface is Ethernet 1 and named inside. Management IP AddressSets the management interface IP address. Management subnet maskSets the subnet mask of the interface. If you do not set a mask, the security appliance uses the mask appropriate for the IP address class.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Save Running Configuration to TFTP ServerFile > Save Running Configuration to TFTP Server > Save Running Configuration to TFTP Server This dialog box stores a copy of the current running configuration file on a TFTP server.Fields

TFTP Server IP AddressEnter the IP address of the TFTP server. Configuration File PathEnter path on the TFTP server where the file will be saved.

Modes


Security Context Multiple Context

Transparent Single

System

Enter Log File NameFile > Save Internal Log Buffer to Flash > Enter Log File Name

ASDM User Guide

1-6

OL-10106-01

Chapter 1


Saves the log buffer to flash memory.Fields

Use default file nameSaves the log buffer using LOG-YYYY-MM-DD-hhmmss.txt as the file name. Use user-specified file nameSaves the log buffer using a file name that you specify. Field NameEnter the file name for the saved log buffer.

Options MenuThe Options menu lets you set ASDM preferences.

Show Commands Ignored by ASDM on DeviceDisplays unsupported commands that have been ignored by ASDM. See the Show Commands Ignored by ASDM on Device dialog box for more information. PreferencesChanges the behavior of some ASDM functions between sessions using your web browser cookie feature. See the Preferences dialog box for more information.

Show Commands Ignored by ASDM on DeviceOptions > Show Commands Ignored by ASDM on Device > Show Commands Ignored by ASDM on Device Some commands are unsupported in ASDM. Typically, they are ignored when encountered by ASDM, and are displayed in the list of unparsed commands invoked by Show Commands Ignored by ASDM on Device. ASDM does not change or remove these commands from your configuration. See Unsupported Commands for more information.Modes



Transparent Single

System

PreferencesOptions > Preferences > Preferences The Preferences dialog box lets you change the behavior of some ASDM functions between sessions by using your web browser cookie feature.Fields

General tabSets general preferences. Preview commands before sending to the device check boxLets you view CLI commands

generated by ASDM.


1-7


Welcome to ASDM

Enable Large Fonts (Requires ASDM Restart) check boxIncreases the ASDM icon font size,

after closing ASDM and reconnecting. Not all fonts are affected. Confirm before exiting from ASDM check boxDisplays a prompt when you try to close

ASDM to confirm that you want to exit. This option is checked by default.

Rules Table tabSets preferences for the Rules Table. Diplsay settingsLets you change the way rules are displayed in the Rules Table.

Auto expand network and service object groups with specified prefixDisplays the network and service object groups automatically expanded based on the Auto Expand-Prefix. Auto Expand-PrefixSpecifies the prefix of the network and service object groups to automatically expand when displayed. Show members of network and service object groupsSelect to display members of network and service object groups and the group name in the rules table. If the check box is not selected, only the group name is displayed. Limit members toEnter the number of network and service object groups to display. When the object group members are displayed, then display only the first nn members. Show all actions for service policy rulesSelect to display all action in the rules table. When cleared, a summary is displayed. deploying changes to the rules table.

Deployment SettingsLets you configure the behavior the security appliance has when

Issue clear xlate command when deploying access listsCheck to clear the NAT table when deploying a new access lists. This ensures the access lists that are configured on the security appliance are applied to all translated addresses. Show filter panel by defaultDisplays the filter panel by default. Show rule diagram panel by defaultDisplays the rule diagram by default.

Applications Inspections tabSets Application Inspection map options. Prompt to add inspect map before applying changesEnables a prompt that reminds you the

inspection map has not yet been added. Make advanced view the default inspect viewSelect to make the advanced view the default

application inspection view.

Ask to make advanced view the default viewEnables a dialog box that asks to make the advanced view the default application inspection view. Clear to disable the prompt.

Syslog Color Settings tabSets the background and text colors for system log messages displayed on the Home page. Severity columnLists each severity level. Background Color columnShows the background color for messages for each severity level.

To change the color, click the appropriate row. The Pick a Color dialog box appears. Foreground Color columnShows the foreground (text) color for messages for each severity

level. To change the color, click the appropriate row. The Pick a Color dialog box appears. Restore Default buttonRestores the default settings of white background and colored text.

Note

Each time a preference is checked or unchecked, the change is written to the .conf file and becomes available for all the other ASDM sessions running on the workstation at the time. Restarting ASDM maintains your preferences.

ASDM User Guide

1-8

OL-10106-01

Chapter 1


Modes



Transparent Single

System

Tools MenuThe Tools menu provides you with troubleshooting tools on ASDM. Here you can upload new software to the ASDM, check connectivity, or issue commands at the command line.

Command Line InterfaceProvides a text-based tool for sending commands to the security appliance and viewing the results. See the Command Line Interface dialog box for more information. Packet TracerLets you trace a packet from a specified source address and interface to a destination. You can specify the protocol and port of any type of data and see the lifespan of a packet with detailed information about actions taken on it. See the Packet Tracer dialog box for more information. PingProvides a useful tool for verifying the configuration and operation of the security appliance and surrounding communications links, as well as basic testing of other network devices. See the Ping dialog box for more information. TracerouteLets you determine the route packets will take to their destination. See the Traceroute dialog box for more information. File ManagementLets you view, move, copy and delete files stored in Flash memory. You can also create a directory in Flash memory. See the File Management dialog box for more information. You can also bring up the File Transfer dialog box to transfer files between various file systems, including TFTP, Flash memory, and your local PC. Upload ASDM Assistant GuideLets you upload an XML file to Flash memory that contains information used in the ASDM Assistant. These files can be downloaded from Cisco.com. Upgrade SoftwareLets you choose a security appliance image, ASDM image, or other image file on your PC, and upload it to Flash memory. See the Upload Image from Local PC dialog box for more information. System ReloadLets you restart the system and reload the saved configuration into memory. See the System Reload dialog box for more information. ASDM Java ConsoleShows the Java console.

Command Line InterfaceTools > Command Line Interface > Command Line Interface The Command Line Interface dialog box provides a text-based tool for sending commands to the security appliance and viewing the results.

Note

Commands entered via the ASDM CLI tool might function differently from commands entered through a terminal connection to the security appliance.


1-9


Welcome to ASDM

Command ErrorsIf an error occurs because you entered an incorrect command, the offending command is skipped and the remaining commands are processed anyway. A message displays in the Response box to let you know what, if any, errors were encountered as well as other pertinent information.

Note

Refer to the Cisco Security Appliance Command Reference for a list of commands. With a few exceptions, almost all CLI commands are fully supported by ASDM.

Interactive CommandsInteractive commands are not supported in the Command Line Interface dialog box. To use these commands in ASDM, use the noconfirm keyword if available, as follows:crypto key generate rsa modulus 1024 noconfirm

Avoiding Conflicts with Other AdministratorsMultiple administrative users can update the running configuration of the security appliance. Before using the ASDM Command Line Interface tool to make configuration changes, check for other active administrative sessions. If more than one user is configuring the security appliance at the same time, the last changes take effect. (Click the Monitoring tab to view other administrative sessions that are currently active on the same security appliance.)

Viewing Configuration Changes in ASDMIf you change the configuration using the Command Line Interface tool, click the Refresh button to view the changes in ASDM.Prerequisites

The commands you can enter at the Command Line Interface tool depends on your user privileges. See the Authorization Tab. Review your privilege level in the status bar at the bottom of the main ASDM window to ensure you have privileges to execute privileged-level CLI commands.Fields

CommandSends commands to the security appliance. Single LineLets you enter single commands, one at a time. The most recent commands

entered are listed, or you can type a new command. Multiple LineLets you enter multiple command lines. Enable context sensitive help (?)Shows CLI help for a command if you enter a question mark

(?) after it. You do not need to press enter; the help displays as soon as you type a ?. Clearing this check box causes ASDM to escape the question mark character before sending it to the device, allowing you to enter the question mark as part of a text string without causing the command line help to display.

ResponseDisplays the results of the commands you entered in the command box. SendSends all commands to the security appliance. Clear ResponseClears all text displayed in the Response box.

ASDM User Guide

1-10

OL-10106-01

Chapter 1


Modes



Transparent Single

System

Packet TracerThe packet tracer tool provides packet tracing capabilities for packet sniffing and network fault isolation. The tool provides detailed information about the packets and how they are processed by the security appliance. In the instance that a command from the configuration did not cause the packet to drop, the packet tracer tool will provide information about the cause in an easily readable manner. For example if a packet was dropped because of an invalid header validation, a message is displayed that says, packet dropped due to bad ip header (reason). In addition to capturing packets, it is possible to trace the lifespan of a packet through the security appliance to see if it is behaving as expected. The packet tracer tool lets you do the following:

Debug all packet drops in production network. Verify the configuration is working as intended. Show all rules applicable to a packet along with the CLI lines which caused the rule addition. Show a time line of packet changes in a data path. Inject tracer packets into the data path.

Fields

InterfaceSpecifies the source interface for the packet trace. Packet typeSpecifies the protocol type for the packet trace. Available protocol types are icmp, rawip, tcp or udp. Source IPSpecifies the source address for the packet trace. Source PortSpecifies the source port for the packet trace. Destination IP Specifies the destination address for the packet trace. Destination PortSpecifies the destination port for the packet trace.

Start Starts the packet trace. ClearClears all fields. Show animationCheck to display graphically the packet trace. Information Display AreaDisplays detailed messages about the packet trace.

Modes

The following table shows the modes in which this feature is available:


1-11


Welcome to ASDM

Firewall Mode Routed


Transparent Single

System

PingTools > Ping > Ping The Ping dialog box provides a useful tool for verifying the configuration and operation of the security appliance and surrounding communications links, as well as basic testing of other network devices. A ping is the network equivalent of sonar for submarines. A ping is sent to an IP address and it returns an echo, or reply. This simple process enables network devices to discover, identify, and test each other. The Ping tool uses ICMP described in RFC-777 and RFC-792. ICMP defines an echo and echo reply transaction between two network devices, which has become known as a ping. The echo (request) packet is sent to the IP address of a network device. The receiving device reverses the source and destination address and sends the packet back as the echo reply.

Using the Ping ToolAdministrators can use the ASDM Ping tool as an interactive diagnostic aid in several ways, for example:

Loopback testing of two interfacesA ping may be initiated from one interface to another on the same security appliance, as an external loopback test to verify basic up status and operation of each interface. Pinging to an security appliance interfaceAn interface on another security appliance may be pinged by the Ping tool or another source to verify that it is up and responding. Pinging through an security appliancePing packets originating from the Ping tool may pass through an intermediate security appliance on their way to a device. The echo packets will also pass through two of its interfaces as they return. This procedure can be used to perform a basic test of the interfaces, operation, and response time of the intermediate unit. Pinging to test questionable operation of a network deviceA ping may be initiated from an security appliance interface to a network device that is suspected to be functioning improperly. If the interface is configured properly and an echo is not received, there may be problems with the device. Pinging to test intermediate communicationsA ping may be initiated from an security appliance interface to a network device which is known to be functioning properly and returning echo requests. If the echo is received, the proper operation of any intermediate devices and physical connectivity is confirmed.

Troubleshooting the Ping ToolWhen pings fail to receive an echo, it may be the result of a configuration or operational error in a security appliance, and not always due to NO response from the IP address being pinged. Before using the Ping tool to ping from, to or through an security appliance interface, verify the following: Basic Interface Checks

Verify that interfaces are configured properly in Configuration > Properties > Interfaces.

ASDM User Guide

1-12

OL-10106-01

Chapter 1


Verify that devices in the intermediate communications path, such as switches or routers, are properly delivering other types of network traffic. Make sure that traffic of other types from known good sources is being passed. Use Monitoring > Interface Graphs.

Pinging from an security appliance interface For basic testing of an interface, a ping may be initiated from an security appliance interface to a network device which, by other means, is known to be functioning properly and returning echoes via the intermediate communications path.

Verify receipt of the ping from the security appliance interface by the known good device. If it is not received, there may be a problem with the transmit hardware or configuration of the interface. If the security appliance interface is configured properly and it does not receive an echo from the known good device, there may be problems with the interface hardware receive function. If a different interface with known good receive capability can receive an echo after pinging the same known good device, the hardware receive problem of the first interface is confirmed.

Pinging to an security appliance interface When attempting to ping to an security appliance interface, verify that pinging response (ICMP echo reply), is enabled for that interface in the Configuration > Properties > Administration > ICMP panel. When pinging is disabled, the security appliance cannot be detected by other devices or software applications, and will not respond to the ASDM Ping tool. Pinging through the security appliance

First, verify that other types of network traffic from known good sources is being passed through through the security appliance. Use Monitoring > Interface Graphs, or an SNMP management station. To enable internal hosts to ping external hosts, ICMP access must be configured correctly for both the inside and outside interfaces in Configuration > Access Rules.

Fields

IP AddressThe destination IP address for the ICMP echo request packets.

Note

If a host name has been assigned in the Configuration>Hosts/Networks>Basic Information>Host Name panel, you can use the host name in place of the IP address. Interface(Optional). The security appliance interface that transmits the echo request packets is specified. If it is not specified, the security appliance checks the routing table to find the destination address and uses the required interface. Ping OutputThe result of the ping. When you click Ping, three attempts are made to ping the IP address, and three results display the following fields: Reply IP address/Device nameThe IP address of the device pinged or a device name, if

available. The name of the device, if assigned Hosts/Networks, may be displayed, even if NO response is the result. Response time/timeout (ms)When the ping is transmitted, a millisecond timer starts with a

specified maximum, or timeout value. This is useful for testing the relative response times of different routes or activity levels, for example. Example Ping Output:Sending 5, 100-byte ICMP Echos to out-pc, timeout is 2 seconds:


1-13


Welcome to ASDM

!!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

If the ping fails, the output is as follows:Sending 5, 100-byte ICMP Echos to 10.132.80.101, timeout is 2 seconds: ????? Success rate is 0 percent (0/5)

PingSends an ICMP echo request packet from the specified or default interface to the specified IP address and starts the response timer. Clear ScreenClears the output on the screen from previous ping command attempts.

Modes



Transparent Single

System

TracerouteThe Traceroute dialog box provides a useful tool to determine the route packets will take to their destination.Traceroute Output

The traceroute tool prints the result of each probe sent. Every line of output corresponds to a TTL value in increasing order. The following are the output symbols printed by the traceroute tool: Output Symbol * nn msec !N. !H !P !A ?Fields

Description No response was received for the probe within the timeout period. For each node, the round-trip time (in milliseconds) for the specified number of probes. ICMP network unreachablee. ICMP host unreachable. ICMP protocol unreachable. ICMP administratively prohibited. Unknown ICMP error.

Hostname or IP addressSpecifies the hostname of the host to which the route is traced. If the hostname is specified, define it with Configuration > Global Objects > IP Names, or configure a DNS server to enable traceroute to resolve the hostname to an IP address. TimeoutSpecifies the amount of time in seconds to wait for a response before the connection times out. The default is three seconds. PortSpecifies the destination port used by the UDP probe messages. The default is 33434. ProbeSpecifies the number of probes to be sent at each TTL level. The default count is 3.

ASDM User Guide

1-14

OL-10106-01

Chapter 1


Min & Max TTLSpecifies the minimum and maximum time to live values for the first probes. The minimum default is one, but it can be set to a higher value to suppress the display of known hops. The maximum default is 30. The tool terminates when the traceroute packet reaches the destination or when the maximum value is reached. Destination PortSpecifies the destination port used by the UDP probe messages. The default is 33434. Specify Source Interface or IP AddressSpecifies the source interface or IP address for the packet trace. This IP address must be the IP address of one of the interfaces. In transparent mode, it must be the management IP address of the security appliance. Reverse ResolveWhen checked, the output displays the names of hops encountered if name resolution is configured . If left unchecked, the output displays IP addresses. Use ICMPSpecifies the use of ICMP probe packets instead of UDP probe packets. Traceroute OutputDisplays detailed messages about the traceroute. TracerouteStarts the traceroute. ClearClears all fields.

Modes



Transparent Single

System

File ManagementTools > File Management > File Management Lets you view, move, copy and delete files stored on Flash memory. You can also create a directory in Flash memory. In multiple context mode, this tool is only available in the system.Fields

FoldersDisplays the folders available in disk. Flash SpaceShows the size of Flash and how much is available.

TotalShows the total size of Flash memory. AvailableShows how much memory is available.

FilesDisplays information about the files in the selected folder. PathShows the selected path Filename Size (bytes) Time Modified Status


1-15


Welcome to ASDM

ViewDisplays the selected file in your browser. CutCuts the selected file for pasting to another directory. CopyCopies the selected file for pasting to another directory. PastePastes the copied file to the selected destination. DeleteDeletes the selected file from Flash. RenameLets you rename the file. New DirectoryCreates a new directory for storing files. File TransferOpens the File Transfer dialog box.

Modes



Transparent Single

Upload Image from Local PCTools > Upgrade Software > Upload Image from Local PC The Upload Image from Local PC dialog box lets you choose a security appliance image file, ASDM image, or other images on your PC, and upload it to Flash memory.Fields

Image to uploadSelect which image type to upload. Local File PathEnter the path to the file on your PC. Browse LocalSelect to browse to the file on your PC.

Flash File System PathEnter the path to copy the file in Flash memory. Browse LocalSelect to browse to the directory or file in Flash memory.

Modes



Transparent Single

System

File TransferTools > File Management > File Management > File Transfer

ASDM User Guide

1-16

OL-10106-01

Chapter 1


File Transfer lets you copy files to and from your security appliance using HTTPS, TFTP, FTP or by browsing for a local image.Fields

Source FileSelect the source file to be transferred. Remote ServerSelect to transfer a file from a remote server.

PathEnter the path to the location of the file, including the IP address of the server. Port/TypeEnter the port number or type (if FTP) of the remote server. Valid FTP types are: apASCII files in passive mode. anASCII files in non-passive mode. ipBinary image files in passive mode. inBinary image files in non-passive mode. Flash File SystemSelect to copy the file from Flash memory.

PathEnter the path to the location of the file. Browse FlashSelect to browse to the file location on your security appliance where the file will be copied from. Local ComputerSelect to copy the file from the local PC.

PathEnter the path to the location of the file. Browse LocalhostBrowses the local PC for the file to be transferred.

Destination FileSelect the destination file to be transferred. Depending on the source destination, the Flash File System or the Remote Server will automatically be selected. Flash File SystemTransfers the file to Flash memory.

PathEnter the path to the location of the file. Browse FlashSelect to browse to the file location on your security appliance where the file will be transferred. Remote ServerTransfers a file to a remote server.

PathEnter the path to the location of the file. TypeFor FTP transfers, enter the type. Valid types are: apASCII files in passive mode. anASCII files in non-passive mode. ipBinary image files in passive mode. inBinary image files in non-passive mode.

Transfer FileStarts the file transfer.

Modes

The following table shows the modes in which this feature is available:


1-17


Welcome to ASDM

Firewall Mode Routed


Transparent Single

Upload ASDM Assistant GuideTools > Upload ASDM Assistant Guide Upload ASDM Assistant Gude lets you upload an XML file to flash that contains useful ASDM procedural help about certain tasks. You can obtain these files from Cisco.com. Once loaded the files are available in the Search field in the File Menu.Fields

File to uploadThe name of the XML file located on your computer, typically obtained from Cisco.com Flash File System PathThe path in the Flash memory where the XML file is loaded. Upload FileStarts the upload.

Modes



Transparent Single

System ReloadTools > System Reload > System Reload System Reload lets you restart the system and reload the saved configuration into memory. The System Reload dialog box lets you choose when the system should be reloaded, whether you should save the running configuration to Flash memory, and send a message to connected users at reload.Fields

Reload SchedulingLets you configure when the reload will take place. Configuration StateSelect whether to save the running configuration or not at reload.

Save the Running Configuration at Time of ReloadSelect to save the running configuration at reload. Reload Without Saving the Running ConfigurationSelect to discard configuration changes to the running configuration at reload.

Reload Start TimeLets you select the time of the reload. NowSelect to perform an immediate reload.

ASDM User Guide

1-18

OL-10106-01

Chapter 1


Delay byLets you delay the reload by a select amount of time. Enter the time to elapse before

the reload in ho

6729011-asdmp

Documents

Transcript of 6729011-asdmp