
Cisco ASA 5500 Configuration Guide

Document Version 0.9 (ASA 7.0.4 / ASDM 5.0.4)

ASA 5500 Series

Cisco ASA 5510 Adaptive Security Appliance
All-in-One Enterprise / SMB Head-End Security/VPN Gateway
- 64,000 sessions
- 200-Mbps firewall throughput
- 256-MB RAM
- 10 VLANs
- Active/Active failover
- 100-Mbps VPN
- 150 IPSec VPN peers
- SSL VPN
- SSM (IPS Service Module): 100-Mbps IPS

Cisco ASA 5520 Adaptive Security Appliance
All-in-One Enterprise / SMB Head-End Security/VPN Gateway
- 130,000 sessions
- 200-Mbps firewall throughput
- 512-MB RAM
- 10 virtual firewalls
- 25 VLANs
- Active/Active failover
- 200-Mbps VPN
- 750 IPSec VPN peers
- SSL VPN
- SSM (IPS Service Module): 100-Mbps IPS

Cisco ASA 5540 Adaptive Security Appliance
All-in-One Enterprise / SMB Head-End Security/VPN Gateway
- 280,000 sessions
- 400-Mbps firewall throughput
- 1024-MB RAM
- 50 virtual firewalls
- 50 VLANs
- Active/Active failover
- 360-Mbps VPN
- 5,000 IPSec VPN peers
- 2,500 SSL VPN connections
- SSM (IPS Service Module): 200-Mbps IPS

Cisco ASA 5510, 5520, 5540 Platforms

Key Platform Metrics

| Features | ASA 5510 (Base / Sec Plus) | ASA 5520 | ASA 5520 VPN Plus | ASA 5540 | ASA 5540 VPN Plus | ASA 5540 VPN Premium |
|---|---|---|---|---|---|---|
| Real World Firewall Throughput (300 / 1400 Byte) | 100 / 200 Mbps | 200 / 400 Mbps | 200 / 400 Mbps | 400 / 550 Mbps | 400 / 550 Mbps | 400 / 550 Mbps |
| Real World VPN Throughput (300 / 1400 Byte) | 50 / 100 Mbps | 100 / 200 Mbps | 100 / 200 Mbps | 200 / 360 Mbps | 200 / 360 Mbps | 200 / 360 Mbps |
| Real World IPS Throughput (500 Byte) | 100 Mbps with SSM-AIP 10 | 200 Mbps with SSM-AIP 20 | 200 Mbps with SSM-AIP 20 | 200 Mbps with SSM-AIP 20 | 200 Mbps with SSM-AIP 20 | 200 Mbps with SSM-AIP 20 |
| Maximum Connections | 32,000 / 64,000 | 130,000 | 130,000 | 280,000 | 280,000 | 280,000 |
| S2S and IPSec RA VPN Peers | 50 / 150 | 300 | 750 | 500 | 2,000 | 5,000 |
| SSL VPN Connections | Shared | Shared | Shared | Shared | Shared, up to 1,250 | Shared, up to 2,500 |
| VPN Clustering / Load Bal. | No | Yes | Yes | Yes | Yes | Yes |
| High Availability | None / A/S | A/A and A/S | A/A and A/S | A/A and A/S | A/A and A/S | A/A and A/S |
| Interfaces | 3 x 10/100 + OOB / 5 x 10/100 | 4 x 10/100/1000, 1 x 10/100 | 4 x 10/100/1000, 1 x 10/100 | 4 x 10/100/1000, 1 x 10/100 | 4 x 10/100/1000, 1 x 10/100 | 4 x 10/100/1000, 1 x 10/100 |
| Security Contexts | No | Up to 10 | Up to 10 | Up to 50 | Up to 50 | Up to 50 |
| VLANs Supported | 0 / 10 | 25 | 25 | 100 | 100 | 100 |
| Comparable PIX Model | PIX 515E R/DMZ | PIX 515E UR | PIX 515E UR | PIX 525+ | PIX 525+ | PIX 525+ |
| Comparable VPN3K Model | VPN 3005- | VPN 3005++ | VPN 3020 | VPN 3015 | VPN 3030 | VPN 3060 |

Real Traffic / Security Service Running / Logging Enable


ASA 5500 Intro

2004 Cisco Systems, Inc. All rights reserved.

What is the ASA 5500? Why Cisco ASA?

1. All-in-one security appliance: firewall, IPSec VPN, SSL VPN, IPS/IDS, Anti-x

2. Cisco PIX 7.0, VPN 4.7 and IPS 5.0 features in a single platform

3. Routing protocols, Multicast


Cisco Security ASA 5500
8

Why Cisco ASA? (continued)

4. Active/Active failover

5.

6. Application-level security: application inspection and IPS


9

10

CLI setup dialog
Pre-configure Firewall now through interactive prompts [yes]?
Firewall Mode [Routed]:
  (Routed mode = Layer 3, with NAT between networks; Transparent mode = Layer 2 bridge)
Enable password [<use current password>]: cisco
Allow password recovery [yes]?
Clock (UTC):
Year [2005]:
Month [Nov]:
Day [2]:
Time [01:14:54]: 17:48:00
  (system clock)
Inside IP address: 192.168.1.1
Inside network mask: 255.255.255.0
Host name: ASA
  (inside IP address and host name)
Use this configuration and write to flash? Yes
  (saves the setup configuration)

Setup configures the inside interface (GigabitEthernet0/1) so that ASDM can be reached on it


11


Inside Interface or Management Interface

Management interface: Management0/0 is an out-of-band management port and can also serve as the failover link.
GigabitEthernet0/0 through 0/3 are the traffic interfaces (inside, outside, DMZ) and can also carry failover.
The Console and Aux ports are for local console access.

Management interface configuration
interface Management0/0
 no shutdown
 description Interface for Management
 nameif Mgmt-Interface
 management-only
 ip address 1.1.1.1 255.255.255.0
! management-only: the interface accepts management traffic only, no through traffic
! ip address: management IP address

12


Inside Interface or Management Interface

Outside interface
interface GigabitEthernet0/0
 no shutdown
 nameif outside
 security-level 0
 ip address 10.10.10.1 255.255.255.0
! nameif outside: the Internet-facing interface
! security-level 0: the lowest trust level

Inside interfaces
interface GigabitEthernet0/1
 no shutdown
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface GigabitEthernet0/2
 no shutdown
 description interface for LAN
 nameif inside-2
 security-level 100
 ip address 20.20.20.1 255.255.255.0
! security-level ranges from 0 to 100; 100 is the most trusted (internal network)

Same security level
same-security-traffic permit inter-interface
! Permits traffic between interfaces that have the same security level (here inside and inside-2)
13


ASA Firmware and ASDM Loading
Upload the ASA firmware
ASA# copy ftp://anonymous@192.168.1.10/asa704-k8.bin disk0:

Upload the ASDM image
ASA# copy ftp://anonymous@192.168.1.10/asdm504.bin disk0:

Set the boot image and verify it
ASA(config)# boot system disk0:/asa704-k8.bin
ASA# sh bootvar
Current BOOT variable = disk0:/asa704-k8.bin

Contents of disk0:
ASA# dir
Directory of disk0:/
2706  -rw-  1589     00:06:14 Oct 10 2005  old_running.cfg
2707  -rw-  1009     00:06:14 Oct 10 2005  admin.cfg
2709  -rw-  1318     15:17:08 Jul 25 2005  c-a.cfg
2711  -rw-  2167     00:30:14 Oct 16 2005  logo.gif
2712  -rw-  5437440  19:07:04 Nov 02 2005  asa704-k8.bin
4040  -rw-  5958324  19:08:22 Nov 02 2005  asdm504.bin

14


ASDM / Telnet
Enable ASDM
ASA(config)# http server enable
! Enable the HTTPS web service
ASA(config)# http 192.168.0.0 255.255.0.0 inside
! Network allowed to reach ASDM through the inside interface
ASA(config)# asdm image disk0:/asdm504.bin
! Path of the ASDM image

Enable Telnet
ASA(config)# telnet 0.0.0.0 0.0.0.0 inside
! Network allowed to telnet to the inside interface

Allow ICMP to the inside interface for connectivity checks
ASA(config)# icmp permit any inside
! Ping test against the inside interface

15

ASDM

16

ASDM
Access ASDM over HTTPS:
1. Browse to https://ipaddress
2. Accept the SSL certificate (Yes)
3. Enter the ID and password

17

ASDM
ASDM 5.0 Launcher install: ASDM can run either as a Java applet served by the ASA or as the ASDM Launcher installed on the local PC.

18

ASDM
Local PC ASDM Launcher: choose "Download ASDM Launcher and Start ASDM" to install the launcher on the local PC.

19

ASDM
Install the ASDM Launcher on the local PC.

20

ASDM
ASDM Launcher: enter the ASA 5500 IP address, ID and password.

21

ASDM
ASDM Main Menu shows:
1. ASA 5500 license
2. ASA interfaces
3. VPN
4. Connections and inside traffic
5. CPU/memory
and the ASDM syslog messages.
22

ASDM
Firewall

23

ASDM
Launch Startup Wizard from ASDM.

24

ASDM
Startup Wizard step 1: configuration type and inside interface IP.

25

ASDM
Step 2: ASA host name and password.

26

ASDM
Step 3: outside interface (the interface carrying Internet traffic) and its IP address.

27

ASDM
Step 4: remaining interfaces.

28

ASDM
Step 5: DHCP server: DHCP IP range; DHCP service options (DNS, WINS, domain) and lease time.

29

ASDM
Step 6: NAT/PAT: a NAT IP pool, or PAT using a single IP address or the interface address.

30

ASDM
Step 7: management access for Web (ASDM) and Telnet, by IP address type.

31

ASDM
Step 8

32

ASDM
Config

33

Interface

34

ASDM Interface
Interfaces are configured under Configuration > Features > Interfaces: each interface gets a name, security level and IP address, and traffic between interfaces of the same security level is enabled here.

35

ASDM Interface
Management interface: select the Mgmt interface, set the interface name, security level (0 ~ 100), IP address, and the hardware properties (duplex, speed).

36

ASDM Interface
Outside interface: interface name outside, security level 0, IP address, and the hardware properties (duplex, speed).

37

ASDM Interface
Inside interface: interface name inside, security level 100, IP address, and the hardware properties (duplex, speed).

38

ASDM Interface
Interface CLI commands: ASDM shows the CLI commands it generates for the interface settings.

39

NAT/PAT

40

NAT/PAT I
NAT + Real IP (topology)
- Inside network 192.168.1.x (host 192.168.1.10) behind inside 192.168.1.1
- Inside-2 network 20.20.20.x (host 20.20.20.10) behind inside-2 20.20.20.1
- Outside 10.10.10.1, global pool 10.10.10.64 ~ 127, outside host 10.10.10.10

1. NAT: 192.168.1.x IP addresses are translated to 10.10.10.65 ~ 127 IP addresses.
2. Real IP: 20.20.20.x IP addresses are sent to the outside without NAT.

41

NAT/PAT I
Translation Rule: add a NAT rule under Configuration > Features > NAT > Translation Rules.

42

NAT/PAT I
Translation Rule (NAT): Add, then Browse to select the source host/network to translate; under Manage Pools create the global IP address pool.
43

NAT/PAT I
Translation Rule (IP pool): the pool can be a range of IP addresses, or PAT using the interface address or a single IP address.

44

NAT/PAT I
Translation Exemption Rule (No NAT): add under Configuration > Features > NAT > Translation Exemption Rules.

45

NAT/PAT I
Translation Exemption Rule (NAT exempt): select the interface and the host/network whose outbound traffic is exempt from NAT.

46

NAT/PAT I
CLI NAT
Inside interface: the 192.168.1.x network is translated to 10.10.10.65 ~ 10.10.10.126 when it goes to the outside.
global (outside) 1 10.10.10.65-10.10.10.126 netmask 255.255.255.192
nat (inside) 1 192.168.1.0 255.255.255.0

Inside-2 interface: the 20.20.20.x network goes to the outside with its real IP address (no NAT).
access-list inside-2_nat0_outbound line 1 remark No-NAT for Inside-2 to Outside
! ACL description
access-list inside-2_nat0_outbound line 2 extended permit ip 20.20.20.0 255.255.255.0 any
! ACL matching the traffic to exempt
nat (inside-2) 0 access-list inside-2_nat0_outbound
! nat (interface) 0 access-list: NAT exemption (No-NAT) for traffic matched by the ACL

Translation Table Monitoring
ASA# sh xlate
1 in use, 1 most used
Global 10.10.10.65 Local whchoi
! whchoi (192.168.1.10) is translated to 10.10.10.65
47

NAT/PAT II
Port Redirection (NAT + Real IP) topology
- Telnet server 192.168.3.1 (inside, behind 192.168.1.1), published as 10.10.10.200 telnet
- FTP server 192.168.3.33 (inside), published as 10.10.10.201 ftp
- Outside 10.10.10.1

Port Redirection (proxy-style forwarding)
1. A public IP address and port are mapped to an internal server.
2. Redirection can also change the port, e.g. public IP port 80 to internal IP port 8080.

48

NAT/PAT II
Port Redirection: add a Port Redirection Rule; the rule then appears in the rule list.

49

NAT/PAT II
Port Redirection rule: set the NAT source address (interface and real IP), then the redirected IP address and service port.

50

NAT/PAT II
Port Redirection
1. NAT translation for the server: limit the maximum number of TCP and UDP connections.
2. TCP 3-way handshake, half-open (embryonic) connections: limiting embryonic connections protects the server from SYN flooding attacks.

51

NAT/PAT II
CLI Port Redirection
Inside interface: the 192.168.3.x network is translated to 10.10.10.65 ~ 10.10.10.126 when it goes to the outside.
global (outside) 1 10.10.10.65-10.10.10.126 netmask 255.255.255.192
nat (inside) 1 192.168.3.0 255.255.255.0

Inside-2 interface: the 20.20.20.x network goes to the outside with its real IP address.

static (inside,outside) tcp 10.10.10.200 telnet 192.168.3.1 telnet netmask 255.255.255.255
! 10.10.10.200 Telnet is translated to 192.168.3.1 Telnet
static (inside,outside) tcp 10.10.10.201 ftp 192.168.3.33 ftp netmask 255.255.255.255
! 10.10.10.201 FTP is translated to 192.168.3.33 FTP

Optional ACLs (the redirected ports still have to be permitted inbound on outside)
access-list inside extended permit ip any any
access-list outside-redirection extended permit tcp any host 10.10.10.200 eq telnet
access-list outside-redirection extended permit tcp any host 10.10.10.201 eq ftp
! Apply with: access-group outside-redirection in interface outside
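The following added example (not code from the original guide) works through the NAT/PAT I and II CLI pages above: it parses the nat/global pair, the nat 0 access-list exemption and the static port redirections, and answers how a given packet is translated. It parses only the command forms used on these pages; the precedence it applies (exemption first, then dynamic NAT) is the ASA's.

```python
# Added example, not from the original guide: resolve how the nat/global,
# nat 0 access-list and static commands translate a given packet.
import ipaddress

# Constructed from the NAT/PAT I and II CLI pages ("line N" keywords omitted).
CONFIG = """\
global (outside) 1 10.10.10.65-10.10.10.126 netmask 255.255.255.192
nat (inside) 1 192.168.3.0 255.255.255.0
access-list inside-2_nat0_outbound extended permit ip 20.20.20.0 255.255.255.0 any
nat (inside-2) 0 access-list inside-2_nat0_outbound
static (inside,outside) tcp 10.10.10.200 telnet 192.168.3.1 telnet netmask 255.255.255.255
static (inside,outside) tcp 10.10.10.201 ftp 192.168.3.33 ftp netmask 255.255.255.255
"""

SERVICES = {"telnet": 23, "ftp": 21, "http": 80}

def port(token):
    return SERVICES.get(token) or int(token)

def parse(config):
    rules = {"nat": [], "global": {}, "exempt": [], "acl": {}, "static": []}
    for line in config.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "global":                            # global (if) id lo-hi netmask m
            rules["global"][(t[1].strip("()"), t[2])] = t[3]
        elif t[0] == "nat" and t[3] == "access-list":   # nat (if) 0 access-list name
            rules["exempt"].append((t[1].strip("()"), t[4]))
        elif t[0] == "nat":                             # nat (if) id net mask
            net = ipaddress.ip_network(f"{t[3]}/{t[4]}")
            rules["nat"].append((t[1].strip("()"), t[2], net))
        elif t[0] == "access-list":                     # ... permit ip net mask any
            net = ipaddress.ip_network(f"{t[5]}/{t[6]}")
            rules["acl"].setdefault(t[1], []).append(net)
        elif t[0] == "static":                          # static (in,out) tcp gip gport lip lport
            rules["static"].append((t[3], port(t[4]), t[5], port(t[6])))
    return rules

def outbound(rules, ifname, src_ip):
    """Translation applied to a packet entering ifname with source src_ip."""
    src = ipaddress.ip_address(src_ip)
    # NAT exemption (nat 0 access-list) is evaluated before dynamic NAT.
    for exempt_if, acl in rules["exempt"]:
        if exempt_if == ifname and any(src in n for n in rules["acl"].get(acl, [])):
            return ("exempt", src_ip)
    for nat_if, nat_id, net in rules["nat"]:
        if nat_if == ifname and src in net:
            return ("dynamic", rules["global"][("outside", nat_id)])
    return None                                         # no rule: no translation available

def inbound(rules, dst_ip, dst_port):
    """Real server behind a published address:port, from the static entries."""
    for gip, gport, lip, lport in rules["static"]:
        if gip == dst_ip and gport == dst_port:
            return (lip, lport)
    return None
```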

52

NAT/PAT II
CLI Port Redirection
Translation monitoring

ASA-1# sh xlate
PAT Global 10.10.10.200(23) Local 192.168.3.1(23)
PAT Global 10.10.10.201(21) Local 192.168.3.33(21)
! PAT: 10.10.10.200 Telnet is redirected to 192.168.3.1, 10.10.10.201 FTP is redirected to 192.168.3.33
ASA-1# sh conn
TCP out 100.100.100.100:5001 in 192.168.3.33:20 idle 0:00:07 bytes 0 flags saA
TCP out 100.100.100.100:1257 in 192.168.3.33:21 idle 0:00:16 bytes 277 flags UIOB
TCP out 100.100.100.100:1261 in 192.168.3.1:23 idle 0:00:02 bytes 91 flags UIOB
! Active connections through the redirections

Flags
A - awaiting inside ACK to SYN, a - awaiting outside ACK to SYN,
B - initial SYN from outside, C - CTIQBE media, D - DNS, d - dump,
E - outside back connection, F - outside FIN, f - inside FIN,
G - group, g - MGCP, H - H.323, h - H.225.0, I - inbound data,
i - incomplete, J - GTP, j - GTP data, k - Skinny media,
M - SMTP data, m - SIP media, O - outbound data, P - inside back connection,
q - SQL*Net data, R - outside acknowledged FIN,
R - UDP SUNRPC, r - inside acknowledged FIN, S - awaiting inside SYN,
s - awaiting outside SYN, T - SIP, t - SIP transient, U - up
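As an added example (not code from the original guide), the parser below reads show conn lines like the ones above, decodes the flag letters from the legend, and counts half-open (embryonic) TCP connections per inside server, which is the condition the embryonic-connection limit on the static command bounds. The sample lines and the limit value are constructed for the example.

```python
# Added example, not from the original guide: parse "show conn" output,
# decode connection flags and spot half-open (embryonic) connections.
import re

# Flag letters as listed in the legend printed by show conn.
FLAGS = {
    "A": "awaiting inside ACK to SYN", "a": "awaiting outside ACK to SYN",
    "B": "initial SYN from outside", "S": "awaiting inside SYN",
    "s": "awaiting outside SYN", "U": "up", "I": "inbound data",
    "O": "outbound data", "F": "outside FIN", "f": "inside FIN",
}

# Constructed sample: the three lines from the slide plus two extra
# half-open connections to the telnet server.
SAMPLE = """\
TCP out 100.100.100.100:5001 in 192.168.3.33:20 idle 0:00:07 bytes 0 flags saA
TCP out 100.100.100.100:1257 in 192.168.3.33:21 idle 0:00:16 bytes 277 flags UIOB
TCP out 100.100.100.100:1261 in 192.168.3.1:23 idle 0:00:02 bytes 91 flags UIOB
TCP out 100.100.100.101:40001 in 192.168.3.1:23 idle 0:00:01 bytes 0 flags aB
TCP out 100.100.100.102:40002 in 192.168.3.1:23 idle 0:00:01 bytes 0 flags aB
"""

CONN = re.compile(
    r"^(?P<proto>TCP|UDP) out (?P<out_ip>[\d.]+):(?P<out_port>\d+)"
    r" in (?P<in_ip>[\d.]+):(?P<in_port>\d+)"
    r" idle (?P<idle>\S+) bytes (?P<bytes>\d+) flags (?P<flags>\S+)$"
)

def parse_conns(text):
    """Return one dict per connection line; lines that do not match are skipped."""
    conns = []
    for line in text.splitlines():
        m = CONN.match(line.strip())
        if not m:
            continue
        c = m.groupdict()
        for key in ("in_port", "out_port", "bytes"):
            c[key] = int(c[key])
        c["meaning"] = [FLAGS.get(ch, "?") for ch in c["flags"]]
        # Embryonic: handshake not completed (no "U") and a SYN or its ACK
        # is still outstanding on one side.
        c["embryonic"] = "U" not in c["flags"] and any(ch in "aAsS" for ch in c["flags"])
        conns.append(c)
    return conns

def embryonic_per_server(conns):
    """Half-open TCP connections per inside ip:port, a SYN-flood indicator."""
    counts = {}
    for c in conns:
        if c["proto"] == "TCP" and c["embryonic"]:
            key = f"{c['in_ip']}:{c['in_port']}"
            counts[key] = counts.get(key, 0) + 1
    return counts

def over_limit(conns, limit):
    """Servers whose half-open count has reached the configured embryonic limit."""
    return sorted(k for k, n in embryonic_per_server(conns).items() if n >= limit)
```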

53

Filtering
Access-list

54

Filtering
Security Policy main menu: access rules are configured under Configuration > Features > Security Policy > Access Rules (service policy rules are configured from the same menu).

55

Filtering
Add Access Rule
1. Action: Select an Action (permit/deny) and Apply to Traffic (inbound/outbound on an interface)
2. Syslog and Time Range: log ACL hits to syslog; optionally bind a time range to the ACL
3. Source/Destination: source and destination host or network
Rule Flow Diagram: shows items 1, 2 and 3 as a flow
Protocol and Service: select the protocol and service port, or use Manage Service Groups

56

Filtering
Manage Service Group
1. Manage Groups: a service group collects service ports
- TCP-UDP: a TCP/UDP port range
2. ADD: enter the Service Group Name, e.g. HTTP-Port or FTP-Port
3. Add Service Range: add a single service port or a port range to the group, or pick a well-known service port

57

Filtering
Manage Service Group

58

Filtering
Time Range Filtering: create a named time range and reference it from the ACL, so the ACL is only active during that time.

59

Filtering
Time Range Filtering
1. Absolute: the ACL is active from a start date/time to an end date/time (start ~ end).
2. Periodic: the ACL is active on recurring days and hours.
3. Both can be combined in one time range.

60

Filtering
Hosts and networks used in rules are defined under Configuration > Building Blocks > Hosts/Networks.

61

Filtering
Hosts/Networks: a host or network on the outside, and its NAT (dynamic or static), are defined under Configuration > Building Blocks > Hosts/Networks.

62

Filtering
Add Host: add a host or network with its name and address.

63

Filtering
CLI ACL
Host names
name 192.168.1.10 whchoi description whchoi's PC
name 192.168.3.33 whchoi-33 description whchoi's Notebook
name 192.168.3.34 whchoi-34 description whchoi's Desktop

Service object group
object-group service FTP tcp-udp
 port-object range 20 21

Network object group
object-group network whchoi-group
 description whchoi-group
 network-object whchoi-33 255.255.255.255
 network-object 192.168.3.1 255.255.255.255
 network-object whchoi-34 255.255.255.255

Time range used by the ACL
time-range TFTP-Time
 absolute start 04:59 30 November 2005 end 04:59 02 December 2005
 periodic weekdays 8:00 to 20:00

ACL
access-list outside_access_in extended permit udp any host whchoi eq tftp time-range TFTP-Time
access-list outside_access_in extended permit tcp any host whchoi object-group FTP
access-list outside_access_in extended deny ip any any log
! Apply with: access-group outside_access_in in interface outside
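The added example below (not code from the original guide) evaluates the ACL above against a packet at a given time, carrying the time-range semantics through: the periodic entry only applies inside the absolute window, and an ACL ends in an implicit deny. The names, object-group, time-range and ACEs are the ones from the CLI page; the parser handles only the ACE forms used there ("any" source, "host NAME" or "any" destination), and treating the end minute of "to" as inclusive is an assumption.

```python
# Added example, not from the original guide: evaluate the time-range ACL.
from datetime import datetime

NAMES = {"whchoi": "192.168.1.10"}             # name 192.168.1.10 whchoi
GROUPS = {"FTP": range(20, 22)}                 # port-object range 20 21
SERVICES = {"tftp": 69, "ftp": 21, "telnet": 23}
DAYS = {"weekdays": {0, 1, 2, 3, 4}, "weekend": {5, 6}, "daily": set(range(7))}

TIME_RANGES = {"TFTP-Time": [
    "absolute start 04:59 30 November 2005 end 04:59 02 December 2005",
    "periodic weekdays 8:00 to 20:00",
]}
ACL = [
    "access-list outside_access_in extended permit udp any host whchoi eq tftp time-range TFTP-Time",
    "access-list outside_access_in extended permit tcp any host whchoi object-group FTP",
    "access-list outside_access_in extended deny ip any any log",
]

def minutes(hhmm):
    h, m = hhmm.split(":")
    return int(h) * 60 + int(m)

def time_range_active(lines, when):
    """Periodic entries count only inside the absolute window, as on the ASA."""
    periodic, in_window = [], True
    for line in lines:
        t = line.split()
        if t[0] == "absolute":                    # absolute start HH:MM D Month YYYY end ...
            fmt = "%H:%M %d %B %Y"
            start = datetime.strptime(" ".join(t[2:6]), fmt)
            end = datetime.strptime(" ".join(t[7:11]), fmt)
            in_window = start <= when <= end
        elif t[0] == "periodic":                  # periodic <days> HH:MM to HH:MM
            periodic.append((DAYS[t[1]], minutes(t[2]), minutes(t[4])))
    if not in_window:
        return False
    now = when.hour * 60 + when.minute
    # End minute treated as inclusive (assumption about the "to" keyword).
    return not periodic or any(when.weekday() in d and a <= now <= b for d, a, b in periodic)

def ports_of(tokens):
    """Ports matched by the service part of an ACE; None means any port."""
    if "eq" in tokens:
        p = tokens[tokens.index("eq") + 1]
        return {SERVICES.get(p) or int(p)}
    if "object-group" in tokens:
        return set(GROUPS[tokens[tokens.index("object-group") + 1]])
    return None

def evaluate(acl, proto, dst_ip, dst_port, when):
    """First matching ACE decides; every ACL ends with an implicit deny."""
    for line in acl:
        t = line.split()
        action, ace_proto, rest = t[3], t[4], t[5:]   # rest: src dst [service] [time-range N] [log]
        if ace_proto not in (proto, "ip"):
            continue
        if rest[1] == "host" and NAMES.get(rest[2], rest[2]) != dst_ip:
            continue
        ports = ports_of(rest)
        if ports is not None and dst_port not in ports:
            continue
        if "time-range" in rest:
            name = rest[rest.index("time-range") + 1]
            if not time_range_active(TIME_RANGES[name], when):
                continue
        return action
    return "deny"
```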

64

ASA 5500 Device

65

Device Administration

Device              Host name and domain name
Password            Enable and Telnet passwords
AAA Access          AAA for device access
User Account        Local user accounts
Banner              Login banner
Console             Console idle timeout
ASDM/HTTPS          ASDM/HTTPS access
Telnet              Telnet service
Secure Copy         SCP
Secure Shell        SSH
Management Access   Management access
SMTP                Event e-mail
ICMP Rules          ICMP to/from the appliance
TFTP Server         TFTP server configuration
Clock               ASA clock
NTP                 NTP for the ASA
Boot Image/Config   Boot image and ASDM path
FTP Mode            Passive FTP
Certificate         Certificates

66

Device Administration
Device: ASA host name and domain name. Password: enable password and Telnet password.

67

Device Administration
AAA

Privileged

Service type

68

Device Administration
User Account
Local user DB: local accounts are used for device login and also for IPSec client VPN and WebVPN users.

69

Device Administration
Banner

70

Device Administration
ASDM/HTTPS: hosts/networks and the interface allowed to use ASDM; enable the HTTP server daemon.

71

Device Administration
Telnet: hosts/networks and the interface allowed to telnet; Telnet session timeout.

72

Device Administration
SSH: SSH version and timeout; hosts/networks and the interface allowed to SSH.

73

Device Administration
SNMP

74

Device Administration
ICMP Rule: per-interface ICMP rules (permit/deny) for hosts/networks reaching the inside and outside interfaces.

75

Device Administration

Time Zone GMT +09:00 Seoul

76

Device Administration
Boot Image ASDM Image

Boot Image

ASDM Image

77

Device Administration
CLI Device Administration
Device host name and domain name
hostname ASA-1
domain-name cisco.com

Passwords
enable password cisco
! Enable password
passwd cisco encrypted
! Telnet password

Username
username cisco password cisco encrypted privilege 2
clear config username cisco
! Removes the user

Console timeout
console timeout 30

ASDM/HTTP
http 1.1.1.0 255.255.255.0 Mgmt-Interface
http 192.168.1.11 255.255.255.255 inside

Telnet
telnet 0.0.0.0 0.0.0.0 outside
telnet 1.1.1.0 255.255.255.0 Mgmt-Interface
telnet 0.0.0.0 0.0.0.0 inside

78

Device Administration
CLI Device Administration
SMTP server
smtp-server 192.168.3.55

SNMP
snmp-server host inside 192.168.1.10 community public version 2c

ICMP
icmp permit 0.0.0.0 0.0.0.0 outside
icmp permit 0.0.0.0 0.0.0.0 inside

Clock and time zone
clock timezone KST 9 0
clock set 18:22:58 NOV 9 2005

NTP
ntp server 192.168.3.1 source inside

Boot image
boot system disk0:/asa704-k8.bin
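As an added example (not code from the original guide), the audit below reads the device-administration commands from the two CLI pages above and reports the management-plane settings a reviewer would question before the unit faces the Internet: cleartext Telnet on an untrusted interface, access open to any source, default passwords, default SNMP community with v2c, and ICMP to the appliance from anywhere. The severities and the set of untrusted interfaces are assumptions made for the example.

```python
# Added example, not from the original guide: audit management-access commands.
import ipaddress

# Constructed from the two CLI Device Administration pages.
CONFIG = """\
hostname ASA-1
enable password cisco
passwd cisco encrypted
username cisco password cisco encrypted privilege 2
console timeout 30
http 1.1.1.0 255.255.255.0 Mgmt-Interface
http 192.168.1.11 255.255.255.255 inside
telnet 0.0.0.0 0.0.0.0 outside
telnet 1.1.1.0 255.255.255.0 Mgmt-Interface
telnet 0.0.0.0 0.0.0.0 inside
snmp-server host inside 192.168.1.10 community public version 2c
icmp permit 0.0.0.0 0.0.0.0 outside
"""

UNTRUSTED = {"outside"}                      # assumption for this example
WEAK = {"cisco", "password", "admin"}
DEFAULT_COMMUNITIES = {"public", "private"}

def audit(config):
    """Return (severity, line, reason) for each questionable command, in config order."""
    findings = []
    for line in config.splitlines():
        t = line.split()
        if not t:
            continue
        cmd = t[0]
        if cmd in ("telnet", "http", "ssh") and len(t) >= 4:
            net = ipaddress.ip_network(f"{t[1]}/{t[2]}", strict=False)
            ifname = t[3]
            if cmd == "telnet" and ifname in UNTRUSTED:
                findings.append(("high", line, "cleartext telnet on an untrusted interface"))
            elif net.prefixlen == 0:
                findings.append(("medium", line, f"{cmd} access open to any source on {ifname}"))
        elif cmd == "enable" and t[1] == "password" and t[2] in WEAK:
            findings.append(("high", line, "default or dictionary enable password"))
        elif cmd == "passwd" and t[1] in WEAK:
            findings.append(("medium", line, "default or dictionary login password"))
        elif cmd == "username" and "password" in t and t[t.index("password") + 1] in WEAK:
            findings.append(("medium", line, f"weak password for user {t[1]}"))
        elif cmd == "snmp-server" and "community" in t:
            community = t[t.index("community") + 1]
            if community in DEFAULT_COMMUNITIES:
                findings.append(("high", line, "default SNMP community string"))
            if "version" in t and t[t.index("version") + 1] != "3":
                findings.append(("medium", line, "SNMPv1/v2c sends the community in cleartext"))
        elif cmd == "icmp" and t[1] == "permit" and t[2] == "0.0.0.0" and t[-1] in UNTRUSTED:
            findings.append(("low", line, "ICMP to the firewall itself from any outside host"))
    return findings

def by_severity(findings, severity):
    """Config lines reported at the given severity."""
    return [line for sev, line, _ in findings if sev == severity]
```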

79

ASA 5500

80

ASA Properties

AAA Setup          AAA server and authentication
Advanced           IP options, fragments, TCP options, timeouts
ARP Static Table   Static ARP entries
Auto Update        Image update
DHCP Service       ASA DHCP server and relay
DNS Client         DNS
Failover           Failover
History Metrics    History
HTTP/HTTPS         HTTP redirection, HTTPS user certificates
IP Audit           Firewall IPS signatures
Logging            Logging
Priority Queue     Interface priority queue
SSL                SSL for ASDM and SSL VPN
SUNRPC Server      SUNRPC service
URL Filtering      URL filtering

81

ASA Properties
AAA Server Group: add a server group and set its protocol (RADIUS / TACAC+), accounting mode and reactivation mode.

82

ASA Properties
AAA Server: server IP address and the interface it is reached through; RADIUS parameters; authentication settings.

83

ASA Properties
CLI AAA Setup
AAA server group
aaa-server 192.168.3.111 protocol radius
 accounting-mode single
 reactivation-mode depletion deadtime 10
 max-failed-attempts 3

AAA server host and the interface it is reached through
aaa-server 192.168.3.111 (Mgmt-Interface) host 192.168.3.111
! The RADIUS shared secret is set under this host with the key command (not shown on the slide)

Authentication prompts
auth-prompt accept Good-User
auth-prompt reject NoNoNo...
auth-prompt prompt whchoi-ASA

84

ASA Properties
Anti-Spoofing
Anti-Spoofing (unicast reverse path forwarding): packets whose source IP address is not reachable back through the interface they arrived on are blocked.
CLI
ip verify reverse-path interface inside

85

ASA Properties
Fragment

Fragment
Fragment Reassembly Fragment Database Packet Size

86

ASA Properties
Time Out

Time Out
Protocol Connection Idle Time
Idle Time Session Close

87

ASA Properties
ARP Static Table
Static IP-to-MAC mapping for a host.
CLI
arp inside 192.168.3.111 aaaa.bbbb.cccc

88

ASA Properties
Auto Update

Auto Update
Server Image

89

ASA Properties
DHCP
1

DHCP Service

DHCP Relay Agent

ASA DHCP Service

ASA DHCP Server Relay


90

ASA Properties
ASA IDS S.W (IP Audit)
The ASA software IDS (IP Audit) has two policy types, Attack and Info; the actions are Alarm, Drop and Reset.
Policies are applied per interface: one attack policy and one information policy.

91

ASA Properties
ASA IDS S.W: signature numbers
Individual information and attack signatures can be enabled or disabled by number.

92

ASA Properties
CLI ASA S.W IDS
IP audit policies
ip audit name P1 attack action reset
ip audit name P2 info action alarm
Apply the policies to an interface
ip audit interface inside P2
ip audit interface inside P1
Disable an audit signature
no ip audit signature 1000

93

ASA Properties
Logging
Logging Setup
- Logging enable, debug messages
- Logging from the failover standby unit
- EMBLEM syslog format
Log storage
- Flash
- FTP server
ASDM logging queue size

94

ASA Properties
Logging
Logging Filter
- Filtering per destination: internal buffer, console, Telnet session, syslog server, SNMP trap, e-mail, ASDM
Syslog
- Syslog facility
- Syslog server settings

95

ASA Properties
Logging

Syslog Server
- IP address, Protocol , Port , EMBLEM

Syslog Server

96

ASA Properties
Logging
E-mail Setup
- Which events are sent by e-mail
Rate Limit
- Limits the number of log messages so that a flood of events (for example during a DDoS) does not overwhelm the logging system
97

ASA Properties
CLI Logging
logging enable
logging standby
! Log from the standby unit too
logging debug-trace
! Send debug output to syslog
logging emblem
! Cisco EMBLEM format
logging timestamp
! Time stamp each message
logging host inside 192.168.3.39
! Syslog server
logging from-address source@cisco.com
! Source e-mail address for logged messages
logging recipient-address whchoi@cisco.com level Errors
! E-mail recipient for messages at level errors and above
logging rate-limit 100 5 level Notifications
! At most 100 messages per 5 seconds at level notifications

98

ASA Properties
SSL URL Filtering Server

SSL ()
- SSL
-SSL VPN SSL

URL Filtering Server


-URL URL
-WebSense,N2H2

99

ASA Properties
PQ (Priority Queue)
- LLQ-style priority queue on an interface
- Lets voice traffic go ahead of other traffic to reduce delay and jitter
CLI
priority-queue inside
 tx-ring-limit 80
 queue-limit 2048

100

ASA 5500 Deep Inspection


Application Inspection

101

Application Inspection - FTP
Topology: inside host 192.168.3.33 behind inside 192.168.1.1; outside 10.10.10.1; FTP server 100.100.100.100 on the outside.

FTP Inspection: hosts on the inside network may download from the FTP server but may not upload to it.

102

Application Inspection - FTP
Create an FTP Inspection Map.

103

Application Inspection - FTP
FTP Map: name the map and select the FTP command to deny.

104

Application Inspection - FTP
Apply it under Config > Service Policy > Service Policy Rules > Add.

105

Application Inspection - FTP
FTP inspection service policy: policy name and the class (traffic match) it applies to.

106

Application Inspection - FTP
Select the FTP inspection map for the rule.
107

Application Inspection - FTP
CLI FTP Inspection
FTP inspection map
ftp-map FTP-PUT-Deny
 request-command deny put
Policy map and class map
policy-map outside-ftp
 class class-default
  inspect ftp strict FTP-PUT-Deny
Apply the policy to the interface
service-policy outside-ftp interface outside

108

Application Inspection - HTTP
Topology: inside host 192.168.3.33 behind inside 192.168.1.1; outside 10.10.10.1; outside host 100.100.100.100.
Well-known P2P, messenger and tunneled applications run over HTTP.

HTTP Inspection: P2P (Kazaa, eDonkey), messenger (MSN, Yahoo, ...) and tunneled applications from the inside network are blocked.

109

Application Inspection - HTTP
Create an HTTP Inspection Map.

110

Application Inspection - HTTP
HTTP Inspection map: for each application class (IM, P2P, tunneling) choose the action and whether to log to syslog.

111

Application Inspection - HTTP
Select the HTTP inspection map in the service policy rule.
112

Application Inspection - HTTP
CLI HTTP Inspection
HTTP inspection map
http-map P2P-IM
 strict-http action reset log
 port-misuse im action drop log
 port-misuse tunneling action drop log
 port-misuse p2p action drop log
Policy map and class map
policy-map inside-policy
 class class-default
  inspect http P2P-IM
Apply the policy to the interface
service-policy inside-policy interface inside

113

ASA Active/Active

114

ASA 5500 Active/Active

ASA 5500 Active/Active topology
Primary unit: Admin context outside 10.10.10.1, Virtual-1 context outside 20.20.20.1, failover link 192.168.5.1, Admin inside 192.168.1.1, Virtual-1 inside 192.168.2.1
Secondary unit: Admin context outside 10.10.10.2, Virtual-1 context outside 20.20.20.2, failover link 192.168.5.2, Admin inside 192.168.1.2, Virtual-1 inside 192.168.2.2

115

ASA 5500 Active/Active
Multi-Context Active/Active: configured in ASDM in four steps.

116

ASA 5500 Active/Active
Multi-context
1. Context name
2. Context interfaces
3. Context config (URL)
4. Failover group

117


118

ASA 5500 Active/Active
Failover Feature - Setup
1. Enable failover
Failover interface: the Management interface is used as the failover link
Active/Standby IP addresses of the logical failover link; Primary/Secondary unit role

119

ASA 5500 Active/Active
Failover Feature - failover interface policy: Failover Monitor (sec), Failover Time (sec), Hold Time (sec)

120

ASA 5500 Active/Active
Failover Feature - Active/Active: failover group priority

121

ASA 5500 Active/Active
Failover Feature - Active/Active: Primary/Secondary, Preempt; Active MAC and Standby MAC

122

ASA 5500 Active/Active
Failover Feature - MAC: active/standby MAC address per ASA interface

123

ASA 5500 Active/Active

CLI Act/Act
Failover
failover lan unit primary
failover lan interface FO Management0/0
failover polltime interface 3
failover mac address GigabitEthernet0/0 0013.c480.5e56 1013.c480.5e56
failover mac address GigabitEthernet0/1 0013.c480.5e57 1013.c480.5e57
failover mac address GigabitEthernet0/2 1013.c480.5e58 0013.c480.5e58
failover mac address GigabitEthernet0/3 1013.c480.5e59 0013.c480.5e59
failover interface ip FO 192.168.5.1 255.255.255.252 standby 192.168.5.2
failover
! This unit is primary and Management0/0 is the LAN failover link (named FO).
! Each data interface gets an explicit active/standby MAC pair; the pair is reversed on Gi0/2-0/3
! because those interfaces belong to failover group 2, which is active on the secondary unit.
! "failover" enables failover once the link is configured.

124

ASA 5500 Active/Active

CLI Act/Act
Failover groups
failover group 1
 preempt 3
 mac address GigabitEthernet0/0 0013.c480.5e56 1013.c480.5e56
 mac address GigabitEthernet0/1 0013.c480.5e57 1013.c480.5e57
failover group 2
 secondary
 preempt 3
 replication http
 mac address GigabitEthernet0/2 1013.c480.5e58 0013.c480.5e58
 mac address GigabitEthernet0/3 1013.c480.5e59 0013.c480.5e59
! Group 1 is active on the primary unit, group 2 on the secondary. "preempt 3" takes the group
! back 3 seconds after its preferred unit returns; "replication http" also replicates HTTP connections.

125

ASA 5500 Active/Active

CLI Act/Act
Contexts
admin-context admin
context admin
 allocate-interface GigabitEthernet0/0
 allocate-interface GigabitEthernet0/1
 config-url disk0:/admin.cfg
!
context virtual-1
 allocate-interface GigabitEthernet0/2
 allocate-interface GigabitEthernet0/3
 join-failover-group 2
 config-url disk0:/virtual-1.cfg
! join-failover-group 2 is added here: it places virtual-1 in failover group 2 (contexts default to group 1)

126

ASA 5500 Active/Active

CLI Act/Act
Context IP addresses
admin context
interface GigabitEthernet0/0
 ip address 10.10.10.1 255.255.255.0 standby 10.10.10.2
!
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
virtual-1 context
interface GigabitEthernet0/2
 ip address 20.20.20.2 255.255.255.0 standby 20.20.20.1
!
interface GigabitEthernet0/3
 ip address 192.168.2.2 255.255.255.0 standby 192.168.2.1
! virtual-1 configures the interfaces allocated to it (Gi0/2 and Gi0/3). Its active address is the .2
! because failover group 2 is active on the secondary unit; the primary holds the .1 standby address.

127
