User Manual
Table of Contents

Contents .... 3
About This Guide .... 25

Configuring Service Policies Using the Modular Policy Framework .... 27
  Configuring a Service Policy Using the Modular Policy Framework .... 29
    Information About Service Policies .... 29
      Supported Features .... 30
      Feature Directionality .... 30
      Feature Matching Within a Service Policy .... 31
      Order in Which Multiple Feature Actions are Applied .... 32
      Incompatibility of Certain Feature Actions .... 33
      Feature Matching for Multiple Service Policies .... 34
    Licensing Requirements for Service Policies .... 34
    Guidelines and Limitations .... 34
    Default Settings .... 36
      Default Configuration .... 36
      Default Class Maps .... 37
    Task Flows for Configuring Service Policies .... 37
      Task Flow for Using the Modular Policy Framework .... 37
      Task Flow for Configuring Hierarchical Policy Maps for QoS Traffic Shaping .... 39
    Identifying Traffic (Layer 3/4 Class Maps) .... 40
      Creating a Layer 3/4 Class Map for Through Traffic .... 40
      Creating a Layer 3/4 Class Map for Management Traffic .... 42
    Defining Actions (Layer 3/4 Policy Map) .... 43
    Applying Actions to an Interface (Service Policy) .... 45
    Monitoring Modular Policy Framework .... 46
    Configuration Examples for Modular Policy Framework .... 46
      Applying Inspection and QoS Policing to HTTP Traffic .... 47
      Applying Inspection to HTTP Traffic Globally .... 47
      Applying Inspection and Connection Limits to HTTP Traffic to Specific Servers .... 48
      Applying Inspection to HTTP Traffic with NAT .... 49
    Feature History for Service Policies .... 50
  Configuring Special Actions for Application Inspections (Inspection Policy Map) .... 51
    Information About Inspection Policy Maps .... 51
    Guidelines and Limitations .... 52
    Default Inspection Policy Maps .... 53
    Defining Actions in an Inspection Policy Map .... 54
    Identifying Traffic in an Inspection Class Map .... 55
    Where to Go Next .... 57
    Feature History for Inspection Policy Maps .... 57

Configuring Network Address Translation .... 59
  Information About NAT .... 61
    Why Use NAT? .... 61
    NAT Terminology .... 62
    NAT Types .... 63
      NAT Types Overview .... 63
      Static NAT .... 63
        Information About Static NAT .... 63
        Information About Static NAT with Port Translation .... 64
        Information About One-to-Many Static NAT .... 65
        Information About Other Mapping Scenarios (Not Recommended) .... 66
      Dynamic NAT .... 67
        Information About Dynamic NAT .... 67
        Dynamic NAT Disadvantages and Advantages .... 68
      Dynamic PAT .... 68
        Information About Dynamic PAT .... 68
        Per-Session PAT vs. Multi-Session PAT .... 69
        Dynamic PAT Disadvantages and Advantages .... 69
      Identity NAT .... 70
    NAT in Routed and Transparent Mode .... 70
      NAT in Routed Mode .... 71
      NAT in Transparent Mode .... 71
    NAT and IPv6 .... 73
    How NAT is Implemented .... 73
      Main Differences Between Network Object NAT and Twice NAT .... 73
      Information About Network Object NAT .... 74
      Information About Twice NAT .... 74
    NAT Rule Order .... 78
    NAT Interfaces .... 79
    Routing NAT Packets .... 79
      Mapped Addresses and Routing .... 80
      Transparent Mode Routing Requirements for Remote Networks .... 81
      Determining the Egress Interface .... 82
    NAT for VPN .... 82
      NAT and Remote Access VPN .... 83
      NAT and Site-to-Site VPN .... 84
      NAT and VPN Management Access .... 86
      Troubleshooting NAT and VPN .... 88
    DNS and NAT .... 88
    Where to Go Next .... 93
  Configuring Network Object NAT .... 95
    Information About Network Object NAT .... 95
    Licensing Requirements for Network Object NAT .... 96
    Prerequisites for Network Object NAT .... 96
    Guidelines and Limitations .... 96
    Default Settings .... 97
    Configuring Network Object NAT .... 98
      Adding Network Objects for Mapped Addresses .... 98
      Configuring Dynamic NAT .... 99
      Configuring Dynamic PAT (Hide) .... 101
      Configuring Static NAT or Static NAT-with-Port-Translation .... 105
      Configuring Identity NAT .... 108
      Configuring Per-Session PAT Rules .... 110
    Monitoring Network Object NAT .... 111
    Configuration Examples for Network Object NAT .... 112
      Providing Access to an Inside Web Server (Static NAT) .... 113
      NAT for Inside Hosts (Dynamic NAT) and NAT for an Outside Web Server (Static NAT) .... 113
      Inside Load Balancer with Multiple Mapped Addresses (Static NAT, One-to-Many) .... 115
      Single Address for FTP, HTTP, and SMTP (Static NAT-with-Port-Translation) .... 116
      DNS Server on Mapped Interface, Web Server on Real Interface (Static NAT with DNS Modification) .... 117
      DNS Server and FTP Server on Mapped Interface, FTP Server is Translated (Static NAT with DNS Modification) .... 119
      IPv4 DNS Server and FTP Server on Mapped Interface, IPv6 Host on Real Interface (Static NAT64 with DNS64 Modification) .... 120
    Feature History for Network Object NAT .... 122
  Configuring Twice NAT .... 127
    Information About Twice NAT .... 127
    Licensing Requirements for Twice NAT .... 128
    Prerequisites for Twice NAT .... 128
    Guidelines and Limitations .... 128
    Default Settings .... 130
    Configuring Twice NAT .... 130
      Adding Network Objects for Real and Mapped Addresses .... 130
      (Optional) Adding Service Objects for Real and Mapped Ports .... 132
      Configuring Dynamic NAT .... 133
      Configuring Dynamic PAT (Hide) .... 137
      Configuring Static NAT or Static NAT-with-Port-Translation .... 144
      Configuring Identity NAT .... 147
      Configuring Per-Session PAT Rules .... 150
    Monitoring Twice NAT .... 150
    Configuration Examples for Twice NAT .... 151
      Different Translation Depending on the Destination (Dynamic PAT) .... 151
      Different Translation Depending on the Destination Address and Port (Dynamic PAT) .... 153
    Feature History for Twice NAT .... 155

Configuring Access Control .... 159
  Configuring Access Rules .... 161
    Information About Access Rules .... 161
      General Information About Rules .... 162
        Implicit Permits .... 162
        Information About Interface Access Rules and Global Access Rules .... 162
        Using Access Rules and EtherType Rules on the Same Interface .... 162
        Implicit Deny .... 163
        Inbound and Outbound Rules .... 163
        Transactional-Commit Model .... 164
      Information About Extended Access Rules .... 165
        Access Rules for Returning Traffic .... 165
        Allowing Broadcast and Multicast Traffic through the Transparent Firewall Using Access Rules .... 165
        Management Access Rules .... 166
      Information About EtherType Rules .... 166
        Supported EtherTypes and Other Traffic .... 166
        Access Rules for Returning Traffic .... 167
        Allowing MPLS .... 167
    Licensing Requirements for Access Rules .... 167
    Prerequisites .... 167
    Guidelines and Limitations .... 167
    Default Settings .... 168
    Configuring Access Rules .... 168
    Monitoring Access Rules .... 170
    Configuration Examples for Permitting or Denying Network Access .... 170
    Feature History for Access Rules .... 171
  Configuring AAA Rules for Network Access .... 173
    AAA Performance .... 173
    Licensing Requirements for AAA Rules .... 173
    Guidelines and Limitations .... 174
    Configuring Authentication for Network Access .... 174
      Information About Authentication .... 174
        One-Time Authentication .... 175
        Applications Required to Receive an Authentication Challenge .... 175
        ASA Authentication Prompts .... 175
        AAA Prompts and Identity Firewall .... 176
        AAA Rules as a Backup Authentication Method .... 177
        Static PAT and HTTP .... 177
      Configuring Network Access Authentication .... 179
      Enabling Secure Authentication of Web Clients .... 182
      Authenticating Directly with the ASA .... 183
        Authenticating HTTP(S) Connections with a Virtual Server .... 183
        Authenticating Telnet Connections with a Virtual Server .... 184
    Configuring Authorization for Network Access .... 186
      Configuring TACACS+ Authorization .... 186
      Configuring RADIUS Authorization .... 189
        Configuring a RADIUS Server to Send Downloadable Access Control Lists .... 189
        Configuring a RADIUS Server to Download Per-User Access Control List Names .... 193
    Configuring Accounting for Network Access .... 193
    Using MAC Addresses to Exempt Traffic from Authentication and Authorization .... 195
    Feature History for AAA Rules .... 197

Configuring Application Inspection .... 199
  Getting Started with Application Layer Protocol Inspection .... 201
    Information about Application Layer Protocol Inspection .... 201
      How Inspection Engines Work .... 201
      When to Use Application Protocol Inspection .... 202
    Guidelines and Limitations .... 203
    Default Settings and NAT Limitations .... 204
    Configuring Application Layer Protocol Inspection .... 207
  Configuring Inspection of Basic Internet Protocols .... 213
    DNS Inspection .... 213
      Information About DNS Inspection .... 214
        General Information About DNS .... 214
        DNS Inspection Actions .... 214
      Default Settings for DNS Inspection .... 214
      (Optional) Configuring a DNS Inspection Policy Map and Class Map .... 215
      Configuring DNS Inspection .... 220
      Monitoring DNS Inspection .... 221
    FTP Inspection .... 222
      FTP Inspection Overview .... 222
      Using the strict Option .... 223
      Configuring an FTP Inspection Policy Map for Additional Inspection Control .... 224
      Verifying and Monitoring FTP Inspection .... 227
    HTTP Inspection .... 227
      HTTP Inspection Overview .... 227
      Configuring an HTTP Inspection Policy Map for Additional Inspection Control .... 228
    ICMP Inspection .... 232
    ICMP Error Inspection .... 232
    Instant Messaging Inspection .... 232
      IM Inspection Overview .... 232
      Configuring an Instant Messaging Inspection Policy Map for Additional Inspection Control .... 233
    IP Options Inspection .... 235
      IP Options Inspection Overview .... 236
      Configuring an IP Options Inspection Policy Map for Additional Inspection Control .... 237
    IPsec Pass Through Inspection .... 237
      IPsec Pass Through Inspection Overview .... 238
      Example for Defining an IPsec Pass Through Parameter Map .... 238
    IPv6 Inspection .... 238
      Information about IPv6 Inspection .... 239
      Default Settings for IPv6 Inspection .... 239
      (Optional) Configuring an IPv6 Inspection Policy Map .... 239
      Configuring IPv6 Inspection .... 241
    NetBIOS Inspection .... 242
      NetBIOS Inspection Overview .... 242
      Configuring a NetBIOS Inspection Policy Map for Additional Inspection Control .... 242
    PPTP Inspection .... 244
    SMTP and Extended SMTP Inspection .... 244
      SMTP and ESMTP Inspection Overview .... 244
      Configuring an ESMTP Inspection Policy Map for Additional Inspection Control .... 245
    TFTP Inspection .... 247
  Configuring Inspection for Voice and Video Protocols .... 249
    CTIQBE Inspection .... 249
      CTIQBE Inspection Overview .... 249
      Limitations and Restrictions .... 250
      Verifying and Monitoring CTIQBE Inspection .... 250
    H.323 Inspection .... 251
      H.323 Inspection Overview .... 252
        How H.323 Works .... 252
        H.239 Support in H.245 Messages .... 253
      Limitations and Restrictions .... 253
      Configuring an H.323 Inspection Policy Map for Additional Inspection Control .... 254
      Configuring H.323 and H.225 Timeout Values .... 257
      Verifying and Monitoring H.323 Inspection .... 257
        Monitoring H.225 Sessions .... 257
        Monitoring H.245 Sessions .... 258
        Monitoring H.323 RAS Sessions .... 258
    MGCP Inspection .... 259
      MGCP Inspection Overview .... 259
      Configuring an MGCP Inspection Policy Map for Additional Inspection Control .... 260
      Configuring MGCP Timeout Values .... 261
      Verifying and Monitoring MGCP Inspection .... 262
    RTSP Inspection .... 262
      RTSP Inspection Overview .... 263
      Using RealPlayer .... 263
      Restrictions and Limitations .... 263
      Configuring an RTSP Inspection Policy Map for Additional Inspection Control .... 264
    SIP Inspection .... 266
      SIP Inspection Overview .... 266
      SIP Instant Messaging .... 267
      Configuring a SIP Inspection Policy Map for Additional Inspection Control .... 268
      Configuring SIP Timeout Values .... 272
      Verifying and Monitoring SIP Inspection .... 272
    Skinny (SCCP) Inspection .... 272
      SCCP Inspection Overview .... 273
      Supporting Cisco IP Phones .... 273
      Restrictions and Limitations .... 274
      Configuring a Skinny (SCCP) Inspection Policy Map for Additional Inspection Control .... 274
      Verifying and Monitoring SCCP Inspection .... 276
  Configuring Inspection of Database and Directory Protocols .... 277
    ILS Inspection .... 277
    SQL*Net Inspection .... 278
    Sun RPC Inspection .... 279
      Sun RPC Inspection Overview .... 279
      Managing Sun RPC Services .... 280
      Verifying and Monitoring Sun RPC Inspection .... 280
  Configuring Inspection for Management Application Protocols .... 283
    DCERPC Inspection .... 283
      DCERPC Overview .... 283
      Configuring a DCERPC Inspection Policy Map for Additional Inspection Control .... 284
    GTP Inspection .... 285
      GTP Inspection Overview .... 285
      Configuring a GTP Inspection Policy Map for Additional Inspection Control .... 286
      Verifying and Monitoring GTP Inspection .... 289
    RADIUS Accounting Inspection .... 290
      RADIUS Accounting Inspection Overview .... 291
      Configuring a RADIUS Inspection Policy Map for Additional Inspection Control .... 291
    RSH Inspection .... 292
    SNMP Inspection .... 292
      SNMP Inspection Overview .... 292
      Configuring an SNMP Inspection Policy Map for Additional Inspection Control .... 292
    XDMCP Inspection .... 293

Configuring Unified Communications .... 295
  Information About Cisco Unified Communications Proxy Features .... 297
    Information About the Adaptive Security Appliance in Cisco Unified Communications .... 297
    TLS Proxy Applications in Cisco Unified Communications .... 299
    Licensing for Cisco Unified Communications Proxy Features .... 300
  Using the Cisco Unified Communication Wizard .... 303
    Information about the Cisco Unified Communication Wizard .... 303
    Licensing Requirements for the Unified Communication Wizard .... 305
    Guidelines and Limitations .... 306
    Configuring the Phone Proxy by using the Unified Communication Wizard .... 306
      Configuring the Private Network for the Phone Proxy .... 307
      Configuring Servers for the Phone Proxy .... 308
      Enabling Certificate Authority Proxy Function (CAPF) for IP Phones .... 310
      Configuring the Public IP Phone Network .... 311
      Configuring the Media Termination Address for Unified Communication Proxies .... 312
    Configuring the Mobility Advantage by using the Unified Communication Wizard .... 313
      Configuring the Topology for the Cisco Mobility Advantage Proxy .... 314
      Configuring the Server-Side Certificates for the Cisco Mobility Advantage Proxy .... 314
      Configuring the Client-Side Certificates for the Cisco Mobility Advantage Proxy .... 315
    Configuring the Presence Federation Proxy by using the Unified Communication Wizard .... 316
      Configuring the Topology for the Cisco Presence Federation Proxy .... 316
      Configuring the Local-Side Certificates for the Cisco Presence Federation Proxy .... 317
      Configuring the Remote-Side Certificates for the Cisco Presence Federation Proxy .... 317
    Configuring the UC-IME by using the Unified Communication Wizard .... 318
      Configuring the Topology for the Cisco Intercompany Media Engine Proxy .... 319
      Configuring the Private Network Settings for the Cisco Intercompany Media Engine Proxy .... 320
      Adding a Cisco Unified Communications Manager Server for the UC-IME Proxy .... 322
      Configuring the Public Network Settings for the Cisco Intercompany Media Engine Proxy .... 322
      Configuring the Local-Side Certificates for the Cisco Intercompany Media Engine Proxy .... 323
      Configuring the Remote-Side Certificates for the Cisco Intercompany Media Engine Proxy .... 324
    Working with Certificates in the Unified Communication Wizard .... 325
      Exporting an Identity Certificate .... 325
      Installing a Certificate .... 325
      Generating a Certificate Signing Request (CSR) for a Unified Communications Proxy .... 326
      Saving the Identity Certificate Request .... 327
      Installing the ASA Identity Certificate on the Mobility Advantage Server .... 328
      Installing the ASA Identity Certificate on the Presence Federation and Cisco Intercompany Media Engine Servers .... 328
  Configuring the Cisco Phone Proxy .... 331
    Information About the Cisco Phone Proxy .... 331
      Phone Proxy Functionality .... 331
      Supported Cisco UCM and IP Phones for the Phone Proxy .... 333
    Licensing Requirements for the Phone Proxy .... 334
    Prerequisites for the Phone Proxy .... 336
      Media Termination Instance Prerequisites .... 336
      Certificates from the Cisco UCM .... 337
      DNS Lookup Prerequisites .... 337
      Cisco Unified Communications Manager Prerequisites .... 337
      ACL Rules .... 337
      NAT and PAT Prerequisites .... 338
      Prerequisites for IP Phones on Multiple Interfaces .... 339
      7960 and 7940 IP Phones Support .... 339
      Cisco IP Communicator Prerequisites .... 340
      Prerequisites for Rate Limiting TFTP Requests .... 341
        Rate Limiting Configuration Example .... 341
      About ICMP Traffic Destined for the Media Termination Address .... 341
      End-User Phone Provisioning .... 342
        Ways to Deploy IP Phones to End Users .... 342
    Phone Proxy Guidelines and Limitations .... 342
      General Guidelines and Limitations .... 343
      Media Termination Address Guidelines and Limitations .... 344
    Configuring the Phone Proxy .... 344
      Task Flow for Configuring the Phone Proxy in a Non-secure Cisco UCM Cluster .... 345
      Importing Certificates from the Cisco UCM .... 345
      Task Flow for Configuring the Phone Proxy in a Mixed-mode Cisco UCM Cluster .... 347
      Creating Trustpoints and Generating Certificates .... 347
      Creating the CTL File .... 348
      Using an Existing CTL File .... 350
      Creating the TLS Proxy Instance for a Non-secure Cisco UCM Cluster .... 350
      Creating the TLS Proxy for a Mixed-mode Cisco UCM Cluster .... 351
      Creating the Media Termination Instance .... 353
      Creating the Phone Proxy Instance .... 354
      Enabling the Phone Proxy with SIP and Skinny Inspection .... 356
      Configuring Linksys Routers with UDP Port Forwarding for the Phone Proxy .... 357
        Configuring Your Router .... 358
    Troubleshooting the Phone Proxy .... 358
      Debugging Information from the Security Appliance .... 358
      Debugging Information from IP Phones .... 362
      IP Phone Registration Failure .... 363
        TFTP Auth Error Displays on IP Phone Console .... 363
        Configuration File Parsing Error .... 364
        Configuration File Parsing Error: Unable to Get DNS Response .... 364
        Non-configuration File Parsing Error .... 365
        Cisco UCM Does Not Respond to TFTP Request for Configuration File .... 365
        IP Phone Does Not Respond After the Security Appliance Sends TFTP Data .... 366
        IP Phone Requesting Unsigned File Error .... 367
        IP Phone Unable to Download CTL File .... 367
        IP Phone Registration Failure from Signaling Connections .... 368
        SSL Handshake Failure .... 370
        Certificate Validation Errors .... 371
      Media Termination Address Errors .... 371
      Audio Problems with IP Phones .... 372
      Saving SAST Keys .... 372
    Configuration Examples for the Phone Proxy .... 374
      Example 1: Nonsecure Cisco UCM cluster, Cisco UCM and TFTP Server on Publisher .... 374
      Example 2: Mixed-mode Cisco UCM cluster, Cisco UCM and TFTP Server on Publisher .... 376
      Example 3: Mixed-mode Cisco UCM cluster, Cisco UCM and TFTP Server on Different Servers .... 377
      Example 4: Mixed-mode Cisco UCM cluster, Primary Cisco UCM, Secondary and TFTP Server on Different Servers .... 378
      Example 5: LSC Provisioning in Mixed-mode Cisco UCM cluster; Cisco UCM and TFTP Server on Publisher .... 380
      Example 6: VLAN Transversal .... 382
    Feature History for the Phone Proxy .... 384
  Configuring the TLS Proxy for Encrypted Voice Inspection .... 385
    Information about the TLS Proxy for Encrypted Voice Inspection .... 385
      Decryption and Inspection of Unified Communications Encrypted Signaling .... 385
      Supported Cisco UCM and IP Phones for the TLS Proxy .... 386
      CTL Client Overview .... 387
    Licensing for the TLS Proxy .... 389
    Prerequisites for the TLS Proxy for Encrypted Voice Inspection .... 391
    Configuring the TLS Proxy for Encrypted Voice Inspection .... 391
      Task flow for Configuring the TLS Proxy for Encrypted Voice Inspection .... 392
      Creating Trustpoints and Generating Certificates .... 393
      Creating an Internal CA .... 394
      Creating a CTL Provider Instance .... 395
      Creating the TLS Proxy Instance .... 396
      Enabling the TLS Proxy Instance for Skinny or SIP Inspection .... 397
    Monitoring the TLS Proxy .... 399
    Feature History for the TLS Proxy for Encrypted Voice Inspection .... 401
  Configuring Cisco Mobility Advantage .... 403
    Information about the Cisco Mobility Advantage Proxy Feature .... 403
      Cisco Mobility Advantage Proxy Functionality .... 403
      Mobility Advantage Proxy Deployment Scenarios .... 404
      Mobility Advantage Proxy Using NAT/PAT .... 406
      Trust Relationships for Cisco UMA Deployments .... 407
    Licensing for the Cisco Mobility Advantage Proxy Feature .... 408
    Configuring Cisco Mobility Advantage .... 408
      Task Flow for Configuring Cisco Mobility Advantage .... 409
      Installing the Cisco UMA Server Certificate .... 409
      Creating the TLS Proxy Instance .... 410
      Enabling the TLS Proxy for MMP Inspection .... 411
    Monitoring for Cisco Mobility Advantage .... 412
    Configuration Examples for Cisco Mobility Advantage .... 413
      Example 1: Cisco UMC/Cisco UMA Architecture – Security Appliance as Firewall with TLS Proxy and MMP Inspection .... 413
      Example 2: Cisco UMC/Cisco UMA Architecture – Security Appliance as TLS Proxy Only .... 414
    Feature History for Cisco Mobility Advantage .... 416
  Configuring Cisco Unified Presence .... 417
    Information About Cisco Unified Presence .... 417
      Architecture for Cisco Unified Presence for SIP Federation Deployments .... 417
      Trust Relationship in the Presence Federation .... 420
      Security Certificate Exchange Between Cisco UP and the Security Appliance .... 421
      XMPP Federation Deployments .... 421
      Configuration Requirements for XMPP Federation .... 422
    Licensing for Cisco Unified Presence .... 423
    Configuring Cisco Unified Presence Proxy for SIP Federation .... 424
      Task Flow for Configuring Cisco Unified Presence Federation Proxy for SIP Federation .... 425
      Creating Trustpoints and Generating Certificates .... 425
      Installing Certificates .... 426
      Creating the TLS Proxy Instance .... 428
      Enabling the TLS Proxy for SIP Inspection .... 429
    Monitoring Cisco Unified Presence .... 430
    Configuration Example for Cisco Unified Presence .... 430
      Example Configuration for SIP Federation Deployments .... 431
      Example ACL Configuration for XMPP Federation .... 433
      Example NAT Configuration for XMPP Federation .... 434
    Feature History for Cisco Unified Presence .... 436
  Configuring Cisco Intercompany Media Engine Proxy .... 437
    Information About Cisco Intercompany Media Engine Proxy .... 437
      Features of Cisco Intercompany Media Engine Proxy .... 437
      How the UC-IME Works with the PSTN and the Internet .... 438
      Tickets and Passwords .... 439
      Call Fallback to the PSTN .... 440
      Architecture and Deployment Scenarios for Cisco Intercompany Media Engine .... 441
        Architecture .... 441
        Basic Deployment .... 442
        Off Path Deployment .... 443
    Licensing for Cisco Intercompany Media Engine .... 443
    Guidelines and Limitations .... 444
    Configuring Cisco Intercompany Media Engine Proxy .... 446
      Task Flow for Configuring Cisco Intercompany Media Engine .... 446
      Configuring NAT for Cisco Intercompany Media Engine Proxy .... 447
      Configuring PAT for the Cisco UCM Server .... 449
      Creating ACLs for Cisco Intercompany Media Engine Proxy .... 451
      Creating the Media Termination Instance .... 452
      Creating the Cisco Intercompany Media Engine Proxy .... 453
      Creating Trustpoints and Generating Certificates .... 456
      Creating the TLS Proxy .... 459
      Enabling SIP Inspection for the Cisco Intercompany Media Engine Proxy .... 460
      (Optional) Configuring TLS within the Local Enterprise .... 462
      (Optional) Configuring Off Path Signaling .... 465
      Configuring the Cisco UC-IMC Proxy by using the UC-IME Proxy Pane .... 466
      Configuring the Cisco UC-IMC Proxy by using the Unified Communications Wizard .... 468
    Troubleshooting Cisco Intercompany Media Engine Proxy .... 469
    Feature History for Cisco Intercompany Media Engine Proxy .... 472

Configuring Connection Settings and QoS .... 473
  Configuring Connection Settings .... 475
    Information About Connection Settings .... 475
      TCP Intercept and Limiting Embryonic Connections .... 476
      Disabling TCP Intercept for Management Packets for Clientless SSL Compatibility .... 476
      Dead Connection Detection (DCD) .... 476
      TCP Sequence Randomization .... 477
      TCP Normalization .... 477
      TCP State Bypass .... 477
    Licensing Requirements for Connection Settings .... 478
    Guidelines and Limitations .... 479
    Default Settings .... 479
    Configuring Connection Settings .... 480
      Task Flow For Configuring Connection Settings .... 480
      Customizing the TCP Normalizer with a TCP Map .... 480
      Configuring Connection Settings .... 485
    Monitoring Connection Settings .... 489
    Configuration Examples for Connection Settings .... 489
      Configuration Examples for Connection Limits and Timeouts .... 489
      Configuration Examples for TCP State Bypass .... 490
      Configuration Examples for TCP Normalization .... 490
    Feature History for Connection Settings .... 491
  Configuring QoS .... 493
    Information About QoS .... 493
      Supported QoS Features .... 494
      What is a Token Bucket? .... 494
      Information About Policing .... 495
      Information About Priority Queuing .... 495
      Information About Traffic Shaping .... 496
        How QoS Features Interact .... 496
      DSCP and DiffServ Preservation .... 497
    Licensing Requirements for QoS .... 497
    Guidelines and Limitations .... 497
    Configuring QoS .... 498
      Determining the Queue and TX Ring Limits for a Standard Priority Queue .... 499
      Configuring the Standard Priority Queue for an Interface .... 500
      Configuring a Service Rule for Standard Priority Queuing and Policing .... 501
      Configuring a Service Rule for Traffic Shaping and Hierarchical Priority Queuing .... 505
        (Optional) Configuring the Hierarchical Priority Queuing Policy .... 505
        Configuring the Service Rule .... 506
    Monitoring QoS .... 508
      Viewing QoS Police Statistics .... 508
      Viewing QoS Standard Priority Statistics .... 509
      Viewing QoS Shaping Statistics .... 509
      Viewing QoS Standard Priority Queue Statistics .... 510
    Feature History for QoS .... 511
  Troubleshooting Connections and Resources .... 513
    Testing Your Configuration .... 513
      Enabling ICMP Debugging Messages and Syslog Messages .... 514
      Pinging ASA Interfaces .... 515
      Passing Traffic Through the ASA .... 517
      Disabling the Test Configuration .... 518
      Determining Packet Routing with Traceroute .... 519
      Tracing Packets with Packet Tracer .... 519
    Monitoring Per-Process CPU Usage .... 519

Configuring Advanced Network Protection .... 521
  Configuring the ASA for Cisco Cloud Web Security .... 523
    Information About Cisco Cloud Web Security .... 524
      Redirection of Web Traffic to Cloud Web Security .... 524
      User Authentication and Cloud Web Security .... 524
      Authentication Keys .... 525
        Company Authentication Key .... 525
        Group Authentication Key .... 525
      ScanCenter Policy .... 526
        Directory Groups .... 526
        Custom Groups .... 526
        How Groups and the Authentication Key Interoperate .... 527
      Cloud Web Security Actions .... 527
      Bypassing Scanning with Whitelists .... 528
      IPv4 and IPv6 Support .... 528
      Failover from Primary to Backup Proxy Server .... 528
    Licensing Requirements for Cisco Cloud Web Security .... 528
    Prerequisites for Cloud Web Security .... 529
    Guidelines and Limitations .... 529
    Default Settings .... 530
    Configuring Cisco Cloud Web Security .... 530
      Configuring Communication with the Cloud Web Security Proxy Server .... 530
      (Multiple Context Mode) Allowing Cloud Web Security Per Security Context .... 531
      Configuring a Service Policy to Send Traffic to Cloud Web Security .... 532
      (Optional) Configuring Whitelisted Traffic .... 537
      (Optional) Configuring the User Identity Monitor .... 538
      Configuring the Cloud Web Security Policy .... 538
    Monitoring Cloud Web Security .... 539
    Configuration Examples for Cisco Cloud Web Security .... 540
      Single Mode Example .... 540
      Multiple Mode Example .... 541
      Whitelist Example .... 541
      Directory Integration Examples .... 542
        Configuring the Active Directory Server Using LDAP .... 542
        Configuring the Active Directory Agent Using RADIUS .... 543
        Creating the ASA as a Client on the AD Agent Server .... 543
        Creating a Link Between the AD Agent and DCs .... 543
        Testing the AD Agent .... 543
        Configuring the Identity Options on the ASA .... 543
        Configuring the User Identity Options and Enabling Granular Reporting .... 543
        Monitoring the Active Directory Groups .... 544
        Downloading the Entire Active-User Database from the Active Directory Server .... 544
        Downloading the Database from the AD Agent .... 544
        Showing a List of Active Users .... 544
      Cloud Web Security with Identity Firewall Example .... 544
    Related Documents .... 548
    Feature History for Cisco Cloud Web Security .... 548
  Configuring the Botnet Traffic Filter .... 549
    Information About the Botnet Traffic Filter .... 549
      Botnet Traffic Filter Address Types .... 550
      Botnet Traffic Filter Actions for Known Addresses .... 550
      Botnet Traffic Filter Databases .... 550
        Information About the Dynamic Database .... 550
        Information About the Static Database .... 551
        Information About the DNS Reverse Lookup Cache and DNS Host Cache .... 552
      How the Botnet Traffic Filter Works .... 553
    Licensing Requirements for the Botnet Traffic Filter .... 554
    Prerequisites for the Botnet Traffic Filter .... 554
    Guidelines and Limitations .... 554
    Default Settings .... 554
    Configuring the Botnet Traffic Filter .... 555
      Task Flow for Configuring the Botnet Traffic Filter .... 555
      Configuring the Dynamic Database .... 556
      Adding Entries to the Static Database .... 557
      Enabling DNS Snooping .... 558
      Enabling Traffic Classification and Actions for the Botnet Traffic Filter .... 560
      Blocking Botnet Traffic Manually .... 563
      Searching the Dynamic Database .... 564
    Monitoring the Botnet Traffic Filter .... 565
      Botnet Traffic Filter Syslog Messaging .... 565
      Botnet Traffic Filter Commands .... 565
    Configuration Examples for the Botnet Traffic Filter .... 567
      Recommended Configuration Example .... 567
      Other Configuration Examples .... 568
    Where to Go Next .... 569
    Feature History for the Botnet Traffic Filter .... 570
  Configuring Threat Detection .... 571
    Information About Threat Detection .... 571
    Licensing Requirements for Threat Detection .... 571
    Configuring Basic Threat Detection Statistics .... 572
      Information About Basic Threat Detection Statistics .... 572
      Guidelines and Limitations .... 573
      Default Settings .... 573
      Configuring Basic Threat Detection Statistics .... 574
      Monitoring Basic Threat Detection Statistics .... 575
      Feature History for Basic Threat Detection Statistics .... 576
    Configuring Advanced Threat Detection Statistics .... 576
      Information About Advanced Threat Detection Statistics .... 576
      Guidelines and Limitations .... 576
      Default Settings .... 577
      Configuring Advanced Threat Detection Statistics .... 577
      Monitoring Advanced Threat Detection Statistics .... 579
      Feature History for Advanced Threat Detection Statistics .... 584
    Configuring Scanning Threat Detection .... 585
      Information About Scanning Threat Detection .... 585
      Guidelines and Limitations .... 586
      Default Settings .... 586
      Configuring Scanning Threat Detection .... 587
      Monitoring Shunned Hosts, Attackers, and Targets .... 587
      Feature History for Scanning Threat Detection .... 588
    Configuration Examples for Threat Detection .... 589
  Using Protection Tools .... 591
    Preventing IP Spoofing .... 591
    Configuring the Fragment Size .... 592
    Blocking Unwanted Connections .... 592
    Configuring IP Audit for Basic IPS Support .... 593
      Configuring IP Audit .... 593
      IP Audit Signature List .... 594
  Configuring Filtering Services .... 599
    Information About Web Traffic Filtering .... 599
    Configuring ActiveX Filtering .... 600
      Information About ActiveX Filtering .... 600
      Licensing Requirements for ActiveX Filtering .... 600
      Guidelines and Limitations for ActiveX Filtering .... 601
      Configuring ActiveX Filtering .... 601
      Configuration Examples for ActiveX Filtering .... 601
      Feature History for ActiveX Filtering .... 602
    Configuring Java Applet Filtering .... 602
      Information About Java Applet Filtering .... 602
      Licensing Requirements for Java Applet Filtering .... 602
      Guidelines and Limitations for Java Applet Filtering .... 603
      Configuring Java Applet Filtering .... 603
      Configuration Examples for Java Applet Filtering .... 603
      Feature History for Java Applet Filtering .... 604
    Filtering URLs and FTP Requests with an External Server .... 604
      Information About URL Filtering .... 604
      Licensing Requirements for URL Filtering .... 605
      Guidelines and Limitations for URL Filtering .... 605
      Identifying the Filtering Server .... 606
      Configuring Additional URL Filtering Settings .... 608
        Buffering the Content Server Response .... 608
        Caching Server Addresses .... 609
        Filtering HTTP URLs .... 609
        Filtering HTTPS URLs .... 611
        Filtering FTP Requests .... 612
      Monitoring Filtering Statistics .... 613
      Feature History for URL Filtering .... 615

Configuring Modules .... 617
  Configuring the ASA CX Module .... 619
    Information About the ASA CX Module .... 619
      How the ASA CX Module Works with the ASA .... 620
      Monitor-Only Mode .... 621
        Service Policy in Monitor-Only Mode .... 621
        Traffic-Forwarding Interface in Monitor-Only Mode .... 621
      Information About ASA CX Management .... 622
        Initial Configuration .... 622
        Policy Configuration and Management .... 623
      Information About Authentication Proxy .... 623
      Information About VPN and the ASA CX Module .... 623
      Compatibility with ASA Features .... 623
    Licensing Requirements for the ASA CX Module .... 624
    Prerequisites .... 624
    Guidelines and Limitations .... 624
    Default Settings .... 626
    Configuring the ASA CX Module .... 626
      Task Flow for the ASA CX Module .... 626
      Connecting the ASA CX Management Interface .... 627
        ASA 5585-X (Hardware Module) .... 627
        ASA 5512-X through ASA 5555-X (Software Module) .... 629
      (ASA 5512-X through ASA 5555-X; May Be Required) Installing the Software Module .... 630
      (ASA 5585-X) Changing the ASA CX Management IP Address .... 632
      Configuring Basic ASA CX Settings at the ASA CX CLI .... 633
      Configuring the Security Policy on the ASA CX Module Using PRSM .... 634
      (Optional) Configuring the Authentication Proxy Port .... 635
      Redirecting Traffic to the ASA CX Module .... 636
        Creating the ASA CX Service Policy .... 636
        Configuring Traffic-Forwarding Interfaces (Monitor-Only Mode) .... 638
    Managing the ASA CX Module .... 639
      Resetting the Password .... 640
      Reloading or Resetting the Module .... 640
      Shutting Down the Module .... 641
      (ASA 5512-X through ASA 5555-X) Uninstalling a Software Module Image .... 642
      (ASA 5512-X through ASA 5555-X) Sessioning to the Module From the ASA .... 642
    Monitoring the ASA CX Module .... 643
      Showing Module Status .... 643
      Showing Module Statistics .... 644
      Monitoring Module Connections .... 645
      Capturing Module Traffic .... 648
    Troubleshooting the ASA CX Module .... 648
      Debugging the Module .... 648
      Problems with the Authentication Proxy .... 649
    Configuration Examples for the ASA CX Module .... 650
    Feature History for the ASA CX Module .... 651
  Configuring the ASA IPS Module .... 655
    Information About the ASA IPS Module .... 655
      How the ASA IPS Module Works with the ASA .... 656
        Operating Modes .... 657
        Using Virtual Sensors (ASA 5510 and Higher) .... 657
        Information About Management Access .... 658
    Licensing Requirements for the ASA IPS module .... 659
    Guidelines and Limitations .... 659
    Default Settings .... 660
    Configuring the ASA IPS module .... 661
      Task Flow for the ASA IPS Module .... 661
      Connecting the ASA IPS Management Interface .... 662
        ASA 5510, ASA 5520, ASA 5540, ASA 5580, ASA 5585-X (Hardware Module) .... 662
        ASA 5512-X through ASA 5555-X (Software Module) .... 663
        ASA 5505 .... 664
      Sessioning to the Module from the ASA .... 665
      (ASA 5512-X through ASA 5555-X) Booting the Software Module .... 665
      Configuring Basic IPS Module Network Settings .... 666
        (ASA 5510 and Higher) Configuring Basic Network Settings .... 667
        (ASA 5505) Configuring Basic Network Settings .... 667
      Configuring the Security Policy on the ASA IPS Module .... 669
      Assigning Virtual Sensors to a Security Context (ASA 5510 and Higher) .... 670
      Diverting Traffic to the ASA IPS module .... 672
    Managing the ASA IPS module .... 675
      Installing and Booting an Image on the Module .... 675
      Shutting Down the Module .... 677
      Uninstalling a Software Module Image .... 677
      Resetting the Password .... 678
      Reloading or Resetting the Module .... 679
    Monitoring the ASA IPS module .... 679
    Configuration Examples for the ASA IPS module .... 680
    Feature History for the ASA IPS module .... 681
  Configuring the ASA CSC Module .... 683
    Information About the CSC SSM .... 683
      Determining What Traffic to Scan .... 685
    Licensing Requirements for the CSC SSM .... 687
    Prerequisites for the CSC SSM .... 687
    Guidelines and Limitations .... 688
    Default Settings .... 688
    Configuring the CSC SSM .... 689
      Before Configuring the CSC SSM .... 689
      Connecting to the CSC SSM .... 690
      Diverting Traffic to the CSC SSM .... 692
    Monitoring the CSC SSM .... 695
    Troubleshooting the CSC Module .... 696
      Installing an Image on the Module .... 696
      Resetting the Password .... 697
      Reloading or Resetting the Module .... 698
      Shutting Down the Module .... 699
    Configuration Examples for the CSC SSM .... 699
    Additional References .... 700
    Feature History for the CSC SSM .... 701

Index .... 703

Size: 10.5 MB
Pages: 712
Language: English