User Manual

Table of contents

Contents .... 3
About This Guide .... 23
Configuring Service Policies .... 25
Configuring a Service Policy .... 27
Information About Service Policies .... 27
Supported Features .... 27
Feature Directionality .... 28
Feature Matching Within a Service Policy .... 29
Order in Which Multiple Feature Actions are Applied .... 30
Incompatibility of Certain Feature Actions .... 31
Feature Matching for Multiple Service Policies .... 31
Licensing Requirements for Service Policies .... 31
Guidelines and Limitations .... 32
Default Settings .... 33
Default Configuration .... 33
Default Traffic Classes .... 34
Task Flows for Configuring Service Policies .... 34
Task Flow for Configuring a Service Policy Rule .... 34
Adding a Service Policy Rule for Through Traffic .... 34
Adding a Service Policy Rule for Management Traffic .... 39
Configuring a Service Policy Rule for Management Traffic .... 39
Managing the Order of Service Policy Rules .... 41
Feature History for Service Policies .... 43
Configuring Special Actions for Application Inspections (Inspection Policy Map) .... 45
Information About Inspection Policy Maps .... 45
Guidelines and Limitations .... 46
Default Inspection Policy Maps .... 46
Defining Actions in an Inspection Policy Map .... 47
Identifying Traffic in an Inspection Class Map .... 47
Where to Go Next .... 48
Feature History for Inspection Policy Maps .... 48
Configuring Network Address Translation .... 49
Information About NAT (ASA 8.3 and Later) .... 51
Why Use NAT? .... 51
NAT Terminology .... 52
NAT Types .... 53
NAT Types Overview .... 53
Static NAT .... 53
Information About Static NAT .... 53
Information About Static NAT with Port Translation .... 54
Information About One-to-Many Static NAT .... 56
Information About Other Mapping Scenarios (Not Recommended) .... 57
Dynamic NAT .... 58
Information About Dynamic NAT .... 59
Dynamic NAT Disadvantages and Advantages .... 60
Dynamic PAT .... 60
Information About Dynamic PAT .... 60
Per-Session PAT vs. Multi-Session PAT (Version 9.0(1) and Later) .... 61
Dynamic PAT Disadvantages and Advantages .... 61
Identity NAT .... 62
NAT in Routed and Transparent Mode .... 62
NAT in Routed Mode .... 63
NAT in Transparent Mode .... 63
NAT and IPv6 .... 65
How NAT is Implemented .... 65
Main Differences Between Network Object NAT and Twice NAT .... 65
Information About Network Object NAT .... 66
Information About Twice NAT .... 66
NAT Rule Order .... 70
NAT Interfaces .... 71
Routing NAT Packets .... 72
Mapped Addresses and Routing .... 72
Transparent Mode Routing Requirements for Remote Networks .... 74
Determining the Egress Interface .... 74
NAT for VPN .... 75
NAT and Remote Access VPN .... 75
NAT and Site-to-Site VPN .... 77
NAT and VPN Management Access .... 79
Troubleshooting NAT and VPN .... 81
DNS and NAT .... 81
Where to Go Next .... 86
Configuring Network Object NAT (ASA 8.3 and Later) .... 87
Information About Network Object NAT .... 87
Licensing Requirements for Network Object NAT .... 88
Prerequisites for Network Object NAT .... 88
Guidelines and Limitations .... 88
Default Settings .... 89
Configuring Network Object NAT .... 90
Configuring Dynamic NAT or Dynamic PAT Using a PAT Pool .... 90
Configuring Dynamic PAT (Hide) .... 94
Configuring Static NAT or Static NAT-with-Port-Translation .... 97
Configuring Identity NAT .... 101
Configuring Per-Session PAT Rules .... 104
Monitoring Network Object NAT .... 105
Configuration Examples for Network Object NAT .... 106
Providing Access to an Inside Web Server (Static NAT) .... 107
NAT for Inside Hosts (Dynamic NAT) and NAT for an Outside Web Server (Static NAT) .... 109
Inside Load Balancer with Multiple Mapped Addresses (Static NAT, One-to-Many) .... 114
Single Address for FTP, HTTP, and SMTP (Static NAT-with-Port-Translation) .... 118
DNS Server on Mapped Interface, Web Server on Real Interface (Static NAT with DNS Modification) .... 121
DNS Server and FTP Server on Mapped Interface, FTP Server is Translated (Static NAT with DNS Modification) .... 124
IPv4 DNS Server and FTP Server on Mapped Interface, IPv6 Host on Real Interface (Static NAT64 with DNS64 Modification) .... 126
Feature History for Network Object NAT .... 131
Configuring Twice NAT (ASA 8.3 and Later) .... 137
Information About Twice NAT .... 137
Licensing Requirements for Twice NAT .... 138
Prerequisites for Twice NAT .... 138
Guidelines and Limitations .... 138
Default Settings .... 140
Configuring Twice NAT .... 140
Configuring Dynamic NAT or Dynamic PAT Using a PAT Pool .... 140
Configuring Dynamic PAT (Hide) .... 148
Configuring Static NAT or Static NAT-with-Port-Translation .... 154
Configuring Identity NAT .... 160
Configuring Per-Session PAT Rules .... 165
Monitoring Twice NAT .... 165
Configuration Examples for Twice NAT .... 166
Different Translation Depending on the Destination (Dynamic PAT) .... 166
Different Translation Depending on the Destination Address and Port (Dynamic PAT) .... 175
Feature History for Twice NAT .... 184
Configuring NAT (ASA 8.2 and Earlier) .... 189
NAT Overview .... 189
Introduction to NAT .... 189
NAT in Routed Mode .... 190
NAT in Transparent Mode .... 191
NAT Control .... 192
NAT Types .... 194
Dynamic NAT .... 194
PAT .... 196
Static NAT .... 197
Static PAT .... 197
Bypassing NAT When NAT Control is Enabled .... 198
Policy NAT .... 199
NAT and Same Security Level Interfaces .... 201
Order of NAT Rules Used to Match Real Addresses .... 202
Mapped Address Guidelines .... 202
DNS and NAT .... 202
Configuring NAT Control .... 204
Using Dynamic NAT .... 205
Dynamic NAT Implementation .... 205
Real Addresses and Global Pools Paired Using a Pool ID .... 206
NAT Rules on Different Interfaces with the Same Global Pools .... 206
Global Pools on Different Interfaces with the Same Pool ID .... 206
Multiple NAT Rules with Different Global Pools on the Same Interface .... 207
Multiple Addresses in the Same Global Pool .... 208
Outside NAT .... 209
Real Addresses in a NAT Rule Must be Translated on All Lower or Same Security Interfaces .... 210
Managing Global Pools .... 210
Configuring Dynamic NAT, PAT, or Identity NAT .... 211
Configuring Dynamic Policy NAT or PAT .... 213
Using Static NAT .... 215
Configuring Static NAT, PAT, or Identity NAT .... 216
Configuring Static Policy NAT, PAT, or Identity NAT .... 219
Using NAT Exemption .... 221
Configuring Access Control .... 223
Configuring Access Rules .... 225
Information About Access Rules .... 225
General Information About Rules .... 226
Implicit Permits .... 226
Information About Interface Access Rules and Global Access Rules .... 226
Using Access Rules and EtherType Rules on the Same Interface .... 226
Rule Order .... 227
Implicit Deny .... 227
Using Remarks .... 227
NAT and Access Rules .... 227
Inbound and Outbound Rules .... 227
Transactional-Commit Model .... 228
Information About Access Rules .... 229
Access Rules for Returning Traffic .... 229
Allowing Broadcast and Multicast Traffic through the Transparent Firewall Using Access Rules .... 229
Management Access Rules .... 230
Information About EtherType Rules .... 230
Supported EtherTypes and Other Traffic .... 230
Access Rules for Returning Traffic .... 231
Allowing MPLS .... 231
Licensing Requirements for Access Rules .... 231
Guidelines and Limitations .... 231
Default Settings .... 231
Configuring Access Rules .... 232
Adding an Access Rule .... 232
Adding an EtherType Rule (Transparent Mode Only) .... 233
Configuring Management Access Rules .... 234
Advanced Access Rule Configuration .... 235
Access Rule Explosion .... 236
Configuring HTTP Redirect .... 236
Edit HTTP/HTTPS Settings .... 237
Configuring Transactional Commit Model .... 237
Feature History for Access Rules .... 238
Configuring AAA Rules for Network Access .... 241
AAA Performance .... 241
Licensing Requirements for AAA Rules .... 241
Guidelines and Limitations .... 242
Configuring Authentication for Network Access .... 242
Information About Authentication .... 242
One-Time Authentication .... 243
Applications Required to Receive an Authentication Challenge .... 243
ASA Authentication Prompts .... 243
AAA Prompts and Identity Firewall .... 244
AAA Rules as a Backup Authentication Method .... 245
Static PAT and HTTP .... 245
Configuring Network Access Authentication .... 246
Enabling the Redirection Method of Authentication for HTTP and HTTPS .... 247
Enabling Secure Authentication of Web Clients .... 248
Authenticating Directly with the ASA .... 249
Authenticating HTTP(S) Connections with a Virtual Server .... 249
Authenticating Telnet Connections with a Virtual Server .... 250
Configuring the Authentication Proxy Limit .... 251
Configuring Authorization for Network Access .... 252
Configuring TACACS+ Authorization .... 252
Configuring RADIUS Authorization .... 253
Configuring a RADIUS Server to Send Downloadable Access Control Lists .... 254
Configuring a RADIUS Server to Download Per-User Access Control List Names .... 257
Configuring Accounting for Network Access .... 257
Using MAC Addresses to Exempt Traffic from Authentication and Authorization .... 259
Feature History for AAA Rules .... 260
Configuring Public Servers .... 261
Information About Public Servers .... 261
Licensing Requirements for Public Servers .... 261
Guidelines and Limitations .... 261
Adding a Public Server that Enables Static NAT .... 262
Adding a Public Server that Enables Static NAT with PAT .... 262
Editing Settings for a Public Server .... 263
Feature History for Public Servers .... 264
Configuring Application Inspection .... 265
Getting Started with Application Layer Protocol Inspection .... 267
Information about Application Layer Protocol Inspection .... 267
How Inspection Engines Work .... 267
When to Use Application Protocol Inspection .... 268
Guidelines and Limitations .... 269
Default Settings and NAT Limitations .... 270
Configuring Application Layer Protocol Inspection .... 273
Configuring Inspection of Basic Internet Protocols .... 275
DNS Inspection .... 275
Information About DNS Inspection .... 276
General Information About DNS .... 276
DNS Inspection Actions .... 276
Default Settings for DNS Inspection .... 276
(Optional) Configuring a DNS Inspection Policy Map and Class Map .... 277
Configuring DNS Inspection .... 290
FTP Inspection .... 291
FTP Inspection Overview .... 291
Using Strict FTP .... 291
Select FTP Map .... 292
FTP Class Map .... 293
Add/Edit FTP Traffic Class Map .... 293
Add/Edit FTP Match Criterion .... 294
FTP Inspect Map .... 295
File Type Filtering .... 296
Add/Edit FTP Policy Map (Security Level) .... 296
Add/Edit FTP Policy Map (Details) .... 297
Add/Edit FTP Map .... 298
Verifying and Monitoring FTP Inspection .... 299
HTTP Inspection .... 300
HTTP Inspection Overview .... 300
Select HTTP Map .... 300
HTTP Class Map .... 301
Add/Edit HTTP Traffic Class Map .... 301
Add/Edit HTTP Match Criterion .... 302
HTTP Inspect Map .... 306
URI Filtering .... 307
Add/Edit HTTP Policy Map (Security Level) .... 307
Add/Edit HTTP Policy Map (Details) .... 308
Add/Edit HTTP Map .... 309
ICMP Inspection .... 313
ICMP Error Inspection .... 313
Instant Messaging Inspection .... 313
IM Inspection Overview .... 314
Adding a Class Map for IM Inspection .... 314
Select IM Map .... 315
IP Options Inspection .... 315
IP Options Inspection Overview .... 315
Configuring IP Options Inspection .... 316
Select IP Options Inspect Map .... 317
IP Options Inspect Map .... 318
Add/Edit IP Options Inspect Map .... 318
IPsec Pass Through Inspection .... 319
IPsec Pass Through Inspection Overview .... 319
Select IPsec-Pass-Thru Map .... 320
IPsec Pass Through Inspect Map .... 320
Add/Edit IPsec Pass Thru Policy Map (Security Level) .... 321
Add/Edit IPsec Pass Thru Policy Map (Details) .... 321
IPv6 Inspection .... 322
Information about IPv6 Inspection .... 322
Default Settings for IPv6 Inspection .... 322
(Optional) Configuring an IPv6 Inspection Policy Map .... 322
Configuring IPv6 Inspection .... 323
NetBIOS Inspection .... 324
NetBIOS Inspection Overview .... 324
Select NETBIOS Map .... 324
NetBIOS Inspect Map .... 325
Add/Edit NetBIOS Policy Map .... 325
PPTP Inspection .... 325
SMTP and Extended SMTP Inspection .... 326
SMTP and ESMTP Inspection Overview .... 326
Select ESMTP Map .... 327
ESMTP Inspect Map .... 328
MIME File Type Filtering .... 329
Add/Edit ESMTP Policy Map (Security Level) .... 329
Add/Edit ESMTP Policy Map (Details) .... 330
Add/Edit ESMTP Inspect .... 331
TFTP Inspection .... 334
Configuring Inspection for Voice and Video Protocols .... 337
CTIQBE Inspection .... 337
CTIQBE Inspection Overview .... 337
Limitations and Restrictions .... 338
H.323 Inspection .... 338
H.323 Inspection Overview .... 339
How H.323 Works .... 339
H.239 Support in H.245 Messages .... 340
Limitations and Restrictions .... 340
Select H.323 Map .... 341
H.323 Class Map .... 341
Add/Edit H.323 Traffic Class Map .... 342
Add/Edit H.323 Match Criterion .... 342
H.323 Inspect Map .... 343
Phone Number Filtering .... 344
Add/Edit H.323 Policy Map (Security Level) .... 344
Add/Edit H.323 Policy Map (Details) .... 345
Add/Edit HSI Group .... 347
Add/Edit H.323 Map .... 347
MGCP Inspection .... 348
MGCP Inspection Overview .... 348
Select MGCP Map .... 350
MGCP Inspect Map .... 350
Gateways and Call Agents .... 351
Add/Edit MGCP Policy Map .... 351
Add/Edit MGCP Group .... 352
RTSP Inspection .... 352
RTSP Inspection Overview .... 353
Using RealPlayer .... 353
Restrictions and Limitations .... 354
Select RTSP Map .... 354
RTSP Inspect Map .... 354
Add/Edit RTSP Policy Map .... 355
RTSP Class Map .... 355
Add/Edit RTSP Traffic Class Map .... 356
SIP Inspection .... 356
SIP Inspection Overview .... 357
SIP Instant Messaging .... 358
Select SIP Map .... 358
SIP Class Map .... 359
Add/Edit SIP Traffic Class Map .... 360
Add/Edit SIP Match Criterion .... 360
SIP Inspect Map .... 362
Add/Edit SIP Policy Map (Security Level) .... 363
Add/Edit SIP Policy Map (Details) .... 364
Add/Edit SIP Inspect .... 366
Skinny (SCCP) Inspection .... 368
SCCP Inspection Overview .... 368
Supporting Cisco IP Phones .... 369
Restrictions and Limitations .... 369
Select SCCP (Skinny) Map .... 370
SCCP (Skinny) Inspect Map .... 370
Message ID Filtering .... 371
Add/Edit SCCP (Skinny) Policy Map (Security Level) .... 372
Add/Edit SCCP (Skinny) Policy Map (Details) .... 373
Add/Edit Message ID Filter .... 374
Configuring Inspection of Database and Directory Protocols .... 375
ILS Inspection .... 375
SQL*Net Inspection .... 376
Sun RPC Inspection .... 377
Sun RPC Inspection Overview .... 377
SUNRPC Server .... 377
Add/Edit SUNRPC Service .... 378
Configuring Inspection for Management Application Protocols .... 379
DCERPC Inspection .... 379
DCERPC Overview .... 379
Select DCERPC Map .... 380
DCERPC Inspect Map .... 380
Add/Edit DCERPC Policy Map .... 381
GTP Inspection .... 382
GTP Inspection Overview .... 383
Select GTP Map .... 383
GTP Inspect Map .... 384
IMSI Prefix Filtering .... 385
Add/Edit GTP Policy Map (Security Level) .... 385
Add/Edit GTP Policy Map (Details) .... 386
Add/Edit GTP Map .... 387
RADIUS Accounting Inspection .... 388
RADIUS Accounting Inspection Overview .... 389
Select RADIUS Accounting Map .... 389
Add RADIUS Accounting Policy Map .... 389
RADIUS Inspect Map .... 390
RADIUS Inspect Map Host .... 390
RADIUS Inspect Map Other .... 391
RSH Inspection .... 391
SNMP Inspection .... 391
SNMP Inspection Overview .... 392
Select SNMP Map .... 392
SNMP Inspect Map .... 392
Add/Edit SNMP Map .... 392
XDMCP Inspection .... 393
Configuring Unified Communications .... 395
Information About Cisco Unified Communications Proxy Features .... 397
Information About the Adaptive Security Appliance in Cisco Unified Communications .... 397
TLS Proxy Applications in Cisco Unified Communications .... 399
Licensing for Cisco Unified Communications Proxy Features .... 400
Using the Cisco Unified Communication Wizard .... 403
Information about the Cisco Unified Communication Wizard .... 403
Licensing Requirements for the Unified Communication Wizard .... 405
Guidelines and Limitations .... 406
Configuring the Phone Proxy by using the Unified Communication Wizard .... 406
Configuring the Private Network for the Phone Proxy .... 407
Configuring Servers for the Phone Proxy .... 408
Enabling Certificate Authority Proxy Function (CAPF) for IP Phones .... 410
Configuring the Public IP Phone Network .... 411
Configuring the Media Termination Address for Unified Communication Proxies .... 412
Configuring the Mobility Advantage by using the Unified Communication Wizard .... 413
Configuring the Topology for the Cisco Mobility Advantage Proxy .... 414
Configuring the Server-Side Certificates for the Cisco Mobility Advantage Proxy .... 414
Configuring the Client-Side Certificates for the Cisco Mobility Advantage Proxy .... 415
Configuring the Presence Federation Proxy by using the Unified Communication Wizard .... 416
Configuring the Topology for the Cisco Presence Federation Proxy .... 416
Configuring the Local-Side Certificates for the Cisco Presence Federation Proxy .... 417
Configuring the Remote-Side Certificates for the Cisco Presence Federation Proxy .... 417
Configuring the UC-IME by using the Unified Communication Wizard .... 418
Configuring the Topology for the Cisco Intercompany Media Engine Proxy .... 419
Configuring the Private Network Settings for the Cisco Intercompany Media Engine Proxy .... 420
Adding a Cisco Unified Communications Manager Server for the UC-IME Proxy .... 422
Configuring the Public Network Settings for the Cisco Intercompany Media Engine Proxy .... 422
Configuring the Local-Side Certificates for the Cisco Intercompany Media Engine Proxy .... 423
Configuring the Remote-Side Certificates for the Cisco Intercompany Media Engine Proxy .... 424
Working with Certificates in the Unified Communication Wizard .... 425
Exporting an Identity Certificate .... 425
Installing a Certificate .... 425
Generating a Certificate Signing Request (CSR) for a Unified Communications Proxy .... 426
Saving the Identity Certificate Request .... 427
Installing the ASA Identity Certificate on the Mobility Advantage Server .... 428
Installing the ASA Identity Certificate on the Presence Federation and Cisco Intercompany Media Engine Servers .... 428
Configuring the Cisco Phone Proxy .... 431
Information About the Cisco Phone Proxy .... 431
Phone Proxy Functionality .... 431
Supported Cisco UCM and IP Phones for the Phone Proxy .... 433
Licensing Requirements for the Phone Proxy .... 434
Prerequisites for the Phone Proxy .... 436
Media Termination Instance Prerequisites .... 436
Certificates from the Cisco UCM .... 437
DNS Lookup Prerequisites .... 437
Cisco Unified Communications Manager Prerequisites .... 437
ACL Rules .... 437
NAT and PAT Prerequisites .... 438
Prerequisites for IP Phones on Multiple Interfaces .... 439
7960 and 7940 IP Phones Support .... 439
Cisco IP Communicator Prerequisites .... 440
Prerequisites for Rate Limiting TFTP Requests .... 440
Rate Limiting Configuration Example .... 441
End-User Phone Provisioning .... 441
Ways to Deploy IP Phones to End Users .... 441
Phone Proxy Guidelines and Limitations .... 442
General Guidelines and Limitations .... 442
Media Termination Address Guidelines and Limitations .... 443
Configuring the Phone Proxy .... 444
Task Flow for Configuring the Phone Proxy .... 444
Creating the CTL File .... 445
Adding or Editing a Record Entry in a CTL File .... 446
Creating the Media Termination Instance .... 447
Creating the Phone Proxy Instance .... 448
Adding or Editing the TFTP Server for a Phone Proxy .... 450
Configuring Linksys Routers with UDP Port Forwarding for the Phone Proxy .... 451
Configuring Your Router .... 451
Feature History for the Phone Proxy .... 452
Configuring the TLS Proxy for Encrypted Voice Inspection .... 453
Information about the TLS Proxy for Encrypted Voice Inspection .... 453
Decryption and Inspection of Unified Communications Encrypted Signaling .... 454
Supported Cisco UCM and IP Phones for the TLS Proxy .... 455
Licensing for the TLS Proxy .... 456
Prerequisites for the TLS Proxy for Encrypted Voice Inspection .... 458
Configuring the TLS Proxy for Encrypted Voice Inspection .... 458
CTL Provider .... 458
Add/Edit CTL Provider .... 459
Configure TLS Proxy Pane .... 460
Adding a TLS Proxy Instance .... 461
Add TLS Proxy Instance Wizard – Server Configuration .... 461
Add TLS Proxy Instance Wizard – Client Configuration .... 462
Add TLS Proxy Instance Wizard – Other Steps .... 464
Edit TLS Proxy Instance – Server Configuration .... 465
Edit TLS Proxy Instance – Client Configuration .... 466
TLS Proxy .... 468
Add/Edit TLS Proxy .... 468
Feature History for the TLS Proxy for Encrypted Voice Inspection .... 469
Configuring Cisco Mobility Advantage .... 471
Information about the Cisco Mobility Advantage Proxy Feature .... 471
Cisco Mobility Advantage Proxy Functionality .... 471
Mobility Advantage Proxy Deployment Scenarios .... 472
Mobility Advantage Proxy Using NAT/PAT .... 474
Trust Relationships for Cisco UMA Deployments .... 474
Licensing for the Cisco Mobility Advantage Proxy Feature .... 476
Configuring Cisco Mobility Advantage .... 476
Task Flow for Configuring Cisco Mobility Advantage .... 477
Feature History for Cisco Mobility Advantage .... 477
Configuring Cisco Unified Presence .... 479
Information About Cisco Unified Presence .... 479
Architecture for Cisco Unified Presence for SIP Federation Deployments .... 479
Trust Relationship in the Presence Federation .... 482
Security Certificate Exchange Between Cisco UP and the Security Appliance .... 483
XMPP Federation Deployments .... 483
Configuration Requirements for XMPP Federation .... 484
Licensing for Cisco Unified Presence .... 485
Configuring Cisco Unified Presence Proxy for SIP Federation .... 486
Task Flow for Configuring Cisco Unified Presence Federation Proxy for SIP Federation .... 487
Feature History for Cisco Unified Presence .... 487
Configuring Cisco Intercompany Media Engine Proxy .... 489
Information About Cisco Intercompany Media Engine Proxy .... 489
Features of Cisco Intercompany Media Engine Proxy .... 489
How the UC-IME Works with the PSTN and the Internet .... 490
Tickets and Passwords .... 491
Call Fallback to the PSTN .... 493
Architecture and Deployment Scenarios for Cisco Intercompany Media Engine .... 493
Architecture .... 493
Basic Deployment .... 494
Off Path Deployment .... 495
Licensing for Cisco Intercompany Media Engine .... 496
Guidelines and Limitations .... 497
Configuring Cisco Intercompany Media Engine Proxy .... 499
Task Flow for Configuring Cisco Intercompany Media Engine .... 499
Configuring NAT for Cisco Intercompany Media Engine Proxy .... 500
Configuring PAT for the Cisco UCM Server .... 502
Creating ACLs for Cisco Intercompany Media Engine Proxy .... 504
Creating the Media Termination Instance .... 505
Creating the Cisco Intercompany Media Engine Proxy .... 506
Creating Trustpoints and Generating Certificates .... 509
Creating the TLS Proxy .... 512
Enabling SIP Inspection for the Cisco Intercompany Media Engine Proxy .... 513
(Optional) Configuring TLS within the Local Enterprise .... 515
(Optional) Configuring Off Path Signaling .... 518
Configuring the Cisco UC-IMC Proxy by using the UC-IME Proxy Pane .... 519
Configuring the Cisco UC-IMC Proxy by using the Unified Communications Wizard .... 521
Feature History for Cisco Intercompany Media Engine Proxy .... 525
Configuring Connection Settings and QoS .... 527
Configuring Connection Settings .... 529
Information About Connection Settings .... 529
TCP Intercept and Limiting Embryonic Connections .... 530
Disabling TCP Intercept for Management Packets for Clientless SSL Compatibility .... 530
Dead Connection Detection (DCD) .... 530
TCP Sequence Randomization .... 531
TCP Normalization .... 531
TCP State Bypass .... 531
Licensing Requirements for Connection Settings .... 532
Guidelines and Limitations .... 533
Default Settings .... 533
Configuring Connection Settings .... 534
Task Flow For Configuring Connection Settings .... 534
Customizing the TCP Normalizer with a TCP Map .... 534
Configuring Connection Settings .... 536
Configuring Global Timeouts .... 537
Feature History for Connection Settings .... 539
Configuring QoS .... 541
Information About QoS .... 541
Supported QoS Features .... 542
What is a Token Bucket? .... 542
Information About Policing .... 543
Information About Priority Queuing .... 543
Information About Traffic Shaping .... 544
How QoS Features Interact .... 544
DSCP and DiffServ Preservation .... 545
Licensing Requirements for QoS .... 545
Guidelines and Limitations .... 545
Configuring QoS .... 546
Determining the Queue and TX Ring Limits for a Standard Priority Queue .... 547
Configuring the Standard Priority Queue for an Interface .... 548
Configuring a Service Rule for Standard Priority Queuing and Policing .... 549
Configuring a Service Rule for Traffic Shaping and Hierarchical Priority Queuing .... 550
Monitoring QoS .... 551
Viewing QoS Police Statistics .... 552
Viewing QoS Standard Priority Statistics .... 552
Viewing QoS Shaping Statistics .... 553
Viewing QoS Standard Priority Queue Statistics .... 553
Feature History for QoS .... 554
Troubleshooting Connections and Resources .... 555
Testing Your Configuration .... 555
Pinging ASA Interfaces .... 555
Verifying ASA Configuration and Operation, and Testing Interfaces Using Ping .... 557
Information About Ping .... 557
Pinging From an ASA Interface .... 558
Pinging to an ASA Interface .... 558
Pinging Through the ASA Interface .... 558
Troubleshooting the Ping Tool .... 558
Using the Ping Tool .... 559
Determining Packet Routing with Traceroute .... 560
Tracing Packets with Packet Tracer .... 561
Monitoring Performance .... 562
Monitoring System Resources .... 563
Blocks .... 563
CPU .... 564
Memory .... 564
Monitoring Connections .... 565
Monitoring Per-Process CPU Usage .... 566
Configuring Advanced Network Protection .... 567
Configuring the ASA for Cisco Cloud Web Security .... 569
Information About Cisco Cloud Web Security .... 570
Redirection of Web Traffic to Cloud Web Security .... 570
User Authentication and Cloud Web Security .... 570
Authentication Keys .... 571
Company Authentication Key .... 571
Group Authentication Key .... 571
ScanCenter Policy .... 572
Directory Groups .... 572
Custom Groups .... 572
How Groups and the Authentication Key Interoperate .... 573
Cloud Web Security Actions .... 573
Bypassing Scanning with Whitelists .... 574
IPv4 and IPv6 Support .... 574
Failover from Primary to Backup Proxy Server .... 574
Licensing Requirements for Cisco Cloud Web Security .... 574
Prerequisites for Cloud Web Security .... 575
Guidelines and Limitations .... 575
Default Settings .... 576
Configuring Cisco Cloud Web Security .... 576
Configuring Communication with the Cloud Web Security Proxy Server .... 576
(Multiple Context Mode) Allowing Cloud Web Security Per Security Context .... 578
Configuring a Service Policy to Send Traffic to Cloud Web Security .... 578
(Optional) Configuring Whitelisted Traffic .... 591
(Optional) Configuring the User Identity Monitor .... 593
Configuring the Cloud Web Security Policy .... 594
Monitoring Cloud Web Security .... 594
Related Documents .... 595
Feature History for Cisco Cloud Web Security .... 595
Configuring the Botnet Traffic Filter .... 597
Information About the Botnet Traffic Filter .... 597
Botnet Traffic Filter Address Types .... 598
Botnet Traffic Filter Actions for Known Addresses .... 598
Botnet Traffic Filter Databases .... 598
Information About the Dynamic Database .... 598
Information About the Static Database .... 599
Information About the DNS Reverse Lookup Cache and DNS Host Cache .... 600
How the Botnet Traffic Filter Works .... 601
Licensing Requirements for the Botnet Traffic Filter .... 602
Prerequisites for the Botnet Traffic Filter .... 602
Guidelines and Limitations .... 602
Default Settings .... 602
Configuring the Botnet Traffic Filter .... 603
Task Flow for Configuring the Botnet Traffic Filter .... 603
Configuring the Dynamic Database .... 604
Adding Entries to the Static Database .... 605
Enabling DNS Snooping .... 605
Enabling Traffic Classification and Actions for the Botnet Traffic Filter .... 606
Blocking Botnet Traffic Manually .... 608
Searching the Dynamic Database .... 609
Monitoring the Botnet Traffic Filter .... 610
Botnet Traffic Filter Syslog Messaging .... 610
Botnet Traffic Filter Monitor Panes .... 611
Where to Go Next .... 612
Feature History for the Botnet Traffic Filter .... 612
Configuring Threat Detection .... 613
Information About Threat Detection .... 613
Licensing Requirements for Threat Detection .... 613
Configuring Basic Threat Detection Statistics .... 614
Information About Basic Threat Detection Statistics .... 614
Guidelines and Limitations .... 615
Default Settings .... 615
Configuring Basic Threat Detection Statistics .... 616
Monitoring Basic Threat Detection Statistics .... 616
Feature History for Basic Threat Detection Statistics .... 617
Configuring Advanced Threat Detection Statistics .... 617
Information About Advanced Threat Detection Statistics .... 617
Guidelines and Limitations .... 617
Default Settings .... 618
Configuring Advanced Threat Detection Statistics .... 618
Monitoring Advanced Threat Detection Statistics .... 619
Feature History for Advanced Threat Detection Statistics .... 620
Configuring Scanning Threat Detection .... 620
Information About Scanning Threat Detection .... 621
Guidelines and Limitations .... 621
Default Settings .... 622
Configuring Scanning Threat Detection .... 622
Feature History for Scanning Threat Detection .... 623
Using Protection Tools .... 625
Preventing IP Spoofing .... 625
Configuring the Fragment Size .... 626
Show Fragment .... 626
Configuring TCP Options .... 627
TCP Reset Settings .... 628
Configuring IP Audit for Basic IPS Support .... 629
IP Audit Policy .... 629
Add/Edit IP Audit Policy Configuration .... 629
IP Audit Signatures .... 630
IP Audit Signature List .... 630
Configuring Filtering Services .... 637
Information About Web Traffic Filtering .... 637
Filtering URLs and FTP Requests with an External Server .... 638
Information About URL Filtering .... 638
Licensing Requirements for URL Filtering .... 639
Guidelines and Limitations for URL Filtering .... 639
Identifying the Filtering Server .... 639
Configuring Additional URL Filtering Settings .... 640
Buffering the Content Server Response .... 641
Caching Server Addresses .... 641
Filtering HTTP URLs .... 642
Configuring Filtering Rules .... 642
Filtering the Rule Table .... 647
Defining Queries .... 648
Feature History for URL Filtering .... 648
Configuring Modules .... 649
Configuring the ASA CX Module .... 651
Information About the ASA CX Module .... 651
How the ASA CX Module Works with the ASA .... 652
Monitor-Only Mode .... 653
Service Policy in Monitor-Only Mode .... 653
Traffic-Forwarding Interface in Monitor-Only Mode .... 653
Information About ASA CX Management .... 654
Initial Configuration .... 654
Policy Configuration and Management .... 655
Information About Authentication Proxy .... 655
Information About VPN and the ASA CX Module .... 655
Compatibility with ASA Features .... 655
Licensing Requirements for the ASA CX Module .... 656
Prerequisites .... 656
Guidelines and Limitations .... 656
Default Settings .... 658
Configuring the ASA CX Module .... 658
Task Flow for the ASA CX Module .... 658
Connecting the ASA CX Management Interface .... 659
ASA 5585-X (Hardware Module) .... 659
ASA 5512-X through ASA 5555-X (Software Module) .... 661
(ASA 5512-X through ASA 5555-X; May Be Required) Installing the Software Module .... 662
(ASA 5585-X) Changing the ASA CX Management IP Address .... 664
Configuring Basic ASA CX Settings at the ASA CX CLI .... 666
Configuring the Security Policy on the ASA CX Module Using PRSM .... 667
(Optional) Configuring the Authentication Proxy Port .... 668
Redirecting Traffic to the ASA CX Module .... 669
Creating the ASA CX Service Policy .... 669
Configuring Traffic-Forwarding Interfaces (Monitor-Only Mode) .... 672
Managing the ASA CX Module .... 673
Resetting the Password .... 673
Reloading or Resetting the Module .... 674
Shutting Down the Module .... 675
(ASA 5512-X through ASA 5555-X) Uninstalling a Software Module Image .... 676
(ASA 5512-X through ASA 5555-X) Sessioning to the Module From the ASA .... 676
Monitoring the ASA CX Module .... 677
Showing Module Status .... 678
Showing Module Statistics .... 678
Monitoring Module Connections .... 678
Capturing Module Traffic .... 682
Troubleshooting the ASA CX Module .... 682
Problems with the Authentication Proxy .... 682
Feature History for the ASA CX Module .... 683
Configuring the ASA IPS Module .... 685
Information About the ASA IPS Module .... 685
How the ASA IPS Module Works with the ASA .... 686
Operating Modes .... 687
Using Virtual Sensors (ASA 5510 and Higher) .... 687
Information About Management Access .... 688
Licensing Requirements for the ASA IPS module .... 689
Guidelines and Limitations .... 689
Default Settings .... 690
Configuring the ASA IPS module .... 691
Task Flow for the ASA IPS Module .... 691
Connecting the ASA IPS Management Interface .... 692
ASA 5510, ASA 5520, ASA 5540, ASA 5580, ASA 5585-X (Hardware Module) .... 692
ASA 5512-X through ASA 5555-X (Software Module) .... 693
ASA 5505 .... 694
Sessioning to the Module from the ASA (May Be Required) .... 695
(ASA 5512-X through ASA 5555-X) Booting the Software Module .... 696
Configuring Basic IPS Module Network Settings .... 696
(ASA 5510 and Higher) Configuring Basic Network Settings .... 697
(ASA 5505) Configuring Basic Network Settings .... 698
Configuring the Security Policy on the ASA IPS Module .... 699
Assigning Virtual Sensors to a Security Context (ASA 5510 and Higher) .... 701
Diverting Traffic to the ASA IPS module .... 702
Managing the ASA IPS module .... 703
Installing and Booting an Image on the Module .... 704
Shutting Down the Module .... 706
Uninstalling a Software Module Image .... 706
Resetting the Password .... 707
Reloading or Resetting the Module .... 708
Monitoring the ASA IPS module .... 708
Feature History for the ASA IPS module .... 709
Configuring the ASA CSC Module .... 711
Information About the CSC SSM .... 711
Determining What Traffic to Scan .... 713
Licensing Requirements for the CSC SSM .... 715
Prerequisites for the CSC SSM .... 715
Guidelines and Limitations .... 716
Default Settings .... 716
Configuring the CSC SSM .... 717
Before Configuring the CSC SSM .... 717
Connecting to the CSC SSM .... 718
Determining Service Policy Rule Actions for CSC Scanning .... 719
CSC SSM Setup Wizard .... 720
Activation/License .... 721
IP Configuration .... 721
Host/Notification Settings .... 722
Management Access Host/Networks .... 723
Password .... 723
Restoring the Default Password .... 724
Wizard Setup .... 725
CSC Setup Wizard Activation Codes Configuration .... 725
CSC Setup Wizard IP Configuration .... 726
CSC Setup Wizard Host Configuration .... 726
CSC Setup Wizard Management Access Configuration .... 727
CSC Setup Wizard Password Configuration .... 727
CSC Setup Wizard Traffic Selection for CSC Scan .... 727
CSC Setup Wizard Summary .... 729
Using the CSC SSM GUI .... 730
Web .... 730
Mail .... 731
SMTP Tab .... 731
POP3 Tab .... 732
File Transfer .... 732
Updates .... 733
Monitoring the CSC SSM .... 734
Threats .... 734
Live Security Events .... 735
Live Security Events Log .... 735
Software Updates .... 736
Resource Graphs .... 737
CSC CPU .... 737
CSC Memory .... 737
Troubleshooting the CSC Module .... 737
Installing an Image on the Module .... 738
Resetting the Password .... 739
Reloading or Resetting the Module .... 740
Shutting Down the Module .... 740
Additional References .... 741
Feature History for the CSC SSM .... 741
Index .... 743

Size: 10 MB
Pages: 754
Language: English