Cisco Security Appliance Command Line Configuration_Guide_Version7.pdf

Cisco Security Appliance Command Line
Configuration Guide
For the Cisco ASA 5500 Series and Cisco PIX 500 Series
Software Version 7.0(4)
Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 526-4100
Customer Order Number: N/A, Online only
Text Part Number: OL-6721-02
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL
STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT
WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT
SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE
OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public
domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH
ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT
LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF
DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING,
WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO
OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
CCSP, CCVP, the Cisco Square Bridge logo, Follow Me Browsing, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and
iQuick Study are service marks of Cisco Systems, Inc.; and Access Registrar, Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, Cisco, the Cisco
Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Empowering the Internet Generation,
Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, FormShare, GigaDrive, GigaStack, HomeLink, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ
Net Readiness Scorecard, LightStream, Linksys, MeetingPlace, MGX, the Networkers logo, Networking Academy, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing,
ProConnect, RateMUX, ScriptShare, SlideCast, SMARTnet, StrataView Plus, TeleRouter, The Fastest Way to Increase Your Internet Quotient, and TransPath are registered
trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship
between Cisco and any other company. (0502R)
Cisco Security Appliance Command Line Configuration Guide
Copyright © 2005 Cisco Systems, Inc. All rights reserved.
CONTENTS

About This Guide
    Document Objectives
    Audience
    Related Documentation
    Document Organization
    Document Conventions
    Obtaining Documentation
    Cisco.com
    Ordering Documentation
    Documentation Feedback
    Obtaining Technical Assistance
    Cisco Technical Support Website
    Submitting a Service Request
    Definitions of Service Request Severity
    Obtaining Additional Publications and Information

PART 1: Getting Started and General Information

CHAPTER 1: Introduction to the Security Appliance
    Firewall Functional Overview
    Security Policy Overview
    Permitting or Denying Traffic with Access Lists
    Applying NAT
    Using AAA for Through Traffic
    Applying HTTP, HTTPS, or FTP Filtering
    Applying Application Inspection
    Sending Traffic to the Advanced Inspection and Prevention Security Services Module
    Applying QoS Policies
    Applying Connection Limits and TCP Normalization
    Firewall Mode Overview
    Stateful Inspection Overview
    VPN Functional Overview
    Intrusion Prevention Services Functional Overview
    Security Context Overview

CHAPTER 2: Getting Started
    Accessing the Command-Line Interface
    Setting Transparent or Routed Firewall Mode
    Working with the Configuration
    Saving Configuration Changes
    Viewing the Configuration
    Clearing and Removing Configuration Settings
    Creating Text Configuration Files Offline

CHAPTER 3: Enabling Multiple Context Mode
    Security Context Overview
    Common Uses for Security Contexts
    Unsupported Features
    Context Configuration Files
    How the Security Appliance Classifies Packets
    Sharing Interfaces Between Contexts
    Shared Interface Guidelines
    Cascading Security Contexts
    Logging into the Security Appliance in Multiple Context Mode
    Enabling or Disabling Multiple Context Mode
    Backing Up the Single Mode Configuration
    Enabling Multiple Context Mode
    Restoring Single Context Mode

CHAPTER 4: Configuring Ethernet Settings and Subinterfaces
    Configuring and Enabling RJ-45 Interfaces
    Configuring and Enabling Fiber Interfaces on the 4GE SSM
    Configuring and Enabling Subinterfaces

CHAPTER 5: Adding and Managing Security Contexts
    Configuring a Security Context
    Removing a Security Context
    Changing the Admin Context
    Changing Between Contexts and the System Execution Space
    Changing the Security Context URL
    Reloading a Security Context
    Reloading by Clearing the Configuration
    Reloading by Removing and Re-adding the Context
    Monitoring Security Contexts
    Viewing Context Information
    Viewing Resource Usage

CHAPTER 6: Configuring Interface Parameters
    Security Level Overview
    Configuring the Interface
    Allowing Communication Between Interfaces on the Same Security Level

CHAPTER 7: Configuring Basic Settings
    Changing the Enable Password
    Setting the Hostname
    Setting the Domain Name
    Setting the Date and Time
    Setting the Time Zone and Daylight Saving Time Date Range
    Setting the Date and Time Using an NTP Server
    Setting the Date and Time Manually
    Setting the Management IP Address for a Transparent Firewall

CHAPTER 8: Configuring IP Routing and DHCP Services
    Configuring Static and Default Routes
    Configuring a Static Route
    Configuring a Default Route
    Configuring OSPF
    OSPF Overview
    Enabling OSPF
    Redistributing Routes Between OSPF Processes
    Adding a Route Map
    Redistributing Static, Connected, or OSPF Routes to an OSPF Process
    Configuring OSPF Interface Parameters
    Configuring OSPF Area Parameters
    Configuring OSPF NSSA
    Configuring Route Summarization Between OSPF Areas
    Configuring Route Summarization When Redistributing Routes into OSPF
    Generating a Default Route
    Configuring Route Calculation Timers
    Logging Neighbors Going Up or Down
    Displaying OSPF Update Packet Pacing