User Guide for Cisco Security Manager 3.3

OL-19983-01

APPENDIX K PIX/ASA/FWSM Platform User Interface Reference

The following topics describe the options available for configuring and managing security services and policies for PIX firewalls, Firewall Services Modules (FWSMs) on Catalyst 6500 series switches, and Adaptive Security Appliances (ASAs).

These topics are organized in the order in which they appear in Device view. Not all of these elements apply to every device; which ones apply to the currently selected device depends on its operating mode and configuration.

NAT Policies, page K-4

• Address Pools Page, page K-4

• Translation Options Page, page K-6

• Translation Rules Page, page K-6

– Translation Exemptions (NAT 0 ACL) Tab, page K-7

– Dynamic Rules Tab, page K-9

– Policy Dynamic Rules Tab, page K-13

– Static Rules Tab, page K-15

– General Tab, page K-19

Interfaces

• Interfaces Page: PIX and ASA, page K-23

• Interfaces Page: FWSM, page K-40

• ASA 5505 Ports and Interfaces Page, page K-45

Platform

• Bridging, page K-50

– ARP Table Page, page K-50

– ARP Inspection Page, page K-52

– MAC Address Table Page, page K-53

– MAC Learning Page, page K-54

– Management IP Page, page K-56


• Device Admin

– AAA Page, page K-56

– Authentication Tab, page K-57

– Authorization Tab, page K-58

– Accounting Tab, page K-58

– Banner Page, page K-60

– Boot Image/Configuration Page, page K-61

– Clock Page, page K-62

– Credentials Page, page K-64

– CPU Threshold Page, page K-64

– Device Access, page K-65

– Console Page, page K-65

– HTTP Page, page K-66

– ICMP Page, page K-67

– Management Access Page, page K-69

– Secure Shell Page, page K-69

– SNMP Page, page K-71

– Telnet Page, page K-74

– Failover Policies, page K-75

– Hostname Page, page K-91

– Resources Page, page K-92

– Server Access, page K-96

– AUS Page, page K-96

– DHCP Relay Page, page K-99

– DHCP Server Page, page K-102

– DNS Page, page K-106

– DDNS Page, page K-109

– NTP Page, page K-112

– SMTP Server Page, page K-114

– TFTP Server Page, page K-114

– User Accounts Page, page K-115

• Logging Policies, page K-116

– NetFlow Page, page K-117

– Syslog

– E-Mail Setup Page, page K-118

– Event Lists Page, page K-119

– Logging Filters Page, page K-123

– Logging Setup Page, page K-125


– Rate Limit Page, page K-126

– Server Setup Page, page K-128

– Syslog Servers Page, page K-131

• Multicast Policies, page K-133

– Enable PIM and IGMP Page, page K-134

– IGMP Page, page K-134

– IGMP Page - Protocol Tab, page K-134

– IGMP Page - Access Group Tab, page K-136

– IGMP Page - Static Group Tab, page K-137

– IGMP Page - Join Group Tab, page K-138

– Multicast Routes Page, page K-139

– Multicast Boundary Filter Page, page K-140

– PIM Page, page K-142

– PIM Page - Protocol Tab, page K-143

– PIM Page - Neighbor Filter Tab, page K-144

– PIM Page - Bidirectional Neighbor Filter Tab, page K-145

– PIM Page - Rendezvous Points Tab, page K-147

– PIM Page - Route Tree Tab, page K-149

– PIM Page - Request Filter Tab, page K-150

• Routing Policies, page K-152

– No Proxy ARP Page, page K-152

– OSPF Page, page K-153

– General Tab, page K-153

– Area Tab, page K-156

– Range Tab, page K-159

– Neighbors Tab, page K-160

– Redistribution Tab, page K-162

– Virtual Link Tab, page K-164

– Filtering Tab, page K-167

– Summary Address Tab, page K-169

– Interface Tab, page K-171

– RIP Page, page K-175

– Static Route Page, page K-184

• Security Policies, page K-186

– General Page, page K-186

– Timeouts Page, page K-188


• Service Policy Rules, page K-190

– Priority Queues Page, page K-190

– IPS, QoS, and Connection Rules Page, page K-192

• User Preferences, page K-198

Security Contexts Page, page K-198

NAT Policies

The NAT section consists of the following pages:

• Address Pools Page, page K-4

• Translation Options Page, page K-6

• Translation Rules Page, page K-6

– Translation Exemptions (NAT 0 ACL) Tab, page K-7

– Dynamic Rules Tab, page K-9

– Policy Dynamic Rules Tab, page K-13

– Static Rules Tab, page K-15

– General Tab, page K-19

Address Pools Page

Use the Address Pools page to view and manage the global address pools used in dynamic NAT rules.

Navigation Path

• (Device view) Select NAT > Address Pools from the Device Policy selector.

• (Policy view) Select NAT (PIX/ASA/FWSM) > Address Pools from the Policy Type selector. Select an existing policy from the Shared Policy selector, or right-click Address Pools to create a new policy.

Related Topics

• NAT Policies, page K-4

• Address Pool Dialog Box, page K-5

Field Reference

Table K-1 Address Pools Page

Element Description

Global Address Pools table

Interface The name of the device interface to which the address pool applies.

ID The identification number of the address pool.

IP Address(es) The IP addresses assigned to the pool.

Description The description assigned to the address pool.

Add button Opens the Address Pool Dialog Box, page K-5 so you can define a new address pool for a specific interface.

Edit button Opens the Address Pool Dialog Box, page K-5 so you can edit the selected address pool.

Delete button Deletes the selected entry in the Global Address Pools table. A confirmation dialog box may appear; click OK to delete the entry.

Address Pool Dialog Box

Use the Address Pool dialog box to add or edit a global address pool for use in dynamic NAT rules.

Navigation Path

You open the Address Pool dialog box by clicking the Add Row or Edit Row buttons on the Address Pools Page, page K-4.

Related Topics

• NAT Policies, page K-4

• Address Pools Page, page K-4

Field Reference

Table K-2 Address Pools Dialog Box

Element Description

Interface Name Enter or Select the name of the device interface on which the mapped IP addresses will be used.

Pool ID Enter a unique identification number for this address pool, an integer between 1 and 2147483647. When configuring a dynamic NAT rule, you select a Pool ID to specify the pool of addresses to be used for translation.

IP address ranges Enter or Select the addresses to be assigned to this address pool. You can specify these addresses as follows:

• Address range for dynamic NAT (e.g., 192.168.1.1-192.168.1.15)

• Subnetwork (e.g., 192.168.1.0/24)

• List of addresses separated by commas (e.g., 192.168.1.1, 192.168.1.2, 192.168.1.3)

• Single address to use for PAT (192.168.1.1)

• Combinations of the above (192.168.1.1-192.168.1.15, 192.168.1.25)

• Names of hosts on the connected network; these will be resolved to IP addresses.

Description Enter a description for the address pool.

Enable Interface PAT When checked, port address translation is enabled on the specified interface.
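As an added illustration that is not part of the Cisco guide, the following hypothetical Python helper accepts the IP address range forms listed for the Address Pool dialog box above (range, subnet, comma-separated list, single address, combinations, host names), checks the Pool ID against the stated bounds, and additionally flags addresses listed more than once, a check the dialog itself does not describe.

```python
"""Validator for the IP address range syntax of the Address Pool dialog box (Table K-2).

Hypothetical helper written for this page; it is not part of Cisco Security Manager.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Tuple

POOL_ID_MIN = 1
POOL_ID_MAX = 2147483647  # Pool ID bounds quoted in Table K-2

# Loose RFC 1123 host-name shape; names are left for the device to resolve.
_HOSTNAME_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


@dataclass
class PoolSpec:
    pool_id: int
    ranges: List[Tuple[int, int]] = field(default_factory=list)  # inclusive IPv4 ranges as ints
    hostnames: List[str] = field(default_factory=list)
    errors: List[str] = field(default_factory=list)
    warnings: List[str] = field(default_factory=list)

    @property
    def is_valid(self) -> bool:
        return not self.errors

    @property
    def address_count(self) -> int:
        return sum(hi - lo + 1 for lo, hi in self.ranges)

    @property
    def single_address_pat(self) -> bool:
        # One literal address and nothing else: the pool can only serve PAT.
        return self.is_valid and not self.hostnames and self.address_count == 1


def _parse_item(item: str, spec: PoolSpec) -> None:
    """Classify one comma-separated item: range, subnet, single address or host name."""
    try:
        if "-" in item:                       # 192.168.1.1-192.168.1.15
            lo_s, hi_s = (p.strip() for p in item.split("-", 1))
            lo, hi = ipaddress.IPv4Address(lo_s), ipaddress.IPv4Address(hi_s)
            if lo > hi:
                spec.errors.append(f"range {item!r}: start address is above end address")
            else:
                spec.ranges.append((int(lo), int(hi)))
            return
        if "/" in item:                       # 192.168.1.0/24
            # strict=True rejects host bits (192.168.1.1/24) instead of silently masking them
            net = ipaddress.IPv4Network(item, strict=True)
            spec.ranges.append((int(net.network_address), int(net.broadcast_address)))
            return
        addr = ipaddress.IPv4Address(item)    # 192.168.1.1
        spec.ranges.append((int(addr), int(addr)))
        return
    except ValueError:
        pass                                  # not an address form; try a host name
    if _HOSTNAME_RE.match(item):
        spec.hostnames.append(item)
    else:
        spec.errors.append(f"{item!r} is not a valid range, subnet, address or host name")


def _overlaps(ranges: List[Tuple[int, int]]) -> List[Tuple[int, int]]:
    """Return the overlapping stretches between any of the given inclusive ranges."""
    found, reach = [], -1
    for lo, hi in sorted(ranges):
        if lo <= reach:
            found.append((lo, min(hi, reach)))
        reach = max(reach, hi)
    return found


def parse_pool(pool_id: int, ip_ranges: str) -> PoolSpec:
    """Validate a Pool ID and the IP address ranges field as a user would type them."""
    spec = PoolSpec(pool_id=pool_id)
    if not POOL_ID_MIN <= pool_id <= POOL_ID_MAX:
        spec.errors.append(f"pool ID {pool_id} is outside {POOL_ID_MIN}..{POOL_ID_MAX}")
    items = [i.strip() for i in ip_ranges.split(",") if i.strip()]
    if not items:
        spec.errors.append("no addresses given")
    for item in items:
        _parse_item(item, spec)
    # Added check (not described in the dialog): the same address listed more than once.
    for lo, hi in _overlaps(spec.ranges):
        spec.warnings.append(
            f"{ipaddress.IPv4Address(lo)}-{ipaddress.IPv4Address(hi)} is listed more than once"
        )
    return spec


if __name__ == "__main__":
    # Constructed sample inputs, following the forms shown in Table K-2.
    for pid, text in [(1, "192.168.1.1-192.168.1.15, 192.168.1.25"), (0, "192.168.1.1/24")]:
        result = parse_pool(pid, text)
        print(pid, text, "valid" if result.is_valid else result.errors, result.warnings)
```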


Translation Options Page

Use the Translation Options page to set options that affect network address translation for the selected security appliance. These settings apply to all interfaces on the device.

Navigation Path

• (Device view) Select NAT > Translation Options from the Device Policy selector.

• (Policy view) Select NAT (PIX/ASA/FWSM) > Translation Options from the Policy Type selector. Select an existing policy from the Shared Policy selector, or right-click Translation Options to create a new policy.

Related Topics

• NAT Policies, page K-4

• Configuring Translation Options, page 14-20

Field Reference

Table K-3 Translation Options Page

Element Description

Enable traffic through the firewall without address translation

When selected, lets traffic pass through the security appliance without address translation. If this option is not selected, any traffic that does not match a translation rule will be dropped.

Note This option is available only on PIX 7.x, FWSM 3.x, and ASA devices.

Enable xlate bypass When selected, NAT sessions for untranslated traffic are disabled (this feature is called “xlate bypass”). See Configuring Translation Options, page 14-20 for more information.

Note This option is available only on FWSM 3.2 and higher.

Do not translate VPN traffic When selected, lets VPN traffic pass through the security appliance without address translation.

Translation Rules Page

Use the Translation Rules page to define address translation rules on the selected device. The Translation Rules page consists of the following tabs:

• Translation Exemptions (NAT 0 ACL) Tab, page K-7

• Dynamic Rules Tab, page K-9

• Policy Dynamic Rules Tab, page K-13

• Static Rules Tab, page K-15

• General Tab, page K-19


Navigation Path

• (Device view) Select NAT > Translation Rules from the Device Policy selector.

• (Policy view) Select NAT (PIX/ASA/FWSM) > Translation Rules from the Policy Type selector. Select an existing policy from the Shared Policy selector, or right-click Translation Rules to create a new policy.

Translation Exemptions (NAT 0 ACL) Tab

Use the Translation Exemptions (NAT 0 ACL) tab of the Translation Rules page to view and specify traffic that is exempt from address translation.

Note Translation exemptions are only supported by PIX, ASA and FWSM devices in router mode, and FWSM 3.2 devices in transparent mode. Other devices in transparent mode support only static translation rules.

Navigation Path

You can access the Translation Exemptions (NAT 0 ACL) tab from the Translation Rules page. For more information about the Translation Rules page, see Translation Rules Page, page K-6.

Related Topics

• NAT Policies, page K-4

• Translation Rules Page, page K-6

• Add/Edit Translation Exemption (NAT-0 ACL) Rule Dialog Box, page K-8

• Advanced NAT Options Dialog Box, page K-21

• General Tab, page K-19

Field Reference

Note The following table describes standard Translation Exemption elements. Additional columns for elements defined in the Advanced NAT Options dialog box can be displayed by right-clicking any column heading. (All columns are displayed by default on the General Tab, page K-19.) Refer to Table Columns and Column Heading Features, page 2-18 for more information about showing and hiding specific columns.

Table K-4 Translation Exemptions (NAT 0 ACL) Tab

Element Description

Filter Click the arrow preceding the Filter label to show or hide the filtering bar, which you can use to filter the information displayed in the Translation Exemptions Rules table. For more information about using the filtering bar, see Filtering Tables, page 2-16.

Translation Exemptions (NAT 0 ACL) Rules Table

Note Hatching (a series of slanted lines) across an entry in the table indicates that rule is currently disabled. (See Enable Rule in Add/Edit Translation Exemption (NAT-0 ACL) Rule Dialog Box, page K-8 for information about enabling and disabling these rules.)


No. Rules are evaluated sequentially in the order listed. This number indicates the rule’s position in the ordering of the list. You can use the Up Row and Down Row buttons to change the position of the selected rule.

Action Indicates whether the rule is exempt or not exempt from NAT.

Original Interface The ID of the device interface to which the rule is applied.

Original Address The object names or IP addresses of the source hosts and networks to which the rule applies.

Destination The object names or IP addresses of the destination hosts and networks to which the rule applies.

Direction The traffic direction (Inbound or Outbound) to which the rule is applied.

Category The category to which the rule is assigned. Categories can help identify rules and objects using labels and color-coding.

To define and edit categories, select Tools > Policy Object Manager > Category. Refer to Using Category Objects, page 8-6 for more information.

Note No commands are generated for the Category attribute.

Description The description of the rule, if provided.

Find/Replace button Opens the Find and Replace window; used to locate policy objects, text strings, or IP addresses in the Translation Exemptions Rules table. See Find and Replace Dialog Box, page I-91 for more information about using this feature.

Up Row Moves the selected entry one row higher in the table.

Down Row Moves the selected entry one row lower in the table.

Add Row Opens the Add/Edit Translation Exemption (NAT-0 ACL) Rule Dialog Box, page K-8; lets you define a new translation exemption rule.

Edit Row Opens the Add/Edit Translation Exemption (NAT-0 ACL) Rule Dialog Box, page K-8; lets you edit the rule currently selected in the Translation Exemptions Rules table.

Delete Row Deletes the selected entry from the Translation Exemptions Rules table. A confirmation dialog box may appear; click OK to delete the entry.

Add/Edit Translation Exemption (NAT-0 ACL) Rule Dialog Box

Use the Add/Edit Translation Exemption (NAT-0 ACL) Rule dialog box to define and edit translation exemption rules.

Navigation Path

You can access the Add/Edit Translation Exemption (NAT-0 ACL) Rule dialog box from the Translation Exemptions (NAT 0 ACL) tab. See Translation Exemptions (NAT 0 ACL) Tab, page K-7 for more information.


Related Topics

• NAT Policies, page K-4

• Translation Rules Page, page K-6

• Translation Exemptions (NAT 0 ACL) Tab, page K-7

• Advanced NAT Options Dialog Box, page K-21

Field Reference

Table K-5 Add/Edit Translation Exemption (NAT-0 ACL) Rule Dialog Box

Element Description

Enable Rule If checked, the rule is enabled. Deselect this option to disable the rule without deleting it.

Action Select the action for this rule:

• exempt – The rule identifies traffic that is exempt from NAT.

• do not exempt – The rule identifies traffic that is not exempt from NAT.

Original: Interface Enter the name of (or Select) the device interface to which the rule applies.

Original: Sources Enter IP addresses for (or Select) the source hosts and network objects to which the rule applies. Multiple entries must be separated by commas.

Translated: Direction The rule can be applied to Inbound or Outbound traffic, as specified with this option.

Traffic flow: Destinations Enter IP addresses for (or Select) the destination hosts and network objects to which the rule applies. Multiple entries must be separated by commas.

Category To assign the rule to a category, choose the category from this list. Categories can help identify rules and objects using labels and color-coding.

To define categories, select Tools > Policy Object Manager > Category. See Using Category Objects, page 8-6 for more information.

Note No commands are generated for the Category attribute.

Description Enter a description of the rule.

Advanced button (FWSM only)

Click to open the Advanced NAT Options Dialog Box, page K-21 to configure advanced settings for this rule.

Dynamic Rules Tab

Use the Dynamic Rules tab of the Translation Rules page to view and configure dynamic NAT and PAT rules.

Note Dynamic translation rules are only supported by PIX, ASA and FWSM devices in router mode, and FWSM 3.2 devices in transparent mode. Other devices in transparent mode support only static translation rules.


Navigation Path

You can access the Dynamic Rules tab from the Translation Rules page. For more information about the Translation Rules page, see Translation Rules Page, page K-6.

Related Topics

• NAT Policies, page K-4

• Add/Edit Dynamic Translation Rule Dialog Box, page K-11

• Advanced NAT Options Dialog Box, page K-21

• Select Address Pool Dialog Box, page K-12

• General Tab, page K-19

Field Reference

Note The following table describes standard Dynamic Rule elements. Additional columns for elements defined in the Advanced NAT Options dialog box can be displayed by right-clicking any column heading. (All columns are displayed by default on the General Tab, page K-19.) Refer to Table Columns and Column Heading Features, page 2-18 for more information about showing and hiding specific columns.

Table K-6 Dynamic Rules Tab

Element Description

Filter Click the arrow preceding the Filter label to show or hide the filtering bar, which you can use to filter the information displayed in the Dynamic Rules table. For more information about using the filtering bar, see Filtering Tables, page 2-16.

Dynamic Rules Table

Note Hatching (a series of slanted lines) across an entry in the table indicates that rule is currently disabled. (See Enable Rule in Add/Edit Dynamic Translation Rule Dialog Box, page K-11 for information about enabling and disabling these rules.)

No. Rules are evaluated sequentially in the order listed. This number indicates the rule’s position in the ordering of the list. You can use the Up Row and Down Row buttons to change the position of the selected rule.

Original Interface The ID of the device interface to which the rule is applied.

Original Address The object names or IP addresses of the source hosts and networks to which the rule applies.

Translated Pool The ID number of the pool of addresses used for translation.

Direction The traffic direction (Inbound or Outbound) to which the rule is applied.

Category The category to which the rule is assigned. Categories can help identify rules and objects using labels and color-coding.

To define and edit categories, select Tools > Policy Object Manager > Category. Refer to Using Category Objects, page 8-6 for more information.

Note No commands are generated for the Category attribute.


Description The description of the rule, if provided.

Find/Replace button Opens the Find and Replace window; used to locate policy objects, text strings, or IP addresses in the Dynamic Rules table. See Find and Replace Dialog Box, page I-91 for more information about using this feature.

Up Row Moves the selected entry one row higher in the table.

Down Row Moves the selected entry one row lower in the table.

Add Row Opens the Add/Edit Dynamic Translation Rule Dialog Box, page K-11; lets you define a new dynamic translation rule.

Edit Row Opens the Add/Edit Dynamic Translation Rule Dialog Box, page K-11; lets you edit the rule currently selected in the Dynamic Rules table.

Delete Row Deletes the selected entry from the Dynamic Rules table. A confirmation dialog box may appear; click OK to delete the entry.

Add/Edit Dynamic Translation Rule Dialog Box

Use the Add/Edit Dynamic Translation Rule dialog box to define and edit dynamic NAT and PAT rules.

Navigation Path

You can access the Add/Edit Dynamic Translation Rule dialog box from the Dynamic Rules tab. See Dynamic Rules Tab, page K-9 for more information.

Related Topics

• NAT Policies, page K-4

• Translation Rules Page, page K-6

• Dynamic Rules Tab, page K-9

• Advanced NAT Options Dialog Box, page K-21

• Select Address Pool Dialog Box, page K-12

Field Reference

Table K-7 Add/Edit Dynamic Translation Rule Dialog Box

Element Description

Enable Rule If checked, the rule is enabled. Deselect this option to disable the rule without deleting it.

Original: Interface Enter the name or Select the device interface to which the rule applies.

Original: Address Enter IP addresses for (or Select) the source hosts and network objects to which the rule applies. Multiple entries must be separated by commas.

Translated: Pool Enter (or Select) the ID number of the pool of addresses used for translation; clicking Select opens the Select Address Pool Dialog Box, page K-12.

Enter a value of zero to specify this as an identity NAT rule.


Translated: Direction The rule can be applied to Inbound or Outbound traffic, as specified with this option.

Category To assign the rule to a category, choose the category from this list. Categories can help identify rules and objects using labels and color-coding.

To define categories, select Tools > Policy Object Manager > Category. See Using Category Objects, page 8-6 for more information.

Note No commands are generated for the Category attribute.

Description Enter a description for the rule.

Advanced button Click to open the Advanced NAT Options Dialog Box, page K-21 to configure advanced settings for this rule.

Select Address Pool Dialog Box

The Select Address Pool dialog box presents a list of global address pools; these pools are defined and managed via the Address Pools Page, page K-4. Use this dialog box to select an address pool for use by a dynamic translation rule, or a policy dynamic translation rule.

Navigation Path

You can access the Select Address Pool dialog box from the Add/Edit Dynamic Translation Rule Dialog Box, page K-11 when adding or editing a dynamic translation rule, or from the Add/Edit Policy Dynamic Rules Dialog Box, page K-14 when adding or editing a policy dynamic translation rule.

Related Topics

• NAT Policies, page K-4

• Translation Rules Page, page K-6

• Address Pools Page, page K-4

Field Reference

Table K-8 Select Address Pool Dialog Box

Element Description

Pool ID The identification number of the address pool.

Interface The name of the device interface to which the address pool applies.

IP Address Ranges The IP addresses assigned to the pool; “interface” in this list indicates PAT is enabled on the specified Interface.

Description The description provided for the address pool.

Selected Row This field identifies the pool currently selected in the list. When you click OK to close the dialog box, this pool is assigned to the translation rule.


Policy Dynamic Rules Tab

Use the Policy Dynamic Rules tab of the Translation Rules page to view and configure dynamic translation rules based on source and destination addresses and services.

Note Policy dynamic rules are only supported by PIX, ASA and FWSM devices in router mode, and FWSM 3.2 devices in transparent mode. Other devices in transparent mode support only static translation rules.

Navigation Path

You can access the Policy Dynamic Rules tab from the Translation Rules page. See Translation Rules Page, page K-6 for more information.

Related Topics

• NAT Policies, page K-4

• Add/Edit Policy Dynamic Rules Dialog Box, page K-14

• Advanced NAT Options Dialog Box, page K-21

• Select Address Pool Dialog Box, page K-12

• General Tab, page K-19

Field Reference

Note The following table describes standard Policy Dynamic Rule elements. Additional columns for elements defined in the Advanced NAT Options dialog box can be displayed by right-clicking any column heading. (All columns are displayed by default on the General Tab, page K-19.) Refer to Table Columns and Column Heading Features, page 2-18 for more information about showing and hiding specific columns.

Table K-9 Policy Dynamic Rules Tab

Element Description

Filter Click the arrow preceding the Filter label to show or hide the filtering bar, which you can use to filter the information displayed in the Policy Dynamic Rules table. For more information about using the filtering bar, see Filtering Tables, page 2-16.

Policy Dynamic Rules Table

Note Hatching (a series of slanted lines) across an entry in the table indicates that rule is currently disabled. (See Enable Rule in Add/Edit Policy Dynamic Rules Dialog Box, page K-14 for information about enabling and disabling these rules.)

No. Rules are evaluated sequentially in the order listed. This number indicates the rule’s position in the ordering of the list. You can use the Up Row and Down Row buttons to change the position of the selected rule.

Original Interface The ID of the device interface to which the rule is applied.

Original Address The object names or IP addresses of the source hosts and networks to which the rule applies.

Translated Pool The ID number of the pool of addresses used for translation.


Destination The object names and IP addresses of the destination hosts and networks to which the rule applies.

Service The services to which the rule applies.

Direction The traffic direction (Inbound or Outbound) to which the rule is applied.

Category The category to which the rule is assigned. Categories can help identify rules and objects using labels and color-coding.

To define and edit categories, select Tools > Policy Object Manager > Category. Refer to Using Category Objects, page 8-6 for more information.

Note No commands are generated for the Category attribute.

Description The description of the rule, if provided.

Find/Replace button Opens the Find and Replace window; used to locate policy objects, text strings, or IP addresses in the Policy Dynamic Rules table. See Find and Replace Dialog Box, page I-91 for more information about using this feature.

Up Row Moves the selected entry one row higher in the table.

Down Row Moves the selected entry one row lower in the table.

Add Row Opens the Add/Edit Policy Dynamic Rules Dialog Box, page K-14; lets you define a new policy dynamic translation rule.

Edit Row Opens the Add/Edit Policy Dynamic Rules Dialog Box, page K-14; lets you edit the rule currently selected in the Policy Dynamic Rules table.

Delete Row Deletes the selected entry from the Policy Dynamic Rules table. A confirmation dialog box may appear; click OK to delete the entry.

Add/Edit Policy Dynamic Rules Dialog Box

Use the Add/Edit Policy Dynamic Rules dialog box to define and edit dynamic translation rules based on source and destination addresses and services.

Navigation Path

You can access the Add/Edit Policy Dynamic Rules dialog box from the Policy Dynamic Rules tab. See Policy Dynamic Rules Tab, page K-13 for more information.

Related Topics

• NAT Policies, page K-4

• Translation Rules Page, page K-6

• Policy Dynamic Rules Tab, page K-13

• Advanced NAT Options Dialog Box, page K-21

• Select Address Pool Dialog Box, page K-12


Field Reference

Table K-10 Add/Edit Policy Dynamic Rules Dialog Box

Element Description

Enable Rule If checked, the rule is enabled. Deselect this option to disable the rule without deleting it.

Original: Interface Enter the name of (or Select) the device interface to which the rule applies.

Original: Sources Enter IP addresses for (or Select) the source hosts and network objects to which the rule applies. Multiple entries must be separated by commas.

Translated: Pool Enter (or Select) the ID number of the pool of addresses used for translation; clicking Select opens the Select Address Pool Dialog Box, page K-12.

Enter a value of zero to specify this as an identity NAT rule.

Translated: Direction The rule can be applied to Inbound or Outbound traffic, as specified with this option.

Traffic flow: Destinations Enter IP addresses for (or Select) the destination hosts and network objects to which the rule applies. Multiple entries must be separated by commas.

Traffic flow: Services Enter (or Select) the services to which the rule applies. Multiple entries must be separated by commas.

Category To assign the rule to a category, choose the category from this list. Categories can help identify rules and objects using labels and color-coding.

To define categories, select Tools > Policy Object Manager > Category. See Using Category Objects, page 8-6 for more information.

Note No commands are generated for the Category attribute.

Description Enter a description of the rule.

Advanced button Click to open the Advanced NAT Options Dialog Box, page K-21 to configure advanced settings for this rule.

Static Rules Tab

Use the Static Rules tab of the Translation Rules page to view and configure static translation rules for a security appliance or shared policy.

Caution The order of Static NAT rules on a security device is important, and Security Manager preserves this ordering during deployment. However, security appliances do not support in-line editing of Static NAT rules. This means that if you move, edit, or insert a rule anywhere above the end of the list, Security Manager will remove from the device all Static NAT rules that follow the new or modified rule, and then re-send the updated list from that point. Depending on the length of the list, this can require substantial overhead, and may result in traffic interruption. Whenever possible, add any new Static NAT rules to the end of the list.
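As an added illustration of the Caution on Static NAT rule ordering (example code, not part of the Security Manager documentation): given the deployed and the desired ordered Static NAT lists, this computes which rules a deployment would remove and re-send, showing why appending to the end is cheap while inserting near the top touches the whole list. The StaticRule fields are a constructed subset of the Static Rules table columns, and the sample addresses are constructed placeholders.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class StaticRule:
    """A constructed subset of the Static Rules table columns (Table K-11)."""
    original_interface: str
    original_address: str
    translated_interface: str
    translated_address: str


def deployment_plan(deployed: List[StaticRule],
                    desired: List[StaticRule]) -> Tuple[List[StaticRule], List[StaticRule]]:
    """Model the deployment behaviour described in the Caution.

    Because the appliance does not support in-line editing of static rules, the
    ordered lists are compared position by position; from the first position
    that differs, every deployed rule is removed and every desired rule is
    re-sent. Returns (rules_removed, rules_resent).
    """
    first_diff = 0
    while (first_diff < len(deployed) and first_diff < len(desired)
           and deployed[first_diff] == desired[first_diff]):
        first_diff += 1
    return deployed[first_diff:], desired[first_diff:]


def change_cost(deployed: List[StaticRule], desired: List[StaticRule]) -> Tuple[int, int]:
    """(number of rules removed, number of rules re-sent) for a proposed change."""
    removed, resent = deployment_plan(deployed, desired)
    return len(removed), len(resent)


def _sample_rules() -> List[StaticRule]:
    # Constructed sample list; addresses are documentation-range placeholders.
    return [
        StaticRule("inside", "192.168.1.1", "outside", "198.51.100.1"),
        StaticRule("inside", "192.168.1.2", "outside", "198.51.100.2"),
        StaticRule("dmz", "192.168.2.10", "outside", "198.51.100.10"),
        StaticRule("dmz", "192.168.2.11", "outside", "198.51.100.11"),
    ]


def append_cost() -> Tuple[int, int]:
    """Adding a rule at the end: nothing is removed, one rule is sent."""
    deployed = _sample_rules()
    new_rule = StaticRule("dmz", "192.168.2.12", "outside", "198.51.100.12")
    return change_cost(deployed, deployed + [new_rule])


def insert_at_top_cost() -> Tuple[int, int]:
    """Inserting the same rule at position 1: the whole list is torn down and re-sent."""
    deployed = _sample_rules()
    new_rule = StaticRule("dmz", "192.168.2.12", "outside", "198.51.100.12")
    return change_cost(deployed, [new_rule] + deployed)


def edit_third_rule_cost() -> Tuple[int, int]:
    """Editing rule 3 of 4: rules 3 and 4 are removed, then both are re-sent."""
    deployed = _sample_rules()
    desired = list(deployed)
    desired[2] = StaticRule("dmz", "192.168.2.10", "outside", "198.51.100.20")
    return change_cost(deployed, desired)


if __name__ == "__main__":
    print("append:", append_cost())                # (0, 1)
    print("insert at top:", insert_at_top_cost())  # (4, 5)
    print("edit rule 3:", edit_third_rule_cost())  # (2, 2)
```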

Navigation Path

You can access the Static Rules tab from the Translation Rules page. See Translation Rules Page, page K-6 for more information.

Related Topics

• NAT Policies, page K-4

• Add/Edit Static Rule Dialog Box, page K-17

• Advanced NAT Options Dialog Box, page K-21

• General Tab, page K-19

Field Reference

Note The following table describes standard Static Rule elements. Additional columns for elements defined in the Advanced NAT Options dialog box can be displayed by right-clicking any column heading. (All columns are displayed by default on the General Tab, page K-19.) Refer to Table Columns and Column Heading Features, page 2-18 for more information about showing and hiding specific columns.

Table K-11 Static Rules Tab

Element Description

Filter Click the arrow preceding the Filter label to show or hide the filtering bar, which you can use to filter the information displayed in the Static Rules table. For more information about using the filtering bar, see Filtering Tables, page 2-16.

Static Rules Table

Note Hatching (a series of slanted lines) across an entry in the table indicates that rule is currently disabled. (See Enable Rule in Add/Edit Static Rule Dialog Box, page K-17 for information about enabling and disabling these rules.)

No. Rules are evaluated sequentially in the order listed. This number indicates the rule’s position in the ordering of the list. You can use the Up Row and Down Row buttons to change the position of the selected rule, but do not change the rule order unless absolutely necessary.

Original Interface The ID of the device interface to which the rule is applied.

Original Address The object names or IP addresses of the source hosts and networks to which the rule applies.

Local Port The port number supplied by the host or network (static PAT only).

Translated Interface The interface on which the translated addresses are to be used.

Translated Address The translated addresses.

Global Port The port number to which the original port number will be translated (static PAT only).

Destination The object names and IP addresses of the destination hosts or networks to which the rule applies.

Service The services to which the rule applies.

Protocol The protocol to which the rule applies.

Nailed Whether TCP state tracking and sequence checking is skipped for the connection: true or false. (This value is a product of device discovery; it cannot be changed in Security Manager.)

Category The category to which the rule is assigned. Categories use labels and color-coding to help identify rules and objects.

To define and edit categories, select Tools > Policy Object Manager > Category. Refer to Using Category Objects, page 8-6 for more information.

Note No commands are generated for the Category attribute.

Description The description of the rule, if provided.

Find/Replace button Opens the Find and Replace window; used to locate policy objects, text strings, or IP addresses in the Static Rules table. See Find and Replace Dialog Box, page I-91 for more information about using this feature.

Up Row Moves the selected entry one row higher in the table.

Down Row Moves the selected entry one row lower in the table.

Add Row Opens the Add/Edit Static Rule Dialog Box, page K-17; lets you define a new static rule.

Edit Row Opens the Add/Edit Static Rule Dialog Box, page K-17; lets you edit the rule currently selected in the Static Rules table.

Delete Row Deletes the selected entry from the Static Rules table. A confirmation dialog box may appear; click OK to delete the entry.

Add/Edit Static Rule Dialog Box

Use the Add/Edit Static Rule dialog box to add or edit static translation rules for a firewall device or shared policy.

Navigation Path

You can access the Add/Edit Static Rule dialog box from the Static Rules tab. See the Static Rules Tab, page K-15 for more information.

Related Topics

• NAT Policies, page K-4

• Translation Rules Page, page K-6

• Static Rules Tab, page K-15

• Advanced NAT Options Dialog Box, page K-21

Field Reference

Table K-12 Add/Edit Static Rule Dialog Box

Element Description

Enable Rule If checked, the rule is enabled. Deselect this option to disable the rule without deleting it.

Translation Type Select the type of translation for this rule: NAT or PAT.

Original Interface Enter (or Select) the device interface connected to the host or network with original addresses to be translated.

Original Address Enter (or Select) the source address to be translated.

Translated Interface Enter (or Select) the interface on which the translated addresses are to be used.

To specify this as an identity NAT rule, enter the same interface in both this and the Original Interface fields.

Use Interface IP/Use Selected Address

Specify the address used for the Translated Interface: select Use Interface IP (address), or select Use Selected Address and enter an address, or Select a network/host object.

Enable Policy NAT Select this option to enable Policy NAT for this translation rule.

Dest Address If Policy NAT is enabled, specify the destination addresses of the hosts or networks to which the rule applies.

Services If PAT is the selected Translation Type, specify the services to which the rule applies.

Note For Static NAT, IP is the only Service that can be specified.

Protocol If PAT is the selected Translation Type, select the protocol, TCP or UDP, to which the rule applies.

Original Port If PAT is the selected Translation Type, enter the port number to be translated.

Translated Port If PAT is the selected Translation Type, enter the port number to which the original port number will be translated.

Category To assign the rule to a category, choose the category from this list. Categories can help identify rules and objects using labels and color-coding.

To define categories, select Tools > Policy Object Manager > Category. See Using Category Objects, page 8-6 for more information.

Note No commands are generated for the Category attribute.

Description Enter a description of the rule.

Advanced button Click to open the Advanced NAT Options Dialog Box, page K-21 to configure advanced settings for this rule.

General Tab

Use the General tab of the Translation Rules page to view all current translation rules. The translation rules are listed in the order that they will be evaluated on the device.

Note The General tab is only visible for PIX, ASA, and FWSM devices in routed mode, and for FWSM 3.2 devices in transparent mode. Other devices in transparent mode support only static translation rules and do not need to display summary information.

Navigation Path

You can access the General tab from the Translation Rules page. See Translation Rules Page, page K-6 for more information.

Related Topics

• NAT Policies, page K-4

• Translation Exemptions (NAT 0 ACL) Tab, page K-7

• Dynamic Rules Tab, page K-9

• Policy Dynamic Rules Tab, page K-13

• Static Rules Tab, page K-15

Field Reference

Table K-13 General Tab

Element Description

Filter Click the arrow preceding the Filter label to show or hide the filtering bar, which you can use to filter the information displayed in the Translation Rules Summary table. For more information about using the filtering bar, see Filtering Tables, page 2-16.

Translation Rules Summary Table

Note Hatching (a series of slanted lines) across an entry in the table indicates that rule is currently disabled. (See Enable Rule in Add/Edit Dynamic Translation Rule Dialog Box, page K-11 for information about enabling and disabling these rules.)

No. Rules are evaluated sequentially in the order listed. This number indicates the rule’s position in the ordering of the list.

Type The type of translation rule; for example, Static, Dynamic, or Exemption.

Action Displays “exempt” if the rule is exempt from NAT.

Original Interface The ID of the device interface to which the rule is applied.

Original Address The object names or IP addresses of the source hosts and networks to which the rule applies.

Local Port The port number supplied by the host or network (for static PAT).

Translated Pool The ID number of the address pool used for translation.

Translated Interface The interface on which the translated addresses are to be used.

Translated Address The translated addresses.

Global Port The port number to which the original port number will be translated (for static PAT).

Destination The object names and IP addresses of the destination hosts or networks to which the rule applies.

Protocol The protocol to which the rule applies.

Service The services to which the rule applies.

Direction The traffic direction (Inbound or Outbound) on which the rule is applied.

DNS Rewrite Whether the DNS Rewrite option is enabled: Yes or No. This option is set in the Advanced NAT Options Dialog Box, page K-21.

Maximum TCP Connections

The maximum number of TCP connections allowed to connect to the statically translated IP address. If zero, the number of connections is unlimited. This option is set in the Advanced NAT Options Dialog Box, page K-21.

Embryonic Limit The number of embryonic connections allowed to form before the security appliance begins to deny these connections. If zero, the number of connections is unlimited. A positive number enables the TCP Intercept feature.

This option is set in the Advanced NAT Options Dialog Box, page K-21.

Maximum UDP Connections

The maximum number of UDP connections allowed to connect to the statically translated IP address. If zero, the number of connections is unlimited. This option is set in the Advanced NAT Options Dialog Box, page K-21.

Timeout For PIX 6.x devices, this is the timeout value for a static translation rule. This value overrides the default translation timeout specified in Platform > Security > Timeouts. A Timeout value of 00:00:00 here means that translations matching this rule should use the default translation timeout specified in Platform > Security > Timeouts.

Randomize Sequence Number

Whether the security appliance will randomize the sequence number of TCP packets: Yes or No. This option is set in the Advanced NAT Options Dialog Box, page K-21, and is enabled by default.

Category The category to which the rule is assigned. Categories use labels and color-coding to help identify rules and objects.

To define and edit categories, select Tools > Policy Object Manager > Category. Refer to Using Category Objects, page 8-6 for more information.

Note No commands are generated for the Category attribute.

Description The description of the rule, if provided.

Advanced NAT Options Dialog Box

Use the Advanced NAT Options dialog box to configure the advanced connection settings—DNS Rewrite, Maximum TCP and Maximum UDP Connections, Embryonic Limit, Timeout (PIX 6.x), and Randomize Sequence Number—for NAT and Policy NAT. You can also configure these options for Translation Exemption (NAT 0 ACL) rules on an FWSM.

Navigation Path

You can access the Advanced NAT Options dialog box by clicking the Advanced button when adding or editing a translation rule. See the following topics for more information:

• Add/Edit Translation Exemption (NAT-0 ACL) Rule Dialog Box, page K-8

• Add/Edit Dynamic Translation Rule Dialog Box, page K-11

• Add/Edit Policy Dynamic Rules Dialog Box, page K-14

• Add/Edit Static Rule Dialog Box, page K-17

Related Topics

• NAT Policies, page K-4

• Translation Rules Page, page K-6

Field Reference

Table K-14 Advanced NAT Options Dialog Box

Element Description

Translate the DNS replies that match the translation rule

If checked, the security appliance rewrites DNS replies so an outside client can resolve the name of an inside host using an inside DNS server, and vice versa. For instance, if your NAT rule includes the real address of a host with an entry in a DNS server, and the DNS server is on a different interface from a client, then the client and the DNS server need different addresses for the host: one needs the mapped address and one needs the real address. This option rewrites the address in the DNS reply to the client.

As an example, assume an inside web server, www.example.com, has the IP address 192.168.1.1, which is translated to 10.1.1.1 on the outside interface of the appliance. An outside client sends a DNS request to an inside DNS server, which will resolve www.example.com to 192.168.1.1. When the reply comes to the security appliance with DNS Rewrite enabled, the security appliance will translate the IP address in the payload to 10.1.1.1, so that the outside client will get the correct IP address.

Note that the mapped host needs to be on the same interface as either the client or the DNS server. Typically, hosts that need to allow access from other interfaces use a static translation, so this option is more likely to be used with a static rule.

Max TCP Connections per Rule

Enter the maximum number of TCP connections allowed; valid values are 0 through 65,535. If this value is set to zero, the number of connections is unlimited.

K-21User Guide for Cisco Security Manager 3.3

OL-19983-01

Page 22: €¦ · K-1 User Guide for Cisco Security Manager 3.3 OL-19983-01 APPENDIX K PIX/ASA/FWSM Platform User Interface Reference The following topics describe the options available for

Appendix K PIX/ASA/FWSM Platform User Interface ReferenceNAT Policies

Max UDP Connections per Rule

Enter the maximum number of UDP connections allowed; valid values are 0 through 65,535. If this value is set to zero, the number of connections is unlimited.

Max Embryonic Connections Enter the number of embryonic connections allowed to form before the security appliance begins to deny these connections. An embryonic connection is a connection request that has not finished the necessary handshake between source and destination. Set this limit to prevent attack by a flood of embryonic connections. Valid values are 0 through 65,535. If this value is set to zero, the number of connections is unlimited.

Any positive value enables the TCP Intercept feature. TCP Intercept protects inside systems from a DoS attack perpetrated by flooding an interface with TCP SYN packets. When the embryonic limit has been surpassed, the TCP Intercept feature intercepts TCP SYN packets from clients to servers on a higher security level. SYN cookies are used during the validation process and help to minimize the amount of valid traffic being dropped. Thus, connection attempts from unreachable hosts will never reach the server.

Timeout For PIX 6.x devices, enter a timeout value for this translation rule, in the format hh:mm:ss. This value overrides the default translation timeout specified in Platform > Security > Timeouts, unless this value is 00:00:00, in which case translations matching this rule use the default translation timeout (specified in Platform > Security > Timeouts).

Randomize Sequence Number

If checked, the security appliance randomizes the sequence numbers of TCP packets. Each TCP connection has two Initial Sequence Numbers (ISNs): one generated by the client and one generated by the server. The security appliance randomizes the ISN of the TCP SYN in both the inbound and outbound directions. Randomizing the ISN of the protected host prevents an attacker from predicting the next ISN for a new connection and potentially hijacking the new session.

Disable this feature only if:

• Another in-line security appliance is also randomizing initial sequence numbers and data is being scrambled.

• You are using eBGP multi-hop through the security appliance, and the eBGP peers are using MD5. Randomization breaks the MD5 checksum.

• You are using a WAAS device which requires that the security appliance not randomize the sequence numbers of connections.

Disabling this option opens a security hole in the security appliance.
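The DNS reply rewriting described for the "Translate the DNS replies" option, worked through on a constructed DNS response (added example, not Cisco code): the reply for www.example.com carrying the real address 192.168.1.1 is rewritten to the mapped address 10.1.1.1 before it is forwarded to the outside client, and a reply travelling the other way uses the inverted mapping. The builder and parser (build_dns_reply, rewrite_dns_reply, answered_addresses) are simplified to a single question and IPv4 A records, which is enough to show where in the packet the rewrite happens.

```python
import socket
import struct
from typing import Dict, Iterator, List, Tuple

# Constructed static translation from the example in the text:
# real (inside) address -> mapped (outside) address.
STATIC_NAT: Dict[str, str] = {"192.168.1.1": "10.1.1.1"}


def _encode_name(name: str) -> bytes:
    """Encode a domain name as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a name, which may end in a compression pointer."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # 2-byte pointer terminates the name
            return off + 2
        off += 1 + length


def build_dns_reply(qname: str, answers: List[str], txid: int = 0x1234) -> bytes:
    """Build a minimal DNS response: one A question, one A answer per address."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN
    records = b""
    for ip in answers:
        # name = pointer to the question name at offset 12, type A, class IN, TTL, RDLENGTH
        records += struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + socket.inet_aton(ip)
    return header + question + records


def _answer_records(msg: bytes) -> Iterator[Tuple[int, int, int, int]]:
    """Yield (rdata_offset, rtype, rclass, rdlen) for each answer-section record."""
    qdcount, ancount = struct.unpack_from("!HH", msg, 4)
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4                 # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        yield off, rtype, rclass, rdlen
        off += rdlen


def answered_addresses(msg: bytes) -> List[str]:
    """The IPv4 addresses carried by A records in the answer section."""
    return [socket.inet_ntoa(msg[off:off + 4])
            for off, rtype, rclass, rdlen in _answer_records(msg)
            if rtype == 1 and rclass == 1 and rdlen == 4]


def rewrite_dns_reply(msg: bytes, mapping: Dict[str, str]) -> Tuple[bytes, List[Tuple[str, str]]]:
    """Rewrite A-record RDATA that matches the translation, as DNS Rewrite does.

    `mapping` is oriented for the direction the reply travels: real->mapped for a
    reply headed to an outside client, the inverse for a reply headed inside.
    Returns the rewritten message and the (before, after) substitutions made.
    """
    out = bytearray(msg)
    changes: List[Tuple[str, str]] = []
    for off, rtype, rclass, rdlen in _answer_records(msg):
        if rtype != 1 or rclass != 1 or rdlen != 4:
            continue                                   # only IPv4 A records are rewritten here
        addr = socket.inet_ntoa(msg[off:off + 4])
        if addr in mapping:
            out[off:off + 4] = socket.inet_aton(mapping[addr])
            changes.append((addr, mapping[addr]))
    return bytes(out), changes


def invert(mapping: Dict[str, str]) -> Dict[str, str]:
    """Mapping for replies travelling in the opposite direction."""
    return {mapped: real for real, mapped in mapping.items()}


if __name__ == "__main__":
    # Reply from the inside DNS server, about to be forwarded to the outside client.
    reply = build_dns_reply("www.example.com", ["192.168.1.1"])
    doctored, changed = rewrite_dns_reply(reply, STATIC_NAT)
    print(answered_addresses(reply), "->", answered_addresses(doctored), changed)
```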
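A simplified model of the Max Embryonic Connections behaviour described above (added example; it is not the appliance's implementation, whose algorithm the page does not document): below the limit, SYNs are forwarded and tracked as half-open; once the limit is surpassed, the model answers SYNs itself with a SYN-cookie ISN and only opens a connection to the server after the client returns a valid cookie, so unreachable or spoofed sources never reach the server. The EmbryonicGuard class and its cookie construction (a keyed hash truncated into a 32-bit ISN with a time slot) are assumptions for illustration; real SYN cookies also encode MSS.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

Flow = Tuple[str, int]           # (client address, client source port)


@dataclass
class EmbryonicGuard:
    """Half-open connection accounting for one static rule (illustrative model).

    embryonic_limit is the Max Embryonic Connections value; 0 means unlimited
    and disables interception, matching the semantics described in the text.
    """
    embryonic_limit: int
    secret: bytes
    # Time slot used in cookies; the default advances every 64 s. Injectable for tests.
    clock: Callable[[], int] = lambda: int(time.time()) // 64
    half_open: Dict[Flow, int] = field(default_factory=dict)   # flow -> client ISN

    def syn_cookie(self, flow: Flow, slot: int) -> int:
        """32-bit ISN: 5 bits of time slot, 27 bits of keyed hash over the flow."""
        msg = f"{flow[0]}:{flow[1]}:{slot}".encode()
        mac = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return ((slot & 0x1F) << 27) | (int.from_bytes(mac[:4], "big") & 0x07FF_FFFF)

    def _cookie_valid(self, flow: Flow, cookie: int) -> bool:
        now = self.clock()
        # Accept the current and the previous slot so a slow client is not penalised.
        return any(self.syn_cookie(flow, slot) == cookie for slot in (now, now - 1))

    def intercepting(self) -> bool:
        """True once the embryonic limit has been reached (0 = never)."""
        return self.embryonic_limit > 0 and len(self.half_open) >= self.embryonic_limit

    def on_syn(self, flow: Flow, client_isn: int) -> Tuple[str, int]:
        """Handle a client SYN. Returns (action, isn_sent_in_our_synack_or_0)."""
        if flow in self.half_open:
            return ("retransmit", 0)     # duplicate SYN for a flow already tracked
        if not self.intercepting():
            # Normal mode: the SYN goes to the server; remember the half-open flow.
            self.half_open[flow] = client_isn
            return ("forward", 0)
        # Intercept mode: answer SYN-ACK ourselves with a cookie ISN, keeping no state.
        return ("synack_cookie", self.syn_cookie(flow, self.clock()))

    def on_ack(self, flow: Flow, ack_number: int) -> str:
        """Handle the client's final handshake ACK."""
        if flow in self.half_open:
            del self.half_open[flow]     # handshake completed; no longer embryonic
            return "established"
        # Not tracked: this must be a reply to one of our cookies.
        if self._cookie_valid(flow, (ack_number - 1) & 0xFFFF_FFFF):
            return "open_to_server"      # client proved reachability; connect to the server now
        return "drop"                    # spoofed or stale; never reaches the server

    def expire(self, flow: Flow) -> None:
        """A half-open flow timed out without completing the handshake."""
        self.half_open.pop(flow, None)


def simulate_syn_flood(limit: int, attempts: int) -> Tuple[int, int, str]:
    """Constructed scenario: `attempts` SYNs from distinct constructed sources that never
    complete the handshake, then one legitimate client. Returns
    (forwarded, intercepted, legitimate_client_result)."""
    guard = EmbryonicGuard(embryonic_limit=limit, secret=b"constructed-demo-key",
                           clock=lambda: 1000)
    forwarded = intercepted = 0
    for i in range(attempts):
        action, _ = guard.on_syn((f"203.0.113.{i % 250}", 40000 + i), 1)
        if action == "forward":
            forwarded += 1
        else:
            intercepted += 1
    # A legitimate client arriving now completes whichever handshake it is offered.
    client: Flow = ("198.51.100.9", 51515)
    action, isn = guard.on_syn(client, 7)
    ack = isn + 1 if action == "synack_cookie" else 8
    return forwarded, intercepted, guard.on_ack(client, ack)


if __name__ == "__main__":
    print(simulate_syn_flood(limit=100, attempts=1000))   # (100, 900, 'open_to_server')
    print(simulate_syn_flood(limit=0, attempts=1000))     # (1000, 0, 'established')
```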

Interfaces Page: PIX and ASA

The Interfaces page displays configured interfaces, subinterfaces and redundant interfaces, and lets you add, edit and delete them.

Transparent firewall mode allows only two interfaces to pass traffic; however, if your platform includes a dedicated management interface, you can use it (either the physical interface or a subinterface) as a third interface for management traffic.

If you bootstrapped a new security device, the set-up feature configures only the addresses and names associated with the inside interface. You must define the remaining interfaces on that device before you can specify access and translation rules for traffic traversing that firewall device.

The Interfaces page settings vary based on the selected device type and version, the operational mode (routed versus transparent), and whether the device hosts single or multiple contexts. Thus, some fields in the following table might not apply, depending on the device you are configuring.

Navigation Path

To access the Interfaces page, select a security device in Device View and then select Interfaces from the Device Policy selector.

Related Topics

• Configuring Firewall Device Interfaces, page 14-2

• Using the Add/Edit Interface Dialog Box, page 14-6

Field Reference

Table K-15 Interfaces Page

Element Description

Interfaces Table

Interface Type The kind of interface. This value is derived from the hardware ID setting of the selected interface, or selection of the Redundant Interface option. Valid options are:

• Ethernet

• GigabitEthernet

• TenGigabitEthernet (ASA 5580 only)

• Redundant

Name The interface ID. All physical interfaces are listed automatically. For ASA/PIX 7.0 devices, subinterfaces are indicated by the interface ID followed by .n, where n is the subinterface number.

IP Address The IP address of the interface, or in transparent mode, the word “native.” Transparent mode interfaces do not use IP addresses.

IP Address Type The method by which the IP address is provided. Valid options are:

• static – The IP address is manually defined.

• dhcp – The IP address is obtained via a DHCP lease.

• pppoe – The IP address is obtained using PPPoE.

Interface Role Lists the interface roles associated with the interface. Interface roles are objects that are replaced with the actual interface IP addresses when the configuration is generated for each device. They allow you to define generic rules—ones that can apply to multiple interfaces.

Valid options include:

• All-Interfaces – The interface is a member of the default role assigned to all interfaces.

• Internal – This interface is a member of the default role associated with all inside interfaces.

• External – This interface is a member of the default role associated with all outside interfaces.

For more information on roles and how to define and use them, see Understanding Interface Role Objects, page 8-33.

Hardware Port Identifies the type of interface installed in the device, as well as the port or slot where the interface is installed.

For subinterfaces, this value identifies the physical interface with which the subinterface is associated.

Enabled Indicates if the interface is enabled: true or false.

By default, all physical interfaces are shut down. You must enable the physical interface before any traffic can pass through an enabled subinterface. In multiple-context mode, if you allocate a physical interface or subinterface to a context, the interfaces are enabled by default in the context. However, before traffic can pass through the context interface, you must also enable the interface in the system configuration. If you shut down an interface in the system execution space, that interface is down in all contexts that share it.

VLAN ID For a subinterface, this is the VLAN ID, an integer between 1 and 4094. Some VLAN IDs might be reserved on connected switches, so check the switch documentation for more information. For multiple-context mode, you can only set the VLAN ID in the system configuration.

If this value is not specified, the column displays native.

Security Level The interface security level; a value between 0 and 100.

Management Only Indicates whether the interface allows traffic to the security appliance for management purposes only: true or false.

MTU The maximum transmission unit (MTU); that is, the maximum packet size, in bytes, that the interface can handle. By default, the MTU is 1500.

Member Indicates whether this interface is a member of a redundant interface pair: true or false.

Description A description of the interface. In the case of a failover or state link, the description is fixed as “LAN Failover Interface,” “STATE Failover Interface,” or “LAN/STATE Failover Interface,” for example. You cannot edit this description.

ASR Group If this interface is part of an asymmetric routing group, this is its ASR group number. Stateful failover must be enabled for asymmetric routing support to function properly between units in failover configurations. Valid values for ASR group range from 1 to 32.

Add/Edit Interface Dialog Box

Use the Add/Edit Interface dialog box to add or edit an interface, subinterface, or redundant interface. See About Redundant Interfaces, page 14-4 for more information about redundant interfaces.

You can enable communication between interfaces on the same security level. Inactive interfaces can be disabled. When disabled, the interface does not transmit or receive data, but the configuration information is retained.

In multiple-context mode, you can only add interfaces in the system configuration. See Configuring Security Contexts on Firewall Devices, page 14-82 for information about assigning interfaces to contexts.

If you intend to use a physical interface for failover, do not configure the interface in this dialog box; instead, use the Failover page. In particular, do not specify an interface name, as this parameter disqualifies the interface from being used as the failover link; other parameters are ignored.

After you assign the interface as the failover link or state link, you cannot edit or delete the interface from the Interfaces page. The only exception is that if you set a physical interface to be the state link, you can still configure its speed and duplex.

The options appearing in the Add/Edit Interface dialog box vary based on the selected device type, the mode of the device (routed or transparent), and the type of interface you are defining, such as physical, virtual, logical, or subinterface. See the following sections for specific information:

• Add/Edit Interface Dialog Box (PIX/ASA), page K-26

• Add/Edit Interface Dialog Box (ASA 5505), page K-30

• Add/Edit Interface Dialog Box (PIX 6.3), page K-34

Navigation Path

You can access the Add/Edit Interface dialog box from the Interfaces page. For more information, see Interfaces Page: PIX and ASA, page K-23.

Related Topics

• Configuring Firewall Device Interfaces, page 14-2

• Interfaces Page: PIX and ASA, page K-23

• ASA 5505 Ports and Interfaces Page, page K-45

• Advanced Interface Settings Dialog Box, page K-37

• Add VPDN Group Dialog Box, page K-38

• PPPoE Users Dialog Box, page K-39

Add/Edit Interface Dialog Box (PIX/ASA)

The Add/Edit Interface dialog box is used to define and configure interfaces.

Table K-16 Add/Edit Interface Dialog Box (PIX/ASA)

Element Description

Enable Interface Enables this interface to pass traffic. In addition to this setting, you need to set an IP address (for routed mode) and a name before traffic can pass according to your security policy.

By default, all physical interfaces are shut down. You must enable the physical interface before any traffic can pass through an enabled subinterface. For multiple context mode, if you allocate a physical interface or subinterface to a context, the interfaces are enabled by default in the context. However, before traffic can pass through the context interface, you must also enable the interface in the system configuration. If you shut down an interface in the system execution space, that interface is down in all contexts that share it.

Management Only Sets the interface to accept traffic to the security appliance only, and not through traffic.

Redundant Interface Select this option to define a “redundant interface.” When this option is checked, the Type option is disabled, the Hardware Port, Duplex and Speed options disappear, and the Redundant ID, Primary Interface and Secondary Interface options appear.

See About Redundant Interfaces, page 14-4 for more information.

Type Type of interface. Valid values are:

• Interface – Settings represent a physical interface.

• Subinterface – Settings represent a logical interface attached to the same network as its underlying physical interface.

Note This option is not available when Redundant Interface is selected.

Name Sets an interface name up to 48 characters in length. The name should be a logical name of the interface that relates to its use. Supported interface names are:

• Inside – Connects to your internal network. Must be the most secure interface.

• DMZ – Demilitarized zone attached to an intermediate interface. DMZ is also known as a perimeter network. You can name a DMZ interface any name you choose. Typically, DMZ interfaces are prefixed with “DMZ” to identify the interface type.

• Outside – Connects to an external network or the Internet. Must be the least secure interface.

Note Do not name this interface if you intend to use it for device failover, or as a member of a redundant interface.

Hardware Port For a physical interface, this is the specific hardware port assigned to the interface. This value also represents a name by which subinterfaces can be associated with the interface.

Valid values are:

• Ethernet0 to Ethernetn

• GigabitEthernet0 to GigabitEthernetn

• GigabitEthernets/n

• TenGigabitEthernets/n (ASA 5580 only)

where s represents a slot number, and n represents a port number, up to the maximum number of network ports in the slot or device.

For a subinterface, choose any enabled physical interface to which the subinterface is to be assigned. If you do not see an interface ID, be sure that the physical interface is defined and enabled.

Note This option is not visible when Redundant Interface is selected.

Subinterface ID Sets the subinterface ID as an integer between 1 and 4294967293. The number of subinterfaces allowed depends on your platform.

Note You cannot change the ID after you set it.

Media Type When you enter a hardware port ID with slot/port numbers in the Hardware Port field, the Media Type options are enabled. Specify the media type for the interface:

• RJ45 – Port uses RJ-45 connectors.

• SFP – Port uses fiber SFP connectors. Required for TenGigabitEthernet interface cards.

Redundant ID Available only if Redundant Interface is checked. Provide an identifier for this redundant interface; valid IDs are the integers from 1 to 8.

Primary Interface Available only if Redundant Interface is checked. Choose the primary member of the redundant interface pair from this list of available interfaces. Available interfaces are presented by Hardware Port IDs, as named interfaces cannot be used for a redundant interface pair.

Note Member interfaces must be enabled and of the same type (e.g., GigabitEthernet), and cannot have a Name, IP Address, or Security Level assigned. In fact, do not configure any options other than Duplex and Speed on the member interfaces.

Secondary Interface Available only if Redundant Interface is checked. Choose the secondary member of the redundant interface pair from this list of available interfaces. Available interfaces are presented by Hardware Port IDs, as named interfaces cannot be used for a redundant interface pair.

Note Member interfaces must be enabled and of the same type (e.g., GigabitEthernet), and cannot have a Name, IP Address, or Security Level assigned. In fact, do not configure any options other than Duplex and Speed on the member interfaces.


IP Type Specifies the address type for the interface.

• Static IP – Assigns a static IP address and mask to the interface.

• Use DHCP – Assigns a dynamic IP address and mask to the interface.

• PPPoE – Provides an authenticated method of assigning an IP address to the interface.

Note You can configure DHCP and PPPoE only on the outside interface of a firewall device.

IP Address Specifies the IP address for the device. For a static IP address, select the Use Static IP option and then enter the IP address and mask in the IP Address field. To obtain the IP address from a DHCP server, select the Obtain Address via DHCP option.

• IP address must be unique for each interface.

• The IP address is blank for interfaces that use dynamic addressing.

Note Do not use addresses previously used for routers, hosts, or any other firewall device commands, such as an IP address in the global pool or a static NAT entry.

Subnet Mask Network mask for the IP address of the interface. You can express the value in dotted decimal format (for example, 255.255.255.0) or by entering the number of bits in the network mask (for example, 24).

Note Do not use 255.255.255.254 or 255.255.255.255 for an interface connected to the network because this will stop traffic on that interface.

DHCP Learned Route Metric Available only if Use DHCP is selected for IP Type.

Obtain default route using DHCP Available only if Use DHCP is selected for IP Type. If selected, the firewall device sets the default route using the default gateway parameter the DHCP server returns. Otherwise, you must manually define the default route as a static route on the Static Route Page, page K-184.

Enable Tracking for DHCP Learned Route Available only if Use DHCP is selected for IP Type.

VPDN Group Name Available only if PPPoE is selected for IP Type.

PPPoE Learned Route Metric Available only if PPPoE is selected for IP Type.

Obtain Default Route using PPPoE Available only if PPPoE is selected for IP Type. If selected, the firewall device sets the default route using the default gateway parameter the PPPoE server returns. Otherwise, you must manually define the default route as a static route on the Static Route Page, page K-184.

Enable Tracking for PPPoE Learned Route Available only if PPPoE is selected for IP Type.


VLAN ID For a subinterface, sets the VLAN ID, between 1 and 4094. Some VLAN IDs might be reserved on connected switches, so see the switch documentation for more information. For multiple context mode, you can only set the VLAN in the system configuration.

Duplex Lists the duplex options for the interface, including Full, Half, or Auto, depending on the interface type.

For TenGigabitEthernet (ASA 5580 only), Duplex is automatically set to Full.

Note This option is not visible when Redundant Interface is selected.

Speed Lists the speed options for a physical interface; not applicable to logical interfaces. The speeds available depend on the interface type.

• 10

• 100

• 1000

• 10000 (set automatically for a TenGigabitEthernet interface; available only on ASA 5580)

• non-negotiable

Note This option is not visible when Redundant Interface is selected.

MTU Sets the number of bytes in the maximum transmission unit (MTU). The value depends on the type of network connected to the interface. Valid values are 300 – 65535 bytes. Default is 1500 for all types except PPPoE, for which the default is 1492. For multiple context mode, set the MTU in the context configuration.

Description Sets an optional description up to 240 characters on a single line, without carriage returns. For multiple context mode, the system description is independent of the context description. For a failover or state link, the description is fixed as “LAN Failover Interface,” “STATE Failover Interface,” or “LAN/STATE Failover Interface,” for example. You cannot edit this description. The fixed description overwrites any description you enter here if you make this interface a failover or state link.

Security Level Sets the security level of the interface. Values are between 0 (lowest) and 100 (highest). The security appliance lets traffic flow freely from an inside network to an outside network (lower security level). Many other security features are affected by the relative security level of two interfaces.

• Outside interface is always 0.

• Inside interface is always 100.

• DMZ interfaces are between 1 and 99.
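As an added example (not code from the Cisco Security Manager guide), the following Python checks an interface definition against the constraints Table K-16 states above: name length, a subnet mask in dotted or bit-count form with the two masks the Note warns against rejected, the MTU range and its PPPoE default, the subinterface VLAN range, DHCP and PPPoE only on the outside interface, and the Outside 0 / Inside 100 / DMZ 1 to 99 security level convention. The dictionary layout, key names and sample definitions are this example's own assumptions.

```python
import ipaddress

# Constraints as Table K-16 states them (Add/Edit Interface Dialog Box, PIX/ASA).
NAME_MAX_LEN = 48
MTU_MIN, MTU_MAX = 300, 65535
MTU_DEFAULT, MTU_DEFAULT_PPPOE = 1500, 1492
VLAN_MIN, VLAN_MAX = 1, 4094
# The two masks the Note warns against: they stop traffic on a connected interface.
FORBIDDEN_MASKS = {"255.255.255.254", "255.255.255.255"}


def normalize_mask(mask):
    """Accept dotted decimal (255.255.255.0) or bit count (24); return the prefix length."""
    text = str(mask).strip()
    if text.isdigit():
        bits = int(text)
        if not 0 <= bits <= 32:
            raise ValueError(f"prefix length out of range: {bits}")
        return bits
    # ipaddress rejects an empty or non-contiguous mask with a ValueError.
    return ipaddress.IPv4Network(f"0.0.0.0/{text}", strict=False).prefixlen


def expected_security_level(name):
    """Inclusive level range implied by the name: Outside 0, Inside 100, DMZ* 1-99, else 0-100."""
    lowered = name.lower()
    if lowered == "outside":
        return 0, 0
    if lowered == "inside":
        return 100, 100
    if lowered.startswith("dmz"):
        return 1, 99
    return 0, 100


def validate_interface(iface):
    """Return the list of Table K-16 violations in `iface` (empty list means it passes).
    `iface` is an assumed dict: name, ip_type, ip_address, subnet_mask, security_level,
    optional mtu, subinterface_id and vlan_id (key names are this example's own)."""
    errors = []
    name = iface.get("name", "")
    if not name:
        errors.append("a name is required before traffic can pass")
    elif len(name) > NAME_MAX_LEN:
        errors.append(f"name longer than {NAME_MAX_LEN} characters")

    ip_type = iface.get("ip_type", "Static IP")
    if ip_type != "Static IP" and name.lower() != "outside":
        # Note in the table: DHCP and PPPoE only on the outside interface.
        errors.append(f"{ip_type} can be configured only on the outside interface")

    if ip_type == "Static IP":
        try:
            ipaddress.IPv4Address(iface.get("ip_address", ""))
        except ValueError:
            errors.append("Static IP requires a valid IPv4 address")
        mask = iface.get("subnet_mask", "")
        try:
            if str(mask).strip() in FORBIDDEN_MASKS or normalize_mask(mask) >= 31:
                errors.append(f"mask {mask} stops traffic on a connected interface")
        except ValueError as exc:
            errors.append(f"invalid subnet mask: {exc}")
    elif ip_type == "Use DHCP" and iface.get("ip_address"):
        errors.append("IP address must be blank when the interface uses DHCP")

    mtu = int(iface.get("mtu", MTU_DEFAULT_PPPOE if ip_type == "PPPoE" else MTU_DEFAULT))
    if not MTU_MIN <= mtu <= MTU_MAX:
        errors.append(f"MTU {mtu} outside {MTU_MIN}-{MTU_MAX}")

    if iface.get("subinterface_id") is not None:
        vlan = iface.get("vlan_id")
        if vlan is None or not VLAN_MIN <= int(vlan) <= VLAN_MAX:
            errors.append(f"subinterface needs a VLAN ID between {VLAN_MIN} and {VLAN_MAX}")

    level = iface.get("security_level")
    if level is None:
        errors.append("security level is required")
    elif not 0 <= int(level) <= 100:
        errors.append(f"security level {level} outside 0-100")
    else:
        low, high = expected_security_level(name)
        if not low <= int(level) <= high:
            errors.append(f"security level {level} breaks the convention for {name!r} ({low}-{high})")
    return errors


# Constructed sample definitions (not from the guide) for a self-check.
SAMPLE_INTERFACES = {
    "good_inside": {"name": "inside", "ip_type": "Static IP", "ip_address": "10.1.1.1",
                    "subnet_mask": "255.255.255.0", "security_level": 100},
    "good_dmz_sub": {"name": "DMZ-web", "ip_type": "Static IP", "ip_address": "172.16.5.1",
                     "subnet_mask": "24", "security_level": 50, "subinterface_id": 5, "vlan_id": 105},
    "bad_outside": {"name": "outside", "ip_type": "Static IP", "ip_address": "203.0.113.2",
                    "subnet_mask": "255.255.255.255", "security_level": 10, "mtu": 200},
    "dhcp_on_inside": {"name": "inside", "ip_type": "Use DHCP", "security_level": 100},
}


def check_samples():
    """Map each sample label to its list of violations."""
    return {label: validate_interface(iface) for label, iface in SAMPLE_INTERFACES.items()}
```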


Active MAC Address Use this field to manually assign a private MAC address to the interface.

MAC addresses are provided in H.H.H format, where each H is a 16-bit value written as four hexadecimal digits. For example, the MAC address 00-0C-F1-42-4C-DE would be entered as 000C.F142.4CDE.

By default, a physical interface uses the burned-in MAC address, and all its subinterfaces use the same burned-in MAC address. A redundant interface uses the MAC address of the primary interface, and if you change the order of the member interfaces, the MAC address of the redundant interface changes to match the MAC address of the interface that is now listed first. If you assign a MAC address to a redundant interface using this field, it is used regardless of the member interface MAC addresses.

Standby MAC Address You also can set a standby MAC address for use with device-level failover. If the active unit fails over and the standby unit becomes active, the new active unit begins using the active MAC addresses to minimize network disruption, while the old active unit uses the standby address.

Roles Lists the interface roles associated with the interface. Interface roles are objects that are replaced with the actual interface IP addresses when the configuration is generated for each device. They allow you to define generic rules—ones that can apply to multiple interfaces.

Default options include:

• All-Interfaces – Indicates the interface is a member of the default role assigned to all interfaces.

• Internal – Indicates this interface is a member of the default role associated with all inside interfaces.

• External – Indicates this interface is a member of the default role associated with all outside interfaces.

For more information on roles and how to define and use them, see Understanding Interface Role Objects, page 8-33.

Add/Edit Interface Dialog Box (ASA 5505)

The Add/Edit Interface dialog box presented on an ASA 5505 lets you configure VLAN interfaces on the device. You can access the dialog box from the Interfaces tab on the ASA 5505 Ports and Interfaces Page, page K-45.

Table K-17 Add/Edit Interface Dialog Box (ASA 5505)

Element Description

Enable Interface Enables this interface to pass traffic. In addition to this setting, you need to set an IP address (for routed mode) and a name before traffic can pass according to your security policy.

Management Only Reserves this interface for device administration. Only traffic for management of this device is accepted; pass-through traffic for other interfaces and devices is rejected. You cannot set a primary or backup ISP interface to be management only.


Name Sets an interface name up to 48 characters in length. The name should be a logical name for the interface that relates to its use. If you are using failover, do not name interfaces that you are reserving for failover communications.

Supported interface names are:

• Inside—Connects to your internal network. Must be most secure interface.

• DMZ—“Demilitarized zone” attached to an intermediate interface. DMZ is also known as a perimeter network. You can name a DMZ interface any name you choose. Typically, DMZ interfaces are prefixed with DMZ to identify the interface type.

• Outside—Connects to an external network or the Internet. Must be least secure interface.

IP Type Specifies the address type for the interface; choose one of the following methods and provide related parameters:

• Static IP – Provide a static IP Address and Subnet Mask that represents the security device on this interface’s connected network. If you omit the Subnet Mask value, a “classful” network is assumed.

• Use DHCP – Enables Dynamic Host Configuration Protocol (DHCP) for automatic assignment of an IP address from a DHCP server on the connected network. The following options become available:

– DHCP Learned Route Metric (required) – Assign an administrative distance to the learned route. Valid values are 1 to 255. If this field is blank, the administrative distance for learned routes defaults to 1.

– Obtain Default Route using DHCP – Select this option to obtain a default route from the DHCP server so that you do not need to configure a default static route. See also Static Route Page, page K-184.

– Enable Tracking for DHCP Learned Route – If Obtain Default Route using DHCP is selected, you can select this option to enable route tracking via a specific Service Level Agreement (SLA) monitor. The following options become available:

– Tracked SLA Monitor – Required if Enable Tracking for DHCP Learned Route is selected. Provide the name of the SLA Monitor object to be used for route tracking. You can use the Select button to select from a list of available SLA monitors. (Refer to Monitoring Service Level Agreements (SLAs) To Maintain Connectivity, page 8-77 for more information.)


IP Type (continued)

• PPPoE (PIX and ASA 7.2+) – Enables PPPoE for automatic assignment of an IP address from a PPPoE server on the connected network; not supported with failover.

– VPDN Group Name (required) – Virtual Private Dialup Network (VPDN) group that contains the authentication method and user name/password to use for network connection, negotiation and authentication. See Managing VPDN Groups, page 14-16 for more information.

– IP Address – If provided, this static IP address is used for connection and authentication, instead of a negotiated address.

– Subnet Mask – The subnet mask to be used in conjunction with the provided IP Address.

– PPPoE Learned Route Metric (required) – Assign an administrative distance to the learned route. Valid values are 1 to 255. If this field is blank, the administrative distance for learned routes defaults to 1.

– Obtain Default Route using PPPoE – Select this option to obtain a default route from the PPPoE server; sets the default routes when the PPPoE client has not yet established a connection. When using this option, you cannot have a statically defined route in the configuration.

– Enable Tracking for PPPoE Learned Route – If Obtain Default Route using PPPoE is selected, you can select this option to enable route tracking for PPPoE-learned routes. The following options become available:

– Dual ISP Interface – If you are defining interfaces for dual ISP support, choose Primary or Secondary to indicate which connection you are configuring.

– Tracked SLA Monitor – Required if Enable Tracking for DHCP Learned Route is selected. Provide the name of the SLA Monitor object to be used for route tracking. You can use the Select button to select from a list of available SLA monitors. (Refer to Monitoring Service Level Agreements (SLAs) To Maintain Connectivity, page 8-77 for more information.)

Note You can configure DHCP and PPPoE only on the outside interface of a security appliance.

Note Do not use addresses previously used for routers, hosts, or any other firewall device commands, such as an IP address in the global pool or a static NAT entry.

MTU Sets the number of bytes in the maximum transmission unit (MTU). The value depends on the type of network connected to the interface. Valid values are 300-65535 bytes. Default is 1500 for all types except PPPoE, for which the default is 1492. For multiple context mode, set the MTU in the context configuration.

VLAN ID Sets the VLAN ID, between 1 and 4090. For multiple-context mode, you can only set the VLAN ID in the system configuration.


Security Level Sets the security level of the interface. Values are between 0 (lowest) and 100 (highest). The security appliance lets traffic flow freely from an inside network to an outside network (lower security level). Many other security features are affected by the relative security level of two interfaces.

• Outside interface is always 0.

• Inside interface is always 100.

• DMZ interfaces are between 1 and 99.

Block Traffic To Restricts this VLAN interface from initiating contact with the VLAN chosen here.

Backup Interface Choose a backup ISP for this interface. The backup interface does not pass traffic unless the default route through the primary interface fails. To ensure that traffic can pass over the backup interface, be sure to configure default routes on both the primary and backup interfaces so that the backup interface can be used when the primary fails.

Active MAC Address Use this field to manually assign a MAC address to the interface.

MAC addresses are provided in H.H.H format, where each H is a 16-bit value written as four hexadecimal digits. For example, the MAC address 00-0C-F1-42-4C-DE would be entered as 000C.F142.4CDE.

Standby MAC Address If you assign an Active MAC Address, you also can assign a Standby MAC Address.

Description Sets an optional description up to 240 characters on a single line, without carriage returns. For multiple-context mode, the system description is independent of the context description. For a failover or state link, the description is fixed as “LAN Failover Interface,” “STATE Failover Interface,” or “LAN/STATE Failover Interface,” for example. You cannot edit this description. The fixed description overwrites any description you enter here if you make this interface a failover or state link.

Roles Lists the interface roles associated with the interface. Interface roles are objects that are replaced with the actual interface IP addresses when the configuration is generated for each device. They allow you to define generic rules—ones that can apply to multiple interfaces.

Default options include:

• All-Interfaces—Indicates the interface is a member of the default role assigned to all interfaces.

• Internal—Indicates this interface is a member of the default role associated with all inside interfaces.

• External—Indicates this interface is a member of the default role associated with all outside interfaces.

For more information on roles and how to define and use them, see Understanding Interface Role Objects, page 8-33.


Add/Edit Interface Dialog Box (PIX 6.3)

Table K-18 Add/Edit Interface Dialog Box (PIX 6.3)

Element Description

Enable Interface Enables this interface to pass traffic. In addition to this setting, you must specify an IP address and a name before traffic can pass according to your security policy.

You must enable a physical interface before any traffic can pass through any enabled subinterfaces.

Type Type of VLAN interface. Valid values are:

• Logical—VLAN is associated with a logical interface.

• Physical—VLAN is on the same network as its underlying hardware interface.

Name Sets an interface name up to 48 characters in length. The name should be a logical name of the interface that relates to its use. Supported interface names are:

• Inside—Connects to your internal network. Must be most secure interface.

• DMZ—Demilitarized zone (Intermediate interface). Also known as a perimeter network.

• Outside—Connects to an external network or the Internet. Must be least secure interface.

Hardware Port When defining a physical network interface, this value is the name that identifies the interface type and its slot or port in the device.

When you add a logical network interface, you can choose any enabled physical interface to which you want to add a logical interface. If you do not see the desired hardware port, verify that the interface is enabled.

Valid values are:

• ethernet0 to ethernetn.

• gb-ethernetn.

where n represents the number of network interfaces in the device.

IP Type Specifies the address type for the interface.

• Static IP—Assigns a static IP address and mask to the interface.

• Use DHCP—Assigns a dynamic IP address and mask to the interface.

• Use PPPoE—Provides an authenticated method of assigning an IP address to the interface.

Note You can configure DHCP and PPPoE only on the outside interface of a firewall device.


IP Address Identifies the IP address of the interface. This field is available if Static IP or PPPoE is the IP type.

• IP address must be unique for each interface.

• The IP address is blank for interfaces that use dynamic addressing.

Note Do not use addresses previously used for routers, hosts, or any other firewall device commands, such as an IP address in the global pool or a static NAT entry.

For a static IP address, select Static IP from the IP Type list and then enter the IP address and mask in the IP Address field. To obtain the IP address from a DHCP server, select Use DHCP from the IP Type list.

Subnet Mask Identifies the network mask for IP address of the interface. You can express the value in dotted decimal format (for example, 255.255.255.0) or by entering the number of bits in the network mask (for example, 24).

Note Do not use 255.255.255.254 or 255.255.255.255 for an interface connected to the network because those mask values stop traffic on that interface.

Obtain Default Route using DHCP Available only if Use DHCP is selected for IP Type. If selected, the firewall device sets the default route using the default gateway parameter the DHCP server returns. Otherwise, you must manually define the default route as a static route on the Static Route Page, page K-184.

Retry Count Identifies the number of tries before an error is returned. Valid values are 4 through 16.

Obtain default route using PPPoE Available only if Use PPPoE is selected for IP Type. If selected, the PPPoE client on the firewall device queries the concentrator for a default route. Otherwise, the firewall device generates a default route using the address of the concentrator as the default gateway.


Speed and Duplex Lists the speed options for a physical interface; not applicable to logical interfaces.

• auto—Set Ethernet speed automatically. The auto keyword can be used only with the Intel 10/100 automatic speed sensing network interface card.

• 10baset—10-Mbps Ethernet half-duplex.

• 10full—10-Mbps Ethernet full-duplex.

• 100basetx—100-Mbps Ethernet half-duplex.

• 100full—100-Mbps Ethernet full-duplex.

• 1000auto—1000-Mbps Ethernet to auto-negotiate full- or half-duplex.

Tip We recommend that you do not use this option to maintain compatibility with switches and other devices in your network.

• 1000full—Auto-negotiate, advertising 1000-Mbps Ethernet full-duplex.

• 1000full nonnegotiate—1000-Mbps Ethernet full-duplex.

• aui—10-Mbps Ethernet half-duplex communication with an AUI cable interface.

• bnc—10-Mbps Ethernet half-duplex communication with a BNC cable interface.

Note We recommend that you specify the speed of the network interfaces in case your network environment includes switches or other devices that do not handle autosensing correctly.

MTU Sets the number of bytes in the maximum transmission unit (MTU). The value depends on the type of network connected to the interface. Valid values are 300-65535 bytes. Default is 1500 for all types except PPPoE, for which the default is 1492.

Physical VLAN ID For a physical interface, sets the VLAN ID, between 1 and 4094. This VLAN ID must not be in use on connected devices.

Logical VLAN ID Identifies the alias, a value between 1 and 4094, of the VLAN associated with this logical interface. This value is required if the logical interface type is selected.

Security Level Sets the security level of the interface. Values are between 0 (lowest) and 100 (highest). The security appliance lets traffic flow freely from an inside network to an outside network (lower security level). Many other security features are affected by the relative security level of two interfaces.

• Outside interface is always 0.

• Inside interface is always 100.

• DMZ interfaces are between 1 and 99.


Roles Lists the interface roles associated with the interface. Interface roles are objects that are replaced with the actual interface IP addresses when the configuration is generated for each device. They allow you to define generic rules—ones that can apply to multiple interfaces.

Default options include:

• All-Interfaces—Indicates the interface is a member of the default role assigned to all interfaces.

• Internal—Indicates this interface is a member of the default role associated with all inside interfaces.

• External—Indicates this interface is a member of the default role associated with all outside interfaces.

For more information on roles and how to define and use them, see Understanding Interface Role Objects, page 8-33.

Advanced Interface Settings Dialog Box

Navigation Path

You can access the Advanced Interface Settings dialog box from the Interfaces page or the Interfaces tab on the ASA 5505 Ports and Interfaces page. For more information about these pages, see Interfaces Page: PIX and ASA, page K-23 or ASA 5505 Ports and Interfaces Page, page K-45.

Related Topics

• Configuring Firewall Device Interfaces, page 14-2

• Interfaces Page: PIX and ASA, page K-23

• Interfaces Page: FWSM, page K-40

• ASA 5505 Ports and Interfaces Page, page K-45

• Add/Edit Interface Dialog Box, page K-25

• FWSM Add/Edit Interface Dialog Box, page K-42

• Add VPND Group Dialog Box, page K-38

• PPPoE Users Dialog Box, page K-39

Field Reference

Add VPND Group Dialog Box

Navigation Path

You can access the Add VPND Group dialog box from the Advanced Interface Settings dialog box. For more information about the Advanced Interface Settings dialog box, see Advanced Interface Settings Dialog Box, page K-37.

Related Topics

• Configuring Firewall Device Interfaces, page 14-2

• Interfaces Page: PIX and ASA, page K-23

• Interfaces Page: FWSM, page K-40

• ASA 5505 Ports and Interfaces Page, page K-45

• Add/Edit Interface Dialog Box, page K-25

• FWSM Add/Edit Interface Dialog Box, page K-42

• Advanced Interface Settings Dialog Box, page K-37

• PPPoE Users Dialog Box, page K-39

Table K-19 Advanced Interface Settings Dialog Box

Element Description

Traffic between interfaces with same security levels

Controls communication between interfaces on the same security level. If you enable same security interface communication, you can still configure interfaces at different security levels as usual.

• Disabled—Does not allow communication between interfaces on the same security level.

• Inter-interface—Enables traffic flows between interfaces with the same security level setting. When this option is enabled, you are not required to define translation rules to enable traffic flow between interfaces in the firewall device.

• Intra-interface—Enables traffic flows between sub-interfaces with the same security level setting. When this option is enabled, you are not required to define translation rules to enable traffic flow between sub-interfaces assigned to an interface.

• Both—Allows both intra- and inter-interface communications among interfaces and sub-interfaces with the same security level.

PPPoE Users button Click to access the PPPoE Users dialog box.

VPDN Groups (PIX and ASA 7.2+)

Group Name Displays the group name.

PPPoE Username Displays the PPPoE username.

PPP Authentication Indicates the PPP Authentication method for this VPDN group:

• PAP

• CHAP

• MSCHAP
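The following Python is an added example, not code from the Cisco Security Manager guide or the appliance itself. It applies the rules stated on this page for default connection initiation: the security-level rule from the Add/Edit Interface tables (higher level to lower flows freely, lower to higher does not) together with the four values of the "Traffic between interfaces with same security levels" setting in Table K-19, taking the table's own description of Intra-interface as traffic between sub-interfaces of the same interface. The interface record, the sample topology and the function names are this example's assumptions; access rules, translation rules and the other features the tables mention are outside what it checks.

```python
from collections import namedtuple

# Setting names exactly as listed in Table K-19.
SETTINGS = ("Disabled", "Inter-interface", "Intra-interface", "Both")

# Assumed interface record (this example's own shape, not a CSM object).
# subinterface_id is None for a physical interface.
Interface = namedtuple("Interface", "name level hardware_port subinterface_id")


def _same_parent(a, b):
    """True when both are sub-interfaces of the same hardware port (the intra-interface case
    as Table K-19 describes it)."""
    return (a.subinterface_id is not None and b.subinterface_id is not None
            and a.hardware_port == b.hardware_port)


def default_initiation_allowed(src, dst, setting):
    """Whether src may initiate a connection to dst with no explicit access rule.

    Different security levels: only the higher-level side may initiate.
    Equal security levels: decided by the same-security-level setting."""
    if setting not in SETTINGS:
        raise ValueError(f"unknown setting {setting!r}")
    if src.name == dst.name:
        raise ValueError("compare two distinct interfaces")
    if src.level != dst.level:
        return src.level > dst.level
    if setting == "Disabled":
        return False
    if setting == "Both":
        return True
    if setting == "Inter-interface":
        return not _same_parent(src, dst)
    return _same_parent(src, dst)  # Intra-interface


def flow_matrix(interfaces, setting):
    """Ordered (src, dst) -> allowed, for every pair of distinct interfaces."""
    return {(s.name, d.name): default_initiation_allowed(s, d, setting)
            for s in interfaces for d in interfaces if s.name != d.name}


def pairs_opened_by(interfaces, setting):
    """Pairs that pass by default under `setting` but not under Disabled: what switching the
    setting on silently opens beyond the security-level rule."""
    baseline = flow_matrix(interfaces, "Disabled")
    return sorted(pair for pair, ok in flow_matrix(interfaces, setting).items()
                  if ok and not baseline[pair])


# Constructed topology (not from the guide): two DMZ sub-interfaces on one port at the same
# security level, plus a third DMZ interface on its own port at that level.
SAMPLE_INTERFACES = [
    Interface("outside", 0, "GigabitEthernet0/0", None),
    Interface("inside", 100, "GigabitEthernet0/1", None),
    Interface("DMZ-web", 50, "GigabitEthernet0/2", 10),
    Interface("DMZ-db", 50, "GigabitEthernet0/2", 20),
    Interface("DMZ-partner", 50, "GigabitEthernet0/3", None),
]

if __name__ == "__main__":
    for setting in SETTINGS:
        opened = pairs_opened_by(SAMPLE_INTERFACES, setting)
        print(f"{setting}: opens {len(opened)} pair(s) beyond the level rule: {opened}")
```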


Field Reference

PPPoE Users Dialog Box

Navigation Path

You can access the PPPoE Users dialog box from the Advanced Interface Settings dialog box and from the Add VPND Group dialog box. For more information about the Advanced Interface Settings dialog box, see Advanced Interface Settings Dialog Box, page K-37. For more information about the Add VPND Group dialog box, see Add VPND Group Dialog Box, page K-38.

Related Topics

• Configuring Firewall Device Interfaces, page 14-2

• Interfaces Page: PIX and ASA, page K-23

• Interfaces Page: FWSM, page K-40

• ASA 5505 Ports and Interfaces Page, page K-45

• Add/Edit Interface Dialog Box, page K-25

• FWSM Add/Edit Interface Dialog Box, page K-42

• Advanced Interface Settings Dialog Box, page K-37

• Add VPND Group Dialog Box, page K-38

• Add and Edit PPPoE User Dialog Boxes, page K-40

Field Reference

Table K-20 Add VPND Group Dialog Box

Element Description

Group Name Enter the group name.

PPPoE Username Select the PPPoE username.

PPP Authentication Select the PPP Authentication method:

• PAP

• CHAP

• MSCHAP

Table K-21 PPPoE Users Dialog Box

Element Description

PPPoE Users (PIX and ASA 7.2+)

Username Displays the PPPoE username.

Store in Local Flash Indicates whether this PPPoE user account is to be stored in local flash (True or False).


Add and Edit PPPoE User Dialog Boxes

Navigation Path

You can access the Add PPPoE User and Edit PPPoE User dialog boxes from the PPPoE Users dialog box. For more information about the PPPoE Users dialog box, see PPPoE Users Dialog Box, page K-39.

Note The Add PPPoE User and Edit PPPoE User dialog boxes are virtually identical. The following descriptions apply to both.

Related Topics

• Configuring Firewall Device Interfaces, page 14-2

• Interfaces Page: PIX and ASA, page K-23

• Interfaces Page: FWSM, page K-40

• ASA 5505 Ports and Interfaces Page, page K-45

• Add/Edit Interface Dialog Box, page K-25

• FWSM Add/Edit Interface Dialog Box, page K-42

• Advanced Interface Settings Dialog Box, page K-37

• Add VPND Group Dialog Box, page K-38

• PPPoE Users Dialog Box, page K-39

Field Reference

Table K-22 Add and Edit PPPoE User Dialog Boxes

Element Description

Username Provide a name for the PPPoE user.

Password Enter a password for this user.

Confirm Re-enter the password.

Store Username and Password in Local Flash Select this option to store the PPPoE user information in flash memory.

Interfaces Page: FWSM

The FWSM Interfaces page displays the virtual interfaces (VLANs) configured on the selected Firewall Services Module. You can add or delete logical VLAN interfaces, and also enable communication between interfaces on the same security level. Inactive interfaces can be disabled. When disabled, the interface does not transmit or receive packets, but the configuration information is retained.

Note You can add any logical VLAN interface to the FWSM, but only VLANs that are assigned to the FWSM by its parent switch or router can pass traffic.

If you bootstrapped a new firewall device, the setup feature configures only the addresses and names associated with the inside interface. You must define the remaining interfaces on that device before you can specify access and translation rules for traffic traversing that firewall device.


The Interfaces page settings vary based on the device version, the operational mode (routed vs. transparent), and whether the device hosts a single or multiple contexts. Thus, some fields in the following table might not apply, depending on the device you are defining.

Navigation Path

To access this page, select an FWSM in Device View and then select Interfaces from the Device Policy selector.

Related Topics

• Configuring Firewall Device Interfaces, page 14-2

• FWSM Add/Edit Interface Dialog Box, page K-42

• Add/Edit Bridge Group Dialog Box, page K-44

• Advanced Interface Settings Dialog Box, page K-37

Field Reference

Table K-23 FWSM Interfaces Page

Element Description

Interfaces Tab

Name The name assigned to the interface.

IP Address The IP address and subnet mask assigned to the interface.

Interface Role Lists the interface roles associated with the interface. Interface roles are objects that are replaced with actual interface IP addresses when the configuration is generated for each device. They allow you to define generic rules—ones that can apply to multiple interfaces.

Valid options include:

• All-Interfaces—The interface is a member of the default role assigned to all interfaces.

• Internal—This interface is a member of the default role associated with all inside interfaces.

• External—This interface is a member of the default role associated with all outside interfaces.

For more information on roles and how to define and use them, see Understanding Interface Role Objects, page 8-33.

VLAN ID The VLAN to which this logical interface is assigned.

Bridge Group The bridge group to which this interface is assigned (transparent mode only).

Enabled Indicates if the interface is enabled: true or false.

When disabled, the interface does not transmit or receive packets, but its configuration information is retained.

Security Level Displays the interface security level; a value between 0 and 100.

Management Only Indicates if this interface allows traffic to the security appliance for management purposes only.


Description A description of the interface, if provided.

In the case of a failover or state link, the description is fixed as “LAN Failover Interface,” “STATE Failover Interface,” or “LAN/STATE Failover Interface,” for example. You cannot edit this description.

ASR Group Displays the ASR group number if this interface is part of an asymmetric routing group. Stateful failover must be enabled for asymmetric routing support to function properly between units in failover configurations. Valid values for ASR group range from 1 to 32.

Bridge Groups Tab (transparent mode only)

Bridge Group The name of the bridge group.

ID The identifier assigned to this bridge group.

Interface A The first VLAN assigned to this bridge group.

Interface B The second VLAN assigned to this bridge group.

IP The management IP address assigned to the bridge group. The only IP configuration required for the security appliance is to set the management IP address for each bridge group. The security appliance uses this address as the source address for traffic originating on the appliance, such as system messages or communications with AAA servers. You can also use this address for remote management access.

A transparent firewall does not participate in IP routing.

Netmask Displays the netmask for the management IP address.

Description The description of this bridge group, if one was provided.

FWSM Add/Edit Interface Dialog Box

Use the Add/Edit Interface dialog box to add or edit a virtual interface. In multiple context mode, you can only add interfaces in the system configuration. To assign interfaces to contexts, see Configuring Security Contexts on Firewall Devices, page 14-82.

If you intend to use a physical interface for failover, do not configure the interface in this dialog box; instead, use the Failover page. In particular, do not set the interface name, because a named interface is disqualified from being used as the failover link; other parameters are ignored.

After you assign the interface as the failover link or state link, you cannot edit or delete the interface from the Interfaces page. The only exception is that if you set a physical interface as the state link, you can still configure its speed and duplex.

The options appearing in the Add/Edit Interface dialog box vary based on the selected device version and its mode (routed or transparent).

Navigation Path

You can access the FWSM Add/Edit Interface dialog box from the FWSM Interfaces page. For more information about the Interfaces page, see Interfaces Page: FWSM, page K-40.


Related Topics

• Configuring Firewall Device Interfaces, page 14-2

• Interfaces Page: FWSM, page K-40

• Add/Edit Bridge Group Dialog Box, page K-44

• Advanced Interface Settings Dialog Box, page K-37

Field Reference

Table K-24 FWSM Add/Edit Interface Dialog Box

Element Description

Enable Interface Enables this logical interface on the device. When disabled, the interface does not transmit or receive packets, but its configuration information is retained.

Note You can add any logical VLAN interface to the FWSM, but only VLANs that are assigned to the FWSM by its parent switch or router can pass traffic.

Management Only Sets the interface to accept traffic to the security appliance only, and not through traffic.

Name You can assign an alphanumeric alias of up to 48 characters to the VLAN for ease of identification. However, note that Security Manager does not support named interfaces for FWSMs operating in multiple-context mode.

Special interface names are:

• Inside—Connects to your internal network. Must be the most secure interface.

• DMZ—Demilitarized zone attached to an intermediate interface. DMZ is also known as a perimeter network. You can name a DMZ interface any name you choose. Typically, DMZ interfaces are prefixed with “DMZ” to identify the interface type.

• Outside—Connects to an external network or the Internet. Must be the least secure interface.

Note You cannot name more than two interfaces on an FWSM operating in transparent mode.

IP Address The IP address for the interface.

VLAN ID Enter the desired VLAN ID between 1 and 4096. Some VLAN IDs might be reserved on connected switches, so see the switch documentation for more information. For multiple-context mode, you can only set the VLAN in the system configuration.


Security Level Sets the security level of the interface. Values are between 0 (lowest) and 100 (highest). The security appliance lets traffic flow freely from an inside network (higher security level) to an outside network (lower security level). Many other security features are affected by the relative security level of two interfaces.

• Outside interface is always 0.

• Inside interface is always 100.

• DMZ interfaces are between 1 and 99.

Description If desired, you can enter a description of the logical interface.

Roles Lists the interface roles associated with the interface. Interface roles are objects that are replaced with the actual interface IP addresses when the configuration is generated for each device. They allow you to define generic rules—ones that can apply to multiple interfaces.

Default options include:

• All-Interfaces—Indicates the interface is a member of the default role assigned to all interfaces.

• Internal—Indicates this interface is a member of the default role associated with all inside interfaces.

• External—Indicates this interface is a member of the default role associated with all outside interfaces.

For more information on roles and how to define and use them, see Understanding Interface Role Objects, page 8-33.

ASR Group To add this interface to an asymmetric routing group, enter the ASR group number in this field. Stateful failover must be enabled for asymmetric routing support to function properly between units in failover configurations. Valid values for ASR group range from 1 to 32.

Add/Edit Bridge Group Dialog Box

Use the Add/Edit Bridge Group dialog box to add or edit bridge groups for an FWSM operating in transparent mode.

A transparent firewall connects the same network on its inside and outside interfaces. Each pair of interfaces belongs to a bridge group, to which you must assign a management IP address. You can configure up to eight bridge groups of two interfaces each. Each bridge group connects to a separate network. Bridge group traffic is isolated from other bridge groups; traffic is not routed to another bridge group within the security appliance, and traffic must exit the security appliance before it is routed by an external router back to another bridge group in the security appliance.

You might want to use more than one bridge group if you do not want the overhead of security contexts, or want to maximize your use of security contexts. Although the bridging functions are separate for each bridge group, many other functions are shared between all bridge groups. For example, all bridge groups share a syslog server or AAA server configuration. For complete security policy separation, use security contexts with one bridge group in each context.
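As an added example (not code from the Security Manager guide or the FWSM), the following Python checks a bridge-group definition against the constraints the Add/Edit Bridge Group dialog states in Table K-25: an ID from 1 to 100, two distinct interfaces, a valid management IP address, and a netmask entered either in dotted-decimal form or as a bit count, with 255.255.255.254 and 255.255.255.255 rejected as the dialog's Note warns. The BridgeGroup class, its field names and the sample values are constructed for this example.

```python
"""Validation of an FWSM transparent-mode bridge group definition.

Added example, not code from Cisco Security Manager. The BridgeGroup
fields mirror the Add/Edit Bridge Group dialog; the class itself and the
sample values are constructed for this example.
"""
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class BridgeGroup:
    name: str
    group_id: int          # dialog field "ID", 1 to 100
    interface_a: str       # first VLAN interface of the pair
    interface_b: str       # second VLAN interface of the pair
    ip_address: str        # management IP address of the bridge group
    netmask: str           # dotted decimal ("255.255.255.0") or bit count ("24")


def netmask_to_prefix(value: str) -> int:
    """Accept a dotted-decimal netmask or a bare prefix length; return the prefix length.

    Raises ValueError for a non-contiguous mask, a hostmask (0.0.0.255) or an
    out-of-range bit count.
    """
    text = value.strip()
    if text.isdigit():
        prefix = int(text)
        if not 0 <= prefix <= 32:
            raise ValueError(f"prefix length out of range: {text}")
        return prefix
    # ipaddress rejects non-contiguous masks such as 255.0.255.0 but silently
    # accepts the hostmask form, so compare the normalised netmask back to the input.
    net = ipaddress.IPv4Network(f"0.0.0.0/{text}")
    if str(net.netmask) != text:
        raise ValueError(f"not a netmask: {text}")
    return net.prefixlen


def validate_bridge_group(group: BridgeGroup) -> List[str]:
    """Return a list of problems; an empty list means the definition is acceptable."""
    problems: List[str] = []
    if not group.name.strip():
        problems.append("name is required")
    if not 1 <= group.group_id <= 100:
        problems.append(f"ID {group.group_id} is outside 1-100")
    if group.interface_a == group.interface_b:
        problems.append("Interface A and Interface B must be different VLAN interfaces")
    try:
        ipaddress.IPv4Address(group.ip_address)
    except ValueError:
        problems.append(f"management IP address {group.ip_address!r} is not a valid IPv4 address")
    try:
        prefix = netmask_to_prefix(group.netmask)
    except ValueError as exc:
        problems.append(f"netmask {group.netmask!r} is invalid: {exc}")
    else:
        # The dialog's Note: a /31 or /32 mask stops traffic on the interface.
        if prefix >= 31:
            problems.append(
                f"netmask {group.netmask!r} (/{prefix}) would stop traffic on the interface"
            )
    return problems


if __name__ == "__main__":
    # Constructed sample values.
    good = BridgeGroup("dmz-bridge", 1, "vlan100", "vlan200", "192.0.2.10", "255.255.255.0")
    bad = BridgeGroup("", 0, "vlan100", "vlan100", "192.0.2.300", "255.255.255.255")
    print(validate_bridge_group(good))
    print(validate_bridge_group(bad))
```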


Navigation Path

You can access the Add/Edit Bridge Group dialog box from the FWSM Interfaces page. For more information about the Interfaces page, see Interfaces Page: FWSM, page K-40.

Related Topics

• Configuring Firewall Device Interfaces, page 14-2

• Interfaces Page: FWSM, page K-40

• FWSM Add/Edit Interface Dialog Box, page K-42

• Advanced Interface Settings Dialog Box, page K-37

Field Reference

Table K-25 Add/Edit Bridge Group Dialog Box

Element Description

Name Enter a name for this bridge group.

ID Enter the bridge group ID as an integer between 1 and 100.

Interface A Select the first interface that is part of this bridge group.

Interface B Select the second interface that is part of this bridge group.

IP Address Enter the management IP address for the bridge group. A transparent firewall does not participate in IP routing. The only IP configuration required for the security appliance is to set the management IP address for each bridge group. This address is required because the security appliance uses this address as the source address for traffic originating on the security appliance, such as system messages or communications with AAA servers. You can also use this address for remote management access.

Netmask Network mask for the IP address of the bridge group. You can express the value in dotted decimal format (for example, 255.255.255.0) or by entering the number of bits in the network mask (for example, 24).

Note Do not use 255.255.255.254 or 255.255.255.255 for an interface connected to the network because this will stop traffic on that interface.

Description You can enter an optional description for this bridge group.

ASA 5505 Ports and Interfaces Page

The ASA 5505 adaptive security appliance supports a built-in switch. There are two kinds of ports and interfaces that you need to configure:

• Physical switch ports—The adaptive security appliance has eight Fast Ethernet switch ports that forward traffic at Layer 2, using the switching function in hardware. Two of these ports are PoE ports. You can connect these interfaces directly to user equipment such as PCs, IP phones, or a DSL modem. Or you can connect to another switch.


• Logical VLAN interfaces—In routed mode, these interfaces forward traffic between VLAN networks at Layer 3, using the configured security policy to apply firewall and VPN services. In transparent mode, these interfaces forward traffic between the VLANs on the same network at Layer 2, using the configured security policy to apply firewall services.

To segregate the switch ports into separate VLANs, you assign each switch port to a VLAN interface. Switch ports on the same VLAN can communicate with each other using hardware switching. When a switch port on VLAN 1 communicates with a switch port on VLAN 2, the adaptive security appliance applies the security policy to the traffic and routes or bridges between the two VLANs.

Note Subinterfaces are not available for the ASA 5505 adaptive security appliance.

Navigation Path

To access this feature, select an ASA 5505 in Device View and then select Interfaces from the Device Policy selector.

Related Topics

• Configuring Firewall Device Interfaces, page 14-2

• Configure Hardware Ports Dialog Box, page K-48

• Add/Edit Interface Dialog Box (PIX/ASA), page K-26

• Advanced Interface Settings Dialog Box, page K-37

• Add VPND Group Dialog Box, page K-38

• PPPoE Users Dialog Box, page K-39

Field Reference

Table K-26 ASA 5505 Ports and Interfaces Page

Element Description

Hardware Ports Tab

Hardware Port Identifies the switch port.

Enabled Indicates whether this switch port is enabled or not (Yes or No).

Associated VLANs Shows the VLAN or VLANs that are associated with this port.

Associated Interface Names Shows the interface name of the VLAN(s) that are associated with this port.

Mode Shows the mode for this port:

• Access Port—Port is in access mode.

• Trunk Port—Port is in trunk mode. Trunk mode is available only with the Security Plus license. Trunk ports do not support untagged packets; there is no native VLAN support, and the adaptive security appliance drops all packets that do not contain a tag for one of the VLANs configured for this port.


Protected Identifies whether the port is isolated or not (Yes or No). This option prevents the switch port from communicating with other protected switch ports on the same VLAN. You might want to prevent switch ports from communicating with each other if the devices on those switch ports are primarily accessed from other VLANs, you do not need to allow intra-VLAN access, and you want to isolate the devices from each other in case of infection or other security breach. For example, if you have a DMZ that hosts three web servers, you can isolate the web servers from each other if you apply the Protected option to each switch port. The inside and outside networks can both communicate with all three web servers, and vice versa, but the web servers cannot communicate with each other.

Interfaces Tab

Name Displays the interface ID. All physical interfaces are listed automatically. For ASA/PIX 7.0 devices, subinterfaces are indicated by the interface ID followed by .n, where n is the subinterface number.

IP Address Type Specifies the method by which the IP address is provided. Valid options are:

• static—Identifies that the IP address is manually defined.

• dhcp—Identifies that the IP address is obtained via a DHCP lease.

• pppoe—Identifies that the IP address is obtained using PPPoE.

IP Address Displays the IP address, or in transparent mode, the word “native.” Transparent mode interfaces do not use IP addresses.

Block Traffic To Displays the interface to which traffic is blocked.

Backup Interface Displays the interface that acts as backup for this interface.

Interface Role Lists the interface roles associated with the interface. Interface roles are objects that are replaced with the actual interface IP addresses when the configuration is generated for each device. They allow you to define generic rules—ones that can apply to multiple interfaces.

Valid options include:

• All-Interfaces—Indicates the interface is a member of the default role assigned to all interfaces.

• Internal—Indicates this interface is a member of the default role associated with all inside interfaces.

• External—Indicates this interface is a member of the default role associated with all outside interfaces.

For more information on roles and how to define and use them, see Understanding Interface Role Objects, page 8-33.

Enabled Indicates if the interface is enabled (Yes or No).

Vlan ID Identifies the VLAN ID for this interface.

Security Level Displays the interface security level between 0 and 100.



Management Only Indicates if the interface allows traffic to the security appliance for management purposes only.

MTU Displays the MTU. By default, the MTU is 1500.

Description Displays a description of the interface.

Configure Hardware Ports Dialog Box

Use the Configure Hardware Ports dialog box to configure the switch ports on an ASA 5505, including setting the mode, assigning a switch port to a VLAN, and setting the Protected option.

Caution The ASA 5505 does not support Spanning Tree Protocol for loop detection in the network. Therefore, you must ensure that any connection with the appliance does not end up in a network loop.

Navigation Path

You can access the Configure Hardware Ports dialog box from the Hardware Ports tab of the ASA 5505 Interfaces page. For more information about this page, see ASA 5505 Ports and Interfaces Page, page K-45.

Related Topics

• Configuring Firewall Device Interfaces, page 14-2

• ASA 5505 Ports and Interfaces Page, page K-45

• Add/Edit Interface Dialog Box (PIX/ASA), page K-26

• Advanced Interface Settings Dialog Box, page K-37

• Add VPND Group Dialog Box, page K-38

• PPPoE Users Dialog Box, page K-39

Field Reference

Table K-27 Configure Hardware Ports Dialog Box

Element Description

Enable Interface Select to enable this switch port.

Isolated Select this option to prevent this port from communicating with other protected switch ports on the same VLAN. You might want to prevent switch ports from communicating with each other if the devices on those switch ports are primarily accessed from other VLANs, if you do not need to allow intra-VLAN access, and you want to isolate the devices from each other in case of infection or other security breach. For example, if you have a DMZ that hosts three web servers, you can isolate the web servers from each other if you apply the Isolated option to each switch port. The inside and outside networks can both communicate with all three web servers, and vice versa, but the web servers cannot communicate with each other.


Hardware Port Choose the switch port that you are configuring.

Mode Choose a mode for this port:

• Access Port—Sets the port to access mode. Access ports can be assigned to one VLAN.

• Trunk Port—Sets the port to trunk mode, in which the port can carry multiple VLANs using 802.1Q tagging. Trunk mode is available only with the Security Plus license. Trunk ports do not support untagged packets; there is no native VLAN support, and the appliance drops all packets that do not contain a tag for one of the VLANs configured for this port.

VLAN ID Enter the VLAN ID(s) according to the chosen Mode:

• Access Port mode—Enter the VLAN ID to which you want to assign this switch port.

• Trunk Port mode—Enter the VLAN IDs to which you want to assign this switch port, separated by commas.

Duplex Lists the duplex options for the port, including Full, Half, or Auto. The Auto setting is the default.

If you set the duplex to anything other than Auto on PoE ports Ethernet 0/6 or 0/7, then Cisco IP phones and Cisco wireless access points that do not support IEEE 802.3af will not be detected and supplied with power.

Speed Choose a speed for the port:

• auto (default)

• 10

• 100

If you set the speed to anything other than Auto on PoE ports Ethernet 0/6 or 0/7, then Cisco IP phones and Cisco wireless access points that do not support IEEE 802.3af will not be detected and supplied with power.

The default Auto setting also includes the Auto-MDI/MDIX feature. Auto-MDI/MDIX eliminates the need for crossover cabling by performing an internal crossover when a straight cable is detected during the auto-negotiation phase. Either the speed or duplex must be set to Auto to enable Auto-MDI/MDIX for the interface. If you explicitly set both the speed and duplex to a fixed value, thus disabling auto-negotiation for both settings, then Auto-MDI/MDIX is also disabled.



Bridging

This section discusses the following pages:

• ARP Table Page, page K-50

• ARP Inspection Page, page K-52

• MAC Address Table Page, page K-53

• MAC Learning Page, page K-54

• Management IP Page, page K-56

ARP Table Page

Use the ARP Table page to add static ARP entries. Each entry maps a MAC address to an IP address and identifies the interface through which the host is reached.

Navigation Path

• (Device view) Select Platform > Bridging > ARP Table from the Device Policy selector.

• (Policy view) Select PIX/ASA/FWSM Platform > Bridging > ARP Table from the Policy Type selector. Right-click ARP Table to create a policy, or select an existing policy from the Shared Policy selector.

Related Topics

• Add/Edit ARP Configuration Dialog Box, page K-51

• Bridging, page K-50

• ARP Inspection Page, page K-52

• MAC Address Table Page, page K-53

• MAC Learning Page, page K-54

• Management IP Page, page K-56

Field Reference

Table K-28 ARP Table Page

Element Description

Timeout (seconds) The amount of time, between 60 and 4294967 seconds, before the security appliance rebuilds the ARP table. The default is 14400 seconds.

Rebuilding the ARP table automatically updates new host information and removes old host information. You might want to reduce the timeout if the host information changes frequently.

Note The timeout applies to the dynamic ARP table, and not the static entries contained in the ARP table.

ARP Table

Interface The interface to which the host is attached.

IP Address The IP address of the host.


MAC Address The MAC address of the host.

Alias Enabled Indicates whether the security appliance performs proxy ARP for this mapping. If this setting is enabled and the security appliance receives an ARP request for the specified IP address, it responds with the security appliance MAC address. When the security appliance receives traffic destined for the host belonging to the IP address, the security appliance forwards the traffic to the host MAC address that you specify in this entry. This feature is useful if you have devices that do not perform ARP, for example.

Note In transparent firewall mode, this setting is ignored and the security appliance does not perform proxy ARP.

Add/Edit ARP Configuration Dialog Box

Use the Add/Edit ARP Configuration dialog box to add a static ARP entry that maps a MAC address to an IP address and identifies the interface through which the host is reached.

Navigation Path

You can access the Add/Edit ARP Configuration dialog box from the ARP Table page. For more information about the ARP Table page, see ARP Table Page, page K-50.

Related Topics

• Bridging, page K-50

• ARP Table Page, page K-50

Field Reference

Table K-29 Add/Edit ARP Configuration dialog box

Element Description

Interface The name of the interface to which the host network is attached.

IP Address The IP address of the host.

MAC Address The MAC address of the host; for example, 00e0.1e4e.3d8b.

Enable Alias When selected, enables proxy ARP for this mapping. If the security appliance receives an ARP request for the specified IP address, it responds with the security appliance MAC address. When the security appliance receives traffic destined for the host belonging to the IP address, the security appliance forwards the traffic to the host MAC address that you specify in this entry. This feature is useful if you have devices that do not perform ARP, for example.

Note In transparent firewall mode, this setting is ignored and the security appliance does not perform proxy ARP.


ARP Inspection Page

Use the ARP Inspection page to configure ARP inspection for a transparent firewall. ARP inspection is used to prevent ARP spoofing.

Navigation Path

• (Device view) Select Platform > Bridging > ARP Inspection from the Device Policy selector.

• (Policy view) Select PIX/ASA/FWSM Platform > Bridging > ARP Inspection from the Policy Type selector. Right-click ARP Inspection to create a policy, or select an existing policy from the Shared Policy selector.

Related Topics

• Add/Edit ARP Inspection Dialog Box, page K-52

• Bridging, page K-50

• ARP Table Page, page K-50

• MAC Address Table Page, page K-53

• MAC Learning Page, page K-54

• Management IP Page, page K-56

Field Reference

Add/Edit ARP Inspection Dialog Box

Use the Add/Edit ARP Inspection dialog box to enable or disable ARP inspection for a transparent firewall interface.

Navigation Path

You can access the Add/Edit ARP Inspection dialog box from the ARP Inspection page. For more information about the ARP Inspection page, see ARP Inspection Page, page K-52.

Related Topics

• Bridging, page K-50

• ARP Inspection Page, page K-52

Table K-30 ARP Inspection Page

Element Description

ARP Inspection Table

Interface The name of the interface to which the ARP inspection setting applies.

ARP Inspection Enabled Indicates whether ARP inspection is enabled on the specified interface.

Flood Enabled Indicates whether packets that do not match any element of a static ARP entry should be flooded out all interfaces except the originating interface. If there is a mismatch between the MAC address, the IP address, or the interface, the security appliance drops the packet. If you do not select this check box, all non-matching packets are dropped.

Note The dedicated management interface, if present, never floods packets even if this parameter is set to flood.
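The proxy ARP behaviour of a static ARP entry with Enable Alias (Table K-28 and Table K-29) and the match, mismatch and flood decisions of ARP inspection (Table K-30 and the Add/Edit ARP Inspection dialog box), as an added Python simulation; this is not Security Manager or appliance code. The data model, interface and MAC values, and the rule that a packet sharing only the IP address or only the MAC address of a static entry counts as a mismatch are assumptions of the example.

```python
"""Simulation of static ARP entries (proxy ARP via Enable Alias) and
transparent-firewall ARP inspection as described in this appendix.

Added example, not Cisco Security Manager or appliance code. The data
model, interface names, MAC addresses and the exact matching rule are
assumptions made for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MANAGEMENT_INTERFACE = "management"   # assumed name of the dedicated management interface


@dataclass(frozen=True)
class StaticArpEntry:
    interface: str
    ip_address: str
    mac_address: str
    alias: bool = False          # "Enable Alias": proxy ARP for this mapping


@dataclass(frozen=True)
class ArpPacket:
    ingress: str                 # interface the ARP packet arrived on
    sender_ip: str
    sender_mac: str


@dataclass
class ArpInspection:
    enabled: bool = False        # "Enable ARP Inspection on this interface"
    flood: bool = False          # "Flood ARP packets"


class Appliance:
    def __init__(self, mode: str, interfaces: List[str], mac_address: str) -> None:
        if mode not in ("routed", "transparent"):
            raise ValueError("mode must be 'routed' or 'transparent'")
        self.mode = mode
        self.interfaces = list(interfaces)
        self.mac_address = mac_address            # the appliance's own MAC address
        self.static_arp: List[StaticArpEntry] = []
        self.inspection: Dict[str, ArpInspection] = {}

    def add_static_arp(self, entry: StaticArpEntry) -> None:
        if entry.interface not in self.interfaces:
            raise ValueError(f"unknown interface {entry.interface!r}")
        self.static_arp.append(entry)

    def configure_inspection(self, interface: str, enabled: bool, flood: bool) -> None:
        self.inspection[interface] = ArpInspection(enabled=enabled, flood=flood)

    def answer_arp_request(self, target_ip: str) -> Optional[str]:
        """Proxy ARP: the MAC to answer with, or None if the request is not answered.

        With Enable Alias the appliance replies with its own MAC address for the
        mapped IP address. In transparent mode the alias setting is ignored.
        """
        if self.mode == "transparent":
            return None
        for entry in self.static_arp:
            if entry.ip_address == target_ip and entry.alias:
                return self.mac_address
        return None

    def forward_to(self, destination_ip: str) -> Optional[Tuple[str, str]]:
        """Static mapping used to deliver traffic for a host: (interface, host MAC)."""
        for entry in self.static_arp:
            if entry.ip_address == destination_ip:
                return entry.interface, entry.mac_address
        return None

    def inspect(self, packet: ArpPacket) -> Tuple[str, List[str]]:
        """Apply ARP inspection to a received ARP packet.

        Returns (verdict, egress interfaces) where verdict is "forward",
        "drop" or "flood". "forward" means the packet is bridged normally.
        """
        setting = self.inspection.get(packet.ingress, ArpInspection())
        if self.mode != "transparent" or not setting.enabled:
            return "forward", []
        partial_match = False
        for entry in self.static_arp:
            if (entry.ip_address == packet.sender_ip
                    and entry.mac_address == packet.sender_mac
                    and entry.interface == packet.ingress):
                return "forward", []          # all three elements agree
            # Assumed rule: sharing the IP or the MAC of a static entry while
            # another element differs is the "mismatch" the dialog describes.
            if entry.ip_address == packet.sender_ip or entry.mac_address == packet.sender_mac:
                partial_match = True
        if partial_match:
            return "drop", []                  # a static entry is contradicted: possible spoof
        if not setting.flood:
            return "drop", []                  # flood not selected: all non-matching packets dropped
        # Flood out every interface except the originating one; the dedicated
        # management interface never floods.
        egress = [i for i in self.interfaces
                  if i not in (packet.ingress, MANAGEMENT_INTERFACE)]
        return "flood", egress
```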


Field Reference

Table K-31 Add/Edit ARP Inspection dialog box

Element Description

Interface The name of the interface for which you are enabling or disabling ARP inspection.

Enable ARP Inspection on this interface When selected, enables ARP inspection on the specified interface.

Flood ARP packets When selected, packets that do not match any element of a static ARP entry are flooded out all interfaces except the originating interface. If there is a mismatch between the MAC address, the IP address, or the interface, the security appliance drops the packet. If you do not select this check box, all non-matching packets are dropped.

Note The dedicated management interface, if present, never floods packets even if this parameter is set to flood.

MAC Address Table Page

Use the MAC Address Table page to add static MAC address entries to the MAC Address table. The table associates the MAC address with the source interface so that the security appliance knows to send any packets addressed to the device out the correct interface.

Navigation Path

• (Device view) Select Platform > Bridging > MAC Address Table from the Device Policy selector.

• (Policy view) Select PIX/ASA/FWSM Platform > Bridging > MAC Address Table from the Policy Type selector. Right-click MAC Address Table to create a policy, or select an existing policy from the Shared Policy selector.

Related Topics

• Add/Edit MAC Table Entry Dialog Box, page K-54

• Bridging, page K-50

• ARP Table Page, page K-50

• ARP Inspection Page, page K-52

• MAC Learning Page, page K-54

• Management IP Page, page K-56


Field Reference

Table K-32 MAC Address Table Page

Aging Time (minutes): Sets the number of minutes, between 5 and 720 (12 hours), that a MAC address entry stays in the MAC address table before timing out. 5 minutes is the default.

MAC Address Table

Interface: The interface to which the MAC address is associated.

MAC Address: The MAC address; for example, 00e0.1e4e.3d8b.

Add/Edit MAC Table Entry Dialog Box

Use the Add/Edit MAC Table Entry dialog box to add static MAC address entries to the MAC Address table or to modify entries in the MAC Address table.

Navigation Path

You can access the Add/Edit MAC Table Entry dialog box from the MAC Address Table page. For more information about the MAC Address Table page, see MAC Address Table Page, page K-53.

Related Topics

• Bridging, page K-50

• MAC Address Table Page, page K-53

Field Reference

Table K-33 Add/Edit MAC Table Entry Dialog Box

Interface: The interface to which the MAC address is associated.

MAC Address: The MAC address; for example, 00e0.1e4e.3d8b.

MAC Learning Page

Use the MAC Learning page to enable or disable MAC address learning on an interface. By default, each interface learns the MAC addresses of entering traffic, and the security appliance adds corresponding entries to the MAC address table. You can disable MAC address learning if desired; however, unless you statically add MAC addresses to the table, no traffic can pass through the security appliance.

Navigation Path

• (Device view) Select Platform > Bridging > MAC Learning from the Device Policy selector.

• (Policy view) Select PIX/ASA/FWSM Platform > Bridging > MAC Learning from the Policy Type selector. Right-click MAC Learning to create a policy, or select an existing policy from the Shared Policy selector.


Related Topics

• Add/Edit MAC Learning Dialog Box, page K-55

• Bridging, page K-50

• ARP Table Page, page K-50

• ARP Inspection Page, page K-52

• MAC Address Table Page, page K-53

• Management IP Page, page K-56

Field Reference

Table K-34 MAC Learning Page

MAC Learning Table

Interface: The interface to which the MAC learning setting applies.

MAC Learning Enabled: Indicates whether the security appliance learns MAC addresses from traffic entering the interface.

Add/Edit MAC Learning Dialog Box

Use the Add/Edit MAC Learning dialog box to enable or disable MAC address learning on an interface.

Navigation Path

You can access the Add/Edit MAC Learning dialog box from the MAC Learning page. For more information about the MAC Learning page, see MAC Learning Page, page K-54.

Related Topics

• Bridging, page K-50

• MAC Learning Page, page K-54

Field Reference

Table K-35 Add/Edit MAC Learning Dialog Box

Interface: The interface to which the MAC learning setting applies.

MAC Learning Enabled: When selected, the security appliance learns MAC addresses from traffic entering the interface.


Management IP Page

Use the Management IP page to set the management IP address for a security appliance or for a context in transparent firewall mode.

Navigation Path

• (Device view) Select Platform > Bridging > Management IP from the Device Policy selector.

• (Policy view) Select PIX/ASA/FWSM Platform > Bridging > Management IP from the Policy Type selector. Right-click Management IP to create a policy, or select an existing policy from the Shared Policy selector.

Related Topics

• Bridging, page K-50

• ARP Table Page, page K-50

• ARP Inspection Page, page K-52

• MAC Address Table Page, page K-53

• MAC Learning Page, page K-54

Field Reference

Table K-36 Management IP Page

Management IP Address: The management IP address.

Subnet Mask: The subnet mask that corresponds to the management IP address.

AAA Page

This page includes tabs for configuring authentication, authorization, and accounting:

• Authentication Tab, page K-57

• Authorization Tab, page K-58

• Accounting Tab, page K-58

Navigation Path

• (Device view) Select Platform > Device Admin > AAA from the Device Policy selector.

• (Policy view) Select PIX/ASA/FWSM Platform > Device Admin > AAA from the Policy Type selector. Right-click AAA to create a policy, or select an existing policy from the Shared Policy selector.


Authentication Tab

Use the Authentication tab to enable authentication for administrator access to the security appliance. The Authentication tab also allows you to configure the prompts and messages that a user sees when authenticated by a AAA server.

Navigation Path

You can access the Authentication tab from the AAA page. For more information about the AAA page, see AAA Page, page K-56.

Related Topics

• Configuring AAA, page 14-28

• Authorization Tab, page K-58

• Accounting Tab, page K-58

Field Reference

Table K-37 Authentication Tab

Require AAA Authentication to allow use of privileged mode commands

Enable: Forces AAA authentication from a server group before you can access enable mode on the firewall. This option allows up to three tries to access the firewall console. If this number is exceeded, an access denied message appears.

Server Group: Provides a drop-down menu from which you can choose a server group to force AAA authentication.

Use LOCAL when server group fails: Uses the LOCAL server group if the selected server group fails.

Require AAA Authorization for the following types of connections

Connection type: Specify the connection types that require authorization:

• HTTP—Require AAA authentication when you start an HTTPS connection to the firewall console.

• Serial—Require AAA authentication when you connect to the firewall console via the serial console cable. The firewall prompts you for your username and password before you can enter commands. If the authentication server is offline, wait until the console login request times out. You can then access the console with the firewall username and the enable password.

• SSH—Require AAA authentication when you start a Secure Shell (SSH) connection to the firewall console. This option allows up to three tries to access the firewall console. If this number is exceeded, an access denied message appears. This option requests a username and password before the first command line prompt on the SSH console.

• Telnet—Require AAA authentication when you start a Telnet connection to the firewall console. You must authenticate before you can enter a Telnet command.

Server Group: Specify the server group to use for authorization.

Use LOCAL when server group fails: Uses the LOCAL server group if the selected server group fails.

Authentication Prompts

Login Prompt: Enter the prompt a user will see when logging in to the security appliance.

User Accepted Message: Enter the message a user will see when successfully authenticated by the security appliance.

User Rejected Message: Enter the message a user will see when authentication by the security appliance fails.

Authorization Tab

The Authorization tab allows you to configure authorization for accessing firewall commands.

Navigation Path

You can access the Authorization tab from the AAA page. For more information about the AAA page, see AAA Page, page K-56.

Related Topics

• Configuring AAA, page 14-28

• Authentication Tab, page K-57

• Accounting Tab, page K-58

Field Reference

Table K-38 Authorization Tab

Enable Authorization for Command Access: Requires authorization for accessing firewall commands.

Server Group: Specify the server group to use for authorization.

Use LOCAL when server group fails: Uses the LOCAL server group if the selected server group fails.

Accounting Tab

Use the Accounting tab to enable accounting for access to the firewall device and for access to commands on the device.

Navigation Path

You can access the Accounting tab from the AAA page. For more information about the AAA page, see AAA Page, page K-56.


Related Topics

• Configuring AAA, page 14-28

• Authentication Tab, page K-57

• Authorization Tab, page K-58

Field Reference

Table K-39 Accounting Tab

Require AAA Accounting for privileged commands

Enable: When selected, enables the generation of accounting records to mark the entry to and exit from privileged mode for administrative access via the console.

Server Group: Specify the server or group of RADIUS or TACACS+ servers to which accounting records are sent.

Require AAA Accounting for the following types of connections

Connection type: Specify the connection types that will generate accounting records:

• HTTP—Enable or disable the generation of accounting records to mark the establishment and termination of admin sessions created over HTTP. Valid server group protocols are RADIUS and TACACS+.

• Serial—Enable or disable the generation of accounting records to mark the establishment and termination of admin sessions that are established via the serial interface to the console. Valid server group protocols are RADIUS and TACACS+.

• SSH—Enable or disable the generation of accounting records to mark the establishment and termination of admin sessions created over SSH. Valid server group protocols are RADIUS and TACACS+.

• Telnet—Enable or disable the generation of accounting records to mark the establishment and termination of admin sessions created over Telnet. Valid server group protocols are RADIUS and TACACS+.

Server Group: Specify the server or group of RADIUS or TACACS+ servers to which accounting records are sent.

Require Accounting for command access

Enable: When selected, enables the generation of accounting records for commands entered by an administrator/user.

Server Group: Provides a drop-down menu from which you can choose the server or group of RADIUS or TACACS+ servers to which accounting records are sent.

Privilege Level: Minimum privilege level that must be associated with a command for an accounting record to be generated. The default privilege level is 0.


Banner Page

Use the Banner page to configure message of the day, login and session banners.

Navigation Path

• (Device view) Select Platform > Device Admin > Banner from the Device Policy selector.

• (Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Banner from the Policy Type selector. Right-click Banner to create a policy, or select an existing policy from the Shared Policy selector.

Related Topics

• Server Access, page K-96

Field Reference

Table K-40 Banner Page

Session (exec) Banner: Enter text that you want the system to display as a banner before displaying the enable prompt.

Note The tokens $(domain) and $(hostname) are replaced with the hostname and domain name of the security appliance. When you enter a $(system) token in a context configuration, the context uses the banner configured in the system configuration.

Login Banner: Enter text that you want the system to display as a banner before the password login prompt when someone accesses the security appliance using Telnet.

Note The tokens $(domain) and $(hostname) are replaced with the hostname and domain name of the security appliance. When you enter a $(system) token in a context configuration, the context uses the banner configured in the system configuration.

Message-of-the-Day (motd) Banner: Enter text that you want the system to display as a message-of-the-day banner.

Note The tokens $(domain) and $(hostname) are replaced with the hostname and domain name of the security appliance. When you enter a $(system) token in a context configuration, the context uses the banner configured in the system configuration.
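How the three banner tokens resolve, including a context banner that pulls in the system banner through $(system), as an added example (not Cisco's code or the appliance's implementation). The sample banner texts are constructed, and it is assumed that $(system) stays literal when it appears in the system configuration itself and that the hostname and domain passed in are those of the configuration being rendered.

```python
import re
from typing import Dict, Optional

# The three tokens the Banner page documents.
TOKEN_RE = re.compile(r"\$\((hostname|domain|system)\)")


def expand_banner(text: str, hostname: str, domain: str,
                  system_banner: Optional[str] = None, in_context: bool = False) -> str:
    """Replace $(hostname) and $(domain); in a context, $(system) inserts the system banner."""
    def replace(match):
        token = match.group(1)
        if token == "hostname":
            return hostname
        if token == "domain":
            return domain
        # $(system) in a context configuration uses the banner configured in the
        # system configuration; that banner may itself contain $(hostname)/$(domain).
        if in_context and system_banner is not None:
            return expand_banner(system_banner, hostname, domain)
        return match.group(0)   # assumption: left literal in the system configuration itself
    return TOKEN_RE.sub(replace, text)


def render_banners(banners: Dict[str, str], hostname: str, domain: str,
                   system_banners: Optional[Dict[str, str]] = None,
                   in_context: bool = False) -> Dict[str, str]:
    """Expand the motd, login and exec banners of one device or context."""
    system_banners = system_banners or {}
    return {kind: expand_banner(text, hostname, domain, system_banners.get(kind), in_context)
            for kind, text in banners.items()}


# Constructed sample banners (system configuration and one context).
SYSTEM_BANNERS = {
    "motd": "Authorized use only. Activity on $(hostname).$(domain) is monitored.",
    "login": "Enter credentials for $(hostname)",
    "exec": "Configuration changes are logged.",
}
CONTEXT_BANNERS = {
    "motd": "$(system)",                      # inherit the system motd banner unchanged
    "login": "Context admin - $(hostname)",   # context-specific login banner
    "exec": "$(system) Context: admin",       # system exec banner plus a context suffix
}

if __name__ == "__main__":
    rendered = render_banners(CONTEXT_BANNERS, "asa1", "example.net",
                              SYSTEM_BANNERS, in_context=True)
    for kind, text in rendered.items():
        print(f"{kind}: {text}")
```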


Boot Image/Configuration Page

Use the Boot Image/Configuration page to specify which image file the security appliance will boot from, as well as which configuration file it will use at startup. You can also specify the path to the ASDM image file on the security appliance.

Navigation Path

• (Device view) Select Platform > Device Admin > Boot Image/Configuration from the Device Policy selector.

• (Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Boot Image/Configuration from the Policy Type selector. Right-click Boot Image/Configuration to create a policy, or select an existing policy from the Shared Policy selector.

Related Topics

• Configuring Boot Image and Configuration Settings, page 14-34

• Images Dialog Box, page K-62

Field Reference

Table K-41 Boot Image/Configuration Page

Boot Config Location: The configuration file to use when the system is loaded. Use the following syntax:

• disk0:/[path/]filename

Indicates the internal Flash card. You can also use flash instead of disk0, as they are aliased.

• disk1:/[path/]filename

Indicates the external Flash card.

• flash:/[path/]filename

ASDM Image Location: The location of the ASDM software image to be used when ASDM sessions are initiated. Use the following syntax:

• disk0:/[path/]filename

Indicates the internal Flash card. You can also use flash instead of disk0, as they are aliased.

• disk1:/[path/]filename

Indicates the external Flash card.

• flash:/[path/]filename

• tftp://[user[:password]@]server[:port]/[path/]filename

Boot Images Table

No.: Identifies the number of the boot image.

Images: Identifies the path and name of the boot image.
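A validator for the location syntax in the table above (the same syntax the Images dialog box accepts for boot image entries), as an added example that is not Cisco's code or Security Manager's own validation. It treats flash: as the alias of disk0: the page describes, rejects tftp:// for the Boot Config Location because the page lists no tftp form for it, and reports a TFTP location that embeds a password; the file names, server address and page-level check function are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# disk0:/[path/]filename, disk1:/[path/]filename, flash:/[path/]filename (flash aliases disk0)
LOCAL_RE = re.compile(r"^(?P<fs>disk0|disk1|flash):/(?P<path>(?:[^/\s]+/)*)(?P<file>[^/\s]+)$")
# tftp://[user[:password]@]server[:port]/[path/]filename
TFTP_RE = re.compile(
    r"^tftp://(?:(?P<user>[^:@/\s]+)(?::(?P<password>[^@/\s]*))?@)?"
    r"(?P<server>[^:/@\s]+)(?::(?P<port>\d{1,5}))?/(?P<path>(?:[^/\s]+/)*)(?P<file>[^/\s]+)$"
)


@dataclass(frozen=True)
class ImageLocation:
    scheme: str                  # "disk0", "disk1" or "tftp"
    path: str                    # directory part: "" or ending in "/"
    filename: str
    server: Optional[str] = None
    port: Optional[int] = None
    user: Optional[str] = None
    has_password: bool = False   # the password value itself is deliberately not kept


def parse_image_location(value: str, allow_tftp: bool = True) -> ImageLocation:
    """Parse one location string; raise ValueError if it does not follow the documented syntax."""
    m = LOCAL_RE.match(value)
    if m:
        fs = "disk0" if m.group("fs") == "flash" else m.group("fs")   # flash: is an alias of disk0:
        return ImageLocation(fs, m.group("path"), m.group("file"))
    m = TFTP_RE.match(value)
    if m:
        if not allow_tftp:
            raise ValueError("tftp:// is not accepted here; use disk0:/, disk1:/ or flash:/")
        port = int(m.group("port")) if m.group("port") else None
        if port is not None and not 1 <= port <= 65535:
            raise ValueError(f"TFTP port out of range: {port}")
        return ImageLocation("tftp", m.group("path"), m.group("file"), m.group("server"),
                             port, m.group("user"), m.group("password") is not None)
    raise ValueError(f"not a valid image location: {value!r}")


def check_boot_settings(boot_config: str, asdm_image: str, boot_images: List[str]) -> List[str]:
    """Validate a whole Boot Image/Configuration page; returns findings (empty list means clean)."""
    findings: List[str] = []
    try:
        parse_image_location(boot_config, allow_tftp=False)   # Boot Config Location has no tftp form
    except ValueError as err:
        findings.append(f"Boot Config Location: {err}")
    labelled = [("ASDM Image Location", asdm_image)]
    labelled += [(f"boot image {n}", img) for n, img in enumerate(boot_images, start=1)]
    for label, value in labelled:
        try:
            loc = parse_image_location(value)
        except ValueError as err:
            findings.append(f"{label}: {err}")
            continue
        if loc.has_password:
            findings.append(f"{label}: TFTP password embedded in the location string")
    return findings


if __name__ == "__main__":
    # Constructed sample values; the file names are placeholders, not real image names.
    print(parse_image_location("flash:/images/image.bin"))
    print(check_boot_settings("disk0:/startup.cfg",
                              "tftp://admin:s3cret@192.0.2.10/asdm.bin",
                              ["disk0:/image.bin", "disk2:/image.bin"]))
```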


Images Dialog Box

Use the Images dialog box to add a boot image entry to the boot order list.

Navigation Path

You can access the Images dialog box from the Boot Image/Configuration page. For more information about the Boot Image/Configuration page, see Boot Image/Configuration Page, page K-61.

Related Topics

• Configuring Boot Image and Configuration Settings, page 14-34

• Boot Image/Configuration Page, page K-61

Field Reference

Table K-42 Images Dialog Box

Image File: Enter the path and name of the image file to add to the boot order list. See the following syntax:

• disk0:/[path/]filename

This option is available only for the ASA platform, and indicates the internal Flash card. You can also use flash instead of disk0, as they are aliased.

• disk1:/[path/]filename

This option is available only for the ASA platform, and indicates the external Flash card.

• flash:/[path/]filename

• tftp://[user[:password]@]server[:port]/[path/]filename

Clock Page

The Clock page lets you set the date and time for the security appliance. In multiple context mode, set the time in the system configuration only.

To dynamically set the time using an NTP server, see Configuring NTP Settings, page 14-58; time derived from an NTP server overrides any time set manually on the Clock page.

Navigation Path

• (Device view) Select Platform > Device Admin > Clock from the Device Policy selector.

• (Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Clock from the Policy Type selector. Right-click Clock to create a policy, or select an existing policy from the Shared Policy selector.

Related Topics

• Configuring Clock Settings, page 14-35

• Configuring NTP Settings, page 14-58

• NTP Page, page K-112


Field Reference

Table K-43 Clock Page

Device Time Zone: Select the time zone for the device from the list.

Daylight Savings Time (Summer Time): Select whether daylight savings time is used and if so what method is used to specify when daylight savings time applies:

None—Disables daylight savings time on the security appliance.

Set by Date—Select this option to specify the date and time when daylight savings time begins and ends for a specific year. If you use this option, you need to reset the dates every year.

Set Recurring—Select this option to specify the start and end dates for daylight saving time using the month, week, and day on which daylight savings time begins and ends. This option allows you to set a recurring date range that you do not need to alter yearly.

Set by Date

Date (Begin/End): Enter the date on which daylight savings time begins and ends in MMM dd YYYY format (for example, Jul 15 2005). You can also click Calendar to select the date from a calendar.

Hour (Begin/End): Select the hour, from 00 to 23, in which daylight savings time begins and the hour in which it ends.

Minute (Begin/End): Select the minute, from 00 to 59, at which daylight savings time begins and the minute at which it ends.

Set Recurring

Specify Recurring Time: Select this option to specify the start and end dates for daylight saving time using the month, week, and day on which daylight savings time begins and ends. This option allows you to set a recurring date range that you do not need to alter yearly.

Month (Begin/End): Select the month in which daylight savings time begins and the month in which it ends.

Week (Begin/End): Select the week of the month in which daylight savings time begins and the week in which it ends. You can select the numerical value that corresponds to the week, 1 through 5, or you can specify the first or last week in the month by selecting first or last. For example, if the day might fall in the partial fifth week, specify “last”.

Weekday (Begin/End): Select the day on which daylight savings time begins and the day on which it ends.

Hour (Begin/End): Select the hour, from 0 to 23, in which daylight savings time begins and the hour in which it ends.

Minute (Begin/End): Select the minute, from 00 to 59, at which daylight savings time begins and the minute at which it ends.
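Resolving a Set Recurring begin/end row (month, week, weekday, hour, minute) to the concrete dates of a given year, as an added example that is not Cisco's code or the appliance's implementation. Week 1 through 5 is taken to mean the nth occurrence of the weekday in the month, and the case the table warns about (a fifth occurrence that does not exist in a given year) is reported with the page's advice to use "last"; the sample rule is a constructed one for 2005.

```python
import calendar
from datetime import datetime
from typing import Tuple, Union

WEEKDAY_INDEX = {"monday": 0, "tuesday": 1, "wednesday": 2, "thursday": 3,
                 "friday": 4, "saturday": 5, "sunday": 6}
MONTH_INDEX = {name.lower(): i for i, name in enumerate(calendar.month_name) if name}


def nth_weekday_of_month(year: int, month: int, week: Union[int, str],
                         weekday: Union[int, str]) -> int:
    """Day of month for the given week ('first', 'last' or 1-5) and weekday (name or Mon=0..Sun=6)."""
    if isinstance(weekday, str):
        weekday = WEEKDAY_INDEX[weekday.lower()]
    days_in_month = calendar.monthrange(year, month)[1]
    occurrences = [d for d in range(1, days_in_month + 1)
                   if calendar.weekday(year, month, d) == weekday]
    if week == "last":
        return occurrences[-1]
    if week == "first":
        week = 1
    if not isinstance(week, int) or not 1 <= week <= 5:
        raise ValueError("week must be 1-5, 'first' or 'last'")
    if week > len(occurrences):
        # The fifth week is only partial in most months; the page's advice is to specify "last".
        raise ValueError(f"no occurrence {week} of that weekday in {year}-{month:02d}; use 'last'")
    return occurrences[week - 1]


def recurring_boundary(year: int, month: Union[int, str], week: Union[int, str],
                       weekday: Union[int, str], hour: int, minute: int) -> datetime:
    """Resolve one Set Recurring row (Begin or End) to a local datetime in the given year."""
    if isinstance(month, str):
        month = MONTH_INDEX[month.lower()]
    if not (0 <= hour <= 23 and 0 <= minute <= 59):
        raise ValueError("hour must be 0-23 and minute 0-59")
    day = nth_weekday_of_month(year, month, week, weekday)
    return datetime(year, month, day, hour, minute)


# (month, week, weekday, hour, minute) exactly as entered on the Clock page
Rule = Tuple[Union[int, str], Union[int, str], Union[int, str], int, int]


def is_summer_time(when: datetime, begin: Rule, end: Rule) -> bool:
    """True if the local time 'when' falls inside the recurring summer-time range of its year."""
    start = recurring_boundary(when.year, *begin)
    stop = recurring_boundary(when.year, *end)
    if start <= stop:
        return start <= when < stop
    # Begin later in the year than End (southern hemisphere): the range wraps the new year.
    return when >= start or when < stop


# Constructed sample rule: first Sunday of April 02:00 to last Sunday of October 02:00.
BEGIN: Rule = ("April", "first", "Sunday", 2, 0)
END: Rule = ("October", "last", "Sunday", 2, 0)

if __name__ == "__main__":
    print(recurring_boundary(2005, *BEGIN), recurring_boundary(2005, *END))
    print(is_summer_time(datetime(2005, 7, 15, 12, 0), BEGIN, END))
```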


Credentials Page

Use the Credentials page to specify the future contact settings that Security Manager should use when contacting a device. You can also use the Contact Credentials page to change the login password and the enable password on a device.

Navigation Path

• (Device view) Select Platform > Device Admin > Credentials from the Device Policy selector.

• (Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Credentials from the Policy Type selector. Right-click Credentials to create a policy, or select an existing policy from the Shared Policy selector.

Related Topics

• Configuring Contact Credentials, page 14-36

• User Accounts Page, page K-115

Field Reference

Table K-44 Contact Credentials Page

Username: Specifies the username for logging in to the device.

Password: Specifies the password for logging in to the device.

Confirm: Confirms the password entered in the Password field. The values in the Password and Confirm fields must match before you can save these settings.

Privilege Level: Specifies the privilege level of the user logging in to the device.

Enable Password: Specifies the new enable password for the device.

Confirm: Confirms the password entered in the Enable Password field. The values in the Enable Password and Confirm fields must match before you can save these settings.

Telnet/SSH Password: Specifies the new login password for the device.

Confirm: Confirms the password entered in the Telnet/SSH Password field. The values in the Telnet/SSH Password and Confirm fields must match before you can save these settings.

CPU Threshold Page

Use the CPU Threshold page to specify the percentage of CPU usage above which you want to receive a notification and the duration that the usage must remain above that threshold before the notification is generated.

Navigation Path

• (Device view) Select Platform > Device Admin > CPU Threshold from the Device Policy selector.

• (Policy view) Select PIX/ASA/FWSM Platform > Device Admin > CPU Threshold from the Policy Type selector. Right-click CPU Threshold to create a policy, or select an existing policy from the Shared Policy selector.
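The notification rule of the CPU Threshold page (usage at or above the rising threshold for the whole monitoring period) applied to a series of CPU samples, as an added example that is not Cisco's code or the appliance's implementation. The sample series is constructed, and it is assumed that one notification is generated per continuous run above the threshold.

```python
from typing import Iterable, List, Optional, Tuple


def cpu_threshold_notifications(samples: Iterable[Tuple[float, float]],
                                rising_threshold_pct: float,
                                monitoring_period_s: float) -> List[float]:
    """Return the sample timestamps at which a notification is generated.

    samples: (timestamp in seconds, CPU utilization percent) in time order.
    A notification fires once utilization has stayed at or above the threshold for
    at least monitoring_period_s; a sample below the threshold resets the run.
    """
    if not 0 <= rising_threshold_pct <= 100:
        raise ValueError("CPU Rising Threshold Percentage must be 0-100")
    if monitoring_period_s <= 0:
        raise ValueError("CPU Monitoring Period must be a positive number of seconds")
    fired: List[float] = []
    run_start: Optional[float] = None   # time the current at-or-above-threshold run began
    notified = False                    # assumption: one notification per run
    last_ts: Optional[float] = None
    for ts, pct in samples:
        if last_ts is not None and ts < last_ts:
            raise ValueError("samples must be in time order")
        last_ts = ts
        if pct >= rising_threshold_pct:
            if run_start is None:
                run_start, notified = ts, False
            if not notified and ts - run_start >= monitoring_period_s:
                fired.append(ts)
                notified = True
        else:
            run_start = None            # utilization fell below the threshold: start over
    return fired


# Constructed sample: one reading every 10 seconds over three minutes.
SAMPLES = [(0, 40), (10, 85), (20, 90), (30, 88), (40, 95), (50, 91), (60, 87), (70, 84),
           (80, 60), (90, 92), (100, 95), (110, 70), (120, 99), (130, 97), (140, 96),
           (150, 98), (160, 93), (170, 90)]


def example(threshold_pct: float = 80, period_s: float = 60) -> List[float]:
    """Evaluate the sample series with the given page settings."""
    return cpu_threshold_notifications(SAMPLES, threshold_pct, period_s)


if __name__ == "__main__":
    print("threshold 80%, period 60 s ->", example())          # the 10 s-70 s run qualifies
    print("threshold 90%, period 30 s ->", example(90, 30))    # only the run from 120 s on
```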


Related Topics

• Configuring SNMP, page 14-41

• SNMP Page, page K-71

• SNMP Trap Configuration Dialog Box, page K-72

Field Reference

Table K-45 CPU Threshold Page

CPU Rising Threshold Percentage: Enter the percentage of CPU usage above which you want to receive a notification. If the CPU utilization percentage is equal to or above this value for the duration specified in the CPU Monitoring Period field then a notification will be sent.

CPU Monitoring Period (seconds): Enter the number of seconds that the percentage of CPU usage must remain at or above the threshold set in the CPU Rising Threshold Percentage field before a notification is sent.

Device Access

The Device Access section is located under the Device Admin folder in the Policy selector. The following topics describe the pages for Device Access:

• Console Page, page K-65

• HTTP Page, page K-66

• ICMP Page, page K-67

• Management Access Page, page K-69

• Secure Shell Page, page K-69

• SNMP Page, page K-71

• Telnet Page, page K-74

Console Page

Use the Console page to specify a time period for the management console to remain active. When the time limit you specify is reached, the console shuts down.

In the Console Timeout field, enter the number of minutes a console session can remain idle before the firewall device closes it. Valid values are 0 to 60 minutes. To prevent a console session from timing out, enter 0.

Navigation Path

• (Device view) Select Platform > Device Admin > Device Access > Console from the Device Policy selector.

• (Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Device Access > Console from the Policy Type selector. Right-click Console to create a policy, or select an existing policy from the Shared Policy selector.


Related Topics

• Device Access, page K-65

HTTP Page

The HTTP page provides a table that specifies the addresses of all the hosts or networks that are allowed access to the firewall device using HTTPS. You can use this table to add or change the hosts or networks that are allowed access.

The HTTP page also displays information about HTTP redirection and HTTPS user certificate requirements for interfaces on the firewall device. You can use this table to change the entries for HTTP redirection and HTTPS user certificate requirements.

Navigation Path

• (Device view) Select Platform > Device Admin > Device Access > HTTP from the Device Policy selector.

• (Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Device Access > HTTP from the Policy Type selector. Right-click HTTP to create a policy, or select an existing policy from the Shared Policy selector.

Related Topics

• Device Access, page K-65

• HTTP Configuration Dialog Box, page K-67

Field Reference

Table K-46 HTTP Page

Enable HTTP Server: Enables or disables HTTPS access to the firewall device.

HTTP Interface Table

Interface: Lists the interface on the firewall device from which the administrative access to the device manager is allowed.

Network: Lists the IP address and netmask, separated by a slash (“/”), of hosts or networks that are permitted to establish an HTTPS connection with the firewall device.

Authentication Certificate: Identifies if a user certificate is required to authenticate users who are establishing HTTPS connections.

Redirect Port: Identifies the port the security appliance listens on for HTTP requests, which it then redirects to HTTPS. If this column is empty, then HTTP redirect is disabled.


HTTP Configuration Dialog Box

Use the HTTP Configuration dialog box to add a host or network that will be allowed administrative access to the firewall device manager over HTTPS.

Navigation Path

You can access the HTTP Configuration dialog box from the HTTP page. For more information about the HTTP page, see HTTP Page, page K-66.

Related Topics

• Device Access, page K-65

• HTTP Page, page K-66

Field Reference

Table K-47 HTTP Configuration Dialog Box

Interface Name: Specifies the interface on the firewall device from which administrative access to the firewall device manager is allowed.

IP Address/Netmask: Enter the IP address and netmask, separated by a “/”, of the host or network that is permitted to establish an HTTPS connection with the firewall device.

Enable Authentication Certificate: Specifies whether user certificate authentication is required to establish an HTTPS connection.

Redirect port: Identifies the port the security appliance listens on for HTTP requests, which it then redirects to HTTPS. To disable HTTP redirect, ensure that this field is blank.

ICMP Page

The ICMP page provides a table that lists the ICMP rules, which specify the addresses of all the hosts or networks that are allowed or denied ICMP access to the firewall device. You can use this table to add or change the hosts or networks that are allowed to or prevented from sending ICMP messages to the firewall device.

Navigation Path

• (Device view) Select Platform > Device Admin > Device Access > ICMP from the Device Policy selector.

• (Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Device Access > ICMP from the Policy Type selector. Right-click ICMP to create a policy, or select an existing policy from the Shared Policy selector.

Related Topics

• Device Access, page K-65

• Add and Edit ICMP Dialog Boxes, page K-68


Field Reference

Table K-48 ICMP Page

ICMP Rules Table

Interface: Lists the interface on the security appliance from which ICMP access is allowed.

Action: Displays whether ICMP messages are permitted or denied from the specified network or host.

Network: Lists the IP address and netmask, separated by a “/”, of hosts or networks that are allowed or denied access.

ICMP Service: Lists the type of ICMP message to which the rule applies.

Add and Edit ICMP Dialog Boxes

Use the Add ICMP dialog box to add an ICMP rule, which specifies the addresses of all the hosts or networks that are allowed or denied ICMP access to the firewall device.

Note The Edit ICMP dialog box is virtually identical to the Add ICMP dialog box, and is used to modify existing ICMP rules. The following descriptions apply to both dialog boxes.

Navigation Path

You can access the Add or Edit ICMP dialog boxes from the ICMP page. For more information about the ICMP page, see ICMP Page, page K-67.

Related Topics

• Device Access, page K-65

• ICMP Page, page K-67

Field Reference

Table K-49 Add and Edit ICMP Dialog Boxes

Action: Choose whether ICMP messages are permitted or denied on the specified network or host:

• Permit – ICMP messages from the specified host or network and interface are allowed.

• Deny – ICMP messages from the specified host or network and interface will be dropped.

ICMP Service: Enter or select the type of ICMP service message to which the rule applies.

Interface: Enter or select the interface on the firewall device from which ICMP access is allowed.

Network: Enter the IP address and netmask, separated by a slash (/), of the host or network that is allowed or denied access. You can also select a Network/Host object.

Management Access Page

The Management Access page lets you enable or disable management access on a high-security interface and thus lets you perform management functions on the firewall device. Use this feature if VPN is configured on the firewall device and the external interface is using a dynamically assigned IP address. For example, this feature is helpful for accessing and managing the firewall device securely from home using the VPN client.

In the Management Access Interface field, enter the name of the device interface that permits management access connections. You can click Select to select the interface from a list of interface objects.

You can enable this feature on an internal interface to allow management functions to be performed on the interface over an IPsec VPN tunnel. You can enable the Management Access feature on only one interface at a time. Clear the Management Access Interface field to disable management access.

Navigation Path

• (Device view) Select Platform > Device Admin > Device Access > Management Access from the Device Policy selector.

• (Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Device Access > Management Access from the Policy Type selector. Right-click Management Access to create a policy, or select an existing policy from the Shared Policy selector.

Related Topics

• Device Access, page K-65

Secure Shell Page

Use the Secure Shell page to configure rules that permit only specific hosts or networks to connect to a firewall device for administrative access using the SSH protocol.

Navigation Path

• (Device view) Select Platform > Device Admin > Device Access > Secure Shell from the Device Policy selector.

• (Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Device Access > Secure Shell from the Policy Type selector. Right-click Secure Shell to create a policy, or select an existing policy from the Shared Policy selector.

Related Topics

• Configuring Secure Shell, page 14-40

• Device Access, page K-65

• Add and Edit SSH Host Dialog Boxes, page K-70

Field Reference

Table K-50 Secure Shell Page

Element Description

SSH Version Restricts the version of SSH accepted by the firewall device. By default, SSH Version 1 and SSH Version 2 connections are accepted.

Timeout The number of minutes, 1 to 60, the Secure Shell session can remain idle before the firewall device closes it.

Enable Secure Copy Select this option to enable the secure copy server on the security appliance.

Secure Shell Access Rule Table

Interface The name of a firewall device interface that will permit SSH connections.

Network The IP address of each host or network permitted to connect to this security appliance through the specified interface.

Add and Edit SSH Host Dialog Boxes

Use the Add Host dialog box to add an SSH access rule.

Note The Edit Host dialog box is virtually identical to the Add Host dialog box, and is used to modify existing SSH access rules. The following descriptions apply to both dialog boxes.

Navigation Path

You can access the Add and Edit Host dialog boxes from the Secure Shell page. For more information about the Secure Shell page, see Secure Shell Page, page K-69.

Related Topics

• Configuring Secure Shell, page 14-40

• Device Access, page K-65

• Secure Shell Page, page K-69

Field Reference

Table K-51 Add and Edit Host Dialog Boxes

Element Description

Interface Enter or Select the name of the device interface that permits SSH connections.

IP Addresses Enter or Select the IP address for each host or network that is permitted to establish an SSH connection with the security device; use commas to separate multiple entries.
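The SSH access rules above, like the ICMP rules earlier in this section and the Telnet access rules later in it (Table K-56), are lists of "address/netmask" entries per interface. The following is an added example, not Cisco Security Manager code, that evaluates such a rule table the way the appliance applies it (a connection is accepted only when a rule on the arriving interface covers the source address) and flags entries wider than a single host. The rule rows, interface names and addresses are constructed sample data; the `/32` default for a bare address follows the Telnet note that a single host is written with netmask 255.255.255.255 or 32.

```python
"""Evaluate management-access rules of the kind listed in the Secure Shell,
Telnet and ICMP tables: each rule names a device interface and one or more
'address/netmask' entries, comma-separated, where the netmask is either a
dotted quad (255.255.255.0) or a prefix length (24).

Added example for this section; it is not Cisco Security Manager code and
the rule rows below are constructed sample data."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class AccessRule:
    interface: str
    networks: Tuple[ipaddress.IPv4Network, ...]


def parse_entries(text: str) -> Tuple[ipaddress.IPv4Network, ...]:
    """Parse 'addr/mask, addr/mask, ...'. A bare address means a single host,
    matching the Telnet note that a host is written with mask 255.255.255.255 or 32."""
    networks = []
    for raw in text.split(","):
        raw = raw.strip()
        if not raw:
            continue
        if "/" not in raw:
            raw += "/32"
        # strict=False keeps '10.1.2.5/24' usable (host bits are cleared to 10.1.2.0/24)
        networks.append(ipaddress.IPv4Network(raw, strict=False))
    return tuple(networks)


def build_rules(rows: List[Tuple[str, str]]) -> List[AccessRule]:
    """rows are (interface, entries) pairs as they appear in the access table."""
    return [AccessRule(iface, parse_entries(entries)) for iface, entries in rows]


def is_permitted(rules: List[AccessRule], interface: str, source_ip: str) -> bool:
    """A connection is accepted only if a rule on the arriving interface covers
    the source address; an interface with no rule admits no management traffic."""
    src = ipaddress.IPv4Address(source_ip)
    return any(
        rule.interface == interface and any(src in net for net in rule.networks)
        for rule in rules
    )


def audit_broad_entries(rules: List[AccessRule]) -> List[Tuple[str, str, int]]:
    """List every entry wider than a single host, with the number of addresses it
    admits. A /24 here usually means the internal subnet mask was pasted in,
    which the Telnet note warns against."""
    return [
        (rule.interface, str(net), net.num_addresses)
        for rule in rules
        for net in rule.networks
        if net.num_addresses > 1
    ]


# Constructed sample table: two management interfaces, one entry too wide.
SAMPLE_RULES = build_rules([
    ("inside", "10.1.1.5/255.255.255.255, 10.1.2.0/24"),
    ("management", "192.0.2.10"),
])

if __name__ == "__main__":
    for iface, ip in [("inside", "10.1.1.5"), ("inside", "10.1.3.1"), ("outside", "10.1.1.5")]:
        print(iface, ip, "permitted" if is_permitted(SAMPLE_RULES, iface, ip) else "denied")
    print("broad entries:", audit_broad_entries(SAMPLE_RULES))
```

Running the audit against a rule table before deployment makes the second entry on "inside" visible as 256 admitted addresses, which is the situation the Telnet note describes; a host that should have been entered with netmask 255.255.255.255 shows up with the internal network's mask instead.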

SNMP Page

The SNMP page lets you configure the security appliance for monitoring by Simple Network Management Protocol (SNMP) management stations.

Navigation Path

• (Device view) Select Platform > Device Admin > Device Access > SNMP from the Device Policy selector.

• (Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Device Access > SNMP from the Policy Type selector. Right-click SNMP to create a policy, or select an existing policy from the Shared Policy selector.

Related Topics

• Configuring SNMP, page 14-41

• Device Access, page K-65

• SNMP Trap Configuration Dialog Box, page K-72

• Add SNMP Host Access Entry Dialog Box, page K-73

Field Reference

Table K-52 SNMP Page

Element Description

Password (Community String)

Enter the password used by the SNMP management station when sending requests to the firewall. The SNMP community string is a shared secret among the SNMP management stations and the network nodes being managed. The firewall uses the password to determine if the incoming SNMP request is valid. The password is a case-sensitive value up to 32 characters in length. Spaces are not permitted.

System Administrator Name Enter the name of the firewall system administrator. The text is case-sensitive and can be up to 127 characters. Spaces are accepted, but multiple spaces are shortened to a single space.

Location Specify the firewall location. The text is case-sensitive and can be up to 127 characters. Spaces are accepted, but multiple spaces are shortened to a single space.

Port (PIX 7.x and ASA only) Specify the port on which incoming requests will be accepted.

Configure Traps button Click to open the SNMP Trap Configuration dialog box from which you can configure SNMP trap settings.

SNMP Hosts Table

Interface Identifies the interface on which the SNMP management station resides.

IP Address Identifies the IP address of the SNMP management station.

Community String Identifies the password used by the SNMP management station when sending requests to the firewall. The SNMP community string is a shared secret among the SNMP management stations and the network nodes being managed. The firewall uses the password to determine if the incoming SNMP request is valid. The password is a case-sensitive value up to 32 characters in length. Spaces are not permitted.

SNMP Version Identifies the version of SNMP set on the management station.

Poll/Trap Displays the method for communicating with this management station: poll only, trap only, or both trap and poll.

• Poll—The firewall device waits for a periodic request from the management station.

• Trap—The firewall device sends syslog events to the management station when they occur.

UDP Port Specifies the UDP port for the SNMP host. The default value is 162.

SNMP Trap Configuration Dialog Box

Use the SNMP Trap Configuration dialog box to configure trap settings.

Traps differ from polling (browsing): they are unsolicited notifications from the managed device to the management station for certain events, such as link up, link down, and syslog event generated.

An SNMP object ID (OID) for the security appliance is included in SNMP event traps sent from the security appliance. Firewall devices provide the system OID both in SNMP event traps and in the SNMP mib-2.system.sysObjectID object.

The SNMP service running on a firewall device performs two different functions:

• Replies to SNMP requests from management stations (also known as SNMP clients).

• Sends traps (event notifications) to management stations or other devices that are registered to receive them from the security appliance.

Cisco firewall devices support three types of traps:

• firewall

• generic

• syslog

Navigation Path

You can access the SNMP Trap Configuration dialog box from the SNMP page. See SNMP Page, page K-71 for more information.

Related Topics

• Configuring SNMP, page 14-41

• Device Access, page K-65

• SNMP Page, page K-71

• Add SNMP Host Access Entry Dialog Box, page K-73

Field Reference

Table K-53 SNMP Trap Configuration Dialog Box

Element Description

Standard SNMP Traps (PIX 7.x, ASA and FWSM only)

Select the standard SNMP traps you want sent:

• Authentication—Enables the authentication standard trap.

• Cold Start—Enables the cold start standard trap.

• Link Up—Enables the link up standard trap.

• Link Down—Enables the link down standard trap.

Entity MIB Notifications (PIX 7.x and ASA only)

Select the Entity MIB Notifications that you want to enable:

• FRU Insert—Enables a trap notification when a Field Replaceable Unit (FRU) has been inserted.

• FRU Remove—Enables a trap notification when a Field Replaceable Unit (FRU) has been removed.

• Configuration Change—Enables a trap notification when there has been a hardware change.

IPsec Traps (PIX 7.x and ASA only)

Select the IPsec traps that you want to enable:

• Start—Enables a trap when IPsec starts.

• Stop—Enables a trap when IPsec stops.

Remote Access Traps (PIX 7.x and ASA only)

Select the Remote Access traps that you want to enable:

• Session Threshold Exceeded—Enables the firewall device to send traps when remote access sessions reach the defined limit.

Enable Syslog Traps Enables or disables the sending of syslog messages to the SNMP management station.

Add SNMP Host Access Entry Dialog Box

Use the Add SNMP Host Access Entry dialog box to add SNMP management stations.

Navigation Path

You can access the Add SNMP Host Access Entry dialog box from the SNMP page. See SNMP Page, page K-71 for more information.

Related Topics

• Device Access, page K-65

• SNMP Page, page K-71

• SNMP Trap Configuration Dialog Box, page K-72

Field Reference

Table K-54 Add SNMP Host Access Entry Dialog Box

Element Description

Interface Name Select the interface on which the SNMP management station resides. You can click Select to select the interface from a list of interface objects.

IP Address Enter the IP address of the SNMP management station. You can click Select to select the IP address from a list of IP address objects.

UDP Port Enter the UDP port for the SNMP host. This field allows you to override the default value of 162 for the SNMP host UDP port.

Community String Enter the password used by the SNMP management station when sending requests to the firewall. The SNMP community string is a shared secret among the SNMP management stations and the network nodes being managed. The firewall uses the password to determine if the incoming SNMP request is valid. The password is a case-sensitive value up to 32 characters in length. Spaces are not permitted.

SNMP Version Select the version of SNMP set on the management station.

Server Poll/Trap Specification

Specify the method for communicating with this management station: poll only, trap only, or both trap and poll.

• Poll—The firewall device waits for a periodic request from the management station.

• Trap—The firewall device sends syslog events to the management station when they occur.

Telnet Page

Use the Telnet page to configure rules that permit only specific hosts or networks to connect to the firewall device using the Telnet protocol.

Navigation Path

• (Device view) Select Platform > Device Admin > Device Access > Telnet from the Device Policy selector.

• (Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Device Access > Telnet from the Policy Type selector. Right-click Telnet to create a policy, or select an existing policy from the Shared Policy selector.

Related Topics

• Configuring Telnet, page 14-44

• Device Access, page K-65

• Telnet Configuration Dialog Box, page K-75

Field Reference

Table K-55 Telnet Page

Element Description

Timeout Number of minutes a Telnet session can remain idle before the firewall device closes it. Values can range from 1 to 1440 minutes.

Telnet Access Table

Interface Interface that receives Telnet packets from the client.

IP Addresses The IP address and network mask of each host or network that can access the Telnet console through the specified interface.

Telnet Configuration Dialog Box

Use the Telnet Configuration dialog box to configure Telnet options for an interface.

Navigation Path

You can access the Telnet Configuration dialog box from the Telnet page. See Telnet Page, page K-74 for more information.

Related Topics

• Configuring Telnet, page 14-44

• Device Access, page K-65

• Telnet Page, page K-74

Field Reference

Table K-56 Telnet Configuration Dialog Box

Element Description

Interface Name Enter or Select an interface that can receive Telnet packets from a client.

IP Addresses/Netmask Enter or Select the IP address and netmask, separated by a “/”, of each host or network permitted to access the firewall device’s Telnet console through the specified interface. Use commas to separate multiple entries.

Note To limit access to a single IP address, use 255.255.255.255 or 32 as the netmask. Do not use the subnetwork mask of the internal network.

Failover Policies

This section discusses the pages that you use to configure failover for your firewall devices. The pages that are available for firewall configuration change depending on the type of firewall device you are configuring.

PIX 6.x Firewalls

• Failover Page (PIX 6.x), page K-76

– Edit Failover Interface Configuration Dialog Box (PIX 6.x), page K-77

– Bootstrap Configuration for LAN Failover Dialog Box, page K-91


Firewall Services Modules

• Failover Page (FWSM), page K-78

– Advanced Settings Dialog Box, page K-81

– Add Interface MAC Address Dialog Box, page K-90

– Edit Failover Interface Configuration Dialog Box (FWSM), page K-82

– Bootstrap Configuration for LAN Failover Dialog Box, page K-91

Adaptive Security Appliances and PIX 7.0 Firewalls

• Failover Page (ASA/PIX 7.x), page K-83

– Settings Dialog Box, page K-85

– Add Failover Group Dialog Box, page K-88

– Edit Failover Interface Configuration Dialog Box (ASA/PIX 7.x), page K-89

– Add Interface MAC Address Dialog Box, page K-90

– Bootstrap Configuration for LAN Failover Dialog Box, page K-91

Failover Page (PIX 6.x)

Use the Failover page to configure failover settings for a PIX 6.x Firewall.

Navigation Path

To access this feature, select a firewall device in Device View and then select Platform > Device Admin > Failover from the Device Policy selector.

Related Topics

• Failover Policies, page K-75

• Edit Failover Interface Configuration Dialog Box (PIX 6.x), page K-77

• Bootstrap Configuration for LAN Failover Dialog Box, page K-91

Field Reference

Table K-57 Failover Page (PIX 6.x)

Element Description

Failover

Failover Method Choose the type of failover link: Serial Cable or LAN Based.

Enable Failover Check this box to enable failover on this device.

Note To enable failover, you must ensure that both devices have the same software version, activation key type, Flash memory, and RAM.

Failover Poll Time Specifies how long failover waits before checking whether the other device remains available. The primary and standby devices poll each other over all network interfaces and the failover cable. Values can range from 3 to 15 seconds; the default is 15.

LAN-Based Failover

Interface Choose the interface to be used for LAN-based failover. If “Not Selected” is chosen, LAN-Based Failover is disabled.

Shared Key Used to encrypt communication between primary and standby devices. Value can be any string.

Confirm Re-enter the Shared Key.

Stateful Failover

Interface Choose the interface to be used for Stateful Failover. If “Not Selected” is chosen, Stateful Failover is disabled.

Note You must choose a fast LAN link from the list (for example, 100full, 1000full, or 1000sxfull).

Enable HTTP Replication Enables stateful failover to copy active HTTP sessions to the standby PIX Firewall.

Failover Interface Table

Interface Displays the name of the interface on the active firewall device to be used for communication with the standby device for failover. When configured for stateful failover, the interface is connected directly to the standby device.

Active IP Address Displays the IP address of the active interface. This address is used by the standby device to communicate with the active device. The address must be on the same network as the system IP address.

Tip You can use this IP address with the ping tool to check the status of the active device.

Standby IP Address Displays the IP address of the standby interface. This address is used by the active device to communicate with the standby device. The address must be on the same network as the system IP address.

Tip You can use this IP address with the ping tool to check the status of the standby device.

Active MAC Address Displays the MAC address of the active interface in hexadecimal format (for example, 0123.4567.89ab).

Standby MAC Address Displays the MAC address of the standby interface in hexadecimal format (for example, 0123.4567.89ab).

Edit Row button Click to display the Edit Failover Interface Configuration dialog box.

Edit Failover Interface Configuration Dialog Box (PIX 6.x)

Use the Edit Failover Interface Configuration dialog box to configure a failover interface for PIX 6.x devices.

Note The failover interface cannot be configured for PPPoE.

Navigation Path

You can access the Edit Failover Interface Configuration dialog box from the Failover page. For more information about the Failover page, see Failover Page (PIX 6.x), page K-76.

Related Topics

• Failover Policies, page K-75

• Failover Page (PIX 6.x), page K-76

Field Reference

Table K-58 Edit Failover Interface Configuration Dialog Box (PIX 6.x)

Element Description

Interface Displays the name of the interface on the active firewall device to be used for communication with the standby device for failover. When configured for stateful failover, the interface is connected directly to the standby device.

Active IP Address Displays the IP address of the active interface. This address is used by the standby device to communicate with the active device. The address must be on the same network as the system IP address.

Tip You can use this IP address with the ping tool to check the status of the active device.

Netmask Displays the netmask of the active device.

Standby IP Address Specify the IP address of the standby interface. This address is used by the active device to communicate with the standby device. The address must be on the same network as the system IP address.

Tip You can use this IP address with the ping tool to check the status of the standby device.

Failover MAC Addresses

Active MAC Address Specifies the MAC address of the active interface in hexadecimal format (for example, 0123.4567.89ab).

Standby MAC Address Specifies the MAC address of the standby interface in hexadecimal format (for example, 0123.4567.89ab).

Failover Page (FWSM)

Use the Failover page to configure basic failover settings for FWSMs.

Navigation Path

To access this feature, select an FWSM in Device View and then select Platform > Device Admin > Failover from the Device Policy selector.

Related Topics

• Failover Policies, page K-75

• Advanced Settings Dialog Box, page K-81

• Edit Failover Interface Configuration Dialog Box (FWSM), page K-82

• Bootstrap Configuration for LAN Failover Dialog Box, page K-91


Field Reference

Table K-59 Failover Page (FWSM)

Element Description

Enable Failover Specifies whether failover is enabled on this device.

You must configure the logical LAN failover interface and, optionally, the stateful failover interface.

Note To enable failover, you must ensure that both devices have the same software version, activation key type, Flash memory, and RAM.

Configuration (FWSM 3.x only)

Active/Active option (FWSM 3.x only)

In an Active/Active failover configuration, both security appliances pass network traffic. Active/Active failover is only available to security appliances in multiple context mode.

To enable Active/Active failover on the security appliance, you must create failover groups. If you enable failover without creating failover groups, you are enabling Active/Standby failover. A failover group is a logical group of one or more security contexts. You can create two failover groups on the security appliance. You should create the failover groups on the unit that will have failover group 1 in the active state. The admin context is always a member of failover group 1. Any unassigned security contexts are also members of failover group 1 by default.

Active/Standby option (FWSM 3.x only)

In an Active/Standby configuration, the active security appliance handles all network traffic passing through the failover pair. The standby security appliance does not handle network traffic until a failure occurs on the active security appliance. Whenever the configuration of the active security appliance changes, it sends configuration information over the failover link to the standby security appliance.

When a failover occurs, the standby security appliance becomes the active unit. It assumes the IP and MAC addresses of the previously active unit. Because the other devices on the network do not see any changes in the IP or MAC addresses, ARP entries do not change or time out anywhere on the network.

Active/Standby failover is available to security appliances in single mode or multiple mode.

Settings button Click to display the Advanced Settings dialog box. See Advanced Settings Dialog Box, page K-81 for more information.

LAN Failover

VLAN VLAN interface you are using for the failover link, for example, VLAN 11.

Logical Name The logical name of the interface on the active firewall device that communicates with the standby device for failover. When configured for stateful failover, the interface is directly connected to the standby device.

Active IP Address Specifies the IP address of the active interface.


Standby IP Address Specifies the IP address of the standby interface.

Subnet Mask Mask that corresponds with active and standby IP addresses.

State Failover

VLAN VLAN interface you are using for the stateful failover link, for example, VLAN 12.

Logical Name The logical name of the interface on active firewall device that communicates with the standby device for failover. When configured for stateful failover, the interface is directly connected to the standby device.

Active IP Address Specifies the IP address of the active interface.

Standby IP Address Specifies the IP address of the standby interface.

Subnet Mask Mask that corresponds with active and standby IP addresses.

Enable HTTP Replication check box

Enables stateful failover to copy active HTTP sessions to a standby firewall.

Suspend Configuration Synchronization

(FWSM 2.3 only)

When selected, configurations between the active and standby device are no longer synchronized.

Note You cannot disable this feature using the Security Manager user interface. To disable this feature after enabling it in Security Manager, issue the no failover suspend-config-sync command directly on the device, or by using the FlexConfig feature. For more information on FlexConfigs, see Understanding FlexConfig Policies and Policy Objects, page 18-1.

Shared Key (FWSM 3.x only)

To encrypt and authenticate the communication between failover peers, specify a shared secret in the Shared Key field for the active unit of an Active/Standby failover pair or on the unit that has failover group 1 in the active state of an Active/Active failover pair. The shared key can be from 1 to 63 characters and can be any combination of numbers, letters, or punctuation.

Caution All information sent over the failover and Stateful Failover links is sent in clear text unless you secure the communication with a failover key. If FWSM is used to terminate VPN tunnels, this information includes any usernames, passwords and preshared keys used for establishing the tunnels. Transmitting this sensitive data in clear text could pose a significant security risk. We recommend securing the failover communication with a failover key if you are using FWSM to terminate VPN tunnels.



Advanced Settings Dialog Box

The Advanced Settings dialog box lets you configure additional failover settings for FWSMs.

Note The following reference table presents all fields that can be presented in the Advanced Settings dialog box. The fields actually presented depend on operating mode (routed or transparent) and whether the device is hosting single or multiple contexts.

Navigation Path

You can access the Advanced Settings dialog box by clicking the Settings button on the Failover page. See Failover Page (FWSM), page K-78 for more information.

Related Topics

• Failover Policies, page K-75

• Failover Page (FWSM), page K-78

• Add Interface MAC Address Dialog Box, page K-90

Field Reference

Table K-60 Advanced Settings Dialog Box

Element Description

Interface Policy

Number of failed interfaces When the number of failed monitored interfaces exceeds this value, the security appliance fails over. The range is between 1 and 250 failures.

Percentage of failed interfaces

When the number of failed monitored interfaces exceeds this percentage, the security appliance fails over.

Failover Poll Time

Unit Failover The amount of time between hello messages among units. The range is between 1 and 15 seconds, or between 500 and 999 milliseconds if the msec option is checked.

Unit Hold Time Sets the time during which a unit must receive a hello message on the failover link, or the unit begins the testing process for peer failure. The range is between 3 and 45 seconds. You cannot enter a value that is less than 3 times the Unit Failover value.

Monitored Interface The amount of time between polls among interfaces. The range is between 3 and 15 seconds.

Management IP Address

Active The IP address of the management interface.

Netmask The subnet mask for the Active and Standby addresses.

Standby The management IP address on the standby unit, which must be on the same subnet as the Active IP address. You do not need to identify the Standby address subnet mask.

Failover Groups

Group table This table lists failover groups on the device, with the following information:

• Group Number – Numeric identifier for the group.

• Preferred Role – Primary or Secondary.

• Preempt Enabled – True or false.

Edit row button Click this button to edit the selected entry in the Failover Groups table; the Edit Failover Group dialog box opens.

Edit Failover Interface Configuration Dialog Box (FWSM)

Use the Edit Failover Interface Configuration dialog box to configure a failover interface for FWSMs.

Note The failover interface cannot be configured for PPPoE.

Navigation Path

You can access the Edit Failover Interface Configuration dialog box from the Failover page. For more information about the Failover page, see Failover Page (FWSM), page K-78.

Related Topics

• Failover Policies, page K-75

• Failover Page (FWSM), page K-78

Field Reference

Table K-61 Edit Failover Interface Configuration Dialog Box (FWSM)

Element Description

Interface Name Identifies the interface name; not editable.

Active IP Address Identifies the IP address for this interface. This field does not appear if an IP address has not been assigned to the interface.

Standby IP Address Specifies the IP address of the corresponding interface on the standby failover unit. This field does not appear if an IP address has not been assigned to the interface.


Monitor this interface for failure

Specifies whether this interface is monitored for failure. The number of interfaces that can be monitored for the security appliance is 250. Hello messages are exchanged between the security appliance failover pair during every interface poll time period. The failover interface poll time is 3 to 15 seconds. For example, if the poll time is set to 5 seconds, testing begins on an interface if 5 consecutive hellos are not heard on that interface (25 seconds). Monitored failover interfaces can have the following status:

• Unknown—Initial status. This status can also mean the status cannot be determined.

• Normal—The interface is receiving traffic.

• Testing—Hello messages are not heard on the interface for five poll times.

• Link Down—The interface is administratively down.

• No Link—The physical link for the interface is down.

• Failed—No traffic is received on the interface, yet traffic is heard on the peer interface.

Failover Page (ASA/PIX 7.x)

Use the Failover page to configure basic failover settings for ASAs and PIX 7.x firewalls.

Navigation Path

To access this feature, select an ASA or PIX 7.x firewall device in Device View and then select Platform > Device Admin > Failover from the Device Policy selector.

Related Topics

• Failover Policies, page K-75

• Settings Dialog Box, page K-85

• Add Failover Group Dialog Box, page K-88

• Edit Failover Interface Configuration Dialog Box (ASA/PIX 7.x), page K-89

• Add Interface MAC Address Dialog Box, page K-90

• Bootstrap Configuration for LAN Failover Dialog Box, page K-91


Field Reference

Table K-62 Failover Page (ASA/PIX 7.x)

Element Description

Enable Failover Specifies whether failover is enabled on this device.

You must configure the logical LAN failover interface and, optionally, the stateful failover interface.

Note To enable failover, you must ensure that both devices have the same software version, activation key type, Flash memory, and RAM.

Configuration

Active/Active option In an Active/Active failover configuration, both security appliances pass network traffic. Active/Active failover is only available to security appliances in multiple context mode.

To enable Active/Active failover on the security appliance, you must create failover groups. If you enable failover without creating failover groups, you are enabling Active/Standby failover. A failover group is a logical group of one or more security contexts. You can create two failover groups on the security appliance. You should create the failover groups on the unit that will have failover group 1 in the active state. The admin context is always a member of failover group 1. Any unassigned security contexts are also members of failover group 1 by default.

Active/Standby option In an Active/Standby configuration, the active security appliance handles all network traffic passing through the failover pair. The standby security appliance does not handle network traffic until a failure occurs on the active security appliance. Whenever the configuration of the active security appliance changes, it sends configuration information over the failover link to the standby security appliance.

When a failover occurs, the standby security appliance becomes the active unit. It assumes the IP and MAC addresses of the previously active unit. Because the other devices on the network do not see any changes in the IP or MAC addresses, ARP entries do not change or time out anywhere on the network.

Active/Standby failover is available to security appliances in single mode or multiple mode.

Settings button Click to display the Settings dialog box. See Settings Dialog Box, page K-85 for more information.

LAN Failover

Interface Interface you are using for the failover link.

Logical Name The logical name of the interface on the active firewall device used to communicate with the standby device for failover. When configured for stateful failover, the interface is directly connected to the standby device.

Active IP Address Specifies the IP address of the active interface.

Standby IP Address Specifies the IP address of the standby interface.


Subnet Mask Netmask that corresponds with the active and standby IP addresses.

Bootstrap button Click to display the Bootstrap Configuration for LAN Failover dialog box. See Bootstrap Configuration for LAN Failover Dialog Box, page K-91 for more information.

State Failover

Interface Interface you are using for the stateful failover link.

Logical Name The logical name of the interface on the active firewall device used to communicate with the standby device for failover. When configured for stateful failover, the interface is directly connected to the standby device.

Active IP Address Specifies the IP address of the active interface.

Standby IP Address Specifies the IP address of the standby interface.

Subnet Mask Netmask that corresponds with the active and standby IP addresses.

Enable HTTP Replication When selected, enables stateful failover to copy active HTTP sessions to the standby firewall.

Shared Key Used to encrypt communication between primary and standby devices. Value can be any string.

Settings Dialog Box

The Settings dialog box lets you define criteria for when failover should occur on an ASA or PIX 7.x appliance.

Navigation Path

You can access the Settings dialog box by clicking the Settings button on the Failover page. For more information, see Failover Page (ASA/PIX 7.x), page K-83.

Note The following reference table presents all fields that can be presented in the Settings dialog box. The fields actually presented depend on operating mode (routed or transparent) and whether the device is hosting single or multiple contexts.

Related Topics

• Failover Policies, page K-75

• Failover Page (ASA/PIX 7.x), page K-83

• Add Failover Group Dialog Box, page K-88

• Edit Failover Interface Configuration Dialog Box (ASA/PIX 7.x), page K-89

• Add Interface MAC Address Dialog Box, page K-90

• Bootstrap Configuration for LAN Failover Dialog Box, page K-91


Field Reference

Table K-63 Settings Dialog Box

Element Description

Interface Policy

Number of failed interfaces When the number of failed monitored interfaces exceeds this value, the security appliance fails over. The range is between 1 and 250 failures.

Percentage of failed interfaces

When the number of failed monitored interfaces exceeds this percentage, the security appliance fails over.

Failover Poll Time

Unit Failover The amount of time between hello messages among units. The range is between 1 and 15 seconds, or between 200 and 999 milliseconds if the msec option is checked.

Unit Hold Time Sets the time during which a unit must receive a hello message on the failover link, or the unit begins the testing process for peer failure. The range is between 3 and 45 seconds, or between 800 and 999 milliseconds if the msec option is checked. You cannot enter a value that is less than three times the Unit Failover value.

Monitored Interface The amount of time between polls among interfaces. The range is between 3 and 15 seconds, or between 500 and 999 milliseconds if the msec option is checked.

Interface Hold Time Sets the time during which a data interface must receive a hello message, after which the peer is declared failed. Valid values are from 5 to 75 seconds.

Failover Groups

Group Number Specifies the failover group number. This number is used when assigning contexts to failover groups.

Preferred Role Specifies the unit in the failover pair, primary or secondary, on which the failover group appears in the active state when both units start up simultaneously or when the preempt option is selected. You can have both failover groups in the active state on a single unit in the pair, with the other unit containing the failover groups in the standby state. However, a more typical configuration is to assign each failover group a different role preference to make each one active on a different unit, balancing the traffic across the devices.

Preempt Enabled Specifies whether the unit that is the preferred failover device for this failover group should become the active unit after rebooting.

Preempt Delay Specifies the number of seconds that the preferred failover device should wait after rebooting before taking over as the active unit for this failover group. The range is between 0 and 1200 seconds.

Interface Policy Specifies either the number of monitored interface failures or the percentage of failures that are allowed before the group fails over. The range is between 1 and 250 failures or 1 and 100 percent.

Interface Poll Time Specifies the amount of time between polls among interfaces. The range is between 3 and 15 seconds.


Replicate HTTP Identifies whether Stateful Failover should copy active HTTP sessions to the standby firewall for this failover group. If you do not allow HTTP replication, HTTP connections are disconnected at failover. Disabling HTTP replication reduces the amount of traffic on the state link. This setting overrides the HTTP replication setting on the Setup tab.

MAC Address Identifies the MAC address of the active interface.

MAC Address Mapping

Physical Interface Specifies the physical interface for which failover virtual MAC addresses are configured.

Active MAC Address Specifies the MAC address of the active interface in hexadecimal format (for example, 0123.4567.89ab).

Standby MAC Address Specifies the MAC address of the standby interface in hexadecimal format (for example, 0123.4567.89ab).

Monitor Interface Configuration

Interface Name Displays the name of the interface.

Is Monitored Specifies whether this interface is monitored for failure. The number of interfaces that can be monitored for the security appliance is 250. Hello messages are exchanged between the security appliance failover pair during every interface poll time period. The failover interface poll time is 3 to 15 seconds. For example, if the poll time is set to 5 seconds, testing begins on an interface if 5 consecutive hellos are not heard on that interface (25 seconds). Monitored failover interfaces can have the following status:

• Unknown—Initial status. This status can also mean the status cannot be determined.

• Normal—The interface is receiving traffic.

• Testing—Hello messages are not heard on the interface for five poll times.

• Link Down—The interface is administratively down.

• No Link—The physical link for the interface is down.

• Failed—No traffic is received on the interface, yet traffic is heard on the peer interface.

Edit Row button Click to display the Edit Failover Interface Configuration dialog box to edit a failover interface configuration.

Management IP Address

Active Specifies the management IP address of the active device.

Netmask Specifies the netmask that corresponds with the active and standby IP addresses.

Standby Specifies the management IP address of the standby device.
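As an added example (not code from the Cisco Security Manager guide or from Cisco), the following Python model applies the Settings dialog rules from Table K-63: the poll and hold time ranges, the rule that Unit Hold Time cannot be less than three times Unit Failover, the Interface Policy threshold as the table words it, and a mapping of the monitored-interface conditions to the status values listed above. The status mapping is a simplified reading of the description and does not model the appliance's actual test sequence.

```python
"""Added model of the failover Settings dialog rules from Table K-63.
Not Cisco Security Manager or ASA code: ranges and the 3x hold-time rule are
taken from the table; interface_status() is a simplified reading of the list."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class FailoverTiming:
    unit_poll: float     # Unit Failover: time between hello messages among units
    unit_hold: float     # Unit Hold Time: time without a hello before peer testing starts
    iface_poll: float    # Monitored Interface: time between interface polls
    iface_hold: float    # Interface Hold Time, always in seconds
    msec: bool = False   # True when the dialog's msec option is checked (unit and
                         # interface poll/hold values are then in milliseconds)


def validate_timing(t: FailoverTiming) -> List[str]:
    """Return the rule violations for the timing fields (empty list = acceptable)."""
    problems = []
    if t.msec:
        ranges = {"unit poll": (t.unit_poll, 200, 999, "ms"),
                  "unit hold": (t.unit_hold, 800, 999, "ms"),
                  "interface poll": (t.iface_poll, 500, 999, "ms")}
    else:
        ranges = {"unit poll": (t.unit_poll, 1, 15, "s"),
                  "unit hold": (t.unit_hold, 3, 45, "s"),
                  "interface poll": (t.iface_poll, 3, 15, "s")}
    for name, (value, lo, hi, unit) in ranges.items():
        if not lo <= value <= hi:
            problems.append(f"{name} must be {lo}-{hi} {unit}")
    # The dialog rejects a unit hold time shorter than three times the unit poll time.
    if t.unit_hold < 3 * t.unit_poll:
        problems.append("unit hold must be at least 3x unit poll")
    if not 5 <= t.iface_hold <= 75:
        problems.append("interface hold must be 5-75 s")
    return problems


def interface_test_delay(iface_poll_seconds: float) -> float:
    """Seconds until interface testing starts: five consecutive missed hellos
    (the table's example: a 5 s poll time gives 25 s)."""
    return 5 * iface_poll_seconds


def group_fails_over(failed: int, monitored: int, threshold: int, as_percent: bool) -> bool:
    """Interface Policy as the table words it: fail over when the number (or the
    percentage) of failed monitored interfaces exceeds the configured threshold."""
    if as_percent:
        if not 1 <= threshold <= 100:
            raise ValueError("percentage policy must be 1-100")
        return failed * 100 / monitored > threshold
    if not 1 <= threshold <= 250:
        raise ValueError("interface-count policy must be 1-250")
    return failed > threshold


def interface_status(admin_up: bool, link_up: bool, missed_polls: Optional[int],
                     traffic_seen: bool, peer_hears_traffic: bool) -> str:
    """Map observed conditions to the status values listed in the table.
    Simplified: the real test sequence after five missed hellos is not modelled."""
    if missed_polls is None:
        return "Unknown"          # initial status, or status cannot be determined
    if not admin_up:
        return "Link Down"        # interface is administratively down
    if not link_up:
        return "No Link"          # physical link is down
    if missed_polls < 5:
        return "Normal"           # hellos still arriving within five poll periods
    if not traffic_seen and peer_hears_traffic:
        return "Failed"           # nothing received here while the peer hears traffic
    return "Testing"              # five poll periods without hellos: testing in progress
```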



Add Failover Group Dialog Box

Use the Add Failover Group dialog box to define failover groups for an Active/Active failover configuration.

Navigation Path

You can access the Add Failover Group dialog box from the Failover page. For more information, see Failover Page (ASA/PIX 7.x), page K-83.

Related Topics

• Failover Policies, page K-75

• Failover Page (ASA/PIX 7.x), page K-83

Field Reference

Table K-64 Add Failover Group Dialog Box

Element Description

Preferred Role Specifies the unit in the failover pair, primary or secondary, on which the failover group appears in the active state when both units start up simultaneously or when the preempt option is selected. You can have both failover groups in the active state on a single unit in the pair, with the other unit containing the failover groups in the standby state. However, a more typical configuration is to assign each failover group a different role preference to make each one active on a different unit, balancing the traffic across the devices.

“Preempt after booting with optional delay of”

Specifies the number of seconds that the preferred failover device should wait after rebooting before taking over as the active unit for this failover group. The range is between 0 and 1200 seconds.

Interface Policy Select the failover policy for this interface:

• Number of failed interfaces that triggers failover

• Percentage of failed interfaces that triggers failover

• Use system failover interface policy

Poll time interval for monitored interfaces

Specifies the amount of time between polls among interfaces. The range is between 3 and 15 seconds.

Enable HTTP Replication Identifies whether Stateful Failover should copy active HTTP sessions to the standby firewall for this failover group. If you do not allow HTTP replication, HTTP connections are disconnected at failover. Disabling HTTP replication reduces the amount of traffic on the state link. This setting overrides the HTTP replication setting on the Setup tab.

Interface Table

Physical Interface Specifies the physical interface for which failover virtual MAC addresses are configured.

Active MAC Address Specifies the MAC address of the active interface in hexadecimal format (for example, 0123.4567.89ab).

Standby MAC Address Specifies the MAC address of the standby interface in hexadecimal format (for example, 0123.4567.89ab).


Add Click to display the dialog box to define a failover interface association.

Edit Click to display the dialog box to edit a failover interface association.

Delete Click to delete the selected failover interface association.

Edit Failover Interface Configuration Dialog Box (ASA/PIX 7.x)

Use the Edit Failover Interface Configuration dialog box to define the standby IP address for an interface and to specify whether the status of the interface should be monitored.

Note The failover interface cannot be configured for PPPoE.

Navigation Path

You can access the Edit Failover Interface Configuration dialog box from the Failover page. For more information, see Failover Page (ASA/PIX 7.x), page K-83.

Related Topics

• Failover Policies, page K-75

• Failover Page (ASA/PIX 7.x), page K-83

• Add Failover Group Dialog Box, page K-88

Field Reference

Table K-65 Edit Failover Interface Configuration Dialog Box (ASA/PIX 7.x)

Element Description

Interface Name Identifies the interface name.

Active IP Address Identifies the IP address for this interface. This field does not appear if an IP address has not been assigned to the interface.

Standby IP Address Specifies the IP address of the corresponding interface on the standby failover unit. This field does not appear if an IP address has not been assigned to the interface.


Monitor this interface for failure

Specifies whether this interface is monitored for failure. The number of interfaces that can be monitored for the security appliance is 250. Hello messages are exchanged between the security appliance failover pair during every interface poll time period. The failover interface poll time is 3 to 15 seconds. For example, if the poll time is set to 5 seconds, testing begins on an interface if 5 consecutive hellos are not heard on that interface (25 seconds). Monitored failover interfaces can have the following status:

• Unknown—Initial status. This status can also mean the status cannot be determined.

• Normal—The interface is receiving traffic.

• Testing—Hello messages are not heard on the interface for five poll times.

• Link Down—The interface is administratively down.

• No Link—The physical link for the interface is down.

• Failed—No traffic is received on the interface, yet traffic is heard on the peer interface.

Add Interface MAC Address Dialog Box

The Add Interface MAC Address dialog box allows you to define the MAC addresses of interfaces for ASA, FWSM 3.x and PIX 7.x security appliances that are configured for failover.

Related Topics

• Failover Policies, page K-75

• Failover Page (ASA/PIX 7.x), page K-83

• Settings Dialog Box, page K-85

Field Reference

Table K-66 Add Interface MAC Address Dialog Box

Element Description

Physical Interface Specifies the physical interface for which failover virtual MAC addresses are configured.

MAC Address

Active Interface Specifies the MAC address of the active interface in hexadecimal format (for example, 0123.4567.89ab).

Standby Interface Specifies the MAC address of the standby interface in hexadecimal format (for example, 0123.4567.89ab).


Bootstrap Configuration for LAN Failover Dialog Box

The Bootstrap Configuration for LAN Failover dialog box provides you with the bootstrap configuration that can be applied to the primary and secondary devices in a LAN failover configuration.

Navigation Path

You can access the Bootstrap Configuration for LAN Failover dialog box from the Failover page. For more information about the Failover page, see:

• Failover Page (PIX 6.x), page K-76

• Failover Page (FWSM), page K-78

• Failover Page (ASA/PIX 7.x), page K-83

Related Topics

• Failover Policies, page K-75

• Failover Page (PIX 6.x), page K-76

• Failover Page (FWSM), page K-78

• Failover Page (ASA/PIX 7.x), page K-83

Field Reference

Table K-67 Bootstrap Configuration for LAN Failover Dialog Box

Element Description

Primary Contains the bootstrap configuration for the primary device. Open a console connection to the primary device and then paste this configuration to activate failover on the device.

Secondary Contains the bootstrap configuration for the secondary device. After the primary device becomes active, open a console connection to the secondary device and then paste this configuration to activate failover on the device.

Note For Active/Active Failover, the bootstrap configurations are only applied to the system contexts of the respective failover peer devices.

Hostname Page

You can use the Hostname page to specify a host name for your firewall device and to set a default domain name. The firewall device uses this domain name when you do not enter the fully-qualified domain name in other commands. It also uses the domain name in RSA key generation.

Navigation Path

To access this feature, select a firewall device in Device View and then select Platform > Device Admin > Hostname from the Device Policy selector.


Related Topics

• Configuring Hostname Settings, page 14-51

• Appendix K, “PIX/ASA/FWSM Platform User Interface Reference”

Field Reference

Table K-68 Hostname Page

Element Description

Host Name User-defined device name to help you differentiate among devices, for example, PIX-510-A.

Note We recommend that you use a unique host name for each device you create. The device name can be up to 63 alphanumeric (U.S. English) characters and can include any of the following special characters: ` ( ) + - , . / : =.

Domain Name Optional field for a domain name. Enter a valid Domain Name System (DNS) domain name, for example, cisco.com.

Resources Page

Use the Resources page to view configured classes and information about each class. You can also use the Resources page to add, edit, or delete a class.

Navigation Path

In Device View, select the system context of an FWSM in multiple-context mode, and then select Platform > Device Admin > Resources from the Device Policy selector.

Related Topics

• Configuring Resources on Firewall Services Modules, page 14-51

Field Reference

Table K-69 Resources Page

Element Description

Class Shows the class name.

Contexts Shows the contexts assigned to this class.

Connection Rate Shows the limit for connections per second.

Fixups Shows the limit for application inspections per second.

Syslogs Shows the limit for system log messages per second.

Connections Shows the limit for TCP or UDP connections between any two hosts, including connections between one host and multiple other hosts.

Hosts Shows the limit for hosts that can connect through the FWSM.

IPsec Shows the limit for IPsec management sessions, by default 5.

SSH Shows the limit for SSH sessions, by default 5.


Telnet Shows the limit for Telnet sessions, by default 5.

Xlates Shows the limit for address translations.

MAC Addr Shows the limit for MAC addresses in the MAC address table in transparent firewall mode, by default 65535.

ASDM Shows the limit for ASDM management sessions (by default 5). ASDM sessions use two HTTPS connections: one for monitoring that is always present, and one for making configuration changes that is present only when you make changes. For example, the system limit of 80 ASDM sessions represents a limit of 160 HTTPS sessions, divided between all contexts.

All Shows the limit for all resources that you do not set individually, by default zero, which means unlimited.

Add/Edit Resource Dialog Box

Use the Add/Edit Resource dialog box to add or edit a resource class for an FWSM.

Navigation Path

You can access the Add/Edit Resource dialog box from the Resources page. For more information about the Resources page, see Resources Page, page K-92.

Related Topics

• Resources Page, page K-92

Field Reference

Table K-70 Add Resource Dialog Box

Element Description

Class Name The class name as a string up to 20 characters long.

Limits Tab

Note If you do not set a limit, the limit is inherited from the default class. If the default class does not set a limit, the limit is the system limit by default.


TCP or UDP Connections Sets the limit for concurrent TCP or UDP connections between any two hosts, including connections between one host and multiple other hosts. You can set the limit as a percentage by entering an integer and then selecting the percent check box. You can assign more than 100 percent if you want to oversubscribe the device. Or you can set the limit as an absolute value by entering an integer between 0 (system limit) and 999900.

Note For concurrent connections, the FWSM allocates half of the limit to each of two NPs that accept connections. Typically, the connections are divided evenly between the NPs. However, in some circumstances, the connections are not evenly divided, and you might reach the maximum connection limit on one NP before reaching the maximum on the other. In this case, the maximum connections allowed is less than the limit you set. The NP distribution is controlled by the switch based on an algorithm. You can adjust this algorithm on the switch, or you can adjust the connection limit upward to account for the inequality.

Inspections (Fixups) Sets the limit for application inspections per second. You can set the limit as a percentage by entering an integer and then selecting the percent check box. You can assign more than 100 percent if you want to oversubscribe the device. Or you can set the limit as an absolute value by entering an integer between 0 (system limit) and 10000.

Syslog Messages Sets the limit for system log messages per second. You can set the limit as a percentage by entering an integer and then selecting the percent check box. You can assign more than 100 percent if you want to oversubscribe the device. Or you can set the limit as an absolute value by entering an integer between 0 (system limit) and 102400.

Connections Sets the limit for connections per second. You can set the limit as a percentage by entering an integer and then selecting the percent check box. You can assign more than 100 percent if you want to oversubscribe the device. Or you can set the limit as an absolute value by entering an integer between 0 and 102400.

Hosts Sets the limit for concurrent hosts that can connect through the FWSM. You can set the limit as a percentage by entering an integer and then selecting the percent check box. You can assign more than 100 percent if you want to oversubscribe the device. Or you can set the limit as an absolute value by entering an integer between 0 (system limit) and 262144.

IPsec Sessions Sets the limit for concurrent IPsec sessions. You can set the limit as a percentage by entering an integer and then selecting the percent check box. You can assign more than 100 percent if you want to oversubscribe the device. Or you can set the limit as an absolute value by entering an integer between 1 and 5. The system has a maximum of 10 sessions divided between all contexts.



SSH Sessions Sets the limit for SSH sessions. You can set the limit as a percentage by entering an integer and then selecting the percent check box. You can assign more than 100 percent if you want to oversubscribe the device. Or you can set the limit as an absolute value by entering an integer between 1 and 5. The system has a maximum of 100 sessions divided between all contexts.

Telnet Sessions Sets the limit for concurrent Telnet sessions. You can set the limit as a percentage by entering an integer and then selecting the percent check box. You can assign more than 100 percent if you want to oversubscribe the device. Or you can set the limit as an absolute value by entering an integer between 1 and 5. The system has a maximum of 100 sessions divided between all contexts.

NAT Translations Sets the limit for address translations. You can set the limit as a percentage by entering an integer and then selecting the percent check box. You can assign more than 100 percent if you want to oversubscribe the device. Or you can set the limit as an absolute value by entering an integer between 0 (system limit) and 266144.

MAC Address (Transparent mode only) Sets the limit for MAC address entries in the MAC address table. You can set the limit as a percentage by entering an integer and then selecting the percent check box. You can assign more than 100 percent if you want to oversubscribe the device. Or you can set the limit as an absolute value by entering an integer between 0 (system limit) and 65535.

ASDM Shows the limit for ASDM management sessions (by default 5). ASDM sessions use two HTTPS connections: one for monitoring that is always present, and one for making configuration changes that is present only when you make changes. For example, the system limit of 80 ASDM sessions represents a limit of 160 HTTPS sessions, divided between all contexts.

You can set the limit as a percentage by entering a value between 3.0 and 15.0 and then selecting the percent check box. Or you can set the limit as an absolute value by entering an integer between 1 and 5 and deselecting the percent check box.

All Resources Limit Sets the limit for all resources. If you also set the limit for a specific resource, then that limit overrides the limit you set for all resources. You can set the limit as a percentage by entering an integer and then selecting the percent check box, or as unlimited by setting the value to 0. You cannot set any other absolute value. You can assign more than 100 percent if you want to oversubscribe the device.

Contexts Tab

Available Contexts Shows the contexts available to be assigned.

Selected Contexts Shows the contexts assigned to this class.
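As an added example (not Cisco Security Manager or FWSM code), this Python model applies the Limits tab rules from Table K-70 and the Resources page: the absolute ranges for each resource, the percent option with oversubscription above 100 percent, 0 meaning the system limit for a specific resource and unlimited for All Resources, the class > default class > system limit inheritance from the note, the two HTTPS connections per ASDM session, and the half-per-NP split from the concurrent connections note. System maxima other than the ASDM, IPsec, SSH and Telnet values quoted on the page are constructed placeholders.

```python
"""Added model of FWSM resource-class limits as the Add Resource dialog describes them.
Not CSM or FWSM code. Absolute ranges come from Table K-70; SYSTEM_MAX values other
than the quoted ASDM (80), IPsec (10), SSH and Telnet (100) maxima are constructed."""
from dataclasses import dataclass
from typing import Dict, List

# Absolute-value ranges per resource from Table K-70 (field names shortened).
ABSOLUTE_RANGES = {
    "conns": (0, 999900), "fixups": (0, 10000), "syslogs": (0, 102400),
    "conn_rate": (0, 102400), "hosts": (0, 262144), "ipsec": (1, 5),
    "ssh": (1, 5), "telnet": (1, 5), "xlates": (0, 266144), "mac": (0, 65535),
    "asdm": (1, 5),
}

# System-wide maxima used to turn a percentage into a count. Only asdm, ipsec,
# ssh and telnet are quoted on the page; the others are constructed placeholders.
SYSTEM_MAX = {
    "asdm": 80, "ipsec": 10, "ssh": 100, "telnet": 100,
    "conns": 999900, "fixups": 10000, "syslogs": 102400, "conn_rate": 102400,
    "hosts": 262144, "xlates": 266144, "mac": 65535,
}


@dataclass
class Limit:
    value: float
    percent: bool = False  # True when the dialog's percent check box is selected


def validate_class(limits: Dict[str, Limit]) -> List[str]:
    """Return rule violations for one class (empty list = the dialog would accept it)."""
    problems = []
    for name, lim in limits.items():
        if lim.percent:
            if lim.value < 0:
                problems.append(f"{name}: percentage cannot be negative")
            continue  # more than 100 percent is allowed (oversubscription)
        if name == "all":
            if lim.value != 0:
                problems.append("all: only 0 (unlimited) is allowed as an absolute value")
            continue
        if name not in ABSOLUTE_RANGES:
            problems.append(f"{name}: unknown resource")
            continue
        lo, hi = ABSOLUTE_RANGES[name]
        if not lo <= lim.value <= hi:
            problems.append(f"{name}: absolute value must be {lo}-{hi}")
    return problems


def resolve_limit(resource: str, class_limits: Dict[str, Limit],
                  default_limits: Dict[str, Limit]) -> int:
    """Effective numeric limit for one resource, following the dialog note:
    class limit, else default-class limit, else system limit. A specific limit
    overrides 'all'. An absolute 0 for a specific resource means the system limit;
    0 for 'all' means no class cap, so only the system maximum applies."""
    system = SYSTEM_MAX[resource]
    for limits in (class_limits, default_limits):
        lim = limits.get(resource)
        if lim is None:
            lim = limits.get("all")
        if lim is None:
            continue
        if lim.percent:
            return int(system * lim.value / 100)
        if lim.value == 0:
            return system
        return int(lim.value)
    return system


def asdm_https_connections(asdm_sessions: int) -> int:
    """Each ASDM session uses two HTTPS connections (monitoring plus configuration)."""
    return 2 * asdm_sessions


def per_np_connection_limit(conn_limit: int) -> int:
    """Concurrent connections are split in half across the two NPs, so with an
    uneven spread one NP can hit its share before the class reaches conn_limit."""
    return conn_limit // 2
```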



Server Access

Server Access is under Device Admin in the Policy selector. The following topics describe the pages for Server Access:

• AUS Page, page K-96

• DHCP Server Page, page K-102

• DHCP Relay Page, page K-99

• DNS Page, page K-106

• DDNS Page, page K-109

• NTP Page, page K-112

• SMTP Server Page, page K-114

• TFTP Server Page, page K-114

AUS Page

The AUS page lets you configure a firewall device to be managed remotely from a server that supports the Auto Update specification. Auto Update lets you apply configuration changes to the firewall device and receive software updates from a remote location.

Navigation Path

• (Device view) Select Platform > Device Admin > Server Access > AUS from the Device Policy selector.

• (Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Server Access > AUS from the Policy Type selector. Select an existing policy from the Shared Policy selector, or right-click AUS to create a new policy.

Related Topics

• Add and Edit Auto Update Server Dialog Boxes, page K-98

• Server Access, page K-96


Field Reference

Table K-71 AUS Page

Element Description

Auto Update Servers table

This table lists currently configured Auto Update servers, presenting the following information for each:

• No. – Numeric position of this entry in the list, and order of precedence when contacting AUS servers. Use the Up and Down arrow buttons to change the ordering of the list by moving the selected entry up or down.

• Server URL – The URL for this AUS server; produced by concatenating the Protocol://[Username:Password@]IP Address/Path provided in the Add/Edit Auto Update Server dialog box for contacting the server.

• User Name – The user name provided for contacting the server (optional).

• Interface – The interface to use when sending requests to the Auto Update server.

• Verify Certificate – Whether SSL verification of the AUS is required; true or false.

Refer to Add and Edit Auto Update Server Dialog Boxes, page K-98 for information about adding and editing server entries.

Device ID Type Method used for identifying this device to the AUS server; choose:

• Hostname—The host name of this device.

• Serial Number—The serial number of this device.

• IP Address—The IP address of the specified interface is used: an Interface field appears; enter or Select the desired device interface.

• MAC Address—The MAC address of the specified interface is used: an Interface field appears; enter or Select the desired device interface.

• User Defined—A unique user-specified ID is used: a User Defined field appears; enter an arbitrary alphanumeric string.


Add and Edit Auto Update Server Dialog Boxes

Use the Add Auto Update Server dialog box to configure a new AUS server definition. The security appliance will automatically poll this server for image and configuration updates.

Note With the exception of the title, the Edit Auto Update Server dialog box is identical to the Add Auto Update Server dialog box. The following description applies to both.

Navigation Path

You can access the Add and Edit Auto Update Server dialog boxes from the AUS Page, page K-96.

Poll Type Method defining how often the AUS server is polled for updates. Choose At Specified Frequency or At Scheduled Time. Different ancillary fields are displayed, depending on this choice.

If you choose At Specified Frequency, this field is displayed:

• Poll Period – The number of minutes the firewall device waits between polls of the AUS server.

If you choose At Scheduled Time, the following fields are displayed. (This option is available only on ASA/PIX devices running version 7.2 or later.)

• Days of the week – Select one or more days on which the device is to poll the AUS server.

• Polling Start Time in Hours – The hour at which polling is to begin on the selected days; based on a 24-hour clock.

• Polling Start Time in Mins – The minute within the chosen hour when polling is to begin.

• Enable Randomization of the Start Time – Select this option to specify a random polling window; the Randomization Window field is enabled.

– Randomization Window – The maximum number of minutes the device can use to randomize the specified polling time; valid values are 1 to 1439.

Retry Count The number of times the device will try to poll the AUS server for new information. Optional; if you enter zero or leave this field blank, the device will not retry after a failed poll attempt.

Retry Period If Retry Count is not zero or blank, the number of minutes the device will wait to re-poll the AUS server if the previous attempt failed; valid values are 1 to 35791. If Retry Count is not zero or blank and you leave this field blank, the value defaults to five minutes.

Disable Device After Selecting this option ensures that if no response is received from the AUS server within the specified Timeout period, the security appliance will stop passing traffic.

Timeout The number of minutes the firewall device will wait to timeout if no response is received from the AUS server.
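As an added example, not Cisco's code, the following Python builds the Server URL the way the AUS page table describes it (Protocol://[Username:Password@]IP Address/Path) and audits an AUS entry for the points a reviewer checks: credentials carried in a cleartext http URL, https without Verify Certificate, and a Disable Device After timeout that is shorter than one full poll-and-retry cycle. The AusEntry class, the sample entries and the reading of a Timeout of 0 as "no timeout" are assumptions of this example.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class AusEntry:
    """One row of the Auto Update Servers table. The field names follow the
    page; the class itself and the sample entries below are constructed for
    this example and are not Security Manager objects."""
    protocol: str                           # "http" or "https"
    ip_address: str
    path: str = "autoupdate/AutoUpdateServlet"
    port: Optional[int] = None              # None: 80 for http, 443 for https
    username: Optional[str] = None
    password: Optional[str] = None
    verify_certificate: bool = False
    poll_period_min: int = 720              # minutes between polls
    retry_count: int = 0
    retry_period_min: Optional[int] = None  # blank with retries: defaults to 5
    disable_device_after: bool = False
    timeout_min: int = 0                    # assumption: 0 means no timeout


def server_url(e: AusEntry, redact: bool = False) -> str:
    """Protocol://[Username:Password@]IP Address[:Port]/Path, as the Server
    URL column shows it. Pass redact=True before pasting the URL anywhere."""
    password = "***" if redact else e.password
    cred = f"{e.username}:{password}@" if e.username else ""
    default_port = 80 if e.protocol == "http" else 443
    port = "" if e.port in (None, default_port) else f":{e.port}"
    return f"{e.protocol}://{cred}{e.ip_address}{port}/{e.path}"


def worst_case_poll_gap_min(e: AusEntry) -> int:
    """Longest stretch between two successful polls when the server answers
    only on the last retry: one poll period plus every retry period."""
    retry_period = 5 if e.retry_period_min is None else e.retry_period_min
    return e.poll_period_min + e.retry_count * retry_period


def audit(e: AusEntry) -> List[str]:
    """Review findings for one entry; an empty list means nothing to flag."""
    findings = []
    if e.protocol == "http":
        findings.append("http transport: images and configuration pulled from "
                        "the AUS can be altered in transit")
        if e.username:
            findings.append("credentials are embedded in a cleartext http URL")
    elif not e.verify_certificate:
        findings.append("https without Verify Certificate: any certificate is "
                        "accepted, so a spoofed AUS can push configuration")
    if e.disable_device_after and e.timeout_min:
        gap = worst_case_poll_gap_min(e)
        if e.timeout_min < gap:
            findings.append(f"Timeout {e.timeout_min} min is shorter than a "
                            f"full poll-and-retry cycle ({gap} min): the "
                            "appliance may stop passing traffic before its "
                            "retries are exhausted")
    return findings


# Constructed sample entries; 192.0.2.0/24 is the RFC 5737 documentation range.
WEAK = AusEntry(protocol="http", ip_address="192.0.2.10",
                username="svc", password="s3cret",
                poll_period_min=720, retry_count=3, retry_period_min=10,
                disable_device_after=True, timeout_min=60)

HARDENED = AusEntry(protocol="https", ip_address="192.0.2.10", port=8443,
                    username="svc", password="s3cret", verify_certificate=True,
                    poll_period_min=720, retry_count=3, retry_period_min=10,
                    disable_device_after=True, timeout_min=1500)

if __name__ == "__main__":
    for name, entry in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, server_url(entry, redact=True))
        for finding in audit(entry):
            print("  -", finding)
```

The timeout check reflects how Disable Device After behaves: the appliance stops passing traffic once the server has been silent for Timeout minutes, so a value shorter than a poll period plus its retries turns a brief AUS outage into a self-inflicted denial of service.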

Related Topics

• AUS Page, page K-96

• Configuring AUS Settings, page 14-52

Field Reference

Table K-72 Add and Edit Auto Update Server Dialog Boxes

Element Description

Protocol The protocol used to communicate with the AUS server; choose http or https.

IP Address The IP address of the AUS server.

Port Number of the port on which communications with the AUS server take place. Defaults to 80 if http is chosen as the Protocol, and to 443 if https is chosen. If you enter an arbitrary port number, be sure the AUS server is configured to use the same port.

Path The path to AUS services on the server. The standard path is autoupdate/AutoUpdateServlet; change this to admin/auto-update only if the AUS server host is an ASA.

AUS Interface The interface to use when polling the Auto Update server.

Verify Certificate Select this option to require SSL verification from the AUS server. The certificate returned by the server will be checked against Certification Authority (CA) root certificates. This requires that the AUS Server and this device use the same CA.

Username The user name to be used for AUS authentication (optional).

Password The password to be used for AUS authentication (optional).

Confirm Re-enter the password (optional).

DHCP Relay Page

Use the DHCP Relay page to configure DHCP relay services on a firewall device. For more information, see Configuring DHCP Relay, page 14-53.

Navigation Path

• (Device view) Select Platform > Device Admin > Server Access > DHCP Relay from the Device Policy selector.

• (Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Server Access > DHCP Relay from the Policy Type selector. Right-click DHCP Relay to create a policy, or select an existing policy from the Shared Policy selector.

Related Topics

• Configuring DHCP Relay, page 14-53

• Add and Edit DHCP Relay Agent Configuration Dialog Boxes, page K-100

• Add and Edit DHCP Relay Server Configuration Dialog Boxes, page K-101

Field Reference

Table K-73 DHCP Relay Page

Element Description

DHCP Relay Agent

Interface Displays the interface for which DHCP relay agent is configured.

DHCP Relay Enabled Indicates whether the DHCP relay agent is enabled on the interface. This column displays “true” if the DHCP relay agent is enabled or “false” if the DHCP relay agent is not enabled on the interface.

Set Route Indicates whether the DHCP relay agent is configured to modify the default router address in the information returned from the DHCP server. This column displays “true” if the DHCP relay agent is configured to change the default router address to the interface address or “false” if the DHCP relay agent does not modify the default router address.

DHCP Servers

Server Displays the IP address of the external DHCP server to which DHCP requests are forwarded.

Interface Displays the interface to which the specified DHCP server is attached.

Timeout (seconds) Specifies the amount of time, in seconds, allowed for DHCP address negotiation. Valid values range from 1 to 3600 seconds.

Add and Edit DHCP Relay Agent Configuration Dialog Boxes

Use the Add DHCP Relay Agent Configuration dialog box to enable and configure the DHCP relay agent for an interface. Use the Edit DHCP Relay Agent Configuration dialog box to update an existing interface relay agent.

Note The Add DHCP Relay Agent Configuration dialog box and the Edit DHCP Relay Agent Configuration dialog box are virtually identical; the following descriptions apply to both.

Navigation Path

You can access the Add and Edit DHCP Relay Agent Configuration dialog boxes from the DHCP Relay page. For more information about the DHCP Relay page, see DHCP Relay Page, page K-99.

Related Topics

• Configuring DHCP Relay, page 14-53

• Server Access, page K-96

• DHCP Relay Page, page K-99

• Add and Edit DHCP Relay Server Configuration Dialog Boxes, page K-101

Field Reference

Table K-74 Add and Edit DHCP Relay Agent Configuration Dialog Boxes

Element Description

Interface Interface on which you want to enable the DHCP relay agent.

Enable DHCP Relay If selected, the DHCP relay agent is enabled on the selected interface.

Set Route Specifies whether the DHCP relay agent is configured to modify the default router address in the information returned from the DHCP server. When this option is selected, the DHCP relay agent substitutes the address of the selected interface for the default router address in the information returned from the DHCP server.

Add and Edit DHCP Relay Server Configuration Dialog Boxes

Use the Add DHCP Relay Server Configuration dialog box to define a new DHCP relay server; use the Edit DHCP Relay Server Configuration dialog box to update existing server information. You can define up to four DHCP relay servers.

Note The Add DHCP Relay Server Configuration dialog box and the Edit DHCP Relay Server Configuration dialog box are virtually identical; the following descriptions apply to both.

Navigation Path

You can access the Add and Edit DHCP Relay Server Configuration dialog boxes from the DHCP Relay page. For more information about the DHCP Relay page, see DHCP Relay Page, page K-99.

Related Topics

• Configuring DHCP Relay, page 14-53

• Server Access, page K-96

• DHCP Relay Page, page K-99

• Add and Edit DHCP Relay Agent Configuration Dialog Boxes, page K-100

Field Reference

Table K-75 Add and Edit DHCP Relay Server Configuration Dialog Boxes

Element Description

Server Enter or Select the IP address of the external DHCP server to which DHCP requests are forwarded.

Interface Enter or Select the interface through which DHCP requests are forwarded to the external DHCP server.

DHCP Server Page

Use the DHCP Server page to configure global DHCP server and dynamic DNS (DDNS) updating options for the selected device, to set up a DHCP server on one or more device interfaces, and to configure advanced server options.

For more information about DHCP servers, see Configuring DHCP Servers, page 14-54.

Navigation Path

• (Device view) Select Platform > Device Admin > Server Access > DHCP Server from the Device Policy selector.

• (Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Server Access > DHCP Server from the Policy Type selector. Select an existing policy from the Shared Policy selector, or right-click DHCP Server to create a new policy.

Related Topics

• Configuring DHCP Servers, page 14-54

• Server Access, page K-96

• Add/Edit DHCP Server Interface Configuration Dialog Boxes, page K-104

• Add/Edit DHCP Server Advanced Configuration Dialog Box, page K-104

Field Reference

Table K-76 DHCP Server Page

Element Description

Ping Timeout Specifies the amount of time, in milliseconds, that the firewall device waits to time out a DHCP ping attempt. To avoid address conflicts, firewall devices send two ICMP ping packets to an address before assigning that address to a DHCP client. Valid values range from 10 to 10000 milliseconds.

Lease Length Specifies the amount of time, in seconds, that the client can use its allocated IP address before the lease expires. Valid values range from 300 to 1048575 seconds. The default value is 3600 seconds (1 hour).

Enable auto-configuration

Select this option to enable DHCP auto configuration.

DHCP auto configuration causes the DHCP server to provide DHCP clients with DNS server, domain name, and WINS server information obtained from a DHCP client running on the specified interface. If any of the information obtained through auto configuration is also specified manually in the Override settings from DHCP client area, the manually specified information takes precedence over the discovered information.

Interface If Enable auto-configuration is checked, this field is available. Specifies the interface running the DHCP client that supplies the DNS, WINS, and domain name parameters.

Define settings

Domain Name (Optional)

Specifies the DNS domain name for DHCP clients. Enter a valid DNS domain name; for example, example.com.

Primary DNS Server (Optional)

Specifies the IP address of the primary DNS server for a DHCP client.


Secondary DNS Server (Optional)

Specifies the IP address of the alternate DNS server for a DHCP client.

Primary WINS Server (Optional)

Specifies the IP address of the primary WINS server for a DHCP client.

Secondary WINS Server (Optional)

Specifies the IP address of the alternate WINS server for a DHCP client.

Dynamic DNS Update

Enable Dynamic DNS Update

Select this option to define global DDNS update options:

• Select the type of resource-record updating: PTR Record only, or A Record and PTR Record.

• You also can select Override DHCP Client Request. If selected, DHCP server updates override any updates requested by DHCP clients.

Available only on ASA/PIX 7.2 and higher.

DHCP Server Interface Configuration table

Interface table This table lists device interfaces on which a DHCP server, DDNS updating, or both are configured:

• Interface – An interface on which a DHCP server or DDNS update is configured.

• DHCP Address Pool – Identifies the pool of addresses from which the DHCP server can assign an IP address for the specified interface.

• Enable DHCP Server – Indicates whether a DHCP server is enabled on the interface; true or false.

• Dynamic DNS Update – Indicates whether a DDNS update is enabled on the interface; true or false.

Add button Opens the Add DHCP Server Interface Configuration dialog box; used to define a DHCP server, DDNS updating, or both on a specific interface. Refer to Add/Edit DHCP Server Interface Configuration Dialog Boxes, page K-104 for more information.

Edit button Opens the Edit DHCP Server Interface Configuration dialog box; used to update DHCP server configuration, DDNS updating, or both on the selected interface. Refer to Add/Edit DHCP Server Interface Configuration Dialog Boxes, page K-104 for more information.

Delete button Deletes the selected entry in the DHCP Server Interface Configuration table. A confirmation dialog box may appear; click OK to delete the entry.

Advanced Options

Advanced button Click to display the Add/Edit DHCP Server Advanced Configuration dialog box. See Add/Edit DHCP Server Advanced Configuration Dialog Box, page K-104 for more information.


Add/Edit DHCP Server Interface Configuration Dialog Boxes

Use the Add DHCP Server Interface Configuration and Edit DHCP Server Interface Configuration dialog boxes to enable DHCP and specify a DHCP address pool for the specified interface, and to enable dynamic DNS (DDNS) updating on the interface.

Note Other than the titles, the two dialog boxes are identical.

Navigation Path

You can access the Add DHCP Server Interface Configuration and Edit DHCP Server Interface Configuration dialog boxes from the DHCP Server page. For more information about the DHCP Server page, see DHCP Server Page, page K-102.

Related Topics

• Configuring DHCP Servers, page 14-54

• Server Access, page K-96

• DHCP Server Page, page K-102

• Add/Edit DHCP Server Advanced Configuration Dialog Box, page K-104

• Add/Edit DHCP Server Option Dialog Box, page K-105

Field Reference

Table K-77 Add/Edit DHCP Server Interface Configuration Dialog Box

Element Description

Interface Identifies the interface on which you are configuring a DHCP server. Enter an interface name, or select an interface object.

DHCP Address Pool Enter the beginning and ending addresses, separated by a hyphen, for the range of IP addresses that the DHCP server will use when assigning IP addresses.

Enable DHCP Server Select this option to enable a DHCP server on this interface.

Enable Dynamic DNS Update

Select this option to enable DDNS updating by this DHCP server. Select the record(s) to be updated:

• PTR Record

• A Record and PTR Record

You also can select Override DHCP Client Request. If selected, DHCP server updates override any updates requested by DHCP clients.

Add/Edit DHCP Server Advanced Configuration Dialog Box

The Add/Edit DHCP Server Advanced Configuration dialog box lets you manage DHCP options configured for the DHCP server. These options provide additional information to DHCP clients. For example, DHCP option 150 and DHCP option 66 provide TFTP server information to Cisco IP Phones and Cisco IOS routers.


Navigation Path

You can access the Add/Edit DHCP Server Advanced Configuration dialog box by clicking the Advanced button on the DHCP Server page. For more information about the DHCP Server page, see DHCP Server Page, page K-102.

Related Topics

• Configuring DHCP Servers, page 14-54

• Server Access, page K-96

• DHCP Server Page, page K-102

• Add/Edit DHCP Server Interface Configuration Dialog Boxes, page K-104

• Add/Edit DHCP Server Option Dialog Box, page K-105

Field Reference

Add/Edit DHCP Server Option Dialog Box

The Add and Edit DHCP Server Option dialog boxes let you configure DHCP server option parameters. You use DHCP options to provide additional information to DHCP clients. For example, DHCP option 150 and DHCP option 66 provide TFTP server information to Cisco IP Phones and Cisco IOS routers.

Navigation Path

You can access the Add and Edit DHCP Server Option dialog boxes from the Add/Edit DHCP Server Advanced Configuration Dialog Box, page K-104.

Table K-78 Add/Edit DHCP Server Advanced Configuration Dialog Box

Element Description

Options table This table lists configured DHCP server options:

• Option Code – The numeric code representing the configured option. All DHCP options (options 1 through 255) are supported except 1, 12, 50-54, 58-59, 61, 67, and 82.

• Type – The type of information the option returns to the DHCP client: IP, ASCII, or HEX.

• Data – The information provided for the chosen Type: one or two IP addresses, an ASCII string, or a hexadecimal string.

Add button Opens the Add DHCP Server Option dialog box; used to define a new DHCP server option. See Add/Edit DHCP Server Option Dialog Box, page K-105 for more information.

Edit button Opens the Edit DHCP Server Option dialog box; used to update the selected DHCP server option. See Add/Edit DHCP Server Option Dialog Box, page K-105 for more information.

Delete button Deletes the selected entry in the Options table. A confirmation dialog box may appear; click OK to delete the entry.


Related Topics

• Configuring DHCP Servers, page 14-54

• DHCP Server Page, page K-102

• Add/Edit DHCP Server Interface Configuration Dialog Boxes, page K-104

• Add/Edit DHCP Server Advanced Configuration Dialog Box, page K-104

Field Reference

DNS Page

The DNS page lets you specify one or more DNS servers for a firewall device so it can resolve server names to IP addresses in your WebVPN configuration or certificate configuration. Other features that define server names (such as AAA) do not support DNS resolution.

Navigation Path

• (Device view) Select Platform > Device Admin > Server Access > DNS from the Device Policy selector.

• (Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Server Access > DNS from the Policy Type selector. Right-click DNS to create a policy, or select an existing policy from the Shared Policy selector.

Related Topics

• Add DNS Server Group Dialog Box, page K-107

• Add DNS Server Dialog Box, page K-108

• Edit Interfaces Dialog Box, page K-108

Table K-79 Add/Edit DHCP Server Option Dialog Box

Element Description

Option Code Choose an option from the list of available option codes. All DHCP options (options 1 through 255) are supported except 1, 12, 50-54, 58-59, 61, 67, and 82.

Type Choose the type of information the option returns to the DHCP client:

• IP – Choosing this type specifies that an IP address is returned to the DHCP client. You can provide up to two IP addresses.

• ASCII – Choosing this type specifies that an ASCII value is returned to the DHCP client. Provide the ASCII character string, which cannot include spaces.

• HEX – Choosing this type specifies that a hexadecimal value is returned to the DHCP client. Provide the HEX string with an even number of digits and no spaces; you do not need to use a 0x prefix.
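As an added example (not part of the Cisco documentation), the following Python applies the Option Code, Type and Data rules from the Advanced Configuration and Option dialogs above to a constructed Options table, serialises each row into the code/length/value form a client actually receives (RFC 2132), and parses it back. The reserved-code set is taken from the table; treating two IP addresses as space-separated is my assumption, since the page does not say how the field delimits them. The sample rows use option 66 and option 150, the TFTP pointers the text mentions, because whoever controls those values controls where IP phones fetch firmware and configuration.

```python
import ipaddress
import struct
from typing import List, Tuple

# Codes the dialog does not offer; the appliance fills these itself (subnet
# mask, host name, lease negotiation, server and client identifiers,
# bootfile name, relay agent information).
RESERVED = {1, 12, 50, 51, 52, 53, 54, 58, 59, 61, 67, 82}
END = 255   # RFC 2132 end-of-options marker
PAD = 0


def option_value(code: int, typ: str, data: str) -> bytes:
    """Apply the Option Code/Type/Data rules from the dialog and return the
    option's value bytes. Two IP addresses are assumed to be entered
    space-separated; the page does not say how the field delimits them."""
    if not 1 <= code <= 255 or code in RESERVED:
        raise ValueError(f"option {code} cannot be configured here")
    if typ == "IP":
        addrs = data.split()
        if not 1 <= len(addrs) <= 2:
            raise ValueError("IP type takes one or two addresses")
        return b"".join(ipaddress.IPv4Address(a).packed for a in addrs)
    if typ == "ASCII":
        if not data or " " in data or not data.isascii():
            raise ValueError("ASCII type: non-empty string without spaces")
        return data.encode("ascii")
    if typ == "HEX":
        if not data or len(data) % 2 or data.lower().startswith("0x"):
            raise ValueError("HEX type: even number of digits, no 0x prefix")
        return bytes.fromhex(data)          # rejects non-hex characters
    raise ValueError(f"unknown type {typ!r}")


def encode_option(code: int, typ: str, data: str) -> bytes:
    """Code, length, value: the TLV form the client receives (RFC 2132)."""
    value = option_value(code, typ, data)
    if len(value) > 255:
        raise ValueError("option value exceeds 255 bytes")
    return struct.pack("!BB", code, len(value)) + value


def encode_options(rows: List[Tuple[int, str, str]]) -> bytes:
    """Serialise a whole Options table, terminated by END."""
    return b"".join(encode_option(*row) for row in rows) + bytes([END])


def decode_options(blob: bytes) -> List[Tuple[int, bytes]]:
    """Walk the TLV list back into (code, value) pairs; stops at END."""
    out, i = [], 0
    while i < len(blob) and blob[i] != END:
        if blob[i] == PAD:
            i += 1
            continue
        code, length = blob[i], blob[i + 1]
        out.append((code, blob[i + 2:i + 2 + length]))
        i += 2 + length
    return out


def rejected(code: int, typ: str, data: str) -> bool:
    """True when the row fails validation (used to show the edge cases)."""
    try:
        option_value(code, typ, data)
    except ValueError:
        return True
    return False


# Constructed Options table: option 66 (TFTP server name) and option 150
# (TFTP server addresses) steer where IP phones fetch firmware and config,
# so these rows deserve the same review as any file-server pointer.
ROWS = [
    (66, "ASCII", "tftp.example.com"),
    (150, "IP", "192.0.2.20 192.0.2.21"),
    (43, "HEX", "0104c0000214"),          # vendor-specific, raw bytes
]

if __name__ == "__main__":
    blob = encode_options(ROWS)
    print(blob.hex())
    for code, value in decode_options(blob):
        print(code, value.hex())
```

The excluded codes are the ones a DHCP server must derive from its own pool and lease state (subnet mask, lease times, server identifier, relay agent information); letting an operator hand-set option 67 or 82, for instance, would let a static value override what the protocol negotiates.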


Field Reference

Add DNS Server Group Dialog Box

Use the Add DNS Server Group dialog box to define the DNS servers and settings for a DNS server group.

Navigation Path

You can access the Add DNS Server Group dialog box from the DNS page. For more information about the DNS page, see DNS Page, page K-106.

Related Topics

• DNS Page, page K-106

• Add DNS Server Dialog Box, page K-108

Table K-80 DNS Page

Element Description

DNS Server Groups

Name The name of the DNS server group.

Servers Lists the DNS servers to use for resolving server names in commands. You can specify up to six DNS servers. The firewall device tries each DNS server in order until it receives a response.

Timeout Specifies the number of seconds, from 1 to 30, to wait before trying the next DNS server. The default is 2 seconds. Each time the firewall device retries the list of servers, this timeout doubles.

Retries Specifies the number of times, from 0 to 10, to retry the list of DNS servers when the firewall device does not receive a response.

Domain Specifies the DNS domain name for the server. Enter a valid DNS domain name; for example, example.com.

DNS Lookup Interfaces Lists the interfaces on which you want to enable DNS lookup.

Enable DNS Guard (ASA/PIX 7.0(5), 7.2(x) and 8.x only)

Select this check box to enable DNS Guard for the selected device or shared policy. DNS guard tears down the DNS session associated with a DNS query as soon as the DNS reply is forwarded by the security appliance. DNS guard also monitors the message exchange to ensure that the ID of the DNS reply matches the ID of the DNS query.

This command is effective only on interfaces for which DNS inspection is disabled. When DNS inspection is enabled, the DNS guard function is always performed.

Note In releases prior to 7.0(5), the DNS guard functions are always enabled regardless of the configuration of DNS inspection.
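The two checks the DNS Guard description makes, as an added example (this is not Cisco code and does not reproduce the appliance's connection table): a reply is forwarded only if its transaction ID matches an outstanding query between the same client and server, and that per-query state is torn down as soon as the first matching reply goes through, so a later reply that reuses the real ID is dropped instead of reaching the client. The DNS messages, addresses and the (client, server, ID) keying are constructed for the example.

```python
import struct
from typing import List, Set, Tuple

# RFC 1035 header: ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
HEADER = struct.Struct("!HHHHHH")
QR = 0x8000          # query/response bit in FLAGS

Endpoint = Tuple[str, int]


def parse_header(pkt: bytes) -> Tuple[int, bool]:
    """Return (transaction ID, is_reply) from a raw DNS message."""
    if len(pkt) < HEADER.size:
        raise ValueError("short DNS message")
    ident, flags = HEADER.unpack_from(pkt)[:2]
    return ident, bool(flags & QR)


class DnsGuard:
    """Per-query state as the DNS Guard description implies: a reply is
    forwarded only if its ID matches an outstanding query from the same
    client to the same server, and that state is removed as soon as the
    first matching reply goes through. Keying on (client, server, ID) is
    this example's simplification of the appliance's connection table."""

    def __init__(self) -> None:
        self.pending: Set[Tuple[Endpoint, Endpoint, int]] = set()

    def outbound_query(self, client: Endpoint, server: Endpoint, pkt: bytes) -> bool:
        ident, is_reply = parse_header(pkt)
        if is_reply:
            return False                      # replies never open state outbound
        self.pending.add((client, server, ident))
        return True

    def inbound_reply(self, client: Endpoint, server: Endpoint, pkt: bytes) -> bool:
        ident, is_reply = parse_header(pkt)
        key = (client, server, ident)
        if not is_reply or key not in self.pending:
            return False                      # no matching query, or ID mismatch
        self.pending.discard(key)             # tear down: one reply per query
        return True


def build(ident: int, reply: bool) -> bytes:
    """Constructed minimal message for example.com/A (one question)."""
    flags = 0x8180 if reply else 0x0100       # QR|RD|RA versus RD only
    question = b"\x07example\x03com\x00" + b"\x00\x01\x00\x01"
    return HEADER.pack(ident, flags, 1, 0, 0, 0) + question


CLIENT: Endpoint = ("10.0.0.5", 40123)
RESOLVER: Endpoint = ("192.0.2.53", 53)


def simulate() -> List[Tuple[str, bool]]:
    """Replay: one real query, then a forged reply with a guessed ID, the
    genuine reply, a late forged reply that reuses the real ID, and a reply
    for which no query was ever seen."""
    guard = DnsGuard()
    guard.outbound_query(CLIENT, RESOLVER, build(0x1A2B, reply=False))
    return [
        ("forged reply, wrong ID", guard.inbound_reply(CLIENT, RESOLVER, build(0x1A2C, True))),
        ("genuine reply", guard.inbound_reply(CLIENT, RESOLVER, build(0x1A2B, True))),
        ("late forged reply, real ID", guard.inbound_reply(CLIENT, RESOLVER, build(0x1A2B, True))),
        ("reply with no query", guard.inbound_reply(CLIENT, RESOLVER, build(0x7777, True))),
    ]


if __name__ == "__main__":
    for label, forwarded in simulate():
        print(f"{label:28s} {'forwarded' if forwarded else 'dropped'}")
```

Without the guard, the UDP connection the query opened stays up until the UDP idle timeout expires, which is exactly the window a forger needs to land a reply after the real answer or after guessing the ID; with DNS inspection enabled the same check is always performed, as the table notes.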

Field Reference

Table K-81 Add DNS Server Group Dialog Box

Element Description

Name The name of the DNS server group.

DNS Servers Lists the DNS servers to use for resolving server names in commands. You can specify up to six DNS servers. The firewall device tries each DNS server in order until it receives a response.

Timeout Specifies the number of seconds, from 1 to 30, to wait before trying the next DNS server. The default is 2 seconds. Each time the firewall device retries the list of servers, this timeout doubles.

Retries Specifies the number of times, from 0 to 10, to retry the list of DNS servers when the firewall device does not receive a response.

Domain Name Specifies the DNS domain name for the server. Enter a valid DNS domain name; for example, example.com.

Add DNS Server Dialog Box

Use the Add DNS Server dialog box to define DNS servers.

Navigation Path

You can access the Add DNS Server dialog box from the Add DNS Server Group dialog box. For more information about the Add DNS Server Group dialog box, see Add DNS Server Group Dialog Box, page K-107.

Related Topics

• DNS Page, page K-106

• Add DNS Server Group Dialog Box, page K-107

Field Reference

Table K-82 Add DNS Server Dialog Box

Element Description

DNS Server Enter the IP address or the object name of the DNS server. When you click OK, the DNS server is added to the DNS Servers list.

Select Click to select the DNS server from a list of host objects.

Edit Interfaces Dialog Box

Use the Edit Interfaces dialog box to specify the interfaces on which you want DNS look-up enabled.

Navigation Path

You can access the Edit Interfaces dialog box from the DNS page. For more information about the DNS page, see DNS Page, page K-106.

Related Topics

• DNS Page, page K-106

Field Reference

Table K-83 Edit Interfaces Dialog Box

Element Description

Interfaces Enter the names of the interfaces, separated by commas, on which you want to enable DNS look-up. When you click OK, the interfaces are added to the DNS Lookup Interfaces list.

Select Click to select the interfaces on which you want to enable DNS look-up from a list of interface objects.

DDNS Page

Beginning with version 7.2(3), security appliances can generate dynamic DNS (DDNS) updates as hosts acquire IP addresses. The DDNS page is where you configure this feature.

Navigation Path

• (Device view) Select Platform > Device Admin > Server Access > DDNS from the Device Policy selector.

• (Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Server Access > DDNS from the Policy Type selector. Right-click DDNS to create a policy, or select an existing policy from the Shared Policy selector.

Related Topics

• Add/Edit DDNS Interface Rule Dialog Box, page K-110

• Configuring DDNS, page 14-57

Field Reference

Table K-84 DDNS Page

Element Description

Dynamic DNS Interface Settings

This table lists currently defined DDNS interface-update rules, presenting the following information for each:

• Interface – The name of the interface to which this update method is assigned.

• Method Name – The name assigned to this update method.

• Hostname – The name or IP address of the DDNS client.

• Update DHCP – The setting on the interface for DHCP client update requests; specifies whether the DHCP server updates the PTR resource record, both the A and PTR records, or neither.

DHCP Client requests DHCP Server to update records

The global setting on the appliance for DHCP client update requests. This option enables the client to send DDNS updates via the DHCP server, and specifies what is updated: the PTR resource record, both the A and PTR resource records, or neither. Choose Not Selected, Only PTR Record, Both A and PTR Record, or No Update.

DHCP Client ID Interface Specify an interface on the appliance for global DHCP client update requests: enter an interface name or IP address, or Select an interface object.

Enable DHCP Client Broadcast

Select this option to allow DHCP clients on the device to broadcast DDNS updates.

Add/Edit DDNS Interface Rule Dialog Box

Use the Add/Edit DDNS Interface Rule dialog box to manage rules for dynamic DNS updates. These rules are defined on a per-interface basis.

Navigation Path

You access the Add/Edit DDNS Interface Rule dialog box from the DDNS page. For more information about the DDNS page, see DDNS Page, page K-109.

Related Topics

• DDNS Page, page K-109

• DDNS Update Methods Dialog Box, page K-111

Field Reference

Table K-85 Add/Edit DDNS Interface Rule Dialog Box

Element Description

Interface Enter the name of the interface on which DDNS is to be configured. You also can Select the interface from a list of interface objects.

Method Name Choose a previously defined method for DDNS update, or choose Add/Edit Update Method to define a new method. The DDNS Update Methods dialog box opens; refer to DDNS Update Methods Dialog Box, page K-111 for more information.

Hostname The name of a DDNS server host to which updates will be sent.

DHCP Client requests DHCP Server to update records

Choose Not Selected, Only PTR Record, Both A and PTR Record, or No Update.


DDNS Update Methods Dialog Box

Use the DDNS Update Methods dialog box to define and manage methods for dynamic DNS updates. Each defined method specifies an update interval and the resource record(s) to be updated.

Navigation Path

You access the DDNS Update Methods dialog box by choosing Add/Edit Update Method from the Method Name drop-down list in the Add/Edit DDNS Interface Rule Dialog Box, page K-110.

Related Topics

• DDNS Page, page K-109

• Add/Edit DDNS Interface Rule Dialog Box, page K-110

• Add/Edit DDNS Update Methods Dialog Box, page K-111

Field Reference

Table K-86 DDNS Update Methods Dialog Box

Element Description

Update Methods This table lists the currently defined update methods. Each entry includes the Method Name, update Interval, and specified type of DNS server record update.

Add Row button Opens the Add/Edit DDNS Update Methods Dialog Box, page K-111, letting you define a new update method.

Edit Row button Opens the Add/Edit DDNS Update Methods Dialog Box, page K-111, letting you edit the method currently selected in the Update Methods table.

Delete Row button Deletes the update method currently selected in the Update Methods table; confirmation may be required.

Add/Edit DDNS Update Methods Dialog Box

Use the Add/Edit DDNS Update Methods dialog box to define or edit a DDNS update method; these are listed in the DDNS Update Methods Dialog Box, page K-111.

Navigation Path

You access the Add/Edit DDNS Update Methods dialog box by clicking the Add Row button or the Edit Row button in the DDNS Update Methods Dialog Box, page K-111.

Related Topics

• DDNS Page, page K-109

• Add/Edit DDNS Interface Rule Dialog Box, page K-110

• DDNS Update Methods Dialog Box, page K-111


Field Reference

Table K-87 Add/Edit DDNS Update Methods Dialog Box

Element Description

Method Name Provide an identifier for the method.

Update Interval Specify how often records are to be updated for this method: provide a number of days, hours, minutes, and seconds.

Update Records Specify the resource record(s) to be updated: select Not Defined, A Records, or Both A and PTR Records.

NTP Page

Use the NTP page to define NTP servers to dynamically set the time on a firewall device.

Note Time derived from an NTP server overrides any time set manually in the Clock panel.

Navigation Path

• (Device view) Select Platform > Device Admin > Server Access > NTP from the Device Policy selector.

• (Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Server Access > NTP from the Policy Type selector. Right-click NTP to create a policy, or select an existing policy from the Shared Policy selector.

Related Topics

• Configuring NTP Settings, page 14-58

• Server Access, page K-96

• NTP Server Configuration Dialog Box, page K-113

Field Reference

Table K-88 NTP Page

Element Description

Enable NTP Authentication Enables or disables authentication with an NTP server. NTP is used to implement a hierarchical system of servers that provide a precisely synchronized time among network systems. This kind of accuracy is required for time-sensitive operations, such as validating Certificate Revocation Lists (CRLs).

If you enable authentication, the security appliance only communicates with an NTP server if it uses the correct trusted key in the packets. The security appliance also uses an authentication key to synchronize with the NTP server.

NTP Server Table

IP Address Specifies the IP address of the NTP server.

Interface Identifies the interface from which the firewall gets NTP packets.


Table K-88 NTP Page (Continued)

Element Description

Preferred Displays Yes if the selected server is preferred, and No if it is not preferred. NTP uses an algorithm to determine which server is the most accurate and synchronizes to that one. If servers are of similar accuracy, this option specifies which of those servers to use. However, if a server is significantly more accurate than the preferred one, the security appliance uses the more accurate one. For example, the security appliance uses a server of stratum 2 over a server of stratum 3 that is preferred. We recommend that you configure an NTP server as preferred only when multiple servers have the same stratum.

Key Number Specifies the authentication key number, a value from 1 to 4294967295.

Trusted Specifies if the authentication key is trusted. A trusted key is similar to a password used to authenticate an NTP server.

NTP Server Configuration Dialog Box

Use the NTP Server Configuration dialog box to add or edit an NTP server.

Navigation Path

You can access the NTP Server Configuration dialog box from the NTP page. For more information about the NTP page, see NTP Page, page K-112.

Related Topics

• Configuring NTP Settings, page 14-58

• Server Access, page K-96

• NTP Page, page K-112

Field Reference

Table K-89 NTP Server Configuration Dialog Box

Element Description

IP Address Enter the IP address of the NTP server. You can click Select to select the IP address from a list of IP address objects.

Preferred Sets this NTP server as the preferred server if multiple servers have similar accuracy. NTP uses an algorithm to determine which server is the most accurate and synchronizes to that one. If servers are of similar accuracy, then this option specifies which of those servers to use. However, if a server is significantly more accurate than the preferred one, the security appliance uses the more accurate one. For example, the security appliance uses a server of stratum 2 over a server of stratum 3 that is preferred. We recommend that you configure an NTP server as preferred only when multiple servers have the same stratum.

Interface Specify the outgoing interface for NTP packets. You can click Select to select the interface from a list of interface objects.


Table K-89 NTP Server Configuration Dialog Box (Continued)

Element Description

Authentication Key

Key Number Sets the key ID for this authentication key. The NTP server packets must also use this key ID. If you previously configured a key ID for another server, you can select it in the list; otherwise, type a number between 1 and 4294967295.

Trusted Specify whether the NTP server is trusted.

Key Value Enter the key value, an arbitrary string of up to 32 characters.

Confirm Re-enter the key value.

SMTP Server Page

Use the SMTP Server page to specify the IP address of an SMTP server and optionally, the IP address of a backup server.

Navigation Path

• (Device view) Select Platform > Device Admin > Server Access > SMTP Server from the Device Policy selector.

• (Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Server Access > SMTP Server from the Policy Type selector. Right-click SMTP Server to create a policy, or select an existing policy from the Shared Policy selector.

Related Topics

• Configuring SMTP Servers, page 14-59

Field Reference

Table K-90 SMTP Server Page

Element Description

Primary Server IP Address The IP address of the SMTP server.

Secondary Server IP Address The IP address of a secondary SMTP server.

TFTP Server Page

TFTP is a simple client/server file transfer protocol described in RFC783 and RFC1350 Rev. 2. You can use the TFTP Server page to configure a firewall device to propagate its configuration files to a server using the Trivial File Transfer Protocol (TFTP). Only one server is supported.

Navigation Path

• (Device view) Select Platform > Device Admin > Server Access > TFTP Server from the Device Policy selector.

• (Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Server Access > TFTP Server from the Policy Type selector. Right-click TFTP Server to create a policy, or select an existing policy from the Shared Policy selector.


Related Topics

• Configuring TFTP Servers, page 14-59

Field Reference

Table K-91 TFTP Server Page

Element Description

Interface Name of the interface on which the TFTP server resides.

IP Address IP address of the TFTP server.

Directory TFTP server path, beginning with “/” and ending in the filename, to which the configuration files will be written.

User Accounts Page

Use the User Accounts page to manage the local user database. For more information, see Configuring User Accounts, page 14-60.

Navigation Path

• (Device view) Select Platform > Device Admin > User Accounts from the Device Policy selector.

• (Policy view) Select PIX/ASA/FWSM Platform > Device Admin > User Accounts from the Policy Type selector. Right-click User Accounts to create a policy, or select an existing policy from the Shared Policy selector.

Related Topics

• Configuring User Accounts, page 14-60

• Add/Edit User Account Dialog Box, page K-115

Field Reference

Table K-92 User Accounts Page

Element Description

Username The name of the user account to which these parameters apply.

Privilege Level The privilege level assigned to this user. The privilege level is used with local command authorization. The range is 0 (lowest) to 15 (highest). The default privilege level is 2.

Add/Edit User Account Dialog Box

Use the Add/Edit User Account dialog box to add a user account, or to modify an existing user account.

Navigation Path

You can access the Add/Edit User Account dialog box from the User Accounts Page, page K-115.


Related Topics

• Configuring User Accounts, page 14-60

• User Accounts Page, page K-115

Field Reference

Table K-93 Add/Edit User Account Dialog Box

Element Description

Username Enter a name for this user account; must be at least four characters. Entries are case-sensitive.

Password Enter a unique password for this user account; must be at least three characters. The maximum is 32 characters. Entries are case-sensitive.

Note To protect security, we recommend a password length of at least eight characters.

Confirm Re-enter the user password to verify it.

Privilege Level Selects the privilege level for this user to use with local command authorization. The range is 0 (lowest) to 15 (highest). The default privilege level is 2.

Logging Policies

The Logging feature lets you enable and manage NetFlow “collectors,” and enable logging, set up logging parameters, configure event lists (syslog filters), apply the filters to a destination, set up syslogs, configure syslog servers, and specify e-mail notification parameters.

After you enable logging and set up the logging parameters using the Logging Setup page, the Event Lists page lets you configure filters (for a set of syslogs) which can be sent to a logging destination. The Logging Filters page lets you specify a logging destination for the syslogs to be sent. Finally, the Syslog and E-Mail pages configure syslog and e-mail setup.

The Logging section consists of the following pages:

• NetFlow Page, page K-117

• Syslog

– E-Mail Setup Page, page K-118

– Event Lists Page, page K-119

– Logging Filters Page, page K-123

– Logging Setup Page, page K-125

– Rate Limit Page, page K-126

– Server Setup Page, page K-128

– Syslog Servers Page, page K-131


NetFlow Page

A device configured for NetFlow data export captures flow-based traffic statistics on the device. This information is periodically transmitted from the device to a NetFlow collection server, in the form of User Datagram Protocol (UDP) datagrams.

The NetFlow page lets you enable NetFlow export on the selected device, and define and manage NetFlow “collectors” to which collected flow information is transmitted.

Note NetFlow data export is available only on the ASA 5580.

Navigation Path

• (Device view) Select Platform > Logging > NetFlow from the Device Policy selector.

• (Policy view) Select PIX/ASA/FWSM Platform > Logging > NetFlow from the Policy Type selector. Select an existing policy from the Shared Policy selector, or right-click NetFlow to create a policy.

Related Topics

• Add and Edit Collector Dialog Boxes (NetFlow), page K-118

• Configuring NetFlow, page 14-61

Field Reference

Table K-94 NetFlow Page

Element Description

Enable Flow Export If checked, NetFlow data export is enabled.

Template Export Interval Interval (in minutes) at which flow information is sent to the collectors. Can be from 1 to 3600 minutes; the default is 30.

Collectors table Displays defined NetFlow collectors.

• Filter – Filters the information displayed in the Collectors table. Click the arrow before the Filter label to hide or display the filtering bar, which lets you set filtering parameters. See Filtering Tables, page 2-16 for more information about filtering the table.

• Interface – Name of the device interface through which the collector is contacted.

• Collector – IP address or network name of the server to which NetFlow packets will be sent.

• UDP Port – UDP port on the specified Collector to which the NetFlow packets will be sent.

Add button Opens the Add Collector dialog box to let you define a new NetFlow collector. See Add and Edit Collector Dialog Boxes (NetFlow), page K-118 for more information.

Edit button Opens the Edit Collector dialog box to let you edit the selected collector definition. See Add and Edit Collector Dialog Boxes (NetFlow), page K-118 for more information.

Delete button Deletes the selected collector definition.


Add and Edit Collector Dialog Boxes (NetFlow)

Use the Add Collector dialog box to define a new NetFlow “collector.”

Note With the exception of the title, the Edit Collector dialog box is identical to the Add Collector dialog box. The following description applies to both.

Navigation Path

You can access the Add and Edit Collector dialog boxes from the NetFlow Page, page K-117.

Related Topics

• NetFlow Page, page K-117

• Configuring NetFlow, page 14-61

Field Reference

Table K-95 Add and Edit Collector Dialog Boxes

Element Description

Interface The name of the device interface through which the collector is contacted.

Collector The IP address or network name of the server to which NetFlow packets will be sent.

UDP Port UDP port on the specified Collector to which the NetFlow packets will be sent. Values can range from 1 to 65535; the default is 2055.

E-Mail Setup Page

The E-Mail Setup page lets you set up a source email address as well as a list of recipients for specified syslogs to be sent as emails. You can filter the syslogs sent to a destination email address by severity. The table shows which entries have been set up.

The syslog severity filter used for the destination email address will be the higher of the severity selected in this section and the global filter set for all email recipients in the Logging Filters page.

Navigation Path

• (Device view) Select Platform > Logging > Syslog > E-Mail Setup from the Device Policy selector.

• (Policy view) Select PIX/ASA/FWSM Platform > Logging > Syslog > E-Mail Setup from the Policy Type selector. Right-click E-Mail Setup to create a policy, or select an existing policy from the Shared Policy selector.

Related Topics

• Logging Policies, page K-116

• Add/Edit Email Recipient Dialog Box, page K-119


Field Reference

Table K-96 E-Mail Setup Page

Element Description

Source Email Address Specifies the email address that will be used as the source address when syslogs are sent as emails.

Destination Email Address column

Specifies the email address of the recipient of the syslog message.

Syslog Severity column Specifies the severity of the syslogs sent to this recipient.

Add/Edit Email Recipient Dialog Box

The Add/Edit Email Recipient dialog box lets you set up a destination email address for a particular severity of syslog messages to be sent.

The syslog severity filter used for the destination email address will be the higher of the severity selected in this section and the global filter set for all email recipients in the Logging Filters page.

Navigation Path

You can access the Add/Edit Email Recipient dialog box from the E-Mail Setup page. For more information about the E-Mail Setup page, see E-Mail Setup Page, page K-118.

Related Topics

• Logging Policies, page K-116

• E-Mail Setup Page, page K-118

Field Reference

Table K-97 Add/Edit Email Recipient Dialog Box

Element Description

Destination Email Address Enter the email address of the recipient of the syslog message.

Syslog Severity list Select the severity of the syslogs to be sent to this recipient.

Event Lists Page

The Event Lists page lets you define a set of syslogs to filter for logging. After you enable logging and set up the logging parameters using the Logging Setup page, the Event Lists page lets you configure filters (of a set of syslogs) which can be sent to a logging destination. The Logging Filters page lets you specify a logging destination for event lists.

You can use three criteria to define an event list:

• Class

• Severity

• Message ID

The class associates related syslog messages so you do not have to select the syslogs individually. For example, the auth class lets you select all the syslog messages that are related to user authentication.


Severity defines syslogs based on the relative importance of the event in the normal functioning of the network. The highest severity is Emergency, which means the resource is no longer available. The lowest severity is Debugging, which provides detailed information about every network event.

The message ID is a numeric value that uniquely identifies each message. You can use the message ID in an event list to identify a range of syslog messages, such as 101001-101010.

Navigation Path

• (Device view) Select Platform > Logging > Syslog > Event Lists from the Device Policy selector.

• (Policy view) Select PIX/ASA/FWSM Platform > Logging > Syslog > Event Lists from the Policy Type selector. Right-click Event Lists to create a policy, or select an existing policy from the Shared Policy selector.

Related Topics

• Logging Policies, page K-116

• Add/Edit Event List Dialog Box, page K-121

Field Reference

Table K-98 Event Lists Page

Element Description

Name Lists the name of the event list.

Event Class/Severity column Lists the event class or logging severity level associated with the event list. Event classes are described in Message Classes and Associated Message ID Numbers, page K-120. Severity levels are described in Logging Levels, page K-130.

Message IDs column Lists a syslog message ID or range of syslog message IDs to include in the filter. For example, 101001-101010.

Message Classes and Associated Message ID Numbers

The following table lists the message classes and the range of message IDs in each class.

Table K-99 Message Classes and Associated Message ID Numbers

Class Definition Message ID Numbers

auth User Authentication 109, 113

bridge Transparent Firewall 110, 220

ca PKI Certification Authority 717

config Command interface 111, 112, 208, 308

e-mail E-mail Proxy 719

ha Failover (High Availability) 101, 102, 103, 104, 210, 311, 709

ids Intrusion Detection System 400, 401, 415

ip IP Stack 209, 215, 313, 317, 408

np Network Processor 319


Table K-99 Message Classes and Associated Message ID Numbers (Continued)

Class Definition Message ID Numbers

ospf OSPF Routing 318, 409, 503, 613

rip RIP Routing 107, 312

rm Resource Manager 321

session User Session 106, 108, 201, 202, 204, 302, 303, 304, 305, 314, 405, 406, 407, 500, 502, 607, 608, 609, 616, 620, 703, 710

snmp SNMP 212

sys System 199, 211, 214, 216, 306, 307, 315, 414, 604, 605, 606, 610, 612, 614, 615, 701, 711

vpdn PPTP and L2TP Sessions 213, 403, 603

vpn IKE and IPsec 316, 320, 402, 404, 501, 602, 702, 713, 714, 715

vpnc VPN Client 611

vpnfo VPN Failover 720

vpnlb VPN Load Balancing 718

webvpn Web-based VPN 716

Add/Edit Event List Dialog Box

The Add/Edit Event List dialog box lets you create or edit an event list and specify which syslogs to include in the event list filter.

You can use three criteria to define an event list:

• Class

• Severity

• Message ID

The class associates related syslog messages so you do not have to select the syslogs individually. For example, the auth class lets you select all syslog messages that are related to user authentication.

Severity defines syslogs based on the relative importance of the event in the normal functioning of the network. The highest severity is Emergency, which means the resource is no longer available. The lowest severity is Debugging, which provides detailed information about every network event.

The message ID is a numeric value that uniquely identifies each message. You can use the message ID in an event list to identify a range of syslog messages, such as 101001-101010.

Navigation Path

You can access the Add/Edit Event List dialog box from the Event Lists page. For more information about the Event Lists page, see Event Lists Page, page K-119.

Related Topics

• Logging Policies, page K-116

• Event Lists Page, page K-119
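As an added illustration (not code from the guide, and not how Security Manager or the appliance implements it), the following Python script applies an event list built from the three criteria above (class, severity, message-ID range) to constructed ASA-style syslog lines. The class table is a subset of Table K-99; the 0 (Emergency) to 7 (Debugging) severity numbering, the rule that a chosen severity includes every more severe level, and the "%ASA-severity-id:" line format are assumptions taken from standard ASA syslog conventions.

```python
"""Added example (not part of the Cisco Security Manager guide): apply an
event-list filter (event class, severity, message-ID range) to ASA-style syslog
lines. Assumptions: a message ID's first three digits identify its class
(Table K-99 subset below); severity 0 = Emergency .. 7 = Debugging; a severity
filter selects that level and all more severe levels; sample lines are constructed."""
import re
from dataclasses import dataclass, field

# Subset of Table K-99: event class -> leading three digits of its message IDs.
MESSAGE_CLASSES = {
    "auth": {109, 113},
    "bridge": {110, 220},
    "config": {111, 112, 208, 308},
    "ha": {101, 102, 103, 104, 210, 311, 709},
    "session": {106, 108, 201, 202, 204, 302, 303, 304, 305, 314, 405, 406,
                407, 500, 502, 607, 608, 609, 616, 620, 703, 710},
    "sys": {199, 211, 214, 216, 306, 307, 315, 414, 604, 605, 606, 610, 612,
            614, 615, 701, 711},
    "vpn": {316, 320, 402, 404, 501, 602, 702, 713, 714, 715},
}

# Standard "%ASA-<severity>-<six-digit id>: <text>" message header.
SYSLOG_RE = re.compile(r"%(?:ASA|PIX|FWSM)-(?P<sev>[0-7])-(?P<id>\d{6}):\s*(?P<text>.*)")


@dataclass
class SyslogMessage:
    severity: int      # 0 (Emergency) .. 7 (Debugging)
    message_id: int    # six-digit ID, e.g. 302013
    text: str

    @property
    def message_class(self):
        """Event class from Table K-99, or None if the prefix is not mapped."""
        prefix = self.message_id // 1000
        for name, prefixes in MESSAGE_CLASSES.items():
            if prefix in prefixes:
                return name
        return None


def parse_syslog(line):
    """Return a SyslogMessage for an ASA-format line, or None if it is not one."""
    m = SYSLOG_RE.search(line)
    if m is None:
        return None
    return SyslogMessage(int(m.group("sev")), int(m.group("id")), m.group("text"))


def parse_id_range(spec):
    """Parse a Message IDs entry: a single ID or a hyphenated range (101001-101010)."""
    low, sep, high = spec.strip().partition("-")
    lo = int(low)
    hi = int(high) if sep else lo
    if hi < lo:
        raise ValueError(f"range end below start: {spec}")
    return lo, hi


@dataclass
class EventList:
    """One event list: class/severity filters plus message-ID ranges."""
    name: str
    class_filters: list = field(default_factory=list)  # (class or "all", severity)
    id_ranges: list = field(default_factory=list)      # (low, high), inclusive

    def matches(self, msg):
        # Severity N selects level N and all more severe (numerically lower) levels.
        for cls, sev in self.class_filters:
            if (cls == "all" or msg.message_class == cls) and msg.severity <= sev:
                return True
        return any(lo <= msg.message_id <= hi for lo, hi in self.id_ranges)


def apply_event_list(event_list, lines):
    """Return the message IDs of the lines the event list would forward."""
    hits = []
    for line in lines:
        msg = parse_syslog(line)
        if msg is not None and event_list.matches(msg):
            hits.append(msg.message_id)
    return hits


# Constructed event list: auth events up to Informational (6), config changes up
# to Notifications (5), and the 106001-106023 block of deny messages by ID.
EXAMPLE_EVENT_LIST = EventList(
    name="auth-config-denies",
    class_filters=[("auth", 6), ("config", 5)],
    id_ranges=[parse_id_range("106001-106023")],
)

SAMPLE_LINES = [  # constructed lines in ASA syslog format, not captured output
    "%ASA-6-109005: Authentication succeeded for user 'alice' from 10.0.0.5/50022 to 10.0.0.1/22",
    "%ASA-6-302013: Built outbound TCP connection 4711 for outside:192.0.2.10/443 to inside:10.0.0.5/50100",
    "%ASA-4-106023: Deny tcp src outside:198.51.100.7/4444 dst inside:10.0.0.5/22 by access-group outside_in",
    "%ASA-2-106001: Inbound TCP connection denied from 198.51.100.7/4444 to 10.0.0.5/22 flags SYN",
    "%ASA-7-111009: User 'enable_15' executed cmd: show running-config",
    "%ASA-5-111008: User 'enable_15' executed the 'logging enable' command.",
    "Jan 1 00:00:00 host kernel: not an ASA message",
]

if __name__ == "__main__":
    for mid in apply_event_list(EXAMPLE_EVENT_LIST, SAMPLE_LINES):
        print(f"event list {EXAMPLE_EVENT_LIST.name!r} forwards message {mid}")
```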


Field Reference

Table K-100 Add/Edit Event List Dialog Box

Element Description

Event List Name A logical name that uniquely identifies this event list.

Event Class/Severity Filters table

This table organizes the event classes and severity levels that comprise the event list.

Message ID Filters table This table organizes the message IDs that comprise the event list.

Add/Edit Syslog Class Dialog Box

The Add/Edit Syslog Class dialog box lets you specify the event class and the severity level to include in the event list filter.

The class associates related syslog messages so you do not have to select the syslogs individually. For example, the auth class lets you select all the syslog messages that are related to user authentication.

Severity defines syslogs based on the relative importance of the event in the normal functioning of the network. The highest severity is Emergency, which means the resource is no longer available. The lowest severity is Debugging, which provides detailed information about every network event.

Navigation Path

You can access the Add/Edit Syslog Class dialog box from the Add/Edit Event List dialog box. For more information about the Add/Edit Event List dialog box, see Add/Edit Event List Dialog Box, page K-121.

Related Topics

• Logging Policies, page K-116

• Event Lists Page, page K-119

• Add/Edit Event List Dialog Box, page K-121

Field Reference

Table K-101 Add/Edit Syslog Class Dialog Box

Element Description

Event Class list Specifies the event class. Event classes are described in Table K-99 on page K-120.

Severity list Specifies the level of logging messages. Severity levels are described in Table K-109 on page K-130.

Add/Edit Syslog Message ID Filter Dialog Box

The Add/Edit Syslog Message ID Filter dialog box lets you specify the syslog message IDs to include in the event list filter.

Navigation Path

You can access the Add/Edit Syslog Message ID Filter dialog box from the Add/Edit Event List dialog box. For more information about the Add/Edit Event List dialog box, see Add/Edit Event List Dialog Box, page K-121.


Related Topics

• Logging Policies, page K-116

• Event Lists Page, page K-119

• Add/Edit Event List Dialog Box, page K-121

Field Reference

Message IDs – Specifies a syslog message ID, or a range of IDs. Use a hyphen to specify a range; for example, 101001-101010.

Logging Filters Page

The Logging Filters page lets you configure a logging destination for event lists (syslog filters) that have been configured using the Event Lists page, or for only the syslogs that you specify using the Edit Logging Filters dialog box. Syslogs from specific or all event classes can be selected using the Edit Logging Filters dialog box.

Navigation Path

• (Device view) Select Platform > Logging > Syslog > Logging Filters from the Device Policy selector.

• (Policy view) Select PIX/ASA/FWSM Platform > Logging > Syslog > Logging Filters from the Policy Type selector. Right-click Logging Filters to create a policy, or select an existing policy from the Shared Policy selector.

Related Topics

• Logging Policies, page K-116

• Edit Logging Filters Dialog Box, page K-124

Field Reference

Table K-102 Logging Filters Page

Element Description

Logging Destination Lists the name of the logging destination to which messages matching this filter are sent. Logging destinations are as follows:

• Internal Buffer. Messages matching this filter are published to the internal buffer of the security appliance.

• Console. Messages matching this filter are published to any console port connections.

• Telnet Sessions. Messages matching this filter are published to any Telnet sessions connected to the security appliance.

• Syslog Servers. Messages matching this filter are published to any syslog servers specified on the Platform > Logging > Syslog Servers page.

• E-Mail. Messages matching this filter are published to any recipients specified on the Platform > Logging > E-mail Setup (PIX7.0/ASA Only) page.

• SNMP Trap. Messages matching this filter are published to any SNMP management stations specified on the Platform > Device Admin > Device Access > SNMP page.

• ASDM. Messages matching this filter are published to any ASDM sessions.


Table K-102 Logging Filters Page (Continued)

Element Description

Syslogs From All Event Classes

Lists the severity on which to filter, the event list to use, or whether logging is disabled from all event classes. Event classes are described in Message Classes and Associated Message ID Numbers, page K-120.

Syslogs From Specific Event Classes

Lists event class and severity set up as the filter. Event classes are described in Message Classes and Associated Message ID Numbers, page K-120. Severity levels are described in Logging Levels, page K-130.

Edit Logging Filters Dialog Box

The Edit Logging Filters dialog box lets you edit filters for a logging destination. Syslogs can be configured from all or specific event classes, or disabled for a specific logging destination.

Navigation Path

You can access the Edit Logging Filters dialog box from the Logging Filters page. For more information about the Logging Filters page, see Logging Filters Page, page K-123.

Related Topics

• Logging Policies, page K-116

• Logging Filters Page, page K-123

Field Reference

Table K-103 Edit Logging Filters Dialog Box

Element Description

Logging Destination list Specifies the logging destination for this filter:

• Internal Buffer. Messages matching this filter are published to the internal buffer of the security appliance.

• Console. Messages matching this filter are published to any console port connections.

• Telnet Sessions. Messages matching this filter are published to any Telnet sessions connected to the security appliance.

• Syslog Servers. Messages matching this filter are published to any syslog servers specified on the Platform > Logging > Syslog Servers page.

• E-Mail. Messages matching this filter are published to any recipients specified on the Platform > Logging > E-mail Setup (PIX7.0/ASA Only) page.

• SNMP Trap. Messages matching this filter are published to any SNMP management stations specified on the Platform > Device Admin > Device Access > SNMP page.

• ASDM. Messages matching this filter are published to any ASDM sessions.


Table K-103 Edit Logging Filters Dialog Box (Continued)

Element Description

Syslog from All Event Classes

Filter on severity option Filters on the severity of the logging messages.

Filter on severity list Specifies the severity level of the logging messages on which to filter.

Use event list option Specifies that an event list is used as the filter.

Use event list Specifies the event list to use. Event lists are defined on the Event Lists Page, page K-119.

Disable logging option Disables all logging to the selected destination.

Syslog from Specific Event Classes (PIX 7.0)

Event Class Specifies the event class and severity. Event classes include one or all available items. Event classes are described in Table K-99 on page K-120.

Severity Specifies the level of logging messages. Severity levels are described in Table K-109 on page K-130.

Logging Setup Page

The Logging Setup page lets you enable system logging on the security appliance and configure other logging parameters.

Navigation Path

• (Device view) Select Platform > Logging > Syslog > Logging Setup from the Device Policy selector.

• (Policy view) Select PIX/ASA/FWSM Platform > Logging > Syslog > Logging Setup from the Policy Type selector. Right-click Logging Setup to create a policy, or select an existing policy from the Shared Policy selector.

Related Topics

• Logging Policies, page K-116

Field Reference

Table K-104 Logging Setup Page

Element Description

Enable Logging Turns on logging for the main security appliance.

Enable Logging on the Failover Standby Unit

Turns on logging for the standby security appliance, if available.

Send syslogs in EMBLEM format (PIX7.0)

Enables EMBLEM format logging for every logging destination.

Note This setting is not compatible with Cisco Security MARS.


Rate Limit Page

The Rate Limit page lets you specify the maximum number of log messages of a particular type (for example, alert or critical) that should be generated within a given period of time. You can specify a limit for each logging level and for each syslog message ID. If the settings differ, the syslog message ID limits take precedence.

Navigation Path

• (Device view) Select Platform > Logging > Syslog > Rate Limit from the Device Policy selector.

• (Policy view) Select PIX/ASA/FWSM Platform > Logging > Syslog > Rate Limit from the Policy Type selector. Select an existing policy from the Shared Policy selector, or right-click Rate Limit to create a new policy.

Table K-104 Logging Setup Page (Continued)

Element Description

Send debug messages as syslogs (PIX 7.0)

Redirects all debug trace output to syslog. The syslog message does not appear on the console if this option is enabled. Therefore, to see debug messages, you must enable logging to the console and configure the console as the destination for the debug syslog message number and logging level. The syslog message number used is 711011. The default logging level for this syslog is debug.

Memory Size of Internal Buffer (bytes)

Specifies the size of the internal buffer to which syslogs are saved if the logging buffer is enabled. When the buffer fills up, it is overwritten. The default is 4096 bytes. The range is 4096 to 1048576.

Specify FTP Server Information (PIX7.0)

FTP Server Buffer Wrap To save the buffer contents to the FTP server before the buffer is overwritten, select this check box. To remove the FTP configuration, deselect this option.

IP Address Identifies the IP address of the FTP server.

User Name Specifies the username to use when connecting to the FTP server.

Path Specifies the path, relative to the FTP root, where the buffer contents should be saved.

Password/Confirm Specifies the password used to authenticate the username to the FTP server.

Specify flash size

Flash To save the buffer contents to the Flash before the buffer is overwritten, select this check box. This option is available only in routed or transparent single mode.

Maximum flash to be used by logging (KB)

Specifies the maximum space to be used in the Flash for logging (in KB). This option is available only in routed or transparent single mode.

Minimum free space to be preserved (KB)

Specifies the minimum free space to be preserved in Flash (in KB). This option is available only in routed or transparent single mode.

ASDM Logging (PIX7.0)

Message Queue Size Specifies the queue size for syslogs intended for viewing in ASDM.
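The Logging Setup page and the Edit Logging Filters dialog box together decide whether a message reaches a given destination: logging must be enabled, and the destination's filter (a severity threshold, an event list, or logging disabled, optionally overridden for specific event classes) must admit the message. The following Python model is an added example for the reader of this guide, not Cisco Security Manager or appliance code. The event class names, message IDs and filters are constructed; the event list is assumed to map a class to a maximum severity; and a class-specific filter is assumed to replace the all-classes rule for that class.

```python
"""Model of per-destination syslog filtering (added example, not CSM code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Logging levels from Table K-109; lower numbers are more severe.
LEVELS = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
          "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}


@dataclass
class DestinationFilter:
    """One destination's settings from the Edit Logging Filters dialog box.

    Exactly one of the 'Syslog from All Event Classes' modes is in effect:
    a severity threshold, an event list, or logging disabled. The
    'Syslog from Specific Event Classes' entries are per-class overrides.
    """
    destination: str
    severity: Optional[int] = None                   # Filter on severity
    event_list: Optional[Dict[str, int]] = None      # Use event list (assumed: class -> max level)
    disabled: bool = False                           # Disable logging
    class_overrides: Dict[str, int] = field(default_factory=dict)  # class -> max level

    def accepts(self, event_class: str, level: int) -> bool:
        """Return True if a message of this class and level passes the filter."""
        if self.disabled:
            return False
        # Assumption: a class-specific severity replaces the all-classes
        # rule for messages of that class.
        if event_class in self.class_overrides:
            return level <= self.class_overrides[event_class]
        if self.event_list is not None:
            limit = self.event_list.get(event_class)
            return limit is not None and level <= limit
        if self.severity is not None:
            return level <= self.severity
        return False


@dataclass(frozen=True)
class Message:
    msg_id: int          # constructed sample IDs below, not real message numbers
    event_class: str     # constructed class names below
    level: int


def route(logging_enabled: bool, filters: List[DestinationFilter], msg: Message) -> List[str]:
    """Destinations that receive msg. 'Enable Logging' on the Logging Setup
    page gates everything; each destination then applies its own filter."""
    if not logging_enabled:
        return []
    return [f.destination for f in filters if f.accepts(msg.event_class, msg.level)]


# Constructed sample configuration: the syslog collector gets informational
# and above, the console only errors (except authentication events, which it
# gets at debug), the buffer a narrow event list, and ASDM nothing.
FILTERS = [
    DestinationFilter("Syslog Servers", severity=LEVELS["informational"]),
    DestinationFilter("Console", severity=LEVELS["errors"],
                      class_overrides={"auth": LEVELS["debugging"]}),
    DestinationFilter("Internal Buffer",
                      event_list={"session": LEVELS["informational"],
                                  "vpn": LEVELS["notifications"]}),
    DestinationFilter("ASDM", disabled=True),
]

if __name__ == "__main__":
    for m in (Message(100001, "session", 6), Message(100002, "config", 5),
              Message(100003, "auth", 7)):
        print(m, "->", route(True, FILTERS, m))
```

The model makes the two common surprises visible: a destination whose filter is set to a severity never sees messages from an event list it is not using, and switching off Enable Logging silences every destination regardless of its filter.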


Related Topics

• Logging Policies, page K-116

• Add/Edit Rate Limit for Syslog Logging Levels Dialog Box, page K-127

• Add/Edit Rate Limited Syslog Message Dialog Box, page K-128

Field Reference

Add/Edit Rate Limit for Syslog Logging Levels Dialog Box

Using the Add/Edit Rate Limit for Syslog Logging Levels dialog box, you can specify the maximum number of log messages of a particular logging level that should be generated within a given period of time. You can specify a limit for each logging level or syslog message ID (see Add/Edit Rate Limited Syslog Message Dialog Box, page K-128). If the settings differ, the rate-limited syslog message settings override the rate limit logging level settings.

Navigation Path

You can access the Add/Edit Rate Limit for Syslog Logging Levels dialog box from the Rate Limit page. For more information, see Rate Limit Page, page K-126.

Related Topics

• Logging Policies, page K-116

• Rate Limit Page, page K-126

• Add/Edit Rate Limited Syslog Message Dialog Box, page K-128

Table K-105 Rate Limit Page

Element Description

Rate Limits for Syslog Logging Levels Table

Logging Level The Syslog logging level for which you are specifying a rate limit.

No. of Messages Maximum number of messages of the specified type allowed in the specified time period.

Interval (seconds) Number of seconds before the rate limit counter resets.

Individually Rate Limited Syslog Messages Table

Syslog ID Identification number of the Syslog message for which you are specifying a rate limit.

No. of Messages Maximum number of messages with the specified ID allowed in the specified time period.

Interval (seconds) Number of seconds before the rate limit counter resets.
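The precedence rule stated for the Rate Limit page (a limit set for a specific syslog message ID overrides the limit set for that message's logging level, and each counter resets after its interval) is easy to get wrong when reproducing appliance behaviour in a log pipeline or when estimating how many messages a collector will actually receive. The following Python rate limiter is an added example, not appliance or Cisco Security Manager code. It assumes a fixed window that starts at the first message of each limited key and resets once the interval has elapsed; the message IDs and limits are constructed.

```python
"""Syslog rate limiting by logging level and by message ID (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Limit:
    messages: int     # "No. of Messages" allowed within the interval
    interval: float   # "Interval (seconds)" before the counter resets


@dataclass
class SyslogRateLimiter:
    # Rate Limits for Syslog Logging Levels table: level -> Limit
    level_limits: Dict[int, Limit] = field(default_factory=dict)
    # Individually Rate Limited Syslog Messages table: syslog ID -> Limit
    id_limits: Dict[int, Limit] = field(default_factory=dict)
    # Per-key counter state: key -> [window_start, count]
    _windows: Dict[Tuple[str, int], List[float]] = field(default_factory=dict)

    def _limit_for(self, msg_id: int, level: int) -> Tuple[Optional[Tuple[str, int]], Optional[Limit]]:
        """Pick the governing limit: a per-ID limit takes precedence over the
        level limit, so an ID-limited message never consumes the level budget."""
        if msg_id in self.id_limits:
            return ("id", msg_id), self.id_limits[msg_id]
        if level in self.level_limits:
            return ("level", level), self.level_limits[level]
        return None, None

    def allow(self, msg_id: int, level: int, now: float) -> bool:
        """Return True if a message with this ID and level may be emitted at
        time 'now' (seconds); False if it is rate limited (dropped)."""
        key, limit = self._limit_for(msg_id, level)
        if limit is None:
            return True                      # no limit configured: always emitted
        window = self._windows.get(key)
        # Assumption: fixed window starting at the first message of the key;
        # the counter resets once 'interval' seconds have elapsed.
        if window is None or now - window[0] >= limit.interval:
            window = [now, 0.0]
            self._windows[key] = window
        if window[1] >= limit.messages:
            return False
        window[1] += 1
        return True


def simulate(limiter: SyslogRateLimiter, events: List[Tuple[float, int, int]]) -> List[bool]:
    """Feed (time, msg_id, level) events in order and report which were emitted."""
    return [limiter.allow(msg_id, level, t) for t, msg_id, level in events]


if __name__ == "__main__":
    # Constructed configuration: at most 2 informational (level 6) messages
    # per 10 s, but message 200001 individually limited to 1 per 10 s.
    rl = SyslogRateLimiter(level_limits={6: Limit(2, 10.0)},
                           id_limits={200001: Limit(1, 10.0)})
    events = [(0.0, 200001, 6), (0.5, 200001, 6), (1.0, 200002, 6),
              (1.5, 200002, 6), (2.0, 200002, 6), (11.0, 200002, 6)]
    for ev, emitted in zip(events, simulate(rl, events)):
        print(ev, "emitted" if emitted else "rate limited")
```

Note that the second copy of message 200001 is dropped by its own limit while the level-6 budget is untouched, which is exactly the precedence the page describes; a detection pipeline that expects every level-6 event must account for both tables.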


Field Reference

Table K-106 Add/Edit Rate Limit for Syslog Logging Levels Dialog Box

Element Description

Logging Level The syslog logging level for which you are specifying the rate limit.

Number of Messages Maximum number of messages of the specified type allowed in the specified time period.

Interval (Seconds) Number of seconds before the rate limit counter resets.

Add/Edit Rate Limited Syslog Message Dialog Box

Using the Add/Edit Rate Limited Syslog Message dialog box, you can specify the maximum number of log messages with a particular syslog ID that can be generated within a given period of time. You can specify a limit for each syslog message ID or logging level (see Add/Edit Rate Limit for Syslog Logging Levels Dialog Box, page K-127). If the settings differ, the rate-limited syslog message settings override the rate limit logging level settings.

Navigation Path

You can access the Add/Edit Rate Limited Syslog Message dialog box from the Rate Limit page. For more information, see Rate Limit Page, page K-126.

Related Topics

• Logging Policies, page K-116

• Rate Limit Page, page K-126

• Add/Edit Rate Limit for Syslog Logging Levels Dialog Box, page K-127

Field Reference

Table K-107 Add/Edit Rate Limited Syslog Message Dialog Box

Element Description

Syslog ID Identification number of the syslog message for which you are specifying a rate limit.

Number of Messages Maximum number of messages with the specified ID allowed in the specified time period.

Interval (Seconds) Number of seconds before the rate limit counter resets.

Server Setup Page

The Server Setup page lets you configure the syslog server that runs on the security appliance. The settings that you specify on this page define the behavior of the syslog server instance on the security appliance. You can set the facility code to include in syslogs, include a timestamp in each syslog message, view and modify syslog ID levels, and suppress syslog messages.

To generate meaningful reports about the network activity of a security appliance and to monitor the security events associated with that device, you must select the appropriate logging level. The logging level determines the syslog details that are generated, which are required to track session-specific data. After you select a logging level, you can define a syslog rule that directs traffic to a third-party syslog server or to Cisco Security MARS.


Navigation Path

• (Device view) Select Platform > Logging > Syslog > Server Setup from the Device Policy selector.

• (Policy view) Select PIX/ASA/FWSM Platform > Logging > Syslog > Server Setup from the Policy Type selector. Right-click Server Setup to create a policy, or select an existing policy from the Shared Policy selector.

Related Topics

• Logging Policies, page K-116

• Add/Edit Syslog Message Dialog Box, page K-130

Field Reference

Table K-108 Server Setup Page

Element Description

Facility The syslog facility that the receiving host uses as the basis for filing the messages. Values range from 16 to 23 (LOCAL0 through LOCAL7). The default is LOCAL0 (16). Most UNIX systems expect LOCAL4 (20). The list presents the values that identify the syslog facility for the selected security appliance. This value is included in every syslog message generated by this security appliance.

Syslog facility is useful when you have a central syslog monitoring system that needs to distinguish among the various network devices that generate syslog data streams.

Note Because your network devices share the eight available facilities, you might need to change this value for syslog.

Enable Timestamp on Each Syslog Message

When selected, attaches timestamp (time and date) to each saved syslog message.

Enable Syslog Device ID When selected, attaches the specified device ID to each saved syslog message. You can specify the device ID as one of the following:

• Hostname—Name of the selected security appliance.

• Interface name—Name of the interface in the security appliance that generated the syslog message. These names are defined on the Interfaces page.

Note If you click Select, a list displays all interfaces defined at the current scope.

• User Defined ID—User-defined name specified on the Syslog Setup page that uniquely represents the security appliance to the syslog server.

Logging Level Identifies the logging level specified for this rule.

See Logging Levels, page K-130 for logging levels and descriptions.


Table K-108 Server Setup Page (Continued)

Element Description

Suppressed Identifies whether the security appliance suppresses the generation of the syslog message identified in this rule. The value is either Unsuppressed (on) or Suppressed (off).

Disable NetFlow Equivalent Syslogs

Certain syslog messages are duplicated by NetFlow logging. If NetFlow is enabled, click this button to disable syslog logging of those messages. The button then displays “Enable NetFlow Equivalent Syslogs”; clicking it re-establishes logging of all syslog messages.

Add/Edit Syslog Message Dialog Box

The Add/Edit Syslog Message dialog box lets you modify the logging level or suppression setting for selected syslog messages.

Navigation Path

You can access the Add/Edit Syslog Message dialog box from the Server Setup page. For more information about the Server Setup page, see Server Setup Page, page K-128.

Logging Levels

The following table describes logging levels.

Table K-109 Logging Levels

Logging Level Type Description

0 Emergency System unusable. Generates messages that identify system instabilities.

1 Alerts Immediate action needed. Generates messages that identify system integrity issues that require immediate administrative action.

2 Critical Critical condition. Generates messages that identify critical system issues.

3 Errors Error condition. Generates messages that identify system errors during operation.

4 Warnings Warning condition. Generates messages that identify system warnings. For example, device might be configured incorrectly.

5 Notifications Normal but significant condition. Generates messages that identify normal operations that are typically considered significant events.

6 Information Informational only. Generates messages that identify system information that is typical of day-to-day activity, such as network session records.

7 Debugging Generates syslog messages that assist you in debugging. Also generates logs that identify the commands issued during FTP sessions and the URLs requested during HTTP sessions. Includes all emergency, alert, critical, error, warning, notification, and information messages.

- Disabled No logging.
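A collector that receives these messages needs the facility and severity carried in the syslog PRI field together with the platform level and message ID embedded in the message text, and it can catch relay or configuration problems by checking that the two severities agree. The following parser is an added example, not Cisco Security Manager or appliance code. It assumes the common "<PRI>timestamp device-id : %ASA-level-ID: text" layout (PIX and FWSM prefixes handled the same way; EMBLEM format not covered); the sample lines are constructed, and every message ID in them other than 711011 is a placeholder.

```python
"""Parser for PIX/ASA/FWSM syslog lines (added example, not vendor code)."""
import re
from typing import Dict, List, Optional

# Logging levels from Table K-109.
LEVEL_NAMES = {0: "Emergency", 1: "Alerts", 2: "Critical", 3: "Errors",
               4: "Warnings", 5: "Notifications", 6: "Information", 7: "Debugging"}

PRI_RE = re.compile(r"^<(\d{1,3})>")
TS_RE = re.compile(r"^[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}")
MSG_RE = re.compile(r"%(?P<platform>ASA|PIX|FWSM)-(?P<level>\d)-(?P<id>\d{6}): (?P<text>.*)$")

# Constructed sample lines (device ID 'fw-edge' and IDs 1000xx are placeholders;
# 711011 is the debug-trace message number named on the Logging Setup page).
SAMPLE_LINES = [
    "<166>Jan 05 2009 10:15:30 fw-edge : %ASA-6-100001: constructed informational event",
    "<167>Jan 05 2009 10:15:31: %ASA-7-711011: constructed debug trace line",
    "<163>Jan 05 2009 10:15:32 fw-edge : %ASA-4-100002: constructed warning with mismatched PRI",
    "%FWSM-3-100003: constructed line without PRI or timestamp",
]


def parse_syslog_line(line: str) -> Optional[Dict]:
    """Split a line into PRI-derived facility/severity, header fields and the
    platform message fields. Returns None if no %ASA/%PIX/%FWSM marker is found."""
    pri = None
    rest = line
    m = PRI_RE.match(line)
    if m:
        pri = int(m.group(1))
        rest = line[m.end():]
    msg = MSG_RE.search(rest)
    if msg is None:
        return None
    header = rest[:msg.start()]
    ts = TS_RE.match(header)
    level = int(msg.group("level"))
    result = {
        "timestamp": ts.group(0) if ts else None,
        # Whatever sits between the timestamp and the message marker is the
        # optional device ID (hostname, interface name or user-defined ID).
        "device_id": (header[ts.end():] if ts else header).strip(" :"),
        "platform": msg.group("platform"),
        "level": level,
        "level_name": LEVEL_NAMES.get(level),
        "msg_id": int(msg.group("id")),
        "text": msg.group("text"),
        "facility": None, "facility_name": None, "pri_severity": None,
        "consistent": None,   # PRI severity vs. embedded level; None if no PRI
    }
    if pri is not None:
        facility, severity = divmod(pri, 8)
        result["facility"] = facility
        # Facilities 16..23 are LOCAL0..LOCAL7, the range the Server Setup page exposes.
        result["facility_name"] = f"LOCAL{facility - 16}" if 16 <= facility <= 23 else None
        result["pri_severity"] = severity
        result["consistent"] = (severity == level)
    return result


def inconsistent_lines(lines: List[str]) -> List[str]:
    """Lines whose PRI severity disagrees with the %PLATFORM-level field, which
    points at a relay rewriting PRI or at a line that did not come from the
    appliance unmodified; worth alerting on in a collector."""
    out = []
    for line in lines:
        parsed = parse_syslog_line(line)
        if parsed is not None and parsed["consistent"] is False:
            out.append(line)
    return out


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_syslog_line(line))
    print("inconsistent:", inconsistent_lines(SAMPLE_LINES))
```

Because the Enable Syslog Device ID option is what makes the device ID appear in the header, a collector that keys on the hostname should treat an empty `device_id` as a configuration gap rather than as a device called "".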


Related Topics

• Logging Policies, page K-116

• Server Setup Page, page K-128

Field Reference

Table K-110 Add/Edit Syslog Message Dialog Box

Element Description

Syslog ID list Specifies the message log ID of the specific message. These values and their corresponding messages are identified in the system log message guides for the appropriate product. You can access these guides from the following URLs:

PIX Firewall

• http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_system_message_guides_list.html

ASA

• http://www.cisco.com/en/US/products/ps6120/products_system_message_guides_list.html

FWSM

• http://www.cisco.com/en/US/products/hw/modules/ps2706/ps4452/tsd_products_support_model_home.html

Logging Level list Specifies the logging level for the selected message. See Table K-109 on page K-130 for logging levels and descriptions.

Suppressed Specifies whether the security appliance suppresses the generation of the identified syslog message. To disable generation of the message, select the Suppressed check box. To enable generation of the message, deselect the Suppressed check box.

Note The default value for all messages is Suppressed.

Syslog Servers Page

The Syslog Servers page lets you specify the syslog servers to which the security appliance sends syslog messages. To make use of the syslog servers you define, you must enable logging on the Logging Setup page and set up the appropriate filters for destinations on the Logging Filters page.

Note Syslog messages can be sent to Cisco Security MARS and to third-party products.

Navigation Path

• (Device view) Select Platform > Logging > Syslog > Syslog Servers from the Device Policy selector.

• (Policy view) Select PIX/ASA/FWSM Platform > Logging > Syslog > Syslog Servers from the Policy Type selector. Right-click Syslog Servers to create a policy, or select an existing policy from the Shared Policy selector.


Related Topics

• Logging Policies, page K-116

• Add/Edit Syslog Server Dialog Box, page K-132

Field Reference

Table K-111 Syslog Servers Page

Element Description

Interface Displays the logical name of the security appliance interface that publishes syslog messages to the syslog server, for example, inside or outside.

IP Address Displays the IP address of the syslog server.

Protocol Displays the protocol used to publish messages to the syslog server.

Port Displays the port to which the syslog messages are sent.

Log messages in Cisco EMBLEM format

Specifies whether this device publishes messages in the EMBLEM syslog format.

Note If the syslog server is a Cisco Security MARS appliance, ensure that this option is not selected. Cisco Security MARS does not process the EMBLEM format.

Port Identifies the port from which the security appliance sends either UDP or TCP syslog messages.

Queue Size Specifies the size of the queue for storing syslog messages on the security appliance when the syslog server is busy. The minimum is 1 message. The default is 512.

Note A zero value means that an unlimited number of messages can be queued (subject to available block memory).

Allow user traffic to pass when TCP server is down

Specifies whether or not to restrict all traffic if any syslog server is down.

Add/Edit Syslog Server Dialog Box

The Add/Edit Syslog Server dialog box lets you add or edit the syslog servers to which the security appliance sends syslog messages. To make use of the syslog servers you define, you must enable logging on the Logging Setup page and set up the appropriate filters for destinations on the Logging Filters page.

Note There is a limit of four syslog servers per context.

Navigation Path

You can access the Add/Edit Syslog Server dialog box from the Syslog Servers page. For more information about the Syslog Servers page, see Syslog Servers Page, page K-131.

Related Topics

• Logging Policies, page K-116

• Syslog Servers Page, page K-131


Field Reference

Table K-112 Add/Edit Syslog Server Dialog Box

Element Description

Interface Specifies the interface used to communicate with the syslog server.

Note If you click Select, a list displays all hosts defined.

IP Address Specifies the IP address of the syslog server.

Note If you click Select, a list displays all interfaces defined for the security appliance.

Protocol Specifies the protocol used by the syslog server.

• TCP

• UDP (Default)

Note You must select UDP if you intend to use the EMBLEM format.

Port Specifies the TCP or UDP port from which the security appliance sends syslog messages. This must be the same port on which the syslog server listens. The default ports for each protocol are:

• TCP—1470.

• UDP—514.

Log messages in Cisco EMBLEM format (UDP only)

Specifies whether to log messages in Cisco EMBLEM format (UDP only).

Note This setting is not compatible with Cisco Security MARS.

Multicast Policies

The Multicast section consists of the following pages:

• Enable PIM and IGMP Page, page K-134

• IGMP Page, page K-134

– IGMP Page - Protocol Tab, page K-134

– IGMP Page - Access Group Tab, page K-136

– IGMP Page - Static Group Tab, page K-137

– IGMP Page - Join Group Tab, page K-138

• Multicast Routes Page, page K-139

• Multicast Boundary Filter Page, page K-140

• PIM Page, page K-142

– PIM Page - Protocol Tab, page K-143

– PIM Page - Neighbor Filter Tab, page K-144

– PIM Page - Bidirectional Neighbor Filter Tab, page K-145

– PIM Page - Rendezvous Points Tab, page K-147

– PIM Page - Route Tree Tab, page K-149

– PIM Page - Request Filter Tab, page K-150


Enable PIM and IGMP Page

The Enable PIM and IGMP page lets you enable and disable Internet Group Management Protocol (IGMP) and Protocol Independent Multicast (PIM) on all interfaces on the security appliance.

When Enable PIM and IGMP is checked, PIM and IGMP are enabled on all interfaces on the security appliance. You can disable PIM and IGMP on a per-interface basis; see IGMP Page - Protocol Tab, page K-134 and PIM Page - Protocol Tab, page K-143 for more information.

Navigation Path

• (Device view) Select Platform > Multicast > Enable PIM and IGMP from the Device Policy selector.

• (Policy view) Select PIX/ASA/FWSM Platform > Multicast > Enable PIM and IGMP from the Policy Type selector. Right-click Enable PIM and IGMP to create a policy, or select an existing policy from the Shared Policy selector.

Related Topics

• Enabling PIM and IGMP, page 14-69

• IGMP Page, page K-134

• Multicast Routes Page, page K-139

• Multicast Boundary Filter Page, page K-140

• PIM Page, page K-142

IGMP Page

The IGMP page consists of the following tabs:

• IGMP Page - Protocol Tab, page K-134

• IGMP Page - Access Group Tab, page K-136

• IGMP Page - Static Group Tab, page K-137

• IGMP Page - Join Group Tab, page K-138

Navigation Path

• (Device view) Select Platform > Multicast > IGMP from the Device Policy selector.

• (Policy view) Select PIX/ASA/FWSM Platform > Multicast > IGMP from the Policy Type selector. Right-click IGMP to create a policy, or select an existing policy from the Shared Policy selector.

IGMP Page - Protocol Tab

Use the Protocol tab to configure IGMP parameters for an interface on the security appliance.

Navigation Path

You can access the Protocol tab from the IGMP page. For more information about the IGMP page, see IGMP Page, page K-134.


Related Topics

• Configure IGMP Parameters Dialog Box, page K-135

• Enable PIM and IGMP Page, page K-134

• PIM Page, page K-142

• Multicast Routes Page, page K-139

Field Reference

Table K-113 Protocol Tab

Element Description

Protocol Table

Interface The name of the interface to which the IGMP settings apply.

Enabled Indicates whether IGMP is enabled on the interface.

Version The version of IGMP enabled on the interface.

Query Interval The interval, in seconds, at which the designated router sends IGMP host-query messages. Valid values range from 1 to 3600 seconds. The default value is 125 seconds.

Query Timeout The period of time, in seconds, before the security appliance takes over querying the interface, after the previous appliance has stopped doing so. Valid values range from 60 to 300 seconds. The default value is 255 seconds.

Response Time The maximum response time, in seconds, advertised in IGMP queries. If the security appliance does not receive any host reports within the designated response time, the IGMP group is pruned. Decreasing this value lets the security appliance prune groups faster. Valid values range from 1 to 12 seconds. The default value is 10 seconds. Changing this value is valid only for IGMP Version 2.

Group Limit The maximum number of hosts that can join on an interface. Valid values range from 1 to 500. The default value is 500.

Maximum Groups (PIX 6.3) The maximum number of groups enabled for multicast. Valid values range from 0 to 2000.

Forward Interface The name of the interface to which the selected interface forwards IGMP host reports if IGMP forwarding is enabled.

Configure IGMP Parameters Dialog Box

Use the Configure IGMP Parameters dialog box to configure IGMP parameters for an interface on the security appliance.

Navigation Path

You can access the Configure IGMP Parameters dialog box from the IGMP Page - Protocol tab. For more information, see IGMP Page - Protocol Tab, page K-134.

Related Topics

• IGMP Page - Protocol Tab, page K-134

• IGMP Page, page K-134


Field Reference

Table K-114 Configure IGMP Parameters Dialog Box

Element Description

Interface The name of the interface to which the IGMP settings apply.

Forward Interface The name of the interface to which IGMP host reports are forwarded if IGMP forwarding is enabled.

Version The version of IGMP to enable on the interface. Choose 1 to enable IGMP Version 1, or 2 to enable IGMP Version 2. Some features require IGMP Version 2. By default, the security appliance uses IGMP Version 2.

Query Interval The interval, in seconds, at which the designated router sends IGMP host-query messages. Valid values range from 1 to 3600 seconds. The default value is 125 seconds.

Response Time The maximum response time, in seconds, advertised in IGMP queries. If the security appliance does not receive any host reports within the designated response time, the IGMP group is pruned. Decreasing this value lets the security appliance prune groups faster. Valid values range from 1 to 12 seconds. The default value is 10 seconds. Changing this value is valid only for IGMP Version 2.

Maximum Groups (PIX 6.3) The maximum number of groups enabled for multicast. Valid values range from 0 to 2000.

PIX 7.x and ASA Only

Enable IGMP When selected, IGMP is enabled on the specified interface.

Group Limit The maximum number of hosts that can join on an interface. Valid values range from 1 to 500. The default value is 500.

Query Timeout The period of time, in seconds, before the security appliance takes over querying the interface, after the previous appliance has stopped doing so. Valid values range from 60 to 300 seconds. The default value is 255 seconds.

IGMP Page - Access Group Tab

Use the Access Group tab to control the multicast groups that are allowed on an interface.

Navigation Path

You can access the Access Group tab from the IGMP page. For more information about the IGMP page, see IGMP Page, page K-134.

Related Topics

• Configure IGMP Access Group Parameters Dialog Box, page K-137

• Enable PIM and IGMP Page, page K-134

• PIM Page, page K-142

• Multicast Routes Page, page K-139


Field Reference

Configure IGMP Access Group Parameters Dialog Box

Use the Configure IGMP Access Group Parameters dialog box to add or modify an access group entry.

Navigation Path

You can access the Configure IGMP Access Group Parameters dialog box from the IGMP Page - Access Group tab. For more information, see IGMP Page - Access Group Tab, page K-136.

Related Topics

• IGMP Page - Access Group Tab, page K-136

• IGMP Page, page K-134

Field Reference

IGMP Page - Static Group Tab

Use the Static Group tab to statically assign a multicast group to an interface.

Navigation Path

You can access the Static Group tab from the IGMP page. For more information about the IGMP page, see IGMP Page, page K-134.

Related Topics

• Configure IGMP Static Group Parameters Dialog Box, page K-138

• Enable PIM and IGMP Page, page K-134

• PIM Page, page K-142

• Multicast Routes Page, page K-139

Table K-115 Access Group Tab

Element Description

IGMP Table

Interface The interface with which the access group is associated.

Multicast Group Network The multicast group address to which this rule applies. The group address must be from 224.0.0.0 to 239.255.255.255.

Action Displays “permit” if the multicast group address is permitted by the access rule. Displays “deny” if the multicast group address is denied by the access rule.

Table K-116 Configure IGMP Access Group Parameters Dialog Box

Element Description

Interface The name of the interface with which the access group is associated.

Multicast Group Network The multicast group address to which this rule applies.

Action Select “permit” if the multicast group address is to be permitted by the access rule, or “deny” if the multicast group address is to be denied by the access rule.
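The Access Group tab and its dialog box describe each entry as an interface, a multicast group network and a permit or deny action, with group addresses restricted to 224.0.0.0 through 239.255.255.255. The following Python evaluator is an added example, not Cisco Security Manager or appliance code: it validates entries the way the dialog box constrains them and decides whether a join for a given group on a given interface is allowed. Its evaluation order is an assumption not stated on this page (first matching entry wins, an interface with entries but no match denies the group, an interface with no entries allows any valid group), and the interface names and networks are constructed.

```python
"""IGMP access-group evaluation for multicast groups (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List

# Valid multicast group range named in Tables K-115, K-116 and K-118.
MULTICAST_RANGE = ipaddress.ip_network("224.0.0.0/4")   # 224.0.0.0 - 239.255.255.255


@dataclass(frozen=True)
class AccessGroupRule:
    interface: str                   # Interface
    network: ipaddress.IPv4Network   # Multicast Group Network
    action: str                      # "permit" or "deny"


def validate_group_network(network: str) -> bool:
    """True if the network (or single address) lies entirely inside the multicast range."""
    try:
        net = ipaddress.ip_network(network, strict=False)
    except ValueError:
        return False
    return net.version == 4 and net.subnet_of(MULTICAST_RANGE)


def make_rule(interface: str, network: str, action: str) -> AccessGroupRule:
    """Build a rule, rejecting what the dialog box would reject."""
    if action not in ("permit", "deny"):
        raise ValueError(f"action must be permit or deny, got {action!r}")
    if not validate_group_network(network):
        raise ValueError(f"{network} is not within 224.0.0.0-239.255.255.255")
    return AccessGroupRule(interface, ipaddress.ip_network(network, strict=False), action)


def is_group_allowed(rules: List[AccessGroupRule], interface: str, group: str) -> bool:
    """Decide whether hosts on 'interface' may join 'group'.

    Assumptions (not stated on this page): entries are evaluated in order and
    the first match wins; an interface that has entries but none matching
    denies the group; an interface with no entries allows any valid group.
    """
    addr = ipaddress.ip_address(group)
    if addr not in MULTICAST_RANGE:
        return False                       # not a multicast group at all
    on_interface = [r for r in rules if r.interface == interface]
    if not on_interface:
        return True
    for rule in on_interface:
        if addr in rule.network:
            return rule.action == "permit"
    return False


# Constructed sample access groups (interface names are placeholders): one
# permitted /24 on 'inside' ahead of a deny for the rest of 239/8, and an
# open 'dmz'.
RULES = [
    make_rule("inside", "239.1.1.0/24", "permit"),
    make_rule("inside", "239.0.0.0/8", "deny"),
    make_rule("dmz", "224.0.0.0/4", "permit"),
]

if __name__ == "__main__":
    for iface, group in (("inside", "239.1.1.5"), ("inside", "239.2.0.1"),
                         ("inside", "232.1.1.1"), ("outside", "239.1.1.5")):
        print(iface, group, "allowed" if is_group_allowed(RULES, iface, group) else "denied")
```

The ordering of the two 'inside' entries is what makes the example work: swapping them would shadow the permit, so a policy review should check entry order and not just the set of networks.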


Field Reference

Table K-117 Static Group Tab

Element Description

Interface The name of the interface with which the static group is associated.

Multicast Group Address The multicast group address to which this rule applies.

Configure IGMP Static Group Parameters Dialog Box

Use the Configure IGMP Static Group Parameters dialog box to statically assign a multicast group to an interface or to change existing static group assignments.

Navigation Path

You can access the Configure IGMP Static Group Parameters dialog box from the IGMP Page - Static Group tab. For more information, see IGMP Page - Static Group Tab, page K-137.

Related Topics

• IGMP Page - Static Group Tab, page K-137

• IGMP Page, page K-134

Field Reference

Table K-118 Configure IGMP Static Group Parameters Dialog Box

Element Description

Interface The name of the interface with which the static group is associated.

Multicast Group The multicast group address to which this rule applies. The group address must be from 224.0.0.0 to 239.255.255.255.

IGMP Page - Join Group Tab

Use the Join Group tab to configure an interface to be a member of a multicast group.

Navigation Path

You can access the Join Group tab from the IGMP page. For more information about the IGMP page, see IGMP Page, page K-134.

Related Topics

• Configure IGMP Join Group Parameters Dialog Box, page K-139

• Enable PIM and IGMP Page, page K-134

• PIM Page, page K-142

• Multicast Routes Page, page K-139


Field Reference: see Table K-119 Join Group Tab.

Configure IGMP Join Group Parameters Dialog Box

Use the Configure IGMP Join Group Parameters dialog box to configure an interface to be a member of a multicast group or to change existing membership information.

Navigation Path

You can access the Configure IGMP Join Group Parameters dialog box from the IGMP Page - Join Group tab. For more information, see IGMP Page - Join Group Tab, page K-138.

Related Topics

• IGMP Page - Join Group Tab, page K-138

• IGMP Page, page K-134

Field Reference: see Table K-120 Configure IGMP Join Group Parameters Dialog Box.

Multicast Routes Page

Use the Multicast Routes page to define static multicast routes for a security appliance.

Navigation Path

• (Device view) Select Platform > Multicast > Multicast Routes from the Device Policy selector.

• (Policy view) Select PIX/ASA/FWSM Platform > Multicast > Multicast Routes from the Policy Type selector. Right-click Multicast Routes to create a policy, or select an existing policy from the Shared Policy selector.

Related Topics

• Add/Edit MRoute Configuration Dialog Box, page K-140

• Enable PIM and IGMP Page, page K-134

• IGMP Page, page K-134

• Multicast Boundary Filter Page, page K-140

• PIM Page, page K-142

Table K-119 Join Group Tab

Interface: The name of the interface for which you are configuring multicast group membership.

Multicast Group Address: The multicast group address to which this rule applies.

Table K-120 Configure IGMP Join Group Parameters Dialog Box

Interface: The name of the interface for which you are configuring multicast group membership.

Join Group: The multicast group address to which this rule applies. The group address must be from 224.0.0.0 to 239.255.255.255.


Field Reference: see Table K-121 Multicast Routes Page.

Add/Edit MRoute Configuration Dialog Box

Use the Add/Edit MRoute Configuration dialog box to add static multicast routes to the security appliance or to change existing static multicast routes.

Navigation Path

You can access the Add/Edit MRoute Configuration dialog box from the Multicast Routes page. For more information about the Multicast Routes page, see Multicast Routes Page, page K-139.

Related Topics

• Multicast Routes Page, page K-139

• Multicast Policies, page K-133

Field Reference: see Table K-122 Add/Edit MRoute Configuration Dialog Box.

Multicast Boundary Filter Page

On an ASA running version 7.2(1) or later, you can use the Multicast Boundary Filter page to configure the appliance to act as a boundary between multicast domains. The ASA compares multicast group addresses to an access list, blocking all multicast traffic except that specifically permitted by the list.

The Add/Edit MBoundary Configuration dialog box, accessed from this page, is used to define and manage per-interface boundary filter lists. The Add/Edit MBoundary Interface Configuration dialog box, accessed from the Add/Edit MBoundary Configuration dialog box, is used to specifically permit or deny multicast group addresses for the selected interface.

Table K-121 Multicast Routes Page

Source Interface: The incoming interface for the multicast route.

Source Network: The IP address and mask of the multicast source.

Output Interface: The outgoing interface for the multicast route.

Multicast Network (PIX 6.3): The group that is to receive the multicast packets.

Distance (PIX 7.x and ASA): The administrative distance of the static multicast route.

Table K-122 Add/Edit MRoute Configuration Dialog Box

Source Interface: The incoming interface for the multicast route.

Source Network: The IP address and mask of the multicast source.

Output Interface/Dense: The outgoing interface for the multicast route.

Multicast Network (PIX 6.3): The group that is to receive the multicast packets. This must be a multicast IP address in the range 224.0.1.0 to 239.255.255.255.

Distance (PIX 7.x and ASA): The administrative distance of the static multicast route. If the static multicast route has the same administrative distance as the unicast route, the static multicast route takes precedence.
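The precedence rule in the Distance row, worked through as an added example (this is not Cisco Security Manager or ASA code): given a table of static multicast routes (Source Network, Source Interface, Distance) and the unicast routing table, pick the entry that governs traffic from a given source address. The page only states the tie rule; that each table is searched by longest prefix first, and that the two winners are then compared purely by administrative distance, are assumptions of this example. The route tables are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence

# Added example; not Cisco Security Manager or ASA code.


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network   # Source Network for an mroute; destination prefix for a unicast route
    interface: str                   # Source Interface (the interface facing the source)
    distance: int                    # administrative distance
    static_mroute: bool              # True for a Multicast Routes entry, False for a unicast route


def route(network: str, interface: str, distance: int, static_mroute: bool = False) -> Route:
    return Route(ipaddress.ip_network(network, strict=False), interface, distance, static_mroute)


def longest_match(table: Sequence[Route], source: ipaddress.IPv4Address) -> Optional[Route]:
    """Longest-prefix match within one table (assumption; the page does not describe
    in-table lookup). Among equal prefix lengths the first entry listed wins."""
    hits = [r for r in table if source in r.network]
    return max(hits, key=lambda r: r.network.prefixlen) if hits else None


def select_route(mroutes: Sequence[Route], unicast: Sequence[Route], source: str) -> Optional[Route]:
    """Entry used for traffic from `source`: the lower administrative distance wins, and on a
    tie the static multicast route takes precedence, as the Distance field describes."""
    src = ipaddress.ip_address(source)
    m, u = longest_match(mroutes, src), longest_match(unicast, src)
    if m is None or u is None:
        return m or u
    return m if m.distance <= u.distance else u


# Constructed sample tables.
MROUTES = [
    route("10.1.5.0/24", "dmz", 110, static_mroute=True),   # same distance as the OSPF route below
    route("10.1.6.0/24", "dmz", 200, static_mroute=True),   # worse distance than the OSPF route
]
UNICAST = [
    route("10.1.0.0/16", "inside", 110),    # learned via OSPF (distance 110)
    route("0.0.0.0/0", "outside", 1),       # static default route
]

if __name__ == "__main__":
    for src in ("10.1.5.9", "10.1.6.9", "192.0.2.1"):
        chosen = select_route(MROUTES, UNICAST, src)
        print(src, "->", chosen.interface, "(static mroute)" if chosen.static_mroute else "(unicast)")
```

For 10.1.5.9 the static multicast route and the OSPF route both have distance 110, so the mroute via dmz is used; for 10.1.6.9 the mroute's distance of 200 loses to the OSPF route via inside; a source with no mroute at all falls through to the unicast default route.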


Navigation Path

• (Device view) Select Platform > Multicast > Multicast Boundary Filter from the Device Policy selector.

• (Policy view) Select PIX/ASA/FWSM Platform > Multicast > Multicast Boundary Filter from the Policy Type selector. Select an existing policy from the Shared Policy selector, or you can right-click Multicast Boundary Filter to create a new policy.

Related Topics

• Add/Edit MBoundary Configuration Dialog Box, page K-141

• Add/Edit MBoundary Interface Configuration Dialog Box, page K-142

• Configuring Multicast Boundary Filters, page 14-71

Field Reference: see Table K-123 Multicast Boundary Filter Page.

Add/Edit MBoundary Configuration Dialog Box

Use the Add/Edit MBoundary Configuration dialog box to add, edit and delete multicast boundary filter lists for individual interfaces.

Navigation Path

You can access the Add/Edit MBoundary Configuration dialog box from the Multicast Boundary Filter Page, page K-140.

Related Topics

• Add/Edit MBoundary Interface Configuration Dialog Box, page K-142

• Multicast Boundary Filter Page, page K-140

Field Reference: see Table K-124 Add/Edit MBoundary Configuration Dialog Box.

Table K-123 Multicast Boundary Filter Page

Interface: The interfaces for which multicast boundary filters are defined.

Boundary Filter: The boundary filters defined for each listed interface.

AutoFilter: True indicates “Remove any Auto-RP group range announcements...” is selected for the interface; false indicates it is not.

Table K-124 Add/Edit MBoundary Configuration Dialog Box

Interface: Enter or select an interface defined on this appliance.

Remove any Auto-RP group range announcements: If you check this box, Auto-RP messages denied by the boundary access control list for this interface are dropped.

Multicast boundary filter configuration list (Action and MBoundary Filter): Lists the multicast group addresses specifically permitted or denied for the specified interface. This list is managed with the Add/Edit MBoundary Interface Configuration Dialog Box, page K-142.


Add/Edit MBoundary Interface Configuration Dialog Box

Use this dialog box to add, edit or delete multicast address entries for the list in the Add/Edit MBoundary Configuration dialog box. Each multicast address is assigned an action: permit or deny.

Navigation Path

You can access the Add/Edit MBoundary Interface Configuration dialog box from the Add/Edit MBoundary Configuration Dialog Box, page K-141.

Related Topics

• Multicast Boundary Filter Page, page K-140

• Add/Edit MBoundary Configuration Dialog Box, page K-141

Field Reference: see Table K-125 Add/Edit MBoundary Interface Configuration Dialog Box.

PIM Page

The PIM (Protocol Independent Multicast) protocol provides a scalable method for determining the best paths in a network for distributing a specific multicast transmission to each host that has registered, using IGMP, to receive the transmission. With PIM sparse mode (PIM-SM), which is the default for Cisco routers, when the source of a multicast transmission begins sending, the traffic is forwarded from one multicast router to the next until the packets reach every registered host. If a more direct path to the traffic source exists, the last-hop router sends a join message toward the source that causes the traffic to be rerouted along the better path.

The following topics discuss configuring PIM:

• PIM Page - Protocol Tab, page K-143

• PIM Page - Neighbor Filter Tab, page K-144 (ASA 7.2(1) or later)

• PIM Page - Bidirectional Neighbor Filter Tab, page K-145 (ASA 7.2(1) or later)

• PIM Page - Rendezvous Points Tab, page K-147

• PIM Page - Route Tree Tab, page K-149

• PIM Page - Request Filter Tab, page K-150

Navigation Path

• (Device view) Select Platform > Multicast > PIM from the Device Policy selector.

• (Policy view) Select PIX/ASA/FWSM Platform > Multicast > PIM from the Policy Type selector. Right-click PIM to create a policy, or select an existing policy from the Shared Policy selector.

Table K-125 Add/Edit MBoundary Interface Configuration Dialog Box

Action: Choose permit or deny to specify the action taken for this multicast address.

Multicast Group: Enter a single multicast group address, or a range of group addresses, to which this action applies. The address must be 0.0.0.0, or from 224.0.0.0 to 239.255.255.255. A range can be entered using either a standard subnet mask (e.g., 239.0.0.0 255.0.0.0) or CIDR prefix notation (e.g., 239.0.0.0/8).

You also can select a named network/host to be permitted or denied.


PIM Page - Protocol Tab

Use the Protocol tab to configure PIM properties for the interfaces on a security appliance running PIX 7.x or later.

Navigation Path

You can access the Protocol tab from the PIM page. For more information about the PIM page, see PIM Page, page K-142.

Related Topics

• Add/Edit PIM Protocol Dialog Box, page K-143

• PIM Page - Rendezvous Points Tab, page K-147

• PIM Page - Route Tree Tab, page K-149

• PIM Page - Request Filter Tab, page K-150

• Multicast Policies, page K-133

Field Reference: see Table K-126 Protocol Tab.

Add/Edit PIM Protocol Dialog Box

Use the Add/Edit PIM Protocol dialog box to configure PIM properties for an interface on a security appliance running PIX 7.x or later.

Navigation Path

You can access the Add/Edit PIM Protocol dialog box from the PIM Page - Protocol tab. For more information, see PIM Page - Protocol Tab, page K-143.

Related Topics

• PIM Page - Protocol Tab, page K-143

• PIM Page, page K-142

Table K-126 Protocol Tab

Interface: The name of the security appliance interface to which the PIM settings apply.

PIM Enabled: Indicates whether PIM is enabled on the interface.

DR Priority: The designated router priority for the selected interface. The router with the highest DR priority on the subnet becomes the designated router. A value of zero makes the security appliance interface ineligible to become the designated router.

Hello Interval: The frequency, in seconds, at which the interface sends PIM hello messages.

Join-Prune Interval: The frequency, in seconds, at which the interface sends PIM join and prune advertisements.


Field Reference: see Table K-127 Add/Edit PIM Protocol Dialog Box.

PIM Page - Neighbor Filter Tab

On an ASA running version 7.2(1) or later, you can use the Neighbor Filter tab to control the routers that can become PIM neighbors. By filtering routers that can become PIM neighbors, you can prevent unauthorized routers from becoming PIM neighbors, and prevent attached stub routers from participating in PIM.

The Add/Edit PIM Neighbor Filter Dialog Box, page K-145, accessed from this page, is used to define and manage the per-interface neighbor filter list by permitting or denying the addresses of routers that may become PIM neighbors on the selected interface.

Navigation Path

You can access the Neighbor Filter tab from the PIM Page, page K-142 in Device view.

Related Topics

• Add/Edit PIM Neighbor Filter Dialog Box, page K-145

• PIM Page, page K-142

• PIM Page - Protocol Tab, page K-143

• PIM Page - Bidirectional Neighbor Filter Tab, page K-145

• PIM Page - Rendezvous Points Tab, page K-147

• PIM Page - Route Tree Tab, page K-149

• PIM Page - Request Filter Tab, page K-150

Table K-127 Add/Edit PIM Protocol Dialog Box

Interface: The name of the interface for which you are configuring PIM settings.

Enable PIM: When selected, PIM is enabled on the selected interface.

DR Priority: The designated router priority for the selected interface. The router with the highest DR priority on the subnet becomes the designated router. Valid values range from 0 to 4294967294. The default DR priority is 1. Setting this value to 0 makes the security appliance interface ineligible to become the designated router.

Hello Interval (seconds): The frequency, in seconds, at which the interface sends PIM hello messages. Valid values range from 1 to 3600 seconds. The default value is 30 seconds.

Join-Prune Interval (seconds): The frequency, in seconds, at which the interface sends PIM join and prune advertisements. Valid values range from 10 to 600 seconds. The default value is 60 seconds.
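Designated router election as the DR Priority row describes it, as an added example (not ASA code): a router advertising priority 0 is excluded, as the page states, and the highest priority among the rest wins. The tie-break on highest interface IP address comes from the PIM-SM specification (RFC 4601), not from this page. The neighbor list is constructed sample data standing in for the priorities seen in PIM hello messages on one subnet.

```python
import ipaddress
from typing import Iterable, Optional, Tuple

# Added example; not Cisco Security Manager or ASA code.
# A neighbor is (interface IP address, DR priority advertised in its PIM hello).
Neighbor = Tuple[str, int]


def elect_dr(neighbors: Iterable[Neighbor]) -> Optional[str]:
    """Return the address of the designated router for one subnet, or None if no router is eligible.

    Priority 0 makes a router ineligible (DR Priority row above). Among eligible routers the
    highest priority wins; equal priorities are broken by the highest IP address (RFC 4601).
    """
    eligible = [(ipaddress.ip_address(addr), prio) for addr, prio in neighbors if prio != 0]
    if not eligible:
        return None
    winner = max(eligible, key=lambda n: (n[1], int(n[0])))
    return str(winner[0])


# Constructed sample: the appliance interface (10.0.0.1) plus two PIM neighbors on the subnet.
SUBNET = [("10.0.0.1", 1), ("10.0.0.2", 1), ("10.0.0.3", 5)]

if __name__ == "__main__":
    print("DR with defaults:", elect_dr(SUBNET))
    print("DR when 10.0.0.3 is set to priority 0:", elect_dr(SUBNET[:2] + [("10.0.0.3", 0)]))
```

With every router at the default priority of 1, the highest address on the subnet becomes DR; raising one router's priority overrides that, and setting the appliance interface to 0 keeps it out of the election entirely, which is the setting to use on an interface that must never originate registers or joins on behalf of that subnet.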


Field Reference: see Table K-128 Neighbor Filter Tab.

Add/Edit PIM Neighbor Filter Dialog Box

Use the Add/Edit PIM Neighbor Filter dialog box to add or edit entries in the neighbor access control list displayed on the PIM Page - Neighbor Filter Tab, page K-144.

Navigation Path

You can access the Add/Edit PIM Neighbor Filter dialog box from the Neighbor Filter tab on the PIM Page, page K-142.

Related Topics

• PIM Page - Neighbor Filter Tab, page K-144

Field Reference: see Table K-129 Add/Edit PIM Neighbor Filter Dialog Box.

PIM Page - Bidirectional Neighbor Filter Tab

On an ASA running version 7.2(1) or later, you can use the Bidirectional Neighbor Filter tab to filter bidirectional PIM neighbors to control which bidirectional routers can participate in bidirectional trees and designated forwarder (DF) election.

The Add/Edit PIM Bidirectional Neighbor Filter Dialog Box, page K-146, accessed from this page, is used to define and manage the per-interface bidirectional neighbor filter list by permitting or denying the addresses of routers that may take part as bidirectional PIM neighbors on the selected interface.

Navigation Path

You can access the Bidirectional Neighbor Filter tab from the PIM Page, page K-142.

Table K-128 Neighbor Filter Tab

Interface: The interfaces for which neighbor filters are defined.

Network: The network names or addresses provided for each listed interface.

Action: The action assigned to each specified network: permit or deny.

Table K-129 Add/Edit PIM Neighbor Filter Dialog Box

Interface: Enter or select an interface defined on this appliance.

Neighbor Filter Group: Enter the IP address of a single router, or a network of routers, to which the chosen Action applies. The filter is matched against the unicast address of the prospective PIM neighbor on this interface, not against a multicast group address. A range can be entered using either a standard subnet mask (e.g., 10.1.1.0 255.255.255.0) or CIDR prefix notation (e.g., 10.1.1.0/24).

You also can select a named network/host to be permitted or denied.

Action: Choose permit or deny to specify the action taken for this address.


Related Topics

• Add/Edit PIM Bidirectional Neighbor Filter Dialog Box, page K-146

• PIM Page, page K-142

• PIM Page - Protocol Tab, page K-143

• PIM Page - Neighbor Filter Tab, page K-144

• PIM Page - Rendezvous Points Tab, page K-147

• PIM Page - Route Tree Tab, page K-149

• PIM Page - Request Filter Tab, page K-150

Field Reference: see Table K-130 Bidirectional Neighbor Filter Tab.

Add/Edit PIM Bidirectional Neighbor Filter Dialog Box

Use the Add/Edit PIM Bidirectional Neighbor Filter dialog box to add or edit entries in the bidirectional neighbor access control list displayed on the PIM Page - Bidirectional Neighbor Filter Tab, page K-145.

Navigation Path

You can access the Add/Edit PIM Bidirectional Neighbor Filter dialog box from the PIM Page - Bidirectional Neighbor Filter Tab, page K-145 on the PIM Page, page K-142.

Related Topics

• PIM Page - Bidirectional Neighbor Filter Tab, page K-145

Field Reference: see Table K-131 Add/Edit PIM Bidirectional Neighbor Filter Dialog Box.

Table K-130 Bidirectional Neighbor Filter Tab

Interface: The interfaces for which bidirectional neighbor filters are defined.

Network: The network names or addresses provided for each listed interface.

Action: The action assigned to each specified network: permit or deny.

Table K-131 Add/Edit PIM Bidirectional Neighbor Filter Dialog Box

Interface: Enter or select an interface defined on this appliance.

Neighbor Filter Group: Enter the IP address of a single router, or a network of routers, to which the chosen Action applies. The filter is matched against the unicast address of the bidirectional PIM neighbor on this interface, not against a multicast group address. A range can be entered using either a standard subnet mask (e.g., 10.1.1.0 255.255.255.0) or CIDR prefix notation (e.g., 10.1.1.0/24).

You also can select a named network/host to be permitted or denied.

Action: Choose permit or deny to specify the action taken for this address.


PIM Page - Rendezvous Points Tab

Use the Rendezvous Points tab to define rendezvous points. A rendezvous point is a single, common root of a shared distribution tree and is statically configured on each router. First hop routers use the rendezvous point to send register packets on behalf of the source multicast hosts.

Navigation Path

You can access the Rendezvous Points tab from the PIM page. For more information about the PIM page, see PIM Page, page K-142.

Related Topics

• Add/Edit Rendezvous Point Dialog Box, page K-147

• Add/Edit Multicast Groups Dialog Box, page K-148

• PIM Page - Protocol Tab, page K-143

• PIM Page - Route Tree Tab, page K-149

• PIM Page - Request Filter Tab, page K-150

• Multicast Policies, page K-133

Field Reference: see Table K-132 Rendezvous Points Tab.

Add/Edit Rendezvous Point Dialog Box

Use the Add/Edit Rendezvous Point dialog box to add an entry to the Rendezvous Points table or to change a rendezvous point entry.

Please note the following:

• You cannot use the same rendezvous point address twice.

• You cannot specify All Groups for more than one rendezvous point.

Navigation Path

You can access the Add/Edit Rendezvous Point dialog box from the Rendezvous Points tab. For more information about the Rendezvous Points tab, see PIM Page - Rendezvous Points Tab, page K-147.

Table K-132 Rendezvous Points Tab

Generate older IOS compatible register messages (Enable if your Rendezvous Point is an IOS router): Select this check box if your rendezvous point is a Cisco IOS router. The security appliance software accepts register messages with the checksum on the PIM header and only the next 4 bytes, rather than using the Cisco IOS software method of accepting register messages with the checksum on the entire PIM message for all PIM message types.

Rendezvous Points table: Displays the rendezvous points configured on the security appliance.

• Rendezvous Point—The IP address of the rendezvous point.

• Multicast Groups—The multicast groups associated with the rendezvous point. Displays “—All Groups—” if the rendezvous point is associated with all multicast groups on the interface.

• Bi-directional—Displays “true” if the specified multicast groups are to operate in bidirectional mode. Displays “false” if the specified groups are to operate in sparse mode.


Related Topics

• Add/Edit Multicast Groups Dialog Box, page K-148

• PIM Page - Rendezvous Points Tab, page K-147

• PIM Page, page K-142

Field Reference: see Table K-133 Add/Edit Rendezvous Point Dialog Box.

Add/Edit Multicast Groups Dialog Box

Use the Add/Edit Multicast Groups dialog box to create a multicast group rule or to modify a multicast group rule.

Navigation Path

You can access the Add/Edit Multicast Group dialog box from the Add/Edit Rendezvous Point dialog box. For more information about the Add/Edit Rendezvous Point dialog box, see Add/Edit Rendezvous Point Dialog Box, page K-147.

Table K-133 Add/Edit Rendezvous Point Dialog Box

Rendezvous Point IP Address: Enter the IP address of the rendezvous point. This is a unicast address. When editing a rendezvous point entry, you cannot change this value.

Use bi-directional forwarding: Select this check box if you want the specified multicast groups to operate in bidirectional mode. In bidirectional mode, if the security appliance receives a multicast packet and has no directly connected members or PIM neighbors present, it sends a Prune message back to the source. Deselect this check box if you want the specified multicast groups to operate in sparse mode.

Note: The security appliance always advertises the bidirectional capability in the PIM hello messages regardless of the actual bidir configuration.

Use this RP for All Multicast Groups: Select this option to use the specified rendezvous point for all multicast groups on the interface.

Use this RP for the Multicast Groups as specified below: Select this option to designate the multicast groups to use with the specified rendezvous point.

Multicast Groups table: Displays the multicast groups associated with the specified rendezvous point.

The table entries are processed from the top down. You can create a rendezvous point entry that includes a range of multicast groups but excludes specific groups within that range by placing deny rules for the specific groups at the top of the table and the permit rule for the range of multicast groups below the deny statements.

Double-click an entry to open the Add/Edit Multicast Groups dialog box for the selected entry.

• Action—Displays “permit” if the multicast group is included or “deny” if the multicast group is excluded.

• Multicast Group Network—The address and network mask of the multicast group.


Related Topics

• Add/Edit Rendezvous Point Dialog Box, page K-147

• PIM Page - Rendezvous Points Tab, page K-147

• PIM Page, page K-142

Field Reference: see Table K-134 Add/Edit Multicast Groups Dialog Box.

PIM Page - Route Tree Tab

Use the Route Tree tab to specify whether a multicast group should use shortest-path tree or shared tree.

Navigation Path

You can access the Route Tree tab from the PIM page. For more information about the PIM page, see PIM Page, page K-142.

Related Topics

• Multicast Group Dialog Box, page K-150

• PIM Page - Protocol Tab, page K-143

• PIM Page - Rendezvous Points Tab, page K-147

• PIM Page - Request Filter Tab, page K-150

• Multicast Policies, page K-133

Field Reference: see Table K-135 Route Tree Tab.

Table K-134 Add/Edit Multicast Groups Dialog Box

Action: Select “permit” to create a group rule that allows the specified multicast addresses; select “deny” to create a group rule that filters the specified multicast addresses.

Multicast Group Network: The multicast address and network mask associated with the group.

Table K-135 Route Tree Tab

Use Shortest Path Tree for All Groups: When selected, the security appliance uses shortest-path tree for all multicast groups.

Use Shared Tree for All Groups: When selected, the security appliance uses shared tree for all multicast groups.

Use Shared Tree for the Groups specified below: When selected, the security appliance uses shared tree for the groups specified in the Multicast Groups table. Shortest-path tree is used for any group not specified in the Multicast Groups table.


Multicast Group Dialog Box

Use the Multicast Group dialog box to create a multicast group rule or to modify a multicast group rule.

Navigation Path

You can access the Multicast Group dialog box from the PIM Page - Route Tree tab. For more information, see PIM Page - Route Tree Tab, page K-149.

Related Topics

• PIM Page - Route Tree Tab, page K-149

• PIM Page, page K-142

Field Reference: see Table K-136 Multicast Group Dialog Box.

PIM Page - Request Filter Tab

When the security appliance is acting as a rendezvous point, you can restrict specific multicast sources from registering with it. This prevents unauthorized sources from registering with the rendezvous point. You can use the Request Filter tab to define the multicast sources from which the security appliance accepts PIM register messages.

Navigation Path

You can access the Request Filter tab from the PIM page. For more information about the PIM page, see PIM Page, page K-142.

Table K-135 Route Tree Tab (Continued)

Multicast Groups table: Displays the multicast groups that use shared tree.

The table entries are processed from the top down. You can create an entry that includes a range of multicast groups but excludes specific groups within that range by placing deny rules for the specific groups at the top of the table and the permit rule for the range of multicast groups below the deny statements.

Double-click an entry to open the Multicast Group dialog box for the selected entry.

• Action—Displays “permit” if the multicast group is included or “deny” if the multicast group is excluded.

• Multicast Group Network—The address and network mask of the multicast group.

Table K-136 Multicast Group Dialog Box

Action: Select “permit” to create a group rule that allows the specified multicast addresses; select “deny” to create a group rule that filters the specified multicast addresses.

Multicast Group: The multicast address and network mask associated with the group.


Related Topics

• Multicast Group Dialog Box, page K-151

• PIM Page - Protocol Tab, page K-143

• PIM Page - Rendezvous Points Tab, page K-147

• PIM Page - Route Tree Tab, page K-149

• Multicast Policies, page K-133

Field Reference: see Table K-137 Request Filter Tab.

Multicast Group Dialog Box

Use the Multicast Group dialog box to define the multicast sources that are allowed to register with the security appliance when the security appliance acts as a rendezvous point. You create the filter rules based on the source IP address and the destination multicast address.

Navigation Path

You can access the Multicast Group dialog box from the PIM Page - Request Filter tab. For more information, see PIM Page - Request Filter Tab, page K-150.

Table K-137 Request Filter Tab

Filter PIM register messages using: Select the method to use for filtering PIM register messages:

• None—Do not filter PIM register messages.

• route-map—Filter PIM register messages using a route map. Only PIM register messages that are permitted by the route map are allowed to reach the rendezvous point.

• access-list—Filter PIM register messages using an access list. Only PIM register messages that are permitted by the access list are allowed to reach the rendezvous point.

Route Map: Specifies a route-map name. Use standard host ACLs in the referenced route-map; extended ACLs are not supported.

Multicast Groups table: Displays the request filter access rules.

The table entries are processed from the top down. You can create an entry that includes a range of multicast groups but excludes specific groups within that range by placing deny rules for the specific groups at the top of the table and the permit rule for the range of multicast groups below the deny statements.

Double-click an entry to open the Multicast Group dialog box for the selected entry.

• No—The rule number.

• Action—Displays “permit” if the multicast source is allowed to register or “deny” if the multicast source is excluded.

• Source—The address and network mask of the source of the register message.

• Destination—The address and network mask of the multicast destination.
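The boundary filter list (Table K-125), the rendezvous-point and route-tree group tables (Tables K-133 and K-135) and the request filter table above all follow the same top-down, first-match evaluation, and all take the same three address notations. The following added example (not Cisco Security Manager or ASA code) parses entries in those notations, enforces the 224.0.0.0 to 239.255.255.255 range, evaluates a table for a group (and, for request-filter rules, a source), and flags entries that an earlier, broader entry shadows, which is the mistake the "deny above permit" guidance is protecting against. Two assumptions are generalised from the boundary-filter description: an entry of 0.0.0.0 matches any group, and a table with no matching entry denies. The rule tables are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Sequence

# Added example; not Cisco Security Manager or ASA code.
MULTICAST = ipaddress.ip_network("224.0.0.0/4")   # 224.0.0.0 - 239.255.255.255
ANY_GROUP = ipaddress.ip_network("0.0.0.0/0")     # assumption: a "0.0.0.0" entry means any group


def parse_network(spec: str) -> ipaddress.IPv4Network:
    """Accept the notations the dialogs take: "239.1.1.1", "239.0.0.0 255.0.0.0", "239.0.0.0/8"."""
    parts = spec.split()
    if len(parts) == 2:                      # address followed by a standard subnet mask
        spec = f"{parts[0]}/{parts[1]}"
    return ipaddress.ip_network(spec, strict=False)


def parse_group(spec: str) -> ipaddress.IPv4Network:
    """A group entry must be 0.0.0.0 (any) or lie within 224.0.0.0-239.255.255.255."""
    if spec.strip() == "0.0.0.0":
        return ANY_GROUP
    net = parse_network(spec)
    if not net.subnet_of(MULTICAST):
        raise ValueError(f"{spec}: group address must be from 224.0.0.0 to 239.255.255.255")
    return net


def is_valid_group(spec: str) -> bool:
    try:
        parse_group(spec)
        return True
    except ValueError:
        return False


@dataclass(frozen=True)
class Rule:
    action: str                                     # "permit" or "deny"
    group: ipaddress.IPv4Network                    # multicast group or range of groups
    source: Optional[ipaddress.IPv4Network] = None  # set only for request-filter (register) rules

    def matches(self, group: ipaddress.IPv4Address, source: Optional[ipaddress.IPv4Address]) -> bool:
        if group not in self.group:
            return False
        if self.source is None:
            return True
        return source is not None and source in self.source


def group_rule(action: str, group_spec: str) -> Rule:
    return Rule(action, parse_group(group_spec))


def register_rule(action: str, source_spec: str, group_spec: str) -> Rule:
    return Rule(action, parse_group(group_spec), parse_network(source_spec))


def evaluate(rules: Sequence[Rule], group: str, source: Optional[str] = None) -> str:
    """Process the table top down; the first matching entry decides, otherwise deny."""
    g = ipaddress.ip_address(group)
    s = ipaddress.ip_address(source) if source is not None else None
    for rule in rules:
        if rule.matches(g, s):
            return rule.action
    return "deny"                                   # assumption: implicit deny when nothing matches


def _covers(outer: Optional[ipaddress.IPv4Network], inner: Optional[ipaddress.IPv4Network]) -> bool:
    if outer is None:
        return True                                 # earlier rule matches any source
    return inner is not None and inner.subnet_of(outer)


def shadowed(rules: Sequence[Rule]) -> List[int]:
    """Indexes of entries that can never match because an earlier entry already covers them."""
    hidden = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if rule.group.subnet_of(earlier.group) and _covers(earlier.source, rule.source):
                hidden.append(i)
                break
    return hidden


# Constructed sample tables. RP_GROUPS assigns 239.0.0.0/8 to a rendezvous point but
# excludes 239.1.1.0/24 by placing the deny above the permit, as the text describes.
RP_GROUPS = [
    group_rule("deny", "239.1.1.0 255.255.255.0"),
    group_rule("permit", "239.0.0.0/8"),
]
# Request filter: only sources in 10.1.1.0/24 may register for groups in 239.0.0.0/8.
REGISTER_FILTER = [register_rule("permit", "10.1.1.0/24", "239.0.0.0/8")]

if __name__ == "__main__":
    for grp in ("239.1.1.5", "239.2.2.2", "232.1.1.1"):
        print(grp, evaluate(RP_GROUPS, grp))
    print("entries hidden when the permit is placed first:", shadowed(list(reversed(RP_GROUPS))))
```

Reversing the two RP_GROUPS entries makes the 239.1.1.0/24 deny unreachable, and shadowed() reports it; running that check over a deployed table is a quick way to catch an exclusion that was added below the range it was meant to carve out of.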


Related Topics

• PIM Page - Request Filter Tab, page K-150

• PIM Page, page K-142

Field Reference: see Table K-138 Multicast Group Dialog Box.

Routing Policies

The Routing feature lets you specify static route, RIP, OSPF, and proxy ARP configuration parameters. The Routing section consists of the following pages:

• No Proxy ARP Page, page K-152

• OSPF Page, page K-153

– General Tab, page K-153

– Area Tab, page K-156

– Range Tab, page K-159

– Neighbors Tab, page K-160

– Redistribution Tab, page K-162

– Virtual Link Tab, page K-164

– Filtering Tab, page K-167

– Summary Address Tab, page K-169

– Interface Tab, page K-171

• RIP Page, page K-175

• Static Route Page, page K-184

No Proxy ARP Page

Use the No Proxy ARP page to disable proxy ARP for global addresses. For more information, see Configuring No Proxy ARP, page 14-73.

To disable proxy ARP for one or more interfaces, enter their names in the Interfaces field. By default, proxy ARP is enabled for all interfaces. Separate multiple interfaces with commas. You can click Select to choose the interfaces from a list of interfaces defined on the device and interface roles defined in Cisco Security Manager.

Table K-138 Multicast Group Dialog Box

Action: Select “permit” to create a rule that allows the specified source of the specified multicast traffic to register with the security appliance; select “deny” to create a rule that prevents the specified source of the specified multicast traffic from registering with the security appliance.

Source Network: The IP address and network mask for the source of the register message.

Destination Network: The multicast destination address.


Navigation Path

• (Device view) Select Platform > Routing > No Proxy ARP from the Device Policy selector.

• (Policy view) Select PIX/ASA/FWSM Platform > Routing > No Proxy ARP from the Policy Type selector. Right-click No Proxy ARP to create a policy, or select an existing policy from the Shared Policy selector.

Related Topics

• Configuring No Proxy ARP, page 14-73

• Static Route Page, page K-184

• RIP Page, page K-175

• OSPF Page, page K-153

OSPF Page

Use the OSPF page to enable and configure OSPF (Open Shortest Path First) routing on a firewall device. The following topics provide more information about enabling and configuring OSPF:

• General Tab, page K-153

• Area Tab, page K-156

• Range Tab, page K-159

• Neighbors Tab, page K-160

• Redistribution Tab, page K-162

• Virtual Link Tab, page K-164

• Filtering Tab, page K-167

• Summary Address Tab, page K-169

• Interface Tab, page K-171

Navigation Path

• (Device view) Select Platform > Routing > OSPF from the Device Policy selector.

• (Policy view) Select PIX/ASA/FWSM Platform > Routing > OSPF from the Policy Type selector. Right-click OSPF to create a policy, or select an existing policy from the Shared Policy selector.

General Tab

Use the General tab on the OSPF page to enable OSPF processes. You can enable up to two OSPF process instances. Each OSPF process has its own associated areas and networks.

Note You cannot enable OSPF if you have RIP enabled.

Navigation Path

You can access the General tab from the OSPF page. For more information about the OSPF page, see OSPF Page, page K-153.

Related Topics

• Table K-140 on page K-155

• OSPF Page, page K-153

• Area Tab, page K-156

• Range Tab, page K-159

• Neighbors Tab, page K-160

• Redistribution Tab, page K-162

• Virtual Link Tab, page K-164

• Filtering Tab, page K-167

• Summary Address Tab, page K-169

• Interface Tab, page K-171

Field Reference

Table K-139 General Tab

Element Description

OSPF Process 1 and 2 group boxes

Each group box contains the settings for a specific OSPF process.

Enable this OSPF Process Select the check box to enable an OSPF process. You cannot enable an OSPF process if you have RIP enabled on the security appliance. Deselect this check box to remove the OSPF process.

OSPF Process ID Enter a unique numeric identifier for the OSPF process. This process ID is used internally and does not need to match the OSPF process ID on any other OSPF devices. Valid values are from 1 to 65535.

Advanced button Opens the OSPF Advanced dialog box, from which you can configure the Router ID, Adjacency Changes, Administrative Route Distances, Timers, and Default Information Originate settings.

OSPF Advanced Dialog Box

Use the OSPF Advanced dialog box to configure settings such as the Router ID, Adjacency Changes, Administrative Route Distances, Timers, and Default Information Originate settings for an OSPF process.

Navigation Path

You can access the OSPF Advanced dialog box from the General tab. For more information about the General tab, see General Tab, page K-153.

Related Topics

• OSPF Page, page K-153

• General Tab, page K-153

• Area Tab, page K-156

• Range Tab, page K-159

• Neighbors Tab, page K-160

• Redistribution Tab, page K-162


• Virtual Link Tab, page K-164

• Filtering Tab, page K-167

• Summary Address Tab, page K-169

• Interface Tab, page K-171

Field Reference

Table K-140 OSPF Advanced Dialog Box

Element Description

OSPF Process Displays the OSPF process you are configuring. You cannot change this value.

Router ID To use a fixed router ID, enter a router ID in IP address format in the Router ID field. If you leave this value blank, the highest-level IP address on the security appliance is used as the router ID.

Ignore LSA MOSPF Select this check box to suppress the sending of syslog messages when the security appliance receives Type 6 (MOSPF) LSA packets. This setting is deselected by default.

RFC 1583 Compatible Select this check box to calculate summary route costs per RFC 1583. Deselect this check box to calculate summary route costs per RFC 2328. To minimize the chance of routing loops, all OSPF devices in an OSPF routing domain should have RFC compatibility set identically. This setting is selected by default.

Adjacency Changes Contains settings that define the adjacency changes that cause syslog messages to be sent.

• Log Adjacency Changes—Select this check box to cause the security appliance to send a syslog message whenever an OSPF neighbor goes up or down. This setting is selected by default.

• Log Adjacency Changes Detail—Select this check box to cause the security appliance to send a syslog message whenever any state change occurs, not just when a neighbor goes up or down. This setting is deselected by default.

Administrative Route Distances

Contains the settings for the administrative distances of routes based on the route type.

• Inter Area—Sets the administrative distance for all routes from one area to another. Valid values range from 1 to 255. The default value is 100.

• Intra Area—Sets the administrative distance for all routes within an area. Valid values range from 1 to 255. The default value is 100.

• External—Sets the administrative distance for all routes from other routing domains that are learned through redistribution. Valid values range from 1 to 255. The default value is 100.

Timers (in seconds) Contains the settings used to configure LSA pacing and SPF calculation timers.

• SPF Delay—Specifies the time between when OSPF receives a topology change and when the SPF calculation starts. Valid values range from 0 to 65535. The default value is 5.

• SPF Hold—Specifies the hold time between consecutive SPF calculations. Valid values range from 1 to 65534. The default value is 10.

• LSA Group Pacing—Specifies the interval at which LSAs are collected into a group and refreshed, checksummed, or aged. Valid values range from 10 to 1800. The default value is 240.

Default Information Originate

Contains the settings used by an ASBR to generate a default external route into an OSPF routing domain.

• Enable Default Information Originate—Select this check box to enable the generation of the default route into the OSPF routing domain.

• Always advertise the default route—Select this check box to always advertise the default route. This option is deselected by default.

• Metric Value—Specifies the OSPF default metric. Valid values range from 0 to 16777214. The default value is 1.

• Metric Type—Specifies the external link type associated with the default route advertised into the OSPF routing domain. Valid values are 1 or 2, indicating a Type 1 or a Type 2 external route. The default value is 2.

• Route Map—(Optional) The name of the route map to apply. The routing process generates the default route if the route map is satisfied.

Area Tab

Use the Area tab on the OSPF page to configure OSPF areas and networks.

Navigation Path

You can access the Area tab from the OSPF page. For more information about the OSPF page, see OSPF Page, page K-153.

Related Topics

• Add/Edit Area/Area Networks Dialog Box, page K-157

• OSPF Page, page K-153

• General Tab, page K-153

• Range Tab, page K-159

• Neighbors Tab, page K-160

• Redistribution Tab, page K-162

• Virtual Link Tab, page K-164

• Filtering Tab, page K-167

• Summary Address Tab, page K-169

• Interface Tab, page K-171

Field Reference

Table K-141 Area Tab

Element Description

OSPF Process The OSPF process the area applies to.

Area ID The area ID.

Area Type The area type (Normal, Stub, or NSSA).

Networks The area networks.

Options The options, if any, set for the area type.

Authentication The type of authentication set for the area (None, Password, or MD5).

Cost The default cost for the area.

Add/Edit Area/Area Networks Dialog Box

Use the Add/Edit Area/Area Networks dialog box to define area parameters, the networks contained by the area, and the OSPF process associated with the area.

Navigation Path

You can access the Add/Edit Area/Area Networks dialog box from the Area tab. For more information about the Area tab, see Area Tab, page K-156.

Related Topics

• OSPF Page, page K-153

• General Tab, page K-153

• Area Tab, page K-156

• Range Tab, page K-159

• Neighbors Tab, page K-160

• Redistribution Tab, page K-162

• Virtual Link Tab, page K-164

• Filtering Tab, page K-167

• Summary Address Tab, page K-169

• Interface Tab, page K-171


Field Reference

Table K-142 Add/Edit Area/Area Networks Dialog Box

Element Description

OSPF Process When adding a new area, choose the OSPF process ID for the OSPF process for which the area is being added. If there is only one OSPF process enabled on the security appliance, that process is selected by default. When editing an existing area, you cannot change the OSPF process ID.

Area ID When adding a new area, enter the area ID. You can specify the area ID as either a decimal number or an IP address. Valid decimal values range from 0 to 4294967295. You cannot change the area ID when editing an existing area.

Area Type

Normal Choose this option to make the area a standard OSPF area. This option is selected by default when you first create an area.

Stub Choosing this option makes the area a stub area. Stub areas do not have any routers or areas beyond them. Stub areas prevent AS External LSAs (Type 5 LSAs) from being flooded into the stub area. When you create a stub area, you can prevent summary LSAs (Type 3 and 4) from being flooded into the area by deselecting the Summary check box.

Summary (allows sending LSAs into the stub area)

When the area being defined is a stub area, deselecting this check box prevents LSAs from being sent into the stub area. This check box is selected by default for stub areas.

NSSA Choose this option to make the area a not-so-stubby area. NSSAs accept Type 7 LSAs. When you create an NSSA, you can prevent summary LSAs from being flooded into the area by deselecting the Summary check box. You can also disable route redistribution by deselecting the Redistribute check box and enabling Default Information Originate.

Redistribute (imports routes to normal and NSSA areas)

Deselect this check box to prevent routes from being imported into the NSSA. This check box is selected by default.

Summary (allows sending LSAs into the NSSA area)

When the area being defined is an NSSA, deselecting this check box prevents LSAs from being sent into the NSSA. This check box is selected by default for NSSAs.

Default Information Originate (generate a Type 7 default)

Select this check box to generate a Type 7 default into the NSSA. This check box is deselected by default.

Metric Value Specifies the OSPF metric value for the default route. Valid values range from 0 to 16777214. The default value is 1.

Metric Type The OSPF metric type for the default route. The choices are 1 (Type 1) or 2 (Type 2). The default value is 2.

Network The IP address and network mask of the network or host to be added to the area. Use 0.0.0.0 with a netmask of 0.0.0.0 to create the default area. You can only use 0.0.0.0 in one area.

Tip You can click Select to select the interfaces from a list of interface objects.

Authentication Contains the settings for OSPF area authentication.

• None—Choose this option to disable OSPF area authentication. This is the default setting.

• Password—Choose this option to use a clear text password for area authentication. This option is not recommended where security is a concern.

• MD5—Choose this option to use MD5 authentication.

Default Cost Specify a default cost for the area. Valid values range from 0 to 65535. The default value is 1.

Range Tab

Use the Range tab to summarize routes between areas.

Navigation Path

You can access the Range tab from the OSPF page. For more information about the OSPF page, see OSPF Page, page K-153.

Related Topics

• Add/Edit Area Range Network Dialog Box, page K-160

• OSPF Page, page K-153

• General Tab, page K-153

• Area Tab, page K-156

• Neighbors Tab, page K-160

• Redistribution Tab, page K-162

• Virtual Link Tab, page K-164

• Filtering Tab, page K-167

• Summary Address Tab, page K-169

• Interface Tab, page K-171

Field Reference

Table K-143 Range Tab

Element Description

Process ID The ID of the OSPF process associated with the route summary.

Area ID The ID of the area associated with the route summary.

Network The summary IP address and network mask.

Advertise Displays “true” if the route summaries are advertised when they match the address/mask pair or “false” if the route summaries are suppressed when they match the address/mask pair.
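What the Range tab's address ranges and Advertise flag do to the Type 3 summary LSAs an ABR originates, as an added example that is not code from the Cisco Security Manager guide or the security appliance. The collapse of component routes into one summary, the largest-component-cost rule, and suppression when Advertise is off follow RFC 2328 section 12.4.3; the route and range record types and the sample routes are constructed for the example.

```python
# Added example (not Cisco Security Manager code): how an ABR turns the
# intra-area routes of one area into Type 3 summary LSAs under the address
# ranges configured on the Range tab. Collapse-to-one-summary and
# suppress-when-not-advertised follow RFC 2328 section 12.4.3; the record
# types and the sample data are constructed.
from dataclasses import dataclass
from ipaddress import IPv4Network
from typing import Dict, List


@dataclass(frozen=True)
class AreaRange:
    """One row of the Range tab: process, area, network/mask, Advertise."""
    process_id: int
    area_id: str            # decimal number or dotted quad, kept as text
    network: IPv4Network
    advertise: bool = True  # False = suppress the Type 3 LSA for this range


@dataclass(frozen=True)
class IntraAreaRoute:
    """A route the ABR learned inside an area (constructed input)."""
    area_id: str
    network: IPv4Network
    cost: int


@dataclass(frozen=True, order=True)
class SummaryLSA:
    network: IPv4Network
    cost: int


def summarize(routes: List[IntraAreaRoute], ranges: List[AreaRange],
              process_id: int) -> List[SummaryLSA]:
    """Return the Type 3 summary LSAs the ABR originates for the given routes."""
    lsas: Dict[IPv4Network, int] = {}
    for route in routes:
        # Ranges of the same process and area that contain the route; the
        # most specific one decides what happens to it.
        matches = [r for r in ranges
                   if r.process_id == process_id
                   and r.area_id == route.area_id
                   and route.network.subnet_of(r.network)]
        if not matches:
            # Outside every range: the route is advertised individually.
            lsas[route.network] = max(lsas.get(route.network, 0), route.cost)
            continue
        best = max(matches, key=lambda r: r.network.prefixlen)
        if not best.advertise:
            continue  # Advertise deselected: the component routes stay hidden
        # One summary per range; its cost is the largest component cost.
        lsas[best.network] = max(lsas.get(best.network, 0), route.cost)
    return sorted(SummaryLSA(n, c) for n, c in lsas.items())


def demo() -> List[SummaryLSA]:
    """Constructed area 1 routes run against two Range tab entries."""
    ranges = [
        AreaRange(1, "1", IPv4Network("10.1.0.0/16"), advertise=True),
        AreaRange(1, "1", IPv4Network("10.2.0.0/16"), advertise=False),
    ]
    routes = [
        IntraAreaRoute("1", IPv4Network("10.1.0.0/24"), 10),
        IntraAreaRoute("1", IPv4Network("10.1.1.0/24"), 20),
        IntraAreaRoute("1", IPv4Network("10.1.2.0/24"), 5),
        IntraAreaRoute("1", IPv4Network("10.2.0.0/24"), 7),     # suppressed
        IntraAreaRoute("1", IPv4Network("192.168.5.0/24"), 3),  # no range
    ]
    return summarize(routes, ranges, process_id=1)


if __name__ == "__main__":
    for lsa in demo():
        print(f"{lsa.network}  cost {lsa.cost}")
```

Running it shows the three 10.1.x.0/24 routes collapsed into a single 10.1.0.0/16 summary carrying cost 20, the 10.2.0.0/24 route hidden by the non-advertised range, and 192.168.5.0/24 advertised on its own because no range covers it.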

Add/Edit Area Range Network Dialog Box

Use the Add/Edit Area Range Network dialog box to add a new entry to the Route Summarization table or to change an existing entry.

Navigation Path

You can access the Add/Edit Area Range Network dialog box from the Range tab. For more information about the Range tab, see Range Tab, page K-159.

Related Topics

• OSPF Page, page K-153

• General Tab, page K-153

• Area Tab, page K-156

• Range Tab, page K-159

• Neighbors Tab, page K-160

• Redistribution Tab, page K-162

• Virtual Link Tab, page K-164

• Filtering Tab, page K-167

• Summary Address Tab, page K-169

• Interface Tab, page K-171

Field Reference

Table K-144 Add/Edit Area Range Network Dialog Box

Element Description

OSPF Process Select the OSPF process to which the route summary applies. You cannot change this value when editing an existing route summary entry.

Area Select the area ID of the area to which the route summary applies. You cannot change this value when editing an existing route summary entry.

Network The IP address and mask of the network for the routes being summarized.

Tip You can click Select to select the networks from a list of network objects.

Advertise Select this check box to set the address range status to “advertise”. This causes Type 3 summary LSAs to be generated. Deselect this check box to suppress the Type 3 summary LSA for the specified networks.

Neighbors Tab

Use the Neighbors tab to define static neighbors. You need to define a static neighbor for each point-to-point, non-broadcast interface. You also need to define a static route for each static neighbor in the Neighbors table.

Navigation Path

You can access the Neighbors tab from the OSPF page. For more information about the OSPF page, see OSPF Page, page K-153.

Related Topics

• Add/Edit Static Neighbor Dialog Box, page K-161

• OSPF Page, page K-153

• General Tab, page K-153

• Area Tab, page K-156

• Range Tab, page K-159

• Redistribution Tab, page K-162

• Virtual Link Tab, page K-164

• Filtering Tab, page K-167

• Summary Address Tab, page K-169

• Interface Tab, page K-171

Field Reference

Table K-145 Neighbors Tab

Element Description

OSPF Process The OSPF process associated with the static neighbor.

Neighbor The IP address of the static neighbor.

Interface The interface associated with the static neighbor.

Add/Edit Static Neighbor Dialog Box

Use the Add/Edit Static Neighbor dialog box to define a static neighbor or change information for an existing static neighbor. You must define a static neighbor for each point-to-point, non-broadcast interface.

Navigation Path

You can access the Add/Edit Static Neighbor dialog box from the Neighbors tab. For more information about the Neighbors tab, see Neighbors Tab, page K-160.

Related Topics

• OSPF Page, page K-153

• General Tab, page K-153

• Area Tab, page K-156

• Range Tab, page K-159

• Neighbors Tab, page K-160

• Redistribution Tab, page K-162

• Virtual Link Tab, page K-164

• Filtering Tab, page K-167

• Summary Address Tab, page K-169

• Interface Tab, page K-171

Field Reference

Table K-146 Add/Edit Static Neighbor Dialog Box

Element Description

OSPF Process The OSPF process associated with the static neighbor.

Neighbor The IP address of the static neighbor.

Tip You can click Select to select the neighbor from a list of host objects.

Interface The interface associated with the static neighbor.

Tip You can click Select to select the interface from a list of interface objects.

Redistribution Tab

Use the Redistribution tab to define the rules for redistributing routes from one routing domain to another.

Navigation Path

You can access the Redistribution tab from the OSPF page. For more information about the OSPF page, see OSPF Page, page K-153.

Related Topics

• Redistribution Dialog Box, page K-163

• OSPF Page, page K-153

• General Tab, page K-153

• Area Tab, page K-156

• Range Tab, page K-159

• Neighbors Tab, page K-160

• Virtual Link Tab, page K-164

• Filtering Tab, page K-167

• Summary Address Tab, page K-169

• Interface Tab, page K-171

Field Reference

Table K-147 Redistribution Tab

Element Description

OSPF Process The OSPF process associated with the route redistribution entry.

Route Type The source protocol the routes are being redistributed from. Valid entries are the following:

• Static—The route is a static route.

• Connected—The route was established automatically by virtue of having IP enabled on the interface.

• OSPF—The route is an OSPF route from another process.

Match The conditions used for redistributing routes from one routing protocol to another.

Subnets Displays “true” if subnetted routes are redistributed. Does not display anything if only routes that are not subnetted are redistributed.

Metric Value The metric that is used for the route. This column is blank for redistribution entries if the default metric is used.

Metric Type Displays “1” if the metric is a Type 1 external route, “2” if the metric is a Type 2 external route.

Tag Value A 32-bit decimal value attached to each external route. This value is not used by OSPF itself. It may be used to communicate information between ASBRs. Valid values range from 0 to 4294967295.

Route Map The name of the route map to apply to the redistribution entry.

Redistribution Dialog Box

Use the Redistribution dialog box to add a redistribution rule or to edit an existing redistribution rule in the Redistribution table.

Navigation Path

You can access the Redistribution dialog box from the Redistribution tab. For more information about the Redistribution tab, see Redistribution Tab, page K-162.

Related Topics

• OSPF Page, page K-153

• General Tab, page K-153

• Area Tab, page K-156

• Range Tab, page K-159

• Neighbors Tab, page K-160

• Redistribution Tab, page K-162

• Virtual Link Tab, page K-164

• Filtering Tab, page K-167

• Summary Address Tab, page K-169

• Interface Tab, page K-171

Field Reference

Table K-148 OSPF Redistribution Settings Dialog Box

Element Description

OSPF Process Select the OSPF process associated with the route redistribution entry.

Route Type Select the source protocol from which the routes are being redistributed. You can choose one of the following options:

• Static—The route is a static route.

• Connected—The route was established automatically by virtue of having IP enabled on the interface.

• OSPF—The route is an OSPF route from another process.

Match The conditions used for redistributing routes from one routing protocol to another. The routes must match the selected condition to be redistributed. You can choose one or more of the following match conditions:

• Internal—The route is internal to a specific AS.

• External 1—Routes that are external to the autonomous system, but are imported into OSPF as Type 1 external routes.

• External 2—Routes that are external to the autonomous system, but are imported into OSPF as Type 2 external routes.

• NSSA External 1—Routes that are external to the autonomous system, but are imported into OSPF as Type 2 NSSA routes.

• NSSA External 2—Routes that are external to the autonomous system, but are imported into OSPF as Type 2 NSSA routes.

Metric Value The metric value for the routes being redistributed. Valid values range from 1 to 16777214. When redistributing from one OSPF process to another OSPF process on the same device, the metric will be carried through from one process to the other if no metric value is specified. When redistributing other processes to an OSPF process, the default metric is 20 when no metric value is specified.

Metric Type Select “1” if the metric is a Type 1 external route, “2” if the metric is a Type 2 external route.

Tag Value The tag value is a 32-bit decimal value attached to each external route. This is not used by OSPF itself. It may be used to communicate information between ASBRs. Valid values range from 0 to 4294967295.

Use Subnets When selected, redistribution of subnetted routes is enabled. Deselect this check box to cause only routes that are not subnetted to be redistributed.

Route Map The name of the route map to apply to the redistribution entry.

Virtual Link Tab

Use the Virtual Link tab to create virtual links. If you add an area to an OSPF network, and it is not possible to connect the area directly to the backbone area, you need to create a virtual link. A virtual link connects two OSPF devices that have a common area, called the transit area. One of the OSPF devices must be connected to the backbone area.

Navigation Path

You can access the Virtual Link tab from the OSPF page. For more information about the OSPF page, see OSPF Page, page K-153.

Related Topics

• Add/Edit OSPF Virtual Link Configuration Dialog Box, page K-165

• OSPF Page, page K-153

• General Tab, page K-153

• Area Tab, page K-156

• Range Tab, page K-159

• Neighbors Tab, page K-160

• Redistribution Tab, page K-162

• Filtering Tab, page K-167

• Summary Address Tab, page K-169

• Interface Tab, page K-171

Field Reference

Table K-149 Virtual Link Tab

Element Description

OSPF Process The OSPF process associated with the virtual link.

Area ID The ID of the transit area.

Peer Router The IP address of the virtual link neighbor.

Authentication Displays the type of authentication used by the virtual link:

• None—No authentication is used.

• Password—Clear text password authentication is used.

• MD5—MD5 authentication is used.

Add/Edit OSPF Virtual Link Configuration Dialog Box

Use the Add/Edit OSPF Virtual Link Configuration dialog box to define virtual links or change the properties of existing virtual links.

Navigation Path

You can access the Add/Edit OSPF Virtual Link Configuration dialog box from the Virtual Link tab. For more information about the Virtual Link tab, see Virtual Link Tab, page K-164.

Related Topics

• Add/Edit OSPF Virtual Link MD5 Configuration Dialog Box, page K-167

• OSPF Page, page K-153

• General Tab, page K-153

• Area Tab, page K-156

• Range Tab, page K-159

• Neighbors Tab, page K-160

• Redistribution Tab, page K-162

• Virtual Link Tab, page K-164


• Filtering Tab, page K-167

• Summary Address Tab, page K-169

• Interface Tab, page K-171

Field Reference

Table K-150 Add/Edit OSPF Virtual Link Configuration Dialog Box

Element Description

OSPF Process Select the OSPF process associated with the virtual link.

Area ID Select the area shared by the neighbor OSPF devices. The selected area cannot be an NSSA or a stub area.

Peer Router Enter the IP address of the virtual link neighbor.

Hello Interval The interval, in seconds, between hello packets sent on an interface. The smaller the hello interval, the faster topological changes are detected but the more traffic is sent on the interface. This value must be the same for all routers and access servers on a specific interface. Valid values range from 1 to 65535 seconds. The default value is 10 seconds.

Retransmit Interval The time, in seconds, between LSA retransmissions for adjacencies belonging to the interface. When a router sends an LSA to its neighbor, it keeps the LSA until it receives the acknowledgement message. If the router receives no acknowledgement, it will resend the LSA. Be conservative when setting this value, or needless retransmission can result. The value should be larger for serial lines and virtual links. Valid values range from 1 to 65535 seconds. The default value is 5 seconds.

Transmit Delay The estimated time, in seconds, required to send an LSA packet on the interface. LSAs in the update packet have their ages increased by the amount specified by this field before transmission. If the delay is not added before transmission over a link, the time in which the LSA propagates over the link is not considered. The value assigned should take into account the transmission and propagation delays for the interface. This setting has more significance on very low-speed links. Valid values range from 1 to 65535 seconds. The default value is one second.

Dead Interval The interval, in seconds, during which no hello packets are received before neighbors declare the router down. Valid values range from 1 to 65535. The default value of this field is four times the interval set by the Hello Interval field.

Authentication Contains the OSPF authentication options.

• None—Choose this option to disable OSPF authentication.

• Password—Choose this option to use clear text password authentication. This is not recommended where security is a concern.

• MD5—Choose this option to use MD5 authentication (recommended).
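A consistency check across both ends of a virtual link, applying the limits and defaults of this dialog box (Hello, Dead, Retransmit and Transmit Delay intervals, the authentication choices, the rule that the transit area cannot be a stub or NSSA area) together with the password and MD5 key limits in the MD5 configuration dialog. This is an added example, not code from the Cisco Security Manager guide or the appliance: the VirtualLinkEnd record, the wording of the findings and the two sample endpoints are constructed for the example.

```python
# Added example (not Cisco Security Manager code): checks for the OSPF
# virtual link settings in the Add/Edit OSPF Virtual Link Configuration
# dialog box, applied to both ends of one link. Ranges, defaults and the
# stub/NSSA restriction come from the dialog's field reference; the record
# type, the finding strings and the sample endpoints are constructed.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class VirtualLinkEnd:
    router: str                  # label used in findings (constructed)
    area_id: str                 # transit area ID
    area_type: str               # "Normal", "Stub" or "NSSA"
    auth: str = "None"           # "None", "Password" or "MD5"
    password: Optional[str] = None
    md5_key_id: Optional[int] = None
    md5_key: Optional[str] = None
    hello: int = 10              # seconds, dialog default 10
    dead: Optional[int] = None   # None = dialog default of four times Hello
    retransmit: int = 5          # seconds, dialog default 5
    transmit_delay: int = 1      # seconds, dialog default 1


def effective_dead(end: VirtualLinkEnd) -> int:
    """Dead interval as the appliance would apply it when the field is blank."""
    return end.dead if end.dead is not None else 4 * end.hello


def check_end(end: VirtualLinkEnd) -> List[str]:
    """Per-endpoint checks mirroring the dialog's own limits."""
    f: List[str] = []
    if end.area_type != "Normal":
        f.append(f"{end.router}: transit area {end.area_id} is {end.area_type}; "
                 "a virtual link cannot cross a stub or NSSA area")
    timers = {"Hello": end.hello, "Retransmit": end.retransmit,
              "Transmit Delay": end.transmit_delay, "Dead": effective_dead(end)}
    for name, value in timers.items():
        if not 1 <= value <= 65535:
            f.append(f"{end.router}: {name} interval {value} outside 1-65535")
    if end.auth == "None":
        f.append(f"{end.router}: virtual link has no authentication")
    elif end.auth == "Password":
        f.append(f"{end.router}: clear text password authentication in use; "
                 "MD5 is recommended")
        if not end.password or len(end.password) > 8:
            f.append(f"{end.router}: password must be 1 to 8 characters")
    elif end.auth == "MD5":
        if end.md5_key_id is None or not 1 <= end.md5_key_id <= 255:
            f.append(f"{end.router}: MD5 key ID must be 1 to 255")
        if not end.md5_key or len(end.md5_key.encode()) > 16:
            f.append(f"{end.router}: MD5 key must be 1 to 16 bytes")
    else:
        f.append(f"{end.router}: unknown authentication type {end.auth!r}")
    return f


def check_link(a: VirtualLinkEnd, b: VirtualLinkEnd) -> List[str]:
    """Both endpoints, plus the settings that must agree across the link."""
    f = check_end(a) + check_end(b)
    if a.area_id != b.area_id:
        f.append("transit area differs between the two ends")
    if a.hello != b.hello:
        f.append(f"Hello interval mismatch: {a.hello} vs {b.hello}")
    if effective_dead(a) != effective_dead(b):
        f.append(f"Dead interval mismatch: {effective_dead(a)} vs {effective_dead(b)}")
    if a.auth != b.auth:
        f.append(f"authentication type mismatch: {a.auth} vs {b.auth}")
    elif a.auth == "MD5" and (a.md5_key_id, a.md5_key) != (b.md5_key_id, b.md5_key):
        f.append("MD5 key ID or key differs between the two ends")
    elif a.auth == "Password" and a.password != b.password:
        f.append("password differs between the two ends")
    return f


def demo() -> List[str]:
    """Constructed pair: one end uses MD5 at the defaults, the other a clear
    text password that is too long and a Dead interval that no longer
    matches the peer's default of 40."""
    good = VirtualLinkEnd("abr-1", "1", "Normal", "MD5",
                          md5_key_id=1, md5_key="k3y-example")
    other = VirtualLinkEnd("abr-2", "1", "Normal", "Password",
                           password="secret123", dead=30)
    return check_link(good, other)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The constructed pair yields four findings: the clear text authentication itself, the nine-character password, the 40-versus-30 Dead interval mismatch (the first end's value is the implied four times Hello), and the authentication type mismatch between the ends.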

Authentication Password

Contains the settings for entering the password when password authentication is enabled.

• Password—Enter a text string of up to 8 characters.

• Confirm—Re-enter the password.

MD5 IDs and Keys Contains the settings for entering the MD5 keys and parameters when MD5 authentication is enabled. All devices on the interface using OSPF authentication must use the same MD5 key and ID.

• MD5 Key ID and MD5 Key Table

– MD5 Key ID—A numerical key identifier. Valid values range from 1 to 255.

– MD5 Key—An alphanumeric character string of up to 16 bytes.

Add/Edit OSPF Virtual Link MD5 Configuration Dialog Box

Use the Add/Edit OSPF Virtual Link MD5 Configuration dialog box to define MD5 keys for authentication of virtual links.

Navigation Path

You can access the Add/Edit OSPF Virtual Link MD5 Configuration dialog box from the Add/Edit OSPF Virtual Link Configuration dialog box. For more information about the Add/Edit OSPF Virtual Link Configuration dialog box, see Add/Edit OSPF Virtual Link Configuration Dialog Box, page K-165.

Related Topics

• Add/Edit OSPF Virtual Link Configuration Dialog Box, page K-165

• Virtual Link Tab, page K-164

• OSPF Page, page K-153

Field Reference

Table K-151 Add/Edit OSPF Virtual Link MD5 Configuration Dialog Box

Element Description

MD5 Key ID A numerical key identifier. Valid values range from 1 to 255.

MD5 Key An alphanumeric character string of up to 16 bytes.

Confirm Re-enter the MD5 key.

Filtering Tab

Use the Filtering tab to configure the ABR Type 3 LSA filters for each OSPF process. ABR Type 3 LSA filters allow only specified prefixes to be sent from one area to another area and restrict all other prefixes. This type of area filtering can be applied out of a specific OSPF area, into a specific OSPF area, or into and out of the same OSPF areas at the same time.

Benefits

OSPF ABR Type 3 LSA filtering improves your control of route distribution between OSPF areas.


Restrictions

Only type-3 LSAs that originate from an ABR are filtered.

Navigation Path

You can access the Filtering tab from the OSPF page. For more information about the OSPF page, see OSPF Page, page K-153.

Related Topics

• Add/Edit Filtering Dialog Box, page K-168

• OSPF Page, page K-153

• General Tab, page K-153

• Area Tab, page K-156

• Range Tab, page K-159

• Neighbors Tab, page K-160

• Redistribution Tab, page K-162

• Virtual Link Tab, page K-164

• Summary Address Tab, page K-169

• Interface Tab, page K-171

Field Reference

Table K-152 Filtering Tab

Element | Description
OSPF Process | The OSPF process associated with the filter entry.
Area ID | The ID of the area associated with the filter entry.
Filtered Network | The IP address and mask of the network being filtered.
Traffic Direction | Displays “Inbound” if the filter entry applies to LSAs coming into an OSPF area or “Outbound” if it applies to LSAs going out of an OSPF area.
Sequence # | The sequence number for the filter entry. When multiple filters apply to an LSA, the filter with the lowest sequence number is used.
Action | Displays “Permit” if LSAs matching the filter are allowed or “Deny” if LSAs matching the filter are denied.
Lower Range | The minimum prefix length to be matched.
Upper Range | The maximum prefix length to be matched.

Add/Edit Filtering Dialog Box

Use the Add/Edit Filtering dialog box to add new filters to the Filter table or to modify an existing filter.

Navigation Path

You can access the Add/Edit Filtering dialog box from the Filtering tab. For more information about the Filtering tab, see Filtering Tab, page K-167.


Related Topics

• OSPF Page, page K-153

• General Tab, page K-153

• Area Tab, page K-156

• Range Tab, page K-159

• Neighbors Tab, page K-160

• Redistribution Tab, page K-162

• Virtual Link Tab, page K-164

• Filtering Tab, page K-167

• Summary Address Tab, page K-169

• Interface Tab, page K-171

Field Reference

Table K-153 Add/Edit Filtering Dialog Box

Element | Description
OSPF Process | Select the OSPF process associated with the filter entry.
Area ID | Select the ID of the area associated with the filter entry.
Prefix List Name |
Filtered Network | Enter the IP address and mask of the network being filtered.
Traffic Direction | Select the traffic direction to filter. Choose “Inbound” to filter LSAs coming into an OSPF area or “Outbound” to filter LSAs going out of an OSPF area.
Sequence Number | Enter a sequence number for the filter. Valid values range from 1 to 4294967294. When multiple filters apply to an LSA, the filter with the lowest sequence number is used.
Action | Select “Permit” to allow the LSA traffic or “Deny” to block the LSA traffic.
Lower Range | Specify the minimum prefix length to be matched. The value of this setting must be greater than the length of the network mask entered in the Filtered Network field and less than or equal to the value, if present, entered in the Upper Range field.
Upper Range | Enter the maximum prefix length to be matched. The value of this setting must be greater than or equal to the value, if present, entered in the Lower Range field, or, if the Lower Range field is left blank, greater than the network mask length entered in the Filtered Network field.

Summary Address Tab

Use the Summary Address tab to configure summary addresses for each OSPF routing process.

Routes learned from other routing protocols can be summarized. The metric used to advertise the summary is the smallest metric of all the more specific routes. Summary routes help reduce the size of the routing table.

Using summary routes for OSPF causes an OSPF ASBR to advertise one external route as an aggregate for all redistributed routes that are covered by the address. Only routes from other routing protocols that are being redistributed into OSPF can be summarized.
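As a worked illustration of the Filtering tab and Add/Edit Filtering dialog box fields (Tables K-152 and K-153), the following Python is an added example, not part of this guide or of Security Manager. It checks an entry against the Lower Range, Upper Range and Sequence Number constraints stated above, then applies a set of entries to an LSA prefix and lets the lowest sequence number decide. The AbrFilter class, the sample entries and the prefix-list style range matching are assumptions of the example; the implicit deny when no entry matches is likewise assumed, because the page does not say what happens in that case.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Sequence


@dataclass(frozen=True)
class AbrFilter:
    """One entry of the Add/Edit Filtering dialog box (Table K-153); class is an assumption."""
    ospf_process: int
    area_id: str
    direction: str                # "Inbound" or "Outbound"
    sequence: int                 # 1 .. 4294967294; the lowest matching sequence wins
    action: str                   # "Permit" or "Deny"
    network: str                  # Filtered Network, address/mask, e.g. "10.1.0.0/16"
    lower: Optional[int] = None   # Lower Range: minimum prefix length to match
    upper: Optional[int] = None   # Upper Range: maximum prefix length to match


def validate_filter(f: AbrFilter) -> List[str]:
    """Return the Table K-153 constraints that the entry violates (empty list => valid)."""
    errors: List[str] = []
    net = ipaddress.ip_network(f.network, strict=False)
    mask_len = net.prefixlen
    if not 1 <= f.sequence <= 4294967294:
        errors.append("Sequence Number must be between 1 and 4294967294")
    if f.direction not in ("Inbound", "Outbound"):
        errors.append("Traffic Direction must be Inbound or Outbound")
    if f.action not in ("Permit", "Deny"):
        errors.append("Action must be Permit or Deny")
    if f.lower is not None:
        if f.lower <= mask_len:
            errors.append("Lower Range must be greater than the Filtered Network mask length")
        if f.upper is not None and f.lower > f.upper:
            errors.append("Lower Range must be less than or equal to Upper Range")
    if f.upper is not None:
        if f.lower is None and f.upper <= mask_len:
            errors.append("Upper Range must be greater than the Filtered Network mask length")
        if f.upper > net.max_prefixlen:
            errors.append("Upper Range exceeds the maximum prefix length")
    return errors


def filter_matches(f: AbrFilter, prefix: str) -> bool:
    """Does an LSA for `prefix` fall under this entry?

    Assumption (not stated on the page): standard prefix-list semantics. The LSA prefix
    must lie inside Filtered Network; its length must equal the mask length when no range
    is given, be at least Lower Range when only Lower is given, be at most Upper Range when
    only Upper is given, or lie within [Lower, Upper] when both are given.
    """
    net = ipaddress.ip_network(f.network, strict=False)
    p = ipaddress.ip_network(prefix, strict=False)
    if p.version != net.version or not p.subnet_of(net):
        return False
    lo = f.lower if f.lower is not None else net.prefixlen
    if f.upper is not None:
        hi = f.upper
    else:
        hi = net.max_prefixlen if f.lower is not None else net.prefixlen
    return lo <= p.prefixlen <= hi


def lsa_action(filters: Sequence[AbrFilter], prefix: str, ospf_process: int,
               area_id: str, direction: str, default: str = "Deny") -> str:
    """Filtering tab rule: of all entries for this process, area and direction that
    match the LSA, the one with the lowest sequence number decides. `default` applies
    when nothing matches (assumed implicit deny; the page does not state it)."""
    hits = [f for f in filters
            if f.ospf_process == ospf_process and f.area_id == area_id
            and f.direction == direction and filter_matches(f, prefix)]
    if not hits:
        return default
    return min(hits, key=lambda f: f.sequence).action


# Constructed sample entries for OSPF process 1, area 0.0.0.1, outbound direction:
# permit only the /24s inside 10.1.0.0/16, deny anything else more specific than
# that /16, and permit the rest of 10.0.0.0/8 (but not the /8 itself).
SAMPLE_FILTERS = [
    AbrFilter(1, "0.0.0.1", "Outbound", 10, "Permit", "10.1.0.0/16", lower=24, upper=24),
    AbrFilter(1, "0.0.0.1", "Outbound", 20, "Deny", "10.1.0.0/16", lower=17),
    AbrFilter(1, "0.0.0.1", "Outbound", 30, "Permit", "10.0.0.0/8", lower=9),
]

if __name__ == "__main__":
    for lsa in ("10.1.5.0/24", "10.1.5.128/25", "10.2.0.0/16", "10.0.0.0/8"):
        print(lsa, "->", lsa_action(SAMPLE_FILTERS, lsa, 1, "0.0.0.1", "Outbound"))
```

The validator mirrors the dialog's own checks, so it can be run over an exported policy before deployment; the lowest-sequence rule means a broad Deny placed at a low sequence number silently overrides every more specific Permit above it, which is the usual mistake worth looking for.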


Navigation Path

You can access the Summary Address tab from the OSPF page. For more information about the OSPF page, see OSPF Page, page K-153.

Related Topics

• Table K-155 on page K-171

• OSPF Page, page K-153

• General Tab, page K-153

• Area Tab, page K-156

• Range Tab, page K-159

• Neighbors Tab, page K-160

• Redistribution Tab, page K-162

• Virtual Link Tab, page K-164

• Filtering Tab, page K-167

• Interface Tab, page K-171

Field Reference

Table K-154 Summary Address Tab

Element | Description
OSPF Process | The OSPF process associated with the summary address.
Network | The IP address and network mask of the summary address.
Tag | A 32-bit decimal value attached to each external route. This value is not used by OSPF itself. It may be used to communicate information between ASBRs.
Advertise | Displays “true” if the summary route is advertised. Displays “false” if the summary route is not advertised.

Add/Edit Summary Address Dialog Box

Use the Add/Edit Summary Address dialog box to add new entries or to modify existing entries in the Summary Address table.

Navigation Path

You can access the Add/Edit Summary Address dialog box from the Summary Address tab. For more information about the Summary Address tab, see Summary Address Tab, page K-169.

Related Topics

• OSPF Page, page K-153

• General Tab, page K-153

• Area Tab, page K-156

• Range Tab, page K-159

• Neighbors Tab, page K-160


• Redistribution Tab, page K-162

• Virtual Link Tab, page K-164

• Filtering Tab, page K-167

• Summary Address Tab, page K-169

• Interface Tab, page K-171

Field Reference

Table K-155 Add/Edit Summary Address Dialog Box

Element | Description
OSPF Process | Choose the OSPF process associated with the summary address. You cannot change this information when editing an existing entry.
Network | The IP address and network mask of the summary address.
Tag | The tag value is a 32-bit decimal value attached to each external route. This is not used by OSPF itself. It may be used to communicate information between ASBRs. Valid values range from 0 to 4294967295.
Advertise | When selected, summary routes are advertised. Deselect this check box to suppress routes that fall under the summary address. By default, this check box is selected.

Interface Tab

Use the Interface tab to configure interface-specific OSPF authentication routing properties.

Navigation Path

You can access the Interface tab from the OSPF page. For more information about the OSPF page, see OSPF Page, page K-153.

Related Topics

• Table K-157 on page K-174

• OSPF Page, page K-153

• General Tab, page K-153

• Area Tab, page K-156

• Range Tab, page K-159

• Neighbors Tab, page K-160

• Redistribution Tab, page K-162

• Virtual Link Tab, page K-164

• Filtering Tab, page K-167

• Summary Address Tab, page K-169
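The Summary Address tab and Add/Edit Summary Address dialog box (Tables K-154 and K-155) describe what an ASBR does with a summary address. The following Python is an added example, not code from this guide or from Security Manager, that works the stated rule through on constructed routing-table entries: only redistributed routes are candidates, a summary is advertised with the smallest metric of the routes it covers, and deselecting Advertise suppresses the covered routes. The Route and SummaryAddress classes, the sample data, and the choice of the most specific summary when summaries nest are assumptions of the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Set, Tuple


@dataclass(frozen=True)
class SummaryAddress:
    """One entry of the Add/Edit Summary Address dialog box (Table K-155); class is an assumption."""
    ospf_process: int
    network: str            # address/mask of the summary, e.g. "172.16.0.0/16"
    tag: int = 0            # 0 .. 4294967295; carried on the external route, ignored by OSPF
    advertise: bool = True  # False suppresses every route that falls under the summary


@dataclass(frozen=True)
class Route:
    """A routing-table entry on the ASBR (constructed sample data)."""
    prefix: str
    metric: int
    source: str             # "static", "connected", "rip", "ospf", ...


def validate_summary(s: SummaryAddress) -> List[str]:
    """Field limits from Table K-155."""
    errors: List[str] = []
    if not 0 <= s.tag <= 4294967295:
        errors.append("Tag must be between 0 and 4294967295")
    try:
        ipaddress.ip_network(s.network, strict=True)
    except ValueError:
        errors.append("Network must be an address/mask with the host bits set to zero")
    return errors


def summarize(routes: Sequence[Route], summaries: Sequence[SummaryAddress],
              ospf_process: int, redistributed_sources: Set[str]
              ) -> Tuple[Dict[str, Tuple[int, Optional[int]]], List[str]]:
    """Return (advertised, suppressed).

    advertised maps each external prefix the ASBR advertises to (metric, tag);
    suppressed lists the prefixes hidden by a summary whose Advertise box is cleared.
    Only routes whose source is redistributed into OSPF are candidates; a summary is
    advertised with the smallest metric of the routes it covers. Assumption: when
    summaries nest, the most specific one applies.
    """
    advertised: Dict[str, Tuple[int, Optional[int]]] = {}
    suppressed: List[str] = []
    covered: Dict[str, int] = {}          # summary network -> smallest metric seen so far
    nets = [(s, ipaddress.ip_network(s.network)) for s in summaries
            if s.ospf_process == ospf_process]
    for r in routes:
        if r.source not in redistributed_sources:
            continue                       # not external to OSPF; nothing to advertise
        p = ipaddress.ip_network(r.prefix)
        matches = [(s, n) for s, n in nets if p.version == n.version and p.subnet_of(n)]
        if not matches:
            advertised[r.prefix] = (r.metric, None)    # advertised unchanged
            continue
        s, _ = max(matches, key=lambda sn: sn[1].prefixlen)
        if not s.advertise:
            suppressed.append(r.prefix)
        elif s.network not in covered or r.metric < covered[s.network]:
            covered[s.network] = r.metric
    for s, _ in nets:
        if s.network in covered:
            advertised[s.network] = (covered[s.network], s.tag)
    return advertised, suppressed


# Constructed sample data.
SAMPLE_ROUTES = [
    Route("172.16.1.0/24", 20, "static"),
    Route("172.16.2.0/24", 5, "static"),
    Route("172.16.3.0/24", 1, "ospf"),      # OSPF-internal: never exported or summarized
    Route("10.1.1.0/24", 10, "static"),
    Route("192.168.9.0/24", 0, "connected"),
]
SAMPLE_SUMMARIES = [
    SummaryAddress(1, "172.16.0.0/16", tag=100),
    SummaryAddress(1, "10.0.0.0/8", advertise=False),
]

if __name__ == "__main__":
    adv, sup = summarize(SAMPLE_ROUTES, SAMPLE_SUMMARIES, 1, {"static", "connected"})
    print(adv)   # {'192.168.9.0/24': (0, None), '172.16.0.0/16': (5, 100)}
    print(sup)   # ['10.1.1.0/24']
```

Note that the internal 172.16.3.0/24 route is neither exported nor folded into the summary, matching the restriction that only redistributed routes can be summarized; the summary takes the metric 5 of 172.16.2.0/24, not the 20 of 172.16.1.0/24.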


Field Reference

Table K-156 Interface Tab

Element | Description
Interface | The name of the interface to which the configuration applies.
Authentication | The type of OSPF authentication enabled on the interface. The authentication type can be one of the following values:
• None—OSPF authentication is disabled.
• Password—Clear text password authentication is enabled.
• MD5—MD5 authentication is enabled.
• Area—The authentication type specified for the area is enabled on the interface. Area authentication is the default value for interfaces. However, area authentication is disabled by default. So, unless you previously specified an area authentication type, interfaces showing Area authentication have authentication disabled.
Point-to-Point | Displays “true” if the interface is set to non-broadcast (point-to-point). Displays “false” if the interface is set to broadcast.
Cost | The cost of sending a packet through the interface.
Priority | The OSPF priority assigned to the interface.
MTU Ignore | Displays “false” if MTU mismatch detection is enabled. Displays “true” if MTU mismatch detection is disabled.
Database Filter | Displays “true” if outgoing LSAs are filtered during synchronization and flooding. Displays “false” if filtering is not enabled.
Hello Interval | The interval, in seconds, between hello packets sent on an interface. The smaller the hello interval, the faster topological changes are detected but the more traffic is sent on the interface. This value must be the same for all routers and access servers on a specific interface. Valid values range from 1 to 65535 seconds. The default value is 10 seconds.
Transmit Delay | The estimated time, in seconds, required to send an LSA packet on the interface. LSAs in the update packet have their ages increased by the amount specified by this field before transmission. If the delay is not added before transmission over a link, the time in which the LSA propagates over the link is not considered. The value assigned should take into account the transmission and propagation delays for the interface. This setting has more significance on very low-speed links. Valid values range from 1 to 65535 seconds. The default value is 1 second.


Table K-156 Interface Tab (Continued)

Element | Description
Retransmit Interval | The time, in seconds, between LSA retransmissions for adjacencies belonging to the interface. When a router sends an LSA to its neighbor, it keeps the LSA until it receives the acknowledgement message. If the router receives no acknowledgement, it resends the LSA. Be conservative when setting this value, or needless retransmission can result. The value should be larger for serial lines and virtual links. Valid values range from 1 to 65535 seconds. The default value is 5 seconds.
Dead Interval | The interval, in seconds, in which no hello packets are received, causing neighbors to declare a router down. Valid values range from 1 to 65535. The default value of this setting is four times the interval set by the Hello Interval field.

Add/Edit Interface Dialog Box

Use the Add/Edit Interface dialog box to add OSPF authentication routing properties for an interface or to change an existing entry.

Navigation Path

You can access the Add/Edit Interface dialog box from the Interface tab. For more information about the Interface tab, see Interface Tab, page K-171.

Related Topics

• OSPF Page, page K-153

• General Tab, page K-153

• Area Tab, page K-156

• Range Tab, page K-159

• Neighbors Tab, page K-160

• Redistribution Tab, page K-162

• Virtual Link Tab, page K-164

• Filtering Tab, page K-167

• Summary Address Tab, page K-169

• Interface Tab, page K-171
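The Interface tab (Table K-156) warns that an interface showing Area authentication may in fact be unauthenticated. The following Python is an added example, not code from this guide or from Security Manager, that resolves the effective authentication type per interface, applies the password, MD5 key and timer limits from Tables K-156 and K-157, and derives the default Dead Interval of four times the Hello Interval. The OspfArea and OspfInterface classes and the sample areas and interfaces are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class OspfArea:
    """Area-level authentication type (constructed model; "None" means not configured)."""
    area_id: str
    authentication: str = "None"      # "None", "Password" or "MD5"


@dataclass(frozen=True)
class OspfInterface:
    """One entry of the Interface tab / Add/Edit Interface dialog box (Tables K-156, K-157)."""
    name: str
    area_id: str
    authentication: str = "Area"      # "None", "Password", "MD5" or "Area" (the default)
    password: Optional[str] = None    # text string of up to 8 characters
    md5_key_id: Optional[int] = None  # 1 .. 255
    md5_key: Optional[str] = None     # alphanumeric string of up to 16 bytes
    hello_interval: int = 10          # seconds, 1 .. 65535, default 10
    dead_interval: Optional[int] = None   # seconds, 1 .. 65535; default is four times hello


def effective_authentication(intf: OspfInterface, areas: Dict[str, OspfArea]) -> str:
    """Resolve "Area" to what the area actually configures. Area authentication is the
    interface default but is itself disabled by default, so an interface showing "Area"
    in an area with no authentication type runs OSPF unauthenticated."""
    if intf.authentication != "Area":
        return intf.authentication
    area = areas.get(intf.area_id)
    return area.authentication if area is not None else "None"


def effective_dead_interval(intf: OspfInterface) -> int:
    """Dead Interval defaults to four times the Hello Interval."""
    return intf.dead_interval if intf.dead_interval is not None else 4 * intf.hello_interval


def audit_interface(intf: OspfInterface, areas: Dict[str, OspfArea]) -> List[str]:
    """Findings a reviewer would want: unauthenticated or clear text OSPF, and key or
    timer values outside the ranges the dialog box accepts."""
    findings: List[str] = []
    auth = effective_authentication(intf, areas)
    if auth == "None" and intf.authentication == "Area":
        findings.append(f"{intf.name}: shows Area authentication but area {intf.area_id} "
                        "has no authentication type, so OSPF is unauthenticated")
    elif auth == "None":
        findings.append(f"{intf.name}: OSPF authentication is disabled")
    elif auth == "Password":
        findings.append(f"{intf.name}: clear text password authentication; MD5 is recommended")
        if not intf.password or len(intf.password) > 8:
            findings.append(f"{intf.name}: password must be 1 to 8 characters")
    elif auth == "MD5":
        if intf.md5_key_id is None or not 1 <= intf.md5_key_id <= 255:
            findings.append(f"{intf.name}: MD5 Key ID must be between 1 and 255")
        if not intf.md5_key or len(intf.md5_key.encode()) > 16:
            findings.append(f"{intf.name}: MD5 key must be 1 to 16 bytes")
    else:
        findings.append(f"{intf.name}: unknown authentication type {auth!r}")
    if not 1 <= intf.hello_interval <= 65535:
        findings.append(f"{intf.name}: Hello Interval must be between 1 and 65535 seconds")
    if not 1 <= effective_dead_interval(intf) <= 65535:
        findings.append(f"{intf.name}: Dead Interval must be between 1 and 65535 seconds")
    return findings


def timers_agree(a: OspfInterface, b: OspfInterface) -> bool:
    """Hello and dead intervals must be the same on every router sharing a segment."""
    return (a.hello_interval == b.hello_interval
            and effective_dead_interval(a) == effective_dead_interval(b))


# Constructed sample: area 0 has no area authentication configured, area 1 uses MD5.
SAMPLE_AREAS = {"0": OspfArea("0"), "1": OspfArea("1", authentication="MD5")}
SAMPLE_INTERFACES = [
    OspfInterface("outside", "0"),                                   # "Area" in an unauthenticated area
    OspfInterface("dmz", "1", md5_key_id=1, md5_key="s3cr3tkey"),    # inherits MD5 from area 1
    OspfInterface("inside", "0", authentication="Password", password="toolongpassword"),
    OspfInterface("mgmt", "0", authentication="MD5", md5_key_id=300, md5_key="k"),
]

if __name__ == "__main__":
    for intf in SAMPLE_INTERFACES:
        print(intf.name, effective_authentication(intf, SAMPLE_AREAS),
              audit_interface(intf, SAMPLE_AREAS))
```

The first sample interface is the case the table warns about: the Interface tab shows "Area", yet no neighbor is authenticated because area 0 never had an authentication type set.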


Field Reference

Table K-157 Add/Edit Interface Dialog Box

Element | Description
Interface | The name of the interface to which the configuration applies.
Authentication | The type of OSPF authentication enabled on the interface. The authentication type can be one of the following values:
• No Authentication—OSPF authentication is disabled.
• Area Authentication—The authentication type specified for the area is enabled on the interface. Area authentication is the default value for interfaces. However, area authentication is disabled by default. So, unless you previously specified an area authentication type, interfaces showing Area authentication have authentication disabled.
• Password Authentication—Clear text password authentication is enabled.
• MD5 Authentication—MD5 authentication is enabled.
Authentication Password | Contains the settings for entering the password when password authentication is enabled.
• Enter Password—Enter a text string of up to 8 characters.
• Confirm—Re-enter the password.
MD5 Key IDs and Keys | Contains the settings for entering the MD5 keys and parameters when MD5 authentication is enabled. All devices on the interface using OSPF authentication must use the same MD5 key and ID.
• Key ID—Enter a numerical key identifier. Valid values range from 1 to 255.
• Key—An alphanumeric character string of up to 16 bytes.
• Confirm—Re-enter the MD5 key.
Cost | The cost of sending a packet through the interface.
Priority | The OSPF priority assigned to the interface.
MTU Ignore | When selected, MTU mismatch detection is disabled. Deselect this check box to enable MTU mismatch detection.
Database Filter All Out | When selected, outgoing LSAs are filtered during synchronization and flooding. Deselect this check box to disable filtering.
Hello Interval (sec) | The interval, in seconds, between hello packets sent on an interface. The smaller the hello interval, the faster topological changes are detected but the more traffic is sent on the interface. This value must be the same for all routers and access servers on a specific interface. Valid values range from 1 to 65535 seconds. The default value is 10 seconds.


Table K-157 Add/Edit Interface Dialog Box (Continued)

Element | Description
Transmit Delay (sec) | The estimated time, in seconds, required to send an LSA packet on the interface. LSAs in the update packet have their ages increased by the amount specified by this field before transmission. If the delay is not added before transmission over a link, the time in which the LSA propagates over the link is not considered. The value assigned should take into account the transmission and propagation delays for the interface. This setting has more significance on very low-speed links. Valid values range from 1 to 65535 seconds. The default value is 1 second.
Retransmit Interval (sec) | The time, in seconds, between LSA retransmissions for adjacencies belonging to the interface. When a router sends an LSA to its neighbor, it keeps the LSA until it receives the acknowledgement message. If the router receives no acknowledgement, it resends the LSA. Be conservative when setting this value, or needless retransmission can result. The value should be larger for serial lines and virtual links. Valid values range from 1 to 65535 seconds. The default value is 5 seconds.
Dead Interval (sec) | The interval, in seconds, in which no hello packets are received, causing neighbors to declare a router down. Valid values range from 1 to 65535. The default value of this setting is four times the interval set by the Hello Interval field.
Point-to-Point | Displays “true” if the interface is set to non-broadcast (point-to-point). Displays “false” if the interface is set to broadcast.

RIP Page

Use the RIP page to enable the Routing Information Protocol (RIP) on an interface. The settings and features available when configuring RIP depend on the type of device and OS version that you are configuring:

• To configure RIP on a PIX Firewall or ASA running an OS version earlier than 7.2, or to configure RIP on any FWSM, see RIP Page for PIX/ASA 6.3–7.1 and FWSM, page K-176.

• To configure RIP on a PIX Firewall or ASA running OS version 7.2 or later, see RIP Page for PIX/ASA 7.2 and Later, page K-178.

RIP is a distance-vector routing protocol that uses hop count as the metric for path selection. When RIP is enabled on an interface, the interface exchanges RIP broadcast packets with neighboring devices to learn about network topology changes. Security Manager supports both RIP version 1 and RIP version 2. RIP version 1 does not send the subnet mask with the routing update. RIP version 2 sends the subnet mask with the routing update and supports variable-length subnet masks. Additionally, RIP version 2 supports neighbor authentication when routing updates are exchanged. This authentication ensures that Security Manager receives reliable routing information from a trusted source.

Navigation Path

• (Device view) Select Platform > Routing > RIP from the Device Policy selector.

• (Policy view) Select PIX/ASA/FWSM Platform > Routing > RIP from the Policy Type selector. Right-click RIP to create a policy, or select an existing policy from the Shared Policy selector.


Note When creating a shared RIP policy, you must indicate whether you are creating a policy for any FWSM or a PIX/ASA running a pre-7.2 version OS, or whether the policy is for a PIX/ASA version 7.2 or later. When assigning a shared RIP policy, be sure to assign the appropriate RIP policy for the device. For example, you cannot assign a PIX/ASA 7.2+ RIP policy to an FWSM.

Related Topics

• Static Route Page, page K-184

• OSPF Page, page K-153

• No Proxy ARP Page, page K-152

RIP Page for PIX/ASA 6.3–7.1 and FWSM

Use this RIP page to enable the Routing Information Protocol (RIP) on an interface.

Navigation Path

• (Device view) Select Platform > Routing > RIP from the Device Policy selector.

• (Policy view) Select PIX/ASA/FWSM Platform > Routing > RIP from the Policy Type selector. Select an existing policy from the Shared Policy selector, or create a new RIP policy.

Note When creating a shared RIP policy, you must indicate whether you are creating a policy for any FWSM or a PIX/ASA running a pre-7.2 version OS, or whether the policy is for a PIX/ASA version 7.2 or later. When assigning a shared RIP policy, be sure to assign the appropriate RIP policy for the device. For example, you cannot assign a PIX/ASA 7.2+ RIP policy to an FWSM.

Related Topics

• Static Route Page, page K-184

• OSPF Page, page K-153

• No Proxy ARP Page, page K-152

Field Reference

Table K-158 RIP Page for PIX/ASA 6.3–7.1 and FWSM

Element | Description
RIP table | Displays RIP configuration information. Double-clicking a row in the RIP table opens the Add/Edit RIP Configuration dialog box, where you can change the parameters for the selected RIP configuration.
Interface | Displays the name of the interface on which RIP is enabled.
Mode | Displays the action configured for RIP on the selected interface. This column displays “Send” if the interface is configured to send RIP updates only, “Receive” if the interface is configured to receive RIP updates only, or “Send+Receive” if the interface is configured to send and receive RIP updates.


Table K-158 RIP Page for PIX/ASA 6.3–7.1 and FWSM (Continued)

Element | Description
Version | Displays which version of RIP is enabled on the interface.
Enable Auth | Identifies whether RIP version 2 authentication is enabled on this interface.
Auth Type | Displays the type of authentication used for RIP version 2 authentication on the specified interface. This column contains “MD5” if MD5 authentication is enabled, “Text” if plaintext authentication is enabled, or is blank if authentication is not enabled.
Auth Key ID | Displays the identification number of the authentication key used in RIP version 2 authentication on the specified interface. This column is blank if authentication is not enabled.

Add/Edit RIP Configuration (PIX/ASA 6.3–7.1 and FWSM) Dialog Box

Use the Add/Edit RIP Configuration dialog box to add a RIP configuration to the security appliance or make changes to a RIP configuration. By adding a RIP configuration, you enable RIP on the selected interface.

Navigation Path

You can access the Add/Edit RIP Configuration dialog box from the RIP page. For more information about the RIP page, see RIP Page for PIX/ASA 6.3–7.1 and FWSM, page K-176.

Related Topics

• RIP Page for PIX/ASA 6.3–7.1 and FWSM, page K-176

• Routing Policies, page K-152

Field Reference

Table K-159 Add/Edit RIP Configuration (PIX/ASA 6.3–7.1 and FWSM) Dialog Box

Element | Description
Interface | Specifies the interface for the RIP configuration. You cannot specify two different RIP configurations for the same interface.
Mode | Sets the behavior of RIP updates on the selected interface. You can select from the following actions:
• Send default routes—Sets the selected interface to send RIP routing updates of default routes.
• Receive routes—Sets the selected interface to listen for RIP routing broadcasts and to use that information to populate its routing table but not to send RIP routing updates.
• Send default routes and receive routes—Sets the selected interface to send RIP routing updates of default routes and to receive RIP routing updates.


Table K-159 Add/Edit RIP Configuration (PIX/ASA 6.3–7.1 and FWSM) Dialog Box (Continued)

Element | Description
Version | Selects the version of RIP that is enabled on the selected interface. You can select from the following versions:
• RIP Version 1—Enables RIP Version 1 on the interface.
• RIP Version 2—Enables RIP Version 2 on the interface. Configuring RIP Version 2 on an interface registers the multicast address 224.0.0.9 on the interface.
Version 2 Authentication group box | Contains the settings that let you enable and select the type of authentication used in RIP Version 2.
• Enable Authentication—When selected, enables RIP neighbor authentication. Deselect this check box to disable RIP neighbor authentication.
• Type
– MD5 (Recommended)—Uses the MD5 hash algorithm for authentication.
– Clear text option—Uses clear text for authentication.
• Key ID—The identification number of the authentication key. This number must be shared with all other devices sending updates to and receiving updates from the security appliance. Valid values range from 1 to 255.
• Key—The shared key used for authentication. This key must be shared with all other devices sending updates to and receiving updates from the security appliance. The key can be up to 16 characters.

RIP Page for PIX/ASA 7.2 and Later

Use the RIP page to enable and configure the Routing Information Protocol (RIP) on a firewall device. The following topics provide more information about enabling and configuring RIP for PIX Firewalls and ASA devices running OS 7.2 or later:

• RIP - Setup Tab, page K-179

• RIP - Redistribution Tab, page K-180

• RIP - Filtering Tab, page K-182

• RIP - Interface Tab, page K-183

Navigation Path

• (Device view) Select Platform > Routing > RIP from the Device Policy selector.

• (Policy view) Select PIX/ASA/FWSM Platform > Routing > RIP from the Policy Type selector. Right-click RIP to create a policy, or select an existing policy from the Shared Policy selector.
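The RIP page for PIX/ASA 6.3–7.1 and FWSM (Tables K-158 and K-159) displays per-interface RIP entries whose authentication columns are blank when authentication is off. The following Python is an added example, not code from this guide or from Security Manager, that renders a dialog entry the way the RIP page table displays it and reviews a set of entries for duplicate interfaces, out-of-range Key ID and Key values, and interfaces whose updates are not authenticated (only RIP version 2 can authenticate neighbors). The RipEntry class and the sample entries are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence

# Mode names in the Add/Edit RIP Configuration dialog box (Table K-159) and how the
# RIP page's Mode column (Table K-158) displays them.
MODE_DISPLAY = {
    "Send default routes": "Send",
    "Receive routes": "Receive",
    "Send default routes and receive routes": "Send+Receive",
}


@dataclass(frozen=True)
class RipEntry:
    """One entry of the Add/Edit RIP Configuration dialog box (constructed model)."""
    interface: str
    mode: str
    version: int                     # 1 or 2
    enable_auth: bool = False        # Version 2 Authentication: Enable Authentication
    auth_type: Optional[str] = None  # "MD5" (recommended) or "Text"
    key_id: Optional[int] = None     # 1 .. 255, shared with every RIP neighbor on the interface
    key: Optional[str] = None        # up to 16 characters, shared likewise


def to_table_row(e: RipEntry) -> Dict[str, object]:
    """Render the entry as the RIP page displays it (Table K-158); the authentication
    columns are blank when authentication is not enabled."""
    return {
        "Interface": e.interface,
        "Mode": MODE_DISPLAY.get(e.mode, e.mode),
        "Version": e.version,
        "Enable Auth": e.enable_auth,
        "Auth Type": (e.auth_type or "") if e.enable_auth else "",
        "Auth Key ID": (e.key_id if e.key_id is not None else "") if e.enable_auth else "",
    }


def validate_rip_entries(entries: Sequence[RipEntry]) -> List[str]:
    """Review a RIP policy: one configuration per interface, field values inside the
    dialog's ranges, and whether updates on each interface are authenticated at all."""
    findings: List[str] = []
    seen = set()
    for e in entries:
        if e.interface in seen:
            findings.append(f"{e.interface}: two different RIP configurations for the same interface")
        seen.add(e.interface)
        if e.mode not in MODE_DISPLAY:
            findings.append(f"{e.interface}: unknown mode {e.mode!r}")
        if e.version not in (1, 2):
            findings.append(f"{e.interface}: version must be 1 or 2")
        if not e.enable_auth:
            findings.append(f"{e.interface}: RIP version {e.version} updates are not authenticated")
            continue
        if e.version != 2:
            findings.append(f"{e.interface}: authentication requires RIP version 2")
        if e.auth_type == "Text":
            findings.append(f"{e.interface}: clear text authentication; MD5 is recommended")
        elif e.auth_type != "MD5":
            findings.append(f"{e.interface}: authentication type must be MD5 or Text")
        if e.key_id is None or not 1 <= e.key_id <= 255:
            findings.append(f"{e.interface}: Key ID must be between 1 and 255")
        if not e.key or len(e.key) > 16:
            findings.append(f"{e.interface}: Key must be 1 to 16 characters")
    return findings


# Constructed sample entries: one sound entry, one unauthenticated RIP v1 listener,
# and a second entry for "inside" with several field problems.
SAMPLE_ENTRIES = [
    RipEntry("inside", "Send default routes and receive routes", 2, True, "MD5", 1, "s3cr3tkey"),
    RipEntry("outside", "Receive routes", 1),
    RipEntry("inside", "Send default routes", 2, True, "Text", 300, "x" * 17),
]

if __name__ == "__main__":
    for e in SAMPLE_ENTRIES:
        print(to_table_row(e))
    for finding in validate_rip_entries(SAMPLE_ENTRIES):
        print(finding)
```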


Note When creating a shared RIP policy, you must indicate whether you are creating a policy for any FWSM or a PIX/ASA running a pre-7.2 version OS, or whether the policy is for a PIX/ASA version 7.2 or later. When assigning a shared RIP policy, be sure to assign the appropriate RIP policy for the device. For example, you cannot assign a PIX/ASA 7.2+ RIP policy to an FWSM.

Related Topics

• RIP Page for PIX/ASA 6.3–7.1 and FWSM, page K-176

• Static Route Page, page K-184

• OSPF Page, page K-153

• No Proxy ARP Page, page K-152

RIP - Setup Tab

Use the Setup tab to define and enable a RIP policy in the Security Manager and to configure global RIP protocol parameters.

Navigation Path

You can access the Setup tab from the RIP page. For more information about the RIP page, see RIP Page for PIX/ASA 7.2 and Later, page K-178.

Related Topics

• RIP - Redistribution Tab, page K-180

• RIP - Filtering Tab, page K-182

• RIP - Interface Tab, page K-183

• Routing Policies, page K-152

Field Reference

Table K-160 Setup Tab

Element | Description
Networks | Defines a network for the RIP routing process. The network number specified must not contain any subnet information. There is no limit to the number of networks you can add to the security appliance configuration. RIP routing updates will be sent and received only through interfaces on the specified networks. Also, if the network of an interface is not specified, the interface will not be advertised in any RIP updates.
Passive Interface | Sets the selected interface to listen for RIP routing broadcasts and to use that information to populate its routing table but not to send RIP routing updates. You can select one of three options:
• All Interfaces—This sets the next field to Excluded Interfaces and sets as passive all interfaces except those explicitly excluded.
• None—When selected, specifies no passive interfaces.
• Specified Interfaces—This sets the next field to Interfaces and requires that interfaces be explicitly specified.


Table K-160 Setup Tab (Continued)

Element | Description
Interfaces/Excluded Interfaces | Specifies the interfaces to be passive or not to be passive for the RIP configuration. You cannot specify two different RIP configurations for the same interface. If you have selected All Interfaces in the Passive Interface list, this field is renamed Excluded Interfaces and should contain those interfaces that you want excluded. If you have selected Specified Interfaces in the Passive Interface list, this field should contain the interfaces to be made passive.
RIP Version | Enables you to select from the following:
• Receive Version 1 and 2, Send Version 1
• Send and Receive Version 1
• Send and Receive Version 2
Generate Default Route | When selected, generates a default route into RIP to distribute.
Route Map | Displays the selected route map for generating default routes.
Note This field contains only the route map name. The contents of a route map are created and contained within a FlexConfig.
Enable Auto-Summary | When using RIP Version 2, enables automatic route summarization when selected.
Note RIP Version 1 always uses automatic summarization. You cannot disable automatic summarization for RIP Version 1. If you are using RIP Version 2, you can turn off automatic summarization by deselecting this option. Disable automatic summarization if you must perform routing between disconnected subnets. When automatic summarization is disabled, subnets are advertised.

RIP - Redistribution Tab

Use the Redistribution tab to view, add, or edit redistribution routes. These are the routes that are being redistributed from other routing processes into the RIP routing process. For details on specific fields, see Add/Edit Redistribution Dialog Box, page K-181.

Navigation Path

You can access the Redistribution tab from the RIP page. For more information about the RIP page, see RIP Page for PIX/ASA 7.2 and Later, page K-178.

Related Topics

• Add/Edit Redistribution Dialog Box, page K-181

• RIP - Setup Tab, page K-179

• RIP - Filtering Tab, page K-182

• RIP - Interface Tab, page K-183

• Routing Policies, page K-152
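The Setup tab (Table K-160) ties which interfaces exchange RIP updates to the Networks list and the Passive Interface choice. The following Python is an added example, not code from this guide or from Security Manager, that resolves the passive set for each of the three choices, checks that each network number carries no subnet information (classful networks are assumed, which that rule implies), and reports per interface whether it sends and receives, only receives, or takes no part in RIP because no network covers its address. It also flags the combination the note above rules out, RIP Version 1 with automatic summarization disabled. The RipSetup class and the sample interface addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set

PASSIVE_MODES = ("All Interfaces", "None", "Specified Interfaces")
RIP_VERSIONS = ("Receive Version 1 and 2, Send Version 1",
                "Send and Receive Version 1",
                "Send and Receive Version 2")


@dataclass
class RipSetup:
    """Setup tab of the RIP policy for PIX/ASA 7.2 and later (constructed model of Table K-160)."""
    networks: List[str]                                  # network numbers, no subnet information
    passive_mode: str = "None"                           # Passive Interface choice
    interfaces: List[str] = field(default_factory=list)  # Interfaces or Excluded Interfaces list
    version: str = RIP_VERSIONS[0]
    auto_summary: bool = True


def classful_network(addr: str) -> ipaddress.IPv4Network:
    """Classful network of an IPv4 address (assumption: RIP network statements are
    classful, which the 'no subnet information' rule implies)."""
    a = ipaddress.IPv4Address(addr)
    first = int(a) >> 24
    plen = 8 if first < 128 else 16 if first < 192 else 24
    return ipaddress.IPv4Network((a, plen), strict=False)


def validate_setup(s: RipSetup) -> List[str]:
    """Field checks from Table K-160 and its notes."""
    errors: List[str] = []
    for n in s.networks:
        net = classful_network(n)
        if ipaddress.IPv4Address(n) != net.network_address:
            errors.append(f"network {n} contains subnet information; use {net.network_address}")
    if s.passive_mode not in PASSIVE_MODES:
        errors.append(f"unknown Passive Interface choice {s.passive_mode!r}")
    if s.passive_mode == "None" and s.interfaces:
        errors.append("interface list is ignored when Passive Interface is None")
    if s.version not in RIP_VERSIONS:
        errors.append(f"unknown RIP Version {s.version!r}")
    if s.version == "Send and Receive Version 1" and not s.auto_summary:
        errors.append("RIP Version 1 always uses automatic summarization; it cannot be disabled")
    if len(set(s.interfaces)) != len(s.interfaces):
        errors.append("an interface may appear only once in the interface list")
    return errors


def passive_interfaces(s: RipSetup, all_interfaces: Iterable[str]) -> Set[str]:
    """Which interfaces only listen: every interface minus the Excluded Interfaces list
    for All Interfaces, exactly the Interfaces list for Specified Interfaces, else none."""
    if s.passive_mode == "All Interfaces":
        return set(all_interfaces) - set(s.interfaces)
    if s.passive_mode == "Specified Interfaces":
        return set(s.interfaces)
    return set()


def interface_behaviour(s: RipSetup, interface_addrs: Dict[str, str]) -> Dict[str, str]:
    """Per interface: 'send+receive', 'receive-only' (passive) or 'not in RIP' when no
    network statement covers its address, so no updates are sent or received on it."""
    nets = [classful_network(n) for n in s.networks]
    passive = passive_interfaces(s, interface_addrs)
    out: Dict[str, str] = {}
    for name, ip in interface_addrs.items():
        a = ipaddress.IPv4Address(ip)
        if not any(a in n for n in nets):
            out[name] = "not in RIP"
        elif name in passive:
            out[name] = "receive-only"
        else:
            out[name] = "send+receive"
    return out


# Constructed sample: everything passive except "inside"; mgmt lies outside both networks.
SAMPLE_SETUP = RipSetup(networks=["10.0.0.0", "192.168.1.0"],
                        passive_mode="All Interfaces", interfaces=["inside"])
SAMPLE_ADDRS = {"inside": "10.1.1.1", "dmz": "10.2.2.1",
                "outside": "192.168.1.1", "mgmt": "172.16.0.1"}

if __name__ == "__main__":
    print(validate_setup(SAMPLE_SETUP))
    print(interface_behaviour(SAMPLE_SETUP, SAMPLE_ADDRS))
```

The "not in RIP" outcome is the one to watch for when an interface unexpectedly stops learning routes: a Networks entry written with subnet bits, such as 10.1.0.0, is rejected by the validator rather than silently covering a different range.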


Add/Edit Redistribution Dialog Box

Use the Add/Edit Redistribution dialog box to add or edit redistribution routes on the RIP - Redistribution Tab, page K-180. These are the routes that are being redistributed from other routing processes into the RIP routing process.

Navigation Path

You can access the Add/Edit Redistribution dialog box from the Redistribution tab on the RIP Page for PIX/ASA 7.2 and Later, page K-178.

Related Topics

• RIP - Redistribution Tab, page K-180

Field Reference

Note The fields you employ in the Add/Edit Redistribution Mapping Dialog Box vary according to the protocol you choose.

Table K-161 Add/Edit Redistribution Mapping Dialog Box

Element Description

Protocol to Redistribute Enables you to choose the routing protocol to redistribute into the RIP routing process. Choices include:

• Static—Static routes.

• Connected—Directly connected networks.

• OSPF—Routes discovered by the OSPF routing process.

Note If you choose OSPF, you must also enter the OSPF Process ID and, optionally, the Match Criteria.

Process ID Specifies the process when the OSPF protocol is selected.

Match If you are redistributing OSPF routes into the RIP routing process, you can select the specific types of OSPF routes to redistribute. Match criteria are optional. The default is match: Internal, external 1, external 2.

Metric The RIP metric type being applied to the redistributed routes. The two choices are:

• Transparent—Choose this option to cause the current route metric to be used.

• Specified Value—Choose this to assign a specific metric value.

Metric Value The specific value that, when reached, applies the RIP metric.

Route Map Specifies the name of a route map that must be satisfied before the route can be redistributed into the RIP routing process.

Note This field contains only the route Map name. The contents of a route map are created and contained within a FlexConfig. For more information see Understanding FlexConfig Policies and Policy Objects, page 18-1.


RIP - Filtering Tab

Use the Filtering tab to view, add, or edit filters for RIP policy. For details on specific fields, see Add/Edit Filter Dialog Box, page K-182.

Navigation Path

You can access the Filtering tab from the RIP page. For more information about the RIP page, see RIP Page for PIX/ASA 7.2 and Later, page K-178.

Related Topics

• Add/Edit Filter Dialog Box, page K-182

• RIP - Setup Tab, page K-179

• RIP - Redistribution Tab, page K-180

• RIP - Interface Tab, page K-183

• Routing Policies, page K-152

Add/Edit Filter Dialog Box

Use the Add/Edit Filter dialog box to add or edit a RIP filter on the RIP - Filtering Tab, page K-182.

Navigation Path

You can access the Add/Edit Filter dialog box from the Filtering tab on the RIP Page for PIX/ASA 7.2 and Later, page K-178.

Related Topics

• RIP - Filtering Tab, page K-182

Field Reference

Table K-162 Add/Edit Filter Dialog Box

Element Description

Traffic Direction Select either Inbound or Outbound traffic to be filtered.

Note If Traffic Direction is Inbound, only an Interface filter is allowed.

Route Specify the filter’s route type. Choices include:

• Interface—filters the routing updates sent on the specified interface.

• Static—filters only static routes.

• Connected—filters only connected routes.

• OSPF—filters only OSPF routes discovered by the specified OSPF process.

Interface Specify the interface on which routing updates should be filtered.

Filter ACLs Specify the ACLs that define the networks you want the RIP process to advertise or not.


RIP - Interface Tab

Use the Interface tab to view, add, or edit interface-specific RIP settings, such as the version of RIP the interface sends and receives and the authentication method, if any, used for the RIP broadcasts. For details on specific fields, see Add/Edit Interface Dialog Box, page K-183.

Navigation Path

You can access the Interface tab from the RIP page. For more information about the RIP page, see RIP Page for PIX/ASA 7.2 and Later, page K-178.

Related Topics

• Add/Edit Interface Dialog Box, page K-183

• RIP - Setup Tab, page K-179

• RIP - Redistribution Tab, page K-180

• RIP - Filtering Tab, page K-182

• Routing Policies, page K-152

Add/Edit Interface Dialog Box

Use the Add/Edit Interface dialog box to add or edit an interface configuration for RIP on the RIP - Interface Tab, page K-183.

Navigation Path

You can access the Add/Edit Interface dialog box from the Interface tab on the RIP Page for PIX/ASA 7.2 and Later, page K-178.

Related Topics

• RIP - Interface Tab, page K-183

Field Reference

Table K-163 Add/Edit Interface Dialog Box

Element Description

Interface Enter or Select an interface defined on this appliance.

Send (Version) Select to specify sending with Version 1, Version 2, or both.

Receive (Version) Select to specify receiving with Version 1, Version 2, or both.

Authentication type Specify the authentication type to be used for this interface. Choices include:

• None—No authentication type.

• MD5—Employ MD5 authentication.

• Clear Text—Employ clear text authentication.

Key ID Enter the identification name for the authentication key.

Key Enter the authentication key.

Confirm Enter the authentication key again, to confirm.


Static Route Page

Use the Static Route page to create static routes that will access networks connected to a router on any interface.

Navigation Path

• (Device view) Select Platform > Routing > Static Route from the Device Policy selector.

• (Policy view) Select PIX/ASA/FWSM Platform > Routing > Static Route from the Policy Type selector. Right-click Static Route to create a policy, or select an existing policy from the Shared Policy selector.

Related Topics

• RIP Page, page K-175

• OSPF Page, page K-153

• No Proxy ARP Page, page K-152

• Monitoring Service Level Agreements (SLAs) To Maintain Connectivity, page 8-77

Field Reference

Table K-164 Static Route Page

Element Description

Interface Lists the interface name to which the static route applies.

Network Lists the internal or external network. Use 0.0.0.0 to specify a default route. The 0.0.0.0 IP address can be abbreviated as 0.

Gateway Lists the IP address of the gateway router, which is the next hop address for this device.

Metric Lists the number of hops to the gateway IP. The default is 1 if a metric is not specified.

Identifies the priority for using a specific route. When routing network packets, a security appliance uses the rule with the most specific network within the rule’s definition. Only in cases where two routing rules have the same network is the metric used to break the tie. In a tie, the lowest metric value wins. If no routing rule exists, the network packet is dropped, and if the gateway is not detected (dead), the network packet is dropped.

A metric is a measurement of the expense of a route based on the number of hops (hop count) to the network on which a specific host resides. Hop count is the number of networks that a network packet must traverse, including the destination network, before it reaches its final destination. Because the hop count includes the destination network, all directly connected networks have a metric of 1.

For the metric value, you can specify a number between 1 and 255. The maximum number of equal cost (metric) routes that can be defined per interface is three. You cannot add a route with the same metric on different interfaces that are on the same network.
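The route-selection and validation rules described for the Metric field (most specific network first, metric only as a tie-breaker between rules for the same network, three equal-cost routes per interface, packets dropped when no rule matches or the gateway is dead) as a runnable model; the same rules apply to the Metric field of the Add/Edit Static Route dialog box. This is an added example, not Cisco Security Manager or appliance code: the interface names, networks and gateway addresses are constructed from documentation ranges, and the handling of SLA-tracked routes (withdrawn while the tracked gateway is down) is assumed from the Tracked field description.

```python
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Set


class StaticRoute:
    """One row of the Static Route table: interface, network, gateway, metric, tracked."""

    def __init__(self, interface: str, network: str, gateway: str,
                 metric: int = 1, tracked: bool = False) -> None:
        self.interface = interface
        self.network: IPv4Network = ip_network(network)   # "0.0.0.0/0" is the default route
        self.gateway: IPv4Address = ip_address(gateway)   # next-hop address
        self.metric = metric                              # hop count, default 1
        self.tracked = tracked                            # an SLA monitor object tracks the gateway


class StaticRouteTable:
    MAX_EQUAL_COST_PER_INTERFACE = 3

    def __init__(self) -> None:
        self.routes: List[StaticRoute] = []
        self.dead_gateways: Set[IPv4Address] = set()      # gateways that cannot be reached

    def add(self, interface: str, network: str, gateway: str,
            metric: int = 1, tracked: bool = False) -> StaticRoute:
        route = StaticRoute(interface, network, gateway, metric, tracked)
        if not 1 <= route.metric <= 255:
            raise ValueError("metric must be between 1 and 255")
        same_net = [r for r in self.routes if r.network == route.network]
        # Rejected: the same metric for one network on two different interfaces.
        if any(r.metric == route.metric and r.interface != route.interface for r in same_net):
            raise ValueError("same metric on different interfaces for the same network")
        # Rejected: a fourth equal-cost route for the same network on one interface.
        equal_cost = [r for r in same_net
                      if r.metric == route.metric and r.interface == route.interface]
        if len(equal_cost) >= self.MAX_EQUAL_COST_PER_INTERFACE:
            raise ValueError("at most three equal-cost routes per interface")
        self.routes.append(route)
        return route

    def mark_gateway_dead(self, gateway: str) -> None:
        self.dead_gateways.add(ip_address(gateway))

    def lookup(self, destination: str) -> Optional[StaticRoute]:
        """Return the route the appliance would use, or None when the packet is dropped."""
        dst = ip_address(destination)
        # Assumption: a tracked route whose gateway is down is withdrawn from the table.
        candidates = [r for r in self.routes if dst in r.network
                      and not (r.tracked and r.gateway in self.dead_gateways)]
        if not candidates:
            return None                                   # no routing rule: dropped
        # The most specific network wins regardless of metric ...
        longest = max(r.network.prefixlen for r in candidates)
        best = [r for r in candidates if r.network.prefixlen == longest]
        # ... and the metric only breaks a tie between rules for the same network.
        chosen = min(best, key=lambda r: r.metric)
        if chosen.gateway in self.dead_gateways:
            return None                                   # untracked dead gateway: dropped
        return chosen


def rejects(table: StaticRouteTable, **route) -> bool:
    """True when the table refuses the route (shows the documented limits)."""
    try:
        table.add(**route)
    except ValueError:
        return True
    return False


def demo_table(tracked: bool = False) -> StaticRouteTable:
    """Constructed sample table; addresses are documentation ranges, not real devices."""
    t = StaticRouteTable()
    t.add("outside", "0.0.0.0/0", "203.0.113.1")                      # default route
    t.add("inside", "10.0.0.0/8", "10.1.1.254", metric=1, tracked=tracked)
    t.add("inside", "10.0.0.0/8", "10.1.1.253", metric=5)              # backup, higher metric
    t.add("inside", "10.2.0.0/16", "10.1.1.252", metric=200)           # more specific, costly
    return t


if __name__ == "__main__":
    t = demo_table()
    for dst in ("10.2.3.4", "10.9.9.9", "198.51.100.7"):
        r = t.lookup(dst)
        print(dst, "->", r.gateway if r else "dropped")
```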

Table K-164 Static Route Page (Continued)

Element Description

Tunneled Lists whether the route is tunneled or not. Used only for default route. You can only configure one tunneled route per device. Tunneled option is not supported under transparent mode.

Tracked The name of the SLA (service level agreement) monitor object that defines how connectivity for this route is monitored.

Add/Edit Static Route Dialog Box

The Add/Edit Static Route dialog box lets you add or edit a static route.

Navigation Path

You can access the Add/Edit Static Route dialog box from the Static Route page. For more information about the Static Route page, see Static Route Page, page K-184.

Related Topics

• Static Route Page, page K-184

• Routing Policies, page K-152

Field Reference

Table K-165 Add/Edit Static Route Dialog Box

Element Description

Interface Specifies the interface name to which the static route applies.

Network Specifies the internal or external network IP address. Use 0.0.0.0 to specify a default route. The 0.0.0.0 IP address can be abbreviated as 0.

Gateway Specifies the IP address of the gateway router, which is the next hop address for this router.

Table K-165 Add/Edit Static Route Dialog Box (Continued)

Element Description

Metric Specifies the number of hops to the gateway IP. Valid values range from 1 to 255. The default is 1 if a metric is not specified.

A metric is a measurement of the expense of a route based on the number of hops (hop count) to the network on which a specific host resides. Hop count refers to the number of networks that a network packet must traverse, including the destination network, before it reaches its final destination. Because the hop count includes the destination network, all directly connected networks have a metric of 1.

For the metric value, you can specify a number between 1 and 255. The maximum number of equal cost (metric) routes that can be defined per interface is three. You cannot add a route with the same metric on different interfaces that are on the same network.

When routing network packets, a security appliance uses the rule with the most specific network within the rule’s definition. Only in cases where two routing rules have the same network is the metric used to break the tie. In a tie, the lowest metric value wins. If no routing rule exists, the network packet is dropped, and if the gateway is not detected (dead), the network packet is dropped.

Tunneled option Used only for default route. Only one default tunneled gateway is allowed per security appliance. Tunneled option is not supported under transparent mode.

Route Tracking The name of an SLA (service level agreement) monitor object that defines how you want to monitor connectivity for this route. Enter the name of an object or click Select to select it from a list or to create a new object.

For more information on performing route tracking, see Monitoring Service Level Agreements (SLAs) To Maintain Connectivity, page 8-77.

Security Policies

The Security section consists of the following pages:

• General Page, page K-186

• Timeouts Page, page K-188

General Page

Use the General page to configure security settings that help protect against malformed packets, spoofed packets, fragmented packets, and denial of service attacks.

Navigation Path

• (Device view) Select Platform > Security > General from the Device Policy selector.

• (Policy view) Select PIX/ASA/FWSM Platform > Security > General from the Policy Type selector. Right-click General to create a policy, or select an existing policy from the Shared Policy selector.

Related Topics

• Configuring Security Policies on Firewall Devices, page 14-76

• Add/Edit General Security Configuration Dialog Box, page K-187

• Timeouts Page, page K-188

Field Reference

Table K-166 General Page

Element Description

Disable Floodguard (PIX 6.3 and FWSM 2.x only)

Select to disable Floodguard on the firewall device.

Default Fragment Settings

Enable Default Settings Select to configure default fragment settings for the firewall device. When selected, the Size, Chain, and Timeout fields become active.

Size Sets the maximum number of packets that can be in the IP reassembly database waiting for reassembly. The default is 200.

Chain Specifies the maximum number of packets into which a full IP packet can be fragmented. The default is 24 packets.

Timeout Specifies the maximum number of seconds to wait for an entire fragmented packet to arrive. The timer starts after the first fragment of a packet arrives. If all fragments of the packet do not arrive by the number of seconds specified, all fragments of the packet that were already received will be discarded. The default is 5 seconds.

Interface Configuration Table

Interface Lists the interface names to which the configuration applies.

Anti-Spoofing Shows whether an interface has Unicast RPF enabled, true or false.

Size Identifies the maximum number of packets that can be in the IP reassembly database waiting for reassembly for the specified interface. The default is 200.

Chain Identifies the maximum number of packets into which a full IP packet can be fragmented for the specified interface. The default is 24 packets.

Timeout Identifies the maximum number of seconds to wait for an entire fragmented packet to arrive on the specified interface. The timer starts after the first fragment of a packet arrives. If all fragments of the packet do not arrive by the number of seconds specified, all fragments of the packet that were already received will be discarded. The default is five seconds.

Add/Edit General Security Configuration Dialog Box

Use the Add/Edit General Security Configuration dialog box to enable or disable anti-spoofing on an interface and to configure fragment settings for an interface.

Navigation Path

You can access the Add/Edit General Security Configuration dialog box from the General page. For more information about the General page, see General Page, page K-186.
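The Size, Chain and Timeout limits described for the General page, and with the same meaning for the Add/Edit General Security Configuration dialog box, as a small reassembly-database model that shows what each limit drops: a fragment that does not fit in the database, a whole chain that grows past the Chain value, and every fragment already received when the Timeout elapses. This is an added example, not Cisco code; the Fragment fields, interface names and addresses are constructed, and keying a datagram on (source, destination, IP identification) is an assumption.

```python
from typing import Dict, List, Tuple


class FragmentSettings:
    """Size / Chain / Timeout limits, with the defaults from Tables K-166 and K-167."""

    def __init__(self, size: int = 200, chain: int = 24, timeout: float = 5.0) -> None:
        self.size = size          # max fragments waiting in the reassembly database
        self.chain = chain        # max fragments one full IP packet may be split into
        self.timeout = timeout    # seconds, counted from the first fragment of a packet


class Fragment:
    def __init__(self, interface: str, packet_id: Tuple[str, str, int],
                 offset: int, length: int, more_fragments: bool) -> None:
        self.interface = interface
        self.packet_id = packet_id            # assumed key: (src, dst, IP identification)
        self.offset = offset                  # byte offset of this piece in the full packet
        self.length = length
        self.more_fragments = more_fragments  # False only on the last piece


class ReassemblyDatabase:
    def __init__(self, defaults: FragmentSettings = None,
                 overrides: Dict[str, FragmentSettings] = None) -> None:
        self.defaults = defaults or FragmentSettings()
        self.overrides = overrides or {}      # per-interface overrides of the defaults
        # interface -> packet_id -> (time of first fragment, fragments received so far)
        self.pending: Dict[str, Dict[tuple, Tuple[float, List[Fragment]]]] = {}
        self.stats = {"reassembled": 0, "dropped_size": 0,
                      "dropped_chain": 0, "dropped_timeout": 0}

    def settings_for(self, interface: str) -> FragmentSettings:
        return self.overrides.get(interface, self.defaults)

    def _queued(self, interface: str) -> int:
        return sum(len(frags) for _, frags in self.pending.get(interface, {}).values())

    def expire(self, interface: str, now: float) -> None:
        """Discard every fragment already received for packets whose Timeout has elapsed."""
        s = self.settings_for(interface)
        table = self.pending.get(interface, {})
        for pid in [p for p, (t0, _) in table.items() if now - t0 > s.timeout]:
            self.stats["dropped_timeout"] += len(table[pid][1])
            del table[pid]

    @staticmethod
    def _complete(frags: List[Fragment]) -> bool:
        ordered = sorted(frags, key=lambda f: f.offset)
        expected = 0
        for f in ordered:
            if f.offset != expected:
                return False                  # hole: a piece is still missing
            expected += f.length
        return not ordered[-1].more_fragments

    def receive(self, frag: Fragment, now: float) -> str:
        self.expire(frag.interface, now)
        s = self.settings_for(frag.interface)
        table = self.pending.setdefault(frag.interface, {})
        if self._queued(frag.interface) >= s.size:
            self.stats["dropped_size"] += 1
            return "dropped:size"             # database full for this interface
        t0, frags = table.get(frag.packet_id, (now, []))
        if len(frags) + 1 > s.chain:
            self.stats["dropped_chain"] += len(frags) + 1
            table.pop(frag.packet_id, None)   # the whole chain is discarded
            return "dropped:chain"
        frags.append(frag)
        table[frag.packet_id] = (t0, frags)
        if self._complete(frags):
            del table[frag.packet_id]
            self.stats["reassembled"] += 1
            return "reassembled"
        return "queued"


def split(interface: str, packet_id: Tuple[str, str, int], total_len: int, piece: int) -> List[Fragment]:
    """Constructed helper: cut a datagram of total_len bytes into fragments of piece bytes."""
    frags = []
    for off in range(0, total_len, piece):
        length = min(piece, total_len - off)
        frags.append(Fragment(interface, packet_id, off, length, off + length < total_len))
    return frags


def run_demo():
    """Constructed traffic (documentation addresses) exercising all three limits."""
    db = ReassemblyDatabase(overrides={"dmz": FragmentSettings(chain=3, timeout=2.0),
                                       "mgmt": FragmentSettings(size=2)})
    results = []
    for i, f in enumerate(split("outside", ("198.51.100.7", "10.0.0.5", 1), 3000, 1000)):
        results.append(db.receive(f, 0.1 * i))              # device defaults: reassembled
    for i, f in enumerate(split("dmz", ("198.51.100.7", "10.0.0.6", 2), 4000, 1000)):
        results.append(db.receive(f, 1.0 + 0.1 * i))        # 4 pieces, chain limit 3
    first, last = split("outside", ("198.51.100.8", "10.0.0.5", 3), 2000, 1000)
    results.append(db.receive(first, 10.0))
    results.append(db.receive(last, 16.0))                  # after Timeout: first piece gone
    for ident in (4, 5, 6):                                 # three datagrams, size limit 2
        results.append(db.receive(split("mgmt", ("203.0.113.2", "10.0.0.7", ident), 2000, 1000)[0], 20.0))
    return results, db.stats
```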

Related Topics

• Security Policies, page K-186

• General Page, page K-186

Field Reference

Table K-167 Add/Edit General Security Configuration Dialog Box

Element Description

Interface Enter the name of the interface for which you want to configure anti-spoofing or fragment settings.

Enable Anti-Spoofing Select to enable anti-spoofing on the specified interface.

Override Default Fragment Settings

Select to configure fragment settings for the specified interface. When selected, the Size, Chain, and Timeout fields become active.

Size (block) Enter the maximum number of packets that can be in the IP reassembly database waiting for reassembly for the specified interface. The default is 200.

Chain (packet) Enter the maximum number of packets into which a full IP packet can be fragmented for the specified interface. The default is 24 packets.

Timeout (Sec) Enter the maximum number of seconds to wait for an entire fragmented packet to arrive on the specified interface. The timer starts after the first fragment of a packet arrives. If all fragments of the packet do not arrive by the number of seconds specified, all fragments of the packet that were already received will be discarded. The default is 5 seconds.

Timeouts Page

The Timeouts page lets you set the timeout durations for use with the security appliance. All durations are displayed in the format hh:mm:ss. It sets the idle time for the connection and translation slots of various protocols. If the slot has not been used for the idle time specified, the resource is returned to the free pool. TCP connection slots are freed approximately 60 seconds after a normal connection close sequence.

Note It is recommended that you do not change these values unless advised to do so by Customer Support.

Navigation Path

• (Device view) Select Platform > Security > Timeouts from the Device Policy selector.

• (Policy view) Select PIX/ASA/FWSM Platform > Security > Timeouts from the Policy Type selector. Right-click Timeouts to create a policy, or select an existing policy from the Shared Policy selector.

Related Topics

• General Page, page K-186


Field Reference

Table K-168 Timeouts Page

Element Description

Note In all cases, except for Auth. (uauth) Absolute and Auth.(uauth) Inactivity, selecting disable means there is no timeout value. For those two cases, disable means re-authenticate on every new connection.

Translation Slot (xlate) Modifies the idle time until a translation slot is freed. This duration must be at least 1 minute. The default is 3 hours. Enter 0:0:0 to disable timeout.

Connection (conn) Modifies the idle time until a connection slot is freed. Enter 0:0:0 to disable timeout for the connection. This duration must be at least 5 minutes. The default is 1 hour.

Half-Closed Modifies the idle time until a TCP half-closed connection closes. The minimum is 5 minutes. The default is 10 minutes. Enter 0:0:0 to disable timeout for a half-closed connection.

UDP Modifies the idle time until a UDP protocol connection closes. This duration must be at least 1 minute. The default is 2 minutes. Enter 0:0:0 to disable timeout.

ICMP (PIX 7.0/FWSM) Modifies the idle time after which general ICMP states are closed.

RPC/Sun RPC Modifies the idle time until a SunRPC slot is freed. This duration must be at least 1 minute. The default is 10 minutes. Enter 0:0:0 to disable timeout.

H.225 Modifies the idle time until an H.225 signaling connection closes. The H.225 default timeout is 1 hour (01:00:00). Setting the value of 00:00:00 means never close this connection. To close this connection immediately after all calls are cleared, enter 1 second (00:00:01).

H.323 Modifies the idle time until an H.323 media connection closes. The default is 5 minutes. Enter 0:0:0 to disable timeout.

MGCP Modifies the timeout value for MGCP which represents the idle time after which MGCP media ports are closed. The MGCP default timeout is 5 minutes (00:05:00). Enter 0:0:0 to disable timeout.

MGCP PAT (PIX 7.0) Modifies the idle time after which an MGCP PAT translation is removed. The default is 5 minutes (00:05:00). The minimum time is 30 seconds. Deselect the check box to return to the default value.

SIP Modifies the idle time until a SIP signaling port connection closes. This duration must be at least 5 minutes. The default is 30 minutes.

SIP Media Modifies the idle time until a SIP media port connection closes. This duration must be at least 1 minute. The default is 2 minutes.

Table K-168 Timeouts Page (Continued)

Element Description

Auth. (uauth) Absolute Modifies the duration until the authentication cache times out and you have to re-authenticate a new connection. This duration must be shorter than the Translation Slot value. The system waits until you start a new connection to prompt you again. Enter 0:0:0 to disable caching and re-authenticate on every new connection.

Note Do not set this value to 0:0:0 if passive FTP is used on the connections.

Auth. (uauth) Inactivity Modifies the idle time until the authentication cache times out and users have to re-authenticate a new connection. This duration must be shorter than the Translation Slot value.

Service Policy Rules

Service policy rules define how specific types of application inspection are applied to different types of traffic received by the security appliance. You apply a specific rule to an interface or globally to every interface.

The Service Policy Rules section consists of the following topics:

• Priority Queues Page, page K-190

• IPS, QoS, and Connection Rules Page, page K-192

Priority Queues Page

Priority queues allow you to define how traffic is prioritized in the network. You can define a series of filters based on packet characteristics to cause traffic to be placed in a higher or lower priority queue. The queue with the highest priority is serviced first until it is empty, then the lower queues are serviced in sequence.

Navigation Path

• (Device view) Select Platform > Service Policy Rules > Priority Queues from the Device Policy selector.

• (Policy view) Select PIX/ASA/FWSM Platform > Service Policy Rules > Priority Queues from the Policy Type selector. Right-click Priority Queues to create a policy, or select an existing policy from the Shared Policy selector.

Related Topics

• Priority Queue Configuration Dialog Box, page K-191

• Service Policy Rules, page K-190

• Insert/Edit Service Policy (MPC) Rule Wizard, page K-193

• Understanding Queuing Parameters, page 13-102

Field Reference

Table K-169 Priority Queues Page

Element Description

Priority Queues Table

Interface Identifies the interface to which the rule applies.

Queue Limit Specifies a maximum number of packets that can be queued up in a priority queue before it drops data. This limit must be in the range of 0 through 2048 packets.

Transmission Ring Limit Specifies the maximum number of packets allowed into the transmit queue. This allows for fine-tuning the transmit queue to reduce latency and offer better performance through the transmit driver. This limit must be in the range 3 through 128 packets on the PIX platform. For the ASA platform, this limit must be in the range 3 through 512 packets on ASA versions 7.2 and higher, and must be in the range 3 through 256 packets for all other ASA versions.

Priority Queue Configuration Dialog Box

Use the Priority Queue Configuration dialog box to define priority queues on the Priority Queues page.

Navigation Path

You can access the Priority Queue Configuration dialog box from the Priority Queues page. For more information about the Priority Queues page, see Priority Queues Page, page K-190.

Related Topics

• Service Policy Rules, page K-190

• Priority Queues Page, page K-190

• Insert/Edit Service Policy (MPC) Rule Wizard, page K-193

• Understanding Queuing Parameters, page 13-102

Field Reference

Table K-170 Priority Queue Configuration Dialog Box

Element Description

Interface Name Specify the interface to which this rule applies.

Queue Limit Enter the maximum number of packets that can be queued up in a priority queue before it drops data. This limit must be in the range of 0 through 2048 packets.

Transmission Ring Limit Enter the maximum number of packets allowed into the transmit queue. This allows for fine-tuning the transmit queue to reduce latency and offer better performance through the transmit driver. This limit must be in the range 3 through 128 packets on the PIX platform. For the ASA platform, this limit must be in the range 3 through 512 packets on ASA versions 7.2 and higher, and must be in the range 3 through 256 packets for all other ASA versions.


IPS, QoS, and Connection Rules Page

Use the IPS, QoS, and Connection Rules page to define new service policy rules, and to edit or delete existing service policy rules.

Navigation Path

• (Device view) Select Platform > Service Policy Rules > IPS, QoS, and Connection Rules from the Device Policy selector.

• (Policy view) Select PIX/ASA/FWSM Platform > Service Policy Rules > IPS, QoS, and Connection Rules from the Policy Type selector. Right-click IPS, QoS, and Connection Rules to create a policy, or select an existing policy from the Shared Policy selector.

Related Topics

• Service Policy Rules, page K-190

• Insert/Edit Service Policy (MPC) Rule Wizard, page K-193

Field Reference

Table K-171 IPS, QoS, and Connection Rules Page

Element Description

Service Policy Rule (MPC) Table

Filter Click the arrow to display (or hide) the filtering bar, which enables you to filter the information displayed in the table. For more information, see Filtering Tables, page 2-16.

Traffic Class Identifies the name of the traffic class that identifies the criteria you want to use to match traffic for the security policy rule.

Interfaces Identifies the interface to which the rule applies.

MPC Actions Displays the MPC actions applied by the rule. The types of actions include:

• IPS

• Set connection

• QoS

• CSC

For more information, see Table K-174 on page K-194.

Category Displays the category to which the rule is assigned. Categories provide an intermediate level of detail to objects and help you readily identify rules and objects by use of color-coding.

To define categories, select Tools > Policy Object Manager > Category.

Note No commands are generated for the category attribute.

Comments Displays a description or comment on the rule if such is available.


Insert/Edit Service Policy (MPC) Rule Wizard

Use the Insert/Edit Service Policy (MPC) Rule wizard to define new service policy rules or to edit existing service policy rules. The Insert/Edit Service Policy (MPC) Rule wizard contains the following pages:

• Step 1. Table K-172 on page K-193.

• Step 2. Table K-173 on page K-194.

• Step 3. Table K-174 on page K-194.

Step 1. Configure a Service Policy

Table K-172 Insert/Edit Service Policy (MPC) Rule Wizard—Step 1. Configure a Service Policy.

Element Description

Enable The Current MPC Rule

Enables the service policy rule. You can deselect this option if you want to define the rule now, and not deploy it to the device until later.

Category To assign the rule to a category, select the category from the list. Categories provide an intermediate level of detail to objects and help you readily identify rules and objects by use of color-coding.

To define categories, select Tools > Policy Object Manager > Category.

Note No commands are generated for the category attribute.

Description Enter a description for the service policy rule.

Interface Select the appropriate option to apply the rule to a specific interface or group of interfaces, or to apply the rule globally to all interfaces:

• Global - applies to all interfaces—Applies the rule to all interfaces. This selection is not compatible with matching traffic based on the source or destination IP address using an access list.

• Interfaces—Applies the rule to a specific interface or group of interfaces (or interface roles). This selection is required if you want to match traffic based on the source or destination IP address using an access list.

Select button (Interfaces)

If you are applying the service policy rule to a specific interface, interface role, or group of interfaces, select the Interfaces radio button and then click the Select button to open the Interfaces Selector dialog box from which you can specify the interfaces to which the service policy rule should apply.

Next button Advances to the next page in the wizard.

Cancel button Closes the wizard and discards your changes.


Step 2. Configure the traffic class

Table K-173 Insert/Edit Service Policy (MPC) Rule Wizard—Step 2. Configure the traffic class.

Element Description

Traffic Classification Enables you to specify the criteria you want to use to match traffic for a security policy rule. Select the appropriate option to apply the rule to a specific traffic class or to apply the rule to the class-default traffic class:

• Use class-default as the traffic class—Use the class-default traffic class for this service policy. The class-default traffic class is used when traffic does not match any other traffic class.

• Traffic Class—Applies the rule to a specific traffic class. After you select this option, you must click Select to specify the traffic class.

Select button If you are applying the service policy to a specific traffic class, click the Traffic Class radio button and then click Select to open the Traffic Flows Selector dialog box from which you can specify the traffic class to which the service policy should apply.

The Traffic Flows Selector dialog box also enables you to add or edit a traffic flow. For more information, see Add and Edit Traffic Flow Dialog Boxes, page F-184.

Step 3. Configure the actions

Table K-174 Insert/Edit Service Policy (MPC) Rule Wizard—Step 3. Configure the actions.

Element Description

Intrusion Prevention tab

Enable IPS for this Traffic (ASA 7.0+ & PIX 7.0(0)-7.0(3) only)

Enables or disables intrusion prevention for this traffic flow. When this check box is selected, the other parameters on this panel become active. This is applicable only for ASA 7.0+ and PIX 7.0(0)-7.0(3) traffic flows.

IPS Mode Configures the operating mode for intrusion prevention:

• Inline—Selects Inline Mode, in which a packet is directed to IPS. The packet might be dropped as a result of the IPS operation.

• Promiscuous—Selects Promiscuous Mode, in which IPS operates on a duplicate of the original packet. The original packet cannot be dropped.

On IPS Card Failure Configures the action to take if the IPS card becomes inoperable.

• Open—Permits traffic if the IPS card fails.

• Close—Blocks traffic if the IPS card fails.

Connection Settings tab

Enable Connection Settings For This Traffic

Enables or disables connection settings for this traffic flow. When this check box is selected, the other parameters on this panel become active. From the Connection Settings tab you can configure maximum connections, embryonic connections, timeouts, and TCP parameters.


Maximum Connections You can specify the maximum number of TCP and UDP connections, and the maximum number of embryonic connections for this traffic flow:

• Maximum TCP & UDP Connections—Specifies the maximum number of simultaneous TCP and UDP connections for the entire subnet up to 65,536. The default is 0 for both protocols, which means the maximum possible connections are allowed.

• Maximum TCP & UDP Connections Per Client—For ASA/PIX 7.1 only, specifies the maximum number of simultaneous TCP and UDP connections on a per client basis.

• Maximum Embryonic Connections (ASA/PIX 7.0+ only)—Specifies the maximum number of embryonic connections per host, up to 65,536. An embryonic connection is a connection request that has not finished the necessary handshake between source and destination. Setting this limit enables the TCP Intercept feature. The default is 0, which means the maximum possible embryonic connections are allowed. TCP Intercept protects inside systems from a DoS attack perpetrated by flooding an interface with TCP SYN packets. When the embryonic limit has been surpassed, the TCP Intercept feature intercepts TCP SYN packets from clients to servers on a higher security level. SYN cookies are used during the validation process and help to minimize the amount of valid traffic being dropped. Thus, connection attempts from unreachable hosts never reach the server.

• Maximum Embryonic Connections Per Client (ASA/PIX 7.1+ only)—Specifies the maximum number of embryonic connections on a per client basis.

Connection Timeouts You can specify the following connection timeout settings for this traffic flow:

• Embryonic Connection Timeout—Specifies the idle time until an embryonic connection slot is freed. Enter 0:0:0 to disable timeout for the connection. The default is 20 seconds for FWSM, and 30 seconds for ASA/PIX.

• Half Closed Connection Timeout—Specifies the idle time until a half closed connection slot is freed. Enter 0:0:0 to disable timeout for the connection.

For FWSM, the default value is 20 seconds; the maximum value is 255 seconds (four minutes, 15 seconds).

For ASA/PIX, this duration must be at least 5 minutes; the default is 10 minutes.

• TCP Connection Timeout—Specifies the idle time until a connection slot is freed. Enter 0:0:0 to disable timeout for the connection. This duration must be at least 5 minutes. The default is 1 hour.
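The embryonic-connection limits and embryonic timeout described above, as a constructed Python model added here (not Security Manager or appliance code): it counts half-open connections per server and per client, frees slots once they have been idle for the embryonic timeout, and returns whether a new SYN is forwarded, intercepted on the server's behalf, or dropped. The trace, the addresses and the accounting choice that an intercepted SYN does not count against the server are assumptions for illustration.

```python
from dataclasses import dataclass

@dataclass
class ConnectionLimits:
    """Values from the Connection Settings tab; 0 means unlimited, as on the page."""
    max_embryonic: int = 0             # per destination host; non-zero enables TCP Intercept
    max_embryonic_per_client: int = 0  # per source client
    embryonic_timeout: float = 30.0    # seconds; the ASA/PIX default, 0 disables

class EmbryonicTracker:
    """Constructed model (not appliance code) of how a stateful firewall counts
    half-open connections and whether a new SYN is forwarded, intercepted
    with a SYN cookie on the server's behalf, or dropped."""

    def __init__(self, limits: ConnectionLimits) -> None:
        self.limits = limits
        # key (client, server, client port) -> (created, intercepted)
        self.embryonic = {}
        self.established = 0

    def _expire(self, now: float) -> None:
        """Free embryonic slots idle longer than the embryonic timeout."""
        timeout = self.limits.embryonic_timeout
        if timeout:
            for key in [k for k, (created, _) in self.embryonic.items() if now - created >= timeout]:
                del self.embryonic[key]

    def _client_count(self, client: str) -> int:
        return sum(1 for (c, _, _) in self.embryonic if c == client)

    def _server_count(self, server: str) -> int:
        # Assumption: intercepted SYNs never reached the server, so they do not count against it.
        return sum(1 for (_, s, _), (_, icpt) in self.embryonic.items() if s == server and not icpt)

    def syn(self, now, client, server, port) -> str:
        """Decision for a new SYN from client:port to server."""
        self._expire(now)
        per_client = self.limits.max_embryonic_per_client
        if per_client and self._client_count(client) >= per_client:
            return "drop"                                   # per-client limit reached
        limit = self.limits.max_embryonic
        intercepted = bool(limit) and self._server_count(server) >= limit
        self.embryonic[(client, server, port)] = (now, intercepted)
        return "intercept" if intercepted else "forward"

    def handshake_complete(self, now, client, server, port) -> str:
        """The client's final ACK arrived: the slot moves from embryonic to established."""
        self._expire(now)
        slot = self.embryonic.pop((client, server, port), None)
        if slot is None:
            return "no-slot"   # slot already timed out (or never existed): ACK dropped
        self.established += 1
        return "proxied" if slot[1] else "established"

def run_demo() -> list:
    """Constructed trace: limit of two embryonic per server, three per client."""
    t = EmbryonicTracker(ConnectionLimits(max_embryonic=2, max_embryonic_per_client=3))
    return [
        t.syn(0.0, "10.0.0.5", "192.0.2.10", 40001),                  # forward
        t.syn(1.0, "10.0.0.5", "192.0.2.10", 40002),                  # forward
        t.syn(2.0, "10.0.0.5", "192.0.2.10", 40003),                  # intercept: server at limit
        t.syn(3.0, "10.0.0.5", "192.0.2.10", 40004),                  # drop: client at limit
        t.syn(3.0, "10.0.0.6", "192.0.2.10", 50001),                  # intercept
        t.handshake_complete(10.0, "10.0.0.5", "192.0.2.10", 40003),  # proxied
        t.syn(35.0, "10.0.0.6", "192.0.2.10", 50002),                 # forward: stale slots freed
        t.handshake_complete(36.0, "10.0.0.5", "192.0.2.10", 40001),  # no-slot
    ]
```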


Reset Connection Upon Timeout (ASA/PIX 7.0(4)+ only)

When selected, resets the connection after a timeout occurs. Available for ASA/PIX 7.2+ only.

Detect Dead Connections (ASA/PIX 7.2+ only)

Enables the Dead Connection Detection feature which is only available for ASA/PIX 7.2+ devices. Selecting this check box enables you to configure the following two fields:

• Dead Connection Detection Timeout—Specifies the period of time between retries when a dead connection is detected. The default is 15 seconds.

• Dead Connection Detection Retries—Specifies the number of retries to be performed after a dead connection is detected. The default is five.

Traffic Flow Idle Timeout (FWSM 3.2+ only)

Specifies the period of time between a traffic flow becoming idle and the flow's disconnection. Applicable to FWSM 3.2+ only. The default is 1 hour.

Enable TCP Normalization (ASA/PIX 7.0+ only)

Enables TCP normalization, and activates the TCP Map selection capability. Applicable to ASA/PIX 7.0+ only.

TCP map Specifies the TCP map to use in TCP normalization. Click Select to display the TCP Maps Selector from which you can select a TCP map.

Randomize TCP Sequence Number

Enables the Randomize Sequence Number feature. Disable this feature only if another inline security appliance is also randomizing sequence numbers and the result is scrambling the data. Each TCP connection has two Initial Sequence Numbers: one generated by the client and one generated by the server. The security appliance randomizes the ISN that is generated by the host/server on the higher security interface. At least one ISN must be randomly generated so that attackers cannot predict the next ISN and potentially hijack the session.

Enable TCP State Bypass (FWSM 3.2+ only)

Enables the skipping of checks of the TCP state machine, for this traffic flow. This is useful for allowing certain traffic to flow through in asymmetric routing scenarios when two FWSMs are in different locations that are not Layer 2-adjacent. Applicable to FWSM 3.2+ only. Refer to your FWSM documentation for more information on configuring state bypass traffic.

Enable Decrement TTL (PIX/ASA 7.2.2+ only)

Select this option to turn on decrementing of the time-to-live (TTL) value in packets passed by the security appliance.

Enable Trusted Flow Acceleration (FWSM 4.0(1)+ only)

Select this option to enable Trusted Flow Acceleration for this context. See About Trusted Flow Acceleration, page 14-80 for more information.

QoS tab

Enable QoS for this traffic flow

Enables QoS for this traffic flow. When this option is selected, the Enable Priority For This Flow and the Traffic Policing options become active.

Note The options on this tab are available for PIX/ASA 7.0+ devices only.


Enable priority for this flow Enables strict scheduling priority for this flow. Priority (LLQ) does not work unless the priority queues are set.

Traffic Policing Enables output and input traffic policing.

Output (Traffic Policing) Enables policing of traffic flowing in the output direction. If you enable policing, you can specify the following values:

• Committed Rate—The rate limit for this traffic flow; this is a value in the range 8,000-2,000,000,000, specifying the maximum speed (bits per second) allowed.

• Burst Rate—A value in the range 1,000-512,000,000 that specifies the maximum number of instantaneous bytes allowed in a sustained burst before throttling to the conforming rate value.

• Conform Action—The action to take when the rate is less than the conform-burst value. Values are transmit or drop.

• Exceed Action—Take this action when the rate is between the conform-rate value and the conform-burst value. Values are transmit or drop.

Input (Traffic Policing; ASA/PIX 7.2+ only)

Enables policing of traffic flowing in the input direction. If you enable policing, you can specify the following values:

• Committed Rate—The rate limit for this traffic flow; this is a value in the range 8,000-2,000,000,000, specifying the maximum speed (bits per second) allowed.

• Burst Rate—A value in the range 1,000-512,000,000 that specifies the maximum number of instantaneous bytes allowed in a sustained burst before throttling to the conforming rate value.

• Conform Action—The action to take when the rate is less than the conform-burst value. Values are transmit or drop.

• Exceed Action—Take this action when the rate is between the conform-rate value and the conform-burst value. Values are transmit or drop.
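The Committed Rate, Burst Rate and conform/exceed actions above, modelled as a single-rate token-bucket policer in Python (an added example, not the appliance's own algorithm, whose internal bucket handling may differ): the bucket holds at most the burst size in bytes, refills at the committed rate, and each packet either fits (conform action) or does not (exceed action). The packet trace is constructed.

```python
RATE_RANGE = (8_000, 2_000_000_000)  # Committed Rate, bits per second (page range)
BURST_RANGE = (1_000, 512_000_000)   # Burst Rate, bytes (page range)
ACTIONS = ("transmit", "drop")


class Policer:
    """Constructed single-rate token-bucket policer (not the appliance's own code):
    the bucket holds at most `burst` bytes and refills at the committed rate; a
    packet that fits gets the conform action, any other packet the exceed action."""

    def __init__(self, rate_bps, burst_bytes, conform_action="transmit", exceed_action="drop"):
        if not RATE_RANGE[0] <= rate_bps <= RATE_RANGE[1]:
            raise ValueError(f"committed rate {rate_bps} outside {RATE_RANGE}")
        if not BURST_RANGE[0] <= burst_bytes <= BURST_RANGE[1]:
            raise ValueError(f"burst {burst_bytes} outside {BURST_RANGE}")
        if conform_action not in ACTIONS or exceed_action not in ACTIONS:
            raise ValueError(f"actions must be one of {ACTIONS}")
        self.rate_bytes_per_s = rate_bps / 8
        self.burst = burst_bytes
        self.conform_action = conform_action
        self.exceed_action = exceed_action
        self.tokens = float(burst_bytes)  # bucket starts full
        self.last = 0.0

    def police(self, now, length):
        """Action for a packet of `length` bytes arriving at time `now` (seconds)."""
        # Credit the bytes earned since the previous packet, capped at the burst size.
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate_bytes_per_s)
        self.last = max(self.last, now)
        if self.tokens >= length:
            self.tokens -= length
            return self.conform_action
        return self.exceed_action


def police_trace(policer, trace):
    """Run (time, length) packets through the policer; return per-packet actions and counts."""
    actions = [policer.police(t, n) for t, n in trace]
    return actions, {a: actions.count(a) for a in ACTIONS}


# Constructed trace: 1000-byte and 500-byte packets, two of them back to back.
CONSTRUCTED_TRACE = [(0.0, 1000), (0.0, 1000), (1.0, 1000), (1.2, 500), (1.2, 500)]


def run_demo():
    """8,000 bps (1,000 bytes/s) committed rate with a 1,500-byte burst over the trace."""
    return police_trace(Policer(8_000, 1_500), CONSTRUCTED_TRACE)
```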

CSC tab

Enable Content Security Control For This Traffic (ASA 7.1+ only)

Enables or disables the use of the Cisco CSC SSM (Content Security and Control Security Services Module) for this traffic flow. When this check box is selected, the On CSC SSM Failure options become active.

On CSC SSM Failure Configures the action to take if the CSC SSM becomes inoperable. Options are:

• Open—Permits traffic if the CSC SSM fails.

• Close—Blocks traffic if the CSC SSM fails.


User Preferences

The User Preferences section consists of the Deployment page. The Deployment page provides access to the Clear XLATE on deployment option.

Select this option to send a clear xlate command to the firewall before changes to access lists are made. This command clears all NAT translations. By default this option is not selected.

Navigation Path

• (Device view) Select Platform > User Preferences > Deployment from the Device Policy selector.

• (Policy view) Select PIX/ASA/FWSM Platform > User Preferences > Deployment from the Policy Type selector. Right-click Deployment to create a policy, or select an existing policy from the Shared Policy selector.

Security Contexts Page

Open the Security Contexts page to add, edit, or delete Security Contexts for an ASA, PIX 7.x (or later), or FWSM device running in multi-context mode.

Navigation Path

To access this feature, select an ASA, PIX 7.x (or later), or FWSM device running in multi-context mode and then select Security Contexts from the Device Policy selector.

Related Topics

• Add/Edit Security Context Dialog Box (FWSM), page K-199

• Add/Edit Security Context Dialog Box (PIX/ASA), page K-200

• Allocate Interfaces Dialog Box (PIX/ASA only), page K-202

• View Interface Allocation Dialog Box (PIX/ASA only), page K-203

Field Reference

Table K-175 Security Contexts Page

Element Description

Security Contexts Table

Context Name Shows the context name.

VLANs (FWSM) Shows the VLANs assigned to the context.

Interfaces (PIX/ASA) Shows the interfaces and subinterfaces assigned to the context. If you specified a range of subinterfaces, each subinterface is listed separately.

Failover Group Displays the failover group to which this context belongs.

Config URL Displays the context configuration location, including the URL type.

Mode (FWSM 3+) Displays the mode, router or transparent, of the security context.

Admin The admin context entry is identified by true in this column. An information line is also displayed below the Security Contexts table, indicating which of the listed security contexts is the admin context.


Table K-175 Security Contexts Page (Continued)

Element Description

Description The description of the context.

Trusted Flow Acceleration If Trusted Flow Acceleration is enabled for this context, true is displayed in this column.

Add/Edit Security Context Dialog Box (FWSM)

The Add Security Context and Edit Security Context dialog boxes let you add or edit a security context and define context parameters. Except for the title, the two dialog boxes are identical.

Navigation Path

You can access the Add Security Context and Edit Security Context dialog boxes from the Security Contexts page. For more information about the Security Contexts page, see Security Contexts Page, page K-198.

Related Topics

• Security Contexts Page, page K-198

Field Reference

Table K-176 Add/Edit Security Context Dialog Box (FWSM)

Element Description

Name Enter a name of up to 32 characters for the context. The names System and Null (in any combination of upper- and lower-case letters) are reserved, and cannot be used.

Note While context names are case-sensitive on the device, they are not in Security Manager. That is, you cannot have two contexts with the same name but different capitalization in Security Manager.

Mode (FWSM 3.x) Choose the mode, router or transparent, for this security context.

Note You cannot change the mode in the Edit Security Context dialog box.

Admin Context Select this option if this context is to be the admin context for this device.

VLAN IDs Enter the VLANs assigned to this context. Use a comma to separate multiple VLAN entries.


Table K-176 Add/Edit Security Context Dialog Box (FWSM) (Continued)

Element Description

Config URL Specifies the context configuration location, as a URL-type address. Choose the protocol type from the drop-down list, and then type the server name (for remote file systems), path, and file name in the related text field. For example, the combined URL for FTP has the following format: ftp://server.example.com/configs/admin.cfg.

Available protocols are:

• disk:/

• ftp://

• http://

• https://

• tftp://

Failover Group If this context is part of an active/active failover configuration, choose the failover group to which this context belongs.

Description Enter an optional description for the context.

Management IP Addr Enter or select the IP address that Security Manager should use for communicating with this security context.

Enable Trusted Flow Acceleration (FWSM 4.0(1)+ only)

Select this option to enable Trusted Flow Acceleration for this context (available in Router mode only). See About Trusted Flow Acceleration, page 14-80 for more information.

Add/Edit Security Context Dialog Box (PIX/ASA)

The Add Security Context and Edit Security Context dialog boxes let you add or edit a security context and define context parameters. Except for the title, the two dialog boxes are identical.

Navigation Path

You can access the Add Security Context and Edit Security Context dialog boxes from the Security Contexts page. For more information about the Security Contexts page, see Security Contexts Page, page K-198.

Related Topics

• Security Contexts Page, page K-198

• Allocate Interfaces Dialog Box (PIX/ASA only), page K-202

• View Interface Allocation Dialog Box (PIX/ASA only), page K-203


Field Reference

Table K-177 Add/Edit Security Context Dialog Box (PIX/ASA)

Element Description

Name Enter a name of up to 32 characters for the context. The names System and Null (in any combination of upper- and lower-case letters) are reserved, and cannot be used.

Note While context names are case-sensitive on the device, they are not in Security Manager. That is, you cannot have two contexts with the same name but different capitalization in Security Manager.

Description Enter an optional description for the context.

Admin Context Select this option if this context is to be the admin context for this device.

Config URL Specifies the context configuration location, as a URL-type address. Choose the protocol type from the drop-down list, and then type the server name (for remote file systems), path, and file name in the related text field. For example, the combined URL for FTP has the following format: ftp://server.example.com/configs/admin.cfg.

Available protocols are:

• disk0:/

• disk1:/

• flash:/

• ftp://

• http://

• https://

• tftp://

Interfaces table Shows the interfaces and subinterfaces assigned to this context and their associated settings.

• Interface—Identifies the interface or subinterface assigned to this context.

• Alias Name—Identifies the alias used to represent this interface in policies.

• Show Hardware Property—Shows whether context users can see physical interface properties even if you set an aliased name.

Failover Group If this context is part of an active/active failover configuration, choose the failover group to which this context belongs.

Management IP Address

Enter or select the IP address that Security Manager should use for communicating with this security context.


Allocate Interfaces Dialog Box (PIX/ASA only)

The Allocate Interfaces dialog box lets you assign interfaces to a context and set interface parameters.

Navigation Path

You can access the Allocate Interfaces dialog box from the Add Security Context and Edit Security Context dialog boxes. See Add/Edit Security Context Dialog Box (PIX/ASA), page K-200 for more information.

Related Topics

• Security Contexts Page, page K-198

• Add/Edit Security Context Dialog Box (PIX/ASA), page K-200

• View Interface Allocation Dialog Box (PIX/ASA only), page K-203

Field Reference

Table K-178 Allocate Interfaces Dialog Box

Element Description

Physical Interface Sets the physical interface to assign to the context. You can assign the main interface, in which case you leave the subinterface ID blank, or you can assign a subinterface or a range of subinterfaces associated with this interface. In transparent firewall mode, only interfaces that have not been allocated to other contexts are shown. If the main interface was already assigned to another context, you must select a subinterface.

Sub Interface ID From/To Sets the subinterface ID or a range of subinterface IDs. To specify a single subinterface, click the ID in the first list. To specify a range, click the ending ID in the second list, if available. In transparent firewall mode, only subinterfaces that have not been allocated to other contexts are shown.

View Allocation button Displays the View Interface Allocation dialog box. See View Interface Allocation Dialog Box (PIX/ASA only), page K-203.

Use aliased name in context Sets an aliased name for this interface to be used in the context configuration instead of the interface ID.

Alias Name Sets the aliased name. An aliased name must start with a letter, end with a letter or digit, and have as interior characters only letters, digits, or an underscore. This box lets you specify a name that ends with a letter or underscore; to add an optional digit after the name, set the digit in the Suffix Range From/To fields.

Suffix Range From/To Sets the numeric suffix for the aliased name. If you have a range of subinterfaces, you can enter a range of digits to be appended to the name.

Show hardware properties in context

Enables context users to see physical interface properties even if you set an aliased name.
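A pre-submission checker, added here in Python and not part of Security Manager, for the rules stated in the Add/Edit Security Context dialog boxes (names of up to 32 characters, reserved System and Null, case-insensitive uniqueness, per-platform Config URL protocols) and in the Allocate Interfaces dialog box (aliased name rule, Suffix Range From/To). The context definitions are constructed, and the requirement that the subinterface range and the suffix range be the same length is an assumption.

```python
import re

RESERVED = {"system", "null"}  # reserved context names, any capitalization
SCHEMES = {                    # Config URL prefixes the page lists per platform
    "fwsm": ("disk:/", "ftp://", "http://", "https://", "tftp://"),
    "asa": ("disk0:/", "disk1:/", "flash:/", "ftp://", "http://", "https://", "tftp://"),
}
# Allocate Interfaces rule: an aliased name starts with a letter, ends with a letter
# or digit, and has only letters, digits or underscores in between.
ALIAS_RE = re.compile(r"^[A-Za-z](?:[A-Za-z0-9_]*[A-Za-z0-9])?$")


def check_context_name(name, existing):
    """Problems with a context name: length, reserved words and the case-insensitive
    uniqueness that Security Manager enforces."""
    problems = []
    if not 1 <= len(name) <= 32:
        problems.append("name must be 1 to 32 characters")
    if name.lower() in RESERVED:
        problems.append(f"{name!r} is reserved")
    if name.lower() in {n.lower() for n in existing}:
        problems.append(f"{name!r} duplicates an existing context (case-insensitive)")
    return problems


def check_config_url(url, platform):
    """The Config URL must use one of the platform's protocols and end in a file name."""
    schemes = SCHEMES[platform]
    prefix = next((s for s in schemes if url.startswith(s)), None)
    if prefix is None:
        return [f"config URL must start with one of {schemes}"]
    if not url[len(prefix):].split("/")[-1]:
        return ["config URL must end in a file name"]
    return []


def expand_aliases(alias, sub_from, sub_to, suffix_from, suffix_to):
    """Map each subinterface ID in the range to alias + numeric suffix (Suffix Range
    From/To) and check every resulting name against the alias rule."""
    if sub_to - sub_from != suffix_to - suffix_from:  # assumption: ranges pair up 1:1
        raise ValueError("subinterface range and suffix range must be the same length")
    names = {sub: f"{alias}{suffix}" for sub, suffix in
             zip(range(sub_from, sub_to + 1), range(suffix_from, suffix_to + 1))}
    bad = [n for n in names.values() if not ALIAS_RE.match(n)]
    if bad:
        raise ValueError(f"invalid alias names: {bad}")
    return names


def validate_context(ctx, existing, platform):
    """Collect every problem with a context definition (a constructed dict) before it
    is entered in the dialog box."""
    problems = check_context_name(ctx["name"], existing)
    problems += check_config_url(ctx["config_url"], platform)
    for iface in ctx.get("interfaces", []):
        try:
            expand_aliases(iface["alias"], iface["sub_from"], iface["sub_to"],
                           iface["suffix_from"], iface["suffix_to"])
        except ValueError as exc:
            problems.append(f"{iface['physical']}: {exc}")
    return problems


# Constructed example: a dmz context on an ASA with three aliased subinterfaces.
EXAMPLE_CONTEXT = {
    "name": "dmz", "config_url": "disk0:/dmz.cfg",
    "interfaces": [{"physical": "GigabitEthernet0/1", "alias": "dmz_",
                    "sub_from": 10, "sub_to": 12, "suffix_from": 1, "suffix_to": 3}],
}
```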


View Interface Allocation Dialog Box (PIX/ASA only)

The View Interface Allocation dialog box presents a read-only table that lists all physical interfaces in a security appliance and displays the security contexts and failover groups associated with each interface.

Navigation Path

You can access the View Interface Allocation dialog box by clicking the View Allocation button in the Allocate Interfaces dialog box. See Allocate Interfaces Dialog Box (PIX/ASA only), page K-202 for more information.

Related Topics

• Security Contexts Page, page K-198

• Add/Edit Security Context Dialog Box (PIX/ASA), page K-200

• Allocate Interfaces Dialog Box (PIX/ASA only), page K-202

Field Reference

Table K-179 Allocate Interfaces Dialog Box

Element Description

Interface Shows all the physical interfaces in this security appliance.

Contexts Indicates which contexts are associated with an interface.

Used for Failover Indicates whether the interface is used for failover and identifies the failover group to which it belongs.
