ASA 55X0/PIX 7.0
TSB MED Platform reference
©2002, Cisco Systems, Inc. All rights reserved.

New Hardware Introduction
Cisco ASA 5510 Adaptive Security Appliance
• All-in-One Enterprise and SMB Security/VPN Gateway Head-End
• 64,000 concurrent connections
• 256-MB RAM
• 200-Mbps cleartext throughput
• 10 VLANs
• No Active/Active FO
• 100-Mbps VPN throughput
• Up to 150 IPSec VPN Peers
• SSL VPN Support
• 100-Mbps IPS Throughput via IPS Security Services Module
Cisco ASA 5520 Adaptive Security Appliance
• All-in-One Enterprise and SMB Security/VPN Gateway Head-End
• 130,000 concurrent connections
• 200-Mbps cleartext throughput
• 512-MB RAM
• 10 Security Contexts
• 25 VLANs
• Supports active/active failover
• 200-Mbps VPN throughput
• Up to 750 IPSec VPN Peers
• SSL VPN Support
• 100-Mbps IPS Throughput via IPS Security Services Module
Cisco ASA 5540 Adaptive Security Appliance
• All-in-One Enterprise and SMB Security/VPN Gateway Head-End
• 280,000 concurrent connections
• 400-Mbps cleartext throughput
• 1024-MB RAM
• 50 Security Contexts
• 50 VLANs
• Supports active/active failover
• 360-Mbps VPN throughput
• Up to 5,000 IPSec VPN Peers
• Up to 2500 SSL VPN Connections
• 200-Mbps IPS Throughput via IPS Security Services Module
ASA 5510/5520/5540: Front Panel
Front panel LEDs: Power, Status, Active, Flash, VPN.
ASA 5510/5520/5540: Back Panel
Back panel: Compact Flash (Removable), Security Services Module, Interfaces.
ASA 5510/5520/5540: Back Panel Connections
• Security Service Module (SSM) Monitoring Port
• Compact Flash
• 10/100 Out-of-Band Management Port
• Console Port
• Four 10/100/1000 Copper Gigabit Ports
• Two USB 2.0 Ports
• AUX Port
PIX 7.0 and ASA 7.0
• The same binary image file supports both platforms.
• Same ASDM.
• PIX 7.0 does not support the following features, which are offered by ASA 7.0:
  – WebVPN
  – VPN LB
  – SSM related (IPS)
  – CF card support
  – AUX port support
Security Services Module (SSM-AIP)
• High performance module designed to provide additional security services
• Diskless (Flash-Based) Design for Improved Reliability
• Gigabit Ethernet Port for Out-of-Band Management, etc.
• Runs IPS 5.0 Code
• Inline or Promiscuous
• Can be Managed from the back Plane using Session or ASDM
SSM-AIP (IPS-SSM) front panel LEDs: Speed, Link/Act, Power, Status.
Cisco ASA 5510, 5520, and 5540 Platforms
Key Platform Metrics

Performance and capacity:

| Model                | Real World Firewall Throughput (300/1400 Byte) | Real World VPN Throughput (300/1400 Byte) | Real World IPS Throughput (500 Byte) | Maximum Connections | S2S and IPSec RA VPN Peers | SSL VPN Connections |
|----------------------|--------------|--------------|--------------------------|---------|-------|---------------------|
| ASA 5510             | 100/200 Mbps | 50/100 Mbps  | 100 Mbps with SSM-AIP-10 | 32,000  | 50    | Shared              |
| ASA 5510 Sec Plus    | 100/200 Mbps | 50/100 Mbps  | 100 Mbps with SSM-AIP-10 | 64,000  | 150   | Shared              |
| ASA 5520             | 200/400 Mbps | 100/200 Mbps | 200 Mbps with SSM-AIP-20 | 130,000 | 300   | Shared              |
| ASA 5520 VPN Plus    | 200/400 Mbps | 100/200 Mbps | 200 Mbps with SSM-AIP-20 | 130,000 | 750   | Shared              |
| ASA 5540             | 400/550 Mbps | 200/360 Mbps | 200 Mbps with SSM-AIP-20 | 280,000 | 500   | Shared              |
| ASA 5540 VPN Plus    | 400/550 Mbps | 200/360 Mbps | 200 Mbps with SSM-AIP-20 | 280,000 | 2,000 | Shared, up to 1,250 |
| ASA 5540 VPN Premium | 400/550 Mbps | 200/360 Mbps | 200 Mbps with SSM-AIP-20 | 280,000 | 5,000 | Shared, up to 2,500 |

Platform features:

| Model                | VPN Clustering / Load Bal. | High Availability | Interfaces                  | Security Contexts | VLANs Supported | Comparable PIX Model | Comparable VPN 3K Model |
|----------------------|-----|-------------|-----------------------------|----------|-----|----------------|----------|
| ASA 5510             | No  | None        | 3 x 10/100 + OOB            | No       | 0   | PIX 515E R/DMZ | VPN 3005 |
| ASA 5510 Sec Plus    | No  | A/S         | 5 x 10/100                  | No       | 10  | PIX 515E UR    | VPN 3005 |
| ASA 5520             | Yes | A/A and A/S | 4 x 10/100/1000, 1 x 10/100 | Up to 10 | 25  | PIX 515E UR    |          |
| ASA 5520 VPN Plus    | Yes | A/A and A/S | 4 x 10/100/1000, 1 x 10/100 | Up to 10 | 25  | PIX 515E UR    | VPN 3020 |
| ASA 5540             | Yes | A/A and A/S | 4 x 10/100/1000, 1 x 10/100 | Up to 50 | 100 | PIX 525+       | VPN 3015 |
| ASA 5540 VPN Plus    | Yes | A/A and A/S | 4 x 10/100/1000, 1 x 10/100 | Up to 50 | 100 | PIX 525+       | VPN 3030 |
| ASA 5540 VPN Premium | Yes | A/A and A/S | 4 x 10/100/1000, 1 x 10/100 | Up to 50 | 100 | PIX 525+       | VPN 3060 |

Real world performance based on real traffic mix, all services running concurrently and logging enabled. NOTE: ASA performance has not been finalized – this is subject to change.
New 7.0 Software features

Expanded Firewall Features
Outbound ACLs (new), Time-based ACLs (new), Enable/Disable ACLs (new), Application Firewall (new), No NAT Requirement (new), Security Contexts (Virtual Firewall) (new), Transparent Firewall (Layer 2 Firewall) (new), Configurable Firewall Inspection (MPC), Virtualization of cut-through Proxy Functionality (enhanced), TCP Pools for URL Filtering (enhancement)

New Inspection support
Enhanced FTP Inspection Engine with Command Filtering (new), ESMTP Inspection Engine (new), NIS+ Inspection (enhanced), Inbound/Outbound RPC Inspection (enhanced), SunRPC TCP support (new), ICMP Inspection Engine (new), H.323 T.38 (new), H.323 GK RCS (enhanced), GTP Inspection Engine (new), MGCP NAT (enhanced), RTSP NAT (enhanced), TCP Stream Assembly (new)

Network Integration
PIM-SM (new), Asymmetric Routing (new), Outbound LLQ (new), Policing (new), Intra Network Communications Configuration (new), IPv6 Phase I (new), IP Fragment Reassembly (enhanced), PING enhancements (enhancement)

Virtual Private Network Enhancements
4K+ Certificate Support (enhanced), Block Clients by OS and Version (new), Are You There?, IKE DoS Safeguards (new), Netmask support for local IP address pools (new), VPN Hub and Spoke Routing (new), VPN Client to Client routing (new), Traffic U-Turn on an Interface (enhancement), OSPF Neighbor (new), Interoperability with IOS CA server (new)

Management Usability Enhancements
Modular Policy CLI (new), SSHv2 (new), SNMPv2c (new), SNMP Track Services (new), Additional MIB support (new), Flash File System (new), Multiple Configurations (new), Multiple Software Images (new), Accounting for Management Traffic (new), Support for Simultaneous RADIUS accounting servers (new), Licensing Enhancements (new), "Hitless" Upgrade (new), SYSLOG Server Failure Policy for TCP Transport (enhancement), Logging enhancements (enhancement)

Resiliency
Active/Active Failover (new), VPN Stateful Failover (new)
FLASH File System: Configurations & Images
Visual File Manager, similar to Windows Explorer.
ASDM – boot image selection
Configure > Device Administration > Boot Image/Configuration

ASDM – Select Boot System File
Access-List Keyword: TIME-RANGE
Select Time-Range to edit.
Time range fields: Start, End, Periodic.
The attached time range shows up here (in the rule entry).

Access-List Keyword: Enable/Disable
Removal of this checkmark renders the rule inactive.
Access-Group Keyword: OUT
Traffic Flow
Applied here (the interface on which the access-group is applied in the out direction).
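The CLI behind the three ASDM screens above (a time range on an ACL entry, the enable/disable checkbox, and the out direction on access-group), as an added example that is not from the original deck. The list and time-range names, the inside network and the dates are constructed for illustration:

```cisco
! Time range: weekday business hours, valid only inside an absolute window
! (the dates are constructed for this example)
time-range BUSINESS-HOURS
 absolute start 00:00 1 June 2005 end 23:59 31 December 2005
 periodic weekdays 8:00 to 17:00
!
! Web access from the inside network is permitted only while the time range is active
access-list INSIDE-OUT extended permit tcp 10.1.1.0 255.255.255.0 any eq 80 time-range BUSINESS-HOURS
!
! This entry stays in the configuration but is not evaluated: the "inactive"
! keyword is exactly what the ASDM enable/disable checkmark toggles
access-list INSIDE-OUT extended permit tcp 10.1.1.0 255.255.255.0 any eq 443 inactive
!
! Everything else is denied and logged
access-list INSIDE-OUT extended deny ip any any log
!
! New in 7.0: apply the list in the "out" direction, i.e. to traffic leaving
! the appliance through the outside interface, instead of "in" on inside
access-group INSIDE-OUT out interface outside
```

show access-list INSIDE-OUT lists each entry with its hit count and flags the disabled entry as inactive, which is the quickest way to confirm that the running state matches what ASDM displays.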
VPN Hub and Spoke / Spoke to Spoke
Since it utilizes the IPSec tunnel to the Hub (PIX 7.0 or ASA), the spoke configuration requires only one crypto map (in a full mesh it would need total number of spokes - 1). Assume you already have router 1 configured between Spokenet1 and Hubnet. If you wish to create a Spoke-to-Spoke VPN, you can add access-list entries at both spokes and the hub.

Rtr1 will have: Spokenet1 to Hubnet and Spokenet1 to Spokenet2
Rtr2 will have: Spokenet2 to Hubnet and Spokenet2 to Spokenet1
Hub will have: 2 crypto maps, one for rtr1 and the other for rtr2. Each map is tied to 2 access-list entries:
  Map 1: Hubnet to Spokenet1, Spokenet2 to Spokenet1
  Map 2: Hubnet to Spokenet2, Spokenet1 to Spokenet2
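The hub side of the design above written out as an ASA 7.0 configuration. This is an added example, not the deck's own; the addressing (Hubnet 10.0.0.0/24 on inside, Spokenet1 10.1.0.0/24 behind Rtr1 at 192.0.2.1, Spokenet2 10.2.0.0/24 behind Rtr2 at 192.0.2.2), the names and the key placeholders are constructed assumptions. The spokes are IOS routers in the slide, so their side appears only as comments.

```cisco
! Spoke-to-spoke traffic arrives on outside (from Rtr1's tunnel) and must be
! sent back out the same interface (into Rtr2's tunnel); this is the 7.0
! "traffic U-turn" permission
same-security-traffic permit intra-interface
!
! Map 1 traffic: Hubnet -> Spokenet1 and Spokenet2 -> Spokenet1
access-list TO-SPOKE1 extended permit ip 10.0.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list TO-SPOKE1 extended permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
! Map 2 traffic: Hubnet -> Spokenet2 and Spokenet1 -> Spokenet2
access-list TO-SPOKE2 extended permit ip 10.0.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list TO-SPOKE2 extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
!
! Hubnet traffic toward either spoke must not be translated
access-list NO-NAT extended permit ip 10.0.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list NO-NAT extended permit ip 10.0.0.0 255.255.255.0 10.2.0.0 255.255.255.0
nat (inside) 0 access-list NO-NAT
!
! Phase 1: one policy shared by both spokes; pre-shared keys are placeholders
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group 192.0.2.1 type ipsec-l2l
tunnel-group 192.0.2.1 ipsec-attributes
 pre-shared-key PLACEHOLDER-KEY-RTR1
tunnel-group 192.0.2.2 type ipsec-l2l
tunnel-group 192.0.2.2 ipsec-attributes
 pre-shared-key PLACEHOLDER-KEY-RTR2
!
! Phase 2: two entries in one crypto map, one per spoke, each tied to its
! two-line ACL (the "2 crypto maps" of the slide)
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map HUB-MAP 10 match address TO-SPOKE1
crypto map HUB-MAP 10 set peer 192.0.2.1
crypto map HUB-MAP 10 set transform-set ESP-3DES-SHA
crypto map HUB-MAP 20 match address TO-SPOKE2
crypto map HUB-MAP 20 set peer 192.0.2.2
crypto map HUB-MAP 20 set transform-set ESP-3DES-SHA
crypto map HUB-MAP interface outside
!
! Spoke side (Rtr1, IOS) for comparison: a single crypto map entry peering
! with the hub, whose crypto ACL carries the two spoke entries from the slide:
!   access-list 101 permit ip 10.1.0.0 0.0.0.255 10.0.0.0 0.0.0.255
!   access-list 101 permit ip 10.1.0.0 0.0.0.255 10.2.0.0 0.0.0.255
```

Without same-security-traffic permit intra-interface the hub decrypts Spokenet1-to-Spokenet2 packets and then drops them, because by default the appliance never forwards traffic back out the interface it arrived on.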
Snapshot of Hub and Spoke VPN
VPN Stateful Failover (New)
• Objective: Support VPN stateful failover
• Sample Configuration: None
• By default 7.0 will support VPN stateful failover.
• Requirements: LAN-based FO setting and Pre-shared key IKE
• Support for the Cert is in progress for this release.

   IKE Peer        Type  Dir   Rky  State
1  172.16.50.10    L2L   Init  No   MM_STANDBY

In the standby PIX, you will see the following IKE status:

   IKE Peer        Type  Dir   Rky  State
2  172.16.50.1     L2L   Resp  No   MM_STANDBY
SYSLOG Features
Extensive and significant additions have been made to the logging facilities of PIX/ASA OS 7.0. These are a result of customer requests for flexibility and detailed information content. There are now 36 configurable syslog parameters, 24 of which are new.
SYSLOG Definition / Features
Event_List – An event list allows users to track events by class, severity, or syslog message ID. It can be used in two ways. A user can set global defaults to track this customized list, sending the results to the preferred event destination (log, console, syslog, e-mail, or trap). Or, it can override global defaults to track this customized list for an individual event class. The name must start with an alpha and cannot be a syslog level name.

Syntax: logging list <name of event_list> [and condition]

Example: an event list named bigproblem that collects all critical messages, critical messages of class ha, and one explicit message-ID range, and is then used as the filter for the logging buffer:
  (config)# logging list bigproblem level critical
  (config)# logging list bigproblem level critical class ha
  (config)# logging list bigproblem message 101001-102034
  (config)# logging buffered bigproblem

Logging setup on ASDM
(NO) NAT CONTROL (new)
The PIX has always been a device supporting, even requiring, Network Address Translation (NAT) for maximum flexibility and security. Introduced in PIX OS 7.0 is NAT as an option. Specifying NAT-CONTROL specifies the requirement to use NAT for outside communications. To specify NAT control, use the nat-control command in global configuration mode. To disable NAT control, which allows inside hosts to communicate with outside networks without configuring a NAT rule, use the command no nat-control in global configuration mode. Following a configuration migration NAT-CONTROL is enabled so previous NAT behavior is maintained. For new configurations NAT control is disabled by default. If no nat-control is specified, only hosts that require NAT need to have a NAT rule configured.
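A minimal 7.0 configuration that exercises the no nat-control behaviour described above, added here as an example that is not from the original deck. The interface names, the DMZ server and all addresses are constructed assumptions:

```cisco
! New-configuration default: translation is optional
no nat-control
!
! Only the hosts that actually need translation get a rule.
! A DMZ web server (constructed addresses) is published on a public address:
static (dmz,outside) 203.0.113.10 172.16.1.10 netmask 255.255.255.255
!
! One private inside subnet is PAT'ed to the outside interface address:
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 interface
!
! Any other inside host (for example a routable 203.0.113.128/25 range in
! this scenario) reaches the outside untranslated because nat-control is off.
! After a migration from 6.x the line below is present instead, and every
! inside host then needs a matching nat/static rule before it may pass:
! nat-control
```

The security consequence is the one the slide states: with nat-control off, a missing NAT rule no longer blocks a host, so access-lists alone decide what leaves the inside network.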
(NO) NAT CONTROL
ASDM: clearing this check specifies nat-control.
Modular Policy Framework (MPF) Objective
There is a growing need to provide greater granularity and flexibility in configuring network policies. For example, the ability to include destination IP address as one of the criteria to identify traffic for Network Address Translation, or the ability to create a timeout configuration that is specific to a particular TCP application, as opposed to the current timeout scheme which applies a timeout value to all TCP applications, etc. MPF provides the tools to meet these and other needs.

Modular Policy Framework (MPF) Definition
• MPF features are derived from QoS as implemented in IOS. Not all features have been carried across.
• MPF is built on three related CLI commands:
  – class-map – This command identifies the traffic that needs a specific type of control. Class-maps have specific names which tie them into the policy-map.
  – policy-map – This command describes the actions to be taken on the traffic described in the class-map. Class-maps are listed by name under the appropriate policy-map. Policy-maps have specific names too, which tie them into the service-policy.
  – service-policy – This command describes where the traffic should be intercepted for control. Only one service-policy can exist per interface. An additional service-policy, the "global service policy," is defined for traffic and general policy application. This policy applies to traffic on all interfaces.

Modular Policy Framework (MPF) Limitations
PIX/ASA 7.0 restrictions for match/policy and class statements:
• Number of policy-maps: 64
• Number of class-maps: 255
• Number of classes in a policy-map: 63
• Number of match statements in a class-map: 1*
  * match tunnel-group and default-inspect allow two statements
QoS, Policing – ASDM
ASDM callouts: Action; Class-name on flow; Traffic selector.
QoS, Low Latency Queuing (LLQ)
Consider this Problem:
You want to make sure VoIP phones at the Main Office (Main) have the lowest latency possible through the firewall and VPN to the Remote Office 1 (ro1). There is a lot of other traffic that uses the VPN link but it is not time sensitive. How do we configure for this behavior? You also should consider the return traffic (outbound at peer).
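One way to answer the problem above in ASA 7.0 MPF syntax, as an added example that is not from the original deck. The tunnel-group name ro1 follows the slide; the class and policy names, the DSCP marking assumed on the phones and the police rate are constructed assumptions.

```cisco
! Voice: the phones are assumed to mark their packets DSCP EF, so classify on that
class-map VOICE
 match dscp ef
!
! Everything else riding the tunnel to ro1, selected by the tunnel itself.
! A tunnel-group class is one of the two kinds allowed two match statements.
class-map VPN-RO1
 match tunnel-group ro1
 match flow ip destination-address
!
policy-map OUTSIDE-QOS
 ! strict priority (low latency) for voice
 class VOICE
  priority
 ! the rest is rate-limited per destination flow (2 Mbps, 37500-byte burst)
 class VPN-RO1
  police 2000000 37500
!
! LLQ needs a priority queue on the egress interface before "priority" takes effect
priority-queue outside
!
service-policy OUTSIDE-QOS interface outside
!
! Return traffic: this policy only shapes what leaves Main. The peer (ro1)
! needs the same class and policy on its own outside interface.
```

Because policing applies to each flow selected by match flow ip destination-address individually, the rate above is a per-destination limit inside the tunnel, not a cap on the whole tunnel.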
QoS, Low Latency Queuing (LLQ)
ASDM callouts: Service; Traffic Selector Types; QoS.
Application Firewall
The enhanced HTTP inspection feature, also known as an application firewall (AFW), provides deep analysis of web traffic. It enables granular control over HTTP sessions to prevent abuse of the HTTP protocol. In addition, AFW allows administrative control over applications that attempt to tunnel over port 80, such as gotomypc and the various forms of Instant Messenger. Administration is done by enabling and disabling predefined signatures. Competitors refer to AFW features as deep inspection or application intelligence.
Application Firewall
Application Firewall Feature Summary
• RFC compliance enforcement
• HTTP request method authorization and enforcement
• Response message validation
• Port misuse and enforcement
• MIME type enforcement
• Transfer encoding type validation
• Content control based on message data content and type
• URI length enforcement
• Message size enforcement
Application Firewall: Keywords and Functions
content-length: Inspection is based on the length of the HTTP content.
content-type-verification: Inspection is based on the type of HTTP content.
max-header-length: Inspection is based on the length of the HTTP header.
max-uri-length: Inspection is based on the length of the URI.
port-misuse: Inspection of p2p, im, and tunneled applications.
request-method: Inspection is based on the HTTP request method.
strict-http: Enables strict HTTP inspection.
transfer-encoding: Inspection is based on the transfer encoding type.
no: Negates a command or sets a parameter to its default value.
Application Firewall: Keywords and Functions
class-map – Identify the traffic for inspection (see previous examples). The port to use for traffic inspection is identified here.
http-map – Describes the parameters that http inspection will use for processing. Keywords (and parameters) are specific to the function they perform, e.g. content-length has minimum and maximum acceptable size limits. Out of range initiates the specified actions.
Actions: allow, drop, reset, log
Application Firewall
Create a class-map for http inspection. Create an http-map to specify parameters for inspect http.

pix/asa(config)# http-map inbound_http
pix/asa(config-http-map)# content-length min 100 max 2000 action reset log
pix/asa(config-http-map)# content-type-verification match-req-rsp action reset log
pix/asa(config-http-map)# max-header-length request 100 action reset log
pix/asa(config-http-map)# max-uri-length 100 action reset log
pix/asa(config-http-map)# port-misuse p2p action drop
pix/asa(config-http-map)# port-misuse im action drop
pix/asa(config-http-map)# port-misuse default action allow
pix/asa(config-http-map)# exit
pix/asa(config)# class-map http-port
pix/asa(config-cmap)# match port tcp eq 80
pix/asa(config-cmap)# exit
Application Firewall
Create a policy-map for http inspection

pix/asa(config)# policy-map inbound_policy          (*)
pix/asa(config-pmap)# class http-port
pix/asa(config-pmap-c)# inspect http inbound_http
pix/asa(config-pmap-c)# exit
pix/asa(config-pmap)# exit
pix/asa(config)# service-policy inbound_policy interface outside
(if necessary create a service-policy or use the default-inspection policy)

(*) Attach the policy-map for http inspection to an interface (an existing policy map could also be used).
Application Firewall – ASDM
ASDM steps: Build the ACL; New class-map; Stealth apps; Set up your inspections; Configure http.
FTP Inspection (new)
Configuration > Security Policy > (Select Policy) Edit > Rule Action

- Basic FTP Inspection: Fixup from 6.X
  pixfirewall(config-pmap-c)# inspect ftp          (Under the Global Policy)
- Strict FTP inspection: When FTP is tunneled over HTTP, it prevents web browsers from sending embedded commands. It also contains the Basic FTP Inspection.
  pixfirewall(config-pmap-c)# inspect ftp strict   (Under the Global Policy)

If an FTP request contains commands which are not RFC compliant, the connection will be closed and a syslog will be generated.

(Rule Action > (FTP) Configure)
FTP Inspection: Command Filtering (new)
Configure to allow or disallow specific commands through the security device. When a command is disallowed, the connection will be closed and a syslog will be generated.
Configurable commands: APPE, CDUP, DELE, GET, HELP, MKD, PUT, RMD, RNFR, RNTO, SITE, STOU

pixfirewall(config)# ftp-map ftpins
pixfirewall(config-ftp-map)# request-command deny appe cdup help
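The ftp-map from the slide carried through to a working policy, both on the standard port and on a non-standard one, as an added example that is not from the original deck. The map name FTPINS, the extra denied commands, the class name and the alternate port 2121 are constructed assumptions; global_policy and inspection_default are the defaults of a 7.0 configuration.

```cisco
! Command filter: deny APPE/CDUP/HELP as on the slide, plus SITE and STOU
ftp-map FTPINS
 request-command deny appe cdup help
 request-command deny site stou
!
! Standard port: attach to the default inspection class of the default
! global policy. "strict" adds the RFC conformance checks and the
! browser-tunnelling protection on top of the basic fixup; the map name
! adds the command filtering.
policy-map global_policy
 class inspection_default
  inspect ftp strict FTPINS
!
! Non-standard port: FTP control channel on 2121 (constructed for the example)
class-map FTP-ALT
 match port tcp eq 2121
policy-map global_policy
 class FTP-ALT
  inspect ftp strict FTPINS
!
! Already present in a default 7.0 configuration; repeated for completeness
service-policy global_policy global
```

When a denied command is seen the connection is closed and the FTP inspection syslog is generated, so the message counters for that class are the place to confirm the filter is actually firing.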
TCP Header Format
Configurable Fields using TCP Map (figure of the TCP header).

ASDM: TCP Map Configuration
TCP Normalization
tcp-map keywords:
• queue-limit – Configures the maximum number of out-of-order packets that can be queued for a TCP connection.
• urgent-flag – Allows or clears the URG pointer through the security appliance.
• tcp-options – Allows or clears the selective-ack, timestamps, or window-scale TCP options.
• window-variation – Drops a connection that has changed its window size unexpectedly.
• ttl-evasion-protection – Enables or disables the TTL evasion protection offered by the security appliance.
• reserved-bits – Sets the reserved flags policy in the security appliance.
• check-retransmission – Enables and disables the retransmit data checks.
• exceed-mss – Allows or drops packets that exceed the MSS (maximum segment size) set by the peer.
• syn-data – Allows or drops SYN packets with data.
• checksum-verification – Enables and disables checksum verification. (Done in the driver for ASA; in software on PIX, so it will have a performance impact on PIX.)
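The keywords above assembled into one tcp-map and attached to a class of connections through MPF, as an added example that is not from the original deck. The map, ACL and policy names are constructed and the values chosen are illustrative.

```cisco
! Normalizer profile for connections that get the strictest treatment
tcp-map STRICT-TCP
 ! buffer at most 10 out-of-order segments per connection
 queue-limit 10
 ! strip the URG pointer instead of passing it through
 urgent-flag clear
 ! keep the three options the map can control (the default is to allow them;
 ! listed explicitly so the profile documents itself)
 tcp-options selective-ack allow
 tcp-options timestamp allow
 tcp-options window-scale allow
 ! a peer that shrinks its window unexpectedly loses the connection
 window-variation drop-connection
 ttl-evasion-protection
 reserved-bits clear
 check-retransmission
 exceed-mss drop
 syn-data drop
 ! costs CPU on a PIX (see the note above); cheap on an ASA
 checksum-verification
!
! Select the connections and attach the map through MPF
access-list TCP-FROM-OUTSIDE extended permit tcp any any
class-map OUTSIDE-TCP
 match access-list TCP-FROM-OUTSIDE
policy-map OUTSIDE-NORMALIZE
 class OUTSIDE-TCP
  set connection advanced-options STRICT-TCP
service-policy OUTSIDE-NORMALIZE interface outside
```

Apply a profile like this to a narrow class first (a server farm, or an ACL of a few hosts): exceed-mss drop and syn-data drop are correct for standard TCP stacks, but some embedded or tunnelling peers violate them and their connections will stall rather than fail loudly.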
ASDM: TCP Map Configuration – TCP Map Name
IKE DoS Safeguards (new)
This allows users to optionally disable Aggressive Mode requests, and it allows the device to quickly reject IKE packets that are received from unknown hosts or networks.
Related commands:
  isakmp am-disable
  isakmp reload-wait
  isakmp disconnect-notify
Block Clients by Client type and Version (new)
Capability of disallowing connections from remote access clients by specifying software or hardware clients based on version and type. For the software client, the type includes the OS. For example, one could configure the device to allow connections from all clients except Win2000 clients.

Pix(config)# group-policy TME1 attributes
Pix(config-group-policy)# client-access-rule 2 permit type cisco version 4.1
Pix(config-group-policy)# client-access-rule 1 deny type microsoft version 1.3
ASDM: Web Access Configuration
Configuration > VPN > WebVPN Access > Enable
Callouts: General VPN Configuration; WebVPN Access.

ASDM: Web Access Configuration
Configure URL for the Home Page (Homepage URL).

Customize Home Page
Customize the Logo; Customize Background Colors.

Configure Authentication
Device Administration > User Accounts
Select the Authentication Method (considering local users are configured).
Select the Previously Configured Group Policy.

Home Page and Authentication
https://[IP address of the WebVPN-enabled interface]
Callouts: Home Page; Floating Tool Bar; Authentication Window.
Security Services Module (SSM-AIP)
• High performance module designed to provide additional security services
• Diskless (Flash-Based) Design for Improved Reliability
• Gigabit Ethernet Port for Out-of-Band Management, etc.
• Runs IPS 5.0 Code
• Inline or Promiscuous
• Can be Managed from the back Plane using Session or ASDM
• It is not hot-swappable
• If the SSM fails it will cause failover.
SSM-AIP (IPS-SSM) front panel LEDs and port: Speed, Link/Act, Power, Status, Command & Control.
Accessing SSM via the ASDM
SSM
Accessing SSM via the ASDM
SSM Command and Control Interface needs to be accessible from the ASA's Interface that is dedicated for management
Configuring ASA for Traffic flow through the SSM
Configuration > Security Policy
Configuring ASA for Traffic flow through the SSM
Configuration > Security Policy > Add
Next >
Configuring ASA for Traffic flow through the SSM
Next >
Configuring ASA for Traffic flow through the SSM
ASA Command line Configuration for inline IPS with MPC:
class-map IPS-class
 match any
policy-map IPS-policy
 class IPS-class
  ips inline fail-open
service-policy IPS-policy interface outside
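As an added example (not from the slide deck or from Cisco), a small Python audit of ASA MPF configuration text: it reports where IPS inspection is applied and whether the fail-open keyword lets traffic bypass the SSM if the module fails, and flags policy-maps that carry an ips action but are never applied. The sample configuration is constructed to mirror the slide's CLI.

```python
import re

# Constructed sample (not a device capture) mirroring the slide's MPF config.
SAMPLE_CONFIG = """\
class-map IPS-class
 match any
policy-map IPS-policy
 class IPS-class
  ips inline fail-open
service-policy IPS-policy interface outside
"""

def parse_ips_actions(config):
    """Map (policy-map, class) -> (mode, fail-action) for every 'ips' action."""
    actions, pmap, cls = {}, None, None
    for raw in config.splitlines():
        if not raw.startswith(" "):                 # top-level command
            m = re.match(r"policy-map (\S+)\s*$", raw)
            pmap, cls = (m.group(1) if m else None), None
            continue
        if pmap is None:                            # indented line outside a policy-map
            continue
        s = raw.strip()
        if m := re.match(r"class (\S+)$", s):
            cls = m.group(1)
        elif cls and (m := re.match(r"ips (inline|promiscuous) (fail-open|fail-close)$", s)):
            actions[(pmap, cls)] = (m.group(1), m.group(2))
    return actions

def parse_service_policies(config):
    """Map policy-map -> scopes where it is applied (interface name or 'global')."""
    scopes = {}
    for m in re.finditer(r"^service-policy (\S+) (?:interface (\S+)|global)\s*$", config, re.M):
        scopes.setdefault(m.group(1), []).append(m.group(2) or "global")
    return scopes

def audit_ips(config):
    """One finding per IPS action; fail-open means traffic passes uninspected
    while the SSM is down, fail-close means it is dropped. Whether that is the
    right trade-off is a design choice, so the audit only makes it visible."""
    actions, scopes = parse_ips_actions(config), parse_service_policies(config)
    findings = []
    for (pmap, cls), (mode, fail) in sorted(actions.items()):
        for scope in scopes.get(pmap, ["<not applied>"]):   # inspection configured but inactive
            findings.append({"policy": pmap, "class": cls, "scope": scope, "mode": mode,
                             "fail_action": fail, "bypasses_on_ssm_failure": fail == "fail-open"})
    return findings

if __name__ == "__main__":
    for f in audit_ips(SAMPLE_CONFIG):
        print(f)
```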
ASDM - Transparent Firewall
ASDM - Transparent Firewall (Multi mode)
Multiple Context on ASDM
How Active/Active Failover Works?
Summary
• Need Multiple context (no VPN)
• VLAN Trunking (optional)
• LAN base/Serial Failover
• Works under NAT or No NAT (except for Shared Interface)
• New F/O group command
• A/A FO license or UR
Active/Active Failover Design
[Figure: Before... and After... topologies. Network A (172.16.1.0 network) with Network A-1 behind a switch; Network B with the 192.168.1.0 network (Network B-1) and the 192.168.2.0 network (Network B-2) behind separate switches. Contexts are labelled Logical1-A/Logical1-S and Logical2-A/Logical2-S, using host addresses .1 to .4.]
Failover Group ASDM Screen Shot
Active/Active FO ASDM Screen Shot
ESMTP via ASDM
Tunnel Group
Group Policy
ASDM Screenshot for VPN load-balancing
RRI ASDM Screen Shot
Configuration > Features > VPN > IPSec > Tunnel Policy panel, click the Add button
PIX 501 Intro Update