-
null
The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
The following topics describe the options available for configuring and managing security services and policies for PIX firewalls, Firewall Services Modules (FWSMs) on Catalyst 6500 series switches, and Adaptive Security Appliances (ASAs).
These topics are organized in the order in which they appear in Device view. All of these elements may not apply to the currently selected device, according to its operating mode and configuration.
–Translation Exemptions (NAT 0 ACL) Tab
Interfaces
•ASA 5505 Ports and Interfaces Page
Platform
•Device Admin
–Boot Image/Configuration Page
–Syslog
–Multicast Boundary Filter Page
–PIM Page - Neighbor Filter Tab
–PIM Page - Bidirectional Neighbor Filter Tab
–PIM Page - Rendezvous Points Tab
–PIM Page - Request Filter Tab
–IPS, QoS, and Connection Rules Page
The NAT section consists of the following pages:
–Translation Exemptions (NAT 0 ACL) Tab
Use the Address Pools page to view and manage the global address pools used in dynamic NAT rules.
Navigation Path
•(Device view) Select NAT > Address Pools from the Device Policy selector.
•(Policy view) Select NAT (PIX/ASA/FWSM) > Address Pools from the Policy Type selector. Select an existing policy from the Shared Policy selector, or right-click Address Pools to create a new policy.
Related Topics
Field Reference
|
|
---|---|
|
|
Interface |
The name of the device interface to which the address pool applies. |
ID |
The identification number of the address pool. |
IP Address(es) |
The IP addresses assigned to the pool. |
Description |
The description assigned to the address pool. |
Add button |
Opens the Address Pool Dialog Box so you can define a new address pool for a specific interface. |
Edit button |
Opens the Address Pool Dialog Box so you can edit the selected address pool. |
Delete button |
Deletes the selected entry in the Global Address Pools table. A confirmation dialog box may appear; click OK to delete the entry. |
Use the Address Pool dialog box to add or edit a global address pool for use in dynamic NAT rules.
Navigation Path
You open the Address Pool dialog box by clicking the Add Row or Edit Row buttons on the Address Pools Page.
Related Topics
Field Reference
Use the Translation Options page to set options that affect network address translation for the selected security appliance. These settings apply to all interfaces on the device.
Navigation Path
•(Device view) Select NAT > Translation Options from the Device Policy selector.
•(Policy view) Select NAT (PIX/ASA/FWSM) > Translation Options from the Policy Type selector. Select an existing policy from the Shared Policy selector, or right-click Translation Options to create a new policy.
Related Topics
•Configuring Translation Options, page 14-20
Field Reference
|
|
---|---|
Enable traffic through the firewall without address translation |
When selected, lets traffic pass through the security appliance without address translation. If this option is not selected, any traffic that does not match a translation rule will be dropped. Note This option is available only on PIX 7.x, FWSM 3.x, and ASA devices. |
Enable xlate bypass |
When selected, NAT sessions for untranslated traffic are disabled (this feature is called "xlate bypass"). See Configuring Translation Options, page 14-20 for more information. Note This option is available only on FWSM 3.2 and higher. |
Do not translate VPN traffic |
When selected, lets VPN traffic pass through the security appliance without address translation. |
Use the Translation Rules page to define address translation rules on the selected device. The Translation Rules page consists of the following tabs:
•Translation Exemptions (NAT 0 ACL) Tab
Navigation Path
•(Device view) Select NAT > Translation Rules from the Device Policy selector.
•(Policy view) Select NAT (PIX/ASA/FWSM) > Translation Rules from the Policy Type selector. Select an existing policy from the Shared Policy selector, or right-click Translation Rules to create a new policy.
Use the Translation Exemptions (NAT 0 ACL) tab of the Translation Rules page to view and specify traffic that is exempt from address translation.
Note Translation exemptions are only supported by PIX, ASA and FWSM devices in router mode, and FWSM 3.2 devices in transparent mode. Other devices in transparent mode support only static translation rules.
Navigation Path
You can access the Translation Exemptions (NAT 0 ACL) tab from the Translation Rules page. For more information about the Translation Rules page, see Translation Rules Page.
Related Topics
•Add/Edit Translation Exemption (NAT-0 ACL) Rule Dialog Box
•Advanced NAT Options Dialog Box
Field Reference
Note The following table describes standard Translation Exemption elements. Additional columns for elements defined in the Advanced NAT Options dialog box can be displayed by right-clicking any column heading. (All columns are displayed by default on the General Tab.) Refer to Table Columns and Column Heading Features, page 2-18 for more information about showing and hiding specific columns.
|
|
---|---|
Filter |
Click the arrow preceding the Filter label to show or hide the filtering bar, which you can use to filter the information displayed in the Translation Exemptions Rules table. For more information about using the filtering bar, see Filtering Tables, page 2-16. |
|
|
Note Hatching (a series of slanted lines) across an entry in the table indicates that rule is currently disabled. (See Enable Rule in Add/Edit Translation Exemption (NAT-0 ACL) Rule Dialog Box for information about enabling and disabling these rules.) |
|
No. |
Rules are evaluated sequentially in the order listed. This number indicates the rule's position in the ordering of the list. You can use the Up Row and Down Row buttons to change the position of the selected rule. |
Action |
Indicates whether the rule is exempt or not exempt from NAT. |
Original Interface |
The ID of the device interface to which the rule is applied. |
Original Address |
The object names or IP addresses of the source hosts and networks to which the rule applies. |
Destination |
The object names or IP addresses of the destination hosts and networks to which the rule applies. |
Direction |
The traffic direction (Inbound or Outbound) to which the rule is applied. |
Category |
The category to which the rule is assigned. Categories can help identify rules and objects using labels and color-coding. To define and edit categories, select Tools > Policy Object Manager > Category. Refer to Using Category Objects, page 8-6 for more information. Note No commands are generated for the Category attribute. |
Description |
The description of the rule, if provided. |
Find/Replace button |
Opens the Find and Replace window; used to locate policy objects, text strings, or IP addresses in the Translation Exemptions Rules table. See Find and Replace Dialog Box, page I-91 for more information about using this feature. |
Up Row |
Moves the selected entry one row higher in the table. |
Down Row |
Moves the selected entry one row lower in the table. |
Add Row |
Opens the Add/Edit Translation Exemption (NAT-0 ACL) Rule Dialog Box; lets you define a new translation exemption rule. |
Edit Row |
Opens the Add/Edit Translation Exemption (NAT-0 ACL) Rule Dialog Box; lets you edit the rule currently selected in the Translation Exemptions Rules table. |
Delete Row |
Deletes the selected entry from the Translation Exemptions Rules table. A confirmation dialog box may appear; click OK to delete the entry. |
Use the Add/Edit Translation Exemption (NAT-0 ACL) Rule dialog box to define and edit translation exemption rules.
Navigation Path
You can access the Add/Edit Translation Exemption (NAT-0 ACL) Rule dialog box from the Translation Exemptions (NAT 0 ACL) tab. See Translation Exemptions (NAT 0 ACL) Tab for more information.
Related Topics
•Translation Exemptions (NAT 0 ACL) Tab
•Advanced NAT Options Dialog Box
Field Reference
|
|
---|---|
Enable Rule |
If checked, the rule is enabled. Deselect this option to disable the rule without deleting it. |
Action |
Select the action for this rule: •exempt - The rule identifies traffic that is exempt from NAT. •do not exempt - The rule identifies traffic that is not exempt from NAT. |
Original: Interface |
Enter the name of (or Select) the device interface to which the rule applies. |
Original: Sources |
Enter IP addresses for (or Select) the source hosts and network objects to which the rule applies. Multiple entries must be separated by commas. |
Translated: Direction |
The rule can be applied to Inbound or Outbound traffic, as specified with this option. |
Traffic flow: Destinations |
Enter IP addresses for (or Select) the destination hosts and network objects to which the rule applies. Multiple entries must be separated by commas. |
Category |
To assign the rule to a category, choose the category from this list. Categories can help identify rules and objects using labels and color-coding. To define categories, select Tools > Policy Object Manager > Category. See Using Category Objects, page 8-6 for more information. Note No commands are generated for the Category attribute. |
Description |
Enter a description of the rule. |
Advanced button (FWSM only) |
Click to open the Advanced NAT Options Dialog Box to configure advanced settings for this rule. |
Use the Dynamic Rules tab of the Translation Rules page to view and configure dynamic NAT and PAT rules.
Note Dynamic translation rules are only supported by PIX, ASA and FWSM devices in router mode, and FWSM 3.2 devices in transparent mode. Other devices in transparent mode support only static translation rules.
Navigation Path
You can access the Dynamic Rules tab from the Translation Rules page. For more information about the Translation Rules page, see Translation Rules Page.
Related Topics
•Add/Edit Dynamic Translation Rule Dialog Box
•Advanced NAT Options Dialog Box
•Select Address Pool Dialog Box
Field Reference
Note The following table describes standard Dynamic Rule elements. Additional columns for elements defined in the Advanced NAT Options dialog box can be displayed by right-clicking any column heading. (All columns are displayed by default on the General Tab.) Refer to Table Columns and Column Heading Features, page 2-18 for more information about showing and hiding specific columns.
|
|
---|---|
Filter |
Click the arrow preceding the Filter label to show or hide the filtering bar, which you can use to filter the information displayed in the Dynamic Rules table. For more information about using the filtering bar, see Filtering Tables, page 2-16. |
|
|
Note Hatching (a series of slanted lines) across an entry in the table indicates that rule is currently disabled. (See Enable Rule in Add/Edit Dynamic Translation Rule Dialog Box for information about enabling and disabling these rules.) |
|
No. |
Rules are evaluated sequentially in the order listed. This number indicates the rule's position in the ordering of the list. You can use the Up Row and Down Row buttons to change the position of the selected rule. |
Original Interface |
The ID of the device interface to which the rule is applied. |
Original Address |
The object names or IP addresses of the source hosts and networks to which the rule applies. |
Translated Pool |
The ID number of the pool of addresses used for translation. |
Direction |
The traffic direction (Inbound or Outbound) to which the rule is applied. |
Category |
The category to which the rule is assigned. Categories can help identify rules and objects using labels and color-coding. To define and edit categories, select Tools > Policy Object Manager > Category. Refer to Using Category Objects, page 8-6 for more information. Note No commands are generated for the Category attribute. |
Description |
The description of the rule, if provided. |
Find/Replace button |
Opens the Find and Replace window; used to locate policy objects, text strings, or IP addresses in the Dynamic Rules table. See Find and Replace Dialog Box, page I-91 for more information about using this feature. |
Up Row |
Moves the selected entry one row higher in the table. |
Down Row |
Moves the selected entry one row lower in the table. |
Add Row |
Opens the Add/Edit Dynamic Translation Rule Dialog Box; lets you define a new dynamic translation rule. |
Edit Row |
Opens the Add/Edit Dynamic Translation Rule Dialog Box; lets you edit the rule currently selected in the Dynamic Rules table. |
Delete Row |
Deletes the selected entry from the Dynamic Rules table. A confirmation dialog box may appear; click OK to delete the entry. |
Use the Add/Edit Dynamic Translation Rule dialog box to define and edit dynamic NAT and PAT rules.
Navigation Path
You can access the Add/Edit Dynamic Translation Rule dialog box from the Dynamic Rules tab. See Dynamic Rules Tab for more information.
Related Topics
•Advanced NAT Options Dialog Box
•Select Address Pool Dialog Box
Field Reference
|
|
---|---|
Enable Rule |
If checked, the rule is enabled. Deselect this option to disable the rule without deleting it. |
Original: Interface |
Enter the name or Select the device interface to which the rule applies. |
Original: Address |
Enter IP addresses for (or Select) the source hosts and network objects to which the rule applies. Multiple entries must be separated by commas. |
Translated: Pool |
Enter (or Select) the ID number of the pool of addresses used for translation; clicking Select opens the Select Address Pool Dialog Box. Enter a value of zero to specify this as an identity NAT rule. |
Translated: Direction |
The rule can be applied to Inbound or Outbound traffic, as specified with this option. |
Category |
To assign the rule to a category, choose the category from this list. Categories can help identify rules and objects using labels and color-coding. To define categories, select Tools > Policy Object Manager > Category. See Using Category Objects, page 8-6 for more information. Note No commands are generated for the Category attribute. |
Description |
Enter a description for the rule. |
Advanced button |
Click to open the Advanced NAT Options Dialog Box to configure advanced settings for this rule. |
The Select Address Pool dialog box presents a list of global address pools; these pools are defined and managed via the Address Pools Page. Use this dialog box to select an address pool for use by a dynamic translation rule, or a policy dynamic translation rule.
Navigation Path
You can access the Select Address Pool dialog box from the Add/Edit Dynamic Translation Rule Dialog Box when adding or editing a dynamic translation rule, or from the Add/Edit Policy Dynamic Rules Dialog Box when adding or editing a policy dynamic translation rule.
Related Topics
Field Reference
Use the Policy Dynamic Rules tab of the Translation Rules page to view and configure dynamic translation rules based on source and destination addresses and services.
Note Policy dynamic rules are only supported by PIX, ASA and FWSM devices in router mode, and FWSM 3.2 devices in transparent mode. Other devices in transparent mode support only static translation rules.
Navigation Path
You can access the Policy Dynamic Rules tab from the Translation Rules page. See Translation Rules Page for more information.
Related Topics
•Add/Edit Policy Dynamic Rules Dialog Box
•Advanced NAT Options Dialog Box
•Select Address Pool Dialog Box
Field Reference
Note The following table describes standard Policy Dynamic Rule elements. Additional columns for elements defined in the Advanced NAT Options dialog box can be displayed by right-clicking any column heading. (All columns are displayed by default on the General Tab.) Refer to Table Columns and Column Heading Features, page 2-18 for more information about showing and hiding specific columns.
|
|
---|---|
Filter |
Click the arrow preceding the Filter label to show or hide the filtering bar, which you can use to filter the information displayed in the Policy Dynamic Rules table. For more information about using the filtering bar, see Filtering Tables, page 2-16. |
|
|
Note Hatching (a series of slanted lines) across an entry in the table indicates that rule is currently disabled. (See Enable Rule in Add/Edit Policy Dynamic Rules Dialog Box for information about enabling and disabling these rules.) |
|
No. |
Rules are evaluated sequentially in the order listed. This number indicates the rule's position in the ordering of the list. You can use the Up Row and Down Row buttons to change the position of the selected rule. |
Original Interface |
The ID of the device interface to which the rule is applied. |
Original Address |
The object names or IP addresses of the source hosts and networks to which the rule applies. |
Translated Pool |
The ID number of the pool of addresses used for translation. |
Destination |
The object names and IP addresses of the destination hosts and networks to which the rule applies. |
Service |
The services to which the rule applies. |
Direction |
The traffic direction (Inbound or Outbound) to which the rule is applied. |
Category |
The category to which the rule is assigned. Categories can help identify rules and objects using labels and color-coding. To define and edit categories, select Tools > Policy Object Manager > Category. Refer to Using Category Objects, page 8-6 for more information. Note No commands are generated for the category attribute. |
Description |
The description of the rule, if provided. |
Find/Replace button |
Opens the Find and Replace window; used to locate policy objects, text strings, or IP addresses in the Policy Dynamic Rules table. See Find and Replace Dialog Box, page I-91 for more information about using this feature. |
Up Row |
Moves the selected entry one row higher in the table. |
Down Row |
Moves the selected entry one row lower in the table. |
Add Row |
Opens the Add/Edit Policy Dynamic Rules Dialog Box; lets you define a new policy dynamic translation rule. |
Edit Row |
Opens the Add/Edit Policy Dynamic Rules Dialog Box; lets you edit the rule currently selected in the Policy Dynamic Rules table. |
Delete Row |
Deletes the selected entry from the Policy Dynamic Rules table. A confirmation dialog box may appear; click OK to delete the entry. |
Use the Add/Edit Policy Dynamic Rules dialog box to define and edit dynamic translation rules based on source and destination addresses and services.
Navigation Path
You can access the Add/Edit Policy Dynamic Rules dialog box from the Policy Dynamic Rules tab. See Policy Dynamic Rules Tab for more information.
Related Topics
•Advanced NAT Options Dialog Box
•Select Address Pool Dialog Box
Field Reference
|
|
---|---|
Enable Rule |
If checked, the rule is enabled. Deselect this option to disable the rule without deleting it. |
Original: Interface |
Enter the name of (or Select) the device interface to which the rule applies. |
Original: Sources |
Enter IP addresses for (or Select) the source hosts and network objects to which the rule applies. Multiple entries must be separated by commas. |
Translated: Pool |
Enter (or Select) the ID number of the pool of addresses used for translation; clicking Select opens the Select Address Pool Dialog Box. Enter a value of zero to specify this as an identity NAT rule. |
Translated: Direction |
The rule can be applied to Inbound or Outbound traffic, as specified with this option. |
Traffic flow: Destinations |
Enter IP addresses for (or Select) the destination hosts and network objects to which the rule applies. Multiple entries must be separated by commas. |
Traffic flow: Services |
Enter (or Select) the services to which the rule applies. Multiple entries must be separated by commas. |
Category |
To assign the rule to a category, choose the category from this list. Categories can help identify rules and objects using labels and color-coding. To define categories, select Tools > Policy Object Manager > Category. See Using Category Objects, page 8-6 for more information. Note No commands are generated for the Category attribute. |
Description |
Enter a description of the rule. |
Advanced button |
Click to open the Advanced NAT Options Dialog Box to configure advanced settings for this rule. |
Use the Static Rules tab of the Translation Rules page to view and configure static translation rules for a security appliance or shared policy.
Navigation Path
You can access the Static Rules tab from the Translation Rules page. See Translation Rules Page for more information.
Related Topics
•Add/Edit Static Rule Dialog Box
•Advanced NAT Options Dialog Box
Field Reference
Note The following table describes standard Static Rule elements. Additional columns for elements defined in the Advanced NAT Options dialog box can be displayed by right-clicking any column heading. (All columns are displayed by default on the General Tab.) Refer to Table Columns and Column Heading Features, page 2-18 for more information about showing and hiding specific columns.
|
|
---|---|
Filter |
Click the arrow preceding the Filter label to show or hide the filtering bar, which you can use to filter the information displayed in the Static Rules table. For more information about using the filtering bar, see Filtering Tables, page 2-16. |
|
|
Note Hatching (a series of slanted lines) across an entry in the table indicates that rule is currently disabled. (See Enable Rule in Add/Edit Static Rule Dialog Box for information about enabling and disabling these rules.) |
|
No. |
Rules are evaluated sequentially in the order listed. This number indicates the rule's position in the ordering of the list. You can use the Up Row and Down Row buttons to change the position of the selected rule, but do not change the rule order unless absolutely necessary. |
Original Interface |
The ID of the device interface to which the rule is applied. |
Original Address |
The object names or IP addresses of the source hosts and networks to which the rule applies. |
Local Port |
The port number supplied by the host or network (static PAT only). |
Translated Interface |
The interface on which the translated addresses are to be used. |
Translated Address |
The translated addresses. |
Global Port |
The port number to which the original port number will be translated (static PAT only). |
Destination |
The object names and IP addresses of the destination hosts or networks to which the rule applies. |
Service |
The services to which the rule applies. |
Protocol |
The protocol to which the rule applies. |
Nailed |
Whether TCP state tracking and sequence checking is skipped for the connection: true or false. (This value is a product of device discovery; it cannot be changed in Security Manager.) |
Category |
The category to which the rule is assigned. Categories use labels and color-coding to help identify rules and objects. To define and edit categories, select Tools > Policy Object Manager > Category. Refer to Using Category Objects, page 8-6 for more information. Note No commands are generated for the Category attribute. |
Description |
The description of the rule, if provided. |
Find/Replace button |
Opens the Find and Replace window; used to locate policy objects, text strings, or IP addresses in the Static Rules table. See Find and Replace Dialog Box, page I-91 for more information about using this feature. |
Up Row |
Moves the selected entry one row higher in the table. |
Down Row |
Moves the selected entry one row lower in the table. |
Add Row |
Opens the Add/Edit Static Rule Dialog Box; lets you define a new static rule. |
Edit Row |
Opens the Add/Edit Static Rule Dialog Box; lets you edit the rule currently selected in the Static Rules table. |
Delete Row |
Deletes the selected entry from the Static Rules table. A confirmation dialog box may appear; click OK to delete the entry. |
Use the Add/Edit Static Rule dialog box to add or edit static translation rules for a firewall device or shared policy.
Navigation Path
You can access the Add/Edit Static Rule dialog box from the Static Rules tab. See the Static Rules Tab for more information.
Related Topics
•Advanced NAT Options Dialog Box
Field Reference
|
|
---|---|
Enable Rule |
If checked, the rule is enabled. Deselect this option to disable the rule without deleting it. |
Translation Type |
Select the type of translation for this rule: NAT or PAT. |
Original Interface |
Enter (or Select) the device interface connected to the host or network with original addresses to be translated. |
Original Address |
Enter (or Select) the source address to be translated. |
Translated Interface |
Enter (or Select) the interface on which the translated addresses are to be used. To specify this as an identity NAT rule, enter the same interface in both this and the Original Interface fields. |
Use Interface IP/Use Selected Address |
Specify the address used for the Translated Interface: select Use Interface IP (address), or select Use Selected Address and enter an address, or Select a network/host object. |
Enable Policy NAT |
Select this option to enable Policy NAT for this translation rule. |
Dest Address |
If Policy NAT is enabled, specify the destination addresses of the hosts or networks to which the rule applies. |
Services |
If PAT is the selected Translation Type, specify the services to which the rule applies. Note For Static NAT, IP is the only Service that can be specified. |
Protocol |
If PAT is the selected Translation Type, select the protocol, TCP or UDP, to which the rule applies. |
Original Port |
If PAT is the selected Translation Type, enter the port number to be translated. |
Translated Port |
If PAT is the selected Translation Type, enter the port number to which the original port number will be translated. |
Category |
To assign the rule to a category, choose the category from this list. Categories can help identify rules and objects using labels and color-coding. To define categories, select Tools > Policy Object Manager > Category. See Using Category Objects, page 8-6 for more information. Note No commands are generated for the Category attribute. |
Description |
Enter a description of the rule. |
Advanced button |
Click to open the Advanced NAT Options Dialog Box to configure advanced settings for this rule. |
Use the General tab of the Translation Rules page to view all current translation rules. The translation rules are listed in the order that they will be evaluated on the device.
Note The General tab is only visible for PIX, ASA and FWSM devices in router mode, and FWSM 3.2 devices in transparent mode. Other devices in transparent mode support only static translation rules and do not need to display summary information.
Navigation Path
You can access the General tab from the Translation Rules page. See Translation Rules Page for more information.
Related Topics
•Translation Exemptions (NAT 0 ACL) Tab
Field Reference
|
|
---|---|
Filter |
Click the arrow preceding the Filter label to show or hide the filtering bar, which you can use to filter the information displayed in the Translation Rules Summary table. For more information about using the filtering bar, see Filtering Tables, page 2-16. |
|
|
Note Hatching (a series of slanted lines) across an entry in the table indicates that rule is currently disabled. (See Enable Rule in Add/Edit Dynamic Translation Rule Dialog Box for information about enabling and disabling these rules.) |
|
No. |
Rules are evaluated sequentially in the order listed. This number indicates the rule's position in the ordering of the list. |
Type |
The type of translation rule; for example, Static, Dynamic, Exemption, etc. |
Action |
Displays "exempt" if the rule is exempt from NAT. |
Original Interface |
The ID of the device interface to which the rule is applied. |
Original Address |
The object names or IP addresses of the source hosts and networks to which the rule applies. |
Local Port |
The port number supplied by the host or network (for static PAT). |
Translated Pool |
The ID number of the address pool used for translation. |
Translated Interface |
The interface on which the translated addresses are to be used. |
Translated Address |
The translated addresses. |
Global Port |
The port number to which the original port number will be translated (for static PAT). |
Destination |
The object names and IP addresses of the destination hosts or networks to which the rule applies. |
Protocol |
The protocol to which the rule applies. |
Service |
The services to which the rule applies. |
Direction |
The traffic direction (Inbound or Outbound) on which the rule is applied. |
DNS Rewrite |
Whether the DNS Rewrite option is enabled: Yes or No. This option is set in the Advanced NAT Options Dialog Box. |
Maximum TCP Connections |
The maximum number of TCP connections allowed to connect to the statically translated IP address. If zero, the number of connections is unlimited. This option is set in the Advanced NAT Options Dialog Box. |
Embryonic Limit |
The number of embryonic connections allowed to form before the security appliance begins to deny these connections. If zero, the number of connections is unlimited. A positive number enables the TCP Intercept feature. This option is set in the Advanced NAT Options Dialog Box. |
Maximum UDP Connections |
The maximum number of UDP connections allowed to connect to the statically translated IP address. If zero, the number of connections is unlimited. This option is set in the Advanced NAT Options Dialog Box. |
Timeout |
For PIX 6.x devices, this is the timeout value for a static translation rule. This value overrides the default translation timeout specified in Platform > Security > Timeouts. A Timeout value of 00:00:00 here means that translations matching this rule should use the default translation timeout specified in Platform > Security > Timeouts. |
Randomize Sequence Number |
Whether the security appliance will randomize the sequence number of TCP packets: Yes or No. This option is set in the Advanced NAT Options Dialog Box, and is enabled by default. |
Category |
The category to which the rule is assigned. Categories use labels and color-coding to help identify rules and objects. To define and edit categories, select Tools > Policy Object Manager > Category. Refer to Using Category Objects, page 8-6 for more information. Note No commands are generated for the Category attribute. |
Description |
The description of the rule, if provided. |
Use the Advanced NAT Options dialog box to configure the advanced connection settings—DNS Rewrite, Maximum TCP and Maximum UDP Connections, Embryonic Limit, Timeout (PIX 6.x), and Randomize Sequence Number—for NAT and Policy NAT. You can also configure these options for Translation Exemption (NAT 0 ACL) rules on an FWSM.
Navigation Path
You can access the Advanced NAT Options dialog box by clicking the Advanced button when adding or editing a translation rule. See the following topics for more information:
•Add/Edit Translation Exemption (NAT-0 ACL) Rule Dialog Box
•Add/Edit Dynamic Translation Rule Dialog Box
•Add/Edit Policy Dynamic Rules Dialog Box
•Add/Edit Static Rule Dialog Box
Related Topics
Field Reference
The Interfaces page displays configured interfaces, subinterfaces and redundant interfaces, and lets you add, edit and delete them.
Transparent firewall mode allows only two interfaces to pass traffic; however, if your platform includes a dedicated management interface, you can use it (either the physical interface or a subinterface) as a third interface for management traffic.
If you bootstrapped a new security device, the set-up feature configures only the addresses and names associated with the inside interface. You must define the remaining interfaces on that device before you can specify access and translation rules for traffic traversing that firewall device.
The Interfaces page settings vary based on the selected device type and version, the operational mode (routed versus transparent), and whether the device hosts single or multiple contexts. Thus, some fields in the following table might not apply, depending on the device you are configuring.
Navigation Path
To access the Interfaces page, select a security device in Device View and then select Interfaces from the Device Policy selector.
Related Topics
•Configuring Firewall Device Interfaces, page 14-2
•Using the Add/Edit Interface Dialog Box, page 14-6
Field Reference
|
|
---|---|
|
|
Interface Type |
The kind of interface. This value is derived from the hardware ID setting of the selected interface, or selection of the Redundant Interface option. Valid options are: •Ethernet •GigabitEthernet •TenGigabitEthernet (ASA 5580 only) •Redundant |
Name |
The interface ID. All physical interfaces are listed automatically. For ASA/PIX 7.0 devices, subinterfaces are indicated by the interface ID followed by |
IP Address |
The IP address of the interface, or in transparent mode, the word "native." Transparent mode interfaces do not use IP addresses. |
IP Address Type |
The method by which the IP address is provided. Valid options are: •static - The IP address is manually defined. •dhcp - The IP address is obtained via a DHCP lease. •pppoe - The IP address is obtained using PPPoE. |
Interface Role |
Lists the interface roles associated with the interface. Interface roles are objects that are replaced with the actual interface IP addresses when the configuration is generated for each device. They allow you to define generic rules—ones that can apply to multiple interfaces. Valid options include: •All-Interfaces - The interface is a member of the default role assigned to all interfaces. •Internal - This interface is a member of the default role associated with all inside interfaces. •External - This interface is a member of the default role associated with all outside interfaces. For more information on roles and how to define and use them, see Understanding Interface Role Objects, page 8-33. |
Hardware Port |
Identifies the type of interface installed in the device, as well as the port or slot where the interfaces is installed. For subinterfaces, this value identifies the physical interface with which the subinterfaces is associated. |
Enabled |
Indicates if the interface is enabled: true or false. By default, all physical interfaces are shut down. You must enable the physical interface before any traffic can pass through an enabled subinterface. In multiple-context mode, if you allocate a physical interface or subinterface to a context, the interfaces are enabled by default in the context. However, before traffic can pass through the context interface, you must also enable the interface in the system configuration. If you shut down an interface in the system execution space, that interface is down in all contexts that share it. |
VLAN ID |
For a subinterface, this is the VLAN ID, an integer between 1 and 4094. Some VLAN IDs might be reserved on connected switches, so check the switch documentation for more information. For multiple-context mode, you can only set the VLAN ID in the system configuration. If this value is not specified, the column displays native. |
Security Level |
The interface security level; a value between 0 and 100. |
Management Only |
Indicates whether the interface allows traffic to the security appliance for management purposes only: true or false. |
MTU |
The maximum transmission unit (MTU); that is, the maximum packet size, in bytes, that the interface can handle. By default, the MTU is 1500. |
Member |
Indicates whether this interface is a member of a redundant interface pair: true or false. |
Description |
A description of the interface. In the case of a failover or state link, the description is fixed as "LAN Failover Interface," "STATE Failover Interface," or "LAN/STATE Failover Interface," for example. You cannot edit this description. |
ASR Group |
If this interface is part of an asymmetric routing group, this is its ASR group number. Stateful failover must be enabled for asymmetric routing support to function properly between units in failover configurations. Valid values for ASR group range from 1 to 32. |
Use the Add/Edit Interface dialog box to add or edit an interface, subinterface, or redundant interface. See About Redundant Interfaces, page 14-4 for more information about redundant interfaces.
You can enable communication between interfaces on the same security level. Inactive interfaces can be disabled. When disabled, the interface does not transmit or receive data, but the configuration information is retained.
In multiple-context mode, you can only add interfaces in the system configuration. See the Configuring Security Contexts on Firewall Devices, page 14-82 page for information about assigning interfaces to contexts.
If you intend to use a physical interface for failover, do not configure the interface in this dialog box; instead, use the Failover page. In particular, do not specify an interface name, as this parameter disqualifies the interface from being used as the failover link; other parameters are ignored.
After you assign the interface as the failover link or state link, you cannot edit or delete the interface from the Interfaces page. The only exception is if you set a physical interface to be the state link, then you can configure the speed and duplex.
The options appearing in the Add/Edit Interface dialog box vary based on the selected device type, the mode of the device (routed or transparent), and the type of interface you are defining, such as physical, virtual, logical, or subinterface. See the following sections for specific information:
•Add/Edit Interface Dialog Box (PIX/ASA)
•Add/Edit Interface Dialog Box (ASA 5505)
•Add/Edit Interface Dialog Box (PIX 6.3)
Navigation Path
You can access the Add/Edit Interface dialog box from the Interfaces page. For more information, see Interfaces Page: PIX and ASA.
Related Topics
•Configuring Firewall Device Interfaces, page 14-2
•ASA 5505 Ports and Interfaces Page
•Advanced Interface Settings Dialog Box
The Add/Edit Interface dialog box is used to define and configure interfaces.
|
|
---|---|
Enable Interface |
Enables this interface to pass traffic. In addition to this setting, you need to set an IP address (for routed mode) and a name before traffic can pass according to your security policy. By default, all physical interfaces are shut down. You must enable the physical interface before any traffic can pass through an enabled subinterface. For multiple context mode, if you allocate a physical interface or subinterface to a context, the interfaces are enabled by default in the context. However, before traffic can pass through the context interface, you must also enable the interface in the system configuration. If you shut down an interface in the system execution space, that interface is down in all contexts that share it. |
Management Only |
Sets the interface to accept traffic to the security appliance only, and not through traffic. |
Redundant Interface |
Select this option to define a "redundant interface." When this option is checked, the Type option is disabled, the Hardware Port, Duplex and Speed options disappear, and the Redundant ID, Primary Interface and Secondary Interface options appear. See About Redundant Interfaces, page 14-4 for more information. |
Type |
Type of interface. Valid values are: •Interface - Settings represent a physical interface. •Subinterface - Settings represent a logical interface attached to the same network as its underlying physical interface. Note This option is not available when Redundant Interface is selected. |
Name |
Sets an interface name up to 48 characters in length. The name should be a logical name of the interface that relates to its use. Supported interface names are: •Inside - Connects to your internal network. Must be most secure interface. •DMZ - Demilitarized zone attached to an intermediate interface. DMZ is also known as a perimeter network. You can name a DMZ interface any name you choose. Typically, DMZ interfaces are prefixed with "DMZ" to identify the interface type. •Outside - Connects to an external network or the Internet. Must be least secure interface. Note Do not name this interface if you intend to use it for device failover, or as a member of a redundant interface. |
Hardware Port |
For a physical interface, this is the specific hardware port assigned to the interface. This value also represents a name by which subinterfaces can be associated with the interface. Valid values are: •Ethernet0 to Ethernetn •GigabitEthernet0 to GigabitEthernetn •GigabitEthernets/n •TenGigabitEthernets/n (ASA 5580 only) where s represents a slot number, and n represents a port number, up to the maximum number of network ports in the slot or device. For a subinterface, choose any enabled physical interface to which the subinterface is to be assigned. If you do not see an interface ID, be sure that Interface is defined and enabled. Note This option is not visible when Redundant Interface is selected. |
Subinterface ID |
Sets the subinterface ID as an integer between 1 and 4294967293. The number of subinterfaces allowed depends on your platform. Note You cannot change the ID after you set it. |
Media Type |
When you enter a hardware port ID with slot/port numbers in the Hardware Port field, the Media Type options are enabled. Specify the media type for the interface: •RJ45 - Port uses RJ-45 connectors. •SFP - Port uses fiber SFP connectors. Required for TenGigabitEthernet interface cards. |
Redundant ID |
Available only if Redundant Interface is checked. Provide an identifier for this redundant interface; valid IDs are the integers from 1 to 8. |
Primary Interface |
Available only if Redundant Interface is checked. Choose the primary member of the redundant interface pair from this list of available interfaces. Available interfaces are presented by Hardware Port IDs, as named interfaces cannot be used for a redundant interface pair. Note Member interfaces must be enabled and of the same type (e.g., GigabitEthernet), and cannot have a Name, IP Address, or Security Level assigned. In fact, do not configure any options other than Duplex and Speed on the member interfaces. |
Secondary Interface |
Available only if Redundant Interface is checked. Choose the secondary member of the redundant interface pair from this list of available interfaces. Available interfaces are presented by Hardware Port IDs, as named interfaces cannot be used for a redundant interface pair. Note Member interfaces must be enabled and of the same type (e.g., GigabitEthernet), and cannot have a Name, IP Address, or Security Level assigned. In fact, do not configure any options other than Duplex and Speed on the member interfaces. |
IP Type |
Specifies the address type for the interface. •Static IP - Assigns a static IP address and mask to the interface. •Use DHCP - Assigns a dynamic IP address and mask to the interface. •PPPoE - Provides an authenticated method of assigning an IP address to the interface. Note You can configure DHCP and PPPoE only on the outside interface of a firewall device. |
IP Address |
Specifies the IP address for the device. For a static IP address, select the Use Static IP option and then enter the IP address and mask in the IP Address field. To obtain the IP address from a DHCP server, select the Obtain Address via DHCP option. •IP address must be unique for each interface. •The IP address is blank for interfaces that use dynamic addressing. Note Do not use addresses previously used for routers, hosts, or any other firewall device commands, such as an IP address in the global pool or a static NAT entry. |
Subnet Mask |
Network mask for IP address of interface. You can express the value in dotted decimal format (for example, 255.255.255.0) or by entering the number of bits in the network mask (for example, 24). Note Do not use 255.255.255.254 or 255.255.255.255 for an interface connected to the network because this will stop traffic on that interface. |
DHCP Learned Route Metric |
Available only if Use DHCP is selected for IP Type. |
Obtain default route using DHCP |
Available only if Use DHCP is selected for IP Type. If selected, the firewall device sets the default route using the default gateway parameter the DHCP server returns. Otherwise, you must manually define the default route as a static route on the Static Route Page. |
Enable Tracking for DHCP Learned Route |
Available only if Use DHCP is selected for IP Type. |
VPDN Group Name |
Available only if PPPoE is selected for IP Type. |
PPPoE Learned Route Metric |
Available only if PPPoE is selected for IP Type. |
Obtain Default Route using PPPoE |
Available only if PPPoE is selected for IP Type. If selected, the firewall device sets the default route using the default gateway parameter the PPPoE server returns. Otherwise, you must manually define the default route as a static route on the Static Route Page. |
Enable Tracking for PPPoE Learned Route |
Available only if PPPoE is selected for IP Type. |
VLAN ID |
For a subinterface, sets the VLAN ID, between 1 and 4094. Some VLAN IDs might be reserved on connected switches, so see the switch documentation for more information. For multiple context mode, you can only set the VLAN in the system configuration. |
Duplex |
Lists the duplex options for the interface, including Full, Half, or Auto, depending on the interface type. For TenGigabitEthernet (ASA 5580 only), Duplex is automatically set to Full. Note This option is not visible when Redundant Interface is selected. |
Speed |
Lists the speed options for a physical interface; not applicable to logical interfaces. The speeds available depend on the interface type. •10 •100 •1000 •10000 (set automatically for a TenGigabitEthernet interface; available only on ASA 5580) •non-negotiable Note This option is not visible when Redundant Interface is selected. |
MTU |
Sets the number of bytes in the maximum transmission unit (MTU). The value depends on the type of network connected to the interface. Valid values are 300 - 65535 bytes. Default is 1500 for all types except PPPoE, for which the default is 1492. For multiple context mode, set the MTU in the context configuration. |
Description |
Sets an optional description up to 240 characters on a single line, without carriage returns. For multiple context mode, the system description is independent of the context description. For a failover or state link, the description is fixed as "LAN Failover Interface," "STATE Failover Interface," or "LAN/STATE Failover Interface," for example. You cannot edit this description. The fixed description overwrites any description you enter here if you make this interface a failover or state link. |
Security Level |
Sets the security level of the interface. Value are between 0 (lowest) and 100 (highest). The security appliance lets traffic flow freely from an inside network to an outside network (lower security level). Many other security features are affected by the relative security level of two interfaces. •Outside interface is always 0. •Inside interface is always 100. •DMZ interfaces are between 1-99. |
Active MAC Address |
Use this field to manually assign a private MAC address to the interface. MAC addresses are provided in H.H.H format, where H is a 16-bit hexadecimal digit. For example, the MAC address 00-0C-F1-42-4C-DE would be entered as 000C.F142.4CDE. By default, a physical interface uses the burned-in MAC address, and all its subinterfaces use the same burned-in MAC address. A redundant interface uses the MAC address of the primary interface, and if you change the order of the member interfaces, the MAC address of the redundant interface changes to match the MAC address of the interface that is now listed first. If you assign a MAC address to a redundant interface using this field, it is used regardless of the member interface MAC addresses. |
Standby MAC Address |
You also can set a standby MAC address for use with device-level failover. If the active unit fails over and the standby unit becomes active, the new active unit begins using the active MAC addresses to minimize network disruption, while the old active unit uses the standby address. |
Roles |
Lists the interface roles associated with the interface. Interface roles are objects that are replaced with the actual interface IP addresses when the configuration is generated for each device. They allow you to define generic rules—ones that can apply to multiple interfaces. Default options include: •All-Interfaces - Indicates the interface is a member of the default role assigned to all interfaces. •Internal - Indicates this interface is a member of the default role associated with all inside interfaces. •External - Indicates this interface is a member of the default role associated with all outside interfaces. For more information on roles and how to define and use them, see Understanding Interface Role Objects, page 8-33. |
The Add/Edit Interface dialog box presented on an ASA 5505 lets you configure VLAN interfaces on the device. You can access the dialog box from the Interfaces tab on the ASA 5505 Ports and Interfaces Page.
|
|
---|---|
Enable Interface |
Enables this interface to pass traffic. In addition to this setting, you need to set an IP address (for routed mode) and a name before traffic can pass according to your security policy. |
Management Only |
Reserves this interface for device administration. Only traffic for management of this device is accepted; pass-through traffic for other interfaces and devices is rejected. You cannot set a primary or backup ISP interface to be management only. |
Name |
Sets an interface name up to 48 characters in length. The name should be a logical name for the interface that relates to its use. If you are using failover, do not name interfaces that you are reserving for failover communications. Supported interface names are: •Inside—Connects to your internal network. Must be most secure interface. •DMZ—"Demilitarized zone" attached to an intermediate interface. DMZ is also known as a perimeter network. You can name a DMZ interface any name you choose. Typically, DMZ interfaces are prefixed with DMZ to identify the interface type. •Outside—Connects to an external network or the Internet. Must be least secure interface. |
IP Type |
Specifies the address type for the interface; choose one of the following methods and provide related parameters: •Static IP - Provide a static IP Address and Subnet Mask that represents the security device on this interface's connected network. If you omit the Subnet Mask value, a "classful" network is assumed. •Use DHCP - Enables Dynamic Host Configuration Protocol (DHCP) for automatic assignment of an IP address from a DHCP server on the connected network. The following options become available: –DHCP Learned Route Metric (required) - Assign an administrative distance to the learned route. Valid values are 1 to 255. If this field is blank, the administrative distance for learned routes defaults to 1. –Obtain Default Route using DHCP - Select this option to obtain a default route from the DHCP server so that you do not need to configure a default static route. See also Static Route Page. –Enable Tracking for DHCP Learned Route - If Obtain Default Route using DHCP is selected, you can select this option to enable route tracking via a specific Service Level Agreement (SLA) monitor. The following options become available: –Tracked SLA Monitor - Required if Enable Tracking for DHCP Learned Route is selected. Provide the name of the SLA Monitor object to be used for route tracking. You can use the Select button to select from a list of available SLA monitors. (Refer to Monitoring Service Level Agreements (SLAs) To Maintain Connectivity, page 8-77 for more information.) |
IP Type (continued) |
•PPPoE (PIX and ASA 7.2+) - Enables PPPoE for automatic assignment of an IP address of an IP address from a PPPoE server on the connected network; not supported with failover. –VPDN Group Name (required) - Virtual Private Dialup Network (VPDN) group that contains the authentication method and user name/password to use for network connection, negotiation and authentication. See Managing VPDN Groups, page 14-16 for more information. –IP Address - If provided, this static IP address is used for connection and authentication, instead of a negotiated address. –Subnet Mask - The subnet mask to be used in conjunction with the provided IP Address. –PPPoE Learned Route Metric (required) - Assign an administrative distance to the learned route. Valid values are 1 to 255. If this field is blank, the administrative distance for learned routes defaults to 1. –Obtain Default Route using PPPoE - Select this option to obtain a default route from the PPPoE server; sets the default routes when the PPPoE client has not yet established a connection. When using this option, you cannot have a statically defined route in the configuration. –Enable Tracking for PPPoE Learned Route - If Obtain Default Route using PPPoE is selected, you can select this option to enable route tracking for PPPoE-learned routes. The following options become available: –Dual ISP Interface - If you are defining interfaces for dual ISP support, choose Primary or Secondary to indicate which connection you are configuring. –Tracked SLA Monitor - Required if Enable Tracking for DHCP Learned Route is selected. Provide the name of the SLA Monitor object to be used for route tracking. You can use the Select button to select from a list of available SLA monitors. (Refer to Monitoring Service Level Agreements (SLAs) To Maintain Connectivity, page 8-77 for more information.) Note You can configure DHCP and PPPoE only on the outside interface of a security appliance. Note Do not use addresses previously used for routers, hosts, or any other firewall device commands, such as an IP address in the global pool or a static NAT entry. |
MTU |
Sets the number of bytes in the maximum transmission unit (MTU). The value depends on the type of network connected to the interface. Valid values are 300-65535 bytes. Default is 1500 for all types except PPPoE, for which the default is 1492. For multiple context mode, set the MTU in the context configuration. |
VLAN ID |
Sets the VLAN ID, between 1 and 4090. For multiple-context mode, you can only set the VLAN ID in the system configuration. |
Security Level |
Sets the security level of the interface. Value are between 0 (lowest) and 100 (highest). The security appliance lets traffic flow freely from an inside network to an outside network (lower security level). Many other security features are affected by the relative security level of two interfaces. •Outside interface is always 0. •Inside interface is always 100. •DMZ interfaces are between 1-99. |
Block Traffic To |
Restricts this VLAN interface from initiating contact with the VLAN chosen here. |
Backup Interface |
Choose a backup ISP for this interface. The backup interface does not pass traffic unless the default route through the primary interface fails. To ensure that traffic can pass over the backup interface, be sure to configure default routes on both the primary and backup interfaces so that the backup interface can be used when the primary fails. |
Active MAC Address |
Use this field to manually assign a MAC address to the interface. MAC addresses are provided in H.H.H format, where H is a 16-bit hexadecimal digit. For example, the MAC address 00-0C-F1-42-4C-DE would be entered as 000C.F142.4CDE. |
Standby MAC Address |
If you assign an Active MAC Address, you also can assign a Standby MAC Address. |
Description |
Sets an optional description up to 240 characters on a single line, without carriage returns. For multiple-context mode, the system description is independent of the context description. For a failover or state link, the description is fixed as "LAN Failover Interface," "STATE Failover Interface," or "LAN/STATE Failover Interface," for example. You cannot edit this description. The fixed description overwrites any description you enter here if you make this interface a failover or state link. |
Roles |
Lists the interface roles associated with the interface. Interface roles are objects that are replaced with the actual interface IP addresses when the configuration is generated for each device. They allow you to define generic rules—ones that can apply to multiple interfaces. Default options include: •All-Interfaces—Indicates the interface is a member of the default role assigned to all interfaces. •Internal—Indicates this interface is a member of the default role associated with all inside interfaces. •External—Indicates this interface is a member of the default role associated with all outside interfaces. For more information on roles and how to define and use them, see Understanding Interface Role Objects, page 8-33. |
|
|
---|---|
Enable Interface |
Enables this interface to pass traffic. In addition to this setting, you must specify an IP address and a name before traffic can pass according to your security policy. You must enable a physical interface before any traffic can pass through any enabled subinterfaces. |
Type |
Type of VLAN interface. Valid values are: •Logical—VLAN is associated with a logical interface. •Physical—VLAN is on the same network as its underlying hardware interface. |
Name |
Sets an interface name up to 48 characters in length. The name should be a logical name of the interface that relates to its use. Supported interface names are: •Inside—Connects to your internal network. Must be most secure interface. •DMZ—Demilitarized zone (Intermediate interface). Also known as a perimeter network. •Outside—Connects to an external network or the Internet. Must be least secure interface. |
Hardware Port |
When defining a physical network interface, this value represents the name identifies the interface type and its slot or port in the device. When you add a logical network interface, you can choose any enabled physical interface to which you want to add a logical interface. If you do not see the desired hardware port, verify that the interface is enabled. Valid values are: •ethernet0 to ethernetn. •gb-ethernetn. where n represents the number of network interfaces in the device. |
IP Type |
Specifies the address type for the interface. •Static IP—Assigns a static IP address and mask to the interface. •Use DHCP—Assigns a dynamic IP address and mask to the interface. •Use PPPoE—Provides an authenticated method of assigning an IP address to the interface. Note You can configure DHCP and PPPoE only on the outside interface of a firewall device. |
IP Address |
Identifies the IP address of the interface. This field is available if Static IP or PPPoE is the IP type. •IP address must be unique for each interface. •The IP address is blank for interfaces that use dynamic addressing. Note Do not use addresses previously used for routers, hosts, or any other firewall device commands, such as an IP address in the global pool or a static NAT entry. For a static IP address, select Static IP from the IP Type list and then enter the IP address and mask in the IP Address field. To obtain the IP address from a DHCP server, select Use DHCP from the IP Type list. |
Subnet Mask |
Identifies the network mask for IP address of the interface. You can express the value in dotted decimal format (for example, 255.255.255.0) or by entering the number of bits in the network mask (for example, 24). Note Do not use 255.255.255.254 or 255.255.255.255 for an interface connected to the network because those mask values stop traffic on that interface. |
Obtain Default Route using DHCP |
Available only if Use DHCP is selected for IP Type. If selected, the firewall device sets the default route using the default gateway parameter the DHCP server returns. Otherwise, you must manually define the default route as a static route on the Static Route Page. |
Retry Count |
Identifies the number of tries before an error is returned. Valid values are 4 through 16. |
Obtain default route using PPPoE |
Available only if Use PPPoE is selected for IP Type. If selected, the PPPoE client on the firewall device queries the concentrator for a default route. Otherwise, the firewall device generates a default route using the address of the concentrator as the default gateway. |
Speed and Duplex |
Lists the speed options for a physical interface; not applicable to logical interfaces. •auto—Set Ethernet speed automatically. The auto keyword can be used only with the Intel 10/100 automatic speed sensing network interface card. •10baset—10-Mbps Ethernet half-duplex. •10full—10-Mbps Ethernet full-duplex. •100basetx—100-Mbps Ethernet half-duplex. •100full—100-Mbps Ethernet full-duplex. •1000auto—1000-Mbps Ethernet to auto-negotiate full- or half -duplex. •1000full—Auto-negotiate, advertising 1000-Mbps Ethernet full-duplex. •1000full nonnegotiate—1000-Mbps Ethernet full-duplex. •aui—10-Mbps Ethernet half-duplex communication with an AUI cable interface. •bnc—10-Mbps Ethernet half-duplex communication with a BNC cable interface. Note We recommend that you specify the speed of the network interfaces in case your network environment includes switches or other devices that do not handle autosensing correctly. |
MTU |
Sets the number of bytes in the maximum transmission unit (MTU). The value depends on the type of network connected to the interface. Valid values are 300-65535 bytes. Default is 1500 for all types except PPPoE, for which the default is 1492. |
Physical VLAN ID |
For a physical interface, sets the VLAN ID, between 1 and 4094. This VLAN ID must not be in use on connected devices. |
Logical VLAN ID |
Identifies the alias, a value between 1 and 4094, of the VLAN associated with this logical interface. This value is required if the logical interface type is selected. |
Security Level |
Sets the security level of the interface. Value are between 0 (lowest) and 100 (highest). The security appliance lets traffic flow freely from an inside network to an outside network (lower security level). Many other security features are affected by the relative security level of two interfaces. •Outside interface is always 0. •Inside interface is always 100. •DMZ interfaces are between 1 and 99. |
Roles |
Lists the interface roles associated with the interface. Interface roles are objects that are replaced with the actual interface IP addresses when the configuration is generated for each device. They allow you to define generic rules—ones that can apply to multiple interfaces. Default options include: •All-Interfaces—Indicates the interface is a member of the default role assigned to all interfaces. •Internal—Indicates this interface is a member of the default role associated with all inside interfaces. •External—Indicates this interface is a member of the default role associated with all outside interfaces. For more information on roles and how to define and use them, see Understanding Interface Role Objects, page 8-33. |
Navigation Path
You can access the Advanced Interface Settings dialog box from the Interfaces page or the Interfaces tab on the ASA 5505 Ports and Interfaces page. For more information about these pages, see Interfaces Page: PIX and ASA or ASA 5505 Ports and Interfaces Page.
Related Topics
•Configuring Firewall Device Interfaces, page 14-2
•ASA 5505 Ports and Interfaces Page
•Add/Edit Interface Dialog Box
•FWSM Add/Edit Interface Dialog Box
Field Reference
Navigation Path
You can access the Add VPND Group dialog box from the Advanced Interface Settings dialog box. For more information about the Advanced Interface Settings dialog box, see Advanced Interface Settings Dialog Box.
Related Topics
•Configuring Firewall Device Interfaces, page 14-2
•ASA 5505 Ports and Interfaces Page
•Add/Edit Interface Dialog Box
•FWSM Add/Edit Interface Dialog Box
•Advanced Interface Settings Dialog Box
Field Reference
Navigation Path
You can access the PPPoE Users dialog box from the Advanced Interface Settings dialog box and from the Add VPND Group dialog box. For more information about the Advanced Interface Settings dialog box, see Advanced Interface Settings Dialog Box. For more information about the Add VPND Group dialog box, see Add VPND Group Dialog Box.
Related Topics
•Configuring Firewall Device Interfaces, page 14-2
•ASA 5505 Ports and Interfaces Page
•Add/Edit Interface Dialog Box
•FWSM Add/Edit Interface Dialog Box
•Advanced Interface Settings Dialog Box
•Add and Edit PPPoE User Dialog Boxes
Field Reference
Navigation Path
You can access the Add PPPoE User and Edit PPPoE User dialog boxes from the PPPoE Users dialog box. For more information about the PPPoE Users dialog box, see PPPoE Users Dialog Box.
Note The Add PPPoE User and Edit PPPoE User dialog boxes are virtually identical. The following descriptions apply to both.
Related Topics
•Configuring Firewall Device Interfaces, page 14-2
•ASA 5505 Ports and Interfaces Page
•Add/Edit Interface Dialog Box
•FWSM Add/Edit Interface Dialog Box
•Advanced Interface Settings Dialog Box
Field Reference
The FWSM Interfaces page displays the virtual interfaces (VLANs) configured on the selected Firewall Services Module. You can add or delete logical VLAN interfaces, and also enable communication between interfaces on the same security level. Inactive interfaces can be disabled. When disabled, the interface does not transmit or receive packets, but the configuration information is retained.
Note You can add any logical VLAN interface to the FWSM, but only VLANs that are assigned to the FWSM by its parent switch or router can pass traffic.
If you bootstrapped a new firewall device, the setup feature configures only the addresses and names associated with the inside interface. You must define the remaining interfaces on that device before you can specify access and translation rules for traffic traversing that firewall device.
The Interfaces page settings vary based on the device version, the operational mode (routed vs. transparent), and whether the device hosts a single or multiple contexts. Thus, some fields in the following table might not apply, depending on the device you are defining.
Navigation Path
To access this page, select an FWSM in Device View and then select Interfaces from the Device Policy selector.
Related Topics
•Configuring Firewall Device Interfaces, page 14-2
•FWSM Add/Edit Interface Dialog Box
•Add/Edit Bridge Group Dialog Box
•Advanced Interface Settings Dialog Box
Field Reference
|
|
---|---|
|
|
Name |
The name assigned to the interface. |
IP Address |
The IP address and subnet mask assigned to the interface. |
Interface Role |
Lists the interface roles associated with the interface. Interface roles are objects that are replaced with actual interface IP addresses when the configuration is generated for each device. They allow you to define generic rules—ones that can apply to multiple interfaces. Valid options include: •All-Interfaces—The interface is a member of the default role assigned to all interfaces. •Internal—This interface is a member of the default role associated with all inside interfaces. •External—This interface is a member of the default role associated with all outside interfaces. For more information on roles and how to define and use them, see Understanding Interface Role Objects, page 8-33. |
VLAN ID |
The VLAN to which this logical interface is assigned. |
Bridge Group |
The bridge group to which this interface is assigned (transparent mode only). |
Enabled |
Indicates if the interface is enabled: true or false. When disabled, the interface does not transmit or receive packets, but its configuration information is retained. |
Security Level |
Displays the interface security level; a value between 0 and 100. |
Management Only |
Indicates if this interface allows traffic to the security appliance for management purposes only. |
Description |
A description of the interface, if provided. In the case of a failover or state link, the description is fixed as "LAN Failover Interface," "STATE Failover Interface," or "LAN/STATE Failover Interface," for example. You cannot edit this description. |
ASR Group |
Displays the ASR group number if this interface is part of an asymmetric routing group. Stateful failover must be enabled for asymmetric routing support to function properly between units in failover configurations. Valid values for ASR group range from 1 to 32. |
|
|
Bridge Group |
The name of the bridge group. |
ID |
The identifier assigned to this bridge group. |
Interface A |
The first VLAN assigned to this bridge group. |
Interface B |
The second VLAN assigned to this bridge group. |
IP |
The management IP address assigned to the bridge group. The only IP configuration required for the security appliance is to set the management IP address for each bridge group. The security appliance uses this address as the source address for traffic originating on the appliance, such as system messages or communications with AAA servers. You can also use this address for remote management access. A transparent firewall does not participate in IP routing. |
Netmask |
Displays the netmask for the management IP address. |
Description |
The description of this bridge group, if one was provided. |
Use the Add/Edit Interface dialog box to add or edit a virtual interface. In multiple context mode, you can only add interfaces in the system configuration. See the Configuring Security Contexts on Firewall Devices, page 14-82 page to assign interfaces to contexts.
If you intend to use a physical interface for failover, do not configure the interface in this dialog box; instead, use the Failover page. In particular, do not set the interface name, as this parameter disqualifies the interface from being used as the failover link; other parameters are ignored.
After you assign the interface as the failover link or state link, you cannot edit or delete the interface from the Interfaces page. The only exception is if you set a physical interface to be the state link, then you can configure the speed and duplex.
The options appearing in the Add/Edit Interface dialog box vary based on the selected device version, and its mode (routed or transparent).
Navigation Path
You can access the FWSM Add/Edit Interface dialog box from the FWSM Interfaces page. For more information about the Interfaces page, see Interfaces Page: FWSM.
Related Topics
•Configuring Firewall Device Interfaces, page 14-2
•Add/Edit Bridge Group Dialog Box
•Advanced Interface Settings Dialog Box
Field Reference
|
|
---|---|
Enable Interface |
Enables this logical interface on the device. When disabled, the interface does not transmit or receive packets, but its configuration information is retained. Note You can add any logical VLAN interface to the FWSM, but only VLANs that are assigned to the FWSM by its parent switch or router can pass traffic. |
Management Only |
Sets the interface to accept traffic to the security appliance only, and not through traffic. |
Name |
You can assign an alphanumeric alias of up to 48 characters to the VLAN for ease of identification. However, note that Security Manager does not support named interfaces for FWSMs operating in multiple-context mode. Special interface names are: •Inside—Connects to your internal network. Must be most secure interface. •DMZ—Demilitarized zone attached to an intermediate interface. DMZ is also known as a perimeter network. You can name a DMZ interface any name you choose. Typically, DMZ interfaces are prefixed with "DMZ" to identify the interface type. •Outside—Connects to an external network or the Internet. Must be least secure interface. Note You cannot name more than two interfaces on an FWSM operating in transparent mode. |
IP Address |
The IP address for the interface. |
VLAN ID |
Enter the desired VLAN ID between 1 and 4096. Some VLAN IDs might be reserved on connected switches, so see the switch documentation for more information. For multiple-context mode, you can only set the VLAN in the system configuration. |
Security Level |
Sets the security level of the interface. Value are between 0 (lowest) and 100 (highest). The security appliance lets traffic flow freely from an inside network to an outside network (lower security level). Many other security features are affected by the relative security level of two interfaces. •Outside interface is always 0. •Inside interface is always 100. •DMZ interfaces are between 1-99. |
Description |
If desired, you can enter a description of the logical interface. |
Roles |
Lists the interface roles associated with the interface. Interface roles are objects that are replaced with the actual interface IP addresses when the configuration is generated for each device. They allow you to define generic rules—ones that can apply to multiple interfaces. Default options include: •All-Interfaces—Indicates the interface is a member of the default role assigned to all interfaces. •Internal—Indicates this interface is a member of the default role associated with all inside interfaces. •External—Indicates this interface is a member of the default role associated with all outside interfaces. For more information on roles and how to define and use them, see Understanding Interface Role Objects, page 8-33. |
ASR Group |
To add this interface to an asymmetric routing group, enter the ASR group number in this field. Stateful failover must be enabled for asymmetric routing support to function properly between units in failover configurations. Valid values for ASR group range from 1 to 32. |
Use the Add/Edit Bridge Group dialog box to add or edit bridge groups for an FWSM operating in transparent mode.
A transparent firewall connects the same network on its inside and outside interfaces. Each pair of interfaces belongs to a bridge group, to which you must assign a management IP address. You can configure up to eight bridge groups of two interfaces each. Each bridge group connects to a separate network. Bridge group traffic is isolated from other bridge groups; traffic is not routed to another bridge group within the security appliance, and traffic must exit the security appliance before it is routed by an external router back to another bridge group in the security appliance.
You might want to use more than one bridge group if you do not want the overhead of security contexts, or want to maximize your use of security contexts. Although the bridging functions are separate for each bridge group, many other functions are shared between all bridge groups. For example, all bridge groups share a syslog server or AAA server configuration. For complete security policy separation, use security contexts with one bridge group in each context.
Navigation Path
You can access the Add/Edit Bridge Group dialog box from the FWSM Interfaces page. For more information about the Interfaces page, see Interfaces Page: FWSM.
Related Topics
•Configuring Firewall Device Interfaces, page 14-2
•FWSM Add/Edit Interface Dialog Box
•Advanced Interface Settings Dialog Box
Field Reference
The ASA 5505 adaptive security appliance supports a built-in switch. There are two kinds of ports and interfaces that you need to configure:
•Physical switch ports—The adaptive security appliance has eight Fast Ethernet switch ports that forward traffic at Layer 2, using the switching function in hardware. Two of these ports are PoE ports. You can connect these interfaces directly to user equipment such as PCs, IP phones, or a DSL modem. Or you can connect to another switch.
•Logical VLAN interfaces—In routed mode, these interfaces forward traffic between VLAN networks at Layer 3, using the configured security policy to apply firewall and VPN services. In transparent mode, these interfaces forward traffic between the VLANs on the same network at Layer 2, using the configured security policy to apply firewall services.
To segregate the switch ports into separate VLANs, you assign each switch port to a VLAN interface. Switch ports on the same VLAN can communicate with each other using hardware switching. But when a switch port on VLAN 1 wants to communicate with a switch port on VLAN 2, then the adaptive security appliance applies the security policy to the traffic and routes or bridges between the two VLANs.
Note Subinterfaces are not available for the ASA 5505 adaptive security appliance.
Navigation Path
To access this feature, select an ASA 5505 in Device View and then select Interfaces from the Device Policy selector.
Related Topics
•Configuring Firewall Device Interfaces, page 14-2
•Configure Hardware Ports Dialog Box
•Add/Edit Interface Dialog Box (PIX/ASA)
•Advanced Interface Settings Dialog Box
Field Reference
|
|
---|---|
|
|
Hardware Port |
Identifies the switch port. |
Enabled |
Indicates whether this switch port is enabled or not (Yes or No). |
Associated VLANs |
Shows the VLAN or VLANs that are associated with this port. |
Associated Interface Names |
Shows the interface name of the VLAN(s) that are associated with this port. |
Mode |
Shows the mode for this port: •Access Port—Port is in access mode. •Trunk Port—Port is in trunk mode. Trunk mode is available only with the Security Plus license. Trunk ports do not support untagged packets; there is no native VLAN support, and the adaptive security appliance drops all packets that do not contain a tag specified in this command. |
Protected |
Identifies whether the port is isolated or not (Yes or No). This option prevents the switch port from communicating with other protected switch ports on the same VLAN. You might want to prevent switch ports from communicating with each other if the devices on those switch ports are primarily accessed from other VLANs, you do not need to allow intra-VLAN access, and you want to isolate the devices from each other in case of infection or other security breach. For example, if you have a DMZ that hosts three web servers, you can isolate the web servers from each other if you apply the Protected option to each switch port. The inside and outside networks can both communicate with all three web servers, and vice versa, but the web servers cannot communicate with each other. |
|
|
Name |
Displays the interface ID. All physical interfaces are listed automatically. For ASA/PIX 7.0 devices, subinterfaces are indicated by the interface ID followed by .n, where n is the subinterface number. |
IP Address Type |
Specifies the method by which the IP address is provided. Valid options are: •static—Identifies that the IP address is manually defined. •dhcp—Identifies that the IP address is obtained via a DHCP lease. •pppoe—Identifies that the IP address is obtained using PPPoE. |
IP Address |
Displays the IP address, or in transparent mode, the word "native." Transparent mode interfaces do not use IP addresses. |
Block Traffic To |
Displays the interface to which traffic is blocked. |
Backup Interface |
Displays the interface that acts as backup for this interface. |
Interface Role |
Lists the interface roles associated with the interface. Interface roles are objects that are replaced with the actual interface IP addresses when the configuration is generated for each device. They allow you to define generic rules—ones that can apply to multiple interfaces. Valid options include: •All-Interfaces—Indicates the interface is a member of the default role assigned to all interfaces. •Internal—Indicates this interface is a member of the default role associated with all inside interfaces. •External—Indicates this interface is a member of the default role associated with all outside interfaces. For more information on roles and how to define and use them, see Understanding Interface Role Objects, page 8-33. |
Enabled |
Indicates if the interface is enabled (Yes or No). |
Vlan ID |
Identifies the VLAN ID for this interface. |
Security Level |
Displays the interface security level between 0 and 100. |
Management Only |
Indicates if the interface allows traffic to the security appliance or for management purposes only. |
MTU |
Displays the MTU. By default, the MTU is 1500. |
Description |
Displays a description of the interface. |
Use the Configure Hardware Ports dialog box to configure the switch ports on an ASA 5505, including setting the mode, assigning a switch port to a VLAN, and setting the Protected option.
Navigation Path
You can access the Configure Hardware Ports dialog box from the Hardware Ports tab of the ASA 5505 Interfaces page. For more information about this page, see ASA 5505 Ports and Interfaces Page.
Related Topics
•Configuring Firewall Device Interfaces, page 14-2
•ASA 5505 Ports and Interfaces Page
•Add/Edit Interface Dialog Box (PIX/ASA)
•Advanced Interface Settings Dialog Box
Field Reference
This section discusses the following pages:
Use the ARP Table page to add static ARP entries that map a MAC address to an IP address and identifies the interface through which the host is reached.
Navigation Path
•(Device view) Select Platform > Bridging > ARP Table from the Device Policy selector.
•(Policy view) Select PIX/ASA/FWSM Platform > Bridging > ARP Table from the Policy Type selector. Right-click ARP Table to create a policy, or select an existing policy from the Shared Policy selector.
Related Topics
•Add/Edit ARP Configuration Dialog Box
Field Reference
Use the Add/Edit ARP Configuration dialog box to add a static ARP entry that maps a MAC address to an IP address and identifies the interface through which the host is reached.
Navigation Path
You can access the Add/Edit ARP Configuration dialog box from the ARP Table page. For more information about the ARP Table page, see ARP Table Page.
Related Topics
Field Reference
Use the ARP Inspection page to configure ARP inspection for a transparent firewall. ARP inspection is used to prevent ARP spoofing.
Navigation Path
•(Device view) Select Platform > Bridging > ARP Inspection from the Device Policy selector.
•(Policy view) Select PIX/ASA/FWSM Platform > Bridging > ARP Inspection from the Policy Type selector. Right-click ARP Inspection to create a policy, or select an existing policy from the Shared Policy selector.
Related Topics
•Add/Edit ARP Inspection Dialog Box
Field Reference
Use the Add/Edit ARP Inspection dialog box to enable or disable ARP inspection for a transparent firewall interface.
Navigation Path
You can access the Add/Edit ARP Inspection dialog box from the ARP Inspection page. For more information about the ARP Inspection page, see ARP Inspection Page.
Related Topics
Field Reference
Use the MAC Address Table page to add static MAC address entries to the MAC Address table. The table associates the MAC address with the source interface so that the security appliance knows to send any packets addressed to the device out the correct interface.
Navigation Path
•(Device view) Select Platform > Bridging > MAC Address Table from the Device Policy selector.
•(Policy view) Select PIX/ASA/FWSM Platform > Bridging > MAC Address Table from the Policy Type selector. Right-click MAC Address Table to create a policy, or select an existing policy from the Shared Policy selector.
Related Topics
•Add/Edit MAC Table Entry Dialog Box
Field Reference
Use the Add/Edit MAC Table Entry dialog box to add static MAC address entries to the MAC Address table or to modify entries in the MAC Address table.
Navigation Path
You can access the Add/Edit MAC Table Entry dialog box from the MAC Address Table page. For more information about the MAC Address Table page, see MAC Address Table Page.
Related Topics
Field Reference
|
|
---|---|
Interface |
The interface to which the MAC address is associated. |
MAC Address |
The MAC address; for example, 00e0.1e4e.3d8b. |
Use the MAC Learning page to enable or disable MAC address learning on an interface. By default, each interface learns the MAC addresses of entering traffic, and the security appliance adds corresponding entries to the MAC address table. You can disable MAC address learning if desired; however, unless you statically add MAC addresses to the table, no traffic can pass through the security appliance.
Navigation Path
•(Device view) Select Platform > Bridging > MAC Learning from the Device Policy selector.
•(Policy view) Select PIX/ASA/FWSM Platform > Bridging > MAC Learning from the Policy Type selector. Right-click MAC Learning to create a policy, or select an existing policy from the Shared Policy selector.
Related Topics
•Add/Edit MAC Learning Dialog Box
Field Reference
Use the Add/Edit MAC Learning dialog box to enable or disable MAC address learning on an interface.
Navigation Path
You can access the Add/Edit MAC Learning dialog box from the MAC Learning page. For more information about the MAC Learning page, see MAC Learning Page.
Related Topics
Field Reference
Use the Management IP page to set the management IP address for a security appliance or for a context in transparent firewall mode.
Navigation Path
•(Device view) Select Platform > Bridging > Management IP from the Device Policy selector.
•(Policy view) Select PIX/ASA/FWSM Platform > Bridging > Management IP from the Policy Type selector. Right-click Management IP to create a policy, or select an existing policy from the Shared Policy selector.
Related Topics
Field Reference
|
|
---|---|
Management IP Address |
The management IP address. |
Subnet Mask |
The subnet mask that corresponds to the management IP address. |
This page includes tabs for configuring authentication, authorization, and accounting:
Navigation Path
•(Device view) Select Platform > Device Admin > AAA from the Device Policy selector.
•(Policy view) Select PIX/ASA/FWSM Platform > Device Admin > AAA from the Policy Type selector. Right-click AAA to create a policy, or select an existing policy from the Shared Policy selector.
Use the Authentication tab to enable authentication for administrator access to the security appliance. The Authentication tab also allows you to configure the prompts and messages that a user sees when authenticated by a AAA server.
Navigation Path
You can access the Authentication tab from the AAA page. For more information about the AAA page, see AAA Page.
Related Topics
Field Reference
The Authorization tab allows you to configure authorization for accessing firewall commands.
Navigation Path
You can access the Authorization tab from the AAA page. For more information about the AAA page, see AAA Page.
Related Topics
Field Reference
Use the Accounting tab to enable accounting for access to the firewall device and for access to commands on the device.
Navigation Path
You can access the Accounting tab from the AAA page. For more information about the AAA page, see AAA Page.
Related Topics
Field Reference
Use the Banner page to configure message of the day, login and session banners.
Navigation Path
•(Device view) Select Platform > Device Admin > Banner from the Device Policy selector.
•(Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Banner from the Policy Type selector. Right-click Banner to create a policy, or select an existing policy from the Shared Policy selector.
Related Topics
Field Reference
Use the Boot Image/Configuration page to specify which image file the security appliance will boot from, as well as which configuration file it will use at startup. You can also specify the path to the ASDM image file on the security appliance.
Navigation Path
•(Device view) Select Platform > Device Admin > Boot Image/Configuration from the Device Policy selector.
•(Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Boot Image/Configuration from the Policy Type selector. Right-click Boot Image/Configuration to create a policy, or select an existing policy from the Shared Policy selector.
Related Topics
•Configuring Boot Image and Configuration Settings, page 14-34
Field Reference
Use the Images dialog box to add a boot image entry to the boot order list.
Navigation Path
You can access the Images dialog box from the Boot Image/Configuration page. For more information about the Boot Image/Configuration page, see Boot Image/Configuration Page.
Related Topics
•Configuring Boot Image and Configuration Settings, page 14-34
•Boot Image/Configuration Page
Field Reference
The Clock page lets you set the date and time for the security appliance. In multiple context mode, set the time in the system configuration only.
To dynamically set the time using an NTP server, see Configuring NTP Settings, page 14-58; time derived from an NTP server overrides any time set manually on the Clock page.
Navigation Path
•(Device view) Select Platform > Device Admin > Clock from the Device Policy selector.
•(Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Clock from the Policy Type selector. Right-click Clock to create a policy, or select an existing policy from the Shared Policy selector.
Related Topics
•Configuring Clock Settings, page 14-35
•Configuring NTP Settings, page 14-58
Field Reference
Use the Credentials page to specify the future contact settings that Security Manager should use when contacting a device. You can also use the Contact Credentials page to change the login password and the enable password on a device.
Navigation Path
•(Device view) Select Platform > Device Admin > Credentials from the Device Policy selector.
•(Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Credentials from the Policy Type selector. Right-click Credentials to create a policy, or select an existing policy from the Shared Policy selector.
Related Topics
•Configuring Contact Credentials, page 14-36
Field Reference
Use the CPU Threshold Page to specify the percentage of CPU usage above which you want to receive a notification and the duration that the usage must remain above that threshold before the notification is generated.
Navigation Path
•(Device view) Select Platform > Device Admin > CPU Threshold from the Device Policy selector.
•(Policy view) Select PIX/ASA/FWSM Platform > Device Admin > CPU Threshold from the Policy Type selector. Right-click CPU Threshold to create a policy, or select an existing policy from the Shared Policy selector.
Related Topics
•SNMP Trap Configuration Dialog Box
Field Reference
The Device Access section is located under the Device Admin folder in the Policy selector. The following topics describe the pages for Device Access:
Use the Console page to specify a time period for the management console to remain active. When the time limit you specify is reached, the console shuts down.
In the Console Timeout field, enter the number of minutes a console session can remain idle before the firewall device closes it. Valid values are 0 to 60 minutes. To prevent a console session from timing out, enter 0.
Navigation Path
•(Device view) Select Platform > Device Admin > Device Access > Console from the Device Policy selector.
•(Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Device Access > Console from the Policy Type selector. Right-click Console to create a policy, or select an existing policy from the Shared Policy selector.
Related Topics
The HTTP page provides a table that specifies the addresses of all the hosts or networks that are allowed access to the firewall device using HTTPS. You can use this table to add or change the hosts or networks that are allowed access.
The HTTP page also displays information about HTTP redirection and HTTPS user certificate requirements for interfaces on the firewall device. You can use this table to change the entries for HTTP redirection and HTTPS user certificate requirements.
Navigation Path
•(Device view) Select Platform > Device Admin > Device Access > HTTP from the Device Policy selector.
•(Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Device Access > HTTP from the Policy Type selector. Right-click HTTP to create a policy, or select an existing policy from the Shared Policy selector.
Related Topics
•HTTP Configuration Dialog Box
Field Reference
Use the HTTP Configuration dialog box to add a host or network that will be allowed administrative access to the firewall device manager over HTTPS.
Navigation Path
You can access the HTTP Configuration dialog box from the HTTP page. For more information about the HTTP page, see HTTP Page.
Related Topics
Field Reference
The ICMP page provides a table that lists the ICMP rules, which specify the addresses of all the hosts or networks that are allowed or denied ICMP access to the firewall device. You can use this table to add or change the hosts or networks that are allowed to or prevented from sending ICMP messages to the firewall device.
Navigation Path
•(Device view) Select Platform > Device Admin > Device Access > ICMP from the Device Policy selector.
•(Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Device Access > ICMP from the Policy Type selector. Right-click ICMP to create a policy, or select an existing policy from the Shared Policy selector.
Related Topics
•Add and Edit ICMP Dialog Boxes
Field Reference
Use the Add ICMP dialog box to add an ICMP rule, which specifies the addresses of all the hosts or networks that are allowed or denied ICMP access to the firewall device.
Note The Edit ICMP dialog box is virtually identical to the Add ICMP dialog box, and is used to modify existing ICMP rules. The following descriptions apply to both dialog boxes.
Navigation Path
You can access the Add or Edit ICMP dialog boxes from the ICMP page. For more information about the ICMP page, see ICMP Page.
Related Topics
Field Reference
The Management Access page lets you enable or disable management access on a high-security interface and thus lets you perform management functions on the firewall device. Use this feature if VPN is configured on the firewall device and the external interface is using a dynamically assigned IP address. For example, this feature is helpful for accessing and managing the firewall device securely from home using the VPN client.
In the Management Access Interface field, enter the name of the device interface that permits management access connections. You can click Select to select the interface from a list of interface objects.
You can enable this feature on an internal interface to allow management functions to be performed on the interface over an IPsec VPN tunnel. You can enable the Management Access feature on only one interface at a time. Clear the Management Access Interface field to disable management access.
Navigation Path
•(Device view) Select Platform > Device Admin > Device Access > Management Access from the Device Policy selector.
•(Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Device Access > Management Access from the Policy Type selector. Right-click Management Access to create a policy, or select an existing policy from the Shared Policy selector.
Related Topics
Use the Secure Shell page to configure rules that permit only specific hosts or networks to connect to a firewall device for administrative access using the SSH protocol.
Navigation Path
•(Device view) Select Platform > Device Admin > Device Access > Secure Shell from the Device Policy selector.
•(Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Device Access > Secure Shell from the Policy Type selector. Right-click Secure Shell to create a policy, or select an existing policy from the Shared Policy selector.
Related Topics
•Configuring Secure Shell, page 14-40
•Add and Edit SSH Host Dialog Boxes
Field Reference
Use the Add Host dialog box to add an SSH access rule.
Note The Edit Host dialog box is virtually identical to the Add Host dialog box, and is used to modify existing SSH access rules. The following descriptions apply to both dialog boxes.
Navigation Path
You can access the Add and Edit Host dialog boxes from the Secure Shell page. For more information about the Secure Shell page, see Secure Shell Page.
Related Topics
•Configuring Secure Shell, page 14-40
Field Reference
The SNMP page lets you configure the security appliance for monitoring by Simple Network Management Protocol (SNMP) management stations.
Navigation Path
•(Device view) Select Platform > Device Admin > Device Access > SNMP from the Device Policy selector.
•(Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Device Access > SNMP from the Policy Type selector. Right-click SNMP to create a policy, or select an existing policy from the Shared Policy selector.
Related Topics
•SNMP Trap Configuration Dialog Box
•Add SNMP Host Access Entry Dialog Box
Field Reference
Use the SNMP Trap Configuration dialog box to configure trap settings.
Traps are different than browsing; they are unsolicited "comments" from the managed device to the management station for certain events, such as link up, link down, and syslog event generated.
An SNMP object ID (OID) for the security appliance displays in SNMP event traps sent from the security appliance. Firewall devices provide system OID in SNMP event traps & SNMP mib-2.system.sysObjectID.
The SNMP service running on a firewall device performs two different functions:
•Replies to SNMP requests from management stations (also known as SNMP clients).
•Sends traps (event notifications) to management stations or other devices that are registered to receive them from the security appliance.
Cisco firewall devices support three types of traps:
•firewall
•generic
•syslog
Navigation Path
You can access the SNMP Trap Configuration dialog box from the SNMP page. See SNMP Page for more information.
Related Topics
•Add SNMP Host Access Entry Dialog Box
Field Reference
Use the Add SNMP Host Access Entry dialog box to add SNMP management stations.
Navigation Path
You can access the Add SNMP Host Access Entry dialog box from the SNMP page. See SNMP Page for more information.
Related Topics
•SNMP Trap Configuration Dialog Box
Field Reference
Use the Telnet page to configure rules that permit only specific hosts or networks to connect to the firewall device using the Telnet protocol.
Navigation Path
•(Device view) Select Platform > Device Admin > Device Access > Telnet from the Device Policy selector.
•(Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Device Access > Telnet from the Policy Type selector. Right-click Telnet to create a policy, or select an existing policy from the Shared Policy selector.
Related Topics
•Configuring Telnet, page 14-44
•Telnet Configuration Dialog Box
Field Reference
Use the Telnet Configuration dialog box to configure Telnet options for an interface.
Navigation Path
You can access the Telnet Configuration dialog box from the Telnet page. See Telnet Page for more information.
Related Topics
•Configuring Telnet, page 14-44
Field Reference
This section discusses the pages that you use to configure failover for your firewall devices. The pages that are available for firewall configuration change depending on the type of firewall device you are configuring.
PIX 6.x Firewalls
–Edit Failover Interface Configuration Dialog Box (PIX 6.x)
–Bootstrap Configuration for LAN Failover Dialog Box
Firewall Services Modules
–Add Interface MAC Address Dialog Box
–Edit Failover Interface Configuration Dialog Box (FWSM)
–Bootstrap Configuration for LAN Failover Dialog Box
Adaptive Security Appliances and PIX 7.0 Firewalls
–Add Failover Group Dialog Box
–Edit Failover Interface Configuration Dialog Box (ASA/PIX 7.x)
–Add Interface MAC Address Dialog Box
–Bootstrap Configuration for LAN Failover Dialog Box
Use the Failover page to configure failover settings for a PIX 6.x Firewall.
Navigation Path
To access this feature, select a firewall device in Device View and then select Platform > Device Admin > Failover from the Device Policy selector.
Related Topics
•Edit Failover Interface Configuration Dialog Box (PIX 6.x)
•Bootstrap Configuration for LAN Failover Dialog Box
Field Reference
Use the Edit Failover Interface Configuration dialog box to configure a failover interface for PIX 6.x devices.
Note The failover interface cannot be configured for PPPoE.
Navigation Path
You can access the Edit Failover Interface Configuration dialog box from the Failover page. For more information about the Failover page, see Failover Page (PIX 6.x).
Related Topics
Field Reference
Use the Failover page to configure basic failover settings for FWSMs.
Navigation Path
To access this feature, select a FWSM in Device View and then select Platform > Device Admin > Failover from the Device Policy selector.
Related Topics
•Edit Failover Interface Configuration Dialog Box (FWSM)
•Bootstrap Configuration for LAN Failover Dialog Box
Field Reference
|
|
---|---|
Enable Failover |
Specifies whether failover is enabled on this device. You must configure the logical LAN failover interface and, optionally, the stateful failover interface. Note To enable failover, you must ensure that both devices have the same software version, activation key type, Flash memory, and RAM. |
|
|
Active/Active option (FWSM 3.x only) |
In an Active/Active failover configuration, both security appliances pass network traffic. Active/Active failover is only available to security appliances in multiple context mode. To enable Active/Active failover on the security appliance, you must create failover groups. If you enable failover without creating failover groups, you are enabling Active/Standby failover. A failover group is a logical group of one or more security contexts. You can create two failover groups on the security appliance. You should create the failover groups on the unit that will have failover group 1 in the active state. The admin context is always a member of failover group 1. Any unassigned security contexts are also members of failover group 1 by default. |
Active/Standby option (FWSM 3.x only) |
In an Active/Standby configuration, the active security appliance handles all network traffic passing through the failover pair. The standby security appliance does not handle network traffic until a failure occurs on the active security appliance. Whenever the configuration of the active security appliance changes, it sends configuration information over the failover link to the standby security appliance. When a failover occurs, the standby security appliance becomes the active unit. It assumes the IP and MAC addresses of the previously active unit. Because the other devices on the network do not see any changes in the IP or MAC addresses, ARP entries do not change or time out anywhere on the network. Active/Standby failover is available to security appliances in single mode or multiple mode. |
Settings button |
Click to display the Advance Settings dialog box. See Advanced Settings Dialog Box for more information. |
|
|
VLAN |
VLAN interface you are using for the failover link, for example, VLAN 11. |
Logical Name |
The logical name of the interface on the active firewall device that communicates with the standby device for failover. When configured for stateful failover, the interface is directly connected to the standby device. |
Active IP Address |
Specifies the IP address of the active interface. |
Standby IP Address |
Specifies the IP address of the standby interface. |
Subnet Mask |
Mask that corresponds with active and standby IP addresses. |
|
|
VLAN |
VLAN interface you are using for the stateful failover link, for example, VLAN 12. |
Logical Name |
The logical name of the interface on active firewall device that communicates with the standby device for failover. When configured for stateful failover, the interface is directly connected to the standby device. |
Active IP Address |
Specifies the IP address of the active interface. |
Standby IP Address |
Specifies the IP address of the standby interface. |
Subnet Mask |
Mask that corresponds with active and standby IP addresses. |
Enable HTTP Replication check box |
Enables stateful failover to copy active HTTP sessions to a standby firewall. |
Suspend Configuration Synchronization (FWSM 2.3 only) |
When selected, configurations between the active and standby device are no longer synchronized. Note You cannot disable this feature using the Security Manager user interface. To disable this feature after enabling it in Security Manager, issue the no failover suspend-config-sync command directly on the device, or by using the FlexConfig feature. For more information on FlexConfigs, see Understanding FlexConfig Policies and Policy Objects, page 18-1. |
Shared Key (FWSM 3.x only) |
To encrypt and authenticate the communication between failover peers, specify a shared secret in the Shared Key field for the active unit of an Active/Standby failover pair or on the unit that has failover group 1 in the active state of an Active/Active failover pair. The shared key can be from 1 to 63 characters and can be any combination of numbers, letters, or punctuation. Caution All information sent over the failover and Stateful Failover links is sent in clear text unless you secure the communication with a failover key. If FWSM is used to terminate VPN tunnels, this information includes any usernames, passwords and preshared keys used for establishing the tunnels. Transmitting this sensitive data in clear text could pose a significant security risk. We recommend securing the failover communication with a failover key if you are using FWSM to terminate VPN tunnels. |
The Advanced Settings dialog box lets you configure additional failover settings for FWSMs.
Note The following reference table presents all fields that can be presented in the Advanced Settings dialog box. The fields actually presented depend on operating mode (routed or transparent) and whether the device is hosting single or multiple contexts.
Navigation Path
You can access the Advance dialog box by clicking the Settings button on the Failover page. See Failover Page (FWSM) for more information.
Related Topics
•Add Interface MAC Address Dialog Box
Field Reference
Use the Edit Failover Interface Configuration dialog box to configure a failover interface for FWSMs.
Note The failover interface cannot be configured for PPPoE.
Navigation Path
You can access the Edit Failover Interface Configuration dialog box from the Failover page. For more information about the Failover page, see Failover Page (FWSM).
Related Topics
Field Reference
Use the Failover page to configure basic failover settings for ASAs and PIX 7.x firewalls.
Navigation Path
To access this feature, select an ASA or PIX 7.x firewall device in Device View and then select Platform > Device Admin > Failover from the Device Policy selector.
Related Topics
•Add Failover Group Dialog Box
•Edit Failover Interface Configuration Dialog Box (ASA/PIX 7.x)
•Add Interface MAC Address Dialog Box
•Bootstrap Configuration for LAN Failover Dialog Box
Field Reference
|
|
---|---|
Enable Failover |
Specifies whether failover is enabled on this device. You must configure the logical LAN failover interface and, optionally, the stateful failover interface. Note To enable failover, you must ensure that both devices have the same software version, activation key type, Flash memory, and RAM. |
|
|
Active/Active option |
In an Active/Active failover configuration, both security appliances pass network traffic. Active/Active failover is only available to security appliances in multiple context mode. To enable Active/Active failover on the security appliance, you must create failover groups. If you enable failover without creating failover groups, you are enabling Active/Standby failover. A failover group is a logical group of one or more security contexts. You can create two failover groups on the security appliance. You should create the failover groups on the unit that will have failover group 1 in the active state. The admin context is always a member of failover group 1. Any unassigned security contexts are also members of failover group 1 by default. |
Active/Standby option |
In an Active/Standby configuration, the active security appliance handles all network traffic passing through the failover pair. The standby security appliance does not handle network traffic until a failure occurs on the active security appliance. Whenever the configuration of the active security appliance changes, it sends configuration information over the failover link to the standby security appliance. When a failover occurs, the standby security appliance becomes the active unit. It assumes the IP and MAC addresses of the previously active unit. Because the other devices on the network do not see any changes in the IP or MAC addresses, ARP entries do not change or time out anywhere on the network. Active/Standby failover is available to security appliances in single mode or multiple mode. |
Settings button |
Click to display the Settings dialog box. See Settings Dialog Box for more information. |
|
|
Interface |
Interface you are using for the failover link. |
Logical Name |
The logical name of the interface on the active firewall device to communicate with standby device for failover. When configured for stateful failover, the interface is directly connected to the standby device. |
Active IP Address |
Specifies the IP address of the active interface. |
Standby IP Address |
Specifies the IP address of the standby interface. |
Subnet Mask |
Netmask that corresponds with active and standby IP addresses. |
Bootstrap button |
Click to display the Bootstrap Configuration for LAN Failover dialog box. See Bootstrap Configuration for LAN Failover Dialog Box for more information. |
|
|
Interface |
Interface you are using for the stateful failover link. |
Logical Name |
The logical name of the interface on the active firewall device to communicate with standby device for failover. When configured for stateful failover, the interface is directly connected to the standby device. |
Active IP Address |
Specifies the IP address of the active interface. |
Standby IP Address |
Specifies the IP address of the standby interface. |
Subnet Mask |
Netmask that corresponds with active and standby IP addresses. |
Enable HTTP Replication |
When selected, enables stateful failover to copy active HTTP sessions to standby firewall. |
Shared Key |
Used to encrypt communication between primary and standby devices. Value can be any string. |
The Settings dialog box lets you define criteria for when failover should occur on an ASA or PIX 7.x appliance.
Navigation Path
You can access the Settings dialog box by clicking the Settings button on the Failover page. For more information, see Failover Page (ASA/PIX 7.x).
Note The following reference table presents all fields that can be presented in the Settings dialog box. The fields actually presented depend on operating mode (routed or transparent) and whether the device is hosting single or multiple contexts.
Related Topics
•Add Failover Group Dialog Box
•Edit Failover Interface Configuration Dialog Box (ASA/PIX 7.x)
•Add Interface MAC Address Dialog Box
•Bootstrap Configuration for LAN Failover Dialog Box
Field Reference
Use the Add Failover Group dialog box to define failover groups for an Active/Active failover configuration.
Navigation Path
You can access the Add Failover Group dialog box from the Failover page. For more information, see Failover Page (ASA/PIX 7.x).
Related Topics
Field Reference
Use the Edit Failover Interface Configuration dialog box to define the standby IP address for an interface and to specify whether the status of the interface should be monitored.
Note The failover interface cannot be configured for PPPoE.
Navigation Path
You can access the Edit Failover Interface Configuration dialog box from the Failover page. For more information, see Failover Page (ASA/PIX 7.x).
Related Topics
•Add Failover Group Dialog Box
Field Reference
The Add Interface MAC Address dialog box allows you to define the MAC addresses of interfaces for ASA, FWSM 3.x and PIX 7.x security appliances that are configured for failover.
Related Topics
Field Reference
The Bootstrap Configuration for LAN Failover dialog box provides you with bootstrap configuration that can be applied to the primary and secondary devices in a LAN failover configuration.
Navigation Path
You can access the Bootstrap Configuration for LAN Failover dialog box from the Failover page. For more information about the Failover page, see:
Related Topics
Field Reference
Note For Active/Active Failover, the bootstrap configurations are only applied to the system contexts of the respective failover peer devices.
You can use the Hostname page to specify a host name for your firewall device and to set a default domain name. The firewall device uses this domain name when you do not enter the fully-qualified domain name in other commands. It also uses the domain name in RSA key generation.
Navigation Path
To access this feature, select a firewall device in Device View and then select Platform > Device Admin > Hostname from the Device Policy selector.
Related Topics
•Configuring Hostname Settings, page 14-51
•"PIX/ASA/FWSM Platform User Interface Reference"
Field Reference
Use the Resources page to view configured classes and information about each class. You can also use the Resources page to add, edit, or delete a class.
Navigation Path
In Device View, select the system context of an FWSM in multiple-context mode, and then select Platform > Device Admin > Resources from the Device Policy selector.
Related Topics
•Configuring Resources on Firewall Services Modules, page 14-51
Field Reference
Use the Add/Edit Resource dialog box to add or edit a resource class for a FWSM.
Navigation Path
You can access the Add/Edit Resource dialog box from the Resources page. For more information about the Resources page, see Resources Page.
Related Topics
Field Reference
Server Access is under Device Admin in the Policy selector. The following topics describe the pages for Server Access:
The AUS page lets you configure a firewall device to be managed remotely from a server that supports the Auto Update specification. Auto Update lets you apply configuration changes to the firewall device and receive software updates from a remote location.
Navigation Path
•(Device view) Select Platform > Device Admin > Server Access > AUS from the Device Policy selector.
•(Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Server Access > AUS from the Policy Type selector. Select an existing policy from the Shared Policy selector, or right-click AUS to create a new policy.
Related Topics
•Add and Edit Auto Update Server Dialog Boxes
Field Reference
|
|
---|---|
Auto Update Servers table |
This table lists currently configured Auto Update servers, presenting the following information for each: •No. - Numeric position of this entry in the list, and order of precedence when contacting AUS servers. Use the Up and Down arrow buttons to change the ordering of the list by moving the selected entry up or down. •Server URL - The URL for this AUS server; produced by concatenating the Protocol://[Username:Password@]IP Address/Path provided in the Add/Edit Auto Update Server dialog box for contacting the server. •User Name - The user name provided for contacting the server (optional). •Interface - The interface to use when sending requests to the Auto Update server. •Verify Certificate - Whether SSL verification of the AUS is required; true or false. Refer to Add and Edit Auto Update Server Dialog Boxes for information about adding and editing server entries. |
Device ID Type |
Method used for identifying this device to the AUS server; choose: •Hostname—The host name of this device. •Serial Number—The serial number of this device. •IP Address—The IP address of the specified interface is used: an Interface field appears; enter or Select the desired device interface. •MAC Address—The MAC address of the specified interface is used: an Interface field appears; enter or Select the desired device interface. •User Defined—A unique user-specified ID is used: a User Defined field appears; enter an arbitrary alphanumeric string. |
Poll Type |
Method defining how often the AUS server is polled for updates. Choose At Specified Frequency or At Scheduled Time. Different ancillary fields are displayed, depending on this choice. If you choose At Specified Frequency, this field is displayed: •Poll Period - The number of minutes the firewall device waits between polls of the AUS server. If you choose At Scheduled Time, the following fields are displayed. (This option is available only on ASA/PIX devices running version 7.2 or later.) •Days of the week - Select one or more days on which the device is to poll the AUS server. •Polling Start Time in Hours - The hour at which polling is to begin on the selected days; based on a 24-hour clock. •Polling Start Time in Mins - The minute within the chosen hour when polling is to begin. •Enable Randomization of the Start Time - Select this option to specify a random polling window; the Randomization Window field is enabled. –Randomization Window - The maximum number of minutes the device can use to randomize the specified polling time; valid values are 1 to 1439. |
Retry Count |
The number of times the device will try to poll the AUS server for new information. Optional; if you enter zero or leave this field blank, the device will not retry after a failed poll attempt. |
Retry Period |
If Retry Count is not zero or blank, the number of minutes the device will wait to re-poll the AUS server if the previous attempt failed; valid values are 1 to 35791. If Retry Count is not zero or blank and you leave this field blank, the value defaults to five minutes. |
Disable Device After |
Selecting this option ensures that if no response is received from the AUS server within the specified Timeout period, the security appliance will stop passing traffic. |
Timeout |
The number of minutes the firewall device will wait to timeout if no response is received from the AUS server. |
Use the Add Auto Update Server dialog box to configure a new AUS server definition. The security appliance will automatically poll this server for image and configuration updates.
Note With the exception of the title, the Edit Auto Update Server dialog box is identical to the Add Auto Update Server dialog box. The following description applies to both.
Navigation Path
You can access the Add and Edit Auto Update Server dialog boxes from the AUS Page.
Related Topics
•Configuring AUS Settings, page 14-52
Field Reference
Use the DHCP Relay page to configure DHCP relay services on a firewall device. For more information, see Configuring DHCP Relay, page 14-53.
Navigation Path
•(Device view) Select Platform > Device Admin > Server Access > DHCP Relay from the Device Policy selector.
•(Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Server Access > DHCP Relay from the Policy Type selector. Right-click DHCP Relay to create a policy, or select an existing policy from the Shared Policy selector.
Related Topics
•Configuring DHCP Relay, page 14-53
•Add and Edit DHCP Relay Agent Configuration Dialog Boxes
•Add and Edit DHCP Relay Server Configuration Dialog Boxes
Field Reference
Use the Add DHCP Relay Agent Configuration dialog box to enable and configure the DHCP relay agent for an interface. Use the Edit DHCP Relay Agent Configuration dialog box to update an existing interface relay agent.
Note The Add DHCP Relay Agent Configuration dialog box and the Edit DHCP Relay Agent Configuration dialog box are virtually identical; the following descriptions apply to both.
Navigation Path
You can access the Add and Edit DHCP Relay Agent Configuration dialog boxes from the DHCP Relay page. For more information about the DHCP Relay page, see DHCP Relay Page.
Related Topics
•Configuring DHCP Relay, page 14-53
•Add and Edit DHCP Relay Server Configuration Dialog Boxes
Field Reference
Use the Add DHCP Relay Server Configuration dialog box to define a new DHCP relay server; use the Edit DHCP Relay Server Configuration dialog box to update existing server information. You can define up to four DHCP relay servers.
Note The Add DHCP Relay Server Configuration dialog box and the Edit DHCP Relay Server Configuration dialog box are virtually identical; the following descriptions apply to both.
Navigation Path
You can access the Add and Edit DHCP Relay Server Configuration dialog boxes from the DHCP Relay page. For more information about the DHCP Relay page, see DHCP Relay Page.
Related Topics
•Configuring DHCP Relay, page 14-53
•Add and Edit DHCP Relay Agent Configuration Dialog Boxes
Field Reference
Use the DHCP Server page to configure global DHCP server and dynamic DNS (DDNS) updating options for the selected device, to set up a DHCP server on one or more device interfaces, as to configure advanced server options.
For more information about DHCP servers, see Configuring DHCP Servers, page 14-54.
Navigation Path
•(Device view) Select Platform > Device Admin > Server Access > DHCP Server from the Device Policy selector.
•(Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Server Access > DHCP Server from the Policy Type selector. Select an existing policy from the Shared Policy selector, or right-click DHCP Server to create a new policy.
Related Topics
•Configuring DHCP Servers, page 14-54
•Add/Edit DHCP Server Interface Configuration Dialog Boxes
•Add/Edit DHCP Server Advanced Configuration Dialog Box
Field Reference
|
|
---|---|
Ping Timeout |
Specifies the amount of time, in milliseconds, that the firewall device waits to time out a DHCP ping attempt. To avoid address conflicts, firewall devices send two ICMP ping packets to an address before assigning that address to a DHCP client. Valid values range from 10 to 10000 milliseconds. |
Lease Length |
Specifies the amount of time, in seconds, that the client can use its allocated IP address before the lease expires. Valid values range from 300 to 1048575 seconds. The default value is 3600 seconds (1 hour). |
Enable auto-configuration |
Select this option to enable DHCP auto configuration. DHCP auto configuration causes the DHCP server to provide DHCP clients with DNS server, domain name, and WINS server information obtained from a DHCP client running on the specified interface. If any of the information obtained through auto configuration is also specified manually in the Override settings from DHCP client area, the manually specified information takes precedence over the discovered information. |
Interface |
If Enable auto-configuration is checked, this field is available. Specifies the interface running the DHCP client that supplies the DNS, WINS, and domain name parameters. |
|
|
Domain Name (Optional) |
Specifies the DNS domain name for DHCP clients. Enter a valid DNS domain name; for example, |
Primary DNS Server (Optional) |
Specifies the IP address of the primary DNS server for a DHCP client. |
Secondary DNS Server (Optional) |
Specifies the IP address of the alternate DNS server for a DHCP client. |
Primary WINS Server (Optional) |
Specifies the IP address of the primary WINS server for a DHCP client. |
Secondary WINS Server (Optional) |
Specifies the IP address of the alternate WINS server for a DHCP client. |
|
|
Enable Dynamic DNS Update |
Select this option to define global DDNS update options: •Select the type of resource-record updating: PTR Record only, or A Record and PTR Record. •You also can select Override DHCP Client Request. If selected, DHCP server updates override any updates requested by DHCP clients. Available only on ASA/PIX 7.2 and higher. |
|
|
Interface table |
This table lists device interfaces on which a DHCP server, DDNS updating, or both are configured: •Interface - An interface on which a DHCP server or DDNS update is configured. •DHCP Address Pool - Identifies the pool of addresses from which the DHCP server can assign an IP address for the specified interface. •Enable DHCP Server - Indicates whether a DHCP server is enabled on the interface; true or false. •Dynamic DNS Update - Indicates whether a DDNS update is enabled on the interface; true or false. |
Add button |
Opens the Add DHCP Server Interface Configuration dialog box; used to define a DHCP server, DDNS updating, or both on a specific interface. Refer to Add/Edit DHCP Server Interface Configuration Dialog Boxes for more information. |
Edit button |
Opens the Edit DHCP Server Interface Configuration dialog box; used to update DHCP server configuration, DDNS updating, or both on the selected interface. Refer to Add/Edit DHCP Server Interface Configuration Dialog Boxes for more information. |
Delete button |
Deletes the selected entry in the DHCP Server Interface Configuration table. A confirmation dialog box may appear; click OK to delete the entry. |
|
|
Advanced button |
Click to display the Add/Edit DHCP Server Advanced Configuration dialog box. See Add/Edit DHCP Server Advanced Configuration Dialog Box for more information. |
Use the Add DHCP Server Interface Configuration and Edit DHCP Server Interface Configuration dialog boxes to enable DHCP and specify a DHCP address pool for the specified interface, and to enable dynamic DNS (DDNS) updating on the interface.
Note Other than the titles, the two dialog boxes are identical.
Navigation Path
You can access the Add DHCP Server Interface Configuration and Edit DHCP Server Interface Configuration dialog boxes from the DHCP Server page. For more information about the DHCP Server page, see DHCP Server Page.
Related Topics
•Configuring DHCP Servers, page 14-54
•Add/Edit DHCP Server Advanced Configuration Dialog Box
•Add/Edit DHCP Server Option Dialog Box
Field Reference
The Add/Edit DHCP Server Advanced Configuration dialog box lets you manage DHCP options configured for the DHCP server. These options provide additional information to DHCP clients. For example, DHCP option 150 and DHCP option 66 provide TFTP server information to Cisco IP Phones and Cisco IOS routers.
Navigation Path
You can access the Add/Edit DHCP Server Advanced Configuration dialog box by clicking the Advanced button on the DHCP Server page. For more information about the DHCP Server page, see DHCP Server Page.
Related Topics
•Configuring DHCP Servers, page 14-54
•Add/Edit DHCP Server Interface Configuration Dialog Boxes
•Add/Edit DHCP Server Option Dialog Box
Field Reference
|
|
---|---|
Options table |
This table lists configured DHCP server options: •Option Code - The numeric code representing the configured option. All DHCP options (options 1 through 255) are supported except 1, 12, 50-54, 58-59, 61, 67, and 82. •Type - The type of information the option returns to the DHCP client: IP, ASCII, or HEX. •Data - The information provided for the chosen Type: one or two IP addresses, an ASCII string, or a hexadecimal string. |
Add button |
Opens the Add DHCP Server Option dialog box; used to define a new DHCP server option. See Add/Edit DHCP Server Option Dialog Box for more information. |
Edit button |
Opens the Edit DHCP Server Option dialog box; used to update the selected DHCP server option. See Add/Edit DHCP Server Option Dialog Box for more information. |
Delete button |
Deletes the selected entry in the Options table. A confirmation dialog box may appear; click OK to delete the entry. |
The Add and Edit DHCP Server Option dialog boxes let you configure DHCP server option parameters. You use DHCP options to provide additional information to DHCP clients. For example, DHCP option 150 and DHCP option 66 provide TFTP server information to Cisco IP Phones and Cisco IOS routers.
Navigation Path
You can access the Add and Edit DHCP Server Option dialog boxes from the Add/Edit DHCP Server Advanced Configuration Dialog Box.
Related Topics
•Configuring DHCP Servers, page 14-54
•Add/Edit DHCP Server Interface Configuration Dialog Boxes
•Add/Edit DHCP Server Advanced Configuration Dialog Box
Field Reference
The DNS page lets you specify one or more DNS servers for a firewall device so it can resolve server names to IP addresses in your WebVPN configuration or certificate configuration. Other features that define server names (such as AAA) do not support DNS resolution.
Navigation Path
•(Device view) Select Platform > Device Admin > Server Access > DNS from the Device Policy selector.
•(Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Server Access > DNS from the Policy Type selector. Right-click DNS to create a policy, or select an existing policy from the Shared Policy selector.
Related Topics
•Add DNS Server Group Dialog Box
Field Reference
Use the Add DNS Server Group dialog box to define the DNS servers and settings for a DNS server group.
Navigation Path
You can access the Add DNS Server Group dialog box from the DNS page. For more information about the DNS page, see DNS Page.
Related Topics
Field Reference
Use the Add DNS Server dialog box to define DNS servers.
Navigation Path
You can access the Add DNS Server dialog box from the Add DNS Server Group dialog box. For more information about the Add DNS Server Group dialog box, see Add DNS Server Group Dialog Box.
Related Topics
•Add DNS Server Group Dialog Box
Field Reference
Use the Edit Interfaces dialog box to specify the interfaces on which you want DNS look-up enabled.
Navigation Path
You can access the Edit Interfaces dialog box from the DNS page. For more information about the DNS page, see DNS Page.
Related Topics
Field Reference
Beginning with the version 7.2(3), security appliances can generate dynamic DNS (DDNS) updates, as hosts acquire IP addresses. The DDNS page is where you configure this feature.
Navigation Path
•(Device view) Select Platform > Device Admin > Server Access > DDNS from the Device Policy selector.
•(Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Server Access > DDNS from the Policy Type selector. Right-click DDNS to create a policy, or select an existing policy from the Shared Policy selector.
Related Topics
•Add/Edit DDNS Interface Rule Dialog Box
Field Reference
Use the Add/Edit DDNS Interface Rule dialog box to manage rules for dynamic DNS updates. These rules are defined on a per-interface basis.
Navigation Path
You access the Add/Edit DDNS Interface Rule dialog box from the DDNS page. For more information about the DDNS page, see DDNS Page.
Related Topics
•DDNS Update Methods Dialog Box
Field Reference
|
|
---|---|
Interface |
Enter the name of the interface on which DDNS is to be configured. You also can Select the interface from a list of interface objects. |
Method Name |
Choose a previously defined method for DDNS update, or choose Add/Edit Update Method to define a new method. The DDNS Update Methods dialog box opens; refer to DDNS Update Methods Dialog Box for more information. |
Hostname |
The name of a DDNS server host to which updates will be sent. |
DHCP Client requests DHCP Server to update records |
Choose Not Selected, Only PTR Record, Both A and PTR Record, or No Update. |
Use the DDNS Update Methods dialog box to define and manage methods for dynamic DNS updates. Each defined method specifies an update interval and the resource record(s) to be updated.
Navigation Path
You access the DDNS Update Methods dialog box by choosing Add/Edit Update Method from the Method Name drop-down list in the Add/Edit DDNS Interface Rule Dialog Box.
Related Topics
•Add/Edit DDNS Interface Rule Dialog Box
•Add/Edit DDNS Update Methods Dialog Box
Field Reference
|
|
---|---|
Update Methods |
This table lists the currently defined update methods. Each entry includes the Method Name, update Interval, and specified type of DNS server record update. |
Add Row button |
Opens the Add/Edit DDNS Update Methods Dialog Box, letting you define a new update method. |
Edit Row button |
Opens the Add/Edit DDNS Update Methods Dialog Box, letting you edit the method currently selected in the Update Methods table. |
Delete Row button |
Deletes the update method currently selected in the Update Methods table; confirmation may be required. |
Use the Add/Edit DDNS Update Methods dialog box to define or edit a DDNS update method; these are listed in the DDNS Update Methods Dialog Box.
Navigation Path
You access the Add/Edit DDNS Update Methods dialog box by clicking the Add Row button or the Edit Row button in the DDNS Update Methods Dialog Box.
Related Topics
•Add/Edit DDNS Interface Rule Dialog Box
•DDNS Update Methods Dialog Box
Field Reference
Use the NTP page to define NTP servers to dynamically set the time on a firewall device.
Note Time derived from an NTP server overrides any time set manually in the Clock panel.
Navigation Path
•(Device view) Select Platform > Device Admin > Server Access > NTP from the Device Policy selector.
•(Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Server Access > NTP from the Policy Type selector. Right-click NTP to create a policy, or select an existing policy from the Shared Policy selector.
Related Topics
•Configuring NTP Settings, page 14-58
•NTP Server Configuration Dialog Box
Field Reference
Use the NTP Server Configuration dialog box to add or edit an NTP server.
Navigation Path
You can access the NTP Server Configuration dialog box from the NTP page. For more information about the NTP page, see NTP Page.
Related Topics
•Configuring NTP Settings, page 14-58
Field Reference
Use the SMTP Server page to specify the IP address of an SMTP server and optionally, the IP address of a backup server.
Navigation Path
•(Device view) Select Platform > Device Admin > Server Access > SMTP Server from the Device Policy selector.
•(Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Server Access > SMTP Server from the Policy Type selector. Right-click SMTP Server to create a policy, or select an existing policy from the Shared Policy selector.
Related Topics
•Configuring SMTP Servers, page 14-59
Field Reference
|
|
---|---|
Primary Server IP Address |
The IP address of the SMTP server. |
Secondary Server IP Address |
The IP address of a secondary SMTP server. |
TFTP is a simple client/server file transfer protocol described in RFC783 and RFC1350 Rev. 2. You can use the TFTP Server page to configure a firewall device to propagate its configuration files to a server using the Trivial File Transfer Protocol (TFTP). Only one server is supported.
Navigation Path
•(Device view) Select Platform > Device Admin > Server Access > TFTP Server from the Device Policy selector.
•(Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Server Access > TFTP Server from the Policy Type selector. Right-click TFTP Server to create a policy, or select an existing policy from the Shared Policy selector.
Related Topics
•Configuring TFTP Servers, page 14-59
Field Reference
Use the User Accounts page to manage the local user database. For more information, see Configuring User Accounts, page 14-60.
Navigation Path
•(Device view) Select Platform > Device Admin > User Accounts from the Device Policy selector.
•(Policy view) Select PIX/ASA/FWSM Platform > Device Admin > User Accounts from the Policy Type selector. Right-click User Accounts to create a policy, or select an existing policy from the Shared Policy selector.
Related Topics
•Configuring User Accounts, page 14-60
•Add/Edit User Account Dialog Box
Field Reference
Use the Add/Edit User Account dialog box to add a user account, or to modify an existing user account.
Navigation Path
You can access the Add/Edit User Account dialog box from the User Accounts Page.
Related Topics
•Configuring User Accounts, page 14-60
Field Reference
The Logging feature lets you enable and manage NetFlow "collectors," and enable logging, set up logging parameters, configure event lists (syslog filters), apply the filters to a destination, set up syslogs, configure syslog servers, and specify e-mail notification parameters.
After you enable logging and set up the logging parameters using the Logging Setup page, the Event Lists page lets you configure filters (for a set of syslogs) which can be sent to a logging destination. The Logging Filters page lets you specify a logging destination for the syslogs to be sent. Finally, the Syslog and E-Mail pages configure syslog and e-mail setup.
The Logging section consists of the following pages:
•Syslog
A device configured for NetFlow data export captures flow-based traffic statistics on the device. This information is periodically transmitted from the device to a NetFlow collection server, in the form of User Datagram Protocol (UDP) datagrams.
The NetFlow page lets you enable NetFlow export on the selected device, and define and manage NetFlow "collectors" to which collected flow information is transmitted.
Note NetFlow data export is available only the ASA 5580.
Navigation Path
•(Device view) Select Platform > Logging > NetFlow from the Device Policy selector.
•(Policy view) Select PIX/ASA/FWSM Platform > Logging > NetFlow from the Policy Type selector. Select an existing policy from the Shared Policy selector, or right-click NetFlow to create a policy.
Related Topics
•Add and Edit Collector Dialog Boxes (NetFlow)
•Configuring NetFlow, page 14-61
Field Reference
|
|
---|---|
Enable Flow Export |
If checked, NetFlow data export is enabled. |
Template Export Interval |
Interval (in minutes) at which flow information is sent to the collectors. Can be from one to 3600 minutes; default is 30. |
Collectors table |
Displays defined NetFlow collectors. •Filter - Filters the information displayed in the Collectors table. Click the arrow before the Filter label to hide or display the filtering bar, which lets you set filtering parameters. See Filtering Tables, page 2-16 for more information about filtering the table. •Interface - Name of the device interface through which the collector is contacted. •Collector - IP address or network name of the server to which NetFlow packets will be sent. •UDP Port - UDP port on the specified Collector to which the NetFlow packets will be sent. |
Add button |
Opens the Add Collector dialog box to let you define a new NetFlow collector. See Add and Edit Collector Dialog Boxes (NetFlow) for more information. |
Edit button |
Opens the Edit Collector dialog box to let you edit the selected collector definition. See Add and Edit Collector Dialog Boxes (NetFlow) for more information. |
Delete button |
Deletes the selected collector definition. |
Use the Add Collector dialog box to define a new NetFlow "collector."
Note With the exception of the title, the Edit Collector dialog box is identical to the Add Collector dialog box. The following description applies to both.
Navigation Path
You can access the Add and Edit Collector dialog boxes from the NetFlow Page.
Related Topics
•Configuring NetFlow, page 14-61
Field Reference
The E-Mail Setup page lets you set up a source email address as well as a list of recipients for specified syslogs to be sent as emails. You can filter the syslogs sent to a destination email address by severity. The table shows which entries have been set up.
The syslog severity filter used for the destination email address will be the higher of the severity selected in this section and the global filter set for all email recipients in the Logging Filters page.
Navigation Path
•(Device view) Select Platform > Logging > Syslog > E-Mail Setup from the Device Policy selector.
•(Policy view) Select PIX/ASA/FWSM Platform > Logging > Syslog > E-Mail Setup from the Policy Type selector. Right-click E-Mail Setup to create a policy, or select an existing policy from the Shared Policy selector.
Related Topics
•Add/Edit Email Recipient Dialog Box
Field Reference
The Add/Edit Email Recipient dialog box lets you set up a destination email address for a particular severity of syslog messages to be sent.
The syslog severity filter used for the destination email address will be the higher of the severity selected in this section and the global filter set for all email recipients in the Logging Filters page.
Navigation Path
You can access the Add/Edit Email Recipient dialog box from the E-Mail Setup page. For more information about the E-Mail Setup page, see E-Mail Setup Page.
Related Topics
Field Reference
The Event Lists page lets you define a set of syslogs to filter for logging. After you enable logging and set up the logging parameters using the Logging Setup page, the Event Lists page lets you configure filters (of a set of syslogs) which can be sent to a logging destination. The Logging Filters page lets you specify a logging destination for event lists.
You can use three criteria to define an event list:
•Class
•Severity
•Message ID
The class associates related syslog messages so you do not have to select the syslogs individually. For example, the auth class lets you select all the syslog messages that are related to user authentication.
Severity defines syslogs based on the relative importance of the event in the normal functioning of the network. The highest severity is Emergency, which means the resource is no longer available. The lowest severity is Debugging, which provides detailed information about every network event.
The message ID is a numeric value that uniquely identifies each message. You can use the message ID in an event list to identify a range of syslog messages, such as 101001-101010.
Navigation Path
•(Device view) Select Platform > Logging > Syslog > Event Lists from the Device Policy selector.
•(Policy view) Select PIX/ASA/FWSM Platform > Logging > Syslog > Event Lists from the Policy Type selector. Right-click Event Lists to create a policy, or select an existing policy from the Shared Policy selector.
Related Topics
•Add/Edit Event List Dialog Box
Field Reference
|
|
---|---|
Name |
Lists the name of the event list. |
Event Class/Severity column |
Lists the event class or logging severity level associated with the event list. Event classes are described in Message Classes and Associated Message ID Numbers. Severity levels are described in Logging Levels. |
Message IDs column |
Lists a syslog message ID or range of syslog message IDs to include in the filter. For example, 101001-101010. |
The following table lists the message classes and the range of message IDs in each class.
The Add/Edit Event List dialog box lets you create or edit an event list and specify which syslogs to include in the event list filter.
You can use three criteria to define an event list:
•Class
•Severity
•Message ID
The class associates related syslog messages so you do not have to select the syslogs individually. For example, the auth class lets you select all syslog messages that are related to user authentication.
Severity defines syslogs based on the relative importance of the event in the normal functioning of the network. The highest severity is Emergency, which means the resource is no longer available. The lowest severity is Debugging, which provides detailed information about every network event.
The message ID is a numeric value that uniquely identifies each message. You can use the message ID in an event list to identify a range of syslog messages, such as 101001-101010.
Navigation Path
You can access the Add/Edit Event List dialog box from the Event Lists page. For more information about the Event Lists page, see Event Lists Page.
Related Topics
Field Reference
The Add/Edit Syslog Class dialog box lets you specify the event class and the severity level to include in the event list filter.
The class associates related syslog messages so you do not have to select the syslogs individually. For example, the auth class lets you select all the syslog messages that are related to user authentication.
Severity defines syslogs based on the relative importance of the event in the normal functioning of the network. The highest severity is Emergency, which means the resource is no longer available. The lowest severity is Debugging, which provides detailed information about every network event.
Navigation Path
You can access the Add/Edit Syslog Class dialog box from the Add/Edit Event List dialog box. For more information about the Add/Edit Event List dialog box, see Add/Edit Event List Dialog Box.
Related Topics
•Add/Edit Event List Dialog Box
Field Reference
|
|
---|---|
Event Class list |
Specifies the event class. Event classes are described in Table K-99. |
Severity list |
Specifies the level of logging messages. Severity levels are described in Table K-109. |
The Add/Edit Syslog Message ID Filter dialog box lets you specify the syslog message IDs to include in the event list filter.
Navigation Path
You can access the Add/Edit Syslog Message ID Filter dialog box from the Add/Edit Event List dialog box. For more information about the Add/Edit Event List dialog box, see Add/Edit Event List Dialog Box.
Related Topics
•Add/Edit Event List Dialog Box
Field Reference
Message IDs - Specifies a syslog message ID, or a range of IDs. Use a hyphen to specify a range; for example, 101001-101010
.
The Logging Filters page lets you configure a logging destination for event lists (syslog filters) that have been configured using the Event Lists page, or for only the syslogs that you specify using the Edit Logging Filters dialog box. Syslogs from specific or all event classes can be selected using the Edit Logging Filters dialog box.
Navigation Path
•(Device view) Select Platform > Logging > Syslog > Logging Filters from the Device Policy selector.
•(Policy view) Select PIX/ASA/FWSM Platform > Logging > Syslog > Logging Filters from the Policy Type selector. Right-click Logging Filters to create a policy, or select an existing policy from the Shared Policy selector.
Related Topics
•Edit Logging Filters Dialog Box
Field Reference
|
|
---|---|
Logging Destination |
Lists the name of the logging destination to which messages matching this filter are sent. Logging destinations are as follows: •Internal Buffer. Messages matching this filter are published to the internal buffer of the security appliance. •Console. Messages matching this filter are published to any console port connections. •Telnet Sessions. Messages matching this filter are published to any Telnet sessions connected to the security appliance. •Syslog Servers. Messages matching this filter are published to any syslog servers specified on the Platform > Logging > Syslog Servers page. •E-Mail. Messages matching this filter are published to any recipients specified on the Platform > Logging > E-mail Setup (PIX7.0/ASA Only) page. •SNMP Trap. Messages matching this filter are published to any SNMP management stations specified on the Platform > Device Admin > Device Access > SNMP page. ASDM. Messages matching this filter are published to any ASDM sessions. |
Syslogs From All Event Classes |
Lists the severity on which to filter, the event list to use, or whether logging is disabled from all event classes. Event classes are described in Message Classes and Associated Message ID Numbers. |
Syslogs From Specific Event Classes |
Lists event class and severity set up as the filter. Event classes are described in Message Classes and Associated Message ID Numbers. Severity levels are described in Logging Levels. |
The Edit Logging Filters dialog box lets you edit filters for a logging destination. Syslogs can be configured from all or specific event classes, or disabled for a specific logging destination.
Navigation Path
You can access the Edit Logging Filters dialog box from the Logging Filters page. For more information about the Logging Filters page, see Logging Filters Page.
Related Topics
Field Reference
|
|
---|---|
Logging Destination list |
Specifies the logging destination for this filter: •Internal Buffer. Messages matching this filter are published to the internal buffer of the security appliance. •Console. Messages matching this filter are published to any console port connections. •Telnet Sessions. Messages matching this filter are published to any Telnet sessions connected to the security appliance. •Syslog Servers. Messages matching this filter are published to any syslog servers specified on the Platform > Logging > Syslog Servers page. •E-Mail. Messages matching this filter are published to any recipients specified on the Platform > Logging > E-mail Setup (PIX7.0/ASA Only) page. •SNMP Trap. Messages matching this filter are published to any SNMP management stations specified on the Platform > Device Admin > Device Access > SNMP page. •ASDM. Messages matching this filter are published to any ASDM sessions. |
|
|
Filter on severity option |
Filters on the severity of the logging messages. |
Filter on severity list |
Specifies the level of logging messages on which to filter. |
Use event list option |
Specifies to use an event list. |
Use event list |
Specifies the event list to use. Event lists are defined on the Event Lists Page. |
Disable logging option |
Disables all logging to the selected destination. |
|
|
Event Class |
Specifies the event class and severity. Event classes include one or all available items. Event classes are described in Table K-99. |
Severity |
Specifies the level of logging messages. Severity levels are described in Table K-109. |
The Logging Setup panel lets you enable system logging on the security appliance and configure other logging parameters.
Navigation Path
•(Device view) Select Platform > Logging > Syslog > Logging Setup from the Device Policy selector.
•(Policy view) Select PIX/ASA/FWSM Platform > Logging > Syslog > Logging Setup from the Policy Type selector. Right-click Logging Setup to create a policy, or select an existing policy from the Shared Policy selector.
Related Topics
Field Reference
The Rate Limit page allows you to specify the maximum number of log messages of a particular type (for example, alert or critical) that should be generated within a given period of time. You can specify a limit for each logging level and Syslog message ID. If the settings differ, Syslog message ID limits take precedence.
Navigation Path
•(Device view) Select Platform > Logging > Syslog > Rate Limit from the Device Policy selector.
•(Policy view) Select PIX/ASA/FWSM Platform > Logging > Syslog > Rate Limit from the Policy Type selector. Select an existing policy from the Shared Policy selector, or right-click Rate Limit to create a new policy.
Related Topics
•Add/Edit Rate Limit for Syslog Logging Levels Dialog Box
•Add/Edit Rate Limited Syslog Message Dialog Box
Field Reference
Using the Add/Edit Rate Limit for Syslog Logging Levels dialog box, you can specify the maximum number of log messages for particular log level that should be generated within a given period of time. You can specify a limit for each logging level or syslog message ID (see Add/Edit Rate Limited Syslog Message Dialog Box). If the settings differ, the rate limited syslog message-level settings override rate limit logging level settings.
Navigation Path
You can access the Add/Edit Rate Limit for Syslog Logging Levels dialog box from the Rate Limit page. For more information, see Rate Limit Page.
Related Topics
•Add/Edit Rate Limited Syslog Message Dialog Box
Field Reference
Using the Add/Edit Rate Limited Syslog Message dialog box you can specify the maximum number of log messages of a particular Syslog ID that can be generated within a given period of time. You can specify a limit for each syslog message ID or logging level (see Add/Edit Rate Limit for Syslog Logging Levels Dialog Box). If the settings differ, the rate limited syslog message-level settings override rate limit logging level settings.
Navigation Path
You can access the Add/Edit Rate Limited Syslog Message dialog box from the Rate Limit page. For more information, see Rate Limit Page.
Related Topics
•Add/Edit Rate Limit for Syslog Logging Levels Dialog Box
Field Reference
The Server Setup page allows you to configure the syslog server that runs on the security appliance. The settings that you specify on this page define the possible behaviors of the specific syslog server instance on the security appliance. You can set the facility code to include in syslogs, include timestamp in syslog, view syslog ID levels, modify syslog ID levels, and suppress syslog messages.
To generate meaningful reports about the network activity of a security appliance and to monitor the security events associated with that device, you must select the appropriate logging level. The logging level generates the syslog details required to track session-specific data. After you select a logging level, you can define a syslog rule that directs traffic to a third-party syslog server or Cisco Security MARS.
Navigation Path
•(Device view) Select Platform > Logging > Syslog > Server Setup from the Device Policy selector.
•(Policy view) Select PIX/ASA/FWSM Platform > Logging > Syslog > Server Setup from the Policy Type selector. Right-click Server Setup to create a policy, or select an existing policy from the Shared Policy selector.
Related Topics
•Add/Edit Syslog Message Dialog Box
Field Reference
|
|
---|---|
Facility |
Syslog facility used by host as basis to file the messages. Values range between 16 and 23. Default is LOCAL0(16). Most UNIX systems expect LOCAL4(20). List presents values that enable you to identify syslog facility for selected security appliance. This value is included in any syslog messages generated by this security appliance. Syslog facility is useful when you have a central syslog monitoring system that needs to distinguish among the various network devices that generate syslog data streams. Note Because your network devices share the eight available facilities, you might need to change this value for syslog. |
Enable Timestamp on Each Syslog Message |
When selected, attaches timestamp (time and date) to each saved syslog message. |
Enable Syslog Device ID |
When selected, attaches the specified device ID to each saved syslog message. You can specify the device ID as one of the following: •Hostname—Name of the selected security appliance. •Interface name—Name of the interface in the security appliance that generated the syslog message. These names are defined on the Interfaces page. Note If you click Select, a list displays all interfaces defined at the current scope. •User Defined ID—User-defined name specified on the Syslog Setup page that uniquely represents the security appliance to the syslog server. |
Logging Level |
Identifies the logging level specified for this rule. See Logging Levels for logging levels and descriptions. |
Suppressed |
Identifies whether the security appliance suppresses the generation of the syslog message identified in this rule. The value is either Unsuppressed (on) or Suppressed (off). |
Disable NetFlow Equivalent Syslogs |
Certain syslog messages are duplicated by NetFlow logging. If NetFlow is enabled, click this button to disable Syslog logging of those messages. The button then displays "Enable NetFlow Equivalent Syslogs"; if clicked, logging of all syslog messages is re-established. |
The following table describes logging levels.
The Add/Edit Syslog Message dialog box lets you modify the logging level or suppression setting for selected syslog messages.
Navigation Path
You can access the Add/Edit Syslog Message dialog box from the Server Setup page. For more information about the Server Setup page, see Server Setup Page.
Related Topics
Field Reference
|
|
---|---|
Syslog ID list |
Specifies the message log ID of the specific message. These values and their corresponding messages are identified in the System Log Message guides for the appropriate product. You can access these guides from the following URLs: PIX Firewall •http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_system_message_guides_list.html ASA •http://www.cisco.com/en/US/products/ps6120/products_system_message_guides_list.html FWSM •http://www.cisco.com/en/US/products/hw/modules/ps2706/ps4452/tsd_products_support_model_home.html |
Logging Level list |
Specifies the logging level for the selected message. See Table K-109 for logging levels and descriptions. |
Suppressed |
Specifies whether the security appliance suppresses the generation of identified syslog message. To disable the generation, select the Suppressed check box. To enable generation of the syslog, deselect the Suppressed check box. Note The default value for all messages is Suppressed. |
The Syslog Servers page lets you specify the syslog servers to which the security appliance sends syslog messages. To make use of the syslog server(s) you define, you must enable logging using the Logging Setup page and set up the appropriate filters for destinations using the Logging Filters page.
Note Syslog messages can be sent to Cisco Security MARS and third-party products.
Navigation Path
•(Device view) Select Platform > Logging > Syslog > Syslog Servers from the Device Policy selector.
•(Policy view) Select PIX/ASA/FWSM Platform > Logging > Syslog > Syslog Servers from the Policy Type selector. Right-click Syslog Servers to create a policy, or select an existing policy from the Shared Policy selector.
Related Topics
•Add/Edit Syslog Server Dialog Box
Field Reference
The Add Syslog Servers dialog box lets you add or edit the syslog servers to which the security appliance will send syslog messages. To make use of the syslog server(s) you define, you must enable logging using the Logging Setup page and set up the appropriate filters for destinations using the Logging Filters page.
Note There is a limit of four syslog servers that can be set up per context.
Navigation Path
You can access the Add Syslog Servers dialog box from the Syslog Servers page. For more information about the Syslog Servers page, see Syslog Servers Page.
Related Topics
Field Reference
The Multicast section consists of the following pages:
•Multicast Boundary Filter Page
–PIM Page - Neighbor Filter Tab
–PIM Page - Bidirectional Neighbor Filter Tab
–PIM Page - Rendezvous Points Tab
–PIM Page - Request Filter Tab
The Enable PIM and IGMP page lets you enable and disable Internet Group Management Protocol (IGMP) and Protocol Independent Multicast (PIM) on all interfaces on the security appliance.
When Enable PIM and IGMP is checked, PIM and IGMP are enabled on all interfaces on the security appliance. You can disable PIM and IGMP on a per-interface basis; see IGMP Page - Protocol Tab and PIM Page - Protocol Tab for more information.
Navigation Path
•(Device view) Select Platform > Multicast > Enable PIM and IGMP from the Device Policy selector.
•(Policy view) Select PIX/ASA/FWSM Platform > Multicast > Enable PIM and IGMP from the Policy Type selector. Right-click Enable PIM and IGMP to create a policy, or select an existing policy from the Shared Policy selector.
Related Topics
•Enabling PIM and IGMP, page 14-69
•Multicast Boundary Filter Page
The IGMP page consists of the following tabs:
Navigation Path
•(Device view) Select Platform > Multicast > IGMP from the Device Policy selector.
•(Policy view) Select PIX/ASA/FWSM Platform > Multicast > IGMP from the Policy Type selector. Right-click IGMP to create a policy, or select an existing policy from the Shared Policy selector.
Use the Protocol tab to configure IGMP parameters for an interface on the security appliance.
Navigation Path
You can access the Protocol tab from the IGMP page. For more information about the IGMP page, see IGMP Page.
Related Topics
•Configure IGMP Parameters Dialog Box
Field Reference
Use the Configure IGMP Parameters dialog box to configure IGMP parameters for an interface on the security appliance.
Navigation Path
You can access the Configure IGMP Parameters dialog box from the IGMP Page - Protocol tab. For more information, see IGMP Page - Protocol Tab.
Related Topics
Field Reference
Use the Access Group tab to control the multicast groups that are allowed on an interface.
Navigation Path
You can access the Access Group tab from the IGMP page. For more information about the IGMP page, see IGMP Page.
Related Topics
•Configure IGMP Access Group Parameters Dialog Box
Field Reference
Use the Configure IGMP Access Group Parameters dialog box to add or modify an access group entry.
Navigation Path
You can access the Configure IGMP Access Group Parameters dialog box from the IGMP Page - Access Group tab. For more information, see IGMP Page - Access Group Tab.
Related Topics
Field Reference
Use the Static Group tab to statically assign a multicast group to an interface.
Navigation Path
You can access the Static Group tab from the IGMP page. For more information about the IGMP page, see IGMP Page.
Related Topics
•Configure IGMP Static Group Parameters Dialog Box
Field Reference
Use the Configure IGMP Static Group Parameters dialog box to statically assign a multicast group to an interface or to change existing static group assignments.
Navigation Path
You can access the Configure IGMP Static Group Parameters dialog box from the IGMP Page - Static Group tab. For more information, see IGMP Page - Static Group Tab.
Related Topics
Field Reference
Use the Join Group tab to configure an interface to be a member of a multicast group.
Navigation Path
You can access the Join Group tab from the IGMP page. For more information about the IGMP page, see IGMP Page.
Related Topics
•Configure IGMP Join Group Parameters Dialog Box
Field Reference
Use the Configure IGMP Join Group Parameters dialog box to configure an interface to be a member of a multicast group or to change existing membership information.
Navigation Path
You can access the Configure IGMP Join Group Parameters dialog box from the IGMP Page - Join Group tab. For more information, see IGMP Page - Join Group Tab.
Related Topics
Field Reference
Use the Multicast Routes page to define static multicast routes for a security appliance.
Navigation Path
•(Device view) Select Platform > Multicast > Multicast Routes from the Device Policy selector.
•(Policy view) Select PIX/ASA/FWSM Platform > Multicast > Multicast Routes from the Policy Type selector. Right-click Multicast Routes to create a policy, or select an existing policy from the Shared Policy selector.
Related Topics
•Add/Edit MRoute Configuration Dialog Box
•Multicast Boundary Filter Page
Field Reference
Use the Add/Edit MRoute Configuration dialog box to add static multicast routes to the security appliance or to change existing static multicast routes.
Navigation Path
You can access the Add/Edit MRoute Configuration dialog box from the Multicast Routing page. For more information about the Multicast Routing page, see Multicast Routes Page.
Related Topics
Field Reference
On an ASA running version 7.2(1) or later, you can use the Multicast Boundary Filter page to configure the appliance to act as a boundary between multicast domains. The ASA compares multicast group addresses to an access list, blocking all multicast traffic except that specifically permitted by the list.
The Add/Edit MBoundary Configuration dialog box, accessed from this page, is used to define and manage per-interface boundary filter lists. The Add/Edit MBoundary Interface Configuration dialog box, accessed from the Add/Edit MBoundary Configuration dialog box, is used to specifically permit or deny multicast group addresses for the selected interface.
Navigation Path
•(Device view) Select Platform > Multicast > Multicast Boundary Filter from the Device Policy selector.
•(Policy view) Select PIX/ASA/FWSM Platform > Multicast > Multicast Boundary Filter from the Policy Type selector. Select an existing policy from the Shared Policy selector, or you can right-click Multicast Boundary Filter to create a new policy.
Related Topics
•Add/Edit MBoundary Configuration Dialog Box
•Add/Edit MBoundary Interface Configuration Dialog Box
•Configuring Multicast Boundary Filters, page 14-71
Field Reference
Use the Add/Edit MBoundary Configuration dialog box to add, edit and delete multicast boundary filter lists for individual interfaces.
Navigation Path
You can access the Add/Edit MBoundary Configuration dialog box from the Multicast Boundary Filter Page.
Related Topics
•Add/Edit MBoundary Interface Configuration Dialog Box
•Multicast Boundary Filter Page
Field Reference
|
|
---|---|
Interface |
Enter or Select an interface defined on this appliance. |
Remove any Auto_RP group range announcements |
If you check this box, Auto-RP messages denied by the boundary access control list for this interface are dropped. |
Multicast boundary filter configuration list (Action and Mboundary Filter) |
Lists the multicast group addresses specifically permitted or denied for the specified interface. This list is managed with the Add/Edit MBoundary Interface Configuration Dialog Box. |
Use this dialog box to add, edit or delete multicast address entries for the list in the Add/Edit MBoundary Configuration dialog box. Each multicast address is assigned an action: permit or deny.
Navigation Path
You can access the Add/Edit MBoundary Interface Configuration dialog box from the Add/Edit MBoundary Configuration Dialog Box.
Related Topics
•Multicast Boundary Filter Page
•Add/Edit MBoundary Configuration Dialog Box
Field Reference
The PIM (protocol independent multicast) protocol provides a scalable method for determining the best paths in a network for distributing a specific multicast transmission to each host that has registered using IGMP to receive the transmission. With PIM sparse mode (PIM SM), which is the default for Cisco routers, when the source of a multicast transmission begins broadcasting, the traffic is forwarded from one MC router to the next until the packets reach every registered host. If a more direct path to the traffic source exists, the last-hop router sends a join message toward the source that causes the traffic to be rerouted along the better path.
The following topics discuss configuring PIM:
•PIM Page - Neighbor Filter Tab (ASA 7.2(1) or later)
•PIM Page - Bidirectional Neighbor Filter Tab (ASA 7.2(1) or later)
•PIM Page - Rendezvous Points Tab
•PIM Page - Request Filter Tab
Navigation Path
•(Device view) Select Platform > Multicast > PIM from the Device Policy selector.
•(Policy view) Select PIX/ASA/FWSM Platform > Multicast > PIM from the Policy Type selector. Right-click PIM to create a policy, or select an existing policy from the Shared Policy selector.
Use the Protocol tab to configure PIM properties for the interfaces on a security appliance running PIX 7.x or later.
Navigation Path
You can access the Protocol tab from the PIM page. For more information about the PIM page, see PIM Page.
Related Topics
•Add/Edit PIM Protocol Dialog Box
•PIM Page - Rendezvous Points Tab
•PIM Page - Request Filter Tab
Field Reference
Use the Add/Edit PIM Protocol dialog box to configure PIM properties for an interface on a security appliance running PIX 7.x or later.
Navigation Path
You can access the Add/Edit PIM Protocol dialog box from the PIM Page - Protocol tab. For more information, see PIM Page - Protocol Tab.
Related Topics
Field Reference
On an ASA running version 7.2(1) or later, you can use the Neighbor Filter tab to control the routers that can become PIM neighbors. By filtering routers that can become PIM neighbors, you can prevent unauthorized routers from becoming PIM neighbors, and prevent attached stub routers from participating in PIM.
The Add/Edit PIM Neighbor Filter Dialog Box, accessed from this page, is used to define and manage the per-interface neighbor filter list, by specifically permitting or denying multicast source addresses for the selected interface.
Navigation Path
You can access the Neighbor Filter tab from the PIM Page in Device view.
Related Topics
•Add/Edit PIM Neighbor Filter Dialog Box
•PIM Page - Bidirectional Neighbor Filter Tab
•PIM Page - Rendezvous Points Tab
•PIM Page - Request Filter Tab
Field Reference
Use the Add/Edit PIM Neighbor Filter dialog box to add or edit entries in the neighbor access control list displayed on the PIM Page - Neighbor Filter Tab.
Navigation Path
You can access the Add/Edit PIM Neighbor Filter dialog box from the Neighbor Filter tab on the PIM Page.
Related Topics
•PIM Page - Neighbor Filter Tab
Field Reference
On an ASA running version 7.2(1) or later, you can use the Bidirectional Neighbor Filter tab to filter bidirectional PIM neighbors to control which bidirectional routers can participate in bidirectional trees and designated forwarder (DF) election.
The Add/Edit PIM Bidirectional Neighbor Filter Dialog Box, accessed from this page, is used to define and manage the per-interface bidirectional neighbor filter list, by specifically permitting or denying multicast source addresses for the selected interface.
Navigation Path
You can access the Bidirectional Neighbor Filter tab from the PIM Page.
Related Topics
•Add/Edit PIM Bidirectional Neighbor Filter Dialog Box
•PIM Page - Neighbor Filter Tab
•PIM Page - Rendezvous Points Tab
•PIM Page - Request Filter Tab
Field Reference
Use the Add/Edit PIM Bidirectional Neighbor Filter dialog box to add or edit entries in the bidirectional neighbor access control list displayed on the PIM Page - Bidirectional Neighbor Filter Tab.
Navigation Path
You can access the Add/Edit PIM Bidirectional Neighbor Filter dialog box from the PIM Page - Bidirectional Neighbor Filter Tab on the PIM Page.
Related Topics
•PIM Page - Bidirectional Neighbor Filter Tab
Field Reference
Use the Rendezvous Points tab to define rendezvous points. A rendezvous point is a single, common root of a shared distribution tree and is statically configured on each router. First hop routers use the rendezvous point to send register packets on behalf of the source multicast hosts.
Navigation Path
You can access the Rendezvous Points tab from the PIM page. For more information about the PIM page, see PIM Page.
Related Topics
•Add/Edit Rendezvous Point Dialog Box
•Add/Edit Multicast Groups Dialog Box
•PIM Page - Request Filter Tab
Field Reference
Use the Add/Edit Rendezvous Point dialog box to add an entry to the Rendezvous Points table or to change a rendezvous point entry.
Please note the following:
•You cannot use the same rendezvous point address twice.
•You cannot specify All Groups for more than one rendezvous point.
Navigation Path
You can access the Add/Edit Rendezvous Point dialog box from the Rendezvous Points tab. For more information about the Rendezvous Points tab, see PIM Page - Rendezvous Points Tab.
Related Topics
•Add/Edit Multicast Groups Dialog Box
•PIM Page - Rendezvous Points Tab
Field Reference
Use the Add/Edit Multicast Groups dialog box to create a multicast group rule or to modify a multicast group rule.
Navigation Path
You can access the Add/Edit Multicast Group dialog box from the Add/Edit Rendezvous Point dialog box. For more information about the Add/Edit Rendezvous Point dialog box, see Add/Edit Rendezvous Point Dialog Box.
Related Topics
•Add/Edit Rendezvous Point Dialog Box
•PIM Page - Rendezvous Points Tab
Field Reference
Use the Route Tree tab to specify whether a multicast group should use shortest-path tree or shared tree.
Navigation Path
You can access the Route Tree tab from the PIM page. For more information about the PIM page, see PIM Page.
Related Topics
•PIM Page - Rendezvous Points Tab
•PIM Page - Request Filter Tab
Field Reference
Use the Multicast Group dialog box to create a multicast group rule or to modify a multicast group rule.
Navigation Path
You can access the Multicast Group dialog box from the PIM Page - Route Tree tab. For more information, see PIM Page - Route Tree Tab.
Related Topics
Field Reference
When the security appliance is acting as a rendezvous point, you can restrict specific multicast sources from registering with it. This prevents unauthorized sources from registering with the rendezvous point. You can use the Request Filter tab to define the multicast sources from which the security appliance accepts PIM register messages.
Navigation Path
You can access the Request Filter tab from the PIM page. For more information about the PIM page, see PIM Page.
Related Topics
•PIM Page - Rendezvous Points Tab
Field Reference
Use the Multicast Group dialog box to define the multicast sources that are allowed to register with the security appliance when the security appliance acts as a rendezvous point. You create the filter rules based on the source IP address and the destination multicast address.
Navigation Path
You can access the Multicast Group dialog box from the PIM Page - Request Filter tab. For more information, see PIM Page - Request Filter Tab.
Related Topics
•PIM Page - Request Filter Tab
Field Reference
The Routing feature lets you specify static route, RIP, OSPF, and proxy ARP configuration parameters. The Routing section consists of the following pages:
Use the No Proxy ARP page to disable proxy ARP for global addresses. For more information, see Configuring No Proxy ARP, page 14-73.
To disable proxy ARP for one or more interfaces, enter their names in the Interfaces field. By default, proxy ARP is enabled for all interfaces. Separate multiple interfaces with commas. You can click Select to choose the interfaces from a list of interfaces defined on the device and interface roles defined in Cisco Security Manager.
Navigation Path
•(Device view) Select Platform > Routing > No Proxy ARP from the Device Policy selector.
•(Policy view) Select PIX/ASA/FWSM Platform > Routing > No Proxy ARP from the Policy Type selector. Right-click No Proxy ARP to create a policy, or select an existing policy from the Shared Policy selector.
Related Topics
•Configuring No Proxy ARP, page 14-73
Use the OSPF page to enable and configure OSPF (Open Shortest Path First) routing on a firewall device. The following topics provide more information about enabling and configuring OSPF:
Navigation Path
•(Device view) Select Platform > Routing > OSPF from the Device Policy selector.
•(Policy view) Select PIX/ASA/FWSM Platform > Routing > OSPF from the Policy Type selector. Right-click OSPF to create a policy, or select an existing policy from the Shared Policy selector.
Use the General tab on the OSPF page to enable OSPF processes. You can enable up to two OSPF process instances. Each OSPF process has its own associated areas and networks.
Note You cannot enable OSPF if you have RIP enabled.
Navigation Path
You can access the General tab from the OSPF page. For more information about the OSPF page, see OSPF Page.
Related Topics
Field Reference
Use the OSPF Advanced dialog box to configure settings such as the Router ID, Adjacency Changes, Administrative Route Distances, Timers, and Default Information Originate settings for an OSPF process.
Navigation Path
You can access the OSPF Advanced dialog box from the General tab. For more information about the General tab, see General Tab.
Related Topics
Field Reference
Use the Area tab on the OSPF page to configure OSPF areas and networks.
Navigation Path
You can access the Area tab from the OSPF page. For more information about the OSPF page, see OSPF Page.
Related Topics
•Add/Edit Area/Area Networks Dialog Box
Field Reference
Use the Add/Edit Area/Area Networks dialog box to define area parameters, the networks contained by the area, and the OSPF process associated with the area.
Navigation Path
You can access the Add/Edit Area/Area Networks dialog box from the Area tab. For more information about the Area tab, see Area Tab.
Related Topics
Field Reference
Use the Range tab to summarize routes between areas.
Navigation Path
You can access the Range tab from the OSPF page. For more information about the OSPF page, see OSPF Page.
Related Topics
•Add/Edit Area Range Network Dialog Box
Field Reference
Use the Add/Edit Area Range Network dialog box to add a new entry to the Route Summarization table or to change an existing entry.
Navigation Path
You can access the Add/Edit Area Range Network dialog box from the Range tab. For more information about the Range tab, see Range Tab.
Related Topics
Field Reference
Use the Neighbors tab to define static neighbors. You need to define a static neighbor for each point-to-point, non-broadcast interface. You also need to define a static route for each static neighbor in the Neighbors table.
Navigation Path
You can access the Neighbors tab from the OSPF page. For more information about the OSPF page, see OSPF Page.
Related Topics
•Add/Edit Static Neighbor Dialog Box
Field Reference
Use the Add/Edit Static Neighbor dialog box to define a static neighbor or change information for an existing static neighbor. You must define a static neighbor for each point-to-point, non-broadcast interface.
Navigation Path
You can access the Add/Edit Static Neighbor dialog box from the Neighbors tab. For more information about the Neighbors tab, see Neighbors Tab.
Related Topics
Field Reference
Use the Redistribution tab to define the rules for redistributing routes from one routing domain to another.
Navigation Path
You can access the Redistribution tab from the OSPF page. For more information about the OSPF page, see OSPF Page.
Related Topics
Field Reference
Use the Redistribution dialog box to add a redistribution rule or to edit an existing redistribution rule in the Redistribution table.
Navigation Path
You can access the Redistribution dialog box from the Redistribution tab. For more information about the Redistribution tab, see Redistribution Tab.
Related Topics
Field Reference
Use the Virtual Link tab to create virtual links. If you add an area to an OSPF network, and it is not possible to connect the area directly to the backbone area, you need to create a virtual link. A virtual link connects two OSPF devices that have a common area, called the transit area. One of the OSPF devices must be connected to the backbone area.
Navigation Path
You can access the Virtual Link tab from the OSPF page. For more information about the OSPF page, see OSPF Page.
Related Topics
•Add/Edit OSPF Virtual Link Configuration Dialog Box
Field Reference
Use the Add/Edit OSPF Virtual Link Configuration dialog box to define virtual links or change the properties of existing virtual links.
Navigation Path
You can access the Add/Edit OSPF Virtual Link Configuration dialog box from the Virtual Link tab. For more information about the Virtual Link tab, see Virtual Link Tab.
Related Topics
•Add/Edit OSPF Virtual Link MD5 Configuration Dialog Box
Field Reference
Use the Add/Edit OSPF Virtual Link MD5 Configuration dialog box to define MD5 keys for authentication of virtual links.
Navigation Path
You can access the Add/Edit OSPF Virtual Link MD5 Configuration dialog box from the Add/Edit OSPF Virtual Link Configuration dialog box. For more information about the Add/Edit OSPF Virtual Link Configuration dialog box, see Add/Edit OSPF Virtual Link Configuration Dialog Box.
Related Topics
•Add/Edit OSPF Virtual Link Configuration Dialog Box
Field Reference
Use the Filtering tab to configure the ABR Type 3 LSA filters for each OSPF process. ABR Type 3 LSA filters allow only specified prefixes to be sent from one area to another area and restricts all other prefixes. This type of area filtering can be applied out of a specific OSPF area, into a specific OSPF area, or into and out of the same OSPF areas at the same time.
Benefits
OSPF ABR Type 3 LSA filtering improves your control of route distribution between OSPF areas.
Restrictions
Only type-3 LSAs that originate from an ABR are filtered.
Navigation Path
You can access the Filtering tab from the OSPF page. For more information about the OSPF page, see OSPF Page.
Related Topics
•Add/Edit Filtering Dialog Box
Field Reference
Use the Add/Edit Filtering dialog box to add new filters to the Filter table or to modify an existing filter.
Navigation Path
You can access the Add/Edit Filtering dialog box from the Filtering tab. For more information about the Filtering tab, see Filtering Tab.
Related Topics
Field Reference
Use the Summary Address tab to configure summary addresses for each OSPF routing process.
Routes learned from other routing protocols can be summarized. The metric used to advertise the summary is the smallest metric of all the more specific routes. Summary routes help reduce the size of the routing table.
Using summary routes for OSPF causes an OSPF ASBR to advertise one external route as an aggregate for all redistributed routes that are covered by the address. Only routes from other routing protocols that are being redistributed into OSPF can be summarized.
Navigation Path
You can access the Summary Address tab from the OSPF page. For more information about the OSPF page, see OSPF Page.
Related Topics
Field Reference
Use the Add/Edit Summary Address dialog box to add new entries or to modify existing entries in the Summary Address table.
Navigation Path
You can access the Add/Edit Summary Address dialog box from the Summary Address tab. For more information about the Summary Address tab, see Summary Address Tab.
Related Topics
Field Reference
Use the Interface tab to configure interface-specific OSPF authentication routing properties.
Navigation Path
You can access the Interface tab from the OSPF page. For more information about the OSPF page, see OSPF Page.
Related Topics
Field Reference
Use the Add/Edit Interface dialog box to add OSPF authentication routing properties for an interface or to change an existing entry.
Navigation Path
You can access the Add/Edit Interface dialog box from the Interface tab. For more information about the Interface tab, see Interface Tab.
Related Topics
Field Reference
Use the RIP page to enable the Routing Information Protocol (RIP) on an interface. The settings and features available when configuring RIP depend on the type of device and OS version that you are configuring:
•To configure RIP on a PIX Firewall or ASA running an OS version earlier than 7.2, or to configure RIP on any FWSM, see RIP Page for PIX/ASA 6.3-7.1 and FWSM.
•To configure RIP on a PIX Firewall or ASA running OS version 7.2 or later, see RIP Page for PIX/ASA 7.2 and Later.
RIP is a distance-vector routing protocol that uses hop count as the metric for path selection. When RIP is enabled on an interface, the interface exchanges RIP broadcast packets with neighboring devices to learn the network topology change. Security Manager supports both RIP version 1 and RIP version 2. RIP version 1 does not send the subnet mask with the routing update. RIP version 2 sends the subnet mask with the routing update and supports variable-length subnet masks. Additionally, RIP version 2 supports neighbor authentication when routing updates are exchanged. This authentication ensures that Security Manager receives reliable routing information from a trusted source.
Navigation Path
•(Device view) Select Platform > Routing > RIP from the Device Policy selector.
•(Policy view) Select PIX/ASA/FWSM Platform > Routing > RIP from the Policy Type selector. Right-click RIP to create a policy, or select an existing policy from the Shared Policy selector.
Note When creating a shared RIP policy, you must indicate whether you are creating a policy for any FWSM or a PIX/ASA running a pre-7.2 version OS, or whether the policy is for a PIX/ASA version 7.2 or later. When assigning a shared RIP policy, be sure to assign the appropriate RIP policy for the device. For example, you cannot assign a PIX/ASA 7.2+ RIP policy to an FWSM.
Related Topics
Use this RIP page to enable the Routing Information Protocol (RIP) on an interface.
Navigation Path
•(Device view) Select Platform > Routing > RIP from the Device Policy selector.
•(Policy view) Select PIX/ASA/FWSM Platform > Routing > RIP from the Policy Type selector. Select an existing policy from the Shared Policy selector, or create a new RIP policy.
Note When creating a shared RIP policy, you must indicate whether you are creating a policy for any FWSM or a PIX/ASA running a pre-7.2 version OS, or whether the policy is for a PIX/ASA version 7.2 or later. When assigning a shared RIP policy, be sure to assign the appropriate RIP policy for the device. For example, you cannot assign a PIX/ASA 7.2+ RIP policy to an FWSM.
Related Topics
Field Reference
Use the Add/Edit RIP Configuration dialog box to add a RIP configuration to the security appliance or make changes to a RIP configuration. By adding a RIP configuration, you enable RIP on the selected interface.
Navigation Path
You can access the Add/Edit RIP Configuration dialog box from the RIP page. For more information about the RIP page, see RIP Page for PIX/ASA 6.3-7.1 and FWSM.
Related Topics
•RIP Page for PIX/ASA 6.3-7.1 and FWSM
Field Reference
Use the RIP page to enable and configure the Routing Information Protocol (RIP) on a firewall device. The following topics provide more information about enabling and configuring RIP for PIX Firewalls and ASA devices running OS 7.2 or later:
Navigation Path
•(Device view) Select Platform > Routing > RIP from the Device Policy selector.
•(Policy view) Select PIX/ASA/FWSM Platform > Routing > RIP from the Policy Type selector. Right-click RIP to create a policy, or select an existing policy from the Shared Policy selector.
Note When creating a shared RIP policy, you must indicate whether you are creating a policy for any FWSM or a PIX/ASA running a pre-7.2 version OS, or whether the policy is for a PIX/ASA version 7.2 or later. When assigning a shared RIP policy, be sure to assign the appropriate RIP policy for the device. For example, you cannot assign a PIX/ASA 7.2+ RIP policy to an FWSM.
Related Topics
•RIP Page for PIX/ASA 6.3-7.1 and FWSM
Use the Setup tab to define and enable a RIP policy in the Security Manager and to configure global RIP protocol parameters.
Navigation Path
You can access the Setup tab from the RIP page. For more information about the RIP page, see RIP Page for PIX/ASA 7.2 and Later.
Related Topics
Field Reference
Use the Redistribution tab to view, add, or edit redistribution routes. These are the routes that are being redistributed from other routing processes into the RIP routing process. For details on specific fields, see Add/Edit Redistribution Dialog Box.
Navigation Path
You can access the Redistribution tab from the RIP page. For more information about the RIP page, see RIP Page for PIX/ASA 7.2 and Later.
Related Topics
•Add/Edit Redistribution Dialog Box
Use the Add/Edit Redistribution dialog box to add or edit redistribution routes on the RIP - Redistribution Tab. These are the routes that are being redistributed from other routing processes into the RIP routing process.
Navigation Path
You can access the Add/Edit Redistribution dialog box from the Redistribution tab on the RIP Page for PIX/ASA 7.2 and Later.
Related Topics
Field Reference
Note The fields you employ in the Add/Edit Redistribution Mapping Dialog Box vary according to the protocol you choose.
|
|
---|---|
Protocol to Redistribute |
Enables you to choose the routing protocol to redistribute into the RIP routing process. Choices include: •Static—Static routes. •Connected—Directly connected networks. •OSPF—Routes discovered by the OSPF routing process. Note If you choose OSPF, you must also enter the OSPF Process ID and, optionally, the Match Criteria. |
Process ID |
Specifies the process when the OSPF protocol is selected. |
Match |
If you are redistributing OSPF routes into the RIP routing process, you can click to select specific types of OSPF routes to redistribute. Match criteria is optional. The default is match: Internal, external 1, external 2. |
Metric |
The RIP metric type being applied to the redistributed routes. The two choices are: •Transparent—Choose this option to cause the current route metric to be used. •Specified Value—Choose this to assign a specific metric value. |
Metric Value |
The specific value that, when reached, applies the RIP metric. |
Route Map |
Specifies the name of a route map that must be satisfied before the route can be redistributed into the RIP routing process. Note This field contains only the route Map name. The contents of a route map are created and contained within a FlexConfig. For more information see Understanding FlexConfig Policies and Policy Objects, page 18-1. |
Use the Filtering tab to view, add, or edit filters for RIP policy. For details on specific fields, see Add/Edit Filter Dialog Box.
Navigation Path
You can access the Filtering tab from the RIP page. For more information about the RIP page, see RIP Page for PIX/ASA 7.2 and Later.
Related Topics
Use the Add/Edit Filter dialog box to add or edit an RIP filter on the RIP - Filtering Tab.
Navigation Path
You can access the Add/Edit Filter dialog box from the Filtering tab on the RIP Page for PIX/ASA 7.2 and Later.
Related Topics
Field Reference
Use the Interface tab to view, add, or edit interface-specific RIP settings, such as the version of RIP the interface sends and receives and the authentication method, if any, used for the RIP broadcasts. For details on specific fields, see Add/Edit Interface Dialog Box
Navigation Path
You can access the Interface tab from the RIP page. For more information about the RIP page, see RIP Page for PIX/ASA 7.2 and Later.
Related Topics
•Add/Edit Interface Dialog Box
Use the Add/Edit Interface dialog box to add or edit an interface configuration for RIP on the RIP - Interface Tab.
Navigation Path
You can access the Add/Edit Interface dialog box from the Interface tab on the RIP Page for PIX/ASA 7.2 and Later.
Related Topics
Field Reference
Use the Static Route page to create static routes that will access networks connected to a router on any interface.
Navigation Path
•(Device view) Select Platform > Routing > Static Route from the Device Policy selector.
•(Policy view) Select PIX/ASA/FWSM Platform > Routing > Static Route from the Policy Type selector. Right-click Static Route to create a policy, or select an existing policy from the Shared Policy selector.
Related Topics
•Monitoring Service Level Agreements (SLAs) To Maintain Connectivity, page 8-77
Field Reference
The Add/Edit Static Route dialog box lets you add or edit a static route.
Navigation Path
You can access the Add/Edit Static Route dialog box from the Static Route page. For more information about the Static Route page, see Static Route Page.
Related Topics
Field Reference
|
|
---|---|
Interface |
Specifies the interface name to which the static route applies. |
Network |
Specifies the internal or external network IP address. Use 0.0.0.0 to specify a default route. The 0.0.0.0 IP address can be abbreviated as 0. |
Gateway |
Specifies the IP address of the gateway router which is the next hop address for this router. |
Metric |
Specifies the number of hops to the gateway IP. Valid values range from 1 to 255. The default is 1 if a metric is not specified. A metric is a measurement of the expense of a route based on the number of hops (hop count) to the network on which a specific host resides. Hop count refers to the number of networks that a network packet must traverse, including the destination network, before it reaches its final destination. Because the hop count includes the destination network, all directly connected networks have a metric of 1. For the metric value, you can specify a number between 1 and 255. The maximum number of equal cost (metric) routes that can be defined per interface is three. You cannot add a route with the same metric on different interfaces that are on the same network. When routing network packets, a security appliance uses the rule with the most specific network within the rule's definition. Only in cases where two routing rules have the same network is the metric used to break the tie. In a tie, the lowest metric value wins. If no routing rule exists, the network packet is dropped, and if the gateway is not detected (dead), the network packet is dropped. |
Tunneled option |
Used only for default route. Only one default tunneled gateway is allowed per security appliance. Tunneled option is not supported under transparent mode. |
Route Tracking |
The name of an SLA (service level agreement) monitor object that defines how you want to monitor connectivity for this route. Enter the name of an object or click Select to select it from a list or to create a new object. For more information on performing route tracking, see Monitoring Service Level Agreements (SLAs) To Maintain Connectivity, page 8-77. |
The Security section consists of the following pages:
Use the General page to configure security settings that help protect against malformed packets, spoofed packets, fragmented packets, and denial of service attacks.
Navigation Path
•(Device view) Select Platform > Security > General from the Device Policy selector.
•(Policy view) Select PIX/ASA/FWSM Platform > Security > General from the Policy Type selector. Right-click General to create a policy, or select an existing policy from the Shared Policy selector.
Related Topics
•Configuring Security Policies on Firewall Devices, page 14-76
•Add/Edit General Security Configuration Dialog Box
Field Reference
Use the Add/Edit General Security Configuration dialog box to enable or disable anti-spoofing on an interface and to configure fragment settings for an interface.
Navigation Path
You can access the Add/Edit General Security Configuration dialog box from the General page. For more information about the General page, see General Page.
Related Topics
Field Reference
The Timeouts page lets you set the timeout durations for use with the security appliance. All durations are displayed in the format hh:mm:ss. It sets the idle time for the connection and translation slots of various protocols. If the slot has not been used for the idle time specified, the resource is returned to the free pool. TCP connection slots are freed approximately 60 seconds after a normal connection close sequence.
Note It is recommended that you do not change these values unless advised to do so by Customer Support.
Navigation Path
•(Device view) Select Platform > Security > Timeouts from the Device Policy selector.
•(Policy view) Select PIX/ASA/FWSM Platform > Security > Timeouts from the Policy Type selector. Right-click Timeouts to create a policy, or select an existing policy from the Shared Policy selector.
Related Topics
Field Reference
Service policy rules define how specific types of application inspection are applied to different types of traffic received by the security appliance. You apply a specific rule to an interface or globally to every interface.
The Service Policy Rules section consists of the following topics:
•IPS, QoS, and Connection Rules Page
Priority queues allow you to define how traffic is prioritized in the network. You can define a series of filters based on packet characteristics to cause traffic to be placed in a higher or lower priority queue. The queue with the highest priority is serviced first until it is empty, then the lower queues are serviced in sequence.
Navigation Path
•(Device view) Select Platform > Service Policy Rules > Priority Queues from the Device Policy selector.
•(Policy view) Select PIX/ASA/FWSM Platform > Service Policy Rules > Priority Queues from the Policy Type selector. Right-click Priority Queues to create a policy, or select an existing policy from the Shared Policy selector.
Related Topics
•Priority Queue Configuration Dialog Box
•Insert/Edit Service Policy (MPC) Rule Wizard
•Understanding Queuing Parameters, page 13-102
Field Reference
Use the Priority Queue Configuration dialog box to define priority queues on the Priority Queues page.
Navigation Path
You can access the Priority Queue Configuration dialog box from the Priority Queues page. For more information about the Priority Queues page, see Priority Queues Page.
Related Topics
•Insert/Edit Service Policy (MPC) Rule Wizard
•Understanding Queuing Parameters, page 13-102
Field Reference
Use the IPS, QoS, and Connection Rules page to define new service policy rules, and to edit or delete existing service policy rules.
Navigation Path
•(Device view) Select Platform > Service Policy Rules > IPS, QoS, and Connection Rules from the Device Policy selector.
•(Policy view) Select PIX/ASA/FWSM Platform > Service Policy Rules > IPS, QoS, and Connection Rules from the Policy Type selector. Right-click IPS, QoS, and Connection Rules to create a policy, or select an existing policy from the Shared Policy selector.
Related Topics
•Insert/Edit Service Policy (MPC) Rule Wizard
Field Reference
|
|
---|---|
|
|
Filter |
Click the arrow to display (or hide) the filtering bar, which enables you to filter the information displayed in the table. For more information, see Filtering Tables, page 2-16. |
Traffic Class |
Identifies the name of the traffic class that identifies the criteria you want to use to match traffic for the security policy rule. |
Interfaces |
Identifies the interface to which the rule applies. |
MPC Actions |
Displays the MPC actions applied by the rule. The types of actions include: •IPS •Set connection •QoS •CSC For more information, see Table K-174. |
Category |
Displays the category to which the rule is assigned. Categories provide an intermediate level of detail to objects and help you readily identify rules and objects by use of color-coding. To define categories, select Tools > Policy Object Manager > Category. Note No commands are generated for the category attribute. |
Comments |
Displays a description or comment on the rule if such is available. |
Use the Insert/Edit Service Policy (MPC) Rule wizard to define new service policy rules or to edit existing service policy rules. The Insert/Edit Service Policy (MPC) Rule wizard contains the following pages:
•Step 1. Table K-172.
•Step 2. Table K-173.
•Step 3. Table K-174.
|
|
---|---|
Traffic Classification |
Enables you to specify the criteria you want to use to match traffic for a security policy rule. Select the appropriate option to apply the rule to a specific traffic class or to apply the rule to the class-default traffic class: •Use class-default as the traffic class—Use the class-default traffic class for this service policy. The class-default traffic class is used when traffic does not match any other traffic class. •Traffic Class—Applies the rule to a specific traffic class. After you select this option, you must click Select to specify the traffic class. |
Select button |
If you are applying the service policy to a specific traffic class, click the Traffic Class radio button and then click Select to open the Traffic Flows Selector dialog box from which you can specify the traffic class to which the service policy should apply. The Traffic Flows Selector dialog box also enables you to add or edit a traffic flow. For more information, see Add and Edit Traffic Flow Dialog Boxes, page F-184. |
|
|
---|---|
|
|
Enable IPS for this Traffic (ASA 7.0+ & PIX 7.0(0)-7.0(3) only) |
Enables or disables intrusion prevention for this traffic flow. When this check box is selected, the other parameters on this panel become active. This is applicable only for ASA 7.0+ and PIX 7.0(0)-7.0(3) traffic flows. |
IPS Mode |
Configures the operating mode for intrusion prevention: •Inline—Selects Inline Mode, in which a packet is directed to IPS. The packet might be dropped as a result of the IPS operation. •Promiscuous—Selects Promiscuous Mode, in which IPS operates on a duplicate of the original packet. The original packet cannot be dropped. |
On IPS Card Failure |
Configures the action to take if the IPS card becomes inoperable. •Open—Permits traffic if the IPS card fails •Close—Blocks traffic if the IPS card fails. |
|
|
Enable Connection Settings For This Traffic |
Enables or disables connection settings for this traffic flow. When this check box is selected, the other parameters on this panel become active. From the Connection Settings tab you can configure maximum connections, embryonic connections, timeouts, and TCP parameters. |
Maximum Connections |
You can specify the maximum number of TCP and UDP connections, and the maximum number of embryonic connections for this traffic flow: •Maximum TCP & UDP Connections—Specifies the maximum number of simultaneous TCP and UDP connections for the entire subnet up to 65,536. The default is 0 for both protocols, which means the maximum possible connections are allowed. •Maximum TCP & UDP Connections Per Client—For ASA/PIX 7.1 only, specifies the maximum number of simultaneous TCP and UDP connections on a per client basis. •Maximum Embryonic Connections (ASA/PIX 7.0+ only)—Specifies the maximum number of embryonic connections per host up to 65,536. An embryonic connection is a connection request that has not finished the necessary handshake between source and destination. This limit enables the TCP Intercept feature. The default is 0, which means the maximum embryonic connections. TCP Intercept protects inside systems from a DoS attack perpetrated by flooding an interface with TCP SYN packets. When the embryonic limit has been surpassed, the TCP intercept feature intercepts TCP SYN packets from clients to servers on a higher security level. SYN cookies are used during the validation process and help to minimize the amount of valid traffic being dropped. Thus, connection attempts from unreachable hosts will never reach the server. •Maximum Embryonic Connections Per Client (ASA/PIX 7.1+ only)—Specifies the maximum number of embryonic connections on a per client basis. |
Connection Timeouts |
You can specify the following connection timeout settings for this traffic flow: •Embryonic Connection Timeout—Specifies the idle time until an embryonic connection slot is freed. Enter 0:0:0 to disable timeout for the connection. The default is 20 seconds for FWSM, and 30 seconds for ASA/PIX. •Half Closed Connection Timeout—Specifies the idle time until a half closed connection slot is freed. Enter 0:0:0 to disable timeout for the connection. For FWSM, the default value is 20 seconds; the maximum value is 255 seconds (four minutes, 15 seconds). For ASA/PIX, this duration must be at least 5 minutes; the default is 10 minutes. •TCP Connection Timeout—Specifies the idle time until a connection slot is freed. Enter 0:0:0 to disable timeout for the connection. This duration must be at least 5 minutes. The default is 1 hour. |
Reset Connection Upon Timeout |
Resets the connection after a timeout occurs when selected. Available for ASA/PIX 7.2+ only. |
Detect Dead Connections (ASA/PIX 7.2+ only) |
Enables the Dead Connection Detection feature which is only available for ASA/PIX 7.2+ devices. Selecting this check box enables you to configure the following two fields: •Dead Connection Detection Timeout—Specifies the period of time between retries when a dead connection is detected. The default is 15 seconds. •Dead Connection Detection Retries—Specifies the number of retries to be performed after a dead connection is detected. The default is five. |
Traffic Flow Idle Timeout (FWSM 3.2+ only) |
Specifies the period of time between a traffic flow becoming idle and the flows disconnection. Applicable to FWSM 3.2+ only. The default is 1 hour. |
Enable TCP Normalization (ASA/PIX 7.0+ only) |
Enables TCP normalization, and activates the TCP Map selection capability. Applicable to ASA/PIX 7.0+ only. |
TCP map |
Specifies the TCP map to use in TCP normalization. Click Select to display the TCP Maps Selector from which you can select a TCP map. |
Randomize TCP Sequence Number |
Enables the Randomize Sequence Number feature. Disable this feature only if another inline security appliance is also randomizing sequence numbers and the result is scrambling the data. Each TCP connection has two Initial Sequence Numbers: one generated by the client and one generated by the server. The security appliance randomizes the ISN that is generated by the host/server on the higher security interface. At least one ISN must be randomly generated so that attackers cannot predict the next ISN and potentially hijack the session. |
Enable TCP State Bypass (FWSM 3.2+ only) |
Enables the skipping of checks of the TCP state machine, for this traffic flow. This is useful for allowing certain traffic to flow through in asymmetric routing scenarios when two FWSMs are in different locations that are not Layer 2-adjacent. Applicable to FWSM 3.2+ only. Refer to your FWSM documentation for more information on configuring state bypass traffic. |
Enable Decrement TTL (PIX/ASA 7.2.2+ only) |
Select this option to turn on decrementing of the time-to-live (TTL) value in packets passed by the security appliance. |
Enable Trusted Flow Acceleration |
Select this option to enable Trusted Flow Acceleration for this context. See About Trusted Flow Acceleration, page 14-80 for more information. |
|
|
Enable QoS for this traffic flow |
Enables QoS for this traffic flow. When this option is selected, the Enable Priority For This Flow and the Traffic Policing options become active. Note The options on this tab are available for PIX/ASA 7.0+ devices only. |
Enable priority for this flow |
Enables strict scheduling priority for this flow. Priority (LLQ) does not work unless the priority queues are set. |
Traffic Policing |
Enables output and input traffic policing. |
Output (Traffic Policing) |
Enables policing of traffic flowing in the output direction. If you enable policing, you can specify the following values: •Committed Rate—The rate limit for this traffic flow; this is a value in the range 8,000-2,000,000,000, specifying the maximum speed (bits per second) allowed. •Burst Rate—A value in the range 1,000-512,000,000 that specifies the maximum number of instantaneous bytes allowed in a sustained burst before throttling to the conforming rate value. •Conform Action—The action to take when the rate is less than the conform-burst value. Values are transmit or drop. •Exceed Action—Take this action when the rate is between the conform-rate value and the conform-burst value. Values are transmit or drop. |
Input (Traffic Policing; ASA/PIX 7.2+ only) |
Enables policing of traffic flowing in the input direction. If you enable policing, you can specify the following values: •Committed Rate—The rate limit for this traffic flow; this is a value in the range 8,000-2,000,000,000, specifying the maximum speed (bits per second) allowed. •Burst Rate—A value in the range 1,000-512,000,000 that specifies the maximum number of instantaneous bytes allowed in a sustained burst before throttling to the conforming rate value. •Conform Action—The action to take when the rate is less than the conform-burst value. Values are transmit or drop. •Exceed Action—Take this action when the rate is between the conform-rate value and the conform-burst value. Values are transmit or drop. |
|
|
Enable Content Security Control For This Traffic (ASA7.1+ only) |
Enables or disables the use of the Cisco CSC SSM (Content Security and Control Security Services Module) for this traffic flow. When this check box is selected, the On CSC SSM Failure options become active. |
On CSC SSM Failure |
Configures the action to take if the CSC SSM becomes inoperable. Options are: •Open—Permits traffic if the CSC SSM fails •Close—Blocks traffic if the CSC SSM fails. |
The User Preferences section consists of the Deployment page. The Deployment page provides access to the Clear XLATE on deployment option.
Select this option to send a clear xlate command to the firewall before changes to access lists are made. This command clears all NAT translations. By default this option is not selected.
Navigation Path
•(Device view) Select Platform > User Preferences > Deployment from the Device Policy selector.
•(Policy view) Select PIX/ASA/FWSM Platform > User Preferences > Deployment from the Policy Type selector. Right-click Deployment to create a policy, or select an existing policy from the Shared Policy selector.
Open the Security Contexts page to add, edit, or delete Security Contexts for an ASA, PIX 7.x (or later), or FWSM device running in multi-context mode.
Navigation Path
To access this feature, select an ASA, PIX 7.x (or later), or FWSM device running in multi-context mode and then select Security Contexts from the Device Policy selector.
Related Topics
•Add/Edit Security Context Dialog Box (FWSM)
•Add/Edit Security Context Dialog Box (PIX/ASA)
•Allocate Interfaces Dialog Box (PIX/ASA only)
•View Interface Allocation Dialog Box (PIX/ASA only)
Field Reference
The Add Security Context and Edit Security Context dialog boxes let you add or edit a security context and define context parameters. Except the title, the two dialog boxes are identical.
Navigation Path
You can access the Add Security Context and Edit Security Context dialog boxes from the Security Contexts page. For more information about the Security Contexts page, see Security Contexts Page.
Related Topics
Field Reference
|
|
---|---|
Name |
Enter a name of up to 32 characters for the context. The names Note While context names are case-sensitive on the device, they are not in Security Manager. That is, you cannot have two contexts with the same name but different capitalization in Security Manager. |
Mode (FWSM 3.x) |
Choose the mode, router or transparent, for this security context. Note You cannot change the mode in the Edit Security Context dialog box. |
Admin Context |
Select this option if this context is to be the admin context for this device. |
VLAN IDs |
Enter the VLANs assigned to this context. Use a comma to separate multiple VLAN entries. |
Config URL |
Specifies the context configuration location, as a URL-type address. Choose the protocol type from the drop-down list, and then type the server name (for remote file systems), path, and file name in the related text field. For example, the combined URL for FTP has the following format: Available protocols are: • • • • • |
Failover Group |
If this context is part of an active/active failover configuration, choose the failover group to which this context belongs. |
Description |
Enter an optional description for the context. |
Management IP Addr |
Enter or Select the IP address that Security Manager should use for communicating with this security context. |
Enable Trusted Flow Acceleration (FWSM 4.0(1)+ only) |
Select this option to enable Trusted Flow Acceleration for this context (available in Router mode only). See About Trusted Flow Acceleration, page 14-80 for more information. |
The Add Security Context and Edit Security Context dialog boxes let you add or edit a security context and define context parameters. Except the title, the two dialog boxes are identical.
Navigation Path
You can access the Add Security Context and Edit Security Context dialog boxes from the Security Contexts page. For more information about the Security Contexts page, see Security Contexts Page.
Related Topics
•Allocate Interfaces Dialog Box (PIX/ASA only)
•View Interface Allocation Dialog Box (PIX/ASA only)
Field Reference
The Allocate Interfaces dialog box lets you assign interfaces to a context and set interface parameters.
Navigation Path
You can access the Allocate Interfaces dialog box from the Add Security Context and Edit Security Context dialog boxes. See Add/Edit Security Context Dialog Box (PIX/ASA) for more information.
Related Topics
•Add/Edit Security Context Dialog Box (PIX/ASA)
•View Interface Allocation Dialog Box (PIX/ASA only)
Field Reference
|
|
---|---|
Physical Interface |
Sets the physical interface to assign to the context. You can assign the main interface, in which case you leave the subinterface ID blank, or you can assign a subinterface or a range of subinterfaces associated with this interface. In transparent firewall mode, only interfaces that have not been allocated to other contexts are shown. If the main interface was already assigned to another context, you must select a subinterface. |
Sub Interface ID From/To |
Sets the subinterface ID or a range of subinterface IDs. To specify a single subinterface, click the ID in the first list. To specify a range, click the ending ID in the second list, if available. In transparent firewall mode, only subinterfaces that have not been allocated to other contexts are shown. |
View Allocation button |
Displays the View Interface Allocation dialog box. See View Interface Allocation Dialog Box (PIX/ASA only). |
Use aliased name in context |
Sets an aliased name for this interface to be used in the context configuration instead of the interface ID. |
Alias Name |
Sets the aliased name. An aliased name must start with a letter, end with a letter or digit, and have as interior characters only letters, digits, or an underscore. This box lets you specify a name that ends with a letter or underscore; to add an optional digit after the name, set the digit in the Suffix Range From/To fields. |
Suffix Range From/To |
Sets the numeric suffix for the aliased name. If you have a range of subinterfaces, you can enter a range of digits to be appended to the name. |
Show hardware properties in context |
Enables context users to see physical interface properties even if you set an aliased name. |
The View Interface Allocation dialog box presents a read-only table that lists all physical interfaces in a security appliance and displays the security contexts and failover groups associated with each interface.
Navigation Path
You can access the View Interface Allocation dialog box by clicking the View Allocation button in the Allocate Interfaces dialog box. See Allocate Interfaces Dialog Box (PIX/ASA only) for more information.
Related Topics
•Add/Edit Security Context Dialog Box (PIX/ASA)
•Allocate Interfaces Dialog Box (PIX/ASA only)
Field Reference