Cisco ASA Series General Operations ASDM Configuration Guide, Software Version 7.4
TRANSCRIPT
ASA ASDM 7.4 ASA 5506-X ASA 5506H-X ASA 5506W-X ASA 5508-X ASA 5512-X ASA 5515-X ASA 5516-X ASA 5525-X ASA 5545-X ASA 5555-X ASA 5585-X ASA
2015 3 23 2015 4 7 www.cisco.com
200 www.cisco.com/go/offices
TCP (UCB) UCB UNIX 1981
www.cisco.com/go/trademarks (1110R)
(IP) IP
ASA ASDM 2015
(ASDM) ASA
ASA
ASDM ASA ASDM ASA ASA ASA ASDM ASA
ASA http://www.cisco.com/go/asadocs
[ ] {x | y | z } iii ASA ASDM
http://www.cisco.com/c/en/us/td/docs/security/asa/compatibility/asamatrx.html
http://www.cisco.com/go/asadocs
(BST) http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html RSS RSS
[ x | y | z ]
courier courier courier courier courier courier < > [ ] ! # (!) (#) iv ASA ASDM
1
ASA
2015 3 23 2015 4 7
ASA VPN IPS ASA 2 3 IPsec VPN SSL VPN SSL VPN
ASDM ASA ASDM ASA ASA ASA ASDM ASA 1-16
ASDM 1-1 1-6 VPN 1-6 1-6 1-11 VPN 1-15 1-15 ASA 1-15 1-16
ASDM ASDM 1-2 Java 1-3 1-1 ASA ASDM
1 ASA ASDM ASDM ASDM Java
1-1
Java SE Internet Explorer Firefox Safari Chrome
Microsoft Windows
8 7 2008 2012
7.0
Apple OS X 10.4 64
7.0
Red Hat Enterprise Linux 5GNOME KDE
(Desktop)
N/A N/A 7.0 1-2 ASA ASDM
1 ASA ASDM Java Java ASDM
1-2 Java ASDM
Java
7 Update 51 ASDM Launcher Launcher Java Java 8 Java 7 update 45 ASA CA Java ASDM
Java Web StartJava 7 update 51 ASDM 7.1(5) Java ASDM 7.2 CLI ASDM Java ASDM ASA
http://java.com/en/download/help/java_blocked.xml ASDM 7.2
Java Web Start
Unable to connect
ASDM Launcher
Java -Djava.net.preferIPv6Addresses=true
a. Java
b. Java
c. View
d. -Djava.net.preferIPv6Addresses=true
e. OK Apply OK
7 Update 45 ASDM
Java ASA JAR ASDM 7.2 CA Configuration > Device Management > Certificates > Identity Certificates ASA ASDM Always trust connections to websites 1-3 ASA ASDM
http://www.cisco.com/go/asdm-certificate
1 ASA ASDM 7 ASA (3DES/AES)
ASDM ASA SSL 3DES
1. www.cisco.com/go/license
2. Continue to Product License Registration
3. Get Other Licenses
4. IPS Crypto Other...
5. ASA Search by Keyword
6. Product Cisco ASA 3DES/AES License Next
7. ASA ASA 3DES/AES
IPv6 Firefox Safari
ASA HTTPS IPv6 Firefox Safari https://bugzilla.mozilla.org/show_bug.cgi?id=633001 Firefox Safari ASA SSL ASDM ASA
ASA SSL RC4-MD5 RC4-SHA1 Chrome SSL
Chrome
ASA SSL RC4-MD5 RC4-SHA1 Chrome Chrome SSL ASDM Configuration > Device Management > Advanced > SSL Settings Run Chromium with flags --disable-ssl-false-start Chrome SSL
IE9 Internet Explorer 9.0Do not save encrypted pages to disk Tools > Internet Options > Advanced ASDM ASDM
OS X OS X ASDM Java ASDM
1-2 Java ASDM
Java 1-4 ASA ASDM
http://www.chromium.org/developers/how-tos/run-chromium-with-flags
1 ASA ASDM OS X 10.8 ASDM Apple ID
1. ASDM Ctrl Cisco ASDM-IDM Launcher Open
2. ASDM Open ASDM-IDM Launcher
1-2 Java ASDM
Java 1-5 ASA ASDM
1 ASA ASA
VPN VPN ASA
2015 3 23 ASA 9.4(1) /ASDM 7.4(1)
1-3 ASA 9.4(1) /ASDM 7.4(1)
ASA 5506W-X ASA 5506H-X ASA 5508-X ASA 5516-X
ASA 5506W-X ASA 5506H-X ASA 5508-X ASA 5516-X
hw-module module wlan recover image
(UCR) 2013
ASA DoD UCR 2013 UCR 2013
CA ASDM IKEv2 IKEv2 1-6 ASA ASDM
http://www.cisco.com/en/US/docs/security/asa/compatibility/asa-vpn-compatibility.html
1 ASA FIPS 140-2 ASA FIPS ASA FIPS 140-2
RSA DH - 2K 2048 RSA DH DH 1 768 2 1024 5 1536 IKEv1 FIPS
- SHA256 SSH - aes128-cbc aes256-cbc MACSHA1 ASA FIPS http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140InProcess.pdf PDF
http://csrc.nist.gov/groups/STM/cmvp/inprocess.html
fips enable
ASA SIP
SIP ASA SIP TLS IME
UC-IME SIP
SIP UC-IME TLS
Select SIP Inspect Map Phone Proxy UC-IME ProxyDCERPC ISystemMapper UUID RemoteGetClassObject opnum3
ASA 8.3 EPM DCERPC ISystemMapper UUID RemoteCreateInstance opnum4 RemoteGetClassObject opnum3
SNMP
ASA SNMP show snmp-server host ASA
VXLAN ASA VXLAN Configuration > Firewall > Service Policy Rules > Add Service Policy Rule > Rule Actions > Protocol Inspection
IPv6 DHCP IPv6 DHCP DHCP
Monitoring > Interfaces > DHCP > IPV6 DHCP Statistics
Monitoring > Interfaces > DHCP > IPV6 DHCP Binding
ASA
1-3 ASA 9.4(1) /ASDM 7.4(1)
1-7 ASA ASDM
1 ASA ASA
VLAN VNI BVI
Configuration > Device Management > High Availability and Scalability > ASA Cluster > Cluster Interface Health Monitoring
DHCP ASA ASA DHCP MAC DHCP DHCP
ASA SIP ASA SIP TLS
(PBR) ACL QoS 3 4 ACL QoS
Configuration > Device Setup > Routing > Route Maps > Policy Based Routing
Configuration > Device Setup > Routing > Interface Settings > Interfaces
VXLAN VXLAN VXLAN (VTEP) ASA VTEP
Configuration > Device Setup > Interface Settings > Interfaces > Add > VNI Interface
Configuration > Device Setup > Interface Settings > VXLAN
EEM
Configuration > Device Management > Advanced > Embedded Event Manager > Add Event Manager Applet > Add Event Manager Applet Event
show tech-support show crashinfo 50 logging buffer
1-3 ASA 9.4(1) /ASDM 7.4(1)
1-8 ASA ASDM
1 ASA
ECDHE-ECDSA TLSv1.2
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES256-GCM-SHA384
AES256-GCM-SHA384
ECDHE-ECDSA-AES256-SHA384
ECDHE-RSA-AES256-SHA384
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES128-GCM-SHA256
RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES128-SHA256
ECDHE-RSA-AES128-SHA256
ECDSA DHE Configuration > Remote Access VPN > Advanced > SSL Settings
SSL VPN Cookie
JavaScript SSL VPN Cookie TAC SSL VPN
Java Java
Sharepoint MS Office AnyConnect Web Citrix Receiver XenDesktop Xenon Configuration > Remote Access VPN > Clientless SSL VPN Access > Advanced > HTTP Cookie 9.2(3)
1-3 ASA 9.4(1) /ASDM 7.4(1)
1-9 ASA ASDM
1 ASA
ASA SSL Citrix (VDI) XenDesktop ASA Citrix
XenDesktop XenApp http://support.citrix.com/proddocs/topic/infocenter/ic-how-to-use.html
XenDesktop 7 http://support.citrix.com/proddocs/topic/xendesktop-7/cds-policies-wrapper-rho.html
XenDesktop 7 http://support.citrix.com/proddocs/topic/xendesktop-7/cds-policies-use-gpmc.html
SSL VPN OWA 2013
SSL VPN OWA 2013
Active Directory (AD FS) 2.0 ASA AD FS 2.0
SSL VPN Citrix XenDesktop 7.5 StoreFront 2.5
SSL VPN XenDesktop 7.5 StoreFront 2.5 XenDesktop 7.5 http://support.citrix.com/proddocs/topic/xenapp-xendesktop-75/cds-75-about-whats-new.html StoreFront 2.5 http://support.citrix.com/proddocs/topic/dws-storefront-25/dws-about.html
ASA VPN
Configuration > Device Management > Certificate Management > Identity Certificates
Configuration > Device Management > Certificate Management > CA Certificates
ASA 24 CA ID 60 7
Configuration > Device Management > Certificate Management > Identity Certificates
Configuration > Device Management > Certificate Management > CA Certificates
CA CA CA ASA CA ASA Configuration > Device Management > Certificate Management > CA Certificates
1-3 ASA 9.4(1) /ASDM 7.4(1)
1-10 ASA ASDM
1 ASA Web FTP (DMZ) DMZ DMZ URL DMZ ASA DMZ []
1-12 1-13 1-14
IKEv2 ASA SA SA ASA IKEv2 AnyConnect 3.1.06060
IKEv2 IKEv2 Configuration > Site-to-Site VPN > Connection Profiles
ASDM ASDM
Configuration > Device Management > Management Access > HTTP Certificate Rule
Configuration > Device Management > Users/AAA > AAA Access > Authorization
terminal interactive CLI ?
ASA CLI ? ? ? URL no terminal interactive
REST API 1.1 REST API 1.1
1-3 ASA 9.4(1) /ASDM 7.4(1)
1-11 ASA ASDM
1 ASA
ASA
1-12 NAT 1-12 IP 1-12 HTTP HTTPS FTP 1-12 1-12 1-13 QoS 1-13 TCP 1-13 1-13
EtherType IP
NAT
NAT NAT NAT IP IP
IP
ASA IP ICMP ASA IP
HTTP HTTPS FTP
FTP ASA URL ASA ASA CX ASA FirePOWER ASA (WSA)
IP ASA 1-12 ASA ASDM
1 ASA
ASA
QoS
QoS QoS
TCP
TCP UDP DoS ASA TCP DoS TCP SYN TCP TCP
DoS IP IPS ASA IPID TCP ASA
ASA
ASA ASA ASA EtherType 1-13 ASA ASDM
1 ASA
ASA
TCP
ASA
ASA
NAT (xlate)
ASA TCP ASA UDP ICMP ICMP
IP SCTPASA ICMP
7 7 FTP H.323 SNMP
ASA
IP
TCP NAT 3 4 7 HTTP 7 1-14 ASA ASDM
1 ASA VPN VPN VPN TCP/IP ASA ASA ASA ASA
ASA
ASA
ASA IPS
ASA ASA
ASA ASA ASA
1-15 ASA ASDM
1 ASA ASA
1-16 1-16 1-16
ASA WCCP
ASA 8.2 8.3 NAT 8.3 8.4 ASDM ASA
ASA 1-16 ASA ASDM
2
ASA 2-1 ASDM 2-7 ASDM 2-12 ASDM 2-13 2-15 2-20 ASDM 2-21 2-22
CLI ASDM CLI 34 Telnet SSH
ASAv ASAv
2-2 ASA 2-2 2-6 ASA 5506W-X 2-7 2-1 ASA ASDM
2
1 9600 8 1 ASA
2 Enter ciscoasa> EXEC EXEC
3 EXEC ciscoasa> enable
Password:
EXEC EXEC 4
Enter Telnet 18-1
ciscoasa#
disable exit quit 5
ciscoasa# configure terminal
ciscoasa(config)#
ASA exit quit end
ASA Telnet SSH ASASM ASASM CLI ASDM ASASM CLI
2-3 ASA 2-4 2-5 2-2 ASA ASDM
2 2-5 Telnet 2-6
CLI ASASM - service-module session ASASM
ASASM ASASM ROMMON
9600
Ctrl-Shift-6, x Ctrl - Shift - 6, x ASASM ASASM ASASM IOS Telnet session
ASASM
Telnet - session ASASM Telnet
ASASM ASASM Telnet passwd
ASASM Telnet
Telnet ASASM ASASM ROMMON Telnet 2-3 ASA ASDM
2 ASA
Telnet SSH ASASM ASASM Telnet SSH ASASM
1
- CLI ASASM service-module session [switch {1 | 2}] slot number
Router# service-module session slot 3
ciscoasa>
VSS switch show module EXEC
- CLI ASASM Telnet
session [switch {1 | 2}] slot number processor 1
ciscoasa passwd:
Router# session slot 3 processor 1
ciscoasa passwd: cisco
ciscoasa>
VSS switch session slot processor 0 ASASM ASASM 0 show module ASASM passwd EXEC
2 EXEC enable
ciscoasa> enable
Password:
ciscoasa#
EXEC disable exit quit 2-4 ASA ASDM
2 3
configure terminal
disable exit quit
34-1 Telnet 18-1
ASASM ASASM CLI 2-5
1 CLICtrl-Shift-6, x
asasm# [Ctrl-Shift-6, x]
Router#
Shift-6 (^) (^) terminal escape-character ascii_number default escape-character ascii_number ctrl-w, x terminal escape-character 23
ASASM
1 show users CLI con 127.0.0.slot0 slot Router# show users
2 0 con
Router# show users
    Line       User       Host(s)              Idle       Location
*   0 con 0               127.0.0.20           00:00:02
2 2
Router# clear line number
Router# clear line 0
Telnet
Telnet CLI
1 CLI ASASM EXEC exit exit Telnet
asasm# exit
Router#
Ctrl-Shift-6, x Telnet Enter Telnet Telnet CLI disconnect ASASM
ASA 5506-X ASA FirePOWER
session ASA CLI
1 ASA CLI session {sfr | cxsc | ips} console
ciscoasa# session sfr console
Opening console session with module sfr.
Connected to module sfr. Escape character sequence is 'CTRL-^X'.

Cisco ASA SFR Boot Image 5.3.1
asasfr login: admin
Password: Admin123
2 ASDM ASA 5506W-X
1 ASA CLI session wlan console
ciscoasa# session wlan console
opening console session with module wlan
connected to module wlan. Escape character sequence is CTRL-^X
ap>
2 CLI Aironet IOS
ASDM ASDM
ASDM ASAv 2-7 ASAv ASDM 2-8 ASA ASDM 2-10
ASDM ASAv ASDM
1 ASDM
ASA 5506-X ASA 5508-X ASA 5516-X - ASDM GigabitEthernet 1/2
ASA 5512-X - ASDM Management 0/0 ASAv - ASDM Management 0/0
ASA - 192.168.1.1 ASAv - IP 2-7 ASA ASDM
http://www.cisco.com/c/en/us/td/docs/wireless/access_point/15-3-3/configuration/guide/cg15-3-3.html
2 ASDM ASDM ASA - 192.168.1.0/24 DHCP
IP ASAv - IP ASAv DHCP
ASDM
2-15 8-14 ASDM 2-12
ASAv ASDM
ASDM IP
ASAv
1 CLI 2
firewall transparent
3
interface interface_id
nameif name
security-level level
no shutdown
ip address ip_address mask
ciscoasa(config)# interface management 0/0
ciscoasa(config-if)# nameif management
ciscoasa(config-if)# security-level 100
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# ip address 192.168.1.1 255.255.255.0
security-level 1 100 100 4 DHCP
dhcpd address ip_address-ip_address interface_name
dhcpd enable interface_name
ciscoasa(config)# dhcpd address 192.168.1.2-192.168.1.254 management
ciscoasa(config)# dhcpd enable management
5
route management_ifc management_host_ip mask gateway_ip 1
ciscoasa(config)# route management 10.1.1.0 255.255.255.0 192.168.1.50 1
6 ASDM HTTP http server enable
7 ASDM
http ip_address mask interface_name
ciscoasa(config)# http 192.168.1.0 255.255.255.0 management
8
write memory
9
mode multiple
ASA
Management 0/0 ASDM
firewall transparent
interface management 0/0
ip address 192.168.1.1 255.255.255.0
nameif management
security-level 100
no shutdown
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
http server enable
http 192.168.1.0 255.255.255.0 management
2-15 6-7 2-2 ASDM 2-12 8
ASA ASDM ASASM ASDM ASASM CLI ASDM ASDM ASASM
ASASM VLAN ASASM
1 ASASM 2
firewall transparent
3
- interface vlan number
ip address ip_address [mask]
nameif name
security-level level
ciscoasa(config)# interface vlan 1
ciscoasa(config-if)# ip address 192.168.1.1 255.255.255.0
ciscoasa(config-if)# nameif inside
ciscoasa(config-if)# security-level 100
security-level 1 100 100 - VLAN
interface bvi number
ip address ip_address [mask]
interface vlan number
bridge-group bvi_number
nameif name
security-level level
ciscoasa(config)# interface bvi 1
ciscoasa(config-if)# ip address 192.168.1.1 255.255.255.0
ciscoasa(config)# interface vlan 1
ciscoasa(config-if)# bridge-group 1
ciscoasa(config-if)# nameif inside
ciscoasa(config-if)# security-level 100
security-level 1 100 100 4 DHCP
dhcpd address ip_address-ip_address interface_name
dhcpd enable interface_name
ciscoasa(config)# dhcpd address 192.168.1.2-192.168.1.254 inside
ciscoasa(config)# dhcpd enable inside
5
route management_ifc management_host_ip mask gateway_ip 1
ciscoasa(config)# route management 10.1.1.0 255.255.255.0 192.168.1.50
6 ASDM HTTP http server enable
7 ASDM
http ip_address mask interface_name
ciscoasa(config)# http 192.168.1.0 255.255.255.0 management
8
write memory
9
mode multiple
ASASM
VLAN 1 ASDM
interface vlan 1
nameif inside
ip address 192.168.1.1 255.255.255.0
security-level 100
dhcpd address 192.168.1.3-192.168.1.254 inside
dhcpd enable inside
http server enable
http 192.168.1.0 255.255.255.0 inside
VLAN 1 BVI 1 ASDM
firewall transparent
interface bvi 1
ip address 192.168.1.1 255.255.255.0
interface vlan 1
bridge-group 1
nameif inside
security-level 100
dhcpd address 192.168.1.3-192.168.1.254 inside
dhcpd enable inside
http server enable
http 192.168.1.0 255.255.255.0 inside
ASA 2-2 8 6-7
ASDM ASDM
ASDM-IDM - ASA ASA IP ASA ASDM
Java Web Start - ASA Java Web Start ASA IP
ASDM ASA IP Java Web Start ASA ASDM ASDM java Web Start ASDM
1 ASDM URL https://asa_ip_address/admin
ASDM Install ASDM Launcher and Run ASDM Run ASDM Run Startup Wizard
2
a. Install ASDM Launcher and Run ASDM
b. OK HTTPS
enable ASDM HTTPS 2-12 ASA ASDM
2 ASDM c. ASDM-IDM d. IP OK
HTTPS 3 Java Web Start
a. Run ASDM Run Startup Wizard
b.
c. Java Web Start
d. ASDM-IDM
e. OK HTTPS
ASDM ASDM ASDM ASDM
ASDM 2-13 ASDM 2-13
ASDM Java 7 update 51 ASDM Java Web Start ASDM ASA ASDM Java http://www.cisco.com/go/asdm-certificate
ASDM ASDM 512 KB ASDM ASDM
Windows ASDM 2-13 Mac ASDM 2-14
Windows ASDM
ASDM run.bat
1. ASDM C:\Program Files (x86)\Cisco Systems\ASDM
2. run.bat
3. start javaw.exe -Xmx 768 MB -Xmx768M 1 GB -Xmx1G
4. run.bat
Mac ASDM
ASDM Info.plist
1. Cisco ASDM-IDM Show Package Contents
2. Contents Info.plist
Property List Editor TextEdit 3. Java > VMOptions -Xmx
768 MB -Xmx768M 1 GB -Xmx1G
4.
5. Unlock Unlock Cisco ASDM-IDM Copy Cisco ASDM-IDM 2-14 ASA ASDM
2 ASA
ASA - ASDM
ASAv - ASDM IP
ASASM - ASA 2-2 ASAv
log/crypto_archive/ coredumpinfo/coredump.cfg
2-15 ASAv 2-16 ASA 5506-X 5508-X 5516-X 2-17 ASA 5512-X 5515-X 5525-X 2-18 ASAv 2-18
CLI ASDM ASAv ASA
ASASM
IP ASA
1
configure factory-default [ip_address [mask]]
ciscoasa(config)# configure factory-default 10.1.1.1 255.255.255.0
ip_address IP IP 192.168.1.1 http dhcpd address 2-15 ASA ASDM
2 boot system boot system ASA ASA
2
write memory
boot config
1 ASDM File > Reset Device to the Factory Default Configuration Reset Device to the Default Configuration
2 Management IP address IP 192.168.1.1
3 Management Subnet Mask 4 OK
Configuration > Device Management > System Image/Configuration > Boot Image/Configuration ASA ASA
5 Yes 6 File > Save Running Configuration to Flash
ASAv ASAv 0
1
2 write erase2-16 ASA ASDM
2 ASAv boot image
3 ASAvreload
4
ASA 5506-X 5508-X 5516-X ASA 5506-X 5508-X 5516-X
--> - GigabitEthernet 1/1 GigabitEthernet 1/2 DHCP IP IP - 192.168.1.1 (ASA 5506W-X) WiFi WiFi --> - GigabitEthernet 1/9 (WiFi) (ASA 5506W-X) WiFi IP - 192.168.10.1 WiFi DHCP ASA DHCP Management 1/1 ASA FirePOWER
ASA ASDM - WiFi NAT - WiFi PAT
interface Management1/1
management-only
no nameif
no security-level
no ip address
no shutdown
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address dhcp setroute
no shutdown
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
no shutdown
object network obj_any
subnet 0.0.0.0 0.0.0.0
nat (any,outside) dynamic interface
http server enable
http 192.168.1.0 255.255.255.0 inside
dhcpd auto_config outside
dhcpd address 192.168.1.5-192.168.1.254 inside
dhcpd enable inside
logging asdm informational
ASA 5506W-X
same-security-traffic permit inter-interface
interface GigabitEthernet 1/9
security-level 100
nameif wifi
ip address 192.168.10.1 255.255.255.0
no shutdown
http 192.168.10.0 255.255.255.0 wifi
dhcpd address 192.168.10.2-192.168.10.254 wifi
dhcpd enable wifi
ASA 5512-X 5515-X 5525-X ASA 5512-X 5515-X 5525-X
- Management 0/0 IP - 192.168.1.1/24 DHCP - 192.168.1.2
192.168.1.254 ASDM -
interface management 0/0
ip address 192.168.1.1 255.255.255.0
nameif management
security-level 100
no shutdown
asdm logging informational 100
asdm history enable
http server enable
http 192.168.1.0 255.255.255.0 management
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable management
ASAv ASAv ASDM Management 0/0
Management 0/0 management IP DHCP 0 2-18 ASA ASDM
2 IP HTTP IP HTTP GigabitEthernet 0/8 IP Management0/0 IP DNS ID
Smart Call Home HTTP URL SSH
IP
SSH REST API
ASAvASAv
interface Management0/0
nameif management
security-level 0
ip address ip_address
management-only
no shutdown
http server enable
http management_host_IP mask management
route management management_host_IP mask gateway_ip 1
dns server-group DefaultDNS
name-server ip_address
call-home
http-proxy ip_address port port
license smart
feature tier standard
throughput level {100M | 1G | 2G}
license smart register idtoken id_token
aaa authentication ssh console LOCAL
username username password password
ssh source_IP_address mask management
rest-api image boot:/path
rest-api agent
interface Management0/0
nameif management
security-level 0
ip address ip_address standby standby_ip
management-only
no shutdown
route management management_host_IP mask gateway_ip 1
http server enable
http management_host_IP mask management
dns server-group DefaultDNS
name-server ip_address
call-home
http-proxy ip_address port port
license smart
feature tier standard
throughput level {100M | 1G | 2G}
license smart register idtoken id_token
aaa authentication ssh console LOCAL
username username password password
ssh source_IP_address mask management
rest-api image boot:/path
rest-api agent
failover
failover lan unit primary
failover lan interface fover gigabitethernet0/8
failover link fover gigabitethernet0/8
failover interface ip fover primary_ip mask standby standby_ip
ASA
ASDM 512 KB ASDM 2-13
1 Wizards > Startup Wizard 2 IPsec VPN IPSec VPN Wizards > IPsec VPN Wizards
3 SSL VPN SSL VPN Wizards > SSL VPN Wizards
4 Wizards > High Availability and Scalability Wizard
5 Wizards > Packet Capture Wizard 6 ASDM GUI View > Office Look and Feel 7 Configuration
Configuration Refresh
8 ASA Monitoring 2-20 ASA ASDM
2 ASDM ASDM ASDM CLI
2-21 ASDM 2-22
ASA CLI ASDM CLI
ASDM CLI ASA -
Response - CLI ASDM noconfirm
crypto key generate rsa modulus 1024 noconfirm
- ASA ASDM CLI ASA ASA Monitoring > Properties > Device Access
1 ASDM Tools > Command Line Interface Command Line Interface
2 3 Send 4 Clear Response 5 Enable context-sensitive help (?)
6 Command Line Interface Refresh ASDM 2-21 ASA ASDM
2 ASDM ASDM ASDM ASDM 3-29
1 ASDM Tools > Show Commands Ignored by ASDM on Device 2 OK
show QoS service-policy show service-policy QoS
clear local-host [ip_address] [all] show local-host all all IP ip_address
clear conn [all] [protocol {tcp | udp}] [address src_ip[-src_ip] [netmask mask]] [port src_port[-src_port]] [address dest_ip[-dest_ip] [netmask mask]] [port dest_port[-dest_port]] show conn all IP IP /2-22 ASA ASDM
3
ASDM
ASDM ASDM 3-1 ASDM 3-3 3-4 3-8 ASDM Assistant 3-8 3-9 3-9 3-10 3-10 ASDM 3-12 ACL Manager 3-12 3-13 3-13 Home 3-13 Home (System) 3-26 ASDM 3-27 ASDM Assistant 3-28 3-29 3-29
ASDM ASDM ASA ASDM
ASDM Home Configuration
Monitoring 3-1 ASA ASDM
3 ASDM ASDM Navigation Configuration Monitoring Configuration Monitoring Navigation Content
Configuration > Device Setup > Startup Wizard Content
Navigation Content Navigation Device List ASDM
SSL Navigation NAT AAA
ASDM Assistant
ASDM
3-1 ASDM
3-2 ASA ASDM
3 ASDM ASDM
GUI Wizards Configuration Monitoring
ASDM ASDM Navigation Device List
Device Setup Firewall Botnet Traffic Filter Remote Access VPN Site to Site VPN Device Management Configuration Monitoring Home
1
2
Show More Buttons Show Fewer Buttons Add or Remove Buttons
GUI
3 ASDM Option Option
Move Up Move Down Reset
3 OK
ASDM 3-10 ASDM
File 3-4 View 3-5 Tools 3-6 Wizards 3-7 Window 3-7 Help 3-7
File File ASA
File Refresh ASDM with the Running Configuration on the Device
ASDM
Reset Device to the Factory Default Configuration
Show Running Configuration in New Window
Save Running Configuration to Flash
Save Running Configuration to TFTP Server
TFTP
Save Running Configuration to Standby Unit
Save Internal Log Buffer to Flash Print
Internet Explorer3-4 ASA ASDM
3 ASDM View View ASDM
Clear ASDM Cache ASDM ASDM ASDM
Clear ASDM Password Cache
Clear Internal Log Buffer Exit ASDM
File
View
Home Home Configuration Configuration Monitoring Monitoring Device List 3-9 Navigation Configuration Monitoring Navigation ASDM Assistant ASDM
ASDM Assistant 3-8 Latest ASDM Syslog Messages
Home Latest ASDM Syslog Messages Home %ASA-1-211004 24
Addresses Addresses Addresses Configuration Access Rules, NAT Rules, Service Policy Rules, AAA Rules, Filter Rules
Services Services Services Configuration Access Rules, NAT Rules, Service Policy Rules, AAA Rules, Filter Rules
Time Ranges Time Ranges Time Ranges Configuration Access Rules, Service Policy Rules, AAA Rules, Filter Rules
Select Next Pane Service Policies Rules Address
Select Previous Pane Back Forward Find in ASDM ASDM AssistantReset Layout Office Look and Feel Microsoft Office 3-5 ASA ASDM
3 ASDM Tools Tools ASDM
Tools
Command Line Interface ASA Show Commands Ignored by ASDM on Device
ASDM
Packet Tracer
Ping ASA
Traceroute
File Management TFTP PC
Check for ASA/ASDM Updates
ASA ASDM
Upgrade Software from Local Computer
PC ASA ASDM
Downgrade Software ASA Backup Configurations ASA Cisco Secure Desktop SSL VPN
Restore Configurations ASA Cisco Secure Desktop SSL VPN
System Reload ASDM Administrators Alert to Clientless SSL VPN Users
SSL VPN VPN
Migrate Network Object Group Members
8.3 ASA IP ASDM IP IP
ASA ASDM ASA IP ASDM ASDM Tools > Migrate Network Object Group Members ASA 5500 8.3
Preferences ASDM ASDM 3-27
ASDM Java Console Java 3-6 ASA ASDM
3 ASDM Wizards Wizards
Window Window ASDM
Help Help ASDM ASA
Wizards
Startup Wizard ASA VPN Wizards VPN VPN High Availability and Scalability Wizard
VPN ASA ASA
Unified Communication Wizard
ASA IP
ASDM Identity Certificate Wizard
Java 7 update 51 ASDM Java Web Start ASDM http://www.cisco.com/go/asdm-certificate
Packet Capture Wizard ASA
Help
Help Topics ASDM ASDM ASA FirePOWER ASDM Help Topics
ASA FirePOWER Help Topics
ASA FirePOWER ASDM
Help for Current Screen ? Help
Release Notes Cisco.com ASDM ASDM
Cisco ASA Series Documentation
Cisco.com
ASDM Assistant ASDM Assistant Cisco.com
About Cisco Adaptive Security Appliance (ASA)
ASA
About Cisco ASDM ASDM Java 3-7 ASA ASDM
3 ASDM Home Configuration Monitoring
ASDM Assistant ASDM Assistant ASDM
View > ASDM Assistant > How Do I? Look For Find How Do I? ASDM Assistant
1 View > ASDM Assistant ASDM Assistant
2 Search Go Search Results
3 Search Results and Features
Home Home ASA Home 3-13 Home
Configuration ASA Navigation Monitoring ASA Navigation Save Save ASA Changes
ASA FirePOWER ASDM Save ASA Changes
Refresh ASDM Monitoring Back ASDM Forward ASDM Help Search ASDM Search
Back Forward ASDM Assistant 3-8 3-8 ASA ASDM
3 ASDM ASDM
ASDM ASA Monitoring Home ASDM
Device List Home Configuration Monitoring System System ASDM
1 Add Add Device
2 IP OK 3 Delete 4 Connect
Enter Network Password 5 Login
Status Device configuration loaded successfully.
Failover
User Name ASDM admin
User Privilege
ASDM Commands Ignored by ASDM
ASDM
Connection to Device ASDM ASA 3-9
Syslog Connection ASA SSL Secure ASDM SSLTime ASA 3-9 ASA ASDM
3 ASDM ASDM
ASDM ASDM
Apply ASDM ASA Save Reset Refresh Apply
Reset Refresh
Restore Default Cancel Enable Close Clear Back Forward Help
3-1
Windows/Linux MacOS
Home Ctrl+H Shift+Command+H
Configuration Ctrl+G Shift+Command+G
Monitoring Ctrl+M Shift+Command+M
Help F1 Command+?
Back Alt+ Command+[
Forward Alt+ Command+]
F5 Command+R
Cut Ctrl+X Command+X
Copy Ctrl+C Command+C
Paste Ctrl+V Command+V
Ctrl+S Command+S
Shift+F10 -
Alt+F4 Command+W
3 ASDM
Find Ctrl+F Command+F
Exit Alt+F4 Command+Q
Ctrl+Shift Ctrl+Shift+Tab
Ctrl+Shift Ctrl+Shift+Tab
3-1
Windows/Linux MacOS
3-2
Shift+Tab Ctrl+Tab Shift+Ctrl+Tab Next Previous
Shift+Tab F6 Shift+F6
3-3
Windows/Linux MacOS
Ctrl+U Command+
F5 Command+R
Ctrl+Delete Command+Delete
Ctrl+C Command+C
Ctrl+S Command+S
Ctrl+P Command+P
Alt+F4 Command+W
3 ASDM ASDM
ASDM ASDM ASDM Find *? * Find Match Case
B*ton-L* Boston-LA Boston-Lisbon Boston-London
Bo?ton Boston, Bolton
ACL Manager ACL ACE ACL Manager ACL Manager
1 ACL Manager Find 2 Filter
Source - IP IP 4
Destination - Source IP IP 4
Source or Destination - 4 Service - 4 Query - Query Query
Source Destination Source or Destination Service
3-4
Windows/Linux
3-12 ASA ASDM
3 ASDM 3
is - 4 contains - 4 ACL ACE
4 ACL ACE Browse ACL/ACE
5 Filter ASDM ACL ACE
6 Clear ACL ACE 7 x
Tab JAWS
1 Tools > Preferences Preferences
2 General Enable screen reader support 3 OK 4 ASDM
Navigation
Home ASDM Home ASA Home 10 Device Dashboard Firewall Dashboard IPSCX ASA FirePOWER 3-13 ASA ASDM
3 ASDM Home Device Dashboard Device Dashboard ASA
Device Dashboard
3-2 Device Dashboard
GUI
1 Device Information 3-15 2 Interface Status 3-16 3 VPN Sessions 3-16 4 Traffic Status 3-16 5 System Resources Status 3-16 6 Traffic Status 3-16 - 3-9 - Latest ASDM Syslog Messages 3-17 3-14 ASA ASDM
3 ASDM Home Device Information
Device Information General License General Environment Status
General
ASA
Host name - ASA
ASA version - ASA
ASDM version - ASDM
Firewall mode -
Total flash - RAM
ASA Cluster Role - Master Slave
Device uptime -
Context mode -
Total Memory - ASA DRAM
Environment status - General Environment Status
(+) CPU Environment Status (+) OK (+) Critical
ASA Memory Insufficient Warning ASA ASDM OK
License
More Licenses Configuration > Device Management > Licensing > Activation Key 3-15 ASA ASDM
3 ASDM Home Cluster
Virtual Resources (ASAv)
ASAv vCPU RAM ASAv
Interface Status
Kbps
VPN Sessions
VPN Details Monitoring > VPN > VPN Statistics > Sessions
Failover Status
Configure High Availability and Scalability Wizard Active/Active Active/Standby Details Monitoring > Properties > Failover > Status
System Resources Status
CPU
Traffic Status
outside ASDM 3-16 ASA ASDM
3 ASDM Home Latest ASDM Syslog Messages
ASA 100 Enable Logging 3-3 Latest ASDM Syslog Messages
3-3 Latest ASDM Syslog Messages
Clear Content Save Content PC Copy Color Settings
GUI
1 2 3 4 Latest ASDM
Syslog Messages
5 View Latest ASDM Syslog Messages 6 7 8 Logging Filters 3-17 ASA ASDM
3 ASDM Home Firewall Dashboard Firewall Dashboard ASA Firewall Dashboard 3-4 Firewall Dashboard
3-4 Firewall Dashboard
GUI
1 Traffic Overview 3-19 2 Top 10 Access Rules 3-19 3 Top Usage Status 3-19 Top Ten Protected Servers Under SYN Attack 3-20 Top 200 Hosts 3-20 Top Botnet Traffic Filter Hits 3-20 3-18 ASA ASDM
3 ASDM Home Traffic Overview
Enable
NAT
TCP SYN UDP
Top 10 Access Rules
Enable Table Show Rule Access Rules
Top Usage Status
Top 10 Services -
Top 10 Sources -
Top 10 Destinations -
Top 10 Users -
Top 10 Services Top 10 Sources Top 10 Destinations Enable
Top 10 Services Enable Top 10 Sources Top 10 Destinations Enable
Top 10 Users IP ASA IP - ASA Microsoft Active Directory Cisco Active Directory (AD) Top 10 Users Top 10 Users 10 EPS EPS domain\user_name EPS EPS
ASA 3-19 ASA ASDM
3 ASDM Home Top Ten Protected Servers Under SYN Attack
Enable 10 ASA 30 30 IP Detail 1000 10 ASA 60 30 60
Top 200 Hosts
ASA 200 IP 120 hpm topnenable
Top Botnet Traffic Filter Hits
Botnet Traffic Filter 10 10 IP whois 3-20 ASA ASDM
3 ASDM Home Cluster Dashboard ASA Cluster Dashboard
Cluster Members - IP
ASDM IP IP IP ASDM IP
System Resource Status - CPU
Traffic Status - Connections Per Second
Cluster Overall -
Per-Member Total -
Throughput
Cluster Overall -
Per-Member Throughput -
Load Balancing
Per-Member Percentage of Total Traffic -
Per-Member Locally Processed Traffic -
Control Link Usage
Per-Member Receival Capacity Utilization -
Per-Member Transmittal Capacity Utilization -
Cluster Firewall Dashboard Cluster Firewall Dashboard N Firewall Dashboard 3-22 ASA ASDM
3 ASDM Home Intrusion Prevention Intrusion Prevention IPS ASA IPS
IPS
1 Intrusion Prevention Connecting to IPS
2 IP IP 192.168.1.2:443 cisco cisco
3 Save IPS login information on local host PC 4 Continue3-23 ASA ASDM
3 ASDM Home
Intrusion Prevention Health Dashboard
3-5 Intrusion Prevention (Health Dashboard)
GUI
1 Sensor Information 2 Sensor Health 3 CPU Memory Load 4 Interface Status 5 Licensing 3-24 ASA ASDM
3 ASDM Home ASA CX Status ASA CX Status ASA CX ASA ASA CX
ASA FirePOWER ASA FirePOWER Status FireSIGHT ASA FirePOWER ASDM FireSIGHT ASA FirePOWER
ASA FirePOWER Dashboard -
ASA FirePOWER Reporting - 10 Web 3-25 ASA ASDM
3 ASDM Home (System)Home (System) ASDM System Home ASA ASDM System Home ASDM ASA System Home 10 System Home
3-6 System Home
GUI
1 2 Interface Status 3 Connection Status 4 CPU Status 5 Memory Status 3-26 ASA ASDM
3 ASDM ASDM ASDM ASDM ASDM
1 Tools > Preferences Preferences General Rules Table Syslog
2 General Rules Table Rules Syslog Home NetFlow
3 General Warn that configuration in ASDM is out of sync with the configuration in ASA
Show configuration restriction message to read-only user You are not allowed to modify the ASA configuration, because you do not have sufficient privileges.
Show configuration restriction message on a slave unit in an ASA cluster
Confirm before exiting ASDM ASDM
Enable screen reader support (requires ASDM restart) ASDM
Warn of insufficient ASA memory when ASDM loads ASA ASDM ASDM ASDM 24
Communications Preview commands before sending them to the device ASDM
CLI Enable cumulative (batch) CLI delivery ASA 60
Logging Enable logging to the ASDM Java console Java Logging Level
Packet Capture Wizard Network Sniffer Application Browse
4 Rules Table Rules
Auto-expand network and service object groups with specified prefix Auto-Expand Prefix
Auto-Expand Prefix Show members of network and service object groups Rules
3-27 ASA ASDM
-
3 ASDM ASDM Assistant Limit Members To n
Show all actions for service policy rules Rules
Rules ASA Issue clear xlate command when deploying access lists
NAT ASA Access Rule Hit Count Settings Access Rules
Access Rules Update access rule hit counts automatically Access Rules
Access Rules 10 86400 5 Syslog
Syslog Colors Severity Pick a Color Swatches OK HSB H S B OK RGB Red Green Blue OK
NetFlow Warn to disable redundant syslog messages when NetFlow action is first applied to the global service policy rule
6 OK Preferences
.conf ASDM ASDM
ASDM Assistant ASDM Assistant ASDM View > ASDM Assistant > How Do I? Look For Find How Do I? ASDM Assistant
1 View > ASDM Assistant ASDM Assistant
2 Search Go Search Results
3 Search Results and Features 3-28 ASA ASDM
-
3 ASDM Configuration > Device Management > Advanced > History Metrics ASA ASDM / 10 60 12 5
1 Configuration > Device Management > Advanced > History Metrics History Metrics
2 ASDM History Metrics Apply
ASDM ASA ASDM Tools > Show Commands Ignored by ASDM on Device
CLI ASDM ASDM ASDM ASDM GUI GUI
3-5
ASDM
capture coredump CLI crypto engine large-mod-accel dhcp-server (tunnel-group name general-attributes)
ASDM DHCP
eject established failover timeout fips nat-assigned-to-public-ip pager pim accept-register route-map ASDM list 3-29 ASA ASDM
-
3 ASDM
ASDM ASDM Tools > Show Commands Ignored by ASDM on Device
ASDM 255.255.0.255 ip address inside 192.168.2.1 255.255.0.255
ASDM CLI ASDM CLI CLI ASDM [yes/no] ASDM
1. Tools > Command Line Interface
2. crypto key generate rsa
ASDM 1024 RSA
3. crypto key generate rsa
ASDM RSA RSA
Do you really want to replace them? [yes/no]:WARNING: You already have RSA ke0000000000000$A key
Input line must be less than 16 characters in length.
%Please answer 'yes' or 'no'.
Do you really want to replace them [yes/no]:
%ERROR: Timed out waiting for a response.
ERROR: Failed to create new RSA keys names
service-policy global match access-list
access-list myacl extended permit ip any any
class-map mycm
 match access-list myacl
policy-map mypm
 class mycm
  inspect ftp
service-policy mypm global
set metric sysopt nodnsalias sysopt uauth allow-http-cache terminal threat-detection rate
3-5
ASDM 3-30 ASA ASDM
-
3 ASDM
ASDM noconfirm CLI CLI
crypto key generate rsa noconfirm
3-31 ASA ASDM
-
3 ASDM 3-32 ASA ASDM
-
4
ASA ASA (PAK) ASAv 5 ASAv
4-1 PAK 4-16 PAK 4-24 PAK 4-25 AnyConnect 3 4-27 PAK 4-32 PAK 4-33
4-1 4-13
ASA 5506-X ASA 5506W-X ASA 5506H-X 4-2 ASA 5508-X 4-3 ASA 5512-X 4-3 ASA 5515-X 4-4 ASA 5516-X 4-5 ASA 5525-X 4-6 ASA 5545-X 4-7 ASA 5555-X 4-8 SSP-10 ASA 5585-X 4-9 SSP-20 ASA 5585-X 4-10 4-1 ASA ASDM
-
4 SSP-40 SSP-60 ASA 5585-X 4-11 ASA 4-12 24 500 AnyConnect GTP/GPRS
4-23
4-13
ASA 5506-X ASA 5506W-X ASA 5506H-X
4-1 ASA 5506-X ASA 5506W-X ASA 5506H-X
20,000 50,000GTP/GPRS UC 160 160VPN AnyConnect Plus Apex AnyConnect
AnyConnect
50 50
VPN AnyConnect
AnyConnect Essentials AnyConnect VPN
VPN 50 50 VPN 10 50VPN
(DES) (3DES/AES) (DES) (3DES/AES) / 536 636
VLAN 5 304-2 ASA ASDM
-
4 ASA 5508-X
ASA 5512-X
4-2 ASA 5508-X
100,000GTP/GPRS UC 320VPN AnyConnect Plus Apex AnyConnect
AnyConnect
100
VPN AnyConnect
AnyConnect Essentials AnyConnect
VPN
VPN
100
VPN 100VPN
(DES) (3DES/AES) // 716 2 5
VLAN 50
4-3 ASA 5512-X
100,000 250,000GTP/GPRS 4-3 ASA ASDM
-
4 ASA 5515-X
UC 2 2 24 50 100 250 500 24 50 100 250 500
VPN AnyConnect Plus Apex AnyConnect
AnyConnect
250 250 AnyConnect Plus Apex
AnyConnect Plus Apex
VPN AnyConnect
AnyConnect Essentials AnyConnect
VPN
VPN
250 250
VPN 250 250VPN
(DES) (3DES/AES) (DES) (3DES/AES) // 716 916 2 5 2IPS VLAN 50 100
4-3 ASA 5512-X
4-4 ASA 5515-X
250,000GTP/GPRS UC 2 24 50 100 250 5004-4 ASA ASDM
-
4 ASA 5516-X
VPN AnyConnect Plus Apex AnyConnect
AnyConnect
250 AnyConnect Plus Apex
VPN AnyConnect
AnyConnect Essentials AnyConnect
VPN
VPN
250
VPN 250VPN
(DES) (3DES/AES) // 916 2 5 2IPS VLAN 100
4-4 ASA 5515-X
4-5 ASA 5516-X
250,000GTP/GPRS UC 1000VPN AnyConnect Plus Apex AnyConnect
AnyConnect
300
VPN AnyConnect
4-5 ASA ASDM
-
4 ASA 5525-X
AnyConnect Essentials AnyConnect
VPN
VPN
300
VPN 300VPN
(DES) (3DES/AES) // 1,116 2 5
VLAN 150
4-5 ASA 5516-X
4-6 ASA 5525-X
500,000GTP/GPRS UC 2 24 50 100 250 500 750 1000VPN AnyConnect Plus Apex AnyConnect
AnyConnect
750 AnyConnect Plus Apex
VPN AnyConnect
AnyConnect Essentials AnyConnect
VPN
VPN
750
VPN 7504-6 ASA ASDM
-
4 ASA 5545-X
VPN
(DES) (3DES/AES) // 1316 2 5 10 20 2IPS VLAN 200
4-6 ASA 5525-X
4-7 ASA 5545-X
750,000GTP/GPRS UC 2 24 50 100 250 500 750 1000 2000VPN AnyConnect Plus Apex AnyConnect
AnyConnect
2500 AnyConnect Plus Apex
VPN AnyConnect
AnyConnect Essentials AnyConnect
VPN
VPN
2500
VPN 2500VPN
(DES) (3DES/AES) // 1716 2 5 10 20 504-7 ASA ASDM
-
4 ASA 5555-X
2IPS VLAN 300
4-7 ASA 5545-X
4-8 ASA 5555-X
1,000,000GTP/GPRS UC 2
24 50 100 250 500 750 1000 2000 3000VPN AnyConnect Plus Apex AnyConnect
AnyConnect
5000 AnyConnect Plus Apex
VPN AnyConnect
AnyConnect Essentials AnyConnect
VPN
VPN
5000
VPN 5000VPN
(DES) (3DES/AES) // 2516 2 5 10 20 50 100 2IPS VLAN 5004-8 ASA ASDM
-
4 SSP-10 ASA 5585-X
SSP SSP SSP-10 SSP-20 SSP SSP
4-9 SSP-10 ASA 5585-X
1,000,000GTP/GPRS UC 2
24 50 100 250 500 750 1000 2000 3000VPN AnyConnect Plus Apex AnyConnect
AnyConnect
5000 AnyConnect Plus Apex
VPN AnyConnect
AnyConnect Essentials AnyConnect
VPN
VPN
5000
VPN 5000VPN
10 GE I/O 1 GE
10 GE
(DES) (3DES/AES) // 4612 2 5 10 20 50 100 16 VLAN 10244-9 ASA ASDM
-
4 SSP-20 ASA 5585-X
SSP SSP SSP-20 SSP-40 SSP SSP
4-10 SSP-20 ASA 5585-X
2,000,000GTP/GPRS UC 2
24 50 100 250 500 750 1000 2000 3000 5000 10,0001
1. 10,000 UC 10,000 5000
VPN AnyConnect Plus Apex AnyConnect
AnyConnect
10,000 AnyConnect Plus Apex
VPN AnyConnect
AnyConnect Essentials AnyConnect
VPN
VPN
10,000
VPN 10,000VPN
10 GE I/O 1 GE
10 GE
(DES) (3DES/AES) // 4612 2 5 10 20 50 100 250 16 VLAN 10244-10 ASA ASDM
-
4 SSP-40 SSP-60 ASA 5585-X
SSP SSP SSP-40 SSP-60 SSP SSP
4-11 SSP-40 SSP-60 ASA 5585-X
SSP-40 5585-X4,000,000 SSP-60 5585-X10,000,000GTP/GPRS UC 2
24 50 100 250 500 750 1000 2000 3000 5000 10,0001
1. 10,000 UC 10,000 5000
VPN AnyConnect Plus Apex AnyConnect
AnyConnect
10,000 AnyConnect Plus Apex
VPN AnyConnect
AnyConnect Essentials AnyConnect
VPN
VPN
10,000
VPN 10,000VPN
10 GE I/O 10 GE (DES) (3DES/AES) // 4612 2 5 10 20 50 100 250 16 VLAN 10244-11 ASA ASDM
-
4 ASA
4-12 ASASM
10,000,000GTP/GPRS UC 2
24 50 100 250 500 750 1000 2000 3000 5000 10,0001
1. 10,000 UC 10,000 5000
VPN AnyConnect Plus Apex AnyConnect
AnyConnect
10,000 AnyConnect Plus Apex
VPN AnyConnect
AnyConnect Essentials AnyConnect
VPN
VPN
10,000
VPN 10,000VPN
(DES) (3DES/AES) // 2
5 10 20 50 100 250
VLAN 10004-12 ASA ASDM
-
4
4-13
AnyConnect Essentials AnyConnect Plus Apex
AnyConnect VPN SSL VPN IKEv2 IPsec VPN SSL VPN AnyConnect AnyConnect AnyConnect VPN Web
(WebLaunch) AnyConnect
AnyConnect AnyConnect ASA AnyConnect AnyConnect ASA AnyConnect AnyConnect ASA AnyConnect webvpn no anyconnect-essentials ASDM Configuration > Remote Access VPN > Network (Client) Access > Advanced > AnyConnect Essentials
VPN AnyConnect
AnyConnect Plus Apex
AnyConnect AnyConnect IP 4-13 ASA ASDM
-
4 AnyConnect
AnyConnect Plus Apex
Windows Mobile 5.06.0 6.1 AnyConnect AnyConnect 2.3 SSL VPN AnyConnect AnyConnect
ASA AnyConnect Mobile AnyConnect AnyConnect
AnyConnect DAP DAP
AnyConnect ASDM CLI ASDM
DAP AnyConnect Premium AnyConnect Plus Apex
AnyConnect VPN SSL VPN SSL VPN IKEv2 IPsec VPN
AnyConnect AnyConnect Plus Apex
ASA ASA ASA
(3DES/AES) DES 3DES DES
DES VLAN EtherChannel
interface
4-13
4-14 ASA ASDM
-
4 IPS IPS ASA IPS IPS IPS
IPS IPS ASAIPS ASA5515-IPS-K9 IPS ASA IPS
IPS ASA
IPS IPS ASA IPS IPS IPS
VPN VPN VPN IKEv1 IPsec VPN IKEv1 IPsec VPN IKEv2 IPsec VPN
VPN
VPN VPN AnyConnect VPN VPN VPN ASA
SSL VPN AnyConnect 1 AnyConnect SSL VPN 2
4-13
4-15 ASA ASDM
-
4 PAK PAK ASA 160 5 32 20 11
4-17 4-17 4-17
UC TLS UC TLS UC Mobility Advantage
UC 2 TLS 2 UC tls-proxy maximum-sessions ASDM Configuration > Firewall > Unified Communications > TLS Proxy TLS tls-proxy maximum-sessions ? TLS UC ASA TLS UC TLS UC TLS UC UC
K8 250 TLS 1000 k9 250 TLS K8 K9 K8 K9
clear configure all TLS UC tls-proxy maximum-sessions ASDM TLS Proxy write standby ASDM File > Save Running Configuration to Standby Unit clear configure all TLS
SRTP K8 SRTP 250 K9
/ SRTP SRTP
CPU ASAv vCPU 100 kbps
VLAN VLAN VLAN
VPN VPN (3DES/AES)
4-13
4-16 ASA ASDM
-
4 PAK AnyConnect AnyConnect 3 4-20 ASA 4-20 4-23 4-23
ASA
PAK 4-32
ASA
4-18
1
4-17 4-18 4-18 4-19 4-19
3000 2000
1000 AnyConnect 2000 4-17 ASA ASDM
-
4 PAK
ASA
ASA ASA ASA
PAK 4-32
4-14
AnyConnect 1000 2500 2500
2500 1000 3500
10 20 30
4-18 ASA ASDM
-
4 PAK
ASA
1. 52 25 27 2. 52
79 52 27
1. 8 1000 2 6 2. 8 1000 14 1000 8
6 1000 2000
ASA
4-26 4-19
ASA
ASA ASA 2000 1000 500 2000 ASA 1000 1000 ASA 500
4-26 4-19 ASA ASDM
-
4 PAK AnyConnect AnyConnect 3
AnyConnect 4 ASA AnyConnect
AnyConnect ASA ASA
ASA
4-20 ASA 4-21 ASA 4-21 ASA 4-22 4-23
/
ASA 5506-X / - / -
ASA 5512-X ASA 5555-X
ASA 5512-X - -
IPS IPS IPS
IPS IPS ASAIPS ASA5515-IPS-K9 IPS ASA IPS
IPS ASA
IPS IPS ASA IPS IPS IPS 4-20 ASA ASDM
-
4 PAK 0
ASA
ASA
ASA
ASA
ASA 10 AnyConnect 20 AnyConnect
500 AnyConnect ASA 5525-X 750 750 AnyConnect
AnyConnect 500 250
ASAv / - / -
ASA 5585-X 10 GE I/O/
SSP-10 SSP-20 ASA 5585-XASA 5512-X
ASA 5515-X ASA 5525-XASA 5545-X ASA 5555-X
4-21 ASA ASDM
-
4 PAK ASA 5545-X ASA 20 10 30 / 18 12 30
ASA SSP-10 ASA 5585-X ASA 50 2
100 100 100 100
SSP-60 ASA 5585-X ASA 50 2 250 152 152 152
// / ASA
48 96
PAK 4-32
ASA
30 30
30 /// 30 30
1. 52 104
2. /ASA 10 94 / 42 / 52
3. // 94
4.
30 - / 4 / 4 90 38 52
30 - 6 // 6 84 / 36 / 46 4-22 ASA ASDM
-
4 PAK
4-15 4-26
/ ASA ASA
VPN (3DES/AES) ASDM HTTPS/SSL SSHv2 Telnet SNMPv3 SSL VPN
PAK 4-32
AnyConnect
1000 AnyConnect 2500 ASA
4-23 ASA ASDM
-
4 PAK 8.3(1) 8.3
AnyConnect AnyConnect
AnyConnect AnyConnect
PAK
ASA 4-20
ASAv ASAv ASA 5506-X ASA 5508-X ASA 5516-X
8.1 - 8.2 8.2 ASA 8.2
8.2 - 8.3
8.3
8.3 4-24 ASA ASDM
-
4 PAK
TAC
25 SSL VPN 50 75 50 25 75
AnyConnect AnyConnect AnyConnect AnyConnect Configuration > Remote Access VPN > Network (Client) Access > Advanced > AnyConnect Essentials AnyConnect
PAK
4-25 4-26
AnyConnect Cisco.com
1 ASA Configuration > Device Management > Licensing > Activation Key
2 Cisco.com 3
http://www.cisco.com/go/license 4
ASA 4-25 ASA ASDM
-
4 PAK
5 4
ASA
1 Configuration > Device Management Licensing > Activation Key Licensing Activation Key
2 New Activation Key
key 0x ASA0xd11b3d48 0xa80a4c0a 0x48e0fd1c 0xb0443480 0x843fc490
Time-based License Keys Installed
3 Time-based License Keys Installed Activate Deactivate
4 Update Activation Key ASA
4-17 4-15 4-26
4-15
ASAv vCPU 4-26 ASA ASDM
-
4 AnyConnect 3 AnyConnect 3
AnyConnect 4 ASA AnyConnect
4-27 4-31 4-31
AnyConnect ASA ASA
4-27 4-28 4-28 4-29 4-30
1. ASA 2. ASA
3. ASA
4.
5. ASA
IP
6.
7. 50 4-27 ASA ASDM
-
4 AnyConnect 3 8.
a.
b.
9.
ASA SSL
3
24 24
24
10
30 30 15 30
5 30 20 10 20 30 4-28 ASA ASDM
-
4 AnyConnect 3
4-29 4-30
ASA VPN
/
/
2 1 2 1 2 1 2 1 2 2 4-14-29 ASA ASDM
-
4 AnyConnect 3 4-1
4-28
ID ID ID
ASA
[Figure 4-1 (shared license failover scenarios). Key: Blue = shared license server in use; (Active) = active failover unit.
1. Normal operation: Failover Pair #1 Main (Active) / Main (Standby); Failover Pair #2 Backup (Active) / Backup (Standby).
2. Primary main server fails over: Failover Pair #1 Main (Failed) / Main (Active); Failover Pair #2 Backup (Active) / Backup (Standby).
3. Both main servers fail: Failover Pair #1 Main (Failed) / Main (Failed); Failover Pair #2 Backup (Active) / Backup (Standby).
4. Both main servers and primary backup fail: Failover Pair #1 Main (Failed) / Main (Failed); Failover Pair #2 Backup (Failed) / Backup (Active).]
4-30 ASA ASDM
-
4 AnyConnect 3
ASA
1 Configuration > Device Management > Licenses > Shared SSL VPN Licenses 2 Shared Secret 4 128 ASCII
3 TCP IP Port SSL 1 65535 TCP 50554
4 Refresh interval 10 300 30
5 Interfaces that serve shared licenses Shares Licenses
6 Optional backup shared SSL VPN license server
a. Backup server IP address IP b. Primary backup server serial number c. Secondary backup server serial number
1 7 Apply
1 Configuration > Device Management > Licenses > Shared SSL VPN Licenses 2 Shared Secret 4 128 ASCII 4-31 ASA ASDM
-
4 PAK 3 TCP IP Port SSL 1 65535 TCP 50554
4 Select backup role of participant a. Backup Server b. Shares Licenses
5 Apply
PAK
4-32 4-33
VPN 4-23
1 Configuration > Device Management > Licensing > Activation Key Running Licenses
Configuration > Device Management > Activation Key
ASA 4-21 License Duration
2 Time-Based License Keys Installed Show License Details
3 Running Licenses Show information of license specifically purchased for this device alone4-32 ASA ASDM
-
4 PAK
Monitoring > VPN > Clientless SSL VPN > Shared Licenses
PAK
VLAN 7.0(5) ASA5510 32000 50000
VLAN 0 10 ASA5510 64000 130000
VLAN 10 25 ASA5520 130000 280000VLAN
25 100 ASA5540 280000 400000VLAN
100 200SSL VPN 7.1(1) SSL VPN SSL VPN 7.2(1) ASA 5550 5000 SSL VPN
ASA 5510 7.2(2) ASA 5510 3
VLAN 7.2(2) ASA 5505 VLAN 53 1 1 20 1 8 20 backup interface ISP Easy VPN
VLAN ASA 5510 10 50 25 100 ASA 5520 100 150 ASA 5550 200 250
ASA 5510
7.2(3) ASA 5510 Ethernet 0/0 0/1 (1000 Mbps) (100 Mbps) Ethernet 0/20/3 0/4
Ethernet 0/0 Ethernet 0/14-33 ASA ASDM
-
4 PAK 8.0(2) Cisco AnyConnect SSL VPN ASA ASA (DAP)
ASA 5510 VPN 8.0(2) ASA 5510 VPN AnyConnect 8.0(3) AnyConnect
Windows AnyConnect ASA 8.0(4)/8.1(2) ASA 5580 VLAN 8.1(2) ASA 5580 VLAN 100 250 8.0(4) UC
TLS UC TLS UC 8.1
8.2(1) IP
4-34 ASA ASDM
-
4 PAK AnyConnect 8.2(1) AnyConnect AnyConnect VPN ASA SSL VPN AnyConnect AnyConnect AnyConnect VPN
Web (WebLaunch) AnyConnect
AnyConnect AnyConnect
ASA AnyConnect AnyConnect ASA AnyConnect AnyConnect ASA AnyConnect Configuration > Remote Access VPN > Network (Client) Access > Advanced > AnyConnect Essentials
SSL VPN AnyConnect SSL VPN
8.2(1) SSL VPN AnyConnect SSL VPN
SSL VPN 8.2(1) SSL VPN ASA SSL VPN
8.2(2) UC 10 GE I/O SSP-20 ASA 5585-X
8.2(3) 10 GE I/O SSP-20 ASA 5585-X 10 SSP-60 10 8.3(x) ASA 5585-X
10 GE I/O SSP-10 ASA 5585-X
8.2(4) 10 GE I/O SSP-10 ASA 5585-X 10 SSP-40 10 8.3(x) ASA 5585-X
8.3(1)
Configuration > Device Management > Licensing > Activation Key
8.3(1) ASA
4-35 ASA ASDM
-
4 PAK 8.3(1) IME 8.3(1) ASA
8.3(1)
Configuration > Device Management > Licensing > Activation Key
8.3(1)
Configuration > Device Management > Licensing > Activation Key
AnyConnect SSL VPN AnyConnect SSL VPN
8.3(1) AnyConnect SSL VPN AnyConnect SSL VPN
8.3(2) ASA 5505 5550 VPN 8.3(x) 8.4(1)
ASA
ASA 55505580 5585-X 8.4(1) SSP-10 ASA 5550 ASA 5585-X 50 100 SSP-20 ASA 5580 5585-X 50 250
ASA 5580 5585-X VLAN 8.4(1) ASA 5580 5585-X VLAN 250 1024
ASA 5580 5585-X 8.4(1) ASA 5580-20 - 1,000,000 2,000,000 ASA 5580-40 - 2,000,000 4,000,000 SSP-10 ASA 5585-X750,000 1,000,000 SSP-20 ASA 5585-X1,000,000 2,000,000 SSP-40 ASA 5585-X2,000,000 4,000,000 SSP-60 ASA 5585-X2,000,000 10,000,000
AnyConnect SSL VPN AnyConnect
8.4(1) AnyConnect SSL VPN AnyConnect SSL VPN Peers AnyConnect Premium Peers
ASA 5580 AnyConnect VPN 8.4(1) AnyConnect VPN 5,000 10,000 ASA 5580 VPN 8.4(1) VPN 5,000 10,000 IKEv2 IPsec VPN 8.4(1) AnyConnect AnyConnect
IKEv2 IPsec VPN ASA IKEv2
IKEv2 VPN IPsec VPN VPN
4-36 ASA ASDM
-
4 PAK 8.4(1) ASA 5585-XASA VPN ASA /
SSP-20 SSP-40 SSP 8.4(2) SSP-40 SSP-60 SSP SSP SSP-40 SSP-60 SSP SSP SSP VPN VPN
ASA 5512-X ASA 5555-X IPS
8.6(1) ASA 5512-XASA 5515-XASA 5525-XASA 5545-X ASA 5555-X IPS SSP IPS
ASA 5580 5585-X 9.0(1) ASA 5580 5585-X ASASM VPN 9.0(1) ASASM VPN ASASM 9.0(1) ASASM SSP-10 SSP-20 ASA 5585-X SSP SSP-40 SSP-60 SSP VPN
9.0(1) ASA 5585-X SSP SSP SSP SSP VPN
ASA 5500-X 9.1(4) ASA 5512-XASA 5515-XASA 5525-XASA 5545-X ASA 5555-X 2 ASA 5512-X
ASA 5585-X 16 9.2(1) ASA 5585-X 16 ASAv4 ASAv30
9.2(1) ASAv ASAv4 ASAv30
4-37 ASA ASDM
-
4 PAK 4-38 ASA ASDM
-
5
ASAv
(PAK) ASAv
5-1 5-4 5-6 5-6 5-6 5-7 5-8 5-9 5-10
ASAv
ASAv5 ASAv10 5-2 ASAv30 5-3 5-4 5-1 ASA ASDM
-
5 ASAv ASAv5 ASAv10
5-1 ASAv5 ASAv10
100,000GTP/GPRS
UC UC
500
VPN AnyConnect Plus Apex AnyConnect
AnyConnect
250
VPN AnyConnect
AnyConnect Essentials AnyConnect
VPN
VPN
250
VPN 250VPN
ASAv5100 MbpsASAv101 Gbps
(3DES/AES) / 716
VLAN 50RAMvCPU vCPU
2 GB 1 vCPU 5000 MHz5-2 ASA ASDM
-
5 ASAv ASAv30
5-2 ASAv30
500,000GTP/GPRS
UC UC
1000
VPN AnyConnect Plus Apex AnyConnect
AnyConnect
750
VPN AnyConnect
AnyConnect Essentials AnyConnect
VPN
VPN
750
VPN 750VPN
2 Gbps (3DES/AES) / 1316
VLAN 200RAMvCPU vCPU
8 GB 4 vCPU 20000 MHz 2 3 vCPU
2 vCPU - 4 GB RAM10000 MHz vCPU 250,000 3 vCPU - 4 GB RAM15000 MHz vCPU 350,000 5-3 ASA ASDM
-
5 ASAv
ASAv
5-5 5-5 5-5 5-5 5-5
5-3
AnyConnect Premium VPN AnyConnect Plus Apex AnyConnect VPN
SSL VPN SSL VPN IKEv2 IPsec VPN
DES 3DES DES DES
VLAN EtherChannel interface
VPN VPN VPN IKEv1 IPsec VPN IKEv1 IPsec VPN IKEv2 IPsec VPN
VPN
VPN VPN AnyConnect VPN VPN VPN ASA
SSL VPN AnyConnect 1 AnyConnect SSL VPN 2
VLAN VLAN VLAN5-4 ASA ASDM
-
5 ASAv
ASAv http://tools.cisco.com/rhodui/index
ASAv ASAv
30 ASAv ASAv ID ASAv ASAv ASAv ID 1 6
ASAv 30 ASAv ASAv HTTP ASAv 90 HTTP 30 ASAv 90 90
ASAv - ASAv - - ASAv 90 ASAv 5-5 ASA ASDM
-
5 ASAv Smart Call Home Smart Call Home License URL URL TAC URL Smart Call Home no service call-home Smart Call Home Smart Call Home
http://tools.cisco.com/rhodui/index ASAv ASAv HTTP ASAv
DNS ASA DNS 18-10
PAK ASAv PAK ASAv ASAv
ASAv License Smart Call Home
URL ASAv HTTP 5-6 ASA ASDM
-
5 ASAv ASAv ASAv
1 HTTP 5-7 2 5-7 3 ASAv 5-8
HTTP HTTP Smart Call Home
1 Configuration > Device Management > Smart Call-Home 2 Enable HTTP Proxy 3 Proxy server Proxy port IP HTTPS
443 4 Apply
1 Configuration > Device Management > Licensing > Smart Licensing 2 Enable Smart license configuration 3 Feature Tier Standard
4 Throughput Level 100M 1G 2G 5 Apply5-7 ASA ASDM
-
5 ASAv ASAv ASAv ASAv ID ASAv ID ASAv
1 ASAv 2 Configuration > Device Management > Licensing > Smart Licensing 3 Register 4 ID Token 5 Force registration ASAv
ASAv Force registration 6 Register
ASAv
ASAv ID
ASAv 5-8 ID 5-9
ASAv ASAv ASAv ASAv ASAv ASAv
1 Configuration > Device Management > Licensing > Smart Licensing 2 Unregister5-8 ASA ASDM
-
5 ASAv ID ID 6 30
1 Configuration > Device Management > Licensing > Smart Licensing 2 ID Renew ID Certificate 3 Renew Authorization
5-9 5-9
Configuration > Device Management > Licensing > Smart Licensing Effective Running Licenses
Monitoring > Properties > Smart License UDI
Configuration > Device Management > Licensing > Smart Licensing > Registration Status
5-9 ASA ASDM
-
5 ASAv
ASAv 9.3(2) PAK ASAv
Configuration > Device Management > Licensing > Smart License
Configuration > Device Management > Smart Call-Home
Monitoring > Properties > Smart License
5-10 ASA ASDM
-
6
6-1 6-6 6-6 6-7 ARP 6-8 MAC 6-10 6-11 6-21
6-1 6-1
ASA ASA IP ASA ASA
2 6-1 ASA ASDM
-
6 6-2 6-3 6-3 3 6-3 MAC 6-4 6-4 BPDU 6-4 MAC 6-4 ARP 6-5 MAC 6-5
ASA
6-1
6-1
[Figure 6-1 diagram labels: 10.1.1.1; Management IP 10.1.1.2; 10.1.1.3; 192.168.1.2; Network A; Network B; Internet]
6-2 ASA ASDM
-
6
ASA ASA ASA AAA
6-2 ASA
6-2
IP ASA IP IP 6-3
ASA IP
IP / ASA 11-2
3
IPv4 IPv6 ACL
[Figure 6-2 diagram labels: 10.2.1.1; 10.1.1.1; Management IP Bridge Group 2 10.2.1.2; Management IP Bridge Group 1 10.1.1.2; 10.2.1.3; 10.1.1.3]
6-3 ASA ASDM
-
6 ARP ACL ARP ARP IPv6 ACL 3 ACL
MAC
MAC MAC MAC FFFF.FFFF.FFFF IPv4 MAC 0100.5E00.0000 0100.5EFE.FFFF IPv6 MAC 3333.0000.0000 3333.FFFF.FFFF BPDU 0100.0CCC.CCCD AppleTalk MAC 0900.0700.0000 0900.07FF.FFFF
ASA ACL ACL IP EtherType ACL IP IP AppleTalk IPX BPDU MPLS EtherType ACL
ASA CDP 0x600 EtherType BPDU IS-IS
ACL DHCP DHCP IP/TV ACL OSPF RIP EIGRP BGP HSRP VRRP ASA
BPDU
BPDU BPDU EtherType ACL BPDU BPDU 9-14
MAC
ASA MAC
ASA - ASA
NAT ASA - ASA ASA 6-4 ASA ASDM
-
6 ASA IP (VoIP) DNS - CCM H.323 H.323 ASA H.323 NAT CTIQBE DNS GTP H.323 MGCP RTSP SIP Skinny (SCCP)
ARP
ARP ASA ARP ARP ARP ASA ARP MAC IP ARP
IP MAC ARP MAC IP ASA ARP ARP ASA
flood
ARP ARP ARP ARP MAC MAC MAC ARP ARP ARP MAC IP MAC ARP
MAC
ASA MAC ASA ASA MAC MAC ASA
ASA MAC ASA
- ASA IP ARP ASA ARP
- ASA IP ping ASA ping
6-5 ASA ASDM
-
6
ARP ASA ARP MAC 5 MAC ASA
MAC
MAC Catalyst VLAN MAC ASA MAC ASA 30 MAC
IP ASA
IP
15-4
IPv6
IPv6
ASA 6-7
ASA firewall transparent ASA ASA 6-6 ASA ASDM
-
6
6-1
CLI ASDM ASDM 8-17
ASA 6-6
CLI ASDM
SSH ASA
ASDM ASDM 2-7
6-1
DNS -DHCP DHCP DHCP
DHCP ACL DHCP DCHP
ASA ACL ASA
IP ACL ASAQoS - VPN VPN
ASA VPN ACL VPN ASA SSL VPN
-6-7 ASA ASDM
-
6 ARP 1
firewall transparent
ciscoasa(config)# firewall transparent
no firewall transparent
ARP ARP
1 ARP 6-8 ARP ARP ARP ARP ARP ARP
2 ARP 6-9 ARP
ARP ARP ARP ARP ARP IP MAC ARP IP MAC ARP MAC ARP ARP ARP ARP IP MAC
ARP ARP ASA
1 Configuration > Device Management > Advanced > ARP > ARP Static Table 2 ARP Timeout ARP ARP
ASA ARP 60 4294967 14400 ARP 6-8 ASA ASDM
-
6 ARP 3 8.4(5) Allow non-connected subnets ASA ARP ARP ASA (DoS) ARP ASA ARP
ARP 4 Add
Add ARP Static Configuration 5 Interface 6 IP Address IP 7 MAC Address MAC 00e0.1e4e.3d8b 8 Proxy ARP ARP
ASA IP ARP MAC 9 OK Apply
ARP ARP
1 Configuration > Device Management > Advanced > ARP > ARP Inspection 2 ARP Edit
Edit ARP Inspection 3 Enable ARP Inspection ARP 4 Flood ARP Packets ARP
ARP MAC IP ASA ASA ARP
0/0 0/1 flood
5 OK Apply6-9 ASA ASDM
-
6 MAC MAC MAC
MAC 6-10 MAC 6-10
MAC
MAC MAC MAC MAC MAC MAC MAC ASA ARP ARP 6-8 MAC MAC MAC MAC
1 Configuration > Device Setup > Bridging > MAC Address Table 2 Dynamic Entry Timeout MAC
MAC 5 720 12 5
3
Add MAC Address Entry 4 Interface Name MAC 5 MAC Address MAC 6 OK Apply
MAC
MAC ASA MAC MAC MAC ASA MAC
1 Configuration > Device Setup > Bridging > MAC Learning 2 MAC Disable 3 MAC Enable 4 Apply6-10 ASA ASDM
-
6 ASA
ASA 6-11 6-16
ASA ASA
Web 6-11 DMZ Web 6-12 DMZ Web 6-13 6-14 DMZ 6-15
Web
6-3 Web
6-3
[Figure 6-3 diagram labels: Web Server 10.1.1.3 (www.example.com); User 10.1.2.27; 209.165.201.2; 10.1.1.1; 10.1.2.1; Source Addr Translation 209.165.201.10 / 10.1.2.27; zones Outside, Inside, DMZ]
6-11 ASA ASDM
-
6 ASA 6-31. www.example.com 2. ASA ASA
AAA ASA
3. ASA (10.1.2.27) 209.165.201.10
4. ASA 5. www.example.com ASA
ASA 10.1.2.27 NAT
6. ASA
DMZ Web
6-4 DMZ Web
6-4 DMZ
ASA 6-41. 209.165.201.3 DMZ Web
[Figure 6-4 diagram labels: Web Server 10.1.1.3; User; 209.165.201.2; 10.1.1.1; 10.1.2.1; Dest Addr Translation 209.165.201.3 / 10.1.1.13; zones Outside, Inside, DMZ]
6-12 ASA ASDM
-
6 2. ASA 10.1.1.33. ASA AAA
ASA 4. ASA DMZ 5. DMZ Web ASA
ASA 209.165.201.3 NAT6. ASA
DMZ Web
6-5 DMZ Web
6-5 DMZ
ASA 6-51. 10.1.1.3 DMZ Web 2. ASA ASA
AAA ASA
3. ASA DMZ
[Figure 6-5 diagram labels: Web Server 10.1.1.3; User 10.1.2.27; 209.165.201.2; 10.1.1.1; 10.1.2.1; zones Inside, DMZ, Outside]
6-13 ASA ASDM
-
6 4. DMZ Web
5. ASA
6-6
6-6
ASA 6-61. IP
NAT NAT
2. ASA ASA AAA
3. ASA ASA
[Figure 6-6 diagram labels: www.example.com; User 10.1.2.27; 209.165.201.2; 10.1.1.1; 10.1.2.1; zones Outside, Inside, DMZ]
6-14 ASA ASDM
-
6 DMZ
6-7 DMZ
6-7 DMZ
ASA 6-71. DMZ DMZ
2. ASA ASA AAA
ASA
[Figure 6-7 diagram labels: Web Server 10.1.1.3; User 10.1.2.27; 209.165.201.2; 10.1.1.1; 10.1.2.1; zones Outside, Inside, DMZ]
6-15 ASA ASDM
-
6
6-8 Web ASA Web
6-8
ASA Web 6-17 NAT Web 6-18 Web 6-19 6-20
[Figure 6-8 diagram labels: www.example.com; 209.165.201.2; Management IP 209.165.201.6; 209.165.200.230; Web Server 209.165.200.225; Host 209.165.201.3; Internet]
6-16 ASA ASDM
-
6 Web
6-9 Web
6-9
ASA 6-91. www.example.com 2. ASA MAC MAC
AAA ASA
3. ASA 4. MAC ASA MAC
(209.165.201.2) MAC ASA ASA ARP ping MAC
5. Web 6. ASA
[Figure 6-9 diagram labels: Management IP 209.165.201.6; www.example.com; 209.165.201.2; Host 209.165.201.3; Internet]
6-17 ASA ASDM
-
6 NAT Web
6-10 Web
6-10 NAT
ASA 6-101. www.example.com 2. ASA MAC MAC
AAA ASA
3. ASA (10.1.2.27) 209.165.201.10 ASA
4. ASA 5. MAC ASA MAC
(10.1.2.1) MAC ASA ASA ARP ping MAC
6. Web 7. ASA 10.1.2.27 NAT
[Figure 6-10 diagram labels: Management IP 10.1.2.2; www.example.com; 10.1.2.1; Host 10.1.2.27; Internet; Source Addr Translation 209.165.201.10 / 10.1.2.27; Static route on router to 209.165.201.0/27 through security appliance; Security appliance]
6-18 ASA ASDM
-
6 Web
6-11 Web
6-11
ASA 6-111. Web 2. ASA MAC MAC
AAA ASA
3. ASA 4. MAC ASA MAC
(209.165.201.1) MAC ASA ASA ARP ping MAC
5. Web 6. ASA
[Figure 6-11 diagram labels: Host; 209.165.201.2; 209.165.201.1; 209.165.200.230; Web Server 209.165.200.225; Management IP 209.165.201.6; Internet]
6-19 ASA ASDM
-
6
6-12
6-12
ASA 6-121.
2. ASA MAC MAC AAA ASA
3. ASA 4. ASA
[Figure 6-12 diagram labels: Management IP 209.165.201.6; Host; 209.165.201.2; Host 209.165.201.3; Internet]
6-20 ASA ASDM
-
6
6-2
7.0(1) 2
firewall transparent show firewall ASDM
ARP 7.0(1) ARP ARP MAC IP ARP arp arp-inspection show arp-inspection
MAC 7.0(1) MAC mac-address-table staticmac-address-table aging-time mac-learn disable show mac-address-table
8.4(1) 8 4 ASA 5505
ASA 5505 1
Configuration > Device Setup > Interface Settings > Interfaces
Configuration > Device Setup > Interface Settings > Interfaces > Add/Edit Bridge Group Interface
Configuration > Device Setup > Interface Settings > Interfaces > Add/Edit Interface
ARP 8.4(5)/9.1(2) ASA ARP ARP ASA (DoS) ARP ASA ARP
ARP
Configuration > Device Management > Advanced > ARP > ARP Static Table
6-21 ASA ASDM
-
6 8.5(1)/9.0(1)
firewall transparent ASDM
Configuration > Context Management > Security Contexts
250 9.3(1) 8 250 250 4
Configuration > Device Setup > Interface Settings > Interfaces
Configuration > Device Setup > Interface Settings > Interfaces > Add/Edit Bridge Group Interface
Configuration > Device Setup > Interface Settings > Interfaces > Add/Edit Interface
6-2
6-22 ASA ASDM
-
7
ASDM ASA 7-1 7-1 7-1 7-5
Wizards > Startup Wizard Configuration > Device Setup > Startup Wizard Launch Startup Wizard
Modify existing configuration Reset configuration to factory defaults
Configure the IP address of the management interface 0/0 IP (192.168.1.1) 7-1 ASA ASDM
-
7 Cancel
Telnet 18-1
IP IPv6
15-5 IPv6 15-11
- PPPoE
PPoE
15-10
IP
IPv4 IP ASA BVI 1 IP
15-8 7-2 ASA ASDM
-
7
15-5 16-6
22-4
DHCP DHCP
DHCP 19-4
(NAT/PAT) NAT PAT
ASDM Telnet SSH Enable HTTP server for HTTPS/ASDM access HTTP
ASDM Enable ASDM history metrics
ASDM Telnet SSH ASA 34-4 3-29
IPS ASDM IPS IPS ASA 7-3 ASA ASDM
-
7 ASA CX (ASA 5585-X) ASDM ASA CX ASA CX ASA ASA CX CLI
ASA FirePOWER ASDM ASA FirePOWER (EULA) ASA FirePOWER ASA ASA FirePOWER CLI ASA FirePOWER
18-6
Enable Auto Update Server for ASA IPS Enable Signature and Engine Updates from Cisco.com
Cisco.com hh:mm:ss 24
35-25
ASA Back
Finish ASA
ASDM File > Save Running Configuration to Flash 7-4 ASA ASDM
-
7
7-1
Startup Wizard 7.0(1) Wizards > Startup Wizard
ASA IPS 8.4(1) ASA IPS IPS Basic Configuration IPS Auto Update Time Zone and Clock Configuration ASA IPS ASA
Wizards > Startup Wizard > IPS Basic Configuration
Wizards > Startup Wizard > Auto Update
Wizards > Startup Wizard > Time Zone and Clock Configuration
ASA CX 9.1(1) ASA IPS ASA CX Basic Configuration
Wizards > Startup Wizard > ASA CX Basic Configuration
ASA FirePOWER
9.2 2.4 ASA FirePOWER ASA FirePOWER Basic Configuration
Wizards > Startup Wizard > ASA FirePOWER Basic Configuration
7-5 ASA ASDM
-
7 7-6 ASA ASDM
-
2
-
8
ASA 8-1 8-12 8-13 8-13 8-14 8-20 8-21 8-24 8-26
ASA 8-13
8-2 8-2 ASA 8-2 8-6 8-7 8-8 MAC 8-10 8-1 ASA ASDM
-
8
ASA
ASA
ASA 8-2 8-2 8-2
ASA TFTP FTP HTTP(S)
ASA
admin.cfg admin admin.cfg
ASA ASA ASA
8-3 8-4 8-2 ASA ASDM
-
8 MAC MAC
8-3 MAC 8-3 NAT 8-3
IP
ASA
MAC
MAC MAC MAC MAC
NAT
MAC ASA NAT MAC NAT NAT 8-3 ASA ASDM
-
8
8-1 B MAC B
8-1 MAC
[Figure 8-1 diagram labels: Classifier; Context A; Context B; MAC 000C.F142.4CDC; MAC 000C.F142.4CDB; MAC 000C.F142.4CDA; GE 0/1.3; GE 0/1.2; GE 0/0.1 (Shared Interface); Admin Context; GE 0/1.1; Host 209.165.201.1; Host 209.165.200.225; Host 209.165.202.129; Packet Destination: 209.165.201.1 via MAC 000C.F142.4CDC; Internet; Inside Customer A; Inside Customer B; Admin Network]
8-4 ASA ASDM
-
8 8-2 B B 0/1.3 B
8-2
[Figure 8-2 diagram labels: Host 10.1.1.13 (three hosts); Classifier; Context A; Context B; GE 0/1.3; GE 0/1.2; GE 0/0.1; Admin Context; GE 0/1.1; Inside Customer A; Inside Customer B; Internet; Admin Network]
8-5 ASA ASDM
-
8 8-3 B B 1/0.3 B
8-3
MAC MAC MAC
[Figure 8-3 diagram labels: Host 10.1.3.13; Host 10.1.2.13; Host 10.1.1.13; Context A; Context B; GE 1/0.3; GE 1/0.2; Admin Context; GE 1/0.1; GE 0/0.3; GE 0/0.1; GE 0/0.2; Classifier; Inside Customer A; Inside Customer B; Internet; Admin Network]
8-6 ASA ASDM
-
8 8-4
8-4
ASA
8-7 8-8
ASA ASA
Telnet SSH ASDM Telnet SSH ASDM 34
enable_15 enable_15 login admin
[Figure 8-4 diagram labels: Admin Context; Context A; Gateway Context; GE 1/1.43; GE 0/0.2 Outside; GE 1/1.8; GE 0/0.1 (Shared Interface); Internet; Inside; Outside]
8-7 ASA ASDM
-
8 admin A enable_15 login admin B login admin AAA
TelnetSSH ASDM TelnetSSH ASDM 34
ASA VPN VPN VPN
8-8 8-8 8-9 8-9 8-10
ASA
ASA ASA VPN VPN ASA VPN VPN 8-8 ASA ASDM
-
8
2%
Telnet - 5 SSH - 5 IPsec - 5 MAC - 65535 VPN - 0 VPN 8-5 A C B Gold D
8-5
100% VPN ASA Bronze 20% 10 200% 20% 8-6
[Figure 8-5 diagram labels: Default Class; Class Gold (All Limits Set); Class Silver (Some Limits Set); Class Bronze (Some Limits Set); Context A; Context B; Context C; Context D]
8-9 ASA ASDM
-
8 8-6
ASA A B C Silver 1% 3% 2% Gold Gold 97% AB C 1% AB C 3% 8-7 ASA
8-7
MAC ASA MAC MAC 8-20 MAC MAC ASA 8-2
[Figure 8-6 chart: Total Number of System Connections = 999,900. Legend: Maximum connections allowed; Connections denied because system limit was reached; Connections in use. X axis: Contexts in Class (1 to 10). Y axis: Max. 20% (199,800), 16% (159,984), 12% (119,988), 8% (79,992), 4% (39,996).]
[Figure 8-7 chart. Legend: Maximum connections allowed; Connections denied because system limit was reached; Connections in use. Contexts A, B, C in Silver Class; Contexts 1, 2, 3 in Gold Class. Values shown: 1%, 2%, 3%, 4%, 5%; 50%, 43%.]
8-10 ASA ASDM
-
8 MAC MAC MAC MAC MAC MTU TCP MSS 16-5
MAC 8-11 MAC 8-11 MAC 8-11 MAC 8-11
MAC
8.5(1.7) MAC ASA (ASA 5500-X) (ASASM) MAC MAC MAC
ASA 5500-X - MAC MAC
ASASM - VLAN MAC MAC MAC 8-11
8.5(1.6) ASA ASASM ASASM MAC MAC MAC mac-address auto
MAC
MAC MAC MAC A2 A2 MAC
MAC
ASA MAC MAC MAC 8-11
MAC
ASA MAC A2xx.yyzz.zzzz xx.yy (ASA 5500-X) (ASASM) MAC zz.zzzz ASA MAC 18-11 ASA ASDM
-
8 77 ASA 77 004D (yyxx) MAC (xxyy) ASA A24D.00zz.zzzz 1009 (03F1) MAC A2F1.03zz.zzzz
MAC ASA mac-address auto
ASA 5506-X ASA 5508-X 2
5 ASA 5512-X
2 5
ASA 5515-X 2 5
ASA 5516-X 2 5
ASA 5525-X 2 5 10 20
ASA 5545-X 2 5 10 20 50
ASA 5555-X 2 5 10 20 50 100
ASA 5585-X SSP-10
2 5 10 20 50 100
ASA 5585-X SSP-20 SSP-40 SSP-60
2 5 10 20 50 100 250
ASASM 2 5 10 20 50 100 250
ASAv 8-12 ASA ASDM
-
8 IP 2 ASA
/
IPv6
IPv6
IPv6
RIP OSPFv3 OSPFv2
QoS VPN VPN
ASA 5585-X FAT 16 8.3 512 http://support.microsoft.com/kb/120138/en-us
ASA 8-9 MAC 8-11 8-13 ASA ASDM
-
8
1 8-14 2 8-15
VPN VPN VPN 3
ASA 5500-X - 11 ASASM - ASASM
4 8-17 5 MAC MAC 8-20 6 15
ASA ASDM / 9 / CLI CLI
8-14 8-15
ASA admin.cfg old_running.cfg ASA admin
ASA 35-8
1
mode multiple
8-14 ASA ASDM
-
8
ciscoasa(config)# mode multiple
ASA
1
copy disk0:old_running.cfg startup-config
ciscoasa(config)# copy disk0:old_running.cfg startup-config
2
mode single
ciscoasa(config)# mode single
ASA
8-1 8-15 ASA ASDM
-
8 8-1
1
1. N/A
ASDM 1 5
32 ASDM ASDM HTTPS
32 ASDM HTTPS 64
/2
2. xlates conns xlates 7 conns 9 ASA
321001 Resource 'xlates' limit of 7 reached for context 'ctx1'
321002 Resource 'conn rate' limit of 5 reached for context 'ctx1'
N/A 4-1 N/A
TCP UDP
N/A N/A ASA / N/A N/A MAC N/A 65,535 MAC
MAC N/A N/A VPN
N/A VPN VPN
VPN VPN 5000 VPN 4000 1000 VPN VPN VPN
VPN N/A VPN 4-1
VPN
SSH 1 5
100 SSH
/ N/A N/A Telnet 1
5 100 Telnet
xlates2 N/A N/A 8-16 ASA ASDM
-
8
1 Device List IP System 2 Configuration > Context Management > Resource Class Add
Add Resource Class 3 Resource Class 20 4 Count Limited Resources
8-1 8-16 0 VPN 0
5 Rate Limited Resources 8-1 8-16 0
6 OK
URL
ASASM ASASM VLAN ASASM ASA 5500-X 11 VLAN
EtherChannel
1 Device List IP System 2 Configuration > Context Management > Security Contexts Add
Add Context 3 Security Context 32
customerA CustomerA System Null
4 Interface Allocation Add a. Interfaces > Physical Interface
ID 8-17 ASA ASDM
-
8 b. Interfaces > Subinterface Range ID ID ID
c. Aliased Names Use Aliased Name in Context ID Name
Range
Range
d. Show Hardware Properties in Context
e. OK Add Context 5 IPS IPS Sensor Allocation
IPS 6 Resource Assignment > Resource Class
8-15 7 Config URL URL
FTP URL ftp://server.example.com/configs/admin.cfg
a. Login
8 / Failover Group 9 ScanSafe Enable
License 10 Description 8-18 ASA ASDM
-
8 11 OK Security Contexts
12 Change Firewall Mode
Change Mode
ASDM 6-7 8-19 ASA ASDM
Step 13 (Optional) To assign MAC addresses to context interfaces automatically, see 8-20.
Step 14 (Optional) To use TLS proxy in this context, check Specify the maximum number of TLS Proxy sessions that the ASA needs to support and enter the number of TLS proxy sessions.

Automatically assigning MAC addresses to context interfaces
When an interface is shared between contexts, every context uses the burned-in MAC address of that interface unless you assign unique ones: GigabitEthernet0/1 in one context and GigabitEthernet0/1 in another answer with the same source MAC, so the ASA cannot use the destination MAC address to classify incoming packets to the right context. Automatic MAC address generation gives each shared interface a unique MAC address in each context, which lets the ASA classify packets by destination MAC. Manual MAC address assignment is described in 8-10; viewing the assigned addresses in 8-25. Related interface settings (MTU, TCP MSS) are in 16-5.
Step 1 If you are not already in the System configuration, in the Device List pane double-click System under the active device IP address.
Step 2 Choose Configuration > Context Management > Security Contexts and, in the Mac-Address area, check auto. By default the ASA derives the prefix from the last two bytes of the interface MAC address (ASA 5500-X) or of the backplane MAC address (ASASM).
Step 3 (Optional) In the Prefix field, enter a decimal value from 0 to 65535 to override the autogenerated prefix. Use a distinct prefix on each ASA that shares a Layer 2 segment so that the generated addresses cannot collide. See 8-11 for the MAC address format.
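To see what the Prefix field actually changes, the following is an added example, not code from the original guide or from Cisco. It models the generated address: Cisco's documentation for this feature describes the layout as A2xx.yyzz.zzzz, where the decimal prefix is converted to a 16-bit value yyxx and its two bytes are swapped (prefix 77 = 004D gives A24D.00zz.zzzz; prefix 1009 = 03F1 gives A2F1.03zz.zzzz), and zz.zzzz is an ASA-internal counter, with the failover standby address using counter + 1. That layout is not reproduced on this page, so treat it as an assumption and confirm it against the addresses your ASA reports; the counter value is a parameter here because the ASA chooses it.

```python
# Added example: model of the ASA auto-generated MAC address for context
# interfaces. Layout A2xx.yyzz.zzzz per Cisco's ASA documentation (assumed,
# not shown on this page). The counter is chosen by the ASA; it is an input here.

def cisco_mac(raw: bytes) -> str:
    """Render six bytes in the ASA's hhhh.hhhh.hhhh notation."""
    if len(raw) != 6:
        raise ValueError("a MAC address is exactly 6 bytes")
    h = raw.hex()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def auto_mac(prefix: int, counter: int, standby: bool = False) -> str:
    """Return the address the ASA would generate for a context interface.

    prefix  - the Prefix field (0-65535), or the autogenerated prefix.
    counter - the ASA-internal per-interface counter zz.zzzz (24 bits).
    standby - the failover standby address uses counter + 1.
    """
    if not 0 <= prefix <= 0xFFFF:
        raise ValueError("prefix must be 0-65535")
    if standby:
        counter += 1
    if not 0 <= counter <= 0xFFFFFF:
        raise ValueError("counter must fit in 24 bits")
    xx = prefix & 0xFF          # low byte of the prefix becomes the 2nd octet
    yy = (prefix >> 8) & 0xFF   # high byte of the prefix becomes the 3rd octet
    raw = bytes([0xA2, xx, yy,
                 (counter >> 16) & 0xFF, (counter >> 8) & 0xFF, counter & 0xFF])
    return cisco_mac(raw)


def prefix_from_mac(mac: str) -> int:
    """Recover the configured prefix from a generated address (undo the swap).
    Useful when auditing 'show interface' output across several ASAs."""
    raw = bytes.fromhex(mac.replace(".", ""))
    if len(raw) != 6 or raw[0] != 0xA2:
        raise ValueError("not an ASA auto-generated address")
    return (raw[2] << 8) | raw[1]


def is_locally_administered_unicast(mac: str) -> bool:
    """0xA2 has the U/L bit (0x02) set and the I/G bit (0x01) clear: a locally
    administered unicast address that cannot collide with a vendor OUI. Two
    ASAs on one segment with the same prefix and counter would still collide,
    which is why each ASA sharing a segment needs its own prefix."""
    first = bytes.fromhex(mac.replace(".", ""))[0]
    return bool(first & 0x02) and not (first & 0x01)


if __name__ == "__main__":
    for p in (77, 1009):
        active = auto_mac(p, 0x000001)
        print(p, active, auto_mac(p, 0x000001, standby=True),
              "prefix ->", prefix_from_mac(active))
```

Run the script to see the two documented prefixes expand to their addresses; prefix_from_mac reads the prefix back from an address copied out of show interface, which is a quick way to check that every ASA on a shared segment was given a different prefix.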
Changing between contexts and the system execution space
Step 1 To go to the system execution space, in the Device List pane double-click System under the active device IP address.
Step 2 To go to a context, in the Device List pane double-click the context name under the active device IP address.

Managing security contexts
Removing a security context, 8-21. Changing the admin context, 8-21. Changing the security context URL, 8-22. Reloading a security context, 8-23.

Removing a security context
Step 1 If you are not already in the System configuration, in the Device List pane double-click System under the active device IP address.
Step 2 Choose Configuration > Context Management > Security Contexts.
Step 3 Select the context and click Delete. The Delete Context dialog box appears.
Step 4 (Optional) To remove the context configuration file as well, check Also delete config URL file from the disk.
Step 5 Click Yes.

Changing the admin context
The system configuration has no network interfaces or network settings of its own; it uses the admin context to reach the network, for example to fetch configuration files or to send syslog messages. Any context can be the admin context as long as its configuration file is stored in internal flash. If your ASDM session goes through the admin context, ASDM is disconnected when you change it; reconnect ASDM to the new admin context.
Step 1 If you are not already in the System configuration, in the Device List pane double-click System under the active device IP address.
Step 2 Choose Tools > Command Line Interface. The Command Line Interface dialog box appears.
Step 3 Enter the following command, where context_name is the context to become the admin context:
admin-context context_name
Step 4 Click Send. Any remote management sessions to the old admin context (Telnet, SSH, or HTTPS for ASDM) are terminated; reconnect to the new admin context.
Note: A few system configuration commands, including ntp server, refer to an interface name that belongs to the admin context. If that interface name does not exist in the new admin context, update those commands.

Changing the security context URL
You cannot change the security context URL without reloading the configuration from the new URL. The ASA merges the new configuration with the current running configuration; reentering the same URL also merges the saved configuration with the running configuration. A merge adds any new commands from the new configuration to the running configuration. If the configurations are the same, no changes occur. If commands conflict or affect the running of the context, the effect depends on the command. If you do not want to merge the configurations, clear the running configuration first (which disrupts all communications through the context) and then reload the configuration from the new URL (8-23).
Step 1 If you are not already in the System configuration, in the Device List pane double-click System under the active device IP address.
Step 2 Choose Configuration > Context Management > Security Contexts.
Step 3 Select the context and click Edit. The Edit Context dialog box appears.
Step 4 In the Config URL field, enter the new URL and click OK.

Reloading a security context
You can reload a context in two ways: clear the running configuration and then reload it from the config URL, which also clears most attributes associated with the context, such as connections and NAT tables; or remove the context from the system and re-add it.
Reloading by clearing the configuration, 8-23. Reloading by removing and re-adding the context, 8-24.
Reloading by clearing the configuration
Step 1 In the Device List pane, double-click the context name under the active device IP address.
Step 2 Choose Tools > Command Line Interface. The Command Line Interface dialog box appears.
Step 3 Enter the following command:
clear configure all
Step 4 Click Send.
Step 5 Choose Tools > Command Line Interface again. The Command Line Interface dialog box appears.
Step 6 Enter the following command:
copy startup-config running-config
Step 7 Click Send. The ASA reloads the context from the startup configuration at its config URL; if the URL points to an external server, the ASA reaches it through the admin context.

Reloading by removing and re-adding the context
1. Remove the context (8-21) without checking Also delete config URL file from the disk.
2. Add the context again (8-17).

Monitoring security contexts
Viewing resource usage, 8-24. Viewing assigned MAC addresses, 8-25.
Viewing resource usage
Step 1 If you are not already in the System configuration, in the Device List pane double-click System under the active device IP address.
Step 2 Click Monitoring.
Step 3 Click Context Resource Usage and choose a resource type. Each view lists one row per Context; peak values are reset with the clear resource usage command.
ASDM/Telnet/SSH: Existing Connections (#), Existing Connections (%), Peak Connections (#) for ASDM, Telnet, and SSH sessions.
Routes: Existing Connections (#), Existing Connections (%), Peak Connections (#).
Xlates: Xlates (#), Xlates (%), Peak (#) for NAT translations.
NATs: NATs (#), NATs (%), Peak NATs (#) for NAT rules.
Syslogs: Syslog Rate (#/sec), Syslog Rate (%), Peak Syslog Rate (#/sec).
VPN: VPN Connections, VPN Burst Connections, Existing (#), Peak (#) for site-to-site VPN sessions.
Step 4 Click Refresh to update the display.

Viewing assigned MAC addresses
You can view the automatically generated MAC addresses in the system configuration (8-25) or within a context (8-26).