Cisco ASA Series General Operations ASDM Configuration Guide, Software Version 7.4

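Cisco Systems, Inc. www.cisco.com. Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco website at www.cisco.com/go/offices. Cisco ASA Series General Operations ASDM Configuration Guide, Software Version 7.4. For the ASA 5506-X, ASA 5506H-X, ASA 5506W-X, ASA 5508-X, ASA 5512-X, ASA 5515-X, ASA 5516-X, ASA 5525-X, ASA 5545-X, ASA 5555-X, ASA 5585-X, ASA Services Module, and the Adaptive Security Virtual Appliance. First Published: March 23, 2015. Last Updated: April 7, 2015. Text Part Number: N/A, Online only.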

Upload: duonglien

Post on 02-Jan-2017


  • ASA ASDM 7.4 ASA 5506-X ASA 5506H-X ASA 5506W-X ASA 5508-X ASA 5512-X ASA 5515-X ASA 5516-X ASA 5525-X ASA 5545-X ASA 5555-X ASA 5585-X ASA

    2015 3 23 2015 4 7 www.cisco.com

    200 www.cisco.com/go/offices


  • TCP (UCB) UCB UNIX 1981

    // URLwww.cisco.com/go/trademarks (1110R)

    (IP) IP

    ASA ASDM 2015

    http://www.cisco.com/go/trademarks

  • iii iii iii iv

    (ASDM) ASA

    ASA

    ASDM ASA ASDM ASA ASA ASA ASDM ASA

    ASA http://www.cisco.com/go/asadocs

    [ ] {x | y | z } iii ASA ASDM

    http://www.cisco.com/c/en/us/td/docs/security/asa/compatibility/asamatrx.html
    http://www.cisco.com/go/asadocs

  • (BST)http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html RSS RSS

    [ x | y | z ]

    courier courier courier courier courier courier < > [ ] ! # (!) (#) iv ASA ASDM


  • 1

    ASA

  • 1

    ASA

    2015 3 23 2015 4 7

    ASA VPN IPS ASA 2 3 IPsec VPN SSL VPN SSL VPN

    ASDM ASA ASDM ASA ASA ASA ASDM ASA 1-16

    ASDM 1-1 1-6 VPN 1-6 1-6 1-11 VPN 1-15 1-15 ASA 1-15 1-16

    ASDM ASDM 1-2 Java 1-3 1-1 ASA ASDM

  • 1 ASA ASDM ASDM ASDM Java

    1-1

    Java SE Internet Explorer Firefox Safari Chrome

    Microsoft Windows

    8 7 2008 2012

    7.0

    Apple OS X 10.4 64

    7.0

    Red Hat Enterprise Linux 5GNOME KDE

    (Desktop)

    N/A N/A 7.0 1-2 ASA ASDM

  • 1 ASA ASDM Java Java ASDM

    1-2 Java ASDM

    Java

    7 Update 51 ASDM Launcher Launcher Java Java 8 Java 7 update 45 ASA CA Java ASDM

    Java Web StartJava 7 update 51 ASDM 7.1(5) Java ASDM 7.2 CLI ASDM Java ASDM ASA

    http://java.com/en/download/help/java_blocked.xml ASDM 7.2

    Java Web Start

    Unable to connect

    ASDM Launcher

    Java -Djava.net.preferIPv6Addresses=true

    a. Java
    b. Java
    c. View
    d. -Djava.net.preferIPv6Addresses=true
    e. OK Apply OK

    7 Update 45 ASDM

    Java ASA JAR ASDM 7.2 CA Configuration > Device Management > Certificates > Identity Certificates ASA ASDM Always trust connections to websites 1-3 ASA ASDM

    http://www.cisco.com/go/asdm-certificate
    http://java.com/en/download/help/java_blocked.xml

  • 1 ASA ASDM 7 ASA (3DES/AES)

    ASDM ASA SSL 3DES

    1. www.cisco.com/go/license
    2. Continue to Product License Registration
    3. Get Other Licenses
    4. IPS Crypto Other...
    5. ASA Search by Keyword
    6. Product Cisco ASA 3DES/AES License Next
    7. ASA ASA 3DES/AES

    IPv6 Firefox Safari

    ASA HTTPS IPv6 Firefox Safari https://bugzilla.mozilla.org/show_bug.cgi?id=633001 Firefox Safari ASA SSL ASDM ASA

    ASA SSL RC4-MD5 RC4-SHA1 Chrome SSL

    Chrome

    ASA SSL RC4-MD5 RC4-SHA1 Chrome Chrome SSL ASDM Configuration > Device Management > Advanced > SSL Settings Run Chromium with flags --disable-ssl-false-start Chrome SSL

    IE9 Internet Explorer 9.0Do not save encrypted pages to disk Tools > Internet Options > Advanced ASDM ASDM

    OS X OS X ASDM Java ASDM

    1-2 Java ASDM

    Java 1-4 ASA ASDM

    www.cisco.com/go/license
    https://bugzilla.mozilla.org/show_bug.cgi?id=633001
    http://www.chromium.org/developers/how-tos/run-chromium-with-flags

  • 1 ASA ASDM OS X 10.8 ASDM Apple ID

    1. ASDM Ctrl Cisco ASDM-IDM Launcher Open

    2. ASDM Open ASDM-IDM Launcher

    1-2 Java ASDM

    Java 1-5 ASA ASDM

  • 1 ASA ASA

    VPN VPN ASA

    2015 3 23 ASA 9.4(1) /ASDM 7.4(1)

    1-3 ASA 9.4(1) /ASDM 7.4(1)

    ASA 5506W-X ASA 5506H-X ASA 5508-X ASA 5516-X

    ASA 5506W-X ASA 5506H-XASA 5508-X ASA 5516-Xhw-module module wlan recover image hw-module module wlan recover image

    (UCR) 2013

    ASA DoD UCR 2013 UCR 2013

    CA ASDM IKEv2 IKEv2 1-6 ASA ASDM

    http://www.cisco.com/en/US/docs/security/asa/compatibility/asa-vpn-compatibility.html

  • 1 ASA FIPS 140-2 ASA FIPS ASA FIPS 140-2

    RSA DH - 2K 2048 RSA DH DH 1 768 2 1024 5 1536 IKEv1 FIPS

    - SHA256 SSH - aes128-cbc aes256-cbc MACSHA1 ASA FIPS http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140InProcess.pdf PDF

    http://csrc.nist.gov/groups/STM/cmvp/inprocess.html
    fips enable

    ASA SIP

    SIP ASA SIP TLS IME

    UC-IME SIP

    SIP UC-IME TLS

    Select SIP Inspect Map Phone Proxy UC-IME ProxyDCERPC ISystemMapper UUID RemoteGetClassObject opnum3

    ASA 8.3 EPM DCERPC ISystemMapper UUID RemoteCreateInstance opnum4 RemoteGetClassObject opnum3

    SNMP

    ASA SNMP show snmp-server host ASA

    VXLAN ASA VXLAN Configuration > Firewall > Service Policy Rules > Add Service Policy Rule > Rule Actions > Protocol Inspection

    IPv6 DHCP IPv6 DHCP DHCP

    Monitoring > Interfaces > DHCP > IPV6 DHCP StatisticsMonitoring > Interfaces > DHCP > IPV6 DHCP Binding

    ASA

    1-3 ASA 9.4(1) /ASDM 7.4(1)

    1-7 ASA ASDM


  • 1 ASA ASA

    VLAN VNI BVI

    Configuration > Device Management > High Availability and Scalability > ASA Cluster > Cluster Interface Health Monitoring

    DHCP ASA ASA DHCP MAC DHCP DHCP

    ASA SIP ASA SIP TLS

    (PBR) ACL QoS 3 4 ACL QoS

    Configuration > Device Setup > Routing > Route Maps > Policy Based RoutingConfiguration > Device Setup > Routing > Interface Settings > Interfaces

    VXLAN VXLAN VXLAN (VTEP) ASA VTEP

    Configuration > Device Setup > Interface Settings > Interfaces > Add > VNI InterfaceConfiguration > Device Setup > Interface Settings > VXLAN

    EEM

    Configuration > Device Management > Advanced > Embedded Event Manager > Add Event Manager Applet > Add Event Manager Applet Event

    show tech-support show crashinfo 50 logging buffer

    1-3 ASA 9.4(1) /ASDM 7.4(1)

    1-8 ASA ASDM

  • 1 ASA

    ECDHE-ECDSA TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384 AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-GCM-SHA256 RSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-SHA256 ECDHE-RSA-AES128-SHA256ECDSA DHE Configuration > Remote Access VPN > Advanced > SSL Settings

    SSL VPN Cookie

    JavaScript SSL VPN Cookie TAC SSL VPN

    Java Java

    Sharepoint MS Office AnyConnect Web Citrix Receiver XenDesktop Xenon Configuration > Remote Access VPN > Clientless SSL VPN Access > Advanced > HTTP Cookie9.2(3)

    1-3 ASA 9.4(1) /ASDM 7.4(1)

    1-9 ASA ASDM

  • 1 ASA

    ASA SSL Citrix (VDI) XenDesktop ASA Citrix

    XenDesktop XenApp http://support.citrix.com/proddocs/topic/infocenter/ic-how-to-use.html

    XenDesktop 7 http://support.citrix.com/proddocs/topic/xendesktop-7/cds-policies-wrapper-rho.html

    XenDesktop 7 http://support.citrix.com/proddocs/topic/xendesktop-7/cds-policies-use-gpmc.html

    SSL VPN OWA 2013

    SSL VPN OWA 2013

    Active Directory (AD FS) 2.0 ASA AD FS 2.0

    SSL VPN Citrix XenDesktop 7.5 StoreFront 2.5

    SSL VPN XenDesktop 7.5 StoreFront 2.5 XenDesktop 7.5 http://support.citrix.com/proddocs/topic/xenapp-xendesktop-75/cds-75-about-whats-new.html StoreFront 2.5 http://support.citrix.com/proddocs/topic/dws-storefront-25/dws-about.html

    ASA VPN

    Configuration > Device Management > Certificate Management > Identity CertificatesConfiguration > Device Management > Certificate Management > CA Certificates

    ASA 24 CA ID 60 7

    Configuration > Device Management > Certificate Management > Identity CertificatesConfiguration > Device Management > Certificate Management > CA Certificates

    CA CA CA ASA CA ASA Configuration > Device Management > Certificate Management > CA Certificates

    1-3 ASA 9.4(1) /ASDM 7.4(1)

    1-10 ASA ASDM


  • 1 ASA Web FTP (DMZ) DMZ DMZ URL DMZ ASA DMZ []


    IKEv2 ASA SA SA ASA IKEv2 AnyConnect 3.1.06060

    IKEv2 IKEv2 Configuration > Site-to-Site VPN > Connection Profiles

    ASDM ASDM

    Configuration > Device Management > Management Access > HTTP Certificate RuleConfiguration > Device Management > Users/AAA > AAA Access > Authorization

    terminal interactive CLI ?

    ASA CLI ? ? ? URL no terminal interactive

    REST API 1.1 REST API 1.1

    1-3 ASA 9.4(1) /ASDM 7.4(1)

    1-11 ASA ASDM

  • 1 ASA

    ASA

    1-12 NAT 1-12 IP 1-12 HTTP HTTPS FTP 1-12 1-12 1-13 QoS 1-13 TCP 1-13 1-13

    EtherType IP

    NAT

    NAT NAT NAT IP IP

    IP

    ASA IP ICMP ASA IP

    HTTP HTTPS FTP

    FTP ASA URL ASA ASA CX ASA FirePOWER ASA (WSA)

    IP ASA 1-12 ASA ASDM

  • 1 ASA

    ASA

    QoS

    QoS QoS

    TCP

    TCP UDP DoS ASA TCP DoS TCP SYN TCP TCP

    DoS IP IPS ASA IPID TCP ASA

    ASA

    ASA ASA ASA EtherType 1-13 ASA ASDM

  • 1 ASA

    ASA

    TCP

    ASA

    ASA

    NAT (xlate)

    ASA TCP ASA UDP ICMP ICMP

    IP SCTPASA ICMP

    7 7 FTP H.323 SNMP

    ASA

    IP

    TCP NAT 3 4 7 HTTP 7 1-14 ASA ASDM

  • 1 ASA VPN VPN VPN TCP/IP ASA ASA ASA ASA

    ASA

    ASA

    ASA IPS

    ASA ASA

    ASA ASA ASA

    1-15 ASA ASDM

  • 1 ASA ASA


    ASA WCCP

    ASA 8.2 8.3 NAT 8.3 8.4 ASDM ASA

    ASA 1-16 ASA ASDM

    http://www.cisco.com/go/asadocs

  • 2

    ASA 2-1 ASDM 2-7 ASDM 2-12 ASDM 2-13 2-15 2-20 ASDM 2-21 2-22

    CLI ASDM CLI 34 Telnet SSH

    ASAv ASAv

    2-2 ASA 2-2 2-6 ASA 5506W-X 2-7 2-1 ASA ASDM

  • 2

    1 9600 8 1 ASA

    2 Enter ciscoasa> EXEC EXEC

    3 EXEC ciscoasa> enable

    Password:

    EXEC EXEC 4

    Enter Telnet 18-1

    ciscoasa#

    disable exit quit 5

    ciscoasa# configure terminal

    ciscoasa(config)#

    ASA exit quit end

    ASA Telnet SSH ASASM ASASM CLI ASDM ASASM CLI

    2-3 ASA 2-4 2-5 2-2 ASA ASDM

  • 2 2-5 Telnet 2-6

    CLI ASASM - service-module session ASASM

    ASASM ASASM ROMMON

    9600

    Ctrl-Shift-6, x Ctrl - Shift - 6, x ASASM ASASM ASASM IOS Telnet session

    ASASM

    Telnet - session ASASM Telnet

    ASASM ASASM Telnet passwd

    ASASM Telnet

    Telnet ASASM ASASM ROMMON Telnet 2-3 ASA ASDM

  • 2 ASA

    Telnet SSH ASASM ASASM Telnet SSH ASASM

    1

    - CLI ASASM service-module session [switch {1 | 2}] slot number

    Router# service-module session slot 3
    ciscoasa>

    VSS switch show module EXEC

    - CLI ASASM Telnet
    session [switch {1 | 2}] slot number processor 1

    ciscoasa passwd:

    Router# session slot 3 processor 1
    ciscoasa passwd: cisco
    ciscoasa>

    VSS switch session slot processor 0 ASASM ASASM 0 show module ASASM passwd EXEC

    2 EXEC enable

    ciscoasa> enable
    Password:
    ciscoasa#

    EXEC disable exit quit 2-4 ASA ASDM

  • 2 3

    configure terminal

    disable exit quit

    34-1 Telnet 18-1

    ASASM ASASM CLI 2-5

    1 CLICtrl-Shift-6, x

    asasm# [Ctrl-Shift-6, x]
    Router#

    Shift-6 (^) (^) terminal escape-character ascii_number default escape-character ascii_number ctrl-w, x terminal escape-character 23

    ASASM

    1 show users CLI con 127.0.0.slot0 slot Router# show users

    2 0 con
    Router# show users
    Line User Host(s) Idle Location
    * 0 con 0 127.0.0.20 00:00:02

  • 2 2

    Router# clear line number

    Router# clear line 0

    Telnet

    Telnet CLI

    1 CLI ASASM EXEC exit exit Telnet

    asasm# exit
    Router#

    Ctrl-Shift-6, x Telnet Enter Telnet Telnet CLI disconnect ASASM

    ASA 5506-X ASA FirePOWER

    session ASA CLI

    1 ASA CLI session {sfr | cxsc | ips} console

    ciscoasa# session sfr console
    Opening console session with module sfr.
    Connected to module sfr. Escape character sequence is 'CTRL-^X'.
    Cisco ASA SFR Boot Image 5.3.1
    asasfr login: admin
    Password: Admin123

  • 2 ASDM ASA 5506W-X

    1 ASA CLI session wlan console

    ciscoasa# session wlan console
    opening console session with module wlan
    connected to module wlan. Escape character sequence is CTRL-^X

    ap>

    2 CLI Aironet IOS

    ASDM ASDM

    ASDM ASAv 2-7 ASAv ASDM 2-8 ASA ASDM 2-10

    ASDM ASAv ASDM

    1 ASDM

    ASA 5506-X ASA 5508-X ASA 5516-X - ASDM GigabitEthernet 1/2

    ASA 5512-X - ASDM Management 0/0 ASAv - ASDM Management 0/0

    ASA - 192.168.1.1 ASAv - IP 2-7 ASA ASDM

    http://www.cisco.com/c/en/us/td/docs/wireless/access_point/15-3-3/configuration/guide/cg15-3-3.html

  • 2 ASDM ASDM ASA - 192.168.1.0/24 DHCP

    IP ASAv - IP ASAv DHCP

    ASDM

    2-15 8-14 ASDM 2-12

    ASAv ASDM

    ASDM IP

    ASAv

    1 CLI 2

    firewall transparent

    3

    interface interface_id
     nameif name
     security-level level
     no shutdown
     ip address ip_address mask

    ciscoasa(config)# interface management 0/0
    ciscoasa(config-if)# nameif management
    ciscoasa(config-if)# security-level 100

  • 2 ASDM

    ciscoasa(config-if)# no shutdown
    ciscoasa(config-if)# ip address 192.168.1.1 255.255.255.0

    security-level 1 100 100 4 DHCP

    dhcpd address ip_address-ip_address interface_name
    dhcpd enable interface_name

    ciscoasa(config)# dhcpd address 192.168.1.2-192.168.1.254 management
    ciscoasa(config)# dhcpd enable management

    5

    route management_ifc management_host_ip mask gateway_ip 1

    ciscoasa(config)# route management 10.1.1.0 255.255.255.0 192.168.1.50 1

    6 ASDM HTTP
    http server enable

    7 ASDM
    http ip_address mask interface_name

    ciscoasa(config)# http 192.168.1.0 255.255.255.0 management

    8

    write memory

    9

    mode multiple

    ASA

    Management 0/0 ASDM

    firewall transparent
    interface management 0/0
     ip address 192.168.1.1 255.255.255.0
     nameif management
     security-level 100
     no shutdown
    dhcpd address 192.168.1.2-192.168.1.254 management
    dhcpd enable management
    http server enable
    http 192.168.1.0 255.255.255.0 management

  • 2 ASDM

    2-15 6-7 2-2 ASDM 2-12 8

    ASA ASDM ASASM ASDM ASASM CLI ASDM ASDM ASASM

    ASASM VLAN ASASM

    1 ASASM 2

    firewall transparent

    3

    - interface vlan number

    ip address ip_address [mask]
    nameif name
    security-level level

    ciscoasa(config)# interface vlan 1
    ciscoasa(config-if)# ip address 192.168.1.1 255.255.255.0
    ciscoasa(config-if)# nameif inside
    ciscoasa(config-if)# security-level 100

    security-level 1 100 100 - VLAN

    interface bvi number
     ip address ip_address [mask]

    interface vlan number
     bridge-group bvi_number
     nameif name
     security-level level

    ciscoasa(config)# interface bvi 1
    ciscoasa(config-if)# ip address 192.168.1.1 255.255.255.0

  • 2 ASDM

    ciscoasa(config)# interface vlan 1
    ciscoasa(config-if)# bridge-group 1
    ciscoasa(config-if)# nameif inside
    ciscoasa(config-if)# security-level 100

    security-level 1 100 100 4 DHCP

    dhcpd address ip_address-ip_address interface_name
    dhcpd enable interface_name

    ciscoasa(config)# dhcpd address 192.168.1.2-192.168.1.254 inside
    ciscoasa(config)# dhcpd enable inside

    5

    route management_ifc management_host_ip mask gateway_ip 1

    ciscoasa(config)# route management 10.1.1.0 255.255.255.0 192.168.1.50

    6 ASDM HTTP
    http server enable

    7 ASDM
    http ip_address mask interface_name

    ciscoasa(config)# http 192.168.1.0 255.255.255.0 management

    8

    write memory

    9

    mode multiple

    ASASM

    VLAN 1 ASDM

    interface vlan 1
     nameif inside
     ip address 192.168.1.1 255.255.255.0
     security-level 100
    dhcpd address 192.168.1.3-192.168.1.254 inside
    dhcpd enable inside
    http server enable
    http 192.168.1.0 255.255.255.0 inside

  • 2 ASDM VLAN 1 BVI 1 ASDM

    firewall transparent
    interface bvi 1
     ip address 192.168.1.1 255.255.255.0
    interface vlan 1
     bridge-group 1
     nameif inside
     security-level 100
    dhcpd address 192.168.1.3-192.168.1.254 inside
    dhcpd enable inside
    http server enable
    http 192.168.1.0 255.255.255.0 inside

    ASA 2-2 8 6-7

    ASDM ASDM

    ASDM-IDM - ASA ASA IP ASA ASDM

    Java Web Start - ASA Java Web Start ASA IP

    ASDM ASA IP Java Web Start ASA ASDM ASDM java Web Start ASDM

    1 ASDM URL https://asa_ip_address/admin

    ASDM Install ASDM Launcher and Run ASDM Run ASDM Run Startup Wizard

    2

    a. Install ASDM Launcher and Run ASDMb. OK HTTPS

    enable ASDM HTTPS 2-12 ASA ASDM

  • 2 ASDM c. ASDM-IDM d. IP OK

    HTTPS 3 Java Web Start

    a. Run ASDM Run Startup Wizardb.

    c. Java Web Startd. ASDM-IDM e. OK HTTPS

    ASDM ASDM ASDM ASDM

    ASDM 2-13 ASDM 2-13

    ASDM Java 7 update 51 ASDM Java Web Start ASDM ASA ASDM Java http://www.cisco.com/go/asdm-certificate

    ASDM ASDM 512 KB ASDM ASDM

    Windows ASDM 2-13 Mac ASDM 2-14

    Windows ASDM

    ASDM run.bat

    1. ASDM C:\Program Files (x86)\Cisco Systems\ASDM2. run.bat 2-13 ASA ASDM

    http://www.cisco.com/go/asdm-certificate

  • 2 ASDM 3. start javaw.exe -Xmx 768 MB -Xmx768M 1 GB -Xmx1G

    4. run.bat

    Mac ASDM

    ASDM Info.plist

    1. Cisco ASDM-IDM Show Package Contents2. Contents Info.plist

    Property List Editor TextEdit 3. Java > VMOptions -Xmx

    768 MB -Xmx768M 1 GB -Xmx1G

    4.

    5. Unlock Unlock Cisco ASDM-IDM Copy Cisco ASDM-IDM 2-14 ASA ASDM

  • 2 ASA

    ASA - ASDM

    ASAv - ASDM IP

    ASASM - ASA 2-2 ASAv

    log/crypto_archive/ coredumpinfo/coredump.cfg

    2-15 ASAv 2-16 ASA 5506-X 5508-X 5516-X 2-17 ASA 5512-X 5515-X 5525-X 2-18 ASAv 2-18

    CLI ASDM ASAv ASA

    ASASM

    IP ASA

    1

    configure factory-default [ip_address [mask]]

    ciscoasa(config)# configure factory-default 10.1.1.1 255.255.255.0

    ip_address IP IP 192.168.1.1 http dhcpd address 2-15 ASA ASDM

  • 2 boot system boot system ASA ASA

    2

    write memory

    boot config

    1 ASDM File > Reset Device to the Factory Default Configuration Reset Device to the Default Configuration

    2 Management IP address IP 192.168.1.1

    3 Management Subnet Mask 4 OK

    Configuration > Device Management > System Image/Configuration > Boot Image/Configuration ASA ASA

    5 Yes 6 File > Save Running Configuration to Flash

    ASAv ASAv 0

    1

    2 write erase2-16 ASA ASDM

  • 2 ASAv boot image

    3 ASAvreload

    4

    ASA 5506-X 5508-X 5516-X ASA 5506-X 5508-X 5516-X

    --> - GigabitEthernet 1/1 GigabitEthernet 1/2 DHCP IP IP - 192.168.1.1 (ASA 5506W-X) WiFi WiFi --> - GigabitEthernet 1/9 (WiFi) (ASA 5506W-X) WiFi IP - 192.168.10.1 WiFi DHCP ASA DHCP Management 1/1 ASA FirePOWER

    ASA ASDM - WiFi NAT - WiFi PAT

    interface Management1/1
     management-only
     no nameif
     no security-level
     no ip address
     no shutdown

    interface GigabitEthernet1/1
     nameif outside
     security-level 0
     ip address dhcp setroute
     no shutdown

    interface GigabitEthernet1/2
     nameif inside
     security-level 100
     ip address 192.168.1.1 255.255.255.0
     no shutdown

    object network obj_any
     subnet 0.0.0.0 0.0.0.0
     nat (any,outside) dynamic interface

    http server enable
    http 192.168.1.0 255.255.255.0 inside
    dhcpd auto_config outside
    dhcpd address 192.168.1.5-192.168.1.254 inside

  • 2

    dhcpd enable inside
    logging asdm informational

    ASA 5506W-X

    same-security-traffic permit inter-interface

    interface GigabitEthernet 1/9
     security-level 100
     nameif wifi
     ip address 192.168.10.1 255.255.255.0
     no shutdown

    http 192.168.10.0 255.255.255.0 wifi
    dhcpd address 192.168.10.2-192.168.10.254 wifi
    dhcpd enable wifi

    ASA 5512-X 5515-X 5525-X ASA 5512-X 5515-X 5525-X

    - Management 0/0 IP - 192.168.1.1/24 DHCP - 192.168.1.2

    192.168.1.254 ASDM -

    interface management 0/0
     ip address 192.168.1.1 255.255.255.0
     nameif management
     security-level 100
     no shutdown

    asdm logging informational 100
    asdm history enable
    http server enable
    http 192.168.1.0 255.255.255.0 management
    dhcpd address 192.168.1.2-192.168.1.254 management
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd enable management

    ASAv ASAv ASDM Management 0/0

    Management 0/0 management IP DHCP 0 2-18 ASA ASDM

  • 2 IP HTTP IP HTTP GigabitEthernet 0/8 IP Management0/0 IP DNS ID

    Smart Call Home HTTP URL SSH

    IP

    SSH REST API

    ASAvASAv

    interface Management0/0
     nameif management
     security-level 0
     ip address ip_address
     management-only
     no shutdown

    http server enable
    http management_host_IP mask management
    route management management_host_IP mask gateway_ip 1
    dns server-group DefaultDNS
     name-server ip_address
    call-home
     http-proxy ip_address port port
    license smart
     feature tier standard
     throughput level {100M | 1G | 2G}
    license smart register idtoken id_token
    aaa authentication ssh console LOCAL
    username username password password
    ssh source_IP_address mask management
    rest-api image boot:/path
    rest-api agent

    interface Management0/0
     nameif management
     security-level 0
     ip address ip_address standby standby_ip
     management-only
     no shutdown

    route management management_host_IP mask gateway_ip 1
    http server enable
    http management_host_IP mask management
    dns server-group DefaultDNS

  • 2

     name-server ip_address
    call-home
     http-proxy ip_address port port
    license smart
     feature tier standard
     throughput level {100M | 1G | 2G}
    license smart register idtoken id_token
    aaa authentication ssh console LOCAL
    username username password password
    ssh source_IP_address mask management
    rest-api image boot:/path
    rest-api agent
    failover
    failover lan unit primary
    failover lan interface fover gigabitethernet0/8
    failover link fover gigabitethernet0/8
    failover interface ip fover primary_ip mask standby standby_ip

    ASA

    ASDM 512 KB ASDM 2-13

    1 Wizards > Startup Wizard 2 IPsec VPN IPSec VPN Wizards > IPsec VPN Wizards

    3 SSL VPN SSL VPN Wizards > SSL VPN Wizards

    4 Wizards > High Availability and Scalability Wizard

    5 Wizards > Packet Capture Wizard 6 ASDM GUI View > Office Look and Feel 7 Configuration

    Configuration Refresh

    8 ASA Monitoring 2-20 ASA ASDM

  • 2 ASDM ASDM ASDM CLI

    2-21 ASDM 2-22

    ASA CLI ASDM CLI

    ASDM CLI ASA -

    Response - CLI ASDM noconfirm

    crypto key generate rsa modulus 1024 noconfirm

    - ASA ASDM CLI ASA ASA Monitoring > Properties > Device Access

    1 ASDM Tools > Command Line Interface Command Line Interface

    2 3 Send 4 Clear Response 5 Enable context-sensitive help (?)

    6 Command Line Interface Refresh ASDM 2-21 ASA ASDM

  • 2 ASDM ASDM ASDM ASDM 3-29

    1 ASDM Tools > Show Commands Ignored by ASDM on Device 2 OK

    show QoS service-policy show service-policy QoS

    clear local-host [ip_address] [all] show local-host all all IP ip_address

    clear conn [all] [protocol {tcp | udp}] [address src_ip[-src_ip] [netmask mask]] [port src_port[-src_port]] [address dest_ip[-dest_ip] [netmask mask]] [port dest_port[-dest_port]] show conn all IP IP /2-22 ASA ASDM

  • 3

    ASDM

    ASDM ASDM 3-1 ASDM 3-3 3-4 3-8 ASDM Assistant 3-8 3-9 3-9 3-10 3-10 ASDM 3-12 ACL Manager 3-12 3-13 3-13 Home 3-13 Home (System) 3-26 ASDM 3-27 ASDM Assistant 3-28 3-29 3-29

    ASDM ASDM ASA ASDM

    ASDM Home Configuration

    Monitoring 3-1 ASA ASDM

  • 3 ASDM ASDM Navigation Configuration Monitoring Configuration Monitoring Navigation Content

    Configuration > Device Setup > Startup Wizard Content

    Navigation Content Navigation Device List ASDM

    SSL Navigation NAT AAA

    ASDM Assistant

    ASDM

    3-1 ASDM


    3-2 ASA ASDM

  • 3 ASDM ASDM

    GUI Wizards Configuration Monitoring

    ASDM ASDM Navigation Device List

    Device Setup Firewall Botnet Traffic Filter Remote Access VPN Site to Site VPN Device Management Configuration Monitoring Home

    1

    2

    Show More Buttons Show Fewer Buttons Add or Remove Buttons

    GUI

    1 2 3 4 5 6 7 8 9 3-3 ASA ASDM

  • 3 ASDM Option Option

    Move Up Move Down Reset

    3 OK

    ASDM 3-10 ASDM

    File 3-4 View 3-5 Tools 3-6 Wizards 3-7 Window 3-7 Help 3-7

    File File ASA

    File Refresh ASDM with the Running Configuration on the Device

    ASDM

    Reset Device to the Factory Default Configuration

    Show Running Configuration in New Window

    Save Running Configuration to Flash

    Save Running Configuration to TFTP Server

    TFTP

    Save Running Configuration to Standby Unit

    Save Internal Log Buffer to Flash Print

    Internet Explorer3-4 ASA ASDM

  • 3 ASDM View View ASDM

    Clear ASDM Cache ASDM ASDM ASDM

    Clear ASDM Password Cache

    Clear Internal Log Buffer Exit ASDM

    File

    View

    Home Home Configuration Configuration Monitoring Monitoring Device List 3-9 Navigation Configuration Monitoring Navigation ASDM Assistant ASDM

    ASDM Assistant 3-8 Latest ASDM Syslog Messages

    Home Latest ASDM Syslog Messages Home %ASA-1-211004 24

    Addresses Addresses Addresses Configuration Access Rules NAT Rules Service Policy Rules AAA Rules Filter Rules

    Services Services Services Configuration Access RulesNAT RulesService Policy RulesAAA Rules Filter Rules

    Time Ranges Time Ranges Time Ranges Configuration Access RulesService Policy RulesAAA Rules Filter Rules

    Select Next Pane Service Policies Rules Address

    Select Previous Pane Back Forward Find in ASDM ASDM AssistantReset Layout Office Look and Feel Microsoft Office 3-5 ASA ASDM

  • 3 ASDM Tools Tools ASDM

    Tools

    Command Line Interface ASA Show Commands Ignored by ASDM on Device

    ASDM

    Packet Tracer

    Ping ASA

    Traceroute

    File Management TFTP PC

    Check for ASA/ASDM Updates

    ASA ASDM

    Upgrade Software from Local Computer

    PC ASA ASDM

    Downgrade Software ASA Backup Configurations ASA Cisco Secure Desktop SSL VPN

    Restore Configurations ASA Cisco Secure Desktop SSL VPN

    System Reload ASDM Administrators Alert to Clientless SSL VPN Users

    SSL VPN VPN

    Migrate Network Object Group Members

    8.3 ASA IP ASDM IP IP

    ASA ASDM ASA IP ASDM ASDM Tools > Migrate Network Object Group Members ASA 5500 8.3

    Preferences ASDM ASDM 3-27

    ASDM Java Console Java 3-6 ASA ASDM

  • 3 ASDM Wizards Wizards

    Window Window ASDM

    Help Help ASDM ASA

    Wizards

    Startup Wizard ASA VPN Wizards VPN VPN High Availability and Scalability Wizard

    VPN ASA ASA

    Unified Communication Wizard

    ASA IP

    ASDM Identity Certificate Wizard

    Java 7 update 51 ASDM Java Web Start ASDM http://www.cisco.com/go/asdm-certificate

    Packet Capture Wizard ASA

    Help

    Help Topics ASDM ASDM ASA FirePOWER ASDM Help Topics

    ASA FirePOWER Help Topics

    ASA FirePOWER ASDM

    Help for Current Screen ? Help

    Release Notes Cisco.com ASDM ASDM

    Cisco ASA Series Documentation

    Cisco.com

    ASDM Assistant ASDM Assistant Cisco.com

    About Cisco Adaptive Security Appliance (ASA)

    ASA

    About Cisco ASDM ASDM Java 3-7 ASA ASDM


  • 3 ASDM Home Configuration Monitoring

    ASDM Assistant ASDM Assistant ASDM

    View > ASDM Assistant > How Do I? Look For Find How Do I? ASDM Assistant

    1 View > ASDM Assistant ASDM Assistant

    2 Search Go Search Results

    3 Search Results and Features

    Home Home ASA Home 3-13 Home

    Configuration ASA Navigation Monitoring ASA Navigation Save Save ASA Changes

    ASA FirePOWER ASDM Save ASA Changes

    Refresh ASDM Monitoring Back ASDM Forward ASDM Help Search ASDM Search

    Back Forward ASDM Assistant 3-8 3-8 ASA ASDM

  • 3 ASDM ASDM

    ASDM ASA Monitoring Home ASDM

    Device List Home Configuration Monitoring System System ASDM

    1 Add Add Device

    2 IP OK 3 Delete 4 Connect

    Enter Network Password 5 Login

    Status Device configuration loaded successfully.Failover User Name ASDM

    adminUser Privilege ASDM Commands Ignored by ASDM

    ASDM

    Connection to Device ASDM ASA 3-9

    Syslog Connection ASA SSL Secure ASDM SSLTime ASA 3-9 ASA ASDM

  • 3 ASDM ASDM

    ASDM ASDM

    Apply ASDM ASA Save Reset Refresh Apply

    Reset Refresh

    Restore Default Cancel Enable Close Clear Back Forward Help

    3-1

    Windows/Linux MacOS

    Home Ctrl+H Shift+Command+H
    Configuration Ctrl+G Shift+Command+G
    Monitoring Ctrl+M Shift+Command+M
    Help F1 Command+?
    Back Alt+ Command+[
    Forward Alt+ Command+]
    F5 Command+R
    Cut Ctrl+X Command+X
    Copy Ctrl+C Command+C
    Paste Ctrl+V Command+V
    Ctrl+S Command+S
    Shift+F10 -
    Alt+F4 Command+W

  • 3 ASDM

    Find Ctrl+F Command+FExit Alt+F4 Command+Q Ctrl_Shift

    Ctrl+Shift+TabCtril+Shift Ctrl+Shift+Tab

    3-1

    Windows/Linux MacOS

    3-2

    Shift+Tab Ctrl+Tab Shift+Ctrl+TabNext Previous

    Shift+Tab F6 Shift+F6

    3-3

    Windows/Linux MacOS

    Ctrl+U Command+ F5 Command+R Ctrl+Delete Command+Delete Ctrl+C Command+C Ctrl+S Command+S Ctrl+P Command+P Alt+F4 Command+W3-11 ASA ASDM

  • 3 ASDM ASDM

    ASDM ASDM ASDM Find *? * Find Match Case

    B*ton-L* Boston-LA Boston-Lisbon Boston-London

    Bo?ton Boston, Bolton

    ACL Manager ACL ACE ACL Manager ACL Manager

    1 ACL Manager Find 2 Filter

    Source - IP IP 4

    Destination - Source IP IP 4

    Source or Destination - 4 Service - 4 Query - Query Query

    Source Destination Source or Destination Service

    3-4

    Windows/Linux

    3-12 ASA ASDM

  • 3 ASDM 3

    is - 4 contains - 4 ACL ACE

    4 ACL ACE Browse ACL/ACE

    5 Filter ASDM ACL ACE

    6 Clear ACL ACE 7 x

    Tab JAWS

    1 Tools > Preferences Preferences

    2 General Enable screen reader support 3 OK 4 ASDM

    Navigation

    Home ASDM Home ASA Home 10 Device Dashboard Firewall Dashboard IPSCX ASA FirePOWER 3-13 ASA ASDM

  • 3 ASDM Home Device Dashboard Device Dashboard ASA

    Device Dashboard

    3-2 Device Dashboard


    GUI

    1 Device Information 3-15 2 Interface Status 3-16 3 VPN Sessions 3-16 4 Traffic Status 3-16 5 System Resources Status 3-16 6 Traffic Status 3-16 - 3-9 - Latest ASDM Syslog Messages 3-17 3-14 ASA ASDM

  • 3 ASDM Home Device Information

    Device Information General License General Environment Status

    General

    ASA Host name - ASA version - ASA ASDM version - ASDM Firewall mode - Total flash - RAM ASA Cluster Role - Master Slave Device uptime - Context mode - Total Memory - ASA DRAM Environment status - General Environment Status

    (+) CPU Environment Status (+) OK (+) Critical

    ASA Memory Insufficient Warning ASA ASDM OK

    License

    More Licenses Configuration > Device Management > Licensing > Activation Key 3-15 ASA ASDM

  • 3 ASDM Home Cluster

    Virtual Resources (ASAv)

    ASAv vCPU RAM ASAv

    Interface Status

    Kbps

    VPN Sessions

    VPN Details Monitoring > VPN > VPN Statistics > Sessions

    Failover Status

    Configure High Availability and Scalability Wizard Active/Active Active/Standby Details Monitoring > Properties > Failover > Status

    System Resources Status

    CPU

    Traffic Status

    outside ASDM 3-16 ASA ASDM

  • 3 ASDM Home Latest ASDM Syslog Messages

    ASA 100 Enable Logging 3-3 Latest ASDM Syslog Messages

    3-3 Latest ASDM Syslog Messages

    Clear Content Save Content PC Copy Color Settings

    GUI

    1 2 3 4 Latest ASDM

    Syslog Messages

    5 View Latest ASDM Syslog Messages 6 7 8 Logging Filters 3-17 ASA ASDM

  • 3 ASDM Home Firewall Dashboard Firewall Dashboard ASA Firewall Dashboard 3-4 Firewall Dashboard

    3-4 Firewall Dashboard

    GUI

    1 Traffic Overview 3-19 2 Top 10 Access Rules 3-19 3 Top Usage Status 3-19 Top Ten Protected Servers Under SYN Attack 3-20 Top 200 Hosts 3-20 Top Botnet Traffic Filter Hits 3-20 3-18 ASA ASDM

  • 3 ASDM Home Traffic Overview

    Enable

    NAT

    TCP SYN UDP

    Top 10 Access Rules

    Enable Table Show Rule Access Rules

    Top Usage Status

    Top 10 Services - Top 10 Sources - Top 10 Destinations - Top 10 Users - Top 10 Services Top 10 Sources Top 10 Destinations Enable

    Top 10 Services Enable Top 10 Sources Top 10 Destinations Enable

    Top 10 Users IP ASA IP - ASA Microsoft Active Directory Cisco Active Directory (AD) Top 10 Users Top 10 Users 10 EPS EPS domain\user_name EPS EPS

    ASA 3-19 ASA ASDM

  • 3 ASDM Home Top Ten Protected Servers Under SYN Attack

    Enable 10 ASA 30 30 IP Detail 1000 10 ASA 60 30 60

    Top 200 Hosts

    ASA 200 IP 120 hpm topnenable

    Top Botnet Traffic Filter Hits

    Botnet Traffic Filter 10 10 IP whois 3-20 ASA ASDM

  • 3 ASDM Home Cluster Dashboard ASA Cluster Dashboard

    Cluster Members - IP

    ASDM IP IP IP ASDM IP

    System Resource Status - CPU

    Traffic Status - Connections Per Second

    Cluster Overall - Per-Member Total - 3-21 ASA ASDM

  • 3 ASDM Home Throughput Cluster Overall - Per-Member Throughput -

    Load Balancing Per-Member Percentage of Total Traffic -

    Per-Member Locally Processed Traffic - Control Link Usage

    Per-Member Receival Capacity Utilization - Per-Member Transmittal Capacity Utilization -

    Cluster Firewall Dashboard Cluster Firewall Dashboard N Firewall Dashboard 3-22 ASA ASDM

  • 3 ASDM Home Intrusion Prevention Intrusion Prevention IPS ASA IPS

    IPS

    1 Intrusion Prevention Connecting to IPS

    2 IP IP 192.168.1.2:443 cisco cisco

    3 Save IPS login information on local host PC 4 Continue3-23 ASA ASDM

  • 3 ASDM Home

    Intrusion Prevention Health Dashboard

    3-5 Intrusion Prevention (Health Dashboard)

    GUI

    1 Sensor Information 2 Sensor Health 3 CPU Memory Load 4 Interface Status 5 Licensing 3-24 ASA ASDM

  • 3 ASDM Home ASA CX Status ASA CX Status ASA CX ASA ASA CX

    ASA FirePOWER ASA FirePOWER Status FireSIGHT ASA FirePOWER ASDM FireSIGHT ASA FirePOWER

    ASA FirePOWER Dashboard -

    ASA FirePOWER Reporting - 10 Web 3-25 ASA ASDM

  • 3 ASDM Home (System)Home (System) ASDM System Home ASA ASDM System Home ASDM ASA System Home 10 System Home

    3-6 System Home

    GUI

    1 2 Interface Status 3 Connection Status 4 CPU Status 5 Memory Status 3-26 ASA ASDM

  • 3 ASDM ASDM ASDM ASDM ASDM

    1 Tools > Preferences Preferences General Rules Table Syslog

    2 General Rules Table Rules Syslog Home NetFlow

    3 General Warn that configuration in ASDM is out of sync with the configuration in ASA

    Show configuration restriction message to read-only user You are not allowed to modify the ASA configuration, because you do not have sufficient privileges.

    Show configuration restriction message on a slave unit in an ASA cluster

    Confirm before exiting ASDM ASDM

    Enable screen reader support (requires ASDM restart) ASDM

    Warn of insufficient ASA memory when ASDM loads ASA ASDM ASDM ASDM 24

    Communications Preview commands before sending them to the device ASDM

    CLI Enable cumulative (batch) CLI delivery ASA 60

    Logging Enable logging to the ASDM Java console Java Logging Level

    Packet Capture Wizard Network Sniffer Application Browse

    4 Rules Table Rules

    Auto-expand network and service object groups with specified prefix Auto-Expand Prefix

    Auto-Expand Prefix Show members of network and service object groups Rules

  • 3 ASDM ASDM Assistant Limit Members To n

    Show all actions for service policy rules Rules

    Rules ASA Issue clear xlate command when deploying access lists

    NAT ASA Access Rule Hit Count Settings Access Rules

    Access Rules Update access rule hit counts automatically Access Rules

    Access Rules 10 86400 5 Syslog

    Syslog Colors Severity Pick a Color Swatches OK HSB H S B OK RGB Red Green Blue OK

    NetFlow Warn to disable redundant syslog messages when NetFlow action is first applied to the global service policy rule

    6 OK Preferences

    .conf ASDM ASDM

    ASDM Assistant ASDM Assistant ASDM View > ASDM Assistant > How Do I? Look For Find How Do I? ASDM Assistant

    1 View > ASDM Assistant ASDM Assistant

    2 Search Go Search Results

    3 Search Results and Features 3-28 ASA ASDM

  • 3 ASDM Configuration > Device Management > Advanced > History Metrics ASA ASDM / 10 60 12 5

    1 Configuration > Device Management > Advanced > History Metrics History Metrics

    2 ASDM History Metrics Apply

    ASDM ASA ASDM Tools > Show Commands Ignored by ASDM on Device

    CLI ASDM ASDM ASDM ASDM GUI GUI

    3-5

    ASDM

    capture coredump CLI crypto engine large-mod-accel dhcp-server (tunnel-group name general-attributes)

    ASDM DHCP

    eject established failover timeout fips nat-assigned-to-public-ip pager pim accept-register route-map ASDM list 3-29 ASA ASDM

  • 3 ASDM

    ASDM ASDM Tools > Show Commands Ignored by ASDM on Device

    ASDM 255.255.0.255 ip address inside 192.168.2.1 255.255.0.255

    ASDM CLI ASDM CLI CLI ASDM [yes/no] ASDM

    1. Tools > Command Line Interface
    2. crypto key generate rsa
       ASDM 1024 RSA
    3. crypto key generate rsa
       ASDM RSA RSA

       Do you really want to replace them? [yes/no]:WARNING: You already have RSA ke0000000000000$A key
       Input line must be less than 16 characters in length.

       %Please answer 'yes' or 'no'.
       Do you really want to replace them [yes/no]:

       %ERROR: Timed out waiting for a response.
       ERROR: Failed to create new RSA keys names

    service-policy global match access-list

    access-list myacl extended permit ip any any
    class-map mycm
      match access-list myacl
    policy-map mypm
      class mycm
        inspect ftp
    service-policy mypm global

    set metric sysopt nodnsalias sysopt uauth allow-http-cache terminal threat-detection rate

    3-5

    ASDM 3-30 ASA ASDM

  • 3 ASDM

    ASDM noconfirm CLI CLI

    crypto key generate rsa noconfirm

  • 4

    ASA ASA (PAK) ASAv 5 ASAv

    4-1 PAK 4-16 PAK 4-24 PAK 4-25 AnyConnect 3 4-27 PAK 4-32 PAK 4-33

    4-1 4-13

    ASA 5506-X ASA 5506W-X ASA 5506H-X 4-2 ASA 5508-X 4-3 ASA 5512-X 4-3 ASA 5515-X 4-4 ASA 5516-X 4-5 ASA 5525-X 4-6 ASA 5545-X 4-7 ASA 5555-X 4-8 SSP-10 ASA 5585-X 4-9 SSP-20 ASA 5585-X 4-10 4-1 ASA ASDM

  • 4 SSP-40 SSP-60 ASA 5585-X 4-11 ASA 4-12 24 500 AnyConnect GTP/GPRS

    4-23

    4-13

    ASA 5506-X ASA 5506W-X ASA 5506H-X

    4-1 ASA 5506-X ASA 5506W-X ASA 5506H-X

    20,000 50,000GTP/GPRS UC 160 160VPN AnyConnect Plus Apex AnyConnect

    AnyConnect

    50 50

    VPN AnyConnect

    AnyConnect Essentials AnyConnect VPN

    VPN 50 50 VPN 10 50VPN

    (DES) (3DES/AES) (DES) (3DES/AES) / 536 636

    VLAN 5 304-2 ASA ASDM

  • 4 ASA 5508-X

    ASA 5512-X

    4-2 ASA 5508-X

    100,000GTP/GPRS UC 320VPN AnyConnect Plus Apex AnyConnect

    AnyConnect

    100

    VPN AnyConnect

    AnyConnect Essentials AnyConnect

    VPN

    VPN

    100

    VPN 100VPN

    (DES) (3DES/AES) // 716 2 5

    VLAN 50

    4-3 ASA 5512-X

    100,000 250,000GTP/GPRS 4-3 ASA ASDM

  • 4 ASA 5515-X

    UC 2 2 24 50 100 250 500 24 50 100 250 500

    VPN AnyConnect Plus Apex AnyConnect

    AnyConnect

    250 250 AnyConnect Plus Apex

    AnyConnect Plus Apex

    VPN AnyConnect

    AnyConnect Essentials AnyConnect

    VPN

    VPN

    250 250

    VPN 250 250VPN

    (DES) (3DES/AES) (DES) (3DES/AES) // 716 916 2 5 2IPS VLAN 50 100

    4-3 ASA 5512-X

    4-4 ASA 5515-X

    250,000GTP/GPRS UC 2 24 50 100 250 5004-4 ASA ASDM

  • 4 ASA 5516-X

    VPN AnyConnect Plus Apex AnyConnect

    AnyConnect

    250 AnyConnect Plus Apex

    VPN AnyConnect

    AnyConnect Essentials AnyConnect

    VPN

    VPN

    250

    VPN 250VPN

    (DES) (3DES/AES) // 916 2 5 2IPS VLAN 100

    4-4 ASA 5515-X

    4-5 ASA 5516-X

    250,000GTP/GPRS UC 1000VPN AnyConnect Plus Apex AnyConnect

    AnyConnect

    300

    VPN AnyConnect

  • 4 ASA 5525-X

    AnyConnect Essentials AnyConnect

    VPN

    VPN

    300

    VPN 300VPN

    (DES) (3DES/AES) // 1,116 2 5

    VLAN 150

    4-5 ASA 5516-X

    4-6 ASA 5525-X

    500,000GTP/GPRS UC 2 24 50 100 250 500 750 1000VPN AnyConnect Plus Apex AnyConnect

    AnyConnect

    750 AnyConnect Plus Apex

    VPN AnyConnect

    AnyConnect Essentials AnyConnect

    VPN

    VPN

    750

    VPN 7504-6 ASA ASDM

  • 4 ASA 5545-X

    VPN

    (DES) (3DES/AES) // 1316 2 5 10 20 2IPS VLAN 200

    4-6 ASA 5525-X

    4-7 ASA 5545-X

    750,000GTP/GPRS UC 2 24 50 100 250 500 750 1000 2000VPN AnyConnect Plus Apex AnyConnect

    AnyConnect

    2500 AnyConnect Plus Apex

    VPN AnyConnect

    AnyConnect Essentials AnyConnect

    VPN

    VPN

    2500

    VPN 2500VPN

    (DES) (3DES/AES) // 1716 2 5 10 20 504-7 ASA ASDM

  • 4 ASA 5555-X

    2IPS VLAN 300

    4-7 ASA 5545-X

    4-8 ASA 5555-X

    1,000,000GTP/GPRS UC 2

    24 50 100 250 500 750 1000 2000 3000VPN AnyConnect Plus Apex AnyConnect

    AnyConnect

    5000 AnyConnect Plus Apex

    VPN AnyConnect

    AnyConnect Essentials AnyConnect

    VPN

    VPN

    5000

    VPN 5000VPN

    (DES) (3DES/AES) // 2516 2 5 10 20 50 100 2IPS VLAN 5004-8 ASA ASDM

  • 4 SSP-10 ASA 5585-X

    SSP SSP SSP-10 SSP-20 SSP SSP

    4-9 SSP-10 ASA 5585-X

    1,000,000GTP/GPRS UC 2

    24 50 100 250 500 750 1000 2000 3000VPN AnyConnect Plus Apex AnyConnect

    AnyConnect

    5000 AnyConnect Plus Apex

    VPN AnyConnect

    AnyConnect Essentials AnyConnect

    VPN

    VPN

    5000

    VPN 5000VPN

    10 GE I/O 1 GE

    10 GE

    (DES) (3DES/AES) // 4612 2 5 10 20 50 100 16 VLAN 10244-9 ASA ASDM

  • 4 SSP-20 ASA 5585-X

    SSP SSP SSP-20 SSP-40 SSP SSP

    4-10 SSP-20 ASA 5585-X

    2,000,000GTP/GPRS UC 2

    24 50 100 250 500 750 1000 2000 3000 5000 10,0001

    1. 10,000 UC 10,000 5000

    VPN AnyConnect Plus Apex AnyConnect

    AnyConnect

    10,000 AnyConnect Plus Apex

    VPN AnyConnect

    AnyConnect Essentials AnyConnect

    VPN

    VPN

    10,000

    VPN 10,000VPN

    10 GE I/O 1 GE

    10 GE

    (DES) (3DES/AES) // 4612 2 5 10 20 50 100 250 16 VLAN 10244-10 ASA ASDM

  • 4 SSP-40 SSP-60 ASA 5585-X

    SSP SSP SSP-40 SSP-60 SSP SSP

    4-11 SSP-40 SSP-60 ASA 5585-X

    SSP-40 5585-X4,000,000 SSP-60 5585-X10,000,000GTP/GPRS UC 2

    24 50 100 250 500 750 1000 2000 3000 5000 10,0001

    1. 10,000 UC 10,000 5000

    VPN AnyConnect Plus Apex AnyConnect

    AnyConnect

    10,000 AnyConnect Plus Apex

    VPN AnyConnect

    AnyConnect Essentials AnyConnect

    VPN

    VPN

    10,000

    VPN 10,000VPN

    10 GE I/O 10 GE (DES) (3DES/AES) // 4612 2 5 10 20 50 100 250 16 VLAN 10244-11 ASA ASDM

  • 4 ASA

    4-12 ASASM

    10,000,000GTP/GPRS UC 2

    24 50 100 250 500 750 1000 2000 3000 5000 10,0001

    1. 10,000 UC 10,000 5000

    VPN AnyConnect Plus Apex AnyConnect

    AnyConnect

    10,000 AnyConnect Plus Apex

    VPN AnyConnect

    AnyConnect Essentials AnyConnect

    VPN

    VPN

    10,000

    VPN 10,000VPN

    (DES) (3DES/AES) // 2

    5 10 20 50 100 250

    VLAN 10004-12 ASA ASDM

  • 4

    4-13

    AnyConnect Essentials AnyConnect Plus Apex

    AnyConnect VPN SSL VPN IKEv2 IPsec VPN SSL VPN AnyConnect AnyConnect AnyConnect VPN Web

    (WebLaunch) AnyConnect

    AnyConnect AnyConnect ASA AnyConnect AnyConnect ASA AnyConnect AnyConnect ASA AnyConnect webvpn no anyconnect-essentials ASDM Configuration > Remote Access VPN > Network (Client) Access > Advanced > AnyConnect Essentials

    VPN AnyConnect

    AnyConnect Plus Apex

    AnyConnect AnyConnect IP 4-13 ASA ASDM

  • 4 AnyConnect

    AnyConnect Plus Apex

    Windows Mobile 5.06.0 6.1 AnyConnect AnyConnect 2.3 SSL VPN AnyConnect AnyConnect

    ASA AnyConnect Mobile AnyConnect AnyConnect

    AnyConnect DAP DAP

    AnyConnect ASDM CLI ASDM

    DAP AnyConnect Premium AnyConnect Plus Apex

    AnyConnect VPN SSL VPN SSL VPN IKEv2 IPsec VPN

    AnyConnect AnyConnect Plus Apex

    ASA ASA ASA

    (3DES/AES) DES 3DES DES

    DES VLAN EtherChannel

    interface

    4-13

  • 4 IPS IPS ASA IPS IPS IPS

    IPS IPS ASAIPS ASA5515-IPS-K9 IPS ASA IPS

    IPS ASA

    IPS IPS ASA IPS IPS IPS

    VPN VPN VPN IKEv1 IPsec VPN IKEv1 IPsec VPN IKEv2 IPsec VPN

    VPN

    VPN VPN AnyConnect VPN VPN VPN ASA

    SSL VPN AnyConnect 1 AnyConnect SSL VPN 2

    4-13

  • 4 PAK PAK ASA 160 5 32 20 11

    4-17 4-17 4-17

    UC TLS UC TLS UC Mobility Advantage

    UC 2 TLS 2 UC tls-proxy maximum-sessions ASDM Configuration > Firewall > Unified Communications > TLS Proxy TLS tls-proxy maximum-sessions ? TLS UC ASA TLS UC TLS UC TLS UC UC

    K8 250 TLS 1000 k9 250 TLS K8 K9 K8 K9

    clear configure all TLS UC tls-proxy maximum-sessions ASDM TLS Proxy write standby ASDM File > Save Running Configuration to Standby Unit clear configure all TLS

    SRTP K8 SRTP 250 K9

    / SRTP SRTP

    CPU ASAv vCPU 100 kbps

    VLAN VLAN VLAN

    VPN VPN (3DES/AES)

    4-13

  • 4 PAK AnyConnect AnyConnect 3 4-20 ASA 4-20 4-23 4-23

    ASA

    PAK 4-32

    ASA

    4-18

    1

    4-17 4-18 4-18 4-19 4-19

    3000 2000

    1000 AnyConnect 2000 4-17 ASA ASDM

  • 4 PAK

    ASA

    ASA ASA ASA

    PAK 4-32

    4-14

    AnyConnect 1000 2500 2500

    2500 1000 3500

    10 20 30

  • 4 PAK

    ASA

    1. 52 25 27 2. 52

    79 52 27

    1. 8 1000 2 6 2. 8 1000 14 1000 8

    6 1000 2000

    ASA

    4-26 4-19

    ASA

    ASA ASA 2000 1000 500 2000 ASA 1000 1000 ASA 500

    4-26 4-19 ASA ASDM

  • 4 PAK AnyConnect AnyConnect 3

    AnyConnect 4 ASA AnyConnect

    AnyConnect ASA ASA

    ASA

    4-20 ASA 4-21 ASA 4-21 ASA 4-22 4-23

    /

    ASA 5506-X / - / -

    ASA 5512-X ASA 5555-X

    ASA 5512-X - -

    IPS IPS IPS

    IPS IPS ASAIPS ASA5515-IPS-K9 IPS ASA IPS

    IPS ASA

    IPS IPS ASA IPS IPS IPS 4-20 ASA ASDM

  • 4 PAK 0

    ASA

    ASA

    ASA

    ASA

    ASA 10 AnyConnect 20 AnyConnect

    500 AnyConnect ASA 5525-X 750 750 AnyConnect

    AnyConnect 500 250

    ASAv / - / -

    ASA 5585-X 10 GE I/O/

    SSP-10 SSP-20 ASA 5585-XASA 5512-X

    ASA 5515-X ASA 5525-XASA 5545-X ASA 5555-X

  • 4 PAK ASA 5545-X ASA 20 10 30 / 18 12 30

    ASA SSP-10 ASA 5585-X ASA 50 2

    100 100 100 100

    SSP-60 ASA 5585-X ASA 50 2 250 152 152 152

    // / ASA

    48 96

    PAK 4-32

    ASA

    30 30

    30 /// 30 30

    1. 52 104

    2. /ASA 10 94 / 42 / 52

    3. // 94

    4.

    30 - / 4 / 4 90 38 52

    30 - 6 // 6 84 / 36 / 46 4-22 ASA ASDM

  • 4 PAK

    4-15 4-26

    / ASA ASA

    VPN (3DES/AES) ASDM HTTPS/SSL SSHv2 Telnet SNMPv3 SSL VPN

    PAK 4-32

    AnyConnect

    1000 AnyConnect 2500 ASA

  • 4 PAK 8.3(1) 8.3

    AnyConnect AnyConnect

    AnyConnect AnyConnect

    PAK

    ASA 4-20

    ASAv ASAv ASA 5506-X ASA 5508-X ASA 5516-X

    8.1 - 8.2 8.2 ASA 8.2

    8.2 - 8.3

    8.3

    8.3 4-24 ASA ASDM

  • 4 PAK

    TAC

    25 SSL VPN 50 75 50 25 75

    AnyConnect AnyConnect AnyConnect AnyConnect Configuration > Remote Access VPN > Network (Client) Access > Advanced > AnyConnect Essentials AnyConnect

    PAK

    4-25 4-26

    AnyConnect Cisco.com

    1 ASA Configuration > Device Management > Licensing > Activation Key

    2 Cisco.com 3

    http://www.cisco.com/go/license 4

    ASA

  • 4 PAK

    5 4

    ASA

    1 Configuration > Device Management Licensing > Activation Key Licensing Activation Key

    2 New Activation Key

    key 0x ASA0xd11b3d48 0xa80a4c0a 0x48e0fd1c 0xb0443480 0x843fc490

    Time-based License Keys Installed

    3 Time-based License Keys Installed Activate Deactivate

    4 Update Activation Key ASA

    4-17 4-15 4-26

    4-15

    ASAv vCPU 4-26 ASA ASDM

  • 4 AnyConnect 3 AnyConnect 3

    AnyConnect 4 ASA AnyConnect

    4-27 4-31 4-31

    AnyConnect ASA ASA

    4-27 4-28 4-28 4-29 4-30

    1. ASA 2. ASA

    3. ASA

    4.

    5. ASA

    IP

    6.

    7. 50 4-27 ASA ASDM

  • 4 AnyConnect 3 8.

    a.

    b.

    9.

    ASA SSL

    3

    24 24

    24

    10

    30 30 15 30

    5 30 20 10 20 30 4-28 ASA ASDM

  • 4 AnyConnect 3

    4-29 4-30

    ASA VPN

    /

    /

    2 1 2 1 2 1 2 1 2 2 4-14-29 ASA ASDM

  • 4 AnyConnect 3 4-1

    4-28

    ID ID ID

    ASA

    [Figure: failover pair diagram]

    Key: Blue = Shared license server in use; (Active) = Active failover unit

    1. Normal operation:
       Failover Pair #1: Main (Active), Main (Standby)
       Failover Pair #2: Backup (Active), Backup (Standby)

    2. Primary main server fails over:
       Failover Pair #1: Main (Failed), Main (Active)
       Failover Pair #2: Backup (Active), Backup (Standby)

    3. Both main servers fail:
       Failover Pair #1: Main (Failed), Main (Failed)
       Failover Pair #2: Backup (Active), Backup (Standby)

    4. Both main servers and primary backup fail:
       Failover Pair #1: Main (Failed), Main (Failed)
       Failover Pair #2: Backup (Failed), Backup (Active)

  • 4 AnyConnect 3

    ASA

    1 Configuration > Device Management > Licenses > Shared SSL VPN Licenses 2 Shared Secret 4 128 ASCII

    3 TCP IP Port SSL 1 65535 TCP 50554

    4 Refresh interval 10 300 30

    5 Interfaces that serve shared licenses Shares Licenses

    6 Optional backup shared SSL VPN license server

    a. Backup server IP address IP b. Primary backup server serial number c. Secondary backup server serial number

    1 7 Apply

    1 Configuration > Device Management > Licenses > Shared SSL VPN Licenses 2 Shared Secret 4 128 ASCII 4-31 ASA ASDM

  • 4 PAK 3 TCP IP Port SSL 1 65535 TCP 50554

    4 Select backup role of participant a. Backup Server b. Shares Licenses

    5 Apply

    PAK

    4-32 4-33

    VPN 4-23

    1 Configuration > Device Management > Licensing > Activation Key Running Licenses

    Configuration > Device Management > Activation Key

    ASA 4-21 License Duration

    2 Time-Based License Keys Installed Show License Details

    3 Running Licenses Show information of license specifically purchased for this device alone4-32 ASA ASDM

  • 4 PAK

    Monitoring > VPN > Clientless SSL VPN > Shared Licenses

    PAK

    VLAN 7.0(5) ASA5510 32000 50000

    VLAN 0 10 ASA5510 64000 130000

    VLAN 10 25 ASA5520 130000 280000VLAN

    25 100 ASA5540 280000 400000VLAN

    100 200SSL VPN 7.1(1) SSL VPN SSL VPN 7.2(1) ASA 5550 5000 SSL VPN

    ASA 5510 7.2(2) ASA 5510 3

    VLAN 7.2(2) ASA 5505 VLAN 53 1 1 20 1 8 20 backup interface ISP Easy VPN

    VLAN ASA 5510 10 50 25 100 ASA 5520 100 150 ASA 5550 200 250

    ASA 5510

    7.2(3) ASA 5510 Ethernet 0/0 0/1 (1000 Mbps) (100 Mbps) Ethernet 0/20/3 0/4

    Ethernet 0/0 Ethernet 0/14-33 ASA ASDM

  • 4 PAK 8.0(2) Cisco AnyConnect SSL VPN ASA ASA (DAP)

    ASA 5510 VPN 8.0(2) ASA 5510 VPN AnyConnect 8.0(3) AnyConnect

    Windows AnyConnect ASA 8.0(4)/8.1(2) ASA 5580 VLAN 8.1(2) ASA 5580 VLAN 100 250 8.0(4) UC

    TLS UC TLS UC 8.1

    8.2(1) IP

  • 4 PAK AnyConnect 8.2(1) AnyConnect AnyConnect VPN ASA SSL VPN AnyConnect AnyConnect AnyConnect VPN

    Web (WebLaunch) AnyConnect

    AnyConnect AnyConnect

    ASA AnyConnect AnyConnect ASA AnyConnect AnyConnect ASA AnyConnect Configuration > Remote Access VPN > Network (Client) Access > Advanced > AnyConnect Essentials

    SSL VPN AnyConnect SSL VPN

    8.2(1) SSL VPN AnyConnect SSL VPN

    SSL VPN 8.2(1) SSL VPN ASA SSL VPN

    8.2(2) UC 10 GE I/O SSP-20 ASA 5585-X

    8.2(3) 10 GE I/O SSP-20 ASA 5585-X 10 SSP-60 10 8.3(x) ASA 5585-X

    10 GE I/O SSP-10 ASA 5585-X

    8.2(4) 10 GE I/O SSP-10 ASA 5585-X 10 SSP-40 10 8.3(x) ASA 5585-X

    8.3(1)

    Configuration > Device Management > Licensing > Activation Key

    8.3(1) ASA

  • 4 PAK 8.3(1) IME 8.3(1) ASA

    8.3(1)

    Configuration > Device Management > Licensing > Activation Key

    8.3(1)

    Configuration > Device Management > Licensing > Activation Key

    AnyConnect SSL VPN AnyConnect SSL VPN

    8.3(1) AnyConnect SSL VPN AnyConnect SSL VPN

    8.3(2) ASA 5505 5550 VPN 8.3(x) 8.4(1)

    ASA

    ASA 55505580 5585-X 8.4(1) SSP-10 ASA 5550 ASA 5585-X 50 100 SSP-20 ASA 5580 5585-X 50 250

    ASA 5580 5585-X VLAN 8.4(1) ASA 5580 5585-X VLAN 250 1024

    ASA 5580 5585-X 8.4(1) ASA 5580-20 - 1,000,000 2,000,000 ASA 5580-40 - 2,000,000 4,000,000 SSP-10 ASA 5585-X750,000 1,000,000 SSP-20 ASA 5585-X1,000,000 2,000,000 SSP-40 ASA 5585-X2,000,000 4,000,000 SSP-60 ASA 5585-X2,000,000 10,000,000

    AnyConnect SSL VPN AnyConnect

    8.4(1) AnyConnect SSL VPN AnyConnect SSL VPN Peers AnyConnect Premium Peers

    ASA 5580 AnyConnect VPN 8.4(1) AnyConnect VPN 5,000 10,000 ASA 5580 VPN 8.4(1) VPN 5,000 10,000 IKEv2 IPsec VPN 8.4(1) AnyConnect AnyConnect

    IKEv2 IPsec VPN ASA IKEv2

    IKEv2 VPN IPsec VPN VPN

  • 4 PAK 8.4(1) ASA 5585-XASA VPN ASA /

    SSP-20 SSP-40 SSP 8.4(2) SSP-40 SSP-60 SSP SSP SSP-40 SSP-60 SSP SSP SSP VPN VPN

    ASA 5512-X ASA 5555-X IPS

    8.6(1) ASA 5512-XASA 5515-XASA 5525-XASA 5545-X ASA 5555-X IPS SSP IPS

    ASA 5580 5585-X 9.0(1) ASA 5580 5585-X ASASM VPN 9.0(1) ASASM VPN ASASM 9.0(1) ASASM SSP-10 SSP-20 ASA 5585-X SSP SSP-40 SSP-60 SSP VPN

    9.0(1) ASA 5585-X SSP SSP SSP SSP VPN

    ASA 5500-X 9.1(4) ASA 5512-XASA 5515-XASA 5525-XASA 5545-X ASA 5555-X 2 ASA 5512-X

    ASA 5585-X 16 9.2(1) ASA 5585-X 16 ASAv4 ASAv30

    9.2(1) ASAv ASAv4 ASAv30

  • 5

    ASAv

    (PAK) ASAv

    5-1 5-4 5-6 5-6 5-6 5-7 5-8 5-9 5-10

    ASAv

    ASAv5 ASAv10 5-2 ASAv30 5-3 5-4 5-1 ASA ASDM

  • 5 ASAv ASAv5 ASAv10

    5-1 ASAv5 ASAv10

    100,000GTP/GPRS

    UC UC

    500

    VPN AnyConnect Plus Apex AnyConnect

    AnyConnect

    250

    VPN AnyConnect

    AnyConnect Essentials AnyConnect

    VPN

    VPN

    250

    VPN 250VPN

    ASAv5100 MbpsASAv101 Gbps

    (3DES/AES) / 716

    VLAN 50RAMvCPU vCPU

    2 GB 1 vCPU 5000 MHz5-2 ASA ASDM

  • 5 ASAv ASAv30

    5-2 ASAv30

    500,000GTP/GPRS

    UC UC

    1000

    VPN AnyConnect Plus Apex AnyConnect

    AnyConnect

    750

    VPN AnyConnect

    AnyConnect Essentials AnyConnect

    VPN

    VPN

    750

    VPN 750VPN

    2 Gbps (3DES/AES) / 1316

    VLAN 200RAMvCPU vCPU

    8 GB 4 vCPU 20000 MHz 2 3 vCPU

    2 vCPU - 4 GB RAM10000 MHz vCPU 250,000 3 vCPU - 4 GB RAM15000 MHz vCPU 350,000 5-3 ASA ASDM

  • 5 ASAv

    ASAv

    5-5 5-5 5-5 5-5 5-5

    5-3

    AnyConnect Premium VPN AnyConnect Plus Apex AnyConnect VPN

    SSL VPN SSL VPN IKEv2 IPsec VPN

    DES 3DES DES DES

    VLAN EtherChannel interface

    VPN VPN VPN IKEv1 IPsec VPN IKEv1 IPsec VPN IKEv2 IPsec VPN

    VPN

    VPN VPN AnyConnect VPN VPN VPN ASA

    SSL VPN AnyConnect 1 AnyConnect SSL VPN 2

    VLAN VLAN VLAN5-4 ASA ASDM

  • 5 ASAv

    ASAv http://tools.cisco.com/rhodui/index

    ASAv ASAv

    30 ASAv ASAv ID ASAv ASAv ASAv ID 1 6

    ASAv 30 ASAv ASAv HTTP ASAv 90 HTTP 30 ASAv 90 90

    ASAv - ASAv - - ASAv 90 ASAv 5-5 ASA ASDM

  • 5 ASAv Smart Call Home Smart Call Home License URL URL TAC URL Smart Call Home no service call-home Smart Call Home Smart Call Home

    http://tools.cisco.com/rhodui/index ASAv ASAv HTTP ASAv

    DNS ASA DNS 18-10

    PAK ASAv PAK ASAv ASAv

    ASAv License Smart Call Home

    URL ASAv HTTP 5-6 ASA ASDM

  • 5 ASAv ASAv ASAv

    1 HTTP 5-7 2 5-7 3 ASAv 5-8

    HTTP HTTP Smart Call Home

    1 Configuration > Device Management > Smart Call-Home 2 Enable HTTP Proxy 3 Proxy server Proxy port IP HTTPS

    443 4 Apply

    1 Configuration > Device Management > Licensing > Smart Licensing 2 Enable Smart license configuration 3 Feature Tier Standard

    4 Throughput Level 100M 1G 2G 5 Apply5-7 ASA ASDM

  • 5 ASAv ASAv ASAv ASAv ID ASAv ID ASAv

    1 ASAv 2 Configuration > Device Management > Licensing > Smart Licensing 3 Register 4 ID Token 5 Force registration ASAv

    ASAv Force registration 6 Register

    ASAv

    ASAv ID

    ASAv 5-8 ID 5-9

    ASAv ASAv ASAv ASAv ASAv ASAv

    1 Configuration > Device Management > Licensing > Smart Licensing 2 Unregister5-8 ASA ASDM

  • 5 ASAv ID ID 6 30

    1 Configuration > Device Management > Licensing > Smart Licensing 2 ID Renew ID Certificate 3 Renew Authorization

    5-9 5-9

    Configuration > Device Management > Licensing > Smart Licensing Effective Running Licenses

    Monitoring > Properties > Smart License UDI

    Configuration > Device Management > Licensing > Smart Licensing > Registration Status5-9 ASA ASDM

  • 5 ASAv

    ASAv 9.3(2) PAK ASAv

    Configuration > Device Management > Licensing > Smart LicenseConfiguration > Device Management > Smart Call-HomeMonitoring > Properties > Smart License5-10 ASA ASDM

  • 6

    6-1 6-6 6-6 6-7 ARP 6-8 MAC 6-10 6-11 6-21

    6-1 6-1

    ASA ASA IP ASA ASA

    2 6-1 ASA ASDM

  • 6 6-2 6-3 6-3 3 6-3 MAC 6-4 6-4 BPDU 6-4 MAC 6-4 ARP 6-5 MAC 6-5

    ASA

    6-1

    6-1

    [Figure: network diagram. Labels, in source order: 10.1.1.1; 10.1.1.2; Management IP; 10.1.1.3; 192.168.1.2; Network A; Network B; Internet]

  • 6

    ASA ASA ASA AAA

    6-2 ASA

    6-2

    IP ASA IP IP 6-3

    ASA IP

    IP / ASA 11-2

    3

    IPv4 IPv6 ACL

    [Figure: network diagram. Labels: 10.2.1.1; 10.1.1.1; Management IP Bridge Group 2 10.2.1.2; Management IP Bridge Group 1 10.1.1.2; 10.2.1.3; 10.1.1.3]

  • 6 ARP ACL ARP ARP IPv6 ACL 3 ACL

    MAC

    MAC MAC MAC FFFF.FFFF.FFFF IPv4 MAC 0100.5E00.0000 0100.5EFE.FFFF IPv6 MAC 3333.0000.0000 3333.FFFF.FFFF BPDU 0100.0CCC.CCCD AppleTalk MAC 0900.0700.0000 0900.07FF.FFFF

    ASA ACL ACL IP EtherType ACL IP IP AppleTalk IPX BPDU MPLS EtherType ACL

    ASA CDP 0x600 EtherType BPDU IS-IS

    ACL DHCP DHCP IP/TV ACL OSPF RIP EIGRP BGP HSRP VRRP ASA

    BPDU

    BPDU BPDU EtherType ACL BPDU BPDU 9-14

    MAC

    ASA MAC

    ASA - ASA

    NAT ASA - ASA ASA 6-4 ASA ASDM

  • 6 ASA IP (VoIP) DNS - CCM H.323 H.323 ASA H.323 NAT CTIQBE DNS GTP H.323 MGCP RTSP SIP Skinny (SCCP)

    ARP

    ARP ASA ARP ARP ARP ASA ARP MAC IP ARP

    IP MAC ARP MAC IP ASA ARP ARP ASA

    flood

    ARP ARP ARP ARP MAC MAC MAC ARP ARP ARP MAC IP MAC ARP

    MAC

    ASA MAC ASA ASA MAC MAC ASA

    ASA MAC ASA

    - ASA IP ARP ASA ARP

    - ASA IP ping ASA ping

  • 6

    ARP ASA ARP MAC 5 MAC ASA

    MAC

    MAC Catalyst VLAN MAC ASA MAC ASA 30 MAC

    IP ASA

    IP

    15-4

    IPv6

    IPv6

    ASA 6-7

    ASA firewall transparent ASA ASA 6-6 ASA ASDM

  • 6

    6-1

    CLI ASDM ASDM 8-17

    ASA 6-6

    CLI ASDM

    SSH ASA

    ASDM ASDM 2-7

    6-1

    DNS -DHCP DHCP DHCP

    DHCP ACL DHCP DCHP

    ASA ACL ASA

    IP ACL ASAQoS - VPN VPN

    ASA VPN ACL VPN ASA SSL VPN

    -6-7 ASA ASDM

  • 6 ARP 1

    firewall transparent

    ciscoasa(config)# firewall transparent

    no firewall transparent

    ARP ARP

    1 ARP 6-8 ARP ARP ARP ARP ARP ARP

    2 ARP 6-9 ARP

    ARP ARP ARP ARP ARP IP MAC ARP IP MAC ARP MAC ARP ARP ARP ARP IP MAC

    ARP ARP ASA

    1 Configuration > Device Management > Advanced > ARP > ARP Static Table 2 ARP Timeout ARP ARP

    ASA ARP 60 4294967 14400 ARP 6-8 ASA ASDM

  • 6 ARP 3 8.4(5) Allow non-connected subnets ASA ARP ARP ASA (DoS) ARP ASA ARP

    ARP 4 Add

    Add ARP Static Configuration 5 Interface 6 IP Address IP 7 MAC Address MAC 00e0.1e4e.3d8b 8 Proxy ARP ARP

    ASA IP ARP MAC 9 OK Apply

    ARP ARP

    1 Configuration > Device Management > Advanced > ARP > ARP Inspection 2 ARP Edit

    Edit ARP Inspection 3 Enable ARP Inspection ARP 4 Flood ARP Packets ARP

    ARP MAC IP ASA ASA ARP

    0/0 0/1 flood

    5 OK Apply6-9 ASA ASDM

  • 6 MAC MAC MAC

    MAC 6-10 MAC 6-10

    MAC

    MAC MAC MAC MAC MAC MAC MAC ASA ARP ARP 6-8 MAC MAC MAC MAC

    1 Configuration > Device Setup > Bridging > MAC Address Table 2 Dynamic Entry Timeout MAC

    MAC 5 720 12 5

    3

    Add MAC Address Entry 4 Interface Name MAC 5 MAC Address MAC 6 OK Apply

    MAC

    MAC ASA MAC MAC MAC ASA MAC

    1 Configuration > Device Setup > Bridging > MAC Learning 2 MAC Disable 3 MAC Enable 4 Apply6-10 ASA ASDM

  • 6 ASA

    ASA 6-11 6-16

    ASA ASA

    Web 6-11 DMZ Web 6-12 DMZ Web 6-13 6-14 DMZ 6-15

    Web

    6-3 Web

    6-3

    [Figure: network diagram. Labels: Web Server 10.1.1.3; www.example.com; User 10.1.2.27; 209.165.201.2; 10.1.1.1; 10.1.2.1; Source Addr Translation: 209.165.201.10, 10.1.2.27; Outside; Inside; DMZ]

  • 6 ASA 6-31. www.example.com 2. ASA ASA

    AAA ASA

    3. ASA (10.1.2.27) 209.165.201.10

    4. ASA 5. www.example.com ASA

    ASA 10.1.2.27 NAT

    6. ASA

    DMZ Web

    6-4 DMZ Web

    6-4 DMZ

    ASA 6-41. 209.165.201.3 DMZ Web

    [Figure: network diagram. Labels: Web Server 10.1.1.3; User; 209.165.201.2; 10.1.1.1; 10.1.2.1; Dest Addr Translation: 209.165.201.3, 10.1.1.13; Outside; Inside; DMZ]

  • 6 2. ASA 10.1.1.33. ASA AAA

    ASA 4. ASA DMZ 5. DMZ Web ASA

    ASA 209.165.201.3 NAT6. ASA

    DMZ Web

    6-5 DMZ Web

    6-5 DMZ

    ASA 6-51. 10.1.1.3 DMZ Web 2. ASA ASA

    AAA ASA

    3. ASA DMZ

    [Figure: network diagram. Labels: Web Server 10.1.1.3; User 10.1.2.27; 209.165.201.2; 10.1.1.1; 10.1.2.1; Inside; DMZ; Outside]

  • 6 4. DMZ Web

    5. ASA

    6-6

    6-6

    ASA 6-61. IP

    NAT NAT

    2. ASA ASA AAA

    3. ASA ASA

    [Figure: network diagram. Labels: www.example.com; User 10.1.2.27; 209.165.201.2; 10.1.1.1; 10.1.2.1; Outside; Inside; DMZ]

  • 6 DMZ

    6-7 DMZ

    6-7 DMZ

    ASA 6-71. DMZ DMZ

    2. ASA ASA AAA

    ASA

    [Figure: network diagram. Labels: Web Server 10.1.1.3; User 10.1.2.27; 209.165.201.2; 10.1.1.1; 10.1.2.1; Outside; Inside; DMZ]

  • 6

    6-8 Web ASA Web

    6-8

    ASA Web 6-17 NAT Web 6-18 Web 6-19 6-20

    [Figure: network diagram. Labels: www.example.com; 209.165.201.2; Management IP 209.165.201.6; 209.165.200.230; Web Server 209.165.200.225; Host 209.165.201.3; Internet]

  • 6 Web

    6-9 Web

    6-9

    ASA 6-91. www.example.com 2. ASA MAC MAC

    AAA ASA

    3. ASA 4. MAC ASA MAC

    (209.165.201.2) MAC ASA ASA ARP ping MAC

    5. Web 6. ASA

    [Figure: network diagram. Labels: Management IP 209.165.201.6; www.example.com; 209.165.201.2; Host 209.165.201.3; Internet]

  • 6 NAT Web

    6-10 Web

    6-10 NAT

    ASA 6-101. www.example.com 2. ASA MAC MAC

    AAA ASA

    3. ASA (10.1.2.27) 209.165.201.10 ASA

    4. ASA 5. MAC ASA MAC

    (10.1.2.1) MAC ASA ASA ARP ping MAC

    6. Web 7. ASA 10.1.2.27 NAT

    [Figure: network diagram. Labels: Management IP 10.1.2.2; www.example.com; 10.1.2.1; Host 10.1.2.27; Internet; Source Addr Translation: 209.165.201.10, 10.1.2.27; Static route on router to 209.165.201.0/27 through security appliance; Security appliance]

  • 6 Web

    6-11 Web

    6-11

    ASA 6-11 1. Web 2. ASA MAC MAC

    AAA ASA

    3. ASA 4. MAC ASA MAC

    (209.165.201.1) MAC ASA ASA ARP ping MAC

    5. Web 6. ASA

    [Figure: Host; 209.165.201.2; 209.165.201.1; 209.165.200.230; Web Server 209.165.200.225; Management IP 209.165.201.6; Internet]

  • 6

    6-12

    6-12

    ASA 6-12 1.

    2. ASA MAC MAC AAA ASA

    3. ASA 4. ASA

    [Figure: Management IP 209.165.201.6; Host; 209.165.201.2; Host 209.165.201.3; Internet]

  • 6

    6-2

    7.0(1) 2

    firewall transparent show firewall ASDM

    ARP 7.0(1) ARP ARP MAC IP ARP arp arp-inspection show arp-inspection

    MAC 7.0(1) MAC mac-address-table staticmac-address-table aging-time mac-learn disable show mac-address-table

    8.4(1) 8 4 ASA 5505

    ASA 5505 1

    Configuration > Device Setup > Interface Settings > Interfaces
    Configuration > Device Setup > Interface Settings > Interfaces > Add/Edit Bridge Group Interface
    Configuration > Device Setup > Interface Settings > Interfaces > Add/Edit Interface

    ARP 8.4(5)/9.1(2) ASA ARP ARP ASA (DoS) ARP ASA ARP

    ARPConfiguration > Device Management > Advanced > ARP > ARP Static Table

  • 6 8.5(1)/9.0(1)

    firewall transparent ASDM

    Configuration > Context Management > Security Contexts

    250 9.3(1) 8 250 250 4

    Configuration > Device Setup > Interface Settings > Interfaces
    Configuration > Device Setup > Interface Settings > Interfaces > Add/Edit Bridge Group Interface
    Configuration > Device Setup > Interface Settings > Interfaces > Add/Edit Interface

    6-2


  • 7

    ASDM ASA 7-1 7-1 7-1 7-5

    Wizards > Startup Wizard Configuration > Device Setup > Startup Wizard Launch Startup Wizard

    Modify existing configuration Reset configuration to factory defaults

    Configure the IP address of the management interface 0/0 IP (192.168.1.1)

  • 7 Cancel

    Telnet 18-1

    IP IPv6

    15-5 IPv6 15-11

    - PPPoE

    PPoE

    15-10

    IP

    IPv4 IP ASA BVI 1 IP

    15-8

  • 7

    15-5 16-6

    22-4

    DHCP DHCP

    DHCP 19-4

    (NAT/PAT) NAT PAT

    ASDM Telnet SSH Enable HTTP server for HTTPS/ASDM access HTTP

    ASDM Enable ASDM history metrics

    ASDM Telnet SSH ASA 34-4 3-29

    IPS ASDM IPS IPS ASA

  • 7 ASA CX (ASA 5585-X) ASDM ASA CX ASA CX ASA ASA CX CLI

    ASA FirePOWER ASDM ASA FirePOWER (EULA) ASA FirePOWER ASA ASA FirePOWER CLI ASA FirePOWER

    18-6

    Enable Auto Update Server for ASA IPS Enable Signature and Engine Updates from Cisco.com

    Cisco.com hh:mm:ss 24

    35-25

    ASA Back

    Finish ASA

    ASDM File > Save Running Configuration to Flash

  • 7

    7-1

    Startup Wizard 7.0(1) Wizards > Startup Wizard

    ASA IPS 8.4(1) ASA IPS IPS Basic Configuration IPS Auto Update Time Zone and Clock Configuration ASA IPS ASA

    Wizards > Startup Wizard > IPS Basic Configuration
    Wizards > Startup Wizard > Auto Update
    Wizards > Startup Wizard > Time Zone and Clock Configuration

    ASA CX 9.1(1) ASA IPS ASA CX Basic Configuration

    Wizards > Startup Wizard > ASA CX Basic Configuration

    ASA FirePOWER

    9.2 2.4 ASA FirePOWER ASA FirePOWER Basic Configuration

    Wizards > Startup Wizard > ASA FirePOWER Basic Configuration


  • 2

  • 8

    ASA 8-1 8-12 8-13 8-13 8-14 8-20 8-21 8-24 8-26

    ASA 8-13

    8-2 8-2 ASA 8-2 8-6 8-7 8-8 MAC 8-10

  • 8

    ASA

    ASA

    ASA 8-2 8-2 8-2

    ASA TFTP FTP HTTP(S)

    ASA

    admin.cfg admin admin.cfg

    ASA ASA ASA

    8-3 8-4

  • 8 MAC MAC

    8-3 MAC 8-3 NAT 8-3

    IP

    ASA

    MAC

    MAC MAC MAC MAC

    NAT

    MAC ASA NAT MAC NAT NAT

  • 8

    8-1 B MAC B

    8-1 MAC

    [Figure: Classifier; Context A; Context B; Admin Context; MAC 000C.F142.4CDC; MAC 000C.F142.4CDB; MAC 000C.F142.4CDA; GE 0/1.3; GE 0/1.2; GE 0/0.1 (Shared Interface); GE 0/1.1; Host 209.165.201.1; Host 209.165.200.225; Host 209.165.202.129; Packet Destination: 209.165.201.1 via MAC 000C.F142.4CDC; Internet; Inside Customer A; Inside Customer B; Admin Network]

  • 8 8-2 B B 0/1.3 B

    8-2

    [Figure: Host 10.1.1.13 (three hosts); Classifier; Context A; Context B; Admin Context; GE 0/1.3; GE 0/1.2; GE 0/0.1; GE 0/1.1; Inside Customer A; Inside Customer B; Internet; Admin Network]

  • 8 8-3 B B 1/0.3 B

    8-3

    MAC MAC MAC

    [Figure: Host 10.1.3.13; Host 10.1.2.13; Host 10.1.1.13; Context A; Context B; Admin Context; GE 1/0.3; GE 1/0.2; GE 1/0.1; GE 0/0.3; GE 0/0.1; GE 0/0.2; Classifier; Inside Customer A; Inside Customer B; Internet; Admin Network]

  • 8 8-4

    8-4

    ASA

    8-7 8-8

    ASA ASA

    Telnet SSH ASDM Telnet SSH ASDM 34

    enable_15 enable_15 login admin

    [Figure: Admin Context; Context A; Gateway Context; GE 1/1.43; GE 0/0.2 Outside; GE 1/1.8; GE 0/0.1 (Shared Interface); Internet; Inside; Outside]

  • 8 admin A enable_15 login admin B login admin AAA

    TelnetSSH ASDM TelnetSSH ASDM 34

    ASA VPN VPN VPN

    8-8 8-8 8-9 8-9 8-10

    ASA

    ASA ASA VPN VPN ASA VPN VPN 8-8 ASA ASDM

  • 8

    2%

    Telnet - 5 SSH - 5 IPsec - 5 MAC - 65535 VPN - 0 VPN 8-5 A C B Gold D

    8-5

    100% VPN ASA Bronze 20% 10 200% 20% 8-6

    [Figure: Default Class; Class Gold (All Limits Set); Class Silver (Some Limits Set); Class Bronze (Some Limits Set); Context A; Context B; Context C; Context D]

  • 8 8-6

    ASA A B C Silver 1% 3% 2% Gold Gold 97% AB C 1% AB C 3% 8-7 ASA

    8-7

    MAC ASA MAC MAC 8-20 MAC MAC ASA 8-2

    [Figure: Total Number of System Connections = 999,900; legend: Maximum connections allowed, Connections denied because system limit was reached, Connections in use; Contexts in Class 1 to 10; Max. 20% (199,800); 16% (159,984); 12% (119,988); 8% (79,992); 4% (39,996)]

    [Figure: legend: Maximum connections allowed, Connections denied because system limit was reached, Connections in use; Contexts Silver Class A, B, C; Contexts Gold Class 1, 2, 3; 1%; 2%; 3%; 5%; 4%; 50%; 43%]

  • 8 MAC MAC MAC MAC MAC MTU TCP MSS 16-5

    MAC 8-11 MAC 8-11 MAC 8-11 MAC 8-11

    MAC

    8.5(1.7) MAC ASA (ASA 5500-X) (ASASM) MAC MAC MAC

    ASA 5500-X - MAC MAC

    ASASM - VLAN MAC MAC MAC 8-11

    8.5(1.6) ASA ASASM ASASM MAC MAC MAC mac-address auto

    MAC

    MAC MAC MAC A2 A2 MAC

    MAC

    ASA MAC MAC MAC 8-11

    MAC

    ASA MAC A2xx.yyzz.zzzz xx.yy (ASA 5500-X) (ASASM) MAC zz.zzzz ASA MAC 1

  • 8 77 ASA 77 004D (yyxx) MAC (xxyy) ASA A24D.00zz.zzzz 1009 (03F1) MAC A2F1.03zz.zzzz

    MAC ASA mac-address auto

    ASA 5506-X ASA 5508-X 2

    5 ASA 5512-X

    2 5

    ASA 5515-X 2 5

    ASA 5516-X 2 5

    ASA 5525-X 2 5 10 20

    ASA 5545-X 2 5 10 20 50

    ASA 5555-X 2 5 10 20 50 100

    ASA 5585-X SSP-10

    2 5 10 20 50 100

    ASA 5585-X SSP-20 SSP-40 SSP-60

    2 5 10 20 50 100 250

    ASASM 2 5 10 20 50 100 250

    ASAv

  • 8 IP 2 ASA

    /

    IPv6

    IPv6

    IPv6

    RIP OSPFv3 OSPFv2

    QoS VPN VPN

    ASA 5585-X FAT 16 8.3 512 http://support.microsoft.com/kb/120138/en-us

    ASA 8-9 MAC 8-11

  • 8

    1 8-14 2 8-15

    VPN VPN VPN 3

    ASA 5500-X - 11 ASASM - ASASM

    4 8-17 5 MAC MAC 8-20 6 15

    ASA ASDM / 9 / CLI CLI

    8-14 8-15

    ASA admin.cfg old_running.cfg ASA admin

    ASA 35-8

    1

    mode multiple

  • 8

    ciscoasa(config)# mode multiple

    ASA

    1

    copy disk0:old_running.cfg startup-config

    ciscoasa(config)# copy disk0:old_running.cfg startup-config

    2

    mode single

    ciscoasa(config)# mode single

    ASA

    8-1

  • 8 8-1

    1

    1. N/A

    ASDM 1 5

    32 ASDM ASDM HTTPS

    32 ASDM HTTPS 64

    /2

    2. xlates conns xlates 7 conns 9 ASA 321001 Resource 'xlates' limit of 7 reached for context 'ctx1' 321002 Resource 'conn rate' limit of 5 reached for context 'ctx1'

    N/A 4-1 N/A

    TCP UDP

    N/A N/A ASA / N/A N/A MAC N/A 65,535 MAC

    MAC N/A N/A VPN

    N/A VPN VPN

    VPN VPN 5000 VPN 4000 1000 VPN VPN VPN

    VPN N/A VPN 4-1

    VPN

    SSH 1 5

    100 SSH

    / N/A N/A Telnet 1

    5 100 Telnet

    xlates2 N/A N/A

  • 8

    1 Device List IP System 2 Configuration > Context Management > Resource Class Add

    Add Resource Class 3 Resource Class 20 4 Count Limited Resources

    8-1 8-16 0 VPN 0

    5 Rate Limited Resources 8-1 8-16 0

    6 OK

    URL

    ASASM ASASM VLAN ASASM ASA 5500-X 11 VLAN

    EtherChannel

    1 Device List IP System 2 Configuration > Context Management > Security Contexts Add

    Add Context 3 Security Context 32

    customerA CustomerA System Null

    4 Interface Allocation Add a. Interfaces > Physical Interface

    ID

  • 8 b. Interfaces > Subinterface Range ID ID ID

    c. Aliased Names Use Aliased Name in Context ID Name

    Range

    Range

    d. Show Hardware Properties in Context

    e. OK Add Context 5 IPS IPS Sensor Allocation

    IPS 6 Resource Assignment > Resource Class

    8-15 7 Config URL URL

    FTP URL ftp://server.example.com/configs/admin.cfg

    a. Login

    8 / Failover Group 9 ScanSafe Enable

    License 10 Description

  • 8 11 OK Security Contexts

    12 Change Firewall Mode

    Change Mode

    ASDM 6-7

  • 8 13 MAC MAC 8-20 14 Specify the maximum number of TLS Proxy sessions that the ASA needs to support

    TLS TLS

    MAC MAC MAC MAC 8-10 ASA MAC 8-25

    MAC MAC MAC MAC GigabitEthernet0/1 GigabitEthernet0/1 MAC

    MAC MAC MAC MAC MAC MTU TCP MSS 16-5

    1 Device List IP System 2 Configuration > Context Management > Security Contexts Mac-Address

    auto ASA (ASA 5500-X) (ASASM) MAC

    3 Prefix 0 65535 MAC MAC 8-11

    1 Device List IP System 2 Device List IP

  • 8

    8-21 8-21 URL 8-22 8-23

    1 Device List IP System 2 Configuration > Context Management > Security Contexts 3 Delete

    Delete Context 4 Also delete config

    URL file from the disk

    5 Yes

    ASDM ASDM ASDM

  • 8

    1 Device List IP System 2 Tools > Command Line Interface

    Command Line Interface 3

    admin-context context_name

    4 Send TelnetSSH HTTPS (ASDM)

    ntp server

    URL URL

    URL URL ASA

    URL

    URL

    1 Device List IP System 2 Configuration > Context Management > Security Contexts

  • 8 3 Edit Edit Context

    4 Config URL URL OK

    NAT

    URL

    8-23 8-24

    URL

    1 Device List IP 2 Tools > Command Line Interface

    Command Line Interface 3

    clear configure all

    4 Send

    5 Tools > Command Line Interface Command Line Interface

    6

    copy startup-config running-config

    7 Send ASA ASA URL URL

  • 8

    1. 8-21 Also delete config URL file from the disk 2. 8-17

    8-24 MAC 8-25

    1 Device List IP System 2 Monitoring 3 Context Resource Usage

    ASDM/Telnet/SSH - ASDM Telnet SSH Context -

    Existing Connections (#) - Existing Connections (%) - Peak Connections (#) - clear resource usage

    Routes - Context - Existing Connections (#) - Existing Connections (%) - Peak Connections (#) - clear resource usage

    Xlates - Context - Xlates (#) - Xlates (%) -

    Peak (#) - clear resource usage

  • 8 NATs - NAT Context - NATs (#) - NAT NATs (%) - NAT NAT Peak NATs (#) - clear resource usage

    NAT Syslogs -

    Context - Syslog Rate (#/sec) - Syslog Rate (%) -

    Peak Syslog Rate (#/sec) - clear resource usage

    VPN - VPN Context - VPN Connections - VPN VPN Burst Connections - VPN

    Existing (#) - Peak (#) - clear resource usage

    4 Refresh

    MAC MAC

    MAC 8-25 MAC 8-26

    MAC