Cisco ASDM User Guide
Version 5.2

Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706 USA
http://www.cisco.com
Tel: 408 526-4000
     800 553-NETS (6387)
Fax: 408 526-4100

Text Part Number: OL-10106-04

ASDM for Cisco ASA 5510


THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED "AS IS" WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

CCDE, CCVP, Cisco Eos, Cisco StadiumVision, the Cisco logo, DCE, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn is a service mark; and Access Registrar, Aironet, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Event Center, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, iQuick Study, IronPort, the IronPort logo, LightStream, Linksys, MediaTone, MeetingPlace, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerPanels, ProConnect, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.

All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word "partner" does not imply a partnership relationship between Cisco and any other company. (0801R)

Cisco ASDM User Guide
© 2008 Cisco Systems, Inc. All rights reserved.

  • OL-10106-04

CONTENTS

    About This Guide  xxix

    Related Documentation  xxix

    Obtaining Documentation and Submitting a Service Request  xxix

CHAPTER 1  Welcome to ASDM  1-1

    Important Notes  1-1

    New in This Release  1-2
    Features Introduced in the 5.2(1) Release  1-2
    Features Introduced in the 5.2(2) Release  1-2
    Features Introduced in the 5.2(3) Release  1-3
    Features Introduced in the 5.2(4) Release  1-4

    Unsupported Commands  1-5
    Ignored and View-Only Commands  1-5
    Effects of Unsupported Commands  1-6
    Other CLI Limitations  1-6

    About the ASDM Window  1-6
    Menus  1-7

    File Menu  1-7
    Options Menu  1-9
    Tools Menu  1-11
    Wizards Menu  1-22
    Help Menu  1-22

    Toolbar  1-22
    Status Bar  1-23

    Connection to Device  1-24
    Buttons That Appear on Many Panels  1-24

    About the Help Window  1-24
    Header Buttons  1-24
    Notes  1-25
    Home Page  1-25
    Home  1-25
    Home > Content Security Tab  1-27

CHAPTER 2  Before You Start  2-1

    Factory Default Configurations  2-1
    Restoring the Factory Default Configuration  2-2
    ASA 5505 Default Configuration  2-2
    ASA 5510 and Higher Default Configuration  2-3
    PIX 515/515E Default Configuration  2-4

    Configuring the Security Appliance for ASDM Access  2-4

    Setting Transparent or Routed Firewall Mode at the CLI  2-5

    Downloading the ASDM Launcher  2-6

    Starting ASDM  2-6
    Starting ASDM from the ASDM Launcher  2-6
    Using ASDM in Demo Mode  2-7
    Starting ASDM from a Web Browser  2-8

    History Metrics  2-9

    Configuration Overview  2-9

CHAPTER 3  Using the Startup Wizard  3-1

    Startup Wizard  3-1
    Starting Point  3-3
    Basic Configuration  3-4
    Outside Interface Configuration  3-5
    Internet (Outside) VLAN Configuration  3-7
    Outside Interface Configuration - PPPoE  3-8
    Internet (Outside) VLAN Configuration - PPPoE  3-9
    Inside Interface Configuration  3-11
    Business (Inside) VLAN Configuration  3-12
    DMZ Interface Configuration  3-14
    Home (DMZ) VLAN Configuration  3-15
    Switch Port Allocation  3-17
    General Interface Configuration  3-18
    Static Routes  3-19
    Add/Edit Static Routes  3-19
    Route Monitoring Options  3-19
    Auto Update Server  3-19
    DHCP Server  3-20
    Address Translation (NAT/PAT)  3-21
    Administrative Access  3-23
    Add/Edit Administrative Access Entry  3-23
    Easy VPN Remote Configuration  3-25
    Management IP Address Configuration  3-27
    Other Interfaces Configuration  3-28
    Edit Interface  3-28
    Startup Wizard Summary  3-29

CHAPTER 4  Configuring Interfaces  4-1

    Security Level Overview  4-1

    Configuring the Interfaces  4-2
    Interfaces (System)  4-2

    Add/Edit Interface  4-3
    Hardware Properties  4-4

    Interfaces (Single Mode and Context)  4-5
    Add/Edit Interface > General  4-7
    Add/Edit Interface > Advanced  4-9
    PPPoE IP Address and Route Settings  4-10
    Hardware Properties  4-11

CHAPTER 5  Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance  5-13

    Interface Overview  5-13
    Understanding ASA 5505 Ports and Interfaces  5-14
    Maximum Active VLAN Interfaces for Your License  5-14
    Default Interface Configuration  5-16
    VLAN MAC Addresses  5-16
    Power Over Ethernet  5-16
    Monitoring Traffic Using SPAN  5-16
    Security Level Overview  5-17

    Configuring VLAN Interfaces  5-17
    Interfaces > Interfaces  5-18
    Add/Edit Interface > General  5-19
    Add/Edit Interface > Advanced  5-22

    Configuring Switch Ports  5-23
    Interfaces > Switch Ports  5-24
    Edit Switch Port  5-24

CHAPTER 6  Global Objects  6-1

    Using Network Objects and Groups  6-1
    Network Object Overview  6-1

    Configuring a Network Object  6-2
    Configuring a Network Object Group  6-3
    Using Network Objects and Groups in a Rule  6-4
    Viewing the Usage of a Network Object or Group  6-4

    Configuring Service Groups  6-5
    Service Groups  6-5
    Add/Edit Service Group  6-6
    Browse Service Groups  6-7

    Configuring Class Maps  6-8
    DNS Class Map  6-8
    Add/Edit DNS Traffic Class Map  6-9
    Add/Edit DNS Match Criterion  6-9
    Manage Regular Expressions  6-11
    Manage Regular Expression Class Maps  6-11
    FTP Class Map  6-12
    Add/Edit FTP Traffic Class Map  6-13
    Add/Edit FTP Match Criterion  6-13
    H.323 Class Map  6-15
    Add/Edit H.323 Traffic Class Map  6-15
    Add/Edit H.323 Match Criterion  6-16
    HTTP Class Map  6-17
    Add/Edit HTTP Traffic Class Map  6-18
    Add/Edit HTTP Match Criterion  6-18
    IM Class Map  6-22
    Add/Edit IM Traffic Class Map  6-23
    Add/Edit IM Match Criterion  6-23
    SIP Class Map  6-25
    Add/Edit SIP Traffic Class Map  6-26
    Add/Edit SIP Match Criterion  6-26

    Configuring Inspect Maps  6-28
    DCERPC Inspect Map  6-31
    Customize Security Level  6-32
    DCERPC Inspect Map Basic/Advanced View  6-33
    DNS Inspect Map  6-33
    Customize Security Level  6-35
    DNS Inspect Map Basic View  6-36
    DNS Inspect Map Advanced View  6-37
    Add/Edit DNS Inspect  6-38
    Manage Class Maps  6-40
    ESMTP Inspect Map  6-41
    Customize Security Level  6-42
    MIME File Type Filtering  6-43
    ESMTP Inspect Map Basic View  6-44
    ESMTP Inspect Map Advanced View  6-44
    Add/Edit ESMTP Inspect  6-45
    FTP Inspect Map  6-49
    Customize Security Level  6-50
    File Type Filtering  6-51
    FTP Inspect Map Basic View  6-51
    FTP Inspect Map Advanced View  6-52
    Add/Edit FTP Map  6-53
    GTP Inspect Map  6-55
    Customize Security Level  6-56
    IMSI Prefix Filtering  6-57
    GTP Inspect Map Basic View  6-57
    GTP Inspect Map Advanced View  6-58
    Add/Edit GTP Map  6-60
    H.323 Inspect Map  6-61
    Customize Security Level  6-62
    Phone Number Filtering  6-63
    H.323 Inspect Map Basic View  6-64
    H.323 Inspect Map Advanced View  6-64
    Add/Edit HSI Group  6-66
    Add/Edit H.323 Map  6-66
    HTTP Inspect Map  6-67
    Customize Security Level  6-69
    URI Filtering  6-69
    HTTP Inspect Map Basic View  6-70
    HTTP Inspect Map Advanced View  6-70
    Add/Edit HTTP Map  6-71
    Instant Messaging (IM) Inspect Map  6-75
    Instant Messaging (IM) Inspect Map View  6-76
    Add/Edit IM Map  6-77
    IPSec Pass Through Inspect Map  6-79
    Customize Security Level  6-80
    IPSec Pass Through Inspect Map Basic View  6-80
    IPSec Pass Through Inspect Map Advanced View  6-81
    MGCP Inspect Map  6-82
    Gateways and Call Agents  6-82
    MGCP Inspect Map View  6-83
    Add/Edit MGCP Group  6-84
    NetBIOS Inspect Map  6-85
    NetBIOS Inspect Map View  6-86
    RADIUS Inspect Map  6-86
    RADIUS Inspect Map Host  6-87
    RADIUS Inspect Map Other  6-87
    SCCP (Skinny) Inspect Map  6-88
    Customize Security Level  6-89
    Message ID Filtering  6-90
    SCCP (Skinny) Inspect Map Basic View  6-91
    SCCP (Skinny) Inspect Map Advanced View  6-91
    Add/Edit Message ID Filter  6-92
    SIP Inspect Map  6-93
    Customize Security Level  6-94
    SIP Inspect Map Basic View  6-95
    SIP Inspect Map Advanced View  6-96
    Add/Edit SIP Inspect  6-97
    SNMP Inspect Map  6-100

    Add/Edit SNMP Map  6-100

    Configuring Regular Expressions  6-101
    Regular Expressions  6-101
    Add/Edit Regular Expression  6-102
    Build Regular Expression  6-104
    Test Regular Expression  6-106
    Add/Edit Regular Expression Class Map  6-106

    TCP Maps  6-107
    Add/Edit TCP Map  6-108

    Configuring Time Ranges  6-110
    Add/Edit Time Range  6-110
    Add/Edit Periodic Time Range  6-111

CHAPTER 7  Configuring Security Contexts  7-1

    Security Context Overview  7-1
    Common Uses for Security Contexts  7-2
    Unsupported Features  7-2
    Context Configuration Files  7-2
    How the Security Appliance Classifies Packets  7-2
    Valid Classifier Criteria  7-3
    Invalid Classifier Criteria  7-4
    Classification Examples  7-4

    Cascading Security Contexts  7-7
    Management Access to Security Contexts  7-8

    System Administrator Access  7-8
    Context Administrator Access  7-9

    Enabling or Disabling Multiple Context Mode at the CLI  7-9
    Backing Up the Single Mode Configuration  7-9
    Enabling Multiple Context Mode  7-9
    Restoring Single Context Mode  7-10

    Configuring Resource Classes  7-10
    Classes and Class Members Overview  7-10

    Resource Limits  7-11
    Default Class  7-12
    Class Members  7-13

    Adding a Resource Class  7-13
    Resource Class  7-13
    Add/Edit Resource Class  7-14

    Configuring Security Contexts  7-16
    Security Contexts  7-16
    Add/Edit Context  7-17
    Add/Edit Interface Allocation  7-18

CHAPTER 8  Configuring Device Properties  8-1

    Management IP  8-1

    Device Administration  8-2
    Banner  8-2
    Boot Image/Configuration  8-3

    Add Boot Image  8-4
    Clock  8-4
    Console  8-5
    Device  8-5
    FTP Mode  8-6
    ICMP Rules  8-7

    Add/Edit ICMP Rule  8-8
    Management Access  8-9
    NTP  8-10

    Add/Edit NTP Server Configuration  8-11
    Password  8-11

    Secure Copy  8-12
    SMTP  8-13
    SNMP  8-13

    Add/Edit SNMP Host Access Entry  8-16
    SNMP Trap Configuration  8-18

    TFTP Server  8-19
    User Accounts  8-20

    Add/Edit User Account > Identity Tab  8-22
    Add/Edit User Account > VPN Policy Tab  8-22
    Add/Edit User Account > WebVPN Tab  8-24

    Auto Update  8-28
    Set Polling Schedule  8-30
    Add/Edit Auto Update Server  8-30
    Advanced Auto Update Settings  8-31

    Client Update  8-32
    Add/Edit Client Update  8-33

    8-33

CHAPTER 9  DHCP and DNS Services  9-1

    DHCP Relay  9-1
    Edit DHCP Relay Agent Settings  9-3
    DHCP Relay - Add/Edit DHCP Server  9-3

    DHCP Server  9-4
    Edit DHCP Server  9-6
    Advanced DHCP Options  9-7

    DNS Client  9-9
    Add/Edit DNS Server Group  9-9

    Dynamic DNS  9-10
    Add/Edit Dynamic DNS Update Methods  9-11
    Add/Edit Dynamic DNS Interface Settings  9-12

CHAPTER 10  Configuring AAA Servers  10-1

    Understanding AAA  10-1
    AAA Overview  10-1
    Preparing for AAA  10-2
    LOCAL Database  10-3

    AAA Implementation in ASDM  10-3
    AAA for Device Administration  10-3
    AAA for Network Access  10-4
    AAA for VPN Access  10-4

    AAA Setup  10-4
    AAA Server Groups  10-4

    Add/Edit AAA Server Group  10-6
    Edit AAA Local Server Group  10-7
    Add/Edit AAA Server  10-7
    Test AAA Server  10-11

    Auth. Prompt  10-12
    LDAP Attribute Map  10-13

    Add/Edit LDAP Attribute Map  10-14

CHAPTER 11  Configuring Device Access  11-1

    AAA Access  11-1
    Authentication Tab  11-1
    Authorization Tab  11-2
    Command Privileges Setup  11-3
    Predefined User Account Command Privilege Setup  11-4
    Accounting Tab  11-5

    HTTPS/ASDM  11-6
    Add/Edit HTTP Configuration  11-6

    Secure Shell  11-7
    Add/Edit SSH Configuration  11-8

    Telnet  11-8
    Add/Edit Telnet Configuration  11-9

    Virtual Access  11-11

CHAPTER 12  Failover  12-1

    Understanding Failover  12-1
    Active/Standby Failover  12-2
    Active/Active Failover  12-2
    Stateless (Regular) Failover  12-3
    Stateful Failover  12-3

    Configuring Failover with the High Availability and Scalability Wizard  12-4
    Accessing and Using the High Availability and Scalability Wizard  12-4
    Configuring Active/Active Failover with the High Availability and Scalability Wizard  12-4
    Configuring Active/Standby Failover with the High Availability and Scalability Wizard  12-5
    Configuring VPN Load Balancing with the High Availability and Scalability Wizard  12-6
    Field Information for the High Availability and Scalability Wizard  12-7
    Choose the Type of Failover Configuration  12-7
    Check Failover Peer Connectivity and Compatibility  12-8
    Change Device to Multiple Mode  12-8
    Select Failover Communication Media  12-9
    Security Context Configuration  12-9
    Failover Link Configuration  12-10
    State Link Configuration  12-11
    Standby Address Configuration  12-11
    VPN Cluster Load Balancing Configuration  12-12
    Summary  12-14

    Field Information for the Failover Panes  12-14
    Failover - Single Mode  12-15

    Failover: Setup  12-15
    Failover: Interfaces (Routed Firewall Mode)  12-17
    Failover: Interfaces (Transparent Firewall Mode)  12-19
    Failover: Criteria  12-20
    Failover: MAC Addresses  12-21
    Add/Edit Interface MAC Address  12-22

    Failover - Multiple Mode, Security Context  12-23
    Failover - Routed  12-23
    Failover - Transparent  12-24

    Failover - Multiple Mode, System  12-26
    Failover > Setup Tab  12-26
    Failover > Criteria Tab  12-28
    Failover > Active/Active Tab  12-29
    Failover > MAC Addresses Tab  12-32

CHAPTER 13  Configuring Logging  13-1

    About Logging  13-1
    Security Contexts in Logging  13-1

    Using Logging  13-1

    Logging Setup  13-2
    Configure FTP Settings  13-3
    Configure Logging Flash Usage  13-4

    Syslog Setup  13-4
    Edit Syslog ID Settings  13-5
    Advanced Syslog Configuration  13-6

    E-Mail Setup  13-6
    Add/Edit E-Mail Recipients  13-7

    Event Lists  13-8
    Add/Edit Event List  13-9
    Add/Edit Syslog Message ID Filter  13-11

    Logging Filters  13-11
    Edit Logging Filters  13-12
    Add/Edit Class and Severity Filter  13-13
    Add/Edit Syslog Message ID Filter  13-14

    Rate Limit  13-15
    Edit Rate Limit for Syslog Logging Level  13-16
    Add/Edit Rate Limit for Syslog Message  13-17

    Syslog Servers  13-18
    Add/Edit Syslog Server  13-18

    13-19

CHAPTER 14  Configuring Dynamic And Static Routing  14-1

    Dynamic Routing  14-1
    OSPF  14-1

    Setup  14-2
    Filtering  14-8
    Interface  14-10
    Redistribution  14-14
    Static Neighbor  14-16
    Summary Address  14-17
    Virtual Link  14-19

    RIP  14-21
    Global Setup  14-22
    Interface  14-23
    Filter Rules  14-24
    Route Redistribution  14-26

    Static Routes  14-28
    Static Route Tracking  14-29

    Configuring Static Route Tracking  14-29
    Field Information for Static Routes  14-30

    Static Routes  14-30
    Add/Edit Static Route  14-31
    Route Monitoring Options  14-32

    ASR Group  14-32

    Proxy ARPs  14-33

CHAPTER 15  Configuring Multicast Routing  15-1

    Multicast  15-1

    IGMP  15-2
    Access Group  15-2

    Add/Edit Access Group  15-3
    Join Group  15-3

    Add/Edit IGMP Join Group  15-4
    Protocol  15-4

    Configure IGMP Parameters  15-5
    Static Group  15-6

    Add/Edit IGMP Static Group  15-7

    Multicast Route  15-7
    Add/Edit Multicast Route  15-8

    MBoundary  15-8
    Edit Boundary Filter  15-9
    Add/Edit/Insert Neighbor Filter Entry  15-10

    MForwarding  15-10

    PIM  15-11
    Protocol  15-11

    Edit PIM Protocol  15-12
    Neighbor Filter  15-13

    Add/Edit/Insert Neighbor Filter Entry  15-13
    Bidirectional Neighbor Filter  15-14

    Add/Edit/Insert Bidirectional Neighbor Filter Entry  15-15
    Rendezvous Points  15-16

    Add/Edit Rendezvous Point  15-16
    Request Filter  15-18

    Request Filter Entry  15-19
    Route Tree  15-19

CHAPTER 16  Firewall Mode Overview  16-1

    Routed Mode Overview  16-1
    IP Routing Support  16-2
    Network Address Translation  16-2
    How Data Moves Through the Security Appliance in Routed Firewall Mode  16-3

    An Inside User Visits a Web Server  16-4
    An Outside User Visits a Web Server on the DMZ  16-5
    An Inside User Visits a Web Server on the DMZ  16-6
    An Outside User Attempts to Access an Inside Host  16-7
    A DMZ User Attempts to Access an Inside Host  16-8

    Transparent Mode Overview  16-8
    Transparent Firewall Features  16-9
    Using the Transparent Firewall in Your Network  16-10
    Transparent Firewall Guidelines  16-10
    Unsupported Features in Transparent Mode  16-11
    How Data Moves Through the Transparent Firewall  16-12

    An Inside User Visits a Web Server  16-13
    An Outside User Visits a Web Server on the Inside Network  16-14
    An Outside User Attempts to Access an Inside Host  16-15

CHAPTER 17  Configuring Access Rules  17-1

    Access Rules  17-1
    Rule Queries  17-3
    New/Edit Rule Query  17-4
    Add/Edit Access Rule  17-5
    Manage Service Groups  17-7
    Add/Edit Service Group  17-8
    Advanced Access Rule Configuration  17-8
    Log Options  17-9

CHAPTER 18  Configuring EtherType Rules  18-1

    Ethertype Rules (Transparent Mode Only)  18-1
    Add/Edit EtherType Rule  18-2

CHAPTER 19  Configuring AAA Rules  19-1

    AAA Performance  19-1

    Configuring AAA Rules  19-1
    AAA Rules  19-2
    Add/Edit Authentication Rule  19-4
    Add/Edit Authorization Rule  19-7
    Add/Edit Accounting Rule  19-10
    Add/Edit MAC Exempt Rule  19-12
    Configuring Advanced AAA Features  19-12

    Adding an Interactive Authentication Rule  19-13

    Configuring a RADIUS Server for Authorization  19-15
    Configuring a RADIUS Server to Send Downloadable Access Control Lists  19-15
    Configuring a RADIUS Server to Download Per-User Access Control List Names  19-19

CHAPTER 20  Configuring Filter Rules  20-1

    URL Filtering  20-1
    Add/Edit Parameters for Websense URL Filtering  20-3
    Add/Edit Parameters for Secure Computing SmartFilter URL Filtering  20-3
    Advanced URL Filtering  20-4

    Filter Rules  20-5
    Select Source  20-7
    Rule Query  20-7
    Add/Edit Filter Rule  20-8
    Browse Source/Destination Address  20-10

CHAPTER 21  Configuring Service Policy Rules  21-1

    Service Policy Rules  21-1
    Service Policy  21-3
    Edit Service Policy  21-3
    Traffic Classification Criteria  21-4

    Default Inspections  21-5
    Management Type Traffic Class and Action  21-5

    Select RADIUS Accounting Map  21-6
    Add RADIUS Accounting Policy Map  21-6

    Using Default Inspection Traffic Criteria  21-7
    Changing Default Ports for Application Inspection  21-8
    Configuring Application Inspection with Multiple Ports  21-9

    Source and Destination Address (This dialog is called ACL in other contexts)  21-10
    Destination Port  21-12
    RTP Ports  21-13
    IP Precedence  21-13
    IP DiffServ CodePoints (DSCP)  21-14

    Rule Actions > Protocol Inspection Tab  21-14
    Select DCERPC Map  21-16
    Configure DNS  21-17
    Select DNS Map  21-17
    Select ESMTP Map  21-18
    Select FTP Map  21-18
    Select GTP Map  21-19
    Select H.323 Map  21-19
    Select HTTP Map  21-20
    Select IM Map  21-20
    Select IPSec-Pass-Thru Map  21-20
    Select MGCP Map  21-21
    Select NETBIOS Map  21-21
    Select SCCP (Skinny) Map  21-22
    Select SIP Map  21-22
    Select SNMP Map  21-23

    Rule Actions > Intrusion Prevention Tab  21-23
    Rule Actions > CSC Scan Tab  21-24
    Rule Actions > Connection Settings Tab  21-24
    Rule Actions > QoS Tab  21-26
    Edit Class Map  21-30
    Edit Rule  21-31
    Edit Service Policy Rule > Traffic Classification Tab  21-32

    Tunnel Group  21-33

    SUNRPC Server  21-34
    Add/Edit SUNRPC Service  21-34

CHAPTER 22  NAT  22-1

    NAT  22-1
    Add/Edit Static NAT Rule  22-4
    Add/Edit Dynamic NAT Rule  22-5

    NAT Options  22-6
    Global Pools  22-7

    Add/Edit Static Policy NAT Rule  22-8
    Add/Edit Dynamic Policy NAT Rule  22-9
    Add/Edit NAT Exempt Rule  22-11
    Add/Edit Identity NAT Rule  22-12

CHAPTER 23  Configuring ARP Inspection and Bridging Parameters  23-1

    Configuring ARP Inspection  23-1
    ARP Inspection  23-1
    Edit ARP Inspection Entry  23-2
    ARP Static Table  23-3
    Add/Edit ARP Static Configuration  23-4

    Customizing the MAC Address Table  23-4
    MAC Address Table  23-4
    Add/Edit MAC Address Entry  23-6
    MAC Learning  23-6

CHAPTER 24  Preventing Network Attacks  24-1

    Connection Settings (Transparent Mode Only)  24-1
    Set/Edit Connection Settings  24-2

    IP Audit  24-3
    IP Audit Policy  24-3
    Add/Edit IP Audit Policy Configuration  24-4
    IP Audit Signatures  24-5
    IP Audit Signature List  24-5

    Fragment  24-9
    Show Fragment  24-10
    Edit Fragment  24-11

    Anti-Spoofing  24-12

    TCP Options  24-13
    TCP Reset Settings  24-14

    Timeouts  24-15

CHAPTER 25  Configuring QoS  25-1

    Priority Queue  25-1
    Add/Edit Priority Queue  25-1
    WCCP  25-2

    WCCP Service Groups  25-2
    Add or Edit WCCP Service Group  25-3
    Redirection  25-3
    Add or Edit WCCP Redirection  25-4

    WCCP  25-4
    WCCP Service Groups  25-4
    Redirection  25-5

CHAPTER 26  VPN  26-1

    VPN Wizard  26-1
    VPN Tunnel Type  26-2
    Remote Site Peer  26-3
    IKE Policy  26-4
    IPSec Encryption and Authentication  26-5
    Local Hosts and Networks  26-6
    Summary  26-7
    Remote Access Client  26-8
    VPN Client Authentication Method and Tunnel Group Name  26-9
    Client Authentication  26-10
    New Authentication Server Group  26-10
    User Accounts  26-11
    Address Pool  26-12
    Attributes Pushed to Client  26-12
    Address Translation Exemption  26-13

CHAPTER 26  IKE  26-1

    Certificate Group Matching  26-1
    Policy  26-1
    Rules  26-2

    Add/Edit Certificate Matching Rule  26-3
    Add/Edit Certificate Matching Rule Criterion  26-3

    Global Parameters  26-5

    Policies  26-8
    Add/Edit IKE Policy  26-9

    IP Address Management  26-10
    Assignment  26-10
    IP Pools  26-11

    Add/Edit IP Pool  26-11

    IPSec  26-12
    IPSec Rules  26-13

    Tunnel Policy (Crypto Map) - Basic  26-14
    Tunnel Policy (Crypto Map) - Advanced  26-16
    Tunnel Policy (Crypto Map) - Traffic Selection  26-16

    Pre-Fragmentation  26-18
    Edit IPSec Pre-Fragmentation Policy  26-19

    Transform Sets  26-20
    Add/Edit Transform Set  26-20

    Load Balancing  26-21

    NAC  26-24

CHAPTER 27  General  27-1

    Client Update  27-1
    Edit Client Update Entry  27-3

    Default Tunnel Gateway  27-4

    Group Policy  27-4
    Add/Edit External Group Policy  27-6
    Add AAA Server Group  27-6
    Add/Edit Internal Group Policy > General Tab  27-7

    Browse Time Range  27-8
    Add/Edit Time Range  27-9
    Add/Edit Recurring Time Range  27-10

    ACL Manager  27-11
    Standard ACL Tab  27-11
    Extended ACL Tab  27-12

    Add/Edit/Paste ACE  27-13
    Browse Source/Destination Address  27-14
    Browse Source/Destination Port  27-15
    Add TCP Service Group  27-16
    Browse ICMP  27-16
    Add ICMP Group  27-17
    Browse Other  27-17
    Add Protocol Group  27-18
    Add/Edit Internal Group Policy > IPSec Tab  27-19
    Add/Edit Client Access Rule  27-20
    Add/Edit Internal Group Policy > Client Configuration Tab  27-20
    Add/Edit Internal Group Policy > Client Configuration Tab > General Client Parameters Tab  27-21
    View/Config Banner  27-22
    Add/Edit Internal Group Policy > Client Configuration Tab > Cisco Client Parameters Tab  27-22
    Add/Edit Internal Group Policy > Client Configuration Tab > Microsoft Client Parameters Tab  27-23
    Add/Edit Standard Access List Rule  27-24
    Add/Edit Internal Group Policy > Client Firewall Tab  27-25
    Add/Edit Internal Group Policy > Hardware Client Tab  27-27
    Add/Edit Internal Group Policy > NAC Tab  27-30
    Add/Edit Posture Validation Exception  27-31
    WebVPN Tab > Functions Tab  27-31
    Add/Edit Group Policy > WebVPN Tab > Content Filtering Tab  27-34
    Add/Edit Group Policy > WebVPN Tab > Homepage Tab  27-34
    Add/Edit Group Policy > WebVPN Tab > Port Forwarding Tab  27-35
    Add/Edit Port Forwarding List  27-35
    Add/Edit Port Forwarding Entry  27-36
    Add/Edit Group Policy > WebVPN Tab > Other Tab  27-36
    Add/Edit Server and URL List  27-37
    Add/Edit Server or URL  27-38
    Add/Edit Group Policy > WebVPN Tab > SSL VPN Client Tab  27-38
    Add/Edit Group Policy > WebVPN Tab > Auto Signon Tab  27-39
    ACLs  27-40

    Tunnel Group  27-41
    Add/Edit Tunnel Group > General Tab > Basic Tab  27-42
    Add/Edit Tunnel Group > General Tab > Authentication Tab  27-44
    Add/Edit Tunnel Group > General Tab > Authorization Tab  27-44
    Add/Edit Tunnel Group > General Tab > Accounting Tab  27-46
    Add/Edit Tunnel Group > General Tab > Client Address Assignment Tab  27-46
    Add/Edit Tunnel Group > General Tab > Advanced Tab  27-47
    Add/Edit Tunnel Group > IPSec for Remote Access > IPSec Tab  27-48
    Add/Edit Tunnel Group > PPP Tab  27-49
    Add/Edit Tunnel Group > IPSec for LAN to LAN Access > General Tab > Basic Tab  27-50
    Add/Edit Tunnel Group > IPSec for LAN to LAN Access > IPSec Tab  27-51
    Add/Edit Tunnel Group > WebVPN Access > General Tab > Basic Tab  27-53
    Add/Edit Tunnel Group > WebVPN Tab > Basic Tab  27-54
    Add/Edit Tunnel Group > WebVPN Access > WebVPN Tab > NetBIOS Servers Tab  27-55
    Add/Edit Tunnel Group > WebVPN Access > WebVPN Tab > NetBIOS Servers Tab > Add/Edit NetBIOS Server  27-56
    Add/Edit Tunnel Group > WebVPN Access > WebVPN Tab > Group Aliases and URLs Tab  27-57
    Add/Edit Tunnel Group > WebVPN Access > WebVPN Tab > Web Page Tab  27-58

    VPN System Options  27-59

    Zone Labs Integrity Server  27-60

    Easy VPN Remote  27-61

    Advanced Easy VPN Properties  27-63

CHAPTER 28  WebVPN  28-1

    WebVPN Security Precautions  28-1
    ACLs  28-2
    Add ACL  28-3
    Add/Edit ACE  28-3

    APCF  28-4
    Add/Edit APCF Profile  28-4
    Upload APCF package  28-5

    Auto Signon  28-6
    Add/Edit Auto Signon Entry  28-7

    CSD Setup  28-8
    Upload Image  28-9

    Cache  28-10

    Content Rewrite  28-11
    Add/Edit Content Rewrite Rule  28-12

    Java Trustpoint  28-12

    Encoding  28-13
    Add/Edit Encoding  28-14

    Port Forwarding  28-15
    Add/Edit Port Forwarding List  28-17
    Add/Edit Port Forwarding Entry  28-17

    Proxies  28-18

    Proxy Bypass  28-18
    Add/Edit Proxy Bypass Rule  28-19

    SSL VPN Client  28-20
    Add SSL VPN Client Image  28-21
    Add SSL VPN Client Browse Flash Dialog  28-21
    Add SSL VPN Client Upload Flash Dialog  28-22
    Replace SSL VPN Client Image  28-22
    Replace SSL VPN Client Upload Flash Dialog  28-23

    SSO Servers  28-23
    Add/Edit SSO Server  28-25

    Servers and URLs  28-26

    WebVPN Access  28-26

    Webpage Customization  28-28
    Add/Edit Webpage Customization Object > Select Font  28-28
    Add/Edit Webpage Customization Object > Select Foreground Color  28-29
    Add/Edit Webpage Customization Object > Select Background Color  28-30
    Add/Edit Webpage Customization Object > Page Title Tab  28-30

    Add/Edit Webpage Customization Object > Page Title Tab > Upload Logo  28-31
    Add/Edit Webpage Customization Object > Login Page Tab > Login Box Tab  28-32
    Add/Edit Webpage Customization Object > Login Page Tab > Login Prompts Tab  28-33
    Add/Edit Webpage Customization Object > Login Page Tab > Login Buttons Tab  28-34
    Add/Edit Webpage Customization Object > Logout Page Tab  28-35
    Add/Edit Webpage Customization Object > Home Page Tab > Border Color Tab  28-36
    Add/Edit Webpage Customization Object > Home Page Tab > Web Applications Tab  28-37
    Add/Edit Webpage Customization Object > Home Page Tab > Application Access Tab  28-38
    Add/Edit Webpage Customization Object > Home Page Tab > Browse Network Tab  28-39
    Add/Edit Webpage Customization Object > Home Page Tab > Web Bookmarks Tab  28-40
    Add/Edit Webpage Customization Object > Home Page Tab > File Bookmarks Tab  28-41
    Add/Edit Webpage Customization Object > Application Access Window Tab  28-42
    Add/Edit Webpage Customization Object > Prompt Dialog Tab  28-43
    Add/Edit Webpage Customization Object > Quick Style Configuration  28-44

CHAPTER 29  WebVPN End User Set-up  29-1

    Requiring Usernames and Passwords  29-1

    Communicating Security Tips  29-2

    Configuring Remote Systems to Use WebVPN Features  29-2

    Capturing WebVPN Data  29-7
    Creating a Capture File  29-8
    Using a Browser to Display Capture Data  29-8

CHAPTER 30  E-Mail Proxy  30-1

    Configuring E-Mail Proxy  30-1

    AAA  30-2
    POP3S Tab  30-2
    IMAP4S Tab  30-4
    SMTPS Tab  30-5

    Access  30-7
    Edit E-Mail Proxy Access  30-7

    Authentication  30-8

    Default Servers  30-9

    Delimiters  30-10

CHAPTER 31  Configuring SSL Settings  31-1

    SSL  31-1
    Edit SSL Trustpoint  31-3

CHAPTER 32  Configuring Certificates  32-1

    Authentication  32-1

    Enrollment  32-2

    Import Certificate  32-3

    Key Pair  32-3
    Add Key Pair  32-4
    Key Pair Details  32-5

    Manage Certificate  32-5
    Add Certificate  32-6

    Trustpoint  32-7
    Configuration  32-7
    Add/Edit Trustpoint Configuration > Enrollment Settings Tab  32-8
    Add/Edit Key Pair  32-9
    Certificate Parameters  32-9
    Edit DN  32-10
    Add/Edit Trustpoint Configuration > Revocation Check Tab  32-11
    Add/Edit Trustpoint Configuration > CRL Retrieval Policy Tab  32-11
    Add/Edit Static URL  32-12
    Add/Edit Trustpoint Configuration > CRL Retrieval Method Tab  32-12
    Add/Edit Trustpoint Configuration > OCSP Rules Tab  32-13
    Add/Edit Trustpoint OCSP Rule dialog box  32-14
    Add/Edit Trustpoint Configuration > Advanced Tab  32-15

    Export  32-16
    Import  32-17

    Authenticating, Enrolling for, and Managing Digital Certificates  32-17
    Summary of Configuration Steps  32-18
    Generating the Key Pair  32-18
    Enrolling for a Certificate Using Automatic Enrollment (SCEP)  32-18
    Authenticating to the CA  32-19
    Enrolling with the CA  32-19
    Enrolling for a Certificate Using Manual Enrollment  32-20
    Additional Steps for a Failover Configuration  32-21

    Exporting the Certificate to a File or PKCS12 data  32-21
    Importing the Certificate onto the Standby Device  32-21

    Managing Certificates  32-22

CHAPTER 33  CSD  33-1

CHAPTER 34  Configuring IPS  34-1

    Accessing IDM from ASDM  34-1

    Resetting the AIP SSM Password  34-2

CHAPTER 35  Configuring Trend Micro Content Security  35-1

    Managing the CSC SSM  35-1
    About the CSC SSM  35-1
    Getting Started with the CSC SSM  35-3
    Determining What Traffic to Scan  35-5

    CSC Setup  35-7
    Activation/License  35-8
    IP Configuration  35-9
    Host/Notification Settings  35-10
    Management Access Host/Networks  35-11
    Password  35-11
    Restoring the Default Password  35-12
    Wizard Setup  35-13
    Summary  35-13

    Web  35-15

    Mail  35-16
    Mail > SMTP Tab  35-16
    Mail > POP3 Tab  35-17

    File Transfer  35-18

    Updates  35-19

    Connecting to CSC/Content Security and Control Password  35-20

CHAPTER 36  Monitoring System Log Messages  36-1

    About Log Viewing  36-1

    Log Buffer  36-1
    Log Buffer Viewer  36-2

    Real-Time Log Viewer  36-3
    Real-Time Log Viewer  36-3

CHAPTER 37  Monitoring Trend Micro Content Security  37-1

    Threats  37-1

    Live Security Events  37-2
    Live Security Events Viewer  37-2

    Software Updates  37-3

    Resource Graphs  37-4
    CSC CPU  37-4
    CSC Memory  37-5

CHAPTER 38  Monitoring Failover  38-1

    Single Context Mode  38-1
    Failover  38-1

    Status  38-1
    Graphs  38-4

    Multiple Context Mode  38-5
    System  38-5
    Failover Group 1 and Failover Group 2  38-8

CHAPTER 39  Monitoring Interfaces  39-1

    ARP Table  39-1

    DHCP  39-1
    DHCP Server Table  39-2
    DHCP Client Lease Information  39-2
    DHCP Statistics  39-3

    MAC Address Table  39-4

    Dynamic ACLs  39-5

    Interface Graphs  39-5
    Graph/Table  39-8

    PPPoE Client  39-8

    interface connection  39-9
    Track Status for  39-9
    Monitoring Statistics for  39-9

CHAPTER 40  Monitoring Routing  40-1

    OSPF LSAs  40-1
    Type 1  40-1
    Type 2  40-2
    Type 3  40-3
    Type 4  40-3
    Type 5  40-4
    Type 7  40-4

    OSPF Neighbors  40-5

    Routes  40-7

CHAPTER 41  Monitoring VPN  41-1

    VPN Connection Graphs  41-1
    IPSec Tunnels  41-1
    Sessions  41-2

    VPN Statistics  41-3
    Sessions  41-3
    Sessions Details  41-6

    Sub-session Details
    NAC Details  41-8
    Encryption Statistics  41-9
    NAC Session Summary  41-10
    Protocol Statistics  41-11

    Global IKE/IPSec Statistics 41-12

  • Contents

    Crypto Statistics 41-12Compression Statistics 41-13Cluster Loads 41-13WebVPN SSO Statistics 41-14VPN Connection Status 41-15

    C H A P T E R 42 Monitoring Properties 42-1

    AAA Servers 42-1

    CRL 42-2

    Connection Graphs 42-2Xlates 42-2Perfmon 42-3

    DNS Cache 42-4

    Device Access 42-5AAA Local Locked Out Users 42-5Authenticated Users 42-5HTTPS/ASDM Sessions 42-6Secure Shell Sessions 42-6Telnet Sessions 42-7

    IP Audit 42-8

    System Resources Graphs 42-10Blocks 42-11CPU 42-11Memory 42-12

    I N D E XxxviiCisco ASDM User Guide

    OL-10106-04

  • Contents xxviiiCisco ASDM User Guide

    OL-10106-04

    About This Guide

    The ASDM User Guide contains the information that is available in the ASDM online help system. This preface contains the following topics:

    • Related Documentation, page xxix
    • Obtaining Documentation and Submitting a Service Request, page xxix

    Related Documentation

    For more information, refer to the following documentation:

    • Release Notes for Cisco ASDM
    • Cisco ASA 5500 Series Configuration Guide using the CLI
    • Cisco ASA 5500 Series Command Reference
    • Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
    • Cisco ASA 5500 Series Release Notes
    • Cisco ASA 5500 Series System Log Messages

    Obtaining Documentation and Submitting a Service Request

    For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html

    Subscribe to the What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS version 2.0.

    Chapter 1 Welcome to ASDM

    Welcome to ASDM, a browser-based, Java applet used to configure and monitor the software on security appliances. ASDM is loaded from the security appliance, then used to configure, monitor, and manage the device. For more information about this release, see the following topics:

    • Important Notes
    • New in This Release
    • Unsupported Commands
    • About the ASDM Window
    • About the Help Window
    • Home Page

    Important Notes

    CLI Command Support--With a few exceptions, almost all CLI commands are fully supported by ASDM. For a list of commands ASDM does not support, see Unsupported Commands.

    Multiple ASDM Sessions--ASDM allows multiple PCs or workstations to each have one browser session open with the same security appliance software. A single security appliance can support up to 5 concurrent ASDM sessions in single, routed mode. Only one session per browser per PC or workstation is supported for a particular security appliance. In multiple context mode, five concurrent ASDM sessions are supported per context, up to a limit of 32 connections total per security appliance.

    Security Appliance Release--This release of ASDM requires Version 7.1 and does not run with earlier security appliance releases.

    Caveats--Use the Bug Toolkit on cisco.com to view current caveat information. You can access Bug Toolkit at: http://www.cisco.com/cgi-bin/Support/Bugtool/launch_bugtool.pl

    Changing OS Color Schemes--If you change the color scheme of your operating system while ASDM is running, you should restart ASDM or some ASDM screens might not display correctly.

    If you enable TCP normalization, the default action for packets that exceed MSS has changed from drop to allow (the exceed-mss command).

    New in This Release

    This section contains the following topics:

    • Features Introduced in the 5.2(1) Release, page 1-2
    • Features Introduced in the 5.2(2) Release, page 1-2
    • Features Introduced in the 5.2(3) Release, page 1-3
    • Features Introduced in the 5.2(4) Release, page 1-4

    For a complete list of new platform and ASDM features, refer to the Cisco ASDM Release Notes on Cisco.com.

    Features Introduced in the 5.2(1) Release

    See the following topics for more information about the new features in the 5.2(1) release:

    • Enhanced and new inspection engines. See Service Policy Rules, page 21-1 and Global Objects, page 6-1.
    • Sub-second failover and the High Availability and Scalability Wizard. See Failover, page 12-1.
    • Packet Tracer tool. See Packet Tracer, page 1-13.
    • Traceroute tool. See Traceroute, page 1-17.
    • Expanded VPN Support:
      - ZoneLabs Integrity Server. See Zone Labs Integrity Server, page 27-60.
      - Easy VPN Remote. See Easy VPN Remote, page 27-61.
      - Online Certificate Status Protocol (OCSP) support. See Add/Edit Trustpoint Configuration > Revocation Check Tab, page 32-11 and Add/Edit Trustpoint Configuration > OCSP Rules Tab, page 32-13.
    • RIP routing enhancements. See RIP, page 14-21.
    • Static Route Tracking/Dual ISP support. See Static Routes, page 14-28.
    • Web Cache Communication Protocol (WCCP) support. See WCCP, page 25-2.
    • ASA 5505 adaptive security appliance Power over Ethernet port support. See Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance, page 5-13.

    Features Introduced in the 5.2(2) Release

    See the following topics for more information about the new features in the 5.2(2) release:

    • IDM Integration. See Accessing IDM from ASDM, page 34-1.
    • AIP SSM Password Reset. See Resetting the AIP SSM Password, page 34-2.
    • CSC SSM Password Reset. See Restoring the Default Password, page 35-12.
    • Additional Multicast Feature Support:
      - PIM neighbor-filter. See Neighbor Filter, page 15-13.
      - PIM bidir-neighbor-filter. See Bidirectional Neighbor Filter, page 15-14.
      - PIM old-register-checksum. See the Generate IOS compatible register messages check box in Rendezvous Points, page 15-16.
      - Multicast Boundary. See MBoundary, page 15-8.
      - MFIB forwarding. See MForwarding, page 15-10.
    • Support for HTTP/HTTPS interactive authentication. See Configuring Advanced AAA Features, page 19-12.
    • Added DNS (User Principal Name) to the Primary DN Field for tunnel groups. See Add/Edit Tunnel Group > General Tab > Authorization Tab, page 27-44.
    • Per-interface authorization server groups for tunnel groups. See Add/Edit Tunnel Group > General Tab > Authorization Tab, page 27-44.
    • Support for Virtual Telnet Server. See Virtual Access, page 11-11.

    Features Introduced in the 5.2(3) Release

    See the following topics for more information about the new features in the 5.2(3) release:

    • Multiple ASDM Session Support--ASDM allows multiple PCs or workstations to each have one browser session open with the same adaptive security appliance software. A single adaptive security appliance can support up to five concurrent ASDM sessions in single, routed mode. Only one session per browser per PC or workstation is supported for a specified adaptive security appliance. In multiple context mode, five concurrent ASDM sessions are supported per context, up to a maximum of 32 total connections for each adaptive security appliance.
    • Added the Enable DNS Guard checkbox to the DNS Client panel for interfaces. See Configuration > Properties > DNS.
    • Added the redirect-fqdn command to support DNS-based load balancing.
    • Added support in the Client Software Location list to allow client updates from Linux or Mac systems. See Configuration > Remote Access VPN > Network (Client) Access > Advanced > IPSec > Upload Software > Client Software.
    • Added the new checkbox Cache Static Content to allow users to cache static content. See Configuration > VPN > WebVPN > Cache.
    • Support for two new options, broadcast-flag and client-id interface interface, in the dhcp-client command. See Configuration > Interfaces > Add or Edit Interfaces > Obtain Addresses via DHCP.
    • ASDM now reports Damage Cleanup Services events and statistics.
    • The ASDM banner includes Continue and Disconnect buttons at startup. To configure the banner with these buttons, see Configuration > Properties > Device Administration > Banner.
    • Added support for the new ESMTP parameter allow-tls [action log] in the ESMTP policy map. When the parameter is on, traffic on an ESMTP session is not inspected after the exchange of the client's STARTTLS command and the server's 220 reply code. To implement this parameter, see Configuration > Global Objects > Inspect Maps > ESMTP. After the map is inspected or edited, select the entry and click Advanced View to access the ESMTP policy map parameter.
    • Added the inspect waas command to support WAAS inspection. See Service Policy Rule > Protocol Inspection.
    • Added the new command smartcard-removal-disconnect [enable | disable] in group policy configuration mode, to specify that tunnels stay connected when the SmartCard is removed. Currently, the default behavior is that tunnels are disconnected when a SmartCard is removed.
    • Increased VLAN range for the ASA 5505--The ASA 5505 adaptive security appliance now supports VLAN IDs between 1 and 4090. Originally, only VLAN IDs between 1 and 1001 were supported.

    Features Introduced in the 5.2(4) Release

    See the following topics for more information about the new features in the 5.2(4) release:

    • Network Objects--You can now add true network objects that you can use in firewall rules. Objects can be named, and when you edit an object, the change is inherited wherever the object is used. Also, when you create a rule, the networks that you specify in the rule are automatically added to the network object list so you can reuse them elsewhere. You can name and edit these automatic entries as well. See Configuration > Objects > Network Objects/Groups.
    • QoS Traffic Shaping--If you have a device that transmits packets at a high speed, such as a security appliance with Fast Ethernet, and it is connected to a low speed device such as a cable modem, then the cable modem is a bottleneck at which packets are frequently dropped. To manage networks with differing line speeds, you can configure the security appliance to transmit packets at a fixed slower rate. See the Configuration > Security Policy > Service Policy Rules pane, and then add or edit a rule to access the QoS tab. Note that the only traffic class supported for traffic shaping is class-default, which matches all traffic.
    • See the crypto ipsec security-association replay command, which lets you configure the IPSec anti-replay window size. One side-effect of priority queueing is packet re-ordering. For IPSec packets, out-of-order packets that are not within the anti-replay window generate warning syslog messages. These warnings become false alarms in the case of priority queueing. This new command avoids possible false alarms.
    • Timeout for SIP provisional media--You can now configure the timeout for SIP provisional media on the Configuration > Properties > Timeouts pane.
    • Rate and burst limit sizes for ICMP messages can now be adjusted from the Configuration > Properties > ICMP Rules pane.
    • TCP normalization enhancements--You can now configure TCP normalization actions for certain packet types. Previously, the default action for these kinds of packets was to drop the packet. Now you can set the TCP normalizer to allow the packets:
      - TCP invalid ACK check
      - TCP packet sequence past window check
      - TCP SYN-ACK with data check
      You can also set the TCP out-of-order packet buffer timeout. Previously, the timeout was 4 seconds. You can now set the timeout to another value. The default action for packets that exceed MSS has changed from drop to allow. See the Configuration > Global Objects > TCP Maps pane. The following non-configurable actions have changed from drop to clear for these packet types:
      - Bad option length in TCP
      - TCP Window scale on non-SYN
      - Bad TCP window scale value
      - Bad TCP SACK ALLOW option

    Unsupported Commands

    ASDM supports almost all commands available for the security appliance, but some commands in an existing configuration are ignored by ASDM. Most of these commands can remain in your configuration; see Show Commands Ignored by ASDM on Device for the ignored commands in your configuration. In the case of the alias command, ASDM enters Monitor-only mode until you remove the command from your configuration. This section contains the following topics:

    • Ignored and View-Only Commands
    • Effects of Unsupported Commands
    • Other CLI Limitations

    Ignored and View-Only Commands

    The following table lists commands that ASDM supports in the configuration when added by the CLI, but that cannot be added or edited in ASDM. If ASDM ignores the command, it does not appear in the ASDM GUI at all. If it is view-only, then the command appears in the GUI, but you cannot edit it.

    Unsupported Commands              ASDM Behavior
    access-list                       Ignored if not used.
    capture                           Ignored.
    established                       Ignored.
    failover timeout                  Ignored.
    ipv6, any IPv6 addresses          Ignored.
    pager                             Ignored.
    pim accept-register route-map     Ignored. Only the list option can be configured using ASDM.
    prefix-list                       Ignored if not used in an OSPF area.
    route-map                         Ignored.
    service-policy global             Ignored if it uses a match access-list class. For example:

                                      access-list myacl line 1 extended permit ip any any
                                      class-map mycm
                                       match access-list myacl
                                      policy-map mypm
                                       class mycm
                                        inspect ftp
                                      service-policy mypm global

    switchport trunk native vlan      Ignored in Ethernet interface mode.
    sysopt nodnsalias                 Ignored.
    sysopt uauth allow-http-cache     Ignored.
    terminal                          Ignored.
    virtual                           Ignored.

    Effects of Unsupported Commands

    • If ASDM loads an existing running configuration and finds IPv6-related commands, ASDM displays a dialog box informing you that it does not support IPv6. You cannot configure any IPv6 commands in ASDM, but all other configuration is available.
    • If ASDM loads an existing running configuration and finds other unsupported commands, ASDM operation is unaffected. To view the unsupported commands, see Options > Show Commands Ignored by ASDM on Device.
    • If ASDM loads an existing running configuration and finds the alias command, it enters Monitor-only mode. Monitor-only mode allows access to the following functions:
      - The Monitoring area
      - The CLI tool (Tools > Command Line Interface), which lets you use the CLI commands.
      To exit Monitor-only mode, use the CLI tool or access the security appliance console, and remove the alias command. You can use outside NAT instead of the alias command. See the Cisco ASA 5500 Series Command Reference for more information.

    Note You might also be in Monitor-only mode because your user account privilege level, indicated in the status bar at the bottom of the main ASDM window, was set up as less than or equal to 3 by your system administrator, which allows Monitor-only mode. For more information, see Configuration > Properties > Device Administration > User Accounts and Configuration > Device Access > AAA Access.

    Other CLI Limitations

    ASDM does not support discontinuous subnet masks such as 255.255.0.255. For example, you cannot use the following:

    ip address inside 192.168.2.1 255.255.0.255

    About the ASDM Window

    The ASDM Window is designed to provide easy access to the many features that the security appliance supports. The ASDM Window includes the following:

    • Menus--Provides quick access to files, tools, options and help.
    • Toolbar--Lets you navigate ASDM. From the toolbar you can access the home page, configuration, and monitoring panels. You can also search for features, save the configuration, get help and navigate back and forth between panels. The Home, Configuration, and Monitoring buttons each open a panel with a variety of useful tools. The home page offers much information at a glance. Configuration and monitoring offer a useful category tree along the left side of the frame, for access to more detailed configuration or monitoring information.
    • Status Bar--Shows the time, connection status, user, and privilege level.

    Menus

    ASDM includes the following menus:

    • File Menu
    • Options Menu
    • Tools Menu
    • Wizards Menu
    • Help Menu

    File Menu

    The File menu manages security appliance configurations, and includes the following items:

    • Refresh ASDM with the Running Configuration on the Device--Loads a copy of the running configuration to ASDM. Use refresh to make sure ASDM has a current copy of the running configuration.
    • Reset Device to the Factory Default Configuration--Restores the configuration to the factory default. See the Reset Device to the Factory Default Configuration dialog box for more information.
    • Show Running Configuration in New Window--Displays the current running configuration in a new window.
    • Save Running Configuration to Flash--Writes a copy of the running configuration to Flash memory.
    • Save Running Configuration to TFTP Server--Stores a copy of the current running configuration file on a TFTP server. See the Save Running Configuration to TFTP Server dialog box for more information.
    • Save Running Configuration to Standby Unit--Sends a copy of the running configuration file on the primary unit to the running configuration of a failover standby unit.
    • Save Internal Log Buffer to Flash--Saves the log buffer to flash memory.
    • Print--Prints the current panel. We recommend landscape page orientation when printing rules. If ASDM is running in Netscape Communicator and the user has not yet granted print privileges to the Java applet, a security dialog appears requesting Print privileges. Click Grant to grant the applet printing privileges. When using Internet Explorer, permission to print is already granted when you originally accepted the signed applet.
    • Clear ASDM Cache--Clears the local ASDM images. ASDM downloads an image locally when you connect to ASDM.
    • Clear Internal Log Buffer--Clears the system log message buffer.
    • Exit--Exits ASDM.

    Reset Device to the Factory Default Configuration

    The default configuration includes the minimum commands required to connect to the security appliance using ASDM. This feature is available only for routed firewall mode; transparent mode does not support IP addresses for interfaces, and setting the interface IP address is one of the actions this feature takes. This feature is also only available in single context mode; a security appliance with a cleared configuration does not have any defined contexts to automatically configure using this feature.

    This feature clears the current running configuration and then configures several commands. The configured interface depends on your platform. For a platform with a dedicated management interface, the interface is named management. For other platforms, the configured interface is Ethernet 1 and named inside. The following commands apply to the dedicated management interface, Management 0/0 (for a platform without a dedicated management interface, the interface is Ethernet 1):

    interface management 0/0
     ip address 192.168.1.1 255.255.255.0
     nameif management
     security-level 100
     no shutdown
    asdm logging informational 100
    asdm history enable
    http server enable
    http 192.168.1.0 255.255.255.0 management
    dhcpd address 192.168.1.2-192.168.1.254 management
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd enable management

    If you set the IP address in this dialog box, then the http command uses the subnet you specify. Similarly, the dhcpd address command range consists of addresses within the subnet that you specify. After you restore the factory default configuration, save it to internal Flash memory using the File > Save Running Configuration to Flash item. This menu item saves the running configuration to the default location for the startup configuration, even if you previously configured the Boot Image/Configuration to set a different location; when the configuration was cleared, this path was also cleared.

    Note This command also clears the Add Boot Image configuration, if present, along with the rest of the configuration. The Add Boot Image pane lets you boot from a specific image, including an image on the external Flash memory card. The next time you reload the security appliance after restoring the factory configuration, it boots from the first image in internal Flash memory; if you do not have an image in internal Flash memory, the security appliance does not boot.

    Fields

    • Use this address for the Interface_ID interface which will be named as name--Manually sets the IP address of the management interface, instead of using the default address, 192.168.1.1. For a platform with a dedicated management interface, the interface is named management. For other platforms, the configured interface is Ethernet 1 and named inside.
      - Management IP Address--Sets the management interface IP address.
      - Management subnet mask--Sets the subnet mask of the interface. If you do not set a mask, the security appliance uses the mask appropriate for the IP address class.
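    The following Python function is an added example, not Cisco's code: it derives the factory default commands above from the management address and mask this dialog takes, applies the subnet to the http and dhcpd address lines as described, and rejects a discontinuous mask (which ASDM does not support, see Other CLI Limitations). The classful-mask rule, the Ethernet 1/inside variant being only a change of interface and nameif strings, and the choice of the larger side of the range when the address splits the DHCP pool are assumptions made for this example.

```python
import ipaddress

DEFAULT_MGMT_IP = "192.168.1.1"   # default address named in the dialog


def classful_mask(ip: str) -> str:
    """Mask 'appropriate for the IP address class' when none is given
    (assumed classful A/B/C rule for this example)."""
    first_octet = int(ipaddress.IPv4Address(ip)) >> 24
    if first_octet < 128:
        return "255.0.0.0"        # class A
    if first_octet < 192:
        return "255.255.0.0"      # class B
    if first_octet < 224:
        return "255.255.255.0"    # class C
    raise ValueError(f"{ip} is not a unicast class A/B/C address")


def is_contiguous_mask(mask: str) -> bool:
    """ASDM rejects discontinuous masks such as 255.255.0.255: a valid mask
    is a run of 1 bits followed only by 0 bits, so the inverted host part
    must be of the form 2^n - 1."""
    host_bits = ~int(ipaddress.IPv4Address(mask)) & 0xFFFFFFFF
    return host_bits & (host_bits + 1) == 0


def factory_default_config(mgmt_ip=DEFAULT_MGMT_IP, mask=None,
                           interface="management 0/0", nameif="management"):
    """Return the command lines the Reset to Factory Default dialog writes,
    as one string with one command per line."""
    if mask is None:
        mask = classful_mask(mgmt_ip)
    if not is_contiguous_mask(mask):
        raise ValueError(f"discontinuous mask {mask} is not supported by ASDM")
    iface = ipaddress.IPv4Interface(f"{mgmt_ip}/{mask}")
    net = iface.network
    if net.prefixlen > 30:
        raise ValueError("no usable host addresses for a DHCP pool on a /31 or /32")
    if iface.ip in (net.network_address, net.broadcast_address):
        raise ValueError("management address must be a usable host address")

    # DHCP pool: the usable hosts of the subnet minus the interface address.
    # With the default .1 address this yields .2-.254 as on the page; when the
    # address splits the range, the larger contiguous side is used (assumption).
    first, last = net.network_address + 1, net.broadcast_address - 1
    below = (first, iface.ip - 1)
    above = (iface.ip + 1, last)
    pool = max((r for r in (below, above) if r[0] <= r[1]),
               key=lambda r: int(r[1]) - int(r[0]))

    return "\n".join([
        f"interface {interface}",
        f" ip address {iface.ip} {mask}",
        f" nameif {nameif}",
        " security-level 100",
        " no shutdown",
        "asdm logging informational 100",
        "asdm history enable",
        "http server enable",
        # ASDM/HTTPS access is limited to the management subnet, not 'any'
        f"http {net.network_address} {mask} {nameif}",
        f"dhcpd address {pool[0]}-{pool[1]} {nameif}",
        "dhcpd lease 3600",
        "dhcpd ping_timeout 750",
        f"dhcpd enable {nameif}",
    ])
```

    Calling factory_default_config() with no arguments reproduces the command list shown above; passing a different address and mask shows how the http and dhcpd address lines follow the subnet you choose.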

    Modes

    The following table shows the modes in which this feature is available:

    Save Running Configuration to TFTP Server

    This dialog box stores a copy of the current running configuration file on a TFTP server.

    Fields

    • TFTP Server IP Address--Enter the IP address of the TFTP server.
    • Configuration File Path--Enter the path on the TFTP server where the file will be saved.

    Modes

    The following table shows the modes in which this feature is available:

    Enter Log File Name

    Saves the log buffer to flash memory.

    Fields

    • Use default file name--Saves the log buffer using LOG-YYYY-MM-DD-hhmmss.txt as the file name.
    • Use user-specified file name--Saves the log buffer using a file name that you specify.
      - Field Name--Enter the file name for the saved log buffer.

    Options Menu

    The Options menu lets you set ASDM preferences.

    • Show Commands Ignored by ASDM on Device--Displays unsupported commands that have been ignored by ASDM. See the Show Commands Ignored by ASDM on Device dialog box for more information.
    • Preferences--Changes the behavior of some ASDM functions between sessions using your web browser cookie feature. See the Preferences dialog box for more information.

    Firewall Mode            Security Context
    Routed   Transparent     Single   Multiple Context   Multiple System

    Firewall Mode            Security Context
    Routed   Transparent     Single   Multiple Context   Multiple System

    Show Commands Ignored by ASDM on Device

    Some commands are unsupported in ASDM. Typically, they are ignored when encountered by ASDM, and are displayed in the list of unparsed commands invoked by Show Commands Ignored by ASDM on Device.

    ASDM does not change or remove these commands from your configuration. See Unsupported Commands for more information.

    Modes

    The following table shows the modes in which this feature is available:

    Preferences

    The Preferences dialog box lets you change the behavior of some ASDM functions between sessions by using your web browser cookie feature.

    Fields

    • General tab--Sets general preferences.
      - Preview commands before sending to the device check box--Lets you view CLI commands generated by ASDM.
      - Enable Large Fonts (Requires ASDM Restart) check box--Increases the ASDM icon font size, after closing ASDM and reconnecting. Not all fonts are affected.
      - Confirm before exiting from ASDM check box--Displays a prompt when you try to close ASDM to confirm that you want to exit. This option is checked by default.
    • Rules Table tab--Sets preferences for the Rules Table.
      - Display settings--Lets you change the way rules are displayed in the Rules Table.
      - Auto expand network and service object groups with specified prefix--Displays the network and service object groups automatically expanded based on the Auto Expand-Prefix.
      - Auto Expand-Prefix--Specifies the prefix of the network and service object groups to automatically expand when displayed.
      - Show members of network and service object groups--Select to display members of network and service object groups and the group name in the rules table. If the check box is not selected, only the group name is displayed.
      - Limit members to--Enter the number of network and service object groups to display. When the object group members are displayed, only the first nn members are shown.
      - Show all actions for service policy rules--Select to display all actions in the rules table. When cleared, a summary is displayed.
      - Deployment Settings--Lets you configure the behavior the security appliance has when deploying changes to the rules table.

    Firewall Mode            Security Context
    Routed   Transparent     Single   Multiple Context   Multiple System

        * Issue clear xlate command when deploying access lists--Check to clear the NAT table when deploying a new access list. This ensures the access lists that are configured on the security appliance are applied to all translated addresses.
      - Show filter panel by default--Displays the filter panel by default.
      - Show rule diagram panel by default--Displays the rule diagram by default.
    • Applications Inspections tab--Sets Application Inspection map options.
      - Prompt to add inspect map before applying changes--Enables a prompt that reminds you the inspection map has not yet been added.
      - Make advanced view the default inspect view--Select to make the advanced view the default application inspection view.
      - Ask to make advanced view the default view--Enables a dialog box that asks to make the advanced view the default application inspection view. Clear to disable the prompt.
    • Syslog Color Settings tab--Sets the background and text colors for system log messages displayed on the Home page.
      - Severity column--Lists each severity level.
      - Background Color column--Shows the background color for messages for each severity level. To change the color, click the appropriate row. The Pick a Color dialog box appears.
      - Foreground Color column--Shows the foreground (text) color for messages for each severity level. To change the color, click the appropriate row. The Pick a Color dialog box appears.
      - Restore Default button--Restores the default settings of white background and colored text.

    Note Each time a preference is checked or unchecked, the change is written to the .conf file and becomes available for all the other ASDM sessions running on the workstation at the time. Restarting ASDM maintains your preferences.

    Modes

    The following table shows the modes in which this feature is available:

    Tools Menu

    The Tools menu provides you with troubleshooting tools on ASDM. Here you can upload new software to the ASDM, check connectivity, or issue commands at the command line.

    • Command Line Interface--Provides a text-based tool for sending commands to the security appliance and viewing the results. See the Command Line Interface dialog box for more information.

    Firewall Mode            Security Context
    Routed   Transparent     Single   Multiple Context   Multiple System

    • Packet Tracer--Lets you trace a packet from a specified source address and interface to a destination. You can specify the protocol and port of any type of data and see the lifespan of a packet with detailed information about actions taken on it. See the Packet Tracer dialog box for more information.
    • Ping--Provides a useful tool for verifying the configuration and operation of the security appliance and surrounding communications links, as well as basic testing of other network devices. See the Ping dialog box for more information.
    • Traceroute--Lets you determine the route packets will take to their destination. See the Traceroute dialog box for more information.
    • File Management--Lets you view, move, copy and delete files stored in Flash memory. You can also create a directory in Flash memory. See the File Management dialog box for more information. You can also bring up the File Transfer dialog box to transfer files between various file systems, including TFTP, Flash memory, and your local PC.
    • Upload ASDM Assistant Guide--Lets you upload an XML file to Flash memory that contains information used in the ASDM Assistant. These files can be downloaded from Cisco.com.
    • Upgrade Software--Lets you choose a security appliance image, ASDM image, or other image file on your PC, and upload it to Flash memory. See the Upload Image from Local PC dialog box for more information.
    • System Reload--Lets you restart the system and reload the saved configuration into memory. See the System Reload dialog box for more information.
    • IPS/CSC Password Reset--Resets the password of an installed AIP SSM or CSC SSM to the default (cisco). See the Resetting the AIP SSM Password section on page 34-2 and the Restoring the Default Password section on page 35-12 for more information.
    • ASDM Java Console--Shows the Java console.

    Command Line Interface

    The Command Line Interface dialog box provides a text-based tool for sending commands to the security appliance and viewing the results.

    Note Commands entered via the ASDM CLI tool might function differently from commands entered through a terminal connection to the security appliance.

    Command Errors

    If an error occurs because you entered an incorrect command, the offending command is skipped and the remaining commands are processed anyway. A message displays in the Response box to let you know what, if any, errors were encountered as well as other pertinent information.

    Note Refer to the Cisco ASA 5500 Series Command Reference for a list of commands. With a few exceptions, almost all CLI commands are fully supported by ASDM.

    Interactive Commands

    Interactive commands are not supported in the Command Line Interface dialog box. To use these commands in ASDM, use the noconfirm keyword if available, as follows:

        crypto key generate rsa modulus 1024 noconfirm

    1-12 Cisco ASDM User Guide

    OL-10106-04

    Avoiding Conflicts with Other Administrators

    Multiple administrative users can update the running configuration of the security appliance. Before using the ASDM Command Line Interface tool to make configuration changes, check for other active administrative sessions. If more than one user is configuring the security appliance at the same time, the last changes take effect. (Click the Monitoring tab to view other administrative sessions that are currently active on the same security appliance.)

    Viewing Configuration Changes in ASDM

    If you change the configuration using the Command Line Interface tool, click the Refresh button to view the changes in ASDM.

    Prerequisites

    The commands you can enter in the Command Line Interface tool depend on your user privileges. See the Authorization Tab. Review your privilege level in the status bar at the bottom of the main ASDM window to ensure you have the privileges required to execute privileged-level CLI commands.

    Fields

    Command: Sends commands to the security appliance.
        Single Line: Lets you enter single commands, one at a time. The most recent commands entered are listed, or you can type a new command.
        Multiple Line: Lets you enter multiple command lines.
        Enable context sensitive help (?): Shows CLI help for a command if you enter a question mark (?) after it. You do not need to press Enter; the help displays as soon as you type a ?. Clearing this check box causes ASDM to escape the question mark character before sending it to the device, allowing you to enter the question mark as part of a text string without causing the command line help to display.
    Response: Displays the results of the commands you entered in the command box.
    Send: Sends all commands to the security appliance.
    Clear Response: Clears all text displayed in the Response box.

    Modes

    The following table shows the modes in which this feature is available:

    Firewall Mode          Security Context
    Routed   Transparent   Single   Multiple
                                    Context   System

    Packet Tracer

    The packet tracer tool provides packet tracing capabilities for packet sniffing and network fault isolation.


    The tool provides detailed information about the packets and how they are processed by the security appliance. When a configuration command causes a packet to be dropped, the packet tracer reports the cause in an easily readable manner. For example, if a packet was dropped because its IP header failed validation, the message "packet dropped due to bad ip header (reason)" is displayed.

    In addition to capturing packets, it is possible to trace the lifespan of a packet through the security appliance to see if it is behaving as expected. The packet tracer tool lets you do the following:
        Debug all packet drops in a production network.
        Verify that the configuration is working as intended.
        Show all rules applicable to a packet along with the CLI lines which caused the rule addition.
        Show a time line of packet changes in the data path.
        Inject tracer packets into the data path.

    Fields

    Interface: Specifies the source interface for the packet trace.
    Packet type: Specifies the protocol type for the packet trace. Available protocol types are icmp, rawip, tcp or udp.
    Source IP: Specifies the source address for the packet trace.
    Source Port: Specifies the source port for the packet trace.
    Destination IP: Specifies the destination address for the packet trace.
    Destination Port: Specifies the destination port for the packet trace.
    Start: Starts the packet trace.
    Clear: Clears all fields.
    Show animation: Check to display the packet trace graphically.
    Information Display Area: Displays detailed messages about the packet trace.

    Modes

    The following table shows the modes in which this feature is available:

    Firewall Mode          Security Context
    Routed   Transparent   Single   Multiple
                                    Context   System

    Ping

    The Ping dialog box provides a useful tool for verifying the configuration and operation of the security appliance and surrounding communications links, as well as basic testing of other network devices.

    A ping is the network equivalent of sonar for submarines. A ping is sent to an IP address and it returns an echo, or reply. This simple process enables network devices to discover, identify, and test each other.

    The Ping tool uses ICMP, described in RFC 777 and RFC 792. ICMP defines an echo and echo reply transaction between two network devices, which has become known as a ping. The echo (request) packet is sent to the IP address of a network device. The receiving device reverses the source and destination address and sends the packet back as the echo reply.

    Using the Ping Tool

    Administrators can use the ASDM Ping tool as an interactive diagnostic aid in several ways, for example:

    Loopback testing of two interfaces: A ping may be initiated from one interface to another on the same security appliance, as an external loopback test to verify basic up status and operation of each interface.

    Pinging to a security appliance interface: An interface on another security appliance may be pinged by the Ping tool or another source to verify that it is up and responding.

    Pinging through a security appliance: Ping packets originating from the Ping tool may pass through an intermediate security appliance on their way to a device. The echo packets will also pass through two of its interfaces as they return. This procedure can be used to perform a basic test of the interfaces, operation, and response time of the intermediate unit.

    Pinging to test questionable operation of a network device: A ping may be initiated from a security appliance interface to a network device that is suspected to be functioning improperly. If the interface is configured properly and an echo is not received, there may be problems with the device.

    Pinging to test intermediate communications: A ping may be initiated from a security appliance interface to a network device which is known to be functioning properly and returning echoes. If the echo is received, the proper operation of any intermediate devices and physical connectivity is confirmed.

    Troubleshooting the Ping Tool

    When pings fail to receive an echo, it may be the result of a configuration or operational error in a security appliance, and not always due to NO response from the IP address being pinged. Before using the Ping tool to ping from, to or through a security appliance interface, verify the following:

    Basic Interface Checks
        Verify that interfaces are configured properly in Configuration > Properties > Interfaces.
        Verify that devices in the intermediate communications path, such as switches or routers, are properly delivering other types of network traffic.
        Make sure that traffic of other types from known good sources is being passed. Use Monitoring > Interface Graphs.

    Pinging from a security appliance interface
        For basic testing of an interface, a ping may be initiated from a security appliance interface to a network device which, by other means, is known to be functioning properly and returning echoes via the intermediate communications path.
        Verify receipt of the ping from the security appliance interface by the known good device. If it is not received, there may be a problem with the transmit hardware or configuration of the interface.
        If the security appliance interface is configured properly and it does not receive an echo from the known good device, there may be problems with the interface hardware receive function. If a different interface with known good receive capability can receive an echo after pinging the same known good device, the hardware receive problem of the first interface is confirmed.

    OL-10106-04

    Pinging to a security appliance interface
        When attempting to ping a security appliance interface, verify that the ping response (ICMP echo reply) is enabled for that interface in the Configuration > Properties > Administration > ICMP panel. When pinging is disabled, the security appliance cannot be detected by other devices or software applications, and will not respond to the ASDM Ping tool.

    Pinging through the security appliance
        First, verify that other types of network traffic from known good sources are being passed through the security appliance. Use Monitoring > Interface Graphs, or an SNMP management station.
        To enable internal hosts to ping external hosts, ICMP access must be configured correctly for both the inside and outside interfaces in Configuration > Access Rules.

    Fields

    IP Address: The destination IP address for the ICMP echo request packets.

    Note If a host name has been assigned in the Configuration > Network Objects/Groups pane, you can use the host name in place of the IP address.

    Interface (optional): The security appliance interface that transmits the echo request packets. If it is not specified, the security appliance checks the routing table to find the destination address and uses the required interface.

    Ping Output: The result of the ping. When you click Ping, three attempts are made to ping the IP address, and three results display the following fields:
        Reply IP address/Device name: The IP address of the device pinged or a device name, if available. The name of the device, if assigned as a Network Object, may be displayed, even if NO response is the result.
        Response time/timeout (ms): When the ping is transmitted, a millisecond timer starts with a specified maximum, or timeout value. This is useful for testing the relative response times of different routes or activity levels, for example.

    Example Ping Output:

        Sending 5, 100-byte ICMP Echos to out-pc, timeout is 2 seconds:
        !!!!!
        Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

    If the ping fails, the output is as follows:

        Sending 5, 100-byte ICMP Echos to 10.132.80.101, timeout is 2 seconds:
        ?????
        Success rate is 0 percent (0/5)

    Ping: Sends an ICMP echo request packet from the specified or default interface to the specified IP address and starts the response timer.
    Clear Screen: Clears the output on the screen from previous ping command attempts.
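The success and failure listings quoted above can be read mechanically. The Python below is an added example, not code from the guide: it parses a Ping listing into a structured result, checks that the per-probe marks agree with the summary line, and maps the outcome onto the cases the troubleshooting section separates. The sample listings are constructed from the quoted output, and reading '!' as a reply and '?' as a timeout is inferred from those two examples.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample input: the two listings quoted in this section (a fully
# successful ping and a fully failed one), not captured from a device.
PING_OK = """Sending 5, 100-byte ICMP Echos to out-pc, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms"""
PING_FAIL = """Sending 5, 100-byte ICMP Echos to 10.132.80.101, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)"""

# Header and summary lines as the guide prints them; the round-trip part is
# optional because it is absent when no echo reply came back.
HEADER_RE = re.compile(
    r"Sending (?P<count>\d+), (?P<size>\d+)-byte ICMP Echos to (?P<target>\S+), "
    r"timeout is (?P<timeout>\d+) seconds:")
SUMMARY_RE = re.compile(
    r"Success rate is (?P<pct>\d+) percent \((?P<ok>\d+)/(?P<sent>\d+)\)"
    r"(?:, round-trip min/avg/max = (?P<min>\d+)/(?P<avg>\d+)/(?P<max>\d+) ms)?")

@dataclass
class PingResult:
    target: str
    timeout_s: int
    sent: int
    received: int
    probes: str                              # one mark per probe: '!' reply, '?' timeout
    rtt_ms: Optional[Tuple[int, int, int]]   # (min, avg, max); None if nothing replied

def parse_ping(text: str) -> PingResult:
    """Parse one ASDM Ping listing, cross-checking the per-probe marks against
    the summary line so a truncated or garbled listing is rejected, not misread."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    hdr = HEADER_RE.match(lines[0])
    summ = SUMMARY_RE.match(lines[-1])
    if hdr is None or summ is None:
        raise ValueError("not a ping listing in the format this guide shows")
    probes = "".join(lines[1:-1])
    if set(probes) - {"!", "?"}:
        raise ValueError("unexpected probe mark in %r" % probes)
    if len(probes) != int(summ["sent"]) or probes.count("!") != int(summ["ok"]):
        raise ValueError("probe marks disagree with the summary line")
    rtt = None
    if summ["min"] is not None:
        rtt = (int(summ["min"]), int(summ["avg"]), int(summ["max"]))
    return PingResult(hdr["target"], int(hdr["timeout"]), int(summ["sent"]),
                      int(summ["ok"]), probes, rtt)

def classify(result: PingResult) -> str:
    """Map a result onto the outcomes the troubleshooting text separates: every
    echo returned; none returned (check the interface configuration, whether ICMP
    is permitted on the pinged interface, and the intermediate path before blaming
    the target); or partial loss."""
    if result.received == result.sent:
        return "reachable"
    if result.received == 0:
        return "no-echo"
    return "partial-loss"
```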

    Modes

    The following table shows the modes in which this feature is available:


    Traceroute

    The Traceroute dialog box provides a useful tool to determine the route packets will take to their destination.

    Traceroute Output

    The traceroute tool prints the result of each probe sent. Every line of output corresponds to a TTL value in increasing order. The following are the output symbols printed by the traceroute tool:

    Output Symbol   Description
    *               No response was received for the probe within the timeout period.
    nn msec         For each node, the round-trip time (in milliseconds) for the specified number of probes.
    !N              ICMP network unreachable.
    !H              ICMP host unreachable.
    !P              ICMP protocol unreachable.
    !A              ICMP administratively prohibited.
    ?               Unknown ICMP error.

    Fields

    Hostname or IP address: Specifies the hostname of the host to which the route is traced. If a hostname is specified, define it with Configuration > Global Objects/Groups, or configure a DNS server to enable traceroute to resolve the hostname to an IP address.
    Timeout: Specifies the amount of time in seconds to wait for a response before the connection times out. The default is three seconds.
    Port: Specifies the destination port used by the UDP probe messages. The default is 33434.
    Probe: Specifies the number of probes to be sent at each TTL level. The default count is 3.
    Min & Max TTL: Specifies the minimum and maximum time to live values for the first probes. The minimum default is one, but it can be set to a higher value to suppress the display of known hops. The maximum default is 30. The tool terminates when the traceroute packet reaches the destination or when the maximum value is reached.
    Destination Port: Specifies the destination port used by the UDP probe messages. The default is 33434.
    Specify Source Interface or IP Address: Specifies the source interface or IP address for the packet trace. This IP address must be the IP address of one of the interfaces. In transparent mode, it must be the management IP address of the security appliance.
    Reverse Resolve: When checked, the output displays the names of hops encountered if name resolution is configured. If left unchecked, the output displays IP addresses.
    Use ICMP: Specifies the use of ICMP probe packets instead of UDP probe packets.
    Traceroute Output: Displays detailed messages about the traceroute.
    Traceroute: Starts the traceroute.
    Clear: Clears all fields.

    Modes

    The following table shows the modes in which this feature is available:

    Firewall Mode          Security Context
    Routed   Transparent   Single   Multiple
                                    Context   System
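As an added example (not the guide's own code), the Python below decodes a traceroute listing with the symbol table from the Traceroute Output section: each hop becomes a record of round-trip times and ICMP errors, and first_problem() reports the first TTL at which no probe returned, so a silent hop ('*') can be told apart from one that answered "administratively prohibited" ('!A'). The per-hop line layout and the sample listing are assumptions; the guide documents only the symbols.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Meaning of each probe symbol, as listed in the Traceroute Output table above.
SYMBOLS = {"*": "timeout", "!N": "network unreachable", "!H": "host unreachable",
           "!P": "protocol unreachable", "!A": "administratively prohibited",
           "?": "unknown ICMP error"}

# Constructed sample listing, not captured from a device. The per-hop layout
# (TTL, responding address, one result per probe) is an assumption; the guide
# documents only the symbols.
SAMPLE = """ 1  10.1.1.1 1 msec 1 msec 2 msec
 2  * * *
 3  192.0.2.1 4 msec !A !A
 4  198.51.100.9 !H !H !H"""

HOP_RE = re.compile(r"^\s*(?P<ttl>\d+)\s+(?P<rest>.*\S)\s*$")

@dataclass
class Hop:
    ttl: int
    address: Optional[str]                  # None when no probe drew a reply
    rtts_ms: List[int] = field(default_factory=list)
    errors: List[str] = field(default_factory=list)

def _is_rtt(tokens: List[str], i: int) -> bool:
    return tokens[i].isdigit() and i + 1 < len(tokens) and tokens[i + 1] == "msec"

def parse_hop(line: str) -> Hop:
    """Turn one output line into a Hop, rejecting tokens outside the symbol set
    so a mangled listing fails loudly instead of being silently misread."""
    m = HOP_RE.match(line)
    if m is None:
        raise ValueError("not a traceroute hop line: %r" % line)
    tokens = m["rest"].split()
    address = None
    if tokens[0] not in SYMBOLS and not _is_rtt(tokens, 0):
        address = tokens.pop(0)
    hop = Hop(int(m["ttl"]), address)
    i = 0
    while i < len(tokens):
        if tokens[i] in SYMBOLS:
            hop.errors.append(SYMBOLS[tokens[i]])
            i += 1
        elif _is_rtt(tokens, i):
            hop.rtts_ms.append(int(tokens[i]))
            i += 2
        else:
            raise ValueError("unknown probe result %r at TTL %d" % (tokens[i], hop.ttl))
    return hop

def parse_traceroute(text: str) -> List[Hop]:
    return [parse_hop(ln) for ln in text.splitlines() if ln.strip()]

def first_problem(hops: List[Hop]) -> Optional[Tuple[int, str]]:
    """Return (TTL, reason) for the first hop where no probe got a round-trip
    time: a silent hop ('*') and a filtering hop ('!A') both end the trace
    but point at very different fixes."""
    for hop in hops:
        if not hop.rtts_ms and hop.errors:
            return hop.ttl, max(set(hop.errors), key=hop.errors.count)
    return None
```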

    File Management

    Lets you view, move, copy and delete files stored on Flash memory. You can also create a directory in Flash memory.

    In multiple context mode, this tool is only available in the system.

    Fields

    Folders: Displays the folders available on disk.
    Flash Space: Shows the size of Flash and how much is available.
        Total: Shows the total size of Flash memory.
        Available: Shows how much memory is available.
    Files: Displays information about the files in the selected folder.
        Path: Shows the selected path.
        The file list has the columns Filename, Size (bytes), Time Modified, and Status.
    View: Displays the selected file in your browser.
    Cut: Cuts the selected file for pasting to another directory.
    Copy: Copies the selected file for pasting to another directory.
    Paste: Pastes the copied file to the selected destination.
    Delete: Deletes the selected file from Flash.
    Rename: Lets you rename the file.
    New Directory: Creates a new directory for storing files.
    File Transfer: Opens the File Transfer dialog box.

    Modes

    The following table shows the modes in which this feature is available:

    Firewall Mode          Security Context
    Routed   Transparent   Single   Multiple
                                    Context   System

    Upload Image from Local PC

    The Upload Image from Local PC dialog box lets you choose a security appliance image file, ASDM image, or other images on your PC, and upload it to Flash memory.

    Fields

    Image to upload: Select which image type to upload.
    Local File Path: Enter the path to the file on your PC.
    Browse Local: Select to browse to the file on your PC.
    Flash File System Path: Enter the path in Flash memory to which the file is copied.
    Browse Local: Select to browse to the directory or file in Flash memory.

    Modes

    The following table shows the modes in which this feature is available:

    Firewall Mode          Security Context
    Routed   Transparent   Single   Multiple
                                    Context   System

    File Transfer

    File Transfer lets you copy files to and from your security appliance using HTTPS, TFTP, FTP or by browsing for a local image.

    Fields

    Source File: Select the source file to be transferred.
        Remote Server: Select to transfer a file from a remote server.
            Path: Enter the path to the location of the file, including the IP address of the server.
            Port/Type: Enter the port number or type (if FTP) of the remote server. Valid FTP types are:
                ap: ASCII files in passive mode.
                an: ASCII files in non-passive mode.
                ip: Binary image files in passive mode.
                in: Binary image files in non-passive mode.
        Flash File System: Select to copy the file from Flash memory.
            Path: Enter the path to the location of the file.
            Browse Flash: Select to browse to the file location on your security appliance from which the file will be copied.
        Local Computer: Select to copy the file from the local PC.
            Path: Enter the path to the location of the file.
            Browse Localhost: Browses the local PC for the file to be transferred.
    Destination File: Select the destination of the transferred file. Depending on the source selected, either the Flash File System or the Remote Server is selected automatically.
        Flash File System: Transfers the file to Flash memory.
            Path: Enter the path to the location of the file.
            Browse Flash: Select to browse to the file location on your security appliance to which the file will be transferred.
        Remote Server: Transfers a file to a remote server.
            Path: Enter the path to the location of the file.
            Type: For FTP transfers, enter the type. Valid types are:
                ap: ASCII files in passive mode.
                an: ASCII files in non-passive mode.
                ip: Binary image files in passive mode.
                in: Binary image files in non-passive mode.
    Transfer File: Starts the file transfer.

    Modes

    The following table shows the modes in which this feature is available:

    Firewall Mode          Security Context
    Routed   Transparent   Single   Multiple
                                    Context   System

    Upload ASDM Assistant Guide

    Upload ASDM Assistant Guide lets you upload an XML file to Flash memory that contains useful ASDM procedural help about certain tasks. You can obtain these files from Cisco.com. Once loaded, the files are available in the Search field in the File Menu.

    Fields

    File to upload: The name of the XML file located on your computer, typically obtained from Cisco.com.
    Flash File System Path: The path in Flash memory where the XML file is loaded.
    Upload File: Starts the upload.

    Modes

    The following table shows the modes in which this feature is available:

    Firewall Mode          Security Context
    Routed   Transparent   Single   Multiple
                                    Context   System

    System Reload

    System Reload lets you restart the system and reload the saved configuration into memory. The System Reload dialog box lets you choose when the system should be reloaded, whether to save the running configuration to Flash memory, and whether to send a message to connected users at reload.

    Fields

    Reload Scheduling: Lets you configure when the reload will take place.
        Configuration State: Select whether to save the running configuration or not at reload.
            Save the Running Configuration at Time of Reload: Select to save the running configuration at reload.
            Reload Without Saving the Running Configuration: Select to discard configuration changes to the running configuration at reload.
        Reload Start Time: Lets you select the time of the reload.
            Now: Select to perform an i