Cisco ASA Series Firewall ASDM Configuration Guide, 7.10 Americas Headquarters Cisco Systems, Inc

ASDM Book 2: Cisco ASA Series Firewall ASDM Configuration Guide, 7.10

Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED "AS IS" WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

All printed copies and duplicate soft copies of this document are considered uncontrolled. See the current online version for the latest version.

Cisco has more than 200 offices worldwide. Addresses and phone numbers are listed on the Cisco website at www.cisco.com/go/offices.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: https://www.cisco.com/c/en/us/about/legal/trademarks.html. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1721R)

© 2021 Cisco Systems, Inc. All rights reserved.
CONTENTS

PREFACE About This Guide xix
  Document Objectives xix
  Related Documentation xix
  Document Conventions xix
  Communications, Services, and Additional Information xxi

CHAPTER 1 Introduction to Cisco ASA Firewall Services 1
  How to Implement Firewall Services 1
    Basic Access Control 2
    Application Filtering 2
    URL Filtering 3
    Threat Protection 3
    Firewall Services for Virtual Environments 4
    Network Address Translation 4
    Application Inspection 5
  Use Case: Expose a Server to the Public 5

PART I Access Control 9

CHAPTER 2 Access Rules 11
  Controlling Network Access 11
    General Information About Rules 12
      Interface Access Rules and Global Access Rules 12
      Inbound and Outbound Rules 12
      Rule Order 13
      Implicit Permits 13
      Implicit Deny 14
      NAT and Access Rules 14
      Same Security Level Interfaces and Access Rules 14
    Extended Access Rules 15
      Extended Access Rules for Returning Traffic 15
      Allowing Broadcast and Multicast Traffic 15
    Management Access Rules 15
    EtherType Rules 16
      Supported EtherTypes and Other Traffic 16
      EtherType Rules for Returning Traffic 16
      Allowing MPLS 16
  Licensing for Access Rules 17
  Guidelines for Access Control 17
  Configure Access Control 18
    Configure Access Rules 18
      Access Rule Properties 19
      Configure Advanced Options for Access Rules 21
    Configure Management Access Rules 23
    Configure EtherType Rules 24
    Configure ICMP Access Rules 25
  Monitoring Access Rules 26
    Evaluating Syslog Messages for Access Rules 26
  History for Access Rules 27

CHAPTER 3 Objects for Access Control 29
  Guidelines for Objects 29
  Configure Objects 30
    Configure Network Objects and Groups 30
      Configure a Network Object 30
      Configure a Network Object Group 31
    Configure Service Objects and Service Groups 31
      Configure a Service Object 31
      Configure a Service Group 32
    Configure Local User Groups 33
    Configure Security Group Object Groups 34
    Configure Time Ranges 35
  Monitoring Objects 36
  History for Objects 36

CHAPTER 4 Access Control Lists 37
  About ACLs 37
    ACL Types 37
    The ACL Manager 39
    ACL Names 39
    Access Control Entry Order 39
    Permit/Deny vs. Match/Do Not Match 40
    Access Control Implicit Deny 40
    IP Addresses Used for Extended ACLs When You Use NAT 40
    Time-Based ACEs 41
  Licensing for Access Control Lists 41
  Guidelines for ACLs 42
  Configure ACLs 43
    Configure Extended ACLs 43
      Extended ACE Properties 44
      Service Specifications in Extended ACEs 46
    Configure Standard ACLs 47
    Configure Webtype ACLs 48
      Webtype ACE Properties 48
      Examples for Webtype ACLs 50
  Monitoring ACLs 50
  History for ACLs 51

CHAPTER 5 Identity Firewall 53
  About the Identity Firewall 53
    Architecture for Identity Firewall Deployments 54
    Features of the Identity Firewall 55
    Deployment Scenarios 57
  Guidelines for the Identity Firewall 59
  Prerequisites for the Identity Firewall 61
  Configure the Identity Firewall 62
    Configure the Active Directory Domain 62
    Configure Active Directory Server Groups 63
    Configure Active Directory Agents 64
    Configure Active Directory Agent Groups 64
    Configure Identity Options 65
    Configure Identity-Based Security Policy 67
  Monitoring the Identity Firewall 68
  History for the Identity Firewall 69

CHAPTER 6 ASA and Cisco TrustSec 71
  About Cisco TrustSec 71
    About SGT and SXP Support in Cisco TrustSec 72
    Roles in the Cisco TrustSec Feature 72
    Security Group Policy Enforcement 73
    How the ASA Enforces Security Group-Based Policies 74
    Effects of Changes to Security Groups on the ISE 75
    Speaker and Listener Roles on the ASA 76
    Register the ASA with the ISE 77
    Create a Security Group on the ISE 78
    Generate the PAC File 78
  Guidelines for Cisco TrustSec 78
  Configure the ASA to Integrate with Cisco TrustSec 81
    Configure the AAA Server for Cisco TrustSec Integration 82
    Import a PAC File 83
    Configure the Security Exchange Protocol 84
      Add an SXP Connection Peer 85
    Refresh Environment Data 86
    Configure the Security Policy 87
    Configure Layer 2 Security Group Tagging Imposition 87
      Usage Scenarios 88
      Configure a Security Group Tag on an Interface 89
      Configure IP-SGT Bindings Manually 90
  AnyConnect VPN Support for Cisco TrustSec 90
    Add an SGT to Remote Access VPN Group Policies and Local Users 91
  Monitoring Cisco TrustSec 91
  History for Cisco TrustSec 92

CHAPTER 7 ASA FirePOWER Module 95
  About the ASA FirePOWER Module 95
    How the ASA FirePOWER Module Works with the ASA 95
      ASA FirePOWER Inline Mode 96
      ASA FirePOWER Inline Tap Monitor-Only Mode 97
      ASA FirePOWER Passive Monitor-Only Traffic Forwarding Mode 97
    ASA FirePOWER Management 98
    Compatibility with ASA Features 98
    What to Do if the ASA FirePOWER Module Cannot Filter URLs 98
  Licensing Requirements for the ASA FirePOWER Module 99
  Guidelines for ASA FirePOWER 99
  Defaults for ASA FirePOWER 101
  Perform Initial ASA FirePOWER Setup 101
    Deploy the ASA FirePOWER Module in Your Network 101
      Routed Mode 101
      Transparent Mode 104
    Register the ASA FirePOWER Module with a Management Center 106
    Access the ASA FirePOWER CLI 106
    Configure ASA FirePOWER Basic Settings 107
    Configure the ASA FirePOWER Module for ASDM Management 108
  Configure the ASA FirePOWER Module 110
    Configure the Security Policy on the ASA FirePOWER Module 110
    Redirect Traffic to the ASA FirePOWER Module 110
      Configure Inline or Inline Tap Monitor-Only Modes 110
      Configure Passive Traffic Forwarding 111
    Enable Captive Portal for Active Authentication 112
  Managing the ASA FirePOWER Module 113
    Install or Reimage the Module 113
      Install or Reimage the Software Module 114
      Reimage the 5585-X ASA FirePOWER Hardware Module 117
    Reset the Password 119
    Reload or Reset the Module 119
    Shut Down the Module 120
    Uninstall a Software Module Image 120
    Session to the Software Module From the ASA 121
    Upgrade the System Software 121
  Monitoring the ASA FirePOWER Module 122
    Showing Module Status 122
    Showing Module Statistics 122
    Analyzing Operational Behavior (ASDM Management) 122
    Monitoring Module Connections 123
  History for the ASA FirePOWER Module 124

CHAPTER 8 Cisco Umbrella 127
  About Cisco Umbrella Connector 127
    Cisco Umbrella Enterprise Security Policy 127
    Cisco Umbrella Registration 128
  Licensing Requirements for Cisco Umbrella Connector 128
  Guidelines and Limitations for Cisco Umbrella 128
  Configure Cisco Umbrella Connector

Details

  • File Type
    pdf
  • Content Languages
    English
  • File Pages
    466 Page