Cisco ASA Series General Operations CLI Configuration Guide Software Version 9.2 For the ASA 5505, ASA 5512-X, ASA 5515-X, ASA 5525-X, ASA 5545-X, ASA 5555-X, ASA 5585-X, ASA Services Module, and the Adaptive Security Virtual Appliance Released: April 24, 2014 Updated: September 16, 2014 Cisco Systems, Inc www.cisco.com Cisco has more than 200 offices worldwide Addresses, phone numbers, and fax numbers are listed on the Cisco website at www.cisco.com/go/offices Text Part Number: N/A, Online only THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system All rights reserved Copyright © 1981, Regents of the University of California NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S and other countries To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks Third-party trademarks mentioned are the property of their respective owners The use of the word partner does not imply a partnership relationship between Cisco and any other company (1110R) Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental Cisco ASA Series General Operations CLI Configuration Guide Copyright © 2014 Cisco Systems, Inc All rights reserved CONTENTS About This Guide xxxv Document Objectives xxxv Related Documentation Conventions xxxv xxxv Obtaining Documentation and Submitting a Service Request PART Getting Started with the ASA CHAPTER xxxvi Introduction to the Cisco ASA 1-1 Hardware and Software Compatibility VPN Compatibility 1-1 1-1 New Features 1-2 New Features in ASA 9.2(2.4) 1-2 New Features in ASA 9.2(1) 1-2 How the ASA Services Module Works with the Switch 1-8 Firewall Functional Overview 1-9 Security Policy Overview 1-10 Firewall Mode Overview 1-12 Stateful Inspection Overview 1-13 VPN Functional Overview Security Context Overview ASA Clustering Overview Legacy Features CHAPTER 1-14 1-14 1-15 1-15 Switch Configuration for the ASA Services Module Information About the Switch 2-1 Supported Switch Hardware and Software Backplane Connection 2-2 ASA and IOS Feature Interaction 2-2 Information About SVIs 2-3 Guidelines and Limitations 2-1 2-1 2-3 Verifying the Module Installation 2-4 Assigning VLANs to the ASA Services Module 2-5 Cisco ASA Series General Operations CLI Configuration Guide iii Contents Using the MSFC as a Directly Connected Router (SVIs) 2-8 Configuring the Switch for ASA Failover 2-9 Assigning VLANs to the Secondary ASA Services Module 2-9 Adding a Trunk Between a Primary Switch and Secondary Switch 2-9 Ensuring Compatibility with Transparent Firewall Mode 2-9 Enabling Autostate Messaging for Rapid Link Failure Detection 2-9 Resetting the ASA Services Module 2-10 Monitoring the ASA Services Module 2-10 Feature History for the Switch for Use with the ASA Services Module CHAPTER Cisco Adaptive Security Virtual Appliance Deployment Information About the ASAv 3-1 VMware System Requirements 3-1 VMware Feature Support for the ASAv Prerequisites for the ASAv 2-13 3-1 3-2 3-2 Guidelines and Limitations for the ASAv Licensing Requirements for the ASAv 3-3 3-5 Deploying the ASAv 3-5 Accessing the vSphere Web Client and Installing the Client Integration Plug-In Deploying the ASAv Using the VMware vSphere Web Client 3-7 Connecting to the CLI or ASDM 3-12 Managing the ASAv License 3-13 Applying the ASAv License 3-13 Upgrading the vCPU License 3-13 CHAPTER Getting Started 4-1 Accessing the Console for Command-Line Interface 4-1 Accessing the Appliance Console 4-1 Accessing the ASA Services Module Console 4-2 Accessing the ASAv Console 4-6 Configuring ASDM Access 4-8 Configuring ASDM Access for Appliances and the ASAv Configuring ASDM Access for the ASA Services Module Starting ASDM 4-17 Factory Default Configurations 4-18 Restoring the Factory Default Configuration 4-19 Restoring the ASAv Deployment Configuration 4-20 ASA 5505 Default Configuration 4-20 Cisco ASA Series General Operations CLI Configuration Guide iv 4-8 4-13 3-5 Contents ASA 5512-X and Higher Default Configuration ASAv Deployment Configuration 4-24 4-24 Working with the Configuration 4-25 Saving Configuration Changes 4-26 Copying the Startup Configuration to the Running Configuration Viewing the Configuration 4-28 Clearing and Removing Configuration Settings 4-28 Creating Text Configuration Files Offline 4-29 Applying Configuration Changes to Connections Reloading the ASA CHAPTER Feature Licenses 4-27 4-29 4-30 5-1 Supported Feature Licenses Per Model 5-1 Licenses Per Model 5-1 License Notes 5-15 VPN License and Feature Compatibility 5-20 Information About Feature Licenses 5-21 Preinstalled License 5-21 Permanent License 5-21 Time-Based Licenses 5-21 Shared AnyConnect Premium Licenses 5-24 Failover or ASA Cluster Licenses 5-27 No Payload Encryption Models 5-30 Licenses FAQ 5-30 Guidelines and Limitations 5-31 Configuring Licenses 5-32 Obtaining an Activation Key 5-32 Activating or Deactivating Keys 5-33 Configuring a Shared License 5-34 Monitoring Licenses 5-38 Viewing Your Current License 5-38 Monitoring the Shared License 5-49 Feature History for Licensing CHAPTER 5-50 Transparent or Routed Firewall Mode 6-1 Information About the Firewall Mode 6-1 Information About Routed Firewall Mode 6-1 Information About Transparent Firewall Mode 6-2 Cisco ASA Series General Operations CLI Configuration Guide v Contents Licensing Requirements for the Firewall Mode Default Settings 6-7 6-7 Guidelines and Limitations 6-8 Setting the Firewall Mode 6-9 Configuring ARP Inspection for the Transparent Firewall Task Flow for Configuring ARP Inspection 6-10 Adding a Static ARP Entry 6-10 Enabling ARP Inspection 6-11 6-10 Customizing the MAC Address Table for the Transparent Firewall 6-12 Monitoring the Transparent Firewall 6-13 Monitoring ARP Inspection 6-13 Monitoring the MAC Address Table 6-13 Firewall Mode Examples 6-14 How Data Moves Through the ASA in Routed Firewall Mode How Data Moves Through the Transparent Firewall 6-20 Feature History for the Firewall Mode PART 6-25 High Availability and Scalability CHAPTER Multiple Context Mode 7-1 Information About Security Contexts 7-1 Common Uses for Security Contexts 7-2 Context Configuration Files 7-2 How the ASA Classifies Packets 7-3 Cascading Security Contexts 7-6 Management Access to Security Contexts Information About Resource Management Information About MAC Addresses 7-11 7-7 7-8 Licensing Requirements for Multiple Context Mode Prerequisites 7-13 7-13 Guidelines and Limitations Default Settings 7-14 7-14 Configuring Multiple Contexts 7-15 Task Flow for Configuring Multiple Context Mode 7-15 Enabling or Disabling Multiple Context Mode 7-15 Configuring a Class for Resource Management 7-16 Configuring a Security Context 7-19 Automatically Assigning MAC Addresses to Context Interfaces Cisco ASA Series General Operations CLI Configuration Guide vi 6-14 7-24 Contents Changing Between Contexts and the System Execution Space 7-24 Managing Security Contexts 7-25 Removing a Security Context 7-25 Changing the Admin Context 7-26 Changing the Security Context URL 7-26 Reloading a Security Context 7-27 Monitoring Security Contexts 7-28 Viewing Context Information 7-29 Viewing Resource Allocation 7-30 Viewing Resource Usage 7-33 Monitoring SYN Attacks in Contexts 7-34 Viewing Assigned MAC Addresses 7-36 Configuration Examples for Multiple Context Mode Feature History for Multiple Context Mode CHAPTER Failover 7-39 7-40 8-1 Introduction to Failover 8-1 Failover Overview 8-2 Failover System Requirements 8-2 Failover and Stateful Failover Links 8-3 MAC Addresses and IP Addresses 8-7 Intra- and Inter-Chassis Module Placement for the ASA Services Module Stateless and Stateful Failover 8-12 Transparent Firewall Mode Requirements 8-14 Failover Health Monitoring 8-16 Failover Times 8-18 Configuration Synchronization 8-18 Information About Active/Standby Failover 8-20 Information About Active/Active Failover 8-21 Licensing Requirements Failover Prerequisites for Failover Guidelines and Limitations Default Settings 8-8 8-24 8-25 8-25 8-26 Configuring Active/Standby Failover 8-26 Configuring the Primary Unit for Active/Standby Failover 8-26 Configuring the Secondary Unit for Active/Standby Failover 8-30 Configuring Active/Active Failover 8-31 Configuring the Primary Unit for Active/Active Failover 8-31 Cisco ASA Series General Operations CLI Configuration Guide vii Contents Configuring the Secondary Unit for Active/Active Failover 8-36 Configuring Optional Failover Parameters 8-36 Configuring Failover Criteria, HTTP Replication, Group Preemption, and MAC Addresses Configuring Interface Monitoring 8-39 Configuring Support for Asymmetrically Routed Packets (Active/Active Mode) 8-40 Managing Failover 8-43 Remote Command Execution 8-46 Sending a Command 8-46 Changing Command Modes 8-47 Security Considerations 8-48 Limitations of Remote Command Execution 8-48 Monitoring Failover 8-49 Failover Messages 8-49 Monitoring Failover 8-50 Feature History for Failover CHAPTER ASA Cluster 8-50 9-1 Information About ASA Clustering 9-1 How the ASA Cluster Fits into Your Network 9-2 Performance Scaling Factor 9-2 Cluster Members 9-2 Cluster Interfaces 9-4 Cluster Control Link 9-6 High Availability Within the ASA Cluster 9-9 Configuration Replication 9-11 ASA Cluster Management 9-11 Load Balancing Methods 9-13 Inter-Site Clustering 9-18 How the ASA Cluster Manages Connections 9-21 ASA Features and Clustering 9-23 Licensing Requirements for ASA Clustering Prerequisites for ASA Clustering Guidelines and Limitations Default Settings 9-31 9-31 9-32 9-36 Configuring ASA Clustering 9-36 Task Flow for ASA Cluster Configuration 9-36 Cabling the Cluster Units and Configuring Upstream and Downstream Equipment Configuring the Cluster Interface Mode on Each Unit 9-39 Cisco ASA Series General Operations CLI Configuration Guide viii 9-37 8-37 Contents Configuring Interfaces on the Master Unit 9-40 Configuring the Master Unit Bootstrap Settings 9-47 Configuring Slave Unit Bootstrap Settings 9-53 Managing ASA Cluster Members 9-57 Becoming an Inactive Member 9-58 Inactivating a Member 9-58 that Leaving the Cluster 9-59 Changing the Master Unit 9-60 Executing a Command Cluster-Wide 9-61 Monitoring the ASA Cluster 9-62 Monitoring Commands 9-62 Related Commands 9-64 Configuration Examples for ASA Clustering 9-66 Sample ASA and Switch Configuration 9-66 Firewall on a Stick 9-69 Traffic Segregation 9-71 Spanned EtherChannel with Backup Links (Traditional Active/8 Standby) Feature History for ASA Clustering PART 9-78 Interfaces CHAPTER 9-73 10 Basic Interface Configuration (ASA 5512-X and Higher) 10-1 Information About Starting ASA 5512-X and Higher Interface Configuration 10-1 Auto-MDI/MDIX Feature 10-2 Interfaces in Transparent Mode 10-2 Management Interface 10-2 Redundant Interfaces 10-4 EtherChannels 10-5 Controlling Fragmentation with the Maximum Transmission Unit and TCP Maximum Segment Size 10-7 Licensing Requirements for ASA 5512-X and Higher Interfaces Guidelines and Limitations Default Settings 10-10 10-11 10-13 Starting Interface Configuration (ASA 5512-X and Higher) 10-13 Task Flow for Starting Interface Configuration 10-14 Enabling the Physical Interface and Configuring Ethernet Parameters Configuring a Redundant Interface 10-17 Configuring an EtherChannel 10-19 Configuring VLAN Subinterfaces and 802.1Q Trunking 10-22 10-14 Cisco ASA Series General Operations CLI Configuration Guide ix Contents Enabling Jumbo Frame Support 10-24 Converting In-Use Interfaces to a Redundant or EtherChannel Interface Monitoring Interfaces 10-34 10-34 Configuration Examples for ASA 5512-X and Higher Interfaces Physical Interface Parameters Example 10-35 Subinterface Parameters Example 10-35 Multiple Context Mode Example 10-35 EtherChannel Example 10-35 Where to Go Next 10-36 Feature History for ASA 5512-X and Higher Interfaces CHAPTER 11 10-35 Basic Interface Configuration (ASA 5505) 10-36 11-1 Information About ASA 5505 Interfaces 11-1 Understanding ASA 5505 Ports and Interfaces 11-2 Maximum Active VLAN Interfaces for Your License 11-2 VLAN MAC Addresses 11-4 Power over Ethernet 11-4 Monitoring Traffic Using SPAN 11-4 Auto-MDI/MDIX Feature 11-4 Licensing Requirements for ASA 5505 Interfaces Guidelines and Limitations Default Settings 11-4 11-5 11-5 Starting ASA 5505 Interface Configuration 11-6 Task Flow for Starting Interface Configuration 11-6 Configuring VLAN Interfaces 11-6 Configuring and Enabling Switch Ports as Access Ports 11-7 Configuring and Enabling Switch Ports as Trunk Ports 11-9 Monitoring Interfaces 11-11 Configuration Examples for ASA 5505 Interfaces Access Port Example 11-11 Trunk Port Example 11-12 Where to Go Next 11-13 Feature History for ASA 5505 Interfaces CHAPTER 12 11-11 Basic Interface Configuration (ASAv) 11-13 12-1 Information About Starting ASAv Interface Configuration ASAv Interfaces and Virtual NICs 12-1 Cisco ASA Series General Operations CLI Configuration Guide x 12-1 10-25 Chapter 52 Addresses, Protocols, and Ports IPv4 Addresses and Subnet Masks • Class B addresses (128.0.xxx.xxx through 191.255.xxx.xxx) use the first two octets as the network prefix • Class C addresses (192.0.0.xxx through 223.255.255.xxx) use the first three octets as the network prefix Because Class A addresses have 16,777,214 host addresses, and Class B addresses 65,534 hosts, you can use subnet masking to break these huge networks into smaller subnets Private Networks If you need large numbers of addresses on your network, and they not need to be routed on the Internet, you can use private IP addresses that the Internet Assigned Numbers Authority (IANA) recommends (see RFC 1918) The following address ranges are designated as private networks that should not be advertised: • 10.0.0.0 through 10.255.255.255 • 172.16.0.0 through 172.31.255.255 • 192.168.0.0 through 192.168.255.255 Subnet Masks A subnet mask lets you convert a single Class A, B, or C network into multiple networks With a subnet mask, you can create an extended network prefix that adds bits from the host number to the network prefix For example, a Class C network prefix always consists of the first three octets of the IP address But a Class C extended network prefix uses part of the fourth octet as well Subnet masking is easy to understand if you use binary notation instead of dotted decimal The bits in the subnet mask have a one-to-one correspondence with the Internet address: • The bits are set to if the corresponding bit in the IP address is part of the extended network prefix • The bits are set to if the bit is part of the host number Example 1: If you have the Class B address 129.10.0.0 and you want to use the entire third octet as part of the extended network prefix instead of the host number, then you must specify a subnet mask of 11111111.11111111.11111111.00000000 This subnet mask converts the Class B address into the equivalent of a Class C address, where the host number consists of the last octet only Example 2: If you want to use only part of the third octet for the extended network prefix, then you must specify a subnet mask like 11111111.11111111.11111000.00000000, which uses only bits of the third octet for the extended network prefix You can write a subnet mask as a dotted-decimal mask or as a /bits (“slash bits”) mask In Example 1, for a dotted-decimal mask, you convert each binary octet into a decimal number: 255.255.255.0 For a /bits mask, you add the number of 1s: /24 In Example 2, the decimal number is 255.255.248.0 and the /bits is /21 You can also supernet multiple Class C networks into a larger network by using part of the third octet for the extended network prefix For example, 192.168.0.0/20 This section includes the following topics: • Determining the Subnet Mask, page 52-3 • Determining the Address to Use with the Subnet Mask, page 52-3 Cisco ASA Series General Operations CLI Configuration Guide 52-2 Chapter 52 Addresses, Protocols, and Ports IPv4 Addresses and Subnet Masks Determining the Subnet Mask To determine the subnet mask based on how many hosts you want, see Table 52-1 Table 52-1 Hosts, Bits, and Dotted-Decimal Masks Hosts1 /Bits Mask Dotted-Decimal Mask 16,777,216 /8 255.0.0.0 Class A Network 65,536 /16 255.255.0.0 Class B Network 32,768 /17 255.255.128.0 16,384 /18 255.255.192.0 8192 /19 255.255.224.0 4096 /20 255.255.240.0 2048 /21 255.255.248.0 1024 /22 255.255.252.0 512 /23 255.255.254.0 256 /24 255.255.255.0 Class C Network 128 /25 255.255.255.128 64 /26 255.255.255.192 32 /27 255.255.255.224 16 /28 255.255.255.240 /29 255.255.255.248 /30 255.255.255.252 Do not use /31 255.255.255.254 /32 255.255.255.255 Single Host Address The first and last number of a subnet are reserved, except for /32, which identifies a single host Determining the Address to Use with the Subnet Mask The following sections describe how to determine the network address to use with a subnet mask for a Class C-size and a Class B-size network This section includes the following topics: • Class C-Size Network Address, page 52-3 • Class B-Size Network Address, page 52-4 Class C-Size Network Address For a network between and 254 hosts, the fourth octet falls on a multiple of the number of host addresses, starting with For example, Table 52-2 shows the 8-host subnets (/29) of 192.168.0.x Table 52-2 Class C-Size Network Address Subnet with Mask /29 (255.255.255.248) Address Range1 192.168.0.0 192.168.0.0 to 192.168.0.7 192.168.0.8 192.168.0.8 to 192.168.0.15 Cisco ASA Series General Operations CLI Configuration Guide 52-3 Chapter 52 Addresses, Protocols, and Ports IPv4 Addresses and Subnet Masks Table 52-2 Class C-Size Network Address (continued) Subnet with Mask /29 (255.255.255.248) Address Range1 192.168.0.16 192.168.0.16 to 192.168.0.31 — — 192.168.0.248 192.168.0.248 to 192.168.0.255 The first and last address of a subnet are reserved In the first subnet example, you cannot use 192.168.0.0 or 192.168.0.7 Class B-Size Network Address To determine the network address to use with the subnet mask for a network with between 254 and 65,534 hosts, you need to determine the value of the third octet for each possible extended network prefix For example, you might want to subnet an address like 10.1.x.0, where the first two octets are fixed because they are used in the extended network prefix, and the fourth octet is because all bits are used for the host number To determine the value of the third octet, follow these steps: Step Calculate how many subnets you can make from the network by dividing 65,536 (the total number of addresses using the third and fourth octet) by the number of host addresses you want For example, 65,536 divided by 4096 hosts equals 16 Therefore, there are 16 subnets of 4096 addresses each in a Class B-size network Step Determine the multiple of the third octet value by dividing 256 (the number of values for the third octet) by the number of subnets: In this example, 256/16 = 16 The third octet falls on a multiple of 16, starting with Therefore, Table 52-3 shows the 16 subnets of the network 10.1 Table 52-3 Subnets of Network Subnet with Mask /20 (255.255.240.0) Address Range1 10.1.0.0 10.1.0.0 to 10.1.15.255 10.1.16.0 10.1.16.0 to 10.1.31.255 10.1.32.0 10.1.32.0 to 10.1.47.255 — — 10.1.240.0 10.1.240.0 to 10.1.255.255 The first and last address of a subnet are reserved In the first subnet example, you cannot use 10.1.0.0 or 10.1.15.255 Cisco ASA Series General Operations CLI Configuration Guide 52-4 Chapter 52 Addresses, Protocols, and Ports IPv6 Addresses IPv6 Addresses IPv6 is the next generation of the Internet Protocol after IPv4 It provides an expanded address space, a simplified header format, improved support for extensions and options, flow labeling capability, and authentication and privacy capabilities IPv6 is described in RFC 2460 The IPv6 addressing architecture is described in RFC 3513 This section describes the IPv6 address format and architecture and includes the following topics: Note • IPv6 Address Format, page 52-5 • IPv6 Address Types, page 52-6 • IPv6 Address Prefixes, page 52-10 This section describes the IPv6 address format, the types, and prefixes For information about configuring the ASA to use IPv6, see Configuring IPv6 Addressing, page 13-12 IPv6 Address Format IPv6 addresses are represented as a series of eight 16-bit hexadecimal fields separated by colons (:) in the format: x:x:x:x:x:x:x:x The following are two examples of IPv6 addresses: Note • 2001:0DB8:7654:3210:FEDC:BA98:7654:3210 • 2001:0DB8:0000:0000:0008:0800:200C:417A The hexadecimal letters in IPv6 addresses are not case-sensitive You not need to include the leading zeros in an individual field of the address, but each field must contain at least one digit So the example address 2001:0DB8:0000:0000:0008:0800:200C:417A can be shortened to 2001:0DB8:0:0:8:800:200C:417A by removing the leading zeros from the third through sixth fields from the left The fields that contained all zeros (the third and fourth fields from the left) were shortened to a single zero The fifth field from the left had the three leading zeros removed, leaving a single in that field, and the sixth field from the left had the one leading zero removed, leaving 800 in that field It is common for IPv6 addresses to contain several consecutive hexadecimal fields of zeros You can use two colons (::) to compress consecutive fields of zeros at the beginning, middle, or end of an IPv6 address (the colons represent the successive hexadecimal fields of zeros) Table 52-4 shows several examples of address compression for different types of IPv6 address Table 52-4 IPv6 Address Compression Examples Address Type Standard Form Compressed Form Unicast 2001:0DB8:0:0:0:BA98:0:3210 2001:0DB8::BA98:0:3210 Multicast FF01:0:0:0:0:0:0:101 FF01::101 Loopback 0:0:0:0:0:0:0:1 ::1 Unspecified 0:0:0:0:0:0:0:0 :: Cisco ASA Series General Operations CLI Configuration Guide 52-5 Chapter 52 Addresses, Protocols, and Ports IPv6 Addresses Note Two colons (::) can be used only once in an IPv6 address to represent successive fields of zeros An alternative form of the IPv6 format is often used when dealing with an environment that contains both IPv4 and IPv6 addresses This alternative has the format x:x:x:x:x:x:y.y.y.y, where x represent the hexadecimal values for the six high-order parts of the IPv6 address and y represent decimal values for the 32-bit IPv4 part of the address (which takes the place of the remaining two 16-bit parts of the IPv6 address) For example, the IPv4 address 192.168.1.1 could be represented as the IPv6 address 0:0:0:0:0:0:FFFF:192.168.1.1 or ::FFFF:192.168.1.1 IPv6 Address Types The following are the three main types of IPv6 addresses: Note • Unicast—A unicast address is an identifier for a single interface A packet sent to a unicast address is delivered to the interface identified by that address An interface may have more than one unicast address assigned to it • Multicast—A multicast address is an identifier for a set of interfaces A packet sent to a multicast address is delivered to all addresses identified by that address • Anycast—An anycast address is an identifier for a set of interfaces Unlike a multicast address, a packet sent to an anycast address is only delivered to the “nearest” interface, as determined by the measure of distances for the routing protocol There are no broadcast addresses in IPv6 Multicast addresses provide the broadcast functionality This section includes the following topics: • Unicast Addresses, page 52-6 • Multicast Address, page 52-8 • Anycast Address, page 52-9 • Required Addresses, page 52-10 Unicast Addresses This section describes IPv6 unicast addresses Unicast addresses identify an interface on a network node This section includes the following topics: • Global Address, page 52-7 • Site-Local Address, page 52-7 • Link-Local Address, page 52-7 • IPv4-Compatible IPv6 Addresses, page 52-7 • Unspecified Address, page 52-8 • Loopback Address, page 52-8 • Interface Identifiers, page 52-8 Cisco ASA Series General Operations CLI Configuration Guide 52-6 Chapter 52 Addresses, Protocols, and Ports IPv6 Addresses Global Address The general format of an IPv6 global unicast address is a global routing prefix followed by a subnet ID followed by an interface ID The global routing prefix can be any prefix not reserved by another IPv6 address type (see IPv6 Address Prefixes, page 52-10, for information about the IPv6 address type prefixes) All global unicast addresses, other than those that start with binary 000, have a 64-bit interface ID in the Modified EUI-64 format See Interface Identifiers, page 52-8, for more information about the Modified EUI-64 format for interface identifiers Global unicast address that start with the binary 000 not have any constraints on the size or structure of the interface ID portion of the address One example of this type of address is an IPv6 address with an embedded IPv4 address (see IPv4-Compatible IPv6 Addresses, page 52-7) Site-Local Address Site-local addresses are used for addressing within a site They can be used to address an entire site without using a globally unique prefix Site-local addresses have the prefix FEC0::/10, followed by a 54-bit subnet ID, and end with a 64-bit interface ID in the modified EUI-64 format Site-local routers not forward any packets that have a site-local address for a source or destination outside of the site Therefore, site-local addresses can be considered private addresses Link-Local Address All interfaces are required to have at least one link-local address You can configure multiple IPv6 addresses per interfaces, but only one link-local address A link-local address is an IPv6 unicast address that can be automatically configured on any interface using the link-local prefix FE80::/10 and the interface identifier in modified EUI-64 format Link-local addresses are used in the neighbor discovery protocol and the stateless autoconfiguration process Nodes with a link-local address can communicate; they not need a site-local or globally unique address to communicate Routers not forward any packets that have a link-local address for a source or destination Therefore, link-local addresses can be considered private addresses IPv4-Compatible IPv6 Addresses There are two types of IPv6 addresses that can contain IPv4 addresses The first type is the IPv4-compatibly IPv6 address The IPv6 transition mechanisms include a technique for hosts and routers to dynamically tunnel IPv6 packets over IPv4 routing infrastructure IPv6 nodes that use this technique are assigned special IPv6 unicast addresses that carry a global IPv4 address in the low-order 32 bits This type of address is termed an IPv4-compatible IPv6 address and has the format ::y.y.y.y, where y.y.y.y is an IPv4 unicast address Note The IPv4 address used in the IPv4-compatible IPv6 address must be a globally unique IPv4 unicast address The second type of IPv6 address, which holds an embedded IPv4 address, is called the IPv4-mapped IPv6 address This address type is used to represent the addresses of IPv4 nodes as IPv6 addresses This type of address has the format ::FFFF:y.y.y.y, where y.y.y.y is an IPv4 unicast address Cisco ASA Series General Operations CLI Configuration Guide 52-7 Chapter 52 Addresses, Protocols, and Ports IPv6 Addresses Unspecified Address The unspecified address, 0:0:0:0:0:0:0:0, indicates the absence of an IPv6 address For example, a newly initialized node on an IPv6 network may use the unspecified address as the source address in its packets until it receives its IPv6 address Note The IPv6 unspecified address cannot be assigned to an interface The unspecified IPv6 addresses must not be used as destination addresses in IPv6 packets or the IPv6 routing header Loopback Address The loopback address, 0:0:0:0:0:0:0:1, may be used by a node to send an IPv6 packet to itself The loopback address in IPv6 functions the same as the loopback address in IPv4 (127.0.0.1) Note The IPv6 loopback address cannot be assigned to a physical interface A packet that has the IPv6 loopback address as its source or destination address must remain within the node that created the packet IPv6 routers not forward packets that have the IPv6 loopback address as their source or destination address Interface Identifiers Interface identifiers in IPv6 unicast addresses are used to identify the interfaces on a link They need to be unique within a subnet prefix In many cases, the interface identifier is derived from the interface link-layer address The same interface identifier may be used on multiple interfaces of a single node, as long as those interfaces are attached to different subnets For all unicast addresses, except those that start with the binary 000, the interface identifier is required to be 64 bits long and to be constructed in the Modified EUI-64 format The Modified EUI-64 format is created from the 48-bit MAC address by inverting the universal/local bit in the address and by inserting the hexadecimal number FFFE between the upper three bytes and lower three bytes of the of the MAC address For example, and interface with the MAC address of 00E0.b601.3B7A would have a 64-bit interface ID of 02E0:B6FF:FE01:3B7A Multicast Address An IPv6 multicast address is an identifier for a group of interfaces, typically on different nodes A packet sent to a multicast address is delivered to all interfaces identified by the multicast address An interface may belong to any number of multicast groups An IPv6 multicast address has a prefix of FF00::/8 (1111 1111) The octet following the prefix defines the type and scope of the multicast address A permanently assigned (well known) multicast address has a flag parameter equal to 0; a temporary (transient) multicast address has a flag parameter equal to A multicast address that has the scope of a node, link, site, or organization, or a global scope has a scope parameter of 1, 2, 5, 8, or E, respectively For example, a multicast address with the prefix FF02::/16 is a permanent multicast address with a link scope Figure 52-1 shows the format of the IPv6 multicast address Cisco ASA Series General Operations CLI Configuration Guide 52-8 Chapter 52 Addresses, Protocols, and Ports IPv6 Addresses Figure 52-1 IPv6 Multicast Address Format 128 bits 1111 1111 F F bits bits bits Flag Scope bits Interface ID Flag = if permanent if temporary = node = link Scope = = admin = site = organization E = global 92617 IPv6 nodes (hosts and routers) are required to join the following multicast groups: • The All Nodes multicast addresses: – FF01:: (interface-local) – FF02:: (link-local) • The Solicited-Node Address for each IPv6 unicast and anycast address on the node: FF02:0:0:0:0:1:FFXX:XXXX/104, where XX:XXXX is the low-order 24-bits of the unicast or anycast address Note Solicited-Node addresses are used in Neighbor Solicitation messages IPv6 routers are required to join the following multicast groups: • FF01::2 (interface-local) • FF02::2 (link-local) • FF05::2 (site-local) Multicast address should not be used as source addresses in IPv6 packets Note There are no broadcast addresses in IPv6 IPv6 multicast addresses are used instead of broadcast addresses Anycast Address The IPv6 anycast address is a unicast address that is assigned to more than one interface (typically belonging to different nodes) A packet that is routed to an anycast address is routed to the nearest interface having that address, the nearness being determined by the routing protocol in effect Anycast addresses are allocated from the unicast address space An anycast address is simply a unicast address that has been assigned to more than one interface, and the interfaces must be configured to recognize the address as an anycast address The following restrictions apply to anycast addresses: • An anycast address cannot be used as the source address for an IPv6 packet Cisco ASA Series General Operations CLI Configuration Guide 52-9 Chapter 52 Addresses, Protocols, and Ports IPv6 Addresses • Note An anycast address cannot be assigned to an IPv6 host; it can only be assigned to an IPv6 router Anycast addresses are not supported on the ASA Required Addresses IPv6 hosts must, at a minimum, be configured with the following addresses (either automatically or manually): • A link-local address for each interface • The loopback address • The All-Nodes multicast addresses • A Solicited-Node multicast address for each unicast or anycast address IPv6 routers must, at a minimum, be configured with the following addresses (either automatically or manually): • The required host addresses • The Subnet-Router anycast addresses for all interfaces for which it is configured to act as a router • The All-Routers multicast addresses IPv6 Address Prefixes An IPv6 address prefix, in the format ipv6-prefix/prefix-length, can be used to represent bit-wise contiguous blocks of the entire address space The IPv6-prefix must be in the form documented in RFC 2373 where the address is specified in hexadecimal using 16-bit values between colons The prefix length is a decimal value that indicates how many of the high-order contiguous bits of the address comprise the prefix (the network portion of the address) For example, 2001:0DB8:8086:6502::/32 is a valid IPv6 prefix The IPv6 prefix identifies the type of IPv6 address Table 52-5 shows the prefixes for each IPv6 address type Table 52-5 IPv6 Address Type Prefixes Address Type Binary Prefix IPv6 Notation Unspecified 000 (128 bits) ::/128 Loopback 000 (128 bits) ::1/128 Multicast 11111111 FF00::/8 Link-Local (unicast) 1111111010 FE80::/10 Site-Local (unicast) 1111111111 FEC0::/10 Global (unicast) All other addresses Anycast Taken from the unicast address space Cisco ASA Series General Operations CLI Configuration Guide 52-10 Chapter 52 Addresses, Protocols, and Ports Protocols and Applications Protocols and Applications Table 52-6 lists the protocol literal values and port numbers; either can be entered in ASA commands Table 52-6 Protocol Literal Values Literal Value Description ah 51 Authentication Header for IPv6, RFC 1826 eigrp 88 Enhanced Interior Gateway Routing Protocol esp 50 Encapsulated Security Payload for IPv6, RFC 1827 gre 47 Generic Routing Encapsulation icmp Internet Control Message Protocol, RFC 792 icmp6 58 Internet Control Message Protocol for IPv6, RFC 2463 igmp Internet Group Management Protocol, RFC 1112 igrp Interior Gateway Routing Protocol ip Internet Protocol ipinip IP-in-IP encapsulation ipsec 50 IP Security Entering the ipsec protocol literal is equivalent to entering the esp protocol literal nos 94 Network Operating System (Novell’s NetWare) ospf 89 Open Shortest Path First routing protocol, RFC 1247 pcp 108 Payload Compression Protocol pim 103 Protocol Independent Multicast pptp 47 Point-to-Point Tunneling Protocol Entering the pptp protocol literal is equivalent to entering the gre protocol literal snp 109 Sitara Networks Protocol tcp Transmission Control Protocol, RFC 793 udp 17 User Datagram Protocol, RFC 768 Protocol numbers can be viewed online at the IANA website: http://www.iana.org/assignments/protocol-numbers TCP and UDP Ports Table 52-7 lists the literal values and port numbers; either can be entered in ASA commands See the following caveats: • The ASA uses port 1521 for SQL*Net This is the default port used by Oracle for SQL*Net This value, however, does not agree with IANA port assignments • The ASA listens for RADIUS on ports 1645 and 1646 If your RADIUS server uses the standard ports 1812 and 1813, you can configure the ASA to listen to those ports using the authentication-port and accounting-port commands Cisco ASA Series General Operations CLI Configuration Guide 52-11 Chapter 52 Addresses, Protocols, and Ports TCP and UDP Ports • To assign a port for DNS access, use the domain literal value, not dns If you use dns, the ASA assumes you meant to use the dnsix literal value Port numbers can be viewed online at the IANA website: http://www.iana.org/assignments/port-numbers Table 52-7 Port Literal Values Literal TCP or UDP? Value Description aol TCP 5190 America Online bgp TCP 179 Border Gateway Protocol, RFC 1163 biff UDP 512 Used by mail system to notify users that new mail is received bootpc UDP 68 Bootstrap Protocol Client bootps UDP 67 Bootstrap Protocol Server chargen TCP 19 Character Generator citrix-ica TCP 1494 Citrix Independent Computing Architecture (ICA) protocol cmd TCP 514 Similar to exec except that cmd has automatic authentication ctiqbe TCP 2748 Computer Telephony Interface Quick Buffer Encoding daytime TCP 13 Day time, RFC 867 discard TCP, UDP Discard domain TCP, UDP 53 DNS dnsix UDP 195 DNSIX Session Management Module Audit Redirector echo TCP, UDP Echo exec TCP 512 Remote process execution finger TCP 79 Finger ftp TCP 21 File Transfer Protocol (control port) ftp-data TCP 20 File Transfer Protocol (data port) gopher TCP 70 Gopher https TCP 443 HTTP over SSL h323 TCP 1720 H.323 call signalling hostname TCP 101 NIC Host Name Server ident TCP 113 Ident authentication service imap4 TCP 143 Internet Message Access Protocol, version irc TCP 194 Internet Relay Chat protocol isakmp UDP 500 Internet Security Association and Key Management Protocol kerberos TCP, UDP 750 Kerberos Cisco ASA Series General Operations CLI Configuration Guide 52-12 Chapter 52 Addresses, Protocols, and Ports TCP and UDP Ports Table 52-7 Port Literal Values (continued) Literal TCP or UDP? Value Description klogin TCP 543 KLOGIN kshell TCP 544 Korn Shell ldap TCP 389 Lightweight Directory Access Protocol ldaps TCP 636 Lightweight Directory Access Protocol (SSL) lpd TCP 515 Line Printer Daemon - printer spooler login TCP 513 Remote login lotusnotes TCP 1352 IBM Lotus Notes mobile-ip UDP 434 MobileIP-Agent nameserver UDP 42 Host Name Server netbios-ns UDP 137 NetBIOS Name Service netbios-dgm UDP 138 NetBIOS Datagram Service netbios-ssn TCP 139 NetBIOS Session Service nntp TCP 119 Network News Transfer Protocol ntp UDP 123 Network Time Protocol pcanywhere-status UDP 5632 pcAnywhere status pcanywhere-data TCP 5631 pcAnywhere data pim-auto-rp TCP, UDP 496 Protocol Independent Multicast, reverse path flooding, dense mode pop2 TCP 109 Post Office Protocol - Version pop3 TCP 110 Post Office Protocol - Version pptp TCP 1723 Point-to-Point Tunneling Protocol radius UDP 1645 Remote Authentication Dial-In User Service radius-acct UDP 1646 Remote Authentication Dial-In User Service (accounting) rip UDP 520 Routing Information Protocol secureid-udp UDP 5510 SecureID over UDP smtp TCP 25 Simple Mail Transport Protocol snmp UDP 161 Simple Network Management Protocol snmptrap UDP 162 Simple Network Management Protocol - Trap sqlnet TCP 1521 Structured Query Language Network ssh TCP 22 Secure Shell sunrpc (rpc) TCP, UDP 111 Sun Remote Procedure Call syslog UDP 514 System Log tacacs TCP, UDP 49 Terminal Access Controller Access Control System Plus talk TCP, UDP 517 Talk telnet TCP 23 RFC 854 Telnet Cisco ASA Series General Operations CLI Configuration Guide 52-13 Chapter 52 Addresses, Protocols, and Ports Local Ports and Protocols Table 52-7 Port Literal Values (continued) Literal TCP or UDP? Value Description tftp UDP 69 Trivial File Transfer Protocol time UDP 37 Time uucp TCP 540 UNIX-to-UNIX Copy Program who UDP 513 Who whois TCP 43 Who Is www TCP 80 World Wide Web xdmcp UDP 177 X Display Manager Control Protocol Local Ports and Protocols Table 52-8 lists the protocols, TCP ports, and UDP ports that the ASA may open to process traffic destined to the ASA Unless you enable the features and services listed in Table 52-8, the ASA does not open any local protocols or any TCP or UDP ports You must configure a feature or service for the ASA to open the default listening protocol or port In many cases you can configure ports other than the default port when you enable a feature or service Table 52-8 Protocols and Ports Opened by Features and Services Feature or Service Protocol Port Number Comments DHCP UDP 67,68 — Failover Control 105 N/A — HTTP TCP 80 — HTTPS TCP 443 — ICMP N/A — IGMP N/A Protocol only open on destination IP address 224.0.0.1 ISAKMP/IKE UDP 500 Configurable IPsec (ESP) 50 N/A — IPsec over UDP (NAT-T) UDP 4500 — IPsec over UDP (Cisco VPN 3000 Series compatible) UDP 10000 Configurable IPsec over TCP (CTCP) TCP — No default port is used You must specify the port number when configuring IPsec over TCP NTP UDP 123 — OSPF 89 N/A Protocol only open on destination IP address 224.0.0.5 and 224.0.0.6 Cisco ASA Series General Operations CLI Configuration Guide 52-14 Chapter 52 Addresses, Protocols, and Ports ICMP Types Table 52-8 Protocols and Ports Opened by Features and Services (continued) Feature or Service Protocol Port Number Comments PIM 103 N/A Protocol only open on destination IP address 224.0.0.13 RIP UDP 520 — RIPv2 UDP 520 Port only open on destination IP address 224.0.0.9 SNMP UDP 161 Configurable SSH TCP 22 — Stateful Update (non-secure) (secure) N/A — Telnet TCP 23 — VPN Load Balancing UDP 9023 Configurable VPN Individual User Authentication Proxy UDP 1645, 1646 Port accessible only over VPN tunnel ICMP Types Table 52-9 lists the ICMP type numbers and names that you can enter in ASA commands Table 52-9 ICMP Types ICMP Number ICMP Name echo-reply unreachable source-quench redirect alternate-address echo router-advertisement 10 router-solicitation 11 time-exceeded 12 parameter-problem 13 timestamp-request 14 timestamp-reply 15 information-request 16 information-reply 17 mask-request 18 mask-reply Cisco ASA Series General Operations CLI Configuration Guide 52-15 Chapter 52 ICMP Types Table 52-9 ICMP Types (continued) ICMP Number ICMP Name 31 conversion-error 32 mobile-redirect Cisco ASA Series General Operations CLI Configuration Guide 52-16 Addresses, Protocols, and Ports ... Requirements for the ASAv 3-3 3-5 Deploying the ASAv 3-5 Accessing the vSphere Web Client and Installing the Client Integration Plug-In Deploying the ASAv Using the VMware vSphere Web Client 3-7 Connecting... 4-19 Restoring the ASAv Deployment Configuration 4-20 ASA 5505 Default Configuration 4-20 Cisco ASA Series General Operations CLI Configuration Guide iv 4-8 4-13 3-5 Contents ASA 5512-X and Higher... (ASAv) 11-13 12-1 Information About Starting ASAv Interface Configuration ASAv Interfaces and Virtual NICs 12-1 Cisco ASA Series General Operations CLI Configuration Guide x 12-1 10-25 Contents