Table Of Contents
Configuring Management Access
Configuring Device Access
Configuring CLI Parameters
Adding a Banner
Customizing a CLI Prompt
Changing the Console Timeout Period
Configuring File Access
Configuring the FTP Client Mode
Configuring the Security Appliance as a Secure Copy Server
Configuring the Security Appliance as a TFTP Client
Adding Mount Points
Adding a CIFS Mount Point
Adding an FTP Mount Point
Configuring ICMP Access
Configuring a Management Interface
Configuring SNMP
Information About SNMP
Information About SNMP Terminology
Information About the Management Information Base and Traps
Configuring an SNMP Agent and Management Station
Configuring the SNMP Agent
Adding an SNMP Management Station
Configuring SNMP Traps
Configuring Management Access Rules
Configuring AAA for System Administrators
Configuring Authentication for CLI, ASDM, and enable command Access
Limiting User CLI and ASDM Access with Management Authorization
Configuring Command Authorization
Command Authorization Overview
About Preserving User Credentials
Configuring Local Command Authorization
Configuring TACACS+ Command Authorization
Configuring Management Access Accounting
Recovering from a Lockout
Configuring Management Access
This chapter contains the following topics:
• Configuring Device Access
• Configuring CLI Parameters
• Configuring File Access
• Configuring ICMP Access
• Configuring a Management Interface
• Configuring SNMP
• Configuring Management Access Rules
• Configuring AAA for System Administrators
Configuring Device Access
To configure access to the security appliance, perform the following steps:
Step 1
From the Configuration > Device Management > Management Access > ASDM/HTTPS/Telnet/SSH pane, click Add.
The Add Device Access Configuration dialog box appears in the right-hand pane.
Step 2
Choose the type of session from the three options listed: ASDM/HTTPS, Telnet, or SSH.
Step 3
From the Interface Name drop-down list, choose the interface to use for administrative access.
Step 4
In the IP Address field, add the IP address of the network or host that is allowed access.
Step 5
From the Mask drop-down list, choose the mask associated with the network or host that is allowed access.
Step 6
For ASDM/HTTPS sessions, verify that the Enable HTTP Server check box is checked (this is the default setting).
Step 7
Make sure that port number 443 is specified (this is the default setting).
Step 8
For Telnet sessions, the default timeout value is 5 minutes. To change this value, type a new one in the Telnet Timeout field.
Step 9
For SSH sessions, choose the allowed SSH version(s) from the drop-down list.
Step 10
For SSH sessions, the default timeout value is 60 minutes. To change this value, type a new one in the SSH Timeout field.
Step 11
Click Apply.
The changes are saved to the running configuration.
Configuring CLI Parameters
This section includes the following topics:
• Adding a Banner
• Customizing a CLI Prompt
• Changing the Console Timeout Period
Adding a Banner
You can configure a message to display when a user connects to the security appliance, before a user logs in, or before a user enters privileged EXEC mode.
See the following guidelines:
• From a security perspective, it is important that your banner discourage unauthorized access. Do not use the words welcome or please, as they appear to invite intruders in. The following banner sets the correct tone for unauthorized access:
You have logged in to a secure device. If you are not authorized to access this device, log out immediately or risk possible criminal consequences.
• See RFC 2196 for guidelines about banner messages.
• Only ASCII characters are allowed, including new line (Enter), which counts as two characters.
• Do not use tabs in the banner, because they are not preserved in the CLI version.
• There is no length limit for banners other than those for RAM and flash memory.
• You can dynamically add the hostname or domain name of the security appliance by including the strings $(hostname) and $(domain).
• If you configure a banner in the system configuration, you can use that banner text within a context by using the $(system) string in the context configuration.
• After a banner is added, security appliance Telnet or SSH sessions may close if:
– There is not enough system memory available to process the banner message(s).
– A TCP write error occurs when attempting to display banner message(s).
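As an added example (not from the Cisco documentation), the following Python checks a proposed banner against the guidelines above and expands the $(hostname), $(domain) and $(system) strings before it is pasted into ASDM; the function names and the sample banner text are my own.

```python
import re

# Words the guideline says read as an invitation to intruders.
DISCOURAGED_WORDS = ("welcome", "please")


def check_banner(text: str) -> list:
    """Return the guideline violations found in a banner (empty list = acceptable)."""
    problems = []
    if any(ord(ch) > 127 for ch in text):
        problems.append("only ASCII characters are allowed")
    if "\t" in text:
        problems.append("tabs are not preserved in the CLI banner")
    for word in DISCOURAGED_WORDS:
        if re.search(r"\b" + word + r"\b", text, re.IGNORECASE):
            problems.append(f"the word '{word}' appears to invite intruders in")
    return problems


def banner_length(text: str) -> int:
    """Character count as the appliance counts it: each new line counts as two characters."""
    return len(text) + text.count("\n")


def render_banner(text: str, hostname: str, domain: str, system_banner: str = "") -> str:
    """Expand the dynamic strings the appliance substitutes when it displays the banner.

    $(system) is only meaningful inside a context configuration, so the caller passes
    the system banner text it should expand to (empty when there is none).
    """
    return (text.replace("$(hostname)", hostname)
                .replace("$(domain)", domain)
                .replace("$(system)", system_banner))


# Constructed sample: the banner recommended in the guidelines above.
RECOMMENDED = ("You have logged in to a secure device. If you are not authorized to access this device,\n"
               "log out immediately or risk possible criminal consequences.")

if __name__ == "__main__":
    print(check_banner(RECOMMENDED) or "banner follows the guidelines")
    print(banner_length(RECOMMENDED), "characters as counted by the appliance")
    print(render_banner("Unauthorized access to $(hostname).$(domain) is prohibited.", "asa1", "example.net"))
```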
To add a message of the day, login, or session banner, perform the following steps:
Step 1
From the Configuration > Device Management > Management Access > Command Line (CLI) > Banner pane, add your banner text to the field for the type of banner you are creating for the CLI:
• Session (exec) banner—This banner appears when a user accesses privileged EXEC mode at the CLI.
• Login Banner—This banner appears when a user logs in to the CLI.
• Message-of-the-day (motd) Banner—This banner appears when a user first connects to the CLI.
• ASDM Banner—This banner appears when a user connects to ASDM, following user authentication. The user is given two options for dismissing the banner:
– Continue—Dismiss the banner and complete login as usual.
– Disconnect—Dismiss the banner and terminate the connection.
Step 2
Click Apply.
The banner is added and the changes are saved to the running configuration.
Customizing a CLI Prompt
The CLI Prompt pane lets you customize the prompt used during CLI sessions. By default, the prompt shows the hostname of the security appliance. In multiple context mode, the prompt also displays the context name. You can display the following items in the CLI prompt.
context: (Multiple mode only) Displays the name of the current context.
domain: Displays the domain name.
hostname: Displays the hostname.
priority: Displays the failover priority as pri (primary) or sec (secondary).
state: Displays the traffic-passing state of the unit. The following values are displayed for the state:
• act—Failover is enabled, and the unit is actively passing traffic.
• stby—Failover is enabled, and the unit is not passing traffic and is in a standby, failed, or other non-active state.
• actNoFailover—Failover is not enabled, and the unit is actively passing traffic.
• stbyNoFailover—Failover is not enabled, and the unit is not passing traffic. This might happen when there is an interface failure above the threshold on the standby unit.
To customize the prompt used during CLI sessions so that it shows something other than the hostname or context name, complete the following steps:
Step 1
From the Configuration > Device Management > Management Access > CLI Prompt pane, do any of the following to customize the prompt:
• To add an attribute to the prompt, click the attribute in the Available Prompts list and then click Add. You can add multiple attributes to the prompt. The attribute is moved from the Available Prompts list to the Selected Prompts list.
• To remove an attribute from the prompt, click the attribute in the Selected Prompts list and then click Delete. The attribute is moved from the Selected Prompts list to the Available Prompts list.
• To change the order in which the attributes appear in the command prompt, click the attribute in the Selected Prompts list and click Move Up or Move Down to change the order.
The prompt is changed and displays in the CLI Prompt Preview field.
Step 2
Click Apply.
The new prompt is saved to the running configuration.
Changing the Console Timeout Period
To change the console timeout period, or the duration of time the management console remains active before automatically shutting down, perform the following steps:
Step 1
From the Configuration > Device Management > Management Access > Command Line (CLI) > Console Timeout pane, add a new timeout value in minutes.
To specify unlimited, enter 0. The default value is 0.
Step 2
Click Apply.
The console timeout is changed, and the changes are saved to the running configuration.
Configuring File Access
This section includes the following topics:
• Configuring the FTP Client Mode
• Configuring the Security Appliance as a Secure Copy Server
• Configuring the Security Appliance as a TFTP Client
• Adding Mount Points
Configuring the FTP Client Mode
The security appliance can use FTP to upload or download image files or configuration files to or from an FTP server. In passive FTP, the client initiates both the control connection and the data connection. The server, which is the recipient of the data connection in passive mode, responds with the port number on which it is listening for the specific connection.
To configure the FTP client to be in passive mode, perform the following steps:
Step 1
From the Configuration > Device Management > Management Access > File Access > FTP Client pane, check Specify FTP mode as passive.
Step 2
Click Apply.
The FTP client configuration is changed and the change is saved to the running configuration.
Configuring the Security Appliance as a Secure Copy Server
You can enable the secure copy server on the security appliance. Only clients that are allowed to access the security appliance using SSH can establish a secure copy connection.
This implementation of the secure copy server has the following limitations:
• The server can accept and terminate connections for secure copy, but cannot initiate them.
• The server does not have directory support. The lack of directory support limits remote client access to the security appliance internal files.
• The server does not support banners.
• The server does not support wildcards.
• The security appliance license must have the VPN-3DES-AES feature to support SSH version 2 connections.
To configure the security appliance as a Secure Copy (SCP) server, perform the following steps:
Step 1
From the Configuration > Device Management > Management Access > File Access > Secure Copy (SCP) Server pane, check Enable secure copy server.
Step 2
Click Apply.
The changes are saved to the running configuration. The security appliance can function as an SCP server for transferring files from/to the device.
Configuring the Security Appliance as a TFTP Client
TFTP is a simple client/server file transfer protocol described in RFC783 and RFC1350 Rev. 2. You can configure the security appliance as a TFTP client so that it can transfer a copy of its running configuration file to a TFTP server using File > Save Running Configuration to TFTP Client or Tools > Command Line Interface. In this way, you can back up and propagate configuration files to multiple security appliances.
The security appliance supports only one TFTP client. The full path to the TFTP client is specified in Configuration > Device Management > Management Access > File Access > TFTP Client. Once configured here, you can use a colon (:) to specify the IP address in the CLI configure net and copy commands. However, any other authentication or configuration of intermediate devices necessary for communication from the security appliance to the TFTP client is done apart from this function.
To configure the security appliance as a TFTP client for saving configuration files to a TFTP server, perform the following steps:
Step 1
From the Configuration > Device Management > Management Access > File Access > TFTP Client pane, check Enable.
Step 2
From the Interface Name drop-down list, choose the interface to use as a TFTP client.
Step 3
In the IP Address field, add the IP address of the TFTP server where configuration files will be saved.
Step 4
In the Path field, add the path to the TFTP server where configuration files will be saved.
For example: /tftpboot/asa/config3
Step 5
Click Apply.
The changes are saved to the running configuration. This TFTP server will be used to save the security appliance configuration files. For more information, see Save Running Configuration to TFTP Server, page 3-4.
Adding Mount Points
This section describes Common Internet File System (CIFS) and File Transfer Protocol (FTP) mount points.
This section includes the following topics:
• Adding a CIFS Mount Point
• Adding an FTP Mount Point
Adding a CIFS Mount Point
To define a CIFS mount point, perform the following steps:
Step 1
From the Configuration > Device Management > Management Access > File Access > Mount-Points pane, click Add > CIFS Mount Point.
The Add CIFS Mount Point dialog box appears.
Step 2
Check Enable mount point.
This option attaches the CIFS file system on the security appliance to the UNIX file tree.
Step 3
In the Mount Point Name field, add the name of an existing CIFS location.
Step 4
In the Server Name or IP Address field, add the name or IP address of the server where the mount point is located.
Step 5
In the Share Name field, add the name of the folder on the CIFS server.
Step 6
In the NT Domain Name field, add the name of the NT Domain where the server resides.
Step 7
In the User Name field, add the name of the user authorized for file system mounting on the server.
Step 8
In the Password field, add the password for the user authorized for file system mounting on the server.
Step 9
In the Confirm Password field, add the password again.
Step 10
Click OK.
The Add CIFS Mount Point dialog box closes.
Step 11
Click Apply.
The mount point is added to the security appliance and the change is saved to the running configuration.
Adding an FTP Mount Point
Note
For an FTP mount point, the FTP Server must have a UNIX directory listing style. Microsoft FTP servers have a default of MS-DOS directory listing style.
To define an FTP mount point, perform the following steps:
Step 1
From the Configuration > Device Management > Management Access > File Access > Mount-Points pane, click Add > FTP Mount Point.
The Add FTP Mount Point dialog box appears.
Step 2
Check the Enable check box.
This option attaches the FTP file system on the security appliance to the UNIX file tree.
Step 3
In the Mount Point Name field, add the name of an existing FTP location.
Step 4
In the Server Name or IP Address field, add the name or IP address of the server where the mount point is located.
Step 5
In the Mode field, click the radio button for the FTP mode (Active or Passive). When you choose Passive mode, the client initiates both the FTP control connection and data connection. The server responds with the number of its listening port for this connection.
Step 6
In the Path to Mount field, add the directory path name to the FTP file server.
Step 7
In the User Name field, add the name of the user authorized for file system mounting on the server.
Step 8
In the Password field, add the password for the user authorized for file system mounting on the server.
Step 9
In the Confirm Password field, add the password again.
Step 10
Click OK.
The dialog box closes.
Step 11
Click Apply.
The mount point is added to the security appliance and the change is saved to the running configuration.
Configuring ICMP Access
By default, you can send ICMP packets to any security appliance interface. However, by default, the security appliance does not respond to ICMP echo requests directed to a broadcast address. You can protect the security appliance from attacks by limiting the addresses of hosts and networks that are allowed to have ICMP access to the security appliance.
Note
For allowing ICMP traffic through the security appliance, see the "Configuring Access Rules" section on page 20-7.
It is recommended that you always grant permission for the ICMP unreachable message type (type 3). Denying ICMP unreachable messages disables ICMP Path MTU Discovery, which can halt IPSec and PPTP traffic. See RFC 1195 and RFC 1435 for details about Path MTU Discovery.
If you configure ICMP rules, then the security appliance uses a first match to the ICMP traffic followed by an implicit deny all. That is, if the first matched entry is a permit entry, the ICMP packet continues to be processed. If the first matched entry is a deny entry or an entry is not matched, the security appliance discards the ICMP packet and generates a syslog message. An exception is when an ICMP rule is not configured; in that case, a permit statement is assumed.
To configure ICMP access rules, perform the following steps:
Step 1
From the Configuration > Device Management > Management Access > ICMP pane, click Add.
If you want to insert a rule in the ICMP table, click the rule that the new rule will precede, and click Insert.
The Create ICMP Rule dialog box appears in the right-hand pane.
Step 2
From the ICMP Type drop-down list, choose the type of ICMP message for this rule.
Table 16-1 lists the types of ICMP messages.
Table 16-1 ICMP Type Literals
ICMP Type  Literal
0          echo-reply
3          unreachable
4          source-quench
5          redirect
6          alternate-address
8          echo
9          router-advertisement
10         router-solicitation
11         time-exceeded
12         parameter-problem
13         timestamp-request
14         timestamp-reply
15         information-request
16         information-reply
17         mask-request
18         mask-reply
31         conversion-error
32         mobile-redirect
Step 3
From the Interface selection list, choose the destination security appliance interface the rule is to be applied to.
Step 4
In the IP Address field, do one of the following:
• Add a specific IP address for the host or network.
• Click Any Address and go to Step 7.
Step 5
From the Mask drop-down list, choose the network mask.
Step 6
Click OK.
The dialog box closes.
Step 7
(Optional) To set ICMP unreachable message limits, set the following options. Increasing the rate limit, along with enabling the "Decrement time to live for a connection" option on the Configuration > Firewall > Service Policy Rules > Rule Actions > Connection Settings dialog box, is required to allow a traceroute through the security appliance that shows the security appliance as one of the hops.
• Rate Limit—Sets the rate limit of unreachable messages, between 1 and 100 messages per second. The default is 1 message per second.
• Burst Size—Sets the burst rate, between 1 and 10. This keyword is not currently used by the system, so you can choose any value.
Step 8
Click Apply.
The ICMP rule is added to the end of the ICMP table and the change is saved to the running configuration.
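An added example, not from the Cisco documentation, that models the rule evaluation described above (first match wins, an unmatched packet is denied and logged, and permit is assumed when no rule exists) using the literals from Table 16-1; the IcmpRule fields, the rule() helper and the log wording are assumed names for illustration, not the appliance's own.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Literal names from Table 16-1 mapped to ICMP type numbers.
ICMP_TYPES = {
    "echo-reply": 0, "unreachable": 3, "source-quench": 4, "redirect": 5,
    "alternate-address": 6, "echo": 8, "router-advertisement": 9,
    "router-solicitation": 10, "time-exceeded": 11, "parameter-problem": 12,
    "timestamp-request": 13, "timestamp-reply": 14, "information-request": 15,
    "information-reply": 16, "mask-request": 17, "mask-reply": 18,
    "conversion-error": 31, "mobile-redirect": 32,
}


@dataclass
class IcmpRule:
    action: str                        # "permit" or "deny"
    interface: str                     # appliance interface the packet arrives on
    network: ipaddress.IPv4Network     # source host or network the rule covers
    icmp_type: Optional[int] = None    # None matches any ICMP type


def rule(action: str, interface: str, cidr: str = "0.0.0.0/0", literal: Optional[str] = None) -> IcmpRule:
    """Build a rule from a Table 16-1 literal; "0.0.0.0/0" stands for the Any Address choice."""
    icmp_type = None if literal is None else ICMP_TYPES[literal]
    return IcmpRule(action, interface, ipaddress.IPv4Network(cidr), icmp_type)


def evaluate(rules: List[IcmpRule], interface: str, src_ip: str, icmp_type: int, syslog: list) -> str:
    """Decide "permit" or "deny" for one ICMP packet addressed to the appliance itself."""
    if not rules:
        return "permit"                # no ICMP rule configured: a permit statement is assumed
    src = ipaddress.IPv4Address(src_ip)
    for r in rules:                    # rules are checked in table order; first match decides
        if r.interface != interface or src not in r.network:
            continue
        if r.icmp_type is not None and r.icmp_type != icmp_type:
            continue
        if r.action == "deny":
            syslog.append(f"ICMP type {icmp_type} from {src_ip} on {interface} denied by rule")
        return r.action
    # No entry matched: implicit deny all, with a syslog message.
    syslog.append(f"ICMP type {icmp_type} from {src_ip} on {interface} denied (no matching rule)")
    return "deny"


if __name__ == "__main__":
    # Constructed rule table: keep unreachable (type 3) permitted so Path MTU Discovery works,
    # allow echo from one inside subnet, deny everything else from the inside address space.
    table = [rule("permit", "outside", literal="unreachable"),
             rule("permit", "inside", "10.0.0.0/24", "echo"),
             rule("deny", "inside", "10.0.0.0/8")]
    log: list = []
    for iface, ip, t in [("outside", "198.51.100.7", 3), ("inside", "10.0.0.5", 8),
                         ("inside", "10.1.2.3", 8), ("outside", "198.51.100.7", 8)]:
        print(iface, ip, t, "->", evaluate(table, iface, ip, t, log))
    print("\n".join(log))
```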
Configuring a Management Interface
A high-security interface can be identified to manage the security appliance. When a management interface is assigned, ASDM can run on it with a fixed IP address over an IPSec VPN tunnel. This is possible if VPN is configured on the security appliance and the external interface is using a dynamically assigned IP address. The management interface is also used when accessing and managing the security appliance securely from home using the VPN client.
To configure a management interface, perform the following steps:
Step 1
From the Configuration > Device Management > Management Access > Management Interface pane, choose the interface with the highest security (the inside interface) from the Management Access Interface drop-down list.
Step 2
Click Apply.
The management interface is assigned and the change is saved to the running configuration.
Configuring SNMP
This section describes how to configure SNMP, and includes the following topics:
• Information About SNMP
• Configuring the SNMP Agent
• Configuring SNMP Traps
Information About SNMP
The Simple Network Management Protocol (SNMP) enables the monitoring of network devices from a central location. The security appliance supports network monitoring using SNMP Versions 1 and 2c, as well as traps and SNMP read access, but does not support SNMP write access.
You can configure the security appliance to send traps (event notifications) to a network management station (NMS), or you can use the NMS to browse the MIBs on the security appliance. Use CiscoWorks for Windows or any other SNMP V1, MIB-II-compliant browser to receive SNMP traps and browse a MIB.
The security appliance has an SNMP agent that notifies designated management stations if events occur that are pre-defined to require a notification, for example, when a link in the network goes up or down. The notification it sends includes an SNMP OID, identifying itself to the management stations.
The security appliance SNMP agent also replies when a management station asks for information.
This section includes the following topics:
• Information About SNMP Terminology
• Information About the Management Information Base and Traps
Information About SNMP Terminology
The following terms are commonly used when working with SNMP.
Management stations: The PCs or workstations set up to monitor SNMP events and manage devices such as the security appliance.
SNMP Agent: The SNMP server running on the security appliance. The agent responds to requests for information and actions from the management station. The agent also controls access to its management information base (MIB), the collection of objects that can be viewed or changed by the SNMP manager.
OID: The system object identifier (OID) that identifies a device to its management station and indicates to users the source of information monitored and displayed.
MIB: Management Information Bases, or standardized data structures, for collecting information about packets, connections, buffers, failovers, etc. MIBs are defined by product and the protocols and hardware standards used by most network devices. SNMP management stations can browse MIBs and request specific data or events be sent as they occur. Some MIB data can be modified for administrative purposes.
Trap: Predefined events that generate a message from the SNMP agent to the management station. Events include alarm conditions such as link up, link down, or syslog event.
Browsing: Monitoring the health of a device from the management station by pulling required information from the device SNMP agent. This activity may include doing an snmpget or snmpwalk of the MIB tree from the management station.
Information About the Management Information Base and Traps
MIBs are either standard or enterprise-specific. Standard MIBs are created by the IETF and documented in various RFCs. A trap reports significant events occurring on a network device, most often errors or failures. SNMP traps are defined in either standard or enterprise-specific MIBs. Standard traps are created by the IETF and documented in various RFCs. Standard traps are compiled into the security appliance software.
If needed, you can also download RFCs, standard MIBs, and standard traps from the IETF website:
http://www.ietf.org/
Download Cisco MIBs from the following location:
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml.
Download Cisco OIDs from the following location:
ftp://ftp.cisco.com/pub/mibs/oid/oid.tar.gz.
The following table describes the SNMP MIB support that the security appliance provides:
MIB or Trap Support: Description of Security Appliance Support

SNMP core traps:
The security appliance sends the following SNMP core traps:
• authentication—An SNMP request fails because the NMS did not authenticate with the correct community string.
• linkup—An interface has transitioned to the "up" state.
• linkdown—An interface is down, for example, if you removed the nameif command.
• coldstart—The adaptive security appliance is running after a reload.

IF-MIB:
Browsing of the following tables:
• ifXTable
The following objects are supported:
IF-MIB::ifInMulticastPkts.1 = Counter32: 0
IF-MIB::ifInBroadcastPkts.1 = Counter32: 0
IF-MIB::ifOutMulticastPkts.1 = Counter32: 0
IF-MIB::ifOutBroadcastPkts.1 = Counter32: 0
IF-MIB::ifHCInOctets.1 = Counter64: 231678
IF-MIB::ifHCInUcastPkts.1 = Counter64: 963
IF-MIB::ifHCInMulticastPkts.1 = Counter64: 0
IF-MIB::ifHCInBroadcastPkts.1 = Counter64: 0
IF-MIB::ifHCOutOctets.1 = Counter64: 27251
IF-MIB::ifHCOutUcastPkts.1 = Counter64: 325
IF-MIB::ifHCOutMulticastPkts.1 = Counter64: 0
IF-MIB::ifHCOutBroadcastPkts.1 = Counter64: 0
IF-MIB::ifLinkUpDownTrapEnable.1 = enabled(1)
IF-MIB::ifHighSpeed.1 = Gauge32: 10000 (supports 10GE interfaces)
IF-MIB::ifPromiscuousMode.1 = false(2)
IF-MIB::ifConnectorPresent.1 = true(1)
IF-MIB::ifCounterDiscontinuityTime.1 = Timeticks: (0) 0:00:00.00

RFC1213-MIB:
Browsing of the following tables:
• ip.ipAddrTable
• ifTable
The following objects are supported:
RFC1213-MIB::ifNumber.0 = 1
RFC1213-MIB::ifIndex.1 = 1
RFC1213-MIB::ifDescr.1 = "Adaptive Security Appliance 'mgmt' interface"
RFC1213-MIB::ifType.1 = ethernet-csmacd(6)
RFC1213-MIB::ifMtu.1 = 1500
RFC1213-MIB::ifSpeed.1 = Gauge32: 4294967295
RFC1213-MIB::ifPhysAddress.1 = Hex: 00 15 17 15 AB 08
RFC1213-MIB::ifAdminStatus.1 = up(1)
RFC1213-MIB::ifOperStatus.1 = up(1)
RFC1213-MIB::ifLastChange.1 = Timeticks: (200) 0:00:02.00
RFC1213-MIB::ifInOctets.1 = Counter32: 231678
RFC1213-MIB::ifInUcastPkts.1 = Counter32: 963
RFC1213-MIB::ifInNUcastPkts.1 = Counter32: 0
RFC1213-MIB::ifInDiscards.1 = Counter32: 630
RFC1213-MIB::ifInErrors.1 = Counter32: 0
RFC1213-MIB::ifOutOctets.1 = Counter32: 27251
RFC1213-MIB::ifOutUcastPkts.1 = Counter32: 325
RFC1213-MIB::ifOutNUcastPkts.1 = Counter32: 0
RFC1213-MIB::ifOutDiscards.1 = Counter32: 0
RFC1213-MIB::ifOutErrors.1 = Counter32: 0
RFC1213-MIB::ifOutQLen.1 = Gauge32: 6
RFC1213-MIB::ifSpecific.1 = OID: SNMPv2-SMI::zeroDotZero
• system
The following objects are supported:
RFC1213-MIB::sysDescr.0 = "Cisco Adaptive Security Appliance Version 8.1(0)15"
RFC1213-MIB::sysObjectID.0 = OID: CISCO-PRODUCTS-MIB::ciscoASA5580
RFC1213-MIB::sysUpTime.0 = Timeticks: (390500) 1:05:05.00
RFC1213-MIB::sysContact.0 = "yourname@yourcompany.com"
RFC1213-MIB::sysName.0 = "sw8-5580"
RFC1213-MIB::sysLocation.0 = "YourCity, YourState"
RFC1213-MIB::sysServices.0 = 4

SNMPv2-MIB:
SNMP browsing

ENTITY-MIB:
Browsing of the following groups and tables:
• entPhysicalTable
• entLogicalTable
The following objects are supported:
ENTITY-MIB::entPhysicalDescr.1 = ASA 5580 Series SPE40 or SPE20
ENTITY-MIB::entPhysicalDescr.2 = ASA 5580 Series CPU
ENTITY-MIB::entPhysicalDescr.3 = ASA 5580 Series CPU
ENTITY-MIB::entPhysicalDescr.4 = ASA 5580 Series CPU
ENTITY-MIB::entPhysicalDescr.5 = ASA 5580 Series CPU
ENTITY-MIB::entPhysicalDescr.6 = ASA 5580 4 port GE Fiber If Card
ENTITY-MIB::entPhysicalDescr.7 = ASA 5580 4 port GE Copper If Card
ENTITY-MIB::entPhysicalDescr.8 = ASA 5580 2 port 10GE SR Fiber If Card
ENTITY-MIB::entPhysicalVendorType.1 = OID: CISCO-ENTITY-VENDORTYPE-OID-MIB::cevChassisASA5580
ENTITY-MIB::entPhysicalVendorType.2 = OID: 0.0
ENTITY-MIB::entPhysicalVendorType.3 = OID: 0.0
ENTITY-MIB::entPhysicalVendorType.4 = OID: 0.0
ENTITY-MIB::entPhysicalVendorType.5 = OID: 0.0
ENTITY-MIB::entPhysicalVendorType.6 = OID: CISCO-ENTITY-VENDORTYPE-OID-MIB::cevModuleASA5580Pm4x1geFi
ENTITY-MIB::entPhysicalVendorType.7 = OID: CISCO-ENTITY-VENDORTYPE-OID-MIB::cevModuleASA5580Pm4x1geCu
ENTITY-MIB::entPhysicalVendorType.8 = OID: CISCO-ENTITY-VENDORTYPE-OID-MIB::cevModuleASA5580Pm2x10geFi
ENTITY-MIB::entPhysicalContainedIn.1 = 0
ENTITY-MIB::entPhysicalContainedIn.2 = 1
ENTITY-MIB::entPhysicalContainedIn.3 = 1
ENTITY-MIB::entPhysicalContainedIn.4 = 1
ENTITY-MIB::entPhysicalContainedIn.5 = 1
ENTITY-MIB::entPhysicalContainedIn.6 = 1
ENTITY-MIB::entPhysicalContainedIn.7 = 1
ENTITY-MIB::entPhysicalContainedIn.8 = 1
ENTITY-MIB::entPhysicalClass.1 = chassis(3)
ENTITY-MIB::entPhysicalClass.2 = cpu(12)
ENTITY-MIB::entPhysicalClass.3 = cpu(12)
ENTITY-MIB::entPhysicalClass.4 = cpu(12)
ENTITY-MIB::entPhysicalClass.5 = cpu(12)
ENTITY-MIB::entPhysicalClass.6 = module(9)
ENTITY-MIB::entPhysicalClass.7 = module(9)
ENTITY-MIB::entPhysicalClass.8 = module(9)
ENTITY-MIB::entPhysicalParentRelPos.1 = 0
ENTITY-MIB::entPhysicalParentRelPos.2 = 0
ENTITY-MIB::entPhysicalParentRelPos.3 = 1
ENTITY-MIB::entPhysicalParentRelPos.4 = 2
ENTITY-MIB::entPhysicalParentRelPos.5 = 3
ENTITY-MIB::entPhysicalParentRelPos.6 = 0
ENTITY-MIB::entPhysicalParentRelPos.7 = 0
ENTITY-MIB::entPhysicalParentRelPos.8 = 0
ENTITY-MIB::entPhysicalName.1 = Chassis
ENTITY-MIB::entPhysicalName.2 = 0
ENTITY-MIB::entPhysicalName.3 = 1
ENTITY-MIB::entPhysicalName.4 = 2
ENTITY-MIB::entPhysicalName.5 = 3
ENTITY-MIB::entPhysicalName.6 = slot 4
ENTITY-MIB::entPhysicalName.7 = slot 5
ENTITY-MIB::entPhysicalName.8 = slot 7
ENTITY-MIB::entPhysicalHardwareRev.1 = V01
ENTITY-MIB::entPhysicalHardwareRev.2 =
ENTITY-MIB::entPhysicalHardwareRev.3 =
ENTITY-MIB::entPhysicalHardwareRev.4 =
ENTITY-MIB::entPhysicalHardwareRev.5 =
ENTITY-MIB::entPhysicalHardwareRev.6 = D5618404
ENTITY-MIB::entPhysicalHardwareRev.7 = D4577407
ENTITY-MIB::entPhysicalHardwareRev.8 = D7555203
ENTITY-MIB::entPhysicalFirmwareRev.1 = 1.1(0)4
ENTITY-MIB::entPhysicalFirmwareRev.2 =
ENTITY-MIB::entPhysicalFirmwareRev.3 =
ENTITY-MIB::entPhysicalFirmwareRev.4 =
ENTITY-MIB::entPhysicalFirmwareRev.5 =
ENTITY-MIB::entPhysicalFirmwareRev.6 =
ENTITY-MIB::entPhysicalFirmwareRev.7 =
ENTITY-MIB::entPhysicalFirmwareRev.8 =
ENTITY-MIB::entPhysicalSoftwareRev.1 = 8.1(0)1
ENTITY-MIB::entPhysicalSoftwareRev.2 =
ENTITY-MIB::entPhysicalSoftwareRev.3 =
ENTITY-MIB::entPhysicalSoftwareRev.4 =
ENTITY-MIB::entPhysicalSoftwareRev.5 =
ENTITY-MIB::entPhysicalSoftwareRev.6 =
ENTITY-MIB::entPhysicalSoftwareRev.7 =
ENTITY-MIB::entPhysicalSoftwareRev.8 =
ENTITY-MIB::entPhysicalSerialNum.1 = JAB12345678
ENTITY-MIB::entPhysicalSerialNum.2 =
ENTITY-MIB::entPhysicalSerialNum.3 =
ENTITY-MIB::entPhysicalSerialNum.4 =
ENTITY-MIB::entPhysicalSerialNum.5 =
ENTITY-MIB::entPhysicalSerialNum.6 = 001517154451
ENTITY-MIB::entPhysicalSerialNum.7 = 0015171559DC
ENTITY-MIB::entPhysicalSerialNum.8 = 0015171D9752
ENTITY-MIB::entPhysicalMfgName.1 = Cisco Systems Inc.
ENTITY-MIB::entPhysicalMfgName.2 =
ENTITY-MIB::entPhysicalMfgName.3 =
ENTITY-MIB::entPhysicalMfgName.4 =
ENTITY-MIB::entPhysicalMfgName.5 =
ENTITY-MIB::entPhysicalMfgName.6 =
ENTITY-MIB::entPhysicalMfgName.7 =
ENTITY-MIB::entPhysicalMfgName.8 =
ENTITY-MIB::entPhysicalMfgName.9 =
ENTITY-MIB::entPhysicalModelName.1 = ASA5580-SPE40 or SPE20
ENTITY-MIB::entPhysicalModelName.2 =
ENTITY-MIB::entPhysicalModelName.3 =
ENTITY-MIB::entPhysicalModelName.4 =
ENTITY-MIB::entPhysicalModelName.5 =
ENTITY-MIB::entPhysicalModelName.6 = ASA5580-4GE-FI
ENTITY-MIB::entPhysicalModelName.7 = ASA5580-4GE-CU
ENTITY-MIB::entPhysicalModelName.8 = ASA5580-2X10GE-SR
ENTITY-MIB::entPhysicalAlias.1 =
ENTITY-MIB::entPhysicalAlias.2 =
ENTITY-MIB::entPhysicalAlias.3 =
ENTITY-MIB::entPhysicalAlias.4 =
ENTITY-MIB::entPhysicalAlias.5 =
ENTITY-MIB::entPhysicalAlias.6 =
ENTITY-MIB::entPhysicalAlias.7 =
ENTITY-MIB::entPhysicalAlias.8 =
ENTITY-MIB::entPhysicalAssetID.1 =
ENTITY-MIB::entPhysicalAssetID.2 =
ENTITY-MIB::entPhysicalAssetID.3 =
ENTITY-MIB::entPhysicalAssetID.8 =
ENTITY-MIB::entPhysicalIsFRU.1 = false(2)
ENTITY-MIB::entPhysicalIsFRU.2 = false(2)
ENTITY-MIB::entPhysicalIsFRU.4 = false(2)
ENTITY-MIB::entPhysicalIsFRU.5 = false(2)
ENTITY-MIB::entPhysicalIsFRU.6 = true(1)
ENTITY-MIB::entPhysicalIsFRU.7 = true(1)
ENTITY-MIB::entPhysicalIsFRU.8 = true(1)
Browsing of the following traps:
• config-change
• fru-insert
• fru-remove

CISCO-IPSEC-FLOW-MONITOR-MIB:
Browsing of the MIB.
Browsing of the following traps:
• start
• stop

CISCO-REMOTE-ACCESS-MONITOR-MIB:
Browsing of the MIB.
Browsing of the following traps:
• session-threshold-exceeded

CISCO-CRYPTO-ACCELERATOR-MIB:
Browsing of the MIB.

ALTIGA-GLOBAL-REG:
Browsing of the MIB.

CISCO-FIREWALL-MIB:
Browsing of the following groups:
• cfwSystem
The information in cfwSystem.cfwStatus, which relates to failover status, applies to the entire device and not just a single context.

CISCO-MEMORY-POOL-MIB:
Browsing of the following table:
• ciscoMemoryPoolTable—The memory usage described in this table applies only to the security appliance general-purpose processor, and not to the network processors.
The following objects are supported:
CISCO-MEMORY-POOL-MIB::ciscoMemoryPoolName.1 = System memory
CISCO-MEMORY-POOL-MIB::ciscoMemoryPoolName.6 = DMA ALT1
CISCO-MEMORY-POOL-MIB::ciscoMemoryPoolName.7 = DMA
CISCO-MEMORY-POOL-MIB::ciscoMemoryPoolName.8 = Global Shared
CISCO-MEMORY-POOL-MIB::ciscoMemoryPoolAlternate.1 = 0
CISCO-MEMORY-POOL-MIB::ciscoMemoryPoolAlternate.6 = 0
CISCO-MEMORY-POOL-MIB::ciscoMemoryPoolAlternate.7 = 0
CISCO-MEMORY-POOL-MIB::ciscoMemoryPoolAlternate.8 = 0
CISCO-MEMORY-POOL-MIB::ciscoMemoryPoolValid.1 = true(1)
CISCO-MEMORY-POOL-MIB::ciscoMemoryPoolValid.6 = true(1)
CISCO-MEMORY-POOL-MIB::ciscoMemoryPoolValid.7 = true(1)
CISCO-MEMORY-POOL-MIB::ciscoMemoryPoolValid.8 = true(1)
CISCO-MEMORY-POOL-MIB::ciscoMemoryPoolUsed.1 = Gauge32: 102805792 bytes
CISCO-MEMORY-POOL-MIB::ciscoMemoryPoolUsed.6 = Gauge32: 32012672 bytes
CISCO-MEMORY-POOL-MIB::ciscoMemoryPoolUsed.7 = Gauge32: 32012672 bytes
CISCO-MEMORY-POOL-MIB::ciscoMemoryPoolUsed.8 = Gauge32: 38752248 bytes
CISCO-MEMORY-POOL-MIB::ciscoMemoryPoolFree.1 = Gauge32: 1432686304
bytes
CISCO-MEMORY-POOL-MIB::ciscoMemoryPoolFree.6 = Gauge32: 198862416 bytes
CISCO-MEMORY-POOL-MIB::ciscoMemoryPoolFree.7 = Gauge32: 198862416 bytes
CISCO-MEMORY-POOL-MIB::ciscoMemoryPoolFree.8 = Gauge32: 229683208 bytes
CISCO-MEMORY-POOL-MIB::ciscoMemoryPoolLargestFree.1 = Gauge32: 0 bytes
CISCO-MEMORY-POOL-MIB::ciscoMemoryPoolLargestFree.6 = Gauge32: 0 bytes
CISCO-MEMORY-POOL-MIB::ciscoMemoryPoolLargestFree.7 = Gauge32: 0 bytes
CISCO-MEMORY-POOL-MIB::ciscoMemoryPoolLargestFree.8 = Gauge32: 0 bytes
|
CISCO-PROCESS- MIB
|
Browsing of the following table:
• cpmCPUTotalTable
The following objects are supported:
CISCO-PROCESS-MIB::cpmCPUTotalPhysicalIndex.1 = 1
CISCO-PROCESS-MIB::cpmCPUTotalPhysicalIndex.2 = 2
CISCO-PROCESS-MIB::cpmCPUTotalPhysicalIndex.3 = 3
CISCO-PROCESS-MIB::cpmCPUTotalPhysicalIndex.4 = 4
CISCO-PROCESS-MIB::cpmCPUTotalPhysicalIndex.5 = 5
CISCO-PROCESS-MIB::cpmCPUTotalPhysicalIndex.6 = 1
CISCO-PROCESS-MIB::cpmCPUTotal5sec.1 = Gauge32: 50
CISCO-PROCESS-MIB::cpmCPUTotal5sec.2 = Gauge32: 100
CISCO-PROCESS-MIB::cpmCPUTotal5sec.3 = Gauge32: 0
CISCO-PROCESS-MIB::cpmCPUTotal5sec.4 = Gauge32: 50
CISCO-PROCESS-MIB::cpmCPUTotal5sec.5 = Gauge32: 50
CISCO-PROCESS-MIB::cpmCPUTotal5sec.6 = Gauge32: 50
CISCO-PROCESS-MIB::cpmCPUTotal1min.1 = Gauge32: 50
CISCO-PROCESS-MIB::cpmCPUTotal1min.2 = Gauge32: 100
CISCO-PROCESS-MIB::cpmCPUTotal1min.3 = Gauge32: 0
CISCO-PROCESS-MIB::cpmCPUTotal1min.4 = Gauge32: 50
CISCO-PROCESS-MIB::cpmCPUTotal1min.5 = Gauge32: 50
CISCO-PROCESS-MIB::cpmCPUTotal1min.6 = Gauge32: 50
CISCO-PROCESS-MIB::cpmCPUTotal5min.1 = Gauge32: 50
CISCO-PROCESS-MIB::cpmCPUTotal5min.2 = Gauge32: 100
CISCO-PROCESS-MIB::cpmCPUTotal5min.3 = Gauge32: 0
CISCO-PROCESS-MIB::cpmCPUTotal5min.4 = Gauge32: 50
CISCO-PROCESS-MIB::cpmCPUTotal5min.5 = Gauge32: 50
CISCO-PROCESS-MIB::cpmCPUTotal5min.6 = Gauge32: 50
The first row in the cpmCPUTotalTable reflects either the CPU load for the system in single security context mode or the CPU load for the context in multiple context mode.
The last row in cpmCPUTotalTable always reflects the system CPU load. This row is identical to the first row in single context mode and is only available through the admin context in multiple context mode. The row represents the load for all CPUs, and is equivalent to the output from the show cpu command.
All rows in-between the first and last reflect the per-CPU load. They are only present for multi-CPU systems and only available in either single mode or the admin context in multiple mode.
|
CISCO-SYSLOG-MIB
|
The following trap:
• clogMessageGenerated
You cannot browse this MIB.
|
CISCO-UNIFIED-FIREWALL -MIB
|
Browsing of the following tables:
• cuFwConnectionGlobals
• cufwUrlFilterGlobals
• cufwUrlFilterServers
|
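The row semantics of cpmCPUTotalTable described above matter when you alert on CPU load: the last row is the aggregate that show cpu reports, and a single saturated CPU in the rows between first and last can hide behind a moderate aggregate. The following Python script is an added example, not code from the Cisco documentation or from the security appliance itself. It parses snmpwalk-style text in the same MIB::object.index = value layout as the listings above, labels each cpmCPUTotalTable row according to the rules just stated, flags rows above a threshold, and computes utilization for each ciscoMemoryPoolTable entry. The sample text is constructed from the values shown above; the line format, the threshold and the helper names are assumptions.

```python
import re

# Constructed sample in the same layout as the object listings above.
# The values are copied from those listings; this is not a capture from a device.
SAMPLE_WALK = """\
CISCO-PROCESS-MIB::cpmCPUTotalPhysicalIndex.1 = 1
CISCO-PROCESS-MIB::cpmCPUTotalPhysicalIndex.2 = 2
CISCO-PROCESS-MIB::cpmCPUTotalPhysicalIndex.3 = 3
CISCO-PROCESS-MIB::cpmCPUTotalPhysicalIndex.4 = 4
CISCO-PROCESS-MIB::cpmCPUTotalPhysicalIndex.5 = 5
CISCO-PROCESS-MIB::cpmCPUTotalPhysicalIndex.6 = 1
CISCO-PROCESS-MIB::cpmCPUTotal5sec.1 = Gauge32: 50
CISCO-PROCESS-MIB::cpmCPUTotal5sec.2 = Gauge32: 100
CISCO-PROCESS-MIB::cpmCPUTotal5sec.3 = Gauge32: 0
CISCO-PROCESS-MIB::cpmCPUTotal5sec.4 = Gauge32: 50
CISCO-PROCESS-MIB::cpmCPUTotal5sec.5 = Gauge32: 50
CISCO-PROCESS-MIB::cpmCPUTotal5sec.6 = Gauge32: 50
CISCO-MEMORY-POOL-MIB::ciscoMemoryPoolName.1 = System memory
CISCO-MEMORY-POOL-MIB::ciscoMemoryPoolName.8 = Global Shared
CISCO-MEMORY-POOL-MIB::ciscoMemoryPoolUsed.1 = Gauge32: 102805792 bytes
CISCO-MEMORY-POOL-MIB::ciscoMemoryPoolUsed.8 = Gauge32: 38752248 bytes
CISCO-MEMORY-POOL-MIB::ciscoMemoryPoolFree.1 = Gauge32: 1432686304 bytes
CISCO-MEMORY-POOL-MIB::ciscoMemoryPoolFree.8 = Gauge32: 229683208 bytes
"""

# One walk line: MIB::object.index = [TypeName: ]value  (assumed layout)
LINE_RE = re.compile(
    r"^(?P<mib>[\w-]+)::(?P<obj>\w+)\.(?P<idx>\d+)\s*=\s*(?:[A-Za-z0-9]+:\s*)?(?P<val>.*)$"
)


def parse_walk(text):
    """Return {(object_name, index): value_string} for every parseable line."""
    objects = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            objects[(m.group("obj"), int(m.group("idx")))] = m.group("val").strip()
    return objects


def _as_int(value):
    """'1432686304 bytes' -> 1432686304; drops a trailing unit word."""
    return int(value.split()[0])


def classify_cpu_rows(objects, column="cpmCPUTotal5sec", multiple_mode=False):
    """Label each cpmCPUTotalTable row as the text above describes.

    Returns [(label, load_percent)] in table order:
      first row  -> the context (multiple mode) or the system (single mode)
      last row   -> the system total, equivalent to 'show cpu'
      in between -> one row per CPU, tagged with its cpmCPUTotalPhysicalIndex
    A one-row table (single CPU) is just the system total.
    """
    rows = sorted((idx, _as_int(v)) for (obj, idx), v in objects.items() if obj == column)
    labelled = []
    last = len(rows) - 1
    for pos, (idx, load) in enumerate(rows):
        if pos == last:
            label = "system-total"
        elif pos == 0:
            label = "context" if multiple_mode else "system"
        else:
            phys = objects.get(("cpmCPUTotalPhysicalIndex", idx), "?")
            label = f"cpu-phys-{phys}"
        labelled.append((label, load))
    return labelled


def hot_rows(objects, threshold, column="cpmCPUTotal5sec"):
    """Labels of rows whose load exceeds the threshold. Watching only the
    last (aggregate) row would miss a single saturated CPU."""
    return [label for label, load in classify_cpu_rows(objects, column) if load > threshold]


def memory_pool_utilization(objects):
    """{pool name: percent used} from each ciscoMemoryPoolUsed/Free pair."""
    result = {}
    for (obj, idx), name in objects.items():
        if obj != "ciscoMemoryPoolName":
            continue
        used = _as_int(objects[("ciscoMemoryPoolUsed", idx)])
        free = _as_int(objects[("ciscoMemoryPoolFree", idx)])
        result[name] = round(100.0 * used / (used + free), 2)
    return result


if __name__ == "__main__":
    objs = parse_walk(SAMPLE_WALK)
    for label, load in classify_cpu_rows(objs):
        print(f"{label:14s} {load:3d}%")
    print("above 90%:", hot_rows(objs, 90))
    print("memory:", memory_pool_utilization(objs))
```

With the sample values the aggregate row reads 50 percent while the row for physical index 2 reads 100 percent, which is exactly the case a per-row check catches and a check on show cpu alone does not.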
Configuring an SNMP Agent and Management Station
This section includes the following topics:
• Configuring the SNMP Agent
• Adding an SNMP Management Station
Configuring the SNMP Agent
To configure an SNMP agent, perform the following steps:
Step 1
From the Configuration > Device Management > Management Access > SNMP pane, in the Community String (default) field, add a default community string.
Enter the password used by the SNMP management stations when sending requests to the security appliance. The SNMP community string is a shared secret among the SNMP management stations and the network nodes being managed. The security appliance uses the password to determine if the incoming SNMP request is valid. The password is a case-sensitive value up to 32 characters in length. Spaces are not permitted. The default is "public." SNMPv2c allows separate community strings to be set for each management station. If no community string is configured for any management station, the value set here will be used by default.
Step 2
In the Contact field, add the name of the security appliance system administrator. The text is case-sensitive and can be up to 127 characters. Spaces are accepted, but multiple spaces are shortened to a single space.
Step 3
In the Location field, add the location of the security appliance being managed by SNMP. The text is case-sensitive and can be up to 127 characters. Spaces are accepted, but multiple spaces are shortened to a single space.
Step 4
In the Listening Port field, add the number of the security appliance port that listens for SNMP requests from management stations, or keep the default, port number 161.
Step 5
Click Apply.
The SNMP agent is configured and the changes are saved to the running configuration.
Adding an SNMP Management Station
To add an SNMP management station, perform the following steps:
Step 1
From the Configuration > Device Management > Management Access > SNMP pane, click Add.
The Add SNMP Host Access Entry dialog box appears.
Step 2
From the Interface Name drop-down menu, choose the interface where the SNMP host resides.
Step 3
In the IP Address field, add the SNMP host IP address.
Step 4
In the UDP Port field, add the SNMP host UDP port, or keep the default, port 162.
Step 5
In the Community String field, add the SNMP host community string. If no community string is specified for a management station, the value set in Community String (default) field on the SNMP pane will be used.
Step 6
From the SNMP Version drop-down menu, choose the SNMP version used by the SNMP host.
Step 7
Check the Poll or Trap check boxes to specify the method for communicating with this management station.
Step 8
Click OK.
The dialog box closes.
Step 9
Click Apply.
The management station is configured and changes are saved to the running configuration.
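The two procedures above define a small set of rules: the community string is case-sensitive, at most 32 characters and without spaces; Contact and Location collapse runs of spaces and are limited to 127 characters; and a management station without its own community string falls back to the default set on the SNMP pane. The following Python model is an added example, not code from the Cisco documentation or from the security appliance. It captures those rules so that a planned SNMP configuration can be checked before it is applied, and it flags the cases a reviewer would want to see: the factory default "public" still in use, a station that inherits it, and a station with neither Poll nor Trap checked. The class and field names and the sample entries are assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Limits and defaults stated in the procedures above.
COMMUNITY_MAX_LEN = 32
TEXT_MAX_LEN = 127           # Contact and Location fields
DEFAULT_COMMUNITY = "public"
DEFAULT_LISTEN_PORT = 161
DEFAULT_TRAP_PORT = 162


def validate_community(value):
    """Problems with a community string under the rules above (empty list = OK).
    Comparison is case-sensitive, so nothing is lower-cased here."""
    problems = []
    if not value:
        problems.append("is empty")
    if len(value) > COMMUNITY_MAX_LEN:
        problems.append(f"exceeds {COMMUNITY_MAX_LEN} characters")
    if " " in value:
        problems.append("contains a space")
    return problems


def normalize_text(value):
    """Contact/Location: runs of spaces collapse to one; must fit in 127 chars."""
    collapsed = re.sub(r" {2,}", " ", value)
    if len(collapsed) > TEXT_MAX_LEN:
        raise ValueError(f"longer than {TEXT_MAX_LEN} characters")
    return collapsed


@dataclass
class SnmpHost:
    """One entry from the Add SNMP Host Access Entry dialog (hypothetical model)."""
    interface: str
    ip: str
    udp_port: int = DEFAULT_TRAP_PORT
    community: Optional[str] = None    # None -> the agent default applies
    version: str = "2c"
    poll: bool = False
    trap: bool = False


@dataclass
class SnmpAgent:
    """The SNMP pane settings plus the management stations added to it."""
    default_community: str = DEFAULT_COMMUNITY
    contact: str = ""
    location: str = ""
    listening_port: int = DEFAULT_LISTEN_PORT
    hosts: List[SnmpHost] = field(default_factory=list)

    def effective_community(self, host):
        """Per-station string if one is set, otherwise the agent default."""
        return host.community if host.community else self.default_community

    def audit(self):
        """Findings a reviewer would raise before clicking Apply."""
        findings = []
        for p in validate_community(self.default_community):
            findings.append(f"default community {p}")
        if self.default_community == DEFAULT_COMMUNITY:
            findings.append("default community is the factory value 'public'")
        for h in self.hosts:
            c = self.effective_community(h)
            for p in validate_community(c):
                findings.append(f"{h.ip}: community {p}")
            if c == DEFAULT_COMMUNITY:
                findings.append(f"{h.ip}: falls back to the factory value 'public'")
            if not (h.poll or h.trap):
                findings.append(f"{h.ip}: neither Poll nor Trap is checked")
        return findings


if __name__ == "__main__":
    # Constructed sample: the agent still has the factory default, one station
    # on the inside interface (documentation address) inherits it.
    agent = SnmpAgent(contact=normalize_text("Net   Ops   Team"),
                      location="DC-1 row 4",
                      hosts=[SnmpHost("inside", "192.0.2.10", poll=True)])
    for finding in agent.audit():
        print("finding:", finding)
```

The fallback in effective_community is the behaviour Step 5 of the management-station procedure describes; the audit makes it visible, because a station that was meant to get its own string but silently inherits "public" looks correct in the dialog and is only caught by resolving the effective value.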
Configuring SNMP Traps
To designate which traps the SNMP agent generates and how they are collected and sent to network management stations, perform the following steps:
Step 1
From the Configuration > Device Management > Management Access > SNMP pane, click Configure Traps.
The SNMP Trap Configuration dialog box appears.
Step 2
Click the SNMP events to notify through SNMP traps.
Step 3
Click OK.
The dialog box closes.
Step 4
Click Apply.
The SNMP traps are configured and the changes are saved to the running configuration.
Configuring Management Access Rules
Access Rules permit or deny traffic passing through the security appliance to or from a particular peer (or peers), while Management Access Rules control to-the-box traffic, that is, traffic addressed to the security appliance itself. For example, in addition to detecting IKE Denial of Service attacks, you can block them using management access rules.
To add a Management Access Rule, perform the following steps:
Step 1
From the Configuration > Device Management > Management Access > Management Access Rules pane, from the Add menu, click Add Management Access Rule.
The Add Management Access Rules dialog box appears.
Step 2
From the Interface drop-down list, choose an interface for applying the rule.
Step 3
In the Action field, click one of the following:
• Permit (permits this traffic)
• Deny (denies this traffic)
Step 4
In the Source field, choose Any, or click the ellipsis (...) to browse for an address.
Step 5
In the Service field, add a service name for the rule traffic, or click the ellipsis (...) to browse for a service.
Step 6
(Optional) In the Description field, add a description for this management access rule.
Step 7
(Optional) If you want to receive log messages for this management access rule, check Enable Logging and then from the Logging Level drop-down list, choose the level of logging to apply to this rule.
Step 8
(Optional) To configure advanced options, click More Options. You can configure the following settings:
• If you want to turn off this Management Access Rule, uncheck Enable Rule.
• To add a source service, enter it in the Source Service field, or click the ellipsis (...) to browse for a source service. The destination service and source service must be the same: copy the value of the Service field into the Source Service field.
• To configure the logging interval (if you enable logging and choose a non-default setting), enter a value in seconds in the Logging Interval field.
• To select a predefined time range for this rule, from the Time Range drop-down list, choose a time range; or click the ellipsis (...) to browse for a time range.
The Add Time Range dialog box appears. For information about adding a time range, see Configuring Time Ranges, page 19-15.
Step 9
Click OK.
The dialog box closes and the Management Access rule is added.
Step 10
Click Apply.
The rule is saved in the running configuration.
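To see how the fields of the dialog above combine into a decision on to-the-box traffic, the following Python script is an added example, not code from the Cisco documentation or from the security appliance. It models a management access rule with the interface, action, source, service, Enable Rule, logging and time-range settings described in the steps above, evaluates a list of rules against a packet using first-match ordering (assumed, as for ASA access lists), and applies the IKE Denial of Service case the text mentions: IKE is permitted from one network and denied from everywhere else on the outside interface. The time-range model, the CIDR source notation, the proto/port service notation, the sample addresses (documentation ranges) and the "no-match" result for unmatched traffic are assumptions; the text does not state what happens to to-the-box traffic that matches no rule.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class TimeRange:
    """Hypothetical stand-in for an ASDM time range: active during [start, end) hours."""
    name: str
    start_hour: int
    end_hour: int

    def active_at(self, hour):
        return self.start_hour <= hour < self.end_hour


@dataclass
class ManagementAccessRule:
    """The fields of the Add Management Access Rule dialog described above."""
    interface: str
    action: str                       # "permit" or "deny"
    source: str                       # "any" or a network in CIDR form (assumed notation)
    service: str                      # "any" or "proto/port", e.g. "udp/500" (assumed notation)
    description: str = ""
    enabled: bool = True              # the Enable Rule check box under More Options
    logging: bool = False             # Enable Logging
    time_range: Optional[TimeRange] = None

    def matches(self, interface, src_ip, service, hour):
        if not self.enabled or self.interface != interface:
            return False
        if self.time_range is not None and not self.time_range.active_at(hour):
            return False
        if self.source != "any" and ip_address(src_ip) not in ip_network(self.source, strict=False):
            return False
        return self.service == "any" or self.service == service


def evaluate(rules, interface, src_ip, service, hour=12):
    """First-match evaluation in list order (assumed).
    Returns (action, index of the matching rule), or ("no-match", None)
    when nothing matched; the text above does not define that case."""
    for i, rule in enumerate(rules):
        if rule.matches(interface, src_ip, service, hour):
            return rule.action, i
    return "no-match", None


# Constructed rule set for the IKE example in the text: accept IKE (udp/500)
# only from a known peer network, drop it from anyone else, and open ASDM
# (tcp/443) on the outside interface only during a change window.
SAMPLE_RULES = [
    ManagementAccessRule("outside", "permit", "203.0.113.0/24", "udp/500",
                         description="IKE from VPN peers on the partner network", logging=True),
    ManagementAccessRule("outside", "deny", "any", "udp/500",
                         description="block IKE from anywhere else", logging=True),
    ManagementAccessRule("outside", "permit", "any", "tcp/443",
                         description="ASDM during the change window",
                         time_range=TimeRange("change-window", 22, 23)),
]


if __name__ == "__main__":
    probes = [("203.0.113.5", "udp/500", 12), ("198.51.100.7", "udp/500", 12),
              ("198.51.100.7", "tcp/443", 12), ("198.51.100.7", "tcp/443", 22)]
    for ip, svc, hour in probes:
        print(f"{ip:14s} {svc:8s} at {hour:02d}:00 -> {evaluate(SAMPLE_RULES, 'outside', ip, svc, hour)}")
```

Rule order is what makes the example work: the permit for the partner network must sit above the deny for any, or the deny would match first. A rule with Enable Rule unchecked is skipped entirely, and a rule bound to a time range matches only while that range is active, which is why the ASDM rule returns no match at noon and a permit at 22:00.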
Configuring AAA for System Administrators
This section describes how to enable authentication and command authorization for system administrators. Before you configure AAA for system administrators, first configure the local database or AAA server according to the "Configuring the Local Database" section on page 12-7 or the "Identifying AAA Server Groups and Servers" section on page 12-12.
This section includes the following topics:
• Configuring Authentication for CLI, ASDM, and enable command Access
• Limiting User CLI and ASDM Access with Management Authorization
• Configuring Command Authorization
• Configuring Management Access Accounting
• Recovering from a Lockout