Cisco 5510 - ASA SSL / IPsec VPN Edition Getting Started Manual


Cisco ASA 5500 Series Getting Started Guide
For the Cisco ASA 5510, ASA 5520, ASA 5540, and ASA 5550
Software Version 8.3
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel:
408 526-4000
800 553-NETS (6387)
Fax:
408 527-0883
Customer Order Number: DOC-78-19186-01
Text Part Number: 78-19186-01


Summary of Contents for Cisco 5510 - ASA SSL / IPsec VPN Edition

  • Page 2 LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY. The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
  • Page 3: Table Of Contents

    Chapter: Installing the ASA 5550. Verifying the Package Contents; Installing the Chassis; Rack-Mounting the Chassis; Installing SFP Modules; SFP Module; Installing an SFP Module; Ports and LEDs...
  • Page 4 Chapter: Connecting Interface Cables on the ASA 5500, ASA 5510, ASA 5520, and ASA 5540 Platforms. Connecting Interface Cables; Connecting to SSMs; Connecting to a 4GE SSM...
  • Page 5 8-11; Translating the Public Address of the Web Server to its Real Address on the Inside Interface 8-14; Configuring Static PAT for Public Access to the DMZ Web Server (Port Forwarding) 8-17...
  • Page 6 Example Topology Using AnyConnect SSL VPN Clients 10-3; Implementing the Cisco SSL VPN Scenario 10-3; Information to Have Available 10-4; Configuring the Adaptive Security Appliance for the Cisco AnyConnect VPN Client 10-5; Specifying the SSL VPN Interface 10-6; Specifying a User Authentication Method...
  • Page 7 Configuring the Site-to-Site VPN 12-3; Configuring the Security Appliance at the Local Site 12-3; Providing Information About the Remote VPN Peer 12-5; Configuring the IKE Policy 12-6; Configuring IPsec Encryption and Authentication Parameters 12-8...
  • Page 8 Configuring the CSC SSM for Content Security 14-6; Obtain Software Activation Key from Cisco.com 14-6; Gather Information 14-7; Verify Time Settings 14-7; Run the CSC Setup Wizard 14-8; What to Do Next 14-17...
  • Page 9 Cabling 4GE SSM Interfaces 15-2; Setting the 4GE SSM Media Type for Fiber Interfaces (Optional) 15-3; What to Do Next 15-5; Appendix: Obtaining a 3DES/AES License...
  • Page 11: Before You Begin

    Before You Begin Use the following table to find the installation and configuration steps that are required for your implementation of the Cisco ASA 5500 series adaptive security appliance. The adaptive security appliance implementations included in this document are as...
  • Page 12: Asa 5500

    ASA 5500 with AIP SSM. To Do This ... / See ...: Install the chassis: Chapter 4, “Installing the ASA 5500, ASA 5510, ASA 5520, and ASA 5540”. Install the AIP SSM: Chapter 5, “Installing Optional SSMs”...
  • Page 13: Asa 5500 With Csc Ssm

    Chapter 6, “Connecting Interface Cables on the ASA 5500, ASA 5510, ASA 5520, and ASA 5540 Platforms”. Perform initial setup of the adaptive security appliance: Chapter 7, “Configuring the Adaptive Security Appliance”...
  • Page 14: Asa 5500 With 4Ge Ssm

    Chapter 6, “Connecting Interface Cables on the ASA 5500, ASA 5510, ASA 5520, and ASA 5540 Platforms”. Perform initial setup of the adaptive security appliance: Chapter 7, “Configuring the Adaptive Security Appliance”...
  • Page 15: Asa 5550

    Cisco ASA 5500 Series Command Reference; Cisco ASA 5500 Series System Log Messages. Related Documents: For more information, see the following documentation: • Documentation Roadmap for the Cisco ASA 5500 Series • Cisco ASA 5500 Series Release Notes • Release Notes for Cisco ASDM •...
  • Page 16 • Cisco ASA 5500 Series System Log Messages • Migrating to ASA for VPN 3000 Series Concentrator Administrators • Cisco Secure Desktop Configuration Guide for Cisco ASA 5500 Series Administrators • Open Source Software Licenses for ASA and PIX Security Appliances •...
  • Page 17: Chapter 2 Maximizing Throughput On The Asa 5550

    Note: This chapter applies only to the Cisco ASA 5550. The Cisco ASA 5550 adaptive security appliance is designed to deliver maximum throughput when configured according to the guidelines described in this chapter. This chapter includes the following sections: •...
  • Page 18: Balancing Traffic To Maximize Throughput

    SFP modules for each fiber port you want to use. For more information on fiber ports and SFP modules, see the “Installing SFP Modules” section on page 3-6. Figure 2-1 shows the embedded ports on the Cisco ASA 5550. [Figure 2-1: Embedded Ports on the ASA 5550 (Slot 1, Slot 0, FLASH)]...
  • Page 19 [Figure: Traffic Evenly Distributed for Maximum Throughput (Copper to Fiber); incoming and outgoing traffic split across Slot 1 and Slot 0]...
  • Page 21: What To Do Next

    You can use the show traffic command to see the traffic throughput over each bus. Note: For more information about using the command, see the Cisco ASA 5500 Series Command Reference. What to Do Next: Continue with Chapter 3, “Installing the ASA 5550.”...
  • Page 23: Installing The Asa 5550

    Caution: Read the safety warnings in the Regulatory Compliance and Safety Information for the Cisco ASA 5500 Series and follow proper safety procedures when performing these steps. Only trained and qualified personnel should install, replace, or service this...
  • Page 24: Verifying The Package Contents

    Verifying the Package Contents Verify the contents of the packing box, shown in Figure 3-1, to ensure that you have received all items necessary to install the Cisco ASA 5550. Figure 3-1 Contents of ASA 5550 Package Cisco ASA 5550 adaptive...
  • Page 25: Installing The Chassis

    DC circuit, switch the circuit breaker to the OFF position, and tape the switch handle of the circuit breaker in the OFF position....
  • Page 26: Rack-Mounting The Chassis

    [Figure 3-2: Installing the Right and Left Brackets] Step 2: Attach the chassis to the rack using the supplied screws, as shown in Figure 3-3....
  • Page 27 To remove the chassis from the rack, remove the screws that attach the chassis to the rack, and then remove the chassis....
  • Page 28: Installing Sfp Modules

    Use fiber cables with LC connectors to connect to an SFP module. The SFP modules support 850 to 1550 nm nominal wavelengths. The cables must not exceed the required cable length for reliable communications. Table 3-2 lists the cable length requirements....
  • Page 29 Use only Cisco-certified SFP modules on the adaptive security appliance. Each SFP module has an internal serial EEPROM that is encoded with security information. This encoding provides a way for Cisco to identify and validate that the SFP module meets the requirements for the adaptive security appliance.
  • Page 30: Installing An Sfp Module

    Step 2: Remove the port plug; then connect the network cable to the SFP module. Step 3: Connect the other end of the cable to your network. For more information on connecting the cables, see Chapter 3, “Connecting Interface Cables.”...
  • Page 31: Ports And Leds

    LEDs on the front panel of the adaptive security appliance. Figure 3-5: Front Panel LEDs (CISCO ASA 5540 SERIES Adaptive Security Appliance: POWER, STATUS, ACTIVE, FLASH). LED / Color / State / Description: Power, Green, The system has power....
  • Page 32 [Figure legend: Status indicator LED; Power connector; Power indicator LED; Active LED] 1. The management 0/0 interface is a Fast Ethernet interface designed for management traffic only. 2. Reserved for future use....
  • Page 33 3. GigabitEthernet interfaces, from right to left, GigabitEthernet 0/0, GigabitEthernet 0/1, GigabitEthernet 0/2, and GigabitEthernet 0/3. For more information on the Management Port, see the management-only command in the Cisco ASA 5500 Series Command Reference. Figure 3-7 shows the adaptive security appliance rear panel LEDs.
  • Page 34 Table 3-4 describes the LEDs in Slot 1. Table 3-4: LEDs on Bus G1 (items 2, 7). LINK: Green, Solid, There is an Ethernet link; Flashing, There is Ethernet activity....
  • Page 35 Note the management-only command. You can also disable management-only mode on the management interface. For more information about this command, see the management-only command in the Cisco ASA 5500 Series Command Reference....
  • Page 36 Flow Control (FC) = Hardware. Locate the serial console cable, which has an RJ-45 connector on one end and a DB-9 connector on the other end for the serial port on your computer....
  • Page 37 Connect the RJ-45 connector of the cable to the Auxiliary port (labeled AUX) on the adaptive security appliance, as shown in Figure 3-11. Connect the other end of the cable, the DB-9 connector, to the serial port on your computer....
  • Page 38 Note: You must use a port in Slot 0 for the inside interface, and a port in Slot 1 for the outside interface. Connect one end of an Ethernet cable to a copper Ethernet port, as shown in Figure 3-12 and Figure 3-13....
  • Page 39 [Figure 3-13: Connecting to Copper Ethernet Interfaces in Slot 1 (copper Ethernet ports, RJ-45 connector)]...
  • Page 40 Remove the port plug from the installed SFP as shown in Figure 3-14. [Figure 3-14: Removing the Fiber Port Plug (port plug, SFP module)] Connect the LC connector to the SFP module as shown in Figure 3-15....
  • Page 41: What To Do Next

    Step 7: Connect the power cord to the adaptive security appliance and plug the other end into the power source. Step 8: Power on the chassis. What to Do Next: Continue with Chapter 7, “Configuring the Adaptive Security Appliance.”...
  • Page 43 Statement 49. Caution: Read the safety warnings in the Regulatory Compliance and Safety Information for the Cisco ASA 5500 Series and follow proper safety procedures when performing these steps. This chapter provides a product overview and describes the memory requirements, rack-mount, and installation procedures for the adaptive security appliance.
  • Page 44 Verifying the Package Contents. Note: The illustrations in this document show the Cisco ASA 5540 adaptive security appliance. The Cisco ASA 5510 adaptive security appliance and Cisco ASA 5520 adaptive security appliance are identical, containing the same back panel features and indicators.
  • Page 45 Installing the Chassis: This section describes how to rack-mount and install the adaptive security appliance. You can mount the adaptive security appliance in a 19-inch rack (with a 17.5- or 17.75-inch opening)....
  • Page 46 Note: You can use the mounting brackets to mount the chassis to the front or the back of the rack, with the front panel or the rear panel of the chassis facing outward....
  • Page 47 [Figures: Installing the Left Bracket on the Rear Panel of the Chassis; Figure 4-3: Installing the Right Bracket on the Rear Panel of the Chassis] Step 2: Attach the chassis to the rack using the supplied screws, as shown in Figure 4-4....
  • Page 48 To remove the chassis from the rack, remove the screws that attach the chassis to the rack, and then remove the chassis....
  • Page 49 The power-up diagnostics have failed. Active LED: Green, Solid, This is the active failover device; Amber, Solid, This is the standby failover device. Green, Solid, VPN tunnel is established. Flash LED: Green, Solid, The CompactFlash is being accessed....
  • Page 50 3. GigabitEthernet interfaces, from right to left, GigabitEthernet 0/0, GigabitEthernet 0/1, GigabitEthernet 0/2, and GigabitEthernet 0/3. For more information on the Management Port, see the “Management-Only” section in the Cisco ASA 5500 Series Command Reference....
  • Page 51 10 Mbps; Green, 100 Mbps; Amber, 1000 Mbps. Note: The ASA 5510 adaptive security appliance only supports 10/100BaseTX. The ASA 5520 adaptive security appliance and the ASA 5540 adaptive security appliance support 1000BaseT....
  • Page 52 ...have not yet been installed: Chapter 5, “Installing Optional SSMs”. Continue with connecting interface cables: Chapter 6, “Connecting Interface Cables on the ASA 5500, ASA 5510, ASA 5520, and ASA 5540 Platforms”...
  • Page 53 10/100/1000 Mbps, copper, RJ-45 ports or four optional 1000 Mbps, Small Form-Factor Pluggable (SFP) fiber ports. This section describes how to install and replace the Cisco 4GE SSM in the adaptive security appliance. This section includes the following topics: • 4GE SSM Components, page 5-2...
  • Page 54: Installing Optional Ssms

    4GE SSM Components: Figure 5-1 lists the Cisco 4GE SSM ports and LEDs. [Figure 5-1: Cisco 4GE SSM Ports and LEDs (Cisco SSM-4GE: RJ-45 ports, Status LED, RJ-45 Link LED, SFP ports)]...
  • Page 55: Installing The Cisco 4Ge Ssm

    Amber: The system diagnostics failed. Installing the Cisco 4GE SSM: To install a new Cisco 4GE SSM for the first time, perform the following steps: Step 1: Power off the adaptive security appliance. Step 2: Locate the grounding strap from the accessory kit and fasten it to your wrist so that it contacts your bare skin.
  • Page 56: Installing The Sfp Modules

    Step 6: Power on the adaptive security appliance. Step 7: Check the LEDs. If the Cisco 4GE SSM is installed properly, the STATUS LED flashes during boot up and is solid when operational. Step 8: Connect one end of the RJ-45 cable to the port and the other end of the cable to your network devices.
  • Page 57: Sfp Module

    [SFP module table (partial; columns garbled in extraction): LX/LH, 1310 nm fiber: 550 m at 500 MHz-km; 550 m at 400 MHz-km; 10 km. Next row (label elided): 275 m at 200 MHz-km; 550 m at 500 MHz-km]...
  • Page 58: Installing The Sfp Module

    Statement 70. Installing the SFP Module: To install the SFP module in the Cisco 4GE SSM, perform the following steps: Step 1: Line up the SFP module with the port and slide the SFP module into the port slot...
  • Page 59 5500, ASA 5510, ASA 5520, and ASA 5540 Platforms.” Caution: The latching mechanism used on many SFPs locks them into place when cables are connected. Do not pull on the cabling in an attempt to remove the SFP....
  • Page 60: Cisco Aip Ssm And Csc Ssm

    1.0 GB. AIP SSM 20: 2.4 GHz Pentium 4, 2.0 GB. For more information on the AIP SSM, see the Cisco ASA 5500 Series Configuration Guide using the CLI. The CSC SSM runs Content Security and Control software. The CSC SSM provides protection against viruses, spyware, spam, and other unwanted traffic.
  • Page 61: Installing An Ssm

    Attach the other end to the chassis. Step 3: Remove the two screws (as shown in Figure 5-6) at the left rear end of the chassis, and remove the slot cover....
  • Page 62 Step 7: Connect one end of the RJ-45 cable to the port and the other end of the cable to your network devices. What to Do Next: Continue with Chapter 6, “Connecting Interface Cables on the ASA 5500, ASA 5510, ASA 5520, and ASA 5540 Platforms.”...
  • Page 63: Connecting Interface Cables On The Asa 5500, Asa 5510, Asa 5520, And Asa 5540 Platforms

    Only trained and qualified personnel should install, replace, or service this equipment. Statement 49. Caution: Read the safety warnings in the Regulatory Compliance and Safety Information for the Cisco ASA 5500 Series and follow proper safety procedures when performing these steps....
  • Page 64: Connecting Interface Cables

    Note: The RJ-45 Auxiliary port (labeled AUX on the chassis) is reserved for internal use at Cisco. The port is not functional in shipping versions of the chassis; therefore, customers cannot connect to this port to run the adaptive security appliance CLI.
  • Page 65 Before connecting a computer or terminal to any ports, check to determine the baud rate of the serial port. The baud rate must match the default baud rate (9600 baud) of the Console port of the adaptive security appliance....
  • Page 66: Connecting To Ssms

    [Figure legend: FLASH; RJ-45 Console port; RJ-45 to DB-9 console cable] Connecting to SSMs: SSMs are optional; this procedure is necessary only if you have installed an SSM on the adaptive security appliance....
  • Page 67 Step 3: Connect to Ethernet ports to be used for network connections. Connect the RJ-45 connector to the Ethernet port. Connect the other end of the Ethernet cable to your network device, such as a router, switch, or hub....
  • Page 68: Connecting To A 4Ge Ssm

    Ethernet cable to link the units directly. For more information, see the Configuring Failover chapter in the Cisco ASA 5500 Series Configuration Guide using the CLI. See also Chapter 4, “Ports and LEDs” for information about the Ethernet...
  • Page 69 Step 1: Connect one end of an Ethernet cable to a copper Ethernet port. Connect the other end of the Ethernet cable to a network device, such as a router, switch, or hub....
  • Page 70 Connect the LC connector to the SFP module as shown in Figure 6-6. [Figure 6-6: Connecting the LC Connector]...
  • Page 71: Powering On The Adaptive Security Appliance

    Connect the power cord to the adaptive security appliance and plug the other end into the power source. Step 2: Power on the chassis. What to Do Next: Continue with Chapter 7, “Configuring the Adaptive Security Appliance.”...
  • Page 73: Configuring The Adaptive Security Appliance

    This chapter describes the initial configuration of the adaptive security appliance. You can perform the configuration steps using either the browser-based Cisco Adaptive Security Device Manager (ASDM) or the command-line interface (CLI). The procedures in this chapter describe how to configure the adaptive security appliance using ASDM.
  • Page 74: Using The Cli For Configuration

    Cisco ASA 5500 Series Command Reference. For step-by-step configuration procedures for all functional areas of the adaptive security appliance, see the Cisco ASA 5500 Series Configuration Guide using the CLI....
  • Page 75: Using The Adaptive Security Device Manager For Configuration

    • Preparing to Use ASDM, page 7-4 • Gathering Configuration Information for Initial Setup, page 7-4 • Installing the ASDM Launcher, page 7-5 • Starting ASDM with a Web Browser, page 7-8...
  • Page 76: Preparing To Use Asdm

    Gathering Configuration Information for Initial Setup: Gather the following information to be used with the ASDM Startup Wizard: • A unique hostname to identify the adaptive security appliance on your network. • The domain name....
  • Page 77: Installing The Asdm Launcher

    To install the ASDM Launcher, perform the following steps: Step 1: On the PC connected to the switch or hub, launch an Internet browser. In the address field of the browser, enter this URL: https://192.168.1.1/admin....
  • Page 78 It is not necessary to save the installation software to your hard drive. When the InstallShield Wizard appears, follow the instructions to install the ASDM Launcher software. Step 2: From your desktop, start the Cisco ASDM Launcher software. Step 3: A dialog box appears. Enter the IP address or the host name of your adaptive security appliance.
  • Page 79 Step 4: Enter the IP address or host name of your adaptive security appliance. Step 5: Leave the Username and Password fields blank. Note: By default, there is no Username and Password set for the Cisco ASDM Launcher. Click OK.
  • Page 80: Starting Asdm With A Web Browser

    Step 2: Follow the instructions in the Startup Wizard to set up your adaptive security appliance. For information about any field in the Startup Wizard, click Help at the bottom of the window....
  • Page 81: What To Do Next

    Configure the adaptive security appliance for SSL VPN connections using a web browser: Chapter 11, “Scenario: SSL VPN Clientless Connections”. Configure the adaptive security appliance for site-to-site VPN: Chapter 12, “Scenario: Site-to-Site VPN Configuration”...
  • Page 83: Scenario: Dmz Configuration

    Figure 8-1. In this example, the web server is on the DMZ interface, and HTTP clients from both the inside and outside networks can access the web server....
  • Page 84 The network has one IP address that is publicly available: the outside interface of the adaptive security appliance (209.165.200.225). This public address is shared by the adaptive security appliance and the DMZ web server....
  • Page 85: An Inside User Visits A Web Server On The Internet

    [Figure: source address translation. The inside user at 192.168.1.2 is translated to the public IP address 209.165.200.225 (outside interface). DMZ interface 10.30.30.1; inside interface 192.168.1.1; web server private IP address 10.30.30.30, public IP address 209.165.200.225]...
  • Page 86: An Internet User Visits The Dmz Web Server

    An Internet User Visits the DMZ Web Server: Figure 8-3 shows the traffic flow through the adaptive security appliance when a user on the Internet requests a web page from the DMZ web server....
  • Page 87 IP address of the adaptive security appliance (209.165.200.225, the IP address of the outside interface). The adaptive security appliance receives the packet and, because it is a new session, verifies that the packet is allowed....
  • Page 88: An Inside User Visits The Dmz Web Server

    DMZ web server (209.165.200.225). The adaptive security appliance forwards the packet to the outside user. An Inside User Visits the DMZ Web Server: Figure 8-4 shows an inside user accessing the DMZ web server....
  • Page 89: Figure

    DNS server, internal client requests for the DMZ web server are handled as follows: A lookup request is sent to the DNS server of the ISP. The public IP address of the DMZ web server is returned to the client....
  • Page 90: Configuring The Adaptive Security Appliance For A Dmz Deployment

    Chapter 7, “Configuring the Adaptive Security Appliance.” The section includes the following topics: • Configuration Requirements, page 8-9 • Information to Have Available, page 8-10 • Enabling Inside Clients to Communicate with Devices on the Internet, page 8-10...
  • Page 91: Configuration Requirements

    IP address of the DMZ web server to its private IP address (209.165.200.225 to 10.30.30.30). • An access control rule permitting incoming HTTP traffic that is destined for the DMZ web server....
  • Page 92: Information To Have Available

    IP address of the DMZ web server to its public IP address (10.30.30.30 to 209.165.200.225). This is necessary because when an internal client sends a DNS lookup request, the DNS server returns the public IP address of the DMZ web server....
  • Page 93: Translating Internal Client Ip Addresses Between The Inside And Dmz Interfaces

    • (Optional) In the Description field, enter a description of the network object (up to 200 characters in length). Note: If the NAT section is hidden, click NAT to expand the section. Step 3: Check the Add Automatic Translation Rules check box....
  • Page 94 • In the Source Interface drop-down list, choose the Inside interface. • In the Destination Interface drop-down list, choose the DMZ interface. These two settings specify the real and/or mapped interfaces where this NAT rule should apply....
  • Page 95 Confirm that the rule was created the way you expected. The displayed configuration should be similar to the following. Step 9: Click Apply to complete the adaptive security appliance configuration changes....
  • Page 96: Translating The Public Address Of The Web Server To Its Real Address On The Inside Interface

    Step 5: In the Translated Addr. field, enter the public address (or mapped address) of the DMZ web server, or click ..., and choose the address from the Browse Translated Addr dialog box. In this scenario, the IP address is 209.165.200.225....
  • Page 97 • In the Source Interface drop-down list, choose the DMZ interface. • In the Destination Interface drop-down list, choose the Inside interface. These two settings specify the real and/or mapped interfaces where this NAT rule should apply....
  • Page 98 Step 8: Click OK to add the rule and return to the list of Address Translation Rules. Confirm that the rule was created the way you expected. The displayed configuration should be similar to the following....
  • Page 99: Forwarding)

    Note: If the NAT section is hidden, click NAT to expand the section. Step 3: Check the Add Automatic Translation Rules check box. Step 4: From the Type drop-down list, choose Static....
  • Page 100 • To configure static NAT with port translation, under Service, choose tcp from the Protocol drop-down list. • In the Real Port field, enter 80. • In the Mapped Port field, enter 80....
  • Page 101 Step 8: Click OK to add the rule and return to the list of Address Translation Rules. Confirm that the rule was created the way you expected. The displayed configuration should be similar to the following....
  • Page 102: Providing Public Http Access To The Dmz Web Server

    Internet, if the destination of the traffic is the web server on the DMZ network. All other traffic coming in from the public network is denied....
  • Page 103 In the Destination field, enter the public IP address of the web server (209.165.200.225). In the Service field, enter TCP/HTTP. At this point, the entries in the Add Access Rule dialog box should be similar to the following:...
  • Page 104 Alternatively, ASDM prompts you to save the configuration changes permanently when you exit ASDM. If you do not save the configuration changes, the old configuration takes effect the next time the device starts....
  • Page 105: What To Do Next

    AnyConnect software clients: ...Connections for a Cisco AnyConnect VPN Client”. Configure a browser-based SSL VPN: Chapter 11, “Scenario: SSL VPN Clientless Connections”. Configure a site-to-site VPN: Chapter 12, “Scenario: Site-to-Site VPN Configuration”...
  • Page 107: Scenario: Ipsec Remote-Access Vpn Configuration

    Topology: Figure 9-1 shows an adaptive security appliance configured to accept requests from and establish IPsec connections with VPN clients, such as Cisco Easy VPN software or hardware clients, over the Internet....
  • Page 108: Implementing The Ipsec Remote-Access Vpn Scenario

      • Configuring an IPsec Remote-Access VPN, page 9-3
      • Selecting VPN Client Types, page 9-5
      • Specifying the VPN Tunnel Group Name and Authentication Method, page 9-6
      • Specifying a User Authentication Method, page 9-7
  • Page 109: Configuring an IPsec Remote-Access VPN

    To configure a remote-access VPN, perform the following steps: Step 1 In the main ASDM window, choose IPsec VPN Wizard from the Wizards drop-down menu. The VPN Wizard Step 1 screen appears.
  • Page 110 Step 2 In Step 1 of the VPN Wizard, perform the following steps: Click the Remote Access radio button. From the drop-down list, choose Outside as the enabled interface for the incoming VPN tunnels. Click Next to continue.
  • Page 111: Selecting VPN Client Types

    Step 1 Specify the type of VPN client that will enable remote users to connect to this adaptive security appliance. For this scenario, click the Cisco VPN Client radio button. You can also use any other Cisco Easy VPN remote product.
  • Page 112: Specifying the VPN Tunnel Group Name and Authentication Method

      • To use a static preshared key for authentication, click the Pre-Shared Key radio button and enter a preshared key (for example, “Cisco”). This key is used for IPsec negotiations.
      • To use digital certificates for authentication, click the Certificate radio ...
  • Page 113: Specifying a User Authentication Method

    Step 2 Enter a Tunnel Group Name (such as “Cisco”) for the set of users that use common connection parameters and client attributes to connect to this adaptive security appliance.
  • Page 114 Click the Authenticate Using an AAA Server Group radio button. Choose a preconfigured server group from the Authenticate using a AAA server group drop-down list, or click New to add a new AAA server group. Step 3 Click Next to continue.
  • Page 115: (Optional) Configuring User Accounts

    In Step 5 of the VPN Wizard, perform the following steps: Step 1 To add a new user, enter a username and password, and then click Add. Step 2 When you have finished adding new users, click Next to continue.
  • Page 116: Configuring Address Pools

    Step 1 Enter a pool name or choose a preconfigured pool from the Pool Name drop-down list. Alternatively, click New to create a new address pool. The Add IP Pool dialog box appears.
  • Page 117: Configuring Client Attributes

    DNS names for resolution or use Windows networking. In Step 7 of the VPN Wizard, perform the following steps: Step 1 Enter the network configuration information to be pushed to remote clients.
  • Page 118: Configuring the IKE Policy

    IKE is a negotiation protocol that includes an encryption method to protect data and ensure privacy, and an authentication method to ensure the identity of the peers. In most cases, the ASDM default values are sufficient to establish secure VPN tunnels.
  • Page 119 Step 1 Choose the Encryption (DES/3DES/AES), authentication algorithms (MD5/SHA), and the Diffie-Hellman group (1/2/5/7) used by the adaptive security appliance during an IKE security association. Step 2 Click Next to continue.
  • Page 120: Specifying Address Translation Exception and Split Tunneling

    Step 1 Specify hosts, groups, and networks that should be in the list of internal resources made accessible to authenticated remote users. To add or remove hosts, groups, and networks dynamically from the Selected Hosts/Networks area, click Add or Delete, respectively.
  • Page 121 (1024-bit Diffie-Hellman), requires less CPU time to execute but is less secure than Group 5 (1536-bit). Group 7 is for use with the Movian VPN client, but works with any peer that supports Group 7 (ECC). Step 5 Click Next to continue.
  • Page 122: Verifying the Remote-Access VPN Configuration

    Save. Alternatively, ASDM prompts you to save the configuration changes permanently when you exit ASDM. If you do not save the configuration changes, the old configuration takes effect the next time the device starts.
  • Page 123: What to Do Next

    To establish end-to-end, encrypted VPN tunnels for secure connectivity for mobile employees or teleworkers, obtain the Cisco VPN client software. For more information about the Cisco Systems VPN client, see the following URL: http://www.cisco.com/en/US/products/sw/secursw/ps2308/index.html. If you are deploying the adaptive security appliance solely in a remote-access VPN environment, you have completed the initial configuration.
  • Page 124 Chapter 9 Scenario: IPsec Remote-Access VPN Configuration, What to Do Next
  • Page 125: Chapter 10 Scenario: Configuring Connections for a Cisco AnyConnect VPN Client

    IP address or FQDN of the SSL VPN interface of the adaptive security appliance. The browser connects to the SSL VPN-enabled interface and displays the login screen. Note Administrative rights are required the first time the Cisco AnyConnect VPN client is installed or downloaded.
  • Page 126: Obtaining the Cisco AnyConnect VPN Client Software

    The adaptive security appliance obtains the AnyConnect VPN client software from the Cisco website. This chapter provides instructions for configuring the SSL VPN using a configuration Wizard. You can download the Cisco SSL VPN software during the configuration process. Users can download the AnyConnect VPN client from the adaptive security appliance, or it can be installed manually on the remote PC by the system administrator.
  • Page 127: Example Topology Using AnyConnect SSL VPN Clients

    SSL VPN scenario illustrated in Figure 10-1. This section includes the following topics:
      • Information to Have Available, page 10-4
      • Configuring the Adaptive Security Appliance for the Cisco AnyConnect VPN Client, page 10-5
  • Page 128: Information to Have Available

    Implementing the Cisco SSL VPN Scenario
      • Specifying the SSL VPN Interface, page 10-6
      • Specifying a User Authentication Method, page 10-7
      • Specifying a Group Policy, page 10-8 ...
  • Page 129: Configuring the Adaptive Security Appliance for the Cisco AnyConnect VPN Client

    To begin the configuration process, perform the following steps: Step 1 In the main ASDM window, choose SSL VPN Wizard from the Wizards drop-down menu.
  • Page 130: Specifying the SSL VPN Interface

    In Step 2 of the SSL VPN Wizard, perform the following steps: Specify a Connection Name to which remote users connect.
  • Page 131: Specifying a User Authentication Method

    In Step 3 of the SSL VPN Wizard, perform the following steps: If you are using a AAA server or server group for authentication, perform the...
  • Page 132: Specifying a Group Policy

    In this dialog box, specify the following:
      – A server group name
      – The Authentication Protocol to be used (RADIUS, TACACS, SDI, NT, ...
  • Page 133: Configuring the Cisco AnyConnect VPN Client

    VPN client connections, so click Next again. Configuring the Cisco AnyConnect VPN Client For remote clients to gain access to your network with a Cisco AnyConnect VPN client, you must configure a pool of IP addresses that can be assigned to remote VPN clients as they are successfully connected.
  • Page 134 Step 3 Specify the location of the AnyConnect VPN client software image. To obtain the most current version of the software, click Download Latest AnyConnect VPN Client from cisco.com. This downloads the client software to your PC. Click Next to continue.
  • Page 135: Verifying the Remote-Access VPN Configuration

    In Step 7 of the SSL VPN Wizard, review the configuration settings to ensure that they are correct. The displayed configuration should be similar to the following.
  • Page 136: What to Do Next

    If you are deploying the adaptive security appliance solely to support AnyConnect VPN connections, you have completed the initial configuration. In addition, you may want to consider performing some of the following steps.
  • Page 137: Scenario: SSL VPN Clientless Connections

    Internet. They include the following:
      • Internal websites
      • Web-enabled applications
      • NT/Active Directory and FTP file shares
      • E-mail proxies, including POP3S, IMAP4S, and SMTPS
  • Page 138: Security Considerations for Clientless SSL VPN Connections

    Nor does the adaptive security appliance perform trusted CA certificate validation. Therefore, users cannot analyze the certificate an SSL-enabled web server presents before communicating with it.
  • Page 139: Example Network with Browser-Based SSL VPN Access

    • IP address. Figure 11-1 shows an adaptive security appliance configured to accept SSL VPN connection requests over the Internet using a web browser.
  • Page 140: Implementing the Clientless SSL VPN Scenario

      • Specifying a User Authentication Method, page 11-8
      • Specifying a Group Policy, page 11-10
      • Creating a Bookmark List for Remote Users, page 11-11
      • Verifying the Configuration, page 11-15
  • Page 141: Information to Have Available

    Because this is the page users see when they first establish a connection, it should contain the most frequently used targets for remote users.
  • Page 142: Configuring the Adaptive Security Appliance for Browser-Based SSL VPN Connections

    The SSL VPN Feature Step 1 screen appears. Step 2 In Step 1 of the SSL VPN Wizard, perform the following steps: Check the Browser-based SSL VPN (Web VPN) check box. Click Next to continue.
  • Page 143: Specifying the SSL VPN Interface

    When users establish a connection to this interface, the SSL VPN portal page is displayed. Step 3 From the Certificate drop-down list, choose the certificate the adaptive security appliance sends to the remote user to authenticate the adaptive security appliance.
  • Page 144: Specifying a User Authentication Method

    In Step 3 of the SSL VPN Wizard, perform the following steps: Step 1 If you are using a AAA server or server group for authentication, perform the following steps: Click the Authenticate using a AAA server group radio button.
  • Page 145
      – The Authentication Protocol to be used (TACACS, SDI, NT, Kerberos, LDAP)
      – IP address of the AAA server
      – Interface of the adaptive security appliance
      – Secret key to be used when communicating with the AAA server
    Click OK.
  • Page 146: Specifying a Group Policy

    Step 1 Click the Create new group policy radio button and specify a group name, or click the Modify an existing group policy radio button and choose a group from the drop-down list.
  • Page 147: Creating a Bookmark List for Remote Users

    In Step 5 of the SSL VPN Wizard, specify URLs to appear on the VPN portal page by performing the following steps: Step 1 To specify an existing bookmark list, choose the Bookmark List name from the drop-down list.
  • Page 148 To add a new list or edit an existing list, click Manage. The Configure GUI Customization Objects dialog box appears.
  • Page 149 The Add Bookmark List dialog box appears. Step 3 In the URL List Name field, specify a name for the list of bookmarks you are creating. This is used as the title for your VPN portal page.
  • Page 150 Step 5 of the SSL VPN Wizard. Step 10 Choose the name of the bookmark list for this VPN group from the Bookmark List drop-down list. Step 11 Click Next to continue.
  • Page 151: Verifying the Configuration

    Save. Alternatively, ASDM prompts you to save the configuration changes permanently when you exit ASDM. If you do not save the configuration changes, the old configuration takes effect the next time the device starts.
  • Page 152: What to Do Next

    Chapter 9, “Scenario: IPsec Remote-Access VPN Configuration”
    Configure an AnyConnect VPN: Chapter 10, “Scenario: Configuring Connections for a Cisco AnyConnect VPN Client”
    Configure a site-to-site VPN: Chapter 12, “Scenario: Site-to-Site VPN Configuration”
  • Page 153: Scenario: Site-to-Site VPN Configuration

      • Configuring the Other Side of the VPN Connection, page 12-12
      • What to Do Next, page 12-13
    Example Site-to-Site VPN Network Topology: Figure 12-1 shows an example VPN tunnel between two adaptive security appliances.
  • Page 154: Implementing the Site-to-Site Scenario

    VPN deployment, using example parameters from the remote-access scenario shown in Figure 12-1. This section includes the following topics:
      • Information to Have Available, page 12-3
      • Configuring the Site-to-Site VPN, page 12-3
  • Page 155: Information to Have Available

    The following sections provide detailed instructions for how to perform each configuration step. Configuring the Security Appliance at the Local Site: Note The adaptive security appliance at the first site is referred to as Security Appliance 1 in this scenario.
  • Page 156 VPN concentrators, or other devices that support site-to-site IPsec connectivity. From the VPN tunnel Interface drop-down list, choose Outside as the enabled interface for the current VPN tunnel.
  • Page 157 • To use a static preshared key for authentication, click the Pre-Shared Key radio button and enter a preshared key (for example, “Cisco”). This key is used for IPsec negotiations between the adaptive security appliances. Note When using preshared key authentication, the Tunnel Group Name must be the IP address of the peer.
  • Page 158 In Step 3 of the VPN Wizard, perform the following steps: Step 1 Click the Encryption (DES/3DES/AES), authentication algorithms (MD5/SHA), and the Diffie-Hellman group (1/2/5) used by the adaptive security appliance during an IKE security association.
  • Page 159 Security Appliance 1. Encryption mismatches are a common cause of VPN tunnel failures and can slow down the process. Step 2 Click Next to continue.
  • Page 160 PFS is a cryptographic concept where each new key is unrelated to any previous key. In IPsec negotiations, Phase 2 keys are based on Phase 1 keys unless PFS is enabled. PFS uses Diffie-Hellman techniques to generate the keys.
  • Page 161: Specifying Hosts and Networks

    (...) button to select from a list of hosts and networks. Step 2 Enter the IP address of remote networks to be protected or not protected, or click the ellipsis (...) button to select from a list of hosts and networks.
  • Page 162: Viewing VPN Attributes and Completing the Wizard

    Step 4 Click Next to continue. Viewing VPN Attributes and Completing the Wizard: In Step 6 of the VPN Wizard, review the configuration list for the VPN tunnel you just created.
  • Page 163 ASDM. If you do not save the configuration changes, the old configuration takes effect the next time the device starts. This concludes the configuration process for Security Appliance 1.
  • Page 164: Configuring the Other Side of the VPN Connection

    For information about verifying or troubleshooting the configuration for the Site-to-Site VPN, see the section “Troubleshooting the Security Appliance” in the Cisco ASA 5500 Series Configuration Guide using the CLI. For specific troubleshooting issues, see the Troubleshooting Technotes at the following location: http://www.cisco.com/en/US/products/ps6120/prod_tech_notes_list.html...
  • Page 165: What to Do Next

      • debug crypto isakmp sa
    See also the Cisco ASA 5500 Series Command Reference for detailed information about each of these commands.
    What to Do Next: If you are deploying the adaptive security appliance only in a site-to-site VPN environment, then you have completed the initial configuration.
  • Page 166 Chapter 12 Scenario: Site-to-Site VPN Configuration, What to Do Next
  • Page 167: Chapter 13 Configuring the AIP SSM

    AIP SSM. • Session in to the AIP SSM and run setup. Note The AIP SSM is supported in the Cisco ASA 5500 series software versions 7.0(1) and later. You can install the AIP SSM into an ASA 5500 series adaptive security appliance.
  • Page 168: Understanding the AIP SSM

    AIP SSM in inline mode. In this example, the AIP SSM automatically blocks traffic that it identified as an attack. All other traffic is forwarded through the adaptive security appliance.
  • Page 169: Operating Modes

    Figure 13-2 shows the AIP SSM in promiscuous mode. In this example, the AIP SSM sends a shun message to the adaptive security appliance for traffic it identified as a threat.
  • Page 170: Using Virtual Sensors

    Figure 13-3 shows one security context paired with one virtual sensor (in inline mode), while two security contexts share the same virtual sensor.
  • Page 171 (in inline mode); each defined traffic flow goes to a different sensor. [Figure 13-4 Single Mode Security Appliance with Multiple Virtual Sensors; figure labels: Security Appliance, Main System, Traffic 1, Traffic 2, Traffic 3, three Sensors, AIP SSM.]
  • Page 172: Configuring the AIP SSM

    To begin configuring the AIP SSM, session to the AIP SSM from the adaptive security appliance. (You can alternatively connect directly to the AIP SSM management interface using SSH or Telnet.)
  • Page 173 Opening command session with slot 1. Connected to slot 1. Escape character sequence is 'CTRL-^X'. Step 2 Enter the username and password. The default username and password is “cisco.” Note The first time you log in to the AIP SSM, you are prompted to change the default password.
  • Page 174: Configuring the Security Policy on the AIP SSM

    Because the IPS software that runs on the AIP SSM is beyond the scope of this document, detailed configuration information is available in the following documents:
      • Configuring the Cisco Intrusion Prevention System Sensor Using the Command Line Interface
      • Command Reference for Cisco Intrusion Prevention System ...
  • Page 175: Assigning Virtual Sensors to Security Contexts

    All available sensors are listed. You can also enter the show ips command. In the system execution space, the show ips command lists all available sensors; if you enter it in the context, it shows the sensors you already ...
  • Page 176 In context A, sensor1 is set as the default sensor, but in context B, no default is set so the default that is configured on the AIP SSM is used.
      hostname(config-ctx)# context A
      hostname(config-ctx)# allocate-interface gigabitethernet0/0.100 int1
      hostname(config-ctx)# allocate-interface gigabitethernet0/0.102 int2
  • Page 177: Diverting Traffic to the AIP SSM

    IPS
      hostname(config-cmap)# match any
    To match specific traffic, you can match an access list:
      hostname(config)# access-list IPS extended permit ip any 10.1.1.1 255.255.255.255
      hostname(config)# class-map IPS
      hostname(config-cmap)# match access-list IPS
  • Page 178 (Optional) Step 4 To divert another class of traffic to the AIP SSM, and set the IPS policy, enter the following commands:
      hostname(config-pmap-c)# class class_map_name2
      hostname(config-pmap-c)# ips {inline | promiscuous} {fail-close | fail-open} [sensor sensor_name]
  • Page 179 AIP SSM card fails for any reason. For the my-ips-class traffic, sensor1 is used; for the my-ips-class2 traffic, sensor2 is used.
      hostname(config)# access-list my-ips-acl permit ip any 10.1.1.0 255.255.255.0
    ...
  • Page 180: What to Do Next

    Prevention System Sensor Using the Command Line Interface
    Optimize performance for the AIP SSM and CSC SSM by creating more efficient service policies: Cisco ASA 5500 Series Configuration Guide using the CLI
  • Page 181 Connections for a Cisco AnyConnect VPN Client”
    Configure SSL connections for browser-based remote access: Chapter 11, “Scenario: SSL VPN Clientless Connections”
    Configure a site-to-site VPN: Chapter 12, “Scenario: Site-to-Site VPN Configuration”
  • Page 182 Chapter 13 Configuring the AIP SSM, What to Do Next
  • Page 183: Chapter 14 Configuring the CSC SSM

    FTP, HTTP, POP3, and SMTP traffic that the adaptive security appliance diverts to it. Note The CSC SSM requires the Cisco ASA 5500 series software Version 7.1(1) or later.
  • Page 184: About Deploying the Adaptive Security Appliance with the CSC SSM

    GUI for the CSC SSM by clicking links within ASDM. This chapter describes how to configure the adaptive security appliance for the deployment. Use of the CSC SSM GUI is explained in the Cisco Content Security and Control SSM Administrator Guide.
  • Page 185 If the content is suspicious, the CSC SSM blocks the content and reports the event. If the content is not suspicious, the CSC SSM forwards the requested content back to the adaptive security appliance for routing.
  • Page 186: Scenario: Security Appliance with CSC SSM Deployed for Content Security

    [Figure: CSC SSM Deployment Scenario. Figure labels: Adaptive Security Appliance (Main System, CSC SSM, inside, outside, management port, SSM management port), Trend Micro Update Server, HTTP Proxy, Internet, ASDM, Syslog, Notifications, SMTP Server; addresses shown: 192.168.100.1, 10.6.13.67, 192.168.50.1, 192.168.50.38.]
  • Page 187: Configuration Requirements

    • The SSM management port must be able to connect to the Internet so that the CSC SSM can reach the Trend Micro update server.
  • Page 188: Configuring the CSC SSM for Content Security

    Using ASDM, configure the adaptive security appliance to divert traffic to the CSC SSM for scanning. These steps are described in detail in the sections that follow. This section includes the following topics:
      • Obtain Software Activation Key from Cisco.com, page 14-6
      • Gather Information, page 14-7 ...
  • Page 189: Gather Information

    Verify the accuracy of the adaptive security appliance time settings, including the time zone. Time accuracy is important for logging security events, for automatic updates of the content filter lists on the CSC SSM, and for licensing, because licenses are time sensitive.
  • Page 190: Run the CSC Setup Wizard

    Step 2 In Step 1 of the CSC Setup Wizard, enter the product activation codes for the Base license and, if applicable, for the Plus license. You can enter the activation code for the Plus license after the initial configuration of the CSC SSM.
  • Page 191 Step 4 In Step 2 of the CSC Setup Wizard, enter the following information:
      • IP address, network mask, and gateway IP address for the CSC management interface
      • IP address for the Primary DNS server
  • Page 192
      • (Optional) IP address and proxy port of the HTTP proxy server (only if your network uses an HTTP proxy server to send HTTP requests to the Internet)
    Step 5 Click Next.
  • Page 193 Note Anti-spam policies are applied only to e-mail traffic entering this domain.
      • Administrator e-mail address, e-mail server IP address, and port to be used for notifications.
    Step 7 Click Next.
  • Page 194
      • To enter a new host and network combination of settings, click Add.
      • To remove an existing host and network combination, choose one from the Selected Hosts/Networks list, and click Delete.
    Step 9 Click Next.
  • Page 195 Step 10 In Step 5 of the CSC Setup Wizard, enter the following information:
      • The default factory configuration password, “cisco.”
      • A new password for management access.
      • Confirmation of the new password.
    Step 11 Click Next.
  • Page 196 Step 12 In Step 6 of the CSC Setup Wizard, define traffic selections for CSC scanning. Click Add. The Specify Traffic for CSC Scan dialog box appears.
  • Page 197 Traffic Selection for CSC Scan screen.
      • To discard these settings and return to the Traffic Selection for CSC Scan screen, click Cancel. If you click Cancel, ASDM displays a dialog box to confirm your decision.
  • Page 198 Step 23 If you are satisfied with these settings, click Finish. To make changes, click Back until you reach the screen whose settings you want to modify. An informational message appears, indicating that the CSC SSM is active.
  • Page 199: What to Do Next

    Cisco Content Security and Control SSM Administrator Guide. What to Do Next: You are now ready to configure the Trend Micro Interscan for Cisco CSC SSM software. Use the following documents to continue configuring the adaptive security appliance for your implementation.
  • Page 200 Connections for a Cisco AnyConnect VPN Client”
    Configure SSL connections for browser-based remote access: Chapter 11, “Scenario: SSL VPN Clientless Connections”
    Configure a site-to-site VPN: Chapter 12, “Scenario: Site-to-Site VPN Configuration”
  • Page 201: Chapter 15 Configuring the 4GE SSM for Fiber

    SFP (Small Form-Factor Pluggable) fiber or RJ-45. You can mix the copper and fiber ports using the same 4GE SSM card. Note The 4GE SSM requires the Cisco ASA 5500 series software Version 7.1(1) or later.
  • Page 202: Cabling 4GE SSM Interfaces

    SFP module is locked into the port. Remove the optical port plugs from the installed SFP. Locate the LC connector (fiber optic cable) in the 4GE SSM accessory kit. Connect the LC connector to the SFP port.
  • Page 203: Setting the 4GE SSM Media Type for Fiber Interfaces (Optional)

    (Ethernet) to Fiber Connector. Note Because the default media type setting is Ethernet, you do not need to change the media type setting for Ethernet interfaces you use.
  • Page 204 Step 7 You can also set the media type from the command line. For more information, see “Configuring Ethernet Settings and Subinterfaces” in the Cisco ASA 5500 Series Configuration Guide using the CLI.
  • Page 205: What to Do Next

    Guide using the CLI
    Learn about daily operations: Cisco ASA 5500 Series Command Reference; Cisco ASA 5500 Series System Log Messages
    Review hardware maintenance and troubleshooting information: Cisco ASA 5500 Series Hardware Installation Guide
  • Page 206 Chapter 15 Configuring the 4GE SSM for Fiber, What to Do Next
  • Page 207: Appendix

    (SSH, ASDM, and so on), site-to-site VPN, and remote access VPN. You need an encryption license key to enable this license. If you are a registered user of Cisco.com and would like to obtain a 3DES/AES encryption license, go to the following website: http://www.cisco.com/go/license...
  • Page 208
      Step 4 Exits global configuration mode: hostname(config)# exit
      Step 5 Saves the configuration: hostname# copy running-config startup-config
      Step 6 Reboots the adaptive security appliance and reloads the configuration: hostname# reload
