Cisco ASA 5550 Series Getting Started Manual


Cisco ASA 5550
Getting Started Guide
Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
     800 553-NETS (6387)
Fax: 408 526-4100
Customer Order Number: DOC-7817644=
Text Part Number: 78-17644-01


Summary of Contents for Cisco ASA 5550 Series

  • Page 2 CCSP, CCVP, the Cisco Square Bridge logo, Follow Me Browsing, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Access Registrar, Aironet, BPX, Catalyst, CCDA, CCDP,...
  • Page 3: Table Of Contents

    Chapter 2: Embedded Network Interfaces; Balancing Traffic to Maximize Throughput; What to Do Next. Chapter 3: Installing the Cisco ASA 5550 Security Appliance; Verifying the Package Contents; Installing the Chassis...
  • Page 4 Chapter 7: Example IPsec Remote-Access VPN Network Topology; Implementing the IPsec Remote-Access VPN Scenario; Information to Have Available; Starting ASDM; Configuring the ASA 5550 for an IPsec Remote-Access VPN. Cisco ASA 5550 Getting Started Guide 78-17644-01...
  • Page 5 Viewing VPN Attributes and Completing the Wizard, 8-11; Configuring the Other Side of the VPN Connection, 8-13; What to Do Next, 8-13. Appendix: Obtaining a DES License or a 3DES-AES License...
  • Page 6 Contents (continued)
  • Page 7: Before You Begin

    Use the following table to find the installation and configuration steps that are required for your implementation of the adaptive security appliance. To do this: Install the chassis, see Chapter 3, “Installing the Cisco ASA 5550 Security Appliance”. Connect cables to network interfaces, see Chapter 4, “Connecting Cables to Network Interfaces”...
  • Page 8: Chapter 1 Before You Begin

    Chapter 1 Before You Begin (continued)
  • Page 9 Chapter 2 Maximizing Throughput on the ASA 5550 Adaptive Security Appliance. The Cisco ASA 5550 Series Security Appliance is designed to deliver maximum throughput when configured according to the guidelines described in this chapter. This chapter includes the following sections: Embedded Network Interfaces, page 2-1...
  • Page 10 To achieve this, lay out the network so that all traffic flows through both Bus 0 (Slot 0) and Bus 1 (Slot 1), entering through one bus and exiting through the other.
  • Page 11: Chapter 2 Maximizing Throughput On The Asa 5550 Adaptive Security Appliance

    Figure 2-3 Traffic Evenly Distributed for Maximum Throughput (Copper to Fiber). [Figure: maximum throughput, with incoming and outgoing traffic on both Slot 0 and Slot 1.]
  • Page 12: Balancing Traffic To Maximize Throughput

    [Figures: Slot 0 and Slot 1 port LEDs (LINK, SPD) with incoming and outgoing traffic.]
  • Page 13 You can use the show traffic command to see the traffic throughput over each bus. Note: For more information about using the command, see the Cisco Security Appliance Command Reference. What to Do Next: Continue with Chapter 3, “Installing the Cisco ASA 5550 Security Appliance.”...
  • Page 14 Chapter 2 Maximizing Throughput on the ASA 5550 Adaptive Security Appliance, What to Do Next (continued)
  • Page 15 Caution: Read the safety warnings in the Regulatory Compliance and Safety Information for the Cisco ASA 5500 Series and follow proper safety procedures when performing these steps. This chapter describes the ASA 5550 adaptive security appliance and rack-mount and installation procedures for the adaptive security appliance.
  • Page 16: C H A P T E R 3 Installing The Cisco Asa 5550 Security Appliance

    Verifying the Package Contents Verify the contents of the packing box, shown in Figure 3-1, to ensure that you have received all items necessary to install the Cisco ASA 5550. Figure 3-1 Contents of ASA 5550 Package Cisco ASA 5550 adaptive...
  • Page 17 Installing the Chassis. This section describes how to rack-mount and install the adaptive security appliance. You can mount the adaptive security appliance in a 19-inch rack (with a 17.5- or 17.75-inch opening).
  • Page 18: Installing The Chassis

    Rack-Mounting the Chassis. To rack-mount the chassis, perform the following steps: Step 1 Attach the rack-mount brackets to the chassis using the supplied screws. Attach the brackets to the holes as shown in Figure 3-2.
  • Page 19: Rack-Mounting The Chassis

    Figure 3-3 Rack-Mounting the Chassis. [Figure: the chassis front panel (Cisco ASA 5550 Series Adaptive Security Appliance, with POWER, STATUS and ACTIVE LEDs) being mounted in the rack.]
  • Page 20: Installing Sfp Modules

    SFP Module. The SFP (Small Form-Factor Pluggable) module is a hot-swappable input/output device that plugs into the fiber ports. Note: If you install an SFP module after the switch has powered on, you must reload the adaptive security appliance to enable the SFP module.
  • Page 21: Sfp Module

    Use only Cisco-certified SFP modules on the adaptive security appliance. Each SFP module has an internal serial EEPROM that is encoded with security information. This encoding provides a way for Cisco to identify and validate that the SFP module meets the requirements for the adaptive security appliance.
  • Page 22: Installing An Sfp Module

    Figure 3-4 Installing an SFP Module. [Figure: port plug, SFP module, port slot.] Caution: Do not remove the port plugs from the SFP module until you are ready to connect the cables.
  • Page 23: Front Panel Leds

    Ports and LEDs. This section describes the front and rear panels. Figure 3-5 shows the front panel LEDs. This section includes the following topics: Front Panel LEDs, page 3-9...
  • Page 24: Ports And Leds

    3. GigabitEthernet interfaces, from right to left, GigabitEthernet 0/0, GigabitEthernet 0/1, GigabitEthernet 0/2, and GigabitEthernet 0/3. For more information on the Management Port, see the management-only command in the Cisco Security Appliance Command Reference.
  • Page 25 Figure 3-7 shows the adaptive security appliance rear panel LEDs. Figure 3-7 Rear Panel Link and Speed Indicator LEDs. [Figure: LNK and SPD LEDs for each port, and the MGMT indicator LEDs.]...
  • Page 26: Ports And Leds In Slot 1

    Ports and LEDs in Slot 1. Figure 3-8 illustrates the ports and LEDs in Slot 1. Figure 3-8 Ports and LEDs in Slot 1 (Cisco SSM-4GE copper Ethernet ports)...
  • Page 27 Table 3-4 LEDs on Bus G1 (continued), columns Color, State, Description. LED 3, 8 (SPEED): state 10 MB, there is no network activity; state 100 MB, color Green, there is network activity at 100 Mbps.
  • Page 28 Chapter 3 Installing the Cisco ASA 5550 Security Appliance, What to Do Next (continued)
  • Page 29: Connecting Interface Cables

    To connect cables to the network interfaces, perform the following steps: Step 1 Place the chassis on a flat, stable surface, or in a rack (if you are rack-mounting it). Step 2 Connect to the Management port.
  • Page 30: C H A P T E R 4 Connecting Cables To Network Interfaces

    You can also disable management-only mode on the management interface. For more information about this command, see the management-only command in the Cisco Security Appliance Command Reference. Locate an Ethernet cable, which has an RJ-45 connector on each end.
  • Page 31 DB-9 connector on the other end for the serial port on your computer. Connect the RJ-45 connector of the cable to the Auxiliary port (labeled AUX) on the adaptive security appliance, as shown in Figure 4-3.
  • Page 32 Note: You must use a port in Slot 0 for the inside interface, and a port in Slot 1 for the outside interface. Connect one end of an Ethernet cable to a copper Ethernet port, as shown in Figure 4-4 and Figure 4-5.
  • Page 33 [Figure: copper Ethernet ports, RJ-45 connector.] Figure 4-5 Connecting to a Copper Ethernet Interface in Slot 1. [Figure: Cisco SSM-4GE copper Ethernet ports (LNK, SPD LEDs), RJ-45 connector.]
  • Page 34 Remove the port plug from the installed SFP as shown in Figure 4-6. Figure 4-6 Removing the Fiber Port Plug (port plug, SFP module). Connect the LC connector to the SFP module as shown in Figure 4-7.
  • Page 35 Step 7 Connect the power cord to the adaptive security appliance and plug the other end into the power source. Step 8 Power on the chassis. What to Do Next: Continue with Chapter 5, “Configuring the Adaptive Security Appliance.”
  • Page 36 Chapter 4 Connecting Cables to Network Interfaces, What to Do Next (continued)
  • Page 37: Configuring The Adaptive Security Appliance

    This chapter describes the initial configuration of the adaptive security appliance. You can perform the configuration steps using either the browser-based Cisco Adaptive Security Device Manager (ASDM) or the command-line interface (CLI). However, the procedures in this chapter refer to the method using ASDM.
  • Page 38: About The Factory-Default Configuration

    About the Factory-Default Configuration. Cisco adaptive security appliances are shipped with a factory-default configuration that enables quick startup. The factory-default configuration automatically configures an interface for management so you can quickly connect to the device and use ASDM to complete your configuration.
  • Page 39: Using The Startup Wizard

    In addition to the ASDM web configuration tool, you can configure the adaptive security appliance by using the command-line interface. For more information, see Cisco Security Appliance Command Line Configuration Guide and the Cisco Security Appliance Command Reference.
  • Page 40: Before Launching The Startup Wizard

    Connect the other end of the Ethernet cable to the Ethernet port on your computer or to your management network. If you connected to your management network, connect a PC for configuring the adaptive security appliance to your management network.
  • Page 41 ICMP traffic through the outside interface or any other interface that is necessary. You can configure this access control policy using the icmp command. For more information about the icmp command, see the Cisco Security Appliance Command Reference.
  • Page 42: Setting The Media Type For Fiber Interfaces

    Step 7 Repeat this procedure for each fiber interface. You can also set the media type from the command line. For more information, see Configuring Ethernet Settings and Subinterfaces in the Cisco Security Appliance Command Line Configuration Guide.
  • Page 43: What To Do Next

    ...DMZ web server, see Chapter 6, “Scenario: DMZ Configuration”. Configure the adaptive security appliance for remote-access VPN, see Chapter 7, “Scenario: Remote-Access VPN Configuration”. Configure the adaptive security appliance for site-to-site VPN, see Chapter 8, “Scenario: Site-to-Site VPN Configuration”.
  • Page 44 Chapter 5 Configuring the Adaptive Security Appliance, What to Do Next (continued)
  • Page 45: Scenario: Dmz Configuration

    Configuring the Security Appliance for a DMZ Deployment, page 6-4; What to Do Next, page 6-24. Example DMZ Network Topology: The example network topology shown in Figure 6-1 is typical of most DMZ implementations of the adaptive security appliance.
  • Page 46: Chapter 6 Scenario: Dmz Configuration

    IP address of the DMZ web server (209.165.200.226). Figure 6-2 shows the outgoing traffic flow of HTTP requests from the private network to both the DMZ web server and to the Internet.
  • Page 47 IP address of the adaptive security appliance. Outgoing traffic appears to come from this address. Figure 6-3 shows HTTP requests originating from the Internet and destined for the public IP address of the DMZ web server.
  • Page 48: Configuring The Security Appliance For A Dmz Deployment

    Configuring the Security Appliance for a DMZ Deployment. This section describes how to use ASDM to configure the adaptive security appliance for the configuration scenario shown in Figure 6-1. The procedure uses sample parameters based on the scenario.
  • Page 49: Configuration Requirements

    A pool of IP addresses for the DMZ interface. In this scenario, the IP pool is 10.30.30.50–10.30.30.60. A dynamic NAT translation rule for the inside interface that specifies which client IP addresses can be assigned an address from the IP pool.
  • Page 50: Starting Asdm

    Note: Remember to add the “s” in “https” or the connection fails. HTTPS (HTTP over SSL) provides a secure connection between your browser and the adaptive security appliance. The Main ASDM window appears.
  • Page 51: Creating Ip Pools For Network Address Translation

    DMZ interface and outside interface can use for address translation. A single IP pool can contain both NAT and PAT entries, and it can contain entries for more than one interface.
  • Page 52 Click Add to create a new global pool for the DMZ interface. The Add Global Address Pool dialog box appears. Note: For most configurations, IP pools are added to the less secure, or public, interfaces.
  • Page 53 Enter the Starting IP address and Ending IP address of the range. In this scenario, the range of IP addresses is 10.30.30.50–10.30.30.60. (Optional) Enter the Netmask for the range of IP addresses.
  • Page 54 Specify a Pool ID for the Outside interface. You can add these addresses to the same IP pool that contains the address pool used by the DMZ interface (in this scenario, the Pool ID is 200).
  • Page 55 IP address of the outside interface. To the devices on the Internet, it appears that all traffic is coming from this one IP address. Click the Add button to add this new address to the IP pool. Click OK.
  • Page 56: Configuring Nat For Inside Clients To Communicate With The Dmz Web Server

    In the previous procedure, you created a pool of IP addresses that could be used by the adaptive security appliance to mask the private IP addresses of inside clients.
  • Page 57 Select the check box next to Global Pool ID. In this scenario, the IP pool ID is 200. In this scenario, the IP pool that we want to use is already created. If it was not already created, you would click Add to create a new IP pool.
  • Page 58 A translation rule between the inside and outside interfaces to be used when inside clients communicate with the Internet. ASDM is able to create both rules because the addresses to be used for translation are both in the same IP pool.
  • Page 59: Configuring Nat For Inside Clients To Communicate With Devices On The Internet

    In the previous procedure, you configured a Network Address Translation (NAT) rule that associates IP addresses from the IP pool with the inside clients so they can communicate securely with the DMZ web server.
  • Page 60: Configuring An External Identity For The Dmz Web Server

    From the Interface drop-down list, choose the DMZ interface. Enter the real IP address of the DMZ web server. In this scenario, the IP address is 10.30.30.30. From the Netmask drop-down list, choose the Netmask 255.255.255.255.
  • Page 61 Step 6 Click OK to add the rule and return to the list of Address Translation Rules. This rule maps the real web server IP address (10.30.30.30) statically to the public IP address of the web server (209.165.200.226).
  • Page 62: Providing Public Http Access To The Dmz Web Server

    You must create an access control rule on the adaptive security appliance to permit specific traffic types from the public network to resources in the DMZ. This access control rule specifies the interface of the adaptive security...
  • Page 63 Click the Configuration tool. In the Features pane, click Security Policy. Click the Access Rules tab, and then from the Add pull-down list, choose Add Access Rule. The Add Access Rule dialog box appears.
  • Page 64 Step 3 From the Type drop-down list, choose IP Address. Enter the IP address of the source host or source network. Use 0.0.0.0 to allow traffic originating from any host or network.
  • Page 65 Service drop-down list, and then choose Any from the next drop-down list. In the Destination Port area, click the Service radio button, choose “=” (equal to) from the Service drop-down list, and then choose HTTP/WWW from the next drop-down list.
  • Page 66 At this point, the entries in the Add Access Rule dialog box should be similar to the following: Click OK. Step 6 The displayed configuration should be similar to the following. Verify that the information you entered is accurate.
  • Page 67 The address translation (209.165.200.226 to 10.30.30.30) allows the traffic to be permitted. For information about creating the translation rule, see the “Configuring NAT for Inside Clients to Communicate with the DMZ Web Server” section on page 6-12.
  • Page 68: What To Do Next

    To do this: Configure a remote-access VPN, see Chapter 7, “Scenario: Remote-Access VPN Configuration”. Configure a site-to-site VPN, see Chapter 8, “Scenario: Site-to-Site VPN Configuration”.
  • Page 69: Scenario: Remote-Access Vpn Configuration

    Example IPsec Remote-Access VPN Network Topology. Figure 7-1 shows an adaptive security appliance configured to accept requests from and establish IPsec connections with VPN clients, such as a Cisco Easy VPN hardware client, over the Internet.
  • Page 70: Implementing The Ipsec Remote-Access Vpn Scenario

    This section includes the following topics: Information to Have Available, page 7-3; Starting ASDM, page 7-4; Configuring the ASA 5550 for an IPsec Remote-Access VPN, page 7-5; Selecting VPN Client Types, page 7-6; ...
  • Page 71: Information To Have Available

    IP addresses for the primary and secondary WINS servers; Default domain name; List of IP addresses for local hosts, groups, and networks that should be made accessible to authenticated remote clients
  • Page 72: Starting Asdm

    Note: Remember to add the “s” in “https” or the connection fails. HTTPS (HTTP over SSL) provides a secure connection between your browser and the adaptive security appliance. The Main ASDM window appears.
  • Page 73: Configuring The Asa 5550 For An Ipsec Remote-Access Vpn

    Step 2 In Step 1 of the VPN Wizard, perform the following steps: Click the Remote Access VPN radio button. From the drop-down list, choose Outside as the enabled interface for the incoming VPN tunnels. Click Next to continue.
  • Page 74: Selecting Vpn Client Types

    Step 1 Specify the type of VPN client that will enable remote users to connect to this adaptive security appliance. For this scenario, click the Cisco VPN Client radio button. You can also use any other Cisco Easy VPN remote product.
  • Page 75: Specifying The Vpn Tunnel Group Name And Authentication Method

    To use a static preshared key for authentication, click the Pre-Shared Key radio button and enter a preshared key (for example, “Cisco”). This key is used for IPsec negotiations between the adaptive security appliances. To use digital certificates for authentication, click the Certificate radio...
  • Page 76: Specifying A User Authentication Method

    Step 2 Enter a Tunnel Group Name (such as “Cisco”) for the set of users that use common connection parameters and client attributes to connect to this adaptive security appliance.
  • Page 77 Click the Authenticate Using an AAA Server Group radio button. Choose a preconfigured server group from the drop-down list, or click New to add a new server group. Step 3 Click Next to continue.
  • Page 78: (Optional) Configuring User Accounts

    In Step 5 of the VPN Wizard, perform the following steps: Step 1 To add a new user, enter a username and password, and then click Add. Step 2 When you have finished adding new users, click Next to continue.
  • Page 79: Configuring Address Pools

    Enter the Starting IP address and Ending IP address of the range. (Optional) Enter the Netmask for the range of IP addresses. Click OK to return to Step 6 of the VPN Wizard.
  • Page 80: Configuring Client Attributes

    Easy VPN hardware client when a connection is established. Ensure that you specify the correct values, or remote clients will not be able to use DNS names for resolution or use Windows networking.
  • Page 81: Configuring The Ike Policy

    IKE is a negotiation protocol that includes an encryption method to protect data and ensure privacy; it is also an authentication method to ensure the identity of the peers. In most cases, the ASDM default values are sufficient to establish secure VPN tunnels.
  • Page 82 Step 1 Click the Encryption (DES/3DES/AES), authentication algorithms (MD5/SHA), and the Diffie-Hellman group (1/2/5/7) used by the adaptive security appliance during an IKE security association. Step 2 Click Next to continue.
  • Page 83: Configuring Ipsec Encryption And Authentication Parameters

    Configuring IPsec Encryption and Authentication Parameters. In Step 9 of the VPN Wizard, perform the following steps: Step 1 Click the Encryption algorithm (DES/3DES/AES) and authentication algorithm (MD5/SHA). Step 2 Click Next to continue.
  • Page 84: Specifying Address Translation Exception And Split Tunneling

    Step 1 Specify hosts, groups, and networks that should be in the list of internal resources made accessible to authenticated remote users. To add or remove hosts, groups, and networks dynamically from the Selected Hosts/Networks pane, click Add or Delete, respectively.
  • Page 85: Verifying The Remote-Access Vpn Configuration

    In Step 11 of the VPN Wizard, review the configuration attributes for the VPN tunnel you just created. The displayed configuration should be similar to the following:
  • Page 86: What To Do Next

    ...Configuration and System Log Messages. You can configure the adaptive security appliance for more than one application. The following sections provide configuration procedures for other common applications of the adaptive security appliance.
  • Page 87 To do this: Configure the adaptive security appliance to protect a Web server in a DMZ, see Chapter 6, “Scenario: DMZ Configuration”. Configure a site-to-site VPN, see Chapter 8, “Scenario: Site-to-Site VPN Configuration”.
  • Page 88 Chapter 7 Scenario: Remote-Access VPN Configuration, What to Do Next (continued)
  • Page 89: Scenario: Site-To-Site Vpn Configuration

    Configuring the Other Side of the VPN Connection, page 8-13; What to Do Next, page 8-13. Example Site-to-Site VPN Network Topology: Figure 8-1 shows an example VPN tunnel between two adaptive security appliances.
  • Page 90: Implementing The Site-To-Site Scenario

    IP addresses of local hosts and networks permitted to use the tunnel to communicate with resources on the remote site; IP addresses of remote hosts and networks permitted to use the tunnel to communicate with local resources
  • Page 91: Configuring The Site-To-Site Vpn

    Note: Remember to add the “s” in “https” or the connection fails. HTTPS (HTTP over SSL) provides a secure connection between your browser and the adaptive security appliance. The Main ASDM window appears.
  • Page 92 To configure the Security Appliance 1, perform the following steps: Step 1 In the main ASDM window, choose the VPN Wizard option from the Wizards drop-down menu. ASDM opens the first VPN Wizard screen.
  • Page 93 VPN concentrators, or other devices that support site-to-site IPsec connectivity. From the drop-down list, choose Outside as the enabled interface for the current VPN tunnel. Click Next to continue.
  • Page 94 To use a static preshared key for authentication, click the Pre-Shared Key radio button and enter a preshared key (for example, “Cisco”). This key is used for IPsec negotiations between the adaptive security appliances. Note: When you configure Security Appliance 2 at the remote site, the VPN peer is Security Appliance 1.
  • Page 95 In Step 3 of the VPN Wizard, perform the following steps: Step 1 Click the Encryption (DES/3DES/AES), authentication algorithms (MD5/SHA), and the Diffie-Hellman group (1/2/5) used by the adaptive security appliance during an IKE security association.
  • Page 96 Note: ...of the options that you chose for Security Appliance 1. Encryption mismatches are a common cause of VPN tunnel failures and can slow down the process. Step 2 Click Next to continue.
  • Page 97 Configuring IPsec Encryption and Authentication Parameters. In Step 4 of the VPN Wizard, perform the following steps: Step 1 Choose the Encryption algorithm (DES/3DES/AES) and authentication algorithm (MD5/SHA) from the drop-down lists. Step 2 Click Next to continue.
  • Page 98 Step 2 Enter the local IP address and netmask in the IP Address and Netmask fields. Step 3 In the Destination area, choose IP Address from the Type drop-down list. Step 4 Enter the IP address and Netmask for the remote host or network.
  • Page 99 In Step 6 of the VPN Wizard, review the configuration list for the VPN tunnel you just created. If you are satisfied with the configuration, click Finish to apply the changes to the adaptive security appliance.
  • Page 100 ASDM. If you do not save the configuration changes, the old configuration takes effect the next time the device starts. This concludes the configuration process for Security Appliance 1.
  • Page 101: Configuring The Other Side Of The Vpn Connection

    To do this: Refine configuration and configure optional and advanced features, see the Cisco Security Appliance Command Line Configuration Guide. Learn about daily operations, see the Cisco Security Appliance Command Reference and the Cisco Security Appliance Logging Configuration and System Log Messages.
  • Page 102 To do this: Configure the adaptive security appliance to protect a web server in a DMZ, see Chapter 6, “Scenario: DMZ Configuration”. Configure a remote-access VPN, see Chapter 7, “Scenario: Remote-Access VPN Configuration”.
  • Page 103: Obtaining A Des License Or A 3Des-Aes License

    If you ordered your adaptive security appliance with a DES or 3DES-AES license, the encryption license key comes with the adaptive security appliance. If you are a registered user of Cisco.com and would like to obtain a 3DES/AES encryption license, go to the following website: http://www.cisco.com/go/license...
  • Page 104 Step 4 hostname(config)# exit: Exits global configuration mode. Step 5 hostname# copy running-config startup-config: Saves the configuration. Step 6 hostname# reload: Reboots the adaptive security appliance and reloads the configuration.
