Cisco Systems ASA 5500 manual 78-17611-01

Page 59

Chapter 6 Scenario: DMZ Configuration

Configuring the Security Appliance for a DMZ Deployment

In this procedure, you configure a Network Address Translation (NAT) rule that associates IP addresses from this pool with the inside clients so they can communicate securely with the DMZ web server.

To configure NAT between the inside interface and the DMZ interface, perform the following steps starting from the main ASDM window:

Step 1 In the main ASDM window, click the Configuration tool.

Step 2 In the Features pane, click NAT.

Step 3 From the Add drop-down list, choose Add Dynamic NAT Rule.

The Add Dynamic NAT Rule dialog box appears.

Step 4 In the Real Address area, specify the IP address to be translated. For this scenario, address translation for inside clients is done according to the IP address of the subnet.

a. From the Interface drop-down list, choose the Inside interface.

b. Enter the IP address of the client or network. In this scenario, the IP address of the network is 10.10.10.0.

c. From the Netmask drop-down list, choose the Netmask. In this scenario, the netmask is 255.255.255.0.

Step 5 In the Dynamic Translation area:

a. From the Interface drop-down list, choose the DMZ interface.

b. To specify the address pool to be used for this Dynamic NAT rule, check the Select check box next to Global Pool ID. In this scenario, the IP pool ID is 200.

In this scenario, the IP pool that we want to use is already created. If it was not already created, you would click Add to create a new IP pool.
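
On pre-8.3 ASA software, a dynamic NAT rule like the one built in the steps above appears in the running configuration as a `nat` statement on the real interface and a `global` statement on the mapped interface that share one ID. The following added example (not part of the Cisco guide) audits a saved configuration for that pairing; the interface names `inside` and `dmz`, the pool address range, and the extra ID 300 rule are assumptions constructed for the sample.

```python
import ipaddress
import re

# Constructed running-config excerpt in pre-8.3 ASA syntax. Only 10.10.10.0/24
# and pool ID 200 come from the scenario; the pool range and the ID 300 rule are
# made up (documentation addresses) to give the audit something to flag.
SAMPLE_CONFIG = """\
global (dmz) 200 192.0.2.50-192.0.2.60 netmask 255.255.255.0
nat (inside) 200 10.10.10.0 255.255.255.0
nat (inside) 300 10.10.20.0 255.255.255.0
nat (inside) 0 access-list NONAT
"""

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)")


def parse(config):
    """Return ([(ifc, nat_id, network)], {pool_id: {mapped interfaces}})."""
    nats, pools = [], {}
    for line in map(str.strip, config.splitlines()):
        m = NAT_RE.match(line)
        if m and m.group(3) != "access-list":  # skip ACL-based (policy/exempt) NAT
            ifc, nat_id, addr, mask = m.groups()
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            nats.append((ifc, int(nat_id), net))
        m = GLOBAL_RE.match(line)
        if m:
            pools.setdefault(int(m.group(2)), set()).add(m.group(1))
    return nats, pools


def audit(config, client_net, real_ifc, mapped_ifc, pool_id):
    """List problems with the dynamic NAT rule; an empty list means it is in place."""
    nats, pools = parse(config)
    want = ipaddress.ip_network(client_net)
    findings = []
    if not any(i == real_ifc and n == pool_id and want.subnet_of(net)
               for i, n, net in nats):
        findings.append(f"no nat ({real_ifc}) {pool_id} rule covers {want}")
    if mapped_ifc not in pools.get(pool_id, set()):
        findings.append(f"no global ({mapped_ifc}) pool with ID {pool_id}")
    # A nat rule whose ID matches no global statement has no pool to draw from.
    for i, n, net in nats:
        if n != 0 and n not in pools:
            findings.append(f"nat ({i}) {n} {net} has no global pool with ID {n}")
    return findings
```

Calling `audit(SAMPLE_CONFIG, "10.10.10.0/24", "inside", "dmz", 200)` confirms the scenario's rule is present and reports only the unpaired ID 300 rule.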

 

 

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide

ASA 5500 specifications

Cisco Systems ASA 5500 is a robust security appliance designed to provide advanced network security and protection against both internal and external threats. Ideal for organizations of various sizes, the ASA 5500 series offers a wide range of features that combine firewall capabilities with intrusion prevention, VPN support, and application control, among others.

One of the key features of the ASA 5500 is its stateful firewall technology. This allows the device to monitor active connections and enforce security policies based on the state of the traffic. By maintaining the context of network sessions, the firewall can make informed decisions on whether to allow or deny traffic based on established rules.

In addition to traditional firewall functionalities, the ASA 5500 series integrates advanced intrusion prevention capabilities. By analyzing traffic patterns and identifying known threats, the IPS functionality helps organizations defend against a variety of malicious activities, such as DDoS attacks, malware, and unauthorized access attempts. The ASA 5500 continuously updates its threat intelligence through Cisco's global threat database, enhancing its ability to detect emerging threats in real-time.

Virtual Private Network (VPN) support is another significant aspect of the ASA 5500 series. The device offers secure, encrypted connections for remote users and branch offices, ensuring safe access to corporate resources over the Internet. It supports both IPsec and SSL VPN protocols, allowing organizations to choose the best option for their specific needs. This capability is crucial for businesses that require a secure environment for remote work.

The ASA 5500 series also features extensive application control and visibility tools. These tools enable organizations to manage and control the applications running on their network, ensuring that only authorized applications can communicate through the firewall. This level of control helps to mitigate risks associated with unauthorized applications, which can lead to data breaches or reduced productivity.

Moreover, the ASA 5500 is designed with high availability and scalability in mind. Its clustering support ensures that multiple units can work together to provide redundancy and load balancing, enhancing both performance and reliability. This characteristic is especially important for organizations looking to maintain continuous operation during traffic spikes or hardware failures.

In summary, Cisco Systems ASA 5500 is an all-in-one security solution that combines stateful firewall protection, intrusion prevention, VPN capabilities, and application control. With its robust feature set and focus on security, it is well-suited for organizations seeking to protect their networks from an ever-evolving landscape of cyber threats. Whether for small businesses or large enterprises, the ASA 5500 provides the necessary tools to create a secure networking environment.