Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
For the Cisco ASA 5510, ASA 5520, and ASA
CONTENTS
Installing Optional SSMs
Ports and LEDs
Before You Begin
Scenario: DMZ Configuration
Configuring the Other Side of the VPN Connection
Configuring Client Attributes
Implementing the Site-to-Site Scenario
Run the CSC Setup Wizard
Configuration Requirements
Configuring the 4GE SSM for Fiber
What to Do Next
Install the chassis
Before You Begin
Chapter 2, “Installing the Cisco ASA
Chapter 4, “Connecting Interface
Configuration”
Configure the adaptive security appliance for
Remote-Access VPN Configuration”
VPN Configuration”
To Do This (continued)
ASA 5500 with CSC SSM
To Do This
Install the chassis
ASA 5500 with 4GE SSM
Chapter 2, “Installing the Cisco ASA
Install the 4GE SSM
• Verifying the Package Contents
Installing the Cisco ASA
• Installing the Chassis
CHAPTER
Figure 2-1 Contents of ASA 5500 Package
Verifying the Package Contents
Installing the Chassis
Figure 2-2 Installing the Right and Left Brackets
Rack-Mounting the Chassis
Figure 2-3 Rack-Mounting the Chassis
Ports and LEDs
State
Color
Description
Management Port1
Color
Indicator
Description
Chapter 3, “Installing Optional SSMs”
What to Do Next
Chapter 4, “Connecting Interface
Chapter 2 Installing the Cisco ASA
What to Do Next
78-17611-01
Cisco 4GE SSM
Installing Optional SSMs
• Installing the Cisco 4GE SSM
Installing the SFP Modules
Color
4GE SSM Components
State
Description
Color
Installing the Cisco 4GE SSM
State
Description
• Installing the SFP Module
Installing the SFP Modules
• SFP Module
SFP Module
Type of Connection
Cisco Part Number
Installing the SFP Module
Optical port plug
DRAM
Cisco AIP SSM and CSC SSM
Installing an SSM
Color
State
What to Do Next
Figure 3-6 Removing the Screws from the Slot Cover
Figure 3-7 Inserting the SSM into the Slot
• Connecting Cables to Interfaces
Connecting Interface Cables
CHAPTER
• What to Do Next
Connecting Cables to Interfaces
Chapter 4 Connecting Interface Cables
Figure 4-1 Connecting to the Management Port
Connecting Cables to Interfaces
b. Console port
c. Auxiliary port
d. Cisco 4GE SSM Ethernet port
• SFP modules
LC connector
Figure 4-7 Connecting to the Management Port
Connecting Cables to Interfaces
f. Ethernet ports
What to Do Next
About the Factory-Default Configuration
Configuring the Adaptive Security Appliance
• About the Factory-Default Configuration
• Using the Startup Wizard
About the Adaptive Security Device Manager
Before Launching the Startup Wizard
Using the Startup Wizard
Chapter 7, “Scenario: Remote-Access
Configuration”
VPN Configuration”
VPN Configuration”
Chapter 10, “Configuring the CSC
Chapter 9, “Configuring the AIP SSM”
To Do This
SSM”
Example DMZ Network Topology
Scenario: DMZ Configuration
CHAPTER
Example DMZ Network Topology
Network Layout for DMZ Configuration Scenario
Security
Incoming request
• Configuration Requirements
Configuration Requirements
• Starting ASDM
Starting ASDM
Creating IP Pools for Network Address Translation
a. In the Features pane, click NAT
d. From the Interfaces drop-down list, choose DMZ
b. Under the Global Pools tab, click Add
g. Click OK
Step 4 Click Apply in the main ASDM window
Step 2 In the Features pane, click NAT
c. Click OK to add the Dynamic NAT Rule and return to the Configuration > NAT window
Step 2 In the Features pane, click NAT
a. From the Interface drop-down list, choose Outside
Step 1 In the ASDM window
Step 2 In the Interface and Action area
Step 4 In the Destination area
d. Click OK
Step 7 Click Apply to save the configuration changes to the configuration that the adaptive security appliance is currently running
What to Do Next
Refine configuration and configure
To Do This
VPN Configuration”
Chapter 7, “Scenario: Remote-Access
VPN Configuration”
Chapter 6 Scenario: DMZ Configuration
What to Do Next
Example IPsec Remote-Access VPN Network Topology
Scenario: Remote-Access VPN Configuration
CHAPTER
• What to Do Next
• Information to Have Available
Implementing the IPsec Remote-Access VPN Scenario
• Starting ASDM
• Selecting VPN Client Types
• Specifying a User Authentication Method
Information to Have Available
• Optional Configuring User Accounts
• Configuring Address Pools
The Main ASDM window appears
Starting ASDM
a. Click the Remote Access VPN radio button
Selecting VPN Client Types
Specifying a User Authentication Method
Step 3 Click Next to continue
Optional Configuring User Accounts
Configuring Address Pools
Configuring Client Attributes
Configuring the IKE Policy
Step 2 Click Next to continue
Step 2 Click Next to continue
Verifying the Remote-Access VPN Configuration
What to Do Next
If you are satisfied with the configuration, click Finish to apply the changes to the adaptive security appliance
To Do This
VPN Configuration”
Configuration”
To Do This
Chapter 6, “Scenario: DMZ
What to Do Next
Example Site-to-Site VPN Network Topology
Scenario: Site-to-Site VPN Configuration
CHAPTER
Example Site-to-Site VPN Network Topology
• Configuring the Site-to-Site VPN
Implementing the Site-to-Site Scenario
Information to Have Available
• Information to Have Available
Starting ASDM
Configuring the Site-to-Site VPN
• Configuring the IKE Policy
• Starting ASDM
a. Click the Site-to-Site VPN radio button
Providing Information About the Remote VPN Peer
Configuring the IKE Policy
Step 2 Click Next to continue
Step 2 Click Next to continue
Specifying Hosts and Networks
Viewing VPN Attributes and Completing the Wizard
If you want the configuration changes to be saved to the startup configuration so that they are applied the next time the device starts, from the File menu, click Save
Chapter 8 Scenario: Site-to-Site VPN Configuration
Configuring the Other Side of the VPN Connection
What to Do Next
Chapter 7, “Scenario: Remote-Access
Configuration”
VPN Configuration”
To Do This
AIP SSM Configuration
Configuring the AIP SSM
• AIP SSM Configuration
CHAPTER
• Overview of Configuration Process
Overview of Configuration Process
hostname(config-cmap)# match access-list acl-name
interface interface_ID
hostname(config)#
cisco
Sessioning to the AIP SSM and Running Setup
AIP SSM
What to Do Next
Configure the IPS sensor
To Do This
Chapter 7, “Scenario: Remote-Access
Configuration”
VPN Configuration”
VPN Configuration”
About the CSC SSM
Configuring the CSC SSM
CHAPTER
• About the CSC SSM
About Deploying the Security Appliance with the
CSC SSM
1. The client initiates a request
Chapter 10 Configuring the CSC SSM
Figure 10-2 CSC SSM Deployment Scenario
Configuration Requirements
Configuring the CSC SSM for Content Security
Gather Information
Obtain Software Activation Key from Cisco.com
Launch ASDM
Verify Time Settings
Run the CSC Setup Wizard
• IP address for the Primary DNS server
Step 8 Click Next
Step 10 Click Next
Step 12 Click Next
The Add Service Policy Rule appears
Step 5 Click Next. The Traffic Classification Criteria page appears
Step 8 In the Service Policy Rule Wizard, click the CSC Scan tab
Step 10 Click Finish
Step 11 Click Apply
then click the Trend Micro Content
Configuration or Monitoring tab
What to Do Next
To Do This
Chapter 7, “Scenario: Remote-Access
Configuration”
VPN Configuration”
VPN Configuration”
What to Do Next
CHAPTER
Configuring the 4GE SSM for Fiber
• Cabling 4GE SSM Interfaces
• What to Do Next
Cabling 4GE SSM Interfaces
LC connector
Note Because the default media type setting is Ethernet, you do not need to change the media type setting for Ethernet interfaces you use
To Do This
What to Do Next
Chapter 11 Configuring the 4GE SSM for Fiber
What to Do Next
CHAPTER A
Obtaining a DES License or a 3DES-AES License
Purpose
Command
replacing the activation-4-tuple-key
activation-5-tuple-key variable is a