For the Cisco ASA 5510, ASA 5520, and ASA
Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
Ports and LEDs
Installing Optional SSMs
Contents
Before You Begin
Scenario DMZ Configuration
Configuring the Other Side of the VPN Connection
Configuring Client Attributes
Implementing the Site-to-Site Scenario
Configuring the 4GE SSM for Fiber
Configuration Requirements
Run the CSC Setup Wizard
What to Do Next
Chapter 2, “Installing the Cisco ASA
Before You Begin
Install the chassis
Chapter 4, “Connecting Interface
Remote-Access VPN Configuration”
Configure the adaptive security appliance for
Configuration”
VPN Configuration”
To Do This
ASA 5500 with CSC SSM
To Do This
Chapter 2, “Installing the Cisco ASA
ASA 5500 with 4GE SSM
Install the chassis
Install the 4GE SSM
• Installing the Chassis
Installing the Cisco ASA
• Verifying the Package Contents
Verifying the Package Contents
Figure 2-1 Contents of ASA 5500 Package
Installing the Chassis
Rack-Mounting the Chassis
Figure 2-2 Installing the Right and Left Brackets
Ports and LEDs
Figure 2-3 Rack-Mounting the Chassis
State
Color
Description
Management Port1
Color
Indicator
Description
Chapter 4, “Connecting Interface
What to Do Next
Chapter 3, “Installing Optional SSMs”
Chapter 2 Installing the Cisco ASA
78-17611-01
• Installing the Cisco 4GE SSM
Installing Optional SSMs
Cisco 4GE SSM
Installing the SFP Modules
State
4GE SSM Components
Color
Description
State
Installing the Cisco 4GE SSM
Color
Description
• Installing the SFP Module
Installing the SFP Modules
• SFP Module
Type of Connection
SFP Module
SFP Module
Cisco Part Number
Installing the SFP Module
Optical port plug
Cisco AIP SSM and CSC SSM
DRAM
Color
Installing an SSM
State
Figure 3-6 Removing the Screws from the Slot Cover
What to Do Next
Figure 3-7 Inserting the SSM into the Slot
Connecting Interface Cables
• Connecting Cables to Interfaces
• What to Do Next
Connecting Cables to Interfaces
Figure 4-1 Connecting to the Management Port
Chapter 4 Connecting Interface Cables
b. Console port
c. Auxiliary port
d. Cisco 4GE SSM Ethernet port
• SFP modules
LC connector
Figure 4-7 Connecting to the Management Port
f. Ethernet ports
What to Do Next
• About the Factory-Default Configuration
Configuring the Adaptive Security Appliance
About the Factory-Default Configuration
• Using the Startup Wizard
About the Adaptive Security Device Manager
Before Launching the Startup Wizard
Using the Startup Wizard
VPN Configuration”
Configuration”
Chapter 7, “Scenario: Remote-Access
VPN Configuration”
To Do This
Chapter 9, “Configuring the AIP SSM”
Chapter 10, “Configuring the CSC SSM”
Scenario: DMZ Configuration
Example DMZ Network Topology
Network Layout for DMZ Configuration Scenario
Security
Incoming request
• Configuration Requirements
Configuration Requirements
• Starting ASDM
Starting ASDM
Creating IP Pools for Network Address Translation
a. In the Features pane, click NAT
d. From the Interfaces drop-down list, choose DMZ
b. Under the Global Pools tab, click Add
g. Click OK
Step 4 Click Apply in the main ASDM window
Step 2 In the Features pane, click NAT
c. Click OK to add the Dynamic NAT Rule and return to the Configuration > NAT window
Step 2 In the Features pane, click NAT
a. From the Interface drop-down list, choose Outside
Step 1 In the ASDM window
Step 2 In the Interface and Action area
Step 4 In the Destination area
d. Click OK
Step 7 Click Apply to save the configuration changes to the configuration that the adaptive security appliance is currently running
To Do This
Refine configuration and configure
What to Do Next
VPN Configuration”
Chapter 7, “Scenario: Remote-Access
VPN Configuration”
Chapter 6 Scenario: DMZ Configuration
Scenario: Remote-Access VPN Configuration
Example IPsec Remote-Access VPN Network Topology
• What to Do Next
• Starting ASDM
Implementing the IPsec Remote-Access VPN Scenario
• Information to Have Available
• Selecting VPN Client Types
• Optional Configuring User Accounts
Information to Have Available
• Specifying a User Authentication Method
• Configuring Address Pools
Starting ASDM
The Main ASDM window appears
a. Click the Remote Access VPN radio button
Selecting VPN Client Types
Specifying a User Authentication Method
Step 3 Click Next to continue
Optional Configuring User Accounts
Configuring Address Pools
Configuring Client Attributes
Configuring the IKE Policy
Step 2 Click Next to continue
Step 2 Click Next to continue
Verifying the Remote-Access VPN Configuration
To Do This
If you are satisfied with the configuration, click Finish to apply the changes to the adaptive security appliance
What to Do Next
To Do This
Configuration”
VPN Configuration”
Chapter 6, “Scenario: DMZ
What to Do Next
Scenario: Site-to-Site VPN Configuration
Example Site-to-Site VPN Network Topology
Information to Have Available
Implementing the Site-to-Site Scenario
• Configuring the Site-to-Site VPN
• Information to Have Available
• Configuring the IKE Policy
Configuring the Site-to-Site VPN
Starting ASDM
• Starting ASDM
a. Click the Site-to-Site VPN radio button
Providing Information About the Remote VPN Peer
Configuring the IKE Policy
Step 2 Click Next to continue
Step 2 Click Next to continue
Specifying Hosts and Networks
Viewing VPN Attributes and Completing the Wizard
If you want the configuration changes to be saved to the startup configuration so that they are applied the next time the device starts, from the File menu, click Save
Configuring the Other Side of the VPN Connection
Chapter 8 Scenario Site-to-Site VPN Configuration
What to Do Next
VPN Configuration”
Configuration”
Chapter 7, “Scenario: Remote-Access
To Do This
• AIP SSM Configuration
Configuring the AIP SSM
AIP SSM Configuration
Overview of Configuration Process
• Overview of Configuration Process
hostname(config-cmap)# match access-list acl-name
hostname(config)#
interface interface_ID
Sessioning to the AIP SSM and Running Setup
cisco
AIP SSM
To Do This
Configure the IPS sensor
What to Do Next
To Do This
VPN Configuration”
Configuration”
Chapter 7, “Scenario Remote-Access
VPN Configuration”
Configuring the CSC SSM
About the CSC SSM
• About the CSC SSM
About Deploying the Security Appliance with the CSC SSM
1. The client initiates a request
Figure 10-2 CSC SSM Deployment Scenario
Chapter 10 Configuring the CSC SSM
Configuring the CSC SSM for Content Security
Configuration Requirements
Gather Information
Obtain Software Activation Key from Cisco.com
Launch ASDM
Verify Time Settings
Run the CSC Setup Wizard
• IP address for the Primary DNS server
Step 8 Click Next
Step 10 Click Next
Step 12 Click Next
The Add Service Policy Rule appears
Step 5 Click Next. The Traffic Classification Criteria page appears
Step 8 In the Service Policy Rule Wizard, click the CSC Scan tab
Step 10 Click Finish
Step 11 Click Apply
What to Do Next
Configuration or Monitoring tab
then click the Trend Micro Content
To Do This
VPN Configuration”
Configuration”
Chapter 7, “Scenario: Remote-Access
VPN Configuration”
What to Do Next
• Cabling 4GE SSM Interfaces
Configuring the 4GE SSM for Fiber
• What to Do Next
Cabling 4GE SSM Interfaces
LC connector
Note Because the default media type setting is Ethernet, you do not need to change the media type setting for Ethernet interfaces you use
To Do This
What to Do Next
Chapter 11 Configuring the 4GE SSM for Fiber
Obtaining a DES License or a 3DES-AES License
Chapter A
replacing the activation-4-tuple-key
Command
Purpose
activation-5-tuple-key variable is a