Manuals / Cisco Systems / Household Appliance / Home Security System

Cisco Systems ASA 5500 manual Specifying Hosts and Networks, 8-10

Models: ASA 5500

1 144

Download 144 pages 23.87 Kb

Page 102

Specifying Hosts and Networks

Chapter 8 Scenario: Site-to-Site VPN Configuration

Implementing the Site-to-Site Scenario

Specifying Hosts and Networks

Identify hosts and networks at the local site that are permitted to use this IPSec tunnel to communicate with the remote-site peer. Add or remove hosts and networks dynamically by clicking Add or Delete, respectively. In the current scenario, traffic from Network A (10.10.10.0) is encrypted by Security Appliance 1 and transmitted through the VPN tunnel.

In addition, identify hosts and networks at the remote site to be allowed to use this IPSec tunnel to access local hosts and networks. Add or remove hosts and networks dynamically by clicking Add or Delete respectively. In this scenario, for Security Appliance 1, the remote network is Network B (10.20.20.0), so traffic encrypted from this network is permitted through the tunnel.

In Step 5 of the VPN Wizard, perform the following steps:

Step 1 In the Source area, choose IP Address from the Type drop-down list.

Step 2 Enter the local IP address and netmask in the IP Address and Netmask fields.

Step 3 In the Destination area, choose IP Address from the Type drop-down list.

Step 4 Enter the IP address and Netmask for the remote host or network.

	Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
8-10	78-17611-01

Image 102

Cisco Systems ASA 5500 manual Specifying Hosts and Networks, 8-10

Contents

For the Cisco ASA 5510, ASA 5520, and ASA Cisco ASA 5500 Series AdaptiveSecurity Appliance Getting Started Guide Corporate HeadquartersTHE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS Ports and LEDs Installing Optional SSMsC O N T E N T S Before You BeginScenario DMZ Configuration Configuring Client Attributes Configuring the Other Side of the VPN ConnectionImplementing the Site-to-SiteScenario Configuring the 4GE SSM for Fiber Configuration RequirementsRun the CSC Setup Wizard What to Do NextChapter 2, “Installing the Cisco ASA Before You BeginInstall the chassis Chapter 4, “Connecting InterfaceRemote-AccessVPN Configuration” Configure the adaptive security appliance forConfiguration” VPN Configuration”To Do This ASA 5500 with CSC SSMTo Do This .... continued To Do ThisChapter 2, “Installing the Cisco ASA ASA 5500 with 4GE SSMInstall the chassis Install the 4GE SSM•Installing the Chassis, page Installing the Cisco ASA•Verifying the Package Contents, page C H A P T E RVerifying the Package Contents Figure 2-1Contents of ASA 5500 PackageInstalling the Chassis Rack-Mountingthe Chassis Figure 2-2Installing the Right and Left BracketsPorts and LEDs Figure 2-3 Rack-Mountingthe ChassisColor StateDescription Management Port1 Indicator ColorDescription Chapter 4, “Connecting Interface What to Do NextChapter 3, “Installing Optional SSMs” Chapter 2 Installing the Cisco ASAWhat to Do Next Chapter 2 Installing the Cisco ASA2-10 78-17611-01•Installing the Cisco 4GE SSM, page Installing Optional SSMsCisco 4GE SSM Installing the SFP Modules, pageState 4GE SSM ComponentsColor DescriptionState Installing the Cisco 4GE SSMColor DescriptionInstalling the SFP Modules •Installing the SFP Module, page•SFP Module, page Type of Connection SFP ModuleSFP Module Cisco Part NumberInstalling the SFP Module Optical port plug Cisco AIP SSM and CSC SSM DRAMColor Installing an SSM1 2 3 StateFigure 3-6Removing the Screws from the Slot Cover What to Do Next3-10 Figure 3-7Inserting the SSM into the SlotC H A P T E R Connecting Interface Cables•Connecting Cables to Interfaces, page •What to Do Next, pageConnecting Cables to Interfaces Connecting Cables to Interfaces Figure 4-1Connecting to the Management PortChapter 4 Connecting Interface Cables 78-17611-01b.Console port c.Auxiliary port d.Cisco 4GE SSM Ethernet port •SFP modules LC connector Connecting Cables to Interfaces Figure 4-7Connecting to the Management PortChapter 4 Connecting Interface Cables 78-17611-01What to Do Next f.Ethernet ports4-10 •About the Factory-DefaultConfiguration, page Configuring the Adaptive Security ApplianceAbout the Factory-DefaultConfiguration •Using the Startup Wizard, pageAbout the Adaptive Security Device Manager About the Adaptive Security Device Manager78-17611-01 Before Launching the Startup Wizard Using the Startup Wizard VPN Configuration” Configuration”Chapter 7, “Scenario: Remote-Access VPN Configuration”To Do This Chapter 9, “Configuring the AIP SSM”Chapter 10, “Configuring the CSC SSM”C H A P T E R Scenario: DMZ ConfigurationExample DMZ Network Topology Example DMZ Network Topology, pageNetwork Layout for DMZ Configuration Scenario Security Incoming request Configuration Requirements •Configuration Requirements, page•Starting ASDM, page Starting ASDM Creating IP Pools for Network Address Translation a.In the Features pane, click NAT d.From the Interfaces drop-downlist, choose DMZ b.Under the Global Pools tab, click Add 6-10g.Click OK 6-11Step 4 Click Apply in the main ASDM window 6-12Step 2 In the Features pane, click NAT 6-13c.Click OK to add the Dynamic NAT Rule and return to the Configuration > NAT window 6-146-15 Step 2 In the Features pane, click NAT 6-16a.From the Interface drop-downlist, choose Outside 6-176-18 Step 1 In the ASDM window 6-19Step 2 In the Interface and Action area 6-20Step 4 In the Destination area 6-21d.Click OK 6-22Step 7 Click Apply to save the configuration changes to the configuration that the adaptive security appliance is currently running 6-23To Do This Refine configuration and configureWhat to Do Next 6-24VPN Configuration” Chapter 7, “Scenario: Remote-AccessVPN Configuration” Chapter 6 Scenario: DMZ ConfigurationWhat to Do Next Chapter 6 Scenario DMZ Configuration6-26 78-17611-01C H A P T E R Scenario: Remote-AccessVPN ConfigurationExample IPsec Remote-AccessVPN Network Topology •What to Do Next, page•Starting ASDM, page Implementing the IPsec Remote-AccessVPN Scenario•Information to Have Available, page •Selecting VPN Client Types, page•Optional Configuring User Accounts, page Information to Have Available•Specifying a User Authentication Method, page •Configuring Address Pools, pageStarting ASDM The Main ASDM window appearsa.Click the Remote Access VPN radio button Selecting VPN Client Types Page Specifying a User Authentication Method Step 3 Click Next to continue Optional Configuring User Accounts 7-10Configuring Address Pools 7-11Configuring Client Attributes 7-12Configuring the IKE Policy 7-13Step 2 Click Next to continue 7-14Step 2 Click Next to continue 7-157-16 Verifying the Remote-AccessVPN Configuration 7-17To Do This If you are satisfied with the configuration, click Finish to apply the changes to the adaptive security applianceWhat to Do Next 7-18To Do This Configuration”VPN Configuration” Chapter 6, “Scenario: DMZ7-20 What to Do Next78-17611-01 C H A P T E R Scenario: Site-to-SiteVPN ConfigurationExample Site-to-SiteVPN Network Topology Example Site-to-SiteVPN Network Topology, pageInformation to Have Available Implementing the Site-to-SiteScenario•Configuring the Site-to-SiteVPN, page •Information to Have Available, page•Configuring the IKE Policy, page Configuring the Site-to-SiteVPNStarting ASDM •Starting ASDM, pagePage a.Click the Site-to-SiteVPN radio button Providing Information About the Remote VPN Peer Configuring the IKE Policy Step 2 Click Next to continue Step 2 Click Next to continue Specifying Hosts and Networks 8-10Viewing VPN Attributes and Completing the Wizard 8-11If you want the configuration changes to be saved to the startup configuration so that they are applied the next time the device starts, from the File menu, click Save 8-12Configuring the Other Side of the VPN Connection Configuring the Other Side of the VPN ConnectionChapter 8 Scenario Site-to-SiteVPN Configuration What to Do NextVPN Configuration” Configuration”Chapter 7, “Scenario: Remote-Access To Do This•AIP SSM Configuration, page Configuring the AIP SSMAIP SSM Configuration C H A P T E ROverview of Configuration Process •Overview of Configuration Process, pagehostnameconfig-cmap# match access-list acl-name hostnameconfig# interface interface_IDSessioning to the AIP SSM and Running Setup ciscoAIP SSM To Do This Configure the IPS sensorWhat to Do Next To Do ThisVPN Configuration” Configuration”Chapter 7, “Scenario Remote-Access VPN Configuration”C H A P T E R Configuring the CSC SSMAbout the CSC SSM •About the CSC SSM, pageCSC SSM About Deploying the Security Appliance with the10-2 1.The client initiates a request 10-3Figure 10-2CSC SSM Deployment Scenario Chapter 10 Configuring the CSC SSM10-4 78-17611-0110-5 Configuring the CSC SSM for Content SecurityConfiguration Requirements 78-17611-01Obtain Software Activation Key from Cisco.com Gather Information10-6 Launch ASDM 10-7Verify Time Settings 10-8Run the CSC Setup Wizard 10-9•IP address for the Primary DNS server 10-1010-11 Step 8 Click NextStep 10 Click Next Chapter 10 Configuring the CSC SSM10-12 78-17611-0110-13 Step 12 Click Next10-14 The Add Service Policy Rule appears 10-15Step 5 Click Next. The Traffic Classification Criteria page appears 10-16Step 8 In the Service Policy Rule Wizard, click the CSC Scan tab 10-17Step 10 Click Finish Chapter 10 Configuring the CSC SSM10-18 78-17611-0110-19 Step 11 Click ApplyWhat to Do Next Configuration or Monitoring tabthen click the Trend Micro Content To Do ThisVPN Configuration” Configuration”Chapter 7, “Scenario: Remote-Access VPN Configuration”What to Do Next Chapter 10 Configuring the CSC SSM10-22 78-17611-01•Cabling 4GE SSM Interfaces, page Configuring the 4GE SSM for FiberC H A P T E R •What to Do Next, pageCabling 4GE SSM Interfaces 11-2LC connector 11-3Note Because the default media type setting is Ethernet, you do not need to change the media type setting for Ethernet interfaces you use 11-4What to Do Next To Do This11-5 What to Do Next Chapter 11 Configuring the 4GE SSM for Fiber11-6 78-17611-01Obtaining a DES License or a 3DES-AESLicense C H A P T E R Areplacing the activation-4-tuple-key CommandPurpose activation-5-tuple-key variable is a