Manuals / Cisco Systems / Household Appliance / Home Security System

Cisco Systems ASA 5500 manual Configuring the AIP SSM, AIP SSM Configuration, C H A P T E R

Models: ASA 5500

1 144

Download 144 pages 23.87 Kb

Page 107

Configuring the AIP SSM

C H A P T E R 9

Configuring the AIP SSM

The optional AIP SSM runs advanced IPS software that provides further security inspection either in inline mode or promiscuous mode. The adaptive security appliance diverts packets to the AIP SSM just before the packet exits the egress interface (or before VPN encryption occurs, if configured) and after other firewall policies are applied. For example, packets that are blocked by an access list are not forwarded to the AIP SSM.

If you purchased an AIP SSM, use the procedures in this chapter to:

•Configure the adaptive security appliance to identify traffic to be diverted to the AIP SSM

•Session in to the AIP SSM and run setup

Note The AIP SSM is supported in ASA software versions 7.01 and later.

This chapter includes the following sections:

•AIP SSM Configuration, page 9-1

•What to Do Next, page 9-7

AIP SSM Configuration

This procedure describes the configuration steps you must take to configure the adaptive security appliance for AIP SSM.

		Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide

	78-17611-01			9-1
	78-17611-01			9-1

Image 107

Cisco Systems ASA 5500 Configuring the AIP SSM, C H A P T E R, •AIP SSM Configuration, page, •What to Do Next, page

Contents

Corporate Headquarters Cisco ASA 5500 Series AdaptiveSecurity Appliance Getting Started Guide For the Cisco ASA 5510, ASA 5520, and ASATHE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS Before You Begin Installing Optional SSMsC O N T E N T S Ports and LEDsScenario DMZ Configuration Implementing the Site-to-SiteScenario Configuring Client AttributesConfiguring the Other Side of the VPN Connection What to Do Next Configuration RequirementsRun the CSC Setup Wizard Configuring the 4GE SSM for FiberChapter 4, “Connecting Interface Before You BeginInstall the chassis Chapter 2, “Installing the Cisco ASAVPN Configuration” Configure the adaptive security appliance forConfiguration” Remote-AccessVPN Configuration”To Do This ASA 5500 with CSC SSMTo Do This .... continued To Do ThisInstall the 4GE SSM ASA 5500 with 4GE SSMInstall the chassis Chapter 2, “Installing the Cisco ASAC H A P T E R Installing the Cisco ASA•Verifying the Package Contents, page •Installing the Chassis, pageFigure 2-1Contents of ASA 5500 Package Verifying the Package ContentsInstalling the Chassis Figure 2-2Installing the Right and Left Brackets Rack-Mountingthe ChassisFigure 2-3 Rack-Mountingthe Chassis Ports and LEDsDescription ColorState Management Port1 Description IndicatorColor Chapter 2 Installing the Cisco ASA What to Do NextChapter 3, “Installing Optional SSMs” Chapter 4, “Connecting Interface78-17611-01 Chapter 2 Installing the Cisco ASA2-10 What to Do NextInstalling the SFP Modules, page Installing Optional SSMsCisco 4GE SSM •Installing the Cisco 4GE SSM, pageDescription 4GE SSM ComponentsColor StateDescription Installing the Cisco 4GE SSMColor State•SFP Module, page Installing the SFP Modules•Installing the SFP Module, page Cisco Part Number SFP ModuleSFP Module Type of ConnectionInstalling the SFP Module Optical port plug DRAM Cisco AIP SSM and CSC SSMState Installing an SSM1 2 3 ColorFigure 3-7Inserting the SSM into the Slot What to Do Next3-10 Figure 3-6Removing the Screws from the Slot Cover•What to Do Next, page Connecting Interface Cables•Connecting Cables to Interfaces, page C H A P T E RConnecting Cables to Interfaces 78-17611-01 Figure 4-1Connecting to the Management PortChapter 4 Connecting Interface Cables Connecting Cables to Interfacesb.Console port c.Auxiliary port d.Cisco 4GE SSM Ethernet port •SFP modules LC connector 78-17611-01 Figure 4-7Connecting to the Management PortChapter 4 Connecting Interface Cables Connecting Cables to Interfaces4-10 What to Do Nextf.Ethernet ports •Using the Startup Wizard, page Configuring the Adaptive Security ApplianceAbout the Factory-DefaultConfiguration •About the Factory-DefaultConfiguration, page78-17611-01 About the Adaptive Security Device ManagerAbout the Adaptive Security Device Manager Before Launching the Startup Wizard Using the Startup Wizard VPN Configuration” Configuration”Chapter 7, “Scenario: Remote-Access VPN Configuration”SSM” Chapter 9, “Configuring the AIP SSM”Chapter 10, “Configuring the CSC To Do ThisExample DMZ Network Topology, page Scenario: DMZ ConfigurationExample DMZ Network Topology C H A P T E RNetwork Layout for DMZ Configuration Scenario Security Incoming request •Starting ASDM, page Configuration Requirements•Configuration Requirements, page Starting ASDM Creating IP Pools for Network Address Translation a.In the Features pane, click NAT d.From the Interfaces drop-downlist, choose DMZ 6-10 b.Under the Global Pools tab, click Add6-11 g.Click OK6-12 Step 4 Click Apply in the main ASDM window6-13 Step 2 In the Features pane, click NAT6-14 c.Click OK to add the Dynamic NAT Rule and return to the Configuration > NAT window6-15 6-16 Step 2 In the Features pane, click NAT6-17 a.From the Interface drop-downlist, choose Outside6-18 6-19 Step 1 In the ASDM window6-20 Step 2 In the Interface and Action area6-21 Step 4 In the Destination area6-22 d.Click OK6-23 Step 7 Click Apply to save the configuration changes to the configuration that the adaptive security appliance is currently running6-24 Refine configuration and configureWhat to Do Next To Do ThisChapter 6 Scenario: DMZ Configuration Chapter 7, “Scenario: Remote-AccessVPN Configuration” VPN Configuration”78-17611-01 Chapter 6 Scenario DMZ Configuration6-26 What to Do Next•What to Do Next, page Scenario: Remote-AccessVPN ConfigurationExample IPsec Remote-AccessVPN Network Topology C H A P T E R•Selecting VPN Client Types, page Implementing the IPsec Remote-AccessVPN Scenario•Information to Have Available, page •Starting ASDM, page•Configuring Address Pools, page Information to Have Available•Specifying a User Authentication Method, page •Optional Configuring User Accounts, pageThe Main ASDM window appears Starting ASDMa.Click the Remote Access VPN radio button Selecting VPN Client Types Page Specifying a User Authentication Method Step 3 Click Next to continue 7-10 Optional Configuring User Accounts7-11 Configuring Address Pools7-12 Configuring Client Attributes7-13 Configuring the IKE Policy7-14 Step 2 Click Next to continue7-15 Step 2 Click Next to continue7-16 7-17 Verifying the Remote-AccessVPN Configuration7-18 If you are satisfied with the configuration, click Finish to apply the changes to the adaptive security applianceWhat to Do Next To Do ThisChapter 6, “Scenario: DMZ Configuration”VPN Configuration” To Do This78-17611-01 7-20What to Do Next Example Site-to-SiteVPN Network Topology, page Scenario: Site-to-SiteVPN ConfigurationExample Site-to-SiteVPN Network Topology C H A P T E R•Information to Have Available, page Implementing the Site-to-SiteScenario•Configuring the Site-to-SiteVPN, page Information to Have Available•Starting ASDM, page Configuring the Site-to-SiteVPNStarting ASDM •Configuring the IKE Policy, pagePage a.Click the Site-to-SiteVPN radio button Providing Information About the Remote VPN Peer Configuring the IKE Policy Step 2 Click Next to continue Step 2 Click Next to continue 8-10 Specifying Hosts and Networks8-11 Viewing VPN Attributes and Completing the Wizard8-12 If you want the configuration changes to be saved to the startup configuration so that they are applied the next time the device starts, from the File menu, click SaveWhat to Do Next Configuring the Other Side of the VPN ConnectionChapter 8 Scenario Site-to-SiteVPN Configuration Configuring the Other Side of the VPN ConnectionTo Do This Configuration”Chapter 7, “Scenario: Remote-Access VPN Configuration”C H A P T E R Configuring the AIP SSMAIP SSM Configuration •AIP SSM Configuration, page•Overview of Configuration Process, page Overview of Configuration Processhostnameconfig-cmap# match access-list acl-name interface interface_ID hostnameconfig#cisco Sessioning to the AIP SSM and Running SetupAIP SSM To Do This Configure the IPS sensorWhat to Do Next To Do ThisVPN Configuration” Configuration”Chapter 7, “Scenario Remote-Access VPN Configuration”•About the CSC SSM, page Configuring the CSC SSMAbout the CSC SSM C H A P T E R10-2 CSC SSMAbout Deploying the Security Appliance with the 10-3 1.The client initiates a request78-17611-01 Chapter 10 Configuring the CSC SSM10-4 Figure 10-2CSC SSM Deployment Scenario78-17611-01 Configuring the CSC SSM for Content SecurityConfiguration Requirements 10-510-6 Obtain Software Activation Key from Cisco.comGather Information 10-7 Launch ASDM10-8 Verify Time Settings10-9 Run the CSC Setup Wizard10-10 •IP address for the Primary DNS serverStep 8 Click Next 10-1178-17611-01 Chapter 10 Configuring the CSC SSM10-12 Step 10 Click NextStep 12 Click Next 10-1310-14 10-15 The Add Service Policy Rule appears10-16 Step 5 Click Next. The Traffic Classification Criteria page appears10-17 Step 8 In the Service Policy Rule Wizard, click the CSC Scan tab78-17611-01 Chapter 10 Configuring the CSC SSM10-18 Step 10 Click FinishStep 11 Click Apply 10-19To Do This Configuration or Monitoring tabthen click the Trend Micro Content What to Do NextVPN Configuration” Configuration”Chapter 7, “Scenario: Remote-Access VPN Configuration”78-17611-01 Chapter 10 Configuring the CSC SSM10-22 What to Do Next•What to Do Next, page Configuring the 4GE SSM for FiberC H A P T E R •Cabling 4GE SSM Interfaces, page11-2 Cabling 4GE SSM Interfaces11-3 LC connector11-4 Note Because the default media type setting is Ethernet, you do not need to change the media type setting for Ethernet interfaces you use11-5 What to Do NextTo Do This 78-17611-01 Chapter 11 Configuring the 4GE SSM for Fiber11-6 What to Do NextC H A P T E R A Obtaining a DES License or a 3DES-AESLicenseactivation-5-tuple-key variable is a CommandPurpose replacing the activation-4-tuple-key