Manuals / Cisco Systems / Household Appliance / Home Security System

Cisco Systems ASA 5500 manual hostnameconfig-cmap# match access-list acl-name

Models: ASA 5500

1 144

Download 144 pages 23.87 Kb

Page 109

hostname(config-cmap)# match access-listacl-name

Chapter 9 Configuring the AIP SSM

AIP SSM Configuration

To identify traffic to divert from the adaptive security appliance to the AIP SSM, perform the following steps:

Step 1 Create an access list that matches all traffic: hostname(config)# access-list acl-namepermit ip any any

Step 2 Create a class map to identify the traffic that should be diverted to the AIP SSM. Use the class-mapcommand to do so, as follows:

hostname(config)# class-mapclass_map_name hostname(config-cmap)#

where class_map_name is the name of the traffic class. When you enter the class-mapcommand, the CLI enters class map configuration mode.

Step 3 With the access list you created in Step 1, use a match access-listcommand to identify the traffic to be scanned:

hostname(config-cmap)# match access-listacl-name

Step 4 Create a policy map or modify an existing traffic to the AIP SSM. To do so, use the

policy map that you want to use to send policy-mapcommand, as follows:

hostname(config-cmap)# policy-mappolicy_map_name hostname(config-pmap)#

where policy_map_name is the name of the policy map. The CLI enters the policy map configuration mode and the prompt changes accordingly.

Step 5 Specify the class map, created in Step 2, that identifies the traffic to be scanned. Use the class command to do so, as follows:

hostname(config-pmap)# class class_map_name hostname(config-pmap-c)#

where class_map_name is the name of the class map you created in Step 2. The CLI enters the policy map class configuration mode and the prompt changes accordingly.

Step 6 Assign the traffic identified by the class map as traffic to be sent to the AIP SSM. Use the ips command to do so, as follows:

hostname(config-pmap-c)# ips {inline promiscuous} {fail-close fail-open}

		Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide

	78-17611-01			9-3
	78-17611-01			9-3

Image 109

Cisco Systems ASA 5500 manual hostnameconfig-cmap# match access-list acl-name

Contents

Security Appliance Getting Started Guide Cisco ASA 5500 Series AdaptiveFor the Cisco ASA 5510, ASA 5520, and ASA Corporate HeadquartersTHE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS C O N T E N T S Installing Optional SSMsPorts and LEDs Before You BeginScenario DMZ Configuration Configuring the Other Side of the VPN Connection Configuring Client AttributesImplementing the Site-to-SiteScenario Run the CSC Setup Wizard Configuration RequirementsConfiguring the 4GE SSM for Fiber What to Do NextInstall the chassis Before You BeginChapter 2, “Installing the Cisco ASA Chapter 4, “Connecting InterfaceConfiguration” Configure the adaptive security appliance forRemote-AccessVPN Configuration” VPN Configuration”To Do This .... continued ASA 5500 with CSC SSMTo Do This To Do ThisInstall the chassis ASA 5500 with 4GE SSMChapter 2, “Installing the Cisco ASA Install the 4GE SSM•Verifying the Package Contents, page Installing the Cisco ASA•Installing the Chassis, page C H A P T E RFigure 2-1Contents of ASA 5500 Package Verifying the Package ContentsInstalling the Chassis Figure 2-2Installing the Right and Left Brackets Rack-Mountingthe ChassisFigure 2-3 Rack-Mountingthe Chassis Ports and LEDsState ColorDescription Management Port1 Color IndicatorDescription Chapter 3, “Installing Optional SSMs” What to Do NextChapter 4, “Connecting Interface Chapter 2 Installing the Cisco ASA2-10 Chapter 2 Installing the Cisco ASAWhat to Do Next 78-17611-01Cisco 4GE SSM Installing Optional SSMs•Installing the Cisco 4GE SSM, page Installing the SFP Modules, pageColor 4GE SSM ComponentsState DescriptionColor Installing the Cisco 4GE SSMState Description•Installing the SFP Module, page Installing the SFP Modules•SFP Module, page SFP Module SFP ModuleType of Connection Cisco Part NumberInstalling the SFP Module Optical port plug DRAM Cisco AIP SSM and CSC SSM1 2 3 Installing an SSMColor State3-10 What to Do NextFigure 3-6Removing the Screws from the Slot Cover Figure 3-7Inserting the SSM into the Slot•Connecting Cables to Interfaces, page Connecting Interface CablesC H A P T E R •What to Do Next, pageConnecting Cables to Interfaces Chapter 4 Connecting Interface Cables Figure 4-1Connecting to the Management PortConnecting Cables to Interfaces 78-17611-01b.Console port c.Auxiliary port d.Cisco 4GE SSM Ethernet port •SFP modules LC connector Chapter 4 Connecting Interface Cables Figure 4-7Connecting to the Management PortConnecting Cables to Interfaces 78-17611-01f.Ethernet ports What to Do Next4-10 About the Factory-DefaultConfiguration Configuring the Adaptive Security Appliance•About the Factory-DefaultConfiguration, page •Using the Startup Wizard, pageAbout the Adaptive Security Device Manager About the Adaptive Security Device Manager78-17611-01 Before Launching the Startup Wizard Using the Startup Wizard Chapter 7, “Scenario: Remote-Access Configuration”VPN Configuration” VPN Configuration”Chapter 10, “Configuring the CSC Chapter 9, “Configuring the AIP SSM”To Do This SSM”Example DMZ Network Topology Scenario: DMZ ConfigurationC H A P T E R Example DMZ Network Topology, pageNetwork Layout for DMZ Configuration Scenario Security Incoming request •Configuration Requirements, page Configuration Requirements•Starting ASDM, page Starting ASDM Creating IP Pools for Network Address Translation a.In the Features pane, click NAT d.From the Interfaces drop-downlist, choose DMZ 6-10 b.Under the Global Pools tab, click Add6-11 g.Click OK6-12 Step 4 Click Apply in the main ASDM window6-13 Step 2 In the Features pane, click NAT6-14 c.Click OK to add the Dynamic NAT Rule and return to the Configuration > NAT window6-15 6-16 Step 2 In the Features pane, click NAT6-17 a.From the Interface drop-downlist, choose Outside6-18 6-19 Step 1 In the ASDM window6-20 Step 2 In the Interface and Action area6-21 Step 4 In the Destination area6-22 d.Click OK6-23 Step 7 Click Apply to save the configuration changes to the configuration that the adaptive security appliance is currently runningWhat to Do Next Refine configuration and configureTo Do This 6-24VPN Configuration” Chapter 7, “Scenario: Remote-AccessVPN Configuration” Chapter 6 Scenario: DMZ Configuration6-26 Chapter 6 Scenario DMZ ConfigurationWhat to Do Next 78-17611-01Example IPsec Remote-AccessVPN Network Topology Scenario: Remote-AccessVPN ConfigurationC H A P T E R •What to Do Next, page•Information to Have Available, page Implementing the IPsec Remote-AccessVPN Scenario•Starting ASDM, page •Selecting VPN Client Types, page•Specifying a User Authentication Method, page Information to Have Available•Optional Configuring User Accounts, page •Configuring Address Pools, pageThe Main ASDM window appears Starting ASDMa.Click the Remote Access VPN radio button Selecting VPN Client Types Page Specifying a User Authentication Method Step 3 Click Next to continue 7-10 Optional Configuring User Accounts7-11 Configuring Address Pools7-12 Configuring Client Attributes7-13 Configuring the IKE Policy7-14 Step 2 Click Next to continue7-15 Step 2 Click Next to continue7-16 7-17 Verifying the Remote-AccessVPN ConfigurationWhat to Do Next If you are satisfied with the configuration, click Finish to apply the changes to the adaptive security applianceTo Do This 7-18VPN Configuration” Configuration”To Do This Chapter 6, “Scenario: DMZWhat to Do Next 7-2078-17611-01 Example Site-to-SiteVPN Network Topology Scenario: Site-to-SiteVPN ConfigurationC H A P T E R Example Site-to-SiteVPN Network Topology, page•Configuring the Site-to-SiteVPN, page Implementing the Site-to-SiteScenarioInformation to Have Available •Information to Have Available, pageStarting ASDM Configuring the Site-to-SiteVPN•Configuring the IKE Policy, page •Starting ASDM, pagePage a.Click the Site-to-SiteVPN radio button Providing Information About the Remote VPN Peer Configuring the IKE Policy Step 2 Click Next to continue Step 2 Click Next to continue 8-10 Specifying Hosts and Networks8-11 Viewing VPN Attributes and Completing the Wizard8-12 If you want the configuration changes to be saved to the startup configuration so that they are applied the next time the device starts, from the File menu, click SaveChapter 8 Scenario Site-to-SiteVPN Configuration Configuring the Other Side of the VPN ConnectionConfiguring the Other Side of the VPN Connection What to Do NextChapter 7, “Scenario: Remote-Access Configuration”VPN Configuration” To Do ThisAIP SSM Configuration Configuring the AIP SSM•AIP SSM Configuration, page C H A P T E R•Overview of Configuration Process, page Overview of Configuration Processhostnameconfig-cmap# match access-list acl-name interface interface_ID hostnameconfig#cisco Sessioning to the AIP SSM and Running SetupAIP SSM What to Do Next Configure the IPS sensorTo Do This To Do ThisChapter 7, “Scenario Remote-Access Configuration”VPN Configuration” VPN Configuration”About the CSC SSM Configuring the CSC SSMC H A P T E R •About the CSC SSM, pageAbout Deploying the Security Appliance with the CSC SSM10-2 10-3 1.The client initiates a request10-4 Chapter 10 Configuring the CSC SSMFigure 10-2CSC SSM Deployment Scenario 78-17611-01Configuration Requirements Configuring the CSC SSM for Content Security10-5 78-17611-01Gather Information Obtain Software Activation Key from Cisco.com10-6 10-7 Launch ASDM10-8 Verify Time Settings10-9 Run the CSC Setup Wizard10-10 •IP address for the Primary DNS serverStep 8 Click Next 10-1110-12 Chapter 10 Configuring the CSC SSMStep 10 Click Next 78-17611-01Step 12 Click Next 10-1310-14 10-15 The Add Service Policy Rule appears10-16 Step 5 Click Next. The Traffic Classification Criteria page appears10-17 Step 8 In the Service Policy Rule Wizard, click the CSC Scan tab10-18 Chapter 10 Configuring the CSC SSMStep 10 Click Finish 78-17611-01Step 11 Click Apply 10-19then click the Trend Micro Content Configuration or Monitoring tabWhat to Do Next To Do ThisChapter 7, “Scenario: Remote-Access Configuration”VPN Configuration” VPN Configuration”10-22 Chapter 10 Configuring the CSC SSMWhat to Do Next 78-17611-01C H A P T E R Configuring the 4GE SSM for Fiber•Cabling 4GE SSM Interfaces, page •What to Do Next, page11-2 Cabling 4GE SSM Interfaces11-3 LC connector11-4 Note Because the default media type setting is Ethernet, you do not need to change the media type setting for Ethernet interfaces you useTo Do This What to Do Next11-5 11-6 Chapter 11 Configuring the 4GE SSM for FiberWhat to Do Next 78-17611-01C H A P T E R A Obtaining a DES License or a 3DES-AESLicensePurpose Commandreplacing the activation-4-tuple-key activation-5-tuple-key variable is a