Manuals / Cisco Systems / Household Appliance / Home Security System

Cisco Systems ASA 5500 manual interface interface_ID, hostnameconfig#

Models: ASA 5500

1 144

Download 144 pages 23.87 Kb

Page 110

interface interface_ID]

Chapter 9 Configuring the AIP SSM

AIP SSM Configuration

The inline and promiscuous keywords control the operating mode of the AIP SSM. The fail-closeand fail-openkeywords control how the adaptive security appliance treats traffic when the AIP SSM is unavailable. For more information about the operating modes and failure behavior, see the “AIP SSM Configuration” section on page 9-1.

Step 7 Use the service-policycommand to apply the policy map globally or to a specific interface, as follows:

hostname(config-pmap-c)# service-policypolicy_map_name [global

interface interface_ID]

hostname(config)#

where policy_map_name is the policy map you configured in Step 4. If you want to apply the policy map to traffic on all the interfaces, use the global keyword. If you want to apply the policy map to traffic on a specific interface, use the interface interface_ID option, where interface_ID is the name assigned to the interface with the nameif command.

Only one global policy is allowed. You can override the global policy on an interface by applying a service policy to that interface. You can only apply one policy map to each interface.

The adaptive security appliance begins diverting traffic to the AIP SSM as specified.

The following example diverts all IP traffic to the AIP SSM in promiscuous mode, and blocks all IP traffic should the AIP SSM card fail for any reason:

hostname(config)# access-list IPS permit ip any any hostname(config)# class-mapmy-ips-classhostname(config-cmap)# match access-list IPS hostname(config-cmap)# policy-mapmy-ids-policyhostname(config-pmap)# class my-ips-classhostname(config-pmap-c)# ips promiscuous fail-closehostname(config-pmap-c)# service-policymy-ips-policy global

	Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
9-4	78-17611-01

Image 110

Cisco Systems ASA 5500 manual interface interface_ID, hostnameconfig#

Contents

For the Cisco ASA 5510, ASA 5520, and ASA Cisco ASA 5500 Series AdaptiveSecurity Appliance Getting Started Guide Corporate HeadquartersTHE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS Ports and LEDs Installing Optional SSMsC O N T E N T S Before You BeginScenario DMZ Configuration Implementing the Site-to-SiteScenario Configuring Client AttributesConfiguring the Other Side of the VPN Connection Configuring the 4GE SSM for Fiber Configuration RequirementsRun the CSC Setup Wizard What to Do NextChapter 2, “Installing the Cisco ASA Before You BeginInstall the chassis Chapter 4, “Connecting InterfaceRemote-AccessVPN Configuration” Configure the adaptive security appliance forConfiguration” VPN Configuration”To Do This ASA 5500 with CSC SSMTo Do This .... continued To Do ThisChapter 2, “Installing the Cisco ASA ASA 5500 with 4GE SSMInstall the chassis Install the 4GE SSM•Installing the Chassis, page Installing the Cisco ASA•Verifying the Package Contents, page C H A P T E RVerifying the Package Contents Figure 2-1Contents of ASA 5500 PackageInstalling the Chassis Rack-Mountingthe Chassis Figure 2-2Installing the Right and Left BracketsPorts and LEDs Figure 2-3 Rack-Mountingthe ChassisDescription ColorState Management Port1 Description IndicatorColor Chapter 4, “Connecting Interface What to Do NextChapter 3, “Installing Optional SSMs” Chapter 2 Installing the Cisco ASAWhat to Do Next Chapter 2 Installing the Cisco ASA2-10 78-17611-01•Installing the Cisco 4GE SSM, page Installing Optional SSMsCisco 4GE SSM Installing the SFP Modules, pageState 4GE SSM ComponentsColor DescriptionState Installing the Cisco 4GE SSMColor Description•SFP Module, page Installing the SFP Modules•Installing the SFP Module, page Type of Connection SFP ModuleSFP Module Cisco Part NumberInstalling the SFP Module Optical port plug Cisco AIP SSM and CSC SSM DRAMColor Installing an SSM1 2 3 StateFigure 3-6Removing the Screws from the Slot Cover What to Do Next3-10 Figure 3-7Inserting the SSM into the SlotC H A P T E R Connecting Interface Cables•Connecting Cables to Interfaces, page •What to Do Next, pageConnecting Cables to Interfaces Connecting Cables to Interfaces Figure 4-1Connecting to the Management PortChapter 4 Connecting Interface Cables 78-17611-01b.Console port c.Auxiliary port d.Cisco 4GE SSM Ethernet port •SFP modules LC connector Connecting Cables to Interfaces Figure 4-7Connecting to the Management PortChapter 4 Connecting Interface Cables 78-17611-014-10 What to Do Nextf.Ethernet ports •About the Factory-DefaultConfiguration, page Configuring the Adaptive Security ApplianceAbout the Factory-DefaultConfiguration •Using the Startup Wizard, page78-17611-01 About the Adaptive Security Device ManagerAbout the Adaptive Security Device Manager Before Launching the Startup Wizard Using the Startup Wizard VPN Configuration” Configuration”Chapter 7, “Scenario: Remote-Access VPN Configuration”To Do This Chapter 9, “Configuring the AIP SSM”Chapter 10, “Configuring the CSC SSM”C H A P T E R Scenario: DMZ ConfigurationExample DMZ Network Topology Example DMZ Network Topology, pageNetwork Layout for DMZ Configuration Scenario Security Incoming request •Starting ASDM, page Configuration Requirements•Configuration Requirements, page Starting ASDM Creating IP Pools for Network Address Translation a.In the Features pane, click NAT d.From the Interfaces drop-downlist, choose DMZ b.Under the Global Pools tab, click Add 6-10g.Click OK 6-11Step 4 Click Apply in the main ASDM window 6-12Step 2 In the Features pane, click NAT 6-13c.Click OK to add the Dynamic NAT Rule and return to the Configuration > NAT window 6-146-15 Step 2 In the Features pane, click NAT 6-16a.From the Interface drop-downlist, choose Outside 6-176-18 Step 1 In the ASDM window 6-19Step 2 In the Interface and Action area 6-20Step 4 In the Destination area 6-21d.Click OK 6-22Step 7 Click Apply to save the configuration changes to the configuration that the adaptive security appliance is currently running 6-23To Do This Refine configuration and configureWhat to Do Next 6-24VPN Configuration” Chapter 7, “Scenario: Remote-AccessVPN Configuration” Chapter 6 Scenario: DMZ ConfigurationWhat to Do Next Chapter 6 Scenario DMZ Configuration6-26 78-17611-01C H A P T E R Scenario: Remote-AccessVPN ConfigurationExample IPsec Remote-AccessVPN Network Topology •What to Do Next, page•Starting ASDM, page Implementing the IPsec Remote-AccessVPN Scenario•Information to Have Available, page •Selecting VPN Client Types, page•Optional Configuring User Accounts, page Information to Have Available•Specifying a User Authentication Method, page •Configuring Address Pools, pageStarting ASDM The Main ASDM window appearsa.Click the Remote Access VPN radio button Selecting VPN Client Types Page Specifying a User Authentication Method Step 3 Click Next to continue Optional Configuring User Accounts 7-10Configuring Address Pools 7-11Configuring Client Attributes 7-12Configuring the IKE Policy 7-13Step 2 Click Next to continue 7-14Step 2 Click Next to continue 7-157-16 Verifying the Remote-AccessVPN Configuration 7-17To Do This If you are satisfied with the configuration, click Finish to apply the changes to the adaptive security applianceWhat to Do Next 7-18To Do This Configuration”VPN Configuration” Chapter 6, “Scenario: DMZ78-17611-01 7-20What to Do Next C H A P T E R Scenario: Site-to-SiteVPN ConfigurationExample Site-to-SiteVPN Network Topology Example Site-to-SiteVPN Network Topology, pageInformation to Have Available Implementing the Site-to-SiteScenario•Configuring the Site-to-SiteVPN, page •Information to Have Available, page•Configuring the IKE Policy, page Configuring the Site-to-SiteVPNStarting ASDM •Starting ASDM, pagePage a.Click the Site-to-SiteVPN radio button Providing Information About the Remote VPN Peer Configuring the IKE Policy Step 2 Click Next to continue Step 2 Click Next to continue Specifying Hosts and Networks 8-10Viewing VPN Attributes and Completing the Wizard 8-11If you want the configuration changes to be saved to the startup configuration so that they are applied the next time the device starts, from the File menu, click Save 8-12Configuring the Other Side of the VPN Connection Configuring the Other Side of the VPN ConnectionChapter 8 Scenario Site-to-SiteVPN Configuration What to Do NextVPN Configuration” Configuration”Chapter 7, “Scenario: Remote-Access To Do This•AIP SSM Configuration, page Configuring the AIP SSMAIP SSM Configuration C H A P T E ROverview of Configuration Process •Overview of Configuration Process, pagehostnameconfig-cmap# match access-list acl-name hostnameconfig# interface interface_IDSessioning to the AIP SSM and Running Setup ciscoAIP SSM To Do This Configure the IPS sensorWhat to Do Next To Do ThisVPN Configuration” Configuration”Chapter 7, “Scenario Remote-Access VPN Configuration”C H A P T E R Configuring the CSC SSMAbout the CSC SSM •About the CSC SSM, page10-2 CSC SSMAbout Deploying the Security Appliance with the 1.The client initiates a request 10-3Figure 10-2CSC SSM Deployment Scenario Chapter 10 Configuring the CSC SSM10-4 78-17611-0110-5 Configuring the CSC SSM for Content SecurityConfiguration Requirements 78-17611-0110-6 Obtain Software Activation Key from Cisco.comGather Information Launch ASDM 10-7Verify Time Settings 10-8Run the CSC Setup Wizard 10-9•IP address for the Primary DNS server 10-1010-11 Step 8 Click NextStep 10 Click Next Chapter 10 Configuring the CSC SSM10-12 78-17611-0110-13 Step 12 Click Next10-14 The Add Service Policy Rule appears 10-15Step 5 Click Next. The Traffic Classification Criteria page appears 10-16Step 8 In the Service Policy Rule Wizard, click the CSC Scan tab 10-17Step 10 Click Finish Chapter 10 Configuring the CSC SSM10-18 78-17611-0110-19 Step 11 Click ApplyWhat to Do Next Configuration or Monitoring tabthen click the Trend Micro Content To Do ThisVPN Configuration” Configuration”Chapter 7, “Scenario: Remote-Access VPN Configuration”What to Do Next Chapter 10 Configuring the CSC SSM10-22 78-17611-01•Cabling 4GE SSM Interfaces, page Configuring the 4GE SSM for FiberC H A P T E R •What to Do Next, pageCabling 4GE SSM Interfaces 11-2LC connector 11-3Note Because the default media type setting is Ethernet, you do not need to change the media type setting for Ethernet interfaces you use 11-411-5 What to Do NextTo Do This What to Do Next Chapter 11 Configuring the 4GE SSM for Fiber11-6 78-17611-01Obtaining a DES License or a 3DES-AESLicense C H A P T E R Areplacing the activation-4-tuple-key CommandPurpose activation-5-tuple-key variable is a