Manuals / Cisco Systems / Household Appliance / Home Security System

Cisco Systems ASA 5500 manual The client initiates a request, 10-3

Models: ASA 5500

1 144

Download 144 pages 23.87 Kb

Page 117

1.The client initiates a request.

Chapter 10 Configuring the CSC SSM

		About Deploying the Security Appliance with the CSC SSM
Figure 10-1	CSC SSM Traffic Flow
		Security Appliance
		Main System
		modular
		service
Request sent		policy	Request forwarded
Request sent			Request forwarded
	inside		outside
Reply forwarded		Diverted Traffic	Reply sent	Server
				Server
Client
Client
		content security scan		148386
		CSC SSM		148386
		CSC SSM

In this example, clients could be network users who are accessing a website, downloading files from an FTP server, or retrieving mail from a POP3 server.

In this configuration, the traffic flow is as follows:

1.The client initiates a request.

2.The adaptive security appliance receives the request and forwards it to the Internet.

3.When the requested content is retrieved, the adaptive security appliance determines whether its service policies define this content type as one that should be diverted to the CSC SSM for scanning, and does so if appropriate.

4.The CSC SSM receives the content from the adaptive security appliance, scans it and compares it to its latest update of the Trend Micro content filters.

5.If the content is suspicious, the CSC SSM blocks the content and reports the event. If the content is not suspicious, the CSC SSM forwards the requested content back to the adaptive security appliance for routing.

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide

	78-17611-01	10-3

Image 117

Cisco Systems ASA 5500 manual The client initiates a request, 10-3

Contents

Security Appliance Getting Started Guide Cisco ASA 5500 Series AdaptiveFor the Cisco ASA 5510, ASA 5520, and ASA Corporate HeadquartersTHE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS C O N T E N T S Installing Optional SSMsPorts and LEDs Before You BeginScenario DMZ Configuration Configuring Client Attributes Configuring the Other Side of the VPN ConnectionImplementing the Site-to-SiteScenario Run the CSC Setup Wizard Configuration RequirementsConfiguring the 4GE SSM for Fiber What to Do NextInstall the chassis Before You BeginChapter 2, “Installing the Cisco ASA Chapter 4, “Connecting InterfaceConfiguration” Configure the adaptive security appliance forRemote-AccessVPN Configuration” VPN Configuration”To Do This .... continued ASA 5500 with CSC SSMTo Do This To Do ThisInstall the chassis ASA 5500 with 4GE SSMChapter 2, “Installing the Cisco ASA Install the 4GE SSM•Verifying the Package Contents, page Installing the Cisco ASA•Installing the Chassis, page C H A P T E RFigure 2-1Contents of ASA 5500 Package Verifying the Package ContentsInstalling the Chassis Figure 2-2Installing the Right and Left Brackets Rack-Mountingthe ChassisFigure 2-3 Rack-Mountingthe Chassis Ports and LEDsColor StateDescription Management Port1 Indicator ColorDescription Chapter 3, “Installing Optional SSMs” What to Do NextChapter 4, “Connecting Interface Chapter 2 Installing the Cisco ASA2-10 Chapter 2 Installing the Cisco ASAWhat to Do Next 78-17611-01Cisco 4GE SSM Installing Optional SSMs•Installing the Cisco 4GE SSM, page Installing the SFP Modules, pageColor 4GE SSM ComponentsState DescriptionColor Installing the Cisco 4GE SSMState DescriptionInstalling the SFP Modules •Installing the SFP Module, page•SFP Module, page SFP Module SFP ModuleType of Connection Cisco Part NumberInstalling the SFP Module Optical port plug DRAM Cisco AIP SSM and CSC SSM1 2 3 Installing an SSMColor State3-10 What to Do NextFigure 3-6Removing the Screws from the Slot Cover Figure 3-7Inserting the SSM into the Slot•Connecting Cables to Interfaces, page Connecting Interface CablesC H A P T E R •What to Do Next, pageConnecting Cables to Interfaces Chapter 4 Connecting Interface Cables Figure 4-1Connecting to the Management PortConnecting Cables to Interfaces 78-17611-01b.Console port c.Auxiliary port d.Cisco 4GE SSM Ethernet port •SFP modules LC connector Chapter 4 Connecting Interface Cables Figure 4-7Connecting to the Management PortConnecting Cables to Interfaces 78-17611-01What to Do Next f.Ethernet ports4-10 About the Factory-DefaultConfiguration Configuring the Adaptive Security Appliance•About the Factory-DefaultConfiguration, page •Using the Startup Wizard, pageAbout the Adaptive Security Device Manager About the Adaptive Security Device Manager78-17611-01 Before Launching the Startup Wizard Using the Startup Wizard Chapter 7, “Scenario: Remote-Access Configuration”VPN Configuration” VPN Configuration”Chapter 10, “Configuring the CSC Chapter 9, “Configuring the AIP SSM”To Do This SSM”Example DMZ Network Topology Scenario: DMZ ConfigurationC H A P T E R Example DMZ Network Topology, pageNetwork Layout for DMZ Configuration Scenario Security Incoming request Configuration Requirements •Configuration Requirements, page•Starting ASDM, page Starting ASDM Creating IP Pools for Network Address Translation a.In the Features pane, click NAT d.From the Interfaces drop-downlist, choose DMZ 6-10 b.Under the Global Pools tab, click Add6-11 g.Click OK6-12 Step 4 Click Apply in the main ASDM window6-13 Step 2 In the Features pane, click NAT6-14 c.Click OK to add the Dynamic NAT Rule and return to the Configuration > NAT window6-15 6-16 Step 2 In the Features pane, click NAT6-17 a.From the Interface drop-downlist, choose Outside6-18 6-19 Step 1 In the ASDM window6-20 Step 2 In the Interface and Action area6-21 Step 4 In the Destination area6-22 d.Click OK6-23 Step 7 Click Apply to save the configuration changes to the configuration that the adaptive security appliance is currently runningWhat to Do Next Refine configuration and configureTo Do This 6-24VPN Configuration” Chapter 7, “Scenario: Remote-AccessVPN Configuration” Chapter 6 Scenario: DMZ Configuration6-26 Chapter 6 Scenario DMZ ConfigurationWhat to Do Next 78-17611-01Example IPsec Remote-AccessVPN Network Topology Scenario: Remote-AccessVPN ConfigurationC H A P T E R •What to Do Next, page•Information to Have Available, page Implementing the IPsec Remote-AccessVPN Scenario•Starting ASDM, page •Selecting VPN Client Types, page•Specifying a User Authentication Method, page Information to Have Available•Optional Configuring User Accounts, page •Configuring Address Pools, pageThe Main ASDM window appears Starting ASDMa.Click the Remote Access VPN radio button Selecting VPN Client Types Page Specifying a User Authentication Method Step 3 Click Next to continue 7-10 Optional Configuring User Accounts7-11 Configuring Address Pools7-12 Configuring Client Attributes7-13 Configuring the IKE Policy7-14 Step 2 Click Next to continue7-15 Step 2 Click Next to continue7-16 7-17 Verifying the Remote-AccessVPN ConfigurationWhat to Do Next If you are satisfied with the configuration, click Finish to apply the changes to the adaptive security applianceTo Do This 7-18VPN Configuration” Configuration”To Do This Chapter 6, “Scenario: DMZ7-20 What to Do Next78-17611-01 Example Site-to-SiteVPN Network Topology Scenario: Site-to-SiteVPN ConfigurationC H A P T E R Example Site-to-SiteVPN Network Topology, page•Configuring the Site-to-SiteVPN, page Implementing the Site-to-SiteScenarioInformation to Have Available •Information to Have Available, pageStarting ASDM Configuring the Site-to-SiteVPN•Configuring the IKE Policy, page •Starting ASDM, pagePage a.Click the Site-to-SiteVPN radio button Providing Information About the Remote VPN Peer Configuring the IKE Policy Step 2 Click Next to continue Step 2 Click Next to continue 8-10 Specifying Hosts and Networks8-11 Viewing VPN Attributes and Completing the Wizard8-12 If you want the configuration changes to be saved to the startup configuration so that they are applied the next time the device starts, from the File menu, click SaveChapter 8 Scenario Site-to-SiteVPN Configuration Configuring the Other Side of the VPN ConnectionConfiguring the Other Side of the VPN Connection What to Do NextChapter 7, “Scenario: Remote-Access Configuration”VPN Configuration” To Do ThisAIP SSM Configuration Configuring the AIP SSM•AIP SSM Configuration, page C H A P T E R•Overview of Configuration Process, page Overview of Configuration Processhostnameconfig-cmap# match access-list acl-name interface interface_ID hostnameconfig#cisco Sessioning to the AIP SSM and Running SetupAIP SSM What to Do Next Configure the IPS sensorTo Do This To Do ThisChapter 7, “Scenario Remote-Access Configuration”VPN Configuration” VPN Configuration”About the CSC SSM Configuring the CSC SSMC H A P T E R •About the CSC SSM, pageCSC SSM About Deploying the Security Appliance with the10-2 10-3 1.The client initiates a request10-4 Chapter 10 Configuring the CSC SSMFigure 10-2CSC SSM Deployment Scenario 78-17611-01Configuration Requirements Configuring the CSC SSM for Content Security10-5 78-17611-01Obtain Software Activation Key from Cisco.com Gather Information10-6 10-7 Launch ASDM10-8 Verify Time Settings10-9 Run the CSC Setup Wizard10-10 •IP address for the Primary DNS serverStep 8 Click Next 10-1110-12 Chapter 10 Configuring the CSC SSMStep 10 Click Next 78-17611-01Step 12 Click Next 10-1310-14 10-15 The Add Service Policy Rule appears10-16 Step 5 Click Next. The Traffic Classification Criteria page appears10-17 Step 8 In the Service Policy Rule Wizard, click the CSC Scan tab10-18 Chapter 10 Configuring the CSC SSMStep 10 Click Finish 78-17611-01Step 11 Click Apply 10-19then click the Trend Micro Content Configuration or Monitoring tabWhat to Do Next To Do ThisChapter 7, “Scenario: Remote-Access Configuration”VPN Configuration” VPN Configuration”10-22 Chapter 10 Configuring the CSC SSMWhat to Do Next 78-17611-01C H A P T E R Configuring the 4GE SSM for Fiber•Cabling 4GE SSM Interfaces, page •What to Do Next, page11-2 Cabling 4GE SSM Interfaces11-3 LC connector11-4 Note Because the default media type setting is Ethernet, you do not need to change the media type setting for Ethernet interfaces you useWhat to Do Next To Do This11-5 11-6 Chapter 11 Configuring the 4GE SSM for FiberWhat to Do Next 78-17611-01C H A P T E R A Obtaining a DES License or a 3DES-AESLicensePurpose Commandreplacing the activation-4-tuple-key activation-5-tuple-key variable is a