Manuals / Cisco Systems / Household Appliance / Home Security System

Cisco Systems ASA 5500 Configuring the CSC SSM for Content Security, Configuration Requirements

Models: ASA 5500

1 144

Download 144 pages 23.87 Kb

Page 119

Chapter 10 Configuring the CSC SSM

Scenario: Security Appliance with CSC SSM Deployed for Content Security

In this scenario, the customer has deployed an adaptive security appliance with a CSC SSM for content security. Of particular interest are the following points:

•The adaptive security appliance is on a dedicated management network. Although using a dedicated management network is not required, we recommend it for security purposes.

•This adaptive security appliance configuration has two management ports: one for the adaptive security appliance itself, and another for the CSC SSM. All administration hosts must be able to access both IP addresses.

•The HTTP proxy server is connected to both the inside network and the dedicated management network. This enables the CSC SSM to retrieve updated content security filters from the Trend Micro update server.

•The management network includes an SMTP server so that administrators can be notified of CSC SSM events. The management network also includes a syslog server to store logs generated by the CSC SSM.

Configuration Requirements

When you plan the adaptive security appliance deployment, it is critical that the network adheres to the following requirements:

•The SSM management port IP address must be accessible by the hosts used to run ASDM. However, the IP addresses for the SSM management port and the adaptive security appliance management interface can be in different subnets.

•The SSM management port must be able to connect to the Internet so that the CSC SSM can reach the Trend Micro update server.

Configuring the CSC SSM for Content Security

If you ordered your adaptive security appliance with the optional CSC SSM module, there are several steps you need to perform to complete the initial configuration. Some configuration steps are performed on the adaptive security appliance, and some steps are performed in the software running on the CSC SSM.

		Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide

	78-17611-01			10-5
	78-17611-01			10-5

Image 119

Cisco Systems ASA 5500 manual Configuring the CSC SSM for Content Security, Configuration Requirements, 10-5, 78-17611-01

Contents

Corporate Headquarters Cisco ASA 5500 Series AdaptiveSecurity Appliance Getting Started Guide For the Cisco ASA 5510, ASA 5520, and ASATHE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS Before You Begin Installing Optional SSMsC O N T E N T S Ports and LEDsScenario DMZ Configuration Implementing the Site-to-SiteScenario Configuring Client AttributesConfiguring the Other Side of the VPN Connection What to Do Next Configuration RequirementsRun the CSC Setup Wizard Configuring the 4GE SSM for FiberChapter 4, “Connecting Interface Before You BeginInstall the chassis Chapter 2, “Installing the Cisco ASAVPN Configuration” Configure the adaptive security appliance forConfiguration” Remote-AccessVPN Configuration”To Do This ASA 5500 with CSC SSMTo Do This .... continued To Do ThisInstall the 4GE SSM ASA 5500 with 4GE SSMInstall the chassis Chapter 2, “Installing the Cisco ASAC H A P T E R Installing the Cisco ASA•Verifying the Package Contents, page •Installing the Chassis, pageFigure 2-1Contents of ASA 5500 Package Verifying the Package ContentsInstalling the Chassis Figure 2-2Installing the Right and Left Brackets Rack-Mountingthe ChassisFigure 2-3 Rack-Mountingthe Chassis Ports and LEDsDescription ColorState Management Port1 Description IndicatorColor Chapter 2 Installing the Cisco ASA What to Do NextChapter 3, “Installing Optional SSMs” Chapter 4, “Connecting Interface78-17611-01 Chapter 2 Installing the Cisco ASA2-10 What to Do NextInstalling the SFP Modules, page Installing Optional SSMsCisco 4GE SSM •Installing the Cisco 4GE SSM, pageDescription 4GE SSM ComponentsColor StateDescription Installing the Cisco 4GE SSMColor State•SFP Module, page Installing the SFP Modules•Installing the SFP Module, page Cisco Part Number SFP ModuleSFP Module Type of ConnectionInstalling the SFP Module Optical port plug DRAM Cisco AIP SSM and CSC SSMState Installing an SSM1 2 3 ColorFigure 3-7Inserting the SSM into the Slot What to Do Next3-10 Figure 3-6Removing the Screws from the Slot Cover•What to Do Next, page Connecting Interface Cables•Connecting Cables to Interfaces, page C H A P T E RConnecting Cables to Interfaces 78-17611-01 Figure 4-1Connecting to the Management PortChapter 4 Connecting Interface Cables Connecting Cables to Interfacesb.Console port c.Auxiliary port d.Cisco 4GE SSM Ethernet port •SFP modules LC connector 78-17611-01 Figure 4-7Connecting to the Management PortChapter 4 Connecting Interface Cables Connecting Cables to Interfaces4-10 What to Do Nextf.Ethernet ports •Using the Startup Wizard, page Configuring the Adaptive Security ApplianceAbout the Factory-DefaultConfiguration •About the Factory-DefaultConfiguration, page78-17611-01 About the Adaptive Security Device ManagerAbout the Adaptive Security Device Manager Before Launching the Startup Wizard Using the Startup Wizard VPN Configuration” Configuration”Chapter 7, “Scenario: Remote-Access VPN Configuration”SSM” Chapter 9, “Configuring the AIP SSM”Chapter 10, “Configuring the CSC To Do ThisExample DMZ Network Topology, page Scenario: DMZ ConfigurationExample DMZ Network Topology C H A P T E RNetwork Layout for DMZ Configuration Scenario Security Incoming request •Starting ASDM, page Configuration Requirements•Configuration Requirements, page Starting ASDM Creating IP Pools for Network Address Translation a.In the Features pane, click NAT d.From the Interfaces drop-downlist, choose DMZ 6-10 b.Under the Global Pools tab, click Add6-11 g.Click OK6-12 Step 4 Click Apply in the main ASDM window6-13 Step 2 In the Features pane, click NAT6-14 c.Click OK to add the Dynamic NAT Rule and return to the Configuration > NAT window6-15 6-16 Step 2 In the Features pane, click NAT6-17 a.From the Interface drop-downlist, choose Outside6-18 6-19 Step 1 In the ASDM window6-20 Step 2 In the Interface and Action area6-21 Step 4 In the Destination area6-22 d.Click OK6-23 Step 7 Click Apply to save the configuration changes to the configuration that the adaptive security appliance is currently running6-24 Refine configuration and configureWhat to Do Next To Do ThisChapter 6 Scenario: DMZ Configuration Chapter 7, “Scenario: Remote-AccessVPN Configuration” VPN Configuration”78-17611-01 Chapter 6 Scenario DMZ Configuration6-26 What to Do Next•What to Do Next, page Scenario: Remote-AccessVPN ConfigurationExample IPsec Remote-AccessVPN Network Topology C H A P T E R•Selecting VPN Client Types, page Implementing the IPsec Remote-AccessVPN Scenario•Information to Have Available, page •Starting ASDM, page•Configuring Address Pools, page Information to Have Available•Specifying a User Authentication Method, page •Optional Configuring User Accounts, pageThe Main ASDM window appears Starting ASDMa.Click the Remote Access VPN radio button Selecting VPN Client Types Page Specifying a User Authentication Method Step 3 Click Next to continue 7-10 Optional Configuring User Accounts7-11 Configuring Address Pools7-12 Configuring Client Attributes7-13 Configuring the IKE Policy7-14 Step 2 Click Next to continue7-15 Step 2 Click Next to continue7-16 7-17 Verifying the Remote-AccessVPN Configuration7-18 If you are satisfied with the configuration, click Finish to apply the changes to the adaptive security applianceWhat to Do Next To Do ThisChapter 6, “Scenario: DMZ Configuration”VPN Configuration” To Do This78-17611-01 7-20What to Do Next Example Site-to-SiteVPN Network Topology, page Scenario: Site-to-SiteVPN ConfigurationExample Site-to-SiteVPN Network Topology C H A P T E R•Information to Have Available, page Implementing the Site-to-SiteScenario•Configuring the Site-to-SiteVPN, page Information to Have Available•Starting ASDM, page Configuring the Site-to-SiteVPNStarting ASDM •Configuring the IKE Policy, pagePage a.Click the Site-to-SiteVPN radio button Providing Information About the Remote VPN Peer Configuring the IKE Policy Step 2 Click Next to continue Step 2 Click Next to continue 8-10 Specifying Hosts and Networks8-11 Viewing VPN Attributes and Completing the Wizard8-12 If you want the configuration changes to be saved to the startup configuration so that they are applied the next time the device starts, from the File menu, click SaveWhat to Do Next Configuring the Other Side of the VPN ConnectionChapter 8 Scenario Site-to-SiteVPN Configuration Configuring the Other Side of the VPN ConnectionTo Do This Configuration”Chapter 7, “Scenario: Remote-Access VPN Configuration”C H A P T E R Configuring the AIP SSMAIP SSM Configuration •AIP SSM Configuration, page•Overview of Configuration Process, page Overview of Configuration Processhostnameconfig-cmap# match access-list acl-name interface interface_ID hostnameconfig#cisco Sessioning to the AIP SSM and Running SetupAIP SSM To Do This Configure the IPS sensorWhat to Do Next To Do ThisVPN Configuration” Configuration”Chapter 7, “Scenario Remote-Access VPN Configuration”•About the CSC SSM, page Configuring the CSC SSMAbout the CSC SSM C H A P T E R10-2 CSC SSMAbout Deploying the Security Appliance with the 10-3 1.The client initiates a request78-17611-01 Chapter 10 Configuring the CSC SSM10-4 Figure 10-2CSC SSM Deployment Scenario78-17611-01 Configuring the CSC SSM for Content SecurityConfiguration Requirements 10-510-6 Obtain Software Activation Key from Cisco.comGather Information 10-7 Launch ASDM10-8 Verify Time Settings10-9 Run the CSC Setup Wizard10-10 •IP address for the Primary DNS serverStep 8 Click Next 10-1178-17611-01 Chapter 10 Configuring the CSC SSM10-12 Step 10 Click NextStep 12 Click Next 10-1310-14 10-15 The Add Service Policy Rule appears10-16 Step 5 Click Next. The Traffic Classification Criteria page appears10-17 Step 8 In the Service Policy Rule Wizard, click the CSC Scan tab78-17611-01 Chapter 10 Configuring the CSC SSM10-18 Step 10 Click FinishStep 11 Click Apply 10-19To Do This Configuration or Monitoring tabthen click the Trend Micro Content What to Do NextVPN Configuration” Configuration”Chapter 7, “Scenario: Remote-Access VPN Configuration”78-17611-01 Chapter 10 Configuring the CSC SSM10-22 What to Do Next•What to Do Next, page Configuring the 4GE SSM for FiberC H A P T E R •Cabling 4GE SSM Interfaces, page11-2 Cabling 4GE SSM Interfaces11-3 LC connector11-4 Note Because the default media type setting is Ethernet, you do not need to change the media type setting for Ethernet interfaces you use11-5 What to Do NextTo Do This 78-17611-01 Chapter 11 Configuring the 4GE SSM for Fiber11-6 What to Do NextC H A P T E R A Obtaining a DES License or a 3DES-AESLicenseactivation-5-tuple-key variable is a CommandPurpose replacing the activation-4-tuple-key