Manuals / Cisco Systems / Household Appliance / Home Security System

Cisco Systems ASA 5500 manual 10-14

Models: ASA 5500

1 144

Download 144 pages 23.87 Kb

Page 128

10-14

Chapter 10 Configuring the CSC SSM

Scenario: Security Appliance with CSC SSM Deployed for Content Security

Step 13 In Step 6 of the CSC Setup Wizard, review configuration settings you just entered for the CSC SSM.

If you are satisfied with these settings, click Finish.

ASDM shows a message indicating that the CSC device is now active.

Divert Traffic to the CSC SSM for Content Scanning

The adaptive security appliance diverts packets to the CSC SSM after firewall policies are applied but before the packets exit the egress interface. For example, packets that are blocked by an access list are not forwarded to the CSC SSM.

Configure service policies to specify which traffic the adaptive security appliance should divert to the CSC SSM. The CSC SSM can scan HTTP, POP3, FTP, and SMTP traffic sent to the well-known ports for those protocols.

	Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
10-14	78-17611-01

Image 128

Cisco Systems ASA 5500 manual 10-14

Contents

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started GuideFor the Cisco ASA 5510, ASA 5520, and ASA Corporate HeadquartersTHE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS Installing Optional SSMs C O N T E N T SPorts and LEDs Before You BeginScenario DMZ Configuration Implementing the Site-to-SiteScenario Configuring Client AttributesConfiguring the Other Side of the VPN Connection Configuration Requirements Run the CSC Setup WizardConfiguring the 4GE SSM for Fiber What to Do NextBefore You Begin Install the chassisChapter 2, “Installing the Cisco ASA Chapter 4, “Connecting InterfaceConfigure the adaptive security appliance for Configuration”Remote-AccessVPN Configuration” VPN Configuration”ASA 5500 with CSC SSM To Do This .... continuedTo Do This To Do ThisASA 5500 with 4GE SSM Install the chassisChapter 2, “Installing the Cisco ASA Install the 4GE SSMInstalling the Cisco ASA •Verifying the Package Contents, page•Installing the Chassis, page C H A P T E RVerifying the Package Contents Figure 2-1Contents of ASA 5500 PackageInstalling the Chassis Rack-Mountingthe Chassis Figure 2-2Installing the Right and Left BracketsPorts and LEDs Figure 2-3 Rack-Mountingthe ChassisDescription ColorState Management Port1 Description IndicatorColor What to Do Next Chapter 3, “Installing Optional SSMs”Chapter 4, “Connecting Interface Chapter 2 Installing the Cisco ASAChapter 2 Installing the Cisco ASA 2-10What to Do Next 78-17611-01Installing Optional SSMs Cisco 4GE SSM•Installing the Cisco 4GE SSM, page Installing the SFP Modules, page4GE SSM Components ColorState DescriptionInstalling the Cisco 4GE SSM ColorState Description•SFP Module, page Installing the SFP Modules•Installing the SFP Module, page SFP Module SFP ModuleType of Connection Cisco Part NumberInstalling the SFP Module Optical port plug Cisco AIP SSM and CSC SSM DRAMInstalling an SSM 1 2 3Color StateWhat to Do Next 3-10Figure 3-6Removing the Screws from the Slot Cover Figure 3-7Inserting the SSM into the SlotConnecting Interface Cables •Connecting Cables to Interfaces, pageC H A P T E R •What to Do Next, pageConnecting Cables to Interfaces Figure 4-1Connecting to the Management Port Chapter 4 Connecting Interface CablesConnecting Cables to Interfaces 78-17611-01b.Console port c.Auxiliary port d.Cisco 4GE SSM Ethernet port •SFP modules LC connector Figure 4-7Connecting to the Management Port Chapter 4 Connecting Interface CablesConnecting Cables to Interfaces 78-17611-014-10 What to Do Nextf.Ethernet ports Configuring the Adaptive Security Appliance About the Factory-DefaultConfiguration•About the Factory-DefaultConfiguration, page •Using the Startup Wizard, page78-17611-01 About the Adaptive Security Device ManagerAbout the Adaptive Security Device Manager Before Launching the Startup Wizard Using the Startup Wizard Configuration” Chapter 7, “Scenario: Remote-AccessVPN Configuration” VPN Configuration”Chapter 9, “Configuring the AIP SSM” Chapter 10, “Configuring the CSCTo Do This SSM”Scenario: DMZ Configuration Example DMZ Network TopologyC H A P T E R Example DMZ Network Topology, pageNetwork Layout for DMZ Configuration Scenario Security Incoming request •Starting ASDM, page Configuration Requirements•Configuration Requirements, page Starting ASDM Creating IP Pools for Network Address Translation a.In the Features pane, click NAT d.From the Interfaces drop-downlist, choose DMZ b.Under the Global Pools tab, click Add 6-10g.Click OK 6-11Step 4 Click Apply in the main ASDM window 6-12Step 2 In the Features pane, click NAT 6-13c.Click OK to add the Dynamic NAT Rule and return to the Configuration > NAT window 6-146-15 Step 2 In the Features pane, click NAT 6-16a.From the Interface drop-downlist, choose Outside 6-176-18 Step 1 In the ASDM window 6-19Step 2 In the Interface and Action area 6-20Step 4 In the Destination area 6-21d.Click OK 6-22Step 7 Click Apply to save the configuration changes to the configuration that the adaptive security appliance is currently running 6-23Refine configuration and configure What to Do NextTo Do This 6-24Chapter 7, “Scenario: Remote-Access VPN Configuration”VPN Configuration” Chapter 6 Scenario: DMZ ConfigurationChapter 6 Scenario DMZ Configuration 6-26What to Do Next 78-17611-01Scenario: Remote-AccessVPN Configuration Example IPsec Remote-AccessVPN Network TopologyC H A P T E R •What to Do Next, pageImplementing the IPsec Remote-AccessVPN Scenario •Information to Have Available, page•Starting ASDM, page •Selecting VPN Client Types, pageInformation to Have Available •Specifying a User Authentication Method, page•Optional Configuring User Accounts, page •Configuring Address Pools, pageStarting ASDM The Main ASDM window appearsa.Click the Remote Access VPN radio button Selecting VPN Client Types Page Specifying a User Authentication Method Step 3 Click Next to continue Optional Configuring User Accounts 7-10Configuring Address Pools 7-11Configuring Client Attributes 7-12Configuring the IKE Policy 7-13Step 2 Click Next to continue 7-14Step 2 Click Next to continue 7-157-16 Verifying the Remote-AccessVPN Configuration 7-17If you are satisfied with the configuration, click Finish to apply the changes to the adaptive security appliance What to Do NextTo Do This 7-18Configuration” VPN Configuration”To Do This Chapter 6, “Scenario: DMZ78-17611-01 7-20What to Do Next Scenario: Site-to-SiteVPN Configuration Example Site-to-SiteVPN Network TopologyC H A P T E R Example Site-to-SiteVPN Network Topology, pageImplementing the Site-to-SiteScenario •Configuring the Site-to-SiteVPN, pageInformation to Have Available •Information to Have Available, pageConfiguring the Site-to-SiteVPN Starting ASDM•Configuring the IKE Policy, page •Starting ASDM, pagePage a.Click the Site-to-SiteVPN radio button Providing Information About the Remote VPN Peer Configuring the IKE Policy Step 2 Click Next to continue Step 2 Click Next to continue Specifying Hosts and Networks 8-10Viewing VPN Attributes and Completing the Wizard 8-11If you want the configuration changes to be saved to the startup configuration so that they are applied the next time the device starts, from the File menu, click Save 8-12Configuring the Other Side of the VPN Connection Chapter 8 Scenario Site-to-SiteVPN ConfigurationConfiguring the Other Side of the VPN Connection What to Do NextConfiguration” Chapter 7, “Scenario: Remote-AccessVPN Configuration” To Do ThisConfiguring the AIP SSM AIP SSM Configuration•AIP SSM Configuration, page C H A P T E ROverview of Configuration Process •Overview of Configuration Process, pagehostnameconfig-cmap# match access-list acl-name hostnameconfig# interface interface_IDSessioning to the AIP SSM and Running Setup ciscoAIP SSM Configure the IPS sensor What to Do NextTo Do This To Do ThisConfiguration” Chapter 7, “Scenario Remote-AccessVPN Configuration” VPN Configuration”Configuring the CSC SSM About the CSC SSMC H A P T E R •About the CSC SSM, page10-2 CSC SSMAbout Deploying the Security Appliance with the 1.The client initiates a request 10-3Chapter 10 Configuring the CSC SSM 10-4Figure 10-2CSC SSM Deployment Scenario 78-17611-01Configuring the CSC SSM for Content Security Configuration Requirements10-5 78-17611-0110-6 Obtain Software Activation Key from Cisco.comGather Information Launch ASDM 10-7Verify Time Settings 10-8Run the CSC Setup Wizard 10-9•IP address for the Primary DNS server 10-1010-11 Step 8 Click NextChapter 10 Configuring the CSC SSM 10-12Step 10 Click Next 78-17611-0110-13 Step 12 Click Next10-14 The Add Service Policy Rule appears 10-15Step 5 Click Next. The Traffic Classification Criteria page appears 10-16Step 8 In the Service Policy Rule Wizard, click the CSC Scan tab 10-17Chapter 10 Configuring the CSC SSM 10-18Step 10 Click Finish 78-17611-0110-19 Step 11 Click ApplyConfiguration or Monitoring tab then click the Trend Micro ContentWhat to Do Next To Do ThisConfiguration” Chapter 7, “Scenario: Remote-AccessVPN Configuration” VPN Configuration”Chapter 10 Configuring the CSC SSM 10-22What to Do Next 78-17611-01Configuring the 4GE SSM for Fiber C H A P T E R•Cabling 4GE SSM Interfaces, page •What to Do Next, pageCabling 4GE SSM Interfaces 11-2LC connector 11-3Note Because the default media type setting is Ethernet, you do not need to change the media type setting for Ethernet interfaces you use 11-411-5 What to Do NextTo Do This Chapter 11 Configuring the 4GE SSM for Fiber 11-6What to Do Next 78-17611-01Obtaining a DES License or a 3DES-AESLicense C H A P T E R ACommand Purposereplacing the activation-4-tuple-key activation-5-tuple-key variable is a