Cisco ASA 5500 Series Adaptive
Security Appliance Getting Started Guide
For the Cisco ASA 5510, ASA 5520, and ASA
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS
Before You Begin
Installing Optional SSMs
Contents
Ports and LEDs
Scenario DMZ Configuration
Configuring Client Attributes
Configuring the Other Side of the VPN Connection
Implementing the Site-to-Site Scenario
What to Do Next
Configuration Requirements
Run the CSC Setup Wizard
Configuring the 4GE SSM for Fiber
Chapter 4, “Connecting Interface
Before You Begin
Install the chassis
Chapter 2, “Installing the Cisco ASA
VPN Configuration”
Configure the adaptive security appliance for
Configuration”
Remote-Access VPN Configuration”
To Do This
ASA 5500 with CSC SSM
To Do This
Install the 4GE SSM
ASA 5500 with 4GE SSM
Install the chassis
Chapter 2, “Installing the Cisco ASA
Installing the Cisco ASA
• Verifying the Package Contents
• Installing the Chassis
Figure 2-1 Contents of ASA 5500 Package
Verifying the Package Contents
Installing the Chassis
Figure 2-2 Installing the Right and Left Brackets
Rack-Mounting the Chassis
Figure 2-3 Rack-Mounting the Chassis
Ports and LEDs
Color
State
Description
Management Port1
Indicator
Color
Description
Chapter 2 Installing the Cisco ASA
What to Do Next
Chapter 3, “Installing Optional SSMs”
Chapter 4, “Connecting Interface
78-17611-01
What to Do Next
Installing the SFP Modules
Installing Optional SSMs
Cisco 4GE SSM
• Installing the Cisco 4GE SSM
Description
4GE SSM Components
Color
State
Description
Installing the Cisco 4GE SSM
Color
State
Installing the SFP Modules
• Installing the SFP Module
• SFP Module
Cisco Part Number
SFP Module
SFP Module
Type of Connection
Installing the SFP Module
Optical port plug
DRAM
Cisco AIP SSM and CSC SSM
State
Installing an SSM
Color
Figure 3-7 Inserting the SSM into the Slot
What to Do Next
Figure 3-6 Removing the Screws from the Slot Cover
• What to Do Next
Connecting Interface Cables
• Connecting Cables to Interfaces
Connecting Cables to Interfaces
Figure 4-1 Connecting to the Management Port
Chapter 4 Connecting Interface Cables
Connecting Cables to Interfaces
b. Console port
c. Auxiliary port
d. Cisco 4GE SSM Ethernet port
• SFP modules
LC connector
Figure 4-7 Connecting to the Management Port
Connecting Cables to Interfaces
What to Do Next
f. Ethernet ports
• Using the Startup Wizard
Configuring the Adaptive Security Appliance
About the Factory-Default Configuration
• About the Factory-Default Configuration
About the Adaptive Security Device Manager
Before Launching the Startup Wizard
Using the Startup Wizard
VPN Configuration”
Configuration”
Chapter 7, “Scenario: Remote-Access
VPN Configuration”
SSM”
Chapter 9, “Configuring the AIP SSM”
Chapter 10, “Configuring the CSC
To Do This
Example DMZ Network Topology
Scenario: DMZ Configuration
Example DMZ Network Topology
Network Layout for DMZ Configuration Scenario
Security
Incoming request
Configuration Requirements
• Configuration Requirements
• Starting ASDM
Starting ASDM
Creating IP Pools for Network Address Translation
a. In the Features pane, click NAT
d. From the Interfaces drop-down list, choose DMZ
b. Under the Global Pools tab, click Add
g. Click OK
Step 4 Click Apply in the main ASDM window
Step 2 In the Features pane, click NAT
c. Click OK to add the Dynamic NAT Rule and return to the Configuration > NAT window
Step 2 In the Features pane, click NAT
a. From the Interface drop-down list, choose Outside
Step 1 In the ASDM window
Step 2 In the Interface and Action area
Step 4 In the Destination area
d. Click OK
Step 7 Click Apply to save the configuration changes to the configuration that the adaptive security appliance is currently running
Refine configuration and configure
What to Do Next
To Do This
Chapter 6 Scenario: DMZ Configuration
Chapter 7, “Scenario: Remote-Access
VPN Configuration”
VPN Configuration”
What to Do Next
• What to Do Next
Scenario: Remote-Access VPN Configuration
Example IPsec Remote-Access VPN Network Topology
• Selecting VPN Client Types
Implementing the IPsec Remote-Access VPN Scenario
• Information to Have Available
• Starting ASDM
• Configuring Address Pools
Information to Have Available
• Specifying a User Authentication Method
• Optional Configuring User Accounts
The Main ASDM window appears
Starting ASDM
a. Click the Remote Access VPN radio button
Selecting VPN Client Types
Specifying a User Authentication Method
Step 3 Click Next to continue
Optional Configuring User Accounts
Configuring Address Pools
Configuring Client Attributes
Configuring the IKE Policy
Step 2 Click Next to continue
Step 2 Click Next to continue
Verifying the Remote-Access VPN Configuration
If you are satisfied with the configuration, click Finish to apply the changes to the adaptive security appliance
What to Do Next
To Do This
Chapter 6, “Scenario: DMZ
Configuration”
VPN Configuration”
To Do This
What to Do Next
Example Site-to-Site VPN Network Topology
Scenario: Site-to-Site VPN Configuration
Example Site-to-Site VPN Network Topology
• Information to Have Available
Implementing the Site-to-Site Scenario
• Configuring the Site-to-Site VPN
Information to Have Available
• Starting ASDM
Configuring the Site-to-Site VPN
Starting ASDM
• Configuring the IKE Policy
a. Click the Site-to-Site VPN radio button
Providing Information About the Remote VPN Peer
Configuring the IKE Policy
Step 2 Click Next to continue
Step 2 Click Next to continue
Specifying Hosts and Networks
Viewing VPN Attributes and Completing the Wizard
If you want the configuration changes to be saved to the startup configuration so that they are applied the next time the device starts, from the File menu, click Save
What to Do Next
Configuring the Other Side of the VPN Connection
Chapter 8 Scenario Site-to-Site VPN Configuration
Configuring the Other Side of the VPN Connection
To Do This
Configuration”
Chapter 7, “Scenario: Remote-Access
VPN Configuration”
Configuring the AIP SSM
AIP SSM Configuration
• AIP SSM Configuration
• Overview of Configuration Process
Overview of Configuration Process
hostname(config-cmap)# match access-list acl-name
interface interface_ID
hostname(config)#
cisco
Sessioning to the AIP SSM and Running Setup
AIP SSM
To Do This
Configure the IPS sensor
What to Do Next
To Do This
VPN Configuration”
Configuration”
Chapter 7, “Scenario Remote-Access
VPN Configuration”
• About the CSC SSM
Configuring the CSC SSM
About the CSC SSM
CSC SSM
About Deploying the Security Appliance with the
1. The client initiates a request
Chapter 10 Configuring the CSC SSM
Figure 10-2 CSC SSM Deployment Scenario
Configuring the CSC SSM for Content Security
Configuration Requirements
Obtain Software Activation Key from Cisco.com
Gather Information
Launch ASDM
Verify Time Settings
Run the CSC Setup Wizard
• IP address for the Primary DNS server
Step 8 Click Next
Step 10 Click Next
Step 12 Click Next
The Add Service Policy Rule appears
Step 5 Click Next. The Traffic Classification Criteria page appears
Step 8 In the Service Policy Rule Wizard, click the CSC Scan tab
Step 10 Click Finish
Step 11 Click Apply
To Do This
Configuration or Monitoring tab
then click the Trend Micro Content
What to Do Next
VPN Configuration”
Configuration”
Chapter 7, “Scenario: Remote-Access
VPN Configuration”
What to Do Next
• What to Do Next
Configuring the 4GE SSM for Fiber
• Cabling 4GE SSM Interfaces
Cabling 4GE SSM Interfaces
LC connector
Note Because the default media type setting is Ethernet, you do not need to change the media type setting for Ethernet interfaces you use
What to Do Next
To Do This
Chapter 11 Configuring the 4GE SSM for Fiber
What to Do Next
Chapter A
Obtaining a DES License or a 3DES-AES License
activation-5-tuple-key variable is a
Command
Purpose
replacing the activation-4-tuple-key