Manuals / Cisco Systems / Household Appliance / Home Security System

Cisco Systems ASA 5500 manual Network Layout for DMZ Configuration Scenario

Models: ASA 5500

1 144

Download 144 pages 23.87 Kb

Page 48

Figure 6-1

Chapter 6 Scenario: DMZ Configuration

Example DMZ Network Topology

Figure 6-1	Network Layout for DMZ Configuration Scenario
		Security
HTTP client		Appliance
HTTP client
	inside interface	outside interface		HTTP client
	10.10.10.0	209.165.200.225	Internet	HTTP client
(private address)		(public address)	Internet
(private address)		(public address)
10.10.10.0	DMZ interface
(private address)	DMZ interface
		10.30.30.0		HTTP client
	(private address)			HTTP client

DMZ Web	Private IP address: 10.30.30.30
Server	Public IP address: 209.165.200.226

132064

This example scenario has the following characteristics:

•The web server is on the DMZ interface of the adaptive security appliance.

•HTTP clients on the private network can access the web server in the DMZ and can also communicate with devices on the Internet.

•Clients on the Internet are permitted HTTP access to the DMZ web server; all other traffic is denied.

•The network has two routable IP addresses that are publicly available: one for the outside interface of the adaptive security appliance (209.165.200.225), and one for the public IP address of the DMZ web server (209.165.200.226).

Figure 6-2shows the outgoing traffic flow of HTTP requests from the private network to both the DMZ web server and to the Internet.

	Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
6-2	78-17611-01

Image 48

Cisco Systems ASA 5500 manual Network Layout for DMZ Configuration Scenario

Contents

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started GuideFor the Cisco ASA 5510, ASA 5520, and ASA Corporate HeadquartersTHE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS Installing Optional SSMs C O N T E N T SPorts and LEDs Before You BeginScenario DMZ Configuration Configuring Client Attributes Configuring the Other Side of the VPN ConnectionImplementing the Site-to-SiteScenario Configuration Requirements Run the CSC Setup WizardConfiguring the 4GE SSM for Fiber What to Do NextBefore You Begin Install the chassisChapter 2, “Installing the Cisco ASA Chapter 4, “Connecting InterfaceConfigure the adaptive security appliance for Configuration”Remote-AccessVPN Configuration” VPN Configuration”ASA 5500 with CSC SSM To Do This .... continuedTo Do This To Do ThisASA 5500 with 4GE SSM Install the chassisChapter 2, “Installing the Cisco ASA Install the 4GE SSMInstalling the Cisco ASA •Verifying the Package Contents, page•Installing the Chassis, page C H A P T E RVerifying the Package Contents Figure 2-1Contents of ASA 5500 PackageInstalling the Chassis Rack-Mountingthe Chassis Figure 2-2Installing the Right and Left BracketsPorts and LEDs Figure 2-3 Rack-Mountingthe ChassisColor StateDescription Management Port1 Indicator ColorDescription What to Do Next Chapter 3, “Installing Optional SSMs”Chapter 4, “Connecting Interface Chapter 2 Installing the Cisco ASAChapter 2 Installing the Cisco ASA 2-10What to Do Next 78-17611-01Installing Optional SSMs Cisco 4GE SSM•Installing the Cisco 4GE SSM, page Installing the SFP Modules, page4GE SSM Components ColorState DescriptionInstalling the Cisco 4GE SSM ColorState DescriptionInstalling the SFP Modules •Installing the SFP Module, page•SFP Module, page SFP Module SFP ModuleType of Connection Cisco Part NumberInstalling the SFP Module Optical port plug Cisco AIP SSM and CSC SSM DRAMInstalling an SSM 1 2 3Color StateWhat to Do Next 3-10Figure 3-6Removing the Screws from the Slot Cover Figure 3-7Inserting the SSM into the SlotConnecting Interface Cables •Connecting Cables to Interfaces, pageC H A P T E R •What to Do Next, pageConnecting Cables to Interfaces Figure 4-1Connecting to the Management Port Chapter 4 Connecting Interface CablesConnecting Cables to Interfaces 78-17611-01b.Console port c.Auxiliary port d.Cisco 4GE SSM Ethernet port •SFP modules LC connector Figure 4-7Connecting to the Management Port Chapter 4 Connecting Interface CablesConnecting Cables to Interfaces 78-17611-01What to Do Next f.Ethernet ports4-10 Configuring the Adaptive Security Appliance About the Factory-DefaultConfiguration•About the Factory-DefaultConfiguration, page •Using the Startup Wizard, pageAbout the Adaptive Security Device Manager About the Adaptive Security Device Manager78-17611-01 Before Launching the Startup Wizard Using the Startup Wizard Configuration” Chapter 7, “Scenario: Remote-AccessVPN Configuration” VPN Configuration”Chapter 9, “Configuring the AIP SSM” Chapter 10, “Configuring the CSCTo Do This SSM”Scenario: DMZ Configuration Example DMZ Network TopologyC H A P T E R Example DMZ Network Topology, pageNetwork Layout for DMZ Configuration Scenario Security Incoming request Configuration Requirements •Configuration Requirements, page•Starting ASDM, page Starting ASDM Creating IP Pools for Network Address Translation a.In the Features pane, click NAT d.From the Interfaces drop-downlist, choose DMZ b.Under the Global Pools tab, click Add 6-10g.Click OK 6-11Step 4 Click Apply in the main ASDM window 6-12Step 2 In the Features pane, click NAT 6-13c.Click OK to add the Dynamic NAT Rule and return to the Configuration > NAT window 6-146-15 Step 2 In the Features pane, click NAT 6-16a.From the Interface drop-downlist, choose Outside 6-176-18 Step 1 In the ASDM window 6-19Step 2 In the Interface and Action area 6-20Step 4 In the Destination area 6-21d.Click OK 6-22Step 7 Click Apply to save the configuration changes to the configuration that the adaptive security appliance is currently running 6-23Refine configuration and configure What to Do NextTo Do This 6-24Chapter 7, “Scenario: Remote-Access VPN Configuration”VPN Configuration” Chapter 6 Scenario: DMZ ConfigurationChapter 6 Scenario DMZ Configuration 6-26What to Do Next 78-17611-01Scenario: Remote-AccessVPN Configuration Example IPsec Remote-AccessVPN Network TopologyC H A P T E R •What to Do Next, pageImplementing the IPsec Remote-AccessVPN Scenario •Information to Have Available, page•Starting ASDM, page •Selecting VPN Client Types, pageInformation to Have Available •Specifying a User Authentication Method, page•Optional Configuring User Accounts, page •Configuring Address Pools, pageStarting ASDM The Main ASDM window appearsa.Click the Remote Access VPN radio button Selecting VPN Client Types Page Specifying a User Authentication Method Step 3 Click Next to continue Optional Configuring User Accounts 7-10Configuring Address Pools 7-11Configuring Client Attributes 7-12Configuring the IKE Policy 7-13Step 2 Click Next to continue 7-14Step 2 Click Next to continue 7-157-16 Verifying the Remote-AccessVPN Configuration 7-17If you are satisfied with the configuration, click Finish to apply the changes to the adaptive security appliance What to Do NextTo Do This 7-18Configuration” VPN Configuration”To Do This Chapter 6, “Scenario: DMZ7-20 What to Do Next78-17611-01 Scenario: Site-to-SiteVPN Configuration Example Site-to-SiteVPN Network TopologyC H A P T E R Example Site-to-SiteVPN Network Topology, pageImplementing the Site-to-SiteScenario •Configuring the Site-to-SiteVPN, pageInformation to Have Available •Information to Have Available, pageConfiguring the Site-to-SiteVPN Starting ASDM•Configuring the IKE Policy, page •Starting ASDM, pagePage a.Click the Site-to-SiteVPN radio button Providing Information About the Remote VPN Peer Configuring the IKE Policy Step 2 Click Next to continue Step 2 Click Next to continue Specifying Hosts and Networks 8-10Viewing VPN Attributes and Completing the Wizard 8-11If you want the configuration changes to be saved to the startup configuration so that they are applied the next time the device starts, from the File menu, click Save 8-12Configuring the Other Side of the VPN Connection Chapter 8 Scenario Site-to-SiteVPN ConfigurationConfiguring the Other Side of the VPN Connection What to Do NextConfiguration” Chapter 7, “Scenario: Remote-AccessVPN Configuration” To Do ThisConfiguring the AIP SSM AIP SSM Configuration•AIP SSM Configuration, page C H A P T E ROverview of Configuration Process •Overview of Configuration Process, pagehostnameconfig-cmap# match access-list acl-name hostnameconfig# interface interface_IDSessioning to the AIP SSM and Running Setup ciscoAIP SSM Configure the IPS sensor What to Do NextTo Do This To Do ThisConfiguration” Chapter 7, “Scenario Remote-AccessVPN Configuration” VPN Configuration”Configuring the CSC SSM About the CSC SSMC H A P T E R •About the CSC SSM, pageCSC SSM About Deploying the Security Appliance with the10-2 1.The client initiates a request 10-3Chapter 10 Configuring the CSC SSM 10-4Figure 10-2CSC SSM Deployment Scenario 78-17611-01Configuring the CSC SSM for Content Security Configuration Requirements10-5 78-17611-01Obtain Software Activation Key from Cisco.com Gather Information10-6 Launch ASDM 10-7Verify Time Settings 10-8Run the CSC Setup Wizard 10-9•IP address for the Primary DNS server 10-1010-11 Step 8 Click NextChapter 10 Configuring the CSC SSM 10-12Step 10 Click Next 78-17611-0110-13 Step 12 Click Next10-14 The Add Service Policy Rule appears 10-15Step 5 Click Next. The Traffic Classification Criteria page appears 10-16Step 8 In the Service Policy Rule Wizard, click the CSC Scan tab 10-17Chapter 10 Configuring the CSC SSM 10-18Step 10 Click Finish 78-17611-0110-19 Step 11 Click ApplyConfiguration or Monitoring tab then click the Trend Micro ContentWhat to Do Next To Do ThisConfiguration” Chapter 7, “Scenario: Remote-AccessVPN Configuration” VPN Configuration”Chapter 10 Configuring the CSC SSM 10-22What to Do Next 78-17611-01Configuring the 4GE SSM for Fiber C H A P T E R•Cabling 4GE SSM Interfaces, page •What to Do Next, pageCabling 4GE SSM Interfaces 11-2LC connector 11-3Note Because the default media type setting is Ethernet, you do not need to change the media type setting for Ethernet interfaces you use 11-4What to Do Next To Do This11-5 Chapter 11 Configuring the 4GE SSM for Fiber 11-6What to Do Next 78-17611-01Obtaining a DES License or a 3DES-AESLicense C H A P T E R ACommand Purposereplacing the activation-4-tuple-key activation-5-tuple-key variable is a