Manuals / Cisco Systems / Household Appliance / Home Security System

Cisco Systems ASA 5500 manual •Configuration Requirements, page, •Starting ASDM, page

Models: ASA 5500

1 144

Download 144 pages 23.87 Kb

Page 51

Chapter 6 Scenario: DMZ Configuration

Configuring the Security Appliance for a DMZ Deployment

This configuration procedure assumes that the adaptive security appliance already has interfaces configured for the inside interface, the DMZ interface, and the outside interface. Set up interfaces of the adaptive security appliance by using the Startup Wizard in ASDM. Be sure that the DMZ interface security level is set between 0 and 100. (A common choice is 50.)

For more information about using the Startup Wizard, see Chapter 5, “Configuring the Adaptive Security Appliance.”

The section includes the following topics:

•Configuration Requirements, page 6-5

•Starting ASDM, page 6-6

•Creating IP Pools for Network Address Translation, page 6-7

•Configuring NAT for Inside Clients to Communicate with the DMZ Web Server, page 6-12

•Configuring NAT for Inside Clients to Communicate with Devices on the Internet, page 6-15

•Configuring an External Identity for the DMZ Web Server, page 6-16

•Providing Public HTTP Access to the DMZ Web Server, page 6-18

The following sections provide detailed instructions for how to perform each step.

Configuration Requirements

Configuring the adaptive security appliance for this DMZ deployment requires the following configuration tasks:

•For the internal clients to have HTTP access to the DMZ web server, you must create a pool of IP addresses for address translation and identify which clients should use addresses from the pool. To accomplish this task, you should configure the following:

–A pool of IP addresses for the DMZ interface. In this scenario, the IP pool is 10.30.30.50–10.30.30.60.

–A dynamic NAT translation rule for the inside interface that specifies which client IP addresses can be assigned an address from the IP pool.

		Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide

	78-17611-01			6-5
	78-17611-01			6-5

Image 51

Cisco Systems ASA 5500 manual •Configuration Requirements, page, •Starting ASDM, page

Contents

Corporate Headquarters Cisco ASA 5500 Series AdaptiveSecurity Appliance Getting Started Guide For the Cisco ASA 5510, ASA 5520, and ASATHE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS Before You Begin Installing Optional SSMsC O N T E N T S Ports and LEDsScenario DMZ Configuration Configuring Client Attributes Configuring the Other Side of the VPN ConnectionImplementing the Site-to-SiteScenario What to Do Next Configuration RequirementsRun the CSC Setup Wizard Configuring the 4GE SSM for FiberChapter 4, “Connecting Interface Before You BeginInstall the chassis Chapter 2, “Installing the Cisco ASAVPN Configuration” Configure the adaptive security appliance forConfiguration” Remote-AccessVPN Configuration”To Do This ASA 5500 with CSC SSMTo Do This .... continued To Do ThisInstall the 4GE SSM ASA 5500 with 4GE SSMInstall the chassis Chapter 2, “Installing the Cisco ASAC H A P T E R Installing the Cisco ASA•Verifying the Package Contents, page •Installing the Chassis, pageFigure 2-1Contents of ASA 5500 Package Verifying the Package ContentsInstalling the Chassis Figure 2-2Installing the Right and Left Brackets Rack-Mountingthe ChassisFigure 2-3 Rack-Mountingthe Chassis Ports and LEDsColor StateDescription Management Port1 Indicator ColorDescription Chapter 2 Installing the Cisco ASA What to Do NextChapter 3, “Installing Optional SSMs” Chapter 4, “Connecting Interface78-17611-01 Chapter 2 Installing the Cisco ASA2-10 What to Do NextInstalling the SFP Modules, page Installing Optional SSMsCisco 4GE SSM •Installing the Cisco 4GE SSM, pageDescription 4GE SSM ComponentsColor StateDescription Installing the Cisco 4GE SSMColor StateInstalling the SFP Modules •Installing the SFP Module, page•SFP Module, page Cisco Part Number SFP ModuleSFP Module Type of ConnectionInstalling the SFP Module Optical port plug DRAM Cisco AIP SSM and CSC SSMState Installing an SSM1 2 3 ColorFigure 3-7Inserting the SSM into the Slot What to Do Next3-10 Figure 3-6Removing the Screws from the Slot Cover•What to Do Next, page Connecting Interface Cables•Connecting Cables to Interfaces, page C H A P T E RConnecting Cables to Interfaces 78-17611-01 Figure 4-1Connecting to the Management PortChapter 4 Connecting Interface Cables Connecting Cables to Interfacesb.Console port c.Auxiliary port d.Cisco 4GE SSM Ethernet port •SFP modules LC connector 78-17611-01 Figure 4-7Connecting to the Management PortChapter 4 Connecting Interface Cables Connecting Cables to InterfacesWhat to Do Next f.Ethernet ports4-10 •Using the Startup Wizard, page Configuring the Adaptive Security ApplianceAbout the Factory-DefaultConfiguration •About the Factory-DefaultConfiguration, pageAbout the Adaptive Security Device Manager About the Adaptive Security Device Manager78-17611-01 Before Launching the Startup Wizard Using the Startup Wizard VPN Configuration” Configuration”Chapter 7, “Scenario: Remote-Access VPN Configuration”SSM” Chapter 9, “Configuring the AIP SSM”Chapter 10, “Configuring the CSC To Do ThisExample DMZ Network Topology, page Scenario: DMZ ConfigurationExample DMZ Network Topology C H A P T E RNetwork Layout for DMZ Configuration Scenario Security Incoming request Configuration Requirements •Configuration Requirements, page•Starting ASDM, page Starting ASDM Creating IP Pools for Network Address Translation a.In the Features pane, click NAT d.From the Interfaces drop-downlist, choose DMZ 6-10 b.Under the Global Pools tab, click Add6-11 g.Click OK6-12 Step 4 Click Apply in the main ASDM window6-13 Step 2 In the Features pane, click NAT6-14 c.Click OK to add the Dynamic NAT Rule and return to the Configuration > NAT window6-15 6-16 Step 2 In the Features pane, click NAT6-17 a.From the Interface drop-downlist, choose Outside6-18 6-19 Step 1 In the ASDM window6-20 Step 2 In the Interface and Action area6-21 Step 4 In the Destination area6-22 d.Click OK6-23 Step 7 Click Apply to save the configuration changes to the configuration that the adaptive security appliance is currently running6-24 Refine configuration and configureWhat to Do Next To Do ThisChapter 6 Scenario: DMZ Configuration Chapter 7, “Scenario: Remote-AccessVPN Configuration” VPN Configuration”78-17611-01 Chapter 6 Scenario DMZ Configuration6-26 What to Do Next•What to Do Next, page Scenario: Remote-AccessVPN ConfigurationExample IPsec Remote-AccessVPN Network Topology C H A P T E R•Selecting VPN Client Types, page Implementing the IPsec Remote-AccessVPN Scenario•Information to Have Available, page •Starting ASDM, page•Configuring Address Pools, page Information to Have Available•Specifying a User Authentication Method, page •Optional Configuring User Accounts, pageThe Main ASDM window appears Starting ASDMa.Click the Remote Access VPN radio button Selecting VPN Client Types Page Specifying a User Authentication Method Step 3 Click Next to continue 7-10 Optional Configuring User Accounts7-11 Configuring Address Pools7-12 Configuring Client Attributes7-13 Configuring the IKE Policy7-14 Step 2 Click Next to continue7-15 Step 2 Click Next to continue7-16 7-17 Verifying the Remote-AccessVPN Configuration7-18 If you are satisfied with the configuration, click Finish to apply the changes to the adaptive security applianceWhat to Do Next To Do ThisChapter 6, “Scenario: DMZ Configuration”VPN Configuration” To Do This7-20 What to Do Next78-17611-01 Example Site-to-SiteVPN Network Topology, page Scenario: Site-to-SiteVPN ConfigurationExample Site-to-SiteVPN Network Topology C H A P T E R•Information to Have Available, page Implementing the Site-to-SiteScenario•Configuring the Site-to-SiteVPN, page Information to Have Available•Starting ASDM, page Configuring the Site-to-SiteVPNStarting ASDM •Configuring the IKE Policy, pagePage a.Click the Site-to-SiteVPN radio button Providing Information About the Remote VPN Peer Configuring the IKE Policy Step 2 Click Next to continue Step 2 Click Next to continue 8-10 Specifying Hosts and Networks8-11 Viewing VPN Attributes and Completing the Wizard8-12 If you want the configuration changes to be saved to the startup configuration so that they are applied the next time the device starts, from the File menu, click SaveWhat to Do Next Configuring the Other Side of the VPN ConnectionChapter 8 Scenario Site-to-SiteVPN Configuration Configuring the Other Side of the VPN ConnectionTo Do This Configuration”Chapter 7, “Scenario: Remote-Access VPN Configuration”C H A P T E R Configuring the AIP SSMAIP SSM Configuration •AIP SSM Configuration, page•Overview of Configuration Process, page Overview of Configuration Processhostnameconfig-cmap# match access-list acl-name interface interface_ID hostnameconfig#cisco Sessioning to the AIP SSM and Running SetupAIP SSM To Do This Configure the IPS sensorWhat to Do Next To Do ThisVPN Configuration” Configuration”Chapter 7, “Scenario Remote-Access VPN Configuration”•About the CSC SSM, page Configuring the CSC SSMAbout the CSC SSM C H A P T E RCSC SSM About Deploying the Security Appliance with the10-2 10-3 1.The client initiates a request78-17611-01 Chapter 10 Configuring the CSC SSM10-4 Figure 10-2CSC SSM Deployment Scenario78-17611-01 Configuring the CSC SSM for Content SecurityConfiguration Requirements 10-5Obtain Software Activation Key from Cisco.com Gather Information10-6 10-7 Launch ASDM10-8 Verify Time Settings10-9 Run the CSC Setup Wizard10-10 •IP address for the Primary DNS serverStep 8 Click Next 10-1178-17611-01 Chapter 10 Configuring the CSC SSM10-12 Step 10 Click NextStep 12 Click Next 10-1310-14 10-15 The Add Service Policy Rule appears10-16 Step 5 Click Next. The Traffic Classification Criteria page appears10-17 Step 8 In the Service Policy Rule Wizard, click the CSC Scan tab78-17611-01 Chapter 10 Configuring the CSC SSM10-18 Step 10 Click FinishStep 11 Click Apply 10-19To Do This Configuration or Monitoring tabthen click the Trend Micro Content What to Do NextVPN Configuration” Configuration”Chapter 7, “Scenario: Remote-Access VPN Configuration”78-17611-01 Chapter 10 Configuring the CSC SSM10-22 What to Do Next•What to Do Next, page Configuring the 4GE SSM for FiberC H A P T E R •Cabling 4GE SSM Interfaces, page11-2 Cabling 4GE SSM Interfaces11-3 LC connector11-4 Note Because the default media type setting is Ethernet, you do not need to change the media type setting for Ethernet interfaces you useWhat to Do Next To Do This11-5 78-17611-01 Chapter 11 Configuring the 4GE SSM for Fiber11-6 What to Do NextC H A P T E R A Obtaining a DES License or a 3DES-AESLicenseactivation-5-tuple-key variable is a CommandPurpose replacing the activation-4-tuple-key