Manuals / Cisco Systems / Household Appliance / Home Security System

Cisco Systems ASA 5500 manual In the Features pane, click NAT, 6-16

Models: ASA 5500

1 144

Download 144 pages 23.87 Kb

Page 62

6-16

Chapter 6 Scenario: DMZ Configuration

Configuring the Security Appliance for a DMZ Deployment

For many configurations, you would also need to create a NAT rule between the inside interface and the outside interface to enable inside clients to communicate with the Internet.

However, in this scenario you do not need to create this rule explicitly. The reason is that the IP pool (pool ID 200) contains both types of addresses needed for address translation: the range of IP addresses to be used by the DMZ interface, and the IP address to be used for the outside interface. This enables ASDM to create the second translation rule for you.

Configuring an External Identity for the DMZ Web Server

The DMZ web server needs to be accessible by all hosts on the Internet. This configuration requires translating the private IP address of the DMZ web server to a public IP address, enabling access to outside HTTP clients that are unaware of the adaptive security appliance. To map the real web server IP address (10.30.30.30) statically to a public IP address (209.165.200.226), perform the following steps:

Step 1 In the ASDM window, click the Configuration tool.

Step 2 In the Features pane, click NAT.

Step 3 From the Add drop-down list, choose Add Static NAT Rule. The Add Static NAT Rule dialog box appears.

Step 4 In the Real Address area, specify the real IP address of the web server:

a.From the Interface drop-down list, choose the DMZ interface.

b.Enter the real IP address of the DMZ web server. In this scenario, the IP address is 10.30.30.30.

c.From the Netmask drop-down list, choose the Netmask 255.255.255.255.

	Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
6-16	78-17611-01

Image 62

Cisco Systems ASA 5500 manual In the Features pane, click NAT, 6-16

Contents

For the Cisco ASA 5510, ASA 5520, and ASA Cisco ASA 5500 Series AdaptiveSecurity Appliance Getting Started Guide Corporate HeadquartersTHE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS Ports and LEDs Installing Optional SSMsC O N T E N T S Before You BeginScenario DMZ Configuration Implementing the Site-to-SiteScenario Configuring Client AttributesConfiguring the Other Side of the VPN Connection Configuring the 4GE SSM for Fiber Configuration RequirementsRun the CSC Setup Wizard What to Do NextChapter 2, “Installing the Cisco ASA Before You BeginInstall the chassis Chapter 4, “Connecting InterfaceRemote-AccessVPN Configuration” Configure the adaptive security appliance forConfiguration” VPN Configuration”To Do This ASA 5500 with CSC SSMTo Do This .... continued To Do ThisChapter 2, “Installing the Cisco ASA ASA 5500 with 4GE SSMInstall the chassis Install the 4GE SSM•Installing the Chassis, page Installing the Cisco ASA•Verifying the Package Contents, page C H A P T E RVerifying the Package Contents Figure 2-1Contents of ASA 5500 PackageInstalling the Chassis Rack-Mountingthe Chassis Figure 2-2Installing the Right and Left BracketsPorts and LEDs Figure 2-3 Rack-Mountingthe ChassisDescription ColorState Management Port1 Description IndicatorColor Chapter 4, “Connecting Interface What to Do NextChapter 3, “Installing Optional SSMs” Chapter 2 Installing the Cisco ASAWhat to Do Next Chapter 2 Installing the Cisco ASA2-10 78-17611-01•Installing the Cisco 4GE SSM, page Installing Optional SSMsCisco 4GE SSM Installing the SFP Modules, pageState 4GE SSM ComponentsColor DescriptionState Installing the Cisco 4GE SSMColor Description•SFP Module, page Installing the SFP Modules•Installing the SFP Module, page Type of Connection SFP ModuleSFP Module Cisco Part NumberInstalling the SFP Module Optical port plug Cisco AIP SSM and CSC SSM DRAMColor Installing an SSM1 2 3 StateFigure 3-6Removing the Screws from the Slot Cover What to Do Next3-10 Figure 3-7Inserting the SSM into the SlotC H A P T E R Connecting Interface Cables•Connecting Cables to Interfaces, page •What to Do Next, pageConnecting Cables to Interfaces Connecting Cables to Interfaces Figure 4-1Connecting to the Management PortChapter 4 Connecting Interface Cables 78-17611-01b.Console port c.Auxiliary port d.Cisco 4GE SSM Ethernet port •SFP modules LC connector Connecting Cables to Interfaces Figure 4-7Connecting to the Management PortChapter 4 Connecting Interface Cables 78-17611-014-10 What to Do Nextf.Ethernet ports •About the Factory-DefaultConfiguration, page Configuring the Adaptive Security ApplianceAbout the Factory-DefaultConfiguration •Using the Startup Wizard, page78-17611-01 About the Adaptive Security Device ManagerAbout the Adaptive Security Device Manager Before Launching the Startup Wizard Using the Startup Wizard VPN Configuration” Configuration”Chapter 7, “Scenario: Remote-Access VPN Configuration”To Do This Chapter 9, “Configuring the AIP SSM”Chapter 10, “Configuring the CSC SSM”C H A P T E R Scenario: DMZ ConfigurationExample DMZ Network Topology Example DMZ Network Topology, pageNetwork Layout for DMZ Configuration Scenario Security Incoming request •Starting ASDM, page Configuration Requirements•Configuration Requirements, page Starting ASDM Creating IP Pools for Network Address Translation a.In the Features pane, click NAT d.From the Interfaces drop-downlist, choose DMZ b.Under the Global Pools tab, click Add 6-10g.Click OK 6-11Step 4 Click Apply in the main ASDM window 6-12Step 2 In the Features pane, click NAT 6-13c.Click OK to add the Dynamic NAT Rule and return to the Configuration > NAT window 6-146-15 Step 2 In the Features pane, click NAT 6-16a.From the Interface drop-downlist, choose Outside 6-176-18 Step 1 In the ASDM window 6-19Step 2 In the Interface and Action area 6-20Step 4 In the Destination area 6-21d.Click OK 6-22Step 7 Click Apply to save the configuration changes to the configuration that the adaptive security appliance is currently running 6-23To Do This Refine configuration and configureWhat to Do Next 6-24VPN Configuration” Chapter 7, “Scenario: Remote-AccessVPN Configuration” Chapter 6 Scenario: DMZ ConfigurationWhat to Do Next Chapter 6 Scenario DMZ Configuration6-26 78-17611-01C H A P T E R Scenario: Remote-AccessVPN ConfigurationExample IPsec Remote-AccessVPN Network Topology •What to Do Next, page•Starting ASDM, page Implementing the IPsec Remote-AccessVPN Scenario•Information to Have Available, page •Selecting VPN Client Types, page•Optional Configuring User Accounts, page Information to Have Available•Specifying a User Authentication Method, page •Configuring Address Pools, pageStarting ASDM The Main ASDM window appearsa.Click the Remote Access VPN radio button Selecting VPN Client Types Page Specifying a User Authentication Method Step 3 Click Next to continue Optional Configuring User Accounts 7-10Configuring Address Pools 7-11Configuring Client Attributes 7-12Configuring the IKE Policy 7-13Step 2 Click Next to continue 7-14Step 2 Click Next to continue 7-157-16 Verifying the Remote-AccessVPN Configuration 7-17To Do This If you are satisfied with the configuration, click Finish to apply the changes to the adaptive security applianceWhat to Do Next 7-18To Do This Configuration”VPN Configuration” Chapter 6, “Scenario: DMZ78-17611-01 7-20What to Do Next C H A P T E R Scenario: Site-to-SiteVPN ConfigurationExample Site-to-SiteVPN Network Topology Example Site-to-SiteVPN Network Topology, pageInformation to Have Available Implementing the Site-to-SiteScenario•Configuring the Site-to-SiteVPN, page •Information to Have Available, page•Configuring the IKE Policy, page Configuring the Site-to-SiteVPNStarting ASDM •Starting ASDM, pagePage a.Click the Site-to-SiteVPN radio button Providing Information About the Remote VPN Peer Configuring the IKE Policy Step 2 Click Next to continue Step 2 Click Next to continue Specifying Hosts and Networks 8-10Viewing VPN Attributes and Completing the Wizard 8-11If you want the configuration changes to be saved to the startup configuration so that they are applied the next time the device starts, from the File menu, click Save 8-12Configuring the Other Side of the VPN Connection Configuring the Other Side of the VPN ConnectionChapter 8 Scenario Site-to-SiteVPN Configuration What to Do NextVPN Configuration” Configuration”Chapter 7, “Scenario: Remote-Access To Do This•AIP SSM Configuration, page Configuring the AIP SSMAIP SSM Configuration C H A P T E ROverview of Configuration Process •Overview of Configuration Process, pagehostnameconfig-cmap# match access-list acl-name hostnameconfig# interface interface_IDSessioning to the AIP SSM and Running Setup ciscoAIP SSM To Do This Configure the IPS sensorWhat to Do Next To Do ThisVPN Configuration” Configuration”Chapter 7, “Scenario Remote-Access VPN Configuration”C H A P T E R Configuring the CSC SSMAbout the CSC SSM •About the CSC SSM, page10-2 CSC SSMAbout Deploying the Security Appliance with the 1.The client initiates a request 10-3Figure 10-2CSC SSM Deployment Scenario Chapter 10 Configuring the CSC SSM10-4 78-17611-0110-5 Configuring the CSC SSM for Content SecurityConfiguration Requirements 78-17611-0110-6 Obtain Software Activation Key from Cisco.comGather Information Launch ASDM 10-7Verify Time Settings 10-8Run the CSC Setup Wizard 10-9•IP address for the Primary DNS server 10-1010-11 Step 8 Click NextStep 10 Click Next Chapter 10 Configuring the CSC SSM10-12 78-17611-0110-13 Step 12 Click Next10-14 The Add Service Policy Rule appears 10-15Step 5 Click Next. The Traffic Classification Criteria page appears 10-16Step 8 In the Service Policy Rule Wizard, click the CSC Scan tab 10-17Step 10 Click Finish Chapter 10 Configuring the CSC SSM10-18 78-17611-0110-19 Step 11 Click ApplyWhat to Do Next Configuration or Monitoring tabthen click the Trend Micro Content To Do ThisVPN Configuration” Configuration”Chapter 7, “Scenario: Remote-Access VPN Configuration”What to Do Next Chapter 10 Configuring the CSC SSM10-22 78-17611-01•Cabling 4GE SSM Interfaces, page Configuring the 4GE SSM for FiberC H A P T E R •What to Do Next, pageCabling 4GE SSM Interfaces 11-2LC connector 11-3Note Because the default media type setting is Ethernet, you do not need to change the media type setting for Ethernet interfaces you use 11-411-5 What to Do NextTo Do This What to Do Next Chapter 11 Configuring the 4GE SSM for Fiber11-6 78-17611-01Obtaining a DES License or a 3DES-AESLicense C H A P T E R Areplacing the activation-4-tuple-key CommandPurpose activation-5-tuple-key variable is a