Manuals / Cisco Systems / Household Appliance / Home Security System

Cisco Systems ASA 5500 manual In the ASDM window, 6-19

Models: ASA 5500

1 144

Download 144 pages 23.87 Kb

Page 65

Image 65

Chapter 6 Scenario: DMZ Configuration

Configuring the Security Appliance for a DMZ Deployment

appliance that processes the traffic, whether the traffic is incoming or outgoing, the origin and destination of the traffic, and the type of traffic protocol and service to be permitted.

In this section, you create an access rule that permits incoming HTTP traffic originating from any host or network on the Internet, if the destination of the traffic is the web server on the DMZ network. All other traffic coming in from the public network is denied.

To configure the access control rule, perform the following steps:

Step 1 In the ASDM window:

a.Click the Configuration tool.

b.In the Features pane, click Security Policy.

c.Click the Access Rules tab, and then from the Add pull-down list, choose Add Access Rule.

The Add Access Rule dialog box appears.

	Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide

78-17611-01		6-19
78-17611-01		6-19

Page 65

Image 65

Cisco Systems ASA 5500 manual In the ASDM window, 6-19

Contents

Security Appliance Getting Started Guide Cisco ASA 5500 Series AdaptiveFor the Cisco ASA 5510, ASA 5520, and ASA Corporate HeadquartersTHE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS C O N T E N T S Installing Optional SSMsPorts and LEDs Before You BeginScenario DMZ Configuration Implementing the Site-to-SiteScenario Configuring Client AttributesConfiguring the Other Side of the VPN Connection Run the CSC Setup Wizard Configuration RequirementsConfiguring the 4GE SSM for Fiber What to Do NextInstall the chassis Before You BeginChapter 2, “Installing the Cisco ASA Chapter 4, “Connecting InterfaceConfiguration” Configure the adaptive security appliance forRemote-AccessVPN Configuration” VPN Configuration”To Do This .... continued ASA 5500 with CSC SSMTo Do This To Do ThisInstall the chassis ASA 5500 with 4GE SSMChapter 2, “Installing the Cisco ASA Install the 4GE SSM•Verifying the Package Contents, page Installing the Cisco ASA•Installing the Chassis, page C H A P T E RFigure 2-1Contents of ASA 5500 Package Verifying the Package ContentsInstalling the Chassis Figure 2-2Installing the Right and Left Brackets Rack-Mountingthe ChassisFigure 2-3 Rack-Mountingthe Chassis Ports and LEDsDescription ColorState Management Port1 Description IndicatorColor Chapter 3, “Installing Optional SSMs” What to Do NextChapter 4, “Connecting Interface Chapter 2 Installing the Cisco ASA2-10 Chapter 2 Installing the Cisco ASAWhat to Do Next 78-17611-01Cisco 4GE SSM Installing Optional SSMs•Installing the Cisco 4GE SSM, page Installing the SFP Modules, pageColor 4GE SSM ComponentsState DescriptionColor Installing the Cisco 4GE SSMState Description•SFP Module, page Installing the SFP Modules•Installing the SFP Module, page SFP Module SFP ModuleType of Connection Cisco Part NumberInstalling the SFP Module Optical port plug DRAM Cisco AIP SSM and CSC SSM1 2 3 Installing an SSMColor State3-10 What to Do NextFigure 3-6Removing the Screws from the Slot Cover Figure 3-7Inserting the SSM into the Slot•Connecting Cables to Interfaces, page Connecting Interface CablesC H A P T E R •What to Do Next, pageConnecting Cables to Interfaces Chapter 4 Connecting Interface Cables Figure 4-1Connecting to the Management PortConnecting Cables to Interfaces 78-17611-01b.Console port c.Auxiliary port d.Cisco 4GE SSM Ethernet port •SFP modules LC connector Chapter 4 Connecting Interface Cables Figure 4-7Connecting to the Management PortConnecting Cables to Interfaces 78-17611-014-10 What to Do Nextf.Ethernet ports About the Factory-DefaultConfiguration Configuring the Adaptive Security Appliance•About the Factory-DefaultConfiguration, page •Using the Startup Wizard, page78-17611-01 About the Adaptive Security Device ManagerAbout the Adaptive Security Device Manager Before Launching the Startup Wizard Using the Startup Wizard Chapter 7, “Scenario: Remote-Access Configuration”VPN Configuration” VPN Configuration”Chapter 10, “Configuring the CSC Chapter 9, “Configuring the AIP SSM”To Do This SSM”Example DMZ Network Topology Scenario: DMZ ConfigurationC H A P T E R Example DMZ Network Topology, pageNetwork Layout for DMZ Configuration Scenario Security Incoming request •Starting ASDM, page Configuration Requirements•Configuration Requirements, page Starting ASDM Creating IP Pools for Network Address Translation a.In the Features pane, click NAT d.From the Interfaces drop-downlist, choose DMZ 6-10 b.Under the Global Pools tab, click Add6-11 g.Click OK6-12 Step 4 Click Apply in the main ASDM window6-13 Step 2 In the Features pane, click NAT6-14 c.Click OK to add the Dynamic NAT Rule and return to the Configuration > NAT window6-15 6-16 Step 2 In the Features pane, click NAT6-17 a.From the Interface drop-downlist, choose Outside6-18 6-19 Step 1 In the ASDM window6-20 Step 2 In the Interface and Action area6-21 Step 4 In the Destination area6-22 d.Click OK6-23 Step 7 Click Apply to save the configuration changes to the configuration that the adaptive security appliance is currently runningWhat to Do Next Refine configuration and configureTo Do This 6-24VPN Configuration” Chapter 7, “Scenario: Remote-AccessVPN Configuration” Chapter 6 Scenario: DMZ Configuration6-26 Chapter 6 Scenario DMZ ConfigurationWhat to Do Next 78-17611-01Example IPsec Remote-AccessVPN Network Topology Scenario: Remote-AccessVPN ConfigurationC H A P T E R •What to Do Next, page•Information to Have Available, page Implementing the IPsec Remote-AccessVPN Scenario•Starting ASDM, page •Selecting VPN Client Types, page•Specifying a User Authentication Method, page Information to Have Available•Optional Configuring User Accounts, page •Configuring Address Pools, pageThe Main ASDM window appears Starting ASDMa.Click the Remote Access VPN radio button Selecting VPN Client Types Page Specifying a User Authentication Method Step 3 Click Next to continue 7-10 Optional Configuring User Accounts7-11 Configuring Address Pools7-12 Configuring Client Attributes7-13 Configuring the IKE Policy7-14 Step 2 Click Next to continue7-15 Step 2 Click Next to continue7-16 7-17 Verifying the Remote-AccessVPN ConfigurationWhat to Do Next If you are satisfied with the configuration, click Finish to apply the changes to the adaptive security applianceTo Do This 7-18VPN Configuration” Configuration”To Do This Chapter 6, “Scenario: DMZ78-17611-01 7-20What to Do Next Example Site-to-SiteVPN Network Topology Scenario: Site-to-SiteVPN ConfigurationC H A P T E R Example Site-to-SiteVPN Network Topology, page•Configuring the Site-to-SiteVPN, page Implementing the Site-to-SiteScenarioInformation to Have Available •Information to Have Available, pageStarting ASDM Configuring the Site-to-SiteVPN•Configuring the IKE Policy, page •Starting ASDM, pagePage a.Click the Site-to-SiteVPN radio button Providing Information About the Remote VPN Peer Configuring the IKE Policy Step 2 Click Next to continue Step 2 Click Next to continue 8-10 Specifying Hosts and Networks8-11 Viewing VPN Attributes and Completing the Wizard8-12 If you want the configuration changes to be saved to the startup configuration so that they are applied the next time the device starts, from the File menu, click SaveChapter 8 Scenario Site-to-SiteVPN Configuration Configuring the Other Side of the VPN ConnectionConfiguring the Other Side of the VPN Connection What to Do NextChapter 7, “Scenario: Remote-Access Configuration”VPN Configuration” To Do ThisAIP SSM Configuration Configuring the AIP SSM•AIP SSM Configuration, page C H A P T E R•Overview of Configuration Process, page Overview of Configuration Processhostnameconfig-cmap# match access-list acl-name interface interface_ID hostnameconfig#cisco Sessioning to the AIP SSM and Running SetupAIP SSM What to Do Next Configure the IPS sensorTo Do This To Do ThisChapter 7, “Scenario Remote-Access Configuration”VPN Configuration” VPN Configuration”About the CSC SSM Configuring the CSC SSMC H A P T E R •About the CSC SSM, page10-2 CSC SSMAbout Deploying the Security Appliance with the 10-3 1.The client initiates a request10-4 Chapter 10 Configuring the CSC SSMFigure 10-2CSC SSM Deployment Scenario 78-17611-01Configuration Requirements Configuring the CSC SSM for Content Security10-5 78-17611-0110-6 Obtain Software Activation Key from Cisco.comGather Information 10-7 Launch ASDM10-8 Verify Time Settings10-9 Run the CSC Setup Wizard10-10 •IP address for the Primary DNS serverStep 8 Click Next 10-1110-12 Chapter 10 Configuring the CSC SSMStep 10 Click Next 78-17611-01Step 12 Click Next 10-1310-14 10-15 The Add Service Policy Rule appears10-16 Step 5 Click Next. The Traffic Classification Criteria page appears10-17 Step 8 In the Service Policy Rule Wizard, click the CSC Scan tab10-18 Chapter 10 Configuring the CSC SSMStep 10 Click Finish 78-17611-01Step 11 Click Apply 10-19then click the Trend Micro Content Configuration or Monitoring tabWhat to Do Next To Do ThisChapter 7, “Scenario: Remote-Access Configuration”VPN Configuration” VPN Configuration”10-22 Chapter 10 Configuring the CSC SSMWhat to Do Next 78-17611-01C H A P T E R Configuring the 4GE SSM for Fiber•Cabling 4GE SSM Interfaces, page •What to Do Next, page11-2 Cabling 4GE SSM Interfaces11-3 LC connector11-4 Note Because the default media type setting is Ethernet, you do not need to change the media type setting for Ethernet interfaces you use11-5 What to Do NextTo Do This 11-6 Chapter 11 Configuring the 4GE SSM for FiberWhat to Do Next 78-17611-01C H A P T E R A Obtaining a DES License or a 3DES-AESLicensePurpose Commandreplacing the activation-4-tuple-key activation-5-tuple-key variable is a