Manuals / Cisco Systems / Household Appliance / Home Security System

Cisco Systems ASA 5500 manual 7-16

Models: ASA 5500

1 144

Download 144 pages 23.87 Kb

Page 88

7-16

Chapter 7 Scenario: Remote-Access VPN Configuration

Implementing the IPsec Remote-Access VPN Scenario

Specifying Address Translation Exception and Split Tunneling

Split tunneling lets a remote-access IPsec client conditionally direct packets over an IPsec tunnel in encrypted form or to a network interface in clear text form.

The adaptive security appliance uses Network Address Translation (NAT) to prevent internal IP addresses from being exposed externally. You can make exceptions to this network protection by identifying local hosts and networks that should be made accessible to authenticated remote users. (In this scenario, the entire inside network 10.10.10.0 is exposed to all remote clients.)

In Step 10 of the VPN Wizard, perform the following steps:

Step 1 Specify hosts, groups, and networks that should be in the list of internal resources made accessible to authenticated remote users.

To add or remove hosts, groups, and networks dynamically from the Selected Hosts/Networks pane, click Add or Delete, respectively.

	Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
7-16	78-17611-01

Image 88

Cisco Systems ASA 5500 manual 7-16

Contents

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started GuideFor the Cisco ASA 5510, ASA 5520, and ASA Corporate HeadquartersTHE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS Installing Optional SSMs C O N T E N T SPorts and LEDs Before You BeginScenario DMZ Configuration Configuring the Other Side of the VPN Connection Configuring Client AttributesImplementing the Site-to-SiteScenario Configuration Requirements Run the CSC Setup WizardConfiguring the 4GE SSM for Fiber What to Do NextBefore You Begin Install the chassisChapter 2, “Installing the Cisco ASA Chapter 4, “Connecting InterfaceConfigure the adaptive security appliance for Configuration”Remote-AccessVPN Configuration” VPN Configuration”ASA 5500 with CSC SSM To Do This .... continuedTo Do This To Do ThisASA 5500 with 4GE SSM Install the chassisChapter 2, “Installing the Cisco ASA Install the 4GE SSMInstalling the Cisco ASA •Verifying the Package Contents, page•Installing the Chassis, page C H A P T E RVerifying the Package Contents Figure 2-1Contents of ASA 5500 PackageInstalling the Chassis Rack-Mountingthe Chassis Figure 2-2Installing the Right and Left BracketsPorts and LEDs Figure 2-3 Rack-Mountingthe ChassisState ColorDescription Management Port1 Color IndicatorDescription What to Do Next Chapter 3, “Installing Optional SSMs”Chapter 4, “Connecting Interface Chapter 2 Installing the Cisco ASAChapter 2 Installing the Cisco ASA 2-10What to Do Next 78-17611-01Installing Optional SSMs Cisco 4GE SSM•Installing the Cisco 4GE SSM, page Installing the SFP Modules, page4GE SSM Components ColorState DescriptionInstalling the Cisco 4GE SSM ColorState Description•Installing the SFP Module, page Installing the SFP Modules•SFP Module, page SFP Module SFP ModuleType of Connection Cisco Part NumberInstalling the SFP Module Optical port plug Cisco AIP SSM and CSC SSM DRAMInstalling an SSM 1 2 3Color StateWhat to Do Next 3-10Figure 3-6Removing the Screws from the Slot Cover Figure 3-7Inserting the SSM into the SlotConnecting Interface Cables •Connecting Cables to Interfaces, pageC H A P T E R •What to Do Next, pageConnecting Cables to Interfaces Figure 4-1Connecting to the Management Port Chapter 4 Connecting Interface CablesConnecting Cables to Interfaces 78-17611-01b.Console port c.Auxiliary port d.Cisco 4GE SSM Ethernet port •SFP modules LC connector Figure 4-7Connecting to the Management Port Chapter 4 Connecting Interface CablesConnecting Cables to Interfaces 78-17611-01f.Ethernet ports What to Do Next4-10 Configuring the Adaptive Security Appliance About the Factory-DefaultConfiguration•About the Factory-DefaultConfiguration, page •Using the Startup Wizard, pageAbout the Adaptive Security Device Manager About the Adaptive Security Device Manager78-17611-01 Before Launching the Startup Wizard Using the Startup Wizard Configuration” Chapter 7, “Scenario: Remote-AccessVPN Configuration” VPN Configuration”Chapter 9, “Configuring the AIP SSM” Chapter 10, “Configuring the CSCTo Do This SSM”Scenario: DMZ Configuration Example DMZ Network TopologyC H A P T E R Example DMZ Network Topology, pageNetwork Layout for DMZ Configuration Scenario Security Incoming request •Configuration Requirements, page Configuration Requirements•Starting ASDM, page Starting ASDM Creating IP Pools for Network Address Translation a.In the Features pane, click NAT d.From the Interfaces drop-downlist, choose DMZ b.Under the Global Pools tab, click Add 6-10g.Click OK 6-11Step 4 Click Apply in the main ASDM window 6-12Step 2 In the Features pane, click NAT 6-13c.Click OK to add the Dynamic NAT Rule and return to the Configuration > NAT window 6-146-15 Step 2 In the Features pane, click NAT 6-16a.From the Interface drop-downlist, choose Outside 6-176-18 Step 1 In the ASDM window 6-19Step 2 In the Interface and Action area 6-20Step 4 In the Destination area 6-21d.Click OK 6-22Step 7 Click Apply to save the configuration changes to the configuration that the adaptive security appliance is currently running 6-23Refine configuration and configure What to Do NextTo Do This 6-24Chapter 7, “Scenario: Remote-Access VPN Configuration”VPN Configuration” Chapter 6 Scenario: DMZ ConfigurationChapter 6 Scenario DMZ Configuration 6-26What to Do Next 78-17611-01Scenario: Remote-AccessVPN Configuration Example IPsec Remote-AccessVPN Network TopologyC H A P T E R •What to Do Next, pageImplementing the IPsec Remote-AccessVPN Scenario •Information to Have Available, page•Starting ASDM, page •Selecting VPN Client Types, pageInformation to Have Available •Specifying a User Authentication Method, page•Optional Configuring User Accounts, page •Configuring Address Pools, pageStarting ASDM The Main ASDM window appearsa.Click the Remote Access VPN radio button Selecting VPN Client Types Page Specifying a User Authentication Method Step 3 Click Next to continue Optional Configuring User Accounts 7-10Configuring Address Pools 7-11Configuring Client Attributes 7-12Configuring the IKE Policy 7-13Step 2 Click Next to continue 7-14Step 2 Click Next to continue 7-157-16 Verifying the Remote-AccessVPN Configuration 7-17If you are satisfied with the configuration, click Finish to apply the changes to the adaptive security appliance What to Do NextTo Do This 7-18Configuration” VPN Configuration”To Do This Chapter 6, “Scenario: DMZWhat to Do Next 7-2078-17611-01 Scenario: Site-to-SiteVPN Configuration Example Site-to-SiteVPN Network TopologyC H A P T E R Example Site-to-SiteVPN Network Topology, pageImplementing the Site-to-SiteScenario •Configuring the Site-to-SiteVPN, pageInformation to Have Available •Information to Have Available, pageConfiguring the Site-to-SiteVPN Starting ASDM•Configuring the IKE Policy, page •Starting ASDM, pagePage a.Click the Site-to-SiteVPN radio button Providing Information About the Remote VPN Peer Configuring the IKE Policy Step 2 Click Next to continue Step 2 Click Next to continue Specifying Hosts and Networks 8-10Viewing VPN Attributes and Completing the Wizard 8-11If you want the configuration changes to be saved to the startup configuration so that they are applied the next time the device starts, from the File menu, click Save 8-12Configuring the Other Side of the VPN Connection Chapter 8 Scenario Site-to-SiteVPN ConfigurationConfiguring the Other Side of the VPN Connection What to Do NextConfiguration” Chapter 7, “Scenario: Remote-AccessVPN Configuration” To Do ThisConfiguring the AIP SSM AIP SSM Configuration•AIP SSM Configuration, page C H A P T E ROverview of Configuration Process •Overview of Configuration Process, pagehostnameconfig-cmap# match access-list acl-name hostnameconfig# interface interface_IDSessioning to the AIP SSM and Running Setup ciscoAIP SSM Configure the IPS sensor What to Do NextTo Do This To Do ThisConfiguration” Chapter 7, “Scenario Remote-AccessVPN Configuration” VPN Configuration”Configuring the CSC SSM About the CSC SSMC H A P T E R •About the CSC SSM, pageAbout Deploying the Security Appliance with the CSC SSM10-2 1.The client initiates a request 10-3Chapter 10 Configuring the CSC SSM 10-4Figure 10-2CSC SSM Deployment Scenario 78-17611-01Configuring the CSC SSM for Content Security Configuration Requirements10-5 78-17611-01Gather Information Obtain Software Activation Key from Cisco.com10-6 Launch ASDM 10-7Verify Time Settings 10-8Run the CSC Setup Wizard 10-9•IP address for the Primary DNS server 10-1010-11 Step 8 Click NextChapter 10 Configuring the CSC SSM 10-12Step 10 Click Next 78-17611-0110-13 Step 12 Click Next10-14 The Add Service Policy Rule appears 10-15Step 5 Click Next. The Traffic Classification Criteria page appears 10-16Step 8 In the Service Policy Rule Wizard, click the CSC Scan tab 10-17Chapter 10 Configuring the CSC SSM 10-18Step 10 Click Finish 78-17611-0110-19 Step 11 Click ApplyConfiguration or Monitoring tab then click the Trend Micro ContentWhat to Do Next To Do ThisConfiguration” Chapter 7, “Scenario: Remote-AccessVPN Configuration” VPN Configuration”Chapter 10 Configuring the CSC SSM 10-22What to Do Next 78-17611-01Configuring the 4GE SSM for Fiber C H A P T E R•Cabling 4GE SSM Interfaces, page •What to Do Next, pageCabling 4GE SSM Interfaces 11-2LC connector 11-3Note Because the default media type setting is Ethernet, you do not need to change the media type setting for Ethernet interfaces you use 11-4To Do This What to Do Next11-5 Chapter 11 Configuring the 4GE SSM for Fiber 11-6What to Do Next 78-17611-01Obtaining a DES License or a 3DES-AESLicense C H A P T E R ACommand Purposereplacing the activation-4-tuple-key activation-5-tuple-key variable is a