Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
For the Cisco ASA 5510, ASA 5520, and ASA
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS
Installing Optional SSMs
Contents
Ports and LEDs
Before You Begin
Scenario DMZ Configuration
Configuring Client Attributes
Configuring the Other Side of the VPN Connection
Implementing the Site-to-Site Scenario
Configuration Requirements
Run the CSC Setup Wizard
Configuring the 4GE SSM for Fiber
What to Do Next
Before You Begin
Install the chassis
Chapter 2, “Installing the Cisco ASA
Chapter 4, “Connecting Interface
Configure the adaptive security appliance for
Configuration”
Remote-Access VPN Configuration”
VPN Configuration”
ASA 5500 with CSC SSM
To Do This (continued)
To Do This
To Do This
ASA 5500 with 4GE SSM
Install the chassis
Chapter 2, “Installing the Cisco ASA
Install the 4GE SSM
Installing the Cisco ASA
• Verifying the Package Contents
• Installing the Chassis
CHAPTER
Verifying the Package Contents
Figure 2-1 Contents of ASA 5500 Package
Installing the Chassis
Rack-Mounting the Chassis
Figure 2-2 Installing the Right and Left Brackets
Ports and LEDs
Figure 2-3 Rack-Mounting the Chassis
Color
State
Description
Management Port1
Indicator
Color
Description
What to Do Next
Chapter 3, “Installing Optional SSMs”
Chapter 4, “Connecting Interface
78-17611-01
Installing Optional SSMs
Cisco 4GE SSM
• Installing the Cisco 4GE SSM
• Installing the SFP Modules
4GE SSM Components
Color
State
Description
Installing the Cisco 4GE SSM
Color
State
Description
Installing the SFP Modules
• Installing the SFP Module
• SFP Module
SFP Module
SFP Module
Type of Connection
Cisco Part Number
Installing the SFP Module
Optical port plug
Cisco AIP SSM and CSC SSM
DRAM
Installing an SSM
Color
State
What to Do Next
Figure 3-6 Removing the Screws from the Slot Cover
Figure 3-7 Inserting the SSM into the Slot
Connecting Interface Cables
• Connecting Cables to Interfaces
• What to Do Next
Connecting Cables to Interfaces
Figure 4-1 Connecting to the Management Port
b. Console port
c. Auxiliary port
d. Cisco 4GE SSM Ethernet port
• SFP modules
LC connector
Figure 4-7 Connecting to the Management Port
What to Do Next
f. Ethernet ports
Configuring the Adaptive Security Appliance
About the Factory-Default Configuration
• About the Factory-Default Configuration
• Using the Startup Wizard
About the Adaptive Security Device Manager
Before Launching the Startup Wizard
Using the Startup Wizard
Configuration”
Chapter 7, “Scenario: Remote-Access
VPN Configuration”
VPN Configuration”
Chapter 9, “Configuring the AIP SSM”
Chapter 10, “Configuring the CSC
To Do This
SSM”
Scenario: DMZ Configuration
Example DMZ Network Topology
• Example DMZ Network Topology
Network Layout for DMZ Configuration Scenario
Security
Incoming request
Configuration Requirements
• Configuration Requirements
• Starting ASDM
Starting ASDM
Creating IP Pools for Network Address Translation
a. In the Features pane, click NAT
d. From the Interfaces drop-down list, choose DMZ
b. Under the Global Pools tab, click Add
g. Click OK
Step 4 Click Apply in the main ASDM window
Step 2 In the Features pane, click NAT
c. Click OK to add the Dynamic NAT Rule and return to the Configuration > NAT window
Step 2 In the Features pane, click NAT
a. From the Interface drop-down list, choose Outside
Step 1 In the ASDM window
Step 2 In the Interface and Action area
Step 4 In the Destination area
d. Click OK
Step 7 Click Apply to save the configuration changes to the configuration that the adaptive security appliance is currently running
Refine configuration and configure
What to Do Next
To Do This
Chapter 7, “Scenario: Remote-Access
VPN Configuration”
VPN Configuration”
Scenario: Remote-Access VPN Configuration
Example IPsec Remote-Access VPN Network Topology
• What to Do Next
Implementing the IPsec Remote-Access VPN Scenario
• Information to Have Available
• Starting ASDM
• Selecting VPN Client Types
Information to Have Available
• Specifying a User Authentication Method
• Optional Configuring User Accounts
• Configuring Address Pools
Starting ASDM
The Main ASDM window appears
a. Click the Remote Access VPN radio button
Selecting VPN Client Types
Page
Specifying a User Authentication Method
Step 3 Click Next to continue
Optional Configuring User Accounts
Configuring Address Pools
Configuring Client Attributes
Configuring the IKE Policy
Step 2 Click Next to continue
Step 2 Click Next to continue
Verifying the Remote-Access VPN Configuration
If you are satisfied with the configuration, click Finish to apply the changes to the adaptive security appliance
What to Do Next
To Do This
Configuration”
VPN Configuration”
To Do This
Chapter 6, “Scenario: DMZ
Scenario: Site-to-Site VPN Configuration
Example Site-to-Site VPN Network Topology
• Example Site-to-Site VPN Network Topology
Implementing the Site-to-Site Scenario
• Configuring the Site-to-Site VPN
Information to Have Available
• Information to Have Available
Configuring the Site-to-Site VPN
Starting ASDM
• Configuring the IKE Policy
• Starting ASDM
Page
a. Click the Site-to-Site VPN radio button
Providing Information About the Remote VPN Peer
Configuring the IKE Policy
Step 2 Click Next to continue
Step 2 Click Next to continue
Specifying Hosts and Networks
Viewing VPN Attributes and Completing the Wizard
If you want the configuration changes to be saved to the startup configuration so that they are applied the next time the device starts, from the File menu, click Save
Configuring the Other Side of the VPN Connection
What to Do Next
Configuration”
Chapter 7, “Scenario: Remote-Access
VPN Configuration”
To Do This
Configuring the AIP SSM
AIP SSM Configuration
• AIP SSM Configuration
Overview of Configuration Process
• Overview of Configuration Process
hostname(config-cmap)# match access-list acl-name
hostname(config)#
interface interface_ID
Sessioning to the AIP SSM and Running Setup
cisco
AIP SSM
Configure the IPS sensor
What to Do Next
To Do This
To Do This
Configuration”
Chapter 7, “Scenario Remote-Access
VPN Configuration”
VPN Configuration”
Configuring the CSC SSM
About the CSC SSM
• About the CSC SSM
CSC SSM
About Deploying the Security Appliance with the
1. The client initiates a request
Figure 10-2 CSC SSM Deployment Scenario
Configuring the CSC SSM for Content Security
Configuration Requirements
Obtain Software Activation Key from Cisco.com
Gather Information
Launch ASDM
Verify Time Settings
Run the CSC Setup Wizard
• IP address for the Primary DNS server
Step 8 Click Next
Step 10 Click Next
Step 12 Click Next
The Add Service Policy Rule appears
Step 5 Click Next. The Traffic Classification Criteria page appears
Step 8 In the Service Policy Rule Wizard, click the CSC Scan tab
Step 10 Click Finish
Step 11 Click Apply
Configuration or Monitoring tab
then click the Trend Micro Content
What to Do Next
To Do This
Configuration”
Chapter 7, “Scenario: Remote-Access
VPN Configuration”
VPN Configuration”
Configuring the 4GE SSM for Fiber
• Cabling 4GE SSM Interfaces
• What to Do Next
Cabling 4GE SSM Interfaces
LC connector
Note Because the default media type setting is Ethernet, you do not need to change the media type setting for Ethernet interfaces you use
What to Do Next
To Do This
Obtaining a DES License or a 3DES-AES License
CHAPTER A
Command
Purpose
replacing the activation-4-tuple-key
activation-5-tuple-key variable is a