Manuals / Cisco Systems / Household Appliance / Home Security System

Cisco Systems ASA 5500 manual Providing Information About the Remote VPN Peer

Models: ASA 5500

1 144

Download 144 pages 23.87 Kb

Page 98

Providing Information About the Remote VPN Peer

Chapter 8 Scenario: Site-to-Site VPN Configuration

Implementing the Site-to-Site Scenario

Providing Information About the Remote VPN Peer

The VPN peer is the system on the other end of the connection that you are configuring, usually at a remote site.

Note In this scenario, the remote VPN peer is referred to as Security Appliance 2 from this point forward.

In Step 2 of the VPN Wizard, perform the following steps:

Step 1 Enter the Peer IP Address (the IP address of Security Appliance 2, in this scenario 209.165.200.236) and a Tunnel Group Name (for example “Cisco”).

Step 2 Specify the type of authentication that you want to use by performing one of the following steps:

•To use a static preshared key for authentication, click the Pre-Shared Key radio button and enter a preshared key (for example, “Cisco”). This key is used for IPSec negotiations between the adaptive security appliances.

Note When you configure Security Appliance 2 at the remote site, the VPN peer is Security Appliance 1. Be sure to enter the same preshared key (Cisco) that you use here.

•Click the Challenge/Response Authentication radio button to use that method of authentication.

•To use digital certificates for authentication, click the Certificate radio button, choose the Certificate Signing Algorithm from the drop-down list, and then choose a preconfigured trustpoint name from the drop-down list.

If you want to use digital certificates for authentication but have not yet configured a trustpoint name, you can continue with the Wizard by using one of the other two options. You can revise the authentication configuration later using the standard ASDM screens.

	Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
8-6	78-17611-01

Image 98

Cisco Systems ASA 5500 manual Providing Information About the Remote VPN Peer

Contents

For the Cisco ASA 5510, ASA 5520, and ASA Cisco ASA 5500 Series AdaptiveSecurity Appliance Getting Started Guide Corporate HeadquartersTHE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS Ports and LEDs Installing Optional SSMsC O N T E N T S Before You BeginScenario DMZ Configuration Implementing the Site-to-SiteScenario Configuring Client AttributesConfiguring the Other Side of the VPN Connection Configuring the 4GE SSM for Fiber Configuration RequirementsRun the CSC Setup Wizard What to Do NextChapter 2, “Installing the Cisco ASA Before You BeginInstall the chassis Chapter 4, “Connecting InterfaceRemote-AccessVPN Configuration” Configure the adaptive security appliance forConfiguration” VPN Configuration”To Do This ASA 5500 with CSC SSMTo Do This .... continued To Do ThisChapter 2, “Installing the Cisco ASA ASA 5500 with 4GE SSMInstall the chassis Install the 4GE SSM•Installing the Chassis, page Installing the Cisco ASA•Verifying the Package Contents, page C H A P T E RVerifying the Package Contents Figure 2-1Contents of ASA 5500 PackageInstalling the Chassis Rack-Mountingthe Chassis Figure 2-2Installing the Right and Left BracketsPorts and LEDs Figure 2-3 Rack-Mountingthe ChassisDescription ColorState Management Port1 Description IndicatorColor Chapter 4, “Connecting Interface What to Do NextChapter 3, “Installing Optional SSMs” Chapter 2 Installing the Cisco ASAWhat to Do Next Chapter 2 Installing the Cisco ASA2-10 78-17611-01•Installing the Cisco 4GE SSM, page Installing Optional SSMsCisco 4GE SSM Installing the SFP Modules, pageState 4GE SSM ComponentsColor DescriptionState Installing the Cisco 4GE SSMColor Description•SFP Module, page Installing the SFP Modules•Installing the SFP Module, page Type of Connection SFP ModuleSFP Module Cisco Part NumberInstalling the SFP Module Optical port plug Cisco AIP SSM and CSC SSM DRAMColor Installing an SSM1 2 3 StateFigure 3-6Removing the Screws from the Slot Cover What to Do Next3-10 Figure 3-7Inserting the SSM into the SlotC H A P T E R Connecting Interface Cables•Connecting Cables to Interfaces, page •What to Do Next, pageConnecting Cables to Interfaces Connecting Cables to Interfaces Figure 4-1Connecting to the Management PortChapter 4 Connecting Interface Cables 78-17611-01b.Console port c.Auxiliary port d.Cisco 4GE SSM Ethernet port •SFP modules LC connector Connecting Cables to Interfaces Figure 4-7Connecting to the Management PortChapter 4 Connecting Interface Cables 78-17611-014-10 What to Do Nextf.Ethernet ports •About the Factory-DefaultConfiguration, page Configuring the Adaptive Security ApplianceAbout the Factory-DefaultConfiguration •Using the Startup Wizard, page78-17611-01 About the Adaptive Security Device ManagerAbout the Adaptive Security Device Manager Before Launching the Startup Wizard Using the Startup Wizard VPN Configuration” Configuration”Chapter 7, “Scenario: Remote-Access VPN Configuration”To Do This Chapter 9, “Configuring the AIP SSM”Chapter 10, “Configuring the CSC SSM”C H A P T E R Scenario: DMZ ConfigurationExample DMZ Network Topology Example DMZ Network Topology, pageNetwork Layout for DMZ Configuration Scenario Security Incoming request •Starting ASDM, page Configuration Requirements•Configuration Requirements, page Starting ASDM Creating IP Pools for Network Address Translation a.In the Features pane, click NAT d.From the Interfaces drop-downlist, choose DMZ b.Under the Global Pools tab, click Add 6-10g.Click OK 6-11Step 4 Click Apply in the main ASDM window 6-12Step 2 In the Features pane, click NAT 6-13c.Click OK to add the Dynamic NAT Rule and return to the Configuration > NAT window 6-146-15 Step 2 In the Features pane, click NAT 6-16a.From the Interface drop-downlist, choose Outside 6-176-18 Step 1 In the ASDM window 6-19Step 2 In the Interface and Action area 6-20Step 4 In the Destination area 6-21d.Click OK 6-22Step 7 Click Apply to save the configuration changes to the configuration that the adaptive security appliance is currently running 6-23To Do This Refine configuration and configureWhat to Do Next 6-24VPN Configuration” Chapter 7, “Scenario: Remote-AccessVPN Configuration” Chapter 6 Scenario: DMZ ConfigurationWhat to Do Next Chapter 6 Scenario DMZ Configuration6-26 78-17611-01C H A P T E R Scenario: Remote-AccessVPN ConfigurationExample IPsec Remote-AccessVPN Network Topology •What to Do Next, page•Starting ASDM, page Implementing the IPsec Remote-AccessVPN Scenario•Information to Have Available, page •Selecting VPN Client Types, page•Optional Configuring User Accounts, page Information to Have Available•Specifying a User Authentication Method, page •Configuring Address Pools, pageStarting ASDM The Main ASDM window appearsa.Click the Remote Access VPN radio button Selecting VPN Client Types Page Specifying a User Authentication Method Step 3 Click Next to continue Optional Configuring User Accounts 7-10Configuring Address Pools 7-11Configuring Client Attributes 7-12Configuring the IKE Policy 7-13Step 2 Click Next to continue 7-14Step 2 Click Next to continue 7-157-16 Verifying the Remote-AccessVPN Configuration 7-17To Do This If you are satisfied with the configuration, click Finish to apply the changes to the adaptive security applianceWhat to Do Next 7-18To Do This Configuration”VPN Configuration” Chapter 6, “Scenario: DMZ78-17611-01 7-20What to Do Next C H A P T E R Scenario: Site-to-SiteVPN ConfigurationExample Site-to-SiteVPN Network Topology Example Site-to-SiteVPN Network Topology, pageInformation to Have Available Implementing the Site-to-SiteScenario•Configuring the Site-to-SiteVPN, page •Information to Have Available, page•Configuring the IKE Policy, page Configuring the Site-to-SiteVPNStarting ASDM •Starting ASDM, pagePage a.Click the Site-to-SiteVPN radio button Providing Information About the Remote VPN Peer Configuring the IKE Policy Step 2 Click Next to continue Step 2 Click Next to continue Specifying Hosts and Networks 8-10Viewing VPN Attributes and Completing the Wizard 8-11If you want the configuration changes to be saved to the startup configuration so that they are applied the next time the device starts, from the File menu, click Save 8-12Configuring the Other Side of the VPN Connection Configuring the Other Side of the VPN ConnectionChapter 8 Scenario Site-to-SiteVPN Configuration What to Do NextVPN Configuration” Configuration”Chapter 7, “Scenario: Remote-Access To Do This•AIP SSM Configuration, page Configuring the AIP SSMAIP SSM Configuration C H A P T E ROverview of Configuration Process •Overview of Configuration Process, pagehostnameconfig-cmap# match access-list acl-name hostnameconfig# interface interface_IDSessioning to the AIP SSM and Running Setup ciscoAIP SSM To Do This Configure the IPS sensorWhat to Do Next To Do ThisVPN Configuration” Configuration”Chapter 7, “Scenario Remote-Access VPN Configuration”C H A P T E R Configuring the CSC SSMAbout the CSC SSM •About the CSC SSM, page10-2 CSC SSMAbout Deploying the Security Appliance with the 1.The client initiates a request 10-3Figure 10-2CSC SSM Deployment Scenario Chapter 10 Configuring the CSC SSM10-4 78-17611-0110-5 Configuring the CSC SSM for Content SecurityConfiguration Requirements 78-17611-0110-6 Obtain Software Activation Key from Cisco.comGather Information Launch ASDM 10-7Verify Time Settings 10-8Run the CSC Setup Wizard 10-9•IP address for the Primary DNS server 10-1010-11 Step 8 Click NextStep 10 Click Next Chapter 10 Configuring the CSC SSM10-12 78-17611-0110-13 Step 12 Click Next10-14 The Add Service Policy Rule appears 10-15Step 5 Click Next. The Traffic Classification Criteria page appears 10-16Step 8 In the Service Policy Rule Wizard, click the CSC Scan tab 10-17Step 10 Click Finish Chapter 10 Configuring the CSC SSM10-18 78-17611-0110-19 Step 11 Click ApplyWhat to Do Next Configuration or Monitoring tabthen click the Trend Micro Content To Do ThisVPN Configuration” Configuration”Chapter 7, “Scenario: Remote-Access VPN Configuration”What to Do Next Chapter 10 Configuring the CSC SSM10-22 78-17611-01•Cabling 4GE SSM Interfaces, page Configuring the 4GE SSM for FiberC H A P T E R •What to Do Next, pageCabling 4GE SSM Interfaces 11-2LC connector 11-3Note Because the default media type setting is Ethernet, you do not need to change the media type setting for Ethernet interfaces you use 11-411-5 What to Do NextTo Do This What to Do Next Chapter 11 Configuring the 4GE SSM for Fiber11-6 78-17611-01Obtaining a DES License or a 3DES-AESLicense C H A P T E R Areplacing the activation-4-tuple-key CommandPurpose activation-5-tuple-key variable is a