Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
For the Cisco ASA 5510, ASA 5520, and ASA 5540
Corporate Headquarters: Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA, http://www.cisco.
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
CONTENTS

CHAPTER 1 Before You Begin 1-1
  ASA 5500 1-1
  ASA 5500 with AIP SSM 1-2
  ASA 5500 with CSC SSM 1-3
  ASA 5500 with 4GE SSM 1-4
CHAPTER 2 Installing the Cisco ASA 5500 2-1
  Verifying the Package Contents 2-2
  Installing the Chassis 2-3
  Rack-Mounting the Chassis 2-4
  Ports and LEDs 2-5
  What to Do Next 2-9
CHAPTER 3 Installing Optional SSMs 3-1
  Cisco 4GE SSM 3-1
  4GE SSM Components 3-2
  Installing the Cisco 4GE SSM 3-3
  Installing the SFP Modules 3-4
  SFP Module 3-5
  Installing the SFP Module 3-6
  Cisco AI
CHAPTER 4 Connecting Interface Cables 4-1
  Connecting Cables to Interfaces 4-2
  What to Do Next 4-10
CHAPTER 5 Configuring the Adaptive Security Appliance 5-1
  About the Factory-Default Configuration 5-1
  About the Adaptive Security Device Manager 5-2
  Before Launching the Startup Wizard 5-3
  Using the Startup Wizard 5-4
  What to Do Next 5-5
CHAPTER 6 Scenario: DMZ Configuration 6-1
  Example DMZ Network Topology 6-1
  Configuring the Security Appliance for a DMZ Deployment 6-4
  Configuration Requirem
CHAPTER 7 Scenario: Remote-Access VPN Configuration
  Starting ASDM 7-4
  Configuring the FWSM for an IPsec Remote-Access VPN 7-5
  Selecting VPN Client Types 7-6
  Specifying the VPN Tunnel Group Name and Authentication Method 7-7
  Specifying a User Authentication Method 7-8
  (Optional) Configuring User Accounts 7-10
  Configuring Address Pools 7-11
  Configuring Client Attributes 7-12
  Configuring the IKE Policy 7-13
  Configuring IPsec Encryption and Authentication Parameters 7-15
  Specifying Address Translation Exception and Split Tunneling 7-16
  Verifying the Re
CHAPTER 9 Configuring the AIP SSM 9-1
  AIP SSM Configuration 9-1
  Overview of Configuration Process 9-2
  Configuring the ASA 5500 to Divert Traffic to the AIP SSM 9-2
  Sessioning to the AIP SSM and Running Setup 9-5
  What to Do Next 9-7
CHAPTER 10 Configuring the CSC SSM 10-1
  About the CSC SSM 10-1
  About Deploying the Security Appliance with the CSC SSM 10-2
  Scenario: Security Appliance with CSC SSM Deployed for Content Security 10-4
  Configuration Requirements 10-5
  Configuring the CSC SSM for Con
CHAPTER 1 Before You Begin

Use the following table to find the installation and configuration steps that are required for your implementation of the adaptive security appliance. The adaptive security appliance implementations included in this document are as follows:
• ASA 5500, page 1-1
• ASA 5500 with AIP SSM, page 1-2
• ASA 5500 with CSC SSM, page 1-3
• ASA 5500 with 4GE SSM, page 1-4

ASA 5500
To Do This ... | See ...

ASA 5500 with AIP SSM
To Do This ... (continued) | See ...

ASA 5500 with CSC SSM
To Do This ... (continued) | See ...
Configure the CSC SSM | Cisco Content Security and Control SSM Administrator Guide
Refine configuration and configure optional and advanced features | Cisco Security Appliance Command Line Configuration Guide; Cisco Security Appliance Command Reference; Cisco Security Appliance Logging Configuration and System Log Messages

ASA 5500 with 4GE SSM
To Do This ... | See ...
CHAPTER 2 Installing the Cisco ASA 5500

Warning: Only trained and qualified personnel should be allowed to install, replace, or service this equipment.
Caution: Read the safety warnings in the Regulatory Compliance and Safety Information for the Cisco ASA 5500 Series and follow proper safety procedures when performing these steps.
This chapter describes the product overview, memory requirements, and rack-mount and installation procedures for the adaptive security appliance.
Verifying the Package Contents
Verify the contents of the packing box to ensure that you have received all items necessary to install your Cisco ASA 5500 series adaptive security appliance. See Figure 2-1.
Installing the Chassis
This section describes how to rack-mount and install the adaptive security appliance. You can mount the adaptive security appliance in a 19-inch rack (with a 17.5- or 17.75-inch opening).
Warning: To prevent bodily injury when mounting or servicing this unit in a rack, you must take special precautions to ensure that the system remains stable. The following guidelines are provided to ensure your safety.
Rack-Mounting the Chassis
To rack-mount the chassis, perform the following steps:
Step 1 Attach the rack-mount brackets to the chassis using the supplied screws. Attach the brackets to the holes as shown in Figure 2-2.
Step 2 After the brackets are secured to the chassis, you can rack-mount it.
Figure 2-3 Rack-Mounting the Chassis (figure)
To remove the chassis from the rack, remove the screws that attach the chassis to the rack, and then remove the chassis.

Ports and LEDs
This section describes the front and rear panels. Figure 2-4 shows the front panel LEDs.
Figure 2-4 Front Panel LEDs (figure; callouts 1 Power, 2 Status, 3 Active; the VPN and FLASH LEDs are also shown)
LED | Color | State | Description
1 Power | Green | On | The system has power.
2 Status | Green | Flashing | The power-up diagnostics are running or the system is booting.
2 Status | Green | Solid | The system has passed power-up diagnostics.
2 Status | Amber | Solid | The power-up diagnostics have failed.
3 Active | Green | Solid |
Figure 2-5 shows the rear panel features for the adaptive security appliance.
Figure 2-5 Rear Panel LEDs and Ports (AC Power Supply Model Shown) (figure; the panel shows the USB1, USB2, CONSOLE, AUX, MGMT, and FLASH ports and network interfaces 0 through 3, each with LINK and SPD LEDs)
6 USB 2.
Figure 2-6 shows the adaptive security appliance rear panel LEDs.
Figure 2-6 Rear Panel Link and Speed Indicator LEDs (figure)
1 MGMT indicator LEDs
2 Network interface LEDs
Table 2-1 lists the rear MGMT and Network interface LEDs.
What to Do Next
Continue with one of the following chapters:
To Do This ... | See ...

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 2-10 78-17611-01
CHAPTER 3 Installing Optional SSMs

This chapter provides information about installing optional SSMs (Security Services Modules) and their components. You only need to use the procedures in this chapter if you purchased an optional SSM but it is not yet installed.
Cisco 4GE SSM
4GE SSM Components
Figure 3-1 shows the Cisco 4GE SSM ports and LEDs.
Figure 3-1 Cisco 4GE SSM Ports and LEDs (figure)
1 RJ-45 ports
2 RJ-45 Link LED
3 RJ-45 Speed LED
4 Power LED
5 Status LED
6 SFP ports
7 SFP Link LED
8 SFP Speed LED
Note: Figure 3-1 shows SFP modules installed in the port slots. You must order and install the SFP modules if you want to use this feature.
Table 3-1 Cisco 4GE SSM LEDs (continued)
LED | Color | State | Description
3, 8 SPEED | Off | 10 MB | There is no network activity.
3, 8 SPEED | Green | 100 MB | There is network activity at 100 Mbps.
3, 8 SPEED | Amber | 1000 MB (GigE) | There is network activity at 1000 Mbps.
4 POWER | Green | On | The system has power.
5 STATUS | Green | Flashing | The system is booting.
5 STATUS | Green | Solid | The system booted correctly.
5 STATUS | Amber | Solid | The system diagnostics failed.
Step 4 Insert the Cisco 4GE SSM through the slot opening as shown in Figure 3-3.
Figure 3-3 Inserting the Cisco 4GE SSM into the Slot (figure)
Step 5 Attach the screws to secure the Cisco 4GE SSM to the chassis.
Step 6 Power on the adaptive security appliance.
SFP Module
The adaptive security appliance uses a field-replaceable SFP module to establish Gigabit connections.
Note: If you install an SFP module after the switch has powered on, you must reload the adaptive security appliance to enable the SFP module.
Table 3-2 lists the SFP modules that are supported by the adaptive security appliance.
Note: Use only Cisco-certified SFP modules on the adaptive security appliance. Each SFP module has an internal serial EEPROM that is encoded with security information. This encoding provides a way for Cisco to identify and validate that the SFP module meets the requirements for the adaptive security appliance.
Caution: Only SFP modules certified by Cisco are supported on the adaptive security appliance.
Figure 3-4 Installing an SFP Module (figure)
1 Optical port plug
2 SFP port slot
3 SFP module
Caution: Do not remove the optical port plugs from the SFP until you are ready to connect the cables.
Step 2 Remove the optical port plug; then connect the network cable to the SFP module. Connect the other end of the cable to your network. For more information on connecting the cables, see Chapter 4, “Connecting Interface Cables.”
Cisco AIP SSM and CSC SSM
The ASA 5500 series adaptive security appliance supports the AIP SSM (Advanced Inspection and Prevention Security Services Module) and the CSC SSM (Content Security Control Security Services Module), also referred to as the intelligent SSM. The AIP SSM runs advanced IPS software that provides security inspection. There are two models of the AIP SSM: the AIP SSM 10 and the AIP SSM 20.
Figure 3-5 SSM LEDs (figure; the LEDs are labeled PWR, STATUS, LINK/ACT, and SPEED)
Table 3-5 describes the SSM LEDs.
Table 3-5 SSM LEDs
LED | Color | State | Description
1 PWR | Green | On | The system has power.
2 STATUS | Green | Flashing | The system is booting.
2 STATUS | Green | Solid | The system has passed power-up diagnostics.
3 LINK/ACT | | Solid | There is an Ethernet link.
3 LINK/ACT | | Flashing | There is Ethernet activity.
4 SPEED | | 100 MB | There is network activity.
Figure 3-6 Removing the Screws from the Slot Cover (figure)
Insert the SSM into the slot opening as shown in Figure 3-7.
CHAPTER 4 Connecting Interface Cables

This chapter describes how to connect the cables to the Console, Auxiliary, Management, Cisco 4GE SSM, and SSM ports. In this document, SSM refers to an intelligent SSM, the AIP SSM, or the CSC SSM. This chapter includes the following sections:
• Connecting Cables to Interfaces, page 4-2
• What to Do Next, page 4-10
Note: The 4GE SSM, AIP SSM, and CSC SSM are optional security services modules.
Connecting Cables to Interfaces
To connect cables to the interfaces, perform the following steps:
Step 1 Place the chassis on a flat, stable surface, or in a rack (if you are rack-mounting it).
Step 2 Before connecting a computer or terminal to the ports, check the baud rate of the serial port. The baud rate must match the default baud rate (9600 baud) of the Console port of the adaptive security appliance.
Figure 4-1 Connecting to the Management Port (figure)
1 Management port
2 RJ-45 to RJ-45 Ethernet cable
b. Console port
– Connect the serial console cable as shown in Figure 4-2. The console cable has a DB-9 connector on one end for the serial port on your computer, and the other end is an RJ-45 connector.
– Connect the RJ-45 connector to the Console port on the adaptive security appliance.
– Connect the other end of the cable, the DB-9 connector, to the console port on your computer.
c. Auxiliary port
– Connect the serial console cable as shown in Figure 4-2. The console cable has a DB-9 connector on one end for the serial port on your computer, and the other end is an RJ-45 connector.
– Connect the RJ-45 connector to the Auxiliary port (labeled AUX) on the adaptive security appliance, as shown in Figure 4-3.
– Connect the other end of the cable, the DB-9 connector, to the serial port on your computer.
d. Cisco 4GE SSM
• Ethernet port
– Connect one RJ-45 connector to the Ethernet port of the Cisco 4GE SSM as shown in Figure 4-4.
– Connect the other end of the Ethernet cable to your network device, such as a router, switch, or hub.
Note: The Cisco 4GE SSM is optional; this connection is necessary only if you have installed the Cisco 4GE SSM on the adaptive security appliance.
• SFP modules
– Insert and slide the SFP module into the SFP port until you hear a click. The click indicates that the SFP module is locked into the port.
– Remove the optical port plugs from the installed SFP as shown in Figure 4-5.
Figure 4-5 Removing the Optical Port Plug (figure)
1 Optical port plug
2 SFP module
– Connect the LC connector to the SFP module as shown in Figure 4-6.
Figure 4-6 Connecting the LC Connector (figure)
1 LC connector
2 SFP module
– Connect the other end to your network devices, such as routers, switches, or hubs.
e. SSM
– Connect one RJ-45 connector to the management port on the SSM, as shown in Figure 4-7.
– Connect the other end of the RJ-45 cable to your network devices.
Figure 4-7 Connecting to the Management Port (figure)
1 SSM management port
2 RJ-45 to RJ-45 cable
f. Ethernet ports
– Connect the RJ-45 connector to the Ethernet port as shown in Figure 4-8.
– Connect the other end of the Ethernet cable to your network device, such as a router, switch, or hub.
CHAPTER 5 Configuring the Adaptive Security Appliance

This chapter describes the initial configuration of the adaptive security appliance. You can perform the configuration steps using either the browser-based Cisco Adaptive Security Device Manager (ASDM) or the command-line interface (CLI). However, the procedures in this chapter refer to the method using ASDM.
Note: To use ASDM, you must have a DES license or a 3DES-AES license.
By default, the adaptive security appliance Management interface is configured with a default DHCP address pool. This configuration enables a client on the inside network to obtain a DHCP address from the adaptive security appliance to connect to the appliance. Administrators can then configure and manage the adaptive security appliance using ASDM.
In addition to its complete configuration and management capability, ASDM features intelligent wizards to simplify and accelerate the deployment of the adaptive security appliance. To use ASDM, you must have a DES license or a 3DES-AES license. In addition, Java and JavaScript must be enabled in your web browser.
Using the Startup Wizard
ASDM includes a Startup Wizard to simplify the initial configuration of your adaptive security appliance. With a few steps, the Startup Wizard enables you to configure the adaptive security appliance so that it allows packets to flow securely between the inside network (GigabitEthernet0/1) and the outside network (GigabitEthernet0/0).
b. In the address field of the browser, enter this URL: https://192.168.1.1/. The adaptive security appliance ships with a default IP address of 192.168.1.1.
Note: Remember to add the “s” in “https” or the connection fails. HTTPS (HTTP over SSL) provides a secure connection between your browser and the adaptive security appliance.
Step 5 In the dialog box that requires a username and password, leave both fields empty. Press Enter.
What to Do Next
To Do This ... | See ...
CHAPTER 6 Scenario: DMZ Configuration

This chapter describes a configuration scenario in which the adaptive security appliance is used to protect network resources located in a demilitarized zone (DMZ). A DMZ is a separate network located in the neutral zone between a private (inside) network and a public (outside) network.
Example DMZ Network Topology
Figure 6-1 Network Layout for DMZ Configuration Scenario (figure: the security appliance has an inside interface on the 10.10.10.0 private network, an outside interface with the public address 209.165.200.225 facing the Internet, and a DMZ interface on the 10.30.30.0 private network; the DMZ web server has the private IP address 10.30.30.30 and the public IP address 209.165.200.)
Figure 6-2 Outgoing HTTP Traffic Flow from the Private Network (figure: HTTP clients on the 10.10.10.0 private network send HTTP requests; for a request to the Internet, the internal IP address is translated to the address of the outside interface, 209.165.200.225; for a request to the DMZ web server, which has the private IP address 10.30.30.30 and the public IP address 209.165.200., the internal IP address is translated to an address from the IP pool)
Figure 6-3 Incoming HTTP Traffic Flow From the Internet (figure: 1 An HTTP client on the Internet sends an HTTP request to the public address of the DMZ web server. 2 The incoming request destined for the public address of the DMZ web server is intercepted by the security appliance. 3 Destination IP address. 4 The web server receives the request for content. The DMZ web server has the private IP address 10.30.30.30 and the public IP address 209.165.200.)
Configuring the Security Appliance for a DMZ Deployment
This configuration procedure assumes that the adaptive security appliance already has interfaces configured for the inside interface, the DMZ interface, and the outside interface. Set up interfaces of the adaptive security appliance by using the Startup Wizard in ASDM. Be sure that the DMZ interface security level is set between 0 and 100. (A common choice is 50.)
• For the internal clients to have access to HTTP and HTTPS resources on the Internet, you must create a rule that translates the real IP addresses of internal clients to an external address that can be used as the source address.
Creating IP Pools for Network Address Translation
The adaptive security appliance uses Network Address Translation (NAT) and Port Address Translation (PAT) to prevent internal IP addresses from being exposed externally. This procedure describes how to create a pool of IP addresses that the DMZ interface and outside interface can use for address translation.
To configure a pool of IP addresses that can be used for network address translation, perform the following steps:
Step 1 In the ASDM window, click the Configuration tool.
a. In the Features pane, click NAT. The NAT Configuration screen appears.
b. In the right pane, click the Global Pools tab.
c. Click Add to create a new global pool for the DMZ interface. The Add Global Address Pool dialog box appears.
d. From the Interfaces drop-down list, choose DMZ.
e. To create a new IP pool, enter a unique Pool ID. In this scenario, the Pool ID is 200.
f. In the IP Addresses to Add area, specify the range of IP addresses to be used by the DMZ interface:
– Click the Range radio button.
– Enter the Starting IP address and Ending IP address of the range. In this scenario, the range of IP addresses is 10.30.30.50–10.30.
g. Click Add to add this range of IP addresses to the Address Pool. The Add Global Pool dialog box configuration should be similar to the following:
h. Click OK to return to the Configuration > NAT window.
Step 2 Add addresses to the IP pool to be used by the outside interface.
e. Click the Port Address Translation (PAT) using the IP address of the interface radio button. If you select the option Port Address Translation using the IP address of the interface, all traffic initiated from the inside network exits the adaptive security appliance using the IP address of the outside interface. To the devices on the Internet, it appears that all traffic is coming from this one IP address.
The displayed configuration should be similar to the following:
Step 3 Confirm that the configuration values are correct.
Step 4 Click Apply in the main ASDM window.

Configuring NAT for Inside Clients to Communicate with the DMZ Web Server
In the previous procedure, you created a pool of IP addresses that could be used by the adaptive security appliance to mask the private IP addresses of inside clients.
In this procedure, you configure a Network Address Translation (NAT) rule that associates IP addresses from this pool with the inside clients so they can communicate securely with the DMZ web server. To configure NAT between the inside interface and the DMZ interface, perform the following steps starting from the main ASDM window:
Step 1 In the main ASDM window, click the Configuration tool.
c. Click OK to add the Dynamic NAT Rule and return to the Configuration > NAT window. Review the configuration screen to verify that the translation rule appears as you expected.
The displayed configuration should be similar to the following:
Step 6 Click Apply to complete the adaptive security appliance configuration changes.
For many configurations, you would also need to create a NAT rule between the inside interface and the outside interface to enable inside clients to communicate with the Internet. However, in this scenario you do not need to create this rule explicitly.
Step 5 In the Static Translation area, specify the public IP address to be used for the web server:
a. From the Interface drop-down list, choose Outside.
b. From the IP Address drop-down list, choose the public IP address of the DMZ web server. In this scenario, the public IP address of the DMZ web server is 209.165.200.226.
The displayed configuration should be similar to the following:
Step 7 Click Apply to complete the adaptive security appliance configuration changes.

Providing Public HTTP Access to the DMZ Web Server
By default, the adaptive security appliance denies all traffic coming in from the public network.
appliance that processes the traffic, whether the traffic is incoming or outgoing, the origin and destination of the traffic, and the type of traffic protocol and service to be permitted. In this section, you create an access rule that permits incoming HTTP traffic originating from any host or network on the Internet, if the destination of the traffic is the web server on the DMZ network.
Step 2 In the Interface and Action area:
a. From the Interface drop-down list, choose Outside.
b. From the Direction drop-down list, choose Incoming.
c. From the Action drop-down list, choose Permit.
Step 3 In the Source area:
a. From the Type drop-down list, choose IP Address.
b. Enter the IP address of the source host or source network. Use 0.0.0.
Alternatively, if the address of the source host or network is preconfigured, choose the source IP address from the IP Address drop-down list.
c. Enter the netmask for the source IP address or select one from the Netmask drop-down list.
Step 4 In the Destination area:
a. In the IP address field, enter the public IP address of the destination host or network, such as a web server.
At this point, the entries in the Add Access Rule dialog box should be similar to the following:
Step 6 Click OK. The displayed configuration should be similar to the following. Verify that the information you entered is accurate.
Step 7 Click Apply to save the configuration changes to the configuration that the adaptive security appliance is currently running. Clients on both the private and public networks can now resolve HTTP requests for content from the DMZ web server, while keeping the private network secure.
Note: Although the destination address specified is the private address of the DMZ web server (10.30.30.
Step 8 If you want the configuration changes to be saved to the startup configuration so that they are applied the next time the device starts, from the File menu, click Save. Alternatively, ASDM prompts you to save the configuration changes permanently when you exit ASDM. If you do not save the configuration changes, the old configuration takes effect the next time the device starts.
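The whole DMZ scenario, from the global pools through the access rule and the save in Step 8, expressed as the equivalent CLI configuration. This is an added example and not part of the guide, which shows only the ASDM steps. It assumes ASA software of the 7.x generation, whose global/nat/static syntax corresponds to the Pool ID and interface-PAT choices made in the wizard; the DMZ interface slot (GigabitEthernet0/2), the interface host addresses and masks, the access-list name, and the end of the DMZ pool range (10.30.30.60, because the guide's text is cut off after 10.30.30.50) are assumptions. The inside/outside interface names and the web server addresses are the guide's own.

```text
! Added example, not from the guide. ASA 7.x-style NAT syntax assumed.
! Interface names follow the Startup Wizard (GigabitEthernet0/1 inside,
! GigabitEthernet0/0 outside); the DMZ slot, host addresses and masks are
! assumptions. The DMZ security level of 50 is the guide's "common choice".
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 209.165.200.225 255.255.255.224
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif DMZ
 security-level 50
 ip address 10.30.30.1 255.255.255.0
!
! Pool ID 200 on two interfaces: a range of DMZ-side addresses (end address
! assumed) for inside-to-DMZ traffic, and PAT on the outside interface address
! for inside-to-Internet traffic. Because both globals carry the same ID, the
! single nat rule below serves both paths; this is why the guide says no
! separate inside-to-outside rule is needed in this scenario.
global (DMZ) 200 10.30.30.50-10.30.30.60
global (outside) 200 interface
nat (inside) 200 10.10.10.0 255.255.255.0
!
! Static translation: the web server's private address 10.30.30.30 is seen
! from the outside only as its public address 209.165.200.226.
static (DMZ,outside) 209.165.200.226 10.30.30.30 netmask 255.255.255.255
!
! Access rule for the outside interface, inbound: permit TCP port 80 from any
! Internet host to the web server's public (translated) address. Nothing else
! arriving on outside is listed, so it stays denied by the implicit deny at
! the end of the access list, matching the default-deny the guide describes.
access-list outside_access_in extended permit tcp any host 209.165.200.226 eq www
access-group outside_access_in in interface outside
!
! Step 8 equivalent: copy the running configuration to the startup
! configuration so it survives a reload.
write memory
```

After traffic has flowed, show xlate lists the static entry for 10.30.30.30 alongside the dynamic and PAT entries built for inside clients, and show access-list outside_access_in shows a hit count on the permit line. A permit line whose hit count never moves, or an xlate table holding more than the three kinds of entries above, is the first sign that the translation and the access rule do not line up; in this NAT model the rule has to name the public address, as Step 4 of the access-rule procedure says.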
What to Do Next
To Do This ... | See ...
CHAPTER 7 Scenario: Remote-Access VPN Configuration

This chapter describes how to use the adaptive security appliance to accept remote-access IPsec VPN connections. A remote-access VPN enables you to create secure connections, or tunnels, across the Internet, thus providing secure access to off-site users. If you are implementing an Easy VPN solution, this chapter describes how to configure the Easy VPN server (sometimes called a headend device).
Implementing the IPsec Remote-Access VPN Scenario
Figure 7-1 Network Layout for Remote Access VPN Scenario (figure: a VPN client (user 1) on the Internet connects to the outside interface of the security appliance; the inside interface connects to the internal network 10.10.10.0, which contains the DNS server 10.10.10.163 and the WINS server 10.10.10.)
• Specifying the VPN Tunnel Group Name and Authentication Method, page 7-7
• Specifying a User Authentication Method, page 7-8
• (Optional) Configuring User Accounts, page 7-10
• Configuring Address Pools, page 7-11
• Configuring Client Attributes, page 7-12
• Configuring the IKE Policy, page 7-13
• Configuring IPsec Encryption and Authentication Parameters, page 7-15
• Specifying Address T
Starting ASDM
To run ASDM in a web browser, enter the factory default IP address in the address field: https://192.168.1.1/admin/.
Note: Remember to add the “s” in “https” or the connection fails. HTTPS (HTTP over SSL) provides a secure connection between your browser and the adaptive security appliance.
The Main ASDM window appears.
Configuring the FWSM for an IPsec Remote-Access VPN
To begin the process for configuring a remote-access VPN, perform the following steps:
Step 1 In the main ASDM window, choose VPN Wizard from the Wizards drop-down menu. The VPN Wizard Step 1 screen appears.
Step 2 In Step 1 of the VPN Wizard, perform the following steps:
a. Click the Remote Access VPN radio button.
Selecting VPN Client Types
In Step 2 of the VPN Wizard, perform the following steps:
Step 1 Specify the type of VPN client that will enable remote users to connect to this adaptive security appliance. For this scenario, click the Cisco VPN Client radio button. You can also use any other Cisco Easy VPN remote product.
Step 2 Click Next to continue.
Specifying the VPN Tunnel Group Name and Authentication Method
In Step 3 of the VPN Wizard, perform the following steps:
Step 1 Specify the type of authentication that you want to use by performing one of the following steps:
• To use a static preshared key for authentication, click the Pre-Shared Key radio button and enter a preshared key (for example, “Cisco”).
Step 2 Enter a Tunnel Group Name (such as “Cisco”) for the set of users that use common connection parameters and client attributes to connect to this adaptive security appliance.
Step 3 Click Next to continue.
In Step 4 of the VPN Wizard, perform the following steps:
Step 1 If you want to authenticate users by creating a user database on the adaptive security appliance, click the Authenticate Using the Local User Database radio button.
Step 2 If you want to authenticate users with an external AAA server group:
a. Click the Authenticate Using an AAA Server Group radio button.
(Optional) Configuring User Accounts
If you have chosen to authenticate users with the local user database, you can create new user accounts here. You can also add users later using the ASDM configuration interface. In Step 5 of the VPN Wizard, perform the following steps: Step 1 To add a new user, enter a username and password, and then click Add.
Configuring Address Pools
For remote clients to gain access to your network, you must configure a pool of IP addresses that can be assigned to remote VPN clients as they are successfully connected. In this scenario, the pool is configured to use the range of IP addresses 209.165.201.1–209.165.201.20.
Step 3 Click Next to continue.
Configuring Client Attributes
To access your network, each remote-access client needs basic network configuration information, such as which DNS and WINS servers to use and the default domain name. Rather than configuring each remote client individually, you can provide the client information to ASDM.
In Step 7 of the VPN Wizard, perform the following steps: Step 1 Enter the network configuration information to be pushed to remote clients. Step 2 Click Next to continue.
Configuring the IKE Policy
IKE is a negotiation protocol that includes an encryption method to protect data and ensure privacy; it also includes an authentication method to ensure the identity of the peers.
To specify the IKE policy in Step 8 of the VPN Wizard, perform the following steps: Step 1 Choose the encryption algorithm (DES/3DES/AES), the authentication algorithm (MD5/SHA), and the Diffie-Hellman group (1/2/5/7) used by the adaptive security appliance during an IKE security association. Of the options offered here, choose AES, SHA, and group 5: DES and MD5 are broken, and groups 1 and 2 (768- and 1024-bit moduli) are too small for current guidance. Step 2 Click Next to continue.
Configuring IPsec Encryption and Authentication Parameters
In Step 9 of the VPN Wizard, perform the following steps: Step 1 Choose the encryption algorithm (DES/3DES/AES) and the authentication algorithm (MD5/SHA) for the IPsec security association; as with the IKE policy, prefer AES and SHA. Step 2 Click Next to continue.
Specifying Address Translation Exception and Split Tunneling
Split tunneling lets a remote-access IPsec client conditionally direct packets over an IPsec tunnel in encrypted form or to a network interface in clear text form. The adaptive security appliance uses Network Address Translation (NAT) to prevent internal IP addresses from being exposed externally.
Step 2 Enable split tunneling by checking the Enable Split Tunneling check box at the bottom of the screen. Note: Split tunneling allows traffic outside the configured networks to be sent out directly to the Internet instead of over the encrypted VPN tunnel. While connected, a split-tunneled client is reachable from the Internet and from your internal network at the same time, so leave the check box clear unless you need the bandwidth saving and accept that exposure. Click Next to continue.
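The CLI equivalent of the wizard steps in this chapter, added here as an example; it is not a listing from the guide. It uses the names and addresses of this scenario (tunnel group and group policy “Cisco”, pool 209.165.201.1 to 209.165.201.20, inside network 10.10.10.0/24) and assumes the ASA 7.2-style syntax that predates the 8.3 NAT change (crypto isakmp submode, tunnel-group type ipsec-ra, nat 0 exemption); the DNS and WINS addresses, domain name, username, password, and preshared key are placeholders.

```cisco
! Added example: CLI equivalent of the remote-access VPN wizard.
! Assumes ASA 7.2-style, pre-8.3 syntax. Addresses other than the pool and
! 10.10.10.0/24 are placeholders.

! Step 6: pool handed to connecting clients (/27 covers .1 to .30)
ip local pool vpnpool 209.165.201.1-209.165.201.20 mask 255.255.255.224

! Step 7 and Step 10: attributes pushed to the client. Delete the two
! split-tunnel lines to send all client traffic through the tunnel instead.
access-list split_tunnel standard permit 10.10.10.0 255.255.255.0
group-policy Cisco internal
group-policy Cisco attributes
 dns-server value 10.10.10.5
 wins-server value 10.10.10.6
 default-domain value example.com
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_tunnel

! Step 5: local user database (placeholder credentials)
username vpnuser password CHANGE-ME

! Steps 3 and 4: tunnel group, local authentication, group preshared key
tunnel-group Cisco type ipsec-ra
tunnel-group Cisco general-attributes
 address-pool vpnpool
 default-group-policy Cisco
 authentication-server-group LOCAL
tunnel-group Cisco ipsec-attributes
 pre-shared-key CHANGE-ME-long-random-key

! Step 8: IKE policy. AES/SHA/group 5, not the DES/MD5/group 1 options.
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto isakmp enable outside

! Step 9: IPsec transform set; a dynamic map because client addresses are unknown
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map dyn_map 10 set transform-set ESP-AES256-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic dyn_map
crypto map outside_map interface outside

! Step 10: NAT exemption so pool addresses reach 10.10.10.0/24 untranslated
access-list nonat extended permit ip 10.10.10.0 255.255.255.0 209.165.201.0 255.255.255.224
nat (inside) 0 access-list nonat
```

After a client connects, show vpn-sessiondb remote should list it with an address from vpnpool, and the counters in show crypto ipsec sa should increment as traffic to 10.10.10.0/24 flows.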
If you are satisfied with the configuration, click Finish to apply the changes to the adaptive security appliance. If you want the configuration changes to be saved to the startup configuration so that they are applied the next time the device starts, from the File menu, click Save. Alternatively, ASDM prompts you to save the configuration changes permanently when you exit ASDM.
What to Do Next
CHAPTER 8 Scenario: Site-to-Site VPN Configuration
This chapter describes how to use the adaptive security appliance to create a site-to-site VPN. Site-to-site VPN features provided by the adaptive security appliance enable businesses to extend their networks across low-cost public Internet connections to business partners and remote offices worldwide while maintaining their network security.
Implementing the Site-to-Site Scenario
Figure 8-1 Network Layout for Site-to-Site VPN Configuration Scenario: Site A has Security Appliance 1 with inside network 10.10.10.0 and outside address 209.165.200.226; Site B has Security Appliance 2 with inside network 10.20.20.0 and outside address 209.165.200.236; the two outside interfaces are connected across the Internet.
Creating a VPN site-to-site deployment such as the one in Figure 8-1 requires you to configure two adaptive security appliances, one on each side of the connection.
Configuring the Site-to-Site VPN
This section describes how to use the ASDM VPN Wizard to configure the adaptive security appliance for a site-to-site VPN.
Configuring the Security Appliance at the Local Site
Note: The adaptive security appliance at the first site is referred to as Security Appliance 1 from this point forward. To configure Security Appliance 1, perform the following steps: Step 1 In the main ASDM window, choose the VPN Wizard option from the Wizards drop-down menu. ASDM opens the first VPN Wizard screen.
In Step 1 of the VPN Wizard, perform the following steps: a. Click the Site-to-Site VPN radio button. Note: The Site-to-Site VPN option connects two IPsec security gateways, which can include adaptive security appliances, VPN concentrators, or other devices that support site-to-site IPsec connectivity. b. From the drop-down list, choose Outside as the enabled interface for the current VPN tunnel. c.
Providing Information About the Remote VPN Peer
The VPN peer is the system on the other end of the connection that you are configuring, usually at a remote site. Note: In this scenario, the remote VPN peer is referred to as Security Appliance 2 from this point forward.
Step 3 Click Next to continue.
Configuring the IKE Policy
IKE is a negotiation protocol that includes an encryption method to protect data and ensure privacy; it also includes an authentication method to ensure the identity of the peers. In most cases, the ASDM default values are sufficient to establish secure VPN tunnels between two peers.
Note: When configuring Security Appliance 2, enter the exact values for each of the options that you chose for Security Appliance 1. Encryption mismatches are a common cause of VPN tunnel failures and can slow down the process. On both sides, prefer AES, SHA, and group 5 over DES, MD5, and group 1. Step 2 Click Next to continue.
Configuring IPsec Encryption and Authentication Parameters
In Step 4 of the VPN Wizard, perform the following steps: Step 1 Choose the encryption algorithm (DES/3DES/AES) and authentication algorithm (MD5/SHA) from the drop-down lists. Step 2 Click Next to continue.
Specifying Hosts and Networks
Identify hosts and networks at the local site that are permitted to use this IPsec tunnel to communicate with the remote-site peer. Add or remove hosts and networks dynamically by clicking Add or Delete, respectively. In the current scenario, traffic from Network A (10.10.10.0) is encrypted by Security Appliance 1 and transmitted through the VPN tunnel.
Step 5 Click Next to continue.
Viewing VPN Attributes and Completing the Wizard
In Step 6 of the VPN Wizard, review the configuration list for the VPN tunnel you just created. If you are satisfied with the configuration, click Finish to apply the changes to the adaptive security appliance.
If you want the configuration changes to be saved to the startup configuration so that they are applied the next time the device starts, from the File menu, click Save. Alternatively, ASDM prompts you to save the configuration changes permanently when you exit ASDM. If you do not save the configuration changes, the old configuration takes effect the next time the device starts.
Configuring the Other Side of the VPN Connection
You have just configured the local adaptive security appliance. Now you need to configure the adaptive security appliance at the remote site. At the remote site, configure the second adaptive security appliance to serve as a VPN peer.
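Both sides of the Figure 8-1 tunnel as CLI, added here as an example that is not part of the guide. It assumes the same pre-8.3, ASA 7.2-style syntax as the remote-access example in Chapter 7, the addresses in Figure 8-1, and a placeholder preshared key that must be identical on both appliances; the access list, transform set, and crypto map names are assumptions.

```cisco
! Added example: site-to-site tunnel between the two appliances of Figure 8-1.
! Assumes ASA 7.2-style, pre-8.3 syntax. Preshared key is a placeholder.

! ---- Security Appliance 1 (Site A, outside 209.165.200.226) ----
! Step 5: interesting traffic, Network A to Network B, exempted from NAT
access-list site_b extended permit ip 10.10.10.0 255.255.255.0 10.20.20.0 255.255.255.0
nat (inside) 0 access-list site_b
! Step 3: IKE policy. Security Appliance 2 must use identical values.
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto isakmp enable outside
! Step 4: IPsec parameters and a static crypto map toward the peer
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 10 match address site_b
crypto map outside_map 10 set peer 209.165.200.236
crypto map outside_map 10 set transform-set ESP-AES256-SHA
crypto map outside_map interface outside
! Step 2: the peer is named by its outside address; LAN-to-LAN tunnel group
tunnel-group 209.165.200.236 type ipsec-l2l
tunnel-group 209.165.200.236 ipsec-attributes
 pre-shared-key CHANGE-ME-long-random-key

! ---- Security Appliance 2 (Site B, outside 209.165.200.236) ----
! Mirror image: networks swapped, peer and tunnel group point at Site A,
! every IKE and IPsec value and the key unchanged.
access-list site_a extended permit ip 10.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list site_a
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto isakmp enable outside
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 10 match address site_a
crypto map outside_map 10 set peer 209.165.200.226
crypto map outside_map 10 set transform-set ESP-AES256-SHA
crypto map outside_map interface outside
tunnel-group 209.165.200.226 type ipsec-l2l
tunnel-group 209.165.200.226 ipsec-attributes
 pre-shared-key CHANGE-ME-long-random-key
```

Send traffic from 10.10.10.0/24 to 10.20.20.0/24 and check show crypto isakmp sa and show crypto ipsec sa on both appliances. If the Phase 1 SA never becomes active, compare the two crypto isakmp policy blocks and the two preshared keys line by line before looking anywhere else; that mismatch is the failure the Note in the IKE policy step warns about.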
What to Do Next
You can configure the adaptive security appliance for more than one application. The following sections provide configuration procedures for other common applications of the adaptive security appliance.
CHAPTER 9 Configuring the AIP SSM
The optional AIP SSM runs advanced IPS software that provides further security inspection either in inline mode or promiscuous mode. The adaptive security appliance diverts packets to the AIP SSM just before the packet exits the egress interface (or before VPN encryption occurs, if configured) and after other firewall policies are applied. For example, packets that are blocked by an access list are not forwarded to the AIP SSM.
AIP SSM Configuration
This section includes the following topics: • Overview of Configuration Process, page 9-2 • Configuring the ASA 5500 to Divert Traffic to the AIP SSM, page 9-2 • Sessioning to the AIP SSM and Running Setup, page 9-5
Overview of Configuration Process
Configuring the AIP SSM is a three-part process that involves configuration of the adaptive security appliance first, then configuration of the AIP SSM, and then the configuration of the IPS software.
Configuring the ASA 5500 to Divert Traffic to the AIP SSM
To identify traffic to divert from the adaptive security appliance to the AIP SSM, perform the following steps: Step 1 Create an access list that matches all traffic:
hostname(config)# access-list acl-name permit ip any any
Step 2 Create a class map to identify the traffic that should be diverted to the AIP SSM.
The inline and promiscuous keywords control the operating mode of the AIP SSM. The fail-close and fail-open keywords control how the adaptive security appliance treats traffic when the AIP SSM is unavailable: fail-open keeps matched traffic flowing uninspected while the module is down or reloading, and fail-close drops it. Choose fail-close where the inspection is a control you rely on, and fail-open only where availability outweighs it. For more information about the operating modes and failure behavior, see the “AIP SSM Configuration” section on page 9-1.
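The complete diversion configuration for Steps 1 and 2 above, added here as an example rather than taken from the guide's own listing. The access list and class map names are assumptions; global_policy is the policy map that the ASA's default configuration already applies globally, so the ips action is added to it instead of creating a second policy.

```cisco
! Added example: divert all traffic to the AIP SSM inline and fail closed.
! Names are assumptions; global_policy is the default policy map that ships
! with the ASA and is already applied with "service-policy global_policy global".

! Step 1: access list matching all traffic (narrow it later to what you
! actually want inspected; access-list denies are never sent to the SSM)
access-list IPS_TRAFFIC extended permit ip any any

! Step 2: class map that selects that traffic
class-map IPS_CLASS
 match access-list IPS_TRAFFIC

! Step 3: the ips action. inline = the SSM sits in the packet path and can
! drop; promiscuous = it inspects a copy and cannot drop the original packet.
! fail-close drops matched traffic while the SSM is down or reloading;
! fail-open passes it unscanned.
policy-map global_policy
 class IPS_CLASS
  ips inline fail-close

! Step 4: apply (or re-apply) the policy on every interface
service-policy global_policy global

! Verify the module reports Up and the class shows IPS counters
show module 1 details
show service-policy

! Initial SSM configuration: session in from the appliance and run setup.
! The IPS software's default login is cisco/cisco and it forces a change
! of that password at first login.
session 1
```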
Sessioning to the AIP SSM and Running Setup
After you have completed configuration of the ASA 5500 series adaptive security appliance to divert traffic to the AIP SSM, session to the AIP SSM and run the setup utility for initial configuration. Note: You can either session to the SSM from the adaptive security appliance (by using the session 1 command) or you can connect directly to the SSM using SSH or Telnet on its management interface. Prefer SSH; Telnet sends the login credentials and the whole session in clear text.
this product you agree to comply with applicable laws and regulations. If you are unable to comply with U.S. and local laws, return this product immediately. A summary of U.S. laws governing Cisco cryptographic products may be found at: http://www.cisco.com/wwl/export/crypto/tool/stqrg.html If you require further assistance please contact us by sending email to export@cisco.com. ***LICENSE NOTICE*** There is no license key installed on the system.
What to Do Next
You are now ready to configure the adaptive security appliance for intrusion prevention. Use the following documents to continue configuring the adaptive security appliance for your implementation.
You can configure the adaptive security appliance for more than one application. The following sections provide configuration procedures for other common applications of the adaptive security appliance.
CHAPTER 10 Configuring the CSC SSM
The ASA 5500 series adaptive security appliance supports the CSC SSM, which runs Content Security and Control software. The CSC SSM provides protection against viruses, spyware, spam, and other unwanted traffic. It accomplishes this by scanning the FTP, HTTP, POP3, and SMTP traffic that is diverted to it by the adaptive security appliance. Note: The CSC SSM requires ASA software release 7.1.1 or later.
About Deploying the Security Appliance with the CSC SSM
In addition to obtaining content profiles from Trend Micro, system administrators can also customize the configuration so that the CSC SSM scans for additional traffic types or locations. For example, system administrators can configure the CSC SSM to block or filter specific URLs, as well as scan for FTP and email parameters. You use ASDM for system setup and monitoring of the CSC SSM.
Figure 10-1 CSC SSM Traffic Flow: a client request arrives at the security appliance main system on the inside interface, the modular service policy diverts it to the CSC SSM for a content security scan, the scanned request is forwarded out the outside interface to the server, and the server's reply is diverted and forwarded the same way in reverse.
In this example, clients could be network users who are accessing a website, downloading files from an FTP server, or retrieving mail from a POP3 server.
Note: The CSC SSM handles SMTP traffic somewhat differently than other content types. After the CSC SSM receives SMTP traffic and scans it, it does not forward the traffic back to the adaptive security appliance for routing. Rather, the CSC SSM forwards the SMTP traffic directly to the SMTP servers protected by the adaptive security appliance.
Scenario: Security Appliance with CSC SSM Deployed for Content Security
In this scenario, the customer has deployed an adaptive security appliance with a CSC SSM for content security. Of particular interest are the following points: • The adaptive security appliance is on a dedicated management network. Although using a dedicated management network is not required, we recommend it for security purposes.
If you followed the procedures in earlier chapters of this document, at this point you have an ASA system running with licensed software, and you have entered basic system values using the Setup Wizard. Your next steps are to configure the adaptive security appliance for a content security deployment. The basic steps are: 1. Obtain software activation key from Cisco.com. 2.
Note: The SSM management port IP address must be accessible by the hosts used to run ASDM. The IP addresses for the SSM management port and the adaptive security appliance management interface can be in different subnets.
Step 4 Click Yes to accept the certificates. Click Yes for all subsequent authentication and certificate dialog boxes. The ASDM Main window appears.
Verify Time Settings
Verify the accuracy of the adaptive security appliance time settings, including the time zone. Time accuracy is important for logging security events and for automatic updates of the content filter lists on the CSC SSM.
• If you are using NTP to control time settings, verify the NTP configuration. In ASDM, click Configuration > Properties > Device Administration > NTP.
Run the CSC Setup Wizard
Step 1 In the main ASDM window, click the Configuration tab. Step 2 In the left pane, click the Trend Micro Content Security tab. The Wizard Setup screen appears.
Step 4 Click Next. Step 5 In Step 2 of the CSC Wizard, enter the following information: • IP address, netmask, and gateway IP address for the CSC management interface • IP address for the primary DNS server • IP address and proxy port of the HTTP proxy server (only if your network uses an HTTP proxy for sending HTTP requests to the Internet) Step 6 Click Next.
• Domain name used by the local mail server as the incoming domain. Anti-spam policies are applied only to email traffic coming into this domain. • Administrator email address and the email server IP address and port to be used for notifications. Step 8 Click Next.
By default, all networks have management access to the CSC SSM. For security purposes, we recommend that you restrict access to specific subnets or management hosts. Step 10 Click Next.
Step 11 In Step 5 of the CSC Setup Wizard, enter a new password for management access. Enter the factory default password, “cisco,” in the Old Password field. Step 12 Click Next.
Step 13 In Step 6 of the CSC Setup Wizard, review the configuration settings you just entered for the CSC SSM. If you are satisfied with these settings, click Finish. ASDM shows a message indicating that the CSC device is now active.
To simplify the initial configuration process, this procedure creates a global service policy that diverts all traffic for the supported protocols to the CSC SSM, both inbound and outbound. Because scanning all traffic coming through the adaptive security appliance may reduce the performance of the adaptive security appliance and the CSC SSM, you may want to revise this security policy later.
Step 5 Click Next. The Traffic Classification Criteria page appears. Step 6 In the Traffic Classification Criteria page, click the Use class-default as the traffic class radio button. Step 7 Click Next. The Add Service Policy Rule Wizard - Rule Actions page appears.
Step 8 In the Service Policy Rule Wizard, click the CSC Scan tab. Step 9 On the CSC Scan tab page, check the Enable CSC scan for this traffic flow check box. In the If CSC card fails, then area, choose whether the adaptive security appliance should permit or deny selected traffic if the CSC SSM is unavailable. Permit keeps mail, web, and FTP traffic flowing unscanned while the module is down or reloading; deny blocks it until the module recovers. Choose deny where the scan is a control you rely on.
Step 10 Click Finish.
The new service policy appears in the Service Policy Rules pane. Step 11 Click Apply. By default, the CSC SSM is configured to perform content security scans enabled by the license you purchased (which may include anti-virus, anti-spam, anti-phishing, and content filtering). It is also configured to get periodic updates from the Trend Micro update server.
If included in the license you purchased, you can create custom settings for URL blocking and URL filtering, as well as email and FTP parameters. For more information, see the Cisco Content Security and Control SSM Administrator Guide.
What to Do Next
You are now ready to configure the Trend Micro InterScan for Cisco CSC SSM software. Use the following documents to continue configuring the adaptive security appliance for your implementation.
After you have configured the CSC SSM software, you may want to consider performing some of the following additional steps:
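The revision this procedure suggests, narrowing the wizard's class-default rule to only the protocols the CSC SSM scans, written as CLI. This is an added example, not the guide's own listing; the access list and class names are assumptions and global_policy is the ASA's default policy map, the one the wizard's rule was added to.

```cisco
! Added example: send only FTP, HTTP, POP3 and SMTP to the CSC SSM instead of
! class-default. Names are assumptions; global_policy is the default policy map.

! The CSC SSM scans only these four protocols, so nothing else needs diverting
access-list CSC_SCAN extended permit tcp any any eq ftp
access-list CSC_SCAN extended permit tcp any any eq www
access-list CSC_SCAN extended permit tcp any any eq pop3
access-list CSC_SCAN extended permit tcp any any eq smtp

class-map CSC_CLASS
 match access-list CSC_SCAN

! csc fail-close is the CLI form of "deny" in the If CSC card fails area of
! the wizard; csc fail-open is "permit" and passes traffic unscanned.
policy-map global_policy
 class CSC_CLASS
  csc fail-close

service-policy global_policy global

! Verify the module state and that the new class is counting packets
show module 1 details
show service-policy
```

Remove the wizard's csc action from class-default once this class is in place (no csc under class class-default in global_policy); otherwise class-default, which is always evaluated last, keeps diverting every other flow as well.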
CHAPTER 11 Configuring the 4GE SSM for Fiber
The 4GE Security Services Module (SSM) has four Ethernet ports, and each port has two media type options: SFP (Small Form-Factor Pluggable) fiber or RJ-45 copper. You can mix copper and fiber ports on the same 4GE card. Note: The 4GE SSM requires ASA software release 7.0(4) or later.
Cabling 4GE SSM Interfaces
To cable 4GE SSM interfaces, perform the following steps for each port you want to connect to a network device: To connect an RJ-45 (Ethernet) interface to a network device, perform the following steps for each interface: a. Locate a yellow Ethernet cable from the accessory kit. b. Connect one end of the cable to an Ethernet port on the 4GE SSM as shown in Figure 11-1.
Figure 11-2 Connecting the LC Connector (1: LC connector; 2: SFP module)
e. Connect the other end of the LC connector to your network device.
Setting the 4GE SSM Media Type for Fiber Interfaces (Optional)
After you have attached any SFP ports to your network devices, you must also change the media type setting for each SFP interface.
Note: Because the default media type setting is Ethernet, you do not need to change the media type setting for Ethernet interfaces you use. To set the media type for SFP interfaces using ASDM, perform the following steps starting from the main ASDM window: Step 1 At the top of the ASDM window, click the Configuration tab. Step 2 On the left side of the ASDM window, click the Interfaces tab.
What to Do Next
You have completed the initial configuration. You may want to consider performing some of the following additional steps:
CHAPTER A Obtaining a DES License or a 3DES-AES License
Cisco adaptive security appliances are available either with a DES or a 3DES-AES license that provides encryption technology to enable specific features, such as secure remote management (SSH, ASDM, and so on), site-to-site VPN, and remote-access VPN. The license is enabled through an encryption license key.
To use the activation key, perform the following steps:
Step 1 Command: hostname# show version. Purpose: Shows the software release, hardware configuration, license key, and related uptime data.
Step 2 Command: hostname# configure terminal. Purpose: Enters global configuration mode.
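Steps 1 and 2 above carried through to installing and checking the key, as an added example that is not the guide's own listing. The key value is a placeholder; a real key is issued against the chassis serial number that show version prints, so record that number before requesting one. Once the new key is active, the VPN-DES and VPN-3DES-AES lines of show version should read Enabled.

```cisco
! Added example: install an encryption license key and confirm it took effect.
! The key below is a placeholder 5-tuple, not a real key.

! Step 1: note the serial number and the current license state
hostname# show version

! Step 2: enter global configuration mode and apply the key issued for that serial
hostname# configure terminal
hostname(config)# activation-key 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000
hostname(config)# exit

! Step 3: confirm the encryption features now show Enabled
hostname# show version | include VPN
```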