Cisco ASA 5500 Series Adaptive Security Appliance Quick Start Guide

Contents
1 Verifying the Package Contents
2 Installing the Cisco ASA 5500 Series Adaptive Security Appliance
3 Configuring the Cisco ASA 5500 Series Adaptive Security Appliance
4 Common Configuration Scenarios
5 Optional SSM Setup and Configuration Procedures
6 Optional Maintenance and Upgrade Procedures
(Figure: front view of the Cisco ASA 5530 Adaptive Security Appliance, showing the POWER, STATUS, ACTIVE, VPN, and FLASH LEDs)

About the Cisco ASA 5500 Series Adaptive Security Appliance
The Cisco ASA 5500 series adaptive security appliance family delivers enterprise-class security for medium business-to-enterprise networks in a modular, purpose-built appliance.
1 Verifying the Package Contents Verify the contents of the packing box to ensure that you have received all items necessary to install your Cisco ASA 5500 series adaptive security appliance.
2 Installing the Cisco ASA 5500 Series Adaptive Security Appliance Warning This warning symbol means danger. You are in a situation that could cause bodily injury. Before you work on any equipment, be aware of the hazards involved with electrical circuitry and be familiar with standard practices for preventing accidents. Use the statement number provided at the end of each warning to locate its translation in the translated safety warnings that accompanied this device.
Use the following guidelines when installing the adaptive security appliance in a rack:
• Allow clearance around the rack for maintenance.
• When mounting a device in an enclosed rack, ensure adequate ventilation. An enclosed rack should never be overcrowded. Each unit generates heat.
• When mounting a device in an open rack, make sure that the rack frame does not block the intake or exhaust ports.
Figure 2 Rack Mounting the Chassis (figure: the ASA 5540 chassis being mounted in a rack)

Connecting the Interface Cables
To connect the interface cables, perform the following steps:
Step 2 Connect a computer or terminal to the adaptive security appliance for management access.
Note Before connecting a computer or terminal to the Console port, check the baud rate. The console port defaults to 9600 baud, 8 data bits, no parity, 1 stop bit, and no flow control; set the terminal emulator to match.
Step 3 Connect the RJ-45 connector of the blue console cable to the Console port on the rear panel of the adaptive security appliance. (See Figure 3.)
Step 4 Connect the DB-9 connector of the blue cable to the serial port on your computer or terminal.
3 Configuring the Cisco ASA 5500 Series Adaptive Security Appliance This section describes the initial configuration of the adaptive security appliance. You can perform the configuration steps using either the browser-based Cisco Adaptive Security Device Manager (ASDM) or the command-line interface (CLI). Note To use ASDM, you must have a DES license or a 3DES-AES license. For more information, see Obtaining DES and 3DES/AES Encryption Licenses, page 52.
About the Adaptive Security Device Manager The Adaptive Security Device Manager (ASDM) is a feature-rich graphical interface that enables you to manage and monitor the adaptive security appliance. Its web-based design provides secure access so that you can connect to and manage the adaptive security appliance from any location by using a web browser.
• The IP address range for the DHCP server.

To use the Startup Wizard to set up a basic configuration for the adaptive security appliance, perform the following steps:
Step 1 If you have not already done so, connect the MGMT interface to a switch or hub by using the Ethernet cable. To this same switch, connect a PC for configuring the adaptive security appliance.
4 Common Configuration Scenarios
This section provides configuration examples for three common deployments of the adaptive security appliance:
• Hosting a web server on a DMZ network
• Establishing remote-access VPN connections so that off-site clients can establish secure communications with the internal network
• Establishing a site-to-site VPN connection with other business partners or remote offices
Use these scenarios as a guide when you set up your network.
Because the DMZ web server is located on a private DMZ network, it is necessary to translate its private IP address to a public (routable) IP address. This public address allows external clients to access the DMZ web server in the same way that they access any server on the Internet. The DMZ configuration scenario shown in Figure 4 provides two routable IP addresses that are publicly available: one for the outside interface (209.165.200.
2. Click Configuration at the top of the ASDM window.
3. Choose the NAT feature on the left side of the ASDM window.
4. Click Manage Pools at the bottom of the ASDM window. The Manage Global Address Pools dialog box appears, allowing you to add or edit global address pools.
Note For most configurations, global pools are added to the less secure, or public, interfaces.
5. In the Manage Global Address Pools dialog box:
a. Choose the dmz interface (configured using the Startup Wizard before beginning this procedure).
b. Click Add. The Add Global Pool Item dialog box appears.
6. In the Add Global Pool Item dialog box:
a. Choose dmz from the Interface drop-down menu.
b. Click Range to enter the IP address range.
c. Enter the range of IP addresses for the DMZ interface. In this scenario, the range is 209.165.200.230 to 209.165.200.240.
d. Enter a unique Pool ID. In this scenario, the Pool ID is 200.
e. Click OK to return to the Manage Global Address Pools dialog box.
7. Click Add again to add a second pool item, this time for the outside interface.
8. When the Add Global Pool Item dialog box appears:
a. Choose outside from the Interface drop-down menu.
b. Click Port Address Translation (PAT) using the IP address of the interface.
c. Assign the same Pool ID for this pool as you did in Step 6d. (For this scenario, the Pool ID is 200.)
d. Click OK. The displayed configuration should be similar to the following:
9. Confirm that the configuration values are correct, then:
a. Click OK.
b. Click Apply in the main ASDM window.
Step 2: Configure Address Translations on Private Networks.
Network Address Translation (NAT) replaces the source IP address of traffic that crosses from one interface of the adaptive security appliance to another. This translation lets internal hosts reach the public network while keeping internal (private) IP addresses from being exposed on it.
6. Choose 255.255.255.224 from the Mask drop-down menu.
7. Select the DMZ interface from the Translate Address on Interface drop-down menu.
8. Click Dynamic in the Translate Address To section.
9. Choose 200 from the Address Pools drop-down menu for the Pool ID.
10. Click OK.
11. A dialog box appears asking if you want to proceed. Click Proceed.
12. On the NAT Translation Rules page, check the displayed configuration for accuracy.
13. Click Apply in the main ASDM window.
Step 3: Configure External Identity for the DMZ Web Server.
The DMZ web server needs to be reachable by all hosts on the Internet. This requires translating the web server's private IP address to a public one, so that outside HTTP clients reach it without being aware of the adaptive security appliance. Complete the following steps to map the web server IP address (10.30.30.30) statically to a public IP address (209.165.200.225):
Step 4: Provide HTTP Access to the DMZ Web Server. By default, the adaptive security appliance denies all traffic coming in from the public network. You must create access control rules on the adaptive security appliance to allow specific traffic types from the public network through the adaptive security appliance to resources in the DMZ.
3. Specify the type of traffic that you want to permit.
Note An HTTP request is sent from an ephemeral (any) TCP source port on the client to the fixed destination TCP port 80 on the server, so the rule constrains only the destination port.
a. Click TCP under Protocol and Service.
b. Under Source Port, choose "=" (equal to) from the Service drop-down menu.
c. Click the button labeled with ellipses (...), scroll through the options, and then choose Any.
d. Under Destination Port, choose "=" (equal to) from the Service drop-down menu.
e. Click the button labeled with ellipses (...) and choose http (port 80).
f. Click OK.
Note For additional features, such as logging system messages by ACL, click More Options at the top of the screen. You can provide a name for the access rule in the dialog box at the bottom.
g. Verify that the information you entered is accurate, and then click OK.
Note Although the destination address specified is the private address of the DMZ web server (10.30.30.30), HTTP traffic from any host on the Internet destined for 209.165.200.
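The four ASDM steps of Scenario 1 correspond to the following CLI configuration. This is an added example, not text from the Cisco guide. It uses the pre-8.3 ASA syntax that matches the ASDM dialogs described above (on 8.3 and later, NAT is configured with network objects and access lists name real rather than translated addresses). The inside network address 10.10.10.0 is an assumption, since the page gives only the 255.255.255.224 mask; the access-list name is arbitrary.

```cisco
! Step 1: global address pools with pool ID 200 on the two less secure interfaces.
! Inside hosts appear on the DMZ as 209.165.200.230-240 and on the outside as the
! outside interface address (PAT).
global (dmz) 200 209.165.200.230-209.165.200.240
global (outside) 200 interface

! Step 2: dynamic NAT for the inside network. 10.10.10.0/27 is an assumption
! (only the mask appears in the guide). Pool ID 200 ties this rule to both pools.
nat (inside) 200 10.10.10.0 255.255.255.224

! Step 3: static one-to-one translation that gives the DMZ web server its public identity.
static (dmz,outside) 209.165.200.225 10.30.30.30 netmask 255.255.255.255

! Step 4: permit only TCP/80 from anywhere to the web server; the implicit deny at the
! end of the list drops everything else arriving on the outside interface.
! On pre-8.3 releases an inbound access list on the outside interface matches the
! translated (public) address, because it is evaluated before the static translation
! is undone. The "log" keyword emits a syslog message for each matching connection.
access-list outside_access_in extended permit tcp any host 209.165.200.225 eq www log
access-group outside_access_in in interface outside
```

To check the result, `show xlate` lists the static entry for 10.30.30.30, `show access-list outside_access_in` shows per-entry hit counts, and on 7.2 and later `packet-tracer input outside tcp 198.51.100.10 12345 209.165.200.225 80` (198.51.100.10 is a constructed client address) walks a simulated packet through NAT and the access list and reports whether it would be allowed.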
Scenario 2: Remote Access VPN A remote-access Virtual Private Network (VPN) enables you to provide secure access to off-site users. ASDM enables you to configure the adaptive security appliance to create secure connections, or tunnels, across the Internet. Figure 5 shows an adaptive security appliance configured to accept requests from and establish secure connections with VPN clients over the Internet. Figure 5 Network Layout for Remote Access VPN Scenario DNS Server 10.10.10.
3. In Step 1 of the VPN Wizard, complete the following steps:
a. Select the Remote Access VPN option.
b. From the drop-down menu, choose outside as the enabled interface for the incoming VPN tunnels.
c. Click Next to continue.
Step 2: Select VPN clients.
1. In Step 2 of the VPN Wizard, click the radio button to allow remote access users to connect to the adaptive security appliance using either a Cisco VPN client or any other Easy VPN Remote product.
Note Although there is currently only one selection on this screen, it is set up so that other tunnel types can be enabled easily as they become available.
2. Click Next to continue.
Step 3: Specify the VPN tunnel group name and authentication method.
In Step 3 of the VPN Wizard, complete the following steps:
1. Enter a Tunnel Group Name (such as "CiscoASA") for the set of users that use common connection parameters and client attributes.
2. Specify the type of authentication that you want to use by performing one of the following steps:
– To use static pre-shared keys for authentication, click Pre-Shared Key, and enter a key. The key "CisCo" used in this scenario is an illustration only: a pre-shared key is shared by every client in the tunnel group, so use a long, randomly generated key and change it if a client device is lost or a user leaves.
Step 4: Specify a user authentication method.
Users can be authenticated either by a local authentication database or by using external authentication, authorization, and accounting (AAA) servers (RADIUS, TACACS+, SDI, NT, and Kerberos).
In Step 4 of the VPN Wizard, complete the following steps:
1. Click the appropriate radio button to specify the type of user authentication that you want to use:
– A local authentication database
– An external AAA server group
Step 5: Configure user accounts, if necessary. If you chose to authenticate users with a local user database, create individual user accounts in Step 5 of the VPN Wizard. 1. To add a new user, enter a username and password, then click Add. 2. When you have finished adding new users, click Next to continue.
Step 6: Configure address pools.
For remote clients to gain access to your network, it is necessary to configure a pool of IP addresses that can be assigned to remote VPN clients as they are successfully connected. In this scenario, the pool is configured to use the range of IP addresses 209.165.201.1 to 209.165.201.20. To configure an address pool, perform the following steps:
1. Enter a pool name, or choose a pre-configured pool from the drop-down list.
Step 7: Configure client attributes.
To access your network, each remote access client needs basic network configuration information, such as which DNS and WINS servers to use and the default domain name. Rather than configuring each remote client individually, you enter this information once in ASDM; the adaptive security appliance pushes it to the remote client when a connection is established.
Step 8: Configure the IKE Policy.
IKE (Internet Key Exchange) is the protocol the two peers use to authenticate each other and to negotiate the encryption algorithm, integrity (hash) algorithm, Diffie-Hellman group, and lifetime that protect the tunnel. In most cases, the ASDM default values are sufficient to establish secure VPN tunnels. To specify the IKE policy, perform the following steps:
Step 9: Configure IPSec Encryption and Authentication parameters.
1. Choose the Encryption algorithm (DES/3DES/AES) and authentication algorithm (MD5/SHA). DES and MD5 are offered for compatibility with older peers only; choose AES and SHA unless a peer cannot support them.
2. Click Next to continue.
Step 10: Address translation exception and split tunneling.
The adaptive security appliance uses Network Address Translation (NAT) to prevent internal IP addresses from being exposed externally. Traffic between the internal networks you select here and the VPN clients is exempted from that translation, so that clients reach the real internal addresses through the tunnel.
In Step 10 of the VPN Wizard, add or remove hosts, groups, and networks dynamically from the Selected panel.
1. Click Add or Delete, as appropriate.
2. Enable split tunneling by checking the radio button at the bottom of the screen. Split tunneling allows traffic outside the configured networks to be sent out directly to the Internet instead of over the encrypted VPN tunnel.
Note With split tunneling enabled, a connected client is reachable from the Internet and from the internal network at the same time, so the client's own host security becomes part of your perimeter. Leave it disabled unless the bandwidth saving is required.
When you have finished specifying resources to expose to remote clients, click Next to continue.
Step 11: Verify the remote access VPN configuration. Review the configuration attributes for the VPN tunnel you just created. The displayed configuration should be similar to the following: If you are satisfied with the configuration, click Finish to complete the Wizard and apply the configuration changes to the adaptive security appliance.
Scenario 3: Site-to-Site VPN Configuration Site-to-site VPN (Virtual Private Networking) features provided by the adaptive security appliance enable businesses to extend their networks across low-cost public Internet connections to business partners and remote offices worldwide while maintaining their network security.
Step 1: Configure the adaptive security appliance at the first site.
Configure the adaptive security appliance at the first site, which in this scenario is ASA security appliance 1, from this point forward referred to as ASA 1.
1. Launch ASDM by entering the factory default IP address in the address field of a web browser: https://192.168.1.1/admin/.
2. In the main ASDM page, choose the VPN Wizard option from the Wizards drop-down menu. ASDM opens the first VPN Wizard page.
b. From the drop-down menu, choose outside as the enabled interface for the current VPN tunnel.
c. Click Next to continue.
Step 2: Provide information about the VPN peer.
The VPN peer is the system on the other end of the connection that you are configuring, usually at a remote site. On page 2 of the VPN Wizard, provide information about the remote VPN peer. In this scenario, the remote VPN peer is ASA security appliance 2, from this point forward referred to as ASA 2. Perform the following steps:
2. Specify the type of authentication that you want to use by performing one of the following steps:
– To use a pre-shared key for authentication (for example, "CisCo"), click the Pre-Shared Key radio button, and enter a pre-shared key, which is shared for IPSec negotiations between both adaptive security appliances. "CisCo" is an illustration only; in production use a long, randomly generated key, since anyone who learns it can impersonate either peer.
Note When you configure the ASA 2 at the remote site, the VPN peer is ASA 1. Be sure to enter the same pre-shared key (CisCo) that you use here.
Step 3: Configure the IKE Policy.
IKE (Internet Key Exchange) is the protocol the two peers use to authenticate each other and to negotiate the encryption algorithm, integrity (hash) algorithm, Diffie-Hellman group, and lifetime that protect the tunnel. In most cases, the ASDM default values are sufficient to establish secure VPN tunnels between two peers. To specify the IKE policy, perform the following steps:
Step 4: Configure IPSec Encryption and Authentication parameters.
1. Choose the Encryption algorithm (DES/3DES/AES) and authentication algorithm (MD5/SHA). DES and MD5 are offered for compatibility with older peers only; choose AES and SHA unless the remote peer cannot support them. Both peers must be configured with the same algorithms or the tunnel will not come up.
2. Click Next to continue.
Step 5: Specify Local Hosts and Networks.
Identify hosts and networks at the local site to be allowed to use this IPSec tunnel to communicate with the remote-site peers. (The remote-site peers will be specified in a later step.
On page 5 of the VPN Wizard, specify a local host or network to be allowed access to the IPSec tunnel. Perform the following steps:
1. Click IP Address.
2. Specify whether the interface is inside or outside by choosing an interface from the drop-down menu.
3. Enter the IP address and mask.
4. Click Add.
5. Repeat Steps 1 through 4 for each host or network that you want to have access to the tunnel.
6. Click Next to continue.
Step 6: Specify Remote Hosts and Networks. Identify hosts and networks at the remote site to be allowed to use this IPSec tunnel to communicate with the local hosts and networks you identified in Step 5. Add or remove hosts and networks dynamically by clicking Add or Delete respectively. In the current scenario, for ASA 1, the remote network is Network B (10.20.20.0), so traffic encrypted from this network is permitted through the tunnel.
Step 7: View VPN Attributes and Complete Wizard. Review the configuration list for the VPN tunnel you just created. If you are satisfied with the configuration, click Finish to apply the configuration changes to the adaptive security appliance. This concludes the configuration process for ASA 1. What to Do Next You have just configured the local adaptive security appliance. Now you need to configure the adaptive security appliance at the remote site.
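The remote-access wizard (Scenario 2) and the site-to-site wizard (Scenario 3) both write IKE and IPsec configuration to the appliance. The CLI configuration below for ASA 1 is an added example, not text from the Cisco guide, and shows what the two wizards produce together, so the IKE policy, transform set, and crypto map on the outside interface are defined once and shared by both tunnel types. It uses ASA 7.x command syntax (on 8.x the isakmp commands take a crypto prefix and tunnel-group type ipsec-ra is written remote-access). Values not given on the page and assumed here: the inside network is 10.10.10.0/27, the internal DNS server is 10.10.10.2, Network B is 10.20.20.0/24, ASA 2's outside address is 209.165.202.129, and the user name, domain name, password, and pre-shared keys are placeholders. AES-256 and SHA are chosen in place of the DES and MD5 options the wizard also offers.

```cisco
! --- Phase 1 (IKE) and phase 2 (IPsec) settings shared by both scenarios ---
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
! Optional: lets remote-access clients that sit behind a NAT device connect (UDP 4500).
isakmp nat-traversal 20
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac

! --- Scenario 2: remote-access VPN for Cisco VPN / Easy VPN Remote clients ---
! Addresses handed to connected clients (wizard Step 6).
ip local pool vpnpool 209.165.201.1-209.165.201.20 mask 255.255.255.224
! Local user database (wizard Step 5); the user name and password are placeholders.
username vpnuser1 password Ex4mple!Pw
! Networks reachable through the tunnel when split tunneling is on (wizard Step 10).
access-list split_tunnel standard permit 10.10.10.0 255.255.255.224
! NAT exemption (wizard Step 10): traffic from inside hosts to VPN clients, and to
! Network B below, must not be translated or the far side would see translated
! addresses instead of the real ones.
access-list inside_nat0 extended permit ip 10.10.10.0 255.255.255.224 209.165.201.0 255.255.255.224
access-list inside_nat0 extended permit ip 10.10.10.0 255.255.255.224 10.20.20.0 255.255.255.0
nat (inside) 0 access-list inside_nat0
! Client attributes pushed on connect (wizard Step 7); DNS and domain are assumed values.
group-policy CiscoASA internal
group-policy CiscoASA attributes
  dns-server value 10.10.10.2
  default-domain value example.com
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value split_tunnel
! The tunnel group named in wizard Step 3; the pre-shared key is a placeholder.
tunnel-group CiscoASA type ipsec-ra
tunnel-group CiscoASA general-attributes
  address-pool vpnpool
  default-group-policy CiscoASA
tunnel-group CiscoASA ipsec-attributes
  pre-shared-key Replace-With-A-Long-Random-Key
! Dynamic crypto map entry: remote clients have unknown source addresses, so there is
! no peer and no match address; the highest sequence number puts it last in the map.
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-AES256-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

! --- Scenario 3: site-to-site tunnel from ASA 1 (Network A) to ASA 2 (Network B) ---
! Interesting traffic (wizard Steps 5 and 6): local hosts to the remote network.
access-list l2l_siteB extended permit ip 10.10.10.0 255.255.255.224 10.20.20.0 255.255.255.0
! A site-to-site tunnel group is named by the peer's outside address (assumed here)
! and must carry the same pre-shared key that is configured on ASA 2.
tunnel-group 209.165.202.129 type ipsec-l2l
tunnel-group 209.165.202.129 ipsec-attributes
  pre-shared-key Replace-With-A-Different-Long-Random-Key
! Static crypto map entry; its lower sequence number makes it match before the dynamic entry.
crypto map outside_map 10 match address l2l_siteB
crypto map outside_map 10 set peer 209.165.202.129
crypto map outside_map 10 set transform-set ESP-AES256-SHA

! Apply the single crypto map to the outside interface; it covers both entries.
crypto map outside_map interface outside
```

On ASA 2 the site-to-site part is mirrored: the tunnel group is named by ASA 1's outside address, the l2l access list and NAT exemption swap source and destination networks, and the pre-shared key is identical. After both sides are configured, `show crypto isakmp sa` should list the peer in an established state and `show crypto ipsec sa` should show packet counters rising for the tunnel once interesting traffic is sent; a phase 1 entry that never reaches the established state usually means the pre-shared key or the IKE policy does not match on the two peers.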
5 Optional SSM Setup and Configuration Procedures
The adaptive security appliance supports optional security service modules (SSMs) that plug into the chassis and provide additional functionality. This section describes setup and configuration procedures for the 4GE SSM and the AIP SSM.
4GE SSM Procedures
The 4GE Security Services Module (SSM) has eight Ethernet ports: four 10/100/1000 Mbps copper RJ-45 ports and four 1000 Mbps small form-factor pluggable (SFP) fiber ports. The module presents four Gigabit Ethernet interfaces; each interface uses either its RJ-45 port or its SFP port, and the media type you set for the interface determines which one is active.
Figure 7 Connecting the Ethernet port (figure: 4GE SSM front panel, callout 1 RJ-45 (Ethernet) port)
c. Connect the other end of the cable to your network device.
Step 2 (Optional) If you want to use an SFP (fiber optic) port, install and cable the SFP modules as shown in Figure 8:
a. Insert and slide the SFP module into the SFP port until you hear a click. The click indicates that the SFP module is locked into the port.
b. Connect the LC connector of the fiber cable to the SFP module.
Figure 8 Connecting the LC Connector (figure callouts: 1 LC connector, 2 SFP module)
c. Connect the other end of the LC connector to your network device.
After you have attached any SFP ports to your network devices, you must also change the media type setting for each SFP interface. Continue with the following procedure, "Step 2: (Optional) Setting the 4GE SSM Media Type for Fiber Interfaces."
To set the media type for SFP interfaces using ASDM, perform the following steps starting from the main ASDM page:
Step 1 Click Configuration, at the top of the ASDM window.
Step 2 Choose the Interfaces feature on the left side of the ASDM window.
Step 3 Choose the 4GE SSM interface and click Edit. The Edit Interface dialog box appears.
Step 4 Click Configure Hardware Properties. The Hardware Properties dialog box appears.
Step 5 Click the Media Type drop-down menu and choose Fiber Connector.
Step 1: Cabling the AIP SSM Management Interface To cable the AIP SSM management interface, perform the following steps: Step 1 Locate a yellow Ethernet cable from the accessory kit. Step 2 Connect one end of the cable to the management port on the AIP SSM, as shown in Figure 9. Step 3 Connect the other end of the cable to your network device.
Step 2 To add or edit a policy map that sets the actions to take with the class map traffic, enter the following command:
hostname(config)# policy-map name
Step 3 To identify the class map from Step 1 to which you want to assign an action, enter the following command:
hostname(config-pmap)# class class_map_name
Step 4 To assign traffic to the AIP SSM, enter the following command:
hostname(config-pmap-c)# ips {inline | promiscuous} {fail-close | fail-open}
Where the inline keyword places the AIP SSM di
hostname(config-cmap)# match access-list IPS
hostname(config-cmap)# policy-map my-ids-policy
hostname(config-pmap)# class my-ips-class
hostname(config-pmap-c)# ips promiscuous fail-close
hostname(config-pmap-c)# service-policy my-ips-policy global
In this example, fail-close means that while the AIP SSM is down or reloading, traffic matched by the class is dropped rather than forwarded without inspection; fail-open forwards it uninspected. Choose fail-open only where availability of the path matters more than the guarantee that matched traffic was inspected.
Step 3: Sessioning to the AIP SSM and Running Setup
After you have completed configuration of the ASA 5500 series adaptive security appliance to divert traffic to the AIP SSM, session to the AIP SSM and run the setup utility for initial configuration.
export@cisco.com.
***LICENSE NOTICE***
There is no license key installed on the system.
Please go to http://www.cisco.com/go/license to obtain a new license or install a license.
AIP SSM#
Note If you see this license notice (which appears only in some versions of the software), you can ignore the message until you need to upgrade the signature files on the AIP SSM. The AIP SSM continues to operate at the current signature level until a valid license key is installed.
6 Optional Maintenance and Upgrade Procedures Obtaining DES and 3DES/AES Encryption Licenses The adaptive security appliance offers the option to purchase a DES or 3DES-AES license to enable specific features that provide encryption technology, such as secure remote management (SSH, ASDM, and so on), site-to-site VPN, and remote access VPN. Enabling the license requires an encryption license key.
Command | Purpose
Step 3 hostname(config)# activation-key activation-key | Updates the encryption activation key with the key obtained with your new license. The key is a string of hexadecimal elements separated by single spaces (four or five elements, depending on the platform and software release); enter it exactly as delivered. An example of a four-element key is 0xe02888da 0x4ba7bed6 0xf1c123ae 0xffd8624e. The "0x" is optional; all values are assumed to be hexadecimal.
After the key is accepted, confirm it with show activation-key and check in show version that the encryption feature you licensed (for example VPN-3DES-AES) is reported as Enabled.
Checking the LEDs
This section describes the front, rear, and panel LEDs for the adaptive security appliance. Figure 10 shows the front view of the adaptive security appliance.
Figure 10 Cisco ASA 5540 Adaptive Security Appliance Front Panel Features (callouts 1 to 5: the POWER, STATUS, ACTIVE, VPN, and FLASH LEDs)
LED | Color | State | Description
1 Power | Green | On | On when the adaptive security appliance has power.
Figure 11 shows the rear panel features for the adaptive security appliance.
Figure 11 Cisco ASA 5540 Adaptive Security Appliance Rear Panel Features
1 MGMT
2 External CompactFlash device
3 Serial Console port
4 Power switch
5 Power indicator light
6 USB 2.
8 Power indicator
9 Status indicator
10 Active
11 VPN
12 Flash
Table 1 lists the state of the adaptive security appliance rear panel LEDs.
Table 1 Rear Panel LEDs
Indicator | Color | Description
Left side | Solid green | Physical link
Left side | Flashing green | Network activity
Right side | Not lit | 10 Mbps
Right side | Green | 100 Mbps
Right side | Amber | 1000 Mbps

Obtaining Documentation
Cisco documentation and additional literature are available on Cisco.com. Cisco also provides several ways to obtain technical assistance and other technical resources.
Cisco Marketplace: http://www.cisco.com/go/marketplace/

Ordering Documentation
You can find instructions for ordering documentation at this URL: http://www.cisco.com/univercd/cc/td/doc/es_inpck/pdi.htm
You can order Cisco documentation in these ways:
• Registered Cisco.com users (Cisco direct customers) can order Cisco product documentation from the Ordering tool: http://www.cisco.com/en/US/partner/ordering/
• Nonregistered Cisco.
• Register to receive security information from Cisco.
A current list of security advisories and notices for Cisco products is available at this URL: http://www.cisco.com/go/psirt
If you prefer to see advisories and notices as they are updated in real time, you can access a Product Security Incident Response Team Really Simple Syndication (PSIRT RSS) feed from this URL: http://www.cisco.com/en/US/products/products_psirt_rss_feed.
Cisco Technical Support Website The Cisco Technical Support Website provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies. The website is available 24 hours a day, 365 days a year, at this URL: http://www.cisco.com/techsupport Access to all tools on the Cisco Technical Support Website requires a Cisco.com user ID and password.
Definitions of Service Request Severity To ensure that all service requests are reported in a standard format, Cisco has established severity definitions. Severity 1 (S1)—Your network is “down,” or there is a critical impact to your business operations. You and Cisco will commit all necessary resources around the clock to resolve the situation.