Cisco ASA 5580 Getting Started Guide Software Version 8.1 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
CONTENTS CHAPTER 1 Before You Begin 1-1 CHAPTER 2 Maximizing Throughput on the ASA 5580 2-1 Network Interfaces 2-1 Expansion Boards 2-2 Supported PCI Cards 2-5 Optimizing Performance 2-6 What to Do Next 2-8 CHAPTER 3 Installing the ASA 5580 3-1 Verifying the Package Contents 3-1 Installing the Chassis 3-3 Rack-Mounting the Chassis 3-3 Ports and LEDs 3-13 Front Panel LEDs 3-13 Rear Panel LEDs and Ports 3-16 Connecting Interface Cables 3-20 What to Do Next 3-24 CHAPTER 4 Configuring the Adaptive S
Contents Preparing to Use ASDM 4-3 Gathering Configuration Information for Initial Setup 4-4 Installing the ASDM Launcher 4-5 Starting ASDM with a Web Browser 4-7 Running the ASDM Startup Wizard 4-8 What to Do Next 4-9 CHAPTER 5 Scenario: Configuring Connections for a Cisco AnyConnect VPN Client 5-1 About SSL VPN Client Connections 5-1 Obtaining the Cisco AnyConnect VPN Client Software 5-2 Example Topology Using AnyConnect SSL VPN Clients 5-3 Implementing the Cisco SSL VPN Scenario 5-3 Information to Ha
Contents Configuring the ASA 5580 for Browser-Based SSL VPN Connections 6-7 Specifying the SSL VPN Interface 6-8 Specifying a User Authentication Method 6-10 Specifying a Group Policy 6-11 Creating a Bookmark List for Remote Users 6-12 Verifying the Configuration 6-16 What to Do Next 6-18 CHAPTER 7 Scenario: Site-to-Site VPN Configuration 7-1 Example Site-to-Site VPN Network Topology 7-1 Implementing the Site-to-Site Scenario 7-2 Information to Have Available 7-3 Configuring the Site-to-Site VPN 7-3 Sta
Contents Selecting VPN Client Types 8-6 Specifying the VPN Tunnel Group Name and Authentication Method 8-7 Specifying a User Authentication Method 8-9 (Optional) Configuring User Accounts 8-10 Configuring Address Pools 8-11 Configuring Client Attributes 8-13 Configuring the IKE Policy 8-14 Configuring IPsec Encryption and Authentication Parameters 8-15 Specifying Address Translation Exception and Split Tunneling 8-16 Verifying the Remote-Access VPN Configuration 8-18 What to Do Next 8-19 APPENDIX A Obta
Chapter 1 Before You Begin

Use the following table to find the installation and configuration steps that are required for your implementation of the Cisco ASA 5580 adaptive security appliance.

To Do This... See...
Chapter 2 Maximizing Throughput on the ASA 5580

The Cisco ASA 5580 adaptive security appliance is designed to deliver maximum throughput when configured according to the guidelines described in this chapter. This chapter includes the following sections:
• Network Interfaces, page 2-1
• Optimizing Performance, page 2-6
• What to Do Next, page 2-8

Network Interfaces

The ASA 5580 has two built-in Gigabit Ethernet network ports and nine expansion slots.
The appliance has two I/O bridges, and each I/O slot connects to one of the two buses. The management ports and the adapters in slots 3, 4, 5, and 6 are on I/O bridge 1; slots 7 and 8 are on I/O bridge 2. Figure 2-1 shows the embedded ports and slots on the ASA 5580.

Slots 5, 7, and 8 use a high-capacity bus (PCIe x8); slots 3, 4, and 6 use a PCIe x4 bus. Figure 2-2 shows the interface expansion slots available on the ASA 5580.

Figure 2-2 Interface Expansion Slots (callouts: 1 and 3, power supplies; 4, 5, and 7, fans; 6, diagnostic panel)
Supported PCI Cards

The ASA 5580 supports the following PCI cards:
• 4-Port Gigabit Ethernet Copper PCI card: Provides four 10/100/1000BASE-T interfaces, which allow up to 24 total Gigabit Ethernet interfaces. Figure 2-3 shows the Gigabit Ethernet interface card.

Figure 2-4 2-Port 10-Gigabit Ethernet Fiber PCI Card

• 4-Port Gigabit Ethernet Fiber PCI card: Provides four 10000BASE-SX (fiber) interfaces, allowing up to 24 total Gigabit Ethernet fiber interfaces in a fully populated chassis. The card ports require a multi-mode fiber cable with an LC connector to connect to the SX interface of the appliance.
Optimizing Performance

• If you are using 10-Gigabit Ethernet adapters, which require optimal performance from the bus, place them in a slot on the high-capacity I/O bridge (PCIe x8): slot 5, slot 7, or slot 8.
• Four-port adapters can be placed in any slot, but the bus might become a bottleneck if each port carries 1 Gigabit of full-duplex traffic.

Figure 2-5 Example of Traffic Flow for Optimum Performance (rear-panel view showing the PCI-E x4 and PCI-E x8 slots, the PCI-X 100 MHz slots, the console and MGMT0/0 and MGMT0/1 ports, and the incoming and outgoing traffic paths for maximum throughput)

What to Do Next

Continue with Chapter 3, “Installing the ASA 5580.”
Chapter 3 Installing the ASA 5580

Warning Read the safety warnings in the Regulatory Compliance and Safety Information for the Cisco ASA 5580 Adaptive Security Appliance and follow proper safety procedures when performing these steps. Only trained and qualified personnel should install, replace, or service this equipment. Statement 49

This chapter describes the adaptive security appliance and the rack-mount and installation procedures for it.
Verifying the Package Contents

Figure 3-1 Contents of ASA 5580 Package (Cisco ASA 5580 adaptive security appliance; Safety and Compliance Guide; Cisco ASA 5580 Adaptive Security Appliance Product CD; yellow Ethernet cable; RJ-45 to DB-9 adapter; blue console cable; PC terminal adapter; documentation)

In addition to the contents shown in
Installing the Chassis

This section describes how to rack-mount and install the adaptive security appliance.

Warning To prevent bodily injury when mounting or servicing this unit in a rack, you must take special precautions to ensure that the system remains stable. The following guidelines are provided to ensure your safety.

This unit should be mounted at the bottom of the rack if it is the only unit in the rack. When mounting this unit in a partially filled rack, load the rack from the bottom to the top with the heaviest component at the bottom of the rack. If the rack is provided with stabilizing devices, install the stabilizers before mounting or servicing the unit in the rack.
Step 3 To remove the chassis side rail, lift the latch and slide the rail forward, as shown in Figure 3-3.

Figure 3-3 Removal from the Chassis Side Rail

Step 4 If you are installing the adaptive security appliance in a shallow rack, one that is less than 28.5 in. (72.

Figure 3-4 Screw Inside the Slide Assembly

Step 5 Attach the slide assemblies to the rack, as shown in Figure 3-5.
• For round- and square-hole racks:
a. Line up the studs on the slide assembly with the holes on the inside of the rack and snap into place.
b. Adjust the slide assembly lengthwise to fit the rack. The spring latch locks the slide assembly into position.
c. Repeat for each slide assembly. Make sure the slide assemblies line up with each other in the rack.
d. Lift the spring latch to release the slide assembly if you need to reposition it.
• For threaded-hole racks:
a. Remove the eight round- or square-hole studs on each slide assembly using a standard screwdriver, as shown in Figure 3-6.
Note You may need a pair of pliers to hold the retaining nut.

Figure 3-6 Attachment in Threaded Hole Racks

b. Line up the bracket on the slide assembly with the rack holes, and install two screws (top and bottom) on each end of the slide assembly, as shown in Figure 3-7.

Figure 3-7 Lining up the Bracket

c. Repeat for each slide assembly.
Step 6 Extend the slide assemblies out of the rack, as shown in Figure 3-8.

Figure 3-8 Slide Assemblies Extended

Step 7 Align the chassis side rails on the adaptive security appliance with the slide assembly on both sides of the rack, release the blue slide tab (by either pulling the tab forward or pushing the tab back), and carefully push the adaptive security appliance into place, as shown in Figure 3-9.

When installing an adaptive security appliance in an empty rack, you must support the adaptive security appliance from the front until the blue slide tabs are activated and the adaptive security appliance is pushed completely into the rack, or the rack can tip.
Caution Keep the adaptive security appliance parallel to the floor as you slide it into the rails. Tilting the adaptive security appliance up or down can damage the slide rails.

Ports and LEDs

This section describes the front and rear panels. This section includes the following topics:
• Front Panel LEDs, page 3-13
• Rear Panel LEDs and Ports, page 3-16

Front Panel LEDs

Figure 3-10 shows the LEDs on the front panel of the adaptive security appliance.

Figure 3-10 Front View (callouts: 1 Active LED; 2 System LED; 3 Power Status LED; 4 Management 0/0 LED; 5 Management 0/1 LED; 6 Power)

Table 3-1 describes the front panel switches and indicators on the ASA 5580.
Table 3-1 Front Panel Switches and Indicators

Active indicator: Toggles between Active and Standby failover status of the chassis:
• On—Failover active
• Off—Standby
System indicator: Indicates internal system health:
• Green—System on
• Flashing amber—System health degraded
• Flashing red—System health critical
• Off—System off
Power status indicator: Indicates the power supply status:
• Green—Power s
MGMT0/0 indicator:
MGMT0/1 indicator: Indicates the status of the management port:
• Green—Linked to network
• Flashing green—Linked with activity on the network
• Off—No network connection
Power switch and indicator: Turns power on and off:
• Amber—System has AC power and is in standby mode
• Green—System has AC power and is turned on
• Off—System has no AC power

For more inform
Figure 3-11 Back Panel Features (callouts: 1 Power supply; 2 Interface expansion slots; 3 Power supply; 4 T-15 Torx screwdriver; 5 USB ports; 6 Reserved slot; 7 Example of a populated slot; 8 Reserved slot; 9 Console port; 10 Management ports MGMT0/0 and MGMT0/1)

Rear Panel LEDs

Figure 3-12 shows the activity indicators on the Ethernet ports, which have two indicators per port, and the power supply indicators.

Figure 3-12 Rear Panel LEDs (callouts: 1 Power indicator; 2 Link indicator; 3 Activity indicator)

Table 3-2 describes the Ethernet port indicators.
Table 3-2 Ethernet Port Indicators

Gigabit Ethernet:
• Green (top): link to network
• Flashing green (top): linked with activity on the network
• Amber (bottom): speed 1000
• Green (bottom): speed 100
• Off (bottom): speed 10
10-Gigabit Ethernet Fiber (one LED):
• Green: link to network
Gigabit Ethernet Fiber (one LED):
• Green: link to network
Management port:
• Green (right): link to network
• Flashing green: linked with activity on the networ
Table 3-3 Power Supply Indicators (continued)

Fail indicator (1, amber) Off; Power indicator (2, green) Flashing: AC power present, standby mode.
Fail indicator (1, amber) Off; Power indicator (2, green) On: Normal.

Connecting Interface Cables

This section describes how to connect the appropriate cables to the Console, Management, copper Ethernet, and fiber Ethernet ports.
Figure 3-13 Connecting to the Management Port (RJ-45 to RJ-45 Ethernet cable connected to the MGMT0/0 port on the rear panel; interface expansion slots and reserved slots shown)

Caution Management and console ports are privileged administrative ports. Connecting them to an untrusted network can create security concerns.

Step 3 Connect to the Console port.

Note You can use a 180/rollover or straight-through patch cable to connect the appliance to a port on a terminal server with RJ-45 or hydra cable assembly connections. Connect the appropriate cable from the Console port on the appliance to a port on the terminal server.

By default, the ASA 5580 ships with slot 3 through slot 8 available. You can purchase bundles for the I/O adapter options. See Optimizing Performance in Chapter 2, “Maximizing Throughput on the ASA 5580”. Connect one end of an Ethernet cable to an Ethernet port in slots 3 through 8, as shown in Figure 3-15.

Figure 3-16 Electrical Cable Installation (rear view of the chassis showing power supplies PS1 and PS2)

Step 6 Power on the chassis.

What to Do Next

Continue with Chapter 4, “Configuring the Adaptive Security Appliance.”
Chapter 4 Configuring the Adaptive Security Appliance

This chapter describes the initial configuration of the adaptive security appliance. You can perform the configuration steps using either the browser-based Cisco Adaptive Security Device Manager (ASDM) or the command-line interface (CLI). The procedures in this chapter describe how to configure the adaptive security appliance using ASDM.
Using the CLI for Configuration

• The DHCP server is enabled on the adaptive security appliance, so a PC connecting to the interface receives an address between 192.168.1.2 and 192.168.1.254.
• The HTTP server is enabled for ASDM and is accessible to users on the 192.168.1.0 network.

The configuration consists of the following commands:

interface management 0/0
ip address 192.168.1.1 255.255.255.
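The two bullets above and the caution in Chapter 3 that the management port is a privileged administrative port together describe an invariant worth checking whenever the default configuration is edited: ASDM access and the DHCP pool should stay confined to the management subnet. The following Python script is an added example, not Cisco code and not part of this guide. It parses the few ASA commands involved (interface, nameif, ip address, http server enable, http with a source network and interface name, dhcpd address) and reports deviations. SAMPLE_CONFIG is a constructed configuration that mirrors the defaults described in the text; WEAK_CONFIG is a constructed counter-example; both, and the rules applied, are assumptions made for the example.

```python
"""Lint the management-plane part of an ASA configuration.

Added example for this guide, not Cisco code. Both configurations below are
constructed for the example; the command syntax is standard ASA syntax.
"""
import ipaddress

SAMPLE_CONFIG = """\
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
http server enable
http 192.168.1.0 255.255.255.0 management
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
"""

# Constructed counter-example: ASDM exposed on the outside interface to any
# source, and a DHCP pool that includes the appliance's own address.
WEAK_CONFIG = """\
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
http server enable
http 0.0.0.0 0.0.0.0 outside
dhcpd address 192.168.1.1-192.168.1.254 management
dhcpd enable management
"""


def parse_config(text):
    """Collect interface addresses, http access entries and dhcpd pools."""
    cfg = {"interfaces": {}, "http_enabled": False, "http": [], "dhcp": []}
    iface = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("interface "):
            iface = {"nameif": None, "ip": None}
            continue
        if raw.startswith(" ") and iface is not None:
            # Indented lines belong to the current interface block.
            parts = line.split()
            if parts[0] == "nameif":
                iface["nameif"] = parts[1]
            elif parts[:2] == ["ip", "address"]:
                iface["ip"] = ipaddress.ip_interface(f"{parts[2]}/{parts[3]}")
            if iface["nameif"] and iface["ip"]:
                cfg["interfaces"][iface["nameif"]] = iface["ip"]
            continue
        iface = None
        parts = line.split()
        if line == "http server enable":
            cfg["http_enabled"] = True
        elif parts[0] == "http" and len(parts) == 4:
            cfg["http"].append((ipaddress.ip_network(f"{parts[1]}/{parts[2]}"), parts[3]))
        elif parts[:2] == ["dhcpd", "address"] and len(parts) == 4:
            low, high = parts[2].split("-")
            cfg["dhcp"].append((ipaddress.ip_address(low), ipaddress.ip_address(high), parts[3]))
    return cfg


def audit(cfg):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    mgmt = cfg["interfaces"].get("management")
    if mgmt is None:
        return ["no interface with nameif 'management' has an IP address"]
    mgmt_net = mgmt.network
    if cfg["http_enabled"] and not cfg["http"]:
        findings.append("http server enabled without any 'http' source restriction")
    for net, ifname in cfg["http"]:
        if ifname != "management":
            findings.append(f"ASDM reachable through non-management interface '{ifname}'")
        if net.prefixlen == 0:
            findings.append(f"http entry {net} allows ASDM access from any source address")
        elif not net.subnet_of(mgmt_net):
            findings.append(f"http entry {net} is not within management subnet {mgmt_net}")
    for low, high, ifname in cfg["dhcp"]:
        if ifname != "management":
            continue
        if low not in mgmt_net or high not in mgmt_net:
            findings.append(f"DHCP pool {low}-{high} leaves management subnet {mgmt_net}")
        if low <= mgmt.ip <= high:
            findings.append(f"DHCP pool {low}-{high} includes the appliance address {mgmt.ip}")
    return findings


if __name__ == "__main__":
    for name, text in (("default", SAMPLE_CONFIG), ("weak", WEAK_CONFIG)):
        print(name, audit(parse_config(text)) or "OK")
```

Running the script reports the default configuration as clean and lists three findings for the constructed weak one. The same parser can be pointed at a `show running-config` capture saved to a file; only the management-related commands are read, everything else is ignored.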
Using the Adaptive Security Device Manager for Configuration

In addition to complete configuration and management capability, ASDM features intelligent wizards to simplify and accelerate the deployment of the adaptive security appliance.

Step 2 Configure your PC to use DHCP (to receive an IP address automatically from the adaptive security appliance), which enables the PC to communicate with the adaptive security appliance and the Internet as well as to run ASDM for configuration and management tasks. Alternatively, you can assign a static IP address to your PC by selecting an address in the 192.168.1.0 subnet.

• Static routes to be configured.
• If you want to create a DMZ, you must create a third VLAN and assign ports to that VLAN. (By default, there are two VLANs configured.)
• Interface configuration information: whether traffic is permitted between interfaces at the same security level, and whether traffic is permitted between hosts on the same interface.
d. Click Yes to accept the certificates. Click Yes for all subsequent authentication and certificate dialog boxes.
e. When the File Download dialog box opens, click Open to run the installation program directly. It is not necessary to save the installation software to your hard drive.
f.

The main ASDM window appears.

Starting ASDM with a Web Browser

To run ASDM in a web browser, enter the factory default IP address in the address field: https://192.168.1.1/admin/.

Note Remember to add the “s” in “https” or the connection fails. HTTPS (HTTP over SSL) provides a secure connection between your browser and the adaptive security appliance.

The main ASDM window appears.

Running the ASDM Startup Wizard

ASDM includes a Startup Wizard to simplify the initial configuration of your adaptive security appliance. With a few steps, the Startup Wizard enables you to configure the adaptive security appliance so that it allows packets to flow securely between the inside network and the outside network.

What to Do Next

Configure the adaptive security appliance for your deployment using one or more of the following chapters:

To Do This... See...
Chapter 5 Scenario: Configuring Connections for a Cisco AnyConnect VPN Client

This chapter describes how to configure the adaptive security appliance so that remote users can establish SSL connections using a Cisco AnyConnect VPN Client.

Obtaining the Cisco AnyConnect VPN Client Software

Note Administrative rights are required the first time the Cisco AnyConnect VPN Client is installed or downloaded.

After downloading, the client installs and configures itself and then establishes a secure SSL connection. When the connection terminates, the client software either remains or uninstalls itself, depending on how you configure the adaptive security appliance.

Example Topology Using AnyConnect SSL VPN Clients

Figure 5-1 shows an adaptive security appliance configured to accept requests for and establish SSL connections from clients running the AnyConnect SSL VPN software. The adaptive security appliance can support connections to both clients running the AnyConnect VPN software and browser-based clients.
Implementing the Cisco SSL VPN Scenario

• Configuring the ASA 5580 for the Cisco AnyConnect VPN Client, page 5-6
• Specifying the SSL VPN Interface, page 5-7
• Specifying a User Authentication Method, page 5-8
• Specifying a Group Policy, page 5-10
• Configuring the Cisco AnyConnect VPN Client, page 5-11
• Verifying the Remote-Access VPN Configuration, page 5-13

Information to Have Available

Before you begin configur

Starting ASDM

This section describes how to start ASDM using the ASDM Launcher software. If you have not installed the ASDM Launcher software, see Installing the ASDM Launcher, page 4-5. If you prefer to access ASDM directly with a web browser or using Java, see Starting ASDM with a Web Browser, page 4-7.

The ASA 5580 checks to see if there is updated software and, if so, downloads it automatically. The main ASDM window appears.

Configuring the ASA 5580 for the Cisco AnyConnect VPN Client

To begin the configuration process, perform the following steps:
Step 1 In the main ASDM window, choose SSL VPN Wizard from the Wizards drop-down menu. The SSL VPN Wizard Step 1 screen appears.
Step 2 In Step 1 of the SSL VPN Wizard, perform the following steps:
a. Check the Cisco SSL VPN Client check box.
b. Click Next to continue.

Specifying the SSL VPN Interface

In Step 2 of the SSL VPN Wizard, perform the following steps:
Step 1 Specify a Connection Name to which remote users connect.
Step 3 From the Certificate drop-down list, choose the certificate the ASA 5580 sends to the remote user to authenticate the ASA 5580.
Step 4 Click Next to continue.

Specifying a User Authentication Method

In Step 3 of the SSL VPN Wizard, perform the following steps:
Step 1 If you are using a AAA server or server group for authentication, perform the following steps:
a.
b. Specify a AAA Server Group Name.
c. Either choose an existing AAA server group name from the drop-down list, or create a new server group by clicking New. The New Authentication Server Group dialog box appears.
Step 2 If you have chosen to authenticate users with the local user database, you can create new user accounts here. You can also add users later using the ASDM configuration interface. To add a new user, enter a username and password, and then click Add.
Step 3 When you have finished adding new users, click Next to continue.

Step 3 Click Next.
Step 4 Step 5 of the SSL VPN Wizard appears. This step does not apply to AnyConnect VPN client connections, so click Next again.

Step 1 To use a preconfigured address pool, choose the name of the pool from the IP Address Pool drop-down list.
Step 2 Alternatively, click New to create a new address pool.
Step 3 Specify the location of the AnyConnect VPN Client software image. To obtain the most current version of the software, click Download Latest AnyConnect VPN Client from cisco.com.

Verifying the Remote-Access VPN Configuration

In Step 7 of the SSL VPN Wizard, review the configuration settings to ensure that they are correct. The displayed configuration should be similar to the following:

If you are satisfied with the configuration, click Finish to apply the changes to the adaptive security appliance.
What to Do Next

If you are deploying the adaptive security appliance solely to support AnyConnect VPN connections, you have completed the initial configuration. In addition, you may want to consider performing some of the following steps:

To Do This... See...
Chapter 6 Scenario: SSL VPN Clientless Connections

This chapter describes how to use the adaptive security appliance to accept remote access SSL VPN connections without a software client (clientless). A clientless SSL VPN allows you to create secure connections, or tunnels, across the Internet using a web browser. This provides secure access to off-site users without a software client or hardware client.

About Clientless SSL VPN

• MS Outlook Web Access
• MAPI
• Application Access (that is, port forwarding for access to other TCP-based applications) and Smart Tunnels

Clientless SSL VPN uses the Secure Sockets Layer protocol (SSL) and its successor, Transport Layer Security (TLS), to provide the secure connection between remote users and specific, supported internal resources that you configure at a central site.
Example Network with Browser-Based SSL VPN Access

2. Limit Internet access for Clientless SSL VPN users, for example, by limiting which resources a user can access using a clientless SSL VPN connection. To do this, you could restrict the user from accessing general content on the Internet. Then, you could configure links to specific targets on the internal network that you want users of Clientless SSL VPN to be able to access.
3. Educate users.

Implementing the Clientless SSL VPN Scenario

Figure 6-1 Network Layout for SSL VPN Connections (security appliance with inside network 10.10.10.0 and outside interface to the Internet; DNS server 10.10.10.163; WINS server 10.10.10.; Cisco AnyConnect VPN Clients on the Internet side)
Information to Have Available

Before you begin configuring the adaptive security appliance to accept remote access IPsec VPN connections, make sure that you have the following information available:
• Name of the interface on the adaptive security appliance to which remote users will connect. When remote users connect to this interface, the SSL VPN Portal Page is displayed.

If you prefer to access ASDM directly with a web browser or using Java, see Starting ASDM with a Web Browser, page 4-7.

To start ASDM using the ASDM Launcher software, perform the following steps:
Step 1 From your desktop, start the Cisco ASDM Launcher software. A dialog box appears.
Step 2 Enter the IP address or the host name of your adaptive security appliance.
Configuring the ASA 5580 for Browser-Based SSL VPN Connections

To begin the process for configuring a browser-based SSL VPN, perform the following steps:
Step 1 In the main ASDM window, choose SSL VPN Wizard from the Wizards drop-down menu. The SSL VPN Wizard Step 1 screen appears.
Step 2 In Step 1 of the SSL VPN Wizard, perform the following steps:
a. Check the Browser-based SSL VPN (Web VPN) check box.
b. Click Next to continue.

Specifying the SSL VPN Interface

In Step 2 of the SSL VPN Wizard, perform the following steps:
Step 1 Specify a Connection Name to which remote users connect.
Step 2 From the SSL VPN Interface drop-down list, choose the interface to which remote users connect. When users establish a connection to this interface, the SSL VPN portal page is displayed.
Step 3 From the Certificate drop-down list, choose the certificate the ASA 5580 sends to the remote user to authenticate the ASA 5580.
Note The ASA 5580 generates a self-signed certificate by default.

Specifying a User Authentication Method

Users can be authenticated either by a local authentication database or by using external authentication, authorization, and accounting (AAA) servers (RADIUS, TACACS+, SDI, NT, Kerberos, and LDAP).

In Step 3 of the SSL VPN Wizard, perform the following steps:
Step 1 If you are using a AAA server or server group for authentication, perform the following steps:
a.
– A server group name
– The Authentication Protocol to be used (TACACS, SDI, NT, Kerberos, LDAP)
– IP address of the AAA server
– Interface of the adaptive security appliance
– Secret key to be used when communicating with the AAA server
Click OK.
Step 2 If you have chosen to authenticate users with the local user database, you can create new user accounts here.
Step 2 Click Next.

Creating a Bookmark List for Remote Users

You can create a portal page, a special web page that comes up when browser-based clients establish VPN connections to the adaptive security appliance, by specifying a list of URLs to which users should have easy access.

To add a new list or edit an existing list, click Manage. The Configure GUI Customization Objects dialog box appears.

Step 2 To create a new bookmark list, click Add. To edit an existing bookmark list, choose the list and click Edit. The Add Bookmark List dialog box appears.
Step 3 In the URL List Name field, specify a name for the list of bookmarks you are creating. This is used as the title for your VPN portal page.
Step 4 Click Add to add a new URL to the bookmark list. The Add Bookmark Entry dialog box appears.
Step 5 Specify a title for the list in the Bookmark Title field.
Step 6 From the URL Value drop-down list, choose the type of URL you are specifying.
Step 8 If you are finished adding bookmark lists, click OK to return to the Configure GUI Customization Objects dialog box.
Step 9 When you are finished adding and editing bookmark lists, click OK to return to Step 5 of the SSL VPN Wizard.
Step 10 Choose the name of the bookmark list for this VPN group from the Bookmark List drop-down list.
Step 11 Click Next to continue.
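The bookmark list is the set of links the chapter earlier recommends pointing only at specific targets on the internal network. The following Python script is an added example, not Cisco code and not a feature of ASDM: it reviews a proposed bookmark list before the entries are typed into the Add Bookmark Entry dialog. Figure 6-1 places the internal resources on the 10.10.10.0 network; the /24 mask, the INTERNAL_DOMAIN suffix, the allowed URL schemes, and every bookmark in BOOKMARKS are assumptions constructed for the example.

```python
"""Review a clientless SSL VPN bookmark list against an internal-target policy.

Added example for this guide, not Cisco code. INTERNAL_NETS, INTERNAL_DOMAIN,
ALLOWED_SCHEMES and BOOKMARKS are constructed assumptions.
"""
import ipaddress
from urllib.parse import urlsplit

INTERNAL_NETS = [ipaddress.ip_network("10.10.10.0/24")]  # assumed from Figure 6-1
INTERNAL_DOMAIN = ".corp.example"                          # assumed internal DNS suffix
ALLOWED_SCHEMES = {"https", "cifs"}                        # assumed portal policy

# Constructed bookmark entries (title, URL), including deliberately bad ones.
BOOKMARKS = [
    ("Intranet portal", "https://10.10.10.20/"),
    ("File share", "cifs://10.10.10.30/public"),
    ("HR system", "https://hr.corp.example/"),
    ("Legacy app", "http://10.10.10.40/login"),
    ("External site", "https://203.0.113.10/"),
    ("Credentials in URL", "https://admin:secret@10.10.10.20/"),
    ("Lookalike", "https://10.10.10.20@203.0.113.10/"),
]


def host_is_internal(host):
    """True if host is an address in INTERNAL_NETS or a name under INTERNAL_DOMAIN."""
    if not host:
        return False
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # Match the suffix including its leading dot, so that a name such as
        # 'evil-corp.example' does not pass as internal.
        return host.lower().endswith(INTERNAL_DOMAIN)
    return any(addr in net for net in INTERNAL_NETS)


def check_bookmark(url):
    """Return the list of problems with one bookmark URL (empty means acceptable)."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        problems.append(f"scheme '{parts.scheme}' not allowed")
    if parts.username is not None or parts.password is not None:
        problems.append("credentials embedded in URL")
    # Decide on the parsed hostname, never on a substring of the raw URL:
    # 'https://10.10.10.20@203.0.113.10/' contains an internal address as the
    # userinfo part but actually connects to 203.0.113.10.
    if not host_is_internal(parts.hostname):
        problems.append(f"host '{parts.hostname}' is not an internal target")
    return problems


def review_list(bookmarks):
    """Map each bookmark title to its list of problems."""
    return {title: check_bookmark(url) for title, url in bookmarks}


if __name__ == "__main__":
    for title, problems in review_list(BOOKMARKS).items():
        print(f"{title}: {'OK' if not problems else '; '.join(problems)}")
```

The first three constructed entries pass; the remaining four are rejected for a plain-HTTP scheme, an external host, embedded credentials, and a userinfo lookalike whose real destination is external. The same two checks (parsed hostname, suffix match with the dot) apply to any allowlist keyed on URLs, not only to portal bookmarks.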
Chapter 6 Scenario: SSL VPN Clientless Connections Implementing the Clientless SSL VPN Scenario If you are satisfied with the configuration, click Finish to apply the changes to the adaptive security appliance. If you want the configuration changes to be saved to the startup configuration so that they are applied the next time the device starts, from the File menu, click Save. Alternatively, ASDM prompts you to save the configuration changes permanently when you exit ASDM.
What to Do Next
If you are deploying the adaptive security appliance solely in a clientless SSL VPN environment, you have completed the initial configuration. In addition, you may want to consider performing some of the following steps:
CHAPTER 7 Scenario: Site-to-Site VPN Configuration
This chapter describes how to use the adaptive security appliance to create a site-to-site VPN. Site-to-site VPN features provided by the adaptive security appliance enable businesses to extend their networks across low-cost public Internet connections to business partners and remote offices worldwide while maintaining their network security.
Implementing the Site-to-Site Scenario
[Figure: Network Layout for Site-to-Site VPN Configuration Scenario. Site A: an ASA 5580 with inside network 10.10.10.0 and outside interface 209.165.200.226. Site B: an ASA 5580 with inside network 10.20.20.0 and outside interface 209.165.200.236. The two outside interfaces reach each other across the Internet through ISP routers.]
Information to Have Available
Before you begin the configuration procedure, obtain the following information:
• IP address of the remote adaptive security appliance peer
• IP addresses of local hosts and networks permitted to use the tunnel to communicate with resources at the remote site
• IP addresses of remote hosts and networks permitted to use the tunnel to communicate with local resources
Configuring the
To start ASDM using the ASDM Launcher software, perform the following steps:
Step 1 From your desktop, start the Cisco ASDM Launcher software. A dialog box appears.
Step 2 Enter the IP address or the hostname of your adaptive security appliance.
Step 3 Leave the Username and Password fields blank.
Note By default, no username and password are set for the Cisco ASDM Launcher.
Step 4 Click OK.
Configuring the Adaptive Security Appliance at the Local Site
Note The adaptive security appliance at the first site is referred to as Security Appliance 1 in this scenario.
To configure Security Appliance 1, perform the following steps:
Step 1 In the main ASDM window, choose the IPsec VPN Wizard option from the Wizards drop-down menu. ASDM opens the first VPN Wizard screen.
Note The Site-to-Site VPN option connects two IPsec security gateways, which can include adaptive security appliances, VPN concentrators, or other devices that support site-to-site IPsec connectivity.
b. From the VPN Tunnel Interface drop-down list, choose Outside as the enabled interface for the current VPN tunnel.
c. Click Next to continue.
Note In this scenario, the remote VPN peer is referred to as Security Appliance 2.
In Step 2 of the VPN Wizard, perform the following steps:
Step 1 Enter the Peer IP Address (the IP address of Security Appliance 2, in this scenario 209.165.200.236) and a Tunnel Group Name (for example, "Cisco").
Step 3 Click Next to continue.
Configuring the IKE Policy
IKE is the negotiation protocol that establishes the tunnel: it agrees on an encryption method to protect data and ensure privacy, and it authenticates the peers to each other. In most cases, the ASDM default values are sufficient to establish secure VPN tunnels between two peers. Where both peers support them, prefer AES over DES or 3DES and SHA over MD5; DES and MD5 are retained for compatibility with older peers.
Note When configuring Security Appliance 2, enter the exact values for each of the options that you chose for Security Appliance 1. Mismatched IKE settings are a common cause of VPN tunnel failures and can slow down the negotiation process.
Step 2 Click Next to continue.
Step 1 Choose the encryption algorithm (DES/3DES/AES) from the Encryption drop-down list, and the authentication algorithm (MD5/SHA) from the Authentication drop-down list.
Step 2 Click Next to continue.
Specifying Hosts and Networks
Identify hosts and networks at the local site that are permitted to use this IPsec tunnel to communicate with hosts and networks on the other side of the tunnel. In addition, identify hosts and networks at the remote site that are allowed to use this IPsec tunnel to access local hosts and networks. Add or remove hosts and networks by clicking Add or Delete, respectively.
In this scenario, for Security Appliance 1, the remote network is Network B (10.20.20.0), so traffic between the local network and Network B is encrypted and permitted through the tunnel. Traffic to any destination not listed here is not protected by the tunnel.
Viewing VPN Attributes and Completing the Wizard
In Step 6 of the VPN Wizard, review the configuration list for the VPN tunnel you just created. If you are satisfied with the configuration, click Finish to apply the changes to the adaptive security appliance. This concludes the configuration process for Security Appliance 1.
Configuring the Other Side of the VPN Connection
You have just configured the local adaptive security appliance. Next, configure the adaptive security appliance at the remote site to serve as the VPN peer. Enter the same IKE and IPsec settings you chose for Security Appliance 1, and enter the hosts and networks as the mirror image: for Security Appliance 2, the local network is Network B (10.20.20.0) and the remote network is Network A (10.10.10.0).
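The two requirements above (identical IKE settings on both appliances, and host/network lists that mirror each other) are the ones the wizard cannot check for you, because each appliance is configured on its own. The following added example, which is not code from this guide or from Cisco, models both appliances' settings and reports what would keep the tunnel from forming. Addresses are the scenario's; the /24 masks, the policy names and the weak-algorithm table are assumptions of the example, and the matching rule (a proposal matches only when every attribute is identical, with the initiator's preference order deciding) is standard IKE behaviour rather than anything ASDM-specific.

```python
"""Peer-consistency check for the site-to-site scenario (added example)."""
import ipaddress
from dataclasses import dataclass

# Wizard options a practitioner should avoid where the peer supports better
# ones (assumption of this example, not a statement from the guide).
WEAK = {"encryption": {"des"}, "hash_alg": {"md5"}, "dh_group": {1}}


@dataclass(frozen=True)
class IkePolicy:
    encryption: str  # des | 3des | aes
    hash_alg: str    # md5 | sha
    dh_group: int    # 1 | 2 | 5 | 7


@dataclass(frozen=True)
class Peer:
    name: str
    outside: str      # this appliance's outside interface address
    peer_ip: str      # "Peer IP Address" entered in the wizard
    local_net: str    # hosts behind this appliance allowed to use the tunnel
    remote_net: str   # hosts behind the other appliance
    policies: tuple   # IKE proposals, most preferred first


def negotiate_ike(initiator, responder):
    """Return the first initiator proposal the responder also accepts, else None.

    A proposal matches only when every attribute is identical; IKE has no
    notion of 'close enough', which is why one differing option on
    Security Appliance 2 leaves the tunnel down.
    """
    accepted = set(responder.policies)
    for proposal in initiator.policies:
        if proposal in accepted:
            return proposal
    return None


def selectors_mirror(a, b):
    """Protected networks must be mirror images: A's remote is B's local."""
    net = ipaddress.ip_network
    return (net(a.local_net) == net(b.remote_net)
            and net(a.remote_net) == net(b.local_net))


def weak_attributes(policy):
    """Names of the policy attributes that fall in the WEAK table."""
    return sorted(attr for attr, bad in WEAK.items() if getattr(policy, attr) in bad)


def check_pair(a, b):
    """List the problems that would keep the tunnel between a and b from forming."""
    problems = []
    if a.peer_ip != b.outside or b.peer_ip != a.outside:
        problems.append("peer IP addresses do not point at each other")
    agreed = negotiate_ike(a, b)
    if agreed is None:
        problems.append("no common IKE policy")
    else:
        problems.extend(f"agreed IKE policy uses weak {attr}" for attr in weak_attributes(agreed))
    if not selectors_mirror(a, b):
        problems.append("protected networks are not mirror images")
    return problems


AES_SHA_G2 = IkePolicy("aes", "sha", 2)
TRIPLE_DES_SHA_G2 = IkePolicy("3des", "sha", 2)
DES_MD5_G1 = IkePolicy("des", "md5", 1)   # offered by the wizard, but weak

APPLIANCE_1 = Peer("Security Appliance 1", "209.165.200.226", "209.165.200.236",
                   "10.10.10.0/24", "10.20.20.0/24", (AES_SHA_G2,))
# Correct far side: same IKE policy, networks reversed.
APPLIANCE_2 = Peer("Security Appliance 2", "209.165.200.236", "209.165.200.226",
                   "10.20.20.0/24", "10.10.10.0/24", (AES_SHA_G2,))
# Typical mistakes: 3DES chosen on one side only, and the host/network
# entries copied from Appliance 1 instead of reversed.
APPLIANCE_2_WRONG = Peer("Security Appliance 2", "209.165.200.236", "209.165.200.226",
                         "10.10.10.0/24", "10.20.20.0/24", (TRIPLE_DES_SHA_G2,))
# Both sides offer both policies in opposite order: the initiator's
# preference decides, so the weak policy is what actually gets used.
LEGACY_FIRST = Peer("A", "209.165.200.226", "209.165.200.236",
                    "10.10.10.0/24", "10.20.20.0/24", (DES_MD5_G1, AES_SHA_G2))
STRONG_FIRST = Peer("B", "209.165.200.236", "209.165.200.226",
                    "10.20.20.0/24", "10.10.10.0/24", (AES_SHA_G2, DES_MD5_G1))

if __name__ == "__main__":
    for label, far in (("correct", APPLIANCE_2), ("mis-entered", APPLIANCE_2_WRONG)):
        print(label, check_pair(APPLIANCE_1, far) or ["tunnel can form"])
    print("legacy initiator:", check_pair(LEGACY_FIRST, STRONG_FIRST))
```

The last case is the one to remember when you leave several policies configured "for compatibility": if the older peer initiates, its first proposal wins and the tunnel silently runs on DES/MD5/group 1, so remove the weak policies rather than ordering them last.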
What to Do Next
You can configure the adaptive security appliance for more than one application. The following sections provide configuration procedures for other common applications of the adaptive security appliance:
CHAPTER 8 Scenario: IPsec Remote-Access VPN Configuration
This chapter describes how to use the adaptive security appliance to accept remote-access IPsec VPN connections. A remote-access VPN creates secure connections, or tunnels, across the Internet, giving off-site users secure access to the internal network. In this type of VPN configuration, remote users must be running the Cisco VPN Client to connect to the adaptive security appliance.
Implementing the IPsec Remote-Access VPN Scenario
[Figure 8-1 Network Layout for Remote Access VPN Scenario: a VPN client (user 1) on the Internet connects to the outside interface of the security appliance; the internal network 10.10.10.0 behind the inside interface hosts a DNS server at 10.10.10.163 and a WINS server whose address is cut off in the source (10.10.10.).]
• Specifying a User Authentication Method, page 8-9
• (Optional) Configuring User Accounts, page 8-10
• Configuring Address Pools, page 8-11
• Configuring Client Attributes, page 8-13
• Configuring the IKE Policy, page 8-14
• Configuring IPsec Encryption and Authentication Parameters, page 8-15
• Specifying Address Translation Exception and Split Tunneling, page 8-16
• Verifying the R
If you prefer to access ASDM directly with a web browser or using Java, see Starting ASDM with a Web Browser, page 4-7. To start ASDM using the ASDM Launcher software, perform the following steps:
Step 1 From your desktop, start the Cisco ASDM Launcher software. A dialog box appears.
Step 2 Enter the IP address or the hostname of your adaptive security appliance.
Configuring an IPsec Remote-Access VPN
To configure a remote-access VPN, perform the following steps:
Step 1 In the main ASDM window, choose IPsec VPN Wizard from the Wizards drop-down menu. The VPN Wizard Step 1 screen appears.
Step 2 In Step 1 of the VPN Wizard, perform the following steps:
a. Click the Remote Access radio button.
b. From the drop-down list, choose Outside as the enabled interface for the incoming VPN tunnels.
c. Click Next to continue.
Step 1 Specify the type of VPN client that remote users will use to connect to this adaptive security appliance. For this scenario, click the Cisco VPN Client radio button. You can also use any other Cisco Easy VPN remote product.
Step 2 Click Next to continue.
Step 1 Specify the type of authentication that you want to use by performing one of the following steps:
• To use a static preshared key for authentication, click the Pre-Shared Key radio button and enter a preshared key (for example, "Cisco"). This key is used for IPsec negotiations. The value "Cisco" is only an illustration: every VPN client in the tunnel group shares this key, so use a long, random key and never the example value.
Step 2 Enter a Tunnel Group Name (such as "Cisco") for the set of users that use common connection parameters and client attributes to connect to this security appliance.
Step 3 Click Next to continue.
Step 3 Click Next to continue.
(Optional) Configuring User Accounts
If you have chosen to authenticate users with the local user database, you can create new user accounts here. You can also add users later using the ASDM configuration interface. In Step 5 of the VPN Wizard, perform the following steps:
Step 1 To add a new user, enter a username and password, and then click Add.
Step 2 When you have finished adding new users, click Next to continue.
Configuring Address Pools
For remote clients to gain access to your network, you must configure a pool of IP addresses that are assigned to remote VPN clients as they successfully connect. In this scenario, the pool is configured to use the range of IP addresses 209.165.201.1–209.165.201.20.
Alternatively, click New to create a new address pool. The Add IP Pool dialog box appears.
Step 2 In the Add IP Pool dialog box, do the following:
a. Enter the Starting IP address and Ending IP address of the range.
b. (Optional) Enter a subnet mask or choose a subnet mask for the range of IP addresses from the Subnet Mask drop-down list.
c. Click OK to return to Step 6 of the VPN Wizard.
Step 3 Click Next to continue.
In Step 7 of the VPN Wizard, perform the following steps:
Step 1 Enter the network configuration information to be pushed to remote clients.
Step 2 Click Next to continue.
Configuring the IKE Policy
IKE is the negotiation protocol that establishes the tunnel: it agrees on an encryption method to protect data and ensure privacy, and it authenticates the peers to each other.
To specify the IKE policy in Step 8 of the VPN Wizard, perform the following steps:
Step 1 Choose the encryption algorithm (DES/3DES/AES), the authentication algorithm (MD5/SHA), and the Diffie-Hellman group (1/2/5/7) used by the adaptive security appliance during an IKE security association. Diffie-Hellman group 1 uses a 768-bit modulus; where the clients support it, choose group 2 or 5 instead.
Step 2 Click Next to continue.
Step 1 Choose the encryption algorithm (DES/3DES/AES) and the authentication algorithm (MD5/SHA).
Step 2 Click Next to continue.
Specifying Address Translation Exception and Split Tunneling
Split tunneling enables remote-access IPsec clients to send packets conditionally: traffic for the internal networks listed here is encrypted and sent over the IPsec tunnel, while traffic for all other destinations leaves the client's network interface in cleartext and bypasses the adaptive security appliance and its policies. If split tunneling is not enabled, all client traffic is sent through the tunnel.
In Step 10 of the VPN Wizard, perform the following steps:
Step 1 Specify hosts, groups, and networks that should be in the list of internal resources made accessible to authenticated remote users. To add or remove hosts, groups, and networks from the Selected Hosts/Networks area, click Add or Delete, respectively.
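The address pool from Step 6 and the hosts/networks list from Step 10 decide, between them, which client packets the appliance ever sees. The following added example (not code from this guide or from Cisco) models those two settings plus the split-tunneling switch: route_for() answers, for one destination, whether the client encrypts the packet into the tunnel or sends it in cleartext from its own interface, and the pool helpers catch the two pool mistakes that are easy to make in the dialog, a range that does not fit one subnet (as a mistyped octet in the ending address produces) and a range that overlaps a protected internal network. The /24 masks, the Internet host 203.0.113.5 and the bad pool ranges are constructed for the example.

```python
"""Split-tunnel and address-pool checks for the remote-access scenario (added example)."""
import ipaddress

INTERNAL_NETWORKS = [ipaddress.ip_network("10.10.10.0/24")]  # wizard Step 10 list
POOL_START, POOL_END = "209.165.201.1", "209.165.201.20"     # wizard Step 6 pool


def route_for(destination, split_tunneling, internal=INTERNAL_NETWORKS):
    """'tunnel' if the client encrypts the packet to the appliance, else 'cleartext'."""
    dst = ipaddress.ip_address(destination)
    if not split_tunneling:
        return "tunnel"  # tunnel-all: every packet goes to the appliance
    return "tunnel" if any(dst in net for net in internal) else "cleartext"


def bypassing(destinations, split_tunneling, internal=INTERNAL_NETWORKS):
    """Destinations a client reaches without the appliance seeing the traffic."""
    return sorted(d for d in destinations
                  if route_for(d, split_tunneling, internal) == "cleartext")


def pool_size(start, end, mask="255.255.255.0"):
    """Number of addresses in the pool. Rejects a reversed range and a range
    that does not fit one subnet under 'mask': a pool whose ending address
    sits in another /16 is almost never what was intended."""
    lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if hi < lo:
        raise ValueError("ending address precedes starting address")
    lo_net = ipaddress.ip_network(f"{lo}/{mask}", strict=False)
    hi_net = ipaddress.ip_network(f"{hi}/{mask}", strict=False)
    if lo_net != hi_net:
        raise ValueError(f"{start}-{end} spans more than one {mask} subnet")
    return int(hi) - int(lo) + 1


def pool_is_valid(start, end, mask="255.255.255.0"):
    """Boolean wrapper around pool_size() for callers that only need yes/no."""
    try:
        pool_size(start, end, mask)
        return True
    except ValueError:
        return False


def pool_overlaps_internal(start, end, internal=INTERNAL_NETWORKS):
    """Pool addresses inside a protected network collide with real hosts and
    with the NAT exemption for that network; return the offending addresses."""
    lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
    return [str(ipaddress.ip_address(i)) for i in range(int(lo), int(hi) + 1)
            if any(ipaddress.ip_address(i) in net for net in internal)]


if __name__ == "__main__":
    # DNS server from Figure 8-1 and a constructed Internet host.
    targets = ["10.10.10.163", "203.0.113.5"]
    for split in (False, True):
        print(f"split tunneling {'on' if split else 'off'}:",
              {t: route_for(t, split) for t in targets})
    print("pool size:", pool_size(POOL_START, POOL_END))
    print("mistyped end octet accepted:", pool_is_valid("209.165.201.1", "209.166.201.20"))
    print("pool inside protected net:", pool_overlaps_internal("10.10.10.200", "10.10.10.203"))
```

With split tunneling on, only the 10.10.10.0 destination is encrypted; the Internet host is reached directly, so anything the appliance would have inspected or logged for that traffic never happens. Turn split tunneling on only when that exposure is acceptable for the client population in the tunnel group.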
Verifying the Remote-Access VPN Configuration
In Step 11 of the VPN Wizard, review the configuration attributes for the new VPN tunnel. The displayed configuration should be similar to the following:
If you are satisfied with the configuration, click Finish to apply the changes to the adaptive security appliance.
If you do not save the configuration changes, the old configuration takes effect the next time the device starts.
What to Do Next
To establish end-to-end, encrypted VPN tunnels for secure connectivity for mobile employees or teleworkers, obtain the Cisco VPN Client software. For more information about the Cisco Systems VPN Client, see the following URL: http://www.cisco.com/en/US/products/sw/secursw/ps2308/index.html.
APPENDIX A Obtaining a 3DES/AES License
The Cisco ASA 5580 comes with a DES license that provides encryption. You can obtain a 3DES/AES license that provides stronger encryption for specific features, such as secure remote management (SSH, ASDM, and so on), site-to-site VPN, and remote-access VPN. You need an encryption license key (activation key) to enable this license. If you are a registered user of Cisco.com and would like to obtain a 3DES/AES encryption license, go to the following website: http://www.cisco.
Appendix A Obtaining a 3DES/AES License
Step 1 Command: hostname# show version
Purpose: Shows the software release, hardware configuration, license key, and related uptime data.
Step 2 Command: hostname# activation-key activation-5-tuple-key
Purpose: Updates the encryption activation key. Replace the activation-5-tuple-key variable with the activation key obtained with your new license. The activation-5-tuple-key variable is a five-element hexadecimal string with one space between each element.
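Before pasting a new key into the activation-key command, it is worth confirming from show version whether 3DES/AES is already licensed and whether the key you were sent has the documented shape (five hexadecimal elements, single spaces). The following added example (not code from this guide or from Cisco) does both on captured output. SAMPLE_SHOW_VERSION is constructed to resemble the license section of ASA show version output; feature names and spacing on a given release may differ, so adjust the patterns to what your appliance prints, and the key values are made up.

```python
"""License check and activation-key validation from 'show version' text (added example)."""
import re

SAMPLE_SHOW_VERSION = """\
Cisco Adaptive Security Appliance Software Version 8.1(2)
Hardware:   ASA5580-20
Licensed features for this platform:
VPN-DES                 : Enabled
VPN-3DES-AES            : Disabled
Failover                : Active/Active
Running Activation Key: 0x12345678 0x9abcdef0 0x0fedcba9 0x87654321 0x13579bdf
"""

# "Name : Value" feature lines; the name may contain letters, digits, '/', '-' and spaces.
FEATURE_LINE = re.compile(r"^(?P<name>[A-Za-z0-9/ -]+?)\s*:\s*(?P<value>\S.*?)\s*$")
KEY_LINE = re.compile(r"Activation Key:\s*(?P<key>.+?)\s*$")
HEX_ELEMENT = re.compile(r"^(0x)?[0-9a-fA-F]+$")


def parse_features(output):
    """Map 'Name : Value' lines to a dict, skipping the activation-key line."""
    features = {}
    for line in output.splitlines():
        if "Activation Key" in line:
            continue
        m = FEATURE_LINE.match(line)
        if m:
            features[m.group("name")] = m.group("value")
    return features


def strong_crypto_licensed(output):
    """True when the 3DES/AES feature shows as Enabled."""
    return parse_features(output).get("VPN-3DES-AES", "").lower() == "enabled"


def running_activation_key(output):
    """The key elements currently installed, or None if the line is absent."""
    for line in output.splitlines():
        m = KEY_LINE.search(line)
        if m:
            return m.group("key").split()
    return None


def validate_activation_key(key):
    """Accept only the documented form: five hexadecimal elements separated by
    single spaces. Catches truncated keys, doubled spaces and stray characters
    before they reach the CLI."""
    elements = key.strip().split(" ")
    return len(elements) == 5 and all(HEX_ELEMENT.match(e) for e in elements)


if __name__ == "__main__":
    print("3DES/AES licensed:", strong_crypto_licensed(SAMPLE_SHOW_VERSION))
    current = running_activation_key(SAMPLE_SHOW_VERSION)
    print("running key:", current)
    print("running key well-formed:", validate_activation_key(" ".join(current)))
    print("truncated key well-formed:", validate_activation_key(" ".join(current[:4])))
```

Keep the output of show version from before the change alongside the new key: if the appliance rejects the key or a feature you relied on disappears, the old five elements are what you need to restore.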
INDEX
Numerics
10-Gigabit Ethernet fiber interface card: described 2-5; illustration 2-6
A
ASA 5580: Ethernet port indicators 3-18; I/O bridges 2-6; installing in a rack 3-4; power supply indicators 3-19
C
CA certificate validation, not done in WebVPN 6-2
Console port 3-21
G
Gigabit Ethernet fiber interface card: described 2-6
Gigabit Ethernet interface card: described 2-5; illustration 2-5
I
I/O bridges 2-6
Interface expansion slots 2-3
M
Management Port 3-20
MGMT port 3-16, 3-20
P
Power supply i
R
Rack installation, ASA 5580 3-4
Rail system kit contents 3-2
S
security, WebVPN 6-2
W
WebVPN: CA certificate validation not done 6-2; security precautions 6-2; unsupported features 6-3
Cisco ASA 5580 Getting Started Guide IN-2 78-18101-01