Cisco Systems ASA 5500 user manual


A good user manual

The law requires the seller to hand over to the buyer, together with the product, the user manual for the Cisco Systems ASA 5500. A missing manual, or incorrect information given to the consumer, is grounds for a complaint on the basis that the device does not conform to the contract. The law allows the manual to be provided in a form other than paper, which has lately become common: the Cisco Systems ASA 5500 manual may be supplied in graphic or electronic form, or as a training video for users. The condition remains that the form be clear and understandable.

What is a manual?

The word comes from the Latin "instructio", that is, to put in order. Accordingly, the Cisco Systems ASA 5500 manual contains a description of the steps to follow. The purpose of a manual is to make it easier to start up and use the equipment or to carry out a particular activity. A manual is a collection of information about an item or service, a guide.

Unfortunately, few users find the time to read the Cisco Systems ASA 5500 manuals, yet a good manual not only reveals a number of additional functions of the purchased device but also helps avoid most faults.

What should an ideal user manual contain?

First of all, the Cisco Systems ASA 5500 manual should contain:
- information on the technical data of the Cisco Systems ASA 5500
- the name of the manufacturer and the year of manufacture of the Cisco Systems ASA 5500
- rules for operating, configuring and maintaining the Cisco Systems ASA 5500
- safety marks and certificates confirming compliance with standards

Why don't we read manuals?

Usually because of a lack of time and because we feel sure about the individual functions of the purchased device. Unfortunately, simply connecting and starting the Cisco Systems ASA 5500 is not enough. The manual contains a number of specific instructions concerning functionality, safety principles, methods of care (even which products to use), possible faults of the Cisco Systems ASA 5500 and ways of solving problems that arise during use. Finally, the manual gives the address of the Cisco Systems website, in case the proposed solutions prove ineffective. Manuals in the form of engaging animations or video material are currently very popular, as users take them in better than a brochure. This kind of manual lets the user watch the whole film without skipping the specification and complex technical descriptions of the Cisco Systems ASA 5500, as often happens with a paper version.

Why is it worth reading manuals?

Above all, they answer questions about the construction and capabilities of the Cisco Systems ASA 5500 and the use of individual accessories, and give a range of information that lets you make full use of all its functions and conveniences.

After a successful purchase of equipment or a device, it is worth taking a few minutes to get acquainted with every part of the Cisco Systems ASA 5500 manual. Nowadays manuals are carefully prepared or translated so that they are not only understandable to the user but also fulfil their basic function of informing and supporting.

Manual contents

  • Page 1

    Corporate Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 526-4100 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide For the Cisco ASA 5510, ASA 5520, and ASA 5540 Customer Order Number: DOC-7817611=[...]

  • Page 2

    THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION[...]

  • Page 3

    iii Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 CONTENTS CHAPTER 1 Before You Begin 1-1 ASA 5500 1-1 ASA 5500 with AIP SSM 1-2 ASA 5500 with CSC SSM 1-3 ASA 5500 with 4GE SSM 1-4 CHAPTER 2 Installing the Cisco ASA 5500 2-1 Verifying the Package Contents 2-2 Installing the Chassis 2-3 Rack-Mounting the Chass[...]

  • Page 4

    Contents iv Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 CHAPTER 4 Connecting Interface Cables 4-1 Connecting Cables to Interfaces 4-2 What to Do Next 4-10 CHAPTER 5 Configuring the Adaptive Security Appliance 5-1 About the Factory-Default Configuration 5-1 About the Adaptive Security Device Manager 5-2[...]

  • Page 5

    v Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 Contents Starting ASDM 7-4 Configuring the FWSM for an IPsec Remote-Access VPN 7-5 Selecting VPN Client Types 7-6 Specifying the VPN Tunnel Group Name and Authentication Method 7-7 Specifying a User Authentication Method 7-8 (Optional) Configuring User Accounts [...]

  • Page 6

    Contents vi Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 CHAPTER 9 Configuring the AIP SSM 9-1 AIP SSM Configuration 9-1 Overview of Configuration Process 9-2 Configuring the ASA 5500 to Divert Traffic to the AIP SSM 9-2 Sessioning to the AIP SSM and Running Setup 9-5 What to Do Next 9-7 CHAPTER 10 Configurin[...]

  • Page 7

    CHAPTER 1-1 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 1 Before You Begin Use the following table to find the installation and configuration steps that are required for your implementation of the adaptive security appliance. The adaptive security appliance implementations included in this docume[...]

  • Page 8

    Chapter 1 Before You Begin ASA 5500 with AIP SSM 1-2 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 ASA 5500 with AIP SSM Configure the adaptive security appliance for your implementation Chapter 6, “Scenario: DMZ Configuration” Chapter 7, “Scenario: Remote-Access VPN Configuration” Chapter 8, “S[...]

  • Page 9

    1-3 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 Chapter 1 Before You Begin ASA 5500 with CSC SSM ASA 5500 with CSC SSM Configure IPS software for intrusion prevention Configuring the Cisco Intrusion Prevention System Sensor Using the Command Line Interface Cisco Intrusion Prevention System Command Re[...]

  • Page 10

    Chapter 1 Before You Begin ASA 5500 with 4GE SSM 1-4 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 ASA 5500 with 4GE SSM Configure the CSC SSM Cisco Content Security and Control SSM Administrator Guide Refine configuration and configure optional and advanced features Cisco Security Appliance Command Lin[...]

  • Page 11

    CHAPTER 2-1 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 2 Installing the Cisco ASA 5500 Warning Only trained and qualified personnel should be allowed to install, replace, or service this equipment. Caution Read the safety warnings in the Regulatory Compliance and Safety Information for the Cisco[...]

  • Page 12

    Chapter 2 Installing the Cisco ASA 5500 Verifying the Package Contents 2-2 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 Verifying the Package Contents Verify the contents of the packing box to ensure that you have received all items necessary to install your Cisco ASA 5500 series adaptive security appliance[...]

  • Page 13

    2-3 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 Chapter 2 Installing the Cisco ASA 5500 Installing the Chassis Installing the Chassis This section describes how to rack-mount and install the adaptive security appliance. You can mount the adaptive security appliance in a 19-inch rack (with a 17.5- or 17[...]

  • Page 14

    Chapter 2 Installing the Cisco ASA 5500 Installing the Chassis 2-4 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 Rack-Mounting the Chassis To rack-mount the chassis, perform the following steps: Step 1 Attach the rack-mount brackets to the chassis using the supplied screws. Attach the brackets to the holes as[...]

  • Page 15

    2-5 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 Chapter 2 Installing the Cisco ASA 5500 Ports and LEDs Figure 2-3 Rack-Mounting the Chassis To remove the chassis from the rack, remove the screws that attach the chassis to the rack, and then remove the chassis. Ports and LEDs This section describes the [...]

  • Page 16

    Chapter 2 Installing the Cisco ASA 5500 Ports and LEDs 2-6 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 Figure 2-4 Front Panel LEDs LED Color State Description 1 Power Green On The system has power. 2 Status Green Flashing The power-up diagnostics are running or the system is booting. Solid The system [...]

  • Page 17

    2-7 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 Chapter 2 Installing the Cisco ASA 5500 Ports and LEDs Figure 2-5 shows the rear panel features for the adaptive security appliance. Figure 2-5 Rear Panel LEDs and Ports (AC Power Supply Model Shown) For more information on the Management Port, see t[...]

  • Page 18

    Chapter 2 Installing the Cisco ASA 5500 Ports and LEDs 2-8 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 Figure 2-6 shows the adaptive security appliance rear panel LEDs. Figure 2-6 Rear Panel Link and Speed Indicator LEDs Table 2-1 lists the rear MGMT and Network interface LEDs. Note The ASA 5510 adapt[...]

  • Page 19

    2-9 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 Chapter 2 Installing the Cisco ASA 5500 What to Do Next What to Do Next Continue with one of the following chapters: To Do This ... See ... Install SSMs you purchased but that have not yet been installed Chapter 3, “Installing Optional SSMs” Continue[...]

  • Page 20

    Chapter 2 Installing the Cisco ASA 5500 What to Do Next 2-10 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01[...]

  • Page 21

    CHAPTER 3-1 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 3 Installing Optional SSMs This chapter provides information about installing optional SSMs (Security Services Modules) and their components. You only need to use the procedures in this chapter if you purchased an optional SSM but it is not y[...]

  • Page 22

    Chapter 3 Installing Optional SSMs Cisco 4GE SSM 3-2 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 4GE SSM Components Figure 3-1 lists the Cisco 4GE SSM ports and LEDs. Figure 3-1 Cisco 4GE SSM Ports and LEDs Note Figure 3-1 shows SFP modules installed in the port slots. You must order and install the SFP m[...]

  • Page 23

    3-3 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 Chapter 3 Installing Optional SSMs Cisco 4GE SSM Installing the Cisco 4GE SSM To install a new Cisco 4GE SSM for the first time, perform the following steps: Step 1 Power off the adaptive security appliance. Step 2 Locate the grounding strap fro[...]

  • Page 24

    Chapter 3 Installing Optional SSMs Cisco 4GE SSM 3-4 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 Step 4 Insert the Cisco 4GE SSM through the slot opening as shown in Figure 3-3. Figure 3-3 Inserting the Cisco 4GE SSM into the Slot Step 5 Attach the screws to secure the Cisco 4GE SSM to the chassis[...]

  • Page 25

    3-5 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 Chapter 3 Installing Optional SSMs Cisco 4GE SSM SFP Module The adaptive security appliance uses a field-replaceable SFP module to establish Gigabit connections. Note If you install an SFP module after the switch has powered on, you must reload the adapti[...]

  • Page 26

    Chapter 3 Installing Optional SSMs Cisco 4GE SSM 3-6 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 Use only Cisco-certified SFP modules on the adaptive security appliance. Each SFP module has an internal serial EEPROM that is encoded with security information. This encoding provides a way for Cisco to i[...]

  • Page 27

    3-7 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 Chapter 3 Installing Optional SSMs Cisco 4GE SSM Figure 3-4 Installing an SFP Module Caution Do not remove the optical port plugs from the SFP until you are ready to connect the cables. Step 2 Remove the Optical port plug; then connect the net[...]

  • Page 28

    Chapter 3 Installing Optional SSMs Cisco AIP SSM and CSC SSM 3-8 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 Cisco AIP SSM and CSC SSM The ASA 5500 series adaptive security appliance supports the AIP SSM (Advanced Inspection and Prevention Security Services Module) and the CSC SSM (Content Security Cont[...]

  • Page 29

    3-9 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 Chapter 3 Installing Optional SSMs Cisco AIP SSM and CSC SSM Figure 3-5 SSM LEDs Table 3-5 describes the SSM LEDs. Installing an SSM To install a new SSM, perform the following steps: Step 1 Power off the adaptive security appliance. Step 2 Locate [...]

  • Page 30

    Chapter 3 Installing Optional SSMs What to Do Next 3-10 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 Figure 3-6 Removing the Screws from the Slot Cover Step 4 Insert the SSM into the slot opening as shown in Figure 3-7. Figure 3-7 Inserting the SSM into the Slot Step 5 Attach the screws to secure the S[...]

  • Page 31

    CHAPTER 4-1 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 4 Connecting Interface Cables This chapter describes how to connect the cables to the Console, Auxiliary, Management, Cisco 4GE SSM, and SSM ports. In this document, SSM refers to an intelligent SSM, the AIP SSM, or the CSC SSM. This chapter i[...]

  • Page 32

    Chapter 4 Connecting Interface Cables Connecting Cables to Interfaces 4-2 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 Connecting Cables to Interfaces To connect cables to the interfaces, perform the following steps: Step 1 Place the chassis on a flat, stable surface, or in a rack (if you are rack-mount[...]

  • Page 33

    4-3 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 Chapter 4 Connecting Interface Cables Connecting Cables to Interfaces Figure 4-1 Connecting to the Management Port 1 Management port 2 RJ-45 to RJ-45 Ethernet cable[...]

  • Page 34

    Chapter 4 Connecting Interface Cables Connecting Cables to Interfaces 4-4 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 b. Console port – Connect the serial console cable as shown in Figure 4-2. The console cable has a DB-9 connector on one end for the serial port on your computer, and the other end is [...]

  • Page 35

    4-5 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 Chapter 4 Connecting Interface Cables Connecting Cables to Interfaces c. Auxiliary port – Connect the serial console cable as shown in Figure 4-2. The console cable has a DB-9 connector on one end for the serial port on your computer, and the other end is [...]

  • Page 36

    Chapter 4 Connecting Interface Cables Connecting Cables to Interfaces 4-6 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 d. Cisco 4GE SSM • Ethernet port – Connect one RJ-45 connector to the Ethernet port of the Cisco 4GE SSM as shown in Figure 4-4. – Connect the other end of the Ethernet cable to yo[...]

  • Page 37

    4-7 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 Chapter 4 Connecting Interface Cables Connecting Cables to Interfaces • SFP modules – Insert and slide the SFP module into the SFP port until you hear a click. The click indicates that the SFP module is locked into the port. – Remove the optical port p[...]

  • Page 38

    Chapter 4 Connecting Interface Cables Connecting Cables to Interfaces 4-8 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 Figure 4-6 Connecting the LC Connector – Connect the other end to your network devices, such as routers, switches, or hubs. e. SSM – Connect one RJ-45 connector to the management p[...]

  • Page 39

    4-9 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 Chapter 4 Connecting Interface Cables Connecting Cables to Interfaces Figure 4-7 Connecting to the Management Port 1 SSM management port 2 RJ-45 to RJ-45 cable[...]

  • Page 40

    Chapter 4 Connecting Interface Cables What to Do Next 4-10 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 f. Ethernet ports – Connect the RJ-45 connector to the Ethernet port as shown in Figure 4-8. – Connect the other end of the Ethernet cable to your network device, such as a router, switch or hu[...]

  • Page 41

    CHAPTER 5-1 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 5 Configuring the Adaptive Security Appliance This chapter describes the initial configuration of the adaptive security appliance. You can perform the configuration steps using either the browser-based Cisco Adaptive Security Dev[...]

  • Page 42

    Chapter 5 Configuring the Adaptive Security Appliance About the Adaptive Security Device Manager 5-2 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 By default, the adaptive security appliance Management interface is configured with a default DHCP address pool. This configuration enables a client on the insid[...]

  • Page 43

    5-3 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 Chapter 5 Configuring the Adaptive Security Appliance Before Launching the Startup Wizard In addition to its complete configuration and management capability, ASDM features intelligent wizards to simplify and accelerate the deployment of the adaptive s[...]

  • Page 44

    Chapter 5 Configuring the Adaptive Security Appliance Using the Startup Wizard 5-4 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 Using the Startup Wizard ASDM includes a Startup Wizard to simplify the initial configuration of your adaptive security appliance. With a few steps, the Startup Wizard enables[...]

  • Page 45

    5-5 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 Chapter 5 Configuring the Adaptive Security Appliance What to Do Next b. In the address field of the browser, enter this URL: https://192.168.1.1/. Note The adaptive security appliance ships with a default IP address of 192.168.1.1. Remember t[...]

  • Page 46

    Chapter 5 Configuring the Adaptive Security Appliance What to Do Next 5-6 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 Configure the AIP SSM for intrusion prevention Chapter 9, “Configuring the AIP SSM” Configure the CSC SSM for content security Chapter 10, “Configuring the CSC SSM” To Do Thi[...]

  • Page 47

    CHAPTER 6-1 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 6 Scenario: DMZ Configuration This chapter describes a configuration scenario in which the adaptive security appliance is used to protect network resources located in a demilitarized zone (DMZ). A DMZ is a separate network located in the [...]

  • Page 48

    Chapter 6 Scenario: DMZ Configuration Example DMZ Network Topology 6-2 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 Figure 6-1 Network Layout for DMZ Configuration Scenario This example scenario has the following characteristics: • The web server is on the DMZ interface of the adaptive security applian[...]

  • Page 49

    6-3 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 Chapter 6 Scenario: DMZ Configuration Example DMZ Network Topology Figure 6-2 Outgoing HTTP Traffic Flow from the Private Network In Figure 6-2, the adaptive security appliance permits HTTP traffic originating from inside clients and destined f[...]

  • Page 50

    Chapter 6 Scenario: DMZ Configuration Configuring the Security Appliance for a DMZ Deployment 6-4 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 Figure 6-3 Incoming HTTP Traffic Flow From the Internet To permit incoming traffic to access the DMZ web server, the adaptive security appliance configur[...]

  • Page 51

    6-5 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 Chapter 6 Scenario: DMZ Configuration Configuring the Security Appliance for a DMZ Deployment This configuration procedure assumes that the adaptive security appliance already has interfaces configured for the inside interface, the DMZ interface, and the [...]

  • Page 52

    Chapter 6 Scenario: DMZ Configuration Configuring the Security Appliance for a DMZ Deployment 6-6 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 • For the internal clients to have access to HTTP and HTTPS resources on the Internet, you must create a rule that translates the real IP addresses of interna[...]

  • Page 53

    6-7 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 Chapter 6 Scenario: DMZ Configuration Configuring the Security Appliance for a DMZ Deployment Creating IP Pools for Network Address Translation The adaptive security appliance uses Network Address Translation (NAT) and Port Address Translation (PAT)[...]

  • Page 54

    Chapter 6 Scenario: DMZ Configuration Configuring the Security Appliance for a DMZ Deployment 6-8 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 To configure a pool of IP addresses that can be used for network address translation, perform the following steps: Step 1 In the ASDM window, click the Config[...]

  • Page 55

    6-9 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 Chapter 6 Scenario: DMZ Configuration Configuring the Security Appliance for a DMZ Deployment d. From the Interfaces drop-down list, choose DMZ. e. To create a new IP pool, enter a unique Pool ID. In this scenario, the Pool ID is 200. f. In the IP Addr[...]

  • Page 56

    Chapter 6 Scenario: DMZ Configuration Configuring the Security Appliance for a DMZ Deployment 6-10 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 g. Click Add to add this range of IP addresses to the Address Pool. The Add Global Pool dialog box configuration should be similar to the following: h. Click OK[...]

  • Page 57

    6-11 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 Chapter 6 Scenario: DMZ Configuration Configuring the Security Appliance for a DMZ Deployment e. Click the Port Address Translation (PAT) using the IP address of the interface radio button. If you select the option Port Address Translation using t[...]

  • Page 58

    Chapter 6 Scenario: DMZ Configuration Configuring the Security Appliance for a DMZ Deployment 6-12 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 The displayed configuration should be similar to the following: Step 3 Confirm that the configuration values are correct. Step 4 Click Apply in the main ASDM win[...]

  • Page 59

    6-13 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 Chapter 6 Scenario: DMZ Configuration Configuring the Security Appliance for a DMZ Deployment In this procedure, you configure a Network Address Translation (NAT) rule that associates IP addresses from this pool with the inside clients so they can commu[...]

  • Page 60

    Chapter 6 Scenario: DMZ Configuration Configuring the Security Appliance for a DMZ Deployment 6-14 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 c. Click OK to add the Dynamic NAT Rule and return to the Configuration > NAT window. Review the configuration screen to verify that the translatio[...]

  • Page 61

    6-15 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 Chapter 6 Scenario: DMZ Configuration Configuring the Security Appliance for a DMZ Deployment The displayed configuration should be similar to the following: Step 6 Click Apply to complete the adaptive security appliance configuration changes. Configuri[...]

  • Page 62

    Chapter 6 Scenario: DMZ Configuration Configuring the Security Appliance for a DMZ Deployment 6-16 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 For many configurations, you would also need to create a NAT rule between the inside interface and the outside interface to enable inside clients to communica[...]

  • Page 63

    6-17 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 Chapter 6 Scenario: DMZ Configuration Configuring the Security Appliance for a DMZ Deployment Step 5 In the Static Translation area, specify the public IP address to be used for the web server: a. From the Interface drop-down list, choose Outside. b. Fr[...]

  • Page 64

    Chapter 6 Scenario: DMZ Configuration Configuring the Security Appliance for a DMZ Deployment 6-18 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 The displayed configuration should be similar to the following: Step 7 Click Apply to complete the adaptive security appliance configuration changes. Providing [...]

  • Page 65

    6-19 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 Chapter 6 Scenario: DMZ Configuration Configuring the Security Appliance for a DMZ Deployment appliance that processes the traffic, whether the traffic is incoming or outgoing, the origin and destination of the traffic, and the type of traffic protoc[...]

  • Page 66

    Chapter 6 Scenario: DMZ Configuration Configuring the Security Appliance for a DMZ Deployment 6-20 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 Step 2 In the Interface and Action area: a. From the Interface drop-down list, choose Outside. b. From the Direction drop-down list, choose Incoming. c. From the[...]

  • Page 67

    6-21 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 Chapter 6 Scenario: DMZ Configuration Configuring the Security Appliance for a DMZ Deployment Alternatively, if the address of the source host or network is preconfigured, choose the source IP address from the IP Address drop-down list. c. Enter the [...]

  • Page 68

    Chapter 6 Scenario: DMZ Configuration Configuring the Security Appliance for a DMZ Deployment 6-22 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 At this point, the entries in the Add Access Rule dialog box should be similar to the following: d. Click OK. Step 6 The displayed configuration should be similar[...]

  • Page 69

    6-23 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 Chapter 6 Scenario: DMZ Configuration Configuring the Security Appliance for a DMZ Deployment Step 7 Click Apply to save the configuration changes to the configuration that the adaptive security appliance is currently running. Clients on both the pri[...]

  • Page 70

    Chapter 6 Scenario: DMZ Configuration What to Do Next 6-24 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 Step 8 If you want the configuration changes to be saved to the startup configuration so that they are applied the next time the device starts, from the File menu, click Save. Alternatively, ASDM [...]

  • Page 71

    6-25 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 Chapter 6 Scenario: DMZ Configuration What to Do Next To Do This ... See ... Configure a remote-access VPN Chapter 7, “Scenario: Remote-Access VPN Configuration” Configure a site-to-site VPN Chapter 8, “Scenario: Site-to-Site VPN Configuration”[...]

  • Page 72

    Chapter 6 Scenario: DMZ Configuration What to Do Next 6-26 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01[...]

  • Page 73

    CHAPTER 7-1 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 7 Scenario: Remote-Access VPN Configuration This chapter describes how to use the adaptive security appliance to accept remote-access IPsec VPN connections. A remote-access VPN enables you to create secure connections, or tunnels, across the Int[...]

  • Page 74

    Chapter 7 Scenario: Remote-Access VPN Configuration Implementing the IPsec Remote-Access VPN Scenario 7-2 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 Figure 7-1 Network Layout for Remote Access VPN Scenario Implementing the IPsec Remote-Access VPN Scenario This section describes how to configure the a[...]

  • Page 75

    7-3 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 Chapter 7 Scenario: Remote-Access VPN Configuration Implementing the IPsec Remote-Access VPN Scenario • Specifying the VPN Tunnel Group Name and Authentication Method, page 7-7 • Specifying a User Authentication Method, page 7-8 • (Optional) Configur[...]

  • Page 76

    Chapter 7 Scenario: Remote-Access VPN Configuration Implementing the IPsec Remote-Access VPN Scenario 7-4 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 Starting ASDM To run ASDM in a web browser, enter the factory default IP address in the address field: https://192.168.1.1/admin/. Note Remember to add[...]

  • Page 77

    7-5 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 Chapter 7 Scenario: Remote-Access VPN Configuration Implementing the IPsec Remote-Access VPN Scenario Configuring the FWSM for an IPsec Remote-Access VPN To begin the process for configuring a remote-access VPN, perform the following steps: Step 1 In the mai[...]

  • Page 78

    Chapter 7 Scenario: Remote-Access VPN Configuration Implementing the IPsec Remote-Access VPN Scenario 7-6 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 Selecting VPN Client Types In Step 2 of the VPN Wizard, perform the following steps: Step 1 Specify the type of VPN client that will enable remote users to [...]

  • Page 79

    7-7 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 Chapter 7 Scenario: Remote-Access VPN Configuration Implementing the IPsec Remote-Access VPN Scenario Specifying the VPN Tunnel Group Name and Authentication Method In Step 3 of the VPN Wizard, perform the following steps: Step 1 Specify the type of authent[...]

  • Page 80

    Chapter 7 Scenario: Remote-Access VPN Configuration Implementing the IPsec Remote-Access VPN Scenario 7-8 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 Step 2 Enter a Tunnel Group Name (such as “Cisco”) for the set of users that use common connection parameters and client attributes to connect to this [...]

  • Page 81

    7-9 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 Chapter 7 Scenario: Remote-Access VPN Configuration Implementing the IPsec Remote-Access VPN Scenario In Step 4 of the VPN Wizard, perform the following steps: Step 1 If you want to authenticate users by creating a user database on the adaptive security ap[...]

  • Page 82

    Chapter 7 Scenario: Remote-Access VPN Configuration Implementing the IPsec Remote-Access VPN Scenario 7-10 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 (Optional) Configuring User Accounts If you have chosen to authenticate users with the local user database, you can create new user accounts here. You can[...]

  • Page 83

    7-11 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 Chapter 7 Scenario: Remote-Access VPN Configuration Implementing the IPsec Remote-Access VPN Scenario Configuring Address Pools For remote clients to gain access to your network, you must configure a pool of IP addresses that can be assigned to remote [...]

  • Page 84

    Chapter 7 Scenario: Remote-Access VPN Configuration Implementing the IPsec Remote-Access VPN Scenario 7-12 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 Step 3 Click Next to continue. Configuring Client Attributes To access your network, each remote access client needs basic network configuration information[...]

  • Page 85

    7-13 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 Chapter 7 Scenario: Remote-Access VPN Configuration Implementing the IPsec Remote-Access VPN Scenario In Step 7 of the VPN Wizard, perform the following steps: Step 1 Enter the network configuration information to be pushed to remote clients. Step 2 Cl[...]

  • Page 86

    Chapter 7 Scenario: Remote-Access VPN Configuration Implementing the IPsec Remote-Access VPN Scenario 7-14 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 To specify the IKE policy in Step 8 of the VPN Wizard, perform the following steps: Step 1 Click the Encryption (DES/3DES/AES), authentication algorithms [...]

  • Page 87

    7-15 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 Chapter 7 Scenario: Remote-Access VPN Configuration Implementing the IPsec Remote-Access VPN Scenario Configuring IPsec Encryption and Authentication Parameters In Step 9 of the VPN Wizard, perform the following steps: Step 1 Click the Encryption algorith [...]

  • Page 88

    Chapter 7 Scenario: Remote-Access VPN Configuration Implementing the IPsec Remote-Access VPN Scenario 7-16 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 Specifying Address Translation Exception and Split Tunneling Split tunneling lets a remote-access IPsec client conditionally direct packets over an IPsec t[...]

  • Page 89

    7-17 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 Chapter 7 Scenario: Remote-Access VPN Configuration Implementing the IPsec Remote-Access VPN Scenario Note Enable split tunneling by checking the Enable Split Tunneling check box at the bottom of the screen. Split tunneling allows traffic outside the co[...]

  • Page 90

    Chapter 7 Scenario: Remote-Access VPN Configuration What to Do Next 7-18 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 If you are satisfied with the configuration, click Finish to apply the changes to the adaptive security appliance. If you want the configuration changes to be saved to the startup config[...]

  • Page 91

    7-19 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 Chapter 7 Scenario: Remote-Access VPN Configuration What to Do Next To Do This ... See ... Configure the adaptive security appliance to protect a Web server in a DMZ Chapter 6, “Scenario: DMZ Configuration” Configure a site-to-site VPN Chapter 8, “[...]

  • Page 92

    Chapter 7 Scenario: Remote-Access VPN Configuration What to Do Next 7-20 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01[...]

  • Page 93

    CHAPTER 8-1 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 8 Scenario: Site-to-Site VPN Configuration This chapter describes how to use the adaptive security appliance to create a site-to-site VPN. Site-to-site VPN features provided by the adaptive security appliance enable businesses to extend their [...]

  • Page 94

    Chapter 8 Scenario: Site-to-Site VPN Configuration Implementing the Site-to-Site Scenario 8-2 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 Figure 8-1 Network Layout for Site-to-Site VPN Configuration Scenario Creating a VPN site-to-site deployment such as the one in Figure 8-1 requires you to configu[...]

  • Page 95

    8-3 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 Chapter 8 Scenario: Site-to-Site VPN Configuration Implementing the Site-to-Site Scenario Configuring the Site-to-Site VPN This section describes how to use the ASDM VPN Wizard to configure the adaptive security appliance for a site-to-site VPN. This secti[...]

  • Page 96

    Chapter 8 Scenario: Site-to-Site VPN Configuration Implementing the Site-to-Site Scenario 8-4 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 Configuring the Security Appliance at the Local Site Note The adaptive security appliance at the first site is referred to as Security Appliance 1 from this point forwa[...]

  • Page 97

    8-5 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 Chapter 8 Scenario: Site-to-Site VPN Configuration Implementing the Site-to-Site Scenario In Step 1 of the VPN Wizard, perform the following steps: a. Click the Site-to-Site VPN radio button. Note The Site-to-Site VPN option connects two IPSec security ga[...]

  • Page 98

    Chapter 8 Scenario: Site-to-Site VPN Configuration Implementing the Site-to-Site Scenario 8-6 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 Providing Information About the Remote VPN Peer The VPN peer is the system on the other end of the connection that you are configuring, usually at a remote site. Note [...]

  • Page 99

    8-7 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 Chapter 8 Scenario: Site-to-Site VPN Configuration Implementing the Site-to-Site Scenario Step 3 Click Next to continue. Configuring the IKE Policy IKE is a negotiation protocol that includes an encryption method to protect data and ensure privacy; it i[...]

  • Page 100

    Chapter 8 Scenario: Site-to-Site VPN Configuration Implementing the Site-to-Site Scenario 8-8 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 Note When configuring Security Appliance 2, enter the exact values for each of the options that you chose for Security Appliance 1. Encryption mismatches are a common[...]

  • Page 101

    8-9 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 Chapter 8 Scenario: Site-to-Site VPN Configuration Implementing the Site-to-Site Scenario Configuring IPSec Encryption and Authentication Parameters In Step 4 of the VPN Wizard, perform the following steps: Step 1 Choose the Encryption algorithm (DES/3DES/[...]

  • Page 102

    Chapter 8 Scenario: Site-to-Site VPN Configuration Implementing the Site-to-Site Scenario 8-10 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 Specifying Hosts and Networks Identify hosts and networks at the local site that are permitted to use this IPSec tunnel to communicate with the remote-site peer. Ad[...]

  • Page 103

    8-11 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 Chapter 8 Scenario: Site-to-Site VPN Configuration Implementing the Site-to-Site Scenario Step 5 Click Next to continue. Viewing VPN Attributes and Completing the Wizard In Step 6 of the VPN Wizard, review the configuration list for the VPN tunnel you ju[...]

  • Page 104

    Chapter 8 Scenario: Site-to-Site VPN Configuration Implementing the Site-to-Site Scenario 8-12 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 If you want the configuration changes to be saved to the startup configuration so that they are applied the next time the device starts, from the File menu, click S[...]

  • Page 105

    8-13 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 Chapter 8 Scenario: Site-to-Site VPN Configuration Configuring the Other Side of the VPN Connection Configuring the Other Side of the VPN Connection You have just configured the local adaptive security appliance. Now you need to configure the adaptiv[...]

  • Page 106

    Chapter 8 Scenario: Site-to-Site VPN Configuration What to Do Next 8-14 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 You can configure the adaptive security appliance for more than one application. The following sections provide configuration procedures for other common applications of the adaptive[...]

  • Page 107

    CHAPTER 9-1 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 9 Configuring the AIP SSM The optional AIP SSM runs advanced IPS software that provides further security inspection either in inline mode or promiscuous mode. The adaptive security appliance diverts packets to the AIP SSM just before the pack[...]

  • Page 108

    Chapter 9 Configuring the AIP SSM AIP SSM Configuration 9-2 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 This section includes the following topics: • Overview of Configuration Process, page 9-2 • Configuring the ASA 5500 to Divert Traffic to the AIP SSM, page 9-2 • Sessioning to the AIP SSM and Ru[...]

  • Page 109

    9-3 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 Chapter 9 Configuring the AIP SSM AIP SSM Configuration To identify traffic to divert from the adaptive security appliance to the AIP SSM, perform the following steps: Step 1 Create an access list that matches all traffic: hostname(config)# access-list[...]

  • Page 110

    Chapter 9 Configuring the AIP SSM AIP SSM Configuration 9-4 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 The inline and promiscuous keywords control the operating mode of the AIP SSM. The fail-close and fail-open keywords control how the adaptive security appliance treats traffic when the AIP SSM is una [...]

  • Page 111

    9-5 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 Chapter 9 Configuring the AIP SSM AIP SSM Configuration Sessioning to the AIP SSM and Running Setup After you have completed configuration of the ASA 5500 series adaptive security appliance to divert traffic to the AIP SSM, session to the AIP SSM and run [...]

  • Page 112

    Chapter 9 Configuring the AIP SSM AIP SSM Configuration 9-6 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 this product you agree to comply with applicable laws and regulations. If you are unable to comply with U.S. and local laws, return this product immediately. A summary of U.S. laws governing Cisco cryptogr[...]

  • Page 113

    9-7 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 Chapter 9 Configuring the AIP SSM What to Do Next What to Do Next You are now ready to configure the adaptive security appliance for intrusion prevention. Use the following documents to continue configuring the adaptive security appliance for your imp[...]

  • Page 114

    Chapter 9 Configuring the AIP SSM What to Do Next 9-8 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 You can configure the adaptive security appliance for more than one application. The following sections provide configuration procedures for other common applications of the adaptive security appliance.[...]

  • Page 115

    CHAPTER 10-1 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 10 Configuring the CSC SSM The ASA 5500 series adaptive security appliance supports the CSC SSM, which runs Content Security and Control software. The CSC SSM provides protection against viruses, spyware, spam, and other unwanted traffic. It a[...]

  • Page 116

    Chapter 10 Configuring the CSC SSM About Deploying the Security Appliance with the CSC SSM 10-2 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 In addition to obtaining content profiles from Trend Micro, system administrators can also customize the configuration so that the CSC SSM scans for additional traf[...]

  • Page 117

    10-3 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 Chapter 10 Configuring the CSC SSM About Deploying the Security Appliance with the CSC SSM Figure 10-1 CSC SSM Traffic Flow In this example, clients could be network users who are accessing a website, downloading files from an FTP server, or retriev[...]

  • Page 118

    Chapter 10 Configuring the CSC SSM Scenario: Security Appliance with CSC SSM Deployed for Content Security 10-4 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 Note The CSC SSM handles SMTP traffic somewhat differently than other content types. After the CSC SSM receives SMTP traffic and scans it, it doe[...]

  • Page 119

    10-5 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 Chapter 10 Configuring the CSC SSM Scenario: Security Appliance with CSC SSM Deployed for Content Security In this scenario, the customer has deployed an adaptive security appliance with a CSC SSM for content security. Of particular interest are the follo [...]

  • Page 120

    Chapter 10 Configuring the CSC SSM Scenario: Security Appliance with CSC SSM Deployed for Content Security 10-6 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 If you followed the procedures in earlier chapters of this document, at this point you have an ASA system running with licensed software, and you [...]

  • Page 121

    10-7 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 Chapter 10 Configuring the CSC SSM Scenario: Security Appliance with CSC SSM Deployed for Content Security Note The SSM management port IP address must be accessible by the hosts used to run ASDM. The IP addresses for the SSM management port and the adapti [...]

  • Page 122

    Chapter 10 Configuring the CSC SSM Scenario: Security Appliance with CSC SSM Deployed for Content Security 10-8 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 Step 4 Click Yes to accept the certificates. Click Yes for all subsequent authentication and certificate dialog boxes. The ASDM Main window appear[...]

  • Page 123

    10-9 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 Chapter 10 Configuring the CSC SSM Scenario: Security Appliance with CSC SSM Deployed for Content Security • If you are using NTP to control time settings, verify the NTP configuration. In ASDM, click Configuration > Properties > Device Administrat[...]

  • Page 124

    Chapter 10 Configuring the CSC SSM Scenario: Security Appliance with CSC SSM Deployed for Content Security 10-10 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 Step 4 Click Next. Step 5 In Step 2 of the CSC Wizard, enter the following information: • IP address, netmask and gateway IP address for the CS[...]

  • Page 125

    10-11 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 Chapter 10 Configuring the CSC SSM Scenario: Security Appliance with CSC SSM Deployed for Content Security • Domain name used by the local mail server as the incoming domain. Note Anti-SPAM policies are applied only to email traffic coming into this dom[...]

  • Page 126

    Chapter 10 Configuring the CSC SSM Scenario: Security Appliance with CSC SSM Deployed for Content Security 10-12 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 By default, all networks have management access to the CSC SSM. For security purposes, we recommend that you restrict access to specific subnets[...]

  • Page 127

    10-13 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 Chapter 10 Configuring the CSC SSM Scenario: Security Appliance with CSC SSM Deployed for Content Security Step 11 In Step 5 of the CSC Setup Wizard, enter a new password for management access. Enter the factory default password, “cisco,” in the Old [...]

  • Page 128

    Chapter 10 Configuring the CSC SSM Scenario: Security Appliance with CSC SSM Deployed for Content Security 10-14 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 Step 13 In Step 6 of the CSC Setup Wizard, review configuration settings you just entered for the CSC SSM. If you are satisfied with these setting[...]

  • Page 129

    10-15 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 Chapter 10 Configuring the CSC SSM Scenario: Security Appliance with CSC SSM Deployed for Content Security To simplify the initial configuration process, this procedure creates a global service policy that diverts all traffic for the supported protocol[...]

  • Page 130

    Chapter 10 Configuring the CSC SSM Scenario: Security Appliance with CSC SSM Deployed for Content Security 10-16 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 Step 5 Click Next. The Traffic Classification Criteria page appears. Step 6 In the Traffic Classification Criteria page, click the User class-de[...]

  • Page 131

    10-17 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 Chapter 10 Configuring the CSC SSM Scenario: Security Appliance with CSC SSM Deployed for Content Security Step 8 In the Service Policy Rule Wizard, click the CSC Scan tab. Step 9 On the CSC Scan tab page, check the Enable CSC scan for this traffic flow[...]

  • Page 132

    Chapter 10 Configuring the CSC SSM Scenario: Security Appliance with CSC SSM Deployed for Content Security 10-18 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 Step 10 Click Finish.[...]

  • Page 133

    10-19 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 Chapter 10 Configuring the CSC SSM Scenario: Security Appliance with CSC SSM Deployed for Content Security The new service policy appears in the Service Policy Rules pane. Step 11 Click Apply. By default, the CSC SSM is configured to perform content secu [...]

  • Page 134

    Chapter 10 Configuring the CSC SSM What to Do Next 10-20 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 If included in the license you purchased, you can create custom settings for URL blocking and URL filtering, as well as email and FTP parameters. For more information, see the Cisco Content Security and C[...]

  • Page 135

    10-21 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 Chapter 10 Configuring the CSC SSM What to Do Next After you have configured the CSC SSM software, you may want to consider performing some of the following additional steps: You can configure the adaptive security appliance for more than one applicati[...]

  • Page 136

    Chapter 10 Configuring the CSC SSM What to Do Next 10-22 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01[...]

  • Page 137

    CHAPTER 11-1 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 11 Configuring the 4GE SSM for Fiber The 4GE Security Services Module (SSM) has four Ethernet ports, and each port has two media type options: SFP (Small Form-Factor Pluggable) fiber or RJ 35. You can mix the copper and fiber ports using the s[...]

  • Page 138

    Chapter 11 Configuring the 4GE SSM for Fiber Cabling 4GE SSM Interfaces 11-2 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 Cabling 4GE SSM Interfaces To cable 4GE SSM interfaces, perform the following steps for each port you want to connect to a network device: Step 1 To connect an RJ-45 (Ethernet) interf[...]

  • Page 139

    11-3 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 Chapter 11 Configuring the 4GE SSM for Fiber Setting the 4GE SSM Media Type for Fiber Interfaces (Optional) Figure 11-2 Connecting the LC Connector e. Connect the other end of the LC connector to your network device. After you have attached any SFP p[...]

  • Page 140

    Chapter 11 Configuring the 4GE SSM for Fiber Setting the 4GE SSM Media Type for Fiber Interfaces (Optional) 11-4 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 Note Because the default media type setting is Ethernet, you do not need to change the media type setting for Ethernet interfaces you use. To set th[...]

  • Page 141

    11-5 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 Chapter 11 Configuring the 4GE SSM for Fiber What to Do Next What to Do Next You have completed the initial configuration. You may want to consider performing some of the following additional steps: To Do This ... See ... Refine configuration and con[...]

  • Page 142

    Chapter 11 Configuring the 4GE SSM for Fiber What to Do Next 11-6 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01[...]

  • Page 143

    CHAPTER A-1 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 A Obtaining a DES License or a 3DES-AES License Cisco adaptive security appliances are available either with a DES or 3DES-AES license that provides encryption technology to enable specific features, such as secure remote management (SSH, ASD[...]

  • Page 144

    Chapter A Obtaining a DES License or a 3DES-AES License A-2 Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide 78-17611-01 To use the activation key, perform the following steps: Command Purpose Step 1 hostname# show version Shows the software release, hardware configuration, license key, and related uptime data. Ste[...]