
Cisco ASA 5500 Series Adaptive Security Appliances

Cisco ASA 5500 Series Quick Start Guide, Version 7.0

Table Of Contents

Cisco ASA 5500 Series Adaptive Security Appliance
Quick Start Guide

About the Cisco ASA 5500 Series Adaptive Security Appliance

About This Document

Verifying the Package Contents

Installing the Cisco ASA 5500 Series Adaptive Security Appliance

Rack Mounting the Chassis

Connecting the Interface Cables

Configuring the Cisco ASA 5500 Series Adaptive Security Appliance

About the Factory Default Configuration

About the Adaptive Security Device Manager

About Configuration from the Command-Line Interface

Using the Startup Wizard

Common Configuration Scenarios

Scenario 1: DMZ Configuration

Step 1: Configure IP Pools for Network Translations.

Step 2: Configure Address Translations on Private Networks.

Step 3: Configure External Identity for the DMZ Web Server.

Step 4: Provide HTTP Access to the DMZ Web Server.

Scenario 2: Remote Access VPN

Step 1: Configure the adaptive security appliance for remote access VPN.

Step 2: Select VPN clients.

Step 3: Specify the VPN tunnel group name and authentication method.

Step 4: Specify a user authentication method.

Step 5: Configure user accounts, if necessary.

Step 6: Configure address pools.

Step 7: Configure client attributes.

Step 8: Configure the IKE Policy.

Step 9: Configure IPSec Encryption and Authentication parameters.

Step 10: Address translation exception and split tunneling.

Step 11: Verify the remote access VPN configuration.

Scenario 3: Site-to-Site VPN Configuration

ASDM provides a configuration wizard to guide you through the process of configuring a site-to-site VPN.

Step 1: Configure the adaptive security appliance at the first site.

Step 2: Provide information about the VPN peer.

Step 3: Configure the IKE Policy.

Step 4: Configure IPSec Encryption and Authentication parameters.

Step 5: Specify Local Hosts and Networks.

Step 6: Specify Remote Hosts and Networks.

Step 7: View VPN Attributes and Complete Wizard.

What to Do Next

Optional SSM Setup and Configuration Procedures

4GE SSM Procedures

Step 1: Cabling 4GE SSM Interfaces

Step 2: (Optional) Setting the 4GE SSM Media Type for Fiber Interfaces

AIP SSM Procedures

Step 1: Cabling the AIP SSM Management Interface

Step 2: Configuring the ASA 5500 to Divert Traffic to the AIP SSM

Step 3: Sessioning to the AIP SSM and Running Setup

What to Do Next

Optional Maintenance and Upgrade Procedures

Obtaining DES and 3DES/AES Encryption Licenses

Restoring the Default Configuration

Checking the LEDs

Obtaining Documentation

Cisco.com

Documentation DVD

Ordering Documentation

Documentation Feedback

Cisco Product Security Overview

Reporting Security Problems in Cisco Products

Obtaining Technical Assistance

Cisco Technical Support Website

Submitting a Service Request

Definitions of Service Request Severity

Obtaining Additional Publications and Information



Cisco ASA 5500 Series Adaptive Security Appliance
Quick Start Guide


About the Cisco ASA 5500 Series Adaptive Security Appliance

The Cisco ASA 5500 series adaptive security appliance family delivers enterprise-class security for medium business-to-enterprise networks in a modular, purpose-built appliance. Its versatile one-rack unit (1RU) design supports up to eight 10/100/1000 Gigabit Ethernet interfaces (on the 5520 and 5540) and one 10/100 Fast Ethernet Management interface, making it an excellent choice for businesses requiring a cost-effective, resilient security solution with demilitarized zone (DMZ) support. The optional 4GE SSM provides four ports, each with two interfaces: copper RJ-45 (Ethernet) and SFP for optical fiber connections. Part of the market-leading Cisco adaptive security appliance series, the Cisco ASA 5500 provides a wide range of integrated security services, hardware VPN acceleration, full intrusion prevention, award-winning high availability, and powerful remote management capabilities in an easy-to-deploy, high-performance solution.

About This Document

This document describes how to install and configure the Cisco ASA 5510, 5520, and 5540 adaptive security appliance to be used in VPN, DMZ, remote-access, and intrusion protection deployments.

When you have completed the procedures outlined in this document, the adaptive security appliance will be running a robust VPN, DMZ, or remote-access configuration appropriate for most deployments. The document provides only enough information to get the adaptive security appliance up and running with a basic configuration.

For more information, see the following documentation:

Cisco ASA 5500 Series Release Notes

Cisco ASA 5500 Series Hardware Installation Guide

Cisco Security Appliance Command Line Configuration Guide

Cisco Security Appliance Command Reference

Cisco Security Appliance Logging Configuration and System Log Messages

1 Verifying the Package Contents

Verify the contents of the packing box to ensure that you have received all items necessary to install your Cisco ASA 5500 series adaptive security appliance.

2 Installing the Cisco ASA 5500 Series Adaptive Security Appliance


Warning This warning symbol means danger. You are in a situation that could cause bodily injury. Before you work on any equipment, be aware of the hazards involved with electrical circuitry and be familiar with standard practices for preventing accidents. Use the statement number provided at the end of each warning to locate its translation in the translated safety warnings that accompanied this device. Statement 1071



Caution Be sure to read the safety warnings in the Regulatory Compliance and Safety Information for the Cisco ASA 5500 Series and follow proper safety procedures when performing these steps.

Warning To prevent bodily injury when mounting or servicing this unit in a rack, you must take special precautions to ensure that the system remains stable. The following guidelines are provided to ensure your safety:

This unit should be mounted at the bottom of the rack if it is the only unit in the rack.

When mounting this unit in a partially filled rack, load the rack from the bottom to the top with the heaviest component at the bottom of the rack.

If the rack is provided with stabilizing devices, install the stabilizers before mounting or servicing the unit in the rack. Statement 1006


Use the following guidelines when installing the adaptive security appliance in a rack:

Allow clearance around the rack for maintenance.

When mounting a device in an enclosed rack, ensure adequate ventilation. An enclosed rack should never be overcrowded. Each unit generates heat.

When mounting a device in an open rack, make sure that the rack frame does not block the intake or exhaust ports.


Warning Before performing any of the following procedures, ensure that power is removed from the DC circuit. To ensure that all power is OFF, locate the circuit breaker on the panel board that services the DC circuit, switch the circuit breaker to the OFF position, and tape the switch handle of the circuit breaker in the OFF position. Statement 7


Rack Mounting the Chassis

To rack mount the chassis, perform the following steps:


Step 1 Attach the rack-mount brackets to the chassis by using the supplied screws. Attach the brackets to the holes near the front or at the rear of the chassis. (See Figure 1.)

Figure 1 Installing the Brackets

Step 2 Attach the chassis to the rack by using the supplied screws. (See Figure 2.)

Figure 2 Rack Mounting the Chassis


Connecting the Interface Cables

To connect the interface cables, perform the following steps:


Step 1 Connect a computer or terminal to the adaptive security appliance for management access.


Note Before connecting a computer or terminal to the Console port, check the baud rate. The baud rate must match the default baud rate (9600 baud) of the console port on the adaptive security appliance. Set up the computer or terminal as follows: 9600 baud (default), 8 data bits, no parity, 1 stop bit, and FC=hardware.


Step 2 Locate the blue console cable from the accessory kit. The console cable has an RJ-45 connector on one end and a DB-9 connector on the other.

Step 3 Connect the RJ-45 connector of the blue console cable to the Console port on the rear panel of the adaptive security appliance. (See Figure 3.)

Step 4 Connect the DB-9 connector of the blue cable to the serial port on your computer or terminal.

Figure 3 Connecting the Chassis Console Cable (1: RJ-45 console port; 2: RJ-45 to DB-9 serial console cable, null modem)



Note Alternatively, for management purposes, you can also connect an Ethernet cable to the adaptive security appliance MGMT port. The MGMT port is a Fast Ethernet interface designed for management traffic only and is specified as Management0/0. The MGMT port is similar to the Console port, but the MGMT port accepts only incoming traffic.


Step 5 Locate the yellow Ethernet cable in the accessory kit.

Step 6 Attach one end of the Ethernet cable to an Ethernet port and the other end to a network device, such as a router, switch, or hub.

Step 7 Attach the power cord to the adaptive security appliance and the power source.

Step 8 Power on the chassis.


3 Configuring the Cisco ASA 5500 Series Adaptive Security Appliance

This section describes the initial configuration of the adaptive security appliance. You can perform the configuration steps using either the browser-based Cisco Adaptive Security Device Manager (ASDM) or the command-line interface (CLI).


Note To use ASDM, you must have a DES license or a 3DES-AES license. For more information, see Obtaining DES and 3DES/AES Encryption Licenses.


About the Factory Default Configuration

Cisco adaptive security appliances are shipped with a factory-default configuration that enables quick startup. This configuration meets the needs of most small and medium business networking environments. By default, the adaptive security appliance is configured as follows:

The inside (GigabitEthernet0/1) interface is configured with a default DHCP address pool.

This configuration enables a client on the inside network to obtain a DHCP address from the adaptive security appliance in order to connect to the appliance. Administrators can then configure and manage the adaptive security appliance using ASDM.

The outside (GigabitEthernet0/0) interface is used to connect to the public network and is configured to deny all inbound traffic.

This configuration protects your inside network from unsolicited traffic.

Based on your network security policy, you should also consider configuring the adaptive security appliance to deny all ICMP traffic on the outside interface, or on any other interface where this is necessary. You can configure this access control policy using the icmp command. For more information about the icmp command, see the Cisco Security Appliance Command Reference.

About the Adaptive Security Device Manager

The Adaptive Security Device Manager (ASDM) is a feature-rich graphical interface that enables you to manage and monitor the adaptive security appliance. Its web-based design provides secure access so that you can connect to and manage the adaptive security appliance from any location by using a web browser.

In addition to complete configuration and management capability, ASDM features intelligent wizards to simplify and accelerate the deployment of the adaptive security appliance.

To use ASDM, you must have a DES license or a 3DES-AES license. In addition, Java and JavaScript must be enabled in your web browser.

About Configuration from the Command-Line Interface

In addition to the ASDM web configuration tool, you can configure the adaptive security appliance by using the command-line interface. For more information, see the Cisco Security Appliance Command Line Configuration Guide and the Cisco Security Appliance Command Reference.

Using the Startup Wizard

ASDM includes a Startup Wizard to simplify the initial configuration of your adaptive security appliance. With a few steps, the Startup Wizard enables you to configure the adaptive security appliance so that it allows packets to flow securely between the inside network (GigabitEthernet0/1) and the outside network (GigabitEthernet0/0).

Before you launch the Startup Wizard, gather the following information:

A unique hostname to identify the adaptive security appliance on your network.

The IP addresses of your outside interface, inside interface, and any other interfaces.

The IP addresses to use for NAT or PAT configuration.

The IP address range for the DHCP server.

To use the Startup Wizard to set up a basic configuration for the adaptive security appliance, perform the following steps:


Step 1 If you have not already done so, connect the MGMT interface to a switch or hub by using the Ethernet cable. To this same switch, connect a PC for configuring the adaptive security appliance.

Step 2 Configure your PC to use DHCP (to receive an IP address automatically from the adaptive security appliance), or assign a static IP address to your PC by selecting an address out of the 192.168.1.0 network. (Valid addresses are 192.168.1.2 through 192.168.1.254, with a mask of 255.255.255.0 and default route of 192.168.1.1.)


Note The MGMT interface of the adaptive security appliance is assigned 192.168.1.1 by default, so this address is unavailable.


Step 3 Check the LINK LED on the MGMT interface.

When a connection is established, the LINK LED interface on the adaptive security appliance and the corresponding LINK LED on the switch or hub turn solid green.

Step 4 Launch the Startup Wizard.

a. On the PC connected to the switch or hub, launch an Internet browser.

b. In the address field of the browser, enter this URL: https://192.168.1.1/.


Note The adaptive security appliance ships with a default IP address of 192.168.1.1. Remember to add the "s" in "https" or the connection fails. HTTPS (HTTP over SSL) provides a secure connection between your browser and the adaptive security appliance.


Step 5 In the dialog box that requires a username and password, leave both fields empty. Press Enter.

Step 6 Click Yes to accept the certificates. Click Yes for all subsequent authentication and certificate dialog boxes.

ASDM starts.

Step 7 From the Wizards menu at the top of the ASDM window, choose Startup Wizard.

Step 8 Follow the instructions in the Startup Wizard to set up your adaptive security appliance. For information about any field in the Startup Wizard, click Help at the bottom of the window.
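The Startup Wizard writes the equivalent of the following command-line configuration. This listing is an added example and is not output from ASDM or from Cisco's documentation; it uses the guide's default management address (192.168.1.1) and DHCP range, the outside address 209.165.200.225/27 and the 10.10.10.0 inside network from the scenarios below, and assumes the hostname, domain name, inside interface address 10.10.10.1 and ISP gateway 209.165.200.254. Comment lines beginning with "!" are explanatory and are not part of the configuration.

```cisco
! Hostname and domain name entered in the Startup Wizard (assumed values)
hostname asa5520-edge
domain-name example.com
! The factory default enable password is empty; set one before the appliance
! is reachable from anything other than the console.
enable password <replace-with-enable-password>
!
! Outside interface: public address from the DMZ scenario, security level 0
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 209.165.200.225 255.255.255.224
 no shutdown
!
! Inside interface: 10.10.10.0/24 network of the scenarios; .1 is assumed
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
 no shutdown
!
! Management interface keeps the guide's default 192.168.1.1 and carries
! management traffic only (management-only is the default on this port)
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
 no shutdown
!
! Default route toward the ISP (gateway address assumed)
route outside 0.0.0.0 0.0.0.0 209.165.200.254 1
!
! DHCP for the PC that runs ASDM, using the range quoted in Step 2
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
! ASDM runs over HTTPS; restrict it to the management network so the
! https://192.168.1.1/ login is not reachable from other interfaces
http server enable
http 192.168.1.0 255.255.255.0 management
!
! Basic PAT so inside hosts reach the Internet behind the outside address
global (outside) 1 interface
nat (inside) 1 10.10.10.0 255.255.255.0
!
! Save to startup configuration
write memory
```

After pasting this from the console, show running-config displays what ASDM would have generated, and show interface confirms that each interface is up; the http command line is the one to check if ASDM is reachable from an interface it should not be.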


4 Common Configuration Scenarios

This section provides configuration examples for three common deployments of the adaptive security appliance:

Hosting a web server on a DMZ network

Establishing remote-access VPN connections so that off-site clients can establish secure communications with the internal network

Establishing a site-to-site VPN connection with other business partners or remote offices

Use these scenarios as a guide when you set up your network. Substitute your own network addresses and apply additional policies as needed.

Scenario 1: DMZ Configuration

A demilitarized zone (DMZ) is a separate network located in the neutral zone between a private (inside) network and a public (outside) network. This example network topology is similar to most DMZ implementations of the adaptive security appliance. The web server is on the DMZ interface, and HTTP clients from both the inside and outside networks can access the web server securely.

In Figure 4, an HTTP client (10.10.10.10) on the inside network initiates HTTP communications with the DMZ web server (10.30.30.30). HTTP access to the DMZ web server is provided for all clients on the Internet; all other communications are denied. The network is configured to use an IP pool of addresses between 10.30.30.50 and 10.30.30.60. (The IP pool is the range of IP addresses available to the DMZ interface.)

Figure 4 Network Layout for DMZ Configuration Scenario

Because the DMZ web server is located on a private DMZ network, it is necessary to translate its private IP address to a public (routable) IP address. This public address allows external clients to access the DMZ web server in the same way that they access any server on the Internet.

The DMZ configuration scenario shown in Figure 4 provides two routable IP addresses that are publicly available: one for the outside interface (209.165.200.225) of the adaptive security appliance, and one for the public IP address of the DMZ web server (209.165.200.226). The following procedure describes how to use ASDM to configure the adaptive security appliance for secure communications between HTTP clients and the web server.

In this DMZ scenario, the adaptive security appliance already has an outside interface configured. Use the Startup Wizard to set up the interface for your DMZ, called dmz, and ensure that its security level is set between 0 and 100. (A common choice is 50.)

Information to Have Available

Before you begin this configuration procedure, gather the following information:

Internal IP addresses of the servers inside the DMZ that you want to make available to clients on the public network (in this scenario, a web server).

External IP addresses to be used for servers inside the DMZ. (Clients on the public network will use the external IP address to access the server inside the DMZ.)

Client IP address to substitute for internal IP addresses in outgoing traffic. (Outgoing client traffic will appear to come from this address so that the internal IP address is not exposed.)

Step 1: Configure IP Pools for Network Translations.

For an inside HTTP client (10.10.10.10) to access the web server on the DMZ network (10.30.30.30), it is necessary to define a pool of IP addresses (10.30.30.50-10.30.30.60) for the DMZ interface. Similarly, an IP pool for the outside interface (209.165.200.225) is required for the inside HTTP client to communicate with any device on the public network. Use ASDM to manage IP pools efficiently and to facilitate secure communications between protected network clients and devices on the Internet.

1. Launch ASDM by entering this factory default IP address in the address field of a web browser: https://192.168.1.1/admin/.


Note Remember to add the "s" in "https" or the connection fails. HTTPS (HTTP over SSL) provides a secure connection between your browser and the adaptive security appliance.


2. Click Configuration at the top of the ASDM window.

3. Choose the NAT feature on the left side of the ASDM window.

4. Click Manage Pools at the bottom of the ASDM window. The Manage Global Address Pools dialog box appears, allowing you to add or edit global address pools.


Note For most configurations, global pools are added to the less secure, or public, interfaces.


5. In the Manage Global Address Pools dialog box:

a. Choose the dmz interface (configured using the Startup Wizard before beginning this procedure).

b. Click Add. The Add Global Pool Item dialog box appears.

6. In the Add Global Pool Item dialog box:

a. Choose dmz from the Interface drop-down menu.

b. Click Range to enter the IP address range.

c. Enter the range of IP addresses for the DMZ interface. In this scenario, the range is 209.165.200.230 to 209.165.200.240.

d. Enter a unique Pool ID. In this scenario, the Pool ID is 200.

e. Click OK to return to the Manage Global Address Pools dialog box.


Note If only a limited number of IP addresses is available for the DMZ interface, you can instead choose Port Address Translation (PAT), or Port Address Translation (PAT) using the IP address of the interface.


7. In the Manage Global Address Pools dialog box:

a. Choose the outside interface.

b. Click Add.

8. When the Add Global Pool Item dialog box appears:

a. Choose outside from the Interface drop-down menu.

b. Click Port Address Translation (PAT) using the IP address of the interface.

c. Assign the same Pool ID for this pool as you did in Step 6d. (For this scenario, the Pool ID is 200.)

d. Click OK. The displayed configuration should be similar to the following:

9. Confirm that the configuration values are correct, then:

a. Click OK.

b. Click Apply in the main ASDM window.


Note Because there are only two public IP addresses available, with one reserved for the DMZ server, all traffic initiated by the inside HTTP client exits the adaptive security appliance using the outside interface IP address. This configuration allows traffic from the inside client to be routed to and from the Internet.


Step 2: Configure Address Translations on Private Networks.

Network Address Translation (NAT) replaces the source IP addresses of network traffic exchanged between two interfaces on the adaptive security appliance. This translation permits routing through the public networks while preventing internal IP addresses from being exposed on the public networks.

Port Address Translation (PAT) is an extension of the NAT function that allows several hosts on a private network to map into a single IP address on the public network. PAT is essential for small and medium businesses that have a limited number of public IP addresses available to them.

To configure NAT between the inside interface and the DMZ interface for the inside HTTP client, perform the following steps starting from the main ASDM page:

1. Click Configuration at the top of the ASDM window.

2. Choose the NAT feature on the left side of the ASDM window.

3. Click Translation Rules, and then click Add at the right side of the ASDM page.

4. In the Add Address Translation Rule dialog box, make sure that Use NAT is selected, and then choose the inside interface.

5. Enter the IP address of the inside client. In this scenario, the IP address is 10.10.10.10.

6. Choose 255.255.255.224 from the Mask drop-down menu.

7. Select the DMZ interface from the Translate Address on Interface drop-down menu.

8. Click Dynamic in the Translate Address To section.

9. Choose 200 from the Address Pools drop-down menu for the Pool ID.

10. Click OK.

11. A dialog box appears asking if you want to proceed. Click Proceed.

12. On the NAT Translation Rules page, check the displayed configuration for accuracy.

13. Click Apply to complete the adaptive security appliance configuration changes.

The displayed configuration should be similar to the following:

Step 3: Configure External Identity for the DMZ Web Server.

The DMZ web server needs to be easily accessible by all hosts on the Internet. This configuration requires translating the web server's IP address so that it appears to be located on the Internet, so that outside HTTP clients can access it without being aware of the adaptive security appliance. Complete the following steps to map the web server IP address (10.30.30.30) statically to a public IP address (209.165.200.225):

1. Click Configuration at the top of the ASDM window.

2. Choose the NAT feature on the left side of the ASDM window.

3. Click Translation Rules, then click Add at the right side of the page.

4. Choose the outside dmz interface from the drop-down list of interfaces.

5. Enter the IP address (10.30.30.30) for the web server.

6. Choose 255.255.255.224 from the Mask drop-down menu, then click Static.

7. Enter the external IP address (209.165.200.226) for the web server. Then click OK.

8. Verify the values that you entered, then click Apply.

The displayed configuration should be similar to the following:

Step 4: Provide HTTP Access to the DMZ Web Server.

By default, the adaptive security appliance denies all traffic coming in from the public network. You must create access control rules on the adaptive security appliance to allow specific traffic types from the public network through the adaptive security appliance to resources in the DMZ.

To configure an access control rule that allows HTTP traffic through the adaptive security appliance so that any client on the Internet can access a web server inside the DMZ, perform the following steps:

1. In the ASDM window:

a. Click Configuration.

b. Choose Security Policy on the left side of the ASDM screen.

c. In the table, click Add.

2. In the Add Access Rule dialog box:

a. Under Action, choose permit from the drop-down menu to allow traffic through the adaptive security appliance.

b. Under Source Host/Network, click IP Address.

c. Choose outside from the Interface drop-down menu.

d. Enter the IP address of the Source Host/Network information. (Use 0.0.0.0 to allow traffic originating from any host or network.)

e. Under Destination Host/Network, click IP Address.

f. Choose the dmz interface from the Interface drop-down menu.

g. In the IP address field, enter the IP address of the destination host or network, such as a web server. (In this scenario, the IP address of the web server is 10.30.30.30.)

h. Choose 255.255.255.224 from the Mask drop-down menu.


Note Alternatively, you can select the Hosts/Networks in both cases by clicking the respective Browse buttons.


3. Specify the type of traffic that you want to permit.


Note HTTP traffic is always directed from any TCP source port number toward a fixed destination TCP port number 80.


a. Click TCP under Protocol and Service.

b. Under Source Port, choose "=" (equal to) from the Service drop-down menu.

c. Click the button labeled with ellipses (...), scroll through the options, and then choose Any.

d. Under Destination Port, choose "=" (equal to) from the Service drop-down menu.

e. Click the button labeled with ellipses (...), scroll through the options, and then select HTTP.

f. Click OK.


Note For additional features, such as logging system messages by ACL, click More Options at the top of the screen. You can provide a name for the access rule in the dialog box at the bottom.


g. Verify that the information you entered is accurate, and then click OK.


Note Although the destination address specified is the private address of the DMZ web server (10.30.30.30), HTTP traffic from any host on the Internet destined for 209.165.200.225 is permitted through the adaptive security appliance. The address translation (10.30.30.30 = 209.165.200.225) allows the traffic to be permitted.


h. Click Apply in the main window.

The displayed configuration should be similar to the following:

The HTTP clients on the private and public networks can now access the DMZ web server securely.
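For reference, the four DMZ steps above, together with the ICMP policy mentioned under "About the Factory Default Configuration", correspond to the following command-line configuration. This listing is an added example, not ASDM output or Cisco's own text; it uses the addresses and Pool ID from the steps (DMZ global range 209.165.200.230 to 209.165.200.240 as entered in Step 1, item 6c; web server 10.30.30.30 mapped to 209.165.200.226) and assumes that the dmz interface is GigabitEthernet0/2 with address 10.30.30.1/24 and that the access list is named outside_access_in. Comment lines beginning with "!" are explanatory only.

```cisco
! The dmz interface set up with the Startup Wizard (slot and address assumed)
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 10.30.30.1 255.255.255.0
 no shutdown
!
! Step 1: global pools sharing Pool ID 200. Addresses placed in a pool must
! be routable back to the interface the pool is applied to.
global (dmz) 200 209.165.200.230-209.165.200.240
global (outside) 200 interface
!
! Step 2: dynamic NAT for the inside client, with the mask chosen in the
! ASDM dialog (the rule therefore covers the 10.10.10.0/27 block)
nat (inside) 200 10.10.10.10 255.255.255.224
!
! Step 3: one-to-one static translation giving the web server its public identity
static (dmz,outside) 209.165.200.226 10.30.30.30 netmask 255.255.255.255
!
! Step 4: permit only TCP/80 from any Internet host to the web server.
! In this release an access list applied on the outside interface matches the
! translated (global) address, so the rule names 209.165.200.226 even though the
! ASDM dialog lets you pick the real address 10.30.30.30. Everything else
! inbound on outside stays denied by the implicit deny at the end of the list.
access-list outside_access_in extended permit tcp any host 209.165.200.226 eq www
access-group outside_access_in in interface outside
!
! Deny ICMP to the outside interface itself (see the factory default section)
icmp deny any outside
```

Two checks are worth running after applying this: show xlate should list the static entry for 10.30.30.30 before any client traffic, and show access-list outside_access_in shows a hit count on the single permit line once an outside client has fetched a page, which confirms that the translation and the access rule are paired correctly.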

Scenario 2: Remote Access VPN

A remote-access Virtual Private Network (VPN) enables you to provide secure access to off-site users. ASDM enables you to configure the adaptive security appliance to create secure connections, or tunnels, across the Internet.

Figure 5 shows an adaptive security appliance configured to accept requests from and establish secure connections with VPN clients over the Internet.

Figure 5 Network Layout for Remote Access VPN Scenario

The ASDM VPN Wizard enables you to configure the adaptive security appliance as a remote access VPN headend device in a series of simple steps.

Step 1: Configure the adaptive security appliance for remote access VPN.

1. Launch ASDM by entering the factory default IP address in the address field of a web browser: https://192.168.1.1/admin/.

2. In the main ASDM page, choose the VPN Wizard option from the Wizards drop-down menu. The VPN Wizard Step 1 window appears.

3. In Step 1 of the VPN Wizard, complete the following steps:

a. Select the Remote Access VPN option.

b. From the drop-down menu, choose outside as the enabled interface for the incoming VPN tunnels.

c. Click Next to continue.

Step 2: Select VPN clients.

1. In Step 2 of the VPN Wizard, click the radio button to allow remote access users to connect to the adaptive security appliance using either a Cisco VPN client or any other Easy VPN Remote products.


Note Although there is currently only one selection on this screen, it is set up so that other tunnel types can be enabled easily as they become available.


2. Click Next to continue.

Step 3: Specify the VPN tunnel group name and authentication method.

In Step 3 of the VPN Wizard, complete the following steps:

1. Enter a Tunnel Group Name (such as "CiscoASA") for the set of users that use common connection parameters and client attributes.

2. Specify the type of authentication that you want to use by performing one of the following steps:

To use static pre-shared keys for authentication, click Pre-Shared Key, and enter a key (such as "CisCo").

To use digital certificates for authentication, click Certificate, choose the Certificate Signing Algorithm (rsa-sig/dsa-sig) from the drop-down menu, and then choose a pre-configured trustpoint name from the drop-down menu.

3. Click Next to continue.

Step 4: Specify a user authentication method.

Users can be authenticated either by a local authentication database or by using external authentication, authorization, and accounting (AAA) servers (RADIUS, TACACS+, SDI, NT, and Kerberos).

In Step 4 of the VPN Wizard, complete the following steps:

1. Click the appropriate radio button to specify the type of user authentication that you want to use:

A local authentication database

An external AAA server group

2. Select a preconfigured server group from the drop-down list, or click New to add a new server group.

3. Click Next to continue.

Step 5: Configure user accounts, if necessary.

If you chose to authenticate users with a local user database, create individual user accounts in Step 5 of the VPN Wizard.

1. To add a new user, enter a username and password, then click Add.

2. When you have finished adding new users, click Next to continue.

Step 6: Configure address pools.

For remote clients to gain access to your network, it is necessary to configure a pool of IP addresses that can be assigned to remote VPN clients as they are successfully connected. In this scenario, the pool is configured to use the range of IP addresses 209.165.201.1 to 209.166.201.20.

To configure an address pool, perform the following steps:

1. Enter a pool name, or choose a pre-configured pool from the drop-down list.

2. Enter the start of the range of IP addresses to be used in the pool.

3. Enter the end of the range of IP addresses to be used in the pool.

4. Enter the subnet mask, or select a pre-configured value from the drop-down list.

5. Click Next to continue.

Step 7: Configure client attributes.

To access your network, each remote access client needs basic network configuration information, such as which DNS and WINS servers to use and the default domain name. Rather than configuring each remote client individually, you can provide the client information to ASDM. The adaptive security appliance pushes this information to the remote client when a connection is established.

Ensure that you specify the correct values, or remote clients will not be able to use DNS names for resolution or use Windows networking.

In Step 7 of the VPN Wizard, perform the following steps:

1. Enter the network configuration information to be used by remote clients.

2. Click Next to continue.

Step 8: Configure the IKE Policy.

IKE is the negotiation protocol that agrees on an encryption method, to protect the data and ensure privacy, and on an authentication method, to verify the identity of the peers. In most cases, the ASDM default values are sufficient to establish secure VPN tunnels.

To specify the IKE policy, perform the following steps:

1. Select the Encryption (DES/3DES/AES), authentication algorithms (MD5/SHA), and the Diffie-Hellman group (1/2/5/7) used by the adaptive security appliance during an IKE security association.

2. Click Next to continue.

Step 9: Configure IPSec Encryption and Authentication parameters.

1. Choose the Encryption algorithm (DES/3DES/AES) and authentication algorithm (MD5/SHA).

2. Click Next to continue.

Step 10: Address translation exception and split tunneling.

The adaptive security appliance uses Network Address Translation (NAT) to prevent internal IP addresses from being exposed externally. You can make exceptions to this network protection by identifying local hosts and networks that should be exposed to authenticated remote users. Specify the resources to be exposed by host or network IP address, by name, or by group. (In this scenario, the entire inside network 10.10.10.0 is exposed to all remote clients.)

In Step 10 of the VPN Wizard, add or remove hosts, groups, and networks dynamically from the Selected panel.

1. Click Add or Delete, as appropriate.


Note Enable split tunneling by checking the radio button at the bottom of the screen. Split tunneling allows traffic outside the configured networks to be sent out directly to the Internet instead of over the encrypted VPN tunnel.


2. When you have finished specifying resources to expose to remote clients, click Next to continue.

Step 11: Verify the remote access VPN configuration.

Review the configuration attributes for the VPN tunnel you just created. The displayed configuration should be similar to the following:

If you are satisfied with the configuration, click Finish to complete the Wizard and apply the configuration changes to the adaptive security appliance.

Scenario 3: Site-to-Site VPN Configuration

Site-to-site VPN (Virtual Private Networking) features provided by the adaptive security appliance enable businesses to extend their networks across low-cost public Internet connections to business partners and remote offices worldwide while maintaining their network security. A VPN connection enables you to send data from one location to another over a secure connection, or "tunnel," first by authenticating both ends of the connection, and then by automatically encrypting all data sent between the two sites.

Figure 6 shows an example VPN tunnel between two adaptive security appliances.

Figure 6 Network Layout for Site-to-Site VPN Configuration Scenario

Creating a VPN site-to-site deployment such as the one in Figure 6 requires you to configure two adaptive security appliances, one on each side of the connection.

ASDM provides a configuration wizard to guide you through the process of configuring a site-to-site VPN.

Step 1: Configure the adaptive security appliance at the first site.

Configure the adaptive security appliance at the first site, which in this scenario is ASA security appliance 1, from this point forward referred to as ASA 1.

1. Launch ASDM by entering the factory default IP address in the address field of a web browser: https://192.168.1.1/admin/.

2. In the main ASDM page, choose the VPN Wizard option from the Wizards drop-down menu. ASDM opens the first VPN Wizard page.

In the first page of the VPN Wizard, complete the following steps:

a. Choose the Site-to-Site VPN option.


Note The Site-to-Site VPN option connects two IPSec security gateways, which can include adaptive security appliances, VPN concentrators, or other devices that support site-to-site IPSec connectivity.


b. From the drop-down menu, choose outside as the enabled interface for the current VPN tunnel.

c. Click Next to continue.

Step 2: Provide information about the VPN peer.

The VPN peer is the system on the other end of the connection that you are configuring, usually at a remote site.

On page 2 of the VPN Wizard, provide information about the remote VPN peer. In this scenario, the remote VPN peer is ASA security appliance 2, from this point forward referred to as ASA 2. Perform the following steps:

1. Enter the Peer IP Address (ASA 2) and a Tunnel Group Name.

2. Specify the type of authentication that you want to use by performing one of the following steps:

To use a pre-shared key for authentication (for example, "CisCo"), click the Pre-Shared Key radio button, and enter a pre-shared key, which is shared for IPSec negotiations between both adaptive security appliances.


Note When you configure the ASA 2 at the remote site, the VPN peer is ASA 1. Be sure to enter the same Pre-shared Key (CisCo) that you use here.


To use digital certificates for authentication instead, click the Certificate radio button, and then choose a Trustpoint Name from the drop-down menu.

3. Click Next to continue.

Step 3: Configure the IKE Policy.

IKE is a negotiation protocol that includes an encryption method to protect data and ensure privacy, and an authentication method to verify the identity of the peers. In most cases, the ASDM default values are sufficient to establish secure VPN tunnels between two peers.

To specify the IKE policy, perform the following steps:

1. Select the Encryption (DES/3DES/AES), authentication algorithms (MD5/SHA), and the Diffie-Hellman group (1/2/5) used by the adaptive security appliance during an IKE security association.


Note When configuring ASA 2, enter the exact values for each of the options that you chose for ASA 1. Encryption mismatches are a common cause of VPN tunnel failures and can slow down the process.


2. Click Next to continue.

Step 4: Configure IPSec Encryption and Authentication parameters.

1. Choose the Encryption algorithm (DES/3DES/AES) and authentication algorithm (MD5/SHA).

2. Click Next to continue.

Step 5: Specify Local Hosts and Networks.

Identify hosts and networks at the local site to be allowed to use this IPSec tunnel to communicate with the remote-site peers. (The remote-site peers will be specified in a later step.)

On page 5 of the VPN Wizard, add or remove hosts and networks dynamically by clicking Add or Delete respectively. In the current scenario, traffic from Network A (10.10.10.0) is encrypted by ASA 1 and transmitted through the VPN tunnel.

To specify a local host or network to be allowed access to the IPSec tunnel, perform the following steps:

1. Click IP Address.

2. Specify whether the interface is inside or outside by choosing an interface from the drop-down menu.

3. Enter the IP address and mask.

4. Click Add.

5. Repeat Step 1 through Step 5 for each host or network that you want to have access to the tunnel.

6. Click Next to continue.

Step 6: Specify Remote Hosts and Networks.

Identify hosts and networks at the remote site to be allowed to use this IPSec tunnel to communicate with the local hosts and networks you identified in Step 5. Add or remove hosts and networks dynamically by clicking Add or Delete respectively. In the current scenario, for ASA 1, the remote network is Network B (10.20.20.0), so traffic encrypted from this network is permitted through the tunnel.

To specify a remote host or network to be allowed access to the IPSec tunnel, perform the following steps:

1. Click IP Address.

2. Specify whether the interface is inside or outside by choosing one interface from the Interface drop-down menu.

3. Enter the IP address and mask.

4. Click Add.

5. Repeat Step 1 through Step 5 for each host or network that you want to have access to the tunnel.

6. Click Next to continue.

Step 7: View VPN Attributes and Complete Wizard.

Review the configuration list for the VPN tunnel you just created. If you are satisfied with the configuration, click Finish to apply the configuration changes to the adaptive security appliance.

This concludes the configuration process for ASA 1.

What to Do Next

You have just configured the local adaptive security appliance. Now you need to configure the adaptive security appliance at the remote site.

At the remote site, configure the second adaptive security appliance to serve as a VPN peer. Use the procedure you used to configure the local adaptive security appliance, starting at Step 1: Configure the adaptive security appliance at the first site on page 36, and finishing with Step 7: View VPN Attributes and Complete Wizard on page 43.


Note When configuring ASA 2, enter the exact same values for each of the options that you selected for ASA 1. Mismatches are a common cause of VPN configuration failures.
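The notes above warn that settings that differ between ASA 1 and ASA 2 are a common cause of tunnel failure. The following added Python example (not part of the Cisco guide and not ASA code) models the wizard inputs for both peers and reports any IKE, IPSec or pre-shared key setting that disagrees, and any Step 5/6 networks that are not mirrored between the two sides; the field names and the /24 masks on Network A and Network B are assumptions.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network
from typing import FrozenSet, List


@dataclass(frozen=True)
class PeerConfig:
    """One side of the tunnel as entered in wizard Steps 2 to 6 (field names assumed)."""
    name: str
    pre_shared_key: str                      # Step 2
    ike_encryption: str                      # Step 3: DES / 3DES / AES
    ike_hash: str                            # Step 3: MD5 / SHA
    dh_group: int                            # Step 3: 1 / 2 / 5
    ipsec_encryption: str                    # Step 4: DES / 3DES / AES
    ipsec_hash: str                          # Step 4: MD5 / SHA
    local_networks: FrozenSet[IPv4Network]   # Step 5
    remote_networks: FrozenSet[IPv4Network]  # Step 6


NEGOTIATED_FIELDS = ("ike_encryption", "ike_hash", "dh_group",
                     "ipsec_encryption", "ipsec_hash")


def check_peers(a: PeerConfig, b: PeerConfig) -> List[str]:
    """Return a list of mismatches between the two peers; empty means they agree."""
    problems = []
    for field in NEGOTIATED_FIELDS:
        if getattr(a, field) != getattr(b, field):
            problems.append(f"{field}: {a.name}={getattr(a, field)} "
                            f"{b.name}={getattr(b, field)}")
    if a.pre_shared_key != b.pre_shared_key:
        problems.append("pre-shared key differs")  # report only, never echo the key
    # Steps 5 and 6 must mirror: A's local networks are B's remote networks and vice versa
    if a.local_networks != b.remote_networks:
        problems.append(f"{a.name} local networks != {b.name} remote networks")
    if b.local_networks != a.remote_networks:
        problems.append(f"{b.name} local networks != {a.name} remote networks")
    return problems


# Constructed sample input: Network A and Network B from the scenario, /24 masks assumed
NET_A = frozenset({IPv4Network("10.10.10.0/24")})
NET_B = frozenset({IPv4Network("10.20.20.0/24")})

ASA1 = PeerConfig("ASA 1", "CisCo", "3DES", "SHA", 2, "3DES", "SHA", NET_A, NET_B)
# Correct mirror image of ASA 1 configured at the remote site
ASA2_OK = PeerConfig("ASA 2", "CisCo", "3DES", "SHA", 2, "3DES", "SHA", NET_B, NET_A)
# Two typical mistakes: a different IKE encryption, and Step 5/6 networks copied, not mirrored
ASA2_BAD = PeerConfig("ASA 2", "CisCo", "AES", "SHA", 2, "3DES", "SHA", NET_A, NET_B)

if __name__ == "__main__":
    for msg in check_peers(ASA1, ASA2_BAD) or ["no mismatches"]:
        print(msg)
```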


5 Optional SSM Setup and Configuration Procedures

The adaptive security appliance supports optional security service modules (SSMs) that plug into the chassis and provide additional functionality. This section describes setup and configuration procedures for the 4GE SSM and the AIP SSM.

4GE SSM Procedures

The 4GE Security Services Module (SSM) has eight Ethernet ports: four 10/100/1000 Mbps copper RJ-45 ports and four 1000 Mbps small form-factor pluggable (SFP) fiber ports. You can mix the copper and fiber ports on the same 4GE card.

If you purchased a 4GE SSM, use the procedures in this section to:

Cable the interfaces you want to use.

Change the media type setting for any SFP interfaces you want to use.


Note Because the default media type setting is Ethernet, you do not need to change the media type setting for any Ethernet interfaces you use.


Step 1: Cabling 4GE SSM Interfaces

To cable 4GE SSM interfaces, perform the following steps for each port you want to connect to a network device:


Step 1 To connect an RJ-45 (Ethernet) interface to a network device, perform the following steps for each interface:

a. Locate a yellow Ethernet cable from the accessory kit.

b. Connect one end of the cable to an Ethernet port on the 4GE SSM.

Figure 7 Connecting the Ethernet port (callout 1: RJ-45 (Ethernet) port)


c. Connect the other end of the cable to your network device.

Step 2 (Optional) If you want to use an SFP (fiber optic) port, install and cable the SFP modules as shown in Figure 8:

a. Insert and slide the SFP module into the SFP port until you hear a click. The click indicates that the SFP module is locked into the port.

b. Remove the optical port plugs from the installed SFP.

c. Locate the LC connector (fiber optic cable) in the 4GE SSM accessory kit.

d. Connect the LC connector to the SFP port.

Figure 8 Connecting the LC Connector (callout 1: LC connector; callout 2: SFP module)

e. Connect the other end of the LC connector to your network device.


After you have attached any SFP ports to your network devices, you must also change the media type setting for each SFP interface. Continue with the following procedure, "Step 2: (Optional) Setting the 4GE SSM Media Type for Fiber Interfaces."

Step 2: (Optional) Setting the 4GE SSM Media Type for Fiber Interfaces

For each SFP interface, you must change the media type setting from the default setting (Ethernet) to Fiber Connector.


Note Because the default media type setting is Ethernet, you do not need to change the media type setting for Ethernet interfaces you use.


To set the media type for SFP interfaces using ASDM, perform the following steps starting from the main ASDM page:


Step 1 Click Configuration, at the top of the ASDM window.

Step 2 Choose the Interfaces feature on the left side of the ASDM window.

Step 3 Choose the 4GE SSM interface and click Edit. The Edit Interface dialog box appears.

Step 4 Click Configure Hardware Properties. The Hardware Properties dialog box appears.

Step 5 Click the Media Type drop-down menu and choose Fiber Connector.

Step 6 Click OK to return to the Edit Interface dialog box, then click OK to return to the interfaces configuration dialog box.

Step 7 Repeat this procedure for each SFP interface.


You can also set the media type from the command line. For more information, see Configuring Ethernet Settings and Subinterfaces in the Cisco Security Appliance Command Line Configuration Guide.

AIP SSM Procedures

The optional AIP SSM runs advanced IPS software that provides further security inspection either in inline mode or promiscuous mode. The security appliance diverts packets to the AIP SSM just before the packet exits the egress interface (or before VPN encryption occurs, if configured) and after other firewall policies are applied. For example, packets that are blocked by an access list are not forwarded to the AIP SSM.

If you purchased an AIP SSM, use the procedures in this section to: