Cisco ASA 5500 Series Getting Started Guide For the Cisco ASA 5510, ASA 5520, ASA 5540, and ASA 5550 Software Version 8.0 Americas Headquarters Cisco Systems, Inc 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883 Customer Order Number: DOC-78-18002-01 Text Part Number: 78-18002-01 THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system All rights reserved Copyright © 1981, Regents of the University of California NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES CCVP, the Cisco logo, and the Cisco Square Bridge logo are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn is a service mark of Cisco Systems, Inc.; and Access Registrar, Aironet, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, iQuick Study, LightStream, Linksys, MeetingPlace, MGX, Networking Academy, Network Registrar, Packet, PIX, ProConnect, ScriptShare, SMARTnet, StackWise, The Fastest Way to Increase Your Internet Quotient, and TransPath are registered trademarks of Cisco Systems, Inc and/or its affiliates in the United States and certain other countries All other trademarks mentioned in this document or Website are the property of their respective owners The use of the word partner does not imply a partnership relationship between Cisco and any other company (0705R) Cisco ASA 5500 Series Getting Started Guide © 2007 Cisco Systems, Inc All rights reserved CONTENTS CHAPTER Before You Begin 1-1 ASA 5500 1-1 ASA 5500 with AIP SSM 1-2 ASA 5500 with CSC SSM 1-3 ASA 5500 with 4GE SSM 1-4 ASA 5550 1-5 CHAPTER Maximizing Throughput on the ASA 5550 2-1 Embedded Network Interfaces 2-1 Balancing Traffic to Maximize Throughput 2-2 What to Do Next 2-5 CHAPTER Installing the ASA 5550 3-1 Verifying the Package Contents 3-2 Installing the Chassis 3-3 Rack-Mounting the Chassis 3-4 Installing SFP Modules 3-5 SFP Module 3-6 Installing an SFP Module 3-7 Ports and LEDs 3-9 Front Panel LEDs 3-9 Rear Panel LEDs and Ports in Slot 3-10 Ports and LEDs in Slot 3-12 Connecting Interface Cables 3-13 Cisco ASA 5500 Series Getting Started Guide 78-18002-01 iii Contents What to Do Next 3-19 CHAPTER Installing the ASA 5500, ASA 5510, ASA 5520, and ASA 5540 4-1 Verifying the Package Contents 4-2 Installing the Chassis 4-3 Rack-Mounting the Chassis 4-4 Ports and LEDs 4-6 What to Do Next 4-9 CHAPTER Installing Optional SSMs 5-1 Cisco 4GE SSM 5-1 4GE SSM Components 5-2 Installing the Cisco 4GE SSM 5-3 Installing the SFP Modules 5-4 SFP Module 5-5 Installing the SFP Module 5-6 Cisco AIP SSM and CSC SSM 5-8 Installing an SSM 5-9 What to Do Next 5-10 CHAPTER Connecting Interface Cables on the ASA 5500, ASA 5510, ASA 5520, and ASA 5540 Platforms 6-1 Connecting Interface Cables 6-2 Connecting to SSMs 6-5 Connecting to a 4GE SSM 6-7 Powering On the Adaptive Security Appliance 6-9 What to Do Next 6-9 Cisco ASA 5500 Series Getting Started Guide iv 78-18002-01 Contents CHAPTER Configuring the Adaptive Security Appliance 7-1 About the Factory Default Configuration 7-1 Using the CLI for Configuration 7-2 Using the Adaptive Security Device Manager for Configuration 7-3 Preparing to Use ASDM 7-4 Gathering Configuration Information for Initial Setup 7-5 Installing the ASDM Launcher 7-5 Starting ASDM with a Web Browser 7-8 Running the ASDM Startup Wizard 7-9 What to Do Next 7-10 CHAPTER Scenario: DMZ Configuration 8-1 Basic Network Layout for a DMZ Configuration 8-1 Example DMZ Network Topology 8-2 An Inside User Visits a Web Server on the Internet 8-4 An Internet User Visits the DMZ Web Server 8-6 An Inside User Visits the DMZ Web Server 8-8 Configuring the Adaptive Security Appliance for a DMZ Deployment 8-10 Configuration Requirements 8-11 Information to Have Available 8-11 Starting ASDM 8-12 Enabling Inside Clients to Communicate with Devices on the Internet 8-14 Enabling Inside Clients to Communicate with the DMZ Web Server 8-15 Translating Internal Client IP Addresses Between the Inside and DMZ Interfaces 8-16 Translating the Public Address of the Web Server to its Real Address 8-20 Configuring Static PAT for Public Access to the DMZ Web Server (Port Forwarding) 8-22 Cisco ASA 5500 Series Getting Started Guide 78-18002-01 v Contents Providing Public HTTP Access to the DMZ Web Server 8-26 What to Do Next 8-29 CHAPTER Scenario: IPsec Remote-Access VPN Configuration 9-1 Example IPsec Remote-Access VPN Network Topology 9-1 Implementing the IPsec Remote-Access VPN Scenario 9-2 Information to Have Available 9-3 Starting ASDM 9-3 Configuring an IPsec Remote-Access VPN 9-5 Selecting VPN Client Types 9-7 Specifying the VPN Tunnel Group Name and Authentication Method 9-8 Specifying a User Authentication Method 9-9 (Optional) Configuring User Accounts 9-11 Configuring Address Pools 9-12 Configuring Client Attributes 9-13 Configuring the IKE Policy 9-14 Configuring IPsec Encryption and Authentication Parameters 9-16 Specifying Address Translation Exception and Split Tunneling 9-17 Verifying the Remote-Access VPN Configuration 9-18 What to Do Next 9-20 CHAPTER 10 Scenario: Configuring Connections for a Cisco AnyConnect VPN Client 10-1 About SSL VPN Client Connections 10-1 Obtaining the Cisco AnyConnect VPN Client Software 10-2 Example Topology Using AnyConnect SSL VPN Clients 10-3 Implementing the Cisco SSL VPN Scenario 10-3 Information to Have Available 10-4 Starting ASDM 10-5 Cisco ASA 5500 Series Getting Started Guide vi 78-18002-01 Contents Configuring the Adaptive Security Appliance for the Cisco AnyConnect VPN Client 10-7 Specifying the SSL VPN Interface 10-8 Specifying a User Authentication Method 10-9 Specifying a Group Policy 10-11 Configuring the Cisco AnyConnect VPN Client 10-12 Verifying the Remote-Access VPN Configuration 10-14 What to Do Next 10-15 CHAPTER 11 Scenario: SSL VPN Clientless Connections 11-1 About Clientless SSL VPN 11-1 Security Considerations for Clientless SSL VPN Connections 11-2 Example Network with Browser-Based SSL VPN Access 11-3 Implementing the Clientless SSL VPN Scenario 11-4 Information to Have Available 11-5 Starting ASDM 11-5 Configuring the Adaptive Security Appliance for Browser-Based SSL VPN Connections 11-7 Specifying the SSL VPN Interface 11-8 Specifying a User Authentication Method 11-10 Specifying a Group Policy 11-11 Creating a Bookmark List for Remote Users 11-12 Verifying the Configuration 11-16 What to Do Next 11-18 CHAPTER 12 Scenario: Site-to-Site VPN Configuration 12-1 Example Site-to-Site VPN Network Topology 12-1 Implementing the Site-to-Site Scenario 12-2 Information to Have Available 12-3 Cisco ASA 5500 Series Getting Started Guide 78-18002-01 vii Contents Configuring the Site-to-Site VPN 12-3 Starting ASDM 12-3 Configuring the Security Appliance at the Local Site 12-5 Providing Information About the Remote VPN Peer 12-7 Configuring the IKE Policy 12-8 Configuring IPsec Encryption and Authentication Parameters 12-10 Specifying Hosts and Networks 12-11 Viewing VPN Attributes and Completing the Wizard 12-12 Configuring the Other Side of the VPN Connection 12-14 What to Do Next 12-14 CHAPTER 13 Configuring the AIP SSM 13-1 Understanding the AIP SSM 13-2 How the AIP SSM Works with the Adaptive Security Appliance 13-2 Operating Modes 13-3 Using Virtual Sensors 13-4 Configuring the AIP SSM 13-6 AIP SSM Procedure Overview 13-6 Sessioning to the AIP SSM 13-6 Configuring the Security Policy on the AIP SSM 13-8 Assigning Virtual Sensors to Security Contexts 13-9 Diverting Traffic to the AIP SSM 13-11 What to Do Next 13-14 CHAPTER 14 Configuring the CSC SSM 14-1 About the CSC SSM 14-1 About Deploying the Security Appliance with the CSC SSM 14-2 Scenario: Security Appliance with CSC SSM Deployed for Content Security 14-4 Configuration Requirements 14-5 Cisco ASA 5500 Series Getting Started Guide viii 78-18002-01 Contents Configuring the CSC SSM for Content Security 14-5 Obtain Software Activation Key from Cisco.com 14-6 Gather Information 14-6 Starting ASDM 14-7 Verify Time Settings 14-9 Run the CSC Setup Wizard 14-10 What to Do Next 14-17 CHAPTER 15 Configuring the 4GE SSM for Fiber 15-1 Cabling 4GE SSM Interfaces 15-2 Setting the 4GE SSM Media Type for Fiber Interfaces (Optional) 15-3 What to Do Next 15-5 APPENDIX A Obtaining a 3DES/AES License A-1 Cisco ASA 5500 Series Getting Started Guide 78-18002-01 ix Contents Cisco ASA 5500 Series Getting Started Guide x 78-18002-01 Chapter 14 Configuring the CSC SSM Scenario: Security Appliance with CSC SSM Deployed for Content Security • Administrator e-mail address and the e-mail server IP address and port to be used for notifications Step Click Next Step In Step of the CSC Setup Wizard, enter the IP address and mask for each subnet and host that should have management access to the CSC SSM Cisco ASA 5500 Series Getting Started Guide 14-12 78-18002-01 Chapter 14 Configuring the CSC SSM Scenario: Security Appliance with CSC SSM Deployed for Content Security By default, all networks have management access to the CSC SSM For security purposes, we recommend that you restrict access to specific subnets or management hosts Step 10 Click Next Cisco ASA 5500 Series Getting Started Guide 78-18002-01 14-13 Chapter 14 Configuring the CSC SSM Scenario: Security Appliance with CSC SSM Deployed for Content Security Step 11 In Step of the CSC Setup Wizard, enter a new password for management access Enter the factory default password, “cisco,” in the Old Password field Step 12 Click Next Step 13 In Step of the CSC Setup Wizard, specify the type of traffic to be scanned The adaptive security appliance diverts packets to the CSC SSM after firewall policies are applied but before the packets exit the egress interface For example, packets that are blocked by an access list are not forwarded to the CSC SSM Configure service policies to specify which traffic the adaptive security appliance should divert to the CSC SSM The CSC SSM can scan HTTP, POP3, FTP, and SMTP traffic sent to the well-known ports for those protocols To simplify the initial configuration process, this procedure creates a global service policy that diverts all traffic for the supported protocols to the CSC SSM, both inbound and outbound Because scanning all traffic coming through the adaptive security appliance may reduce the performance of the adaptive security appliance and the CSC SSM, you may want to revise this security policy later For Cisco ASA 5500 Series Getting Started Guide 14-14 78-18002-01 Chapter 14 Configuring the CSC SSM Scenario: Security Appliance with CSC SSM Deployed for Content Security example, it is not usually necessary to scan all traffic coming from your inside network because it is coming from a trusted source By refining the service policies so that the CSC SSM scans only traffic from untrusted sources, you can achieve your security goals and maximize performance of the adaptive security appliance and the CSC SSM To create a global service policy that identifies traffic to be scanned, perform the following steps: a To add a new type of traffic, click Add The Traffic Selection for CSC Scan dialog box appears b From the Interface drop-down list, choose Global c Leave the Source and Destination fields set to Any d In the Service are, click the ellipsis ( ) radio button In this dialog box, select a predefined service or click Add to define a new service Cisco ASA 5500 Series Getting Started Guide 78-18002-01 14-15 Chapter 14 Configuring the CSC SSM Scenario: Security Appliance with CSC SSM Deployed for Content Security e f Click OK to return to the Traffic Selection for CSC Scan window g Step 14 In the If CSC card fails, then area, choose whether the adaptive security appliance should permit or deny selected traffic if the CSC SSM is unavailable Click Next In Step of the CSC Setup Wizard, review configuration settings you just entered for the CSC SSM If you are satisfied with these settings, click Finish ASDM shows a message indicating that the CSC device is now active By default, the CSC SSM is configured to perform content security scans enabled by the license you purchased (which may include anti-virus, anti-spam, anti-phishing, and content filtering) It is also configured to get periodic updates from the Trend Micro update server Cisco ASA 5500 Series Getting Started Guide 14-16 78-18002-01 Chapter 14 Configuring the CSC SSM What to Do Next If included in the license you purchased, you can create custom settings for URL blocking and URL filtering, as well as e-mail and FTP parameters For more information, see the Cisco Content Security and Control SSM Administrator Guide What to Do Next You are now ready to configure the Trend Micro Interscan for Cisco CSC SSM software Use the following documents to continue configuring the adaptive security appliance for your implementation To Do This See Configure CSC SSM software, such as Cisco Content Security and Control advanced security policies SSM Administrator Guide Configure additional CSC SSM features in ASDM, including content filtering ASDM online help (click the Configuration or Monitoring tab, then click the Trend Micro Content Security tab) Optimize performance by creating more efficient service policies “Managing AIP SSM and CSC SSM” in Cisco Security Appliance Command Line Configuration Guide Cisco ASA 5500 Series Getting Started Guide 78-18002-01 14-17 Chapter 14 Configuring the CSC SSM What to Do Next After you have configured the CSC SSM software, you may want to consider performing some of the following additional steps: To Do This See Refine configuration and configure optional and advanced features Cisco Security Appliance Command Line Configuration Guide Learn about daily operations Cisco Security Appliance Command Reference Cisco Security Appliance Logging Configuration and System Log Messages Review hardware maintenance and troubleshooting information Cisco ASA 5500 Series Hardware Installation Guide You can configure the adaptive security appliance for more than one application The following sections provide configuration procedures for other common applications of the adaptive security appliance To Do This See Configure protection of a DMZ web server Chapter 8, “Scenario: DMZ Configuration” Configure a remote-access VPN Chapter 9, “Scenario: IPsec Remote-Access VPN Configuration” Configure remote-access SSL connection for software clients Chapter 10, “Scenario: Configuring Connections for a Cisco AnyConnect VPN Client” Configure SSL connections for browser-based remote access Chapter 11, “Scenario: SSL VPN Clientless Connections” Configure a site-to-site VPN Chapter 12, “Scenario: Site-to-Site VPN Configuration” Cisco ASA 5500 Series Getting Started Guide 14-18 78-18002-01 CH A P T E R 15 Configuring the 4GE SSM for Fiber The 4GE Security Services Module (SSM) has four Ethernet ports, and each port has two media type options: SFP (Small Form-Factor Pluggable) fiber or RJ 35 You can mix the copper and fiber ports using the same 4GE card Note The 4GE SSM requires ASA software Version 7.1(1) or later This chapter includes the following sections: • • Setting the 4GE SSM Media Type for Fiber Interfaces (Optional), page 15-3 • Note Cabling 4GE SSM Interfaces, page 15-2 What to Do Next, page 15-5 Because the default media type setting is Ethernet, you not need to change the media type setting for any Ethernet interfaces you use Cisco ASA 5500 Series Getting Started Guide 78-18002-01 15-1 Chapter 15 Configuring the 4GE SSM for Fiber Cabling 4GE SSM Interfaces Cabling 4GE SSM Interfaces To cable 4GE SSM interfaces, perform the following steps for each port you want to connect to a network device: Step To connect an RJ-45 (Ethernet) interface to a network device, perform the following steps for each interface: a Locate a yellow Ethernet cable from the accessory kit b Connect one end of the cable to an Ethernet port on the 4GE SSM as shown in Figure 15-1 Connecting the Ethernet port LNK GE POW ER STA TUS SSM-4 MGMT USB2 MGMT USB2 SPD Cisco USB1 143597 Figure 15-1 1 c Step RJ-45 (Ethernet) port Connect the other end of the cable to your network device (Optional) If you want to use an SFP (fiber optic) port, install and cable the SFP modules as shown in Figure 15-2: a Insert and slide the SFP module into the SFP port until you hear a click The click indicates that the SFP module is locked into the port b Remove the optical port plugs from the installed SFP c Locate the LC connector (fiber optic cable) in the 4GE SSM accessory kit d Connect the LC connector to the SFP port Cisco ASA 5500 Series Getting Started Guide 15-2 78-18002-01 Chapter 15 Configuring the 4GE SSM for Fiber Setting the 4GE SSM Media Type for Fiber Interfaces (Optional) Connecting the LC Connector LNK POW ER STAT US SSM-4 GE MGMT USB2 MGMT USB2 SPD Cisco USB1 143647 Figure 15-2 1 e LC connector SFP module Connect the other end of the LC connector to your network device After you have attached any SFP ports to your network devices, you must also change the media type setting for each SFP interface Continue with the following procedure, “Setting the 4GE SSM Media Type for Fiber Interfaces (Optional).” Setting the 4GE SSM Media Type for Fiber Interfaces (Optional) If you are using fiber interfaces, for each SFP interface you must change the media type setting from the default setting (Ethernet) to Fiber Connector Cisco ASA 5500 Series Getting Started Guide 78-18002-01 15-3 Chapter 15 Configuring the 4GE SSM for Fiber Setting the 4GE SSM Media Type for Fiber Interfaces (Optional) Note Because the default media type setting is Ethernet, you not need to change the media type setting for Ethernet interfaces you use To set the media type for SFP interfaces using ASDM, perform the following steps starting from the main ASDM window: Step At the top of the ASDM window, click the Configuration tab Step On the left side of the ASDM window, click the Interfaces tab Step Click the 4GE SSM interface and click Edit The Edit Interface dialog box appears Step Click Configure Hardware Properties The Hardware Properties dialog box appears Step From the Media Type drop-down list, choose Fiber Connector Step Click OK to return to the Edit Interfaces dialog box, then click OK to return to the interfaces configuration dialog box Step Repeat this procedure for each SFP interface You can also set the media type from the command line For more information, see "Configuring Ethernet Settings and Subinterfaces" in the Cisco Security Appliance Command Line Configuration Guide Cisco ASA 5500 Series Getting Started Guide 15-4 78-18002-01 Chapter 15 Configuring the 4GE SSM for Fiber What to Do Next What to Do Next You have completed the initial configuration You may want to consider performing some of the following additional steps: To Do This See Refine configuration and configure optional and advanced features Cisco Security Appliance Command Line Configuration Guide Learn about daily operations Cisco Security Appliance Command Reference Cisco Security Appliance Logging Configuration and System Log Messages Review hardware maintenance and troubleshooting information Cisco ASA 5500 Series Hardware Installation Guide Cisco ASA 5500 Series Getting Started Guide 78-18002-01 15-5 Chapter 15 Configuring the 4GE SSM for Fiber What to Do Next Cisco ASA 5500 Series Getting Started Guide 15-6 78-18002-01 APPENDIX A Obtaining a 3DES/AES License The Cisco ASA 5500 series adaptive security appliance comes with a DES license that provides encryption You can obtain a 3DES-AES license that provides encryption technology to enable specific features, such as secure remote management (SSH, ASDM, and so on), site-to-site VPN, and remote access VPN You need an encryption license key to enable this license If you are a registered user of Cisco.com and would like to obtain a 3DES/AES encryption license, go to the following website: http://www.cisco.com/go/license If you are not a registered user of Cisco.com, go to the following website: https://tools.cisco.com/SWIFT/Licensing/RegistrationServlet Provide your name, e-mail address, and the serial number for the adaptive security appliance as it appears in the show version command output Note You will receive the new activation key for your adaptive security appliance within two hours of requesting the license upgrade For more information on activation key examples or upgrading software, see the Cisco Security Appliance Command Line Configuration Guide Cisco ASA 5500 Series Getting Started Guide 78-18002-01 A-1 Appendix A Obtaining a 3DES/AES License To use the activation key, perform the following steps: Command Purpose Step hostname# show version Shows the software release, hardware configuration, license key, and related uptime data Step hostname# configure terminal Enters global configuration mode Step hostname(config)# activation-key activation-5-tuple-key Updates the encryption activation key by replacing the activation-4-tuple-key variable with the activation key obtained with your new license The activation-5-tuple-key variable is a five-element hexadecimal string with one space between each element An example is 0xe02888da 0x4ba7bed6 0xf1c123ae 0xffd8624e The “0x” is optional; all values are assumed to be hexadecimal Step hostname(config)# exit Exits global configuration mode Step hostname# copy running-config startup-config Saves the configuration Step hostname# reload Reboots the adaptive security appliance and reloads the configuration Cisco ASA 5500 Series Getting Started Guide A-2 78-18002-01 ... install your Cisco ASA 5500 series adaptive security appliance Cisco ASA 5500 Series Getting Started Guide 4-2 78-18002-01 Chapter Installing the ASA 5500, ASA 5510, ASA 5520, and ASA 5540 Installing... Adaptive Security Appliance.” Cisco ASA 5500 Series Getting Started Guide 78-18002-01 3-19 Chapter Installing the ASA 5550 What to Do Next Cisco ASA 5500 Series Getting Started Guide 3-20 78-18002-01... APPENDIX A Obtaining a 3DES/AES License A-1 Cisco ASA 5500 Series Getting Started Guide 78-18002-01 ix Contents Cisco ASA 5500 Series Getting Started Guide x 78-18002-01 CH A P T E R Before You