Cisco ASA 5500 Series Adaptive

Security Appliance Getting Started

Guide
For the Cisco ASA 5510, ASA 5520, and ASA 5540

Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 526-4100

Customer Order Number: DOC-7817611=

Text Part Number: 78-17611-01
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT
NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT
ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR
THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION
PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO
LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as
part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE
PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED
OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL
DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR
INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES.

CCSP, CCVP, the Cisco Square Bridge logo, Follow Me Browsing, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We
Work, Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Access Registrar, Aironet, BPX, Catalyst, CCDA, CCDP,
CCIE, CCIP, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the
Cisco Systems logo, Cisco Unity, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, FormShare, GigaDrive, GigaStack, HomeLink,
Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, LightStream, Linksys, MeetingPlace, MGX, the Networkers
logo, Networking Academy, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, ProConnect, RateMUX, ScriptShare, SlideCast,
SMARTnet, The Fastest Way to Increase Your Internet Quotient, and TransPath are registered trademarks of Cisco Systems, Inc. and/or its affiliates
in the United States and certain other countries.

All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply
a partnership relationship between Cisco and any other company. (0601R)

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
© 2006 Cisco Systems, Inc. All rights reserved.
 CONTENTS

CHAPTER 1 Before You Begin 1-1

ASA 5500 1-1
ASA 5500 with AIP SSM 1-2
ASA 5500 with CSC SSM 1-3
ASA 5500 with 4GE SSM 1-4

CHAPTER 2 Installing the Cisco ASA 5500 2-1

Verifying the Package Contents 2-2
Installing the Chassis 2-3
Rack-Mounting the Chassis 2-4
Ports and LEDs 2-6
What to Do Next 2-9

CHAPTER 3 Installing Optional SSMs 3-1

Cisco 4GE SSM 3-1
4GE SSM Components 3-2
Installing the Cisco 4GE SSM 3-3
Installing the SFP Modules 3-4
SFP Module 3-5
Installing the SFP Module 3-6
Cisco AIP SSM and CSC SSM 3-8
Installing an SSM 3-9
What to Do Next 3-10

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
78-17372-01 i
 Contents

CHAPTER 4 Connecting Interface Cables 4-1

Connecting Cables to Interfaces 4-2
What to Do Next 4-10

CHAPTER 5 Configuring the Adaptive Security Appliance 5-1

About the Factory-Default Configuration 5-1
About the Adaptive Security Device Manager 5-2
Before Launching the Startup Wizard 5-3
Using the Startup Wizard 5-4
What to Do Next 5-5

CHAPTER 6 Scenario: DMZ Configuration 6-1

Example DMZ Network Topology 6-1
Configuring the Security Appliance for a DMZ Deployment 6-4
Configuration Requirements 6-5
Starting ASDM 6-6
Creating IP Pools for Network Address Translation 6-7
Configuring NAT for Inside Clients to Communicate with the DMZ Web
Server 6-12
Configuring NAT for Inside Clients to Communicate with Devices on the
Internet 6-15
Configuring an External Identity for the DMZ Web Server 6-16
Providing Public HTTP Access to the DMZ Web Server 6-18
What to Do Next 6-24

CHAPTER 7 Scenario: Remote-Access VPN Configuration 7-1

Example IPsec Remote-Access VPN Network Topology 7-1
Implementing the IPsec Remote-Access VPN Scenario 7-2
Information to Have Available 7-3

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
ii 78-17372-01
 Contents

Starting ASDM 7-4

Configuring the FWSM for an IPsec Remote-Access VPN 7-5
Selecting VPN Client Types 7-6
Specifying the VPN Tunnel Group Name and Authentication Method 7-7
Specifying a User Authentication Method 7-8
(Optional) Configuring User Accounts 7-10
Configuring Address Pools 7-11
Configuring Client Attributes 7-12
Configuring the IKE Policy 7-13
Configuring IPsec Encryption and Authentication Parameters 7-15
Specifying Address Translation Exception and Split Tunneling 7-16
Verifying the Remote-Access VPN Configuration 7-17
What to Do Next 7-18

CHAPTER 8 Scenario: Site-to-Site VPN Configuration 8-1

Example Site-to-Site VPN Network Topology 8-1
Implementing the Site-to-Site Scenario 8-2
Information to Have Available 8-2
Configuring the Site-to-Site VPN 8-3
Starting ASDM 8-3
Configuring the Security Appliance at the Local Site 8-4
Providing Information About the Remote VPN Peer 8-6
Configuring the IKE Policy 8-7
Configuring IPSec Encryption and Authentication Parameters 8-9
Specifying Hosts and Networks 8-10
Viewing VPN Attributes and Completing the Wizard 8-11
Configuring the Other Side of the VPN Connection 8-13
What to Do Next 8-14

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
78-17372-01 iii
 Contents

CHAPTER 9 Configuring the AIP SSM 9-1

AIP SSM Configuration 9-1
Overview of Configuration Process 9-2
Configuring the ASA 5500 to Divert Traffic to the AIP SSM 9-2
Sessioning to the AIP SSM and Running Setup 9-5
What to Do Next 9-7

CHAPTER 10 Configuring the CSC SSM 10-1

About the CSC SSM 10-1
About Deploying the Security Appliance with the CSC SSM 10-2
Scenario: Security Appliance with CSC SSM Deployed for Content Security 10-4
Configuration Requirements 10-5
Configuring the CSC SSM for Content Security 10-5
Obtain Software Activation Key from Cisco.com 10-6
Collect Information 10-6
Launch ASDM 10-7
Verify Time Settings 10-8
Run the CSC Setup Wizard 10-9
Divert Traffic to the CSC SSM for Content Scanning 10-17
What to Do Next 10-22

CHAPTER 11 Configuring the 4GE SSM for Fiber 11-1

Cabling 4GE SSM Interfaces 11-2
Setting the 4GE SSM Media Type for Fiber Interfaces (Optional) 11-3
What to Do Next 11-5

APPENDIX A Obtaining a DES License or a 3DES-AES License A-1

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
iv 78-17372-01
 C H A P T E R 1
Before You Begin

Use the following table to find the installation and configuration steps that are
required for your implementation of the adaptive security appliance.
The adaptive security appliance implementations included in this document are as
follows:
• ASA 5500, page 1-1
• ASA 5500 with AIP SSM, page 1-2
• ASA 5500 with CSC SSM, page 1-3
• ASA 5500 with 4GE SSM, page 1-4

ASA 5500
To Do This ... See ...
Install the chassis Chapter 2, “Installing the Cisco ASA
5500”
Connect interface cables Chapter 4, “Connecting Interface
Cables”
Perform initial setup of the adaptive security Chapter 5, “Configuring the
appliance Adaptive Security Appliance”

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
78-17611-01 1-1
 Chapter 1 Before You Begin
ASA 5500 with AIP SSM

To Do This ... (continued) See ...

Configure the adaptive security appliance for Chapter 6, “Scenario: DMZ
your implementation
Configure optional and advanced features
Operate the system on a daily basis
Configuration”
Chapter 7, “Scenario:
Remote-Access VPN Configuration”
Chapter 8, “Scenario: Site-to-Site
VPN Configuration”
Cisco Security Appliance Command
Line Configuration Guide
Cisco Security Appliance Command
Reference
Cisco Security Appliance Logging
Configuration and System Log
Messages

ASA 5500 with AIP SSM

To Do This .... See ....
Install the chassis Chapter 2, “Installing the Cisco ASA
5500”
Install the AIP SSM Chapter 3, “Installing Optional
SSMs”
Connect interface cables Chapter 4, “Connecting Interface
Cables”
Perform initial setup the adaptive security Chapter 5, “Configuring the
appliance Adaptive Security Appliance”
Configure the adaptive security appliance for Chapter 9, “Configuring the AIP
AIP SSM SSM”

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
1-2 78-17611-01
Chapter 1 Before You Begin
ASA 5500 with CSC SSM

To Do This .... (continued) See ....

Configure IPS software for intrusion
prevention
Refine configuration and configure optional
and advanced features
Configuring the Cisco Intrusion
Prevention System Sensor Using the
Command Line Interface
Cisco Intrusion Prevention System
Command Reference
Cisco Security Appliance Command
Line Configuration Guide
Cisco Security Appliance Command
Reference
Cisco Security Appliance Logging
Configuration and System Log
Messages

ASA 5500 with CSC SSM

To Do This .... To Do This ....
Install the chassis Chapter 2, “Installing the Cisco ASA
5500”
Install the CSC SSM Chapter 3, “Installing Optional
SSMs”
Connect interface cables Chapter 4, “Connecting Interface
Cables”
Perform initial setup of the adaptive Chapter 5, “Configuring the
security appliance Adaptive Security Appliance”
Configure the adaptive security appliance Chapter 10, “Configuring the CSC
for content security SSM”

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
78-17611-01 1-3
 Chapter 1 Before You Begin
ASA 5500 with 4GE SSM

To Do This .... (continued) To Do This ....

Configure the CSC SSM
Refine configuration and configure
optional and advanced features
Cisco Content Security and Control
SSM Administrator Guide
Cisco Security Appliance Command
Line Configuration Guide
Cisco Security Appliance Command
Reference
Cisco Security Appliance Logging
Configuration and System Log
Messages

ASA 5500 with 4GE SSM

To Do This ... See ...
Install the chassis Chapter 2, “Installing the Cisco ASA
5500”
Install the 4GE SSM Chapter 3, “Installing Optional
SSMs”
Connect interface cables Chapter 4, “Connecting Interface
Cables”
Perform initial setup of the adaptive Chapter 5, “Configuring the
security appliance Adaptive Security Appliance”
Install the fiber optic module Chapter 3, “Installing Optional
SSMs”
Refine configuration and configure Cisco Security Appliance Command
optional and advanced features Line Configuration Guide
Cisco Security Appliance Command
Reference
Cisco Security Appliance Logging
Configuration and System Log
Messages

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
1-4 78-17611-01
Chapter 1 Before You Begin
ASA 5500 with 4GE SSM

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
78-17611-01 1-5
 Chapter 1 Before You Begin
ASA 5500 with 4GE SSM

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
1-6 78-17611-01
 C H A P T E R 2
Installing the Cisco ASA 5500

Warning Only trained and qualified personnel should be allowed to install, replace, or
service this equipment.

Caution Read the safety warnings in the Regulatory Compliance and Safety Information
for the Cisco ASA 5500 Series and follow proper safety procedures when
performing these steps.

This chapter describes the product overview, memory requirements and

rack-mount and installation procedures for the adaptive security appliance. This
chapter includes the following sections:
• Verifying the Package Contents, page 2-2
• Installing the Chassis, page 2-3
• Ports and LEDs, page 2-6
• What to Do Next, page 2-9

Note The illustrations in this document show the Cisco ASA 5540 adaptive security
appliance. The Cisco ASA 5510 adaptive security appliance and Cisco ASA 5520
adaptive security appliance are identical, containing the same back panel features
and indicators.

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
78-17611-01 2-1
 Chapter 2 Installing the Cisco ASA 5500
Verifying the Package Contents

Verifying the Package Contents

Verify the contents of the packing box to ensure that you have received all items
necessary to install your Cisco ASA 5500 series adaptive security appliance. See
Figure 2-1.

Figure 2-1 Contents of ASA 5500 Package

Cisco ASA 5500 adaptive

security appliance
MGMT
USB2
USB1

LINK FLASH
SPD LINK
3 SPD LINK
2 SPD LINK
1 SPD
0 WER US
PO AT
ST TIVE N
AC VP ASH
FL

Mounting brackets Yellow Ethernet cable

(700-18797-01 AO) right (72-1482-01)
(700-18798-01 AO) left

2 long cap screws

(48-0654-01 AO) Blue console cable
PC terminal adapter

4 flathead screws
(48-0451-01 AO)
Cable holder

4 cap screws
(48-0523-01 AO) Se 550 Cisc
CoSafe
m t
c 0 o
Prourity Ada ASA Gu pliay an
du App ptiv ide nc d
ct
CD lianc e e
e
92574

4 rubber feet Documentation

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
2-2 78-17611-01
 Chapter 2 Installing the Cisco ASA 5500
Installing the Chassis

Installing the Chassis

This section describes how to rack-mount and install the adaptive security
appliance. You can mount the adaptive security appliance in a 19-inch rack (with
a 17.5- or 17.75-inch opening).

Warning To prevent bodily injury when mounting or servicing this unit in a rack, you must
take special precautions to ensure that the system remains stable. The
following guidelines are provided to ensure your safety.

The following information can help plan equipment rack installation:

• Allow clearance around the rack for maintenance.
• When mounting a device in an enclosed rack ensure adequate ventilation. An
enclosed rack should never be overcrowded. Make sure that the rack is not
congested, because each unit generates heat.
• When mounting a device in an open rack, make sure that the rack frame does
not block the intake or exhaust ports.
• If the rack contains only one unit, mount the unit at the bottom of the rack.
• If the rack is partially filled, load the rack from the bottom to the top, with the
heaviest component at the bottom of the rack.
• If the rack contains stabilizing devices, install the stabilizers prior to
mounting or servicing the unit in the rack.

Warning Before performing any of the following procedures, ensure that power is
removed from the DC circuit. To ensure that all power is OFF, locate the circuit
breaker on the panel board that services the DC circuit, switch the circuit
breaker to the OFF position, and tape the switch handle of the circuit breaker in
the OFF position.

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
78-17611-01 2-3
 Chapter 2 Installing the Cisco ASA 5500
Installing the Chassis

Rack-Mounting the Chassis

To rack-mount the chassis, perform the following steps:

Note You can use the mounting brackets to mount the chassis to the front or the back
of the rack, with the front panel or the rear panel of the chassis facing outward.

Step 1 Attach the rack-mount brackets to the chassis using the supplied screws. Attach
the brackets to the holes as shown in Figure 2-2 and Figure 2-3. After the brackets
are secured to the chassis, you can rack-mount it.

Figure 2-2 Installing the Left Bracket on the Rear Panel of the Chassis
132187

Figure 2-3 Installing the Right Bracket on the Rear Panel of the Chassis
132186

Step 2 Attach the chassis to the rack using the supplied screws, as shown in Figure 2-4.

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
2-4 78-17611-01
Chapter 2 Installing the Cisco ASA 5500
Installing the Chassis

Figure 2-4 Rack-Mounting the Chassis

CISCO
ASA
POWER
STATUS Adap 5540
tive Secu SERIES
ACTIVE VPN rity Appli
FLASH ance

119633
Note Figure 2-2 and Figure 2-3 show the rack mounting brackets attached to the rear of
the chassis while Figure 2-4 shows the rack mounting brackets attached to the
front of the chassis. You can attach the mounting brackets to the front or the rear
of the chassis so that you can have the front panel or the rear panel of the chassis
facing outward.
Figure 2-2 and Figure 2-3 show the brackets attached to the rear so you can see
how that configuration appears while Figure 2-4 shows the brackets attached to
the front so that you can see how that configuration appears. In Step 1 and Step 2,
you will choose to have either the brackets rear mounted or front mounted but not
both.

To remove the chassis from the rack, remove the screws that attach the chassis to
the rack, and then remove the chassis.

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
78-17611-01 2-5
 Chapter 2 Installing the Cisco ASA 5500
Ports and LEDs

Ports and LEDs

This section describes the front and rear panels. Figure 2-5 shows the front panel
LEDs.

Figure 2-5 Front Panel LEDs

CISCO ASA 5540 SERIES
Adaptive Security Appliance

119638
POWER STATUS ACTIVE VPN FLASH

1 3 5
2 4

LED Color State Description

1 Power Green On The system has power.
2 Status Green Flashing The power-up diagnostics are running or the system is booting.
Solid The system has passed power-up diagnostics.
Amber Solid The power-up diagnostics have failed.
3 Active Green Solid This is the active failover device.
Amber Solid This is the standby failover device.
4 VPN Green Solid VPN tunnel is established.
5 Flash Green Solid The CompactFlash is being accessed.

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
2-6 78-17611-01
 Chapter 2 Installing the Cisco ASA 5500
Ports and LEDs

Figure 2-6 shows the rear panel features for the adaptive security appliance.

Figure 2-6 Rear Panel LEDs and Ports (AC Power Supply Model Shown)

1 2 3 4 5

MGMT

CONSOLE
USB2 USB1
FLASH

119572
AUX
ER

VE
S

SH
U

N
LINK SPD LINK SPD LINK SPD LINK SPD

TI
W

AT

VP

A
AC
PO
3 2 1 0

FL
ST
6 7 8 10 12 13 14
9 11

1 Management Port1 6 USB 2.0 interfaces2 11 VPN LED

3
2 External CompactFlash slot 7 Network interfaces 12 Flash LED
3 Serial Console port 8 Power indicator LED 13 AUX port
4 Power switch 9 Status indicator LED 14 Power connector
5 Power indicator LED 10 Active LED
1. The management 0/0 interface is a Fast Ethernet interface designed for management traffic only.
2. Not supported at this time.
3. GigabiteEthernet interfaces, from right to left, GigabitEthernet 0/0, GigabitEthernet 0/1, GigabitEthernet 0/2, and
GigabitEthernet 0/3.

For more information on the Management Port, see the “Management-Only”

section in the Cisco Security Appliance Command Reference.

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
78-17611-01 2-7
 Chapter 2 Installing the Cisco ASA 5500
Ports and LEDs

Figure 2-7 shows the adaptive security appliance rear panel LEDs.

Figure 2-7 Rear Panel Link and Speed Indicator LEDs

1 2
MGMT
USB2
USB1

126917
LNK SPD LNK SPD LNK SPD LNK SPD
3 2 1 0

1 MGMT indicator LEDs 2 Network interface LEDs

Table 2-1 lists the rear MGMT and Network interface LEDs.

Table 2-1 Link and Speed LEDs

Indicator Color Description

Left side Solid green Physical link
Green flashing Network activity
Right side Not lit 10 Mbps
Green 100 Mbps
Amber 1000 Mbps

Note The ASA 5510 adaptive security appliance only supports 10/100BaseTX. The
ASA 5520 adaptive security appliance and the ASA 5540 adaptive security
appliance support 1000BaseT.

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
2-8 78-17611-01
Chapter 2 Installing the Cisco ASA 5500
What to Do Next

What to Do Next
Continue with one of the following chapters:

To Do This ... See ...

Install SSMs you purchased but that Chapter 3, “Installing Optional SSMs”
have not yet been installed
Continue with connecting interface Chapter 4, “Connecting Interface
cables Cables”

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
78-17611-01 2-9
 Chapter 2 Installing the Cisco ASA 5500
What to Do Next

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
2-10 78-17611-01
 C H A P T E R 3
Installing Optional SSMs

This chapter provides information about installing optional SSMs (Security

Services Modules) and their components. You only need to use the procedures in
this chapter if you purchased an optional SSM but it is not yet installed.
This chapter includes the following sections:
• Cisco 4GE SSM, page 3-1
• Cisco AIP SSM and CSC SSM, page 3-8
• What to Do Next, page 3-10

Cisco 4GE SSM

The 4GE Security Services Module (SSM) has eight Ethernet ports: four
10/100/1000 Mbps, copper, RJ-45 ports or four optional 1000 Mbps, Small
Form-Factor Pluggable (SFP) fiber ports.
This section describes how to install and replace the Cisco 4GE SSM in the
adaptive security appliance. This section includes the following topics:
• 4GE SSM Components, page 3-2
• Installing the Cisco 4GE SSM, page 3-3
• Installing the SFP Modules, page 3-4

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
78-17611-01 3-1
 Chapter 3 Installing Optional SSMs
Cisco 4GE SSM

4GE SSM Components

Figure 3-1 lists the Cisco 4GE SSM ports and LEDs.

Figure 3-1 Cisco 4GE SSM Ports and LEDs

2 3 7 8

LNK 3 2 1 0 SPD

132983
Cisco SSM-4GE

1 4 5 6

1 RJ-45 ports 5 Status LED

2 RJ-45 Link LED 6 SFP ports
3 RJ-45 Speed LED 7 SFP Link LED
4 Power LED 8 SFP Speed LED

Note Figure 3-1 shows SFP modules installed in the port slots. You must order and
install the SFP modules if you want to use this feature. For more information on
SFP ports and modules, see the “Installing the SFP Modules” section on page 3-4.

Table 3-1 describes the Cisco 4GE SSM LEDs.

Table 3-1 Cisco 4GE SSM LEDs

LED Color State Description

2, 7 LINK Green Solid There is an Ethernet link.
Flashing There is Ethernet activity.

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
3-2 78-17611-01
 Chapter 3 Installing Optional SSMs
Cisco 4GE SSM

Table 3-1 Cisco 4GE SSM LEDs (continued)

LED Color State Description

3, 8 SPEED Off 10 MB There is no network activity.
Green 100 MB There is network activity at
100 Mbps.
Amber
1000 MB There is network activity at
(GigE) 1000 Mbps.
4 POWER Green On The system has power.
5 STATUS Green Flashing The system is booting.
Green Solid The system booted correctly.
Amber Solid The system diagnostics failed.

Installing the Cisco 4GE SSM

To install a new Cisco 4GE SSM for the first time, perform the following steps:

Step 1 Power off the adaptive security appliance.

Step 2 Locate the grounding strap from the accessory kit and fasten it to your wrist so
that it contacts your bare skin. Attach the other end to the chassis.
Step 3 Remove the two screws (as shown in Figure 3-2) at the left rear end of the chassis,
and remove the slot cover.

Figure 3-2 Removing the Screws from the Slot Cover

MGMT
USB2
USB1

LINK FLASH
SPD LIN
3 K SPD
2 LINK
SPD LIN
K SPD
1 ER
119642

0 W US
PO AT E
ST TIV N H
AC VP AS
FL

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
78-17611-01 3-3
 Chapter 3 Installing Optional SSMs
Cisco 4GE SSM

Step 4 Insert the Cisco 4GE SSM through the slot opening as shown in Figure 3-3.

Figure 3-3 Inserting the Cisco 4GE SSM into the Slot

MGMT
MGMT USB2
USB2 USB1
LNK
3
2
1

USB1
0 SPD

Cisco FLASH
SSM-4G LINK
R

SPD LIN
US
POWE

E 3 K SPD
STAT

2 LINK
SPD LIN
K SPD
1 ER S
0 W U
PO

132984
AT IV
E
ST T
VP
N H
AC AS
FL

Step 5 Attach the screws to secure the Cisco 4GE SSM to the chassis.
Step 6 Power on the adaptive security appliance.
Step 7 Check the LEDs. If the Cisco 4GE SSM is installed properly the STATUS LED
flashes during boot up and is solid when operational.
Step 8 Connect one end of the RJ-45 cable to the port and the other end of the cable to your
network devices. For more information, see “Chapter 4, “Connecting Interface
Cables.”

Installing the SFP Modules

The SFP (Small Form-Factor Pluggable) is a hot-swappable input/output device
that plugs into the SFP ports. The following SFP module types are supported:
• Long wavelength/long haul 1000BASE-LX/LH (GLC-LH-SM=)
• Short wavelength 1000BASE-SX (GLC-SX-MM=)
This section describes how to install and remove the SFP modules in the adaptive
security appliance to provide optical Gigabit Ethernet connectivity. This section
contains the following topics:
• SFP Module, page 3-5
• Installing the SFP Module, page 3-6

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
3-4 78-17611-01
 Chapter 3 Installing Optional SSMs
Cisco 4GE SSM

SFP Module
The adaptive security appliance uses a field-replaceable SFP module to establish
Gigabit connections.

Note If you install an SFP module after the switch has powered on, you must reload the
adaptive security appliance to enable the SFP module.

Table 3-2 lists the SFP modules that are supported by the adaptive security
appliance.

Table 3-2 Supported SFP Modules

SFP Module Type of Connection Cisco Part Number

1000BASE-LX/LH Fiber-optic GLC-LH-SM=
1000BASE-SX Fiber-optic GLC-SX-MM=

The 1000BASE-LX/LH and 1000BASE-SX SFP modules are used to establish

fiber-optic connections. Use fiber-optic cables with LC connectors to connect to
an SFP module. The SFP modules support 850 to 1550 nm nominal wavelengths.
The cables must not exceed the required cable length for reliable communications.
Table 3-3 lists the cable length requirements.

Table 3-3 Cabling Requirements for Fiber-Optic SFP Modules

62.5/125 micron 50/125 micron 62.5/125 micron 50/125 micron 9/125 micron
Multimode 850 Multimode 850 Multimode Multimode Single-mode
SFP Module nm Fiber nm Fiber 1310 nm Fiber 1310 nm Fiber 1310 nm Fiber

— — 550 m at 550 m at 10 km
500 Mhz-km 400 Mhz-km
LX/LH

275 m at 550 m at — — —
200 Mhz-km 500 Mhz-km
SX

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
78-17611-01 3-5
 Chapter 3 Installing Optional SSMs
Cisco 4GE SSM

Use only Cisco-certified SFP modules on the adaptive security appliance. Each
SFP module has an internal serial EEPROM that is encoded with security
information. This encoding provides a way for Cisco to identify and validate that
the SFP module meets the requirements for the adaptive security appliance.

Note Only SFP modules certified by Cisco are supported on the adaptive security
appliance.

Caution Protect your SFP modules by inserting clean dust plugs into the SFPs after the
cables are extracted from them. Be sure to clean the optic surfaces of the fiber
cables before you plug them back in the optical bores of another SFP module.
Avoid getting dust and other contaminants into the optical bores of your SFP
modules: The optics do not work correctly when obstructed with dust.

Warning Because invisible laser radiation may be emitted from the aperture of the port
when no cable is connected, avoid exposure to laser radiation and do not stare
into open apertures. Statement 70

Installing the SFP Module

To install the SFP module in the Cisco 4GE SSM, perform the following steps:

Step 1 Line up the SFP module with the port and slide the SFP module into the port slot
until it locks into position as shown in Figure 3-4.

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
3-6 78-17611-01
Chapter 3 Installing Optional SSMs
Cisco 4GE SSM

Figure 3-4 Installing an SFP Module

132985
1

1 Optical port plug 3 SFP module

2 SFP port slot

Caution Do not remove the optical port plugs from the SFP until you are ready to connect
the cables.

Step 2 Remove the Optical port plug; then connect the network cable to the SFP module.
Connect the other end of the cable to your network. For more information on
connecting the cables, see Chapter 4, “Connecting Interface Cables.”

Caution The latching mechanism used on many SFPs locks them into place when cables
are connected. Do not pull on the cabling in an attempt to remove the SFP.

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
78-17611-01 3-7
 Chapter 3 Installing Optional SSMs
Cisco AIP SSM and CSC SSM

Cisco AIP SSM and CSC SSM

The ASA 5500 series adaptive security appliance supports the AIP SSM
(Advanced Inspection and Prevention Security Services Module) and the CSC
SSM (Content Security Control Security Services Module), also referred to as the
intelligent SSM.
The AIP SSM runs advanced IPS software that provides security inspection.
There are two models of the AIP SSM: the AIP SSM 10 and the AIP SSM 20. Both
types look identical, but the AIP SSM 20 has a faster processor and more memory
than the AIP SSM 10. Only one module (the AIP SSM 10 or the AIP SSM 20) can
populate the slot at a time.
Table 3-4 lists the memory specifications for the AIP SSM 10 and the
AIP SSM 20.

Table 3-4 SSM Memory Specifications

SSM CPU DRAM

AIP SSM 10 2.0 GHz Celeron 1.0 GB
AIP SSM 20 2.4 GHz Pentium 4 2.0 GB

For more information on the AIP SSM, see the Cisco Security Appliance Command
Line Configuration Guide.
The CSC SSM runs Content Security and Control software. The CSC SSM
provides protection against viruses, spyware, spam, and other unwanted traffic.
For more information on the CSC SSM, see the Cisco Security Appliance Command
Line Configuration Guide.
This section describes how to install and replace the SSM in the adaptive security
appliance. Figure 3-5 lists the SSM LEDs.

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
3-8 78-17611-01
 Chapter 3 Installing Optional SSMs
Cisco AIP SSM and CSC SSM

Figure 3-5 SSM LEDs

CT
/A

D
EE
NK

SP
LI

119644
SU
AT
R
PW

ST
1 2 3 4

Table 3-5 describes the SSM LEDs.

Table 3-5 SSM LEDs

LED Color State Description

1 PWR Green On The system has power.
2 STATUS Green Flashing The system is booting.
Solid The system has passed power-up
diagnostics.
3 LINK/ACT Green Solid There is an Ethernet link.
Flashing There is Ethernet activity.
4 SPEED Green 100 MB There is network activity.
Amber 1000 MB (GigE) There is network activity.

Installing an SSM
To install a new SSM, perform the following steps:

Step 1 Power off the adaptive security appliance.

Step 2 Locate the grounding strap from the accessory kit and fasten it to your wrist so
that it contacts your bare skin. Attach the other end to the chassis.
Step 3 Remove the two screws (as shown in Figure 3-6) at the left rear end of the chassis,
and remove the slot cover.

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
78-17611-01 3-9
 Chapter 3 Installing Optional SSMs
What to Do Next

Figure 3-6 Removing the Screws from the Slot Cover

MGMT
USB2
USB1
LINK FLASH
SPD LIN
3 K SPD
2 LINK
SPD LIN
K SPD
1 ER

119642
0 W U S
PO AT E
ST TIV N
SH
AC VP A
FL

Step 4 Insert the SSM into the slot opening as shown in Figure 3-7.

Figure 3-7 Inserting the SSM into the Slot

MGMT
USB2
USB1

D
EE CT
SP K/A LINK
SPD LIN
LIN 3 K SPD
2 LINK
SPD LIN
K SPD
S 1 ER

119643
R TU 0 W S
PW U
STA PO AT IV
E
ST T
VP
N H
AC AS
FL

Step 5 Attach the screws to secure the SSM to the chassis.

Step 6 Power on the adaptive security appliance. Check the LEDs. If the SSM is installed
properly the POWER LED is solid green and the STATUS LED flashes green.
Step 7 Connect one end of the RJ-45 cable to the port and the other end of the cable to your
network devices.

What to Do Next
Continue with Chapter 4, “Connecting Interface Cables.”

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
3-10 78-17611-01
 C H A P T E R 4
Connecting Interface Cables

This chapter describes how to connect the cables to the Console, Auxiliary,
Management, Cisco 4GE SSM, and SSM ports. In this document, SSM refers to an
intelligent SSM, the AIP SSM, or the CSC SSM.
This chapter includes the following sections:
• Connecting Cables to Interfaces, page 4-2
• What to Do Next, page 4-10

Note The 4GE SSM, AIP SSM, and CSC SSM are optional security services modules.
Skip these steps if your adaptive security appliance does not include these
modules.

Warning Only trained and qualified personnel should install, replace, or service this
equipment. Statement 49

Caution Read the safety warnings in the Regulatory Compliance and Safety Information
for the Cisco ASA 5500 Series and follow proper safety procedures when
performing these steps.

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
78-17611-01 4-1
 Chapter 4 Connecting Interface Cables
Connecting Cables to Interfaces

Connecting Cables to Interfaces

To connect cables to the interfaces, perform the following steps:

Step 1 Place the chassis on a flat, stable surface, or in a rack (if you are rack-mounting it).
Step 2 Before connecting a computer or terminal to the ports, check to determine the baud
rate of the serial port. The baud rate must match the default baud rate (9600 baud) of
the Console port of the adaptive security appliance. Set up the terminal as follows:
9600 baud (default), 8 data bits, no parity, 1 stop bits, and Flow Control (FC) =
Hardware.
Step 3 Connect the cables to the ports.
a. Management port–The adaptive security appliance has a dedicated
management interface referred to as the Management0/0 port. The
Management0/0 port is a Fast Ethernet interface with a dedicated port used
only for traffic management. Similar to the Console port, but the Management
port accepts only incoming traffic to the adaptive security appliance.

Note You can configure any interface to be a management-only interface using

the management-only command. You can also disable management-only
mode on the management interface. For more information about this
command, see the management-only command in the Cisco Security
Appliance Command Reference.

– Connect one RJ-45 connector to the Management0/0 port, as shown in

Figure 4-1.
– Connect the other end of the Ethernet cable to the Ethernet port on your
computer.

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
4-2 78-17611-01
Chapter 4 Connecting Interface Cables
Connecting Cables to Interfaces

Figure 4-1 Connecting to the Management Port

MGMT
USB2
USB1

92684
LNK SPD LNK SPD LNK SPD LNK SPD
3 2 1 0

1 Management port 2 RJ-45 to RJ-45 Ethernet cable

Note When connecting a computer directly to the management port on the adaptive
security appliance, use a crossover Ethernet cable. When connecting a computer
to the adaptive security appliance through a hub or switch, use a straight through
Ethernet cable to connect the hub or switch to the management port.

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
78-17611-01 4-3
 Chapter 4 Connecting Interface Cables
Connecting Cables to Interfaces

b. Console port
– Connect the serial console cable as shown in Figure 4-2. The console
cable has a DB-9 connector on one end for the serial port on your
computer, and the other end is an RJ-45 connector.
– Connect the RJ-45 connector to the Console port on the adaptive security
appliance.
– Connect the other end of the cable, the DB-9 connector, to the console
port on your computer.

Figure 4-2 Connecting the Console Cable

CONSOLE
FLASH

AUX
ER

VE
S

SH
U

N
TI
W

AT

VP

A
AC
PO

FL
ST

126982

1 RJ-45 Console port 2 RJ-45 to DB-9 console cable

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
4-4 78-17611-01
Chapter 4 Connecting Interface Cables
Connecting Cables to Interfaces

c. Auxiliary port
– Connect the serial console cable as shown in Figure 4-2. The console
cable has a DB-9 connector on one end for the serial port on your
computer, and the other end is an RJ-45 connector.
– Connect the RJ-45 connector to the Auxiliary port (labeled AUX) on the
adaptive security appliance, as shown in Figure 4-3.
– Connect the other end of the cable, the DB-9 connector, to the serial port
on your computer.

Figure 4-3 Connecting to the AUX Port

FLASH CONSOLE
AUX
ER

VE
S

SH
U

N
TI
W

AT

VP

A
AC
PO

FL
ST

92686

1 RJ-45 AUX port 2 RJ-45 to DB-9 console cable

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
78-17611-01 4-5
 Chapter 4 Connecting Interface Cables
Connecting Cables to Interfaces

d. Cisco 4GE SSM

• Ethernet port
– Connect one RJ-45 connector to the Ethernet port of the Cisco 4GE SSM
as shown in Figure 4-4.
– Connect the other end of the Ethernet cable to your network device, such
as a router, switch or hub.

Note The Cisco 4GE SSM is optional; this connection is necessary only if you
have installed the Cisco 4GE SSM on the adaptive security appliance.

Figure 4-4 Connecting to the RJ-45 port

LNK
3
2
1
0 SPD

MGMT
MGMT USB2
Cisco
SSM-4
ER
US

GE

USB1
POW
STAT

USB2
USB1
1

2 143147

1 Ethernet ports 2 RJ-45 connector

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
4-6 78-17611-01
Chapter 4 Connecting Interface Cables
Connecting Cables to Interfaces

• SFP modules
– Insert and slide the SFP module into the SFP port until you hear a click.
The click indicates that the SFP module is locked into the port.
– Remove the optical port plugs from the installed SFP as shown in Figure 4-5.

Figure 4-5 Removing the Optical Port Plug

2
1

143146
US
STAT
1 Optical port plug 2 SFP module

– Connect the LC connector to the SFP module as shown in Figure 4-6.

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
78-17611-01 4-7
 Chapter 4 Connecting Interface Cables
Connecting Cables to Interfaces

Figure 4-6 Connecting the LC Connector

LNK
3
2
1
0 SPD

MGMT
MGMT USB2
Cisco
SSM-4

ER
US
GE

USB1
POW
STAT

USB1USB2

143148
2
1

1 LC connector 2 SFP module

– Connect the other end to your network devices, such as routers, switches,
or hubs.
e. SSM
– Connect one RJ-45 connector to the management port on the SSM, as
shown in Figure 4-7.
– Connect the other end of the RJ-45 cable to your network devices.

Note SSMs are optional; this connection is necessary only if you have installed
an SSM on the adaptive security appliance.

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
4-8 78-17611-01
Chapter 4 Connecting Interface Cables
Connecting Cables to Interfaces

Figure 4-7 Connecting to the Management Port

MGMT
MGMT USB2
T
AC
K?
LIN D
EE

USB1
SP

USB2
ER S
POW TU
STA

USB1
1

143149
1 SSM management port 2 RJ-45 to RJ-45 cable

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
78-17611-01 4-9
 Chapter 4 Connecting Interface Cables
What to Do Next

f. Ethernet ports
– Connect the RJ-45 connector to the Ethernet port as shown in Figure 4-8.
– Connect the other end of the Ethernet cable to your network device, such
as a router, switch or hub.

Figure 4-8
MGMT
Connecting Cables to Network Interfaces
USB2
USB1

92685
LNK SPD LNK SPD LNK SPD LNK SPD
3 2 1 0

1 RJ-45 Ethernet ports 2 RJ-45 connector

Step 4 Connect the power cord to the adaptive security appliance and plug the other end
to the power source.
Step 5 Power on the chassis.

What to Do Next
Continue with Chapter 5, “Configuring the Adaptive Security Appliance.”

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
4-10 78-17611-01
 C H A P T E R 5
Configuring the Adaptive Security
Appliance

This chapter describes the initial configuration of the adaptive security appliance.
You can perform the configuration steps using either the browser-based Cisco
Adaptive Security Device Manager (ASDM) or the command-line interface
(CLI). However, the procedures in this chapter refer to the method using ASDM.

Note To use ASDM, you must have a DES license or a 3DES-AES license. For more
information, see Appendix A, “Obtaining a DES License or a 3DES-AES
License.”

This chapter includes the following sections:

• About the Factory-Default Configuration, page 5-1
• Before Launching the Startup Wizard, page 5-3
• Using the Startup Wizard, page 5-4
• What to Do Next, page 5-5

About the Factory-Default Configuration

Cisco adaptive security appliances are shipped with a factory-default configuration
that enables quick startup. This configuration meets the needs of most small and
medium business networking environments.

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
78-17611-01 5-1
 Chapter 5 Configuring the Adaptive Security Appliance
About the Adaptive Security Device Manager

By default, the adaptive security appliance Management interface is configured with

a default DHCP address pool. This configuration enables a client on the inside
network to obtain a DHCP address from the adaptive security appliance to connect to
the appliance. Administrators can then configure and manage the adaptive security
appliance using ASDM. Based on your network security policy, you should also
consider configuring the adaptive security appliance to deny all ICMP traffic through
the outside interface or any other interface that is necessary.

About the Adaptive Security Device Manager

The Adaptive Security Device Manager (ASDM) is a feature-rich graphical

interface that enables you to manage and monitor the adaptive security appliance.
Its web-based design provides secure access so that you can connect to and
manage the adaptive security appliance from any location by using a web browser.

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
5-2 78-17611-01
Chapter 5 Configuring the Adaptive Security Appliance
Before Launching the Startup Wizard

In addition to its complete configuration and management capability, ASDM

features intelligent wizards to simplify and accelerate the deployment of the
adaptive security appliance.
To use ASDM, you must have a DES license or a 3DES-AES license. In addition,
Java and JavaScript must be enabled in your web browser.
In addition to the ASDM web configuration tool, you can configure the adaptive
security appliance by using the command-line interface. For more information, see
the Cisco Security Appliance Command Line Configuration Guide and the Cisco
Security Appliance Command Reference.

Before Launching the Startup Wizard

Before you launch the Startup Wizard, perform the following steps:

Step 1 Obtain a DES license or a 3DES-AES license.

To run ASDM, you must have a DES license or a 3DES-AES license. If you did
not purchase one of these licenses with the adaptive security appliance, see
Appendix A, “Obtaining a DES License or a 3DES-AES License” for information
about how to obtain and activate one.
Step 2 Enable Java and Javascript in your Web browser.
Step 3 Gather the following information:
• A unique hostname to identify the adaptive security appliance on your
network.
• The IP addresses of your outside interface, inside interface, and any other
interfaces.
• The IP addresses to use for NAT or PAT configuration.
• The IP address range for the DHCP server.

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
78-17611-01 5-3
 Chapter 5 Configuring the Adaptive Security Appliance
Using the Startup Wizard

Using the Startup Wizard

ASDM includes a Startup Wizard to simplify the initial configuration of your
adaptive security appliance. With a few steps, the Startup Wizard enables you to
configure the adaptive security appliance so that it allows packets to flow securely
between the inside network (GigabitEthernet0/1) and the outside network
(GigabitEthernet0/0).
To use the Startup Wizard to set up a basic configuration for the adaptive security
appliance, perform the following steps:

Step 1 If you have not already done so, perform one of the following steps:
• If you have an ASA 5520 or 5540, connect the inside GigabitEthernet0/1
interface to a switch or hub by using the Ethernet cable. To this same switch,
connect a PC for configuring the adaptive security appliance.
• If you have an ASA 5510, connect the inside Ethernet 1 interface to a switch
or hub by using the Ethernet cable. To this same switch, connect a PC for
configuring the adaptive security appliance.
Step 2 Configure your PC to use DHCP (to receive an IP address automatically from the
adaptive security appliance), or assign a static IP address to your PC by selecting
an address out of the 192.168.1.0 network. (Valid addresses are 192.168.1.2 through
192.168.1.254, with a mask of 255.255.255.0 and default route of 192.168.1.1.)

Note The inside interface of the adaptive security appliance is assigned

192.168.1.1 by default, so this address is unavailable.

Step 3 Perform one of the following steps:

• If you have an ASA 5520 or 5540, check the LINK LED on the
GigabitEthernet0/1 interface.
• If you have an ASA 5510, check the LINK LED on the Ethernet 1 interface.
When a connection is established, the LINK LED interface on the adaptive security
appliance and the corresponding LINK LED on the switch or hub becomes solid
green.
Step 4 Launch the Startup Wizard.
a. On the PC connected to the switch or hub, launch an Internet browser.

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
5-4 78-17611-01
Chapter 5 Configuring the Adaptive Security Appliance
What to Do Next

b. In the address field of the browser, enter this URL: https://192.168.1.1/.

Note The adaptive security appliance ships with a default IP address of

192.168.1.1. Remember to add the “s” in “https” or the connection
fails. HTTPS (HTTP over SSL) provides a secure connection between
your browser and the adaptive security appliance.

Step 5 In the dialog box that requires a username and password, leave both fields empty.
Press Enter.
Step 6 Click Yes to accept the certificates. Click Yes for all subsequent authentication
and certificate dialog boxes.
ASDM starts.
Step 7 From the Wizards menu at the top of the ASDM window, choose Startup Wizard.
Step 8 Follow the instructions in the Startup Wizard to set up your adaptive security
appliance.
For information about any field in the Startup Wizard, click Help at the bottom of
the window.

What to Do Next
Next, configure the adaptive security appliance for your deployment using one or
more of the following chapters:

To Do This ... See ...

Configure the adaptive security Chapter 6, “Scenario: DMZ
appliance to protect a DMZ web server Configuration”
Configure the adaptive security Chapter 7, “Scenario: Remote-Access
appliance for remote-access VPN VPN Configuration”
Configure the adaptive security Chapter 8, “Scenario: Site-to-Site
appliance for Site-to-Site VPN VPN Configuration”

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
78-17611-01 5-5
 Chapter 5 Configuring the Adaptive Security Appliance
What to Do Next

To Do This ... See ...

Configure the AIP SSM for intrusion Chapter 9, “Configuring the AIP SSM”
prevention
Configure the CSC SSM for content Chapter 10, “Configuring the CSC
security SSM”

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
5-6 78-17611-01
 C H A P T E R 6
Scenario: DMZ Configuration

This chapter describes a configuration scenario in which the adaptive security

appliance is used to protect network resources located in a demilitarized zone
(DMZ). A DMZ is a separate network located in the neutral zone between a
private (inside) network and a public (outside) network.
This chapter includes the following sections:
• Example DMZ Network Topology, page 6-1
• Configuring the Security Appliance for a DMZ Deployment, page 6-4
• What to Do Next, page 6-24

Example DMZ Network Topology

The example network topology shown in Figure 6-1 is typical of most DMZ
implementations of the adaptive security appliance.

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
78-17611-01 6-1
 Chapter 6 Scenario: DMZ Configuration
Example DMZ Network Topology

Figure 6-1 Network Layout for DMZ Configuration Scenario

Security
HTTP client Appliance
inside interface outside interface
192.168.1.1 209.165.200.225 HTTP client
Internet
(private address) (public address)
192.168.1.2
(private address) DMZ interface
10.30.30.1
(private address) HTTP server

DNS
server

132064
DMZ Web Private IP address: 10.30.30.30
Server Public IP address: 209.165.200.226

This example scenario has the following characteristics:

• The web server is on the DMZ interface of the adaptive security appliance.
• HTTP clients on the private network can access the web server in the DMZ
and can also communicate with devices on the Internet.
• Clients on the Internet are permitted HTTP access to the DMZ web server; all
other traffic is denied.
• The network has two routable IP addresses that are publicly available: one for
the outside interface of the adaptive security appliance (209.165.200.225),
and one for the public IP address of the DMZ web server (209.165.200.226).
Figure 6-2 shows the outgoing traffic flow of HTTP requests from the private
network to both the DMZ web server and to the Internet.

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
6-2 78-17611-01
 Chapter 6 Scenario: DMZ Configuration
Example DMZ Network Topology

Figure 6-2 Outgoing HTTP Traffic Flow from the Private Network

Before an HTTP request

DNS
can be sent to the DMZ
server
web server, the URL
must be resolved to
an IP address
Security
HTTP
DNS request Appliance
client
(inside interface)
192.168.1.1 outside interface HTTP client
Internet
209.165.200.225
192.168.1.2 HTTP request (public address)
(private address)
DMZ interface
Client sends HTTP request 10.30.30.1 Web server
to ASA which forwards it (private address)
to the DMZ web server

DMZ network

153777
DMZ Web Private IP address: 10.30.30.30
Server Public IP address: 209.165.200.226

In Figure 6-2, the adaptive security appliance permits HTTP traffic originating
from inside clients and destined for both the DMZ web server and devices on the
Internet. To permit the traffic through, the adaptive security appliance
configuration includes the following:
• Access control rules permitting traffic destined for the DMZ web server and
for devices on the Internet.
• Address translation rules translating private IP addresses so that the private
addresses are not visible to the Internet.
For traffic destined for the DMZ web server, private IP addresses are
translated to an address from an IP pool.
For traffic destined for the Internet, private IP addresses are translated to the
public IP address of the adaptive security appliance. Outgoing traffic appears
to come from this address.
Figure 6-3 shows HTTP requests originating from the Internet and destined for
the public IP address of the DMZ web server.

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
78-17611-01 6-3
 Chapter 6 Scenario: DMZ Configuration
Configuring the Security Appliance for a DMZ Deployment

Figure 6-3 Incoming HTTP Traffic Flow From the Internet

2 Incoming request 1 HTTP request

Security destined for public sent to public address
Appliance address of DMZ web of DMZ web server.
server intercepted.
Internet HTTP client

3 Destination IP address
translated to the private IP
address of the web server. Web server

4 Web server receives

request for content.

153779
DMZ Web Private IP address: 10.30.30.30
Server Public IP address: 209.165.200.226

To permit incoming traffic to access the DMZ web server, the adaptive security
appliance configuration includes the following:
• An address translation rule translating the public IP address of the DMZ web
server to the private IP address of the DMZ web server.
• An access control rule permitting incoming HTTP traffic that is destined for
the DMZ web server.
The procedures for creating this configuration are detailed in the remainder of this
chapter.

Configuring the Security Appliance for a DMZ

Deployment
This section describes how to use ASDM to configure the adaptive security
appliance for the configuration scenario shown in Figure 6-1. The procedure uses
sample parameters based on the scenario.

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
6-4 78-17611-01
 Chapter 6 Scenario: DMZ Configuration
Configuring the Security Appliance for a DMZ Deployment

This configuration procedure assumes that the adaptive security appliance already
has interfaces configured for the inside interface, the DMZ interface, and the
outside interface. Set up interfaces of the adaptive security appliance by using the
Startup Wizard in ASDM. Be sure that the DMZ interface security level is set
between 0 and 100. (A common choice is 50.)
For more information about using the Startup Wizard, see Chapter 5,
“Configuring the Adaptive Security Appliance.”
The section includes the following topics:
• Configuration Requirements, page 6-5
• Starting ASDM, page 6-6
• Creating IP Pools for Network Address Translation, page 6-7
• Configuring NAT for Inside Clients to Communicate with the DMZ Web
Server, page 6-12
• Configuring NAT for Inside Clients to Communicate with Devices on the
Internet, page 6-15
• Configuring an External Identity for the DMZ Web Server, page 6-16
• Providing Public HTTP Access to the DMZ Web Server, page 6-18
The following sections provide detailed instructions for how to perform each step.

Configuration Requirements
Configuring the adaptive security appliance for this DMZ deployment requires the
following configuration tasks:
• For the internal clients to have HTTP access to the DMZ web server, you must
create a pool of IP addresses for address translation and identify which clients
should use addresses from the pool. To accomplish this task, you should
configure the following:
– A pool of IP addresses for the DMZ interface. In this scenario, the IP pool
is 10.30.30.50–10.30.30.60.
– A dynamic NAT translation rule for the inside interface that specifies
which client IP addresses can be assigned an address from the IP pool.

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
78-17611-01 6-5
 Chapter 6 Scenario: DMZ Configuration
Configuring the Security Appliance for a DMZ Deployment

• For the internal clients to have access to HTTP and HTTPS resources on the
Internet, you must create a rule that translates the real IP addresses of internal
clients to an external address that can be used as the source address.
To accomplish this task, you should configure a PAT translation rule (port
address translation rule, sometimes called an interface NAT) for the internal
interface that translates internal IP addresses to the external IP address of the
adaptive security appliance.
In this scenario, the internal address to be translated is that of a subnet of the
private network (10.10.10.0). Addresses from this subnet are translated to the
public address of the adaptive security appliance (209.165.200.225).
• For external clients to have HTTP access to the DMZ web server, you must
configure an external identity for the DMZ web server and an access rule that
permits HTTP requests coming from clients on the Internet. To accomplish
this task, you should configure the following:
– Create a static NAT rule. This rule translates the real IP address of the
DMZ web server to a single public IP address. In this scenario, the public
address of the web server is 209.165.200.226.
– Create a security access rule permitting traffic from the Internet if the
traffic is an HTTP request destined for the public IP address of the DMZ
web server.

Starting ASDM
To run ASDM in a web browser, enter the factory-default IP address in the address
field: https://192.168.1.1/admin/.

Note Remember to add the “s” in “https” or the connection fails. HTTPS
(HTTP over SSL) provides a secure connection between your browser and
the adaptive security appliance.

The Main ASDM window appears.

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
6-6 78-17611-01
 Chapter 6 Scenario: DMZ Configuration
Configuring the Security Appliance for a DMZ Deployment

Creating IP Pools for Network Address Translation

The adaptive security appliance uses Network Address Translation (NAT) and
Port Address Translation (PAT) to prevent internal IP addresses from being
exposed externally. This procedure describes how to create a pool of IP addresses
that the DMZ interface and outside interface can use for address translation.
A single IP pool can contain both NAT and PAT entries, and it can contain entries
for more than one interface.

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
78-17611-01 6-7
 Chapter 6 Scenario: DMZ Configuration
Configuring the Security Appliance for a DMZ Deployment

To configure a pool of IP addresses that can be used for network address

translation, perform the following steps:

Step 1 In the ASDM window, click the Configuration tool.

a. In the Features pane, click NAT.
The NAT Configuration screen appears.

b. In the right pane, click the Global Pools tab.

c. Click Add to create a new global pool for the DMZ interface.
The Add Global Address Pool dialog box appears.

Note For most configurations, IP pools are added to the less secure, or public,
interfaces.

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
6-8 78-17611-01
Chapter 6 Scenario: DMZ Configuration
Configuring the Security Appliance for a DMZ Deployment

d. From the Interfaces drop-down list, choose DMZ.

e. To create a new IP pool, enter a unique Pool ID. In this scenario, the Pool ID
is 200.
f. In the IP Addresses to Add area, specify the range of IP addresses to be used
by the DMZ interface:
– Click the Range radio button.
– Enter the Starting IP address and Ending IP address of the range. In this
scenario, the range of IP addresses is 10.30.30.50–10.30.30.60.
– (Optional) Enter the Netmask for the range of IP addresses.

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
78-17611-01 6-9
 Chapter 6 Scenario: DMZ Configuration
Configuring the Security Appliance for a DMZ Deployment

g. Click Add to add this range of IP addresses to the Address Pool.

The Add Global Pool dialog box configuration should be similar to the
following:

h. Click OK to return to the Configuration > NAT window.

Step 2 Add addresses to the IP pool to be used by the outside interface. These addresses
are used to translate private IP addresses so that inside clients can communicate
securely with clients on the Internet.
In this scenario, there are limited public IP addresses available. Use Port Address
Translation (PAT) so that many internal IP addresses can map to the same public
IP address, as follows:
a. In the right pane of the NAT Configuration screen, click the Global Pools tab.
b. Under the Global Pools tab, click Add.
The Add Global Pool Item dialog box appears.
c. From the Interface drop-down list, choose Outside.
d. Specify a Pool ID for the Outside interface.
You can add these addresses to the same IP pool that contains the address pool
used by the DMZ interface (in this scenario, the Pool ID is 200).

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
6-10 78-17611-01
Chapter 6 Scenario: DMZ Configuration
Configuring the Security Appliance for a DMZ Deployment

e. Click the Port Address Translation (PAT) using the IP address of the
interface radio button.
If you select the option Port Address Translation using the IP address of the
interface, all traffic initiated from the inside network exits the adaptive
security appliance using the IP address of the outside interface. To the devices
on the Internet, it appears that all traffic is coming from this one IP address.
f. Click the Add button to add this new address to the IP pool.

g. Click OK.

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
78-17611-01 6-11
 Chapter 6 Scenario: DMZ Configuration
Configuring the Security Appliance for a DMZ Deployment

The displayed configuration should be similar to the following:

Step 3 Confirm that the configuration values are correct.

Step 4 Click Apply in the main ASDM window.

Configuring NAT for Inside Clients to Communicate with the DMZ

Web Server
In the previous procedure, you created a pool of IP addresses that could be used
by the adaptive security appliance to mask the private IP addresses of inside
clients.

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
6-12 78-17611-01
Chapter 6 Scenario: DMZ Configuration
Configuring the Security Appliance for a DMZ Deployment

In this procedure, you configure a Network Address Translation (NAT) rule that
associates IP addresses from this pool with the inside clients so they can
communicate securely with the DMZ web server.
To configure NAT between the inside interface and the DMZ interface, perform
the following steps starting from the main ASDM window:

Step 1 In the main ASDM window, click the Configuration tool.

Step 2 In the Features pane, click NAT.
Step 3 From the Add drop-down list, choose Add Dynamic NAT Rule.
The Add Dynamic NAT Rule dialog box appears.

Step 4 In the Real Address area, specify the IP address to be translated. For this scenario,
address translation for inside clients is done according to the IP address of the
subnet.
a. From the Interface drop-down list, choose the Inside interface.
b. Enter the IP address of the client or network. In this scenario, the IP address
of the network is 10.10.10.0.
c. From the Netmask drop-down list, choose the Netmask. In this scenario, the
netmask is 255.255.255.0.
Step 5 In the Dynamic Translation area:
a. From the Interface drop-down list, choose the DMZ interface.
b. To specify the address pool to be used for this Dynamic NAT rule, check the
Select check box next to Global Pool ID. In this scenario, the IP pool ID is
200.
In this scenario, the IP pool that we want to use is already created. If it was
not already created, you would click Add to create a new IP pool.

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
78-17611-01 6-13
 Chapter 6 Scenario: DMZ Configuration
Configuring the Security Appliance for a DMZ Deployment

c. Click OK to add the Dynamic NAT Rule and return to the Configuration >
NAT window.
Review the configuration screen to verify that the translation rule appears as you
expected.

Note When you click OK to create this rule, notice that there are actually two
translation rules created:
• A translation rule between the inside and DMZ interfaces to be used when
inside clients communicate with the DMZ web server.
• A translation rule between the inside and outside interfaces to be used when
inside clients communicate with the Internet.
ASDM is able to create both rules because the addresses to be used for translation
are both in the same IP pool.

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
6-14 78-17611-01
 Chapter 6 Scenario: DMZ Configuration
Configuring the Security Appliance for a DMZ Deployment

The displayed configuration should be similar to the following:

Step 6 Click Apply to complete the adaptive security appliance configuration changes.

Configuring NAT for Inside Clients to Communicate with Devices

on the Internet
In the previous procedure, you configured a Network Address Translation (NAT)
rule that associates IP addresses from the IP pool with the inside clients so they
can communicate securely with the DMZ web server.

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
78-17611-01 6-15
 Chapter 6 Scenario: DMZ Configuration
Configuring the Security Appliance for a DMZ Deployment

For many configurations, you would also need to create a NAT rule between the
inside interface and the outside interface to enable inside clients to communicate
with the Internet.
However, in this scenario you do not need to create this rule explicitly. The reason
is that the IP pool (pool ID 200) contains both types of addresses needed for
address translation: the range of IP addresses to be used by the DMZ interface,
and the IP address to be used for the outside interface. This enables ASDM to
create the second translation rule for you.

Configuring an External Identity for the DMZ Web Server

The DMZ web server needs to be accessible by all hosts on the Internet. This
configuration requires translating the private IP address of the DMZ web server
to a public IP address, enabling access to outside HTTP clients that are unaware
of the adaptive security appliance. To map the real web server IP address
(10.30.30.30) statically to a public IP address (209.165.200.226), perform the
following steps:

Step 1 In the ASDM window, click the Configuration tool.

Step 2 In the Features pane, click NAT.
Step 3 From the Add drop-down list, choose Add Static NAT Rule. The Add Static NAT
Rule dialog box appears.
Step 4 In the Real Address area, specify the real IP address of the web server:
a. From the Interface drop-down list, choose the DMZ interface.
b. Enter the real IP address of the DMZ web server. In this scenario, the IP
address is 10.30.30.30.
c. From the Netmask drop-down list, choose the Netmask 255.255.255.255.

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
6-16 78-17611-01
Chapter 6 Scenario: DMZ Configuration
Configuring the Security Appliance for a DMZ Deployment

Step 5 In the Static Translation area, specify the public IP address to be used for the web
server:
a. From the Interface drop-down list, choose Outside.
b. From the IP Address drop-down list, choose the public IP address of the DMZ
web server.
In this scenario, the public IP address of the DMZ web server is
209.165.200.226.
Step 6 Click OK to add the rule and return to the list of Address Translation Rules.
This rule maps the real web server IP address (10.30.30.30) statically to the public
IP address of the web server (209.165.200.226).

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
78-17611-01 6-17
 Chapter 6 Scenario: DMZ Configuration
Configuring the Security Appliance for a DMZ Deployment

The displayed configuration should be similar to the following:

Step 7 Click Apply to complete the adaptive security appliance configuration changes.

Providing Public HTTP Access to the DMZ Web Server

By default, the adaptive security appliance denies all traffic coming in from the
public network. You must create an access control rule on the adaptive security
appliance to permit specific traffic types from the public network to resources in
the DMZ. This access control rule specifies the interface of the adaptive security

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
6-18 78-17611-01
Chapter 6 Scenario: DMZ Configuration
Configuring the Security Appliance for a DMZ Deployment

appliance that processes the traffic, whether the traffic is incoming or outgoing,
the origin and destination of the traffic, and the type of traffic protocol and service
to be permitted.
In this section, you create an access rule that permits incoming HTTP traffic
originating from any host or network on the Internet, if the destination of the
traffic is the web server on the DMZ network. All other traffic coming in from the
public network is denied.
To configure the access control rule, perform the following steps:

Step 1 In the ASDM window:

a. Click the Configuration tool.
b. In the Features pane, click Security Policy.
c. Click the Access Rules tab, and then from the Add pull-down list, choose
Add Access Rule.
The Add Access Rule dialog box appears.

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
78-17611-01 6-19
 Chapter 6 Scenario: DMZ Configuration
Configuring the Security Appliance for a DMZ Deployment

Step 2 In the Interface and Action area:

a. From the Interface drop-down list, choose Outside.
b. From the Direction drop-down list, choose Incoming.
c. From the Action drop-down list, choose Permit.

Step 3 In the Source area:

a. From the Type drop-down list, choose IP Address.
b. Enter the IP address of the source host or source network. Use 0.0.0.0 to allow
traffic originating from any host or network.

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
6-20 78-17611-01
Chapter 6 Scenario: DMZ Configuration
Configuring the Security Appliance for a DMZ Deployment

Alternatively, if the address of the source host or network is preconfigured,

choose the source IP address from the IP Address drop-down list.
c. Enter the netmask for the source IP address or select one from the Netmask
drop-down list.
Step 4 In the Destination area:
a. In the IP address field, enter the public IP address of the destination host or
network, such as a web server. (In this scenario, the public IP address of the
DMZ web server is 209.165.200.226.)
Step 5 In the Protocol and Service area, specify the type of traffic that you want to permit
through the adaptive security appliance.
a. From the Protocol drop-down list, choose tcp.
b. In the Source Port area, click the Service radio button, choose “=” (equal to)
from the Service drop-down list, and then choose Any from the next
drop-down list.
c. In the Destination Port area, click the Service radio button, choose “=” (equal
to) from the Service drop-down list, and then choose HTTP/WWW from the
next drop-down list.

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
78-17611-01 6-21
 Chapter 6 Scenario: DMZ Configuration
Configuring the Security Appliance for a DMZ Deployment

At this point, the entries in the Add Access Rule dialog box should be similar to
the following:

d. Click OK.
Step 6 The displayed configuration should be similar to the following. Verify that the
information you entered is accurate.

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
6-22 78-17611-01
Chapter 6 Scenario: DMZ Configuration
Configuring the Security Appliance for a DMZ Deployment

Step 7 Click Apply to save the configuration changes to the configuration that the
adaptive security appliance is currently running.
Clients on both the private and public networks can now resolve HTTP requests
for content from the DMZ web server, while keeping the private network secure.

Note Although the destination address specified is the private address of the DMZ web
server (10.30.30.30), HTTP traffic from any host on the Internet destined for the
public address 209.165.200.226 is permitted through the adaptive security
appliance. The address translation (209.165.200.226 to 10.30.30.30) allows the
traffic to be permitted. For information about creating the translation rule, see the
“Configuring NAT for Inside Clients to Communicate with the DMZ Web Server”
section on page 6-12.

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
78-17611-01 6-23
 Chapter 6 Scenario: DMZ Configuration
What to Do Next

Step 8 If you want the configuration changes to be saved to the startup configuration so
that they are applied the next time the device starts, from the File menu, click
Save.
Alternatively, ASDM prompts you to save the configuration changes permanently
when you exit ASDM.
If you do not save the configuration changes, the old configuration takes effect the
next time the device starts.

What to Do Next
If you are deploying the adaptive security appliance solely to protect a web server
in a DMZ, you have completed the initial configuration. You may want to consider
performing some of the following additional steps:

To Do This ... See ...

Refine configuration and configure
optional and advanced features
Learn about daily operations
Review hardware maintenance and
troubleshooting information
Cisco Security Appliance Command
Line Configuration Guide
Cisco Security Appliance Command
Reference
Cisco Security Appliance Logging
Configuration and System Log
Messages
Cisco ASA 5500 Series Hardware
Installation Guide

You can configure the adaptive security appliance for more than one application.
The following sections provide configuration procedures for other common
applications of the adaptive security appliance.

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
6-24 78-17611-01
Chapter 6 Scenario: DMZ Configuration
What to Do Next

To Do This ... See ...

Configure a remote-access VPN Chapter 7, “Scenario: Remote-Access
VPN Configuration”
Configure a site-to-site VPN Chapter 8, “Scenario: Site-to-Site
VPN Configuration”

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
78-17611-01 6-25
 Chapter 6 Scenario: DMZ Configuration
What to Do Next

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
6-26 78-17611-01
 C H A P T E R 7
Scenario: Remote-Access VPN
Configuration

This chapter describes how to use the adaptive security appliance to accept
remote-access IPsec VPN connections. A remote-access VPN enables you to
create secure connections, or tunnels, across the Internet, thus providing secure
access to off-site users.
If you are implementing an Easy VPN solution, this chapter describes how to
configure the Easy VPN server (sometimes called a headend device).
This chapter includes the following sections:
• Example IPsec Remote-Access VPN Network Topology, page 7-1
• Implementing the IPsec Remote-Access VPN Scenario, page 7-2
• What to Do Next, page 7-18

Example IPsec Remote-Access VPN Network

Topology
Figure 7-1 shows an adaptive security appliance configured to accept requests
from and establish IPsec connections with VPN clients, such as a Cisco Easy VPN
hardware client, over the Internet.

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
78-17611-01 7-1
 Chapter 7 Scenario: Remote-Access VPN Configuration
Implementing the IPsec Remote-Access VPN Scenario

Figure 7-1 Network Layout for Remote Access VPN Scenario

Implementing the IPsec Remote-Access VPN

Scenario
This section describes how to configure the adaptive security appliance to accept
IPsec VPN connections from remote clients and devices. If you are implementing
an Easy VPN solution, this section describes how to configure an Easy VPN
server (also known as a headend device).
Values for example configuration settings are taken from the remote-access
scenario illustrated in Figure 7-1.
This section includes the following topics:
• Information to Have Available, page 7-3
• Starting ASDM, page 7-4
• Configuring the FWSM for an IPsec Remote-Access VPN, page 7-5
• Selecting VPN Client Types, page 7-6

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
7-2 78-17611-01
 Chapter 7 Scenario: Remote-Access VPN Configuration
Implementing the IPsec Remote-Access VPN Scenario

• Specifying the VPN Tunnel Group Name and Authentication Method,

page 7-7
• Specifying a User Authentication Method, page 7-8
• (Optional) Configuring User Accounts, page 7-10
• Configuring Address Pools, page 7-11
• Configuring Client Attributes, page 7-12
• Configuring the IKE Policy, page 7-13
• Configuring IPsec Encryption and Authentication Parameters, page 7-15
• Specifying Address Translation Exception and Split Tunneling, page 7-16
• Verifying the Remote-Access VPN Configuration, page 7-17

Information to Have Available

Before you begin configuring the adaptive security appliance to accept remote
access IPsec VPN connections, make sure that you have the following information
available:
• Range of IP addresses to be used in an IP pool. These addresses are assigned
to remote VPN clients as they are successfully connected.
• List of users to be used in creating a local authentication database, unless you
are using a AAA server for authentication.
• Networking information to be used by remote clients when connecting to the
VPN, including:
– IP addresses for the primary and secondary DNS servers
– IP addresses for the primary and secondary WINS servers
– Default domain name
– List of IP addresses for local hosts, groups, and networks that should be
made accessible to authenticated remote clients

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
78-17611-01 7-3
 Chapter 7 Scenario: Remote-Access VPN Configuration
Implementing the IPsec Remote-Access VPN Scenario

Starting ASDM
To run ASDM in a web browser, enter the factory default IP address in the address
field: https://192.168.1.1/admin/.

Note Remember to add the “s” in “https” or the connection fails. HTTPS
(HTTP over SSL) provides a secure connection between your browser and
the adaptive security appliance.

The Main ASDM window appears.

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
7-4 78-17611-01
 Chapter 7 Scenario: Remote-Access VPN Configuration
Implementing the IPsec Remote-Access VPN Scenario

Configuring the FWSM for an IPsec Remote-Access VPN

To begin the process for configuring a remote-access VPN, perform the following
steps:

Step 1 In the main ASDM window, choose VPN Wizard from the Wizards drop-down
menu. The VPN Wizard Step 1 screen appears.

Step 2 In Step 1 of the VPN Wizard, perform the following steps:

a. Click the Remote Access VPN radio button.
b. From the drop-down list, choose Outside as the enabled interface for the
incoming VPN tunnels.
c. Click Next to continue.

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
78-17611-01 7-5
 Chapter 7 Scenario: Remote-Access VPN Configuration
Implementing the IPsec Remote-Access VPN Scenario

Selecting VPN Client Types

In Step 2 of the VPN Wizard, perform the following steps:

Step 1 Specify the type of VPN client that will enable remote users to connect to this
adaptive security appliance. For this scenario, click the Cisco VPN Client radio
button.
You can also use any other Cisco Easy VPN remote product.

Step 2 Click Next to continue.

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
7-6 78-17611-01
 Chapter 7 Scenario: Remote-Access VPN Configuration
Implementing the IPsec Remote-Access VPN Scenario

Specifying the VPN Tunnel Group Name and Authentication

Method
In Step 3 of the VPN Wizard, perform the following steps:

Step 1 Specify the type of authentication that you want to use by performing one of the
following steps:
• To use a static preshared key for authentication, click the Pre-Shared Key
radio button and enter a preshared key (for example, “Cisco”). This key is
used for IPsec negotiations between the adaptive security appliances.
• To use digital certificates for authentication, click the Certificate radio
button, choose the Certificate Signing Algorithm from the drop-down list,
and then choose a pre-configured trustpoint name from the drop-down list.
If you want to use digital certificates for authentication but have not yet
configured a trustpoint name, you can continue with the Wizard by using one
of the other two options. You can revise the authentication configuration later
using the standard ASDM screens.
• Click the Challenge/Response Authentication (CRACK) radio button to
use that method of authentication.

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
78-17611-01 7-7
 Chapter 7 Scenario: Remote-Access VPN Configuration
Implementing the IPsec Remote-Access VPN Scenario

Step 2 Enter a Tunnel Group Name (such as “Cisco”) for the set of users that use
common connection parameters and client attributes to connect to this adaptive
security appliance.
Step 3 Click Next to continue.

Specifying a User Authentication Method

Users can be authenticated either by a local authentication database or by using
external authentication, authorization, and accounting (AAA) servers (RADIUS,
TACACS+, SDI, NT, Kerberos, and LDAP).

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
7-8 78-17611-01
Chapter 7 Scenario: Remote-Access VPN Configuration
Implementing the IPsec Remote-Access VPN Scenario

In Step 4 of the VPN Wizard, perform the following steps:

Step 1 If you want to authenticate users by creating a user database on the adaptive
security appliance, click the Authenticate Using the Local User Database radio
button.
Step 2 If you want to authenticate users with an external AAA server group:
a. Click the Authenticate Using an AAA Server Group radio button.
b. Choose a preconfigured server group from the drop-down list, or click New
to add a new server group.

Step 3 Click Next to continue.

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
78-17611-01 7-9
 Chapter 7 Scenario: Remote-Access VPN Configuration
Implementing the IPsec Remote-Access VPN Scenario

(Optional) Configuring User Accounts

If you have chosen to authenticate users with the local user database, you can
create new user accounts here. You can also add users later using the ASDM
configuration interface.
In Step 5 of the VPN Wizard, perform the following steps:

Step 1 To add a new user, enter a username and password, and then click Add.

Step 2 When you have finished adding new users, click Next to continue.

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
7-10 78-17611-01
 Chapter 7 Scenario: Remote-Access VPN Configuration
Implementing the IPsec Remote-Access VPN Scenario

Configuring Address Pools

For remote clients to gain access to your network, you must configure a pool of
IP addresses that can be assigned to remote VPN clients as they are successfully
connected. In this scenario, the pool is configured to use the range of IP addresses
209.165.201.1–209.166.201.20.
In Step 6 of the VPN Wizard, perform the following steps:

Step 1 Enter a pool name or choose a preconfigured pool from the drop-down list.

Alternatively, click New to create a new address pool.

The Add IP Pool dialog box appears.

Step 2 In the Add IP Pool dialog box:

a. Enter the Starting IP address and Ending IP address of the range.
b. (Optional) Enter the Netmask for the range of IP addresses.
c. Click OK to return to Step 6 of the VPN Wizard.

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
78-17611-01 7-11
 Chapter 7 Scenario: Remote-Access VPN Configuration
Implementing the IPsec Remote-Access VPN Scenario

Step 3 Click Next to continue.

Configuring Client Attributes

To access your network, each remote access client needs basic network
configuration information, such as which DNS and WINS servers to use and the
default domain name. Rather than configuring each remote client individually,
you can provide the client information to ASDM. The adaptive security appliance
pushes this information to the remote client or Easy VPN hardware client when a
connection is established.
Ensure that you specify the correct values, or remote clients will not be able to use
DNS names for resolution or use Windows networking.

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
7-12 78-17611-01
 Chapter 7 Scenario: Remote-Access VPN Configuration
Implementing the IPsec Remote-Access VPN Scenario

In Step 7 of the VPN Wizard, perform the following steps:

Step 1 Enter the network configuration information to be pushed to remote clients.

Step 2 Click Next to continue.

Configuring the IKE Policy

IKE is a negotiation protocol that includes an encryption method to protect data
and ensure privacy; it is also an authentication method to ensure the identity of the
peers. In most cases, the ASDM default values are sufficient to establish secure
VPN tunnels.

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
78-17611-01 7-13
 Chapter 7 Scenario: Remote-Access VPN Configuration
Implementing the IPsec Remote-Access VPN Scenario

To specify the IKE policy in Step 8 of the VPN Wizard, perform the following
steps:

Step 1 Click the Encryption (DES/3DES/AES), authentication algorithms (MD5/SHA),

and the Diffie-Hellman group (1/2/5/7) used by the adaptive security appliance
during an IKE security association.

Step 2 Click Next to continue.

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
7-14 78-17611-01
 Chapter 7 Scenario: Remote-Access VPN Configuration
Implementing the IPsec Remote-Access VPN Scenario

Configuring IPsec Encryption and Authentication Parameters

In Step 9 of the VPN Wizard, perform the following steps:

Step 1 Click the Encryption algorithm (DES/3DES/AES) and authentication algorithm

(MD5/SHA).

Step 2 Click Next to continue.

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
78-17611-01 7-15
 Chapter 7 Scenario: Remote-Access VPN Configuration
Implementing the IPsec Remote-Access VPN Scenario

Specifying Address Translation Exception and Split Tunneling

Split tunneling lets a remote-access IPsec client conditionally direct packets over
an IPsec tunnel in encrypted form or to a network interface in clear text form.
The adaptive security appliance uses Network Address Translation (NAT) to
prevent internal IP addresses from being exposed externally. You can make
exceptions to this network protection by identifying local hosts and networks that
should be made accessible to authenticated remote users. (In this scenario, the
entire inside network 10.10.10.0 is exposed to all remote clients.)
In Step 10 of the VPN Wizard, perform the following steps:

Step 1 Specify hosts, groups, and networks that should be in the list of internal resources
made accessible to authenticated remote users.
To add or remove hosts, groups, and networks dynamically from the Selected
Hosts/Networks pane, click Add or Delete, respectively.

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
7-16 78-17611-01
 Chapter 7 Scenario: Remote-Access VPN Configuration
Implementing the IPsec Remote-Access VPN Scenario

Note Enable split tunneling by checking the Enable Split Tunneling check box
at the bottom of the screen. Split tunneling allows traffic outside the
configured networks to be sent out directly to the Internet instead of over
the encrypted VPN tunnel.

Step 2 Click Next to continue.

Verifying the Remote-Access VPN Configuration

In Step 11 of the VPN Wizard, review the configuration attributes for the VPN
tunnel you just created. The displayed configuration should be similar to the
following:

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
78-17611-01 7-17
 Chapter 7 Scenario: Remote-Access VPN Configuration
What to Do Next

If you are satisfied with the configuration, click Finish to apply the changes to the
adaptive security appliance.
If you want the configuration changes to be saved to the startup configuration so
that they are applied the next time the device starts, from the File menu, click
Save. Alternatively, ASDM prompts you to save the configuration changes
permanently when you exit ASDM.
If you do not save the configuration changes, the old configuration takes effect the
next time the device starts.

What to Do Next
If you are deploying the adaptive security appliance solely in a remote-access
VPN environment, you have completed the initial configuration. In addition, you
may want to consider performing some of the following steps:

To Do This ... See ...

Refine configuration and configure
optional and advanced features
Learn about daily operations
Review hardware maintenance and
troubleshooting information
Cisco Security Appliance Command
Line Configuration Guide
Cisco Security Appliance Command
Reference
Cisco Security Appliance Logging
Configuration and System Log
Messages
Cisco ASA 5500 Series Hardware
Installation Guide

You can configure the adaptive security appliance for more than one application.
The following sections provide configuration procedures for other common
applications of the adaptive security appliance.

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
7-18 78-17611-01
Chapter 7 Scenario: Remote-Access VPN Configuration
What to Do Next

To Do This ... See ...

Configure the adaptive security Chapter 6, “Scenario: DMZ
appliance to protect a Web server in a Configuration”
DMZ
Configure a site-to-site VPN Chapter 8, “Scenario: Site-to-Site
VPN Configuration”

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
78-17611-01 7-19
 Chapter 7 Scenario: Remote-Access VPN Configuration
What to Do Next

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
7-20 78-17611-01
 C H A P T E R 8
Scenario: Site-to-Site VPN
Configuration

This chapter describes how to use the adaptive security appliance to create a
site-to-site VPN.
Site-to-site VPN features provided by the adaptive security appliance enable
businesses to extend their networks across low-cost public Internet connections to
business partners and remote offices worldwide while maintaining their network
security. A VPN connection enables you to send data from one location to another
over a secure connection, or tunnel, first by authenticating both ends of the
connection, and then by automatically encrypting all data sent between the two
sites.
This chapter includes the following sections:
• Example Site-to-Site VPN Network Topology, page 8-1
• Implementing the Site-to-Site Scenario, page 8-2
• Configuring the Other Side of the VPN Connection, page 8-13
• What to Do Next, page 8-14

Example Site-to-Site VPN Network Topology

Figure 8-1 shows an example VPN tunnel between two adaptive security
appliances.

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
78-17611-01 8-1
 Chapter 8 Scenario: Site-to-Site VPN Configuration
Implementing the Site-to-Site Scenario

Figure 8-1 Network Layout for Site-to-Site VPN Configuration Scenario

Site A Site B

Security Security
Appliance 1 Appliance 2

132066
Inside Outside Outside Inside
Internet
10.10.10.0 209.165.200.226 209.165.200.236 10.20.20.0

Creating a VPN site-to-site deployment such as the one in Figure 8-1 requires you
to configure two adaptive security appliances, one on each side of the connection.

Implementing the Site-to-Site Scenario

This section describes how to configure the adaptive security appliance in a
site-to-site VPN deployment, using example parameters from the remote-access
scenario shown in Figure 8-1.
This section includes the following sections:
• Information to Have Available, page 8-2
• Configuring the Site-to-Site VPN, page 8-3

Information to Have Available

Before you begin the configuration procedure, gather the following information:
• IP address of the remote adaptive security appliance peer
• IP addresses of local hosts and networks permitted to use the tunnel to
communicate with resources on the remote site
• IP addresses of remote hosts and networks permitted to use the tunnel to
communicate with local resources

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
8-2 78-17611-01
 Chapter 8 Scenario: Site-to-Site VPN Configuration
Implementing the Site-to-Site Scenario

Configuring the Site-to-Site VPN

This section describes how to use the ASDM VPN Wizard to configure the
adaptive security appliance for a site-to-site VPN.
For information about using the CLI to configure a site-to-site VPN, see the
configuration topics for a LAN-to-LAN IPSec VPN in the Cisco Security
Appliance Command Line Configuration Guide.
This section includes the following topics:
• Starting ASDM, page 8-3
• Configuring the Security Appliance at the Local Site, page 8-4
• Providing Information About the Remote VPN Peer, page 8-6
• Configuring the IKE Policy, page 8-7
• Configuring IPSec Encryption and Authentication Parameters, page 8-9
• Specifying Hosts and Networks, page 8-10
• Viewing VPN Attributes and Completing the Wizard, page 8-11
The following sections provide detailed instructions for how to perform each
configuration step.

Starting ASDM
To run ASDM in a web browser, enter the factory default IP address in the address
field: https://192.168.1.1/admin/.

Note Remember to add the “s” in “https” or the connection fails. HTTPS
(HTTP over SSL) provides a secure connection between your browser and
the adaptive security appliance.

The Main ASDM window appears.

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
78-17611-01 8-3
 Chapter 8 Scenario: Site-to-Site VPN Configuration
Implementing the Site-to-Site Scenario

Configuring the Security Appliance at the Local Site

Note The adaptive security appliance at the first site is referred to as Security
Appliance 1 from this point forward.

To configure the Security Appliance 1, perform the following steps:

Step 1 In the main ASDM window, choose the VPN Wizard option from the Wizards
drop-down menu. ASDM opens the first VPN Wizard screen.

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
8-4 78-17611-01
Chapter 8 Scenario: Site-to-Site VPN Configuration
Implementing the Site-to-Site Scenario

In Step 1 of the VPN Wizard, perform the following steps:

a. Click the Site-to-Site VPN radio button.

Note The Site-to-Site VPN option connects two IPSec security gateways,
which can include adaptive security appliances, VPN concentrators,
or other devices that support site-to-site IPSec connectivity.

b. From the drop-down list, choose Outside as the enabled interface for the
current VPN tunnel.

c. Click Next to continue.

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
78-17611-01 8-5
 Chapter 8 Scenario: Site-to-Site VPN Configuration
Implementing the Site-to-Site Scenario

Providing Information About the Remote VPN Peer

The VPN peer is the system on the other end of the connection that you are
configuring, usually at a remote site.

Note In this scenario, the remote VPN peer is referred to as Security Appliance 2 from
this point forward.

In Step 2 of the VPN Wizard, perform the following steps:

Step 1 Enter the Peer IP Address (the IP address of Security Appliance 2, in this scenario
209.165.200.236) and a Tunnel Group Name (for example “Cisco”).
Step 2 Specify the type of authentication that you want to use by performing one of the
following steps:
• To use a static preshared key for authentication, click the Pre-Shared Key
radio button and enter a preshared key (for example, “Cisco”). This key is
used for IPSec negotiations between the adaptive security appliances.

Note When you configure Security Appliance 2 at the remote site, the VPN
peer is Security Appliance 1. Be sure to enter the same preshared key
(Cisco) that you use here.

• Click the Challenge/Response Authentication radio button to use that

method of authentication.
• To use digital certificates for authentication, click the Certificate radio
button, choose the Certificate Signing Algorithm from the drop-down list,
and then choose a preconfigured trustpoint name from the drop-down list.
If you want to use digital certificates for authentication but have not yet
configured a trustpoint name, you can continue with the Wizard by using one
of the other two options. You can revise the authentication configuration later
using the standard ASDM screens.

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
8-6 78-17611-01
 Chapter 8 Scenario: Site-to-Site VPN Configuration
Implementing the Site-to-Site Scenario

Step 3 Click Next to continue.

Configuring the IKE Policy

IKE is a negotiation protocol that includes an encryption method to protect data
and ensure privacy; it is also an authentication method to ensure the identity of the
peers. In most cases, the ASDM default values are sufficient to establish secure
VPN tunnels between two peers.
In Step 3 of the VPN Wizard, perform the following steps:

Step 1 Click the Encryption (DES/3DES/AES), authentication algorithms (MD5/SHA),

and the Diffie-Hellman group (1/2/5) used by the adaptive security appliance
during an IKE security association.

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
78-17611-01 8-7
 Chapter 8 Scenario: Site-to-Site VPN Configuration
Implementing the Site-to-Site Scenario

Note When configuring Security Appliance 2, enter the exact values for each
of the options that you chose for Security Appliance 1. Encryption
mismatches are a common cause of VPN tunnel failures and can slow
down the process.

Step 2 Click Next to continue.

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
8-8 78-17611-01
 Chapter 8 Scenario: Site-to-Site VPN Configuration
Implementing the Site-to-Site Scenario

Configuring IPSec Encryption and Authentication Parameters

In Step 4 of the VPN Wizard, perform the following steps:

Step 1 Choose the Encryption algorithm (DES/3DES/AES) and authentication algorithm

(MD5/SHA) from the drop-down lists.

Step 2 Click Next to continue.

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
78-17611-01 8-9
 Chapter 8 Scenario: Site-to-Site VPN Configuration
Implementing the Site-to-Site Scenario

Specifying Hosts and Networks

Identify hosts and networks at the local site that are permitted to use this IPSec
tunnel to communicate with the remote-site peer. Add or remove hosts and
networks dynamically by clicking Add or Delete, respectively. In the current
scenario, traffic from Network A (10.10.10.0) is encrypted by Security
Appliance 1 and transmitted through the VPN tunnel.
In addition, identify hosts and networks at the remote site to be allowed to use this
IPSec tunnel to access local hosts and networks. Add or remove hosts and
networks dynamically by clicking Add or Delete respectively. In this scenario, for
Security Appliance 1, the remote network is Network B (10.20.20.0), so traffic
encrypted from this network is permitted through the tunnel.
In Step 5 of the VPN Wizard, perform the following steps:

Step 1 In the Source area, choose IP Address from the Type drop-down list.
Step 2 Enter the local IP address and netmask in the IP Address and Netmask fields.
Step 3 In the Destination area, choose IP Address from the Type drop-down list.
Step 4 Enter the IP address and Netmask for the remote host or network.

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
8-10 78-17611-01
 Chapter 8 Scenario: Site-to-Site VPN Configuration
Implementing the Site-to-Site Scenario

Step 5 Click Next to continue.

Viewing VPN Attributes and Completing the Wizard

In Step 6 of the VPN Wizard, review the configuration list for the VPN tunnel you
just created. If you are satisfied with the configuration, click Finish to apply the
changes to the adaptive security appliance.

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
78-17611-01 8-11
 Chapter 8 Scenario: Site-to-Site VPN Configuration
Implementing the Site-to-Site Scenario

If you want the configuration changes to be saved to the startup configuration so

that they are applied the next time the device starts, from the File menu, click
Save.
Alternatively, ASDM prompts you to save the configuration changes permanently
when you exit ASDM.
If you do not save the configuration changes, the old configuration takes effect the
next time the device starts.

This concludes the configuration process for Security Appliance 1.

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
8-12 78-17611-01
Chapter 8 Scenario: Site-to-Site VPN Configuration
Configuring the Other Side of the VPN Connection

Configuring the Other Side of the VPN Connection

You have just configured the local adaptive security appliance. Now you need to
configure the adaptive security appliance at the remote site.
At the remote site, configure the second adaptive security appliance to serve as a
VPN peer. Use the procedure you used to configure the local adaptive security
appliance, starting with the “Configuring the Security Appliance at the Local
Site” section on page 8-4 and finishing with the “Viewing VPN Attributes and
Completing the Wizard” section on page 8-11.

Note When configuring Security Appliance 2, enter the exact same values for each of
the options that you selected for Security Appliance 1. Mismatches are a common
cause of VPN configuration failures.

For information about verifying or troubleshooting the configuration for the

Site-to-Site VPN, see the section "Troubleshooting the Security Appliance" in the
Cisco Security Appliance Command Line Configuration Guide.
For specific troubleshooting issues, see the Troubleshooting Technotes at the
following location:
http://www.cisco.com/en/US/products/ps6120/prod_tech_notes_list.html
For help troubleshooting configuration issues, see the Configuration Examples
and TechNotes at the following location:
http://www.cisco.com/en/US/products/ps6120/prod_configuration_examples_lis
t.html
In particular, see the technotes for Site to Site VPN (L2L) with ASA in the
Troubleshooting Technotes. The troubleshooting technotes walk you through
using commands like the following to troubleshoot the Site-to-site VPN
configuration:
• show run isakmp
• show run ipsec
• show run tunnel-group
• show run crypto map
• debug crypto ipsec sa
• debug crypto isakmp sa

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
78-17611-01 8-13
 Chapter 8 Scenario: Site-to-Site VPN Configuration
What to Do Next

See also the Cisco Security Appliance Command Reference for detailed
information about each of these commands.

What to Do Next
If you are deploying the adaptive security appliance solely in a site-to-site VPN
environment, you have completed the initial configuration. In addition, you may
want to consider performing some of the following steps:

To Do This ... See ...

Refine configuration and configure
optional and advanced features
Learn about daily operations
Review hardware maintenance and
troubleshooting information
Cisco Security Appliance Command
Line Configuration Guide
Cisco Security Appliance Command
Reference
Cisco Security Appliance Logging
Configuration and System Log
Messages
Cisco ASA 5500 Series Hardware
Installation Guide

You can configure the adaptive security appliance for more than one application.
The following sections provide configuration procedures for other common
applications of the adaptive security appliance.

To Do This ... See ...

Configure the adaptive security Chapter 6, “Scenario: DMZ
appliance to protect a web server in a Configuration”
DMZ
Configure a remote-access VPN Chapter 7, “Scenario: Remote-Access
VPN Configuration”

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
8-14 78-17611-01
 C H A P T E R 9
Configuring the AIP SSM

The optional AIP SSM runs advanced IPS software that provides further security
inspection either in inline mode or promiscuous mode. The adaptive security
appliance diverts packets to the AIP SSM just before the packet exits the egress
interface (or before VPN encryption occurs, if configured) and after other firewall
policies are applied. For example, packets that are blocked by an access list are
not forwarded to the AIP SSM.
If you purchased an AIP SSM, use the procedures in this chapter to:
• Configure the adaptive security appliance to identify traffic to be diverted to
the AIP SSM
• Session in to the AIP SSM and run setup

Note The AIP SSM is supported in ASA software versions 7.01 and later.

This chapter includes the following sections:

• AIP SSM Configuration, page 9-1
• What to Do Next, page 9-7

AIP SSM Configuration

This procedure describes the configuration steps you must take to configure the
adaptive security appliance for AIP SSM.

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
78-17611-01 9-1
 Chapter 9 Configuring the AIP SSM
AIP SSM Configuration

This section includes the following topics:

• Overview of Configuration Process, page 9-2
• Configuring the ASA 5500 to Divert Traffic to the AIP SSM, page 9-2
• Sessioning to the AIP SSM and Running Setup, page 9-5

Overview of Configuration Process

Configuring the AIP SSM is a three-part process that involves configuration of the
adaptive security appliance first, then configuration of the AIP SSM, and then the
configuration of the IPS software:
1. On the ASA 5500 series adaptive security appliance, identify traffic to divert
to the AIP SSM (as described in the “Configuring the ASA 5500 to Divert
Traffic to the AIP SSM” section on page 9-2).
2. On the AIP SSM, configure the inspection and protection policy, which
determines how to inspect traffic and what to do when an intrusion is
detected.
3. Configure the IPS software that runs on the AIP SSM. Information about the
IPS software is beyond the scope of this document. Detailed information
about IPS software configuration is available in the following separate
documentation that came with your IPS product:
• Configuring the Cisco Intrusion Prevention System Sensor Using the
Command Line Interface
• Cisco Intrusion Prevention System Command Reference

Configuring the ASA 5500 to Divert Traffic to the AIP SSM

You use MPF (Modular Policy Framework) commands to configure the adaptive
security appliance to divert traffic to the AIP SSM. This procedure provides
sufficient information to configure a simple set of policies in an AIP SSM
deployment. If you want to create a more complex set of policies, read the
Modular Policy Framework chapter in Cisco Security Appliance Command Line
Configuration Guide which introduces Modular Policy Framework concepts and
common commands.

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
9-2 78-17611-01
Chapter 9 Configuring the AIP SSM
AIP SSM Configuration

To identify traffic to divert from the adaptive security appliance to the AIP SSM,
perform the following steps:

Step 1 Create an access list that matches all traffic:

hostname(config)# access-list acl-name permit ip any any

Step 2 Create a class map to identify the traffic that should be diverted to the AIP SSM.
Use the class-map command to do so, as follows:
hostname(config)# class-map class_map_name
hostname(config-cmap)#

where class_map_name is the name of the traffic class. When you enter the
class-map command, the CLI enters class map configuration mode.
Step 3 With the access list you created in Step 1, use a match access-list command to
identify the traffic to be scanned:
hostname(config-cmap)# match access-list acl-name

Step 4 Create a policy map or modify an existing policy map that you want to use to send
traffic to the AIP SSM. To do so, use the policy-map command, as follows:
hostname(config-cmap)# policy-map policy_map_name
hostname(config-pmap)#

where policy_map_name is the name of the policy map. The CLI enters the policy
map configuration mode and the prompt changes accordingly.
Step 5 Specify the class map, created in Step 2, that identifies the traffic to be scanned.
Use the class command to do so, as follows:
hostname(config-pmap)# class class_map_name
hostname(config-pmap-c)#

where class_map_name is the name of the class map you created in Step 2. The
CLI enters the policy map class configuration mode and the prompt changes
accordingly.
Step 6 Assign the traffic identified by the class map as traffic to be sent to the AIP SSM.
Use the ips command to do so, as follows:
hostname(config-pmap-c)# ips {inline | promiscuous} {fail-close |
fail-open}

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
78-17611-01 9-3
 Chapter 9 Configuring the AIP SSM
AIP SSM Configuration

The inline and promiscuous keywords control the operating mode of the AIP
SSM. The fail-close and fail-open keywords control how the adaptive security
appliance treats traffic when the AIP SSM is unavailable. For more information
about the operating modes and failure behavior, see the “AIP SSM Configuration”
section on page 9-1.
Step 7 Use the service-policy command to apply the policy map globally or to a specific
interface, as follows:
hostname(config-pmap-c)# service-policy policy_map_name [global |
interface interface_ID]
hostname(config)#

where policy_map_name is the policy map you configured in Step 4. If you want
to apply the policy map to traffic on all the interfaces, use the global keyword. If
you want to apply the policy map to traffic on a specific interface, use the
interface interface_ID option, where interface_ID is the name assigned to the
interface with the nameif command.
Only one global policy is allowed. You can override the global policy on an
interface by applying a service policy to that interface. You can only apply one
policy map to each interface.
The adaptive security appliance begins diverting traffic to the AIP SSM as
specified.

The following example diverts all IP traffic to the AIP SSM in promiscuous mode,
and blocks all IP traffic should the AIP SSM card fail for any reason:
hostname(config)# access-list IPS permit ip any any
hostname(config)# class-map my-ips-class
hostname(config-cmap)# match access-list IPS
hostname(config-cmap)# policy-map my-ips-policy
hostname(config-pmap)# class my-ips-class
hostname(config-pmap-c)# ips promiscuous fail-close
hostname(config-pmap-c)# service-policy my-ips-policy global

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
9-4 78-17611-01
 Chapter 9 Configuring the AIP SSM
AIP SSM Configuration

Sessioning to the AIP SSM and Running Setup

After you have completed configuration of the ASA 5500 series adaptive security
appliance to divert traffic to the AIP SSM, session to the AIP SSM and run the
setup utility for initial configuration.

Note You can either session to the SSM from the adaptive security appliance (by using
the session 1 command) or you can connect directly to the SSM using SSH or
Telnet on its management interface. Alternatively, you can use ASDM.

To session to the AIP SSM from the adaptive adaptive security appliance, perform
the following steps:

Step 1 Enter the session 1 command to session from the ASA 5500 series adaptive
security appliance to the AIP SSM:
hostname# session 1
Opening command session with slot 1.
Connected to slot 1. Escape character sequence is 'CTRL-^X'.

Step 2 Enter the username and password. The default username and password are both
cisco:

Note The first time you log in to the AIP SSM you are prompted to change the
default password. Passwords must be at least eight characters long and not
a dictionary word.

login: cisco
Password:
Last login: Fri Sep 2 06:21:20 from xxx.xxx.xxx.xxx
***NOTICE***
This product contains cryptographic features and is subject to United
States
and local country laws governing import, export, transfer and use.
Delivery
of Cisco cryptographic products does not imply third-party authority
to import,
export, distribute or use encryption. Importers, exporters,
distributors and
users are responsible for compliance with U.S. and local country laws.
By using

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
78-17611-01 9-5
 Chapter 9 Configuring the AIP SSM
AIP SSM Configuration

this product you agree to comply with applicable laws and regulations.
If you
are unable to comply with U.S. and local laws, return this product
immediately.

A summary of U.S. laws governing Cisco cryptographic products may be

found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email

to
[email protected].

***LICENSE NOTICE***
There is no license key installed on the system.
Please go to http://www.cisco.com/go/license
to obtain a new license or install a license.
AIP SSM#

Note If you see the license notice above (which displays only is some versions of
software), you can ignore the message until you need to upgrade the signature
files on the AIP SSM. The AIP SSM continues to operate at the current signature
level until a valid license key is installed. You can install the license key at a later
time. The license key does not affect the current functionality of the AIP SSM.

Step 3 Enter the setup command to run the setup utility for initial configuration of the
AIP SSM:
AIP SSM# setup

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
9-6 78-17611-01
Chapter 9 Configuring the AIP SSM
What to Do Next

What to Do Next
You are now ready to configure the adaptive security appliance for intrusion
prevention. Use the following documents to continue configuring the adaptive
security appliance for your implementation.

To Do This ... See ...

Configure the IPS sensor
Optimize performance by creating
more efficient service policies
Configuring the Cisco Intrusion
Prevention System Sensor Using the
Command Line Interface
Cisco Intrusion Prevention System
Command Reference
“Managing AIP SSM and CSC SSM”
in Cisco Security Appliance Command
Line Configuration Guide

After you have configured the IPS sensory and AIP SSM software, you may want
to consider performing some of the following additional steps:

To Do This ... See ...

Refine configuration and configure
optional and advanced features
Learn about daily operations
Review hardware maintenance and
troubleshooting information
Cisco Security Appliance Command
Line Configuration Guide
Cisco Security Appliance Command
Reference
Cisco Security Appliance Logging
Configuration and System Log
Messages
Cisco ASA 5500 Series Hardware
Installation Guide

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
78-17611-01 9-7
 Chapter 9 Configuring the AIP SSM
What to Do Next

You can configure the adaptive security appliance for more than one application.
The following sections provide configuration procedures for other common
applications of the adaptive security appliance.

To Do This ... See ...

Configure protection of a DMZ web Chapter 6, “Scenario: DMZ
server Configuration”
Configure a remote-access VPN Chapter 7, “Scenario: Remote-Access
VPN Configuration”
Configure a site-to-site VPN Chapter 8, “Scenario: Site-to-Site
VPN Configuration”

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
9-8 78-17611-01
 C H A P T E R 10
Configuring the CSC SSM

The ASA 5500 series adaptive security appliance supports the CSC SSM, which
runs Content Security and Control software. The CSC SSM provides protection
against viruses, spyware, spam, and other unwanted traffic by scanning the FTP,
HTTP, POP3, and SMTP traffic that the adaptive security appliance diverts to it.

Note The CSC SSM requires ASA software release 7.1.1 or later.

This chapter includes the following sections:

• About the CSC SSM, page 10-1
• About Deploying the Security Appliance with the CSC SSM, page 10-2
• Scenario: Security Appliance with CSC SSM Deployed for Content Security,
page 10-4
• What to Do Next, page 10-22

About the CSC SSM

The CSC SSM maintains a file containing signature profiles of suspicious content,
updated regularly from an update server at Trend Micro. The CSC SSM scans
traffic it receives from the adaptive security appliance and compares it to the
content profiles it obtains from Trend Micro. It then forwards legitimate content
on to the adaptive security appliance for routing, or blocks and reports content that
is suspicious.

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
78-17611-01 10-1
 Chapter 10 Configuring the CSC SSM
About Deploying the Security Appliance with the CSC SSM

In addition to obtaining content profiles from Trend Micro, system administrators

can also customize the configuration so that the CSC SSM scans for additional
traffic types or locations. For example, system administrators can configure the
CSC SSM to block or filter specific URLs, as well as scan for FTP and e-mail
parameters.
You use ASDM for system setup and monitoring of the CSC SSM. For advanced
configuration of content security policies in the CSC SSM software, you access
the web-based GUI for the CSC SSM by clicking links within ASDM.
This chapter describes how to configure the adaptive security appliance for the
deployment. Use of the CSC SSM GUI is provided in the Cisco Content Security
and Control SSM Administrator Guide.

About Deploying the Security Appliance with the

CSC SSM
In a network in which the adaptive security appliance is deployed with the CSC
SSM, you configure the adaptive security appliance to send to the CSC SSM only
the types of traffic that you want to be scanned.
Figure 10-1 illustrates the basic traffic flow between a company network, the
adaptive security appliance and CSC SSM, and the Internet. The network
illustrated in Figure 10-1 includes the following:
• An adaptive security appliance with a CSC SSM installed and configured
• A service policy on the adaptive security appliance specifies which traffic is
diverted to the CSC SSM for scanning

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
10-2 78-17611-01
Chapter 10 Configuring the CSC SSM
About Deploying the Security Appliance with the CSC SSM

Figure 10-1 CSC SSM Traffic Flow

Adaptive
Security Appliance
Main System
modular
service
policy
Request sent Request forwarded
inside outside
Reply forwarded Reply sent
Diverted Traffic Server
Client

content security scan

148386
CSC SSM

In this example, clients could be network users who are accessing a website,
downloading files from an FTP server, or retrieving mail from a POP3 server.
In this configuration, the traffic flow is as follows:
1. The client initiates a request.
2. The adaptive security appliance receives the request and forwards it to the
Internet.
3. When the requested content is retrieved, the adaptive security appliance
determines whether its service policies define this content type as one that
should be diverted to the CSC SSM for scanning, and does so, if appropriate.
4. The CSC SSM receives the content from the adaptive security appliance,
scans the content and compares it to the most recent update of the Trend
Micro content filters.
5. If the content is suspicious, the CSC SSM blocks the content and reports the
event. If the content is not suspicious, the CSC SSM forwards the requested
content to the adaptive security appliance for routing.

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
78-17611-01 10-3
 Chapter 10 Configuring the CSC SSM
Scenario: Security Appliance with CSC SSM Deployed for Content Security

Note The CSC SSM handles SMTP traffic differently than other content types. After
the CSC SSM receives SMTP traffic and scans it, the CSC SSM does not forward
the traffic to the adaptive security appliance for routing. Instead, the CSC SSM
forwards the SMTP traffic directly to the SMTP servers protected by the adaptive
security appliance.

Scenario: Security Appliance with CSC SSM

Deployed for Content Security
Figure 10-2 shows a typical deployment of the adaptive security appliance with
CSC SSM. Characteristics of this scenario are used as examples in the
configuration procedures later in this chapter.

Figure 10-2 CSC SSM Deployment Scenario

Adaptive Security
Appliance
inside Trend Micro
Update Server
192.168.100.1

HTTP Main System outside

Internet
Proxy management port 10.6.13.67
192.168.50.1

ASDM CSC SSM

192.168.50.38 SSM
management
port
Syslog
148387

Notifications
SMTP Server

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
10-4 78-17611-01
 Chapter 10 Configuring the CSC SSM
Scenario: Security Appliance with CSC SSM Deployed for Content Security

In this scenario, the customer has deployed an adaptive security appliance with a
CSC SSM for content security. Of particular interest are the following points:
• The adaptive security appliance is on a dedicated management network.
Although using a dedicated management network is not required, we
recommend it for security purposes.
• This adaptive security appliance configuration has two management ports:
one for the adaptive security appliance itself, and another for the CSC SSM.
All administration hosts must be able to access both IP addresses.
• The HTTP proxy server is connected to both the inside network and the
dedicated management network. This connection enables the CSC SSM to
retrieve updated content security filters from the Trend Micro Update Server.
• The management network includes an SMTP server so that administrators can
be notified of CSC SSM events. The management network also includes a
syslog server to store logs generated by the CSC SSM.

Configuration Requirements
When you plan the adaptive security appliance deployment, it is critical that the
network adhere to the following requirements:
• The SSM management port IP address must be accessible by the hosts used
to run ASDM. However, the IP addresses for the SSM management port and
the adaptive security appliance management interface can be in different
subnets.
• The SSM management port must be able to connect to the Internet so that the
CSC SSM can reach the Trend Micro Update Server.

Configuring the CSC SSM for Content Security

If you ordered your adaptive security appliance with the optional CSC SSM
module, to complete the initial configuration, you need to perform several steps
on the adaptive security appliance and in the software running on the CSC SSM.
If you followed the procedures in earlier chapters of this guide, at this point you
have an ASA system running with licensed software, and you have entered basic
system values using the Startup Wizard. Your next step is to configure the
adaptive security appliance for a content security deployment.

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
78-17611-01 10-5
 Chapter 10 Configuring the CSC SSM
Scenario: Security Appliance with CSC SSM Deployed for Content Security

The key steps are the following:

1. Obtain the software activation key from Cisco.com.
2. Collect the information you need to configure the CSC SSM.
3. Obtain activation keys from Cisco.com.
4. Open ASDM, which is used for all configuration tasks in this setup process.
5. Verify time settings.
6. Run the CSC Setup Wizard to configure the CSC SSM.
7. Configure the adaptive security appliance to divert traffic to the CSC SSM for
scanning.
These steps are described in detail in the sections that follow.

Obtain Software Activation Key from Cisco.com

With the CSC SSM, you should have received a Product Authorization Key
(PAK). Use the PAK to register the CSC SSM at the following URL:
http://www.cisco.com/go/license

After you register, you will receive activation keys by e-mail. The activation keys
are required before you can complete the procedure described in the “Run the
CSC Setup Wizard” section on page 10-9.

Collect Information
Before you start configuring the adaptive security appliance and the CSC SSM,
collect the following information:
• The IP address and netmask for the CSC SSM management port, gateway IP
address, and netmask. The adaptive security appliance IP address was
assigned when you completed the Startup Wizard, described in Chapter 5,
“Configuring the Adaptive Security Appliance.”

Note The SSM management port IP address must be accessible by the hosts used to run
ASDM. The IP addresses for the SSM management port and the adaptive security
appliance management interface can be in different subnets.

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
10-6 78-17611-01
 Chapter 10 Configuring the CSC SSM
Scenario: Security Appliance with CSC SSM Deployed for Content Security

• Hostname and domain name to be used for the CSC SSM

• DNS Server IP address
• (Optional) HTTP proxy server IP address (only if your network uses a proxy
for HTTP access to the Internet)
• E-mail address to be used for e-mail notifications; IP address and port number
of the SMTP server
• IP addresses of hosts and networks to be allowed management access to the
CSC SSM

Launch ASDM
You use ASDM to configure and manage the CSC SSM. For advanced
configuration of content security policies in the CSC SSM software, you access
the web-based GUI for the CSC SSM by clicking links within ASDM.
To launch ASDM, perform the following steps:

Step 1 On a PC that has access to the management ports for the adaptive security
appliance and the CSC SSM, launch a web browser.
Step 2 In the address field of the web browser, enter this URL: https://IP_address/
where IP_address is the IP address of the adaptive security appliance.

Note The adaptive security appliance ships with a default IP address of

192.168.1.1. Remember to add the “s” in “https” or the connection fails.
HTTPS (HTTP over SSL) provides a secure connection between your web
browser and the adaptive security appliance.

Step 3 In the dialog box that requires a username and password, leave both fields blank.
Press Enter.
Step 4 Click Yes to accept the certificates. Click Yes for all subsequent authentication
and certificate dialog boxes.
The ASDM main application window appears.

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
78-17611-01 10-7
 Chapter 10 Configuring the CSC SSM
Scenario: Security Appliance with CSC SSM Deployed for Content Security

Verify Time Settings

Verify the accuracy of the adaptive security appliance time settings, including the
time zone. Time accuracy is important for logging security events, automatic
updates of the content filter lists on the CSC SSM, and for licensing, because
licenses are time sensitive.
• If you control time settings manually, verify the clock settings. In ASDM,
choose Configuration > Device Setup > System Time > Clock..
• If you are using NTP to control time settings, verify the NTP configuration.
In ASDM, choose Configuration > Device Setup > System Time > NTP.

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
10-8 78-17611-01
 Chapter 10 Configuring the CSC SSM
Scenario: Security Appliance with CSC SSM Deployed for Content Security

Run the CSC Setup Wizard

Step 1 In the ASDM main application window, choose Configuration > Trend Micro
Content Security > Wizard Setup > Launch Wizard Setup.
The CSC Setup Wizard screen appears.
Step 2 In Step 1 of the CSC Setup Wizard, enter the product activation codes for the Base
license and if applicable, for the Plus license. You can enter the activation code
for the Plus license after the initial configuration of the CSC SSM.

Step 3 Click Next.

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
78-17611-01 10-9
 Chapter 10 Configuring the CSC SSM
Scenario: Security Appliance with CSC SSM Deployed for Content Security

Step 4 In Step 2 of the CSC Setup Wizard, enter the following information:
• IP address, network mask, and gateway IP address for the CSC management
interface
• IP address for the Primary DNS server
• (Optional) IP address and proxy port of the HTTP proxy server (only if your
network uses an HTTP proxy server to send HTTP requests to the Internet)

Step 5 Click Next.

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
10-10 78-17611-01
Chapter 10 Configuring the CSC SSM
Scenario: Security Appliance with CSC SSM Deployed for Content Security

Step 6 In Step 3 of the CSC Setup Wizard, enter the following information:
• Hostname and domain name of the CSC SSM.
• Domain name used by the local mail server as the incoming domain.

Note Anti-spam policies are applied only to e-mail traffic entering this
domain.

• Administrator e-mail address, e-mail server IP address, and port to be used

for notifications.

Step 7 Click Next.

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
78-17611-01 10-11
 Chapter 10 Configuring the CSC SSM
Scenario: Security Appliance with CSC SSM Deployed for Content Security

Step 8 In Step 4 of the CSC Setup Wizard, enter the following information:
• IP address and network mask for each subnet and host that should have
management access to the CSC SSM. By default, all networks have
management access to the CSC SSM.

Note For security purposes, we recommend that you restrict access to

specific subnets or management hosts.

• To enter a new host and network combination of settings, click Add.

• To remove an existing host and network combination, choose one from the
Selected Hosts/Networks list, and click Delete.

Step 9 Click Next.

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
10-12 78-17611-01
Chapter 10 Configuring the CSC SSM
Scenario: Security Appliance with CSC SSM Deployed for Content Security

Step 10 In Step 5 of the CSC Setup Wizard, enter the following information:
• The default factory configuration password, “cisco.”
• A new password for management access.
• Confirmation of the new password.

Step 11 Click Next.

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
78-17611-01 10-13
 Chapter 10 Configuring the CSC SSM
Scenario: Security Appliance with CSC SSM Deployed for Content Security

Step 12 In Step 6 of the CSC Setup Wizard, define traffic selections for CSC scanning.
Click Add.

The Specify Traffic for CSC Scan dialog box appears.

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
10-14 78-17611-01
Chapter 10 Configuring the CSC SSM
Scenario: Security Appliance with CSC SSM Deployed for Content Security

Step 13 Choose the interface from the drop-down list. Available options are global (all
interfaces), inside, management, and ssm management.
Step 14 Choose the source of network traffic from the IPv4 Network Objects list, and click
OK.
Step 15 To specify the destination of network traffic for the CSC to scan, click the ellipses
to display the Browse Destination dialog box.
Step 16 Choose the destination of network traffic from the IPv4 Network Objects list, and
click OK.
Step 17 To specify the type of service for the CSC to scan, click the ellipses to display the
Browse Service dialog box.
Step 18 Choose the service(s) from the list, and click OK.
Step 19 Enter a description for the network traffic that you want the CSC to scan in the
field provided.
Step 20 To specify whether or not to allow the CSC to scan network traffic if it fails, do
the following:
• To allow traffic through without being scanned, click Permit.
• To prevent traffic from going through without being scanned, click Deny.
• To save your settings, click OK. The added traffic details appear on the
Traffic Selection for CSC Scan screen.
• To discard these settings and return to the Traffic Selection for CSC Scan
screen, click Cancel. If you click Cancel, ASDM displays a dialog box to
confirm your decision.
Step 21 Click Next.

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
78-17611-01 10-15
 Chapter 10 Configuring the CSC SSM
Scenario: Security Appliance with CSC SSM Deployed for Content Security

Step 22 In Step 7 of the CSC Setup Wizard, review the configuration settings that you have
entered for the CSC SSM in the Summary screen.

Step 23 If you are satisfied with these settings, click Finish. To make changes, click Back
until you reach the screen whose settings you want to modify.
An informational message appears, indicating that the CSC SSM is active.

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
10-16 78-17611-01
 Chapter 10 Configuring the CSC SSM
Scenario: Security Appliance with CSC SSM Deployed for Content Security

Divert Traffic to the CSC SSM for Content Scanning

The adaptive security appliance diverts packets to the CSC SSM after firewall
policies are applied, but before the packets exit the outside interface. For example,
packets that are blocked by an access list are not forwarded to the CSC SSM.
Configure service policies to specify which traffic the adaptive security appliance
should be diverted to the CSC SSM. The CSC SSM can scan HTTP, POP3, FTP,
and SMTP traffic that is sent to the well-known ports for those protocols.
To simplify the initial configuration process, this procedure creates a global
service policy that diverts both inbound and outbound traffic for the supported
protocols to the CSC SSM. Because scanning all traffic coming through the
adaptive security appliance may reduce the performance of the adaptive security
appliance and the CSC SSM, you may want to revise this security policy later. For
example, it is usually not necessary to scan all traffic from your inside network,
because it is from a trusted source. By refining service policies so that the CSC
SSM scans only traffic from untrusted sources, you can achieve your security
goals and optimize performance of the adaptive security appliance and the CSC
SSM.
To create a global service policy that identifies traffic to be scanned, perform the
following steps:

Step 1 In the ASDM main application window, choose Configuration > Firewall >
Service Policy Rules.
Step 2 Click Add.
The Add Service Policy Rule Wizard - Service Policy screen appears.
Step 3 Click the Global - applies to all interfaces option.

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
78-17611-01 10-17
 Chapter 10 Configuring the CSC SSM
Scenario: Security Appliance with CSC SSM Deployed for Content Security

Step 4 Click Next.

The Add Service Policy Rule Wizard - Traffic Classification Criteria screen
appears.

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
10-18 78-17611-01
Chapter 10 Configuring the CSC SSM
Scenario: Security Appliance with CSC SSM Deployed for Content Security

Step 5 Click the Use class-default as the traffic class option.

Step 6 Click Next.
The Add Service Policy Rule Wizard - Rule Actions screen appears.

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
78-17611-01 10-19
 Chapter 10 Configuring the CSC SSM
Scenario: Security Appliance with CSC SSM Deployed for Content Security

Step 7 Click the CSC Scan tab.

Step 8 Check the Enable CSC scan for this traffic flow check box.
In the If CSC Card fails, then area, choose whether the adaptive security
appliance should permit or deny selected traffic if the CSC SSM is unavailable.
Step 9 Click Finish to exit the wizard.
The new service policy appears in the Service Policy Rules pane.

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
10-20 78-17611-01
Chapter 10 Configuring the CSC SSM
Scenario: Security Appliance with CSC SSM Deployed for Content Security

Step 10 Click Apply to save your changes.

By default, the CSC SSM is configured to perform content security scans that
were enabled according to the license that you purchased (which may include
anti-virus, anti-spam, anti-phishing, and content filtering). It is also configured to
obtain periodic updates from the Trend Micro Update Server.
If you purchased the Plus license, you can create custom settings for URL
blocking and URL filtering, as well as e-mail and FTP parameters. For more
information, see the Cisco Content Security and Control SSM Administrator
Guide.

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
78-17611-01 10-21
 Chapter 10 Configuring the CSC SSM
What to Do Next

What to Do Next
You are now ready to configure the Trend Micro Interscan for Cisco CSC SSM
software. To continue configuring the adaptive security appliance for your
implementation, use the following documents:

To Perform This Task... See...

Configure CSC SSM software, such as Cisco Content Security and Control
advanced security policies. SSM Administrator Guide
Configure additional CSC SSM ASDM online help
features in ASDM, including content
filtering.
Optimize performance by creating “Managing AIP SSM and CSC SSM”
more efficient service policies. in the Cisco Security Appliance
Command Line Configuration Guide

After you have configured the CSC SSM software, you may want to perform
some of the following additional steps:

To Perform This Task... See...

Refine the existing configuration and
configure optional and advanced
features.
Learn about daily operations.
Review hardware maintenance and
troubleshooting information.
Cisco Security Appliance Command
Line Configuration Guide
Cisco Security Appliance Command
Reference
Cisco Security Appliance Logging
Configuration and System Log
Messages
Cisco ASA 5500 Series Hardware
Installation Guide

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
10-22 78-17611-01
Chapter 10 Configuring the CSC SSM
What to Do Next

You can configure the adaptive security appliance for more than one application.
The following chapters provide configuration procedures for other common
applications of the adaptive security appliance.

To Perform This Task... See...

Configure protection of a DMZ web Chapter 6, “Scenario: DMZ
server. Configuration”
Configure a remote-access VPN. Chapter 7, “Scenario: Remote-Access
VPN Configuration”
Configure a site-to-site VPN. Chapter 8, “Scenario: Site-to-Site
VPN Configuration”

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
78-17611-01 10-23
 Chapter 10 Configuring the CSC SSM
What to Do Next

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
10-24 78-17611-01
 C H A P T E R 11
Configuring the 4GE SSM for Fiber

The 4GE Security Services Module (SSM) has four Ethernet ports, and each port
has two media type options: SFP (Small Form-Factor Pluggable) fiber or RJ 45.
You can mix the copper and fiber ports using the same 4GE card.

Note The 4GE SSM requires ASA software release 7.04 or later.

This chapter includes the following sections:

• Cabling 4GE SSM Interfaces, page 11-2
• Setting the 4GE SSM Media Type for Fiber Interfaces (Optional), page 11-3
• What to Do Next, page 11-5

Note Because the default media type setting is Ethernet, you do not need to change the
media type setting for any Ethernet interfaces you use.

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
78-17611-01 11-1
 Chapter 11 Configuring the 4GE SSM for Fiber
Cabling 4GE SSM Interfaces

Cabling 4GE SSM Interfaces

To cable 4GE SSM interfaces, perform the following steps for each port you want
to connect to a network device:

Step 1 To connect an RJ-45 (Ethernet) interface to a network device, perform the

following steps for each interface:
a. Locate a yellow Ethernet cable from the accessory kit.
b. Connect one end of the cable to an Ethernet port on the 4GE SSM as shown
in Figure 11-1.

Figure 11-1 Connecting the Ethernet port

LNK
3
2
1
0 SPD

MGMT
MGMT USB2
Cisco
SSM-4
ER
TUS

GE
POW

USB2
STA

USB1

143597
1

1 RJ-45 (Ethernet) port

c. Connect the other end of the cable to your network device.

Step 2 (Optional) If you want to use an SFP (fiber optic) port, install and cable the SFP
modules as shown in Figure 11-2:
a. Insert and slide the SFP module into the SFP port until you hear a click. The
click indicates that the SFP module is locked into the port.
b. Remove the optical port plugs from the installed SFP.
c. Locate the LC connector (fiber optic cable) in the 4GE SSM accessory kit.
d. Connect the LC connector to the SFP port.

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
11-2 78-17611-01
Chapter 11 Configuring the 4GE SSM for Fiber
Setting the 4GE SSM Media Type for Fiber Interfaces (Optional)

Figure 11-2 Connecting the LC Connector

LNK
3
2
1
0 SPD

MGMT
MGMT USB2
Cisco
SSM-4

ER
US
GE

POW
STAT

USB2

143647
USB1
2
1

1 LC connector 2 SFP module

e. Connect the other end of the LC connector to your network device.

After you have attached any SFP ports to your network devices, you must also
change the media type setting for each SFP interface. Continue with the following
procedure, “Setting the 4GE SSM Media Type for Fiber Interfaces (Optional).”

Setting the 4GE SSM Media Type for Fiber Interfaces

(Optional)
If you are using fiber interfaces, for each SFP interface you must change the
media type setting from the default setting (Ethernet) to Fiber Connector.

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
78-17611-01 11-3
 Chapter 11 Configuring the 4GE SSM for Fiber
Setting the 4GE SSM Media Type for Fiber Interfaces (Optional)

Note Because the default media type setting is Ethernet, you do not need to change the
media type setting for Ethernet interfaces you use.

To set the media type for SFP interfaces using ASDM, perform the following steps
starting from the main ASDM window:

Step 1 At the top of the ASDM window, click the Configuration tab.
Step 2 On the left side of the ASDM window, click the Interfaces tab.
Step 3 Click the 4GE SSM interface and click Edit. The Edit Interface dialog box
appears.
Step 4 Click Configure Hardware Properties. The Hardware Properties dialog box
appears.
Step 5 From the Media Type drop-down list, choose Fiber Connector.
Step 6 Click OK to return to the Edit Interfaces dialog box, then click OK to return to
the interfaces configuration dialog box.
Step 7 Repeat this procedure for each SFP interface.

You can also set the media type from the command line. For more information,
see "Configuring Ethernet Settings and Subinterfaces" in the Cisco Security
Appliance Command Line Configuration Guide.

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
11-4 78-17611-01
Chapter 11 Configuring the 4GE SSM for Fiber
What to Do Next

What to Do Next
You have completed the initial configuration. You may want to consider
performing some of the following additional steps:

To Do This ... See ...

Refine configuration and configure
optional and advanced features
Learn about daily operations
Review hardware maintenance and
troubleshooting information
Cisco Security Appliance Command
Line Configuration Guide
Cisco Security Appliance Command
Reference
Cisco Security Appliance Logging
Configuration and System Log
Messages
Cisco ASA 5500 Series Hardware
Installation Guide

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
78-17611-01 11-5
 Chapter 11 Configuring the 4GE SSM for Fiber
What to Do Next

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
11-6 78-17611-01
 APPENDIX A
Obtaining a DES License or a
3DES-AES License

Cisco adaptive security appliances are available either with a DES or 3DES-ASE
license that provides encryption technology to enable specific features, such as
secure remote management (SSH, ASDM, and so on), site-to-site VPN, and
remote access VPN. The license is enabled through an encryption license key.
If you ordered your adaptive security appliance with a DES or 3DES-AES license,
the encryption license key comes with the adaptive security appliance.
If you are a registered user of Cisco.com and would like to obtain a 3DES/AES
encryption license, go to the following website:
http://www.cisco.com/go/license
If you are not a registered user of Cisco.com, go to the following website:
https://tools.cisco.com/SWIFT/Licensing/RegistrationServlet
Provide your name, e-mail address, and the serial number for the adaptive security
appliance as it appears in the show version command output.

Note You will receive the new activation key for your adaptive security appliance
within two hours of requesting the license upgrade.

For more information on activation key examples or upgrading software, see the
Cisco Security Appliance Command Line Configuration Guide.

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
78-17611-01 A-1
 Appendix A Obtaining a DES License or a 3DES-AES License

To use the activation key, perform the following steps:

Command Purpose
Step 1 hostname# show version Shows the software release, hardware
configuration, license key, and related
uptime data.
Step 2 hostname# configure Enters global configuration mode.
terminal
Step 3 hostname(config)# Updates the encryption activation key by
activation-key replacing the activation-4-tuple-key
activation-5-tuple-key
variable with the activation key obtained
with your new license. The
activation-5-tuple-key variable is a
five-element hexadecimal string with one
space between each element. An example is
0xe02888da 0x4ba7bed6 0xf1c123ae
0xffd8624e. The “0x” is optional; all values
are assumed to be hexadecimal.
Step 4 hostname(config)# exit Exits global configuration mode.
Step 5 hostname# copy Saves the configuration.
running-config
startup-config
Step 6 hostname# reload Reboots the adaptive security appliance and
reloads the configuration.

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
A-2 78-17611-01