Cisco 5510 - ASA SSL / IPsec VPN Edition, ASA 5520, ASA 5540, ASA 5550, ASA 5510 Getting Started Manual

Cisco ASA 5500 Series Getting Started Guide
For the Cisco ASA 5510, ASA 5520, ASA 5540, and ASA 5550
Software Version 8.3
Americas Headquarters
Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000
800 553-NETS (6387)
Customer Order Number: DOC-78-19186-01 Text Part Number: 78-19186-01
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR
IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
CCDE, CCENT, CCSI, Cisco Eos, Cisco Explorer, Cisco HealthPresence, Cisco IronPort, the Cisco logo, Cisco Nurse Connect, Cisco Pulse, Cisco
SensorBase, Cisco StackPower, Cisco StadiumVision, Cisco TelePresence, Cisco TrustSec, Cisco Unified Computing System, Cisco WebEx, DCE, Flip Channels, Flip for Good, Flip Mino, Flipshare (Design), Flip Ultra, Flip Video, Flip Video (Design), Instant Broadband, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn, Cisco (Stylized), Cisco Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco logo, Cisco Collaboration Without Limitation, Continuum, EtherFast, EtherSwitch, Event Center, Explorer, Follow Me Browsing, GainMaker, iLYNX, IOS, iPhone, IronPort, the IronPort logo, Laser Link, LightStream, Linksys, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, PCNow, PIX, PowerKEY, PowerPanels, PowerTV, PowerTV (Design), PowerVu, Prisma, ProConnect, ROSA, SenderBase, SMARTnet, Spectrum Expert, StackWise, WebEx, and the WebEx logo are registered trademarks of Cisco and/or its affiliates in the United States and certain other countries.
Store, Flip Gift Card, and One Million Acts of Green are service marks; and Access Registrar, Aironet, AllTouch, AsyncOS,
IOS, Cisco Lumin, Cisco Nexus, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity,
Capital, Cisco Capital (Design), Cisco:Financed
Certified Internetwork Expert
All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1002R)
Cisco ASA 5500 Series Getting Started Guide
© 2010 Cisco Systems, Inc. All rights reserved.
CONTENTS

CHAPTER 1 Before You Begin 1-1
  ASA 5500 1-1
  ASA 5500 with AIP SSM 1-2
  ASA 5500 with CSC SSM 1-3
  ASA 5500 with 4GE SSM 1-4
  ASA 5550 1-5
  Related Documents 1-5

CHAPTER 2 Maximizing Throughput on the ASA 5550 2-1
  Embedded Network Interfaces 2-1
  Balancing Traffic to Maximize Throughput 2-2
  What to Do Next 2-5

CHAPTER 3 Installing the ASA 5550 3-1
  Verifying the Package Contents 3-2
  Installing the Chassis 3-3
    Rack-Mounting the Chassis 3-4
  Installing SFP Modules 3-6
    SFP Module 3-6
    Installing an SFP Module 3-8
  Ports and LEDs 3-9
    Front Panel LEDs 3-9
    Rear Panel LEDs and Ports in Slot 0 3-10
    Ports and LEDs in Slot 1 3-12
  Connecting Interface Cables 3-13
  What to Do Next 3-19

CHAPTER 4 Installing the ASA 5500, ASA 5510, ASA 5520, and ASA 5540 4-1
  Verifying the Package Contents 4-2
  Installing the Chassis 4-3
    Rack-Mounting the Chassis 4-4
  Ports and LEDs 4-7
  What to Do Next 4-10

CHAPTER 5 Installing Optional SSMs 5-1
  Cisco 4GE SSM 5-1
    4GE SSM Components 5-2
    Installing the Cisco 4GE SSM 5-3
    Installing the SFP Modules 5-4
      SFP Module 5-5
      Installing the SFP Module 5-6
  Cisco AIP SSM and CSC SSM 5-8
    Installing an SSM 5-9
  What to Do Next 5-10

CHAPTER 6 Connecting Interface Cables on the ASA 5500, ASA 5510, ASA 5520, and ASA 5540 Platforms 6-1
  Connecting Interface Cables 6-2
  Connecting to SSMs 6-4
    Connecting to a 4GE SSM 6-6
  Powering On the Adaptive Security Appliance 6-9
  What to Do Next 6-9

CHAPTER 7 Configuring the Adaptive Security Appliance 7-1
  About the Factory Default Configuration 7-1
  Using the CLI for Configuration 7-2
  Using the Adaptive Security Device Manager for Configuration 7-3
    Preparing to Use ASDM 7-4
    Gathering Configuration Information for Initial Setup 7-4
    Installing the ASDM Launcher 7-5
    Starting ASDM with a Web Browser 7-8
    Running the ASDM Startup Wizard 7-8
  What to Do Next 7-9

CHAPTER 8 Scenario: DMZ Configuration 8-1
  Example DMZ Network Topology 8-1
    An Inside User Visits a Web Server on the Internet 8-3
    An Internet User Visits the DMZ Web Server 8-4
    An Inside User Visits the DMZ Web Server 8-6
  Configuring the Adaptive Security Appliance for a DMZ Deployment 8-8
    Configuration Requirements 8-9
    Information to Have Available 8-10
    Enabling Inside Clients to Communicate with Devices on the Internet 8-10
    Enabling Inside Clients to Communicate with the DMZ Web Server 8-10
      Translating Internal Client IP Addresses Between the Inside and DMZ Interfaces 8-11
      Translating the Public Address of the Web Server to its Real Address on the Inside Interface 8-14
    Configuring Static PAT for Public Access to the DMZ Web Server (Port Forwarding) 8-17
    Providing Public HTTP Access to the DMZ Web Server 8-20
  What to Do Next 8-23

CHAPTER 9 Scenario: IPsec Remote-Access VPN Configuration 9-1
  Example IPsec Remote-Access VPN Network Topology 9-1
  Implementing the IPsec Remote-Access VPN Scenario 9-2
    Information to Have Available 9-3
    Configuring an IPsec Remote-Access VPN 9-3
      Selecting VPN Client Types 9-5
      Specifying the VPN Tunnel Group Name and Authentication Method 9-6
      Specifying a User Authentication Method 9-7
      (Optional) Configuring User Accounts 9-9
      Configuring Address Pools 9-10
      Configuring Client Attributes 9-11
      Configuring the IKE Policy 9-12
      Specifying Address Translation Exception and Split Tunneling 9-14
      Verifying the Remote-Access VPN Configuration 9-16
  What to Do Next 9-17

CHAPTER 10 Scenario: Configuring Connections for a Cisco AnyConnect VPN Client 10-1
  About SSL VPN Client Connections 10-1
  Obtaining the Cisco AnyConnect VPN Client Software 10-2
  Example Topology Using AnyConnect SSL VPN Clients 10-3
  Implementing the Cisco SSL VPN Scenario 10-3
    Information to Have Available 10-4
    Configuring the Adaptive Security Appliance for the Cisco AnyConnect VPN Client 10-5
      Specifying the SSL VPN Interface 10-6
      Specifying a User Authentication Method 10-7
      Specifying a Group Policy 10-8
      Configuring the Cisco AnyConnect VPN Client 10-9
      Verifying the Remote-Access VPN Configuration 10-11
  What to Do Next 10-12

CHAPTER 11 Scenario: SSL VPN Clientless Connections 11-1
  About Clientless SSL VPN 11-1
  Security Considerations for Clientless SSL VPN Connections 11-2
  Example Network with Browser-Based SSL VPN Access 11-3
  Implementing the Clientless SSL VPN Scenario 11-4
    Information to Have Available 11-5
    Configuring the Adaptive Security Appliance for Browser-Based SSL VPN Connections 11-6
      Specifying the SSL VPN Interface 11-7
      Specifying a User Authentication Method 11-8
      Specifying a Group Policy 11-10
      Creating a Bookmark List for Remote Users 11-11
      Verifying the Configuration 11-15
  What to Do Next 11-16

CHAPTER 12 Scenario: Site-to-Site VPN Configuration 12-1
  Example Site-to-Site VPN Network Topology 12-1
  Implementing the Site-to-Site Scenario 12-2
    Information to Have Available 12-3
    Configuring the Site-to-Site VPN 12-3
      Configuring the Security Appliance at the Local Site 12-3
      Providing Information About the Remote VPN Peer 12-5
      Configuring the IKE Policy 12-6
      Configuring IPsec Encryption and Authentication Parameters 12-8
      Specifying Hosts and Networks 12-9
      Viewing VPN Attributes and Completing the Wizard 12-10
    Configuring the Other Side of the VPN Connection 12-12
  What to Do Next 12-13

CHAPTER 13 Configuring the AIP SSM 13-1
  Understanding the AIP SSM 13-2
    How the AIP SSM Works with the Adaptive Security Appliance 13-2
    Operating Modes 13-3
    Using Virtual Sensors 13-4
  Configuring the AIP SSM 13-6
    AIP SSM Procedure Overview 13-6
    Sessioning to the AIP SSM 13-6
    Configuring the Security Policy on the AIP SSM 13-8
    Assigning Virtual Sensors to Security Contexts 13-9
    Diverting Traffic to the AIP SSM 13-11
  What to Do Next 13-14

CHAPTER 14 Configuring the CSC SSM 14-1
  About the CSC SSM 14-1
  About Deploying the Adaptive Security Appliance with the CSC SSM 14-2
  Scenario: Security Appliance with CSC SSM Deployed for Content Security 14-4
    Configuration Requirements 14-5
    Configuring the CSC SSM for Content Security 14-6
      Obtain Software Activation Key from Cisco.com 14-6
      Gather Information 14-7
      Verify Time Settings 14-7
      Run the CSC Setup Wizard 14-8
  What to Do Next 14-17

CHAPTER 15 Configuring the 4GE SSM for Fiber 15-1
  Cabling 4GE SSM Interfaces 15-2
  Setting the 4GE SSM Media Type for Fiber Interfaces (Optional) 15-3
  What to Do Next 15-5

APPENDIX A Obtaining a 3DES/AES License A-1
CHAPTER 1 Before You Begin

Use the following tables to find the installation and configuration steps that are required for your implementation of the Cisco ASA 5500 series adaptive security appliance.
The adaptive security appliance implementations included in this document are as follows:
ASA 5500, page 1-1
ASA 5500 with AIP SSM, page 1-2
ASA 5500 with CSC SSM, page 1-3
ASA 5500 with 4GE SSM, page 1-4
ASA 5550, page 1-5
Related Documents, page 1-5

ASA 5500

To Do This ... | See ...
Install the chassis | Chapter 4, “Installing the ASA 5500, ASA 5510, ASA 5520, and ASA 5540”
Connect interface cables | Chapter 6, “Connecting Interface Cables on the ASA 5500, ASA 5510, ASA 5520, and ASA 5540 Platforms”
Perform initial setup of the adaptive security appliance | Chapter 7, “Configuring the Adaptive Security Appliance”
Configure the adaptive security appliance for your implementation | Chapter 8, “Scenario: DMZ Configuration”; Chapter 9, “Scenario: IPsec Remote-Access VPN Configuration”; Chapter 10, “Scenario: Configuring Connections for a Cisco AnyConnect VPN Client”; Chapter 11, “Scenario: SSL VPN Clientless Connections”; Chapter 12, “Scenario: Site-to-Site VPN Configuration”
Configure optional and advanced features | Cisco ASA 5500 Series Configuration Guide using the CLI
Operate the system on a daily basis | Cisco ASA 5500 Series Command Reference; Cisco ASA 5500 Series System Log Messages

ASA 5500 with AIP SSM

To Do This ... | See ...
Install the chassis | Chapter 4, “Installing the ASA 5500, ASA 5510, ASA 5520, and ASA 5540”
Install the AIP SSM | Chapter 5, “Installing Optional SSMs”
Connect interface cables | Chapter 6, “Connecting Interface Cables on the ASA 5500, ASA 5510, ASA 5520, and ASA 5540 Platforms”
Perform initial setup of the adaptive security appliance | Chapter 7, “Configuring the Adaptive Security Appliance”
Configure the adaptive security appliance for AIP SSM | Chapter 9, “Scenario: IPsec Remote-Access VPN Configuration”
Configure IPS software for intrusion prevention | Configuring the Cisco Intrusion Prevention System Sensor Using the Command Line Interface
Refine configuration and configure optional and advanced features | Cisco ASA 5500 Series Configuration Guide using the CLI; Cisco ASA 5500 Series Command Reference; Cisco ASA 5500 Series System Log Messages

ASA 5500 with CSC SSM

To Do This ... | See ...
Install the chassis | Chapter 4, “Installing the ASA 5500, ASA 5510, ASA 5520, and ASA 5540”
Install the CSC SSM | Chapter 5, “Installing Optional SSMs”
Connect interface cables | Chapter 6, “Connecting Interface Cables on the ASA 5500, ASA 5510, ASA 5520, and ASA 5540 Platforms”
Perform initial setup of the adaptive security appliance | Chapter 7, “Configuring the Adaptive Security Appliance”
Configure the adaptive security appliance for content security | Chapter 14, “Configuring the CSC SSM”
Configure the CSC SSM | Cisco Content Security and Control SSM Administrator Guide
Refine configuration and configure optional and advanced features | Cisco ASA 5500 Series Configuration Guide using the CLI; Cisco ASA 5500 Series Command Reference; Cisco ASA 5500 Series System Log Messages

ASA 5500 with 4GE SSM

To Do This ... | See ...
Install the chassis | Chapter 4, “Installing the ASA 5500, ASA 5510, ASA 5520, and ASA 5540”
Install the 4GE SSM | Chapter 5, “Installing Optional SSMs”
Connect interface cables | Chapter 6, “Connecting Interface Cables on the ASA 5500, ASA 5510, ASA 5520, and ASA 5540 Platforms”
Perform initial setup of the adaptive security appliance | Chapter 7, “Configuring the Adaptive Security Appliance”
Install the fiber optic module | Chapter 5, “Installing Optional SSMs”
Refine configuration and configure optional and advanced features | Cisco ASA 5500 Series Configuration Guide using the CLI; Cisco ASA 5500 Series Command Reference; Cisco ASA 5500 Series System Log Messages

ASA 5550

To Do This ... | See ...
Install the chassis | Chapter 3, “Installing the ASA 5550”
Install the fiber optic module, if any | Chapter 3, “Installing the ASA 5550”
Connect interface cables | Chapter 3, “Installing the ASA 5550”
Perform initial setup of the adaptive security appliance | Chapter 7, “Configuring the Adaptive Security Appliance”
Refine configuration and configure optional and advanced features | Cisco ASA 5500 Series Configuration Guide using the CLI; Cisco ASA 5500 Series Command Reference; Cisco ASA 5500 Series System Log Messages

Related Documents

For more information, see the following documentation:
Documentation Roadmap for the Cisco ASA 5500 Series
Cisco ASA 5500 Series Release Notes
Release Notes for Cisco ASDM
Cisco ASA 5500 Series Configuration Guide using the CLI
Cisco ASA 5500 Series Command Reference
Cisco ASA 5500 Series System Log Messages
Migrating to ASA for VPN 3000 Series Concentrator Administrators
Cisco Secure Desktop Configuration Guide for Cisco ASA 5500 Series Administrators
Open Source Software Licenses for ASA and PIX Security Appliances
CHAPTER 2 Maximizing Throughput on the ASA 5550

Note: This chapter applies only to the Cisco ASA 5550.

The Cisco ASA 5550 adaptive security appliance is designed to deliver maximum throughput when configured according to the guidelines described in this chapter.
This chapter includes the following sections:
Embedded Network Interfaces, page 2-1
Balancing Traffic to Maximize Throughput, page 2-2
What to Do Next, page 2-5

Embedded Network Interfaces

The adaptive security appliance has two internal buses providing copper Gigabit Ethernet and fiber Gigabit Ethernet connectivity:
Slot 0 (corresponding to Bus 0) has four embedded copper Gigabit Ethernet ports.
Slot 1 (corresponding to Bus 1) has four embedded copper Gigabit Ethernet ports and four embedded SFPs that support fiber Gigabit Ethernet connectivity.
Figure 2-1 shows the embedded ports on the Cisco ASA 5550.

Figure 2-1 Embedded Ports on the ASA 5550
[Figure: rear panel of the ASA 5550. Slot 1 carries the copper Ethernet ports 0 to 3 and the fiber Ethernet (SFP) ports; Slot 0 carries the copper Ethernet ports 0 to 3, MGMT, USB1, USB2, FLASH, CONSOLE, and AUX. The front-panel LEDs POWER, STATUS, FLASH, VPN, and ACTIVE are also shown.]

Note: To establish fiber connectivity on the adaptive security appliance, you must order and install SFP modules for each fiber port you want to use. For more information on fiber ports and SFP modules, see the “Installing SFP Modules” section on page 3-6.

Note: Although Slot 1 has four copper Ethernet ports and four fiber Ethernet ports, you can use only four Slot 1 ports at a time. For example, you could use two Slot 1 copper ports and two fiber ports, but you cannot use fiber ports if you are already using all four Slot 1 copper ports.

Balancing Traffic to Maximize Throughput

To maximize traffic throughput, configure the adaptive security appliance so that traffic is distributed equally between the two buses in the device. To achieve this, lay out the network so that all traffic flows through both Bus 0 (Slot 0) and Bus 1 (Slot 1), entering through one bus and exiting through the other.
In Figure 2-2 and Figure 2-3, network traffic is distributed so that all traffic flows through both buses in the device, enabling the adaptive security appliance to deliver maximum throughput.

Figure 2-2 Traffic Evenly Distributed for Maximum Throughput (Copper to Copper)
[Figure: incoming and outgoing traffic on a Slot 0 copper port and on a Slot 1 copper port, labelled “Maximum throughput”.]

Figure 2-3 Traffic Evenly Distributed for Maximum Throughput (Copper to Fiber)
[Figure: incoming and outgoing traffic on a Slot 0 copper port and on a Slot 1 fiber port, labelled “Maximum throughput”.]
Figure 2-4 illustrates several configurations that do not enable the adaptive security appliance to deliver maximum throughput because network traffic flows through only one bus on the device.

Figure 2-4 Configurations Not Enabling Maximum Throughput
[Figure: four rear-panel views in which the incoming and outgoing traffic both use ports on the same slot, so only Bus 0 or only Bus 1 carries the traffic.]
Note: You can use the show traffic command to see the traffic throughput over each bus. For more information about using the command, see the Cisco ASA 5500 Series Command Reference.
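The two-bus guideline above (every traffic path should enter on one bus and leave on the other, and at most four Slot 1 ports may be in use) can be checked against a planned interface layout before any cable is connected. The following Python script is an added example, not code from the Cisco guide. It assumes that the Slot 0 data ports are named GigabitEthernet0/0 to 0/3 (as the guide lists them) and that the Slot 1 data ports are named GigabitEthernet1/0 to 1/3 (an assumption), that Management0/0 never forwards traffic, and that only the interface and nameif lines of an ASA configuration need to be read. The sample configuration embedded in the script is constructed for illustration.

```python
"""Check planned ASA 5550 traffic paths against the two-bus guideline.

Added example, not code from the Cisco guide. Assumptions: Slot 0 data ports
are GigabitEthernet0/0 to 0/3 (as the guide lists them); Slot 1 data ports are
assumed to be GigabitEthernet1/0 to 1/3; Management0/0 carries management
traffic only and is rejected as a forwarding interface.
"""
import re

# The slot number is the bus number: Slot 0 = Bus 0, Slot 1 = Bus 1.
_DATA_PORT = re.compile(r"^GigabitEthernet([01])/([0-3])$")
SLOT1_PORT_LIMIT = 4  # the guide allows at most four Slot 1 ports in use


def bus_of(interface: str) -> int:
    """Return the bus (0 or 1) that a data interface belongs to."""
    m = _DATA_PORT.match(interface)
    if m is None:
        raise ValueError(f"{interface!r} is not an ASA 5550 data port")
    return int(m.group(1))


def parse_nameifs(config_text: str) -> dict:
    """Map nameif -> physical interface from 'interface'/'nameif' lines.

    Only those two commands are parsed; security-level, ip address and
    other interface sub-commands are ignored.
    """
    names, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
        elif line.startswith("nameif ") and current is not None:
            names[line.split(None, 1)[1]] = current
    return names


def audit_paths(names: dict, paths: list) -> dict:
    """Return {(src, dst): True} when the path crosses both buses.

    False marks the situation of Figure 2-4: the path enters and leaves on
    the same bus, so throughput is bounded by that one bus.
    """
    return {
        (src, dst): bus_of(names[src]) != bus_of(names[dst])
        for src, dst in paths
    }


def slot1_ports_in_use(names: dict) -> int:
    """Count distinct Slot 1 ports that carry a nameif."""
    return len({iface for iface in names.values() if bus_of(iface) == 1})


def slot1_within_limit(names: dict) -> bool:
    """True when Slot 1 usage stays within the four-port limit."""
    return slot1_ports_in_use(names) <= SLOT1_PORT_LIMIT


# Constructed sample configuration: inside on Slot 1, outside and dmz on Slot 0.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
interface GigabitEthernet0/1
 nameif dmz
 security-level 50
interface GigabitEthernet1/0
 nameif inside
 security-level 100
interface Management0/0
 management-only
"""

if __name__ == "__main__":
    names = parse_nameifs(SAMPLE_CONFIG)
    paths = [("inside", "outside"), ("dmz", "outside")]
    for (src, dst), crosses in audit_paths(names, paths).items():
        verdict = "uses both buses" if crosses else f"stays on Bus {bus_of(names[src])}"
        print(f"{src} ({names[src]}) -> {dst} ({names[dst]}): {verdict}")
    print(f"Slot 1 ports in use: {slot1_ports_in_use(names)} (limit {SLOT1_PORT_LIMIT})")
```

Run as-is, the script reports that inside-to-outside traffic uses both buses while dmz-to-outside traffic stays on Bus 0, which is the single-bus layout the guide says to avoid; moving the dmz interface to a Slot 1 port would fix that path.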
What to Do Next

Continue with Chapter 3, “Installing the ASA 5550.”
CHAPTER 3 Installing the ASA 5550

Caution: Read the safety warnings in the Regulatory Compliance and Safety Information for the Cisco ASA 5500 Series and follow proper safety procedures when performing these steps.

Warning: Only trained and qualified personnel should install, replace, or service this equipment. Statement 49

This chapter describes the ASA 5550 adaptive security appliance and rack-mount and installation procedures for the adaptive security appliance. This chapter includes the following sections:
Verifying the Package Contents, page 3-2
Installing the Chassis, page 3-3
Installing SFP Modules, page 3-6
Ports and LEDs, page 3-9
Connecting Interface Cables, page 3-13
What to Do Next, page 3-19
Verifying the Package Contents

Verify the contents of the packing box, shown in Figure 3-1, to ensure that you have received all items necessary to install the Cisco ASA 5550.

Figure 3-1 Contents of ASA 5550 Package
[Figure: the packing box contents, labelled as follows.]
Cisco ASA 5550 adaptive security appliance
Yellow Ethernet cable (72-1482-01)
Blue console cable
PC terminal adapter
Mounting brackets: right (700-18797-01 AO), left (700-18798-01 AO)
4 flathead screws (48-0451-01 AO)
2 long cap screws (48-0654-01 AO)
4 cap screws (48-0523-01 AO)
4 rubber feet
Cable holder
Documentation: Safety and Compliance Guide, Cisco ASA 5550 Adaptive Security Appliance Product CD
Installing the Chassis

This section describes how to rack-mount and install the adaptive security appliance. You can mount the adaptive security appliance in a 19-inch rack (with a 17.5- or 17.75-inch opening).

Warning: To prevent bodily injury when mounting or servicing this unit in a rack, you must take special precautions to ensure that the system remains stable. The following guidelines are provided to ensure your safety.

The following information can help plan equipment rack installation:
Allow clearance around the rack for maintenance.
When mounting a device in an enclosed rack, ensure adequate ventilation. An enclosed rack should never be overcrowded. Make sure that the rack is not congested, because each unit generates heat.
When mounting a device in an open rack, make sure that the rack frame does not block the intake or exhaust ports.
If the rack contains only one unit, mount the unit at the bottom of the rack.
If the rack is partially filled, load the rack from the bottom to the top, with the heaviest component at the bottom of the rack.
If the rack contains stabilizing devices, install the stabilizers prior to mounting or servicing the unit in the rack.

Warning: Before performing any of the following procedures, ensure that the power source (AC or DC) is off. To ensure that power is removed from the DC circuit, locate the circuit breaker on the panel board that services the DC circuit, switch the circuit breaker to the OFF position, and tape the switch handle of the circuit breaker in the OFF position.
Rack-Mounting the Chassis

To rack-mount the chassis, perform the following steps:

Note: You can use the mounting brackets to mount the chassis to the front or the back of the rack, with the front panel or the rear panel of the chassis facing outward.

Step 1 Attach the rack-mount brackets to the chassis using the supplied screws. Attach the brackets to the holes as shown in Figure 3-2. After the brackets are secured to the chassis, you can rack-mount it.

Figure 3-2 Installing the Right and Left Brackets
[Figure: the right and left brackets attached to the rear of the chassis, with callouts 1 to 3.]

Step 2 Attach the chassis to the rack using the supplied screws, as shown in Figure 3-3.

Figure 3-3 Rack-Mounting the Chassis
[Figure: the chassis, with the brackets attached to the front, being screwed into the rack.]

Note: Figure 3-2 shows the rack mounting brackets attached to the rear of the chassis, while Figure 3-3 shows the rack mounting brackets attached to the front of the chassis. You can attach the mounting brackets to the front or the rear of the chassis so that you can have the front panel or the rear panel of the chassis facing outward. Figure 3-2 shows the brackets attached to the rear so you can see how that configuration appears, while Figure 3-3 shows the brackets attached to the front so that you can see how that configuration appears. In Step 1 and Step 2, you will choose to have either the brackets rear mounted or front mounted, but not both.

To remove the chassis from the rack, remove the screws that attach the chassis to the rack, and then remove the chassis.
Installing SFP Modules

The adaptive security appliance uses a field-replaceable SFP module to establish fiber Gigabit Ethernet connections.
This section describes how to install and remove SFP modules in the adaptive security appliance. This section includes the following topics:
SFP Module, page 3-6
Installing an SFP Module, page 3-8

SFP Module

The SFP (Small Form-Factor Pluggable) module is a hot-swappable input/output device that plugs into the fiber ports.

Note: If you install an SFP module after the adaptive security appliance has powered on, you must reload the adaptive security appliance to enable the SFP module.

Table 3-1 lists the SFP modules that are supported by the adaptive security appliance.

Table 3-1 Supported SFP Modules
SFP Module | Type of Connection | Cisco Part Number
1000BASE-LX/LH | Fiber | GLC-LH-SM=
1000BASE-SX | Fiber | GLC-SX-MM=

The 1000BASE-LX/LH and 1000BASE-SX SFP modules are used to establish fiber connections. Use fiber cables with LC connectors to connect to an SFP module. The SFP modules support 850 to 1550 nm nominal wavelengths. The cables must not exceed the required cable length for reliable communications.
Table 3-2 lists the cable length requirements.
Table 3-2 Cabling Requirements for Fiber-Optic SFP Modules
SFP Module | 62.5/125 micron Multimode 850 nm Fiber | 50/125 micron Multimode 850 nm Fiber | 62.5/125 micron Multimode 1310 nm Fiber | 50/125 micron Multimode 1310 nm Fiber | 9/125 micron Single-mode 1310 nm Fiber
LX/LH | n/a | n/a | 550 m at 500 MHz-km | 550 m at 400 MHz-km | 10 km
SX | 275 m at 200 MHz-km | 550 m at 500 MHz-km | n/a | n/a | n/a

Use only Cisco-certified SFP modules on the adaptive security appliance. Each SFP module has an internal serial EEPROM that is encoded with security information. This encoding provides a way for Cisco to identify and validate that the SFP module meets the requirements for the adaptive security appliance.

Note: Only SFP modules certified by Cisco are supported on the adaptive security appliance.

Caution: Protect your SFP modules by inserting clean port plugs into the SFPs after the cables are extracted from them. Be sure to clean the optic surfaces of the fiber cables before you plug them back into the optical bores of another SFP module. Avoid getting dust and other contaminants into the optical bores of your SFP modules: the optics do not work correctly when obstructed with dust.

Warning: Because invisible laser radiation may be emitted from the aperture of the port when no cable is connected, avoid exposure to laser radiation and do not stare into open apertures. Statement 70
Installing an SFP Module

To install an SFP module in a fiber port in Slot 1, perform the following steps:

Step 1 Line up the SFP module with the port and slide the SFP module into the port slot until it locks into position, as shown in Figure 3-4.

Figure 3-4 Installing an SFP Module
[Figure: 1 Port plug, 2 Port slot, 3 SFP module.]

Caution: Do not remove the port plugs from the SFP module until you are ready to connect the cables.

Step 2 Remove the port plug; then connect the network cable to the SFP module.
Step 3 Connect the other end of the cable to your network. For more information on connecting the cables, see Chapter 3, “Connecting Interface Cables.”
Chapter 3 Installing the ASA 5550
119638
POWER STATUS
FLASH
ACTIVE
VPN
CISCO ASA 5540
SERIES
Adaptive Security Appliance
1
2
3
4
5
Caution The latching mechanism used on many SFP modules locks them into place when
cables are connected. Do not pull on the cabling in an attempt to remove the SFP module.
Ports and LEDs
This section describes the front and rear panels. Figure 3-5 shows the front panel LEDs. This section includes the following topics:
Front Panel LEDs, page 3-9
Ports and LEDs
Rear Panel LEDs and Ports in Slot 0, page 3-10
Ports and LEDs in Slot 1, page 3-12
Front Panel LEDs
Figure 3-5 shows the LEDs on the front panel of the adaptive security appliance.
Figure 3-5 Front Panel LEDs
LED Color State Description
1 Power Green On The system has power.
78-19186-01
Cisco ASA 5500 Series Getting Started Guide
3-9
Page 32
Chapter 3 Installing the ASA 5550
153103
LINK SPD2LINK SPD1LINK SPD
0
LINK SPD
3
MGMT
USB2
USB1
FLASH
CONSOLE
AUX
POWER
STATUS
FLASH
1
9
2
3
4
5
11
13
14
7
8 10 12
VPN
ACTIVE
PWR
STATUS
LNK
SPD0123
6
Ports and LEDs
LED Color State Description
2 Status Green Flashing The power-up diagnostics are running or the system is booting.
Solid The system has passed power-up diagnostics.
Amber Solid The power-up diagnostics have failed.
3 Active Green Flashing There is network activity.
4 VPN Green Solid VPN tunnel is established.
5 Flash Green Solid The CompactFlash is being accessed.
Rear Panel LEDs and Ports in Slot 0
Figure 3-6 shows the rear panel LEDs and ports in Slot 0.
Figure 3-6 Rear Panel LEDs and Ports on Slot 0 (AC Power Supply Model Shown)
1 Management Port
1
6 USB 2.0 interfaces
2 External CompactFlash slot 7 Network interfaces
2
3
11 VPN LED
12 Flash LED
3 Serial Console port 8 Power indicator LED 13 AUX port
4 Power switch 9 Status indicator LED 14 Power connector
5 Power indicator LED 10 Active LED
1. The management 0/0 interface is a Fast Ethernet interface designed for management traffic only.
2. Reserved for future use.
Cisco ASA 5500 Series Getting Started Guide
3-10
78-19186-01
Page 33
Chapter 3 Installing the ASA 5550
126917
USB2
USB1
LNK SPD
3
LNK SPD2LNK SPD1LNK SPD
0
MGMT
21
Ports and LEDs
3. GigabiteEthernet interfaces, from right to left, GigabitEthernet 0/0, GigabitEthernet 0/1, GigabitEthernet 0/2, and GigabitEthernet 0/3.
For more information on the Management Port, see the management-only command in the Cisco ASA 5500 Series Command Reference.
Figure 3-7 shows the adaptive security appliance rear panel LEDs.
Figure 3-7 Rear Panel Link and Speed Indicator LEDs
1 MGMT indicator LEDs 2 Network interface LEDs
Table 3-3 lists the rear MGMT and Network interface LEDs.
Table 3-3 Link and Speed LEDs
Indicator Color Description
Left side Solid green Physical link
Left side Green flashing Network activity
Right side Not lit 10 Mbps
Right side Green 100 Mbps
Right side Amber 1000 Mbps
Ports and LEDs in Slot 1
Figure 3-8 illustrates the ports and LEDs in Slot 1.
Figure 3-8 Ports and LEDs in Slot 1
1 Copper Ethernet ports
2 RJ-45 Link LED
3 RJ-45 Speed LED
4 Power LED
5 Status LED
6 Fiber Ethernet ports
7 SFP Link LED
8 SFP Speed LED
Note Figure 3-8 shows SFP modules installed in the fiber Ethernet ports. You must order and install the SFP modules if you want to establish fiber Ethernet connectivity. For more information on fiber ports and SFP modules, see the “Installing SFP Modules” section on page 3-6.
Table 3-4 describes the LEDs in Slot 1.
Table 3-4 LEDs on Bus G1
LED Color State Description
2, 7 LINK Green Solid There is an Ethernet link.
2, 7 LINK Green Flashing There is Ethernet activity.
3, 8 SPEED Off 10 MB There is no network activity.
3, 8 SPEED Green 100 MB There is network activity at 100 Mbps.
3, 8 SPEED Amber 1000 MB (GigE) There is network activity at 1000 Mbps.
4 POWER Green On The system has power.
5 STATUS Green Flashing The system is booting.
5 STATUS Green Solid The system booted correctly.
5 STATUS Amber Solid The system diagnostics failed.
Connecting Interface Cables
This section describes how to connect the appropriate cables to the Console, Auxiliary, Management, copper Ethernet, and fiber Ethernet ports.
To connect cables to the network interfaces, perform the following steps:
Step 1 Place the chassis on a flat, stable surface, or in a rack (if you are rack-mounting it).
Step 2 Connect to the Management port.
The adaptive security appliance has a dedicated interface for device management that is referred to as the Management0/0 port. The Management0/0 port is a Fast Ethernet interface. This port is similar to the Console port, but the Management0/0 port only accepts incoming traffic to the adaptive security appliance.
Note You can configure any interface to be a management-only interface using the management-only command. You can also disable management-only mode on the management interface. For more information about this command, see the management-only command in the Cisco ASA 5500 Series Command Reference.
a. Locate an Ethernet cable, which has an RJ-45 connector on each end.
b. Connect one RJ-45 connector to the Management0/0 port, as shown in Figure 3-9.
c. Connect the other end of the Ethernet cable to the Ethernet port on your computer or to your management network.
Figure 3-9 Connecting to the Management Port
1 Management port
2 RJ-45 to RJ-45 Ethernet cable
Step 3 Connect to the Console port.
a. Before connecting a computer or terminal to any ports, check to determine the baud rate of the serial port. The baud rate of the computer or terminal must match the default baud rate (9600 baud) of the Console port of the adaptive security appliance.
Set up the terminal as follows: 9600 baud (default), 8 data bits, no parity, 1 stop bit, and Flow Control (FC) = Hardware.
b. Locate the serial console cable, which has an RJ-45 connector on one end and a DB-9 connector on the other end for the serial port on your computer.
c. Connect the RJ-45 connector to the Console port of the adaptive security appliance as shown in Figure 3-10.
d. Connect the DB-9 connector to the console port on your computer.
Figure 3-10 Connecting the Console Cable
1 RJ-45 Console port
2 RJ-45 to DB-9 console cable
Step 4 Connect to the Auxiliary port (labeled AUX).
a. Locate the serial console cable, which has an RJ-45 connector on one end and a DB-9 connector on the other end for the serial port on your computer.
b. Connect the RJ-45 connector of the cable to the Auxiliary port (labeled AUX) on the adaptive security appliance, as shown in Figure 3-11.
c. Connect the other end of the cable, the DB-9 connector, to the serial port on your computer.
Figure 3-11 Connecting to the AUX Port
1 RJ-45 AUX port
2 RJ-45 to DB-9 console cable
Step 5 Connect to copper Ethernet ports to be used for network connections. Copper Ethernet ports are available both in Slot 0 and Slot 1.
Note You must use a port in Slot 0 for the inside interface, and a port in Slot 1 for the outside interface.
a. Connect one end of an Ethernet cable to a copper Ethernet port, as shown in Figure 3-12 and Figure 3-13.
Figure 3-12 Connecting to a Copper Ethernet Interface in Slot 0
1 Copper Ethernet ports
2 RJ-45 connector
Figure 3-13 Connecting to a Copper Ethernet Interface in Slot 1
1 Copper Ethernet ports
2 RJ-45 connector
b. Connect the other end of the Ethernet cable to a network device, such as a router, switch or hub.
Step 6 Connect to fiber Ethernet ports to be used for network connections.
Note Slot 1 contains four copper Ethernet ports and four fiber Ethernet ports. You can use both types of ports, but you can only have a total of four Slot 1 ports in use at a time. For example, you could use two copper Ethernet ports and two fiber Ethernet ports.
For each fiber port you want to use, perform the following steps:
a. Install the SFP module:
Insert and slide the SFP module into the fiber port until you hear a click. The click indicates that the SFP module is locked into the port.
Remove the port plug from the installed SFP as shown in Figure 3-14.
Figure 3-14 Removing the Fiber Port Plug
1 Port plug 2 SFP module
b. Connect the LC connector to the SFP module as shown in Figure 3-15.
Figure 3-15 Connecting the LC Connector
1 LC connector
2 SFP module
c. Connect the other end of the cable to a network device, such as a router, switch, or hub.
Step 7 Connect the power cord to the adaptive security appliance and plug the other end to the power source.
Step 8 Power on the chassis.
What to Do Next
Continue with Chapter 7, “Configuring the Adaptive Security Appliance.”
CHAPTER 4
Installing the ASA 5500, ASA 5510, ASA 5520, and ASA 5540
Note This chapter does not apply to the ASA 5550.
Warning Only trained and qualified personnel should install, replace, or service this equipment. Statement 49
Caution Read the safety warnings in the Regulatory Compliance and Safety Information for the Cisco ASA 5500 Series and follow proper safety procedures when performing these steps.
This chapter provides a product overview and describes the memory requirements, rack-mount, and installation procedures for the adaptive security appliance. This chapter includes the following sections:
Verifying the Package Contents, page 4-2
Installing the Chassis, page 4-3
Ports and LEDs, page 4-7
What to Do Next, page 4-10
Note The illustrations in this document show the Cisco ASA 5540 adaptive security appliance. The Cisco ASA 5510 adaptive security appliance and Cisco ASA 5520 adaptive security appliance are identical, containing the same back panel features and indicators.
Verifying the Package Contents
Verify the contents of the packing box to ensure that you have received all items necessary to install your Cisco ASA 5500 series adaptive security appliance.
Figure 4-1 Contents of ASA 5500 Package
Yellow Ethernet cable (72-1482-01)
Mounting brackets: right (700-18797-01 AO), left (700-18798-01 AO)
4 flathead screws (48-0451-01 AO)
2 long cap screws (48-0654-01 AO)
4 cap screws (48-0523-01 AO)
Safety and Compliance Guide
Cisco ASA 5500 adaptive security appliance
Documentation
Cisco ASA 5500 Adaptive Security Appliance Product CD
4 rubber feet
Cable holder
Blue console cable
PC terminal adapter
Installing the Chassis
This section describes how to rack-mount and install the adaptive security appliance. You can mount the adaptive security appliance in a 19-inch rack (with a 17.5- or 17.75-inch opening).
Warning To prevent bodily injury when mounting or servicing this unit in a rack, you must take special precautions to ensure that the system remains stable. The following guidelines are provided to ensure your safety.
The following information can help plan equipment rack installation:
Allow clearance around the rack for maintenance.
When mounting a device in an enclosed rack ensure adequate ventilation. An enclosed rack should never be overcrowded. Make sure that the rack is not congested, because each unit generates heat.
When mounting a device in an open rack, make sure that the rack frame does not block the intake or exhaust ports.
If the rack contains only one unit, mount the unit at the bottom of the rack.
If the rack is partially filled, load the rack from the bottom to the top, with the heaviest component at the bottom of the rack.
If the rack contains stabilizing devices, install the stabilizers prior to mounting or servicing the unit in the rack.
Warning Before performing any of the following procedures, ensure that power is removed from the DC circuit. To ensure that all power is OFF, locate the circuit breaker on the panel board that services the DC circuit, switch the circuit breaker to the OFF position, and tape the switch handle of the circuit breaker in the OFF position.
Rack-Mounting the Chassis
To rack-mount the chassis, perform the following steps:
Note You can use the mounting brackets to mount the chassis to the front or the back of the rack, with the front panel or the rear panel of the chassis facing outward.
Step 1 Attach the rack-mount brackets to the chassis using the supplied screws. Attach the brackets to the holes as shown in Figure 4-2 and Figure 4-3. After the brackets are secured to the chassis, you can rack-mount it.
Figure 4-2 Installing the Left Bracket on the Rear Panel of the Chassis
Figure 4-3 Installing the Right Bracket on the Rear Panel of the Chassis
Step 2 Attach the chassis to the rack using the supplied screws, as shown in Figure 4-4.
Figure 4-4 Rack-Mounting the Chassis
Note Figure 4-2 and Figure 4-3 show the rack mounting brackets attached to the rear of the chassis while Figure 4-4 shows the rack mounting brackets attached to the front of the chassis. You can attach the mounting brackets to the front or the rear of the chassis so that you can have the front panel or the rear panel of the chassis facing outward. Figure 4-2 and Figure 4-3 show the brackets attached to the rear so you can see how that configuration appears while Figure 4-4 shows the brackets attached to the front so that you can see how that configuration appears. In Step 1 and Step 2, you will choose to have either the brackets rear mounted or front mounted but not both.
To remove the chassis from the rack, remove the screws that attach the chassis to the rack, and then remove the chassis.
Ports and LEDs
This section describes the front and rear panels. Figure 4-5 shows the front panel LEDs.
Figure 4-5 Front Panel LEDs
LED Color State Description
1 Power Green On The system has power.
2 Status Green Flashing The power-up diagnostics are running or the system is booting.
2 Status Green Solid The system has passed power-up diagnostics.
2 Status Amber Solid The power-up diagnostics have failed.
3 Active Green Solid This is the active failover device.
3 Active Amber Solid This is the standby failover device.
4 VPN Green Solid VPN tunnel is established.
5 Flash Green Solid The CompactFlash is being accessed.
Figure 4-6 shows the rear panel features for the adaptive security appliance.
Figure 4-6 Rear Panel LEDs and Ports (AC Power Supply Model Shown)
1 Management Port (note 1)
2 External CompactFlash slot (note 2)
3 Serial Console port
4 Power switch
5 Power indicator LED
6 USB 2.0 interfaces
7 Network interfaces (note 3)
8 Power indicator LED
9 Status indicator LED
10 Active LED
11 VPN LED
12 Flash LED
13 AUX port
14 Power connector
1. The Management 0/0 interface is a Fast Ethernet interface designed for management traffic only.
2. Not supported at this time.
3. GigabitEthernet interfaces, from right to left, GigabitEthernet 0/0, GigabitEthernet 0/1, GigabitEthernet 0/2, and GigabitEthernet 0/3.
For more information on the Management Port, see the “Management-Only” section in the Cisco ASA 5500 Series Command Reference.
Figure 4-7 shows the adaptive security appliance rear panel LEDs.
Figure 4-7 Rear Panel Link and Speed Indicator LEDs
1 MGMT indicator LEDs
2 Network interface LEDs
Table 4-1 lists the rear MGMT and Network interface LEDs.
Table 4-1 Link and Speed LEDs
Indicator Color Description
Left side Solid green Physical link
Left side Green flashing Network activity
Right side Not lit 10 Mbps
Right side Green 100 Mbps
Right side Amber 1000 Mbps
Note The ASA 5510 adaptive security appliance only supports 10/100BaseTX. The ASA 5520 adaptive security appliance and the ASA 5540 adaptive security appliance support 1000BaseT.
What to Do Next
Continue with one of the following chapters.
To Do This... See...
Install SSMs you purchased but that have not yet been installed: Chapter 5, “Installing Optional SSMs”
Continue with connecting interface cables: Chapter 6, “Connecting Interface Cables on the ASA 5500, ASA 5510, ASA 5520, and ASA 5540 Platforms”
CHAPTER 5
Installing Optional SSMs
Note This chapter does not apply to the ASA 5550.
This chapter provides information about installing optional SSMs (Security Services Modules) and their components. You only need to use the procedures in this chapter if you purchased an optional SSM and it is not yet installed.
This chapter includes the following sections:
Cisco 4GE SSM, page 5-1
Cisco AIP SSM and CSC SSM, page 5-8
What to Do Next, page 5-10
Cisco 4GE SSM
The 4GE Security Services Module (SSM) has eight Ethernet ports: four 10/100/1000 Mbps, copper, RJ-45 ports or four optional 1000 Mbps, Small Form-Factor Pluggable (SFP) fiber ports.
This section describes how to install and replace the Cisco 4GE SSM in the adaptive security appliance. This section includes the following topics:
4GE SSM Components, page 5-2
Installing the Cisco 4GE SSM, page 5-3
Installing the SFP Modules, page 5-4
4GE SSM Components
Figure 5-1 lists the Cisco 4GE SSM ports and LEDs.
Figure 5-1 Cisco 4GE SSM Ports and LEDs
1 RJ-45 ports
2 RJ-45 Link LED
3 RJ-45 Speed LED
4 Power LED
5 Status LED
6 SFP ports
7 SFP Link LED
8 SFP Speed LED
Note Figure 5-1 shows SFP modules installed in the port slots. You must order and install the SFP modules if you want to use this feature. For more information on SFP ports and modules, see the “Installing the SFP Modules” section on page 5-4.
Table 5-1 describes the Cisco 4GE SSM LEDs.
Table 5-1 Cisco 4GE SSM LEDs
LED Color State Description
2, 7 LINK Green Solid There is an Ethernet link.
2, 7 LINK Green Flashing There is Ethernet activity.
3, 8 SPEED Off 10 MB There is no network activity.
3, 8 SPEED Green 100 MB There is network activity at 100 Mbps.
3, 8 SPEED Amber 1000 MB (GigE) There is network activity at 1000 Mbps.
4 POWER Green On The system has power.
5 STATUS Green Flashing The system is booting.
5 STATUS Green Solid The system booted correctly.
5 STATUS Amber Solid The system diagnostics failed.
Installing the Cisco 4GE SSM
To install a new Cisco 4GE SSM for the first time, perform the following steps:
Step 1 Power off the adaptive security appliance.
Step 2 Locate the grounding strap from the accessory kit and fasten it to your wrist so that it contacts your bare skin. Attach the other end to the chassis.
Step 3 Remove the two screws (as shown in Figure 5-2) at the left rear end of the chassis, and remove the slot cover.
Figure 5-2 Removing the Screws from the Slot Cover
Step 4 Insert the Cisco 4GE SSM through the slot opening as shown in Figure 5-3.
Figure 5-3 Inserting the Cisco 4GE SSM into the Slot
Step 5 Attach the screws to secure the Cisco 4GE SSM to the chassis.
Step 6 Power on the adaptive security appliance.
Step 7 Check the LEDs. If the Cisco 4GE SSM is installed properly the STATUS LED flashes during boot up and is solid when operational.
Step 8 Connect one end of the RJ-45 cable to the port and the other end of the cable to your network devices. For more information, see Chapter 6, “Connecting Interface Cables on the ASA 5500, ASA 5510, ASA 5520, and ASA 5540 Platforms.”
Installing the SFP Modules
The SFP (Small Form-Factor Pluggable) is a hot-swappable input/output device that plugs into the SFP ports. The following SFP module types are supported:
Long wavelength/long haul 1000BASE-LX/LH (GLC-LH-SM=)
Short wavelength 1000BASE-SX (GLC-SX-MM=)
This section describes how to install and remove the SFP modules in the adaptive security appliance to provide optical Gigabit Ethernet connectivity. This section includes the following topics:
SFP Module, page 5-5
Installing the SFP Module, page 5-6
SFP Module
The adaptive security appliance uses a field-replaceable SFP module to establish Gigabit connections.
Note If you install an SFP module after the switch has powered on, you must reload the adaptive security appliance to enable the SFP module.
Table 5-2 lists the SFP modules that are supported by the adaptive security appliance.
Table 5-2 Supported SFP Modules
SFP Module Type of Connection Cisco Part Number
1000BASE-LX/LH Fiber-optic GLC-LH-SM=
1000BASE-SX Fiber-optic GLC-SX-MM=
The 1000BASE-LX/LH and 1000BASE-SX SFP modules are used to establish fiber-optic connections. Use fiber-optic cables with LC connectors to connect to an SFP module. The SFP modules support 850 to 1550 nm nominal wavelengths. The cables must not exceed the required cable length for reliable communications.
Table 5-3 lists the cable length requirements.
Table 5-3 Cabling Requirements for Fiber-Optic SFP Modules
SFP Module LX/LH:
62.5/125 micron Multimode 1310 nm Fiber: 550 m at 500 MHz-km
50/125 micron Multimode 1310 nm Fiber: 550 m at 400 MHz-km
9/125 micron Single-mode 1310 nm Fiber: 10 km
SFP Module SX:
62.5/125 micron Multimode 850 nm Fiber: 275 m at 200 MHz-km
50/125 micron Multimode 850 nm Fiber: 550 m at 500 MHz-km
Note Only SFP modules certified by Cisco are supported on the adaptive security appliance.
Use only Cisco certified SFP modules on the adaptive security appliance. Each SFP module has an internal serial EEPROM that is encoded with security information. This encoding provides a way for Cisco to identify and validate that the SFP module meets the requirements for the adaptive security appliance.
Caution Protect your SFP modules by inserting clean dust plugs into the SFPs after the cables are extracted from them. Be sure to clean the optic surfaces of the fiber cables before you plug them back in the optical bores of another SFP module. Avoid getting dust and other contaminants into the optical bores of your SFP modules: The optics do not work correctly when obstructed with dust.
Warning Because invisible laser radiation may be emitted from the aperture of the port when no cable is connected, avoid exposure to laser radiation and do not stare into open apertures. Statement 70
Installing the SFP Module
To install the SFP module in the Cisco 4GE SSM, perform the following steps:
Step 1 Line up the SFP module with the port and slide the SFP module into the port slot until it locks into position as shown in Figure 5-4.
Figure 5-4 Installing an SFP Module
1 Optical port plug
2 SFP port slot
3 SFP module
Caution Do not remove the optical port plugs from the SFP until you are ready to connect the cables.
Step 2 Remove the Optical port plug; then connect the network cable to the SFP module.
Step 3 Connect the other end of the cable to your network. For more information on connecting the cables, see Chapter 6, “Connecting Interface Cables on the ASA 5500, ASA 5510, ASA 5520, and ASA 5540 Platforms.”
Caution The latching mechanism used on many SFPs locks them into place when cables are connected. Do not pull on the cabling in an attempt to remove the SFP.
Cisco AIP SSM and CSC SSM
The ASA 5500 series adaptive security appliance supports the AIP SSM (Advanced Inspection and Prevention Security Services Module) and the CSC SSM (Content Security Control Security Services Module), also referred to as the intelligent SSM.
The AIP SSM runs advanced IPS software that provides security inspection. There are two models of the AIP SSM: the AIP SSM 10 and the AIP SSM 20. Both types look identical, but the AIP SSM 20 has a faster processor and more memory than the AIP SSM 10. Only one module (the AIP SSM 10 or the AIP SSM 20) can populate the slot at a time.
Table 5-4 lists the memory specifications for the AIP SSM 10 and the AIP SSM 20.
Table 5-4 SSM Memory Specifications
SSM CPU DRAM
AIP SSM 10 2.0 GHz Celeron 1.0 GB
AIP SSM 20 2.4 GHz Pentium 4 2.0 GB
For more information on the AIP SSM, see the Cisco ASA 5500 Series Configuration Guide using the CLI.
The CSC SSM runs Content Security and Control software. The CSC SSM provides protection against viruses, spyware, spam, and other unwanted traffic. For more information on the CSC SSM, see the Cisco ASA 5500 Series Configuration Guide using the CLI.
This section describes how to install and replace the SSM in the adaptive security appliance.
Figure 5-5 lists the SSM LEDs.
Figure 5-5 SSM LEDs
Table 5-5 describes the SSM LEDs.
Table 5-5 SSM LEDs
LED Color State Description
1 PWR Green On The system has power.
2 STATUS Green Flashing The system is booting.
2 STATUS Green Solid The system has passed power-up diagnostics.
3 LINK/ACT Green Solid There is an Ethernet link.
3 LINK/ACT Green Flashing There is Ethernet activity.
4 SPEED Green 100 MB There is network activity.
4 SPEED Amber 1000 MB (GigE) There is network activity.
Installing an SSM
To install a new SSM, perform the following steps:
Step 1 Power off the adaptive security appliance.
Step 2 Locate the grounding strap from the accessory kit and fasten it to your wrist so that it contacts your bare skin. Attach the other end to the chassis.
Step 3 Remove the two screws (as shown in Figure 5-6) at the left rear end of the chassis, and remove the slot cover.
Figure 5-6 Removing the Screws from the Slot Cover
Step 4 Insert the SSM into the slot opening as shown in Figure 5-7.
Figure 5-7 Inserting the SSM into the Slot
Step 5 Attach the screws to secure the SSM to the chassis.
Step 6 Power on the adaptive security appliance. Check the LEDs. If the SSM is installed properly, the POWER LED is solid green and the STATUS LED flashes green.
Step 7 Connect one end of the RJ-45 cable to the port and the other end of the cable to your network devices.
What to Do Next
Continue with Chapter 6, “Connecting Interface Cables on the ASA 5500, ASA 5510, ASA 5520, and ASA 5540 Platforms.”
CHAPTER 6
Connecting Interface Cables on the ASA 5500, ASA 5510, ASA 5520, and ASA 5540 Platforms
Note This chapter does not apply to the ASA 5550.
This chapter describes how to connect the cables to the Console, Auxiliary, Management, 4GE SSM, and SSM ports. In this document, SSM refers to an intelligent SSM, the AIP SSM, or CSC SSM.
Note The 4GE SSM, AIP SSM, and CSC SSM are optional security services modules. If your adaptive security appliance does not include these modules, continue with Chapter 7, “Configuring the Adaptive Security Appliance.”
Warning Only trained and qualified personnel should install, replace, or service this equipment. Statement 49
Caution Read the safety warnings in the Regulatory Compliance and Safety Information for the Cisco ASA 5500 Series and follow proper safety procedures when performing these steps.
This chapter includes the following sections:
Connecting Interface Cables, page 6-2
Connecting to SSMs, page 6-4
Connecting to a 4GE SSM, page 6-6
Powering On the Adaptive Security Appliance, page 6-9
What to Do Next, page 6-9
Connecting Interface Cables
This section describes how to connect the appropriate cables to the Console, Management, copper Ethernet, and fiber Ethernet ports.
Note The RJ-45 Auxiliary port (labeled AUX on the chassis) is reserved for internal use at Cisco. The port is not functional in shipping versions of the chassis; therefore, customers cannot connect to this port to run the adaptive security appliance CLI.
To connect cables to the network interfaces, perform the following steps:
Step 1 Place the chassis on a flat, stable surface, or in a rack (if you are rack-mounting it).
Step 2 Connect to the Management port.
The adaptive security appliance has a dedicated interface for device management that is referred to as the Management0/0 port. The Management0/0 port is a Fast Ethernet interface. This port is similar to the Console port, but the Management0/0 port only accepts incoming traffic to the adaptive security appliance.
Note You can configure any interface to be a management-only interface using the management-only command. You can also disable management-only mode on the management interface. For more information about this command, see the management-only command in the Cisco ASA 5500 Series Command Reference.
a. Locate an Ethernet cable, which has an RJ-45 connector on each end.
b. Connect one RJ-45 connector to the Management0/0 port, as shown in Figure 6-1.
c. Connect the other end of the Ethernet cable to the Ethernet port on your computer or to your management network.
Note When connecting a computer directly to the management port on the adaptive security appliance, use a crossover Ethernet cable. When connecting a computer to the adaptive security appliance through a hub or switch, use a straight through Ethernet cable to connect the hub or switch to the management port.
Figure 6-1 Connecting to the Management Port
1 Management port
2 RJ-45 to RJ-45 Ethernet cable
Step 3 Connect to the Console port.
a. Before connecting a computer or terminal to any ports, check to determine the baud rate of the serial port. The baud rate must match the default baud rate (9600 baud) of the Console port of the adaptive security appliance.
Set up the terminal as follows: 9600 baud (default), 8 data bits, no parity, 1 stop bit, and Flow Control (FC) = Hardware.
b. Locate the serial console cable, which has an RJ-45 connector on one end and a DB-9 connector on the other end for the serial port on your computer.
c. Connect the RJ-45 connector to the Console port of the adaptive security appliance as shown in Figure 6-2.
d. Connect the DB-9 connector to the console port on your computer.
Figure 6-2 Connecting the Console Cable
1 RJ-45 Console port 2 RJ-45 to DB-9 console cable
Connecting to SSMs
SSMs are optional; this procedure is necessary only if you have installed an SSM on the adaptive security appliance.
Note This procedure does not apply to the 4GE SSM. See Connecting to a 4GE SSM, page 6-6 for information about connecting to the 4GE SSM.
To connect to an SSM, perform the following steps:
Step 1 Connect one RJ-45 connector to the management port on the SSM, as shown in Figure 6-3.
Step 2 Connect the other end of the RJ-45 cable to your network devices.
Figure 6-3 Connecting to the SSM Management Port
1 SSM management port 2 RJ-45 to RJ-45 cable
Step 3 Connect to Ethernet ports to be used for network connections.
a. Connect the RJ-45 connector to the Ethernet port.
b. Connect the other end of the Ethernet cable to your network device, such as a router, switch or hub.
Figure 6-4 Connecting Cables to Network Interfaces
1 RJ-45 Ethernet ports 2 RJ-45 connector
Note You can use any unused Ethernet interface on the device as the failover link. The failover link interface is not configured as a normal networking interface; it should only be used for the failover link. You can connect the LAN-based failover link by using a dedicated switch with no hosts or routers on the link or by using a crossover Ethernet cable to link the units directly. For more information, see the Configuring Failover chapter in the Cisco ASA 5500 Series Configuration Guide using the CLI. See also Chapter 4, “Ports and LEDs” for information about the Ethernet interfaces.
Connecting to a 4GE SSM
The 4GE SSM is optional; therefore, this step is necessary only if you have installed a 4GE SSM on the adaptive security appliance.
To connect to a 4GE SSM, perform the following steps:
Step 1 Connect to copper Ethernet ports to be used for network connections.
a. Connect one end of an Ethernet cable to a copper Ethernet port.
b. Connect the other end of the Ethernet cable to a network device, such as a router, switch or hub.
Step 2 Connect to fiber Ethernet ports to be used for network connections. For each fiber port you want to use, perform the following steps:
a. Install the SFP module:
Insert and slide the SFP module into the fiber port until you hear a click. The click indicates that the SFP module is locked into the port.
Remove the port plug from the installed SFP as shown in Figure 6-5.
Figure 6-5 Removing the Fiber Port Plug
1 Port plug 2 SFP module
Connect the LC connector to the SFP module as shown in Figure 6-6.
Figure 6-6 Connecting the LC Connector
b. Connect the other end of the cable to a network device, such as a router, switch, or hub.
Powering On the Adaptive Security Appliance
To power on the adaptive security appliance, perform the following steps:
Step 1 Connect the power cord to the adaptive security appliance and plug the other end to the power source.
Step 2 Power on the chassis.
What to Do Next
Continue with Chapter 7, “Configuring the Adaptive Security Appliance.”
CHAPTER 7
Configuring the Adaptive Security Appliance
This chapter describes the initial configuration of the adaptive security appliance. You can perform the configuration steps using either the browser-based Cisco Adaptive Security Device Manager (ASDM) or the command-line interface (CLI). The procedures in this chapter describe how to configure the adaptive security appliance using ASDM.
This chapter includes the following sections:
About the Factory Default Configuration, page 7-1
Using the CLI for Configuration, page 7-2
Using the Adaptive Security Device Manager for Configuration, page 7-3
Running the ASDM Startup Wizard, page 7-8
What to Do Next, page 7-9
About the Factory Default Configuration
Cisco adaptive security appliances are shipped with a factory-default configuration that enables quick startup. The ASA 5500 series comes preconfigured with the following:
Two VLANs: VLAN 1 and VLAN 2
VLAN 1 has the following properties: named “inside”; allocated switch ports Ethernet 0/1 through Ethernet 0/7; security level of 100; IP address of 192.168.1.1 255.255.255.0.
VLAN 2 has the following properties: named “outside”; allocated switch port Ethernet 0/0; security level of 0; configured to obtain its IP address using DHCP.
Inside interface to connect to the device and use ASDM to complete your configuration.
By default, the adaptive security appliance Inside interface is configured with a default DHCP address pool. This configuration enables a client on the inside network to obtain a DHCP address from the adaptive security appliance to connect to the appliance. Administrators can then configure and manage the adaptive security appliance using ASDM.
Using the CLI for Configuration
In addition to the ASDM web configuration tool, you can configure the adaptive security appliance by using the command-line interface.
You can get step-by-step examples of how to configure basic remote access and LAN-to-LAN connections in the CLI itself by using the vpnsetup ipsec-remote-access steps and vpnsetup site-to-site steps commands. For more information about these commands, see the Cisco ASA 5500 Series Command Reference.
For step-by-step configuration procedures for all functional areas of the adaptive security appliance, see the Cisco ASA 5500 Series Configuration Guide using the CLI.
Using the Adaptive Security Device Manager for Configuration
The Adaptive Security Device Manager (ASDM) is a feature-rich graphical interface that allows you to manage and monitor the adaptive security appliance. The web-based design provides secure access so that you can connect to and manage the adaptive security appliance from any location by using a web browser.
In addition to complete configuration and management capability, ASDM features intelligent wizards to simplify and accelerate the deployment of the adaptive security appliance.
This section includes the following topics:
Preparing to Use ASDM, page 7-4
Gathering Configuration Information for Initial Setup, page 7-4
Installing the ASDM Launcher, page 7-5
Starting ASDM with a Web Browser, page 7-8
Preparing to Use ASDM
Before you can use ASDM, perform the following steps:
Step 1 If you have not already done so, connect the MGMT interface to a switch or hub by using the Ethernet cable. To this same switch, connect a PC for configuring the adaptive security appliance.
Step 2 Configure your PC to use DHCP (to receive an IP address automatically from the adaptive security appliance), which enables the PC to communicate with the adaptive security appliance and the Internet as well as to run ASDM for configuration and management tasks.
Alternatively, you can assign a static IP address to your PC by selecting an address in the 192.168.1.0 subnet. (Valid addresses are 192.168.1.2 through 192.168.1.254, with a mask of 255.255.255.0 and default route of 192.168.1.1.)
When you connect other devices to any of the inside ports, make sure that they do not have the same IP address.
Note The MGMT interface of the adaptive security appliance is assigned 192.168.1.1 by default, so this address is unavailable.
Step 3 Check the LINK LED on the MGMT interface.
When a connection is established, the LINK LED on the adaptive security appliance and the corresponding LINK LED on the switch or hub turn solid green.
Gathering Configuration Information for Initial Setup
Gather the following information to be used with the ASDM Startup Wizard:
A unique hostname to identify the adaptive security appliance on your network.
The domain name.
The IP addresses of your outside interface, inside interface, and any other interfaces to be configured.
IP addresses for hosts that should have administrative access to this device using HTTPS for ASDM, SSH, or Telnet.
The privileged mode password for administrative access.
The IP addresses to use for NAT or PAT address translation, if any.
The IP address range for the DHCP server.
The IP address for the WINS server.
Static routes to be configured.
If you want to create a DMZ, you must create a third VLAN and assign ports to that VLAN. (By default, there are two VLANs configured.)
Interface configuration information: whether traffic is permitted between interfaces at the same security level, and whether traffic is permitted between hosts on the same interface.
If you are configuring an Easy VPN hardware client, the IP addresses of primary and secondary Easy VPN servers; whether the client is to run in client or network extension mode; and user and group login credentials to match those configured on the primary and secondary Easy VPN servers.
Installing the ASDM Launcher
You can launch ASDM in either of two ways: by downloading the ASDM Launcher software so that ASDM runs locally on your PC, or by enabling Java and JavaScript in your web browser and accessing ASDM remotely from your PC. This procedure describes how to set up your system to run ASDM locally.
To install the ASDM Launcher, perform the following steps:
Step 1 On the PC connected to the switch or hub, launch an Internet browser.
a. In the address field of the browser, enter this URL: https://192.168.1.1/admin.
Note The adaptive security appliance ships with a default IP address of 192.168.1.1. Remember to add the “s” in “https” or the connection fails. HTTPS (HTTP over SSL) provides a secure connection between your browser and the adaptive security appliance.
The Cisco ASDM splash screen appears.
b. Click Install ASDM Launcher and Run ASDM.
c. In the dialog box that requires a username and password, leave both fields empty. Click OK.
d. Click Yes to accept the certificates. Click Yes for all subsequent authentication and certificate dialog boxes.
e. When the File Download dialog box opens, click Open to run the installation program directly. It is not necessary to save the installation software to your hard drive.
f. When the InstallShield Wizard appears, follow the instructions to install the ASDM Launcher software.
Step 2 From your desktop, start the Cisco ASDM Launcher software.
A dialog box appears.
Step 3 Enter the IP address or the host name of your adaptive security appliance.
Step 4 Enter the IP address or host name of your adaptive security appliance.
Step 5 Leave the Username and Password fields blank.
Note By default, there is no Username and Password set for the Cisco ASDM Launcher.
Step 6 Click OK.
Step 7 If you receive a security warning containing a request to accept a certificate, click Yes.
The ASA checks to see if there is updated software and if so, downloads it automatically.
The main ASDM window appears.
ASDM starts and the main window appears.
Starting ASDM with a Web Browser
To run ASDM in a web browser, enter the factory default IP address in the address field: https://192.168.1.1/admin/.
Note Remember to add the “s” in “https” or the connection fails. HTTP over SSL (HTTPS) provides a secure connection between your browser and the adaptive security appliance.
The Main ASDM window appears.
Running the ASDM Startup Wizard
ASDM includes a Startup Wizard to simplify the initial configuration of your adaptive security appliance. With a few steps, the Startup Wizard enables you to configure the adaptive security appliance so that it allows packets to flow securely between the inside network and the outside network.
To use the Startup Wizard to set up a basic configuration for the adaptive security appliance, perform the following steps:
Step 1 From the Wizards menu at the top of the ASDM window, choose Startup Wizard.
Step 2 Follow the instructions in the Startup Wizard to set up your adaptive security appliance.
For information about any field in the Startup Wizard, click Help at the bottom of the window.
Note If you get an error requesting a DES license or a 3DES-AES license, see Appendix A, “Obtaining a 3DES/AES License” for information.
Note Based on your network security policy, you should also consider configuring the adaptive security appliance to deny all ICMP traffic through the outside interface or any other interface that is necessary. You can configure this access control policy using ASDM. From the ASDM main page, click Configuration > Properties > ICMP Rules. Add an entry for the outside interface. Set the IP address to 0.0.0.0, the netmask to 0.0.0.0, and Action to deny.
What to Do Next
Configure the adaptive security appliance for your deployment using one or more of the following chapters.
To Do This... See...
Configure the adaptive security appliance to protect a DMZ web server: Chapter 8, “Scenario: DMZ Configuration”
Configure the adaptive security appliance for remote-access VPN: Chapter 9, “Scenario: IPsec Remote-Access VPN Configuration”
Configure the adaptive security appliance for SSL VPN connections using software clients: Chapter 10, “Scenario: Configuring Connections for a Cisco AnyConnect VPN Client”
Configure the adaptive security appliance for SSL VPN connections using a web browser: Chapter 11, “Scenario: SSL VPN Clientless Connections”
Configure the adaptive security appliance for site-to-site VPN: Chapter 12, “Scenario: Site-to-Site VPN Configuration”
CHAPTER 8
Scenario: DMZ Configuration
A demilitarized zone (DMZ) is a separate network located in the neutral zone between a private (inside) network and a public (outside) network.
This chapter includes the following sections:
Example DMZ Network Topology, page 8-1
Configuring the Adaptive Security Appliance for a DMZ Deployment, page 8-8
What to Do Next, page 8-23
Example DMZ Network Topology
This chapter describes how to configure a DMZ deployment of the adaptive security appliance as shown in Figure 8-1.
In this example, the web server is on the DMZ interface, and HTTP clients from both the inside and outside networks can access the web server.
Figure 8-1 Network Layout for DMZ Configuration Scenario
Figure 8-1 shows the inside user (192.168.1.2) on the Inside network behind the inside interface (192.168.1.1); the web server in the DMZ behind the DMZ interface (10.30.30.1), with private IP address 10.30.30.30 and public IP address 209.165.200.225; and the outside interface (public IP address 209.165.200.225) facing the Internet and www.example.com.
This example scenario has the following characteristics:
The web server is on the DMZ interface of the adaptive security appliance.
Clients on the inside network can access the web server in the DMZ and can also communicate with devices on the Internet.
Clients on the Internet are permitted HTTP access to the DMZ web server; all other traffic coming from the Internet is denied.
The network has one IP address that is publicly available: the outside interface of the adaptive security appliance (209.165.200.225). This public address is shared by the adaptive security appliance and the DMZ web server.
This section includes the following topics:
An Inside User Visits a Web Server on the Internet, page 8-3
An Internet User Visits the DMZ Web Server, page 8-4
An Inside User Visits the DMZ Web Server, page 8-6
An Inside User Visits a Web Server on the Internet
Figure 8-2 shows the traffic flow through the adaptive security appliance when an inside user requests an HTTP page from a web server on the Internet.
Figure 8-2 An Inside User Visits an Internet Web Server
Figure 8-2 shows the inside user (192.168.1.2) reaching www.example.com on the Internet, with source address translation 192.168.1.2 to 209.165.200.225 at the outside interface; the inside interface (192.168.1.1), DMZ interface (10.30.30.1) and the DMZ web server (private IP address 10.30.30.30, public IP address 209.165.200.225) are unchanged.
When an inside user requests an HTTP page from a web server on the Internet, data moves through the adaptive security appliance as follows:
1. The user on the inside network requests a web page from www.example.com.
2. The adaptive security appliance receives the packet and, because it is a new session, verifies that the packet is allowed.
3. The adaptive security appliance performs Network Address Translation (NAT) to translate the local source address (192.168.1.2) to the public address of the outside interface (209.165.200.225).
4. The adaptive security appliance records that a session is established and forwards the packet from the outside interface.
5. When www.example.com responds to the request, the packet goes through the adaptive security appliance using the established session.
6. The adaptive security appliance uses NAT to translate the public destination address (209.165.200.225) to the local user address, 192.168.1.2.
7. The adaptive security appliance forwards the packet to the inside user.
An Internet User Visits the DMZ Web Server
Figure 8-3 shows the traffic flow through the adaptive security appliance when a user on the Internet requests a web page from the DMZ web server.
Figure 8-3 An Outside User Visits the DMZ Web Server
Figure 8-3 shows a user on the Internet reaching the public IP address of the outside interface (209.165.200.225), with destination address translation 209.165.200.225 to 10.30.30.30 toward the DMZ web server (private IP address 10.30.30.30, public IP address 209.165.200.225) behind the DMZ interface (10.30.30.1); the inside user (192.168.1.2) and inside interface (192.168.1.1) are not involved.
When a user on the Internet requests an HTTP page from the DMZ web server, traffic flows through the adaptive security appliance as follows:
1. A user on the outside network requests a web page from the DMZ web server using the public IP address of the adaptive security appliance (209.165.200.225, the IP address of the outside interface).
2. The adaptive security appliance receives the packet and, because it is a new session, verifies that the packet is allowed.
3. The adaptive security appliance translates the destination address to the local address of the DMZ web server (10.30.30.30) and forwards the packet through the DMZ interface.
4. When the DMZ web server responds to the request, the adaptive security appliance translates the local address of the DMZ web server (10.30.30.30) to the public address of the DMZ web server (209.165.200.225).
5. The adaptive security appliance forwards the packet to the outside user.
An Inside User Visits the DMZ Web Server
Figure 8-4 shows an inside user accessing the DMZ web server.
Figure 8-4 An Inside User Visits a Web Server on the DMZ
Figure 8-4 shows the inside user (192.168.1.2) behind the inside interface (192.168.1.1) reaching the DMZ web server (private IP address 10.30.30.30, public IP address 209.165.200.225) behind the DMZ interface (10.30.30.1); the outside interface (209.165.200.225), the Internet and www.example.com are shown but not on the path.
In Figure 8-4, the adaptive security appliance permits HTTP traffic originating from inside clients and destined for the DMZ web server. Because the internal network does not include a DNS server, internal client requests for the DMZ web server are handled as follows:
1. A lookup request is sent to the DNS server of the ISP. The public IP address of the DMZ web server is returned to the client.
2. The internal client requests a web page from the public IP address of the DMZ web server. The adaptive security appliance receives the request on its inside interface.
3. The adaptive security appliance translates the public IP address of the DMZ web server to its real address (209.165.200.225 -> 10.30.30.30) and forwards the request out of its DMZ interface to the web server.
4. When the DMZ web server responds to the request, the adaptive security appliance receives the data on its DMZ interface and forwards the data out of its inside interface to the user.
The procedures for creating this configuration are detailed in the remainder of this chapter.
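The three traffic flows described above can be checked from the adaptive security appliance command line once the NAT and access rules in this chapter are in place. The following is an added example and is not part of this guide: it uses the scenario addresses from Figure 8-1 (192.168.1.2, 209.165.200.225, 10.30.30.30), assumes the interfaces are named inside, outside and dmz, and uses two constructed placeholder addresses for hosts on the Internet, 203.0.113.10 standing in for www.example.com and 198.51.100.7 for an outside client. The packet-tracer command simulates a packet through the access-list and NAT phases and reports the egress interface and the final action without sending anything on the wire.

```cisco
! Added example: verifying the DMZ scenario traffic flows from the ASA CLI.
! Scenario addresses come from Figure 8-1; 203.0.113.10 (www.example.com)
! and 198.51.100.7 (an Internet client) are constructed placeholders.
! Interface names inside, outside and dmz are assumed.

! Flow 1: inside user 192.168.1.2 -> web server on the Internet.
! Expect the NAT phase to show the source translated to 209.165.200.225
! (the outside interface address) and a final "Action: allow".
packet-tracer input inside tcp 192.168.1.2 1025 203.0.113.10 80

! Flow 2: Internet client -> public address of the DMZ web server.
! Expect the ACCESS-LIST phase to match the inbound HTTP permit rule and
! the NAT phase to show the destination untranslated to 10.30.30.30,
! with dmz as the output interface.
packet-tracer input outside tcp 198.51.100.7 40000 209.165.200.225 80

! Flow 2, negative check: any non-HTTP traffic from the Internet to the
! public address must end with "Action: drop" from the outside access list,
! because the scenario permits only HTTP inbound.
packet-tracer input outside tcp 198.51.100.7 40001 209.165.200.225 22

! Flow 3: inside user -> public address of the DMZ web server (the address
! the ISP's DNS server returned). Expect the (dmz,inside) static rule to
! untranslate 209.165.200.225 to 10.30.30.30 and the packet to exit on dmz,
! not on outside.
packet-tracer input inside tcp 192.168.1.2 1026 209.165.200.225 80

! State after real traffic has flowed: the translation table and the NAT
! rules in their evaluation order, with hit counts per rule.
show xlate
show nat detail
```

Run the three positive traces after each configuration change; a trace that ends on the wrong output interface (for example, flow 3 leaving on outside instead of dmz) shows that the inside-to-DMZ translation rule is missing or was entered for the wrong interface pair.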
Configuring the Adaptive Security Appliance for a DMZ Deployment
This section describes how to use ASDM to configure the adaptive security appliance for the configuration scenario shown in Figure 8-1. The procedure uses sample parameters based on the scenario.
This configuration procedure assumes that the adaptive security appliance already has interfaces configured for the inside interface, the outside interface, and the DMZ interface. Be sure that the DMZ interface security level is set between 0 and 100. (A common choice is 50.)
Note If you need to set up interfaces on the adaptive security appliance, you can use the Startup Wizard in ASDM. For more information about using the Startup Wizard, see Chapter 7, “Configuring the Adaptive Security Appliance.”
The section includes the following topics:
Configuration Requirements, page 8-9
Information to Have Available, page 8-10
Enabling Inside Clients to Communicate with Devices on the Internet, page 8-10
Enabling Inside Clients to Communicate with the DMZ Web Server, page 8-10
Configuring Static PAT for Public Access to the DMZ Web Server (Port Forwarding), page 8-17
Providing Public HTTP Access to the DMZ Web Server, page 8-20
The remainder of this chapter provides instructions for how to implement this configuration.
Configuration Requirements
This DMZ deployment of the adaptive security appliance requires configuration rules as follows.
So That... Create These Rules...
Internal clients can request information from web servers on the Internet: The adaptive security appliance comes with a default configuration that permits inside clients access to devices on the Internet. No additional configuration is required.
Internal clients can request information from the DMZ web server: A NAT rule between the DMZ and inside interfaces that translates the real IP address of the DMZ web server to its public IP address (10.30.30.30 to 209.165.200.225); and a NAT rule between the inside and DMZ interfaces that translates the real addresses of the internal client network. In this scenario, the real IP address of the internal network is “translated” to itself, that is, the real IP address of the internal network is used when internal clients communicate with the DMZ web server (10.30.30.30).
External clients can request information from the DMZ web server: An address translation rule between the outside and DMZ interfaces that translates the public IP address of the DMZ web server to its private IP address (209.165.200.225 to 10.30.30.30); and an access control rule permitting incoming HTTP traffic that is destined for the DMZ web server.
Information to Have Available
Before you begin this configuration procedure, gather the following information:
Internal IP address of the server inside the DMZ that you want to make available to clients on the public network (in this scenario, a web server).
Public IP addresses to be used for servers inside the DMZ. (Clients on the public network will use the public IP address to access the server inside the DMZ.)
Client IP address to substitute for internal IP addresses in outgoing traffic (in this scenario the IP address of the outside interface). Outgoing client traffic will appear to come from this address so that the internal IP address is not exposed.
Enabling Inside Clients to Communicate with Devices on the Internet
To permit internal clients to request content from devices on the Internet, the adaptive security appliance translates the real IP addresses of internal clients to the external address of the outside interface (that is, the public IP address of the adaptive security appliance). Outgoing traffic appears to come from this address.
Enabling Inside Clients to Communicate with the DMZ Web Server
In this procedure, you configure the adaptive security appliance to allow internal clients to communicate securely with the web server in the DMZ. To accomplish this, you must configure a translation rule.
Configure a NAT rule between the DMZ and inside interfaces that translates the real IP address of the DMZ web server to its public IP address (10.30.30.30 to 209.165.200.225).
This is necessary because when an internal client sends a DNS lookup request, the DNS server returns the public IP address of the DMZ web server.
Note Because there is not a DNS server on the inside network, DNS requests must exit the adaptive security appliance to be resolved by a DNS server on the Internet.
This section includes the following topics:
Translating Internal Client IP Addresses Between the Inside and DMZ Interfaces, page 8-11
Translating the Public Address of the Web Server to its Real Address on the Inside Interface, page 8-14
Translating Internal Client IP Addresses Between the Inside and DMZ Interfaces
To configure NAT to translate internal client IP addresses between the inside interface and the DMZ interface, perform the following steps:
Step 1 In the Configuration > Firewall > NAT Rules pane, click the green + (plus) icon and choose Add “Network Object” NAT Rule.
The Add Network Object dialog box appears.
Step 2 Fill in the following values:
In the Name field, enter the object name. Use characters a to z, A to Z, 0 to 9, a period, a dash, a comma, or an underscore. The name must be 64 characters or less.
From the Type drop-down list, choose Network.
In the IP Address field, enter the real IP address of the client or network. In this scenario, the IP address of the network is 192.168.1.0.
In the Netmask field, enter the subnet mask if the IP address is an IPv4 address, or enter the prefix if the IP address is an IPv6 address.
(Optional) In the Description field, enter a description of the network object (up to 200 characters in length).
Note If the NAT section is hidden, click NAT to expand the section.
Step 3 Check the Add Automatic Translation Rules check box.
Step 4 From the Type drop-down list, choose Static.
Step 5 In the Translated Addr. field, enter the IP address of the internal client or network, or click ..., and choose the address from the Browse Translated Addr dialog box. In this scenario, the IP address of the network is 192.168.1.0.
Step 6 Click Advanced, and configure the following options in the Advanced NAT Settings dialog box.
In the Source Interface drop-down list, choose the Inside interface.
In the Destination Interface drop-down list, choose the DMZ interface.
These two settings specify the real and/or mapped interfaces where this NAT rule should apply.
Step 7 Click OK. You return to the Add Network Object dialog box.
Step 8 Click OK to add the rule and return to the list of Address Translation Rules.
Confirm that the rule was created the way you expected. The displayed configuration should be similar to the following.
Step 9 Click Apply to complete the adaptive security appliance configuration changes.
Translating the Public Address of the Web Server to its Real Address on the Inside Interface
To configure a NAT rule that translates the public IP address of the web server to its real IP address, perform the following steps:
Step 1 In the Configuration > Firewall > NAT Rules pane, click the green + (plus) icon
and choose Add “Network Object” NAT Rule.
The Add Network Object dialog box appears.
Step 2 Fill in the following values:
In the Name field, enter the object name. Use characters a to z, A to Z, 0 to
9, a period, a dash, a comma, or an underscore. The name must be 64 characters or less.
From the Type drop-down list, choose Host.
In the IP Address field, enter the real (private) address of the DMZ web
server. In this scenario, the IP address is 10.30.30.30.
(Optional) In the Description field, enter a description of the network object
(up to 200 characters in length).
Note If the NAT section is hidden, click NAT to expand the section.
Step 3 Check the Add Automatic Translation Rules check box.
Step 4 From the Type drop-down list, choose Static.
Step 5 In the Translated Addr. field, enter the public address (or mapped address) of the
DMZ web server, or click ..., and choose the address from the Browse Translated Addr dialog box. In this scenario, the IP address is 209.165.200.225.
Step 6 Click Advanced, and configure the following options in the Advanced NAT
Settings dialog box.
In the Source Interface drop-down list, choose the DMZ interface.
In the Destination Interface drop-down list, choose the Inside interface.
These two settings specify the real and/or mapped interfaces where this NAT rule should apply.
Step 7 Click OK. You return to the Add Network Object dialog box.
Step 8 Click OK to add the rule and return to the list of Address Translation Rules.
Confirm that the rule was created the way you expected. The displayed configuration should be similar to the following.
Step 9 Click Apply to complete the adaptive security appliance configuration changes.
Configuring Static PAT for Public Access to the DMZ Web Server (Port Forwarding)
The DMZ web server needs to be accessible by all hosts on the Internet. This configuration requires translating the private IP address of the DMZ web server to a public IP address, which allows outside HTTP clients to access the web server without being aware of the adaptive security appliance. In this scenario, the DMZ web server shares a public IP address with the outside interface of the adaptive security appliance (209.165.200.225).
To map the real web server IP address (10.30.30.30) statically to a public IP address (209.165.200.225), perform the following steps:
Step 1 In the Configuration > Firewall > NAT Rules pane, click the green + (plus) icon
and choose Add “Network Object” NAT Rule.
The Add Network Object dialog box appears.
Step 2 Fill in the following values:
In the Name field, enter the object name. Use characters a to z, A to Z, 0 to
9, a period, a dash, a comma, or an underscore. The name must be 64 characters or less.
From the Type drop-down list, choose Host.
In the IP Address field, enter the real IP address of the DMZ web server. In
this scenario, the IP address is 10.30.30.30.
(Optional) In the Description field, enter a description of the network object
(up to 200 characters in length).
Note If the NAT section is hidden, click NAT to expand the section.
Step 3 Check the Add Automatic Translation Rules check box.
Step 4 From the Type drop-down list, choose Static.
Step 5 In the Translated Addr. field, enter the public IP address to be used for the web
server. This is the IP address of the specified interface, in this case the outside interface. Alternatively, click ..., and choose the address from the Browse Translated Addr dialog box.
Step 6 Click Advanced, and configure the following options in the Advanced NAT
Settings dialog box.
In the Source Interface drop-down list, choose the DMZ interface.
In the Destination Interface drop-down list, choose the Outside interface.
These two settings specify the real and/or mapped interfaces where this NAT rule should apply.
To configure static NAT with port translation, under Service, choose tcp
from the Protocol drop-down list.
In the Real Port field, enter 80.
In the Mapped Port field, enter 80.
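The three object NAT rules built in ASDM above (inside network to DMZ, the DMZ web server's real address to the inside interface, and static PAT of the web server onto the outside interface address) correspond to the following ASA 8.3 command-line configuration. This is an added example, not text from the guide: the object names (inside-net, dmz-web-inside, dmz-web-outside) and the /24 mask on the inside network are assumptions, while the addresses and ports are the ones used in this scenario. In each nat command the first interface of the pair is the real interface (the ASDM Source Interface) and the second is the mapped interface (the ASDM Destination Interface).

```cisco
! Added example: ASA 8.3 object NAT equivalent of the three ASDM rules above.
! Object names and the /24 mask are assumptions; addresses match this scenario.

! Rule 1: hosts on the inside network reach the DMZ with their real addresses
! (static identity NAT; real interface = inside, mapped interface = dmz).
object network inside-net
 subnet 192.168.1.0 255.255.255.0
 nat (inside,dmz) static 192.168.1.0

! Rule 2: inside hosts reach the DMZ web server by its public address
! (real interface = dmz, mapped interface = inside). A network object can
! carry only one NAT rule, so the same host is defined again for rule 3.
object network dmz-web-inside
 host 10.30.30.30
 nat (dmz,inside) static 209.165.200.225

! Rule 3: static PAT (port forwarding). TCP/80 on the outside interface
! address (209.165.200.225) is translated to TCP/80 on the real server
! (real interface = dmz, mapped interface = outside).
object network dmz-web-outside
 host 10.30.30.30
 nat (dmz,outside) static interface service tcp 80 80

! Verification: the NAT table in the order the appliance evaluates it,
! and the translations currently in use.
show nat
show xlate
```

After the rules are applied, check the output of show nat for the three entries and their hit counts. The NAT rules alone do not open the web server to the Internet: the access rule on the outside interface that permits the HTTP traffic must still be added, and from software version 8.3 onward that rule is written against the real address of the server (10.30.30.30, port 80), not the mapped address.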