Cisco Systems ASA 5500 User Manual 3

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
For the Cisco ASA 5510, ASA 5520, and ASA 5540
Corporate Headquarters
Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000
800 553-NETS (6387)
Customer Order Number: DOC-7817611= Text Part Number: 78-17611-01
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
CCSP, CCVP, the Cisco Square Bridge logo, Follow Me Browsing, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Access Registrar, Aironet, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, FormShare, GigaDrive, GigaStack, HomeLink, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, LightStream, Linksys, MeetingPlace, MGX, the Networkers logo, Networking Academy, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, ProConnect, RateMUX, ScriptShare, SlideCast, SMARTnet, The Fastest Way to Increase Your Internet Quotient, and TransPath are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0601R)
Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
© 2006 Cisco Systems, Inc. All rights reserved.

CONTENTS

Chapter 1 Before You Begin
  ASA 5500
  ASA 5500 with AIP SSM
  ASA 5500 with CSC SSM
  ASA 5500 with 4GE SSM
Chapter 2 Installing the Cisco ASA 5500
  Verifying the Package Contents
  Installing the Chassis
    Rack-Mounting the Chassis
  Ports and LEDs
  What to Do Next
Chapter 3 Installing Optional SSMs
  Cisco 4GE SSM
    4GE SSM Components
    Installing the Cisco 4GE SSM
    Installing the SFP Modules
      SFP Module
      Installing the SFP Module
  Cisco AIP SSM and CSC SSM
    Installing an SSM
  What to Do Next
Chapter 4 Connecting Interface Cables
  Connecting Cables to Interfaces
  What to Do Next
Chapter 5 Configuring the Adaptive Security Appliance
  About the Factory-Default Configuration
  About the Adaptive Security Device Manager
  Before Launching the Startup Wizard
  Using the Startup Wizard
  What to Do Next
Chapter 6 Scenario: DMZ Configuration
  Example DMZ Network Topology
  Configuring the Security Appliance for a DMZ Deployment
    Configuration Requirements
    Starting ASDM
    Creating IP Pools for Network Address Translation
    Configuring NAT for Inside Clients to Communicate with the DMZ Web Server
    Configuring NAT for Inside Clients to Communicate with Devices on the Internet
    Configuring an External Identity for the DMZ Web Server
    Providing Public HTTP Access to the DMZ Web Server
  What to Do Next
Chapter 7 Scenario: Remote-Access VPN Configuration
  Example IPsec Remote-Access VPN Network Topology
  Implementing the IPsec Remote-Access VPN Scenario
    Information to Have Available
    Starting ASDM
    Configuring the FWSM for an IPsec Remote-Access VPN
    Selecting VPN Client Types
    Specifying the VPN Tunnel Group Name and Authentication Method
    Specifying a User Authentication Method
    (Optional) Configuring User Accounts
    Configuring Address Pools
    Configuring Client Attributes
    Configuring the IKE Policy
    Configuring IPsec Encryption and Authentication Parameters
    Specifying Address Translation Exception and Split Tunneling
    Verifying the Remote-Access VPN Configuration
  What to Do Next
Chapter 8 Scenario: Site-to-Site VPN Configuration
  Example Site-to-Site VPN Network Topology
  Implementing the Site-to-Site Scenario
    Information to Have Available
    Configuring the Site-to-Site VPN
      Starting ASDM
      Configuring the Security Appliance at the Local Site
      Providing Information About the Remote VPN Peer
      Configuring the IKE Policy
      Configuring IPSec Encryption and Authentication Parameters
      Specifying Hosts and Networks
      Viewing VPN Attributes and Completing the Wizard
  Configuring the Other Side of the VPN Connection
  What to Do Next
Chapter 9 Configuring the AIP SSM
  AIP SSM Configuration
    Overview of Configuration Process
    Configuring the ASA 5500 to Divert Traffic to the AIP SSM
    Sessioning to the AIP SSM and Running Setup
  What to Do Next
Chapter 10 Configuring the CSC SSM
  About the CSC SSM
  About Deploying the Security Appliance with the CSC SSM
  Scenario: Security Appliance with CSC SSM Deployed for Content Security
    Configuration Requirements
    Configuring the CSC SSM for Content Security
      Obtain Software Activation Key from Cisco.com
      Gather Information
      Launch ASDM
      Verify Time Settings
      Run the CSC Setup Wizard
      Divert Traffic to the CSC SSM for Content Scanning
  What to Do Next
Chapter 11 Configuring the 4GE SSM for Fiber
  Cabling 4GE SSM Interfaces
  Setting the 4GE SSM Media Type for Fiber Interfaces (Optional)
  What to Do Next
Appendix A Obtaining a DES License or a 3DES-AES License

CHAPTER 1

Before You Begin

Use the following table to find the installation and configuration steps that are required for your implementation of the adaptive security appliance.
The adaptive security appliance implementations included in this document are as follows:
ASA 5500
ASA 5500 with AIP SSM
ASA 5500 with CSC SSM
ASA 5500 with 4GE SSM

ASA 5500

To Do This ... | See ...
Install the chassis | Chapter 2, “Installing the Cisco ASA 5500”
Connect interface cables | Chapter 4, “Connecting Interface Cables”
Perform initial setup of the adaptive security appliance | Chapter 5, “Configuring the Adaptive Security Appliance”
Configure the adaptive security appliance for your implementation | Chapter 6, “Scenario: DMZ Configuration”; Chapter 7, “Scenario: Remote-Access VPN Configuration”; Chapter 8, “Scenario: Site-to-Site VPN Configuration”
Configure optional and advanced features | Cisco Security Appliance Command Line Configuration Guide
Operate the system on a daily basis | Cisco Security Appliance Command Reference; Cisco Security Appliance Logging Configuration and System Log Messages

ASA 5500 with AIP SSM

To Do This ... | See ...
Install the chassis | Chapter 2, “Installing the Cisco ASA 5500”
Install the AIP SSM | Chapter 3, “Installing Optional SSMs”
Connect interface cables | Chapter 4, “Connecting Interface Cables”
Perform initial setup of the adaptive security appliance | Chapter 5, “Configuring the Adaptive Security Appliance”
Configure the adaptive security appliance for AIP SSM | Chapter 9, “Configuring the AIP SSM”
Configure IPS software for intrusion prevention | Configuring the Cisco Intrusion Prevention System Sensor Using the Command Line Interface; Cisco Intrusion Prevention System Command Reference
Refine configuration and configure optional and advanced features | Cisco Security Appliance Command Line Configuration Guide; Cisco Security Appliance Command Reference; Cisco Security Appliance Logging Configuration and System Log Messages

ASA 5500 with CSC SSM

To Do This ... | See ...
Install the chassis | Chapter 2, “Installing the Cisco ASA 5500”
Install the CSC SSM | Chapter 3, “Installing Optional SSMs”
Connect interface cables | Chapter 4, “Connecting Interface Cables”
Perform initial setup of the adaptive security appliance | Chapter 5, “Configuring the Adaptive Security Appliance”
Configure the adaptive security appliance for content security | Chapter 10, “Configuring the CSC SSM”
Configure the CSC SSM | Cisco Content Security and Control SSM Administrator Guide
Refine configuration and configure optional and advanced features | Cisco Security Appliance Command Line Configuration Guide; Cisco Security Appliance Command Reference; Cisco Security Appliance Logging Configuration and System Log Messages

ASA 5500 with 4GE SSM

To Do This ... | See ...
Install the chassis | Chapter 2, “Installing the Cisco ASA 5500”
Install the 4GE SSM | Chapter 3, “Installing Optional SSMs”
Connect interface cables | Chapter 4, “Connecting Interface Cables”
Perform initial setup of the adaptive security appliance | Chapter 5, “Configuring the Adaptive Security Appliance”
Install the fiber optic module | Chapter 3, “Installing Optional SSMs”
Refine configuration and configure optional and advanced features | Cisco Security Appliance Command Line Configuration Guide; Cisco Security Appliance Command Reference; Cisco Security Appliance Logging Configuration and System Log Messages

CHAPTER 2

Installing the Cisco ASA 5500

Warning: Only trained and qualified personnel should be allowed to install, replace, or service this equipment.
Caution: Read the safety warnings in the Regulatory Compliance and Safety Information for the Cisco ASA 5500 Series and follow proper safety procedures when performing these steps.
This chapter describes the product overview, memory requirements and rack-mount and installation procedures for the adaptive security appliance. This chapter includes the following sections:
Verifying the Package Contents
Installing the Chassis
Ports and LEDs
What to Do Next
Note: The illustrations in this document show the Cisco ASA 5540 adaptive security appliance. The Cisco ASA 5510 adaptive security appliance and Cisco ASA 5520 adaptive security appliance are identical, containing the same back panel features and indicators.

Verifying the Package Contents

Verify the contents of the packing box to ensure that you have received all items necessary to install your Cisco ASA 5500 series adaptive security appliance. See Figure 2-1.
Figure 2-1 Contents of ASA 5500 Package
Items labeled in the figure:
Cisco ASA 5500 adaptive security appliance
Mounting brackets: (700-18797-01 AO) right, (700-18798-01 AO) left
2 long cap screws (48-0654-01 AO)
4 flathead screws (48-0451-01 AO)
Cable holder
4 cap screws (48-0523-01 AO)
4 rubber feet
Yellow Ethernet cable (72-1482-01)
Blue console cable PC terminal adapter
Cisco ASA 5500 Adaptive Security Appliance Product CD
Safety and Compliance Guide
Documentation

Installing the Chassis

This section describes how to rack-mount and install the adaptive security appliance. You can mount the adaptive security appliance in a 19-inch rack (with a 17.5- or 17.75-inch opening).
Warning: To prevent bodily injury when mounting or servicing this unit in a rack, you must take special precautions to ensure that the system remains stable. The following guidelines are provided to ensure your safety.
The following information can help plan equipment rack installation:
Allow clearance around the rack for maintenance.
When mounting a device in an enclosed rack ensure adequate ventilation. An enclosed rack should never be overcrowded. Make sure that the rack is not congested, because each unit generates heat.
When mounting a device in an open rack, make sure that the rack frame does not block the intake or exhaust ports.
If the rack contains only one unit, mount the unit at the bottom of the rack.
If the rack is partially filled, load the rack from the bottom to the top, with the heaviest component at the bottom of the rack.
If the rack contains stabilizing devices, install the stabilizers prior to mounting or servicing the unit in the rack.
Warning: Before performing any of the following procedures, ensure that power is removed from the DC circuit. To ensure that all power is OFF, locate the circuit breaker on the panel board that services the DC circuit, switch the circuit breaker to the OFF position, and tape the switch handle of the circuit breaker in the OFF position.

Rack-Mounting the Chassis

To rack-mount the chassis, perform the following steps:
Step 1 Attach the rack-mount brackets to the chassis using the supplied screws. Attach the brackets to the holes as shown in Figure 2-2. After the brackets are secured to the chassis, you can rack-mount it.
Figure 2-2 Installing the Right and Left Brackets
Step 2 Attach the chassis to the rack using the supplied screws, as shown in Figure 2-3.
Figure 2-3 Rack-Mounting the Chassis
To remove the chassis from the rack, remove the screws that attach the chassis to the rack, and then remove the chassis.

Ports and LEDs

This section describes the front and rear panels. Figure 2-4 shows the front panel LEDs.
Figure 2-4 Front Panel LEDs
LED | Color | State | Description
1 Power | Green | On | The system has power.
2 Status | Green | Flashing | The power-up diagnostics are running or the system is booting.
 | | Solid | The system has passed power-up diagnostics.
 | Amber | Solid | The power-up diagnostics have failed.
3 Active | Green | Solid | This is the active failover device.
 | Amber | Solid | This is the standby failover device.
4 VPN | Green | Solid | VPN tunnel is established.
5 Flash | Green | Solid | The CompactFlash is being accessed.
Figure 2-5 shows the rear panel features for the adaptive security appliance.
Figure 2-5 Rear Panel LEDs and Ports (AC Power Supply Model Shown)
1 Management Port (see note 1)
2 External CompactFlash slot
3 Serial Console port
4 Power switch
5 Power indicator LED
6 USB 2.0 interfaces (see note 2)
7 Network interfaces (see note 3)
8 Power indicator LED
9 Status indicator LED
10 Active LED
11 VPN LED
12 Flash LED
13 AUX port
14 Power connector
1. The management 0/0 interface is a Fast Ethernet interface designed for management traffic only.
2. Not supported at this time.
3. GigabitEthernet interfaces, from right to left, GigabitEthernet 0/0, GigabitEthernet 0/1, GigabitEthernet 0/2, and GigabitEthernet 0/3.
For more information on the Management Port, see the “Management-Only” section in the Cisco Security Appliance Command Reference.
Figure 2-6 shows the adaptive security appliance rear panel LEDs.
Figure 2-6 Rear Panel Link and Speed Indicator LEDs
1 MGMT indicator LEDs
2 Network interface LEDs
Table 2-1 lists the rear MGMT and Network interface LEDs.
Table 2-1 Link and Speed LEDs
Indicator | Color | Description
Left side | Solid green | Physical link
 | Green flashing | Network activity
Right side | Not lit | 10 Mbps
 | Green | 100 Mbps
 | Amber | 1000 Mbps
Note: The ASA 5510 adaptive security appliance only supports 10/100BaseTX. The ASA 5520 adaptive security appliance and the ASA 5540 adaptive security appliance support 1000BaseT.

What to Do Next

Continue with one of the following chapters:
To Do This ... | See ...
Install SSMs you purchased but that have not yet been installed | Chapter 3, “Installing Optional SSMs”
Continue with connecting interface cables | Chapter 4, “Connecting Interface Cables”

CHAPTER 3

Installing Optional SSMs

This chapter provides information about installing optional SSMs (Security Services Modules) and their components. You only need to use the procedures in this chapter if you purchased an optional SSM but it is not yet installed.
This chapter includes the following sections:
Cisco 4GE SSM
Cisco AIP SSM and CSC SSM
What to Do Next

Cisco 4GE SSM

The 4GE Security Services Module (SSM) has eight Ethernet ports: four 10/100/1000 Mbps, copper, RJ-45 ports or four optional 1000 Mbps, Small Form-Factor Pluggable (SFP) fiber ports.
This section describes how to install and replace the Cisco 4GE SSM in the adaptive security appliance. This section includes the following topics:
4GE SSM Components
Installing the Cisco 4GE SSM
Installing the SFP Modules

4GE SSM Components

Figure 3-1 lists the Cisco 4GE SSM ports and LEDs.
Figure 3-1 Cisco 4GE SSM Ports and LEDs
1 RJ-45 ports
2 RJ-45 Link LED
3 RJ-45 Speed LED
4 Power LED
5 Status LED
6 SFP ports
7 SFP Link LED
8 SFP Speed LED
Note: Figure 3-1 shows SFP modules installed in the port slots. You must order and install the SFP modules if you want to use this feature. For more information on SFP ports and modules, see the “Installing the SFP Modules” section on page 3-4.
Table 3-1 describes the Cisco 4GE SSM LEDs.
Table 3-1 Cisco 4GE SSM LEDs
LED | Color | State | Description
2, 7 LINK | Green | Solid | There is an Ethernet link.
 | | Flashing | There is Ethernet activity.
3, 8 SPEED | Off | 10 MB | There is no network activity.
 | Green | 100 MB | There is network activity at 100 Mbps.
 | Amber | 1000 MB (GigE) | There is network activity at 1000 Mbps.
4 POWER | Green | On | The system has power.
5 STATUS | Green | Flashing | The system is booting.
 | Green | Solid | The system booted correctly.
 | Amber | Solid | The system diagnostics failed.

Installing the Cisco 4GE SSM

To install a new Cisco 4GE SSM for the first time, perform the following steps:
Step 1 Power off the adaptive security appliance.
Step 2 Locate the grounding strap from the accessory kit and fasten it to your wrist so that it contacts your bare skin. Attach the other end to the chassis.
Step 3 Remove the two screws (as shown in Figure 3-2) at the left rear end of the chassis, and remove the slot cover.
Figure 3-2 Removing the Screws from the Slot Cover
Step 4 Insert the Cisco 4GE SSM through the slot opening as shown in Figure 3-3.
Figure 3-3 Inserting the Cisco 4GE SSM into the Slot
Step 5 Attach the screws to secure the Cisco 4GE SSM to the chassis.
Step 6 Power on the adaptive security appliance.
Step 7 Check the LEDs. If the Cisco 4GE SSM is installed properly the STATUS LED flashes during boot up and is solid when operational.
Step 8 Connect one end of the RJ-45 cable to the port and the other end of the cable to your network devices. For more information, see Chapter 4, “Connecting Interface Cables.”

Installing the SFP Modules

The SFP (Small Form-Factor Pluggable) is a hot-swappable input/output device that plugs into the SFP ports. The following SFP module types are supported:
Long wavelength/long haul 1000BASE-LX/LH (GLC-LH-SM=)
Short wavelength 1000BASE-SX (GLC-SX-MM=)
This section describes how to install and remove the SFP modules in the adaptive security appliance to provide optical Gigabit Ethernet connectivity. This section contains the following topics:
SFP Module
Installing the SFP Module

SFP Module

The adaptive security appliance uses a field-replaceable SFP module to establish Gigabit connections.
Note: If you install an SFP module after the switch has powered on, you must reload the adaptive security appliance to enable the SFP module.
Table 3-2 lists the SFP modules that are supported by the adaptive security appliance.
Table 3-2 Supported SFP Modules
SFP Module | Type of Connection | Cisco Part Number
1000BASE-LX/LH | Fiber-optic | GLC-LH-SM=
1000BASE-SX | Fiber-optic | GLC-SX-MM=
The 1000BASE-LX/LH and 1000BASE-SX SFP modules are used to establish fiber-optic connections. Use fiber-optic cables with LC connectors to connect to an SFP module. The SFP modules support 850 to 1550 nm nominal wavelengths. The cables must not exceed the required cable length for reliable communications.
Table 3-3 lists the cable length requirements.
Table 3-3 Cabling Requirements for Fiber-Optic SFP Modules
SFP Module | 62.5/125 micron Multimode 850 nm Fiber | 50/125 micron Multimode 850 nm Fiber | 62.5/125 micron Multimode 1310 nm Fiber | 50/125 micron Multimode 1310 nm Fiber | 9/125 micron Single-mode 1310 nm Fiber
LX/LH | - | - | 550 m at 500 MHz-km | 550 m at 400 MHz-km | 10 km
SX | 275 m at 200 MHz-km | 550 m at 500 MHz-km | - | - | -
Use only Cisco-certified SFP modules on the adaptive security appliance. Each SFP module has an internal serial EEPROM that is encoded with security information. This encoding provides a way for Cisco to identify and validate that the SFP module meets the requirements for the adaptive security appliance.
Note: Only SFP modules certified by Cisco are supported on the adaptive security appliance.
Caution: Protect your SFP modules by inserting clean dust plugs into the SFPs after the cables are extracted from them. Be sure to clean the optic surfaces of the fiber cables before you plug them back in the optical bores of another SFP module. Avoid getting dust and other contaminants into the optical bores of your SFP modules: The optics do not work correctly when obstructed with dust.
Warning: Because invisible laser radiation may be emitted from the aperture of the port when no cable is connected, avoid exposure to laser radiation and do not stare into open apertures. Statement 70

Installing the SFP Module

To install the SFP module in the Cisco 4GE SSM, perform the following steps:
Step 1 Line up the SFP module with the port and slide the SFP module into the port slot until it locks into position as shown in Figure 3-4.
Figure 3-4 Installing an SFP Module
1 Optical port plug
2 SFP port slot
3 SFP module
Caution: Do not remove the optical port plugs from the SFP until you are ready to connect the cables.
Step 2 Remove the Optical port plug; then connect the network cable to the SFP module. Connect the other end of the cable to your network. For more information on connecting the cables, see Chapter 4, “Connecting Interface Cables.”
Caution: The latching mechanism used on many SFPs locks them into place when cables are connected. Do not pull on the cabling in an attempt to remove the SFP.

Cisco AIP SSM and CSC SSM

The ASA 5500 series adaptive security appliance supports the AIP SSM (Advanced Inspection and Prevention Security Services Module) and the CSC SSM (Content Security Control Security Services Module), also referred to as the intelligent SSM.
The AIP SSM runs advanced IPS software that provides security inspection. There are two models of the AIP SSM: the AIP SSM 10 and the AIP SSM 20. Both types look identical, but the AIP SSM 20 has a faster processor and more memory than the AIP SSM 10. Only one module (the AIP SSM 10 or the AIP SSM 20) can populate the slot at a time.
Table 3-4 lists the memory specifications for the AIP SSM 10 and the AIP SSM 20.
Table 3-4 SSM Memory Specifications
SSM | CPU | DRAM
AIP SSM 10 | 2.0 GHz Celeron | 1.0 GB
AIP SSM 20 | 2.4 GHz Pentium 4 | 2.0 GB
For more information on the AIP SSM, see the “Managing the AIP SSM” section in the Cisco Security Appliance Command Line Configuration Guide.
The CSC SSM runs Content Security and Control software. The CSC SSM provides protection against viruses, spyware, spam, and other unwanted traffic. For more information on the CSC SSM, see the “Managing the CSC SSM” section in the Cisco Security Appliance Command Line Configuration Guide.
This section describes how to install and replace the SSM in the adaptive security appliance. Figure 3-5 lists the SSM LEDs.
Figure 3-5 SSM LEDs
Table 3-5 describes the SSM LEDs.
Table 3-5 SSM LEDs
LED | Color | State | Description
1 PWR | Green | On | The system has power.
2 STATUS | Green | Flashing | The system is booting.
 | | Solid | The system has passed power-up diagnostics.
3 LINK/ACT | Green | Solid | There is an Ethernet link.
 | | Flashing | There is Ethernet activity.
4 SPEED | Green | 100 MB | There is network activity.
 | Amber | 1000 MB (GigE) | There is network activity.

Installing an SSM

To install a new SSM, perform the following steps:
Step 1 Power off the adaptive security appliance.
Step 2 Locate the grounding strap from the accessory kit and fasten it to your wrist so that it contacts your bare skin. Attach the other end to the chassis.
Step 3 Remove the two screws (as shown in Figure 3-6) at the left rear end of the chassis, and remove the slot cover.
Figure 3-6 Removing the Screws from the Slot Cover
Step 4 Insert the SSM into the slot opening as shown in Figure 3-7.
Figure 3-7 Inserting the SSM into the Slot
Step 5 Attach the screws to secure the SSM to the chassis.
Step 6 Power on the adaptive security appliance. Check the LEDs. If the SSM is installed properly the POWER LED is solid green and the STATUS LED flashes green.
Step 7 Connect one end of the RJ-45 cable to the port and the other end of the cable to your network devices.

What to Do Next

Continue with Chapter 4, “Connecting Interface Cables.”