Cisco Systems ASASSMCSC10K9 User Manual

QUICK START GUIDE
Cisco ASA Services Module
1 Information About the ASA Services Module in the Switch Network
2 Verifying the Module Installation
3 Assigning VLANs to the ASA Services Module
4 Using the MSFC as a Directly-Connected Router
5 Logging Into the ASA Services Module
7 Launching ASDM
8 Running the Startup Wizard
9 (Optional) Allowing Access to Public Servers Behind the ASA Services Module
10 (Optional) Running Other Wizards in ASDM
11 Advanced Configuration
Related Documentation
To access all documents related to this product, go to:
http://www.cisco.com/en/US/docs/security/asa/roadmap/asaroadmap.html
[Figure: MSFC/Router Behind the ASASM; MSFC/Router In Front of the ASASM]
Updated: May 15, 2013, 78-19998-02
1 Information About the ASA Services Module in the Switch Network
For switch and software compatibility with the ASA Services Module (ASASM), see the following:
http://www.cisco.com/en/US/docs/security/asa/compatibility/asamatrx.html
The switch runs Cisco IOS software on both the switch supervisor engine and the integrated Multilayer Switch Feature Card (MSFC). The ASASM runs its own operating system.
Although you need the MSFC as part of your system, you do not have to use it. If you choose to use it, you can assign one or more VLAN interfaces, known as switched virtual interfaces (SVIs), to the MSFC. Alternatively, you can use an external router instead of the MSFC.
In single context mode, you can place the MSFC or router in front of the ASASM or behind the ASASM; location depends on the VLANs that you assign to the ASASM interfaces.
[Figure: multiple context mode. Labels: Internet, MSFC/Router, Admin Context, Context A, Context B, Context C, Admin Network, Inside Customer A, Inside Customer B, Inside Customer C]
For multiple context mode, if you place the MSFC or router behind the ASASM, you should only connect it to a single context. If you connect it to multiple contexts, the MSFC/router will route between the contexts, which might not be your intention. The typical scenario for multiple contexts is to use a router in front of all the contexts to route between the Internet and the switched networks.

2 Verifying the Module Installation

Verify that the switch acknowledges the ASASM and has brought it online. (If you need to install your ASASM, see the module installation guide on Cisco.com.) Enter the following command to ensure that the Status column shows “Ok” for the ASASM:
show module [switch {1 | 2}] [mod-num | all]
For a switch in a VSS, enter the switch argument.
For example:
Router# show module
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  2     3 ASA Service Module                     WS-SVC-ASA-SM1     SAD143502E8

Mod MAC addresses                      Hw     Fw           Sw           Status
--- ---------------------------------- ------ ------------ ------------ -------
  2 0022.bdd4.016f to 0022.bdd4.017e   0.201  12.2(2010080 12.2(2010121 Ok
...

3 Assigning VLANs to the ASA Services Module

The ASASM does not include any external physical interfaces. Instead, it uses VLAN interfaces passed down from the supervisor. Perform the following steps at the switch CLI to pass down VLANs from the supervisor:
Step 1
Command: firewall vlan-group firewall_group_num vlan_range
Purpose: Assigns VLANs to a firewall group.
Example:
Router(config)# firewall vlan-group 50 55-57
Router(config)# firewall vlan-group 51 58-63
Router(config)# firewall vlan-group 52 64,66-74

Step 2
Command: firewall [switch {1 | 2}] module module_number vlan-group firewall_group_num
Purpose: Assigns the firewall groups to the ASASM. For a switch in a VSS, enter the switch argument.
Example:
Router(config)# firewall module 5 vlan-group 50,52
Router(config)# firewall module 8 vlan-group 51,52

4 Using the MSFC as a Directly-Connected Router

If you want to use the MSFC as a directly-connected router (for example, as the default gateway connected to the ASASM outside interface), then add an ASASM VLAN interface to the MSFC as a switched virtual interface (SVI). By default, you can add only one SVI; to add multiple SVIs, and understand the caveats for multiple SVIs, see the configuration guide on Cisco.com.
Perform the following steps at the switch CLI:
Step 1
Command: interface vlan vlan_number
Purpose: Adds a VLAN interface to the MSFC.
Example:
Router(config)# interface vlan 100

Step 2
Command: ip address address mask
Purpose: Sets the IP address for this interface on the MSFC.
Example:
Router(config)# ip address 192.168.1.2 255.255.255.0

Step 3
Command: no shutdown
Purpose: Enables the interface.
Example:
Router(config)# no shutdown
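
An added example, not part of the Cisco guide: a Python check that reads the firewall vlan-group and firewall module lines from section 3 together with the interface vlan lines from section 4, then lists which VLANs each ASASM receives and which of those VLANs also have an SVI on the MSFC, so that more than one SVI stands out for review. The sample configuration, the function names and the regular expressions are constructed for illustration.

```python
import re

# Constructed sample switch configuration (not from the guide). The firewall
# lines use the syntax from section 3; the SVIs are written as in section 4.
SAMPLE_CONFIG = """\
firewall vlan-group 50 55-57
firewall vlan-group 51 58-63
firewall vlan-group 52 64,66-74
firewall module 5 vlan-group 50,52
firewall module 8 vlan-group 51,52
interface vlan 55
 ip address 192.168.1.2 255.255.255.0
interface vlan 60
 ip address 192.168.2.2 255.255.255.0
interface vlan 900
 ip address 10.0.0.1 255.255.255.0
"""

GROUP = re.compile(r"firewall vlan-group (\d+) ([\d,-]+)")
MODULE = re.compile(r"firewall (?:switch [12] )?module (\d+) vlan-group ([\d,-]+)")
SVI = re.compile(r"interface vlan ?(\d+)", re.IGNORECASE)

def expand(spec):
    """Expand a list such as '64,66-74' into a set of integers."""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def audit(config):
    """Return ({module: VLANs passed down}, sorted ASASM VLANs that have an SVI)."""
    groups, modules, svis = {}, {}, set()
    for line in map(str.strip, config.splitlines()):
        if m := GROUP.fullmatch(line):
            groups.setdefault(int(m[1]), set()).update(expand(m[2]))
        elif m := MODULE.fullmatch(line):
            modules.setdefault(int(m[1]), set()).update(expand(m[2]))
        elif m := SVI.fullmatch(line):
            svis.add(int(m[1]))
    # Resolve each module's firewall groups to the VLANs they contain.
    vlans = {mod: set().union(*(groups.get(g, set()) for g in gs))
             for mod, gs in modules.items()}
    asasm = set().union(*vlans.values())
    return vlans, sorted(svis & asasm)

if __name__ == "__main__":
    vlans, svis = audit(SAMPLE_CONFIG)
    for mod, v in sorted(vlans.items()):
        print(f"module {mod}: VLANs {sorted(v)}")
    print("ASASM VLANs with an MSFC SVI:", svis)
    if len(svis) > 1:
        print("review: more than one SVI on ASASM VLANs")
```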