Cisco ASA 5510, Cisco ASA 5520, Cisco ASA 5540 Quick Start Manual

Quick Start Guide
Cisco ASA 5500 Series Adaptive Security Appliance Quick Start Guide
1 Verifying the Package Contents
2 Installing the Cisco ASA 5500 Series Adaptive Security Appliance
3 Configuring the Cisco ASA 5500 Series Adaptive Security Appliance
4 Common Configuration Scenarios
5 Optional SSM Setup and Configuration Procedures
6 Optional Maintenance and Upgrade Procedures
About the Cisco ASA 5500 Series Adaptive Security Appliance
[Figure: Cisco ASA 5500 series adaptive security appliance front panel, showing the POWER, STATUS, ACTIVE, VPN, and FLASH indicators]
The Cisco ASA 5500 series adaptive security appliance family delivers enterprise-class security for medium business-to-enterprise networks in a modular, purpose-built appliance. Its versatile one-rack-unit (1RU) design supports up to eight 10/100/1000 Gigabit Ethernet interfaces (on the 5520 and 5540) and one 10/100 Fast Ethernet Management interface, making it an excellent choice for businesses requiring a cost-effective, resilient security solution with demilitarized zone (DMZ) support. The optional 4GE SSM provides four ports, each with two interfaces: copper RJ-45 (Ethernet) and SFP for optical fiber connections. Part of the market-leading Cisco adaptive security appliance series, the Cisco ASA 5500 provides a wide range of integrated security services, hardware VPN acceleration, full intrusion prevention, award-winning high availability, and powerful remote management capabilities in an easy-to-deploy, high-performance solution.
About This Document
This document describes how to install and configure the Cisco ASA 5510, 5520, and 5540 adaptive security appliance to be used in VPN, DMZ, remote-access, and intrusion protection deployments.
When you have completed the procedures outlined in this document, the adaptive security appliance will be running a robust VPN, DMZ, or remote-access configuration appropriate for most deployments. The document provides only enough information to get the adaptive security appliance up and running with a basic configuration.
For more information, see the following documentation:
Cisco ASA 5500 Series Release Notes
Cisco ASA 5500 Series Hardware Installation Guide
Cisco Security Appliance Command Line Configuration Guide
Cisco Security Appliance Command Reference
Cisco Security Appliance Logging Configuration and System Log Messages
1 Verifying the Package Contents
Verify the contents of the packing box to ensure that you have received all items necessary to install your Cisco ASA 5500 series adaptive security appliance.
[Figure: Package contents]
Cisco ASA 5500 adaptive security appliance
Mounting brackets: right (700-18797-01 AO) and left (700-18798-01 AO)
2 long cap screws (48-0654-01 AO)
4 flathead screws (48-0451-01 AO)
4 cap screws (48-0523-01 AO)
4 rubber feet
Cisco ASA 5500 Adaptive Security Appliance Product CD
Yellow Ethernet cable (72-1482-01)
Blue console cable
PC terminal adapter
Cable holder
Documentation: Safety and Compliance Guide; Cisco ASA 5500 Series Hardware Installation Guide
2 Installing the Cisco ASA 5500 Series Adaptive Security Appliance
Warning This warning symbol means danger. You are in a situation that could cause bodily injury. Before you work on any equipment, be aware of the hazards involved with electrical circuitry and be familiar with standard practices for preventing accidents. Use the statement number provided at the end of each warning to locate its translation in the translated safety warnings that accompanied this device. Statement 1071
Caution Be sure to read the safety warnings in the Regulatory Compliance and Safety Information for the Cisco ASA 5500 Series and follow proper safety procedures when performing these steps.
Warning To prevent bodily injury when mounting or servicing this unit in a rack, you must take special precautions to ensure that the system remains stable. The following guidelines are provided to ensure your safety:
This unit should be mounted at the bottom of the rack if it is the only unit in the rack.
When mounting this unit in a partially filled rack, load the rack from the bottom to the top with the heaviest component at the bottom of the rack.
If the rack is provided with stabilizing devices, install the stabilizers before mounting or servicing the unit in the rack. Statement 1006
Use the following guidelines when installing the adaptive security appliance in a rack:
Allow clearance around the rack for maintenance.
When mounting a device in an enclosed rack, ensure adequate ventilation. An enclosed rack should never be overcrowded. Each unit generates heat.
When mounting a device in an open rack, make sure that the rack frame does not block the intake or exhaust ports.
Warning Before performing any of the following procedures, ensure that power is removed from the DC circuit. To ensure that all power is OFF, locate the circuit breaker on the panel board that services the DC circuit, switch the circuit breaker to the OFF position, and tape the switch handle of the circuit breaker in the OFF position. Statement 7
Rack Mounting the Chassis
To rack mount the chassis, perform the following steps:
Step 1 Attach the rack-mount brackets to the chassis by using the supplied screws. Attach the brackets to the holes near the front or at the rear of the chassis. (See Figure 1.)
Figure 1 Installing the Brackets
Step 2 Attach the chassis to the rack by using the supplied screws. (See Figure 2.)
Figure 2 Rack Mounting the Chassis
Connecting the Interface Cables
To connect the interface cables, perform the following steps:
Step 1 Connect a computer or terminal to the adaptive security appliance for management access.
Note Before connecting a computer or terminal to the Console port, check the baud rate. The baud rate must match the default baud rate (9600 baud) of the console port on the adaptive security appliance. Set up the computer or terminal as follows: 9600 baud (default), 8 data bits, no parity, 1 stop bit, and FC=hardware.
Step 2 Locate the blue console cable from the accessory kit. The console cable has an RJ-45
connector on one end and a DB-9 connector on the other.
Step 3 Connect the RJ-45 connector of the blue console cable to the Console port on the rear panel of the adaptive security appliance. (See Figure 3.)
Step 4 Connect the DB-9 connector of the blue cable to the serial port on your computer or terminal.
Figure 3 Connecting the Chassis Console Cable
[Figure 3 callouts] 1 RJ-45 console port; 2 RJ-45 to DB-9 serial console cable (null modem)
Note Alternatively, for management purposes, you can also connect an Ethernet cable to the adaptive security appliance MGMT port. The MGMT port is a Fast Ethernet interface designed for management traffic only and is specified as Management0/0. The MGMT port is similar to the Console port, but the MGMT port accepts only incoming traffic.
Step 5 Locate the yellow Ethernet cable in the accessory kit.
Step 6 Attach one end of the Ethernet cable to an Ethernet port and the other end to a network device, such as a router, switch, or hub.
Step 7 Attach the power cord to the adaptive security appliance and the power source.
Step 8 Power on the chassis.
3 Configuring the Cisco ASA 5500 Series Adaptive Security Appliance
This section describes the initial configuration of the adaptive security appliance. You can perform the configuration steps using either the browser-based Cisco Adaptive Security Device Manager (ASDM) or the command-line interface (CLI).
Note To use ASDM, you must have a DES license or a 3DES-AES license. For more information,
see Obtaining DES and 3DES/AES Encryption Licenses, page 52.
About the Factory Default Configuration
Cisco adaptive security appliances are shipped with a factory-default configuration that enables quick startup. This configuration meets the needs of most small and medium business networking environments. By default, the adaptive security appliance is configured as follows:
The inside (GigabitEthernet0/1) interface is configured with a default DHCP address pool. This configuration enables a client on the inside network to obtain a DHCP address from the adaptive security appliance in order to connect to the appliance. Administrators can then configure and manage the adaptive security appliance using ASDM.
The outside (GigabitEthernet0/0) interface is used to connect to the public network and is configured to deny all inbound traffic. This configuration protects your inside network from unsolicited traffic.
Based on your network security policy, you should also consider configuring the adaptive security appliance to deny all ICMP traffic through the outside interface or any other interface where that is necessary. You can configure this access control policy using the icmp command. For more information about the icmp command, see the Cisco Security Appliance Command Reference.
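The following is an added, illustrative CLI rendering of the defaults just described, with the ICMP restriction the preceding note recommends. It is not the shipped factory-default file and is not taken from this guide: the interface names follow the 5520/5540 naming used above, and the http and dhcpd lines (which let an inside client obtain an address and reach ASDM) and the DHCP-assigned outside address are assumptions about how the described behaviour is expressed in pre-8.3 ASA CLI.

```cisco
! Illustrative CLI equivalent of the described factory defaults
! (added example, not the shipped configuration file)
!
! Inside interface: 192.168.1.1/24, the address ASDM is reached on
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! Outside interface: faces the public network. With security-level 0 and
! no access list applied, unsolicited inbound traffic is denied by default.
! (the DHCP-assigned address is an assumption)
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address dhcp setroute
!
! Hand out 192.168.1.2-192.168.1.254 to clients on the inside network
! (assumption; matches the valid client range given in the Startup Wizard steps)
dhcpd address 192.168.1.2-192.168.1.254 inside
dhcpd enable inside
!
! Allow ASDM (HTTPS) only from the inside network (assumption)
http server enable
http 192.168.1.0 255.255.255.0 inside
!
! Recommended by the note above: drop ICMP addressed to the outside interface
icmp deny any outside
```

One caveat worth knowing before relying on that last line: the icmp command governs ICMP that terminates on the appliance's own interface address (for example, pings aimed at the outside interface). ICMP that passes through the appliance between networks is controlled by access lists, not by the icmp command, so both need to be reviewed when the policy is "no ICMP on the outside".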
About the Adaptive Security Device Manager
The Adaptive Security Device Manager (ASDM) is a feature-rich graphical interface that enables you to manage and monitor the adaptive security appliance. Its web-based design provides secure access so that you can connect to and manage the adaptive security appliance from any location by using a web browser.
In addition to complete configuration and management capability, ASDM features intelligent wizards to simplify and accelerate the deployment of the adaptive security appliance.
To use ASDM, you must have a DES license or a 3DES-AES license. In addition, Java and JavaScript must be enabled in your web browser.
About Configuration from the Command-Line Interface
In addition to the ASDM web configuration tool, you can configure the adaptive security appliance by using the command-line interface. For more information, see the Cisco Security Appliance Command Line Configuration Guide and the Cisco Security Appliance Command Reference.
Using the Startup Wizard
ASDM includes a Startup Wizard to simplify the initial configuration of your adaptive security appliance. With a few steps, the Startup Wizard enables you to configure the adaptive security appliance so that it allows packets to flow securely between the inside network (GigabitEthernet0/1) and the outside network (GigabitEthernet0/0).
Before you launch the Startup Wizard, gather the following information:
A unique hostname to identify the adaptive security appliance on your network.
The IP addresses of your outside interface, inside interface, and any other interfaces.
The IP addresses to use for NAT or PAT configuration.
The IP address range for the DHCP server.
To use the Startup Wizard to set up a basic configuration for the adaptive security appliance, perform the following steps:
Step 1 If you have not already done so, complete one of the following steps:
If you have an ASA 5520 or 5540, connect the inside GigabitEthernet0/1 interface to a switch or hub by using the Ethernet cable. To this same switch, connect a PC for configuring the adaptive security appliance.
If you have an ASA 5510, connect the inside Ethernet 1 interface to a switch or hub by using the Ethernet cable. To this same switch, connect a PC for configuring the adaptive security appliance.
Step 2 Configure your PC to use DHCP (to receive an IP address automatically from the adaptive security appliance), or assign a static IP address to your PC by selecting an address out of the 192.168.1.0 network. (Valid addresses are 192.168.1.2 through 192.168.1.254, with a mask of 255.255.255.0 and default route of 192.168.1.1.)
Note The inside interface of the adaptive security appliance is assigned 192.168.1.1 by default, so this address is unavailable.
Step 3 Complete one of the following steps:
If you have an ASA 5520 or 5540, check the LINK LED on the GigabitEthernet0/1 interface.
If you have an ASA 5510, check the LINK LED on the Ethernet 1 interface.
When a connection is established, the LINK LED on the adaptive security appliance interface and the corresponding LINK LED on the switch or hub become solid green.
Step 4 Launch the Startup Wizard.
a. On the PC connected to the switch or hub, launch an Internet browser.
b. In the address field of the browser, enter this URL: https://192.168.1.1/.
Note The adaptive security appliance ships with a default IP address of 192.168.1.1. Remember to add the “s” in “https” or the connection fails. HTTPS (HTTP over SSL) provides a secure connection between your browser and the adaptive security appliance.
Step 5 In the dialog box that requires a username and password, leave both fields empty. Press Enter.
Step 6 Click Yes to accept the certificates. Click Yes for all subsequent authentication and certificate dialog boxes.
Step 7 After ASDM starts, choose the Startup Wizard from the Wizards menu at the top of the window.
Step 8 Follow the instructions in the Startup Wizard to set up your adaptive security appliance.
For information about any field in the Startup Wizard, click Help at the bottom of the window.
4 Common Configuration Scenarios
This section provides configuration examples for three common deployments of the adaptive security appliance:
Hosting a web server on a DMZ network
Establishing remote-access VPN connections so that off-site clients can establish secure communications with the internal network
Establishing a site-to-site VPN connection with other business partners or remote offices
Use these scenarios as a guide when you set up your network. Substitute your own network addresses and apply additional policies as needed.
Scenario 1: DMZ Configuration
A demilitarized zone (DMZ) is a separate network located in the neutral zone between a private (inside) network and a public (outside) network. This example network topology is similar to most DMZ implementations of the adaptive security appliance. The web server is on the DMZ interface, and HTTP clients from both the inside and outside networks can access the web server securely.
In Figure 4, an HTTP client (10.10.10.10) on the inside network initiates HTTP communications with the DMZ web server (10.30.30.30). HTTP access to the DMZ web server is provided for all clients on the Internet; all other communications are denied. The network is configured to use an IP pool of addresses between 10.30.30.50 and 10.30.30.60. (The IP pool is the range of IP addresses available to the DMZ interface.)
Figure 4 Network Layout for DMZ Configuration Scenario
[Figure 4: an HTTP client (10.10.10.10) on the inside network (10.10.10.0) and a web server (10.30.30.30) on the DMZ network (10.30.30.0) are connected to the ASA security appliance; the outside interface (209.165.200.225) faces the Internet, where further HTTP clients are located]
Because the DMZ web server is located on a private DMZ network, it is necessary to translate its private IP address to a public (routable) IP address. This public address allows external clients to access the DMZ web server in the same way that they access any server on the Internet.
The DMZ configuration scenario shown in Figure 4 provides two routable IP addresses that are publicly available: one for the outside interface (209.165.200.225) of the adaptive security appliance, and one for the public IP address of the DMZ web server (209.165.200.226). The following procedure describes how to use ASDM to configure the adaptive security appliance for secure communications between HTTP clients and the web server.
In this DMZ scenario, the adaptive security appliance already has an outside interface configured, called dmz. Set up the adaptive security appliance interface for your DMZ by using the Startup Wizard. Ensure that the security level is set between 0 and 100. (A common choice is 50.)
Information to Have Available
Before you begin this configuration procedure, gather the following information:
Internal IP addresses of the servers inside the DMZ that you want to make available to clients on the public network (in this scenario, a web server).
External IP addresses to be used for servers inside the DMZ. (Clients on the public network will use the external IP address to access the server inside the DMZ.)
Client IP address to substitute for internal IP addresses in outgoing traffic. (Outgoing client traffic will appear to come from this address so that the internal IP address is not exposed.)
Step 1: Configure IP Pools for Network Translations.
For an inside HTTP client (10.10.10.10) to access the web server on the DMZ network (10.30.30.30), it is necessary to define a pool of IP addresses (10.30.30.50–10.30.30.60) for the DMZ interface. Similarly, an IP pool for the outside interface (209.165.200.225) is required for the inside HTTP client to communicate with any device on the public network. Use ASDM to manage IP pools efficiently and to facilitate secure communications between protected network clients and devices on the Internet.
1. Launch ASDM by entering this factory default IP address in the address field of a web browser: https://192.168.1.1/admin/.
Note Remember to add the “s” in “https” or the connection fails. HTTPS (HTTP over SSL) provides a secure connection between your browser and the adaptive security appliance.
2. Click Configuration at the top of the ASDM window.
3. Choose the NAT feature on the left side of the ASDM window.
4. Click Manage Pools at the bottom of the ASDM window. The Manage Global Address Pools dialog box appears, allowing you to add or edit global address pools.
Note For most configurations, global pools are added to the less secure, or public, interfaces.
5. In the Manage Global Address Pools dialog box:
a. Choose the dmz interface (configured using the Startup Wizard before beginning this procedure).
b. Click Add. The Add Global Pool Item dialog box appears.
6. In the Add Global Pool Item dialog box:
a. Choose dmz from the Interface drop-down menu.
b. Click Range to enter the IP address range.
c. Enter the range of IP addresses for the DMZ interface. In this scenario, the range is 209.165.200.230 to 209.165.200.240.
d. Enter a unique Pool ID. In this scenario, the Pool ID is 200.
e. Click OK to return to the Manage Global Address Pools dialog box.
Note You can also choose Port Address Translation (PAT), or PAT using the IP address of the interface, if there are limited IP addresses available for the DMZ interface.
7. In the Manage Global Address Pools dialog box:
a. Choose the outside interface.
b. Click Add.
8. When the Add Global Pool Item dialog box appears:
a. Choose outside from the Interface drop-down menu.
b. Click Port Address Translation (PAT) using the IP address of the interface.
c. Assign the same Pool ID for this pool as you did in Step 6d. (For this scenario, the Pool ID is 200.)
d. Click OK. The displayed configuration should be similar to the following:
9. Confirm that the configuration values are correct, then:
a. Click OK.
b. Click Apply in the main ASDM window.
Note Because there are only two public IP addresses available, with one reserved for the DMZ server, all traffic initiated by the inside HTTP client exits the adaptive security appliance using the outside interface IP address. This configuration allows traffic from the inside client to be routed to and from the Internet.
Step 2: Configure Address Translations on Private Networks.
Network Address Translation (NAT) replaces the source IP addresses of network traffic exchanged between two interfaces on the adaptive security appliance. This translation permits routing through the public networks while preventing internal IP addresses from being exposed on the public networks.
Port Address Translation (PAT) is an extension of the NAT function that allows several hosts on a private network to map into a single IP address on the public network. PAT is essential for small and medium businesses that have a limited number of public IP addresses available to them.
To configure NAT between the inside interface and the DMZ interface for the inside HTTP client, perform the following steps starting from the main ASDM page:
1. Click Configuration at the top of the ASDM window.
2. Choose the NAT feature on the left side of the ASDM window.
3. Click Translation Rules, and then click Add at the right side of the ASDM page.
4. In the Add Address Translation Rule dialog box, make sure that Use NAT is selected, and then choose the inside interface.
5. Enter the IP address of the inside client. In this scenario, the IP address is 10.10.10.10.
6. Choose 255.255.255.224 from the Mask drop-down menu.
7. Select the DMZ interface from the Translate Address on Interface drop-down menu.
8. Click Dynamic in the Translate Address To section.
9. Choose 200 from the Address Pools drop-down menu for the Pool ID.
10. Click OK.
11. A dialog box appears asking if you want to proceed. Click Proceed.
12. On the NAT Translation Rules page, check the displayed configuration for accuracy.
13. Click Apply to complete the adaptive security appliance configuration changes.
The displayed configuration should be similar to the following:
Step 3: Configure External Identity for the DMZ Web Server.
The DMZ web server needs to be easily accessible by all hosts on the Internet. This configuration requires translating the web server’s IP address so that it appears to be located on the Internet, enabling outside HTTP clients to access it unaware of the adaptive security appliance. Complete the following steps to map the web server IP address (10.30.30.30) statically to a public IP address (209.165.200.225):
1. Click Configuration at the top of the ASDM window.
2. Choose the NAT feature on the left side of the ASDM window.
3. Click Translation Rules, then click Add at the right side of the page.
4. Choose the outside dmz interface from the drop-down list of interfaces.
5. Enter the IP address (10.30.30.30) for the web server.
6. Choose 255.255.255.224 from the Mask drop-down menu, then click Static.
7. Enter the external IP address (209.165.200.226) for the web server. Then click OK.
8. Verify the values that you entered, then click Apply.
The displayed configuration should be similar to the following:
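As an added example that is not part of this guide, the following shows Steps 1 through 3 of the DMZ scenario as the equivalent pre-8.3 ASA CLI, so that the pools, dynamic rule and static rule built in the ASDM dialogs can be recognised in a running configuration. The single-host netmask on the static entry and the access list that enforces the scenario's stated policy (HTTP to the web server from any Internet client, everything else denied) are assumptions, not steps shown on this page; the access-list name is a placeholder.

```cisco
! Added example: CLI equivalent of Scenario 1, Steps 1-3 (pre-8.3 NAT syntax)
! Not copied from the guide; values are the ones used in the ASDM dialogs above.
!
! Step 1: global pools, both tagged with Pool ID 200
! dmz pool as entered in the Add Global Pool Item dialog
global (dmz) 200 209.165.200.230-209.165.200.240
! outside: PAT using the interface address (209.165.200.225)
global (outside) 200 interface
!
! Step 2: dynamic NAT for the inside client. The dialog takes 10.10.10.10 with
! mask 255.255.255.224, which the appliance stores as the 10.10.10.0/27 network.
nat (inside) 200 10.10.10.0 255.255.255.224
!
! Step 3: static translation giving the DMZ web server its public identity
! (single-host netmask is an assumption; the dialog above uses 255.255.255.224)
static (dmz,outside) 209.165.200.226 10.30.30.30 netmask 255.255.255.255
!
! Not among Steps 1-3 on this page: inbound traffic on the outside interface is
! denied by default, so the scenario's policy (HTTP only, to the web server only)
! still needs an access list that references the translated (public) address.
! The name outside_access_in is a placeholder.
access-list outside_access_in extended permit tcp any host 209.165.200.226 eq www
access-group outside_access_in in interface outside
```

After applying the configuration, show xlate is the quickest check: the static entry for 10.30.30.30 appears immediately, whereas dynamic and PAT entries for the inside client appear only after that client has sent traffic toward the DMZ or the Internet. If the static entry is missing, the translation rule was not applied; if outside clients still cannot reach the web server while the static entry is present, the access list (or its access-group binding) is the usual cause.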