Cisco ASA 5505 Getting Started Guide
Software Version 7.2

Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
http://www.cisco.com
Tel: 408 526-4000, 800 553-NETS (6387)
Fax: 408 526-4100

Customer Order Number: DOC-7817612=
Text Part Number: 78-17612-02...
• Scenario 1: Private Network with External Connectivity
• Scenario 2: Basic Installation with DMZ
• Scenario 3: IPSec Remote-Access VPN
• Scenario 4: Site-to-Site VPN
• Scenario 5: ASA 5505 Deployed as a Hardware VPN Client
• Configuration Procedures for Scenarios
• What to Do Next
• Planning for a VLAN Configuration...
CHAPTER
• Verifying the Package Contents
• PoE Ports and Devices
• Installing the Chassis
• Connecting to Network Interfaces
• Powering on the Cisco ASA 5505
• Setting Up a PC for System Administration
• Optional Procedures
• Connecting to the Console
• Installing a Cable Lock...
• Example IPSec Remote-Access VPN Network Topology
• Implementing the IPSec Remote-Access VPN Scenario
• Information to Have Available
• Starting ASDM
• Configuring the ASA 5505 for an IPSec Remote-Access VPN
• Selecting VPN Client Types
• Specifying the VPN Tunnel Group Name and Authentication Method
• Specifying a User Authentication Method...
CHAPTER Scenario: Easy VPN Hardware Client Configuration
• Using an ASA 5505 as an Easy VPN Hardware Client
• Client Mode and Network Extension Mode
• Configuring the Easy VPN Hardware Client
• Configuring Advanced Easy VPN Attributes...
To Do This... See...
Learn about VLANs and port allocation on the ASA 5505: Chapter 3, “Planning for a VLAN Configuration”
Install the chassis: Chapter 4, “Installing the ASA 5505”
Perform initial setup of the adaptive security appliance: Chapter 5, “Configuring the Adaptive Security Appliance”...
To Do This... (continued) See...
Refine configuration: Cisco Security Appliance Command Line Configuration Guide
Configure optional and advanced features: Cisco Security Appliance Command Reference; Cisco Security Appliance Logging Configuration and System Log Messages
• Scenario 3: IPSec Remote-Access VPN, page 2-5
• Scenario 4: Site-to-Site VPN, page 2-6
• Scenario 5: ASA 5505 Deployed as a Hardware VPN Client, page 2-7

Scenarios for Deployment Planning and Configuration

An extended adaptive security appliance deployment can include two or more of the different deployment scenarios described in this chapter.
[Figure: deployment scenarios. Labels: Scenario 1: Basic Installation; Scenario 2: Basic Installation with DMZ; Scenario 3: IPSec VPN Connection; Scenario 6: Site-to-Site VPN Connection; Adaptive Security Appliance; Web Server; Email Server]
PIX 501 security appliances in which devices behind the firewall can communicate internally and externally, you can keep the same deployment and replace the PIX 501 devices with ASA 5505 devices.
Internet.

Figure 2-3 Private Network with DMZ
[Figure labels: Outside Network (Internet Connection); Internet; Router; Adaptive Security Appliance; Web Server; Printer; Personal computers; Email Server; Private (Inside) Network]
[Figure labels: Adaptive Security Appliance; Personal computers running Cisco VPN Client software; Personal computer]

For information about how to configure an IPSec remote-access VPN deployment, see Chapter 7, “Scenario: IPSec Remote-Access VPN Configuration.”
[Figure labels: Adaptive Security Appliance 1; Adaptive Security Appliance 2; Printer; Personal computers]

For information about configuring a site-to-site VPN deployment, see Chapter 8, “Scenario: Site-to-Site VPN Configuration.”
Scenario 5: ASA 5505 Deployed as a Hardware VPN Client In this scenario, an ASA 5505 is deployed as a hardware client (sometimes called a remote device). Deploying one or more VPN hardware clients in conjunction with a VPN headend device enables companies with multiple sites to establish secure communications among them and share network resources.
[Figure labels: Cisco IOS router with IPSec support; Central LAN]

For information about how to configure the ASA 5505 as a VPN hardware client, see Chapter 9, “Scenario: Easy VPN Hardware Client Configuration.”

Configuration Procedures for Scenarios

Each deployment scenario in this chapter has a corresponding configuration chapter in this document that describes how to configure the ASA 5505 for that type of deployment.
To Configure the ASA 5505 For This Scenario... See This Chapter...
Scenario 1: Private Network with External Connectivity: Chapter 5, “Configuring the Adaptive Security Appliance”
Scenario 2: Basic Installation with DMZ: Chapter 6, “Scenario: DMZ Configuration”...
• Understanding VLANs on the ASA 5505

After you have made a decision about how to deploy the ASA 5505 in your network, you must decide how many VLANs you need to support that deployment and how many ports to allocate to each VLAN.
• About Physical Ports on the ASA 5505

The ASA 5505 has a built-in switch with eight Fast Ethernet ports, called switch ports. Two of the eight physical ports are Power over Ethernet (PoE) ports. You can connect PoE ports directly to user equipment such as PCs, IP phones, or a DSL modem.
Understanding VLANs on the ASA 5505

Before you can enable a switch port on the ASA 5505, it must be assigned to a VLAN. With the Base platform, each switch port can be assigned to only one VLAN at a time.
Because there are only 8 physical ports, the additional VLANs are useful for assigning to trunk ports, which aggregate multiple VLANs on a single physical port.

Note The ASA 5505 adaptive security appliance supports active and standby failover, but not Stateful Failover.

Deployment Scenarios Using VLANs

The number of VLANs you need depends on the complexity of the network into which you are installing the adaptive security appliance.
VLAN consists of a single ISP connection using an external WAN router. In Figure 3-1, the Inside VLAN uses four switch ports on the ASA 5505 and the Outside VLAN uses only one. Three switch ports are unused.
PIX 501 security appliances in which devices behind the firewall can communicate internally and externally, you can keep the same deployment and replace the PIX 501 devices with ASA 5505 devices. If this same customer needed to have two Internet connections, the Outside VLAN...
In this example, three physical switch ports are allocated to the Inside VLAN, two switch ports are allocated to the DMZ VLAN, and one switch port is allocated to the Outside VLAN. Two switch ports are left unused.
• Inside and DMZ VLANs

In this case, the ASA 5505 protects the critical assets on the Inside (Work) VLAN so that these devices cannot be infected by traffic from the DMZ (Home) VLAN. To enable devices in the Inside (Work) VLAN to establish secure connections...
[Figure labels: Game System; DMZ (Home) VLAN]

In this example, the physical ports of the ASA 5505 are used as follows:
• The Inside (Work) VLAN consists of three physical switch ports, one of which is a Power over Ethernet (PoE) switch port that is used for an IP phone.
CHAPTER Installing the ASA 5505

This chapter describes how to install the Cisco ASA 5505 adaptive security appliance. This chapter includes the following sections:
• Verifying the Package Contents, page 4-1
• PoE Ports and Devices, page 4-3
• ...
Verifying the Package Contents

Figure 4-1 Contents of Cisco ASA 5505 Package [figure]
PoE Ports and Devices

On the Cisco ASA 5505, switch ports Ethernet 0/6 and Ethernet 0/7 support PoE devices that are compliant with the IEEE 802.3af standard, such as IP phones or wireless access points. If you install a non-PoE device or do not connect to these switch ports, the adaptive security appliance does not supply power to the ports and the device must be powered on its own.
You can wall-mount or rack-mount the Cisco ASA 5505. The part number for ordering a wall-mount kit for the Cisco ASA 5505 is ASA-5505-WALL-MNT=; the part number for ordering a rack-mount kit for the Cisco ASA 5505 is ASA5505-RACK-MNT=. For information on wall-mounting or rack-mounting the Cisco ASA 5505, see "Mounting the ASA 5505 Chassis"...
0 through 5 are switched ports and ports 6 and 7 are PoE ports; both require that you connect a straight-through cable.
For more information about using ASDM for setup and configuration, see Chapter 5, “Configuring the Adaptive Security Appliance.”

To set up a PC from which you can configure and manage the Cisco ASA 5505, perform the following steps:

Step 1 Make sure that the speed of the PC interface to be connected to one of the Cisco ASA 5505 inside ports is set to autonegotiate.
Step 3 Use an Ethernet cable to connect the PC to a switched inside port on the rear panel of the Cisco ASA 5505 (one of the ports numbered 1 through 7).

Step 4 Check the LINK LED to verify that the PC has basic connectivity to the Cisco ASA 5505.
Connecting to the Console You can access the command line for administration using the console port on the Cisco ASA 5505. To do so, you must run a serial terminal emulator on a PC or workstation, as shown in Figure 4-3.
Step 2 Attach the cable lock to the lock slot on the back panel of the Cisco ASA 5505.

Ports and LEDs

This section describes the front and rear panels of the ASA 5505. This section...
Figure 4-4 shows the front panel of the Cisco ASA 5505.

Figure 4-4 ASA 5505 Front Panel
[Figure labels: LINK/ACT; Power; Status; Active; 100 MBPS; Cisco ASA 5505 series Adaptive Security Appliance]

Port / LED...
If the LINK/ACT LED does not light up, the link could be down if there is a duplex mismatch. You can fix the problem by changing the settings either on the Cisco ASA 5505 or on the other end. If auto-negotiation is disabled (it is enabled by default), you might be using the wrong type of cable.
Rear Panel Components

Figure 4-5 shows the back panel of the Cisco ASA 5505.

Figure 4-5 ASA 5505 Rear Panel
[Figure labels: Security Services Card Slot; Console; power; RESET; POWER over ETHERNET]

Port or LED...
What to Do Next

Continue with Chapter 5, “Configuring the Adaptive Security Appliance.”
CHAPTER Configuring the Adaptive Security Appliance

This chapter describes the initial configuration of the adaptive security appliance. You can perform the configuration steps using either the browser-based Cisco Adaptive Security Device Manager (ASDM) or the command-line interface (CLI). The procedures in this chapter describe how to configure the adaptive security appliance using ASDM.
DHCP address from the adaptive security appliance to connect to the appliance. Administrators can then configure and manage the adaptive security appliance using ASDM. For more information about CLI configuration, see the Cisco Security Appliance Command Line Configuration Guide.
In addition to the ASDM web configuration tool, you can configure the adaptive security appliance by using the command-line interface. For more information, see the Cisco Security Appliance Command Line Configuration Guide and the Cisco Security Appliance Command Reference.
Static routes to be configured.
• If you want to create a DMZ, you must create a third VLAN and assign ports to that VLAN. (By default, there are two VLANs configured.)
To use the Startup Wizard to set up a basic configuration for the adaptive security appliance, perform the following steps:

Step 1 If you have not already done so, connect a PC to a switch port on the ASA 5505. Locate an Ethernet cable, which has an RJ-45 connector on each end.
Step 6 Follow the instructions in the Startup Wizard to set up your adaptive security appliance. For information about any field in the Startup Wizard, click Help at the bottom of the window.
CHAPTER Scenario: DMZ Configuration

Note Cisco ASA 5505 DMZ configurations are possible only with the Security Plus license.

This chapter includes the following sections:
• Example DMZ Network Topology, page 6-1
• Configuring the Security Appliance for a DMZ Deployment, page 6-5
• What to Do Next, page 6-18
• The network has one routable IP address that is publicly available: the outside interface of the adaptive security appliance (209.165.200.225).

Figure 6-2 shows the outgoing traffic flow of HTTP requests from the private network to both the DMZ web server and to the Internet.
The DMZ web server returns the HTTP content to the adaptive security appliance with a destination address of the real IP address of the internal client.
[Figure labels: Internet; Destination IP address translated to the private IP address of the web server; Web server receives request for content; DMZ Web Server: Private IP address 10.30.30.30, Public IP address 209.165.200.226]
The following sections provide detailed instructions for how to perform each step.

Configuration Requirements

Configuring the adaptive security appliance for this DMZ deployment requires the following:
• Internal clients need to be able to communicate with devices on the Internet.
Note Remember to add the “s” in “https,” or the connection fails. HTTP over SSL (HTTPS) provides a secure connection between your browser and the adaptive security appliance.

The ASDM main window appears.
(that is, the public IP address of the adaptive security appliance). Outgoing traffic appears to come from this address. The ASA 5505 comes with a default configuration that includes the necessary address translation rule. Unless you want to change the IP address of the inside interface, you do not need to configure any settings to allow inside clients to access the Internet.
Step 1 In the ASDM main window, click the Configuration tool.

Step 2 In the Features pane, click NAT.

Step 3 From the Add drop-down list, choose Add Static NAT Rule. The Add Static NAT Rule dialog box appears.
Click OK to add the static NAT rule and return to the Configuration > NAT pane.

Step 6 Review the configuration pane to verify that the translation rule appears as you expected. The rule should appear similar to the following:
Step 2 From the Add drop-down list, choose Add Static NAT Rule. The Add Static NAT Rule dialog box appears.

Step 3 In the Real Address area, do the following: From the Interface drop-down list, choose DMZ.
From the Interface drop-down list, choose Inside. Enter or choose from the IP Address drop-down list the real address of the DMZ web server. In this scenario, the IP address is 10.30.30.30.
To map the real web server IP address (10.30.30.30) statically to a public IP address (209.165.200.225), perform the following steps:

Step 1 In the ASDM main window, choose Configuration > NAT.
IP address of the adaptive security appliance. To configure Port Address Translation, perform the following steps: Check the Enable Port Address Translation (PAT) check box. From the Protocol drop-down list, choose tcp. In the Original Port field, enter 80.
Step 6 Confirm that the rule was created the way you expected. The displayed configuration should be similar to the following:

Step 7 Click Apply to complete the adaptive security appliance configuration changes.
From the Interface drop-down list, choose Outside.

Step 5 In the Protocol and Service area, specify the type of traffic that you want to permit through the adaptive security appliance. From the Protocol drop-down list, choose tcp.
Click OK to return to the Security Policy > Access Rules pane.

Step 6 The displayed configuration should be similar to the following. Verify that the information you entered is accurate.
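The two static translations for the DMZ web server (plain static NAT toward Inside, tcp/80 static PAT toward Outside) and the Outside access rule can be modelled to check which packets the appliance translates and permits. The Python below is an added example, not code from the guide; it assumes the pre-8.3 evaluation order (the Outside access rule matches the public, mapped address before the destination is untranslated), a DMZ security level of 50, and constructed client addresses.

```python
"""Model of the guide's DMZ scenario: the DMZ web server 10.30.30.30 is
reachable as 209.165.200.225 from the Inside (all ports, static NAT) and
from the Outside (tcp/80 only, static PAT), with one Outside access rule.
Added example; security levels and client addresses are constructed."""
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple, Union


@dataclass(frozen=True)
class Packet:
    iface: str          # interface the packet is seen on
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class StaticRule:
    real_if: str
    real_ip: str
    mapped_if: str
    mapped_ip: str
    proto: Optional[str] = None      # None: every protocol/port (static NAT)
    real_port: Optional[int] = None  # set only for static PAT
    mapped_port: Optional[int] = None


@dataclass(frozen=True)
class AccessRule:
    interface: str   # interface the rule is applied to (inbound)
    proto: str
    dst: str         # pre-8.3 behaviour: the mapped (public) address as received
    dport: int


WEB_REAL = "10.30.30.30"    # real DMZ address, from the guide
PUBLIC = "209.165.200.225"  # outside interface address, from the guide
SECURITY_LEVEL = {"Inside": 100, "DMZ": 50, "Outside": 0}  # DMZ level assumed

STATIC_RULES = [
    StaticRule("DMZ", WEB_REAL, "Inside", PUBLIC),                  # Inside -> DMZ, any port
    StaticRule("DMZ", WEB_REAL, "Outside", PUBLIC, "tcp", 80, 80),  # Outside -> DMZ, tcp/80
]
ACCESS_RULES = [AccessRule("Outside", "tcp", PUBLIC, 80)]


def _translation_for(pkt: Packet) -> Optional[StaticRule]:
    """Find the static rule whose mapped side matches the arriving packet."""
    for rule in STATIC_RULES:
        if rule.mapped_if != pkt.iface or rule.mapped_ip != pkt.dst:
            continue
        if rule.proto is None or (rule.proto == pkt.proto and rule.mapped_port == pkt.dport):
            return rule
    return None


def _permitted(pkt: Packet, egress: str, access_rules: List[AccessRule]) -> bool:
    """Higher-to-lower security traffic passes by default; lower-to-higher
    traffic needs an explicit permit on the ingress interface."""
    if SECURITY_LEVEL[pkt.iface] > SECURITY_LEVEL[egress]:
        return True
    return any(r.interface == pkt.iface and r.proto == pkt.proto
               and r.dst == pkt.dst and r.dport == pkt.dport for r in access_rules)


def forward(pkt: Packet, access_rules: List[AccessRule] = ACCESS_RULES
            ) -> Tuple[Optional[str], Union[Packet, str]]:
    """Return (egress interface, translated packet), or (None, drop reason)."""
    rule = _translation_for(pkt)
    if rule is None:
        return None, "no translation for destination"
    if not _permitted(pkt, rule.real_if, access_rules):
        return None, "denied by access rule"
    dport = rule.real_port if rule.real_port is not None else pkt.dport
    return rule.real_if, replace(pkt, iface=rule.real_if, dst=rule.real_ip, dport=dport)


def server_reply(request: Packet, translated: Packet) -> Packet:
    """The server answers to the client's real address; the appliance only
    rewrites the source back to the mapped address of the connection."""
    raw = Packet(translated.iface, translated.dst, translated.dport,
                 request.src, request.sport, request.proto)
    return replace(raw, iface=request.iface, src=request.dst, sport=request.dport)


if __name__ == "__main__":
    req = Packet("Outside", "198.51.100.7", 40000, PUBLIC, 80)  # constructed client
    egress, xlated = forward(req)
    print(egress, xlated)
    print(server_reply(req, xlated))
    print(forward(Packet("Outside", "198.51.100.7", 40001, PUBLIC, 443)))
```

Removing the access rule from the list shows that the PAT entry alone does not admit outside traffic; a request to any port other than 80 is dropped because no translation exists for it.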
Alternatively, ASDM prompts you to save the configuration changes permanently when you exit ASDM. If you do not save the configuration changes, the previous configuration takes effect the next time that the device starts.
The following sections provide configuration procedures for other common applications of the adaptive security appliance.

To Do This... See...
Configure a remote-access VPN: Chapter 7, “Scenario: IPSec Remote-Access VPN Configuration”
Configure a site-to-site VPN: Chapter 8, “Scenario: Site-to-Site VPN Configuration”
Example IPSec Remote-Access VPN Network Topology

Figure 7-1 shows an adaptive security appliance configured to accept requests from and establish IPSec connections with VPN clients, such as Cisco Easy VPN software or hardware clients, over the Internet.
• Information to Have Available, page 7-3
• Starting ASDM, page 7-3
• Configuring the ASA 5505 for an IPSec Remote-Access VPN, page 7-5
• Selecting VPN Client Types, page 7-6
• Specifying the VPN Tunnel Group Name and Authentication Method, ...
– List of IP addresses for local hosts, groups, and networks that should be made accessible to authenticated remote clients

Starting ASDM

To run ASDM in a web browser, enter the factory default IP address in the address field: https://192.168.1.1/admin/.
Note Remember to add the “s” in “https” or the connection fails. HTTP over SSL (HTTPS) provides a secure connection between your browser and the adaptive security appliance.

The main ASDM window appears.
Configuring the ASA 5505 for an IPSec Remote-Access VPN

To begin the process for configuring a remote-access VPN, perform the following steps:

Step 1 In the main ASDM window, choose VPN Wizard from the Wizards drop-down menu.
Step 1 Specify the type of VPN client that will enable remote users to connect to this adaptive security appliance. For this scenario, click the Cisco VPN Client radio button. You can also use any other Cisco Easy VPN remote product.
• To use a static preshared key for authentication, click the Pre-Shared Key radio button and enter a preshared key (for example, “Cisco”). This key is used for IPSec negotiations between the adaptive security appliances.
• To use digital certificates for authentication, click the Certificate radio...
Step 2 Enter a Tunnel Group Name (such as “Cisco”) for the set of users that use common connection parameters and client attributes to connect to this adaptive security appliance.
Click the Authenticate Using an AAA Server Group radio button. Choose a preconfigured server group from the Authenticate using an AAA server group drop-down list, or click New to add a new AAA server group.

Step 3 Click Next to continue.
In Step 5 of the VPN Wizard, perform the following steps:

Step 1 To add a new user, enter a username and password, and then click Add.

Step 2 When you have finished adding new users, click Next to continue.
(Optional) Enter a subnet mask or choose a subnet mask for the range of IP addresses from the Subnet Mask drop-down list. Click OK to return to Step 6 of the VPN Wizard.
Easy VPN hardware client when a connection is established. Make sure that you specify the correct values, or remote clients will not be able to use DNS names for resolution or use Windows networking.
IKE is a negotiation protocol that includes an encryption method to protect data and ensure privacy; it is also an authentication method to ensure the identity of the peers. In most cases, the ASDM default values are sufficient to establish secure VPN tunnels.
Step 1 Choose the Encryption (DES/3DES/AES), authentication algorithms (MD5/SHA), and the Diffie-Hellman group (1/2/5/7) used by the adaptive security appliance during an IKE security association.

Step 2 Click Next to continue.
Configuring IPSec Encryption and Authentication Parameters

In Step 9 of the VPN Wizard, perform the following steps:

Step 1 Click the Encryption algorithm (DES/3DES/AES) and authentication algorithm (MD5/SHA).

Step 2 Click Next to continue.
Step 1 Specify hosts, groups, and networks that should be in the list of internal resources made accessible to authenticated remote users. To add or remove hosts, groups, and networks dynamically from the Selected Hosts/Networks pane, click Add or Delete, respectively.
Step 2

Verifying the Remote-Access VPN Configuration

In Step 11 of the VPN Wizard, review the configuration attributes for the new VPN tunnel. The displayed configuration should be similar to the following:
To establish end-to-end, encrypted VPN tunnels for secure connectivity for mobile employees or teleworkers, obtain the Cisco VPN client software. For more information about the Cisco Systems VPN client, see the following URL: http://www.cisco.com/en/US/products/sw/secursw/ps2308/index.html. If you are deploying the adaptive security appliance solely in a remote-access VPN environment, you have completed the initial configuration.
What to Do Next

To Do This... See...
Configure the adaptive security appliance to protect a web server in a DMZ: Chapter 6, “Scenario: DMZ Configuration”
Configure a site-to-site VPN: Chapter 8, “Scenario: Site-to-Site VPN Configuration”
• Configuring the Other Side of the VPN Connection, page 8-13
• What to Do Next, page 8-14

Example Site-to-Site VPN Network Topology

Figure 8-1 shows an example VPN tunnel between two adaptive security appliances.
VPN deployment, using example parameters from the remote-access scenario shown in Figure 8-1. This section includes the following topics:
• Information to Have Available, page 8-3
• Configuring the Site-to-Site VPN, page 8-3
To run ASDM in a web browser, enter the factory default IP address in the address field: https://192.168.1.1/admin/.

Note Make sure you add the “s” in “https,” or the connection fails. HTTP over SSL (HTTPS) provides a secure connection between your browser and the adaptive security appliance.
To configure Security Appliance 1, perform the following steps:

Step 1 In the ASDM main window, choose the VPN Wizard option from the Wizards drop-down menu. ASDM opens the first VPN Wizard screen.
VPN concentrators, or other devices that support site-to-site IPSec connectivity. From the VPN tunnel Interface drop-down list, choose Outside as the enabled interface for the current VPN tunnel. Click Next to continue.
• To use a static preshared key for authentication, click the Pre-Shared Key radio button and enter a preshared key (for example, “Cisco”). This key is used for IPSec negotiations between the adaptive security appliances. For site-to-site connections with pre-shared key authentication such...
In Step 3 of the VPN Wizard, perform the following steps:

Step 1 Click the Encryption (DES/3DES/AES), authentication algorithms (MD5/SHA), and the Diffie-Hellman group (1/2/5) used by the adaptive security appliance during an IKE security association.
Note When configuring Security Appliance 2, enter the same values for each of the options that you chose for Security Appliance 1. Encryption mismatches are a common cause of VPN tunnel failures and can slow down the process.

Step 2 Click Next to continue.
In Step 4 of the VPN Wizard, perform the following steps:

Step 1 Choose the encryption algorithm (DES/3DES/AES) from the Encryption drop-down list, and the authentication algorithm (MD5/SHA) from the Authentication drop-down list.

Step 2 Click Next to continue.
(...) button to select from a list of hosts and networks.

Note If a remote peer has a dynamic IP address, you can use the hostname as the peer IP address.
In Step 6 of the VPN Wizard, review the configuration settings for the VPN tunnel that you just created. If you are satisfied with the configuration settings, click Finish to apply the changes to the adaptive security appliance.
ASDM. If you do not save the configuration changes, the previous configuration takes effect the next time that the device starts. This concludes the configuration process for Security Appliance 1.
For information about verifying or troubleshooting the configuration for the Site-to-Site VPN, see the section "Troubleshooting the Security Appliance" in the Cisco Security Appliance Command Line Configuration Guide. For specific troubleshooting issues, see the Troubleshooting Technotes at the following location: http://www.cisco.com/en/US/products/ps6120/prod_tech_notes_list.html...
• debug crypto isakmp sa

See also the Cisco Security Appliance Command Reference for detailed information about each of these commands.

What to Do Next

If you are deploying the adaptive security appliance only in a site-to-site VPN environment, then you have completed the initial configuration.
Easy VPN server at the main site and Easy VPN hardware clients at the remote offices. The Cisco ASA 5505 can function as a Cisco Easy VPN hardware client or as a Cisco Easy VPN server (sometimes called a “headend device”), but not both at the same time.
Cisco VPN 30xx, or Cisco IOS 12.2(8)T) When used as an Easy VPN hardware client, the ASA 5505 can also be configured to perform basic firewall services, such as protecting devices in a DMZ from unauthorized access. However, if the ASA 5505 is configured to function as an Easy VPN hardware client, it cannot establish other types of tunnels.
ASA 5505 running in Easy VPN Client Mode. When configured in Client Mode, devices on the inside interface of the ASA 5505 cannot be accessed by devices behind the Easy VPN server.
[Figure label fragment: LAN from remote LAN]

When configured in Easy VPN Network Extension Mode, the ASA 5505 does not hide the IP addresses of local hosts by substituting a public IP address. Therefore, hosts on the other side of the VPN connection can communicate directly with hosts on the local network.
Configuring the Easy VPN Hardware Client The Easy VPN server controls the security policies enforced on the ASA 5505 Easy VPN hardware client. However, to establish the initial connection to the Easy VPN server, you must complete some configuration locally.
ASDM. To configure the ASA 5505 as an Easy VPN hardware client, perform the following steps:

Step 1 At a PC that has access to the inside interface of the ASA 5505, start ASDM. Start a web browser. In the address field of the browser, enter the factory default IP address: https://192.168.1.1/.
Group Password radio button and enter a Group Name and Group Password.

Step 7 In the User Settings area, specify the User Name and User Password to be used by the ASA 5505 when establishing a VPN connection.
Easy VPN connection through the tunnel.

Note The public address of the ASA 5505 is not accessible when behind the NAT device unless you add static NAT mappings on the NAT device.
You may want to consider performing some of the following additional steps:

To Do This... See...
Configure the ASA 5505 to protect a DMZ web server: Chapter 6, “Scenario: DMZ Configuration”
Refine configuration and configure...
(SSH, ASDM, and so on), site-to-site VPN, and remote access VPN. You need an encryption license key to enable this license. If you are a registered user of Cisco.com and would like to obtain a 3DES/AES encryption license, go to the following website: http://www.cisco.com/go/license...
Step 4 hostname(config)# exit
Exits global configuration mode.

Step 5 hostname# copy running-config startup-config
Saves the configuration.

Step 6 hostname# reload
Reboots the adaptive security appliance and reloads the configuration.