Cisco ASA 1000V Cloud Firewall Getting Started Guide
Configuring the ASA 1000V Using ASDM


ASDM is a graphical user interface that allows you to manage the ASA 1000V from any location through a web browser. With ASDM, you can use wizards to configure basic and advanced features.

This chapter includes the following sections:

Launching ASDM

Running the Startup Wizard in ASDM

Registering the ASA 1000V Using ASDM

Creating and Configuring Edge Security Profiles in ASDM

Creating Security Profiles in VSM in ASDM Mode

Making Internal Services Accessible from the Internet

Running the Site-to-Site Wizard to Configure VPN Tunnels

Other Wizards in ASDM

Advanced Configuration

Launching ASDM

You can launch ASDM for the ASA 1000V after completing the tasks in the "Setting Up ASDM to Be Used by the ASA 1000V" section.

See the Cisco ASA 1000V ASDM Release Notes for the requirements to run ASDM.

Detailed Steps


Step 1 In the Address field, enter the following URL:

https://ip_address_of_management_interface/admin

The Cisco ASDM web page appears.

Step 2 Click Run Startup Wizard.

Step 3 Accept any certificates according to the dialog boxes that appear.

The Cisco ASDM-IDM Launcher appears.

Step 4 Leave the username and password fields empty, and click OK.

The main ASDM window appears and the Startup Wizard opens.


Running the Startup Wizard in ASDM

Run the Startup Wizard to modify the existing configuration so that you can customize the security policy to suit your deployment.

Detailed Steps


Step 1 In the main ASDM window, choose Wizards > Startup Wizard.

Step 2 Follow the instructions in the Startup Wizard to configure your ASA 1000V.

Step 3 While running the wizard, you can accept the default settings or change them as required. (For information about any wizard field, click Help.)


Registering the ASA 1000V Using ASDM

When ASDM is used to manage policies for the ASA 1000V, the Cisco VNMC appliance must be installed because it coordinates the creation and use of security profiles between Cisco Nexus 1000V and the ASA 1000V. For this reason, the ASA 1000V should be configured with a user account that has privileges to create and delete security profiles in Cisco VNMC.

See the Cisco VNMC documentation for information about creating user accounts.

Detailed Steps


Step 1 Choose Configuration > Device Setup > Interfaces. The Interfaces panel appears.

Step 2 If necessary, expand the VNMC parameters section by clicking the Show VNMC Parameters section bar. The VNMC Access Parameters section appears.

Step 3 In the Host Address field, enter the IP address or hostname of the host on which the Cisco VNMC is running. The IP address might have been provided already through OVF deployment.

Step 4 In the Username and Password fields, enter the username and password that are the login credentials for the Cisco VNMC. The credentials must allow creation and deletion of all objects in Cisco VNMC.

Step 5 Under Shared Secret, enter and verify the shared secret for encryption of the ASA 1000V connection to the Cisco VNMC. The shared secret that you specify must match what was configured during Cisco VNMC OVF deployment.

Step 6 Under Organizational Path, enter an Organization Path for this instance of the ASA 1000V.

In this example, the ASA 1000V is configured with root/Fanta-ASDM. The ASA 1000V is attached as an edge firewall for the tenant called Fanta-ASDM under root in Cisco VNMC. (You can also create nested paths, such as root/tenant1/datacenter1/application1/tier1/ASA1.)

Each ASA 1000V instance must belong to a different organization hierarchy in Cisco VNMC so that profiles created by one ASA 1000V do not collide with those created by another ASA 1000V. The organization hierarchy can be thought of as an absolute path name of a file in a file system starting at root.

Each ASA 1000V, including those managed through Cisco VNMC, must be configured with a unique path name that does not collide with that of any other ASA 1000V.


Note Policies created in Cisco VNMC at the same level do not work on an ASA 1000V managed through ASDM.


Step 7 Under Security Profiles, click Add.

The Add Security Profile dialog box appears.

Step 8 Complete the fields in the Add Security Profile dialog box to specify the physical interface to use for sending or receiving vPath traffic from the Cisco Nexus 1000V. The interface name you specify allows vPath traffic to enter the ASA 1000V.


Creating and Configuring Edge Security Profiles in ASDM

Edge security profiles are created in ASDM, then sent to the ASA 1000V. ASDM does not include options to configure Cisco VNMC device profiles or edge device profiles. Policies that belong to these profiles are natively configured through ASDM.

For the steps to create edge security profiles in ASDM, see step 7 in Registering the ASA 1000V Using ASDM.

An edge security profile is created by creating an interface security profile and assigning a security profile name to it. A security profile defined in ASDM creates an edge security profile with the same name in Cisco VNMC automatically, and it can be used in port profiles.

Each ASA 1000V instance must also belong to a different organization hierarchy in Cisco VNMC so that profiles created by one ASA 1000V do not collide with those created by another ASA 1000V. The organization hierarchy can be thought of as an absolute path name of a file in a file system starting at root.

Each ASA 1000V, including those managed through Cisco VNMC, must be configured with a unique path name that does not collide with that of any other ASA 1000V.

For example, the ASA 1000V is configured with root/tenant1/DC1/App1/ASA-51. The ASA 1000V is attached as an edge firewall for the tenant tenant1 under root/tenant1/DC1/App1/ASA-51 in Cisco VNMC. Policies created in Cisco VNMC at the same level do not work on an ASA 1000V managed through ASDM.
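The unique-path requirement stated here and in Step 6 of Registering the ASA 1000V Using ASDM can be checked before deployment. The following Python sketch is an added example, not part of the Cisco guide or any Cisco tool: it audits a planned inventory for organizational paths claimed by more than one ASA 1000V. The instance names are hypothetical, path components are compared case-sensitively (an assumption), and ancestor/descendant pairs are only listed for review because the guide does not say whether they collide.

```python
from collections import defaultdict

# Constructed inventory: instance names are hypothetical; paths reuse the guide's examples.
INVENTORY = {
    "asa-edge-1": "root/Fanta-ASDM",
    "asa-edge-2": "root/tenant1/DC1/App1/ASA-51",
    "asa-edge-3": "root/tenant1/DC1/App1/ASA-51/",  # same path, trailing slash
    "asa-edge-4": "root/tenant1/DC1",               # ancestor of asa-edge-2's path
}

def normalize(path):
    """Split an org path into components; it must start at root with no empty levels."""
    parts = [p.strip() for p in path.strip().strip("/").split("/")]
    if parts[0] != "root" or any(not p for p in parts):
        raise ValueError(f"invalid organizational path: {path!r}")
    return tuple(parts)

def audit(inventory):
    """Return (collisions, nested) for a {instance_name: org_path} mapping.

    collisions: paths configured on more than one instance (violates the guide).
    nested:     (ancestor, descendant) path pairs, reported for review only.
    """
    by_path = defaultdict(list)
    for name, path in inventory.items():
        by_path[normalize(path)].append(name)
    collisions = {"/".join(p): sorted(names)
                  for p, names in by_path.items() if len(names) > 1}
    paths = sorted(by_path)
    nested = [("/".join(a), "/".join(b)) for a in paths for b in paths
              if len(a) < len(b) and b[:len(a)] == a]
    return collisions, nested

if __name__ == "__main__":
    collisions, nested = audit(INVENTORY)
    for path, names in collisions.items():
        print(f"COLLISION {path}: {', '.join(names)}")
    for parent, child in nested:
        print(f"REVIEW    {parent} is an ancestor of {child}")
```
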

Creating Security Profiles in VSM in ASDM Mode

Follow the steps in the "Configuring Security Profiles in VSM" section to complete this task.

Making Internal Services Accessible from the Internet

The Public Server pane automatically configures the security policy to make an inside server accessible from the Internet. As a business owner, you might have internal network services, such as a web or FTP server, that need to be available to an outside user. You can place these services behind the ASA 1000V on a public server in the inside network. The ASA 1000V can allow outside access to its public servers. Any attacks launched against the public servers do not affect your inside networks.

Detailed Steps


Step 1 In the main ASDM window, choose Configuration > Firewall > Public Servers.

The Public Server pane appears.

Step 2 Click Add, then enter the public server settings in the Public Server dialog box. (For information about any field, click Help.)

Step 3 Click OK.

The server appears in the list.

Step 4 Click Apply to submit the configuration to the ASA 1000V.


Running the Site-to-Site Wizard to Configure VPN Tunnels

The VPN Wizard helps you configure basic IPsec site-to-site VPN connections.

Detailed Steps


Step 1 In the main ASDM window, choose Wizards > VPN Wizards > Site-to-Site VPN Wizard.

Step 2 Follow the wizard instructions. (For information about any wizard field, click Help.)


Other Wizards in ASDM

You can optionally run the following additional wizards in ASDM:

High Availability and Scalability Wizard—Configures active/standby failover.

Packet Capture Wizard—Configures and runs captures. The wizard runs one capture on each of the ingress and egress interfaces. After capturing packets, you can save the captures to your PC for examination and replay in the packet analyzer.

Advanced Configuration

To continue configuring your ASA 1000V, see the Cisco ASA 1000V CLI Configuration Guide or the Cisco ASA 1000V ASDM Configuration Guide at: ASA 1000V Documentation