Cisco ASA 5500 Series Getting Started Guide, 8.2
Configuring the Adaptive Security Appliance


Configuring the Adaptive Security Appliance


This chapter describes the initial configuration of the adaptive security appliance. You can perform the configuration steps using either the browser-based Cisco Adaptive Security Device Manager (ASDM) or the command-line interface (CLI). The procedures in this chapter describe how to configure the adaptive security appliance using ASDM.

This chapter includes the following sections:

About the Factory Default Configuration

Using the CLI for Configuration

Using the Adaptive Security Device Manager for Configuration

Running the ASDM Startup Wizard

What to Do Next

About the Factory Default Configuration

Cisco adaptive security appliances are shipped with a factory-default configuration that enables quick startup. The ASA 5500 series comes preconfigured with the following:

Two VLANs: VLAN 1 and VLAN 2

VLAN 1 has the following properties:

Named "inside"

Allocated switch ports Ethernet 0/1 through Ethernet 0/7

Security level of 100

IP address of 192.168.1.1 255.255.255.0

VLAN 2 has the following properties:

Named "outside"

Allocated switch port Ethernet 0/0

Security level of 0

Configured to obtain its IP address using DHCP

Inside interface to connect to the device and use ASDM to complete your configuration.

By default, the adaptive security appliance Inside interface is configured with a default DHCP address pool. This configuration enables a client on the inside network to obtain a DHCP address from the adaptive security appliance to connect to the appliance. Administrators can then configure and manage the adaptive security appliance using ASDM.

Using the CLI for Configuration

In addition to the ASDM web configuration tool, you can configure the adaptive security appliance by using the command-line interface.

You can get step-by-step examples of how to configure basic remote access and LAN-to-LAN connections in the CLI itself by using the vpnsetup ipsec-remote-access steps and vpnsetup site-to-site steps commands. For more information about these commands, see the Cisco ASA 5500 Series Command Reference.

For step-by-step configuration procedures for all functional areas of the adaptive security appliance, see the Cisco ASA 5500 Series Configuration Guide using the CLI.

Using the Adaptive Security Device Manager for Configuration

The Adaptive Security Device Manager (ASDM) is a feature-rich graphical interface that allows you to manage and monitor the adaptive security appliance. The web-based design provides secure access so that you can connect to and manage the adaptive security appliance from any location by using a web browser.

In addition to complete configuration and management capability, ASDM features intelligent wizards to simplify and accelerate the deployment of the adaptive security appliance.

This section includes the following topics:

Preparing to Use ASDM

Gathering Configuration Information for Initial Setup

Installing the ASDM Launcher

Starting ASDM with a Web Browser

Preparing to Use ASDM

Before you can use ASDM, perform the following steps:


Step 1 If you have not already done so, connect the MGMT interface to a switch or hub by using the Ethernet cable. To this same switch, connect a PC for configuring the adaptive security appliance.

Step 2 Configure your PC to use DHCP (to receive an IP address automatically from the adaptive security appliance), which enables the PC to communicate with the adaptive security appliance and the Internet as well as to run ASDM for configuration and management tasks.

Alternatively, you can assign a static IP address to your PC by selecting an address in the 192.168.1.0 subnet. (Valid addresses are 192.168.1.2 through 192.168.1.254, with a mask of 255.255.255.0 and default route of 192.168.1.1.)

When you connect other devices to any of the inside ports, make sure that they do not have the same IP address.


Note The MGMT interface of the adaptive security appliance is assigned 192.168.1.1 by default, so this address is unavailable.


Step 3 Check the LINK LED on the MGMT interface.

When a connection is established, the LINK LED on the adaptive security appliance interface and the corresponding LINK LED on the switch or hub turn solid green.


Gathering Configuration Information for Initial Setup

Gather the following information to be used with the ASDM Startup Wizard:

A unique hostname to identify the adaptive security appliance on your network.

The domain name.

The IP addresses of your outside interface, inside interface, and any other interfaces to be configured.

IP addresses for hosts that should have administrative access to this device using HTTPS for ASDM, SSH, or Telnet.

The privileged mode password for administrative access.

The IP addresses to use for NAT or PAT address translation, if any.

The IP address range for the DHCP server.

The IP address for the WINS server.

Static routes to be configured.

If you want to create a DMZ, you must create a third VLAN and assign ports to that VLAN. (By default, there are two VLANs configured.)

Interface configuration information: whether traffic is permitted between interfaces at the same security level, and whether traffic is permitted between hosts on the same interface.

If you are configuring an Easy VPN hardware client, the IP addresses of primary and secondary Easy VPN servers; whether the client is to run in client or network extension mode; and user and group login credentials to match those configured on the primary and secondary Easy VPN servers.


Installing the ASDM Launcher

You can launch ASDM in either of two ways: by downloading the ASDM Launcher software so that ASDM runs locally on your PC, or by enabling Java and JavaScript in your web browser and accessing ASDM remotely from your PC. This procedure describes how to set up your system to run ASDM locally.

To install the ASDM Launcher, perform the following steps:


Step 1 On the PC connected to the switch or hub, launch an Internet browser.

a. In the address field of the browser, enter this URL: https://192.168.1.1/admin.


Note The adaptive security appliance ships with a default IP address of 192.168.1.1. Remember to add the "s" in "https" or the connection fails. HTTPS (HTTP over SSL) provides a secure connection between your browser and the adaptive security appliance.


The Cisco ASDM splash screen appears.

b. Click Install ASDM Launcher and Run ASDM.

c. In the dialog box that requires a username and password, leave both fields empty. Click OK.

d. Click Yes to accept the certificates. Click Yes for all subsequent authentication and certificate dialog boxes.

e. When the File Download dialog box opens, click Open to run the installation program directly. It is not necessary to save the installation software to your hard drive.

f. When the InstallShield Wizard appears, follow the instructions to install the ASDM Launcher software.

Step 2 From your desktop, start the Cisco ASDM Launcher software.

A dialog box appears.

Step 3 Enter the IP address or the host name of your adaptive security appliance.

Step 4 Enter the IP address or host name of your adaptive security appliance.

Step 5 Leave the Username and Password fields blank.


Note By default, there is no Username and Password set for the Cisco ASDM Launcher.


Step 6 Click OK.

Step 7 If you receive a security warning containing a request to accept a certificate, click Yes.

The ASA checks to see if there is updated software and if so, downloads it automatically.

The main ASDM window appears.


Starting ASDM with a Web Browser

To run ASDM in a web browser, enter the factory default IP address in the address field: https://192.168.1.1/admin/.


Note Remember to add the "s" in "https" or the connection fails. HTTP over SSL (HTTPS) provides a secure connection between your browser and the adaptive security appliance.


The main ASDM window appears.

Running the ASDM Startup Wizard

ASDM includes a Startup Wizard to simplify the initial configuration of your adaptive security appliance. With a few steps, the Startup Wizard enables you to configure the adaptive security appliance so that it allows packets to flow securely between the inside network and the outside network.

To use the Startup Wizard to set up a basic configuration for the adaptive security appliance, perform the following steps:


Step 1 From the Wizards menu at the top of the ASDM window, choose Startup Wizard.

Step 2 Follow the instructions in the Startup Wizard to set up your adaptive security appliance.

For information about any field in the Startup Wizard, click Help at the bottom of the window.


Note If you get an error requesting a DES license or a 3DES-AES license, see Appendix A, "Obtaining a 3DES/AES License" for information.




Note Based on your network security policy, you should also consider configuring the adaptive security appliance to deny all ICMP traffic through the outside interface or any other interface that is necessary. You can configure this access control policy using ASDM. From the ASDM main page, click Configuration > Properties > ICMP Rules. Add an entry for the outside interface. Set the IP address to 0.0.0.0, the netmask to 0.0.0.0, and Action to deny.
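The following is an added example, not part of the Cisco guide: a Python check over a saved running configuration that verifies the ICMP deny rule described in the note above and flags ASDM, SSH, and Telnet access entries that are wider than a single administrative host. The sample configuration is constructed, the function names are hypothetical, and the check assumes the standard ASA CLI forms of the icmp, http, ssh, and telnet commands with ICMP rules evaluated in order.

```python
import re

# Constructed sample of saved running-config lines (not from a real device).
SAMPLE_CONFIG = """\
interface Vlan2
 nameif outside
 security-level 0
http server enable
http 192.168.1.0 255.255.255.0 inside
telnet 0.0.0.0 0.0.0.0 inside
ssh 192.168.1.10 255.255.255.255 inside
icmp permit any echo-reply outside
icmp deny any outside
"""

ANY = r"any|0\.0\.0\.0 0\.0\.0\.0"
IP = r"\d+\.\d+\.\d+\.\d+"

def icmp_all_denied(config, ifname="outside"):
    """True if a deny rule for every source and ICMP type is reached on
    ifname before any permit rule (assumes in-order, first-match rules)."""
    for line in config.splitlines():
        m = re.match(r"icmp (permit|deny) (.+) (\S+)$", line.strip())
        if not m or m.group(3) != ifname:
            continue
        if m.group(1) == "permit":
            return False  # some ICMP is allowed before the deny-all rule
        if re.fullmatch(ANY, m.group(2)):
            return True
    return False  # no deny-all rule configured for this interface

def mgmt_findings(config):
    """Return (line, reason) pairs for ASDM/SSH/Telnet access entries that
    are wider than a single host or that use Telnet."""
    findings = []
    for line in config.splitlines():
        line = line.strip()
        m = re.match(rf"(http|ssh|telnet) ({IP}) ({IP}) (\S+)$", line)
        if not m:
            continue  # skips 'http server enable', timeouts, etc.
        proto, _addr, mask, _ifname = m.groups()
        if proto == "telnet":
            findings.append((line, "Telnet sends credentials in cleartext"))
        if mask != "255.255.255.255":
            findings.append((line, "access allowed from a network, not a host"))
    return findings

if __name__ == "__main__":
    print("ICMP fully denied on outside:", icmp_all_denied(SAMPLE_CONFIG))
    for line, reason in mgmt_findings(SAMPLE_CONFIG):
        print(f"{line}  <- {reason}")
```

In the constructed sample the deny rule is present but a permit rule precedes it, so the check reports that ICMP is not fully denied on the outside interface.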


What to Do Next

Configure the adaptive security appliance for your deployment using one or more of the following chapters.

To Do This... | See...
Configure the adaptive security appliance to protect a DMZ web server | Chapter 8, "Scenario: DMZ Configuration"
Configure the adaptive security appliance for remote-access VPN | Chapter 9, "Scenario: IPsec Remote-Access VPN Configuration"
Configure the adaptive security appliance for SSL VPN connections using software clients | Chapter 10, "Scenario: Configuring Connections for a Cisco AnyConnect VPN Client"
Configure the adaptive security appliance for SSL VPN connections using a web browser | Chapter 11, "Scenario: SSL VPN Clientless Connections"
Configure the adaptive security appliance for site-to-site VPN | Chapter 12, "Scenario: Site-to-Site VPN Configuration"