Provision Secure Firewall ASA naar CSM
Inleiding
Dit document beschrijft het proces om een beveiligde firewall adaptieve security applicatie (ASA) te provisioneren voor Cisco Security Manager (CSM).
Voorwaarden
Vereisten
Cisco raadt kennis van de volgende onderwerpen aan:
- Secure-firewall ASA
- CSM
Gebruikte componenten
De informatie in dit document is gebaseerd op de volgende software- en hardware-versies:
- Secure Firewall ASA versie 9.18.3
- CSM versie 4.28
De informatie in dit document is gebaseerd op de apparaten in een specifieke laboratoriumomgeving. Alle apparaten die in dit document worden beschreven, hadden een opgeschoonde (standaard)configuratie. Als uw netwerk live is, moet u zorgen dat u de potentiële impact van elke opdracht begrijpt.
Achtergrondinformatie
CSM helpt om consistente beleidshandhaving en snelle probleemoplossing van security gebeurtenissen mogelijk te maken, met samengevatte rapporten over de security implementaties. Door gebruik te maken van de gecentraliseerde interface kunnen organisaties een brede reeks Cisco-beveiligingsapparaten efficiënt schalen en beheren met verbeterde zichtbaarheid.
Configureren
In het volgende voorbeeld wordt een virtuele ASA toegewezen aan een CSM voor gecentraliseerd beheer.
Configuraties
ASA voor HTTPS-beheer configureren
Stap 1. Een gebruiker met alle rechten maken.
CLI-syntaxis (Command Line):
configure terminal
username < user string > password < password > privilege < level number >Dit vertaalt zich in het volgende opdrachtvoorbeeld, dat de gebruiker csm-user en het wachtwoord cisco123 heeft als volgt:
ciscoasa# configure terminal
ciscoasa(config)# username csm-user password cisco123 privilege 15
Tip: Extern geverifieerde gebruikers worden ook voor deze integratie geaccepteerd.
Stap 2. HTTP-server inschakelen.
CLI-syntaxis (Command Line):
configure terminal
http server enableStap 3. Verleen HTTPS-toegang voor het IP-adres van de CSM-server.
CLI-syntaxis (Command Line):
configure terminal
http < hostname > < netmask > < interface name >Dit vertaalt zich in het volgende opdrachtvoorbeeld, waarmee elk netwerk toegang tot de ASA kan krijgen via HTTPS op de buiteninterface (Gigabit Ethernet0/0):
ciscoasa# configure terminal
ciscoasa(config)# http 0.0.0.0 0.0.0.0 outsideStap 4. Controleer of HTTPS bereikbaar is vanaf de CSM-server.
Open een webbrowser en typ de volgende syntaxis:
https://< ASA IP address >/Dit vertaalt zich in het volgende voorbeeld voor het IP-adres van de externe interface dat bij de vorige stap voor HTTPS-toegang was toegestaan:
https://10.8.4.11/
ASA HTTPS-respons
Tip: fout 404 niet gevonden wordt verwacht in deze stap omdat bij deze ASA Cisco Adaptive Security Device Manager (ASDM) niet is geïnstalleerd, maar de HTTPS-respons is aanwezig als de pagina wordt omgeleid naar URL /admin/public/index.html.
Provision Secure Firewall ASA naar CSM
Stap 1. Open de CSM-client en log in.
CSM-clientaanmelding
Stap 2. Open Configuration Manager.
CSM-clientdashboard
Stap 3. Ga naar Apparaten > Nieuw apparaat.
CSM Configuration Manager
Stap 4. Selecteer de toevoeging optie die voldoet aan het vereiste op basis van het gewenste resultaat. Aangezien de geconfigureerde ASA al in het netwerk is ingesteld, is de beste optie voor dit voorbeeld Add Device From Network en klik op Next.
Methode voor toevoegen van apparaat
Stap 5. Vul de vereiste gegevens in volgens de configuratie op de Secure Firewall ASA en de instellingen voor detectie. Klik vervolgens op Volgende.
ASA-instellingen
Stap 6. Voltooi de vereiste referenties van zowel de geconfigureerde CSM-gebruiker op ASA als van het wachtwoord Enable.
ASA-referenties
Stap 7. Selecteer de gewenste groepen of sla deze stap over als er geen groepen nodig zijn en klik op Voltooien.
CSM-groepsselectie
Stap 8. Een kaartaanvraag wordt gegenereerd voor controledoeleinden, klik op OK.
CSM-ticketontwikkeling
Stap 9. Bevestig dat de ontdekking zonder fouten eindigt en klik op Sluiten.
ASA-detectie
Tip: waarschuwingen worden geaccepteerd als een succesvolle uitvoer, omdat niet alle ASA-functies door CSM worden ondersteund.
Stap 10. Controleer of de ASA nu op de CSM-client is geregistreerd en geeft de juiste informatie weer.
ASA-informatie geregistreerd
Verifiëren
Er is een HTTPS-debug beschikbaar op ASA voor probleemoplossing. De volgende opdracht wordt gebruikt:
debug httpDit is een voorbeeld van een succesvolle CSM-registratiedebug:
ciscoasa# debug http
debug http enabled at level 1.
ciscoasa# HTTP: processing handoff to legacy admin server [/admin/exec//show%20version]
HTTP: admin session verified = [0]
HTTP MSG: GET /admin/exec//show%20version HTTP/1.1
Authorization: Basic OmNpc2NvMTIz
User-Agent: CSM
Cache-Control: no-cache
Pragma: no-cache
Host: 10.8.4.11
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
▒▒▒^^u
HTTP: processing GET URL '/admin/exec//show%20version' from host 10.8.4.12
HTTP: Authentication username = ''
Exited from HTTP Cli Exec
HTTP: processing handoff to legacy admin server [/admin/config]
HTTP: admin session verified = [0]
HTTP MSG: GET /admin/config HTTP/1.1
Authorization: Basic OmNpc2NvMTIz
User-Agent: CSM
Cache-Control: no-cache
Pragma: no-cache
Host: 10.8.4.11
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
▒▒▒e
HTTP: processing GET URL '/admin/config' from host 10.8.4.12
HTTP: Authentication username = ''
HTTP: processing handoff to legacy admin server [/admin/exec//show%20version]
HTTP: admin session verified = [0]
HTTP MSG: GET /admin/exec//show%20version HTTP/1.1
Authorization: Basic OmNpc2NvMTIz
User-Agent: CSM
Cache-Control: no-cache
Pragma: no-cache
Host: 10.8.4.11
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
▒▒▒^^u
HTTP: processing GET URL '/admin/exec//show%20version' from host 10.8.4.12
HTTP: Authentication username = ''
Exited from HTTP Cli Exec
HTTP: processing handoff to legacy admin server [/admin/exec//sh%20module%20%7c%20in%20(CX%20Security%20Services%20Processor-%7ccxsc%20ASA%20CX5)]
HTTP: admin session verified = [0]
HTTP MSG: GET /admin/exec//sh%20module%20%7c%20in%20(CX%20Security%20Services%20Processor-%7ccxsc%20ASA%20CX5) HTTP/1.1
Authorization: Basic OmNpc2NvMTIz
User-Agent: CSM
Cache-Control: no-cache
Pragma: no-cache
Host: 10.8.4.11
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
▒▒▒^2▒^aware_123▒
HTTP: processing GET URL '/admin/exec//sh%20module%20%7c%20in%20(CX%20Security%20Services%20Processor-%7ccxsc%20ASA%20CX5)' from host 10.8.4.12
HTTP: Authentication username = ''
Exited from HTTP Cli Exec
HTTP: processing handoff to legacy admin server [/admin/exec//sh%20module%20%7c%20in%20(FirePOWER)]
HTTP: admin session verified = [0]
HTTP MSG: GET /admin/exec//sh%20module%20%7c%20in%20(FirePOWER) HTTP/1.1
Authorization: Basic OmNpc2NvMTIz
User-Agent: CSM
Cache-Control: no-cache
Pragma: no-cache
Host: 10.8.4.11
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
▒▒▒▒▒▒
HTTP: processing GET URL '/admin/exec//sh%20module%20%7c%20in%20(FirePOWER)' from host 10.8.4.12
HTTP: Authentication username = ''
Exited from HTTP Cli Exec
HTTP: processing handoff to legacy admin server [/admin/exec//sh%20cluster%20info]
HTTP: admin session verified = [0]
HTTP MSG: GET /admin/exec//sh%20cluster%20info HTTP/1.1
Authorization: Basic OmNpc2NvMTIz
User-Agent: CSM
Cache-Control: no-cache
Pragma: no-cache
Host: 10.8.4.11
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
▒▒▒^
HTTP: processing GET URL '/admin/exec//sh%20cluster%20info' from host 10.8.4.12
HTTP: Authentication username = ''
Exited from HTTP Cli Exec
HTTP: processing handoff to legacy admin server [/admin/exec//sh%20inventory]
HTTP: admin session verified = [0]
HTTP MSG: GET /admin/exec//sh%20inventory HTTP/1.1
Authorization: Basic OmNpc2NvMTIz
User-Agent: CSM
Cache-Control: no-cache
Pragma: no-cache
Host: 10.8.4.11
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
▒▒▒^^u
HTTP: processing GET URL '/admin/exec//sh%20inventory' from host 10.8.4.12
HTTP: Authentication username = ''
Exited from HTTP Cli Exec
HTTP: processing handoff to legacy admin server [/admin/exec//sh%20vm]
HTTP: admin session verified = [0]
HTTP MSG: GET /admin/exec//sh%20vm HTTP/1.1
Authorization: Basic OmNpc2NvMTIz
User-Agent: CSM
Cache-Control: no-cache
Pragma: no-cache
Host: 10.8.4.11
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
▒▒▒
2▒^^^u
HTTP: processing GET URL '/admin/exec//sh%20vm' from host 10.8.4.12
HTTP: Authentication username = ''
Exited from HTTP Cli Exec
HTTP: processing handoff to legacy admin server [/admin/config]
HTTP: admin session verified = [0]
HTTP MSG: GET /admin/config HTTP/1.1
Authorization: Basic OmNpc2NvMTIz
User-Agent: CSM
Cache-Control: no-cache
Pragma: no-cache
Host: 10.8.4.11
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
▒▒▒e
HTTP: processing GET URL '/admin/config' from host 10.8.4.12
HTTP: Authentication username = ''
HTTP: processing handoff to legacy admin server [/admin/exec//show%20version]
HTTP: admin session verified = [0]
HTTP MSG: GET /admin/exec//show%20version HTTP/1.1
Authorization: Basic OmNpc2NvMTIz
User-Agent: CSM
Cache-Control: no-cache
Pragma: no-cache
Host: 10.8.4.11
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
▒▒▒^^u
HTTP: processing GET URL '/admin/exec//show%20version' from host 10.8.4.12
HTTP: Authentication username = ''
Exited from HTTP Cli Exec
HTTP: processing handoff to legacy admin server [/admin/exec//show%20inventory]
HTTP: admin session verified = [0]
HTTP MSG: GET /admin/exec//show%20inventory HTTP/1.1
Authorization: Basic OmNpc2NvMTIz
User-Agent: CSM
Cache-Control: no-cache
Pragma: no-cache
Host: 10.8.4.11
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
▒▒▒u
HTTP: processing GET URL '/admin/exec//show%20inventory' from host 10.8.4.12
HTTP: Authentication username = ''
Exited from HTTP Cli Exec
HTTP: processing handoff to legacy admin server [/admin/exec//show%20password%20encryption]
HTTP: admin session verified = [0]
HTTP MSG: GET /admin/exec//show%20password%20encryption HTTP/1.1
Authorization: Basic OmNpc2NvMTIz
User-Agent: CSM
Cache-Control: no-cache
Pragma: no-cache
Host: 10.8.4.11
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
▒▒▒^^
HTTP: processing GET URL '/admin/exec//show%20password%20encryption' from host 10.8.4.12
HTTP: Authentication username = ''
Exited from HTTP Cli Exec
HTTP: processing handoff to legacy admin server [/admin/exec//show%20running-config%20all%20tunnel-group]
HTTP: admin session verified = [0]
HTTP MSG: GET /admin/exec//show%20running-config%20all%20tunnel-group HTTP/1.1
Authorization: Basic OmNpc2NvMTIz
User-Agent: CSM
Cache-Control: no-cache
Pragma: no-cache
Host: 10.8.4.11
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
▒▒▒2▒^▒^e
HTTP: processing GET URL '/admin/exec//show%20running-config%20all%20tunnel-group' from host 10.8.4.12
HTTP: Authentication username = ''
Exited from HTTP Cli Exec
HTTP: processing handoff to legacy admin server [/admin/exec//show%20running-config%20all%20group-policy]
HTTP: admin session verified = [0]
HTTP MSG: GET /admin/exec//show%20running-config%20all%20group-policy HTTP/1.1
Authorization: Basic OmNpc2NvMTIz
User-Agent: CSM
Cache-Control: no-cache
Pragma: no-cache
Host: 10.8.4.11
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
▒▒▒2▒^▒^e
HTTP: processing GET URL '/admin/exec//show%20running-config%20all%20group-policy' from host 10.8.4.12
HTTP: Authentication username = ''
Exited from HTTP Cli Exec
HTTP: processing handoff to legacy admin server [/admin/exec//show%20crypto%20ca%20trustpool%20detail]
HTTP: admin session verified = [0]
HTTP MSG: GET /admin/exec//show%20crypto%20ca%20trustpool%20detail HTTP/1.1
Authorization: Basic OmNpc2NvMTIz
User-Agent: CSM
Cache-Control: no-cache
Pragma: no-cache
Host: 10.8.4.11
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
▒▒▒2▒^2▒^▒^e
HTTP: processing GET URL '/admin/exec//show%20crypto%20ca%20trustpool%20detail' from host 10.8.4.12
HTTP: Authentication username = ''
Exited from HTTP Cli Exec
HTTP: processing handoff to legacy admin server [/admin/exec//show%20snmp-server%20engineID]
HTTP: admin session verified = [0]
HTTP MSG: GET /admin/exec//show%20snmp-server%20engineID HTTP/1.1
Authorization: Basic OmNpc2NvMTIz
User-Agent: CSM
Cache-Control: no-cache
Pragma: no-cache
Host: 10.8.4.11
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
▒▒▒^P_▒
HTTP: processing GET URL '/admin/exec//show%20snmp-server%20engineID' from host 10.8.4.12
HTTP: Authentication username = ''
Exited from HTTP Cli Exec
HTTP: processing handoff to legacy admin server [/admin/exec//show%20version]
HTTP: admin session verified = [0]
HTTP MSG: GET /admin/exec//show%20version HTTP/1.1
Authorization: Basic OmNpc2NvMTIz
User-Agent: CSM
Cache-Control: no-cache
Pragma: no-cache
Host: 10.8.4.11
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
▒▒▒▒^u
HTTP: processing GET URL '/admin/exec//show%20version' from host 10.8.4.12
HTTP: Authentication username = ''
Exited from HTTP Cli Exec
HTTP: processing handoff to legacy admin server [/admin/exec//show%20failover]
HTTP: admin session verified = [0]
HTTP MSG: GET /admin/exec//show%20failover HTTP/1.1
Authorization: Basic OmNpc2NvMTIz
User-Agent: CSM
Cache-Control: no-cache
Pragma: no-cache
Host: 10.8.4.11
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
▒▒▒^u
HTTP: processing GET URL '/admin/exec//show%20failover' from host 10.8.4.12
HTTP: Authentication username = ''
Exited from HTTP Cli Exec
HTTP: processing handoff to legacy admin server [/admin/exec//dir%20%2frecursive%20all-filesystems]
HTTP: admin session verified = [0]
HTTP MSG: GET /admin/exec//dir%20%2frecursive%20all-filesystems HTTP/1.1
Authorization: Basic OmNpc2NvMTIz
User-Agent: CSM
Cache-Control: no-cache
Pragma: no-cache
Host: 10.8.4.11
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
▒▒▒2▒^2▒^2▒^▒^e
HTTP: processing GET URL '/admin/exec//dir%20%2frecursive%20all-filesystems' from host 10.8.4.12
HTTP: Authentication username = ''
Exited from HTTP Cli Exec
HTTP: processing handoff to legacy admin server [/admin/exec//show%20asdm%20image]
HTTP: admin session verified = [0]
HTTP MSG: GET /admin/exec//show%20asdm%20image HTTP/1.1
Authorization: Basic OmNpc2NvMTIz
User-Agent: CSM
Cache-Control: no-cache
Pragma: no-cache
Host: 10.8.4.11
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
▒▒▒^
2▒^^^
HTTP: processing GET URL '/admin/exec//show%20asdm%20image' from host 10.8.4.12
HTTP: Authentication username = ''
Exited from HTTP Cli Exec
HTTP: processing handoff to legacy admin server [/admin/exec//show%20running-config%20webvpn]
HTTP: admin session verified = [0]
HTTP MSG: GET /admin/exec//show%20running-config%20webvpn HTTP/1.1
Authorization: Basic OmNpc2NvMTIz
User-Agent: CSM
Cache-Control: no-cache
Pragma: no-cache
Host: 10.8.4.11
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
▒▒▒P_▒
HTTP: processing GET URL '/admin/exec//show%20running-config%20webvpn' from host 10.8.4.12
HTTP: Authentication username = ''
Exited from HTTP Cli Exec
HTTP: processing handoff to legacy admin server [/admin/exec//show%20vpn-sessiondb%20full%20webvpn]
HTTP: admin session verified = [0]
HTTP MSG: GET /admin/exec//show%20vpn-sessiondb%20full%20webvpn HTTP/1.1
Host: 10.8.4.1110.8.4.11
Authorization: Basic OmNpc2NvMTIz
User-Agent: CSM
▒▒▒^2▒^1
HTTP: processing GET URL '/admin/exec//show%20vpn-sessiondb%20full%20webvpn' from host 10.8.4.12
HTTP: Authentication username = ''
Exited from HTTP Cli Exec
HTTP: processing handoff to legacy admin server [/admin/exec//show%20vpn-sessiondb%20full%20ra-ikev1-ipsec]
HTTP: admin session verified = [0]
HTTP MSG: GET /admin/exec//show%20vpn-sessiondb%20full%20ra-ikev1-ipsec HTTP/1.1
Host: 10.8.4.1110.8.4.11
Authorization: Basic OmNpc2NvMTIz
User-Agent: CSM
▒▒▒
HTTP: processing GET URL '/admin/exec//show%20vpn-sessiondb%20full%20ra-ikev1-ipsec' from host 10.8.4.12
HTTP: Authentication username = ''
Exited from HTTP Cli Exec
HTTP: processing handoff to legacy admin server [/admin/exec//show%20vpn-sessiondb%20full%20ra-ikev2-ipsec]
HTTP: admin session verified = [0]
HTTP MSG: GET /admin/exec//show%20vpn-sessiondb%20full%20ra-ikev2-ipsec HTTP/1.1
Host: 10.8.4.1110.8.4.11
Authorization: Basic OmNpc2NvMTIz
User-Agent: CSM
▒▒▒
HTTP: processing GET URL '/admin/exec//show%20vpn-sessiondb%20full%20ra-ikev2-ipsec' from host 10.8.4.12
HTTP: Authentication username = ''
Exited from HTTP Cli Exec
HTTP: processing handoff to legacy admin server [/admin/exec//show%20vpn-sessiondb%20full%20anyconnect]
HTTP: admin session verified = [0]
HTTP MSG: GET /admin/exec//show%20vpn-sessiondb%20full%20anyconnect HTTP/1.1
Host: 10.8.4.1110.8.4.11
Authorization: Basic OmNpc2NvMTIz
User-Agent: CSM
▒▒▒1
HTTP: processing GET URL '/admin/exec//show%20vpn-sessiondb%20full%20anyconnect' from host 10.8.4.12
HTTP: Authentication username = ''
Exited from HTTP Cli Exec
Revisiegeschiedenis
| Revisie | Publicatiedatum | Opmerkingen |
|---|---|---|
1.0 |
12-Feb-2024 |
Eerste vrijgave |
FeedbackContact Cisco
- Een ondersteuningscase openen
- (Vereist een Cisco-servicecontract)