Cisco ASA 5505 Getting Started Guide

Software Version 7.2

Corporate Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 526-4100
Customer Order Number: DOC-7817612= Text Part Number: 78-17612-02

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS. THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY. The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California. NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. 
CCSP, CCVP, the Cisco Square Bridge logo, Follow Me Browsing, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Access Registrar, Aironet, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, FormShare, GigaDrive, GigaStack, HomeLink, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, LightStream, Linksys, MeetingPlace, MGX, the Networkers logo, Networking Academy, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, ProConnect, RateMUX, ScriptShare, SlideCast, SMARTnet, The Fastest Way to Increase Your Internet Quotient, and TransPath are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries. All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0601R)

Cisco ASA 5505 Getting Started Guide © 2006 Cisco Systems, Inc. All rights reserved.

CONTENTS

CHAPTER 1 Before You Begin 1-1

CHAPTER 2 Deployment Planning 2-1
  Scenarios for Deployment Planning and Configuration 2-1
  Scenario 1: Private Network with External Connectivity 2-3
  Scenario 2: Basic Installation with DMZ 2-4
  Scenario 3: IPSec Remote-Access VPN 2-5
  Scenario 4: Site-to-Site VPN 2-6
  Scenario 5: ASA 5505 Deployed as a Hardware VPN Client 2-7
  Configuration Procedures for Scenarios 2-8
  What to Do Next 2-9

CHAPTER 3 Planning for a VLAN Configuration 3-1
  Understanding VLANs on the ASA 5505 3-1
    About Physical Ports on the ASA 5505 3-2
    About VLANs 3-2
    Maximum Number and Types of VLANs 3-3
  Deployment Scenarios Using VLANs 3-4
    Basic Deployment Using Two VLANs 3-5
    DMZ Deployment 3-7
    Teleworker Deployment Using Three VLANs 3-8
  What to Do Next 3-9

CHAPTER 4 Installing the ASA 5505 4-1
  Verifying the Package Contents 4-1
  PoE Ports and Devices 4-3
  Installing the Chassis 4-4
  Connecting to Network Interfaces 4-4
  Powering on the Cisco ASA 5505 4-6
  Setting Up a PC for System Administration 4-6
  Optional Procedures 4-7
    Connecting to the Console 4-8
    Installing a Cable Lock 4-9
  Ports and LEDs 4-9
    Front Panel Components 4-9
    Rear Panel Components 4-12
  What to Do Next 4-13

CHAPTER 5 Configuring the Adaptive Security Appliance 5-1
  About the Factory Default Configuration 5-1
  About the Adaptive Security Device Manager 5-3
  Using the Startup Wizard 5-4
    Before Launching the Startup Wizard 5-4
    Running the Startup Wizard 5-5
  What to Do Next 5-7

CHAPTER 6 Scenario: DMZ Configuration 6-1
  Example DMZ Network Topology 6-1
  Configuring the Security Appliance for a DMZ Deployment 6-5
    Configuration Requirements 6-5
    Starting ASDM 6-6
    Enabling Inside Clients to Communicate with Devices on the Internet 6-7
    Enabling Inside Clients to Communicate with the DMZ Web Server 6-8
      Translating Internal Client IP Addresses Between the Inside and DMZ Interfaces 6-8
      Translating the Public Address of the Web Server to its Real Address 6-10
    Configuring an External Identity for the DMZ Web Server 6-12
    Providing Public HTTP Access to the DMZ Web Server 6-15
  What to Do Next 6-18

CHAPTER 7 Scenario: IPSec Remote-Access VPN Configuration 7-1
  Example IPSec Remote-Access VPN Network Topology 7-1
  Implementing the IPSec Remote-Access VPN Scenario 7-2
    Information to Have Available 7-3
    Starting ASDM 7-3
    Configuring the ASA 5505 for an IPSec Remote-Access VPN 7-5
    Selecting VPN Client Types 7-6
    Specifying the VPN Tunnel Group Name and Authentication Method 7-7
    Specifying a User Authentication Method 7-8
    (Optional) Configuring User Accounts 7-10
    Configuring Address Pools 7-11
    Configuring Client Attributes 7-12
    Configuring the IKE Policy 7-13
    Configuring IPSec Encryption and Authentication Parameters 7-15
    Specifying Address Translation Exception and Split Tunneling 7-16
    Verifying the Remote-Access VPN Configuration 7-17
  What to Do Next 7-18

CHAPTER 8 Scenario: Site-to-Site VPN Configuration 8-1
  Example Site-to-Site VPN Network Topology 8-1
  Implementing the Site-to-Site Scenario 8-2
    Information to Have Available 8-3
    Configuring the Site-to-Site VPN 8-3
    Starting ASDM 8-3
    Configuring the Security Appliance at the Local Site 8-4
    Providing Information About the Remote VPN Peer 8-6
    Configuring the IKE Policy 8-7
    Configuring IPSec Encryption and Authentication Parameters 8-9
    Specifying Hosts and Networks 8-10
    Viewing VPN Attributes and Completing the Wizard 8-11
    Configuring the Other Side of the VPN Connection 8-13
  What to Do Next 8-14

CHAPTER 9 Scenario: Easy VPN Hardware Client Configuration 9-1
  Using an ASA 5505 as an Easy VPN Hardware Client 9-1
  Client Mode and Network Extension Mode 9-3
  Configuring the Easy VPN Hardware Client 9-5
  Configuring Advanced Easy VPN Attributes 9-8
  What to Do Next 9-9

APPENDIX A Obtaining a 3DES/AES License A-1

CHAPTER 1 Before You Begin

Use the following table to find the installation and configuration steps that are required for your implementation of the adaptive security appliance.

To Do This... | See...
Learn about typical deployments of the ASA 5505 | Chapter 2, “Deployment Planning”
Learn about VLANs and port allocation on the ASA 5505 | Chapter 3, “Planning for a VLAN Configuration”
Install the chassis | Chapter 4, “Installing the ASA 5505”
Perform initial setup of the adaptive security appliance | Chapter 5, “Configuring the Adaptive Security Appliance”
Configure the adaptive security appliance for your implementation | Chapter 6, “Scenario: DMZ Configuration”; Chapter 7, “Scenario: IPSec Remote-Access VPN Configuration”; Chapter 8, “Scenario: Site-to-Site VPN Configuration”; Chapter 9, “Scenario: Easy VPN Hardware Client Configuration”
Refine configuration; configure optional and advanced features | Cisco Security Appliance Command Line Configuration Guide; Cisco Security Appliance Command Reference; Cisco Security Appliance Logging Configuration and System Log Messages

CHAPTER 2 Deployment Planning

This document is based on several example scenarios that represent typical customer deployments of the ASA 5505. You can use the deployment scenarios in this chapter to help you determine how you want to deploy the adaptive security appliance on your network, and then determine which configuration chapters apply to you.

This chapter includes the following sections:
• Scenarios for Deployment Planning and Configuration, page 2-1
• Scenario 1: Private Network with External Connectivity, page 2-3
• Scenario 2: Basic Installation with DMZ, page 2-4
• Scenario 3: IPSec Remote-Access VPN, page 2-5
• Scenario 4: Site-to-Site VPN, page 2-6
• Scenario 5: ASA 5505 Deployed as a Hardware VPN Client, page 2-7

Scenarios for Deployment Planning and Configuration

An extended adaptive security appliance deployment can include two or more of the different deployment scenarios described in this chapter. The deployment scenarios in this chapter correspond to subsequent configuration chapters. Figure 2-1 illustrates an extended network that includes most of the deployment and configuration scenarios included in this document.

Figure 2-1 Extended Network Deployment
(Figure not reproduced. It shows mobile clients using Cisco SSL VPN Client software, clientless SSL VPN, and the VPN software client; a remote-site adaptive security appliance; an IPSec VPN connection and a site-to-site VPN connection across the Internet; and a web server and an email server behind the basic installation and the basic installation with DMZ.)

Scenario 1: Private Network with External Connectivity

A basic deployment that is typical for a small private network is shown in Figure 2-2.

Figure 2-2 Private (Inside) Network with External Connectivity
(Figure not reproduced. It shows the adaptive security appliance between the outside network, reached through an ISP router to the Internet, and a private network containing a laptop computer, a personal computer, a printer, and an IP phone.)

In this example, the adaptive security appliance enables all devices on the private network to communicate with each other and enables users on the private network to communicate with devices on the Internet.

Note This deployment is similar to the security deployments using the PIX 501. If you already have a security deployment with PIX 501 security appliances in which devices behind the firewall can communicate internally and externally, you can keep the same deployment and replace the PIX 501 devices with ASA 5505 devices.

For information about how to configure your adaptive security appliance for this deployment, see Chapter 5, “Configuring the Adaptive Security Appliance.”

Scenario 2: Basic Installation with DMZ

In this scenario, the adaptive security appliance is used to protect network resources located in a demilitarized zone (DMZ) in addition to the inside network. A DMZ is a separate network located in the neutral zone between a private (inside) network and a public (outside) network. HTTP clients on the private network can access the web server in the DMZ and can also communicate with devices on the Internet.

Figure 2-3 Private Network with DMZ
(Figure not reproduced. It shows the adaptive security appliance connected to the outside network (Internet connection through an ISP router), to a DMZ containing a web server, and to the private (inside) network containing personal computers, a printer, and an email server.)

For information about configuring a DMZ deployment, see Chapter 6, “Scenario: DMZ Configuration.”

Scenario 3: IPSec Remote-Access VPN

In this scenario, the adaptive security appliance is configured to accept remote-access IPSec VPN connections. A remote-access VPN allows you to create secure connections, or tunnels, across the Internet, which provides secure access to off-site users.

Figure 2-4 IPSec Remote-Access VPN Connection
(Figure not reproduced. It shows a mobile client and personal computers running Cisco VPN Client software reaching the adaptive security appliance over an IPSec VPN connection across the Internet and an ISP router; behind the appliance is the private (inside) network with a WINS server, a DNS server, and a personal computer.)

For information about how to configure an IPSec remote-access VPN deployment, see Chapter 7, “Scenario: IPSec Remote-Access VPN Configuration.”

Scenario 4: Site-to-Site VPN

In this scenario, two adaptive security appliances are configured to create a site-to-site VPN. A VPN connection enables you to send data from one location to another over a secure connection, or tunnel, first by authenticating both ends of the connection, and then by automatically encrypting all data sent between the two sites. Deploying a site-to-site VPN enables businesses to extend their networks across low-cost public Internet connections to business partners and remote offices worldwide while maintaining their network security.

Figure 2-5 Network Layout for Site-to-Site VPN Configuration Scenario
(Figure not reproduced. It shows Site A with Adaptive Security Appliance 1 and Site B with Adaptive Security Appliance 2, each protecting personal computers and a printer, connected to each other across the Internet through ISP routers.)

For information about configuring a site-to-site VPN deployment, see Chapter 8, “Scenario: Site-to-Site VPN Configuration.”

Scenario 5: ASA 5505 Deployed as a Hardware VPN Client

In this scenario, an ASA 5505 is deployed as a hardware client (sometimes called a remote device). Deploying one or more VPN hardware clients in conjunction with a VPN headend device enables companies with multiple sites to establish secure communications among them and share network resources.

Deploying an Easy VPN solution with hardware clients simplifies the deployment and management of a VPN in the following ways:
• Hosts at remote sites no longer have to run VPN client software.
• Security policies reside on a central server and are pushed to the remote hardware clients when a VPN connection is established.
• Few configuration parameters need to be set locally, minimizing the need for on-site administration.

Figure 2-6 illustrates how the different Easy VPN components can be deployed.

Figure 2-6 ASA 5505 Installed as VPN Hardware Client
(Figure not reproduced. It shows an ASA 5505 acting as the VPN hardware client behind an ISP router, connected across the Internet to a VPN headend device (an ASA 5500 series appliance or a Cisco IOS router with IPSec support) in front of the central LAN; the headend pushes the remote configuration to the client.)

For information about how to configure the ASA 5505 as a VPN hardware client, see Chapter 9, “Scenario: Easy VPN Hardware Client Configuration.”

Configuration Procedures for Scenarios

Each deployment scenario in this chapter has a corresponding configuration chapter in this document that describes how to configure the ASA 5505 for that type of deployment.

To Configure the ASA 5505 For This Scenario... | See This Chapter...
Scenario 1: Private Network with External Connectivity | Chapter 5, “Configuring the Adaptive Security Appliance”
Scenario 2: Basic Installation with DMZ | Chapter 6, “Scenario: DMZ Configuration”
Scenario 3: IPSec Remote-Access VPN | Chapter 7, “Scenario: IPSec Remote-Access VPN Configuration”
Scenario 4: Site-to-Site VPN | Chapter 8, “Scenario: Site-to-Site VPN Configuration”
Scenario 5: ASA 5505 Deployed as a Hardware VPN Client | Chapter 9, “Scenario: Easy VPN Hardware Client Configuration”

What to Do Next

Continue with Chapter 3, “Planning for a VLAN Configuration.”

CHAPTER 3 Planning for a VLAN Configuration

Grouping ports into logical VLANs on the ASA 5505 enables you to segment large private networks and provide additional protection to critical network segments that may host resources such as servers, corporate computers, and IP phones. This chapter describes the options for deploying the ASA 5505 in a VLAN configuration and how to determine how many VLANs you need. It also describes allocating ports to each of the VLANs.

This chapter includes the following sections:
• Understanding VLANs on the ASA 5505, page 3-1
• Deployment Scenarios Using VLANs, page 3-4
• What to Do Next, page 3-9

Understanding VLANs on the ASA 5505

After you have made a decision about how to deploy the ASA 5505 in your network, you must decide how many VLANs you need to support that deployment and how many ports to allocate to each VLAN. This section describes how VLANs work on the ASA 5505 to help you make those decisions. This section includes the following topics:
• About Physical Ports on the ASA 5505, page 3-2
• About VLANs, page 3-2
• Maximum Number and Types of VLANs, page 3-3

About Physical Ports on the ASA 5505

The ASA 5505 has a built-in switch with eight Fast Ethernet ports, called switch ports. Two of the eight physical ports are Power over Ethernet (PoE) ports. You can connect switch ports, including the PoE ports, directly to user equipment such as PCs, IP phones, or a DSL modem. You can also connect to another switch. For more information, see Ports and LEDs, page 4-9.

About VLANs

You can divide the eight physical ports into groups, called VLANs, that function as separate networks. Physical ports on the same VLAN communicate with each other using hardware switching. VLANs communicate with each other using routes and bridges. For example, when a switch port on VLAN1 is communicating with a switch port on VLAN2, the adaptive security appliance applies the configured security policies to the traffic and routes or bridges the traffic between the two VLANs. This improves the security of your business because devices in different VLANs can only communicate with each other by passing traffic through the adaptive security appliance, where the relevant security policies are applied.

To impose strict access control and protect sensitive devices, you can apply security policies to VLANs that restrict communication between VLANs. You can also apply security policies to individual ports. You might want to apply security policies at the port level if, for example, two ports on the same VLAN connect devices that you do not want to be able to communicate with each other.

The ASA 5505 comes preconfigured with two VLANs: VLAN1 and VLAN2. By default, Ethernet switch port 0/0 is allocated to VLAN2. All other switch ports are allocated by default to VLAN1.

Before you can enable a switch port on the ASA 5505, it must be assigned to a VLAN. Although the ASA 5505 comes preconfigured with two VLANs, you can create as many as 20 VLANs, depending on your license. You can create VLANs and allocate ports in the following ways:

Method of Configuring VLANs | For more information, see...
ASDM Startup Wizard | Chapter 5, “Configuring the Adaptive Security Appliance”
ASDM GUI configuration | ASDM online help
Command-line interface | Cisco Security Appliance Command Reference

Maximum Number and Types of VLANs

Your license determines how many active VLANs you can have on the ASA 5505. Table 3-1 lists the number and types of connections supported by each license.

With the Base platform, each switch port can be assigned to only one VLAN at a time. For example, you could create VLANs for the Inside, Outside, and DMZ network segments. With the Base platform, communication between the DMZ VLAN and the Inside VLAN is restricted: the Inside VLAN is permitted to send traffic to the DMZ VLAN, but the DMZ VLAN is not permitted to send traffic to the Inside VLAN. The Security Plus license removes this limitation, thus enabling a full DMZ configuration.

The Security Plus license allows you to create up to 20 VLANs, enabling you to scale your deployment for larger organizations (the number that can be active at one time depends on the firewall mode; see Table 3-1). With the Security Plus license, you can also use a single port to trunk multiple VLANs to an external switch. Each access switch port is allocated to a single VLAN; a trunk switch port may be allocated to multiple VLANs.

Table 3-1 License Restrictions on Active VLANs

License Type | Mode | Connections
Base Platform | Transparent Mode | Up to two active VLANs.
Base Platform | Routed Mode | Up to three active VLANs. The DMZ VLAN is restricted from initiating traffic to the inside VLAN.
Security Plus License | Transparent Mode | Up to three active VLANs, one of which must be used for failover.
Security Plus License | Routed Mode | Up to 20 active VLANs.

Note The ASA 5505 adaptive security appliance supports active and standby failover, but not Stateful Failover.

Deployment Scenarios Using VLANs

The number of VLANs you need depends on the complexity of the network into which you are installing the adaptive security appliance. For example, you can allocate each physical port to a separate VLAN, such as Outside, DMZ 1, DMZ 2, Engineering, Sales, Customer Service, Finance, and HR. Because there are only 8 physical ports, the additional VLANs are useful for assigning to trunk ports, which aggregate multiple VLANs on a single physical port. Use the scenarios in this section as a guide to help you determine how many VLANs you need and how many ports to allocate to each. This section includes the following topics:
• Basic Deployment Using Two VLANs, page 3-5
• DMZ Deployment, page 3-7
• Teleworker Deployment Using Three VLANs, page 3-8


Basic Deployment Using Two VLANs
For most deployments, you only need to create two VLANs: an Inside VLAN and an Outside VLAN, as shown in Figure 3-1.
Figure 3-1 Deployment Using Two VLANs

(Figure not reproduced. It shows an ASA 5505 with its Inside VLAN ports connected to a server, a personal computer, a laptop computer, and a printer, and its Outside VLAN port connected to a router that leads to the Internet.)

In this example, the network includes an inside VLAN that permits all devices on the VLAN to communicate with each other and an outside VLAN that permits users to communicate with devices on the Internet. The Inside VLAN may consist of up to seven physical ports that connect desktop computers, network printers, and other devices. In this scenario, the Outside VLAN consists of a single ISP connection using an external WAN router. In Figure 3-1, the Inside VLAN uses four switch ports on the ASA 5505 and the Outside VLAN uses only one. Three switch ports are unused.

Note This deployment is similar to the security deployments using the PIX 501. If you already have a security deployment with PIX 501 security appliances in which devices behind the firewall can communicate internally and externally, you can keep the same deployment and replace the PIX 501 devices with ASA 5505 devices.

If this same customer needed to have two Internet connections, the Outside VLAN could be allocated an additional port, as shown in Figure 3-2. This deployment includes an Inside VLAN and an Outside VLAN with two external connections to provide link redundancy if one fails.
Figure 3-2 Inside VLAN with Dual ISP Connectivity

(Figure not reproduced. It shows an ASA 5505 with its Inside VLAN ports connected to an IP phone, a server, a laptop computer, a personal computer, and a printer, and its Outside VLAN allocated two ports: one to the primary router and one to a backup router, both leading to the Internet.)

Even very complex networks can be deployed with only two VLANs, one for inside and one for outside.


DMZ Deployment
The only deployment for which you must create three VLANs is when you have a DMZ to protect in addition to your Inside network. If you have a DMZ in your configuration, the DMZ must be on its own VLAN.
Figure 3-3 Deployment Requiring Three VLANs

(Figure not reproduced. It shows the adaptive security appliance connected to the outside network (Internet connection through an ISP router), to a DMZ, and to the private (inside) network; the DMZ and inside segments contain a web server, an email server, personal computers, and a printer.)
In this example, three physical switch ports are allocated to the Inside VLAN, two switch ports are allocated to the DMZ VLAN, and one switch port is allocated to the Outside VLAN. Two switch ports are left unused.
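The following configuration is an added example, not taken from this guide, showing what the VLAN and port rules in “About VLANs” and “Maximum Number and Types of VLANs” and the port allocation of Figure 3-3 come to in the CLI of an ASA 5505 running software 7.2 with the Base license. Only the factory mapping of Ethernet 0/0 to VLAN2 and the Base-license DMZ restriction come from the text; the IP addresses, the choice of VLAN 3 for the DMZ, the security levels, and the assignment of Ethernet 0/1 through 0/5 are assumptions made for illustration. The no forward interface command is the 7.2 CLI form of the Base-license restriction (the DMZ VLAN cannot initiate traffic to the Inside VLAN) and is not described on this page; the Security Plus trunk port at the end is also an assumption and only accepted on a Security Plus system.

```cisco
! Added example (not from the guide). ASA 5505, software 7.2, Base license.
! Port plan from Figure 3-3: 3 inside, 2 DMZ, 1 outside, 2 unused.
!   Inside  (VLAN1): Ethernet0/1, 0/2, 0/3
!   DMZ     (VLAN3): Ethernet0/4, 0/5          (VLAN number is an assumption)
!   Outside (VLAN2): Ethernet0/0               (factory default allocation)
!   Unused:          Ethernet0/6, 0/7          (the PoE-capable ports)
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
! Third VLAN. With the Base license the appliance will not accept "nameif"
! on a third VLAN interface until you state which other VLAN it may not
! initiate traffic to. This is the "DMZ Restricted" row of Table 3-1:
! inside may open connections to the DMZ, the DMZ may not open them to inside.
! On a Security Plus system omit the "no forward interface" line.
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 192.168.2.1 255.255.255.0
!
! Port allocation. An access switch port belongs to exactly one VLAN, and a
! port passes no traffic until it is assigned to a VLAN and enabled.
interface Ethernet0/0
 switchport access vlan 2
 no shutdown
!
interface Ethernet0/1
 switchport access vlan 1
 no shutdown
!
interface Ethernet0/2
 switchport access vlan 1
 no shutdown
!
interface Ethernet0/3
 switchport access vlan 1
 no shutdown
!
interface Ethernet0/4
 switchport access vlan 3
 no shutdown
!
interface Ethernet0/5
 switchport access vlan 3
 no shutdown
!
! Security Plus only (assumed): carry the inside and DMZ VLANs to an external
! switch over one physical port instead of spending a port per segment.
! interface Ethernet0/7
!  switchport mode trunk
!  switchport trunk allowed vlan 1,3
!  no shutdown
```

To check the result, show switch vlan lists each VLAN with its interface name and the member switch ports, so you can confirm the 3/2/1 allocation before cabling anything; show version lists the license limits, and its VLANs line tells you whether the system is a Base platform (three VLANs, DMZ restricted) or Security Plus (twenty VLANs, unrestricted), which is the check to make before planning a trunk port or a DMZ that must reach inside hosts.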


Teleworker Deployment Using Three VLANs

Although not required, using three VLANs can be useful in other situations, such as when deploying a remote VPN hardware client to support a teleworker. In Figure 3-4, an ASA 5505 is installed in a home office environment and used as a remote VPN hardware client. The ASA 5505 is configured for three VLANs:
• Inside (Work) VLAN that consists of all devices used to support access to the main corporate network
• DMZ (Home) VLAN that consists of devices that can be used by all members of the family
• Outside (Internet) VLAN that provides Internet connectivity for both the Inside and DMZ VLANs

In this case, the ASA 5505 protects the critical assets on the Inside (Work) VLAN so that these devices cannot be infected by traffic from the DMZ (Home) VLAN. To enable devices in the Inside (Work) VLAN to establish secure connections with corporate headend devices, enable the Easy VPN hardware client functionality so that only traffic from the Inside (Work) VLAN initiates VPN connections. This configuration enables users on the DMZ (Home) VLAN to browse the Internet independently of the Inside (Work) VLAN, and the security of the Inside (Work) VLAN is not compromised.

Figure 3-4 Teleworker Deployment Using Three VLANs
(Figure not reproduced. It shows an ASA 5505 with the Inside (Work) VLAN connected to an IP phone, a notebook computer, and a printer; the DMZ (Home) VLAN connected to a personal computer and a game system; and the Outside (Internet) VLAN connected to a router that leads to the Internet.)

In this example, the physical ports of the ASA 5505 are used as follows:
• The Inside (Work) VLAN consists of three physical switch ports, one of which is a Power over Ethernet (PoE) switch port that is used for an IP phone.
• The DMZ (Home) VLAN consists of three physical switch ports. The printer is shared by both the Inside VLAN and the DMZ VLAN.
• The Outside (Internet) VLAN consists of one physical switch port supporting a single ISP connection using an external WAN router or broadband modem.

For more scenarios with VLANs, see the Cisco Security Appliance Command Line Configuration Guide.

What to Do Next

Continue with Chapter 4, “Installing the ASA 5505.”

CHAPTER 4 Installing the ASA 5505

This chapter describes how to install the Cisco ASA 5505 adaptive security appliance. This chapter includes the following sections:
• Verifying the Package Contents, page 4-1
• PoE Ports and Devices, page 4-3
• Installing the Chassis, page 4-4
• Connecting to Network Interfaces, page 4-4
• Powering on the Cisco ASA 5505, page 4-6
• Setting Up a PC for System Administration, page 4-6
• Optional Procedures, page 4-7
• Ports and LEDs, page 4-9
• What to Do Next, page 4-13

Verifying the Package Contents

Verify the contents of the packing box to ensure that you have received all items necessary to install your Cisco ASA 5505 adaptive security appliance, as shown in Figure 4-1.

Figure 4-1 Contents of Cisco ASA 5505 Package
(Figure not reproduced. The package contains the Cisco ASA 5505; a blue console cable; a power supply adapter and power cable (US cable shown); a yellow Ethernet cable; and documentation: the Cisco ASA 5505 Getting Started Guide, the Cisco ASA 5505 Product CD, and Cisco Firewall Regulatory Compliance and Safety Information.)

PoE Ports and Devices

On the Cisco ASA 5505, switch ports Ethernet 0/6 and Ethernet 0/7 support PoE devices that are compliant with the IEEE 802.3af standard, such as IP phones or wireless access points. These ports are the only ports that can provide power for IP phones or other PoE devices. However, these ports are not restricted to that use. They can also be used as Ethernet switch ports, like the Ethernet switch ports numbered 0 through 5. If you connect a non-PoE device, or do not connect anything to these switch ports, power is not supplied to the port.

When connecting PoE devices, use the following guidelines:
• Use straight-through cable only. Using crossover cable does not enable the Cisco ASA 5505 to provide power to the PoE ports.
• Do not disable auto-negotiation (force speed and duplex) on E0/6 and E0/7 when using them to connect PoE devices. If auto-negotiation is disabled for that switch port, the Cisco ASA 5505 does not recognize that a PoE device is attached. In this case, the adaptive security appliance does not supply power to the port and the device must be powered on its own.
• The Cisco IP Phone 7970 is always in low-power mode when drawing power from the Cisco ASA 5505.

Note Be careful when connecting a Cisco PoE device to a non-PoE switch port (E0/0 through E0/5). If auto-negotiation is disabled, a network loopback might occur with some Cisco Powered Device (PD) models.
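The following is an added example, not from this guide, of the interface settings and the two checks a practitioner would run after cabling an IP phone to Ethernet 0/6 on an ASA 5505 running software 7.2. The VLAN membership is an assumption; speed auto and duplex auto are the auto-negotiation settings the guidelines above require; show power inline and show interface are existing ASA 5505 commands, but the example does not reproduce their output.

```cisco
! Added example (not from the guide). ASA 5505, software 7.2.
! Ethernet0/6 feeds an 802.3af IP phone; putting it in VLAN1 is an assumption.
! A PoE port is an ordinary switch port and may be placed in any VLAN.
interface Ethernet0/6
 switchport access vlan 1
 speed auto
 duplex auto
 no shutdown
!
! Checks after connecting the phone with a straight-through cable.
! 1. Per-port PoE state for Ethernet0/6 and 0/7: if the port shows no power
!    although a PoE device is attached, first verify that speed/duplex are
!    still "auto" (a forced setting stops PoE detection) and that the cable
!    is straight-through, before suspecting the device.
show power inline
!
! 2. Link state and the negotiated speed/duplex on the port; a forced
!    setting would show here as well.
show interface ethernet0/6
```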

Installing the Chassis

You can wall-mount or rack-mount the Cisco ASA 5505. For information on wall-mounting or rack-mounting the Cisco ASA 5505, see the "Mounting the ASA 5505 Chassis" section in the Cisco ASA 5500 Series Hardware Installation Guide.

Note The part number for ordering a wall-mount kit for the Cisco ASA 5505 is ASA-5505-WALL-MNT=. The part number for ordering a rack-mount kit for the Cisco ASA 5505 is ASA5505-RACK-MNT=.

To install the Cisco ASA 5505, perform the following steps:

Step 1 Place the chassis on a flat, stable surface.
Step 2 Connect Port 0 to the public network (that is, the Internet):
a. Use one of the yellow Ethernet cables to connect the device to a cable/DSL/ISDN modem.
b. Use a yellow Ethernet cable to connect the device to a switch or hub.

Note By default, switch port 0 is the outside port. (Typically Ethernet port 0 is used to connect to an Internet router.)

Step 3 Connect your network devices with an Ethernet cable to one of the remaining seven switched ports (numbered 1 through 7). If you are connecting any Power over Ethernet (PoE) devices, connect them to one of the switch ports that support PoE (ports numbered 6 and 7).

Connecting to Network Interfaces

To connect to a network interface, perform the following steps:

Step 1 Locate an RJ-45 to RJ-45 Ethernet cable.
Step 2 Connect one end of the Ethernet cable to an Ethernet port (ports 0 through 7), as shown in Figure 4-2.

Figure 4-2 Connecting to an Ethernet Interface (callouts: 1 Ethernet switch ports; 2 Ethernet cable)

Step 3 Connect the other end of the Ethernet cable to a device, such as a router, desktop computer, or printer.

Note When connecting a computer to an inside port on the rear panel of the adaptive security appliance, use a straight-through cable, because ports 0 through 5 are switched ports and ports 6 and 7 are PoE ports, and both require that you connect a straight-through cable.

Powering on the Cisco ASA 5505

To power on the Cisco ASA 5505, perform the following steps:

Step 1 Connect the power supply to the power cable.
Step 2 Connect the small, rectangular connector of the power supply cable to the power connector on the rear panel.
Step 3 Connect the AC power connector of the power supply input cable to an electrical outlet. Completing Step 3 powers on the device.

Note The Cisco ASA 5505 does not have a power switch.

Step 4 Check the power LED; if it is solid green, then the device is powered on. For more information, see the "Front Panel Components" section on page 4-9.

Setting Up a PC for System Administration

You can perform setup, configuration, and management tasks from a PC using the Adaptive Security Device Manager (ASDM) application, which provides an intuitive graphical user interface (GUI). In addition to configuration and management capability, ASDM also provides configuration wizards for initial configuration, VPN configuration, and high-availability configuration. For more information about using ASDM for setup and configuration, see Chapter 5, "Configuring the Adaptive Security Appliance."

To set up a PC from which you can configure and manage the Cisco ASA 5505, perform the following steps:

Step 1 Make sure that the speed of the PC interface to be connected to one of the Cisco ASA 5505 inside ports is set to autonegotiate. This setting provides the best performance.

By default, the Cisco ASA 5505 automatically negotiates the inside interface speed. If autonegotiate is not an option for the PC interface, set the speed to either 10 or 100 Mbps half duplex. Do not set the interface to full duplex; this causes a duplex mismatch that significantly impacts the total throughput capabilities of the interface.

Step 2 Configure the PC to use DHCP (to receive an IP address automatically from the Cisco ASA 5505), which enables the PC to communicate with the Cisco ASA 5505 and the Internet as well as to run ASDM for configuration and management tasks. Alternatively, you can assign a static IP address to your PC by selecting an address in the 192.168.1.0 subnet. When you connect other devices to any of the inside ports, make sure that they do not have the same IP address.
Step 3 Use an Ethernet cable to connect the PC to a switched inside port on the rear panel of the Cisco ASA 5505 (one of the ports numbered 1 through 7).
Step 4 Check the LINK LED to verify that the PC has basic connectivity to the Cisco ASA 5505. When connectivity is established, the LINK LED on the front panel of the Cisco ASA 5505 lights up solid green.

You can now access the ASDM and the ASDM Startup Wizard. See Chapter 5, "Configuring the Adaptive Security Appliance," for information about how to perform initial setup and configuration of the Cisco ASA 5505.

Optional Procedures

This section describes how to perform tasks that are not required for the initial setup of the Cisco ASA 5505. This section includes the following topics:
• "Connecting to the Console" section on page 4-8
• "Installing a Cable Lock" section on page 4-9

Connecting to the Console

You can access the command line for administration using the console port on the Cisco ASA 5505. To do so, you must run a serial terminal emulator on a PC or workstation, as shown in Figure 4-3.

Figure 4-3 Connecting to the Console (callouts: 1 Console port; 2 Console cable)

To connect a console for local, command-line administrative access, perform the following steps:

Step 1 Plug one end of the PC terminal adapter into a standard 9-pin PC serial port on your PC.
Step 2 Plug the other end of the blue console cable into the console port.
Step 3 Configure the PC terminal emulation software or terminal for 9600 baud, 8 data bits, no parity, and 1 stop bit.

Installing a Cable Lock

The Cisco ASA 5505 includes a slot that accepts standard desktop cable locks to provide physical security for small portable equipment, such as a laptop computer. The cable lock is not included. To install a cable lock, perform the following steps:

Step 1 Attach the cable lock to the lock slot on the back panel of the Cisco ASA 5505.
Step 2 Follow the directions from the manufacturer for attaching the other end of the cable for securing the adaptive security appliance.

Ports and LEDs

This section describes the front and rear panels of the ASA 5505. This section includes the following topics:
• Front Panel Components, page 4-9
• Rear Panel Components, page 4-12

Front Panel Components

The LINK/ACT indicators on the front panel of the Cisco ASA 5505 are normally solid green when a link is established and flashing green when there is network activity. Each Ethernet interface (numbered 0 through 7) has two LEDs: one to indicate the operating speed and the other to indicate whether the physical link is established.

Figure 4-4 shows the front panel of the Cisco ASA 5505.

Figure 4-4 ASA 5505 Front Panel (callouts: 1 USB port; 2 speed indicators (100 MBPS); 3 LINK/ACT indicators; 4 Power; 5 Status; 6 Active; 7 VPN; 8 SSC)

Port / LED                  | Color   | State    | Description
1 USB Port                  | —       | —        | Reserved for future use.
2 Speed Indicators          | Not lit | —        | Network traffic is flowing at 10 Mbps.
                            | Green   | On       | Network traffic is flowing at 100 Mbps.
3 Link Activity Indicators  | Green   | Solid    | The physical link is established.*
                            | Green   | Flashing | There is network activity.
4 Power                     | Green   | On       | The device is powered on.
                            | Off     | —        | The device is powered off.
5 Status                    | Green   | Flashing | The power-up diagnostics are running or the system is booting.
                            | Green   | Solid    | The system is operational.
                            | Amber   | Solid    | The system has encountered a problem.

6 Active                    | Green   | Solid    | The system is forwarding traffic. If the system is part of a high availability setup, a solid green light indicates that the link is forwarding traffic.
                            | Amber   | Solid    | The system is on standby. If the system is part of a high availability setup, a solid amber light indicates that this is the standby unit.
7 VPN                       | Green   | Solid    | The VPN tunnel is established.
                            | Green   | Flashing | The system is initiating the VPN tunnel.
                            | Amber   | Solid    | The tunnel failed to initiate.
8 SSC                       | —       | —        | An SSC card is present in the SSC slot.

Note Currently not supported in this release.

* If the LINK/ACT LED does not light up, you might be using the wrong type of cable. If auto-negotiation is disabled (it is enabled by default), the link could be down if there is a duplex mismatch. You can fix the problem by changing the settings either on the Cisco ASA 5505 or on the other end.

Rear Panel Components

Figure 4-5 shows the back panel of the Cisco ASA 5505.

Figure 4-5 ASA 5505 Rear Panel (callouts 1 through 8 as listed in the table below)

Port or LED                    | Purpose
1 Power connector              | Attaching the power cord.
2 Security service card slot   | Reserved for future use.
3 Serial console port          | Managing the device using the CLI (command-line interface).
4 Lock device                  | Reserved for future use.
5 RESET button                 | Reserved for future use.
6 2 USB ports v2.0             | Reserved for future use.
7 Ethernet switch ports 0–5    | Layer 2 switch non-powered ports that provide flexible zone configuration.
8 PoE switch ports 6–7         | Can be used for PoE devices, that is, devices that can be powered by the network interface, such as IP phones or other PoE devices. These ports are the only ports that can be used for IP phones. However, these ports are not restricted to that use. They can also be used as Ethernet switch ports, as are the ports numbered 0 through 5. If a PoE device is not attached, power is not supplied to the port, and the device must be powered on its own.

What to Do Next

Continue with Chapter 5, "Configuring the Adaptive Security Appliance."


CHAPTER 5 Configuring the Adaptive Security Appliance

This chapter describes the initial configuration of the adaptive security appliance. You can perform the configuration steps using either the browser-based Cisco Adaptive Security Device Manager (ASDM) or the command-line interface (CLI). The procedures in this chapter describe how to configure the adaptive security appliance using ASDM.

This chapter includes the following sections:
• About the Factory Default Configuration, page 5-1
• About the Adaptive Security Device Manager, page 5-3
• Using the Startup Wizard, page 5-4
• What to Do Next, page 5-7

About the Factory Default Configuration

Cisco adaptive security appliances are shipped with a factory-default configuration that enables quick startup. The ASA 5505 comes preconfigured with
• Two VLANs: VLAN 1 and VLAN 2
• VLAN 1 has the following properties:
– Named "inside"
– Allocated switch ports Ethernet 0/1 through Ethernet 0/7

– Security level of 100
– IP address of 192.168.1.1 255.255.255.0
• VLAN 2 has the following properties:
– Named "outside"
– Allocated switch port Ethernet 0/0
– Security level of 0
– Configured to obtain its IP address using DHCP
• Inside interface to connect to the device and use ASDM to complete your configuration.

By default, the adaptive security appliance Inside interface is configured with a default DHCP address pool. This configuration enables a client on the inside network to obtain a DHCP address from the adaptive security appliance to connect to the appliance. Administrators can then configure and manage the adaptive security appliance using ASDM.

For more information about CLI configuration, see the Cisco Security Appliance Command Line Configuration Guide.
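As an added illustration that is not part of the guide, the factory default described above written out as the equivalent ASA 7.2 command-line configuration, which is what you see in the output of show running-config on a freshly unboxed unit. The VLAN names, security levels, switch-port assignments and the inside address are the ones the guide states; the DHCP pool range, the outbound NAT lines and the ASDM access lines are assumptions, chosen to be consistent with the 192.168.1.0 subnet and the https://192.168.1.1/ URL used elsewhere in this guide.

```text
! Added example: ASA 7.2 CLI equivalent of the ASA 5505 factory default
! described above. Lines marked ASSUMED are not stated in the guide.
!
! VLAN 1 = "inside", security level 100, 192.168.1.1/24
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! VLAN 2 = "outside", security level 0, address learned from the ISP by DHCP
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
! Ethernet 0/0 is the only port in VLAN 2. Ethernet 0/1 through 0/7 stay in
! VLAN 1, the default access VLAN, so they need no explicit switchport line.
interface Ethernet0/0
 switchport access vlan 2
!
! Outbound translation of every inside client to the outside interface
! address (ASSUMED form; the guide only says the default configuration
! "includes the necessary address translation rule").
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
!
! DHCP server on the inside interface (pool range ASSUMED; the guide says
! only that a default pool exists on the 192.168.1.0 subnet).
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd enable inside
!
! ASDM over HTTPS, reachable from the inside subnet only (ASSUMED; matches
! the https://192.168.1.1/ URL used in the Startup Wizard procedure).
http server enable
http 192.168.1.0 255.255.255.0 inside
```

When you compare a unit against this baseline, the two lines worth a second look before the outside port is connected are the http statement, which scopes who may reach ASDM, and security-level 0 on Vlan2, which is what makes the appliance drop unsolicited inbound traffic by default.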

About the Adaptive Security Device Manager

The Adaptive Security Device Manager (ASDM) is a feature-rich graphical interface that allows you to manage and monitor the adaptive security appliance. The web-based design provides secure access so that you can connect to and manage the adaptive security appliance from any location by using a web browser. In addition to complete configuration and management capability, ASDM features intelligent wizards to simplify and accelerate the deployment of the adaptive security appliance.

In addition to the ASDM web configuration tool, you can configure the adaptive security appliance by using the command-line interface. For more information, see the Cisco Security Appliance Command Line Configuration Guide and the Cisco Security Appliance Command Reference.

Using the Startup Wizard

ASDM includes a Startup Wizard to simplify the initial configuration of your adaptive security appliance. With a few steps, the Startup Wizard allows you to configure the adaptive security appliance so that it allows packets to flow securely between the inside network and the outside network.

This section describes how to use the Startup Wizard to set basic configuration parameters. This section includes the following topics:
• Before Launching the Startup Wizard, page 5-4
• Running the Startup Wizard, page 5-5

Before Launching the Startup Wizard

Before you launch the Startup Wizard, perform the following steps:

Step 1 Enable Java and JavaScript in your web browser.
Step 2 Make sure that you can access the Internet.
Step 3 Obtain the following information:
• A unique hostname to identify the adaptive security appliance on your network.
• The domain name.
• The IP addresses of your outside interface, inside interface, and any other interfaces to be configured.
• The IP addresses to use for NAT or PAT address translation, if any.
• The IP address range for the DHCP server.
• The IP address for the WINS server.
• Static routes to be configured.
• IP addresses for hosts that should have administrative access to this device using HTTPS for ASDM, SSH, or Telnet.
• The privileged mode password for administrative access.
• If you want to create a DMZ, you must create a third VLAN and assign ports to that VLAN. (By default, there are two VLANs configured.)

• Interface configuration information: whether traffic is permitted between interfaces at the same security level, and whether traffic is permitted between hosts on the same interface.
• If you are configuring an Easy VPN hardware client, the IP addresses of primary and secondary Easy VPN servers, whether the client is to run in client or network extension mode, and user and group login credentials to match those configured on the primary and secondary Easy VPN servers.

Running the Startup Wizard

To use the Startup Wizard to set up a basic configuration for the adaptive security appliance, perform the following steps:

Step 1 If you have not already done so, connect a PC to a switch port on the ASA 5505.
a. Locate an Ethernet cable, which has an RJ-45 connector on each end.
b. Connect one RJ-45 connector to the switch port.
c. Connect the other end of the Ethernet cable to the Ethernet port on your computer or to your management network.
Step 2 Start ASDM.
a. On the PC connected to the ASA 5505, open a web browser.
b. In the address field of the web browser, enter the following URL: https://192.168.1.1/.

Note The adaptive security appliance ships with a default IP address of 192.168.1.1. Remember to add the "s" in "https" or the connection fails. HTTP over SSL (HTTPS) provides a secure connection between your browser and the adaptive security appliance.

c. In the window that requires you to choose the method you want to use to run the ASDM software, choose either to download the ASDM Launcher or to run the ASDM software as a Java applet.

Step 3 In the dialog box that requires a username and password, leave both fields empty. Press Enter.
Step 4 Click Yes to accept the certificates. Click Yes for all subsequent authentication and certificate dialog boxes. The ASDM main window appears.
Step 5 From the Wizards menu, choose Startup Wizard.
Step 6 Follow the instructions in the Startup Wizard to set up your adaptive security appliance. For information about any field in the Startup Wizard, click Help at the bottom of the window.

What to Do Next

Note Based on your network security policy, you should also consider configuring the adaptive security appliance to deny all ICMP traffic through the outside interface or any other interface that is necessary. You can configure this access control policy using ASDM. From the ASDM main window, click Configuration > Properties > Device Administration > ICMP Rules. Add an entry for the outside interface. Set the IP address to 0.0.0.0, the netmask to 0.0.0.0, and the Action to deny.

Configure the adaptive security appliance for your deployment using one or more of the following chapters:

To Do This...                                                              | See...
Configure the adaptive security appliance to protect a DMZ web server      | Chapter 6, "Scenario: DMZ Configuration"
Configure the adaptive security appliance for remote-access VPN            | Chapter 7, "Scenario: IPSec Remote-Access VPN Configuration"
Configure the adaptive security appliance for site-to-site VPN             | Chapter 8, "Scenario: Site-to-Site VPN Configuration"
Configure the adaptive security appliance as an Easy VPN remote device     | Chapter 9, "Scenario: Easy VPN Hardware Client Configuration"


CHAPTER 6 Scenario: DMZ Configuration

Note Cisco ASA 5505 DMZ configurations are possible only with the Security Plus license.

This chapter includes the following sections:
• Example DMZ Network Topology, page 6-1
• Configuring the Security Appliance for a DMZ Deployment, page 6-5
• What to Do Next, page 6-18

Example DMZ Network Topology

The example network topology shown in Figure 6-1 is typical of many DMZ implementations of the adaptive security appliance.

Figure 6-1 Network Layout for DMZ Configuration Scenario (labels: HTTP client; inside interface 192.168.1.1 (private address); 192.168.1.2 (private address); Security Appliance; outside interface 209.165.200.225 (public address); Internet; HTTP client; DNS server; DMZ interface 10.30.30.1 (private address); DMZ web server, private IP address 10.30.30.30, public IP address 209.165.200.226; HTTP server)

This example scenario has the following characteristics:
• The web server is on the DMZ interface of the adaptive security appliance.
• HTTP clients on the private network can access the web server in the DMZ and can also communicate with devices on the Internet.
• Clients on the Internet are permitted HTTP access to the DMZ web server; all other traffic is denied.
• The network has one routable IP address that is publicly available: the outside interface of the adaptive security appliance (209.165.200.225).

Figure 6-2 shows the outgoing traffic flow of HTTP requests from the private network to both the DMZ web server and to the Internet.

Figure 6-2 Outgoing HTTP Traffic Flow from the Private Network (labels: before an HTTP request can be sent to the DMZ web server, the URL must be resolved to an IP address; HTTP client DNS request; inside interface 192.168.1.1 (private address); HTTP client HTTP request 192.168.1.2 (private address); client sends HTTP request to ASA, which forwards it to the DMZ web server; Security Appliance outside interface 209.165.200.225 (public address); DNS server; Internet; DMZ interface 10.30.30.1; DMZ network; DMZ web server, private IP address 10.30.30.30, public IP address 209.165.200.226)

In Figure 6-2, internal client requests for the DMZ web server are handled as follows:
1. Because the internal network does not include a DNS server, a lookup request is sent to the DNS server of the ISP. The public IP address of the DMZ web server is returned to the client.
2. The internal client sends the HTTP request to the adaptive security appliance.
3. The adaptive security appliance permits HTTP traffic originating from inside clients and destined for the DMZ web server. It translates the public IP address of the DMZ web server to its real address and forwards the request to the web server.
4. The DMZ web server returns the HTTP content to the adaptive security appliance with a destination address of the real IP address of the internal client.

5. The adaptive security appliance forwards the HTTP content to the internal client.

To permit internal clients to request HTTP content from the DMZ web server, the adaptive security appliance configuration must include the following rules:
• A NAT rule between the DMZ and inside interfaces that translates the real IP address of the DMZ web server to the public IP address of the DMZ web server (10.30.30.30 to 209.165.200.225).
• A NAT rule between the inside and DMZ interfaces that translates the real addresses of the internal client network. In this scenario, the real IP address of the internal network is translated to itself when internal clients communicate with the web server in the DMZ (10.30.30.30 to 10.30.30.30).

To permit traffic coming from the Internet to access the DMZ web server, the adaptive security appliance configuration includes the following:
• An address translation rule translating the public IP address of the DMZ web server to the private IP address of the DMZ web server.
• An access control rule permitting incoming HTTP traffic that is destined for the DMZ web server.

Figure 6-3 shows HTTP requests originating from the Internet and destined for the public IP address of the DMZ web server.

Figure 6-3 Incoming HTTP Traffic Flow From the Internet (callouts: 1 HTTP request sent to public address of DMZ web server; 2 incoming request destined for public address of DMZ web server intercepted; 3 destination IP address translated to the private IP address of the web server; 4 web server receives request for content. Labels: Internet HTTP client; Security Appliance; DMZ web server, private IP address 10.30.30.30, public IP address 209.165.200.226)

The procedures for creating this configuration are detailed in the remainder of this chapter.

Configuring the Security Appliance for a DMZ Deployment

This section describes how to use ASDM to configure the adaptive security appliance for the configuration scenario shown in Figure 6-1. The procedure uses sample parameters based on the scenario.

This configuration procedure assumes that the adaptive security appliance already has interfaces configured for the inside interface, the outside interface, and the DMZ interface. Set up interfaces on the adaptive security appliance by using the Startup Wizard in ASDM. Be sure that the DMZ interface security level is set between 0 and 100. (A common choice is 50.) For more information about using the Startup Wizard, see Chapter 5, "Configuring the Adaptive Security Appliance."

The section includes the following topics:
• Configuration Requirements, page 6-5
• Starting ASDM, page 6-6
• Enabling Inside Clients to Communicate with Devices on the Internet, page 6-7
• Enabling Inside Clients to Communicate with the DMZ Web Server, page 6-8
• Configuring an External Identity for the DMZ Web Server, page 6-12
• Providing Public HTTP Access to the DMZ Web Server, page 6-15

The following sections provide detailed instructions for how to perform each step.

Configuration Requirements

Configuring the adaptive security appliance for this DMZ deployment requires the following:
• Internal clients need to be able to communicate with devices on the Internet.

• Internal clients need to be able to communicate with the DMZ web server.
• External clients need to be able to communicate with the DMZ web server.

The remainder of this chapter provides instructions for how to complete this configuration.

Starting ASDM

To run ASDM in a web browser, enter the following factory default IP address in the address field: https://192.168.1.1/admin/.

Note Remember to add the "s" in "https," or the connection fails. HTTP over SSL (HTTPS) provides a secure connection between your browser and the adaptive security appliance.

The ASDM main window appears.

Enabling Inside Clients to Communicate with Devices on the Internet

To permit internal clients to request content from devices on the Internet, the adaptive security appliance translates the real IP addresses of internal clients to the external address of the outside interface (that is, the public IP address of the adaptive security appliance). Outgoing traffic appears to come from this address.

The ASA 5505 comes with a default configuration that includes the necessary address translation rule. Unless you want to change the IP address of the inside interface, you do not need to configure any settings to allow inside clients to access the Internet.

Enabling Inside Clients to Communicate with the DMZ Web Server

In this procedure, you configure the adaptive security appliance to allow internal clients to communicate securely with the web server in the DMZ. To accomplish this, you must configure two translation rules:
• A NAT rule between the DMZ and inside interfaces that translates the real IP address of the DMZ web server to its public IP address (10.30.30.30 to 209.165.200.225).
• A NAT rule between the inside and DMZ interfaces that translates the public IP address of the DMZ web server back to its real IP address (209.165.200.225 to 10.30.30.30).

Note Because there is no DNS server on the inside network, DNS requests must exit the adaptive security appliance to be resolved by a DNS server on the Internet. This is necessary because when an internal client sends a DNS lookup request, the DNS server returns the public IP address of the DMZ web server.

This section includes the following topics:
• Translating Internal Client IP Addresses Between the Inside and DMZ Interfaces, page 6-8
• Translating the Public Address of the Web Server to its Real Address, page 6-10

Translating Internal Client IP Addresses Between the Inside and DMZ Interfaces

To configure NAT to translate internal client IP addresses between the inside interface and the DMZ interface, perform the following steps:

Step 1 In the ASDM main window, click the Configuration tool.
Step 2 In the Features pane, click NAT.
Step 3 From the Add drop-down list, choose Add Static NAT Rule. The Add Static NAT Rule dialog box appears.

Step 4 In the Real Address area, specify the IP address to be translated. For this scenario, address translation for inside clients is performed for the entire 10.10.10.0 subnet.
a. From the Interface drop-down list, choose the Inside interface.
b. Enter the IP address of the client or network. In this scenario, the IP address of the network is 10.10.10.0.
c. From the Netmask drop-down list, choose 255.255.255.0 for this scenario.
Step 5 In the Static Translation area, do the following:
a. From the Interface drop-down list, choose the DMZ interface.
b. In the IP Address field, enter the IP address of the internal client subnet. In this scenario, the IP address is 10.10.10.0.
c. Click OK to add the static NAT rule and return to the Configuration > NAT pane.
Step 6 Review the configuration pane to verify that the translation rule appears as you expected. The rule should appear similar to the following:

Step 7 Click Apply to complete the adaptive security appliance configuration changes.

Translating the Public Address of the Web Server to its Real Address

To configure a NAT rule that translates the public IP address of the web server to its real IP address, perform the following steps:

Step 1 In the main ASDM window, choose Configuration > NAT.
Step 2 From the Add drop-down list, choose Add Static NAT Rule. The Add Static NAT Rule dialog box appears.
Step 3 In the Real Address area, do the following:
a. From the Interface drop-down list, choose DMZ.

b. Enter or choose from the IP Address drop-down list the real address of the DMZ web server. In this scenario, the IP address is 10.30.30.30.
Step 4 In the Static Translation area, do the following:
a. From the Interface drop-down list, choose Inside.
b. Enter or choose from the IP Address drop-down list the public address of the DMZ web server. In this scenario, the IP address is 209.165.200.225.

Step 5 Click OK to return to the Configuration > NAT pane. The configuration should look similar to the following:

Configuring an External Identity for the DMZ Web Server

The DMZ web server needs to be accessible by all hosts on the Internet. This configuration requires translating the private IP address of the DMZ web server to a public IP address, which allows outside HTTP clients to access the web server without being aware of the adaptive security appliance. To map the real web server IP address (10.30.30.30) statically to a public IP address (209.165.200.225), perform the following steps:

Step 1 In the ASDM main window, choose Configuration > NAT.

[Figure: DMZ scenario network layout. Internet with an HTTP client and an HTTP server; Security Appliance with outside interface 209.165.200.226 (public address), inside interface 192.168.1.1 (private address) and DMZ interface 10.30.30.1 (private address); inside network with HTTP client 192.168.1.2 (private address) and DNS server; DMZ web server with private IP address 10.30.30.30 and public IP address 209.165.200.225.]

Step 2 From the Add drop-down list, choose Add Static NAT Rule. The Add Static NAT Rule dialog box appears.

Step 3 In the Real Address area, specify the following:
a. From the Interface drop-down list, choose the DMZ interface.
b. Enter the real IP address of the DMZ web server. In this scenario, the IP address is 10.30.30.30.
c. From the Netmask drop-down list, choose 255.255.255.255.

Step 4 In the Static Translation area, specify the public IP address to be used for the web server:
a. From the Interface drop-down list, choose Outside.
b. From the IP Address drop-down list, choose the Interface IP keyword, which is the IP address for the specified outside interface.

Step 5 Configure Port Address Translation. Because there is only one public IP address, it is necessary to use Port Address Translation to translate the IP address of the DMZ web server to the public outside IP address of the adaptive security appliance. To configure Port Address Translation, perform the following steps:
a. Check the Enable Port Address Translation (PAT) check box.
b. From the Protocol drop-down list, choose tcp.
c. In the Original Port field, enter 80.

d. In the Translated Port field, enter 80.
e. Click OK to add the rule and return to the list of Address Translation Rules. This rule maps the real web server IP address (10.30.30.30) statically to the public IP address of the web server (209.165.200.225).

Step 6 Confirm that the rule was created the way you expected. The displayed configuration should be similar to the following:

Step 7 Click Apply to complete the adaptive security appliance configuration changes.

Providing Public HTTP Access to the DMZ Web Server

By default, the adaptive security appliance denies all traffic coming in from the public network. To permit traffic coming from the Internet to access the DMZ web server, you must configure an access control rule permitting incoming HTTP traffic destined for the DMZ web server.

This access control rule specifies the interface of the adaptive security appliance that processes the traffic, that the traffic is incoming, the origin and destination of the traffic, and the type of traffic protocol and service to be permitted. In this section, you create an access rule that permits incoming HTTP traffic originating from any host or network on the Internet, if the destination of the traffic is the web server on the DMZ network. All other traffic coming in from the public network is denied.

To configure the access control rule, perform the following steps:

Step 1 In the ASDM main window, do the following:
a. Choose Configuration > Security Policy.
b. Click the Access Rules tab, then from the Add pull-down list, choose Add Access Rule. The Add Access Rule dialog box appears.

Step 2 In the Interface and Action area, do the following:
a. From the Interface drop-down list, choose Outside.
b. From the Direction drop-down list, choose Incoming.
c. From the Action drop-down list, choose Permit.

Step 3 In the Source area, choose the Any keyword from the Type drop-down list to allow traffic originating from any host or network.

Step 4 In the Destination area, do the following:
a. From the Type drop-down list, choose the Interface IP keyword.
b. From the Interface drop-down list, choose Outside.

Step 5 In the Protocol and Service area, specify the type of traffic that you want to permit through the adaptive security appliance.
a. From the Protocol drop-down list, choose tcp.

b. In the Source Port area, confirm that the Service radio button is set to "=" (equal to), and then choose Any from the next drop-down list.
c. In the Destination Port area, confirm that the Service radio button is set to "=" (equal to), and then choose HTTP/WWW from the next drop-down list.
d. Verify that the information you entered is accurate. At this point, the entries in the Add Access Rule dialog box should be similar to the following:

Step 6 Click OK to return to the Security Policy > Access Rules pane. The displayed configuration should be similar to the following.

Step 7 Click Apply to save the changes to the configuration that the adaptive security appliance is currently running. With this setting, clients on the public network can resolve HTTP requests for content from the DMZ web server, while keeping the private network secure.

Step 8 If you want the configuration changes to be saved to the startup configuration so that they are applied the next time the device starts, from the File menu, choose Save. Alternatively, ASDM prompts you to save the configuration changes permanently when you exit ASDM. If you do not save the configuration changes, the previous configuration takes effect the next time that the device starts.
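The three ASDM procedures above (the DMZ-to-inside static rule, the static PAT to the outside interface, and the access rule) produce a small amount of running configuration. The following is an added example, not taken from the guide or generated by ASDM, of the equivalent ASA 7.2 command-line configuration for this scenario; the interface names (inside, dmz, outside) and the access-list name outside_access_in are assumptions, and the addresses are those of the DMZ figure.

```cisco
! Added example: ASA 7.2 CLI equivalent of the ASDM NAT and access-rule steps
! for the DMZ scenario. Interface and access-list names are assumed.

! 1. Let inside clients reach the DMZ web server by its public address.
!    Packets from inside to 209.165.200.225 are translated to 10.30.30.30 on the DMZ.
static (dmz,inside) 209.165.200.225 10.30.30.30 netmask 255.255.255.255

! 2. Expose the web server on the Internet. Use ONE of the two forms.
!    a. Static PAT to the outside interface address (only one public IP available):
static (dmz,outside) tcp interface 80 10.30.30.30 80 netmask 255.255.255.255
!    b. One-to-one static NAT to a dedicated public address (commented out here):
! static (dmz,outside) 209.165.200.225 10.30.30.30 netmask 255.255.255.255

! 3. Permit only TCP/80 from any Internet host to the translated address.
!    In software before 8.3 the access list on the outside interface matches the
!    translated (public) address, so "interface outside" is the destination for
!    form a. For form b use "host 209.165.200.225" instead.
access-list outside_access_in extended permit tcp any interface outside eq www
access-group outside_access_in in interface outside

! Everything else arriving on the outside interface is dropped by the implicit
! deny at the end of the access list. Verify the translation and the hit count:
show xlate
show access-list outside_access_in
```

Only port 80 is exposed with form a, so an administrative service such as SSH on the web server stays reachable only from the inside and DMZ interfaces; with form b every port of 10.30.30.30 is translated, and the access list is the only thing limiting what the Internet can reach.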

What to Do Next

If you are deploying the adaptive security appliance solely to protect a web server in a DMZ, you have completed the initial configuration. You may want to consider performing some of the following additional steps:

To Do This: Refine configuration and configure optional and advanced features
See: Cisco Security Appliance Command Line Configuration Guide

To Do This: Learn about daily operations
See: Cisco Security Appliance Command Reference; Cisco Security Appliance Logging Configuration and System Log Messages

You can configure the adaptive security appliance for more than one application. The following sections provide configuration procedures for other common applications of the adaptive security appliance.

To Do This: Configure a remote-access VPN
See: Chapter 7, "Scenario: IPSec Remote-Access VPN Configuration"

To Do This: Configure a site-to-site VPN
See: Chapter 8, "Scenario: Site-to-Site VPN Configuration"

CHAPTER 7 Scenario: IPSec Remote-Access VPN Configuration

This chapter describes how to use the adaptive security appliance to accept remote-access IPSec VPN connections. A remote-access VPN allows you to create secure connections, or tunnels, across the Internet, which provides secure access to off-site users. If you are implementing an Easy VPN solution, this chapter describes how to configure the Easy VPN server (sometimes called a headend device).

This chapter includes the following sections:
• Example IPSec Remote-Access VPN Network Topology, page 7-1
• Implementing the IPSec Remote-Access VPN Scenario, page 7-2
• What to Do Next, page 7-18

Example IPSec Remote-Access VPN Network Topology

Figure 7-1 shows an adaptive security appliance configured to accept requests from and establish IPSec connections with VPN clients, such as Cisco Easy VPN software or hardware clients, over the Internet.

Figure 7-1 Network Layout for Remote Access VPN Scenario

Implementing the IPSec Remote-Access VPN Scenario

This section describes how to configure the adaptive security appliance to accept IPSec VPN connections from remote clients and devices. If you are implementing an Easy VPN solution, this section describes how to configure an Easy VPN server (also known as a headend device). Values for example configuration settings are taken from the remote-access scenario illustrated in Figure 7-1.

This section includes the following topics:
• Information to Have Available, page 7-3
• Starting ASDM, page 7-3
• Configuring the ASA 5505 for an IPSec Remote-Access VPN, page 7-5
• Selecting VPN Client Types, page 7-6
• Specifying the VPN Tunnel Group Name and Authentication Method, page 7-7

• Specifying a User Authentication Method, page 7-8
• (Optional) Configuring User Accounts, page 7-10
• Configuring Address Pools, page 7-11
• Configuring Client Attributes, page 7-12
• Configuring the IKE Policy, page 7-13
• Configuring IPSec Encryption and Authentication Parameters, page 7-15
• Specifying Address Translation Exception and Split Tunneling, page 7-16
• Verifying the Remote-Access VPN Configuration, page 7-17

Information to Have Available

Before you begin configuring the adaptive security appliance to accept remote access IPSec VPN connections, make sure that you have the following information available:
• Range of IP addresses to be used in an IP pool. These addresses are assigned to remote VPN clients as they are successfully connected.
• List of users to be used in creating a local authentication database, unless you are using a AAA server for authentication.
• Networking information to be used by remote clients when connecting to the VPN, including the following:
– IP addresses for the primary and secondary DNS servers
– IP addresses for the primary and secondary WINS servers
– Default domain name
– List of IP addresses for local hosts, groups, and networks that should be made accessible to authenticated remote clients

Starting ASDM

To run ASDM in a web browser, enter the factory default IP address in the address field: https://192.168.1.1/admin/.

Note Remember to add the "s" in "https" or the connection fails. HTTP over SSL (HTTPS) provides a secure connection between your browser and the adaptive security appliance.

The Main ASDM window appears.

Configuring the ASA 5505 for an IPSec Remote-Access VPN

To begin the process for configuring a remote-access VPN, perform the following steps:

Step 1 In the main ASDM window, choose VPN Wizard from the Wizards drop-down menu. The VPN Wizard Step 1 screen appears.

Step 2 In Step 1 of the VPN Wizard, perform the following steps:
a. Click the Remote Access radio button.
b. From the drop-down list, choose Outside as the enabled interface for the incoming VPN tunnels.
c. Click Next to continue.

Selecting VPN Client Types

In Step 2 of the VPN Wizard, perform the following steps:

Step 1 Specify the type of VPN client that will enable remote users to connect to this adaptive security appliance. For this scenario, click the Cisco VPN Client radio button. You can also use any other Cisco Easy VPN remote product.

Step 2 Click Next to continue.

Specifying the VPN Tunnel Group Name and Authentication Method

In Step 3 of the VPN Wizard, perform the following steps:

Step 1 Specify the type of authentication that you want to use by performing one of the following steps:
• To use a static preshared key for authentication, click the Pre-Shared Key radio button and enter a preshared key (for example, "Cisco"). This key is used for IPSec negotiations between the VPN clients and the adaptive security appliance; every client in the tunnel group presents it, so use a long, random value in production rather than the short example value.
• To use digital certificates for authentication, click the Certificate radio button, choose the Certificate Signing Algorithm from the drop-down list, and then choose a preconfigured trustpoint name from the drop-down list. If you want to use digital certificates for authentication but have not yet configured a trustpoint name, you can continue with the Wizard by using one of the other two options. You can revise the authentication configuration later using the standard ASDM windows.
• Click the Challenge/Response Authentication (CRACK) radio button to use that method of authentication.

Step 2 Enter a Tunnel Group Name (such as "Cisco") for the set of users that use common connection parameters and client attributes to connect to this adaptive security appliance.

Step 3 Click Next to continue.

Specifying a User Authentication Method

Users can be authenticated either by a local authentication database or by using external authentication, authorization, and accounting (AAA) servers (RADIUS, TACACS+, SDI, NT, Kerberos, and LDAP).

In Step 4 of the VPN Wizard, perform the following steps:

Step 1 If you want to authenticate users by creating a user database on the adaptive security appliance, click the Authenticate Using the Local User Database radio button.

Step 2 If you want to authenticate users with an external AAA server group:
a. Click the Authenticate Using an AAA Server Group radio button.
b. Choose a preconfigured server group from the Authenticate using an AAA server group drop-down list, or click New to add a new AAA server group.

Step 3 Click Next to continue.


(Optional) Configuring User Accounts
If you have chosen to authenticate users with the local user database, you can create new user accounts here. You can also add users later using the ASDM configuration interface. In Step 5 of the VPN Wizard, perform the following steps:
Step 1

To add a new user, enter a username and password, and then click Add.

Step 2

When you have finished adding new users, click Next to continue.


Configuring Address Pools
For remote clients to gain access to your network, you must configure a pool of IP addresses that can be assigned to remote VPN clients as they are successfully connected. In this scenario, the pool is configured to use the range of IP addresses 209.165.201.1–209.165.201.20. In Step 6 of the VPN Wizard, perform the following steps:
Step 1

Enter a pool name or choose a preconfigured pool from the Name drop-down list. Alternatively, click New to create a new address pool. The Add IP Pool dialog box appears.

Step 2

In the Add IP Pool dialog box, do the following:
a. Enter the Starting IP address and Ending IP address of the range.
b. (Optional) Enter a subnet mask or choose a subnet mask for the range of IP addresses from the Subnet Mask drop-down list.
c. Click OK to return to Step 6 of the VPN Wizard.


Step 3

Click Next to continue.

Configuring Client Attributes
To access your network, each remote access client needs basic network configuration information, such as which DNS and WINS servers to use and the default domain name. Instead of configuring each remote client individually, you can provide the client information to ASDM. The adaptive security appliance pushes this information to the remote client or Easy VPN hardware client when a connection is established. Make sure that you specify the correct values, or remote clients will not be able to use DNS names for resolution or use Windows networking.


In Step 7 of the VPN Wizard, perform the following steps:

Step 1 Enter the network configuration information to be pushed to remote clients.

Step 2 Click Next to continue.

Configuring the IKE Policy

IKE is a negotiation protocol that includes an encryption method to protect data and ensure privacy; it is also an authentication method to ensure the identity of the peers. In most cases, the ASDM default values are sufficient to establish secure VPN tunnels.

To specify the IKE policy in Step 8 of the VPN Wizard, perform the following steps:

Step 1 Choose the Encryption (DES/3DES/AES), authentication algorithms (MD5/SHA), and the Diffie-Hellman group (1/2/5/7) used by the adaptive security appliance during an IKE security association. DES, MD5, and Diffie-Hellman group 1 are the weakest choices offered; prefer AES or 3DES, SHA, and group 2 or 5, and note that the VPN clients must support whatever you choose here.

Step 2 Click Next to continue.

Configuring IPSec Encryption and Authentication Parameters

In Step 9 of the VPN Wizard, perform the following steps:

Step 1 Click the Encryption algorithm (DES/3DES/AES) and authentication algorithm (MD5/SHA).

Step 2 Click Next to continue.

Specifying Address Translation Exception and Split Tunneling

The adaptive security appliance uses Network Address Translation (NAT) to prevent internal IP addresses from being exposed externally. You can make exceptions to this network protection by identifying local hosts and networks that should be made accessible to authenticated remote users. Split tunneling enables remote-access IPSec clients to send packets conditionally over an IPSec tunnel in encrypted form or to a network interface in cleartext form.

In Step 10 of the VPN Wizard, perform the following steps:

Step 1 Specify hosts, groups, and networks that should be in the list of internal resources made accessible to authenticated remote users. To add or remove hosts, groups, and networks dynamically from the Selected Hosts/Networks pane, click Add or Delete, respectively.

Note Enable split tunneling by checking the Enable Split Tunneling ... check box at the bottom of the screen. Split tunneling allows traffic outside the configured networks to be sent out directly to the Internet instead of over the encrypted VPN tunnel. With split tunneling enabled, the remote client is attached to the Internet and to your network at the same time, so it can relay traffic between them; leave it disabled unless you accept that exposure.

Step 2 Click Next to continue.

Verifying the Remote-Access VPN Configuration

In Step 11 of the VPN Wizard, review the configuration attributes for the new VPN tunnel. The displayed configuration should be similar to the following:
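The wizard steps above (pool, local users, client attributes, IKE and IPSec parameters, NAT exception and split tunneling) map directly onto ASA 7.2 commands. The following is an added example of that equivalent command-line configuration, written for this page and not taken from the guide or generated by ASDM. The inside network 10.10.10.0/24, the DNS server 10.10.10.5, the domain example.com, the user "user1" and its placeholder password, and all access-list and crypto-map names are assumptions; the tunnel group name, pre-shared key and pool range are the ones used in the procedure.

```cisco
! Added example: ASA 7.2 CLI equivalent of the remote-access VPN Wizard output.
! Inside network, DNS server, domain, user name and object names are assumed.

! Address pool handed to connected clients (wizard Step 6)
ip local pool vpnpool 209.165.201.1-209.165.201.20 mask 255.255.255.0

! Local user database (wizard Step 5); the password is a placeholder
username user1 password ChangeMe123

! Client attributes and split tunneling (wizard Steps 7 and 10).
! Only 10.10.10.0/24 goes through the tunnel; omit the two split-tunnel lines
! to send all client traffic through the appliance instead.
access-list split_tunnel_acl standard permit 10.10.10.0 255.255.255.0
group-policy Cisco internal
group-policy Cisco attributes
 dns-server value 10.10.10.5
 default-domain value example.com
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_tunnel_acl

! NAT exception (wizard Step 10): traffic from the inside network to the VPN
! pool must keep its real addresses, so exempt it from dynamic NAT.
! 255.255.255.224 covers 209.165.201.0 to .31, which contains the pool.
access-list inside_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 209.165.201.0 255.255.255.224
nat (inside) 0 access-list inside_nat0_outbound

! Tunnel group "Cisco" with pre-shared key and local authentication (Steps 3, 4)
tunnel-group Cisco type ipsec-ra
tunnel-group Cisco general-attributes
 address-pool vpnpool
 default-group-policy Cisco
 authentication-server-group LOCAL
tunnel-group Cisco ipsec-attributes
 pre-shared-key Cisco

! IKE (phase 1) policy (Step 8): 3DES/SHA/group 2 rather than DES/MD5/group 1
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

! IPSec (phase 2) transform set and dynamic crypto map (Step 9).
! A dynamic map is required because client addresses are not known in advance.
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside

! Verification after a client connects
show vpn-sessiondb remote
show crypto isakmp sa
show crypto ipsec sa
```

The nat 0 access list is the part most often forgotten when this is built by hand: without it, replies from inside hosts to pool addresses are translated on the way out and never match the tunnel, so the client connects but cannot reach anything.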

If you are satisfied with the configuration, click Finish to apply the changes to the adaptive security appliance.

If you want the configuration changes to be saved to the startup configuration so that they are applied the next time the device starts, from the File menu, click Save. Alternatively, ASDM prompts you to save the configuration changes permanently when you exit ASDM. If you do not save the configuration changes, the old configuration takes effect the next time the device starts.

What to Do Next

To establish end-to-end, encrypted VPN tunnels for secure connectivity for mobile employees or teleworkers, obtain the Cisco VPN client software. For more information about the Cisco Systems VPN client, see the following URL: http://www.cisco.com/en/US/products/sw/secursw/ps2308/index.html

If you are deploying the adaptive security appliance solely in a remote-access VPN environment, you have completed the initial configuration. In addition, you may want to consider performing some of the following steps:

To Do This: Refine configuration and configure optional and advanced features
See: Cisco Security Appliance Command Line Configuration Guide

To Do This: Learn about daily operations
See: Cisco Security Appliance Command Reference; Cisco Security Appliance Logging Configuration and System Log Messages

You can configure the adaptive security appliance for more than one application. The following sections provide configuration procedures for other common applications of the adaptive security appliance.

To Do This: Configure the adaptive security appliance to protect a web server in a DMZ
See: Chapter 6, "Scenario: DMZ Configuration"

To Do This: Configure a site-to-site VPN
See: Chapter 8, "Scenario: Site-to-Site VPN Configuration"


CHAPTER 8 Scenario: Site-to-Site VPN Configuration

This chapter describes how to use the adaptive security appliance to create a site-to-site VPN. Site-to-site VPN features provided by the adaptive security appliance enable businesses to extend their networks across low-cost public Internet connections to business partners and remote offices worldwide while maintaining their network security. A VPN connection enables you to send data from one location to another over a secure connection, or tunnel, first by authenticating both ends of the connection, and then by automatically encrypting all data sent between the two sites.

This chapter includes the following sections:
• Example Site-to-Site VPN Network Topology, page 8-1
• Implementing the Site-to-Site Scenario, page 8-2
• Configuring the Other Side of the VPN Connection, page 8-13
• What to Do Next, page 8-14

Example Site-to-Site VPN Network Topology

Figure 8-1 shows an example VPN tunnel between two adaptive security appliances.

Figure 8-1 Network Layout for Site-to-Site VPN Configuration Scenario

[Figure: Site A with Adaptive Security Appliance 1 (Outside 209.165.200.226, Inside 10.10.10.0) and Site B with Adaptive Security Appliance 2 (Outside 209.165.200.236, Inside 10.20.20.0), each site with personal computers and a printer, connected through an ISP router and the Internet.]

Creating a VPN site-to-site deployment such as the one in Figure 8-1 requires you to configure two adaptive security appliances, one on each side of the connection.

Implementing the Site-to-Site Scenario

This section describes how to configure the adaptive security appliance in a site-to-site VPN deployment, using example parameters from the site-to-site scenario shown in Figure 8-1.

This section includes the following topics:
• Information to Have Available, page 8-3
• Configuring the Site-to-Site VPN, page 8-3

Information to Have Available

Before you begin the configuration procedure, obtain the following information:
• IP address of the remote adaptive security appliance peer
• IP addresses of local hosts and networks permitted to use the tunnel to communicate with resources on the remote site
• IP addresses of remote hosts and networks permitted to use the tunnel to communicate with local resources

Configuring the Site-to-Site VPN

This section describes how to use the ASDM VPN Wizard to configure the adaptive security appliance for a site-to-site VPN.

This section includes the following topics:
• Starting ASDM, page 8-3
• Configuring the Security Appliance at the Local Site, page 8-4
• Providing Information About the Remote VPN Peer, page 8-6
• Configuring the IKE Policy, page 8-7
• Configuring IPSec Encryption and Authentication Parameters, page 8-9
• Specifying Hosts and Networks, page 8-10
• Viewing VPN Attributes and Completing the Wizard, page 8-11

The following sections provide detailed instructions for how to perform each configuration step.

Starting ASDM

To run ASDM in a web browser, enter the factory default IP address in the address field: https://192.168.1.1/admin/.

Note Make sure you add the "s" in "https," or the connection fails. HTTP over SSL (HTTPS) provides a secure connection between your browser and the adaptive security appliance.

The ASDM main window appears.

Configuring the Security Appliance at the Local Site

Note The adaptive security appliance at the first site is referred to as Security Appliance 1 in this scenario.

To configure Security Appliance 1, perform the following steps:

Step 1 In the ASDM main window, choose the VPN Wizard option from the Wizards drop-down menu. ASDM opens the first VPN Wizard screen.

In Step 1 of the VPN Wizard, perform the following steps:
a. Click the Site-to-Site VPN radio button.

Note The Site-to-Site VPN option connects two IPSec security gateways, which can include adaptive security appliances, VPN concentrators, or other devices that support site-to-site IPSec connectivity.

b. From the VPN tunnel Interface drop-down list, choose Outside as the enabled interface for the current VPN tunnel.
c. Click Next to continue.

Providing Information About the Remote VPN Peer

The VPN peer is the system on the other end of the connection that you are configuring, usually at a remote site.

Note In this scenario, the remote VPN peer is referred to as Security Appliance 2.

In Step 2 of the VPN Wizard, perform the following steps:

Step 1 Enter the remote Peer IP Address (209.165.200.236) and a Tunnel Group Name.

Note For site-to-site connections with pre-shared key authentication such as this scenario, the tunnel group name must be the same as either the IP address of the peer or the peer hostname, whichever is used as the peer identity. In this scenario that is the peer address, 209.165.200.236.

Step 2 Specify the type of authentication that you want to use by selecting one of the following authentication methods:
• To use a static preshared key for authentication, click the Pre-Shared Key radio button and enter a preshared key (for example, "Cisco"). This key is used for IPSec negotiations between the adaptive security appliances, so it must be identical on both peers; use a long, random value in production rather than the short example value.
• To use digital certificates for authentication, click the Certificate radio button, choose the certificate signing algorithm from the Certificate Signing Algorithm drop-down list, and then choose a preconfigured trustpoint name from the Trustpoint Name drop-down list. If you want to use digital certificates for authentication but have not yet configured a trustpoint name, you can continue with the Wizard by using one of the other two options. You can revise the authentication configuration later using the same ASDM screens.
• Click the Challenge/Response Authentication radio button to use that method of authentication.

Step 3 Click Next to continue.

Configuring the IKE Policy

IKE is a negotiation protocol that includes an encryption method to protect data integrity through secure VPN tunnels and ensure privacy; it also provides authentication to ensure the identity of the peers. In most cases, the ASDM default values are sufficient to establish secure VPN tunnels between two peers.

In Step 3 of the VPN Wizard, perform the following steps:

Step 1 Click the Encryption (DES/3DES/AES), authentication algorithms (MD5/SHA), and the Diffie-Hellman group (1/2/5) used by the adaptive security appliance during an IKE security association.

Note When configuring Security Appliance 2, enter the same values for each of the options that you chose for Security Appliance 1. Encryption mismatches are a common cause of VPN tunnel failures and can slow down the process.

Step 2 Click Next to continue.

Configuring IPSec Encryption and Authentication Parameters

In Step 4 of the VPN Wizard, perform the following steps:

Step 1 Choose the encryption algorithm (DES/3DES/AES) from the Encryption drop-down list, and the authentication algorithm (MD5/SHA) from the Authentication drop-down list.

Step 2 Click Next to continue.

Specifying Hosts and Networks

Identify hosts and networks at the local site that are permitted to use this IPSec tunnel to communicate with hosts and networks on the other side of the tunnel. In addition, identify hosts and networks at the remote site to be allowed to use this IPSec tunnel to access local hosts and networks. Add or remove hosts and networks dynamically by clicking Add or Delete respectively.

In this scenario, traffic from Network A (10.10.10.0) is encrypted by Security Appliance 1 and transmitted through the VPN tunnel. In the current scenario, for Security Appliance 1, the remote network is Network B (10.20.20.0), so traffic encrypted from this network is permitted through the tunnel.

In Step 5 of the VPN Wizard, perform the following steps:

Note In this context, protection means that traffic between two hosts is encrypted and authenticated inside the secure VPN tunnel. Information that is being sent from one host to another as plain text, without encryption through an unsecured connection, is considered unprotected data. Tampering may occur when you send unprotected data through unsecured connections.

Step 1 Enter the IP address of local networks to be protected or not protected, or click the ellipsis (...) button to select from a list of hosts and networks.

Step 2 Enter the IP address of remote networks to be protected or not protected, or click the ellipsis (...) button to select from a list of hosts and networks. Specify hosts and networks that are permitted access to the tunnel by clicking Add or Delete.

Note If a remote peer has a dynamic IP address, you can use the hostname as the peer IP address.

Step 3 Click Next to continue.

Viewing VPN Attributes and Completing the Wizard

In Step 6 of the VPN Wizard, review the configuration settings for the VPN tunnel that you just created. If you are satisfied with the configuration settings, click Finish to apply the changes to the adaptive security appliance.

Step 4 If you want to save the configuration changes to the startup configuration so that they are applied the next time the device starts, from the File menu, click Save. Alternatively, ASDM prompts you to save the configuration changes permanently when you exit ASDM. If you do not save the configuration changes, the previous configuration takes effect the next time that the device starts.

This concludes the configuration process for Security Appliance 1.

Configuring the Other Side of the VPN Connection

You have just configured the local adaptive security appliance. Next, you need to configure the adaptive security appliance at the remote site.

At the remote site, configure the second adaptive security appliance to serve as a VPN peer. Use the same procedure that you used to configure the local adaptive security appliance, starting with the “Configuring the Security Appliance at the Local Site” section on page 8-4 and finishing with the “Viewing VPN Attributes and Completing the Wizard” section on page 8-11.

Note When configuring Security Appliance 2, use the same values for each of the options that you selected for Security Appliance 1, with the exception of local hosts and networks, which are reversed: for Security Appliance 2 the local network is Network B and the remote network is Network A. Mismatches are a common cause of VPN configuration failures.

For information about verifying or troubleshooting the configuration for the Site-to-Site VPN, see the section "Troubleshooting the Security Appliance" in the Cisco Security Appliance Command Line Configuration Guide. For specific troubleshooting issues, see the Configuration Examples and TechNotes at the following location: http://www.cisco.com/en/US/products/ps6120/prod_configuration_examples_list.html

For help troubleshooting configuration issues, see the Troubleshooting Technotes at the following location: http://www.cisco.com/en/US/products/ps6120/prod_tech_notes_list.html

In particular, see the technotes for Site to Site VPN (L2L) with ASA in the Troubleshooting Technotes. The troubleshooting technotes walk you through using commands like the following to troubleshoot the Site-to-Site VPN configuration:

• show run isakmp
• show run ipsec
• show run tunnel-group
• show run crypto map
• debug crypto ipsec sa

• debug crypto isakmp sa

See also the Cisco Security Appliance Command Reference for detailed information about each of these commands.

What to Do Next

If you are deploying the adaptive security appliance only in a site-to-site VPN environment, then you have completed the initial configuration. In addition, you may want to consider performing some of the following steps:

To Do This... See...
Refine configuration and configure optional and advanced features: Cisco Security Appliance Command Line Configuration Guide
Learn about daily operations: Cisco Security Appliance Command Reference; Cisco Security Appliance Logging Configuration and System Log Messages

You can configure the adaptive security appliance for more than one application. The following sections provide configuration procedures for other common applications of the adaptive security appliance.

To Do This... See...
Configure the adaptive security appliance to protect a web server in a DMZ: Chapter 6, “Scenario: DMZ Configuration”
Configure a remote-access VPN: Chapter 7, “Scenario: IPSec Remote-Access VPN Configuration”
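The note on configuring the other side of the connection says that mismatches between the two appliances are a common cause of tunnel failures, and the technotes have you compare the isakmp, ipsec, tunnel-group and crypto map sections of each running configuration by hand. The Python script below is an added example, not part of this guide or of any Cisco tool: it parses those same sections from a constructed, trimmed show running-config of each peer in the chapter's scenario and reports the mismatches that most often fail negotiation: crypto map peers and tunnel-groups that do not point at the other side's outside address, no ISAKMP policy in common, transform sets with different algorithms, crypto ACLs that are not mirror images, and overlapping protected networks. The protected networks 10.10.10.0/24 and 10.20.20.0/24 are the chapter's; the outside addresses 209.165.200.225 and 209.165.200.226 and the object names are assumptions. Security Appliance 2's sample deliberately carries two typical administrator errors (MD5 in phase 1, 3DES in phase 2) so that the report has something to show.

```python
import ipaddress
import re

# Constructed sample: trimmed "show running-config" output from the two appliances in
# the chapter's scenario. The outside addresses 209.165.200.225/.226 are assumed.
ASA1_OUTSIDE, ASA2_OUTSIDE = "209.165.200.225", "209.165.200.226"

ASA1_CONFIG = """\
access-list outside_cryptomap_20 extended permit ip 10.10.10.0 255.255.255.0 10.20.20.0 255.255.255.0
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 209.165.200.226
crypto map outside_map 20 set transform-set ESP-AES-128-SHA
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
tunnel-group 209.165.200.226 type ipsec-l2l
"""

# Security Appliance 2 as an administrator might mis-enter it: 3DES instead of AES
# in phase 2 and MD5 instead of SHA in phase 1. The crypto ACL is correctly mirrored.
ASA2_CONFIG = """\
access-list outside_cryptomap_20 extended permit ip 10.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 209.165.200.225
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash md5
 group 2
tunnel-group 209.165.200.225 type ipsec-l2l
"""

IKE_KEYS = ("authentication", "encryption", "hash", "group")  # negotiated in phase 1


def parse_l2l(config):
    """Extract the settings that must agree between two L2L peers.
    Assumes one crypto map entry per appliance, which is all the two-site scenario has."""
    acls = {}
    for name, src, smask, dst, dmask in re.findall(
        r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$", config, re.M
    ):
        acls.setdefault(name, []).append(
            (ipaddress.ip_network(f"{src}/{smask}"), ipaddress.ip_network(f"{dst}/{dmask}"))
        )
    transform_sets = {
        name: frozenset(algs.split())
        for name, algs in re.findall(r"^crypto ipsec transform-set (\S+) (.+)$", config, re.M)
    }
    cmap = dict(re.findall(r"^crypto map \S+ \d+ (match address|set peer|set transform-set) (\S+)$",
                           config, re.M))
    policies = [
        dict(line.split(None, 1) for line in body.splitlines() if len(line.split()) == 2)
        for body in re.findall(r"^crypto isakmp policy \d+\n((?: .+\n)+)", config, re.M)
    ]
    return {
        "acl": acls.get(cmap.get("match address"), []),
        "peer": cmap.get("set peer"),
        "transform": transform_sets.get(cmap.get("set transform-set"), frozenset()),
        "policies": policies,
        "tunnel_groups": set(re.findall(r"^tunnel-group (\S+) type ipsec-l2l$", config, re.M)),
    }


def check_pair(cfg_a, outside_a, cfg_b, outside_b):
    """Return mismatch descriptions for two peers; an empty list means they agree."""
    a, b = parse_l2l(cfg_a), parse_l2l(cfg_b)
    problems = []
    # Each crypto map must point at the other side's outside address, and a tunnel-group
    # named after that address must exist to carry the pre-shared key.
    for side, me, other in (("A", a, outside_b), ("B", b, outside_a)):
        if me["peer"] != other:
            problems.append(f"{side}: crypto map peer {me['peer']} is not the remote address {other}")
        if me["peer"] not in me["tunnel_groups"]:
            problems.append(f"{side}: no ipsec-l2l tunnel-group for peer {me['peer']}")
    # Phase 1: at least one policy pair must agree on every negotiated attribute.
    if not any(all(p.get(k) == q.get(k) for k in IKE_KEYS) for p in a["policies"] for q in b["policies"]):
        problems.append("isakmp: no policy on A matches any policy on B (" + ", ".join(IKE_KEYS) + ")")
    # Phase 2: transform sets are compared by algorithm, since their names are only local labels.
    if a["transform"] != b["transform"]:
        problems.append(f"transform-set: {sorted(a['transform'])} vs {sorted(b['transform'])}")
    # The crypto ACLs must be exact mirror images or the proxy identities will not match.
    if set(a["acl"]) != {(dst, src) for src, dst in b["acl"]}:
        problems.append("crypto ACL: A's entries are not the mirror image of B's")
    # Overlapping protected networks cannot be routed across the tunnel without NAT.
    problems += [f"crypto ACL: {src} overlaps {dst}" for src, dst in a["acl"] if src.overlaps(dst)]
    return problems


if __name__ == "__main__":
    for line in check_pair(ASA1_CONFIG, ASA1_OUTSIDE, ASA2_CONFIG, ASA2_OUTSIDE) or ["peers agree"]:
        print(line)
```

Run against the two constructed configurations it reports exactly the two deliberate errors (no matching ISAKMP policy, transform-set algorithms differ); paste in the real show run isakmp, show run ipsec, show run tunnel-group and show run crypto map output from each appliance to use it on a live pair. Transform sets are compared by algorithm rather than by name on purpose: the wizard names them differently on each side, and only the algorithms are negotiated.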

Chapter 9 Scenario: Easy VPN Hardware Client Configuration

This chapter describes how to configure the ASA 5505 to function as an Easy VPN hardware client. This chapter includes the following sections:

• Using an ASA 5505 as an Easy VPN Hardware Client, page 9-1
• Client Mode and Network Extension Mode, page 9-3
• Configuring the Easy VPN Hardware Client, page 9-5
• What to Do Next, page 9-9

Using an ASA 5505 as an Easy VPN Hardware Client

The ASA 5505 can be used as part of an Easy VPN deployment consisting of multiple devices that make up a Virtual Private Network (VPN). A Cisco Easy VPN hardware client (sometimes called an “Easy VPN remote device”) enables companies with multiple sites to establish secure communications among them and share resources. A Cisco Easy VPN solution consists of an Easy VPN server at the main site and Easy VPN hardware clients at the remote offices. The Cisco ASA 5505 can function as a Cisco Easy VPN hardware client or as a Cisco Easy VPN server (sometimes called a “headend device”), but not both at the same time.

Using an Easy VPN solution simplifies the deployment and management of a VPN in the following ways:

• Hosts at remote sites no longer have to run VPN client software.
• Security policies reside on a central server and are pushed to the remote hardware clients when a VPN connection is established.
• Few configuration parameters need to be set locally, minimizing the need for on-site administration.

Figure 9-1 illustrates how Easy VPN components can be deployed to create a VPN.

Figure 9-1 Easy VPN Components in a Virtual Private Network
[Figure: a Remote LAN behind the ASA 5505 (Easy VPN Hardware Client) connects through an ISP router and the Internet to the Easy VPN Server (ASA 5500 Series Adaptive Security Appliance, Cisco VPN 30xx, or Cisco IOS 12.2(8)T) in front of the Central LAN; the server pushes the remote configuration to the client]

The ASA 5505 cannot function simultaneously as an Easy VPN hardware client and as one end of a standard peer-to-peer VPN deployment. For example, if the ASA 5505 is configured to function as an Easy VPN hardware client, it cannot establish other types of tunnels. However, the ASA 5505 can also be configured to perform basic firewall services, such as protecting devices in a DMZ from unauthorized access.

Client Mode and Network Extension Mode

The Easy VPN hardware client supports one of two modes of operation: Client Mode or Network Extension Mode (NEM). The mode of operation determines whether the hosts behind the Easy VPN hardware client are accessible from the enterprise network over the tunnel.

The Easy VPN hardware client does not have a default mode. When you configure the Easy VPN hardware client using the CLI, you must specify a mode. However, if you do not specify the mode in ASDM, ASDM automatically selects Client Mode.

Client Mode, also called Port Address Translation (PAT) mode, isolates all devices on the Easy VPN client private network from those on the enterprise network. The Easy VPN client performs PAT for all VPN traffic for its inside hosts. IP address management is required neither for the Easy VPN client inside interface nor for the inside hosts. This mode does not require a VPN configuration for each client. The configuration must store the group name, username, and password. When configured in Client Mode, devices on the inside interface of the ASA 5505 cannot be accessed by devices behind the Easy VPN server. The network and addresses on the private side of the Easy VPN client are hidden, and cannot be accessed directly.

NEM makes the inside interface and all inside hosts routable across the enterprise network over the tunnel. Hosts on the inside network obtain their IP addresses from an accessible subnet (statically or with DHCP) that is preconfigured with static IP addresses. PAT does not apply to VPN traffic in NEM. The ASA 5505 configured for NEM supports automatic tunnel initiation. Automatic tunnel initiation is disabled if secure unit authentication is enabled.

Figure 9-2 shows a sample network topology with the ASA 5505 running in Easy VPN Client Mode.

100. hosts on the other side of the VPN connection can communicate directly with hosts on the local network.168. Cisco ASA 5505 Getting Started Guide 9-4 78-17612-02 153802 . When configuring NEM.4 Addresses not visible from central LAN Address not visible from remote LAN Easy VPN Server 192.200.168. the ASA 5505 does not hide the IP addresses of local hosts by substituting a public IP address. Therefore.3 When configured in Easy VPN Network Extension Mode.168.3 Internet ASA 5505 ISP router (Easy VPN Hardware Client) 192.100. the network behind the Easy VPN client should not overlap your the network behind the Easy VPN server Figure 9-3 shows a sample network topology with the ASA 5505 running in Network Extension Mode.Chapter 9 Client Mode and Network Extension Mode Scenario: Easy VPN Hardware Client Configuration Figure 9-2 Topology with ASA 5505 in Client Mode Remote LAN Central LAN 192.

Figure 9-3 Network Topology with ASA 5505 Running in Network Extension Mode
[Figure: Remote LAN hosts 192.168.100.3 and 192.168.100.4 (addresses visible from the central LAN) sit behind the ASA 5505 (Easy VPN Hardware Client), which connects through an ISP router and the Internet to the Easy VPN Server in front of the Central LAN host 192.168.200.3 (address visible from the remote LAN)]

Use the following guidelines when deciding whether to configure the ASA 5505 in Easy VPN Client Mode or Network Extension Mode.

Use Client Mode if:
• You want VPN connections to be initiated when a device behind the Easy VPN hardware client attempts to access a device on the enterprise network.
• You do not want devices behind the Easy VPN hardware client to be accessible by devices on the enterprise network.

Use Network Extension Mode if:
• You want remote devices to be able to access hosts behind the Easy VPN hardware client.
• You want VPN connections to be established automatically and to remain open even when not required for transmitting traffic.

Configuring the Easy VPN Hardware Client

The Easy VPN server controls the security policies enforced on the ASA 5505 Easy VPN hardware client. However, to establish the initial connection to the Easy VPN server, you must complete some configuration locally.

You can perform this configuration procedure by using ASDM or by using the command-line interface. This section describes how to perform the configuration using ASDM.

To configure the ASA 5505 as an Easy VPN hardware client, perform the following steps:

Step 1 At a PC that has access to the inside interface of the ASA 5505, start ASDM.
a. Start a web browser.
b. In the address field of the browser, enter the factory default IP address: https://192.168.1.1/.
Note Remember to add the “s” in “https” or the connection fails. HTTPS (HTTP over SSL) provides a secure connection between your browser and the adaptive security appliance.
c. In the window that requires you to choose the method you want to use to run the ASDM software, choose either to download the ASDM Launcher or to run the ASDM software as a Java applet.

Step 2 In the ASDM window, click the Configuration tool.

Step 3 Click the VPN tool. The Easy VPN Remote configuration pane appears.

If you check the Enable Easy VPN Remote check box, Easy VPN is enabled on the device when you click Apply. If you uncheck it, when you apply the configuration changes, you are prompted to specify whether you want to clear the entire Easy VPN configuration or just disable the Easy VPN client temporarily.

Step 4 Check the Enable Easy VPN Remote check box.

Step 5 To specify which mode the Easy VPN remote hardware client should run in, click the Client Mode or Network Extension Mode radio button.

Step 6 In the Group Settings area, specify the type of authentication the VPN devices should use.
• To specify that the VPN devices should use a text password for authentication, click the Group Password radio button and enter a Group Name and Group Password.

Step 7 In the User Settings area, specify the User Name and User Password to be used by the ASA 5505 when establishing a VPN connection.

Step 8 Specify one or more Easy VPN servers from which this device obtains VPN security policies. The first server on the list is used as the primary server. Other servers on the list provide redundancy. You can specify up to nine backup servers, for a total of ten servers. If you are using a Cisco VPN 3000 series concentrator as the headend device, the concentrator can be configured to balance the load across all servers in the list.
a. In the Easy VPN Server To Be Added area, enter the hostname or IP address of an Easy VPN server.
b. Click Add or Remove to add or remove servers from the Easy VPN servers list.

Step 9 Click Apply to push the configuration to the adaptive security appliance. To save the configuration, click the Save button on the top toolbar.

Configuring Advanced Easy VPN Attributes

You might need to perform some advanced configuration tasks if your network meets any of the following conditions:

• Your network includes devices that are incapable of performing authentication, and therefore are incapable of participating in individual unit authentication. Such devices include Cisco IP Phones, printers, and the like. To accommodate these devices, you can enable the device pass-through feature.
• Your ASA 5505 is operating behind a NAT device. In this case, you must use tunneled management attributes to specify whether device management should occur in the clear or through the tunnel, and the network or networks allowed to manage the Easy VPN connection through the tunnel.

Note The public address of the ASA 5505 is not accessible when behind the NAT device unless you add static NAT mappings on the NAT device.

To configure these attributes, click Advanced in the Easy VPN Remote configuration pane. See the online help for specific information about configuration settings.

What to Do Next

If you are deploying the adaptive security appliance only as an Easy VPN hardware client, you have completed the initial configuration. You may want to consider performing some of the following additional steps:

To Do This... See...
Configure the ASA 5505 to protect a DMZ web server: Chapter 6, “Scenario: DMZ Configuration”
Refine configuration and configure optional and advanced features: Cisco Security Appliance Command Line Configuration Guide
Learn about daily operations: Cisco Security Appliance Command Reference; Cisco Security Appliance Logging Configuration and System Log Messages
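The procedure in this chapter is the ASDM path; the chapter notes that the same configuration can be entered at the command line. The Python function below is an added example, not from this guide or from Cisco: it assembles the vpnclient commands that I understand to be the 7.2 CLI equivalents of Steps 4 through 9 and of the tunneled-management attribute (this syntax is an assumption; verify it against the Cisco Security Appliance Command Reference before use), and it enforces the constraints the chapter states before emitting anything: a mode must be given because the CLI has no default, at most ten servers (one primary plus nine backups), and in Network Extension Mode the remote network must not overlap the central network. The networks 192.168.100.0/24 and 192.168.200.0/24 come from Figures 9-2 and 9-3; the server addresses, group name and credentials are invented placeholders.

```python
import ipaddress

MAX_SERVERS = 10  # one primary plus up to nine backups, as the chapter states
MODES = ("client-mode", "network-extension-mode")  # the CLI has no default mode


def easy_vpn_remote_config(mode, group, group_password, username, user_password, servers,
                           client_network=None, server_network=None, management_networks=()):
    """Return the vpnclient CLI lines for an ASA 5505 Easy VPN hardware client.

    The command syntax is my understanding of the 7.2 CLI (an assumption; check the
    Command Reference). ValueError is raised for the constraints the chapter states.
    """
    if mode not in MODES:
        raise ValueError(f"mode must be one of {MODES}; the CLI does not choose one for you")
    if not 1 <= len(servers) <= MAX_SERVERS:
        raise ValueError(f"need 1 to {MAX_SERVERS} servers (one primary plus nine backups)")
    if mode == "network-extension-mode":
        # NEM exposes the inside hosts with their real addresses, so the two LANs must not collide.
        if client_network is None or server_network is None:
            raise ValueError("NEM: supply client_network and server_network for the overlap check")
        remote, central = ipaddress.ip_network(client_network), ipaddress.ip_network(server_network)
        if remote.overlaps(central):
            raise ValueError(f"NEM: remote LAN {remote} overlaps central LAN {central}")
    lines = [
        f"vpnclient server {' '.join(servers)}",  # first entry is primary, the rest are backups (Step 8)
        f"vpnclient mode {mode}",  # Step 5
        f"vpnclient vpngroup {group} password {group_password}",  # Step 6, group password authentication
        f"vpnclient username {username} password {user_password}",  # Step 7, user settings
    ]
    # Behind a NAT device the chapter requires tunneled management attributes naming the
    # networks allowed to manage the ASA 5505 through the tunnel.
    for net in management_networks:
        n = ipaddress.ip_network(net)
        lines.append(f"vpnclient management tunnel {n.network_address} {n.netmask}")
    lines.append("vpnclient enable")  # Step 4 / Step 9
    return lines


if __name__ == "__main__":
    # Invented placeholders: servers, group name and credentials. Networks are from Figures 9-2/9-3.
    print("\n".join(easy_vpn_remote_config(
        "network-extension-mode", "branch-group", "group-secret", "branch-asa", "user-secret",
        ["209.165.200.226", "209.165.200.227"],
        client_network="192.168.100.0/24", server_network="192.168.200.0/24",
        management_networks=["192.168.200.0/24"])))
```

In Client Mode the two networks are not needed, because PAT hides the remote LAN and an overlap cannot break routing; in NEM the function refuses to emit a configuration whose two LANs overlap, which is the failure the chapter warns about and the one that is hardest to diagnose after the tunnel comes up.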


Appendix A Obtaining a 3DES/AES License

The Cisco ASA 5505 adaptive security appliance comes with a DES license that provides encryption. You can obtain a 3DES/AES license that provides encryption technology to enable specific features, such as secure remote management (SSH, ASDM, and so on), site-to-site VPN, and remote access VPN. You need an encryption license key to enable this license.

If you are a registered user of Cisco.com and would like to obtain a 3DES/AES encryption license, go to the following website: http://www.cisco.com/go/license

If you are not a registered user of Cisco.com, go to the following website: https://tools.cisco.com/SWIFT/Licensing/RegistrationServlet

Provide your name, e-mail address, and the serial number for the adaptive security appliance as it appears in the show version command output.

Note You will receive the new activation key for your adaptive security appliance within two hours of requesting the license upgrade.

For more information on activation key examples or upgrading software, see the Cisco Security Appliance Command Line Configuration Guide.

To use the activation key, perform the following steps:

Step 1 hostname# show version
Shows the software release, hardware configuration, license key, and related uptime data.

Step 2 hostname# configure terminal
Enters global configuration mode.

Step 3 hostname(config)# activation-key activation-5-tuple-key
Updates the encryption activation key by replacing the activation-5-tuple-key variable with the activation key obtained with your new license. The activation-5-tuple-key variable is a five-element hexadecimal string with one space between each element. The “0x” is optional; all values are assumed to be hexadecimal. An example of the element format is 0xe02888da 0x4ba7bed6 0xf1c123ae 0xffd8624e (note that this example shows only four elements; enter all five elements of the key exactly as Cisco supplied them).

Step 4 hostname(config)# exit
Exits global configuration mode.

Step 5 hostname# copy running-config startup-config
Saves the configuration.

Step 6 hostname# reload
Reboots the adaptive security appliance and reloads the configuration.