Home » Cisco Manuals » Networking » Cisco 5510 » Manual Viewer

Cisco 5510 Getting Started Guide - Page 178

inline, promiscuous, fail-close, fail-open, sensor, show ips, AIP SSM. See

UPC - 882658094767

Add to My Manuals
Save this manual to your list of manuals

Page 178 highlights

Configuring the AIP SSM Chapter 13 Configuring the AIP SSM Step 2 Step 3 Step 4 To add or edit a policy map that sets the action to divert traffic to the AIP SSM, enter the following commands: hostname(config)# policy-map name hostname(config-pmap)# class class_map_name hostname(config-pmap-c)# where the class_map_name is the class map from Step 1. For example: hostname(config)# policy-map IPS hostname(config-pmap)# class IPS To divert the traffic to the AIP SSM, enter the following command: hostname(config-pmap-c)# ips {inline | promiscuous} {fail-close | fail-open} [sensor {sensor_name | mapped_name}] where the inline and promiscuous keywords control the operating mode of the AIP SSM. See the "Operating Modes" section on page 13-3 for more details. The fail-close keyword sets the adaptive security appliance to block all traffic if the AIP SSM is unavailable. The fail-open keyword sets the adaptive security appliance to allow all traffic through, uninspected, if the AIP SSM is unavailable. If you use virtual sensors on the AIP SSM, you can specify a sensor name using the sensor sensor_name argument. To see available sensor names, enter the ips ... sensor ? command. Available sensors are listed. You can also use the show ips command. If you use multiple context mode on the adaptive security appliance, you can only specify sensors that you assigned to the context (see the "Assigning Virtual Sensors to Security Contexts" section on page 13-9). Use the mapped_name if configured in the context. If you do not specify a sensor name, then the traffic uses the default sensor. In multiple context mode, you can specify a default sensor for the context. In single mode or if you do not specify a default sensor in multiple mode, the traffic uses the default sensor that is set on the AIP SSM. If you enter a name that does not yet exist on the AIP SSM, you get an error, and the command is rejected. (Optional) To divert another class of traffic to the AIP SSM, and set the IPS policy, enter the following commands: hostname(config-pmap-c)# class class_map_name2 hostname(config-pmap-c)# ips {inline | promiscuous} {fail-close | fail-open} [sensor sensor_name] 13-12 Cisco ASA 5500 Series Getting Started Guide 78-19186-01

Section	Page
Contents	3
Before You Begin	11
ASA 5500	11
ASA 5500 with AIP SSM	12
ASA 5500 with CSC SSM	13
ASA 5500 with 4GE SSM	14
ASA 5550	15
Related Documents	15
Maximizing Throughput on the ASA 5550	17
Embedded Network Interfaces	17
Balancing Traffic to Maximize Throughput	18
What to Do Next	21
Installing the ASA 5550	23
Verifying the Package Contents	24
Installing the Chassis	25
Rack-Mounting the Chassis	26
Installing SFP Modules	28
SFP Module	28
Installing an SFP Module	30
Ports and LEDs	31
Front Panel LEDs	31
Rear Panel LEDs and Ports in Slot 0	32
Ports and LEDs in Slot 1	34
Connecting Interface Cables	35
What to Do Next	41
Installing the ASA 5500, ASA 5510, ASA 5520, and ASA 5540	43
Verifying the Package Contents	44
Installing the Chassis	45
Rack-Mounting the Chassis	46
Ports and LEDs	49
What to Do Next	52
Installing Optional SSMs	53
Cisco 4GE SSM	53
4GE SSM Components	54
Installing the Cisco 4GE SSM	55
Installing the SFP Modules	56
SFP Module	57
Installing the SFP Module	58
Cisco AIP SSM and CSC SSM	60
Installing an SSM	61
What to Do Next	62
Connecting Interface Cables on the ASA 5500, ASA 5510, ASA 5520, and ASA 5540 Platforms	63
Connecting Interface Cables	64
Connecting to SSMs	66
Connecting to a 4GE SSM	68
Powering On the Adaptive Security Appliance	71
What to Do Next	71
Configuring the Adaptive Security Appliance	73
About the Factory Default Configuration	73
Using the CLI for Configuration	74
Using the Adaptive Security Device Manager for Configuration	75
Preparing to Use ASDM	76
Gathering Configuration Information for Initial Setup	76
Installing the ASDM Launcher	77
Starting ASDM with a Web Browser	80
Running the ASDM Startup Wizard	80
What to Do Next	81
Scenario: DMZ Configuration	83
Example DMZ Network Topology	83
An Inside User Visits a Web Server on the Internet	85
An Internet User Visits the DMZ Web Server	86
An Inside User Visits the DMZ Web Server	88
Configuring the Adaptive Security Appliance for a DMZ Deployment	90
Configuration Requirements	91
Information to Have Available	92
Enabling Inside Clients to Communicate with Devices on the Internet	92
Enabling Inside Clients to Communicate with the DMZ Web Server	92
Translating Internal Client IP Addresses Between the Inside and DMZ Interfaces	93
Translating the Public Address of the Web Server to its Real Address on the Inside Interface	96
Configuring Static PAT for Public Access to the DMZ Web Server (Port Forwarding)	99
Providing Public HTTP Access to the DMZ Web Server	102
What to Do Next	105
Scenario: IPsec Remote-Access VPN Configuration	107
Example IPsec Remote-Access VPN Network Topology	107
Implementing the IPsec Remote-Access VPN Scenario	108
Information to Have Available	109
Configuring an IPsec Remote-Access VPN	109
Selecting VPN Client Types	111
Specifying the VPN Tunnel Group Name and Authentication Method	112
Specifying a User Authentication Method	113
(Optional) Configuring User Accounts	115
Configuring Address Pools	116
Configuring Client Attributes	117
Configuring the IKE Policy	118
Specifying Address Translation Exception and Split Tunneling	120
Verifying the Remote-Access VPN Configuration	122
What to Do Next	123
Scenario: Configuring Connections for a Cisco AnyConnect VPN Client	125
About SSL VPN Client Connections	125
Obtaining the Cisco AnyConnect VPN Client Software	126
Example Topology Using AnyConnect SSL VPN Clients	127
Implementing the Cisco SSL VPN Scenario	127
Information to Have Available	128
Configuring the Adaptive Security Appliance for the Cisco AnyConnect VPN Client	129
Specifying the SSL VPN Interface	130
Specifying a User Authentication Method	131
Specifying a Group Policy	132
Configuring the Cisco AnyConnect VPN Client	133
Verifying the Remote-Access VPN Configuration	135
What to Do Next	136
Scenario: SSL VPN Clientless Connections	137
About Clientless SSL VPN	137
Security Considerations for Clientless SSL VPN Connections	138
Example Network with Browser-Based SSL VPN Access	139
Implementing the Clientless SSL VPN Scenario	140
Information to Have Available	141
Configuring the Adaptive Security Appliance for Browser-Based SSL VPN Connections	142
Specifying the SSL VPN Interface	143
Specifying a User Authentication Method	144
Specifying a Group Policy	146
Creating a Bookmark List for Remote Users	147
Verifying the Configuration	151
What to Do Next	152
Scenario: Site-to-Site VPN Configuration	153
Example Site-to-Site VPN Network Topology	153
Implementing the Site-to-Site Scenario	154
Information to Have Available	155
Configuring the Site-to-Site VPN	155
Configuring the Security Appliance at the Local Site	155
Providing Information About the Remote VPN Peer	157
Configuring the IKE Policy	158
Configuring IPsec Encryption and Authentication Parameters	160
Specifying Hosts and Networks	161
Viewing VPN Attributes and Completing the Wizard	162
Configuring the Other Side of the VPN Connection	164
What to Do Next	165
Configuring the AIP SSM	167
Understanding the AIP SSM	168
How the AIP SSM Works with the Adaptive Security Appliance	168
Operating Modes	169
Using Virtual Sensors	170
Configuring the AIP SSM	172
AIP SSM Procedure Overview	172
Sessioning to the AIP SSM	172
Configuring the Security Policy on the AIP SSM	174
Assigning Virtual Sensors to Security Contexts	175
Diverting Traffic to the AIP SSM	177
What to Do Next	180
Configuring the CSC SSM	183
About the CSC SSM	183
About Deploying the Adaptive Security Appliance with the CSC SSM	184
Scenario: Security Appliance with CSC SSM Deployed for Content Security	186
Configuration Requirements	187
Configuring the CSC SSM for Content Security	188
Obtain Software Activation Key from Cisco.com	188
Gather Information	189
Verify Time Settings	189
Run the CSC Setup Wizard	190
What to Do Next	199
Configuring the 4GE SSM for Fiber	201
Cabling 4GE SSM Interfaces	202
Setting the 4GE SSM Media Type for Fiber Interfaces (Optional)	203
What to Do Next	205

Match case Limit results 1 per page

Chapter 13

Configuring the AIP SSM

13-12

Cisco ASA 5500 Series Getting Started Guide

78-19186-01

Step 2

To add or edit a policy map that sets the action to divert traffic to the AIP SSM,

enter the following commands:

hostname(config)#

policy-map

name

hostname(config-pmap)#

class

class_map_name

hostname(config-pmap-c)#

where the

class_map_name

is the class map from

Step 1

For example:

hostname(config)#

policy-map IPS

hostname(config-pmap)#

class IPS

Step 3

To divert the traffic to the AIP SSM, enter the following command:

hostname(config-pmap-c)#

ips

{

inline

promiscuous

} {

fail-close

fail-open

} [

sensor

{

sensor_name

mapped_name

}]

where the

inline

and

promiscuous

keywords control the operating mode of the

AIP SSM. See the

“Operating Modes” section on page 13-3

for more details.

The

fail-close

keyword sets the adaptive security appliance to block all traffic if

the AIP SSM is unavailable.

The

fail-open

keyword sets the adaptive security appliance to allow all traffic

through, uninspected, if the AIP SSM is unavailable.

If you use virtual sensors on the AIP SSM, you can specify a sensor name using

the

sensor

sensor_name

argument. To see available sensor names, enter the

ips ...

sensor ?

command. Available sensors are listed. You can also use the

show ips

command. If you use multiple context mode on the adaptive security appliance,

you can only specify sensors that you assigned to the context (see the

“Assigning

Virtual Sensors to Security Contexts” section on page 13-9

). Use the

mapped_name

if configured in the context. If you do not specify a sensor name,

then the traffic uses the default sensor. In multiple context mode, you can specify

a default sensor for the context. In single mode or if you do not specify a default

sensor in multiple mode, the traffic uses the default sensor that is set on the AIP

SSM. If you enter a name that does not yet exist on the AIP SSM, you get an error,

and the command is rejected.

Step 4

(Optional) To divert another class of traffic to the AIP SSM, and set the IPS policy,

enter the following commands:

hostname(config-pmap-c)#

class

class_map_name2

hostname(config-pmap-c)#

ips

{

inline

promiscuous

} {

fail-close

fail-open

} [

sensor

sensor_name

]