Home » Cisco Manuals » Networking » Cisco 5510 » Manual Viewer

Cisco 5510 Getting Started Guide - Page 179

class, global, interface, nameif, Step 3

UPC - 882658094767

Add to My Manuals
Save this manual to your list of manuals

Page 179 highlights

Chapter 13 Configuring the AIP SSM Configuring the AIP SSM Step 5 where the class_map_name2 argument is the name of a separate class map on which you want to perform IPS inspection. See Step 3 for information about the command options. Traffic cannot match more than one class map for the same action type; so if you want network A to go to sensorA, but want all other traffic to go to sensorB, then you need to enter the class command for network A before you enter the class command for all traffic; otherwise all traffic (including network A) will match the first class command, and will be sent to sensorB. To activate the policy map on one or more interfaces, enter the following command: hostname(config-pmap-c)# service-policy policy_map_name [global | interface interface_ID] hostname where policy_map_name is the policy map you configured in Step 2. To apply the policy map to traffic on all the interfaces, use the global keyword. To apply the policy map to traffic on a specific interface, use the interface interface_ID option, where interface_ID is the name assigned to the interface with the nameif command. Only one global policy is allowed. You can override the global policy on an interface by applying a service policy to that interface. You can only apply one policy map to each interface. 78-19186-01 The following example diverts all IP traffic to the AIP SSM in promiscuous mode, and blocks all IP traffic if the AIP SSM card fails for any reason: hostname(config)# access-list IPS permit ip any any hostname(config)# class-map my-ips-class hostname(config-cmap)# match access-list IPS hostname(config-cmap)# policy-map my-ips-policy hostname(config-pmap)# class my-ips-class hostname(config-pmap-c)# ips promiscuous fail-close hostname(config-pmap-c)# service-policy my-ips-policy global The following example diverts all IP traffic destined for the 10.1.1.0 network and the 10.2.1.0 network to the AIP SSM in inline mode, and allows all traffic through if the AIP SSM card fails for any reason. For the my-ips-class traffic, sensor1 is used; for the my-ips-class2 traffic, sensor2 is used. hostname(config)# access-list my-ips-acl permit ip any 10.1.1.0 255.255.255.0 Cisco ASA 5500 Series Getting Started Guide 13-13

Section	Page
Contents	3
Before You Begin	11
ASA 5500	11
ASA 5500 with AIP SSM	12
ASA 5500 with CSC SSM	13
ASA 5500 with 4GE SSM	14
ASA 5550	15
Related Documents	15
Maximizing Throughput on the ASA 5550	17
Embedded Network Interfaces	17
Balancing Traffic to Maximize Throughput	18
What to Do Next	21
Installing the ASA 5550	23
Verifying the Package Contents	24
Installing the Chassis	25
Rack-Mounting the Chassis	26
Installing SFP Modules	28
SFP Module	28
Installing an SFP Module	30
Ports and LEDs	31
Front Panel LEDs	31
Rear Panel LEDs and Ports in Slot 0	32
Ports and LEDs in Slot 1	34
Connecting Interface Cables	35
What to Do Next	41
Installing the ASA 5500, ASA 5510, ASA 5520, and ASA 5540	43
Verifying the Package Contents	44
Installing the Chassis	45
Rack-Mounting the Chassis	46
Ports and LEDs	49
What to Do Next	52
Installing Optional SSMs	53
Cisco 4GE SSM	53
4GE SSM Components	54
Installing the Cisco 4GE SSM	55
Installing the SFP Modules	56
SFP Module	57
Installing the SFP Module	58
Cisco AIP SSM and CSC SSM	60
Installing an SSM	61
What to Do Next	62
Connecting Interface Cables on the ASA 5500, ASA 5510, ASA 5520, and ASA 5540 Platforms	63
Connecting Interface Cables	64
Connecting to SSMs	66
Connecting to a 4GE SSM	68
Powering On the Adaptive Security Appliance	71
What to Do Next	71
Configuring the Adaptive Security Appliance	73
About the Factory Default Configuration	73
Using the CLI for Configuration	74
Using the Adaptive Security Device Manager for Configuration	75
Preparing to Use ASDM	76
Gathering Configuration Information for Initial Setup	76
Installing the ASDM Launcher	77
Starting ASDM with a Web Browser	80
Running the ASDM Startup Wizard	80
What to Do Next	81
Scenario: DMZ Configuration	83
Example DMZ Network Topology	83
An Inside User Visits a Web Server on the Internet	85
An Internet User Visits the DMZ Web Server	86
An Inside User Visits the DMZ Web Server	88
Configuring the Adaptive Security Appliance for a DMZ Deployment	90
Configuration Requirements	91
Information to Have Available	92
Enabling Inside Clients to Communicate with Devices on the Internet	92
Enabling Inside Clients to Communicate with the DMZ Web Server	92
Translating Internal Client IP Addresses Between the Inside and DMZ Interfaces	93
Translating the Public Address of the Web Server to its Real Address on the Inside Interface	96
Configuring Static PAT for Public Access to the DMZ Web Server (Port Forwarding)	99
Providing Public HTTP Access to the DMZ Web Server	102
What to Do Next	105
Scenario: IPsec Remote-Access VPN Configuration	107
Example IPsec Remote-Access VPN Network Topology	107
Implementing the IPsec Remote-Access VPN Scenario	108
Information to Have Available	109
Configuring an IPsec Remote-Access VPN	109
Selecting VPN Client Types	111
Specifying the VPN Tunnel Group Name and Authentication Method	112
Specifying a User Authentication Method	113
(Optional) Configuring User Accounts	115
Configuring Address Pools	116
Configuring Client Attributes	117
Configuring the IKE Policy	118
Specifying Address Translation Exception and Split Tunneling	120
Verifying the Remote-Access VPN Configuration	122
What to Do Next	123
Scenario: Configuring Connections for a Cisco AnyConnect VPN Client	125
About SSL VPN Client Connections	125
Obtaining the Cisco AnyConnect VPN Client Software	126
Example Topology Using AnyConnect SSL VPN Clients	127
Implementing the Cisco SSL VPN Scenario	127
Information to Have Available	128
Configuring the Adaptive Security Appliance for the Cisco AnyConnect VPN Client	129
Specifying the SSL VPN Interface	130
Specifying a User Authentication Method	131
Specifying a Group Policy	132
Configuring the Cisco AnyConnect VPN Client	133
Verifying the Remote-Access VPN Configuration	135
What to Do Next	136
Scenario: SSL VPN Clientless Connections	137
About Clientless SSL VPN	137
Security Considerations for Clientless SSL VPN Connections	138
Example Network with Browser-Based SSL VPN Access	139
Implementing the Clientless SSL VPN Scenario	140
Information to Have Available	141
Configuring the Adaptive Security Appliance for Browser-Based SSL VPN Connections	142
Specifying the SSL VPN Interface	143
Specifying a User Authentication Method	144
Specifying a Group Policy	146
Creating a Bookmark List for Remote Users	147
Verifying the Configuration	151
What to Do Next	152
Scenario: Site-to-Site VPN Configuration	153
Example Site-to-Site VPN Network Topology	153
Implementing the Site-to-Site Scenario	154
Information to Have Available	155
Configuring the Site-to-Site VPN	155
Configuring the Security Appliance at the Local Site	155
Providing Information About the Remote VPN Peer	157
Configuring the IKE Policy	158
Configuring IPsec Encryption and Authentication Parameters	160
Specifying Hosts and Networks	161
Viewing VPN Attributes and Completing the Wizard	162
Configuring the Other Side of the VPN Connection	164
What to Do Next	165
Configuring the AIP SSM	167
Understanding the AIP SSM	168
How the AIP SSM Works with the Adaptive Security Appliance	168
Operating Modes	169
Using Virtual Sensors	170
Configuring the AIP SSM	172
AIP SSM Procedure Overview	172
Sessioning to the AIP SSM	172
Configuring the Security Policy on the AIP SSM	174
Assigning Virtual Sensors to Security Contexts	175
Diverting Traffic to the AIP SSM	177
What to Do Next	180
Configuring the CSC SSM	183
About the CSC SSM	183
About Deploying the Adaptive Security Appliance with the CSC SSM	184
Scenario: Security Appliance with CSC SSM Deployed for Content Security	186
Configuration Requirements	187
Configuring the CSC SSM for Content Security	188
Obtain Software Activation Key from Cisco.com	188
Gather Information	189
Verify Time Settings	189
Run the CSC Setup Wizard	190
What to Do Next	199
Configuring the 4GE SSM for Fiber	201
Cabling 4GE SSM Interfaces	202
Setting the 4GE SSM Media Type for Fiber Interfaces (Optional)	203
What to Do Next	205

Match case Limit results 1 per page

13-13

Cisco ASA 5500 Series Getting Started Guide

78-19186-01

Chapter 13

Configuring the AIP SSM

where the

class_map_name2

argument is the name of a separate class map on

which you want to perform IPS inspection. See

Step 3

for information about the

command options.

Traffic cannot match more than one class map for the same action type; so if you

want network A to go to sensorA, but want all other traffic to go to sensorB, then

you need to enter the

class

command for network A before you enter the

class

command for all traffic; otherwise all traffic (including network A) will match the

first

class

command, and will be sent to sensorB.

Step 5

To activate the policy map on one or more interfaces, enter the following

command:

hostname(config-pmap-c)#

service-policy

policy_map_name

[

global

interface

interface_ID

]

hostname

where

policy_map_name

is the policy map you configured in

Step 2

. To apply the

policy map to traffic on all the interfaces, use the

global

keyword. To apply the

policy map to traffic on a specific interface, use the

interface

interface_ID

option,

where

interface_ID

is the name assigned to the interface with the

nameif

command.

Only one global policy is allowed. You can override the global policy on an

interface by applying a service policy to that interface. You can only apply one

policy map to each interface.

The following example diverts all IP traffic to the AIP SSM in promiscuous mode,

and blocks all IP traffic if the AIP SSM card fails for any reason:

hostname(config)#

access-list IPS permit ip any any

hostname(config)#

class-map my-ips-class

hostname(config-cmap)#

match access-list IPS

hostname(config-cmap)#

policy-map my-ips-policy

hostname(config-pmap)#

class my-ips-class

hostname(config-pmap-c)#

ips promiscuous fail-close

hostname(config-pmap-c)#

service-policy my-ips-policy global

The following example diverts all IP traffic destined for the 10.1.1.0 network and

the 10.2.1.0 network to the AIP SSM in inline mode, and allows all traffic through

if the AIP SSM card fails for any reason. For the my-ips-class traffic, sensor1 is

used; for the my-ips-class2 traffic, sensor2 is used.

hostname(config)#

access-list my-ips-acl permit ip any 10.1.1.0

255.255.255.0