Cisco ASA 5505 Getting Started Manual


Adaptive security appliance

Cisco ASA 5505
Getting Started Guide
Software Version 8.0
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000, 800 553-NETS (6387)
Fax: 408 527-0883
Customer Order Number: DOC-78-18003=
Text Part Number: 78-18003-02


Summary of Contents for Cisco ASA 5505

  • Page 2 DAMAGES. CCVP, the Cisco Logo, and the Cisco Square Bridge logo are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn is a service mark of Cisco Systems, Inc.; and Access Registrar, Aironet, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, Cisco,...
  • Page 3: Table Of Contents

    Planning a VLAN Configuration: Understanding VLANs on the ASA 5505; About Physical Ports on the ASA 5505; About VLANs; Maximum Number and Types of VLANs; Deployment Scenarios Using VLANs; Basic Deployment Using Two VLANs...
  • Page 4 Verifying the Package Contents; PoE Ports and Devices; Installing the Chassis; Connecting to Network Interfaces; Powering on the ASA 5505; Setting Up a PC for System Administration; Optional Procedures; Connecting to the Console; Installing a Cable Lock...
  • Page 5 Example IPsec Remote-Access VPN Network Topology; Implementing the IPsec Remote-Access VPN Scenario; Information to Have Available; Starting ASDM; Configuring the ASA 5505 for an IPsec Remote-Access VPN; Selecting VPN Client Types; Specifying the VPN Tunnel Group Name and Authentication Method; Specifying a User Authentication Method...
  • Page 6 Example Topology Using AnyConnect SSL VPN Clients; Implementing the Cisco SSL VPN Scenario; Information to Have Available; Starting ASDM; Configuring the ASA 5505 for the Cisco AnyConnect VPN Client; Specifying the SSL VPN Interface; Specifying a User Authentication Method; Specifying a Group Policy...
  • Page 7 What to Do Next; Scenario: Easy VPN Hardware Client Configuration; Using an ASA 5505 as an Easy VPN Hardware Client; Client Mode and Network Extension Mode; Configuring the Easy VPN Hardware Client...
  • Page 8 Configuring Advanced Easy VPN Attributes; What to Do Next; Appendix: Obtaining a 3DES/AES License...
  • Page 9: Chapter 1 Before You Begin

    Before You Begin. Use the following table to find the installation and configuration steps that are required for your implementation of the Cisco ASA 5505 Adaptive Security Appliance. To Do This... See... Learn about typical deployments of the Chapter 2, “Deployment Planning”...
  • Page 10 To Do This... (continued) See... Refine the configuration: Cisco Security Appliance Command Line Configuration Guide. Configure optional and advanced features: Cisco Security Appliance Command Reference; Cisco Security Appliance Logging Configuration and System Log Messages...
  • Page 11 Deployment Planning. This document is based on several example scenarios that represent typical customer deployments of the ASA 5505. The deployment scenarios in this chapter correspond to subsequent configuration chapters. This chapter includes the following sections: • Scenarios for Deployment Planning and Configuration, page 2-2...
  • Page 12: Scenarios For Deployment Planning And Configuration

    Figure 2-1 illustrates an extended network that includes most of the deployment and configuration scenarios included in this document...
  • Page 13 [Figure labels: Scenario 1: Basic Installation; Scenario 2: Basic Installation with DMZ; Scenario 3: IPSec VPN Connection; Scenario 6: Site-to-site VPN Connection; Adaptive Security Appliance; Web Server; Email Server]...
  • Page 14: Scenario 1: Private Network With External Connectivity

    PIX 501 security appliances in which devices behind the firewall can communicate internally and externally, you can keep the same deployment and replace the PIX 501 devices with ASA 5505 devices...
  • Page 15: Scenario 2: Basic Installation With Dmz

    Internet. [Figure 2-3: Private Network with DMZ. Labels: Outside Network (Internet Connection), Internet Router, Adaptive Security Appliance, Web Server, Printer, Personal computers, Email Server, Private (Inside) Network]...
  • Page 16: Scenario 3: Ipsec Remote-Access Vpn

    [Figure labels: Adaptive Security Appliance, Personal computers running Cisco VPN Client software, Personal computer] For information about how to configure an IPsec remote-access VPN deployment, see Chapter 7, “Scenario: IPsec Remote-Access VPN Configuration.”...
  • Page 17: Scenario 4: Ssl Vpn

    Scenario 4: SSL VPN. The adaptive security appliance supports two types of SSL VPN connections, including: • Remote clients running the Cisco SSL VPN AnyConnect Client software. • Clientless SSL VPN connections, that is, SSL VPN connections established...
  • Page 18: Scenario 6: Easy Vpn Hardware Client

    “Scenario: Site-to-Site VPN Configuration.” Scenario 6: Easy VPN Hardware Client In this scenario, an ASA 5505 is deployed as a hardware client (sometimes called a remote device). Deploying one or more VPN hardware clients in conjunction with a VPN headend device enables companies with multiple sites to establish secure communications among them and share network resources.
  • Page 19 [Figure labels: ASA 5500 series, Cisco IOS router with IPSec support, Central LAN] For information about how to configure the ASA 5505 as a VPN hardware client, see Chapter 11, “Scenario: Easy VPN Hardware Client Configuration.”...
  • Page 20: Where To Find Configuration Procedures

    Where to Find Configuration Procedures. Each deployment scenario in this chapter has a corresponding configuration chapter in this document that describes how to configure the ASA 5505 for that type of deployment. To Configure the ASA 5505 For This Scenario..
  • Page 21: Chapter 3 Planning A Vlan Configuration

    Understanding VLANs on the ASA 5505. After you have made a decision about how to deploy the ASA 5505 in your network, you must decide how many VLANs you need to support that deployment and how many ports to allocate to each VLAN.
  • Page 22: About Physical Ports On The Asa 5505

    VLAN connecting devices that you do not want to be able to communicate with each other. Before you can enable a switch port on the ASA 5505, it must be assigned to a VLAN. With the Base platform, each switch port can be assigned to only one VLAN at a time.
  • Page 23: Maximum Number And Types Of Vlans

    Your license determines how many active VLANs you can have on the ASA 5505. Although the ASA 5505 comes preconfigured with two VLANs, you can create as many as three VLANs, depending on your license. For example, you could create VLANs for the Inside, Outside, and DMZ network segments.
  • Page 24: Deployment Scenarios Using Vlans

    One active VLAN as a backup link to your ISP. The backup interface does not send or receive traffic unless the route through the primary interface fails. Note: The ASA 5505 adaptive security appliance supports active and standby failover, but not Stateful Failover. Deployment Scenarios Using VLANs: The number of VLANs you need depends on the complexity of the network into which you are installing the adaptive security appliance.
  • Page 25: Basic Deployment Using Two Vlans

    In this scenario, the Outside VLAN consists of a single ISP connection using an external WAN router. In Figure 3-1, the Inside VLAN uses four switch ports on the ASA 5505 and the Outside VLAN uses only one. Three switch ports are unused.
  • Page 26 PIX 501 security appliances in which devices behind the firewall can communicate internally and externally, you can keep the same deployment and replace the PIX 501 devices with ASA 5505 devices. If this same customer needed to have two Internet connections, the Outside VLAN could be allocated an additional port, as shown in Figure 3-2.
  • Page 27: Dmz Deployment

    In this example, three physical switch ports are allocated to the Inside VLAN, two switch ports are allocated to the DMZ VLAN, and one switch port is allocated to the Outside VLAN. Two switch ports are left unused...
  • Page 28: Teleworker Deployment Using Three Vlans

    VPN hardware client to support a teleworker. In Figure 3-4, an ASA 5505 is installed in a home office environment and used as a remote VPN hardware client. The ASA 5505 is configured for three VLANs: • Inside (Work) VLAN that consists of all devices used to support access to the...
  • Page 29 [Figure labels: Game System, DMZ (Home) VLAN] In this example, the physical ports of the ASA 5505 are used as follows: • The Inside (Work) VLAN consists of three physical switch ports, one of which is a Power over Ethernet (PoE) switch port that is used for an IP phone.
  • Page 31: Verifying The Package Contents

    Installing the ASA 5505. This chapter describes how to install the ASA 5505 adaptive security appliance. This chapter includes the following sections: • Verifying the Package Contents, page 4-1 • PoE Ports and Devices, page 4-3...
  • Page 32 [Figure 4-1: Contents of ASA 5505 Package]...
  • Page 33: Poe Ports And Devices

    PoE Ports and Devices. On the ASA 5505, switch ports Ethernet 0/6 and Ethernet 0/7 support PoE devices that are compliant with the IEEE 802.3af standard, such as IP phones and wireless access points. If you install a non-PoE device or do not connect to these switch ports, the adaptive security appliance does not supply power to the ports and the device must be powered on its own.
  • Page 34: Connecting To Network Interfaces

    Step 2: Connect one end of the Ethernet cable to an Ethernet port (ports 0 through 7) as shown in Figure 4-2. (Typically Ethernet port 0 is used to connect to an Internet router.)...
  • Page 35: Powering On The Asa 5505

    Connect the other end of the Ethernet cable to a device, such as a router, desktop computer, or printer. Powering on the ASA 5505: To power on the ASA 5505, perform the following steps: Step 1: Connect the power supply with the power cable...
  • Page 36: Setting Up A Pc For System Administration

    For more information about using ASDM for setup and configuration, see Chapter 5, “Configuring the Adaptive Security Appliance.” To set up a PC from which you can configure and manage the ASA 5505, perform the following steps: Step 1: Make sure that the speed of the PC interface to be connected to one of the ASA 5505 inside ports is set to autonegotiate.
  • Page 37: Optional Procedures

    Connecting to the Console You can access the command line for administration using the console port on the ASA 5505. To do so, you must run a serial terminal emulator on a PC or workstation as shown in Figure 4-3.
  • Page 38: Installing A Cable Lock

    1 stop bit. Installing a Cable Lock The ASA 5505 includes a slot that accepts standard desktop cable locks to provide physical security for small portable equipment, such as a laptop computer. The cable lock is not included.
  • Page 39: Ports And Leds

    Step 1: Follow the directions from the manufacturer for attaching the other end of the cable for securing the adaptive security appliance. Step 2: Attach the cable lock to the lock slot on the back panel of the ASA 5505. Ports and LEDs: This section describes the front and rear panels of the ASA 5505.
  • Page 40 Figure 4-4 illustrates the front panel of the ASA 5505. [Figure 4-4: ASA 5505 Front Panel. Labels: LINK/ACT, Power, Status, Active, 100 MBPS, Cisco ASA 5505 series Adaptive Security Appliance] Port / LED...
  • Page 41 If the LINK/ACT LED does not light up, the link could be down if there is a duplex mismatch. You can fix the problem by changing the settings either on the ASA 5505 or on the other end. If auto-negotiation is disabled (it is enabled by default), you might be using the wrong type of cable.
  • Page 42: Rear Panel Components

    Rear Panel Components. Figure 4-5 illustrates the back panel of the ASA 5505. [Figure 4-5: ASA 5505 Rear Panel. Labels: Security Services Card Slot, Console, power, RESET, POWER over ETHERNET] Port or LED...
  • Page 43: What To Do Next

    0 through 5. If a PoE device is not attached, power is not supplied to the port and the device must be powered on its own. What to Do Next: Continue with Chapter 5, “Configuring the Adaptive Security Appliance.”...
  • Page 45: Chapter 5 Configuring The Adaptive Security Appliance

    • What to Do Next, page 5-10. About the Factory Default Configuration: Cisco adaptive security appliances are shipped with a factory-default configuration that enables quick startup. The ASA 5505 comes preconfigured with the following: • Two VLANs: VLAN 1 and VLAN 2...
  • Page 46: Using The Cli For Configuration

    LAN-to-LAN connections in the CLI itself by using the vpnsetup ipsec-remote-access steps and vpnsetup site-to-site steps commands. For more information about these commands, see the Cisco Security Appliance Command Reference. For step-by-step configuration procedures for all functional areas of the adaptive security appliance, see the Cisco Security Appliance Command Line Configuration Guide.
  • Page 47: Using The Adaptive Security Device Manager For Configuration

    In addition to complete configuration and management capability, ASDM features intelligent wizards to simplify and accelerate the deployment of the adaptive security appliance. This section includes the following topics: • Preparing to Use ASDM, page 5-4...
  • Page 48: Preparing To Use Asdm

    Step 3: Check the LINK LED on the MGMT interface. When a connection is established, the LINK LED interface on the adaptive security appliance and the corresponding LINK LED on the switch or hub turn solid green...
  • Page 49: Gathering Configuration Information For Initial Setup

    Launcher software so that ASDM runs locally on your PC, or by enabling Java and JavaScript in your web browser and accessing ASDM remotely from your PC. This procedure describes how to set up your system to run ASDM locally...
  • Page 50 It is not necessary to save the installation software to your hard drive. When the InstallShield Wizard appears, follow the instructions to install the ASDM Launcher software. Step 2: From your desktop, start the Cisco ASDM Launcher software. A dialog box appears...
  • Page 51 Step 3: Enter the IP address or the host name of your adaptive security appliance. Step 4: Leave the Username and Password fields blank. Note: By default, there is no Username and Password set for the Cisco ASDM Launcher. Step 5: Click OK.
  • Page 52: Starting Asdm With A Web Browser

    ASDM starts and the main window appears. Starting ASDM with a Web Browser: To run ASDM in a web browser, enter the factory default IP address in the address field: https://192.168.1.1/admin/...
  • Page 53: Running The Asdm Startup Wizard

    ASDM. From the ASDM main page, click Configuration > Properties > ICMP Rules. Add an entry for the outside interface. Set the IP address to 0.0.0.0, the netmask to 0.0.0.0, and Action to deny...
  • Page 54: What To Do Next

    Configure the adaptive security appliance for site-to-site VPN (see Chapter 10, “Scenario: Site-to-Site VPN Configuration”); Configure the adaptive security appliance as an Easy VPN remote device (see Chapter 11, “Scenario: Easy VPN Hardware Client Configuration”)...
  • Page 55: Chapter 6 Scenario: Dmz Configuration

    Scenario: DMZ Configuration. Note: Cisco ASA 5505 DMZ configurations are possible only with the Security Plus license. A demilitarized zone (DMZ) is a separate network located in the neutral zone between a private (inside) network and a public (outside) network.
  • Page 56: Example Dmz Network Topology

    [Figure labels: Web Server, Printer, Personal computers, Email Server, Private (Inside) Network] Example DMZ Network Topology: The chapter describes how to configure a DMZ deployment of the adaptive security appliance as shown in Figure 6-2...
  • Page 57 • Clients on the private network can access the web server in the DMZ and can also communicate with devices on the Internet. • Clients on the Internet are permitted HTTP access to the DMZ web server; all other traffic coming from the Internet is denied...
  • Page 58: An Inside User Visits A Web Server On The Internet

    An Inside User Visits a Web Server on the Internet: Figure 6-3 shows the traffic flow through the adaptive security appliance when an inside user requests an HTTP page from a web server on the Internet...
  • Page 59 The adaptive security appliance receives the packet and, because it is a new session, verifies that the packet is allowed. The adaptive security appliance performs network address translation (NAT) to translate the local source address (192.168.1.2) to the public address of the outside interface (209.165.200.225)...
  • Page 60: An Internet User Visits The Dmz Web Server

    An Internet User Visits the DMZ Web Server: Figure 6-4 shows the traffic flow through the adaptive security appliance when a user on the Internet requests a web page from the DMZ web server...
  • Page 61 IP address of the adaptive security appliance (209.165.200.225, the IP address of the outside interface). The adaptive security appliance receives the packet and, because it is a new session, verifies that the packet is allowed...
  • Page 62: An Inside User Visits The Dmz Web Server

    DMZ web server (209.165.200.225). The adaptive security appliance forwards the packet to the outside user. An Inside User Visits the DMZ Web Server: Figure 6-5 shows an inside user accessing the DMZ web server...
  • Page 63 DNS server, internal client requests for the DMZ web server are handled as follows: A lookup request is sent to the DNS server of the ISP. The public IP address of the DMZ web server is returned to the client...
  • Page 64: Configuring The Security Appliance For A Dmz Deployment

    • Information to Have Available, page 6-11 • Starting ASDM, page 6-12 • Enabling Inside Clients to Communicate with Devices on the Internet, page 6-14 • Enabling Inside Clients to Communicate with the DMZ Web Server, page 6-15...
  • Page 65: Configuration Requirements

    Before you begin this configuration procedure, gather the following information: • Internal IP address of the server inside the DMZ that you want to make available to clients on the public network (in this scenario, a web server)...
  • Page 66: Starting Asdm

    If you prefer to access ASDM directly with a web browser or using Java, see Starting ASDM with a Web Browser, page 5-8. To start ASDM using the ASDM Launcher software, perform the following steps: Step 1: From your desktop, start the Cisco ASDM Launcher software. A dialog box appears.
  • Page 67 Note: By default, there is no Username and Password set for the Cisco ASDM Launcher. Step 4: Click OK. Step 5: If you receive a security warning containing a request to accept a certificate, click Yes.
  • Page 68: Enabling Inside Clients To Communicate With Devices On The Internet

    IP addresses of internal clients to the external address of the outside interface (that is, the public IP address of the adaptive security appliance). Outgoing traffic appears to come from this address...
  • Page 69: Enabling Inside Clients To Communicate With The Dmz Web Server

    The ASA 5505 comes with a default configuration that includes the necessary address translation rule. Unless you want to change the IP address of the inside interface, you do not need to configure any settings to allow inside clients to access the Internet.
  • Page 70: Translating Internal Client Ip Addresses Between The Inside And Dmz Interfaces

    Step 3: In the Firewall pane on the left side of the ASDM window, click NAT Rules. Step 4: Click the green plus (+) icon and choose Add Static NAT Rule. The Add Static NAT Rule dialog box appears...
  • Page 71 From the Interface drop-down list, choose the DMZ interface. In the IP Address field, enter the IP address of the internal client or network. In this scenario, the IP address of the network is 10.10.10.0...
  • Page 72 Click OK to add the Static NAT Rule and return to the Configuration > NAT pane...
  • Page 73 Translating the Public Address of the Web Server to its Real Address: To configure a NAT rule that translates the public IP address of the web server to its real IP address, perform the following steps...
  • Page 74 Step 3: From the Interface drop-down list, choose Inside. Enter or choose from the IP Address drop-down list the real address of the DMZ web server. In this scenario, the IP address is 10.30.30.30...
  • Page 75: Port Forwarding

    IP address, which allows outside HTTP clients to access the web server without being aware of the adaptive security appliance. In this scenario the DMZ web server shares a public IP address with the outside interface of the adaptive security appliance (209.165.200.225)...
  • Page 76: Address

    In the Translated area, specify the public IP address to be used for the web server: From the Interface drop-down list, choose Outside. Click the Interface IP radio button. This is the IP address for the specified interface, in this case, the outside interface...
  • Page 77 To configure Port Address Translation, perform the following steps: Check the Enable Port Address Translation check box. Click the TCP Protocol radio button. In the Original Port field, enter 80. In the Translated Port field, enter 80...
  • Page 78 Step 5: Confirm that the rule was created the way you expected. The displayed configuration should be similar to the following: Step 6: Click Apply to complete the adaptive security appliance configuration changes...
  • Page 79: Providing Public Http Access To The Dmz Web Server

    Click More Options. If you want the Access Control rule to be enabled immediately, check the Enable Rule check box. Next to Traffic Direction, click In. In the Source Service field, enter tcp/http...
  • Page 80 At this point, the entries in the Add Access Rule dialog box should be similar to the following: Click OK to return to the Security Policy > Access Rules pane. The displayed configuration should be similar to the following...
  • Page 81 DMZ web server, while keeping the private network secure. Step 3: If you want the configuration changes to be saved to the startup configuration so that they are applied the next time the device starts, from the File menu, click Save...
  • Page 82: What To Do Next

    To Do This... See... Configure a remote-access VPN (see Chapter 7, “Scenario: IPsec Remote-Access VPN Configuration”); Configure an SSL VPN for Cisco AnyConnect software clients (see Chapter 8, “Scenario: Configuring Connections for a Cisco AnyConnect VPN Client”)...
  • Page 83 To Do This... See... Configure a browser-based SSL VPN (see Chapter 9, “Scenario: SSL VPN Clientless Connections”); Configure a site-to-site VPN (see Chapter 10, “Scenario: Site-to-Site VPN Configuration”)...
  • Page 85: Chapter 7 Scenario: Ipsec Remote-Access Vpn Configuration

    Example IPsec Remote-Access VPN Network Topology: Figure 7-1 shows an adaptive security appliance configured to accept requests from and establish IPsec connections with VPN clients, such as Cisco Easy VPN software or hardware clients, over the Internet...
  • Page 86: Implementing The Ipsec Remote-Access Vpn Scenario

    • Information to Have Available, page 7-3 • Starting ASDM, page 7-3 • Configuring the ASA 5505 for an IPsec Remote-Access VPN, page 7-5 • Selecting VPN Client Types, page 7-7 • Specifying the VPN Tunnel Group Name and Authentication Method,...
  • Page 87: Information To Have Available

    Starting ASDM: This section describes how to start ASDM using the ASDM Launcher software. If you have not installed the ASDM Launcher software, see Installing the ASDM Launcher, page 5-5...
  • Page 88 Step 2: Enter the IP address or the host name of your adaptive security appliance. Step 3: Leave the Username and Password fields blank. Note: By default, there is no Username and Password set for the Cisco ASDM Launcher. Click OK.
  • Page 89: Configuring The Asa 5505 For An Ipsec Remote-Access Vpn

    Configuring the ASA 5505 for an IPsec Remote-Access VPN: To begin the process for configuring a remote-access VPN, perform the following steps: Step 1: In the main ASDM window, choose IPsec VPN Wizard from the Wizards drop-down menu.
  • Page 90 Step 2: In Step 1 of the VPN Wizard, perform the following steps: Click the Remote Access radio button. From the drop-down list, choose Outside as the enabled interface for the incoming VPN tunnels. Click Next to continue...
  • Page 91: Selecting Vpn Client Types

    Step 1: Specify the type of VPN client that will enable remote users to connect to this adaptive security appliance. For this scenario, click the Cisco VPN Client radio button. You can also use any other Cisco Easy VPN remote product.
  • Page 92: Specifying The Vpn Tunnel Group Name And Authentication Method

    • To use a static preshared key for authentication, click the Pre-Shared Key radio button and enter a preshared key (for example, “Cisco”). This key is used for IPsec negotiations between the adaptive security appliances. • To use digital certificates for authentication, click the Certificate radio...
  • Page 93: Specifying A User Authentication Method

    Step 2: Enter a Tunnel Group Name (such as “Cisco”) for the set of users that use common connection parameters and client attributes to connect to this adaptive security appliance.
  • Page 94 Click the Authenticate Using an AAA Server Group radio button. Choose a preconfigured server group from the Authenticate using an AAA server group drop-down list, or click New to add a new AAA server group. Step 3: Click Next to continue...
  • Page 95: (Optional) Configuring User Accounts

    In Step 5 of the VPN Wizard, perform the following steps: Step 1: To add a new user, enter a username and password, and then click Add. Step 2: When you have finished adding new users, click Next to continue...
  • Page 96: Configuring Address Pools

    Step 1: Enter a pool name or choose a preconfigured pool from the Pool Name drop-down list. Alternatively, click New to create a new address pool. The Add IP Pool dialog box appears...
  • Page 97: Configuring Client Attributes

    Easy VPN hardware client when a connection is established. Make sure that you specify the correct values, or remote clients will not be able to use DNS names for resolution or use Windows networking...
  • Page 98: Configuring The Ike Policy

    IKE is a negotiation protocol that includes an encryption method to protect data and ensure privacy; it is also an authentication method to ensure the identity of the peers. In most cases, the ASDM default values are sufficient to establish secure VPN tunnels...
  • Page 99 To specify the IKE policy in Step 8 of the VPN Wizard, perform the following steps: Step 1: Choose the Encryption (DES/3DES/AES), authentication algorithms (MD5/SHA), and the Diffie-Hellman group (1/2/5/7) used by the adaptive security appliance during an IKE security association. Step 2: Click Next to continue...
  • Page 100: Configuring Ipsec Encryption And Authentication Parameters

    Configuring IPsec Encryption and Authentication Parameters: In Step 9 of the VPN Wizard, perform the following steps: Step 1: Click the Encryption algorithm (DES/3DES/AES) and authentication algorithm (MD5/SHA). Step 2: Click Next to continue...
  • Page 101: Specifying Address Translation Exception And Split Tunneling

    Step 1: Specify hosts, groups, and networks that should be in the list of internal resources made accessible to authenticated remote users. To add or remove hosts, groups, and networks dynamically from the Selected Hosts/Networks area, click Add or Delete, respectively...
  • Page 102: Verifying The Remote-Access Vpn Configuration

    Step 2: Click Next to continue. Verifying the Remote-Access VPN Configuration: In Step 11 of the VPN Wizard, review the configuration attributes for the new VPN tunnel. The displayed configuration should be similar to the following...
  • Page 103: What To Do Next

    To establish end-to-end, encrypted VPN tunnels for secure connectivity for mobile employees or teleworkers, obtain the Cisco VPN client software. For more information about the Cisco Systems VPN client, see the following URL: http://www.cisco.com/en/US/products/sw/secursw/ps2308/index.html. If you are deploying the adaptive security appliance solely in a remote-access VPN environment, you have completed the initial configuration.
  • Page 104 Configure the adaptive security appliance to protect a web server in a (see Chapter 6, “Scenario: DMZ Configuration”). Configure an SSL VPN for the Cisco AnyConnect software client (see Chapter 8, “Scenario: Configuring Connections for a Cisco AnyConnect VPN Client”). Configure a clientless (browser-based) (see Chapter 9, “Scenario: SSL VPN...
  • Page 105: Chapter 8 Scenario: Configuring Connections For A Cisco Anyconnect Vpn Client

    Instead, remote users enter the IP address or DNS name of a Cisco SSL VPN interface in their browser. The browser connects to that interface and displays the SSL VPN login screen. If the...
  • Page 106: Obtaining The Cisco Anyconnect Vpn Client Software

    The adaptive security appliance obtains the AnyConnect VPN Client software from the Cisco website. This chapter provides instructions for configuring the SSL VPN using a configuration Wizard. You can download the Cisco SSL VPN software during the configuration process. Users can download the AnyConnect VPN Client from the adaptive security appliance, or it can be installed manually on the remote PC by the system administrator.
  • Page 107: Example Topology Using Anyconnect Ssl Vpn Clients

    Figure 8-1 shows an adaptive security appliance configured to accept requests for and establish SSL connections from clients running the AnyConnect SSL VPN software.
  • Page 108: Information To Have Available

    Configuring the ASA 5505 for the Cisco AnyConnect VPN Client, page 8-7 • Specifying the SSL VPN Interface, page 8-8 • Specifying a User Authentication Method, page 8-9 •...
  • Page 109: Starting Asdm

    Step 2: Enter the IP address or the host name of your adaptive security appliance. Step 3: Leave the Username and Password fields blank. Note: By default, there is no Username and Password set for the Cisco ASDM Launcher. Click OK.
  • Page 110 The ASA checks to see if there is updated software and if so, downloads it automatically. The main ASDM window appears.
  • Page 111: Configuring The Asa 5505 For The Cisco Anyconnect Vpn Client

    To begin the configuration process, perform the following steps: Step 1: In the main ASDM window, choose SSL VPN Wizard from the Wizards drop-down menu.
  • Page 112: Specifying The Ssl Vpn Interface

    Step 3 remote user to authenticate the ASA. Note: The ASA 5505 generates a self-signed certificate by default. However, for enhanced security you may want to purchase a publicly trusted SSL VPN certificate before putting the system in a production environment.
  • Page 113: Specifying A User Authentication Method

    Step 4: Click Next to continue. Specifying a User Authentication Method: In Step 3 of the SSL VPN Wizard, perform the following steps:...
  • Page 114 Specify a AAA Server Group Name. You can either choose an existing AAA server group name from the drop-down list, or you can create a new server group by clicking New.
  • Page 115: Specifying A Group Policy

    Step 2: If you have chosen to authenticate users with the local user database, you can create new user accounts here. You can also add users later using the ASDM configuration interface.
  • Page 116: Configuring The Cisco Anyconnect Vpn Client

    VPN client connections, so click Next again. Configuring the Cisco AnyConnect VPN Client: For remote clients to gain access to your network with a Cisco VPN Client, you must configure a pool of IP addresses that can be assigned to remote VPN clients as they are successfully connected.
  • Page 117 Step 3: Specify the location of the AnyConnect VPN Client software image. To obtain the most current version of the software, click Download Latest AnyConnect VPN Client from cisco.com. This downloads the client software to your PC. Click Next to continue.
  • Page 118: Verifying The Remote-Access Vpn Configuration

    In Step 7 of the SSL VPN Wizard, review the configuration settings to ensure that they are correct. The displayed configuration should be similar to the following: If you are satisfied with the configuration, click Finish to apply the changes to the adaptive security appliance.
  • Page 119: What To Do Next

    If you are deploying the adaptive security appliance solely to support AnyConnect VPN connections, you have completed the initial configuration. In addition, you may want to consider performing some of the following steps: To Do This...
  • Page 121: Chapter 9 Scenario: Ssl Vpn Clientless Connections

    Internet. They include: • Internal websites • Web-enabled applications • NT/Active Directory and FTP file shares • E-mail proxies, including POP3S, IMAP4S, and SMTPS
  • Page 122: Security Considerations For Clientless Ssl Vpn Connections

    SSL-enabled web-server presents before communicating with it. To minimize the risks involved with SSL certificates: Configure a group policy that consists of all users who need Clientless SSL VPN access and enable it only for that group policy.
  • Page 123: Example Network With Browser-Based Ssl Vpn Access

    PAT, permitting multiple outbound sessions to appear to originate from a single IP address. Figure 9-1 shows an adaptive security appliance configured to accept SSL VPN connection requests over the Internet using a web browser.
  • Page 124: Implementing The Clientless Ssl Vpn Scenario

    This section includes the following topics: • Information to Have Available, page 9-5 • Starting ASDM, page 9-5 • Configuring the ASA 5505 for Browser-Based SSL VPN Connections, page 9-7 • Specifying the SSL VPN Interface, page 9-8 • Specifying a User Authentication Method, page 9-10 •...
  • Page 125: Information To Have Available

    Portal Page is displayed. • Digital certificate: The ASA 5505 generates a self-signed certificate by default. For improved security and to eliminate browser warning messages, you may want to purchase a publicly trusted SSL VPN certificate before putting the system in a production environment.
  • Page 126 Step 2: Enter the IP address or the host name of your adaptive security appliance. Step 3: Leave the Username and Password fields blank. Note: By default, there is no Username and Password set for the Cisco ASDM Launcher. Click OK.
  • Page 127: Configuring The Asa 5505 For Browser-Based Ssl Vpn Connections

    To begin the process for configuring a browser-based SSL VPN, perform the following steps: Step 1: In the main ASDM window, choose SSL VPN Wizard from the Wizards drop-down menu.
  • Page 128: Specifying The Ssl Vpn Interface

    Check the Browser-based SSL VPN (Web VPN) check box. Click Next to continue. Specifying the SSL VPN Interface: In Step 2 of the SSL VPN Wizard, perform the following steps: Step 1: Specify a Connection Name to which remote users connect.
  • Page 129 Step 3: From the Certificate drop-down list, choose the certificate the ASA sends to the remote user to authenticate the ASA. Note: The ASA 5505 generates a self-signed certificate by default. For improved security and to eliminate browser warning messages, you may want to purchase a publicly trusted SSL VPN certificate before putting the system in a production environment.
  • Page 130: Specifying A User Authentication Method

    New to add a new AAA server group. To create a new AAA Server Group, click New. The New Authentication Server Group dialog box appears. In this dialog box, specify the following:
  • Page 131: Specifying A Group Policy

    Step 1: Click the Create new group policy radio button and specify a group name. Click the Modify an existing group policy radio button and choose a group from the drop-down list.
  • Page 132: Creating A Bookmark List For Remote Users

    In Step 5 of the SSL VPN Wizard, specify URLs to appear on the VPN portal page by performing the following steps: Step 1: To specify an existing bookmark list, choose the Bookmark List name from the drop-down list.
  • Page 133 To add a new list or edit an existing list, click Manage. The Configure GUI Customization Objects dialog box appears.
  • Page 134 Step 2: To create a new bookmark list, click Add. To edit an existing bookmark list, choose the list and click Edit. The Add Bookmark List dialog box appears.
  • Page 135 Step 6: From the URL Value drop-down list, choose the type of URL you are specifying. For example, choose http, https, ftp, and so on. Then, specify the complete URL for the page. Step 7: Click OK to return to the Add Bookmark List dialog box.
  • Page 136: Verifying The Configuration

    Step 11: Click Next to continue. Verifying the Configuration: In Step 7 of the SSL VPN Wizard, review the configuration settings to ensure that they are correct. The displayed configuration should be similar to the following:
  • Page 137 Save. Alternatively, ASDM prompts you to save the configuration changes permanently when you exit ASDM. If you do not save the configuration changes, the old configuration takes effect the next time the device starts.
  • Page 138: What To Do Next

    Configure a remote-access VPN (see Chapter 7, “Scenario: IPsec Remote-Access VPN Configuration”). Configure an AnyConnect VPN (see Chapter 8, “Scenario: Configuring Connections for a Cisco AnyConnect VPN Client”). Configure a site-to-site VPN (see Chapter 10, “Scenario: Site-to-Site VPN Configuration”).
  • Page 139: Chapter 10 Scenario: Site-To-Site Vpn Configuration

    • Configuring the Other Side of the VPN Connection, page 10-14 • What to Do Next, page 10-14. Example Site-to-Site VPN Network Topology: Figure 10-1 shows an example VPN tunnel between two adaptive security appliances.
  • Page 140: Implementing The Site-To-Site Scenario

    VPN deployment, using example parameters from the remote-access scenario shown in Figure 10-1. This section includes the following topics: • Information to Have Available, page 10-3 • Configuring the Site-to-Site VPN, page 10-3
  • Page 141: Information To Have Available

    If you prefer to access ASDM directly with a web browser or using Java, see Starting ASDM with a Web Browser, page 5-8. To start ASDM using the ASDM Launcher software, perform the following steps:
  • Page 142 Step 2: Enter the IP address or the host name of your adaptive security appliance. Step 3: Leave the Username and Password fields blank. Note: By default, there is no Username and Password set for the Cisco ASDM Launcher. Click OK.
  • Page 143 Configuring the Security Appliance at the Local Site. Note: The adaptive security appliance at the first site is referred to as Security Appliance 1 in this scenario. To configure the Security Appliance 1, perform the following steps:
  • Page 144 VPN concentrators, or other devices that support site-to-site IPsec connectivity. From the VPN tunnel Interface drop-down list, choose Outside as the enabled interface for the current VPN tunnel.
  • Page 145 • To use a static preshared key for authentication, click the Pre-Shared Key radio button and enter a preshared key (for example, “Cisco”). This key is used for IPsec negotiations between the adaptive security appliances. Note: When using preshared key authentication, the Tunnel Group Name must be the IP address of the peer.
  • Page 146 In Step 3 of the VPN Wizard, perform the following steps: Step 1: Click the Encryption (DES/3DES/AES), authentication algorithms (MD5/SHA), and the Diffie-Hellman group (1/2/5) used by the adaptive security appliance during an IKE security association.
  • Page 147 When configuring Security Appliance 2, enter the exact values for each of the options that you chose for Security Appliance 1. Encryption mismatches are a common cause of VPN tunnel failures and can slow down the process. Step 2: Click Next to continue.
  • Page 148 In Step 4 of the VPN Wizard, perform the following steps: Step 1: Choose the encryption algorithm (DES/3DES/AES) from the Encryption drop-down list, and the authentication algorithm (MD5/SHA) from the Authentication drop-down list. Step 2: Click Next to continue.
  • Page 149 (...) button to select from a list of hosts and networks. Step 3: Enter the IP address of remote networks to be protected or not protected, or click the ellipsis (...) button to select from a list of hosts and networks.
  • Page 150 Step 4: Click Next to continue. Viewing VPN Attributes and Completing the Wizard: In Step 6 of the VPN Wizard, review the configuration list for the VPN tunnel you just created.
  • Page 151 Alternatively, ASDM prompts you to save the configuration changes permanently when you exit ASDM. If you do not save the configuration changes, the old configuration takes effect the next time the device starts. This concludes the configuration process for Security Appliance 1.
  • Page 152: Configuring The Other Side Of The Vpn Connection

    Refine configuration and configure optional and advanced features (see Cisco Security Appliance Command Line Configuration Guide). Learn about daily operations (see Cisco Security Appliance Command Reference; Cisco Security Appliance Logging Configuration and System Log Messages).
  • Page 153 Remote-Access VPN Configuration”. Configure a clientless (browser-based) SSL VPN (see Chapter 9, “Scenario: SSL VPN Clientless Connections”). Configure an SSL VPN for the Cisco AnyConnect software client (see Chapter 8, “Scenario: Configuring Connections for a Cisco AnyConnect VPN Client”).
  • Page 155: Chapter 11 Scenario: Easy Vpn Hardware Client Configuration

    Easy VPN server at the main site and Easy VPN hardware clients at the remote offices. The Cisco ASA 5505 can function as a Cisco Easy VPN hardware client or as a Cisco Easy VPN server (sometimes called a “headend device”), but not both at the same time.
  • Page 156: Client Mode And Network Extension Mode

    Cisco VPN 30xx, or Cisco IOS 12.2(8)T) When used as an Easy VPN hardware client, the ASA 5505 can also be configured to perform basic firewall services, such as protecting devices in a DMZ from unauthorized access. However, if the ASA 5505 is configured to function as an Easy VPN hardware client, it cannot establish other types of tunnels.
  • Page 157 Easy VPN hardware client using the CLI, you must specify a mode. Figure 11-2 shows a sample network topology with the ASA 5505 running in Easy VPN Client Mode. When configured in Client Mode, devices on the inside interface of the ASA 5505 cannot be accessed by devices behind the Easy VPN server.
  • Page 158 LAN from remote LAN When configured in Easy VPN Network Extension Mode, the ASA 5505 does not hide the IP addresses of local hosts by substituting a public IP address. Therefore, hosts on the other side of the VPN connection can communicate directly with hosts on the local network.
  • Page 159: Configuring The Easy Vpn Hardware Client

    The Easy VPN server controls the security policies enforced on the ASA 5505 Easy VPN hardware client. However, to establish the initial connection to the Easy VPN server, you must complete some configuration locally.
  • Page 160: Starting Asdm With The Asdm Launcher

    Launcher, page 5-5. If you prefer to access ASDM directly with a web browser or using Java, see Starting ASDM with a Web Browser, page 5-8. To start ASDM, perform the following steps: Step 1: From your desktop, double-click the Cisco ASDM Launcher icon. The ASDM Launcher dialog box appears.
  • Page 161 Note: By default, there is no Username and Password set for the Cisco ASDM Launcher. Step 4: Click OK. Step 5: Click Yes to accept the certificates. The ASA checks to see if there is updated software and if so, downloads it automatically.
  • Page 163: Configuring The Hardware Client

    To configure the ASA 5505 as an Easy VPN hardware client, perform the following steps: Step 1: In the ASDM window, click the Configuration tool...
  • Page 164 Pre shared key radio button and enter a Group Name and Group Password. Step 6: In the User Settings area, specify the User Name and User Password to be used by the ASA 5505 when establishing a VPN connection.
  • Page 165 Easy VPN connection through the tunnel. Note: The public address of the ASA 5505 is not accessible when behind the NAT device unless you add static NAT mappings on the NAT device.
  • Page 166 Refine configuration and configure optional and advanced features (see Cisco Security Appliance Command Line Configuration Guide). Learn about daily operations (see Cisco Security Appliance Command Reference; Cisco Security Appliance Logging Configuration and System Log Messages).
  • Page 167 (SSH, ASDM, and so on), site-to-site VPN, and remote access VPN. You need an encryption license key to enable this license. If you are a registered user of Cisco.com and would like to obtain a 3DES/AES encryption license, go to the following website: http://www.cisco.com/go/license...
  • Page 168 Step 4: hostname(config)# exit (exits global configuration mode). Step 5: hostname# copy running-config startup-config (saves the configuration). Step 6: hostname# reload (reboots the adaptive security appliance and reloads the configuration).
