Transform Set Window (IPSec Encryption and Authentication)
Step 6 Identify the traffic you want to protect using the current IPSec tunnel,
as shown in Figure 15-25. The current IPSec tunnel protects packets
that are sent to or received from the hosts or networks you select in this
window. Use this window to identify the hosts and networks protected
by your local Cisco Security Appliance. In Figure 15-25, packets that
are sent to and received from the 192.168.4.0/24 network are
protected.
IKE Policy Window
Step 5 Configure the transform set to specify the encryption and
authentication algorithms used by IPSec, as shown in Figure 15-24.
IPSec provides secure communication over an insecure network, such as
the public Internet, by encrypting traffic between two IPSec peers, such
as your local Security Appliance and a remote Security Appliance or
VPN concentrator.
Using ASDM to Create a Site-to-Site VPN
The following steps and corresponding figures show a sample site-to-site VPN configuration
using the VPN Wizard on ASDM:
Step 1 Select the VPN Wizard from the Wizard’s drop-down menu, as shown
in Figure 15-20, to start the VPN Wizard.
Figure 15-20 ASDM with VPN Wizard Selected
Step 2 Select the site-to-site radio button, as shown in Figure 15-21, to create
a site-to-site VPN configuration. This configuration is used between
two IPSec security gateways, which can include Cisco PIX Firewalls,
VPN concentrators, or other devices that support site-to-site IPSec
connectivity. Use this window to also select the type of VPN tunnel you
are defining and to identify the interface on which the tunnel will be
enabled. In Figure 15-21, the outside interface is selected as the VPN
termination point.
Step 3 In the Remote Site Peer window, shown in Figure 15-22, you specify the
IP address of the remote IPSec peer that will terminate the VPN tunnel
you are configuring. Also, you use this window to identify which of the
following methods of authentication you want to use:
• Preshared keys
• Certificates
Figure 15-22 shows the Remote Site Peer window configured with the
remote IPSec peer and the preshared authentication keys.
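The wizard in Steps 1 through 6 collects a handful of parameters and pushes the corresponding CLI to the Security Appliance. The following Python model is an added example, not code from the book, from ASDM or from Cisco: it holds the wizard's inputs (termination interface, remote peer, preshared key, IKE policy, transform set and the protected networks), checks them against a small policy before anything would be pushed, and renders ASA 7.x-style commands as the author of this example understands them. The names outside_map, outside_cryptomap and ESP-AES-256-SHA, the peer 203.0.113.10, the local network 10.1.1.0/24, the algorithm choices and the placeholder preshared key are all assumptions; only the 192.168.4.0/24 network comes from Figure 15-25, and it is taken here as the network behind the remote peer. The commands ASDM actually generates vary with the software version.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

# Choices the wizard offered at the time but that should not be accepted in a
# new tunnel.  Constructed policy for this example, not taken from the book.
WEAK_ENCRYPTION = {"des", "3des"}
WEAK_HASH = {"md5"}
WEAK_DH_GROUPS = {1}
MIN_PSK_LENGTH = 16


@dataclass
class SiteToSiteVpn:
    """Inputs collected by the Site-to-Site VPN Wizard (hypothetical model)."""
    interface: str            # Step 2: interface on which the tunnel terminates
    peer: IPv4Address         # Step 3: remote IPSec peer
    preshared_key: str        # Step 3: preshared-key authentication
    ike_encryption: str       # IKE Policy window
    ike_hash: str
    ike_dh_group: int
    ipsec_encryption: str     # Step 5: transform set
    ipsec_hash: str
    local_networks: list      # Step 6: hosts/networks behind this appliance
    remote_networks: list     # Step 6: hosts/networks behind the peer
    seq: int = 10             # sequence number reused for crypto map and IKE policy

    def validate(self) -> list:
        """Policy findings to raise before the configuration is pushed (empty list = OK)."""
        findings = []
        if self.ike_encryption in WEAK_ENCRYPTION or self.ipsec_encryption in WEAK_ENCRYPTION:
            findings.append("weak encryption algorithm selected")
        if self.ike_hash in WEAK_HASH or self.ipsec_hash in WEAK_HASH:
            findings.append("weak hash algorithm selected")
        if self.ike_dh_group in WEAK_DH_GROUPS:
            findings.append("weak Diffie-Hellman group selected")
        if len(self.preshared_key) < MIN_PSK_LENGTH:
            findings.append(f"preshared key shorter than {MIN_PSK_LENGTH} characters")
        return findings

    def render(self) -> list:
        """ASA 7.x-style CLI for this tunnel (syntax as understood by this example's author)."""
        acl = f"{self.interface}_cryptomap"
        cmap = f"{self.interface}_map"
        ts = f"ESP-{self.ipsec_encryption.upper()}-{self.ipsec_hash.upper()}"
        lines = []
        # Step 6: the crypto access list selects the traffic the tunnel protects
        for local in self.local_networks:
            for remote in self.remote_networks:
                lines.append(f"access-list {acl} extended permit ip "
                             f"{local.network_address} {local.netmask} "
                             f"{remote.network_address} {remote.netmask}")
        lines += [
            # Step 5: transform set (encryption and authentication algorithms)
            f"crypto ipsec transform-set {ts} esp-{self.ipsec_encryption} esp-{self.ipsec_hash}-hmac",
            # Steps 2 and 3: crypto map bound to the termination interface and the peer
            f"crypto map {cmap} {self.seq} match address {acl}",
            f"crypto map {cmap} {self.seq} set peer {self.peer}",
            f"crypto map {cmap} {self.seq} set transform-set {ts}",
            f"crypto map {cmap} interface {self.interface}",
            # IKE Policy window
            f"isakmp enable {self.interface}",
            f"isakmp policy {self.seq} authentication pre-share",
            f"isakmp policy {self.seq} encryption {self.ike_encryption}",
            f"isakmp policy {self.seq} hash {self.ike_hash}",
            f"isakmp policy {self.seq} group {self.ike_dh_group}",
            # Step 3: the preshared key is stored on the tunnel group for the peer
            f"tunnel-group {self.peer} type ipsec-l2l",
            f"tunnel-group {self.peer} ipsec-attributes",
            f" pre-shared-key {self.preshared_key}",
        ]
        return lines


def example_tunnel() -> SiteToSiteVpn:
    """Constructed sample input; only 192.168.4.0/24 comes from Figure 15-25."""
    return SiteToSiteVpn(
        interface="outside",
        peer=IPv4Address("203.0.113.10"),             # documentation address, placeholder
        preshared_key="EXAMPLE-PSK-replace-me-2024",  # placeholder, not a real key
        ike_encryption="aes-256", ike_hash="sha", ike_dh_group=5,
        ipsec_encryption="aes-256", ipsec_hash="sha",
        local_networks=[IPv4Network("10.1.1.0/24")],
        remote_networks=[IPv4Network("192.168.4.0/24")],
    )


if __name__ == "__main__":
    tunnel = example_tunnel()
    problems = tunnel.validate()
    if problems:
        raise SystemExit("refusing to push: " + "; ".join(problems))
    print("\n".join(tunnel.render()))
```

The validate() step is the part the wizard itself does not do for you: it refuses DES, MD5, DH group 1 and short preshared keys before render() produces anything, which is the check a reviewer would want between clicking Finish in ASDM and the configuration reaching the appliance.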
Monitoring Button on the ASDM Menu Bar
Selecting any of the following options in the Categories list provides a corresponding pane of monitoring statistics for the Cisco Security Appliance:
■ ASDM Log—Displays the Syslog messages currently in the PDM Log buffer on the Security Appliance. A snapshot of the ASDM Log buffer contents on the Security Appliance can be displayed.
■ ASDM/HTTPS—Enables you to monitor connections made to the Security Appliance using ASDM. A snapshot of the current ASDM user sessions to the Security Appliance is displayed.
■ Telnet Sessions—Enables you to monitor connections made to the Security Appliance using Telnet. A snapshot of current Telnet sessions to the Security Appliance is displayed.
■ Secure Shell Sessions—Enables you to monitor connections made to the Security Appliance using Secure Shell (SSH). When the Secure Shell pane is displayed, a snapshot of the current SSH sessions to the Security Appliance is available.
■ User Licenses—Displays the number of current users, which is subtracted from the maximum number of users for your Security Appliance licensing agreement.
■ DHCP Client—Displays DHCP-assigned interface parameters when DHCP addressing is configured on the outside interface of the Security Appliance. A snapshot of the current DHCP lease information is displayed.
■ VPN Statistics—Lets you graphically monitor the following functions:
— Number of active IPSec tunnels
— Detailed IPSec information (similar to the CLI command show ipsec sa detail)
■ System Graphs—Enables you to build the New Graph window, which monitors the Security Appliance’s system resources, including block utilization, CPU utilization, failover statistics, and memory utilization.
■ Connection Graphs—Enables you to monitor a wide variety of performance statistics for Security Appliance features, including statistics for xlates, connections, AAA, inspect, URL filtering, and TCP intercept.
■ IPS (located under Miscellaneous Graphs)—Enables you to monitor intrusion detection statistics, including packet counts for each IPS signature supported by the Security Appliance.
■ Interface Graphs—Enables you to monitor per-interface statistics, such as packet counts and bit rates, for each enabled interface on the Security Appliance.
NOTE After specifying the information to be graphed, the graphical information is displayed in a separate window (New Graph window) when you click the Show Graphs button (see Figure 15-19). The graphical information displayed in the New Graph window can be printed or bookmarked in your browser for later recall. The data may also be exported for use by other applications.
Using ASDM for VPN Configuration
Chapter 13, “Virtual Private Networks,” explained how to configure VPNs on the Cisco
Security Appliance via the CLI. VPNs are one of the more difficult areas to configure and
troubleshoot: typos are common when you create a VPN configuration via the CLI, and for
novice administrators of the Cisco Security Appliance, remembering the commands and their
sequence can be difficult. ASDM presents a user-friendly VPN Wizard (accessible via the
Wizards menu on ASDM) that creates both site-to-site and remote-access VPNs for the Cisco
Security Appliance. Administrators are prompted for unique parameters such as IP addresses
and use drop-down menus to configure their VPN. The following sections discuss the steps
involved in creating a site-to-site VPN and a remote-access VPN using the VPN Wizard on
ASDM.
NOTE If an interface is not enabled using the Interfaces tab, no graphs are available for
Monitoring
The Monitoring tab, shown in Figure 15-19, is one of the most useful tools to help you make
sense of the different statistics that the Cisco Security Appliance can generate. The different
sections on the Monitoring tab help you to analyze your Security Appliance’s performance
using colorful graphs.
The Monitoring tab enables you to examine the operation of the Security Appliance. When
monitoring the operation of the Security Appliance, you can directly view the settings or
statistics for many features and parameters. For other features, you have the option of
displaying a graph that represents the usage of the features over time. The left column in
Figure 15-19 shows the different categories of information that you can monitor on your
Security Appliance.
Properties Tab on ASDM
The tab consists of 14 sections, each with a specific feature that can be configured. Some of
these sections include the following:
■ AAA Setup—Configures AAA server groups. The Security Appliance can provide AAA
servers and the authentication prompt. Each AAA server group directs different types of
traffic to the authentication servers in its group. If the first authentication server listed in
the group fails, the Security Appliance seeks authentication from the next server in the
group. You can have up to 14 groups, and each group can have up to 14 AAA servers,
for a total of up to 196 AAA servers.
■ Advanced—Configures advanced protection features, including antispoofing, fragment
options, and connection settings, through the Advanced window.
■ ARP Static Table—Normally, MAC addresses are learned dynamically on the inside and
outside interfaces. The ARP Static Table gives the security administrator the option of
adding static MAC address entries on the Security Appliance.
■ Auto Update—Enables the Auto Update server to push configuration information and
send requests for information to the Security Appliance. Additionally, by causing the
Security Appliance to periodically poll the Auto Update server, the Auto Updater can pull
configuration information.
■ DHCP Server—Provides network configuration parameters, such as IP addresses, to
DHCP clients. DHCP server or DHCP proxy relay services are provided by the Security
Appliance to DHCP clients attached to Security Appliance interfaces.
■ DNS Client—Specifies one or more DNS servers for the Security Appliance so it can
resolve server names to IP addresses.
■ Failover—The settings for configuring failover on the Security Appliance.
■ History Metrics—The ASDM can display history graphs and tables to allow the security
administrator a means to track various statistics. This window allows you to configure
the Security Appliance to keep a history of various statistics. Statistics can only be
monitored in real time if this feature is not enabled.
■ HTTP/HTTPS—Displays information on HTTP redirection and HTTPS user certificate
requirements for each interface on the Security Appliance.
■ IP Audit—Provides basic IPS functionality.
■ Logging—Enables or disables sending informational messages to the console, to a syslog
server, or to a Simple Network Management Protocol (SNMP) management station.
■ priority-queue—Priority queuing features enable QoS options on packet flows passing
through the Security Appliance. Use this window to create a priority queue for an
interface. All administrator-created priority queues will be enabled before priority
queuing takes effect.
Device Administration Tab on ASDM
Properties Tab
Security Appliance features and configurations, such as AAA servers, failover, and logging,
are placed in a single configuration tab called Properties. The Properties tab, shown in Figure
15-18, gives the security administrator the option to customize the Security Appliance with
advanced and optional features.
Device Administration Tab
The ASDM gives you a single location where you can manage the basic parameters of the
Security Appliance. The Device Administration tab, shown in Figure 15-17, can set the basic
parameters for the Security Appliance, such as passwords, user accounts, banners, system
access, and so on. While in this tab, the administrator can also generate and manage
certificates.
Building Blocks Tab
The ASDM uses the name “building blocks” for the reusable components that must be
implemented for your policy. The Building Blocks tab, shown in Figure 15-16, provides a
single location where you can configure, view, and modify the building blocks.
These building blocks include the following:
■ Hosts/Networks—You can use this option to add, modify, or remove hosts and
networks from specific interfaces.
■ Inspect Maps—You can use this option to create inspect maps for specific protocol
inspection engines. The inspect map can then be applied to a type of traffic through the
Service Policy Rules tab using Modular Policy Framework features.
■ TCP Maps—You can use this option to assign TCP connection settings for different
traffic flows using Modular Policy Framework features.
■ Time Ranges—You can use this option to assign a start and end time range to various
security features and policies.
VPN Tab on ASDM
IPS Tab
The IPS tab is optional and is displayed only if IPS sensors have been enabled on the Security
Appliance through the CLI. You can use the IPS tab to manage network settings and signatures
for intrusion prevention (see Figure 15-14). From the IPS tab you can configure the sensor to
control blocking devices, as well as configure several SNMP features. Additionally, you can
configure a sensor to automatically restore itself to factory defaults, reboot, update its
software, or shut down.
Routing Tab
The Routing tab, shown in Figure 15-15, is where a security administrator can configure the
different routing protocols for the Security Appliance. The Routing window is subdivided by
supported routing protocol: static routes, RIP, OSPF, IGMP, and PIM. Each of these offers the
same features that are available through CLI configuration.
VPN Tab
The Security Appliance can create three different types of secure connections:
■ Remote-access VPNs
■ Site-to-site VPNs
■ WebVPNs
The ASDM uses a VPN wizard to create remote-access and site-to-site VPNs. After the
wizard has completed the VPN configurations, the administrator will be able to add, delete,
or modify VPN-specific features. The wizard is described in more detail later in this chapter.
The VPN tab, shown in Figure 15-13, allows a security administrator to configure group
policies and individual VPN tunnels.
NAT Tab
The NAT tab, shown in Figure 15-12, lets you view all the address translation rules or NAT
exemption rules applied to your network.
Figure 15-12 NAT Tab on ASDM
The Cisco Security Appliance supports both NAT, which provides a globally unique address
for each outbound host session, and PAT, which provides a single, unique global address for
more than 64,000 simultaneous outbound or inbound host sessions. The global addresses
used for NAT come from a pool of addresses to be used specifically for address translation.
The unique global address that is used for PAT can be either one global address or the IP
address of a given interface.
From the NAT tab, you also can create a translation exemption rule, which lets you specify
traffic that is exempt from being translated. The exemption rules are grouped by interface in
the table, and then by direction. If you have a group of IP addresses that will be translated,
you can exempt certain addresses from being translated by using the exemption rules. If you
have a previously configured access list, you can use that to define your exemption rule.
ASDM writes the exemption to the Security Appliance using a nat 0 command through the
CLI. You can re-sort the exemption view by clicking a column heading.
It is important to note that the order in which you apply translation rules can affect how the
rules operate. ASDM lists the static translations first and then the dynamic translations. Each
rule type will be examined in order, with the Security Appliance handling the packet based
on the first rule the packet qualifies for in each set. The Security Appliance will first look at
NAT 0, the static translations, NAT, and lastly PAT rules. If a packet arrives at the Security
Appliance and is destined for a web server using PAT, the packet must pass all of the previous
rules defined in NAT 0, static, and NAT before PAT translation even happens. When
processing NAT, the Cisco Security Appliance first translates the static translations in the
order they are configured. The packet will be handled based on the first match in the
translation rule set. You can use the Insert Before or Insert After commands to determine the
order in which static translations are processed. Because dynamically translated rules are
processed on a best-match basis, the option to insert a rule before or after a dynamic
translation is disabled. Use the Manage Pools button to create global address pools to be used
by NAT. You can view or delete existing global pools through the global address pools
window.
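The evaluation order described above (NAT 0 exemptions, then static translations, then dynamic NAT, then PAT, with first match deciding within the NAT 0 and static sets and best match among dynamic rules) can be reproduced in a few lines, which makes the effect of rule order visible. The following Python model is an added example, not code from the book or from the Security Appliance: the rule classes, field names and every sample address are constructed, the NAT 0 rule matches on destination as a nat 0 access list would, and "best match" is modelled as longest-prefix match on the source network, which is this author's reading of the text rather than a documented ASA algorithm.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

# Rule classes in the order the text says the Security Appliance consults them.
NAT0, STATIC, NAT, PAT = "nat0", "static", "nat", "pat"
EVALUATION_ORDER = (NAT0, STATIC, NAT, PAT)


@dataclass(frozen=True)
class Rule:
    """One translation rule (constructed model, not the appliance's own data structure)."""
    kind: str
    source: IPv4Network                        # inside addresses the rule covers
    translated: str = ""                       # mapped address, pool or interface (descriptive)
    destination: Optional[IPv4Network] = None  # NAT 0 with an access list also matches destination

    def matches(self, src: IPv4Address, dst: IPv4Address) -> bool:
        if src not in self.source:
            return False
        return self.destination is None or dst in self.destination


def translate(rules, src: str, dst: str):
    """Return (rule class, translated address) for a packet, or ('none', '') if nothing matched.

    Each class is tried in EVALUATION_ORDER and the first class with a match decides.
    NAT 0 and static rules: first match in configured order.
    Dynamic NAT and PAT: best match, modelled here as the longest source prefix.
    """
    s, d = IPv4Address(src), IPv4Address(dst)
    for kind in EVALUATION_ORDER:
        candidates = [r for r in rules if r.kind == kind and r.matches(s, d)]
        if not candidates:
            continue
        if kind in (NAT0, STATIC):
            chosen = candidates[0]
        else:
            chosen = max(candidates, key=lambda r: r.source.prefixlen)
        if kind == NAT0:
            return (NAT0, src)  # exempt: the packet leaves with its real address
        return (kind, chosen.translated)
    return ("none", "")


# Constructed sample rule set; addresses are private or documentation ranges.
SAMPLE_RULES = [
    Rule(NAT0, IPv4Network("10.1.0.0/16"), "exempt", IPv4Network("192.168.4.0/24")),  # VPN traffic
    Rule(STATIC, IPv4Network("10.1.1.10/32"), "198.51.100.10"),                       # one server
    Rule(STATIC, IPv4Network("10.1.1.0/24"), "198.51.100.0/24"),                      # net static
    Rule(NAT, IPv4Network("10.1.2.0/24"), "pool 198.51.100.64-198.51.100.79"),
    Rule(NAT, IPv4Network("10.1.0.0/16"), "pool 198.51.100.80-198.51.100.95"),
    Rule(PAT, IPv4Network("10.0.0.0/8"), "interface outside"),
]


def swap(rules, i: int, j: int):
    """Return a copy with two rules exchanged: the effect of Insert Before / Insert After."""
    out = list(rules)
    out[i], out[j] = out[j], out[i]
    return out


if __name__ == "__main__":
    for src, dst in [("10.1.1.10", "192.168.4.5"), ("10.1.1.10", "203.0.113.50"),
                     ("10.1.1.20", "203.0.113.50"), ("10.1.2.5", "203.0.113.50"),
                     ("10.1.3.5", "203.0.113.50"), ("10.2.0.1", "203.0.113.50")]:
        print(f"{src} -> {dst}: {translate(SAMPLE_RULES, src, dst)}")
    print("static rules swapped:", translate(swap(SAMPLE_RULES, 1, 2), "10.1.1.10", "203.0.113.50"))
```

The last line of the demonstration is the point of the passage: once the /24 static precedes the /32 static, host 10.1.1.10 takes the net static instead of its own mapping, even though both rules are still present. The same host bound for 192.168.4.0/24 is never translated at all, because the NAT 0 set is consulted before any static rule.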