Summary of the content on the page No. 1
QUICK START GUIDE
Cisco ASA Services Module
1 Information About the ASA Services Module in the Switch Network
2 Verifying the Module Installation
3 Assigning VLANs to the ASA Services Module
4 Using the MSFC as a Directly-Connected Router
5 Logging Into the ASA Services Module
6 Configuring ASDM Connectivity
7 Launching ASDM
8 Running the Startup Wizard
9 (Optional) Allowing Access to Public Servers Behind the ASA Services Module
10 (Optional) Running Other Wizards in ASDM
11 Advanced Configur
Summary of the content on the page No. 2
Updated: May 15, 2013, 78-19998-02

1 Information About the ASA Services Module in the Switch Network

For switch and software compatibility with the ASA Services Module (ASASM), see the following: http://www.cisco.com/en/US/docs/security/asa/compatibility/asamatrx.html.

The switch runs Cisco IOS software on both the switch supervisor engine and the integrated Multilayer Switch Feature Card (MSFC). The ASASM runs its own operating system. Although you need the MSFC as part of your system, y
Summary of the content on the page No. 3
For multiple context mode, if you place the MSFC or router behind the ASASM, you should only connect it to a single context. If you connect it to multiple contexts, the MSFC/router will route between the contexts, which might not be your intention. The typical scenario for multiple contexts is to use a router in front of all the contexts to route between the Internet and the switched networks.

Figure (labels): Internet, VLAN 100, MSFC/Router, VLAN 300, VLAN 303, VLAN 301, VLAN 302, Admin Context, Context A, Context B, Contex
Summary of the content on the page No. 4
2 Verifying the Module Installation

Verify that the switch acknowledges the ASASM and has brought it online. (If you need to install your ASASM, see the module installation guide on Cisco.com.)

Enter the following command to ensure that the Status column shows “Ok” for the ASASM:

    show module [switch {1 | 2}] [mod-num | all]

For a switch in a VSS, enter the switch argument. For example:

    Router# show module
    Mod Ports Card Type Model Serial No.
    --- ----
Summary of the content on the page No. 5
4 Using the MSFC as a Directly-Connected Router

If you want to use the MSFC as a directly-connected router (for example, as the default gateway connected to the ASASM outside interface), then add an ASASM VLAN interface to the MSFC as a switched virtual interface (SVI). By default, you can add only one SVI; to add multiple SVIs, and understand the caveats for multiple SVIs, see the configuration guide on Cisco.com.

Perform the following steps at the switch CLI:

Command Purpose
Step 1 inter
Summary of the content on the page No. 6
5 Logging Into the ASA Services Module

From the switch CLI, you can connect to a virtual console session on the ASASM:

Step 1
    Command: service-module session [switch {1 | 2}] slot number
    Purpose: Connects to the ASASM. For a switch in a VSS, enter the switch argument. You access user EXEC mode.
    Example:
        Router# service-module session slot 4
        hostname>

Step 2
    Command: enable
    Purpose: Accesses privileged EXEC mode, which is the highest privilege level. Enter the enable password at the prompt. By default
    Example:
Summary of the content on the page No. 7
Logging Out of the ASA Services Module

If you do not log out of the ASASM, the console connection persists; there is no timeout. To end the ASASM console session and access the switch CLI, perform the following steps. To kill another user’s active connection, which may have been unintentionally left open, see the configuration guide.

Step 1 To return to the switch CLI, type:

    Ctrl-Shift-6, x

You return to the switch prompt.

Note: Shift-6 on US and UK keyboards issues the caret (^) character.
Summary of the content on the page No. 8
Step 2 Do one of the following to configure a management interface, depending on your mode:

Routed mode:
    Command:
        interface vlan number
        ip address ip_address [mask]
        nameif name
        security-level level
    Purpose: Configures an interface in routed mode. The security_level is a number between 1 and 100, where 100 is the most secure.
    Example:
        hostname(config)# interface vlan 1
        hostname(config-if)# ip address 192.168.1.1 255.255.255.0
        hostname(config-if)# nameif inside
        hostname(config-if)# security-lev
Summary of the content on the page No. 9
Step 4
    Command: http server enable
    Purpose: Enables the HTTP server for ASDM.
    Example:
        hostname(config)# http server enable

Step 5
    Command: http ip_address mask interface_name
    Purpose: Allows the management host to access ASDM.
    Example:
        hostname(config)# http 192.168.1.0 255.255.255.0 inside

Step 6
    Command: write memory
    Purpose: Saves the configuration.
    Example:
        hostname(config)# write memory

Step 7
    Command: mode multiple
    Purpose: (Optional) Sets the mode to multiple mode. When prompted, confirm that you want to convert the existing configurati
Summary of the content on the page No. 10
7 Launching ASDM

Using ASDM, you can use wizards to configure basic and advanced features. ASDM is a graphical user interface that allows you to manage the ASASM from any location by using a web browser. See the ASDM release notes on Cisco.com for the requirements to run ASDM.

Step 1 On the PC connected to the ASASM management VLAN, launch a web browser.

Step 2 In the Address field, enter the following URL:

    https://management_ip_address/admin

The Cisco ASDM web page appears.

Step 3 Click Ru
Summary of the content on the page No. 11
8 Running the Startup Wizard

Run the Startup Wizard so that you can customize the security policy to suit your deployment. Using the startup wizard, you can set the following:

• Hostname
• Domain name
• Administrative passwords
• Interfaces
• IP addresses
• Static routes
• DHCP server
• Network address translation rules
• and more...

Step 1 If the wizard is not already running, in the main ASDM window, choose Wizards > Startup Wizard.

Step 2 Follow the instructions in the Startup Wizard to
Summary of the content on the page No. 12
9 (Optional) Allowing Access to Public Servers Behind the ASA Services Module

The Public Server pane automatically configures the security policy to make an inside server accessible from the Internet. As a business owner, you might have internal network services, such as a web and FTP server, that need to be available to an outside user. You can place these services on a separate network behind the ASASM, called a demilitarized zone (DMZ). By placing the public servers on the DMZ, any at
Summary of the content on the page No. 13
10 (Optional) Running Other Wizards in ASDM

You can optionally run the following additional wizards in ASDM:

• High Availability and Scalability Wizard: Configure active/active or active/standby failover, or VPN cluster load balancing.
• Packet Capture Wizard: Configure and run packet capture. The wizard will run one packet capture on each of the ingress and egress interfaces. After capturing packets, you can save the packet captures to your PC for examination and replay in the packet analy