User Manual
Page 1
... not lit, the link could be down due to a duplex mismatch. LINK/ACT Indicator Power Indicator LINK/ACT Power Status Active VPN SSC 100 MBPS 0 0 0 0 0 0 0 0 Cisco ASA 5505 series 0 Adaptive Security Appliance If a LINK/ACT LED is established. If auto-negotiation is the Outside interface.) Connect the other end to a cable/DSL/ISDN...
User Manual
Page 2
.... Step 1 In the main ASDM window, choose Configuration > Firewall > Public Servers. The Public Server pane appears. The Startup Wizard appears. Americas Headquarters Cisco Systems, Inc. Third-party trademarks mentioned are listed on recycled paper containing 10% postconsumer waste. 78-19752-02 QUICK START GUIDE Cisco ASA 5505 Adaptive Security Appliance The server appears in the...
Administration Guide
Page 7
..., page 10 Document Objectives The purpose of this guide, the term "security appliance" applies generically to the Cisco ASA 5500 series security appliances (ASA 5505 and higher). About This Guide OL-12950-012 This preface introduces the Cisco AnyConnect VPN Client Administrator Guide, and includes the following tasks: • Manage network security • Install and...
Administration Guide
Page 8
... Appliance Getting Started Guide • Cisco ASA 5500 Series Release Notes • Cisco ASDM Release Notes • Cisco ASDM Online Help • Release Notes for Cisco AnyConnect VPN Client, Release 2.0 • Cisco Security Appliance Command Reference • Cisco Security Appliance Logging Configuration and System Log Messages • Cisco Secure Desktop Configuration Guide for Cisco ASA 5500 Series Administrators • For...
Administration Guide
Page 11
... appliance. For detailed information about DTLS, see RFC 4347 (http://www.ietf.org/rfc/rfc4347.txt). • Standalone Mode-Allows a Cisco AnyConnect VPN client to individual users or groups. In this document is a standards-based SSL protocol that provides installation, maintenance, and removal... of platform requirements and supported versions. See the Release Notes for getting the Cisco AnyConnect VPN Client up and running ASA version 8.0 and higher or ASDM 6.0 and higher. DTLS is primarily on Windows systems. OL-12950-012...
Administration Guide
Page 18
... .export files from : • The CD shipped with the security appliance. • The software download page for the ASA 5500 Series Adaptive Security Appliance at http://www.cisco.com/cgi-bin/tablebuild.pl/asa. For more information, see the CSA document Using Management Center for CSA Versions 5.2 and higher. Import the file using...
Administration Guide
Page 19
WebLaunch Mode Without a previously-installed client, remote users enter into their browser the IP address or DNS name of the ASA Release 8.0(1) and later and ASDM Release 6.0 and later. If the user satisfies the login and authentication, and the security ...requiring the client, it resident only for installing the AnyConnect client software on the ASA5500 using Transport Layer Security (TLS). OL-12950-012 Cisco AnyConnect VPN Client Administrator Guide 2-1 This chapter contains procedures for the duration of the connection. After loading, the client installs and configures itself...
Administration Guide
Page 20
...-specific issues and procedures for certificates on client machines. - If you can configure it to prompt the remote user about certificates, Cisco Security Agent (CSA), adding trusted sites, and responding to browser alerts: • Ensuring Automatic Installation of AnyConnect Clients, page 2-2... trusted root certificate on the security appliance, see "Configuring SSL VPN Connections" in this administrator's guide, see the Cisco ASA 5500 Command Reference Guide for version 8.0 or later. This document contains information about configuring the AnyConnect client and other SSL VPN...
Administration Guide
Page 22
... for domain users, see Using Microsoft Active Directory to Add the Security Appliance to the List of the security appliance. Click Add. Cisco AnyConnect VPN Client Administrator Guide 2-4 OL-12950-012 The Internet Options window opens. Click the Trusted Sites icon. Adding a Security Certificate... Response to Browser Security Alert Windows This section explains how to install a self-signed certificate as https://*.yourcompany.com to allow all ASA 5500s within the yourcompany.com domain to be used to support multiple sites. Click the Security tab. A remote user using standalone ...
Administration Guide
Page 58
For detailed information about configuring Cisco Secure Desktop, see the Cisco Secure Desktop Configuration Guide for Windows 2000 and Windows XP. There is no specific configuration of AnyConnect required to use Secure Desktop. Configuring, Enabling, and Using Other AnyConnect Features Chapter 5 Configuring AnyConnect Features Using ASDM Cisco Secure Desktop for Cisco ASA 5500 Series Administrators (Software Release 3.2). 5-16 Cisco AnyConnect VPN Client Administrator Guide OL-12950-012
Administration Guide
Page 64
..., and attempts to remove traces of AnyConnect required to use dynamic access policies. For detailed information about configuring dynamic access policies, see the Cisco Secure Desktop Configuration Guide for Cisco ASA 5500 Series Administrators (Software Release 3.2). To enable the client to perform a rekey on an SSL VPN connection for Windows 2000 and Windows...
Administration Guide
Page 65
... the UDP/DTLS session, and the DPD mechanism is necessary for the existing group-policy sales: hostname(config)# group-policy sales attributes OL-12950-012 Cisco AnyConnect VPN Client Administrator Guide 6-7 To remove the svc dpd-interval command from the configuration, use the svc dpd-interval command from group-policy or... rekey {method {new-tunnel | none | ssl} | time minutes} method new-tunnel specifies that the client establishes a new tunnel during rekey. To enable DPD on the ASA to allow the AnyConnect client to fall back to 10080 (1 week).
Administration Guide
Page 91
...-specified), and it contains empty message fields: hostname# export webvpn translation-table AnyConnect template tftp://209.165.200.225/test Step 2 Edit the translation table XML file. The end of this example, the filename of the template that follows msgid provides the translation. The ... a translation, enter the translated text between the quotes of message fields: # Copyright (C) 2007 by Cisco Systems, Inc. # #, fuzzy msgid "" msgstr "" "Project-Id-Version: ASA\n" "Report-Msgid-Bugs-To: support@cisco.com\n" "POT-Creation-Date: 2007-04-23 18:57 GMT\n" "PO-Revision-Date: YEAR-MO-DA...
Administration Guide
Page 101
Appendix A Sample AnyConnect Profile and XML Schema Sample AnyConnect Profile Schema Can be a FQDN or IP address. --> cvc-asa-02.cisco.com 10.94.146.172 CVC-ASA-02 cvc-asa-02.cisco.com CVC-ASA-01 10.94.146.172 cvc-asa-03.cisco.com 10.94.146.173 Sample AnyConnect Profile Schema pwd This is the data needed to attempt a connection to a specific host. OL-12950-012 Cisco AnyConnect VPN Client Administrator Guide A-3
Installation Guide
Page 1
Chapter 4 Installing the ASA 5505 This chapter describes how to install your Cisco ASA 5505 adaptive security appliance, as shown in Figure 4-1. 78-18003-02 ASA 5505 Getting Started Guide 4-1 This chapter includes the following sections: • Verifying the Package Contents, ...; PoE Ports and Devices, page 4-3 • Installing the Chassis, page 4-4 • Connecting to Network Interfaces, page 4-4 • Powering on the Cisco ASA 5505, page 4-6 • Setting Up a PC for System Administration, page 4-6 • Optional Procedures, page 4-8 • Ports and LEDs, page 4-9 ...
Installation Guide
Page 2
Verifying the Package Contents Chapter 4 Installing the ASA 5505 [Figure 4-1: Contents of Cisco ASA 5505 Package. Labels: Cisco ASA 5505, power supply adapter, blue console cable, cable (US shown), yellow Ethernet cable, documentation] ASA 5505 Getting Started Guide 4-2 78-18003-02
Installation Guide
Page 3
...PoE Ports and Devices On the Cisco ASA 5505, switch ports Ethernet 0/6 and Ethernet 0/7 support PoE devices that are compliant with some Cisco Powered Device (PD) models. • The Cisco IP Phone 7970 is always in low-power mode when drawing power from the Cisco ASA 5505. 78-18003-02 ASA 5505 Getting Started Guide 4-3 If you... PoE ports. • Do not disable auto-negotiation (force speed and duplex) on its own. Using crossover cable does not enable the Cisco ASA 5505 to provide power to these ports are the only ports that can also be powered on E0/6 and E0/7 when using them to a ...
Installation Guide
Page 4
... support PoE (ports numbered 6 and 7). The part number for ordering a wall-mount kit for the Cisco ASA 5505 is ASA-5505-WALL-MNT= , the part number for ordering a rack-mount kit for the Cisco ASA 5505 is , the Internet): a. b. Connect Port 0 to RJ-45 Ethernet cable. For information on a...to a network interface, perform the following steps: Step 1 Step 2 Place the chassis on wall-mounting or rack-mounting the Cisco ASA 5505, see "Mounting the ASA 5505 Chassis" section in Figure 4-2. (Typically Ethernet port 0 is the outside port. If you are connecting any Power over Ethernet ...
Installation Guide
Page 5
... cable because ports 0 through 5 are switched ports and ports 6 and 7 are PoE ports and both require that you connect a straight through cable. 78-18003-02 ASA 5505 Getting Started Guide 4-5 Chapter 4 Installing the ASA 5505 Connecting to Network Interfaces Figure 4-2 Connecting to a device, such as a router, desktop computer, or printer.
Installation Guide
Page 6
... using ASDM for setup and configuration, see the "Front Panel Components" section on the device. ASA 5505 Getting Started Guide 4-6 78-18003-02 Powering on the Cisco ASA 5505 Chapter 4 Installing the ASA 5505 Powering on the Cisco ASA 5505 To power on the Cisco ASA 5505, perform the following steps: Step 1 Make sure that the speed of the PC interface to be...