Cisco ASA Services Module Quick Start Guide
Available Languages
Table of Contents
Log Out of the ASA Services Module
(Optional) Allow Access to Public Servers Behind the ASA Services Module
Guidelines for the ASA Services Module
Monitoring the ASA Services Module
History for the ASA Services Module
Cisco ASA Services Module
About the ASA Services Module in the Switch Network
Verify the Module Installation
Assign VLANs to the ASA Services Module
Use the MSFC as a Directly-Connected Router
Log Into the ASA Services Module
To access all documents related to this product, go to:
http://www.cisco.com/en/US/docs/security/asa/roadmap/asaroadmap.html
About the ASA Services Module in the Switch Network
For switch and software compatibility with the ASA Services Module (ASASM), see the following: http://www.cisco.com/en/US/docs/security/asa/compatibility/asamatrx.html. The switch runs Cisco IOS software on both the switch supervisor engine and the integrated Multilayer Switch Feature Card (MSFC). The ASASM runs its own operating system.
The connection between the ASASM and the switch is a single 20-GB interface.
Although you need the MSFC as part of your system, you do not have to use it. If you choose to do so, you can assign one or more VLAN interfaces to the MSFC (known as switched virtual interfaces (SVIs)). You can alternatively use an external router instead of the MSFC.
In single context mode, you can place the MSFC or router in front of the ASASM or behind the ASASM; location depends on the VLANs that you assign to the ASASM interfaces.
For multiple context mode, if you place the MSFC or router behind the ASASM, you should only connect it to a single context. If you connect it to multiple contexts, the MSFC/router will route between the contexts, which might not be your intention. The typical scenario for multiple contexts is to use a router in front of all the contexts to route between the Internet and the switched networks.
Verify the Module Installation
Verify that the switch acknowledges the ASASM and has brought it online. (If you need to install your ASASM, see the module installation guide on Cisco.com.)
Step 1
Enter the following command to ensure that the Status column shows “Ok” for the ASASM:
For a switch in a VSS, enter the switch argument.
Assign VLANs to the ASA Services Module
The ASASM does not include any external physical interfaces. Instead, it uses VLAN interfaces passed down from the supervisor. Perform the following steps at the switch CLI to pass down VLANs from the supervisor.
- Assign up to 16 firewall VLAN groups to each ASASM. (You can create more than 16 VLAN groups in Cisco IOS software, but only 16 can be assigned per ASASM.) For example, you can assign all the VLANs to one group; or you can create an inside group and an outside group; or you can create a group for each customer.
- There is no limit on the number of VLANs per group, but the ASASM can only use VLANs up to the ASASM system limit (see the ASASM licensing documentation for more information).
- You cannot assign the same VLAN to multiple firewall groups.
- You can assign a single firewall group to multiple ASASMs. VLANs that you want to assign to multiple ASASMs, for example, can reside in a separate group from VLANs that are unique to each ASASM.
- See also VLAN Guidelines and Limitations.
Step 1 At the switch CLI, assign VLANs to a firewall group:
Step 2 Assign the firewall groups to the ASASM:
For a switch in a VSS, enter the switch argument.
The following example shows how to configure private VLANs on the switch by assigning the primary VLAN to the ASASM:
Step 1 At the switch CLI, add the primary VLAN 200 to a firewall VLAN group, and assign the group to the ASASM:
Step 2 Designate VLAN 200 as the primary VLAN:
Step 3 Designate only one secondary isolated VLAN. Designate one or more secondary community VLANs.
Step 4 Associate the secondary VLANs to the primary VLAN:
Step 5 Classify the port mode. The mode of interface f1/0/1 is host. The mode of interface f1/0/2 is promiscuous.
Step 6 Assign VLAN membership to the host port. Interface f1/0/1 is a member of primary VLAN 200 and secondary isolated VLAN 501.
Step 7 Assign VLAN membership to the promiscuous interface. Interface f1/0/2 is a member of primary VLAN 200. Secondary VLANs 501-503 are mapped to the primary VLAN.
Step 8 If inter-VLAN routing is desired, configure a primary SVI and then map the secondary VLANs to the primary.
Use the MSFC as a Directly-Connected Router
If you want to use the MSFC as a directly-connected router (for example, as the default gateway connected to the ASASM outside interface), then add an ASASM VLAN interface to the MSFC as a switched virtual interface (SVI).
Step 1 (Optional) At the switch CLI, enable multiple SVIs:
By default, you can add only one SVI; to understand the caveats for multiple SVIs, see SVI Guidelines.
Step 2 Add a VLAN interface to the MSFC:
Step 3 Set the IP address for this interface on the MSFC:
The following example shows a typical configuration with multiple SVIs:
Log Into the ASA Services Module
From the switch CLI, you can connect to a virtual console session on the ASASM.
For a switch in a VSS, enter the switch argument.
Step 2 Access privileged EXEC mode, which is the highest privilege level:
Enter the enable password at the prompt. By default, the password is blank.
Step 3 Access global configuration mode:
Log Out of the ASA Services Module
If you do not log out of the ASASM, the console connection persists; there is no timeout. To end the ASASM console session and access the switch CLI, perform the following steps.
To kill another user’s active connection, which may have been unintentionally left open, see the configuration guide.
Step 1 To return to the switch CLI, type:
You return to the switch prompt.
Note: Shift-6 on US and UK keyboards issues the caret (^) character. If you have a different keyboard and cannot issue the caret (^) character as a standalone character, you can temporarily change the escape character to a different character. In Cisco IOS, before you session to the ASASM, use the terminal escape-character ascii_number command. For example, to temporarily change the sequence to Ctrl-w, x, enter terminal escape-character 23.
Configure ASDM Connectivity
Because the ASASM does not have physical interfaces, it does not come pre-configured for ASDM access; you must configure ASDM access using the CLI on the ASASM.
Step 1 (Optional) Enable transparent firewall mode:
This command clears your configuration. See the configuration guide for more information.
Step 2 Do one of the following to configure a management interface, depending on your mode:
ip address ip_address [ mask ]
Example:
ciscoasa(config)# interface vlan 1
ciscoasa(config-if)# ip address 192.168.1.1 255.255.255.0
ciscoasa(config-if)# nameif inside
The security_level is a number between 1 and 100, where 100 is the most secure.
Example:
ciscoasa(config)# interface bvi 1
ciscoasa(config-if)# ip address 192.168.1.1 255.255.255.0
ciscoasa(config)# interface vlan 1
ciscoasa(config-if)# bridge-group 1
ciscoasa(config-if)# nameif inside
The security_level is a number between 1 and 100, where 100 is the most secure.
Step 3 (For directly-connected management hosts) Enable DHCP for the management host on the management interface network:
Make sure you do not include the management address in the range.
Step 4 (For remote management hosts) Configure a route to the management hosts:
Step 5 Enable the HTTP server for ASDM:
Step 6 Allow the management host to access ASDM:
Step 7 Save the configuration:
Step 8 (Optional) Set the mode to multiple mode:
When prompted, confirm that you want to convert the existing configuration to be the admin context. You are then prompted to reload the ASASM. See the configuration guide for more information.
Launch ASDM
Using ASDM, you can use wizards to configure basic and advanced features. ASDM is a graphical user interface that allows you to manage the ASASM from any location by using a web browser.
See the ASDM release notes on Cisco.com for the requirements to run ASDM.
Step 1 On the PC connected to the ASASM management VLAN, launch a web browser.
Step 2 In the Address field, enter the following URL:
https:// management_ip_address /admin
The Cisco ASDM web page appears.
Step 3 Click Run Startup Wizard.
Step 4 Accept any certificates according to the dialog boxes that appear. The Cisco ASDM-IDM Launcher appears.
Step 5 Leave the username and password fields empty, and click OK. The main ASDM window appears and the Startup Wizard opens.
Run ASDM Wizards
Run the Startup Wizard
Run the Startup Wizard (choose Wizards > Startup Wizard) so that you can customize the security policy to suit your deployment. Using the startup wizard, you can set the following:
(Optional) Allow Access to Public Servers Behind the ASA Services Module
The Configuration > Firewall > Public Servers pane automatically configures the security policy to make an inside server accessible from the Internet. As a business owner, you might have internal network services, such as a web and FTP server, that need to be available to an outside user. You can place these services on a separate network behind the ASASM, called a demilitarized zone (DMZ). By placing the public servers on the DMZ, any attacks launched against the public servers do not affect your inside networks.
(Optional) Run VPN Wizards
You can configure VPN using the following wizards (Wizards > VPN Wizards) :
- Site-to-Site VPN Wizard—Creates an IPsec site-to-site tunnel between two ASASMs.
- AnyConnect VPN Wizard—Configures SSL VPN remote access for the Cisco AnyConnect VPN client. AnyConnect provides secure SSL connections to the ASASM for remote users with full VPN tunneling to corporate resources. The ASASM policy can be configured to download the AnyConnect client to remote users when they initially connect via a browser. With AnyConnect 3.0 and later, the client can run either the SSL or IPsec IKEv2 VPN protocol.
- Clientless SSL VPN Wizard—Configures clientless SSL VPN remote access for a browser. Clientless, browser-based SSL VPN lets users establish a secure, remote-access VPN tunnel to the ASASM using a web browser. After authentication, users access a portal page and can access specific, supported internal resources. The network administrator provides access to resources by users on a group basis. ACLs can be applied to restrict or allow access to specific corporate resources.
- IPsec (IKEv1) Remote Access VPN Wizard—Configures IPsec VPN remote access for the Cisco IPsec client.
(Optional) Run Other Wizards
You can optionally run the following additional wizards in ASDM. There may be other wizards available as well.
Configure failover, VPN load balancing, or ASA clustering.
Configure and run packet capture. The wizard will run one packet capture on each of the ingress and egress interfaces. After capturing packets, you can save the packet captures to your PC for examination and replay in the packet analyzer.
Advanced Configuration
To continue configuring your ASASM, see the documents available for your software version at:
http://www.cisco.com/en/US/docs/security/asa/roadmap/asaroadmap.html
Reference
Guidelines for the ASA Services Module
VLAN Guidelines and Limitations
- Use VLAN IDs 2 to 1001.
- You can use private VLANs with the ASASM. Assign the primary VLAN to the ASASM; the ASASM automatically handles secondary VLAN traffic. There is no configuration required on the ASASM for this feature; see the switch configuration guide for more information. See also the example in Assign VLANs to the ASA Services Module.
- You cannot use reserved VLANs.
- You cannot use VLAN 1.
- If you are using ASASM failover within the same switch chassis, do not assign the VLAN(s) that you are reserving for failover and stateful communications to a switch port. However, if you are using failover between chassis, you must include the VLANs in the trunk port between the chassis.
- If you do not add the VLANs to the switch before you assign them to the ASASM, the VLANs are stored in the supervisor engine database and are sent to the ASASM as soon as they are added to the switch.
- You can configure a VLAN in the ASASM configuration before it has been assigned on the switch. Note that when the switch sends the VLAN to the ASASM, the VLAN defaults to be administratively up on the ASASM, regardless of whether the you shut them down in the ASASM configuration. You need to shut them down again in this case.
In Cisco IOS software Version 12.2SXJ1 and earlier, for each ASASM in a switch, the SPAN reflector feature is enabled. This feature allows multicast traffic (and other traffic that requires a central rewrite engine) to be switched when coming from the ASASM. The SPAN reflector feature uses one SPAN session. To disable this feature, enter the following command:
ASA and Cisco IOS Feature Interaction Guidelines
Some ASASM features interact with Cisco IOS features. The following features involve Cisco IOS software:
- Virtual Switching System (VSS)—No ASASM configuration is required.
- Autostate—The supervisor informs the ASASM when the last interface on a given VLAN has gone down, which assists in determining whether or not a failover switch is required.
- Clearing entries in the supervisor MAC address table on a failover switch—No ASASM configuration is required.
- Version compatibility—The ASASM will be automatically powered down if the supervisor/ASASM version compatibility matrix check fails.
If you want to use the MSFC as a directly connected router (for example, as the default gateway connected to the ASASM outside interface), then add an ASASM VLAN interface to the MSFC as a switched virtual interface (SVI).
For security reasons, by default, you can configure one SVI between the MSFC and the ASASM; you can enable multiple SVIs, but be sure you do not misconfigure your network.
For example, with multiple SVIs, you could accidentally allow traffic to pass around the ASASM by assigning both the inside and outside VLANs to the MSFC. (See Figure 1.)
Figure 1 Multiple SVI Misconfiguration
You might need to bypass the ASASM in some network scenarios. Figure 2 shows an IPX host on the same Ethernet segment as IP hosts. Because the ASASM in routed firewall mode only handles IP traffic and drops other protocol traffic like IPX (transparent firewall mode can optionally allow non-IP traffic), you might want to bypass the ASASM for IPX traffic. Make sure that you configure the MSFC with an access list that allows only IPX traffic to pass on VLAN 201.
Figure 2 Multiple SVIs for IPX
For transparent firewalls in multiple context mode, you need to use multiple SVIs because each context requires a unique VLAN on its outside interface (see Figure 3). You might also choose to use multiple SVIs in routed mode so that you do not have to share a single VLAN for the outside interface.
Figure 3 Multiple SVIs in Multiple Context Mode
Switch Configuration Guidelines for ASA Failover
- Assign VLANs to the Secondary ASA Services Module—Because both units require the same access to the inside and outside networks, you must assign the same VLANs to both ASASMs on the switch(es).
- Add a Trunk Between a Primary Switch and Secondary Switch—If you are using inter-switch failover, then you should configure an 802.1Q VLAN trunk between the two switches to carry the failover and state links. The trunk should have QoS enabled so that failover VLAN packets, which have a CoS value of 5 (higher priority), are treated with higher priority in these ports. To configure the EtherChannel and trunk, see the documentation for your switch.
- Ensure Compatibility with Transparent Firewall Mode—To avoid loops when you use failover in transparent mode, use switch software that supports BPDU forwarding. Do not enable LoopGuard globally on the switch if the ASASM is in transparent mode. LoopGuard is automatically applied to the internal EtherChannel between the switch and the ASASM, so after a failover and a failback, LoopGuard causes the secondary unit to be disconnected because the EtherChannel goes into the err-disable state.
- Enable Autostate Messaging for Rapid Link Failure Detection—The supervisor engine can send autostate messages to the ASASM about the status of physical interfaces associated with ASASM VLANs. For example, when all physical interfaces associated with a VLAN go down, the autostate message tells the ASASM that the VLAN is down. This information lets the ASASM declare the VLAN as down, bypassing the interface monitoring tests normally required for determining which side suffered a link failure. Autostate messaging provides a dramatic improvement in the time the ASASM takes to detect a link failure (a few milliseconds as compared to up to 45 seconds without autostate support).
The switch supervisor sends an autostate message to the ASASM when:
– The last interface belonging to a VLAN goes down.
– The first interface belonging to a VLAN comes up.
To enable autostate messaging in Cisco IOS software, enter the following command:
Reset the ASA Services Module
This section describes how to reset the ASASM. You might need to reset the ASASM if you cannot reach it through the CLI or an external Telnet session. The reset process might take several minutes.
For a switch in a VSS, enter the switch argument.
The slot argument indicates the slot number in which the module is installed. To view the slots where the ASASM is installed, enter the show module command.
Note To reset the ASASM when you are already logged in to it. enter either the reload or reboot command.
Monitoring the ASA Services Module
To monitor the ASASM, enter one of the following commands on the switch:
History for the ASA Services Module
The following table lists each feature change and the platform release in which it was implemented.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
FeedbackContact Cisco
- Open a Support Case
- (Requires a Cisco Service Contract)