To access all documents related to this product, go to:
http://www.cisco.com/en/US/docs/security/asa/roadmap/asaroadmap.html
For switch and software compatibility with the ASA Services Module (ASASM), see the following: http://www.cisco.com/en/US/docs/security/asa/compatibility/asamatrx.html. The switch runs Cisco IOS software on both the switch supervisor engine and the integrated Multilayer Switch Feature Card (MSFC). The ASASM runs its own operating system.
The connection between the ASASM and the switch is a single 20-GB interface.
Although you need the MSFC as part of your system, you do not have to use it. If you choose to do so, you can assign one or more VLAN interfaces to the MSFC (known as switched virtual interfaces (SVIs)). You can alternatively use an external router instead of the MSFC.
In single context mode, you can place the MSFC or router in front of the ASASM or behind the ASASM; location depends on the VLANs that you assign to the ASASM interfaces.
For multiple context mode, if you place the MSFC or router behind the ASASM, you should only connect it to a single context. If you connect it to multiple contexts, the MSFC/router will route between the contexts, which might not be your intention. The typical scenario for multiple contexts is to use a router in front of all the contexts to route between the Internet and the switched networks.
Verify that the switch acknowledges the ASASM and has brought it online. (If you need to install your ASASM, see the module installation guide on Cisco.com.)
Step 1 Enter the following command to ensure that the Status column shows “Ok” for the ASASM:
For a switch in a VSS, enter the switch argument.
The ASASM does not include any external physical interfaces. Instead, it uses VLAN interfaces passed down from the supervisor. Perform the following steps at the switch CLI to pass down VLANs from the supervisor.
Step 1 At the switch CLI, assign VLANs to a firewall group:
Step 2 Assign the firewall groups to the ASASM:
For a switch in a VSS, enter the switch argument.
The following example shows how to configure private VLANs on the switch by assigning the primary VLAN to the ASASM:
Step 1 At the switch CLI, add the primary VLAN 200 to a firewall VLAN group, and assign the group to the ASASM:
Step 2 Designate VLAN 200 as the primary VLAN:
Step 3 Designate only one secondary isolated VLAN. Designate one or more secondary community VLANs.
Step 4 Associate the secondary VLANs to the primary VLAN:
Step 5 Classify the port mode. The mode of interface f1/0/1 is host. The mode of interface f1/0/2 is promiscuous.
Step 6 Assign VLAN membership to the host port. Interface f1/0/1 is a member of primary VLAN 200 and secondary isolated VLAN 501.
Step 7 Assign VLAN membership to the promiscuous interface. Interface f1/0/2 is a member of primary VLAN 200. Secondary VLANs 501-503 are mapped to the primary VLAN.
Step 8 If inter-VLAN routing is desired, configure a primary SVI and then map the secondary VLANs to the primary.
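The private-VLAN procedure above only isolates hosts correctly when every piece agrees: one primary, exactly one isolated secondary, the association list, the host-port binding, the promiscuous mapping, and the primary VLAN being handed to the ASASM. The following script is an added example (not Cisco's code and not part of this guide) that checks those relationships over a constructed switch configuration using the values from the steps (VLAN 200, 501-503, f1/0/1, f1/0/2); the command syntax it parses is assumed from Cisco IOS private-VLAN and firewall vlan-group configuration, and the function names are hypothetical.

```python
import re

# Constructed switch configuration mirroring the values in the steps above
# (primary VLAN 200, isolated VLAN 501, community VLANs 502-503, host port
# f1/0/1, promiscuous port f1/0/2). Command syntax is assumed from Cisco IOS
# private-VLAN and firewall vlan-group configuration; verify it on your platform.
SAMPLE_CONFIG = """
firewall vlan-group 50 200
firewall module 1 vlan-group 50
vlan 200
 private-vlan primary
 private-vlan association 501-503
vlan 501
 private-vlan isolated
vlan 502
 private-vlan community
vlan 503
 private-vlan community
interface f1/0/1
 switchport mode private-vlan host
 switchport private-vlan host-association 200 501
interface f1/0/2
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 200 501-503
"""

def expand(spec):
    """'501-503,600' -> {501, 502, 503, 600}"""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def parse_config(text):
    """Collect VLAN roles/associations, port bindings and the VLANs handed to the ASASM."""
    vlans, ports, groups, used = {}, {}, {}, set()
    kind, cur = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw.startswith(" "):            # an unindented command starts a new block
            kind, cur = None, None
            if m := re.match(r"vlan (\d+)$", line):
                kind, cur = "vlan", vlans.setdefault(int(m.group(1)), {"type": None, "assoc": set()})
            elif m := re.match(r"interface (\S+)$", line):
                kind, cur = "port", ports.setdefault(m.group(1), {"mode": None, "primary": None, "sec": set()})
            elif m := re.match(r"firewall vlan-group (\d+) (\S+)$", line):
                groups[int(m.group(1))] = expand(m.group(2))
            elif m := re.match(r"firewall module \d+ vlan-group (\S+)$", line):
                used |= expand(m.group(1))
        elif kind == "vlan":
            if m := re.match(r"private-vlan (primary|isolated|community)$", line):
                cur["type"] = m.group(1)
            elif m := re.match(r"private-vlan association (\S+)$", line):
                cur["assoc"] = expand(m.group(1))
        elif kind == "port":
            if m := re.match(r"switchport mode private-vlan (host|promiscuous)$", line):
                cur["mode"] = m.group(1)
            elif m := re.match(r"switchport private-vlan (?:host-association|mapping) (\d+) (\S+)$", line):
                cur["primary"], cur["sec"] = int(m.group(1)), expand(m.group(2))
    fw_vlans = set().union(*(groups.get(g, set()) for g in used))
    return vlans, ports, fw_vlans

def check_private_vlan(text):
    """Return a list of problems; an empty list means the configuration is consistent."""
    vlans, ports, fw_vlans = parse_config(text)
    primaries = [v for v, d in vlans.items() if d["type"] == "primary"]
    if len(primaries) != 1:
        return [f"expected exactly one primary VLAN, found {primaries}"]
    primary, assoc = primaries[0], vlans[primaries[0]]["assoc"]
    problems = []
    isolated = [v for v, d in vlans.items() if d["type"] == "isolated"]
    if len(isolated) != 1:
        problems.append(f"expected exactly one isolated VLAN, found {isolated}")
    secondaries = {v for v, d in vlans.items() if d["type"] in ("isolated", "community")}
    if assoc != secondaries:
        problems.append(f"VLAN {primary} associates {sorted(assoc)} but the secondaries are {sorted(secondaries)}")
    if primary not in fw_vlans:
        problems.append(f"primary VLAN {primary} is not in a VLAN group assigned to the ASASM")
    for name, p in ports.items():
        if p["mode"] == "host" and (p["primary"] != primary or not p["sec"] <= assoc):
            problems.append(f"{name}: host port bound to {p['primary']}/{sorted(p['sec'])}, not an associated secondary")
        if p["mode"] == "promiscuous" and (p["primary"] != primary or p["sec"] != assoc):
            problems.append(f"{name}: promiscuous mapping {sorted(p['sec'])} does not match {sorted(assoc)}")
    return problems

if __name__ == "__main__":
    print(check_private_vlan(SAMPLE_CONFIG) or "private-VLAN configuration is consistent")
```

Run it against the text of a running configuration (for example, saved output of show running-config) in place of SAMPLE_CONFIG; a mapping that omits a secondary VLAN, or a second isolated VLAN, is reported by port or VLAN number.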
If you want to use the MSFC as a directly-connected router (for example, as the default gateway connected to the ASASM outside interface), then add an ASASM VLAN interface to the MSFC as a switched virtual interface (SVI).
Step 1 (Optional) At the switch CLI, enable multiple SVIs:
By default, you can add only one SVI; to understand the caveats for multiple SVIs, see SVI Guidelines.
Step 2 Add a VLAN interface to the MSFC:
Step 3 Set the IP address for this interface on the MSFC:
The following example shows a typical configuration with multiple SVIs:
From the switch CLI, you can connect to a virtual console session on the ASASM.
For a switch in a VSS, enter the switch argument.
Step 2 Access privileged EXEC mode, which is the highest privilege level:
Enter the enable password at the prompt. By default, the password is blank.
Step 3 Access global configuration mode:
If you do not log out of the ASASM, the console connection persists; there is no timeout. To end the ASASM console session and access the switch CLI, perform the following steps.
To kill another user’s active connection, which may have been unintentionally left open, see the configuration guide.
Step 1 To return to the switch CLI, type:
You return to the switch prompt.
Note: Shift-6 on US and UK keyboards issues the caret (^) character. If you have a different keyboard and cannot issue the caret (^) character as a standalone character, you can temporarily change the escape character to a different character. In Cisco IOS, before you session to the ASASM, use the terminal escape-character ascii_number command. For example, to temporarily change the sequence to Ctrl-w, x, enter terminal escape-character 23.
Because the ASASM does not have physical interfaces, it does not come pre-configured for ASDM access; you must configure ASDM access using the CLI on the ASASM.
Step 1 (Optional) Enable transparent firewall mode:
This command clears your configuration. See the configuration guide for more information.
Step 2 Do one of the following to configure a management interface, depending on your mode:
Routed mode: assign the address (ip address ip_address [mask]) directly to the VLAN interface and name it:
ciscoasa(config)# interface vlan 1
ciscoasa(config-if)# ip address 192.168.1.1 255.255.255.0
ciscoasa(config-if)# nameif inside
Transparent mode: assign the address to a bridge virtual interface (BVI), then add the VLAN interface to the bridge group and name it:
ciscoasa(config)# interface bvi 1
ciscoasa(config-if)# ip address 192.168.1.1 255.255.255.0
ciscoasa(config)# interface vlan 1
ciscoasa(config-if)# bridge-group 1
ciscoasa(config-if)# nameif inside
Step 3 (For directly-connected management hosts) Enable DHCP for the management host on the management interface network:
Make sure you do not include the management address in the range.
Step 4 (For remote management hosts) Configure a route to the management hosts:
Step 5 Enable the HTTP server for ASDM:
Step 6 Allow the management host to access ASDM:
Step 7 Save the configuration:
Step 8 (Optional) Set the mode to multiple mode:
When prompted, confirm that you want to convert the existing configuration to be the admin context. You are then prompted to reload the ASASM. See the configuration guide for more information.
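Steps 2 through 6 above leave three things that are easy to get subtly wrong: the DHCP pool must sit inside the management subnet and must not contain the management address itself (Step 3), the HTTP server must be enabled (Step 5), and the hosts allowed to reach ASDM should be a specific network rather than any source (Step 6). The script below is an added example (not Cisco's code and not part of this guide) that checks those points over constructed routed-mode and transparent-mode ASA configurations built from the addresses in the steps; the command syntax it parses is assumed from the ASA CLI, it assumes a BVI is defined before the VLAN interface that joins it, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed ASA configuration in routed mode, using the addresses from the
# steps above; command syntax is assumed from the ASA CLI.
ROUTED_CONFIG = """
interface vlan 1
 ip address 192.168.1.1 255.255.255.0
 nameif inside
dhcpd address 192.168.1.2-192.168.1.254 inside
dhcpd enable inside
http server enable
http 192.168.1.0 255.255.255.0 inside
"""

# Constructed transparent-mode variant: the address lives on the BVI and the
# VLAN interface joins it with bridge-group.
TRANSPARENT_CONFIG = """
interface bvi 1
 ip address 192.168.1.1 255.255.255.0
interface vlan 1
 bridge-group 1
 nameif inside
dhcpd address 192.168.1.2-192.168.1.254 inside
http server enable
http 192.168.1.0 255.255.255.0 inside
"""

def parse_asa_config(text):
    """Map nameif -> IPv4Interface, and collect DHCP pools and ASDM (http) access rules."""
    ifaces, pools, http_allowed, http_enabled = {}, [], [], False
    current, pending_ip, bvi_ips = None, None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current, pending_ip = line[len("interface "):], None
        elif m := re.match(r"ip address (\S+) (\S+)$", line):
            pending_ip = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
            if current and current.startswith("bvi"):
                bvi_ips[current] = pending_ip            # remembered for members added later
        elif m := re.match(r"bridge-group (\d+)$", line):
            pending_ip = bvi_ips.get(f"bvi {m.group(1)}")  # assumes the BVI was defined first
        elif m := re.match(r"nameif (\S+)$", line):
            ifaces[m.group(1)] = pending_ip
        elif m := re.match(r"dhcpd address (\S+)-(\S+) (\S+)$", line):
            pools.append((ipaddress.IPv4Address(m.group(1)), ipaddress.IPv4Address(m.group(2)), m.group(3)))
        elif line == "http server enable":
            http_enabled = True
        elif m := re.match(r"http (\S+) (\S+) (\S+)$", line):
            http_allowed.append((ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}"), m.group(3)))
    return ifaces, pools, http_allowed, http_enabled

def check_management_access(text):
    """Return a list of problems; an empty list means the management-access settings are consistent."""
    ifaces, pools, http_allowed, http_enabled = parse_asa_config(text)
    problems = []
    for first, last, ifname in pools:
        mgmt = ifaces.get(ifname)
        if mgmt is None:
            problems.append(f"dhcpd pool on {ifname}, which has no IP address")
            continue
        if first not in mgmt.network or last not in mgmt.network:
            problems.append(f"dhcpd pool {first}-{last} lies outside {mgmt.network}")
        if first <= mgmt.ip <= last:
            problems.append(f"dhcpd pool {first}-{last} includes the management address {mgmt.ip}")
    if not http_enabled:
        problems.append("'http server enable' is missing; ASDM cannot connect")
    if not http_allowed:
        problems.append("no 'http <network> <mask> <interface>' line; no host may reach ASDM")
    for net, ifname in http_allowed:
        if net.prefixlen == 0:
            problems.append(f"http access on {ifname} permits any source ({net}); restrict it to the management hosts")
    return problems

if __name__ == "__main__":
    for name, cfg in (("routed", ROUTED_CONFIG), ("transparent", TRANSPARENT_CONFIG)):
        print(name, check_management_access(cfg) or "management access settings are consistent")
```

The pool check is the one that matters most in practice: a pool that starts at the interface address hands the firewall's own management address to a client and makes ASDM unreachable from the very host you are configuring from.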
Using ASDM, you can use wizards to configure basic and advanced features. ASDM is a graphical user interface that allows you to manage the ASASM from any location by using a web browser.
See the ASDM release notes on Cisco.com for the requirements to run ASDM.
Step 1 On the PC connected to the ASASM management VLAN, launch a web browser.
Step 2 In the Address field, enter the following URL:
https://management_ip_address/admin
The Cisco ASDM web page appears.
Step 3 Click Run Startup Wizard.
Step 4 Accept any certificates according to the dialog boxes that appear. The Cisco ASDM-IDM Launcher appears.
Step 5 Leave the username and password fields empty, and click OK. The main ASDM window appears and the Startup Wizard opens.
Run the Startup Wizard (choose Wizards > Startup Wizard) so that you can customize the security policy to suit your deployment. Using the startup wizard, you can set the following:
The Configuration > Firewall > Public Servers pane automatically configures the security policy to make an inside server accessible from the Internet. As a business owner, you might have internal network services, such as a web and FTP server, that need to be available to an outside user. You can place these services on a separate network behind the ASASM, called a demilitarized zone (DMZ). By placing the public servers on the DMZ, any attacks launched against the public servers do not affect your inside networks.
You can configure VPN using the following wizards (Wizards > VPN Wizards):
You can optionally run the following additional wizards in ASDM. There may be other wizards available as well.
Configure failover, VPN load balancing, or ASA clustering.
Configure and run packet capture. The wizard will run one packet capture on each of the ingress and egress interfaces. After capturing packets, you can save the packet captures to your PC for examination and replay in the packet analyzer.
To continue configuring your ASASM, see the documents available for your software version at:
http://www.cisco.com/en/US/docs/security/asa/roadmap/asaroadmap.html
VLAN Guidelines and Limitations
In Cisco IOS software Version 12.2SXJ1 and earlier, for each ASASM in a switch, the SPAN reflector feature is enabled. This feature allows multicast traffic (and other traffic that requires a central rewrite engine) to be switched when coming from the ASASM. The SPAN reflector feature uses one SPAN session. To disable this feature, enter the following command:
ASA and Cisco IOS Feature Interaction Guidelines
Some ASASM features interact with Cisco IOS features. The following features involve Cisco IOS software:
If you want to use the MSFC as a directly connected router (for example, as the default gateway connected to the ASASM outside interface), then add an ASASM VLAN interface to the MSFC as a switched virtual interface (SVI).
For security reasons, by default, you can configure one SVI between the MSFC and the ASASM; you can enable multiple SVIs, but be sure you do not misconfigure your network.
For example, with multiple SVIs, you could accidentally allow traffic to pass around the ASASM by assigning both the inside and outside VLANs to the MSFC. (See Figure 1.)
Figure 1 Multiple SVI Misconfiguration
You might need to bypass the ASASM in some network scenarios. Figure 2 shows an IPX host on the same Ethernet segment as IP hosts. Because the ASASM in routed firewall mode only handles IP traffic and drops other protocol traffic like IPX (transparent firewall mode can optionally allow non-IP traffic), you might want to bypass the ASASM for IPX traffic. Make sure that you configure the MSFC with an access list that allows only IPX traffic to pass on VLAN 201.
Figure 2 Multiple SVIs for IPX
For transparent firewalls in multiple context mode, you need to use multiple SVIs because each context requires a unique VLAN on its outside interface (see Figure 3). You might also choose to use multiple SVIs in routed mode so that you do not have to share a single VLAN for the outside interface.
Figure 3 Multiple SVIs in Multiple Context Mode
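The misconfiguration in Figure 1 (and the reason the MSFC SVI procedure earlier in this guide enables multiple SVIs only as an optional step) is that once the MSFC has an SVI on more than one of the VLANs assigned to the ASASM, it can route between those VLANs without the traffic ever crossing the firewall. The script below is an added example (not Cisco's code and not part of this guide) that reads a constructed switch configuration and a constructed ASASM configuration, works out which ASASM VLANs also have an MSFC SVI, and reports when there is more than one; the command syntax it parses (firewall vlan-group, firewall module ... vlan-group, interface VlanN, nameif) is assumed from the IOS and ASA CLIs, and the function names are hypothetical. Whether a reported pair is a problem still depends on your design: the legitimate multiple-SVI cases above (IPX bypass, transparent mode in multiple context mode) will be reported too, and that is the point at which you confirm the MSFC access list or context layout makes the bypass harmless.

```python
import re

# Constructed switch (MSFC) configuration: VLANs 100 and 200 are handed to the
# ASASM in slot 1, and the MSFC has one SVI, on VLAN 100, acting as the directly
# connected router for the ASASM outside interface. Syntax assumed from Cisco IOS.
SWITCH_CONFIG = """
firewall vlan-group 50 100,200
firewall module 1 vlan-group 50
interface Vlan100
 ip address 10.1.1.1 255.255.255.0
"""

# Constructed ASASM configuration naming the two VLAN interfaces (ASA CLI syntax assumed).
ASASM_CONFIG = """
interface vlan 100
 nameif outside
interface vlan 200
 nameif inside
"""

def expand(spec):
    """'100,200-202' -> {100, 200, 201, 202}"""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def asasm_vlans(switch_cfg):
    """VLANs handed to the ASASM: the union of every group named in 'firewall module ... vlan-group'."""
    groups, used = {}, set()
    for raw in switch_cfg.splitlines():
        line = raw.strip()
        if m := re.match(r"firewall vlan-group (\d+) (\S+)$", line):
            groups[int(m.group(1))] = expand(m.group(2))
        elif m := re.match(r"firewall module \d+ vlan-group (\S+)$", line):
            used |= expand(m.group(1))
    return set().union(*(groups.get(g, set()) for g in used))

def vlan_interfaces(cfg):
    """VLAN number -> nameif (ASA) or None (IOS SVI) for every 'interface vlan N' / 'interface VlanN' block."""
    result, current = {}, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if m := re.match(r"interface vlan ?(\d+)$", line, re.I):
            current = int(m.group(1))
            result[current] = None
        elif m := re.match(r"nameif (\S+)$", line):
            if current is not None:
                result[current] = m.group(1)
        elif line.startswith("interface "):        # some other interface type ends the VLAN block
            current = None
    return result

def check_svi_bypass(switch_cfg, asasm_cfg):
    """Report when the MSFC has SVIs on two or more ASASM VLANs (the Figure 1 condition)."""
    fw_vlans = asasm_vlans(switch_cfg)
    svis = {v for v in vlan_interfaces(switch_cfg) if v in fw_vlans}
    names = vlan_interfaces(asasm_cfg)
    problems = []
    if len(svis) > 1:
        detail = ", ".join(f"VLAN {v} ({names.get(v) or 'unnamed'})" for v in sorted(svis))
        problems.append(f"MSFC has SVIs on {len(svis)} ASASM VLANs: {detail}; "
                        "it can route between them around the firewall")
    return problems

if __name__ == "__main__":
    print(check_svi_bypass(SWITCH_CONFIG, ASASM_CONFIG) or "only one ASASM VLAN has an MSFC SVI")
```

Feed it the switch's and the ASASM's running configurations instead of the constructed text; in multiple context mode, run it once per context's configuration so that each context's VLANs are checked against the MSFC separately.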
Switch Configuration Guidelines for ASA Failover
The switch supervisor sends an autostate message to the ASASM when:
– The last interface belonging to a VLAN goes down.
– The first interface belonging to a VLAN comes up.
To enable autostate messaging in Cisco IOS software, enter the following command:
This section describes how to reset the ASASM. You might need to reset the ASASM if you cannot reach it through the CLI or an external Telnet session. The reset process might take several minutes.
For a switch in a VSS, enter the switch argument.
The slot argument indicates the slot number in which the module is installed. To view the slots where the ASASM is installed, enter the show module command.
Note To reset the ASASM when you are already logged in to it, enter either the reload or reboot command.
To monitor the ASASM, enter one of the following commands on the switch:
The following table lists each feature change and the platform release in which it was implemented.