Cisco ASA 5500-X Series Firewalls
Cisco ASA 5505 Firewall Configuration
ASA 5505 common configuration (2009-06-01 16:13)

1. Set the firewall hostname
ciscoasa> enable
ciscoasa# configure terminal
ciscoasa(config)# hostname asa5505

2. Configure Telnet
asa5505(config)# telnet 192.168.1.0 255.255.255.0 inside   // allow the 192.168.1.0 subnet on the inside interface to Telnet to the firewall

3. Configure passwords
asa5505(config)# password cisco          // remote (login) password
asa5505(config)# enable password cisco   // privileged-mode password

4. Configure an IP address
asa5505(config)# interface vlan 2        // enter VLAN 2
asa5505(config-if)# ip address 218.xxx.37.222 255.255.255.192   // assign the VLAN 2 IP address
asa5505(config)# show ip address vlan2   // verify the configuration

5. Assign a port to a VLAN
asa5505(config)# interface e0/3          // enter interface e0/3
asa5505(config-if)# switchport access vlan 3   // put e0/3 into VLAN 3
asa5505(config)# interface vlan 3        // enter VLAN 3
asa5505(config-if)# ip address 10.10.10.36 255.255.255.224   // assign the VLAN 3 IP address
asa5505(config-if)# nameif dmz           // name VLAN 3
asa5505(config-if)# no shutdown          // bring the interface up
asa5505(config-if)# show switch vlan     // verify the configuration

6. Maximum transmission unit (MTU)
asa5505(config)# mtu inside 1500    // inside MTU 1500 bytes
asa5505(config)# mtu outside 1500   // outside MTU 1500 bytes
asa5505(config)# mtu dmz 1500       // dmz MTU 1500 bytes

7. ARP table timeout
asa5505(config)# arp timeout 14400  // ARP entries time out after 14400 seconds

8. FTP mode
asa5505(config)# ftp mode passive   // FTP passive mode

9. Domain name
asa5505(config)# domain-name 

10. Enable logging
asa5505(config)# logging enable                // enable logging
asa5505(config)# logging asdm informational    // send informational-level logs to ASDM
asa5505(config)# show logging                  // verify the configuration

11. Enable the HTTP server
asa5505(config)# http server enable   // start the HTTP server so ASDM can connect
Cisco Firepower Next-Generation Firewall (NGFW) Product Description
Data Sheet. Cisco Firepower Next-Generation Firewall (NGFW). The Cisco Firepower® NGFW (Next-Generation Firewall) is the industry's first fully integrated, threat-focused next-generation firewall with unified management.
The Cisco Firepower NGFW uniquely delivers advanced threat protection before, during and after an attack.
Stop more threats: block known and unknown malware with industry-leading Cisco® Advanced Malware Protection (AMP) and sandboxing.
Gain more insight: get superior visibility into your environment with Cisco Firepower Next-Generation IPS.
Automated risk ranking and impact flags let your team prioritize which threats to handle first.
Detect earlier, act faster: the Cisco Annual Security Report notes that the average time from infection to detection across organizations is 100 days.
Cut that time to less than a day.
Reduce complexity: get unified management and automated threat correlation across tightly integrated security functions, including application firewalling, NGIPS and AMP.
Get more from your network: strengthen security and make use of your existing investments by optionally integrating other Cisco and third-party network and security solutions.
Performance highlights. Support services let your IT staff contact Cisco technical support directly at any time. Table 1 summarizes the performance highlights of the Cisco Firepower 4100 Series NGFW, the 9300 Series security appliances, and selected Cisco ASA 5500-X appliances.
Table 1. Appliance feature highlights (throughput with Cisco Firepower Threat Defense)

Model                      FW + AVC        FW + AVC + NGIPS
Cisco Firepower 2110       2.0 Gbps        2.0 Gbps
Cisco Firepower 2120       3 Gbps          3 Gbps
Cisco Firepower 2130       4.75 Gbps       4.75 Gbps
Cisco Firepower 2140       8.5 Gbps        8.5 Gbps
Cisco Firepower 4110       12 Gbps         10 Gbps
Cisco Firepower 4120       20 Gbps         15 Gbps
Cisco Firepower 4140       25 Gbps         20 Gbps
Cisco Firepower 4150       30 Gbps         24 Gbps
Cisco Firepower 9300 (1 SM-24 module)   30 Gbps    24 Gbps
Cisco Firepower 9300 (1 SM-36 module)   42 Gbps    34 Gbps
Cisco Firepower 9300 (1 SM-44 module)   54 Gbps    53 Gbps
Cisco Firepower 9300 (3 SM-44 modules)  135 Gbps   133 Gbps
Cisco ASA 5506-FTD-X       250 Mbps        125 Mbps
Cisco ASA 5506W-FTD-X      250 Mbps        125 Mbps
Cisco ASA 5506H-FTD-X      250 Mbps        125 Mbps
Cisco ASA 5508-FTD-X       450 Mbps        250 Mbps
Cisco ASA 5516-FTD-X       850 Mbps        450 Mbps
Cisco ASA 5525-FTD-X       1100 Mbps       650 Mbps
Cisco ASA 5545-FTD-X       1500 Mbps       1000 Mbps
Cisco ASA 5555-FTD-X       1750 Mbps       1250 Mbps

1 HTTP sessions with an average packet size of 1024 bytes.
2 TCP firewall performance with 1024-byte packets.
Note: NGFW performance varies with the network and traffic mix.
Cisco ASA 5505 Firewall Configuration: A Working Example
Configuration requirements: 1. Divide the network into three zones: inside (internal network), outside (external network) and dmz (secure zone).
2. The inside network can reach the outside network and the server (web) in the dmz; the outside network can reach the server (web) in the dmz.
3. The dmz server exposes ports 80, 21 and 3389.
Note: because of the firewall license restriction "no forward interface Vlan1", the server in the dmz cannot reach the outside network.
The full configuration is as follows (I hope it helps those who need it):

ASA Version 7.2(4)
!
hostname asa5505
enable password tDElRpQcbH/qLvnn encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif outside
 security-level 0
 ip address 外网IP 外网掩码
!
interface Vlan2
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 172.16.1.1 255.255.255.0
!
interface Ethernet0/0
 description outside
!
interface Ethernet0/1
 description inside
 switchport access vlan 2
!
interface Ethernet0/2
 description dmz
 switchport access vlan 3
!
interface Ethernet0/3
 description inside
 switchport access vlan 2
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
ftp mode passive
object-group service outside-to-dmz tcp
 port-object eq www
 port-object eq ftp
 port-object eq 3389
access-list aaa extended permit tcp any host 外网IP object-group outside-to-dmz
access-list bbb extended permit tcp host 172.16.1.2 192.168.1.0 255.255.255.0 object-group outside-to-dmz
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (dmz) 1 172.16.1.10-172.16.1.254 netmask 255.255.255.0
nat (inside) 1 192.168.1.0 255.255.255.0
nat (dmz) 1 172.16.1.0 255.255.255.0
alias (inside) 221.203.36.86 172.16.1.2 255.255.255.255
static (dmz,outside) tcp interface www 172.16.1.2 www netmask 255.255.255.255 dns
static (dmz,outside) tcp interface ftp 172.16.1.2 ftp netmask 255.255.255.255 dns
static (dmz,outside) tcp interface 3389 172.16.1.2 3389 netmask 255.255.255.255 dns
static (inside,dmz) 172.16.1.2 192.168.1.0 netmask 255.255.255.255 dns
access-group aaa in interface outside
access-group bbb in interface dmz
route outside 0.0.0.0 0.0.0.0 外网网关 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect http
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:9d2a6010d4fc078cf026f98dcec96007
: end
asa5505(config)#
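As an added example (not part of the original post), the Python script below parses the exposure-relevant part of the configuration above and reports which dmz ports the outside ACL plus the static PAT entries actually expose, which zone is blocked by "no forward interface", and whether the exposed set matches the stated requirement (80, 21, 3389). The embedded config is a constructed excerpt of the post's config with the outside-IP placeholder replaced by the documentation address 203.0.113.10; the port-name table and the parser are this example's own.

```python
import re

PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ftp": 21, "ssh": 22, "telnet": 23}  # ASA port keywords used here

# Constructed sample: the exposure-relevant lines of the ASA 5505 config above,
# with the post's outside-IP placeholder replaced by the documentation address 203.0.113.10.
ASA_CONFIG = """\
interface Vlan1
 nameif outside
 security-level 0
!
interface Vlan2
 nameif inside
 security-level 100
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
!
object-group service outside-to-dmz tcp
 port-object eq www
 port-object eq ftp
 port-object eq 3389
access-list aaa extended permit tcp any host 203.0.113.10 object-group outside-to-dmz
access-list bbb extended permit tcp host 172.16.1.2 192.168.1.0 255.255.255.0 object-group outside-to-dmz
static (dmz,outside) tcp interface www 172.16.1.2 www netmask 255.255.255.255 dns
static (dmz,outside) tcp interface ftp 172.16.1.2 ftp netmask 255.255.255.255 dns
static (dmz,outside) tcp interface 3389 172.16.1.2 3389 netmask 255.255.255.255 dns
access-group aaa in interface outside
access-group bbb in interface dmz
"""


def port_number(token):
    """Resolve an ASA port keyword or numeric string to an integer port."""
    return int(token) if token.isdigit() else PORT_NAMES[token]


def parse_config(text):
    """Model the parts of the config that decide exposure: interfaces, service
    object-groups, extended TCP ACLs, static PAT entries and access-group bindings."""
    cfg = {"interfaces": {}, "groups": {}, "acls": {}, "statics": [], "bindings": {}}
    block = None  # interface dict or object-group set currently being filled
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if raw.startswith(" ") and isinstance(block, dict):  # inside an interface block
            if line.startswith("nameif "):
                cfg["interfaces"][line.split()[1]] = block
            elif line.startswith("security-level "):
                block["level"] = int(line.split()[1])
            elif line.startswith("no forward interface "):
                block["no_forward"].append(line.split()[3])
            continue
        if raw.startswith(" ") and isinstance(block, set):  # inside a service object-group
            if line.startswith("port-object eq "):
                block.add(port_number(line.split()[2]))
            continue
        block = None
        if line.startswith("interface "):
            block = {"id": line.split()[1], "level": None, "no_forward": []}
        elif line.startswith("object-group service "):
            block = cfg["groups"].setdefault(line.split()[2], set())
        elif m := re.match(r"access-list (\S+) extended (permit|deny) tcp (.+) object-group (\S+)$", line):
            cfg["acls"].setdefault(m.group(1), []).append(
                {"action": m.group(2), "match": m.group(3), "ports": cfg["groups"][m.group(4)]})
        elif m := re.match(r"static \((\S+),(\S+)\) tcp (\S+) (\S+) (\S+) (\S+)", line):
            cfg["statics"].append({"real_if": m.group(1), "mapped_if": m.group(2),
                                   "mapped_port": port_number(m.group(4)),
                                   "real_ip": m.group(5), "real_port": port_number(m.group(6))})
        elif m := re.match(r"access-group (\S+) in interface (\S+)", line):
            cfg["bindings"][m.group(2)] = m.group(1)  # interface -> ACL applied inbound
    return cfg


def exposed_from_outside(cfg):
    """{(real_ip, real_port)} reachable from outside: a static PAT mapped onto the outside
    interface whose mapped port the inbound outside ACL permits (ASA 7.x checks the
    outside ACL against the mapped address and port)."""
    permitted = set()
    for rule in cfg["acls"].get(cfg["bindings"].get("outside"), []):
        if rule["action"] == "permit":
            permitted |= rule["ports"]
    return {(s["real_ip"], s["real_port"]) for s in cfg["statics"]
            if s["mapped_if"] == "outside" and s["mapped_port"] in permitted}


def check_exposure(cfg, intended_ports):
    """Return (unexpected, missing) ports relative to the intended exposed set."""
    exposed = {port for _, port in exposed_from_outside(cfg)}
    return exposed - set(intended_ports), set(intended_ports) - exposed


def blocked_forwarding(cfg):
    """(zone, target) pairs where 'no forward interface' stops the zone initiating traffic."""
    by_id = {i["id"]: n for n, i in cfg["interfaces"].items()}
    return {(n, by_id.get(vid, vid)) for n, i in cfg["interfaces"].items()
            for vid in i["no_forward"]}
```

Running `check_exposure(parse_config(ASA_CONFIG), {80, 21, 3389})` returns two empty sets for this config; any extra static or object-group member would show up in the first set.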
Cisco ASA 5500 Series Overview
Cisco ASA 5500 Series Overview. The Cisco® ASA 5500 Series Adaptive Security Appliances are modular security platforms that deliver next-generation security and VPN services for environments ranging from small office/home office and small and medium businesses to large enterprises.
The Cisco ASA 5500 Series provides enterprises with comprehensive services, all of which can be tailored to the customer's requirements for firewall, intrusion prevention (IPS), Anti-X and VPN.
The editions of the Cisco ASA 5500 Series deliver the right security services in the right place, giving enterprises superior security protection.
Each edition includes a specific set of Cisco ASA services to meet the requirements of a particular environment within the enterprise network.
As the security needs of each location are met, overall network security is improved.
Because the Cisco ASA 5500 Series allows standardization on a single platform, it lowers overall security operating costs.
A unified configuration environment simplifies management and also reduces staff training costs.
In addition, the series' common hardware platform helps reduce spare-parts costs.
Each edition meets the needs of a specific enterprise environment:
∙ Firewall Edition: enables enterprises to deploy business-critical applications and networks securely and reliably.
Its unique modular design provides excellent investment protection and lowers operating costs.
∙ IPS Edition: protects business-critical servers and infrastructure from worms, hackers and other threats with a combination of firewall, application security and intrusion prevention services.
∙ Anti-X Edition: protects users at small or remote sites with a comprehensive suite of security services.
Enterprise-class firewall and VPN services provide secure connectivity to the corporate network.
Industry-leading Anti-X services from Trend Micro protect client systems against malicious websites and content-based threats such as viruses, spyware and phishing.
∙ SSL/IPsec VPN Edition: gives remote users secure access to internal network systems and services, and supports VPN clustering for large enterprise deployments.
Secure Sockets Layer (SSL) and IP Security (IPsec) VPN remote-access technologies combine threat-mitigation technologies such as Cisco Secure Desktop with firewall and intrusion prevention services, ensuring that VPN traffic does not bring threats into the enterprise.
ASA 5500-X Identity Firewall and CDA Configuration Guide
ASA 5500-X Identity Firewall and CDA Configuration Guide

Contents: 1. Purpose; 2. Network topology; 3. Installing and configuring CDA; 4. Installing the CX module on the ASA 5515-X; 5. Windows 2008 R2 configuration; 6. ASA-CX policy configuration; 7. ASA-CX functional verification.

1. Purpose. This document describes how to implement identity-based access policies and control on an ASA 5515-X firewall working together with the Cisco Context Directory Agent (CDA) software.
The main contents are: the steps to install and configure the CX module on the ASA 5515-X.
The steps to install and configure CDA.
What must be changed on the Windows 2008 R2 server for it to work with CDA.

2. Network topology. The network topology diagram for this configuration example follows:

3. Installing and configuring CDA. Cisco Context Directory Agent (CDA) is a software package; through CDA the CX module of the ASA 5515-X obtains the mapping between IP addresses and user identities, which makes identity-based security access policies possible on the ASA-CX.
The CDA software can be downloaded in ISO format from Cisco CCO.
The CDA software includes its own operating system; it can be installed on a dedicated x86 server or on a VMware ESX or ESXi virtual machine.
When installing on a VMware virtual machine, set the guest OS type to Linux CentOS 4/5 32-bit.
The steps to install and configure CDA on an ESXi 5.0 server are as follows. Step 1: download the CDA software from CCO: /download/type.html?mdfid=284143128&flowid=31442. Step 2: install CDA on VMware ESXi 5.0.
Step 3: after installation completes, type setup at the login prompt to perform basic configuration.
An example of the setup dialog:

localhost.localdomain login: setup
Press 'Ctrl-C' to abort setup
Enter Hostname[]: cda-server
Enter IP address []: 10.10.10.83
Enter IP netmask []: 255.255.255.0
Enter IP default gateway []: 10.10.10.3
Enter default DNS domain []: 
Enter primary nameserver []: 10.10.10.80
Enter secondary nameserver? Y/N: n
Enter primary NTP server []: 10.10.10.80
Enter secondary NTP server? Y/N: n
Enter system timezone [UTC]: Asia/Shanghai
Enter username [admin]: admin
Enter password:
Enter password again:
Bringing up the network interface...
Pinging the gateway...
Pinging the primary nameserver...
Do not use 'Ctrl-C' from this point on...
Installing applications...
Installing cda...
Pre install
Post Install
Application bundle (cda) installed successfully
=== Initial setup for application: cda ===
Generating configuration...
Rebooting...

Step 4: open a browser, go to https://10.10.10.83, enter the username and password created above, and log in to the CDA GUI.
Cisco ASA 5500 Series Firewalls
[Feature comparison table; the column headers (device models) were not recovered. Surviving rows, cells in source order:]
(Row label missing): Not available; Not available
Content security (antivirus, anti-trojan, file blocking): Not available; Yes (with CSC SSM); Yes (with CSC SSM); Yes (with CSC SSM)
(Row label missing): Not available; Not available; Not available; Not available; Yes; Yes; Yes; Yes; Yes
High availability support (footnote 4): Not supported; Stateless A/S; Not supported; A/A and A/S; A/A and A/S; A/A and A/S; A/A and A/S
ASA5540-K8: ASA 5540 Appliance with SW, HA, 4GE+1FE, DES. Reference price (RMB): 112,167
ASA5550-K8: ASA 5550 Appliance with SW, HA, 8GE+1FE, DES. Reference price (RMB): 131,967
(Row label missing): 512 MB; 1 GB; 4 GB; 8 GB; 12 GB
Minimum system flash: 64 MB; 64 MB; 64 MB; 64 MB; 64 MB; 1 GB; 1 GB
Interfaces (footnote 2): 8-port 10/100 switch with 2 Power over Ethernet ports; 5 x 10/100; 2 x 10/100/1000 + 3 x 10/100
ASA 5500 Series Firewall Introduction
The Cisco® ASA 5500 Series Adaptive Security Appliances are purpose-built Cisco solutions that combine best-in-class security and VPN services with an innovative, extensible services architecture.
As a core component of the Cisco Self-Defending Network, the Cisco ASA 5500 Series provides proactive threat defense that stops attacks before they spread through the network, controls network activity and application traffic, and delivers flexible VPN connectivity.
This powerful family of multifunction network security appliances provides broad and deep security for home office, branch office, small and medium business and large enterprise networks, while reducing the overall deployment and operating costs and complexity of delivering this new level of security.
The Cisco ASA 5500 Series delivers multiple market-proven technologies on a single platform, making it feasible, both operationally and economically, to deploy a range of security services at multiple locations.
With its multifunction security components, enterprises face almost no trade-offs and no added risk: they gain strong protection while lowering the operating cost of deploying multiple devices at multiple sites.
The Cisco ASA 5500 Series includes comprehensive services that, through product editions tailored for small and medium businesses and large enterprises, meet the specific needs of a variety of deployment environments.
These editions provide the appropriate services for each location, achieving excellent protection.
Each edition combines a focused set of Cisco ASA 5500 Series services (such as firewall, IPsec and SSL VPN, IPS, and Anti-X services) to meet the needs of a specific environment within the enterprise network.
By ensuring that the security needs of each location are met, overall network security is improved.
Figure 1. Cisco ASA 5500 Series Adaptive Security Appliances. The Cisco ASA 5500 Series helps enterprises manage their networks more effectively and provides excellent investment protection through the following key components:
• Market-proven security and VPN capabilities: full-featured, high-performance firewall, intrusion prevention system (IPS), Anti-X and IPsec/SSL VPN technologies deliver robust application security, user- and application-based access control, worm and virus mitigation, malware protection, content filtering, and remote user/site connectivity.
• Extensible Adaptive Identification and Mitigation services architecture: using the modular service-processing and policy framework of the Cisco ASA 5500 Series, enterprises can apply specific security or network services on a per-flow basis, providing highly granular policy control and a range of defensive services while simplifying traffic handling.
Cisco ASA 5500 Configuration Manual
Cisco ASA 5500 Series Firewall Basic Configuration Manual. 1. Configuration basics. 1.1 User interfaces. Cisco firewalls support the following configuration methods: console, Telnet, SSH (1.x or 2.0; 2.0 is a new feature in 7.x), ASDM over HTTP, and the VMS Firewall Management Center.
Entering ROM Monitor mode is supported; privilege is divided into user mode and privileged mode; help, history, and searching and filtering of command output are supported.
User mode: the Firewall> prompt is user mode; type enable to enter privileged mode, Firewall#.
In privileged mode, type config t to enter global configuration mode.
Use exit or Ctrl-Z to return to the previous mode.
Configuration conventions: prefixing a command with no removes that command.
show running-config or write terminal displays the current configuration.
show running-config all displays the complete configuration, including default settings.
Tab completes commands; Ctrl-L redisplays the command being typed (useful when system output has interrupted a partly typed command); help and history work as in the IOS command set.
show commands support filtering and searching of output with begin, include, exclude and grep followed by a regular expression.
The terminal width command changes the terminal display width (default 80 characters); the pager command changes the number of lines displayed per screen (default 24).
1.2 Initial configuration. As on a router, setup starts an interactive basic configuration dialog.
2. Configuring connectivity. 2.1 Configuring interfaces. Interface basics: every firewall interface must be given an interface name, an IP address with mask, and a security level.
Basic interface configuration:
Firewall(config)# interface hardware-id                       enter interface mode
Firewall(config-if)# speed {auto | 10 | 100 | nonegotiate}    set the interface speed
Firewall(config-if)# duplex {auto | full | half}              set the duplex mode
Firewall(config-if)# [no] shutdown                            enable or disable the interface
Firewall(config-if)# nameif if_name                           set the interface name
Firewall(config-if)# security-level level                     define the interface security level
Example:
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 125.78.33.22 255.255.255.248
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.18.254 255.255.255.0
In this configuration one interface is named outside with security level 0, and the other is named inside with security level 100. Security levels take values from 1 to 99; the higher the number, the higher the security level.
Cisco ASA 5500-X Series Next-Generation Firewalls
Q: How do these appliances differ from the Cisco ASA 5510 through 5550? A: The biggest difference between the new ASA 5500-X Series and the older hardware is that the new models support Cisco ASA Next-Generation Firewall Services, which the existing ASA 5510 through 5550 appliances do not. In addition, the Cisco ASA 5500-X Series delivers four times the firewall throughput of the older hardware, with better scalability, more Ethernet ports (up to 14 Gigabit Ethernet ports) and dedicated intrusion prevention system (IPS) acceleration hardware; the 5545-X and 5555-X also offer redundant power supplies. Furthermore, the product now supports network security services such as intrusion prevention without additional hardware modules, giving extra deployment flexibility.
... infected internal endpoints that send command-and-control traffic back to hosts on the Internet.
WSE, NGFW IPS and CWS use threat intelligence feeds from the Cisco Security Intelligence Operations (SIO) center for advanced web reputation analysis and near-real-time zero-day attack protection. For details on how SIO helps Cisco IPS contain threats in production environments, see /en/US/prod/collateral/vpndevc/ps5729/ps5713/ps12156/white_paper_c11715386.html.
... the detection capabilities are very similar, while other architectural considerations (such as updates) are new. Customer interaction is the attribute that differs most between the two products.
Q: What types of deployment are the Cisco 5500-X Series Next-Generation Firewalls with IPS designed for? A: The new series and its security services (NGFW IPS, AVC and WSE) primarily protect end users and the computing environments under their direct control,
Q: What does the "-X" suffix in the product name mean? A: The "-X" suffix indicates that the appliance can run next-generation security services, including Cisco AVC, IPS and WSE.
ASA 5500-X Product Introduction and FY13Q3 Channel Policy
ASA 5515-X
1RU Short Chassis (19” RackMountable) Yes 8 GB 8 GB eUSB 6 x 1GbE Cu 1 x 1GbE Cu Mgmt 6 x 1GbE Cu or 6 x 1GbE SFP
ASA 5525-X
1RU Short Chassis (19” RackMountable) Yes 8 GB 8 GB eUSB 8 x 1GbE Cu 1 x 1GbE Cu Mgmt 6 x 1GbE Cu or 6 x 1GbE SFP
[Positioning chart, Multi-Service (Firewall/VPN and IPS): ASA 5585-X SSP-10 (4 Gbps, 50K cps); ASA 5555-X (4 Gbps, 50K cps); ASA 5545-X (3 Gbps, 30K cps); ASA 5550 (1.2 Gbps, 36K cps)]
FY13Q3 product promotion
• Buy a 5512-K8 appliance at the AIP fixed price and get a 10-user SSL VPN license (ASA5500-SSL-10=) or one SSD card (ASA5500X-SSD120=) at 99.9% off, using the specific promotion code (PP-FY1383695-130517)
Cisco ASA 5500 and ASA 5500-X Series Next-Generation Firewalls Data Sheet
Data Sheet

Cisco ASA 5500 and ASA 5500-X Series Next-Generation Firewalls for the Internet Edge

Cisco® ASA 5500 and ASA 5500-X Series Next-Generation Firewalls integrate the world's most proven stateful inspection firewall with a comprehensive suite of highly integrated next-generation firewall services for networks of all sizes - small and midsize businesses with one or a few locations, large enterprises, service providers, and mission-critical data centers. The Cisco ASA 5500 and ASA 5500-X Series Next-Generation Firewalls deliver MultiScale™ performance with unprecedented services flexibility, including next-generation firewall capabilities, modular scalability, feature extensibility, and lower deployment and operations costs.

Midsize businesses protecting the Internet edge require the same level of protection as large enterprise networks. You require enterprise-strength security, but purchasing a firewall that was built to handle the performance needs and budget of a large enterprise would be unnecessary and a waste of company resources. You need a firewall that provides the performance you need at a price you can afford, along with the visibility and control you need to take advantage of new applications and devices without compromising security.

Features and Benefits

Cisco ASA 5500 and ASA 5500-X Series Next-Generation Firewalls are available in a wide range of sizes and performance levels to fit your network and budget while offering the same proven level of security that protects some of the largest networks at some of the most security-conscious companies in the world. The ASA 5500 and ASA 5500-X Series Next-Generation Firewalls scale to meet the performance and security requirements of a wide range of network applications, to correspond with your changing needs.

Like their enterprise counterparts, Cisco ASA 5500 and ASA 5500-X Series Next-Generation Firewalls for the Internet edge protect critical assets through:
● Exceptional next-generation firewall services that provide the visibility and control your enterprise needs to safely take advantage of new applications and devices (1)
● Application Visibility and Control (AVC) to control specific behaviors within allowed micro-applications
● Web Security Essentials (WSE) to restrict web and web application usage based on reputation of the site
● Broad and deep network security through an array of integrated cloud- and software-based next-generation firewall services backed by Cisco Security Intelligence Operations (SIO)
● Highly effective intrusion prevention system (IPS) with Cisco Global Correlation
● High-performance VPN and always-on remote access
● The ability to enable additional security services quickly and easily in response to changing needs

1 Please contact your sales representative for availability.

Cisco ASA 5525-X, 5545-X, and 5555-X

The Cisco ASA 5525-X, 5545-X, and 5555-X are next-generation firewalls that combine the most widely deployed stateful inspection firewall in the industry with a comprehensive suite of next-generation network security services - for comprehensive security without compromise. They help meet evolving security needs by delivering multiple next-generation security services, multigigabit performance, flexible interface options, and redundant power supplies, all in a compact 1-RU form factor.
These firewalls optionally provide broad and deep network security services through an array of integrated cloud- and software-based security services, including Application Visibility and Control (AVC), Web Security Essentials (WSE), Cisco Cloud Web Security (CWS), and the only context-aware IPS - with no need for additional hardware modules.

The ASA 5525-X, 5545-X, and 5555-X Next-Generation Firewalls are part of the ASA 5500-X Series, which is built on the same proven security platform as the rest of the ASA family of firewalls and delivers superior performance for exceptional operational efficiency. These models are designed to meet evolving security needs by providing, among other things, innovative next-generation firewall services that make it possible to take advantage of new applications and devices without compromising security. Unlike other next-generation firewalls, the Cisco ASA 5500-X Series keeps pace with rapidly evolving needs by offering end-to-end network intelligence gained from combining the visibility from local traffic with in-depth global network intelligence through:
● Cisco TrustSec® technology
● Cisco AnyConnect® Secure Mobility Solution for unique mobile client insight
● Cisco Security Intelligence Operations (SIO) for near-real-time threat information and proactive protection
● Cisco ASA Next-Generation Firewall Services

With up to 4 Gbps of firewall throughput, 1,000,000 concurrent firewall connections, 50,000 connections per second, and 6 integrated Gigabit Ethernet interfaces, the ASA 5525-X, 5545-X, and 5555-X are excellent choices for businesses requiring high performance, cost effectiveness, exceptional application visibility and control, and an extensible security solution that can grow with their changing needs.

Cisco ASA 5520, 5540, and 5550

The Cisco ASA 5520, 5540, and 5550 are modular, high-performance firewalls that deliver security services with Active/Active high availability and Gigabit Ethernet connectivity for medium-sized enterprise networks. With Gigabit Ethernet interfaces and support for up to 200 VLANs, businesses can easily deploy the Cisco ASA 5520, 5540, and 5550 into multiple zones within their network. The Cisco ASA 5520, 5540, and 5550 scale with businesses as their network security requirements grow, delivering solid investment protection.

Businesses can extend their SSL and IPsec VPN capacity to support a larger number of mobile workers, remote sites, and business partners. Up to 5000 Cisco AnyConnect and/or clientless VPN peers can be supported. VPN capacity and resiliency can be increased by taking advantage of integrated VPN clustering and load-balancing capabilities. The Cisco ASA 5520, 5540, and 5550 support up to 10 firewalls in a cluster, offering a maximum of 50,000 AnyConnect and/or clientless VPN peers or 50,000 IPsec VPN peers per cluster. For business continuity and event planning, the Cisco ASA 5520, 5540, and 5550 can also benefit from Cisco VPN Flex licenses, which enable administrators to react to or plan for short-term "bursts" of concurrent Premium VPN remote-access users for up to two months.

The advanced application-layer security and content security defenses provided by these firewalls can be extended by deploying the high-performance intrusion prevention and worm mitigation capabilities of the Advanced Inspection and Prevention Security Services Module (AIP SSM) or the comprehensive malware protection of the Content Security and Control Security Services Module (CSC SSM). Using the optional security context capabilities, businesses can deploy up to 100 virtual firewalls within a physical appliance to enable compartmentalized control of security policies on a departmental level.
This virtualization strengthens security and reduces overall management and support costs while consolidating multiple security devices into a single appliance.

Table 1 compares the features and capacities of the Cisco ASA 5500 and ASA 5500-X Series Next-Generation Firewalls for the Internet Edge.

Table 1. Cisco ASA 5500 and ASA 5500-X Series Next-Generation Firewalls for the Internet Edge
[Table body not recovered; surviving cells: Up to 450 Mbps; 2 Gbps; Up to 650 Mbps; 3 Gbps; Up to 1.2 Gbps; 4 Gbps]
2 Maximum throughput measured with UDP traffic under ideal conditions.
3 Multiprotocol: Traffic profile consisting primarily of TCP-based protocols/applications, such as HTTP, SMTP, FTP, IMAPv4, BitTorrent, and DNS.
4 Firewall traffic that does not go through the IPS service can have higher throughput.
5 Throughput was measured using ASA CX Software Release 9.1.1 with multiprotocol traffic profile with both AVC and WSE. Traffic logging was enabled as well.
6 VPN throughput and sessions count depend on the ASA device configuration and VPN traffic patterns. These elements should be taken into consideration as part of your capacity planning.
7 Separately licensed feature; includes two SSL licenses with base system.

Regulatory and Standards Compliance
[The source repeats the same entries for each of three model columns; each row is given once.]
Safety: UL 60950, CSA C22.2 No. 60950, EN 60950, IEC 60950, AS/NZS 60950; IEC 60950-1:2005, 2nd Edition; EN 60950-1:2006+A11:2009; UL 60950-1:2007, 2nd Edition; CSA C22.2 No. 60950-1-07, 2nd Edition
Electromagnetic Compatibility (EMC): CE marking, FCC Part 15 Class A, AS/NZS CISPR 22 Class A, VCCI Class A, EN55022 Class A, CISPR 22 Class A, EN61000-3-2, EN61000-3-3; CE: EN55022 2006+A1:2007 Class A; EN55024 1998+A1:2001+A2:2003; EN61000-3-2 2009; EN61000-3-3 2008; FCC: CFR 47, Part 15 Subpart B Class A 2010, ANSI C63.4 2009; ICES-003 Issue 4, February 2004; VCCI: V-3/2011.04; C-TICK: AS/NZS CISPR 22, 2009; KC: KN22 & KN24
Industry Certifications: Common Criteria EAL4 US DoD Application-Level Firewall for Medium-Robustness Environments, Common Criteria EAL2 for IPS on AIP SSM-10 and -20, FIPS 140-2 Level 2, and NEBS Level 3. In process (listed for each model column): Common Criteria EAL4+ US DoD Application-Level Firewall for Medium-Robustness Environments, Common Criteria EAL4 for IPsec/SSL VPN, and FIPS 140-2 Level 2

Cisco ASA 5500 Series Security Services Processors, Modules, and Cards

The Cisco ASA 5500 Series brings a new level of integrated security performance to networks with its highly effective IPS services and multiprocessor hardware architecture. This architecture allows businesses to adapt and extend the high-performance security services profile of the Cisco ASA 5500 Series. Customers can add additional high-performance services using security services modules with dedicated security co-processors, and can custom-tailor flow-specific policies using a highly flexible policy framework. This adaptable architecture enables businesses to deploy new security services when and where they are needed, such as adding the broad range of intrusion prevention and advanced antiworm services delivered by the IPS modules via the AIP SSM and AIP SSC, or the comprehensive malware protection and content security services enabled by the CSC SSM. Further, the Cisco ASA 5500 Series architecture allows Cisco to introduce new services to address new threats, giving businesses outstanding investment protection.

The Cisco ASA 5500 Series AIP SSM and AIP SSC are inline, network-based solutions that accurately identify, classify, and stop malicious traffic before it affects business continuity for IPv4, IPv6, and hybrid IPv6 and IPv4 networks. They combine inline prevention services with innovative technologies, resulting in total confidence in the provided protection of the deployed IPS solution, without the fear of legitimate traffic being dropped. The AIP SSM and AIP SSC also offer comprehensive network protection through their unique ability to collaborate with other network security resources, providing a proactive approach to protecting the network.

Accurate inline prevention technologies provide unparalleled confidence to take preventive action on a broader range of threats without the risk of dropping legitimate traffic.
These unique technologies offer intelligent, automated, contextual analysis of data and help ensure that businesses are getting the most out of their intrusion prevention solutions. Furthermore, the IPS SSP, AIP SSM, and AIP SSC use multivector threat identification to protect the network from policy violations, vulnerability exploitations, and anomalous activity through detailed inspection of traffic in Layers 2 through 7.

Table 2 details the AIP SSM models that are available, and their respective performance and physical characteristics.

Table 2. Characteristics of Cisco ASA 5500 Series AIP SSM Models
[Table body not recovered; surviving cells: 225 Mbps with Cisco ASA 5520; 375 Mbps with Cisco ASA 5520; 500 Mbps with Cisco ASA 5540; 450 Mbps with Cisco ASA 5520; 650 Mbps with Cisco ASA 5540]

Cisco ASA 5500 Series Content Security and Control Module

The Cisco ASA 5500 Series CSC SSM delivers industry-leading threat protection and content control at the Internet edge, providing comprehensive antivirus, antispyware, file blocking, antispam, antiphishing, URL blocking and filtering, and content filtering services in an easy-to-manage solution. The CSC SSM bolsters the Cisco ASA 5500 Series' strong security capabilities, providing customers with additional protection of and control over the content of their business communications. The module provides additional flexibility and choice over the functioning and deployment of Cisco ASA 5500 Series firewalls. Licensing options enable organizations to customize the features and capabilities to each group's needs, with features that include advanced content services and increased user capacity. The CSC SSM ships with a default feature set that provides antivirus, antispyware, and file blocking services. A Plus license is available for each CSC SSM at an additional charge, delivering capabilities such as antispam, antiphishing, URL blocking and filtering, and content control services.
Businesses can extend the user capacity of the CSC SSM by purchasing and installing additional user licenses. A detailed listing of these options is shown in Table 3 and in the CSC SSM data sheet.

Table 3. Characteristics of Cisco ASA 5500 Series CSC SSMs
[Table body not recovered; surviving cells: Cisco ASA 5520; Cisco ASA 5520; Cisco ASA 5540]

Cisco ASA 5500 Series 4-Port Gigabit Ethernet Module

The Cisco ASA 5500 Series 4-Port Gigabit Ethernet SSM enables businesses to better segment network traffic into separate security zones, providing more granular security for their network environment. These zones can range from the Internet to internal corporate departments/sites to DMZs. This high-performance module supports both copper and optical connection options by including four 10/100/1000 copper RJ-45 ports and four SFP ports. Businesses can choose between copper or fiber ports, providing flexibility for data center, campus, or enterprise edge connectivity. The module extends the I/O profile of the Cisco ASA 5500 Series to a total of five Fast Ethernet and four Gigabit Ethernet ports on the Cisco ASA 5510. Table 4 lists the characteristics of the Cisco ASA 5500 Series 4-Port Gigabit Ethernet SSMs.

Table 4. Characteristics of Cisco ASA 5500 Series 4-Port Gigabit Ethernet SSMs
[Table body not recovered; surviving cells: Four 10/100/1000BASE-T; Four (Gigabit Ethernet Optical SFP 1000BASE-SX or LX/LH transceiver supported)]

Cisco ASA 5500-X Series 6-Port Gigabit Ethernet Interface Cards

Cisco ASA 5500-X Series 6-port Gigabit Ethernet Interface Cards extend the I/O profile of the ASA 5525-X through ASA 5555-X by providing additional GE ports. The cards provide the following benefits:
● Better segmentation of network traffic (into separate security zones)
● Fiber-optic cable connectivity for long distance communication
● Load sharing of traffic as well as protection against link failure by using EtherChannel
● Support for Jumbo Ethernet frames of up to 9000 bytes
● Protection against cable failure for the most demanding Active/Active and full mesh firewall deployments

Table 5 lists the characteristics of the Cisco ASA 5500-X Series 6-Port Gigabit Ethernet Interface Cards.

Table 5. Characteristics of Cisco ASA 5500-X Series 6-Port Gigabit Ethernet Interface Cards
[Table body not recovered; surviving cells: Six 10/100/1000BASE-T; Six (Gigabit Ethernet Optical SFP 1000BASE-SX or LX/LH transceiver supported)]

Ordering Information

To place an order, visit the Cisco Ordering Home Page. Table 6 provides ordering information for the Cisco ASA 5500 Series and ASA 5500-X Series Next-Generation Firewalls.

Table 6. Ordering Information
[Table body not recovered]

To Download the Software

Visit the Cisco Software Center to download Cisco ASA Software.

Service and Support

Cisco services help you protect your network investment, optimize network operations, and prepare your network for new applications to extend network intelligence and the power of your business. Included in the "Operate" phase of the service lifecycle are Cisco Security IntelliShield Alert Manager Service, Cisco SMARTnet® Service, Cisco Service Provider Base, and Cisco Services for IPS. These services are suitable for enterprise, commercial, and service provider customers.

Cisco Security IntelliShield Alert Manager Service provides a customizable, web-based threat and vulnerability alert service that allows organizations to easily access timely, accurate, and credible information about potential vulnerabilities in their environment.

Cisco Services for IPS supports modules, platforms, and bundles of platforms and modules that feature IPS capabilities. Cisco SMARTnet and Service Provider Base support other products in this family.

Cisco Capital

Financing to Help You Achieve Your Objectives

Cisco Capital can help you acquire the technology you need to achieve your objectives and stay competitive. We can help you reduce CapEx. Accelerate your growth. Optimize your investment dollars and ROI. Cisco Capital financing gives you flexibility in acquiring hardware, software, services, and complementary third-party equipment. And there's just one predictable payment. Cisco Capital is available in more than 100 countries. Learn more.

For More Information

For more information, please visit the following links:
● Cisco ASA 5500 and ASA 5500-X Series Next-Generation Firewalls: /go/asa
● Cisco Adaptive Security Device Manager: /go/asdm
● Cisco Security Services: /en/US/products/svcs/ps2961/ps2952/serv_group_home.html
● Cisco ASA 5500 Series and ASA 5500-X Series Licensing Information: /en/US/products/ps6120/products_licensing_information_listing.html
Cisco ASA 5500-X Series Next-Generation Firewalls and AnyConnect Secure Mobility Client Product Brochure
Product Brochure. Cisco AnyConnect Secure Mobility Client and Cisco ASA 5500-X Series Next-Generation Firewalls (VPN). The Cisco® ASA 5500-X Series Next-Generation Firewalls are purpose-built platforms that combine best-in-class security capabilities with VPN services.
Organizations gain the connectivity and cost benefits of Internet transport without compromising the integrity of their corporate security policies.
By combining Secure Sockets Layer (SSL) and IP Security (IPsec) VPN services with comprehensive threat defense technologies, the Cisco ASA 5500-X Series Next-Generation Firewalls deliver highly customizable network access that meets the requirements of diverse deployment environments while providing advanced endpoint and network-level security (Figure 1).
Figure 1. Customizable VPN services for any deployment scenario. AnyConnect and the Cisco ASA 5500-X Series Adaptive Security Appliances. The adaptive security appliances provide flexible technologies for any connectivity scenario, scaling to support up to 10,000 concurrent users per appliance.
They provide easily managed full-tunnel network access through:
● SSL (DTLS and TLS)
● IPsec VPN client technology
● The AnyConnect® Secure Mobility Client, optimized for unified compliance and the Cisco Web Security Appliance
● Advanced clientless SSL VPN capabilities
● Network-aware site-to-site VPN connectivity
This solution provides highly secure public-network connectivity for mobile users, remote sites, contractors and business partners.
VPNs can be scaled and secured easily without auxiliary equipment, reducing the costs of VPN deployment and operation.
Benefits of the AnyConnect Secure Mobility Client include:
● Full network access based on SSL (TLS and DTLS) and IPsec: full network access provides network-layer remote-user connectivity to virtually any application or network resource, and is typically used to extend access to managed computers such as company-owned laptops.
Connectivity is available through the AnyConnect Secure Mobility Client, the Microsoft Layer 2 Tunneling Protocol (L2TP) IPsec VPN client, the IPsec VPN clients built into Apple iOS and Mac OS X, and a variety of third-party remote-access VPN clients that support IPsec IKEv2.
SDN Overview
© 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential

ASA 5585-X: IPS service with data-flow analysis
A high-performance combination of firewall, intrusion prevention and VPN, each with independent hardware resources.

Agenda
Cisco security product line; Cisco ASA 5500-X product highlights:
1: Cluster technology, for scaling performance
2: Virtual firewall resource allocation
3: IPS service
4: A true "cloud" firewall
5: Remote secure-access technology
6: Automatic VPN gateway selection

Cisco secure mobility example: secure VDI access from an iPad
[Figure: iPad, VPN tunnel, Cisco ASA, WAN, UC HVD. The Windows 7 desktop inside VDI is reached successfully.]
Latency at rated throughput
ASA 5585 throughput and latency
The performance of the ASA 5585-X series firewalls far exceeds the datasheet ratings.
[Chart: measured throughput (G) versus rated throughput (G); axis 0 to 45]

[Figure: shared licensing. Several ASAs each hold a participant license, with a backup license server.]

Cisco ASA product line (throughput, connections per second):
ASA 5505 (150 Mbps, 4K CPS)
ASA 5510 (300 Mbps, 9K CPS)
ASA 5512-X (1 Gbps, 10K CPS)
ASA 5520 (450 Mbps, 12K CPS)
ASA 5540 (650 Mbps, 25K CPS)
ASA 5550 (1.2 Gbps, 36K CPS)
FWSM (5.5 Gbps, 100K CPS)
ASA-SM (20 Gbps, 300K CPS)
Multi-service (firewall, IPS, VPN)
Optimal VPN gateway auto-selection
Use case: improve the perceived VPN connection speed. The company has several branch offices and employees who travel frequently; the client can automatically pick the nearest VPN gateway. This combines well with shared licensing.
[Figure: sites in Beijing, Shanghai, Guangzhou and Suzhou, with measured times of 23 ms, 25 ms and 26 ms]

Virtual firewalls VF1, VF2 ... VF250: resources that can be limited per context
•mac-addresses (limits the number of MAC entries in transparent mode; system maximum 65,535)
•Hosts (concurrent)
•Concurrent connections
•Xlates (concurrent NAT translations)
•Connection rate (CPS)
•Inspects (rate)
•ASDM (concurrent, 1 to 5; system maximum 32)
•SSH (concurrent, 1 to 5; system maximum 100)
•Telnet (concurrent, 1 to 5; system maximum 100)
•Syslogs (rate)
Threat awareness: preventing Trojans and bots lurking inside the network
ASA 5500 Series: infected clients and malware command and control. The appliance scans traffic, ports and protocols for malicious "phone-home" flows, alerts on infected clients and removes bot and Trojan traffic.

A true "cloud" firewall: seamless integration
[Figure: Tenant A and Tenant B, each in its own VDC with vApps protected by VSG; Virtual ASA, VSG, vPath and Nexus 1000V running on vSphere]
•Nexus 1000V and vPath scale with the demands of the cloud
IPS service on the ASA 5500-X
The 5500-X no longer needs a separate SSM or SSP hardware module for the IPS service. IPS runs as a software module inside the ASA software and requires a separately purchased IPS license.
[Figure: one CPU shared between ASA and IPS]
ASA and IPS share the CPU and memory; the split of these resources between them is allocated statically.

URL filtering and web reputation
AnyConnect client
Comprehensive endpoint type coverage; identity authentication; endpoint security checks.
More choice: more flexible support for diverse access endpoints.
[Figure: iPad connecting through the Cisco ASA to a Connection Broker]
You can visit a customer carrying only an iPad; as long as there is Wi-Fi or 3G, you can connect to the company over VDI and give a presentation.

Stronger security: rich integrated security features and granular access control
•Data encapsulation and encryption
•Data loss protection and acceptable use (WSA)
•Threat prevention: ASA/IPS access control and privilege assignment
•Data loss prevention and granting of privileges; attack and threat defense; web security control
Better experience: always-on intelligent connectivity brings a seamless experience and performance
•Intranet, cloud data center, corporate file shares
•LAN-like access experience: optimal gateway selection, always on, automatic reconnect
ASA 5512-X, 5515-X, 5525-X, 5545-X and 5555-X performance
[Chart: max firewall throughput, EMIX firewall throughput, concurrent threat mitigation (firewall + IPS) and max IPsec VPN throughput per model]

Secure remote network extension
Product line, continued (throughput, connections per second):
ASA 5515-X (1.5 Gbps, 15K CPS)
ASA 5525-X (2 Gbps, 20K CPS)
ASA 5545-X (3 Gbps, 30K CPS)
ASA 5555-X (4 Gbps, 50K CPS)
ASA 5585-S10P10 (4 Gbps, 50K CPS)
ASA 5585-S20P20 (10 Gbps, 125K CPS)

Latency at rated throughput
Model     Latency (µs)
5585-10   21
5585-20   22
5585-40   25
5585-60   25

Platform Capabilities
Metric                     5512-X    5515-X    5525-X    5545-X    5555-X
Max firewall conns         100,000   250,000   500,000   750,000   1,000,000
Max conns/sec              10,000    15,000    20,000    30,000    50,000
Max PPS (64-byte UDP)      450,000   500,000   700,000   900,000   1,100,000
Max VLANs supported        50        100       200       300       500
HA support                 No        Yes       Yes       Yes       Yes
Max IPsec/SSL VPN peers    250       250       750       2500      5000

Modules

Secure remote network extension: integrates SSL VPN and IPsec VPN, with Secure Mobility for smart devices.
[Figure: Internet edge, campus and data center; teleworker and branch office connections]
True virtual-firewall resource allocation
Example per-context allocations shown on the slide:
•100,000 concurrent connections, 100K new connections/s, 2 management connections
•200,000 concurrent connections, 200K new connections/s, 4 management connections
•200,000 concurrent connections, 200K new connections/s, 4 management connections
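The resource types named on the virtual-firewall slides (mac-addresses, hosts, connections, xlates, connection rate, inspects, ASDM/SSH/Telnet sessions, syslog rate) correspond to the resource classes of an ASA running in multiple-context mode. The configuration below is an added example, not taken from the slide deck: the class and context names, interface names and config-url paths are assumptions, while the numeric caps reuse the slide's own figures (100K and 200K concurrent connections, 100K and 200K new connections per second, 2 or 4 management sessions, which are split here between ASDM and SSH). The defender's reason for doing this: a context not assigned to a class falls into the default class, which is unlimited for connections, xlates, hosts and rates, so one tenant under a connection flood can exhaust the shared tables for every other context; a class turns the slide's numbers into enforced caps.

```text
! Added example (not from the slide deck): per-context resource caps on an ASA
! in multiple-context mode (mode multiple). Class/context names, interface
! names and config-url paths are assumptions; the numbers are the slide's.

! Contexts with no class fall into "default", which is unlimited for conns,
! xlates, hosts and rates. A class makes the limits explicit and enforced.
class tenant-small
  limit-resource conns 100000
  limit-resource rate conns 100000
  limit-resource xlates 100000
  limit-resource hosts 50000
  limit-resource rate inspects 50000
  limit-resource rate syslogs 5000
  limit-resource asdm 2
  limit-resource ssh 2
  limit-resource mac-addresses 4096

class tenant-large
  limit-resource conns 200000
  limit-resource rate conns 200000
  limit-resource xlates 200000
  limit-resource hosts 100000
  limit-resource rate inspects 100000
  limit-resource rate syslogs 10000
  limit-resource asdm 4
  limit-resource ssh 4
  limit-resource mac-addresses 8192

! Bind each context to a class; nothing else about the context changes.
context vf1
  member tenant-small
  allocate-interface GigabitEthernet0/0.101 inside
  allocate-interface GigabitEthernet0/1.101 outside
  config-url disk0:/vf1.cfg

context vf2
  member tenant-large
  allocate-interface GigabitEthernet0/0.102 inside
  allocate-interface GigabitEthernet0/1.102 outside
  config-url disk0:/vf2.cfg

! Verification and monitoring, from the system execution space:
!   show resource allocation          - how the class caps add up
!   show resource usage context vf1   - current, peak, limit and denied counts
! A rising "Denied" count for conns or xlates in one context while the
! others stay unaffected is the signature of a contained flood rather than
! appliance-wide exhaustion.
```

The mac-addresses cap only takes effect for contexts running in transparent mode, as the slide notes; it is harmless to set for routed contexts. Keep the sum of the class caps inside the platform limits from the Platform Capabilities table, otherwise the caps are paper limits that the appliance cannot actually honour.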