Implementing Network Security ( Version 2.0) – CCNAS Chapter 10 Exam Online

Cisco Adaptive Security Device Manager (ASDM) is a Java-based GUI tool that facilitates the management of Cisco ASAs. Cisco ASDM can be used to manage multiple ASAs that run the same ASDM version. ASDM can be run as a Java Web Start application that allows an administrator to configure and monitor that ASA device. Otherwise ASDM can also be downloaded from flash and installed locally on a host as an application; which allows an administrator to use ASDM (local application) to manage multiple ASA devices.

Cisco ASDM facilitates configuration of Cisco ASAs because it hides the complexity of the configuration commands. The ASA is required to have a minimum configuration before accessing the ASDM. ASDM is accessed using a web browser connection or local application which provides no more security than being consoled into the device.

ASDM is accessed using an SSL local application connection.

Before an ASA can be accessed using ASDM, the ASA must have a management interface configured. On an ASA 5505 , a logical VLAN interface and Ethernet port other than 0/0 must be configured. All other ASAs must have a dedicated Layer 3 management interface that is assigned an IP address and appropriate security level.​

Before an ASA can be accessed using ASDM, the ASA must have access permissions and the ASA web server enabled. Furthermore, a management interface must be configured. On an ASA 5505, a logical VLAN interface and Ethernet port other than 0/0 must be configured. All other ASAs must have a dedicated Layer 3 management interface that is assigned an IP address and appropriate security level.

To configure an ASA interface using ASDM, select the desired interface and click Add. In the Interface Name textbox, enter outside. Assign the security level, IP address, and subnet mask. Do not forget to enable the Enable Interface check box.​​

The two main ASDM options used to configure an ASA are Device Setup and Device Management. Within Device Setup are the Startup Wizard, Interfaces, Routing, Device Name/Password, and System Time options.​

The System Time option is used to manually configure the time zone, date, and time or to configure the system to obtain the date and time from an NTP server.​

Use the Device Management configuration option to select DHCP and configure DHCP inside and outside settings.​

ASDM supports DHCP server and relay settings. From the DHCP Server menu option, select the inside interface and enable the DHCP server option to provide addresses for devices attached through the inside ASA interface. The DMZ commonly contains servers that have statically assigned IP addresses. The outside interface connects to the WAN and would not have devices that would use corporate-provided DHCP.

The master passphrase is used to reversibly encrypt shared keys and passwords. ​

The master passphrase is used to reversibly encrypt shared keys and passwords. Once enabled, AES encryption is used for the password encryption.​

An ACL is used in the ISR configuration of a site-to-site VPN connection to define traffic that will be permitted. This traffic is referred to as interesting traffic.

When selected traffic is being secured during ASDM site-to-site VPN configuration, both IKE and ISAKMP parameters can be set. The authentication options are a preshared key or the use of a digital certificate.

When a web browser is used to securely access the corporate network, the browser must use a secure version of HTTP to provide SSL encryption. A VPN client is not required to be installed on the remote host, so a clientless SSL connection is used.

When a web browser is used to securely access the corporate network, the browser must use a secure version of HTTP to provide SSL encryption. A VPN client is not required to be installed on the remote host, so a clientless SSL connection is used.

Cisco AnyConnect is used to create an IPsec (IKEv2) VPN connection. A web browser is used for a clientless SSL VPN. A Cisco VPN client uses IPsec (IKEv1).​

Authentication on an ASA 5505 device can be accomplished by using a AAA server and indicating the location of the server. Alternatively, a local database can be used by entering the appropriate username and password.​

The clientless SSL VPN uses a web browser for access and uses a set of URLs that are configured to be used with the web portal.

When a user logs out, he or she loses access to the VPN. The user does receive a message advising to clear the browser cache, delete the downloaded files, and close the browser window for added security. If the user does not log out, the connection will eventually time out.

If an outside host does not have the Cisco AnyConnect client preinstalled, the remote user must initiate a clientless SSL VPN connection via a compliant web browser, and then download and install the AnyConnect client on the remote host.

During the process of establishing a VPN connection, a posture assessment can be performed in order to identify the client operating system, antivirus, antispyware, and firewall software. Once identified, a determination can be made whether remote access is allowed.

Both IPsec and SSL are supported by Cisco AnyConnect.

The IP address pool is assigned to clients when they connect. The IP address pool configuration is required for successful client-based SSL VPN connectivity. Without an available IP address pool, the connection to the security appliance fails.