ch24lev1sec4.html

Cisco Adaptive Security Device Manager (ASDM)

Cisco Adaptive Security Device Manager (ASDM) is another powerful web-based firewall management tool that is integrated into the Cisco-based firewall software.

Cisco ASDM provides support for integrated security and networking features offered by the market-leading suite of Cisco security appliances.

Cisco ASDM can be used to manage the following Cisco firewalls:

Cisco ASA 5500 Series Adaptive Security Appliances
Cisco PIX 500 Series Security Appliances
Cisco Catalyst 6500 Series Firewall Services Module (FWSM)

Cisco ASDM greatly improves productivity, simplifies security policy creation through step-by-step smart wizards, and offers proactive monitoring and debugging tools.

Cisco ASDM provides firewall management and provisioning of network and application security with greater flexibility.

Cisco ASDM—Features and Capabilities

Cisco ASDM offers a state-of-the-art security management and monitoring system through an intuitive, easy-to-use, secure web-based management interface.

The following list outlines some of the common Cisco ASDM capabilities for configuring and deploying Cisco firewalls using a web-based management interface:

Complete support for Cisco ASA 5500 series appliance software and Cisco PIX 500 series appliance software features
Web-based management application integrated into Cisco firewall software
Secure remote management to Cisco market-leading Cisco firewalls
Security and policy deployments using smart wizards
Robust administration and management tools
Capability to configure optional features such as DHCP, NAT, administrative access
Support of auto-update, a revolutionary secure remote-management capability that helps keep appliance configurations and software images up-to-date
Rapid configuration support features, such as inline and drag-and-drop policy editing, autocomplete, configuration wizards, appliance software upgrades, and online help
Integrated security policy and access control table
Profile-based management for all application inspection and control capabilities
Powerful troubleshooting and diagnostics tools, such as Packet Tracer, log-policy correlation, packet capture, regular expression tester, and embedded log reference
Real-time status and monitoring information features, such as device, firewall, content security, and IPS dashboards; real-time graphing; and tabulated metrics enabling rapid response to security incidents

Cisco ASDM—How It Works

Cisco ASDM is an integrated solution embedded within Cisco firewall software release.

Cisco ASDM can be launched remotely using a web browser from any user desktop PC on the network with an enabled Java plug-in, thereby providing rapid secure access to the Cisco ASA 5500 Series Adaptive Security Appliances or Cisco PIX Security Appliances.

With the factory default configuration on the firewall, users can connect to Cisco ASDM by using the default management IP address of 192.168.1.1. By default, on the Cisco ASA 5500 series appliance, Cisco ASDM connects to the Management0/0 interface. For the PIX 500 series appliance, Cisco ASDM connects to the Ethernet1 interface. In this case, the local desktop PC must be on the same subnet as the management IP address subnet—that is, 192.168.1.0/24.

Note

To restore the default configuration, enter the configure factory-default command on the security appliance console CLI.

As with Cisco SDM, users can launch Cisco ASDM from supported Internet browser using the firewall IP address as follows:

https://firewall_ip_address

When the Cisco ASDM application is launched, it provides a dynamic dashboard that gives a complete system overview and firewall health statistics.

Figure 24-15 shows the Cisco ASDM home page when the application is launched.

Figure 24-15. Cisco ASDM Home Page

[View full size image]

The Cisco ASDM home page provides comprehensive information including the following:

Hardware model of the firewall
Firewall software version
Memory usage
License information
Interface status
Traffic status

Further tabs from the home page provide comprehensive information for device configuration, monitoring, and real-time status indicators.

Figure 24-16 shows a sample screen capture of the Cisco ASDM Firewall Dashboard page that displays connection statistics, packet rate, Top 10 rules, and possible scan and network attack information.

Figure 24-16. Cisco ASDM—Firewall Dashboard Page

[View full size image]

Figure 24-17 shows a sample screen capture of the Cisco ASDM Configuration page that displays firewall access rules.

Figure 24-17. Cisco ASDM—Configuration Page Showing Access Rule Details

[View full size image]

Cisco ASDM also includes a configuration search engine that helps users locate where specific features can be configured and provides convenient point-and-click access to the search results.

Cisco ASDM—Packet Tracer Utility

Cisco ASDM introduces a powerful and revolutionary Packet Tracer utility that enables rapid troubleshooting and simplifies fault finding of any nature, including the most complex policy environments, with numerous access rules, or layered security services.

The Cisco ASDM Packet Tracer is the first proactive debugging tool that is capable of determining the packet flow and charting complete details of a day-in-the-life of a packet.

The Packet Tracer utility employs an animated packet flow model, emulating a complete TCP/IP flow sequence for any given protocol or port number. It virtually passes through the entire device configuration checking all access rules, NAT rules, filter rules, and service policies. During the flows through each stage, it provides visual aids to indicate the status of each transaction and the action performed at that stage of that packet's lifetime. These visual indicators provide users the insight into the packet flow and help identify the fault and determine incorrect policies, which can be in the form of erroneous network translation policies, access rules, or inspection engines.

Figure 24-18 shows a sample screen capture of the Cisco ASDM Packet Tracer utility.

Figure 24-18. Cisco ASDM—Packet Tracer Utility

[View full size image]

Cisco ASDM—Syslog to Access Rule Correlation

Cisco ASDM introduces yet another dynamic tool that enables Syslog to Access Rule Correlation. This dynamic feature greatly enhances day-to-day security management and troubleshooting activities to resolve common configuration issues and network connectivity problems.

The Syslog to Access Rule Correlation feature offers an intuitive view into syslog messages invoked by user-configured access rules. Users can closely inspect traffic patterns and monitor resource access behavior.

Cisco ASDM—Supported Firewalls and Software Versions

Table 24-9 lists the supported hardware and software for the Cisco ASA 5500 series security appliances.

Table 24-9. Cisco ASDM—Cisco ASA 5500 Series System Requirements
Hardware Software
Platform: Cisco ASA 5505, 5510, 5520, 5540, or 5550 Adaptive Security Appliance
RAM: 256 MB
Flash memory: 64 MB Cisco ASA Software: Version 7.2 Encryption: DES or 3DES enabled

Table 24-9. Cisco ASDM—Cisco ASA 5500 Series System Requirements
Hardware	Software
Platform: Cisco ASA 5505, 5510, 5520, 5540, or 5550 Adaptive Security Appliance RAM: 256 MB Flash memory: 64 MB	Cisco ASA Software: Version 7.2 Encryption: DES or 3DES enabled

Table 24-10 lists the supported hardware and software for the Cisco PIX 500 series security appliances.

Table 24-10. Cisco ASDM—Cisco PIX 500 Series System Requirements
Hardware Software
Platform: Cisco PIX 515/515E, 525, or 535 Security Appliances (Cisco PIX 501 and 506/506E Security Appliances are not supported)
RAM: 64 MB
Flash memory: 16 MB Cisco PIX Security Appliance Software Version 7.2 Encryption: DES or 3DES enabled

Table 24-10. Cisco ASDM—Cisco PIX 500 Series System Requirements
Hardware	Software
Platform: Cisco PIX 515/515E, 525, or 535 Security Appliances (Cisco PIX 501 and 506/506E Security Appliances are not supported) RAM: 64 MB Flash memory: 16 MB	Cisco PIX Security Appliance Software Version 7.2 Encryption: DES or 3DES enabled

Cisco ASDM—User Requirements

Table 24-11 lists the supported operating system and web browser on the end-user PC to launch the Cisco ASDM application.

Table 24-11. Cisco ASDM—Operating Systems and Web Browsers Supported by Cisco ASDM
Operating Systems Browsers (JavaScript and Java-Enabled)
Windows 2000 with Service Pack 4 (English/Japanese) Windows XP (English/Japanese) Microsoft Internet Explorer 6.0 with Java Plug-In v1.4.2 or 1.5.0
Firefox 1.5 with Java Plug-In v1.4.2 or 1.5.0
Netscape Communicator 7.2 with Java Plug-In v1.4.2 or 1.5.0
Sun Solaris 2.8 or higher running CDE Mozilla 1.7.3 with Java Plug-In v1.4.2 or 1.5.0
Red Hat Linux 9.0 running GNOME or KDE Red Hat Enterprise Linux WS Version 3 Firefox 1.5 with Java Plug-In v1.4.2 or 1.5.0

Table 24-11. Cisco ASDM—Operating Systems and Web Browsers Supported by Cisco ASDM
Operating Systems	Browsers (JavaScript and Java-Enabled)
Windows 2000 with Service Pack 4 (English/Japanese) Windows XP (English/Japanese)	Microsoft Internet Explorer 6.0 with Java Plug-In v1.4.2 or 1.5.0 Firefox 1.5 with Java Plug-In v1.4.2 or 1.5.0 Netscape Communicator 7.2 with Java Plug-In v1.4.2 or 1.5.0
Sun Solaris 2.8 or higher running CDE	Mozilla 1.7.3 with Java Plug-In v1.4.2 or 1.5.0
Red Hat Linux 9.0 running GNOME or KDE Red Hat Enterprise Linux WS Version 3	Firefox 1.5 with Java Plug-In v1.4.2 or 1.5.0

For more details about installing and configuring Cisco ASDM, refer to the following Cisco documentation:

http://www.cisco.com/en/US/products/ps6120/prod_installation_guides_list.html

http://www.cisco.com/en/US/products/ps6120/products_installation_and_configuration_guides_list.html

http://www.cisco.com/en/US/products/ps6120/prod_configuration_examples_list.html

http://www.cisco.com/en/US/products/ps6121/products_data_sheets_list.html