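This document describes the process to provision a Secure Firewall Adaptive Security Appliance (ASA) to Cisco Security Manager (CSM).
Cisco recommends that you have knowledge of these topics:
The information in this document is based on these software and hardware versions:
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
CSM helps enable consistent policy enforcement and quick troubleshooting of security events, and offers summarized reports across the entire security deployment. With its centralized interface, organizations can scale efficiently and manage a wide range of Cisco security devices with improved visibility.
In the next example, a virtual ASA is provisioned to CSM for centralized management.
Step 1. Create a user with all privileges.
Command Line (CLI) syntax: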
configure terminal
username < user string > password < password > privilege < level number >
This translates into the next command example, which has the user csm-user and the password cisco123:
ciscoasa# configure terminal
ciscoasa(config)# username csm-user password cisco123 privilege 15
Tip: Externally authenticated users are also accepted for this integration.
Step 2. Enable the HTTP server.
Command Line (CLI) syntax:
configure terminal
http server enable
Step 3. Allow HTTPS access for the CSM server IP address.
Command Line (CLI) syntax:
configure terminal
http < hostname > < netmask > < interface name >
This translates into the next command example, which allows any network to access the ASA through HTTPS on the outside interface (GigabitEthernet0/0):
ciscoasa# configure terminal
ciscoasa(config)# http 0.0.0.0 0.0.0.0 outside
Step 4. Verify that HTTPS is reachable from the CSM server.
Open any web browser and type the next syntax:
https://< ASA IP address >/
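This translates into the next example, which uses the IP address of the outside interface that was allowed HTTPS access in the previous step: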
https://10.8.4.11/
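Tip: Error 404 Not Found is expected on this step because this ASA does not have Cisco Adaptive Security Device Manager (ASDM) installed, but the HTTPS response is present because the page redirects to the URL /admin/public/index.html.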
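Step 3 above admits every source address (0.0.0.0 0.0.0.0) to HTTPS management on the outside interface, while only the CSM server needs it. The following added example (not part of the original document and not Cisco tooling) audits the IPv4 `http` lines of a saved ASA configuration against the CSM server address; 10.8.4.12 is the source host shown in the debug output on this page, and the function names and the narrowed sample rule are assumptions made for illustration.

```python
import ipaddress

# Constructed sample: the lab commands from this page plus a narrowed rule.
SAMPLE_CONFIG = """\
username csm-user password cisco123 privilege 15
http server enable
http 0.0.0.0 0.0.0.0 outside
http 10.8.4.12 255.255.255.255 outside
"""

def parse_http_rules(config_text):
    """Return (network, interface) for each 'http <addr> <mask> <ifname>' line."""
    rules = []
    for line in config_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] != "http":
            continue  # skips 'http server enable' and unrelated lines
        try:
            net = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
        except ValueError:
            continue  # not an IPv4 address/netmask pair
        rules.append((net, parts[3]))
    return rules

def audit_http_access(config_text, csm_ip, max_hosts=1):
    """Flag rules that admit more source addresses than the CSM server needs."""
    csm = ipaddress.ip_address(csm_ip)
    rules = parse_http_rules(config_text)
    findings = []
    for net, ifname in rules:
        if net.num_addresses > max_hosts:
            status = "TOO_BROAD"      # e.g. 0.0.0.0/0 admits any source
        elif csm in net:
            status = "OK"             # host rule that matches the CSM server
        else:
            status = "OTHER_SOURCE"   # narrow, but not the CSM server
        findings.append((str(net), ifname, status))
    csm_allowed = any(csm in net for net, _ in rules)
    return findings, csm_allowed

if __name__ == "__main__":
    for finding in audit_http_access(SAMPLE_CONFIG, "10.8.4.12")[0]:
        print(finding)
```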
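Step 1. Open and log in to the CSM client.
Step 2. Open the Configuration Manager.
Step 3. Navigate to Devices > New Device.
Step 4. Select the add option that fits the requirement based on the desired result. Because the ASA is already set up in the network with its configuration, the best option for this example is Add Device From Network; then click Next.
Step 5. Complete the required data based on the configuration on the Secure Firewall ASA and the discovery settings. Then click Next.
Step 6. Complete the required credentials with the CSM user and the enable password configured on the ASA.
Step 7. Select the desired groups, or skip this step if none is needed, and click Finish.
Step 8. A ticket request is generated for control purposes; click OK.
Step 9. Verify that the discovery completes without errors, and click Close.
Tip: Warnings are accepted as successful output, because not all ASA features are supported by CSM.
Step 10. Verify that the ASA is now displayed as registered on the CSM client with the correct information.
Verify
HTTPS debug is available on the ASA for troubleshooting purposes. Use the next command: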
debug http
Here is an example of a successful CSM registration debug:
ciscoasa# debug http
debug http enabled at level 1.
ciscoasa# HTTP: processing handoff to legacy admin server [/admin/exec//show%20version]
HTTP: admin session verified = [0]
HTTP MSG: GET /admin/exec//show%20version HTTP/1.1
Authorization: Basic OmNpc2NvMTIz
User-Agent: CSM
Cache-Control: no-cache
Pragma: no-cache
Host: 10.8.4.11
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
▒▒▒^^u
HTTP: processing GET URL '/admin/exec//show%20version' from host 10.8.4.12
HTTP: Authentication username = ''
Exited from HTTP Cli Exec
HTTP: processing handoff to legacy admin server [/admin/config]
HTTP: admin session verified = [0]
HTTP MSG: GET /admin/config HTTP/1.1
Authorization: Basic OmNpc2NvMTIz
User-Agent: CSM
Cache-Control: no-cache
Pragma: no-cache
Host: 10.8.4.11
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
▒▒▒e
HTTP: processing GET URL '/admin/config' from host 10.8.4.12
HTTP: Authentication username = ''
HTTP: processing handoff to legacy admin server [/admin/exec//show%20version]
HTTP: admin session verified = [0]
HTTP MSG: GET /admin/exec//show%20version HTTP/1.1
Authorization: Basic OmNpc2NvMTIz
User-Agent: CSM
Cache-Control: no-cache
Pragma: no-cache
Host: 10.8.4.11
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
▒▒▒^^u
HTTP: processing GET URL '/admin/exec//show%20version' from host 10.8.4.12
HTTP: Authentication username = ''
Exited from HTTP Cli Exec
HTTP: processing handoff to legacy admin server [/admin/exec//sh%20module%20%7c%20in%20(CX%20Security%20Services%20Processor-%7ccxsc%20ASA%20CX5)]
HTTP: admin session verified = [0]
HTTP MSG: GET /admin/exec//sh%20module%20%7c%20in%20(CX%20Security%20Services%20Processor-%7ccxsc%20ASA%20CX5) HTTP/1.1
Authorization: Basic OmNpc2NvMTIz
User-Agent: CSM
Cache-Control: no-cache
Pragma: no-cache
Host: 10.8.4.11
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
▒▒▒^2▒^aware_123▒
HTTP: processing GET URL '/admin/exec//sh%20module%20%7c%20in%20(CX%20Security%20Services%20Processor-%7ccxsc%20ASA%20CX5)' from host 10.8.4.12
HTTP: Authentication username = ''
Exited from HTTP Cli Exec
HTTP: processing handoff to legacy admin server [/admin/exec//sh%20module%20%7c%20in%20(FirePOWER)]
HTTP: admin session verified = [0]
HTTP MSG: GET /admin/exec//sh%20module%20%7c%20in%20(FirePOWER) HTTP/1.1
Authorization: Basic OmNpc2NvMTIz
User-Agent: CSM
Cache-Control: no-cache
Pragma: no-cache
Host: 10.8.4.11
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
▒▒▒▒▒▒
HTTP: processing GET URL '/admin/exec//sh%20module%20%7c%20in%20(FirePOWER)' from host 10.8.4.12
HTTP: Authentication username = ''
Exited from HTTP Cli Exec
HTTP: processing handoff to legacy admin server [/admin/exec//sh%20cluster%20info]
HTTP: admin session verified = [0]
HTTP MSG: GET /admin/exec//sh%20cluster%20info HTTP/1.1
Authorization: Basic OmNpc2NvMTIz
User-Agent: CSM
Cache-Control: no-cache
Pragma: no-cache
Host: 10.8.4.11
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
▒▒▒^
HTTP: processing GET URL '/admin/exec//sh%20cluster%20info' from host 10.8.4.12
HTTP: Authentication username = ''
Exited from HTTP Cli Exec
HTTP: processing handoff to legacy admin server [/admin/exec//sh%20inventory]
HTTP: admin session verified = [0]
HTTP MSG: GET /admin/exec//sh%20inventory HTTP/1.1
Authorization: Basic OmNpc2NvMTIz
User-Agent: CSM
Cache-Control: no-cache
Pragma: no-cache
Host: 10.8.4.11
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
▒▒▒^^u
HTTP: processing GET URL '/admin/exec//sh%20inventory' from host 10.8.4.12
HTTP: Authentication username = ''
Exited from HTTP Cli Exec
HTTP: processing handoff to legacy admin server [/admin/exec//sh%20vm]
HTTP: admin session verified = [0]
HTTP MSG: GET /admin/exec//sh%20vm HTTP/1.1
Authorization: Basic OmNpc2NvMTIz
User-Agent: CSM
Cache-Control: no-cache
Pragma: no-cache
Host: 10.8.4.11
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
▒▒▒ 2▒^^^u
HTTP: processing GET URL '/admin/exec//sh%20vm' from host 10.8.4.12
HTTP: Authentication username = ''
Exited from HTTP Cli Exec
HTTP: processing handoff to legacy admin server [/admin/config]
HTTP: admin session verified = [0]
HTTP MSG: GET /admin/config HTTP/1.1
Authorization: Basic OmNpc2NvMTIz
User-Agent: CSM
Cache-Control: no-cache
Pragma: no-cache
Host: 10.8.4.11
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
▒▒▒e
HTTP: processing GET URL '/admin/config' from host 10.8.4.12
HTTP: Authentication username = ''
HTTP: processing handoff to legacy admin server [/admin/exec//show%20version]
HTTP: admin session verified = [0]
HTTP MSG: GET /admin/exec//show%20version HTTP/1.1
Authorization: Basic OmNpc2NvMTIz
User-Agent: CSM
Cache-Control: no-cache
Pragma: no-cache
Host: 10.8.4.11
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
▒▒▒^^u
HTTP: processing GET URL '/admin/exec//show%20version' from host 10.8.4.12
HTTP: Authentication username = ''
Exited from HTTP Cli Exec
HTTP: processing handoff to legacy admin server [/admin/exec//show%20inventory]
HTTP: admin session verified = [0]
HTTP MSG: GET /admin/exec//show%20inventory HTTP/1.1
Authorization: Basic OmNpc2NvMTIz
User-Agent: CSM
Cache-Control: no-cache
Pragma: no-cache
Host: 10.8.4.11
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
▒▒▒u
HTTP: processing GET URL '/admin/exec//show%20inventory' from host 10.8.4.12
HTTP: Authentication username = ''
Exited from HTTP Cli Exec
HTTP: processing handoff to legacy admin server [/admin/exec//show%20password%20encryption]
HTTP: admin session verified = [0]
HTTP MSG: GET /admin/exec//show%20password%20encryption HTTP/1.1
Authorization: Basic OmNpc2NvMTIz
User-Agent: CSM
Cache-Control: no-cache
Pragma: no-cache
Host: 10.8.4.11
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
▒▒▒^^
HTTP: processing GET URL '/admin/exec//show%20password%20encryption' from host 10.8.4.12
HTTP: Authentication username = ''
Exited from HTTP Cli Exec
HTTP: processing handoff to legacy admin server [/admin/exec//show%20running-config%20all%20tunnel-group]
HTTP: admin session verified = [0]
HTTP MSG: GET /admin/exec//show%20running-config%20all%20tunnel-group HTTP/1.1
Authorization: Basic OmNpc2NvMTIz
User-Agent: CSM
Cache-Control: no-cache
Pragma: no-cache
Host: 10.8.4.11
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
▒▒▒2▒^▒^e
HTTP: processing GET URL '/admin/exec//show%20running-config%20all%20tunnel-group' from host 10.8.4.12
HTTP: Authentication username = ''
Exited from HTTP Cli Exec
HTTP: processing handoff to legacy admin server [/admin/exec//show%20running-config%20all%20group-policy]
HTTP: admin session verified = [0]
HTTP MSG: GET /admin/exec//show%20running-config%20all%20group-policy HTTP/1.1
Authorization: Basic OmNpc2NvMTIz
User-Agent: CSM
Cache-Control: no-cache
Pragma: no-cache
Host: 10.8.4.11
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
▒▒▒2▒^▒^e
HTTP: processing GET URL '/admin/exec//show%20running-config%20all%20group-policy' from host 10.8.4.12
HTTP: Authentication username = ''
Exited from HTTP Cli Exec
HTTP: processing handoff to legacy admin server [/admin/exec//show%20crypto%20ca%20trustpool%20detail]
HTTP: admin session verified = [0]
HTTP MSG: GET /admin/exec//show%20crypto%20ca%20trustpool%20detail HTTP/1.1
Authorization: Basic OmNpc2NvMTIz
User-Agent: CSM
Cache-Control: no-cache
Pragma: no-cache
Host: 10.8.4.11
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
▒▒▒2▒^2▒^▒^e
HTTP: processing GET URL '/admin/exec//show%20crypto%20ca%20trustpool%20detail' from host 10.8.4.12
HTTP: Authentication username = ''
Exited from HTTP Cli Exec
HTTP: processing handoff to legacy admin server [/admin/exec//show%20snmp-server%20engineID]
HTTP: admin session verified = [0]
HTTP MSG: GET /admin/exec//show%20snmp-server%20engineID HTTP/1.1
Authorization: Basic OmNpc2NvMTIz
User-Agent: CSM
Cache-Control: no-cache
Pragma: no-cache
Host: 10.8.4.11
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
▒▒▒^P_▒
HTTP: processing GET URL '/admin/exec//show%20snmp-server%20engineID' from host 10.8.4.12
HTTP: Authentication username = ''
Exited from HTTP Cli Exec
HTTP: processing handoff to legacy admin server [/admin/exec//show%20version]
HTTP: admin session verified = [0]
HTTP MSG: GET /admin/exec//show%20version HTTP/1.1
Authorization: Basic OmNpc2NvMTIz
User-Agent: CSM
Cache-Control: no-cache
Pragma: no-cache
Host: 10.8.4.11
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
▒▒▒▒^u
HTTP: processing GET URL '/admin/exec//show%20version' from host 10.8.4.12
HTTP: Authentication username = ''
Exited from HTTP Cli Exec
HTTP: processing handoff to legacy admin server [/admin/exec//show%20failover]
HTTP: admin session verified = [0]
HTTP MSG: GET /admin/exec//show%20failover HTTP/1.1
Authorization: Basic OmNpc2NvMTIz
User-Agent: CSM
Cache-Control: no-cache
Pragma: no-cache
Host: 10.8.4.11
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
▒▒▒^u
HTTP: processing GET URL '/admin/exec//show%20failover' from host 10.8.4.12
HTTP: Authentication username = ''
Exited from HTTP Cli Exec
HTTP: processing handoff to legacy admin server [/admin/exec//dir%20%2frecursive%20all-filesystems]
HTTP: admin session verified = [0]
HTTP MSG: GET /admin/exec//dir%20%2frecursive%20all-filesystems HTTP/1.1
Authorization: Basic OmNpc2NvMTIz
User-Agent: CSM
Cache-Control: no-cache
Pragma: no-cache
Host: 10.8.4.11
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
▒▒▒2▒^2▒^2▒^▒^e
HTTP: processing GET URL '/admin/exec//dir%20%2frecursive%20all-filesystems' from host 10.8.4.12
HTTP: Authentication username = ''
Exited from HTTP Cli Exec
HTTP: processing handoff to legacy admin server [/admin/exec//show%20asdm%20image]
HTTP: admin session verified = [0]
HTTP MSG: GET /admin/exec//show%20asdm%20image HTTP/1.1
Authorization: Basic OmNpc2NvMTIz
User-Agent: CSM
Cache-Control: no-cache
Pragma: no-cache
Host: 10.8.4.11
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
▒▒▒^ 2▒^^^
HTTP: processing GET URL '/admin/exec//show%20asdm%20image' from host 10.8.4.12
HTTP: Authentication username = ''
Exited from HTTP Cli Exec
HTTP: processing handoff to legacy admin server [/admin/exec//show%20running-config%20webvpn]
HTTP: admin session verified = [0]
HTTP MSG: GET /admin/exec//show%20running-config%20webvpn HTTP/1.1
Authorization: Basic OmNpc2NvMTIz
User-Agent: CSM
Cache-Control: no-cache
Pragma: no-cache
Host: 10.8.4.11
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
▒▒▒P_▒
HTTP: processing GET URL '/admin/exec//show%20running-config%20webvpn' from host 10.8.4.12
HTTP: Authentication username = ''
Exited from HTTP Cli Exec
HTTP: processing handoff to legacy admin server [/admin/exec//show%20vpn-sessiondb%20full%20webvpn]
HTTP: admin session verified = [0]
HTTP MSG: GET /admin/exec//show%20vpn-sessiondb%20full%20webvpn HTTP/1.1
Host: 10.8.4.1110.8.4.11
Authorization: Basic OmNpc2NvMTIz
User-Agent: CSM
▒▒▒^2▒^1
HTTP: processing GET URL '/admin/exec//show%20vpn-sessiondb%20full%20webvpn' from host 10.8.4.12
HTTP: Authentication username = ''
Exited from HTTP Cli Exec
HTTP: processing handoff to legacy admin server [/admin/exec//show%20vpn-sessiondb%20full%20ra-ikev1-ipsec]
HTTP: admin session verified = [0]
HTTP MSG: GET /admin/exec//show%20vpn-sessiondb%20full%20ra-ikev1-ipsec HTTP/1.1
Host: 10.8.4.1110.8.4.11
Authorization: Basic OmNpc2NvMTIz
User-Agent: CSM
▒▒▒
HTTP: processing GET URL '/admin/exec//show%20vpn-sessiondb%20full%20ra-ikev1-ipsec' from host 10.8.4.12
HTTP: Authentication username = ''
Exited from HTTP Cli Exec
HTTP: processing handoff to legacy admin server [/admin/exec//show%20vpn-sessiondb%20full%20ra-ikev2-ipsec]
HTTP: admin session verified = [0]
HTTP MSG: GET /admin/exec//show%20vpn-sessiondb%20full%20ra-ikev2-ipsec HTTP/1.1
Host: 10.8.4.1110.8.4.11
Authorization: Basic OmNpc2NvMTIz
User-Agent: CSM
▒▒▒
HTTP: processing GET URL '/admin/exec//show%20vpn-sessiondb%20full%20ra-ikev2-ipsec' from host 10.8.4.12
HTTP: Authentication username = ''
Exited from HTTP Cli Exec
HTTP: processing handoff to legacy admin server [/admin/exec//show%20vpn-sessiondb%20full%20anyconnect]
HTTP: admin session verified = [0]
HTTP MSG: GET /admin/exec//show%20vpn-sessiondb%20full%20anyconnect HTTP/1.1
Host: 10.8.4.1110.8.4.11
Authorization: Basic OmNpc2NvMTIz
User-Agent: CSM
▒▒▒1
HTTP: processing GET URL '/admin/exec//show%20vpn-sessiondb%20full%20anyconnect' from host 10.8.4.12
HTTP: Authentication username = ''
Exited from HTTP Cli Exec
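The debug output above prints the `Authorization: Basic` header of every request, and that value is only base64-encoded, so a capture like this needs to be sanitized before it is attached to a ticket or support case. The following added example (not part of the original document) redacts that header and lists the decoded CLI commands with their source hosts, flagging any host that is not the expected CSM server; the sample lines are a constructed excerpt in the same format, and the function names and the 192.0.2.50 host are assumptions for illustration.

```python
import re
from urllib.parse import unquote

# Constructed excerpt in the format of the debug above (placeholder credential).
SAMPLE_DEBUG = """\
HTTP MSG: GET /admin/exec//show%20version HTTP/1.1
Authorization: Basic ZXhhbXBsZTpleGFtcGxl
User-Agent: CSM
HTTP: processing GET URL '/admin/exec//show%20version' from host 10.8.4.12
HTTP: processing GET URL '/admin/config' from host 10.8.4.12
HTTP: processing GET URL '/admin/exec//sh%20module%20%7c%20in%20(FirePOWER)' from host 192.0.2.50
"""

AUTH_RE = re.compile(r"(Authorization:\s*Basic\s+)[A-Za-z0-9+/=]+")
URL_RE = re.compile(r"processing GET URL '([^']+)' from host (\S+)")
EXEC_PREFIX = "/admin/exec/"

def redact_credentials(debug_text):
    """Replace every Basic credential with a marker; return (text, count)."""
    return AUTH_RE.subn(r"\1[REDACTED]", debug_text)

def summarize_requests(debug_text, expected_hosts):
    """Return (host, decoded action, host_is_expected) for each request."""
    rows = []
    for url, host in URL_RE.findall(debug_text):
        if url.startswith(EXEC_PREFIX):
            # /admin/exec//show%20version -> "show version"
            action = unquote(url[len(EXEC_PREFIX):]).lstrip("/")
        else:
            action = url  # e.g. /admin/config (full configuration fetch)
        rows.append((host, action, host in expected_hosts))
    return rows

if __name__ == "__main__":
    clean, count = redact_credentials(SAMPLE_DEBUG)
    print(f"redacted {count} credential(s)")
    for row in summarize_requests(clean, {"10.8.4.12"}):
        print(row)
```

Both regular expressions match within a line, so the script also works on a capture whose line breaks were lost.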
Revision | Publish Date | Comments |
---|---|---|
1.0 | 12-Feb-2024 | Initial Release |