Cisco® ASA
All-in-One Next-Generation Firewall, IPS, and VPN Services, Third Edition
Identify, mitigate, and respond to today’s highly sophisticated network attacks.
Today, network attackers are far more sophisticated, relentless, and dangerous. In response, Cisco ASA: All-in-One Next-Generation Firewall, IPS, and VPN Services has been fully updated to cover the newest techniques and Cisco technologies for maximizing end-to-end security in your environment. Three leading Cisco security experts guide you through every step of creating a complete security plan with Cisco ASA, and then deploying, configuring, operating, and troubleshooting your solution.
Fully updated for today’s newest ASA releases, this edition adds new coverage of ASA 5500-X, ASA 5585-X, ASA Services Module, ASA next-generation firewall services, EtherChannel, Global ACLs, clustering, IPv6 improvements, IKEv2, AnyConnect Secure Mobility VPN clients, and more. The authors explain significant recent licensing changes; introduce enhancements to ASA IPS; and walk you through configuring IPsec, SSL VPN, and NAT/PAT.
You’ll learn how to apply Cisco ASA adaptive identification and mitigation services to systematically strengthen security in network environments of all sizes and types. The authors present up-to-date sample configurations, proven design scenarios, and actual debugs, all designed to help you make the most of Cisco ASA in your rapidly evolving network.
Jazib Frahim, CCIE® No. 5459 (Routing and Switching; Security), Principal Engineer in the Global Security Solutions team, guides top-tier Cisco customers in security-focused network design and implementation. He architects, develops, and launches new security services concepts. His books include Cisco SSL VPN Solutions and Cisco Network Admission Control, Volume II: NAC Deployment and Troubleshooting.
Omar Santos, CISSP No. 463598, Cisco Product Security Incident Response Team (PSIRT) technical leader, leads and mentors engineers and incident managers in investigating and resolving vulnerabilities in Cisco products and protecting Cisco customers. Through 18 years in IT and cybersecurity, he has designed, implemented, and supported numerous secure networks for Fortune® 500 companies and the U.S. government. He is also the author of several other books and numerous whitepapers and articles.
Andrew Ossipov, CCIE® No. 18483 and CISSP No. 344324, is a Cisco Technical Marketing Engineer focused on firewalls, intrusion prevention, and data center security. Drawing on more than 16 years in networking, he works to solve complex customer technical problems, architect new features and products, and define future directions for Cisco’s product portfolio. He holds several pending patents.
Understand, install, configure, license, maintain, and troubleshoot the newest ASA devices
Efficiently implement Authentication, Authorization, and Accounting (AAA) services
Control and provision network access with packet filtering, context-aware Cisco ASA next-generation firewall services, and new NAT/PAT concepts
Configure IP routing, application inspection, and QoS
Create firewall contexts with unique configurations, interfaces, policies, routing tables, and administration
Enable integrated protection against many types of malware and advanced persistent threats (APTs) via Cisco Cloud Web Security and Cisco Security Intelligence Operations (SIO)
Implement high availability with failover and elastic scalability with clustering
Deploy, troubleshoot, monitor, tune, and manage Intrusion Prevention System (IPS) features
Implement site-to-site IPsec VPNs and all forms of remote-access VPNs (IPsec, clientless SSL, and client-based SSL)
Configure and troubleshoot Public Key Infrastructure (PKI)
Use IKEv2 to more effectively resist attacks against VPNs
Leverage IPv6 support for IPS, packet inspection, transparent firewalls, and site-to-site IPsec VPNs
Introduction
Chapter 1 Introduction to Security Technologies 1
Firewalls 2
Network Firewalls 2
Packet-Filtering Techniques 2
Application Proxies 3
Network Address Translation 3
Stateful Inspection Firewalls 6
Demilitarized Zones (DMZ) 7
Deep Packet Inspection 8
Next-Generation Context-Aware Firewalls 8
Personal Firewalls 9
Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) 9
Pattern Matching and Stateful Pattern-Matching Recognition 11
Protocol Analysis 12
Heuristic-Based Analysis 12
Anomaly-Based Analysis 12
Global Threat Correlation Capabilities 14
Virtual Private Networks 14
Technical Overview of IPsec 16
IKEv1 Phase 1 16
IKEv1 Phase 2 20
IKEv2 23
SSL VPNs 23
Cisco AnyConnect Secure Mobility 25
Cloud and Virtualization Security 26
Chapter 2 Cisco ASA Product and Solution Overview 29
Cisco ASA Model Overview 30
Cisco ASA 5505 Model 31
Cisco ASA 5510 Model 35
Cisco ASA 5512-X Model 38
Cisco ASA 5515-X Model 40
Cisco ASA 5520 Model 41
Cisco ASA 5525-X Model 42
Cisco ASA 5540 Model 43
Cisco ASA 5545-X Model 44
Cisco ASA 5550 Model 45
Cisco ASA 5555-X Model 46
Cisco ASA 5585-X Models 47
Cisco Catalyst 6500 Series ASA Services Module 51
Cisco ASA 1000V Cloud Firewall 52
Cisco ASA Next-Generation Firewall Services (Formerly Cisco ASA CX) 53
Cisco ASA AIP-SSM Module 53
Cisco ASA AIP-SSM-10 54
Cisco ASA AIP-SSM-20 54
Cisco ASA AIP-SSM-40 54
Cisco ASA Gigabit Ethernet Modules 55
Cisco ASA SSM-4GE 55
Cisco ASA 5580 Expansion Cards 56
Cisco ASA 5500-X Series 6-Port GE Interface Cards 57
Chapter 3 Licensing 59
Licensed Features on ASA 59
Basic Platform Capabilities 61
Advanced Security Features 63
Tiered Capacity Features 65
Displaying License Information 66
Managing Licenses with Activation Keys 68
Permanent and Time-Based Activation Keys 68
Combining Keys 69
Time-Based Key Expiration 70
Using Activation Keys 71
Combined Licenses in Failover and Clustering 73
License Aggregation Rules 73
Aggregated Time-Based License Countdown 75
Shared Premium VPN Licensing 75
Shared Server and Participants 76
Shared License 76
Shared Licensing Operation 76
Configuring Shared Licensing 78
Licensing Server 78
Participants 79
Backup Licensing Server 79
Monitoring Shared Licensing Operation 80
Chapter 4 Initial Setup 81
Accessing the Cisco ASA Appliances 81
Establishing a Console Connection 82
Command-Line Interface 85
Managing Licenses 87
Initial Setup 90
Initial Setup via CLI 90
Initial Setup of ASDM 92
Uploading ASDM 92
Setting Up the Appliance 93
Accessing ASDM 94
Functional Screens of ASDM 97
Device Setup 100
Setting Up a Device Name and Passwords 100
Configuring an Interface 102
Configuring a Data-Passing Interface 102
Configuring a Subinterface 106
Configuring an EtherChannel Interface 109
Configuring a Management Interface 111
DHCP Services 112
Setting Up the System Clock 114
Manual Clock Adjustment 114
Time Zone 114
Date 116
Time 116
Automatic Clock Adjustment Using the Network Time Protocol 116
Chapter 5 System Maintenance 119
Configuration Management 119
Running Configuration 119
Startup Configuration 123
Removing the Device Configuration 124
Remote System Management 126
Telnet 126
Secure Shell (SSH) 129
System Maintenance 132
Software Installation 132
Image Upgrade via Cisco ASDM 132
Image Upgrade via the Cisco ASA CLI 133
Image Upload Using ROMMON 136
Password Recovery Process 137
Disabling the Password Recovery Process 141
System Monitoring 144
System Logging 144
Enabling Logging 146
Defining Event List 147
Logging Types 149
Defining a Syslog Server 153
Defining an Email Server 154
Storing Logs Internally and Externally 154
Syslog Message ID Tuning 156
NetFlow Secure Event Logging (NSEL) 156
Step 1: Define a NetFlow Collector 157
Step 2: Define a NetFlow Export Policy 159
Simple Network Management Protocol (SNMP) 160
Configuring SNMP 161
SNMP Monitoring 164
Device Monitoring and Troubleshooting 165
CPU and Memory Monitoring 165
Troubleshooting Device Issues 168
Troubleshooting Packet Issues 168
Troubleshooting CPU Issues 172
Chapter 6 Cisco ASA Services Module 173
Cisco ASA Services Module Overview 173
Hardware Architecture 174
Host Chassis Integration 175
Managing Host Chassis 176
Assigning VLAN Interfaces 177
Monitoring Traffic Flow 178
Common Deployment Scenarios 180
Internal Segment Firewalling 181
Edge Protection 182
Trusted Flow Bypass with Policy Based Routing 183
Traffic Flow 185
Sample PBR Configuration 185
Chapter 7 Authentication, Authorization, and Accounting (AAA) Services 191
AAA Protocols and Services Supported by Cisco ASA 192
RADIUS 194
TACACS+ 195
RSA SecurID 196
Microsoft Windows NTLM 197
Active Directory and Kerberos 197
Lightweight Directory Access Protocol 197
Defining an Authentication Server 198
Configuring Authentication of Administrative Sessions 204
Authenticating Telnet Connections 204
Authenticating SSH Connections 206
Authenticating Serial Console Connections 207
Authenticating Cisco ASDM Connections 208
Authenticating Firewall Sessions (Cut-Through Proxy Feature) 209
Authentication Timeouts 214
Customizing Authentication Prompts 214
Configuring Authorization 215
Command Authorization 217
Configuring Downloadable ACLs 218
Configuring Accounting 219
RADIUS Accounting 220
TACACS+ Accounting 221
Troubleshooting Administrative Connections to Cisco ASA 222
Troubleshooting Firewall Sessions (Cut-Through Proxy) 225
ASDM and CLI AAA Test Utility 226
Chapter 8 Controlling Network Access: The Traditional Way 229
Packet Filtering 229
Types of ACLs 232
Standard ACLs 233
Extended ACLs 233
EtherType ACLs 233
Webtype ACLs 234
Comparing ACL Features 234
Through-the-Box-Traffic Filtering 235
To-the-Box-Traffic Filtering 240
Advanced ACL Features 243
Object Grouping 243
Object Types 243
Configuration of Object Types 245
Object Grouping and ACLs 248
Standard ACLs 250
Time-Based ACLs 251
Downloadable ACLs 254
ICMP Filtering 254
Deployment Scenario for Traffic Filtering 255
Using ACLs to Filter Inbound Traffic 255
Configuration Steps with ASDM 257
Configuration Steps with CLI 259
Monitoring Network Access Control 260
Monitoring ACLs 260
Chapter 9 Implementing Next-Generation Firewall Services with ASA CX 267
CX Integration Overview 268
Logical Architecture 269
Hardware Modules 270
Software Modules 271
High Availability 272
ASA CX Architecture 273
Data Plane 274
Eventing and Reporting 275
User Identity 275
TLS Decryption Proxy 276
HTTP Inspection Engine 276
Application Inspection Engine 276
Management Plane 276
Control Plane 276
Preparing ASA CX for Configuration 277
Managing ASA CX with PRSM 282
Using PRSM 283
Configuring User Accounts 286
CX Licensing 288
Component and Software Updates 290
Signatures and Engines 290
System Software 291
Configuration Database Backup 292
Defining CX Policy Elements 293
Network Groups 295
Identity Objects 296
URL Objects 298
User Agent Objects 299
Application Objects 299
Secure Mobility Objects 300
Interface Roles 301
Service Objects 302
Application-Service Objects 303
Source Object Groups 304
Destination Object Groups 305
File Filtering Profiles 306
Web Reputation Profiles 306
NG IPS Profiles 307
Enabling User Identity Services 309
Configuring Directory Servers 310
Connecting to AD Agent or CDA 312
Tuning Authentication Settings 313
Defining User Identity Discovery Policy 314
Enabling TLS Decryption 316
Configuring Decryption Settings 318
Defining a Decryption Policy 320
Enabling NG IPS 323
Defining Context-Aware Access Policies 324
Configuring ASA for CX Traffic Redirection 327
Monitoring ASA CX 329
Dashboard Reports 329
Connection and System Events 331
Packet Captures 332
Chapter 10 Network Address Translation 337
Types of Address Translation 338
Network Address Translation 338
Port Address Translation 340
Address Translation Methods 341
Static NAT/PAT 341
Dynamic NAT/PAT 343
Policy NAT/PAT 344
Identity NAT 344
Security Protection Mechanisms Within Address Translation 345
Randomization of Sequence Numbers 345
TCP Intercept 346
Understanding Address Translation Behavior 346
Address Translation Behavior Prior to Version 8.3 346
Packet Flow Sequence in Pre-8.3 Version 347
NAT Order of Operation for Pre-8.3 Versions 348
Redesigning Address Translation (Version 8.3 and Later) 349
NAT Modes in Version 8.3 and Later 349
NAT Order of Operation for Version 8.3 and Later 350
Configuring Address Translation 350
Auto NAT Configuration 351
Available Auto NAT Settings 351
Auto NAT Configuration Example 353
Manual NAT Configuration 356
Available Manual NAT Settings 356
Manual NAT Configuration Example 357
Integrating ACLs and NAT 359
Pre-8.3 Behavior for NAT and ACL Integration 359
Behavior of NAT and ACL Integration in Version 8.3 and Later 361
Configuration Use Cases 362
Use Case 1: Dynamic PAT for Inside Network with Static NAT for a DMZ Web Server 363
Use Case 2: Static PAT for a Web Server Located on the DMZ Network 364
Use Case 3: Static NAT for Overlapping Subnets Using Twice NAT 366
Use Case 4: Identity NAT for Site-to-Site VPN Tunnel 367
Use Case 5: Dynamic PAT for Remote-Access VPN Clients 369
DNS Doctoring 372
Monitoring Address Translations 375
Chapter 11 IPv6 Support 379
IP Version 6 Introduction 379
IPv6 Header 380
Supported IPv6 Address Types 381
Global Unicast Address 382
Site-Local Address 382
Link-Local Address 382
Configuring IPv6 382
IP Address Assignment 383
IPv6 DHCP Relay 384
Optional IPv6 Parameters 385
Neighbor Solicitation Messages 385
Neighbor Reachable Time 385
Router Advertisement Transmission Interval 385
Setting Up an IPv6 ACL 386
IPv6 Address Translation 389
Chapter 12 IP Routing 391
Configuring Static Routes 392
Static Route Monitoring 395
Displaying the Routing Table 399
RIP 400
Configuring RIP 401
RIP Authentication 403
RIP Route Filtering 406
Configuring RIP Redistribution 409
Troubleshooting RIP 409
Scenario 1: RIP Version Mismatch 410
Scenario 2: RIP Authentication Mismatch 411
Scenario 3: Multicast or Broadcast Packets Blocked 411
OSPF 412
Configuring OSPF 413
Enabling OSPF 414
OSPF Virtual Links 419
Configuring OSPF Authentication 422
Configuring OSPF Redistribution 426
Stub Areas and NSSAs 428
OSPF Type 3 LSA Filtering 429
OSPF neighbor Command and Dynamic Routing over a VPN Tunnel 431
OSPFv3 433
Troubleshooting OSPF 433
Useful Troubleshooting Commands 433
Mismatched Areas 440
OSPF Authentication Mismatch 440
Troubleshooting Virtual Link Problems 440
EIGRP 441
Configuring EIGRP 441
Enabling EIGRP 441
Configuring Route Filtering for EIGRP 445
EIGRP Authentication 447
Defining Static EIGRP Neighbors 448
Route Summarization in EIGRP 448
Split Horizon 450
Route Redistribution in EIGRP 450
Controlling Default Information 453
Troubleshooting EIGRP 454
Useful Troubleshooting Commands 454
Scenario 1: Link Failures 458
Scenario 2: Misconfigured Hello and Hold Intervals 459
Scenario 3: Misconfigured Authentication Parameters 462
Chapter 13 Application Inspection 465
Enabling Application Inspection 468
Selective Inspection 469
CTIQBE Inspection 473
DCERPC Inspection 476
DNS Inspection 476
ESMTP Inspection 481
File Transfer Protocol 484
General Packet Radio Service Tunneling Protocol 486
GTPv0 487
GTPv1 489
Configuring GTP Inspection 490
H.323 492
H.323 Protocol Suite 493
H.323 Version Compatibility 495
Enabling H.323 Inspection 496
Direct Call Signaling and Gatekeeper Routed Control Signaling 499
T.38 499
Cisco Unified Communications Advanced Support 499
Phone Proxy 500
TLS Proxy 505
Mobility Proxy 506
Presence Federation Proxy 506
HTTP 507
Enabling HTTP Inspection 507
strict-http Command 510
content-length Command 510
content-type-verification Command 511
max-header-length Command 511
max-uri-length Command 512
port-misuse Command 512
request-method Command 513
transfer-encoding type Command 515
ICMP 515
ILS 516
Instant Messenger (IM) 517
IPsec Pass-Through 518
MGCP 519
NetBIOS 521
PPTP 522
Sun RPC 522
RSH 523
RTSP 523
SIP 524
Skinny (SCCP) 525
SNMP 527
SQL*Net 528
TFTP 528
WAAS 528
XDMCP 529
Chapter 14 Virtualization 531
Architectural Overview 533
System Execution Space 533
Admin Context 535
User Context 535
Packet Classification 538
Packet Classification Criteria 538
Destination IP Address 539
Unique MAC Address 540
Packet Flow in Multiple Mode 541
Forwarding Without a Shared Interface 541
Forwarding with a Shared Interface 542
Configuration of Security Contexts 544
Step 1: Enable Multiple Security Contexts Globally 544
Step 2: Set Up the System Execution Space 547
Step 3: Configure Interfaces 549
Step 4: Specify a Configuration URL 550
Step 5: Configure an Admin Context 552
Step 6: Configure a User Context 553
Step 7: Manage the Security Contexts (Optional) 554
Step 8: Resource Management (Optional) 555
Step 1: Define a Resource Class 556
Step 2: Map the Resource Class to a Context 558
Deployment Scenarios 559
Virtual Firewall with Non-Shared Interfaces 559
Configuration Steps with ASDM 561
Configuration Steps with CLI 569
Virtual Firewall with a Shared Interface 572
Configuration Steps with ASDM 574
Configuration Steps Using CLI 582
Monitoring and Troubleshooting the Security Contexts 586
Monitoring 586
Troubleshooting 588
Security Contexts Are Not Added 588
Security Contexts Are Not Saved on the Local Disk 588
Security Contexts Are Not Saved on the FTP Server 589
User Having Connectivity Issues When Shared Security Contexts Are Used 590
Chapter 15 Transparent Firewalls 591
Architectural Overview 594
Single-Mode Transparent Firewalls 594
Packet Flow in an SMTF 595
Multimode Transparent Firewalls 597
Packet Flow in an MMTF 597
Restrictions When Using Transparent Firewalls 599
Transparent Firewalls and VPNs 599
Transparent Firewalls and NAT 600
Configuration of Transparent Firewalls 602
Configuration Guidelines 602
Configuration Steps 603
Step 1: Enable Transparent Firewalls 603
Step 2: Set Up Interfaces 604
Step 3: Configure an IP Address 605
Step 4: Set Up Routes 606
Step 5: Configure Interface ACLs 608
Step 6: Configure NAT (Optional) 611
Step 7: Add Static L2F Table Entries (Optional) 612
Step 8: Enable ARP Inspection (Optional) 613
Step 9: Modify L2F Table Parameters (Optional) 615
Deployment Scenarios 616
SMTF Deployment 617
Configuration Steps Using ASDM 618
Configuration Steps Using CLI 622
MMTF Deployment with Security Contexts 623
Configuration Steps Using ASDM 625
Configuration Steps Using CLI 632
Monitoring and Troubleshooting Transparent Firewalls 636
Monitoring 636
Troubleshooting 637
Hosts Are Not Able to Communicate 637
Moved Host Is Not Able to Communicate 639
General Syslogging 640
Chapter 16 High Availability 641
Redundant Interfaces 642
Using Redundant Interfaces 642
Deployment Scenarios 643
Configuration and Monitoring 644
Static Route Tracking 646
Configuring Static Routes with an SLA Monitor 647
Floating Connection Timeout 649
Sample Backup ISP Deployment 649
Failover 652
Unit Roles and Functions in Failover 652
Stateful Failover 653
Active/Standby and Active/Active Failover 654
Failover Hardware and Software Requirements 656
Zero Downtime Upgrade in Failover 657
Failover Licensing 658
Failover Interfaces 658
Stateful Link 659
Failover Link Security 659
Data Interface Addressing 660
Asymmetric Routing Groups 662
Failover Health Monitoring 664
State and Role Transition 666
Configuring Failover 667
Basic Failover Settings 668
Data Interface Configuration 671
Failover Policies and Timers 673
Active/Active Failover 674
Monitoring and Troubleshooting Failover 678
Active/Standby Failover Deployment Scenario 680
Clustering 685
Unit Roles and Functions in Clustering 685
Master and Slave Units 685
Flow Owner 686
Flow Director 686
Flow Forwarder 687
Clustering Hardware and Software Requirements 687
Zero Downtime Upgrade in Clustering 688
Unsupported Features 689
Cluster Licensing 690
Control and Data Interfaces 690
Spanned EtherChannel Mode 693
Individual Mode 695
Cluster Management 697
Cluster Health Monitoring 697
Network Address Translation 698
Performance 700
Centralized Features 701
Scaling Factors 701
Packet Flow 702
TCP Connection Processing 702
UDP Connection Processing 703
Centralized Connection Processing 705
State Transition 705
Configuring Clustering 706
Setting Interface Mode 707
Management Access for ASDM Deployment 708
Building a Cluster 710
Data Interface Configuration 714
Monitoring and Troubleshooting Clustering 717
Spanned EtherChannel Cluster Deployment Scenario 720
Chapter 17 Implementing Cisco ASA Intrusion Prevention System (IPS) 733
IPS Integration Overview 733
IPS Logical Architecture 735
IPS Hardware Modules 735
IPS Software Modules 736
Inline and Promiscuous Modes 737
IPS High Availability 739
Cisco IPS Software Architecture 739
MainApp 741
AuthenticationApp 741
Attack Response Controller 742
cipsWebserver 742
Logger 742
CtlTransSource 743
NotificationApp 743
SensorApp 743
CollaborationApp 744
EventStore 744
Preparing ASA IPS for Configuration 744
Installing CIPS System Software 744
Accessing CIPS from the ASA CLI 747
Configuring Basic Management Settings 748
Setting Up ASDM for IPS Management 752
Installing the CIPS License Key 752