Cisco ASA: All-in-One Firewall, IPS, and VPN Adaptive Security Appliance

Premium Website

  • Sorry, this book is no longer in print.
  • Copyright 2006
  • Edition: 1st
  • ISBN-10: 1-58705-209-1
  • ISBN-13: 978-1-58705-209-5

Identify, mitigate, and respond to network attacks

  • Understand the evolution of security technologies that make up the unified ASA device and how to install the ASA hardware
  • Examine firewall solutions including network access control, IP routing, AAA, application inspection, virtual firewalls, transparent (Layer 2) firewalls, failover and redundancy, and QoS
  • Evaluate Intrusion Prevention System (IPS) solutions including IPS integration and Adaptive Inspection and Prevention Security Services Module (AIP-SSM) configuration
  • Deploy VPN solutions including site-to-site IPsec VPNs, remote-access VPNs, and Public Key Infrastructure (PKI)
  • Learn to manage firewall, IPS, and VPN solutions with Adaptive Security Device Manager (ASDM)

Achieving maximum network security is a challenge for most organizations. Cisco® ASA, a new unified security device that combines firewall, network antivirus, intrusion prevention, and virtual private network (VPN) capabilities, provides proactive threat defense that stops attacks before they spread through the network.

This new family of adaptive security appliances also controls network activity and application traffic and delivers flexible VPN connectivity. The result is a powerful multifunction network security device that provides the security breadth and depth for protecting your entire network, while reducing the high deployment and operations costs and complexities associated with managing multiple point products.

Cisco ASA: All-in-One Firewall, IPS, and VPN Adaptive Security Appliance is a practitioner’s guide to planning, deploying, and troubleshooting a comprehensive security plan with Cisco ASA. The book provides valuable insight and deployment examples and demonstrates how adaptive identification and mitigation services on Cisco ASA provide a sophisticated security solution for both large and small network environments.

The book contains many useful sample configurations, proven design scenarios, and discussions of debugs that help you understand how to get the most out of Cisco ASA in your own network.

“I have found this book really highlights the practical aspects needed for building real-world security. It offers the insider’s guidance needed to plan, implement, configure, and troubleshoot the Cisco ASA in customer environments and demonstrates the potential and power of Self-Defending Networks.”

–Jayshree Ullal, Sr. Vice President, Security Technologies Group, Cisco Systems® 

This security book is part of the Cisco Press® Networking Technology Series. Security titles from Cisco Press help networking professionals secure critical data and resources, prevent and mitigate network attacks, and build end-to-end self-defending networks.

Online Sample Chapter

Cisco ASA Security Contexts

Downloadable Sample Chapter

Download - 184 KB -- Chapter 9: Security Contexts

Table of Contents
Part I Product Overview

Chapter 1 Introduction to Network Security

Firewall Technologies

Network Firewalls

Packet-Filtering Techniques

Application Proxies

Network Address Translation

Port Address Translation

Static Translation

Stateful Inspection Firewalls

Personal Firewalls

Intrusion Detection and Prevention Technologies

Network-Based Intrusion Detection and Prevention Systems

Pattern Matching and Stateful Pattern-Matching Recognition

Protocol Analysis

Heuristic-Based Analysis

Anomaly-Based Analysis

Host-Based Intrusion Detection Systems

Network-Based Attacks

DoS Attacks

TCP SYN Flood Attacks

land.c Attacks

Smurf Attacks

DDoS Attacks

Session Hijacking

Virtual Private Networks

Understanding IPSec

Internet Key Exchange

IKE Phase 1

IKE Phase 2

IPSec Protocols

Authentication Header

Encapsulation Security Payload

IPSec Modes

Transport Mode

Tunnel Mode


Chapter 2 Product History

Cisco Firewall Products

Cisco PIX Firewalls

Cisco FWSM

Cisco IOS Firewall

Cisco IDS Products

Cisco VPN Products

Cisco ASA All-in-One Solution

Firewall Services

IPS Services

VPN Services


Chapter 3 Hardware Overview

Cisco ASA 5510 Model

Cisco ASA 5520 Model

Cisco ASA 5540 Model

AIP-SSM Modules


Part II Firewall Solution

Chapter 4 Initial Setup and System Maintenance

Accessing the Cisco ASA Appliances

Establishing a Console Connection

Command-Line Interface

Managing Licenses

Initial Setup

Setting Up the Device Name

Configuring an Interface

Configuring a Subinterface

Configuring a Management Interface

DHCP Services

IP Version 6

IPv6 Header

Configuring IPv6

IP Address Assignment

Setting Up the System Clock

Manual Clock Adjustment Using clock set

Automatic Clock Adjustment Using the Network Time Protocol

Time Zones and Daylight Savings Time

Configuration Management

Running Configuration

Startup Configuration

Removing the Device Configuration

Remote System Management


Secure Shell

System Maintenance

Software Installation

Image Upgrade via the Cisco ASA CLI

Image Recovery Using ROMMON

Password Recovery Process

Disabling the Password Recovery Process

System Monitoring

System Logging

Enabling Logging

Logging Types

Additional Syslog Parameters

Simple Network Management Protocol

Configuring SNMP

SNMP Monitoring

CPU and Memory Monitoring


Chapter 5 Network Access Control

Packet Filtering

Types of ACLs

Standard ACLs

Extended ACLs


EtherType ACLs


Comparing ACL Features

Configuring Packet Filtering

Step 1: Set Up an ACL

Step 2: Apply an ACL to an Interface

Step 3: Set Up an IPv6 ACL (Optional)

Advanced ACL Features

Object Grouping

Object Types

Object Grouping and ACLs

Standard ACLs

Time-Based ACLs



Downloadable ACLs

ICMP Filtering

Content and URL Filtering

Content Filtering

ActiveX Filtering

Java Filtering

Configuring Content Filtering

URL Filtering

Configuring URL Filtering

Deployment Scenarios Using ACLs

Using ACLs to Filter Inbound and Outbound Traffic

Enabling Content Filtering Using Websense

Monitoring Network Access Control

Monitoring ACLs

Monitoring Content Filtering

Understanding Address Translation

Network Address Translation

Port Address Translation

Packet Flow Sequence

Configuring Address Translation

Static NAT

Dynamic Network Address Translation

Static Port Address Translation

Dynamic Port Address Translation

Policy NAT/PAT

Bypassing Address Translation

Identity NAT

NAT Exemption

NAT Order of Operation

Integrating ACLs and NAT

DNS Doctoring

Monitoring Address Translations


Chapter 6 IP Routing

Configuring Static Routes


Configuring RIP

Verifying the Configuration

Troubleshooting RIP

Scenario 1: RIP Version Mismatch

Scenario 2: RIP Authentication Mismatch

Scenario 3: Multicast or Broadcast Packets Blocked

Scenario 4: Correct Configuration and Behavior


Configuring OSPF

Enabling OSPF

Virtual Links

Configuring OSPF Authentication

Configuring the Cisco ASA as an ASBR

Stub Areas and NSSAs

ABR Type 3 LSA Filtering

OSPF neighbor Command and Dynamic Routing over VPN

Troubleshooting OSPF

Useful Troubleshooting Commands

Mismatched Areas

OSPF Authentication Mismatch

Troubleshooting Virtual Link Problems

IP Multicast


IP Multicast Routing

Configuring Multicast Routing

Enabling Multicast Routing

Statically Assigning an IGMP Group

Limiting IGMP States

IGMP Query Timeout

Defining the IGMP Version

Configuring Rendezvous Points

Configuring Threshold for SPT Switchover

Filtering RP Register Messages

PIM Designated Router Priority

PIM Hello Message Interval

Configuring a Static Multicast Route

Troubleshooting IP Multicast Routing

show Commands

debug Commands

Deployment Scenarios

Deploying OSPF

Deploying IP Multicast


Chapter 7 Authentication, Authorization, and Accounting (AAA)

AAA Protocols and Services Supported by Cisco ASA

Microsoft Windows NT

Active Directory and Kerberos

Lightweight Directory Access Protocol

Defining an Authentication Server

Configuring Authentication of Administrative Sessions

Authenticating Telnet Connections

Authenticating SSH Connections

Authenticating Serial Console Connections

Authenticating Cisco ASDM Connections

Authenticating Firewall Sessions (Cut-Through Proxy Feature)

Authentication Timeouts

Customizing Authentication Prompts

Configuring Authorization

Command Authorization

Configuring Downloadable ACLs

Configuring Accounting

RADIUS Accounting

TACACS+ Accounting

Deployment Scenarios

Deploying Authentication, Command Authorization, and Accounting for Administrative Sessions

Deploying Cut-Through Proxy Authentication

Troubleshooting AAA

Troubleshooting Administrative Connections to Cisco ASA

Troubleshooting Firewall Sessions (Cut-Through Proxy)


Chapter 8 Application Inspection

Enabling Application Inspection Using the Modular Policy Framework

Selective Inspection

Computer Telephony Interface Quick Buffer Encoding Inspection

Domain Name System

Extended Simple Mail Transfer Protocol

File Transfer Protocol

General Packet Radio Service Tunneling Protocol



Configuring GTP Inspection


H.323 Protocol Suite

H.323 Version Compatibility

Enabling H.323 Inspection

Direct Call Signaling and Gatekeeper Routed Control Signaling



Enabling HTTP Inspection

transfer-encoding type

Deployment Scenarios


Chapter 9 Security Contexts

Architectural Overview

System Execution Space

Admin Context

Customer Context

Packet Flow in Multiple Mode

Packet Classification

Packet Forwarding Between Contexts

Configuration of Security Contexts

Step 1: Enabling Multiple Security Contexts Globally

Step 2: Setting Up the System Execution Space

Step 3: Specifying a Configuration URL

Step 4: Allocating the Interfaces

Step 5: Configuring an Admin Context

Step 6: Configuring a Customer Context

Step 7: Managing the Security Contexts (Optional)

Deployment Scenarios

Virtual Firewall Using Two Customer Contexts

Virtual Firewall Using a Shared Interface

Monitoring and Troubleshooting the Security Contexts


Chapter 10 Transparent Firewalls

Architectural Overview

Single-Mode Transparent Firewall

Packet Flow in an SMTF

Multimode Transparent Firewall

Packet Flow in an MMTF

Transparent Firewalls and VPNs

Configuration of Transparent Firewall

Configuration Guidelines

Configuration Steps

Step 1: Enabling Transparent Firewalls

Step 2: Setting Up Interfaces

Step 3: Configuring an IP Address

Step 4: Configuring Interface ACLs

Step 5: Adding Static L2F Table Entries (Optional)

Step 6: Enabling ARP Inspection (Optional)

Step 7: Modifying L2F Table Parameters (Optional)

Deployment Scenarios

SMTF Deployment

MMTF Deployment with Security Contexts

Monitoring and Troubleshooting the Transparent Firewall


Chapter 11 Failover and Redundancy

Architectural Overview

Conditions that Trigger Failover

Failover Interface Tests

Stateful Failover

Hardware and Software Requirements

Types of Failover

Active/Standby Failover

Active/Active Failover

Asymmetric Routing

Failover Configuration

Active/Standby Failover Configuration

Step 1: Select the Failover Link

Step 2: Assign Failover IP Addresses

Step 3: Set the Failover Key (Optional)

Step 4: Designating the Primary Cisco ASA

Step 5: Enable Stateful Failover (Optional)

Step 6: Enable Failover Globally

Step 7: Configure Failover on the Secondary Cisco ASA

Active/Active Failover Configuration

Step 1: Select the Failover Link

Step 2: Assign Failover Interface IP Addresses

Step 3: Set Failover Key

Step 4: Designate the Primary Cisco ASA

Step 5: Enable Stateful Failover

Step 6: Set Up Failover Groups

Step 7: Assign Failover Group Membership

Step 8: Assign Interface IP Addresses

Step 9: Set Up Asymmetric Routing (Optional)

Step 10: Enable Failover Globally

Step 11: Configure Failover on the Secondary Cisco ASA

Optional Failover Commands

Specifying Failover MAC Addresses

Configuring Interface Policy

Managing Failover Timers

Monitoring Failover Interfaces

Zero-Downtime Software Upgrade

Deployment Scenarios

Active/Standby Failover in Single Mode

Active/Active Failover in Multiple Security Contexts

Monitoring and Troubleshooting Failovers


Chapter 12 Quality of Service

Architectural Overview

Traffic Policing

Traffic Prioritization

Packet Flow Sequence

Packet Classification

IP Precedence Field


IP Access Control List

IP Flow

VPN Tunnel Group

QoS and VPN Tunnels

Configuring Quality of Service

Step 1: Set Up a Class Map

Step 2: Configure a Policy Map

Step 3: Apply the Policy Map on the Interface

Step 4: Tune the Priority Queue (Optional)

QoS Deployment Scenarios

QoS for VoIP Traffic

QoS for the Remote-Access VPN Tunnels

Monitoring QoS


Part III Intrusion Prevention System (IPS) Solution

Chapter 13 Intrusion Prevention System Integration

Adaptive Inspection and Prevention Security Services Module (AIP-SSM) Overview

AIP-SSM Management

Inline Versus Promiscuous Mode

Directing Traffic to the AIP-SSM

AIP-SSM Module Software Recovery

Additional IPS Features

IP Audit


Chapter 14 Configuring and Troubleshooting Cisco IPS Software via CLI

Cisco IPS Software Architecture
Network Access Controller
Introduction to the CIPS 5.x Command-Line Interface

Logging In to the AIP-SSM via the CLI

CLI Command Modes

Initializing the AIP-SSM

User Administration

User Account Roles and Levels

Administrator Account

Operator Account

Viewer Account

Service Account

Adding and Deleting Users by Using the CLI

Creating Users

Deleting Users

Changing Passwords

AIP-SSM Maintenance

Adding Trusted Hosts

SSH Known Host List

TLS Known Host List

Upgrading the CIPS Software and Signatures via the CLI

One-Time Upgrades

Scheduled Upgrades

Displaying Software Version and Configuration Information

Backing Up Your Configuration

Displaying and Clearing Events

Displaying and Clearing Statistics

Advanced Features and Configuration

IPS Tuning

Disabling and Retiring IPS Signatures

Custom Signatures

IP Logging

Automatic Logging

Manual Logging of Specific Host Traffic

Configuring Blocking (Shunning)


Part IV Virtual Private Network (VPN) Solution

Chapter 15 Site-to-Site IPSec VPNs

Preconfiguration Checklist

Configuration Steps

Step 1: Enable ISAKMP

Step 2: Create the ISAKMP Policy

Step 3: Set the Tunnel Type

Step 4: Configure ISAKMP Preshared Keys

Step 5: Define the IPSec Policy

Step 6: Specify Interesting Traffic

Step 7: Configure a Crypto Map

Step 8: Apply the Crypto Map to an Interface

Step 9: Configuring Traffic Filtering

Step 10: Bypassing NAT (Optional)

Advanced Features

OSPF Updates over IPSec

Reverse Route Injection

NAT Traversal

Tunnel Default Gateway

Optional Commands

Perfect Forward Secrecy

Security Association Lifetimes

Phase 1 Mode

Connection Type


ISAKMP Keepalives

Deployment Scenarios

Single Site-to-Site Tunnel Configuration Using NAT-T

Fully Meshed Topology with RRI

Monitoring and Troubleshooting Site-to-Site IPSec VPNs

Monitoring Site-to-Site VPNs

Troubleshooting Site-to-Site VPNs

ISAKMP Proposal Unacceptable

Mismatched Preshared Keys

Incompatible IPSec Transform Set

Mismatched Proxy Identities


Chapter 16 Remote Access VPN

Cisco IPSec Remote Access VPN Solution

Configuration Steps

Step 1: Enable ISAKMP

Step 2: Create the ISAKMP Policy

Step 3: Configure Remote-Access Attributes

Step 4: Define the Tunnel Type

Step 5: Configure ISAKMP Preshared Keys

Step 6: Configure User Authentication

Step 7: Assign an IP Address

Step 8: Define the IPSec Policy

Step 9: Set Up a Dynamic Crypto Map

Step 10: Configure the Crypto Map

Step 11: Apply the Crypto Map to an Interface

Step 12: Configure Traffic Filtering

Step 13: Set Up a Tunnel Default Gateway (Optional)

Step 14: Bypass NAT (Optional)

Step 15: Set Up Split Tunneling (Optional)

Cisco VPN Client Configuration

Software-Based VPN Clients

Hardware-Based VPN Clients

Advanced Cisco IPSec VPN Features

Transparent Tunneling

NAT Traversal

IPSec over TCP

IPSec over UDP

IPSec Hairpinning

VPN Load-Balancing

Client Auto-Update

Client Firewalling

Personal Firewall Check

Central Protection Policy

Hardware-Based Easy VPN Client Features

Interactive Hardware Client Authentication

Individual User Authentication

Cisco IP Phone Bypass

Leap Bypass

Hardware Client Network Extension Mode

Deployment Scenarios of Cisco IPSec VPN

IPSec Hairpinning with Easy VPN and Firewalling

Load-Balancing and Site-to-Site Integration

Monitoring and Troubleshooting Cisco Remote Access VPN

Monitoring Cisco Remote Access IPSec VPNs

Troubleshooting Cisco IPSec VPN Clients

Cisco WebVPN Solution

Configuration Steps

Step 1: Enable the HTTP Service

Step 2: Enable WebVPN on the Interface

Step 3: Configure WebVPN Look and Feel

Step 4: Configure WebVPN Group Attributes

Step 5: Configure User Authentication

Advanced WebVPN Features

Port Forwarding

Configuring URL Mangling

E-Mail Proxy

Authentication Methods for E-Mail Proxy

Identifying E-Mail Servers for E-Mail Proxies


Windows File Sharing

WebVPN Access Lists

Deployment Scenarios of WebVPN

WebVPN with External Authentication

WebVPN with E-Mail Proxies

Monitoring and Troubleshooting WebVPN

Monitoring WebVPN

Troubleshooting WebVPN

SSL Negotiations

WebVPN Data Capture

E-Mail Proxy Issues


Chapter 17 Public Key Infrastructure (PKI)

Introduction to PKI


Certificate Authority

Certificate Revocation List

Simple Certificate Enrollment Protocol

Enrolling the Cisco ASA to a CA Using SCEP

Generating the RSA Key Pair

Configuring a Trustpoint

Manual (Cut-and-Paste) Enrollment

Configuration for Manual Enrollment

Obtaining the CA Certificate

Generating the ID Certificate Request and Importing the ID Certificate

Configuring CRL Options

Configuring IPSec Site-to-Site Tunnels Using Certificates

Configuring the Cisco ASA to Accept Remote-Access VPN Clients Using Certificates

Enrolling the Cisco VPN Client

Configuring the Cisco ASA

Troubleshooting PKI

Time and Date Mismatch

SCEP Enrollment Problems

CRL Retrieval Problems


Part V Adaptive Security Device Manager

Chapter 18 Introduction to ASDM

Setting Up ASDM

Uploading ASDM

Setting Up Cisco ASA

Accessing ASDM

Initial Setup

Startup Wizard

Functional Screens

Configuration Screen

Monitoring Screen

Interface Management

System Clock

Configuration Management

Remote System Management

System Maintenance

Software Installation

File Management

System Monitoring

System Logging


Chapter 19 Firewall Management Using ASDM

Access Control Lists

Address Translation

Routing Protocols
Application Inspection

Security Contexts

Transparent Firewalls



Chapter 20 IPS Management Using ASDM

Accessing the IPS Device Management Console from ASDM

Configuring Basic AIP-SSM Settings


Verifying Network Settings

Adding Allowed Hosts

Configuring NTP

Adding Users

Advanced IPS Configuration and Monitoring Using ASDM

Disabling and Enabling Signatures

Configuring Blocking

Creating Custom Signatures

Creating Event Action Filters

Installing Signature Updates and Software Service Packs

Configuring Auto-Update


Chapter 21 VPN Management Using ASDM

Site-to-Site VPN Setup Using Preshared Keys

Site-to-Site VPN Setup Using PKI

Cisco Remote-Access IPSec VPN Setup


VPN Monitoring


Chapter 22 Case Studies

Case Study 1: Deploying the Cisco ASA at Branch Offices and Small Businesses

Branch Offices

Small Business Partners

Case Study 2: Large Enterprise Firewall, VPN, and IPS Deployment

Internet Edge and DMZ

Filtering Websites

Remote Access VPN Cluster

Application Inspection


Case Study 3: Data Center Security with Cisco ASA


Download - 13 KB -- Foreword from Jayshree Ullal, Senior Vice President, Security Technology Group, Cisco Systems, Inc.


Download - 115 KB -- Index
