larger cover

Add To My Wish List

Register your product to gain access to bonus material or receive a coupon.

Cisco Firewalls


  • Sorry, this book is no longer in print.
Not for Sale

Read the author's blog:

Read an article by Alexandre on the Cisco Support Forums: Revisiting Firewall Performance Parameters

  • Description
  • Sample Content
  • Updates
  • Copyright 2011
  • Edition: 1st
  • Book
  • ISBN-10: 1-58714-109-4
  • ISBN-13: 978-1-58714-109-6

Cisco Firewalls

Concepts, design and deployment for Cisco Stateful Firewall solutions

In this book, Alexandre proposes a totally different approach to the important subject of firewalls: Instead of just presenting configuration models, he uses a set of carefully crafted examples to illustrate the theory in action. A must read!—Luc Billot, Security Consulting Engineer at Cisco

Cisco Firewalls thoroughly explains each of the leading Cisco firewall products, features, and solutions, and shows how they can add value to any network security design or operation. The author tightly links theory with practice, demonstrating how to integrate Cisco firewalls into highly secure, self-defending networks. Cisco Firewalls shows you how to deploy Cisco firewalls as an essential component of every network infrastructure. The book takes the unique approach of illustrating complex configuration concepts through step-by-step examples that demonstrate the theory in action. This is the first book with detailed coverage of firewalling Unified Communications systems, network virtualization architectures, and environments that include virtual machines. The author also presents indispensable information about integrating firewalls with other security elements such as IPS, VPNs, and load balancers; as well as a complete introduction to firewalling IPv6 networks. Cisco Firewalls will be an indispensable resource for engineers and architects designing and implementing firewalls; security administrators, operators, and support professionals; and anyone preparing for the CCNA Security, CCNP Security, or CCIE Security certification exams.

Alexandre Matos da Silva Pires de Moraes, CCIE No. 6063, has worked as a Systems Engineer for Cisco Brazil since 1998 in projects that involve not only Security and VPN technologies but also Routing Protocol and Campus Design, IP Multicast Routing, and MPLS Networks Design. He coordinated a team of Security engineers in Brazil and holds the CISSP, CCSP, and three CCIE certifications (Routing/Switching, Security, and Service Provider). A frequent speaker at Cisco Live, he holds a degree in electronic engineering from the Instituto Tecnológico de Aeronáutica (ITA – Brazil).

·        Create advanced security designs utilizing the entire Cisco firewall product family

·        Choose the right firewalls based on your performance requirements

·        Learn firewall  configuration fundamentals and master the tools that provide insight about firewall operations

·        Properly insert firewalls in your network’s topology using Layer 3 or Layer 2 connectivity

·        Use Cisco firewalls as part of a robust, secure virtualization architecture

·        Deploy Cisco ASA firewalls with or without NAT

·        Take full advantage of the classic IOS firewall feature set (CBAC)

·        Implement flexible security policies with the Zone Policy Firewall (ZPF)

·        Strengthen stateful inspection with antispoofing, TCP normalization, connection limiting, and IP fragmentation handling

·        Use application-layer inspection capabilities built into Cisco firewalls

·        Inspect IP voice protocols, including SCCP, H.323, SIP, and MGCP

·        Utilize identity to provide user-based stateful functionality

·        Understand how multicast traffic is handled through firewalls

·        Use firewalls to protect your IPv6 deployments

This security book is part of the Cisco Press Networking Technology Series. Security titles from Cisco Press help networking professionals secure critical data and resources, prevent and mitigate network attacks, and build end-to-end, self-defending networks.

Online Sample Chapter

Cisco Firewall Configuration Fundamentals

Table of Contents



Chapter 1: Firewalls and Network Security

Security Is a Must. But, Where to Start?

Firewalls and Domains of Trust

Firewall Insertion in the Network Topology

    Routed Mode Versus Transparent Mode

    Network Address Translation and Port Address Translation

Main Categories of Network Firewalls

    Packet Filters

    Circuit-Level Proxies

    Application-Level Proxies

    Stateful Firewalls

The Evolution of Stateful Firewalls

    Application Awareness

    Identity Awareness

    Leveraging the Routing Table for Protection Tasks

    Virtual Firewalls and Network Segmentation

What Type of Stateful Firewall?

    Firewall Appliances

    Router-Based Firewalls

    Switch-Based Firewalls

Classic Topologies Using Stateful Firewalls

Stateful Firewalls and Security Design

    Stateful Firewalls and VPNs

    Stateful Firewalls and Intrusion Prevention

    Stateful Firewalls and Specialized Security Appliances


Chapter 2: Cisco Firewall Families Overview

Overview of ASA Appliances

    Positioning of ASA Appliances

    Firewall Performance Parameters

    Overview of ASA Hardware Models

Overview of the Firewall Services Module

Overview of IOS-Based Integrated Firewalls

    Integrated Services Routers

    Aggregation Services Routers


Chapter 3: Configuration Fundamentals

Device Access Using the CLI

Basic ASA Configuration

    Basic Configuration for ASA Appliances Other Than 5505

    Basic Configuration for the ASA 5505 Appliance

Basic FWSM Configuration

Remote Management Access to ASA and FWSM

    Telnet Access

    SSH Access

    HTTPS Access Using ASDM

IOS Baseline Configuration

    Configuring Interfaces on IOS Routers

Remote Management Access to IOS Devices

    Remote Access Using Telnet

    Remote Access Using SSH

    Remote Access Using HTTP and HTTPS

Clock Synchronization Using NTP

Obtaining an IP Address Through the PPPoE Client

DHCP Services


Further Reading

Chapter 4: Learn the Tools. Know the Firewall

Using Access Control Lists Beyond Packet Filtering

Event Logging

Debug Commands

Flow Accounting and Other Usages of Netflow

    Enabling Flow Collection on IOS

    Traditional Netflow

    Netflow v9 and Flexible Netflow

    Enabling NSEL on an ASA Appliance

Performance Monitoring Using ASDM

Correlation Between Graphical Interfaces and CLI

Packet Tracer on ASA

Packet Capture

    Embedded Packet Capture on an ASA Appliance

    Embedded Packet Capture on IOS


Chapter 5: Firewalls in the Network Topology

Introduction to IP Routing and Forwarding

Static Routing Overview

Basic Concepts of Routing Protocols

RIP Overview

    Configuring and Monitoring RIP

EIGRP Overview

    Configuring and Monitoring EIGRP

        EIGRP Configuration Fundamentals

        Understanding EIGRP Metrics

        Redistributing Routes into EIGRP

        Generating a Summary EIGRP Route

        Limiting Incoming Updates with a Distribute-List

        EIGRP QUERY and REPLY Messages

        EIGRP Stub Operation

OSPF Overview

    Configuring and Monitoring OSPF

        OSPF Configuration Fundamentals

        OSPF Scenario with Two Areas

Configuring Authentication for Routing Protocols

Bridged Operation


Chapter 6: Virtualization in the Firewall World

Some Initial Definitions

Starting with the Data Plane: VLANs and VRFs

    Virtual LANs


VRF-Aware Services

Beyond the Data Plane—Virtual Contexts

Management Access to Virtual Contexts

Allocating Resources to Virtual Contexts

Interconnecting Virtual Elements

    Interconnecting VRFs with an External Router

    Interconnecting Two Virtual Contexts That Do Not Share Any Interface

    Interconnecting Two FWSM Contexts That Share an Interface

    Interconnecting Two ASA Contexts That Share an Interface

Issues Associated with Security Contexts

Complete Architecture for Virtualization

    Virtualized FWSM and ACE Modules

    Segmented Transport

    Virtual Machines and the Nexus 1000V


Chapter 7: Through ASA Without NAT

Types of Access Through ASA-Based Firewalls

Additional Thoughts About Security Levels

    Internet Access Firewall Topology

    Extranet Topology

    Isolating Internal Departments

ICMP Connection Examples

    Outbound Ping

    Inbound Ping

    Windows Traceroute Through ASA

UDP Connection Examples

    Outbound IOS Traceroute Through ASA

TCP Connection Examples

    ASA Flags Associated with TCP Connections

    TCP Sequence Number Randomization

Same Security Access

Handling ACLs and Object-Groups


Chapter 8: Through ASA Using NAT

Nat-Control Model

Outbound NAT Analysis

    Dynamic NAT

    Dynamic PAT

    Identity NAT

    Static NAT

    Policy NAT

        Static Policy NAT

        Dynamic Policy NAT

        Dynamic Policy PAT

    NAT Exemption

    NAT Precedence Rules

Address Publishing for Inbound Access

    Publishing with the static Command

    Publishing with Port Redirection

    Publishing with NAT Exemption

Inbound NAT Analysis

    Dynamic PAT for Inbound

    Identity NAT for Inbound

    NAT Exemption for Inbound

    Static NAT for Inbound

Dual NAT

Disabling TCP Sequence Number Randomization

Defining Connection Limits with NAT Rules


Chapter 9: Classic IOS Firewall Overview

Motivations for CBAC

CBAC Basics

ICMP Connection Examples

UDP Connection Examples

TCP Connection Examples

Handling ACLs and Object-Groups

    Using Object-Groups with ACLs

    CBAC and Access Control Lists

IOS NAT Review

    Static NAT

    Dynamic NAT

    Policy NAT

    Dual NAT

    NAT and Flow Accounting



Chapter 10: IOS Zone Policy Firewall Overview

Motivations for the ZFW

Building Blocks for Zone-Based Firewall Policies

ICMP Connection Examples

UDP Connection Examples

TCP Connection Examples

ZFW and ACLs


ZFW in Transparent Mode

Defining Connection Limits

Inspection of Router Traffic

Intrazone Firewall Policies in IOS 15.X


Chapter 11: Additional Protection Mechanisms


    Classic Antispoofing Using ACLs

    Antispoofing with uRPF on IOS

    Antispoofing with uRPF on ASA

TCP Flags Filtering

Filtering on the TTL Value

Handling IP Options

    Stateless Filtering of IP Options on IOS

    IP Options Drop on IOS

    IP Options Drop on ASA

Dealing with IP Fragmentation

    Stateless Filtering of IP Fragments in IOS

    Virtual Fragment Reassembly on IOS

    Virtual Fragment Reassembly on ASA

Flexible Packet Matching

Time-Based ACLs

    Time-Based ACLs on ASA

    Time-Based ACLs on IOS

Connection Limits on ASA

TCP Normalization on ASA

Threat Detection on ASA


Further Reading

Chapter 12: Application Inspection

Inspection Capabilities in the Classic IOS Firewall

Application Inspection in the Zone Policy Firewall

DNS Inspection in the Zone Policy Firewall

FTP Inspection in the Zone Policy Firewall

HTTP Inspection in the Zone Policy Firewall

IM Inspection in the Zone Policy Firewall

Overview of ASA Application Inspection

DNS Inspection in ASA

    DNS Guard

    DNS Doctoring

    DNS Inspection Parameters

    Some Additional DNS Inspection Capabilities

FTP Inspection in ASA

HTTP Inspection in ASA

Inspection of IM and Tunneling Traffic in ASA

Botnet Traffic Filtering in ASA


Further Reading

Chapter 13: Inspection of Voice Protocols

Introduction to Voice Terminology

Skinny Protocol

H.323 Framework

    H.323 Direct Calls

    H.323 Calls Through a Gatekeeper

Session Initiation Protocol (SIP)

MGCP Protocol

Cisco IP Phones and Digital Certificates

Advanced Voice Inspection with ASA TLS-Proxy

Advanced Voice Inspection with ASA Phone-Proxy


Further Reading

Chapter 14: Identity on Cisco Firewalls

Selecting the Authentication Protocol

ASA User-Level Control with Cut-Through Proxy

    Cut-Through Proxy Usage Scenarios

        Scenario 1: Simple Cut-Through Proxy (No Authorization)

        Scenario 2: Cut-Through Proxy with Downloadable ACEs

        Scenario 3: Cut-Through Proxy with Locally Defined ACL

        Scenario 4: Cut-Through Proxy with Downloadable ACLs

        Scenario 5: HTTP Listener

IOS User-Level Control with Auth-Proxy

    Scenario 1: IOS Auth-Proxy with Downloadable Access Control Entries

    Scenario 2: IOS Auth-Proxy with Downloadable ACLs

    Scenario 3: Combining Classic IP Inspection (CBAC) and Auth-Proxy

User-Based Zone Policy Firewall

    Establishing user-group Membership Awareness in IOS - Method 1

    Establishing user-group Membership Awareness in IOS - Method 2

    Integrating Auth-Proxy and the ZFW

Administrative Access Control on IOS

Administrative Access Control on ASA


Chapter 15: Firewalls and IP Multicast

Review of Multicast Addressing

Overview of Multicast Routing and Forwarding

    The Concept of Upstream and Downstream Interfaces

    RPF Interfaces and the RPF Check

Multicast Routing with PIM

    Enabling PIM on Cisco Routers

    PIM-DM Basics

    PIM-SM Basics

    Finding the Rendezvous Point on PIM-SM Topologies

Inserting ASA in a Multicast Routing Environment

    Enabling Multicast Routing in ASA

    Stub Multicast Routing in ASA

    ASA Acting as a PIM-SM Router

Summary of Multicast Forwarding Rules on ASA


Further Reading

Chapter 16: Cisco Firewalls and IPv6

Introduction to IPv6

Overview of IPv6 Addressing

IPv6 Header Format

IPv6 Connectivity Basics

Handling IOS IPv6 Access Control Lists

IPv6 Support in the Classic IOS Firewall

IPv6 Support in the Zone Policy Firewall

Handling ASA IPv6 ACLs and Object-Groups

Stateful Inspection of IPv6 in ASA

Establishing Connection Limits

    Setting an Upper Bound for Connections Through ASA

IPv6 and Antispoofing

    Antispoofing with uRPF on ASA

    Antispoofing with uRPF on IOS

IPv6 and Fragmentation

    Virtual Fragment Reassembly on ASA

    Virtual Fragment Reassembly on IOS


Further Reading

Chapter 17: Firewall Interactions

Firewalls and Intrusion Prevention Systems

Firewalls and Quality of Service

Firewalls and Private VLANs

Firewalls and Server Load Balancing

Firewalls and Virtual Machines

    Protecting Virtual Machines with External Firewalls

    Protecting Virtual Machines Using Virtual Firewall Appliances

Firewalls and IPv6 Tunneling Mechanisms

Firewalls and IPsec VPNs

    Classic IPsec Site-to-Site for IOS

    IPsec Site-to-Site Using a Virtual Tunnel Interface (VTI)

    IPsec Site-to-Site Using a GRE Tunnel

    NAT in the Middle of an IPsec Tunnel

    Post-Decryption Filtering in ASA

Firewalls and SSL VPNs

    Clientless Access

    Client-Based Access (AnyConnect)

Firewalls and MPLS Networks

Borderless Networks Vision


Further Reading

Appendix A: NAT and ACL Changes in ASA 8.3



Cisco Press Promotional Mailings & Special Offers

I would like to receive exclusive offers and hear about products from Cisco Press and its family of brands. I can unsubscribe at any time.


Pearson Education, Inc., 221 River Street, Hoboken, New Jersey 07030, (Pearson) presents this site to provide information about Cisco Press products and services that can be purchased through this site.

This privacy notice provides an overview of our commitment to privacy and describes how we collect, protect, use and share personal information collected through this site. Please note that other Pearson websites and online products and services have their own separate privacy policies.

Collection and Use of Information

To conduct business and deliver products and services, Pearson collects and uses personal information in several ways in connection with this site, including:

Questions and Inquiries

For inquiries and questions, we collect the inquiry or question, together with name, contact details (email address, phone number and mailing address) and any other additional information voluntarily submitted to us through a Contact Us form or an email. We use this information to address the inquiry and respond to the question.

Online Store

For orders and purchases placed through our online store on this site, we collect order details, name, institution name and address (if applicable), email address, phone number, shipping and billing addresses, credit/debit card information, shipping options and any instructions. We use this information to complete transactions, fulfill orders, communicate with individuals placing orders or visiting the online store, and for related purposes.


Pearson may offer opportunities to provide feedback or participate in surveys, including surveys evaluating Pearson products, services or sites. Participation is voluntary. Pearson collects information requested in the survey questions and uses the information to evaluate, support, maintain and improve products, services or sites; develop new products and services; conduct educational research; and for other purposes specified in the survey.

Contests and Drawings

Occasionally, we may sponsor a contest or drawing. Participation is optional. Pearson collects name, contact information and other information specified on the entry form for the contest or drawing to conduct the contest or drawing. Pearson may collect additional personal information from the winners of a contest or drawing in order to award the prize and for tax reporting purposes, as required by law.


If you have elected to receive email newsletters or promotional mailings and special offers but want to unsubscribe, simply email

Service Announcements

On rare occasions it is necessary to send out a strictly service related announcement. For instance, if our service is temporarily suspended for maintenance we might send users an email. Generally, users may not opt-out of these communications, though they can deactivate their account information. However, these communications are not promotional in nature.

Customer Service

We communicate with users on a regular basis to provide requested services and in regard to issues relating to their account we reply via email or phone in accordance with the users' wishes when a user submits their information through our Contact Us form.

Other Collection and Use of Information

Application and System Logs

Pearson automatically collects log data to help ensure the delivery, availability and security of this site. Log data may include technical information about how a user or visitor connected to this site, such as browser type, type of computer/device, operating system, internet service provider and IP address. We use this information for support purposes and to monitor the health of the site, identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents and appropriately scale computing resources.

Web Analytics

Pearson may use third party web trend analytical services, including Google Analytics, to collect visitor information, such as IP addresses, browser types, referring pages, pages visited and time spent on a particular site. While these analytical services collect and report information on an anonymous basis, they may use cookies to gather web trend information. The information gathered may enable Pearson (but not the third party web trend services) to link information with application and system log data. Pearson uses this information for system administration and to identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents, appropriately scale computing resources and otherwise support and deliver this site and its services.

Cookies and Related Technologies

This site uses cookies and similar technologies to personalize content, measure traffic patterns, control security, track use and access of information on this site, and provide interest-based messages and advertising. Users can manage and block the use of cookies through their browser. Disabling or blocking certain cookies may limit the functionality of this site.

Do Not Track

This site currently does not respond to Do Not Track signals.


Pearson uses appropriate physical, administrative and technical security measures to protect personal information from unauthorized access, use and disclosure.


This site is not directed to children under the age of 13.


Pearson may send or direct marketing communications to users, provided that

  • Pearson will not use personal information collected or processed as a K-12 school service provider for the purpose of directed or targeted advertising.
  • Such marketing is consistent with applicable law and Pearson's legal obligations.
  • Pearson will not knowingly direct or send marketing communications to an individual who has expressed a preference not to receive marketing.
  • Where required by applicable law, express or implied consent to marketing exists and has not been withdrawn.

Pearson may provide personal information to a third party service provider on a restricted basis to provide marketing solely on behalf of Pearson or an affiliate or customer for whom Pearson is a service provider. Marketing preferences may be changed at any time.

Correcting/Updating Personal Information

If a user's personally identifiable information changes (such as your postal address or email address), we provide a way to correct or update that user's personal data provided to us. This can be done on the Account page. If a user no longer desires our service and desires to delete his or her account, please contact us at and we will process the deletion of a user's account.


Users can always make an informed choice as to whether they should proceed with certain services offered by Cisco Press. If you choose to remove yourself from our mailing list(s) simply visit the following page and uncheck any communication you no longer want to receive:

Sale of Personal Information

Pearson does not rent or sell personal information in exchange for any payment of money.

While Pearson does not sell personal information, as defined in Nevada law, Nevada residents may email a request for no sale of their personal information to

Supplemental Privacy Statement for California Residents

California residents should read our Supplemental privacy statement for California residents in conjunction with this Privacy Notice. The Supplemental privacy statement for California residents explains Pearson's commitment to comply with California law and applies to personal information of California residents collected in connection with this site and the Services.

Sharing and Disclosure

Pearson may disclose personal information, as follows:

  • As required by law.
  • With the consent of the individual (or their parent, if the individual is a minor)
  • In response to a subpoena, court order or legal process, to the extent permitted or required by law
  • To protect the security and safety of individuals, data, assets and systems, consistent with applicable law
  • In connection the sale, joint venture or other transfer of some or all of its company or assets, subject to the provisions of this Privacy Notice
  • To investigate or address actual or suspected fraud or other illegal activities
  • To exercise its legal rights, including enforcement of the Terms of Use for this site or another contract
  • To affiliated Pearson companies and other companies and organizations who perform work for Pearson and are obligated to protect the privacy of personal information consistent with this Privacy Notice
  • To a school, organization, company or government agency, where Pearson collects or processes the personal information in a school setting or on behalf of such organization, company or government agency.


This web site contains links to other sites. Please be aware that we are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every web site that collects Personal Information. This privacy statement applies solely to information collected by this web site.

Requests and Contact

Please contact us about this Privacy Notice or if you have any requests or questions relating to the privacy of your personal information.

Changes to this Privacy Notice

We may revise this Privacy Notice through an updated posting. We will identify the effective date of the revision in the posting. Often, updates are made to provide greater clarity or to comply with changes in regulatory requirements. If the updates involve material changes to the collection, protection, use or disclosure of Personal Information, Pearson will provide notice of the change through a conspicuous notice on this site or other appropriate way. Continued use of the site after the effective date of a posted revision evidences acceptance. Please contact us if you have questions or concerns about the Privacy Notice or any objection to any revisions.

Last Update: November 17, 2020