Cisco ASA: All-in-one Next-Generation Firewall, IPS, and VPN Services, 3rd Edition

Description

• Copyright 2014
• Dimensions: 7-3/8" x 9-1/8"
• Edition: 3rd

• eBook (Watermarked)
• ISBN-10: 0-13-295440-0
• ISBN-13: 978-0-13-295440-2

Cisco®ASA

All-in-One Next-Generation Firewall, IPS, and VPN Services, Third Edition

Identify, mitigate, and respond to today’s highly-sophisticated network attacks.

Today, network attackers are far more sophisticated, relentless, and dangerous. In response, Cisco ASA: All-in-One Next-Generation Firewall, IPS, and VPN Services has been fully updated to cover the newest techniques and Cisco technologies for maximizing end-to-end security in your environment. Three leading Cisco security experts guide you through every step of creating a complete security plan with Cisco ASA, and then deploying, configuring, operating, and troubleshooting your solution.

Fully updated for today’s newest ASA releases, this edition adds new coverage of ASA 5500-X, ASA 5585-X, ASA Services Module, ASA next-generation firewall services, EtherChannel, Global ACLs, clustering, IPv6 improvements, IKEv2, AnyConnect Secure Mobility VPN clients, and more. The authors explain significant recent licensing changes; introduce enhancements to ASA IPS; and walk you through configuring IPsec, SSL VPN, and NAT/PAT.

You’ll learn how to apply Cisco ASA adaptive identification and mitigation services to systematically strengthen security in network environments of all sizes and types. The authors present up-to-date sample configurations, proven design scenarios, and actual debugs–
all designed to help you make the most of Cisco ASA in your rapidly evolving network.

Jazib Frahim, CCIE®No. 5459 (Routing and Switching; Security),Principal Engineer in the Global Security Solutions team, guides top-tier Cisco customers in security-focused network design and implementation. He architects, develops, and launches new security services concepts. His books include Cisco SSL VPN Solutions and Cisco Network Admission Control, Volume II: NAC Deployment and Troubleshooting.

Omar Santos, CISSP No. 463598, Cisco Product Security Incident Response Team (PSIRT) technical leader, leads and mentors engineers and incident managers in investigating and resolving vulnerabilities in Cisco products and protecting Cisco customers. Through 18 years in IT and cybersecurity, he has designed, implemented, and supported numerous secure networks for Fortune® 500 companies and the U.S. government. He is also the author of several other books and numerous whitepapers and articles.

Andrew Ossipov, CCIE®No. 18483 and CISSP No. 344324,is a Cisco Technical Marketing Engineer focused on firewalls, intrusion prevention, and data center security. Drawing on more than 16 years in networking, he works to solve complex customer technical problems, architect new features and products, and define future directions for Cisco’s product portfolio. He holds several pending patents.

Understand, install, configure, license, maintain, and troubleshoot the newest ASA devices

Efficiently implement Authentication, Authorization, and Accounting (AAA) services

Control and provision network access with packet filtering, context-aware Cisco ASA next-generation firewall services, and new NAT/PAT concepts

Configure IP routing, application inspection, and QoS

Create firewall contexts with unique configurations, interfaces, policies, routing tables, and administration

Enable integrated protection against many types of malware and advanced persistent threats (APTs) via Cisco Cloud Web Security and Cisco Security Intelligence Operations (SIO)

Implement high availability with failover and elastic scalability with clustering

Deploy, troubleshoot, monitor, tune, and manage Intrusion Prevention System (IPS) features

Implement site-to-site IPsec VPNs and all forms of remote-access VPNs (IPsec, clientless SSL, and client-based SSL)

Configure and troubleshoot Public Key Infrastructure (PKI)

Use IKEv2 to more effectively resist attacks against VPNs

Leverage IPv6 support for IPS, packet inspection, transparent firewalls, and site-to-site IPsec VPNs



Sample Content

Table of Contents

Introduction

Chapter 1 Introduction to Security Technologies 1

Firewalls 2

Network Firewalls 2

Packet-Filtering Techniques 2

Application Proxies 3

Network Address Translation 3

Stateful Inspection Firewalls 6

Demilitarized Zones (DMZ) 7

Deep Packet Inspection 8

Next-Generation Context-Aware Firewalls 8

Personal Firewalls 9

Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) 9

Pattern Matching and Stateful Pattern-Matching Recognition 11

Protocol Analysis 12

Heuristic-Based Analysis 12

Anomaly-Based Analysis 12

Global Threat Correlation Capabilities 14

Virtual Private Networks 14

Technical Overview of IPsec 16

IKEv1 Phase 1 16

IKEv1 Phase 2 20

IKEv2 23

SSL VPNs 23

Cisco AnyConnect Secure Mobility 25

Cloud and Virtualization Security 26

Chapter 2 Cisco ASA Product and Solution Overview 29

Cisco ASA Model Overview 30

Cisco ASA 5505 Model 31

Cisco ASA 5510 Model 35

思科ASA 38 5512 - x模型

Cisco ASA 5515-X Model 40

Cisco ASA 5520 Model 41

Cisco ASA 5525-X Model 42

Cisco ASA 5540 Model 43

Cisco ASA 5545-X Model 44

Cisco ASA 5550 Model 45

Cisco ASA 5555-X Model 46

Cisco ASA 5585-X Models 47

Cisco Catalyst 6500 Series ASA Services Module 51

Cisco ASA 1000V Cloud Firewall 52

Cisco ASA Next-Generation Firewall Services (Formerly Cisco ASA CX) 53

Cisco ASA AIP-SSM Module 53

Cisco ASA AIP-SSM-10 54

Cisco ASA AIP-SSM-20 54

Cisco ASA AIP-SSM-40 54

Cisco ASA Gigabit Ethernet Modules 55

Cisco ASA SSM-4GE 55

Cisco ASA 5580 Expansion Cards 56

Cisco ASA 5500-X Series 6-Port GE Interface Cards 57

Chapter 3 Licensing 59

Licensed Features on ASA 59

Basic Platform Capabilities 61

Advanced Security Features 63

Tiered Capacity Features 65

Displaying License Information 66

Managing Licenses with Activation Keys 68

Permanent and Time-Based Activation Keys 68

Combining Keys 69

Time-Based Key Expiration 70

Using Activation Keys 71

Combined Licenses in Failover and Clustering 73

License Aggregation Rules 73

Aggregated Time-Based License Countdown 75

Shared Premium VPN Licensing 75

Shared Server and Participants 76

Shared License 76

Shared Licensing Operation 76

Configuring Shared Licensing 78

Licensing Server 78

Participants 79

Backup Licensing Server 79

Monitoring Shared Licensing Operation 80

Chapter 4 Initial Setup 81

Accessing the Cisco ASA Appliances 81

Establishing a Console Connection 82

Command-Line Interface 85

Managing Licenses 87

Initial Setup 90

Initial Setup via CLI 90

Initial Setup of ASDM 92

Uploading ASDM 92

Setting Up the Appliance 93

Accessing ASDM 94

Functional Screens of ASDM 97

Device Setup 100

Setting Up a Device Name and Passwords 100

Configuring an Interface 102

Configuring a Data-Passing Interface 102

Configuring a Subinterface 106

Configuring an EtherChannel Interface 109

Configuring a Management Interface 111

DHCP Services 112

Setting Up the System Clock 114

Manual Clock Adjustment 114

Time Zone 114

Date 116

Time 116

Automatic Clock Adjustment Using the Network Time Protocol 116

第五章系统维护ance 119

Configuration Management 119

Running Configuration 119

Startup Configuration 123

Removing the Device Configuration 124

Remote System Management 126

Telnet 126

Secure Shell (SSH) 129

System Maintenance 132

Software Installation 132

Image Upgrade via Cisco ASDM 132

Image Upgrade via the Cisco ASA CLI 133

Image Upload Using ROMMON 136

Password Recovery Process 137

Disabling the Password Recovery Process 141

System Monitoring 144

System Logging 144

Enabling Logging 146

Defining Event List 147

Logging Types 149

Defining a Syslog Server 153

Defining an Email Server 154

Storing Logs Internally and Externally 154

Syslog Message ID Tuning 156

NetFlow Secure Event Logging (NSEL) 156

Step 1: Define a NetFlow Collector 157

Step 2: Define a NetFlow Export Policy 159

Simple Network Management Protocol (SNMP) 160

Configuring SNMP 161

SNMP Monitoring 164

Device Monitoring and Troubleshooting 165

CPU and Memory Monitoring 165

Troubleshooting Device Issues 168

Troubleshooting Packet Issues 168

Troubleshooting CPU Issues 172

Chapter 6 Cisco ASA Services Module 173

Cisco ASA Services Module Overview 173

Hardware Architecture 174

主机底盘集成175

Managing Host Chassis 176

Assigning VLAN Interfaces 177

Monitoring Traffic Flow 178

Common Deployment Scenarios 180

Internal Segment Firewalling 181

Edge Protection 182

Trusted Flow Bypass with Policy Based Routing 183

Traffic Flow 185

Sample PBR Configuration 185

Chapter 7 Authentication, Authorization, and Accounting (AAA) Services 191

AAA Protocols and Services Supported by Cisco ASA 192

RADIUS 194

TACACS+ 195

RSA SecurID 196

Microsoft Windows NTLM 197

Active Directory and Kerberos 197

Lightweight Directory Access Protocol 197

Defining an Authentication Server 198

Configuring Authentication of Administrative Sessions 204

Authenticating Telnet Connections 204

Authenticating SSH Connections 206

Authenticating Serial Console Connections 207

Authenticating Cisco ASDM Connections 208

Authenticating Firewall Sessions (Cut-Through Proxy Feature) 209

Authentication Timeouts 214

Customizing Authentication Prompts 214

Configuring Authorization 215

Command Authorization 217

Configuring Downloadable ACLs 218

Configuring Accounting 219

RADIUS Accounting 220

TACACS+ Accounting 221

Troubleshooting Administrative Connections to Cisco ASA 222

Troubleshooting Firewall Sessions (Cut-Through Proxy) 225

ASDM and CLI AAA Test Utility 226

Chapter 8 Controlling Network Access: The Traditional Way 229

Packet Filtering 229

Types of ACLs 232

Standard ACLs 233

Extended ACLs 233

EtherType ACLs 233

Webtype ACLs 234

Comparing ACL Features 234

Through-the-Box-Traffic Filtering 235

To-the-Box-Traffic Filtering 240

Advanced ACL Features 243

Object Grouping 243

Object Types 243

Configuration of Object Types 245

Object Grouping and ACLs 248

Standard ACLs 250

Time-Based ACLs 251

Downloadable ACLs 254

ICMP Filtering 254

Deployment Scenario for Traffic Filtering 255

Using ACLs to Filter Inbound Traffic 255

Configuration Steps with ASDM 257

Configuration Steps with CLI 259

Monitoring Network Access Control 260

Monitoring ACLs 260

Chapter 9 Implementing Next-Generation Firewall Services with ASA CX 267

CX Integration Overview 268

Logical Architecture 269

Hardware Modules 270

Software Modules 271

High Availability 272

ASA CX Architecture 273

Data Plane 274

Eventing and Reporting 275

User Identity 275

TLS Decryption Proxy 276

HTTP Inspection Engine 276

Application Inspection Engine 276

Management Plane 276

Control Plane 276

Preparing ASA CX for Configuration 277

Managing ASA CX with PRSM 282

Using PRSM 283

Configuring User Accounts 286

CX Licensing 288

Component and Software Updates 290

Signatures and Engines 290

系统软件291

Configuration Database Backup 292

Defining CX Policy Elements 293

Network Groups 295

Identity Objects 296

URL Objects 298

User Agent Objects 299

Application Objects 299

Secure Mobility Objects 300

Interface Roles 301

Service Objects 302

Application-Service Objects 303

Source Object Groups 304

Destination Object Groups 305

File Filtering Profiles 306

Web Reputation Profiles 306

NG IPS Profiles 307

Enabling User Identity Services 309

Configuring Directory Servers 310

Connecting to AD Agent or CDA 312

Tuning Authentication Settings 313

Defining User Identity Discovery Policy 314

Enabling TLS Decryption 316

Configuring Decryption Settings 318

Defining a Decryption Policy 320

Enabling NG IPS 323

Defining Context-Aware Access Policies 324

Configuring ASA for CX Traffic Redirection 327

Monitoring ASA CX 329

Dashboard Reports 329

Connection and System Events 331

Packet Captures 332

Chapter 10 Network Address Translation 337

Types of Address Translation 338

Network Address Translation 338

Port Address Translation 340

Address Translation Methods 341

Static NAT/PAT 341

Dynamic NAT/PAT 343

Policy NAT/PAT 344

Identity NAT 344

Security Protection Mechanisms Within Address Translation 345

Randomization of Sequence Numbers 345

TCP Intercept 346

Understanding Address Translation Behavior 346

Address Translation Behavior Prior to Version 8.3 346

Packet Flow Sequence in Pre-8.3 Version 347

NAT Order of Operation for Pre-8.3 Versions 348

Redesigning Address Translation (Version 8.3 and Later) 349

NAT Modes in Version 8.3 and Later 349

NAT Order of Operation for Version 8.3 and Later 350

Configuring Address Translation 350

Auto NAT Configuration 351

Available Auto NAT Settings 351

Auto NAT Configuration Example 353

Manual NAT Configuration 356

Available Manual NAT Settings 356

Manual NAT Configuration Example 357

Integrating ACLs and NAT 359

Pre-8.3 Behavior for NAT and ACL Integration 359

Behavior of NAT and ACL Integration in Version 8.3 and Later 361

Configuration Use Cases 362

Use Case 1: Dynamic PAT for Inside Network with Static NAT for a DMZ Web Server 363

Use Case 2: Static PAT for a Web Server Located on the DMZ Network 364

Use Case 3: Static NAT for Overlapping Subnets Using Twice NAT 366

Use Case 4: Identity NAT for Site-to-Site VPN Tunnel 367

Use Case 5: Dynamic PAT for Remote-Access VPN Clients 369

DNS Doctoring 372

Monitoring Address Translations 375

Chapter 11 IPv6 Support 379

IP Version 6 Introduction 379

IPv6 Header 380

Supported IPv6 Address Types 381

Global Unicast Address 382

Site-Local Address 382

Link-Local Address 382

Configuring IPv6 382

IP Address Assignment 383

IPv6 DHCP Relay 384

Optional IPv6 Parameters 385

Neighbor Solicitation Messages 385

Neighbor Reachable Time 385

Router Advertisement Transmission Interval 385

Setting Up an IPv6 ACL 386

IPv6 Address Translation 389

Chapter 12 IP Routing 391

Configuring Static Routes 392

Static Route Monitoring 395

Displaying the Routing Table 399

RIP 400

Configuring RIP 401

把身份验证403

RIP Route Filtering 406

Configuring RIP Redistribution 409

Troubleshooting RIP 409

Scenario 1: RIP Version Mismatch 410

Scenario 2: RIP Authentication Mismatch 411

Scenario 3: Multicast or Broadcast Packets Blocked 411

OSPF 412

Configuring OSPF 413

Enabling OSPF 414

OSPF Virtual Links 419

Configuring OSPF Authentication 422

Configuring OSPF Redistribution 426

Stub Areas and NSSAs 428

OSPF Type 3 LSA Filtering 429

OSPF neighbor Command and Dynamic Routing over a VPN Tunnel 431

OSPFv3 433

Troubleshooting OSPF 433

Useful Troubleshooting Commands 433

Mismatched Areas 440

OSPF Authentication Mismatch 440

Troubleshooting Virtual Link Problems 440

EIGRP 441

Configuring EIGRP 441

Enabling EIGRP 441

Configuring Route Filtering for EIGRP 445

EIGRP Authentication 447

Defining Static EIGRP Neighbors 448

在448年EIGRP路由汇总

Split Horizon 450

Route Redistribution in EIGRP 450

Controlling Default Information 453

Troubleshooting EIGRP 454

Useful Troubleshooting Commands 454

Scenario 1: Link Failures 458

Scenario 2: Misconfigured Hello and Hold Intervals 459

Scenario 3: Misconfigured Authentication Parameters 462

Chapter 13 Application Inspection 465

Enabling Application Inspection 468

Selective Inspection 469

CTIQBE Inspection 473

DCERPC Inspection 476

DNS Inspection 476

ESMTP Inspection 481

File Transfer Protocol 484

General Packet Radio Service Tunneling Protocol 486

GTPv0 487

GTPv1 489

Configuring GTP Inspection 490

H.323 492

H.323 Protocol Suite 493

H.323 Version Compatibility 495

Enabling H.323 Inspection 496

Direct Call Signaling and Gatekeeper Routed Control Signaling 499

T.38 499

Cisco Unified Communications Advanced Support 499

Phone Proxy 500

TLS Proxy 505

Mobility Proxy 506

Presence Federation Proxy 506

HTTP 507

Enabling HTTP Inspection 507

strict-http Command 510

content-length Command 510

content-type-verification Command 511

max-header-length Command 511

max-uri-length Command 512

port-misuse Command 512

request-method Command 513

transfer-encoding type Command 515

ICMP 515

ILS 516

Instant Messenger (IM) 517

IPsec Pass-Through 518

MGCP 519

NetBIOS 521

PPTP 522

Sun RPC 522

RSH 523

RTSP 523

SIP 524

Skinny (SCCP) 525

SNMP 527

SQL*Net 528

TFTP 528

WAAS 528

XDMCP 529

Chapter 14 Virtualization 531

Architectural Overview 533

System Execution Space 533

Admin Context 535

User Context 535

Packet Classification 538

Packet Classification Criteria 538

Destination IP Address 539

Unique MAC Address 540

Packet Flow in Multiple Mode 541

Forwarding Without a Shared Interface 541

Forwarding with a Shared Interface 542

Configuration of Security Contexts 544

Step 1: Enable Multiple Security Contexts Globally 544

Step 2: Set Up the System Execution Space 547

Step 3: Configure Interfaces 549

Step 4: Specify a Configuration URL 550

Step 5: Configure an Admin Context 552

Step 6: Configure a User Context 553

Step 7: Manage the Security Contexts (Optional) 554

Step 8: Resource Management (Optional) 555

Step 1: Define a Resource Class 556

Step 2: Map the Resource Class to a Context 558

Deployment Scenarios 559

Virtual Firewall with Non-Shared Interfaces 559

Configuration Steps with ASDM 561

Configuration Steps with CLI 569

Virtual Firewall with a Shared Interface 572

Configuration Steps with ASDM 574

Configuration Steps Using CLI 582

Monitoring and Troubleshooting the Security Contexts 586

Monitoring 586

Troubleshooting 588

Security Contexts Are Not Added 588

Security Contexts Are Not Saved on the Local Disk 588

Security Contexts Are Not Saved on the FTP Server 589

User Having Connectivity Issues When Shared Security Contexts Are Used 590

Chapter 15 Transparent Firewalls 591

Architectural Overview 594

Single-Mode Transparent Firewalls 594

Packet Flow in an SMTF 595

Multimode Transparent Firewalls 597

Packet Flow in an MMTF 597

Restrictions When Using Transparent Firewalls 599

Transparent Firewalls and VPNs 599

Transparent Firewalls and NAT 600

Configuration of Transparent Firewalls 602

Configuration Guidelines 602

Configuration Steps 603

Step 1: Enable Transparent Firewalls 603

Step 2: Set Up Interfaces 604

Step 3: Configure an IP Address 605

Step 4: Set Up Routes 606

Step 5: Configure Interface ACLs 608

Step 6: Configure NAT (Optional) 611

Step 7: Add Static L2F Table Entries (Optional) 612

Step 8: Enable ARP Inspection (Optional) 613

Step 9: Modify L2F Table Parameters (Optional) 615

Deployment Scenarios 616

SMTF Deployment 617

Configuration Steps Using ASDM 618

Configuration Steps Using CLI 622

MMTF Deployment with Security Contexts 623

Configuration Steps Using ASDM 625

Configuration Steps Using CLI 632

Monitoring and Troubleshooting Transparent Firewalls 636

Monitoring 636

Troubleshooting 637

Hosts Are Not Able to Communicate 637

Moved Host Is Not Able to Communicate 639

General Syslogging 640

Chapter 16 High Availability 641

Redundant Interfaces 642

Using Redundant Interfaces 642

Deployment Scenarios 643

Configuration and Monitoring 644

Static Route Tracking 646

Configuring Static Routes with an SLA Monitor 647

Floating Connection Timeout 649

Sample Backup ISP Deployment 649

Failover 652

Unit Roles and Functions in Failover 652

Stateful Failover 653

Active/Standby and Active/Active Failover 654

Failover Hardware and Software Requirements 656

Zero Downtime Upgrade in Failover 657

Failover Licensing 658

Failover Interfaces 658

Stateful Link 659

Failover Link Security 659

Data Interface Addressing 660

Asymmetric Routing Groups 662

Failover Health Monitoring 664

State and Role Transition 666

Configuring Failover 667

Basic Failover Settings 668

Data Interface Configuration 671

Failover Policies and Timers 673

Active/Active Failover 674

Monitoring and Troubleshooting Failover 678

Active/Standby Failover Deployment Scenario 680

Clustering 685

Unit Roles and Functions in Clustering 685

Master and Slave Units 685

Flow Owner 686

Flow Director 686

Flow Forwarder 687

Clustering Hardware and Software Requirements 687

Zero Downtime Upgrade in Clustering 688

Unsupported Features 689

Cluster Licensing 690

Control and Data Interfaces 690

Spanned EtherChannel Mode 693

Individual Mode 695

Cluster Management 697

Cluster Health Monitoring 697

Network Address Translation 698

Performance 700

Centralized Features 701

Scaling Factors 701

Packet Flow 702

TCP Connection Processing 702

UDP Connection Processing 703

Centralized Connection Processing 705

State Transition 705

Configuring Clustering 706

Setting Interface Mode 707

管理访问ASDM部署708

Building a Cluster 710

Data Interface Configuration 714

Monitoring and Troubleshooting Clustering 717

Spanned EtherChannel Cluster Deployment Scenario 720

Chapter 17 Implementing Cisco ASA Intrusion Prevention System (IPS) 733

IPS Integration Overview 733

IPS Logical Architecture 735

IPS Hardware Modules 735

IPS Software Modules 736

Inline and Promiscuous Modes 737

IPS High Availability 739

Cisco IPS Software Architecture 739

MainApp 741

AuthenticationApp 741

Attack Response Controller 742

cipsWebserver 742

Logger 742

CtlTransSource 743

NotificationApp 743

SensorApp 743

CollaborationApp 744

EventStore 744

Preparing ASA IPS for Configuration 744

Installing CIPS System Software 744

Accessing CIPS from the ASA CLI 747

Configuring Basic Management Settings 748

Setting Up ASDM for IPS Management 752

Installing the CIPS License Key 752

<



Updates

Errata

We've made every effort to ensure the accuracy of this book and its companion content. Any errors that have been confirmed since this book was published can be downloaded below.

Download the errata from the main title

Submit Errata

