Cisco ASA Firewall Fundamentals 3rd Edition

Today I have officially launched my new ebook “Cisco ASA Firewall Fundamentals – 3rd Edition”, which is probably the most up-to-date and practical Cisco ASA tutorial out there. It covers the newest ASA version 9.x (plus older versions as well), and all content in the book applies to both the ASA 5500 and 5500-X series.

I wrote the original First Edition of “Cisco ASA Firewall Fundamentals” in 2008. Since then, I have been updating and enhancing the ebook with all new developments and features that Cisco adds to the ASA product line.

This Third Edition of the book is completely updated to cover the latest ASA version 9.x. All configuration commands, features etc. will work on the newest ASA 9.x (in addition to older 8.x versions) and also on the newest ASA 5500-X models. This updated edition also includes extensive new content, making it one of the most complete ASA books available on the market. I believe that the Third Edition ebook will be a valuable resource for both beginners and experienced ASA professionals.

This ebook (PDF format) is filled with raw practical concepts, step-by-step configuration tutorials, more than 50 colorful network diagrams to explain the scenarios, complete configuration examples, real-world cases that you will not find anywhere else, etc. There is no fluff or redundant information.

Some of the new topics added in the book include:

  • Basic, Advanced, and Scanning Threat Detection
  • IKEv2 IPSEC VPN (site-to-site)
  • IKEv2 Remote Access VPN (using the Anyconnect Secure Mobility Client)
  • Anyconnect SSL VPN using a Self-Signed ASA Certificate
  • Anyconnect SSL VPN using Certificates from the Local CA on the ASA for Certificate-Based Authentication together with username/password (two factor)
  • Anyconnect SSL VPN using 3rd Party CA Certificates
  • Per-Session PAT and Multi-Session PAT for version 9.x
  • Access Control List (ACL) changes introduced in ASA v9.x
  • Time-based ACLs
  • Master Passphrase Configuration
  • Identity Firewall Configuration (ASA configuration, AD Agent configuration etc.)
  • IPv6 Routing (static IPv6, OSPFv3 for IPv6)
  • Quality of Service Configuration (Traffic Policing, Traffic Shaping, Priority Queuing)
  • Cisco ASA 5505 chapter (hardware, license, configuration)
  • etc.

Those are the additional topics added in the 3rd Edition. The rest of the book covers much more content, comprising the most important features and configurations that you will encounter in Cisco ASA firewalls.

I believe that this ASA Configuration Guide will be a valuable resource for any Cisco professional for years to come. Again, keep in mind that by purchasing this ebook you will be getting huge discounts on the future updated editions of the book that I will be publishing. Just make sure to subscribe to my “Customers’ email list” (on the download page after purchasing the book) in order to be eligible for the discounts.


Site to Site IPSEC VPN Between Cisco Router and Juniper Security Gateway


In today's network infrastructures you will encounter multivendor devices that need to communicate and interoperate. One requirement that you will frequently find in your work environment is to establish a secure VPN connection over the public Internet between devices from two different vendors. As a network engineer you need to know that the best VPN technology to use for multivendor communication is IPSEC VPN. IPSEC is a standardized suite of protocols that is supported by all security vendors, … [Continue reading]

Configuration of Cisco ASA for ASDM Access

I created the following video on YouTube a few months ago and thought about embedding it here as well. It is about configuring the Cisco ASA in order to install the ASDM image (Adaptive Security Device Manager) and hence be able to manage the device with the graphical ASDM GUI. The video also shows how to enable SSH access to the device, how to restrict access to a management network, etc. An out-of-the-box Cisco ASA device is not fully ready to be managed by the GUI interface … [Continue reading]
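The following is an added configuration example illustrating the steps the video covers (pointing the ASA at an ASDM image, enabling the HTTPS server that ASDM uses, enabling SSH, and restricting both to a management network). It is not the configuration from the video itself: the hostname, domain name, the interface name "management", the 10.10.10.0/24 management subnet, the ASDM image filename and the password placeholders are all assumptions for this example.

```cisco
! Hypothetical values: hostname, domain, subnet, interface name and image
! filename are assumptions, and <...> marks passwords you must replace.
hostname asa-edge
domain-name example.com
!
! Local admin account used for both SSH and ASDM logins
username admin password <strong-password> privilege 15
enable password <strong-enable-password>
!
! Point the ASA at the ASDM image already copied to flash (placeholder name)
asdm image disk0:/asdm-7xx.bin
!
! ASDM talks HTTPS to the ASA: enable the server, allow only the
! management subnet on the management interface, authenticate locally
http server enable
http 10.10.10.0 255.255.255.0 management
aaa authentication http console LOCAL
!
! SSH needs an RSA key pair; generating one requires that hostname and
! domain-name are already set (done above)
crypto key generate rsa modulus 2048
ssh 10.10.10.0 255.255.255.0 management
ssh version 2
ssh timeout 10
aaa authentication ssh console LOCAL
```

Keep the `http` and `ssh` lines scoped to the management subnet and interface rather than `0.0.0.0 0.0.0.0` on the outside interface, and leave telnet disabled. `show asdm image` and `show running-config http` confirm the image path and the allowed networks before you launch the ASDM client.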

New Cisco ASA 5506-5508 models with FirePOWER


Cisco announced more details about its new ASA models (5506, 5508), which use FirePOWER services and are geared towards small and medium-sized businesses. According to Cisco, the new ASA models are the “industry’s first threat-focused Next Generation Firewalls” and offer application visibility and control, advanced malware protection (using AMP Threat Grid), next-generation intrusion prevention, unified on-box management, etc. The new models are the following: 5506-X - Desktop threat … [Continue reading]

Cisco will ship boxes to vacant addresses to avoid NSA Interception Campaigns


According to Cisco’s security chief John Stewart: “We ship [boxes] to an address that has nothing to do with the customer, and then you have no idea who ultimately it is going to. When customers are truly worried … it causes other issues to make [interception] more difficult in that [agencies] don’t quite know where that router is going so it’s very hard to target – you’d have to target all of them. There is always going to be inherent risk.” According to “The Register”, the NSA intercepts Cisco … [Continue reading]

Network Failover Redundancy Scenario – Two sites with two ASA Firewalls


A few months ago I was involved in a project where we had to design a network redundancy scenario with two physically separate networks in two different buildings (the sites were a few kilometers away from each other). The main requirement was to provide inbound Internet access to two server pools (Linux servers in a high-availability cluster). Traffic would therefore flow from the Internet to the servers, which were protected by two Cisco ASA firewalls. The network has been implemented … [Continue reading]

Ping TCP Command on Cisco ASA – a great troubleshooting tool


The “ping” command has been the “de facto” troubleshooting tool for testing connectivity and communication between two hosts. As we all know, the ping command sends ICMP echo request packets to the other end and waits for ICMP echo replies to come back. From ASA 8.4(1) and later, Cisco introduced an enhanced version of the ping command: “ping tcp”. It allows the ASA device to send a TCP SYN packet (instead of ICMP) from any source IP to any destination IP on any port (source … [Continue reading]
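As an added example, not taken from the original post, here is how the command looks in practice. The interface name "inside", the server 192.168.10.20, the client 10.1.1.5 and the ports are assumptions for this example.

```cisco
! Assumed addresses, ports and interface name.
! Send five TCP SYNs to the web server on port 443 out of the inside
! interface, sourced from the address and port of a client that reports
! a failure, with a 2 second wait for each answer.
ping tcp inside 192.168.10.20 443 source 10.1.1.5 40000 repeat 5 timeout 2
!
! Same target, letting the ASA pick the source address and port.
ping tcp inside 192.168.10.20 443
```

A successful probe means a SYN-ACK came back, so the host is reachable and something is listening on that port; if a plain ICMP ping to the same host succeeds but `ping tcp` does not, the problem is the service or a port-level filter rather than routing. The reverse case (ICMP blocked, `ping tcp` fine) is the common one where ordinary ping is useless and this command earns its keep.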

Number of CCIEs in the world – Starting Salaries – Demand by Track

I have collected some statistics about the Cisco CCIE certification, which is the top spot you can get in the Cisco certification pyramid (of course there is also Cisco Architect in the Design track, but that's another story). A lot of people ask me about the total number of CCIEs in the world, the starting salaries of CCIEs and also which CCIE track has the most demand in job openings, so I did some research and present the results below. Total number of CCIEs in the world: This number … [Continue reading]

Cisco VPN Configuration Book available on Amazon

I wanted to let you know that my second book “Cisco VPN Configuration Guide” is now available in paperback format on Amazon. Take advantage of Amazon’s free shipping with Prime and order the book with fast and free two-day delivery. The “Cisco VPN Configuration Guide” is a great practical reference for configuring almost any kind of Cisco VPN. Having a printed book on hand will therefore be very useful in the field or on your desk for quick reference. Below are the direct links on the … [Continue reading]

Cisco ASA Firewall Fundamentals Book now available on Amazon


I’m excited to announce today that my ASA book “Cisco ASA Firewall Fundamentals – 3rd Edition” is now available on Amazon as a physical paperback book. I have had numerous requests from people to publish my book in printed format as well, so here we go. The book is available on almost all Amazon websites and you get free shipping as well (see links below). If you have already purchased the book (3rd Edition) in electronic format and you are interested in getting the physical book as well, please … [Continue reading]

Six DoS Vulnerabilities in Cisco IOS Software – Patch your devices ASAP

On March 26, 2014 Cisco announced six serious security vulnerabilities (five in Cisco IOS software and one in the Cisco 7600 Series Route Switch Processor 720 with 10 Gigabit Ethernet Uplinks). If exploited, the vulnerabilities can result in a denial of service condition on the affected devices. All six vulnerabilities have a CVSS base score greater than 7 (out of a maximum of 10), which means they are high risk, since they can be exploited remotely without authentication. Here … [Continue reading]

What is Currently the best Cisco Training for Certification Exams?


Read until the end of this article to see how you can get a complete CCNA training for only $44 and a complete CCNP training for only $99. Cisco certifications have always been among the most valuable professional qualifications to obtain, since they offer huge opportunities for career advancement. Earning a certification like CCNA, CCNP, CCIE, CCNA Security, CCNP Security etc. will show your potential employer that you are a highly skilled and motivated professional. A lot of my colleagues … [Continue reading]

Cisco ASA5510 Vs ASA5512-X or 5515-X

The Cisco ASA product line for small and branch offices includes 4 ASA models:

  • ASA5505 (either Basic License or Security Plus License)
  • ASA5510 (either Basic License or Security Plus License)
  • ASA5512-X (either Basic License or Security Plus License)
  • ASA5515-X

In this article I will describe the main differences between the ASA5510 and the newest-generation ASA5512-X and ASA5515-X models. I have chosen these 3 models because the Cisco ASA5512-X and 5515-X are recommended by Cisco as … [Continue reading]