Cisco ASA Firewall Fundamentals - 3rd Edition

Table of Contents:

Chapter 1   Getting Started With Cisco Firewalls
  1.1   User Interface
    1.1.1   Security Appliance Access Modes
  1.2   File Management
    1.2.1   Viewing and Saving Your Configuration
  1.3   ASA Image Software Management
  1.4   Password Recovery Procedure
  1.5   Security Levels
    1.5.1   Security Level Examples
    1.5.2   Rules for Traffic Flow between Security Levels
  1.6   Basic Firewall Configuration

Chapter 2   Configuring Network Address Translation
  2.1   Network Address Translation (NAT) Overview
    2.1.1   Configuring Dynamic NAT Translation
      2.1.1.1   Network Object NAT Configuration
    2.1.2   Configuring Dynamic Port Address Translation (PAT)
      2.1.2.1   Per-Session PAT and Multi-Session PAT (For ASA 9.x and Later)
    2.1.3   Configuring Static Address Translation (Static NAT)
    2.1.4   Configuring Identity NAT
      2.1.4.1   Identity NAT Used for VPN Configurations

Chapter 3   Using Access Control Lists (ACL)
  3.1   ACL Overview
  3.2   ACL Configuration
    3.2.1   Editing Access Control Lists
  3.3   New ACL Features in ASA 8.3 and Later
    3.3.1   Global Access Control List
    3.3.2   ACL Changes in ASA Versions 9.x (9.0, 9.1 and Later)
  3.4   Controlling Inbound and Outbound Traffic with ACLs
  3.5   Configuring Object Groups for ACLs
    3.5.1   Network Object Groups
    3.5.2   Service Object Groups
  3.6   Time-Based Access Lists

Chapter 4   Configuring VLANs and Subinterfaces

Chapter 5   Configuring Threat Detection
  5.1   Threat Detection Overview
  5.2   Basic Threat Detection
    5.2.1   Configuration and Monitoring of Basic Threat Detection
  5.3   Advanced Threat Detection
    5.3.1   Configuration and Monitoring of Advanced Threat Detection
  5.4   Scanning Threat Detection
    5.4.1   Configuration and Monitoring of Scanning Threat Detection

Chapter 6   IPSec VPNs
  6.1   Overview of Cisco ASA VPN Technologies
  6.2   What Is IPSec
  6.3   How IPSec Works
  6.4   Site-to-Site VPN Using IKEv1 IPSec
    6.4.1   Site-to-Site IKEv1 IPSec VPN Overview
    6.4.2   Configuring Site-to-Site IKEv1 IPSec VPN
      6.4.2.1   Restricting VPN Traffic between the Two Sites
    6.4.3   Configuring Hub-and-Spoke IKEv1 IPSec VPN
  6.5   Site-to-Site VPN Using IKEv2 IPSec
    6.5.1   IKEv2 Site-to-Site VPN Overview
    6.5.2   IKEv2 Site-to-Site VPN Configuration
  6.6   Remote Access IPSec VPNs
    6.6.1   Remote Access IPSec VPN Overview
    6.6.2   Configuring Remote Access IPSec VPN

Chapter 7   AnyConnect Remote Access VPNs
  7.1   Comparison between SSL VPN Technologies
  7.2   AnyConnect VPN Overview
  7.3   Basic AnyConnect SSL VPN Configuration
    7.3.1   Complete Configuration of Basic AnyConnect SSL VPN
    7.3.2   Connection Steps of Basic AnyConnect SSL VPN
  7.4   AnyConnect SSL VPN Using Self-Signed ASA Certificate
  7.5   AnyConnect SSL VPN Using Certificates from the Local CA on ASA
  7.6   AnyConnect SSL VPN Using 3rd Party CA
  7.7   IKEv2 Remote Access VPN with AnyConnect

Chapter 8   Configuring Firewall Failover
  8.1   ASA Models Supporting Failover
  8.2   Understanding Active/Standby Failover
  8.3   Configuring Active/Standby Failover

Chapter 9   Advanced Features of Device Configuration
  9.1   Configuring Clock and NTP Support
    9.1.1   Configure Clock Settings
    9.1.2   Configure Time Zone and Daylight Saving Time
    9.1.3   Configure Network Time Protocol (NTP)
  9.2   Configuring Logging (Syslog)
  9.3   Configuring Device Access Authentication Using Local Username/Password
  9.4   Configuring a Master Passphrase

Chapter 10   Authentication, Authorization, Accounting
  10.1   Device Access Authentication Using External AAA Server
    10.1.1   Configure Authentication Using an External AAA Server
  10.2   Cut-Through Proxy Authentication for TELNET, FTP, HTTP(S)
    10.2.1   Configure Cut-Through Proxy Authentication Using an External AAA Server

Chapter 11   Identity Firewall Configuration
  11.1   Prerequisites for Identity Firewall
    11.1.1   AD Agent Configuration
    11.1.2   Microsoft Active Directory Configuration
  11.2   Configuration of Identity Firewall on ASA

Chapter 12   Routing Protocol Support
  12.1   Static Routing
    12.1.1   IPv6 Static Routing
    12.1.2   Static Route Tracking - Dual ISP Redundancy
      12.1.2.1   Configuring Static Route Tracking
  12.2   Dynamic Routing Using RIP
    12.2.1   Configuring RIP
  12.3   Dynamic Routing Using OSPF
    12.3.1   Configuring OSPFv2
    12.3.2   Configuring OSPFv3 (ASA Version 9.x and Later)
  12.4   Dynamic Routing Using EIGRP
    12.4.1   Configuring EIGRP

Chapter 13   Modular Policy Framework Configuration
  13.1   MPF Overview
    13.1.1   Default Modular Policy Configuration
  13.2   Modular Policy Framework Configuration
    13.2.1   Configuring Class-Maps
    13.2.2   Configuring Policy-Maps
    13.2.3   Configuring a Service-Policy

Chapter 14   Quality of Service (QoS) Configuration
  14.1   Traffic Policing
  14.2   Traffic Shaping
  14.3   Priority Queuing
    14.3.1   Standard Priority Queuing
    14.3.2   Hierarchical Priority Queuing

Chapter 15   Cisco ASA 5505 Overview
  15.1   ASA 5505 Hardware and Licensing
    15.1.1   Hardware Ports and VLANs
    15.1.2   Licensing
  15.2   ASA 5505 Default Configuration