The “Cisco ASA Firewall Fundamentals” ebook, which I have authored and am selling on this website, took me many hours of hard work to write and promote. Beyond the effort of writing it, the ebook also carries the value of many years of experience in administering and implementing Cisco ASA firewalls.
Why am I saying all this? Because I feel angry and sad that many people try to find and download my ebook for free from various torrent sites or Rapidshare. My website statistics and keyword research revealed all this activity from people trying to get my ebook for free. I hate to say it, but I will have to resort to legal measures if I find that my ebook is being shared on peer-to-peer or download sites. Believe me, paying $29 for an ebook like this is nothing compared to the valuable knowledge that you will gain by purchasing it. Moreover, the updated second edition is probably the only ASA tutorial available that covers all the latest Cisco ASA version 8.3 features that differ from the older versions (for example NAT, ACLs etc.).
I believe that the best reward for my efforts in writing this Cisco ASA tutorial is the excellent feedback and comments that I receive every day by email and on this blog from people who purchased the ebook. Take a look below at some comments from happy customers.
Are you going to do an ASA Advanced (SNAA) book? You did a great job on this one.
Thanks
Hello Glenn, thanks for your kind words.
Well, actually I’m working on a new ASA Advanced ebook right now which will continue from where the “ASA Fundamentals” ebook stopped. It will deal with more advanced features and topics so as to cover almost all Cisco ASA implementation concepts.
Hello all,
Thanks for the book; it helps me to understand ASA.
Hi Harris,
I just want to say thank you. Your books saved my project. I seriously look forward to seeing your next book coming – please keep it under 100 pages!
Regards,
Hoi
Hi
I bought your book many weeks ago and you have done a great job. I wouldn’t hesitate to buy the Advanced version of it. I hope it will be jam packed with lots of real world examples and diagrams. If the eBook is full of great information and covers each technology for real world scenarios then I am happy to pay whatever price you choose.
I have various different ASA books but whenever I want to go back to basics, I go and check your colorful diagrams plus simple explanations. At the end of the day I am human and forget things. Memory buffer overflow.
Hi Riz, thanks for your comments.
You guys really inspire me to sit down and get that “Advanced ASA” finished because it’s a lot of work.
Thank you all for your kind words.
Cheers
Harris
Hi Harris,
Your book has been one of the best books I’ve bought so far. It provides me with a foundation of knowledge that is allowing me to progress further in my career. Also, it’s great that you also find the time to answer some newbie questions (thanks again for providing advice)! I can’t wait for the next book to come out!
Regards,
John D.
Hello John,
Thanks for your nice and encouraging words. I’m happy you found my ebook valuable.
I really enjoy providing advice and helping newcomers in the networking field. Anything you give away comes back to you multiple times I believe.
Thanks again.
Harris
This is an excellent book.
Hi
Is the advanced ASA done?
I would love to buy that one
Please fix up a date.
Thanks
I just want to say that this Cisco ASA Doc has been a great help to me as a Cisco Consultant. As a Cisco Consultant I have to understand all Cisco technologies, and a good reference Doc is hard to come by.
Also want to say that for the price it’s a great deal!!!
Richard,
Thank you so much for your comment. I’m glad to hear that my “Cisco ASA Firewall Fundamentals” ebook is a helpful resource for Cisco Consultants as well (in addition to technically oriented people). As far as the price is concerned, I tried to keep it as low as possible so that people from all over the world can take advantage of this helpful resource.
Cheers
Harris Andrea
Hi Harris,
I have a couple of ASA books for reference, but this one is awesome.
Hi Harris
Is this book sold in any bookstores?
Hello Steve,
No, this is a PDF ebook which you can download immediately after purchasing. It is not sold in any bookstore.
Hi Harris,
I am totally new to ASA. I used to do basic things on PIX. I need a good fast-track book as soon as possible. My company is going for the ASA 5510. Your book sounds good; is it possible to get a hard copy? Thanks
Hello Foster,
Welcome to the wonderful world of ASA!! I believe that my ebook will be an excellent choice for fast-track learning, with lots of practical and day-to-day examples and scenarios. However, it does not come in hard copy. It is a PDF ebook which you can download immediately after payment. Please let me know if you need more clarifications.
Regards
Harris Andrea
Hi Harris,
Thank you for letting me know. I will work to get the ebook.
Thanks
I have bought your ebook yesterday… GREAT JOB!
Thank you!
Luigi
Hi Harris,
I just want to say that your book is so far one of the best books that I have purchased; for me it’s a reference
and it helped me to carry out a good project, and its value is worth more than $27.
Can’t wait for your next book.
Dear Harris,
I am also interested in buying your fundamental and advanced books. Please advise the reference link to buy.
Regards
Hello Noor,
The link for purchasing the Cisco ASA Firewall Fundamentals is http://www.networkstraining.com/ciscoasaebook.php
Hello Harris,
I have been asked to replace our two Cisco PIX 515e firewalls because they are no longer supported.
Please would you advise me on a replacement from the Cisco ASA 5500 series?
I am interested in keeping our costs down so the ASA 5505 looks interesting.
Is the 5505 a NAT firewall only?
We need to do packet filtering between two fully routed subnets.
For example:
block all traffic except allow DNS queries to our DNS nameserver
and allow SMTP traffic to our mail server.
Both of these servers are located on the secure side of our current PIX 515e (external firewall)
which is a boundary between the Internet and our (routed IP subnet) DMZ.
I would be very grateful for some advice and guidance.
Thanks in advance.
Paul Blackburn
Hello Paul,
Strictly speaking, the recommended replacement for a PIX 515e is the ASA 5510 and not the 5505. However, if you feel that a 5505 is suitable in terms of performance, connections etc., then go ahead with it. Note that you must get a 5505 with a Security Plus license if you want to create more than 2 security zones (VLANs). That is, if you want to have an outside VLAN, an inside VLAN and a third DMZ VLAN, then you must get a “Sec Plus” license to avoid any restrictions.
The ASA5505 is not just a NAT firewall. It is a fully functional firewall just like the other ASA models. You can configure any packet filtering scenarios you want. The example you mention with DNS and SMTP is fully supported on the 5505 with no problems.
Let me know if you need more guidance.
Harris
Hello Harris,
I can’t thank you enough for the information you provide in your book. Even though I have taken both ICND courses and have a firm grasp of Cisco IOS, I find myself referencing your work quite often.
Thanks again,
Paul
We upgraded from a 10 year old Netscreen NS100 to a Cisco ASA5510 and this book was a great asset in learning how to recreate our firewall rules. It’s a very short read and right to the point! I found it much easier to follow than Cisco’s own book and would definitely recommend it as your main or companion reference.
Great Book well worth buying has helped me in real life countless time. Keep up the good work.
This book was perfect and got me through standing up my first Cisco product. Very much appreciated, and there no reason people should not pay the price it was worth every penny.
Hi Harris,
Your books are very helpful and easier to understand than Cisco documents.
Are you going to do any book on IPS ASA_SSM?
Tac
Hi Harris
I have not received my ASA 5510 yet. I’m looking forward to using the book to help me set up the device when it arrives!!
Thanks again
Cisco ASA Firewall Fundamentals book is well worth the cost. Its contents were just right for me.
I understand intermediate networking but I don’t work on Cisco ASAs often enough to remember everything and I didn’t know much about the new 8.3 changes. I use Cisco ASA Firewall Fundamentals more than any other Cisco ASA book as a quick reference and a reminder if I have a Cisco ASA question. This book quickly showed me what the significant changes in 8.3 are.
Cisco ASA Firewall Fundamentals isn’t dense like most Cisco books. It’s very accessible. It doesn’t contain every detail but it’s the most used Cisco ASA book in my library (including all the books on O’Reilly Safari). It’s easy to quickly read through, digest, and also good to refer back to later. It has excellent examples and explanations with helpful diagrams along with the command line commands.
Harris, thanks for writing this book and making it available at a reasonable price. If you write more books I will buy them too.
Anyone looking for a guide to walk you through both configuring and managing a Cisco firewall, this is the one! I am very reluctant to admit the price is a steal.
Hi Harris, thanks for the tremendous ebook. It’s robust and compact, great job, I really love it.
Hi Harris,
Great book, you have done a great job. It helped me a lot to understand ASA from the basics; the way of explaining with simple and good examples is excellent. I am eagerly waiting for your Advanced ASA book.
Nisar
Hi,
This is a great book bundle with a lot of clear illustrations.
I am new to Cisco and to the CLI. I am not a very good classroom learner either. I learn by reading, doing, failing and correcting my mistakes, and then succeeding.
For those like us, I would be grateful if you could devote a small part of the book to getting people like us to take off without crashing!
1. Take the unit out of the box.
2. Sample lab setup: how to save the initial configuration so that we can get back to the default out-of-the-box status.
3. Connecting with telnet or SSH (I know the telnet part easily and some SSH).
4. What you see when you connect.
5. Is there a GUI interface? Which is better, GUI or CLI?
6. Sample test configurations and how to check the results.
7. Anything else that you can throw in at this stage to make it easy for us to stay in the air before safely landing.
8. Teach how to do a few simple acrobatic manoeuvres before trying out the more elaborate stuff.
Thanks for sending the Link to the update.
This book is highly recommended and I agree it’s a steal at the price.
Hi Harris, thank you for the best support; it’s the greatest ASA book in the world.
Hi Harris
I like your book; it is a really good one for industry-level security related issues. More complex requirements will come; I will post them to you sometime. Also, you could add configuring the ASA 5520/5510 by using ASDM.
Thanks again.
Good morning,
Thank you very much for the update of the book; it will make it easier to comprehend the device.
Regards.
Your e-books on the ASA firewall have been a godsend for me. Will you be doing any books in other areas of technology? Most notably VoIP (Cisco Unified Communications Manager, Voice Gateways, etc…).
PS. Please continue doing what you have been doing. You make everything straightforward without all the unnecessary jargon that other books push on us.
Hi Harris,
The book is very, very useful to me.
I have an ASA running version 8.2.1. I tried to configure a remote access VPN, but I have one problem.
My remote VPN client is connected but I can’t ping or use remote access.
I can’t add “crypto isakmp nat-traversal 20”; the ASA ignores this command. I don’t know if this is the cause of my problem.
Do you have some idea?
Thanks.
The book is worth all the money!
Hello Sabin,
In your ASA version (8.2.1) the command “crypto isakmp nat-traversal” is enabled by default; that’s why the ASA ignores the command. What you describe is probably a problem with the crypto Access Lists. Give me more info in order to help you.
Regards
Harris
Hello again,
Thank you very much for your support.
If I ping (from the VPN) the internal network 192.168.2.X it doesn’t work, except for one IP (the internal IP of my PC). Strange!
Here is a part of my running config.
boot system disk0:/asa821-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name XXXXXXXXX
access-list outside-in extended permit icmp any any echo-reply
access-list outside-in extended deny ip any any log
access-list nat0_acl extended permit ip 192.168.2.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list splittunnel standard permit 192.168.2.0 255.255.255.0
pager lines 24
logging enable
logging trap debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpnpool 192.168.20.1-192.168.20.40
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nat0_acl
nat (inside) 1 192.168.2.0 255.255.255.0
access-group outside-in in interface outside
!route outside using default gateway XXXXXXX
route outside 0.0.0.0 0.0.0.0 XXXXXXXX 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet 192.168.2.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy vpn2010 internal
group-policy vpn2010 attributes
vpn-idle-timeout 30
split-tunnel-policy tunnelspecified
split-tunnel-network-list value splittunnel
tunnel-group vpn2010 type remote-access
tunnel-group vpn2010 general-attributes
address-pool vpnpool
default-group-policy vpn2010
tunnel-group vpn2010 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect dns migrated_dns_map_1
!
service-policy global_policy global
prompt hostname context
If at least one IP from the internal network (the IP address of your own PC) replies to the ping request, then the VPN tunnel works fine. I have a feeling that the rest of the machines in the internal network have Windows Firewall enabled. Did you check that?
Ping to my PC is OK, but Remote Desktop (Windows) to my PC doesn’t work. The other PCs have the firewall disabled.
My VPN is connected. Ping on the local LAN doesn’t work. Is it possible to add a route from the VPN to the inside LAN?
Thank you!
Sabin
On the VPN client there is a “Log” button showing various statistics and connection properties. Click on that and see if there is traffic going through. Also, on the ASA check the VPN by using “show crypto ipsec sa” and “show crypto isakmp sa” to see if the packets between the internal LAN and the VPN pool are flowing encrypted. The configuration you have is correct, so I cannot think of anything else.
Regarding the route, NO, you cannot add a route on the VPN client. However, you can use “ipconfig /all” on the client PC to verify that it has received the proper IP address from the VPN pool range (192.168.20.0).
Hi!
I want to buy this book via paypal. Please can you send me the information.
Thanks
Hi,
I want to say that this Cisco ASA Firewall Fundamentals ebook is really helpful for me.
I read a lot of Cisco documentation for the ASA and your ebook is the best for reading and understanding.
I read the comments and see that you are preparing a Cisco ASA Advanced ebook, and I hope that you will finish soon.
Thanks
Just bought the book and I’m very happy. Thanks for the explanations and getting to the point in the configurations. Some authors bloat (I’m looking at you Richard Deal) and confuse. I’m very new to the ASA 5550 (v.8.3) and your book(s) got me clear quickly. Thank you.
(I bought the book, definitely worth it)
http://twitter.com/joelwitherspoon
Nice Book.
I have been putting off buying it for a while now.
I wish I didn’t.
Great help, great examples and easy read.
This is a must for newbies or engineers that want to know the facts in understanding firewall configurations.
Thanks a lot guys for all your kind words. I’m really happy you liked my ebook. Don’t hesitate to ask me anything you want.
When we purchase the book, do we get free updates to the book as revisions are made? Also, if or when you create the advanced book, will that be discounted for users that bought this book?
Hi Earl,
YES, when you purchase you will get free updates to the book as revisions are made. For example, when I added some revisions about the new ASA 8.3 version a few months ago, all of my current customers received the updated ebook for free. My existing customers will also receive significant discounts on any new books that I’m planning to publish.
Thanks for your e-book. I refer to your “CONFIGURATION EXAMPLE 2: ASA FIREWALL WITH DMZ AND TWO INTERNAL ZONES”. I’ve some blocking issues. I’d like to ssh/ftp to the server in the DMZ from the internal segment. And I would like ssh/telnet access to the RTR which is connected at the FW Outside segment. What could be the blocking issues?
ASA01# sh run
: Saved
:
ASA Version 8.3(1)
!
hostname ASA01
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0/0
nameif OUT
security-level 0
ip address 192.25.152.248 255.255.255.0
!
interface Ethernet0/1
nameif DMZ2
security-level 50
ip address 192.25.154.249 255.255.255.0
!
interface Ethernet0/2
nameif DMZ1
security-level 50
ip address 192.25.156.249 255.255.255.0
!
interface Ethernet0/3
nameif IN
security-level 100
ip address 192.25.130.248 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.25.158.248 255.255.255.0
management-only
!
boot system disk0:/asa831-k8.bin
ftp mode passive
clock timezone SGT 8
object network DMZ1
subnet 192.25.156.0 255.255.255.0
object network IN
subnet 192.25.130.0 255.255.255.0
object network OUT
subnet 192.25.152.0 255.255.255.0
object network DMZ1
host 192.25.156.107
object network DMZ2
host 192.25.154.107
object-group service PORT_GROUPtcp
port-object eq echo
port-object eq ftp
port-object eq ssh
! Allow access from Internet to DMZ SVR
access-list OUT_IN extended permit tcp any host 192.25.154.107 object-group PORT_GROUP
! INT SVR zone is allowed to access all protocols
access-list IN_IN extended permit ip 192.25.130.0 255.255.255.0 any
pager lines 24
logging enable
logging asdm informational
mtu OUT 1500
mtu DMZ2 1500
mtu management 1500
mtu DMZ1 1500
mtu IN 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
!
object network GDG-MGT
! Create permanent static NAT mappings for our DMZ servers
nat (DMZ1,OUT) static 192.25.152.150
object network DMZ2
nat (DMZ2,OUT) static 192.25.152.151
access-group OUTSIDE_IN in interface OUT
access-group INSIDE_IN in interface IN
! Creation of default route for our DMZ servers
route OUT 0.0.0.0 0.0.0.0 192.25.152.246 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.25.158.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca server
shutdown
smtp from-address admin@ASA01.null
telnet 192.25.158.0 255.255.255.0 management
telnet timeout 60
ssh 192.25.158.0 255.255.255.0 management
ssh timeout 60
console timeout 5
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
username admin password GTgQqSLU2SE75qvy encrypted privilege 15
!
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
!
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
hpm topN enable
Cryptochecksum:96844d7e69e6dc8b260b0875db9389d1
: end
ASA01#
Nay,
You have not followed the example carefully. You have left out the dynamic NAT translations. In order to access the DMZ from the internal LAN, we can create a dynamic NAT rule as below:
object network IN
subnet 192.25.130.0 255.255.255.0
nat (inside,any) dynamic interface
Do the above and let me know how it goes.
Thanks a lot for your guide. But when I configure the command, I received the error message
nat (inside,any) dynamic interface
( ERROR: “interface” keyword is not allowed when translated interface is any ).
nat (inside,any)dynamic interface ?
( network-object mode commands/options:
dns Use the created xlate to rewrite DNS record
)
To be honest with you, I am not very experienced in ASA. Thanks.
Nay,
Oh, I hadn’t noticed that your internal network zone is called “IN”. So, you need to do the following:
object network IN
subnet 192.25.130.0 255.255.255.0
nat (IN,DMZ1) dynamic interface
object network IN
subnet 192.25.130.0 255.255.255.0
nat (IN,DMZ2) dynamic interface
object network IN
subnet 192.25.130.0 255.255.255.0
nat (IN,OUT) dynamic interface
The above will create a PAT rule on the respective outgoing interface IP address when going from inside (IN) to DMZ1,DMZ2,and OUT interfaces.
Hi,
Does the book cover remote access vpn without split tunneling for both 8.2 and 8.3 code?
Thanks
The remote access vpn example in the book includes split tunneling configuration. If you just remove the split tunneling commands, then it is what you want.
Thanks. Just purchased the books. I believe that other than removing the split tunneling config, I also need to add “same-security-traffic permit intra-interface”.
Have a great new year and beyond.
Hi again,
I would recommend including the subnet mask in the vpn pool command for remote access VPN.
Page 37 of the 5505 book and other places in both books have the following:
ip local pool vpnpool 192.168.20.1-192.168.20.254
This works, as by default it appends the major class mask. But consider someone using 10.x.x.x on the inside and DMZ as well as for the pool; then the subnet mask becomes critical. Otherwise users will connect but will not be able to get anywhere, as the mask they get will be /8, which will cause the machine to consider all destination subnets in the corporate network to be local and hence only ARP rather than use its gateway to route.
Also, can you clarify why in 8.3 code we need to repeat the same network/object in the nat commands:
nat (inside,outside) 1 source static obj-local obj-local destination static obj-remote obj-remote
nat (inside,outside) 1 source static any any destination static obj-vpnpool obj-vpnpool
And to make this book complete, I would request including a configuration example of a scenario with a site-to-site VPN and remote access VPN terminating on the same firewall (hairpinning), with and without split tunneling (most enterprises will not permit split tunneling while you are on VPN, but you may need u-turn if a VPN user needs to access resources at a third party who has set up a site-to-site VPN with your headend firewall, or to access resources at another site that has a site-to-site VPN with the main site). This also requires not forgetting to include the remote sites’ subnets in the VPN headend firewall’s NAT exemption and crypto ACLs.
It may also be beneficial, especially these days, when telecommuter applications prefer a Cisco router at the employee end rather than an ASA 5505, to include a config example for a site-to-site VPN between an ASA and a Cisco 891 router.
The last thing may be to add two ISP connections, with IP SLA (and careful mention of the fact that the main ISP needs to supply a pingable IP address that is only available through their cloud and not reachable from the Internet or other ISPs). I had set up two 5510s with two separate ISPs at the main site and IP SLA works great, and remote site routers can then be specified with two peer addresses for these two interfaces on the ASA (used the management interfaces on the redundant firewalls for the second ISP) for auto failover of the VPN tunnel.
Thanks
Thanks for the great work.
dpsguard,
Happy New Year 2011 for you too.
Great comments and suggestions. I really appreciate your feedback and recommendations.
Regarding the ip pool for vpn clients, yes you could use a subnet mask to avoid any problems for class A addresses:
e.g: ip local pool vpnpool 10.1.1.1-10.1.1.254 mask 255.255.255.0
Now regarding the NAT commands in version 8.3 (used in VPN configurations), you basically repeat the same network/object twice in order to create an “identity NAT” thus essentially disabling NAT for VPN traffic (same as nat 0 for the pre-8.3 versions).
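The classful-mask failure mode dpsguard describes above (a pool defined without "mask" leaving clients with a /8 that swallows the corporate subnets) turned into a small configuration check. This is an added example, not code from the page or from the ebook; the configuration fragment it scans is constructed, and it assumes the default behaviour the comment describes, namely that a pool without a "mask" keyword gets the classful mask of its first address.

```python
import ipaddress
import re
from typing import Optional

# Constructed ASA configuration fragment (sample input, not taken from the page or the ebook).
# "vpnpool" is defined without a "mask" keyword; "vpnpool_ok" carries an explicit /24 mask.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface Ethernet0/2
 nameif DMZ
 security-level 50
 ip address 10.2.2.1 255.255.255.0
!
ip local pool vpnpool 10.3.3.1-10.3.3.254
ip local pool vpnpool_ok 10.4.4.1-10.4.4.254 mask 255.255.255.0
"""

POOL_RE = re.compile(
    r"^ip local pool (?P<name>\S+) (?P<start>[\d.]+)-(?P<end>[\d.]+)"
    r"(?: mask (?P<mask>[\d.]+))?\s*$"
)
IFACE_IP_RE = re.compile(r"^\s*ip address (?P<ip>[\d.]+) (?P<mask>[\d.]+)\s*$")


def classful_prefix(addr: str) -> int:
    """Prefix length of the classful mask for an IPv4 address: A=/8, B=/16, otherwise /24."""
    first_octet = int(ipaddress.IPv4Address(addr)) >> 24
    if first_octet < 128:
        return 8
    if first_octet < 192:
        return 16
    return 24


def parse_pools(config: str) -> dict:
    """Map pool name -> (start, end, explicit mask or None) from 'ip local pool' lines."""
    pools = {}
    for line in config.splitlines():
        m = POOL_RE.match(line)
        if m:
            pools[m["name"]] = (m["start"], m["end"], m["mask"])
    return pools


def parse_interface_subnets(config: str) -> list:
    """Collect the directly connected subnets from interface 'ip address A M' lines."""
    subnets = []
    for line in config.splitlines():
        m = IFACE_IP_RE.match(line)
        if m:
            subnets.append(ipaddress.ip_network(f"{m['ip']}/{m['mask']}", strict=False))
    return subnets


def client_local_network(start: str, mask: Optional[str]) -> ipaddress.IPv4Network:
    """The network a connected client believes it sits on: explicit mask, else classful
    (assumed default behaviour when the pool has no 'mask' keyword)."""
    if mask is not None:
        prefix = ipaddress.ip_network(f"0.0.0.0/{mask}").prefixlen
    else:
        prefix = classful_prefix(start)
    return ipaddress.ip_network(f"{start}/{prefix}", strict=False)


def check_pools(config: str) -> dict:
    """For each pool, report the client's apparent local network and which firewall
    subnets fall inside it; the client would ARP for those instead of routing them
    through the tunnel, which is exactly the 'connected but cannot reach anything' symptom."""
    subnets = parse_interface_subnets(config)
    findings = {}
    for name, (start, _end, mask) in parse_pools(config).items():
        local_net = client_local_network(start, mask)
        findings[name] = {
            "mask_missing": mask is None,
            "local_network": str(local_net),
            "shadowed_subnets": [str(n) for n in subnets if n.subnet_of(local_net)],
        }
    return findings


if __name__ == "__main__":
    for pool, info in check_pools(SAMPLE_CONFIG).items():
        flag = "MISSING mask" if info["mask_missing"] else "explicit mask"
        print(f"{pool}: {flag}, client local net {info['local_network']}, "
              f"shadowed: {info['shadowed_subnets'] or 'none'}")
```

Run it against a saved "show running-config" to list every pool that would hand clients a classful mask overlapping the firewall's own subnets; adding the "mask" keyword as in the reply above clears the finding.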
Hi,
Thanks for clarifying on the new NAT exemption. So essentially repeating the same address / network object implies that we are maintaining the source and destination addresses. I hope there is no other change other than NAT implementation in 8.3. I still don’t understand as to the benefit of making this change in 8.3 code, other than confusing everyone? There may be some more granularity and control, but not much. They should have better called it version 9.
I do see that you have an example on your website of a two ISPs using IP SLA (not in the ebook). You are using ISP GW address to verify the availability of the primary internet circuit. What will happen if there is a problem with the ISP PE router at the POP, while the GW address is still reachable? We do need firewall to switchover to backup ISP even in such situations. If we use something like google DNS (8.8.8.8) or openDNS (4.2.2.2), it will cause it to trigger the failover even with ISP cloud issues. Do we see any issues with this approach?
Thanks
Yeah, the new ASA 8.3 version has brought many complaints. I don’t like the changes in NAT either, not to mention the extra RAM required to run version 8.3.
Now about the dual ISP redundancy, you can use any IP address to verify availability of your ISP links. In my example I use the ISP gateway address just for illustrative purposes. You can use another ISP address (maybe the ISP DNS server) to cover also failures in the ISP cloud. I wouldn’t use the Google DNS because they might be monitoring who is pinging them and if they see continuous and repeated ICMP packets from your site they might consider it as an attack.
Hello Harris
I will definitely buy your book. Just curious if/when it will be updated to cover the ASA 8.4 version?
br
hkl
Hi
Are you going to update the ebook with the new version 8.4?
Regards
Reza
Guys,
The new Cisco ASA version 8.4 does not have any important differences from version 8.3. The most important change is that version 8.4 now supports EtherChannel, which is basically a well-known feature in routers where you can bundle together 2 or more network interfaces to increase interface speed and redundancy. This is the most notable change in version 8.4 compared to 8.3 and earlier. The most important changes in Cisco ASA were introduced in version 8.3, which is fully covered in the book.
Hi, I just purchased the book yesterday but I didn’t find an example that answers my question.
Is it possible for the DMZ and Inside to communicate in both directions? Because in the example only the inside can communicate with the DMZ. Please advise.
Marco,
If you see page 19 (Configuration Example 3) on the Bonus ebook (“Cisco ASA 5505 Configuration”) you will see an example with bidirectional communication between inside and DMZ servers.
If you still have any questions please let me know.
Harris
Hi Harris,
I’m new to ASA 8.3 (5510), just want to ask: I used the outside port for VPN and it’s working fine, but when I tried to use the outside interface for Internet access from the inside it didn’t work. Can I use the outside interface for both?
marco,
Yes, you can use the outside interface to terminate VPN (either IPsec VPN or SSL VPN) and also use it to provide Internet access for your internal network. Study my books and you will find numerous examples there.
Hi Harris,
I need your expert advice. The following is what I have been able to make work with the 5510 running 8.3:
1. Allowed RDP for both inside and DMZ
2. Allowed VPN
3. Allowed FTP and WWW server
4. Allowed inside to communicate with DMZ
However, the following I can’t make work:
1. inside and DMZ internet access
2. allow DMZ to communicate to inside
3. While I’m connected to the VPN, the Internet connection on my laptop is no longer available.
Below is my current configuration. I hope you can help me on this since I’m a newbie with ASA and, besides, the requirements are more complex (I guess).
*******************************************
interface Ethernet0/0
duplex full
nameif outside
security-level 0
ip address 111.111.111.111 255.255.255.0
!
interface Ethernet0/1
duplex full
nameif inside
security-level 100
ip address 172.16.0.1 255.255.255.0
!
interface Ethernet0/2
duplex full
nameif DMZ
security-level 50
ip address 192.168.10.1 255.255.255.0
!
ftp mode passive
object network WEB-SERVER
host 192.168.10.5
object network DMZ-NET
subnet 192.168.10.0 255.255.255.0
object network inside-NET
subnet 172.16.0.0 255.255.255.0
object network VPN-SUBNET
subnet 192.168.20.0 255.255.255.0
object network DMZ-RDP
subnet 192.168.10.0 255.255.255.0
object network inside-RDP
subnet 172.16.0.0 255.255.255.0
object network DMZ-FTP
host 192.168.10.3
object network inside-FTP
host 172.168.0.2
object network DMZ_mapped_ip_pool
range 192.168.10.100 192.168.10.254
object network outside_pool
range 111.111.111.112 111.111.111.114
object network inside_to_DMZ
subnet 172.16.0.0 255.255.255.0
object network inside_to_outside
subnet 172.16.0.0 255.255.255.0
!
object network DMZ_to_outside
subnet 192.16.10.0 255.255.255.0
access-list outside-in extended permit tcp any object WEB-SERVER eq www
access-list outside-in extended permit tcp any object DMZ-FTP eq ftp
access-list DMZ-in extended permit tcp 192.168.20.0 255.255.255.0 object DMZ-RDP eq 3389
access-list DMZ-in extended permit ip 192.168.10.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list DMZ-in extended permit ip object inside_to_DMZ 192.168.10.0 255.255.255.0
access-list DMZ-in extended permit ip object DMZ-NET 172.16.0.0 255.255.255.0
access-list inside-in extended permit tcp object VPN-SUBNET object inside-RDP eq 3389
access-list inside-in extended permit ip 172.16.0.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list extended extended permit ip 192.168.10.0 255.255.255.0 any
!
nat (DMZ,outside) source static DMZ-NET DMZ-NET destination static VPN-SUBNET VPN-SUBNET
nat (inside,outside) source static inside-NET inside-NET destination static VPN-SUBNET VPN-SUBNET
!
object network WEB-SERVER
nat (DMZ,outside) static 111.111.111.111 service tcp www www
object network DMZ-FTP
nat (DMZ,outside) static 111.111.111.114 service tcp ftp ftp
object network inside-FTP
nat (inside,outside) static 111.111.111.115 service tcp ftp ftp
object network inside_to_DMZ
nat (inside,DMZ) dynamic DMZ_mapped_ip_pool
object network inside_to_outside
nat (inside,outside) dynamic outside_pool
object network DMZ_to_outside
nat (DMZ,outside) dynamic outside_pool
access-group outside-in in interface outside
access-group inside-in in interface inside
access-group DMZ-in in interface DMZ
route outside 0.0.0.0 0.0.0.0 111.111.111.110 1
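The outbound (internet access) part of the posted config, reworked as an added example; this is not Marco’s or Harris’s configuration. It keeps the interface names and subnets from the posted config and reuses the posted object names so the corrected objects replace the originals. Two things visible in the posted config are worth checking against it: the DMZ_to_outside object carries the subnet 192.16.10.0 rather than the DMZ network 192.168.10.0, and the line beginning “access-list extended extended …” has no ACL name, so it is bound to no interface. The pool outside_pool holds three addresses and the posted rules use dynamic NAT without PAT fallback, which limits concurrent internet users to three hosts; the example adds the interface keyword so the ASA falls back to PAT on the outside address. The DNS server and client addresses in the verification commands are constructed.

```cisco
! Added example (not from the thread): outbound internet access for inside
! and DMZ on ASA 8.3+. Interface names and subnets follow the posted config.
object network outside_pool
 range 111.111.111.112 111.111.111.114
!
object network inside_to_outside
 subnet 172.16.0.0 255.255.255.0
 ! dynamic NAT to the pool, falling back to PAT on the outside interface
 nat (inside,outside) dynamic outside_pool interface
!
object network DMZ_to_outside
 subnet 192.168.10.0 255.255.255.0
 nat (DMZ,outside) dynamic outside_pool interface
!
! Traffic leaving an interface must also be permitted by the inbound ACL
! applied on that interface. The DMZ-to-inside rule already present in the
! posted config stays before the catch-all so the order of evaluation is clear.
access-list inside-in extended permit ip 172.16.0.0 255.255.255.0 any
access-list DMZ-in extended permit ip 192.168.10.0 255.255.255.0 any
!
! The twice-NAT identity rules for VPN-SUBNET in the posted config are
! manual NAT and are evaluated before object NAT, so VPN traffic is not
! translated by the dynamic rules above.
!
! Verify: packet-tracer walks the ACL and NAT phases for a constructed flow
! (8.8.8.8 and the client addresses are constructed test values).
packet-tracer input inside tcp 172.16.0.10 1025 8.8.8.8 53
packet-tracer input DMZ tcp 192.168.10.5 1025 8.8.8.8 80
show xlate
```

On the second unresolved item (DMZ to inside), the posted DMZ-in ACL already permits 192.168.10.0/24 to 172.16.0.0/24; since 8.3 requires no NAT rule for that direction, a failing flow is most easily diagnosed with packet-tracer from the DMZ interface toward an inside host, which shows which ACL or NAT phase drops it. From a security standpoint a DMZ-to-inside permit should be narrowed to the specific hosts and ports the DMZ actually needs rather than the whole inside subnet.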
Hi Harris,
I already resolved the problem/concern on item #1 and item #2. But for item #3 I suspect that I need to put the DNS IP in the DNS option of the VPN attributes so that my laptop will still have internet when I’m connected to the VPN. However, if you have a better solution please let me know.
Your book is awesome, I’m glad that I bought it. One thing that I can promise you is that I’ll recommend your book to my colleagues and to my previous colleagues, and I won’t give a copy to them.
Thank you
Marco,
You will need to configure “split-tunneling” in order to be able to access the internet while connected to the VPN. The following links will explain to you how to configure this feature:
Allow Split Tunneling for AnyConnect VPN Client on the ASA
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080975e83.shtml
Allow Split Tunneling for VPN Clients on the ASA
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702999.shtml
Hope it helps.
Regards
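A split-tunneling configuration matching the scenario in the thread, as an added example (not taken from the linked Cisco documents or from the book). The subnets are the ones in Marco’s posted config; the names VPN-POLICY, VPN-TUNNEL, VPN-POOL, the DNS server 172.16.0.10 and the domain example.com are assumed.

```cisco
! Added example (not from the thread): split tunneling so that only the
! corporate networks are sent through the VPN and the client keeps its own
! internet path. Object and pool names and the DNS server are assumed.
ip local pool VPN-POOL 192.168.20.10-192.168.20.100 mask 255.255.255.0
!
! Standard ACL listing only the networks that should travel through the tunnel.
access-list SPLIT-TUNNEL standard permit 172.16.0.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 192.168.10.0 255.255.255.0
!
group-policy VPN-POLICY internal
group-policy VPN-POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
 ! internal DNS so that inside host names resolve while connected
 dns-server value 172.16.0.10
 default-domain value example.com
!
tunnel-group VPN-TUNNEL type remote-access
tunnel-group VPN-TUNNEL general-attributes
 address-pool VPN-POOL
 default-group-policy VPN-POLICY
!
! The identity NAT rules for VPN-SUBNET in the posted config remain required,
! otherwise tunneled traffic to inside/DMZ is caught by the outbound PAT.
!
! Verify the policy actually applied and the networks pushed to clients:
show run group-policy VPN-POLICY
show vpn-sessiondb remote
```

Split tunneling trades inspection for convenience: the client’s internet traffic no longer passes the corporate firewall. Where that is not acceptable, the alternative is to keep tunnelall and let the ASA hairpin the client’s internet traffic back out of the outside interface with same-security-traffic permit intra-interface, which keeps internet access working at the cost of tunnel bandwidth.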
Hi Harris,
Sorry to bother you again. Can you please check if I did it right? We need to open an SMTP server from both “DMZ” and “inside”, which is port 25, to be accessed from “outside”.
This is what I’ve done.
for DMZ SMTP Server
object network SMTP-dmz
host 192.168.10.254
nat (DMZ,outside) static 111.111.111.246 service tcp smtp smtp
access-list outside-in extended permit tcp any object SMTP-dmz eq smtp
for Inside SMTP Server
object network SMTP-inside
nat (inside,outside) static 111.111.211.245 service tcp smtp smtp
access-list outside-in extended permit tcp any object SMTP-inside eq smtp
I hope you can share some advice.
thank you in advance
marco,
For the Inside SMTP server, you don’t have a host statement under the “object network SMTP-inside” like you do for the DMZ server. Other than that, the rest is correct.
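The two SMTP publications with the missing host statement supplied and a verification step, as an added example rather than Marco’s or Harris’s configuration. The public addresses and the DMZ host are the ones posted; the inside server address 172.16.0.25 and the external test client 203.0.113.10 are assumed.

```cisco
! Added example (not from the thread): static port forwards for two SMTP
! servers on ASA 8.3+, with the object-level NAT that 8.3 requires.
object network SMTP-dmz
 host 192.168.10.254
 nat (DMZ,outside) static 111.111.111.246 service tcp smtp smtp
!
object network SMTP-inside
 ! the real address is the part missing from the posted config (assumed value)
 host 172.16.0.25
 nat (inside,outside) static 111.111.211.245 service tcp smtp smtp
!
! 8.3+ ACLs reference the real (untranslated) address via the object.
access-list outside-in extended permit tcp any object SMTP-dmz eq smtp
access-list outside-in extended permit tcp any object SMTP-inside eq smtp
access-group outside-in in interface outside
!
! Verify with a constructed external source address; the output lists the
! NAT rule matched and the ACL phase result.
packet-tracer input outside tcp 203.0.113.10 40000 111.111.111.246 25
packet-tracer input outside tcp 203.0.113.10 40000 111.111.211.245 25
show nat detail
```

Two things to check once mail flows: the default global policy inspects ESMTP and can reject non-conforming commands, which show service-policy inspect esmtp will reveal, and the inbound rule deliberately opens only tcp/25 so that nothing else on the mail hosts becomes reachable from the internet.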
Hi, your book and your product are amazing! I want to ask a question: what is the difference between the 5505 and the 5540? And can the ASA 5505 support SRST? I mean I want to connect an IP phone from my central office to my branch office, not using a softphone; I mean I want to use a real IP phone. Please tell me, is it possible?
Thanks for your nice comments. Well, regarding the differences between the 5505 and the 5540, the first one (5505) is suitable for SOHO networks while the 5540 is suitable for medium to large networks. Their firewall software features though are the same. The 5505 cannot be used as an SRST device. However, you can connect an IP phone on one of its “power over ethernet” ports and have the ASA assign DHCP option 150 to the IP phone. In option 150 you basically assign the IP address of the remote (central office) CallManager Express system in order for the phone to register.
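The DHCP option 150 setup described in the reply, written out as an added example (not from the book or the thread). The addresses are assumed: the branch phone VLAN is 192.168.1.0/24 on the 5505’s default inside VLAN, the central-office CME is 10.10.10.5 and the DNS server 10.10.10.2; the site-to-site VPN that carries the phone’s signaling to the central office is not shown.

```cisco
! Added example (not from the thread): ASA 5505 handing DHCP option 150 to an
! IP phone plugged into one of its PoE switch ports (Ethernet0/6 and 0/7 on
! the 5505). All addresses are assumed values.
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/6
 switchport access vlan 1
!
! DHCP scope for the phone VLAN; option 150 carries the TFTP/CME address the
! phone uses to fetch its configuration and register.
dhcpd address 192.168.1.10-192.168.1.50 inside
dhcpd dns 10.10.10.2
dhcpd option 150 ip 10.10.10.5
dhcpd enable inside
!
! Verify that the phone received a lease from the ASA:
show dhcpd binding
```

The ASA only points the phone at the remote CME; registration traffic must still be permitted through the site-to-site tunnel and the interface ACLs, and because the 5505 has no SRST role, phones lose registration when the WAN or VPN to the central office is down.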
Do you have a .mobi version of the book for the Kindle?
Jeffrey,
The book is only available in PDF format but you can easily convert it to .mobi format with “Auto Kindle” (free) from sourceforge here:
http://sourceforge.net/projects/autokindle/
You say the 2nd edition covers the new 8.3 OS, but does it keep the old examples too?
Thanks in advance for your comments!
Eduardo,
Yes, the 2nd edition covers version 8.3 and later together with the old examples. Basically on the same examples and configuration tutorials I include the commands for pre 8.3 and post 8.3 versions of Cisco ASA.
Hi Harris!
The first thing that I would say is to give a big thanks for the book that you have published.
Look, I’m working with an ASA 5510 appliance and I want to allow the VPN port and web port 80 in the firewall.
Can you help me with how to do that? Thank you man, and excuse me for my English, but I’m not from England. Thanks again.
Indrit,
I’m glad you liked my book. Please give me some more details for what you want to achieve. Do you have an internal web server? Are you going to terminate vpn from outside to an internal server? What kind of vpn do you want to allow (IPSEC vpn, ssl vpn?). What is the exact scenario?
Hi, how can I purchase this book and what is the cost of it? Is it for software version 8.3 or not? Please give me a reply.
Hi Shajan,
You can purchase Cisco ASA Firewall Fundamentals – 2nd Edition from the LINK HERE. It costs $29.95 and you will also get a free ebook which is focused on the Cisco ASA 5505. Both books cover all versions prior to and after 8.3 software.
Mr. Harris Andrea,
I wrote you one time and you replied back; it was about a command in Class-Maps and you informed me that it was introduced in version 7.4. Awesome! I was very impressed, thank you.
Just wanted to let you know, that the book, Cisco-ASA-Firewall-Fundamentals took me to the next level configuring and troubleshooting Cisco ASA 5510 firewalls.
Perhaps let us know about your next book and include configurations for QoS on the firewall, since some VoIP providers are found now on the internet.
Thank you again, regards
Oscar
Hi Oscar,
I’m really glad that my book has helped you to enhance your knowledge of Cisco ASA firewall devices. I will be updating the book accordingly if major changes are implemented by Cisco.
Thanks
Harris