Networks Training

You are here: Home / Cisco ASA General / Cisco ASA Firewall Fundamentals ebook : Rapidshare and Torrent Free Download

Cisco ASA Firewall Fundamentals ebook : Rapidshare and Torrent Free Download

Written By

The “Cisco ASA Firewall Fundamentals” ebook, that I have authored and been selling on this website, took me many hours of hard work to write. In addition to the work effort of writing this ebook, it encompasses also enormous value from many years of experience in administering and implementing Cisco ASA firewalls.

Why am I saying all that? Because I feel angry and pity that many people try to find and download my ebook for free from various torrent sites or Rapidshare. My website statistics and keyword research revealed all this activity from people trying to get my ebook for free. I hate to say that but I will have to resort to legal measures if I find that my ebook is being shared on peer-to-peer or download sites. Believe me, paying $29 bucks for an ebook like that is nothing compared to the valuable knowledge that you will gain by purchasing it. Moreover, the updated third edition ebook is probably the only ASA tutorial available that covers all latest Cisco ASA configurations (version 9.x) features and also the only book that explains the differences between the older versions (for example NAT, ACL etc) in pre-8.3 and post-8.3 versions.

MORE READING:  ExtraBacon Cisco ASA Vulnerability

I believe that the best reward for my efforts to write this Cisco ASA tutorial is the excellent feedback and comments that I receive everyday in my email and on this blog from people who purchased the ebook. Take a look below for some comments from happy customers.

Related Posts

Filed Under: Cisco ASA General

Download Free Cisco Commands Cheat Sheets

Enter your Email below to Download our Free Cisco Commands Cheat Sheets for Routers, Switches and ASA Firewalls.

We use Elastic Email as our marketing automation service. By submitting this form, you agree that the information you provide will be transferred to Elastic Email for processing in accordance with their Terms of Use and Privacy Policy. Also, you allow me to send you informational and marketing emails from time-to-time.

About Harris Andrea

Harris Andrea is an Engineer with more than two decades of professional experience in the fields of TCP/IP Networks, Information Security and I.T. Over the years he has acquired several professional certifications such as CCNA, CCNP, CEH, ECSA etc.

He is a self-published author of two books ("Cisco ASA Firewall Fundamentals" and "Cisco VPN Configuration Guide") which are available at Amazon and on this website as well.

Comments

  2. BlogAdmin says

    Hello Glenn, thanks for your kind words.
    Well actually I’m working on a new ASA Advanced ebook right now which will continue from where the “ASA Fundamentals” ebook stopped. It will deal with more advanced features and topics so that to cover almost all Cisco ASA implementation concepts.

  4. Hoi says

    Hi Harris,

    I just want to say thank you to you. Your books saved my project. I seriously look for forward to see your next book coming – please keep it under 100 pages!

    Regards,
    Hoi

  5. Riz says

    Hi

    I have bought your book since many weeks and you have done great job. I wouldn’t hesitate to buy Advance version of it. I hope it will be jam packed with lots of real world examples and diagrams. If the eBook is full of great information and covering each Technologies for real world scenarios then I am happy to pay whatever price your chose.

    I have various different ASA books but whenever I want go back to basics, I go and check your color full diagrams plus simple explanation. End-of-Day I am human and forget things. Memory buffer overflow. :)

  6. BlogAdmin says

    Hi Riz, thanks for your comments.

    You guys really inspire me to sit down and get that “Advanced ASA” finished because its a lot of work.

    Thank you all for your kind words.

    Cheers

    Harris

  7. John D. says

    Hi Harris,

    Your book has been one of the best books I’ve bought so far. It provides me with a foundation of knowledge that is allowing me to progress further in my career. Also, it’s great that you also find the time to answer some newbie questions (thanks again for providing advice)! I can’t wait for the next book to come out!

    Regards,

    John D.

  8. BlogAdmin says

    Hello John,

    Thanks for your nice and encouraging words. I’m happy you found my ebook valuable.
    I really enjoy providing advice and helping newcomers in the networking field. Anything you give away comes back to you multiple times I believe.

    Thanks again.

    Harris

  10. ananth says

    Hi

    Is the advanced ASA done ?

    I would love to buy that one :)

    Please fix up a date.

    Thanks

  11. Richard says

    I Just want to say that this Cisco ASA Doc has been a great help to me as a Cisco Consultant. As a Cisco Consultant I have to understand all Cisco Technologies , and having a good reference Doc is hard to come by.
    Also want to say for the price its a great deal!!!

  12. BlogAdmin says

    Richard,

    Thank you so much for your comment. I’m glad to hear that my “Cisco ASA Firewall Fundamentals” ebook is a helpful resource for Cisco Consultants as well (in addition to technical oriented people). As far as the price is concerned, I tried to keep it as low as possible so that people from all over the world can take advantage of this helpful resource.

    Cheers

    Harris Andrea

  15. BlogAdmin says

    Hello Steve,

    No, this is a PDF ebook which you can download immediately after purchasing. It is not sold in any bookstore.

  16. Foster says

    Hi Harris,
    I am totally new for ASA. used to do basic thing on PIX. NEED GOOD FAST TRACK BOOK as soon as possible. My company is going for ASA 5510. Your book sounds good, is it possible to get a hard copy? Thanks

  17. BlogAdmin says

    Hello Foster,

    Welcome to the wonderful world of ASA !! I believe that my ebook will be an excellent choice for fast track learning, with lots of practical and day-to-day examples and scenarios. However, it does not come in hard copy. It is a PDF ebook which you can download immediately after payment. Please let me know if you need more clarifications.

    Regards

    Harris Andrea

  20. Unes says

    hi Harris
    just i want to say that your book is so far one of the best book that i have purchased , it’s for me a reference
    and it help me to performe a good project , and it’s value worth more than 27$
    can’t wait for your next book

  21. Noor Hasan says

    Dear Haris,

    I am also interested to buy your fundamental and advanced books. Please advice reference link to buy.

    Regards

  23. Paul Blackburn says

    Hello Harris,

    I have been asked to replace our two Cisco PIX 515e firewalls because they are no longer supported.
    Please would you advise me on a replacement from the Cisco ASA 5500 series?

    I am interested in keeping our costs down so the ASA 5505 looks interesting.

    Is the 5505 a NAT firewall only?

    We need to do packet filtering between two fully routed subnets.

    For example:
    block all traffic except allow DNS queries to our DNS nameserver
    and allow SMTP traffic to our mail server.

    Both of these servers are located on the secure side of our current PIX 515e (external firewall)
    which is a boundary between the Internet and our (routed IP subnet) DMZ.

    I would be very grateful for some advice and guidance.

    Thanks in advance.

    Paul Blackburn

  24. BlogAdmin says

    Hello Paul,

    Strictly speaking, the recommended replacement for a PIX515e is the ASA5510 and not the 5505. However, if you feel that a 5505 is suitable in terms of performance, connections etc. then go ahead with it. However, you must get a 5505 with a security plus license in case you want to create more than 2 security zones (Vlans). That is, if you want to have an outside vlan, an inside vlan and a third DMZ vlan, then you must get a “Sec Plus” license to avoid any restrictions.

    The ASA5505 is not just a NAT firewall. It is a fully functional firewall just like the other ASA models. You can configure any packet filtering scenarios you want. The example you mention with DNS and SMTP is fully supported on the 5505 with no problems.

    Let me know if you need more guidance.

    Harris

  25. Paul Belter says

    Hello Harris,
    I can’t thank you enough for the the information you provide in your book. Even though I have taken both ICND courses and have a firm grasp of
    Cisco OS, I find myself referencing your work quite often.
    Thanks again,
    Paul

  26. John Mello says

    We upgraded from a 10 year old Netscreen NS100 to a Cisco ASA5510 and this book was a great asset in learning how to recreate our firewall rules. It’s a very short read and right to the point! I found it much easier to follow than Cisco’s own book and would definitely recommend it as your main or companion reference.

  27. lenny says

    Great Book well worth buying has helped me in real life countless time. Keep up the good work.

  28. Tim Snell says

    This book was perfect and got me through standing up my first Cisco product. Very much appreciated, and there no reason people should not pay the price it was worth every penny.

  29. Tac Huynh says

    Hi Harris,

    Your books are very helpful and easier to understanding than Cisco documents.
    Are you going to do any book on IPS ASA_SSM ?

    Tac

  30. Kellon Langdon says

    Hi Harris

    I have not receive my ASA5510 I’m looking forward to using the book to help me setup the device when it arrives!!

    Thanks again

  31. Lance says

    Cisco ASA Firewall Fundamentals book is well worth the cost. Its contents were just right for me.

    I understand intermediate networking but I don’t work on Cisco ASA’s often enough to remember everything and I didn’t know much about the new 8.3 changes. I use Cisco ASA Firewall Fundamentals more than any other Cisco ASA book as a quick reference and a reminder if I have a Cisco ASA question. This book quickly showed me what the significant changes in 8.3 are.

    Cisco ASA Firewall Fundamentals isn’t dense like most Cisco books. It’s very accessible. It doesn’t contain every detail but it’s the most used Cisco ASA book in my library (including all the books on O’Reilly Safari). It’s easy to quickly read through, digest, and also good to refer back to later. It has excellent examples and explanations with helpful diagrams along with the command line commands.

    Harris, thanks for writing this book and making it available at a reasonable price. If you write more books I will buy them too.

  32. John says

    Anyone looking for a guide to walk you through both configuring and managing a Cisco firewall, this is the one! I am very reluctant to admit the price is a steal.

  33. Nhelskie says

    hi Harris thanks for the tremedous ebook, its robust and compact great job I really love it..

  34. Nisar says

    Hi Harris,

    Great book, you have done a great job,it help me a lot to understand ASA from basic,way of explaination with a simple and good example are excellent, i am eagerly waiting for your Advance ASA Book.

    Nisar

  35. Nalin says

    Hi,

    This is a great book bundle with a lot of clear illustrations.

    I am new to Cisco and to the CLI. I am not a very good classroom leaner either. I learn by reading, doing failing and correcting my mistakes and then succeeding.

    for those like us, I would be grateful if oyu could devote a small part ot the book to get people like us take off without crashing !.

    1. take the unit out of the box.
    2. Sample lab set up. how to save the intial configuration so that we can get back to dafault out of the box status.
    3. connecting with a telnet or ssh ( i know the telnet part easily and some ssh )
    4. What you see when you connect.
    5. Is there a Gui interface which is better / gui or CLI.
    6. Sample test configurations and how to check these results
    7. Anything else that you can throw in at this stage to make it easy for us to stay in the air before safely landing.
    8. Teach how to do a few simple acrobatic manoeuvres before trying out the more elaborate stuff.

    Thanks for sending the Link to the update.

    This book is highly recommended and I agree it’s a steal at the price.

  37. mohammad khan says

    Hi Harris

    I like your book, it is really good one for industry level security related issues. There are more complex requirements come. I will post you sometime. Also you can add configuring ASA 5520/5510 by using ASDM.

    Thanks again.

  38. Justino says

    Good morning,

    Thank you very much for the update of the book, I will make it easier to compression of the device.
    A greeting.

  39. Andre Bowen says

    Your e-books on ASA firewall has been a GOD send for me. Will you be doing any books in any other areas of technology? Most notably VOIP (Cisco Unified Communications Manager, Voice Gateways, etc…).

    PS. Please continue doing what you have been doing. You make everything straight forward without all the unnecessary jargon that other books push on us.

  40. Sabin Ungureanu says

    Hi Haris,
    The book is very very useful to me.

    I have an ASA 8.2.1 version. I tried to configure a remote access VPN, but I have one problem.
    My remote VPN client is conected but I can’t ping or use remote access.
    I can’t add “crypto isakmp nat-traversal 20”, ASA ignore this command. I don’t know if this is the cauze for my problem.

    Do you have some ideea?
    Thanks.

  42. Blog Admin says

    Hello Sabin,

    In your ASA version (8.2.1) the command “crypto isakmp nat-traversal” is enabled by default, that’s why the ASA ignores the command. What you describe is probably a problem with the crypto Access Lists. Tell me more info in order to help you.

    Regards

    Harris

  43. Sabin Ungureanu says

    Hello again,
    Thank you very much for your support.
    If I ping (from VPN)internal network 192.168.2.X don’t work, except one IP(internal ip of my pc). Strange!
    Here is a part of my running conf.
    boot system disk0:/asa821-k8.bin
    ftp mode passive
    dns server-group DefaultDNS
    domain-name XXXXXXXXX
    access-list outside-in extended permit icmp any any echo-reply
    access-list outside-in extended deny ip any any log
    access-list nat0_acl extended permit ip 192.168.2.0 255.255.255.0 192.168.20.0 255.255.255.0
    access-list splittunnel standard permit 192.168.2.0 255.255.255.0
    pager lines 24
    logging enable
    logging trap debugging
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool vpnpool 192.168.20.1-192.168.20.40
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list nat0_acl
    nat (inside) 1 192.168.2.0 255.255.255.0
    access-group outside-in in interface outside
    !route outsite using default gateway XXXXXXX
    route outside 0.0.0.0 0.0.0.0 XXXXXXXX 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication ssh console LOCAL
    aaa authentication serial console LOCAL
    aaa authentication telnet console LOCAL
    http server enable
    http 192.168.2.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 20
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 86400
    telnet 192.168.2.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0

    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy vpn2010 internal
    group-policy vpn2010 attributes
    vpn-idle-timeout 30
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value splittunnel

    tunnel-group vpn2010 type remote-access
    tunnel-group vpn2010 general-attributes
    address-pool vpnpool
    default-group-policy vpn2010
    tunnel-group vpn2010 ipsec-attributes
    pre-shared-key *
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns migrated_dns_map_1
    parameters
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect dns migrated_dns_map_1
    !
    service-policy global_policy global
    prompt hostname context

  44. Blog Admin says

    If at least one IP from the internal network (the IP address of your own PC) replies in the ping request, then the VPN tunnel works fine. I have a feeling that the rest of the machines in the internal network have windows firewall enabled. Did you check that?

  45. Sabin Ungureanu says

    Ping on my pc is OK, but remote desktop(windows)to my pc doesn’t work. The others pc have firewall disable.

  46. Sabin Ungureanu says

    My vpn is connected. Ping on local LAN doesn’t work. It possible to add a route from vpn to inside LAN?
    Thank you!

  47. Blog Admin says

    Sabin

    On the VPN client there is a “Log” button showing various statistics and connection properties. Click on that and see if there is traffic going through. Also, on the ASA check the VPN by using “show crypto ipsec sa” and “show crypto isakmp sa” to see if the packets between internal LAN and VPN pool are flowing encrypted. The configuration you have is correct, so I can not think of anything else.

    Regarding the route, NO you can not add a route on the VPN client. However, you can use “ipconfig /all” on the client PC to verify that it has received the proper IP address from the VPN pool range (192.168.20.0).

  48. capricorn says

    Hi!

    I want to buy this book via paypal. Please can you send me the information.

    Thanks

  49. Anis says

    Hi,

    I want to say that this Cisco ASA Firewall Fundamentals ebook is really helpful for me.
    I read a lot of Cisco DOC stuff for ASA and your ebook is best for reading and understanding.

    I read comments and see that you preparing Cisco ASA Advance ebook and I hope that you will finis soon.

    Thanks

  50. Joel Witherspoon says

    Just bought the book and I’m very happy. Thanks for the explanations and getting to the point in the configurations. Some authors bloat (I’m looking at you Richard Deal) and confuse. I’m very new to the ASA 5550 (v.8.3) and your book(s) got me clear quickly. Thank you.
    (I bought the book, definitely worth it)

    http://twitter.com/joelwitherspoon

  51. Bill P. says

    Nice Book.
    I have been putting off buying it for a while now.
    I wish I didn’t.
    Great help, great examples and easy read.
    This is a must for newbies or engineers that want to know the facts in understanding firewall configurations.

  52. Blog Admin says

    Thanks a lot guys for all your kind words. I’m really happy you liked my ebook. Don’t hesitate to ask me anything you want.

  53. earl says

    When we purchase the book to we get free updates to the book as revisions are made? Also, if or when you create the advanced book will that be discounted for users that bought this book?

  54. Blog Admin says

    Hi earl,

    YES, when you purchase you will get free updates to the book as revisions are made. For example, when I added some revisions about the new ASA 8.3 version a few months ago, all of my current customers received the updated ebook for free. My existing customers will receive also significant discounts on any new books that I’m planning to publish.

  55. NMT says

    Thanks for your e-book. I refer to your “CONFIGURATION EXAMPLE 2: ASA FIREWALL WITH DMZ AND TWO INTERNAL ZONES”. I ve some blocking issues. I’d like to ssh/ftp to server@DMZ from internal seg. And would like to ssh/ telnet access to RTR which is connected at FW Outside seg. What could be the blockig issues?

    ASA01# sh run
    : Saved
    :
    ASA Version 8.3(1)
    !
    hostname ASA01
    enable password 2KFQnbNIdI.2KYOU encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    dns-guard
    !
    interface Ethernet0/0
    nameif OUT
    security-level 0
    ip address 192.25.152.248 255.255.255.0
    !
    interface Ethernet0/1
    nameif DMZ2
    security-level 50
    ip address 192.25.154.249 255.255.255.0
    !
    interface Ethernet0/2
    nameif DMZ1
    security-level 50
    ip address 192.25.156.249 255.255.255.0
    !
    interface Ethernet0/3
    nameif IN
    security-level 100
    ip address 192.25.130.248 255.255.255.0
    !
    interface Management0/0
    nameif management
    security-level 100
    ip address 192.25.158.248 255.255.255.0
    management-only
    !
    boot system disk0:/asa831-k8.bin
    ftp mode passive
    clock timezone SGT 8
    object network DMZ1
    subnet 192.25.156.0 255.255.255.0
    object network IN
    subnet 192.25.130.0 255.255.255.0
    object network OUT
    subnet 192.25.152.0 255.255.255.0
    object network DMZ1
    host 192.25.156.107
    object network DMZ2
    host 192.25.154.107
    object-group service PORT_GROUPtcp
    port-object eq echo
    port-object eq ftp
    port-object eq ssh
    ! Allow access from Internet to DMZ SVR
    access-list OUT_IN extended permit tcp any host 192.25.154.107 object-group PORT_GROUP

    ! INT SVR zone is allowed to access all protocols
    access-list IN_IN extended permit ip 192.25.130.0 255.255.255.0 any
    pager lines 24
    logging enable
    logging asdm informational
    mtu OUT 1500
    mtu DMZ2 1500
    mtu management 1500
    mtu DMZ1 1500
    mtu IN 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-631.bin
    no asdm history enable
    arp timeout 14400
    !
    object network GDG-MGT
    ! Create permanent static NAT mappings for our DMZ servers
    nat (DMZ1,OUT) static 192.25.152.150
    object network DMZ2
    nat (DMZ2,OUT) static 192.25.152.151

    access-group OUTSIDE_IN in interface OUT
    access-group INSIDE_IN in interface IN

    ! Creation of default route for our DMZ servers
    route OUT 0.0.0.0 0.0.0.0 192.25.152.246 1

    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.25.158.0 255.255.255.0 management
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto ca server
    shutdown
    smtp from-address [email protected]
    telnet 192.25.158.0 255.255.255.0 management
    telnet timeout 60
    ssh 192.25.158.0 255.255.255.0 management
    ssh timeout 60
    console timeout 5
    threat-detection basic-threat
    threat-detection statistics
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    webvpn
    username admin password GTgQqSLU2SE75qvy encrypted privilege 15
    !
    !
    !
    policy-map type inspect dns migrated_dns_map_1
    parameters
    message-length maximum 512
    !
    prompt hostname context
    call-home
    profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
    hpm topN enable
    Cryptochecksum:96844d7e69e6dc8b260b0875db9389d1
    : end

    ASA01#

  56. Blog Admin says

    Nay,

    You have not followed the example carefully. You have left behind the dynamic NAT translations. In order to access the DMZ from the internal lan, we can create a dynamic NAT rule as below:

    object network IN
    subnet 192.25.130.0 255.255.255.0
    nat (inside,any) dynamic interface

    Do the above and let me know how it goes.

  57. NMT says

    Thanks a lot for your guide. But when I configure the command, I received the error message
    nat (inside,any) dynamic interface
    ( ERROR: “interface” keyword is not allowed when translated interface is any ).

    nat (inside,any)dynamic interface ?
    ( network-object mode commands/options:
    dns Use the created xlate to rewrite DNS record
    )
    To be honest with you, I am not very experienced in ASA. Thanks.

  58. Blog Admin says

    Nay,

    Oh, I haven’t seen that the name of your internal network zone is called “IN”. So, you need to do the following:

    object network IN
    subnet 192.25.130.0 255.255.255.0
    nat (IN,DMZ1) dynamic interface

    object network IN
    subnet 192.25.130.0 255.255.255.0
    nat (IN,DMZ2) dynamic interface

    object network IN
    subnet 192.25.130.0 255.255.255.0
    nat (IN,OUT) dynamic interface

    The above will create a PAT rule on the respective outgoing interface IP address when going from inside (IN) to DMZ1,DMZ2,and OUT interfaces.

  59. dpsguard says

    Hi,

    Does the book cover remote access vpn without split tunneling for both 8.2 and 8.3 code?

    Thanks

  60. Blog Admin says

    The remote access vpn example in the book includes split tunneling configuration. If you just remove the split tunneling commands, then it is what you want.

  61. dpsguard says

    Thanks. Just purchased the books. I believe that other than removing split tunneling config, I also need to add same security permit traffic intra interface.

    Have a great new year and beyond.

  62. dpsguard says

    Hi again,

    I will recommend to include subnet mask in vpn pool command for Remote access vpn.

    Page 37 of 5505 book and other places in both books have following.
    ip local pool vpnpool 192.168.20.1-192.168.20.254

    This works, as by default, it appends the major class mask. But consider, someone using 10.x.x.x in inside, dmz as well as for pool, then subnet mask become critical else, users will connect, but will not be able to get anywhere as the mask they will get will be /8, which will cause the machine to consider all destinations subnets in corporate network to be local and hence only ARP rather than use its gateway to route.

    Also, can you clarify as to why in 8.3 code, do we need to repeat the same network/object in nat commands:

    nat (inside,outside) 1 source static obj-local obj-local destination static obj-remote obj-remote

    nat (inside,outside) 1 source static any any destination static obj-vpnpool obj-vpnpool

    And to make this book complete, I will request to include a configuration example of a scenario with a site to site VPN and remote access VPN terminating on the same firewall (hairpinning) with and without splittunneling (most enterprises will not permit split tunneling while you are on VPN, but you may need u-turn, if a VPN user need to access resources at a third party who has set up a site to site vpn with your headend firewall, or to access resources at another site that has site to site vpn with main site). This also then requires to not miss including the remote sites subnets in the VPN headend firewall for its nat exemption and crypto ACLs.

    It may also be beneficial, especially these days, when telecommuters application prefer a cisco router at employee end, rather than a ASA5505, to include a config example for a site to site VPN between ASA and Cisco 891 router.

    Last thing may be to add two ISP connections, with IP SLA (and ceraful mention of the fact that main ISP need to supply a pingable IP address, that is only available thru their cloud and not reachable from internet, other ISPs). I had set up two 5510s with two separate ISPs at main site and IP SLA works great and remote site routers can then be specified with two peer addresses for these two interfaces on ASA (used management interfaces on redundant firewalls for second ISP) for auto failover of the VPN tunnel.

    Thanks

    Thanks for great work.

  63. Blog Admin says

    dpsguard,

    Happy New Year 2011 for you too.

    Great comments and suggestions. I really appreciate your feedback and recommendations.

    Regarding the ip pool for vpn clients, yes you could use a subnet mask to avoid any problems for class A addresses:

    e.g: ip local pool vpnpool 10.1.1.1-10.1.1.254 mask 255.255.255.0

    Now regarding the NAT commands in version 8.3 (used in VPN configurations), you basically repeat the same network/object twice in order to create an “identity NAT” thus essentially disabling NAT for VPN traffic (same as nat 0 for the pre-8.3 versions).

  64. dpsguard says

    Hi,

    Thanks for clarifying on the new NAT exemption. So essentially repeating the same address / network object implies that we are maintaining the source and destination addresses. I hope there is no other change other than NAT implementation in 8.3. I still don’t understand as to the benefit of making this change in 8.3 code, other than confusing everyone? There may be some more granularity and control, but not much. They should have better called it version 9.

    I do see that you have an example on your website of a two ISPs using IP SLA (not in the ebook). You are using ISP GW address to verify the availability of the primary internet circuit. What will happen if there is a problem with the ISP PE router at the POP, while the GW address is still reachable? We do need firewall to switchover to backup ISP even in such situations. If we use something like google DNS (8.8.8.8) or openDNS (4.2.2.2), it will cause it to trigger the failover even with ISP cloud issues. Do we see any issues with this approach?

    Thanks

  65. Blog Admin says

    Yeah, the new ASA 8.3 version has brought many complaints. I don’t like the changes in NAT either, not to say also the extra RAM required to run version 8.3.

    Now about the dual ISP redundancy, you can use any IP address to verify availability of your ISP links. In my example I use the ISP gateway address just for illustrative purposes. You can use another ISP address (maybe the ISP DNS server) to cover also failures in the ISP cloud. I wouldn’t use the Google DNS because they might be monitoring who is pinging them and if they see continuous and repeated ICMP packets from your site they might consider it as an attack.

  66. Hans Kristian says

    Hello Harris
    I will definatly buy your book. Just curios if/when it will be updated to cover ASA 8.4 version?

    br

    hkl

  68. Blog Admin says

    Guys,

    The new Cisco ASA version 8.4 does not have any important differences from version 8.3. The most important change is that version 8.4 now supports Etherchannel which is basically a well known feature in routers where you can bundle together 2 or more network interfaces to increase interface speed and redundancy. This is the most notable change in version 8.4 compared to 8.3 and earlier. The most important changes in Cisco ASA were introduced in version 8.3 which is fully covered in the book.

  69. marco says

    Hi, I just purchased the book yesterday but I didn’t found a example that answers my question.

    Is it possible that the DMZ and Inside can communicate vice versa? coz on the example only the inside can communicate with DMZ, please advice.

  70. Blog Admin says

    Marco,

    If you see page 19 (Configuration Example 3) on the Bonus ebook (“Cisco ASA 5505 Configuration”) you will see an example with bidirectional communication between inside and DMZ servers.

    If you still have any questions please let me know.

    Harris

  71. marco says

    Hi Harris,

    I’m new to ASA 8.3 (5510), just want to ask, I used the outside port for VPN and it’s working fine but when I tried to use the outside interface for internet on inside it didn’t work. Can I use the outside interface to both?

  72. Blog Admin says

    marco,

    yes, you can use the outside interface to terminate VPN (either IPSEC VPN or SSL VPN) and also use it to provide internet access for your internal network. Study my books and you will find numerous examples there.

  73. marco says

    Hi Harris,

    I need your expertise advice, the following are what I have able to make it work with 5510 8.3
    1. Allowed RDP for both inside and DMZ
    2. Allowed VPN
    3. Allowed FTP and WWW server
    4. Allowed inside to communicate with DMZ

    however below are I can’t make it work.
    1. inside and DMZ internet access
    2. allow DMZ to communicate to inside
    3. During I’m connected to VPN, on my laptop my internet connection is no longer available.

    Below is my current configuration, I hope you can help me on this since I’m newbie with asa and besides the requirements is more complex (I guess).

    *******************************************
    interface Ethernet0/0
    duplex full
    nameif outside
    security-level 0
    ip address 111.111.111.111 255.255.255.0
    !
    interface Ethernet0/1
    duplex full
    nameif inside
    security-level 100
    ip address 172.16.0.1 255.255.255.0
    !
    interface Ethernet0/2
    duplex full
    nameif DMZ
    security-level 50
    ip address 192.168.10.1 255.255.255.0
    !
    ftp mode passive
    object network WEB-SERVER
    host 192.168.10.5
    object network DMZ-NET
    subnet 192.168.10.0 255.255.255.0
    object network inside-NET
    subnet 172.16.0.0 255.255.255.0
    object network VPN-SUBNET
    subnet 192.168.20.0 255.255.255.0
    object network DMZ-RDP
    subnet 192.168.10.0 255.255.255.0
    object network inside-RDP
    subnet 172.16.0.0 255.255.255.0
    object network DMZ-FTP
    host 192.168.10.3
    object network inside-FTP
    host 172.168.0.2
    object network DMZ_mapped_ip_pool
    range 192.168.10.100 192.168.10.254
    object network outside_pool
    range 111.111.111.112 111.111.111.114
    object network inside_to_DMZ
    subnet 172.16.0.0 255.255.255.0
    object network inside_to_outside
    subnet 172.16.0.0 255.255.255.0
    !
    object network DMZ_to_outside
    subnet 192.16.10.0 255.255.255.0
    access-list outside-in extended permit tcp any object WEB-SERVER eq www
    access-list outside-in extended permit tcp any object DMZ-FTP eq ftp
    access-list DMZ-in extended permit tcp 192.168.20.0 255.255.255.0 object DMZ-RDP eq 3389
    access-list DMZ-in extended permit ip 192.168.10.0 255.255.255.0 172.16.0.0 255.255.255.0
    access-list DMZ-in extended permit ip object inside_to_DMZ 192.168.10.0 255.255.255.0
    access-list DMZ-in extended permit ip object DMZ-NET 172.16.0.0 255.255.255.0
    access-list inside-in extended permit tcp object VPN-SUBNET object inside-RDP eq 3389
    access-list inside-in extended permit ip 172.16.0.0 255.255.255.0 192.168.10.0 255.255.255.0
    access-list extended extended permit ip 192.168.10.0 255.255.255.0 any
    !
    nat (DMZ,outside) source static DMZ-NET DMZ-NET destination static VPN-SUBNET VPN-SUBNET
    nat (inside,outside) source static inside-NET inside-NET destination static VPN-SUBNET VPN-SUBNET
    !
    object network WEB-SERVER
    nat (DMZ,outside) static 111.111.111.111 service tcp www www
    object network DMZ-FTP
    nat (DMZ,outside) static 111.111.111.114 service tcp ftp ftp
    object network inside-FTP
    nat (inside,outside) static 111.111.111.115 service tcp ftp ftp
    object network inside_to_DMZ
    nat (inside,DMZ) dynamic DMZ_mapped_ip_pool
    object network inside_to_outside
    nat (inside,outside) dynamic outside_pool
    object network DMZ_to_outside
    nat (DMZ,outside) dynamic outside_pool
    access-group outside-in in interface outside
    access-group inside-in in interface inside
    access-group DMZ-in in interface DMZ
    route outside 0.0.0.0 0.0.0.0 111.111.111.110 1

  74. marco says

    Hi Harris,

    I already resolve the problem/concern on item#1 and item#2. But for item#3 I suspect that I need to put the DNS IP on VPN attributes on dns option so that my laptop will still have internet when I’m connected on VPN. However if you have better solution please let me know.

    Your book is awesome, I’m glad that I brought it. 1 thing that I can only promise you is that I’ll recommend your book to my colleagues and on my previous colleagues and I won’t give a copy to them.

    Thank you

  76. marco says

    Hi Harris,

    Sorry to bother you again, can you please check if I done it right. We need to open SMTP server from both “DMZ” and “inside” which is port 25 to access on “outside”

    This is what Ive done.

    for DMZ SMTP Server
    object network SMTP-dmz
    Host 192.168.10.254
    nat (DMZ,outside) static 111.111.111.246 service tcp smtp smtp

    access-list outside-in extended permit tcp any object SMTP-dmz eq smtp

    for Inside SMTP Server
    object network SMTP-inside
    nat (inside,outside) static 111.111.211.245 service tcp smtp smtp

    access-list outside-in extended permit tcp any object SMTP-inside eq smtp

    I hope you can share some advice.

    thank you in advance

  77. Blog Admin says

    marco,

    For the Inside SMTP server, you don’t have a host statement under the “object network SMTP-inside” like you do for the DMZ server. Other than that, the rest is correct.

  78. star says

    Hi your book and your product is amazing ! I want to ask question 5505 – 5540 difference ? And can asa-5505 support srst i mean i want to connect ip phone from my central office to my branch office using not softphone it mean want to use real ipphone please tell me is it possible ?

  79. Blog Admin says

    Thanks for your nice comments. Well, regarding the differences between 5505 and 5540, the first one (5505) is suitable for SOHO networks while the 5540 is suitable for medium to large networks. Their firewall software features though are the same. The 5505 can not be used as SRST device. However, you can connect an IP phone on one of its “power over ethernet” ports and have the ASA assign DHCP option 150 to the IP phone. In the option 150 you basically assign the IP address of the remote (central office) callmanager express system in order for the phone to register.

  82. Eduardo De Freitas says

    you say the 2nd edition covers the new 8.3 OS but does it keep the old examples too?

    Thanks in advance for your comments!

  83. Blog Admin says

    Eduardo,
    Yes, the 2nd edition covers version 8.3 and later together with the old examples. Basically on the same examples and configuration tutorials I include the commands for pre 8.3 and post 8.3 versions of Cisco ASA.

  84. Indrit says

    Hi Harris!

    The fist thing that i would say is to give a big thanks for the book that you have published

    Look im workin with an apliance asa 5510 and i what to allow in the firewall the vpn port and web port 80.

    can you help me hot to do that? thank you man and excuse me for my english but i’m not from england . thanks again

  85. Blog Admin says

    Indrit,

    I’m glad you liked my book. Please give me some more details for what you want to achieve. Do you have an internal web server? Are you going to terminate vpn from outside to an internal server? What kind of vpn do you want to allow (IPSEC vpn, ssl vpn?). What is the exact scenario?

  86. shajan daniel says

    Hi how can i purhase this book and whats the cost of this??? is it software ver 8.3 or not. please give me a reply

  87. Blog Admin says

    Hi Shajan,

    You can purchase Cisco ASA Firewall Fundamentals – 2nd Edition from the LINK HERE . It costs $29.95 and you will get also a Free ebook which is focused on Cisco ASA 5505. Both books cover all versions prior and after 8.3 software.

  88. Oscar Cid says

    Mr. Harris Andrea,
    I wrote you one time and you replied back, it was about a command in Class-Maps and you informed me that it was introduced in version 7.4, awesome!. I was very impressed, thank you.
    Just wanted to let you know, that the book, Cisco-ASA-Firewall-Fundamentals took me to the next level configuring and troubleshooting Cisco ASA 5510 firewalls.
    Perhaps let us know about your next book and include configurations for QoS on the firewall, since some VoIP providers are found now on the internet.
    Thank you again, regards
    Oscar

  89. Blog Admin says

    Hi Oscar,

    I’m really glad that my book has helped you to enhance your knowledge on Cisco ASA firewall devices. I will be updating the book if major changes will be implemented by Cisco accordingly.

    Thanks

    Harris

  90. Edwin says

    I just wanted to say I bought your book a few months ago and it still does me justice today. I wanted to practice a lot of the scenarios in your book at home but 5505 with a security plus license is a little steep. Can I practice your same scenarios using an unrestricted Pix 525. If so, what wouldn’t I be able to practice on it vs the 5505. Also, would I be able to use anyconnect with the Pix 525’s.

  91. Blog Admin says

    Edwin,

    You can use a PIX 525 but you need to install software version 7.x and higher. Also, you might need memory upgrade in order to support 8.x version. You can practice the same scenarios with the PIX 525 with no problems.

  92. Edwin says

    So as long as I’m using version 7.x the commands should be the same between the Pix 525 and ASA 5505.

  93. Blog Admin says

    Yes, they should be the same. The only difference ofcourse will be the interface related commands, since ASA5505 works with vlans in contrast to all other ASA and PIX models which use physical layer3 interfaces

  96. Capt Alex Raiche-Marsden says

    Good day Sir,

    I wanted to let you know I was dead wrong that your book would not be helpful as it was CLI focussed. I would like to provide some feedback in that after reading all the cisco guides and examples(noise) and after posting on numerous forums I am now reading and using your book. It has solidified all the tidbits of knowledge amongst the most confusing array of information out there. In addition, help on cisco forums and others has been either non-existant or not useful.
    Suffice to say I am now comfortable with the ASDM, reading run-configs and typing in CLI commands (typically both up at same time). I find your book clear and to the point for the basic user like me. I will note that I have had to unlearn some previous concepts (doing ACL prior to NAT on inbound was foreign) and had to be careful as cisco devices, firmwares etc are not all equal. In fact, I find it quite horrible that CISCO makes major changes to how data is handled. Glad that your book is paving a clear path.

    Cheers
    Alex

  97. Thomas says

    Hi Harris,

    I wanted to buy a copy of Cisco ASA Firewall Fundamentals – 2nd Edition and wondered if you have hard copies for sell.

    Much Thanks,
    Thomas

  98. Blog Admin says

    Thomas,

    Thank you for your interest for my ebook. Unfortunately the book comes only in electronic format (PDF) (there is no hard copy available). You will be able to download the book immediately after payment.

    Regards

    Harris

  100. Blog Admin says

    Hi Beit,

    I’m glad you liked my book. It is very satisfying for me to hear people that they’ve found my book helpful.

    Unfortunately I don’t have books for MPLS and BGP. Maybe you can take a look at Cisco Press for such books.

    Best Regards

    Harris

  101. Ali says

    Love the book, I always keep it on my computer as well as the printed version next to me and it has helped me learn and understand Cisco Firewalls so much better.

  104. shajan daniel says

    I want to purchase this book , can i create any username or password for that. please guide me how can i purchase this and how i can recive this

  105. Blog Admin says

    Hi Shajan,

    Thank you for your interest in my ebook. You can purchase the books here: https://www.networkstraining.com/ciscoasaebook.php . Go to the middle of the page on the section where it says “How do I pay and get the ebooks”. There are two options: Paying with a credit card or through paypal. After payment you will receive an automatic email with a download link to get the ebooks immediately.

    Regards

    Harris

  106. White Rabbit says

    This book is the Bomb i am Cisco Certifed in all four Catagories (CCNA R&S – Security – Wireless and Voice )My goal is to be CCNP with focus on Security , but before your book my experience with the ASA’s was about to make me bonkers . . . thank you so much. This book has to be one of the easiest learning experiences i’ve ever had. You now hold spot number 2 in my book of cisco instructors i wanna be like (Jeremy Cioara of CBT Nuggets is No. 1 )

  107. Blog Admin says

    White Rabbit,

    I really appreciate your feedback and comments about my Cisco ASA book. I’m always excited to hear from fellow professionals that my book has provided value to them. Regarding the ranking you’ve put me on your scale, I don’t think I deserve such a high spot. In any case I really appreciate it :)

    Thanks a lot

    Harris

  108. sha says

    Hello Harris

    i am looking for ASA version 8.3 onwards. i have old book version upto 8.2 so now i need new book. is it available or not, if available how i can purchase that, give me the link to “how to purchase”

    regards

    Sha

  110. Jib Jab says

    Instead of ranting here why don’t you start consulting if you know so much and have so much talent. You will make top dollar if you really have practical real world knowledge but I guess you don’t

  111. Blog Admin says

    Hi Jib Jab,

    Regarding your comment, I have a full time job which I like. Unfortunately I live in a small country where there are not a lot of opportunities for consultancy work (small market), so I will stick with my current job (in an ISP company). Well, whether I have practical experience or not, you can try me if you want. Come on, ask me some questions :)

  112. Maniram Sahu says

    Dear Harris,
    The Cisco ASA Firewall Fundamentals book is simply incredible.I was afraid of reading the Entire Cisco ASA firewall book as its too time taking to finish . But ur book has made my work easy .U did a splendid job in ur book. I would like to call it a short a precise book for quick and better understanding. The way u wrote the books shows that you are really a Master of ASA Technology. I hope in future u shall write books for CCIE level also, it will be a great fun to read the books written by you. Thanks from the Bottom of my Heart. I will be waiting for your CCIE Level books.

    Kind Regards,

    Mani

  113. Blog Admin says

    Mani,

    It gives me great pleasure to hear comments like yours. Knowing that my book has helped professionals to learn the Cisco ASA is very satisfying for me because I have spent great effort to write the book. Thanks from the bottom of my heart too :)

    Harris

  114. Oscar Cid says

    Harris,
    Good day ! The Cisco VPN configuration guide is awesome !
    I am taking the CCNA security soon and looking to complete the CCNP security as well, quick question, I can’t come across the commands to secure boot-image or secure boot-config on an ASA, I know they are supported in a router but they don’t work for me on my lab simulator for ASA 5520 version 8.4 (2). Thank you as always, regards Oscar

  116. Joe says

    Hi Harris,

    VPN is not that really hard to understand unless somebody will make you understand the concept in a simple and practical way. Your books are really amazing specially the Cisco VPN configuration Guide! I read a lot of VPN books, but yours is the best book I’ve ever read. It’s so practical and easy to understand. Keep up the good work!

    Joe

  117. Blog Admin says

    Joe,

    I really appreciate your great feedback. I’m very happy that you liked my books. As a practical guy, I try to pass this skill into my books as well.

    Have a great day.

    Harris

  118. shailesh says

    Hello, Can you please let me know what the differences between version 2 and version 3 are? I have already purchased version 2 but am curious to see what the new version entails.

    Thanks
    Shailesh

  119. Harris Andrea says

    Hi shailesh,

    Thanks for your interest for my new ASA 3rd edition book. You can find more details about the new book (including description of new topics added from version 2 to version 3) here:

    The new edition also covers the new ASA version 9.x and above (and also 8.x)

    Thanks

    Harris

  120. MOHAMMED ALI says

    HELLO Mr.Harris

    really is helpful book , easy to read , easy to understand , also easy for people not speak English very well , because they are many graphs and examples .

    please keep going .

    THANKS ,

    MOHAMMED ALI

  122. Oscar Cerdas says

    I Bought your Books and they are Awesome!!!!

    Thank’s for your time to write them.

    Oscar C.

  124. Ed says

    Nice books. However, all three books share incomplete configurations. Even the book “COMPLETE CONFIGURATION EXAMPLES WITH CISCO ASA FIREWALLS” has the statement ![other commands omitted]….
    For a beginner, like myself, it would have been helpful if you would have identified that set of commands once or twice so that I didn’t spend time second guessing the “complete” configuration when it didn’t work the first time.

  125. Harris Andrea says

    Hi Ed,

    The “commands omitted” are those that are not necessary to change. The ASA has some default commands that are just there and you don’t need to change them.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

About Networks Training

We Provide Technical Tutorials and Configuration Examples about TCP/IP Networks with focus on Cisco Products and Technologies. This blog entails my own thoughts and ideas, which may not represent the thoughts of Cisco Systems Inc. This blog is NOT affiliated or endorsed by Cisco Systems Inc. All product names, logos and artwork are copyrights/trademarks of their respective owners.

Amazon Disclosure

As an Amazon Associate I earn from qualifying purchases.
Amazon and the Amazon logo are trademarks of Amazon.com, Inc. or its affiliates.

BLOGROLL

Tech21Century
Firewall.cx