Cisco ASA: All-in-One Firewall, IPS, and VPN Adaptive Security Appliance
By Jazib Frahim - CCIE No. 5459, Omar Santos
Publisher: Cisco Press
Pub Date: October 21, 2005
ISBN: 1-58705-209-1
Pages: 840

The definitive insider's guide to planning, installing, configuring, and maintaining the new Cisco Adaptive Security Appliance

  Delivers expert guidance from Cisco TAC engineers for securing small and medium business networks with the newly released Cisco all-in-one network security solution
  Covers the latest PIX Version 7 OS
  Incorporates detailed configuration examples with screenshots and command-line references
  Covers unified firewall, IPS, and VPN management

Achieving maximum network security has been a challenge for many organizations, especially those that cannot afford to purchase, master, and maintain a separate security device such as a PIX or IPS system for each and every security need. To better meet the needs of these customers, Cisco Systems recently launched an all-in-one security solution called ASA that aims to offer a more affordable and simplified security solution.

Cisco ASA: All-in-One Firewall, IPS, and VPN Adaptive Security Appliance introduces this new suite of converged security appliances and provides a complete configuration and troubleshooting guide from the Technical Assistance Center (TAC) experts at Cisco Systems. This book brings together expert guidance for virtually every challenge the reader will face, from building basic network security policies to advanced VPN and IPS implementations.

This book has five parts, which contain three technology-based sections: Firewall, IPS, and VPN. Each section comprises many sample configurations, accompanied by in-depth analysis of design scenarios. Learning is further enhanced by discussing a set of debugs included in each section. Ground-breaking features like WebVPN, virtual and Layer-2 firewalls are discussed extensively.

Table of Contents

Copyright
About the Authors
About the Technical Reviewers
Acknowledgments
Foreword
Icons Used in This Book
Command Syntax Conventions
Introduction
  Who Should Read This Book
  How This Book Is Organized

Part I: Product Overview
  Chapter 1 Introduction to Network Security
    Firewall Technologies
    Intrusion Detection and Prevention Technologies
    Network-Based Attacks
    Virtual Private Networks
    Summary
  Chapter 2 Product History
    Cisco Firewall Products
    Cisco IDS Products
    Cisco VPN Products
    Cisco ASA All-in-One Solution
    Summary
  Chapter 3 Hardware Overview
    Cisco ASA 5510 Model
    Cisco ASA 5520 Model
    Cisco ASA 5540 Model
    AIP-SSM Modules
    Summary

Part II: Firewall Solution
  Chapter 4 Initial Setup and System Maintenance
    Accessing the Cisco ASA Appliances
    Managing Licenses
    Initial Setup
    IP Version 6
    Setting Up the System Clock
    Configuration Management
    Remote System Management
    System Maintenance
    System Monitoring
    Summary
  Chapter 5 Network Access Control
    Packet Filtering
    Advanced ACL Features
    Content and URL Filtering
    Deployment Scenarios Using ACLs
    Monitoring Network Access Control
    Understanding Address Translation
    DNS Doctoring
    Monitoring Address Translations
    Summary
  Chapter 6 IP Routing
    Configuring Static Routes
    RIP
    OSPF
    IP Multicast
    Deployment Scenarios
    Summary
  Chapter 7 Authentication, Authorization, and Accounting (AAA)
    AAA Protocols and Services Supported by Cisco ASA
    Defining an Authentication Server
    Configuring Authentication of Administrative Sessions
    Authenticating Firewall Sessions (Cut-Through Proxy Feature)
    Configuring Authorization
    Configuring Accounting
    Deployment Scenarios
    Troubleshooting AAA
    Summary
  Chapter 8 Application Inspection
    Enabling Application Inspection
    Using the Modular Policy Framework
    Selective Inspection
    Computer Telephony Interface Quick Buffer Encoding Inspection
    Domain Name System
    Extended Simple Mail Transfer Protocol
    File Transfer Protocol
    General Packet Radio Service Tunneling Protocol
    H.323
    HTTP
    ICMP
    ILS
    MGCP
    NetBIOS
    PPTP
    Sun RPC
    RSH
    RTSP
    SIP
    Skinny
    SNMP
    SQL*Net
    TFTP
    XDMCP
    Deployment Scenarios
    Summary
  Chapter 9 Security Contexts
    Architectural Overview
    Configuration of Security Contexts
    Deployment Scenarios
    Monitoring and Troubleshooting the Security Contexts
    Summary
  Chapter 10 Transparent Firewalls
    Architectural Overview
    Transparent Firewalls and VPNs
    Configuration of Transparent Firewall
    Deployment Scenarios
    Monitoring and Troubleshooting the Transparent Firewall
    Summary
  Chapter 11 Failover and Redundancy
    Architectural Overview
    Failover Configuration
    Deployment Scenarios
    Monitoring and Troubleshooting Failovers
    Summary
  Chapter 12 Quality of Service
    Architectural Overview
    Configuring Quality of Service
    QoS Deployment Scenarios
    Monitoring QoS
    Summary

Part III: Intrusion Prevention System (IPS) Solution
  Chapter 13 Intrusion Prevention System Integration
    Adaptive Inspection Prevention Security Services Module Overview (AIP-SSM)
    Directing Traffic to the AIP-SSM
    AIP-SSM Module Software Recovery
    Additional IPS Features
    Summary
  Chapter 14 Configuring and Troubleshooting Cisco IPS Software via CLI
    Cisco IPS Software Architecture
    Introduction to the CIPS 5.x Command-Line Interface
    User Administration
    AIP-SSM Maintenance
    Advanced Features and Configuration
    Summary

Part IV: Virtual Private Network (VPN) Solution
  Chapter 15 Site-to-Site IPSec VPNs
    Preconfiguration Checklist
    Configuration Steps
    Advanced Features
    Optional Commands
    Deployment Scenarios
    Monitoring and Troubleshooting Site-to-Site IPSec VPNs
    Summary
  Chapter 16 Remote Access VPN
    Cisco IPSec Remote Access VPN Solution
    Advanced Cisco IPSec VPN Features
    Deployment Scenarios of Cisco IPSec VPN
    Monitoring and Troubleshooting Cisco Remote Access VPN
    Cisco WebVPN Solution
    Advanced WebVPN Features
    Deployment Scenarios of WebVPN
    Monitoring and Troubleshooting WebVPN
    Summary
  Chapter 17 Public Key Infrastructure (PKI)
    Introduction to PKI
    Enrolling the Cisco ASA to a CA Using SCEP
    Manual (Cut-and-Paste) Enrollment
    Configuring CRL Options
    Configuring IPSec Site-to-Site Tunnels Using Certificates
    Configuring the Cisco ASA to Accept Remote-Access VPN Clients Using Certificates
    Troubleshooting PKI
    Summary

Part V: Adaptive Security Device Manager
  Chapter 18 Introduction to ASDM
    Setting Up ASDM
    Initial Setup
    Functional Screens
    Interface Management
    System Clock
    Configuration Management
    Remote System Management
    System Maintenance
    System Monitoring
    Summary
  Chapter 19 Firewall Management Using ASDM
    Access Control Lists
    Address Translation
    Routing Protocols
    AAA
    Application Inspection
    Security Contexts
    Transparent Firewalls
    Failover
    QoS
    Summary
  Chapter 20 IPS Management Using ASDM
    Accessing the IPS Device Management Console from ASDM
    Configuring Basic AIP-SSM Settings
    Advanced IPS Configuration and Monitoring Using ASDM
    Summary
  Chapter 21 VPN Management Using ASDM
    Site-to-Site VPN Setup Using Preshared Keys
    Site-to-Site VPN Setup Using PKI
    Cisco Remote-Access IPSec VPN Setup
    WebVPN
    VPN Monitoring
    Summary
  Chapter 22 Case Studies
    Case Study 1: Deploying the Cisco ASA at Branch Offices and Small Businesses
    Case Study 2: Large Enterprise Firewall, VPN, and IPS Deployment
    Case Study 3: Data Center Security with Cisco ASA
    Summary

Index

Copyright

Cisco ASA: All-in-One Firewall, IPS, and VPN Adaptive Security Appliance
Jazib Frahim, Omar Santos
Copyright © 2006 Cisco Systems, Inc.

Published by:
Cisco Press
800 East 96th Street
Indianapolis, IN 46240 USA

All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in a review.

Printed in the United States of America 1 2 3 4 5 6 7 8 9 0

First Printing October 2005

Library of Congress Cataloging-in-Publication Number: 2004108505

Trademark Acknowledgments

All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Cisco Press or Cisco Systems, Inc., cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.

Warning and Disclaimer

This book is designed to provide information about Cisco ASA. Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied. The information is provided on an "as is" basis. The authors, Cisco Press, and Cisco Systems, Inc., shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the discs or programs that may accompany it. The opinions expressed in this book belong to the author and are not necessarily those of Cisco Systems, Inc.

Corporate and Government Sales

Cisco Press offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales. For more information please contact: U.S. Corporate and Government Sales, 1-800-382-3419, corpsales@pearsontechgroup.com. For sales outside the U.S. please contact: International Sales, international@pearsoned.com.

Feedback Information

At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members from the professional technical community. Readers' feedback is a natural continuation of this process. If you have any comments regarding how we could improve the quality of this book, or otherwise alter it to better suit your needs, you can contact us through e-mail at feedback@ciscopress.com. Please make sure to include the book title and ISBN in your message. We greatly appreciate your assistance.

Publisher: John Wait
Editor-in-Chief: John Kane
Executive/Acquisitions Editor: Brett Bartow
Cisco Representative: Anthony Wolfenden
Cisco Press Program Manager: Jeff Bradley
Production Manager: Patrick Kanouse
Development Editor: Sheri Cain
Project Editor: Marc Fowler
Copy Editor: Bill McManus
Technical Editors: David White, Jr., Andrew Yourtchenko, and Wen Zhang
Team Coordinator: Tammi Barnett
Cover Designer: Louisa Adair

Index

S

... system execution space
      configuring
      troubleshooting
selecting traffic for application inspection
SensorApp
serial console connections, authenticating
server delimiters
server reactivation policies, AAA
service account (AIP-SSM)
service packs, applying to CIPS 5.x
service-based object groups
session hijacking
set command
setup command
setup process
    assigning device name
    DHCP services, configuring
    interface configuration
    management interfaces, configuring
    parameters
    subinterface configuration
severity levels of events
show aaa-server command
show aaa-server protocol command
show access-list command
show capture command
show clock command
show configuration command
show conn command
show events command
show failover command
show firewall command
show local-host command
show logging command
show module command
show ntp status command
show ospf command
show ospf interface command
show route command
show running-config aaa-server command
show running-config command
show service-policy command
show shun command
show snmp-server statistics command
show ssh sessions command
show startup-config command
show statistics command
show uauth command
show url-server statistics command
show version command
shun command
shunning
signatures
    customizing
    disabling
    updates, applying to CIPS 5.x
single mode Active/Standby failover
single-mode transparent firewalls
    packet flow
SIP inspection
site-to-site IPSec VPNs
    advanced Cisco ASA features
        NAT-T
        OSPF updates over IPSec
        RRI
        tunnel default gateway
    connection type, specifying
    crypto maps, applying to interface
    crypto maps, configuring
    fully-meshed topology with RRI
    interesting traffic, defining
    ISAKMP
        attributes
        enabling
        keepalives
        policies, creating
        preshared keys, configuring
    mismatched preshared keys, troubleshooting
    monitoring
    NAT, bypassing
    PFS
    preconfiguration checklist
    QoS
    SA lifetimes
    single tunnel configuration using NAT-T
    traffic filtering
    troubleshooting
    tunnel type, setting
    unacceptable ISAKMP proposals, troubleshooting
    using PKI, configuring on ASDM
    using preshared keys, configuring on ASDM
Skinny inspection
small business deployment, case study
SMTF (single-mode transparent firewalls), deploying
smurf attacks
SNMP (Simple Network Management Protocol)
    application inspection
software
    ASDM image file, uploading
    failover requirements
    recovery parameters, configuring on AIP-SSM
software-based VPN clients, configuring
source routing
sparse mode (PIM)
specifying
    AAA server groups
    connection type on site-to-site VPNs
    RPs for multicast routing
split tunneling
spoofing
SQL*Net inspection
SSH (Secure Shell)
    ASDM, remote management
    connections, authenticating
SSL, ASDM remote management
standard ACLs
standby unit
    failover MAC address, specifying
    role during Active/Standby failover
startup configuration
Startup Wizard (ASDM)
state table
stateful failover
    replicated traffic
    statistics, displaying
stateful inspection firewalls
stateful pattern matching
static address translation
static multicast routes, configuring
static NAT
    configuring
    outside entries, configuring
static PAT, configuring
static routes
    configuring
    redistribution
statically assigning multicast groups
stealth firewalls [See transparent firewalls]
strict-http command
stub areas
    OSPF configuration
sub-configuration mode (CLI)
subinterface configuration
subinterfaces, creating on ASDM
supported AAA protocols
    Active Directory
    Kerberos
    LDAP
    Microsoft Windows NT
    RADIUS
    RSA SecurID
    TACACS+
synchronization of NTP server and system clock, verifying
syntax, clock set command
syslog
    enabling on ASDM
    parameters
    server logging
system clock
    ASDM configuration
    automatic adjustment
    DST, setting
    manual adjustment
    time zone, configuring
system execution space
    security context configuration
system images
    recovering with ROMMON
    upgrading via Cisco ASA CLI
system logging
    event logging
        ASDM logging
        buffered logging
        console logging
        e-mail logging
        enabling
        syslog server logging
        terminal logging
    SNMP
    configuring on ASDM
system monitoring
system time [See system clock]

T

TACACS+ (Terminal Access Controller Access Control System)
    accounting
    administrative connections, troubleshooting
    deploying for administrative sessions
TCP (Transmission Control Protocol)
    3-way handshakes, embryonic connections
    custom signatures, creating
    SYN flood attacks
TCP interception
Telnet
    ASDM, remote management
    authentication
    user access mode password, changing
telnet command
Telnet connections
terminal logging
terminals
terminating Cisco VPN client IPSec connections using certificates
testing interface failover detection
TFTP inspection
three-way handshake
time and date mismatches on PKI, troubleshooting
time zone, configuring
time-based ACLs
    absolute time restrictions
    configuring
    periodic time restrictions
timed mode, AAA server reactivation
timeout uauth command
timing-related failover issues, troubleshooting
TLS trusted host, adding to AIP-SSM
TOS (Type Of Service) bits
traffic
    prioritization
    selecting for application inspection
traffic classes, creating
traffic policing
TransactionSource
transfer-encoding type command
transform sets
    troubleshooting on IPSec site-to-site VPNs
transmission ring
transparent firewalls
    and VPNs
    ARP inspection, configuring
    comparing with routed firewalls
    configuring
    deploying
    interface ACLs, configuring
    IP address, configuring
    L2F table parameters, configuring
    MMTF
        packet flow
        with security contexts, deploying
    monitoring
    single-mode packet flow
    SMTF, deploying
    troubleshooting
transparent tunneling
transport mode (IPSec)
troubleshooting
    administrative connections
    Cisco remote-access IPSec VPNs
    failover timing issues
    IP multicast
    OSPF
        adjacencies
        mismatched areas
        mismatched authentication
        virtual links
    PKI
        retrieval problems
        SCEP enrollment issues
        time and date mismatches
    RIP
        authentication mismatches
        blocked multicast/broadcast packets
        version mismatches
    security contexts
    site-to-site VPNs
    transparent firewalls
    WebVPN
trusted hosts, adding to AIP-SSM
trustpoints, configuring
tunnel default gateway
tunnel mode (IPSec)
type 3 LSA filtering

U

upgrading images via Cisco ASA CLI
uploading ASDM image file
URL filtering
    configuring
    external filtering servers
    filtering servers, configuring
    long URL support, configuring
    Websense servers, case study
URL mangling
url-server command
user accounts (AIP-SSM)
    adding/deleting
    administrator account
    operator account
    passwords, changing
    service account
    viewer account
user group-policy
user mode (CLI)
user policies, configuring
username attributes command
username delimiters
UTC (Universal Time, Coordinated)

V

vendors of CAs
verifying
    NTP server synchronization with system clock
    operation of primary Cisco ASA failover
    RIP configuration
viewer account (AIP-SSM)
viewing
    AAA server running configuration
    ASA connections
    module statistics
Virtual Alarm
virtual firewalls [See also security contexts]
    multimode topology with shared interface, deploying
virtual links
    configuring
    troubleshooting
VoIP (Voice over IP), deploying QoS
VPNs
    and transparent firewalls
    Cisco IPSec remote-access VPN solution
        advanced features
        bypass NAT
        Cisco Easy VPN Client, configuring
        configuring
        connection termination with certificates, configuring
        dynamic crypto maps, configuring
        hairpinning with Easy VPN and firewalling
        IP addresses, assigning
        IPSec policy, defining
        ISAKMP policy, creating
        ISAKMP preshared keys, configuring
        ISAKMP, enabling
        load balancing and site-to-site integration
        remote-access attributes, configuring
        split tunneling
        traffic filtering, configuring
        tunnel default gateway
        tunnel type, defining
        user authentication, configuring
    Cisco WebVPN
        advanced features
        configuring
        deployment scenarios
        monitoring
        troubleshooting
        versus Cisco VPN client solution
        with e-mail proxy deployment scenario
        with external authentication deployment scenario
    IPSec
        AH
        ESP
        IKE
        transport mode
        tunnel mode
    load balancing
    monitoring on ASDM
    QoS
    site-to-site
        advanced Cisco ASA features
        configuring with certificates
        connection type, specifying
        crypto maps, applying to interface
        crypto maps, configuring
        fully-meshed topology with RRI
        ISAKMP attributes
        ISAKMP keepalives
        ISAKMP policy, creating
        ISAKMP preshared keys, configuring
        ISAKMP, enabling
        mismatched preshared keys, troubleshooting
        monitoring
        NAT, bypassing
        PFS
        preconfiguration checklist
        SA lifetimes
        single tunnel configuration using NAT-T
        traffic filtering
        troubleshooting
        tunnel type, setting
        unacceptable ISAKMP proposals, troubleshooting
        using PKI, configuring on ASDM
        using preshared keys, configuring on ASDM
    tunnel groups, packet classification

W

Websense servers
    content filtering
WebVPN
    ACLs
    advanced features
        ACLs
        e-mail proxy
        port forwarding
        URL mangling
        Windows file sharing
    configuring
    data capture tool
    deployment scenarios
    group attributes, configuring
    monitoring
    troubleshooting
    user authentication, configuring
    versus Cisco VPN client solution
    with e-mail proxy deployment scenario
    with external authentication deployment scenario
    Windows file sharing
Windows operating system, ASDM support
Wizards
write memory command

X

X.509 certificates
XDMCP (X Display Manager Control Protocol) inspection

Z

zero-downtime software upgrades
    performing

About the Technical Reviewers

... He became a CCIE in Routing and Switching in 1999 and in Security in 2002. Wen Zhang, CCIE No. 4302, is a senior engineer in the Cisco TAC Escalation Team, with a focus in network security and VPN technologies.