Cisco® ASA Configuration

ABOUT THE AUTHOR

For over ten years, Richard Deal has operated his own company, The Deal Group Inc., in Oviedo, Florida, east of Orlando. Richard has over 20 years of experience in the computing and networking industry, including networking, training, systems administration, and programming. In addition to a BS in Mathematics from Grove City College, he holds many certifications from Cisco and has taught many beginning and advanced Cisco classes. This book replaces Richard's Cisco PIX Firewalls (2002), an in-depth book on Cisco's PIX firewalls and their implementation, published by McGraw-Hill Professional. Richard has also written two revisions for the CCNA certification for McGraw-Hill, CCNA Cisco Certified Network Associate Study Guide (2008), and will be finishing his book for the CCNA Security certification in mid-2009: CCNA Cisco Certified Network Associate Security Study Guide. Richard is also the author of two books with Cisco Press: The Complete Cisco VPN Configuration Guide (2005) and Cisco Router Firewall Security (2004), named a Cisco CCIE Security recommended reading. In all, Richard has more than ten books under his belt. Richard also periodically holds boot-camp classes on the CCNA and CCSP, which provide hands-on configuration of Cisco routers, switches, and security devices.

ABOUT THE TECHNICAL EDITOR

Ryan Lindfield has worked in IT since 1996 and is currently teaching Cisco certification courses at Boson Training and consulting for Westchase Technologies. Ryan holds several certifications including CCSP, CISSP, CEH, GCFA, CCSI, and MCSE and enjoys vulnerability research and exploring the latest trends in security technologies. He lives in Tampa, Florida, with his wife, Desiree, and his dog, Logan.

Cisco® ASA Configuration
RICHARD A. DEAL
New York, Chicago, San Francisco, Lisbon, London, Madrid, Mexico City, Milan, New Delhi, San Juan, Seoul, Singapore, Sydney, Toronto

Copyright © 2009 by The McGraw-Hill Companies. All rights reserved. Except as permitted under the United States Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher.

ISBN: 978-0-07-162268-4
MHID: 0-07-162268-3

The material in this eBook also appears in the print version of this title: ISBN: 978-0-07-162269-1, MHID: 0-07-162269-1.

All trademarks are trademarks of their respective owners. Rather than put a trademark symbol after every occurrence of a trademarked name, we use names in an editorial fashion only, and to the benefit of the trademark owner, with no intention of infringement of the trademark. Where such designations appear in this book, they have been printed with initial caps.

McGraw-Hill eBooks are available at special quantity discounts to use as premiums and sales promotions, or for use in corporate training programs. To contact a representative please e-mail us at bulksales@mcgraw-hill.com.

Information has been obtained by McGraw-Hill from sources believed to be reliable. However, because of the possibility of human or mechanical error by our sources, McGraw-Hill, or others, McGraw-Hill does not guarantee the accuracy, adequacy, or completeness of any information and is not responsible for any errors or omissions or the results obtained from the use of such information.

TERMS OF USE

This is a copyrighted work and The McGraw-Hill Companies, Inc. ("McGraw-Hill") and its licensors reserve all rights in and to the work. Use of this work is subject to these terms. Except as permitted under the Copyright Act of 1976 and the right to store and retrieve one copy of the work, you may not decompile, disassemble, reverse engineer, reproduce, modify, create derivative works based upon, transmit, distribute, disseminate, sell, publish or sublicense the work or any part of it without McGraw-Hill's prior consent.
You may use the work for your own noncommercial and personal use; any other use of the work is strictly prohibited. Your right to use the work may be terminated if you fail to comply with these terms.

THE WORK IS PROVIDED "AS IS." McGRAW-HILL AND ITS LICENSORS MAKE NO GUARANTEES OR WARRANTIES AS TO THE ACCURACY, ADEQUACY OR COMPLETENESS OF OR RESULTS TO BE OBTAINED FROM USING THE WORK, INCLUDING ANY INFORMATION THAT CAN BE ACCESSED THROUGH THE WORK VIA HYPERLINK OR OTHERWISE, AND EXPRESSLY DISCLAIM ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. McGraw-Hill and its licensors do not warrant or guarantee that the functions contained in the work will meet your requirements or that its operation will be uninterrupted or error free. Neither McGraw-Hill nor its licensors shall be liable to you or anyone else for any inaccuracy, error or omission, regardless of cause, in the work or for any damages resulting therefrom. McGraw-Hill has no responsibility for the content of any information accessed through the work. Under no circumstances shall McGraw-Hill and/or its licensors be liable for any indirect, incidental, special, punitive, consequential or similar damages that result from the use of or inability to use the work, even if any of them has been advised of the possibility of such damages. This limitation of liability shall apply to any claim or cause whatsoever whether such claim or cause arises in contract, tort or otherwise.

I dedicate this book to my two daughters, the loves of my life: Alina and Nika. May life bring you love, health, and happiness.

AT A GLANCE

Part I  Introduction to ASA Security Appliances and Basic Configuration Tasks
▼ 1  ASA Product Family  (3)
▼ 2  CLI Basics  (33)
▼ 3  Basic ASA Configuration  (45)
▼ 4  Routing and Multicasting  (75)

Part II  Controlling Traffic Through the ASA
▼ 5  Address Translation  (105)
▼ 6  Access Control  (151)
▼ 7  Web Content  (189)
▼ 8  CTP  (207)
▼ 9  IPv6  (233)

Part III  Policy Implementation
▼ 10  Modular Policy Framework  (247)
▼ 11  Protocols and Policies  (277)
▼ 12  Data Applications and Policies  (295)
▼ 13  Voice and Policies  (327)
▼ 14  Multimedia and Policies  (347)

Part IV  Virtual Private Networks (VPNs)
▼ 15  IPSec Phase 1  (371)
▼ 16  IPSec Site-to-Site  (395)
▼ 17  IPSec Remote Access Server  (409)
▼ 18  IPSec Remote Access Client  (441)
▼ 19  SSL VPNs: Clientless  (451)
▼ 20  SSL VPNs: AnyConnect Client  (487)

Part V  Advanced Features of the ASA
▼ 21  Transparent Firewall  (509)
▼ 22  Contexts  (523)
▼ 23  Failover  (541)
▼ 24  Network Attack Prevention  (577)
▼ 25  SSM Cards  (597)

Part VI  Management of the ASA
▼ 26  Basic Management from the CLI  (619)
▼ 27  ASDM  (647)
▼ Index  (703)

CONTENTS

Foreword  (xxiii)
Preface  (xxv)
Acknowledgments  (xxvii)
Introduction  (xxix)

Part I  Introduction to ASA Security Appliances and Basic Configuration Tasks
▼ 1  ASA Product Family  (3)
    ASA Features  (4)
        Operating System  (5)
        Security Algorithm  (7)
        Redundancy  (15)
        Advanced Features of the Operating System  (18)
    ASA Hardware  (23)
        ASA Models  (23)
        Hardware Modules  (28)
        Licensing  (30)
[...]

FOREWORD AND INTRODUCTION (surviving excerpts)

... Richard has been recognized as an expert on the Cisco firewall for many years, and this book is an excellent follow-up to his Cisco PIX Firewalls book from 2002. This book does a great job of walking you step-by-step through the technologies and configuration behind the ASA 5500. Cisco ASA Configuration is an excellent resource for both the novice and seasoned Cisco PIX ...

... of Internet services
■ To familiarize you with ASA and PIX security appliances. You are likely to run into them in your job because Cisco is the market share leader in enterprise networking solutions.
■ To fill the need for a really good, focused book on Cisco's security appliance products.
▲ To make you more aware of the product technology and intelligence Cisco brings to the security arena, because I ...

... who are using ASAs (and PIXs) to secure their internal networks. This book can easily be read by not only network administrators, engineers, and technicians, but also by networking salespersons and managers. The objective of this book is to provide you with an understanding of the functions of a firewall; an overview of Cisco's ASA security appliance family; the features available on the ASAs, including ...

... critical components in your infrastructure is the firewall. Possessing a solid understanding of firewall capabilities is a critical prerequisite to fortify your defenses. The Cisco ASA 5500 series products and the latest revisions of Cisco's firewall software have introduced some awesome new features. Topics discussed within this book include Modular Policy Framework, transparent firewalls, deep packet ...

... on security, spending most of my time with Cisco's security products like the ASAs and PIXs, and with VPN technologies. Firewalls, as a technology, have been around for over a decade. However, it wasn't until the explosion of the Internet that the use of firewalls has become commonplace in corporate and small offices, and even in home environments (I use an ASA 5505 for my home office and Eset on my ...

... have attempted to scan and probe my home office network. Because of the large number of products available, I have limited the focus of this book primarily to Cisco's ASA security appliance family. Most of what I discuss in this book also applies to Cisco's end-of-sale PIX security appliances, and where there are differences I point them out. Many of the readers of my previous book on the PIXs have constantly ...

... version 6 of the security appliances that I have finally succumbed to my faithful readers. Most medium-to-enterprise companies I've consulted for use Cisco's security appliances, so having a good background in understanding their capabilities and configuring their features makes you more marketable as a consultant and more valuable as an employee. I have written this book ...

... networks continues to grow, security becomes ever more vital. The Cisco Adaptive Security Appliances' intelligent threat defense offers the needed protection for businesses today as well as for the future. Technologies and devices based on Internet protocol continually touch every aspect of our lives; we need to be confident that our data is safe. Cisco ASA Configuration is a great reference and tool for answering ...