Foreword
Introduction

Product Overview

Introduction to Network Security
Firewall Technologies
Network Firewalls
Packet-Filtering Techniques
Application Proxies
Network Address Translation
Port Address Translation
Static Translation
Stateful Inspection Firewalls
Personal Firewalls
Intrusion Detection and Prevention Technologies
Network-Based Intrusion Detection and Prevention Systems
Pattern Matching and Stateful Pattern-Matching Recognition
Protocol Analysis
Heuristic-Based Analysis
Anomaly-Based Analysis
Host-Based Intrusion Detection Systems
Network-Based Attacks
DoS Attacks
TCP SYN Flood Attacks
land.c Attacks
Smurf Attacks
DDoS Attacks
Session Hijacking
Virtual Private Networks
Understanding IPSec
Internet Key Exchange
IKE Phase 1
IKE Phase 2
IPSec Protocols
Authentication Header
Encapsulation Security Payload
IPSec Modes
Transport Mode
Tunnel Mode
Summary

Product History
Cisco Firewall Products
Cisco PIX Firewalls
Cisco FWSM
Cisco IOS Firewall
Cisco IDS Products
Cisco VPN Products
Cisco ASA All-in-One Solution
Firewall Services
IPS Services
VPN Services
Summary

Hardware Overview
Cisco ASA 5510 Model
Cisco ASA 5520 Model
Cisco ASA 5540 Model
AIP-SSM Modules
Summary

Firewall Solution

Initial Setup and System Maintenance
Accessing the Cisco ASA Appliances
Establishing a Console Connection
Command-Line Interface
Managing Licenses
Initial Setup
Setting Up the Device Name
Configuring an Interface
Configuring a Subinterface
Configuring a Management Interface
DHCP Services
IP Version 6
IPv6 Header
Configuring IPv6
IP Address Assignment
Setting Up the System Clock
Manual Clock Adjustment Using clock set
Automatic Clock Adjustment Using the Network Time Protocol
Time Zones and Daylight Savings Time
Configuration Management
Running Configuration
Startup Configuration
Removing the Device Configuration
Remote System Management
Telnet
Secure Shell
System Maintenance
Software Installation
Image Upgrade via the Cisco ASA CLI
Image Recovery Using ROMMON
Password Recovery Process
Disabling the Password Recovery Process
System Monitoring
System Logging
Enabling Logging
Logging Types
Additional Syslog Parameters
Simple Network Management Protocol
Configuring SNMP
SNMP Monitoring
CPU and Memory Monitoring
Summary

Network Access Control
Packet Filtering
Types of ACLs
Standard ACLs
Extended ACLs
IPv6 ACLs
EtherType ACLs
WebVPN ACLs
Comparing ACL Features
Configuring Packet Filtering
Step 1: Set Up an ACL
Step 2: Apply an ACL to an Interface
Step 3: Set Up an IPv6 ACL (Optional)
Advanced ACL Features
Object Grouping
Object Types
Object Grouping and ACLs
Standard ACLs
Time-Based ACLs
Absolute
Periodic
Downloadable ACLs
ICMP Filtering
Content and URL Filtering
Content Filtering
ActiveX Filtering
Java Filtering
Configuring Content Filtering
URL Filtering
Configuring URL Filtering
Deployment Scenarios Using ACLs
Using ACLs to Filter Inbound and Outbound Traffic
Enabling Content Filtering Using Websense
Monitoring Network Access Control
Monitoring ACLs
Monitoring Content Filtering
Understanding Address Translation
Network Address Translation
Port Address Translation
Packet Flow Sequence
Configuring Address Translation
Static NAT
Dynamic Network Address Translation
Static Port Address Translation
Dynamic Port Address Translation
Policy NAT/PAT
Bypassing Address Translation
Identity NAT
NAT Exemption
NAT Order of Operation
Integrating ACLs and NAT
DNS Doctoring
Monitoring Address Translations
Summary

IP Routing
Configuring Static Routes
RIP
Configuring RIP
Verifying the Configuration
Troubleshooting RIP
Scenario 1: RIP Version Mismatch
Scenario 2: RIP Authentication Mismatch
Scenario 3: Multicast or Broadcast Packets Blocked
Scenario 4: Correct Configuration and Behavior
OSPF
Configuring OSPF
Enabling OSPF
Virtual Links
Configuring OSPF Authentication
Configuring the Cisco ASA as an ASBR
Stub Areas and NSSAs
ABR Type 3 LSA Filtering
OSPF neighbor Command and Dynamic Routing over VPN
Troubleshooting OSPF
Useful Troubleshooting Commands
Mismatched Areas
OSPF Authentication Mismatch
Troubleshooting Virtual Link Problems
IP Multicast
IGMP
IP Multicast Routing
Configuring Multicast Routing
Enabling Multicast Routing
Statically Assigning an IGMP Group
Limiting IGMP States
IGMP Query Timeout
Defining the IGMP Version
Configuring Rendezvous Points
Configuring Threshold for SPT Switchover
Filtering RP Register Messages
PIM Designated Router Priority
PIM Hello Message Interval
Configuring a Static Multicast Route
Troubleshooting IP Multicast Routing
show Commands
debug Commands
Deployment Scenarios
Deploying OSPF
Deploying IP Multicast
Summary

Authentication, Authorization, and Accounting (AAA)
AAA Protocols and Services Supported by Cisco ASA
RADIUS
TACACS+
RSA SecurID
Microsoft Windows NT
Active Directory and Kerberos
Lightweight Directory Access Protocol
Defining an Authentication Server
Configuring Authentication of Administrative Sessions
Authenticating Telnet Connections
Authenticating SSH Connections
Authenticating Serial Console Connections
Authenticating Cisco ASDM Connections
Authenticating Firewall Sessions (Cut-Through Proxy Feature)
Authentication Timeouts
Customizing Authentication Prompts
Configuring Authorization
Command Authorization
Configuring Downloadable ACLs
Configuring Accounting
RADIUS Accounting
TACACS+ Accounting
Deployment Scenarios
Deploying Authentication, Command Authorization, and Accounting for Administrative Sessions
Deploying Cut-Through Proxy Authentication
Troubleshooting AAA
Troubleshooting Administrative Connections to Cisco ASA
Troubleshooting Firewall Sessions (Cut-Through Proxy)
Summary

Application Inspection
Enabling Application Inspection Using the Modular Policy Framework
Selective Inspection
Computer Telephony Interface Quick Buffer Encoding Inspection
Domain Name System
Extended Simple Mail Transfer Protocol
File Transfer Protocol
General Packet Radio Service Tunneling Protocol
GTPv0
GTPv1
Configuring GTP Inspection
H.323
H.323 Protocol Suite
H.323 Version Compatibility
Enabling H.323 Inspection
Direct Call Signaling and Gatekeeper Routed Control Signaling
T.38
HTTP
Enabling HTTP Inspection
strict-http
content-length
content-type-verification
max-header-length
max-uri-length
port-misuse
request-method
transfer-encoding type
ICMP
ILS
MGCP
NetBIOS
PPTP
Sun RPC
RSH
RTSP
SIP
Skinny
SNMP
SQLNet
TFTP
XDMCP
Deployment Scenarios
ESMTP
HTTP
FTP
Summary

Security Contexts
Architectural Overview
System Execution Space
Admin Context
Customer Context
Packet Flow in Multiple Mode
Packet Classification
Packet Forwarding Between Contexts
Configuration of Security Contexts
Step 1: Enabling Multiple Security Contexts Globally
Step 2: Setting Up the System Execution Space
Step 3: Specifying a Configuration URL
Step 4: Allocating the Interfaces
Step 5: Configuring an Admin Context
Step 6: Configuring a Customer Context
Step 7: Managing the Security Contexts (Optional)
Deployment Scenarios
Virtual Firewall Using Two Customer Contexts
Virtual Firewall Using a Shared Interface
Monitoring and Troubleshooting the Security Contexts
Monitoring
Troubleshooting
Summary

Transparent Firewalls
Architectural Overview
Single-Mode Transparent Firewall
Packet Flow in an SMTF
Multimode Transparent Firewall
Packet Flow in an MMTF
Transparent Firewalls and VPNs
Configuration of Transparent Firewall
Configuration Guidelines
Configuration Steps
Step 1: Enabling Transparent Firewalls
Step 2: Setting Up Interfaces
Step 3: Configuring an IP Address
Step 4: Configuring Interface ACLs
Step 5: Adding Static L2F Table Entries (Optional)
Step 6: Enabling ARP Inspection (Optional)
Step 7: Modifying L2F Table Parameters (Optional)
Deployment Scenarios
SMTF Deployment
MMTF Deployment with Security Contexts
Monitoring and Troubleshooting the Transparent Firewall
Monitoring
Troubleshooting
Summary

Failover and Redundancy
Architectural Overview
Conditions that Trigger Failover
Failover Interface Tests
Stateful Failover
Hardware and Software Requirements
Types of Failover
Active/Standby Failover
Active/Active Failover
Asymmetric Routing
Failover Configuration
Active/Standby Failover Configuration
Step 1: Select the Failover Link
Step 2: Assign Failover IP Addresses
Step 3: Set the Failover Key (Optional)
Step 4: Designating the Primary Cisco ASA
Step 5: Enable Stateful Failover (Optional)
Step 6: Enable Failover Globally
Step 7: Configure Failover on the Secondary Cisco ASA
Active/Active Failover Configuration
Step 1: Select the Failover Link
Step 2: Assign Failover Interface IP Addresses
Step 3: Set Failover Key
Step 4: Designate the Primary Cisco ASA
Step 5: Enable Stateful Failover
Step 6: Set Up Failover Groups
Step 7: Assign Failover Group Membership
Step 8: Assign Interface IP Addresses
Step 9: Set Up Asymmetric Routing (Optional)
Step 10: Enable Failover Globally
Step 11: Configure Failover on the Secondary Cisco ASA
Optional Failover Commands
Specifying Failover MAC Addresses
Configuring Interface Policy
Managing Failover Timers
Monitoring Failover Interfaces
Zero-Downtime Software Upgrade
Deployment Scenarios
Active/Standby Failover in Single Mode
Active/Active Failover in Multiple Security Contexts
Monitoring and Troubleshooting Failovers
Monitoring
Troubleshooting
Summary

Quality of Service
Architectural Overview
Traffic Policing
Traffic Prioritization
Packet Flow Sequence
Packet Classification
IP Precedence Field
IP DSCP Field
IP Access Control List
IP Flow
VPN Tunnel Group
QoS and VPN Tunnels
Configuring Quality of Service
Step 1: Set Up a Class Map
Step 2: Configure a Policy Map
Step 3: Apply the Policy Map on the Interface
Step 4: Tune the Priority Queue (Optional)
QoS Deployment Scenarios
QoS for VoIP Traffic
QoS for the Remote-Access VPN Tunnels
Monitoring QoS
Summary

Intrusion Prevention System (IPS) Solution

Intrusion Prevention System Integration
Adaptive Inspection Prevention Security Services Module Overview (AIP-SSM)
AIP-SSM Management
Inline Versus Promiscuous Mode
Directing Traffic to the AIP-SSM
AIP-SSM Module Software Recovery
Additional IPS Features
IP Audit
Shunning
Summary

Configuring and Troubleshooting Cisco IPS Software via CLI
Cisco IPS Software Architecture
MainApp
SensorApp
Network Access Controller
AuthenticationApp
cipsWebserver
LogApp
EventStore
TransactionSource
Introduction to the CIPS 5.x Command-Line Interface
Logging In to the AIP-SSM via the CLI
CLI Command Modes
Initializing the AIP-SSM
User Administration
User Account Roles and Levels
Administrator Account
Operator Account
Viewer Account
Service Account
Adding and Deleting Users by Using the CLI
Creating Users
Deleting Users
Changing Passwords
AIP-SSM Maintenance
Adding Trusted Hosts
SSH Known Host List
TLS Known Host List
Upgrading the CIPS Software and Signatures via the CLI
One-Time Upgrades
Scheduled Upgrades
Displaying Software Version and Configuration Information
Backing Up Your Configuration
Displaying and Clearing Events
Displaying and Clearing Statistics
Advanced Features and Configuration
IPS Tuning
Disabling and Retiring IPS Signatures
Custom Signatures
IP Logging
Automatic Logging
Manual Logging of Specific Host Traffic
Configuring Blocking (Shunning)
Summary

Virtual Private Network (VPN) Solution

Site-to-Site IPSec VPNs
Preconfiguration Checklist
Configuration Steps
Step 1: Enable ISAKMP
Step 2: Create the ISAKMP Policy
Step 3: Set the Tunnel Type
Step 4: Configure ISAKMP Preshared Keys
Step 5: Define the IPSec Policy
Step 6: Specify Interesting Traffic
Step 7: Configure a Crypto Map
Step 8: Apply the Crypto Map to an Interface
Step 9: Configuring Traffic Filtering
Step 10: Bypassing NAT (Optional)
Advanced Features
OSPF Updates over IPSec
Reverse Route Injection
NAT Traversal
Tunnel Default Gateway
Optional Commands
Perfect Forward Secrecy
Security Association Lifetimes
Phase 1 Mode
Connection Type
Inheritance
ISAKMP Keepalives
Deployment Scenarios
Single Site-to-Site Tunnel Configuration Using NAT-T
Fully Meshed Topology with RRI
Monitoring and Troubleshooting Site-to-Site IPSec VPNs
Monitoring Site-to-Site VPNs
Troubleshooting Site-to-Site VPNs
ISAKMP Proposal Unacceptable
Mismatched Preshared Keys
Incompatible IPSec Transform Set
Mismatched Proxy Identities
Summary

Remote Access VPN
Cisco IPSec Remote Access VPN Solution
Configuration Steps
Step 1: Enable ISAKMP
Step 2: Create the ISAKMP Policy
Step 3: Configure Remote-Access Attributes
Step 4: Define the Tunnel Type
Step 5: Configure ISAKMP Preshared Keys
Step 6: Configure User Authentication
Step 7: Assign an IP Address
Step 8: Define the IPSec Policy
Step 9: Set Up a Dynamic Crypto Map
Step 10: Configure the Crypto Map
Step 11: Apply the Crypto Map to an Interface
Step 12: Configure Traffic Filtering
Step 13: Set Up a Tunnel Default Gateway (Optional)
Step 14: Bypass NAT (Optional)
Step 15: Set Up Split Tunneling (Optional)
Cisco VPN Client Configuration
Software-Based VPN Clients
Hardware-Based VPN Clients
Advanced Cisco IPSec VPN Features
Transparent Tunneling
NAT Traversal
IPSec over TCP
IPSec over UDP
IPSec Hairpinning
VPN Load-Balancing
Client Auto-Update
Client Firewalling
Personal Firewall Check
Central Protection Policy
Hardware-Based Easy VPN Client Features
Interactive Hardware Client Authentication
Individual User Authentication
Cisco IP Phone Bypass
LEAP Bypass
Hardware Client Network Extension Mode
Deployment Scenarios of Cisco IPSec VPN
IPSec Hairpinning with Easy VPN and Firewalling
Load-Balancing and Site-to-Site Integration
Monitoring and Troubleshooting Cisco Remote Access VPN
Monitoring Cisco Remote Access IPSec VPNs
Troubleshooting Cisco IPSec VPN Clients
Cisco WebVPN Solution
Configuration Steps
Step 1: Enable the HTTP Service
Step 2: Enable WebVPN on the Interface
Step 3: Configure WebVPN Look and Feel
Step 4: Configure WebVPN Group Attributes
Step 5: Configure User Authentication
Advanced WebVPN Features
Port Forwarding
Configuring URL Mangling
E-Mail Proxy
Authentication Methods for E-Mail Proxy
Identifying E-Mail Servers for E-Mail Proxies
Delimiters
Windows File Sharing
WebVPN Access Lists
Deployment Scenarios of WebVPN
WebVPN with External Authentication
WebVPN with E-Mail Proxies
Monitoring and Troubleshooting WebVPN
Monitoring WebVPN
Troubleshooting WebVPN
SSL Negotiations
WebVPN Data Capture
E-Mail Proxy Issues
Summary

Public Key Infrastructure (PKI)
Introduction to PKI
Certificates
Certificate Authority
Certificate Revocation List
Simple Certificate Enrollment Protocol
Enrolling the Cisco ASA to a CA Using SCEP
Generating the RSA Key Pair
Configuring a Trustpoint
Manual (Cut-and-Paste) Enrollment
Configuration for Manual Enrollment
Obtaining the CA Certificate
Generating the ID Certificate Request and Importing the ID Certificate
Configuring CRL Options
Configuring IPSec Site-to-Site Tunnels Using Certificates
Configuring the Cisco ASA to Accept Remote-Access VPN Clients Using Certificates
Enrolling the Cisco VPN Client
Configuring the Cisco ASA
Troubleshooting PKI
Time and Date Mismatch
SCEP Enrollment Problems
CRL Retrieval Problems
Summary

Adaptive Security Device Manager

Introduction to ASDM
Setting Up ASDM
Uploading ASDM
Setting Up Cisco ASA
Accessing ASDM
Initial Setup
Startup Wizard
Functional Screens
Configuration Screen
Monitoring Screen
Interface Management
System Clock
Configuration Management
Remote System Management
Telnet
SSH
SSL (ASDM)
System Maintenance
Software Installation
File Management
System Monitoring
System Logging
SNMP
Summary

Firewall Management Using ASDM
Access Control Lists
Address Translation
Routing Protocols
RIP
OSPF
Multicast
AAA
Application Inspection
Security Contexts
Transparent Firewalls
Failover
QoS
Summary

IPS Management Using ASDM
Accessing the IPS Device Management Console from ASDM
Configuring Basic AIP-SSM Settings
Licensing
Verifying Network Settings
Adding Allowed Hosts
Configuring NTP
Adding Users
Advanced IPS Configuration and Monitoring Using ASDM
Disabling and Enabling Signatures
Configuring Blocking
Creating Custom Signatures
Creating Event Action Filters
Installing Signature Updates and Software Service Packs
Configuring Auto-Update
Summary

VPN Management Using ASDM
Site-to-Site VPN Setup Using Preshared Keys
Site-to-Site VPN Setup Using PKI
Cisco Remote-Access IPSec VPN Setup
WebVPN
VPN Monitoring
Summary

Case Studies
Case Study 1: Deploying the Cisco ASA at Branch Offices and Small Businesses
Branch Offices
Small Business Partners
Case Study 2: Large Enterprise Firewall, VPN, and IPS Deployment
Internet Edge and DMZ
Filtering Websites
Remote Access VPN Cluster
Application Inspection
IPS
Case Study 3: Data Center Security with Cisco ASA
Summary

Index