
Cisco ASA: All-in-one Next-Generation Firewall, IPS, and VPN Services 3rd edition [Paperback]

4.21/5 (30 ratings by Goodreads)
  • Format: Paperback / softback, 1248 pages, height x width x depth: 231x189x44 mm, weight: 1680 g
  • Publication date: 22-May-2014
  • Publisher: Cisco Press
  • ISBN-10: 1587143070
  • ISBN-13: 9781587143076
  • Paperback
  • Price: 82,66 €
  • Delivery time is 3-4 weeks if the book is in stock at the publisher's warehouse. If the publisher has to print a new run, delivery may be delayed.
  • Delivery time: 4-6 weeks
Cisco® ASA

All-in-One Next-Generation Firewall, IPS, and VPN Services, Third Edition


Identify, mitigate, and respond to today's highly sophisticated network attacks.


Today, network attackers are far more sophisticated, relentless, and dangerous. In response, Cisco ASA: All-in-One Next-Generation Firewall, IPS, and VPN Services has been fully updated to cover the newest techniques and Cisco technologies for maximizing end-to-end security in your environment. Three leading Cisco security experts guide you through every step of creating a complete security plan with Cisco ASA, and then deploying, configuring, operating, and troubleshooting your solution.


Fully updated for today's newest ASA releases, this edition adds new coverage of ASA 5500-X, ASA 5585-X, ASA Services Module, ASA next-generation firewall services, EtherChannel, Global ACLs, clustering, IPv6 improvements, IKEv2, AnyConnect Secure Mobility VPN clients, and more. The authors explain significant recent licensing changes; introduce enhancements to ASA IPS; and walk you through configuring IPsec, SSL VPN, and NAT/PAT.


You'll learn how to apply Cisco ASA adaptive identification and mitigation services to systematically strengthen security in network environments of all sizes and types. The authors present up-to-date sample configurations, proven design scenarios, and actual debugs, all designed to help you make the most of Cisco ASA in your rapidly evolving network.


Jazib Frahim, CCIE® No. 5459 (Routing and Switching; Security), Principal Engineer in the Global Security Solutions team, guides top-tier Cisco customers in security-focused network design and implementation. He architects, develops, and launches new security services concepts. His books include Cisco SSL VPN Solutions and Cisco Network Admission Control, Volume II: NAC Deployment and Troubleshooting.


Omar Santos, CISSP No. 463598, Cisco Product Security Incident Response Team (PSIRT) technical leader, leads and mentors engineers and incident managers in investigating and resolving vulnerabilities in Cisco products and protecting Cisco customers. Through 18 years in IT and cybersecurity, he has designed, implemented, and supported numerous secure networks for Fortune® 500 companies and the U.S. government. He is also the author of several other books and numerous whitepapers and articles.


Andrew Ossipov, CCIE® No. 18483 and CISSP No. 344324, is a Cisco Technical Marketing Engineer focused on firewalls, intrusion prevention, and data center security. Drawing on more than 16 years in networking, he works to solve complex customer technical problems, architect new features and products, and define future directions for Cisco's product portfolio. He holds several pending patents.


  • Understand, install, configure, license, maintain, and troubleshoot the newest ASA devices
  • Efficiently implement Authentication, Authorization, and Accounting (AAA) services
  • Control and provision network access with packet filtering, context-aware Cisco ASA next-generation firewall services, and new NAT/PAT concepts
  • Configure IP routing, application inspection, and QoS
  • Create firewall contexts with unique configurations, interfaces, policies, routing tables, and administration
  • Enable integrated protection against many types of malware and advanced persistent threats (APTs) via Cisco Cloud Web Security and Cisco Security Intelligence Operations (SIO)
  • Implement high availability with failover and elastic scalability with clustering
  • Deploy, troubleshoot, monitor, tune, and manage Intrusion Prevention System (IPS) features
  • Implement site-to-site IPsec VPNs and all forms of remote-access VPNs (IPsec, clientless SSL, and client-based SSL)
  • Configure and troubleshoot Public Key Infrastructure (PKI)
  • Use IKEv2 to more effectively resist attacks against VPNs
  • Leverage IPv6 support for IPS, packet inspection, transparent firewalls, and site-to-site IPsec VPNs

Introduction
Chapter 1 Introduction to Security Technologies 1(28)
Firewalls
2(7)
Network Firewalls
2(1)
Packet-Filtering Techniques
2(1)
Application Proxies
3(1)
Network Address Translation
3(3)
Stateful Inspection Firewalls
6(1)
Demilitarized Zones (DMZ)
7(1)
Deep Packet Inspection
8(1)
Next-Generation Context-Aware Firewalls
8(1)
Personal Firewalls
9(1)
Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS)
9(5)
Pattern Matching and Stateful Pattern-Matching Recognition
11(1)
Protocol Analysis
12(1)
Heuristic-Based Analysis
12(1)
Anomaly-Based Analysis
12(2)
Global Threat Correlation Capabilities
14(1)
Virtual Private Networks
14(11)
Technical Overview of IPsec
16(1)
IKEv1 Phase 1
16(4)
IKEv1 Phase 2
20(3)
IKEv2
23(1)
SSL VPNs
23(2)
Cisco AnyConnect Secure Mobility
25(1)
Cloud and Virtualization Security
26(3)
Chapter 2 Cisco ASA Product and Solution Overview 29(30)
Cisco ASA Model Overview
30(1)
Cisco ASA 5505 Model
31(4)
Cisco ASA 5510 Model
35(3)
Cisco ASA 5512-X Model
38(2)
Cisco ASA 5515-X Model
40(1)
Cisco ASA 5520 Model
41(1)
Cisco ASA 5525-X Model
42(1)
Cisco ASA 5540 Model
43(1)
Cisco ASA 5545-X Model
44(1)
Cisco ASA 5550 Model
45(1)
Cisco ASA 5555-X Model
46(1)
Cisco ASA 5585-X Models
47(4)
Cisco Catalyst 6500 Series ASA Services Module
51(1)
Cisco ASA 1000V Cloud Firewall
52(1)
Cisco ASA Next-Generation Firewall Services (Formerly Cisco ASA CX)
53(1)
Cisco ASA AIP-SSM Module
53(2)
Cisco ASA AIP-SSM-10
54(1)
Cisco ASA AIP-SSM-20
54(1)
Cisco ASA AIP-SSM-40
54(1)
Cisco ASA Gigabit Ethernet Modules
55(4)
Cisco ASA SSM-4GE
55(1)
Cisco ASA 5580 Expansion Cards
56(1)
Cisco ASA 5500-X Series 6-Port GE Interface Cards
57(2)
Chapter 3 Licensing 59(22)
Licensed Features on ASA
59(9)
Basic Platform Capabilities
61(2)
Advanced Security Features
63(2)
Tiered Capacity Features
65(1)
Displaying License Information
66(2)
Managing Licenses with Activation Keys
68(5)
Permanent and Time-Based Activation Keys
68(1)
Combining Keys
69(1)
Time-Based Key Expiration
70(1)
Using Activation Keys
71(2)
Combined Licenses in Failover and Clustering
73(2)
License Aggregation Rules
73(2)
Aggregated Time-Based License Countdown
75(1)
Shared Premium VPN Licensing
75(6)
Shared Server and Participants
76(1)
Shared License
76(1)
Shared Licensing Operation
76(2)
Configuring Shared Licensing
78(1)
Licensing Server
78(1)
Participants
79(1)
Backup Licensing Server
79(1)
Monitoring Shared Licensing Operation
80(1)
Chapter 4 Initial Setup 81(38)
Accessing the Cisco ASA Appliances
81(6)
Establishing a Console Connection
82(3)
Command-Line Interface
85(2)
Managing Licenses
87(3)
Initial Setup
90(10)
Initial Setup via CLI
90(2)
Initial Setup of ASDM
92(1)
Uploading ASDM
92(1)
Setting Up the Appliance
93(1)
Accessing ASDM
94(3)
Functional Screens of ASDM
97(3)
Device Setup
100(14)
Setting Up a Device Name and Passwords
100(2)
Configuring an Interface
102(1)
Configuring a Data-Passing Interface
102(4)
Configuring a Subinterface
106(3)
Configuring an EtherChannel Interface
109(2)
Configuring a Management Interface
111(1)
DHCP Services
112(2)
Setting Up the System Clock
114(5)
Manual Clock Adjustment
114(1)
Time Zone
114(2)
Date
116(1)
Time
116(1)
Automatic Clock Adjustment Using the Network Time Protocol
116(3)
Chapter 5 System Maintenance 119(54)
Configuration Management
119(7)
Running Configuration
119(4)
Startup Configuration
123(1)
Removing the Device Configuration
124(2)
Remote System Management
126(6)
Telnet
126(3)
Secure Shell (SSH)
129(3)
System Maintenance
132(12)
Software Installation
132(1)
Image Upgrade via Cisco ASDM
132(1)
Image Upgrade via the Cisco ASA CLI
133(3)
Image Upload Using ROMMON
136(1)
Password Recovery Process
137(4)
Disabling the Password Recovery Process
141(3)
System Monitoring
144(21)
System Logging
144(2)
Enabling Logging
146(1)
Defining Event List
147(2)
Logging Types
149(4)
Defining a Syslog Server
153(1)
Defining an Email Server
154(1)
Storing Logs Internally and Externally
154(2)
Syslog Message ID Tuning
156(1)
NetFlow Secure Event Logging (NSEL)
156(1)
Step 1: Define a NetFlow Collector
157(2)
Step 2: Define a NetFlow Export Policy
159(1)
Simple Network Management Protocol (SNMP)
160(1)
Configuring SNMP
161(3)
SNMP Monitoring
164(1)
Device Monitoring and Troubleshooting
165(8)
CPU and Memory Monitoring
165(3)
Troubleshooting Device Issues
168(1)
Troubleshooting Packet Issues
168(4)
Troubleshooting CPU Issues
172(1)
Chapter 6 Cisco ASA Services Module 173(18)
Cisco ASA Services Module Overview
173(3)
Hardware Architecture
174(1)
Host Chassis Integration
175(1)
Managing Host Chassis
176(4)
Assigning VLAN Interfaces
177(1)
Monitoring Traffic Flow
178(2)
Common Deployment Scenarios
180(3)
Internal Segment Firewalling
181(1)
Edge Protection
182(1)
Trusted Flow Bypass with Policy Based Routing
183(8)
Traffic Flow
185(1)
Sample PBR Configuration
185(6)
Chapter 7 Authentication, Authorization, and Accounting (AAA) Services 191(38)
AAA Protocols and Services Supported by Cisco ASA
192(6)
RADIUS
194(1)
TACACS+
195(1)
RSA SecurID
196(1)
Microsoft Windows NTLM
197(1)
Active Directory and Kerberos
197(1)
Lightweight Directory Access Protocol
197(1)
Defining an Authentication Server
198(6)
Configuring Authentication of Administrative Sessions
204(5)
Authenticating Telnet Connections
204(2)
Authenticating SSH Connections
206(1)
Authenticating Serial Console Connections
207(1)
Authenticating Cisco ASDM Connections
208(1)
Authenticating Firewall Sessions (Cut-Through Proxy Feature)
209(5)
Authentication Timeouts
214(1)
Customizing Authentication Prompts
214(1)
Configuring Authorization
215(4)
Command Authorization
217(1)
Configuring Downloadable ACLs
218(1)
Configuring Accounting
219(3)
RADIUS Accounting
220(1)
TACACS+ Accounting
221(1)
Troubleshooting Administrative Connections to Cisco ASA
222(7)
Troubleshooting Firewall Sessions (Cut-Through Proxy)
225(1)
ASDM and CLI AAA Test Utility
226(3)
Chapter 8 Controlling Network Access: The Traditional Way 229(38)
Packet Filtering
229(14)
Types of ACLs
232(1)
Standard ACLs
233(1)
Extended ACLs
233(1)
EtherType ACLs
233(1)
Webtype ACLs
234(1)
Comparing ACL Features
234(1)
Through-the-Box-Traffic Filtering
235(5)
To-the-Box-Traffic Filtering
240(3)
Advanced ACL Features
243(12)
Object Grouping
243(1)
Object Types
243(2)
Configuration of Object Types
245(3)
Object Grouping and ACLs
248(2)
Standard ACLs
250(1)
Time-Based ACLs
251(3)
Downloadable ACLs
254(1)
ICMP Filtering
254(1)
Deployment Scenario for Traffic Filtering
255(5)
Using ACLs to Filter Inbound Traffic
255(2)
Configuration Steps with ASDM
257(2)
Configuration Steps with CLI
259(1)
Monitoring Network Access Control
260(7)
Monitoring ACLs
260(7)
Chapter 9 Implementing Next-Generation Firewall Services with ASA CX 267(70)
CX Integration Overview
268(5)
Logical Architecture
269(1)
Hardware Modules
270(1)
Software Modules
271(1)
High Availability
272(1)
ASA CX Architecture
273(4)
Data Plane
274(1)
Eventing and Reporting
275(1)
User Identity
275(1)
TLS Decryption Proxy
276(1)
HTTP Inspection Engine
276(1)
Application Inspection Engine
276(1)
Management Plane
276(1)
Control Plane
276(1)
Preparing ASA CX for Configuration
277(5)
Managing ASA CX with PRSM
282(11)
Using PRSM
283(3)
Configuring User Accounts
286(2)
CX Licensing
288(2)
Component and Software Updates
290(1)
Signatures and Engines
290(1)
System Software
291(1)
Configuration Database Backup
292(1)
Defining CX Policy Elements
293(16)
Network Groups
295(1)
Identity Objects
296(2)
URL Objects
298(1)
User Agent Objects
299(1)
Application Objects
299(1)
Secure Mobility Objects
300(1)
Interface Roles
301(1)
Service Objects
302(1)
Application-Service Objects
303(1)
Source Object Groups
304(1)
Destination Object Groups
305(1)
File Filtering Profiles
306(1)
Web Reputation Profiles
306(1)
NG IPS Profiles
307(2)
Enabling User Identity Services
309(7)
Configuring Directory Servers
310(2)
Connecting to AD Agent or CDA
312(1)
Tuning Authentication Settings
313(1)
Defining User Identity Discovery Policy
314(2)
Enabling TLS Decryption
316(7)
Configuring Decryption Settings
318(2)
Defining a Decryption Policy
320(3)
Enabling NG IPS
323(1)
Defining Context-Aware Access Policies
324(3)
Configuring ASA for CX Traffic Redirection
327(2)
Monitoring ASA CX
329(8)
Dashboard Reports
329(2)
Connection and System Events
331(1)
Packet Captures
332(5)
Chapter 10 Network Address Translation 337(42)
Types of Address Translation
338(3)
Network Address Translation
338(2)
Port Address Translation
340(1)
Address Translation Methods
341(4)
Static NAT/PAT
341(2)
Dynamic NAT/PAT
343(1)
Policy NAT/PAT
344(1)
Identity NAT
344(1)
Security Protection Mechanisms Within Address Translation
345(1)
Randomization of Sequence Numbers
345(1)
TCP Intercept
346(1)
Understanding Address Translation Behavior
346(4)
Address Translation Behavior Prior to Version 8.3
346(1)
Packet Flow Sequence in Pre-8.3 Version
347(1)
NAT Order of Operation for Pre-8.3 Versions
348(1)
Redesigning Address Translation (Version 8.3 and Later)
349(1)
NAT Modes in Version 8.3 and Later
349(1)
NAT Order of Operation for Version 8.3 and Later
350(1)
Configuring Address Translation
350(22)
Auto NAT Configuration
351(1)
Available Auto NAT Settings
351(2)
Auto NAT Configuration Example
353(3)
Manual NAT Configuration
356(1)
Available Manual NAT Settings
356(1)
Manual NAT Configuration Example
357(2)
Integrating ACLs and NAT
359(1)
Pre-8.3 Behavior for NAT and ACL Integration
359(2)
Behavior of NAT and ACL Integration in Version 8.3 and Later
361(1)
Configuration Use Cases
362(1)
Use Case 1: Dynamic PAT for Inside Network with Static NAT for a DMZ Web Server
363(1)
Use Case 2: Static PAT for a Web Server Located on the DMZ Network
364(2)
Use Case 3: Static NAT for Overlapping Subnets Using Twice NAT
366(1)
Use Case 4: Identity NAT for Site-to-Site VPN Tunnel
367(2)
Use Case 5: Dynamic PAT for Remote-Access VPN Clients
369(3)
DNS Doctoring
372(3)
Monitoring Address Translations
375(4)
Chapter 11 IPv6 Support 379(12)
IP Version 6 Introduction
379(3)
IPv6 Header
380(1)
Supported IPv6 Address Types
381(1)
Global Unicast Address
382(1)
Site-Local Address
382(1)
Link-Local Address
382(1)
Configuring IPv6
382(9)
IP Address Assignment
383(1)
IPv6 DHCP Relay
384(1)
Optional IPv6 Parameters
385(1)
Neighbor Solicitation Messages
385(1)
Neighbor Reachable Time
385(1)
Router Advertisement Transmission Interval
385(1)
Setting Up an IPv6 ACL
386(3)
IPv6 Address Translation
389(2)
Chapter 12 IP Routing 391(74)
Configuring Static Routes
392(8)
Static Route Monitoring
395(4)
Displaying the Routing Table
399(1)
RIP
400(12)
Configuring RIP
401(2)
RIP Authentication
403(3)
RIP Route Filtering
406(3)
Configuring RIP Redistribution
409(1)
Troubleshooting RIP
409(1)
Scenario 1: RIP Version Mismatch
410(1)
Scenario 2: RIP Authentication Mismatch
411(1)
Scenario 3: Multicast or Broadcast Packets Blocked
411(1)
OSPF
412(29)
Configuring OSPF
413(1)
Enabling OSPF
414(5)
OSPF Virtual Links
419(3)
Configuring OSPF Authentication
422(4)
Configuring OSPF Redistribution
426(2)
Stub Areas and NSSAs
428(1)
OSPF Type 3 LSA Filtering
429(2)
OSPF neighbor Command and Dynamic Routing over a VPN Tunnel
431(2)
OSPFv3
433(1)
Troubleshooting OSPF
433(1)
Useful Troubleshooting Commands
433(7)
Mismatched Areas
440(1)
OSPF Authentication Mismatch
440(1)
Troubleshooting Virtual Link Problems
440(1)
EIGRP
441(24)
Configuring EIGRP
441(1)
Enabling EIGRP
441(4)
Configuring Route Filtering for EIGRP
445(2)
EIGRP Authentication
447(1)
Defining Static EIGRP Neighbors
448(1)
Route Summarization in EIGRP
448(2)
Split Horizon
450(1)
Route Redistribution in EIGRP
450(3)
Controlling Default Information
453(1)
Troubleshooting EIGRP
454(1)
Useful Troubleshooting Commands
454(4)
Scenario 1: Link Failures
458(1)
Scenario 2: Misconfigured Hello and Hold Intervals
459(3)
Scenario 3: Misconfigured Authentication Parameters
462(3)
Chapter 13 Application Inspection 465(66)
Enabling Application Inspection
468(1)
Selective Inspection
469(4)
CTIQBE Inspection
473(3)
DCERPC Inspection
476(1)
DNS Inspection
476(5)
ESMTP Inspection
481(3)
File Transfer Protocol
484(2)
General Packet Radio Service Tunneling Protocol
486(6)
GTPv0
487(2)
GTPv1
489(1)
Configuring GTP Inspection
490(2)
H.323
492(7)
H.323 Protocol Suite
493(2)
H.323 Version Compatibility
495(1)
Enabling H.323 Inspection
496(3)
Direct Call Signaling and Gatekeeper Routed Control Signaling
499(1)
T.38
499(1)
Cisco Unified Communications Advanced Support
499(8)
Phone Proxy
500(5)
TLS Proxy
505(1)
Mobility Proxy
506(1)
Presence Federation Proxy
506(1)
HTTP
507(8)
Enabling HTTP Inspection
507(3)
strict-http Command
510(1)
content-length Command
510(1)
content-type-verification Command
511(1)
max-header-length Command
511(1)
max-uri-length Command
512(1)
port-misuse Command
512(1)
request-method Command
513(2)
transfer-encoding type Command
515(1)
ICMP
515(1)
ILS
516(1)
Instant Messenger (IM)
517(1)
IPsec Pass-Through
518(1)
MGCP
519(2)
NetBIOS
521(1)
PPTP
522(1)
Sun RPC
522(1)
RSH
523(1)
RTSP
523(1)
SIP
524(1)
Skinny (SCCP)
525(2)
SNMP
527(1)
SQL*Net
528(1)
TFTP
528(1)
WAAS
528(1)
XDMCP
529(2)
Chapter 14 Virtualization 531(60)
Architectural Overview
533(11)
System Execution Space
533(2)
Admin Context
535(1)
User Context
535(3)
Packet Classification
538(1)
Packet Classification Criteria
538(1)
Destination IP Address
539(1)
Unique MAC Address
540(1)
Packet Flow in Multiple Mode
541(1)
Forwarding Without a Shared Interface
541(1)
Forwarding with a Shared Interface
542(2)
Configuration of Security Contexts
544(15)
Step 1: Enable Multiple Security Contexts Globally
544(3)
Step 2: Set Up the System Execution Space
547(2)
Step 3: Configure Interfaces
549(1)
Step 4: Specify a Configuration URL
550(2)
Step 5: Configure an Admin Context
552(1)
Step 6: Configure a User Context
553(1)
Step 7: Manage the Security Contexts (Optional)
554(1)
Step 8: Resource Management (Optional)
555(1)
Step 1: Define a Resource Class
556(2)
Step 2: Map the Resource Class to a Context
558(1)
Deployment Scenarios
559(27)
Virtual Firewall with Non-Shared Interfaces
559(2)
Configuration Steps with ASDM
561(8)
Configuration Steps with CLI
569(3)
Virtual Firewall with a Shared Interface
572(2)
Configuration Steps with ASDM
574(8)
Configuration Steps Using CLI
582(4)
Monitoring and Troubleshooting the Security Contexts
586(5)
Monitoring
586(2)
Troubleshooting
588(1)
Security Contexts Are Not Added
588(1)
Security Contexts Are Not Saved on the Local Disk
588(1)
Security Contexts Are Not Saved on the FTP Server
589(1)
User Having Connectivity Issues When Shared Security Contexts Are Used
590(1)
Chapter 15 Transparent Firewalls 591(50)
Architectural Overview
594(5)
Single-Mode Transparent Firewalls
594(1)
Packet Flow in an SMTF
595(2)
Multimode Transparent Firewalls
597(1)
Packet Flow in an MMTF
597(2)
Restrictions When Using Transparent Firewalls
599(3)
Transparent Firewalls and VPNs
599(1)
Transparent Firewalls and NAT
600(2)
Configuration of Transparent Firewalls
602(14)
Configuration Guidelines
602(1)
Configuration Steps
603(1)
Step 1: Enable Transparent Firewalls
603(1)
Step 2: Set Up Interfaces
604(1)
Step 3: Configure an IP Address
605(1)
Step 4: Set Up Routes
606(2)
Step 5: Configure Interface ACLs
608(3)
Step 6: Configure NAT (Optional)
611(1)
Step 7: Add Static L2F Table Entries (Optional)
612(1)
Step 8: Enable ARP Inspection (Optional)
613(2)
Step 9: Modify L2F Table Parameters (Optional)
615(1)
Deployment Scenarios
616(20)
SMTF Deployment
617(1)
Configuration Steps Using ASDM
618(4)
Configuration Steps Using CLI
622(1)
MMTF Deployment with Security Contexts
623(2)
Configuration Steps Using ASDM
625(7)
Configuration Steps Using CLI
632(4)
Monitoring and Troubleshooting Transparent Firewalls
636(1)
Monitoring
636(1)
Troubleshooting
637(1)
Hosts Are Not Able to Communicate
637(2)
Moved Host Is Not Able to Communicate
639(1)
General Syslogging
640(1)
Chapter 16 High Availability 641(92)
Redundant Interfaces
642(4)
Using Redundant Interfaces
642(1)
Deployment Scenarios
643(1)
Configuration and Monitoring
644(2)
Static Route Tracking
646(6)
Configuring Static Routes with an SLA Monitor
647(2)
Floating Connection Timeout
649(1)
Sample Backup ISP Deployment
649(3)
Failover
652(33)
Unit Roles and Functions in Failover
652(1)
Stateful Failover
653(1)
Active/Standby and Active/Active Failover
654(2)
Failover Hardware and Software Requirements
656(1)
Zero Downtime Upgrade in Failover
657(1)
Failover Licensing
658(1)
Failover Interfaces
658(1)
Stateful Link
659(1)
Failover Link Security
659(1)
Data Interface Addressing
660(2)
Asymmetric Routing Groups
662(2)
Failover Health Monitoring
664(2)
State and Role Transition
666(1)
Configuring Failover
667(1)
Basic Failover Settings
668(3)
Data Interface Configuration
671(2)
Failover Policies and Timers
673(1)
Active/Active Failover
674(4)
Monitoring and Troubleshooting Failover
678(2)
Active/Standby Failover Deployment Scenario
680(5)
Clustering
685(48)
Unit Roles and Functions in Clustering
685(1)
Master and Slave Units
685(1)
Flow Owner
686(1)
Flow Director
686(1)
Flow Forwarder
687(1)
Clustering Hardware and Software Requirements
687(1)
Zero Downtime Upgrade in Clustering
688(1)
Unsupported Features
689(1)
Cluster Licensing
690(1)
Control and Data Interfaces
690(3)
Spanned EtherChannel Mode
693(2)
Individual Mode
695(2)
Cluster Management
697(1)
Cluster Health Monitoring
697(1)
Network Address Translation
698(2)
Performance
700(1)
Centralized Features
701(1)
Scaling Factors
701(1)
Packet Flow
702(1)
TCP Connection Processing
702(1)
UDP Connection Processing
703(2)
Centralized Connection Processing
705(1)
State Transition
705(1)
Configuring Clustering
706(1)
Setting Interface Mode
707(1)
Management Access for ASDM Deployment
708(2)
Building a Cluster
710(4)
Data Interface Configuration
714(3)
Monitoring and Troubleshooting Clustering
717(3)
Spanned EtherChannel Cluster Deployment Scenario
720(13)
Chapter 17 Implementing Cisco ASA Intrusion Prevention System (IPS) 733(54)
IPS Integration Overview
733(6)
IPS Logical Architecture
735(1)
IPS Hardware Modules
735(1)
IPS Software Modules
736(1)
Inline and Promiscuous Modes
737(2)
IPS High Availability
739(1)
Cisco IPS Software Architecture
739(5)
MainApp
741(1)
AuthenticationApp
741(1)
Attack Response Controller
742(1)
cipsWebserver
742(1)
Logger
742(1)
CtlTransSource
743(1)
NotificationApp
743(1)
SensorApp
743(1)
CollaborationApp
744(1)
EventStore
744(1)
Preparing ASA IPS for Configuration
744(9)
Installing CIPS System Software
744(3)
Accessing CIPS from the ASA CLI
747(1)
Configuring Basic Management Settings
748(4)
Setting Up ASDM for IPS Management
752(1)
Installing the CIPS License Key
752(1)
Configuring CIPS Software on ASA IPS
753(15)
Custom Signatures
755(3)
Remote Blocking
758(5)
Anomaly Detection
763(3)
Global Correlation
766(2)
Maintaining ASA IPS
768(10)
User Account Administration
769(1)
Administrator Account
769(1)
Operator Account
769(1)
Viewer Account
769(1)
Service Account
770(1)
Adding, Changing and Deleting Users
770(1)
Displaying CIPS Software and Process Information
771(1)
Upgrading CIPS Software and Signatures
772(1)
One-Time Upgrades
773(1)
Scheduled Upgrades
774(2)
Backing Up ASA IPS Configuration
776(1)
Displaying and Clearing Events
776(2)
Configuring ASA for IPS Traffic Redirection
778(2)
Botnet Traffic Filter
780(7)
Dynamic and Local Blacklist Data
781(1)
DNS Snooping
782(1)
Traffic Selection
783(4)
Chapter 18 Tuning and Monitoring IPS 787(14)
IPS Tuning Process
787(2)
Risk Ratings
789(2)
ASR
790(1)
TVR
790(1)
SFR
790(1)
ARR
791(1)
PD
791(1)
WLR
791(1)
Disabling IPS Signatures
791(1)
Retiring IPS Signatures
792(1)
Tools to Help with Monitoring and Tuning
793(2)
ASDM and IME
793(1)
CSM Event Manager
794(1)
Removing False Positive IPS Events from the Event Table
794(1)
Splunk
794(1)
RSA Security Analytics
794(1)
Displaying and Clearing Statistics in the Cisco ASA IPS
795(6)
Chapter 19 Site-to-Site IPsec VPNs 801(58)
Preconfiguration Checklist
802(3)
Configuration Steps
805(17)
Step 1: Enable ISAKMP
806(1)
Step 2: Create the ISAKMP Policy
807(1)
Step 3: Set Up the Tunnel Groups
808(2)
Step 4: Define the IPsec Policy
810(2)
Step 5: Create a Crypto Map
812(4)
Step 6: Configure Traffic Filtering (Optional)
816(1)
Step 7: Bypass NAT (Optional)
817(2)
Step 8: Enable Perfect Forward Secrecy (Optional)
819(1)
Alternative Configuration Methods Through ASDM
820(1)
Defining Site-to-Site Tunnel Using the IPsec VPN Wizard
820(1)
Defining a Site-to-Site Tunnel Through a Connection Profile
821(1)
Optional Attributes and Features
822(8)
OSPF Updates over IPsec
823(1)
Reverse Route Injection
824(2)
NAT Traversal
826(1)
Tunnel Default Gateway
827(1)
Management Access
828(1)
Fragmentation Policies
829(1)
Deployment Scenarios
830(18)
Single Site-to-Site Tunnel Configuration Using NAT-T, RRI, and IKEv2
831(1)
Configuration Steps Through ASDM
831(2)
Configuration Steps Through CLI
833(3)
Hub and Spoke Using Security Contexts
836(1)
Configuration Steps Through ASDM
837(5)
Configuration Steps Through CLI
842(6)
Monitoring and Troubleshooting Site-to-Site IPsec VPNs
848(11)
Monitoring Site-to-Site VPNs
848(4)
Troubleshooting Site-to-Site VPNs
852(2)
ISAKMP Proposal Unacceptable
854(1)
Mismatched Preshared Keys
854(1)
Incompatible IPsec Transform Set
854(1)
Mismatched Proxy Identities
855(1)
ISAKMP Captures
856(3)
Chapter 20 IPsec Remote-Access VPNs 859(72)
Cisco IPsec Remote Access VPN Solution
860(36)
IPsec (IKEv1) Remote-Access Configuration Steps
862(1)
Using the ASDM IPsec IKEv1 Remote Access VPN Wizard
863(8)
Manually Configuring IPsec (IKEv1) VPN Using ASDM and CLI
871(4)
Configuring Group Policies
875(1)
Configuring a Tunnel Group
876(13)
IPsec (IKEv2) Remote-Access Configuration Steps
889(1)
Step 1: Introduction
889(1)
Step 2: Connection Profile Identification
890(1)
Step 3: VPN Protocols
890(3)
Step 4: Client Images
893(1)
Step 5: Specify User Authentication Method
893(1)
Step 6: Specify an Address Pool
893(1)
Step 7: Network Name Resolution Servers
893(1)
Step 8: NAT Exemption
894(1)
Step 9: AnyConnect Client Deployment
894(1)
Hardware-Based VPN Clients
894(2)
Advanced Cisco IPsec VPN Features
896(14)
Tunnel Default Gateway
896(1)
Transparent Tunneling
897(1)
NAT Traversal
898(1)
IPsec over UDP
898(1)
IPsec over TCP
899(1)
IPsec Hairpinning
899(2)
VPN Load Balancing
901(3)
Client Firewalling
904(1)
Personal Firewall Check
904(2)
Central Protection Policy
906(1)
Hardware-Based Easy VPN Client Features
907(1)
Interactive Client Authentication
907(1)
Individual User Authentication
908(1)
LEAP Bypass
909(1)
Cisco IP Phone Bypass
909(1)
Hardware Client Network Extension Mode
909(1)
L2TP over IPsec Remote-Access VPN (IKEv1)
910(6)
L2TP over IPsec Remote-Access Configuration Steps
912(1)
Step 1: Select Tunnel Interface
913(1)
Step 2: Select Remote Access Client
914(1)
Step 3: Select VPN Client Authentication Method
914(1)
Step 4: Specify User Authentication Method
914(1)
Step 5: User Accounts
914(1)
Step 6: Specify an Address Pool
915(1)
Step 7: Specify Attributes Pushed to Clients
915(1)
Step 8: Select the IPsec Settings (Optional)
915(1)
Step 9: Verify the Configuration
915(1)
Windows L2TP over IPsec Client Configuration
915(1)
Deployment Scenarios
916(6)
Load Balancing of Cisco IPsec Clients and Site-to-Site Integration
916(1)
Configuration Steps Through ASDM
917(2)
Configuration Steps Using the CLI
919(3)
Monitoring and Troubleshooting Cisco Remote-Access VPNs
922(9)
Monitoring Cisco Remote-Access IPsec VPNs
922(4)
Troubleshooting Cisco IPsec VPN Clients
926(5)
Chapter 21 Configuring and Troubleshooting PKI 931(48)
Introduction to PKI
931(5)
Certificates
932(1)
Certificate Authority
933(2)
Certificate Revocation List
935(1)
Simple Certificate Enrollment Protocol
936(1)
Installing Certificates
936(21)
Installing Certificates Through ASDM
936(1)
Installing a CA Certificate from a File
937(1)
Installing an Identity Certificate from a File
938(1)
Installing a CA Certificate by the Copy-and-Paste Method
939(1)
Installing a CA Certificate Using SCEP
940(3)
Installing an Identity Certificate Using SCEP
943(2)
Installing Certificates Using the CLI
945(1)
Generating the RSA Key Pair in the CLI
945(1)
Configuring a Trustpoint
946(5)
Manual (Cut-and-Paste) Enrollment via the CLI
951(3)
Configuring CRL Options via the CLI
954(3)
The Local Certificate Authority
957(9)
Configuring the Local CA Through ASDM
958(2)
Configuring the Local CA Using the CLI
960(3)
Enrolling Local CA Users Through ASDM
963(2)
Enrolling Local CA Users Through the CLI
965(1)
Configuring IPsec Site-to-Site Tunnels Using Certificates
966(5)
Configuring the Cisco ASA to Accept Remote-Access IPsec VPN Clients Using Certificates
971(1)
Troubleshooting PKI
972(7)
Time and Date Mismatch
972(3)
SCEP Enrollment Problems
975(2)
CRL Retrieval Problems
977(2)
Chapter 22 Clientless Remote-Access SSL VPNs 979(106)
SSL VPN Design Considerations
980(2)
User Connectivity
981(1)
ASA Feature Set
981(1)
Infrastructure Planning
981(1)
Implementation Scope
981(1)
SSL VPN Prerequisites
982(5)
SSL VPN Licenses
983(1)
AnyConnect Premium
984(1)
AnyConnect Essentials 984(1)
AnyConnect Mobile 984(1)
Shared Premium Licensing 985(1)
VPN Flex Licenses 985(1)
Client Operating System and Browser and Software Requirements 986(1)
Infrastructure Requirements 987(1)
Pre-SSL VPN Configuration Guide 987(17)
Enroll Digital Certificates (Recommended) 988(1)
Step 1: Obtaining a CA Certificate 988(1)
Step 2: Request a Certificate 989(4)
Step 3: Apply Identity Certificate for SSL VPN Connections 993(1)
Set Up Tunnel and Group Policies 994(1)
Configure Group Policies 995(3)
Configure a Tunnel Group 998(2)
Set Up User Authentication 1000(4)
Clientless SSL VPN Configuration Guide 1004(37)
Enable Clientless SSL VPN on an Interface 1005(1)
Configure SSL VPN Portal Customization 1006(1)
Logon Page 1007(5)
Portal Page 1012(3)
Logout Page 1015(1)
Portal Customization and User Group 1016(3)
Full Customization 1019(5)
Configure Bookmarks 1024(2)
Configure Websites 1026(2)
Configure File Servers 1028(1)
Apply a Bookmark List to a Group Policy 1029(1)
Single Sign-on 1030(1)
Configure Web-Type ACLs 1031(3)
Configure Application Access 1034(1)
Configure Port Forwarding 1035(2)
Configure Smart Tunnels 1037(3)
Configure Client-Server Plug-ins 1040(1)
Cisco Secure Desktop 1041(13)
CSD Components 1043(1)
Secure Desktop Manager 1043(1)
Secure Desktop 1043(1)
Cache Cleaner 1043(1)
CSD Requirements 1044(1)
Supported Operating Systems 1044(1)
User Privileges 1044(1)
Supported Internet Browsers 1045(1)
Internet Browser Settings 1045(1)
CSD Architecture 1045(1)
Configuring CSD 1046(1)
Step 1: Load the CSD Package 1047(1)
Step 2: Define Prelogin Sequences 1048(6)
Host Scan 1054(6)
Host Scan Modules 1054(1)
Basic Host Scan 1055(1)
Endpoint Assessment 1055(1)
Advanced Endpoint Assessment 1055(1)
Configuring Host Scan 1056(1)
Set Up Basic Host Scan 1057(1)
Enable Endpoint Host Scan 1058(1)
Set Up an Advanced Endpoint Host Scan 1058(2)
Dynamic Access Policies 1060(15)
DAP Architecture 1061(1)
DAP Sequence of Events 1062(1)
Configuring DAP 1062(1)
Choose AAA Attributes 1063(3)
Choose Endpoint Attributes 1066(2)
Define Access Policies 1068(7)
Deployment Scenario 1075(3)
Step 1: Define Clientless Connections 1076(1)
Step 2: Configure DAP 1077(1)
Monitoring and Troubleshooting SSL VPN 1078(7)
Monitoring SSL VPN 1078(3)
Troubleshooting SSL VPN 1081(1)
Troubleshooting SSL Negotiations 1081(1)
Troubleshooting Clientless Issues 1081(2)
Troubleshooting CSD 1083(1)
Troubleshooting DAP 1083(2)
Chapter 23 Client-Based Remote-Access SSL VPNs 1085(34)
SSL VPN Deployment Considerations 1086(2)
Cisco AnyConnect Secure Mobility Client Licenses 1086(1)
Cisco ASA Design Considerations 1086(1)
ASA Feature Set 1086(1)
Infrastructure Planning 1086(1)
Implementation Scope 1087(1)
SSL VPN Prerequisites 1088(2)
Client Operating System and Browser and Software Requirements 1088(1)
Supported Operating Systems 1088(1)
Compatible Browsers 1089(1)
Infrastructure Requirements 1089(1)
ASA Placement and Requirements 1089(1)
User Account 1089(1)
Administrative Privileges 1090(1)
Pre-SSL VPN Configuration Guide 1090(6)
Enrolling Digital Certificates (Recommended) 1090(1)
Setting Up Tunnel and Group Policies 1090(1)
Configuring Group Policies 1091(1)
Configuring a Tunnel Group 1092(2)
Setting Up User Authentication 1094(2)
Cisco AnyConnect Secure Mobility Client Configuration Guide 1096(16)
Loading the Cisco AnyConnect Secure Mobility Client Package 1096(2)
Defining the Cisco AnyConnect Secure Mobility Client Attributes 1098(1)
Enabling Cisco AnyConnect Secure Mobility Client VPN Client Functionality 1099(2)
Defining a Pool of Addresses 1101(2)
Advanced Full Tunnel Features 1103(1)
Split Tunneling 1103(3)
DNS and WINS Assignment 1106(1)
Keeping the SSL VPN Client Installed 1107(1)
Configuring DTLS 1108(1)
Configuring Traffic Filters 1109(1)
AnyConnect Client Configuration 1109(1)
Creating AnyConnect Client Profile 1110(2)
Connecting from AnyConnect Client 1112(1)
Deployment Scenario of AnyConnect Client 1112(4)
Step 1: Set Up CSD for Registry Check 1114(1)
Step 2: Set Up RADIUS for Authentication 1114(1)
Step 3: Configure AnyConnect SSL VPN 1115(1)
Step 4: Enable Address Translation for Internet Access 1116(1)
Monitoring and Troubleshooting AnyConnect SSL VPNs 1116(3)
Troubleshooting SSL VPN 1116(1)
Troubleshooting SSL Negotiations 1116(1)
Troubleshooting AnyConnect Client Issues 1117(2)
Chapter 24 IP Multicast Routing 1119(12)
IGMP Support 1120(1)
PIM Sparse Mode 1120(1)
Configuring IP Multicast Routing 1120(7)
Enabling Multicast Routing 1121(1)
Statically Assigning an IGMP Group 1122(1)
Limiting IGMP States 1122(1)
IGMP Query Timeout 1123(1)
Defining the IGMP Version 1123(1)
Enabling PIM 1124(1)
Configuring Rendezvous Points 1125(1)
Filtering PIM Neighbors 1126(1)
Configuring a Static Multicast Route 1127(1)
Troubleshooting IP Multicast Routing 1127(4)
Useful show Commands 1128(1)
Useful debug Commands 1129(2)
Chapter 25 Quality of Service 1131
QoS Types 1133(3)
Traffic Prioritization 1133(1)
Traffic Policing 1134(1)
Traffic Shaping 1135(1)
QoS Architecture 1136(6)
Packet Flow Sequence 1136(1)
Packet Classification 1137(1)
IP Precedence Field 1137(1)
IP DSCP Field 1138(3)
IP Access Control List 1141(1)
IP Flow 1141(1)
VPN Tunnel Group 1141(1)
QoS and VPN Tunnels 1142(1)
Configuring Quality of Service 1142(13)
QoS Configuration via ASDM 1143(1)
Step 1: Tune Priority Queue 1143(1)
Step 2: Define a Service Policy 1144(1)
Step 3: Specify Traffic Classification Criteria 1145(3)
Step 4: Apply an Action Rule 1148(4)
QoS Configuration via CLI 1152(1)
Step 1: Tune the Priority Queue 1152(1)
Step 2: Set Up a Class Map 1152(1)
Step 3: Configure a Policy Map 1153(2)
Step 4: Apply the Policy Map on the Interface 1155(1)
QoS Deployment Scenario 1155(7)
Configuration Steps Through ASDM 1157(3)
Configuration Steps Through the CLI 1160(2)
Monitoring QoS 1162
Jazib Frahim, CCIE No. 5459, is a Principal Engineer in the Global Security Services Practice at Cisco. He has been with Cisco for over 15 years, with a focus on cyber-security and emerging security technologies. Jazib is also responsible for guiding customers in the design and implementation of security solutions and technologies in their networks with a focus on network security. He leads a team of solutions architects to guide them through the lifecycle of services and solutions development. Jazib has also been engaged in the development of a number of customer-focused services, such as managed threat defense, network-based identity, bring-your-own-device (BYOD), and many others. Jazib holds a bachelor's degree in computer engineering from Illinois Institute of Technology and a master's degree in business administration (MBA) from North Carolina State University. In addition to CISSP, Jazib also holds two CCIEs, one in routing and switching and the other in security. He has presented at many industry events, such as Cisco Live, Interop, and ISSA, on multiple occasions.

Omar Santos, CISSP No. 463598, is a Senior Incident Manager of Cisco's Product Security Incident Response Team (PSIRT), where he mentors and leads engineers and incident managers during the investigation and resolution of security vulnerabilities in all Cisco products. Omar has designed, implemented, and supported numerous secure networks for Fortune 500 companies and the U.S. government. Prior to his current role, he was a technical leader within the World Wide Security Practice and Cisco's Technical Assistance Center (TAC), where he taught, led, and mentored many engineers within both organizations. Omar is an active member of the security community, where he leads several industrywide initiatives and standards bodies. His active role helps businesses, academic institutions, state and local law enforcement agencies, and other participants that are dedicated to increasing the security of the critical infrastructure. Omar has delivered numerous technical presentations at conferences and to Cisco customers and partners, as well as many C-level executive presentations to many organizations.