Cisco Press - Cisco ASA All-In-One Firewall 2nd Edition(2010)


  • Cisco ASA All-in-One Firewall, IPS, Anti-X, and VPN Adaptive Security Appliance, Second Edition

    Jazib Frahim, CCIE No. 5459

    Omar Santos

    Cisco Press

    800 East 96th Street

    Indianapolis, IN 46240

  • Cisco ASA: All-in-One Firewall, IPS, Anti-X, and VPN Adaptive Security Appliance, Second Edition

    Jazib Frahim, Omar Santos

    Copyright 2010 Cisco Systems, Inc.

    Published by: Cisco Press, 800 East 96th Street, Indianapolis, IN 46240 USA

    All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in a review.

    Printed in the United States of America

    First Printing December 2009

    Library of Congress Cataloging-in-Publication data is on file.

    ISBN-13: 978-1-58705-819-6

    ISBN-10: 1-58705-819-7

    Warning and Disclaimer

    This book is designed to provide information about Cisco ASA. Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied.

    The information is provided on an as is basis. The authors, Cisco Press, and Cisco Systems, Inc., shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the discs or programs that may accompany it.

    The opinions expressed in this book belong to the author and are not necessarily those of Cisco Systems, Inc.

    Trademark Acknowledgments

    All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Cisco Press or Cisco Systems, Inc., cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.

    ii Cisco ASA: All-in-One Firewall, IPS, Anti-X, and VPN Adaptive Security Appliance

  • Corporate and Government Sales

    The publisher offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales, which may include electronic versions and/or custom covers and content particular to your business, training goals, marketing focus, and branding interests. For more information, please contact: U.S. Corporate and Government Sales 1-800-382-3419 [email protected]

    For sales outside the United States please contact: International [email protected]

    Feedback Information

    At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members from the professional technical community.

    Readers' feedback is a natural continuation of this process. If you have any comments regarding how we could improve the quality of this book, or otherwise alter it to better suit your needs, you can contact us through email at [email protected]. Please make sure to include the book title and ISBN in your message.

    We greatly appreciate your assistance.

    Publisher: Paul Boger

    Business Operation Manager, Cisco Press: Anand Sundaram

    Associate Publisher: Dave Dusthimer

    Manager Global Certification: Erik Ullanderson

    Executive Editor: Brett Bartow

    Technical Editors: Randy Ivener, Jay Johnston

    Managing Editor: Patrick Kanouse

    Development Editors: Kimberley Debus, Dayna Isley

    Project Editor: Seth Kerney

    Copy Editor: Margo Catts

    Book and Cover Designer: Louisa Adair

    Editorial Assistant: Vanessa Evans

    Composition: Mark Shirar

    Indexer: Ken Johnson

    Proofreaders: Water Crest Publishing, Inc., Apostrophe Editing Services


  • About the Authors

    Jazib Frahim, CCIE No. 5459, has been with Cisco Systems for more than ten years. With a bachelor's degree in computer engineering from Illinois Institute of Technology, he started out as a TAC engineer in the LAN Switching team. He then moved to the TAC Security team, where he acted as a technical leader for the security products. He led a team of 20 engineers in resolving complicated security and VPN technologies. He is currently working as a technical leader in the Worldwide Security Services Practice of Advanced Services for Network Security. He is responsible for guiding customers in the design and implementation of their networks with a focus on network security. He holds two CCIEs, one in routing and switching and the other in security. He has written numerous Cisco online technical documents and has been an active member on the Cisco online forum NetPro. He has presented at Networkers on multiple occasions and has taught many on-site and online courses to Cisco customers, partners, and employees.

    While working for Cisco, he pursued his master of business administration (MBA) degree from North Carolina State University.

    He is also an author of the following Cisco Press books:

    Cisco ASA: All-in-One Firewall, IPS, and VPN Adaptive Security Appliance

    Cisco Network Admission Control, Volume II: NAC Deployment and Troubleshooting

    SSL Remote Access VPNs

    Omar Santos is an incident manager at Cisco's Product Security Incident Response Team (PSIRT). Omar has designed, implemented, and supported numerous secure networks for Fortune 500 companies and the U.S. government, including the United States Marine Corps (USMC) and the U.S. Department of Defense (DoD). He is also the author of many Cisco online technical documents and configuration guidelines. Prior to his current role, he was a technical leader within the World Wide Security Practice and Cisco's Technical Assistance Center (TAC), where he taught, led, and mentored many engineers within both organizations.

    Omar has also delivered numerous technical presentations to Cisco customers and partners, as well as executive presentations to CEOs, CIOs, and CSOs of many organizations. He is also the author of the following Cisco Press books:

    Cisco ASA: All-in-One Firewall, IPS, and VPN Adaptive Security Appliance

    Cisco Network Admission Control, Volume II: NAC Deployment and Troubleshooting

    End-to-End Network Security: Defense-in-Depth


  • About the Technical Reviewers

    Randy Ivener, CCIE No. 10722, is a security engineer in the Cisco Security Research and Operations team. He is a CISSP and PMI PMP. He has spent many years as a network security consultant helping companies understand and secure their networks. Randy has presented security topics at industry events including Blackhat and Cisco Networkers. Before becoming immersed in information security, he spent time in software development and as a training instructor. Randy graduated from the U.S. Naval Academy and holds an MBA.

    Jay Johnston, CCIE No. 17663, is a security specialist in the Cisco TAC center located in Research Triangle Park, North Carolina. His networking career began in 2002 when he joined Cisco as a co-op while attending North Carolina State University. After graduating with a bachelor's of computer science in 2004, he joined Cisco full time as a TAC Engineer. He obtained his Security CCIE in 2007. He enjoys working for Cisco, especially the constant technical challenges that working with customers in the TAC provides.


  • Dedications

    Jazib Frahim: I would like to dedicate this book to my lovely wife, Sadaf, who has patiently put up with me during the writing process.

    I would also like to dedicate this book to my parents, Frahim and Perveen, who support and encourage me in all my endeavors.

    Finally, I would like to thank my siblings, including my brother Shazib and sisters Erum and Sana, sister-in-law Asiya, my cute nephew Shayan, and my adorable nieces Shiza and Alisha. Thank you for your patience and understanding during the development of this book.

    Omar Santos: I would like to dedicate this book to my lovely wife, Jeannette, and my two beautiful children, Hannah and Derek, who have inspired and supported me throughout the development of this book.

    I also dedicate this book to my parents, Jose and Generosa. Without their knowledge, wisdom, and guidance, I would not have the goals that I strive to achieve today.

    Acknowledgments

    We would like to thank the technical editors, Randy Ivener and Jay Johnston, for their time and technical expertise. They verified our work and corrected us in all the major and minor mistakes that were hard to find. Special thanks go to Aun Raza for reviewing many chapters prior to final editing.

    We would like to thank the Cisco Press team, especially Brett Bartow, Dayna Isley, Kimberley Debus, and Andrew Cupp for their patience, guidance, and consideration. Their efforts are greatly appreciated.

    Many thanks to our Cisco management team, including David Philips, Ken Cavanagh, and Jean Reese for their continuous support. They highly encouraged us throughout this project.

    Kudos to the Cisco ASA product development team for delivering such a great product. Their support is also greatly appreciated during the development of this book.

    Finally, we would like to acknowledge the Cisco TAC. Some of the best and brightest minds in the networking industry work there, supporting our Cisco customers often under very stressful conditions and working miracles daily. They are truly unsung heroes, and we are all honored to have had the privilege of working side by side with them in the trenches of the TAC.


  • Contents at a Glance

    Introduction xxiii

    Part I: Product Overview

    Chapter 1 Introduction to Security Technologies 1

    Chapter 2 Cisco ASA Product and Solution Overview 25

    Chapter 3 Initial Setup and System Maintenance 49

    Part II: Firewall Technology

    Chapter 4 Controlling Network Access 141

    Chapter 5 IP Routing 231

    Chapter 6 Authentication, Authorization, and Accounting (AAA) 311

    Chapter 7 Application Inspection 349

    Chapter 8 Virtualization 415

    Chapter 9 Transparent Firewalls 474

    Chapter 10 Failover and Redundancy 521

    Chapter 11 Quality of Service 577

    Part III: Intrusion Prevention System (IPS) Solutions

    Chapter 12 Configuring and Troubleshooting Intrusion Prevention System (IPS) 615

    Chapter 13 Tuning and Monitoring IPS 677

    Part IV: Content Security

    Chapter 14 Configuring Cisco Content Security and Control Security Services Module 689

    Chapter 15 Monitoring and Troubleshooting the Cisco Content Security and Control Security Services Module 715

    Part V: Virtual Private Network (VPN) Solutions

    Chapter 16 Site-to-Site IPSec VPNs 735

    Chapter 17 IPSec Remote-Access VPNs 799

    Chapter 18 Public Key Infrastructure (PKI) 869

    Chapter 19 Clientless Remote-Access SSL VPNs 923

    Chapter 20 Client-Based Remote-Access SSL VPNs 1027

    Index 1067


  • Contents

    Introduction xxiii

    Part I: Product Overview

    Chapter 1 Introduction to Security Technologies 1

    Firewalls 1

    Network Firewalls 2

    Stateful Inspection Firewalls 6

    Deep Packet Inspection 7

    Personal Firewalls 7

    Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) 8

    Pattern Matching and Stateful Pattern-Matching Recognition 9

    Protocol Analysis 10

    Heuristic-Based Analysis 11

    Anomaly-Based Analysis 11

    Virtual Private Networks 12

    Technical Overview of IPSec 14

    SSL VPNs 21

    Summary 23

    Chapter 2 Cisco ASA Product and Solution Overview 25

    Cisco ASA 5505 Model 26

    Cisco ASA 5510 Model 29

    Cisco ASA 5520 Model 34

    Cisco ASA 5540 Model 36

    Cisco ASA 5550 Model 36

    Cisco ASA 5580-20 and 5580-40 Models 38

    Cisco ASA 5580-20 39

    Cisco ASA 5580-40 40

    Cisco ASA AIP-SSM Module 41

    Cisco ASA AIP-SSM-10 43

    Cisco ASA AIP-SSM-20 43

    Cisco ASA AIP-SSM-40 43

    Cisco ASA Gigabit Ethernet Modules 44

    Cisco ASA 4GE-SSM 44

    Cisco ASA 5580 Expansion Cards 45

    Cisco ASA CSC-SSM Module 46

    Summary 47


  • Chapter 3 Initial Setup and System Maintenance 49

    Accessing the Cisco ASA Appliances 49

    Establishing a Console Connection 50

    Command-Line Interface 52

    Managing Licenses 54

    Initial Setup 57

    Initial Setup via CLI 57

    Initial Setup of ASDM 58

    Device Setup 67

    Setting Up Device Name and Passwords 67

    Configuring an Interface 69

    DHCP Services 76

    IP Version 6 78

    IPv6 Header 78

    Configuring IPv6 80

    Setting Up the System Clock 84

    Manual Clock Adjustment 84

    Automatic Clock Adjustment Using the Network Time Protocol 86

    Configuration Management 88

    Running Configuration 88

    Startup Configuration 92

    Removing the Device Configuration 93

    Remote System Management 94

    Telnet 95

    Secure Shell (SSH) 98

    System Maintenance 101

    Software Installation 101

    Password Recovery Process 106

    Disabling the Password Recovery Process 109

    System Monitoring 113

    System Logging 113

    NetFlow Secure Event Logging (NSEL) 125

    Simple Network Management Protocol (SNMP) 128

    Device Monitoring and Troubleshooting 133

    CPU and Memory Monitoring 133

    Troubleshooting Device Issues 136

    Summary 139


  • Part II: Firewall Technology

    Chapter 4 Controlling Network Access 141

    Packet Filtering 141

    Types of ACLs 144

    Comparing ACL Features 146

    Configuring Traffic Filtering 147

    Thru-Traffic Filtering via CLI 147

    Thru-Traffic Filtering via ASDM 152

    To-The-Box-Traffic Filtering 154

    Set Up an IPv6 ACL (Optional) 157

    Advanced ACL Features 159

    Object Grouping 159

    Standard ACLs 166

    Time-Based ACLs 167

    Downloadable ACLs 170

    ICMP Filtering 172

    Content and URL Filtering 173

    Content Filtering 173

    URL Filtering 175

    Deployment Scenarios for Traffic Filtering 185

    Using ACLs to Filter Inbound Traffic 185

    Using Websense to Enable Content Filtering 190

    Monitoring Network Access Control 193

    Monitoring ACLs 193

    Monitoring Content Filtering 198

    Understanding Address Translation 199

    Network Address Translation 200

    Port Address Translation 202

    Address Translation and Interface Security Levels 203

    Packet Flow Sequence 204

    Security Protection Mechanisms Within Address Translation 204

    Configuring Address Translation 206

    Bypassing Address Translation 218

    NAT Order of Operation 222

    Integrating ACLs and NAT 223

    DNS Doctoring 225

    Monitoring Address Translations 229

    Summary 230


  • Chapter 5 IP Routing 231

    Configuring Static Routes 231

    Static Route Monitoring 234

    Displaying the Routing Table 239

    RIP 240

    Configuring RIP 241

    RIP Authentication 244

    RIP Route Filtering 246

    Configuring RIP Redistribution 249

    Troubleshooting RIP 249

    OSPF 252

    Configuring OSPF 254

    Troubleshooting OSPF 272

    EIGRP 280

    Configuring EIGRP 280

    Troubleshooting EIGRP 292

    IP Multicast 301

    IGMP Stub Mode 301

    PIM Sparse Mode 301

    Configuring Multicast Routing 302

    Troubleshooting IP Multicast Routing 308

    Summary 310

    Chapter 6 Authentication, Authorization, and Accounting (AAA) 311

    AAA Protocols and Services Supported by Cisco ASA 312

    RADIUS 314

    TACACS+ 316

    RSA SecurID 316

    Microsoft Windows NT 317

    Active Directory and Kerberos 318

    Lightweight Directory Access Protocol 318

    HTTP Form Protocol 318

    Defining an Authentication Server 318

    Configuring Authentication of Administrative Sessions 325

    Authenticating Telnet Connections 325

    Authenticating SSH Connections 327

    Authenticating Serial Console Connections 329

    Authenticating Cisco ASDM Connections 329


  • Authenticating Firewall Sessions (Cut-Through Proxy Feature) 330

    Authentication Timeouts 335

    Customizing Authentication Prompts 335

    Configuring Authorization 336

    Command Authorization 338

    Configuring Downloadable ACLs 339

    Configuring Accounting 340

    RADIUS Accounting 341

    TACACS+ Accounting 343

    Troubleshooting Administrative Connections to Cisco ASA 344

    Troubleshooting Firewall Sessions (Cut-Through Proxy) 347

    Summary 347

    Chapter 7 Application Inspection 349

    Enabling Application Inspection 351

    Selective Inspection 353

    Computer Telephony Interface Quick Buffer Encoding Inspection 356

    Distributed Computing Environment Remote Procedure Calls (DCERPC) 358

    Domain Name System 359

    Extended Simple Mail Transfer Protocol 363

    File Transfer Protocol 367

    General Packet Radio Service Tunneling Protocol 369

    GTPv0 369

    GTPv1 372

    Configuring GTP Inspection 373

    H.323 376

    H.323 Protocol Suite 376

    H.323 Version Compatibility 378

    Enabling H.323 Inspection 380

    Direct Call Signaling and Gatekeeper Routed Control Signaling 382

    T.38 382

    Unified Communications Advanced Support 383

    Phone Proxy 383

    TLS Proxy 388

    Mobility Proxy 389

    Presence Federation Proxy 390


  • HTTP 390

    Enabling HTTP Inspection 391

    ICMP 399

    ILS 399

    Instant Messenger (IM) 400

    IPSec Pass-Through 403

    MGCP 404

    NetBIOS 406

    PPTP 406

    Sun RPC 407

    RSH 407

    RTSP 408

    SIP 408

    Skinny (SCCP) 410

    SNMP 411

    SQL*Net 412

    TFTP 412

    WAAS 413

    XDMCP 413

    Summary 413

    Chapter 8 Virtualization 415

    Architectural Overview 417

    System Execution Space 417

    Admin Context 418

    User Context 419

    Packet Classification 421

    Packet Flow in Multiple Mode 424

    Configuration of Security Contexts 427

    Step 1: Enable Multiple Security Contexts Globally 427

    Step 2: Set Up the System Execution Space 430

    Step 3: Allocate Interfaces 433

    Step 4: Specify a Configuration URL 434

    Step 5: Configure an Admin Context 435

    Step 6: Configure a User Context 437

    Step 7: Manage the Security Contexts (Optional) 438

    Step 8: Resource Management (Optional) 439


  • Deployment Scenarios 443

    Virtual Firewalls That Use Non-Shared Interfaces 443

    Virtual Firewalls That Use a Shared Interface 454

    Monitoring and Troubleshooting the Security Contexts 466

    Monitoring 466

    Troubleshooting 468

    Summary 470

    Chapter 9 Transparent Firewalls 471

    Architectural Overview 474

    Single-Mode Transparent Firewalls 474

    Multimode Transparent Firewalls 477

    Restrictions Within Transparent Firewalls 478

    Transparent Firewalls and VPNs 479

    Transparent Firewalls and NAT 479

    Configuration of Transparent Firewalls 482

    Configuration Guidelines 482

    Configuration Steps 483

    Deployment Scenarios 496

    SMTF Deployment 496

    MMTF Deployment with Security Contexts 502

    Monitoring and Troubleshooting the Transparent Firewalls 514

    Monitoring 514

    Troubleshooting 516

    Summary 519

    Chapter 10 Failover and Redundancy 521

    Architectural Overview 521

    Conditions that Trigger Failover 523

    Failover Interface Tests 523

    Stateful Failover 524

    Hardware and Software Requirements 525

    Types of Failover 527

    Interface-Level Failover 531

    Failover Configuration 533

    Device-Level Redundancy Configuration 533

    ASDM Failover Wizard Configuration 548

    Interface Level Redundancy Configuration 550

    Optional Failover Commands 552

    Zero-Downtime Software Upgrade 557


  • Deployment Scenarios 559

    Active/Standby Failover in Single Mode 560

    Active/Active Failover in Multiple Security Contexts 564

    Monitoring and Troubleshooting Failovers 569

    Monitoring 569

    Troubleshooting 572

    Summary 575

    Chapter 11 Quality of Service 577

    QoS Types 579

    Traffic Prioritization 579

    Traffic Policing 579

    Traffic Shaping 581

    QoS Architecture 582

    Packet Flow Sequence 582

    Packet Classification 583

    QoS and VPN Tunnels 587

    Configuring Quality of Service 588

    QoS Configuration via ASDM 589

    QoS Configuration via CLI 596

    QoS Deployment Scenarios 600

    QoS for VoIP Traffic 600

    QoS for the Remote-Access VPN Tunnels 607

    Monitoring QoS 611

    Summary 613

    Part III: Intrusion Prevention System (IPS) Solutions

    Chapter 12 Configuring and Troubleshooting Intrusion Prevention System (IPS) 615

    Overview of the Adaptive Inspection Prevention Security Services Module (AIP-SSM) and Adaptive Inspection Prevention Security Services Card (AIP-SSC) 615

    AIP-SSM and AIP-SSC Management 616

    Inline Versus Promiscuous Mode 617

    Cisco IPS Software Architecture 619

    MainApp 620

    SensorApp 621

    Attack Response Controller 622

    AuthenticationApp 623

    cipsWebserver 623


  • Logger 624

    EventStore 624

    CtlTransSource 625

    Configuring the AIP-SSM 625

    Introduction to the CIPS CLI 625

    User Administration 632

    AIP-SSM Maintenance 636

    Adding Trusted Hosts 636

    Upgrading the CIPS Software and Signatures 637

    Displaying Software Version and Configuration Information 643

    Backing Up Your Configuration 647

    Displaying and Clearing Events 648

    Advanced Features and Configuration 650

    Custom Signatures 651

    IP Logging 656

    Configuring Blocking (Shunning) 659

    Cisco Security Agent Integration 662

    Anomaly Detection 666

    Cisco ASA Botnet Detection 670

    Dynamic and Administrator Blacklist Data 670

    DNS Snooping 672

    Traffic Classification 672

    Summary 675

    Chapter 13 Tuning and Monitoring IPS 677

    IPS Tuning 677

    Disabling IPS Signatures 679

    Retiring IPS Signatures 680

    Monitoring and Tuning the AIP-SSM Using CS-MARS 681

    Adding the AIP-SSM in CS-MARS 682

    Tuning the AIP-SSM Using CS-MARS 683

    Displaying and Clearing Statistics 684

    Summary 688

    Part IV: Content Security

    Chapter 14 Configuring Cisco Content Security and Control Security Services Module 689

    Initial CSC SSM Setup 690


  • Configuring CSC SSM Web-Based Features 694

    URL Blocking and Filtering 695

    File Blocking 697

    HTTP Scanning 699

    Configuring CSC SSM Mail-Based Features 701

    SMTP Scanning 701

    SMTP Anti-Spam 704

    SMTP Content Filtering 708

    POP3 Support 709

    Configuring CSC SSM File Transfer Protocol (FTP) 709

    Configuring FTP Scanning 709

    FTP File Blocking 712

    Summary 713

    Chapter 15 Monitoring and Troubleshooting the Cisco Content Security and Control Security Services Module 715

    Monitoring the CSC SSM 715

    Detailed Live Event Monitoring 717

    Configuring Syslog 718

    Troubleshooting the CSC SSM 719

    Re-Imaging the CSC SSM 719

    Password Recovery 722

    Configuration Backup 724

    Upgrading the CSC SSM Software 726

    CLI Troubleshooting Tools 726

    Summary 734

    Part V: Virtual Private Network (VPN) Solutions

    Chapter 16 Site-to-Site IPSec VPNs 735

    Preconfiguration Checklist 736

    Configuration Steps 738

    Step 1: Enable ISAKMP 739

    Step 2: Create the ISAKMP Policy 739

    Step 3: Set Up the Tunnel Groups 741

    Step 4: Define the IPSec Policy 743

    Step 5: Create a Crypto Map 745

    Step 6: Configure Traffic Filtering (Optional) 749

    Step 7: Bypass NAT (Optional) 751

    Alternate Configuration Methods Through ASDM 752


  • Advanced Features 754

    OSPF Updates over IPSec 755

    Reverse Route Injection 757

    NAT Traversal 758

    Tunnel Default Gateway 759

    Management Access 760

    Perfect Forward Secrecy 761

    Modifying Default Parameters 762

    Security Association Lifetimes 763

    Phase 1 Mode 764

    Connection Type 764

    ISAKMP Keepalives 766

    IPSec and Packet Fragmentation 767

    Deployment Scenarios 768

    Single Site-to-Site Tunnel Configuration Using NAT-T 769

    Fully Meshed Topology with RRI 775

    Monitoring and Troubleshooting Site-to-Site IPSec VPNs 789

    Monitoring Site-to-Site VPNs 789

    Troubleshooting Site-to-Site VPNs 793

    Summary 798

    Chapter 17 IPSec Remote-Access VPNs 799

    Cisco IPSec Remote Access VPN Solution 800

    IPSec Remote-Access Configuration Steps 801

    Step 2: Create the ISAKMP Policy 803

    Step 3: Set Up Tunnel and Group Policies 805

    Step 4: Define the IPSec Policy 809

    Step 5: Configure User Authentication 810

    Step 6: Assign an IP Address 812

    Step 7: Create a Crypto Map 816

    Step 8: Configure Traffic Filtering (Optional) 817

    Step 9: Bypass NAT (Optional) 818

    Step 10: Set Up Split Tunneling (Optional) 818

    Step 11: Assign DNS and WINS (Optional) 821

    Alternate Configuration Method through ASDM 822

    Cisco VPN Client Configuration 824


  • Advanced Cisco IPSec VPN Features 828

    Tunnel Default Gateway 828

    Transparent Tunneling 829

    IPSec Hairpinning 831

    VPN Load Balancing 833

    Client Firewalling 836

    Hardware-Based Easy VPN Client Features 840

    L2TP Over IPSec Remote Access VPN Solution 843

    L2TP over IPSec Remote-Access Configuration Steps 845

    Windows L2TP over IPSec Client Configuration 848

    Deployment Scenarios 849

    Load Balancing of Cisco IPSec Clients and Site-to-Site Integration 849

    L2TP over IPSec with Traffic Hairpinning 855

    Monitoring and Troubleshooting Cisco Remote-Access VPN 860

    Monitoring Cisco Remote Access IPSec VPNs 860

    Troubleshooting Cisco IPSec VPN Clients 865

    Summary 868

    Chapter 18 Public Key Infrastructure (PKI) 869

    Introduction to PKI 869

    Certificates 870

    Certificate Authority (CA) 871

    Certificate Revocation List 873

    Simple Certificate Enrollment Protocol 874

    Installing Certificates 874

    Installing Certificates Through ASDM 874

    Installing Certificates Using the CLI 883

    The Local Certificate Authority 896

    Configuring the Local CA Through ASDM 896

    Configuring the Local CA Using the CLI 899

    Enrolling Local CA Users Through ASDM 901

    Enrolling Local CA Users Through the CLI 904

    Configuring IPSec Site-to-Site Tunnels Using Certificates 906

    Configuring the Cisco ASA to Accept Remote-Access IPSec VPN Clients Using Certificates 910

    Enrolling the Cisco VPN Client 911

    Configuring the Cisco ASA 914


  • Troubleshooting PKI 917

    Time and Date Mismatch 917

    SCEP Enrollment Problems 920

    CRL Retrieval Problems 921

    Summary 922

    Chapter 19 Clientless Remote-Access SSL VPNs 923

    SSL VPN Design Considerations 924

    User Connectivity 924

    ASA Feature Set 925

    Infrastructure Planning 925

    Implementation Scope 925

    SSL VPN Prerequisites 926

    SSL VPN Licenses 926

    Client Operating System and Browser and Software Requirements 930

    Infrastructure Requirements 931

    Pre-SSL VPN Configuration Guide 931

    Enroll Digital Certificates (Recommended) 931

    Set Up Tunnel and Group Policies 937

    Set Up User Authentication 943

    Clientless SSL VPN Configuration Guide 947

    Enable Clientless SSL VPN on an Interface 949

    Configure SSL VPN Portal Customization 949

    Configure Bookmarks 965

    Configure Web-Type ACLs 970

    Configure Application Access 973

    Configure Client-Server Plug-ins 979

    Cisco Secure Desktop 980

    CSD Components 981

    CSD Requirements 983

    CSD Architecture 984

    Configuring CSD 985

    Host Scan 998

    Host Scan Modules 999

    Configuring Host Scan 1000

    Dynamic Access Policies 1003

    DAP Architecture 1004


  • DAP Sequence of Events 1005

    Configuring DAP 1006

    Deployment Scenarios 1017

    Step 1: Define Clientless Connections 1019

    Step 2: Configure DAP 1020

    Monitoring and Troubleshooting SSL VPN 1021

    Monitoring SSL VPN 1021

    Troubleshooting SSL VPN 1024

    Summary 1026

    Chapter 20 Client-Based Remote-Access SSL VPNs 1027

    SSL VPN Deployment Considerations 1028

    AnyConnect Licenses 1028

    Cisco ASA Design Considerations 1031

    SSL VPN Prerequisites 1032

    Client Operating System and Browser and Software Requirements 1032

    Infrastructure Requirements 1034

    Pre-SSL VPN Configuration Guide 1035

    Enrolling Digital Certificates (Recommended) 1035

    Setting Up Tunnel and Group Policies 1035

    Setting Up User Authentication 1038

    AnyConnect VPN Client Configuration Guide 1040

    Loading the AnyConnect Package 1042

    Defining AnyConnect SSL VPN Client Attributes 1044

    Advanced Full Tunnel Features 1049

    AnyConnect Client Configuration 1055

    Deployment Scenario of AnyConnect Client 1059

    Step 1: Set Up CSD For Registry Check 1061

    Step 2: Set Up RADIUS for Authentication 1061

    Step 3: Configure AnyConnect SSL VPN 1061

    Step 4: Enable Address Translation for Internet Access 1062

    Monitoring and Troubleshooting AnyConnect SSL VPNs 1063

    Monitoring SSL VPN 1063

    Troubleshooting SSL VPN 1063

    Summary 1066

    Index 1067


  • Icons Used in This Book

    Command Syntax Conventions

    The conventions used to present command syntax in this book are the same conventions used in the IOS Command Reference. The Command Reference describes these conventions as follows:

    Boldface indicates commands and keywords that are entered literally as shown. In actual configuration examples and output (not general command syntax), boldface indicates commands that are manually input by the user (such as a show command).

    Italic indicates arguments for which you supply actual values.

    Vertical bars (|) separate alternative, mutually exclusive elements.

    Square brackets ([ ]) indicate an optional element.

    Braces ({ }) indicate a required choice.

    Braces within brackets ([{ }]) indicate a required choice within an optional element.

    Icon legend (device and link icons used in the figures): PC, Cisco ASA 5500, Secure Server, Cisco CallManager, Terminal, File Server, Web Server, CiscoWorks Workstation, Printer, Laptop, IBM Mainframe, Front End Processor, Cluster Controller, Modem, DSU/CSU, Router, Bridge, Hub, Catalyst Switch, Multilayer Switch, ATM Switch, ISDN/Frame Relay Switch, Communication Server, Gateway, Access Server, Network Cloud, Voice-Enabled Router. Line styles: Ethernet, FDDI, Serial, Switched Serial.


  • Introduction

    Network security has always been a challenge for many organizations that cannot deploy separate devices to provide firewall, intrusion prevention, and virtual private network (VPN) services. The Cisco ASA is a high-performance, multifunction security appliance that offers firewall, IPS, network antivirus, and VPN services. The Cisco ASA delivers these features through improved network integration, resiliency, and scalability.

    This book is an insider's guide to planning, implementing, configuring, and troubleshooting the Cisco Adaptive Security Appliances. It delivers expert guidance from senior Cisco network security consulting engineers. It demonstrates how adaptive identification and mitigation services on the Cisco ASA provide a sophisticated network security solution to small, medium, and large organizations. This book brings together expert guidance for virtually every challenge you will face, from building basic network security policies to advanced VPN and IPS implementations.

    Who Should Read This Book?

    This book serves as a guide for any network professional who manages network security or installs and configures firewalls, VPN devices, or intrusion detection/prevention systems. It encompasses topics from an introductory level to advanced topics on security and VPNs. The requirements of the reader include a basic knowledge of TCP/IP and networking.

    How This Book Is Organized

    This book has five parts, which provide a Cisco ASA product introduction and then focus on firewall features, intrusion prevention, content security, and VPNs. Each part includes many sample configurations, accompanied by in-depth analyses of design scenarios. Your learning is further enhanced by a discussion of a set of debugs included in each technology. Groundbreaking features, such as SSL VPN and virtual and Layer 2 firewalls, are discussed extensively.

    The core chapters, Chapters 2 through 12, cover the following topics:

    Part I, Product Overview, includes the following chapters:

    Chapter 1, Introduction to Security Technologies: This chapter provides an overview of different technologies that are supported by the Cisco ASA and widely used by today's network security professionals.

    Chapter 2, Cisco ASA Product and Solution Overview: This chapter describes how the Cisco ASA incorporates features from each of these products, integrating comprehensive firewall, intrusion detection and prevention, and VPN technologies in a cost-effective, single-box format. Additionally, it provides a hardware overview of the Cisco ASA, including detailed technical specifications and installation guidelines. It also covers an overview of the Adaptive Inspection and Prevention Security Services Module (AIP-SSM) and Content Security and Control Security Services Module (CSC-SSM).

  • Chapter 3, Initial Setup and System Maintenance: A comprehensive list of initial setup tasks and system maintenance procedures is included in this chapter. These tasks and procedures are intended to be used by network professionals who will be installing, configuring, and managing the Cisco ASA.

    Part II, Firewall Technology, includes the following chapters:

    Chapter 4, Controlling Network Access: The Cisco ASA can protect one or more networks from intruders. Connections between these networks can be carefully controlled by advanced firewall capabilities, enabling you to ensure that all traffic from and to the protected networks passes only through the firewall based on the organization's security policy. This chapter shows you how to implement your organization's security policy, using the features the Cisco ASA provides.

    Chapter 5, IP Routing: This chapter covers the different routing capabilities of the Cisco ASA.

    Chapter 6, Authentication, Authorization, and Accounting (AAA): The Cisco ASA supports a wide range of AAA features. This chapter provides guidelines on how to configure AAA services by defining a list of authentication methods applied to various implementations.

    Chapter 7, Application Inspection: The Cisco ASA stateful application inspection helps to secure the use of applications and services in your network. This chapter describes how to use and configure application inspection.

    Chapter 8, Virtualization: The Cisco ASA virtual firewall feature introduces the concept of operating multiple instances of firewalls (contexts) within the same hardware platform. This chapter shows how to configure and troubleshoot each of these security contexts.

    Chapter 9, Transparent Firewalls: This chapter introduces the transparent (Layer 2) firewall model within the Cisco ASA. It explains how users can configure the Cisco ASA in transparent single mode and multiple mode while accommodating their security needs.

    Chapter 10, Failover and Redundancy: This chapter discusses the different redundancy and failover mechanisms that the Cisco ASA provides. It includes not only the overview and configuration, but also detailed troubleshooting procedures.

    Chapter 11, Quality of Service: QoS is a network feature that lets you give priority to certain types of traffic. This chapter covers how to configure and troubleshoot QoS in the Cisco ASA.

    Part III, Intrusion Prevention System (IPS) Solutions, includes the following chapters:

    Chapter 12, Configuring and Troubleshooting Intrusion Prevention System (IPS): Intrusion detection and prevention systems provide a level of protection beyond the firewall by securing the network against internal and external attacks and threats. This chapter describes the integration of Intrusion Prevention System (IPS) features within the Cisco ASA and expert guidance on how to configure the AIP-SSM IPS software. Troubleshooting scenarios are also included to enhance learning.

    Chapter 13, Tuning and Monitoring IPS: This chapter covers the IPS tuning process, as well as best practices on how to monitor IPS events.

    Part IV, Content Security, includes the following chapters:

    Chapter 14, Configuring Cisco Content Security and Control Security Services Module: The Content Security and Control Security Services Module (CSC-SSM) is used to detect and take action on viruses, worms, Trojans, and other security threats. It supports the inspection of SMTP, POP3, HTTP, and FTP network traffic. This chapter provides configuration and troubleshooting guidelines to successfully deploy the CSC-SSM within your organization.

    Chapter 15, Monitoring and Troubleshooting the Cisco Content Security and Control Security Services Module: This chapter provides best practices and methodologies used while monitoring the CSC-SSM and troubleshooting any problems you may encounter.

    Part V, Virtual Private Network (VPN) Solutions, includes the following chapters:

    Chapter 16, Site-to-Site IPSec VPNs: The Cisco ASA supports IPSec VPN features that enable you to connect networks in different geographic locations. This chapter provides configuration and troubleshooting guidelines to successfully deploy site-to-site IPSec VPNs.

    Chapter 17, IPSec Remote-Access VPNs: This chapter discusses two IPSec remote-access VPN solutions (Cisco IPSec and L2TP over IPSec) that are supported on the Cisco ASA. A large number of sample configurations and troubleshooting scenarios are provided.

    Chapter 18, Public Key Infrastructure (PKI): This chapter starts by introducing PKI concepts. It then covers the configuration and troubleshooting of PKI in the Cisco ASA.

    Chapter 19, Clientless Remote-Access SSL VPNs: This chapter provides details about the Clientless SSL VPN functionality in Cisco ASA. This chapter covers the Cisco Secure Desktop (CSD) solution in detail and also discusses the Host Scan feature that is used to collect posture information about end-workstations. The dynamic access policy (DAP) feature, its usage, and detailed configuration examples are also provided. To reinforce learning, many different deployment scenarios are presented along with their configurations.

    Chapter 20, Client-Based Remote-Access SSL VPNs: This chapter provides details about the AnyConnect SSL VPN functionality in Cisco ASA.


  • Chapter 1

    Introduction to Security Technologies

    This chapter covers the following topics:

    Firewalls

    Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS)

    Monitoring and troubleshooting

    The cost of reported computer and network security breaches at enterprises, schools, and government organizations has risen dramatically during the last several years. Both hints and detailed instructions for creating exploits to break into networks and computer systems are becoming more easily available on the Internet, consequently requiring network security professionals to carefully analyze what techniques they deploy to mitigate these risks.

    Security threats vary from distributed denial-of-service (DDoS) attacks to viruses, worms, Trojan horses, and theft of information. These threats can easily destroy or corrupt vital data, requiring difficult and expensive remediation tasks to restore business continuity.

    This chapter introduces the essentials of network security technologies and provides the necessary foundation for technologies involved in the Cisco Adaptive Security Appliances (ASA) security features and solutions.

    Firewalls

    A detailed understanding of how firewalls and their related technologies work is extremely important for all network security professionals. This knowledge helps you to configure and manage the security of your networks accurately and effectively. The word firewall commonly describes systems or devices that are placed between a trusted and an untrusted network.

    Several network firewall solutions offer user and application policy enforcement that provides protection for different types of security threats. They often provide logging capabilities that enable the security administrators to identify, investigate, validate, and mitigate such threats.

    Additionally, several software applications can run on a system to protect only that host. These types of applications are known as personal firewalls. This section includes an overview of network and personal firewalls and their related technologies.

    Network Firewalls

    Network-based firewalls provide key features used for perimeter security. The primary task of a network firewall is to deny or permit traffic that attempts to enter the network based on explicit preconfigured policies and rules. The processes used to allow or block traffic may include the following:

    Simple packet-filtering techniques

    Multifaceted application proxies

    Stateful inspection systems

    Network address translation

    Packet-Filtering Techniques

    The purpose of packet filters is simply to control access to specific network segments by defining which traffic can pass through them. They usually inspect incoming traffic at the transport layer of the Open System Interconnection (OSI) model. For example, packet filters can analyze Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) packets and judge them against a set of predetermined rules called access control lists (ACLs). They inspect the following elements within a packet:

    Source address

    Destination address

    Source port

    Destination port

    Protocol

    Note Packet filters do not commonly inspect additional Layer 3 and Layer 4 fields such as sequence numbers, TCP control flags, and TCP acknowledgement (ACK) fields.

    Various packet-filtering firewalls can also inspect packet header information to find out whether the packet is from a new or an existing connection. Simple packet-filtering firewalls have several limitations and weaknesses:

    Their ACLs or rules can be relatively large and difficult to manage.

  • Chapter 1: Introduction to Security Technologies 3

    They can be deceived into permitting unauthorized access of spoofed packets. Attackers can orchestrate a packet with an IP address that is authorized by the ACL.

    Numerous applications can build multiple connections on arbitrarily negotiated ports. This makes it difficult to determine which ports will be selected and used until after the connection is completed. Examples of this type of application are multimedia applications such as RealAudio, QuickTime, and other streaming audio and video applications. Packet filters do not understand the underlying upper-layer protocols used by this type of application, and providing support for this type of application is difficult because the ACLs need to be manually configured in packet-filtering firewalls.

    Application Proxies

    Application proxies, or proxy servers, are devices that operate as intermediary agents on behalf of clients that are on a private or protected network. Clients on the protected network send connection requests to the application proxy to transfer data to the unprotected network or the Internet. Consequently, the application proxy sends the request on behalf of the internal client. The majority of proxy firewalls work at the application layer of the OSI model. Most proxy firewalls can cache information to accelerate their transactions. This is a great tool for networks that have numerous servers that experience high usage. Additionally, proxy firewalls can protect against some web-server-specific attacks; however, in most cases, they do not provide any protection against the web application itself. Another disadvantage of application proxies is their inability to scale. This makes them difficult to deploy in large environments.

    Network Address Translation

    Several Layer 3 devices can provide Network Address Translation (NAT) services. The Layer 3 device translates the internal host's private (or local) IP addresses to a publicly routable (or global) address. NAT is often used by firewalls; however, other devices such as routers and wireless access points provide support for NAT. By using NAT, the firewall hides the internal private addresses from the unprotected network, and exposes only its own address or public range. This enables a network professional to use any IP address space as the internal network. A best practice is to use the address spaces that are reserved for private use (see RFC 1918, Address Allocation for Private Internets). Table 1-1 lists the private address ranges specified in RFC 1918.

    Table 1-1 RFC 1918 Private Address Ranges

    Network Address Range              Network/Mask
    10.0.0.0–10.255.255.255            10.0.0.0/8
    172.16.0.0–172.31.255.255          172.16.0.0/12
    192.168.0.0–192.168.255.255        192.168.0.0/16

    Figure 1-1 PAT Example (figure not reproduced): Host A (10.10.10.8) on the inside network 10.10.10.0/24 sends a packet with source address 10.10.10.8, source port 1024, destination address 209.165.200.232, destination port 80. The ASA performing Port Address Translation (PAT) forwards it to the outside with source address 209.165.200.228, source port 1188, destination address 209.165.200.232, destination port 80.

    It is important to think about the different private address spaces when you plan your network (for example, the number of hosts and subnets that can be configured). Careful planning and preparation leads to substantial time savings if changes are encountered down the road.

    Tip The whitepaper titled A Security-Oriented Approach to IP Addressing provides numerous tips on planning and preparing your network IP address scheme. This whitepaper is posted at the following link:

    http://www.cisco.com/web/about/security/intelligence/security-for-ip-addr.html

    Port Address Translation

    Normally, firewalls perform a technique called Port Address Translation (PAT). This feature is a subset of the NAT feature that allows many devices on the internal protected network to share one IP address by inspecting the Layer 4 information on the packet. This address is usually the firewall's public address; however, it can be configured to any other available public IP address. Figure 1-1 shows how PAT works.

    As illustrated in Figure 1-1, several hosts on a protected network labeled inside are configured with an address from the network 10.10.10.0 with a 24-bit subnet mask. The ASA is performing PAT for the internal hosts and translating the 10.10.10.x addresses into its own address (209.165.200.228). In this example, Host A sends a TCP port 80 packet to the web server located in the outside unprotected network. The ASA translates the request from the original 10.10.10.8 IP address of Host A to its own address. It does this by randomly selecting a different Layer 4 source port when forwarding the request to the web server. The TCP source port is modified from 1024 to 1188 in this example.

    Static Translation

    A different methodology is used when hosts in the unprotected network need to initiate a new connection to specific hosts behind the NAT device. You do so by creating a static one-to-one mapping of the public (global) IP address to the address of the internal (local) protected device. For example, static NAT can be configured when a web server resides on the internal network and has a private IP address but needs to be contacted by hosts located in the unprotected network or the Internet. Figure 1-2 demonstrates how static translation works.

    In Figure 1-2, the web server address (10.10.10.230) is statically translated to an address in the outside network (209.165.200.230, in this case). This allows the outside host to initiate a connection to the web server by directing the traffic to 209.165.200.230. The device performing NAT then translates and sends the request to the web server on the inside network.
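As an added example, not code from the book, the following replays Figures 1-1 and 1-2 in a small translator that performs PAT for Host A and a static one-to-one mapping for the web server. The port allocation starting at 1188 (to reproduce the figure; a real ASA picks from a pool) and the source ports of the outside host 209.165.200.240 are assumptions.

```python
"""PAT and static NAT as shown in Figures 1-1 and 1-2.  Added example, not code
from the book; the addresses are the figures' values.  Port allocation starts at
1188 only to reproduce Figure 1-1 (a real ASA picks from a pool)."""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class Translator:
    """Outbound PAT behind one global address plus static one-to-one mappings."""

    def __init__(self, global_ip: str, first_port: int = 1024) -> None:
        self.global_ip = global_ip            # the firewall's own outside address
        self.next_port = first_port           # next Layer 4 port handed out for PAT
        # PAT translation table, kept in both directions for lookup:
        # (local ip, local port, proto) -> global port, and the reverse
        self.pat_out: Dict[Tuple[str, int, str], int] = {}
        self.pat_in: Dict[Tuple[int, str], Tuple[str, int]] = {}
        self.static: Dict[str, str] = {}      # local ip -> global ip
        self.static_rev: Dict[str, str] = {}  # global ip -> local ip

    def add_static(self, local_ip: str, global_ip: str) -> None:
        """Static translation: reachable from outside without prior inside traffic."""
        self.static[local_ip] = global_ip
        self.static_rev[global_ip] = local_ip

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside: rewrite the source; PAT also rewrites the source port."""
        if pkt.src_ip in self.static:
            return replace(pkt, src_ip=self.static[pkt.src_ip])
        key = (pkt.src_ip, pkt.src_port, pkt.proto)
        if key not in self.pat_out:           # first packet of this flow
            gport = self._allocate_port(pkt.proto)
            self.pat_out[key] = gport
            self.pat_in[(gport, pkt.proto)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.global_ip, src_port=self.pat_out[key])

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside: undo the translation.  None means no mapping exists,
        so the packet is dropped; that is how PAT hides the inside hosts."""
        if pkt.dst_ip in self.static_rev:
            return replace(pkt, dst_ip=self.static_rev[pkt.dst_ip])
        if pkt.dst_ip == self.global_ip:
            local = self.pat_in.get((pkt.dst_port, pkt.proto))
            if local is not None:
                return replace(pkt, dst_ip=local[0], dst_port=local[1])
        return None

    def _allocate_port(self, proto: str) -> int:
        while (self.next_port, proto) in self.pat_in:
            self.next_port += 1
        port, self.next_port = self.next_port, self.next_port + 1
        return port


def demo() -> Dict[str, Optional[Packet]]:
    """Replays the two figures: Host A's web request (PAT) and an outside host
    reaching the statically translated web server."""
    asa = Translator("209.165.200.228", first_port=1188)
    asa.add_static("10.10.10.230", "209.165.200.230")
    host_a = Packet("10.10.10.8", 1024, "209.165.200.232", 80)
    out = asa.outbound(host_a)
    reply = asa.inbound(Packet("209.165.200.232", 80, out.src_ip, out.src_port))
    # Unsolicited packet to the global address on a port nobody allocated: dropped
    unsolicited = asa.inbound(Packet("209.165.200.240", 4444, "209.165.200.228", 2000))
    to_server = asa.inbound(Packet("209.165.200.240", 5000, "209.165.200.230", 80))
    server_reply = asa.outbound(Packet("10.10.10.230", 80, "209.165.200.240", 5000))
    return {"out": out, "reply": reply, "unsolicited": unsolicited,
            "to_server": to_server, "server_reply": server_reply}


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:13} {pkt}")
```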

    Figure 1-2 Example of Static Translation (figure not reproduced): an outside host (209.165.200.240) sends a packet with source address 209.165.200.240 and destination address 209.165.200.230; the ASA (outside address 209.165.200.228) forwards it to the inside web server with destination address 10.10.10.230, because 10.10.10.230 is statically translated to 209.165.200.230.

    Figure 1-3 Firewall DMZ Configurations (figure not reproduced): the Cisco ASA connects the Internet, the internal network, DMZ 1, and DMZ 2 (business partner).

    Address translation is not limited to firewalls. Nowadays, all sorts of lower-end network devices such as simple small office, home office (SOHO) routers and wireless access points can perform different NAT techniques.

    Stateful Inspection Firewalls

    Stateful inspection firewalls provide enhanced benefits when compared to simple packet-filtering firewalls. They track every packet passing through their interfaces by assuring that they are valid, established connections. They examine not only the packet header contents, but also the application layer information within the payload. Because the packet's payload is examined, different rules can be created on the firewall to permit or deny traffic based on specific payload patterns. A stateful firewall monitors the state of the connection and maintains a database with this information, usually called the state table. The state of the connection details whether such a connection has been established, closed, reset, or is being negotiated. These mechanisms offer protection for different types of network attacks.
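To make the contrast with the packet-filtering weaknesses listed earlier concrete, here is an added example (not code from the book) that evaluates the same packets against a stateless ACL built from the five header fields under Packet-Filtering Techniques and against a firewall that keeps the state table described above. The outside host 209.165.200.240 and the TCP flags are constructed; the inside network is Figure 1-1's.

```python
"""Stateless ACL versus stateful inspection on the five header fields listed under
Packet-Filtering Techniques.  Added example; the outside host 209.165.200.240 and
the TCP flags are constructed, the inside network is Figure 1-1's."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str = "tcp"
    flags: FrozenSet[str] = frozenset()   # TCP control flags, e.g. {"SYN"}


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    src: str                    # CIDR prefix or "any"
    dst: str
    dst_port: Optional[int] = None
    established: bool = False   # stateless shortcut: match only if ACK is set

    def matches(self, p: Packet) -> bool:
        if self.src != "any" and ip_address(p.src_ip) not in ip_network(self.src):
            return False
        if self.dst != "any" and ip_address(p.dst_ip) not in ip_network(self.dst):
            return False
        if self.dst_port is not None and p.dst_port != self.dst_port:
            return False
        return not self.established or "ACK" in p.flags


def stateless_filter(acl: List[Rule], p: Packet) -> str:
    """First-match ACL evaluation with the implicit deny at the end."""
    for rule in acl:
        if rule.matches(p):
            return rule.action
    return "deny"


FlowKey = Tuple[str, str, int, str, int]


class StatefulFirewall:
    """Keeps a state table keyed by the flow 5-tuple.  Only a TCP SYN that the policy
    permits creates an entry; any other packet must belong to a tracked flow, in
    either direction, or it is dropped, a spoofed ACK included."""

    def __init__(self, acl: List[Rule]) -> None:
        self.acl = acl
        self.state: Dict[FlowKey, str] = {}   # "negotiating" | "established"

    @staticmethod
    def _key(p: Packet, reverse: bool = False) -> FlowKey:
        if reverse:
            return (p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port)
        return (p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port)

    def process(self, p: Packet) -> str:
        fwd, rev = self._key(p), self._key(p, reverse=True)
        key = fwd if fwd in self.state else rev if rev in self.state else None
        if key is not None:
            if p.flags & {"FIN", "RST"}:
                del self.state[key]                  # closed or reset: forget the flow
            elif self.state[key] == "negotiating" and {"SYN", "ACK"} <= p.flags:
                self.state[key] = "established"      # handshake reply seen
            return "permit"
        if p.proto == "tcp" and p.flags == {"SYN"} and stateless_filter(self.acl, p) == "permit":
            self.state[fwd] = "negotiating"           # policy-permitted new connection
            return "permit"
        return "deny"


INSIDE = "10.10.10.0/24"
# Stateless ACL: web out, plus the classic "established" rule so replies get back in.
STATELESS_ACL = [Rule("permit", INSIDE, "any", dst_port=80),
                 Rule("permit", "any", INSIDE, established=True)]
# The stateful policy only has to say who may open connections.
STATEFUL_ACL = [Rule("permit", INSIDE, "any", dst_port=80)]


def legitimate_session() -> List[Tuple[str, str]]:
    """Host A opens a web connection; (stateless, stateful) verdict for each packet."""
    fw = StatefulFirewall(STATEFUL_ACL)
    pkts = [Packet("10.10.10.8", "209.165.200.232", 1024, 80, flags=frozenset({"SYN"})),
            Packet("209.165.200.232", "10.10.10.8", 80, 1024, flags=frozenset({"SYN", "ACK"})),
            Packet("10.10.10.8", "209.165.200.232", 1024, 80, flags=frozenset({"ACK"})),
            Packet("209.165.200.232", "10.10.10.8", 80, 1024, flags=frozenset({"ACK", "PSH"}))]
    return [(stateless_filter(STATELESS_ACL, p), fw.process(p)) for p in pkts]


def spoofed_ack() -> Tuple[str, str]:
    """ACK-only packet from outside with no prior SYN: the weakness noted above."""
    p = Packet("209.165.200.240", "10.10.10.8", 80, 1024, flags=frozenset({"ACK"}))
    return stateless_filter(STATELESS_ACL, p), StatefulFirewall(STATEFUL_ACL).process(p)
```

The stateless ACL passes the spoofed ACK because it only sees the flag; the stateful firewall drops it because no outbound SYN ever created a state-table entry.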

    Firewalls can be configured to separate multiple network segments (or zones), usually called demilitarized zones (DMZ). These zones provide security to the systems that reside within them with different security levels and policies between them. DMZs can have several purposes; for example, they can serve as segments on which a web server farm resides or as extranet connections to a business partner. Figure 1-3 shows a firewall (a Cisco ASA in this case) with two DMZs.


    DMZs minimize the exposure of devices and clients on your internal network by allowing only recognized and managed services on those hosts to be accessible from the Internet.

    In Figure 1-3, DMZ 1 hosts web servers that are accessible by internal and Internet hosts. The Cisco ASA controls access from an extranet business partner connection on DMZ 2.

    Note In large organizations, you can deploy multiple firewalls in different segments and DMZs.

    Deep Packet Inspection

    Several applications require special handling of data packets when they pass through firewalls. These include applications and protocols that embed IP addressing information in the data payload of the packet or open secondary channels on dynamically assigned ports. Sophisticated firewalls and security appliances such as the Cisco ASA, Cisco PIX firewall, and Cisco IOS firewall offer application inspection mechanisms to handle the embedded addressing information to allow the previously mentioned applications and protocols to work. Using application inspection, these security appliances can identify the dynamic port assignments and allow data exchange on these ports during a specific connection.

    With deep packet inspection, firewalls can look at specific Layer 7 payloads to protect against security threats. For example, you can configure a Cisco ASA or a Cisco PIX firewall running version 7.0 or later to not allow peer-to-peer (P2P) applications to be transferred over the HTTP protocol. You can also configure these devices to deny specific FTP commands, HTTP content types, and other application protocols.

    Note The Cisco ASA and Cisco PIX firewall running version 7.0 or later provide a Modular Policy Framework (MPF) that offers a consistent and flexible way to configure application inspection and other features to specific traffic flows in a manner similar to the Cisco IOS Software Modular quality of service (QoS) command-line interface (CLI).

    Personal Firewalls

    Personal firewalls are popular software applications that you can install on end-user machines or servers to protect them from external security threats and intrusions. The term personal firewall typically applies to basic software that can control Layer 3 and Layer 4 access to client machines. Today, sophisticated software is available that not only provides basic personal firewall features but also protects the system based on the behavior of the applications installed on such systems. An example of this type of software is the Cisco Security Agent (CSA), which provides several features that offer more robust security than a traditional personal firewall, such as host intrusion prevention and protection against spyware, viruses, worms, Trojans, and other types of malware.

    Figure 1-4 IDS Example (figure not reproduced): an attacker sends a packet to the web servers; the IDS, listening promiscuously, raises an alert to CS-MARS while the packet still reaches the servers.

    Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS)

    Intrusion detection systems (IDS) are devices that detect (in promiscuous mode) attempts from an attacker to gain unauthorized access to a network or a host, to create performance degradation, or to steal information. They also detect distributed denial of service (DDoS) attacks, worms, and virus outbreaks. Figure 1-4 shows how an IDS device is configured to promiscuously detect security threats.

    In Figure 1-4, an attacker sends a malicious packet to a web server. The IDS device analyzes the packet and sends an alert to a monitoring system (CS-MARS in this example). The malicious packet still successfully arrives at the web server.

    Intrusion prevention system (IPS) devices, on the other hand, are capable of detecting all these security threats; however, they are also able to drop malicious packets inline.

    Figure 1-5 shows how an IPS device is placed inline and drops the noncompliant packet while sending an alert to the monitoring system.

    Two different types of IPS exist:

    Network-based (NIPS)

    Host-based (HIPS)

    Note Examples of NIPSs are the Cisco IPS 4200 sensors, the Catalyst 6500 IPS Module, and the Cisco ASA with the Advanced Inspection and Prevention Security Services Module (AIP-SSM). An example of a host-based IPS is the Cisco Security Agent (CSA).

    The Cisco ASA 5500 Series IPS Solution provides intrusion prevention, firewall, and VPN in a single, easy-to-deploy platform. Intrusion prevention services enhance firewall protection by looking deeper into the flows to provide protection against threats and vulnerabilities. Detailed IPS configuration and troubleshooting methodologies are included in Chapter 12. Additionally, Chapter 13 includes information on tuning and monitoring IPS.

    Figure 1-5 IPS Example (figure not reproduced): an attacker sends a packet to the web servers; the inline IPS drops it and raises an alert to CS-MARS.

    Network-based IDS and IPS use several detection methodologies, such as the following:

    Pattern matching and stateful pattern-matching recognition

    Protocol analysis

    Heuristic-based analysis

    Anomaly-based analysis

    Pattern Matching and Stateful Pattern-Matching Recognition

    Pattern matching is a methodology in which the intrusion detection device searches for a fixed sequence of bytes within the packets traversing the network. Generally, the pattern is aligned with a packet that is related to a specific service or, in particular, associated with a source and destination port. This approach reduces the amount of inspection made on every packet. However, it is limited to services and protocols that are associated with well-defined ports. Protocols that do not use any Layer 4 port information are not categorized. Examples of these protocols are Encapsulated Security Payload (ESP), Authentication Header (AH), and Generic Routing Encapsulation (GRE) protocol.

    This tactic uses the concept of signatures. A signature is a set of conditions that point out some type of intrusion occurrence. For example, if a specific TCP packet has a destination port of 1234 and its payload contains the string ff11ff22, an alert is triggered to detect that string.


    Alternatively, the signature could include an explicit starting point and endpoint for inspection within the specific packet.

    The benefits of the plain pattern-matching technique include the following:

    Direct correlation of an exploit

    Trigger alerts on the pattern specified

    Can be applied across different services and protocols

    One of the main disadvantages is that pattern matching can lead to a considerably high rate of false positives. False positives are alerts that do not represent a genuine malicious activity. In contrast, any alterations to the attack can lead to overlooked events of real attacks, which are normally referred to as false negatives.

    To address some of these limitations, a more refined method was created. This methodology is called stateful pattern-matching recognition. This process dictates that systems performing this type of signature analysis must consider the chronological order of packets in a TCP stream. In particular, they should judge and maintain a stateful inspection of such packets and flows.

    The advantages of stateful pattern-matching recognition include the following:

    It has the capability to directly correlate a specific exploit within a given pattern.

    Supports all non-encrypted IP protocols.

    Systems that perform stateful pattern matching keep track of the arrival order of non-encrypted packets and handle matching patterns across packet boundaries.

    However, stateful pattern-matching recognition shares some of the same restrictions of the simple pattern-matching methodology, which was discussed previously, including an uncertain rate of false positives and a possibility of some false negatives. Additionally, stateful pattern matching consumes more resources in the IPS device because it requires more memory and CPU processing.
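An added example (not the book's code) contrasting plain per-packet matching with stateful pattern matching for the signature given earlier (destination port 1234, payload string ff11ff22). The TCP segments, sequence numbers and hosts are constructed; the stateful matcher is told the initial sequence number as a stand-in for having seen the handshake.

```python
"""Plain per-packet pattern matching versus stateful pattern matching over the
reassembled TCP stream, for the signature described in the text (destination
port 1234, payload ff11ff22).  Added example; segments and hosts are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    dst_port: int
    seq: int          # TCP sequence number of the first payload byte
    payload: bytes


@dataclass(frozen=True)
class Signature:
    name: str
    dst_port: int
    pattern: bytes


def packet_match(sig: Signature, segments: List[Segment]) -> List[int]:
    """Plain pattern matching: every packet inspected on its own, in arrival order.
    Returns the indexes of the segments that matched."""
    return [i for i, s in enumerate(segments)
            if s.dst_port == sig.dst_port and sig.pattern in s.payload]


class StreamMatcher:
    """Stateful pattern matching: puts segments back in sequence order and keeps the
    last len(pattern)-1 bytes of each flow, so a pattern split across two segments
    (or delivered out of order) is still recognised."""

    def __init__(self, sigs: List[Signature]) -> None:
        self.sigs = sigs
        self.flows: Dict[Tuple[str, str, int], dict] = {}

    def open_flow(self, src: str, dst: str, dst_port: int, isn: int) -> None:
        """Called when the SYN is seen: stream data starts at isn + 1."""
        self.flows[(src, dst, dst_port)] = {"next": isn + 1, "pending": {}, "tail": b""}

    def feed(self, seg: Segment) -> List[str]:
        flow = self.flows.get((seg.src, seg.dst, seg.dst_port))
        if flow is None:                  # no handshake seen: not a tracked stream
            return []
        flow["pending"][seg.seq] = seg.payload
        alerts: List[str] = []
        # Drain every segment that is now contiguous with the stream.
        while flow["next"] in flow["pending"]:
            chunk = flow["pending"].pop(flow["next"])
            flow["next"] += len(chunk)
            alerts.extend(self._scan(flow, seg.dst_port, chunk))
        return alerts

    def _scan(self, flow: dict, dst_port: int, chunk: bytes) -> List[str]:
        window = flow["tail"] + chunk     # carry-over bytes plus the new data
        hits = [s.name for s in self.sigs
                if s.dst_port == dst_port and s.pattern in window]
        keep = max((len(s.pattern) for s in self.sigs), default=1) - 1
        flow["tail"] = window[-keep:] if keep else b""
        return hits


SIG = Signature("ff11ff22-on-1234", 1234, b"ff11ff22")

# Constructed stream: the pattern straddles two segments, delivered out of order.
SEG_A = Segment("209.165.200.240", "10.10.10.8", 1234, seq=1001, payload=b"GET /x?id=ff11")
SEG_B = Segment("209.165.200.240", "10.10.10.8", 1234,
                seq=1001 + len(SEG_A.payload), payload=b"ff22&y=1")
ARRIVAL = [SEG_B, SEG_A]


def compare() -> Tuple[List[int], List[str]]:
    """Returns (per-packet matches, stream matches) for the constructed stream."""
    matcher = StreamMatcher([SIG])
    matcher.open_flow(SEG_A.src, SEG_A.dst, SEG_A.dst_port, isn=1000)
    stream_alerts: List[str] = []
    for seg in ARRIVAL:
        stream_alerts.extend(matcher.feed(seg))
    return packet_match(SIG, ARRIVAL), stream_alerts
```

Per-packet matching misses the split pattern entirely (a false negative), while the stream matcher reports it once the missing segment arrives; the extra bookkeeping per flow is the memory and CPU cost the text mentions.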

    Protocol Analysis

    Protocol analysis (or protocol decode-base signatures) is often referred to as the extension to stateful pattern recognition. A Network Intrusion Detection System (NIDS) accomplishes protocol analysis by decoding all protocol or client-server conversations. The NIDS identifies the elements of the protocol and analyzes them while looking for an infringement. Some intrusion detection systems look at explicit protocol fields within the inspected packets. Others require more sophisticated techniques, such as examination of the length of a field within the protocol or the number of arguments. For example, in SMTP, the device may look at specific commands and fields such as HELO, MAIL, RCPT, DATA, RSET, NOOP, and QUIT. This technique diminishes the possibility of encountering false positives if the protocol being analyzed is properly defined and enforced. On the other hand, the system can generate numerous false positives if the protocol definition is ambiguous or tolerates flexibility in its implementation.

    Heuristic-Based Analysis

    A different approach to network intrusion detection is to perform heuristic-based analysis. Heuristic scanning uses algorithmic logic from statistical analysis of the traffic passing through the network. Its tasks are CPU and resource intensive, so it is an important consideration while planning your deployment. Heuristic-based algorithms may require fine tuning to adapt to network traffic and minimize the possibility of false positives. For example, a system signature can generate an alarm if a range of ports is scanned on a particular host or network. The signature can also be orchestrated to restrict itself from specific types of packets (for example, TCP SYN packets). Heuristic-based signatures call for more tuning and modification to better respond to their distinctive network environment.

    Anomaly-Based Analysis

    A different practice keeps track of network traffic that diverges from normal behavioral patterns. This practice is called anomaly-based analysis. The limitation is that what is considered to be normal must be defined. Systems and applications whose behavior can be easily considered as normal could be classified as heuristic-based systems.

    However, sometimes it is challenging to classify a specific behavior as normal or abnormal based on different factors. These factors include negotiated protocols and ports, specific application changes, and changes in the architecture of the network.

    A variation of this type of analysis is profile-based detection. This allows systems to orchestrate their alarms on alterations in the way that other systems or end users interrelate on the network.

    Another kind of anomaly-based detection is protocol-based detection. This scheme is related to, but not to be confused with, the protocol-decode method. The protocol-based detection technique depends on well-defined protocols, as opposed to the protocol-decode method, which classifies as an anomaly any unpredicted value or configuration within a field in the respective protocol. For example, a buffer overflow can be detected when specific strings are detected within the payload of the inspected IP packets.
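The following added example (not from the book) decodes the client side of an SMTP session the way the protocol-analysis signatures described under Protocol Analysis would, checking the verbs named there, their argument counts, field lengths and ordering, and so also illustrates the protocol-based detection of an oversized field just described. The sessions are constructed; the length limits are taken from RFC 5321.

```python
"""Protocol analysis of an SMTP client session: commands are decoded and checked
against the protocol definition (known verb, argument count, field length, command
sequence) rather than against a byte pattern.  Added example; sessions are
constructed and the limits come from RFC 5321."""
import re
from dataclasses import dataclass
from typing import List

MAX_LINE = 512    # RFC 5321 section 4.5.3.1.4: command line, CRLF included
MAX_PATH = 256    # RFC 5321 section 4.5.3.1.3: reverse-path or forward-path

# verb -> (min args, max args); None = no upper bound
COMMANDS = {
    "HELO": (1, 1), "EHLO": (1, 1), "MAIL": (1, 1), "RCPT": (1, 1),
    "DATA": (0, 0), "RSET": (0, 0), "NOOP": (0, None), "QUIT": (0, 0),
}
PATH_RE = re.compile(r"^(FROM|TO):<(.*)>$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str
    detail: str


def analyze_smtp(lines: List[str]) -> List[Finding]:
    """Decode one client side of an SMTP session and report protocol infringements."""
    findings: List[Finding] = []
    greeted = False            # HELO/EHLO seen
    mail_from_seen = False     # MAIL seen since the last RSET
    for n, line in enumerate(lines, start=1):
        if len(line) + 2 > MAX_LINE:
            findings.append(Finding(n, "line-too-long", f"{len(line)} octets"))
        parts = line.split()
        if not parts:
            findings.append(Finding(n, "empty-command", ""))
            continue
        verb, args = parts[0].upper(), parts[1:]
        spec = COMMANDS.get(verb)
        if spec is None:
            findings.append(Finding(n, "unknown-command", verb))
            continue
        lo, hi = spec
        if len(args) < lo or (hi is not None and len(args) > hi):
            findings.append(Finding(n, "argument-count", f"{verb} got {len(args)}"))
            continue
        if verb in ("MAIL", "RCPT"):
            m = PATH_RE.match(args[0])
            expected = "FROM" if verb == "MAIL" else "TO"
            if m is None or m.group(1).upper() != expected:
                findings.append(Finding(n, "malformed-path", args[0][:40]))
            elif len(m.group(2)) > MAX_PATH:
                # The kind of oversized field the text associates with buffer overflows
                findings.append(Finding(n, "field-too-long",
                                        f"{verb} path {len(m.group(2))} octets"))
        # Sequence rules: HELO/EHLO first, MAIL before RCPT.
        if verb in ("HELO", "EHLO"):
            greeted = True
        elif not greeted and verb not in ("NOOP", "QUIT", "RSET"):
            findings.append(Finding(n, "out-of-sequence", f"{verb} before HELO/EHLO"))
        if verb == "MAIL":
            mail_from_seen = True
        elif verb == "RCPT" and not mail_from_seen:
            findings.append(Finding(n, "out-of-sequence", "RCPT before MAIL"))
        elif verb == "RSET":
            mail_from_seen = False
    return findings


# Constructed sessions: a clean one and one with several infringements.
CLEAN = ["HELO mail.example.com", "MAIL FROM:<alice@example.com>",
         "RCPT TO:<bob@example.com>", "DATA", "QUIT"]
SUSPECT = ["RCPT TO:<bob@example.com>",          # before HELO and before MAIL
           "HELO mail.example.com",
           "BADCMD 1 2 3",                        # verb not in the protocol
           "MAIL FROM:<" + "A" * 300 + ">",       # path longer than 256 octets
           "DATA now"]                            # DATA takes no argument
```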

    Note A buffer overflow occurs when a program attempts to store more data in a temporary storage area within memory (buffer) than it was designed to hold. This might cause the data to incorrectly overflow into an adjacent area of memory. An attacker may craft specific data inserted into the adjacent buffer. Subsequently, when the corrupted data is read, the target computer executes new instructions and malicious commands.

    Traditional IDS and IPS provide excellent application layer attack-detection capabilities. However, they do have a weakness: They cannot detect DDoS attacks where the attacker uses valid packets. IDS and IPS devices are optimized for signature-based application layer attack detection. Another weakness is that these systems utilize specific signatures to identify malicious patterns, yet if a new threat appears on the network before a signature is created to identify the traffic, this could lead to false negatives. An attack for which there is no signature is called a zero-day attack.

    Although some IPS devices do offer anomaly-based capabilities, which are required to detect such attacks, they require extensive manual tuning and have a major risk of generating false positives.

    Tip Cisco IPS Software Version 6.x and later support more sophisticated anomaly detection techniques. More information can be obtained at http://www.cisco.com/go/ips.

    You can use more elaborate anomaly-based detection systems to mitigate DDoS attacks and zero-day outbreaks. Typically, an anomaly detection system monitors network traffic and alerts or reacts to any sudden increase in traffic and any other anomalies. Cisco delivers a complete DDoS protection solution based on the principles of detection, diversion, verification, and forwarding to help ensure total protection. Examples of sophisticated anomaly detection systems are the Cisco Traffic Anomaly Detectors and the Cisco Guard DDoS Mitigation Appliances.

    You can also use NetFlow as an anomaly detection tool. NetFlow is a Cisco proprietary protocol that provides detailed reporting and monitoring of IP traffic flows through a network device, such as a router, switch, or the Cisco ASA.

    Note Refer to the Cisco feature navigator to find out in what Cisco IOS image NetFlow is supported. You can access this tool at http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp.

    NetFlow support was introduced in the Cisco ASA in software version 8.2.

    NetFlow uses a UDP-based protocol to periodically report on flows seen by the Cisco IOS device. A flow consists of session setup, data transfer, and session teardown. You can also integrate NetFlow with Cisco Secure Monitoring and Response System (CS-MARS). When NetFlow is integrated with CS-MARS, you can take advantage of anomaly detection through statistical profiling, which can pinpoint day-zero attacks such as worm outbreaks.
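Statistical profiling of the kind just described, as an added example that is not from the book or from any Cisco product: constructed NetFlow-like records are used to build a per-source baseline of how many distinct destinations each host contacts per reporting interval, and a host whose fan-out suddenly jumps far above its own baseline (the footprint of a scanning worm) is flagged. Record layout, thresholds and addresses are all assumptions of the example.

```python
"""Statistical profiling over NetFlow-style flow records (added example).

Each constructed record is (interval, src, dst, dst_port, proto, packets).
Baseline intervals establish how many distinct destinations each source
normally contacts; a source whose fan-out in a later interval is far above
its own baseline is flagged, which is the sudden change a worm outbreak
produces.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed baseline: 10.1.1.5 talks to two file servers on 445 every
# interval; 10.1.1.9 talks to one web server on 80.
BASELINE = [
    (t, "10.1.1.5", dst, 445, "tcp", 12)
    for t in range(1, 6) for dst in ("10.1.2.10", "10.1.2.11")
] + [(t, "10.1.1.9", "10.1.2.20", 80, "tcp", 30) for t in range(1, 6)]

# Constructed interval 6: 10.1.1.5 suddenly touches 40 distinct hosts on 445.
OUTBREAK = [
    (6, "10.1.1.5", f"10.1.2.{i}", 445, "tcp", 1) for i in range(10, 50)
] + [(6, "10.1.1.9", "10.1.2.20", 80, "tcp", 28)]


def fanout_per_interval(flows):
    """Return {src: {interval: number of distinct destinations}}."""
    seen = defaultdict(lambda: defaultdict(set))
    for interval, src, dst, *_ in flows:
        seen[src][interval].add(dst)
    return {src: {t: len(d) for t, d in per.items()} for src, per in seen.items()}


def build_profile(baseline_flows):
    """Per-source (mean, population stddev) of fan-out over baseline intervals."""
    profile = {}
    for src, per_interval in fanout_per_interval(baseline_flows).items():
        counts = list(per_interval.values())
        profile[src] = (mean(counts), pstdev(counts))
    return profile


def detect_anomalies(profile, current_flows, k=3.0, min_delta=5):
    """Flag sources whose current fan-out exceeds mean + k*stddev and grew by at
    least min_delta hosts (so a flat baseline with stddev 0 does not turn every
    +1 into an alarm). Sources absent from the baseline are reported separately
    rather than scored against a profile they do not have."""
    alerts, unknown = [], []
    for src, per_interval in fanout_per_interval(current_flows).items():
        for interval, fanout in per_interval.items():
            if src not in profile:
                unknown.append((interval, src, fanout))
                continue
            mu, sigma = profile[src]
            if fanout > mu + k * sigma and fanout - mu >= min_delta:
                alerts.append((interval, src, fanout, round(mu, 1)))
    return alerts, unknown


if __name__ == "__main__":
    prof = build_profile(BASELINE)
    found, new_hosts = detect_anomalies(prof, OUTBREAK)
    for interval, src, fanout, mu in found:
        print(f"interval {interval}: {src} contacted {fanout} hosts (baseline {mu})")
```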

    Virtual Private Networks

    Organizations deploy VPNs to provide data integrity, authentication, and data encryption to assure confidentiality of the packets sent over an unprotected network or the Internet. VPNs are designed to avoid the cost of unnecessary leased lines.


    Many different protocols are used for VPN implementations, including

    Point-to-Point Tunneling Protocol (PPTP)

    Layer 2 Forwarding (L2F) Protocol

    Layer 2 Tunneling Protocol (L2TP)

    Generic Routing Encapsulation (GRE) Protocol

    Multiprotocol Label Switching (MPLS) VPN

    Internet Protocol Security (IPsec)

    Secure Socket Layer (SSL)

    Note L2F, L2TP, GRE, and MPLS VPNs do not provide data integrity, authentication, and data encryption. On the other hand, you can combine L2TP, GRE, and MPLS with IPsec to provide these benefits. Many organizations use IPsec as their preferred protocol because it supports all three of these features.

    VPN implementations can be categorized into two distinct groups:

    Site-to-site VPNs: Enable organizations to establish VPN tunnels between two or more network infrastructure devices in different sites so that they can communicate over a shared medium such as the Internet. Many organizations use IPsec, GRE, and MPLS VPN as site-to-site VPN protocols.

    Remote-access VPNs: Enable users to work from remote locations such as their homes, hotels, and other premises as if they were directly connected to their corporate network.

    Note Typically, site-to-site VPN tunnels are terminated between two or more network infrastructure devices, as opposed to remote access VPN, where the tunnels are formed between a VPN head-end device and an end-user workstation or hardware VPN client.

    Figure 1-6 illustrates a site-to-site IPsec tunnel between two sites (corporate headquarters and a branch office).


    [Figure 1-6: Corporate Headquarters and Branch Office connected by an IPsec tunnel across the Internet]

    Figure 1-6 Site-to-Site VPN Example

    Figure 1-7 shows an example of remote access VPN. In this example, a telecommuter uses IPSec VPN while a remote user from a hotel uses SSL VPN to connect to the corporate headquarters.

    Technical Overview of IPSec

    IPsec uses the Internet Key Exchange (IKE) Protocol to negotiate and establish secured site-to-site or remote access VPN tunnels. IKE is a framework provided by the Internet Security Association and Key Management Protocol (ISAKMP) and parts of two other key management protocols, namely Oakley and Secure Key Exchange Mechanism (SKEME).

    Note IKE is defined in RFC 2409, The Internet Key Exchange.

    ISAKMP has two phases. Phase 1 is used to create a secure bidirectional communication channel between the IPsec peers. This channel is known as the ISAKMP Security Association (SA). Phase 2 is used to negotiate the IPsec SAs.

    [Figure 1-7: Telecommuter connected to Corporate Headquarters over an IPsec tunnel, and a remote user at a hotel connected over an SSL VPN tunnel, both across the Internet]

    Figure 1-7 Remote Access VPN Example

    Phase 1

    Within Phase 1 negotiation, several attributes are exchanged, including the following:

    Encryption algorithms

    Hashing algorithms

    Diffie-Hellman groups

    Authentication method

    Vendor-specific attributes


    The following are the typical encryption algorithms:

    Data Encryption Standard (DES): 64 bits long

    Triple DES (3DES): 168 bits long

    Advanced Encryption Standard (AES): 128 bits long

    AES 192: 192 bits long

    AES 256: 256 bits long

    Hashing algorithms include these:

    Secure Hash Algorithm (SHA)

    Message digest algorithm 5 (MD5)

    The common authentication methods are preshared keys (where peers use a shared secret to authenticate each other) and digital certificates with the use of Public Key Infrastructure (PKI).

    Note Typically, small and medium-sized organizations use preshared keys as their authentication mechanism. Several large organizations use digital certificates for scalability, for centralized management, and for the use of additional security mechanisms.

    You can establish a Phase 1 SA in main mode or aggressive mode.

    In main mode, the IPsec peers complete a six-packet exchange in three round trips to negotiate the ISAKMP SA, whereas aggressive mode completes the SA negotiation in three packet exchanges. Main mode provides identity protection if preshared keys are used. Aggressive mode provides identity protection only if digital certificates are used.

    Note Cisco products that support IPsec typically use main mode for site-to-site tunnels and aggressive mode for remote-access VPN tunnels. This is the default behavior when preshared keys are used as the authentication method.

    Figure 1-8 illustrates the six-packet exchange in main mode negotiation.

    In Figure 1-8, two Cisco ASAs are configured to terminate a site-to-site VPN tunnel between them. The Cisco ASA labeled as ASA-1 is the initiator, and ASA-2 is the responder. The following are the steps illustrated in Figure 1-8.

    Step 1. ASA-1 (the initiator) has two ISAKMP proposals configured. In the first packet, ASA-1 sends its configured proposals to ASA-2.

    [Figure 1-8: ASA-1 (initiator) and ASA-2 (responder). ASA-1 has two proposals, DES/MD5/DH1/Preshared and 3DES/SHA/DH2/Preshared; ASA-2 has DES/MD5/DH1/Preshared. (1) HDR, SA proposal; (2) HDR, SA choice: Phase 1 SA parameter negotiation complete. (3) HDR, KEi, Nonce_i; (4) HDR, KEr, Nonce_r: Diffie-Hellman key exchange, SKEYID derived. (5) HDR*, IDi, HASH_i; (6) HDR*, IDr, HASH_r: IDs are exchanged and HASH is verified. *These two packets are encrypted.]

    Figure 1-8 IKE Negotiation

    Step 2. ASA-2 evaluates the received proposal. Because it has a proposal that matches the offer of the initiator, ASA-2 sends the accepted proposal back to ASA-1 in the second packet.

    Step 3. Diffie-Hellman exchange and calculation is started. Diffie-Hellman is a key agreement protocol that enables two users or devices to authenticate each other's pre-shared keys without actually sending the keys over the unsecured medium. ASA-1 sends the Key Exchange (KE) payload and a randomly generated value called a nonce.

    Step 4. ASA-2 receives the information and reverses the equation, using the proposed Diffie-Hellman group/exchange to generate the SKEYID. The SKEYID is a string derived from secret material that is known only to the active participants in the exchange.

    Step 5. ASA-1 sends its identity information. The fifth packet is encrypted with the keying material derived from the SKEYID. The asterisk in Figure 1-8 is used to illustrate that this packet is encrypted.

    Step 6. ASA-2 validates the identity of ASA-1, and ASA-2 sends its own identity information to ASA-1. This packet is also encrypted.


    Note IKE uses UDP port 500 for communication. UDP port 500 is used to send all the packets described in the previous steps.
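The six-step main mode exchange above, walked through in code as an added example (not the book's or Cisco's code): the responder picks a matching ISAKMP proposal, both peers exchange Diffie-Hellman values and nonces, and SKEYID and HASH_I are derived as RFC 2409 specifies for preshared-key authentication, so a wrong preshared key on one side shows up as a failed HASH_I check rather than a failed Diffie-Hellman agreement. The Diffie-Hellman modulus is a tiny constructed value (not an IKE group, no security), the cookies, nonces, identity string and preshared key are constructed, and the encryption of packets 5 and 6 is left out.

```python
"""IKEv1 Phase 1 main mode with preshared-key authentication (added example).

Models the six packets of Figure 1-8: proposal/choice, Diffie-Hellman values
plus nonces, then the identity/hash packets. Key derivation follows RFC 2409
section 5 with HMAC-SHA1 as the prf:
  SKEYID   = prf(pre-shared-key, Ni_b | Nr_b)
  SKEYID_d = prf(SKEYID, g^xy | CKY-I | CKY-R | 0)
  SKEYID_a = prf(SKEYID, SKEYID_d | g^xy | CKY-I | CKY-R | 1)
  SKEYID_e = prf(SKEYID, SKEYID_a | g^xy | CKY-I | CKY-R | 2)
  HASH_I   = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)
"""
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman parameters: constructed, insecure, NOT an IKE group.
TOY_P = 0xFFFFFFFFFFFFFFC5  # 2**64 - 59, a 64-bit prime
TOY_G = 5
PSK = b"constructed-preshared-key"

# ISAKMP proposals as (encryption, hash, DH group, auth), as in Figure 1-8.
ASA1_PROPOSALS = [("DES", "MD5", 1, "psk"), ("3DES", "SHA", 2, "psk")]
ASA2_PROPOSALS = [("DES", "MD5", 1, "psk")]


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()


def choose_proposal(offered, configured):
    """Packets 1 and 2: the responder accepts the first offered proposal it
    also has configured; None means no match and the negotiation ends."""
    for proposal in offered:
        if proposal in configured:
            return proposal
    return None


def dh_keypair():
    x = secrets.randbelow(TOY_P - 2) + 1
    return x, pow(TOY_G, x, TOY_P)


def derive_keys(psk, ni, nr, shared, cky_i, cky_r):
    """RFC 2409 SKEYID family for preshared-key authentication."""
    gxy = shared.to_bytes(8, "big")
    skeyid = prf(psk, ni + nr)
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")
    return skeyid, skeyid_d, skeyid_a, skeyid_e


def main_mode(psk_i=PSK, psk_r=PSK):
    """Run the exchange; return (chosen proposal, HASH_I verified, keys equal).
    Packets 5 and 6 would be encrypted under SKEYID_e; that is not modelled."""
    chosen = choose_proposal(ASA1_PROPOSALS, ASA2_PROPOSALS)       # packets 1, 2
    if chosen is None:
        return None, False, False
    sa_body = repr(chosen).encode()  # stands in for the SAi_b payload bytes
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)  # ISAKMP cookies
    xi, gxi = dh_keypair()                                         # packet 3: KEi
    ni = secrets.token_bytes(16)                                   #           Ni
    xr, gxr = dh_keypair()                                         # packet 4: KEr
    nr = secrets.token_bytes(16)                                   #           Nr
    # Each peer computes g^xy from its own secret and the peer's public value.
    keys_i = derive_keys(psk_i, ni, nr, pow(gxr, xi, TOY_P), cky_i, cky_r)
    keys_r = derive_keys(psk_r, ni, nr, pow(gxi, xr, TOY_P), cky_i, cky_r)
    gxi_b, gxr_b = gxi.to_bytes(8, "big"), gxr.to_bytes(8, "big")
    id_i = b"asa-1.example.test"  # constructed IDii
    hash_i = prf(keys_i[0], gxi_b + gxr_b + cky_i + cky_r + sa_body + id_i)  # packet 5
    expected = prf(keys_r[0], gxi_b + gxr_b + cky_i + cky_r + sa_body + id_i)
    hash_ok = hmac.compare_digest(hash_i, expected)  # ASA-2's check before packet 6
    return chosen, hash_ok, keys_i == keys_r


if __name__ == "__main__":
    print(main_mode())
```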

    Phase 2

    Phase 2 is used to negotiate the IPsec SAs. This phase is also known as quick mode. The ISAKMP SA protects the IPsec SAs because all payloads are encrypted except the ISAKMP header.

    A single IPSec SA negotiation always creates two security associations, one inbound and one outbound. Each SA is assigned a unique security parameter index (SPI) value, one by the initiator and the other by the responder.

    Tip The security protocols (AH or ESP) are Layer 3 protocols and do not have Layer 4 port information. If an IPSec peer is behind a PAT device, the ESP or AH packets are typically dropped. To work around this, many vendors, including Cisco Systems, use a feature called IPSec pass-thru. The PAT device that is IPSec pass-thru capable builds the Layer 4 translation table by looking at the SPI values on the packets.

    Many industry vendors, including Cisco Systems, implement another new feature called NAT Traversal (NAT-T). With NAT-T, the VPN peers dynamically discover whether an address translation device exists between them. If they detect a NAT/PAT device, they use UDP port 4500 to encapsulate the data packets, subsequently allowing the NAT device to successfully translate and forward the packets.

    Another interesting point is that if the VPN router needs to connect multiple networks over the tunnel, it needs to negotiate twice as many IPSec SAs. Remember, each IPSec SA is unidirectional, so if three local subnets need to go over the VPN tunnel to talk to the remote network, then six IPSec SAs are negotiated. IPSec can use quick mode to negotiate these multiple Phase 2 SAs, using the single pre-established ISAKMP SA. The number of IPSec SAs can be reduced, however, if source and/or destination networks are summarized.

    Many different IPSec attributes are negotiated in quick mode, as shown in Table 1-3.

    In addition to generating the keying material, quick mode also negotiates identity information. The Phase 2 identity information specifies what network, protocol, and/or port number to encrypt. Hence, the identities can vary anywhere from an entire network to a single host address, allowing a specific protocol and port.

    Figure 1-9 illustrates the Phase 2 negotiation between the two routers that just completed Phase 1.

    [Figure 1-9: ASA-1 (initiator, ESP/3DES/SHA) and ASA-2 (responder, ESP/3DES/SHA). (1) HDR*, HASH1, SA proposal, Nonce_i, [KEi], [IDci, IDcr]; (2) HDR*, HASH2, SA proposal, Nonce_r, [KEr], [IDci, IDcr]; (3) HDR*, HASH. Phase 2 Quick Mode.]

    Figure 1-9 IPsec Phase 2 Negotiation

    The following are the steps illustrated in Figure 1-9.

    Step 1. ASA-1 sends the identity information, IPsec SA proposal, nonce payload, and (optional) Key Exchange (KE) payload if Perfect Forward Secrecy (PFS) is used. PFS is used to provide additional Diffie-Hellman calculations.

    Step 2. ASA-2 evaluates the received proposal against its configured proposal and sends the accepted proposal back to ASA-1, along with its identity information, nonce payload, and the optional KE payload.

    Step 3. ASA-1 evaluates the ASA-2 proposal and sends a confirmation that the IPsec SAs have been successfully negotiated. This starts the data encryption process.

    Table 1-3 IPSec Attributes

    Attribute                            Possible Values
    Encryption                           None, DES, 3DES, AES128, AES192, AES256
    Hashing                              MD5, SHA, or null
    Identity information                 Network, Protocol, Port number
    Lifetime                             120 to 2,147,483,647 seconds; 10 to 2,147,483,647 kilobytes
    Mode                                 Tunnel or transport
    Perfect Forward Secrecy (PFS) group  None, 1, 2, or 5


    IPsec uses two different protocols to encapsulate the data over a VPN tunnel:

    Encapsulation Security Payload (ESP): IP Protocol 50

    Authentication Header (AH): IP Protocol 51

    Note ESP is defined in RFC 4303, IP Encapsulating Security Payload (ESP), and AH is defined in RFC 4305, IP Authentication Header.

    IPsec can use two modes with either AH or ESP:

    Transport mode: Protects upper-layer protocols, such as User Datagram Protocol (UDP) and TCP

    Tunnel mode: Protects the entire IP packet

    Transport mode is used to encrypt and authenticate the data packets between the peers. A typical example of this is the use of GRE over an IPsec tunnel. Tunnel mode is used to encrypt and authenticate the IP packets when they are originated by the hosts connected behind the Virtual Private Network (VPN) device. Tunnel mode adds an additional IP header to the packet, as illustrated in Figure 1-10.

    Figure 1-10 demonstrates the major difference between transport and tunnel mode. It includes an example of an IP packet encapsulated in GRE and the difference when it is encrypted in transport mode and tunnel mode. As demonstrated in Figure 1-10, tunnel mode increases the overall size of the packet in comparison to transport mode.

    [Figure 1-10, header layout of each row:
    Original Packet:                IP Hdr 1 | TCP Hdr | Data
    GRE Encapsulation:              IP Hdr 2 | GRE Hdr | IP Hdr 1 | TCP Hdr | Data
    GRE Over IPSec, Transport Mode: IP Hdr 2 | ESP Hdr | GRE Hdr | IP Hdr 1 | TCP Hdr | Data (encrypted from GRE Hdr onward)
    GRE Over IPSec, Tunnel Mode:    IP Hdr 3 | ESP Hdr | IP Hdr 2 | GRE Hdr | IP Hdr 1 | TCP Hdr | Data (encrypted from IP Hdr 2 onward)]

    Figure 1-10 Transport vs. Tunnel Mode


    Note Tunnel mode is the default mode in Cisco IPsec devices.

    SSL VPNs

    SSL-based VPNs leverage the SSL protocol. SSL, also referred to as Transport Layer Security (TLS), is a matured protocol that has been in existence since the early 1990s. The Internet Engineering Task Force (IETF) created TLS to consolidate the different SSL vendor versions into a common and open standard.

    One of the most popular features of SSL VPN is the capability to launch a browser such as Microsoft Internet Explorer and Firefox and simply connect to the address of the VPN device, as opposed to running a separate VPN client program to establish an IPSec VPN connection. In most implementations, a clientless solution is possible. Users can access corporate intranet sites, portals, and email from almost anywhere (even from an airport kiosk). Because most people allow SSL (TCP port 443) over their firewalls, it is unnecessary to open additional ports.

    The most successful application running on top of SSL is HTTP because of the huge popularity of the World Wide Web. All the most popular web browsers in use today support HTTPS (HTTP over SSL/TLS). This ubiquity, if used in remote access VPNs, provides some appealing properties:

    Secure communication using cryptographic algorithms: It offers confidentiality, integrity, and authentication.

    Ubiquity: The ubiquity of SSL/TLS makes it possible for VPN users to remotely access corporate resources from anywhere, using any PC, without having to preinstall a remote access VPN client.

    Low management cost: The clientless access makes this type of remote access VPN free of deployment costs and free of maintenance problems at the end-user side. This is a huge benefit for the IT management personnel, who would otherwise spend considerable resources to deploy and maintain their remote access VPN solutions.

    Effective operation with a firewall and NAT: SSL VPN operates on the same port as HTTPS (TCP/443). Most Internet firewalls, proxy servers, and NAT devices have been configured to correctly handle TCP/443 traffic. Subsequently, there is no need for any special consideration to transport SSL VPN traffic over the networks. This has been viewed as a significant advantage over native IPsec VPN, which operates over IP protocol 50 (ESP) or 51 (AH), which in many cases needs special configuration on the firewall or NAT devices to let them pass through.

    As SSL VPN evolves to fulfill another important requirement of remote access VPN, namely the requirement of supporting any application, some of these properties are no longer true, depending on which SSL VPN technology the VPN users choose. But overall, these properties are the main drivers for the popularity of SSL VPN in recent years and are heavily marketed by SSL VPN vendors as the main reasons for IPsec replacement.


    Today's SSL VPN technology uses SSL/TLS as secure transport and employs a heterogeneous collection of remote access technologies such as reverse proxy, tunneling, and terminal services to provide users with different types of access methods that fit different environments. Subsequent chapters examine some commonly used SSL VPN technologies, such as

    Reverse proxy technology

    Port-forwarding technology

    SSL VPN tunnel client

    Integrated terminal services

    HTTPS provides secure web communication between a browser and a web server that supports the HTTPS protocol. SSL VPN extends this model to allow VPN users to access corporate internal web applications and other corporate application servers that might or might not support HTTPS, or even HTTP. SSL VPN does this by using several techniques that are collectively called reverse proxy technology.

    A reverse proxy is a proxy server that resides in front of the application servers, normally web servers, and functions as an entry point for Internet users who want to access the corporate internal web application resources. To the external clients, a reverse proxy server appears to be the true web server. Upon receiving the user's web request, a reverse proxy relays the user request to the internal web server to fetch the content on behalf of the users and relays the web content to the user with or without additional modifications to the data being presented to the user.

    Many web server implementations support reverse proxy. One example is the mod_proxy module in Apache. With so many implementations, you might wonder why you need an SSL VPN solution to have this functionality. The answer is that SSL VPN offers much more functionality than traditional reverse proxy technologies:

    SSL VPN can transform complicated web and some non-web applications that simple reverse proxy servers cannot handle. The content transformation process is sometimes called webification. For example, SSL VPN solutions enable users to access Windows or UNIX file systems. The SSL VPN gateway needs to be able to communicate with internal Windows or UNIX servers and webify the file access in a web-browser-presentable format for the VPN users.

    SSL VPN supports a wide range of business applications. For applications that cannot be webified, SSL VPN can use other resource access methods to support them. For users who demand ultimate access, SSL VPN can provide network-layer access to directly connect a remote system to the corporate network, in the same manner as an IPsec VPN.

    SSL VPN provides a true remote access VPN package, including user authentication, resource access privilege management, logging and accounting, endpoint security, and user experience.


    The reverse proxy mode in SSL VPN is also known as clientless web access or clientless access because it does not require any client-side applications to be installed on the client machine.

    Note Configuration and troubleshooting of clientless remote access SSL VPN is covered in Chapter 19. Configuration and troubleshooting of client-based remote access SSL VPN is covered in Chapter 20.

    Summary

    Network security is a science that needs to be put into practice carefully. There are many different techniques at the disposal of a network administrator to prevent attackers from gaining access to private networks and computer systems. This chapter provides an overview of the different technologies, principles, and protocols related to the integrated features of Cisco ASA. An overview of different firewall technologies and implementations was covered in the beginning of the chapter, followed by the introduction of IDS and IPS solutions. At the end, a technical overview of site-to-site and remote access VPN technologies was discussed in detail.


  • Chapter 2

    Cisco ASA Product and Solution Overview

    This chapter covers the following topics:

    Cisco ASA 5505 hardware overview

    Cisco ASA 5510 hardware overview

    Cisco ASA 5520 hardware overview

    Cisco ASA 5540 hardware overview

    Cisco ASA 5550 hardware overview

    Cisco ASA 5580-20 hardware overview

    Cisco ASA 5580-40 hardware overview

    Cisco ASA AIP-SSM module overview

    Cisco ASA CSC-SSM module overview

    Deployment examples

    The Cisco ASA 5500 Series Adaptive Security Appliances integrate firewall, IPS, and VPN capabilities, providing an all-in-one solution for your network. Incorporating all these solutions into Cisco ASA secures the network without the need for extra overlay equipment or network alterations. This is something that many Cisco customers and network professionals have requested in a security product.

    There are several Cisco ASA 5500 Series models. These include

    Cisco ASA 5505

    Cisco ASA 5510

    Cisco ASA 5520

    Cisco ASA 5540


    Cisco ASA 5550

    Cisco ASA 5580-20

    Cisco ASA 5580-40

    This chapter provides an overview of the Cisco ASA 5500 Series Adaptive Security Appliance hardware, including performance and technical specifications. It also provides an overview of the Adaptive Inspection and Prevention Security Services Module (AIP-SSM), which is required for IPS features. Additionally, it introduces the Content Security and Control Security Services Module (CSC-SSM), designed to provide antivirus, anti-spyware, file blocking, anti-spam, anti-phishing, URL blocking/filtering, and content filtering. This chapter also discusses the Cisco ASA 4-Port Gigabit Ethernet Security Services Module (4GE SSM) that extends the number of physical interfaces in an appliance.

    Cisco ASA 5505 Model

    The Cisco ASA 5505 Adaptive Security Appliance is designed for small business, branch office, and telecommuting environments. Despite its small size, it provides firewall, SSL and IPsec VPN, and numerous networking services expected on a bigger appliance. Figure 2-1 shows the front view of the Cisco ASA 5505.

    The front panel has the following components:

    Step 1. USB Port: Reserved for future use.

    Step 2. Speed and Link Activity LEDs: The Cisco ASA 5505 has a speed indicator LED and a separate link activity indicator LED for each of its eight ports. When the speed ind