Contents

Foreword

Introduction

Chapter 1      Firewall Overview

1-1: Overview of Firewall Operation

Initial Checking

Xlate Lookup

Conn Lookup

ACL Lookup

Uauth Lookup

Inspection Engine

1-2: Inspection Engines for ICMP, UDP, and TCP

ICMP Inspection

A Case Study in ICMP Inspection

UDP Inspection

TCP Inspection

Additional TCP Connection Controls

TCP Normalization

Other Firewall Operations

1-3: Hardware and Performance

1-4: Basic Security Policy Guidelines

Further Reading

Chapter 2      Configuration Fundamentals

2-1: User Interface

User Interface Modes

User Interface Features

Entering Commands

Command Help

Command History

Searching and Filtering Command Output

Terminal Screen Format

2-2: Firewall Features and Licenses

Upgrading a License Activation Key

2-3: Initial Firewall Configuration

Chapter 3      Building Connectivity

3-1: Configuring Interfaces

Surveying Firewall Interfaces

Configuring Interface Redundancy

Basic Interface Configuration

Interface Configuration Examples

Configuring IPv6 on an Interface

Testing IPv6 Connectivity

Configuring the ARP Cache

Configuring Interface MTU and Fragmentation

Configuring an Interface Priority Queue

Displaying Information About the Priority Queue

Firewall Topology Considerations

Securing Trunk Links Connected to Firewalls

Bypass Links

3-2: Configuring Routing

Using Routing Information to Prevent IP Address Spoofing

Configuring Static Routes

Static Route Example

Favoring Static Routes Based on Reachability

Reachable Static Route Example

Configuring RIP to Exchange Routing Information

RIP Example

Configuring EIGRP to Exchange Routing Information

An EIGRP Configuration Example

Configuring OSPF to Exchange Routing Information

OSPF Routing Scenarios with a Firewall

Configuring OSPF

Redistributing Routes from Another Source into OSPF

OSPF Example

3-3: DHCP Server Functions

Using the Firewall as a DHCP Server

DHCP Server Example

Updating Dynamic DNS from a DHCP Server

Verifying DDNS Operation

Relaying DHCP Requests to a DHCP Server

DHCP Relay Example

3-4: Multicast Support

Multicast Overview

Multicast Addressing

Forwarding Multicast Traffic

Multicast Trees

Reverse Path Forwarding

IGMP: Finding Multicast Group Recipients

IGMPv1

IGMPv2

PIM: Building a Multicast Distribution Tree

PIM Sparse Mode

PIM RP Designation

Configuring PIM

Using a Multicast Boundary to Segregate Domains

Filtering PIM Neighbors

Filtering Bidirectional PIM Neighbors

Configuring Stub Multicast Routing (SMR)

Configuring IGMP Operation

Stub Multicast Routing Example

PIM Multicast Routing Example

Verifying IGMP Multicast Operation

Verifying PIM Multicast Routing Operation

Chapter 4      Firewall Management

4-1: Using Security Contexts to Make Virtual Firewalls

Security Context Organization

Sharing Context Interfaces

Issues with Sharing Context Interfaces

Solving Shared Context Interface Issues with Unique MAC Addresses

Configuration Files and Security Contexts

Guidelines for Multiple-Context Configuration

Initiating Multiple-Context Mode

Navigating Multiple Security Contexts

Context Prompts

Changing a Session to a Different Context

Configuring a New Context

Context Definition Example

Allocating Firewall Resources to Contexts

Verifying Multiple-Context Operation

4-2: Managing the Flash File System

Navigating an ASA or FWSM Flash File System

Administering an ASA or FWSM Flash File System

Using the PIX 6.3 Flash File System

Identifying the Operating System Image

Upgrading an Image from the Monitor Prompt

Upgrading an Image from an Administrative Session

Upgrading an Image Automatically

4-3: Managing Configuration Files

Managing the Startup Configuration

Selecting a Startup Configuration File

Displaying the Startup Configuration

Saving a Running Configuration

Viewing the Running Configuration

Saving the Running Configuration to Flash Memory

Saving the Running Configuration to a TFTP Server

Forcing the Running Configuration to Be Copied Across a Failover Pair

Forcing the Startup (Nonvolatile) Configuration to Be Cleared

Importing a Configuration

Entering Configuration Commands Manually

Merging Configuration Commands from Flash Memory

Merging Configuration Commands from a TFTP Server

Merging Configuration Commands from a Web Server

Merging Configuration Commands from an Auto Update Server

4-4: Automatic Updates with an Auto Update Server

Configuring a Firewall as an Auto Update Client

Verifying Auto Update Client Operation

Configuring a Firewall as an Auto Update Server

4-5: Managing Administrative Sessions

Console Connection

Telnet Sessions

SSH Sessions

ASDM/PDM Sessions

Starting the ASDM or PDM Application from a Web Browser

Starting ASDM from a Local Application

User Session Banners

Monitoring Administrative Sessions

4-6: Firewall Reloads and Crashes

Reloading a Firewall

Reloading a Firewall Immediately

Reloading a Firewall at a Specific Time and Date

Reloading a Firewall After a Time Interval

Obtaining Crash Information

Controlling Crashinfo Creation

Generating a Test Crashinfo Image

Forcing an Actual Firewall Crash

Viewing the Crashinfo Information

Deleting the Previous Crashinfo File Contents

4-7: Monitoring a Firewall with SNMP

Overview of Firewall SNMP Support

Firewall MIBs

Firewall SNMP Traps

SNMP Configuration

Chapter 5      Managing Firewall Users

5-1: Managing Generic Users

Authenticating and Authorizing Generic Users

Accounting of Generic Users

5-2: Managing Users with a Local Database

Authenticating with Local Usernames

Authorizing Users to Access Firewall Commands

Accounting of Local User Activity

5-3: Defining AAA Servers for User Management

5-4: Configuring AAA to Manage Administrative Users

Enabling AAA User Authentication

Enabling AAA Command Authorization

Enabling AAA Command Accounting

5-5: Configuring AAA for End-User Cut-Through Proxy

Authenticating Users Passing Through

Authorizing User Activity with TACACS+ Servers

Authorizing User Activity with RADIUS Servers

Keeping Accounting Records of User Activity

AAA Cut-Through Proxy Configuration Examples

5-6: Firewall Password Recovery

Recovering an ASA Password

Recovering a PIX Password

Recovering an FWSM Password

Chapter 6      Controlling Access Through the Firewall

6-1: Routed and Transparent Firewall Modes

Configuring a Transparent Firewall

6-2: Address Translation

Defining Access Directions

Outbound Access

Inbound Access

Same-Security Access

Types of Address Translation

Handling Connections Through an Address Translation

UDP and TCP Connection Limits

Limiting Embryonic Connections

TCP Initial Sequence Numbers

Static NAT

Policy NAT

Identity NAT

NAT Exemption

Dynamic Address Translation (NAT or PAT)

Dynamic NAT and PAT Example

Controlling Traffic

Controlling Access with Medium Security Interfaces

6-3: Controlling Access with Access Lists

Compiling Access Lists

Configuring an Access List

Adding an ACE to an Access List

Manipulating Access Lists

Adding Descriptions to an Access List

Defining a Time Range to Activate an ACE

Access List Examples

Defining Object Groups

Defining Network Object Groups

Defining Protocol Object Groups

Defining ICMP Type Object Groups

Defining Basic Service Object Groups

Defining an Enhanced Service Object Group

Using Object Groups in an Access List

Logging ACE Activity

Monitoring Access Lists

6-4: Shunning Traffic

Shun Example

Chapter 7      Inspecting Traffic

7-1: Filtering Content

Configuring Content Filters

Content-Filtering Examples

Using a Web Cache for Better HTTP Performance

7-2: Defining Security Policies in a Modular Policy Framework

Classifying Layers 3 and 4 Traffic

Match Against a Destination Port Number

Match Against an Access List

Match Against QoS Parameters

Match Against a Range of Real-Time Transport Protocol (RTP) Port Numbers

Match Against a VPN Tunnel Group

Match All Traffic

Match Default Traffic

Classifying Management Traffic

Defining a Layer 3/4 Policy

Set Connection Limits on the Matched Traffic

Adjust TCP Options for the Matched Traffic

Send the Matched Traffic to an IPS Module

Send the Matched Traffic to a CSC Module

Use a Policer to Limit the Matched Traffic Bandwidth

Give Priority Service (LLQ) to Matched Traffic

Default Policy Definitions

7-3: Application Inspection

Configuring Application Inspection

Matching Text with Regular Expressions

Configuring DCERPC Inspection

Configuring DNS Inspection

Configuring ESMTP Inspection

Configuring FTP Inspection—ASA 7.2(1) or Later

Configuring FTP Inspection—FWSM and ASA 7.0-7.1

Configuring GTP Inspection—ASA 7.2(1) and Later

Configuring GTP Inspection—FWSM and ASA 7.0-7.1

Configuring H.323 Inspection

Configuring HTTP Inspection—ASA 7.2(1) and Later

Configuring HTTP Inspection—FWSM and ASA 7.0-7.1

Configuring ICMP Inspection

Configuring Instant Messaging (IM) Inspection

Configuring IPSec Passthru Inspection

Configuring MGCP Inspection—ASA 7.2(1) and Later

Configuring an MGCP Map—FWSM and ASA 7.0-7.1

Configuring NetBIOS Inspection

Configuring RADIUS Accounting Inspection

Configuring SNMP Inspection

Chapter 8      Increasing Firewall Availability with Failover

8-1: Firewall Failover Overview

How Failover Works

Firewall Failover Roles

Detecting a Firewall Failure

Failover Communication

Active-Active Failover Requirements

8-2: Configuring Firewall Failover

8-3: Firewall Failover Configuration Examples

Active-Standby Failover Example with PIX Firewalls

Active-Standby Failover Example with FWSM

Active-Active Failover Example

Primary Firewall Configuration

Secondary Firewall Configuration

Allocating Interfaces to the Contexts

Configuring Interfaces in Each Context

8-4: Managing Firewall Failover

Displaying Information About Failover

Displaying the Current Failover Status

Displaying the LAN-Based Failover Interface Status

Displaying a History of Failover State Changes

Debugging Failover Activity

Monitoring Stateful Failover

Manually Intervening in Failover

Forcing a Role Change

Resetting a Failed Firewall Unit

Reloading a Hung Standby Unit

Executing Commands on a Failover Peer

8-5: Upgrading Firewalls in Failover Mode

Manually Upgrading a Failover Pair

Automatically Upgrading a Failover Pair

Chapter 9      Firewall Load Balancing

9-1: Firewall Load-Balancing Overview

9-2: Firewall Load-Balancing in Software

IOS FWLB Configuration Notes

IOS FWLB Configuration

IOS Firewall Load-Balancing Example

Basic Firewall Configuration

Outside IOS FWLB Configuration

Inside IOS FWLB Configuration

Displaying Information About IOS FWLB

IOS FWLB Output Example

9-3: Firewall Load-Balancing in Hardware

FWLB in Hardware Configuration Notes

CSM FWLB Configuration

CSM Firewall Load-Balancing Example

CSM Components Needed

Basic Firewall Configuration

Outside CSM FWLB Configuration

Inside CSM Configuration

Displaying Information About CSM FWLB

CSM FWLB Output Example

9-4: Firewall Load-Balancing Appliance

CSS FWLB Configuration

CSS Appliance Firewall Load-Balancing Example

Basic Firewall Configuration

Outside CSS FWLB Configuration

Inside CSS FWLB Configuration

Displaying Information About CSS FWLB

Chapter 10    Firewall Logging

10-1: Managing the Firewall Clock

Setting the Clock Manually

Setting the Clock with NTP

10-2: Generating Logging Messages

Syslog Server Suggestions

Logging Configuration

Configuring Basic Logging Parameters

Log to an Interactive Firewall Session

Log to the Firewall’s Internal Buffer

Log to an SNMP Management Station

Logging to a Syslog Server

Logging to a Secure Syslog Server Using SSL

Logging to an E-mail Address

Logging to an ASDM Management Application

Verifying Message Logging Activity

Manually Testing Logging Message Generation

10-3: Fine-Tuning Logging Message Generation

Pruning Messages

Changing the Message Severity Level

Access List Activity Logging

10-4: Analyzing Firewall Logs

Chapter 11    Verifying Firewall Operation

11-1: Checking Firewall Vital Signs

Using the Syslog Information

Checking System Resources

Firewall CPU Load

Firewall Memory

Checking Stateful Inspection Resources

Xlate Table Size

Conn Table Size

Checking Firewall Throughput

ASDM

Syslog

Traffic Counters

Perfmon Counters

Checking Inspection Engine and Service Policy Activity

Checking Failover Operation

Verifying Failover Roles

Verifying Failover Communication

Determining If a Failover Has Occurred

Determining the Cause of a Failover

An Example of Finding the Cause of a Failover

Intervening in a Failover Election

Checking Firewall Interfaces

Interface Name and Status

Interface Control

Interface Addresses

Inbound Packet Statistics

Outbound Packet Statistics

Traffic Statistics

Packet Queue Status

11-2: Watching Data Pass Through a Firewall

Using Capture

Defining a Capture Session

Getting Results from a Capture Session

Using a Capture Session to Display Trunk Contents

Copying Capture Buffer Contents

Controlling a Capture Session

A Capture Example

Using the ASDM Packet Capture Wizard

Capturing FWSM Packets Inside the Switch

Using Debug Packet

11-3: Verifying Firewall Connectivity

Step 1: Test with Ping Packets

Step 2: Check the ARP Cache

Step 3: Check the Routing Table

Step 4: Use Traceroute to Verify the Forwarding Path

Using Traceroute on a Host

Using Traceroute on the Firewall

Step 5: Check the Access Lists

Step 6: Verify the Address Translation and Connection Tables

Monitoring Translations

Monitoring Connections

Monitoring Specific Hosts

Clearing Xlate Table Entries

Adjusting Table Timeout Values

Step 7: Look for Active Shuns

Step 8: Check User Authentication

Authentication Proxy (Uauth)

Content Filtering

Step 9: See What Has Changed

Chapter 12    ASA Modules

12-1: Initially Configuring an ASA SSM

Preparing the ASA for SSM Management Traffic

Connecting and Configuring the SSM Management Interface

12-2: Configuring the CSC SSM

Configuring the ASA to Divert Traffic to the CSC SSM

Configuring the Initial CSC SSM Settings

Repairing the Initial CSC Configuration

Connecting to the CSC Management Interface

Configuring Automatic Updates

Configuring CSC Inspection Policies

Configure Web (HTTP) Inspection Policies

Configuring URL Blocking

Configuring URL Filtering Rules

Configuring URL Filtering Settings

Configuring HTTP File Blocking

Configuring HTTP Scanning

Configuring File Transfer (FTP) Inspection Policies

Configuring Mail (SMTP and POP3) Inspection Policies

Scanning SMTP Traffic

Filtering SMTP Content

Detecting Spam SMTP E-mail

Configuring General SMTP Mail Handling

Scanning POP3 Traffic

Detecting Spam in POP3 E-mail

Filtering POP3 Content

12-3: Configuring the AIP SSM

Initially Configuring the AIP

Managing the AIP

Updating the AIP License

Manually Updating the AIP Code or Signature Files

Automatically Updating AIP Image and Signature Files

IPS Policies

Working with Signature Definitions

Working with Event Action Rules

Working with Anomaly Detection Policies

AIP Interfaces

IPS Virtual Sensors

Appendix A   Well-Known Protocol and Port Numbers

Appendix B   Security Appliance Logging Messages

Index
