1-1: Overview of Firewall Operation
1-2: Inspection Engines for ICMP, UDP, and TCP
A Case Study in ICMP Inspection
Additional TCP Connection Controls
1-4: Basic Security Policy Guidelines
Chapter 2 Configuration Fundamentals
Searching and Filtering Command Output
2-2: Firewall Features and Licenses
Upgrading a License Activation Key
2-3: Initial Firewall Configuration
Chapter 3 Building Connectivity
Configuring Interface Redundancy
Interface Configuration Examples
Configuring IPv6 on an Interface
Configuring Interface MTU and Fragmentation
Configuring an Interface Priority Queue
Displaying Information About the Priority Queue
Firewall Topology Considerations
Securing Trunk Links Connected to Firewalls
Using Routing Information to Prevent IP Address Spoofing
Favoring Static Routes Based on Reachability
Reachable Static Route Example
Configuring RIP to Exchange Routing Information
Configuring EIGRP to Exchange Routing Information
An EIGRP Configuration Example
Configuring OSPF to Exchange Routing Information
OSPF Routing Scenarios with a Firewall
Redistributing Routes from Another Source into OSPF
Using the Firewall as a DHCP Server
Updating Dynamic DNS from a DHCP Server
Relaying DHCP Requests to a DHCP Server
IGMP: Finding Multicast Group Recipients
PIM: Building a Multicast Distribution Tree
Using a Multicast Boundary to Segregate Domains
Filtering Bidirectional PIM Neighbors
Configuring Stub Multicast Routing (SMR)
Stub Multicast Routing Example
Verifying IGMP Multicast Operation
Verifying PIM Multicast Routing Operation
4-1: Using Security Contexts to Make Virtual Firewalls
Issues with Sharing Context Interfaces
Solving Shared Context Interface Issues with Unique MAC Addresses
Configuration Files and Security Contexts
Guidelines for Multiple-Context Configuration
Initiating Multiple-Context Mode
Navigating Multiple Security Contexts
Changing a Session to a Different Context
Allocating Firewall Resources to Contexts
Verifying Multiple-Context Operation
4-2: Managing the Flash File System
Navigating an ASA or FWSM Flash File System
Administering an ASA or FWSM Flash File System
Using the PIX 6.3 Flash File System
Identifying the Operating System Image
Upgrading an Image from the Monitor Prompt
Upgrading an Image from an Administrative Session
Upgrading an Image Automatically
4-3: Managing Configuration Files
Managing the Startup Configuration
Selecting a Startup Configuration File
Displaying the Startup Configuration
Saving a Running Configuration
Viewing the Running Configuration
Saving the Running Configuration to Flash Memory
Saving the Running Configuration to a TFTP Server
Forcing the Running Configuration to Be Copied Across a Failover Pair
Forcing the Startup (Nonvolatile) Configuration to Be Cleared
Entering Configuration Commands Manually
Merging Configuration Commands from Flash Memory
Merging Configuration Commands from a TFTP Server
Merging Configuration Commands from a Web Server
Merging Configuration Commands from an Auto Update Server
4-4: Automatic Updates with an Auto Update Server
Configuring a Firewall as an Auto Update Client
Verifying Auto Update Client Operation
Configuring a Firewall as an Auto Update Server
4-5: Managing Administrative Sessions
Starting the ASDM or PDM Application from a Web Browser
Starting ASDM from a Local Application
Monitoring Administrative Sessions
4-6: Firewall Reloads and Crashes
Reloading a Firewall Immediately
Reloading a Firewall at a Specific Time and Date
Reloading a Firewall After a Time Interval
Controlling Crashinfo Creation
Generating a Test Crashinfo Image
Forcing an Actual Firewall Crash
Viewing the Crashinfo Information
Deleting the Previous Crashinfo File Contents
4-7: Monitoring a Firewall with SNMP
Overview of Firewall SNMP Support
Chapter 5 Managing Firewall Users
Authenticating and Authorizing Generic Users
5-2: Managing Users with a Local Database
Authenticating with Local Usernames
Authorizing Users to Access Firewall Commands
Accounting of Local User Activity
5-3: Defining AAA Servers for User Management
5-4: Configuring AAA to Manage Administrative Users
Enabling AAA User Authentication
Enabling AAA Command Authorization
Enabling AAA Command Accounting
5-5: Configuring AAA for End-User Cut-Through Proxy
Authenticating Users Passing Through
Authorizing User Activity with TACACS+ Servers
Authorizing User Activity with RADIUS Servers
Keeping Accounting Records of User Activity
AAA Cut-Through Proxy Configuration Examples
5-6: Firewall Password Recovery
Chapter 6 Controlling Access Through the Firewall
6-1: Routed and Transparent Firewall Modes
Configuring a Transparent Firewall
Handling Connections Through an Address Translation
Limiting Embryonic Connections
Dynamic Address Translation (NAT or PAT)
Controlling Access with Medium Security Interfaces
6-3: Controlling Access with Access Lists
Adding an ACE to an Access List
Adding Descriptions to an Access List
Defining a Time Range to Activate an ACE
Defining Network Object Groups
Defining Protocol Object Groups
Defining ICMP Type Object Groups
Defining Basic Service Object Groups
Defining an Enhanced Service Object Group
Using Object Groups in an Access List
Using a Web Cache for Better HTTP Performance
7-2: Defining Security Policies in a Modular Policy Framework
Classifying Layers 3 and 4 Traffic
Match Against a Destination Port Number
Match Against a Range of Real-Time Transport Protocol (RTP) Port Numbers
Match Against a VPN Tunnel Group
Classifying Management Traffic
Set Connection Limits on the Matched Traffic
Adjust TCP Options for the Matched Traffic
Send the Matched Traffic to an IPS Module
Send the Matched Traffic to a CSC Module
Use a Policer to Limit the Matched Traffic Bandwidth
Give Priority Service (LLQ) to Matched Traffic
Configuring Application Inspection
Matching Text with Regular Expressions
Configuring FTP Inspection—ASA 7.2(1) or Later
Configuring FTP Inspection—FWSM and ASA 7.0-7.1
Configuring GTP Inspection—ASA 7.2(1) and Later
Configuring GTP Inspection—FWSM and ASA 7.0-7.1
Configuring HTTP Inspection—ASA 7.2(1) and Later
Configuring HTTP Inspection—FWSM and ASA 7.0-7.1
Configuring Instant Messaging (IM) Inspection
Configuring IPSec Passthru Inspection
Configuring MGCP Inspection—ASA 7.2(1) and Later
Configuring an MGCP Map—FWSM and ASA 7.0-7.1
Configuring NetBIOS Inspection
Configuring RADIUS Accounting Inspection
Chapter 8 Increasing Firewall Availability with Failover
8-1: Firewall Failover Overview
Active-Active Failover Requirements
8-2: Configuring Firewall Failover
8-3: Firewall Failover Configuration Examples
Active-Standby Failover Example with PIX Firewalls
Active-Standby Failover Example with FWSM
Active-Active Failover Example
Primary Firewall Configuration
Secondary Firewall Configuration
Allocating Interfaces to the Contexts
Configuring Interfaces in Each Context
8-4: Managing Firewall Failover
Displaying Information About Failover
Displaying the Current Failover Status
Displaying the LAN-Based Failover Interface Status
Displaying a History of Failover State Changes
Manually Intervening in Failover
Resetting a Failed Firewall Unit
Executing Commands on a Failover Peer
8-5: Upgrading Firewalls in Failover Mode
Manually Upgrading a Failover Pair
Automatically Upgrading a Failover Pair
Chapter 9 Firewall Load Balancing
9-1: Firewall Load-Balancing Overview
9-2: Firewall Load-Balancing in Software
IOS Firewall Load-Balancing Example
Outside IOS FWLB Configuration
Displaying Information About IOS FWLB
9-3: Firewall Load-Balancing in Hardware
FWLB in Hardware Configuration Notes
CSM Firewall Load-Balancing Example
Outside CSM FWLB Configuration
Displaying Information About CSM FWLB
9-4: Firewall Load-Balancing Appliance
CSS Appliance Firewall Load-Balancing Example
Outside CSS FWLB Configuration
Displaying Information About CSS FWLB
10-1: Managing the Firewall Clock
10-2: Generating Logging Messages
Configuring Basic Logging Parameters
Log to an Interactive Firewall Session
Log to the Firewall’s Internal Buffer
Log to an SNMP Management Station
Logging to a Secure Syslog Server Using SSL
Logging to an ASDM Management Application
Verifying Message Logging Activity
Manually Testing Logging Message Generation
10-3: Fine-Tuning Logging Message Generation
Changing the Message Severity Level
Chapter 11 Verifying Firewall Operation
11-1: Checking Firewall Vital Signs
Checking Stateful Inspection Resources
Checking Inspection Engine and Service Policy Activity
Verifying Failover Communication
Determining If a Failover Has Occurred
Determining the Cause of a Failover
An Example of Finding the Cause of a Failover
Intervening in a Failover Election
11-2: Watching Data Pass Through a Firewall
Getting Results from a Capture Session
Using a Capture Session to Display Trunk Contents
Copying Capture Buffer Contents
Using the ASDM Packet Capture Wizard
Capturing FWSM Packets Inside the Switch
11-3: Verifying Firewall Connectivity
Step 1: Test with Ping Packets
Step 3: Check the Routing Table
Step 4: Use Traceroute to Verify the Forwarding Path
Using Traceroute on the Firewall
Step 5: Check the Access Lists
Step 6: Verify the Address Translation and Connection Tables
Adjusting Table Timeout Values
Step 8: Check User Authentication
12-1: Initially Configuring an ASA SSM
Preparing the ASA for SSM Management Traffic
Connecting and Configuring the SSM Management Interface
Configuring the ASA to Divert Traffic to the CSC SSM
Configuring the Initial CSC SSM Settings
Repairing the Initial CSC Configuration
Connecting to the CSC Management Interface
Configuring CSC Inspection Policies
Configure Web (HTTP) Inspection Policies
Configuring URL Filtering Rules
Configuring URL Filtering Settings
Configuring HTTP File Blocking
Configuring File Transfer (FTP) Inspection Policies
Configuring Mail (SMTP and POP3) Inspection Policies
Configuring General SMTP Mail Handling
Manually Updating the AIP Code or Signature Files
Automatically Updating AIP Image and Signature Files
Working with Signature Definitions
Working with Event Action Rules
Working with Anomaly Detection Policies
Appendix A Well-Known Protocol and Port Numbers