Cisco ASA: All-in-One Firewall, IPS, Anti-X, and VPN Adaptive Security Appliance, Second Edition

Jazib Frahim, CCIE No. 5459
Omar Santos


800 East 96th Street
Indianapolis, IN 46240

Cisco ASA: All-in-One Firewall, IPS, Anti-X, and VPN Adaptive Security Appliance, Second Edition

Jazib Frahim, Omar Santos

Copyright © 2010 Cisco Systems, Inc.

Published by:
Cisco Press
800 East 96th Street
Indianapolis, IN 46240 USA

All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in a review.

Printed in the United States of America

Third Printing July 2011

Library of Congress Cataloging-in-Publication data is on file.

ISBN-13: 978-1-58705-819-6
ISBN-10: 1-58705-819-7

Warning and Disclaimer

This book is designed to provide information about Cisco ASA. Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied.

The information is provided on an “as is” basis. The authors, Cisco Press, and Cisco Systems, Inc., shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the discs or programs that may accompany it.

The opinions expressed in this book belong to the author and are not necessarily those of Cisco Systems, Inc.

Trademark Acknowledgments

All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Cisco Press or Cisco Systems, Inc., cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.

Corporate and Government Sales

The publisher offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales, which may include electronic versions and/or custom covers and content particular to your business, training goals, marketing focus, and branding interests. For more information, please contact:

U.S. Corporate and Government Sales
1-800-382-3419
[email protected]

For sales outside the United States please contact:

International Sales
[email protected]

Feedback Information

At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members from the professional technical community.

Readers’ feedback is a natural continuation of this process. If you have any comments regarding how we could improve the quality of this book, or otherwise alter it to better suit your needs, you can contact us through email at [email protected]. Please make sure to include the book title and ISBN in your message.

We greatly appreciate your assistance.

Publisher: Paul Boger

Associate Publisher: Dave Dusthimer

Executive Editor: Brett Bartow

Managing Editor: Patrick Kanouse

Project Editor: Seth Kerney

Book and Cover Designer: Louisa Adair

Composition: Mark Shirar

Proofreaders: Water Crest Publishing, Inc., Apostrophe Editing Services

Business Operation Manager, Cisco Press: Anand Sundaram

Manager Global Certification: Erik Ullanderson

Technical Editors: Randy Ivener, Jay Johnston

Development Editors: Kimberley Debus, Dayna Isley

Copy Editor: Margo Catts

Editorial Assistant: Vanessa Evans

Indexer: Ken Johnson


Americas Headquarters
Cisco Systems, Inc.
San Jose, CA

Asia Pacific Headquarters
Cisco Systems (USA) Pte. Ltd.
Singapore

Europe Headquarters
Cisco Systems International BV
Amsterdam, The Netherlands

Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco Website at www.cisco.com/go/offices.

CCDE, CCENT, Cisco Eos, Cisco HealthPresence, the Cisco logo, Cisco Lumin, Cisco Nexus, Cisco StadiumVision, Cisco TelePresence, Cisco WebEx, DCE, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn and Cisco Store are service marks; and Access Registrar, Aironet, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, EtherFast, EtherSwitch, Event Center, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, iQuick Study, IronPort, the IronPort logo, LightStream, Linksys, MediaTone, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerPanels, ProConnect, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.

All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0812R)

About the Authors

Jazib Frahim, CCIE No. 5459, has been with Cisco Systems for more than ten years. With a bachelor’s degree in computer engineering from Illinois Institute of Technology, he started out as a TAC engineer in the LAN Switching team. He then moved to the TAC Security team, where he acted as a technical leader for the security products. He led a team of 20 engineers in resolving complicated security and VPN technologies. He is currently working as a technical leader in the Worldwide Security Services Practice of Advanced Services for Network Security. He is responsible for guiding customers in the design and implementation of their networks with a focus on network security. He holds two CCIEs, one in routing and switching and the other in security. He has written numerous Cisco online technical documents and has been an active member on the Cisco online forum NetPro. He has presented at Networkers on multiple occasions and has taught many on-site and online courses to Cisco customers, partners, and employees.

While working for Cisco, he pursued his master of business administration (MBA) degree from North Carolina State University.

He is also an author of the following Cisco Press books:

Cisco ASA: All-in-One Firewall, IPS, and VPN Adaptive Security Appliance

Cisco Network Admission Control, Volume II: NAC Deployment and Troubleshooting

SSL Remote Access VPNs

Omar Santos is an incident manager at Cisco’s Product Security Incident Response Team (PSIRT). Omar has designed, implemented, and supported numerous secure networks for Fortune 500 companies and the U.S. government, including the United States Marine Corps (USMC) and the U.S. Department of Defense (DoD). He is also the author of many Cisco online technical documents and configuration guidelines. Prior to his current role, he was a technical leader within the World Wide Security Practice and Cisco’s Technical Assistance Center (TAC), where he taught, led, and mentored many engineers within both organizations.

Omar has also delivered numerous technical presentations to Cisco customers and partners, as well as executive presentations to CEOs, CIOs, and CSOs of many organizations. He is also the author of the following Cisco Press books:

Cisco ASA: All-in-One Firewall, IPS, and VPN Adaptive Security Appliance

Cisco Network Admission Control, Volume II: NAC Deployment and Troubleshooting

End-to-End Network Security: Defense-in-Depth

About the Technical Reviewers

Randy Ivener, CCIE No. 10722, is a security engineer in the Cisco Security Research and Operations team. He is a CISSP and PMI PMP. He has spent many years as a network security consultant helping companies understand and secure their networks. Randy has presented security topics at industry events including Blackhat and Cisco Networkers. Before becoming immersed in information security, he spent time in software development and as a training instructor. Randy graduated from the U.S. Naval Academy and holds an MBA.

Jay Johnston, CCIE No. 17663, is a security specialist in the Cisco TAC center located in Research Triangle Park, North Carolina. His networking career began in 2002 when he joined Cisco as a co-op while attending North Carolina State University. After graduating with a bachelor’s degree in computer science in 2004, he joined Cisco full time as a TAC Engineer. He obtained his Security CCIE in 2007. He enjoys working for Cisco, especially the constant technical challenges that working with customers in the TAC provides.

Dedications

Jazib Frahim: I would like to dedicate this book to my lovely wife, Sadaf, who has patiently put up with me during the writing process.

I would also like to dedicate this book to my parents, Frahim and Perveen, who support and encourage me in all my endeavors.

Finally, I would like to thank my siblings, including my brother Shazib and sisters Erum and Sana, sister-in-law Asiya, my cute nephew Shayan, and my adorable nieces Shiza and Alisha. Thank you for your patience and understanding during the development of this book.

Omar Santos: I would like to dedicate this book to my lovely wife, Jeannette, and my two beautiful children, Hannah and Derek, who have inspired and supported me throughout the development of this book.

I also dedicate this book to my parents, Jose and Generosa. Without their knowledge, wisdom, and guidance, I would not have the goals that I strive to achieve today.

Acknowledgments

We would like to thank the technical editors, Randy Ivener and Jay Johnston, for their time and technical expertise. They verified our work and corrected us in all the major and minor mistakes that were hard to find. Special thanks go to Aun Raza for reviewing many chapters prior to final editing.

We would like to thank the Cisco Press team, especially Brett Bartow, Dayna Isley, Kimberley Debus, and Andrew Cupp for their patience, guidance, and consideration. Their efforts are greatly appreciated.

Many thanks to our Cisco management team, including David Philips, Ken Cavanagh, and Jean Reese for their continuous support. They highly encouraged us throughout this project.

Kudos to the Cisco ASA product development team for delivering such a great product. Their support is also greatly appreciated during the development of this book.

Finally, we would like to acknowledge the Cisco TAC. Some of the best and brightest minds in the networking industry work there, supporting our Cisco customers often under very stressful conditions and working miracles daily. They are truly unsung heroes, and we are all honored to have had the privilege of working side by side with them in the trenches of the TAC.

Contents at a Glance

Introduction

Part I: Product Overview

Chapter 1 Introduction to Security Technologies

Chapter 2 Cisco ASA Product and Solution Overview

Chapter 3 Initial Setup and System Maintenance

Part II: Firewall Technology

Chapter 4 Controlling Network Access

Chapter 5 IP Routing

Chapter 6 Authentication, Authorization, and Accounting (AAA)

Chapter 7 Application Inspection

Chapter 8 Virtualization

Chapter 9 Transparent Firewalls

Chapter 10 Failover and Redundancy

Chapter 11 Quality of Service

Part III: Intrusion Prevention System (IPS) Solutions

Chapter 12 Configuring and Troubleshooting Intrusion Prevention System (IPS)

Chapter 13 Tuning and Monitoring IPS

Part IV: Content Security

Chapter 14 Configuring Cisco Content Security and Control Security Services Module

Chapter 15 Monitoring and Troubleshooting the Cisco Content Security and Control Security Services Module

Part V: Virtual Private Network (VPN) Solutions

Chapter 16 Site-to-Site IPSec VPNs

Chapter 17 IPSec Remote-Access VPNs

Chapter 18 Public Key Infrastructure (PKI)

Chapter 19 Clientless Remote-Access SSL VPNs

Chapter 20 Client-Based Remote-Access SSL VPNs

Index

Contents

Introduction

Part I: Product Overview

Chapter 1 Introduction to Security Technologies

Firewalls

Network Firewalls

Stateful Inspection Firewalls

Deep Packet Inspection

Personal Firewalls

Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS)

Pattern Matching and Stateful Pattern-Matching Recognition

Protocol Analysis

Heuristic-Based Analysis

Anomaly-Based Analysis

Virtual Private Networks

Technical Overview of IPSec

SSL VPNs

Summary

Chapter 2 Cisco ASA Product and Solution Overview

Cisco ASA 5505 Model

Cisco ASA 5510 Model

Cisco ASA 5520 Model

Cisco ASA 5540 Model

Cisco ASA 5550 Model

Cisco ASA 5580-20 and 5580-40 Models

Cisco ASA 5580-20

Cisco ASA 5580-40

Cisco ASA AIP-SSM Module

Cisco ASA AIP-SSM-10

Cisco ASA AIP-SSM-20

Cisco ASA AIP-SSM-40

Cisco ASA Gigabit Ethernet Modules

Cisco ASA 4GE-SSM

Cisco ASA 5580 Expansion Cards

Cisco ASA CSC-SSM Module

Summary

Chapter 3 Initial Setup and System Maintenance

Accessing the Cisco ASA Appliances

Establishing a Console Connection

Command-Line Interface

Managing Licenses

Initial Setup

Initial Setup via CLI

Initial Setup of ASDM

Device Setup

Setting Up Device Name and Passwords

Configuring an Interface

DHCP Services

IP Version 6

IPv6 Header

Configuring IPv6

Setting Up the System Clock

Manual Clock Adjustment

Automatic Clock Adjustment Using the Network Time Protocol

Configuration Management

Running Configuration

Startup Configuration

Removing the Device Configuration

Remote System Management

Telnet

Secure Shell (SSH)

System Maintenance

Software Installation

Password Recovery Process

Disabling the Password Recovery Process

System Monitoring

System Logging

NetFlow Secure Event Logging (NSEL)

Simple Network Management Protocol (SNMP)

Device Monitoring and Troubleshooting

CPU and Memory Monitoring

Troubleshooting Device Issues

Summary

Part II: Firewall Technology

Chapter 4 Controlling Network Access

Packet Filtering

Types of ACLs

Comparing ACL Features

Configuring Traffic Filtering

Thru-Traffic Filtering via CLI

Thru-Traffic Filtering via ASDM

To-The-Box-Traffic Filtering

Set Up an IPv6 ACL (Optional)

Advanced ACL Features

Object Grouping

Standard ACLs

Time-Based ACLs

Downloadable ACLs

ICMP Filtering

Content and URL Filtering

Content Filtering

URL Filtering

Deployment Scenarios for Traffic Filtering

Using ACLs to Filter Inbound Traffic

Using Websense to Enable Content Filtering

Monitoring Network Access Control

Monitoring ACLs

Monitoring Content Filtering

Understanding Address Translation

Network Address Translation

Port Address Translation

Address Translation and Interface Security Levels

Packet Flow Sequence

Security Protection Mechanisms Within Address Translation

Configuring Address Translation

Bypassing Address Translation

NAT Order of Operation

Integrating ACLs and NAT

DNS Doctoring

Monitoring Address Translations

Summary

Chapter 5 IP Routing

Configuring Static Routes

Static Route Monitoring

Displaying the Routing Table

RIP

Configuring RIP

RIP Authentication

RIP Route Filtering

Configuring RIP Redistribution

Troubleshooting RIP

OSPF

Configuring OSPF

Troubleshooting OSPF

EIGRP

Configuring EIGRP

Troubleshooting EIGRP

IP Multicast

IGMP Stub Mode

PIM Sparse Mode

Configuring Multicast Routing

Troubleshooting IP Multicast Routing

Summary

Chapter 6 Authentication, Authorization, and Accounting (AAA)

AAA Protocols and Services Supported by Cisco ASA

RADIUS

TACACS+

RSA SecurID

Microsoft Windows NT

Active Directory and Kerberos

Lightweight Directory Access Protocol

HTTP Form Protocol

Defining an Authentication Server

Configuring Authentication of Administrative Sessions

Authenticating Telnet Connections

Authenticating SSH Connections

Authenticating Serial Console Connections

Authenticating Cisco ASDM Connections

Authenticating Firewall Sessions (Cut-Through Proxy Feature)

Authentication Timeouts

Customizing Authentication Prompts

Configuring Authorization

Command Authorization

Configuring Downloadable ACLs

Configuring Accounting

RADIUS Accounting

TACACS+ Accounting

Troubleshooting Administrative Connections to Cisco ASA

Troubleshooting Firewall Sessions (Cut-Through Proxy)

Summary

Chapter 7 Application Inspection

Enabling Application Inspection

Selective Inspection

Computer Telephony Interface Quick Buffer Encoding Inspection

Distributed Computing Environment Remote Procedure Calls (DCERPC)

Domain Name System

Extended Simple Mail Transfer Protocol

File Transfer Protocol

General Packet Radio Service Tunneling Protocol

GTPv0

GTPv1

Configuring GTP Inspection

H.323

H.323 Protocol Suite

H.323 Version Compatibility

Enabling H.323 Inspection

Direct Call Signaling and Gatekeeper Routed Control Signaling

T.38

Unified Communications Advanced Support

Phone Proxy

TLS Proxy

Mobility Proxy

Presence Federation Proxy

HTTP

Enabling HTTP Inspection

ICMP

ILS

Instant Messenger (IM)

IPSec Pass-Through

MGCP

NetBIOS

PPTP

Sun RPC

RSH

RTSP

SIP

Skinny (SCCP)

SNMP

SQL*Net

TFTP

WAAS

XDMCP

Summary

Chapter 8 Virtualization

Architectural Overview

System Execution Space

Admin Context

User Context

Packet Classification

Packet Flow in Multiple Mode

Configuration of Security Contexts

Step 1: Enable Multiple Security Contexts Globally

Step 2: Set Up the System Execution Space

Step 3: Allocate Interfaces

Step 4: Specify a Configuration URL

Step 5: Configure an Admin Context

Step 6: Configure a User Context

Step 7: Manage the Security Contexts (Optional)

Step 8: Resource Management (Optional)

Deployment Scenarios

Virtual Firewalls That Use Non-Shared Interfaces

Virtual Firewalls That Use a Shared Interface

Monitoring and Troubleshooting the Security Contexts

Monitoring

Troubleshooting

Summary

Chapter 9 Transparent Firewalls

Architectural Overview

Single-Mode Transparent Firewalls

Multimode Transparent Firewalls

Restrictions Within Transparent Firewalls

Transparent Firewalls and VPNs

Transparent Firewalls and NAT

Configuration of Transparent Firewalls

Configuration Guidelines

Configuration Steps

Deployment Scenarios

SMTF Deployment

MMTF Deployment with Security Contexts

Monitoring and Troubleshooting the Transparent Firewalls

Monitoring

Troubleshooting

Summary

Chapter 10 Failover and Redundancy

Architectural Overview

Conditions that Trigger Failover

Failover Interface Tests

Stateful Failover

Hardware and Software Requirements

Types of Failover

Interface-Level Failover

Failover Configuration

Device-Level Redundancy Configuration

ASDM Failover Wizard Configuration

Interface Level Redundancy Configuration

Optional Failover Commands

Zero-Downtime Software Upgrade

Deployment Scenarios

Active/Standby Failover in Single Mode

Active/Active Failover in Multiple Security Contexts

Monitoring and Troubleshooting Failovers

Monitoring

Troubleshooting

Summary

Chapter 11 Quality of Service

QoS Types

Traffic Prioritization

Traffic Policing

Traffic Shaping

QoS Architecture

Packet Flow Sequence

Packet Classification

QoS and VPN Tunnels

Configuring Quality of Service

QoS Configuration via ASDM

QoS Configuration via CLI

QoS Deployment Scenarios

QoS for VoIP Traffic

QoS for the Remote-Access VPN Tunnels

Monitoring QoS

Summary

Part III: Intrusion Prevention System (IPS) Solutions

Chapter 12 Configuring and Troubleshooting Intrusion Prevention System (IPS)

Overview of the Adaptive Inspection Prevention Security Services Module (AIP-SSM) and Adaptive Inspection Prevention Security Services Card (AIP-SSC)

AIP-SSM and AIP-SSC Management

Inline Versus Promiscuous Mode

Cisco IPS Software Architecture

MainApp

SensorApp

Attack Response Controller

AuthenticationApp

cipsWebserver

Logger

EventStore

CtlTransSource

Configuring the AIP-SSM

Introduction to the CIPS CLI

User Administration

AIP-SSM Maintenance

Adding Trusted Hosts

Upgrading the CIPS Software and Signatures

Displaying Software Version and Configuration Information

Backing Up Your Configuration

Displaying and Clearing Events

Advanced Features and Configuration

Custom Signatures

IP Logging

Configuring Blocking (Shunning)

Cisco Security Agent Integration

Anomaly Detection

Cisco ASA Botnet Detection

Dynamic and Administrator Blacklist Data

DNS Snooping

Traffic Classification

Summary

Chapter 13 Tuning and Monitoring IPS

IPS Tuning

Disabling IPS Signatures

Retiring IPS Signatures

Monitoring and Tuning the AIP-SSM Using CS-MARS

Adding the AIP-SSM in CS-MARS

Tuning the AIP-SSM Using CS-MARS

Displaying and Clearing Statistics

Summary

Part IV: Content Security

Chapter 14 Configuring Cisco Content Security and Control Security Services Module

Initial CSC SSM Setup

Configuring CSC SSM Web-Based Features

URL Blocking and Filtering

File Blocking

HTTP Scanning

Configuring CSC SSM Mail-Based Features

SMTP Scanning

SMTP Anti-Spam

SMTP Content Filtering

POP3 Support

Configuring CSC SSM File Transfer Protocol (FTP)

Configuring FTP Scanning

FTP File Blocking

Summary

Chapter 15 Monitoring and Troubleshooting the Cisco Content Security and Control Security Services Module

Monitoring the CSC SSM

Detailed Live Event Monitoring

Configuring Syslog

Troubleshooting the CSC SSM

Re-Imaging the CSC SSM

Password Recovery

Configuration Backup

Upgrading the CSC SSM Software

CLI Troubleshooting Tools

Summary

Part V: Virtual Private Network (VPN) Solutions

Chapter 16 Site-to-Site IPSec VPNs

Preconfiguration Checklist

Configuration Steps

Step 1: Enable ISAKMP

Step 2: Create the ISAKMP Policy

Step 3: Set Up the Tunnel Groups

Step 4: Define the IPSec Policy

Step 5: Create a Crypto Map

Step 6: Configure Traffic Filtering (Optional)

Step 7: Bypass NAT (Optional)

Alternate Configuration Methods Through ASDM

Advanced Features

OSPF Updates over IPSec

Reverse Route Injection

NAT Traversal

Tunnel Default Gateway

Management Access

Perfect Forward Secrecy

Modifying Default Parameters

Security Association Lifetimes

Phase 1 Mode

Connection Type

ISAKMP Keepalives

IPSec and Packet Fragmentation

Deployment Scenarios

Single Site-to-Site Tunnel Configuration Using NAT-T

Fully Meshed Topology with RRI

Monitoring and Troubleshooting Site-to-Site IPSec VPNs

Monitoring Site-to-Site VPNs

Troubleshooting Site-to-Site VPNs

Summary

Chapter 17 IPSec Remote-Access VPNs

Cisco IPSec Remote Access VPN Solution

IPSec Remote-Access Configuration Steps

Step 2: Create the ISAKMP Policy

Step 3: Set Up Tunnel and Group Policies

Step 4: Define the IPSec Policy

Step 5: Configure User Authentication

Step 6: Assign an IP Address

Step 7: Create a Crypto Map

Step 8: Configure Traffic Filtering (Optional)

Step 9: Bypass NAT (Optional)

Step 10: Set Up Split Tunneling (Optional)

Step 11: Assign DNS and WINS (Optional)

Alternate Configuration Method through ASDM

Cisco VPN Client Configuration

Advanced Cisco IPSec VPN Features

Tunnel Default Gateway

Transparent Tunneling

IPSec Hairpinning

VPN Load Balancing

Client Firewalling

Hardware-Based Easy VPN Client Features

L2TP Over IPSec Remote Access VPN Solution

L2TP over IPSec Remote-Access Configuration Steps

Windows L2TP over IPSec Client Configuration

Deployment Scenarios

Load Balancing of Cisco IPSec Clients and Site-to-Site Integration

L2TP over IPSec with Traffic Hairpinning

Monitoring and Troubleshooting Cisco Remote-Access VPN

Monitoring Cisco Remote Access IPSec VPNs

Troubleshooting Cisco IPSec VPN Clients

Summary

Chapter 18 Public Key Infrastructure (PKI)

Introduction to PKI

Certificates

Certificate Authority (CA)

Certificate Revocation List

Simple Certificate Enrollment Protocol

Installing Certificates

Installing Certificates Through ASDM

Installing Certificates Using the CLI

The Local Certificate Authority

Configuring the Local CA Through ASDM

Configuring the Local CA Using the CLI

Enrolling Local CA Users Through ASDM

Enrolling Local CA Users Through the CLI

Configuring IPSec Site-to-Site Tunnels Using Certificates

Configuring the Cisco ASA to Accept Remote-Access IPSec VPN Clients Using Certificates

Enrolling the Cisco VPN Client

Configuring the Cisco ASA

Troubleshooting PKI

Time and Date Mismatch

SCEP Enrollment Problems

CRL Retrieval Problems

Summary

Chapter 19 Clientless Remote-Access SSL VPNs

SSL VPN Design Considerations

User Connectivity

ASA Feature Set

Infrastructure Planning

Implementation Scope

SSL VPN Prerequisites

SSL VPN Licenses

Client Operating System and Browser and Software Requirements

Infrastructure Requirements

Pre-SSL VPN Configuration Guide

Enroll Digital Certificates (Recommended)

Set Up Tunnel and Group Policies

Set Up User Authentication

Clientless SSL VPN Configuration Guide

Enable Clientless SSL VPN on an Interface

Configure SSL VPN Portal Customization

Configure Bookmarks

Configure Web-Type ACLs

Configure Application Access

Configure Client-Server Plug-ins

Cisco Secure Desktop

CSD Components

CSD Requirements

CSD Architecture

Configuring CSD

Host Scan

Host Scan Modules

Configuring Host Scan

Dynamic Access Policies

DAP Architecture

DAP Sequence of Events

Configuring DAP

Deployment Scenarios

Step 1: Define Clientless Connections

Step 2: Configure DAP

Monitoring and Troubleshooting SSL VPN

Monitoring SSL VPN

Troubleshooting SSL VPN

Summary

Chapter 20 Client-Based Remote-Access SSL VPNs

SSL VPN Deployment Considerations

AnyConnect Licenses

Cisco ASA Design Considerations

SSL VPN Prerequisites

Client Operating System and Browser and Software Requirements

Infrastructure Requirements

Pre-SSL VPN Configuration Guide

Enrolling Digital Certificates (Recommended)

Setting Up Tunnel and Group Policies

Setting Up User Authentication

AnyConnect VPN Client Configuration Guide

Loading the AnyConnect Package

Defining AnyConnect SSL VPN Client Attributes

Advanced Full Tunnel Features

AnyConnect Client Configuration

Deployment Scenario of AnyConnect Client

Step 1: Set Up CSD For Registry Check

Step 2: Set Up RADIUS for Authentication

Step 3: Configure AnyConnect SSL VPN

Step 4: Enable Address Translation for Internet Access

Monitoring and Troubleshooting AnyConnect SSL VPNs

Monitoring SSL VPN

Troubleshooting SSL VPN

Summary

Index

Icons Used in This Book

[Figure: icons used in this book]

Command Syntax Conventions

The conventions used to present command syntax in this book are the same conventions used in the IOS Command Reference. The Command Reference describes these conventions as follows:

• Boldface indicates commands and keywords that are entered literally as shown. In actual configuration examples and output (not general command syntax), boldface indicates commands that are manually input by the user (such as a show command).

• Italic indicates arguments for which you supply actual values.

• Vertical bars (|) separate alternative, mutually exclusive elements.

• Square brackets ([ ]) indicate an optional element.

• Braces ({ }) indicate a required choice.

• Braces within brackets ([{ }]) indicate a required choice within an optional element.

Introduction

Network security has always been a challenge for many organizations that cannot deploy separate devices to provide firewall, intrusion prevention, and virtual private network (VPN) services. The Cisco ASA is a high-performance, multifunction security appliance that offers firewall, IPS, network antivirus, and VPN services. The Cisco ASA delivers these features through improved network integration, resiliency, and scalability.

This book is an insider’s guide to planning, implementing, configuring, and troubleshooting the Cisco Adaptive Security Appliances. It delivers expert guidance from senior Cisco network security consulting engineers. It demonstrates how adaptive identification and mitigation services on the Cisco ASA provide a sophisticated network security solution to small, medium, and large organizations. This book brings together expert guidance for virtually every challenge you will face—from building basic network security policies to advanced VPN and IPS implementations.

Who Should Read This Book?

This book serves as a guide for any network professional who manages network security or installs and configures firewalls, VPN devices, or intrusion detection/prevention systems. It encompasses topics from an introductory level to advanced topics on security and VPNs. The requirements of the reader include a basic knowledge of TCP/IP and networking.

How This Book Is Organized

This book has five parts, which provide a Cisco ASA product introduction and then focus on firewall features, intrusion prevention, content security, and VPNs. Each part includes many sample configurations, accompanied by in-depth analyses of design scenarios. Your learning is further enhanced by a discussion of a set of debugs included in each technology. Ground-breaking features, such as SSL VPN and virtual and Layer 2 firewalls, are discussed extensively.

The core chapters, Chapters 2 through 12, cover the following topics:

Part I, “Product Overview,” includes the following chapters:

Chapter 1, “Introduction to Security Technologies”—This chapter provides an overview of different technologies that are supported by the Cisco ASA and widely used by today’s network security professionals.

Chapter 2, “Cisco ASA Product and Solution Overview”—This chapter describes how the Cisco ASA incorporates features from each of these products, integrating comprehensive firewall, intrusion detection and prevention, and VPN technologies in a cost-effective, single-box format. Additionally, it provides a hardware overview of the Cisco ASA, including detailed technical specifications and installation guidelines. It also covers an overview of the Adaptive Inspection and Prevention Security Services Module (AIP-SSM) and Content Security and Control Security Services Module (CSC-SSM).

Chapter 3, “Initial Setup and System Maintenance”—A comprehensive list of initial setup tasks and system maintenance procedures is included in this chapter. These tasks and procedures are intended to be used by network professionals who will be installing, configuring, and managing the Cisco ASA.

Part II, “Firewall Technology,” includes the following chapters:

Chapter 4, “Controlling Network Access”—The Cisco ASA can protect one or more networks from intruders. Connections between these networks can be carefully controlled by advanced firewall capabilities, enabling you to ensure that all traffic from and to the protected networks passes only through the firewall based on the organization’s security policy. This chapter shows you how to implement your organization’s security policy, using the features the Cisco ASA provides.

Chapter 5, “IP Routing”—This chapter covers the different routing capabilities of the Cisco ASA.

Chapter 6, “Authentication, Authorization, and Accounting (AAA)”—The Cisco ASA supports a wide range of AAA features. This chapter provides guidelines on how to configure AAA services by defining a list of authentication methods applied to various implementations.

Chapter 7, “Application Inspection”—The Cisco ASA stateful application inspection helps to secure the use of applications and services in your network. This chapter describes how to use and configure application inspection.

Chapter 8, “Virtualization”—The Cisco ASA virtual firewall feature introduces the concept of operating multiple instances of firewalls (contexts) within the same hardware platform. This chapter shows how to configure and troubleshoot each of these security contexts.

Chapter 9, “Transparent Firewalls”—This chapter introduces the transparent (Layer 2) firewall model within the Cisco ASA. It explains how users can configure the Cisco ASA in transparent single mode and multiple mode while accommodating their security needs.

Chapter 10, “Failover and Redundancy”—This chapter discusses the different redundancy and failover mechanisms that the Cisco ASA provides. It includes not only the overview and configuration, but also detailed troubleshooting procedures.

Chapter 11, “Quality of Service”—QoS is a network feature that lets you give priority to certain types of traffic. This chapter covers how to configure and troubleshoot QoS in the Cisco ASA.

Part III, “Intrusion Prevention System (IPS) Solutions,” includes the following chapters:

Chapter 12, “Configuring and Troubleshooting Intrusion Prevention System (IPS)”—Intrusion detection and prevention systems provide a level of protection beyond the firewall by securing the network against internal and external attacks and threats. This chapter describes the integration of Intrusion Prevention System (IPS) features within the Cisco ASA and expert guidance on how to configure the AIP-SSM IPS software. Troubleshooting scenarios are also included to enhance learning.

Chapter 13, “Tuning and Monitoring IPS”—This chapter covers the IPS tuning process, as well as best practices on how to monitor IPS events.

Part IV, “Content Security,” includes the following chapters:

Chapter 14, “Configuring Cisco Content Security and Control Security Services Module”—The Content Security and Control Security Services Module (CSC-SSM) is used to detect and take action on viruses, worms, Trojans, and other security threats. It supports the inspection of SMTP, POP3, HTTP, and FTP network traffic. This chapter provides configuration and troubleshooting guidelines to successfully deploy the CSC-SSM within your organization.

Chapter 15, “Monitoring and Troubleshooting the Cisco Content Security and Control Security Services Module”—This chapter provides best practices and methodologies used while monitoring the CSC-SSM and troubleshooting any problems you may encounter.

Part V, “Virtual Private Network (VPN) Solutions,” includes the following chapters:

Chapter 16, “Site-to-Site IPSec VPNs”—The Cisco ASA supports IPSec VPN features that enable you to connect networks in different geographic locations. This chapter provides configuration and troubleshooting guidelines to successfully deploy site-to-site IPSec VPNs.

Chapter 17, “IPSec Remote-Access VPNs”—This chapter discusses two IPSec remote-access VPN solutions (Cisco IPSec and L2TP over IPSec) that are supported on the Cisco ASA. A large number of sample configurations and troubleshooting scenarios are provided.

Chapter 18, “Public Key Infrastructure (PKI)”—This chapter starts by introducing PKI concepts. It then covers the configuration and troubleshooting of PKI in the Cisco ASA.

Chapter 19, “Clientless Remote-Access SSL VPNs”—This chapter provides details about the Clientless SSL VPN functionality in Cisco ASA. This chapter covers the Cisco Secure Desktop (CSD) solution in detail and also discusses the Host Scan feature that is used to collect posture information about end-workstations. The dynamic access policy (DAP) feature, its usage, and detailed configuration examples are also provided. To reinforce learning, many different deployment scenarios are presented along with their configurations.

Chapter 20, “Client-Based Remote-Access SSL VPNs”—This chapter provides details about the AnyConnect SSL VPN functionality in Cisco ASA.
