Cisco ASA: All-in-One Next-Generation Firewall, IPS, and VPN Services




Cisco® ASA

All-in-One Next-Generation Firewall, IPS, and VPN Services, Third Edition


Identify, mitigate, and respond to today’s highly sophisticated network attacks.


Today, network attackers are far more sophisticated, relentless, and dangerous. In response, Cisco ASA: All-in-One Next-Generation Firewall, IPS, and VPN Services has been fully updated to cover the newest techniques and Cisco technologies for maximizing end-to-end security in your environment. Three leading Cisco security experts guide you through every step of creating a complete security plan with Cisco ASA, and then deploying, configuring, operating, and troubleshooting your solution.


Fully updated for today’s newest ASA releases, this edition adds new coverage of ASA 5500-X, ASA 5585-X, ASA Services Module, ASA next-generation firewall services, EtherChannel, Global ACLs, clustering, IPv6 improvements, IKEv2, AnyConnect Secure Mobility VPN clients, and more. The authors explain significant recent licensing changes; introduce enhancements to ASA IPS; and walk you through configuring IPsec, SSL VPN, and NAT/PAT.


You’ll learn how to apply Cisco ASA adaptive identification and mitigation services to systematically strengthen security in network environments of all sizes and types. The authors present up-to-date sample configurations, proven design scenarios, and actual debugs, all designed to help you make the most of Cisco ASA in your rapidly evolving network.


Jazib Frahim, CCIE® No. 5459 (Routing and Switching; Security), Principal Engineer in the Global Security Solutions team, guides top-tier Cisco customers in security-focused network design and implementation. He architects, develops, and launches new security services concepts. His books include Cisco SSL VPN Solutions and Cisco Network Admission Control, Volume II: NAC Deployment and Troubleshooting.


Omar Santos, CISSP No. 463598, Cisco Product Security Incident Response Team (PSIRT) technical leader, leads and mentors engineers and incident managers in investigating and resolving vulnerabilities in Cisco products and protecting Cisco customers. Through 18 years in IT and cybersecurity, he has designed, implemented, and supported numerous secure networks for Fortune® 500 companies and the U.S. government. He is also the author of several other books and numerous whitepapers and articles.


Andrew Ossipov, CCIE® No. 18483 and CISSP No. 344324, is a Cisco Technical Marketing Engineer focused on firewalls, intrusion prevention, and data center security. Drawing on more than 16 years in networking, he works to solve complex customer technical problems, architect new features and products, and define future directions for Cisco’s product portfolio. He holds several pending patents.


Understand, install, configure, license, maintain, and troubleshoot the newest ASA devices

Efficiently implement Authentication, Authorization, and Accounting (AAA) services

Control and provision network access with packet filtering, context-aware Cisco ASA next-generation firewall services, and new NAT/PAT concepts

Configure IP routing, application inspection, and QoS

Create firewall contexts with unique configurations, interfaces, policies, routing tables, and administration

Enable integrated protection against many types of malware and advanced persistent threats (APTs) via Cisco Cloud Web Security and Cisco Security Intelligence Operations (SIO)

Implement high availability with failover and elastic scalability with clustering

Deploy, troubleshoot, monitor, tune, and manage Intrusion Prevention System (IPS) features

Implement site-to-site IPsec VPNs and all forms of remote-access VPNs (IPsec, clientless SSL, and client-based SSL)

Configure and troubleshoot Public Key Infrastructure (PKI)

Use IKEv2 to more effectively resist attacks against VPNs

Leverage IPv6 support for IPS, packet inspection, transparent firewalls, and site-to-site IPsec VPNs




Product Details

  • ISBN-13: 9780132954419
  • Publisher: Pearson Education
  • Publication date: 5/12/2014
  • Format: eBook
  • Edition number: 3
  • Pages: 1248

Meet the Author

Jazib Frahim, CCIE No. 5459, is a Principal Engineer in the Global Security Services Practice at Cisco. He has been with Cisco for over 15 years, with a focus on cybersecurity and emerging security technologies. Jazib is also responsible for guiding customers in the design and implementation of security solutions and technologies in their networks with a focus on network security. He leads a team of solutions architects to guide them through the lifecycle of services and solutions development. Jazib has also been engaged in the development of a number of customer-focused services, such as managed threat defense, network-based identity, bring-your-own-device (BYOD), and many others. Jazib holds a bachelor’s degree in computer engineering from Illinois Institute of Technology and a master’s degree in business administration (MBA) from North Carolina State University. In addition to the CISSP, Jazib also holds two CCIEs, one in routing and switching and the other in security. He has presented at many industry events, such as Cisco Live, Interop, and ISSA, on multiple occasions. He has also authored and coauthored numerous technical documents, whitepapers, and books, including the following Cisco Press titles:


  • Cisco ASA: All-in-One Firewall, IPS, and VPN Adaptive Security Appliance
  • Cisco ASA: All-in-One Firewall, IPS, Anti-X, and VPN Adaptive Security Appliance, Second Edition
  • Cisco Network Admission Control, Volume II: NAC Deployment and Troubleshooting
  • SSL Remote Access VPNs


Omar Santos, CISSP No. 463598, is a Senior Incident Manager of Cisco’s Product Security Incident Response Team (PSIRT), where he mentors and leads engineers and incident managers during the investigation and resolution of security vulnerabilities in all Cisco products. Omar has designed, implemented, and supported numerous secure networks for Fortune 500 companies and the U.S. government. Prior to his current role, he was a technical leader within the World Wide Security Practice and Cisco’s Technical Assistance Center (TAC), where he taught, led, and mentored many engineers within both organizations. Omar is an active member of the security community, where he leads several industry-wide initiatives and standards bodies. His active role helps businesses, academic institutions, state and local law enforcement agencies, and other participants that are dedicated to increasing the security of the critical infrastructure. Omar has delivered numerous technical presentations at conferences and to Cisco customers and partners, as well as many C-level executive presentations to many organizations. He has authored numerous whitepapers, articles, and security configuration guidelines and best practices, and has also authored or coauthored the following Cisco Press books:


  • Cisco ASA: All-in-One Firewall, IPS, and VPN Adaptive Security Appliance
  • Cisco ASA: All-in-One Firewall, IPS, Anti-X, and VPN Adaptive Security Appliance, Second Edition
  • Cisco Network Admission Control, Volume II: NAC Deployment and Troubleshooting
  • End-to-End Network Security: Defense-in-Depth


Andrew Ossipov, CCIE No. 18483 and CISSP No. 344324, is currently a Technical Marketing Engineer at Cisco with primary concentration on firewall, intrusion prevention, and other Cisco Data Center Security solutions. With over 15 years of networking experience, Andrew previously worked with LAN switching, routing protocol, and network data storage technologies and performed academic research in the area of VoIP. At Cisco, Andrew is involved in a broad range of activities that include solving customers’ technical problems of the highest complexity, architecting features and products, and defining the future direction of the product portfolio. He is an inventor and co-inventor of multiple pending cross-technology patents. Andrew received his bachelor of science in computer engineering and master of science in electrical engineering degrees from Wichita State University.


Table of Contents


Chapter 1 Introduction to Security Technologies 1

Firewalls 2

    Network Firewalls 2

        Packet-Filtering Techniques 2

        Application Proxies 3

        Network Address Translation 3

        Stateful Inspection Firewalls 6

    Demilitarized Zones (DMZ) 7

    Deep Packet Inspection 8

    Next-Generation Context-Aware Firewalls 8

    Personal Firewalls 9

Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) 9

    Pattern Matching and Stateful Pattern-Matching Recognition 11

    Protocol Analysis 12

    Heuristic-Based Analysis 12

    Anomaly-Based Analysis 12

    Global Threat Correlation Capabilities 14

Virtual Private Networks 14

    Technical Overview of IPsec 16

        IKEv1 Phase 1 16

        IKEv1 Phase 2 20

        IKEv2 23

    SSL VPNs 23

Cisco AnyConnect Secure Mobility 25

Cloud and Virtualization Security 26


Chapter 2 Cisco ASA Product and Solution Overview 29

Cisco ASA Model Overview 30

Cisco ASA 5505 Model 31

Cisco ASA 5510 Model 35

Cisco ASA 5512-X Model 38

Cisco ASA 5515-X Model 40

Cisco ASA 5520 Model 41

Cisco ASA 5525-X Model 42

Cisco ASA 5540 Model 43

Cisco ASA 5545-X Model 44

Cisco ASA 5550 Model 45

Cisco ASA 5555-X Model 46

Cisco ASA 5585-X Models 47

Cisco Catalyst 6500 Series ASA Services Module 51

Cisco ASA 1000V Cloud Firewall 52

Cisco ASA Next-Generation Firewall Services (Formerly Cisco ASA CX) 53

Cisco ASA AIP-SSM Module 53

    Cisco ASA AIP-SSM-10 54

    Cisco ASA AIP-SSM-20 54

    Cisco ASA AIP-SSM-40 54

Cisco ASA Gigabit Ethernet Modules 55

    Cisco ASA SSM-4GE 55

    Cisco ASA 5580 Expansion Cards 56

    Cisco ASA 5500-X Series 6-Port GE Interface Cards 57


Chapter 3 Licensing 59

Licensed Features on ASA 59

    Basic Platform Capabilities 61

    Advanced Security Features 63

    Tiered Capacity Features 65

    Displaying License Information 66

Managing Licenses with Activation Keys 68

    Permanent and Time-Based Activation Keys 68

        Combining Keys 69

        Time-Based Key Expiration 70

    Using Activation Keys 71

Combined Licenses in Failover and Clustering 73

    License Aggregation Rules 73

    Aggregated Time-Based License Countdown 75

Shared Premium VPN Licensing 75

    Shared Server and Participants 76

        Shared License 76

        Shared Licensing Operation 76

    Configuring Shared Licensing 78

        Licensing Server 78

        Participants 79

        Backup Licensing Server 79

        Monitoring Shared Licensing Operation 80


Chapter 4 Initial Setup 81

Accessing the Cisco ASA Appliances 81

    Establishing a Console Connection 82

    Command-Line Interface 85

Managing Licenses 87

Initial Setup 90

    Initial Setup via CLI 90

    Initial Setup of ASDM 92

        Uploading ASDM 92

        Setting Up the Appliance 93

        Accessing ASDM 94

        Functional Screens of ASDM 97

Device Setup 100

    Setting Up a Device Name and Passwords 100

    Configuring an Interface 102

        Configuring a Data-Passing Interface 102

        Configuring a Subinterface 106

        Configuring an EtherChannel Interface 109

        Configuring a Management Interface 111

    DHCP Services 112

Setting Up the System Clock 114

    Manual Clock Adjustment 114

        Time Zone 114

        Date 116

        Time 116

    Automatic Clock Adjustment Using the Network Time Protocol 116


Chapter 5 System Maintenance 119

Configuration Management 119

    Running Configuration 119

    Startup Configuration 123

    Removing the Device Configuration 124

Remote System Management 126

    Telnet 126

    Secure Shell (SSH) 129

System Maintenance 132

    Software Installation 132

        Image Upgrade via Cisco ASDM 132

        Image Upgrade via the Cisco ASA CLI 133

        Image Upload Using ROMMON 136

    Password Recovery Process 137

    Disabling the Password Recovery Process 141

System Monitoring 144

    System Logging 144

        Enabling Logging 146

        Defining Event List 147

        Logging Types 149

        Defining a Syslog Server 153

        Defining an Email Server 154

        Storing Logs Internally and Externally 154

        Syslog Message ID Tuning 156

    NetFlow Secure Event Logging (NSEL) 156

        Step 1: Define a NetFlow Collector 157

        Step 2: Define a NetFlow Export Policy 159

    Simple Network Management Protocol (SNMP) 160

        Configuring SNMP 161

        SNMP Monitoring 164

Device Monitoring and Troubleshooting 165

    CPU and Memory Monitoring 165

    Troubleshooting Device Issues 168

        Troubleshooting Packet Issues 168

        Troubleshooting CPU Issues 172


Chapter 6 Cisco ASA Services Module 173

Cisco ASA Services Module Overview 173

    Hardware Architecture 174

    Host Chassis Integration 175

Managing Host Chassis 176

    Assigning VLAN Interfaces 177

    Monitoring Traffic Flow 178

Common Deployment Scenarios 180

    Internal Segment Firewalling 181

    Edge Protection 182

Trusted Flow Bypass with Policy Based Routing 183

    Traffic Flow 185

    Sample PBR Configuration 185


Chapter 7 Authentication, Authorization, and Accounting (AAA) Services 191

AAA Protocols and Services Supported by Cisco ASA 192

    RADIUS 194

    TACACS+ 195

    RSA SecurID 196

    Microsoft Windows NTLM 197

    Active Directory and Kerberos 197

    Lightweight Directory Access Protocol 197

Defining an Authentication Server 198

Configuring Authentication of Administrative Sessions 204

    Authenticating Telnet Connections 204

    Authenticating SSH Connections 206

    Authenticating Serial Console Connections 207

    Authenticating Cisco ASDM Connections 208

Authenticating Firewall Sessions (Cut-Through Proxy Feature) 209

    Authentication Timeouts 214

Customizing Authentication Prompts 214

Configuring Authorization 215

    Command Authorization 217

    Configuring Downloadable ACLs 218

Configuring Accounting 219

    RADIUS Accounting 220

    TACACS+ Accounting 221

Troubleshooting Administrative Connections to Cisco ASA 222

    Troubleshooting Firewall Sessions (Cut-Through Proxy) 225

    ASDM and CLI AAA Test Utility 226


Chapter 8 Controlling Network Access: The Traditional Way 229

Packet Filtering 229

    Types of ACLs 232

        Standard ACLs 233

        Extended ACLs 233

        EtherType ACLs 233

        Webtype ACLs 234

    Comparing ACL Features 234

    Through-the-Box-Traffic Filtering 235

    To-the-Box-Traffic Filtering 240

Advanced ACL Features 243

    Object Grouping 243

        Object Types 243

        Configuration of Object Types 245

        Object Grouping and ACLs 248

    Standard ACLs 250

    Time-Based ACLs 251

    Downloadable ACLs 254

    ICMP Filtering 254

Deployment Scenario for Traffic Filtering 255

    Using ACLs to Filter Inbound Traffic 255

        Configuration Steps with ASDM 257

        Configuration Steps with CLI 259

Monitoring Network Access Control 260

    Monitoring ACLs 260


Chapter 9 Implementing Next-Generation Firewall Services with ASA CX 267

CX Integration Overview 268

    Logical Architecture 269

    Hardware Modules 270

    Software Modules 271

    High Availability 272

ASA CX Architecture 273

    Data Plane 274

    Eventing and Reporting 275

    User Identity 275

    TLS Decryption Proxy 276

    HTTP Inspection Engine 276

    Application Inspection Engine 276

    Management Plane 276

    Control Plane 276

Preparing ASA CX for Configuration 277

Managing ASA CX with PRSM 282

    Using PRSM 283

    Configuring User Accounts 286

    CX Licensing 288

    Component and Software Updates 290

        Signatures and Engines 290

        System Software 291

    Configuration Database Backup 292

Defining CX Policy Elements 293

    Network Groups 295

    Identity Objects 296

    URL Objects 298

    User Agent Objects 299

    Application Objects 299

    Secure Mobility Objects 300

    Interface Roles 301

    Service Objects 302

    Application-Service Objects 303

    Source Object Groups 304

    Destination Object Groups 305

    File Filtering Profiles 306

    Web Reputation Profiles 306

    NG IPS Profiles 307

Enabling User Identity Services 309

    Configuring Directory Servers 310

    Connecting to AD Agent or CDA 312

    Tuning Authentication Settings 313

    Defining User Identity Discovery Policy 314

Enabling TLS Decryption 316

    Configuring Decryption Settings 318

    Defining a Decryption Policy 320

Enabling NG IPS 323

Defining Context-Aware Access Policies 324

Configuring ASA for CX Traffic Redirection 327

Monitoring ASA CX 329

    Dashboard Reports 329

    Connection and System Events 331

    Packet Captures 332


Chapter 10 Network Address Translation 337

Types of Address Translation 338

    Network Address Translation 338

    Port Address Translation 340

Address Translation Methods 341

    Static NAT/PAT 341

    Dynamic NAT/PAT 343

    Policy NAT/PAT 344

    Identity NAT 344

Security Protection Mechanisms Within Address Translation 345

    Randomization of Sequence Numbers 345

    TCP Intercept 346

Understanding Address Translation Behavior 346

    Address Translation Behavior Prior to Version 8.3 346

        Packet Flow Sequence in Pre-8.3 Version 347

        NAT Order of Operation for Pre-8.3 Versions 348

    Redesigning Address Translation (Version 8.3 and Later) 349

        NAT Modes in Version 8.3 and Later 349

        NAT Order of Operation for Version 8.3 and Later 350

Configuring Address Translation 350

    Auto NAT Configuration 351

        Available Auto NAT Settings 351

        Auto NAT Configuration Example 353

    Manual NAT Configuration 356

        Available Manual NAT Settings 356

        Manual NAT Configuration Example 357

    Integrating ACLs and NAT 359

        Pre-8.3 Behavior for NAT and ACL Integration 359

        Behavior of NAT and ACL Integration in Version 8.3 and Later 361

    Configuration Use Cases 362

        Use Case 1: Dynamic PAT for Inside Network with Static NAT for a DMZ Web Server 363

        Use Case 2: Static PAT for a Web Server Located on the DMZ Network 364

        Use Case 3: Static NAT for Overlapping Subnets Using Twice NAT 366

        Use Case 4: Identity NAT for Site-to-Site VPN Tunnel 367

        Use Case 5: Dynamic PAT for Remote-Access VPN Clients 369

DNS Doctoring 372

Monitoring Address Translations 375


Chapter 11 IPv6 Support 379

IP Version 6 Introduction 379

    IPv6 Header 380

    Supported IPv6 Address Types 381

        Global Unicast Address 382

        Site-Local Address 382

        Link-Local Address 382

Configuring IPv6 382

    IP Address Assignment 383

    IPv6 DHCP Relay 384

    Optional IPv6 Parameters 385

        Neighbor Solicitation Messages 385

        Neighbor Reachable Time 385

        Router Advertisement Transmission Interval 385

    Setting Up an IPv6 ACL 386

    IPv6 Address Translation 389


Chapter 12 IP Routing 391

Configuring Static Routes 392

    Static Route Monitoring 395

    Displaying the Routing Table 399

RIP 400

    Configuring RIP 401

    RIP Authentication 403

    RIP Route Filtering 406

    Configuring RIP Redistribution 409

    Troubleshooting RIP 409

        Scenario 1: RIP Version Mismatch 410

        Scenario 2: RIP Authentication Mismatch 411

        Scenario 3: Multicast or Broadcast Packets Blocked 411

OSPF 412

    Configuring OSPF 413

        Enabling OSPF 414

    OSPF Virtual Links 419

    Configuring OSPF Authentication 422

    Configuring OSPF Redistribution 426

    Stub Areas and NSSAs 428

    OSPF Type 3 LSA Filtering 429

    OSPF neighbor Command and Dynamic Routing over a VPN Tunnel 431

    OSPFv3 433

    Troubleshooting OSPF 433

        Useful Troubleshooting Commands 433

        Mismatched Areas 440

        OSPF Authentication Mismatch 440

        Troubleshooting Virtual Link Problems 440


    Configuring EIGRP 441

        Enabling EIGRP 441

        Configuring Route Filtering for EIGRP 445

        EIGRP Authentication 447

        Defining Static EIGRP Neighbors 448

        Route Summarization in EIGRP 448

        Split Horizon 450

        Route Redistribution in EIGRP 450

        Controlling Default Information 453

    Troubleshooting EIGRP 454

        Useful Troubleshooting Commands 454

        Scenario 1: Link Failures 458

        Scenario 2: Misconfigured Hello and Hold Intervals 459

        Scenario 3: Misconfigured Authentication Parameters 462


Chapter 13 Application Inspection 465

Enabling Application Inspection 468

Selective Inspection 469

CTIQBE Inspection 473

DCERPC Inspection 476

DNS Inspection 476

ESMTP Inspection 481

File Transfer Protocol 484

General Packet Radio Service Tunneling Protocol 486

    GTPv0 487

    GTPv1 489

    Configuring GTP Inspection 490

H.323 492

    H.323 Protocol Suite 493

    H.323 Version Compatibility 495

    Enabling H.323 Inspection 496

    Direct Call Signaling and Gatekeeper Routed Control Signaling 499

    T.38 499

Cisco Unified Communications Advanced Support 499

    Phone Proxy 500

    TLS Proxy 505

    Mobility Proxy 506

    Presence Federation Proxy 506

HTTP 507

    Enabling HTTP Inspection 507

        strict-http Command 510

        content-length Command 510

        content-type-verification Command 511

        max-header-length Command 511

        max-uri-length Command 512

        port-misuse Command 512

        request-method Command 513

        transfer-encoding type Command 515

ICMP 515

ILS 516

Instant Messenger (IM) 517

IPsec Pass-Through 518

MGCP 519

NetBIOS 521

PPTP 522

Sun RPC 522

RSH 523

RTSP 523

SIP 524

Skinny (SCCP) 525

SNMP 527

SQL*Net 528

TFTP 528

WAAS 528



Chapter 14 Virtualization 531

Architectural Overview 533

    System Execution Space 533

    Admin Context 535

    User Context 535

    Packet Classification 538

        Packet Classification Criteria 538

        Destination IP Address 539

        Unique MAC Address 540

    Packet Flow in Multiple Mode 541

        Forwarding Without a Shared Interface 541

        Forwarding with a Shared Interface 542

Configuration of Security Contexts 544

    Step 1: Enable Multiple Security Contexts Globally 544

    Step 2: Set Up the System Execution Space 547

    Step 3: Configure Interfaces 549

    Step 4: Specify a Configuration URL 550

    Step 5: Configure an Admin Context 552

    Step 6: Configure a User Context 553

    Step 7: Manage the Security Contexts (Optional) 554

    Step 8: Resource Management (Optional) 555

        Step 1: Define a Resource Class 556

        Step 2: Map the Resource Class to a Context 558

Deployment Scenarios 559

    Virtual Firewall with Non-Shared Interfaces 559

        Configuration Steps with ASDM 561

        Configuration Steps with CLI 569

    Virtual Firewall with a Shared Interface 572

        Configuration Steps with ASDM 574

        Configuration Steps Using CLI 582

Monitoring and Troubleshooting the Security Contexts 586

    Monitoring 586

    Troubleshooting 588

        Security Contexts Are Not Added 588

        Security Contexts Are Not Saved on the Local Disk 588

        Security Contexts Are Not Saved on the FTP Server 589

        User Having Connectivity Issues When Shared Security Contexts Are Used 590


Chapter 15 Transparent Firewalls 591

Architectural Overview 594

    Single-Mode Transparent Firewalls 594

        Packet Flow in an SMTF 595

    Multimode Transparent Firewalls 597

        Packet Flow in an MMTF 597

Restrictions When Using Transparent Firewalls 599

    Transparent Firewalls and VPNs 599

    Transparent Firewalls and NAT 600

Configuration of Transparent Firewalls 602

    Configuration Guidelines 602

    Configuration Steps 603

        Step 1: Enable Transparent Firewalls 603

        Step 2: Set Up Interfaces 604

        Step 3: Configure an IP Address 605

        Step 4: Set Up Routes 606

        Step 5: Configure Interface ACLs 608

        Step 6: Configure NAT (Optional) 611

        Step 7: Add Static L2F Table Entries (Optional) 612

        Step 8: Enable ARP Inspection (Optional) 613

        Step 9: Modify L2F Table Parameters (Optional) 615

Deployment Scenarios 616

    SMTF Deployment 617

        Configuration Steps Using ASDM 618

        Configuration Steps Using CLI 622

    MMTF Deployment with Security Contexts 623

        Configuration Steps Using ASDM 625

        Configuration Steps Using CLI 632

Monitoring and Troubleshooting Transparent Firewalls 636

    Monitoring 636

    Troubleshooting 637

        Hosts Are Not Able to Communicate 637

        Moved Host Is Not Able to Communicate 639

        General Syslogging 640


Chapter 16 High Availability 641

Redundant Interfaces 642

    Using Redundant Interfaces 642

    Deployment Scenarios 643

    Configuration and Monitoring 644

Static Route Tracking 646

    Configuring Static Routes with an SLA Monitor 647

    Floating Connection Timeout 649

    Sample Backup ISP Deployment 649

Failover 652

    Unit Roles and Functions in Failover 652

    Stateful Failover 653

    Active/Standby and Active/Active Failover 654

    Failover Hardware and Software Requirements 656

        Zero Downtime Upgrade in Failover 657

        Failover Licensing 658

    Failover Interfaces 658

        Stateful Link 659

        Failover Link Security 659

        Data Interface Addressing 660

        Asymmetric Routing Groups 662

    Failover Health Monitoring 664

    State and Role Transition 666

    Configuring Failover 667

        Basic Failover Settings 668

        Data Interface Configuration 671

        Failover Policies and Timers 673

        Active/Active Failover 674

    Monitoring and Troubleshooting Failover 678

    Active/Standby Failover Deployment Scenario 680

Clustering 685

    Unit Roles and Functions in Clustering 685

        Master and Slave Units 685

        Flow Owner 686

        Flow Director 686

        Flow Forwarder 687

    Clustering Hardware and Software Requirements 687

        Zero Downtime Upgrade in Clustering 688

        Unsupported Features 689

        Cluster Licensing 690

    Control and Data Interfaces 690

        Spanned EtherChannel Mode 693

        Individual Mode 695

        Cluster Management 697

    Cluster Health Monitoring 697

    Network Address Translation 698

    Performance 700

        Centralized Features 701

        Scaling Factors 701

    Packet Flow 702

        TCP Connection Processing 702

        UDP Connection Processing 703

        Centralized Connection Processing 705

    State Transition 705

    Configuring Clustering 706

        Setting Interface Mode 707

        Management Access for ASDM Deployment 708

        Building a Cluster 710

        Data Interface Configuration 714

    Monitoring and Troubleshooting Clustering 717

    Spanned EtherChannel Cluster Deployment Scenario 720


Chapter 17 Implementing Cisco ASA Intrusion Prevention System (IPS) 733

IPS Integration Overview 733

    IPS Logical Architecture 735

    IPS Hardware Modules 735

    IPS Software Modules 736

    Inline and Promiscuous Modes 737

    IPS High Availability 739

Cisco IPS Software Architecture 739

    MainApp 741

        AuthenticationApp 741

        Attack Response Controller 742

        cipsWebserver 742

        Logger 742

        CtlTransSource 743

        NotificationApp 743

    SensorApp 743

    CollaborationApp 744

    EventStore 744

Preparing ASA IPS for Configuration 744

    Installing CIPS System Software 744

    Accessing CIPS from the ASA CLI 747

    Configuring Basic Management Settings 748

    Setting Up ASDM for IPS Management 752

    Installing the CIPS License Key 752


Customer Reviews

Average Rating: 4.5 (14 reviews)
Rating Distribution

5 Star


4 Star


3 Star


2 Star


1 Star


Your Rating:

Your Name: Create a Pen Name or

Barnes & Review Rules

Our reader reviews allow you to share your comments on titles you liked, or didn't, with others. By submitting an online review, you are representing to Barnes & that all information contained in your review is original and accurate in all respects, and that the submission of such content by you and the posting of such content by Barnes & does not and will not violate the rights of any third party. Please follow the rules below to help ensure that your review can be posted.

Reviews by Our Customers Under the Age of 13

We highly value and respect everyone's opinion concerning the titles we offer. However, we cannot allow persons under the age of 13 to have accounts at or to post customer reviews. Please see our Terms of Use for more details.

What to exclude from your review:

Please do not write about reviews, commentary, or information posted on the product page. If you see any errors in the information on the product page, please send us an email.

Reviews should not contain any of the following:

  • - HTML tags, profanity, obscenities, vulgarities, or comments that defame anyone
  • - Time-sensitive information such as tour dates, signings, lectures, etc.
  • - Single-word reviews. Other people will read your review to discover why you liked or didn't like the title. Be descriptive.
  • - Comments focusing on the author or that may ruin the ending for others
  • - Phone numbers, addresses, URLs
  • - Pricing and availability information or alternative ordering information
  • - Advertisements or commercial solicitation


  • - By submitting a review, you grant to Barnes & and its sublicensees the royalty-free, perpetual, irrevocable right and license to use the review in accordance with the Barnes & Terms of Use.
  • - Barnes & reserves the right not to post any review -- particularly those that do not follow the terms and conditions of these Rules. Barnes & also reserves the right to remove any review at any time without notice.
  • - See Terms of Use for other conditions and disclaimers.
Search for Products You'd Like to Recommend

Recommend other products that relate to your review. Just search for them below and share!

Create a Pen Name

Your Pen Name is your unique identity on It will appear on the reviews you write and other website activities. Your Pen Name cannot be edited, changed or deleted once submitted.

Your Pen Name can be any combination of alphanumeric characters (plus - and _), and must be at least two characters long.

Continue Anonymously
Sort by: Showing all of 14 Customer Reviews
  • Anonymous

    Posted July 8, 2014


    Babe Im really sleepy. She hops into his arms

  • Anonymous

    Posted July 8, 2014


    *She walks in with a light blue dress, with her hair perfectly curled and her earrings dangling from her ears. She looks around, standing alone in the crowd.*

  • Anonymous

    Posted July 8, 2014

    Comes in nu .de


  • Anonymous

    Posted July 8, 2014



  • Anonymous

    Posted July 8, 2014


    This is very boring, babe, let's go.

  • Anonymous

    Posted July 10, 2014


    Walks in.

  • Anonymous

    Posted July 8, 2014


    Smiles back. Babe, imma have to go soon.

  • Anonymous

    Posted July 8, 2014

    Nathan to all

    I think it's at the next res.

  • Anonymous

    Posted July 9, 2014

  • Anonymous

    Posted July 8, 2014

    Adain to rolo

    Hey, you said you would do it, c'mon.

  • Anonymous

    Posted July 9, 2014

    Too small


  • Anonymous

    Posted July 9, 2014



  • Posted June 29, 2014

    Are you a network professional who manages network security or installs and configures firewalls? If you are, then this book is for you! Authors Jazib Frahim, Omar Santos and Andrew Ossipov have done an outstanding job of writing a book that is an insider's guide to planning, implementing, configuring, and troubleshooting the Cisco Adaptive Security Appliances.

    Authors Frahim, Santos and Ossipov begin by providing an overview of different technologies that are supported by the Cisco ASA and widely used by today's network security professionals. Then, the authors describe how the Cisco ASA incorporates features from each of the products, integrating comprehensive firewall, intrusion detection and prevention, and VPN technologies in a cost-effective, single-box format. They continue by examining the available licenses for each Cisco ASA model and specific features, and explain how to install such licenses. Then, the authors introduce a comprehensive list of initial setup tasks. They then show you how to perform system maintenance of the Cisco ASA, including system upgrades and health monitoring, and provide tips on how to troubleshoot hardware and data issues. Next, the authors show you how to configure the Cisco ASA Services Module, as well as how to configure the Cisco Catalyst 6500 Series Switches and 7600 Series Routers to send traffic to be protected and inspected by the module. They continue by showing you how to configure AAA services by defining a list of authentication methods applied to various implementations. Then, the authors show you how to implement your organization's security policy by using the features that the Cisco ASA provides. They then cover the features, benefits, deployment, configuration, and troubleshooting of the Cisco ASA Next-Generation Firewall Services. Next, the authors show you how to configure Network Address Translation on the Cisco ASA. They continue by covering the configuration and deployment of IPv6 support in the Cisco ASA. Then, the authors deal with the different routing capabilities of the Cisco ASA. They then show you how to use and configure application inspection. Next, the authors show you how to configure and troubleshoot each of the security contexts. They continue by introducing the transparent firewall model within the Cisco ASA. Then, the authors discuss the different redundancy and high availability mechanisms that the Cisco ASA provides. They then describe the integration of IPS features within the Cisco ASA and provide expert guidance on how to configure the Cisco IPS software. Next, the authors cover the IPS tuning process, as well as best practices on how to monitor IPS events. They continue by providing configuration and troubleshooting guidelines to successfully deploy site-to-site IPsec VPNs in both single- and multiple-mode firewalls. Then, the authors discuss two IPsec remote-access VPN solutions that are supported on the Cisco ASA. Finally, they show you how to configure, troubleshoot, and deploy the QoS features in the Cisco ASA.

    This excellent book delivers expert guidance from senior Cisco security engineers. In other words, this great book brings together expert guidance for virtually every challenge you will face, from building basic network security policies to advanced next-generation firewall, VPN, and IPS implementations.

  • Anonymous

    Posted October 26, 2014

    No text was provided for this review.
