Read "Cisco ASA All-in-One Firewall, IPS, Anti-X, and VPN Adaptive Security Appliance" by Jazib Frahim. This book is designed to provide information about Cisco ASA. Kudos to the Cisco ASA product development team for delivering such a great product.
Thank you! Its contents were just right for me. I understand intermediate networking, but I don't work on Cisco ASAs often enough to remember everything, and I didn't know much about the new 8. This book quickly showed me what the significant changes in 8.
It's very accessible. It's easy to quickly read through and digest, and also good to refer back to later. It has excellent examples and explanations, with helpful diagrams along with the command-line commands. Harris, thanks for writing this book and making it available at a reasonable price.
If you write more books, I will download them too. It's a very short read and right to the point! I found it much easier to follow than Cisco's own book and would definitely recommend it as your main or companion reference. Thank you Marco "Mr. This new edition has been updated with detailed information on the latest ASA models and features.
Everything network professionals need to know to identify, mitigate, and respond to network attacks with Cisco ASA. Includes detailed configuration examples, with screenshots and command-line references. Covers the ASA 8.
AnyConnect for Mobile: Keep in mind that this is not a standalone feature but rather a special capability available for AnyConnect peers. When the session is using an AnyConnect Essentials license, mobile device posture data is only available for informational purposes.
When the mobile device is one of the AnyConnect Premium Peers, you can leverage Dynamic Access Policies (DAP) to permit or deny network access for the given device based on a broad set of attributes.
This is not a standalone feature, because it requires an AnyConnect Premium Peers license to allow the underlying VPN connection in the first place. Advanced Endpoint Assessment: With this feature enabled, ASA can actively enforce certain operational policies on third-party antivirus, antispyware, and personal firewall software packages residing on remote AnyConnect or clientless peers running Microsoft Windows, Apple OS X, and Linux operating systems.
This is another add-on feature that is only available for AnyConnect Premium Peers; by default, such peers can only benefit from the basic reactive posture validation capabilities provided by Host Scan and Dynamic Access Policies. Botnet Traffic Filter: With this feature, you can detect and block inbound and outbound connections that involve known malicious hosts. The license enables database updates as well as the Botnet Traffic Filter configuration commands.
It expands the high-availability advantages of failover by allowing you to aggregate up to 16 physical appliances in exactly the same hardware configuration into a single logical device. All devices in a cluster must have this feature enabled. The availability of the Cluster feature and the maximum supported number of cluster members depend on the particular software image version and hardware platform type.
IPS Module: This license simply allows you to install the IPS software module on the Cisco ASA and then enable traffic redirection using the service-policy configuration; because the module runs an independent software image, it has its own feature license that you have to obtain and install separately.
Tiered Capacity Features
Yet another category of licensed features allows a particular advanced functionality for a limited number of users or sessions.
This flexibility allows you to provision enough premium licenses according to the specific business needs while allowing plenty of room for future growth. The typical features in this category provide firewall virtualization capabilities, Unified Communications inspection with TLS proxy, and advanced VPN connectivity. The preinstalled Base Licenses typically include a certain number of allowed sessions to take advantage of most of these features; you can obtain a separate license to enable or upgrade any of these capabilities to your desired user or session count.
To keep things simple, these features come in specific capacity tiers. Keep in mind that the capacity tiers cannot be stacked together. In other words, you need to obtain the UC Phone Proxy license for sessions even if you intend to use only up to of them; you cannot simply install a session license followed by a session license on the same device.
Security Contexts: This license allows the creation of multiple virtual firewalls that can operate concurrently on the same physical ASA device. All other platforms and license combinations allow you to configure up to two virtual application contexts by default; the specific tiered options depend on the platform and can extend up to on a Cisco ASA Services Module and ASA X appliances with at least an SSP. Keep in mind that not all features are currently compatible with the multiple context mode even if you install the appropriate feature license.
UC Phone Proxy Sessions: Keep in mind that the number of active TLS proxy sessions may exceed the number of active VoIP endpoints, depending on their high-availability configuration. Typically, this licensed session count is equivalent to the Total UC Proxy Sessions license, which has the default value of 2 on all platforms. Refer to the description of the Intercompany Media Engine license for information about raising the default configured limit of TLS proxy sessions and determining additional session limits imposed by the export restrictions.
Total UC Proxy Sessions: Refer to the description of the Intercompany Media Engine license for information about raising the default configured limit of TLS proxy sessions and determining additional session limits imposed by export restrictions. AnyConnect Premium Peers: This license is a prerequisite for multiple premium features that an AnyConnect Essentials license does not support.
Keep in mind that the AnyConnect Premium Peers and AnyConnect Essentials licenses cannot operate concurrently; even if you install both licenses on a single Cisco ASA device, only one of them stays active at any given time. You must use the no anyconnect-essentials command to enable the AnyConnect Premium Peers license. AnyConnect Essentials: Refer to the description of the AnyConnect Premium Peers license for additional information on specific differences, concurrency implications, and overall limits that pertain to these related feature licenses.
Displaying License Information
Use the show version or show activation-key command to display the complete list of licensed features and capacities of a particular Cisco ASA device along with the activation information. Notice that the count of Firewall Connections does not show up as a licensed feature; check the output of the show resource usage command for some of these platform capacities.
However, this sample output contains several pieces of additional information: it also lists multiple activation keys that enable the given set of features on this particular device for the specified amount of time.
These activation keys enable a straightforward mechanism for adding or removing licensed features on Cisco ASA devices.
Licensed features for this platform:
Unlimited perpetual
Failover: Enabled 56 days
Security Contexts: Disabled perpetual
AnyConnect Premium Peers: Disabled perpetual
AnyConnect for Mobile: Disabled perpetual
Advanced Endpoint Assessment: Enabled 56 days
Intercompany Media Engine: Disabled perpetual
IPS Module: Disabled perpetual
Cluster: Disabled perpetual
The flash permanent activation key is the SAME as the running permanent key.
Active Timebased Activation Key:
Enabled 56 days
Advanced Endpoint Assessment: Enabled 56 days
Botnet Traffic Filter: Enabled 56 days
Managing Licenses with Activation Keys
An activation key is an encoded bit string that defines the list of features to enable, how long the key would stay valid upon activation, and the specific serial number of a Cisco ASA device.
A series of five hexadecimal numbers, as shown at the top of the output in Example, typically represents that string. Each activation key is only valid for the particular hardware platform with the specific encoded serial number. The complete set of activation keys resides in a hidden partition of the built-in flash device of a Cisco ASA; other nonvolatile internal memory structures maintain a backup copy of that information.
After Cisco generates a key for a given device, you cannot separate individual features from this licensed package. You can request and apply another key with a different set of features to the same Cisco ASA device at any future point in time.
All features encoded in a particular key always have the same licensed duration, so activation keys can be classified as permanent or time-based.
Permanent and Time-Based Activation Keys
Every Cisco ASA model comes with a certain set of basic features and capacities enabled by default; the Base License permanently activates these features on the particular platform. Even though these core features do not require an explicit activation key, one usually comes installed anyway.
This is the permanent activation key, which never expires. Although the system does not require this key for basic operation, some advanced features, such as failover, depend on the permanent activation key in order to operate correctly.
You can enable additional features without a time limit by applying a different permanent activation key.
Because a Cisco ASA device can have only one permanent activation key installed at any given time, every new key must encompass the entire set of desired features. The feature set enabled by the new permanent activation key completely replaces the previously enabled permanent feature set, instead of merging with it. In rare situations in which the permanent activation key becomes lost or corrupted, the output of the show activation-key command displays the following value:
Running Permanent Activation Key:
If this happens, the system continues to operate with the default set of basic features for the platform. Reinstall the permanent activation key to restore the desired feature set.
Although you can always obtain the replacement key from Cisco, it is a best practice to always maintain a backup of all activation keys used by your Cisco ASA devices.
In addition to the permanent activation key, you can install one or more time-based keys to enable certain features for a limited period of time. All premium features can be activated by either permanent or time-based keys, with the exception of Botnet Traffic Filter, which is only available via a time-based license. Even though you can apply multiple time-based activation keys on the same Cisco ASA concurrently, only one license remains active for any particular feature at any given time.
Thus, several time-based keys can stay active on the ASA as long as they enable different features. Other time-based keys remain installed but inactive until needed. Only the currently active licenses for each feature continue the time countdown; you can stop the timer by manually deactivating a key or installing a different time-based license for the same feature.
Combining Keys
Even though only one time-based activation key can be active for any particular feature at any given time, two identical time-based keys will license a feature for the combined duration. All of the following conditions must be satisfied for this to happen:
Both current and new time-based keys enable only one feature. Typically, this is how you receive all time-based activation keys from Cisco.
Both keys license the feature at exactly the same level. If the feature is tiered, the licensed capacities have to match.
If you add another time-based key for AnyConnect Premium Peers that has a duration of eight weeks, the new key will have the combined duration of 14 weeks. However, the new key will deactivate the original time-based license if it enables AnyConnect Premium Peers instead or also adds the Intercompany Media Engine feature.
If you install another time-based key for the IPS Module feature on the same device, both keys will activate concurrently because they enable different features.
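The combining rules just described, worked through as an added Python example. This is not code from the book or from Cisco; the key labels, the AnyConnect capacity of 50 peers and the day counts are constructed values, and the order of the rules (merge durations only for matching single-feature keys, otherwise deactivate the old key but keep it installed) is taken from the text above.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class TimeBasedKey:
    """One time-based activation key. `features` maps a feature name to its
    licensed level: True for an on/off feature, an int for a tiered capacity."""
    key_id: str                 # constructed label, not a real activation key string
    features: Dict[str, object]
    days: int                   # remaining licensed time


@dataclass
class LicenseState:
    active: Dict[str, TimeBasedKey] = field(default_factory=dict)  # feature -> key counting down
    inactive: List[TimeBasedKey] = field(default_factory=list)    # installed, timer stopped


def install_timebased_key(state: LicenseState, new: TimeBasedKey) -> TimeBasedKey:
    """Apply the text's combining rules and return the key as it became active:
    - only one active time-based key per feature;
    - a new single-feature key matching the active single-feature key for that
      feature (same feature, same level) inherits its remaining days;
    - otherwise the new key deactivates any active key sharing a feature with it,
      and that key stays installed with its unused days;
    - keys enabling different features activate side by side."""
    combined_days = new.days
    for feat in new.features:
        current = state.active.get(feat)
        if current is None:
            continue
        same_single_feature = (
            len(new.features) == 1
            and len(current.features) == 1
            and current.features[feat] == new.features[feat]
        )
        if same_single_feature:
            combined_days += current.days       # remaining time carries over
        else:
            state.inactive.append(current)      # deactivated, still installed
        # Either way the old key stops driving every feature it enabled.
        for f in [f for f, k in state.active.items() if k is current]:
            del state.active[f]
    activated = TimeBasedKey(new.key_id, dict(new.features), combined_days)
    for feat in activated.features:
        state.active[feat] = activated
    return activated


def demo() -> LicenseState:
    """Replays the scenario from the text with constructed numbers:
    6-week + 8-week AnyConnect keys merge to 14 weeks; an IPS Module key runs
    alongside; a two-feature key then displaces the AnyConnect key."""
    state = LicenseState()
    install_timebased_key(state, TimeBasedKey("key-A", {"AnyConnect Premium Peers": 50}, 42))
    install_timebased_key(state, TimeBasedKey("key-B", {"AnyConnect Premium Peers": 50}, 56))
    install_timebased_key(state, TimeBasedKey("key-C", {"IPS Module": True}, 365))
    install_timebased_key(state, TimeBasedKey(
        "key-D", {"AnyConnect Premium Peers": 50, "Intercompany Media Engine": True}, 30))
    return state
```

After `demo()` runs, the AnyConnect feature is driven by key-D with its own 30 days, key-B (98 days) sits in the inactive list with its unused time, and key-C keeps counting down undisturbed, which is exactly the behaviour to expect when reading show activation-key after such a sequence.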
To ease the management of time-based licenses and receive the maximum advantage of combining their duration when possible, always make sure to use separate time-based activation keys for each feature and tiered capacity. When activated on the same device, the features and capacities of the permanent and active time-based keys also combine to form a single feature set, as such:
The system chooses the better value between the two key types for any feature that can be either enabled or disabled.
For example, the ASA enables the Intercompany Media Engine feature based on the permanent key even if all active time-based keys have this feature disabled. For AnyConnect Premium Sessions and AnyConnect Essentials licenses that are tiered, the system picks the highest session count between the active time-based and permanent keys. Total UC Proxy and Security Contexts counts combine between the permanent and active time-based keys up to the platform limit. This way, you can configure a total of 22 virtual contexts by adding a time-based license for 20 contexts to a Cisco ASA X with the permanent Base License for 2 contexts.
Example illustrates a Cisco ASA that derives its feature set from the permanent and one time-based activation keys.
Both activation keys appear at the top of the output. Features denoted as perpetual come from the permanent activation key; these licenses never expire. Time-based features show the remaining number of days before expiration; even if you enable one of these features via the permanent key later on, the countdown will continue until the applicable time-based key expires or becomes deactivated manually.
Time-Based Key Expiration
When a time-based key is within 30 days of expiration, ASA generates daily system log messages to alert you of that fact.
The following message includes the specific time-based activation key that is about to expire:
Timebased license key 0x8cff 0xd6ce9 0xcb 0xc74cb 0x17fc9a will expire in 29 days.
When the active time-based license expires, a Cisco ASA looks for another available time-based activation key that you previously installed.
The system picks the next key according to internal software rules, so a particular order is not guaranteed. You can manually activate a specific time-based key at any given time; after you do so, the deactivated time-based key remains installed with the unused licensed time still available.
When all time-based keys for a particular feature expire, the device falls back to using the value in the permanent key for this feature. Upon any expiration event, an ASA generates another system log message that lists the expired key and the succession path for the license.
The following message shows that the states of all licensed features from the expired time-based key reverted to the permanent key:
Timebased activation key 0x8cff 0xd6ce9 0xcb 0xc74cb 0x17fc9a has expired.
Applying permanent activation key 0xe3a19 0xee 0xcddd4 0xeeaf4 0x1bc79c.
As time-based licenses expire, certain features may deactivate completely and some licensed capacities of other features may reduce.
Although these changes typically do not affect existing connections that are using a previously licensed feature, new connections will see the impact. However, the existing user sessions would remain operational with no impact.
On the other hand, the Botnet Traffic Filter feature disables dynamic updates when the license expires; this removes the benefits of the feature right away.
Some features may show no impact from the time-based key expiration until the Cisco ASA system reloads; because the feature is no longer licensed upon the reload, the device may reject some elements of the startup configuration. When a Cisco ASA that was previously licensed for 20 security contexts reloads with the default license, only two virtual contexts will remain operational after the system loads the startup configuration file.
To avoid unexpected network outages, it is very important to monitor time-based licenses for expiration and replace them in advance; always use permanent licenses for the critical features when possible.
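Because the text recommends monitoring time-based licenses for expiration, here is an added Python example (not code from the book or from Cisco) that turns the two syslog messages quoted above into structured events and raises alerts a syslog collector or SIEM rule could act on. The message texts are the ones shown on the page; the timestamp prefix, hostname and the "unrelated" line are constructed, and the pattern for an "Applying ... activation key" succession message other than the quoted permanent-key one is an assumption.

```python
import re
from typing import Dict, List, Optional

# Five space-separated hexadecimal words, as the key appears in the messages.
_KEY = r"(?P<key>0x[0-9a-fA-F]+(?: 0x[0-9a-fA-F]+){4})"

# Message texts taken from the two log lines quoted in the text.
EXPIRING_RE = re.compile(r"Timebased license key " + _KEY + r" will expire in (?P<days>\d+) days?")
EXPIRED_RE = re.compile(r"Timebased activation key " + _KEY + r" has expired")
# "Applying permanent activation key ..." is quoted on the page; the word before
# "activation" is captured generically (assumption) so a succession to another
# time-based key is reported rather than silently dropped.
APPLYING_RE = re.compile(r"Applying (?P<kind>\w+) activation key " + _KEY)

# Constructed sample log with a syslog-style prefix; only the message bodies of
# the first four lines come from the page.
SAMPLE_LOG: List[str] = [
    "Jan 10 2024 02:00:01 asa-fw1 : Timebased license key 0x8cff 0xd6ce9 0xcb 0xc74cb 0x17fc9a will expire in 29 days.",
    "Feb 01 2024 02:00:01 asa-fw1 : Timebased license key 0x8cff 0xd6ce9 0xcb 0xc74cb 0x17fc9a will expire in 7 days.",
    "Feb 08 2024 02:00:01 asa-fw1 : Timebased activation key 0x8cff 0xd6ce9 0xcb 0xc74cb 0x17fc9a has expired.",
    "Feb 08 2024 02:00:01 asa-fw1 : Applying permanent activation key 0xe3a19 0xee 0xcddd4 0xeeaf4 0x1bc79c.",
    "Feb 08 2024 02:00:02 asa-fw1 : constructed unrelated message",
]


def parse_license_event(line: str) -> Optional[Dict[str, object]]:
    """Return a structured event for a license-related log line, or None."""
    m = EXPIRING_RE.search(line)
    if m:
        return {"event": "expiring", "key": m.group("key"), "days": int(m.group("days"))}
    m = EXPIRED_RE.search(line)
    if m:
        return {"event": "expired", "key": m.group("key")}
    m = APPLYING_RE.search(line)
    if m:
        return {"event": "applying", "kind": m.group("kind"), "key": m.group("key")}
    return None


def license_alerts(lines: List[str], warn_days: int = 14) -> List[str]:
    """Scan log lines and return alert strings. Expiry warnings are reported only
    once the remaining time is at or below warn_days (the ASA logs daily for the
    last 30 days, so a threshold avoids alert fatigue); every expiration and
    every key succession is reported, because the feature set may have changed."""
    alerts: List[str] = []
    for line in lines:
        ev = parse_license_event(line)
        if ev is None:
            continue
        if ev["event"] == "expiring" and ev["days"] <= warn_days:
            alerts.append(f"license {ev['key']} expires in {ev['days']} days: renew now")
        elif ev["event"] == "expired":
            alerts.append(f"license {ev['key']} expired: verify licensed features with show activation-key")
        elif ev["event"] == "applying":
            alerts.append(f"ASA now running on {ev['kind']} key {ev['key']}")
    return alerts


if __name__ == "__main__":
    for alert in license_alerts(SAMPLE_LOG):
        print(alert)
```

Run against the constructed log, the 29-day warning stays below the threshold and three alerts come out: the 7-day warning, the expiration, and the fallback to the permanent key. Pairing the last two with a scheduled show activation-key comparison catches the case the text warns about, where a reduced capacity only bites after the next reload.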
Using Activation Keys
To apply an activation key to the Cisco ASA, you can use the activation-key command followed by the hexadecimal key value. Both permanent and time-based keys follow the same process, and you cannot determine the key duration until you attempt to install it.
Example shows a successful attempt to activate the permanent key. Keep in mind that an ASA supports only one such key at any given time; the feature set of the last installed key completely overwrites the previous one.
This may take a few minutes...
Both Running and Flash permanent activation key was updated with the requested key.
As shown in Example, the system specifically notes a time-based key as such during the same activation process; you can see the remaining time before expiration as well.
The requested key is a timebased key and is activated, it has 7 days remaining.
When you add a new time-based activation key that enables a single feature at the same level as another currently active key, the remaining time from the current key adds to the new key, as shown in Example. Keep in mind that both the current and new time-based keys must enable only one feature with the exact same capacity, if applicable; otherwise, the new key will deactivate and replace the current one.
The requested key is a timebased key and is activated, it has 63 days remaining, including 7 days from currently active activation key.
You can also deactivate a previously installed time-based license using the optional deactivate argument at the end of the activation-key key command, as shown in Example; this keyword is not available for the permanent activation key.
After it is deactivated, the time-based key remains installed on the Cisco ASA. You can always reactivate this license later, either manually or automatically upon the expiration of another time-based license.
The requested key is a timebased key and is now deactivated.
In rare cases, a new permanent key that disables certain features may require a reload of the system before the change occurs.
Example shows the warning that the system displays before the strong encryption feature gets disabled by the new permanent license.
The following features available in running permanent activation key are NOT available in new permanent activation key:
The running activation key was not updated with the requested key.
Proceed with update flash activation key?
Because activation keys tie to a particular device using the serial number, it is possible to attempt to activate a key from one Cisco ASA on another; the software automatically checks for such errors and rejects an incorrect key.
Example illustrates such an attempt.
The requested activation key was not saved because it is not valid for this system.
In older Cisco ASA Software versions, it is also possible for the system to reject an activation key when it contains unknown features.
In Cisco ASA 8. For instance, when you downgrade from Cisco ASA 9. Module license enabled, the same activation key remains valid after the downgrade even though the older software no longer supports this feature. After the changes in Cisco ASA 8.
For both failover and clustering, all units must have the same encryption license. After satisfying these basic requirements, the rest of the licensed features and capacities from both failover peers and all active cluster members combine to form a single feature set that all the participating devices use concurrently.
License Aggregation Rules
The system follows these steps to create a combined feature set of a failover pair or a cluster:
Each failover unit or cluster member computes its local feature set by combining the permanent and active time-based activation keys using the rules discussed earlier. For each feature that can be either enabled or disabled, the combined failover or cluster license inherits the best setting from all of the feature sets of the participating devices.
For instance, each unit of a cluster enables the IPS Module license if at least one of the members has it enabled in the local feature set.
For each tiered feature, the licensed capacities of the individual units combine up to the platform limit of each member. This happens even if the particular tiered counts for the same feature do not match between all participating members. After aggregating these capacities, each device in this failover pair allows up to sessions for this feature.
Notice that the combined count of sessions from the individual licenses exceeds the Total VPN session count of for this platform; this causes the downward adjustment.
After license aggregation, each failover peer or cluster member displays an additional section in the output of the show version and show activation-key commands to reflect the combined active feature set of the device. As shown in Example, this feature set supersedes the licensed feature set of the local unit as long as it continues to participate in a failover pair or a cluster.
Failover cluster licensed features for this platform:
Disabled perpetual
Intercompany Media Engine: Enabled perpetual
Cluster: Enabled perpetual
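The two combining steps described on this page (the permanent key merged with active time-based keys on one unit, as given under "Combining Keys" above, and then the aggregation across failover peers or cluster members from the "License Aggregation Rules") as one added Python example. This is not code from the book or from Cisco; the platform limits, the use of feature names as dictionary keys, and the per-unit session counts are constructed assumptions. It goes slightly beyond the page's single 2 + 20 = 22 context example by applying the same rules to any mix of on/off and tiered features.

```python
from typing import Dict, List, Optional, Set, Union

Level = Union[bool, int]  # True/False for on-off features, int for a tiered capacity

# Constructed platform limits for illustration; real limits depend on the ASA
# model and software image and are visible in show version.
PLATFORM_LIMITS: Dict[str, int] = {
    "Security Contexts": 50,
    "Total UC Proxy Sessions": 500,
    "AnyConnect Premium Peers": 250,
}

# Tiered features whose counts add when the permanent key is combined with
# time-based keys on one unit; AnyConnect tiers keep the higher count instead.
LOCAL_ADDITIVE: Set[str] = {"Security Contexts", "Total UC Proxy Sessions"}


def combine(a: Dict[str, Level], b: Dict[str, Level],
            limits: Dict[str, int], additive: Optional[Set[str]]) -> Dict[str, Level]:
    """Merge two feature sets. An on/off feature is enabled if either side enables
    it. Tiered features named in `additive` (None means every tiered feature) are
    summed and capped at the platform limit; other tiered features keep the
    higher of the two counts."""
    out: Dict[str, Level] = {}
    for feat in set(a) | set(b):
        va, vb = a.get(feat, False), b.get(feat, False)
        if isinstance(va, bool) and isinstance(vb, bool):
            out[feat] = va or vb
        elif additive is None or feat in additive:
            total = int(va) + int(vb)
            cap = limits.get(feat)
            out[feat] = total if cap is None else min(total, cap)
        else:
            out[feat] = max(int(va), int(vb))
    return out


def local_feature_set(permanent: Dict[str, Level], timebased_keys: List[Dict[str, Level]],
                      limits: Dict[str, int] = PLATFORM_LIMITS) -> Dict[str, Level]:
    """Feature set of one unit: the permanent key combined with every active
    time-based key (inactive keys contribute nothing)."""
    result: Dict[str, Level] = dict(permanent)
    for key in timebased_keys:
        result = combine(result, key, limits, LOCAL_ADDITIVE)
    return result


def aggregate_units(local_sets: List[Dict[str, Level]],
                    limits: Dict[str, int] = PLATFORM_LIMITS) -> Dict[str, Level]:
    """Failover pair or cluster feature set: the best on/off setting from any
    member, and every tiered capacity summed across members up to the platform
    limit (members share one hardware model, so one limit table applies)."""
    result: Dict[str, Level] = {}
    for unit in local_sets:
        result = combine(result, unit, limits, None)
    return result


# Constructed scenario: the page's 2 permanent + 20 time-based contexts, plus a
# failover pair whose summed AnyConnect sessions exceed the platform limit.
PRIMARY = local_feature_set(
    {"Security Contexts": 2, "Intercompany Media Engine": True, "AnyConnect Premium Peers": 200},
    [{"Security Contexts": 20, "Intercompany Media Engine": False}],
)
SECONDARY = local_feature_set(
    {"Security Contexts": 2, "IPS Module": True, "AnyConnect Premium Peers": 100},
    [],
)
PAIR = aggregate_units([PRIMARY, SECONDARY])
```

PRIMARY ends up with 22 contexts and Intercompany Media Engine enabled (the permanent key wins over the time-based key's "disabled"), and PAIR shows IPS Module enabled on both peers, 24 contexts, and AnyConnect Premium Peers adjusted down from 300 to the constructed limit of 250, which is the downward adjustment the text describes.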
If a device loses the connection to its failover peer or a cluster for over 30 days, it falls back to its locally licensed feature set. You can use the clear configure failover or clear configure cluster command to manually remove the aggregated license and force the unit to revert to its locally activated features before that period expires. This capability is useful when splitting failover or cluster members to configure them as shared VPN licensing peers instead.
Aggregated Time-Based License Countdown
If the combined failover pair or cluster license relies on time-based activation keys to activate any features or aggregate licensed capacities, the countdown rules for these keys depend on the feature type:
For any features that can be either enabled or disabled, only one participating unit continues the countdown at any given time.
When this license expires, another device starts the countdown of its own time-based key for this feature. This way, the total licensed duration for this feature type combines from all applicable time-based activation keys in a failover pair or a cluster. Consider a failover pair where the primary unit has the Botnet Traffic Filter license for 52 weeks and the secondary unit has the same active license for 28 weeks.
Only the primary Cisco ASA will continue the countdown of this license for the first 52 weeks of failover pair operation. After this activation key on the primary unit expires, the secondary unit will begin the countdown for another 28 weeks. As a result, you can benefit from the Botnet Traffic Filter feature in this failover pair without interruption for a combined duration of 80 weeks. If a unit loses communication with its failover peer or cluster for less than 30 days, the combined license still covers this period of independent operation for this device.
If the interval of separation exceeds 30 days, the device subtracts the entire period from its local time-based license upon restoration of failover or cluster communication. Any time-based keys for tiered capacity features that contribute to the aggregated failover pair or cluster limits continue the countdown concurrently on their respective Cisco ASA units. Assume a cluster of four Cisco ASA appliances where each member has a week license for ten virtual contexts in addition to the permanent key with two contexts.
The combined license of the cluster allows configuring and using up to 48 virtual contexts for 52 weeks because all time-based tiered capacity licenses count down concurrently on all members. After 52 weeks, the combined cluster license drops down to eight security contexts based on the remaining permanent licenses of each member. Even though individual appliances may reach the maximum expected number of concurrent VPN sessions at different times, it is unlikely that all of them will always remain at the peak load.
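The two countdown rules above (on/off features count down on one unit at a time and chain their durations; tiered capacities count down on every unit at once) as an added Python example that replays both scenarios from the text. This is not code from the book or from Cisco; the per-member context limit of 50 and the member names are constructed, and the 52-week duration of the cluster's tiered keys is taken from the outcome the text describes.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Member:
    """One failover peer or cluster member with its constructed licenses."""
    name: str
    permanent_contexts: int      # Security Contexts from the permanent key
    timebased_contexts: int      # Security Contexts from a tiered time-based key
    contexts_weeks: int          # duration of that tiered key, in weeks
    botnet_weeks: int            # duration of the Botnet Traffic Filter key, in weeks


CONTEXT_LIMIT_PER_MEMBER = 50    # constructed platform limit


def contexts_available(members: List[Member], week: int) -> int:
    """Tiered capacity rule: every member's time-based key counts down at the
    same time, so in a given week (1-based) the combined count is the sum of
    each member's permanent contexts plus its time-based contexts while that key
    is still valid, with each member capped at the platform limit."""
    total = 0
    for m in members:
        n = m.permanent_contexts
        if week <= m.contexts_weeks:
            n += m.timebased_contexts
        total += min(n, CONTEXT_LIMIT_PER_MEMBER)
    return total


def botnet_countdown_owner(members: List[Member], week: int) -> Optional[str]:
    """On/off feature rule: only one unit counts down at a time. Members are
    listed in activation order (primary first); when one key runs out the next
    member's key starts. Returns the member whose key is counting down in the
    given week, or None once every key has expired."""
    elapsed = 0
    for m in members:
        if week <= elapsed + m.botnet_weeks:
            return m.name
        elapsed += m.botnet_weeks
    return None


def botnet_active(members: List[Member], week: int) -> bool:
    """The feature stays licensed for the pair as long as some key is counting down."""
    return botnet_countdown_owner(members, week) is not None


# Scenarios from the text: a failover pair with 52- and 28-week Botnet Traffic
# Filter keys, and a four-member cluster with 2 permanent + 10 time-based
# contexts per member for 52 weeks.
FAILOVER_PAIR = [Member("primary", 2, 0, 0, 52), Member("secondary", 2, 0, 0, 28)]
CLUSTER = [Member(f"unit{i}", 2, 10, 52, 0) for i in range(1, 5)]
```

For the pair, `botnet_countdown_owner` returns "primary" through week 52, "secondary" from week 53 to week 80, and None afterwards, giving the 80 weeks of uninterrupted coverage the text states; for the cluster, `contexts_available` returns 48 through week 52 and 8 from week 53, which is the drop an operator should plan for before the keys run out.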
Instead of obtaining a tiered AnyConnect Premium Peers capacity license to cover the worst-case scenario for each Cisco ASA in your network, you have the option of configuring your devices to share a pool of such licenses and request premium VPN session capacities as needed.
The server maintains the shared licenses and issues them to participants as necessary. You can optionally designate one participant ASA as the backup shared licensing server; this device will manage the shared pool only when the primary shared server becomes unavailable.
Shared License
Like other licensed capabilities, the Shared License feature can be either enabled or disabled. However, it could also link with the tiered capacity of Shared AnyConnect Premium Peers when enabled.
When the output of the show version or show activation-key command simply shows the Shared License feature as enabled, it means that the particular Cisco ASA can act as a shared licensing participant or a backup server. The same output from a shared licensing server also displays the associated quantity of shared licenses in the pool, as shown in Example:
Shared License:
Keep in mind that the Shared AnyConnect Premium Peers license is not available separately from the Shared License feature; the particular activation key must enable this capability and specify the shared session capacity in order to enable a shared licensing server.
You cannot use the regular AnyConnect Premium Peers license to provision or expand the shared session pool. Only the participant license can activate with a time-based activation key; the shared server license must use the permanent key.
Shared Licensing Operation
After you install the appropriate licenses on the server and participants, you can configure these devices to share the licensed pool of AnyConnect Premium sessions. Keep in mind that any Cisco ASA device may participate in a shared licensing domain under the following conditions:
Each device has the Shared License feature enabled. Because hardware models do not have to match within a single domain, any device except a Cisco ASA can be the server or a participant.
Monitoring Shared Licensing Operation
Use the show shared license command to monitor the communication between the shared license server and its participants. These features include the following capabilities: if applicable, the IP address and the serial number of the Cisco ASA that will act as the backup shared licensing server; if this device participates in failover, you need the serial number of the secondary unit as well.
Omar Santos. Jazib has also been engaged in the development of a number of customer-focused services, such as managed threat defense, network-based identity, bring-your-own-device (BYOD), and many others.
Upon initial synchronization, the backup server is only capable of five days of independent operation when the primary server goes offline; this period extends by one day every day up to the maximum of 30 days as long as the communication channel with the primary server remains operational.