Cisco

SNAF - Securing Networks with ASA Fundamentals

Classroom Learning

Who Needs to Attend

  • Cisco customers who implement and maintain ASA and PIX Security Appliances
  • Cisco channel partners who sell, implement, and maintain ASA and PIX Security Appliances
  • Cisco systems engineers who support the sale of ASA and PIX Security Appliances

 

Prerequisites

 

Follow-On Courses

 

Certification Programs and Certificate Tracks

This course is part of the following programs or tracks:

Cisco Course v1.0 | Cisco Security Appliance Software v8.0 | Prepares you for Cisco Exam 642-524 SNAF

In this Authorized Cisco course, you will gain the knowledge and skills needed to configure, maintain, and operate Cisco ASA 5500 Series Adaptive Security Appliances.

We have enhanced our delivery of SNAF by adding depth to the existing Cisco-developed hands-on labs. In a topology designed to simulate a typical production network, our advanced hands-on labs guide you through exercises such as executing general maintenance commands, configuring ACLs, and configuring VPN on the Security Appliance.

Our labs utilize ASA 5520 security appliances, though the content in this course and our labs is applicable across the ASA and PIX families of security appliances since the command syntax is generally the same. This course has been updated to cover the features and syntax of Cisco Security Appliance Software v8.0.

E-Labs Included for Post-Class Lab Practice

Following classroom instruction, you will receive 5 e-Lab credits for post-class lab practice, allowing you to hone your skills using the same hands-on lab equipment you used in the classroom.

What You'll Learn

 

  • Functions of the three types of firewalls used to secure today's computer networks
  • Technology and features of Cisco security appliances
  • How Cisco Adaptive Security Appliances (ASAs) and Cisco PIX Security Appliances protect network devices from attacks and why each is an appropriate choice
  • Bootstrap the security appliance, prepare the security appliance for configuration via the Cisco Adaptive Security Device Manager (ASDM), and launch and navigate ASDM
  • Perform essential security appliance configuration using ASDM and the CLI
  • Configure dynamic and static address translations using ASDM
  • Configure switching and routing using ASDM
  • Use ASDM to configure ACLs, filter malicious active codes, and filter URLs that meet the requirements of the security policy
  • Use the packet tracer for troubleshooting
  • Use ASDM to configure object groups that meet the requirements of the security policy
  • Use ASDM to configure AAA to meet the requirements of the security policy
  • Configure a modular policy that supports the security policy using ASDM
  • Use ASDM to configure protocol inspection to meet security policy requirements
  • Configure threat detection to meet security policy requirements using ASDM and the CLI
  • Using ASDM, configure the security appliance to support a site-to-site VPN that meets policy requirements
  • Using ASDM, configure the security appliance to provide secure connectivity using remote access VPNs
  • Configure the security appliance to run in transparent firewall mode
  • Enable, configure, and manage multiple contexts to meet security policy requirements
  • Select and configure the type of failover that best suits the network topology
  • Monitor and manage an installed security appliance

Course Outline

 

1. Introducing Cisco Security Appliance Technology and Features

  • Functions of the three types of firewalls that are used to secure modern computer networks
  • Technology and features of Cisco security appliances

2. Cisco Adaptive Security Appliance and PIX Security Appliance Families

  • Cisco ASA security appliance models
  • Cisco ASA security appliance licensing options

3. Getting Started with Cisco Security Appliances

  • Four main access modes
  • Security appliance file management system
  • Security appliance security levels
  • ASDM requirements and capabilities
  • Use the CLI to configure and verify basic network settings, and prepare the security appliance for configuration via ASDM
  • Verify security appliance configuration and licensing via ASDM

4. Essential Security Appliance Configuration

  • Configure a security appliance for basic network connectivity
  • Verify the initial configuration
  • Set the clock and synchronize the time on security appliances
  • Configure the security appliance to send syslog messages to a syslog server

5. Configuring Translations and Connection Limits

  • Function of TCP and UDP protocols within the security appliance
  • Function of static and dynamic translations
  • Configure dynamic address translation
  • Configure static address translation
  • Set connection limits

6. Using ACLs and Content Filtering

  • Configure the basic function of ACLs
  • Configure additional functions of ACLs
  • Configure active code filtering (ActiveX and Java applets)
  • Configure the security appliance for URL filtering
  • Use the packet tracer for troubleshooting

7. Configuring Object Grouping

  • Object grouping feature of the security appliance and its advantages
  • Configure object groups and use them in ACLs

8. Switching and Routing on Security Appliances

  • Configure logical interfaces and VLANs
  • Configure static routes and static route tracking
  • Dynamic routing capabilities of Cisco security appliances
  • Configure passive RIP routing

9. Configuring AAA for Cut-Through Proxy

  • Define and compare AAA
  • Install and configure Cisco Secure ACS
  • Configure the local user database
  • Define and configure cut-through proxy authentication
  • Define and configure user authorization using downloadable ACLs
  • Define and configure accounting

10. Configuring the Cisco Modular Policy Framework

  • Cisco Modular Policy Framework feature for security appliances
  • Functionality of class maps
  • Functionality of policy maps
  • Functionality of service policies
  • Use ASDM to configure a service policy rule

11. Configuring Advanced Protocol Handling

  • Need for advanced protocol handling
  • How the security appliance implements inspection of common network applications
  • Issues with multimedia applications and how the security appliance supports multimedia call control and audio sessions

12. Configuring Threat Detection

  • Threat detection and statistics
  • Configure basic threat detection and scanning threat detection
  • Configure and view threat detection statistics

13. Configuring Site-to-Site VPNs Using Pre-Shared Keys

  • How security appliances enable a secure VPN
  • Perform the tasks necessary to configure security appliance IPsec support
  • Commands to configure security appliance IPsec support
  • Configure a VPN between security appliances

14. Configuring Security Appliance Remote Access VPNs

  • Cisco Easy VPN
  • Cisco VPN Client
  • Configure an IPsec Remote Access VPN
  • Configure Users and Groups

15. Configuring Cisco Security Appliances for SSL VPN

  • SSL VPN and its purpose
  • Use the SSL VPN Wizard to configure a basic clientless SSL VPN connection
  • Configure SSL VPN policies
  • Verify SSL VPN operations
  • Customize the clientless SSL VPN portal

16. Configuring Transparent Firewall Mode

  • Purpose of transparent firewall mode
  • How data traverses a security appliance in transparent mode
  • Enable transparent firewall mode
  • Monitor and maintain transparent firewall mode

17. Configuring Security Contexts

  • Purpose of security contexts
  • Enable and disable multiple context mode
  • Configure a security context
  • Manage a security context

18. Configuring Failover

  • Difference between hardware and stateful failover
  • Difference between active/standby and active/active failover
  • Security appliance failover hardware requirements
  • Configure redundant interfaces
  • How active/standby failover works
  • Security appliance roles of primary, secondary, active, and standby
  • How active/active failover works
  • Configure active/standby cable-based and LAN-based failover
  • Configure active/active failover
  • Use remote command execution

19. Managing Security Appliances

  • Configure Telnet access to the security appliance
  • Configure SSH access to the security appliance
  • Configure command authorization
  • Recover security appliance passwords using general password recovery procedures
  • Use TFTP to install and upgrade the software image on the security appliance

Labs

 

Our investment in enhanced and exclusive lab content means you get the experience you need using current software and hardware. No other training company offers a unique, real-world lab solution like ours.

In our lab descriptions, an enhanced lab exercise contains a significant addition to the standard labs and may or may not be offered by other providers, while an exclusive lab exercise contains material that is not offered by any other provider.

We provide an unparalleled lab infrastructure for CCSP-oriented courses. For SNAF, each pod has a 2811 router, a 3560 switch, an ASA 5520, a VMware Server with nine VM systems, and an 1841 router that simulates the Internet environment. These devices are organized in a real-world fashion and are configured to work together to provide a complete security solution. The nine PCs are strategically placed in the topology to provide interesting and realistic functional demonstrations. For example, the Admin PC is treated as the Security Administrator's office desktop PC. Management connections to the ASA, including SSH to the CLI and HTTPS to ASDM, are performed from the Admin PC. The Data Server is an Active Directory Domain Controller. Included in its duties are user and group management, DNS, e-mail, and Certificate Authority services. The Security Server runs security applications such as Cisco Secure Access Control Server and the PHP Kiwi Syslog system. The DMZ server is partially exposed to the Internet and provides HTTP, FTP, DNS, and SMTP services. The Outside PC is connected to the simulated Internet and can be used as an external web/FTP server, the source of inbound connections to the DMZ server, an attack source, or as a trusted VPN client, depending on the current scenario. The Services-R-Us server acts as a public DNS, e-mail, web/FTP, and certificate server. The BackTrack2 PC is a Linux system with hundreds of security tools installed, the User PC is another internal PC system, and the Site1 PC is connected to a small remote network.

The SNAF courseware and Cisco's standard SNAF labs focus mainly on the ASDM GUI. Our SNAF labs also demonstrate ASDM, but give the CLI equal attention: for every operation completed in the GUI, the corresponding CLI commands are shown in our SNAF lab guide. The full final configuration is also displayed at the end of each lab, with the commands entered during the lab highlighted. This makes our lab guide a valuable reference long after you have completed the lab exercises.

Lab 1: Preparing the ASA for Administration

The goal of this lab is to prepare the ASA for remote administration by both SSH and HTTPS/ASDM. You will find the ASA currently has an unusable configuration. You will have to access it via its physical console port and reset the configuration back to factory defaults. You will use the setup dialog to configure the inside interface and enable ASDM access via HTTP. You will also enable SSH from the CLI. You will test SSH access from the Admin PC. You will also install and configure ASDM on the Admin PC and test initial access with ASDM.

  • Access the ASA Console Port
  • Clearing an Existing Configuration
  • Taking Inventory of the ASA
  • The Setup Dialog
  • Enable SSH
  • Set Up ASDM
  • Verify the ASA Configuration

Lab 2: Essential Security Appliance Configuration

In this lab, you will configure many of the basic settings on the ASA. You will configure the inside, outside, and DMZ interfaces, and you will configure authenticated NTP support and Syslog support. You will then use different scenarios and features to test the behavior of the ASA with this simple configuration in place.

  • Execute the Startup Wizard
  • ASDM Device Setup
  • Configure Syslog
  • Test and Verify the ASA's Configuration
  • The Packet Capture Wizard
  • Verify the ASA Configuration
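The CLI equivalent of this lab's essential configuration, shown as an added example rather than as the course's own lab guide. Interface numbering, addresses, the NTP server (10.0.1.10) and syslog host (10.0.1.20) are assumed for illustration; the NTP key and time zone are placeholders.

```text
! Interfaces: three security levels, routed mode (addresses assumed)
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.168.1.2 255.255.255.0
 no shutdown
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.1.1 255.255.255.0
 no shutdown
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 172.16.1.1 255.255.255.0
 no shutdown
route outside 0.0.0.0 0.0.0.0 192.168.1.1
!
! Authenticated NTP. An unauthenticated time source lets anyone on the path
! skew the clock, which silently breaks log correlation and certificate
! validity checks. The key must match the one configured on the NTP server.
clock timezone EST -5
ntp authenticate
ntp authentication-key 1 md5 <ntp-key>
ntp trusted-key 1
ntp server 10.0.1.10 key 1 source inside prefer
!
! Syslog to the Security Server. Timestamps and a device-id make the
! messages usable once several appliances feed the same collector.
logging enable
logging timestamp
logging device-id hostname
logging host inside 10.0.1.20
logging trap informational
logging buffered warnings
!
! Verify: the NTP association should show "sys.synchronized" and the
! server flagged as authenticated; show logging confirms the trap level
! and the host the messages go to.
show ntp status
show ntp associations detail
show logging
```

Send syslog over the inside interface only; the collector address and UDP 514 are otherwise exposed on the outside, and the messages themselves carry usernames and addresses.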

Lab 3: Translations and Connections

In this lab, you will work with configuring address translations through the ASA. You will begin by experimenting with nat 0 and no nat-control to understand the differences between the two. Next, you will implement a temporary PAT configuration. You will then move on to configure Dynamic NAT, NAT Exemption, and Static NAT as appropriate for the lab topology. At each step along the way, you will test and verify the results of the configuration, both on the host systems that are communicating as well as on the ASA. During this lab, you will learn how to configure and monitor address translation and you will see the difference between the ASA's translation table and its connection table.

  • Understanding NAT Control and NAT 0
  • Configure PAT
  • Configure Dynamic NAT and NAT Exemption
  • Configure Static NAT
  • Verify the ASA Configuration
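The pre-8.3 ASA CLI forms of the translation types this lab compares, as an added example (not the course's lab guide or Cisco's sample configuration). Interface names, the inside (10.0.1.0/24), DMZ (172.16.1.0/24), outside (192.168.1.0/24) and Site 1 (10.0.2.0/24) subnets are assumed for illustration.

```text
! Default since 7.0: no nat-control. An inside host with no matching nat
! rule is passed untranslated. With nat-control on, such a host is dropped.
no nat-control
!
! "nat 0" identity NAT: the listed host passes untranslated, but only for
! connections it initiates; outside cannot reach it unless a static exists.
! (A single host is used here so it does not overlap the PAT rule below.)
nat (inside) 0 10.0.1.77 255.255.255.255
!
! NAT exemption (nat 0 access-list): traffic matching the ACL is exempt in
! both directions. This is the form used for traffic that will enter a VPN.
access-list NONAT extended permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! PAT: the whole inside subnet shares the outside interface address.
nat (inside) 1 10.0.1.0 255.255.255.0
global (outside) 1 interface
!
! Dynamic NAT pool under the same id. The ASA hands out pool addresses
! first and falls back to interface PAT only when the pool is exhausted.
global (outside) 1 192.168.1.100-192.168.1.199 netmask 255.255.255.0
!
! Static NAT for the DMZ server. The trailing "tcp 500 100" caps the public
! address at 500 TCP connections and 100 embryonic (half-open) ones, so a
! SYN flood against it is absorbed by the ASA instead of the server.
static (dmz,outside) 192.168.1.10 172.16.1.10 netmask 255.255.255.255 tcp 500 100
!
! Verify. "xlate" is the translation table (address mappings, one per
! host or per port for PAT); "conn" is the connection table (stateful
! flows). Many conns can hang off one xlate, and clearing an xlate tears
! down every connection that depends on it, so treat clear xlate as an outage.
show nat
show xlate detail
show conn
clear xlate
```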

Lab 4: Configuring ACLs and Object Groups

In this lab, you will configure access policy through the ASA. The policy will allow access to the public services running on the DMZ Server from the outside. It will also be very restrictive on what connections are allowed to originate from the DMZ Server. Policy from the internal network will be unrestricted. While configuring and testing policy, you will also be introduced to Object Groups, the Packet Tracer, and ICMP Inspection.

  • Configure Inbound HTTP Access
  • Complete Inbound Policy using Object Groups
  • Configure Policy from the DMZ
  • Verify the ASA Configuration
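An added example (not from the course materials) of the policy this lab describes in pre-8.3 ASA CLI: inbound access to the published DMZ services, a deliberately restrictive DMZ-originated policy, ICMP inspection, and packet-tracer checks. The DMZ server's real address (172.16.1.10), its static public address (192.168.1.10), the inside network (10.0.1.0/24) and the test source 203.0.113.5 are assumed.

```text
! Object groups: the services the DMZ server publishes, and the server(s).
! Pre-8.3, interface ACLs reference the *translated* (public) address.
object-group service DMZ-PUBLIC-SVC tcp
 port-object eq www
 port-object eq ftp
 port-object eq smtp
 port-object eq domain
object-group network DMZ-SERVERS
 network-object host 192.168.1.10
!
! Inbound policy on outside: only the published services. Everything else
! hits the implicit deny at the end of the ACL.
access-list OUTSIDE-IN extended permit tcp any object-group DMZ-SERVERS object-group DMZ-PUBLIC-SVC
access-list OUTSIDE-IN extended permit udp any object-group DMZ-SERVERS eq domain
access-group OUTSIDE-IN in interface outside
!
! Policy from the DMZ. Without an ACL a security-level-50 interface may
! initiate anything toward outside (level 0). Applying an ACL replaces that
! default, so state exactly what a DMZ host needs: mail and DNS out, and
! nothing toward inside (logged, so a compromised host's attempts show up).
access-list DMZ-OUT extended deny ip any 10.0.1.0 255.255.255.0 log
access-list DMZ-OUT extended permit tcp host 172.16.1.10 any eq smtp
access-list DMZ-OUT extended permit udp host 172.16.1.10 any eq domain
access-group DMZ-OUT in interface dmz
!
! ICMP inspection makes echo/echo-reply stateful: replies to inside-initiated
! pings are matched to their request instead of needing an inbound permit.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Packet tracer walks a synthetic packet through route lookup, NAT, ACLs and
! inspection and names the phase (and rule) that allowed or dropped it.
! Expected: the first is allowed by OUTSIDE-IN, the second dropped by DMZ-OUT.
packet-tracer input outside tcp 203.0.113.5 40000 192.168.1.10 80
packet-tracer input dmz tcp 172.16.1.10 40000 10.0.1.10 445
show access-list OUTSIDE-IN
show access-list DMZ-OUT
```

The hit counts in `show access-list` are the quickest way to confirm the test traffic matched the line you intended rather than a broader one above it.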

Lab 5: AAA and Cut Through Proxy

Cut Through Proxy is a feature on the security appliance that allows access control to be based on a user instead of an IP address. That is, instead of using statically defined ACLs that key off expected user IP addresses, when the ASA sees matching traffic from a new IP address, it can intercept the connection and challenge for a username and password. If the user is authorized, connections are allowed. This can be extended one step further where downloadable ACLs provided by the AAA server very precisely define the access control for that particular user. You will explore AAA and the Cut Through Proxy feature in this lab exercise.

  • Configure ACS and ASA Communication
  • Exclusive - Configure ACS Integration with Active Directory
  • Cut Through Authentication
  • User Authentication Timeouts
  • Virtual Telnet Server
  • Downloadable ACLs
  • Per User Override
  • AAA Accounting
  • Verify the ASA Configuration
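The cut-through proxy pieces named in this lab, as an added CLI example rather than the course's lab guide. The ACS address (10.0.1.20), the RADIUS secret, the inside subnet and the virtual Telnet address (192.168.1.5, an unused address on the assumed outside subnet) are illustrative; the downloadable ACLs themselves are defined on ACS, not on the ASA.

```text
! AAA server group for Cisco Secure ACS. RADIUS is used here because that is
! the protocol ACS pushes downloadable ACLs over.
aaa-server ACS protocol radius
aaa-server ACS (inside) host 10.0.1.20
 key <radius-shared-secret>
!
! Authentication is triggered only for traffic matching this ACL. The ASA
! can present a login prompt only on HTTP, HTTPS, Telnet and FTP; once the
! source address holds a uauth entry, other traffic from it is allowed too.
access-list AUTH-IN extended permit tcp 10.0.1.0 255.255.255.0 any eq www
access-list AUTH-IN extended permit tcp 10.0.1.0 255.255.255.0 any eq https
access-list AUTH-IN extended permit tcp 10.0.1.0 255.255.255.0 host 192.168.1.5 eq telnet
aaa authentication match AUTH-IN inside ACS
!
! uauth timeouts: trust the address for at most 30 minutes, or 5 idle
! minutes. The credential is bound to the source IP, not the person, so a
! second user behind the same NATed or shared host inherits the session.
timeout uauth 0:30:00 absolute
timeout uauth 0:05:00 inactivity
!
! Virtual Telnet: users telnet to this address purely to authenticate, so
! that protocols the ASA cannot prompt on (e.g. SSH, SQL) can follow.
virtual telnet 192.168.1.5
!
! per-user-override: the downloadable ACL from ACS replaces the interface
! ACL for that user's flows instead of merely being checked in addition.
access-list INSIDE-IN extended permit ip 10.0.1.0 255.255.255.0 any
access-group INSIDE-IN in interface inside per-user-override
!
! Accounting: start/stop records to ACS for the same matched traffic.
aaa accounting match AUTH-IN inside ACS
!
! Verify / operate. Downloaded ACLs show up in show access-list under the
! #ACSACL#- names ACS assigns them.
show uauth
show access-list
clear uauth
```

`clear uauth` is the emergency lever: it drops every cached authentication at once and forces re-login, which is what you want if an ACS account is compromised.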

Lab 6: Modular Policy Framework and Advanced Protocol Handling

In this lab you will work with the Modular Policy Framework (MPF) in several ways. First, you will inspect the current global policy and see how class maps, policy maps, and the service policy are built into a hierarchy. Then you will use the MPF to apply DoS protection to the DMZ interface, testing the feature with an attempted SYN flood. You will implement QoS features, limiting the bandwidth used by the DMZ interface to ensure that traffic to and from the inside network is not starved by DMZ access. You will finish by experimenting with FTP inspection. With FTP inspection turned on, if the FTP control channel is permitted, the dynamically negotiated data connections it sets up are permitted as well. With FTP inspection turned off, data connections are allowed only if the static policy in place explicitly permits them.

  • Examine the Current Policy
  • Exclusive - DOS Protection with MPF
  • Exclusive - Quality of Service with MPF
  • FTP Protocol Inspection
  • Verify the ASA Configuration
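An added CLI example (not the course's own lab configuration) of the three MPF uses this lab covers: connection limits as SYN-flood protection, policing as QoS, and FTP inspection in the default global policy. The DMZ web server's public address (192.168.1.10), the limits and the 1 Mbit/s rate are assumed values; tune them against real traffic.

```text
! Class matching traffic to the DMZ web server (public address, pre-8.3).
access-list DMZ-WEB extended permit tcp any host 192.168.1.10 eq www
class-map DMZ-WEB-CLASS
 match access-list DMZ-WEB
!
! Catch-all class used for policing the DMZ interface.
class-map DMZ-ALL
 match any
!
policy-map DMZ-POLICY
 class DMZ-WEB-CLASS
  ! SYN-flood protection. Above 200 half-open connections the ASA answers
  ! the SYN itself (TCP intercept) and only forwards handshakes that
  ! complete. The per-client caps keep one source from using the whole
  ! budget; random-sequence-number hides the server's ISN pattern.
  set connection conn-max 1000 embryonic-conn-max 200 per-client-max 50 per-client-embryonic-max 10
  set connection timeout embryonic 0:00:30
  set connection random-sequence-number enable
 class DMZ-ALL
  ! Police DMZ traffic to 1 Mbit/s each way (burst 31250 bytes, a quarter
  ! second at that rate) so a busy or compromised DMZ host cannot starve
  ! inside users of the shared uplink.
  police output 1000000 31250 conform-action transmit exceed-action drop
  police input 1000000 31250 conform-action transmit exceed-action drop
service-policy DMZ-POLICY interface dmz
!
! FTP inspection is part of the default global policy. With it on, the ASA
! parses PORT/PASV on the control channel and opens a pinhole for exactly
! that data connection; "strict" also rejects control commands that do not
! follow the RFC (a common tunnelling trick). With it off, active-mode data
! connections from the server would need their own permit in the ACL.
policy-map global_policy
 class inspection_default
  inspect ftp strict
!
! Verify: per-class counters for drops, embryonic connections and policing.
show service-policy interface dmz
show service-policy inspect ftp
show conn
```

When you test with a SYN flood, watch `show service-policy interface dmz` for the embryonic-connection counters and `show conn` for the flood's entries being held by the ASA rather than appearing on the server.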

Lab 7: Threat Detection

By default, the ASA monitors the rate of dropped packets and security events caused by, among other things, DoS attacks, ACL drops, connection-limit drops, ICMP attacks, and SYN attacks. When the ASA detects a threat, it sends a syslog message reporting it. In this lab, you will work with Basic Threat Detection. You will verify that it is enabled by default, and you will see how to enable and view additional threat detection statistics.

  • Basic Threat Detection
  • Threat Detection Statistics
  • Verify the ASA Configuration
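Threat detection in ASA 8.0 CLI, as an added example (not the course lab guide). The rate thresholds, the exempted host (10.0.1.20, the monitoring/ACS server in the assumed topology) and the host queried at the end (10.0.1.55) are illustrative.

```text
! Basic threat detection is on by default in 8.0; this line is a no-op
! unless someone has disabled it.
threat-detection basic-threat
!
! Tighten the SYN-attack trigger: alert when the average drop rate over a
! 10-minute window exceeds 100/s, or a burst exceeds 200/s. Establish a
! baseline first; the defaults are deliberately loose.
threat-detection rate syn-attack rate-interval 600 average-rate 100 burst-rate 200
!
! Scanning threat detection with automatic shun. Shunning is the risky
! part: a spoofed scan can get a legitimate address blocked, so exempt the
! scanner, the monitoring host and anything you cannot afford to lose.
threat-detection scanning-threat shun except ip-address 10.0.1.20 255.255.255.255
!
! Statistics. These cost memory and CPU in proportion to traffic; host
! statistics in particular are for investigation, not permanent use.
threat-detection statistics access-list
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics host
!
! Verify and operate.
show threat-detection rate
show threat-detection scanning-threat attacker
show threat-detection shun
show threat-detection statistics top access-list
show threat-detection statistics host 10.0.1.55
clear threat-detection shun 10.0.1.55
```

On the syslog side, basic threat detection reports rate exceedances as message 733100, scanning detection reports attacking and targeted hosts as 733101, and shun additions as 733102; those are the IDs to alert on at the collector.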

Lab 8: Site-to-Site VPN

In this lab you will work with creating and testing a site-to-site VPN using the ASDM VPN Wizard. You will begin by verifying that without a VPN, there is no connectivity between the local network and Site 1. You will then proceed to create and test a site-to-site VPN to Site 1 using the VPN Wizard. Lastly, you will experiment with ways to limit access through the tunnel for those users connecting from Site 1.

  • Verify Current Environment
  • ASDM VPN Wizard
  • Verify the Resulting Configuration
  • Test and Verify the VPN Tunnel
  • Exclusive - Enforce Access Policy from Site 1
  • Verify the ASA Configuration
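The configuration the VPN Wizard produces for this lab, plus one way to limit what Site 1 may reach, written out as an added CLI example (not the course's own configuration). The peer address (192.168.1.254), the local (10.0.1.0/24) and Site 1 (10.0.2.0/24) networks, the cipher choices and the internal web server (10.0.1.50) are assumed.

```text
! Phase 1 (ISAKMP): pre-shared key, AES-256/SHA-1, DH group 2.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
!
! Phase 2 transform set
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
!
! Interesting traffic. The same traffic must be exempted from NAT, or it is
! PATed before the crypto map is consulted and never matches the tunnel.
access-list SITE1-CRYPTO extended permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list NONAT extended permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
crypto map OUTSIDE-MAP 10 match address SITE1-CRYPTO
crypto map OUTSIDE-MAP 10 set peer 192.168.1.254
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP interface outside
!
! Peer and pre-shared key. The PSK is the only thing authenticating Site 1,
! so it must be long and random, and never reused across peers.
tunnel-group 192.168.1.254 type ipsec-l2l
tunnel-group 192.168.1.254 ipsec-attributes
 pre-shared-key <long-random-psk>
!
! Limiting access from Site 1. By default "sysopt connection permit-vpn"
! lets decrypted traffic bypass the outside interface ACL, so an
! unrestricted tunnel amounts to "permit ip Site1 any". A vpn-filter is an
! ACL applied to the tunnel itself; write it with the remote network as
! the source. Here Site 1 gets the web server and ping, nothing else.
access-list SITE1-FILTER extended permit tcp 10.0.2.0 255.255.255.0 host 10.0.1.50 eq www
access-list SITE1-FILTER extended permit icmp 10.0.2.0 255.255.255.0 10.0.1.0 255.255.255.0 echo
group-policy SITE1-GP internal
group-policy SITE1-GP attributes
 vpn-filter value SITE1-FILTER
tunnel-group 192.168.1.254 general-attributes
 default-group-policy SITE1-GP
!
! Verify
show crypto isakmp sa
show crypto ipsec sa peer 192.168.1.254
show vpn-sessiondb l2l
```

The alternative to a vpn-filter is `no sysopt connection permit-vpn`, after which decrypted traffic is checked against the outside interface ACL like any other inbound traffic; that is simpler to audit when many tunnels terminate on the same appliance.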

Lab 9: Remote Access VPN

In this lab you will once again use the VPN Wizard. This time it will be used to enable Remote Access VPN. Since completion of the link requires a client, you will also configure the VPN software client to initiate the connection. After testing and verifying the Remote Access VPN, you will implement split tunneling in order to allow Remote Access VPN clients to access Internet resources without using the tunnel. Lastly, you will work with Hairpin VPN, an alternative to split tunnel, to allow Remote Access VPN users to access the Internet.

  • Prepare the ASA for Remote Access VPN
  • Prepare the Cisco VPN Client
  • Test and Verify Remote Access VPN
  • Update the NAT Configuration
  • Exclusive - Allow Internet Access via Split Tunneling
  • Exclusive - Allow Internet Access via Hairpin
  • Verify the ASA Configuration
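The two Internet-access options from this lab side by side, as an added CLI example (not the course's lab guide). The address pool (10.0.10.0/24), the tunnel and group names, the DNS server (10.0.1.10) and local-database authentication are assumed, as is an existing ISAKMP policy and crypto map named OUTSIDE-MAP on the outside interface.

```text
! Pool handed to clients, and NAT exemption for inside-to-pool traffic
! (the lab's "Update the NAT Configuration" step).
ip local pool RA-POOL 10.0.10.1-10.0.10.50 mask 255.255.255.0
access-list NONAT extended permit ip 10.0.1.0 255.255.255.0 10.0.10.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! Group policy and tunnel group for the Cisco VPN Client (IPsec).
group-policy RA-GP internal
group-policy RA-GP attributes
 vpn-tunnel-protocol IPSec
 dns-server value 10.0.1.10
tunnel-group RA-GROUP type remote-access
tunnel-group RA-GROUP general-attributes
 address-pool RA-POOL
 default-group-policy RA-GP
 authentication-server-group LOCAL
tunnel-group RA-GROUP ipsec-attributes
 pre-shared-key <group-psk>
!
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map DYN-MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-MAP
crypto isakmp nat-traversal 20
!
! Option 1: split tunneling. Only the listed networks enter the tunnel;
! everything else leaves the client's local interface directly. Cheaper on
! bandwidth, but the client is now a bridge between an untrusted network
! and the corporate one, with none of the ASA's policy in the path.
access-list SPLIT standard permit 10.0.1.0 255.255.255.0
group-policy RA-GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT
!
! Option 2: hairpin (replaces option 1's split-tunnel-policy). Everything
! comes up the tunnel; Internet-bound traffic is sent back out the outside
! interface, PATed to its address, so it is inspected and logged like
! inside traffic. intra-interface must be permitted for the U-turn.
group-policy RA-GP attributes
 split-tunnel-policy tunnelall
same-security-traffic permit intra-interface
nat (outside) 1 10.0.10.0 255.255.255.0
global (outside) 1 interface
!
! Verify
show vpn-sessiondb remote
show crypto ipsec sa
show xlate
```

With the hairpin option, `show xlate` should show pool addresses translated to the outside interface address while a client browses; if it does not, the `nat (outside)` line is the first thing to check.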

Lab 10: Clientless SSL VPN

In this lab you will run the SSL VPN Wizard to configure the ASA for clientless (WebVPN) access. Once the SSL VPN is up and running, you will explore the features it provides. You will then create different policies for different groups of users: general users will have fewer privileges in the clientless portal than administrative users.

  • SSL VPN Wizard
  • Test Clientless SSL VPN
  • Define a Group Policy for General Users
  • Test the Policy for General Users
  • Exclusive - Provide Greater Customization for the AdminPolicy
  • Exclusive - Test the Admin Customization and OnScreen Keyboard
  • Monitor SSL VPN Connections
  • Verify the ASA Configuration
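An added CLI example (not the course's wizard output) of two clientless SSL VPN group policies with different privileges. The bookmark list INTRANET-BOOKMARKS is assumed to already exist (it is created in ASDM or imported with `import webvpn url-list`); the usernames and the tunnel-group alias are placeholders.

```text
! Enable the clientless portal on the outside interface.
webvpn
 enable outside
 port 443
 tunnel-group-list enable
!
! General users: bookmarks only. No free-form URL entry and no CIFS file
! browsing, so the portal cannot be used as a general proxy into the LAN.
group-policy GENERAL-GP internal
group-policy GENERAL-GP attributes
 vpn-tunnel-protocol webvpn
 webvpn
  url-list value INTRANET-BOOKMARKS
  url-entry disable
  file-entry disable
  file-browsing disable
!
! Administrators: same bookmarks plus URL entry and file access.
group-policy ADMIN-GP internal
group-policy ADMIN-GP attributes
 vpn-tunnel-protocol webvpn
 webvpn
  url-list value INTRANET-BOOKMARKS
  url-entry enable
  file-entry enable
  file-browsing enable
!
! Map users to policies (local database here; ACS/AD in production).
username alice password <pw>
username alice attributes
 vpn-group-policy GENERAL-GP
username bob password <pw>
username bob attributes
 vpn-group-policy ADMIN-GP
!
! Tunnel group the portal login page offers; least privilege is the default.
tunnel-group SSL-GROUP type remote-access
tunnel-group SSL-GROUP general-attributes
 default-group-policy GENERAL-GP
tunnel-group SSL-GROUP webvpn-attributes
 group-alias portal enable
!
! Verify
show vpn-sessiondb webvpn
show webvpn group-alias
```

The wizard leaves the portal on the ASA's self-signed certificate; since the lab topology includes a Certificate Authority, enrol the ASA with it and bind the trustpoint to the outside interface (`ssl trust-point <name> outside`) so users are not trained to click through certificate warnings.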

Lab 11: Transparent Mode Firewall & Security Contexts

In this lab, you will configure and test two features which first appeared in version 7.0 of the Security Appliance OS: Transparent firewalling and security contexts.

Transparent firewall mode is designed for two primary reasons: 1) an organization wants to add a firewall to an existing network without requiring re-addressing, and 2) an organization operates a multiprotocol network, including non-IP traffic, and wants to allow that traffic through the firewall without requiring GRE tunneling. In this lab, the transparent firewall will be inserted between the routing interfaces of the L3-Switch and the PC systems. The transparent firewall can then provide firewalling services without modifying the L3-Switch or PC configurations.

Security contexts were designed to allow a single physical firewall to do work that would otherwise require several firewalls. A security appliance in transparent mode is limited to two interfaces, so dedicating a whole appliance with more than two physical interfaces (each able to carry multiple VLANs) to a single bridged pair is wasteful. Combining security contexts with transparent firewalling lets one physical firewall provide transparent firewalling for several IP subnets, one context per subnet.

  • Understand the Updated Topology
  • Access the Security Appliance Console
  • Configure Transparent Firewall Mode
  • Configure Interfaces and the Management IP Address
  • Exclusive - Configure the Switching Fabric
  • Test Connectivity through the Security Appliance
  • Prepare the ASA for and Launch ASDM
  • Define and Test Inbound Policy with ASDM
  • Understand the Updated Scenario
  • Exclusive - Enable Multiple Context Mode
  • Exclusive - Multiple Context Mode from ASDM
  • Exclusive - Create and Configure a New Context
  • Exclusive - Update the Switching Fabric
  • Exclusive - Verify Functionality of the New Context
  • Verify the ASA Configuration
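The CLI side of this lab, as an added example rather than the course's own lab configuration: a single-context transparent firewall, then the system-space commands that carve the appliance into contexts. The bridged subnet (10.0.1.0/24), the management address, the VLAN numbers, context names and file names are assumed.

```text
! --- Single-context transparent firewall ---
! Changing the firewall mode clears the running configuration; do this
! from the console, as the lab does.
firewall transparent
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 no shutdown
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 no shutdown
!
! One management address for the whole bridge. It must belong to the
! subnet being bridged and is only used for traffic from the ASA itself
! (syslog, NTP, ASDM/SSH), which is also why a route is still needed.
ip address 10.0.1.2 255.255.255.0
route outside 0.0.0.0 0.0.0.0 10.0.1.1
!
! IP traffic is filtered with extended ACLs exactly as in routed mode.
access-list OUTSIDE-IN extended permit tcp any host 10.0.1.50 eq www
access-group OUTSIDE-IN in interface outside
!
! Non-IP traffic (the second reason for transparent mode) passes only if an
! EtherType ACL permits it. These ACLs are stateless and end in an implicit
! deny, so permit bpdu explicitly or spanning tree stops at the firewall.
access-list L2-PASS ethertype permit bpdu
access-list L2-PASS ethertype permit ipx
access-group L2-PASS in interface inside
access-group L2-PASS in interface outside
!
! --- Multiple contexts (system execution space) ---
! In 8.0 the firewall mode is per appliance, so every context is
! transparent and has exactly two data interfaces; each context therefore
! gets its own pair of VLAN subinterfaces, trunked from the switch.
! "mode multiple" reloads the unit and moves the existing configuration
! into the admin context.
mode multiple
interface GigabitEthernet0/0.10
 vlan 10
interface GigabitEthernet0/1.11
 vlan 11
admin-context admin
context admin
 allocate-interface Management0/0
 config-url disk0:/admin.cfg
context ENGINEERING
 allocate-interface GigabitEthernet0/0.10 outside
 allocate-interface GigabitEthernet0/1.11 inside
 config-url disk0:/engineering.cfg
!
! Configure the new context from inside it, then verify from the system.
changeto context ENGINEERING
show firewall
changeto system
show mode
show context
```

Note the trust boundary: anyone who can administer the system execution space or the admin context can `changeto` into any other context, so admin-context access must be held to the same standard as root on the box.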

Lab 12: Active/Standby Failover

In this lab, two pods are linked together. The Primary Pod's ASA will be configured as the primary ASA for failover and the Secondary Pod's ASA will be configured as the secondary ASA for failover. Stateful failover will also be enabled. Once configured, the failover status will be confirmed and tested. After a successful test, the failover status will be returned to its initial state.

  • Understand the Updated Topology
  • High Availability and Scalability Wizard
  • Exclusive - Configure the Failover Prompt
  • Verify Failover Status
  • Test Failover Operation
  • Return to a Normal State
  • Verify the ASA Configuration

Lab 13: Active/Active Failover

In this lab, two pods are linked together. The Primary and Secondary Pods' ASAs will be configured for failover using two contexts, each assigned to a different failover group. Stateful failover will be enabled, and preemption will be configured so that a different ASA is active for each failover group. Once configured, the failover status will be confirmed and tested. After a successful test, the failover status will be returned to its initial state.

  • Understand the Updated Topology
  • High Availability and Scalability Wizard
  • Exclusive - Demonstrate Configuration Replication and Failover Exec
  • Verify Failover Status
  • Exclusive - Enable Preemption
  • Test Failover Operation
  • Return to a Normal State
  • Verify the ASA Configuration
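An added CLI example (not the course's wizard output) covering both failover labs: the active/standby bootstrap on each unit, the prompt from Lab 12, the test-and-restore commands, and the failover-group additions that turn the same pair into active/active in Lab 13. Interface numbers, the failover and state link subnets, the context names and the key are assumed.

```text
! --- Active/Standby, LAN-based, stateful: primary unit ---
! Each data interface gets a standby address so the standby unit can be
! monitored and managed (inside shown; repeat for outside and dmz).
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.1.1 255.255.255.0 standby 10.0.1.3
!
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/2
failover interface ip FOLINK 10.0.9.1 255.255.255.0 standby 10.0.9.2
! Dedicated state link, so replication does not compete with heartbeats.
failover link STATE GigabitEthernet0/3
failover interface ip STATE 10.0.8.1 255.255.255.0 standby 10.0.8.2
! Without a key, the failover and state traffic (including configuration
! replication, with every password and PSK) crosses the link in cleartext.
failover key <shared-failover-key>
failover
!
! --- Secondary unit: bootstrap only; everything else is replicated ---
failover lan unit secondary
failover lan interface FOLINK GigabitEthernet0/2
failover interface ip FOLINK 10.0.9.1 255.255.255.0 standby 10.0.9.2
failover key <shared-failover-key>
failover
!
! Prompt showing unit and state, so you never type into the wrong box.
prompt hostname priority state
!
! Verify, test, restore.
show failover
show failover state
failover exec mate show failover
no failover active
failover active
!
! --- Active/Active additions (multiple context mode, system space) ---
! Contexts join failover groups; each group fails over as a unit. With
! preempt, a group returns to its preferred unit once that unit is healthy,
! which is what makes both units carry traffic in normal operation.
failover group 1
 primary
 preempt
failover group 2
 secondary
 preempt
context ENGINEERING
 join-failover-group 1
context SALES
 join-failover-group 2
show failover group 1
show failover group 2
```

`no failover active` on the active unit is the non-destructive way to test: it hands the role to the peer without touching cabling, and `failover active` on the primary afterwards returns the pair to its initial state.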

Lab 14: Managing the Security Appliance

You will begin this lab by experimenting with the configuration of Authentication, Authorization, and Accounting. You will configure various methods of AAA including using the Local ASA database as well as scaling the solution by using Cisco Secure ACS. Next, you will perform an upgrade including the ASA OS as well as ASDM. Lastly, you will perform a password recovery on the ASA.

  • Connect to the ASA via SSH
  • Configure Commands at a New Privilege Level
  • Configure Command Authorization for LOCAL Users
  • Exclusive - Configure Command Authorization using TACACS+
  • Exclusive - Configure Command Accounting
  • View the AAA Configuration from ASDM
  • Perform a "System Upgrade"
  • Exclusive - Perform a Password Recovery
  • Verify the ASA Configuration
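This example serves both Lab 1 (preparing SSH and ASDM access) and this lab (privilege levels, command authorization and accounting). It is added here and is not the course's lab configuration. The Admin PC address (10.0.1.10), the ACS address (10.0.1.20), the ASDM file name, user names and all secrets are placeholders.

```text
! --- Remote administration (Lab 1) ---
hostname asa1
domain-name example.lab
crypto key generate rsa modulus 2048
ssh 10.0.1.10 255.255.255.255 inside
ssh version 2
ssh timeout 10
! Telnet is cleartext. If it must exist, pin it to the Admin PC on the
! inside; the ASA refuses to enable it on a security-level-0 interface.
telnet 10.0.1.10 255.255.255.255 inside
http server enable
http 10.0.1.10 255.255.255.255 inside
asdm image disk0:/asdm-603.bin
!
! --- Local users and privilege levels (Lab 14) ---
enable password <enable-secret>
username admin password <admin-pw> privilege 15
username ops password <ops-pw> privilege 5
! Lower selected commands to level 5 so "ops" can look but not change.
! (This is the form the running configuration displays.)
privilege show level 5 mode exec command running-config
privilege show level 5 mode exec command conn
privilege show level 5 mode exec command xlate
privilege cmd level 5 mode exec command packet-tracer
!
! Authenticate every management path against the local database and turn
! on command authorization. Keep a console session open while you do this:
! a typo here locks every other path out.
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication enable console LOCAL
aaa authorization command LOCAL
!
! --- The same thing centralised on ACS (TACACS+) with LOCAL fallback for
! when the server is unreachable, plus per-command accounting ---
aaa-server TACACS protocol tacacs+
aaa-server TACACS (inside) host 10.0.1.20
 key <tacacs-secret>
aaa authentication ssh console TACACS LOCAL
aaa authentication enable console TACACS LOCAL
aaa authorization command TACACS LOCAL
aaa accounting command privilege 15 TACACS
!
! Verify: which level am I at, can the ASA reach ACS, what did it answer.
show curpriv
show aaa-server TACACS
test aaa-server authentication TACACS host 10.0.1.20 username ops password <ops-pw>
```

The password-recovery step in this lab works because, by default, someone with console access can interrupt boot, set the configuration register to bypass the startup configuration, and reset the enable password with the old configuration still on flash. `no service password-recovery` changes that trade-off: recovery is still possible, but it erases the configuration, so physical access to the console no longer yields the running policy and its secrets. Do not set it on the lab unit before the recovery exercise.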

Classroom Dates and Locations

Date | Location
Feb 22 - 26, 2010 | St. John's, NL
Feb 22 - 26, 2010 | Houston, TX
Mar 1 - 5, 2010 | Dulles, VA
Mar 8 - 12, 2010 | Dallas, TX
Mar 8 - 12, 2010 | Morristown, NJ
Mar 15 - 19, 2010 | Orlando, FL
Mar 15 - 19, 2010 | Vancouver, BC
Mar 22 - 26, 2010 | Toronto, ON
Mar 22 - 26, 2010 | Washington, DC
Mar 29 - Apr 2, 2010 | Chicago (Schaumburg), IL
Apr 5 - 9, 2010 | Atlanta, GA
Apr 5 - 9, 2010 | Ft. Lauderdale, FL
Apr 5 - 9, 2010 | Minneapolis, MN
Apr 5 - 9, 2010 | Montreal, QC
Apr 12 - 16, 2010 | Ottawa, ON
Apr 12 - 16, 2010 | Boston, MA
Apr 12 - 16, 2010 | New York, NY
Apr 19 - 23, 2010 | Norfolk, VA
Apr 19 - 23, 2010 | Austin, TX
Apr 26 - 30, 2010 | San Jose, CA
Apr 26 - 30, 2010 | Dallas, TX
May 3 - 7, 2010 | Washington, DC
May 10 - 14, 2010 | Sacramento, CA
May 10 - 14, 2010 | Toronto, ON
May 10 - 14, 2010 | Raleigh, NC
May 17 - 21, 2010 | Los Angeles, CA
May 17 - 21, 2010 | Calgary, AB
May 17 - 21, 2010 | Philadelphia, PA
May 24 - 28, 2010 | Columbus, OH
Jun 7 - 11, 2010 | Rockville, MD
Jun 7 - 11, 2010 | Morristown, NJ
Jun 7 - 11, 2010 | Vancouver, BC
Jun 14 - 18, 2010 | Toronto, ON
Jun 14 - 18, 2010 | Chicago (Schaumburg), IL
Jun 14 - 18, 2010 | Houston, TX
Jun 21 - 25, 2010 | Dallas, TX
Jun 21 - 25, 2010 | Ottawa, ON
Jun 21 - 25, 2010 | New York, NY
Jun 28 - Jul 2, 2010 | Irvine, CA
Jun 28 - Jul 2, 2010 | Washington, DC
Jul 12 - 16, 2010 | Denver, CO
Jul 12 - 16, 2010 | Orlando, FL
Jul 19 - 23, 2010 | Atlanta, GA
Jul 26 - 30, 2010 | San Jose, CA
Jul 26 - 30, 2010 | Regina, SK
Jul 26 - 30, 2010 | Dallas, TX
Aug 2 - 6, 2010 | Boston, MA
Aug 2 - 6, 2010 | Montreal, QC
Aug 2 - 6, 2010 | Philadelphia, PA
Aug 9 - 13, 2010 | New York, NY
Aug 16 - 20, 2010 | Washington, DC
Aug 16 - 20, 2010 | Raleigh, NC
Aug 16 - 20, 2010 | Toronto, ON
Aug 23 - 27, 2010 | Houston, TX
Aug 23 - 27, 2010 | Chicago (Schaumburg), IL
Aug 30 - Sep 3, 2010 | Los Angeles, CA
Aug 30 - Sep 3, 2010 | Ottawa, ON
Sep 13 - 17, 2010 | Dulles, VA
Sep 20 - 24, 2010 | Morristown, NJ
Sep 20 - 24, 2010 | Calgary, AB
Sep 27 - Oct 1, 2010 | Dallas, TX

 

Don’t see the location or date you need? No problem – just use our By Request service.

Course Code: 5698

Also Available

10 Cisco e-Lab Credits | $495
3 College Credits | $300

Resources

PDF of this course

 

Lab Topologies

SNAF Lab Topology

 

Cisco Learning Partner of the Year