Cisco CCSP - Cisco Certified Security Professional SNAF - Securing Networks with ASA Fundamentals
SNAF - Securing Networks with ASA Fundamentals
Duration: 5 days Cisco Course v1.0 | Cisco Security Appliance Software v8.0 | Prepares you for Cisco Exam 642-524 SNAF In this Authorized Cisco course, you will gain the knowledge and skills needed to configure, maintain, and operate Cisco ASA 5500 Series Adaptive Security. We have enhanced our delivery of SNAF by adding depth to the existing Cisco-developed hands-on labs. In a topology designed to simulate a typical production network, our advanced hands-on labs guide you through exercises such as executing general maintenance commands, configuring ACLs, and configuring VPN on the Security Appliance. Our labs utilize ASA 5520 security appliances, though the content in this course and our labs is applicable across the ASA and PIX families of security appliances since the command syntax is generally the same. This course has been updated to cover the features and syntax of Cisco Security Appliance Software v8.0. E-Labs Included for Post-Class Lab PracticeFollowing classroom instruction, you will receive 5 e-Lab credits for post-class lab practice, allowing you to hone your skills using the same hands-on lab equipment you used in the classroom.
1. Introducing Cisco Security Appliance Technology and Features
2. Cisco Adaptive Security Appliance and PIX Security Appliance Families
3. Getting Started with Cisco Security Appliances
4. Essential Security Appliance Configuration
5. Configuring Translations and Connection Limits
6. Using ACLs and Content Filtering
7. Configuring Object Grouping
8. Switching and Routing on Security Appliances
9. Configuring AAA for Cut-Through Proxy
10. Configuring the Cisco Modular Policy Framework
11. Configuring Advanced Protocol Handling
12. Configuring Threat Detection
13. Configuring Site-to-Site VPNs Using Pre-Shared Keys
14. Configuring Security Appliance Remote Access VPNs
15. Configuring Cisco Security Appliances for SSL VPN
16. Configuring Transparent Firewall Mode
17. Configuring Security Contexts
18. Configuring Failover
19. Managing Security Appliances
Our investment in enhanced and exclusive lab content means you get the experience you need using current software and hardware. No other training company offers a unique, real-world lab solution like ours. In our lab descriptions, an enhanced lab exercise contains a significant addition to the standard labs and may or may not be offered by other providers, while an exclusive lab exercise contains material that is not offered by any other provider. We provide an unparalleled lab infrastructure for CCSP-oriented courses. For SNAF, each pod has a 2811 router, a 3560 switch, an ASA 5520, a VMware Server with nine VM systems, and an 1841 router that simulates the Internet environment. These devices are organized in a real-world fashion and are configured to work together to provide a complete security solution. The nine PCs are strategically placed in the topology to provide interesting and realistic functional demonstrations. For example, the Admin PC is treated as the Security Administrator's office desktop PC. Management connections to the ASA, including SSH to the CLI and HTTPS to ASDM, are performed from the Admin PC. The Data Server is an Active Directory Domain Controller. Included in its duties are user and group management, DNS, e-mail, and Certificate Authority services. The Security Server runs security applications such as Cisco Secure Access Control Server and the PHP Kiwi Syslog system. The DMZ server is partially exposed to the Internet and provides HTTP, FTP, DNS, and SMTP services. The Outside PC is connected to the simulated Internet and can be used as an external web/FTP server, the source of inbound connections to the DMZ server, an attack source, or as a trusted VPN client, depending on the current scenario. The Services-R-Us server acts as a public DNS, e-mail, web/FTP, and certificate server. The BackTrack2 PC is a Linux system with hundreds of security tools installed, the User PC is another internal PC system, and the Site1 PC is connected to a small remote network. The SNAF courseware and Cisco's standard SNAF labs focus mainly on the ASDM GUI. Our SNAF labs also demonstrate the use of ASDM and pay respect to the CLI as well. For all operations completed using the GUI, the corresponding CLI commands are always displayed in our SNAF lab guide. Also, the full, final configuration is displayed at the end of each lab with the configuration commands that were entered during the lab highlighted. This helps to make our lab guide a valuable reference long after you have completed the lab exercises. Lab 1: Preparing the ASA for Administration The goal of this lab is to prepare the ASA for remote administration by both SSH and HTTPS/ASDM. You will find the ASA currently has an unusable configuration. You will have to access it via its physical console port and reset the configuration back to factory defaults. You will use the setup dialog to configure the inside interface and enable ASDM access via HTTP. You will also enable SSH from the CLI. You will test SSH access from the Admin PC. You will also install and configure ASDM on the Admin PC and test initial access with ASDM.
Lab 2: Essential Security Appliance Configuration In this lab, you will configure many of the basic settings on the ASA. You will configure the inside, outside, and DMZ interfaces, and you will configure authenticated NTP support and Syslog support. You will then use different scenarios and features to test the behavior of the ASA with this simple configuration in place.
Lab 3: Translations and Connections In this lab, you will work with configuring address translations through the ASA. You will begin by experimenting with nat 0 and no nat-control to understand the differences between the two. Next, you will implement a temporary PAT configuration. You will then move on to configure Dynamic NAT, NAT Exemption, and Static NAT as appropriate for the lab topology. At each step along the way, you will test and verify the results of the configuration, both on the host systems that are communicating as well as on the ASA. During this lab, you will learn how to configure and monitor address translation and you will see the difference between the ASA's translation table and its connection table.
Lab 4: Configuring ACLs and Object Groups In this lab, you will configure access policy through the ASA. The policy will allow access to the public services running on the DMZ Server from the outside. It will also be very restrictive on what connections are allowed to originate from the DMZ Server. Policy from the internal network will be unrestricted. While configuring and testing policy, you will also be introduced to Object Groups, the Packet Tracer, and ICMP Inspection.
Lab 5: AAA and Cut Through Proxy Cut Through Proxy is a feature on the security appliance that allows access control to be based on a user instead of an IP address. That is, instead of using statically defined ACLs that key off expected user IP addresses, when the ASA sees matching traffic from a new IP address, it can intercept the connection and challenge for a username and password. If the user is authorized, connections are allowed. This can be extended one step further where downloadable ACLs provided by the AAA server very precisely define the access control for that particular user. You will explore AAA and the Cut Through Proxy feature in this lab exercise.
Lab 6: Modular Policy Framework and Advanced Protocol Handling In this lab you will work with the Modular Policy Framework (MPF) in various ways. First, you will inspect the current global policy and see how class maps, policy maps, and service policy are built into a hierarchy. Then you will use the MPF to apply DOS protection to the DMZ interface, testing the feature with an attempted SYN Flood attack. You will implement QoS features, limiting bandwidth used by the DMZ interface, insuring traffic to and from the inside network is not starved by DMZ access. You will finish by experimenting with FTP inspection. With FTP inspection turned on, if the FTP control channel is allowed, so are all the associated dynamically negotiated data connections. When FTP inspection is turned off, if the FTP data connections are not allowed by the static policy in place, the data connections will not be allowed.
Lab 7: Threat Detection By default the ASA monitors the rate of dropped packets and security events due to a number of reasons including (but not limited to) DoS attack, ACL drop, Conn limit, ICMP attack, and SYN attack. When the ASA detects a threat, it sends a Syslog message to inform of its occurrence. In this lab, you will work with Basic Threat Detection. You will verify that it is enabled by default, and you will see how to enable and view additional threat detection statistics.
Lab 8: Site-to-Site VPN In this lab you will work with creating and testing a site-to-site VPN using the ASDM VPN Wizard. You will begin by verifying that without a VPN, there is no connectivity between the local network and Site 1. You will then proceed to create and test a site-to-site VPN to Site 1 using the VPN Wizard. Lastly, you will experiment with ways to limit access through the tunnel for those users connecting from Site 1.
Lab 9: Remote Access VPN In this lab you will once again use the VPN Wizard. This time it will be used to enable Remote Access VPN. Since completion of the link requires a client, you will also configure the VPN software client to initiate the connection. After testing and verifying the Remote Access VPN, you will implement split tunneling in order to allow Remote Access VPN clients to access Internet resources without using the tunnel. Lastly, you will work with Hairpin VPN, an alternative to split tunnel, to allow Remote Access VPN users to access the Internet.
Lab 10: Clientless SSL VPN In this lab you will run the SSL VPN Wizard to configure ASA to allow access to the Web VPN. Once the SSL VPN is up and running, you will explore the features it provides. You will then create different policies for different groups of users. General users will have fewer privileges with the clientless VPN than administrative users.
Lab 11: Transparent Mode Firewall & Security Contexts In this lab, you will configure and test two features which first appeared in version 7.0 of the Security Appliance OS: Transparent firewalling and security contexts. Transparent firewall mode is designed for two primary reasons: 1) an organization wants to add a firewall to an existing network without requiring re-addressing, and 2) an organization operates a multiprotocol network, including non-IP traffic, and wants to allow that traffic through the firewall without requiring GRE tunneling. In this lab, the transparent firewall will be inserted between the routing interfaces of the L3-Switch and the PC systems. The transparent firewall can then provide firewalling services without modifying the L3-Switch or PC configurations. Security contexts were designed to allow a single physical firewall to perform jobs that generally require multiple firewalls. A limitation of transparent firewall mode on the security appliance is that only two interfaces are allowed. Obviously, dedicating a single physical firewall with more than two physical interfaces (and the ability to support multiple VLANs off each of its physical interfaces) is quite limiting. Hence using security contexts with transparent firewalling allows a single physical firewall to provide transparent firewalling to multiple IP subnets.
Lab 12: Active/Standby Failover In this lab, two pods are linked together. The Primary Pod's ASA will be configured as the primary ASA for failover and the Secondary Pod's ASA will be configured as the secondary ASA for failover. Stateful failover will also be enabled. Once configured, the failover status will be confirmed and tested. After a successful test, the failover status will be returned to its initial state.
Lab 13: Active/Active Failover In this lab, two pods are linked together. The Primary and Secondary Pod's ASA will be configured for failover using two contexts each assigned to different failover groups. Stateful failover will be enabled, and preemption will be configured so that different ASAs will be active for each failover group. Once configured, the failover status will be confirmed and tested. After a successful test, the failover status will be returned to its initial state.
Lab 14: Managing the Security Appliance You will begin this lab by experimenting with the configuration of Authentication, Authorization, and Accounting. You will configure various methods of AAA including using the Local ASA database as well as scaling the solution by using Cisco Secure ACS. Next, you will perform an upgrade including the ASA OS as well as ASDM. Lastly, you will perform a password recovery on the ASA.
No details for the moment
|
||||||||
|
|
||||||||
Recently Viewed Products
- ROUTE - Implementing Cisco IP Routing v1.0 (Category: CCDP - Cisco Certified Design Professional)
- MPLS - Implementing Cisco MPLS v2.2 (Category: CCIP - Cisco Certified Internetwork Professional)
- CANAC - Implementing NAC Appliance (formerly Cisco Clean Access) (Category: CCSP - Cisco Certified Security Professional)
- SWITCH - Implementing Cisco IP Switched Networks v1.0 (Category: CCDP - Cisco Certified Design Professional)
- VMware vSphere: Install, Configure, Manage [V4.1] (Category: VMware vSphere)
Your Cart is currently empty.
