SNAA - Securing Networks with ASA Advanced

Duration: 5 days

Cisco Course v1.0 | Cisco Security Appliance Software v8.0 | Prepares you for Cisco Exam 642-515 SNAA

In this Authorized Cisco course, you will take your knowledge and skills on configuring, maintaining, and operating Cisco ASA 5500 Series Adaptive Security Appliance to the next level. Recommended training for the Cisco Certified Security Professional (CCSP) certification, SNAA takes over where SNAF leaves off, covering advanced topics of the Adaptive Security Appliance.

We have added depth to the existing Cisco-developed hands-on labs for SNAA. Our advanced hands-on labs, delivered on an enhanced topology designed to simulate a typical production network, guide you through exercises such as managing digital certificates for IPSec and SSL VPNs, deep packet inspection, and using the 5505 in the SOHO environment.

Our labs utilize ASA 5520 security appliances, though this course and lab content is applicable across the ASA and PIX families of security appliances. This course covers the features and syntax of Cisco Security Appliance Software v8.0. Note: The sections covering SSL VPN and the Security Services Modules are ASA-specific, as these features are not supported on the PIX firewall.

E-Labs Included for Post-Class Lab Practice

Following classroom instruction, you will receive 5 e-Lab credits for post-class lab practice, allowing you to hone your skills using the same hands-on lab equipment you used in the classroom.

• SNAF - Securing Networks with ASA Fundamentals

• Use advanced NAT features such as policy-based NAT
• Use advanced modular policy framework for deep packet inspection of application protocols such as HTTP and FTP
• How the multimedia protocols are handled and configured by the modular policy framework of the security appliance at Layer 3, 4, and 7
• Configure the security appliance to support multiple VLANs on a single physical interface
• Configure dynamic routing capabilities of the appliance
• Use advanced IPSec VPN technologies including peer authentication using digital certificates
• Steps necessary to configure the ASA as a CA Server
• Configure the IPSec VPN Client using digital certificates
• Configure the advanced Easy VPN Server features of the ASA
• Necessary configuration for the ASA 5505 to be a VPN hardware client
• Steps to configure QoS for VPN traffic
• SSL VPN features and capabilities of the security appliance
• Enable clientless SSL VPNs with the security appliance
• Enable AnyConnect SSL VPN Client with the security appliance
• Enable the Cisco Secure Desktop with the security appliance to increase the security posture of SSL VPN connections
• Enable Dynamic Access Policy for remote access IPsec or SSL VPN
• Characteristics of the security services modules for the ASA
• Configure, inspect, and filter traffic with the Content Security and Control SSM
• Configure the AIP-SSM to identify and alert for common attacks

1. Advanced ASA NAT

• Applying NAT 0 and Policy NAT
  • ACLs
  • NAT
  • Translation Behavior
  • NAT Exemption
  • Policy NAT
  • Verify and Troubleshoot

2. Advanced Protocol Handling

• Applying the Cisco Modular Policy Framework
  • Modular Policy Framework Overview
  • Configuring the Modular Policy Framework
  • Configuring a Layer 7 Class Map
  • Configuring a REGEX Class Map
  • Configuring a Layer 7 Policy Map
  • Verifying the Modular Policy Framework Configuration
• Handling Advanced Protocol
  • Protocol Inspection Overview
  • FTP Inspection
  • HTTP Inspection
  • Instant Messaging Inspection
  • ESMTP Inspection
  • DNS Inspection
  • ICMP Inspection
  • Verifying Protocol Inspection

3. Dynamic Routing and Switching

• Switching with VLANs
  • ASA VLAN Operations
  • VLAN Configuration
  • Configuring VLANs on the ASA 5505
  • Verify VLANs
• Routing with Dynamic Protocols
  • Dynamic vs. Static Routing
  • RIP
  • OSPF
  • EIGRP
  • Redistribution
  • Verification and Troubleshooting

4. IPsec VPNs

• Understanding IPsec and Digital Certificates
  • What IPsec Is
  • IPsec Operation
  • Digital Certificates and Public Key Cryptography
  • Certificates and Scalability
  • Certificate Enrollment Process
  • Validating the Certificate
  • Certificate Revocation Lists
  • Security Appliance Certificate Enrollment Support
  • Key Pairs and Trustpoints
• Implementing Site-to-Site VPNs with Digital Certificates
  • Site-to-Site VPNs
  • Configuring CA Certificates
  • Site-to-Site IPsec Connection Profiles
  • Modifying Certificate to Connection Mapping
  • Hub and Spoke
  • Site-to-Site Redundancy
  • Verifying Site-to-Site VPNs
  • Troubleshooting Site-to-Site VPNs
• Configuring the Cisco VPN Client
  • Cisco VPN Client
  • Client Installation
  • Digital Certificates with Cisco VPN Client
  • Connection Entry
  • Advanced Options
  • Verify and Troubleshoot Client Configuration
• Implementing Remote Access VPNs with Digital Certificates
  • Remote Access VPNs
  • Configuring an ASA for Remote Access
  • Installing ASA Certificates
  • Defining a Remote Access Address Pool
  • User Policy Attribute Inheritance
  • Configuring an IPSec Connection Profile
  • Configuring the Certificate to Connection Profile Policy
  • Verifying Remote Access VPNs
  • Troubleshooting Remote Access VPNs
• Configuring Advanced Remote Access Features and Policy
  • Load Balancing
  • Reverse Route Injection
  • Backup Servers
  • Intra-Interface VPN Traffic
  • NAT Transparency
  • Client Update
  • Split Tunneling
  • Personal Firewalls
• Configuring the ASA 5505 as an Easy VPN Hardware Client
  • Introduction to Cisco Easy VPN
  • Cisco Easy VPN Server Policy
  • Easy VPN Hardware Client
• IPsec VPNs and QoS
  • QoS Overview
  • ASA QoS
  • Configuring QoS for VPNs

5. SSL VPNs

• SSL VPN Technology Overview
  • SSL Overview
  • Clientless SSL VPN
  • Cisco Secure Desktop (CSD)
• Configuring Clientless SSL VPNs
  • Configuring Clientless SSL VPN
  • Verifying Clientless SSL VPN Operation
  • Configuring Port-Forwarding SSL VPN
  • Verifying Port-Forwarding SSL VPN
  • Configuring Additional SSL VPN Features
  • Troubleshooting Clientless and Port-Forwarding SSL VPNs
• Configuring Full Network Access SSL VPNs
  • Cisco Full Network Access SSL VPN Overview
  • Configuring Cisco AnyConnect SSL VPN
  • Verifying Cisco AnyConnect SSL VPN Operation
  • Configuring Advanced Features for the Cisco AnyConnect SSL VPN Client
  • Configuring Certificate-Based Authentication for AnyConnect SSL VPN
  • Troubleshooting Cisco AnyConnect SSL VPN Client Operation
• Cisco Secure Desktop
  • Cisco Secure Desktop Overview
  • Cisco Secure Desktop Interoperability
  • Preparing the ASA for Cisco Secure Desktop
• Securing the Desktop with CSD and DAP
  • CSD Workflow
  • Pre-Login Assessment
  • Secure Session
  • Cache Cleaner
  • Host Emulation and Keystroke Logger Detection
  • Host Scan
  • Dynamic Access Policy
  • DAP Testing

6. Security Services Modules

• Examining the SSMs
  • Business Challenges
  • SSMs
  • CSC-SSM
  • AIP-SSM
  • AIP-SSM or CSC-SSM
• CSC-SSM: Getting Started
  • CSC-SSM Overview
  • CSC-SSM SW Loading
  • Initial CLI CSC Configuration
  • Initial Configuration of the CSC-SSM using CSC Setup Wizard from ASDM
• AIP-SSM: Getting Started
  • AIP-SSM Overview
  • AIP-SSM SW Loading
  • Initial IPS ASDM Configuration
  • Configure an IPS Security Policy

• Cisco customers who implement and maintain ASA and PIX Security Appliances
• Cisco channel partners who sell, implement, and maintain ASA and PIX Security Appliances
• Cisco systems engineers who support the sale of ASA and PIX Security Appliances

Our investment in enhanced and exclusive lab content means you get the experience you need using current software and hardware. No other training company offers a unique, real-world lab solution like ours.

In our lab descriptions, an enhanced lab exercise contains a significant addition to the standard labs and may or may not be offered by other providers, while an exclusive lab exercise contains material that is not offered by any other provider.

We provide an unparalleled lab infrastructure for CCSP-oriented courses. For SNAA, each pod has a 2811 router, a 3560 switch, an ASA 5520 with an AIP-SSM (IPS) module, an ASA 5505, a VMware Server with ten VM systems, and an 1841 router that simulates the Internet environment. These devices are organized in a real-world fashion and are configured to work together to provide a complete security solution. The ten PCs are strategically placed in the topology to provide interesting and realistic functional demonstrations. For example, the Admin PC is treated as the Security Administrator's office desktop PC. Management connections to the ASA, including SSH to the CLI and HTTPS to ASDM, are performed from the Admin PC. The Data Server is an Active Directory Domain Controller. Included in its duties are user and group management, DNS, e-mail, and Certificate Authority services. The Security Server runs security applications such as Cisco Secure Access Control Server and the PHP Kiwi Syslog system. The DMZ server is partially exposed to the Internet and provides HTTP, FTP, DNS, and SMTP services. The Outside PC is connected to the simulated Internet and can be used as an external web/FTP server, the source of inbound connections to the DMZ server, an attack source, or as a trusted VPN client, depending on the current scenario. The Services-R-Us server acts as a public DNS, e-mail, web/FTP, and certificate server. The BackTrack2 PC is a Linux system with hundreds of security tools installed, the User PC is another internal PC system, the Site1 PC is connected to a small remote network, and the Site2 PC is connected to another small remote network behind the ASA 5505.

The SNAA courseware and Cisco's standard SNAA labs focus mainly on the ASDM GUI. Our SNAA labs also demonstrate the use of ASDM and pay respect to the CLI as well. For all operations completed using the GUI, the corresponding CLI commands are always displayed in our SNAA lab guide. Also, the full, final configuration is displayed at the end of each lab with the configuration commands that were entered during the lab highlighted. This helps to make our lab guide a valuable reference long after you have completed the lab exercises.

Lab 1: Advanced NAT

In this lab you will work with various advanced NAT configurations. You will begin by verifying the basic pre-existing NAT setup. From there you will work with the DNS keyword in static NAT entries, and then set up Policy NAT for outbound as well as inbound communications. Lastly, you will set up net static NAT from the inside to the outside network. At each step along the way, you will test and verify the expected results.

• Verify Existing NAT Configuration
• Exclusive - Demonstrate the DNS keyword for a Static Command
• Configure Outbound Policy NAT
• Configure Inbound Policy NAT
• Exclusive - Configure Net-Static
• Verify the ASA Configuration

Lab 2: Modular Policy Framework: FTP and HTTP

In this lab you will work with Advanced Protocol Inspection for both FTP and HTTP, implementing two scenarios each. The first advanced FTP inspection scenario will mask the DMZ Server's FTP greeting banner and control which FTP commands are allowed to the DMZ server. The second advanced FTP inspection scenario is to defend against a buffer overflow attack by blocking change working directory requests where the directory specified is greater than a specified length. The first advanced HTTP inspection scenario will involve blocking internal hosts from accessing GIF files on external sites. The second HTTP inspection scenario will involve the detection of and blocking of a particular HTTP tunneling application.

• Advanced Inspection: FTP Command Enforcement
• Exclusive - Advanced Inspection: FTP Buffer Overflow Mitigation
• Advanced Inspection: HTTP Content Enforcement
• Exclusive - Advanced Inspection: HTTP Tunnel Detection and Block
• Verify the ASA Configuration

Lab 3: Dynamic Routing: EIGRP and OSPF

In this lab you will work with routing protocols on the ASA. At the start of the lab, as is quite common in firewalls on network perimeters, routes are configured statically. In this lab you will configure an OSPF-routed network on the outside, an EIGRP-routed network on the inside, and route redistribution between the two.

Note: The scenario presented in this lab is intended to demonstrate the function of dynamic routing protocols on the ASA. It's not to demonstrate optimal routing design within the lab topology.

• Configure Non-ASA Devices for EIGRP and OSPF
• Modify the ASA in preparation for Dynamic Routing
• Configure OSPF On The ASA
• Configure EIGRP On The ASA
• Verify the Results
• Enable Route Redistribution and Verify the Results
• Verify the ASA Configuration

Lab 4: Site-to-Site VPN with Digital Certificates

In this lab you will configure a Site-to-Site VPN using digital certificates for peer authentication. This will require enrolling the ASA with the Services-R-Us certificate authority (CA). You will see how to properly authenticate the CA, how to enroll with the CA via SCEP, how to issue the certificate from the CA, and how to verify enrollment success. The VPN peer is the Site1 router (simulated with a loopback interface on the Internet Router). It has already enrolled with the Services-R-Us CA and is configured to accept a connection from the ASA. You will use the IPsec VPN Wizard to configure the Site-to-Site VPN policy on the ASA. Once things are configured, you will verify tunnel operation and monitor the tunnel from both ASDM and the CLI.

• Examine Current SSL Identity Certificate
• Authenticate the External CA
• Enroll with the External CA via SCEP
• Configure Site-to-Site VPN
• Verify Site-to-Site VPN
• Verify the ASA Configuration

Lab 5: Remote Access VPN with Digital Certificates

As this lab starts, ASA has two identity certificates installed: One that is self-signed and used for SSL connections to ASDM, and a second from the Services-R-Us CA that is used for extra-net VPN connections. In this lab you will enroll the ASA with the internal CA residing on the Data Server. The intent is to use this certificate for Remote Access VPN. A twist on the enrollment methodology used is that you will perform a manual enrollment instead of a SCEP-based enrollment. SCEP-based enrollment is more convenient, but it requires direct connectivity between the appliance and the CA. If this is not available, manual enrollment must be used. Even though there is direct connectivity available between the ASA and the internal CA, you will use the manual method to demonstrate the process.

You will also install and configure the Cisco Easy VPN Client on the Outside PC. The client will also need to enroll with the internal CA. To facilitate this, you will create a Remote Access VPN tunnel group, which uses pre-shared keys and extended authentication to provide access to the internal CA. Using this tunnel, the VPN client will enroll with the internal CA. You will then create another tunnel group providing full internal access. This tunnel group will require an identity certificate and extended authentication. Once configured, you will verify its operation and monitor the sessions using ASDM and the CLI.

• Exclusive - Enroll the ASA with the Internal CA Server
• Configure a Tunnel Group for CA Access
• Install and Configure the Cisco Easy VPN Client
• Enroll the VPN Client with the Internal CA Server
• Configure a Tunnel Group for Full Network Access
• Exclusive - Enable Hub and Spoke VPN Connectivity
• Monitor Remote Access VPN Activity
• Verify the ASA Configuration

Lab 6: ASA 5505 Hardware Client

In this lab you will explore the use of a hardware-based VPN client. The ASA 5520 at the main site will be the VPN server, and the ASA 5505 at Site2 will be the hardware client. In keeping with the theme of SNAA VPN exercises, ISAKMP authentication will be performed with digital certificates. The ASA 5520 is already enrolled with the Services-R-Us CA. You will enroll the 5505 with the Services-R-Us CA. Once basic VPN connectivity has been established, you will experiment with using Network Extension Mode, a feature that can only be done with hardware-based clients. You will also explore the various authentication modes available with hardware client systems.

• Initial Configuration of Easy VPN Server
• Enroll the 5505 with the Services-R-Us CA
• Easy VPN Remote on the 5505
• Exclusive - Easy VPN Network Extension Mode
• Exclusive - Easy VPN Extended Authentication Options
• Verify the ASA Configuration

Lab 7: SSL VPN: Clientless and Thin Client

This lab focuses on truly clientless SSL VPN as well as thin client applications that require Java support in the client browser. Clientless SSL VPN works well for web-based applications and file access (FTP and Windows CIFS Shares). Providing arbitrary access to single channel TCP connections can be accomplished with Port Forwarding. Port Forwarding uses Java to open a port for listening on the client PC, and connections to that port on the local PC are forwarded through the SSL connection to the configured IP address and port on the protected network. Smart tunnels provide a similar capacity but may be more intuitive to the end users. With smart tunnels, specified applications have access to resources on the protected network via the SSL tunnel. Lastly, SSL VPN plug-ins push capabilities to the browser for certain application protocols. This will allow the browser itself to act as a client for supported applications. Each of these methods will be explored in this lab.

• Enable Basic Clientless SSL VPN Access
• Test Basic Clientless SSL VPN Access
• Exclusive - Implement and Test Port Forwarding
• Exclusive - Implement and Test Smart Tunnels
• Exclusive - Implement and Test SSL VPN Plug-Ins
• Verify the ASA Configuration

Lab 8: SSL VPN: AnyConnect Client

In this lab you will work with the AnyConnect client. You will first implement the AnyConnect client requiring only a username/password for authentication. You will perform both a manual install and a web launch of the AnyConnect client, and you will verify connectivity and monitor the AnyConnect connections. After accomplishing basic connectivity, you will migrate to requiring a digital certificate as well as username/password for authentication. You will prepare the Local CA Server on the ASA for this purpose. You will enroll the SSL user with the CA and install their certificate on the Outside PC. You will then verify connectivity and session status using digital certificates and username/password-based authentication.

• Local CA on the ASA
• Configure AnyConnect Client Support
• Enroll with the ASA Local CA
• Install the Stand Alone AnyConnect Client
• Configure and Verify the Web Launch AnyConnect Client
• Verify the ASA Configuration

Lab 9: Cisco Secure Desktop and Dynamic Access Policies

In this lab you will work with the Cisco Secure Desktop (CSD) and Dynamic Access Policies (DAP). Clientless and AnyConnect Client support is already configured on the ASA. You will start from this base configuration and require that SSL connections from non-trusted IP addresses (addresses outside those used by the Site1 partner) use CSD. You will explore the operations of CSD on the remote clients. You will then fine-tune the CSD configuration to look for a watermark on the client system. Both watermarked and non-watermarked clients from untrusted IP space will require the use of CSD, but the restrictions will be greater on the non-watermarked systems. You will finish with an exploration of DAP. Depending on even finer criteria, connectivity can be restricted or denied.

• Enable the Cisco Secure Desktop
• Configure Policies for the CSD
• Verify the Cisco Secure Desktop Operation
• Configure a Dynamic Access Policy
• Verify the DAP Operation
• Verify the ASA Configuration

Lab 10: The AIP-SSM

In this lab you will take an AIP-SSM from an unknown state to a working state. The first step will be to recover the AIP-SSM's operating image, which will return it to a factory default state. You will then perform the initial setup of the AIP-SSM. As you work with the AIP-SSM it will become apparent that it really is a Cisco IPS Sensor. It runs the same code and works the same way as the stand-alone 4200 series sensors do. There are just some extra hooks to let it work with the ASA. Its monitoring interfaces are connected to the backplane of the ASA, so you will have to configure the Modular Policy Framework to forward traffic to the sensor. You will configure the ASA to send all traffic passing through the DMZ interface to the AIP-SSM inline. Once things are configured, you will verify the IPS operation with a couple of scenarios. You will also tune a set of signatures to deny offending traffic in-line and demonstrate the results.

• Recover the AIP-SSM Image
• Initial Setup of the AIP-SSM
• AIP-SSM Management Connection Options
• Configure the ASA's MPF to use the AIP-SSM Inline
• Exclusive - Verify IPS Operation
• Exclusive - Tune a Signature and Verify the Result
• Verify the ASA and AIP-SSM Configurations

No details for the moment