
Overview:

In this Authorized Cisco course, get the knowledge and skills you need to configure, maintain, and operate Cisco ASA 5500 Series Adaptive Security Appliances and Cisco PIX 500 Series Security Appliances. SNPA is recommended training for the Cisco Certified Security Professional (CCSP) certification.

We have enhanced our delivery of SNPA by adding depth to the existing Cisco-developed hands-on labs. Our advanced hands-on labs guide you through exercises such as executing general maintenance commands and configuring ACLs on the Security Appliance.

Our labs utilize ASA 5520 security appliances. However, as the command syntax is the same, the content in this course and in our labs is applicable across the ASA and PIX families of security appliances. SNPA v5.0 has been updated to cover the features and syntax of the Cisco Security Appliance Software version 7.2.

We have included several exclusive items in our labs, such as using the capture and management-access commands, stateful ICMP inspection, TCP Intercept, digital certificates, the SSL VPN Client, the Cisco Secure Desktop and a full lab on configuring a Modular Policy Framework.

Apply what you learn in labs based on an enhanced topology designed to simulate a typical production network instead of a classroom.

Description:

1. Cisco Security Appliance Technology and Features

Introduction to the general functionality provided by firewalls and Security Appliances.

  • Firewall Technologies
  • Security Appliance Features Overview

2. Cisco PIX Security Appliance and ASA Adaptive Security Appliance Families

Introduction to the Cisco PIX 500 Series Security Appliance family, Cisco ASA 5500 Series Adaptive Security Appliance family, and Firewall Services Module (FWSM).

  • Models and Features of Cisco Security Appliances
  • PIX Security Appliance Licensing
  • ASA Adaptive Security Appliance Licensing
  • Cisco Firewall Services Module

3. Getting Started with Cisco Security Appliances

Learn to configure a Security Appliance.

  • User Interface
  • File Management
  • Security Appliance Security Levels
  • Basic Security Appliance Configuration
  • Examining Security Appliance Status
  • Time Setting and NTP Support
  • Syslog Configuration

4. Translations and Connections

Discussion of Security Appliance translations and connections, how the Security Appliance processes TCP and User Datagram Protocol (UDP) traffic, and how to configure dynamic and static address translations in a Security Appliance.

  • Transport Protocols
  • Network Address Translation
  • Port Address Translation
  • Identity NAT (NAT 0)
  • Static Command
  • Port Redirection with the Static Command
  • TCP Intercept and Connection Limits
  • Connections and Translations
  • Configuring Multiple Interfaces

5. Access Control Lists (ACLs) and Content Filtering

Discuss how to control access through the Security Appliance using ACLs. Learn how to configure the Security Appliance to filter malicious active code and how to configure URL filtering.

  • ACLs
  • Time-Based ACLs
  • Editing Existing ACLs
  • The ICMP Command
  • Other ACL Uses
  • Malicious Active Code Filtering
  • URL Filtering

6. Object Grouping

Learn object grouping concepts and how to use the object-group command to configure object grouping. The various types of object groups are explained, and the use and configuration of nested object groups are covered.

  • Configuring Object Groups
  • Nested Object Groups
  • Applying Object Groups to ACLs

7. Authentication, Authorization, and Accounting (AAA)

Learn how the Security Appliance implements AAA and how to configure it.

  • Introduction to AAA
  • Installation of Cisco Secure ACS for Windows 2000
  • Security Appliance Access Authentication Configuration
  • Using the Local User Database
  • Changing Authentication Timeouts
  • Security Appliance Cut-Through Authentication Configuration
  • Virtual Telnet and Virtual HTTP
  • Tunnel Access Authentication Configuration
  • Authorization Configuration
  • Downloadable ACLs
  • Per-User Override
  • Accounting Configuration

8. Switching and Routing

Explanation of the virtual local area network (VLAN) capabilities of the Security Appliance and the routing capabilities of the Security Appliance. Discussion of Routing Information Protocol (RIP) and the Open Shortest Path First (OSPF) algorithm in detail and configuration of the Security Appliance to allow multicast traffic.

  • VLANs
  • Static and Dynamic Routing
  • OSPF
  • Multicasting

9. Modular Policy Framework

Introduction of modular policy framework and explanation of how to configure a modular policy.

  • Modular Policy Overview
  • Configuring a Class Map
  • Configuring a Policy Map
  • Configuring a Service Policy

10. Advanced Protocol Handling

Introduction to Security Appliance advanced protocol handling. Learn to configure protocol inspection, including configuring an inspection modular policy, defining an FTP map, defining an HTTP map, and describing a number of the inspection protocols supported by the Security Appliance.

  • Advanced Protocol Handling
  • FTP, HTTP, and Protocol Application Inspection
  • Configuring Deep Packet Inspection
  • Multimedia Support

11. VPN Configuration

Learn the basics of IPSec and Security Appliance virtual private networks (VPNs), with a focus on communications between Security Appliance gateways for site-to-site secure connectivity. Discuss how VPNs function and the tasks necessary to configure VPN connection parameters on the Security Appliance.

  • Secure VPNs
  • How IPSec Works
  • Configure VPN Connection Parameters
  • Configuring IKE Parameters
  • Configuring Tunnel Groups
  • Configuring IPSec Parameters
  • Scale Security Appliance VPNs with Digital Certificates

12. Configuring Security Appliance Remote Access Using Cisco Easy VPN

Discuss the Cisco Easy VPN and its two components and modes of operation.

  • Introduction to Cisco Easy VPN
  • How Cisco Easy VPN Works
  • Configuring Users and Groups
  • Configuring IKE Mode Config Parameters
  • Configuring Dynamic Crypto Maps
  • Configuring the Easy VPN Server for Extended Authentication
  • Configure Security Appliance Hub-and-Spoke VPNs
  • Cisco VPN Client Manual Configuration Tasks
  • Working with the Cisco VPN Client

13. Configuring ASA for WebVPN

Define the characteristics of WebVPN and how it compares with traditional VPNs. Discuss the end-user interface and the steps and commands necessary to configure the ASA for WebVPN. As this is a feature unique to the ASA 5500 Series, it is not covered in a hands-on lab.

  • WebVPN End-User Interface
  • Configure WebVPN General Parameters, Servers, URLs, and Port Forwarding
  • Define Email Proxy Servers
  • Configure WebVPN Content Filters and ACLs

14. Configuring Transparent Firewall

Overview and explanation of transparent firewall mode. Enabling transparent firewall and monitoring and maintenance commands specific to the transparent firewall mode are also detailed.

  • Transparent Firewall Mode Overview
  • Enabling Transparent Firewall Mode
  • EtherType ACLs
  • ARP Inspection
  • Monitoring and Maintaining Transparent Firewall Mode

15. Configuring Security Contexts

Learn the purpose of security contexts and how to enable, configure, and manage multiple contexts.

  • Security Context Overview
  • Enabling Multiple Context Mode
  • Configuring a Security Context
  • Managing Security Contexts

16. Failover

Introduction to the Security Appliance failover options and how to configure them. Describe the types of failover supported by the Security Appliance and learn to configure active/standby, active/active, and stateful failover.

  • Understanding Failover
  • Serial Cable-Based Failover Configuration
  • Active/Standby LAN-Based Failover Configuration
  • Active/Active Failover Configuration

17. Cisco Security Appliance Device Manager

Introduction to the Cisco Adaptive Security Device Manager (ASDM). Get an overview of ASDM and its operating requirements. Continue with an introduction to the GUI structure and how to navigate the device manager. Learn how to install ASDM and how to configure and monitor a Security Appliance with ASDM.

  • ASDM Overview and Operating Requirements
  • Navigating ASDM Configuration and Multimode Windows

18. AIP-SSM - Getting Started

Introduction to the Cisco Advanced Inspection and Prevention Security Services Module (AIP-SSM). Learn how to load intrusion prevention system (IPS) software on the AIP-SSM, initialize the AIP-SSM with the setup command, and define an IPS modular policy on a Security Appliance via ASDM. As this is a feature unique to the ASA 5500 Series, it is not covered in a hands-on lab.

  • AIP-SSM Software Loading
  • Initial IPS ASDM Configuration
  • Configure a Security Policy on the ASA Security Appliance

19. Managing Security Appliances

Explain how to secure system access to the Security Appliance and how to configure and use local user authentication and command authorization. Password recovery and file management are also covered.

  • Managing System Access
  • Managing User Access Levels
  • Command Authorization
  • Managing Software, Licenses, and Configurations
  • Image Upgrade and Activation Keys

Agenda:

Our investment in enhanced and exclusive labs means you get the experience you need using current software and hardware. No other training company offers a unique, real-world lab solution like ours.

In our lab descriptions, an enhanced lab contains a significant addition to the standard labs and may or may not be offered by other providers, while an exclusive lab contains material that is not offered by any other provider.

We provide an unparalleled lab infrastructure for CCSP-oriented courses. For SNPA, each pod has a 2811 router, a 3560 switch, a 5520 ASA, and five PC systems. These devices are organized in a real-world fashion and are configured to work together to provide a complete security solution. The four PCs are strategically placed in the topology to provide interesting and realistic functional demonstrations. An Inside PC is treated as the Security Administrator's office desktop PC, and an Inside Server runs the applications, such as Cisco Secure Access Control Server, intended to be installed in the data center and shared among multiple administrators. The DMZ server is partially exposed to the Internet and provides HTTP and FTP services. An Outside PC is connected to the simulated Internet and can be used as a simulated web server and as the source of inbound connections.

Lab 1: Remote Lab Environment Familiarization

  • Log in to the remote lab environment
  • Launch and log in to the remote lab Virtual PCs
  • Set time zone on remote lab Virtual PCs
  • Log in to and manage remote lab equipment

Lab 2: Basic Security Appliance Configuration

  • Configure the security appliance with basic configuration commands
  • Verify connectivity from the security appliance
  • Verify connectivity from the Inside PC
  • Exclusive - Define a TFTP server and back up the active configuration
  • Configure the security appliance to send Syslog messages
  • Generate and view Syslog messages
  • Exclusive - Configure authenticated NTP
  • Filter undesired Syslog messages
  • Configure SSH services

Use basic configuration commands introduced in lecture to configure the security appliance to allow connectivity from the protected network (inside) to the Internet (outside) and DMZ. You will also use some basic show commands.

Configure the security appliance to send Syslog messages to a Syslog server application running on the Inside Server and learn some basics about how to read Syslog messages. Configure your security appliance as an NTP client, synchronize time with a time server, and have the security appliance add timestamps to Syslog messages. You will then learn how to filter Syslog messages that you don't want the security appliance to send.

Lab 3: Translations and Connections

  • Configure and test PAT on the DMZ interface
  • Exclusive - Learn some useful troubleshooting commands not in the course guide
  • Configure and test Identity NAT (NAT 0)
  • Configure and test static translations
  • Exclusive - Configure and test net static translation
  • Exclusive - Further test address translation rules precedence

This lab enhances your knowledge of security appliance administration regarding address translation. You will configure and test PAT to allow access to the DMZ network from the Inside without having to allocate individual IP addresses to internal clients. You will then experiment with a few very useful troubleshooting commands that are not included in the course guide, such as show traffic and capture. Then, you will configure and test Identity NAT, which allows a host address to be "translated to itself" when sending traffic through the security appliance. You will configure a static translation for your Inside Server for use when communicating with the DMZ network, and you will test the address translation priority schema of the security appliance. Finally, you will configure port-redirect static translations.

Lab 4: Access Control Lists (ACLs), ICMP Filters and Object Groups

  • Configure and test an inbound ACL
  • Exclusive - Configure and test an outbound ACL
  • Configure and test a time-based ACL
  • Edit existing ACLs
  • Configure and test ICMP filters
  • Configure object groups
  • Configure nested object groups
  • Configure an inbound ACL using object groups
  • Test the inbound ACL
  • Exclusive - Modify object group membership

In this lab, you will demonstrate your understanding of access lists by configuring and testing inbound, outbound, and time-based ACLs. You will edit existing ACLs by inserting and removing individual lines, and you will learn how to filter ICMP packets destined for the security appliance.

Extend your understanding of access lists by using object groups to organize hosts, services, and ICMP message types, and then use these definitions in an ACL. You will also modify object group memberships to observe the effect on the ACL configuration.

Lab 5: Authentication, Authorization, and Accounting

  • Configure a local user database
  • Configure TACACS+ and RADIUS server definitions
  • Add users to the Cisco Secure ACS database
  • Configure AAA authentication and accounting rules
  • Test security appliance access authentication
  • Test inbound and outbound AAA cut-through authentication
  • Review AAA accounting messages
  • Configure per-user access-lists via Downloadable ACLs
  • Test Downloadable ACLs with inbound authentication
  • Exclusive - Configure and test per-user-override

In this lab, you will configure both inbound and outbound cut-through authentication, security appliance access authentication, and accounting rules for both device access and session information. Users establishing connections to or through the security appliance will have to provide a valid username and password before the security appliance will allow the traffic. The username and password will be checked against either a central database maintained on a server in your network, so that multiple clients (PIX, routers, switches, etc.) can share it, or, if communication with the server fails, against a local database kept on the security appliance itself. You will then review accounting messages generated during your tests.

In this lab you will configure your ACS server to generate per-user access-lists for the security appliance via Downloadable ACLs, a feature that only works with RADIUS authentication. You will test this feature with inbound connections. Finally, you will test the per-user-override feature associated with Downloadable ACLs.

Lab 6: Exclusive - Configure Modular Policy Framework

  • Configure Class Maps and define matching criteria
  • Configure Policy Maps and associated classes and policies
  • Configure Service Policies and apply them to interfaces
  • Test connectivity with Modular Policy Framework in place

Modular Policy Framework is one of the major new features of OS v7. While some of the functionality directly replaces previous features, such as many of the "inspect" policies being a direct replacement for the fixup protocol commands of the past, there are also new features. The ability to selectively apply the various policies only to specified traffic types, instead of applying them globally, is the main difference. An administrator now has much more granular control over security policy implementation. In this lab, you will fully configure and test the Modular Policy Framework.

Lab 7: Advanced Protocol Inspection

  • Modify and test the global policy map
  • Configure and test FTP deep packet inspection
  • Exclusive - Configure an HTTP misuse policy

You will modify advanced protocol application inspection rules and delete from inspection applications not in use by your organization. Then you will modify and test FTP inspection to include configuring and testing deep packet inspection. You will configure a policy to guard against misuse of HTTP by users in your organization.

Lab 8: Site-to-Site VPN with Pre-Shared Keys

  • Configure IKE Phase 1 (ISAKMP) using pre-shared keys
  • Configure IKE Phase 2 (IPSec)
  • Test and verify Site-to-Site IPSec connectivity

You will configure your security appliance to act as an IPSec gateway between your pod and the "Headquarters" site network. You will use pre-shared keys for Phase 1 authentication. You will test connectivity to the "Headquarters" site through an IPSec tunnel.

Lab 9: Site-to-Site VPN with Digital Certificates

  • Exclusive - Configure Certificate Authority support
  • Exclusive - Obtain a digital certificate
  • Exclusive - Configure an IKE Phase 1 (ISAKMP) policy to use RSA Signatures
  • Configure new IPSec transform set using more secure algorithms
  • Alter existing crypto map to use new policy
  • Test and verify Site-to-Site IPSec connectivity

You will enhance your existing IPSec configuration by obtaining a digital certificate for your security appliance, and using RSA Signatures for ISAKMP authentication. You will also configure more secure transform sets for use in IPSec.

Lab 10: Remote Access VPN

  • Configure a pool of IP addresses to provide to remote VPN clients
  • Configure security appliance to bypass translation for VPN client traffic
  • Configure ISAKMP Mode Config Parameters, including XAUTH
  • Configure a dynamic crypto map entry for use by remote VPN clients
  • Install and configure the Cisco VPN Client on Outside PC
  • Test and verify an IPSec VPN Connection from the Outside PC

Further expand on your understanding of IPSec by configuring and testing secure connectivity from a remotely located PC to your security appliance using the Cisco VPN Client software.

Lab 11: Web VPN

  • Configure Clientless WebVPN
  • Exclusive - Configure Multiple Policy Groups using RADIUS
  • Configure Thin Client (Port Forwarding) Web VPN
  • Exclusive - Configure SSL VPN Client
  • Exclusive - Configure Cisco Secure Desktop

Configure WebVPN services on the security appliance, allowing VPN access from standard web browsers. Exclusively in our lab, you will integrate WebVPN with Cisco Secure ACS, providing different policies to different groups of users. Our other exclusive activities in this lab include using the SSL VPN Client, which provides a user experience similar to the IPSec-based Cisco Easy VPN client, and working with the Cisco Secure Desktop, which is used to protect against threats arising from the use of unsecured public workstations.

Lab 12: Transparent Firewall and Security Contexts

  • Configure transparent firewall mode
  • Configure interfaces and management IP address
  • Configure and test connectivity through the security appliance
  • Configure inbound access policy
  • Enable and confirm multiple context mode
  • Examine resulting configuration translation
  • Allocate interfaces to new context
  • Configure a second security context to provide transparent firewall on a second subnet
  • Test connectivity through two transparent firewall security contexts

You will configure and test a new feature of OS v7, transparent firewall mode. Transparent firewall mode is designed for two primary reasons: 1) an organization wants to add a firewall to an existing network without requiring re-addressing and 2) an organization operates a multiprotocol network, including non-IP traffic, and wants to allow that traffic through the firewall without requiring GRE tunneling.

You can partition a single security appliance into multiple virtual firewalls, known as security contexts. Each context is an independent firewall. In this lab, you will configure each security appliance to have two contexts, each configured to provide transparent firewalling services on separate IP subnets.

Lab 13: Active/Standby LAN-Based Failover

  • Configure the Primary security appliance for LAN-based failover
  • Configure the Secondary security appliance for LAN-based failover
  • Test LAN-based hardware failover
  • Enable LAN-based stateful failover
  • Test LAN-based stateful failover

In this lab, you will work with a "partner pod" to configure a pair of security appliances for LAN-based failover. You will test hardware failover, and then enhance it by enabling and testing stateful failover.

Lab 14: Active/Active LAN-Based Failover

  • Configure the security appliances for LAN-based failover
  • Configure and activate failover groups (Primary pod only)
  • Activate failover
  • Test Active/Active LAN-based stateful failover

With active/active failover, each physical appliance is the Active firewall for one or more contexts, comprising a "failover group", and for remaining contexts, the Standby firewall, comprising a second "failover group". This way, each appliance is helping with traffic processing under normal conditions. In the event of a failure, all contexts are processed by the appliance that remains "healthy". You will configure and test active/active failover in this lab.

Lab 15: ASDM

  • Erase the configuration on the security appliance to configure from scratch via ASDM
  • Execute the ASDM Startup Wizard
  • Configure inbound access policy to the DMZ
  • Establish a Site-to-Site VPN Connection
  • Explore the use of the Packet Tracer

In this lab, you will configure a security appliance from scratch using ASDM. You will put the security appliance in a factory default state and use the setup dialog to place a minimal configuration to support ASDM. You will then use ASDM's startup wizard for basic configuration, including outbound connectivity. You will configure inbound policy for outside access to the DMZ server, and you'll configure a Site-to-Site IPSec VPN tunnel using ASDM. You will finish by testing the Packet Tracer, which can be used to troubleshoot connectivity through the security appliance.

Lab 16: Managing the Security Appliance

  • Configure customized privilege levels for specific commands
  • Configure unique enable passwords for different privilege level access
  • Test command authorization based on login privilege level
  • Test AAA command authorization using the local user database
  • Exclusive - Configure AAA command authorization using a TACACS+ server
  • Exclusive - Test AAA command authorization using a TACACS+ server
  • Exclusive - Test AAA command accounting using a TACACS+ server
  • Upgrade the security appliance operating system file
  • Upgrade the security appliance ASDM image file
  • Perform a password recovery

Command authorization allows you to define different administrator accounts with different privilege levels. When combined with customizing the privilege level required to execute certain security appliance commands, this lets you control precisely which commands each administrator can run.

This lab introduces you to three basic and very important concepts in security appliance system maintenance: upgrading the operating system, upgrading ASDM image files, and performing a password recovery.

Audience:

Cisco customers who implement and maintain PIX and ASA Security Appliances; Cisco channel partners who sell, implement, and maintain PIX and ASA Security Appliances; and Cisco systems engineers who support the sale of PIX and ASA Security Appliances.

Objectives:

  • Security Appliance features, models, components, and benefits
  • Security Appliance interface security levels
  • Configure a Security Appliance for basic network connectivity
  • Configure the Security Appliance to send syslog messages to a syslog server
  • How the TCP and UDP protocols function with the Security Appliance
  • How static and dynamic translations function
  • Security Appliance Port Address Translation (PAT) feature
  • Function and configuration of ACLs and NAT 0 ACLs
  • Configure active code filtering (ActiveX and Java applets)
  • Configure the Security Appliance for URL filtering
  • Object grouping feature of the Security Appliance and its advantages
  • AAA protocols supported by the Security Appliance
  • Configure AAA authentication for Security Appliance access
  • Configure cut-through proxy authentication and tunnel access authentication
  • Configure AAA accounting
  • Install and configure basic Cisco Secure ACS functions
  • How the Security Appliance implements FTP and HTTP protocol inspection
  • How the Security Appliance implements remote shell (rsh), SQL, SMTP, ICMP, and SNMP protocol inspection
  • Tasks and commands to configure Security Appliance IPSec support
  • Configure the Easy VPN Server for remote access VPN using the Cisco VPN Client
  • Configure WebVPN general parameters, servers, URLs, and port forwarding
  • Monitor and maintain transparent firewall mode
  • Configure and manage a security context
  • Security Appliance hardware failover requirements
  • Configure Active/Standby Failover
  • Configure Active/Active Failover
  • Install ASDM and use it to configure the Security Appliance
  • Configure the AIP-SSM setup parameters
  • Configure a security policy on an ASA Security Appliance using ASDM
  • Configure Telnet and SSH access to the Security Appliance console
  • Recover the Security Appliance passwords using general password recovery procedures
  • Use TFTP to install and upgrade the software image on the Security Appliance
