Course Overview
In this five-day task-oriented Authorized Cisco course, you will gain the knowledge and skills needed to configure, maintain, and operate Cisco ASA 5500 Series Adaptive Security Appliances. Our labs use ASA 5520 security appliances, though the content of this course and our labs applies across the ASA and PIX families of security appliances, since the command syntax is generally the same.
This course updates Securing Networks with PIX and ASA (SNPA) v5.0. In SNAF v1.0, the ASDM graphical user interface (GUI) is used for configuration and monitoring. All lessons and labs are now GUI-based, with the commands for each task listed for those who prefer to configure the security appliance via the command-line interface (CLI). SNAF 1.0 has been updated to cover new features in Cisco ASA and PIX Security Appliance Software version 8.0, including the following:
- Threat Detection
- Secure Logging
- Remote Command Execution in Failover Pairs
- Redundant Interfaces
- Modular Policy Framework (MPF) enhancements
- Access Control List (ACL) renaming capability
- FTP support for SSL VPN
- Onscreen Keyboard for SSL VPN
- Customization of all SSL VPN user-visible content
- Personal Bookmarks for SSL VPN users
Who will benefit from this course?
- Cisco customers who implement and maintain ASA and PIX Security Appliances
- Cisco channel partners who sell, implement, and maintain ASA and PIX Security Appliances
- Cisco systems engineers who support the sale of ASA and PIX Security Appliances
Prerequisites
- Interconnecting Cisco Network Devices Part 2 (ICND2)
- Cisco CCNA or equivalent knowledge
- Basic knowledge of the Microsoft Windows operating system
- Familiarity with networking and security terms and concepts
Related Courses
- SNAA: Securing Networks with ASA Advanced
- IPS: Implementing Cisco Intrusion Prevention System 6.0
- MARS: Cisco Monitoring, Analysis and Response System 3.0
- IINS: Implementing Cisco IOS Network Security 1.0
- SNRS: Securing Networks with Cisco Routers and Switches 2.0
Course Objectives
- Functions of the three types of firewalls used to secure today's computer networks
- Technology and features of Cisco security appliances
- How Cisco Adaptive Security Appliances (ASAs) and Cisco PIX Security Appliances protect network devices from attacks and why each is an appropriate choice
- Bootstrap the security appliance, prepare it for configuration via the Cisco Adaptive Security Device Manager (ASDM), and launch and navigate ASDM
- Perform essential security appliance configuration using ASDM and the CLI
- Configure dynamic and static address translations using ASDM
- Configure switching and routing using ASDM
- Use ASDM to configure ACLs, filter malicious active code, and filter URLs to meet the requirements of the security policy
- Use the packet tracer for troubleshooting
- Use ASDM to configure object groups that meet the requirements of the security policy
- Use ASDM to configure AAA to meet the requirements of the security policy
- Configure a modular policy that supports the security policy using ASDM
- Use ASDM to configure protocol inspection to meet security policy requirements
- Configure threat detection to meet security policy requirements using ASDM and the CLI
- Using ASDM, configure the security appliance to support a site-to-site VPN that meets policy requirements
- Using ASDM, configure the security appliance to provide secure connectivity using remote access VPNs
- Configure the security appliance to run in transparent firewall mode
- Enable, configure, and manage multiple contexts to meet security policy requirements
- Select and configure the type of failover that best suits the network topology
- Monitor and manage an installed security appliance
Course Outline
Introducing Cisco Security Appliance Technology and Features
- Functions of the three types of firewalls that are used to secure modern computer networks
- Technology and features of Cisco security appliances
Cisco Adaptive Security Appliance and PIX Security Appliance Families
- Cisco ASA security appliance models
- Cisco ASA security appliance licensing options
Getting Started with Cisco Security Appliances
- Four main access modes
- Security appliance file management system
- Security appliance security levels
- ASDM requirements and capabilities
- Use the CLI to configure and verify basic network settings, and prepare the security appliance for configuration via ASDM
- Verify security appliance configuration and licensing via ASDM
Essential Security Appliance Configuration
- Configure a security appliance for basic network connectivity
- Verify the initial configuration
- Set the clock and synchronize the time on security appliances
- Configure the security appliance to send syslog messages to a syslog server
Configuring Translations and Connection Limits
- Function of TCP and UDP protocols within the security appliance
- Function of static and dynamic translations
- Configure dynamic address translation
- Configure static address translation
- Set connection limits
Using ACLs and Content Filtering
- Configure the basic functions of ACLs
- Configure additional functions of ACLs
- Configure active code filtering (ActiveX and Java applets)
- Configure the security appliance for URL filtering
- Use the packet tracer for troubleshooting
Configuring Object Grouping
- Object grouping feature of the security appliance and its advantages
- Configure object groups and use them in ACLs
Switching and Routing on Security Appliances
- Configure logical interfaces and VLANs
- Configure static routes and static route tracking
- Dynamic routing capabilities of Cisco security appliances
- Configure passive RIP routing
Configuring AAA for Cut-Through Proxy
- Define and compare AAA
- Install and configure Cisco Secure ACS
- Configure the local user database
- Define and configure cut-through proxy authentication
- Define and configure user authorization using downloadable ACLs
- Define and configure accounting
Configuring the Cisco Modular Policy Framework
- Cisco Modular Policy Framework feature for security appliances
- Functionality of class maps
- Functionality of policy maps
- Functionality of service policies
- Use ASDM to configure a service policy rule
Configuring Advanced Protocol Handling
- Need for advanced protocol handling
- How the security appliance implements inspection of common network applications
- Issues with multimedia applications and how the security appliance supports multimedia call control and audio sessions
Configuring Threat Detection
- Threat detection and statistics
- Configure basic threat detection and scanning threat detection
- Configure and view threat detection statistics
Configuring Site-to-Site VPNs Using Pre-Shared Keys
- How security appliances enable a secure VPN
- Perform the tasks necessary to configure security appliance IPsec support
- Commands to configure security appliance IPsec support
- Configure a VPN between security appliances
Configuring Security Appliance Remote Access VPNs
- Cisco Easy VPN
- Cisco VPN Client
- Configure an IPsec remote access VPN
- Configure users and groups
Configuring Cisco Security Appliances for SSL VPN
- SSL VPN and its purpose
- Use the SSL VPN Wizard to configure a basic clientless SSL VPN connection
- Configure SSL VPN policies
- Verify SSL VPN operations
- Customize the clientless SSL VPN portal
Configuring Transparent Firewall Mode
- Purpose of transparent firewall mode
- How data traverses a security appliance in transparent mode
- Enable transparent firewall mode
- Monitor and maintain transparent firewall mode
Configuring Security Contexts
- Purpose of security contexts
- Enable and disable multiple context mode
- Configure a security context
- Manage a security context
Configuring Failover
- Difference between hardware and stateful failover
- Difference between active/standby and active/active failover
- Security appliance failover hardware requirements
- Configure redundant interfaces
- How active/standby failover works
- Security appliance roles of primary, secondary, active, and standby
- How active/active failover works
- Configure active/standby cable-based and LAN-based failover
- Configure active/active failover
- Use remote command execution
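As an added example (it is not part of the course materials or the pod configuration), the following ASA 8.0 CLI fragment ties together three of the failover topics above: a redundant interface, LAN-based active/standby failover with a stateful link, and the 8.0 remote command execution feature. Interface numbers, addresses and the failover key are assumptions chosen for illustration.

```cisco
! Added example: primary unit of a LAN-based active/standby pair
! (assumed: ASA 8.0 on a 5520, Gi0/3 dedicated to failover; all addresses are made up)
!
! Redundant interface: two physical members back one logical "outside" interface.
! Member interfaces carry no nameif/IP of their own; the Redundant interface does.
interface Redundant1
 member-interface GigabitEthernet0/0
 member-interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0 standby 203.0.113.3
!
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 10.0.1.1 255.255.255.0 standby 10.0.1.2
!
! Failover control (failover lan interface) and stateful replication (failover link)
! share one dedicated link here; "failover key" authenticates and encrypts that traffic.
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/3
failover interface ip FOLINK 192.168.254.1 255.255.255.252 standby 192.168.254.2
failover link FOLINK GigabitEthernet0/3
failover key S3cret-failover-key
failover replication http
failover
!
! On the secondary unit only the bootstrap lines differ; everything else is
! replicated from the active unit once the pair forms:
!   failover lan unit secondary
!   failover lan interface FOLINK GigabitEthernet0/3
!   failover interface ip FOLINK 192.168.254.1 255.255.255.252 standby 192.168.254.2
!   failover key S3cret-failover-key
!   failover
!
! Verification, including remote command execution on the peer (new in 8.0):
!   show failover
!   failover exec mate show failover
!   failover exec standby show interface ip brief
```

Without the failover key, failover messages cross the LAN link in clear text and the standby unit will accept configuration from any peer that can reach that link, so the key is not optional in a production deployment. The `failover exec` lines let you inspect or configure the standby unit from the active unit's console instead of logging in to it separately, which is the remote command execution feature listed in the outline.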
Managing Security Appliances
- Configure Telnet access to the security appliance
- Configure SSH access to the security appliance
- Configure command authorization
- Recover security appliance passwords using general password recovery procedures
- Use TFTP to install and upgrade the software image on the security appliance
Labs
Our investment in enhanced and exclusive labs means you get the experience you need using current software and hardware. We provide an unparalleled lab infrastructure for CCSP-oriented courses. For SNAF, each pod has a 2811 router, a 3560 switch, one ASA 5520, one ASA 5505, and two PC systems. These devices are organized in a real-world fashion and are configured to work together to provide a complete security solution. The two PCs are strategically placed in the topology to provide interesting and realistic functional demonstrations. An Inside PC is treated as the Security Administrator's office desktop PC, and an Inside Server runs the applications, such as Cisco Secure Access Control Server, intended to be installed in the data center and shared among multiple administrators. The DMZ server is partially exposed to the Internet and provides HTTP and FTP services. An Outside PC is connected to the simulated Internet and can be used as a simulated web server and as the source of inbound connections.
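As an added example (not the course's own lab configuration), the following ASA 8.0 CLI fragment shows the minimum a practitioner would put on the 5520 to realise the topology just described: three interfaces with security levels, dynamic PAT for inside and DMZ hosts, a static translation exposing only HTTP and FTP on the DMZ server, syslog to the Inside Server, the 8.0 threat detection feature, and SSH-only management from the Inside PC. It uses the pre-8.3 NAT syntax that version 8.0 ships with. Interface numbers, addresses and host roles are assumptions chosen for illustration.

```cisco
! Added example: ASA 8.0 (pre-8.3 NAT syntax) for a three-interface lab-style topology.
! Assumed addressing: outside 203.0.113.0/24, inside 10.0.1.0/24, dmz 172.16.1.0/24;
! Inside PC 10.0.1.10, Inside Server (syslog/ACS) 10.0.1.20, DMZ server 172.16.1.10.
hostname asa5520
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.1.1 255.255.255.0
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 172.16.1.1 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! Dynamic PAT: inside and dmz hosts share the outside interface address when going out
global (outside) 1 interface
nat (inside) 1 10.0.1.0 255.255.255.0
nat (dmz) 1 172.16.1.0 255.255.255.0
!
! Static translation: the DMZ server is reachable from the Internet as 203.0.113.10 only
static (dmz,outside) 203.0.113.10 172.16.1.10 netmask 255.255.255.255
!
! Inbound ACL on the lowest-security interface. In pre-8.3 software the ACL matches the
! mapped (translated) address. Only HTTP and FTP are opened; everything else is denied
! explicitly so that the hits are logged and counted by threat detection below.
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq www
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq ftp
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! Syslog to the Inside Server, timestamped, severity informational and above
logging enable
logging timestamp
logging trap informational
logging host inside 10.0.1.20
!
! Threat detection (new in 8.0): rate-based basic detection, scanning-threat detection
! that shuns hosts classified as scanners, and per-ACE hit statistics
threat-detection basic-threat
threat-detection scanning-threat shun
threat-detection statistics access-list
!
! Management plane: local admin account, SSHv2 from the Inside PC only, Telnet left off.
! Replace the placeholder before saving; "crypto key generate rsa modulus 2048" must be
! run in privileged EXEC first so SSH has a host key.
username admin password <set-a-strong-password> privilege 15
aaa authentication ssh console LOCAL
ssh 10.0.1.10 255.255.255.255 inside
ssh version 2
!
! Verification with the packet tracer (EXEC mode), simulating an Outside PC connection
! to the DMZ web server and to a port the ACL should drop:
!   packet-tracer input outside tcp 198.51.100.5 1025 203.0.113.10 80
!   packet-tracer input outside tcp 198.51.100.5 1025 203.0.113.10 22
```

Two details worth checking on a real unit: FTP through the static translation depends on `inspect ftp` in the default `global_policy` service policy (present unless someone removed it), which is the Modular Policy Framework topic in the outline; and because the deny rule logs, `show threat-detection statistics access-list` and `show logging` give you an immediate view of what the Outside PC is probing, which is the point of enabling threat detection alongside the ACL.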