Securing Networks with PIX and ASA v5.0
This set of lab exercises encompasses all lab exercises from the Securing Networks with PIX and ASA (SNPA) 5.0 curriculum. The lab bundle can be used as an integral part of the SNPA 5.0 course or as a separate learning solution for advanced learners. The featured lab exercises cover a wide range of technologies based on the PIX security appliance and Adaptive Security Appliance (ASA), including:
- Basic security appliance configuration and maintenance
- Security policy implementation on a security appliance
- PIX object grouping and their use in ACL provisioning
- Inspection protocol configuration and deep packet inspection on a security appliance
- Security appliance AAA in combination with a Cisco Access Control Server, to configure downloadable ACLs and various authentication types
- IPsec site-to-site VPN on a security appliance
- Configuring a security appliance as an IPsec VPN server to accept Cisco VPN client remote access requests
- WebVPN functionality on an ASA
- Security appliance transparent firewalling
- Active-standby and active-active failover on a pair of security appliances
- Adaptive Security Device Manager (ASDM) for security appliance provisioning
- Managing an AIP-SSM module installed in an ASA
- Implementing security appliance management tasks, including SSH control, password recovery, and software image upgrade
Content
This set of lab exercises contains the following exercises:
Objectives
Upon finishing this set of exercises, you will be able to:
- Familiarize yourself with the general maintenance commands of the security appliance
- Configure the inside and outside interfaces of the security appliance
- Configure NAT for outbound traffic
- Configure the security appliance to send syslog messages to the device buffer
- Configure the security appliance to send syslog messages to a syslog server
- Test and verify basic security appliance operation
- Configure and test the DHCP server feature
- Configure routing on the security appliance
- Configure network address translation for inside and DMZ devices
- Test and verify the operation of the security appliance
- Control ICMP access to the interfaces of the security appliance
- Configure packet capture and use the packet tracer on the security appliance
- Configure ACLs on all interfaces
- Create time-based ACLs
- Configure malicious active code filtering
- Configure a service object group (Services OG)
- Configure an ICMP-Type object group (ICMP OG)
- Configure a nested server object group (All Servers Object Group, FTP Servers Object Group)
- Configure an inbound ACL with object groups
- Configure web and ICMP access to the inside host
- Test and verify the inbound ACL
- Add a user to the Cisco Secure ACS database
- Configure the AAA server and protocol
- Configure and test inbound user authentication
- Configure and test outbound user authentication
- Configure and test console authentication
- Configure and test Virtual Telnet authentication
- Change and test authentication timeouts and prompts
- Configure ACS for downloadable ACLs during authentication
- Test downloadable ACLs with inbound authentication
- Test downloadable ACLs with outbound authentication
- Configure and test accounting
- Verify the inspection protocol configuration
- Change the inspection protocol configuration
- Test FTP inspection
- Perform application-layer inspection for FTP
- Perform application-layer inspection for HTTP to allow only specific web content
- Perform application-layer inspection for HTTP to block known bad requests
- Configure Internet Security Association and Key Management Protocol (ISAKMP) parameters
- Configure IPsec parameters
- Test and verify the IPsec configuration
- Configure the security appliance for Cisco VPN Client remote access
- Configure the Cisco VPN Client on a Microsoft Windows workstation
- Enable WebVPN access on the outside interface and configure initial WebVPN settings
- Configure the group policy
- Configure port forwarding to enable Telnet access
- Abnormally terminate a port-forwarding session
- Configure secure e-mail SSL proxying
- Enable transparent firewall mode
- Configure security appliance interfaces and the management IP address
- Test inside and outside connectivity
- Allow ICMP traffic through the transparent firewall
- Disable transparent firewall mode
- Configure the primary security appliance for LAN-based active-standby failover
- Configure the secondary security appliance for LAN-based active-standby failover
- Configure and test stateful failover
- Enable multiple context mode
- Configure the primary and secondary security appliances for stateful active-active failover
- Allocate interfaces and failover groups to contexts
- Configure security policies in individual contexts
- Test stateful active-active failover
- Configure the security appliance for basic operation through interactive prompts
- Configure HTTP access
- Access the ASDM from your browser
- Use the ASDM startup wizard to configure the privileged mode password and outbound access
- Configure inbound access
- Configure logging to a syslog server and monitor interface statistics
- Configure a site-to-site VPN
- Verify the AIP-SSM module
- Load IPS recovery software on the AIP-SSM module
- Configure the AIP-SSM setup parameters
- Verify your ability to access the AIP-SSM module via IDM and ASDM
- Configure an IPS security policy
- Verify the IPS security policy
- Configure and test local command authorization for a selected set of commands at the enable level
- Generate an RSA key pair for encrypted SSH sessions
- Enable and test SSH to the security appliance
- Configure and test local authentication of SSH sessions
- Perform password recovery
- Load the latest appliance software image
Importance
This lab exercise bundle is highly recommended for individuals who want to improve and update their security appliance configuration skills, as well as for all learners who have already attended the CSPFA or SNPA course.
Target Audience
The course is targeted at pre- and post-sales technical support engineers as well as enterprise network administrators who configure and implement security appliances in their networks.
Prerequisite Knowledge
Good knowledge of basic TCP/IP features and principles, and advanced knowledge of Cisco security appliance features and security technologies such as IPsec and WebVPN, is required. This knowledge is best gained by attending the Securing Networks with PIX and ASA (SNPA) 5.0 course.