CCNP Security Firewall version 1.0 Deploying Cisco ASA Firewall Features Volume 1

Transcription

1 Deploying Cisco ASA Firewall Features Volume 1 Course Introduction Learner Skills and Knowledge Course Goal and Course Flow Additional Cisco Glossary of Terms You re Training Curriculum Introduction to the Cisco ASA Adaptive Security Appliance Module Introducing Cisco ASA Adaptive Security Appliance Technology and Features Firewalls and Security Domains Physical and Logical Separation Firewall Technologies of Cisco ASA Adaptive Security Appliance Features Stateful Packet Filtering Engine Application Inspection and Control User Based Access Control (Cut Through Proxy) Session Auditing Security Modules Reputation Based Botnet Traffic Filtering Category Based URL Filtering Cryptographic Cisco Unified Communications Proxy Denial of Service Prevention Traffic Correlation Remote Access VPNs Site to Site VPNs High Availability Failover Redundant Interfaces Traffic and Policy Virtualization Rich IP Routing Functionality Powerful Network Address Translation Transparent (Bridged) Operation Integrated DHCP, DDNS, and PPPoE IPv6 Support Multicast Support Management Control and Protocols Simple Software Management

2 Configuration Flexibility and Scalability Cisco Security Management Suite and MARS Support Common Cisco ASA Adaptive Security Appliance Use Cases Introducing the Cisco ASA Adaptive Security Appliance Family Cisco ASA Adaptive Security Appliance Platforms and Models Cisco ASA Adaptive Security Appliance Security Services Modules Cisco ASA Adaptive Security Appliance Licensing Model Basic Cisco ASA Adaptive Security Appliance Hardware Troubleshooting Module Implementation o f Basic Connectivity and Device Management Model Getting Started with the Cisco ASA Adaptive Security Appliance and Cisco ASDM Managing the Cisco ASA Adaptive Security Appliance Boot Process Managing the Cisco ASA Adaptive Security Appliance Using the CLI Managing the Cisco ASA Adaptive Security Appliance Using Cisco ASDM Windows Requirements Apple Macintosh OS X Requirements Linux Requirements Navigating Basic Cisco ASDM Features Configuring Interfaces and Static Routing of Basic Configuration Choices, Basic Procedures, and Required Input Parameters Managing Cisco ASA Adaptive Security Appliance Security Levels Configuring and Verifying Interface Network Parameters Cisco ASA 5510 and Higher Cisco ASA 5505 Configuring and Verifying VLAN interfaces Cisco ASA 5510 and Higher Cisco ASA 5505 Configuring and Verifying Static Routing Configuring and Verifying the Cisco ASA Adaptive Security Appliance DHCP Server Troubleshooting Basic Connectivity

3 Configuring Basic Device Management Features of Configuration Choices, Basic Procedures, and Required Input Parameters Configuring and Verifying Basic Device Management Settings Managing Time Settings Managing Event and Session Logging Message Severity Configuration of a Syslog Facility Tag and Syslog TImestamping Managing the Cisco ASA Adaptive Security Appliance Software and Feature Activation Upgrading the Image and the Activation Key at the Same Time Using Other Troubleshooting and Management Tools Configuring Management Access of Configuration Choices, Basic Procedures, and Required Input Parameters Managing Remote Management Channels Dedicated Management Interface Recommendations Managing Authentication for Management Access Using Simple Password Only Authentication Alternative: Configuring Privilege Levels of Individual Commands Verifying and Troubleshooting AAA for Management Access Module

4 Deploying Cisco ASA Firewall Features Volume 2 Deployment of Cisco ASA Adaptive Security Appliance Access Control Features Module Configuring Basic Access Control of Configurations Choices, Basic Procedures, and Required Input Parameters Connection Table and Local Host Table show conn Inside and Outside, Inbound and Outbound clear conn show local host clear local host Configuring and Verifying Interface Access Rules Stateless Rules Access Rule Logging Access Control Lists Time Based ACLs access list extended access list remark access group time range periodic absolute show access list clear configure access list Configuring and Verifying Object Groups name object group network object Configuring and Verifying Other Basic Access Controls ip verify reverse path shun show shun clear shun Troubleshooting Basic Access Control packet tracer Using Cisco ASA Adaptive Security Appliance Modular Policy Framework of Configuration Choices, Basic Procedures, and Required Input Parameters

5 Configuring and Verifying Policies for OSI Layers 3 and 4 class map match dscp policy map class priority service policy (global) Configuring and Verifying Policies for OSI Layers 5 to 7 Cisco ASA Adaptive Security Appliance Regular Expression Supported Metacharacters regex class map type regex class map type inspect class (policy map) policy map type inspect reset Configuring and Verifying a Policy for Management Traffic class map type management match port set connection Tuning Basic Stateful Inspection Features of Configuration Choices, Basic Procedures, and Required Input Parameters Tuning Basic Inspection of OSI Layers 3 and 4 Dead Connection Detection inspect icmp set connection timeout set connection decrement ttl fragment Tuning the Cisco ASA Adaptive Security Appliance TCP Normalizer tcp map tcp options set connection advanced options set connection advanced options tcp state bypass Configuring Support for Dynamic Protocols established Troubleshooting Inspection of OSI Layers 3 and 4 on the Cisco ASA Adaptive Security Applicance Configuring Application Layer Policies of Configuration Choices, Basic Procedures, and Required Input Parameters Configuring and Verifying HTTP Inspection

6 policy map type inspect parameters protocol violation drop connection inspect http show service policy url server N2H2 Websense filter url Evaluating FTP Inspection Evaluating DNS Inspection Evaluating ESMTP Inspection Evaluating Inspection of Other Protocols Troubleshooting Application Layer Inspection Configuring Advanced Access Controls of Configuration Choices, Basic Procedures, and Required Input Parameters Bots and Botnets Configuring and Verifying Cisco TCP Intercept set connection Configuring and Verifying the Cisco Botnet Traffic Filter dynamic filter updater client enable dynamic filter use database inspect dns dynamic filter enable dynamic filter drop blacklist dynamic filter whitelist dynamic filter blacklist name (dynamic filter blacklist or whitelist) Configuring and Verifying Basic Threat Detection threat detection basic threat threat detection rate show threat detection rate Configuring and Verifying Advanced Threat Detection threat detection statistics show threat detection statistics host show threat detection statistics port show threat detection statistics protocol show threat detection statistics top Configuring and Verifying Scanning Threat Detection threat detection scanning threat show threat detection scanning threat

7 show threat detection shun clear threat detection shun Configuring Resource Limits and Guarantees of Configuration Choices, Basic Procedures, and Required Input Parameters Configuring and Verifying Connection Limits set connection Configuring and Verifying Traffic Policing and Shaping match port police shape Configuring and Verifying Traffic Priority Queuing priority queue queue limit (priority queue) tx ring limit match dscp priority Configuring User Based Policies (Cut Through Proxy) of Configuration Choices, Basic Procedures, and Required Input Parameters Usage Examples Configuring and Verifying User Authentication aaa server aaa server host object group port object aaa authentication match show uauth clear uauth show aaa server CLI Configuration aaa authentication listener CLI Configuration virtual http CLI Configuration virtual telnet Configuring Authentication Prompts and Timeouts auth prompt Configuring and Verifying User Authorization

8 Command Line Configuration Configuring and Verifying User Session Accounting aaa accounting match Troubleshooting Operation of User Based Controls test aaa server Module

9 Deploying Cisco ASA Firewall Features Volume 3 Deployment of Cisco ASA Adaptive Security Appliance Network Integration Features Module Deploying Network Address Translation of Configuration Choices, Basic Procedures, and Required Input Parameters Configuring NAT Control Configuring and Verifying Dynamic Inside NAT and PAT Configuring and Verifying Static Inside NAT and PAT Configuring NAT Rules to Bypass Address Translations Configuring Outside NAT Integrating NAT with Cisco ASA Adaptive Security Appliance Access Control Troubleshooting NAT Configuring Cisco ASA Adaptive Security Appliance Transparent Firewall Operations of Configuration Choices, Basic Procedures, and Required Input Parameters Configuring and Verifying Transparent Firewall Mode Configuring OSI Layer 3 7 Access Control in Transparent Firewall Mode Configuring OSI Layer 2 Access Control in Transparent Firewall Mode Troubleshooting Transparent Firewall Operation Module Deployment of Cisco ASA Adaptive Security Appliance Virtualization and High Availability Features Module Deploying Cisco ASA Adaptive Security Appliance Virtualization Features of Configuration Choices, Basic Procedures, and Required Input Parameters Configuring and Verifying Security Contexts show context Managing Security Contexts changeto mac address auto admin context

10 Configuring and Verifying Resource Management limit resource show resource allocation show resource usage Troubleshooting Security Contexts Deploying Cisco ASA Adaptive Security Appliance Redundant Interfaces of Configuration Choices, Basic Procedures, and Required Input Parameters Configuring and Verifying Redundant Interfaces member interface redundant interface Troubleshooting Redundant Interfaces Deploying Active/Standby High Availability Failover of Configuration Choices, Basic Procedures, and Required Input Parameters Unit Health Monitoring (Unit Poll Time and Hold Time) Interface Health Monitoring (Interface Poll Time and Hold Time) Configuring and Verifying Active/Standby Failover failover lan unit failover lan interface failover interface ip failover link failover key failover replication http failover prompt show failover failover active failover reset Tuning and Managing Active/Standby Failover failover polltime failover polltime interface failover mac address Using Remote Command Execution failover exec show failover exec Troubleshooting Active/Standby Failover Show monitor interface

11 Deploying Active/Active High Availability Failover of Configuration Choices, Basic Procedures, and Required Input Parameters Configuring and Verifying Active/Active Failover failover lan unit failover interface ip failover link failover key failover failover group preempt replication http primary secondary join failover group ip address prompt show failover failover active Tuning and Managing Active/Active Failover asr group failover polltime polltime interface interface policy Troubleshooting Active/Active Failover Module Intergration of Cisco ASA Adaptive Security Appliance Security Service Modules Module Introducing Cisco ASA Adaptive Security Appliance Security Service Modules Cisco Security Service Modules Cisco Content Security and Control SSM Cisco ASA Advanced Inspection and Protection SSM and SSC Integrating the Cisco ASA Adaptive Security Appliance AIP SSM and AIP SSC Modules Cisco AIP SSM and Cisco AIP SSC Installation

12 Managing Cisco ASA AIP SSM and Cisco ASA AIP SSC Basic Features allow ssc mgmt hw module module recover hw module module password reset hw module module reload hw module module reset hw module module shutdown show module Initializing Cisco ASA AIP SSM and Cisco ASA AIP SSC Configuring Cisco ASA Adaptive Security Appliance Traffic Redirection Policy ips Integrating the Cisco ASA Adaptive Security Appliance CSC SSM Module Cisco CSC SSM installation Managing Cisco CSC SSM Basic Features debug module boot hw module module recover hw module module password reset hw module module reload hw module module reload Parameters hw module module reset hw module module shutdown Initializing Cisco CSC SSM Configuring Cisco ASA Adaptive Security Appliance Traffic Redirection Policy csc Module

13 Deploying Cisco ASA Firewall Features Volume 4 Configuring Routing on the Cisco ASA Adaptive Security Appliance of Configuration Choices, Basic Procedures, and Required Input Parameters Configuring and Verifying Static Route Tracking sla monitor type echo threshold frequency timeout (sla monitor) sla monitor schedule track rtr route show sla monitor configuration show sla monitor operational state Configuring and Verifying RIPv2 router rip version auto summary default information originate (RIP) network passive interface distribute list in distribute list out rip authentication mode rip authentication key show rip database Configuring and Verifying OSPF router ospf network area area range area filter list prefix log adj changes default information originate (OSPF) ospf authentication ospf message digest key prefix list show ospf show ospf interface show ospf neighbor show ospf database Configuring and Verifying EIGRP router eigrp

14 auto summary network distribute list in distribute list out summary address (EIGRP) authentication mode eigrp authentication key eigrp show eigrp neighbors show eigrp topology Configuring Redistribution redistribute (OSPF) redistribute (EIGRP) route map Troubleshooting Routing Protocols Configuring Traffic Redirection Using WCCP wccp wccp redirect show wccp Lab (Optional): Configuring Dynamic Routing Activity Objective Visual Objective Required Resources Command List Job Aids Task 1: Configure the OSPF Routing Protocol Task 2: Configure the EIGRP Routing Protocol Answer Key Lab 4 2 Answer Key: Configuring Dynamic Routing

15 Deploying Cisco ASA Firewall Features Lab Guide This guide presents the instructions and other information concerning the lab activities for this Course. You can find the solutions in the Lab Activity Answer Key. Outline This guide includes these activities: Lab 2 1: Configuring Basic Connectivity Lab 2 2: Configuring Management Features Lab 3 1: Configuring Basic Access Control Lab 3 2: Tuning Basic Cisco ASA Adaptive Security Appliance Stateful Inspection Features Lab 3 3: Configuring Application Layer Policies Lab 3 4: Configuring Advanced Access Controls Lab 3 5: Configuring User Based Policies (Cut Through Proxy) Lab 4 1: Configuring Cisco ASA Adaptive Security Appliance NAT Lab 4 2: Configuring Transparent Firewall Mode Lab 5 1: Deploying a Cisco ASA Adaptive Security Appliance Active/Standby Failover Lab 5 2: Deploying a Cisco ASA Adaptive Security Appliance Active/Active Failover Answer Key