642-523 Securing Networks with PIX and ASA

Course Number: 642-523
Length: 1 Day(s)

Course Overview
This course is part of the training for the Cisco Certified Security Professional and the Cisco Firewall Specialist certifications.

Prerequisites
Students who attend this advanced course must have experience in configuring Cisco IOS software. Candidates must also have:
  Certification as a CCNA, or the equivalent knowledge
  Basic knowledge of the Windows operating system
  Familiarity with networking and security terms and concepts

Audience
This course is intended for those who wish to attain the Cisco Certified Security Professional and the Cisco Firewall Specialist certifications.

Course Outline

Chapter 1: The Cisco Security Appliance
  What Is a Firewall?
  Firewall Technologies
  Packet Filtering
  Proxy Server
  Stateful Packet Filtering
  Security Appliances: What Are They?
  Proprietary Operating System
  Stateful Packet Inspection
  Cut-Through Proxy Operation
  Application-Aware Inspection
  Modular Policy
  Virtual Private Network
  Security Context (Virtual Firewall)
  Failover Capabilities: Active/Standby, Active/Active, and Stateful Failover
  Transparent Firewall
  Web-Based Management Solutions
  Chapter 1 Review

Chapter 2: Cisco PIX Security Appliance and ASA Adaptive Security Appliance Families
  PIX Firewall Security Appliance Family
  ASA Adaptive Security Appliance Family
  Cisco ASA 5510 Adaptive Security Appliance
  Cisco ASA 5520 Adaptive Security Appliance
  Cisco ASA 5540 Adaptive Security Appliance
  ASA 5500 Series: Front and Back Panels
  ASA 5500 Series: Connectors
  Security Services Module
  PIX Firewall Security Appliance Licensing
  PIX License Types
  VPN Encryption License
  PIX Firewall Security Context Licenses
  PIX 515E, 525, and 535 Licensing
  ASA Adaptive Security Appliance Licensing
  ASA Security Context Licenses
  ASA 5510, 5520, and 5540 Licensing
  Cisco Firewall Services Module (FWSM)
  FWSM in Catalyst 6500 Switch and Cisco 7600 Internet Router
  Chapter 2 Review

Chapter 3: Getting Started with Cisco Security Appliances
  User Interface
  Security Appliance Access Modes
  Access Privilege Mode
  Access Configuration Mode: configure terminal Command
  help Command
  File Management
  Viewing and Saving Your Configuration
  Clearing Running Configuration
  Clearing Startup Configuration
  Reloading the Configuration: reload Command
  File System
  Displaying Stored Files: System and Configuration
  Selecting Boot System File
  Verifying the Startup System Image
  Security Appliance Security Levels
  Functions of the Security Appliance: Security Algorithm
  Security Level Example
  Basic Security Appliance Configuration
  Hostname and CLI Prompt Configuration
  Basic CLI Commands
  Interface Configuration
  Naming the Interface
  Assigning the Interface IP Address
  DHCP-Assigned Address
  Assigning a Security Level
  speed and duplex Commands
  ASA Management Interface
  NAT
  Enabling NAT Control
  nat Command
  global Command
  Demo: Basic CLI Commands
  Configuring a Static Route
  Static Host Command Configuration Example
  Examining Security Appliance Status
  show Commands
  show memory Command
  show cpu usage Command
  show version Command
  show ip address Command
  show interface Command
  show nameif Command
  show run nat Command
  show run global Command
  show xlate Command
  ping Command
  show route Command
  Setting Time and Using NTP Support
  clock Command
  Setting DST
  ntp Command
  Syslog Configuration
  Using a Syslog Server
  Logging Options
  Logging Levels
  Configuring Message Output to a Syslog Server
  Syslog Output Example
  Customizing Syslog Output
  show logging Command
  Demo: More Commands
  Chapter 3 Review

Chapter 4: Translations and Connections
  Transport Protocols
  Sessions in an IP World
  TCP
  TCP from Inside to Outside
  UDP
  Network Address Translation
  Addressing Scenarios
  Access Through the Security Appliance
  Inside Address Translation
  Dynamic Inside NAT
  Two Interfaces with NAT
  Three Interfaces with NAT
  Port Address Translation
  PAT Example
  PAT Using Egress Address
  Mapping Subnets to PAT Addresses
  Backing Up PAT Addresses by Using Multiple PATs
  Augmenting a Global Pool with PAT
  Identity NAT
  Identity NAT: nat 0 Command
  Demo: Dynamic NAT
  static Command
  Global NAT and Static NAT
  static Command: Parameters
  static Command: Web Server
  static Command: FTP Server
  Net Static
  Static PAT: Port Redirection
  static PAT Command
  TCP Intercept and Connection Limits
  Connection Limits
  TCP Three-Way Handshake
  TCP Intercept
  SYN Cookies
  Embryonic Connection Limit
  UDP Maximum Connection Limit
  Connections and Translations
  Connections Versus Translations
  show conn Command
  show conn detail Command
  show local-host Command
  show xlate Command
  show xlate detail Command
  Security Appliance NAT Philosophy
  Matching Outbound Packet Addresses
  Configuring Multiple Interfaces
  Additional Interface Support
  Configuring Three Interfaces
  Configuring Four Interfaces
  Demo: Static NAT
  Chapter 4 Review
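As an added, constructed example (not part of the course materials), the following ASA 7.x configuration pulls the Chapter 3 and Chapter 4 topics together on one appliance: interface names and security levels, the management interface, a static route, NAT control, dynamic NAT with a PAT fallback on the same global ID, identity NAT with nat 0 and an ACL, static NAT with TCP connection and embryonic limits, static PAT port redirection, authenticated NTP and syslog to a collector. The hostname, the addresses (RFC 1918 and documentation ranges), the interface numbering of an ASA 5510 and the placeholder secrets are all assumptions; replace them for your environment.

```cisco
! Constructed example for an ASA 5510 running 7.x software (not course material).
! Addresses are private/documentation ranges; every secret is a placeholder.
hostname ASA-EDGE
domain-name example.com
enable password ChangeMe-Enable1
!
! Interfaces: the name and security level set the default direction of trust.
! Higher -> lower level is allowed by default; lower -> higher is denied until
! an ACL permits it and a translation exists (nat-control is enabled below).
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 192.0.2.2 255.255.255.0
 speed 100
 duplex full
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 172.16.1.1 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.100.1 255.255.255.0
 management-only
!
! Default route towards the upstream router
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
!
! Require a translation for every flow that crosses the appliance
nat-control
!
! Dynamic NAT for the inside network: the pool is used first, then PAT on the
! outside interface address once the pool is exhausted (same NAT ID ties them)
nat (inside) 1 10.0.0.0 255.255.255.0
global (outside) 1 192.0.2.20-192.0.2.30 netmask 255.255.255.0
global (outside) 1 interface
!
! Identity NAT (nat 0 with an ACL): inside hosts reach the DMZ untranslated
access-list NONAT extended permit ip 10.0.0.0 255.255.255.0 172.16.1.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! Static NAT for the DMZ web server with connection limits: at most 1000
! established and 100 embryonic (half-open) connections; once the embryonic
! limit is reached the appliance proxies the handshake (TCP intercept)
static (dmz,outside) 192.0.2.10 172.16.1.10 netmask 255.255.255.255 tcp 1000 100
!
! Static PAT (port redirection): port 8080 on a second public address is
! forwarded to port 80 on an internal application server
static (dmz,outside) tcp 192.0.2.11 8080 172.16.1.11 80 netmask 255.255.255.255
!
! Inbound policy. In this software train ACLs match the translated (mapped)
! address, so the rules name 192.0.2.10 and 192.0.2.11, not the 172.16.1.x hosts.
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.10 eq www
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.11 eq 8080
access-group OUTSIDE_IN in interface outside
!
! Time: authenticated NTP so log timestamps can be trusted in an investigation
clock timezone EST -5
clock summer-time EDT recurring
ntp authentication-key 1 md5 ChangeMe-NtpKey
ntp trusted-key 1
ntp authenticate
ntp server 10.0.0.5 key 1 source inside prefer
!
! Syslog: local buffer for warnings and above, informational and above
! (connection build/teardown messages) to the collector, with timestamps
logging enable
logging timestamp
logging device-id hostname
logging buffered warnings
logging trap informational
logging host inside 10.0.0.7
!
! Management plane: SSH version 2 from the management network only; Telnet stays off
ssh 192.168.100.0 255.255.255.0 management
ssh version 2
ssh timeout 10
```

Generate the SSH host key with `crypto key generate rsa modulus 2048` (an exec command) before SSH will accept connections. After passing some traffic, `show xlate` and `show conn` display the translations and connections that the nat, global and static commands created, and `show logging` confirms the collector is receiving messages. The convention that inbound ACLs match the mapped address holds for the 7.x and 8.0 to 8.2 trains this course covers; 8.3 and later reverse it to the real address, which is the most common cause of broken rules when a configuration is migrated.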
Chapter 5: ACLs and Content Filtering
  ACLs
  Security Levels Revisited
  ACL Configuration
  ACL Usage Guidelines
  Inbound Traffic to DMZ Web Server
  Creating a Static Translation for the Web Server
  access-list Command
  access-group Command
  show access-list Command
  clear access-list counters Command
  Time-Range Configuration
  Time-Range Submode
  Time-Based ACL
  Time-Based ACL Example
  ACL Logging
  access-list deny-flow-max and alert-interval Commands
  ACL Line Numbers and Comments
  Inbound HTTP Access Solution
  Inbound HTTPS Access Solution
  icmp Command
  nat 0 Plus access-list Command
  Policy NAT: nat Plus access-list Command
  Other Commands Plus access-list
  Malicious Active Code Filtering
  Java Applet Filtering
  ActiveX Blocking
  ActiveX filter Command
  URL Filtering
  HTTP URL Filtering
  Designating the URL-Filtering Server
  Enabling HTTP URL Filtering
  HTTPS and FTP Filtering
  URL-Filtering Configuration Example
  Demo: ACL Configuration
  About the CSC SSM
  Deploying the Security Appliance with CSC SSM
  CSC SSM Traffic Flow
  CSC SSM Deployment Scenario
  Chapter 5 Review

Chapter 6: Object Grouping
  Overview of Object Grouping
  Using Object Groups in ACLs
  Grouping Objects
  Grouping Objects of Similar Types
  Getting Started with Object Groups
  Configuring and Using Object Groups
  Configuring Network Object Groups
  Configuring Service Object Groups
  Adding Object Groups to an ACL
  Configuring ICMP-Type Object Groups
  Nested Object Groups
  Configuring Nested Object Groups
  Nested Object Group Example
  group-object Command Example
  Object Group Services Example
  Applying a Nested Object Group to an ACL
  Multiple Object Groups in ACLs
  Displaying Configured Object Groups
  Removing Configured Object Groups
  Demo: Object Groups
  Chapter 6 Review

Chapter 7: Authentication, Authorization, and Accounting
  Introduction
  Types of Authentication
  Types of Authorization
  Types of Accounting
  Installation of Cisco Secure ACS for Windows 2000
  Installation Wizard
  ACS Network Configuration
  Security Appliance Access Authentication Configuration
  Methods of Device Access
  Configuring Authentication
  Specifying an AAA Server Group
  AAA Server Group Subcommands
  Designating an Authentication Server
  Authentication of Console Access
  How to Add Users to Cisco Secure ACS
  How to Add Users to the LOCAL Database
  Maximum Failed Attempts
  Show Local Users
  How to Change the Authentication Prompts
  How to Change the Authentication Timeouts
  Cut-Through Proxy Authentication Configuration
  Cut-Through Proxy Operation
  Configuring Cut-Through Authentication
  Enabling Authentication: match (aaa authentication match)
  Enabling Authentication: include/exclude
  Show Authentication
  show aaa-server Command: TACACS+ Server
  Authentication of Non-Telnet, FTP, HTTP, or HTTPS Traffic
  Virtual Telnet
  Virtual HTTP
  Configuration of Virtual HTTP Authentication
  Tunnel Access Authentication Configuration
  Tunnel User Authentication
  VPN Tunnel Group Policy
  Authorization Configuration
  Security Appliance User Authorization
  TACACS+ Authorization Configuration
  Enabling Authorization: match
  Enabling Authorization: include/exclude
  Authorization Rules
  Allowing Specific Services
  Allowing Specific Services to Specific Hosts
  Authorization of Non-Telnet, FTP, HTTP, or HTTPS Traffic
  Downloadable ACLs
  Downloadable ACL Authorization
  Downloadable ACLs (Cont.)
  Configuring Downloadable ACLs
  Assigning the ACL to the User or Group
  Show Downloaded ACLs
  Show Authentication (Cont.)
  RADIUS Per-User Override
  Example: Per-User Override
  Accounting Configuration (AAA)
  Enabling Accounting: match
  Enabling Accounting: include/exclude
  How to View Accounting Information
  Accounting of Non-Telnet, FTP, or HTTP Traffic
  Admin Accounting
  Viewing RADIUS Admin Access Accounting Information
  Command Accounting
  Viewing TACACS+ Admin Command Accounting
  Demo: ACS Server
  Chapter 7 Review

Chapter 8: Switching and Routing
  VLANs
  Creating Logical and Physical Interfaces
  Assigning VLAN Names and Security Levels
  Assigning VLAN IP Addresses
  VLAN Configuration
  Maximum Number of Interfaces
  Static and Dynamic Routing
  Static Routes
  Dynamic RIP Routes
  OSPF
  Configuring OSPF
  Enabling OSPF Routing
  Defining OSPF Networks
  Two OSPF Processes
  Configuring Two OSPF Areas
  Multicasting
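As a second added example (constructed for this outline, not course material), the fragment below covers the Chapter 5, 6 and 7 topics on the same kind of ASA 7.x appliance: network, service and ICMP-type object groups including a nested group, a time-based ACE, ACL remarks and logging with the deny-flow-max and alert-interval limits, the icmp command for traffic addressed to the appliance itself, a TACACS+ server group with LOCAL fallback for device administration with command authorization and accounting, and cut-through proxy authentication, authorization and accounting for inside users. It assumes interfaces already named outside, inside and dmz, DMZ servers reachable at the mapped (translated) addresses 192.0.2.10 to 192.0.2.12, a vendor host at 198.51.100.5 and a TACACS+ server at 10.0.0.5; those names, addresses and the placeholder keys are all assumptions.

```cisco
! Constructed example (not course material). Assumes interfaces named outside,
! inside and dmz, and that the DMZ hosts are reachable at 192.0.2.10-12, the
! mapped addresses: in this software train ACLs match the translated address.
!
! Chapter 6: object groups. A nested group lets one ACE cover a growing server list.
object-group network DMZ_WEB_SERVERS
 network-object host 192.0.2.10
 network-object host 192.0.2.11
object-group network DMZ_PUBLIC
 group-object DMZ_WEB_SERVERS
 network-object host 192.0.2.12
object-group service WEB_PORTS tcp
 port-object eq www
 port-object eq https
object-group icmp-type ICMP_REPLIES
 icmp-object echo-reply
 icmp-object time-exceeded
 icmp-object unreachable
!
! Chapter 5: a time range for a vendor's SSH access during a maintenance window
time-range MAINT_WINDOW
 periodic Saturday 02:00 to 06:00
!
! Inbound ACL with remarks, a time-based ACE and logging of denied flows.
! The implicit deny at the end does not log; the final explicit ACE makes drops visible.
access-list OUTSIDE_IN remark Public web services on the DMZ
access-list OUTSIDE_IN extended permit tcp any object-group DMZ_PUBLIC object-group WEB_PORTS
access-list OUTSIDE_IN extended permit icmp any object-group DMZ_PUBLIC object-group ICMP_REPLIES
access-list OUTSIDE_IN remark Vendor SSH to the app server, maintenance window only
access-list OUTSIDE_IN extended permit tcp host 198.51.100.5 host 192.0.2.12 eq ssh time-range MAINT_WINDOW
access-list OUTSIDE_IN extended deny ip any any log warnings interval 60
access-group OUTSIDE_IN in interface outside
! Bound the memory spent tracking logged deny flows and how often the
! "maximum deny flows reached" alert is generated
access-list deny-flow-max 1024
access-list alert-interval 120
!
! ICMP addressed to the appliance itself is controlled separately from transit traffic
icmp permit 10.0.0.0 255.255.255.0 inside
icmp deny any outside
!
! Chapter 7: TACACS+ server group with LOCAL fallback for device administration.
! A server that fails 3 times is marked dead and retried after 10 minutes.
aaa-server CORP_TACACS protocol tacacs+
 max-failed-attempts 3
 reactivation-mode depletion deadtime 10
aaa-server CORP_TACACS (inside) host 10.0.0.5
 key ChangeMe-TacacsKey
 timeout 5
username admin password ChangeMe-Local1 privilege 15
aaa local authentication attempts max-fail 5
aaa authentication ssh console CORP_TACACS LOCAL
aaa authentication enable console CORP_TACACS LOCAL
aaa authorization command CORP_TACACS LOCAL
aaa accounting ssh console CORP_TACACS
aaa accounting enable console CORP_TACACS
aaa accounting command CORP_TACACS
!
! Cut-through proxy: inside users must authenticate before HTTP, HTTPS or FTP
! is allowed through. Per-user authorization with "match" needs TACACS+;
! with RADIUS, per-user access is applied through downloadable ACLs instead.
access-list CUT_THROUGH extended permit tcp 10.0.0.0 255.255.255.0 any eq www
access-list CUT_THROUGH extended permit tcp 10.0.0.0 255.255.255.0 any eq https
access-list CUT_THROUGH extended permit tcp 10.0.0.0 255.255.255.0 any eq ftp
aaa authentication match CUT_THROUGH inside CORP_TACACS
aaa authorization match CUT_THROUGH inside CORP_TACACS
aaa accounting match CUT_THROUGH inside CORP_TACACS
auth-prompt prompt Corporate firewall authentication
! Re-authenticate after 30 minutes regardless of activity, or after 5 idle minutes
timeout uauth 0:30:00 absolute
timeout uauth 0:05:00 inactivity
```

`show access-list OUTSIDE_IN` prints each ACE with its line number and hit count, and `clear access-list OUTSIDE_IN counters` resets them, which is the quickest way to confirm that a new rule is actually matching. `show uauth` lists the users the cut-through proxy has authenticated and their remaining timeouts, and `show aaa-server` reports whether the TACACS+ host is active or sitting in deadtime, the first thing to check when administrators suddenly land on the LOCAL fallback.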