This Cisco ASA training workshop is two intensive days filled with hands-on lab exercises. You'll learn how to reset the administrator password (even when you don't know it) and how to build a basic firewall configuration from scratch, both in the command line and in the GUI. Once you've finished building the configuration, you get lots of hands-on practice in how to manage it. You'll learn how to write and manage access-control lists, how to set up three types of VPNs (site-to-site, remote access AnyConnect VPN, and clientless Web VPN), and a lot more. You'll practice backing up and restoring your configuration files and the firewall's operating system image. We'll show you how to set up centralized logging with a syslog server. You'll practice configuring login banners. You'll configure local usernames and privilege levels, plus you'll practice using Active Directory for authentication. You'll set up a DHCP server for automatic address assignment. You'll build a DMZ with a Web server and a print server. You'll even practice port-scanning to test for vulnerabilities.
Upon completion of soundtraining.net's Cisco ASA training workshop, you'll...
- Practice password recovery techniques for the Cisco ASA security appliance
- Practice two techniques for building a basic firewall configuration from scratch
- Gain an understanding of logging configurations and practice using syslog with the security appliance
- Practice two methods of backing up and restoring your device's configuration
- Practice two methods of backing up and restoring your device's software image (operating system), including how to recover the software in a catastrophic fault condition
- Practice configuring and using three methods of remote management
- Gain an understanding of Network Address Translation and Port Address Translation on the ASA Security Appliance and practice using them in your configurations
- Practice configuring three types of banners
- Gain an understanding of Cisco privilege levels and practice configuring local usernames and privilege levels
- Practice configuring your security appliance to authenticate via Windows Active Directory using RADIUS
- Practice building and troubleshooting a DHCP server
- Practice building three types of VPNs including site-to-site, remote access, and a clientless Web VPN
- Gain an understanding of DMZs and practice building one with a Web server
- Practice testing security configurations with a port scanner
- Gain an understanding of filtering techniques and practice blocking Java applets
- Practice building a transparent (layer 2) firewall
Certifications and Exams
This Cisco training workshop can help prepare the student for professional certification by Cisco including the CCNP Security certification. It is not designed as a test-taker's "bootcamp". Exam candidates are encouraged to visit www.cisco.com for complete exam objectives and outlines.
Who should attend?
This class is intended for network security personnel who install, configure, support, and troubleshoot Cisco ASA Security Appliances, and those who are migrating from Cisco PIX firewalls. Network administrators, network engineers, IT managers, CIOs, CTOs, and anyone responsible for network security will benefit from attending this Cisco ASA Security Appliance training class.
Frequently Asked Questions
Q: What model of Cisco firewalls do you use in your workshop?
A: We use Cisco ASA 5505 security appliances.
Q: I use 5510s (or 5520s, 5540s, etc.). Will this class be relevant for me?
A: Yes. As with most Cisco products, the software is fairly consistent within product families. Certainly there are differences from one model to another in areas such as interface configuration and specific features, but the overall knowledge you gain from this seminar should be applicable to you regardless of the firewall model you use. Please review the course outline for specifics.
Q: How much of this class is taught in the command line as opposed to the GUI?
A: It's about 50/50.
Module One: Understanding Firewall Fundamentals
There are myriad firewalls available, from personal firewalls to network firewalls and from application firewalls to firewall appliances. In this module, you'll learn the different types and classifications of firewalls and how to choose the right one for your workplace. We'll cover AAA (Authentication, Authorization, and Accounting) and provide an overview of encryption concepts including both single-key encryption and PKI. You'll learn about stateful inspection and how the ASA (Adaptive Security Algorithm) provides a high level of security without sacrificing performance. This module includes five hands-on exercises in which you'll actually break into the firewall (when it's done legitimately, it's called "password recovery"), erase its configuration, and build a new configuration from scratch.
- What do firewalls do?
- Types of Firewalls
- Classification of Firewalls
- AAA: Authentication, Authorization, and Accounting
- Basics of Encryption including Single Key and PKI
- Stateful Inspection
- Adaptive Security Algorithm
- Network Address Translation
- An Overview of Cisco Security Appliances
- Understanding VLANs
- Understanding the Eight Basic Commands on a Cisco ASA Security Appliance
- Controlling the Appliance from its Console
- Password Recovery
Student Exercise 1.1: Password Recovery and Initial Configuration
Student Exercise 1.2: Removing the Existing Configuration
Student Exercise 1.3: Using the Eight Commands Required to Enable Basic Firewall Functionality
Student Exercise 1.4: Building a Base Configuration on the ASA Security Appliance
Student Exercise 1.5: Building an Initial Configuration on the ASA Security Appliance
Module Two: Backing Up and Restoring Configurations and Software Images
Once you've invested the time and effort in building a firewall configuration, you sure don't want to risk losing all your hard work through a hardware failure or some other anomaly. (Hey, things happen in systems and networks...the key is to have a backup.) In this module, you'll learn how to use a TFTP (Trivial File Transfer Protocol) server to back up and restore your configurations and software images. After all, when you've got backups, you've got peace of mind.
- Analyzing the Base Configuration of the Security Appliance
Student Exercise 2.1: Analyzing the Base Configuration and Saving It
Student Exercise 2.2: Backing Up and Restoring the Configuration
Student Exercise 2.3: Backing Up and Restoring the Software Image
Module Three: Sending Logging Output to a Syslog Server
One of the hallmarks of a great system or network administrator is someone who is intimately familiar with every performance aspect of his/her gear. The logs are your best friend for really understanding what's going on with your systems. In this module, you'll learn how to send logging output to an external server. We'll show you how to use the free Kiwi syslogd tool to offload your logs from the security appliance to a Windows host. We'll help you understand logging severity levels and how to configure the amount of logging information that is sent to your logging host.
- Using syslogd with the Security Appliance
Student Exercise 3.1: Sending Logging Output to a Syslog Server
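As an added illustration of the logging configuration this module covers (example configuration written for this page, not the course's lab material), here is a constructed ASA fragment that offloads messages to an external syslog host and sets the amount of detail by severity level. The host address, interface name, and buffer size are assumptions.

```cisco
! Added example (not from the course page): a constructed ASA logging configuration.
! The syslog host address, the "inside" interface name and the buffer size are assumptions.

logging enable
logging timestamp
! Tag every message with this appliance's hostname so several devices can share one collector
logging device-id hostname
! Syslog host reachable through the inside interface (UDP/514 is the default transport)
logging host inside 192.0.2.50
! Severity levels run from 0 (emergencies) to 7 (debugging).
! "logging trap" sets the highest level sent to syslog hosts: informational (6) includes
! connection build/teardown messages; debugging (7) can flood the link and the collector.
logging trap informational
! Keep the console quieter than the remote host so heavy logging never stalls the CLI
logging console critical
! Local ring buffer for troubleshooting when the syslog host is unreachable
logging buffered warnings
logging buffer-size 16384
```

Verify the result with `show logging`, which reports each destination, its severity level, and whether messages are actually being sent to the configured host.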
Module Four: Remote Management Options
Most of us manage our network devices remotely instead of sitting at the physical console of the device. In this module, you'll learn how to use Telnet (and why you shouldn't use Telnet), SSH, and Web-based management tools to remotely manage your security appliance.
- Remote Console Access
- SSH (Secure Shell)
- Configuring and Managing Remote Management through ASDM
Student Exercise 4.1: Telnet and Secure Shell (SSH)
Module Five: Configuring Logon Banners, Usernames, and Authentication, Authorization, and Accounting (AAA)
Your legal department may have already supplied you with the text for your logon banners. In this module, we'll show you how to take that text and create the logon banners for your appliance. Then, you'll learn about assigning commands to privilege levels, how to create usernames, and how to associate the usernames with privilege levels to control exactly what individuals can do with the security appliance. We'll also help you understand ways to offload authentication using RADIUS (Remote Authentication Dial-In User Service), TACACS+ (Terminal Access Controller Access Control System Plus), and CiscoSecure Access Control Server. Then, you'll actually configure a local database of usernames and privilege levels on your classroom security appliance.
- How to Configure a Banner
- Configuring Authentication, Authorization, and Accounting (AAA)
- Remote Authentication Technologies
- Cisco Secure Access Control Server
- Installing and Configuring CACS
- Authentication of Clients
Student Exercise 5.1: Creating Banners on the Security Appliance
Student Exercise 5.2: Configuring Usernames and Local Authentication
Student Exercise 5.3: Configuring Privilege Levels on the Security Appliance
Student Exercise 5.4: Authenticating Through Windows Active Directory
Module Six: Configuring the Appliance as a DHCP Server
Often, a security appliance such as the ASA must serve many roles in addition to security. One frequently used role is that of dynamic address allocation as a DHCP server. In this module, you'll learn how to configure your ASA security appliance as a DHCP server including how to provide IP options.
- Understanding the DHCP commands on the security appliance
Student Exercise 6.1: Reconfiguring Your DHCP Server
Module Seven: Access-Control Lists
Access-Control Lists (ACLs) are used on the Cisco ASA Security Appliance to identify traffic flows and permit or deny them. In this module you will learn the fundamentals of configuring ACLs. You'll learn how and where to apply them and common mistakes to avoid when working with ACLs.
- The importance of order of entries
- The difference between standard and extended lists
- Hidden implicit statements in ACLs
- Editing ACLs
- Re-naming ACLs
- Using time-ranges with ACLs
- How to use object groups with ACLs
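To tie the topics in this list together, here is a constructed ASA configuration written for this page (not the course's lab material) that shows entry order, the hidden implicit deny, object groups, and a time-range in one extended ACL. The ACL name, object-group names, addresses (RFC 5737 documentation ranges), and interface names are assumptions.

```cisco
! Added example (not from the course page): a constructed ASA access-list configuration.
! ACL and object-group names, the 192.0.2.0/24 DMZ, the 198.51.100.5 partner host
! and the "outside" interface name are assumptions.

! Object groups keep the ACL readable and let you add a host without touching the ACL
object-group network DMZ_WEB_SERVERS
 network-object host 192.0.2.10
 network-object host 192.0.2.11
object-group service WEB_PORTS tcp
 port-object eq 80
 port-object eq 443

! Time range used to restrict one rule to business hours
time-range BUSINESS_HOURS
 periodic weekdays 8:00 to 18:00

! An extended ACL is evaluated top-down and the first match wins, so the specific
! permits must come before the broad deny; placed after it, they would never be reached.
access-list OUTSIDE_IN extended permit tcp any object-group DMZ_WEB_SERVERS object-group WEB_PORTS
access-list OUTSIDE_IN extended permit tcp host 198.51.100.5 host 192.0.2.20 eq 9100 time-range BUSINESS_HOURS
! Broad deny for the rest of the DMZ; "log" makes these drops visible in syslog
access-list OUTSIDE_IN extended deny ip any 192.0.2.0 255.255.255.0 log
! Every ACL ends with a hidden "deny ip any any". Writing it out with "log" changes
! nothing about what is dropped, but it makes the hidden drops show up in your logs.
access-list OUTSIDE_IN extended deny ip any any log

! An ACL does nothing until it is applied to an interface in a direction
access-group OUTSIDE_IN in interface outside

! Editing: insert a new entry at a specific position instead of appending it at the end
access-list OUTSIDE_IN line 2 extended permit tcp host 198.51.100.6 object-group DMZ_WEB_SERVERS eq 443
! Renaming keeps the entries and the access-group binding intact
access-list OUTSIDE_IN rename OUTSIDE_TO_DMZ
```

Check the order and the hit counts with `show access-list OUTSIDE_TO_DMZ`: an entry whose hit count never moves while traffic is clearly flowing is the usual sign that an earlier, broader entry is shadowing it.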
Module Eight: Virtual Private Networking (VPNs)
Virtual Private Networks (VPNs) are one of the most widely used tools to connect remote users to an office LAN and to connect remote offices to main office LANs. Cisco security appliances support both Site-to-Site and Remote Access VPNs, plus the new Cisco ASA Security Appliance supports Web-based VPNs, thus eliminating the need for either a hardware or software VPN client. In this module, you'll learn about VPN protocols including PPTP and L2TP, VPN encryption technologies including IPSec, DES and 3DES (Data Encryption Standard), the Diffie-Hellman public-key cryptography protocol, ISAKMP (Internet Security Association and Key Management Protocol) and IKE (Internet Key Exchange), AES (Advanced Encryption Standard), and more. We'll cover IKE phase 1 and IKE phase 2. Admittedly, it's a lot of acronyms, but we break it down so you can really understand the whole process.
- Encryption Algorithms
- Hashing Algorithms
- Authentication Methods
- Troubleshooting VPN Connections
- Configuring the Cisco AnyConnect VPN Client and Connecting to Your VPN
- Creating a Web-Based SSL VPN
Student Exercise 8.1: Site-to-Site VPNs
Student Exercise 8.2: Remote Access VPNs
Student Exercise 8.3: Configuring a Web-Based SSL VPN
Student Exercise 8.4: Configuring the Cisco AnyConnect Client
Student Exercise 8.5: Logging Off VPN Users through the ASDM
Module Nine: DMZs (De-Militarized Zones)
DMZs (Demilitarized Zones) are not a new concept, and now even the most basic Cisco security appliance supports configuring VLANs and DMZs to isolate network hosts. In this module, you'll learn various applications for DMZs, how to configure static routes, access control lists, and security levels, how to add an interface in the ASDM (Adaptive Security Device Manager), and how to build a DMZ in the CLI (Command Line Interface).
- Understanding DMZ concepts
- Security Levels
- Access Control Lists
- Static Routes
- Port Scanning
Student Exercise 9.1: Configuring a DMZ
Student Exercise 9.2: Analyzing Potential Vulnerabilities with Port Scanning
Module Ten: Filtering Content
The Cisco ASA security appliance has extensive filtering and blocking capability. In this module, you'll learn how to configure Unicast RPF to help address problems caused by malformed or spoofed IP packets, how to block fragmented packets, how to implement intrusion detection and prevention through IP auditing, and how to configure URL filtering with WebSense and SecureComputing's SmartFilter.
- Configuring Unicast RPF
- Fragmented Packets
- Intrusion Prevention
- URL Filtering
- Dynamic Content Filtering
Student Exercise 10.1: Filtering Dynamic Java Content
Module Eleven: Configuring Transparent Mode
Cisco ASA security appliances can operate in either routed mode or transparent mode. Most of the time they are in routed mode, but occasionally it can be helpful to operate them in transparent mode. In transparent mode, they function similarly to a bridge, with the same IP address on the inside and outside interfaces. They still provide firewall services, but do so without affecting IP addresses.
- Understanding transparent mode
Student Exercise 11.1: Viewing and changing the mode
Prospective attendees should have completed soundtraining.net's Cisco Router Fundamentals workshop or have equivalent knowledge.
Schedule Each Day
- 8:30 a.m.: Doors open
- 9:00 a.m. to 11:45 a.m.: Morning session
- 11:45 a.m. to 12:45 p.m.: Lunch, on your own
- 12:45 p.m. to 4:00 p.m.: Afternoon session
Outstanding IT Resources, Now Available for You to Purchase
These are books based on soundtraining.net's accelerated training programs. When you can't attend the training, you can get the books.