Deploying Cisco ASA Firewall Solutions for CCNP Security (2012 San Diego)
 


This session is an introductory and fundamentals ASA lecture for participants seeking the CCNP Security certification. The two-hour session consists of configuring the ASA firewall using both the command line interface (CLI) and the Adaptive Security Device Manager (ASDM). We will discuss firewall design and features including object NAT, MPF, failover (active/active vs. active/standby), dynamic routing protocols supported on the ASA, and transparent vs. routed firewall design. The new features of version 8.4 will also be introduced. A basic understanding of firewall theory and CLI is recommended.

Cisco Live 365: https://www.ciscolive365.com/connect/sessionDetail.ww?SESSION_ID=4604


    Presentation Transcript

    • Deploying Cisco ASA Firewall Solutions for CCNP Security (BRKCRT-8104). Mark Bernard, CCIE Security #23846. BRKCRT-8104 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public
    • Agenda: overview of CCNP Security; FIREWALL exam information; FIREWALL topics (technical introduction, what you need to know, sample questions); Q&A
    • Disclaimer/Warning: This session will strictly adhere to Cisco's rules of confidentiality. We may not be able to address specific questions. If you have taken the exam, please refrain from asking questions from the exam; this is a protection from disqualification. We will be available after the session to direct you to resources to assist with specific questions or to provide clarification.
    • Overview of the CCNP Security Certification
    • CCNP Security Certified Means... All four CCNP Security exams are required; there are no elective options. Some legacy CCSP exams may qualify for CCNP Security credit; see the FAQ: https://learningnetwork.cisco.com/docs/DOC-10424
      Exam No. / Exam Name:
      642-637 Securing Networks with Cisco Routers and Switches (SECURE)
      642-627 Implementing Cisco Intrusion Prevention System (IPS)
      642-618 Deploying Cisco ASA Firewall Solutions (FIREWALL)
      642-648 Deploying Cisco ASA VPN Solutions (VPN)
    • "Cisco CCNP Security and Cisco's Qualified Specialist showed healthy numbers, as well, with a $93,995 average for the security title and an $87,247 average for those of you holding one or more of Cisco's 20-plus Qualified Specialist certifications." (TCPmag.com, Redmond Media Group; slide reused from BRKCRT-2062, © 2010 Cisco)
    • FIREWALL v2.0 Exam Information 642-618
    • 642-618 FIREWALL v2.0 Exam: 90-minute exam. Register with Pearson VUE (www.vue.com/.cisco). Exam cost is $200.00 US.
    • Special Exam Measures: use of digital photographs for candidate-identity verification; forensic analysis of testing data; photo on score report and web; preliminary score report. Source: http://newsroom.cisco.com/dlls/2008/prod_072208.html
    • Preparing for the FIREWALL v2.0 Exam. Recommended reading: CCNP Security Firewall 642-618 Quick Reference; CCNP Security FIREWALL 642-618 Official Cert Guide. Recommended training via CLP: Deploying Cisco ASA Firewall Solutions v2.0. Cisco Learning Network: www.cisco.com/go/learnnetspace. Practical experience.
    • Testing Implementation Skills. Question formats: declarative (tests simple recall of pertinent facts); procedural (tests the ability to apply knowledge to solve a given issue); complex procedural (tests the ability to apply multiple knowledge points to solve a given issue). Types of questions: drag and drop; multiple choice; simulation and simlet.
    • Test Taking Tips: Rule out the nonsense. Look for the best answer when multiple exist. Look for subtle keys. Narrow it down. Relate to how the device works. Don't waste too much time.
    • Test Taking Tips (Cont.): It's not possible to cover everything! We want you to get a feel for the technical level of the exam, not every topic possible. We give you suggestions, resources and some examples, and will focus on key topics.
    • Firewall v2.0 High-Level Topics
    • High-Level Topics: Cisco ASA Adaptive Security Appliance basic configurations; ASA routing features; ASA inspection policy; ASA advanced network protections; ASA high availability
    • Topic 1: Cisco ASA Adaptive Security Appliance Basic Configurations
    • Topic 1: What You Need to Know: identify the ASA product family; implement ASA licensing; manage the ASA boot process; implement ASA interface settings; implement ASA management features; implement ASA access control features; implement Network Address Translation (NAT) on the ASA; implement the ASDM public server feature; implement ASA quality of service (QoS) settings; implement ASA transparent firewall
    • Cisco ASA 5500 Series Portfolio (firewall throughput, connections per second), positioned along the slide's axes of performance and scalability (SOHO, branch office, Internet edge, campus, data center) and of Firewall/VPN only versus multi-service (firewall/VPN and IPS); the X-series models are marked NEW:
      ASA 5505 (150 Mbps, 4K cps)
      ASA 5510 (300 Mbps, 9K cps)
      ASA 5512-X (1 Gbps, 10K cps) NEW
      ASA 5515-X (1.2 Gbps, 15K cps) NEW
      ASA 5520 (450 Mbps, 12K cps)
      ASA 5525-X (2 Gbps, 20K cps) NEW
      ASA 5540 (650 Mbps, 25K cps)
      ASA 5545-X (3 Gbps, 30K cps) NEW
      ASA 5550 (1.2 Gbps, 36K cps)
      ASA 5555-X (4 Gbps, 50K cps) NEW
      ASA 5585-X SSP-10 (4 Gbps, 50K cps)
      ASA 5585-X SSP-20 (10 Gbps, 125K cps)
      ASA 5585-X SSP-40 (20 Gbps, 200K cps)
      ASA 5585-X SSP-60 (40 Gbps, 350K cps)
    • Implement ASA licensing
    • Install and Verify Licensing Using ASDM (two slides of ASDM screenshots)
    • Manage the ASA boot process. To change the OS boot image to a new image name:
        asa(config)# clear configure boot
        asa(config)# boot system {disk0:/ | disk1:/}[path/]new_filename
      For example:
        asa(config)# clear configure boot
        asa(config)# boot system disk0:/asa841-k8.bin
      To set the ASDM image to the new image name:
        asa(config)# asdm image {disk0:/ | disk1:/}[path/]new_filename
      Save the configuration and reload:
        asa(config)# write memory
        asa(config)# reload
      (Confirm the file is actually in flash with dir disk0: before pointing boot system at it: clear configure boot removes every boot statement, and a boot system entry for a missing file leaves the ASA to boot whichever image it finds first.)
    • Implement ASA interface settings (inside 192.168.1.80/24, outside 10.1.1.80/24 toward the Internet):
        asa(config)# interface ethernet0/0
      1. Interface name:
        asa(config-if)# nameif inside
      2. Interface security level:
        asa(config-if)# security-level 100
      3. IP address and subnet mask:
        asa(config-if)# ip address 192.168.1.80 255.255.255.0
      4. Enable the interface:
        asa(config-if)# no shutdown
    • Configure Network and Interface Settings (Cont.): inter-interface or intra-interface communication (ASDM)
    • Implement ASA management features. To configure the firewall for ASDM access via the CLI:
        asa(config)# http server enable
        asa(config)# http 192.168.1.2 255.255.255.255 inside
      To configure the firewall for SSH access via the CLI:
        asa(config)# crypto key generate rsa modulus 1024
        asa(config)# write memory
        asa(config)# aaa authentication ssh console LOCAL
        WARNING: local database is empty! Use username command to define local users.
        asa(config)# username asauser1 password asauser1_password
        asa(config)# ssh 192.168.1.2 255.255.255.255 inside
        asa(config)# ssh timeout 30
      (A 1024-bit RSA modulus was the course minimum in 2012; generate a 2048-bit key on any current deployment. Keep the http and ssh statements scoped to management hosts as shown rather than 0.0.0.0 0.0.0.0, and define the local user before enabling aaa authentication ssh console LOCAL so you are not locked out.)
    • Implement ASA User Roles: setting the privilege level (ASDM)
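      The slides above show SSH/ASDM access and privilege levels separately (the user-role slide is an ASDM screenshot only). The following is an added example, not from the deck, that puts the two together as a hardened management-plane configuration for ASA 8.4: SSH version 2 with a 2048-bit key, HTTPS and SSH limited to one admin host, two local users at different privilege levels, and EXEC plus command authorization so the levels are actually enforced. The hostname, domain, admin host 192.168.1.2 (from the slide), user names and passwords are placeholders.

```cisco
! Added example (not from the deck): management-plane hardening with local user roles.
! Assumptions: admin host 192.168.1.2 on interface inside; names and passwords are placeholders.
hostname asa
domain-name example.net
! ASDM/HTTPS: only from the admin host, authenticated against the local database
http server enable
http 192.168.1.2 255.255.255.255 inside
aaa authentication http console LOCAL
! SSH: fresh 2048-bit key, protocol version 2 only, short idle timeout, local auth
crypto key generate rsa modulus 2048
ssh version 2
ssh 192.168.1.2 255.255.255.255 inside
ssh timeout 5
aaa authentication ssh console LOCAL
! Role separation with privilege levels (0-15): an operator and a full administrator
username netops password Op3r@torPw privilege 5
username secadmin password Adm1nPw! privilege 15
! Lock the local account after repeated failures
aaa local authentication attempts max-fail 5
! Enforce the roles: enable-mode authentication against LOCAL, EXEC authorization
! so each user lands at their own level, and per-command authorization against it
aaa authentication enable console LOCAL
aaa authorization exec LOCAL
aaa authorization command LOCAL
! Let level 5 read the running config, which otherwise requires level 15
privilege show level 5 mode exec command running-config
! Telnet is deliberately never enabled (no 'telnet' statement); management is SSH/HTTPS only
write memory
```

      Verify with show ssh, show running-config aaa and, as netops, show running-config (permitted by the privilege statement) versus configure terminal (rejected by command authorization). Save only after confirming a second session can still log in, since the authorization commands apply immediately.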
    • Security Appliance ACL Configuration (ACL on outside to deny inbound access, ACL on inside for outbound access):
      The security appliance configuration philosophy is interface based.
      An interface ACL permits or denies the initial packet incoming or outgoing on that interface.
      Return traffic does not need to be specified if the connection is inspected (stateful).
      If no ACL is attached to an interface, the following ASA policy applies: outbound packets (higher to lower security level) are permitted by default; inbound packets (lower to higher security level) are denied by default.
      ACLs can be simplified by defining object groups for IP addresses and services.
    • Security Appliance ACL Configuration (ASDM, four slides of screenshots)
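      The ACL slides are ASDM screenshots, so the following is an added example, not from the deck, of the interface-ACL model described above built from object groups: an inbound ACL on outside that admits only the published DMZ services and logs everything else, and an inbound ACL on inside that replaces the "outbound permitted by default" behaviour the moment an ACL is attached. The DMZ hosts (192.168.1.23 from the static NAT slide, plus an assumed mail relay 192.168.1.24), the inside network 10.1.1.0/24 and the interface names are assumptions. Because this is 8.3+ NAT, the ACL references the real (untranslated) DMZ addresses even though those hosts are reached through a static NAT.

```cisco
! Added example (not from the deck): interface ACLs built from object groups.
! Assumptions: interfaces outside/inside/dmz; DMZ hosts 192.168.1.23 (web) and
! 192.168.1.24 (mail relay, assumed); inside users 10.1.1.0/24.
object-group network DMZ-PUBLIC-SERVERS
 network-object host 192.168.1.23
 network-object host 192.168.1.24
object-group service DMZ-PUBLIC-SERVICES tcp
 port-object eq www
 port-object eq https
 port-object eq smtp
object-group network INSIDE-NETS
 network-object 10.1.1.0 255.255.255.0
object-group service OUTBOUND-ALLOWED tcp
 port-object eq www
 port-object eq https
! Inbound on outside: only the published services reach the DMZ hosts (real IPs,
! post-8.3). The explicit deny exists so that drops are logged; the implicit deny
! at the end of every ACL is silent.
access-list OUTSIDE-IN remark Published DMZ services only
access-list OUTSIDE-IN extended permit tcp any object-group DMZ-PUBLIC-SERVERS object-group DMZ-PUBLIC-SERVICES
access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface outside
! Inbound on inside: once an ACL is attached the default "outbound permitted" rule
! no longer applies, so permit what users need, then deny and log the rest
access-list INSIDE-IN extended permit tcp object-group INSIDE-NETS any object-group OUTBOUND-ALLOWED
access-list INSIDE-IN extended permit udp object-group INSIDE-NETS any eq domain
access-list INSIDE-IN extended permit icmp object-group INSIDE-NETS any echo
access-list INSIDE-IN extended deny ip any any log
access-group INSIDE-IN in interface inside
```

      Check the result with show access-list OUTSIDE-IN, which expands the object groups into individual entries with hit counts, and with packet-tracer input outside tcp 198.51.100.10 40000 96.33.100.5 80 (the public address from the static NAT slide): the trace should show the UN-NAT phase mapping 96.33.100.5 to 192.168.1.23 and then the ACCESS-LIST phase matching the permit line.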
    • NAT Overview: Network Address Translation (NAT) and Port Address Translation (PAT) are used to translate IP addresses and ports. NAT is not required by default (NAT control is disabled). Concepts: static NAT and static policy NAT; dynamic NAT and dynamic policy NAT; identity NAT.
    • NAT Post ASA Version 8.3. NAT is redesigned in 8.3 and above to simplify operations: a single rule can translate both the source and destination IP address; you can manually establish the order in which NAT rules are processed; NAT to "any" interface is introduced. Two NAT modes are available in 8.3 and above: Network Object NAT, a translation rule defined inside a network object, well suited for source-only NAT and sometimes referred to as "Auto NAT"; and Manual NAT, policy-based NAT for when the source and destination addresses both need to be considered, sometimes referred to as Twice NAT.
    • Dynamic NAT Using Network Object NAT (inside hosts 10.1.1.100, 10.1.1.101 and 10.1.1.102; outside interface 96.33.100.1; external web server on the Internet). The following example configures dynamic NAT that hides the 10.1.1.0 network behind the outside interface address (because a single interface address is used, this is in fact dynamic PAT):
        asa(config)# object network Network-Inside-Out
        asa(config-network-object)# subnet 10.1.1.0 255.255.255.0
        asa(config-network-object)# description Nat Inside Users To Outside Interface
        asa(config-network-object)# nat (inside,outside) dynamic interface
    • Network Object NAT on the ASDM: select the network object, then check Auto Translation Rule
    • Static Object NAT Example (DMZ web server 192.168.1.23, published as 96.33.100.5 to external hosts on the Internet). The following example configures a translation to a web server in the DMZ; the external address in DNS is 96.33.100.5 and the internal address is 192.168.1.23. The access list references the real (untranslated) address, as required from 8.3 onward:
        asa(config)# object network DMZ-WEBSERVER
        asa(config-network-object)# host 192.168.1.23
        asa(config-network-object)# description Static Nat For DMZ WebServer
        asa(config-network-object)# nat (dmz,outside) static 96.33.100.5
        asa(config-network-object)# exit
        asa(config)# access-list outside-in permit ip any host 192.168.1.23
        asa(config)# access-group outside-in in interface outside
      (The slide's access-list line had a stray second "any"; it is corrected above. Permitting ip from any host exposes every service on the server, so in production narrow it to the published ports, e.g. permit tcp any host 192.168.1.23 eq www.)
    • Static PAT (Object NAT): used to create a translation between the outside interface address/port and a local IP address/port. 96.33.100.2/HTTP is redirected to 192.168.1.100/HTTP; 96.33.100.2/FTP is redirected to 192.168.1.101/FTP.
    • Static PAT (Object NAT) configuration (outside interface address 96.33.100.2):
        asa(config)# object network DMZ-WEBSERVER
        asa(config-network-object)# host 192.168.1.100
        asa(config-network-object)# nat (dmz,outside) static interface service tcp www www
        asa(config)# object network DMZ-FTPSERVER
        asa(config-network-object)# host 192.168.1.101
        asa(config-network-object)# nat (dmz,outside) static interface service tcp ftp ftp
    • Manual Twice NAT (contractors 10.2.2.0/24 and inside users 10.1.1.0/24 behind the inside interface; outside interface 96.33.100.1; contractors are translated to 96.33.100.100 only when the destination is www.cisco.com at 64.32.2.4):
        asa(config)# object network contractors
        asa(config-network-object)# subnet 10.2.2.0 255.255.255.0
        asa(config)# object network translated-ip
        asa(config-network-object)# host 96.33.100.100
        asa(config)# object network cisco-dot-com
        asa(config-network-object)# host 64.32.2.4
        asa(config-network-object)# exit
        asa(config)# nat (inside,outside) source static contractors translated-ip destination static cisco-dot-com cisco-dot-com
      (The slide used "network" inside the object, which is not a network-object keyword; the address is defined with subnet. It also omitted the destination keyword from the nat statement.)
    • Identity NAT Example (Manual NAT): Branch A host 10.1.1.15 on inside reaches 192.168.3.3 through a VPN tunnel on outside. The original packet 10.1.1.15 -> 192.168.3.3 and the translated packet 10.1.1.15 -> 192.168.3.3 are identical, i.e. the source is exempted from translation for this destination:
        asa(config)# object network vpn-subs
        asa(config-network-object)# range 192.168.3.1 192.168.3.63
        asa(config-network-object)# exit
        asa(config)# nat (inside,outside) source static inside-net inside-net destination static vpn-subs vpn-subs
      (The object inside-net, covering the inside network that contains 10.1.1.15, is assumed to be defined already; the slide does not show it. The slide's nat line was also missing the comma between the interface names and the repeated vpn-subs on the destination side.)
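      The NAT slides show each rule type on its own. What bites in practice is the order in which the three NAT sections are evaluated: manual NAT (section 1), then network-object NAT (section 2), then manual NAT entered with after-auto (section 3). The following is an added example, not from the deck, that combines the deck's dynamic PAT, static NAT and identity NAT into one configuration and shows why the VPN identity rule must sit in section 1. The object names, the 10.1.1.0/24 inside network, the 192.168.3.1-63 VPN range and the 96.33.100.5 public address follow the slides; the DMZ interface name and the section 3 catch-all are assumptions.

```cisco
! Added example (not from the deck): NAT section ordering on ASA 8.3/8.4.
! Assumptions: interfaces inside/dmz/outside; inside 10.1.1.0/24; VPN peer hosts
! 192.168.3.1-192.168.3.63; DMZ web server 192.168.1.23 published as 96.33.100.5.
object network INSIDE-NET
 subnet 10.1.1.0 255.255.255.0
object network VPN-SUBS
 range 192.168.3.1 192.168.3.63
object network DMZ-WEB
 host 192.168.1.23
! Section 2 (network object / auto NAT): interface PAT for inside users and a
! static 1:1 for the DMZ server. Within section 2 static rules win over dynamic.
object network INSIDE-NET
 nat (inside,outside) dynamic interface
object network DMZ-WEB
 nat (dmz,outside) static 96.33.100.5
! Section 1 (manual NAT, evaluated before section 2): identity NAT for traffic to
! the VPN peer. Without it the section 2 PAT above would rewrite 10.1.1.x to the
! outside interface address and the packet would never match the tunnel's
! crypto ACL. Line 1 puts it at the top of section 1.
nat (inside,outside) 1 source static INSIDE-NET INSIDE-NET destination static VPN-SUBS VPN-SUBS
! Section 3 (manual NAT after auto NAT): a catch-all used only when nothing in
! sections 1 or 2 matched, here PAT for any other 10/8 source that appears on inside
object network RFC1918-10
 subnet 10.0.0.0 255.0.0.0
nat (inside,outside) after-auto source dynamic RFC1918-10 interface
```

      show nat prints the three sections in evaluation order with translate_hits and untranslate_hits per rule; packet-tracer input inside tcp 10.1.1.15 1025 192.168.3.3 80 should report the section 1 identity rule in its NAT phase, while the same trace to 203.0.113.1 should hit the section 2 dynamic interface rule. If the identity rule is ever entered without the line number after other manual rules, check with show nat that it still precedes any rule that would match the same source.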
    • Implement ASA quality of service (QoS) settings
    • Implement ASA transparent firewall
    • Explain Differences Between L2 and L3 Operating Modes. The security appliance can run in two modes: Routed, forwarding based on IP address (diagram: 10.0.1.0 on VLAN 100 and 10.0.2.0 on VLAN 200), and Transparent, forwarding based on MAC address (diagram: 10.0.1.0 on both VLAN 100 and VLAN 200). The slide lists the following features as not supported in transparent mode: NAT; dynamic routing protocols; IPv6; DHCP relay; quality of service; multicast; VPN termination for through traffic. (The list comes from older course material: NAT in transparent mode has been supported since 8.0(2) and IPv6 since 8.2(1); the remaining items still apply to 8.4.)
    • Configure Security Appliance for Transparent Mode (L2). Topology: Internet, router 10.0.1.10 on VLAN 100, ASA management IP 10.0.1.1, hosts 10.0.1.3 and 10.0.1.4 on VLAN 200 with gateway 10.0.1.10, all within 10.0.1.0.
      Layer 3 traffic from a lower to a higher security interface must be explicitly permitted.
      Each directly connected network must be on the same subnet.
      The management IP address must be on the same subnet as the connected network.
      Do not specify the firewall appliance management IP address as the default gateway for connected devices.
      Devices need to specify the router on the other side of the firewall appliance as the default gateway.
      Each interface must be a different VLAN interface.
        asa(config)# firewall transparent
        Switched to transparent mode
        asa(config)# show firewall
        Firewall mode: Transparent
      (Changing the firewall mode clears the running configuration; save a copy of the routed-mode configuration before entering the command, and expect to reconfigure interfaces and management access afterwards.)
    • Verify the Firewall Mode of the Security Appliance Using ASDM
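      The transparent-mode slide shows only the mode change. The following is an added example, not from the deck, of the complete configuration that has to follow it on ASA 8.4, where transparent mode places the bridged interfaces in a bridge group and carries the management address on a BVI: two bridged interfaces, the management IP and the route the ASA itself needs, an EtherType ACL so the switches' BPDUs are not silently dropped, and an extended ACL for the low-to-high IP traffic that must be permitted explicitly. The addresses follow the slide (10.0.1.0/24, management 10.0.1.1, router 10.0.1.10); the interface names and the ICMP rule are assumptions.

```cisco
! Added example (not from the deck): complete transparent (Layer 2) firewall for ASA 8.4.
! Assumptions: GigabitEthernet0/0 faces the router 10.0.1.10, GigabitEthernet0/1 the hosts;
! one bridge group; management IP 10.0.1.1 on the BVI; ICMP echo permitted inbound.
firewall transparent
! The mode change wiped the running config, so the interfaces are rebuilt here.
! Bridged interfaces keep nameif and security-level but get no IP address of their own.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 bridge-group 1
 no shutdown
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 bridge-group 1
 no shutdown
! Management address on the bridge virtual interface, same subnet as the hosts.
! It is NOT the hosts' default gateway; the router 10.0.1.10 is.
interface BVI1
 ip address 10.0.1.1 255.255.255.0
! Traffic the ASA itself originates (syslog, AAA, updates) still needs a route
route outside 0.0.0.0 0.0.0.0 10.0.1.10
! Non-IP frames are dropped unless an EtherType ACL allows them. Pass spanning
! tree BPDUs so the switches on both sides do not see a topology change.
access-list L2-PASS ethertype permit bpdu
access-group L2-PASS in interface inside
access-group L2-PASS in interface outside
! IP traffic from low to high security still needs an extended ACL, exactly as in
! routed mode; high to low is permitted by the security levels.
access-list OUTSIDE-IN extended permit icmp any 10.0.1.0 255.255.255.0 echo
access-group OUTSIDE-IN in interface outside
! Management access to the BVI address from the host side
http server enable
http 10.0.1.0 255.255.255.0 inside
ssh 10.0.1.0 255.255.255.0 inside
```

      Verify with show firewall, show bridge-group 1 (member interfaces and the BVI address) and show mac-address-table, which should list the router's MAC on outside and the hosts' MACs on inside once traffic has flowed; a host missing from the table usually means its frames are arriving on the wrong VLAN.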
    • Topic 2: ASA Routing Features
    • Topic 2: What You Need to Know: implement ASA static routing; implement ASA dynamic routing
    • ASA Routing Capabilities (interfaces outside, inside, DMZ1, DMZ2): static routing; dynamic routing (RIP, OSPF, EIGRP); multicast (stub or bidirectional PIM)
    • Implement ASA static routing
    • Configuring Static Routes (next hop 10.10.10.1 toward the Internet):
        asa(config)# route outside 0 0 10.10.10.1
        asa(config)# sh run | inc route
        route outside 0.0.0.0 0.0.0.0 10.10.10.1 1
        route inside 192.168.10.0 255.255.255.0 192.168.1.2 1
        route inside 192.168.10.0 255.255.255.0 192.168.2.1 2
        route inside 192.168.30.0 255.255.255.0 192.168.1.2 1
      (The trailing number is the administrative distance. The second route to 192.168.10.0, with distance 2, is a floating static route: it enters the routing table only when the distance-1 route is withdrawn, for example because its interface goes down or a tracked SLA fails.)
    • Implement ASA dynamic routing
    • Configuring EIGRP (Steps 1 to 3, ASDM)
    • Configure VLANs: a single physical trunk port (802.1Q trunking) carries vlan10, vlan20 and vlan30 toward the partner server, public server and proxy server; the physical interface is separated into sub-interfaces (logical interfaces) dmz1 172.16.10.1, dmz2 172.16.20.1 and dmz3 172.16.30.1, alongside the inside (192.168.1.0) and outside (10.1.1.0, Internet) networks.
    • Logical and Physical Interfaces (ASDM)
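      The EIGRP slides are ASDM screenshots and the VLAN slide is a diagram, so the following is an added example, not from the deck, of the same topology in CLI: the three 802.1Q sub-interfaces from the VLAN slide, the default and floating static routes from the static-route slide, and an EIGRP process that peers only with the inside router and authenticates it. The trunk port (GigabitEthernet0/2), the inside interface name (GigabitEthernet0/1 with 192.168.1.80/24 from the interface slide), the EIGRP AS number and the MD5 key are assumptions.

```cisco
! Added example (not from the deck): VLAN sub-interfaces plus static and EIGRP routing.
! Assumptions: Gi0/2 is the 802.1Q trunk to the DMZ switch; Gi0/1 is inside
! (192.168.1.80/24, peer router 192.168.1.2); EIGRP AS 100 and the key are placeholders.
! The physical trunk interface only needs to be up; it gets no nameif or IP of its own
interface GigabitEthernet0/2
 no shutdown
interface GigabitEthernet0/2.10
 vlan 10
 nameif dmz1
 security-level 50
 ip address 172.16.10.1 255.255.255.0
interface GigabitEthernet0/2.20
 vlan 20
 nameif dmz2
 security-level 40
 ip address 172.16.20.1 255.255.255.0
interface GigabitEthernet0/2.30
 vlan 30
 nameif dmz3
 security-level 30
 ip address 172.16.30.1 255.255.255.0
! Default route to the ISP, preferred and floating (distance 2) routes for 192.168.10.0
route outside 0.0.0.0 0.0.0.0 10.10.10.1
route inside 192.168.10.0 255.255.255.0 192.168.1.2 1
route inside 192.168.10.0 255.255.255.0 192.168.2.1 2
! EIGRP: advertise only the inside network, form adjacencies on inside only (every
! other interface stays passive so no neighbor can be injected from the DMZs or
! outside), and require MD5 authentication from the inside router
router eigrp 100
 network 192.168.1.0 255.255.255.0
 passive-interface default
 no passive-interface inside
 no auto-summary
interface GigabitEthernet0/1
 authentication mode eigrp 100 md5
 authentication key eigrp 100 S3cretK3y key-id 1
```

      show eigrp neighbors should list 192.168.1.2 and nothing else; show route lists the EIGRP-learned prefixes with distance 90 next to the statics, and the floating 192.168.10.0 entry appears in show route only after the distance-1 route is gone (use show running-config route to see both). The inside router must carry the same AS, key and key-id or the adjacency will not form.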
    • Topic 3: ASA Inspection Policy
    • Topic 3: What You Need to Know: implement ASA inspection features
    • Advanced Protocol Inspection. Advanced protocol inspection gives you options such as the following for defending against application layer attacks: blocking *.exe attachments; prohibiting use of Kazaa or other peer-to-peer file-sharing programs; setting limits on URL lengths (e.g. http://www.example.com/long/URL/far2long); prohibiting file transfer or whiteboard as part of IM sessions; protecting your web services by ensuring that XML schema is valid; resetting a TCP session if it contains a string you know is malicious; dropping sessions with packets that are out of order.
    • Configuring Layer 3/4 Inspection:
      1. Create a Layer 3/4 class map to identify traffic by matching: an ACL; TCP or UDP ports; any packet; IP precedence; the default inspection traffic; RTP ports; a DSCP value; a tunnel-group; a destination IP address.
      2. Create a Layer 3/4 policy map to associate one of the following policy actions with traffic defined in a Layer 3/4 class map: TCP normalization; Cisco IPS; TCP and UDP connection limits and timeouts; QoS policing; TCP sequence number randomization; QoS priority queuing; application inspection; Cisco CSC.
      3. Use a service policy to activate the Layer 3/4 policy.
    • Configuring Layer 7 Inspection:
      1. Create a Layer 7 class map to identify traffic by matching criteria specific to applications: IM, DNS, RTSP, FTP, SIP, H.323, HTTP.
      2. Create a Layer 7 policy map to defend against application layer attacks by referencing a Layer 7 class map and applying an action.
      3. Create a Layer 3/4 policy map to associate traffic defined in a Layer 3/4 class map and reference the Layer 7 policy map.
      4. Use a service policy to activate the Layer 3/4 policy on an interface or globally.
    • Layer 3/4 Class Maps vs. Layer 7 Class Maps
      Layer 3/4 class maps: match traffic based on protocols, ports, IP addresses, and other layer 3 or 4 attributes (ACL; any packet; default inspection traffic; IP differentiated services code point; TCP and UDP ports; IP precedence; RTP port numbers; VPN tunnel group); typically contain only one match condition; are mandatory MPF components.
      Layer 7 class maps: work with layer 7 policy maps to implement advanced protocol inspection; match criteria is specific to one of the following applications: DNS, FTP, IM, H.323, RTSP, HTTP, SIP; enable you to specify a not operator for a match condition; can contain one or more match conditions; can use regular expressions as match criteria; are optional MPF components (match criteria can be specified in a layer 7 policy map instead).
    • Layer 3/4 Policy Maps vs. Layer 7 Policy Maps
      Layer 3/4 policy maps: used to create the following policy types: application inspection; TCP normalization; TCP and UDP connection limits and timeouts; TCP sequence number randomization; Cisco CSC; Cisco IPS; QoS input policing; QoS output policing; QoS priority queue. Must be applied to an interface or globally via a service policy; are mandatory MPF components.
      Layer 7 policy maps: implement advanced protocol inspection, which defends against application layer attacks; also called inspection policy maps; can be used for advanced inspection of DCERPC, DNS, ESMTP, FTP, GTP, H.323, HTTP, IM, IPsec Pass Through, MGCP, NetBIOS, RTSP, SCCP (Skinny), SIP, SNMP. Must be applied to a layer 3/4 policy map; are optional MPF components.
    • Filtering FTP Commands: Layer 7 Policy Map (ASDM, two slides)
    • Filtering FTP Commands: Service Policy Rule (ASDM, two slides)
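      The four FTP-filtering slides are ASDM screenshots. The following is an added example, not from the deck, of the same MPF chain in CLI, walking the Layer 7 procedure above: a regex, a Layer 7 (inspection) class map that matches an FTP upload whose filename contains .exe, a Layer 7 policy map that resets and logs it (and also blocks delete/rename/SITE commands and masks the server banner), and the Layer 3/4 policy map that references it through inspect ftp strict. The class, policy and regex names are placeholders; the factory-default global_policy and inspection_default class are assumed to be present.

```cisco
! Added example (not from the deck): FTP command filtering with MPF on ASA 8.4.
! Assumptions: names are placeholders; factory global_policy/inspection_default exist.
! Regex: a filename containing ".exe" in any letter case
regex EXE-UPLOAD "[.][Ee][Xx][Ee]"
! Layer 7 class map (match-all): an upload command whose filename matches the regex
class-map type inspect ftp match-all FTP-EXE-PUT
 match request-command put appe
 match filename regex EXE-UPLOAD
! Layer 7 (inspection) policy map: reset and log the .exe upload, reset any
! delete / rename / SITE command, and hide the banner and SYST reply so the
! server software cannot be fingerprinted through the firewall
policy-map type inspect ftp FTP-HARDENED
 parameters
  mask-banner
  mask-syst-reply
 class FTP-EXE-PUT
  reset log
 match request-command dele rmd rnfr rnto site
  reset log
! Layer 3/4 policy: swap the stock 'inspect ftp' in the default inspection class for
! the strict variant (which also rejects embedded commands and checks that PORT/PASV
! data connections match the control session) that references the Layer 7 map.
! 'service-policy global_policy global' is already present in the factory config.
policy-map global_policy
 class inspection_default
  no inspect ftp
  inspect ftp strict FTP-HARDENED
```

      show service-policy inspect ftp shows the hit counters per class; a blocked upload generates syslog 303005 (FTP command denied) and the client sees its control connection reset. Test against a lab FTP server, since strict mode also breaks clients that send commands in non-standard ways.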
    • Topic 4: ASA Advanced Network Protection
    • What You Need to Know: configure threat detection on the ASA; implement the ASA Botnet Traffic Filter
    • Task Flow for Configuring the ASA Botnet Traffic Filter. To configure the Botnet Traffic Filter, perform the following steps:
      1. Enable use of the dynamic database.
      2. (Optional) Add static entries to the database.
      3. Enable DNS snooping.
      4. Enable traffic classification and actions for the Botnet Traffic Filter.
      5. (Optional) Block traffic manually based on syslog message information.
    • Configure Threat Detection (attacker on the Internet, DMZ server behind the ASA). Basic threat detection monitors the rate of dropped packets and security events per second and generates a syslog message when the thresholds are exceeded; it reports but does not block on its own; enabled by default. Scanning threat detection identifies attackers performing port scans and can shun them; disabled by default. (The slide says basic threat detection "blocks attackers"; only scanning threat detection with the shun option does.)
    • Configuring Threat Detection
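      The threat-detection slide is an ASDM screenshot and the Botnet Traffic Filter slide gives only the five-step task flow, so the following is an added example, not from the deck, with the CLI for both: basic and scanning threat detection with a shun exemption for the in-house vulnerability scanner, and the Botnet Traffic Filter following the deck's steps 1 to 5. It assumes the Botnet Traffic Filter license is installed, that inside clients' DNS replies enter on outside, and that the scanner network, the blacklist name and the whitelist address are placeholders.

```cisco
! Added example (not from the deck): threat detection and Botnet Traffic Filter CLI.
! Assumptions: BTF license installed; DNS replies arrive on outside; 10.1.1.0/24 hosts
! the authorised vulnerability scanner; blacklist/whitelist entries are placeholders.
! --- Threat detection ---
! Basic threat detection (syslog only) is on by default; keep it and add per-host stats
threat-detection basic-threat
threat-detection statistics host
! Scanning threat detection: classify scanners and shun them for an hour, but never
! shun the authorised scanner's network or you will take down your own assessments
threat-detection scanning-threat shun except ip-address 10.1.1.0 255.255.255.0
threat-detection scanning-threat shun duration 3600
! Tighten the scanning thresholds: average and burst drop rates over a 600 s interval
threat-detection rate scanning-threat rate-interval 600 average-rate 10 burst-rate 20
! --- Botnet Traffic Filter, following the deck's five steps ---
! 1. Download the dynamic database from Cisco and use it
dynamic-filter updater-client enable
dynamic-filter use-database
! 2. (Optional) static entries: a known C2 name, and a partner host that must never match
dynamic-filter blacklist
 name c2.badexample.test
dynamic-filter whitelist
 address 203.0.113.10 255.255.255.255
! 3. DNS snooping on the interface where the DNS replies arrive, so resolved
!    addresses can be mapped back to blacklisted names
class-map BOTNET-DNS
 match port udp eq domain
policy-map BOTNET-DNS-SNOOP
 class BOTNET-DNS
  inspect dns preset_dns_map dynamic-filter-snoop
service-policy BOTNET-DNS-SNOOP interface outside
! 4. Classify all traffic on outside and drop connections to blacklisted addresses
dynamic-filter enable interface outside
dynamic-filter drop blacklist interface outside
! 5. (Optional) Manual blocking from the syslog data (338001-338008 report the
!    matched address) is done in EXEC mode, e.g.  shun 198.51.100.23
```

      Check the state with show threat-detection shun (currently shunned hosts), show threat-detection statistics top access-list, show dynamic-filter updater-client (database download status) and show dynamic-filter reports top botnet-sites. Applying an interface service policy for DNS on outside supersedes the global DNS inspection for that interface only, which is what the Cisco configuration guide's own snooping example does.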
    • Topic 5: ASA High Availability
    • Topic 5: What You Need to Know: implement ASA interface redundancy and load sharing features; implement the ASA virtualization feature; implement ASA stateful failover
    • Implement ASA interface redundancy and load sharing features
    • Configure Redundant Interfaces Using ASDM. A logical redundant interface pairs an active and a standby physical interface. When the active interface fails, the standby interface becomes active and starts passing traffic. It is used to increase the adaptive security appliance's reliability. You can monitor redundant interfaces for failover using the monitor-interface command.
    • Configure Redundant Interfaces Using ASDM (Cont.): select Add Interface, then Redundant Interface (two slides)
    • Configuring EtherChannel Interfaces
    • EtherChannel Example. Note: the device to which you connect the ASA EtherChannel must also support 802.3ad EtherChannels.
    • EtherChannel Configuration (ASDM): select Add Interface, then EtherChannel Interface
    • EtherChannel Configuration (CLI). The slide also shows channel-group 1 mode passive, the other LACP mode; at least one end of the bundle must be active for LACP to negotiate, and here the ASA members are active:
        interface Port-channel1
         lacp max-bundle 4
         port-channel min-bundle 2
         port-channel load-balance dst-ip
        interface GigabitEthernet0/0
         channel-group 1 mode active
        interface GigabitEthernet0/1
         channel-group 1 mode active
    • Implement ASA virtualization feature
    • Virtual Firewalls: enable a physical firewall to be partitioned into multiple standalone firewalls (contexts). Each standalone firewall acts and behaves as an independent entity with its own configuration, interfaces, security policy and routing table. (Diagram: Active/Active, contexts 1 and 2 on a primary and a secondary unit, each unit active for one context and standby for the other.) Example scenarios for virtual firewalls: an education network that wants to segregate student networks from teacher networks; a service provider that wants to protect several customers without a physical firewall for each; a large enterprise with various departments.
    • Implement ASA stateful failover
    • Hardware and Stateful Failover. Hardware failover: connections are dropped and client applications must reconnect; provided by the LAN-based failover link (the serial failover cable was a PIX option; the ASA 5500 series supports LAN-based failover only). Active/Standby: only one unit actively processes traffic while the other is a hot standby. Active/Active: both units actively process traffic and serve as backup for each other. Stateful failover: TCP connections remain active and no client applications need to reconnect; provides redundancy plus stateful connection replication; provided by the stateful link.
    • Explain the Hardware, Software, and Licensing Requirements for High Availability (Active/Standby: primary standby, secondary active; Active/Active: contexts 1 and 2 split across primary and secondary). The primary and secondary security appliances must be identical in the following: same model number and hardware configuration; same software version; same features (DES or 3DES); same amount of flash memory and RAM; proper licensing.
    • Active/Standby Failover Configuration Concepts (primary fw1 holds the .1 addresses on 192.168.2.0, 172.17.2.0 and 10.0.2.0; the secondary holds the .7 standby addresses). One ASA acts as the active or primary unit and the other as the secondary or standby firewall. The primary and secondary communicate over a configured LAN-based failover interface. The primary is active and passes traffic; in the event of a failure the secondary takes over.
    • Active/Standby Failover Configuration Steps:
      1. Cable the interfaces on both ASAs.
      2. Prepare both security appliances for configuration via ASDM.
      3. Use the ASDM High Availability and Scalability Wizard to configure the primary ASA for failover.
      4. Verify that ASDM configured the secondary ASA with the LAN-based failover command set.
      5. Save the configuration on the secondary ASA to flash.
    • Configure Active/Standby Using ASDM (Step 1 of 6): Select Active/Standby
    • Configure Active/Standby Using ASDM (Step 2 of 6)
    • Configure Active/Standby Using ASDM (Step 3 of 6)
    • Configure Active/Standby Using ASDM (Step 4 of 6)
    • Configure Active/Standby Using ASDM (Step 5 of 6)
    • Configure Active/Standby Using ASDM (Step 6 of 6)
    • Active/Active Failover Configuration
      [Diagram: two ASAs with contexts CTX1 (failover group 1) and CTX2 (failover group 2) on g0/1, g0/2 and g0/4, addresses 172.17.2.1 and 172.17.2.7; failover link shown on g0/0 and g0/3]
      1. Cable the interfaces on both ASAs
      2. Ensure that both ASAs are in multiple context mode (mode multiple)
      3. Configure contexts and allocate interfaces to contexts
      4. Enable and assign IP addresses to each interface that is allocated to a context
      5. Prepare both security appliances for configuration via ASDM
      6. Use the ASDM High Availability and Scalability Wizard to configure the ASA for failover
      7. Verify that ASDM configured the secondary ASA with the LAN-based failover command set
      8. Save the configuration on the secondary ASA to flash
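The CLI behind steps 2 to 4 and 6 to 7 of the Active/Active procedure, given as an added example rather than the slide's own configuration. Context names CTX1/CTX2 and the two failover groups follow the slide diagram; which physical interface goes to which context, the admin context on Management0/0, the config-url paths, the failover-link subnet and the key are all assumptions.

```cisco
! ---- Primary unit, system execution space ----
! Step 2: both units must run in multiple context mode (this reloads the ASA)
mode multiple
!
! In multiple mode, interfaces are enabled in the system space; nameif and
! addresses are set inside each context.
interface GigabitEthernet0/0
 no shutdown
interface GigabitEthernet0/1
 no shutdown
interface GigabitEthernet0/2
 no shutdown
interface GigabitEthernet0/3
 no shutdown
interface GigabitEthernet0/4
 no shutdown
interface Management0/0
 no shutdown
!
! LAN-based failover link, reused as the stateful link (interface and subnet assumed)
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/3
failover interface ip FOLINK 10.255.1.1 255.255.255.252 standby 10.255.1.2
failover link FOLINK
! Authenticates and encrypts failover traffic; without it, replication
! crosses the link in clear text. Placeholder value.
failover key <REPLACE-WITH-SHARED-SECRET>
!
! Failover groups are what make the pair Active/Active: group 1 is normally
! active on the primary, group 2 on the secondary, so both chassis forward
! traffic. preempt hands a group back to its preferred unit after recovery.
failover group 1
 primary
 preempt
failover group 2
 secondary
 preempt
!
! Step 3: contexts and interface allocation (allocation assumed).
! The admin context is required in multiple mode; it stays in group 1.
admin-context admin
context admin
 allocate-interface Management0/0
 config-url disk0:/admin.cfg
context CTX1
 allocate-interface GigabitEthernet0/1
 allocate-interface GigabitEthernet0/2
 config-url disk0:/ctx1.cfg
 join-failover-group 1
context CTX2
 allocate-interface GigabitEthernet0/0
 allocate-interface GigabitEthernet0/4
 config-url disk0:/ctx2.cfg
 join-failover-group 2
!
! Step 4: active and standby addresses inside each context
! (CTX2 is configured the same way with its own addresses).
changeto context CTX1
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 172.17.2.1 255.255.255.0 standby 172.17.2.7
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 10.0.2.1 255.255.255.0 standby 10.0.2.7
changeto system
!
! Enable failover last, once the contexts and groups exist
failover

! ---- Secondary unit, system execution space ----
! Bootstrap only; mode, contexts and groups replicate from the primary
mode multiple
interface GigabitEthernet0/3
 no shutdown
failover lan unit secondary
failover lan interface FOLINK GigabitEthernet0/3
failover interface ip FOLINK 10.255.1.1 255.255.255.252 standby 10.255.1.2
failover link FOLINK
failover key <REPLACE-WITH-SHARED-SECRET>
failover
```

After `failover` is enabled, `show failover` from the system space lists both groups with the unit that is active for each; a group whose active unit is not its preferred one (for example group 1 active on the secondary after a primary outage) is the condition the preempt setting is there to clear.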
    • Configure Active/Active Using ASDM (Step 1 of 7): Select Active/Active
    • Sample Questions: Can You Identify the Correct Answer?
    • Question 1
      A primary ASA in a failover pair has failed, causing the secondary ASA to become active. After resolving the issue, what command should be executed on the primary ASA to make it the active firewall?
      A. Failover active
      B. Failover active group 1
      C. Failover secondary group 1
      D. Standby group 1 active
    • Question 2
      Which of these commands will show you the contents of flash memory on the Cisco ASA? (Choose two.)
      A. dir
      B. show info flash
      C. directory view disk0:/
      D. show run disk
      E. flash view
      F. show flash
    • Question 3
      When provisioning a service policy using ASDM, what order are the elements created in?
      A. Class-map > Policy-Map > Service-Policy
      B. Service-Policy > Class-map > Policy-Map
      C. Service-Policy > Policy-Map > Service-Policy
      D. Policy-Map > Service-Policy > Class-Map
    • Question 4
      When using sub-interfaces, which method prevents the main interfaces from sending untagged traffic?
      A. Use the vlan command on the main interface
      B. Use the shutdown command on the main interface
      C. Omit the nameif command on the subinterface
      D. Omit the nameif command on the main interface
    • Question 5
      Choose two correct statements about multiple context mode:
      A. Multiple context mode does not support dynamic routing protocols, IPS, and VPNs
      B. Multiple context mode enables you to create multiple independent virtual firewalls with their own security policies and interfaces
      C. Multiple context mode enables support for additional hardware modules and firewalls
      D. When you convert from single mode to multiple mode, the security appliance automatically adds an entry for the admin context to the system configuration with the name "admin"
    • Question 6
      Which three features does the ASA support?
      A. BGP dynamic routing
      B. 802.1Q trunking
      C. EIGRP dynamic routing
      D. OSPF dynamic routing
    • Question 7
      Which command will display information about ASA crypto map configurations?
      A. show crypto sa
      B. show crypto map
      C. show run ipsec sa
      D. show run crypto map
    • Question 8
      What is the reason that you want to configure VLANs on a security appliance interface?
      A. Enable failover and VLANs to improve reliability
      B. Allow transparent firewall mode to be used
      C. Increase the number of interfaces available to the network without adding additional physical interfaces or security appliances
      D. Enable multiple context mode where you can map only VLAN interfaces to contexts
    • Question 9
      What are two purposes of the same-security-traffic permit intra-interface command? (Choose two.)
      A. Allow a hub-and-spoke VPN design on one interface
      B. Enable Dynamic Multipoint VPN
      C. Allow traffic in and out of the same interface when the traffic is IPSec protected
      D. Allow traffic between different interfaces with matching security levels
    • Question 10
      Which command will display NAT translations on the ASA?
      A. show ip nat all
      B. show running-configuration nat
      C. show xlate
      D. show nat translation
    • Q&A: And Now Time for Questions…
    • Complete Your Online Session Evaluation
      ‒ Give us your feedback and you could win fabulous prizes. Winners announced daily.
      ‒ Receive 20 Cisco Preferred Access points for each session evaluation you complete.
      ‒ Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.
      Don’t forget to activate your Cisco Live and Networkers Virtual account for access to all session materials, communities, and on-demand and live activities throughout the year. Activate your account at any internet station or visit www.ciscolivevirtual.com.
    • Final Thoughts
      Get hands-on experience with the Walk-in Labs located in World of Solutions, booth 1042
      Come see demos of many key solutions and products in the main Cisco booth 2924
      Visit www.ciscoLive365.com after the event for updated PDFs, on-demand session videos, networking, and more!
      Follow Cisco Live! using social media:
      ‒ Facebook: https://www.facebook.com/ciscoliveus
      ‒ Twitter: https://twitter.com/#!/CiscoLive
      ‒ LinkedIn Group: http://linkd.in/CiscoLI