Cisco Firewall v2.0 Exam Preparation Slides

These slides taken from Cisco live 2012/2013 3/26/2014
Eng. Mohannad Alhanahnah 1
FIREWALL V2.0
642-618 FIREWALL v2.0 Exam
• 90-minute exam
• Register with Pearson Vue
• www.vue.com/.cisco
• Exam cost is $200.00 US

Preparing for the FIREWALL v2.0 Exam
• Recommended reading
–CCNP Security Firewall 642-618 Quick Reference
–CCNP Security FIREWALL 642-618 Official Cert Guide
• Cisco learning network
• www.cisco.com/go/learnnetspace
• Practical experience
Test Taking Tips
• It’s not possible to cover everything!
• We want you to get a feel for the technical level of the
exam, not every topic possible
• Give you suggestions, resources, some examples
• Will focus on key topics

Testing Implementation Skills
• Question formats
• Declarative—a declarative exam item tests simple recall of pertinent
facts
• Procedural—a procedural exam item tests the ability to apply
knowledge to solve a given issue
• Complex procedural—A complex procedural exam item tests the ability
to apply multiple knowledge points to solve a given issue
• Types of questions
• Drag and drop
• Multiple choice
• Simulation and simlet
Firewall V 2.0 High-Level Topics
1. Cisco Firewall and ASA Technology
2. Cisco ASA Adaptive Security Appliance Basic
Configurations
3. ASA Routing Features
4. ASA Inspection Policy
5. ASA Advanced Network Protections
6. ASA High Availability

What Is a Firewall?
• A firewall is a system or group of systems that
manages access between two or more networks.
Outside
Network
DMZ
Network
Inside
Network
Internet
• A firewall is a security device which is configured to permit,
deny or proxy data connections set by the organization's
security policy. Firewalls can either be hardware or software
based
• A firewall's basic task is to control traffic between computer
networks with different zones of trust
• Today’s firewalls combine multilayer stateful packet
inspection and multiprotocol application inspection
• Modern firewalls have evolved by providing additional
services such as VPN, IDS/IPS, and URL filtering
• Despite these enhancements, the primary role of the firewall
is to enforce security policy

Cisco Firewall – What is It?
• Adaptive Security Appliance (ASA) – firewall appliance,
• proprietary OS has one expansion slot for service modules.
Ethernet and fiber ports on box.
does not run IOS but has a similar look and feel
• FireWall Services Module (FWSM) – line card in Catalyst
6500 that provides firewall services. No physical interfaces,
uses VLANs as “virtual interfaces”
• IOS Device running a firewall feature set in software (IOS-
FW).
• Cisco’s firewall has been around over 15 years, PIX the
legacy platform
1. Cisco Firewall and ASATechnology
• Many types of firewalls are in use today and are based
various technologies, such as the following:
• Static packet filtering
• Proxy server
• Stateful packet filtering
• Stateful packet filtering with application inspection and control
• Network intrusion protection system (IPS)
• Network behavior analysis

• The ASA product line offers cost-effective, easy-to-deploy
solutions. The product line ranges from compact plug-
and-play desktop firewalls such as the ASA 5505 for small
offices to carrier-class gigabit firewalls such as the ASA
5580 for the most demanding enterprise and service-
provider environments.

• Cisco ASA features include the following:
• State-of-the-art stateful packet inspection firewall
• User-based authentication of inbound and outbound connections
• Integrated protocol and application inspection engines that
examine packet streams at Layers 4 through 7
• Highly flexible and extensible modular security policy framework
• Robust virtual private network (VPN) services for secure site-to-site
and remote-access connections
• Clientless and client-based Secure Sockets Layer (SSL) VPN
• Full-featured intrusion prevention system (IPS) services for Day 0
protection against threats, including application and operating
system vulnerabilities, directed attacks, worms, and other forms of
malware
• Denial-of-service (DoS) prevention through mechanisms such as
protocol verification to rate limiting connections and traffic flow
• Content security services, including URL filtering, antiphishing,
antispam, antivirus, antispyware, and content filtering using Trend
Micro technologies
• Multiple security contexts (virtual firewalls) within a single appliance
• Stateful active/active or active/standby failover capabilities that
ensure resilient network protection
• Transparent deployment of security appliances into existing
network environments without requiring re-addressing of the
network
• Intuitive single-device management and monitoring services with
the Cisco Adaptive Security Device Manager (ASDM) and
enterprise-class multidevice management services through Cisco
Security Manager

• Service Modules:
Three SSMs are available for the ASA:
• Advanced Inspection and Prevention Security Services Module
(AIP SSM)
• Content Security and Control Security Services Module (CSC
SSM)
• Four-port Gigabit Ethernet SSM
2. Cisco ASAAdaptive SecurityAppliance Basic
Configurations
• Implementing ASA Licensing:
• Base License
• Security Plus License
• ASA 5505 Adaptive Security Appliance Licensing

Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs: 3, DMZ Restricted
Inside Hosts: Unlimited
Failover: Disabled
VPN-DES: Enabled
VPN-3DES-AES: Disabled
VPN Peers: 10
WebVPN Peers: 2
Dual ISPs: Disabled
VLAN Trunk Ports: 0
3 possible VLANs and 1 restricted DMZ (Base License)
3 VLANs + Unrestricted DMZ (Security Plus License)
Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs: 20, DMZ Unrestricted
Inside Hosts: Unlimited
Failover: Active/Standby
VPN-DES: Enabled
VPN-3DES-AES: Enabled
VPN Peers: 25
WebVPN Peers: 25
Dual ISPs: Enabled
VLAN Trunk Ports: 8

Manage the ASA boot process:
Implement ASA management features

SSH Configuration:
Steps required to enable SSH follows:
Step 1. Configure the hostname.
Step 2. Configure the domain name.
Step 3. Generate the RSA keys.
Step 4. Configure the local authentication.
Step 5. Configure SSH on the specific interface.
Implement ASA User Roles

Implement ASA interface settings

Configure VLANs:
• Physical interfaces are separated into sub-interfaces (logical interfaces)
• 802.1Q trunking
Logical and Physical Interfaces

Configuring an EtherChannel Interface:
Note: The device to which you connect the ASA EtherChannel must also support
802.3ad EtherChannels

Configure Redundant Interfaces Using ASDM :
• A logical redundant interface pairs an active and a standby physical interface.
• When the active interface fails, the standby interface becomes active and starts
passing traffic.
• Used to increase the adaptive security appliance reliability.
• You can monitor redundant interfaces for failover using the monitor-interface
command

Security Appliance ACL Configuration:
1. Security appliance configuration philosophy is interface based *
2. Interface ACL permits or denies the initial packet incoming or outgoing on that
interface
3. Return traffic does not need to be specified if inspected
4. ACLs can be simplified by defining object groups for IP addresses and services
5. The implicit access rules applied to the inside interface are as follows:
• Permit traffic from anywhere destined to a lower-security interface.
• Deny any traffic from anywhere to anywhere.
6. The implicit access rule applied to the outside interface is as follows:
• Deny any traffic from anywhere to anywhere.
* 8.3 Introduces the concept of the Global ACL (access-group <name> global)

ASA 8.3 Global Policies:
• Until recently, ACLs were applied to firewall interfaces for inbound and outbound
traffic
• Release 8.3 adds the ability to configure Global Access Policies which are not
tied to a specific interface
• Interface ACLs take priority over Global Access Policies

NAT Overview:
• Network Address Translation (NAT) and Port Address Translation (PAT)
• Used to translate IP addresses and ports
• Not required by default (NAT control is disabled)
• Concepts
• Static NAT and static policy NAT
• Dynamic NAT and dynamic policy NAT
• Identity NAT

NAT Post ASA Version 8.3:
NAT is redesigned in 8.3 and above to simplify operations:
• A single rule to translate the source and destination IP address.
• You can also manually establish the order in which NAT rules are processed.
• Introduction of NAT to “any” interface
Two Nat modes available in 8.3 and above
• Network Object NAT: translation rule that defines a network object.
• Well suited for source-only NAT
• Sometimes referred to as "Auto-NAT“
• Manual NAT:
• Policy based NAT when the source and destination address or port need to be
considered
• Sometimes referred to as Twice NAT
NAT Control
One significant change in NAT with software Versions 8.3 and later is that NAT control
is no longer a supported option. If a connection finds no translation rules, it passes
through the ASA without translation, as long as the connection is allowed by
configured access rules and policies (including default behaviors).

Dynamic NAT Using Network Object NAT :
The following example configures dynamic NAT that maps (dynamically hides) the
10.1.1.0 network to the outside interface address:

Network Object NAT On The ASDM

Static Object NAT :
The following example configures a translation to a Web Server in the DMZ. The
external address in DNS is 96.33.100.5 and the internal address is 192.168.1.23:
Static PAT (Object NAT):
• Used to create translation between a outside interface and local IP address/port.
–96.33.100.2/HTTP redirected to 192.168.1.100/HTTP
–96.33.100.2/FTP redirected to 192.168.1.101/FTP

Manual Twice NAT :
NAT rule that translates both the source and destination addresses in a packet, NAT
can be performed twice, once on the source IP, and once on the destination IP.

Identity NAT Example (Manual NAT) :
A real address is statically translated to itself, essentially bypassing NAT.

Implement ASA quality of service (QoS) settings:
Implement ASA transparent firewall:
Differences Between L2 and L3 Operating Modes
• The security appliance can run in two mode settings:
– Routed—based on IP address (default mode)
– Transparent—based on MAC address
• One of the main advantages of using an ASA in transparent mode is that you can
place the ASA in the network without re-addressing.
• The following features are not supported in transparent mode:
• NAT
• Dynamic routing protocols
• IPv6
• DHCP relay
• Quality of service
• Multicast
• VPN termination for through traffic

Configure Security Appliance for Transparent Mode (L2) :
• Layer 3 traffic must be explicitly permitted
• Each directly connected network must be on the same subnet
• The management IP address must be on the same subnet as the connected
network
• Do not specify the firewall appliance management IP address as the default
gateway for connected devices
• Devices need to specify the router on the other side of the firewall appliance as the
default gateway
• Each interface must be a different VLAN interface

3. ASARouting Features :
ASA Routing Capabilities:
• Static routing
• Dynamic routing
• RIP
• OSPF
• EIGRP
• Multicast Stub or Bi-directional PIM (can’t be configured concurrently)
Configuring Static Routes :

Configuring Dynamic Routing (EIGRP) :

4. ASAInspection Policy:
Advanced Protocol Inspection:
Advanced protocol inspection gives you options such as the following for defending
against application layer attacks:
• Blocking *.exe attachments
• Prohibiting use of Kazaa or other peer-to-peer file-sharing programs
• Setting limits on URL lengths
• Prohibiting file transfer or whiteboard as part of IM sessions
• Protecting your web services by ensuring that XML schema is valid
• Resetting a TCP session if it contains a string you know is malicious
• Dropping sessions with packets that are out of order

Modular Policy Framework:
The Modular Policy Framework (MPF) is an advanced feature of the ASA that
provides the security administrator with greater granularity and more flexibility when
configuring network policies. The security administrator can do the following:
■ Define flows of traffic.
■ Associate security policies to traffic flows.
■ Enable a set of security policies on an interface or globally.
Modular policies consist of the following components:
■ Class maps
■ Policy maps
■ Service policies
Configuring Layer 3/4 Inspection:
Differentiated Services Code Point (DSCP) is a field in an IP packet that enables
different levels of service to be assigned to network traffic. This is achieved by marking
each packet on the network with a DSCP code and appropriating to it the
corresponding level of service.

Configuring Layer 7 Inspection:
Layer 3/4 Class Maps vs. Layer 7 Class Maps:

Filtering FTP Commands: Layer 7 Policy Map 20

Filtering FTP Commands: Layer 7 Policy Map (Cont.)
Filtering FTP Commands: Service Policy Rule

Filtering FTP Commands: Service Policy Rule (Cont.)
Regular expression:
• The regular expression ".*.([Dd][Oo][Cc]|[Xx][Ll][Ss]|[Pp][Pp][Tt])" will block
any website address ending with ".doc," ".xls" or ".ppt" and block the
download or opening of these files from a web browser.
• The regular expression ".youtube.com" will block any YouTube website
address

5. ASAAdvanced Network Protection:
ASA Botnet Traffic Filter:
The Cisco ASA 5500 Series Botnet Traffic Filter is a new feature available with the
Cisco ASA 8.2 Software Release for botnet traffic detection. The Botnet Traffic Filter
monitors network ports across all ports and protocols for rogue activity, and detects
infected internal endpoints or bots sending command and control traffic back to a host
on the Internet. The command and control hosts receiving the information are
accurately identified using the Botnet Traffic Filter database.
Botnet Traffic Filter Address Categories
Addresses monitored by the Botnet Traffic Filter include:
•Known malware addresses—These addresses are on the blacklist identified by the
dynamic database and the static blacklist.
•Known allowed addresses—These addresses are on the whitelist. The whitelist is
useful when an address is blacklisted by the dynamic database and also identified by
the static whitelist.
•Ambiguous addresses—These addresses are associated with multiple domain
names, but not all of these domain names are on the blacklist. These addresses are
on the greylist.
•Unlisted addresses—These addresses are unknown, and not included on any list.
To configure the Botnet Traffic Filter, perform the following steps:
1. Enable use of the dynamic database.
2. (Optional) Add static entries to the database.
3. Enable DNS snooping.
4. Enable traffic classification and actions for the Botnet Traffic Filter.
5. (Optional) Block traffic manually based on syslog message information.

Configure Threat Detection:
• Basic threat detection
- Blocks attackers by monitoring rate of dropped packets and security events per
second
- When event thresholds are exceeded, attackers are blocked
- Enabled by default
• Scanning threat detection
- Blocks attackers performing port scans
- Disabled by default

6. ASAHigh Availability:
Configuring Virtual Firewalls :
• Enables a physical firewall to be partitioned into multiple standalone firewalls
• Each standalone firewall acts and behaves as an independent entity with it’s own
–Configuration
–Interfaces
–Security Policy
–Routing Table
• Examples scenarios to use Virtual Firewalls
–Education network that wants to segregate student networks from teacher
networks
–Service provider that wants to protect several customers without a physical
firewall for each.
–Large enterprise with various departments
• Context = a virtual firewall
• All virtualized firewalls must define a System context and an Admin
context at a minimum
• There is no policy inheritance between contexts
• The system space uses the admin context for network connectivity; system
space creates other contexts

Enabling and Disabling Multiple Context Mode:
Selects the context mode as follows:
multiple: Sets multiple context mode (mode with security contexts)
single: Sets single context mode (mode without security contexts)
noconfirm: Sets the mode without prompting you for confirmation
mode {single | multiple} [noconfirm]
ciscoasa(config)#
asa1(config)# mode multiple
Before you convert from multiple mode to single mode,
copy the backup version of the original running
configuration to the current startup configuration.
Unsupported Features with Virtualization:
• Dynamic routing protocols (EIGRP, OSPF, RIP) are not supported
• Multicast routing is not supported (multicast bridging is supported)
• MAC addresses for virtual interfaces are automatically set to physical interface MAC
• Admin context can be used, but grants root privileges to other contexts, use with
caution
• VPN services are not supported
asa1(config)# context CONTEXT1
Creating context ‘CONTEXT1'... Done. (4)
asa1(config-ctx)#

ciscoasa#
changeto {system | context name}
asa1# changeto context CONTEXT1
asa1/CONTEXT1#
Changes the environment to the system execution space or to the context
specified
asa1/CONTEXT1# changeto system
asa1#
Changes the environment to Context 1
Changes the environment to the system execution space
Changing Between Contexts:
Types of supported failover by ASA:
• Hardware failover
–Connections are dropped
–Client applications must reconnect
–Provided by serial or LAN-based failover link
–Active/Standby—only one unit can be actively processing traffic while other is
hot standby
–Active/Active—both units can actively process traffic and serve as backup units
• Stateful failover
–TCP connections remain active
–No client applications need to reconnect
–Provides redundancy and stateful connection
–Provided by stateful link

Modes of operation for failover:
■ Active/standby failover
■ Active/active failover
Failover Links:
■ LAN-based failover links: the failover messages are transferred over Ethernet
connections. LAN-based failover links provide message encryption and
authentication using a manual preshared key for added security. LAN-based
failover links require an additional Ethernet interface on each ASA to be used
exclusively for passing failover communications between two security appliance
units.
■ Stateful failover links: passes per-connection stateful information to the standby
ASA unit. Stateful failover requires an additional Ethernet interface on each security
appliance with a minimum speed of 100 Mbps to be used exclusively for passing
state information between the two ASAs. The LAN-based failover interface can also
be used as the stateful failover interface.
• The primary and secondary security appliances must be identical in the
following requirements:
– Same model number and hardware configurations
– Similar software versions
– Same Hardware
– Proper licensing (8.3 and above)

How Failover Works:
• Failover link passes Hellos between active and standby units every 15 seconds
(tunable from 3-15 seconds)
• After three missed hellos, primary unit sends hellos over all interfaces to check
health of its peer
• Whether a failover occurs depends on the responses received
• Interfaces can be prioritized by specifically monitoring them for responses
• If the failed interface threshold is reached then a failover occurs
What does Stateful Failover Mean?
Active/Active Failover Configuration:
1.Cable the interfaces on both ASAs
2.Ensure that both ASAs are in multiple context mode
3.Configure contexts and allocate interfaces to contexts
4.Enable and assign IP addresses to each interface that is allocated to a context
5.Prepare both security appliances for configuration via ASDM
6.Use the ASDM high availability and scalability Wizard to configure the ASA for
failover
7.Verify that ASDM configured the secondary ASA with the LAN-based failover
command set
8.Save the configuration to the secondary ASA to flash

Active/Standby Failover Configuration:
• One ASA acts as the active or primary and the other acts as a secondary or
standby firewall
• Primary and secondary communicate over a configured interfaces over the LAN-
based interface
• The primary is active and passes traffic, in the event of a failure the secondary
takes over
Steps:
1. Cable the interfaces on both ASAs
2. Prepare both security appliances for configuration via ASDM
3. Use the ASDM high availability and scalability Wizard to configure the primary
ASA for failover
4. Verify that ASDM configured the secondary ASA with the LAN-based failover
command set
5. Save the configuration to the secondary ASA to flash

Configure Active/Standby Using ASDM:

Overview: Logging with Syslog
• Defined in RFC 3164, syslog is a protocol that allows a host to send event
information to a syslog server
• Messages are commonly sent via UDP port 514 and are <1024 bytes
• By default, syslog provides no concept of authentication or encryption
• Events can be sent to a syslog server on any port between 1025 – 65535) via
either UDP (default 514) or TCP (default 1470)
ASDM Syslog Viewer:

Packet tracer:
Packet Capturing:
• Capturing packets is useful when you troubleshoot connectivity problems or
monitor suspicious activity.
• use the capture command in privileged EXEC mode.
• In order to see the details and hexadecimal dump, you need to transfer the buffer
in PCAP format and read it with TCPDUMP or Ethereal.
• This feature is not supported in ASDM

In the new window provide the parameters to capture the INGRESS traffic. Choose
the Ingress interface as Inside and provide the source and the destination IP address
of the packets to be captured with their subnetmask in the respective space provided.
Also, choose the packet type to be captured by ASA.
Choose the Egress interface as Outside and provide the source and the destination
IP address with their subnetmask

Provide the Packet size and the Capture buffer size in the respective space provided
as these data are required for the capture to take place. Also, remember to check
the Use circular buffer check box if you want to use the circular buffer option.
This window shows the Access-lists to be configured on the ASA for the the ASA to
capture the desired packets and shows the type of packet (IP packets are captured in
this example). Click Next.

Cisco Firewall v2.0 Exam Preparation Slides

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Cisco Firewall v2.0 Exam Preparation Slides

Similar to Cisco Firewall v2.0 Exam Preparation Slides (20)

Recently uploaded

Recently uploaded (20)

Cisco Firewall v2.0 Exam Preparation Slides