BRKCRT-2301
14363_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 2
Q&A
Exam Format
Test Practical Implementation Skills
Question Formats
• Declarative—A declarative exam item tests simple recall of pertinent facts.
• Procedural—A procedural exam item tests the ability to apply knowledge to solve a given issue.
• Complex Procedural—A complex procedural exam item tests the ability to apply multiple knowledge points to solve a given issue.
Types of questions
• Drag and drop
• Multiple choice
• Simulation
• Simlet
Test-Taking Advice
[Figure: ASA 5505, ASA 5510, ASA 5520 and ASA 5540 positioned by price against functionality; Gigabit Ethernet]
CSC-SSM
AIP-SSM
An AIP-SSM has the capability to detect and prevent misuse and abuse of, and unauthorized access to, network resources. The following attacks are the most commonly detected by an AIP-SSM:
• Network sweeps and scans
• Common network anomalies on most Open Systems Interconnection (OSI) layers
• Malformed Address Resolution Protocol (ARP) requests or replies
• Invalid IP datagrams (for example, a “Christmas tree” packet)
• Invalid TCP packets (for example, a source or destination port of 0)
• Malformed application-layer protocol units
• Flooding denial of service (DoS) attacks
• Application-layer content attacks
[Figure: ASA 5540 rear panel with Gigabit 0/3, Gigabit 0/4, Gigabit 0/5, Management 0/0, AUX and Console ports]
[Figure: fields of an ASA syslog message: logging device IP address, logging device-ID, logging date/timestamp, logging message-ID]
fw1(config)# static (dmz,outside) 192.168.1.3 172.16.1.9
Configure Tunnel-Group Attributes—Pre-Shared Key
[Figure: fw1 at Site 1 (host 10.0.1.11 behind it, outside 192.168.1.2) and fw6 at Site 2 (outside 192.168.6.2, host 10.0.6.11 behind it) connected across the Internet; each side defines an IPSec L2L tunnel-group named for its peer with pre-shared-key cisco123: fw1 for 192.168.6.2, fw6 for 192.168.1.2]
fw1(config)# tunnel-group 192.168.6.2 type IPSec-L2L
fw1(config)# tunnel-group 192.168.6.2 ipsec-attributes
fw1(config-ipsec)# pre-shared-key cisco123
Site-to-Site VPN: Hub and Spoke Configuration
[Figure: HQ hub 192.168.1.1 (10.0.1.0/24) with IPsec tunnels 192.168.1.1 → 192.168.1.10 (Branch A, 10.0.2.0/24) and 192.168.1.1 → 192.168.1.12 (10.0.4.0/24); encrypted traffic flows HQ to BR A (10.0.1.0/24 → 10.0.2.0/24), HQ to BR B (10.0.1.0/24 → 10.0.4.0/24) and BR A to BR B (10.0.2.0/24 → 10.0.4.0/24); the hub is configured to permit intra-interface traffic]
Group Policy
Attributes pushed to the client: DNS server, WINS server, DNS domain, address pool, idle time.
[Figure: WebVPN tunnel from a wireless computer or kiosk, via a broadband or wireless provider and an ISP, across the Internet to the corporate network]
[Figure: WebVPN portal bookmark Console-Server reached over the WebVPN tunnel to 10.0.1.11/24]
Selects predefined URLs that were configured by using the url-list command.
[Figure: Routed Mode with 10.0.1.0 on VLAN 100 and 10.0.2.0 on VLAN 200 versus Transparent Mode with 10.0.1.0 on both VLAN 100 and VLAN 200]
The following features are not supported in transparent mode:
• NAT
• Dynamic routing protocols
• IPv6
• DHCP relay
• Quality of Service
• Multicast
• VPN termination for through traffic
[Figure: multiple-context ASA with admin, CTX1 and CTX2 contexts (configuration files ctx1.cfg and ctx2.cfg) using interfaces ethernet0, ethernet1, ethernet3 and ethernet4 toward the Internet]
Hardware Failover
• Connections are dropped.
• Client applications must reconnect.
• Provided by a serial or LAN-based failover link.
• Active/Standby—only one unit actively processes traffic while the other is in hot standby.
• Active/Active—both units can actively process traffic and serve as backup units.
Stateful failover
• TCP connections remain active.
• No client applications need to reconnect.
• Provides redundancy and stateful connections.
• Provided by a stateful link.
Active/Active failover adds support for failover groups.
• Failover is performed on a unit or group level.
• A group is comprised of one or more contexts.
• Each failover group contains separate state machines to keep track of the group failover state.
fw1(config)# failover group 1
fw1(config-fover-group)# primary
fw1(config)# failover group 2
fw1(config-fover-group)# secondary
Resource Management
Limits the use of resources per context.
Prevents one or more contexts from using too many resources and causing other contexts to be denied use of resources.
Enables you to configure limits for the following resources:
• ASDM connections
• Telnet sessions
• Connections
• Xlate objects
• Hosts
• Application inspections (rate only)
• SSH sessions
• Syslogs per second (rate only)
[Figure: HTTP from the Internet through CONTEXT 1 and CONTEXT 2; connections for CONTEXT2 limited to 20%]
fw1(config)# class MEDIUM-RESOURCE-SET
fw1(config-class)# limit-resource conns 20%
Limits the MEDIUM-RESOURCE-SET class to 20 per cent of the system connection limit.
fw1(config)# context context2
fw1(config-ctx)# member MEDIUM-RESOURCE-SET
Assigns the context2 context to the MEDIUM-RESOURCE-SET class.
Exam Topics—Configure AAA Services for Access Through a Security Appliance
Authentication via LOCAL database
fw1(config)# username admin1 password cisco123
fw1(config)# aaa authentication telnet console LOCAL

Authentication via external database (NY_ACS, 10.0.0.2) with LOCAL backup
fw1(config)# aaa-server NY_ACS protocol tacacs+
fw1(config)# aaa-server NY_ACS (inside) host 10.0.0.2
fw1(config-aaa-server)# key secretkey
fw1(config)# aaa authentication telnet console NY_ACS LOCAL
[Figure: ACS Group Setup for command authorization: Unmatched Cisco IOS commands (Deny/Permit); Command: ftp; Arguments: permit 192.168.0.12 (ftp is in the arguments list); Unlisted arguments (Deny/Permit); matching access-list entry permit tcp any host 192.168.0.12 eq ftp]
Configure Accounting of Connection Start/Stop
[Figure: “aaauser” at 192.168.1.10 and 192.168.1.11 reaching the FTP server 172.16.4.9 and WWW server 172.16.4.10 through the ASA; authentication and accounting via RADIUS to NY_ACS (TACACS+ server) at 10.0.0.2]
14363_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 86
BRKCRT-2301
14363_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 87
BRKCRT-2301
14363_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 88
vlan20
vlan10 vlan30
Trunk port
Internet
10.0.0.0
192.168.0.0
RIP v2
192.168.0.0 10.0.0.0
10.0.1.0
172.26.26.30 RIP v2 RIP v1
BRKCRT-2301
14363_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 90
[Figure: ASA running OSPF with areas 0, 2.2.2.0 and 10.0.0.0 across networks 1.1.1.0, 2.2.2.0, 10.0.0.0 and 10.0.1.0, one side toward the Internet, one marked Private]
firewall(config)# network ip_address netmask area area_id
• Adds and removes interfaces to and from the OSPF routing process
fw1(config)# router ospf 1
fw1(config-router)# network 1.1.1.0 255.255.255.0 area 0
fw1(config-router)# network 2.2.2.0 255.255.255.0 area 2.2.2.0
fw1(config-router)# network 10.0.0.0 255.255.255.0 area 10.0.0.0
Layer 7: Application Inspection Overview
Layer 7: Application Inspection—Deep packet inspection
• “Get”—Allow
• “Put”—Reset
• “Post”—Reset
[Figure: HTTP requests from the Internet to the DMZ HTTP server]
Create a Layer 7 application inspection policy
• Class-map type inspect—Identify application inspection criteria based on the attributes of a given protocol
• Policy-map type inspect—Apply an action to identified packets: allow, reset, or log
fw1(config)# class-map type inspect http HTTP_SAFE_Method
fw1(config-cmap)# match request method get
fw1(config)# class-map type inspect http HTTP_RESTRICTED_Methods
fw1(config-cmap)# match request method post
fw1(config-cmap)# match request method put
fw1(config)# policy-map type inspect http inbound_http_traffic
fw1(config-pmap)# class HTTP_SAFE_Method
fw1(config-pmap-c)# allow
fw1(config-pmap)# class HTTP_RESTRICTED_Methods
fw1(config-pmap-c)# reset log
Inspection class maps enable you to group multiple traffic matching statements. The inspection class map is then assigned to the inspection policy map.
Alternatively, pair a single traffic match statement with an action directly in the policy map.
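An inspection policy map does nothing until a Layer 3/4 policy calls it and a service policy binds that policy to an interface. The following added example (not from the session slides) shows that full Modular Policy Framework chain for the HTTP inspection policy map built above, plus the second form just described: a single match with its action placed directly inside an FTP inspection policy map, with no inspection class map. The names DMZ_HTTP_ACL, DMZ_HTTP, OUTSIDE_POLICY and FTP_PUT_RESET are assumptions; 192.168.1.3 is the DMZ web server's outside-visible address from the deck's static NAT slide.

```cisco
! Added example, not from the session deck. Names DMZ_HTTP_ACL, DMZ_HTTP,
! OUTSIDE_POLICY and FTP_PUT_RESET are assumptions; 192.168.1.3 is the
! DMZ web server's outside-visible address from the deck's static NAT slide.

! 1. Layer 3/4 class map: which flows receive the HTTP inspection policy.
fw1(config)# access-list DMZ_HTTP_ACL extended permit tcp any host 192.168.1.3 eq www
fw1(config)# class-map DMZ_HTTP
fw1(config-cmap)# match access-list DMZ_HTTP_ACL

! 2. A single match paired with its action directly inside an inspection
!    policy map, with no inspection class map (the second form described above).
fw1(config)# policy-map type inspect ftp FTP_PUT_RESET
fw1(config-pmap)# match request-command put
fw1(config-pmap-c)# reset log

! 3. Layer 3/4 policy map: hand matched flows to the inspection engines.
!    inbound_http_traffic is the HTTP inspection policy map from the slide above.
fw1(config)# policy-map OUTSIDE_POLICY
fw1(config-pmap)# class DMZ_HTTP
fw1(config-pmap-c)# inspect http inbound_http_traffic
fw1(config-pmap)# class inspection_default
fw1(config-pmap-c)# inspect ftp strict FTP_PUT_RESET

! 4. Bind the policy to the interface (one interface service policy per interface).
fw1(config)# service-policy OUTSIDE_POLICY interface outside

! 5. Verify per-class hit counts and inspection resets/drops.
fw1# show service-policy interface outside
```

Without step 4 the class and policy maps are accepted by the parser but never see a packet, so the show command in step 5 is the quickest check that the inspection is actually in the traffic path.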
Regular Expressions
[Figure: a client logging in to an FTP/mail server across the Internet with “ftp> username: root”; the ASA is configured to drop packets containing the string “root”]
Recommended Reading