CCSP Prep: Preparing To Take The Securing Networks With PIX and ASA (SNPA) 642-523 Exam

CCSP Prep: Preparing to
Take the Securing Networks

with PIX and ASA (SNPA)
642-523 Exam
BRKCRT-2301
BRKCRT-2301
14363_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 2
© 2008, Cisco Systems, Inc. All rights reserved. 1

14363_04_2008_c2.scr
Agenda
Cisco Certified Security Professional

Preparing for the SNPA Exam
Exam Format
Exam Topics
What you need to know
Key Technology Reviews
Sample Exam Questions
Q&A
BRKCRT-2301
Cisco Certified Security Professional

“The CCSP certification (Cisco Certified Security Professional)
validates advanced knowledge and skills required to secure
Cisco networks.”
Acronym Course Name
SND Securing Cisco Network Devices
SNRS Securing Networks with Cisco Routers and Switches
SNPA Securing Networks with PIX and ASA v.5
IPS Implementing Cisco Intrusion Prevention Systems
Plus one of the electives below
CANAC or Implementing Network Admissions Control

HIPS or Securing Hosts Using Cisco Security Agent
MARS or Implementing Cisco Security Monitoring, Analysis and
Response System
BRKCRT-2301

14363_04_2008_c2.scr
Preparing for the SNPA Exam
Instructor Led and Web Based Training

Securing Networks with PIX and ASA
CCO
Config Guides
Command References
Cisco Press
Prepare: CCSP SNPA Official Exam Certification Guide, 3rd Ed.
Practice: CCSP Flash Cards and Exam Practice Pack
Recommended Reading: Cisco ASA, PIX, and FWSM Firewall
Handbook, Second Ed.
Recommended Reading: CCSP SNPA Quick Reference
Practical Experience
BRKCRT-2301
Exam Format
Test Practical Implementation Skills
Question Formats
Declarative—A declarative exam item tests simple recall of
pertinent facts
Procedural—A procedural exam item tests the ability to apply
knowledge to solve a given issue
Complex Procedural—A complex procedural exam item tests the
ability to apply multiple knowledge points to solve a given issue
Types of questions
Drag and drop Multiple choice
Simulation Simlet
BRKCRT-2301

14363_04_2008_c2.scr
Exam Taking Tips
Practical Tips on Taking a Multiple-choice Examination
Test-Taking Advice
9 Eliminate nonsense options

9 Look for the “best” answer
9 Look for subtleties
9 Make an intelligent guess
9 Use a time budget—Don’t spend too
much time on one question
BRKCRT-2301
What We Will Cover

Impossible to cover all topics for SNPA in two hour session
Session is about “How to Prepare for the SNPA Exam”, not
about “Cover all SNPA knowledge in two hours”
Will provide:
Suggestions
Resources
Some sample questions
Will cover key and newer exam topics likely to be included

on the exam based on exam topics listed on the Cisco SNPA
Certification website:
www.cisco.com/web/learning/le3/current_exams/642-523.html
BRKCRT-2301

14363_04_2008_c2.scr
Cisco SNPA Certification
Website—SNPA Exam Topics
SNPA Exam Topics from the Cisco SNPA Certification

website provides general guidelines for the content
likely to be included on the exam. However, other
related topics may also appear on any specific delivery
of the exam
Install and configure a security appliance for basic network
connectivity
Configure a security appliance to restrict inbound traffic from
untrusted sources
Configure a security appliance to provide secure connectivity
using site-to-site VPNs
BRKCRT-2301
Exam Topics (Con’t)
Configure a security appliance to provide secure

connectivity using remote access VPNs
Configure transparent firewall, virtual firewall, and high
availability firewall features on a security appliance
Configure AAA services for the security appliance
Configure routing and switching on a security appliance
Configure security appliance advanced application
layer and modular policy features
Monitor and manage an installed security appliance
BRKCRT-2301

14363_04_2008_c2.scr
Disclaimer
This Session Will Strictly Adhere to Cisco’s Rules of
Confidentiality
We may not be able to address your specific question
If you have taken the exam please refrain from asking
questions from the exam
We will be available after the session to direct you
to resources to assist with specific questions or to
provide clarification
BRKCRT-2301
Exam Topic—Install and

configure a security
appliance for basic
network connectivity
BRKCRT-2301

14363_04_2008_c2.scr
Install and Configure a Security Appliance
for Basic Network Connectivity Subtopics
What You Need to Know:
Describe the firewall technology
Describe the Security Appliance hardware and
software architecture
Determine the Security Appliance hardware and
software configuration and verify if it is correct
Use setup or the CLI to configure basic network
settings, including interface configurations
Use appropriate show commands to verify initial
configurations
Configure NAT and global addressing to meet
user requirements
Configure DHCP client option
BRKCRT-2301
Install and Configure a Security Appliance

for Basic Network Connectivity Subtopics
(Con’t)
Set default route
Configure logging options
Explain the information contained in syslog files
Configure static address translations
Configure Network Address Translations: PAT
Verify network address translation operation
BRKCRT-2301

14363_04_2008_c2.scr
Describe the Security Appliance
Hardware and Software Architecture
ASA Security Appliance Family
ASA 5550
ASA 5540
Price
ASA 5520
ASA 5510
ASA 5505
Gigabit Ethernet
SOHO ROBO SMB Enterprise SP
Functionality
BRKCRT-2301
ASA Content Security Control

Security Services Module (AIP-SSM)
CSC-SSM
The CSC-SSM can block or clean malicious traffic from

SMTP, POP3, HTTP, and FTP network traffic.
Malware Protection Content Control

Base License Plus License
• Anti-Virus • URL Filtering
• Anti-Spyware • Anti-Spam
• File Blocking • Anti-Phishing
• Email Content Filtering
BRKCRT-2301

14363_04_2008_c2.scr
ASA Advanced Inspection and Prevention
Security Services Module (AIP-SSM)
AIP-SSM
An AIP-SSM has the capability to detect and prevent misuse and abuse
of, and unauthorized access to, network resources. The following attacks
are the most commonly detected attacks by a AIP-SSM:
Network sweeps and scans,
Common network anomalies on most Open Systems Interconnection
(OSI) layers,
Malformed Address Resolution Protocol (ARP) requests or replies
Invalid IP datagrams (for example, a “Christmas tree” packet)
Invalid TCP packets (For example, a source or destination port is 0.)
Malformed application-layer protocol units
Flooding denial of service (DoS) attacks
Application layer content attacks
BRKCRT-2301
ASA 5505 and 5510 Licensing

Rel 7.2 Licensing
Security IPSec Failover Concurrent

Licenses Interfaces VLANs Firewall
Contexts VPN Peers A/S A/A Connections
ASA 5505
Base 8 x 10/100 N/A 3 10 N/A N/A 10,000
Security Plus 8 x 10/100 N/A 20 25 Yes* N/A 25,000
ASA 5510
3 x 10/100
Base N/A 50 250 N/A N/A 50,000
1 x Mgmt
Security Plus 5 x 10/100 2/5 100 250 Yes Yes 130,000
* Stateless A/S failover

BRKCRT-2301

14363_04_2008_c2.scr
ASA 5520, 5540, and 5550 Licensing
Rel 7.2 Licensing
Security IPSec Failover WebVPN

Licenses Interfaces VLANs Peers
Contexts VPN Peers A/S A/A
ASA 5520
4 x 10/100/1000
Base 2 150 750 Yes Yes 2
1 10/100
10, 25,50, 100,
Optional N/A 5, 10, 20 N/A N/A N/A N/A
250, 500, 750
ASA 5540
Base 4 x 10/100/1000 2 200 5000 Yes Yes 2

1 10/100
Optional N/A 5, 10, 20, 50 N/A N/A N/A N/A 10, 25,50, 100,
250, 500, 750,
1000, 2500
ASA 5550
Base 8 x 10/100/1000 2 250 5000 Yes Yes 2

4 fiber
1 10/100
10, 25,50, 100,
Optional N/A 5, 10, 20, 50 N/A N/A N/A N/A
250, 500, 750,
1000, 2500,
5000
BRKCRT-2301
Describe the Security Appliance

Hardware and Software Architecture
Drag the port name on the left to correct port location on the right.
Not all apply.
Gigabit 0/0
Port A
Gigabit 0/1
Port B
Gigabit 0/3
ASA 5540
Gigabit 0/4
Gigabit 0/5
Management 0/0
AUX
Port C
Failover Port D
Console
BRKCRT-2301

14363_04_2008_c2.scr
Customize Syslog Output
A customer wants to stop a security appliance from outputting
“uninteresting” syslog messages such as message 710005.
Drag the parameter on the left to correct letter on the right to
complete the command.
The actual exam
items do not look like
this. These are for
review purposes only
fw1(config)# A logging B 710005
clear A
no B
message
trap
BRKCRT-2301
Explain the Information Contained in

Syslog Files
Drag the logging descriptor on the left to correct location on
the right
Item A
Logging Level
Item B
Logging Device IP address
Item C
Logging Device-ID
Item D
Logging Date/Timestamp
Item E
Logging Message-ID
BRKCRT-2301

14363_04_2008_c2.scr
NAT/Global vs. Static Command
Inside
Sam Jones
Outside 10.0.0.12
Internet
Global Bob Smith
NAT/Global Pool 10.0.0.11
For dynamic NAT/PAT address assignments

Inside end-user receives an address from a pool of available addresses
Used mostly for outbound end-user connections
WWW Server FTP Server
172.16.1.9 172.16.1.10
Fixed Sam Jones

Fixed 10.0.0.12
Internet
Outside Inside
Static Bob Smith
10.0.0.11
For a “permanent” address assignments
Used mostly for server connections
BRKCRT-2301
Configure Network Address

Translations: PAT
Customer desires packets from subnet 10.0.2.0 on the inside to be
dynamically translated to 192.168.0.9 on the outside. Drag the parameter
on the left to correct letter on the right to complete the command.
fw1(config)# nat (inside) 2 10.0.2.0

255.255.255.0
192 .168.0.9 fw1(config)# global ( A ) B C netmask
.1 255.255.255.255
192 .168.0.8 192.168.0.0
.2
outside
inside
.1 10.0.0.0
A
192.168.0.9
B
10.0.1.0 10.0.2.0 10.0.2.0
C
1
2
Engineering Sales
BRKCRT-2301

14363_04_2008_c2.scr
Configure Static Address Translations
Customer desires packets sent to 192.168.1.3 on the outside to be
translated to 172.16.1.9 on the DMZ. Drag the parameter on the left
to correct letter on the right.
DMZ
WWW Server
172.16.1.9
192.168.1.3
Internet
Outside Inside
fw1(config)# static (A,B) C D netmask 255.255.255.255
Outside A
DMZ B
192.168.1.3 C
172.16.1.9 D
BRKCRT-2301
Configure a Net Static

A customer desires packets sent to 192.168.10.0 subnet on the outside
to be translated to the same host number on the 172.16.1.0 subnet on
the DMZ. Drag the parameter on the left to correct letter on the right.
DMZ
WWW Server FTP Server
172.16.1.9 172.16.1.10
192.168.10.9
Internet 192.168.10.10
Outside Inside
fw1(config)# static (A,B) C D netmask 255.255.255.0
Outside A
DMZ B
192.168.10.0 C
172.16.1.0 D
BRKCRT-2301

14363_04_2008_c2.scr
Configure Static Port Redirection
A customer wants packets sent to 192.168.0.9/2121 be redirected
by security appliance to 172.16.1.10/ftp. Drag the parameter on the
left to correct letter on the right to accomplish this task.
DMZ
FTP1 Server FTP2 Server
ftp 192.168.0.9:2121 172.16.1.9 172.16.1.10
192.168.0.9/2121
Internet
Outside Inside
fw1(config)# static (A,B) tcp C D E F netmask 255.255.255.255

Outside DMZ C
A
192.168.0.9 172.16.1.10 D
B
2121 FTP E
F
BRKCRT-2301
Set Embryonic and Connection Limits on

the Security Appliance
A customer wants to limit the number of TCP and UDP packets to
DMZ Server 2. Using the static command, drag the parameter on
the left to correct letter on the right to accomplish this task.
DMZ
UDP_Max_Conns = 100 DMZ Server 2
TCP_Max_Conns = 200 172.16.1.9
Embryonic_limit = 25
192.168.1.3
Internet
Outside Inside
fw1(config)# static (dmz,outside) 192.168.1.3
172.16.1.9 A B C D
100
A
UDP
B
200 C
BRKCRT-2301
25 D

14363_04_2008_c2.scr
Exam Topic—Configure
a Security Appliance to
Restrict Inbound Traffic
from Untrusted Sources
BRKCRT-2301
Configure a Security Appliance to Restrict

Inbound Traffic from Untrusted Sources Subtopics
Configure access-lists to filter traffic based on address, time,
and protocols
Configure object-groups to optimize access-list processing
Configure Network Address Translations: Nat0
Configure Network Address Translations: Policy NAT
Configure java/activeX filtering
Configure URL filtering
Verify inbound traffic restrictions
Configure static port redirection
Configure a net static
Set embryonic and connection limits on the security appliance
BRKCRT-2301

14363_04_2008_c2.scr
Security Appliance ACL Configuration
Outside Inside
Internet
ACL for ACL to deny
inbound access outbound access
No ACL
Outbound permitted by default
Inbound denied by default
Security appliance configuration philosophy is interface based.

Interface ACL permits or denies the initial packet incoming or
outgoing on that interface
ACL needs to describe only the initial packet of the application;
no need to think about return traffic
If no ACL is attached to an interface, the following ASA policy applies:
Outbound packet is permitted by default
Inbound packet is denied by default
BRKCRT-2301
Configure Access-Lists to Filter Traffic

Based on Address and Protocol
An customer wants to enable Internet users HTTP only access to the
company’s DMZ WWW Server. Using the access-list command, drag the
parameter on the left to correct letter on the right to accomplish this task.
172.16.0.2 DMZ-WWW
Inbound Server
192.168.0.9
192.168.0.0
Internet Inside
Outside .2 10.0.0.0
fw1(config)# static (DMZ,outside) 192.168.0.9 172.16.0.2

fw1(config)# access-list aclout permit tcp A B C eq D
any WWW
A
host 255.255.255.0 B
172.16.0.2 C
192.168.0.9 D
BRKCRT-2301

14363_04_2008_c2.scr
Configure Access-Lists to Filter Traffic
Based on Address and Time
Enable access: DMZ
8 AM to 5 PM Server
Temp 1 Jun to 30 Jun 172.16.0.6
Worker
Internet 192.168.0.6 10.0.0.0 Inside
.9
192.168.10.2
Define a time when certain resources can be accessed

Absolute start and stop time and date
Recurring time range time and day of the week
Apply time-range to an ACL
fw1(config)# time-range temp-worker

fw1(config-time-range)# absolute start 00:00 1 June 2006
end 00:00 30 June 2006
fw1(config-time-range)# periodic weekdays 8:00 to 17:00
fw1(config)# static (dmz,outside) 192.168.0.6 172.16.0.6
fw1(config)# access-list aclin permit tcp host 192.168.10.2
host 192.168.0.6 eq www time-range temp-worker
BRKCRT-2301

Translations: Policy NAT
When sending sales orders to Company A, All ABC Corp. IP source
addresses must be to translated to 192.168.0.33. Using the access-list
and global command, drag the parameter on the left to correct letter on
the right to accomplish this task.
ABC Corp.
Company A 192.168.0.33
Sales Server 10.0.0.15/24
192.168.10.11
Internet
fw1(config)# access-list company_a permit tcp A 255.255.255.0

host B
fw1(config)# nat (inside) 10 access-list company_a
fw1(config)# global (outside) C D netmask 255.255.255.255
192.168.0.33 10.0.0.15
A B
0 10.0.0.0
C D
192.168.10.11 10
BRKCRT-2301

14363_04_2008_c2.scr
Translations: Nat0
A customer does NOT want to translate home office to corporate office
VPN traffic . Using the access-list and nat command, drag the parameter
on the left to correct letter on the right to accomplish this task.
Home office Corporate office
No
Translation
fw1
Internet
10.100.1.0 /24 10.10.0.0/24
fw1(config)# access-list VPN-NO-NAT permit ip A

255.255.255.0 B 255.255.255.0
fw1(config)# nat (inside) C access-list VPN-NO-NAT
10.10.0.0
A
10.100.1.0
B
0
C
1
BRKCRT-2301
Configure Object-Groups to Optimize

Access-List Processing
A network administrator wants to grant external IT personnel, on subnet
192.168.10.0/24, HTTPS access to the servers on the DMZ subnet,
172.16.1.0/24 Using the access-list command, drag the parameter on
the left to correct letter on the right to accomplish this task.
fw1(config)# object-group service object1 tcp
fw1(config-service)# port-object eq https
fw1(config)# object-group network object2
fw1(config-network)# network-object 172.16.1.0 255.255.255.0
fw1(config)# object-group network object3
fw1(config-network)# network-object 192.168.10.0
255.255.255.0
fw1(config)# access-list IT extended permit tcp object-group
A object-group B object-group C
object1 A
object2 B
object3 C
BRKCRT-2301

14363_04_2008_c2.scr
Exam Topic—Configure a
Security Appliance to
Provide Secure Connectivity
Using Site-to-Site VPNs
BRKCRT-2301
Configure a Security Appliance to Provide

Secure Connectivity Using Site-to-Site VPNs
Explain the basic functionality of IPSec
Configure IKE with preshared keys
Differentiate between the types of encryption
Configure IPSec parameters
Configure crypto-maps and ACLs
BRKCRT-2301

14363_04_2008_c2.scr
Identify Interesting Traffic
fw1 fw6
Site 1 Site 2
Internet
10.0.1.11 e0 192.168.1.2 e0 192.168.6.2 10.0.6.11
fw1(config)# access-list 101 permit ip A

255.255.255.0 B 255.255.255.0
fw6(config)#access-list 101 permit ip C

255.255.255.0 D 255.255.255.0
10.0.1.0 A
10.0.6.0 B
10.0.1.0 C
10.0.6.0 D
BRKCRT-2301
Configure Tunnel-Group
Attributes—Pre-Shared Key
fw1 fw6
Site 1 Site 2
Internet
10.0.1.11 192.168.1.2 192.168.6.2 10.0.6.11
Tunnel-group
192.168.6.2 IPSec Tunnel-group
L2L IPSec 192.168.1.2
L2L
Tunnel-Group
pre-shared-key cisco123
192.168.6.2
Tunnel-group
pre-shared-key cisco123
192.168.1.2
fw1(config)# tunnel-group 192.168.6.2 type IPSec-L2L
fw1(config)# tunnel-group 192.168.6.2 ipsec-attributes
fw1(config-ipsec)# pre-shared-key cisco123
BRKCRT-2301

14363_04_2008_c2.scr
Configure IKE with Pre-Shared Keys
fw1 fw6
Site 1 Site 2
Internet
10.0.1.11 e0 192.168.1.2 e0 192.168.6.2 10.0.6.11
fw1(config)# isakmp policy 10 encryption 3des

fw1(config)# isakmp policy 10 hash sha
fw1(config)# isakmp policy 10 authentication pre-share
fw1(config)# isakmp policy 10 group 1
fw1(config)# isakmp policy 10 lifetime 86400
BRKCRT-2301
Configure IPSec Parameters

Security Security
Appliance 1 Appliance 6
Site 1 Site 2
Internet
10.0.1.11 e0 192.168.1.2 e0 192.168.6.2 10.0.6.11
fw1(config)# crypto ipsec transform-set FW6 esp-des

esp-md5-hmac
esp-des ESP transform using DES cipher (56 bits)

esp-3des ESP transform using 3DES cipher(168 bits)
esp-aes ESP transform using AES-128 cipher
esp-aes-192 ESP transform using AES-192 cipher
esp-aes-256 ESP transform using AES-256 cipher
esp-md5-hmac ESP transform using HMAC-MD5 auth
esp-sha-hmac ESP transform using HMAC-SHA auth
BRKCRT-2301

14363_04_2008_c2.scr
Configure IPSec Parameters
Security Security
Appliance 1 Appliance 6
Site 1 Site 2
Internet
10.0.1.11 e0 192.168.1.2 e0 192.168.6.2 10.0.6.11
fw1(config)# crypto ipsec transform-set FW6 A B
Select two secure transforms for the IPSec tunnel.

Drag the parameter on the left to correct letter on the
right to accomplish this task.
esp-3des
esp-rc4
A
ah-md5-hmac
B
ah-aes-128
esp-sha-hmac
BRKCRT-2301
Configure Crypto-Maps and ACLs
fw1 fw6
Site 1 Site 2
Internet
10.0.1.11 e0 192.168.1.2 e0 192.168.6.2 10.0.6.11
fw1(config)# access-list 101 permit ip A 255.255.255.0

B 255.255.255.0
fw1(config)# crypto ipsec transform-set FW6 esp-3des esp-
sha-hmac
fw1(config)# crypto map FW1MAP 10 set peer C
fw1(config)# crypto map FW1MAP 10 match address D
fw1(config)# crypto map FW1MAP 10 set transform-set fw6
fw1(config)#crypto map FW1MAP interface outside
10.0.1.0 101
A B
10.0.6.0 FW1MAP
C D
192.168.1.2 192.168.6.2
BRKCRT-2301

14363_04_2008_c2.scr
Site-to-Site VPN:
Hub and Spoke
Traffic Flow
Branch A
HQ to BR A 10.0.2.0/24
HQ to BR B
HQ BR A to BR B
Internet
Permit
intra-interface
Traffic
10.0.1.0/24 10.0.4.0/24
Understand the traffic flow

Utilize existing S2S tunnels
Branch B
Add additional crypto access-lists
Add “same-security-traffic permit intra-interface” at the hub site
BRKCRT-2301
Site-to-Site VPN:
Hub and Spoke IPsec Tunnels
192.168.1.10 Æ 192.168.1.1
Encrypted Traffic
IPsec Tunnels 10.0.2.0/24 Æ 10.0.1.0/24
192.168.1.1 Æ 192.168.1.10 10.0.2.0/24 Æ 10.0.4.0/24
192.168.1.1 Æ 192.168.1.12 Branch A
Encrypted Traffic 10.0.2.0/24
10.0.1.0/24 Æ 10.0.2.0/24
10.0.1.0/24 Æ 10.0.4.0/24
192.168.1.10
HQ
192.168.1.1
Internet IPsec Tunnels

192.168.1.12 Æ 192.168.1.1
Encrypted Traffic
Permit 10.0.4.0/24 Æ 10.0.1.0/24
intra-interface 10.0.4.0/24 Æ 10.0.2.0/24
Traffic
10.0.1.0/24 10.0.4.0/24
Understand the traffic flow 192.168.1.12

Branch B
BRKCRT-2301

14363_04_2008_c2.scr
Site-to-Site VPN:
Hub and Spoke IPsec Tunnels
192.168.1.10 Æ 192.168.1.1
Encrypted Traffic
IPsec Tunnels 10.0.2.0/24 Æ 10.0.1.0/24
192.168.1.1 Æ 192.168.1.10 10.0.2.0/24 Æ 10.0.4.0/24
192.168.1.1 Æ 192.168.1.12 Branch A
10.0.1.0/24 Æ 10.0.2.0/24
10.0.1.0/24 Æ 10.0.4.0/24
192.168.1.10
HQ
192.168.1.1
Internet IPsec Tunnels

192.168.1.12 Æ 192.168.1.1
Encrypted Traffic
Permit 10.0.4.0/24 Æ 10.0.1.0/24
intra-interface 10.0.4.0/24 Æ 10.0.2.0/24
Traffic
10.0.1.0/24 10.0.4.0/24

Branch B
BRKCRT-2301
Site-to-Site VPN:
Hub and Spoke
Hub and Spoke Configuration
IPsec Tunnels
192.168.1.1 Æ 192.168.1.10
192.168.1.1 Æ 192.168.1.12 Branch A
10.0.1.0/24 Æ 10.0.2.0/24
10.0.1.0/24 Æ 10.0.4.0/24
192.168.1.10
HQ
192.168.1.1
Internet
Permit
intra-interface
Traffic
10.0.1.0/24 10.0.4.0/24

Branch B
BRKCRT-2301

14363_04_2008_c2.scr
Exam Topics—Configure a
Security Appliance to
Provide Secure Connectivity
Using Remote Access VPNs
BRKCRT-2301
Configure a Security Appliance to Provide

Secure Connectivity Using Remote Access VPNs
Explain the functions of EasyVPN
Configure IPSec using EasyVPN Server/Client
Configure the Cisco Secure VPN client
Explain the purpose of WebVPN
Configure WebVPN services: Server/Client
Verify VPN operations
Install and Configure SVCs
Install and Configure Cisco Secure Desktop
BRKCRT-2301

14363_04_2008_c2.scr
Configure ISAKMP Parameters
Remote Client
172.26.26.1 Outside Inside Server
Internet 10.0.0.15
Fw1(config)# isakmp enable outside

…………………………………………………………………………………………..
fw1(config)# isakmp policy 10 encryption 3des
fw1(config)# isakmp policy 10 hash sha
fw1(config)# isakmp policy 10 authentication pre-share
fw1(config)# isakmp policy 10 group 2
fw1(config)# isakmp policy 10 lifetime 86400
BRKCRT-2301
Configure IPSec Tunnel-Group

Remote Client
Internet 10.0.0.15
fw1(config)# ip local pool mypool 10.0.0.100-10.0.0.254

!--- Configure tunnel-group parameters
fw1(config)# tunnel-group training type A
fw1(config)# tunnel-group training B
fw1(config-ipsec)# pre-shared-key cisco123
fw1(config)# tunnel-group training C
fw1(config-general)# address-pool mypool
IPSec_RA A
ipsec-attributes B
general-attributes C
IPSec-L2L
BRKCRT-2301

14363_04_2008_c2.scr
Configure Group Policy
Remote Client
Internet 10.0.0.15
Group Policy
Push
DNS server
to client
WINS server
DNS domain
Address pool
Idle time
fw1(config)# group-policy training internal

fw1(config)# group-policy training attributes
fw1(config-group-policy)# wins-server value 10.0.0.15
fw1(config-group-policy)# dns-server value 10.0.0.15
fw1(config-group-policy)# vpn-idle-timeout 15
fw1(config-group-policy)# default-domain value cisco.com
BRKCRT-2301
Configure Crypto Map

An administrator needs to complete a dynamic crypto map for this
solution. Drag the parameter on the left to correct letter on the right to
accomplish this task.
Internet 10.0.0.15
fw1(config)# crypto ipsec transform-set rmtuser1 esp-3des

esp-md5-hmac
fw1(config)# crypto dynamic-map rmt-dyna-map 10 set
transform-set A
fw1(config)# crypto map rmt-user-map 10 ipsec-isakmp
dynamic-map B
!--- Apply crypto map to the outside interface.
fw1(config)# crypto map C interface outside
rmt-user-map A
rmt-dyna-map B
rmtuser1 C
BRKCRT-2301

14363_04_2008_c2.scr
Explain the Purpose of WebVPN
Home Office
Broadband
Provider
WebV ISP
PNTu
nnel
Wireless Corporate
Computer Kiosk Provider
Tunnel Network
WebVPN
Uses a standard SSLVPN to access the corporate network

Access to internal websites (HTTP/HTTPS), including filtering
Access to internal Windows (CIFS) File Shares
TCP port forwarding for legacy application support
Access to e-mail via POP, SMTP, and IMAP4 over SSL
BRKCRT-2301
Configure SSLVPN Services

HTTP-Server
Remote Client Security
Appliance 10.0.1.10/24
WebVPN Tunnel
Console-Server
10.0.1.11/24
fw1(config)# group-policy corp_sslvpn attributes

Enters the group-policy attributes subcommand mode
fw1(config-group-policy)# webvpn
Enters WebVPN group-policy attributes subcommand mode
fw1(config-group-webvpn)# functions url-entry file-access file-
entry file-browsing
Enables file access, entry, browsing, and URL entry for the group
fw1(config-group-webvpn)# url-list value URLs
Selects predefined URLs that were configured by using the url-list command
BRKCRT-2301

14363_04_2008_c2.scr
Configure SSLVPN File Services
Superserver
Remote Client Security
Appliance 10.0.1.10/24
WebVPN Tunnel
Training
10.0.1.11/24

fw1(config-group-webvpn)# functions url-entry file-access file-entry file-
browsing
fw1(config-group-webvpn)# url-list value sslvpn_urls
fw1(config)# url-list sslvpn_urls "Superserver" http://10.0.1.10
fw1(config)# url-list sslvpn_urls "CIFS Share" cifs://10.0.1.11/training
BRKCRT-2301
Configure SSLVPN Port-Forward Services

Super-Server1
Remote Client
Security 10.0.1.10/24
Appliance
WebVPN Tunnel Mail-Server1
10.0.1.11/24

fw1(config-group-webvpn)# functions port-forward
fw1(config-group-webvpn)# port-forward value SSLVPN_APPS
fw1(config-group-webvpn)# port-forward SSLVPN_APPS 2222 10.0.1.10 23
fw1(config-group-webvpn)# port-forward SSLVPN_APPS 2110
mailserver1.training.com 110
fw1(config-group-webvpn)# port-forward SSLVPN_APPS 2025
mailserver1.training.com 25
BRKCRT-2301

14363_04_2008_c2.scr
Exam Topics—Configure
Transparent Firewall, Virtual
Firewall, and High Availability
Firewall Features on a
Security Appliance
BRKCRT-2301
Configure Transparent Firewall, Virtual Firewall, and High

Availability Firewall Features on a Security Appliance
Explain differences between L2 and L3 operating modes
Configure security appliance for transparent mode (L2)
Explain purpose of virtual firewalls
Configure security appliance to support virtual firewall
Monitor and maintain virtual firewall
Explain the types, purpose and operation of fail-over
Install and configure appropriate topology to support cable-
based or LAN-based fail-over
Explain the hardware, software and licensing requirements
for high-availability
BRKCRT-2301

14363_04_2008_c2.scr
Configure Transparent Firewall, Virtual Firewall, and High
Availability Firewall Features on a Security Appliance (Con’t)
Configure the SA for active/standby fail-over
Configure the SA for stateful fail-over
Configure the SA for active-active fail-over
Verify fail-over operation
Recover from a fail-over
Allocate resources to virtual firewalls
BRKCRT-2301
Explain Differences Between L2 and L3

Operating Modes
The Security Appliance Can Run in Two Mode Settings:
Routed—Based on IP Address
Transparent—Based on MAC Address
10.0.1.0 10.0.1.0
The following features are not
VLAN 100 VLAN 100 supported in transparent mode:
NAT
Dynamic routing protocols
IPv6
10.0.2.0 10.0.1.0 DHCP relay
VLAN 200 VLAN 200 Quality of Service
Multicast
Routed Transparent VPN termination for through traffic
Mode Mode
BRKCRT-2301

14363_04_2008_c2.scr
Configure Security Appliance for
Transparent Mode (L2)
Layer 3 traffic must be explicitly Internet
permitted
Each directly connected network 10.0.1.10
must be on the same subnet VLAN 100
The management IP address must be 10.0.1.0
on the same subnet as the connected Transparent Management
network
Mode IP Address
Do not specify the firewall appliance 10.0.1.1
VLAN 200
management IP address as the default
10.0.1.0
gateway for connected devices
Devices need to specify the router on the
other side of the firewall appliance as the
default gateway
Each interface must be a different IP–10.0.1.3 IP–10.0.1.4
VLAN interface
GW–10.0.1.10 GW–10.0.1.10
fw1(config)# firewall transparent
Switched to transparent mode
BRKCRT-2301
Configure Security Appliance to

Support Virtual Firewall
e1 e4
1 2 CTX1- CTX2-
admin
Internet Internet e0 e3
fw1(config)# mode multiple

WARNING: This command will change the behavior of the device
WARNING: This command will initiate a Reboot
Proceed with change mode? [confirm]
Convert the system configuration? [confirm]
………………………………………………………………..
fw1# show mode
Security context mode: multiple
BRKCRT-2301

14363_04_2008_c2.scr
An administrator is tasked with allocating interfaces for the two contexts,
ctx1 and ctx2. Using the allocate-interface command, drag the interface
fw1(config)# admin-context ctx1
fw1(config)# context ctx1
e1 e4
fw1(config-ctx)# allocate-interface A
fw1(config-ctx)# allocate-interface B
1 2 CTX1- CTX2- fw1(config-ctx)# config-url flash:/C
(admin)
Internet e0 e3 fw1(config-ctx)# allocate-interface D
fw1(config-ctx)# allocate-interface E
fw1(config-ctx)# config-url flash:/F
ethernet0 ethernet4 A D
ethernet1 ctx1.cfg B E
ethernet3 ctx2.cfg C F
BRKCRT-2301

10.0.1.1 10.0.31.7 Context 1
• Interface e0
e1 e4 • IP address 192.168.1.2
• Interface e1
1 2 CTX1- CTX2-
(admin)
• IP Address 10.0.1.1
Context 2
• Interface e3
Internet e0 e3
• IP address 192.168.31.7
192.168.1.2 192.168.31.7 • Interface e4
• IP address 10.0.31.7
fw1(config)# changeto context ctx1

fw1/ctx1(config)# interface ethernet0
fw1/ctx1(config-if)# ip address 192.168.1.2 255.255.255.0
fw1/ctx1(config-if)# nameif outside
fw1/ctx1(config)# interface ethernet1
fw1/ctx1(config-if)# ip address 10.0.1.1 255.255.255.0
fw1/ctx1(config-if)# nameif inside
BRKCRT-2301

14363_04_2008_c2.scr
Hardware and Stateful Failover
Internet
Hardware Failover
Connections are dropped.
Client applications must reconnect.
Provided by serial or LAN-based failover link.
Active/Standby—only one unit can be actively processing traffic while
other is hot standby.
Active/Active—both units can actively process traffic and serve as
backup units
Stateful failover
TCP connections remain active.
No client applications need to reconnect.
Provides redundancy and stateful connection.
Provided by stateful link.
BRKCRT-2301
Explain the Hardware, Software and Licensing

Requirements for High-Availability
Active/Standby Active/Active
Contexts
Primary: Secondary:
Standby Active
Primary: Secondary:
Failed/Standby Active/Active
Internet Internet
The primary and secondary security appliances must be identical in

the following requirements:
Same model number and hardware configurations
Same software versions-- The two units in a failover configuration should have the
same major (first number) and minor (second number) software version. Starting in
Rel. 7, you do not need to maintain version parity on the units during the upgrade
process, e.g. 7.0(4) to 7.0(5)
Same features (DES or 3DES)
Same amount of Flash memory and RAM
Proper licensing
BRKCRT-2301

14363_04_2008_c2.scr
Configure A/S Failover Link
Primary – fw1
.2 .1
.1
192.168.2.0 10.0.2.0
Internet 172.17.2.0
.7
.7 .7
Secondary
fw1(config)# interface ethernet3

fw1(config-if)# no shut
fw1(config)# failover lan interface LANFAIL ethernet3
fw1(config)# failover interface ip A B 255.255.255.0 C D
fw1(config)# failover lan unit E
fw1(config)# failover
active 172.17.2.1 A D
standby 172.17.2.7 B E
LANFAIL primary C
BRKCRT-2301
Configure A/A Failover Link

g0/1 g0/4 g0/1 g0/4
CTX1- CTX2- 172.17.2.1 172.17.2.7 CTX2-

1
1 2 1 2 CTX1-
Group 1 Group 2 1 Group 1 Group 2
g0/2 g0/2
g0/0 g0/3 Failover Link g0/0 g0/3
fw1(config)# interface GigabitEthernet0/2

fw1(config-if)# no shut
fw1(config)# failover lan interface LANFAIL GigabitEthernet0/2
fw1(config)# failover interface ip LANFAIL A 255.255.255.0 B C
fw1(config)# failover link LANFAIL GigabitEthernet0/2
fw1(config)# failover lan key 1234567
active 172.17.1.1 A C
standby 172.17.1.7 B
BRKCRT-2301

14363_04_2008_c2.scr
A/A Failover Group
Group 2
Primary Secondary
g0/1 g0/4 g0/1 g0/4
CTX1- CTX2- 172.17.1.1 172.17.1.7 CTX2-

Group 1 Group 2 11 2
11 2 CTX1-
Group 2
g0/2 g0/2 Group 1
g0/0 g0/3 g0/0 g0/3
Group 1
Active/active failover adds support for failover group.
Failover is performed on a unit or group level.
A group is comprised of one or more contexts.
Each failover group contains separate state machines to keep track of the group failover state.
fw1(config)# failover group 1
fw1(config-fover-group)# primary
fw1(config)# failover group 2
BRKCRT-2301
fw1(config-fover-group)# secondary
Context: Allocate Interfaces and Assign

a Failover Group Number
g0/1 g0/4 g0/1 g0/4
CTX1- CTX2- 1 2 CTX1- CTX2-

Group 1 Group 2 1 11 2 Group 1 Group 2
g0/0 g0/3 g0/0 g0/3
Internet
Associate interfaces and a group to a context

fw1(config-ctx)# allocate-interface GigabitEthernet0/0
fw1(config-ctx)# config-url flash:/ctx1.cfg
fw1(config-ctx)# join-failover-group 1
fw1(config-ctx)# config-url flash:/ctx2.cfg
fw1(config-ctx)# join-failover-group 2
BRKCRT-2301

14363_04_2008_c2.scr
Show Failover: Part 1
Primary 10.0.1.1 10.0.31.7 10.0.1.7 10.0.31.1
g0/1 g0/4 g0/1 g0/4
CTX1- CTX2- 172.17.1.1 172.17.1.7 CTX1- CTX2-

Group 1 Group 2 11 2 11 2 Group 1 Group 2
Active Standby g0/2 g0/2 Standby Active
g0/0 g0/3 g0/0 g0/3

192.168.1.2 192.168.31.7
192.168.1.7 192.168.31.1
Internet
fw1# show failover

Failover On
Cable status: N/A - LAN-based failover enabled
Failover unit Primary
Failover LAN Interface: lanfail GigabitEthernet0/2 (up)
Unit Poll frequency 15 seconds, holdtime 45 seconds
Interface Poll frequency 15 seconds
Interface Policy 1
Monitored Interfaces 4 of 250 maximum
Group 1 last failover at: 15:54:49 UTC Sept 17 2006
BRKCRT-2301Group 2 last failover at: 15:55:00 UTC Sept 17 2006
Resource Management
Limits the use of resources per context
Prevents one or more contexts from using too many resources and
causing other contexts to be denied use of resources
Enables you to configure limits for the following resources:
ASDM connections Telnet sessions
Connections Xlate objects
Hosts Application inspections (rate only)
Limit connections
SSH sessions Syslogs per second (rate only) for CONTEXT2
to 20%
CONTEXT 1
HTTP HTTP
Internet CONTEXT 2
X
BRKCRT-2301

14363_04_2008_c2.scr
Configuring Resource Management
Limit connections
for CONTEXT2
to 20%
CONTEXT 1
HTTP HTTP
Internet CONTEXT 2
X
fw1(config)# class MEDIUM-RESOURCE-SET
fw1(config-class)# limit-resource conns 20%
Limits the MEDIUM-RESOURCE-SET class to 20 per cent of the system connection limit
fw1(config)# context context2
fw1(config-ctx)# member MEDIUM_RESOURCE_SET
Assigns the TEST context to the MEDIUM-RESOURCE-SET class
BRKCRT-2301
AAA Services for Access
Through a Security
Appliance
BRKCRT-2301

14363_04_2008_c2.scr
Configure AAA Services for Access
Through a Security Appliance
Configure ACS for security appliance support
Configure security appliance to use AAA feature
Configure authentication using both local and
external databases
Configure authorization using an external database
Configure the ACS server for downloadable ACLs
Configure accounting of connection start/stop
Verify AAA operation
BRKCRT-2301
Configure ACS for Security

Appliance Support
When configuring a Cisco ACS Server network configuration window, the
administrator must supply two names and IP addresses. Drag the
“aaauser”
192.168.2.10 10.0.1.0
Internet .1 A B
.2
NY1PIX .10
NY_ACS
C D
192.168.2.10 NY1PIX
10.0.1.1 NY_ACS A C
10.0.1.10 aaauser B D
BRKCRT-2301

14363_04_2008_c2.scr
Configure Authentication Using Both
Local and External Databases
Telnet
Internet
Authentication via
LOCAL database
fw1(config)# username admin1 password cisco123
fw1(config)# aaa authentication telnet console LOCAL
Telnet
Internet
Authentication via NY_ACS
External database 10.0.0.2
and LOCAL backup
fw1(config)# aaa-server NY_ACS protocol tacacs+
fw1(config)# aaa-server NY_ACS (inside) host 10.0.0.2
fw1(config-aaa-server)# key secretkey
fw1(config)# aaa authentication telnet console NY_ACS LOCAL
BRKCRT-2301
Configure Cut-Through Proxy

Authentication
The administrator wants every Internet user to be authenticated before
gaining http access to the DMZ server, 172.16.4.9. Drag the parameter
on the left to correct letter on the right to accomplish this task.
DMZ Server
Internet User 172.16.4.9
192.168.2.10 192.168.1.12
Internet NY_ACS
RADIUS 10.0.0.2

fw1(config)# aaa-server NY_ACS protocol radius
fw1(config-aaa-server)# key cisco123
fw1(config)# access-list 110 permit tcp any host A eq www
fw1(config)# aaa authentication match B C D
192.168.1.12 110
172.16.4.9 NY_ACS A C
192.168.2.10 outside B D
BRKCRT-2301

14363_04_2008_c2.scr
Configure Authorization Using an
External Database
FTP server
192.168.9.10 192.168.0.0 10.0.0.33
Internet FTP
.3 NY_ACS
server
192.168.0.12 Authorization 10.0.0.2
fw1(config)# aaa-server NY_ACS protocol tacacs+

fw1(config-aaa-server)# key secretkey
fw1(config)# static (inside,outside) 192.168.0.12 10.0.0.33
fw1(config)# access-list 110 permit tcp any host 192.168.0.12 eq ftp
fw1(config)# aaa authorization match 110 outside NY_ACS
BRKCRT-2301
Authorization Rules Allowing Specific

Services to Specific Hosts
On the previous page, the administrator configured a PIX to verify users rights
before they ftp to the Inside FTP server. In the Access server, the administrator
must configure TACACS+ group setup. Check the parameter for each subtask
on the left that is needed to accomplish this task.
Group setup
Unmatched Cisco IOS commands
Deny
Permit
Command
ftp
Blank (ftp is in the arguments list)
Arguments
permit 192.168.0.12
permit tcp any host 192.168.0.12eq ftp
Unlisted arguments
Deny
Permit
BRKCRT-2301

14363_04_2008_c2.scr
Configure the ACS Server for
Downloadable ACLs
FTP Server WWW Server
172.16.4.9 172.16.4.10
192.168.1.10
“aaauser” 192.168.1.11
Internet
Authentication NY_ACS
(RADIUS) 10.0.0.2

fw1(config)# aaa-server NY_ACS protocol A
fw1(config)# aaa-server NY_ACS (inside) host B
fw1(config)# access-list 110 permit tcp any host 192.168.1.11 eq C
fw1(config)# aaa authentication match 110 outside D
www NY_ACS TACACS+ A C

172.16.4.10 10.0.0.2 RADIUS B D
BRKCRT-2301
Configure the ACS Server for

Downloadable ACLs
BRKCRT-2301

14363_04_2008_c2.scr
Authentication of Console Access
Security
Appliance
Console Access
Security Appliance
Console Access
Internet NY_ACS
TACACS+ Server
10.0.0.2
Defines a console access method that requires authentication

Identifies the authentication server group name (authentication server
or LOCAL)
Enables fallback to LOCAL security appliance database
fw1(config)# aaa authentication serial console NY_ACS LOCAL

fw1(config)# aaa authentication enable console NY_ACS LOCAL
fw1(config)# aaa authentication telnet console NY_ACS LOCAL
fw1(config)# aaa authentication ssh console NY_ACS LOCAL
BRKCRT-2301
Configure Accounting of
Connection Start/Stop
FTP Server WWW Server
172.16.4.9 172.16.4.10
192.168.1.10
“aaauser” 192.168.1.11
Internet
Accounting NY_ACS
(RADIUS) 10.0.0.2
fw1(config)# aaa-server NY_ACS protocol A

fw1(config)# access-list 110 permit tcp any host 192.168.1.11 eq www
fw1(config)# aaa B match C outside NY_ACS
radius accounting
192.168.1.0 authentication A C
110 LDAP B
BRKCRT-2301

14363_04_2008_c2.scr
Routing and Switching on
a Security Appliance
BRKCRT-2301
Configure Routing and Switching on a

Security Appliance Subtopics
Enable DHCP server and relay functionality
Configure VLANs on a security appliance interface
Configure security appliance to pass multi-cast traffic
BRKCRT-2301

14363_04_2008_c2.scr
Configure VLANs on a Security
Appliance Interface
dmz2
172.16.20.1
dmz1 dmz3
172.16.10.1 172.16.30.1 Partner
Public Server Proxy
Server Server
vlan20
vlan10 vlan30
Trunk port
Internet
10.0.0.0
192.168.0.0
fw1(config)# interface ethernet3.1

fw1(config-subif)# vlan 10
fw1(config-subif)# nameif dmz1
fw1(config-subif)# security-level 10
fw1(config-subif)# ip address 172.16.10.1
BRKCRT-2301
Configure Routing Functionality of

Security Appliance Including OSPF, RIP
RIP v2
192.168.0.0 10.0.0.0
10.0.1.0
172.26.26.30 RIP v2 RIP v1
fw1(config)# rip outside passive version 2

authentication md5 MYKEY 2
fw1(config)# rip inside passive
fw1(config)# rip dmz passive version 2
BRKCRT-2301

14363_04_2008_c2.scr
Configure Routing Functionality of
Security Appliance Including OSPF, RIP
Router OSPF 1
0
10.0.0.0
Internet 10.0.1.0
1.1.1.0 Private
2.2.2.0
firewall(config)#
network prefix ip_address netmask area area_id
• Adds and removes interfaces to and from the OSPF routing process
fw1(config)# router ospf 1
fw1(config-router)# network 1.1.1.0 255.255.255.0 area 0
fw1(config-router)# network 2.2.2.0 255.255.255.0 area 2.2.2.0
fw1(config-router)# network 10.0.0.0 255.255.255.0 area 10.0.0.0
BRKCRT-2301
Configure Security Appliance to Pass

Multi-Cast (MC) Traffic
Outside
A multicast (MC) client on the
172.16.0.1 MC DMZ
inside network wants to “view”
e0 router
a MC session from a MC Multicast
server on the DMZ . Drag the server
e1 e2 MC Group
parameter on the left to correct
224.0.1.50
letter on the right to accomplish Inside
this task. MC client
10.0.0.11
fw1(config)# access-list 120 permit udp any host 224.0.1.50

fw1(config)# interface A
fw1(config-if)# igmp access-group 120
fw1(config)# interface B
fw1(config-if)# igmp forward interface C
ethernet1 DMZ A
10.0.0.11 Inside B
224.0.1.50 ethernet2 C
BRKCRT-2301

14363_04_2008_c2.scr
Security Appliance
Advanced Application Layer
and Modular Policy Features
BRKCRT-2301
Configure a Modular Policy on a Security

Appliance Subtopics
Configure a class-map
Configure a policy-map
Configure a service-policy
Configure a class-map type inspect
Configure a policy-map type inspect
Configure regular expressions
Explain the function of protocol inspection
Explain DNS guard feature
BRKCRT-2301

14363_04_2008_c2.scr
Configure a Modular Policy on a Security
Appliance Subtopics (Con’t)
Describe the AIP-SSM HW and SW
Load IPS SW on the AIP-SSM
Verify AIP-SSM
Configure an IPS modular policy
Describe the CSC-SSM HW and SW
Load CSC SW on the SSM
Verify the CSC-SSM
Configure an CSC modular policy
BRKCRT-2301
Layer 7: Application
Inspection Overview
Layer 7: Application Inspection—
Deep packet inspection
• “Get”—Allow
• “Put”—Reset
• “Post”—Reset
DMZ - HTTP
Server
Internet 192.168.0.0 Inside

.2 10.0.0.0
Outside
A Layer 7 policy is intended for protocol deep packet inspection.

You can configure Layer-7 protocol inspection criteria to recognize
specific protocol attributes that you wish to control,
Actions can be applied to the desirable and undesirable traffic.
Application inspection (AI) varies in capability per supported protocol
BRKCRT-2301

14363_04_2008_c2.scr
Layer 7: Application
Inspection Configuration
• “Put”—Reset
• “Post”—Reset
Layer 3 and 4:
• HTTP traffic to DMZ - HTTP
WWW Server Server
Internet Inside
10.0.0.0
Outside
To create a application inspection:

Create a Layer 7 application inspection policy
Identify application inspection criteria based on the attributes of
a given protocol
Apply an action to identified packets, allow, reset, or log
Create a Layer 3 and 4 policy to identify a traffic stream
Define the Layer 3 and 4 traffic stream for inspection.
Attach the traffic stream to a Layer 3 and 4 policy
BRKCRT-2301
Configure Layer 7 Application

Inspection Policy
• “Put”—Reset DMZ - HTTP
• “Post”—Reset Server
Internet Inside
10.0.0.0
Outside
Create a Layer 7 application inspection policy
Class-map type inspect —Identify application inspection criteria based on
the attributes of a given protocol
Policy-map type inspect —Apply an action to identified packets, allow,
reset, or log
fw1(config)# class-map type inspect http HTTP_SAFE_Method
fw1(config-cmap)# match request method get
fw1(config)# class-map type inspect http HTTP_RESTRICTED_Methods
fw1(config-cmap)# match request method post
fw1(config-cmap)# match request method put
fw1(config)# policy-map type inspect HTTP inbound_http_traffic
Fw1(config-pmap)# class HTTP_SAFE_Method
Fw1(config-pmap-c)# allow
Fw1(config)-pmap) class HTTP_RESTRICTED_Method
Fw1(config-pmap-c)# reset log
BRKCRT-2301

14363_04_2008_c2.scr
Configure a Layer 3 and 4 Policy
Layer 3 and 4:
• HTTP traffic to DMZ - HTTP
WWW Server Server
Internet Inside
10.0.0.0
Outside
Create a Layer 3 and 4 inspection policy

Define the Layer 3 and 4 traffic stream for inspection.
Associate a traffic stream with a Layer 3 and 4 policy
fw1(config)# access-list 102 permit TCP any host 192.168.1.11 eq www

fw1(config)# class-map inbound_http_traffic
fw1(config-ftp-map)# match access-list 102
fw1(config)# policy-map dmz_http_inbound
fw1(config-pmap)# class inbound_http_traffic
fw1(config-pmap-c)# inspect http inbound_http_traffic
fw1(config)# service-policy dmz_http_inbound outside
BRKCRT-2301
Configure Class-Map Type

Inspect Example
WWW Server
172.16.4.9
Internet 192.168.1.11
User
Internet
fw1(config)# class-map type inspect ftp ftp_method

fw1(config-cmap)# match request method A
fw1(config-cmap)# match request method B
fw1(config)#policy-map type inspect ftp inbound_ftp
fw1(config-pmap)#class C
fw1(config-pmap-c)#reset D
ftp_method log
inbound_ftp dele A C
put reset B D
BRKCRT-2301

14363_04_2008_c2.scr
Configure a Layer 3 and 4 Policy Example
FTP Server
172.16.4.9
192.168.1.11
192.168.2.10
Internet
fw1(config)# access-list 101 permit TCP any host 192.168.1.11 eq ftp

fw1(config)# A ftp_traffic
fw1(config-cmap)# match access-list 101
fw1(config)# B inbound
fw1(config-pmap)# class C
fw1(config-pmap-c)# inspect D strict
fw1(config)# E F outside
ftp_traffic class-map A D
ftp service-policy B E
inbound policy-map C F
BRKCRT-2301
Configure Class-Map Type Inspect

HTTP Example
WWW Server
172.16.4.9
Internet 192.168.1.11
User
Internet
fw1(config)# class-map type inspect http BLOCKED_METHOD_LIST

fw1(config-cmap)# match request method delete
fw1(config)# policy-map type inspect http inbound_http
fw1(config-pmap)# class BLOCKED_METHOD_LIST
fw1(config-pmap-c)# reset log
fw1(config)# access-list 102 permit TCP any host 192.168.1.11 eq www
fw1(config)# class-map inbound_http_traffic
fw1(config-ftp-map)# match access-list 102
fw1(config)# policy-map inbound
fw1(config-pmap)# class inbound_http_traffic
fw1(config-pmap-c)# inspect http inbound_http
fw1(config)# service-policy inbound outside
BRKCRT-2301

14363_04_2008_c2.scr
Class-Map Type Inspect and
Policy-Map Type Inspect
fw1(config)#class-map type inspect http BLOCKED_METHOD_LIST
fw1(config-cmap)# match request method delete
Inspection class maps enable you to group multiple traffic matching statements
fw1(config)#policy-map type inspect http MY_HTTP_MAP

fw1(config-pmap)#class BLOCKED_METHOD_LIST
fw1(config-pmap-c)#drop-connection log
The inspection class map is then assigned to the inspection policy map.
fw1(config)#policy-map type inspect http MY_HTTP_MAP

fw1(config-pmap)# match request method post
fw1(config-pmap-c)#drop-connection log
Pair a single traffic match statement with an action directly in the policy map
BRKCRT-2301
Regular Expressions
Mail
Server
Client
ftp> username: root
Internet
ASA configured to drop
packets containing the
string “root”
Enables you to identify text in a packet using a regular expression

A regular expression is characterized as follows:
Defined as a pattern to match against an input string
Enables you to permit, deny, or log any packet to create custom
security checks
Matches a text string
Literally as an exact string
By using metacharacters, which enable you to match multiple variants
of a text string
You can combine custom security checks for increased granular
control
BRKCRT-2301

14363_04_2008_c2.scr
Blocking Based on Matching (or Not)
Regular Expressions (REGEX)
ftp> username: root FTP
Bob
Server
ftp>put /root/filename
Denies all inbound users with a username of “root”

Denies all access to “/root” from the Internet
fw1(config)#regex FTP_USER “root”
fw1(config)#regex FTP_PATH “\/root”
fw1(config)#class-map type regex match-any RESTRICTED_ACCESS
fw1(config-cmap)#match regex A
fw1(config-cmap)#match regex B
fw1(config)#policy-map type inspect ftp C
fw1(config-pmap)#class D
fw1(config-pmap-c)#reset log
FTP_USER RESTRICTED_ACCESS A B
FTP_PATH MY_FTP_MAP C D
BRKCRT-2301
Load IPS SW on the AIP-SSM

fw1(config)# hw module 1 A
Image URL [tftp://0.0.0.0/]: tftp://10.0.31.10/AIP-SSM-K9-
sys-1.1-a-5.0-0.22.img
Port IP Address [0.0.0.0]: 10.0.31.1
fw1(config)# hw module 1 B
The module in slot 1 will be recovered. This may
erase all configuration and all data on that device and
attempt to download a new image for it.
fw1# C
Opening command session with slot 1.
Connected to slot 1. Escape character sequence is 'CTRL^X'.
sensor# D
--- System Configuration Dialog ---
Current Configuration:
recover configure
A
recover boot
B
session 1
session m2/0 C
setup D
BRKCRT-2301

14363_04_2008_c2.scr
AIP-SSM Initialized
Internet
AIP-SSM
fw1(config)# show module 1
Mod Card Type Model Serial No.

--- -------------------------------------------- ------------------ ----------
1 ASA 5500 Series Security Services Module-10 ASA-SSM-10 123456789
Mod MAC Address Range Hw Version Fw Version Sw Version

--- --------------------------------- ------------ ------------ --------------
1 0016.4687.a520 to 0016.4687.a520 1.0 1.0(10)0 6.0(2)E1
Mod SSM Application Name Status SSM Application Version

--- ------------------------------ ---------------- --------------------------
1 IPS Up 6.0(2)E1
Mod Status Data Plane Status Compatibility

--- ------------------ --------------------- -------------
1 Up Up
BRKCRT-2301
Configure an IPS Modular Policy

DMZ Servers
172.16.1.0
IPS Policy:
• Inline
Internet
• Fail open
IPS
fw1(config)# access-list 101 permit TCP any 172.16.1.0 255.255.255.0

fw1(config)# A dmz_traffic
fw1(config-cmap)# match access-list 101
fw1(config)# B dmz_ips
fw1(config-pmap)# class C
fw1(config-pmap-c)# ips D E
fw1(config)# service-policy dmz_ips outside
dmz_traffic class-map A D
ips inline B E
fail-open policy-map C
BRKCRT-2301

14363_04_2008_c2.scr
Q and A
BRKCRT-2301
Recommended Reading
Continue your Cisco Live

learning experience with further
reading from Cisco Press
Check the Recommended
Reading flyer for suggested
books
Available Onsite at the Cisco Company Store

BRKCRT-2301

14363_04_2008_c2.scr
Complete Your Online
Session Evaluation
Give us your feedback and you could win Don’t forget to activate
fabulous prizes. Winners announced daily. your Cisco Live virtual
account for access to
Receive 20 Passport points for each session all session material
evaluation you complete. on-demand and return
for our live virtual event
Complete your session evaluation online now in October 2008.
(open a browser through our wireless network Go to the Collaboration
to access our portal) or visit one of the Internet Zone in World of
stations throughout the Convention Center. Solutions or visit
www.cisco-live.com.
BRKCRT-2301
BRKCRT-2301

14363_04_2008_c2.scr

CCSP Prep: Preparing To Take The Securing Networks With PIX and ASA (SNPA) 642-523 Exam

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

CCSP Prep: Preparing To Take The Securing Networks With PIX and ASA (SNPA) 642-523 Exam

Uploaded by

Copyright:

Available Formats

CCSP Prep: Preparing to

Take the Securing Networks

© 2008, Cisco Systems, Inc. All rights reserved. 1

 Cisco Certified Security Professional

Cisco Certified Security Professional

Plus one of the electives below

CANAC or Implementing Network Admissions Control

© 2008, Cisco Systems, Inc. All rights reserved. 2

 Instructor Led and Web Based Training

© 2008, Cisco Systems, Inc. All rights reserved. 3

9 Eliminate nonsense options

What We Will Cover

 Will cover key and newer exam topics likely to be included

© 2008, Cisco Systems, Inc. All rights reserved. 4

 SNPA Exam Topics from the Cisco SNPA Certification

Exam Topics (Con’t)

 Configure a security appliance to provide secure

© 2008, Cisco Systems, Inc. All rights reserved. 5

Exam Topic—Install and

© 2008, Cisco Systems, Inc. All rights reserved. 6

Install and Configure a Security Appliance

© 2008, Cisco Systems, Inc. All rights reserved. 7

SOHO ROBO SMB Enterprise SP

ASA Content Security Control

The CSC-SSM can block or clean malicious traffic from

Malware Protection Content Control

© 2008, Cisco Systems, Inc. All rights reserved. 8

ASA 5505 and 5510 Licensing

Security IPSec Failover Concurrent

* Stateless A/S failover

© 2008, Cisco Systems, Inc. All rights reserved. 9

Security IPSec Failover WebVPN

Base 4 x 10/100/1000 2 200 5000 Yes Yes 2

Base 8 x 10/100/1000 2 250 5000 Yes Yes 2

Describe the Security Appliance

© 2008, Cisco Systems, Inc. All rights reserved. 10

fw1(config)# A logging B 710005

Explain the Information Contained in

© 2008, Cisco Systems, Inc. All rights reserved. 11

For dynamic NAT/PAT address assignments

Fixed Sam Jones

Configure Network Address

fw1(config)# nat (inside) 2 10.0.2.0

© 2008, Cisco Systems, Inc. All rights reserved. 12

fw1(config)# static (A,B) C D netmask 255.255.255.255

Configure a Net Static

fw1(config)# static (A,B) C D netmask 255.255.255.0

© 2008, Cisco Systems, Inc. All rights reserved. 13

fw1(config)# static (A,B) tcp C D E F netmask 255.255.255.255

Set Embryonic and Connection Limits on

© 2008, Cisco Systems, Inc. All rights reserved. 14

Configure a Security Appliance to Restrict

© 2008, Cisco Systems, Inc. All rights reserved. 15

Security appliance configuration philosophy is interface based.

Configure Access-Lists to Filter Traffic

fw1(config)# static (DMZ,outside) 192.168.0.9 172.16.0.2

© 2008, Cisco Systems, Inc. All rights reserved. 16

 Define a time when certain resources can be accessed

fw1(config)# time-range temp-worker

Configure Network Address

fw1(config)# access-list company_a permit tcp A 255.255.255.0

© 2008, Cisco Systems, Inc. All rights reserved. 17

Cisco Certified Security Professional

Instructor Led and Web Based Training

Will cover key and newer exam topics likely to be included

SNPA Exam Topics from the Cisco SNPA Certification

Configure a security appliance to provide secure

Define a time when certain resources can be accessed

Understand the traffic flow

Understand the traffic flow 192.168.1.12

Utilize existing S2S tunnels

Understand the traffic flow 192.168.1.12

Utilize existing S2S tunnels

Understand the traffic flow 192.168.1.12

Utilize existing S2S tunnels

Uses a standard SSLVPN to access the corporate network

The primary and secondary security appliances must be identical in