1. The 5550 supports 36,000 connections/sec and 600,000 packets/sec 2.

The 5505 has no security contexts even with the Security Plus License 3. 5505 uses internal User Licensing and the Base the Security Plus feature licenses also can use the AnyConnect Essentials license and VPN Shared Licensing 4. Dont worry about the static or dynamic routing 5. Know where to go to configure appliance as a DHCP server and identify the interface 6. Know the fundamental default rules based on security levels 7. On the Cisco ASA 5505 Adaptive Security Appliance, two VLAN interfaces are configured by default. VLAN 1 is configures as inside interface and switchports Ethernet 0/1 to 0/7 are assigned to the VLAN 1. VLAN 2 is configured as outside interface and switchport Ethernet 0/0 is assigned to the VLAN 2 8. Review details of CLI Packet Tracer output 9. Know the logging destinations 10. Interpret syslog in CLI 11. Dont worry about the system questions 12. Look in ASDM to see if your using self-signed certificate 13. Dont worry about ACS 4.2 14. Know the 2 purposes Authorization tab in AAA Access 15. Dont worry about the Accounting 16. Memorize all connection state codes related to SYN-aB 17. Show local-host[IP Address] [detail] shows the translations and connections in the CLI 18. By default, when traffic is denied by an access rule, the security appliance generates system, message 106023 for each denied packet 19. You can add objects groups: Network, Service, ICMP, Protocol 20. The Cisco ASA Adaptive Security Appliances supports six types of service groups, but you will only learn to use the most generic and flexible one the IP service group 21. Know what uRP looks like in the CLI: ip verify reverse-path interface inside 22. Packet shunning is Cisco ASA Adaptive Security Appliance feature that allows you to quickly block a particular IP address on the appliance, independently of interface access rules. You should generally use shunning to quickly respond to a security incident 23. Know policy directionality. QoS bandwidth shaping can be configured in the outbound direction only 24. Specify the type of application inside the class map for OSI Layers 5 to 7 for which you want to classify packets 25. The following applications are supported a. DNS b. FTP c. H.323 d. HTTP e. IM

f.

SIP

26. Dont worry about specific REGEX knowledge IPS exam yes though! 27. A policy man for Layer 5 through 7 is applied to traffic by nesting it inside a policy map for Layer 3 and 4. So, you will apply the configured policy map for OSI Layers 5 to 7 inside a policy map for OSI Layer 3 and 4. The policy map for Layers 5 to 7 is used as an additional attribute when enabling application inspection inside the policy map for Layer 3 and 4. You can use policy maps for Layer 5 through 7 of appropriate type only inside a policy for specific application inspection 28. TCP Maps to tune TCP Normalization which that is able to verify the adherence of TCP Sessions to the TCP Protocol specification. The purpose of the TCP normalizer is to prevent malformed TCP packets from reaching a protected host 29. Applying TCP state bypass to a traffic class effectively disables all stateful checks and all features that rely on them. These features include application inspection and control, security services module redirection, inline user authentication (the cut-through proxy) and all TCP normalizer features. You should use TCP state bypass only if necessary, to process a minimal possible number of trusted flows, ensuring that spoofing of traffic that bypasses inspection by attackers is unlikely 30. Configure TCP bypass: Configuration > Firewall > Service Policy Rules > Connection Settings > Advanced Options > Checkbox 31. Memorize default inspectors in the Default Inspection Class 5/7 32. Create an HTTP inspection policy map; Configure HTTP protocol verification; Apply the HTTP inspection policy map globally. Create an ESMTP inspection map on some MIME type scenario too 33. TCP Intercept The Cisco ASA Security Appliance intercepts the TCP SYN and responds with a SYN-ACK and its sequence number set to a cookie. The cookie is an authenticated hash of parts of the TCP and IP header, therefore, the appliance does not need to keep state information. A legitimate client completes the handshake by sending an ACK with the acknowledgement number set to a cookie +1. If the cookie is authentic, the security appliance proxies the TCP session to the server 34. Botnet filter is an additional license; 2 ways dynamic SensorBase and/or Static; DNS replies for bad hostnames are cached on the appliance in a DNS reverse lookup cache 35. You need to know where to enable DNS Snooping for Botnet Traffic Filter Configuration > Firewall > Botnet Traffic Filter and where to enable it for an interface 36. Basic threat detection generates syslog message 733100 37. Advanced Threat Detection statistics for hosts has the most performance impact 38. CLI for threat detection is: threat-detection basic-threat a. Scanning threat detection looks for network scans and sweeps b. It sends a syslog message 733101 and optionally shuns the attacker c. Unlike IPS sensors it maintains an extensive database of host statistics 39. There are key difference between traffic policing and traffic shaping remember traffic-shaping buffers excess traffic, operates only on output interface traffic, minimizes TCP retransmissions; but can introduce

jitter to traffic. Traffic shaping is not supported on the 5580. For traffic shaping all traffic must be matched and you have to use the class-default class 40. Priority Queuing sets the size of the priority queue in packets (queue-limit) as well as the transmission ring size on the hardware queue (tx-ring-limit) 41. Configuration > Firewall > AAA Rules is the area to generate AAA rules for local and remote access of transit traffic on the ASA 42. Configuration > Device Management > Users/AAA > AAA Access is the area for applying AAA services to administrative access to the device (enable, http/asdm, serial, ssh, telnet) using the local database or remote AAA servers 43. Review your knowledge of NAT-CONTROL 44. Static Policy Inside NAT scenarios involving the DMZ are likely involving the CLI 45. Review the DNS Rewrite feature. DNS inspection needs to be enabled and you must be able to decipher a topology scenario not configurable necessarily 46. Three ways to bypass nat-control are Dynamic Identity NAT, Static Identity NAT and NAT Exemption which is the most recommended 47. Instead of confirming Static NAT and interface access rules separately, you can use the Public Server feature in ASDM 48. Transparent Mode a. The following features are not supported: DHCP relay, DDNS, Dynamic Routing, Multicast IP, QoS, VPN termination (other than mgmt. traffic) b. The ASA can perform NAT even if its in transparent mode c. The management address must be on the same network as the connected network of the inside / outside interfaces d. Static routes are needed for management traffic, voice inspection, NAT 49. Ethertype ACLs cant permit CDP or ethertypes less than 0x600 yes to BPDUs 50. By default, the ASA permits ARP packets through transp fw in both directions w/o explicit access rules 51. If dynamic MAC address learning is disabled then MAC addresses must be manually configured troubleshooting scenario: MAC address table empty? Learning Disabled 52. Features not supported in Multiple Mode: IPSec, SSL VPNs and Dynamic Routing Protocols 53. Review the operations of the System Config in ASDM 54. When you use shared interfaces (or sub-ifs) assign different MAC addresses to the shared interface in each context 55. Features not supported when using security contexts: Dynamic Routing, Multicast IP Routing, Threat Detection, VPN, Phony Proxy 56. In show context output, the asterisk next to context name indicates current admin context 57. If multiple contexts share an interface and you dont configure unique MAC address the classifier intercepts the packet and does a destination IP address (NAT) lookup. If you dont use unique MAC or NAT then the packet is dropped

58. Know all about redundant interfaces 59. Data not passed to standby unit using Stateful Failover a. HTTP Connections (unless HTTP replication is explicitly enabled) b. Cut-through proxy user-authentication table c. Routing tables d. SSM modules state info e. DHCP server address leases f. Phone proxy info

60. Health is monitored on failover link using hello packets 61. Stateful failover is not supported as ASA 5505. Active/Active failover is not supported either even with the Security Plus License 62. Know ASA failover requirements (hardware and software matching elements 63. You must use a switch when using redundant interface as the failover interface 64. You enable failover with the failover command a. Review the results of show failover command 65. Know the order for Zero-Downtime Failover Pair Upgrade:4 a. Download software to both devices and specify to load new image b. Reload the standby unit c. Force the active unit failover to the standby unit d. Reload the former active unit e. Return the original active unit to the active state 66. To display information about the interfaces that are monitored for failover use show monitor-interface command 67. To choose the SA to route traffic to in a load-sharing scenario, use ECLB and PBR