Course Description
Based on our enhanced SASAC v1.0 and SASAA v1.0 courses, this exclusive, lab-based
course provides you with your own set of equipment and is designed to give you
the most Adaptive Security Appliance (ASA) 9.x and ASA CX-based lab experience
possible in just five days. This course provides 30 different lab scenarios using
Cisco equipment such as: ASA v9.x, ASA 5515 NGFW (Next-Generation Firewall CX),
Access Control Server (ACS 5.4), Context Directory Agent (CDA), Catalyst switch,
Integrated Services Router (ISR), and ASA 55x5.
A typical day will begin with an informal white board lecture by the instructor,
covering topics associated with the day's labs. Afterwards, you will be free to
work on the labs at your own pace and to experiment in the lab environment. Of course,
the instructor will remain available to assist as needed.
ASA 9.x labs can be run in any order, any number of times. ASA-CX labs will be
run consecutively. With the exception of two labs that require two pods to work
together, no coordination with other students is necessary.
What You'll Learn
- Fundamental ASA Configuration from the CLI and ASDM
- Administrative Access using AAA, TACACS+ and Cisco ACS 5.x
- Object (Auto) NAT and Manual (Twice) NAT
- Access Control and Troubleshooting Tools
- Application Inspection and Control (Deep Packet Inspection)
- Bootstrapping and configuring CX and IPS software modules
- Deploying Cisco Context Directory Agent (CDA) with Active Directory
- Features of Cisco ASA 5500-X Series Next-Generation Firewalls (NGFW ASA CX)
- IPS software module integration using Modular Policy Framework and IME
- CX software module integration using Prime Security Manager (PRSM)
- CX access policies for URL and application filtering
- CX identity policies using active and passive authentication
- CX decryption policies
- Cloud Web Security (ScanSafe) integration
- Threat and Botnet Detection
- Dynamic Routing
- Transparent Firewall and bridge groups
- Basic and Advanced Clientless SSL VPN
- Full tunnel SSL VPN using AnyConnect 3.x Secure Mobility Client
- Remote Access IPsec IKEv2 using AnyConnect 3.x
- Easy VPN remote for the SOHO using ASA 5505
- External AAA authentication of VPN users
- PKI and VPN integration
- Host Scan and Dynamic Access Policies (DAP) for VPN
- IPsec VPN Site-to-site between ASAs and with IOS router
- Active/Standby Failover
- ASA clustering including local and spanned EtherChannel
Who Needs to Attend
Network engineers supporting Cisco ASA 9.x implementations
Prerequisites
- Knowledge of the Cisco ASA
- IINS 2.0 - Implementing Cisco IOS Network Security
Follow-On Courses
There are no follow-on courses, but you can take other Cisco security classes
to perfect your security skills, such as:
- SITCS - Implementing Cisco Threat Control Solutions
- SISAS - Implementing Cisco Secure Access Solutions
- SISE - Implementing and Configuring Cisco Identity Services Engine v1.1
- SESA - Securing Email with Cisco Email Security Appliance Parts 1 and 2 2.0
- SWSA - Securing the Web with Cisco Web Security Appliance 2.0
Course Outline
1. Cisco ASA v9.x Essentials
- Firewall Technologies
- Cisco ASA Features, Hardware, and Licenses
2. Basic Connectivity and Device Management
- Managing the Cisco ASA Boot Process
- Configuring the Cisco ASA Using the CLI and ASDM
- Managing the Cisco ASA Basic Upgrade
- Managing Cisco ASA Security Levels and Interfaces
- Cisco ASA as DHCP Client and DHCP Server
3. Network Integration
- Configuring Object (Auto) NAT and Manual NAT
- Connection Table and Local Host Table
- Configuring and Verifying Interface and Global ACLs
- Configuring and Verifying Object Groups and Public Servers
- Static and Dynamic Routing
- Multicast Support
4. Cisco ASA Policy Control
- Cisco Modular Policy Framework (MPF) Overview
- Configuring Layer 3 and Layer 4 Policies
- Configuring Layer 5 to Layer 7 Policies including HTTP and FTP inspection
5. Cisco ASA VPN Common Components
- VPN Types and Components
- VPN Connection Profiles and Group Policies
- AAA Including External Policy Storage
- Dynamic Access Policy for SSL VPN
- PKI for VPN Including Provisioning Server-Side Certificates
- Client-Based Certificate Authentication Including SCEP proxy
6. Cisco Clientless VPN Solution
- Cisco Clientless SSL VPN
- Basic Cisco Clientless SSL VPN
- Cisco Clientless SSL VPN Application Access with Application Plug-Ins and Smart Tunnels
- Client-side Authentication and Authorization Using AAA Server
- Double Client-side Authentication Using AAA Servers
7. Cisco AnyConnect Full Tunnel VPN Solution
- Cisco AnyConnect SSL VPN
- Split Tunneling
- IP Address Pools and Identity NAT
- DTLS and TLS Tunnels
- Cisco AnyConnect Client Configuration Management
- Trusted Network Detection and Start Before Logon options
- Certificate-Based Server Authentication
- Client Enrollment Methods and Certificate-Based Authentication
- Two-Factor Authentication
- Local Authorization and External Authorization
- AnyConnect Support for IKEv2
- Making IPsec the Primary Protocol for a Host Entry
8. Cisco ASA High Availability and Virtualization
- EtherChannel and Redundant Interfaces
- Multiple-Context Mode
9. Cisco Next Generation Firewall
- Cisco ASA 5500-X Series Next-Generation Firewalls
- Cisco ASA 5500-X Series IPS and CX Software Modules
- Introduction to the Cisco ASA Switch Module (ASASM)
- Introduction to the Cisco ASA 1000V Cloud Firewall
10. Cisco ASA Identity Firewall
- Cisco ASA Identity Firewall Solution
- Cisco ASA and Cisco CDA integration
- Using Cisco CDA and Active Directory
11. Cisco ASA CX
- Cisco ASA CX (Next-Generation Firewall)
- Cisco Off-Box PRSM and Cisco ASA CX
- PRSM Device Discovery and Configuration Import
- Cisco ASA CX Policy Objects
- Cisco ASA CX Access Policies
- Cisco ASA CX Identity Policies
- Cisco ASA CX Decryption Policies
- Cisco PRSM for Administration
12. Cisco ASA Cloud Web Security Integration
- Configuring Cisco ASA with Cisco Cloud Web Security
- Licensing Cisco ASA with Cisco Cloud Web Security
13. Cisco ASA IPv6 Enhancements
- Cisco ASA IPv4 and IPv6 Unified ACL
- Other Cisco ASA IPv6 Support Enhancements
14. Cisco ASA Security Group Firewall
- Cisco Security Group Tagging Overview
- Configuring Cisco ASA Security Group Firewall
15. Cisco ASA Multicontext Enhancements
- Cisco ASA Multicontext Mode
- Multicontext Enhancements in Cisco ASA Software Release 9.0
16. Cisco ASA Cluster
- Cisco ASA Cluster Features and Data Flows
- Configure a Cisco ASA Cluster using CLI and ASDM
Note: You will be provided with copies of Cisco official courseware for SASAC
and SASAA in addition to a Global Knowledge ASA Lab Camp guide.
Labs
Remember, ASA 9.x labs can be run in any order, any number of times. ASA-CX labs
will be run consecutively. With the exception of two labs that require two
pods to work together, no coordination with other students is necessary. You can
experiment with your own scenarios or try our cutting-edge labs.
SASAC v1 Labs
Lab 1: ASA Administration and Network Integration
- Clear the Existing Configuration
- Take Inventory of the ASA
- Initialize the ASA
- Enable SSH
- Install ASDM
- Configure Interfaces
- Setup Names and Static Routes
- Configure NTP, Syslog, and SNMP
- Configure DHCP Server
- Install CA Root and Identity Certificates
Lab 2: Network Address Translation
- Object NAT (for Dynamic PAT)
- Object NAT (for Dynamic NAT)
- Object NAT (for Static NAT)
- Manual NAT
- NAT Rule Order
Lab 3: Access Control and Troubleshooting
- Create Object Groups
- Configure Global Policy
- Configure Guest Policy
- Configure Outside Policy
- Configure DMZ Policy
- Configure Inside Policy
- Configure ICMP Policy
- Configure uRPF Policy
- Ping TCP
- Packet Tracer
Lab 4: MPF Basic Application Inspections
- Basic HTTP and FTP Inspection
- TTL Decrement and ISN Randomization
- TCP Normalization and Connection Settings
- Custom Application Support
- QoS with Priority Queuing and Policing
Lab 5: MPF Advanced Application Inspections
- Enforcing HTTP RFC Compliance
- Block an Undesirable HTTP Application
- Filter Commands within FTP
Lab 6: Basic Clientless SSL VPN
- Public CA Certificate
- Configure ASA for DNS
- Enable and Test Clientless SSL VPN
- Connection Profiles and Group Policies
- Local Users on the ASA
- Browsing Policies
- Bookmark Lists
- Navigating without URL Entry
- WebType ACLs
Lab 7: Clientless SSL VPN Applications
- Port Forwarding
- Advanced Bookmarks
- VPN Plugins
- Smart Tunnels
Lab 8: External AAA for Clientless SSL VPN
- AAA Options
- External AAA with LDAP
- External AAA with RADIUS and ACS
Lab 9: Basic AnyConnect SSL VPN
- Configure Address Assignment Policy and Pools
- Enable AnyConnect and Upload Client to the ASA
- Configure SSL Algorithms
- Modify Group Policies
- Install AnyConnect Using WebLaunch
- Configure NAT for Remote Access VPN
- Allow Internet Access via Split Tunneling
- Allow Internet Access via Hairpin
- Modify a Local Group Policy
- Configure a Centralized Group Policy
Lab 10: Advanced AnyConnect SSL VPN
- DTLS and TLS Fallback
- Pre-deploy Install of AnyConnect
- AnyConnect XML Profiles
- Certificates with SCEP proxy
Lab 11: IPsec Remote Access VPN
- Enable IKEv2 IPsec remote access VPN
- Test the IPsec AnyConnect Profile
- IKEv2 with SCEP Proxy
Lab 12: Active-Standby High Availability
- Prepare for this Lab
- Prepare the Primary-ASA for Failover via ASDM
- Configure the Failover Prompt
- Prepare the Secondary-ASA for Failover via the CLI
- Turn Failover On and Verify Status
- Test Failover Operation
- Return to a Normal State
- Demonstrate Configuration Replication
SASAA v1.0 Labs
Lab 1: Cisco ASA 5500-X IPS and CX Software Module Setup
- Install the IPS Software Module
- Redirect All Traffic to the IPS Software Module
- Explore IPS Management Options
- Trigger IPS Signatures
- Uninstall the IPS Software Module
- Install and Setup the CX Software Module
Lab 2: Context Directory Agent Configuration
- Work with CDA CLI and GUI
- Configure CDA Communications to ASA, AD, and Syslog
Lab 3: ASA Identity-Based Firewall Configuration
- Configure ASA to AD Communications
- Configure ASA to CDA Communications
- Setup ASA User-Identity Options
- Configure Identity-Based Access Control
Lab 4: ASA CX and PRSM Exploration
- Explore the ASA CX CLI
- Explore the On-Box PRSM GUI
- Redirect Traffic to the ASA CX
- Work with System Default ASA CX Policy Objects
- Create Custom ASA CX Policy Objects
Lab 5: ASA CX Access Policy Configuration
- Deny Access to Unacceptable Websites
- Deny Any Video File Download
- Deny Access to Websites with a Bad Reputation
- Configure ASA CX Access Policies
Lab 6: ASA CX Identity Policy Configuration
- Configure an Identity Policy Using Active Authentication
- Configure an Identity Policy Using Passive Authentication
- Configure Access Policies Using Identity Objects
Lab 7: ASA CX Decryption Policy Configuration
- Install K9 Licensing
- Configure a Cisco ASA CX Decryption Policy
- Configure Access Policies to Provide Granular Facebook Control
Lab 8: PRSM Administration
- Manage PRSM User Accounts
- Download the ASA CX and PRSM Logs
- Examine SIO Updates
- Use the Database Backup Option
- Examine the PRSM Dashboard, Reports, and Change History
- Disable Traffic Redirection to the ASA CX on the ASA
Lab 9: Cisco ASA and Cloud Web Security Integration
- Understand the Cloud Web Security Web Filtering Policy
- Download the Cloud Web Security License File
- Configure ASA-to-Cloud Web Security Integration
Lab 10: ASA Cluster Configuration
- Configure Spanned EtherChannel Mode on Each ASA
- Configure the Cluster Hostname on the Odd Pod ASA
- Configure the CCL Using a Local EtherChannel on Each ASA
- Configure the Management Interface in Individual Mode (L3) on the Odd Pod ASA
- Configure the Data Interfaces in Spanned EtherChannel (L2) Mode on the Odd Pod ASA
- Configure the Cluster Bootstrap Configurations and Enable Clustering on Each ASA
- Verify and Manage the Cluster Operations using the CLI
- Verify the Cluster Operations using ASDM
- Verify HTTP Connections through the Cluster
- Configure the ASA Firewall Policy on the Master Unit
- Simulate a Master Unit Failure and Observe Results
ASA Lab Camp Add-On Labs:
Lab 1: Dynamic Routing
- Configure Non-ASA Devices for EIGRP and OSPF
- Modify the ASA in Preparation for Dynamic Routing
- Configure OSPF on the ASA
- Configure EIGRP on the ASA
- Verify Routing Operations
- Enable Route Redistribution and Verify the Results
Lab 2: Threat Detection
- Working with Basic Threat Detection
- Interpreting Threat Detection Statistics
- Configure and Verify TCP Intercept
Lab 3: Botnet Traffic Filter
- Configure the Botnet Traffic Filter Using the Dynamic Database
- Configure the Botnet Traffic Filter Using the Static Database
Lab 4: IKEv1 Site-to-Site VPN (ASA to IOS router)
- Configure the HQ-ASA for Site-to-Site VPN
- Verify an IKEv1 Policy
- Build the Site-to-Site Connection Profile
- Configure NAT Exemption
- Monitor Tunnel Establishment
- Verify Tunnel Status
- Control Site-to-Site Traffic with a Filter
- Update the VPN Configuration for PKI Support
Lab 5*: Hardware Easy VPN (ASA 5505 to ASA 5515)
- Configure the Easy VPN Server
- Configure the Easy VPN Remote
- Verify Easy VPN Client Mode
- Implement Network Extension Mode
- Work with Extended Authentication Options
Lab 5*: IKEv2 Site-to-Site VPN (ASA to ASA)
- Setup an IKEv2 Site-to-Site VPN
- Verify an IKEv2 Site-to-Site VPN
Lab 6: ACS 5.x and TACACS+ for Administrative Access
- Work with Privilege Level Authorization
- Configure ACS and ASA Communication
- Configure ACS Integration with Active Directory
- Implement User Authentication using TACACS+
- Institute User Authorization using TACACS+
- Add Command Authorization using TACACS+
- Explore Command Accounting using TACACS+
Lab 7: Transparent Firewall
- Configure Transparent Firewall Mode
- Create Bridge Groups, Interfaces, and Management Address
- Test Connectivity through the Security Appliance
- Prepare the ASA for and Launch ASDM
- Define and Test Inbound Policy with ASDM
Lab 8: Host Scan and Dynamic Access Policies and VPN
- Enable Host Scan and Examine Anti-Spyware Software on an Endpoint
- Deploy DAP to Evaluate Endpoint Posture Status
- Deploy Anti-Virus Posture
*ASA Lab Camp Lab 5 has two distinctive parts: Hardware Easy VPN and IKEv2
Site-to-Site VPN.