deploying cisco asa firewall solutions for ccnp...
Post on 25-Mar-2018
© 2012 Cisco and/or its affiliates. All rights reserved. BRKCRT-8104 Cisco Public
Deploying Cisco ASA Firewall Solutions
for CCNP Security BRKCRT-8104
Mark Bernard, CCIE (Security 23846)
Agenda
Overview of CCNP Security
FIREWALL Exam Information
FIREWALL Topics: Technical Introduction
What You Need to Know
Sample Questions
Q & A
Disclaimer/Warning
This session will strictly adhere to Cisco’s rules of confidentiality
‒ We may not be able to address specific questions
‒ If you have taken the exam please refrain from asking questions from the exam—this is a protection from disqualification
‒ We will be available after the session to direct you to resources to assist with specific questions or to provide clarification
CCNP Security Certified Means…
•All four CCNP Security exams required. No elective options.
•Some legacy CCSP exams may qualify for CCNP Security credit. See FAQ:
https://learningnetwork.cisco.com/docs/DOC-10424
Exam No  Exam Name
642-637  Securing Networks with Cisco Routers and Switches (SECURE)
642-627  Implementing Cisco Intrusion Prevention System (IPS)
642-618  Deploying Cisco ASA Firewall Solutions (FIREWALL)
642-648  Deploying Cisco ASA VPN Solutions (VPN)
"Cisco CCNP Security and Cisco’s Qualified Specialist—showed healthy numbers, as well, with a $93,995 average for the security title and an $87,247 average for those of you holding one or more of Cisco’s 20-plus Qualified Specialist certifications."
TCPmag.com, Redmond Media Group
642-618 FIREWALL v2.0 Exam
90-minute exam
Register with Pearson Vue
‒ www.vue.com/.cisco
Exam cost is $200.00 US
Special Exam Measures
Include the use of digital photographs for candidate-identity verification
Forensic analysis of testing data
Photo on Score Report and Web
Preliminary Score Report
Source: http://newsroom.cisco.com/dlls/2008/prod_072208.html
Preparing for the FIREWALL v2.0 Exam
Recommended reading
CCNP Security Firewall 642-618 Quick Reference
CCNP Security FIREWALL 642-618 Official Cert Guide
Recommended training via CLP
DEPLOYING CISCO ASA FIREWALL SOLUTIONS V2.0
Cisco learning network
www.cisco.com/go/learnnetspace
Practical experience
Testing Implementation Skills
Question formats
Declarative—a declarative exam item tests simple recall of pertinent facts
Procedural—a procedural exam item tests the ability to apply knowledge to solve a given issue
Complex procedural—A complex procedural exam item tests the ability to apply multiple knowledge points to solve a given issue
Types of questions
Drag and drop
Multiple choice
Simulation and simlet
Test Taking Tips
Rule out the nonsense
Look for the best answer when multiple exist
Look for subtle keys
Narrow it down
Relate to how the device works
Don’t waste too much time
Test Taking Tips
It’s not possible to cover everything!
We want you to get a feel for the technical level of the exam, not every
topic possible
Give you suggestions, resources, some examples
Will focus on key topics
High-Level Topics
Cisco ASA Adaptive Security Appliance Basic Configurations
ASA Routing Features
ASA Inspection Policy
ASA Advanced Network Protections
ASA High Availability
Topic 1: What You Need to Know
Identify the ASA product family
Implement ASA licensing
Manage the ASA boot process
Implement ASA interface settings
Implement ASA management features
Implement ASA access control features
Implement Network Address Translation (NAT) on the ASA
Implement ASDM public server feature
Implement ASA quality of service (QoS) settings
Implement ASA transparent firewall
Cisco ASA 5500 Series Portfolio
Figure: the models are plotted by performance and scalability and positioned across the Data Center, Campus, Branch Office and Internet Edge segments.
Multi-Service (Firewall/VPN and IPS):
‒ ASA 5585-X SSP-60 (40 Gbps, 350K cps)
‒ ASA 5585-X SSP-40 (20 Gbps, 200K cps)
‒ ASA 5585-X SSP-20 (10 Gbps, 125K cps)
‒ ASA 5585-X SSP-10 (4 Gbps, 50K cps)
‒ ASA 5555-X (4 Gbps, 50K cps) NEW
‒ ASA 5545-X (3 Gbps, 30K cps) NEW
‒ ASA 5525-X (2 Gbps, 20K cps) NEW
‒ ASA 5515-X (1.2 Gbps, 15K cps) NEW
‒ ASA 5512-X (1 Gbps, 10K cps) NEW
‒ ASA 5550 (1.2 Gbps, 36K cps)
‒ ASA 5540 (650 Mbps, 25K cps)
‒ ASA 5520 (450 Mbps, 12K cps)
‒ ASA 5510 + (300 Mbps, 9K cps)
‒ ASA 5510 (300 Mbps, 9K cps)
Firewall/VPN Only (SOHO):
‒ ASA 5505 (150 Mbps, 4K cps)
Implement ASA licensing
Install and Verify Licensing
Using ASDM
Install and Verify Licensing
Using ASDM (Cont.)
Manage the ASA boot process
To change the OS boot image to a new image name, enter the following:
asa(config)# clear configure boot
asa(config)# boot system {disk0:/ | disk1:/}[path/]new_filename
For example:
asa(config)# clear configure boot
asa(config)# boot system disk0:/asa841-k8.bin
To configure the ASDM image to the new image name, enter the following command:
asa(config)# asdm image {disk0:/ | disk1:/}[path/]new_filename
Save the configuration and reload:
asa(config)# write memory
asa(config)# reload
Implement ASA interface settings
1. Interface name
2. Interface security level
3. IP address and subnet mask
4. Enable interface
Figure: Inside 192.168.1.80/24, Outside 10.1.1.80/24 toward the Internet.
asa(config)# interface ethernet0/0
asa(config-if)# nameif inside
asa(config-if)# security-level 100
asa(config-if)# ip address 192.168.1.80 255.255.255.0
asa(config-if)# no shutdown
Configure Network and Interface Settings (Cont.)
Inter-Interface or Intra-Interface Communication
Implement ASA management features
To configure the firewall for ASDM access via the CLI:
asa(config)# http server enable
asa(config)# http 192.168.1.2 255.255.255.255 inside
To configure the firewall for SSH access via the CLI:
asa(config)# crypto key generate rsa modulus 1024
asa(config)# write memory
asa(config)# aaa authentication ssh console LOCAL
WARNING: local database is empty! Use 'username' command to define local users.
asa(config)# username asauser1 password asauser1_password
asa(config)# ssh 192.168.1.2 255.255.255.255 inside
asa(config)# ssh timeout 30
Implement ASA User Roles
Setting Privilege Level
Security Appliance ACL Configuration
Security appliance configuration philosophy is interface based
Interface ACL permits or denies the initial packet incoming or outgoing on that interface
Return traffic does not need to be specified if inspected
If no ACL is attached to an interface, the following ASA policy applies
‒ Outbound packet is permitted by default
‒ Inbound packet is denied by default
ACLs can be simplified by defining object groups for IP addresses and services
Figure: an ACL for inbound access is applied on the outside interface; an ACL to deny outbound access is applied on the inside interface.
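An added example (not from the slides) of the interface-based philosophy described above, using object groups to keep the entries short; the server addresses, ports and the telnet rule are constructed for illustration:

```cisco
! Added example, not from the slides; addresses and ports are constructed.
! Object groups keep the ACL entries short and readable.
object-group network DMZ-WEB-SERVERS
 network-object host 192.168.1.23
 network-object host 192.168.1.100
object-group service WEB-PORTS tcp
 port-object eq www
 port-object eq https
!
! Inbound ACL on the outside interface: attaching an ACL replaces the
! default inbound deny, so only the permitted initial packets get through.
! On 8.3 and later the ACL references the real (untranslated) server address.
access-list OUTSIDE-IN extended permit tcp any object-group DMZ-WEB-SERVERS object-group WEB-PORTS
access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface outside
!
! Outbound ACL on the inside interface: attaching an ACL also replaces the
! default outbound permit, so end with an explicit permit for everything else.
access-list INSIDE-OUT extended deny tcp any any eq telnet log
access-list INSIDE-OUT extended permit ip any any
access-group INSIDE-OUT in interface inside
!
! Return traffic needs no entry: inspected connections are tracked statefully.
! Hit counts per entry show which rules are actually being used.
show access-list OUTSIDE-IN
show access-list INSIDE-OUT
```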
NAT Overview
Network Address Translation (NAT) and Port Address Translation (PAT)
Used to translate IP addresses and ports
Not required by default (NAT control is disabled)
Concepts
Static NAT and static policy NAT
Dynamic NAT and dynamic policy NAT
Identity NAT
NAT Post ASA Version 8.3
NAT is redesigned in 8.3 and above to simplify operations:
A single rule to translate the source and destination IP address.
You can also manually establish the order in which NAT rules are processed.
Introduction of NAT to "any" interface
Two NAT modes available in 8.3 and above
Network Object NAT: translation rule that defines a network object. Well suited for source-only NAT
Sometimes referred to as "Auto-NAT"
Manual NAT: Policy based NAT when the source and destination addresses need to be considered
Sometimes referred to as Twice NAT
Dynamic NAT Using Network Object NAT
The following example configures dynamic NAT that maps (dynamically hides) the 10.1.1.0 network to the outside interface address:
asa(config)# object network Network-Inside-Out
asa(config-network-object)# subnet 10.1.1.0 255.255.255.0
asa(config-network-object)# description Nat Inside Users To Outside Interface
asa(config-network-object)# nat (inside,outside) dynamic interface
Figure: inside hosts 10.1.1.100, 10.1.1.101 and 10.1.1.102 reach an external web server on the Internet through the outside interface address 96.33.100.1.
Network Object NAT On The ASDM
Select Network Object, then check Auto Translation Rule
Static Object NAT Example
The following example configures a translation to a Web Server in the DMZ. The external address in DNS is 96.33.100.5 and the internal address is 192.168.1.23:
asa(config)# object network DMZ-WEBSERVER
asa(config-network-object)# host 192.168.1.23
asa(config-network-object)# description Static Nat For DMZ WebServer
asa(config-network-object)# nat (dmz,outside) static 96.33.100.5
asa(config-network-object)# exit
asa(config)# access-list outside-in permit ip any host 192.168.1.23
asa(config)# access-group outside-in in interface outside
Figure: an external host on the Internet connects to 96.33.100.5, which the ASA translates to the DMZ web server at 192.168.1.23.
Static PAT (Object NAT)
Used to create a translation between an outside interface and a local IP address/port.
– 96.33.100.2/HTTP redirected to 192.168.1.100/HTTP
– 96.33.100.2/FTP redirected to 192.168.1.101/FTP
Figure: an external user on the Internet sends HTTP and FTP to 96.33.100.2; the ASA forwards HTTP to 192.168.1.100 and FTP to 192.168.1.101.
Static PAT (Object NAT)
asa(config)# object network DMZ-WEBSERVER
asa(config-network-object)# host 192.168.1.100
asa(config-network-object)# nat (dmz,outside) static interface service tcp www www
asa(config)# object network DMZ-FTPSERVER
asa(config-network-object)# host 192.168.1.101
asa(config-network-object)# nat (dmz,outside) static interface service tcp ftp ftp
Manual Twice NAT
asa(config)# object network contractors
asa(config-network-object)# subnet 10.2.2.0 255.255.255.0
asa(config)# object network translated-ip
asa(config-network-object)# host 96.33.100.100
asa(config)# object network cisco-dot-com
asa(config-network-object)# host 64.32.2.4
asa(config-network-object)# exit
asa(config)# nat (inside,outside) source static contractors translated-ip destination static cisco-dot-com cisco-dot-com
Figure: inside users (10.1.1.0) and contractors (10.2.2.0) sit behind the inside interface; the outside interface address is 96.33.100.1, and contractors appear as 96.33.100.100 only when going to www.cisco.com (64.32.2.4).
Identity NAT Example (Manual NAT)
asa(config)# object network vpn-subs
asa(config-network-object)# range 192.168.3.1 192.168.3.63
asa(config-network-object)# exit
asa(config)# nat (inside,outside) source static inside-net inside-net destination static vpn-subs vpn-subs
Figure: a packet from 10.1.1.15 to 192.168.3.3 (Branch A, across the VPN tunnel) leaves the outside interface unchanged: original packet 10.1.1.15 -> 192.168.3.3, translated packet 10.1.1.15 -> 192.168.3.3.
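An added example (not from the slides) of checking which NAT rule wins for the objects configured in the preceding NAT slides, using the post-8.3 ordering (manual NAT first, then object NAT with static rules before dynamic); the test host addresses are constructed:

```cisco
! Added example, not from the slides; the traced host addresses are constructed.
! Post-8.3 rule order: section 1 (manual/twice NAT), then section 2 (object NAT,
! static before dynamic), then section 3 (manual NAT "after-auto").
show nat detail
!
! Contractor 10.2.2.10 to www.cisco.com (64.32.2.4): the manual rule
! (contractors -> translated-ip, destination cisco-dot-com) is in section 1,
! so the NAT phase of the trace names that rule.
packet-tracer input inside tcp 10.2.2.10 40000 64.32.2.4 80
!
! Inside user 10.1.1.100 to the same host: no manual rule matches, so the
! object NAT rule Network-Inside-Out (dynamic interface PAT) applies.
packet-tracer input inside tcp 10.1.1.100 40000 64.32.2.4 80
!
! Contractor 10.2.2.10 to any other Internet host: nothing covers 10.2.2.0/24
! for that destination, so the packet leaves untranslated; treat that as a
! configuration gap to close, not as expected behaviour.
packet-tracer input inside tcp 10.2.2.10 40000 198.51.100.9 80
!
! Inbound to the DMZ web server: the static object rule is applied and the
! outside ACL must reference the real address 192.168.1.23.
packet-tracer input outside tcp 198.51.100.9 40000 96.33.100.5 80
!
! Active translations and per-rule hit counts.
show xlate
show nat
```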
Implement ASA quality of service (QoS) settings
Implement ASA transparent firewall
Explain Differences Between L2 and L3 Operating Modes
The security appliance can run in two mode settings:
‒ Routed—based on IP address
‒ Transparent—based on MAC address
The following features are not supported in transparent mode:
‒ NAT
‒ Dynamic routing protocols
‒ IPv6
‒ DHCP relay
‒ Quality of service
‒ Multicast
‒ VPN termination for through traffic
Figure: in routed mode the ASA joins two subnets (10.0.1.0 on VLAN 100, 10.0.2.0 on VLAN 200); in transparent mode VLAN 100 and VLAN 200 carry the same subnet, 10.0.1.0.
Configure Security Appliance for Transparent Mode (L2)
Layer 3 traffic must be explicitly permitted
Each directly connected network must be on the same subnet
The management IP address must be on the same subnet as the connected network
Do not specify the firewall appliance management IP address as the default gateway for connected devices
Devices need to specify the router on the other side of the firewall appliance as the default gateway
Each interface must be a different VLAN interface
Figure: VLAN 100 and VLAN 200 both carry 10.0.1.0; the management IP address is 10.0.1.1; hosts 10.0.1.3 and 10.0.1.4 use the router at 10.0.1.10, on the far side of the ASA toward the Internet, as their gateway.
asa(config)# firewall transparent
Switched to transparent mode
asa(config)# show firewall
Firewall mode: Transparent
Verify the Firewall Mode of the Security Appliance Using ASDM
Topic 2: What You Need to Know
Implement ASA static routing
Implement ASA dynamic routing
ASA Routing Capabilities
Static routing
Dynamic routing
‒ RIP
‒ OSPF
‒ EIGRP
Multicast Stub or Bi-directional PIM
Implement ASA static routing
Configuring Static Routes
Figure: the outside next hop toward the Internet is 10.10.10.1.
asa(config)# route outside 0 0 10.10.10.1
asa(config)# sh run | inc route
route outside 0.0.0.0 0.0.0.0 10.10.10.1 1
route inside 192.168.10.0 255.255.255.0 192.168.1.2 1
route inside 192.168.10.0 255.255.255.0 192.168.2.1 2
route inside 192.168.30.0 255.255.255.0 192.168.1.2 1
Implement ASA Dynamic routing
Configuring EIGRP (Step 1)
Configuring EIGRP (Step 2)
Configuring EIGRP (Step 3)
Configure VLANs
Physical interfaces are separated into sub-interfaces (logical interfaces)
802.1Q trunking
Figure: a single trunk port carries vlan10, vlan20 and vlan30 to the ASA sub-interfaces dmz1 (172.16.10.1), dmz2 (172.16.20.1) and dmz3 (172.16.30.1), which host a public server, a partner server and a proxy server; the 192.168.1.0 and 10.1.1.0 networks and the Internet are also shown.
Logical and Physical Interfaces
Topic 3: What You Need to Know
Implement ASA inspections features
Advanced Protocol Inspection
Advanced protocol inspection gives you options such as the following for defending against application layer attacks:
Blocking *.exe attachments
Prohibiting use of Kazaa or other peer-to-peer file-sharing programs
Setting limits on URL lengths
Prohibiting file transfer or whiteboard as part of IM sessions
Protecting your web services by ensuring that XML schema is valid
Resetting a TCP session if it contains a string you know is malicious
Dropping sessions with packets that are out of order
Configuring Layer 3/4 Inspection
1. Create a Layer 3/4 class map to identify traffic by matching:
‒ An ACL
‒ Any packet
‒ The default inspection traffic
‒ A DSCP value
‒ A destination IP address
‒ TCP or UDP ports
‒ IP precedence
‒ RTP ports
‒ A tunnel-group
2. Create a Layer 3/4 policy map to associate one of the following policy actions with traffic defined in a Layer 3/4 class map:
‒ TCP normalization
‒ TCP and UDP connection limits and timeouts
‒ TCP sequence number randomization
‒ Application inspection
‒ Cisco CSC
‒ Cisco IPS
‒ QoS policing
‒ QoS priority queuing
3. Use a service policy to activate the Layer 3/4 policy.
Configuring Layer 7 Inspection
1. Create a Layer 7 class map to identify traffic by matching criteria specific to applications:
‒ DNS
‒ FTP
‒ H.323
‒ HTTP
‒ IM
‒ RTSP
‒ SIP
2. Create a Layer 7 policy map to defend against Application Layer attacks by referencing a Layer 7 class-map and applying an action
3. Create a Layer 3/4 policy map to associate traffic defined in a Layer 3/4 class map and reference the Layer 7 policy map
4. Use a service policy to activate the Layer 3/4 policy on an interface or globally
Layer 3/4 Class Maps vs. Layer 7 Class Maps
Layer 3/4 class maps:
‒ Match traffic based on protocols, ports, IP addresses, and other layer 3 or 4 attributes: ACL, any packet, default inspection traffic, IP differentiated services code point, TCP and UDP ports, IP precedence, RTP port numbers, VPN tunnel group
‒ Typically contain only one match condition
‒ Are mandatory MPF components
Layer 7 class maps:
‒ Work with layer 7 policy maps to implement advanced protocol inspection
‒ Match criteria is specific to one of the following applications: DNS, FTP, H.323, HTTP, IM, RTSP, SIP
‒ Enable you to specify a not operator for a match condition
‒ Can contain one or more match conditions
‒ Can use regular expressions as match criteria
‒ Are optional MPF components (match criteria can be specified in a layer 7 policy map instead)
Layer 3/4 Policy Maps vs. Layer 7 Policy Maps
Layer 3/4 policy maps:
‒ Used to create the following policy types: application inspection, TCP normalization, TCP and UDP connection limits and timeouts, TCP sequence number randomization, Cisco CSC, Cisco IPS, QoS input policing, QoS output policing, QoS priority queue
‒ Must be applied to an interface or globally via a service policy
‒ Are mandatory MPF components
Layer 7 policy maps:
‒ Implement advanced protocol inspection, which defends against application layer attacks
‒ Also called Inspection Policy Maps
‒ Can be used for advanced inspection of: DCERPC, DNS, ESMTP, FTP, GTP, H.323, HTTP, IM, IPsec Pass Through, MGCP, NetBIOS, RTSP, SCCP (Skinny), SIP, SNMP
‒ Must be applied to a layer 3/4 policy map
‒ Are optional MPF components
Filtering FTP Commands:
Layer 7 Policy Map
Filtering FTP Commands:
Layer 7 Policy Map (Cont.)
Filtering FTP Commands:
Service Policy Rule
Filtering FTP Commands:
Service Policy Rule (Cont.)
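As an added example (not the content of the ASDM screenshots above), the CLI form of filtering FTP commands: a Layer 7 class map and policy map, referenced from a Layer 3/4 policy map and activated by a service policy, in the order the four steps describe. The map names, the blocked command set and the inside interface are assumptions.

```cisco
! Added example, not from the slides; names and the blocked commands are assumed.
! Step 1: Layer 7 class map matching the FTP commands to be refused
! (valid keywords: appe cdup dele get help mkd put rmd rnfr rnto site stou).
class-map type inspect ftp match-any FTP-RESTRICTED-CMDS
 match request-command put site appe stou
!
! Step 2: Layer 7 (inspection) policy map; reset the session and log a hit,
! and hide server banners so version strings are not exposed to clients.
policy-map type inspect ftp FTP-POLICY
 parameters
  mask-banner
  mask-syst-reply
 class FTP-RESTRICTED-CMDS
  reset log
!
! Step 3: Layer 3/4 class map for FTP control connections, and a Layer 3/4
! policy map that applies strict FTP inspection with the Layer 7 map.
class-map FTP-TRAFFIC
 match port tcp eq ftp
policy-map INSIDE-POLICY
 class FTP-TRAFFIC
  inspect ftp strict FTP-POLICY
!
! Step 4: service policy activating it on the inside interface
! (one interface policy may coexist with the global_policy).
service-policy INSIDE-POLICY interface inside
!
! Verify that the inspection is attached and counting packets.
show service-policy interface inside inspect ftp
```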
Topic 4: What You Need to Know
Configure Threat Detection on the ASA
Implement ASA Botnet Traffic Filter
Task Flow for Configuring the ASA Botnet Traffic Filter
To configure the Botnet Traffic Filter, perform the following steps:
1. Enable use of the dynamic database.
2. (Optional) Add static entries to the database.
3. Enable DNS snooping.
4. Enable traffic classification and actions for the Botnet Traffic Filter.
5. (Optional) Block traffic manually based on syslog message information.
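The five steps above as ASA CLI, added here as an example rather than taken from the slides; the static list entries, the outside interface name and the use of the default global_policy are assumptions.

```cisco
! Added example, not from the slides; list entries and interface name are assumed.
! Step 1: download the dynamic database and use it for classification.
dynamic-filter updater-client enable
dynamic-filter use-database
!
! Step 2 (optional): static entries. Names are resolved through DNS snooping;
! addresses are matched directly. Values here are constructed.
dynamic-filter blacklist
 name bad.example.com
 address 203.0.113.0 255.255.255.0
dynamic-filter whitelist
 name good.example.com
!
! Step 3: DNS snooping builds the name-to-address cache from inspected
! DNS replies, so the default DNS inspection is extended with the snoop option.
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map dynamic-filter-snoop
!
! Step 4: classify traffic on the outside interface and drop what matches
! the blacklist instead of only logging it.
dynamic-filter enable interface outside
dynamic-filter drop blacklist interface outside
!
! Step 5 (optional): hosts reported in the Botnet Traffic Filter syslog
! messages can be blocked manually with an inbound ACL entry or a shun.
!
! Verify database status, classification counters and top offenders.
show dynamic-filter updater-client
show dynamic-filter statistics
show dynamic-filter reports top botnet-sites
```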
Configure Threat Detection
Basic threat detection
- Blocks attackers by monitoring rate of dropped packets and security events per second
- When event thresholds are exceeded, attackers are blocked
- Enabled by default
Scanning threat detection
- Blocks attackers performing port scans
- Disabled by default
Figure: an attacker on the Internet targeting a DMZ server through the ASA.
Configuring Threat Detection
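An added CLI example for the two threat-detection modes described above (not from the slides); the rate values, the shun duration and the excepted management host 192.168.1.2 are assumptions.

```cisco
! Added example, not from the slides; thresholds and the excepted host are assumed.
! Basic threat detection is on by default; each drop category has a rate
! threshold that can be tuned, here the DoS-drop rate over a 10-minute window.
threat-detection basic-threat
threat-detection rate dos-drop rate-interval 600 average-rate 100 burst-rate 400
!
! Scanning threat detection is off by default. With "shun" the ASA blocks a
! host it classifies as a scanner; exclude the management station so a
! legitimate scan from it can never lock you out.
threat-detection scanning-threat shun except ip-address 192.168.1.2 255.255.255.255
threat-detection scanning-threat shun duration 3600
!
! Statistics show who is being flagged (host statistics cost CPU and memory,
! so keep the rate count low on busy units).
threat-detection statistics host number-of-rate 2
threat-detection statistics access-list
!
! Verify thresholds, detected scanners/targets and active shuns.
show threat-detection rate
show threat-detection scanning-threat
show threat-detection shun
```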
Topic 5: What You Need to Know
Implement ASA Interface redundancy and load sharing features
Implement ASA virtualization feature
Implement ASA stateful failover
Implement ASA Interface redundancy and load sharing features
Configure Redundant Interfaces Using ASDM
A logical redundant interface pairs an active and a standby physical interface.
When the active interface fails, the standby interface becomes active and starts passing traffic.
Used to increase the adaptive security appliance reliability.
You can monitor redundant interfaces for failover using the monitor-interface command
Configure Redundant Interfaces Using ASDM (Cont.)
Select Add Interface, then select Redundant Interface
Configure Redundant Interfaces Using ASDM (Cont.)
Configuring EtherChannel Interfaces
EtherChannel Example
Note: The device to which you connect the ASA EtherChannel must also support 802.3ad EtherChannels
EtherChannel Configuration
Select Add Interface
Select EtherChannel Interface
EtherChannel Configuration
channel-group 1 mode passive
interface Port-channel1
lacp max-bundle 4
port-channel min-bundle 2
port-channel load-balance dst-ip
interface GigabitEthernet0/0
channel-group 1 mode active
interface GigabitEthernet0/1
channel-group 1 mode active
Implement ASA virtualization feature
Virtual Firewalls
Enables a physical firewall to be partitioned into multiple standalone firewalls
Each standalone firewall acts and behaves as an independent entity with its own
‒ Configuration
‒ Interfaces
‒ Security Policy
‒ Routing Table
Example scenarios to use Virtual Firewalls
‒ Education network that wants to segregate student networks from teacher networks
‒ Service provider that wants to protect several customers without a physical firewall for each.
‒ Large enterprise with various departments
Figure: an Active/Active pair with contexts 1 and 2 on each unit (Secondary: Active/Active; Primary: Failed/Standby).
Active/Active Failover Configuration
1. Cable the interfaces on both ASAs
2. Ensure that both ASAs are in multiple context mode
3. Configure contexts and allocate interfaces to contexts
4. Enable and assign IP addresses to each interface that is allocated to a context
5. Prepare both security appliances for configuration via ASDM
6. Use the ASDM high availability and scalability Wizard to configure the ASA for failover
7. Verify that ASDM configured the secondary ASA with the LAN-based failover command set
8. Save the configuration to the secondary ASA to flash
Figure: two ASAs with interfaces g0/0 to g0/4; CTX1 belongs to failover group 1 and CTX2 to failover group 2; the failover link uses 172.17.2.1 and 172.17.2.7.
Implement ASA stateful failover
Hardware and Stateful Failover
Hardware failover
‒ Connections are dropped
‒ Client applications must reconnect
‒ Provided by serial or LAN-based failover link
‒ Active/Standby—only one unit can be actively processing traffic while other is hot standby
‒ Active/Active—both units can actively process traffic and serve as backup units
Stateful failover
‒ TCP connections remain active
‒ No client applications need to reconnect
‒ Provides redundancy and stateful connection
‒ Provided by stateful link
Explain the Hardware, Software, and Licensing Requirements for High-Availability
The primary and secondary security appliances must be identical in the following requirements:
‒ Same model number and hardware configurations
‒ Same software versions
‒ Same features (DES or 3DES)
‒ Same amount of Flash memory and RAM
‒ Proper licensing
Figure: Active/Standby (Primary: Standby, Secondary: Active) and Active/Active (contexts 1 and 2 on each unit; Secondary: Active/Active, Primary: Failed/Standby).
Active/Standby Failover Configuration Concepts
One ASA acts as the active or primary and the other acts as a secondary or standby firewall
Primary and secondary communicate over a configured interface, the LAN-based failover interface
The primary is active and passes traffic; in the event of a failure the secondary takes over
Figure: primary fw1 and the secondary share the inside network 192.168.2.0 (.1 active, .7 standby), the outside network 10.0.2.0 (.2 active, .7 standby) toward the Internet, and the failover network 172.17.2.0 (.1 and .7).
Active/Standby Failover Configuration Steps
1. Cable the interfaces on both ASAs
2. Prepare both security appliances for configuration via ASDM
3. Use the ASDM high availability and scalability Wizard to configure the primary ASA for failover
4. Verify that ASDM configured the secondary ASA with the LAN-based failover command set
5. Save the configuration to the secondary ASA to flash
Figure: primary fw1 and the secondary share the inside network 192.168.2.0 (.1 active, .7 standby), the outside network 10.0.2.0 (.2 active, .7 standby) toward the Internet, and the failover network 172.17.2.0 (.1 and .7).
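An added example, not the wizard's output, showing the CLI equivalent of the Active/Standby steps above with the addresses from the figure; the physical interface assignments, the FOLINK name and the shared-secret placeholder are assumptions.

```cisco
! Added example, not from the slides; interface assignments and FOLINK are assumed.
! --- Primary unit (fw1): the full configuration replicates to the secondary ---
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 10.0.2.2 255.255.255.0 standby 10.0.2.7
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0 standby 192.168.2.7
! Dedicated failover interface; it must be enabled but gets no nameif.
interface GigabitEthernet0/2
 no shutdown
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/2
failover interface ip FOLINK 172.17.2.1 255.255.255.0 standby 172.17.2.7
! Stateful link reuses the failover interface so TCP connections survive a switchover.
failover link FOLINK GigabitEthernet0/2
! Shared key authenticates failover messages; replace the placeholder.
failover key REPLACE-WITH-SHARED-SECRET
failover
!
! --- Secondary unit: only this bootstrap; everything else comes from the primary ---
interface GigabitEthernet0/2
 no shutdown
failover lan unit secondary
failover lan interface FOLINK GigabitEthernet0/2
failover interface ip FOLINK 172.17.2.1 255.255.255.0 standby 172.17.2.7
failover link FOLINK GigabitEthernet0/2
failover key REPLACE-WITH-SHARED-SECRET
failover
!
! --- Verify on either unit: roles, monitored interfaces, state sync ---
show failover
show failover state
```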
Configure Active/Standby Using ASDM (Step 1 of 6)
Select Active/Standby
Configure Active/Standby Using ASDM (Step 2 of 6)
Configure Active/Standby Using ASDM (Step 3 of 6)
Configure Active/Standby Using ASDM (Step 4 of 6)
Configure Active/Standby Using ASDM (Step 5 of 6)
Configure Active/Standby Using ASDM (Step 6 of 6)
Active/Active Failover Configuration
1. Cable the interfaces on both ASAs
2. Ensure that both ASAs are in multiple context mode (mode multiple)
3. Configure contexts and allocate interfaces to contexts
4. Enable and assign IP addresses to each interface that is allocated to a context
5. Prepare both security appliances for configuration via ASDM
6. Use the ASDM high availability and scalability Wizard to configure the ASA for failover
7. Verify that ASDM configured the secondary ASA with the LAN-based failover command set
8. Save the configuration to the secondary ASA to flash
Figure: two ASAs with interfaces g0/0 to g0/4; CTX1 belongs to failover group 1 and CTX2 to failover group 2; the failover link uses 172.17.2.1 and 172.17.2.7.
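An added example (not from the slides or the ASDM wizard) of the system execution space for the CTX1/CTX2 design in the figure, covering steps 2 and 3 and the failover-group side of step 6 in CLI form; the interface allocation, Management0/0, the config-url paths and the FOLINK name are assumptions.

```cisco
! Added example, not from the slides; allocation, paths and FOLINK are assumed.
! Step 2: convert to multiple context mode (the unit reloads; continue in the
! system execution space afterwards).
mode multiple
!
! Failover bootstrap on the primary (the secondary uses "failover lan unit secondary").
interface GigabitEthernet0/2
 no shutdown
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/2
failover interface ip FOLINK 172.17.2.1 255.255.255.0 standby 172.17.2.7
failover link FOLINK GigabitEthernet0/2
!
! Two failover groups: group 1 prefers the primary, group 2 the secondary,
! so both units pass traffic; preempt returns a group to its preferred unit
! once a repaired unit rejoins.
failover group 1
 primary
 preempt
failover group 2
 secondary
 preempt
!
! Step 3: contexts, interface allocation and group membership.
admin-context admin
context admin
 allocate-interface Management0/0
 config-url disk0:/admin.cfg
context CTX1
 allocate-interface GigabitEthernet0/0
 allocate-interface GigabitEthernet0/1
 config-url disk0:/ctx1.cfg
 join-failover-group 1
context CTX2
 allocate-interface GigabitEthernet0/3
 allocate-interface GigabitEthernet0/4
 config-url disk0:/ctx2.cfg
 join-failover-group 2
failover
!
! Verify group roles per unit and context-to-group mapping.
show failover
show context
```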
Configure Active/Active Using ASDM (Step 1 of 7)
Select Active/Active
Question 1
A primary ASA in a failover pair has failed causing the secondary ASA to
become active. After resolving the issue, what command should be
executed on the primary ASA to make it the active firewall?
A. Failover active
B. Failover active group 1
C. Failover secondary group 1
D. Standby group 1 active
Question 2
Which of these commands will show you the contents of flash memory on
the Cisco ASA? (Choose two.)
A. dir
B. show info flash
C. directory view disk0:/
D. show run disk
E. flash view
F. show flash
Question 3
When provisioning a service policy using ASDM, what order are the elements created in?
A. Class-map > Policy-Map > Service-Policy
B. Service-Policy > Class-map > Policy-Map
C. Service-Policy > Policy-Map > Service-Policy
D. Policy-Map > Service-Policy > Class-Map
Question 4
When using sub-interfaces, which method prevents the main interfaces from sending untagged traffic?
A. Use the vlan command on the main interface
B. Use the shutdown command on the main interface
C. Omit the nameif command on the subinterface
D. Omit the nameif command on the main interface
Question 5
Choose two correct statements about multiple context mode:
A. Multiple context mode does not support dynamic routing protocols, IPS, and VPNs
B. Multiple context mode enables you to create multiple independent virtual firewalls with their own security polices and interfaces
C. Multiple context mode enables support for additional hardware modules and firewalls
D. When you convert from single mode to multiple mode, the security appliance automatically adds an entry for the admin context to the system configuration with the name "admin"
Question 6
Which three features does the ASA support?
A. BGP dynamic routing
B. 802.1Q trunking
C. EIGRP dynamic routing
D. OSPF dynamic routing
Question 7
Which command will display information about ASA crypto map configurations?
A. show crypto sa
B. show crypto map
C. show run ipsec sa
D. show run crypto map
Question 8
What is the reason that you want to configure VLANs on a security appliance interface?
A. Enable failover and VLANs to improve reliability
B. Allow transparent firewall mode to be used
C. Increase the number of interfaces available to the network without adding additional physical interfaces or security appliances
D. Enable multiple context mode where you can map only VLAN interfaces to contexts
Question 9
What are two purposes of the same-security-traffic permit intra-interface command? (Choose two.)
A. Allow a hub-and-spoke VPN design on one interface
B. Enable Dynamic Multipoint VPN
C. Allow traffic in and out of the same interface when the traffic is IPSec protected
D. Allow traffic between different interfaces with matching security levels
Question 10
Which command will display NAT translations on the ASA?
A. show ip nat all
B. show running-configuration nat
C. show xlate
D. show nat translation
Final Thoughts
Get hands-on experience with the Walk-in Labs located in World of Solutions, booth 1042
Come see demos of many key solutions and products in the main Cisco booth 2924
Visit www.ciscoLive365.com after the event for updated PDFs, on-demand session videos, networking, and more!
Follow Cisco Live! using social media:
‒ Facebook: https://www.facebook.com/ciscoliveus
‒ Twitter: https://twitter.com/#!/CiscoLive
‒ LinkedIn Group: http://linkd.in/CiscoLI