CCSP Prep: Preparing to Take the Securing Networks with PIX and ASA (SNPA) 642-523 Exam

BRKCRT-2301

BRKCRT-2301 14363_04_2008_c2

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public


Agenda
• Cisco Certified Security Professional
• Preparing for the SNPA Exam
• Exam Format
• Exam Topics
• What you need to know
• Key Technology Reviews
• Sample Exam Questions
• Q&A

Cisco Certified Security Professional
“The CCSP certification (Cisco Certified Security Professional) validates advanced knowledge and skills required to secure Cisco networks.”

Acronym   Course Name
SND       Securing Cisco Network Devices
SNRS      Securing Networks with Cisco Routers and Switches
SNPA      Securing Networks with PIX and ASA v.5
IPS       Implementing Cisco Intrusion Prevention Systems

Plus one of the electives below:
CANAC     Implementing Network Admissions Control
HIPS      Securing Hosts Using Cisco Security Agent
MARS      Implementing Cisco Security Monitoring, Analysis and Response System

Preparing for the SNPA Exam
Instructor Led and Web Based Training
  Securing Networks with PIX and ASA
CCO
  Config Guides
  Command References
Cisco Press
  Prepare: CCSP SNPA Official Exam Certification Guide, 3rd Ed.
  Practice: CCSP Flash Cards and Exam Practice Pack
  Recommended Reading: Cisco ASA, PIX, and FWSM Firewall Handbook, Second Ed.
  Recommended Reading: CCSP SNPA Quick Reference
Practical Experience

Exam Format
Tests practical implementation skills.

Question formats:
• Declarative—A declarative exam item tests simple recall of pertinent facts
• Procedural—A procedural exam item tests the ability to apply knowledge to solve a given issue
• Complex Procedural—A complex procedural exam item tests the ability to apply multiple knowledge points to solve a given issue

Types of questions:
• Drag and drop
• Simulation
• Multiple choice
• Simlet

Exam Taking Tips
Practical Tips on Taking a Multiple-choice Examination
Test-Taking Advice:
• Eliminate nonsense options
• Look for the “best” answer
• Look for subtleties
• Make an intelligent guess
• Use a time budget—Don’t spend too much time on one question

What We Will Cover
• Impossible to cover all topics for SNPA in a two-hour session
• This session is about “How to Prepare for the SNPA Exam”, not about “Cover all SNPA knowledge in two hours”
• Will provide:
  Suggestions
  Resources
  Some sample questions
• Will cover key and newer exam topics likely to be included on the exam, based on the exam topics listed on the Cisco SNPA Certification website: www.cisco.com/web/learning/le3/current_exams/642-523.html

Cisco SNPA Certification Website—SNPA Exam Topics
The SNPA Exam Topics on the Cisco SNPA Certification website provide general guidelines for the content likely to be included on the exam. However, other related topics may also appear on any specific delivery of the exam.
• Install and configure a security appliance for basic network connectivity
• Configure a security appliance to restrict inbound traffic from untrusted sources
• Configure a security appliance to provide secure connectivity using site-to-site VPNs

Exam Topics (Con’t)
• Configure a security appliance to provide secure connectivity using remote access VPNs
• Configure transparent firewall, virtual firewall, and high availability firewall features on a security appliance
• Configure AAA services for the security appliance
• Configure routing and switching on a security appliance
• Configure security appliance advanced application layer and modular policy features
• Monitor and manage an installed security appliance

Disclaimer
This Session Will Strictly Adhere to Cisco’s Rules of Confidentiality
• We may not be able to address your specific question
• If you have taken the exam, please refrain from asking questions from the exam
• We will be available after the session to direct you to resources to assist with specific questions or to provide clarification

Exam Topic—Install and configure a security appliance for basic network connectivity


Install and Configure a Security Appliance for Basic Network Connectivity Subtopics
What You Need to Know:
• Describe the firewall technology
• Describe the Security Appliance hardware and software architecture
• Determine the Security Appliance hardware and software configuration and verify if it is correct
• Use setup or the CLI to configure basic network settings, including interface configurations
• Use appropriate show commands to verify initial configurations
• Configure NAT and global addressing to meet user requirements
• Configure DHCP client option

Install and Configure a Security Appliance for Basic Network Connectivity Subtopics (Con’t)
• Set default route
• Configure logging options
• Explain the information contained in syslog files
• Configure static address translations
• Configure Network Address Translations: PAT
• Verify network address translation operation

Describe the Security Appliance Hardware and Software Architecture
ASA Security Appliance Family (figure: models plotted by Price against Functionality; also labelled Gigabit Ethernet)
• Models, lowest to highest: ASA 5505, ASA 5510, ASA 5520, ASA 5540, ASA 5550
• Market segments along the same scale: SOHO, ROBO, SMB, Enterprise, SP

ASA Content Security and Control Security Services Module (CSC-SSM)
The CSC-SSM can block or clean malicious traffic from SMTP, POP3, HTTP, and FTP network traffic.

Malware Protection (Base License)
• Anti-Virus
• Anti-Spyware
• File Blocking

Content Control (Plus License)
• URL Filtering
• Anti-Spam
• Anti-Phishing
• Email Content Filtering

ASA Advanced Inspection and Prevention Security Services Module (AIP-SSM)
An AIP-SSM has the capability to detect and prevent misuse and abuse of, and unauthorized access to, network resources. The following are the attacks most commonly detected by an AIP-SSM:
• Network sweeps and scans
• Common network anomalies on most Open Systems Interconnection (OSI) layers:
  Malformed Address Resolution Protocol (ARP) requests or replies
  Invalid IP datagrams (for example, a “Christmas tree” packet)
  Invalid TCP packets (for example, a source or destination port is 0)
  Malformed application-layer protocol units
• Flooding denial of service (DoS) attacks
• Application layer content attacks

ASA 5505 and 5510 Licensing
Rel 7.2 Licensing

                                 ASA 5505                    ASA 5510
Licenses                         Base        Security Plus   Base                    Security Plus
Interfaces                       8 x 10/100  8 x 10/100      3 x 10/100 + 1 x Mgmt   5 x 10/100
Security Contexts                N/A         N/A             N/A                     2/5
VLANs                            3           20              50                      100
IPSec VPN Peers                  10          25              250                     250
Failover A/S                     N/A         Yes*            N/A                     Yes
Failover A/A                     N/A         N/A             N/A                     Yes
Concurrent Firewall Connections  10,000      25,000          50,000                  130,000

* Stateless A/S failover

ASA 5520, 5540, and 5550 Licensing
Rel 7.2 Licensing

ASA 5520 (Base / Optional)
  Interfaces:         4 x 10/100/1000 + 1 x 10/100 / N/A
  Security Contexts:  2 / 5, 10, 20
  VLANs:              150 / N/A
  IPSec VPN Peers:    750 / N/A
  Failover A/S:       Yes / N/A
  Failover A/A:       Yes / N/A
  WebVPN Peers:       2 / 10, 25, 50, 100, 250, 500, 750

ASA 5540 (Base / Optional)
  Interfaces:         4 x 10/100/1000 + 1 x 10/100 / N/A
  Security Contexts:  2 / 5, 10, 20, 50
  VLANs:              200 / N/A
  IPSec VPN Peers:    5000 / N/A
  Failover A/S:       Yes / N/A
  Failover A/A:       Yes / N/A
  WebVPN Peers:       2 / 10, 25, 50, 100, 250, 500, 750, 1000, 2500

ASA 5550 (Base / Optional)
  Interfaces:         8 x 10/100/1000 + 4 fiber + 1 x 10/100 / N/A
  Security Contexts:  2 / 5, 10, 20, 50
  VLANs:              250 / N/A
  IPSec VPN Peers:    5000 / N/A
  Failover A/S:       Yes / N/A
  Failover A/A:       Yes / N/A
  WebVPN Peers:       2 / 10, 25, 50, 100, 250, 500, 750, 1000, 2500, 5000

Describe the Security Appliance Hardware and Software Architecture
Drag the port name on the left to the correct port location on the right. Not all apply.
Port names: Gigabit 0/0, Gigabit 0/1, Gigabit 0/3, Gigabit 0/4, Gigabit 0/5, Management 0/0, AUX, Failover, Console
Port locations (ASA 5540 rear panel figure): Port A, Port B, Port C, Port D

Customize Syslog Output
A customer wants to stop a security appliance from outputting “uninteresting” syslog messages such as message 710005. Drag the parameter on the left to the correct letter on the right to complete the command.

The actual exam items do not look like this. These are for review purposes only.

fw1(config)# A logging B 710005

Parameters: clear, no, message, trap
Targets: A, B

Explain the Information Contained in Syslog Files
Drag the logging descriptor on the left to the correct location on the right.
Descriptors: Logging Level, Logging Device IP address, Logging Device-ID, Logging Date/Timestamp, Logging Message-ID
Locations: Item A, Item B, Item C, Item D, Item E

NAT/Global vs. Static Command

NAT/Global (figure: inside hosts Bob Smith 10.0.0.11 and Sam Jones 10.0.0.12 reach the Internet through a global pool on the outside)
• For dynamic NAT/PAT address assignments
• Inside end-user receives an address from a pool of available addresses
• Used mostly for outbound end-user connections

Static (figure: WWW Server 172.16.1.9 and FTP Server 172.16.1.10 hold fixed outside addresses)
• For “permanent” address assignments
• Used mostly for server connections

Configure Network Address Translations: PAT
Customer desires packets from subnet 10.0.2.0 on the inside to be dynamically translated to 192.168.0.9 on the outside. Drag the parameter on the left to the correct letter on the right to complete the command.

Figure: outside network 192.168.0.0 (addresses shown: .1, .2, 192.168.0.8, 192.168.0.9); inside network 10.0.0.0 (.1) with Engineering subnet 10.0.1.0 and Sales subnet 10.0.2.0.

fw1(config)# nat (inside) 2 10.0.2.0 255.255.255.0
fw1(config)# global ( A ) B C netmask 255.255.255.255

Parameters: outside, inside, 192.168.0.9, 10.0.2.0, 1, 2
Targets: A, B, C

Configure Static Address Translations
Customer desires packets sent to 192.168.1.3 on the outside to be translated to 172.16.1.9 on the DMZ. Drag the parameter on the left to the correct letter on the right.

Figure: Internet on the outside, inside network, and a DMZ WWW Server at 172.16.1.9 reachable from the outside as 192.168.1.3.

fw1(config)# static (A,B) C D netmask 255.255.255.255

Parameters: Outside, DMZ, 192.168.1.3, 172.16.1.9
Targets: A, B, C, D

Configure a Net Static
A customer desires packets sent to the 192.168.10.0 subnet on the outside to be translated to the same host number on the 172.16.1.0 subnet on the DMZ. Drag the parameter on the left to the correct letter on the right.

Figure: DMZ WWW Server 172.16.1.9 (outside address 192.168.10.9) and FTP Server 172.16.1.10 (outside address 192.168.10.10); Internet on the outside; inside network.

fw1(config)# static (A,B) C D netmask 255.255.255.0

Parameters: Outside, DMZ, 192.168.10.0, 172.16.1.0
Targets: A, B, C, D

Configure Static Port Redirection
A customer wants packets sent to 192.168.0.9/2121 to be redirected by the security appliance to 172.16.1.10/ftp. Drag the parameter on the left to the correct letter on the right to accomplish this task.

Figure: DMZ FTP1 Server 172.16.1.9 and FTP2 Server 172.16.1.10; outside address and port 192.168.0.9:2121 mapped to FTP on 172.16.1.10; Internet on the outside; inside network.

fw1(config)# static (A,B) tcp C D E F netmask 255.255.255.255

Parameters: Outside, 192.168.0.9, 2121, DMZ, 172.16.1.10, FTP
Targets: A, B, C, D, E, F

Set Embryonic and Connection Limits on the Security Appliance
A customer wants to limit the number of TCP and UDP packets to DMZ Server 2. Using the static command, drag the parameter on the left to the correct letter on the right to accomplish this task.

Figure: DMZ Server 2 at 172.16.1.9, reachable from the outside as 192.168.1.3. Requirements: UDP_Max_Conns = 100, TCP_Max_Conns = 200, Embryonic_limit = 25.

fw1(config)# static (dmz,outside) 192.168.1.3 172.16.1.9 A B C D

Parameters: 100, UDP, 200, 25
Targets: A, B, C, D

Exam Topic—Configure a Security Appliance to Restrict Inbound Traffic from Untrusted Sources


Configure a Security Appliance to Restrict Inbound Traffic from Untrusted Sources Subtopics
What You Need to Know:
• Configure access-lists to filter traffic based on address, time, and protocols
• Configure object-groups to optimize access-list processing
• Configure Network Address Translations: Nat0
• Configure Network Address Translations: Policy NAT
• Configure java/activeX filtering
• Configure URL filtering
• Verify inbound traffic restrictions
• Configure static port redirection
• Configure a net static
• Set embryonic and connection limits on the security appliance

Security Appliance ACL Configuration
Figure: Internet on the outside. Outside ACL for inbound access; inside ACL to deny outbound access. With no ACL, outbound is permitted by default and inbound is denied by default.

• Security appliance configuration philosophy is interface based.
• An interface ACL permits or denies the initial packet incoming or outgoing on that interface.
• The ACL needs to describe only the initial packet of the application; no need to think about return traffic.
• If no ACL is attached to an interface, the following ASA policy applies:
  Outbound packet is permitted by default
  Inbound packet is denied by default

Configure Access-Lists to Filter Traffic Based on Address and Protocol
A customer wants to enable Internet users HTTP-only access to the company’s DMZ WWW Server. Using the access-list command, drag the parameter on the left to the correct letter on the right to accomplish this task.

Figure: inside network 10.0.0.0; outside network 192.168.0.0 (.2) facing the Internet; DMZ-WWW Server 172.16.0.2, published on the outside as 192.168.0.9; inbound traffic arrives on the outside interface.

fw1(config)# static (DMZ,outside) 192.168.0.9 172.16.0.2
fw1(config)# access-list aclout permit tcp A B C eq D

Parameters: any, host, 172.16.0.2, 192.168.0.9, WWW, 255.255.255.0
Targets: A, B, C, D
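The two ACL slides above state the policy (interface based, initial packet only, inbound denied by default) but stop before the step that actually activates an access-list. The following added example, which is not from the deck, completes the DMZ web server scenario on 7.x code: the slide's static, an outside ACL that allows only TCP/80 to the translated address, and the access-group binding. Interface names, security levels, the DMZ interface address 172.16.0.1 and the inside mask 255.0.0.0 are assumptions; host addresses are the slide's.

```cisco
! Added example (not from the slides). Interfaces, security levels, the DMZ
! interface address and the inside mask are assumed; hosts are the slide's.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 192.168.0.2 255.255.255.0
interface Ethernet0/2
 nameif DMZ
 security-level 50
 ip address 172.16.0.1 255.255.255.0
!
! 1. Publish the web server: outside 192.168.0.9 <-> DMZ host 172.16.0.2
static (DMZ,outside) 192.168.0.9 172.16.0.2 netmask 255.255.255.255
!
! 2. Describe only the initial inbound packet. On pre-8.3 code the outside ACL
!    names the translated (outside-visible) address, not the real DMZ address.
!    Return traffic is matched by the connection table; it needs no ACL entry.
access-list aclout extended permit tcp any host 192.168.0.9 eq www
!
! 3. Everything else inbound is dropped by the implicit deny; an explicit
!    deny with "log" makes the drops visible in syslog for monitoring.
access-list aclout extended deny ip any any log
!
! 4. An access-list does nothing until it is bound to an interface and direction.
access-group aclout in interface outside
!
! Caveat from the "No ACL" slide: the moment an ACL is bound to the inside
! interface, "outbound permitted by default" no longer applies; every flow not
! explicitly permitted hits the implicit deny. To deny one service and keep the
! rest open, the permit line is mandatory (10.0.0.0/8 inside is an assumption):
access-list aclin extended deny tcp 10.0.0.0 255.0.0.0 any eq telnet
access-list aclin extended permit ip 10.0.0.0 255.0.0.0 any
access-group aclin in interface inside
!
! Verification: hit counts per ACL entry, and the static translation slot
show access-list aclout
show xlate
```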

Configure Access-Lists to Filter Traffic Based on Address and Time
Figure: Temp Worker at 192.168.10.2 on the Internet; DMZ Server 172.16.0.6, published on the outside as 192.168.0.6; inside network 10.0.0.0 (host .9). Enable access: 8 AM to 5 PM, 1 Jun to 30 Jun.

Define a time when certain resources can be accessed:
• Absolute start and stop time and date
• Recurring time range: time and day of the week
• Apply the time-range to an ACL

fw1(config)# time-range temp-worker
fw1(config-time-range)# absolute start 00:00 1 June 2006 end 00:00 30 June 2006
fw1(config-time-range)# periodic weekdays 8:00 to 17:00
fw1(config)# static (dmz,outside) 192.168.0.6 172.16.0.6
fw1(config)# access-list aclin permit tcp host 192.168.10.2 host 192.168.0.6 eq www time-range temp-worker

Configure Network Address Translations: Policy NAT
When sending sales orders to Company A, all ABC Corp. IP source addresses must be translated to 192.168.0.33. Using the access-list and global commands, drag the parameter on the left to the correct letter on the right to accomplish this task.

Figure: ABC Corp. inside network 10.0.0.15/24, translated to 192.168.0.33 when reaching the Company A Sales Server 192.168.10.11 across the Internet.

fw1(config)# access-list company_a permit tcp A 255.255.255.0 host B
fw1(config)# nat (inside) 10 access-list company_a
fw1(config)# global (outside) C D netmask 255.255.255.255

Parameters: 192.168.0.33, 0, 192.168.10.11, 10.0.0.15, 10.0.0.0, 10
Targets: A, B, C, D

Configure Network Address Translations: Nat0
A customer does NOT want to translate home office to corporate office VPN traffic. Using the access-list and nat commands, drag the parameter on the left to the correct letter on the right to accomplish this task.

Figure: Home office (fw1) 10.100.1.0/24 across the Internet to the Corporate office 10.10.0.0/24; no translation.

fw1(config)# access-list VPN-NO-NAT permit ip A 255.255.255.0 B 255.255.255.0
fw1(config)# nat (inside) C access-list VPN-NO-NAT

Parameters: 10.10.0.0, 10.100.1.0, 0, 1
Targets: A, B, C

Configure Object-Groups to Optimize Access-List Processing
A network administrator wants to grant external IT personnel, on subnet 192.168.10.0/24, HTTPS access to the servers on the DMZ subnet, 172.16.1.0/24. Using the access-list command, drag the parameter on the left to the correct letter on the right to accomplish this task.

fw1(config)# object-group service object1 tcp
fw1(config-service)# port-object eq https
fw1(config)# object-group network object2
fw1(config-network)# network-object 172.16.1.0 255.255.255.0
fw1(config)# object-group network object3
fw1(config-network)# network-object 192.168.10.0 255.255.255.0
fw1(config)# access-list IT extended permit tcp object-group A object-group B object-group C

Parameters: object1, object2, object3
Targets: A, B, C

Exam Topic—Configure a Security Appliance to Provide Secure Connectivity Using Site-to-Site VPNs


Configure a Security Appliance to Provide Secure Connectivity Using Site-to-Site VPNs
What You Need to Know:
• Explain the basic functionality of IPSec
• Configure IKE with preshared keys
• Differentiate between the types of encryption
• Configure IPSec parameters
• Configure crypto-maps and ACLs

Identify Interesting Traffic
Figure: Site 1 host 10.0.1.11 behind fw1 (e0 192.168.1.2); Site 2 host 10.0.6.11 behind fw6 (e0 192.168.6.2); Internet between them.

fw1(config)# access-list 101 permit ip A 255.255.255.0 B 255.255.255.0
fw6(config)# access-list 101 permit ip C 255.255.255.0 D 255.255.255.0

Parameters: 10.0.1.0, 10.0.6.0, 10.0.1.0, 10.0.6.0
Targets: A, B, C, D

Configure Tunnel-Group Attributes—Pre-Shared Key
Figure: Site 1 host 10.0.1.11 behind fw1 (192.168.1.2); Site 2 host 10.0.6.11 behind fw6 (192.168.6.2); IPSec across the Internet.
  fw1: Tunnel-group 192.168.6.2 L2L, pre-shared-key cisco123
  fw6: Tunnel-group 192.168.1.2 L2L, pre-shared-key cisco123

fw1(config)# tunnel-group 192.168.6.2 type IPSec-L2L
fw1(config)# tunnel-group 192.168.6.2 ipsec-attributes
fw1(config-ipsec)# pre-shared-key cisco123

Configure IKE with Pre-Shared Keys
Figure: Site 1 host 10.0.1.11 behind fw1 (e0 192.168.1.2); Site 2 host 10.0.6.11 behind fw6 (e0 192.168.6.2); Internet between them.

fw1(config)# isakmp policy 10 encryption 3des
fw1(config)# isakmp policy 10 hash sha
fw1(config)# isakmp policy 10 authentication pre-share
fw1(config)# isakmp policy 10 group 1
fw1(config)# isakmp policy 10 lifetime 86400

Configure IPSec Parameters
Figure: Security Appliance 1 (Site 1, host 10.0.1.11, e0 192.168.1.2) and Security Appliance 6 (Site 2, host 10.0.6.11, e0 192.168.6.2) across the Internet.

fw1(config)# crypto ipsec transform-set FW6 esp-des esp-md5-hmac

Transform      Description
esp-des        ESP transform using DES cipher (56 bits)
esp-3des       ESP transform using 3DES cipher (168 bits)
esp-aes        ESP transform using AES-128 cipher
esp-aes-192    ESP transform using AES-192 cipher
esp-aes-256    ESP transform using AES-256 cipher
esp-md5-hmac   ESP transform using HMAC-MD5 auth
esp-sha-hmac   ESP transform using HMAC-SHA auth

Configure IPSec Parameters
Figure: Security Appliance 1 (Site 1, host 10.0.1.11, e0 192.168.1.2) and Security Appliance 6 (Site 2, host 10.0.6.11, e0 192.168.6.2) across the Internet.
Select two secure transforms for the IPSec tunnel. Drag the parameter on the left to the correct letter on the right to accomplish this task.

fw1(config)# crypto ipsec transform-set FW6 A B

Parameters: esp-3des, esp-rc4, ah-md5-hmac, ah-aes-128, esp-sha-hmac
Targets: A, B

Configure Crypto-Maps and ACLs
Figure: Site 1 host 10.0.1.11 behind fw1 (e0 192.168.1.2); Site 2 host 10.0.6.11 behind fw6 (e0 192.168.6.2); Internet between them.

fw1(config)# access-list 101 permit ip A 255.255.255.0 B 255.255.255.0
fw1(config)# crypto ipsec transform-set FW6 esp-3des esp-sha-hmac
fw1(config)# crypto map FW1MAP 10 set peer C
fw1(config)# crypto map FW1MAP 10 match address D
fw1(config)# crypto map FW1MAP 10 set transform-set FW6
fw1(config)# crypto map FW1MAP interface outside

Parameters: 10.0.1.0, 10.0.6.0, 192.168.1.2, 101, FW1MAP, 192.168.6.2
Targets: A, B, C, D
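The site-to-site slides above show fw1's side one command at a time. As an added example that is not from the deck, here is the complete, mirrored configuration of both appliances on 7.x code, using the slides' addresses, names and sample key cisco123; the NAT-exemption list name NONAT, the fw6-side names FW1 and FW6MAP, and the use of DH group 2 (the IKE slide shows group 1) are my choices. Each side's crypto ACL is the exact mirror of the other's, which is what the "interesting traffic" question checks.

```cisco
! Added example, not from the slides. Both sides of the Site 1 <-> Site 2 tunnel.
! Names NONAT, FW1, FW6MAP and the choice of DH group 2 are assumptions.
!
! ===== fw1 : Site 1, outside 192.168.1.2, LAN 10.0.1.0/24 =====
! Interesting traffic (phase 2 selector). Must be the mirror image of fw6's list.
access-list 101 extended permit ip 10.0.1.0 255.255.255.0 10.0.6.0 255.255.255.0
! NAT exemption (Nat0 slide): tunnelled traffic must keep its real addresses,
! otherwise a dynamic nat/global rule translates it and it never matches ACL 101.
access-list NONAT extended permit ip 10.0.1.0 255.255.255.0 10.0.6.0 255.255.255.0
nat (inside) 0 access-list NONAT
! IKE phase 1: every policy value must match on both peers.
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
! The tunnel-group is named by the peer's address; this is where the PSK lives.
tunnel-group 192.168.6.2 type ipsec-l2l
tunnel-group 192.168.6.2 ipsec-attributes
 pre-shared-key cisco123
! IKE phase 2
crypto ipsec transform-set FW6 esp-3des esp-sha-hmac
crypto map FW1MAP 10 match address 101
crypto map FW1MAP 10 set peer 192.168.6.2
crypto map FW1MAP 10 set transform-set FW6
crypto map FW1MAP interface outside
!
! ===== fw6 : Site 2, outside 192.168.6.2, LAN 10.0.6.0/24 =====
access-list 101 extended permit ip 10.0.6.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list NONAT extended permit ip 10.0.6.0 255.255.255.0 10.0.1.0 255.255.255.0
nat (inside) 0 access-list NONAT
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group 192.168.1.2 type ipsec-l2l
tunnel-group 192.168.1.2 ipsec-attributes
 pre-shared-key cisco123
crypto ipsec transform-set FW1 esp-3des esp-sha-hmac
crypto map FW6MAP 10 match address 101
crypto map FW6MAP 10 set peer 192.168.1.2
crypto map FW6MAP 10 set transform-set FW1
crypto map FW6MAP interface outside
!
! Verification on either side after 10.0.1.11 sends traffic to 10.0.6.11:
! the phase 1 SA should be MM_ACTIVE and the phase 2 packet counters increment.
show crypto isakmp sa
show crypto ipsec sa
```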

Site-to-Site VPN: Hub and Spoke
Figure: HQ 10.0.1.0/24 (hub) with IPsec tunnels across the Internet to Branch A 10.0.2.0/24 and Branch B 10.0.4.0/24; intra-interface traffic permitted at the hub.

Traffic Flow:
• HQ to BR A
• HQ to BR B
• BR A to BR B

• Understand the traffic flow
• Utilize existing S2S tunnels
• Add additional crypto access-lists
• Add “same-security-traffic permit intra-interface” at the hub site

Site-to-Site VPN: Hub and Spoke
Figure: HQ 192.168.1.1 (10.0.1.0/24), Branch A 192.168.1.10 (10.0.2.0/24), Branch B 192.168.1.12 (10.0.4.0/24), connected across the Internet; intra-interface traffic permitted at the hub.

HQ
  IPsec Tunnels                 Encrypted Traffic
  192.168.1.1 to 192.168.1.10   10.0.1.0/24 to 10.0.2.0/24
  192.168.1.1 to 192.168.1.12   10.0.1.0/24 to 10.0.4.0/24

Branch A
  IPsec Tunnels                 Encrypted Traffic
  192.168.1.10 to 192.168.1.1   10.0.2.0/24 to 10.0.1.0/24
                                10.0.2.0/24 to 10.0.4.0/24

Branch B
  IPsec Tunnels                 Encrypted Traffic
  192.168.1.12 to 192.168.1.1   10.0.4.0/24 to 10.0.1.0/24
                                10.0.4.0/24 to 10.0.2.0/24

• Understand the traffic flow
• Utilize existing S2S tunnels
• Add additional crypto access-lists
• Add “same-security-traffic permit intra-interface” at the hub site


Site-to-Site VPN: Hub and Spoke
Hub and Spoke Configuration
Figure: HQ 192.168.1.1 (10.0.1.0/24), Branch A 192.168.1.10 (10.0.2.0/24), Branch B 192.168.1.12 (10.0.4.0/24); intra-interface traffic permitted at the hub.

HQ
  IPsec Tunnels                 Encrypted Traffic
  192.168.1.1 to 192.168.1.10   10.0.1.0/24 to 10.0.2.0/24
  192.168.1.1 to 192.168.1.12   10.0.1.0/24 to 10.0.4.0/24

• Understand the traffic flow
• Utilize existing S2S tunnels
• Add additional crypto access-lists
• Add “same-security-traffic permit intra-interface” at the hub site
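The hub-and-spoke slides list the steps (reuse the tunnels, add crypto access-list entries, permit intra-interface traffic at the hub) without showing the resulting configuration. The following added example, not from the deck, shows only what changes relative to a plain site-to-site setup, using the slides' addresses; ISAKMP policy, one tunnel-group per peer and the transform set S2S (a name I chose) are assumed to be configured as on the preceding slides, and the ACL and crypto map names are mine.

```cisco
! Added example, not from the slides. Only the hub-and-spoke additions are shown;
! isakmp policy and a tunnel-group per peer are as on the site-to-site slides.
! Names S2S, HQ-TO-A, HQ-TO-B, HQMAP, A-TO-HQ, AMAP and NONAT are assumptions.
crypto ipsec transform-set S2S esp-3des esp-sha-hmac
!
! ===== HQ : hub, outside 192.168.1.1, LAN 10.0.1.0/24 =====
! Decrypted Branch A traffic destined for Branch B arrives on "outside" and must
! leave through "outside" again. Without this line the hairpin is dropped.
same-security-traffic permit intra-interface
!
! Crypto ACL for the Branch A tunnel: HQ<->A, plus B->A hairpinned through HQ.
! Each entry must mirror an entry in the spoke's crypto ACL exactly.
access-list HQ-TO-A extended permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list HQ-TO-A extended permit ip 10.0.4.0 255.255.255.0 10.0.2.0 255.255.255.0
! Crypto ACL for the Branch B tunnel: HQ<->B, plus A->B.
access-list HQ-TO-B extended permit ip 10.0.1.0 255.255.255.0 10.0.4.0 255.255.255.0
access-list HQ-TO-B extended permit ip 10.0.2.0 255.255.255.0 10.0.4.0 255.255.255.0
! NAT exemption for HQ-sourced tunnel traffic (Nat0 slide). Spoke-to-spoke traffic
! never enters the inside interface, so no inside nat rule can translate it.
access-list NONAT extended permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list NONAT extended permit ip 10.0.1.0 255.255.255.0 10.0.4.0 255.255.255.0
nat (inside) 0 access-list NONAT
! One crypto map, one sequence number per spoke, applied once to outside.
crypto map HQMAP 10 match address HQ-TO-A
crypto map HQMAP 10 set peer 192.168.1.10
crypto map HQMAP 10 set transform-set S2S
crypto map HQMAP 20 match address HQ-TO-B
crypto map HQMAP 20 set peer 192.168.1.12
crypto map HQMAP 20 set transform-set S2S
crypto map HQMAP interface outside
!
! ===== Branch A : spoke, outside 192.168.1.10, LAN 10.0.2.0/24 =====
! The existing tunnel to HQ carries both destinations; the second ACL entry is
! the "additional crypto access-list" from the slide. Branch B mirrors this
! with 10.0.4.0/24 as the source and 10.0.2.0/24 as the extra destination.
access-list A-TO-HQ extended permit ip 10.0.2.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list A-TO-HQ extended permit ip 10.0.2.0 255.255.255.0 10.0.4.0 255.255.255.0
access-list NONAT extended permit ip 10.0.2.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list NONAT extended permit ip 10.0.2.0 255.255.255.0 10.0.4.0 255.255.255.0
nat (inside) 0 access-list NONAT
crypto map AMAP 10 match address A-TO-HQ
crypto map AMAP 10 set peer 192.168.1.1
crypto map AMAP 10 set transform-set S2S
crypto map AMAP interface outside
!
! Verification at HQ: two phase 1 SAs (one per spoke) and one phase 2 SA pair
! per crypto ACL entry, so four in total once all flows have been seen.
show crypto isakmp sa
show crypto ipsec sa
```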

Exam Topics—Configure a Security Appliance to Provide Secure Connectivity Using Remote Access VPNs


Configure a Security Appliance to Provide Secure Connectivity Using Remote Access VPNs
What You Need to Know:
• Explain the functions of EasyVPN
• Configure IPSec using EasyVPN Server/Client
• Configure the Cisco Secure VPN client
• Explain the purpose of WebVPN
• Configure WebVPN services: Server/Client
• Verify VPN operations
• Install and Configure SVCs
• Install and Configure Cisco Secure Desktop

Configure ISAKMP Parameters
Figure: Remote Client 172.26.26.1 on the Internet, outside interface, inside interface, Server 10.0.0.15.

fw1(config)# isakmp enable outside
fw1(config)# isakmp policy 10 encryption 3des
fw1(config)# isakmp policy 10 hash sha
fw1(config)# isakmp policy 10 authentication pre-share
fw1(config)# isakmp policy 10 group 2
fw1(config)# isakmp policy 10 lifetime 86400

Configure IPSec Tunnel-Group
Figure: Remote Client 172.26.26.1 on the Internet, outside interface, inside interface, Server 10.0.0.15.

fw1(config)# ip local pool mypool 10.0.0.100-10.0.0.254
!--- Configure tunnel-group parameters
fw1(config)# tunnel-group training type A
fw1(config)# tunnel-group training B
fw1(config-ipsec)# pre-shared-key cisco123
fw1(config)# tunnel-group training C
fw1(config-general)# address-pool mypool

Parameters: IPSec_RA, ipsec-attributes, general-attributes, IPSec-L2L
Targets: A, B, C

Configure Group Policy
Figure: Remote Client 172.26.26.1 on the Internet, outside interface, inside interface, Server 10.0.0.15. Group policy attributes pushed to the client: DNS server, WINS server, DNS domain, Address pool, Idle time.

fw1(config)# group-policy training internal
fw1(config)# group-policy training attributes
fw1(config-group-policy)# wins-server value 10.0.0.15
fw1(config-group-policy)# dns-server value 10.0.0.15
fw1(config-group-policy)# vpn-idle-timeout 15
fw1(config-group-policy)# default-domain value cisco.com

Configure Crypto Map
An administrator needs to complete a dynamic crypto map for this solution. Drag the parameter on the left to the correct letter on the right to accomplish this task.

Figure: Remote Client 172.26.26.1 on the Internet, outside interface, inside interface, Server 10.0.0.15.

fw1(config)# crypto ipsec transform-set rmtuser1 esp-3des esp-md5-hmac
fw1(config)# crypto dynamic-map rmt-dyna-map 10 set transform-set A
fw1(config)# crypto map rmt-user-map 10 ipsec-isakmp dynamic B
!--- Apply crypto map to the outside interface.
fw1(config)# crypto map C interface outside

Parameters: rmt-user-map, rmt-dyna-map, rmtuser1
Targets: A, B, C

Explain the Purpose of WebVPN
Figure: Home Office (Broadband Provider), Wireless (ISP) and Computer Kiosk (Provider) users each reach the Corporate Network through a WebVPN Tunnel.

Uses a standard SSLVPN to access the corporate network:
• Access to internal websites (HTTP/HTTPS), including filtering
• Access to internal Windows (CIFS) File Shares
• TCP port forwarding for legacy application support
• Access to e-mail via POP, SMTP, and IMAP4 over SSL

Configure SSLVPN Services
Figure: Remote Client, WebVPN Tunnel to the Security Appliance, HTTP-Server 10.0.1.10/24 and Console-Server 10.0.1.11/24 behind it.

fw1(config)# group-policy corp_sslvpn attributes
  Enters the group-policy attributes subcommand mode
fw1(config-group-policy)# webvpn
  Enters WebVPN group-policy attributes subcommand mode
fw1(config-group-webvpn)# functions url-entry file-access file-entry file-browsing
  Enables file access, entry, browsing, and URL entry for the group
fw1(config-group-webvpn)# url-list value URLs
  Selects predefined URLs that were configured by using the url-list command

Configure SSLVPN File Services
Figure: Remote Client, WebVPN Tunnel to the Security Appliance, Superserver 10.0.1.10/24 and Training 10.0.1.11/24 behind it.

fw1(config)# group-policy corp_sslvpn attributes
fw1(config-group-policy)# webvpn
fw1(config-group-webvpn)# functions url-entry file-access file-entry file-browsing
fw1(config-group-webvpn)# url-list value sslvpn_urls
fw1(config)# url-list sslvpn_urls "Superserver" http://10.0.1.10
fw1(config)# url-list sslvpn_urls "CIFS Share" cifs://10.0.1.11/training

Configure SSLVPN Port-Forward Services
Figure: Remote Client, WebVPN Tunnel to the Security Appliance, Super-Server1 10.0.1.10/24 and Mail-Server1 10.0.1.11/24 behind it.

fw1(config)# group-policy corp_sslvpn attributes
fw1(config-group-policy)# webvpn
fw1(config-group-webvpn)# functions port-forward
fw1(config-group-webvpn)# port-forward value SSLVPN_APPS
fw1(config-group-webvpn)# port-forward SSLVPN_APPS 2222 10.0.1.10 23
fw1(config-group-webvpn)# port-forward SSLVPN_APPS 2110 mailserver1.training.com 110
fw1(config-group-webvpn)# port-forward SSLVPN_APPS 2025 mailserver1.training.com 25

Exam Topics—Configure Transparent Firewall, Virtual Firewall, and High Availability Firewall Features on a Security Appliance


Configure Transparent Firewall, Virtual Firewall, and High Availability Firewall Features on a Security Appliance

What You Need to Know:
Explain the differences between L2 and L3 operating modes
Configure the security appliance for transparent mode (L2)
Explain the purpose of virtual firewalls
Configure the security appliance to support virtual firewalls
Monitor and maintain virtual firewalls
Explain the types, purpose and operation of failover
Install and configure the appropriate topology to support cable-based or LAN-based failover
Explain the hardware, software and licensing requirements for high availability


Configure Transparent Firewall, Virtual Firewall, and High Availability Firewall Features on a Security Appliance (Con't)

What You Need to Know:
Configure the SA for active/standby failover
Configure the SA for stateful failover
Configure the SA for active/active failover
Verify failover operation
Recover from a failover
Allocate resources to virtual firewalls


Explain Differences Between L2 and L3 Operating Modes
The security appliance can run in two modes:
Routed (L3): forwarding decisions are based on IP address; each interface is on a different subnet and the appliance is a router hop.
Transparent (L2): forwarding decisions are based on MAC address; the appliance bridges two halves of the same subnet and is invisible as a hop, although it still inspects IP traffic and applies access rules.

Diagram: routed mode connects 10.0.1.0 (VLAN 100) and 10.0.2.0 (VLAN 200); transparent mode connects VLAN 100 and VLAN 200, both carrying 10.0.1.0.

The following features are not supported in transparent mode (release 7.x, the level this exam covers; 8.0(2) later added NAT in transparent mode):
NAT
Dynamic routing protocols
IPv6
DHCP relay
Quality of Service
Multicast
VPN termination for through traffic (the appliance can still terminate a VPN for its own management connections, and can pass VPN traffic through when an access list permits it)


Configure Security Appliance for Transparent Mode (L2)
Layer 3 traffic must be explicitly permitted with an extended access list; only ARP passes without one, and non-IP frames need an EtherType access list
Each directly connected network must be on the same subnet
The management IP address must be on the same subnet as the connected network
Do not specify the appliance's management IP address as the default gateway for connected devices
Devices specify the router on the far side of the appliance as their default gateway
Each interface must be on a different VLAN

Diagram: the Internet behind router 10.0.1.10; the appliance in transparent mode bridges VLAN 100 (10.0.1.0) and VLAN 200 (10.0.1.0) with management IP address 10.0.1.1; inside hosts 10.0.1.3 and 10.0.1.4 use GW 10.0.1.10.

fw1(config)# firewall transparent
Switched to transparent mode

Switching modes in either direction clears the running configuration (the mode setting itself is saved), so expect to rebuild interfaces, the management address and access lists afterwards. In 7.x multiple-context mode the command is entered in the system execution space and applies to every context.
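The slide shows only the mode switch. The following added example, not from the original deck, is a complete transparent-mode configuration for the slide topology. Assumed: ethernet0 is outside and ethernet1 inside, the router 10.0.1.10 is the hosts' gateway, the DHCP server sits beyond that router, the host 10.0.1.3 runs a web server that must be reachable from outside, and the appliance is wired between two switches so spanning-tree BPDUs must be bridged.

```text
! Added example (not from the original deck). Assumptions: ethernet0 =
! outside, ethernet1 = inside, router 10.0.1.10 is the hosts' gateway, a
! DHCP server lives beyond the router, and two switches exchange BPDUs
! across the appliance.

firewall transparent
! Changing mode clears the running configuration; do it before anything else.

interface ethernet0
  nameif outside
  security-level 0
  no shutdown
interface ethernet1
  nameif inside
  security-level 100
  no shutdown

! One management address for the whole appliance, on the bridged subnet.
! Hosts never use it as a gateway; they point at the router 10.0.1.10.
ip address 10.0.1.1 255.255.255.0
! Default route only for traffic the appliance itself originates
! (syslog, AAA, NTP); through traffic is bridged, not routed.
route outside 0.0.0.0 0.0.0.0 10.0.1.10

! IP traffic is bridged only where an extended access list permits it.
access-list INSIDE_OUT extended permit ip 10.0.1.0 255.255.255.0 any
access-list INSIDE_OUT extended permit udp any eq bootpc any eq bootps
access-list OUTSIDE_IN extended permit udp any eq bootps any eq bootpc
access-list OUTSIDE_IN extended permit tcp any host 10.0.1.3 eq www
access-group INSIDE_OUT in interface inside
access-group OUTSIDE_IN in interface outside
! DHCP relay is unavailable in this mode, so the bootps/bootpc lines let
! the hosts' own DHCP exchange cross the bridge instead.

! Non-IP frames need an EtherType access list; ARP passes by default.
access-list NONIP ethertype permit bpdu
access-group NONIP in interface inside
access-group NONIP in interface outside

! Verify
show firewall
show access-list OUTSIDE_IN
show mac-address-table
```

Without the BPDU entry a switch pair on either side of the firewall cannot see each other's spanning tree, which is a classic source of loops when a second path exists; without the bootps/bootpc lines the inside hosts silently lose DHCP the moment the appliance goes in. The mac-address-table output is the quickest way to confirm the bridge has learned both sides.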

Configure Security Appliance to Support Virtual Firewall
Diagram: one appliance split into CTX1 (the admin context, interfaces e0 and e1) and CTX2 (interfaces e3 and e4), each with its own path to the Internet.

fw1(config)# mode multiple
WARNING: This command will change the behavior of the device
WARNING: This command will initiate a Reboot
Proceed with change mode? [confirm]
Convert the system configuration? [confirm]
...
fw1# show mode
Security context mode: multiple

Answering yes to the conversion turns the existing single-mode configuration into the system configuration plus an admin context (saved as admin.cfg); save and back up the running configuration first, because the reboot follows immediately. Multiple-context mode is also a prerequisite for Active/Active failover.

Configure Security Appliance to Support Virtual Firewall
An administrator is tasked with allocating interfaces for the two contexts, ctx1 and ctx2. Using the allocate-interface command, drag the interface parameter on the left to the correct letter on the right to accomplish this task.

Diagram: CTX1 (admin) uses e0 (Internet side) and e1; CTX2 uses e3 (Internet side) and e4.

fw1(config)# admin-context ctx1
fw1(config)# context ctx1
fw1(config-ctx)# allocate-interface A
fw1(config-ctx)# allocate-interface B
fw1(config-ctx)# config-url flash:/C
fw1(config)# context ctx2
fw1(config-ctx)# allocate-interface D
fw1(config-ctx)# allocate-interface E
fw1(config-ctx)# config-url flash:/F

Answer pool: ethernet0, ethernet1, ethernet3, ethernet4, ctx1.cfg, ctx2.cfg

From the diagram: A = ethernet0, B = ethernet1, C = ctx1.cfg, D = ethernet3, E = ethernet4, F = ctx2.cfg. The admin context must be named before any other context is created, and config-url is the command that actually loads (or creates) the context, so the interface allocations come before it; a context configuration that refers to an interface not yet allocated fails to load.

Configure Security Appliance to Support Virtual Firewall
Context 1 (CTX1, admin): interface e0, IP address 192.168.1.2 (Internet side); interface e1, IP address 10.0.1.1
Context 2 (CTX2): interface e3, IP address 192.168.31.7 (Internet side); interface e4, IP address 10.0.31.7

fw1(config)# changeto context ctx1
fw1/ctx1(config)# interface ethernet0
fw1/ctx1(config-if)# ip address 192.168.1.2 255.255.255.0
fw1/ctx1(config-if)# nameif outside
fw1/ctx1(config)# interface ethernet1
fw1/ctx1(config-if)# ip address 10.0.1.1 255.255.255.0
fw1/ctx1(config-if)# nameif inside

The prompt shows which context you are configuring. nameif inside assigns security-level 100 by default; every other name, including outside, defaults to 0 until you set it explicitly, so check show nameif before you rely on the default inter-interface policy.

Hardware and Stateful Failover
Diagram: two appliances between the Internet and the internal network.

Hardware failover
Connections are dropped; client applications must reconnect.
Provided by the serial (cable-based, PIX only) or LAN-based failover link.
Active/Standby: only one unit actively processes traffic while the other is a hot standby.
Active/Active: both units actively process traffic and back each other up (requires multiple-context mode).

Stateful failover
TCP connections remain active; client applications do not need to reconnect.
Provides redundancy plus connection state: the connection table, NAT translation table and ARP table are replicated to the standby unit.
Provided by a stateful link, either a dedicated interface or the failover link itself if it has the bandwidth. HTTP connections are replicated only when failover replication http is configured; they are skipped by default because they are short-lived.

Explain the Hardware, Software and Licensing Requirements for High-Availability
Diagram: Active/Standby (after a failure the primary is Failed/Standby and the secondary is Active) versus Active/Active with contexts split across the pair (after a primary failure the secondary is Active for both groups).

The primary and secondary security appliances must match in the following:
Same model number and hardware configuration
Same software version: both units should run the same major (first number) and minor (second number) release. Starting in release 7.0 you do not have to maintain version parity while upgrading, so one unit can run 7.0(4) while the other runs 7.0(5) during a maintenance-release upgrade (a zero-downtime upgrade).
Same features (DES or 3DES)
Same amount of Flash memory and RAM
Proper licensing: the PIX offers failover-only licenses (FO for Active/Standby, FO-AA for Active/Active) for the secondary unit; the ASA 5510 needs the Security Plus license for any failover, and Active/Active requires both units to be licensed for multiple contexts.

Configure A/S Failover Link
Diagram: primary fw1 and a secondary unit; outside network 192.168.2.0 (firewall .2, router .1 toward the Internet), failover LAN 172.17.2.0 (primary .1, secondary .7), inside network 10.0.2.0.

Drag the parameter on the left to the correct letter on the right:

fw1(config)# interface ethernet3
fw1(config-if)# no shut
fw1(config)# failover lan interface LANFAIL ethernet3
fw1(config)# failover interface ip A B 255.255.255.0 C D
fw1(config)# failover lan unit E
fw1(config)# failover

Answer pool: 172.17.2.1, 172.17.2.7, primary, active, standby, LANFAIL

Answer: A = LANFAIL, B = 172.17.2.1, C = standby, D = 172.17.2.7, E = primary. The bare failover command is what enables failover; enter it last, after the link, the addresses, the unit role and the shared key (failover lan key) are in place, and enter failover lan unit secondary plus the same link commands on the peer before enabling it there. The failover interface carries no nameif and is reserved for failover traffic.
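The slide covers the failover LAN on the primary only. The following added example, not from the original deck, is a complete LAN-based Active/Standby pair with a separate stateful link for the slide topology, on both units. Assumptions: ethernet0 is outside on 192.168.2.0/24, ethernet1 inside on 10.0.2.0/24, ethernet3 the failover LAN on 172.17.2.0/24, ethernet4 a dedicated stateful link on 172.17.3.0/24 (a subnet chosen for the example), and the shared key is a placeholder.

```text
! Added example (not from the original deck). Assumptions: ethernet0 outside
! 192.168.2.0/24, ethernet1 inside 10.0.2.0/24, ethernet3 failover LAN
! 172.17.2.0/24, ethernet4 stateful link 172.17.3.0/24, placeholder key.

! ---- Primary unit (fw1) ----
interface ethernet0
  nameif outside
  security-level 0
  ip address 192.168.2.2 255.255.255.0 standby 192.168.2.7
  no shutdown
interface ethernet1
  nameif inside
  security-level 100
  ip address 10.0.2.1 255.255.255.0 standby 10.0.2.7
  no shutdown
! Failover interfaces get no nameif; the failover subsystem owns them.
interface ethernet3
  no shutdown
interface ethernet4
  no shutdown

failover lan unit primary
failover lan interface LANFAIL ethernet3
failover interface ip LANFAIL 172.17.2.1 255.255.255.0 standby 172.17.2.7
failover link STATEFUL ethernet4
failover interface ip STATEFUL 172.17.3.1 255.255.255.0 standby 172.17.3.7
failover lan key ReplaceWithSharedSecret
failover replication http
failover polltime unit 1 holdtime 3
failover
! The bare "failover" goes last so both peers agree on everything else
! before they start exchanging hellos.

! ---- Secondary unit ----
! Only the failover commands are needed; the rest replicates from the
! primary once failover is up (repeating the stateful-link lines is harmless).
interface ethernet3
  no shutdown
interface ethernet4
  no shutdown
failover lan unit secondary
failover lan interface LANFAIL ethernet3
failover interface ip LANFAIL 172.17.2.1 255.255.255.0 standby 172.17.2.7
failover link STATEFUL ethernet4
failover interface ip STATEFUL 172.17.3.1 255.255.255.0 standby 172.17.3.7
failover lan key ReplaceWithSharedSecret
failover

! ---- Verify and exercise ----
show failover
show failover state
! Force a switchover from the active unit, then look again:
no failover active
show failover state
```

Every data interface carries a standby address so the standby unit can monitor its own links; an interface without one is not monitored and a cable fault on the standby goes unnoticed. The key is not optional in practice: without it the hello and replication traffic, including the full configuration, crosses the failover LAN in clear text.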


Configure A/A Failover Link
Diagram: two units, each holding CTX1 in failover group 1 (g0/0, g0/1) and CTX2 in failover group 2 (g0/3, g0/4); g0/2 on both units forms the failover link, 172.17.1.1 on the primary and 172.17.1.7 on the secondary.

fw1(config)# interface GigabitEthernet0/2
fw1(config-if)# no shut
fw1(config)# failover lan interface LANFAIL GigabitEthernet0/2
fw1(config)# failover interface ip LANFAIL A 255.255.255.0 B C
fw1(config)# failover link LANFAIL GigabitEthernet0/2
fw1(config)# failover lan key 1234567

Answer pool: 172.17.1.1, 172.17.1.7, active, standby

Answer: A = 172.17.1.1, B = standby, C = 172.17.1.7. failover link LANFAIL reuses the failover interface as the stateful link, so one cable carries both the hellos and the state replication; size it for the connection rate of both groups. failover lan key authenticates and encrypts the failover messages, which otherwise cross the link in clear text, and it must be identical on both units.


A/A Failover Group
Diagram: failover group 1 (CTX1) is owned by the primary and group 2 (CTX2) by the secondary; the failover link runs 172.17.1.1 to 172.17.1.7 over g0/2.

Active/Active failover adds support for failover groups. Failover is performed at the unit or group level. A group consists of one or more contexts, and each failover group has its own state machine that tracks whether the group is active or standby on each unit.

fw1(config)# failover group 1
fw1(config-fover-group)# primary
fw1(config)# failover group 2
fw1(config-fover-group)# secondary

primary or secondary sets which unit the group prefers when both are healthy. Without preempt under the group, a repaired unit does not take its preferred group back until an operator forces it with failover active group n, so the pair silently runs with both groups on one box.

Context: Allocate Interfaces and Assign a Failover Group Number
Diagram: CTX1 (group 1) with g0/0 toward the Internet and g0/1 inside; CTX2 (group 2) with g0/3 toward the Internet and g0/4 inside, on both units.

Associate interfaces and a failover group with a context:
fw1(config)# context ctx1
fw1(config-ctx)# allocate-interface GigabitEthernet0/0
fw1(config-ctx)# allocate-interface GigabitEthernet0/1
fw1(config-ctx)# config-url flash:/ctx1.cfg
fw1(config-ctx)# join-failover-group 1
fw1(config)# context ctx2
fw1(config-ctx)# allocate-interface GigabitEthernet0/3
fw1(config-ctx)# allocate-interface GigabitEthernet0/4
fw1(config-ctx)# config-url flash:/ctx2.cfg
fw1(config-ctx)# join-failover-group 2

The failover groups must exist before join-failover-group is accepted. Contexts that are never assigned belong to group 1, and the admin context is always in group 1, so only the contexts meant to run on the secondary need an explicit join.
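The four Active/Active slides above each give one piece. The following added example, not from the original deck, assembles them in the order the appliance accepts them, and adds what the slides leave out: preemption, the secondary unit's side, and the standby addresses inside each context (taken from the show failover diagram that follows). Assumed: multiple-context mode is already set, GigabitEthernet0/2 is the shared failover and stateful link on 172.17.1.0/24, and the key is a placeholder.

```text
! Added example (not from the original deck). Assumptions: mode multiple
! already set, g0/2 = failover + stateful link 172.17.1.0/24, placeholder key.

! ---- System execution space, primary unit ----
interface GigabitEthernet0/2
  no shutdown
failover lan unit primary
failover lan interface LANFAIL GigabitEthernet0/2
failover interface ip LANFAIL 172.17.1.1 255.255.255.0 standby 172.17.1.7
failover link LANFAIL GigabitEthernet0/2
failover lan key ReplaceWithSharedSecret

! Group 1 normally runs on the primary, group 2 on the secondary; preempt
! lets each group return to its preferred unit after a repair.
failover group 1
  primary
  preempt
failover group 2
  secondary
  preempt

! Contexts: interfaces, config location, failover group. Unassigned
! contexts, and always the admin context, belong to group 1.
admin-context ctx1
context ctx1
  allocate-interface GigabitEthernet0/0
  allocate-interface GigabitEthernet0/1
  config-url flash:/ctx1.cfg
  join-failover-group 1
context ctx2
  allocate-interface GigabitEthernet0/3
  allocate-interface GigabitEthernet0/4
  config-url flash:/ctx2.cfg
  join-failover-group 2

failover

! ---- Inside each context: active and standby addresses ----
changeto context ctx1
interface GigabitEthernet0/0
  nameif outside
  security-level 0
  ip address 192.168.1.2 255.255.255.0 standby 192.168.1.7
  no shutdown
interface GigabitEthernet0/1
  nameif inside
  security-level 100
  ip address 10.0.1.1 255.255.255.0 standby 10.0.1.7
  no shutdown
changeto context ctx2
interface GigabitEthernet0/3
  nameif outside
  security-level 0
  ip address 192.168.31.7 255.255.255.0 standby 192.168.31.1
  no shutdown
interface GigabitEthernet0/4
  nameif inside
  security-level 100
  ip address 10.0.31.7 255.255.255.0 standby 10.0.31.1
  no shutdown

! ---- Secondary unit, system space: the failover link only ----
interface GigabitEthernet0/2
  no shutdown
failover lan unit secondary
failover lan interface LANFAIL GigabitEthernet0/2
failover interface ip LANFAIL 172.17.1.1 255.255.255.0 standby 172.17.1.7
failover lan key ReplaceWithSharedSecret
failover

! ---- Verify from the system space ----
changeto system
show failover
show failover group 1
show failover group 2
```

In Active/Active the "active" and "standby" addresses swap meaning per group: on the primary, ctx2's configured address is the one the secondary answers on, because group 2 is active there. That is why every context interface needs both addresses before failover is enabled; a context with only a primary address has no address on the unit that actually serves it.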

Show Failover: Part 1
Diagram: the primary unit is Active for CTX1/group 1 (outside 192.168.1.2, inside 10.0.1.1) and Standby for CTX2/group 2 (standby addresses 192.168.31.1, 10.0.31.1); the secondary unit is Active for CTX2/group 2 (outside 192.168.31.7, inside 10.0.31.7) and Standby for CTX1/group 1 (192.168.1.7, 10.0.1.7); failover link 172.17.1.1 to 172.17.1.7 on g0/2.

fw1# show failover
Failover On
Cable status: N/A - LAN-based failover enabled
Failover unit Primary
Failover LAN Interface: lanfail GigabitEthernet0/2 (up)
Unit Poll frequency 15 seconds, holdtime 45 seconds
Interface Poll frequency 15 seconds
Interface Policy 1
Monitored Interfaces 4 of 250 maximum
Group 1 last failover at: 15:54:49 UTC Sept 17 2006
Group 2 last failover at: 15:55:00 UTC Sept 17 2006

Resource Management
Limits the use of resources per context
Prevents one or more contexts from using too many resources and causing other contexts to be denied use of resources
Enables you to configure limits for the following resources:
ASDM connections
Connections
Hosts
SSH sessions
Telnet sessions
Xlate objects
Application inspections (rate only)
Syslogs per second (rate only)

Diagram: HTTP connections from the Internet through CONTEXT 1 and CONTEXT 2; CONTEXT 2 is limited to 20% of connections and connections beyond that are refused.

Configuring Resource Management
Limit connections for CONTEXT2 to 20%

fw1(config)# class MEDIUM-RESOURCE-SET
fw1(config-class)# limit-resource conns 20%
  Limits the MEDIUM-RESOURCE-SET class to 20 percent of the system connection limit
fw1(config)# context context2
fw1(config-ctx)# member MEDIUM-RESOURCE-SET
  Assigns the context2 context to the MEDIUM-RESOURCE-SET class

The class name given to member must match the class exactly (the slide's MEDIUM_RESOURCE_SET, with underscores, would not refer to the class defined above). Classes are defined in the system execution space; a context belongs to one class, and any context without a member statement uses the default class, which is unlimited until you change it. Percentages are of the platform's limit, so the same class on a smaller model yields a smaller absolute number.
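The slide limits one resource. The following added example, not from the original deck, builds a class that caps several resources for a busy context and tightens the default class, then shows how to check consumption against the limits. Entered in the system execution space; the numbers are illustrative and ctx2 is the context from the earlier slides.

```text
! Added example (not from the original deck). Illustrative limits for the
! context ctx2 from the earlier slides; entered in the system execution space.

! Absolute values and percentages can be mixed; 0 means unlimited.
class MEDIUM-RESOURCE-SET
  limit-resource conns 20%
  limit-resource xlates 20%
  limit-resource hosts 5000
  limit-resource rate inspects 1000
  limit-resource rate syslogs 500
  limit-resource asdm 2
  limit-resource ssh 2
  limit-resource telnet 1

! Tighten the default class, which every unassigned context uses;
! otherwise a context nobody thought about can still take everything.
class default
  limit-resource conns 50%

context ctx2
  member MEDIUM-RESOURCE-SET

! Check what each context is consuming against its limits.
show resource allocation
show resource usage context ctx2
show resource usage summary
```

The rate limits (inspects, syslogs) are the ones that matter under attack: a context being flooded can otherwise starve the inspection engines and the logging path for every other tenant, and syslog loss is exactly what you do not want during an incident. show resource usage summary flags any resource that is oversubscribed across all classes.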

Exam Topics—Configure AAA Services for Access Through a Security Appliance


Configure AAA Services for Access Through a Security Appliance
What You Need to Know:
Configure ACS for security appliance support
Configure the security appliance to use the AAA feature
Configure authentication using both local and external databases
Configure authorization using an external database
Configure the ACS server for downloadable ACLs
Configure accounting of connection start/stop
Verify AAA operation


Configure ACS for Security Appliance Support
When configuring the Cisco ACS Network Configuration window, the administrator must supply two names and IP addresses: the AAA client (the firewall) and the AAA server (ACS itself). Drag the parameter on the left to the correct letter on the right to accomplish this task.

Diagram: user "aaauser" at 192.168.2.10 on the Internet; NY1PIX with outside .2 (router .1) and inside address 10.0.1.1 on 10.0.1.0; NY_ACS at 10.0.1.10. Reading the diagram, A and B are the AAA client's hostname and address and C and D are the AAA server's.

Answer pool: 192.168.2.10, 10.0.1.1, 10.0.1.10, NY1PIX, NY_ACS, aaauser

Answer: A = NY1PIX, B = 10.0.1.1, C = NY_ACS, D = 10.0.1.10; aaauser and 192.168.2.10 are distractors (users are defined under User Setup, not Network Configuration). The AAA client address must be the firewall interface that sources requests toward ACS, the one named in aaa-server ... (inside) host ..., and the shared key typed here must match the key on the firewall; ACS silently discards requests from an unknown address or with a wrong key, so a mismatch shows up only as timeouts on the firewall.

Configure Authentication Using Both Local and External Databases

Authentication via the LOCAL database (Telnet from the Internet side):
fw1(config)# username admin1 password cisco123
fw1(config)# aaa authentication telnet console LOCAL

Authentication via an external database (NY_ACS, 10.0.0.2) with LOCAL backup:
fw1(config)# aaa-server NY_ACS protocol tacacs+
fw1(config)# aaa-server NY_ACS (inside) host 10.0.0.2
fw1(config-aaa-server)# key secretkey
fw1(config)# aaa authentication telnet console NY_ACS LOCAL

LOCAL at the end of the list is consulted only when no server in the group responds, never when ACS rejects the credentials, so keep the local account current and test the fallback with the server unreachable. Note also that the appliance refuses Telnet on its lowest-security interface unless the session arrives inside an IPsec tunnel; SSH is the method to use from the Internet side.

Configure Cut-Through Proxy Authentication
The administrator wants every Internet user to be authenticated before gaining HTTP access to the DMZ server 172.16.4.9 (global address 192.168.1.12). Drag the parameter on the left to the correct letter on the right to accomplish this task.

Diagram: Internet user 192.168.2.10; DMZ server 172.16.4.9, reachable from outside as 192.168.1.12; RADIUS server NY_ACS 10.0.0.2 on the inside.

fw1(config)# static (dmz,outside) 192.168.1.12 172.16.4.9
fw1(config)# aaa-server NY_ACS protocol radius
fw1(config)# aaa-server NY_ACS (inside) host 10.0.0.2
fw1(config-aaa-server)# key cisco123
fw1(config)# access-list 110 permit tcp any host A eq www
fw1(config)# aaa authentication match B C D

Answer pool: 192.168.1.12, 172.16.4.9, 192.168.2.10, 110, NY_ACS, outside

Answer: A = 192.168.1.12 (an access list matched on the outside interface names the translated address in releases before 8.3), B = 110, C = outside, D = NY_ACS. Cut-through proxy adds an authentication step; it does not permit anything by itself. The static must be paired with an access list applied to the outside interface with access-group that allows TCP 80 to 192.168.1.12, or the user authenticates successfully and is then dropped. The appliance can only prompt for credentials on HTTP, HTTPS, FTP and Telnet; other protocols must be preceded by an authentication on one of those (or on virtual telnet/virtual http).

Configure Authorization Using an External Database
Diagram: Internet host 192.168.9.10; firewall outside 192.168.0.3 on 192.168.0.0; FTP server 10.0.0.33, reachable from outside as 192.168.0.12; NY_ACS server 10.0.0.2 (TACACS+) performs the FTP authorization.

fw1(config)# aaa-server NY_ACS protocol tacacs+
fw1(config)# aaa-server NY_ACS (inside) host 10.0.0.2
fw1(config-aaa-server)# key secretkey
fw1(config)# static (inside,outside) 192.168.0.12 10.0.0.33
fw1(config)# access-list 110 permit tcp any host 192.168.0.12 eq ftp
fw1(config)# aaa authorization match 110 outside NY_ACS

Network-access authorization requires a TACACS+ server group; RADIUS cannot do it (with RADIUS, use downloadable ACLs instead). Traffic matched by an authorization rule that has not been authenticated is denied, so an aaa authentication match rule covering the same traffic is needed as well; authorization is then performed once per authenticated user and cached for the uauth timeout.


Authorization Rules Allowing Specific Services to Specific Hosts
On the previous page, the administrator configured the PIX to verify users' rights before they FTP to the inside FTP server. In the Access Control Server, the administrator must configure TACACS+ Group Setup. Check the parameter for each subtask on the left that is needed to accomplish this task.

Group Setup, Shell Command Authorization Set:
Unmatched Cisco IOS commands: Deny / Permit
Command: ftp / Blank (ftp is in the arguments list)
Arguments: permit 192.168.0.12 / permit tcp any host 192.168.0.12 eq ftp
Unlisted arguments: Deny / Permit

Answer: Unmatched commands = Deny; Command = ftp; Arguments = permit 192.168.0.12; Unlisted arguments = Deny. The PIX sends the service name (ftp) as the command and the destination address (192.168.0.12 here) as its argument, so the argument is written as permit ip-address, not as an access-list line. Denying unmatched commands and unlisted arguments keeps the rule a whitelist: a user authorized for FTP to this one server gets nothing else.

Configure the ACS Server for Downloadable ACLs
Diagram: user "aaauser" on the Internet; FTP server 172.16.4.9 (global 192.168.1.10) and WWW server 172.16.4.10 (global 192.168.1.11) in the DMZ; NY_ACS 10.0.0.2 on the inside, authentication over RADIUS.

fw1(config)# static (dmz,outside) 192.168.1.10 172.16.4.9
fw1(config)# static (dmz,outside) 192.168.1.11 172.16.4.10
fw1(config)# aaa-server NY_ACS protocol A
fw1(config)# aaa-server NY_ACS (inside) host B
fw1(config-aaa-server)# key cisco123
fw1(config)# access-list 110 permit tcp any host 192.168.1.10 eq ftp
fw1(config)# access-list 110 permit tcp any host 192.168.1.11 eq C
fw1(config)# aaa authentication match 110 outside D

Answer pool: TACACS+, RADIUS, 10.0.0.2, 172.16.4.10, www, NY_ACS

Answer: A = radius, B = 10.0.0.2, C = www, D = NY_ACS. Downloadable ACLs are a RADIUS feature: ACS returns the per-user ACL (defined under Shared Profile Components) with the Access-Accept, and the appliance installs it for that user's source address for the life of the uauth entry. TACACS+ cannot carry a downloadable ACL, which is why choosing the protocol is the point of this question. The interface access list still applies to the user's traffic unless access-group is configured with the per-user-override keyword.

Authentication of Console Access
Diagram: administrator console access (serial, enable, Telnet, SSH) to the security appliance; NY_ACS TACACS+ server 10.0.0.2 on the inside.

Each command defines a console access method that requires authentication, identifies the authentication server group (NY_ACS, or LOCAL), and enables fallback to the LOCAL security appliance database:
fw1(config)# aaa authentication serial console NY_ACS LOCAL
fw1(config)# aaa authentication enable console NY_ACS LOCAL
fw1(config)# aaa authentication telnet console NY_ACS LOCAL
fw1(config)# aaa authentication ssh console NY_ACS LOCAL

Create at least one username in the local database before entering these, or the LOCAL fallback has nothing to fall back to and an ACS outage locks every administrator out, including on the serial port. Until aaa authentication ssh console is configured, SSH logins use the fixed username pix with the Telnet (passwd) password, which is one more reason to configure it.

Configure Accounting of Connection Start/Stop
Diagram: user "aaauser" on the Internet; FTP server 172.16.4.9 (global 192.168.1.10) and WWW server 172.16.4.10 (global 192.168.1.11) in the DMZ; NY_ACS 10.0.0.2, accounting over RADIUS.

fw1(config)# aaa-server NY_ACS protocol A
fw1(config)# aaa-server NY_ACS (inside) host 10.0.0.2
fw1(config-aaa-server)# key cisco123
fw1(config)# access-list 110 permit tcp any host 192.168.1.10 eq ftp
fw1(config)# access-list 110 permit tcp any host 192.168.1.11 eq www
fw1(config)# aaa B match C outside NY_ACS

Answer pool: radius, 192.168.1.0, 110, accounting, authentication, LDAP

Answer: A = radius, B = accounting, C = 110. Accounting works with RADIUS or TACACS+ servers but not LDAP. A start and a stop record are sent for each matched TCP or UDP connection; if the traffic was also authenticated, the records carry the username, otherwise only the source address.
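The AAA slides above (console authentication, cut-through proxy, TACACS+ authorization, downloadable ACLs and accounting) each show one command set. The following added example, not from the original deck, assembles them into one working configuration and adds the pieces the slides leave implicit: the interface access list that actually admits the traffic, the uauth timeout, a local break-glass account and the verification commands. Assumed: NY_ACS at 10.0.0.2 is reachable on both TACACS+ and RADIUS, server-group names NY_TACACS and NY_RADIUS, and placeholder keys and passwords.

```text
! Added example (not from the original deck). Assumptions: ACS 10.0.0.2
! speaks TACACS+ and RADIUS; group names NY_TACACS / NY_RADIUS; placeholder
! keys and passwords; pre-8.3 NAT, so outside ACLs use global addresses.

! ---- AAA server groups ----
aaa-server NY_TACACS protocol tacacs+
aaa-server NY_TACACS (inside) host 10.0.0.2
  key ReplaceTacacsKey
aaa-server NY_RADIUS protocol radius
aaa-server NY_RADIUS (inside) host 10.0.0.2
  key ReplaceRadiusKey

! ---- Management access: ACS first, LOCAL only if ACS is unreachable ----
username admin1 password Str0ngPassw0rd privilege 15
aaa authentication serial console NY_TACACS LOCAL
aaa authentication enable console NY_TACACS LOCAL
aaa authentication telnet console NY_TACACS LOCAL
aaa authentication ssh console NY_TACACS LOCAL
aaa authentication http console NY_TACACS LOCAL
ssh 10.0.0.0 255.255.255.0 inside
! LOCAL is consulted only when no server in the group answers; a
! rejection from ACS is final. Test the fallback with ACS unplugged.

! ---- Cut-through proxy for the DMZ servers ----
static (dmz,outside) 192.168.1.10 172.16.4.9
static (dmz,outside) 192.168.1.11 172.16.4.10
! The static plus an interface ACL admit the traffic; the aaa commands
! only add the identity step on top of that.
access-list OUTSIDE_IN extended permit tcp any host 192.168.1.10 eq ftp
access-list OUTSIDE_IN extended permit tcp any host 192.168.1.11 eq www
access-group OUTSIDE_IN in interface outside

access-list 110 extended permit tcp any host 192.168.1.10 eq ftp
access-list 110 extended permit tcp any host 192.168.1.11 eq www
! Authentication and per-user service authorization via TACACS+;
! authorization applies only to traffic that was also authenticated.
! (For downloadable ACLs, authenticate against NY_RADIUS instead.)
aaa authentication match 110 outside NY_TACACS
aaa authorization match 110 outside NY_TACACS
aaa accounting match 110 outside NY_RADIUS
! Authenticated users are cached; shorten the default 5 minutes and make
! the cache absolute so a shared source address is re-challenged.
timeout uauth 0:02:00 absolute

! ---- Verify ----
show aaa-server NY_TACACS
show uauth
test aaa-server authentication NY_TACACS host 10.0.0.2 username aaauser password Secret123
```

test aaa-server is the fastest way to separate a key or reachability problem (no response) from a credential problem (explicit reject) without waiting for a user to complain, and show uauth tells you exactly which source addresses the appliance currently treats as authenticated, which is what an attacker behind a shared NAT address would be riding on if the uauth timeout were left long and inactivity-based.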


Exam Topics—Configure Routing and Switching on a Security Appliance

Configure Routing and Switching on a Security Appliance
What You Need to Know:
Enable DHCP server and relay functionality
Configure VLANs on a security appliance interface
Configure the security appliance to pass multicast traffic


Configure VLANs on a Security Appliance Interface
Diagram: ethernet3 is a trunk port to a switch carrying vlan10 (dmz1, 172.16.10.1, Public Server), vlan20 (dmz2, 172.16.20.1, Partner Server) and vlan30 (dmz3, 172.16.30.1, Proxy Server); inside network 10.0.0.0, outside 192.168.0.0 toward the Internet.

fw1(config)# interface ethernet3
fw1(config-if)# no shutdown
fw1(config)# interface ethernet3.1
fw1(config-subif)# vlan 10
fw1(config-subif)# nameif dmz1
fw1(config-subif)# security-level 10
fw1(config-subif)# ip address 172.16.10.1 255.255.255.0

The subinterface number (.1) is local to the appliance; the vlan command carries the 802.1Q tag, which the switch trunk must allow. The physical interface must be no shutdown or every subinterface on it stays down. The slide omits the mask; without it the address takes its classful /16, which would overlap the other DMZ subnets and be rejected when they are configured.
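The slide configures one of the three DMZ subinterfaces. The following added example, not from the original deck, configures all three on the trunked physical port, with the physical port kept free of a nameif and an access list that stops the three DMZs from reaching each other. Assumed: ethernet3 is the trunk, VLAN tags 10/20/30 as in the diagram, and that the three zones must not talk to each other.

```text
! Added example (not from the original deck). Assumptions: ethernet3 is the
! trunk to the switch; VLANs 10/20/30; the three DMZs are mutually isolated.

interface ethernet3
  no nameif
  no security-level
  no ip address
  no shutdown
! The physical port carries only tagged frames. Leaving it without a
! nameif means untagged (native-VLAN) traffic has no zone to land in.

interface ethernet3.1
  vlan 10
  nameif dmz1
  security-level 10
  ip address 172.16.10.1 255.255.255.0
interface ethernet3.2
  vlan 20
  nameif dmz2
  security-level 20
  ip address 172.16.20.1 255.255.255.0
interface ethernet3.3
  vlan 30
  nameif dmz3
  security-level 30
  ip address 172.16.30.1 255.255.255.0

! Distinct security levels make the default direction explicit: dmz3 may
! reach dmz2 and dmz1, not the reverse. Equal levels would need
! same-security-traffic permit inter-interface. Block the downward path:
access-list DMZ3_IN extended deny ip 172.16.30.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list DMZ3_IN extended permit ip 172.16.30.0 255.255.255.0 any
access-group DMZ3_IN in interface dmz3
access-list DMZ2_IN extended deny ip 172.16.20.0 255.255.255.0 172.16.10.0 255.255.255.0
access-list DMZ2_IN extended permit ip 172.16.20.0 255.255.255.0 any
access-group DMZ2_IN in interface dmz2

! Verify the tag, the state and the counters per subinterface
show interface ethernet3.1
show running-config interface ethernet3.2
show nameif
```

The deny-before-permit pattern on each higher DMZ is what turns "three VLANs on one port" into three actual security zones; without it, the proxy server in dmz3 can reach the partner and public servers by default because it sits at the higher security level.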
Configure Routing Functionality of Security Appliance Including OSPF, RIP
Diagram: outside 192.168.0.0 toward the router 172.26.26.30 running RIP v2; dmz 10.0.0.0 running RIP v2; inside 10.0.1.0 running RIP v1.

fw1(config)# rip outside passive version 2 authentication md5 MYKEY 2
fw1(config)# rip inside passive
fw1(config)# rip dmz passive version 2

passive listens for updates on the interface without advertising anything; the alternative keyword default advertises only a default route. RIP version 1 has no authentication, so the inside interface accepts whatever routes it hears; where the neighbours support it, use version 2 with md5 (the text option sends the key in clear). This is the per-interface rip syntax of release 7.0; 7.2 and later configure the same settings under router rip.


45

Configure Routing Functionality of Security Appliance Including OSPF, RIP
Diagram: router ospf 1 with area 0 toward the Internet (network 1.1.1.0), area 2.2.2.0 on the private network 2.2.2.0, and area 10.0.0.0 covering 10.0.0.0 and 10.0.1.0.

network ip_address netmask area area_id
  Adds interfaces to (and with no, removes them from) the OSPF routing process: every interface whose address falls within the given prefix is placed in the named area

fw1(config)# router ospf 1
fw1(config-router)# network 1.1.1.0 255.255.255.0 area 0
fw1(config-router)# network 2.2.2.0 255.255.255.0 area 2.2.2.0
fw1(config-router)# network 10.0.0.0 255.255.255.0 area 10.0.0.0

An area ID can be written as a number or in dotted-decimal form, as the last two lines show.

Configure Security Appliance to Pass Multicast (MC) Traffic
A multicast client on the inside network wants to "view" a multicast session from a multicast server on the DMZ. Drag the parameter on the left to the correct letter on the right to accomplish this task.

Diagram: outside (e0, 172.16.0.1) toward a multicast router; DMZ (e1) with the multicast server for group 224.0.1.50; inside (e2) with the multicast client 10.0.0.11.

fw1(config)# access-list 120 permit udp any host 224.0.1.50
fw1(config)# interface A
fw1(config-if)# igmp access-group 120
fw1(config)# interface B
fw1(config-if)# igmp forward interface C

Answer pool: ethernet1, 10.0.0.11, 224.0.1.50, DMZ, Inside, ethernet2

Both IGMP commands belong on the interface that receives the clients' IGMP reports, the inside interface ethernet2: igmp access-group 120 restricts which groups hosts there may join (only 224.0.1.50), and igmp forward interface relays their reports toward the interface named as C, which takes the nameif of the upstream side (DMZ), not an ethernet name. The client and group addresses in the pool are distractors. This stub forwarding is available only after multicast-routing has been enabled globally.
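The drag-and-drop leaves out the global enable and the access list that admits the stream itself. The following added example, not from the original deck, is the complete stub multicast configuration for the slide topology. Assumed: ethernet1 is named dmz and ethernet2 inside, the client is 10.0.0.11 and the group 224.0.1.50 as on the slide; the server's address is not on the slide, so the data-plane access list permits any source.

```text
! Added example (not from the original deck). Assumptions: ethernet1 = dmz
! (multicast server), ethernet2 = inside (client 10.0.0.11), group 224.0.1.50.

! Enables IGMP and PIM on every interface. Stub mode forwards IGMP reports
! instead of running PIM, and the two are not supported together, so PIM is
! switched off on the interfaces involved.
multicast-routing

! Clients on the inside may only join the one approved group.
access-list 120 extended permit udp any host 224.0.1.50

interface ethernet2
  no pim
  igmp access-group 120
  igmp forward interface dmz
! Both igmp commands go on the interface that receives the host reports;
! the forward target is the nameif of the upstream side.
interface ethernet1
  no pim

! The stream itself is a dmz -> inside flow (low to high security), so an
! interface access list must still admit it; IGMP forwarding alone does not.
access-list DMZ_IN extended permit udp any host 224.0.1.50
access-group DMZ_IN in interface dmz

! Verify: the joined group, the IGMP state per interface, the forwarding entry
show igmp groups
show igmp interface inside
show mroute
```

The igmp access-group is the control that matters from a security standpoint: without it any inside host can join any group the upstream side carries, and a multicast stream admitted by the DMZ_IN line is then forwarded to every subscriber regardless of who asked.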

Exam Topics—Configure Security Appliance Advanced Application Layer and Modular Policy Features

Configure a Modular Policy on a Security Appliance Subtopics
What You Need to Know:
Configure a class-map
Configure a policy-map
Configure a service-policy
Configure a class-map type inspect
Configure a policy-map type inspect
Configure regular expressions
Explain the function of protocol inspection
Explain the DNS guard feature


Configure a Modular Policy on a Security Appliance Subtopics (Con't)
What You Need to Know:
Describe the AIP-SSM hardware and software
Load IPS software on the AIP-SSM
Verify the AIP-SSM
Configure an IPS modular policy
Describe the CSC-SSM hardware and software
Load CSC software on the SSM
Verify the CSC-SSM
Configure a CSC modular policy

Layer 7: Application Inspection Overview
Diagram: Internet (outside, 192.168.0.0) to an HTTP server in the DMZ; inside 10.0.0.0. Layer 7 application inspection (deep packet inspection) of the HTTP requests: "GET" allowed, "PUT" reset, "POST" reset.

A Layer 7 policy is intended for deep packet inspection of a protocol. You configure Layer 7 inspection criteria that recognize the specific protocol attributes you want to control (an HTTP method, a URI, an FTP command), and apply actions to the traffic identified as desirable or undesirable. What application inspection can match and do varies with each supported protocol: the HTTP engine understands methods, headers, URIs and body content; the FTP engine understands commands, usernames and file names; many other engines only track the control channel in order to open the secondary ports the protocol negotiates.
Layer 7: Application Inspection Configuration
Diagram: the same DMZ HTTP server; Layer 7 rules "GET" allow, "PUT" reset, "POST" reset; Layer 3 and 4 rule: HTTP traffic to the WWW server.

To create an application inspection:
Create a Layer 7 application inspection policy
  Identify application inspection criteria based on the attributes of a given protocol
  Apply an action to the identified packets: allow, reset, or log
Create a Layer 3 and 4 policy to identify a traffic stream
  Define the Layer 3 and 4 traffic stream for inspection
  Attach the traffic stream to a Layer 3 and 4 policy and apply that policy with a service policy
Configure Layer 7 Application Inspection Policy
Diagram: DMZ HTTP server; "GET" allow, "PUT" reset, "POST" reset.

Create a Layer 7 application inspection policy:
class-map type inspect: identify application inspection criteria based on the attributes of a given protocol
policy-map type inspect: apply an action to the identified packets (reset, drop-connection, log)

fw1(config)# class-map type inspect http HTTP_SAFE_Method
fw1(config-cmap)# match request method get
fw1(config)# class-map type inspect http HTTP_RESTRICTED_Methods
fw1(config-cmap)# match request method post
fw1(config-cmap)# match request method put
fw1(config)# policy-map type inspect http inbound_http_traffic
fw1(config-pmap)# class HTTP_SAFE_Method
fw1(config-pmap)# class HTTP_RESTRICTED_Methods
fw1(config-pmap-c)# reset log

Two corrections to the slide version. There is no allow action in an inspection policy map: traffic that matches no class carrying an action is already allowed, so HTTP_SAFE_Method needs no action line (the slide also spelled the class name differently in the class-map and the policy-map; the two must match exactly). And a class map listing both post and put uses the default match-all logic, which a single request with one method can never satisfy; either list the methods as separate match statements directly in the policy map, each with its own reset log, or use class-map type inspect http match-any where the software release supports it.
Configure a Layer 3 and 4 Policy
Diagram: Internet to the DMZ HTTP server (192.168.1.11); Layer 3 and 4 rule: HTTP traffic to the WWW server.

Create a Layer 3 and 4 inspection policy:
Define the Layer 3 and 4 traffic stream for inspection
Associate the traffic stream with a Layer 3 and 4 policy

fw1(config)# access-list 102 permit tcp any host 192.168.1.11 eq www
fw1(config)# class-map inbound_http_traffic
fw1(config-cmap)# match access-list 102
fw1(config)# policy-map dmz_http_inbound
fw1(config-pmap)# class inbound_http_traffic
fw1(config-pmap-c)# inspect http inbound_http_traffic
fw1(config)# service-policy dmz_http_inbound interface outside

The argument to inspect http is the policy-map type inspect http from the previous slide; here it happens to share the name inbound_http_traffic with the Layer 3/4 class map, which works but is easy to misread, so prefer distinct names. service-policy takes either interface name or global (the slide's line is missing the interface keyword); only one policy map can be applied per interface, so a second service-policy on outside is rejected until the first is removed.
Configure Class-Map Type Inspect Example
Diagram: Internet user; FTP server 172.16.4.9 reachable as 192.168.1.11.

fw1(config)# class-map type inspect ftp ftp_method
fw1(config-cmap)# match request-command A
fw1(config-cmap)# match request-command B
fw1(config)# policy-map type inspect ftp inbound_ftp
fw1(config-pmap)# class C
fw1(config-pmap-c)# reset D

Answer pool: ftp_method, inbound_ftp, put, log, dele, reset

Answer: A = put, B = dele, C = ftp_method, D = log. inbound_ftp and reset are distractors: the class line names the class map, and the action line already contains reset. The FTP class map uses match request-command (the slide's match request method is the HTTP form), and the keywords are the FTP commands: appe, cdup, dele, get, help, mkd, put, rmd, rnfr, rnto, site, stou. Because a single FTP request carries one command, list both on one line (match request-command put dele) rather than as two match-all statements.
Configure a Layer 3 and 4 Policy Example
Diagram: FTP server 172.16.4.9 reachable as 192.168.1.11; Internet user 192.168.2.10.

fw1(config)# access-list 101 permit tcp any host 192.168.1.11 eq ftp
fw1(config)# A ftp_traffic
fw1(config-cmap)# match access-list 101
fw1(config)# B inbound
fw1(config-pmap)# class C
fw1(config-pmap-c)# inspect D strict
fw1(config)# E F interface outside

Answer pool: ftp_traffic, ftp, inbound, class-map, service-policy, policy-map

Answer: A = class-map, B = policy-map, C = ftp_traffic, D = ftp, E = service-policy, F = inbound (the slide omits the interface keyword before outside). strict enforces RFC-conformant command sequencing on the control channel and closes connections that violate it, which blocks the embedded-command and PORT/PASV tricks used to bounce through an FTP server. To apply the FTP inspection map from the previous example, the line becomes inspect ftp strict inbound_ftp.
Configure Class-Map Type Inspect HTTP Example
Diagram: Internet user; WWW server 172.16.4.9 reachable as 192.168.1.11.

fw1(config)# class-map type inspect http BLOCKED_METHOD_LIST
fw1(config-cmap)# match request method delete
fw1(config-cmap)# match request method post
fw1(config-cmap)# match request method put
fw1(config)# policy-map type inspect http inbound_http
fw1(config-pmap)# class BLOCKED_METHOD_LIST
fw1(config-pmap-c)# reset log
fw1(config)# access-list 102 permit tcp any host 192.168.1.11 eq www
fw1(config)# class-map inbound_http_traffic
fw1(config-cmap)# match access-list 102
fw1(config)# policy-map inbound
fw1(config-pmap)# class inbound_http_traffic
fw1(config-pmap-c)# inspect http inbound_http
fw1(config)# service-policy inbound interface outside

The match-all caveat applies to BLOCKED_METHOD_LIST as well: three methods in one class only work with match-any, or as three separate match lines in the policy map. Verify with show service-policy interface outside, which counts packets inspected per class; a zero counter after test traffic usually means the access list names the wrong (real instead of translated) address.
Class-Map Type Inspect and Policy-Map Type Inspect
Inspection class maps let you group multiple traffic-matching statements:
fw1(config)# class-map type inspect http BLOCKED_METHOD_LIST
fw1(config-cmap)# match request method delete
fw1(config-cmap)# match request method post
fw1(config-cmap)# match request method put

The inspection class map is then assigned to the inspection policy map:
fw1(config)# policy-map type inspect http MY_HTTP_MAP
fw1(config-pmap)# class BLOCKED_METHOD_LIST
fw1(config-pmap-c)# drop-connection log

Or pair a single traffic match statement with an action directly in the policy map:
fw1(config)# policy-map type inspect http MY_HTTP_MAP
fw1(config-pmap)# match request method post
fw1(config-pmap-c)# drop-connection log
Regular Expressions
Diagram: a client logging in to a server across the ASA with "ftp> username: root"; the ASA is configured to drop packets containing the string "root".

Regular expressions let you identify text in a packet. A regular expression:
Is defined as a pattern to match against an input string
Lets you permit, deny, or log packets, creating custom security checks
Matches a text string either literally, as an exact string, or by using metacharacters, which match multiple variants of a text string

Custom security checks can be combined for more granular control. A bare literal such as root also matches groot and chroot, so anchor the pattern (^root$) or bound it with the metacharacters the ASA supports. Matching is performed against the field the inspection engine extracts (an FTP username, an HTTP URI), not against the raw packet payload, so it is only available for protocols with a regex-capable inspection engine.
Blocking Based on Matching (or Not) Regular Expressions (REGEX)
Diagram: user Bob logs in to the FTP server with "ftp> username: root" and issues "ftp> put /root/filename".

Denies all inbound users with a username of "root"
Denies all access to "/root" from the Internet

fw1(config)# regex FTP_USER "root"
fw1(config)# regex FTP_PATH "\/root"
fw1(config)# class-map type regex match-any RESTRICTED_ACCESS
fw1(config-cmap)# match regex A
fw1(config-cmap)# match regex B
fw1(config)# policy-map type inspect ftp C
fw1(config-pmap)# class D
fw1(config-pmap-c)# reset log

Answer pool: FTP_USER, FTP_PATH, RESTRICTED_ACCESS, MY_FTP_MAP

Answer: A = FTP_USER, B = FTP_PATH, C = MY_FTP_MAP, D = RESTRICTED_ACCESS. The last two lines are a simplification: a regex class map cannot be named directly as the class of an FTP inspection policy map. It is referenced through match username regex class RESTRICTED_ACCESS or match filename regex class RESTRICTED_ACCESS, either directly in the policy map or inside a class-map type inspect ftp, and those statements are what decide which protocol field the pattern is compared with. Unanchored, "root" also matches usernames such as chroot.
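The following added example, not from the original deck, is the FTP regex policy from this slide in a form the appliance accepts, attached through the Layer 3/4 policy from the earlier Modular Policy slides, with the patterns anchored. A regex class map is referenced via match username / match filename statements, here placed directly in the policy map so that each condition is its own match (no match-all issue). Assumed: the FTP server is reachable as 192.168.1.11, as on the earlier Layer 3/4 example.

```text
! Added example (not from the original deck). Assumption: FTP server
! reachable from outside as 192.168.1.11.

! Anchored patterns: a bare "root" would also hit "groot" or "chroot".
regex FTP_USER "^root$"
regex FTP_PATH "^/root/"
class-map type regex match-any RESTRICTED_USERS
  match regex FTP_USER
class-map type regex match-any RESTRICTED_PATHS
  match regex FTP_PATH

! Layer 7: each match statement in the policy map is its own class, so a
! session is reset if the username OR the file name matches.
policy-map type inspect ftp MY_FTP_MAP
  parameters
    mask-banner
  match username regex class RESTRICTED_USERS
    reset log
  match filename regex class RESTRICTED_PATHS
    reset log
  match request-command site
    reset log

! Layer 3/4: which flows receive that inspection
access-list 101 extended permit tcp any host 192.168.1.11 eq ftp
class-map ftp_traffic
  match access-list 101
policy-map inbound
  class ftp_traffic
    inspect ftp strict MY_FTP_MAP
service-policy inbound interface outside

! Verify: per-class packet counters, and the map as the appliance stored it
show service-policy interface outside
show running-config policy-map
```

The match filename line covers the slide's put /root/filename case and any other command that carries a path (get, dele, rnfr). The site match is not on the slide; it is added because SITE EXEC and similar server-specific commands are the usual route from an FTP login to code execution, and the inspection engine can refuse them regardless of what the server would accept. mask-banner hides the server version from the banner grab an attacker does first.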
Load IPS SW on the AIP-SSM
Drag the parameter on the left to the correct letter on the right:

fw1(config)# hw-module module 1 A
Image URL [tftp://0.0.0.0/]: tftp://10.0.31.10/AIP-SSM-K9sys-1.1-a-5.0-0.22.img
Port IP Address [0.0.0.0]: 10.0.31.1
fw1(config)# hw-module module 1 B
The module in slot 1 will be recovered. This may erase all configuration and all data on that device and attempt to download a new image for it.
fw1# C
Opening command session with slot 1.
Connected to slot 1. Escape character sequence is 'CTRL^X'.
sensor# D
--- System Configuration Dialog ---
Current Configuration:

Answer pool: recover configure, recover boot, session 1, session m2/0, setup

Answer: A = recover configure, B = recover boot, C = session 1, D = setup. The command is hw-module module 1 ... (the slide's hw module is a typo). recover configure only records the TFTP URL and the module's management port address; recover boot is the step that wipes the module and loads the image, so confirm the TFTP server is reachable from the SSM's management port first and plan for the module being out of service (with any inline policy failing open or closed) while it reloads. After recovery, session 1 logs in with the factory default credentials (username cisco), and setup forces a password change before anything else.

AIP-SSM Initialized
Diagram: the AIP-SSM installed in the appliance between the Internet and the internal network.

fw1(config)# show module 1
Mod Card Type                                    Model              Serial No.
--- -------------------------------------------- ------------------ -----------
  1 ASA 5500 Series Security Services Module-10  ASA-SSM-10         123456789

Mod MAC Address Range                 Hw Version   Fw Version   Sw Version
--- --------------------------------- ------------ ------------ ---------------
  1 0016.4687.a520 to 0016.4687.a520  1.0          1.0(10)0     6.0(2)E1

Mod SSM Application Name           Status           SSM Application Version
--- ------------------------------ ---------------- --------------------------
  1 IPS                            Up               6.0(2)E1

Mod Status             Data Plane Status     Compatibility
--- ------------------ --------------------- -------------
  1 Up                 Up

Configure an IPS Modular Policy
Diagram: Internet to the DMZ servers 172.16.1.0 through the appliance and its AIP-SSM. IPS policy: inline, fail-open.

fw1(config)# access-list 101 permit tcp any 172.16.1.0 255.255.255.0
fw1(config)# A dmz_traffic
fw1(config-cmap)# match access-list 101
fw1(config)# B dmz_ips
fw1(config-pmap)# class C
fw1(config-pmap-c)# ips D E
fw1(config)# service-policy dmz_ips interface outside

Answer pool: dmz_traffic, ips, fail-open, class-map, inline, policy-map

Answer: A = class-map, B = policy-map, C = dmz_traffic, D = inline, E = fail-open (ips in the pool is a distractor; the slide's service-policy line is missing the interface keyword). inline places the SSM in the forwarding path so it can drop traffic; promiscuous only copies packets to it. fail-open keeps traffic flowing uninspected if the module is down, reloading or overloaded, which favours availability; fail-close drops that traffic instead.
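The following added example, not from the original deck, completes the IPS policy with the choice the slide only names: fail-close inline inspection for the exposed DMZ servers, and promiscuous fail-open monitoring for general user traffic on a second interface. Assumed: the DMZ servers are 172.16.1.0/24 as on the slide, user traffic enters on an interface named inside, and one AIP-SSM sits in slot 1.

```text
! Added example (not from the original deck). Assumptions: DMZ servers
! 172.16.1.0/24 reached via "outside"; users on "inside"; AIP-SSM in slot 1.

access-list 101 extended permit tcp any 172.16.1.0 255.255.255.0
class-map dmz_traffic
  match access-list 101
class-map all_traffic
  match any

! Exposed services: inline so the sensor can drop, fail-close so a sensor
! outage does not silently remove the control.
policy-map dmz_ips
  class dmz_traffic
    ips inline fail-close

! User traffic: the sensor only sees a copy, and availability wins if the
! module goes down.
policy-map inside_ips
  class all_traffic
    ips promiscuous fail-open

service-policy dmz_ips interface outside
service-policy inside_ips interface inside

! Verify that packets are actually being diverted, and the module state
show service-policy interface outside
show module 1 details
```

Fail-close on the DMZ policy means a module reload (for example the recover boot on the earlier slide) takes the DMZ services down for its duration; that is the intended trade and should be planned into the maintenance window rather than discovered during it.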


Q and A


Recommended Reading
Continue your Cisco Live learning experience with further reading from Cisco Press Check the Recommended Reading flyer for suggested books

