BRKCRT-2301

CCSP Prep: Preparing to Take the Securing Networks with PIX and ASA (SNPA) 642-523 Exam

© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public


Agenda

Cisco Certified Security Professional
Preparing for the SNPA Exam
Exam Format
Exam Topics: What you need to know
Key Technology Reviews
Sample Exam Questions
Q & A

Cisco Certified Security Professional

“The CCSP certification (Cisco Certified Security Professional) validates advanced knowledge and skills required to secure Cisco networks.”

Required courses (Course Name / Acronym):
  Securing Cisco Network Devices                                         SND
  Securing Networks with Cisco Routers and Switches                      SNRS
  Securing Networks with PIX and ASA v5                                  SNPA
  Implementing Cisco Intrusion Prevention Systems                        IPS

Plus one of the electives below:
  Implementing Network Admission Control                                 CANAC, or
  Implementing Cisco Security Monitoring, Analysis and Response System   MARS, or
  Securing Hosts Using Cisco Security Agent                              HIPS

Preparing for the SNPA Exam

Instructor Led and Web Based Training: Securing Networks with PIX and ASA

CCO: Config Guides, Command References

Cisco Press
  Prepare: CCSP SNPA Official Exam Certification Guide, 3rd Ed.
  Practice: CCSP Flash Cards and Exam Practice Pack
  Recommended Reading: Cisco ASA, PIX, and FWSM Firewall Handbook, Second Ed.
  Recommended Reading: CCSP SNPA Quick Reference

Practical Experience

Exam Format: Test Practical Implementation Skills

Question Formats
  Declarative: a declarative exam item tests simple recall of pertinent facts
  Procedural: a procedural exam item tests the ability to apply knowledge to solve a given issue
  Complex Procedural: a complex procedural exam item tests the ability to apply multiple knowledge points to solve a given issue

Types of questions: Drag and drop, Multiple choice, Simulation, Simlet

Exam Taking Tips: Practical Tips on Taking a Multiple-choice Examination

Test-Taking Advice
  Eliminate nonsense options
  Look for the “best” answer
  Look for subtleties
  Make an intelligent guess
  Use a time budget: don’t spend too much time on one question

What We Will Cover

Impossible to cover all topics for SNPA in a two-hour session

Session is about “How to Prepare for the SNPA Exam”, not about “Cover all SNPA knowledge in two hours”

Will provide: suggestions, resources, some sample questions

Will cover key and newer exam topics likely to be included on the exam based on the exam topics listed on the Cisco SNPA Certification website: www.cisco.com/web/learning/le3/current_exams/642-523.html

Cisco SNPA Certification Website: SNPA Exam Topics

The SNPA Exam Topics on the Cisco SNPA Certification website provide general guidelines for the content likely to be included on the exam. However, other related topics may also appear on any specific delivery of the exam.

Install and configure a security appliance for basic network connectivity
Configure a security appliance to restrict inbound traffic from untrusted sources
Configure a security appliance to provide secure connectivity using site-to-site VPNs
Configure a security appliance to provide secure connectivity using remote access VPNs
Configure transparent firewall, virtual firewall, and high availability firewall features on a security appliance
Configure AAA services for the security appliance
Configure routing and switching on a security appliance
Configure security appliance advanced application layer and modular policy features
Monitor and manage an installed security appliance

Disclaimer

This Session Will Strictly Adhere to Cisco’s Rules of Confidentiality

We may not be able to address your specific question

If you have taken the exam, please refrain from asking questions from the exam

We will be available after the session to direct you to resources to assist with specific questions or to provide clarification

Exam Topic: Install and Configure a Security Appliance for Basic Network Connectivity

Install and Configure a Security Appliance for Basic Network Connectivity: Subtopics

What You Need to Know:

Describe the firewall technology
Describe the Security Appliance hardware and software architecture
Determine the Security Appliance hardware and software configuration and verify if it is correct
Use setup or the CLI to configure basic network settings, including interface configurations
Use appropriate show commands to verify initial configurations
Configure NAT and global addressing to meet user requirements
Configure DHCP client option
Set default route
Configure logging options
Explain the information contained in syslog files
Configure static address translations
Configure Network Address Translations: PAT
Verify network address translation operation

Describe the Security Appliance Hardware and Software Architecture

ASA Security Appliance Family

[Figure: the ASA 5505, 5510, 5520, 5540 and 5550 plotted by price against functionality across the SOHO, ROBO, SMB, Enterprise and SP market segments; the figure also carries a “Gigabit Ethernet” label.]

CSC-SSM

ASA Content Security and Control Security Services Module (CSC-SSM)

Base License (Malware Protection):
  Anti-Virus
  Anti-Spyware
  File Blocking

Plus License (Content Control):
  URL Filtering
  Anti-Spam
  Anti-Phishing
  Email Content Filtering

The CSC-SSM can block or clean malicious traffic from SMTP, POP3, HTTP, and FTP network traffic.

AIP-SSM

ASA Advanced Inspection and Prevention Security Services Module (AIP-SSM)

An AIP-SSM has the capability to detect and prevent misuse and abuse of, and unauthorized access to, network resources. The following attacks are the most commonly detected attacks by an AIP-SSM:

Network sweeps and scans
Common network anomalies on most Open Systems Interconnection (OSI) layers:
  Malformed Address Resolution Protocol (ARP) requests or replies
  Invalid IP datagrams (for example, a “Christmas tree” packet)
  Invalid TCP packets (for example, a source or destination port of 0)
  Malformed application-layer protocol units
Flooding denial of service (DoS) attacks
Application layer content attacks

ASA 5505 and 5510 Licensing (Release 7.2)

                                  ASA 5510                          ASA 5505
                                  Security Plus   Base              Security Plus   Base
Failover  A/S                     Yes             N/A               Yes*            N/A
          A/A                     Yes             N/A               N/A             N/A
IPSec VPN Peers                   250             250               25              10
Concurrent Firewall Connections   130,000         50,000            25,000          10,000
Security Contexts                 2/5             N/A               N/A             N/A
VLANs                             100             50                20              3
Interfaces                        5 x 10/100      3 x 10/100        8 x 10/100      8 x 10/100
                                                  1 x Mgmt

* Stateless A/S failover

ASA 5520, 5540, and 5550 Licensing (Release 7.2)

Licenses shown as Base / Optional

                     ASA 5520                        ASA 5540                         ASA 5550
Failover  A/S        Yes / N/A                       Yes / N/A                        Yes / N/A
          A/A        Yes / N/A                       Yes / N/A                        Yes / N/A
IPSec VPN Peers      750 / N/A                       5000 / N/A                       5000 / N/A
WebVPN Peers         2 / 10, 25, 50, 100,            2 / 10, 25, 50, 100, 250,        2 / 10, 25, 50, 100, 250, 500,
                     250, 500, 750                   500, 750, 1000, 2500             750, 1000, 2500, 5000
Security Contexts    2 / 5, 10, 20                   2 / 5, 10, 20, 50                2 / 5, 10, 20, 50
VLANs                150 / N/A                       200 / N/A                        250 / N/A
Interfaces           4 x 10/100/1000 + 1 x 10/100    4 x 10/100/1000 + 1 x 10/100     8 x 10/100/1000 + 4 fiber + 1 x 10/100

Describe the Security Appliance Hardware and Software Architecture

ASA 5540: drag the port name on the left to the correct port location (Port A, Port B, Port C, Port D) on the right. Not all apply.

Port names: Gigabit 0/1, Gigabit 0/4, Gigabit 0/5, AUX, Console, Failover, Gigabit 0/3, Gigabit 0/0, Management 0/0

(The ASA 5540 has GigabitEthernet0/0 through 0/3, Management0/0, a Console port and an AUX port; Gigabit 0/4 and 0/5 are distractors.)

Customize Syslog Output

fw1(config)# A logging B 710005

A customer wants to stop a security appliance from outputting “uninteresting” syslog messages such as message 710005. Drag the parameter on the left to the correct letter on the right to complete the command.

Parameters: clear, no, trap, message
Slots: A, B

The actual exam items do not look like this. These are for review purposes only.

Explain the Information Contained in Syslog Files

Drag the logging descriptor on the left to the correct location (Item A through Item E) in the sample message on the right.

Descriptors: Logging Level, Logging Device IP address, Logging Device-ID, Logging Date/Timestamp, Logging Message-ID

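The two syslog items above ask you to pick an ASA message apart into its fields and to suppress one message ID. The following Python is an example added to this page (it is not from the Cisco session): it parses ASA syslog lines into timestamp, device-id, severity level, message ID and text, and models what a syslog server receives after "logging trap <level>" and "no logging message 710005". The sample lines are constructed; the message IDs 302013, 710005, 106023 and 111009 and their severities are the documented ones.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# ASA severity levels, indexed by number: 0 = emergencies ... 7 = debugging
SEVERITY = ["emergencies", "alerts", "critical", "errors",
            "warnings", "notifications", "informational", "debugging"]

# With 'logging timestamp' and 'logging device-id hostname' enabled a line reads
#   Jun 12 2008 10:15:22 fw1 : %ASA-6-302013: Built outbound TCP connection ...
# Both prefixes are optional; the %ASA-<level>-<message-id>: core is always present.
_LINE = re.compile(
    r"^(?:(?P<ts>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}) )?"
    r"(?:(?P<dev>\S+) : )?"
    r"%(?P<plat>ASA|PIX|FWSM)-(?P<level>[0-7])-(?P<msgid>\d{6}): (?P<text>.*)$"
)

@dataclass
class AsaMessage:
    timestamp: Optional[str]
    device_id: Optional[str]
    level: int
    message_id: int
    text: str

    @property
    def severity(self) -> str:
        return SEVERITY[self.level]

def parse_asa_syslog(line: str) -> AsaMessage:
    """Split one ASA syslog line into the fields the exam item asks you to identify."""
    m = _LINE.match(line.strip())
    if not m:
        raise ValueError(f"not an ASA syslog line: {line!r}")
    return AsaMessage(m["ts"], m["dev"], int(m["level"]), int(m["msgid"]), m["text"])

def apply_logging_policy(lines: Iterable[str], trap_level: int,
                         disabled_ids: Iterable[int] = ()) -> List[AsaMessage]:
    """Model what the syslog server receives after
         logging trap <trap_level>   (keeps levels 0..trap_level)
         no logging message <id>     (suppresses one message ID outright)"""
    disabled = set(disabled_ids)
    kept = []
    for line in lines:
        msg = parse_asa_syslog(line)
        if msg.message_id in disabled or msg.level > trap_level:
            continue
        kept.append(msg)
    return kept

# Constructed sample lines (not captured from a real appliance).
SAMPLE = [
    "Jun 12 2008 10:15:22 fw1 : %ASA-6-302013: Built outbound TCP connection 1024 for "
    "outside:203.0.113.5/80 (203.0.113.5/80) to inside:10.0.0.11/49152 (192.168.0.8/1025)",
    "Jun 12 2008 10:15:23 fw1 : %ASA-7-710005: UDP request discarded from 10.0.0.12/137 "
    "to inside:10.0.0.255/137",
    "Jun 12 2008 10:15:24 fw1 : %ASA-4-106023: Deny tcp src outside:203.0.113.5/4444 dst "
    "dmz:172.16.1.9/23 by access-group \"aclout\"",
    "Jun 12 2008 10:15:25 fw1 : %ASA-7-111009: User 'enable_15' executed cmd: show running-config",
]

def ids_after(trap_level: int, disabled_ids: Iterable[int] = ()) -> List[int]:
    """Message IDs that survive the policy, in order; handy for checking a logging change."""
    return [m.message_id for m in apply_logging_policy(SAMPLE, trap_level, disabled_ids)]

if __name__ == "__main__":
    first = parse_asa_syslog(SAMPLE[0])
    print(first.timestamp, first.device_id, first.severity, first.message_id)
    print("trap debugging, 710005 suppressed:", ids_after(7, [710005]))
```

Note the difference the exercise is getting at: "logging trap 6" drops every level-7 message, including 111009 (command accounting you may want to keep), whereas "no logging message 710005" removes only the noisy one.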

NAT/Global vs. Static Command

NAT/Global
  For dynamic NAT/PAT address assignments
  Inside end-user receives an address from a pool of available addresses
  Used mostly for outbound end-user connections
  [Figure: inside users Bob Smith 10.0.0.11 and Sam Jones 10.0.0.12 are translated through a global pool on the outside interface toward the Internet]

Static
  For “permanent” address assignments
  Used mostly for server connections
  [Figure: WWW Server 172.16.1.9 and FTP Server 172.16.1.10 keep fixed translations on the outside interface]

Configure Network Address Translations: PAT

fw1(config)# nat (inside) 2 10.0.2.0 255.255.255.0
fw1(config)# global ( A ) B C netmask 255.255.255.255

[Figure: Sales (10.0.1.0) and Engineering (10.0.2.0) subnets on the inside of fw1 (inside network 10.0.0.0); outside network 192.168.0.0 with global addresses 192.168.0.8 and 192.168.0.9]

The customer wants packets from subnet 10.0.2.0 on the inside to be dynamically translated to 192.168.0.9 on the outside. Drag the parameter on the left to the correct letter on the right to complete the command.

Parameters: outside, 2, 1, 10.0.2.0, 192.168.0.9, inside
Slots: A, B, C

Configure Static Address Translations

fw1(config)# static (A,B) C D netmask 255.255.255.255

[Figure: WWW Server 172.16.1.9 on the DMZ, reachable from the Internet as 192.168.1.3 on the outside]

The customer wants packets sent to 192.168.1.3 on the outside to be translated to 172.16.1.9 on the DMZ. Drag the parameter on the left to the correct letter on the right.

Parameters: Outside, 172.16.1.9, DMZ, 192.168.1.3
Slots: A, B, C, D

Configure a Net Static

fw1(config)# static (A,B) C D netmask 255.255.255.0

[Figure: WWW Server 172.16.1.9 and FTP Server 172.16.1.10 on the DMZ, reachable from the outside as 192.168.10.9 and 192.168.10.10]

The customer wants packets sent to the 192.168.10.0 subnet on the outside to be translated to the same host number on the 172.16.1.0 subnet on the DMZ. Drag the parameter on the left to the correct letter on the right.

Parameters: Outside, 172.16.1.0, DMZ, 192.168.10.0
Slots: A, B, C, D

Configure Static Port Redirection

fw1(config)# static (A,B) tcp C D E F netmask 255.255.255.255

[Figure: FTP1 Server 172.16.1.9 and FTP2 Server 172.16.1.10 on the DMZ; from the outside, ftp to 192.168.0.9:2121]

The customer wants packets sent to 192.168.0.9/2121 to be redirected by the security appliance to 172.16.1.10/ftp. Drag the parameter on the left to the correct letter on the right to accomplish this task.

Parameters: Outside, FTP, 172.16.1.10, DMZ, 2121, 192.168.0.9
Slots: A, B, C, D, E, F

Set Embryonic and Connection Limits on the Security Appliance

fw1(config)# static (dmz,outside) 192.168.1.3 172.16.1.9 A B C D

[Figure: DMZ Server 2 172.16.1.9 on the DMZ, reachable from the outside as 192.168.1.3; required limits: TCP_Max_Conns = 200, UDP_Max_Conns = 100, Embryonic_limit = 25]

The customer wants to limit the number of TCP and UDP connections to DMZ Server 2. Using the static command, drag the parameter on the left to the correct letter on the right to accomplish this task.

Parameters: 100, UDP, 200, 25
Slots: A, B, C, D

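To make the three numbers in that static command concrete, here is a constructed Python model, added for this page and not Cisco code, of what the appliance does when a static carries "tcp <max_conns> <emb_limit> udp <max_conns>" (in 7.x syntax these follow the netmask). The point the exam item does not spell out: when the embryonic (half-open) limit is reached, an ASA 7.x appliance does not drop new SYNs; it answers the handshake itself (TCP intercept) and only opens the server-side connection once the client completes the handshake, so a SYN flood stops filling the server's backlog while real clients still get through. The limits are the slide's (200/25/100); the client addresses and traffic are made up.

```python
class StaticConnLimits:
    """Per-server limits set on a static translation, e.g.
       static (dmz,outside) 192.168.1.3 172.16.1.9 netmask 255.255.255.255 tcp 200 25 udp 100
    Constructed model; 0 means unlimited, as on the appliance."""

    def __init__(self, tcp_max: int = 0, emb_limit: int = 0, udp_max: int = 0):
        self.tcp_max, self.emb_limit, self.udp_max = tcp_max, emb_limit, udp_max
        self.tcp = {}               # client (ip, port) -> "embryonic" | "established"
        self.intercepted = set()    # handshakes the appliance is answering for the server
        self.udp = set()            # UDP "connections" (first packet creates the entry)

    def embryonic(self) -> int:
        return sum(1 for state in self.tcp.values() if state == "embryonic")

    def tcp_syn(self, client) -> str:
        """A SYN for the server arrives. Returns the action taken on it."""
        if client in self.tcp or client in self.intercepted:
            return "existing"
        if self.tcp_max and len(self.tcp) >= self.tcp_max:
            return "drop"                       # maximum TCP connections reached
        if self.emb_limit and self.embryonic() >= self.emb_limit:
            # Embryonic limit reached: TCP intercept. The appliance completes the
            # handshake with the client itself; the server sees nothing yet.
            self.intercepted.add(client)
            return "intercept"
        self.tcp[client] = "embryonic"          # forwarded: half-open on the server
        return "forward"

    def tcp_handshake_done(self, client) -> None:
        """Client's final ACK seen: the connection stops being embryonic."""
        if client in self.intercepted:
            self.intercepted.discard(client)
            if self.tcp_max and len(self.tcp) >= self.tcp_max:
                return                          # server full: intercepted client is refused
        self.tcp[client] = "established"

    def tcp_close(self, client) -> None:
        self.tcp.pop(client, None)
        self.intercepted.discard(client)

    def udp_packet(self, client) -> str:
        if client in self.udp:
            return "existing"
        if self.udp_max and len(self.udp) >= self.udp_max:
            return "drop"
        self.udp.add(client)
        return "forward"


def syn_flood(limits: StaticConnLimits, n: int):
    """n spoofed SYNs from distinct sources that never finish the handshake (constructed)."""
    return [limits.tcp_syn((f"203.0.113.{i % 250 + 1}", 40000 + i)) for i in range(n)]


def demo():
    """Flood past the embryonic limit, then show a real client still gets through."""
    server = StaticConnLimits(tcp_max=200, emb_limit=25, udp_max=100)
    actions = syn_flood(server, 30)
    real = ("198.51.100.7", 51000)
    first = server.tcp_syn(real)            # intercepted: 25 half-open already
    server.tcp_handshake_done(real)         # the real client finishes, so it is admitted
    return {
        "forwarded": actions.count("forward"),
        "intercepted": actions.count("intercept"),
        "real_client": first,
        "established": sum(1 for s in server.tcp.values() if s == "established"),
        "embryonic": server.embryonic(),
    }


if __name__ == "__main__":
    print(demo())
```

The embryonic limit is the one that matters against SYN floods; the TCP and UDP maximums protect the server from legitimate-looking but excessive load and only ever drop.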

Exam Topic: Configure a Security Appliance to Restrict Inbound Traffic from Untrusted Sources

Configure a Security Appliance to Restrict Inbound Traffic from Untrusted Sources: Subtopics

What You Need to Know:

Configure access-lists to filter traffic based on address, time, and protocols
Configure object-groups to optimize access-list processing
Configure Network Address Translations: Nat0
Configure Network Address Translations: Policy NAT
Configure java/activeX filtering
Configure URL filtering
Verify inbound traffic restrictions
Configure static port redirection
Configure a net static
Set embryonic and connection limits on the security appliance

Security Appliance ACL Configuration

[Figure: Internet, outside interface, inside interface. An ACL for inbound access is applied on the outside; an ACL to deny outbound access can be applied on the inside; with no ACL, outbound is permitted by default and inbound is denied by default]

Security appliance configuration philosophy is interface based.

An interface ACL permits or denies the initial packet incoming or outgoing on that interface

The ACL needs to describe only the initial packet of the application; there is no need to think about return traffic, which the stateful connection table permits

If no ACL is attached to an interface, the following ASA policy applies:
  Outbound packet (from a higher to a lower security level) is permitted by default
  Inbound packet (from a lower to a higher security level) is denied by default

Configure Access-Lists to Filter Traffic Based on Address and Protocol

fw1(config)# static (DMZ,outside) 192.168.0.9 172.16.0.2
fw1(config)# access-list aclout permit tcp A B C eq D

[Figure: DMZ WWW Server 172.16.0.2, reachable inbound from the Internet as 192.168.0.9; inside network 10.0.0.0, outside network 192.168.0.0]

A customer wants to enable Internet users HTTP-only access to the company’s DMZ WWW Server. Using the access-list command, drag the parameter on the left to the correct letter on the right to accomplish this task.

Parameters: 172.16.0.2, 255.255.255.0, any, host, 192.168.0.9, WWW
Slots: A, B, C, D

Configure Access-Lists to Filter Traffic Based on Address and Time

Define a time when certain resources can be accessed
  Absolute start and stop time and date
  Recurring time range: time and day of the week
Apply the time-range to an ACL entry

fw1(config)# time-range temp-worker
fw1(config-time-range)# absolute start 00:00 1 June 2006 end 00:00 30 June 2006
fw1(config-time-range)# periodic weekdays 8:00 to 17:00
fw1(config)# static (dmz,outside) 192.168.0.6 172.16.0.6
fw1(config)# access-list aclin permit tcp host 192.168.10.2 host 192.168.0.6 eq www time-range temp-worker

[Figure: Temp Worker at 192.168.10.2 on the Internet is allowed HTTP access to DMZ Server 172.16.0.6 (192.168.0.6 on the outside) from 8 AM to 5 PM, 1 Jun to 30 Jun; inside network 10.0.0.0]

Configure Network Address Translations: Policy NAT

fw1(config)# access-list company_a permit tcp A 255.255.255.0 host B
fw1(config)# nat (inside) 10 access-list company_a
fw1(config)# global (outside) C D netmask 255.255.255.255

[Figure: ABC Corp. inside network 10.0.0.0 (host 10.0.0.15/24) sends sales orders across the Internet to the Company A Sales Server 192.168.10.11; the outside address to use for them is 192.168.0.33]

When sending sales orders to Company A, all ABC Corp. IP source addresses must be translated to 192.168.0.33. Using the access-list and global commands, drag the parameter on the left to the correct letter on the right to accomplish this task.

Parameters: 192.168.0.33, 192.168.10.11, 10.0.0.15, 10.0.0.0, 10
Slots: A, B, C, D

Configure Network Address Translations: Nat0

fw1(config)# access-list VPN-NO-NAT permit ip A 255.255.255.0 B 255.255.255.0
fw1(config)# nat (inside) C access-list VPN-NO-NAT

[Figure: Corporate office 10.100.1.0/24 behind fw1 and Home office 10.10.0.0/24, connected across the Internet by a VPN; the VPN traffic is not translated]

The customer does NOT want to translate home office to corporate office VPN traffic. Using the access-list and nat commands, drag the parameter on the left to the correct letter on the right to accomplish this task.

Parameters: 10.10.0.0, 10.100.1.0, 0, 1
Slots: A, B, C
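The PAT, static, net static, port redirection, policy NAT and Nat0 items above all describe the same translation table from different sides, and the order in which the appliance consults it is what the exam is really testing. The Python below is an example added to this page (not Cisco code): it models pre-8.3 translation with the rule precedence the appliance uses (nat 0 access-list exemption first, then static, then policy NAT, then regular nat/global) and replays the slides' commands against constructed packets. The PAT port allocation starting at 1024 and the combination of all the slides' networks into one firewall are assumptions made for the example.

```python
import ipaddress


def net(text):
    """Accept '10.0.2.0/24', '10.0.2.0/255.255.255.0' or a bare host address."""
    return ipaddress.ip_network(text, strict=False)


class NatTable:
    """Constructed model of pre-8.3 ASA translation. Rules are matched in the order the
    appliance uses: nat 0 access-list (exemption) > static > policy NAT > regular nat/global."""

    def __init__(self):
        self.exempt, self.statics, self.policy = [], [], []
        self.dynamic, self.globals, self.next_port = {}, {}, {}

    # ---- one method per CLI command ----
    def nat0(self, real_ifc, src, dst):                 # access-list X permit ip src dst ; nat (real_ifc) 0 access-list X
        self.exempt.append((real_ifc, net(src), net(dst)))

    def static(self, real_ifc, mapped_ifc, mapped, real,    # static (real_ifc,mapped_ifc) [tcp] mapped [port] real [port]
               proto=None, mapped_port=None, real_port=None):
        self.statics.append((real_ifc, mapped_ifc, net(mapped), net(real), proto, mapped_port, real_port))

    def policy_nat(self, real_ifc, nat_id, src, dst):   # access-list X permit ip src dst ; nat (real_ifc) <id> access-list X
        self.policy.append((real_ifc, nat_id, net(src), net(dst)))

    def nat(self, real_ifc, nat_id, src):               # nat (real_ifc) <id> <net> <mask>
        self.dynamic[(real_ifc, nat_id)] = net(src)

    def global_(self, mapped_ifc, nat_id, ip):          # global (mapped_ifc) <id> <ip> netmask 255.255.255.255
        self.globals.setdefault((mapped_ifc, nat_id), []).append(ip)

    # ---- first packet of a flow leaving a real (higher-security) interface ----
    def outbound(self, real_ifc, mapped_ifc, src_ip, dst_ip, src_port):
        s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        for ifc, sn, dn in self.exempt:
            if ifc == real_ifc and s in sn and d in dn:
                return "exempt", src_ip, src_port
        for ifc, mifc, mnet, rnet, proto, _, _ in self.statics:
            if (ifc, mifc) == (real_ifc, mapped_ifc) and proto is None and s in rnet:
                return "static", str(self._shift(s, rnet, mnet)), src_port
        for ifc, nat_id, sn, dn in self.policy:
            if ifc == real_ifc and s in sn and d in dn:
                return self._pat("policy", mapped_ifc, nat_id, src_port)
        for (ifc, nat_id), sn in self.dynamic.items():
            if ifc == real_ifc and s in sn:
                return self._pat("dynamic", mapped_ifc, nat_id, src_port)
        return "untranslated", src_ip, src_port     # no rule: passes as-is unless nat-control is on

    # ---- first packet of a flow arriving on the mapped (lower-security) interface ----
    def inbound(self, mapped_ifc, dst_ip, dst_port, proto="tcp"):
        d = ipaddress.ip_address(dst_ip)
        for ifc, mifc, mnet, rnet, p, mport, rport in self.statics:
            if mifc != mapped_ifc or d not in mnet:
                continue
            if p is None:                               # one-to-one static or net static
                return ifc, str(self._shift(d, mnet, rnet)), dst_port
            if p == proto and mport == dst_port:        # static port redirection
                return ifc, str(rnet.network_address), rport
        return None                                     # nothing reachable at this address/port

    def _pat(self, kind, mapped_ifc, nat_id, src_port):
        pool = self.globals.get((mapped_ifc, nat_id))
        if not pool:
            return "drop", None, None                   # nat without a matching global: no translation group
        ip = pool[0]
        port = self.next_port.get(ip, 1024)             # simplified PAT port allocation (assumption)
        self.next_port[ip] = port + 1
        return kind, ip, port

    @staticmethod
    def _shift(addr, from_net, to_net):
        """Keep the host number, swap the network part (what a net static does)."""
        return to_net.network_address + (int(addr) - int(from_net.network_address))


def build_example():
    """The slides' commands, combined into one table (constructed)."""
    t = NatTable()
    t.nat("inside", 2, "10.0.2.0/24")                                      # nat (inside) 2 10.0.2.0 255.255.255.0
    t.global_("outside", 2, "192.168.0.9")                                 # global (outside) 2 192.168.0.9 netmask 255.255.255.255
    t.static("dmz", "outside", "192.168.1.3", "172.16.1.9")                # static (dmz,outside) 192.168.1.3 172.16.1.9
    t.static("dmz", "outside", "192.168.10.0/24", "172.16.1.0/24")         # static (dmz,outside) 192.168.10.0 172.16.1.0 netmask 255.255.255.0
    t.static("dmz", "outside", "192.168.0.9", "172.16.1.10", "tcp", 2121, 21)  # static (dmz,outside) tcp 192.168.0.9 2121 172.16.1.10 ftp
    t.policy_nat("inside", 10, "10.0.0.0/24", "192.168.10.11")             # nat (inside) 10 access-list company_a
    t.global_("outside", 10, "192.168.0.33")                               # global (outside) 10 192.168.0.33 netmask 255.255.255.255
    t.nat0("inside", "10.100.1.0/24", "10.10.0.0/24")                      # nat (inside) 0 access-list VPN-NO-NAT
    return t


if __name__ == "__main__":
    t = build_example()
    print(t.outbound("inside", "outside", "10.0.2.7", "203.0.113.1", 49152))
    print(t.inbound("outside", "192.168.0.9", 2121))
```

Two things worth checking with it: a host in 10.0.0.0/24 talking to the Company A server is translated by the policy rule to 192.168.0.33 even though a regular nat could also match it, and 192.168.0.9 serves both as the PAT address for nat id 2 and as the port-redirection address for port 2121 without conflict, because the static is consulted before the dynamic pool.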

Configure Object-Groups to Optimize Access-List Processing

fw1(config)# object-group service object1 tcp
fw1(config-service)# port-object eq https
fw1(config)# object-group network object2
fw1(config-network)# network-object 172.16.1.0 255.255.255.0
fw1(config)# object-group network object3
fw1(config-network)# network-object 192.168.10.0 255.255.255.0

fw1(config)# access-list IT extended permit tcp object-group A object-group B object-group C

A network administrator wants to grant external IT personnel, on subnet 192.168.10.0/24, HTTPS access to the servers on the DMZ subnet, 172.16.1.0/24. Using the access-list command, drag the parameter on the left to the correct letter on the right to accomplish this task.

Parameters: object1, object2, object3
Slots: A, B, C

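The ACL items above (address and protocol, time-range, object-groups) and the interface-based philosophy slide before them all come down to one evaluation: first match wins on the ACL bound to the ingress interface, implicit deny at the end, and the security-level rule only when no ACL is bound. The following Python is an example added to this page, not Cisco code: a small evaluator that parses the slides' own access-list lines (including object-group and time-range references) and answers permit/deny for the first packet of a flow. Interface security levels (inside 100, dmz 50, outside 0) and the choice to bind all three entries to one ACL on the outside are assumptions; the entries are the slides'.

```python
import ipaddress
from datetime import datetime

# Constructed model of ASA 7.x interface ACL evaluation (example code, not the appliance's).
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ftp": 21, "telnet": 23, "smtp": 25}
ANY = ipaddress.ip_network("0.0.0.0/0")


class TimeRange:
    """'absolute start ... end ...' plus an optional 'periodic weekdays h1 to h2'."""
    def __init__(self, start=None, end=None, weekday_hours=None):
        self.start, self.end, self.weekday_hours = start, end, weekday_hours

    def active(self, when):
        if (self.start and when < self.start) or (self.end and when >= self.end):
            return False
        if self.weekday_hours:
            h1, h2 = self.weekday_hours
            return when.weekday() < 5 and h1 <= when.hour < h2
        return True


class Firewall:
    def __init__(self, levels):
        self.levels = levels      # interface -> security level
        self.groups = {}          # object-group name -> list of networks or set of ports
        self.time_ranges = {}
        self.acls = {}            # ACL name -> list of entries, in configured order
        self.bound = {}           # interface -> ACL name ('access-group <acl> in interface <ifc>')

    def object_group(self, name, members): self.groups[name] = members
    def time_range(self, name, tr): self.time_ranges[name] = tr
    def access_group(self, acl, ifc): self.bound[ifc] = acl

    def access_list(self, name, line):
        """Parse '[extended] permit|deny <proto> <src> <dst> [eq <port>|object-group <svc>] [time-range <tr>]'."""
        toks = line.split()
        if toks[0] == "extended":
            toks = toks[1:]
        action, proto = toks[0], toks[1]
        src, i = self._addr(toks, 2)
        dst, i = self._addr(toks, i)
        ports, tr = None, None
        while i < len(toks):
            if toks[i] == "eq":
                ports, i = {PORT_NAMES.get(toks[i + 1]) or int(toks[i + 1])}, i + 2
            elif toks[i] == "object-group":
                ports, i = set(self.groups[toks[i + 1]]), i + 2
            elif toks[i] == "time-range":
                tr, i = self.time_ranges[toks[i + 1]], i + 2
            else:
                raise ValueError(f"unsupported token {toks[i]!r}")
        self.acls.setdefault(name, []).append((action, proto, src, dst, ports, tr))

    def _addr(self, toks, i):
        t = toks[i]
        if t == "any":
            return [ANY], i + 1
        if t == "host":
            return [ipaddress.ip_network(toks[i + 1])], i + 2
        if t == "object-group":
            return self.groups[toks[i + 1]], i + 2
        return [ipaddress.ip_network(f"{t}/{toks[i + 1]}", strict=False)], i + 2

    def check(self, ifc_in, ifc_out, src, dst, proto, dport, when=None):
        """Decision for the first packet of a flow entering ifc_in and leaving ifc_out.
        Return traffic never consults the ACL; the connection table handles it."""
        acl = self.bound.get(ifc_in)
        if acl is None:   # no ACL on the ingress interface: security levels decide
            return "permit" if self.levels[ifc_in] > self.levels[ifc_out] else "deny"
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        when = datetime.fromisoformat(when) if isinstance(when, str) else (when or datetime.now())
        for action, p, srcs, dsts, ports, tr in self.acls[acl]:
            if p not in (proto, "ip"):
                continue
            if not any(s in n for n in srcs) or not any(d in n for n in dsts):
                continue
            if ports is not None and dport not in ports:
                continue
            if tr is not None and not tr.active(when):
                continue
            return action
        return "deny"   # implicit deny at the end of every ACL


def build_example():
    """The slides' three entries on one ACL bound to the outside interface (constructed)."""
    fw = Firewall({"inside": 100, "dmz": 50, "outside": 0})
    fw.time_range("temp-worker", TimeRange(datetime(2006, 6, 1), datetime(2006, 6, 30), (8, 17)))
    fw.object_group("object1", {443})                                     # object-group service object1 tcp / port-object eq https
    fw.object_group("object2", [ipaddress.ip_network("172.16.1.0/24")])   # object-group network object2
    fw.object_group("object3", [ipaddress.ip_network("192.168.10.0/24")]) # object-group network object3
    fw.access_list("aclout", "permit tcp any host 192.168.0.9 eq www")
    fw.access_list("aclout", "permit tcp host 192.168.10.2 host 192.168.0.6 eq www time-range temp-worker")
    fw.access_list("aclout", "extended permit tcp object-group object3 object-group object2 object-group object1")
    fw.access_group("aclout", "outside")                                   # access-group aclout in interface outside
    return fw
```

Remember that on this software the interface ACL on the outside matches the mapped (global) addresses from the static commands, which is why the slides' entries name 192.168.0.9 and 192.168.0.6 rather than the DMZ servers' real addresses.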

Exam Topic: Configure a Security Appliance to Provide Secure Connectivity Using Site-to-Site VPNs

Configure a Security Appliance to Provide Secure Connectivity Using Site-to-Site VPNs

What You Need to Know:

Explain the basic functionality of IPSec
Configure IKE with preshared keys
Differentiate between the types of encryption
Configure IPSec parameters
Configure crypto-maps and ACLs

Identify Interesting Traffic

fw1(config)# access-list 101 permit ip A 255.255.255.0 B 255.255.255.0
fw6(config)# access-list 101 permit ip C 255.255.255.0 D 255.255.255.0

[Figure: Site 1 network 10.0.1.0 (host 10.0.1.11) behind fw1, e0 192.168.1.2; Site 2 network 10.0.6.0 (host 10.0.6.11) behind fw6, e0 192.168.6.2; the two sites are connected across the Internet]

Parameters: 10.0.1.0, 10.0.6.0, 10.0.1.0, 10.0.6.0
Slots: A, B, C, D

Configure Tunnel-Group Attributes: Pre-Shared Key

fw1(config)# tunnel-group 192.168.6.2 type IPSec-L2L
fw1(config)# tunnel-group 192.168.6.2 ipsec-attributes
fw1(config-ipsec)# pre-shared-key cisco123

[Figure: Site 1 fw1 (192.168.1.2, host 10.0.1.11) and Site 2 fw6 (192.168.6.2, host 10.0.6.11) across the Internet. fw1 holds tunnel-group 192.168.6.2 (type IPSec L2L, pre-shared-key cisco123); fw6 holds the matching tunnel-group 192.168.1.2 (type IPSec L2L, pre-shared-key cisco123)]

Configure IKE with Pre-Shared Keys

[Figure: Site 1 fw1, e0 192.168.1.2, host 10.0.1.11; Site 2 fw6, e0 192.168.6.2, host 10.0.6.11; Internet between them]

fw1(config)# isakmp policy 10 encryption 3des
fw1(config)# isakmp policy 10 hash sha
fw1(config)# isakmp policy 10 authentication pre-share
fw1(config)# isakmp policy 10 group 1
fw1(config)# isakmp policy 10 lifetime 86400

Note that group 1 is 768-bit Diffie-Hellman; the remote-access ISAKMP policy later in this session uses group 2 (1024-bit), and group 2 or higher is the sensible choice for a new deployment.

Configure IPSec Parameters

[Figure: Security Appliance 1, e0 192.168.1.2, host 10.0.1.11 at Site 1; Security Appliance 6, e0 192.168.6.2, host 10.0.6.11 at Site 2; Internet between them]

fw1(config)# crypto ipsec transform-set FW6 esp-des esp-md5-hmac

Available transforms:
  esp-des        ESP transform using DES cipher (56 bits)
  esp-3des       ESP transform using 3DES cipher (168 bits)
  esp-aes        ESP transform using AES-128 cipher
  esp-aes-192    ESP transform using AES-192 cipher
  esp-aes-256    ESP transform using AES-256 cipher
  esp-md5-hmac   ESP transform using HMAC-MD5 auth
  esp-sha-hmac   ESP transform using HMAC-SHA auth

Configure IPSec Parameters

fw1(config)# crypto ipsec transform-set FW6 A B

Select two secure transforms for the IPSec tunnel. Drag the parameter on the left to the correct letter on the right to accomplish this task.

Parameters: esp-3des, esp-rc4, ah-md5-hmac, ah-aes-128, esp-sha-hmac
Slots: A, B

[Figure: same Site 1 / Site 2 topology as above]

Configure Crypto-Maps and ACLs

fw1(config)# access-list 101 permit ip A 255.255.255.0 B 255.255.255.0
fw1(config)# crypto ipsec transform-set FW6 esp-3des esp-sha-hmac
fw1(config)# crypto map FW1MAP 10 set peer C
fw1(config)# crypto map FW1MAP 10 match address D
fw1(config)# crypto map FW1MAP 10 set transform-set FW6
fw1(config)# crypto map FW1MAP interface outside

[Figure: Site 1 fw1, e0 192.168.1.2, host 10.0.1.11; Site 2 fw6, e0 192.168.6.2, host 10.0.6.11; Internet between them]

Parameters: 10.0.1.0, 10.0.6.0, 192.168.1.2, 192.168.6.2, 101, FW1MAP
Slots: A, B, C, D

Site-to-Site VPN: Hub and Spoke

Understand the traffic flow
Utilize existing S2S tunnels
Add additional crypto access-lists
Add “same-security-traffic permit intra-interface” at the hub site

Traffic Flow: HQ to BR A, HQ to BR B, BR A to BR B

[Figure: HQ 10.0.1.0/24 (192.168.1.1) is the hub; the branches 10.0.2.0/24 (192.168.1.10) and 10.0.4.0/24 (192.168.1.12) are the spokes, all connected across the Internet; intra-interface traffic is permitted at HQ]

HQ (192.168.1.1)
  IPsec Tunnels: 192.168.1.1 to 192.168.1.10, 192.168.1.1 to 192.168.1.12
  Encrypted Traffic: 10.0.1.0/24 to 10.0.2.0/24, 10.0.1.0/24 to 10.0.4.0/24

Branch at 192.168.1.10
  IPsec Tunnels: 192.168.1.10 to 192.168.1.1
  Encrypted Traffic: 10.0.2.0/24 to 10.0.1.0/24, 10.0.2.0/24 to 10.0.4.0/24

Branch at 192.168.1.12
  IPsec Tunnels: 192.168.1.12 to 192.168.1.1
  Encrypted Traffic: 10.0.4.0/24 to 10.0.1.0/24, 10.0.4.0/24 to 10.0.2.0/24

For the BR A to BR B flow the hub's crypto ACL toward each branch must also carry the other branch's subnet (10.0.2.0/24 and 10.0.4.0/24 in both directions), so that the traffic decrypted from one tunnel is re-encrypted into the other; the same-security-traffic permit intra-interface command is what allows that traffic to leave HQ on the same outside interface it arrived on.

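The site-to-site slides above leave three things to check by hand: whether a transform-set is one the CLI accepts and is actually secure (the drag-and-drop item mixes real transforms with names that do not exist), whether the crypto ACLs at the two ends mirror each other, and which extra crypto ACL entries a hub-and-spoke design needs. The Python below is an example added to this page, not Cisco code, that does those three checks; the transform names are the ones the ASA 7.x command accepts, and the assignment of the slide's branch subnets to the labels BR_A and BR_B is an assumption.

```python
import ipaddress

# Transforms the ASA 7.x 'crypto ipsec transform-set' command accepts.
ESP_CIPHERS = {"esp-des", "esp-3des", "esp-aes", "esp-aes-192", "esp-aes-256", "esp-null"}
ESP_AUTH = {"esp-md5-hmac", "esp-sha-hmac"}
AH_AUTH = {"ah-md5-hmac", "ah-sha-hmac"}
WEAK = {"esp-des", "esp-null", "esp-md5-hmac", "ah-md5-hmac"}   # 56-bit key, no cipher, or MD5


def assess_transform_set(transforms):
    """Classify a candidate transform-set as 'invalid', 'weak' or 'secure', with reasons."""
    ts = list(transforms)
    unknown = [t for t in ts if t not in ESP_CIPHERS | ESP_AUTH | AH_AUTH]
    if unknown:
        return "invalid", [f"{t}: not an ASA transform" for t in unknown]
    if sum(t in ESP_CIPHERS for t in ts) > 1 or sum(t in ESP_AUTH for t in ts) > 1:
        return "invalid", ["at most one ESP cipher and one ESP authentication transform"]
    reasons = []
    cipher = next((t for t in ts if t in ESP_CIPHERS), None)
    integrity = next((t for t in ts if t in ESP_AUTH | AH_AUTH), None)
    if cipher is None or cipher in WEAK:
        reasons.append("no confidentiality stronger than DES")
    if integrity is None:
        reasons.append("no integrity protection")
    elif integrity in WEAK:
        reasons.append("HMAC-MD5 integrity")
    return ("secure" if not reasons else "weak"), reasons


def mirror(acl):
    """The crypto ACL the peer must carry: every (src, dst) pair swapped."""
    return sorted((dst, src) for src, dst in acl)


def is_mirrored(local_acl, peer_acl):
    """Both ends must describe the same protected traffic from opposite sides;
    otherwise phase 2 fails with a proxy-identity mismatch."""
    return sorted(peer_acl) == mirror(local_acl)


def hub_spoke_crypto_acls(hub, spokes, spoke_to_spoke=True):
    """Derive each site's crypto ACL per peer for a hub-and-spoke design that reuses
    the hub<->spoke tunnels for spoke-to-spoke traffic. Sites are dicts with
    'name', 'peer' (tunnel endpoint) and 'net' (protected subnet).
    Returns ({site: {peer_ip: [(src, dst), ...]}}, hub_needs_intra_interface)."""
    acls = {hub["name"]: {}, **{s["name"]: {} for s in spokes}}
    for s in spokes:
        acls[hub["name"]][s["peer"]] = [(hub["net"], s["net"])]
        acls[s["name"]][hub["peer"]] = [(s["net"], hub["net"])]
        if spoke_to_spoke:
            for other in spokes:
                if other is not s:
                    # Traffic from the other spoke re-enters the hub's outside interface
                    # and leaves through it again: this is the hairpin that needs
                    # 'same-security-traffic permit intra-interface' on the hub.
                    acls[hub["name"]][s["peer"]].append((other["net"], s["net"]))
                    acls[s["name"]][hub["peer"]].append((s["net"], other["net"]))
    return acls, spoke_to_spoke and len(spokes) > 1


def render_crypto_acl(name, entries):
    """Emit 'access-list <name> permit ip <src> <mask> <dst> <mask>' lines for the CLI."""
    lines = []
    for src, dst in entries:
        s, d = ipaddress.ip_network(src), ipaddress.ip_network(dst)
        lines.append(f"access-list {name} permit ip {s.network_address} {s.netmask} "
                     f"{d.network_address} {d.netmask}")
    return lines


# The slides' topology; which branch label owns which subnet is our assumption.
HQ = {"name": "HQ", "peer": "192.168.1.1", "net": "10.0.1.0/24"}
BR_A = {"name": "BR_A", "peer": "192.168.1.10", "net": "10.0.2.0/24"}
BR_B = {"name": "BR_B", "peer": "192.168.1.12", "net": "10.0.4.0/24"}

if __name__ == "__main__":
    acls, needs_intra = hub_spoke_crypto_acls(HQ, [BR_A, BR_B])
    for line in render_crypto_acl("HQ_TO_BRA", acls["HQ"]["192.168.1.10"]):
        print(line)
    print("hub needs same-security-traffic permit intra-interface:", needs_intra)
    print(assess_transform_set(["esp-3des", "esp-sha-hmac"]))
```

Applied to the drag-and-drop item: esp-rc4 and ah-aes-128 are rejected as nonexistent, ah-md5-hmac is accepted but flagged, and esp-3des with esp-sha-hmac is the pairing that passes, which matches the "two secure transforms" the exercise asks for.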


Exam Topic: Configure a Security Appliance to Provide Secure Connectivity Using Remote Access VPNs

Configure a Security Appliance to Provide Secure Connectivity Using Remote Access VPNs

What You Need to Know:

Explain the functions of EasyVPN
Configure IPSec using EasyVPN Server/Client
Configure the Cisco Secure VPN client
Explain the purpose of WebVPN
Configure WebVPN services: Server/Client
Verify VPN operations
Install and Configure SVCs
Install and Configure Cisco Secure Desktop

Configure ISAKMP Parameters

fw1(config)# isakmp enable outside
fw1(config)# isakmp policy 10 encryption 3des
fw1(config)# isakmp policy 10 hash sha
fw1(config)# isakmp policy 10 authentication pre-share
fw1(config)# isakmp policy 10 group 2
fw1(config)# isakmp policy 10 lifetime 86400

[Figure: Remote Client 172.26.26.1 on the Internet; fw1 with outside and inside interfaces; Server 10.0.0.15 on the inside]

Configure IPSec Tunnel-Group

fw1(config)# ip local pool mypool 10.0.0.100-10.0.0.254
!--- Configure tunnel-group parameters
fw1(config)# tunnel-group training type A
fw1(config)# tunnel-group training B
fw1(config-ipsec)# pre-shared-key cisco123
fw1(config)# tunnel-group training C
fw1(config-general)# address-pool mypool

Parameters: IPSec_RA, ipsec-attributes, general-attributes, IPSec-L2L
Slots: A, B, C

[Figure: Remote Client 172.26.26.1 on the Internet; fw1 with outside and inside interfaces; Server 10.0.0.15 on the inside]

Configure Group Policy

fw1(config)# group-policy training internal
fw1(config)# group-policy training attributes
fw1(config-group-policy)# wins-server value 10.0.0.15
fw1(config-group-policy)# dns-server value 10.0.0.15
fw1(config-group-policy)# vpn-idle-timeout 15
fw1(config-group-policy)# default-domain value cisco.com

Group policy attributes pushed to the client: DNS server, WINS server, DNS domain, address pool, idle time

[Figure: Remote Client 172.26.26.1 on the Internet; fw1 with outside and inside interfaces; Server 10.0.0.15 on the inside]

Configure Crypto Map

fw1(config)# crypto ipsec transform-set rmtuser1 esp-3des esp-md5-hmac
fw1(config)# crypto dynamic-map rmt-dyna-map 10 set transform-set A
fw1(config)# crypto map rmt-user-map 10 ipsec-isakmp dynamic-map B
!--- Apply crypto map to the outside interface.
fw1(config)# crypto map C interface outside

An administrator needs to complete a dynamic crypto map for this solution. Drag the parameter on the left to the correct letter on the right to accomplish this task.

Parameters: rmt-user-map, rmt-dyna-map, rmtuser1
Slots: A, B, C

[Figure: Remote Client 172.26.26.1 on the Internet; fw1 with outside and inside interfaces; Server 10.0.0.15 on the inside]

Explain the Purpose of WebVPN

Uses a standard SSL VPN to access the corporate network
  Access to internal websites (HTTP/HTTPS), including filtering
  Access to internal Windows (CIFS) file shares
  TCP port forwarding for legacy application support
  Access to e-mail via POP, SMTP, and IMAP4 over SSL

[Figure: Home Office, Computer Kiosk and Wireless Provider users reach the Corporate Network over a WebVPN tunnel through their Broadband Provider or ISP]

Configure SSLVPN Services

fw1(config)# group-policy corp_sslvpn attributes
  Enters the group-policy attributes subcommand mode
fw1(config-group-policy)# webvpn
  Enters WebVPN group-policy attributes subcommand mode
fw1(config-group-webvpn)# functions url-entry file-access file-entry file-browsing
  Enables file access, entry, browsing, and URL entry for the group
fw1(config-group-webvpn)# url-list value URLs
  Selects predefined URLs that were configured by using the url-list command

[Figure: Remote Client reaches HTTP-Server 10.0.1.10/24 and Console-Server 10.0.1.11/24 behind the Security Appliance over a WebVPN tunnel]

Configure SSLVPN File Services

fw1(config)# group-policy corp_sslvpn attributes
fw1(config-group-policy)# webvpn
fw1(config-group-webvpn)# functions url-entry file-access file-entry file-browsing
fw1(config-group-webvpn)# url-list value sslvpn_urls
fw1(config)# url-list sslvpn_urls "Superserver" http://10.0.1.10
fw1(config)# url-list sslvpn_urls "CIFS Share" cifs://10.0.1.11/training

Figure: remote client, WebVPN tunnel, security appliance, Superserver 10.0.1.10/24 and Training file server 10.0.1.11/24


Configure SSLVPN Port-Forward Services

fw1(config)# group-policy corp_sslvpn attributes
fw1(config-group-policy)# webvpn
fw1(config-group-webvpn)# functions port-forward
fw1(config-group-webvpn)# port-forward value SSLVPN_APPS
fw1(config-group-webvpn)# port-forward SSLVPN_APPS 2222 10.0.1.10 23
fw1(config-group-webvpn)# port-forward SSLVPN_APPS 2110 mailserver1.training.com 110
fw1(config-group-webvpn)# port-forward SSLVPN_APPS 2025 mailserver1.training.com 25

Figure: remote client, WebVPN tunnel, security appliance, Super-Server1 10.0.1.10/24 and Mail-Server1 10.0.1.11/24


Exam Topics—Configure Transparent Firewall, Virtual Firewall, and High Availability Firewall Features on a Security Appliance


Configure Transparent Firewall, Virtual Firewall, and High Availability Firewall Features on a Security Appliance

What You Need to Know:

Explain differences between L2 and L3 operating modes
Configure security appliance for transparent mode (L2)
Explain purpose of virtual firewalls
Configure security appliance to support virtual firewall
Monitor and maintain virtual firewall
Explain the types, purpose and operation of fail-over
Install and configure appropriate topology to support cable-based or LAN-based fail-over
Explain the hardware, software and licensing requirements for high-availability


Configure Transparent Firewall, Virtual Firewall, and High Availability Firewall Features on a Security Appliance (Con’t)

What You Need to Know:

Configure the SA for active/standby fail-over
Configure the SA for stateful fail-over
Configure the SA for active-active fail-over
Verify fail-over operation
Recover from a fail-over
Allocate resources to virtual firewalls


Explain Differences Between L2 and L3 Operating Modes

The Security Appliance Can Run in Two Mode Settings:

Routed—Based on IP Address
Transparent—Based on MAC Address

The following features are not supported in transparent mode:

NAT
Dynamic routing protocols
IPv6
DHCP relay
Quality of Service
Multicast
VPN termination for through traffic

Figure: routed mode joins 10.0.1.0 (VLAN 100) and 10.0.2.0 (VLAN 200); transparent mode joins 10.0.1.0 (VLAN 100) and 10.0.1.0 (VLAN 200)


Configure Security Appliance for Transparent Mode (L2)

Layer 3 traffic must be explicitly permitted
Each directly connected network must be on the same subnet
The management IP address must be on the same subnet as the connected network
Do not specify the firewall appliance management IP address as the default gateway for connected devices
Devices need to specify the router on the other side of the firewall appliance as the default gateway
Each interface must be a different VLAN interface

fw1(config)# firewall transparent
Switched to transparent mode

Figure: transparent mode between VLAN 100 and VLAN 200, both 10.0.1.0; management IP address 10.0.1.1; router 10.0.1.10 toward the Internet; hosts IP 10.0.1.3 and 10.0.1.4 with GW 10.0.1.10
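The rules above are easy to get wrong when a routed-mode design is converted; the following added example (my own pre-flight check, not Cisco code or an appliance feature) models a planned transparent-mode deployment and reports which of the slide's rules it violates. The data model and the sample plans are constructed from the slide's diagram (VLAN 100/200, 10.0.1.0, management IP 10.0.1.1, router 10.0.1.10).

```python
"""Added example, not Cisco code: check a planned transparent-mode (Layer 2)
deployment against the rules on the slide.  The data model below is my own;
"Layer 3 traffic must be explicitly permitted" is an access-list matter and
is not checked here.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class L2Interface:
    name: str        # e.g. "inside"
    vlan: int        # VLAN interface the appliance port carries
    network: str     # directly connected network, e.g. "10.0.1.0/24"


@dataclass
class Host:
    ip: str
    gateway: str


@dataclass
class TransparentPlan:
    management_ip: str     # management IP of the appliance, e.g. "10.0.1.1"
    router_ip: str         # router on the far side of the firewall (the real gateway)
    interfaces: list
    hosts: list = field(default_factory=list)


def check_transparent_plan(plan):
    """Return a list of rule violations; an empty list means the plan is consistent."""
    problems = []
    nets = [ipaddress.ip_network(i.network) for i in plan.interfaces]

    # Rule: each directly connected network must be on the same subnet.
    if len({str(n) for n in nets}) != 1:
        problems.append("connected networks are not all on the same subnet: "
                        + ", ".join(str(n) for n in nets))

    # Rule: the management IP must be on the same subnet as the connected network.
    mgmt = ipaddress.ip_address(plan.management_ip)
    if nets and mgmt not in nets[0]:
        problems.append(f"management IP {mgmt} is not inside {nets[0]}")

    # Rule: each interface must be a different VLAN interface.
    vlans = [i.vlan for i in plan.interfaces]
    if len(set(vlans)) != len(vlans):
        problems.append(f"interfaces share a VLAN: {vlans}")

    # Rule: hosts must not use the appliance management IP as default gateway;
    # they must point at the router on the other side of the firewall.
    for h in plan.hosts:
        if h.gateway == plan.management_ip:
            problems.append(f"host {h.ip} uses the firewall management IP as gateway")
        elif h.gateway != plan.router_ip:
            problems.append(f"host {h.ip} gateway {h.gateway} is not the router {plan.router_ip}")
    return problems


# Constructed sample matching the slide's diagram.
GOOD_PLAN = TransparentPlan(
    management_ip="10.0.1.1", router_ip="10.0.1.10",
    interfaces=[L2Interface("outside", 100, "10.0.1.0/24"),
                L2Interface("inside", 200, "10.0.1.0/24")],
    hosts=[Host("10.0.1.3", "10.0.1.10"), Host("10.0.1.4", "10.0.1.10")])

# Constructed plan with three classic mistakes: a routed-style second subnet,
# both interfaces on one VLAN, and a host whose gateway is the firewall itself.
BAD_PLAN = TransparentPlan(
    management_ip="10.0.1.1", router_ip="10.0.1.10",
    interfaces=[L2Interface("outside", 100, "10.0.1.0/24"),
                L2Interface("inside", 100, "10.0.2.0/24")],
    hosts=[Host("10.0.1.3", "10.0.1.1")])

if __name__ == "__main__":
    for label, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(label, check_transparent_plan(plan) or "OK")
```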


Configure Security Appliance to Support Virtual Firewall

fw1(config)# mode multiple
WARNING: This command will change the behavior of the device
WARNING: This command will initiate a Reboot
Proceed with change mode? [confirm]
Convert the system configuration? [confirm]
...
fw1# show mode
Security context mode: multiple

Figure: one appliance with two contexts, CTX1 (admin) on e0/e1 and CTX2 on e3/e4, each facing the Internet


Configure Security Appliance to Support Virtual Firewall

fw1(config)# admin-context ctx1
fw1(config)# context ctx1
fw1(config-ctx)# allocate-interface A
fw1(config-ctx)# allocate-interface B
fw1(config-ctx)# config-url flash:/C
fw1(config)# context ctx2
fw1(config-ctx)# allocate-interface D
fw1(config-ctx)# allocate-interface E
fw1(config-ctx)# config-url flash:/F

Drag-and-drop parameters (targets A–F): ethernet0, ethernet1, ethernet3, ethernet4, ctx1.cfg, ctx2.cfg

An administrator is tasked with allocating interfaces for the two contexts, ctx1 and ctx2. Using the allocate-interface command, drag the interface parameter on the left to the correct letter on the right to accomplish this task.

Figure: CTX1 (admin) on e0/e1 and CTX2 on e3/e4, each facing the Internet


Configure Security Appliance to Support Virtual Firewall

fw1(config)# changeto context ctx1
fw1/ctx1(config)# interface ethernet0
fw1/ctx1(config-if)# ip address 192.168.1.2 255.255.255.0
fw1/ctx1(config-if)# nameif outside
fw1/ctx1(config)# interface ethernet1
fw1/ctx1(config-if)# ip address 10.0.1.1 255.255.255.0
fw1/ctx1(config-if)# nameif inside

Context 1
• Interface e0, IP address 192.168.1.2
• Interface e1, IP address 10.0.1.1

Context 2
• Interface e3, IP address 192.168.31.7
• Interface e4, IP address 10.0.31.7

Figure: CTX1 (admin) on e0 (192.168.1.2) and e1 (10.0.1.1), CTX2 on e3 (192.168.31.7) and e4 (10.0.31.7), each facing the Internet


Hardware and Stateful Failover

Hardware Failover
Connections are dropped.
Client applications must reconnect.
Provided by serial or LAN-based failover link.
Active/Standby—only one unit can be actively processing traffic while the other is a hot standby.
Active/Active—both units can actively process traffic and serve as backup units.

Stateful Failover
TCP connections remain active.
No client applications need to reconnect.
Provides redundancy and stateful connection.
Provided by stateful link.

Figure: two appliances between the inside network and the Internet


Explain the Hardware, Software and Licensing Requirements for High-Availability

The primary and secondary security appliances must be identical in the following requirements:

Same model number and hardware configuration
Same software version: the two units in a failover configuration should have the same major (first number) and minor (second number) software version. Starting in Release 7, you do not need to maintain version parity on the units during the upgrade process, e.g. 7.0(4) to 7.0(5)
Same features (DES or 3DES)
Same amount of Flash memory and RAM
Proper licensing

Figure: Active/Standby pair (Primary: Standby, Secondary: Active) and Active/Active pair with contexts (Secondary: Active/Active, Primary: Failed/Standby)
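As an added example (my own pre-check, not Cisco code), the following encodes the pairing requirements above, including the Release 7 exception that lets the maintenance number differ while the major and minor numbers must match. The Unit record and the sample units are constructed; the version strings use the "major.minor(maintenance)" form the slide uses.

```python
"""Added example, not Cisco code: verify that two appliances satisfy the
failover pairing requirements listed on the slide.
"""
import re
from dataclasses import dataclass

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)\)$")   # e.g. 7.0(4)


@dataclass
class Unit:
    model: str
    version: str
    crypto: str      # "DES" or "3DES" feature
    flash_mb: int
    ram_mb: int
    licensed: bool   # failover licence present


def parse_version(v):
    """'7.0(4)' -> (7, 0, 4); raise on anything that does not fit the form."""
    m = _VERSION_RE.match(v)
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    return tuple(int(x) for x in m.groups())


def failover_mismatches(primary, secondary):
    """Return the requirements the pair violates; an empty list means pairable.

    Major and minor must match; the maintenance number may differ during an
    upgrade (7.0(4) with 7.0(5) is fine, 7.0(4) with 7.2(1) is not).
    """
    problems = []
    if primary.model != secondary.model:
        problems.append("model")
    pv, sv = parse_version(primary.version), parse_version(secondary.version)
    if pv[:2] != sv[:2]:
        problems.append("software major/minor version")
    if primary.crypto != secondary.crypto:
        problems.append("crypto feature (DES/3DES)")
    if primary.flash_mb != secondary.flash_mb or primary.ram_mb != secondary.ram_mb:
        problems.append("flash/RAM size")
    if not (primary.licensed and secondary.licensed):
        problems.append("licensing")
    return problems


# Constructed sample units (model name and sizes are placeholders).
PRIMARY = Unit("ASA-MODEL-X", "7.0(4)", "3DES", 64, 512, True)
MID_UPGRADE = Unit("ASA-MODEL-X", "7.0(5)", "3DES", 64, 512, True)    # allowed
WRONG_MINOR = Unit("ASA-MODEL-X", "7.2(1)", "3DES", 64, 512, True)    # not allowed
DES_ONLY = Unit("ASA-MODEL-X", "7.0(4)", "DES", 64, 512, False)       # two violations
```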


Configure A/S Failover Link

fw1(config)# interface ethernet3
fw1(config-if)# no shut
fw1(config)# failover lan interface LANFAIL ethernet3
fw1(config)# failover interface ip A B 255.255.255.0 C D
fw1(config)# failover lan unit E
fw1(config)# failover

Drag-and-drop parameters (targets A–E): LANFAIL, 172.17.2.1, 172.17.2.7, active, standby, primary

Figure: Primary – fw1 (active) and Secondary (standby) between 192.168.2.0 and 10.0.2.0; LANFAIL failover link on 172.17.2.0 (.1 and .7)


Configure A/A Failover Link

fw1(config)# interface GigabitEthernet0/2

fw1(config-if)# no shut

fw1(config)# failover lan interface LANFAIL GigabitEthernet0/2

fw1(config)# failover interface ip LANFAIL A 255.255.255.0 B C

fw1(config)# failover link LANFAIL GigabitEthernet0/2

fw1(config)# failover lan key 1234567

Drag-and-drop parameters (targets A–C): 172.17.1.1, 172.17.1.7, active, standby

Figure: two units, each with CTX1 (Group 1) and CTX2 (Group 2) on g0/0, g0/1, g0/3 and g0/4; failover link on g0/2 between 172.17.1.1 and 172.17.1.7 (172.17.2.1 and 172.17.2.7 also shown)


A/A Failover Group

Active/active failover adds support for failover groups. Failover is performed on a unit or group level.
A group is comprised of one or more contexts.
Each failover group contains separate state machines to keep track of the group failover state.

fw1(config)# failover group 1
fw1(config-fover-group)# primary
fw1(config)# failover group 2
fw1(config-fover-group)# secondary

Figure: Primary and Secondary units, each with CTX1 (Group 1) and CTX2 (Group 2); Group 1 is preferred on the primary and Group 2 on the secondary; failover link g0/2 between 172.17.1.1 and 172.17.1.7


Context: Allocate Interfaces and Assign a Failover Group Number

fw1(config)# context ctx1

fw1(config-ctx)# allocate-interface GigabitEthernet0/0

fw1(config-ctx)# allocate-interface GigabitEthernet0/1

fw1(config-ctx)# config-url flash:/ctx1.cfg

fw1(config-ctx)# join-failover-group 1

fw1(config)# context ctx2

fw1(config-ctx)# allocate-interface GigabitEthernet0/3

fw1(config-ctx)# allocate-interface GigabitEthernet0/4

fw1(config-ctx)# config-url flash:/ctx2.cfg

fw1(config-ctx)# join-failover-group 2

Associate interfaces and a group to a context

Figure: both units with CTX1 (Group 1) on g0/0 and g0/1 and CTX2 (Group 2) on g0/3 and g0/4, facing the Internet


Show Failover: Part 1

fw1# show failover

Failover On

Cable status: N/A - LAN-based failover enabled

Failover unit Primary

Failover LAN Interface: lanfail GigabitEthernet0/2 (up)

Unit Poll frequency 15 seconds, holdtime 45 seconds

Interface Poll frequency 15 seconds

Interface Policy 1

Monitored Interfaces 4 of 250 maximum

Group 1 last failover at: 15:54:49 UTC Sept 17 2006

Group 2 last failover at: 15:55:00 UTC Sept 17 2006

Figure: Primary unit with CTX1 (Group 1) active (10.0.1.1, 192.168.1.2) and CTX2 (Group 2) standby (10.0.31.7, 192.168.31.7), failover link g0/2 172.17.1.1; Secondary unit with CTX1 (Group 1) standby (10.0.1.7, 192.168.1.7) and CTX2 (Group 2) active (10.0.31.1, 192.168.31.1), failover link g0/2 172.17.1.7
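Operators usually poll this output rather than read it; as an added example (my own code, not a Cisco tool) the following parses the summary lines shown above into fields and flags the conditions that should raise an alert: failover disabled, the LAN failover interface not up, or the unit not in its expected role. The sample text is the slide's output re-typed as a constant; the holdtime-to-polltime ratio check is an assumption noted in the code.

```python
"""Added example, not Cisco code: parse the "show failover" summary and
derive a health decision from it.
"""
import re

# The slide's output, re-typed here as a constant.
SHOW_FAILOVER = """\
Failover On
Cable status: N/A - LAN-based failover enabled
Failover unit Primary
Failover LAN Interface: lanfail GigabitEthernet0/2 (up)
Unit Poll frequency 15 seconds, holdtime 45 seconds
Interface Poll frequency 15 seconds
Interface Policy 1
Monitored Interfaces 4 of 250 maximum
Group 1 last failover at: 15:54:49 UTC Sept 17 2006
Group 2 last failover at: 15:55:00 UTC Sept 17 2006
"""


def parse_show_failover(text):
    """Return a dict with the fields needed for a health decision."""
    info = {"groups": {}}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Failover On"):
            info["enabled"] = True
        elif line.startswith("Failover Off"):
            info["enabled"] = False
        elif line.startswith("Failover unit"):
            info["unit"] = line.split()[-1]                      # Primary / Secondary
        elif line.startswith("Failover LAN Interface:"):
            m = re.search(r"LAN Interface:\s+(\S+)\s+(\S+)\s+\((\w+)\)", line)
            info["lan_if"] = {"name": m.group(1), "port": m.group(2), "state": m.group(3)}
        elif line.startswith("Unit Poll frequency"):
            nums = [int(n) for n in re.findall(r"\d+", line)]
            info["unit_poll"], info["unit_holdtime"] = nums[0], nums[1]
        elif line.startswith("Monitored Interfaces"):
            nums = [int(n) for n in re.findall(r"\d+", line)]
            info["monitored"], info["monitored_max"] = nums[0], nums[1]
        else:
            m = re.match(r"Group (\d+) last failover at: (.*)$", line)
            if m:
                info["groups"][int(m.group(1))] = m.group(2)
    return info


def failover_alerts(info, expected_unit="Primary"):
    """Conditions worth an alert; an empty list means the pair looks healthy."""
    alerts = []
    if not info.get("enabled"):
        alerts.append("failover is disabled")
    if info.get("unit") != expected_unit:
        alerts.append(f"unexpected unit role {info.get('unit')}")
    lan = info.get("lan_if", {})
    if lan.get("state") != "up":
        alerts.append(f"failover LAN interface {lan.get('name')} is {lan.get('state')}")
    # Assumption: holdtime is expected to be at least three times the unit poll
    # frequency; a parsed pair that breaks this is treated as suspicious.
    if info.get("unit_holdtime", 0) < 3 * info.get("unit_poll", 0):
        alerts.append("holdtime shorter than 3x poll frequency")
    return alerts


if __name__ == "__main__":
    parsed = parse_show_failover(SHOW_FAILOVER)
    print(parsed["unit"], parsed["lan_if"], failover_alerts(parsed) or "OK")
```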


Resource Management

Limits the use of resources per context
Prevents one or more contexts from using too many resources and causing other contexts to be denied use of resources
Enables you to configure limits for the following resources:
ASDM connections
Telnet sessions
SSH sessions
Connections
Hosts
Xlate objects
Application inspections (rate only)
Syslogs per second (rate only)

Figure: Context 1 and Context 2 both passing HTTP from the Internet; connections for Context 2 limited to 20%


Configuring Resource Management

fw1(config)# context context2
fw1(config-ctx)# member MEDIUM-RESOURCE-SET
Assigns the context2 context to the MEDIUM-RESOURCE-SET class

fw1(config)# class MEDIUM-RESOURCE-SET
fw1(config-class)# limit-resource conns 20%
Limits the MEDIUM-RESOURCE-SET class to 20 per cent of the system connection limit

Figure: Context 1 and Context 2 both passing HTTP from the Internet; connections for Context 2 limited to 20%


Exam Topics—Configure AAA Services for Access Through a Security Appliance


Configure AAA Services for Access Through a Security Appliance

What You Need to Know:

Configure ACS for security appliance support
Configure security appliance to use AAA feature
Configure authentication using both local and external databases
Configure authorization using an external database
Configure the ACS server for downloadable ACLs
Configure accounting of connection start/stop
Verify AAA operation


Configure ACS for Security Appliance Support

Drag-and-drop parameters (targets A–D): NY1PIX, NY_ACS, aaauser, 10.0.1.1, 10.0.1.10, 192.168.2.10

When configuring a Cisco ACS Server network configuration window, the administrator must supply two names and IP addresses. Drag the parameter on the left to the correct letter on the right to accomplish this task.

Figure: NY_ACS (“aaauser”, 192.168.2.10) reached across the Internet; NY1PIX with inside network 10.0.1.0 (.1), host 10.0.1.10 and outside address .2


Configure Authentication Using Both Local and External Databases

Authentication via LOCAL database (Telnet from the Internet)

fw1(config)# username admin1 password cisco123
fw1(config)# aaa authentication telnet console LOCAL

Authentication via external database and LOCAL backup (Telnet from the Internet, NY_ACS 10.0.0.2)

fw1(config)# aaa-server NY_ACS protocol tacacs+
fw1(config)# aaa-server NY_ACS (inside) host 10.0.0.2
fw1(config-aaa-server)# key secretkey
fw1(config)# aaa authentication telnet console NY_ACS LOCAL


Configure Cut-Through Proxy Authentication

fw1(config)# static (dmz,outside) 192.168.1.12 172.16.4.9
fw1(config)# aaa-server NY_ACS protocol radius
fw1(config)# aaa-server NY_ACS (inside) host 10.0.0.2
fw1(config-aaa-server)# key cisco123
fw1(config)# access-list 110 permit tcp any host A eq www
fw1(config)# aaa authentication match B C D

Drag-and-drop parameters (targets A–D): 192.168.1.12, 172.16.4.9, 192.168.2.10, 110, NY_ACS, outside

The administrator wants every Internet user to be authenticated before gaining HTTP access to the DMZ server, 172.16.4.9. Drag the parameter on the left to the correct letter on the right to accomplish this task.

Figure: Internet user 192.168.2.10; NY_ACS 10.0.0.2 (RADIUS) on the inside; DMZ server 172.16.4.9 translated to 192.168.1.12


Configure Authorization Using an External Database

fw1(config)# aaa-server NY_ACS protocol tacacs+
fw1(config)# aaa-server NY_ACS (inside) host 10.0.0.2
fw1(config-aaa-server)# key secretkey
fw1(config)# static (inside,outside) 192.168.0.12 10.0.0.33
fw1(config)# access-list 110 permit tcp any host 192.168.0.12 eq ftp
fw1(config)# aaa authorization match 110 outside NY_ACS

Figure: FTP client 192.168.9.10 on the Internet (outside network 192.168.0.0, .3); NY_ACS server 10.0.0.2 performs authorization; FTP server 10.0.0.33 translated to 192.168.0.12


Authorization Rules Allowing Specific Services to Specific Hosts

Group setup:

Unmatched Cisco IOS commands: Deny / Permit
Command: ftp / Blank (ftp is in the arguments list)
Arguments: permit 192.168.0.12 / permit tcp any host 192.168.0.12 eq ftp
Unlisted arguments: Deny / Permit

On the previous page, the administrator configured a PIX to verify users’ rights before they FTP to the inside FTP server. In the Access server, the administrator must configure TACACS+ group setup. Check the parameter for each subtask on the left that is needed to accomplish this task.


Configure the ACS Server for Downloadable ACLs

fw1(config)# static (dmz,outside) 192.168.1.10 172.16.4.9
fw1(config)# static (dmz,outside) 192.168.1.11 172.16.4.10
fw1(config)# aaa-server NY_ACS protocol A
fw1(config)# aaa-server NY_ACS (inside) host B
fw1(config-aaa-server)# key cisco123
fw1(config)# access-list 110 permit tcp any host 192.168.1.10 eq ftp
fw1(config)# access-list 110 permit tcp any host 192.168.1.11 eq C
fw1(config)# aaa authentication match 110 outside D

Drag-and-drop parameters (targets A–D): www, 172.16.4.10, NY_ACS, 10.0.0.2, TACACS+, RADIUS

Figure: “aaauser” on the Internet; NY_ACS 10.0.0.2 (RADIUS authentication); FTP server 172.16.4.9 translated to 192.168.1.10 and WWW server 172.16.4.10 translated to 192.168.1.11


Configure the ACS Server for Downloadable ACLs


Authentication of Console Access

fw1(config)# aaa authentication serial console NY_ACS LOCAL
fw1(config)# aaa authentication enable console NY_ACS LOCAL
fw1(config)# aaa authentication telnet console NY_ACS LOCAL
fw1(config)# aaa authentication ssh console NY_ACS LOCAL

serial, enable, telnet, ssh: Defines a console access method that requires authentication
NY_ACS: Identifies the authentication server group name (authentication server or LOCAL)
LOCAL: Enables fallback to the LOCAL security appliance database

Figure: console access to the security appliance from the Internet, authenticated against the TACACS+ NY_ACS server 10.0.0.2


Configure Accounting of Connection Start/Stop

fw1(config)# aaa-server NY_ACS protocol A
fw1(config)# aaa-server NY_ACS (inside) host 10.0.0.2
fw1(config-aaa-server)# key cisco123
fw1(config)# access-list 110 permit tcp any host 192.168.1.10 eq ftp
fw1(config)# access-list 110 permit tcp any host 192.168.1.11 eq www
fw1(config)# aaa B match C outside NY_ACS

Drag-and-drop parameters (targets A–C): 192.168.1.0, 110, accounting, authentication, LDAP, radius

Figure: “aaauser” on the Internet; NY_ACS 10.0.0.2 (RADIUS accounting); FTP server 172.16.4.9 translated to 192.168.1.10 and WWW server 172.16.4.10 translated to 192.168.1.11
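The cut-through proxy, authorization and accounting slides all hinge on the same construct: an access-list names the flows and "aaa <service> match <acl> <interface> <group>" binds a service to them. The following added example (my own code, not Cisco's) evaluates that binding for a given flow so that a reviewer can confirm which traffic actually triggers authentication, authorization or accounting and which server group handles it. The port-name table and the flow tuple are my own simplifications; NAT is not modelled, so flows are described by the outside (static) address, as the slides' access-lists are.

```python
"""Added example, not Cisco code: evaluate the
"aaa <service> match <acl> <interface> <server-group>" form used on these slides.
"""
PORT_NAMES = {"ftp": 21, "www": 80, "http": 80, "telnet": 23, "smtp": 25}

# Constructed configuration assembled from the cut-through proxy,
# authorization and accounting slides (prompts removed).
CONFIG = """
access-list 110 permit tcp any host 192.168.1.10 eq ftp
access-list 110 permit tcp any host 192.168.1.11 eq www
aaa authentication match 110 outside NY_ACS
aaa authorization match 110 outside NY_ACS
aaa accounting match 110 outside NY_ACS
aaa authentication telnet console NY_ACS LOCAL
"""


def parse_config(text):
    """Return ({acl_name: [ace tokens]}, [match rules])."""
    acls, rules = {}, []
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "access-list":
            acls.setdefault(t[1], []).append(t[2:])      # action proto src dst [eq port]
        elif t[0] == "aaa" and t[2] == "match":
            rules.append({"service": t[1], "acl": t[3], "iface": t[4], "group": t[5]})
        # "aaa ... console ..." lines govern management access, not through traffic.
    return acls, rules


def _addr_matches(tokens, ip):
    """Consume an address spec ('any' or 'host X'); return (matched, remaining tokens)."""
    if tokens[0] == "any":
        return True, tokens[1:]
    if tokens[0] == "host":
        return tokens[1] == ip, tokens[2:]
    raise ValueError(f"unsupported address form: {tokens[:2]}")


def acl_permits(aces, proto, src, dst, dport):
    """First matching entry decides; no match means implicit deny (no AAA applied)."""
    for ace in aces:
        action, ace_proto, rest = ace[0], ace[1].lower(), ace[2:]
        if ace_proto not in (proto, "ip"):
            continue
        src_ok, rest = _addr_matches(rest, src)
        dst_ok, rest = _addr_matches(rest, dst)
        port_ok = True
        if rest[:1] == ["eq"]:
            port_ok = int(PORT_NAMES.get(rest[1], rest[1])) == dport
        if src_ok and dst_ok and port_ok:
            return action == "permit"
    return False


def aaa_services_for(acls, rules, iface, proto, src, dst, dport):
    """Map each AAA service that fires on this flow to its server group."""
    applied = {}
    for r in rules:
        if r["iface"] == iface and acl_permits(acls.get(r["acl"], []), proto, src, dst, dport):
            applied[r["service"]] = r["group"]
    return applied


if __name__ == "__main__":
    acls, rules = parse_config(CONFIG)
    # A constructed Internet user reaching the translated WWW server.
    print(aaa_services_for(acls, rules, "outside", "tcp", "192.168.2.10", "192.168.1.11", 80))
```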


Exam Topics—Configure Routing and Switching on a Security Appliance


Configure Routing and Switching on a Security Appliance Subtopics

What You Need to Know:

Enable DHCP server and relay functionality
Configure VLANs on a security appliance interface
Configure security appliance to pass multi-cast traffic


Configure VLANs on a Security Appliance Interface

fw1(config)# interface ethernet3.1
fw1(config-subif)# vlan 10
fw1(config-subif)# nameif dmz1
fw1(config-subif)# security-level 10
fw1(config-subif)# ip address 172.16.10.1

Figure: outside 192.168.0.0, inside 10.0.0.0; a trunk port carries vlan10 (dmz1 172.16.10.1), vlan20 (dmz2 172.16.20.1) and vlan30 (dmz3 172.16.30.1) to the public, partner and proxy servers


Configure Routing Functionality of Security Appliance Including OSPF, RIP

fw1(config)# rip outside passive version 2 authentication md5 MYKEY 2
fw1(config)# rip inside passive
fw1(config)# rip dmz passive version 2

Figure: RIP v2 on the outside (192.168.0.0) and dmz (10.0.1.0), RIP v1 on the inside (10.0.0.0); 172.26.26.30


Configure Routing Functionality of Security Appliance Including OSPF, RIP

fw1(config)# router ospf 1
fw1(config-router)# network 1.1.1.0 255.255.255.0 area 0
fw1(config-router)# network 2.2.2.0 255.255.255.0 area 2.2.2.0
fw1(config-router)# network 10.0.0.0 255.255.255.0 area 10.0.0.0

firewall(config-router)# network ip_address netmask area area_id
• Adds and removes interfaces to and from the OSPF routing process

Figure: Router OSPF 1 with private network 1.1.1.0 / 10.0.1.0 in area 0, 2.2.2.0 in area 2.2.2.0 and 10.0.0.0 in area 10.0.0.0, facing the Internet


Configure Security Appliance to Pass Multi-Cast (MC) Traffic

fw1(config)# access-list 120 permit udp any host 224.0.1.50
fw1(config)# interface A
fw1(config-if)# igmp access-group 120
fw1(config)# interface B
fw1(config-if)# igmp forward interface C

Drag-and-drop parameters (targets A–C): ethernet1, ethernet2, Inside, DMZ, Outside, 10.0.0.11, 224.0.1.50

A multicast (MC) client on the inside network wants to “view” a MC session from a MC server on the DMZ. Drag the parameter on the left to the correct letter on the right to accomplish this task.

Figure: multicast server 172.16.0.1 on the DMZ (e1) sending to MC group 224.0.1.50; MC router; MC client 10.0.0.11 on the inside (e2); e0 outside


Exam Topics—Configure Security Appliance Advanced Application Layer and Modular Policy Features


Configure a Modular Policy on a Security Appliance Subtopics

What You Need to Know:

Configure a class-map
Configure a policy-map
Configure a service-policy
Configure a class-map type inspect
Configure a policy-map type inspect
Configure regular expressions
Explain the function of protocol inspection
Explain DNS guard feature


Configure a Modular Policy on a Security Appliance Subtopics (Con’t)

What You Need to Know:

Describe the AIP-SSM HW and SW
Load IPS SW on the AIP-SSM
Verify AIP-SSM
Configure an IPS modular policy
Describe the CSC-SSM HW and SW
Load CSC SW on the SSM
Verify the CSC-SSM
Configure a CSC modular policy


Layer 7: Application Inspection Overview

A Layer 7 policy is intended for protocol deep packet inspection.
You can configure Layer 7 protocol inspection criteria to recognize specific protocol attributes that you wish to control.
Actions can be applied to the desirable and undesirable traffic.
Application inspection (AI) varies in capability per supported protocol.

Layer 7: Application Inspection—Deep packet inspection
• “Get”—Allow
• “Put”—Reset
• “Post”—Reset

Figure: Internet (192.168.0.0, outside .2), inside 10.0.0.0, DMZ HTTP server


Layer 7: Application Inspection Configuration

To create an application inspection:

Create a Layer 7 application inspection policy
Identify application inspection criteria based on the attributes of a given protocol
Apply an action to identified packets: allow, reset, or log

Create a Layer 3 and 4 policy to identify a traffic stream
Define the Layer 3 and 4 traffic stream for inspection
Attach the traffic stream to a Layer 3 and 4 policy

Layer 3 and 4:
• HTTP traffic to WWW Server

Layer 7: Application Inspection
• “Get”—Allow
• “Put”—Reset
• “Post”—Reset

Figure: Internet, outside, inside 10.0.0.0, DMZ HTTP server


Configure Layer 7 Application Inspection Policy

fw1(config)# class-map type inspect http HTTP_SAFE_Method
fw1(config-cmap)# match request method get
fw1(config)# class-map type inspect http HTTP_RESTRICTED_Methods
fw1(config-cmap)# match request method post
fw1(config-cmap)# match request method put
fw1(config)# policy-map type inspect http inbound_http_traffic
fw1(config-pmap)# class HTTP_SAFE_Method
fw1(config-pmap-c)# allow
fw1(config-pmap)# class HTTP_RESTRICTED_Methods
fw1(config-pmap-c)# reset log

Create a Layer 7 application inspection policy
class-map type inspect—Identify application inspection criteria based on the attributes of a given protocol
policy-map type inspect—Apply an action to identified packets: allow, reset, or log

Layer 7: Application Inspection
• “Get”—Allow
• “Put”—Reset
• “Post”—Reset

Figure: Internet, outside, inside 10.0.0.0, DMZ HTTP server


Configure a Layer 3 and 4 Policy

fw1(config)# access-list 102 permit TCP any host 192.168.1.11 eq www
fw1(config)# class-map inbound_http_traffic
fw1(config-cmap)# match access-list 102
fw1(config)# policy-map dmz_http_inbound
fw1(config-pmap)# class inbound_http_traffic
fw1(config-pmap-c)# inspect http inbound_http_traffic
fw1(config)# service-policy dmz_http_inbound outside

Create a Layer 3 and 4 inspection policy
Define the Layer 3 and 4 traffic stream for inspection
Associate a traffic stream with a Layer 3 and 4 policy

Layer 3 and 4:
• HTTP traffic to WWW Server

Figure: Internet, outside, inside 10.0.0.0, DMZ HTTP server


Configure Class-Map Type Inspect Example

fw1(config)# class-map type inspect ftp ftp_method
fw1(config-cmap)# match request method A
fw1(config-cmap)# match request method B
fw1(config)# policy-map type inspect ftp inbound_ftp
fw1(config-pmap)# class C
fw1(config-pmap-c)# reset D

Drag-and-drop parameters (targets A–D): ftp_method, inbound_ftp, put, dele, log, reset

Figure: Internet user; WWW server 172.16.4.9 translated to 192.168.1.11


Configure a Layer 3 and 4 Policy Example

fw1(config)# access-list 101 permit TCP any host 192.168.1.11 eq ftp
fw1(config)# A ftp_traffic
fw1(config-cmap)# match access-list 101
fw1(config)# B inbound
fw1(config-pmap)# class C
fw1(config-pmap-c)# inspect D strict
fw1(config)# E F outside

Drag-and-drop parameters (targets A–F): ftp_traffic, ftp, inbound, class-map, policy-map, service-policy

Figure: Internet user 192.168.2.10; FTP server 172.16.4.9 translated to 192.168.1.11


Configure Class-Map Type Inspect HTTP Example

fw1(config)# class-map type inspect http BLOCKED_METHOD_LIST
fw1(config-cmap)# match request method delete
fw1(config-cmap)# match request method post
fw1(config-cmap)# match request method put
fw1(config)# policy-map type inspect http inbound_http
fw1(config-pmap)# class BLOCKED_METHOD_LIST
fw1(config-pmap-c)# reset log
fw1(config)# access-list 102 permit TCP any host 192.168.1.11 eq www
fw1(config)# class-map inbound_http_traffic
fw1(config-cmap)# match access-list 102
fw1(config)# policy-map inbound
fw1(config-pmap)# class inbound_http_traffic
fw1(config-pmap-c)# inspect http inbound_http
fw1(config)# service-policy inbound outside

Figure: Internet user; WWW server 172.16.4.9 translated to 192.168.1.11
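The chain on this slide (and on the two Layer 7 and Layer 3/4 slides before it) is easier to reason about once it is resolved end to end. As an added example that is my own code and not a Cisco tool, the following reads the slide's commands with the prompts stripped, resolves service-policy to policy-map to class-map to the inspect policy-map and its inspect class-map, and reports what the appliance would do with a given HTTP request. Only the command forms used on these slides are understood; every other line is ignored.

```python
"""Added example, not Cisco code: a toy evaluator for the Layer 3/4 plus
Layer 7 modular policy chain shown on the slide.
"""
# The slide's configuration with prompts removed (indentation is cosmetic).
CONFIG = """
access-list 102 permit TCP any host 192.168.1.11 eq www
class-map type inspect http BLOCKED_METHOD_LIST
 match request method delete
 match request method post
 match request method put
policy-map type inspect http inbound_http
 class BLOCKED_METHOD_LIST
  reset log
class-map inbound_http_traffic
 match access-list 102
policy-map inbound
 class inbound_http_traffic
  inspect http inbound_http
service-policy inbound outside
"""

PORT_NAMES = {"www": 80, "http": 80}


def parse_mpf(text):
    cfg = {"acl": {}, "l7_class": {}, "l7_policy": {}, "l34_class": {},
           "l34_policy": {}, "service": {}}
    section = name = cls = None            # where the following lines belong
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "access-list":
            cfg["acl"].setdefault(t[1], []).append(t[2:])
        elif t[:3] == ["class-map", "type", "inspect"]:
            section, name, cls = "l7_class", t[4], None
            cfg[section][name] = []
        elif t[:3] == ["policy-map", "type", "inspect"]:
            section, name, cls = "l7_policy", t[4], None
            cfg[section][name] = {}
        elif t[0] == "class-map":
            section, name, cls = "l34_class", t[1], None
            cfg[section][name] = []
        elif t[0] == "policy-map":
            section, name, cls = "l34_policy", t[1], None
            cfg[section][name] = {}
        elif t[0] == "service-policy":
            cfg["service"][t[2]] = t[1]                # interface -> policy-map
        elif t[0] == "match" and section:
            cfg[section][name].append(t[1:])           # ['request','method','put'] or ['access-list','102']
        elif t[0] == "class" and section:
            cls = t[1]
            cfg[section][name][cls] = []
        elif cls is not None:
            cfg[section][name][cls].append(t)          # an action, or 'inspect http NAME'
    return cfg


def _acl_permits(aces, proto, dst, dport):
    """First matching entry wins; implicit deny at the end, as on the ASA."""
    for ace in aces:
        action, ace_proto, rest = ace[0], ace[1].lower(), ace[2:]
        # Only the "any host X [eq port]" form used on these slides is modelled.
        if ace_proto != proto or rest[:2] != ["any", "host"] or rest[2] != dst:
            continue
        if len(rest) > 4 and rest[3] == "eq" and int(PORT_NAMES.get(rest[4], rest[4])) != dport:
            continue
        return action == "permit"
    return False


def evaluate_http(cfg, iface, dst, dport, method):
    """'no-policy', 'not-inspected', 'allowed', or the Layer 7 action taken (e.g. 'reset log')."""
    pmap = cfg["service"].get(iface)
    if pmap is None:
        return "no-policy"
    for cls, actions in cfg["l34_policy"][pmap].items():
        hit = any(m[0] == "access-list" and _acl_permits(cfg["acl"].get(m[1], []), "tcp", dst, dport)
                  for m in cfg["l34_class"][cls])
        if not hit:
            continue
        for act in actions:
            if act[:2] == ["inspect", "http"]:
                for l7cls, l7acts in cfg["l7_policy"][act[2]].items():
                    methods = {m[2] for m in cfg["l7_class"][l7cls] if m[:2] == ["request", "method"]}
                    if method.lower() in methods:
                        return " ".join(l7acts[0])
                return "allowed"                       # inspected, no blocked method matched
        return "not-inspected"                         # L3/4 class hit but no inspect action
    return "not-inspected"


if __name__ == "__main__":
    cfg = parse_mpf(CONFIG)
    for m in ("GET", "POST"):
        print(m, "->", evaluate_http(cfg, "outside", "192.168.1.11", 80, m))
```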


Class-Map Type Inspect and Policy-Map Type Inspect

Pair a single traffic match statement with an action directly in the policy map:

fw1(config)# policy-map type inspect http MY_HTTP_MAP
fw1(config-pmap)# match request method post
fw1(config-pmap-c)# drop-connection log

Inspection class maps enable you to group multiple traffic matching statements; the inspection class map is then assigned to the inspection policy map:

fw1(config)# class-map type inspect http BLOCKED_METHOD_LIST
fw1(config-cmap)# match request method delete
fw1(config-cmap)# match request method post
fw1(config-cmap)# match request method put
fw1(config)# policy-map type inspect http MY_HTTP_MAP
fw1(config-pmap)# class BLOCKED_METHOD_LIST
fw1(config-pmap-c)# drop-connection log


Regular Expressions

Enables you to identify text in a packet using a regular expression

A regular expression is characterized as follows:
Defined as a pattern to match against an input string
Enables you to permit, deny, or log any packet to create custom security checks
Matches a text string, either literally as an exact string or by using metacharacters, which enable you to match multiple variants of a text string

You can combine custom security checks for increased granular control

Figure: client on the Internet sending “ftp> username: root” toward the mail server; the ASA is configured to drop packets containing the string “root”


Blocking Based on Matching (or Not) Regular Expressions (REGEX)

fw1(config)# regex FTP_USER "root"
fw1(config)# regex FTP_PATH "\/root"
fw1(config)# class-map type regex match-any RESTRICTED_ACCESS
fw1(config-cmap)# match regex A
fw1(config-cmap)# match regex B
fw1(config)# policy-map type inspect ftp C
fw1(config-pmap)# class D
fw1(config-pmap-c)# reset log

Denies all inbound users with a username of “root”
Denies all access to “/root” from the Internet

Drag-and-drop parameters (targets A–D): FTP_USER, FTP_PATH, RESTRICTED_ACCESS, MY_FTP_MAP

Figure: Bob on the Internet sends “ftp> username: root” and “ftp> put /root/filename” toward the FTP server
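The two regexes above are unanchored, so a match-any class built from them fires on more than the two cases the slide names. The following added example (my own code, not Cisco's) evaluates the slide's patterns with match-any semantics over constructed usernames and paths, then repeats the check with anchored alternatives that I wrote to show the difference. ASA regex syntax is close to but not identical with Python's; the patterns used here are valid in both.

```python
"""Added example, not Cisco code: match-any evaluation of the slide's regexes
and of anchored alternatives.
"""
import re

# Patterns exactly as on the slide (the ASA quotes them; Python does not need the quotes).
SLIDE_REGEXES = {"FTP_USER": r"root", "FTP_PATH": r"\/root"}

# Anchored alternatives (my own, not from the slide): the whole username must be
# "root", and only paths that start with /root count.
ANCHORED_REGEXES = {"FTP_USER": r"^root$", "FTP_PATH": r"^\/root(\/|$)"}

RESTRICTED_ACCESS = ["FTP_USER", "FTP_PATH"]   # members of the match-any class

# Constructed values, as the FTP inspection engine would hand them to the matcher.
SAMPLES = ["root", "/root/filename", "groot", "bob", "/home/bob/root.txt"]


def class_matches(value, regexes, members=RESTRICTED_ACCESS):
    """match-any semantics: true if at least one member regex is found in value."""
    return any(re.search(regexes[name], value) for name in members)


def hits(regexes, samples=SAMPLES):
    """Sorted list of sample values the class would act on (reset log on the slide)."""
    return sorted(v for v in samples if class_matches(v, regexes))


if __name__ == "__main__":
    print("slide patterns:", hits(SLIDE_REGEXES))
    print("anchored      :", hits(ANCHORED_REGEXES))
```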


Load IPS SW on the AIP-SSM

fw1(config)# hw module 1 A
Image URL [tftp://0.0.0.0/]: tftp://10.0.31.10/AIP-SSM-K9-sys-1.1-a-5.0-0.22.img
Port IP Address [0.0.0.0]: 10.0.31.1
fw1(config)# hw module 1 B
The module in slot 1 will be recovered. This may erase all configuration and all data on that device and attempt to download a new image for it.
fw1# C
Opening command session with slot 1.
Connected to slot 1. Escape character sequence is 'CTRL^X'.
sensor# D
--- System Configuration Dialog ---
Current Configuration:

Drag-and-drop parameters (targets A–D): session 1, session m2/0, setup, recover configure, recover boot


AIP-SSM Initialized

fw1(config)# show module 1

Mod Card Type                                    Model              Serial No.
--- -------------------------------------------- ------------------ ----------
  1 ASA 5500 Series Security Services Module-10  ASA-SSM-10         123456789

Mod MAC Address Range                 Hw Version   Fw Version   Sw Version
--- --------------------------------- ------------ ------------ --------------
  1 0016.4687.a520 to 0016.4687.a520  1.0          1.0(10)0     6.0(2)E1

Mod SSM Application Name           Status           SSM Application Version
--- ------------------------------ ---------------- --------------------------
  1 IPS                            Up               6.0(2)E1

Mod Status             Data Plane Status     Compatibility
--- ------------------ --------------------- -------------
  1 Up                 Up

Figure: AIP-SSM module in the appliance, facing the Internet


Configure an IPS Modular Policy

fw1(config)# access-list 101 permit TCP any 172.16.1.0 255.255.255.0
fw1(config)# A dmz_traffic
fw1(config-cmap)# match access-list 101
fw1(config)# B dmz_ips
fw1(config-pmap)# class C
fw1(config-pmap-c)# ips D E
fw1(config)# service-policy dmz_ips outside

[Diagram: Internet -> IPS -> DMZ Servers 172.16.1.0; IPS Policy: Inline, Fail open]

Answers: A = class-map, B = policy-map, C = dmz_traffic, D = inline, E = fail-open
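Before trusting the ips inline fail-open policy above, a practitioner wants to know that the module is actually inspecting: with fail-open, traffic the class-map matches is forwarded uninspected while the AIP-SSM is down or recovering, and with fail-close it is dropped. The Python below is an added example, not code from the deck. It parses the show module 1 output from the AIP-SSM Initialized slide (re-typed here as the SHOW_MODULE_1 constant) into its fixed-width tables, derives an inspection-active flag from the module, data-plane and IPS application status columns, and reports what the policy would do with matched traffic. The degraded sample, the Unresponsive and Not Applicable values in it, and the health-check rule are this example's own constructions.

```python
import re
from typing import Dict, List

# Added example, not code from the Cisco deck: a parser for the fixed-width
# tables that "show module" prints, and a health check that says whether the
# AIP-SSM is actually inspecting before you rely on "ips inline fail-open".
# SHOW_MODULE_1 is the output on the "AIP-SSM Initialized" slide, re-typed;
# the degraded sample and the check rule are constructed for this example.

SHOW_MODULE_1 = """\
Mod Card Type                                    Model              Serial No.
--- -------------------------------------------- ------------------ ----------
  1 ASA 5500 Series Security Services Module-10  ASA-SSM-10         123456789

Mod MAC Address Range                 Hw Version   Fw Version   Sw Version
--- --------------------------------- ------------ ------------ --------------
  1 0016.4687.a520 to 0016.4687.a520  1.0          1.0(10)0     6.0(2)E1

Mod SSM Application Name           Status           SSM Application Version
--- ------------------------------ ---------------- --------------------------
  1 IPS                            Up               6.0(2)E1

Mod Status             Data Plane Status     Compatibility
--- ------------------ --------------------- -------------
  1 Up                 Up
"""

Table = List[Dict[str, str]]


def parse_show_module(text: str) -> List[Table]:
    """Split 'show module' output into tables, one list of row dicts each.

    Column boundaries come from the dashed underline beneath each header,
    so values that contain spaces ("ASA 5500 Series ...") slice correctly.
    """
    lines = text.splitlines()
    tables: List[Table] = []
    for i in range(1, len(lines)):
        underline = lines[i]
        # An underline is a non-empty line made only of dashes and spaces.
        if "-" not in underline or not set(underline.strip()) <= {"-", " "}:
            continue
        spans = [(m.start(), m.end()) for m in re.finditer(r"-+", underline)]
        spans[-1] = (spans[-1][0], None)          # last column runs to end of line
        names = [lines[i - 1][s:e].strip() for s, e in spans]
        rows: Table = []
        for row in lines[i + 1:]:
            if not row.strip():
                break                             # a blank line ends the table
            rows.append({n: row[s:e].strip() for n, (s, e) in zip(names, spans)})
        tables.append(rows)
    return tables


def find_row(tables: List[Table], column: str, mod: str) -> Dict[str, str]:
    """Return module `mod`'s row from the first table that has `column`."""
    for table in tables:
        for row in table:
            if column in row and row.get("Mod") == mod:
                return row
    raise KeyError(f"no table with column {column!r} lists module {mod}")


def ips_health(text: str, mod: str = "1") -> dict:
    """Summarise whether the IPS application on module `mod` is inspecting."""
    tables = parse_show_module(text)
    app = find_row(tables, "SSM Application Name", mod)
    status = find_row(tables, "Data Plane Status", mod)
    active = (app["SSM Application Name"] == "IPS" and app["Status"] == "Up"
              and status["Status"] == "Up" and status["Data Plane Status"] == "Up")
    return {
        "application": app["SSM Application Name"],
        "application_status": app["Status"],
        "module_status": status["Status"],
        "data_plane_status": status["Data Plane Status"],
        "inspection_active": active,
    }


def traffic_outcome(health: dict, fail_open: bool) -> str:
    """What 'ips inline fail-open' / 'fail-close' does with class-map traffic."""
    if health["inspection_active"]:
        return "inspected"
    return "passed uninspected" if fail_open else "dropped"


def degrade_module_status(text: str) -> str:
    """Constructed failure sample: rewrite module 1's status row as unresponsive."""
    def repl(m: "re.Match[str]") -> str:
        width = len("Up" + m.group(2))            # keep the next column aligned
        return m.group(1) + "Unresponsive".ljust(width) + "Not Applicable"
    return re.sub(r"(?m)^( *1 )Up( +)Up *$", repl, text)


DEGRADED_MODULE = degrade_module_status(SHOW_MODULE_1)

if __name__ == "__main__":
    for label, sample in (("slide output", SHOW_MODULE_1), ("degraded", DEGRADED_MODULE)):
        h = ips_health(sample)
        print(f"{label}: module {h['module_status']}, data plane {h['data_plane_status']}, "
              f"IPS app {h['application_status']} -> {traffic_outcome(h, fail_open=True)}")
```

The parser keys on the dashed underline rather than on fixed offsets, so it copes with the varying column widths across the four tables; the health check is deliberately strict (module, data plane and application all Up) because fail-open turns any weaker state into uninspected DMZ traffic.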


Q and A


Recommended Reading

Continue your Cisco Live learning experience with further reading from Cisco Press

Check the Recommended Reading flyer for suggested books

Available Onsite at the Cisco Company Store


Complete Your Online Session Evaluation

Give us your feedback and you could win fabulous prizes. Winners announced daily.

Receive 20 Passport points for each session evaluation you complete.

Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.

Don’t forget to activate your Cisco Live virtual account for access to all session material on-demand and return for our live virtual event in October 2008.

Go to the Collaboration Zone in World of Solutions or visit www.cisco-live.com.

