brkcrt-2301
TRANSCRIPT
© 2008, Cisco Systems, Inc. All rights reserved.14363_04_2008_c2.scr
© 2008 Cisco Systems, Inc. All rights reserved. Cisco PublicBRKCRT-230114363_04_2008_c2 2
CCSP Prep: Preparing to Take the Securing Networks with PIX and ASA (SNPA) 642-523 Exam
BRKCRT-2301
Agenda
Cisco Certified Security Professional
Preparing for the SNPA Exam
Exam Format
Exam Topics: What you need to know
Key Technology Reviews
Sample Exam Questions
Q & A
Cisco Certified Security Professional
| Course Name | Acronym |
| Securing Cisco Network Devices | SND |
| Securing Networks with Cisco Routers and Switches | SNRS |
| Securing Networks with PIX and ASA v.5 | SNPA |
| Implementing Cisco Intrusion Prevention Systems | IPS |
Plus one of the electives below:
| Implementing Network Admissions Control | CANAC |
| Implementing Cisco Security Monitoring, Analysis and Response System | MARS |
| Securing Hosts Using Cisco Security Agent | HIPS |
“The CCSP certification (Cisco Certified Security Professional) validates advanced knowledge and skills required to secure Cisco networks.”
Preparing for the SNPA Exam
Instructor Led and Web Based Training: Securing Networks with PIX and ASA
CCO: Config Guides, Command References
Cisco Press:
Prepare: CCSP SNPA Official Exam Certification Guide, 3rd Ed.
Practice: CCSP Flash Cards and Exam Practice Pack
Recommended Reading: Cisco ASA, PIX, and FWSM Firewall Handbook, Second Ed.
Recommended Reading: CCSP SNPA Quick Reference
Practical Experience
Exam Format: Test Practical Implementation Skills
Question Formats
Declarative—A declarative exam item tests simple recall of pertinent facts
Procedural—A procedural exam item tests the ability to apply knowledge to solve a given issue
Complex Procedural—A complex procedural exam item tests the ability to apply multiple knowledge points to solve a given issue
Types of questions: Drag and drop, Multiple choice, Simulation, Simlet
Exam Taking Tips: Practical Tips on Taking a Multiple-choice Examination
Eliminate nonsense options
Look for the “best” answer
Look for subtleties
Make an intelligent guess
Use a time budget—Don’t spend too much time on one question
Test-Taking Advice
What We Will Cover
Impossible to cover all topics for SNPA in a two-hour session
Session is about “How to Prepare for the SNPA Exam”, not about “Cover all SNPA knowledge in two hours”
Will provide: Suggestions, Resources, Some sample questions
Will cover key and newer exam topics likely to be included on the exam based on exam topics listed on the Cisco SNPA Certification website:
www.cisco.com/web/learning/le3/current_exams/642-523.html
Cisco SNPA Certification Website—SNPA Exam Topics
The SNPA Exam Topics on the Cisco SNPA Certification website provide general guidelines for the content likely to be included on the exam. However, other related topics may also appear on any specific delivery of the exam.
Install and configure a security appliance for basic network connectivity
Configure a security appliance to restrict inbound traffic from untrusted sources
Configure a security appliance to provide secure connectivity using site-to-site VPNs
Exam Topics (Con’t)
Configure a security appliance to provide secure connectivity using remote access VPNs
Configure transparent firewall, virtual firewall, and high availability firewall features on a security appliance
Configure AAA services for the security appliance
Configure routing and switching on a security appliance
Configure security appliance advanced application layer and modular policy features
Monitor and manage an installed security appliance
Disclaimer
We may not be able to address your specific question
If you have taken the exam please refrain from asking questions from the exam
We will be available after the session to direct you to resources to assist with specific questions or to provide clarification
This Session Will Strictly Adhere to Cisco’s Rules of Confidentiality
Exam Topic—Install and configure a security appliance for basic network connectivity
Install and Configure a Security Appliance for Basic Network Connectivity Subtopics
What You Need to Know:
Describe the firewall technology
Describe the Security Appliance hardware and software architecture
Determine the Security Appliance hardware and software configuration and verify if it is correct
Use setup or the CLI to configure basic network settings, including interface configurations
Use appropriate show commands to verify initial configurations
Configure NAT and global addressing to meet user requirements
Configure DHCP client option
Install and Configure a Security Appliance for Basic Network Connectivity Subtopics (Con’t)
Set default route
Configure logging options
Explain the information contained in syslog files
Configure static address translations
Configure Network Address Translations: PAT
Verify network address translation operation
Describe the Security Appliance Hardware and Software Architecture
ASA Security Appliance Family
[Figure: positioning chart of the ASA family, price on one axis and functionality on the other; market segments SOHO, SMB, ROBO, Enterprise and SP; models ASA 5505, ASA 5510, ASA 5520, ASA 5540 and ASA 5550; Gigabit Ethernet label at the upper end]
ASA Content Security Control Security Services Module (CSC-SSM)
CSC-SSM Base License (Malware Protection):
• Anti-Virus
• Anti-Spyware
• File Blocking
CSC-SSM Plus License (Content Control):
• URL Filtering
• Anti-Spam
• Anti-Phishing
• Email Content Filtering
The CSC-SSM can block or clean malicious traffic from SMTP, POP3, HTTP, and FTP network traffic.
ASA Advanced Inspection and Prevention Security Services Module (AIP-SSM)
An AIP-SSM has the capability to detect and prevent misuse and abuse of, and unauthorized access to, network resources. The following attacks are the most commonly detected by an AIP-SSM:
Network sweeps and scans
Common network anomalies on most Open Systems Interconnection (OSI) layers
Malformed Address Resolution Protocol (ARP) requests or replies
Invalid IP datagrams (for example, a “Christmas tree” packet)
Invalid TCP packets (for example, a source or destination port is 0)
Malformed application-layer protocol units
Flooding denial of service (DoS) attacks
Application layer content attacks
ASA 5505 and 5510 Licensing (Rel 7.2 Licensing)
| Feature | ASA 5505 Base | ASA 5505 Security Plus | ASA 5510 Base | ASA 5510 Security Plus |
| Failover A/S | N/A | Yes* | N/A | Yes |
| Failover A/A | N/A | N/A | N/A | Yes |
| IPSec VPN Peers | 10 | 25 | 250 | 250 |
| Concurrent Firewall Connections | 10,000 | 25,000 | 50,000 | 130,000 |
| Security Contexts | N/A | N/A | N/A | 2/5 |
| VLANs | 3 | 20 | 50 | 100 |
| Interfaces | 8 x 10/100 | 8 x 10/100 | 3 x 10/100 + 1 x Mgmt | 5 x 10/100 |
* Stateless A/S failover
ASA 5520, 5540, and 5550 Licensing (Rel 7.2 Licensing)
| Feature | ASA 5520 Base | ASA 5520 Optional Licenses | ASA 5540 Base | ASA 5540 Optional Licenses | ASA 5550 Base | ASA 5550 Optional Licenses |
| Failover A/S | Yes | N/A | Yes | N/A | Yes | N/A |
| Failover A/A | Yes | N/A | Yes | N/A | Yes | N/A |
| IPSec VPN Peers | 750 | N/A | 5000 | N/A | 5000 | N/A |
| WebVPN Peers | 2 | 10, 25, 50, 100, 250, 500, 750 | 2 | 10, 25, 50, 100, 250, 500, 750, 1000, 2500 | 2 | 10, 25, 50, 100, 250, 500, 750, 1000, 2500, 5000 |
| Security Contexts | 2 | 5, 10, 20 | 2 | 5, 10, 20, 50 | 2 | 5, 10, 20, 50 |
| VLANs | 150 | N/A | 200 | N/A | 250 | N/A |
| Interfaces | 4 x 10/100/1000 + 1 10/100 | N/A | 4 x 10/100/1000 + 1 10/100 | N/A | 8 x 10/100/1000 + 4 fiber + 1 10/100 | N/A |
Describe the Security Appliance Hardware and Software Architecture
[Figure: ASA 5540 rear panel with four locations to fill in: Port A, Port B, Port C, Port D]
Drag the port name on the left to the correct port location on the right. Not all apply.
Port names: Gigabit 0/1, Gigabit 0/4, Gigabit 0/5, AUX, Console, Failover, Gigabit 0/3, Gigabit 0/0, Management 0/0
Customize Syslog Output
fw1(config)# A logging B 710005
A customer wants to stop a security appliance from outputting “uninteresting” syslog messages such as message 710005. Drag the parameter on the left to the correct letter on the right to complete the command.
Parameters (A, B): clear, no, trap, message
Note: the actual exam items do not look like this. These are for review purposes only.
Explain the Information Contained in Syslog Files
[Figure: one syslog message with five fields marked Item A through Item E]
Drag the logging descriptor on the left to the correct location on the right.
Logging descriptors: Logging Level, Logging Device IP address, Logging Device-ID, Logging Date/Timestamp, Logging Message-ID
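The fields named above, taken apart programmatically. This is an added Python example, not part of the session; the sample lines are constructed (message texts are illustrative, not verbatim appliance output), and the filter models the effect of `logging trap <level>` together with `no logging message <id>`, the command the previous slide asks for.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# One ASA/PIX syslog record as the appliance writes it when "logging timestamp"
# and "logging device-id" are enabled. Both prefixes are optional in the regex
# because either feature can be turned off; the "%ASA-<level>-<msgid>:" tag is
# always present.
_RECORD = re.compile(
    r"^(?:<\d{1,3}>)?"                                                  # optional syslog PRI
    r"(?:(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{4} \d{2}:\d{2}:\d{2}) )?"  # date/timestamp
    r"(?:(?P<devid>\S+) : )?"                                           # device-id
    r"%(?:ASA|PIX|FWSM)-(?P<level>[0-7])-(?P<msgid>\d{6}): "            # level, message-id
    r"(?P<text>.*)$"
)

LEVEL_NAMES = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
               4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}


@dataclass
class SyslogRecord:
    level: int
    message_id: str
    text: str
    timestamp: Optional[str] = None
    device_id: Optional[str] = None

    @property
    def level_name(self) -> str:
        return LEVEL_NAMES[self.level]


def parse_record(line: str) -> Optional[SyslogRecord]:
    """Split one line into level, message-id, device-id, timestamp and text."""
    m = _RECORD.match(line.strip())
    if m is None:
        return None
    return SyslogRecord(level=int(m["level"]), message_id=m["msgid"],
                        text=m["text"], timestamp=m["ts"], device_id=m["devid"])


def apply_logging_policy(lines: Iterable[str], trap_level: int = 6,
                         suppressed: Iterable[str] = ()) -> List[SyslogRecord]:
    """Model what reaches a syslog server under 'logging trap <trap_level>'
    plus one 'no logging message <id>' for every id in suppressed."""
    suppressed = set(suppressed)
    kept = []
    for line in lines:
        rec = parse_record(line)
        if rec is None or rec.level > trap_level or rec.message_id in suppressed:
            continue
        kept.append(rec)
    return kept


# Constructed sample lines (message texts are illustrative, not verbatim).
SAMPLE_LINES = [
    "Jun 10 2008 08:15:01 fw1 : %ASA-6-302013: Built outbound TCP connection 1234 "
    "for outside:192.168.0.9/80 (192.168.0.9/80) to inside:10.0.0.11/1025 (192.168.0.8/1025)",
    "Jun 10 2008 08:15:02 fw1 : %ASA-7-710005: TCP request discarded from 10.0.0.11/1026 "
    "to inside:10.0.0.1/23",
    "Jun 10 2008 08:15:03 fw1 : %ASA-4-106023: Deny tcp src outside:192.168.10.2/3456 "
    "dst dmz:172.16.0.2/23 by access-group \"aclout\"",
    "%ASA-6-302014: Teardown TCP connection 1234 for outside:192.168.0.9/80 "
    "to inside:10.0.0.11/1025 duration 0:00:01 bytes 512 TCP FINs",
    "this line is not a syslog record",
]

if __name__ == "__main__":
    for rec in apply_logging_policy(SAMPLE_LINES, trap_level=6, suppressed={"710005"}):
        print(rec.device_id, rec.timestamp, rec.level_name, rec.message_id, rec.text[:40])
```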
NAT/Global vs. Static Command
NAT/Global
For dynamic NAT/PAT address assignments
Inside end-user receives an address from a pool of available addresses (global pool)
Used mostly for outbound end-user connections
[Figure: inside hosts Bob Smith 10.0.0.11 and Sam Jones 10.0.0.12 translated through a global pool on the outside toward the Internet]
Static
For “permanent” address assignments
Used mostly for server connections
[Figure: FTP Server 172.16.1.10 and WWW Server 172.16.1.9 with fixed translations on the outside toward the Internet]
Configure Network Address Translations: PAT
fw1(config)# nat (inside) 2 10.0.2.0 255.255.255.0
fw1(config)# global ( A ) B C netmask 255.255.255.255
[Figure: Sales (10.0.1.0) and Engineering (10.0.2.0) subnets on the inside (10.0.0.0) of fw1; outside network 192.168.0.0 with global addresses 192.168.0.8 and 192.168.0.9]
Customer desires packets from subnet 10.0.2.0 on the inside to be dynamically translated to 192.168.0.9 on the outside. Drag the parameter on the left to the correct letter on the right to complete the command.
Parameters (A, B, C): outside, 2, 1, 10.0.2.0, 192.168.0.9, inside
Configure Static Address Translations
fw1(config)# static (A,B) C D netmask 255.255.255.255
[Figure: WWW Server 172.16.1.9 on the DMZ, reached from the Internet as 192.168.1.3 on the outside]
Customer desires packets sent to 192.168.1.3 on the outside to be translated to 172.16.1.9 on the DMZ. Drag the parameter on the left to the correct letter on the right.
Parameters (A, B, C, D): Outside, 172.16.1.9, DMZ, 192.168.1.3
Configure a Net Static
fw1(config)# static (A,B) C D netmask 255.255.255.0
[Figure: WWW Server 172.16.1.9 and FTP Server 172.16.1.10 on the DMZ, reached from the Internet as 192.168.10.9 and 192.168.10.10 on the outside]
A customer desires packets sent to the 192.168.10.0 subnet on the outside to be translated to the same host number on the 172.16.1.0 subnet on the DMZ. Drag the parameter on the left to the correct letter on the right.
Parameters (A, B, C, D): Outside, 172.16.1.0, DMZ, 192.168.10.0
Configure Static Port Redirection
fw1(config)# static (A,B) tcp C D E F netmask 255.255.255.255
[Figure: FTP1 Server 172.16.1.9 and FTP2 Server 172.16.1.10 on the DMZ; Internet clients connect to ftp 192.168.0.9:2121 on the outside]
A customer wants packets sent to 192.168.0.9/2121 to be redirected by the security appliance to 172.16.1.10/ftp. Drag the parameter on the left to the correct letter on the right to accomplish this task.
Parameters (A, B, C, D, E, F): Outside, FTP, 172.16.1.10, DMZ, 2121, 192.168.0.9
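The three static forms of the last slides (one-to-one, net static, port redirection) as one lookup model. This is an added Python example, not part of the session; the entries are constructed from the slide values, and the order (port-redirect statics before address-only ones) is an assumption of the model.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class StaticXlate:
    """One 'static (real_if,mapped_if) [tcp|udp] mapped [mport] real [rport] netmask M'
    entry. Port fields stay None for one-to-one and net statics."""
    real_if: str
    mapped_if: str
    mapped: str                      # address/network seen on the mapped (outside) side
    real: str                        # address/network on the real (DMZ) side
    netmask: str
    proto: Optional[str] = None
    mapped_port: Optional[int] = None
    real_port: Optional[int] = None

    def mapped_net(self) -> IPv4Network:
        return IPv4Network(f"{self.mapped}/{self.netmask}", strict=False)

    def real_net(self) -> IPv4Network:
        return IPv4Network(f"{self.real}/{self.netmask}", strict=False)


def translate_inbound(statics: List[StaticXlate], in_if: str, proto: str,
                      dst_ip: str, dst_port: int) -> Optional[Tuple[str, str, int]]:
    """Return (real_if, real_ip, real_port) for an initial packet arriving on in_if
    for dst_ip:dst_port, or None when no static covers it. Port-redirect statics are
    tried first because they are more specific than an address-only static."""
    dst = IPv4Address(dst_ip)
    for s in sorted(statics, key=lambda s: s.mapped_port is None):
        if s.mapped_if != in_if or dst not in s.mapped_net():
            continue
        if s.mapped_port is not None:
            if s.proto != proto or s.mapped_port != dst_port:
                continue                       # same address, different service
            return (s.real_if, s.real, s.real_port)
        # One-to-one and net statics: keep the host bits, swap the network bits.
        # With netmask 255.255.255.255 the host bits are zero, so this is the
        # plain one-to-one case.
        host_bits = int(dst) & ~int(s.mapped_net().netmask)
        real_ip = IPv4Address(int(s.real_net().network_address) | host_bits)
        return (s.real_if, str(real_ip), dst_port)
    return None


# Constructed from the three static forms on the preceding slides.
STATICS = [
    # static (dmz,outside) 192.168.1.3 172.16.1.9 netmask 255.255.255.255
    StaticXlate("dmz", "outside", "192.168.1.3", "172.16.1.9", "255.255.255.255"),
    # static (dmz,outside) 192.168.10.0 172.16.1.0 netmask 255.255.255.0   (net static)
    StaticXlate("dmz", "outside", "192.168.10.0", "172.16.1.0", "255.255.255.0"),
    # static (dmz,outside) tcp 192.168.0.9 2121 172.16.1.10 ftp netmask 255.255.255.255
    StaticXlate("dmz", "outside", "192.168.0.9", "172.16.1.10", "255.255.255.255",
                proto="tcp", mapped_port=2121, real_port=21),
]

if __name__ == "__main__":
    for probe in (("tcp", "192.168.1.3", 80), ("tcp", "192.168.10.10", 21),
                  ("tcp", "192.168.0.9", 2121), ("tcp", "192.168.0.9", 80)):
        print(probe, "->", translate_inbound(STATICS, "outside", *probe))
```

Note that the port-redirect static alone does not expose any other port of 192.168.0.9, which is why the last probe returns None.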
InternetInsideOutside
DMZ
Set Embryonic and Connection Limits on the Security Appliance
fw1(config)# static (dmz,outside) 192.168.1.3 172.16.1.9 A B C D
[Figure: DMZ Server 2 172.16.1.9 on the DMZ, reached from the Internet as 192.168.1.3 on the outside; requirements: UDP_Max_Conns = 100, TCP_Max_Conns = 200, Embryonic_limit = 25]
A customer wants to limit the number of TCP and UDP packets to DMZ Server 2. Using the static command, drag the parameter on the left to the correct letter on the right to accomplish this task.
Parameters (A, B, C, D): 100, UDP, 200, 25
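How the three limits on that static behave under load, as an added Python model (not part of the session, and not appliance code): the counters, the figures 200/25/100 from the slide, and the source addresses are constructed.

```python
from dataclasses import dataclass, field
from typing import Hashable, Set, Tuple


@dataclass
class StaticLimits:
    """Limits carried on a static, e.g. 'static (dmz,outside) 192.168.1.3 172.16.1.9
    netmask 255.255.255.255 tcp 200 25 udp 100' (TCP max 200, embryonic 25,
    UDP max 100, the figures from the slide). 0 means unlimited."""
    tcp_max: int = 0
    emb_limit: int = 0
    udp_max: int = 0


@dataclass
class ConnTable:
    """Per-static connection accounting for packets arriving at the mapped address."""
    limits: StaticLimits
    established: Set[Hashable] = field(default_factory=set)
    embryonic: Set[Hashable] = field(default_factory=set)   # SYN seen, handshake unfinished
    udp: Set[Hashable] = field(default_factory=set)

    @staticmethod
    def _full(count: int, limit: int) -> bool:
        return limit != 0 and count >= limit

    def tcp_syn(self, flow: Hashable) -> bool:
        """Inbound SYN. True when the appliance forwards it to the real server,
        False when a limit is hit and the SYN is not forwarded (once the embryonic
        limit is reached the appliance completes the handshake itself and only
        opens the server-side connection for clients that finish it)."""
        if flow in self.established or flow in self.embryonic:
            return True
        if self._full(len(self.established) + len(self.embryonic), self.limits.tcp_max):
            return False
        if self._full(len(self.embryonic), self.limits.emb_limit):
            return False
        self.embryonic.add(flow)
        return True

    def tcp_handshake_done(self, flow: Hashable) -> None:
        if flow in self.embryonic:
            self.embryonic.remove(flow)
            self.established.add(flow)

    def tcp_close(self, flow: Hashable) -> None:
        self.embryonic.discard(flow)
        self.established.discard(flow)

    def udp_packet(self, flow: Hashable) -> bool:
        """UDP 'connections' are tracked flows; the udp limit caps their number."""
        if flow in self.udp:
            return True
        if self._full(len(self.udp), self.limits.udp_max):
            return False
        self.udp.add(flow)
        return True


def simulate_syn_flood(n_syns: int, limits: StaticLimits) -> Tuple[int, int]:
    """n half-open connections from distinct (constructed) source ports that never
    complete the handshake: returns (forwarded, not_forwarded)."""
    table = ConnTable(limits)
    forwarded = sum(1 for p in range(n_syns) if table.tcp_syn(("10.9.9.9", 40000 + p)))
    return forwarded, n_syns - forwarded


def simulate_well_behaved(n_clients: int, limits: StaticLimits) -> int:
    """Clients that finish the handshake leave the embryonic count, so far more
    than emb_limit of them are served, up to tcp_max."""
    table = ConnTable(limits)
    served = 0
    for p in range(n_clients):
        flow = ("10.8.8.8", 50000 + p)
        if table.tcp_syn(flow):
            table.tcp_handshake_done(flow)
            served += 1
    return served
```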
Exam Topic—Configure a Security Appliance to Restrict Inbound Traffic from Untrusted Sources
Configure a Security Appliance to Restrict Inbound Traffic from Untrusted Sources Subtopics
What You Need to Know:
Configure access-lists to filter traffic based on address, time, and protocols
Configure object-groups to optimize access-list processing
Configure Network Address Translations: Nat0
Configure Network Address Translations: Policy NAT
Configure java/activeX filtering
Configure URL filtering
Verify inbound traffic restrictions
Configure static port redirection
Configure a net static
Set embryonic and connection limits on the security appliance
Security Appliance ACL Configuration
Security appliance configuration philosophy is interface based.
[Figure: Internet, Outside interface, Inside interface; an ACL for inbound access on the outside, an ACL to deny outbound access on the inside; with no ACL, outbound is permitted by default and inbound is denied by default]
Interface ACL permits or denies the initial packet incoming or outgoing on that interface
ACL needs to describe only the initial packet of the application; no need to think about return traffic
If no ACL is attached to an interface, the following ASA policy applies:
Outbound packet is permitted by default
Inbound packet is denied by default
Configure Access-Lists to Filter Traffic Based on Address and Protocol
fw1(config)# static (DMZ,outside) 192.168.0.9 172.16.0.2
fw1(config)# access-list aclout permit tcp A B C eq D
[Figure: DMZ WWW Server 172.16.0.2, reached inbound from the Internet as 192.168.0.9 on the outside (192.168.0.0); inside network 10.0.0.0]
A customer wants to enable Internet users HTTP-only access to the company’s DMZ WWW Server. Using the access-list command, drag the parameter on the left to the correct letter on the right to accomplish this task.
Parameters (A, B, C, D): 172.16.0.2, 255.255.255.0, any, host, 192.168.0.9, WWW
Configure Access-Lists to Filter Traffic Based on Address and Time
Define a time when certain resources can be accessed
Absolute start and stop time and date
Recurring time range: time and day of the week
Apply time-range to an ACL
fw1(config)# time-range temp-worker
fw1(config-time-range)# absolute start 00:00 1 June 2006 end 00:00 30 June 2006
fw1(config-time-range)# periodic weekdays 8:00 to 17:00
fw1(config)# static (dmz,outside) 192.168.0.6 172.16.0.6
fw1(config)# access-list aclin permit tcp host 192.168.10.2 host 192.168.0.6 eq www time-range temp-worker
[Figure: DMZ Server 172.16.0.6, reached from the Internet as 192.168.0.6; TempWorker at 192.168.10.2; inside network 10.0.0.0; enable access 8 AM to 5 PM, 1 Jun to 30 Jun]
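The interface-based default policy from the ACL slide and the time-range ACE above, evaluated together for a given packet and clock time. This is an added Python model, not code from the session; the security levels (outside 0, dmz 50, inside 100) and the egress interface carried in the packet are assumptions, and the ACL addresses follow the slide (mapped address 192.168.0.6, as 7.x ACLs are written).

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional


@dataclass
class TimeRange:
    """'time-range NAME' with one absolute window and one periodic entry."""
    absolute_start: Optional[datetime] = None
    absolute_end: Optional[datetime] = None
    weekdays_only: bool = False            # 'periodic weekdays ...'
    periodic_start: Optional[str] = None   # "08:00"
    periodic_end: Optional[str] = None     # "17:00"

    def active(self, at: datetime) -> bool:
        if self.absolute_start is not None and at < self.absolute_start:
            return False
        if self.absolute_end is not None and at >= self.absolute_end:
            return False
        if self.weekdays_only and at.weekday() >= 5:      # Saturday/Sunday
            return False
        if self.periodic_start is not None and self.periodic_end is not None:
            hhmm = at.strftime("%H:%M")
            if not (self.periodic_start <= hhmm < self.periodic_end):
                return False
        return True


@dataclass
class Ace:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip", "tcp" or "udp"
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int] = None
    time_range: Optional[TimeRange] = None


@dataclass
class Packet:
    in_if: str
    out_if: str                   # egress interface; assumed already known from routing
    proto: str
    src: IPv4Address
    dst: IPv4Address
    dport: Optional[int] = None


def decide(pkt: Packet, levels: Dict[str, int],
           access_groups: Dict[str, List[Ace]], at: datetime) -> str:
    """Decision for the initial packet on its ingress interface. With an ACL bound
    inbound there, the first matching ACE wins (an ACE whose time-range is inactive
    is skipped) and an implicit deny ends the list; with no ACL, higher-to-lower
    security is permitted and lower-to-higher is denied, as the slides state."""
    acl = access_groups.get(pkt.in_if)
    if acl is None:
        return "permit" if levels[pkt.in_if] > levels[pkt.out_if] else "deny"
    for ace in acl:
        if ace.time_range is not None and not ace.time_range.active(at):
            continue
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if pkt.src not in ace.src or pkt.dst not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        return ace.action
    return "deny"


# Constructed from the time-range slide. The inbound ACL names the mapped
# (outside) address of the DMZ server, 192.168.0.6, not the real 172.16.0.6.
TEMP_WORKER = TimeRange(datetime(2006, 6, 1), datetime(2006, 6, 30), True, "08:00", "17:00")
LEVELS = {"outside": 0, "dmz": 50, "inside": 100}      # assumed security levels
ACLS = {"outside": [Ace("permit", "tcp", IPv4Network("192.168.10.2/32"),
                        IPv4Network("192.168.0.6/32"), 80, TEMP_WORKER)]}


def temp_worker_www(at: datetime) -> str:
    pkt = Packet("outside", "dmz", "tcp", IPv4Address("192.168.10.2"),
                 IPv4Address("192.168.0.6"), 80)
    return decide(pkt, LEVELS, ACLS, at)


def no_acl(in_if: str, out_if: str) -> str:
    """Interfaces with no ACL bound fall back to the security-level default."""
    pkt = Packet(in_if, out_if, "tcp", IPv4Address("10.0.0.11"), IPv4Address("192.168.10.2"), 80)
    return decide(pkt, LEVELS, ACLS, datetime(2006, 6, 12, 10, 0))
```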
Configure Network Address Translations: Policy NAT
fw1(config)# access-list company_a permit tcp A 255.255.255.0 host B
fw1(config)# nat (inside) 10 access-list company_a
fw1(config)# global (outside) C D netmask 255.255.255.255
[Figure: ABC Corp. host 10.0.0.15/24 on the inside, translated to 192.168.0.33 when sending to the Company A Sales Server 192.168.10.11 across the Internet]
When sending sales orders to Company A, all ABC Corp. IP source addresses must be translated to 192.168.0.33. Using the access-list and global commands, drag the parameter on the left to the correct letter on the right to accomplish this task.
Parameters (A, B, C, D): 192.168.0.33, 0, 192.168.10.11, 10.0.0.15, 10.0.0.0, 10
Configure Network Address Translations: Nat0
fw1(config)# access-list VPN-NO-NAT permit ip A 255.255.255.0 B 255.255.255.0
fw1(config)# nat (inside) C access-list VPN-NO-NAT
[Figure: Corporate office 10.100.1.0/24 behind fw1 and Home office 10.10.0.0/24, connected across the Internet with no translation]
A customer does NOT want to translate home office to corporate office VPN traffic. Using the access-list and nat commands, drag the parameter on the left to the correct letter on the right to accomplish this task.
Parameters (A, B, C): 10.10.0.0, 10.100.1.0, 0, 1
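The PAT, Policy NAT and Nat0 slides each show one outbound rule; this added Python model (not code from the session) puts the three kinds in one rule set to show the order in which the appliance checks them: NAT exemption first, then policy NAT, then regular dynamic NAT/PAT. The combined rule set, the extra catch-all PAT address 192.168.0.8, and the assumption that nat-control is off are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple


@dataclass
class NatRule:
    """One outbound rule on the inside interface.
    kind: "exempt"  = nat (inside) 0 access-list ...           (NAT exemption)
          "policy"  = nat (inside) <id> access-list ... plus a matching global
          "dynamic" = nat (inside) <id> <net> <mask>   plus a matching global
    proto/dst come from the ACL; a plain nat statement has proto "ip", dst None."""
    kind: str
    src: IPv4Network
    proto: str = "ip"
    dst: Optional[IPv4Network] = None
    global_addr: Optional[str] = None    # 'global (outside) <id> <addr> netmask 255.255.255.255'


ORDER = ("exempt", "policy", "dynamic")   # lookup order on the appliance


def outbound_source(rules: List[NatRule], src_ip: str, dst_ip: str, proto: str) -> Tuple[str, str]:
    """(translated source, rule kind) for an inside-to-outside packet. NAT exemption
    is checked first, then policy NAT, then regular dynamic NAT/PAT; with no match
    the source is left alone (nat-control assumed off)."""
    src, dst = IPv4Address(src_ip), IPv4Address(dst_ip)
    for kind in ORDER:
        for r in rules:
            if r.kind != kind or src not in r.src:
                continue
            if r.proto != "ip" and r.proto != proto:
                continue
            if r.dst is not None and dst not in r.dst:
                continue
            return (src_ip, kind) if kind == "exempt" else (r.global_addr, kind)
    return (src_ip, "none")


# Constructed rule set combining the three slides (they describe separate labs).
RULES = [
    # access-list VPN-NO-NAT permit ip 10.100.1.0 255.255.255.0 10.10.0.0 255.255.255.0
    # nat (inside) 0 access-list VPN-NO-NAT
    NatRule("exempt", IPv4Network("10.100.1.0/24"), "ip", IPv4Network("10.10.0.0/24")),
    # access-list company_a permit tcp 10.0.0.0 255.255.255.0 host 192.168.10.11
    # nat (inside) 10 access-list company_a
    # global (outside) 10 192.168.0.33 netmask 255.255.255.255
    NatRule("policy", IPv4Network("10.0.0.0/24"), "tcp", IPv4Network("192.168.10.11/32"), "192.168.0.33"),
    # nat (inside) 2 10.0.2.0 255.255.255.0
    # global (outside) 2 192.168.0.9 netmask 255.255.255.255
    NatRule("dynamic", IPv4Network("10.0.2.0/24"), global_addr="192.168.0.9"),
    # constructed catch-all PAT for the rest of 10.0.0.0/24:
    # nat (inside) 1 10.0.0.0 255.255.255.0 / global (outside) 1 192.168.0.8 netmask 255.255.255.255
    NatRule("dynamic", IPv4Network("10.0.0.0/24"), global_addr="192.168.0.8"),
]

if __name__ == "__main__":
    for probe in (("10.100.1.5", "10.10.0.7", "tcp"), ("10.0.0.15", "192.168.10.11", "tcp"),
                  ("10.0.0.15", "192.168.10.11", "udp"), ("10.0.2.7", "4.4.4.4", "tcp")):
        print(probe, "->", outbound_source(RULES, *probe))
```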
Configure Object-Groups to Optimize Access-List Processing
fw1(config)# object-group service object1 tcp
fw1(config-service)# port-object eq https
fw1(config)# object-group network object2
fw1(config-network)# network-object 172.16.1.0 255.255.255.0
fw1(config)# object-group network object3
fw1(config-network)# network-object 192.168.10.0 255.255.255.0
fw1(config)# access-list IT extended permit tcp object-group A object-group B object-group C
A network administrator wants to grant external IT personnel, on subnet 192.168.10.0/24, HTTPS access to the servers on the DMZ subnet, 172.16.1.0/24. Using the access-list command, drag the parameter on the left to the correct letter on the right to accomplish this task.
Parameters (A, B, C): object1, object2, object3
Exam Topic—Configure a Security Appliance to Provide Secure Connectivity Using Site-to-Site VPNs
Configure a Security Appliance to Provide Secure Connectivity Using Site-to-Site VPNs
What You Need to Know:
Explain the basic functionality of IPSec
Configure IKE with preshared keys
Differentiate between the types of encryption
Configure IPSec parameters
Configure crypto-maps and ACLs
Identify Interesting Traffic
fw1(config)# access-list 101 permit ip A 255.255.255.0 B 255.255.255.0
fw6(config)# access-list 101 permit ip C 255.255.255.0 D 255.255.255.0
[Figure: Site 1 host 10.0.1.11 behind fw1 (e0 192.168.1.2) and Site 2 host 10.0.6.11 behind fw6 (e0 192.168.6.2), connected across the Internet]
Parameters (A, B, C, D): 10.0.1.0, 10.0.6.0, 10.0.1.0, 10.0.6.0
Configure Tunnel-Group Attributes—Pre-Shared Key
fw1(config)# tunnel-group 192.168.6.2 type IPSec-L2L
fw1(config)# tunnel-group 192.168.6.2 ipsec-attributes
fw1(config-ipsec)# pre-shared-key cisco123
[Figure: Site 1 fw1 (192.168.1.2, host 10.0.1.11) and Site 2 fw6 (192.168.6.2, host 10.0.6.11) across the Internet; fw1 holds IPSec L2L tunnel-group 192.168.6.2 with pre-shared-key cisco123, fw6 holds IPSec L2L tunnel-group 192.168.1.2 with pre-shared-key cisco123]
Configure IKE with Pre-Shared Keys
fw1(config)# isakmp policy 10 encryption 3des
fw1(config)# isakmp policy 10 hash sha
fw1(config)# isakmp policy 10 authentication pre-share
fw1(config)# isakmp policy 10 group 1
fw1(config)# isakmp policy 10 lifetime 86400
[Figure: Site 1 host 10.0.1.11 behind fw1 (e0 192.168.1.2) and Site 2 host 10.0.6.11 behind fw6 (e0 192.168.6.2), connected across the Internet]
Configure IPSec Parameters
[Figure: Security Appliance 1 (e0 192.168.1.2, Site 1, host 10.0.1.11) and Security Appliance 6 (e0 192.168.6.2, Site 2, host 10.0.6.11) across the Internet]
esp-des ESP transform using DES cipher (56 bits)
esp-3des ESP transform using 3DES cipher (168 bits)
esp-aes ESP transform using AES-128 cipher
esp-aes-192 ESP transform using AES-192 cipher
esp-aes-256 ESP transform using AES-256 cipher
esp-md5-hmac ESP transform using HMAC-MD5 auth
esp-sha-hmac ESP transform using HMAC-SHA auth
fw1(config)# crypto ipsec transform-set FW6 esp-des esp-md5-hmac
Configure IPSec Parameters
fw1(config)# crypto ipsec transform-set FW6 A B
Select two secure transforms for the IPSec tunnel. Drag the parameter on the left to the correct letter on the right to accomplish this task.
Parameters (A, B): esp-3des, esp-rc4, ah-md5-hmac, ah-aes-128, esp-sha-hmac
[Figure: Security Appliance 1 (e0 192.168.1.2, Site 1, host 10.0.1.11) and Security Appliance 6 (e0 192.168.6.2, Site 2, host 10.0.6.11) across the Internet]
Configure Crypto-Maps and ACLs
fw1(config)# access-list 101 permit ip A 255.255.255.0 B 255.255.255.0
fw1(config)# crypto ipsec transform-set FW6 esp-3des esp-sha-hmac
fw1(config)# crypto map FW1MAP 10 set peer C
fw1(config)# crypto map FW1MAP 10 match address D
fw1(config)# crypto map FW1MAP 10 set transform-set FW6
fw1(config)# crypto map FW1MAP interface outside
[Figure: Site 1 host 10.0.1.11 behind fw1 (e0 192.168.1.2) and Site 2 host 10.0.6.11 behind fw6 (e0 192.168.6.2), connected across the Internet]
Parameters (A, B, C, D): 10.0.1.0, 10.0.6.0, 192.168.1.2, 192.168.6.2, 101, FW1MAP
Site-to-Site VPN: Hub and Spoke
Understand the traffic flow
Utilize existing S2S tunnels
Add additional crypto access-lists
Add “same-security-traffic permit intra-interface” at the hub site
Traffic Flow: HQ to BR A, HQ to BR B, BR A to BR B
[Figure: HQ (192.168.1.1, 10.0.1.0/24) as hub with Branch A (192.168.1.10, 10.0.2.0/24) and Branch B (192.168.1.12, 10.0.4.0/24) as spokes across the Internet; intra-interface traffic permitted at HQ]
HQ: IPsec Tunnels 192.168.1.1 to 192.168.1.10 and 192.168.1.1 to 192.168.1.12; Encrypted Traffic 10.0.1.0/24 to 10.0.2.0/24 and 10.0.1.0/24 to 10.0.4.0/24
Branch A: IPsec Tunnel 192.168.1.10 to 192.168.1.1; Encrypted Traffic 10.0.2.0/24 to 10.0.1.0/24 and 10.0.2.0/24 to 10.0.4.0/24
Branch B: IPsec Tunnel 192.168.1.12 to 192.168.1.1; Encrypted Traffic 10.0.4.0/24 to 10.0.1.0/24 and 10.0.4.0/24 to 10.0.2.0/24
Hub and Spoke Configuration
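The crypto access-lists the hub-and-spoke slides call for, generated from the site table. This is an added Python example, not the session's configuration: the site table is constructed from the diagram, the crypto map name S2SMAP and the ACL naming are assumptions, and the generator goes one step beyond the diagram by emitting the hub's mirror-image entries (which must match each spoke's ACL for the tunnel to negotiate) and by flagging the hairpin that requires intra-interface traffic at HQ.

```python
from ipaddress import IPv4Network
from typing import Dict, List, Tuple

Pair = Tuple[str, str]        # (local subnet, remote subnet), both CIDR strings

# Constructed from the hub-and-spoke slides: peer address and protected subnet per site.
SITES: Dict[str, Tuple[str, str]] = {
    "HQ":      ("192.168.1.1",  "10.0.1.0/24"),
    "BranchA": ("192.168.1.10", "10.0.2.0/24"),
    "BranchB": ("192.168.1.12", "10.0.4.0/24"),
}


def crypto_acl_entries(sites: Dict[str, Tuple[str, str]], hub: str) -> Dict[Tuple[str, str], List[Pair]]:
    """Map (site, peer) -> crypto ACL pairs for that tunnel. A spoke has one tunnel,
    to the hub, and its ACL must cover its subnet to every other site's subnet so
    spoke-to-spoke traffic is sent into the existing tunnel. The hub's ACL toward
    each spoke is the mirror image, which is what makes the two ends agree on the
    protected networks; the diagram lists only the hub's own subnet pairs."""
    entries: Dict[Tuple[str, str], List[Pair]] = {}
    for spoke in (s for s in sites if s != hub):
        local = sites[spoke][1]
        remotes = [sites[x][1] for x in sites if x != spoke]
        entries[(spoke, hub)] = [(local, r) for r in remotes]
        entries[(hub, spoke)] = [(r, local) for r in remotes]
    return entries


def is_mirror(a: List[Pair], b: List[Pair]) -> bool:
    """Crypto ACLs on the two ends of a tunnel must be mirror images."""
    return sorted(a) == sorted((y, x) for x, y in b)


def hub_hairpins(entries: Dict[Tuple[str, str], List[Pair]], sites, hub: str) -> bool:
    """True when a hub entry carries traffic whose local side is not the hub's own
    subnet: such a packet enters and leaves the hub's outside interface and needs
    'same-security-traffic permit intra-interface'."""
    hub_subnet = sites[hub][1]
    return any(local != hub_subnet
               for (site, _peer), pairs in entries.items() if site == hub
               for local, _remote in pairs)


def as_commands(site: str, peer: str, pairs: List[Pair], sites, seq: int) -> List[str]:
    """Render one crypto map entry and its ACL in the command syntax used on the slides."""
    name = f"{site}-to-{peer}"
    cmds = []
    for local, remote in pairs:
        l, r = IPv4Network(local), IPv4Network(remote)
        cmds.append(f"access-list {name} permit ip {l.network_address} {l.netmask} "
                    f"{r.network_address} {r.netmask}")
    cmds.append(f"crypto map S2SMAP {seq} match address {name}")
    cmds.append(f"crypto map S2SMAP {seq} set peer {sites[peer][0]}")
    return cmds


if __name__ == "__main__":
    entries = crypto_acl_entries(SITES, "HQ")
    for seq, (site, peer) in enumerate(sorted(entries), start=10):
        print(f"! {site}")
        print("\n".join(as_commands(site, peer, entries[(site, peer)], SITES, seq)))
    if hub_hairpins(entries, SITES, "HQ"):
        print("! HQ: same-security-traffic permit intra-interface")
```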
Exam Topics—Configure a Security Appliance to Provide Secure Connectivity Using Remote Access VPNs
Configure a Security Appliance to Provide Secure Connectivity Using Remote Access VPNs
What You Need to Know:
Explain the functions of EasyVPN
Configure IPSec using EasyVPN Server/Client
Configure the Cisco Secure VPN client
Explain the purpose of WebVPN
Configure WebVPN services: Server/Client
Verify VPN operations
Install and Configure SVCs
Install and Configure Cisco Secure Desktop
Configure ISAKMP Parameters
fw1(config)# isakmp enable outside
fw1(config)# isakmp policy 10 encryption 3des
fw1(config)# isakmp policy 10 hash sha
fw1(config)# isakmp policy 10 authentication pre-share
fw1(config)# isakmp policy 10 group 2
fw1(config)# isakmp policy 10 lifetime 86400
[Figure: Remote Client 172.26.26.1 across the Internet to the outside interface; Server 10.0.0.15 on the inside]
Configure IPSec Tunnel-Group
fw1(config)# ip local pool mypool 10.0.0.100-10.0.0.254
!--- Configure tunnel-group parameters
fw1(config)# tunnel-group training type A
fw1(config)# tunnel-group training B
fw1(config-ipsec)# pre-shared-key cisco123
fw1(config)# tunnel-group training C
fw1(config-general)# address-pool mypool
Parameters (A, B, C): IPSec_RA, ipsec-attributes, general-attributes, IPSec-L2L
[Figure: Remote Client 172.26.26.1 across the Internet to the outside interface; Server 10.0.0.15 on the inside]
Configure Group Policy
fw1(config)# group-policy training internal
fw1(config)# group-policy training attributes
fw1(config-group-policy)# wins-server value 10.0.0.15
fw1(config-group-policy)# dns-server value 10.0.0.15
fw1(config-group-policy)# vpn-idle-timeout 15
fw1(config-group-policy)# default-domain value cisco.com
Group Policy attributes pushed to the client: DNS server, WINS server, DNS domain, Address pool, Idle time
[Figure: Remote Client 172.26.26.1 across the Internet to the outside interface; Server 10.0.0.15 on the inside]
Configure Crypto Map
fw1(config)# crypto ipsec transform-set rmtuser1 esp-3des esp-md5-hmac
fw1(config)# crypto dynamic-map rmt-dyna-map 10 set transform-set A
fw1(config)# crypto map rmt-user-map 10 ipsec-isakmp dynamic-map B
!--- Apply crypto map to the outside interface.
fw1(config)# crypto map C interface outside
An administrator needs to complete a dynamic crypto map for this solution. Drag the parameter on the left to the correct letter on the right to accomplish this task.
Parameters (A, B, C): rmt-user-map, rmt-dyna-map, rmtuser1
[Figure: Remote Client 172.26.26.1 across the Internet to the outside interface; Server 10.0.0.15 on the inside]
Explain the Purpose of WebVPN
Uses a standard SSLVPN to access the corporate network
Access to internal websites (HTTP/HTTPS), including filtering
Access to internal Windows (CIFS) File Shares
TCP port forwarding for legacy application support
Access to e-mail via POP, SMTP, and IMAP4 over SSL
[Figure: WebVPN tunnels into the Corporate Network from a Home Office via a Broadband Provider, from a Computer Kiosk via an ISP, and from a wireless user via a Wireless Provider]
Configure SSLVPN Services
fw1(config)# group-policy corp_sslvpn attributes
Enters the group-policy attributes subcommand mode
fw1(config-group-policy)# webvpn
Enters WebVPN group-policy attributes subcommand mode
fw1(config-group-webvpn)# functions url-entry file-access file-entry file-browsing
Enables file access, entry, browsing, and URL entry for the group
fw1(config-group-webvpn)# url-list value URLs
Selects predefined URLs that were configured by using the url-list command
[Figure: Remote Client across a WebVPN Tunnel to the Security Appliance; HTTP-Server 10.0.1.10/24 and Console-Server 10.0.1.11/24 inside]
Configure SSLVPN File Services
fw1(config)# group-policy corp_sslvpn attributes
fw1(config-group-policy)# webvpn
fw1(config-group-webvpn)# functions url-entry file-access file-entry file-browsing
fw1(config-group-webvpn)# url-list value sslvpn_urls
fw1(config)# url-list sslvpn_urls "Superserver" http://10.0.1.10
fw1(config)# url-list sslvpn_urls "CIFS Share" cifs://10.0.1.11/training
[Figure: Remote Client across a WebVPN Tunnel to the Security Appliance; Superserver 10.0.1.10/24 and the Training share on 10.0.1.11/24 inside]
Configure SSLVPN Port-Forward Services
fw1(config)# group-policy corp_sslvpn attributes
fw1(config-group-policy)# webvpn
fw1(config-group-webvpn)# functions port-forward
fw1(config-group-webvpn)# port-forward value SSLVPN_APPS
fw1(config-group-webvpn)# port-forward SSLVPN_APPS 2222 10.0.1.10 23
fw1(config-group-webvpn)# port-forward SSLVPN_APPS 2110 mailserver1.training.com 110
fw1(config-group-webvpn)# port-forward SSLVPN_APPS 2025 mailserver1.training.com 25
[Figure: Remote Client across a WebVPN Tunnel to the Security Appliance; Super-Server1 10.0.1.10/24 and Mail-Server1 10.0.1.11/24 inside]
Exam Topics—Configure Transparent Firewall, Virtual Firewall, and High Availability Firewall Features on a Security Appliance
Configure Transparent Firewall, Virtual Firewall, and High Availability Firewall Features on a Security Appliance
What You Need to Know:
Explain differences between L2 and L3 operating modes
Configure security appliance for transparent mode (L2)
Explain purpose of virtual firewalls
Configure security appliance to support virtual firewall
Monitor and maintain virtual firewall
Explain the types, purpose and operation of fail-over
Install and configure appropriate topology to support cable-based or LAN-based fail-over
Explain the hardware, software and licensing requirements for high-availability
Configure Transparent Firewall, Virtual Firewall, and High Availability Firewall Features on a Security Appliance (Con't)

What You Need to Know:
Configure the SA for active/standby fail-over
Configure the SA for stateful fail-over
Configure the SA for active-active fail-over
Verify fail-over operation
Recover from a fail-over
Allocate resources to virtual firewalls
Explain Differences Between L2 and L3 Operating Modes

The Security Appliance Can Run in Two Mode Settings:
Routed: forwarding decisions are based on IP address; each interface is a separate subnet (in the diagram, 10.0.1.0 on VLAN 100 and 10.0.2.0 on VLAN 200)
Transparent: the appliance bridges frames based on MAC address and is not an IP hop; the same subnet appears on both sides (10.0.1.0 on VLAN 100 and on VLAN 200)

The following features are not supported in transparent mode (in the 7.x releases this exam covers):
NAT
Dynamic routing protocols
IPv6
DHCP relay
Quality of Service
Multicast
VPN termination for through traffic

Later releases relaxed some of these; NAT in transparent mode, for example, was added in ASA 8.0(2). A transparent appliance can still terminate a site-to-site VPN for traffic to its own management address, just not for traffic passing through it.
Configure Security Appliance for Transparent Mode (L2)

[Diagram: transparent-mode appliance with management IP 10.0.1.1 between VLAN 100 and VLAN 200, both carrying 10.0.1.0; router 10.0.1.10 toward the Internet; hosts 10.0.1.3 and 10.0.1.4 with GW 10.0.1.10]

IP traffic entering from a lower-security interface must be explicitly permitted with an access list (ARP is passed without one)
Each directly connected network must be on the same subnet
The management IP address must be on the same subnet as the connected network
Do not specify the firewall appliance management IP address as the default gateway for connected devices
Devices need to specify the router on the other side of the firewall appliance as the default gateway
Each interface must be on a different VLAN

fw1(config)# firewall transparent
Switched to transparent mode

Changing the mode clears the running configuration, so switch modes before configuring the appliance, and do it from the console rather than over a remote session you are about to lose.
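A complete transparent-mode configuration for the topology on this slide, added here as an example (it is not from the deck). Interface names ethernet0/ethernet1 as outside/inside, the contents of the access list, and the use of the pre-8.4 global "ip address" command (the form used by the 7.x/8.0 releases this deck covers; 8.4 and later put the address on a bridge group) are assumptions; the addresses are the slide's.

```cisco
! Added example (not from the deck). Assumes ethernet0 = outside,
! ethernet1 = inside, and the pre-8.4 global "ip address" form.
! Switching modes clears the running configuration, so do it first
firewall transparent
! Bridged interfaces: names and security levels, but no IP address
interface ethernet0
 nameif outside
 security-level 0
 no shutdown
interface ethernet1
 nameif inside
 security-level 100
 no shutdown
! One management address for the whole appliance, on the bridged subnet
ip address 10.0.1.1 255.255.255.0
! Default route for the appliance's own traffic (syslog, AAA, SSH replies)
! via the router that the hosts also use as their default gateway
route outside 0.0.0.0 0.0.0.0 10.0.1.10
! Inside-to-outside IP traffic is allowed by security level; traffic that
! enters from outside must be permitted explicitly. ARP passes without an
! ACL. (The permitted services below are assumptions for the example.)
access-list OUTSIDE_IN extended permit tcp any host 10.0.1.3 eq www
access-list OUTSIDE_IN extended permit icmp any 10.0.1.0 255.255.255.0 echo-reply
access-group OUTSIDE_IN in interface outside
! Management of the appliance itself arrives on the management address
ssh 10.0.1.0 255.255.255.0 inside
! Verify the mode and the learned MAC table
show firewall
show mac-address-table
```

The hosts keep 10.0.1.10 as their gateway and never learn that 10.0.1.1 exists; the management address is only for traffic sourced by or destined to the appliance, which is why it must sit inside the bridged subnet.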
Configure Security Appliance to Support Virtual Firewall

fw1(config)# mode multiple
WARNING: This command will change the behavior of the device
WARNING: This command will initiate a Reboot
Proceed with change mode? [confirm]
Convert the system configuration? [confirm]
...
fw1# show mode
Security context mode: multiple

On conversion the appliance turns the running configuration into a system configuration plus an admin context (admin.cfg) and keeps a copy of the original as old_running.cfg in flash; that copy is the rollback path if the conversion does not do what you expect.

[Diagram: CTX1 (admin) and CTX2 on one appliance; CTX1 uses e0/e1, CTX2 uses e3/e4; both reach the Internet]
Configure Security Appliance to Support Virtual Firewall

An administrator is tasked with allocating interfaces for the two contexts, ctx1 and ctx2. Using the allocate-interface command, drag the interface parameter on the left to the correct letter on the right to accomplish this task.

fw1(config)# admin-context ctx1
fw1(config)# context ctx1
fw1(config-ctx)# allocate-interface A
fw1(config-ctx)# allocate-interface B
fw1(config-ctx)# config-url flash:/C
fw1(config)# context ctx2
fw1(config-ctx)# allocate-interface D
fw1(config-ctx)# allocate-interface E
fw1(config-ctx)# config-url flash:/F

Parameters: ethernet0, ethernet1, ethernet3, ethernet4, ctx1.cfg, ctx2.cfg
Targets: A, B, C, D, E, F

[Diagram: CTX1 (admin) on e0/e1, CTX2 on e3/e4, both connected to the Internet]

The admin context is special: anyone who can log in to it can change to the system execution space and from there into every other context, so treat admin-context credentials as system-level credentials and do not hand them to the tenants of the other contexts.
Configure Security Appliance to Support Virtual Firewall

fw1(config)# changeto context ctx1
fw1/ctx1(config)# interface ethernet0
fw1/ctx1(config-if)# ip address 192.168.1.2 255.255.255.0
fw1/ctx1(config-if)# nameif outside
fw1/ctx1(config)# interface ethernet1
fw1/ctx1(config-if)# ip address 10.0.1.1 255.255.255.0
fw1/ctx1(config-if)# nameif inside

Context 1: interface e0, IP address 192.168.1.2; interface e1, IP address 10.0.1.1
Context 2: interface e3, IP address 192.168.31.7; interface e4, IP address 10.0.31.7

[Diagram: CTX1 (admin) e0 192.168.1.2 / e1 10.0.1.1; CTX2 e3 192.168.31.7 / e4 10.0.31.7; both to the Internet]
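The two context slides above combined into one complete multiple-context configuration, as an added example that is not part of the original deck. Security levels, the nameif values and the use of flash: for the context files are assumptions; the interfaces and addresses are the slide's.

```cisco
! Added example (not from the deck). Security levels, nameif values and the
! flash: location are assumptions; addresses are the slide's.
! ---- System execution space ----
! Physical interface state is managed here; contexts only get the allocation
interface ethernet0
 no shutdown
interface ethernet1
 no shutdown
interface ethernet3
 no shutdown
interface ethernet4
 no shutdown
admin-context ctx1
context ctx1
 allocate-interface ethernet0
 allocate-interface ethernet1
 config-url flash:/ctx1.cfg
context ctx2
 allocate-interface ethernet3
 allocate-interface ethernet4
 config-url flash:/ctx2.cfg
! ---- Inside each context: configured like a standalone firewall ----
changeto context ctx1
interface ethernet0
 nameif outside
 security-level 0
 ip address 192.168.1.2 255.255.255.0
interface ethernet1
 nameif inside
 security-level 100
 ip address 10.0.1.1 255.255.255.0
changeto context ctx2
interface ethernet3
 nameif outside
 security-level 0
 ip address 192.168.31.7 255.255.255.0
interface ethernet4
 nameif inside
 security-level 100
 ip address 10.0.31.7 255.255.255.0
! ---- Back in the system space: verify mode, contexts and allocations ----
changeto system
show mode
show context
```

The prompt changes to fw1/ctx1 or fw1/ctx2 while you are inside a context, which is the quickest way to confirm you are not about to configure the wrong tenant.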
Hardware and Stateful Failover

Hardware Failover
Connections are dropped.
Client applications must reconnect.
Provided by a serial (cable-based) or LAN-based failover link.
Active/Standby: only one unit actively processes traffic while the other is a hot standby.
Active/Active: both units actively process traffic and each serves as backup for the other (requires multiple context mode).

Stateful failover
TCP connections remain active.
No client applications need to reconnect.
Provides redundancy and stateful connection.
Provided by a stateful link, over which the active unit replicates its connection, translation and ARP state to the standby. Not everything is replicated: HTTP connections are skipped unless "failover replication http" is enabled, and the user authentication (uauth) table is not carried over.

[Diagram: failover pair between the inside network and the Internet]
Explain the Hardware, Software and Licensing Requirements for High-Availability

The primary and secondary security appliances must be identical in the following requirements:
Same model number and hardware configuration
Same software version: the two units should have the same major (first number) and minor (second number) software version. Starting in release 7.0 you do not need to maintain version parity on the units during the upgrade process, e.g. 7.0(4) to 7.0(5), which is what makes a zero-downtime upgrade across maintenance releases possible
Same licensed features (e.g. DES-only versus 3DES/AES)
Same amount of Flash memory and RAM
Proper licensing

[Diagram: Active/Standby pair after a failover (primary standby, secondary active); Active/Active pair where the failed primary's contexts run on the secondary]
Configure A/S Failover Link

fw1(config)# interface ethernet3
fw1(config-if)# no shut
fw1(config)# failover lan interface LANFAIL ethernet3
fw1(config)# failover interface ip A B 255.255.255.0 C D
fw1(config)# failover lan unit E
fw1(config)# failover

Parameters: LANFAIL, 172.17.2.1, 172.17.2.7, standby, primary
Targets: A, B, C, D, E

[Diagram: primary fw1 (active) and secondary (standby); outside 192.168.2.0 (.1 active, .7 standby), inside 10.0.2.0 (.1 active, .7 standby), LANFAIL link 172.17.2.0 (.1 primary, .7 secondary)]

The failover link carries the configuration (passwords included) and, if it doubles as the stateful link, the state table. That traffic is sent in clear text unless a failover key is configured, so put the link on a dedicated switch or VLAN and set a key on both units.
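A complete active/standby pair for the slide's topology, as an added example that is not from the deck. Interface names (ethernet0 outside, ethernet1 inside), the failover key value and reuse of the LANFAIL link for state replication are assumptions; the addresses are the ones on the slide.

```cisco
! Added example (not from the deck). Interface names, the key value and the
! shared state link are assumptions.
! ---- Primary unit (fw1): full configuration ----
! Every data interface gets an active and a standby address; the standby
! unit answers on the standby address and the two swap on failover
interface ethernet0
 nameif outside
 security-level 0
 ip address 192.168.2.1 255.255.255.0 standby 192.168.2.7
 no shutdown
interface ethernet1
 nameif inside
 security-level 100
 ip address 10.0.2.1 255.255.255.0 standby 10.0.2.7
 no shutdown
! Dedicated failover LAN link: no nameif, failover owns it
interface ethernet3
 no shutdown
failover lan interface LANFAIL ethernet3
failover interface ip LANFAIL 172.17.2.1 255.255.255.0 standby 172.17.2.7
failover lan unit primary
! Stateful replication over the same link (a separate link is preferable)
failover link LANFAIL ethernet3
! Failover messages carry the configuration and state; encrypt them
failover key F0verS3cretKey
failover
! ---- Secondary unit: bootstrap only; everything else is replicated from
! the active unit once failover comes up ----
! interface ethernet3
!  no shutdown
! failover lan interface LANFAIL ethernet3
! failover interface ip LANFAIL 172.17.2.1 255.255.255.0 standby 172.17.2.7
! failover lan unit secondary
! failover key F0verS3cretKey
! failover
! ---- Verify, test and recover ----
show failover
! On the active unit: force a switchover to test the standby
no failover active
! After the cause of a failure is fixed: clear Failed state, back to standby
failover reset
```

Enable failover on the primary first and on the secondary second; the secondary then pulls the full configuration over the link, so nothing beyond the bootstrap lines should be typed on it.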
Configure A/A Failover Link

fw1(config)# interface GigabitEthernet0/2
fw1(config-if)# no shut
fw1(config)# failover lan interface LANFAIL GigabitEthernet0/2
fw1(config)# failover interface ip LANFAIL A 255.255.255.0 B C
fw1(config)# failover link LANFAIL GigabitEthernet0/2
fw1(config)# failover lan key 1234567

Parameters: 172.17.1.1, 172.17.1.7, standby
Targets: A, B, C

[Diagram: two units with CTX1 in failover group 1 and CTX2 in failover group 2; g0/0, g0/1, g0/3 and g0/4 are context interfaces, g0/2 on each unit is the failover link (172.17.1.1 / 172.17.1.7)]

Here one interface serves as both the failover link and, via "failover link", the stateful link. On ASA 7.x and later the key is set with "failover key"; the "failover lan key" form shown is the older PIX 6.x syntax. A short numeric key such as 1234567 is a weak choice; use a long random string.
A/A Failover Group

Active/active failover adds support for failover groups. Failover is performed on a unit or group level.
A group is comprised of one or more contexts.
Each failover group contains separate state machines to keep track of the group failover state.

fw1(config)# failover group 1
fw1(config-fover-group)# primary
fw1(config)# failover group 2
fw1(config-fover-group)# secondary

"primary" or "secondary" sets which unit has priority for the group; add "preempt" under the group if it should move back to the preferred unit automatically once that unit recovers. The admin context always belongs to group 1.

[Diagram: group 1 active on the primary unit, group 2 active on the secondary unit]
Context: Allocate Interfaces and Assign a Failover Group Number

Associate interfaces and a group to a context:

fw1(config)# context ctx1
fw1(config-ctx)# allocate-interface GigabitEthernet0/0
fw1(config-ctx)# allocate-interface GigabitEthernet0/1
fw1(config-ctx)# config-url flash:/ctx1.cfg
fw1(config-ctx)# join-failover-group 1
fw1(config)# context ctx2
fw1(config-ctx)# allocate-interface GigabitEthernet0/3
fw1(config-ctx)# allocate-interface GigabitEthernet0/4
fw1(config-ctx)# config-url flash:/ctx2.cfg
fw1(config-ctx)# join-failover-group 2

[Diagram: CTX1 (group 1) on g0/0 and g0/1, CTX2 (group 2) on g0/3 and g0/4 on both units; both contexts reach the Internet]
Show Failover: Part 1

fw1# show failover
Failover On
Cable status: N/A - LAN-based failover enabled
Failover unit Primary
Failover LAN Interface: lanfail GigabitEthernet0/2 (up)
Unit Poll frequency 15 seconds, holdtime 45 seconds
Interface Poll frequency 15 seconds
Interface Policy 1
Monitored Interfaces 4 of 250 maximum
Group 1 last failover at: 15:54:49 UTC Sept 17 2006
Group 2 last failover at: 15:55:00 UTC Sept 17 2006

[Diagram: primary unit with CTX1/group 1 active (192.168.1.2, 10.0.1.1) and CTX2/group 2 standby (192.168.31.7, 10.0.31.7), g0/2 172.17.1.1; secondary unit with CTX1/group 1 standby (192.168.1.7, 10.0.1.7) and CTX2/group 2 active (192.168.31.1, 10.0.31.1), g0/2 172.17.1.7]
Resource Management

Limits the use of resources per context
Prevents one or more contexts from using too many resources and causing other contexts to be denied use of resources
Enables you to configure limits for the following resources:
ASDM connections
Telnet sessions
SSH sessions
Connections
Xlate objects
Hosts
Application inspections (rate only)
Syslogs per second (rate only)

[Diagram: Internet -> CONTEXT 1 and CONTEXT 2 on one appliance; HTTP connections for CONTEXT 2 limited to 20%]
Configuring Resource Management

fw1(config)# class MEDIUM-RESOURCE-SET
fw1(config-class)# limit-resource conns 20%
fw1(config)# context context2
fw1(config-ctx)# member MEDIUM-RESOURCE-SET

Limits the MEDIUM-RESOURCE-SET class to 20 per cent of the system connection limit
Assigns the context2 context to the MEDIUM-RESOURCE-SET class

Define the class before a context joins it, and spell the name identically in both places: the slide as originally printed mixed MEDIUM_RESOURCE_SET and MEDIUM-RESOURCE-SET and referred to the context as TEST.

[Diagram: Internet -> CONTEXT 1 and CONTEXT 2 on one appliance; HTTP connections for CONTEXT 2 limited to 20%]
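A fuller resource class for the same context, as an added example (not from the deck). The limit values are assumptions chosen to show the three kinds of limit (percentage of the platform maximum, absolute per-context count, and rate); "context2" is the slide's context.

```cisco
! Added example (not from the deck). System execution space. Percentages are
! of the platform limit; absolute numbers are per context; "rate" limits are
! per second. All values are assumptions.
class MEDIUM-RESOURCE-SET
 limit-resource conns 20%
 limit-resource xlates 20%
 limit-resource ssh 3
 limit-resource asdm 2
 limit-resource rate conns 2000
 limit-resource rate inspects 500
 limit-resource rate syslogs 300
! Assign the context after the class exists. A context not placed in any
! class stays in the default class, which leaves conns and xlates unlimited,
! so one noisy tenant can still starve the others until you do this.
context context2
 member MEDIUM-RESOURCE-SET
! Verify: what each class allows, and what each context is actually using
show resource allocation
show resource usage context context2
show resource usage summary
```

Percentage limits are relative to the platform maximum, not to what is left, so six contexts each allowed 20% of the connections oversubscribe the box; "show resource allocation" adds the classes up and makes that visible before a tenant discovers it for you.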
Exam Topics—Configure AAA Services for Access Through a Security Appliance
Configure AAA Services for Access Through a Security Appliance

What You Need to Know:
Configure ACS for security appliance support
Configure security appliance to use AAA feature
Configure authentication using both local and external databases
Configure authorization using an external database
Configure the ACS server for downloadable ACLs
Configure accounting of connection start/stop
Verify AAA operation
Configure ACS for Security Appliance Support

When configuring a Cisco ACS Server network configuration window, the administrator must supply two names and IP addresses. Drag the parameter on the left to the correct letter on the right to accomplish this task.

Parameters: NY1PIX, NY_ACS, aaauser, 192.168.2.10, 10.0.1.1, 10.0.1.10
Targets: A, B, C, D

[Diagram: Internet; NY_ACS; "aaauser" 192.168.2.10; NY1PIX; network 10.0.1.0 with hosts .1 and .10]
Configure Authentication Using Both Local and External Databases

Authentication via LOCAL database (Telnet to the appliance):

fw1(config)# username admin1 password cisco123
fw1(config)# aaa authentication telnet console LOCAL

Authentication via external database with LOCAL backup (NY_ACS at 10.0.0.2):

fw1(config)# aaa-server NY_ACS protocol tacacs+
fw1(config)# aaa-server NY_ACS (inside) host 10.0.0.2
fw1(config-aaa-server)# key secretkey
fw1(config)# aaa authentication telnet console NY_ACS LOCAL

The LOCAL keyword is a fallback, not a second chance: the local database is consulted only when every server in the NY_ACS group is unreachable, not when the server rejects the credentials. Telnet sends the password in clear text; for production access prefer SSH ("aaa authentication ssh console").
Configure Cut-Through Proxy Authentication

The administrator wants every Internet user to be authenticated before gaining http access to the DMZ server, 172.16.4.9. Drag the parameter on the left to the correct letter on the right to accomplish this task.

fw1(config)# static (dmz,outside) 192.168.1.12 172.16.4.9
fw1(config)# aaa-server NY_ACS protocol radius
fw1(config)# aaa-server NY_ACS (inside) host 10.0.0.2
fw1(config-aaa-server)# key cisco123
fw1(config)# access-list 110 permit tcp any host A eq www
fw1(config)# aaa authentication match B C D

Parameters: 192.168.1.12, 172.16.4.9, 110, outside, NY_ACS
Targets: A, B, C, D

[Diagram: Internet user 192.168.2.10 -> outside -> DMZ server 172.16.4.9 (static 192.168.1.12); NY_ACS 10.0.0.2 (RADIUS) on the inside]

On pre-8.3 code an access list evaluated on the outside interface sees the translated (global) address, so the match ACL must name the static's outside address rather than the server's real DMZ address.
Configure Authorization Using an External Database

fw1(config)# aaa-server NY_ACS protocol tacacs+
fw1(config)# aaa-server NY_ACS (inside) host 10.0.0.2
fw1(config-aaa-server)# key secretkey
fw1(config)# static (inside,outside) 192.168.0.12 10.0.0.33
fw1(config)# access-list 110 permit tcp any host 192.168.0.12 eq ftp
fw1(config)# aaa authorization match 110 outside NY_ACS

Per-user authorization of network access requires TACACS+. Authorization is evaluated against the authenticated username, so the same traffic must also be authenticated (an "aaa authentication match" rule using the same access list).

[Diagram: Internet client 192.168.9.10 -> outside (192.168.0.0, appliance .3) -> inside FTP server 10.0.0.33 (static 192.168.0.12); NY_ACS server 10.0.0.2 performs authorization]
Authorization Rules Allowing Specific Services to Specific Hosts

On the previous page, the administrator configured a PIX to verify users' rights before they ftp to the inside FTP server. In the Access server, the administrator must configure TACACS+ group setup. Check the parameter for each subtask on the left that is needed to accomplish this task.

Group setup:
Unmatched Cisco IOS commands: Deny / Permit
Command: ftp / blank (ftp is in the arguments list)
Arguments: permit 192.168.0.12 / permit tcp any host 192.168.0.12 eq ftp
Unlisted arguments: Deny / Permit
Configure the ACS Server for Downloadable ACLs

fw1(config)# static (dmz,outside) 192.168.1.10 172.16.4.9
fw1(config)# static (dmz,outside) 192.168.1.11 172.16.4.10
fw1(config)# aaa-server NY_ACS protocol A
fw1(config)# aaa-server NY_ACS (inside) host B
fw1(config-aaa-server)# key cisco123
fw1(config)# access-list 110 permit tcp any host 192.168.1.10 eq ftp
fw1(config)# access-list 110 permit tcp any host 192.168.1.11 eq C
fw1(config)# aaa authentication match 110 outside D

Parameters: tacacs+, radius, 10.0.0.2, 172.16.4.10, www, NY_ACS
Targets: A, B, C, D

[Diagram: "aaauser" on the Internet; FTP server 172.16.4.9 (static 192.168.1.10) and WWW server 172.16.4.10 (static 192.168.1.11) in the DMZ; NY_ACS 10.0.0.2 performing RADIUS authentication]

Downloadable ACLs are delivered over RADIUS (ACS returns the per-user ACL in the Access-Accept), so the server group must use the radius protocol; a TACACS+ group authenticates the user but receives no ACL.
Authentication of Console Access

Defines a console access method that requires authentication
Identifies the authentication server group name (authentication server or LOCAL)
Enables fallback to the LOCAL security appliance database

fw1(config)# aaa authentication serial console NY_ACS LOCAL
fw1(config)# aaa authentication enable console NY_ACS LOCAL
fw1(config)# aaa authentication telnet console NY_ACS LOCAL
fw1(config)# aaa authentication ssh console NY_ACS LOCAL

Create a local username before enabling "aaa authentication serial console": if the TACACS+ server is unreachable and the LOCAL database is empty, the serial console itself is locked out.

[Diagram: console access to the security appliance authenticated by the TACACS+ NY_ACS server at 10.0.0.2]
Configure Accounting of Connection Start/Stop

fw1(config)# aaa-server NY_ACS protocol A
fw1(config)# aaa-server NY_ACS (inside) host 10.0.0.2
fw1(config-aaa-server)# key cisco123
fw1(config)# access-list 110 permit tcp any host 192.168.1.10 eq ftp
fw1(config)# access-list 110 permit tcp any host 192.168.1.11 eq www
fw1(config)# aaa B match C outside NY_ACS

Parameters: radius, LDAP, accounting, authentication, 110
Targets: A, B, C

[Diagram: "aaauser" on the Internet; FTP server 172.16.4.9 (static 192.168.1.10) and WWW server 172.16.4.10 (static 192.168.1.11) on 192.168.1.0; NY_ACS 10.0.0.2 receiving RADIUS accounting]
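The AAA slides in this section, combined into one cut-through proxy configuration that authenticates, authorizes and accounts for the same traffic, plus the administrative-access rules. This is an added example, not code from the deck; interface names (outside, dmz, inside), pre-8.3 NAT syntax, a TACACS+ ACS at 10.0.0.2 with shared key cisco123, the uauth timeout and the local account are assumptions, and the addresses follow the slides.

```cisco
! Added example (not from the deck). Assumes interface names outside/dmz/
! inside, pre-8.3 NAT syntax and a TACACS+ ACS at 10.0.0.2 (key cisco123).
aaa-server NY_ACS protocol tacacs+
aaa-server NY_ACS (inside) host 10.0.0.2
 key cisco123
! Public addresses of the DMZ servers; on pre-8.3 code ACLs evaluated on
! the outside interface reference these translated addresses
static (dmz,outside) 192.168.1.10 172.16.4.9
static (dmz,outside) 192.168.1.11 172.16.4.10
! Traffic that triggers the cut-through proxy
access-list 110 extended permit tcp any host 192.168.1.10 eq ftp
access-list 110 extended permit tcp any host 192.168.1.11 eq www
! Authenticate, authorize (TACACS+ only) and account for matching
! connections. Authorization is evaluated per authenticated user, so the
! same ACL drives both the authentication and the authorization rule.
aaa authentication match 110 outside NY_ACS
aaa authorization match 110 outside NY_ACS
aaa accounting match 110 outside NY_ACS
! Cached authentications are keyed by source IP; shorten the idle lifetime
! (default is 5 minutes absolute) so a NAT'd or shared client cannot ride
! another user's credential for long
timeout uauth 0:02:00 inactivity
! Administrative access: ACS first. LOCAL is consulted only when every
! server in NY_ACS is unreachable, so a local account must exist beforehand
username admin1 password cisco123 privilege 15
aaa authentication ssh console NY_ACS LOCAL
aaa authentication enable console NY_ACS LOCAL
ssh 10.0.0.0 255.255.255.0 inside
! Verify: server reachability and the current authenticated-user cache
show aaa-server NY_ACS
show uauth
```

The proxy challenges the user once (HTTP, HTTPS, FTP and Telnet can carry the prompt), then cuts the session through at the connection table rather than proxying every packet; later connections from the same source reuse the cached entry until the uauth timer expires, which is why that timer, not the ACS session, decides how long a stolen seat stays open.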
Exam Topics—Configure Routing and Switching on a Security Appliance
Configure Routing and Switching on a Security Appliance Subtopics

What You Need to Know:
Enable DHCP server and relay functionality
Configure VLANs on a security appliance interface
Configure security appliance to pass multi-cast traffic
Configure VLANs on a Security Appliance Interface

[Diagram: outside 192.168.0.0 and inside 10.0.0.0; a trunk port carrying vlan10 (dmz1 172.16.10.1), vlan20 (dmz2 172.16.20.1) and vlan30 (dmz3 172.16.30.1) toward a public server, a partner server and a proxy server]

fw1(config)# interface ethernet3.1
fw1(config-subif)# vlan 10
fw1(config-subif)# nameif dmz1
fw1(config-subif)# security-level 10
fw1(config-subif)# ip address 172.16.10.1 255.255.255.0

(The slide omits the mask; 255.255.255.0 is assumed here.)
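The three DMZ subinterfaces from the diagram in one place, together with the physical trunk port they hang off, as an added example (not from the deck). The masks and the security levels for dmz2 and dmz3 are assumptions.

```cisco
! Added example (not from the deck). Masks and the dmz2/dmz3 security levels
! are assumptions.
! Physical trunk port: enabled, but deliberately given no nameif and no IP.
! Every VLAN lives on a subinterface, and an unnamed physical interface
! does not pass traffic, so untagged frames arriving on the trunk are dropped.
interface ethernet3
 no shutdown
interface ethernet3.1
 vlan 10
 nameif dmz1
 security-level 10
 ip address 172.16.10.1 255.255.255.0
interface ethernet3.2
 vlan 20
 nameif dmz2
 security-level 20
 ip address 172.16.20.1 255.255.255.0
interface ethernet3.3
 vlan 30
 nameif dmz3
 security-level 30
 ip address 172.16.30.1 255.255.255.0
! Verify tagging and state per subinterface
show interface ethernet3.1
show running-config interface
```

Distinct security levels matter here: two DMZ subinterfaces at the same level cannot talk to each other at all unless "same-security-traffic permit inter-interface" is configured, which is often exactly the isolation a partner DMZ should have.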
Configure Routing Functionality of Security Appliance Including OSPF, RIP

fw1(config)# rip outside passive version 2 authentication md5 MYKEY 2
fw1(config)# rip inside passive
fw1(config)# rip dmz passive version 2

"passive" means the interface only listens for RIP updates and does not advertise. RIP version 1 (the default, as on inside above) has no authentication, so any host on that segment can inject routes; MD5 authentication, as configured on the outside interface, is the minimum for a segment you do not fully control.

[Diagram: appliance with RIP v2 and RIP v1 neighbours; networks 192.168.0.0, 10.0.1.0, 10.0.0.0 and host 172.26.26.30]
Configure Routing Functionality of Security Appliance Including OSPF, RIP

fw1(config)# router ospf 1
fw1(config-router)# network 1.1.1.0 255.255.255.0 area 0
fw1(config-router)# network 2.2.2.0 255.255.255.0 area 2.2.2.0
fw1(config-router)# network 10.0.0.0 255.255.255.0 area 10.0.0.0

firewall(config-router)# network ip_address netmask area area_id
Adds and removes interfaces to and from the OSPF routing process: an interface whose address falls inside the prefix runs OSPF in the given area

[Diagram: Router OSPF 1 with private network 1.1.1.0 (and 10.0.1.0) in area 0, 2.2.2.0 in area 2.2.2.0, 10.0.0.0 in area 10.0.0.0, toward the Internet]
Configure Security Appliance to Pass Multi-Cast (MC) Traffic

A multicast (MC) client on the inside network wants to "view" a MC session from a MC server on the DMZ. Drag the parameter on the left to the correct letter on the right to accomplish this task.

fw1(config)# access-list 120 permit udp any host 224.0.1.50
fw1(config)# interface A
fw1(config-if)# igmp access-group 120
fw1(config)# interface B
fw1(config-if)# igmp forward interface C

Parameters: ethernet1, ethernet2, Inside, DMZ, Outside
Targets: A, B, C

[Diagram: multicast server and MC router 172.16.0.1 on the DMZ (e2), MC client 10.0.0.11 on the inside (e1), outside on e0; MC group 224.0.1.50]
Exam Topics—Configure Security Appliance Advanced Application Layer and Modular Policy Features
Configure a Modular Policy on a Security Appliance Subtopics

What You Need to Know:
Configure a class-map
Configure a policy-map
Configure a service-policy
Configure a class-map type inspect
Configure a policy-map type inspect
Configure regular expressions
Explain the function of protocol inspection
Explain DNS guard feature
Configure a Modular Policy on a Security Appliance Subtopics (Con't)

What You Need to Know:
Describe the AIP-SSM HW and SW
Load IPS SW on the AIP-SSM
Verify AIP-SSM
Configure an IPS modular policy
Describe the CSC-SSM HW and SW
Load CSC SW on the SSM
Verify the CSC-SSM
Configure a CSC modular policy
Layer 7: Application Inspection Overview

A Layer 7 policy is intended for protocol deep packet inspection.
You can configure Layer 7 protocol inspection criteria to recognize specific protocol attributes that you wish to control.
Actions can be applied to the desirable and undesirable traffic.
Application inspection (AI) varies in capability per supported protocol.

Layer 7 application inspection (deep packet inspection) in the diagram: "Get" allowed, "Put" reset, "Post" reset.

[Diagram: Internet (192.168.0.0) -> outside -> appliance (.2) -> inside 10.0.0.0; DMZ HTTP server]
Layer 7: Application Inspection Configuration

To create an application inspection:
1. Create a Layer 7 application inspection policy
   Identify application inspection criteria based on the attributes of a given protocol
   Apply an action to identified packets: allow, reset, or log
2. Create a Layer 3 and 4 policy to identify a traffic stream
   Define the Layer 3 and 4 traffic stream for inspection
   Attach the traffic stream to a Layer 3 and 4 policy

[Diagram: Layer 3 and 4: HTTP traffic to the WWW server; Layer 7: "Get" allowed, "Put" reset, "Post" reset; DMZ HTTP server between outside and inside 10.0.0.0]
Configure Layer 7 Application Inspection Policy

Create a Layer 7 application inspection policy:
class-map type inspect: identify application inspection criteria based on the attributes of a given protocol
policy-map type inspect: apply an action to identified packets (allow, reset, or log)

fw1(config)# class-map type inspect http HTTP_SAFE_Method
fw1(config-cmap)# match request method get
fw1(config)# class-map type inspect http match-any HTTP_RESTRICTED_Methods
fw1(config-cmap)# match request method post
fw1(config-cmap)# match request method put
fw1(config)# policy-map type inspect http inbound_http_traffic
fw1(config-pmap)# class HTTP_SAFE_Method
fw1(config-pmap-c)# allow
fw1(config-pmap)# class HTTP_RESTRICTED_Methods
fw1(config-pmap-c)# reset log

Two details the slide as printed got wrong: class names are case-sensitive and must match exactly (it mixed HTTP_RESTRICTED_Method and HTTP_RESTRICTED_Methods), and an inspection class-map is match-all by default, so a class listing both post and put can never match a single request; alternatives need match-any, or one match statement per method directly in the policy map.

[Diagram: Layer 7: "Get" allowed, "Put" reset, "Post" reset; DMZ HTTP server between outside and inside 10.0.0.0]
Configure a Layer 3 and 4 Policy

Create a Layer 3 and 4 inspection policy:
Define the Layer 3 and 4 traffic stream for inspection
Associate a traffic stream with a Layer 3 and 4 policy

fw1(config)# access-list 102 permit tcp any host 192.168.1.11 eq www
fw1(config)# class-map inbound_http_traffic
fw1(config-cmap)# match access-list 102
fw1(config)# policy-map dmz_http_inbound
fw1(config-pmap)# class inbound_http_traffic
fw1(config-pmap-c)# inspect http inbound_http_traffic
fw1(config)# service-policy dmz_http_inbound interface outside

The Layer 3/4 class-map and the Layer 7 policy-map type inspect share the name inbound_http_traffic here; they live in different namespaces so it works, but distinct names (as in the later examples) are easier to read. service-policy needs the interface keyword (or global) to attach the policy.

[Diagram: Layer 3 and 4: HTTP traffic to the WWW server; DMZ HTTP server between outside and inside 10.0.0.0]
Configure Class-Map Type Inspect Example

fw1(config)# class-map type inspect ftp match-any ftp_method
fw1(config-cmap)# match request-command A
fw1(config-cmap)# match request-command B
fw1(config)# policy-map type inspect ftp inbound_ftp
fw1(config-pmap)# class C
fw1(config-pmap-c)# reset D

Parameters: put, dele, log, reset, ftp_method, inbound_ftp
Targets: A, B, C, D

[Diagram: Internet user -> WWW server 172.16.4.9 (static 192.168.1.11)]

For FTP the inspection class matches on "request-command" (dele, put, stor and so on); "match request method" is the HTTP inspection form. Two alternative commands need a match-any class.
Configure a Layer 3 and 4 Policy Example

fw1(config)# access-list 101 permit tcp any host 192.168.1.11 eq ftp
fw1(config)# A ftp_traffic
fw1(config-cmap)# match access-list 101
fw1(config)# B inbound
fw1(config-pmap)# class C
fw1(config-pmap-c)# inspect D strict
fw1(config)# E F interface outside

Parameters: class-map, policy-map, service-policy, ftp_traffic, ftp, inbound
Targets: A, B, C, D, E, F

[Diagram: Internet 192.168.2.10 -> FTP server 172.16.4.9 (static 192.168.1.11)]
Configure Class-Map Type Inspect HTTP Example

fw1(config)# class-map type inspect http match-any BLOCKED_METHOD_LIST
fw1(config-cmap)# match request method delete
fw1(config-cmap)# match request method post
fw1(config-cmap)# match request method put
fw1(config)# policy-map type inspect http inbound_http
fw1(config-pmap)# class BLOCKED_METHOD_LIST
fw1(config-pmap-c)# reset log
fw1(config)# access-list 102 permit tcp any host 192.168.1.11 eq www
fw1(config)# class-map inbound_http_traffic
fw1(config-cmap)# match access-list 102
fw1(config)# policy-map inbound
fw1(config-pmap)# class inbound_http_traffic
fw1(config-pmap-c)# inspect http inbound_http
fw1(config)# service-policy inbound interface outside

[Diagram: Internet user -> WWW server 172.16.4.9 (static 192.168.1.11)]
Class-Map Type Inspect and Policy-Map Type Inspect

Pair a single traffic match statement with an action directly in the policy map:

fw1(config)# policy-map type inspect http MY_HTTP_MAP
fw1(config-pmap)# match request method post
fw1(config-pmap-c)# drop-connection log

Inspection class maps enable you to group multiple traffic matching statements (match-any, since a request has only one method):

fw1(config)# class-map type inspect http match-any BLOCKED_METHOD_LIST
fw1(config-cmap)# match request method delete
fw1(config-cmap)# match request method post
fw1(config-cmap)# match request method put

The inspection class map is then assigned to the inspection policy map:

fw1(config)# policy-map type inspect http MY_HTTP_MAP
fw1(config-pmap)# class BLOCKED_METHOD_LIST
fw1(config-pmap-c)# drop-connection log
Regular Expressions

Enables you to identify text in a packet using a regular expression. A regular expression is characterized as follows:
Defined as a pattern to match against an input string
Enables you to permit, deny, or log any packet to create custom security checks
Matches a text string either literally, as an exact string, or by using metacharacters, which enable you to match multiple variants of a text string
You can combine custom security checks for increased granular control

A pattern is unanchored unless you say otherwise: "root" also matches "groot" and "rootbeer". Use "test regex" on the appliance to try a pattern against sample input before deploying it.

[Diagram: client logging in with "ftp> username: root" across the Internet to a server; the ASA is configured to drop packets containing the string "root"]
Blocking Based on Matching (or Not) Regular Expressions (REGEX)

Denies all inbound users with a username of "root"
Denies all access to "/root" from the Internet

fw1(config)# regex FTP_USER "root"
fw1(config)# regex FTP_PATH "\/root"
fw1(config)# class-map type regex match-any RESTRICTED_ACCESS
fw1(config-cmap)# match regex A
fw1(config-cmap)# match regex B
fw1(config)# policy-map type inspect ftp C
fw1(config-pmap)# class D
fw1(config-pmap-c)# reset log

Parameters: FTP_USER, FTP_PATH, MY_FTP_MAP, RESTRICTED_ACCESS
Targets: A, B, C, D

[Diagram: Bob sends "ftp> username: root" and "ftp> put /root/filename" to the FTP server]

Note that a regex class-map cannot be used directly as the class of an FTP inspection policy map; on the appliance it is referenced from a match statement that names the FTP field to compare ("match username regex class ..." or "match filename regex class ...").
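The regex slides above, rewritten as a working FTP inspection policy and attached to a Layer 3/4 policy, as an added example (not from the deck). The class and map names, the "^" anchor on the username pattern, the masked banner and the Layer 3/4 policy are assumptions; the server address is the slide's. Instead of a match-any inspection class, each match is paired directly with its action in the policy map, which works on every release the deck covers.

```cisco
! Added example (not from the deck). Names, the "^" anchor and the Layer 3/4
! policy are assumptions; the address follows the slide.
regex FTP_USER "^root"
regex FTP_PATH "/root"
! Try a pattern before deploying it: the first test matches, the second does not
test regex "groot" "root"
test regex "groot" "^root"
! Patterns are grouped in a regex class-map ...
class-map type regex match-any RESTRICTED_STRINGS
 match regex FTP_USER
 match regex FTP_PATH
! ... and referenced from match statements in the FTP inspection policy map.
! A regex class-map cannot itself be a "class" of an inspection policy map;
! the match statement selects which FTP field is compared against it.
policy-map type inspect ftp MY_FTP_MAP
 parameters
  mask-banner
 match username regex class RESTRICTED_STRINGS
  reset log
 match filename regex class RESTRICTED_STRINGS
  reset log
! Layer 3/4 policy that sends inbound FTP to the inspection map; strict mode
! also enforces the command/response sequence of the protocol
access-list 101 extended permit tcp any host 192.168.1.11 eq ftp
class-map ftp_traffic
 match access-list 101
policy-map inbound
 class ftp_traffic
  inspect ftp strict MY_FTP_MAP
service-policy inbound interface outside
! Verify the policy is attached and counting hits
show service-policy interface outside
```

The caret keeps "groot" out, but "rootbeer" still matches "^root" because the regex engine here has no end anchor; if the intent is exactly the account root, match the whole set of forbidden names explicitly rather than by prefix.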
Load IPS SW on the AIP-SSM

fw1(config)# hw-module module 1 A
Image URL [tftp://0.0.0.0/]: tftp://10.0.31.10/AIP-SSM-K9-sys-1.1-a-5.0-0.22.img
Port IP Address [0.0.0.0]: 10.0.31.1
fw1(config)# hw-module module 1 B
The module in slot 1 will be recovered. This may erase all configuration and all data on that device and attempt to download a new image for it.
fw1# C
Opening command session with slot 1.
Connected to slot 1. Escape character sequence is 'CTRL^X'.
sensor# D
--- System Configuration Dialog ---
Current Configuration:

Parameters: recover configure, recover boot, session 1, session m2/0, setup
Targets: A, B, C, D

The full command is "hw-module module 1 ..." (the slide abbreviates it to "hw module 1"). The recovery image is fetched over TFTP, which has no integrity protection, so run the recovery from a trusted management segment (the 10.0.31.0 network here) and confirm the version afterwards with "show module 1".
AIP-SSM Initialized

fw1(config)# show module 1

Mod Card Type                                    Model              Serial No.
--- -------------------------------------------- ------------------ -----------
  1 ASA 5500 Series Security Services Module-10  ASA-SSM-10         123456789

Mod MAC Address Range                 Hw Version   Fw Version   Sw Version
--- --------------------------------- ------------ ------------ --------------
  1 0016.4687.a520 to 0016.4687.a520  1.0          1.0(10)0     6.0(2)E1

Mod SSM Application Name           Status           SSM Application Version
--- ------------------------------ ---------------- --------------------------
  1 IPS                            Up               6.0(2)E1

Mod Status             Data Plane Status     Compatibility
--- ------------------ --------------------- -------------
  1 Up                 Up

[Diagram: ASA with AIP-SSM toward the Internet]
Configure an IPS Modular Policy

fw1(config)# access-list 101 permit tcp any 172.16.1.0 255.255.255.0
fw1(config)# A dmz_traffic
fw1(config-cmap)# match access-list 101
fw1(config)# B dmz_ips
fw1(config-pmap)# class C
fw1(config-pmap-c)# ips D E
fw1(config)# service-policy dmz_ips interface outside

Parameters: class-map, policy-map, dmz_traffic, ips, inline, fail-open
Targets: A, B, C, D, E

IPS Policy: inline, fail open

[Diagram: Internet -> ASA with IPS module -> DMZ servers 172.16.1.0]
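The two AIP-SSM slides (loading the sensor image and building the IPS modular policy) as one worked sequence, added here as an example that is not from the deck. The TFTP server and image name are the slide's values; the answers given inside the sensor's setup dialog are not shown, and the choice of fail-open is the slide's, with its trade-off spelled out in the comments.

```cisco
! Added example (not from the deck). TFTP server 10.0.31.10 and the image
! name are the slide's values.
! 1. Give the ASA the image location and the module's port IP (it prompts
!    for both, as on the slide), then boot the module into recovery. This
!    erases the module's existing configuration.
hw-module module 1 recover configure
hw-module module 1 recover boot
! 2. Watch the module come back and confirm the software version it runs
show module 1 details
! 3. Open a console session to the sensor (CTRL^X to escape) and run its
!    initial setup dialog there:
session 1
!    sensor# setup
! 4. Hand DMZ traffic to the module. "inline" puts the sensor in the data
!    path so it can drop packets; "fail-open" lets matching traffic through
!    uninspected while the module is down or reloading, "fail-close" drops
!    it instead. Fail-open preserves availability at the cost of a blind
!    window every time the sensor restarts or is upgraded.
access-list 101 extended permit tcp any 172.16.1.0 255.255.255.0
class-map dmz_traffic
 match access-list 101
policy-map dmz_ips
 class dmz_traffic
  ips inline fail-open
service-policy dmz_ips interface outside
! 5. Verify the policy is attached and matching
show service-policy interface outside
```

In multiple context mode the service-policy lives inside each context, so the same module can be fed from several tenants with different fail behaviours; decide per DMZ whether an uninspected minute or an outage is the lesser harm.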
Q and A
Recommended Reading
Continue your Cisco Live learning experience with further reading from Cisco Press
Check the Recommended Reading flyer for suggested books
Available Onsite at the Cisco Company Store
Complete Your Online Session Evaluation
Give us your feedback and you could win fabulous prizes. Winners announced daily.
Receive 20 Passport points for each session evaluation you complete.
Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.
Don’t forget to activate your Cisco Live virtual account for access to all session material on-demand and return for our live virtual event in October 2008.
Go to the Collaboration Zone in World of Solutions or visit www.cisco-live.com.