
CCSP Prep: Preparing to Take the Securing Networks with PIX and ASA (SNPA) 642-523 Exam

BRKCRT-2301

14363_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 2

© 2008, Cisco Systems, Inc. All rights reserved. 1


14363_04_2008_c2.scr
Agenda

• Cisco Certified Security Professional
• Preparing for the SNPA Exam
• Exam Format
• Exam Topics
  What you need to know
  Key Technology Reviews
  Sample Exam Questions
• Q&A

Cisco Certified Security Professional

"The CCSP certification (Cisco Certified Security Professional) validates advanced knowledge and skills required to secure Cisco networks."

Acronym   Course Name
SND       Securing Cisco Network Devices
SNRS      Securing Networks with Cisco Routers and Switches
SNPA      Securing Networks with PIX and ASA v5
IPS       Implementing Cisco Intrusion Prevention Systems

Plus one of the electives below:

CANAC     Implementing Network Admission Control
HIPS      Securing Hosts Using Cisco Security Agent
MARS      Implementing Cisco Security Monitoring, Analysis and Response System
Preparing for the SNPA Exam

• Instructor-led and web-based training: Securing Networks with PIX and ASA
• CCO (Cisco.com): configuration guides and command references
• Cisco Press
  Prepare: CCSP SNPA Official Exam Certification Guide, 3rd Ed.
  Practice: CCSP Flash Cards and Exam Practice Pack
  Recommended reading: Cisco ASA, PIX, and FWSM Firewall Handbook, 2nd Ed.
  Recommended reading: CCSP SNPA Quick Reference
• Practical experience

Exam Format
Tests practical implementation skills

• Question formats
  Declarative: a declarative exam item tests simple recall of pertinent facts
  Procedural: a procedural exam item tests the ability to apply knowledge to solve a given issue
  Complex procedural: a complex procedural exam item tests the ability to apply multiple knowledge points to solve a given issue
• Types of questions
  Drag and drop
  Multiple choice
  Simulation
  Simlet
Exam Taking Tips
Practical tips on taking a multiple-choice examination

• Eliminate nonsense options
• Look for the "best" answer
• Look for subtleties
• Make an intelligent guess
• Use a time budget: don't spend too much time on one question

What We Will Cover

• Impossible to cover all topics for SNPA in a two-hour session
• Session is about "How to Prepare for the SNPA Exam", not about "Cover all SNPA knowledge in two hours"
• Will provide:
  Suggestions
  Resources
  Some sample questions
• Will cover key and newer exam topics likely to be included on the exam, based on the exam topics listed on the Cisco SNPA certification website:
  www.cisco.com/web/learning/le3/current_exams/642-523.html
Cisco SNPA Certification Website: SNPA Exam Topics

• The SNPA exam topics on the Cisco SNPA certification website provide general guidelines for the content likely to be included on the exam. However, other related topics may also appear on any specific delivery of the exam.
  Install and configure a security appliance for basic network connectivity
  Configure a security appliance to restrict inbound traffic from untrusted sources
  Configure a security appliance to provide secure connectivity using site-to-site VPNs

Exam Topics (Cont'd)

• Configure a security appliance to provide secure connectivity using remote access VPNs
• Configure transparent firewall, virtual firewall, and high availability firewall features on a security appliance
• Configure AAA services for the security appliance
• Configure routing and switching on a security appliance
• Configure security appliance advanced application layer and modular policy features
• Monitor and manage an installed security appliance
Disclaimer
This session will strictly adhere to Cisco's rules of confidentiality

• We may not be able to address your specific question
• If you have taken the exam, please refrain from asking questions from the exam
• We will be available after the session to direct you to resources to assist with specific questions or to provide clarification

Exam Topic: Install and Configure a Security Appliance for Basic Network Connectivity
Install and Configure a Security Appliance for Basic Network Connectivity: Subtopics
What You Need to Know:
• Describe the firewall technology
• Describe the security appliance hardware and software architecture
• Determine the security appliance hardware and software configuration and verify that it is correct
• Use setup or the CLI to configure basic network settings, including interface configurations
• Use appropriate show commands to verify initial configurations
• Configure NAT and global addressing to meet user requirements
• Configure the DHCP client option

Install and Configure a Security Appliance for Basic Network Connectivity: Subtopics (Cont'd)
• Set the default route
• Configure logging options
• Explain the information contained in syslog files
• Configure static address translations
• Configure Network Address Translation: PAT
• Verify network address translation operation
Describe the Security Appliance Hardware and Software Architecture
ASA Security Appliance Family

[Figure: the ASA family plotted by price against functionality, from the ASA 5505 (SOHO) through the ASA 5510 (ROBO), ASA 5520 (SMB) and ASA 5540 (Enterprise) to the ASA 5550 (SP); the larger models have Gigabit Ethernet interfaces.]

ASA Content Security and Control Security Services Module (CSC-SSM)

The CSC-SSM can block or clean malicious traffic in SMTP, POP3, HTTP, and FTP network traffic.

Malware Protection (Base License)   Content Control (Plus License)
• Anti-Virus                        • URL Filtering
• Anti-Spyware                      • Anti-Spam
• File Blocking                     • Anti-Phishing
                                    • Email Content Filtering
ASA Advanced Inspection and Prevention Security Services Module (AIP-SSM)

An AIP-SSM has the capability to detect and prevent misuse and abuse of, and unauthorized access to, network resources. The following attacks are the most commonly detected by an AIP-SSM:
• Network sweeps and scans
• Common network anomalies on most Open Systems Interconnection (OSI) layers:
  Malformed Address Resolution Protocol (ARP) requests or replies
  Invalid IP datagrams (for example, a "Christmas tree" packet)
  Invalid TCP packets (for example, a source or destination port of 0)
  Malformed application-layer protocol units
• Flooding denial of service (DoS) attacks
• Application layer content attacks

ASA 5505 and 5510 Licensing
Release 7.2 Licensing

Model / License          Interfaces               Security Contexts  VLANs  IPsec VPN Peers  Failover A/S  Failover A/A  Concurrent Firewall Connections
ASA 5505 Base            8 x 10/100               N/A                3      10               N/A           N/A           10,000
ASA 5505 Security Plus   8 x 10/100               N/A                20     25               Yes*          N/A           25,000
ASA 5510 Base            3 x 10/100 + 1 x Mgmt    N/A                50     250              N/A           N/A           50,000
ASA 5510 Security Plus   5 x 10/100               2/5                100    250              Yes           Yes           130,000

* Stateless A/S failover
ASA 5520, 5540, and 5550 Licensing
Release 7.2 Licensing

Model / License     Interfaces                               Security Contexts  VLANs  IPsec VPN Peers  Failover A/S  Failover A/A  WebVPN Peers
ASA 5520 Base       4 x 10/100/1000 + 1 x 10/100             2                  150    750              Yes           Yes           2
ASA 5520 Optional   N/A                                      5, 10, 20          N/A    N/A              N/A           N/A           10, 25, 50, 100, 250, 500, 750
ASA 5540 Base       4 x 10/100/1000 + 1 x 10/100             2                  200    5000             Yes           Yes           2
ASA 5540 Optional   N/A                                      5, 10, 20, 50      N/A    N/A              N/A           N/A           10, 25, 50, 100, 250, 500, 750, 1000, 2500
ASA 5550 Base       8 x 10/100/1000 + 4 fiber + 1 x 10/100   2                  250    5000             Yes           Yes           2
ASA 5550 Optional   N/A                                      5, 10, 20, 50      N/A    N/A              N/A           N/A           10, 25, 50, 100, 250, 500, 750, 1000, 2500, 5000

Describe the Security Appliance Hardware and Software Architecture
Sample item: drag the port name on the left to the correct port location (Port A through Port D) on the ASA 5540 rear panel on the right. Not all apply.

Port names offered: Gigabit 0/0, Gigabit 0/1, Gigabit 0/3, Gigabit 0/4, Gigabit 0/5, Management 0/0, AUX, Failover, Console
[Figure: ASA 5540 rear panel with four port locations labelled Port A through Port D]
Customize Syslog Output
A customer wants to stop a security appliance from outputting "uninteresting" syslog messages such as message 710005. Drag the parameter on the left to the correct letter on the right to complete the command.

(The actual exam items do not look like this. These are for review purposes only.)

fw1(config)# A logging B 710005

Choices: clear, no, message, trap

Completed command: no logging message 710005 (A = no, B = message). This disables the message ID on every logging destination, not just the syslog server; to confirm which message IDs have been disabled or re-levelled, use show logging message 710005 (or show logging message all).

Explain the Information Contained in Syslog Files
Drag the logging descriptor on the left to the correct location (Item A through Item E) in the syslog line on the right.

Descriptors: Logging Level, Logging Device IP address, Logging Device-ID, Logging Date/Timestamp, Logging Message-ID
[Figure: a sample syslog line with five fields marked Item A through Item E]
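The five fields above are easier to reason about with a parser in hand. The following Python is an added example for this page, not code from the deck: it splits ASA syslog lines into timestamp, device-ID, level, message ID and text, and then applies the logging policy from the previous slide (logging trap <level>, no logging message <id>, logging message <id> level <n>) to decide which messages would reach a syslog server. The sample lines are constructed for the example and assume logging timestamp and logging device-id hostname are configured with the hostname fw1; the sending device's IP address, the fifth descriptor on the slide, is recorded by the syslog server from the UDP header and is not part of the message text.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample lines (not captured from a real appliance). The first three
# assume "logging timestamp" and "logging device-id hostname" are configured;
# the last shows the bare form without either option.
SAMPLE_LINES = [
    "Jun 12 2006 09:15:01 fw1 : %ASA-6-302013: Built outbound TCP connection 4115 "
    "for outside:192.168.0.6/80 (192.168.0.6/80) to inside:10.0.0.15/33401 (192.168.0.9/1024)",
    "Jun 12 2006 09:15:02 fw1 : %ASA-7-710005: UDP request discarded from "
    "10.0.0.7/137 to inside:10.0.0.255/137",
    "Jun 12 2006 09:15:04 fw1 : %ASA-4-106023: Deny tcp src outside:203.0.113.9/4433 "
    "dst dmz:192.168.0.9/22 by access-group \"aclout\"",
    "%ASA-6-302014: Teardown TCP connection 4115 for outside:192.168.0.6/80 "
    "to inside:10.0.0.15/33401 duration 0:00:03 bytes 1450 TCP FINs",
]

SEVERITY_NAMES = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
                  4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}

# <timestamp> <device-id> : %<platform>-<level>-<message-id>: <text>
LINE_RE = re.compile(
    r"^(?:(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}) )?"  # logging timestamp
    r"(?:(?P<devid>[^%\s]+) : )?"                                     # logging device-id
    r"%(?P<platform>ASA|PIX|FWSM)-(?P<level>[0-7])-(?P<msgid>\d{6}): "
    r"(?P<text>.*)$"
)


@dataclass
class AsaSyslog:
    timestamp: Optional[str]
    device_id: Optional[str]
    level: int
    msgid: str
    text: str

    @property
    def severity(self) -> str:
        return SEVERITY_NAMES[self.level]


def parse_asa_syslog(line: str) -> Optional[AsaSyslog]:
    """Split one ASA syslog line into its fields; None if it is not an ASA message."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return AsaSyslog(m["ts"], m["devid"], int(m["level"]), m["msgid"], m["text"])


@dataclass
class LoggingPolicy:
    trap_level: int                  # "logging trap <level>": forward level <= trap_level
    disabled: Set[str]               # "no logging message <id>"
    relevelled: Dict[str, int]       # "logging message <id> level <n>"

    def forwards(self, msg: AsaSyslog) -> bool:
        if msg.msgid in self.disabled:
            return False             # a disabled message goes to no destination at all
        level = self.relevelled.get(msg.msgid, msg.level)
        return level <= self.trap_level


def forwarded_ids(lines: List[str], policy: LoggingPolicy) -> List[str]:
    """Message IDs, in order, that the policy would send to the syslog server."""
    out = []
    for line in lines:
        msg = parse_asa_syslog(line)
        if msg is not None and policy.forwards(msg):
            out.append(msg.msgid)
    return out


if __name__ == "__main__":
    policy = LoggingPolicy(trap_level=6, disabled={"710005"}, relevelled={})
    for line in SAMPLE_LINES:
        msg = parse_asa_syslog(line)
        print(msg.msgid, msg.severity, "forwarded" if policy.forwards(msg) else "suppressed")
```

With logging trap informational plus no logging message 710005, the level-7 message is dropped twice over (by level and by ID), while 302013, 106023 and 302014 are forwarded; re-levelling 302013 to debugging instead keeps it on the appliance buffer but off the server, which is the usual way to quieten connection build/teardown noise without losing the deny messages.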
NAT/Global vs. Static Command

NAT/Global pool (dynamic NAT/PAT address assignments): inside end users (for example, Sam Jones at 10.0.0.12 and Bob Smith at 10.0.0.11) receive an address from a pool of available global addresses when they connect outbound. Used mostly for outbound end-user connections.

Static (a "permanent" address assignment): a fixed one-to-one mapping, for example for the WWW server 172.16.1.9 and the FTP server 172.16.1.10. Used mostly for server connections.

Configure Network Address Translation: PAT
Customer desires packets from subnet 10.0.2.0 on the inside to be dynamically translated to 192.168.0.9 on the outside. Drag the parameter on the left to the correct letter on the right to complete the command.

[Figure: inside network 10.0.0.0 with subnets 10.0.1.0 (Engineering, nat ID 1) and 10.0.2.0 (Sales, nat ID 2) behind fw1; outside network 192.168.0.0 with the PAT address 192.168.0.9]

fw1(config)# nat (inside) 2 10.0.2.0 255.255.255.0
fw1(config)# global ( A ) B C netmask 255.255.255.255

Choices: outside, inside, 192.168.0.9, 10.0.2.0, 1, 2

Completed command: global (outside) 2 192.168.0.9 netmask 255.255.255.255 (A = outside, B = 2, C = 192.168.0.9). The nat ID (2) ties the nat statement on the inside interface to the global statement on the outside interface; a single global address with a 255.255.255.255 mask makes it PAT rather than a pool.
Configure Static Address Translations
Customer desires packets sent to 192.168.1.3 on the outside to be translated to 172.16.1.9 (the DMZ WWW server). Drag the parameter on the left to the correct letter on the right.

fw1(config)# static (A,B) C D netmask 255.255.255.255

Choices: Outside, DMZ, 192.168.1.3, 172.16.1.9

Completed command: static (DMZ,outside) 192.168.1.3 172.16.1.9 netmask 255.255.255.255 (A = DMZ, B = outside, C = 192.168.1.3, D = 172.16.1.9). Note the ordering trap in the pre-8.3 syntax: the interface pair is (real,mapped) but the addresses are given mapped first, then real.

Configure a Net Static
A customer desires packets sent to the 192.168.10.0 subnet on the outside to be translated to the same host number on the 172.16.1.0 subnet on the DMZ (for example, 192.168.10.9 to the WWW server 172.16.1.9 and 192.168.10.10 to the FTP server 172.16.1.10). Drag the parameter on the left to the correct letter on the right.

fw1(config)# static (A,B) C D netmask 255.255.255.0

Choices: Outside, DMZ, 192.168.10.0, 172.16.1.0

Completed command: static (DMZ,outside) 192.168.10.0 172.16.1.0 netmask 255.255.255.0 (A = DMZ, B = outside, C = 192.168.10.0, D = 172.16.1.0). The 255.255.255.0 mask is what makes this a net static: every host in 172.16.1.0/24 becomes reachable at the same host number in 192.168.10.0/24, so use it only when the whole range is meant to be exposed, and keep the outside ACL tight.
Configure Static Port Redirection
A customer wants packets sent to 192.168.0.9 port 2121 to be redirected by the security appliance to 172.16.1.10 port 21 (the FTP2 Server on the DMZ; the FTP1 Server is 172.16.1.9). Drag the parameter on the left to the correct letter on the right to accomplish this task.

fw1(config)# static (A,B) tcp C D E F netmask 255.255.255.255

Choices: Outside, DMZ, 192.168.0.9, 172.16.1.10, 2121, FTP

Completed command: static (DMZ,outside) tcp 192.168.0.9 2121 172.16.1.10 ftp netmask 255.255.255.255 (A = DMZ, B = outside, C = 192.168.0.9, D = 2121, E = 172.16.1.10, F = ftp). As with a plain static, the mapped address and port come before the real address and port; ftp is accepted as the name for TCP port 21.

Set Embryonic and Connection Limits on the Security Appliance
A customer wants to limit the number of TCP and UDP connections to DMZ Server 2 (172.16.1.9, reachable from the outside as 192.168.1.3): UDP_Max_Conns = 100, TCP_Max_Conns = 200, Embryonic_limit = 25. Using the static command, drag the parameter on the left to the correct letter on the right to accomplish this task.

fw1(config)# static (dmz,outside) 192.168.1.3 172.16.1.9 A B C D

Choices: 100, UDP, 200, 25

Completed command (ASA 7.x syntax, which needs the tcp keyword before the TCP limits): static (dmz,outside) 192.168.1.3 172.16.1.9 tcp 200 25 udp 100, that is A = 200 (TCP max connections), B = 25 (embryonic limit), C = udp, D = 100 (UDP max connections). An embryonic connection is a TCP connection whose three-way handshake has not completed; once the limit is reached the appliance answers further SYNs on the server's behalf (TCP Intercept) and only hands over connections that complete the handshake, which is what protects the server from a SYN flood. The same limits can also be set per traffic class with the Modular Policy Framework.
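Because the last four items all turn on the operand order of the pre-8.3 static command, here is a small model, added for this page and not taken from the deck, that parses the completed commands from these slides into translation entries, resolves an inbound packet's mapped destination to the real host (host static, net static and port redirection) and enforces the per-static TCP, embryonic and UDP limits. The packets and the connection-tracking logic are constructed for the example, and two simplifications are marked in the code: port-redirection statics are tried before address statics, and where the real appliance engages TCP Intercept at the embryonic limit this model simply refuses the SYN.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple

SERVICE_PORTS = {"ftp": 21, "telnet": 23, "smtp": 25, "www": 80, "http": 80, "https": 443}


@dataclass
class Static:
    real_ifc: str
    mapped_ifc: str
    mapped: IPv4Network            # mapped (global) host or subnet
    real: IPv4Network              # real host or subnet of the same size
    proto: Optional[str] = None    # "tcp"/"udp": port redirection only
    mapped_port: Optional[int] = None
    real_port: Optional[int] = None
    tcp_max_conns: int = 0         # 0 = unlimited
    emb_limit: int = 0
    udp_max_conns: int = 0


def _port(tok: str) -> int:
    return SERVICE_PORTS.get(tok.lower()) or int(tok)


def parse_static(cmd: str) -> Static:
    """Parse 'static (real,mapped) [tcp|udp] MAPPED [PORT] REAL [PORT] [netmask M]
    [tcp MAX [EMB]] [udp MAX]'. Pre-8.3 operand order: mapped before real."""
    t = cmd.split()
    if t[0] != "static":
        raise ValueError("not a static command")
    real_ifc, mapped_ifc = t[1].strip("()").lower().split(",")
    i, proto = 2, None
    if t[i].lower() in ("tcp", "udp"):
        proto, i = t[i].lower(), i + 1
    mapped_ip, i = t[i], i + 1
    mapped_port = real_port = None
    if proto:
        mapped_port, i = _port(t[i]), i + 1
    real_ip, i = t[i], i + 1
    if proto:
        real_port, i = _port(t[i]), i + 1
    mask = "255.255.255.255"          # default for a host static
    if i < len(t) and t[i] == "netmask":
        mask, i = t[i + 1], i + 2
    tcp_max = emb = udp_max = 0
    while i < len(t):
        if t[i] == "tcp":
            tcp_max, i = int(t[i + 1]), i + 2
            if i < len(t) and t[i].isdigit():
                emb, i = int(t[i]), i + 1
        elif t[i] == "udp":
            udp_max, i = int(t[i + 1]), i + 2
        else:
            raise ValueError(f"unexpected token {t[i]!r}")
    return Static(real_ifc, mapped_ifc, IPv4Network(f"{mapped_ip}/{mask}"),
                  IPv4Network(f"{real_ip}/{mask}"), proto, mapped_port, real_port,
                  tcp_max, emb, udp_max)


def untranslate(statics: List[Static], ifc: str, proto: str, dst_ip: str,
                dst_port: int) -> Optional[Tuple[Static, str, int]]:
    """Resolve a packet arriving on interface `ifc` to (static, real_ip, real_port).
    Simplification: port-redirection statics are tried before address statics."""
    dst = IPv4Address(dst_ip)
    for s in sorted(statics, key=lambda s: s.proto is None):
        if s.mapped_ifc != ifc.lower() or dst not in s.mapped:
            continue
        if s.proto:
            if s.proto == proto and s.mapped_port == dst_port:
                return s, str(s.real.network_address), s.real_port
            continue
        offset = int(dst) - int(s.mapped.network_address)  # net static keeps the host part
        return s, str(IPv4Address(int(s.real.network_address) + offset)), dst_port
    return None


@dataclass
class ConnTable:
    """Per-static connection counters, keyed by the real address (constructed model)."""
    embryonic: Dict[str, int] = field(default_factory=dict)
    established: Dict[str, int] = field(default_factory=dict)
    udp: Dict[str, int] = field(default_factory=dict)

    def admit(self, s: Static, proto: str) -> bool:
        key = str(s.real)
        if proto == "udp":
            if s.udp_max_conns and self.udp.get(key, 0) >= s.udp_max_conns:
                return False
            self.udp[key] = self.udp.get(key, 0) + 1
            return True
        total = self.embryonic.get(key, 0) + self.established.get(key, 0)
        if s.tcp_max_conns and total >= s.tcp_max_conns:
            return False
        if s.emb_limit and self.embryonic.get(key, 0) >= s.emb_limit:
            return False   # the real appliance proxies the handshake (TCP Intercept) here
        self.embryonic[key] = self.embryonic.get(key, 0) + 1
        return True

    def complete_handshake(self, s: Static) -> None:
        key = str(s.real)
        self.embryonic[key] -= 1
        self.established[key] = self.established.get(key, 0) + 1
```

Feeding the three completed commands from these slides into parse_static and then asking untranslate about 192.168.10.10 port 21 returns 172.16.1.10 through the net static, while 192.168.0.9 port 2121 returns 172.16.1.10 port 21 through the port redirection and 192.168.0.9 port 80 returns nothing at all, which is the behaviour to expect from a port static: only the redirected port is exposed.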
Exam Topic: Configure a Security Appliance to Restrict Inbound Traffic from Untrusted Sources

Configure a Security Appliance to Restrict Inbound Traffic from Untrusted Sources: Subtopics
What You Need to Know:
• Configure access-lists to filter traffic based on address, time, and protocols
• Configure object-groups to optimize access-list processing
• Configure Network Address Translation: Nat 0
• Configure Network Address Translation: Policy NAT
• Configure Java/ActiveX filtering
• Configure URL filtering
• Verify inbound traffic restrictions
• Configure static port redirection
• Configure a net static
• Set embryonic and connection limits on the security appliance
Security Appliance ACL Configuration

[Figure: outside (Internet) and inside interfaces; an ACL on the outside interface governs inbound access and an ACL on the inside interface can deny outbound access; with no ACL, outbound is permitted by default and inbound is denied by default]

Security appliance configuration philosophy is interface based.
• An interface ACL permits or denies the initial packet incoming or outgoing on that interface
• The ACL needs to describe only the initial packet of the application; there is no need to think about return traffic, which stateful inspection lets back through
• If no ACL is attached to an interface, the following ASA policy applies:
  Outbound packets (from a higher to a lower security level) are permitted by default
  Inbound packets (from a lower to a higher security level) are denied by default

Configure Access-Lists to Filter Traffic Based on Address and Protocol
A customer wants to give Internet users HTTP-only access to the company's DMZ WWW server (172.16.0.2, reachable from the outside as 192.168.0.9). Using the access-list command, drag the parameter on the left to the correct letter on the right to accomplish this task.

fw1(config)# static (DMZ,outside) 192.168.0.9 172.16.0.2
fw1(config)# access-list aclout permit tcp A B C eq D

Choices: any, WWW, host, 255.255.255.0, 172.16.0.2, 192.168.0.9

Completed command: access-list aclout permit tcp any host 192.168.0.9 eq www (A = any, B = host, C = 192.168.0.9, D = www). Before release 8.3, an ACL on the outside interface is written against the mapped (global) address from the static, not the real DMZ address, so 172.16.0.2 is a distractor. The list does nothing until it is bound to the interface with access-group aclout in interface outside.
Configure Access-Lists to Filter Traffic Based on Address and Time
Scenario: a temp worker at 192.168.10.2 on the Internet is to be allowed access to the DMZ server 172.16.0.6 (reachable from the outside as 192.168.0.6) from 8 AM to 5 PM, 1 June to 30 June.

• Define a time when certain resources can be accessed
  Absolute start and stop time and date
  Recurring (periodic) time range by time and day of the week
  Apply the time-range to an ACL

fw1(config)# time-range temp-worker
fw1(config-time-range)# absolute start 00:00 1 June 2006 end 00:00 30 June 2006
fw1(config-time-range)# periodic weekdays 8:00 to 17:00
fw1(config)# static (dmz,outside) 192.168.0.6 172.16.0.6
fw1(config)# access-list aclin permit tcp host 192.168.10.2 host 192.168.0.6 eq www time-range temp-worker

Two things to check: an absolute end of 00:00 on 30 June means the entry goes inactive at the start of 30 June, so that day is not covered (use end 23:59 30 June 2006 to include it), and a time-based ACE is only as trustworthy as the appliance clock, so set the time zone and synchronize with NTP before relying on it.
Configure Network Address Translation: Policy NAT
When sending sales orders to Company A (sales server 192.168.10.11), all ABC Corp. IP source addresses (inside subnet 10.0.0.0/24, for example 10.0.0.15) must be translated to 192.168.0.33. Using the access-list, nat and global commands, drag the parameter on the left to the correct letter on the right to accomplish this task.

fw1(config)# access-list company_a permit tcp A 255.255.255.0 host B
fw1(config)# nat (inside) 10 access-list company_a
fw1(config)# global (outside) C D netmask 255.255.255.255

Choices: 192.168.0.33, 10.0.0.15, 0, 10.0.0.0, 192.168.10.11, 10

Completed commands: access-list company_a permit tcp 10.0.0.0 255.255.255.0 host 192.168.10.11 and global (outside) 10 192.168.0.33 netmask 255.255.255.255 (A = 10.0.0.0, B = 192.168.10.11, C = 10, D = 192.168.0.33). Policy NAT matches on source and destination together, so only traffic to Company A's server is translated to 192.168.0.33; traffic to other destinations falls through to the regular nat/global rules.
Configure Network Address Translation: Nat 0
A customer does NOT want to translate home office to corporate office VPN traffic (corporate office 10.10.0.0/24 behind fw1, home office 10.100.1.0/24 across the Internet). Using the access-list and nat commands, drag the parameter on the left to the correct letter on the right to accomplish this task.

fw1(config)# access-list VPN-NO-NAT permit ip A 255.255.255.0 B 255.255.255.0
fw1(config)# nat (inside) C access-list VPN-NO-NAT

Choices: 10.10.0.0, 10.100.1.0, 0, 1

Completed commands: access-list VPN-NO-NAT permit ip 10.10.0.0 255.255.255.0 10.100.1.0 255.255.255.0 and nat (inside) 0 access-list VPN-NO-NAT (A = 10.10.0.0, B = 10.100.1.0, C = 0). NAT exemption (nat 0 with an access-list) is evaluated before every other translation rule, so it is the standard way to keep VPN traffic untranslated while the same hosts are PATed to the Internet.
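The three slides above (PAT with nat/global, policy NAT, and nat 0) only make sense together with the order in which the appliance consults them. The Python below is an added example, not from the deck, that models that order for outbound traffic in pre-8.3 software: NAT exemption (nat 0 access-list) first, then policy NAT (a nat statement with an access-list, in configuration order), then regular NAT, where the most specific nat statement wins; within one nat ID, a global pool of addresses is used before a single-address (PAT) global. The rules are those from the slides; the nat (inside) 1 10.0.0.0 255.255.0.0 catch-all, the 192.168.0.20-21 pool, the 192.168.0.22 PAT fallback and the PAT port numbering are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple


@dataclass
class Ace:                       # "access-list NAME permit PROTO SRC MASK DST MASK"
    src: IPv4Network
    dst: IPv4Network
    proto: str = "ip"


@dataclass
class NatRule:                   # "nat (IFC) ID access-list ACL"  or  "nat (IFC) ID NET MASK"
    ifc: str
    nat_id: int
    acl: Optional[List[Ace]] = None
    real: Optional[IPv4Network] = None


@dataclass
class GlobalPool:                # "global (IFC) ID FIRST[-LAST] netmask M"
    ifc: str
    nat_id: int
    first: IPv4Address
    last: IPv4Address

    def is_pat(self) -> bool:    # a single address is a PAT global
        return self.first == self.last


@dataclass
class Xlate:
    kind: str                    # "exempt" | "identity" | "nat" | "pat"
    mapped_ip: str
    mapped_port: Optional[int]


class Translator:
    def __init__(self, nats: List[NatRule], globals_: List[GlobalPool], pat_base: int = 1024):
        self.nats, self.globals, self.pat_base = nats, globals_, pat_base
        self.pool_next: Dict[Tuple[str, int], int] = {}   # next free pool address
        self.pat_next: Dict[str, int] = {}                 # next PAT port per mapped address (placeholder)

    @staticmethod
    def _matches(rule: NatRule, src: IPv4Address, dst: IPv4Address, proto: str) -> bool:
        if rule.acl is not None:
            return any(src in a.src and dst in a.dst and a.proto in ("ip", proto)
                       for a in rule.acl)
        return src in rule.real

    @staticmethod
    def _rank(rule: NatRule):
        # 1. nat 0 access-list (exemption)   2. policy NAT, configuration order
        # 3. regular NAT, most specific mask first
        exemption = rule.nat_id == 0 and rule.acl is not None
        return (not exemption, rule.acl is None, -(rule.real.prefixlen if rule.real else 32))

    def translate(self, in_ifc: str, out_ifc: str, proto: str, src_ip: str,
                  dst_ip: str, src_port: int) -> Optional[Xlate]:
        src, dst = IPv4Address(src_ip), IPv4Address(dst_ip)
        matches = [r for r in self.nats if r.ifc == in_ifc and self._matches(r, src, dst, proto)]
        if not matches:
            return None              # no nat statement: untranslated (dropped under nat-control)
        rule = sorted(matches, key=self._rank)[0]
        if rule.nat_id == 0:
            return Xlate("exempt" if rule.acl else "identity", src_ip, src_port)
        pools = [g for g in self.globals if g.ifc == out_ifc and g.nat_id == rule.nat_id]
        for g in sorted(pools, key=GlobalPool.is_pat):          # address pool before PAT
            if not g.is_pat():
                n = self.pool_next.get((g.ifc, g.nat_id), int(g.first))
                if n <= int(g.last):
                    self.pool_next[(g.ifc, g.nat_id)] = n + 1
                    return Xlate("nat", str(IPv4Address(n)), src_port)
                continue             # pool exhausted: fall back to a PAT global with the same ID
            port = self.pat_next.get(str(g.first), self.pat_base)
            self.pat_next[str(g.first)] = port + 1
            return Xlate("pat", str(g.first), port)
        return None                  # nat ID has no global on the egress interface


# Rules from the slides plus constructed extras (catch-all nat 1 and its globals).
NATS = [
    NatRule("inside", 0, acl=[Ace(IPv4Network("10.10.0.0/24"), IPv4Network("10.100.1.0/24"))]),
    NatRule("inside", 10, acl=[Ace(IPv4Network("10.0.0.0/24"), IPv4Network("192.168.10.11/32"), "tcp")]),
    NatRule("inside", 2, real=IPv4Network("10.0.2.0/24")),
    NatRule("inside", 1, real=IPv4Network("10.0.0.0/16")),
]
GLOBALS = [
    GlobalPool("outside", 10, IPv4Address("192.168.0.33"), IPv4Address("192.168.0.33")),
    GlobalPool("outside", 2, IPv4Address("192.168.0.9"), IPv4Address("192.168.0.9")),
    GlobalPool("outside", 1, IPv4Address("192.168.0.20"), IPv4Address("192.168.0.21")),
    GlobalPool("outside", 1, IPv4Address("192.168.0.22"), IPv4Address("192.168.0.22")),
]
```

The instructive cases are the ones where two rules could apply: 10.0.0.15 talking TCP to 192.168.10.11 is covered by both the policy rule (nat 10) and the catch-all (nat 1) and gets 192.168.0.33 because policy NAT is consulted first, the same host talking UDP to the same server falls through to the nat 1 pool, and 10.0.2.7 matches both nat 2 and nat 1 and is PATed to 192.168.0.9 because the /24 is the more specific regular rule.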

Configure Object-Groups to Optimize Access-List Processing
A network administrator wants to grant external IT personnel, on subnet 192.168.10.0/24, HTTPS access to the servers on the DMZ subnet 172.16.1.0/24. Using the access-list command, drag the parameter on the left to the correct letter on the right to accomplish this task.

fw1(config)# object-group service object1 tcp
fw1(config-service)# port-object eq https
fw1(config)# object-group network object2
fw1(config-network)# network-object 172.16.1.0 255.255.255.0
fw1(config)# object-group network object3
fw1(config-network)# network-object 192.168.10.0 255.255.255.0
fw1(config)# access-list IT extended permit tcp object-group A object-group B object-group C

Choices: object1, object2, object3

Completed command: access-list IT extended permit tcp object-group object3 object-group object2 object-group object1 (A = object3, B = object2, C = object1): source group, then destination group, then the service group. Object-groups expand to one ACE per combination of members, so a small change to a group rewrites many ACEs; show access-list displays the expanded entries together with their hit counts, which is the quickest way to verify that the intended traffic is matching.
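To see how the default interface policy, a time-range ACE and object-group ACEs interact on one packet, the following Python is an added example (not from the deck) that expands object-groups into plain ACEs, evaluates a time-range the way the absolute and periodic keywords describe it, and applies the interface rule from the ACL slide: the ACL bound inbound on the ingress interface decides, and with no ACL the security levels decide. The security levels (outside 0, dmz 50, inside 100), the packets and the single outside ACL are constructed; the ACEs are the ones from the three ACL slides above. One interpretation is assumed and marked in the code: start times are inclusive and end times exclusive, so the absolute end of 00:00 30 June 2006 excludes 30 June.

```python
from dataclasses import dataclass, field
from datetime import datetime, time
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Set, Tuple

SERVICE_PORTS = {"ftp": 21, "smtp": 25, "www": 80, "http": 80, "https": 443}
WEEKDAYS = {0, 1, 2, 3, 4}                       # Monday..Friday, as in "periodic weekdays"


@dataclass
class TimeRange:
    # Assumed semantics: start inclusive, end exclusive ("end 00:00 30 June" excludes the 30th).
    absolute: Optional[Tuple[datetime, datetime]] = None
    periodic: List[Tuple[Set[int], time, time]] = field(default_factory=list)

    def active(self, at: datetime) -> bool:
        if self.absolute and not (self.absolute[0] <= at < self.absolute[1]):
            return False
        if not self.periodic:
            return True
        return any(at.weekday() in days and start <= at.time() < end
                   for days, start, end in self.periodic)


# Object-groups from the slide (network-object / port-object eq https).
NET_GROUPS: Dict[str, List[IPv4Network]] = {"object2": [IPv4Network("172.16.1.0/24")],
                                            "object3": [IPv4Network("192.168.10.0/24")]}
SVC_GROUPS: Dict[str, Set[int]] = {"object1": {443}}


def _nets(spec: str) -> List[IPv4Network]:
    """'any' | 'host A.B.C.D' | 'object-group NAME' | 'NET MASK' -> networks."""
    if spec == "any":
        return [IPv4Network("0.0.0.0/0")]
    kw, *rest = spec.split()
    if kw == "host":
        return [IPv4Network(rest[0] + "/32")]
    if kw == "object-group":
        return NET_GROUPS[rest[0]]
    return [IPv4Network(f"{kw}/{rest[0]}")]


def _ports(spec: Optional[str]) -> Optional[Set[int]]:
    """None (any port) | 'eq PORT' | 'object-group NAME' -> destination ports."""
    if spec is None:
        return None
    kw, name = spec.split()
    if kw == "object-group":
        return SVC_GROUPS[name]
    return {SERVICE_PORTS.get(name) or int(name)}


@dataclass
class Ace:
    action: str                  # permit | deny
    proto: str                   # ip | tcp | udp
    src: List[IPv4Network]
    dst: List[IPv4Network]
    dports: Optional[Set[int]]   # None = any port
    time_range: Optional[TimeRange] = None


@dataclass
class Packet:
    in_ifc: str
    out_ifc: str
    proto: str
    src: IPv4Address
    dst: IPv4Address
    dport: int


def ace(action, proto, src, dst, ports=None, time_range=None) -> Ace:
    return Ace(action, proto, _nets(src), _nets(dst), _ports(ports), time_range)


def ace_matches(a: Ace, p: Packet, at: datetime) -> bool:
    return (a.proto in ("ip", p.proto)
            and any(p.src in n for n in a.src) and any(p.dst in n for n in a.dst)
            and (a.dports is None or p.dport in a.dports)
            and (a.time_range is None or a.time_range.active(at)))


SECURITY_LEVEL = {"outside": 0, "dmz": 50, "inside": 100}   # constructed for the example


def decide(acls: Dict[str, List[Ace]], p: Packet, at: datetime) -> str:
    """First packet of a flow: the ACL bound inbound on the ingress interface decides
    (implicit deny at its end); with no ACL, higher-to-lower security is permitted."""
    acl = acls.get(p.in_ifc)
    if acl is None:
        return "permit" if SECURITY_LEVEL[p.in_ifc] > SECURITY_LEVEL[p.out_ifc] else "deny"
    for a in acl:
        if ace_matches(a, p, at):
            return a.action
    return "deny"


TEMP_WORKER = TimeRange(absolute=(datetime(2006, 6, 1, 0, 0), datetime(2006, 6, 30, 0, 0)),
                        periodic=[(WEEKDAYS, time(8, 0), time(17, 0))])

# Only the outside interface carries an ACL here; the ACEs come from the slides above.
ACLS: Dict[str, List[Ace]] = {"outside": [
    ace("permit", "tcp", "any", "host 192.168.0.9", "eq www"),
    ace("permit", "tcp", "host 192.168.10.2", "host 192.168.0.6", "eq www", TEMP_WORKER),
    ace("permit", "tcp", "object-group object3", "object-group object2", "object-group object1"),
]}


def pkt(in_ifc, out_ifc, proto, src, dst, dport) -> Packet:
    return Packet(in_ifc, out_ifc, proto, IPv4Address(src), IPv4Address(dst), dport)
```

The checks worth running are the boundary ones: the temp worker's HTTP request is permitted on Thursday 15 June at 10:00 but denied on Saturday, at exactly 17:00, and on 30 June; HTTPS from the IT subnet to the DMZ is permitted while HTTP from the same hosts is not; and a DMZ host opening a connection to the inside is denied with no ACL at all, because 50 is lower than 100.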
Exam Topic: Configure a Security Appliance to Provide Secure Connectivity Using Site-to-Site VPNs

Configure a Security Appliance to Provide Secure Connectivity Using Site-to-Site VPNs
What You Need to Know:
• Explain the basic functionality of IPsec
• Configure IKE with preshared keys
• Differentiate between the types of encryption
• Configure IPsec parameters
• Configure crypto-maps and ACLs
Identify Interesting Traffic

Site 1 (10.0.1.11 behind fw1, outside 192.168.1.2) and Site 2 (10.0.6.11 behind fw6, outside 192.168.6.2) across the Internet.

fw1(config)# access-list 101 permit ip A 255.255.255.0 B 255.255.255.0
fw6(config)# access-list 101 permit ip C 255.255.255.0 D 255.255.255.0

Choices: 10.0.1.0, 10.0.6.0, 10.0.1.0, 10.0.6.0

Completed commands: on fw1, access-list 101 permit ip 10.0.1.0 255.255.255.0 10.0.6.0 255.255.255.0; on fw6, access-list 101 permit ip 10.0.6.0 255.255.255.0 10.0.1.0 255.255.255.0 (A = 10.0.1.0, B = 10.0.6.0, C = 10.0.6.0, D = 10.0.1.0). The two crypto ACLs must be mirror images of each other; a mismatch shows up as a proxy-identity failure when phase 2 is negotiated.

Configure Tunnel-Group Attributes: Pre-Shared Key

Site 1 (10.0.1.11 behind fw1, outside 192.168.1.2) and Site 2 (10.0.6.11 behind fw6, outside 192.168.6.2). fw1 defines an IPsec L2L tunnel-group named after the peer address 192.168.6.2 with pre-shared-key cisco123; fw6 defines the matching tunnel-group 192.168.1.2 with the same key.

fw1(config)# tunnel-group 192.168.6.2 type ipsec-l2l
fw1(config)# tunnel-group 192.168.6.2 ipsec-attributes
fw1(config-ipsec)# pre-shared-key cisco123

For a site-to-site tunnel the tunnel-group name must be the peer's IP address, because that is how the appliance looks up the key when the peer's IKE proposal arrives; the key itself should be long and random in a real deployment, not a dictionary word like cisco123.
Configure IKE with Pre-Shared Keys

Site 1 (10.0.1.11 behind fw1, outside 192.168.1.2) and Site 2 (10.0.6.11 behind fw6, outside 192.168.6.2).

fw1(config)# isakmp policy 10 encryption 3des
fw1(config)# isakmp policy 10 hash sha
fw1(config)# isakmp policy 10 authentication pre-share
fw1(config)# isakmp policy 10 group 1
fw1(config)# isakmp policy 10 lifetime 86400

The policy on fw6 must match on encryption, hash, authentication and Diffie-Hellman group; the lifetime need not be identical (the shorter of the two is used). Group 1 is 768-bit Diffie-Hellman and is too weak for current use: the remote access example later in this deck uses group 2, and AES with group 2 or higher is the better choice for new deployments.
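The matching rule in the previous paragraph has an asymmetry that bites in practice when two sites configure different lifetimes. The Python below is an added example, not code from the deck: it implements IKEv1 phase 1 policy selection as the ASA configuration guide describes it (the initiator sends all its policies, the responder walks its own in priority order and accepts the first proposal with identical encryption, hash, authentication and group whose lifetime is at least the responder's, and the shorter lifetime is used), and adds a small audit that flags DES, MD5 and group 1. fw1's policy is the one on the slide; fw6's two policies are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class IsakmpPolicy:
    priority: int            # "isakmp policy <n>": lower number = higher priority
    encryption: str          # des | 3des | aes | aes-192 | aes-256
    hash: str                # md5 | sha
    authentication: str      # pre-share | rsa-sig
    group: int               # Diffie-Hellman group 1, 2, 5 or 7
    lifetime: int = 86400    # seconds


def negotiate(initiator: List[IsakmpPolicy],
              responder: List[IsakmpPolicy]) -> Optional[Tuple[IsakmpPolicy, IsakmpPolicy, int]]:
    """IKEv1 phase 1 policy matching as the ASA configuration guide describes it:
    the responder checks its policies in priority order against every proposal the
    initiator sent and takes the first one with the same encryption, hash,
    authentication and DH group whose lifetime is >= its own. Returns
    (initiator policy, responder policy, negotiated lifetime) or None."""
    for r in sorted(responder, key=lambda p: p.priority):
        for i in sorted(initiator, key=lambda p: p.priority):
            same_suite = ((i.encryption, i.hash, i.authentication, i.group)
                          == (r.encryption, r.hash, r.authentication, r.group))
            if same_suite and i.lifetime >= r.lifetime:
                return i, r, min(i.lifetime, r.lifetime)
    return None


def audit(p: IsakmpPolicy) -> List[str]:
    """Flag parameters a reviewer would reject today (not an exhaustive list)."""
    issues = []
    if p.encryption == "des":
        issues.append("DES (56-bit key)")
    if p.hash == "md5":
        issues.append("MD5 hash")
    if p.group == 1:
        issues.append("DH group 1 (768-bit)")
    return issues


# fw1: the policy from the slide. fw6: constructed for the example.
FW1 = [IsakmpPolicy(10, "3des", "sha", "pre-share", 1, 86400)]
FW6 = [IsakmpPolicy(10, "aes", "sha", "pre-share", 2, 86400),
       IsakmpPolicy(20, "3des", "sha", "pre-share", 1, 28800)]


if __name__ == "__main__":
    print("fw1 initiates:", negotiate(FW1, FW6))
    print("fw6 initiates:", negotiate(FW6, FW1))
    print("fw1 policy 10 issues:", audit(FW1[0]))
```

With these policies the tunnel comes up when fw1 initiates (fw6's policy 20 matches and the 28800-second lifetime is used) but not when fw6 initiates, because fw1's only policy demands 86400 seconds and fw6 offers less; a tunnel that works in one direction only is the classic symptom, and the fix is to configure the same lifetime on both peers. The audit flags group 1 on the slide's policy and nothing on the AES/group 2 policy.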

Configure IPsec Parameters

Security Appliance 1 (Site 1, 10.0.1.11, outside 192.168.1.2) and Security Appliance 6 (Site 2, 10.0.6.11, outside 192.168.6.2).

fw1(config)# crypto ipsec transform-set FW6 esp-des esp-md5-hmac

Available transforms:
esp-des        ESP transform using DES cipher (56 bits)
esp-3des       ESP transform using 3DES cipher (168 bits)
esp-aes        ESP transform using AES-128 cipher
esp-aes-192    ESP transform using AES-192 cipher
esp-aes-256    ESP transform using AES-256 cipher
esp-md5-hmac   ESP transform using HMAC-MD5 auth
esp-sha-hmac   ESP transform using HMAC-SHA auth
Configure IPsec Parameters

fw1(config)# crypto ipsec transform-set FW6 A B

Select two secure transforms for the IPsec tunnel. Drag the parameter on the left to the correct letter on the right to accomplish this task.

Choices: esp-3des, esp-rc4, ah-md5-hmac, ah-aes-128, esp-sha-hmac

Answer: esp-3des and esp-sha-hmac (one ESP cipher plus one ESP authentication transform). esp-rc4 and ah-aes-128 are not valid transforms, and ah-md5-hmac is an AH transform, which authenticates but does not encrypt and cannot pass through NAT because AH covers the IP header. Of the valid ESP ciphers, esp-des is no longer acceptable and the AES transforms are preferable to 3DES.

Configure Crypto-Maps and ACLs

Site 1 (10.0.1.11 behind fw1, outside 192.168.1.2) and Site 2 (10.0.6.11 behind fw6, outside 192.168.6.2).

fw1(config)# access-list 101 permit ip A 255.255.255.0 B 255.255.255.0
fw1(config)# crypto ipsec transform-set FW6 esp-3des esp-sha-hmac
fw1(config)# crypto map FW1MAP 10 set peer C
fw1(config)# crypto map FW1MAP 10 match address D
fw1(config)# crypto map FW1MAP 10 set transform-set FW6
fw1(config)# crypto map FW1MAP interface outside

Choices: 10.0.1.0, 101, 10.0.6.0, FW1MAP, 192.168.1.2, 192.168.6.2

Completed commands: access-list 101 permit ip 10.0.1.0 255.255.255.0 10.0.6.0 255.255.255.0, set peer 192.168.6.2 and match address 101 (A = 10.0.1.0, B = 10.0.6.0, C = 192.168.6.2, D = 101). The peer is fw6's outside address, not fw1's own; the name in set transform-set must be the transform set defined above (FW6); and nothing is encrypted until the map is bound to the outside interface and ISAKMP is enabled there with isakmp enable outside.
Site-to-Site VPN: Hub and Spoke

[Figure: HQ (10.0.1.0/24) with site-to-site tunnels over the Internet to Branch A (10.0.2.0/24) and Branch B (10.0.4.0/24); the hub permits intra-interface traffic]

Traffic flow:
• HQ to BR A
• HQ to BR B
• BR A to BR B (through the hub)

• Understand the traffic flow
• Utilize the existing S2S tunnels
• Add additional crypto access-lists
• Add "same-security-traffic permit intra-interface" at the hub site

Site-to-Site VPN: Hub and Spoke IPsec Tunnels

HQ 192.168.1.1 (10.0.1.0/24), Branch A 192.168.1.10 (10.0.2.0/24), Branch B 192.168.1.12 (10.0.4.0/24).

HQ IPsec tunnels: 192.168.1.1 -> 192.168.1.10 and 192.168.1.1 -> 192.168.1.12
  Encrypted traffic: 10.0.1.0/24 -> 10.0.2.0/24, 10.0.1.0/24 -> 10.0.4.0/24
Branch A IPsec tunnel: 192.168.1.10 -> 192.168.1.1
  Encrypted traffic: 10.0.2.0/24 -> 10.0.1.0/24, 10.0.2.0/24 -> 10.0.4.0/24
Branch B IPsec tunnel: 192.168.1.12 -> 192.168.1.1
  Encrypted traffic: 10.0.4.0/24 -> 10.0.1.0/24, 10.0.4.0/24 -> 10.0.2.0/24

Branch-to-branch traffic enters and leaves the hub's outside interface, so the hub needs same-security-traffic permit intra-interface, and because crypto ACLs must mirror each other the hub's ACL toward each branch must also carry the other branch's subnet (10.0.4.0/24 -> 10.0.2.0/24 on the Branch A tunnel and 10.0.2.0/24 -> 10.0.4.0/24 on the Branch B tunnel).

• Understand the traffic flow
• Utilize the existing S2S tunnels
• Add additional crypto access-lists
• Add "same-security-traffic permit intra-interface" at the hub site

Site-to-Site VPN: Hub and Spoke Configuration

[Figure: the hub's view. HQ 192.168.1.1 (10.0.1.0/24) with IPsec tunnels 192.168.1.1 -> 192.168.1.10 (Branch A, 10.0.2.0/24) and 192.168.1.1 -> 192.168.1.12 (Branch B, 10.0.4.0/24); encrypted traffic 10.0.1.0/24 -> 10.0.2.0/24 and 10.0.1.0/24 -> 10.0.4.0/24; intra-interface traffic permitted on the hub]
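The hub-and-spoke slides state the requirements in prose; the checker below, an added example and not part of the deck, turns them into something that can be run against a set of crypto ACLs before the change window. It builds the three devices from the slides (HQ, Branch A and Branch B with their outside addresses and LANs), verifies that every crypto ACE has its mirror image on the peer, and verifies that a spoke-to-spoke path is selected for encryption at all four tunnel ends and that the hub has same-security-traffic permit intra-interface. The incomplete variant of the topology, with one hub ACE dropped, is constructed to show what the checker reports.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Network
from typing import Dict, List, Set, Tuple

Flow = Tuple[IPv4Network, IPv4Network]      # (source subnet, destination subnet) proxy identity


@dataclass
class Device:
    name: str
    outside_ip: str
    lan: IPv4Network
    crypto_acl: Dict[str, Set[Flow]] = field(default_factory=dict)  # peer outside IP -> flows
    intra_interface: bool = False    # "same-security-traffic permit intra-interface"

    def add_tunnel(self, peer_ip: str, *flows: Tuple[str, str]) -> None:
        self.crypto_acl.setdefault(peer_ip, set()).update(
            (IPv4Network(s), IPv4Network(d)) for s, d in flows)


def check_mirror(devices: List[Device]) -> List[str]:
    """Every crypto ACE toward a peer needs the reversed ACE on that peer."""
    by_ip = {d.outside_ip: d for d in devices}
    problems = []
    for d in devices:
        for peer_ip, flows in d.crypto_acl.items():
            peer = by_ip.get(peer_ip)
            if peer is None:
                problems.append(f"{d.name}: peer {peer_ip} is not a known device")
                continue
            remote = peer.crypto_acl.get(d.outside_ip, set())
            for s, t in sorted(flows, key=str):
                if (t, s) not in remote:
                    problems.append(f"{d.name}: {s} -> {t} to {peer.name} has no mirror "
                                    f"{t} -> {s} on {peer.name}")
    return problems


def check_spoke_to_spoke(hub: Device, a: Device, b: Device) -> List[str]:
    """Spoke A reaches spoke B only through the hub: both directions must be selected for
    encryption at each of the four tunnel ends, and the hub must hairpin the traffic."""
    needed = [
        (a, hub, (a.lan, b.lan)), (hub, b, (a.lan, b.lan)),     # A -> B: in via A's tunnel, out via B's
        (b, hub, (b.lan, a.lan)), (hub, a, (b.lan, a.lan)),     # B -> A
    ]
    problems = []
    for src_dev, dst_dev, flow in needed:
        if flow not in src_dev.crypto_acl.get(dst_dev.outside_ip, set()):
            problems.append(f"{src_dev.name}: crypto ACL to {dst_dev.name} lacks "
                            f"{flow[0]} -> {flow[1]}")
    if not hub.intra_interface:
        problems.append(f"{hub.name}: missing 'same-security-traffic permit intra-interface'")
    return problems


def build_topology(complete: bool = True) -> Tuple[Device, Device, Device]:
    """The hub-and-spoke network from the slides; complete=False drops one hub ACE
    and the hub's intra-interface permit to show what the checks report."""
    hq = Device("HQ", "192.168.1.1", IPv4Network("10.0.1.0/24"), intra_interface=complete)
    br_a = Device("BranchA", "192.168.1.10", IPv4Network("10.0.2.0/24"))
    br_b = Device("BranchB", "192.168.1.12", IPv4Network("10.0.4.0/24"))
    hq.add_tunnel(br_a.outside_ip, ("10.0.1.0/24", "10.0.2.0/24"), ("10.0.4.0/24", "10.0.2.0/24"))
    hq.add_tunnel(br_b.outside_ip, ("10.0.1.0/24", "10.0.4.0/24"))
    if complete:
        hq.add_tunnel(br_b.outside_ip, ("10.0.2.0/24", "10.0.4.0/24"))
    br_a.add_tunnel(hq.outside_ip, ("10.0.2.0/24", "10.0.1.0/24"), ("10.0.2.0/24", "10.0.4.0/24"))
    br_b.add_tunnel(hq.outside_ip, ("10.0.4.0/24", "10.0.1.0/24"), ("10.0.4.0/24", "10.0.2.0/24"))
    return hq, br_a, br_b


if __name__ == "__main__":
    hq, a, b = build_topology(complete=False)
    for line in check_mirror([hq, a, b]) + check_spoke_to_spoke(hq, a, b):
        print(line)
```

On the complete topology both checks return nothing. With the hub's 10.0.2.0/24 -> 10.0.4.0/24 ACE missing, the mirror check reports that Branch B's 10.0.4.0/24 -> 10.0.2.0/24 entry has no counterpart on HQ, and the path check reports the same gap from the other direction plus the missing intra-interface permit; either one is enough to leave Branch A unable to reach Branch B while both branch-to-HQ tunnels work.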
Exam Topic: Configure a Security Appliance to Provide Secure Connectivity Using Remote Access VPNs

Configure a Security Appliance to Provide Secure Connectivity Using Remote Access VPNs
What You Need to Know:
• Explain the functions of Easy VPN
• Configure IPsec using Easy VPN Server/Client
• Configure the Cisco Secure VPN client
• Explain the purpose of WebVPN
• Configure WebVPN services: Server/Client
• Verify VPN operations
• Install and configure SVCs
• Install and configure Cisco Secure Desktop
Configure ISAKMP Parameters

Remote client 172.26.26.1 on the Internet, fw1 outside/inside, server 10.0.0.15.

fw1(config)# isakmp enable outside
fw1(config)# isakmp policy 10 encryption 3des
fw1(config)# isakmp policy 10 hash sha
fw1(config)# isakmp policy 10 authentication pre-share
fw1(config)# isakmp policy 10 group 2
fw1(config)# isakmp policy 10 lifetime 86400
Configure IPsec Tunnel-Group

Remote client 172.26.26.1 on the Internet, fw1 outside/inside, server 10.0.0.15.

fw1(config)# ip local pool mypool 10.0.0.100-10.0.0.254
!--- Configure tunnel-group parameters
fw1(config)# tunnel-group training type A
fw1(config)# tunnel-group training B
fw1(config-ipsec)# pre-shared-key cisco123
fw1(config)# tunnel-group training C
fw1(config-general)# address-pool mypool

Choices: ipsec-ra, ipsec-attributes, general-attributes, ipsec-l2l

Completed commands: tunnel-group training type ipsec-ra, tunnel-group training ipsec-attributes, tunnel-group training general-attributes (A = ipsec-ra, B = ipsec-attributes, C = general-attributes). The pre-shared key lives under ipsec-attributes and is the group password every Easy VPN client presents, so it should be a strong value rather than cisco123; the address pool is a general attribute. ipsec-l2l is the type for site-to-site tunnels.
Configure Group Policy

Remote client 172.26.26.1 on the Internet, fw1 outside/inside, server 10.0.0.15.

Group policy attributes pushed to the client: DNS server, WINS server, DNS domain, address pool, idle time.

fw1(config)# group-policy training internal
fw1(config)# group-policy training attributes
fw1(config-group-policy)# wins-server value 10.0.0.15
fw1(config-group-policy)# dns-server value 10.0.0.15
fw1(config-group-policy)# vpn-idle-timeout 15
fw1(config-group-policy)# default-domain value cisco.com

Configure Crypto Map
An administrator needs to complete a dynamic crypto map for this solution (remote client 172.26.26.1, server 10.0.0.15). Drag the parameter on the left to the correct letter on the right to accomplish this task.

fw1(config)# crypto ipsec transform-set rmtuser1 esp-3des esp-md5-hmac
fw1(config)# crypto dynamic-map rmt-dyna-map 10 set transform-set A
fw1(config)# crypto map rmt-user-map 10 ipsec-isakmp dynamic-map B
!--- Apply crypto map to the outside interface.
fw1(config)# crypto map C interface outside

Choices: rmt-user-map, rmt-dyna-map, rmtuser1

Completed commands: set transform-set rmtuser1, ipsec-isakmp dynamic-map rmt-dyna-map, crypto map rmt-user-map interface outside (A = rmtuser1, B = rmt-dyna-map, C = rmt-user-map). A dynamic map carries no peer and no match address because remote clients arrive from unknown addresses; it is referenced from an entry in a static crypto map, and only the static map is applied to the interface. Give the dynamic entry the highest sequence number in that map so that site-to-site entries are tried first.
Explain the Purpose of WebVPN

[Figure: a home office PC over a broadband provider, a wireless computer and a kiosk over an ISP each build a WebVPN tunnel to the corporate network]

• Uses a standard SSL VPN to access the corporate network
  Access to internal websites (HTTP/HTTPS), including filtering
  Access to internal Windows (CIFS) file shares
  TCP port forwarding for legacy application support
  Access to e-mail via POP, SMTP, and IMAP4 over SSL

Configure SSLVPN Services

Remote client -> Security Appliance (WebVPN tunnel) -> HTTP-Server 10.0.1.10/24 and Console-Server 10.0.1.11/24.

fw1(config)# group-policy corp_sslvpn attributes
  Enters the group-policy attributes subcommand mode
fw1(config-group-policy)# webvpn
  Enters WebVPN group-policy attributes subcommand mode
fw1(config-group-webvpn)# functions url-entry file-access file-entry file-browsing
  Enables file access, entry, browsing, and URL entry for the group
fw1(config-group-webvpn)# url-list value URLs
  Selects predefined URLs that were configured by using the url-list command
Configure SSLVPN File Services

Remote client -> Security Appliance (WebVPN tunnel) -> Superserver 10.0.1.10/24 and the Training share on 10.0.1.11/24.

fw1(config)# group-policy corp_sslvpn attributes
fw1(config-group-policy)# webvpn
fw1(config-group-webvpn)# functions url-entry file-access file-entry file-browsing
fw1(config-group-webvpn)# url-list value sslvpn_urls
fw1(config)# url-list sslvpn_urls "Superserver" http://10.0.1.10
fw1(config)# url-list sslvpn_urls "CIFS Share" cifs://10.0.1.11/training
Configure SSLVPN Port-Forward Services
Diagram: Remote Client reaches the Security Appliance over a WebVPN Tunnel; Super-Server1 10.0.1.10/24 and Mail-Server1 10.0.1.11/24 sit behind it
fw1(config)# group-policy corp_sslvpn attributes
fw1(config-group-policy)# webvpn
fw1(config-group-webvpn)# functions port-forward
fw1(config-group-webvpn)# port-forward value SSLVPN_APPS
fw1(config)# port-forward SSLVPN_APPS 2222 10.0.1.10 23
fw1(config)# port-forward SSLVPN_APPS 2110 mailserver1.training.com 110
fw1(config)# port-forward SSLVPN_APPS 2025 mailserver1.training.com 25
Exam Topics—Configure Transparent Firewall, Virtual Firewall, and High Availability Firewall Features on a Security Appliance


Configure Transparent Firewall, Virtual Firewall, and High Availability Firewall Features on a Security Appliance
What You Need to Know:
ƒ Explain differences between L2 and L3 operating modes
ƒ Configure security appliance for transparent mode (L2)
ƒ Explain purpose of virtual firewalls
ƒ Configure security appliance to support virtual firewall
ƒ Monitor and maintain virtual firewall
ƒ Explain the types, purpose and operation of fail-over
ƒ Install and configure appropriate topology to support cable-based or LAN-based fail-over
ƒ Explain the hardware, software and licensing requirements for high-availability

Configure Transparent Firewall, Virtual Firewall, and High Availability Firewall Features on a Security Appliance (Cont.)
What You Need to Know:
ƒ Configure the SA for active/standby fail-over
ƒ Configure the SA for stateful fail-over
ƒ Configure the SA for active-active fail-over
ƒ Verify fail-over operation
ƒ Recover from a fail-over
ƒ Allocate resources to virtual firewalls


Explain Differences Between L2 and L3 Operating Modes
The Security Appliance Can Run in Two Mode Settings:
ƒ Routed—Based on IP Address
ƒ Transparent—Based on MAC Address
Diagram: Routed Mode connects two different subnets (10.0.1.0 on VLAN 100 and 10.0.2.0 on VLAN 200); Transparent Mode bridges a single subnet (10.0.1.0) between VLAN 100 and VLAN 200
The following features are not supported in transparent mode:
ƒ NAT
ƒ Dynamic routing protocols
ƒ IPv6
ƒ DHCP relay
ƒ Quality of Service
ƒ Multicast
ƒ VPN termination for through traffic

Configure Security Appliance for Transparent Mode (L2)
ƒ Layer 3 traffic must be explicitly permitted
ƒ Each directly connected network must be on the same subnet
ƒ The management IP address must be on the same subnet as the connected network
ƒ Do not specify the firewall appliance management IP address as the default gateway for connected devices
ƒ Devices need to specify the router on the other side of the firewall appliance as the default gateway
ƒ Each interface must be a different VLAN interface
Diagram: Internet router 10.0.1.10 on VLAN 100 (10.0.1.0); transparent-mode appliance with management IP address 10.0.1.1; hosts 10.0.1.3 and 10.0.1.4 on VLAN 200 (10.0.1.0), both with GW 10.0.1.10
fw1(config)# firewall transparent
Switched to transparent mode


Configure Security Appliance to Support Virtual Firewall
Diagram: two contexts on one appliance; CTX1 (admin) uses e0 toward Internet 1 and e1 inside, CTX2 uses e3 toward Internet 2 and e4 inside
fw1(config)# mode multiple
WARNING: This command will change the behavior of the device
WARNING: This command will initiate a Reboot
Proceed with change mode? [confirm]
Convert the system configuration? [confirm]
...
fw1# show mode
Security context mode: multiple
Configure Security Appliance to Support Virtual Firewall
An administrator is tasked with allocating interfaces for the two contexts, ctx1 and ctx2. Using the allocate-interface command, drag the interface parameter on the left to the correct letter on the right to accomplish this task.
Diagram: CTX1 (admin) uses e0 toward Internet 1 and e1 inside; CTX2 uses e3 toward Internet 2 and e4 inside
fw1(config)# admin-context ctx1
fw1(config)# context ctx1
fw1(config-ctx)# allocate-interface A
fw1(config-ctx)# allocate-interface B
fw1(config-ctx)# config-url flash:/C
fw1(config)# context ctx2
fw1(config-ctx)# allocate-interface D
fw1(config-ctx)# allocate-interface E
fw1(config-ctx)# config-url flash:/F
Parameters: ethernet0, ethernet1, ethernet3, ethernet4, ctx1.cfg, ctx2.cfg
Letters: A, B, C, D, E, F

Configure Security Appliance to Support Virtual Firewall
Diagram: Context 1 (admin) has interface e0 with IP address 192.168.1.2 toward the Internet and interface e1 with IP address 10.0.1.1; Context 2 has interface e3 with IP address 192.168.31.7 and interface e4 with IP address 10.0.31.7
fw1(config)# changeto context ctx1
fw1/ctx1(config)# interface ethernet0
fw1/ctx1(config-if)# ip address 192.168.1.2 255.255.255.0
fw1/ctx1(config-if)# nameif outside
fw1/ctx1(config)# interface ethernet1
fw1/ctx1(config-if)# ip address 10.0.1.1 255.255.255.0
fw1/ctx1(config-if)# nameif inside
Hardware and Stateful Failover
Diagram: a primary and a secondary appliance in front of the Internet, joined by a failover link
ƒ Hardware Failover
Connections are dropped.
Client applications must reconnect.
Provided by serial or LAN-based failover link.
Active/Standby—only one unit can be actively processing traffic while the other is hot standby.
Active/Active—both units can actively process traffic and serve as backup units.
ƒ Stateful failover
TCP connections remain active.
No client applications need to reconnect.
Provides redundancy and stateful connection.
Provided by stateful link.

Explain the Hardware, Software and Licensing Requirements for High-Availability
Diagram: Active/Standby pair (Primary: Standby, Secondary: Active) and Active/Active pair with contexts (Primary: Failed/Standby, Secondary: Active/Active), each in front of the Internet
ƒ The primary and secondary security appliances must be identical in the following requirements:
Same model number and hardware configurations
Same software versions: the two units in a failover configuration should have the same major (first number) and minor (second number) software version. Starting in Rel. 7, you do not need to maintain version parity on the units during the upgrade process, e.g. 7.0(4) to 7.0(5)
Same features (DES or 3DES)
Same amount of Flash memory and RAM
Proper licensing
Configure A/S Failover Link
Diagram: Primary (fw1) and Secondary units; outside network 192.168.2.0 toward the Internet (primary .2, secondary .7), inside network 10.0.2.0 (primary .1, secondary .7), LAN failover network 172.17.2.0 (primary .1, secondary .7)
fw1(config)# interface ethernet3
fw1(config-if)# no shut
fw1(config)# failover lan interface LANFAIL ethernet3
fw1(config)# failover interface ip A B 255.255.255.0 C D
fw1(config)# failover lan unit E
fw1(config)# failover
Parameters: active, standby, LANFAIL, 172.17.2.1, 172.17.2.7, primary
Letters: A, B, C, D, E

Configure A/A Failover Link
Diagram: two units, each with CTX1 in Group 1 (g0/0, g0/1) and CTX2 in Group 2 (g0/3, g0/4); failover link on g0/2 of both units, 172.17.2.1 and 172.17.2.7
fw1(config)# interface GigabitEthernet0/2
fw1(config-if)# no shut
fw1(config)# failover lan interface LANFAIL GigabitEthernet0/2
fw1(config)# failover interface ip LANFAIL A 255.255.255.0 B C
fw1(config)# failover link LANFAIL GigabitEthernet0/2
fw1(config)# failover lan key 1234567
Parameters: active, standby, 172.17.1.1, 172.17.1.7
Letters: A, B, C
A/A Failover Group
Diagram: Primary and Secondary units; on each unit CTX1 belongs to Group 1 (g0/0, g0/1) and CTX2 to Group 2 (g0/3, g0/4); failover link on g0/2, 172.17.1.1 and 172.17.1.7
Active/active failover adds support for failover groups.
Failover is performed on a unit or group level.
A group is comprised of one or more contexts.
Each failover group contains separate state machines to keep track of the group failover state.
fw1(config)# failover group 1
fw1(config-fover-group)# primary
fw1(config)# failover group 2
fw1(config-fover-group)# secondary

Context: Allocate Interfaces and Assign a Failover Group Number
Diagram: on each unit, CTX1 (Group 1) uses g0/0 and g0/1 and CTX2 (Group 2) uses g0/3 and g0/4; g0/0 and g0/3 face the Internet
Associate interfaces and a group to a context
fw1(config)# context ctx1
fw1(config-ctx)# allocate-interface GigabitEthernet0/0
fw1(config-ctx)# allocate-interface GigabitEthernet0/1
fw1(config-ctx)# config-url flash:/ctx1.cfg
fw1(config-ctx)# join-failover-group 1
fw1(config)# context ctx2
fw1(config-ctx)# allocate-interface GigabitEthernet0/3
fw1(config-ctx)# allocate-interface GigabitEthernet0/4
fw1(config-ctx)# config-url flash:/ctx2.cfg
fw1(config-ctx)# join-failover-group 2
Show Failover: Part 1
Diagram: Primary unit runs Group 1 Active (CTX1: g0/0 192.168.1.2, g0/1 10.0.1.1) and Group 2 Standby (CTX2: g0/3 192.168.31.7, g0/4 10.0.31.7); Secondary unit runs Group 1 Standby (192.168.1.7, 10.0.1.7) and Group 2 Active (192.168.31.1, 10.0.31.1); failover link g0/2, 172.17.1.1 and 172.17.1.7
fw1# show failover
Failover On
Cable status: N/A - LAN-based failover enabled
Failover unit Primary
Failover LAN Interface: lanfail GigabitEthernet0/2 (up)
Unit Poll frequency 15 seconds, holdtime 45 seconds
Interface Poll frequency 15 seconds
Interface Policy 1
Monitored Interfaces 4 of 250 maximum
Group 1 last failover at: 15:54:49 UTC Sept 17 2006
Group 2 last failover at: 15:55:00 UTC Sept 17 2006
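Two of the topics above, verifying failover operation from `show failover` and checking that a pair meets the hardware/software requirements, can be scripted. The Python below is an added example, not code from the deck; the `show failover` sample is copied from this slide, and the unit inventory dicts (model, Flash, RAM, crypto feature, version) are constructed for the demo.

```python
"""Failover verification helpers (added example, not from the SNPA deck).

parse_show_failover() reads the `show failover` text shown on the slide,
failover_problems() applies the "verify failover operation" checks, and
pair_problems() applies the HA pairing rules from the requirements slide
(same model, Flash, RAM, crypto feature set, and major.minor software version).
"""
import re

# Constructed sample: the `show failover` output printed on the slide.
SHOW_FAILOVER = """\
Failover On
Cable status: N/A - LAN-based failover enabled
Failover unit Primary
Failover LAN Interface: lanfail GigabitEthernet0/2 (up)
Unit Poll frequency 15 seconds, holdtime 45 seconds
Interface Poll frequency 15 seconds
Interface Policy 1
Monitored Interfaces 4 of 250 maximum
Group 1 last failover at: 15:54:49 UTC Sept 17 2006
Group 2 last failover at: 15:55:00 UTC Sept 17 2006
"""


def parse_show_failover(text):
    """Pull the fields a verification step cares about into a dict."""
    info = {"enabled": False, "groups": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Failover On") or line.startswith("Failover Off"):
            info["enabled"] = line == "Failover On"
        elif line.startswith("Failover unit "):
            info["unit"] = line.split()[-1]          # Primary / Secondary
        elif line.startswith("Failover LAN Interface:"):
            m = re.match(r"Failover LAN Interface: (\S+) (\S+) \((\w+)\)", line)
            if m:
                info["lan_if_name"], info["lan_if"], info["lan_if_state"] = m.groups()
        elif line.startswith("Unit Poll frequency"):
            m = re.search(r"(\d+) seconds, holdtime (\d+) seconds", line)
            if m:
                info["unit_poll"], info["unit_hold"] = int(m.group(1)), int(m.group(2))
        elif line.startswith("Monitored Interfaces"):
            m = re.search(r"(\d+) of (\d+) maximum", line)
            if m:
                info["monitored"], info["monitored_max"] = int(m.group(1)), int(m.group(2))
        else:
            m = re.match(r"Group (\d+) last failover at: (.+)", line)
            if m:
                info["groups"][int(m.group(1))] = m.group(2)
    return info


def failover_problems(info):
    """Return the checks that fail; an empty list means the pair looks healthy."""
    problems = []
    if not info["enabled"]:
        problems.append("failover is off")
    if info.get("lan_if_state") != "up":
        problems.append("LAN failover interface %s is not up" % info.get("lan_if", "?"))
    if info.get("unit") not in ("Primary", "Secondary"):
        problems.append("unit role not reported")
    return problems


def parse_version(v):
    """'7.0(4)' -> (7, 0, 4): major, minor, maintenance."""
    m = re.fullmatch(r"(\d+)\.(\d+)\((\d+)\)", v.strip())
    if not m:
        raise ValueError("unrecognised software version: %r" % v)
    return tuple(int(x) for x in m.groups())


def versions_compatible(primary, secondary):
    """Slide rule: major and minor must match; from release 7 the maintenance
    number may differ during an upgrade (e.g. 7.0(4) and 7.0(5))."""
    p, s = parse_version(primary), parse_version(secondary)
    if p[:2] != s[:2]:
        return False
    return p == s or p[0] >= 7


def pair_problems(primary, secondary):
    """Compare two unit inventories (constructed dicts) against the HA requirements."""
    problems = []
    for key in ("model", "flash_mb", "ram_mb", "crypto"):
        if primary.get(key) != secondary.get(key):
            problems.append("%s differs: %r vs %r" % (key, primary.get(key), secondary.get(key)))
    if not versions_compatible(primary["version"], secondary["version"]):
        problems.append("software %s and %s cannot form a pair"
                        % (primary["version"], secondary["version"]))
    return problems


if __name__ == "__main__":
    state = parse_show_failover(SHOW_FAILOVER)
    print("failover checks:", failover_problems(state) or "ok")
    # Constructed inventories: identical hardware, maintenance release differs.
    fw_a = {"model": "ASA5520", "flash_mb": 64, "ram_mb": 512, "crypto": "3DES", "version": "7.0(4)"}
    fw_b = dict(fw_a, version="7.0(5)")
    print("pair checks:", pair_problems(fw_a, fw_b) or "ok")
```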

Resource Management
ƒ Limits the use of resources per context
ƒ Prevents one or more contexts from using too many resources and causing other contexts to be denied use of resources
ƒ Enables you to configure limits for the following resources:
ASDM connections, Telnet sessions, Connections, Xlate objects, Hosts, Application inspections (rate only), SSH sessions, Syslogs per second (rate only)
Diagram: HTTP traffic from the Internet into CONTEXT 1 and CONTEXT 2; connections for CONTEXT2 are limited to 20%
Configuring Resource Management
Diagram: HTTP traffic from the Internet into CONTEXT 1 and CONTEXT 2; limit connections for CONTEXT2 to 20%
fw1(config)# class MEDIUM-RESOURCE-SET
fw1(config-class)# limit-resource conns 20%
Limits the MEDIUM-RESOURCE-SET class to 20 per cent of the system connection limit
fw1(config)# context context2
fw1(config-ctx)# member MEDIUM-RESOURCE-SET
Assigns the context2 context to the MEDIUM-RESOURCE-SET class

Exam Topics—Configure AAA Services for Access Through a Security Appliance

Configure AAA Services for Access
Through a Security Appliance
What You Need to Know:
ƒ Configure ACS for security appliance support
ƒ Configure security appliance to use AAA feature
ƒ Configure authentication using both local and
external databases
ƒ Configure authorization using an external database
ƒ Configure the ACS server for downloadable ACLs
ƒ Configure accounting of connection start/stop
ƒ Verify AAA operation


Configure ACS for Security Appliance Support
When configuring a Cisco ACS Server network configuration window, the administrator must supply two names and IP addresses. Drag the parameter on the left to the correct letter on the right to accomplish this task.
Diagram: user "aaauser" (192.168.2.10) on the Internet side of NY1PIX; NY1PIX inside interface 10.0.1.1 on network 10.0.1.0; NY_ACS at 10.0.1.10
ACS network configuration fields: A, B, C, D
Parameters: 192.168.2.10, 10.0.1.1, 10.0.1.10, NY1PIX, NY_ACS, aaauser
Configure Authentication Using Both Local and External Databases
Authentication via LOCAL database (Telnet from the Internet):
fw1(config)# username admin1 password cisco123
fw1(config)# aaa authentication telnet console LOCAL
Authentication via external database (NY_ACS, 10.0.0.2) with LOCAL backup (Telnet from the Internet):
fw1(config)# aaa-server NY_ACS protocol tacacs+
fw1(config)# aaa-server NY_ACS (inside) host 10.0.0.2
fw1(config-aaa-server)# key secretkey
fw1(config)# aaa authentication telnet console NY_ACS LOCAL

Configure Cut-Through Proxy Authentication
The administrator wants every Internet user to be authenticated before gaining http access to the DMZ server, 172.16.4.9. Drag the parameter on the left to the correct letter on the right to accomplish this task.
Diagram: Internet user 192.168.2.10; DMZ server 172.16.4.9 translated to 192.168.1.12; NY_ACS (RADIUS) at 10.0.0.2 on the inside
fw1(config)# static (dmz,outside) 192.168.1.12 172.16.4.9
fw1(config)# aaa-server NY_ACS protocol radius
fw1(config)# aaa-server NY_ACS (inside) host 10.0.0.2
fw1(config-aaa-server)# key cisco123
fw1(config)# access-list 110 permit tcp any host A eq www
fw1(config)# aaa authentication match B C D
Parameters: 192.168.1.12, 172.16.4.9, 192.168.2.10, 110, NY_ACS, outside
Letters: A, B, C, D
Configure Authorization Using an External Database
Diagram: Internet user 192.168.9.10; outside network 192.168.0.0; inside FTP server 10.0.0.33 translated to 192.168.0.12; NY_ACS (authorization) at 10.0.0.2
fw1(config)# aaa-server NY_ACS protocol tacacs+
fw1(config)# aaa-server NY_ACS (inside) host 10.0.0.2
fw1(config-aaa-server)# key secretkey
fw1(config)# static (inside,outside) 192.168.0.12 10.0.0.33
fw1(config)# access-list 110 permit tcp any host 192.168.0.12 eq ftp
fw1(config)# aaa authorization match 110 outside NY_ACS


Authorization Rules Allowing Specific Services to Specific Hosts
On the previous page, the administrator configured a PIX to verify users' rights before they ftp to the Inside FTP server. In the Access server, the administrator must configure TACACS+ group setup. Check the parameter for each subtask on the left that is needed to accomplish this task.
Group setup
ƒ Unmatched Cisco IOS commands
‰ Deny
‰ Permit
ƒ Command
‰ ftp
‰ Blank (ftp is in the arguments list)
ƒ Arguments
‰ permit 192.168.0.12
‰ permit tcp any host 192.168.0.12 eq ftp
ƒ Unlisted arguments
‰ Deny
‰ Permit
Configure the ACS Server for Downloadable ACLs
Diagram: user "aaauser" on the Internet; FTP Server 172.16.4.9 translated to 192.168.1.10 and WWW Server 172.16.4.10 translated to 192.168.1.11 on the DMZ; NY_ACS (RADIUS authentication) at 10.0.0.2
fw1(config)# static (dmz,outside) 192.168.1.10 172.16.4.9
fw1(config)# static (dmz,outside) 192.168.1.11 172.16.4.10
fw1(config)# aaa-server NY_ACS protocol A
fw1(config)# aaa-server NY_ACS (inside) host B
fw1(config-aaa-server)# key cisco123
fw1(config)# access-list 110 permit tcp any host 192.168.1.10 eq ftp
fw1(config)# access-list 110 permit tcp any host 192.168.1.11 eq C
fw1(config)# aaa authentication match 110 outside D
Parameters: www, 172.16.4.10, NY_ACS, 10.0.0.2, TACACS+, RADIUS
Letters: A, B, C, D

Configure the ACS Server for Downloadable ACLs

Authentication of Console Access
Diagram: console access to the Security Appliance, authenticated against NY_ACS (TACACS+ server, 10.0.0.2)
ƒ Defines a console access method that requires authentication
ƒ Identifies the authentication server group name (authentication server or LOCAL)
ƒ Enables fallback to LOCAL security appliance database
fw1(config)# aaa authentication serial console NY_ACS LOCAL
fw1(config)# aaa authentication enable console NY_ACS LOCAL
fw1(config)# aaa authentication telnet console NY_ACS LOCAL
fw1(config)# aaa authentication ssh console NY_ACS LOCAL

Configure Accounting of Connection Start/Stop
Diagram: user "aaauser" on the Internet; FTP Server 172.16.4.9 translated to 192.168.1.10 and WWW Server 172.16.4.10 translated to 192.168.1.11; NY_ACS (RADIUS accounting) at 10.0.0.2
fw1(config)# aaa-server NY_ACS protocol A
fw1(config)# aaa-server NY_ACS (inside) host 10.0.0.2
fw1(config-aaa-server)# key cisco123
fw1(config)# access-list 110 permit tcp any host 192.168.1.10 eq ftp
fw1(config)# access-list 110 permit tcp any host 192.168.1.11 eq www
fw1(config)# aaa B match C outside NY_ACS
Parameters: radius, accounting, 192.168.1.0, authentication, 110, LDAP
Letters: A, B, C
Exam Topics—Configure Routing and Switching on a Security Appliance


Configure Routing and Switching on a Security Appliance Subtopics
What You Need to Know:
ƒ Enable DHCP server and relay functionality
ƒ Configure VLANs on a security appliance interface
ƒ Configure security appliance to pass multicast traffic

Configure VLANs on a Security Appliance Interface
Diagram: a trunk port carries vlan10 (dmz1, 172.16.10.1, Public Server), vlan20 (dmz2, 172.16.20.1, Proxy Server) and vlan30 (dmz3, 172.16.30.1, Partner Server); outside 192.168.0.0 toward the Internet, inside 10.0.0.0
fw1(config)# interface ethernet3.1
fw1(config-subif)# vlan 10
fw1(config-subif)# nameif dmz1
fw1(config-subif)# security-level 10
fw1(config-subif)# ip address 172.16.10.1

Configure Routing Functionality of Security Appliance Including OSPF, RIP
Diagram: outside (192.168.0.0) and dmz (172.26.26.30) run RIP v2; inside (10.0.0.0, 10.0.1.0) runs RIP v1
fw1(config)# rip outside passive version 2 authentication md5 MYKEY 2
fw1(config)# rip inside passive
fw1(config)# rip dmz passive version 2

Configure Routing Functionality of Security Appliance Including OSPF, RIP
Diagram: Router OSPF 1; area 0 toward the Internet (network 1.1.1.0), private networks 10.0.0.0 and 10.0.1.0, and network 2.2.2.0
firewall(config-router)# network prefix ip_address netmask area area_id
• Adds and removes interfaces to and from the OSPF routing process
fw1(config)# router ospf 1
fw1(config-router)# network 1.1.1.0 255.255.255.0 area 0
fw1(config-router)# network 2.2.2.0 255.255.255.0 area 2.2.2.0
fw1(config-router)# network 10.0.0.0 255.255.255.0 area 10.0.0.0

Configure Security Appliance to Pass Multicast (MC) Traffic
A multicast (MC) client on the inside network wants to "view" a MC session from a MC server on the DMZ. Drag the parameter on the left to the correct letter on the right to accomplish this task.
Diagram: MC router 172.16.0.1 on the outside (e0); multicast server in MC group 224.0.1.50 on the DMZ (e2); MC client 10.0.0.11 on the inside (e1)
fw1(config)# access-list 120 permit udp any host 224.0.1.50
fw1(config)# interface A
fw1(config-if)# igmp access-group 120
fw1(config)# interface B
fw1(config-if)# igmp forward interface C
Parameters: ethernet1, 10.0.0.11, 224.0.1.50, DMZ, Inside, ethernet2
Letters: A, B, C
Exam Topics—Configure Security Appliance Advanced Application Layer and Modular Policy Features


Configure a Modular Policy on a Security Appliance Subtopics
What You Need to Know:
ƒ Configure a class-map
ƒ Configure a policy-map
ƒ Configure a service-policy
ƒ Configure a class-map type inspect
ƒ Configure a policy-map type inspect
ƒ Configure regular expressions
ƒ Explain the function of protocol inspection
ƒ Explain DNS guard feature

Configure a Modular Policy on a Security Appliance Subtopics (Cont.)
What You Need to Know:
ƒ Describe the AIP-SSM HW and SW
ƒ Load IPS SW on the AIP-SSM
ƒ Verify AIP-SSM
ƒ Configure an IPS modular policy
ƒ Describe the CSC-SSM HW and SW
ƒ Load CSC SW on the SSM
ƒ Verify the CSC-SSM
ƒ Configure a CSC modular policy


Layer 7: Application Inspection Overview
Diagram: Layer 7 application inspection (deep packet inspection) of HTTP from the Internet (outside, 192.168.0.0) to the DMZ HTTP server; "Get" is allowed, "Put" and "Post" are reset; inside network 10.0.0.0
ƒ A Layer 7 policy is intended for protocol deep packet inspection.
ƒ You can configure Layer-7 protocol inspection criteria to recognize specific protocol attributes that you wish to control.
ƒ Actions can be applied to the desirable and undesirable traffic.
ƒ Application inspection (AI) varies in capability per supported protocol.

Layer 7: Application Inspection Configuration
Diagram: Layer 7 application inspection ("Get" allow, "Put" reset, "Post" reset) applied to the Layer 3 and 4 stream of HTTP traffic from the Internet to the DMZ WWW server; inside network 10.0.0.0
To create an application inspection:
ƒ Create a Layer 7 application inspection policy
Identify application inspection criteria based on the attributes of a given protocol
Apply an action to identified packets: allow, reset, or log
ƒ Create a Layer 3 and 4 policy to identify a traffic stream
Define the Layer 3 and 4 traffic stream for inspection
Attach the traffic stream to a Layer 3 and 4 policy

Configure Layer 7 Application Inspection Policy
Diagram: Layer 7 application inspection ("Get" allow, "Put" reset, "Post" reset) of HTTP from the Internet to the DMZ HTTP server; inside network 10.0.0.0
Create a Layer 7 application inspection policy
ƒ Class-map type inspect—Identify application inspection criteria based on the attributes of a given protocol
ƒ Policy-map type inspect—Apply an action to identified packets: allow, reset, or log
fw1(config)# class-map type inspect http HTTP_SAFE_Method
fw1(config-cmap)# match request method get
fw1(config)# class-map type inspect http match-any HTTP_RESTRICTED_Methods
fw1(config-cmap)# match request method post
fw1(config-cmap)# match request method put
fw1(config)# policy-map type inspect http inbound_http_traffic
fw1(config-pmap)# class HTTP_SAFE_Method
fw1(config-pmap-c)# allow
fw1(config-pmap)# class HTTP_RESTRICTED_Methods
fw1(config-pmap-c)# reset log
Configure a Layer 3 and 4 Policy
Diagram: Layer 3 and 4 classification of HTTP traffic from the Internet to the DMZ WWW server; inside network 10.0.0.0
Create a Layer 3 and 4 inspection policy
ƒ Define the Layer 3 and 4 traffic stream for inspection.
ƒ Associate a traffic stream with a Layer 3 and 4 policy
fw1(config)# access-list 102 permit TCP any host 192.168.1.11 eq www
fw1(config)# class-map inbound_http_traffic
fw1(config-cmap)# match access-list 102
fw1(config)# policy-map dmz_http_inbound
fw1(config-pmap)# class inbound_http_traffic
fw1(config-pmap-c)# inspect http inbound_http_traffic
fw1(config)# service-policy dmz_http_inbound outside

Configure Class-Map Type Inspect Example
Diagram: Internet user reaching the WWW Server 172.16.4.9 (translated to 192.168.1.11)
fw1(config)# class-map type inspect ftp match-any ftp_method
fw1(config-cmap)# match request method A
fw1(config-cmap)# match request method B
fw1(config)# policy-map type inspect ftp inbound_ftp
fw1(config-pmap)# class C
fw1(config-pmap-c)# reset D
Parameters: ftp_method, inbound_ftp, put, log, dele, reset
Letters: A, B, C, D

© 2008, Cisco Systems, Inc. All rights reserved. 50


14363_04_2008_c2.scr
Configure a Layer 3 and 4 Policy Example
Diagram: Internet user 192.168.2.10 reaching the FTP Server 172.16.4.9 (translated to 192.168.1.11)
fw1(config)# access-list 101 permit TCP any host 192.168.1.11 eq ftp
fw1(config)# A ftp_traffic
fw1(config-cmap)# match access-list 101
fw1(config)# B inbound
fw1(config-pmap)# class C
fw1(config-pmap-c)# inspect D strict
fw1(config)# E F outside
Parameters: ftp_traffic, ftp, inbound, class-map, service-policy, policy-map
Letters: A, B, C, D, E, F

Configure Class-Map Type Inspect HTTP Example
Diagram: Internet user reaching the WWW Server 172.16.4.9 (translated to 192.168.1.11)
fw1(config)# class-map type inspect http match-any BLOCKED_METHOD_LIST
fw1(config-cmap)# match request method delete
fw1(config-cmap)# match request method post
fw1(config-cmap)# match request method put
fw1(config)# policy-map type inspect http inbound_http
fw1(config-pmap)# class BLOCKED_METHOD_LIST
fw1(config-pmap-c)# reset log
fw1(config)# access-list 102 permit TCP any host 192.168.1.11 eq www
fw1(config)# class-map inbound_http_traffic
fw1(config-cmap)# match access-list 102
fw1(config)# policy-map inbound
fw1(config-pmap)# class inbound_http_traffic
fw1(config-pmap-c)# inspect http inbound_http
fw1(config)# service-policy inbound outside

Class-Map Type Inspect and Policy-Map Type Inspect
fw1(config)# class-map type inspect http match-any BLOCKED_METHOD_LIST
fw1(config-cmap)# match request method delete
fw1(config-cmap)# match request method post
fw1(config-cmap)# match request method put
Inspection class maps enable you to group multiple traffic matching statements
fw1(config)# policy-map type inspect http MY_HTTP_MAP
fw1(config-pmap)# class BLOCKED_METHOD_LIST
fw1(config-pmap-c)# drop-connection log
The inspection class map is then assigned to the inspection policy map.
fw1(config)# policy-map type inspect http MY_HTTP_MAP
fw1(config-pmap)# match request method post
fw1(config-pmap-c)# drop-connection log
Pair a single traffic match statement with an action directly in the policy map


Regular Expressions
Diagram: a client on the Internet sends "ftp> username: root" toward the mail server; the ASA is configured to drop packets containing the string "root"
ƒ Enables you to identify text in a packet using a regular expression
ƒ A regular expression is characterized as follows:
Defined as a pattern to match against an input string
Enables you to permit, deny, or log any packet to create custom security checks
Matches a text string
Literally as an exact string
By using metacharacters, which enable you to match multiple variants of a text string
ƒ You can combine custom security checks for increased granular control
Blocking Based on Matching (or Not) Regular Expressions (REGEX)
Diagram: Bob on the Internet sends "ftp> username: root" and "ftp> put /root/filename" to the FTP server
ƒ Denies all inbound users with a username of "root"
ƒ Denies all access to "/root" from the Internet
fw1(config)# regex FTP_USER "root"
fw1(config)# regex FTP_PATH "\/root"
fw1(config)# class-map type regex match-any RESTRICTED_ACCESS
fw1(config-cmap)# match regex A
fw1(config-cmap)# match regex B
fw1(config)# policy-map type inspect ftp C
fw1(config-pmap)# class D
fw1(config-pmap-c)# reset log
Parameters: FTP_USER, FTP_PATH, RESTRICTED_ACCESS, MY_FTP_MAP
Letters: A, B, C, D
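The inspection class maps, the regex class map and the inspection policy maps configured on the slides from "Configure Layer 7 Application Inspection Policy" through this one can be exercised in a small model. The Python below is an added example, not code from the deck; the message field names (method, user, path), the most-restrictive-action rule for overlapping matches and the sample messages are this model's own assumptions.

```python
"""Modular Policy Framework inspection model (added example, not from the deck).

Models what the class-map type inspect / policy-map type inspect slides
describe: an inspection class map groups match statements (match-any or
match-all), a regex class map supplies text matches, and an inspection policy
map pairs classes with actions (allow, reset, drop-connection) plus log.
Assumptions of this model: when several entries match one message, the most
restrictive action wins and log is set if any matching entry asked for it;
message field names (method, user, path) are constructed for the demo.
"""
import re

SEVERITY = {"allow": 0, "reset": 1, "drop-connection": 2}


class InspectClass:
    """class-map type inspect <protocol> [match-all | match-any] <name>."""

    def __init__(self, name, entries, match_any=True):
        self.name = name
        self.entries = entries            # list of (field, predicate)
        self.match_any = match_any

    def matches(self, msg):
        results = [pred(msg.get(field, "")) for field, pred in self.entries]
        if not results:
            return False
        return any(results) if self.match_any else all(results)


class InspectPolicy:
    """policy-map type inspect <protocol> <name>: ordered (class, action, log)."""

    def __init__(self, name, rules):
        self.name = name
        self.rules = rules

    def evaluate(self, msg):
        verdict = {"action": "allow", "log": False, "classes": []}
        for cls, action, log in self.rules:
            if cls.matches(msg):
                verdict["classes"].append(cls.name)
                if SEVERITY[action] > SEVERITY[verdict["action"]]:
                    verdict["action"] = action
                verdict["log"] = verdict["log"] or log
        return verdict


def method(name):
    """match request method <name>; method names compared case-insensitively."""
    return ("method", lambda v: v.upper() == name.upper())


def regex_entries(patterns, fields):
    """class-map type regex match-any: each regex tried against each named field."""
    entries = []
    for pat in patterns:
        rx = re.compile(pat)
        for field in fields:
            entries.append((field, lambda v, rx=rx: rx.search(v) is not None))
    return entries


def slide_policies():
    """Build the policies the slides configure, keyed by policy-map name."""
    http_safe = InspectClass("HTTP_SAFE_Method", [method("get")])
    http_restricted = InspectClass("HTTP_RESTRICTED_Methods", [method("post"), method("put")])
    inbound_http = InspectPolicy("inbound_http_traffic",
                                 [(http_safe, "allow", False), (http_restricted, "reset", True)])
    blocked = InspectClass("BLOCKED_METHOD_LIST",
                           [method("delete"), method("post"), method("put")])
    my_http_map = InspectPolicy("MY_HTTP_MAP", [(blocked, "drop-connection", True)])
    # regex FTP_USER "root" and regex FTP_PATH "\/root", grouped by RESTRICTED_ACCESS
    restricted = InspectClass("RESTRICTED_ACCESS",
                              regex_entries(["root", r"\/root"], ["user", "path"]))
    my_ftp_map = InspectPolicy("MY_FTP_MAP", [(restricted, "reset", True)])
    return {p.name: p for p in (inbound_http, my_http_map, my_ftp_map)}


def match_all_pitfall():
    """With match-all (the default for class-map type inspect) two method
    statements never both hold for one request, so the class never matches;
    this is why the multi-method classes on the slides need match-any."""
    strict = InspectClass("RESTRICTED_match_all", [method("post"), method("put")],
                          match_any=False)
    return strict.matches({"method": "PUT"})


if __name__ == "__main__":
    policies = slide_policies()
    for msg in ({"method": "GET"}, {"method": "PUT"}, {"user": "bob", "path": "/root/x"}):
        name = "MY_FTP_MAP" if "user" in msg else "inbound_http_traffic"
        print(name, msg, "->", policies[name].evaluate(msg))
```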

Load IPS SW on the AIP-SSM
fw1(config)# hw module 1 A
Image URL [tftp://0.0.0.0/]: tftp://10.0.31.10/AIP-SSM-K9-sys-1.1-a-5.0-0.22.img
Port IP Address [0.0.0.0]: 10.0.31.1
fw1(config)# hw module 1 B
The module in slot 1 will be recovered. This may erase all configuration and all data on that device and attempt to download a new image for it.
fw1# C
Opening command session with slot 1.
Connected to slot 1. Escape character sequence is 'CTRL^X'.
sensor# D
--- System Configuration Dialog ---
Current Configuration:
Parameters: recover configure, recover boot, session 1, session m2/0, setup
Letters: A, B, C, D
AIP-SSM Initialized
Diagram: security appliance with an AIP-SSM module installed, facing the Internet
fw1(config)# show module 1
Mod Card Type                                    Model              Serial No.
--- -------------------------------------------- ------------------ ----------
  1 ASA 5500 Series Security Services Module-10  ASA-SSM-10         123456789

Mod MAC Address Range                 Hw Version   Fw Version   Sw Version
--- --------------------------------- ------------ ------------ --------------
  1 0016.4687.a520 to 0016.4687.a520  1.0          1.0(10)0     6.0(2)E1

Mod SSM Application Name           Status           SSM Application Version
--- ------------------------------ ---------------- --------------------------
  1 IPS                            Up               6.0(2)E1

Mod Status             Data Plane Status     Compatibility
--- ------------------ --------------------- -------------
  1 Up                 Up

Configure an IPS Modular Policy
Diagram: DMZ servers 172.16.1.0 behind the appliance and its IPS module; IPS policy: inline, fail open
fw1(config)# access-list 101 permit TCP any 172.16.1.0 255.255.255.0
fw1(config)# A dmz_traffic
fw1(config-cmap)# match access-list 101
fw1(config)# B dmz_ips
fw1(config-pmap)# class C
fw1(config-pmap-c)# ips D E
fw1(config)# service-policy dmz_ips outside
Parameters: dmz_traffic, ips, fail-open, class-map, inline, policy-map
Letters: A, B, C, D, E
Q and A


Recommended Reading
ƒ Continue your Cisco Live learning experience with further reading from Cisco Press
ƒ Check the Recommended Reading flyer for suggested books
Available Onsite at the Cisco Company Store


Complete Your Online Session Evaluation
ƒ Give us your feedback and you could win fabulous prizes. Winners announced daily.
ƒ Receive 20 Passport points for each session evaluation you complete.
ƒ Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.
Don’t forget to activate your Cisco Live virtual account for access to all session material on-demand and return for our live virtual event in October 2008. Go to the Collaboration Zone in World of Solutions or visit www.cisco-live.com.
