Cisco ASA Firewall Deployment (ASAFW) – Outline

Detailed Course Outline

Cisco ASA Adaptive Security Appliance Essentials

Evaluating Cisco ASA Adaptive Security Appliance Technologies

  • Firewalls and Security Domains
  • Firewall Technologies
  • Cisco ASA Adaptive Security Appliance Features
  • Summary

Identifying Cisco ASA Adaptive Security Appliance Families

  • Cisco ASA Adaptive Security Appliance Hardware
  • Cisco ASA 5500-X Hardware Modules
  • Cisco ASA 5500-X Software Modules
  • Summary

Identifying Cisco ASA Adaptive Security Appliance Licensing Options

  • Cisco ASA Adaptive Security Appliance Licensing Options
  • Cisco ASA Adaptive Security Appliance Licensing Requirements
  • Summary

Basic Connectivity and Device Management

Preparing the ASA for Network Integration

  • Managing the Cisco ASA Adaptive Security Appliance Boot Process
  • Managing the Cisco ASA Adaptive Security Appliance Using the CLI
  • Managing the Cisco ASA Adaptive Security Appliance Using Cisco ASDM
  • Navigating Basic Cisco ASDM Features
  • Managing the Cisco ASA Adaptive Security Appliance Basic Upgrade

Managing Basic Cisco ASA Adaptive Security Appliance Network Settings

  • Managing Cisco ASA Adaptive Security Appliance Security Levels
  • Configuring and Verifying Basic Connectivity Parameters
  • Configuring and Verifying Interface VLANs
  • Configuring a Default Route
  • Configuring and Verifying the Cisco ASA Security Appliance DHCP Server
  • Troubleshooting Basic Connectivity

Configuring Cisco ASA Adaptive Security Appliance Device Management Features

  • Configuring and Verifying Basic Device Management Settings
  • File System Management Overview
  • Managing Cisco ASA Software and Feature Activation
  • Configuring and Verifying Time Settings
  • Configuring and Verifying Event and Session Logging
  • Configuring and Verifying Remote Management Channels
  • Configuring and Verifying AAA for Management Access
  • Troubleshooting AAA for Management Access

Network Integration

Configuring ASA NAT Features

  • NAT on Cisco ASA Software Version 8.3 and Later
  • NAT Changes in Cisco Software Version 8.3 and Later
  • Cisco ASA Software Version 8.3 and Later: Object Introduction
  • NAT Table Changes: Cisco ASA Software Version 8.3 and Later
  • Order of Operation: Cisco ASA Software Version 8.3 and Later
  • Configuring Object (Auto) NAT
  • Configuration Scenario
  • Configuring Static Translations Using Auto NAT
  • Configuring the Auto NAT Traffic Direction
  • Configuring Auto NAT: Static Port (Optional)
  • Static Translations Version 8.3 and Later
  • Configuring Dynamic Translations Using Auto NAT
  • Dynamic Translations Version 8.3 and Later
  • Show xlate Command
  • Configuring Manual NAT
  • Configuration Scenario
  • Overlapping Networks Configuration Scenario
  • Configuring Translations Using Manual NAT After Auto NAT
  • NAT Table Cisco ASA Software Version 8.3 and Later
  • Manual Static NAT: Unidirectional Rule
  • Manual NAT: Inserting Rule in Specific Location
  • General Deployment Guidelines
  • Tuning and Troubleshooting NAT on the ASA
  • Tuning Translation Idle Timeout (Optional)
  • Tuning Per-Session PAT
  • NAT Route-Lookup
  • Tuning Proxy-ARP
  • Static NAT DNS Rewrite Overview
  • Troubleshooting Flow
  • Packet Tracer Tool
  • Verify NAT Configuration
  • Syslog Messages
  • Packet Processing Flow Diagram

Configuring ASA Basic Access Control Features

  • Connection Table and Local Host Table
  • Statefully Tracked Protocols
  • Examining the Connection Table
  • Basic Connection States
  • Administering the Connection Table
  • Local Host Table
  • Examining the Local Host Table
  • Administering the Local Host Table
  • State Table Logging
  • Configuring and Verifying Interface ACLs
  • Interface Access Rules Structure
  • Access Rule Statefulness
  • Configuring and Verifying Interface Access Rules and Interface Security Levels
  • Interface Access Rules Direction
  • Interface Access Rules Configuration Tasks
  • Task 1: Configure Access Rules on an Interface
  • Task 2: Optionally, Configure Time Ranges
  • Task 3: Optionally, Configure Time-Based Access Rules
  • Verify Access Rule Table
  • Interface Access Rules CLI Configuration
  • Verify Access Lists
  • Case Study: Access Rules on Three Interfaces
  • Managing Rules in Cisco ASDM
  • Managing Rules in the CLI
  • Implementation Guidelines
  • Configuring and Verifying Global ACLs
  • Case Study: Permit and Deny Specific Traffic
  • Configure Global ACL
  • Verify Global Configuration
  • View the Global ACL Configuration at the CLI
  • Configuring and Verifying Object Groups
  • Object Groups Configuration Tasks
  • Object Groups Configuration Scenario
  • Task 1: Optionally, Create Network Objects
  • Task 2: Create Network Object Groups
  • Task 3: Create Service Object Groups
  • Task 4: Use Object Groups in Access Rules
  • Object Groups CLI Configuration
  • Verifying Object Groups
  • Verifying Object Groups Using the CLI
  • Configuring and Verifying Public Servers
  • Configuring and Verifying Other Basic Access Controls
  • Cisco ASA Security Appliance uRPF Implementation
  • Configure uRPF on Cisco ASA Security Appliance Interfaces
  • Cisco ASA Security Appliance Shunning
  • Shunning CLI Configuration and Administration
  • Troubleshooting ACLs
  • Troubleshooting Flow
  • Syslog Messages
  • Correlate Access Rule to Log Messages
  • Using the Cisco ASDM Packet Tracer

Configuring ASA Routing Features

  • Static Routing
  • Static Routing Configuration Scenario
  • Create a Static or Default Route
  • Static Routing CLI Commands
  • Verify Static Routing
  • Policy-Based Routing
  • Policy-Based Routing Configuration
  • Management Routing
  • Multicast Support
  • IGMP vs. PIM
  • Cisco ASA Adaptive Security Appliance Multicast Features
  • Enabling Multicast Support
  • Multicast Support in ASDM

Configuring the ASA Transparent Firewall

  • Transparent Firewall Essentials
  • Transparent Firewall Configuration Tasks
  • Transparent Firewall Limitations
  • Transparent Firewall Outbound Data Flow
  • Transparent Firewall Outbound Data Flow with NAT
  • Transparent Firewall Inbound Data Flow
  • Configuring and Verifying Transparent Firewall Mode
  • Task 1: Change to Transparent Mode
  • Task 2: Configure BVIs
  • Task 3: Configure Interfaces
  • Task 4: Configure Management Access
  • Task 5: Configure Static Routes
  • Configuring and Verifying Transparent Firewall Layer 3 Through Layer 7 Access Controls
  • Transparent Firewall Default Security Policy
  • Allow Broadcast and Multicast Traffic
  • Allow Non-IP Traffic
  • Access Lists CLI Commands
  • Configuring and Verifying Transparent Firewall Layer 2 Access Controls
  • ARP Inspection
  • ARP Inspection Configuration Scenario
  • Task 1: Create Static ARP Mappings
  • Task 2: Enable ARP Inspection
  • ARP Inspection CLI Configuration
  • Verify ARP Inspection
  • MAC Address Table
  • Disable MAC Address Learning Configuration Scenario
  • Task 1: Disable Dynamic MAC Address Learning
  • Task 2: Configure MAC Address to Interface Mappings
  • Disable MAC Address Learning CLI Commands
  • Verify MAC Address Learning
  • Troubleshooting Transparent Firewall
  • Troubleshooting Flow

Cisco ASA Policy Control

Defining MPF on the ASA

  • Cisco MPF Overview
  • Cisco MPF Components
  • Cisco MPF Basic Configuration
  • Configuring and Verifying Layer 3 and Layer 4 Policies
  • OSI Layer 3 and Layer 4 Class Maps
  • OSI Layer 3 and Layer 4 Policy Map
  • Configuration Tasks
  • Task 1: Create a Service Policy Rule
  • Task 2: Identify Traffic Class Map
  • Task 3: Assign Actions to Traffic
  • Task 3: Assign Actions to Traffic (Optional)
  • Configure OSI Layer 3 and Layer 4 Policies: CLI Commands
  • Verify OSI Layer 3 and Layer 4 Policies
  • Configuring and Verifying a Policy for Management Traffic
  • Configure Management Policies
  • Task 1: Create a Management Service Policy Rule
  • Task 2: Identify Traffic Class Map
  • Task 3: Assign Actions to Traffic
  • Configure Management Policies: CLI Commands

Configuring ASA Connection Policy and QoS Settings

  • Basic Stateful Inspection Tuning Features
  • Basic Procedures: Input Parameters
  • Basic Stateful Inspection Tuning Guidelines
  • Tuning Basic OSI Layer 3 and Layer 4 Inspection
  • Session Timers
  • Cisco ASA IP TTL Handling
  • Cisco ASA IP Fragment Handling
  • Tune Basic OSI Layers 3 and 4 Inspection: Configuration Scenario
  • Tune Basic OSI Layers 3 and 4 Inspection: CLI Configuration
  • Tune Basic OSI Layers 3 and 4 Inspection Guidelines
  • Configuring and Verifying Advanced Connection Settings
  • TCP State Bypass
  • Tune the Cisco ASA TCP Normalizer: Configuration Scenario
  • Tune the Cisco ASA TCP Normalizer: CLI Configuration
  • Tune the Cisco ASA TCP Normalizer Guidelines
  • TCP SYN Flooding Attack
  • TCP Intercept
  • Tasks 1–3: Set Maximum Number of Embryonic Connections
  • Configure Cisco TCP Intercept: CLI Commands
  • Verify Cisco TCP Intercept
  • Configure Connection Limits Overview
  • Configure Connection Limits: CLI Commands
  • Verify Connection Limits
  • Configuring and Verifying Support for Dynamic Protocols
  • Default Ports in the Default Inspection Class
  • Default Dynamic Inspectors in the Default Inspection Class
  • Inactive Dynamic Inspectors in the Default Inspection Class
  • Cisco WAAS Inspector
  • Support for Dynamic Protocols Configuration Scenario
  • Configure Support for Dynamic Protocols: CLI Configuration
  • Task 3: Optionally, Configure Support for Custom Dynamic Applications
  • Support for Dynamic Protocols Guidelines
  • Configuring the Botnet Traffic Filter
  • Botnet Traffic Filter and the Dynamic Database
  • Botnet Traffic Filter and the Static Database
  • Configure Cisco Botnet Traffic Filter
  • Configure Cisco Botnet Traffic Filter: CLI Commands
  • Verify Cisco Botnet Traffic Filter
  • Configuring QoS on the ASA Appliance
  • Traffic Policing
  • Traffic Policing Overview
  • Traffic Policing Configuration Tasks
  • Verify Traffic Policing
  • Priority Queuing Overview
  • Configuration Tasks
  • CLI Commands
  • Troubleshooting OSI Layer 3 and Layer 4 Inspection
  • Troubleshooting Flow
  • Syslog Messages
  • TCP Normalizer Troubleshooting
  • Advanced Dynamic Inspector Troubleshooting

Configuring ASA Advanced Application Inspections

  • Module Objectives
  • Layer 5 to Layer 7 Policy Control Overview
  • Application Layer Controls
  • Input Parameters
  • OSI Layers 5 to 7 (Application) Policies: Overview
  • OSI Layers 5 to 7 (Application): Class Map
  • OSI Layers 5 to 7 (Application): Policy-Map
  • OSI Layers 5 to 7 (Application): Regular Expressions
  • Regular Expressions Overview
  • Regular Expressions: Basics and Grouping
  • Regular Expressions: Character Choice
  • Regular Expressions: Special Character and Escaping
  • Regular Expressions: Repetition
  • Regular Expressions: Spaces and Boundaries
  • Enable OSI Layers 5 to 7 (Application) Policies
  • Configure OSI Layers 5 to 7 (Application): Configuration Tasks
  • Configure OSI Layers 5 to 7 Policies
  • Verify OSI Layers 5 to 7 Policies
  • Application Layer Access Control Guidelines
  • Configuring and Verifying HTTP Inspection
  • HTTP Request and Response
  • HTTP Request and Response Details
  • Request Inspection Options
  • URL Filtering
  • Configuration Tasks: Server Protection Example
  • Preconfigured Security Levels (Optional)
  • Verify HTTP Inspection: Examine Service Policy Statistics
  • HTTP Inspection Guidelines
  • Configuration Scenario: Client Protection Example
  • Configure HTTP Inspection: CLI Configuration
  • Configuring and Verifying FTP Inspection
  • FTP Inspect Maps: Detailed Inspection Parameters
  • FTP Inspect Maps: Detailed Custom Inspections
  • FTP Inspect Maps: Security Level Macros
  • Supporting Other Layer 5 to Layer 7 Applications
  • Overview of the Cisco Unified Communications Configuration Wizard
  • Evaluate Inspection of Other Protocols
  • Troubleshooting Application Layer Inspection
  • Troubleshooting Flow
  • Syslog Messages
  • Advanced Dynamic Inspector Troubleshooting

Describing the ASA Identity Firewall Solution

  • Cisco ASA Identity Firewall Benefits
  • Cisco ASA Identity Firewall Solution Components
  • Cisco ASA Identity Firewall Flow
  • Cisco Identity Firewall Policies
  • Cisco ASA Identity-Based MFP Policy
  • Summary
  • Setting Up CDA
  • Cisco CDA versus Active Directory Agent
  • CDA Hardware Appliance and VM Requirements
  • Cisco CDA Installation
  • Cisco CDA Setup
  • CDA Application Status Verification
  • CDA CLI Operations
  • CDA GUI
  • Configuring CDA
  • Active Directory Server Configuration
  • ASA Configuration
  • Syslog Server Configuration
  • CDA User-Account Configuration
  • CDA GUI User Accounts
  • CDA GUI Password Policy Configuration
  • Cisco CDA Session Timeout Configuration
  • IP-to-Identity Mapping Display
  • Registered-Device Verification
  • Configuring ASA Identity Firewall
  • User Object Group Configuration
  • FQDN Network Object Configuration
  • Identity Firewall with Cut-Through Proxy Use Case
  • Identity Firewall with Remote-Access VPN Use Case
  • Verifying and Troubleshooting Identity Firewall
  • CDA and Active Directory Server Connectivity Test
  • Show user-identity Command
  • Show user-identity Command for Cisco CDA Verification
  • Show user-identity Command for Active Directory User Verification
  • Show user-identity Command for Active Directory
  • Group Verification
  • Show All Activated Active Directory User Groups
  • Show user-identity Command for Memory-Usage Verification
  • Identity-Based Firewall Cisco ASDM Monitoring Panes
  • CDA Management with the CLI
  • CDA Live Log Monitoring
  • Cisco CDA Troubleshooting
  • Cisco CDA Open Ports

ASA High Availability and Virtualization

Configuring ASA Interface Redundancy Features

  • Configuring and Verifying EtherChannel
  • EtherChannel Configuration
  • Configuration Scenario
  • Tasks 1–3: Configure an EtherChannel Interface
  • Configure EtherChannel: CLI Commands
  • Verify EtherChannel Interfaces: CLI Commands
  • Configuring and Verifying Redundant Interfaces
  • Cisco ASA Adaptive Security Appliance Redundant Interfaces General Deployment Guidelines
  • Redundant Interfaces Cabling Example
  • Redundant Interfaces Switchover
  • Interface Configuration
  • Configure Redundant Interfaces
  • Configure Redundant Interfaces: CLI Commands
  • Verify Redundant Interfaces: CLI Commands
  • Changing the Active Interface
  • Troubleshooting EtherChannel and Redundant Interfaces
  • Troubleshooting Flow
  • Verify Active EtherChannel
  • Troubleshoot Redundant Interfaces
  • Troubleshooting Flow
  • Verify the Switchover

Configuring ASA Active/Standby High Availability

  • Configuration Choices, Basic Procedures, and Required Input Parameters
  • Active Unit Election
  • Switchover Event
  • Failover Management
  • Failover Deployment Options
  • Failover Interfaces
  • Stateful Failover Support
  • Active/Standby Failover
  • Active/Standby Failover General Deployment Guidelines
  • Cisco ASA Security Appliance Failover Requirements
  • Configuring and Verifying Active/Standby Failover
  • Task 1: Cable Network Interfaces on Both Devices
  • Task 3: Configure Failover on the Secondary Device
  • Task 4: Configure Active and Standby IP Addresses
  • Primary Security Appliance: CLI Commands
  • Secondary Security Appliance: CLI Commands
  • Verify Active/Standby Failover
  • Forcing Failover: CLI Commands
  • Tuning and Managing Active/Standby Failover
  • Fixed Active/Standby MAC Addresses
  • Task 1: Change Failover Criteria
  • Task 2: Configure Fixed Active/Standby MAC Addresses
  • Tune Active/Standby Failover: CLI Commands
  • Zero-Downtime Failover Pair Upgrade
  • Zero-Downtime Upgrade Procedure
  • Remote Command Execution
  • Execute Remote Commands
  • Verify Configuration Mode
  • Troubleshooting Active/Standby Failover
  • Troubleshooting Flow
  • Verify Failover Peer
  • Syslog Messages

Configuring Security Contexts on the ASA

  • Multiple-Context Mode
  • ASA High Availability and Virtualization
  • Security Contexts
  • Security Contexts General Deployment Guidelines
  • Security Contexts Limitations
  • Configuring Security Contexts
  • Allocating Interfaces to a Context
  • Configure Security Contexts
  • Task 1: Enable Multiple Mode
  • Task 2: Create a Context
  • Task 3: Allocate Interfaces to the Context
  • Task 4: Specify the Startup Configuration Location
  • Configure Security Contexts: CLI Commands
  • Verifying and Managing Security Contexts
  • Changing Between Contexts in the CLI
  • Edit and Remove Security Context
  • Packet Classification
  • Packet Classification via MAC Addresses
  • Packet Classification via NAT Configuration
  • Assign Context-Specific MAC Addresses to an Interface
  • Assign Context-Specific MAC Addresses to an Interface: CLI Commands
  • Changing the Admin Context
  • Configuring and Verifying Resource Management
  • Resource Management Configuration Tasks
  • Configure Resource Management: CLI Commands
  • Troubleshooting Security Contexts
  • Troubleshooting Flow
  • Syslog Messages

Describing ASA Cluster Features

  • Cluster Performance Figures and Supported Platforms
  • Cluster Data-Interface Modes
  • Cluster Data-Interface Connections
  • CCL Functions
  • Cluster Master and Slave Unit Election
  • Centralized, Distributed, and Unsupported Cisco ASA Features
  • Cluster Dynamic-Routing Operations
  • Cluster NAT and PAT Operations
  • Summary
  • Describing ASA Cluster Terminology and Data Flows
  • Overview
  • Cluster Terminology
  • TCP Sequence Number Randomization
  • TCP Traffic Flows
  • Asymmetric UDP Traffic Flows
  • Short-Lived Traffic Flows
  • Centralized-Feature Traffic Flows
  • Traffic Flows with Secondary Connections
  • TCP Flow Rebalancing
  • Cluster Health-Check Mechanisms
  • Clustering with Multi-Context
  • Using the CLI to Configure an ASA Cluster
  • Overview
  • Cluster Configuration with the CLI
  • Cluster Interface-Mode Configuration on Each Unit
  • CCL Configuration on Each Unit
  • Cluster Management Interface Configuration from the Master Unit
  • Configuration from the Master Unit
  • Individual (Layer 3) Interface Configuration from the Master Unit
  • Cluster Bootstrap Configuration and Enabling
  • Clustering on Each Unit
  • Sample Configuration of a Two-Unit Cluster with Spanned EtherChannel Interface
  • Sample Configuration of a Two-Unit Cluster with Individual Interface
  • Cisco ASDM High Availability and Scalability Wizard
  • Verifying ASA Cluster Operations
  • Cluster Licensing
  • Cluster Interface-Mode Verification
  • Cluster Member-Status Verification
  • Cluster Health-Status Verification
  • Cluster Connections State Table Verification
  • Cluster EtherChannel Status Verification
  • Cluster Aggregated ACL Hit-Count Verification
  • Cluster Memory and CPU Usage Verification
  • Cluster Traffic-Distribution Verification
  • TCP Flow-Rebalancing Verification
  • Cluster Operation Verification via ASDM
  • Troubleshooting an ASA Cluster
  • Overview
  • Cluster Packet Captures
  • Cluster Syslog Messages
  • The debug cluster CLI Command
  • Cluster Crashinfo and Coredump
  • Split-Cluster Scenario

Appendix

Identifying Cisco ASA Adaptive Security Appliance Families

  • Legacy Cisco ASA 5500 Series Performance
  • Legacy Cisco ASA SSMs

Configuring ASA Routing Features

  • Dynamic Routing
  • How the Routing Table Is Populated
  • OSPF Configuration and Verification
  • OSPF Process Instances
  • OSPF Networks
  • OSPF Commands
  • OSPF Commands
  • OSPF Commands
  • EIGRP Configuration and Verification
  • EIGRP Process Instances
  • EIGRP Networks
  • EIGRP Commands

Configuring ASA Active/Active High Availability

  • Load Sharing of Unrelated Traffic Flows
  • Load Sharing of Related Traffic Flows
  • Active Failover Group Election
  • Failover Links
  • General Deployment Guidelines
  • Configuring and Verifying Active/Active Failover
  • Configure Active/Active Failover
  • Task 2: Enable Multiple-Context Mode
  • Task 3: Create Security Context
  • Task 5: Assign Contexts to Failover Groups
  • Task 7: Configure Failover on the Secondary Device
  • Task 8: Configure Standby IP Addresses
  • Configuration Replication
  • Verify Active/Active Failover: CLI Commands
  • Forcing Failover: CLI Commands
  • Tuning and Managing Active/Active Failover
  • Configure Support for Asymmetrically Routed Packets
  • Asymmetric Routing Support: CLI Commands
  • Change Failover Criteria: CLI Commands
  • Zero-Downtime Upgrade Procedure
  • Troubleshooting Active/Active Failover
  • Troubleshoot Active/Active Failover: Other Issues