Post on 28-Apr-2018


Deploying Cisco ASA Firewall Solutions for CCNP Security BRKCRT-8104

Mark Bernard, CCIE (Security 23846)

© 2013 Cisco and/or its affiliates. All rights reserved. BRKCRT-8104 Cisco Public

Agenda

Overview of CCNP Security

FIREWALL Exam Information

FIREWALL Topics: Technical Introduction

– What You Need to Know

– Sample Questions

Q & A


Overview of the CCNP Security Certification


CCNP Security Certified Means…

All four CCNP Security exams required. No elective options.

Some legacy CCSP exams may qualify for CCNP Security credit. See FAQ:

– https://learningnetwork.cisco.com/docs/DOC-10424

Exam No   Exam Name
642-637   Securing Networks with Cisco Routers and Switches (SECURE)
642-627   Implementing Cisco Intrusion Prevention System (IPS)
642-618   Deploying Cisco ASA Firewall Solutions (FIREWALL)
642-648   Deploying Cisco ASA VPN Solutions (VPN)


FIREWALL v2.0 Exam Information 642-618


642-618 FIREWALL v2.0 Exam

90-minute exam

Register with Pearson VUE

– www.vue.com/.cisco

Exam cost is $200.00 US


Preparing for the FIREWALL v2.0 Exam

Recommended reading

– CCNP Security Firewall 642-618 Quick Reference

– CCNP Security FIREWALL 642-618 Official Cert Guide

Recommended training via CLP

– Deploying Cisco ASA Firewall Solutions v2.0

Cisco learning network

– www.cisco.com/go/learnnetspace

Practical experience


Test Taking Tips

It’s not possible to cover everything!

We want you to get a feel for the technical level of the exam, not every topic possible

Give you suggestions, resources, some examples

Will focus on key topics


FIREWALL v2.0 High-Level Topics

Cisco ASA Adaptive Security Appliance Basic Configurations

ASA Routing Features

ASA Inspection Policy

ASA Advanced Network Protections

ASA High Availability


Topic 1 Cisco ASA Adaptive Security Appliance Basic Configurations


Topic 1: What You Need to Know

Identify the ASA product family

Implement ASA licensing

Manage the ASA boot process

Implement ASA management and user authorization features

Implement ASA access control features

Implement ASA interface settings

Implement Network Address Translation (NAT) on the ASA

Implement ASDM public server feature

Implement ASA quality of service (QoS) settings

Implement ASA transparent firewall


Cisco ASA 5500 Series Portfolio

(Portfolio chart: models are arranged by performance and scalability, from SOHO through Branch Office, Internet Edge and Campus to Data Center. Throughput and connections per second are as given on the slide.)

Firewall/VPN Only

– ASA 5505 (150 Mbps, 4K cps) – SOHO
– ASA 5510 (300 Mbps, 9K cps)
– ASA 5510 + (300 Mbps, 9K cps)
– ASA 5520 (450 Mbps, 12K cps)
– ASA 5540 (650 Mbps, 25K cps)
– ASA 5550 (1.2 Gbps, 36K cps)

Multi-Service (Firewall/VPN and IPS)

– ASA 5512-X (1 Gbps, 10K cps) NEW
– ASA 5515-X (1.2 Gbps, 15K cps) NEW
– ASA 5525-X (2 Gbps, 20K cps) NEW
– ASA 5545-X (3 Gbps, 30K cps) NEW
– ASA 5555-X (4 Gbps, 50K cps) NEW
– ASA 5585-X SSP-10 (4 Gbps, 50K cps)
– ASA 5585-X SSP-20 (10 Gbps, 125K cps)
– ASA 5585-X SSP-40 (20 Gbps, 200K cps)
– ASA 5585-X SSP-60 (40 Gbps, 350K cps)

Implementing ASA Licensing


Install and Verify Licensing Using Adaptive Security Device Manager (ASDM)


Install and Verify Licensing Using ASDM (Cont.)

Time-Based Licensing (Stackable)

Manage the ASA boot process

To change the OS boot image to a new image name, enter the following:

asa(config)# clear configure boot
asa(config)# boot system {disk0:/ | disk1:/}[path/]new_filename

For example:

asa(config)# clear configure boot
asa(config)# boot system disk0:/asa841-k8.bin

To configure the ASDM image to the new image name, enter the following command:

asa(config)# asdm image {disk0:/ | disk1:/}[path/]new_filename

Save the configuration and reload:

asa(config)# write memory
asa(config)# reload

* Be sure to check memory requirements before upgrading to 8.3 and above

Implement ASA management features

To configure the firewall for ASDM access via the CLI:

asa(config)# http server enable
asa(config)# http 192.168.1.2 255.255.255.255 inside

To configure the firewall for SSH access via the CLI:

asa(config)# crypto key generate rsa modulus 1024
asa(config)# write memory
asa(config)# aaa authentication ssh console LOCAL
WARNING: local database is empty! Use 'username' command to define local users.
asa(config)# username asauser1 password asauser1_password
asa(config)# ssh 192.168.1.2 255.255.255.255 inside
asa(config)# ssh timeout 30
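An added example, not code from the deck: a small audit over the management-plane statements shown above, flagging http/ssh source statements broader than an admin subnet or bound to the outside interface, SSH without AAA, and a missing idle timeout. The running-config text and the /24 threshold are assumptions constructed for the example.

```python
"""Audit the management-plane lines of an ASA running-config.

Added example, not from the deck: it parses the http/ssh/aaa statements
the slide configures and flags what a reviewer would question, such as
management reachable from any address or from the outside interface, SSH
without AAA, or no idle timeout. The configuration text is constructed.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: the slide's commands plus one deliberately over-broad SSH line.
SAMPLE_CONFIG = """\
http server enable
http 192.168.1.2 255.255.255.255 inside
aaa authentication ssh console LOCAL
username asauser1 password asauser1_password
ssh 192.168.1.2 255.255.255.255 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
"""

# 'http A.B.C.D MASK ifname' / 'ssh A.B.C.D MASK ifname'
ACCESS_RE = re.compile(r"^(http|ssh)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)$")


@dataclass
class ManagementAudit:
    http_enabled: bool = False
    ssh_aaa: bool = False
    ssh_timeout: Optional[int] = None
    sources: List[Tuple[str, ipaddress.IPv4Network, str]] = field(default_factory=list)
    findings: List[str] = field(default_factory=list)


def parse_management(config: str) -> ManagementAudit:
    """Collect the management-access statements from a running-config."""
    audit = ManagementAudit()
    for raw in config.splitlines():
        line = raw.strip()
        if line == "http server enable":
            audit.http_enabled = True
        elif line.startswith("aaa authentication ssh console"):
            audit.ssh_aaa = True
        elif line.startswith("ssh timeout"):
            audit.ssh_timeout = int(line.split()[-1])
        else:
            m = ACCESS_RE.match(line)
            if m:
                proto, host, mask, ifname = m.groups()
                # The ASA gives host + mask; IPv4Network accepts that form directly.
                net = ipaddress.IPv4Network(f"{host}/{mask}", strict=False)
                audit.sources.append((proto, net, ifname))
    return audit


def audit_management(config: str, min_prefixlen: int = 24) -> ManagementAudit:
    """Run the checks and return the audit with its findings filled in."""
    audit = parse_management(config)
    for proto, net, ifname in audit.sources:
        if net.prefixlen < min_prefixlen:   # broader than an admin subnet (assumed /24)
            audit.findings.append(f"{proto} access from {net} on {ifname} is too broad")
        if ifname.lower() == "outside":
            audit.findings.append(f"{proto} access is permitted on the outside interface ({net})")
    if any(p == "ssh" for p, _, _ in audit.sources) and not audit.ssh_aaa:
        audit.findings.append("ssh is enabled without 'aaa authentication ssh console'")
    if audit.ssh_timeout is None:
        audit.findings.append("no 'ssh timeout' configured; the default idle timeout applies")
    return audit
```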

Implement ASA User Roles

Setting Privilege Level

Implement ASA interface settings

1. Interface name

2. Interface security level

3. IP address and subnet mask

4. Enable interface

(Topology: Inside 192.168.1.80/24, Outside 10.1.1.80/24 towards the Internet)

asa(config)# interface ethernet0/0
asa(config-if)# nameif inside
asa(config-if)# security-level 100
asa(config-if)# ip address 192.168.1.80 255.255.255.0
asa(config-if)# no shutdown

Configure Network and Interface Settings (Cont.)

Inter-Interface or Intra-Interface Communication

Configure VLANs

Physical interfaces are separated into sub-interfaces (logical interfaces) using 802.1Q trunking.

(Diagram: a trunk port carries vlan10, vlan20 and vlan30 to the sub-interfaces dmz1 172.16.10.1, dmz2 172.16.20.1 and dmz3 172.16.30.1, which host a public server, a partner server and a proxy server; inside network 192.168.1.0, outside network 10.1.1.0 towards the Internet.)

Logical and Physical Interfaces


Configuring an EtherChannel Interface

Note: The device to which you connect the ASA EtherChannel must also support 802.3ad EtherChannels

EtherChannel Configuration

Select Add Interface, then select EtherChannel Interface

EtherChannel Configuration

interface Port-channel 1
 lacp max-bundle 4
 port-channel min-bundle 2
 port-channel load-balance dst-ip
interface GigabitEthernet0/0
 channel-group 1 mode active
interface GigabitEthernet0/1
 channel-group 1 mode active

Configure Redundant Interfaces Using ASDM

A logical redundant interface pairs an active and a standby physical interface.

When the active interface fails, the standby interface becomes active and starts passing traffic.

Used to increase the reliability of the adaptive security appliance.

You can monitor redundant interfaces for failover using the monitor-interface command.

Configure Redundant Interfaces Using ASDM (Cont.)

Select Add Interface, then select Redundant Interface

Redundant Interface CLI Configuration

Abbreviated form:

int redundant 1
 member-interface gig 0/0
 member-interface gig 0/1

Full form, with the interface settings applied:

interface Redundant1
 member-interface GigabitEthernet0/0
 member-interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 1.1.1.1 255.255.255.0

Security Appliance ACL Configuration

Security appliance configuration philosophy is interface based *

Interface ACL permits or denies the initial packet incoming or outgoing on that interface

Return traffic does not need to be specified if inspected

If no ACL is attached to an interface, the following ASA policy applies:

– Outbound packet is permitted by default

– Inbound packet is denied by default

ACLs can be simplified by defining object groups for IP addresses and services

* 8.3 introduces the concept of the Global ACL (access-group <name> global)

(Diagram: Outside – ASA – Inside, Internet on the outside; an ACL on the outside interface denies inbound access, an ACL on the inside interface controls outbound access.)
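The default interface policy described above, modelled as an added example (not code from the deck): with no ACL bound inbound on the ingress interface the security levels decide, and once an ACL is bound it decides alone with an implicit deny at the end. The interface names and levels, the same-security flag and the sample packets are assumptions; the ACL entry is the outside-in rule from the static NAT slide later in the deck.

```python
"""Decide whether an ASA forwards the first packet of a new connection.

Added example, not from the deck. Without an inbound ACL on the ingress
interface, higher-to-lower security traffic is permitted and lower-to-
higher is denied; equal levels need 'same-security-traffic permit
inter-interface'. Once an ACL is bound to the ingress interface it decides
alone, with an implicit deny at the end. Interface names, levels and the
test packets are assumptions; the ACL entry is the deck's outside-in rule
(written against the real address, as 8.3 and later require).
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Ace:
    """One access-list entry: permit|deny <proto> <src> <dst> [eq <port>]."""
    action: str
    protocol: str            # "ip" matches any IP protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None

    def matches(self, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
        if self.protocol != "ip" and self.protocol != proto:
            return False
        if ipaddress.ip_address(src) not in self.src:
            return False
        if ipaddress.ip_address(dst) not in self.dst:
            return False
        return self.dport is None or self.dport == dport


@dataclass
class Interface:
    name: str
    security_level: int
    acl_in: Optional[List[Ace]] = None   # None: no access-group bound inbound


class Asa:
    def __init__(self, interfaces: List[Interface], permit_inter_interface: bool = False):
        self.ifaces: Dict[str, Interface] = {i.name: i for i in interfaces}
        # 'same-security-traffic permit inter-interface'
        self.permit_inter_interface = permit_inter_interface

    def initial_packet(self, ingress: str, egress: str, proto: str,
                       src: str, dst: str, dport: Optional[int] = None) -> str:
        """Return 'permit:<reason>' or 'deny:<reason>' for the flow's first packet."""
        i, e = self.ifaces[ingress], self.ifaces[egress]
        if i.acl_in is not None:
            # A bound ACL replaces the security-level default: first match wins,
            # and anything that matches no entry hits the implicit deny.
            for ace in i.acl_in:
                if ace.matches(proto, src, dst, dport):
                    return f"{ace.action}:interface-acl"
            return "deny:implicit-deny"
        if i.security_level > e.security_level:
            return "permit:higher-to-lower-default"
        if i.security_level < e.security_level:
            return "deny:lower-to-higher-default"
        if self.permit_inter_interface:
            return "permit:same-security-inter-interface"
        return "deny:same-security-level"


def net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.IPv4Network(s)


def slide_asa(permit_inter_interface: bool = False) -> Asa:
    """Assumed topology: inside(100), dmz(50), dmz2(50), outside(0) with outside-in bound."""
    # access-list outside-in permit ip any host 192.168.1.23
    outside_in = [Ace("permit", "ip", net("0.0.0.0/0"), net("192.168.1.23/32"))]
    return Asa([
        Interface("inside", 100),
        Interface("dmz", 50),
        Interface("dmz2", 50),
        Interface("outside", 0, acl_in=outside_in),
    ], permit_inter_interface)
```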

NAT Overview

Network Address Translation (NAT) and Port Address Translation (PAT)

Used to translate IP addresses and ports

Not required by default (NAT control is disabled)

Concepts

– Static NAT and static policy NAT

– Dynamic NAT and dynamic policy NAT

– Identity NAT


NAT Post ASA Version 8.3

NAT is redesigned in 8.3 and above to simplify operations:

A single rule can translate both the source and destination IP address.

You can also manually establish the order in which NAT rules are processed.

Introduction of NAT to "any" interface

Two NAT modes are available in 8.3 and above:

Network Object NAT: a translation rule defined within a network object. Well suited for source-only NAT. Sometimes referred to as "Auto NAT".

Manual NAT: policy-based NAT, used when the source and destination address or port need to be considered. Sometimes referred to as Twice NAT.

Dynamic NAT Using Network Object NAT

The following example configures dynamic NAT that maps (dynamically hides) the 10.1.1.0 network to the outside interface address:

asa(config)# object network Network-Inside-Out
asa(config-network-object)# subnet 10.1.1.0 255.255.255.0
asa(config-network-object)# description Nat Inside Users To Outside Interface
asa(config-network-object)# nat (inside,outside) dynamic interface

(Diagram: inside hosts 10.1.1.100, 10.1.1.101 and 10.1.1.102 reach an external web server across the Internet through the outside interface address 96.33.100.1.)

Dynamic NAT Using Network Object NAT (Cont.)

The same translation in the two syntaxes:

! ASA 8.3
asa(config)# object network Network-Inside-Out
asa(config-network-object)# subnet 10.1.1.0 255.255.255.0
asa(config-network-object)# nat (inside,outside) dynamic interface

! ASA 8.2
asa(config)# nat (inside) 1 10.1.1.0 255.255.255.0
asa(config)# global (outside) 1 interface

Network Object NAT On The ASDM

Select Network Object, then check Auto Translation Rule

Static Object NAT Example

The following example configures a translation to a Web Server in the DMZ. The external address in DNS is 96.33.100.5 and the internal address is 192.168.1.23:

asa(config)# object network DMZ-WEBSERVER
asa(config-network-object)# host 192.168.1.23
asa(config-network-object)# description Static Nat For DMZ WebServer
asa(config-network-object)# nat (dmz,outside) static 96.33.100.5
asa(config-network-object)# exit
asa(config)# access-list outside-in permit ip any host 192.168.1.23
asa(config)# access-group outside-in in interface outside

(Diagram: an external host on the Internet reaches the DMZ web server at 96.33.100.5, which is 192.168.1.23 on the inside.) Note that the access list references the real address 192.168.1.23, as 8.3 and later require.

Static PAT (Object NAT)

Used to create a translation between an outside interface address/port and a local IP address/port.

– 96.33.100.2/HTTP redirected to 192.168.1.100/HTTP

– 96.33.100.2/FTP redirected to 192.168.1.101/FTP

(Diagram: an external user on the Internet reaches 96.33.100.2 for HTTP and FTP; HTTP lands on 192.168.1.100 and FTP on 192.168.1.101.)

Static PAT (Object NAT) (Cont.)

asa(config)# object network DMZ-WEBSERVER
asa(config-network-object)# host 192.168.1.100
asa(config-network-object)# nat (dmz,outside) static interface service tcp www www
asa(config)# object network DMZ-FTPSERVER
asa(config-network-object)# host 192.168.1.101
asa(config-network-object)# nat (dmz,outside) static interface service tcp ftp ftp

Manual Twice NAT

asa(config)# object network contractors
asa(config-network-object)# subnet 10.2.2.0 255.255.255.0
asa(config)# object network translated-ip
asa(config-network-object)# host 96.33.100.100
asa(config)# object network cisco-dot-com
asa(config-network-object)# host 64.32.2.4
asa(config-network-object)# exit
asa(config)# nat (inside,outside) source static contractors translated-ip destination static cisco-dot-com cisco-dot-com

(Diagram: contractors 10.2.2.0 and inside users 10.1.1.0 sit behind the inside interface; the outside interface is 96.33.100.1; contractors are seen as 96.33.100.100 only when they reach www.cisco.com at 64.32.2.4.)

Identity NAT Example (Manual NAT)

asa(config)# object network vpn-subs
asa(config-network-object)# range 192.168.3.1 192.168.3.63
asa(config-network-object)# exit
! inside-net is a network object for the inside subnet, defined elsewhere
asa(config)# nat (inside,outside) source static inside-net inside-net destination static vpn-subs vpn-subs

(Diagram: original packet 10.1.1.15 -> 192.168.3.3 on the inside; translated packet 10.1.1.15 -> 192.168.3.3 on the outside, unchanged, across the VPN tunnel to Branch A.)

Implement ASA quality of service (QoS) settings

Implement ASA transparent firewall

Explain Differences Between L2 and L3 Operating Modes

The security appliance can run in two mode settings:

– Routed—based on IP address

– Transparent—based on MAC address

The following features are not supported in transparent mode:

– NAT

– Dynamic routing protocols

– IPv6

– DHCP relay

– Quality of service

– Multicast

– VPN termination for through traffic

(Diagram: in routed mode the ASA separates 10.0.1.0 on VLAN 100 from 10.0.2.0 on VLAN 200; in transparent mode VLAN 100 and VLAN 200 both carry the same 10.0.1.0 subnet.)

Configure Security Appliance for Transparent Mode (L2)

Layer 3 traffic must be explicitly permitted

Each directly connected network must be on the same subnet

The management IP address must be on the same subnet as the connected network

Do not specify the firewall appliance management IP address as the default gateway for connected devices

Devices need to specify the router on the other side of the firewall appliance as the default gateway

Each interface must be a different VLAN interface

(Diagram: VLAN 100 and VLAN 200 both carry 10.0.1.0; the ASA management IP address is 10.0.1.1, the router towards the Internet is 10.0.1.10, and the hosts 10.0.1.3 and 10.0.1.4 use 10.0.1.10 as their gateway.)

asa(config)# firewall transparent
Switched to transparent mode
asa(config)# show firewall
Firewall mode: Transparent

Verify the Firewall Mode of the Security Appliance Using ASDM


Topic 2 ASA Routing Features


ASA Routing Capabilities

Static routing

Dynamic routing

– RIP

– OSPF

– EIGRP

Multicast Stub or Bi-directional PIM (can’t be configured concurrently)

(Diagram: ASA with Outside towards the Internet, Inside, DMZ1 and DMZ2 interfaces.)

Configuring Static Routes

(Diagram: default route towards the Internet via 10.10.10.1.)

asa(config)# route outside 0 0 10.10.10.1
asa(config)# sh run | inc route
route outside 0.0.0.0 0.0.0.0 10.10.10.1 1
route inside 192.168.10.0 255.255.255.0 192.168.1.2 1
route inside 192.168.10.0 255.255.255.0 192.168.2.1 2
route inside 192.168.30.0 255.255.255.0 192.168.1.2 1

The two routes to 192.168.10.0 differ only in metric: the metric-1 route via 192.168.1.2 is used while it is available, and the metric-2 route via 192.168.2.1 is a backup that takes over if the first route is withdrawn (for example because its interface goes down).

Configuring Dynamic Routing (EIGRP)

Step 1, Step 2 and Step 3 (ASDM screenshots)

Topic 3 ASA Inspection Policy


Advanced Protocol Inspection

Advanced protocol inspection gives you options such as the following for defending against application layer attacks:

Blocking *.exe attachments

Prohibiting use of Kazaa or other peer-to-peer file-sharing programs

Setting limits on URL lengths

Prohibiting file transfer or whiteboard as part of IM sessions

Protecting your web services by ensuring that XML schema is valid

Resetting a TCP session if it contains a string you know is malicious

Dropping sessions with packets that are out of order


Configuring Layer 3/4 Inspection

1. Create a Layer 3/4 class map to identify traffic by matching:

– An ACL

– Any packet

– The default inspection traffic

– A DSCP value

– A destination IP address

– TCP or UDP ports

– IP precedence

– RTP ports

– A tunnel-group

2. Create a Layer 3/4 policy map to associate one of the following policy actions with traffic defined in a Layer 3/4 class map:

– TCP normalization

– TCP and UDP connection limits and timeouts

– TCP sequence number randomization

– Application inspection

– Cisco CSC

– Cisco IPS

– QoS policing

– QoS priority queuing

3. Use a service policy to activate the Layer 3/4 policy.

Configuring Layer 7 Inspection

1. Create a Layer 7 class map to identify traffic by matching criteria specific to applications: DNS, FTP, H.323, HTTP, IM, RTSP, SIP

2. Create a Layer 7 policy map to defend against Application Layer attacks by referencing a Layer 7 class map and applying an action

3. Create a Layer 3/4 policy map to associate traffic defined in a Layer 3/4 class map and reference the Layer 7 policy map

4. Use a service policy to activate the Layer 3/4 policy on an interface or globally

Layer 3/4 Class Maps vs. Layer 7 Class Maps

Layer 3/4 Class Maps

– Match traffic based on protocols, ports, IP addresses, and other layer 3 or 4 attributes: ACL, any packet, default inspection traffic, IP differentiated services code point, TCP and UDP ports, IP precedence, RTP port numbers, VPN tunnel group

– Typically contain only one match condition

– Are mandatory MPF components

Layer 7 Class Maps

– Work with layer 7 policy maps to implement advanced protocol inspection

– Match criteria are specific to one of the following applications: DNS, FTP, H.323, HTTP, IM, RTSP, SIP

– Enable you to specify a not operator for a match condition

– Can contain one or more match conditions

– Can use regular expressions as match criteria

– Are optional MPF components (match criteria can be specified in a layer 7 policy map instead)

Layer 3/4 Policy Maps vs. Layer 7 Policy Maps

Layer 3/4 Policy Maps

– Used to create the following policy types: application inspection, TCP normalization, TCP and UDP connection limits and timeouts, TCP sequence number randomization, Cisco CSC, Cisco IPS, QoS input policing, QoS output policing, QoS priority queue

– Must be applied to an interface or globally via a service policy

– Are mandatory MPF components

Layer 7 Policy Maps

– Implement advanced protocol inspection, which defends against application layer attacks

– Also called Inspection Policy Maps

– Can be used for advanced inspection of: DCERPC, DNS, ESMTP, FTP, GTP, H.323, HTTP, IM, IPsec Pass Through, MGCP, NetBIOS, RTSP, SCCP (Skinny), SIP, SNMP

– Must be applied to a layer 3/4 policy map

– Are optional MPF components

Filtering FTP Commands: Layer 7 Policy Map (ASDM screenshots, two slides)

Filtering FTP Commands: Service Policy Rule (ASDM screenshots, two slides)

Topic 4 ASA Advanced Network Protection


Task Flow for Configuring the ASA Botnet Traffic Filter

To configure the Botnet Traffic Filter, perform the following steps:

1. Enable use of the dynamic database.

2. (Optional) Add static entries to the database.

3. Enable DNS snooping.

4. Enable traffic classification and actions for the Botnet Traffic Filter.

5. (Optional) Block traffic manually based on syslog message information.

Configure Threat Detection

Basic threat detection

- Blocks attackers by monitoring rate of dropped packets and security events per second

- When event thresholds are exceeded, attackers are blocked

- Enabled by default

Scanning threat detection

- Blocks attackers performing port scans

- Disabled by default

(Diagram: attacker on the Internet, ASA, DMZ server.)

Configuring Threat Detection


Topic 5 ASA High Availability


Configuring Virtual Firewalls

Enables a physical firewall to be partitioned into multiple standalone firewalls

Each standalone firewall acts and behaves as an independent entity with its own

– Configuration

– Interfaces

– Security Policy

– Routing Table

Example scenarios in which to use Virtual Firewalls

– Education network that wants to segregate student networks from teacher networks

– Service provider that wants to protect several customers without a physical firewall for each.

– Large enterprise with various departments

Active/Active Failover Configuration

1. Cable the interfaces on both ASAs

2. Ensure that both ASAs are in multiple context mode (mode multiple)

3. Configure contexts and allocate interfaces to contexts

4. Enable and assign IP addresses to each interface that is allocated to a context

5. Prepare both security appliances for configuration via ASDM

6. Use the ASDM high availability and scalability Wizard to configure the ASA for failover

7. Verify that ASDM configured the secondary ASA with the LAN-based failover command set

8. Save the configuration to the secondary ASA to flash

(Diagram: two ASAs, each with context CTX1 in failover group 1 and CTX2 in failover group 2, interfaces g0/0 to g0/4, and a failover link between 172.17.2.1 and 172.17.2.7.)

Hardware and Stateful Failover

Hardware failover

– Connections are dropped

– Client applications must reconnect

– Provided by serial or LAN-based failover link

– Active/Standby—only one unit can be actively processing traffic while the other is hot standby

– Active/Active—both units can actively process traffic and serve as backup units

Stateful failover

– TCP connections remain active

– No client applications need to reconnect

– Provides redundancy and stateful connection

– Provided by stateful link

Explain the Hardware, Software, and Licensing Requirements for High-Availability

The primary and secondary security appliances must be identical in the following requirements:

– Same model number and hardware configurations

– Similar software versions

– Same Hardware

– Proper licensing (8.3 and above)

(Diagrams: Active/Standby with the primary in standby and the secondary active; Active/Active with contexts 1 and 2 split across the pair, the primary shown failed/standby and the secondary active.)

Active/Standby Failover Configuration

One ASA acts as the active or primary and the other acts as the secondary or standby firewall

Primary and secondary communicate over a configured LAN-based failover interface

The primary is active and passes traffic; in the event of a failure the secondary takes over

(Diagram: primary fw1 and the secondary share the 192.168.2.0 and 10.0.2.0 networks, with .1/.2 on the primary and .7 as the standby addresses, plus a 172.17.2.0 failover network using .1 and .7.)

Active/Standby Failover Configuration (Cont.)

1. Cable the interfaces on both ASAs

2. Prepare both security appliances for configuration via ASDM

3. Use the ASDM high availability and scalability Wizard to configure the primary ASA for failover

4. Verify that ASDM configured the secondary ASA with the LAN-based failover command set

5. Save the configuration to the secondary ASA to flash

Configure Active/Standby Using ASDM

Select Active/Standby


Configure Active/Active Using ASDM

Select Active/Active

SAMPLE QUESTIONS


Question 1

A primary ASA in a failover pair has failed causing the secondary ASA to become active. After resolving the issue, what command should be executed on the primary ASA to make it the active firewall?

A. Failover active

B. Failover active group 1

C. Failover secondary group 1

D. Standby group 1 active


Question 2

Which of these commands will show you the contents of flash memory on the Cisco ASA? (Choose two.)

A. dir

B. show info flash

C. directory view disk0:/

D. show run disk

E. flash view

F. show flash


Question 3

When provisioning a service policy using ASDM what order are the elements created in?

A. Class-map > Policy-Map > Service-Policy

B. Service-Policy > Class-map > Policy-Map

C. Service-Policy > Policy-Map > Service-Policy

D. Policy-Map > Service-Policy > Class-Map


Question 4

When using sub-interfaces, which method prevents the main interfaces from sending untagged traffic?

A. Use the vlan command on the main interface

B. Use the shutdown command on the main interface

C. Omit the nameif command on the subinterface

D. Omit the nameif command on the main interface


Question 5

Choose two correct statements about multiple context mode:

A. Multiple context mode does not support dynamic routing protocols, IPS, and VPNs

B. Multiple context mode enables you to create multiple independent virtual firewalls with their own security polices and interfaces

C. Multiple context mode enables support for additional hardware modules and firewalls

D. When you convert from single mode to multiple mode, the security appliance automatically adds an entry for the admin context to the system configuration with the name "admin"
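Added example, not from the deck: the system-execution-space configuration that creates an admin context and two customer contexts sharing one trunked port. Context names, interface numbers, VLAN IDs and file names are assumptions. Entering mode multiple forces a reload and converts the running configuration into a system configuration plus admin.cfg.

```text
! Added example, not from the session deck. Context names, interfaces,
! VLAN IDs and config-url file names are assumptions.
mode multiple
!
! System execution space: physical ports and VLAN subinterfaces are
! created here; nameif, security-level and addresses live in each context.
interface GigabitEthernet0/0
 no shutdown
interface GigabitEthernet0/0.100
 vlan 100
interface GigabitEthernet0/0.200
 vlan 200
interface GigabitEthernet0/1
 no shutdown
interface GigabitEthernet0/1.10
 vlan 10
interface GigabitEthernet0/1.20
 vlan 20
!
! The admin context: used for system management and remote access
! to the system space.
admin-context admin
context admin
 allocate-interface Management0/0
 config-url disk0:/admin.cfg
!
! Two independent virtual firewalls, each seeing only its own
! interfaces under the mapped names "outside" and "inside".
context CUST-A
 description Virtual firewall for customer A
 allocate-interface GigabitEthernet0/0.100 outside
 allocate-interface GigabitEthernet0/1.10 inside
 config-url disk0:/cust-a.cfg
!
context CUST-B
 description Virtual firewall for customer B
 allocate-interface GigabitEthernet0/0.200 outside
 allocate-interface GigabitEthernet0/1.20 inside
 config-url disk0:/cust-b.cfg
!
! Confirm every context loaded its configuration
show context
```

Each context is then configured on its own (changeto context CUST-A) and sees only the interfaces allocated to it, under the mapped names given here; the system configuration itself carries no nameif, access lists or NAT. show context from the system space confirms that each config-url was read successfully.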


Question 6

Which three features does the ASA support?

A. BGP dynamic routing

B. 802.1Q trunking

C. EIGRP dynamic routing

D. OSPF dynamic routing


Question 7

For which purpose is the Cisco ASA CLI command aaa authentication match used?

A. Enable authentication for connections through the Cisco ASA appliance

B. Enable authentication to the Cisco ASA appliance for SSH

C. Enable authentication to the Cisco ASA appliance for TELNET

D. Enable authentication for console connections to the Cisco ASA appliance
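Added example (not part of the deck) showing the distinction behind this question: aaa authentication match drives the cut-through proxy for traffic passing through the ASA, while the ssh/serial console forms authenticate administrators to the ASA itself. The RADIUS group name and address, shared secret, listener port and subnets are assumptions.

```text
! Added example, not from the session deck. Server group, address,
! shared secret, listener port and subnets are assumptions.
aaa-server CORP-RADIUS protocol radius
aaa-server CORP-RADIUS (inside) host 10.1.1.5
 key ExampleSharedSecret
!
! Which THROUGH-the-box flows must authenticate first
access-list AUTH-REQUIRED extended permit tcp 10.1.0.0 255.255.0.0 any eq 80
access-list AUTH-REQUIRED extended permit tcp 10.1.0.0 255.255.0.0 any eq 23
!
! Cut-through proxy: users arriving on inside are challenged once, and
! the result is cached per source IP for the uauth timeout.
aaa authentication match AUTH-REQUIRED inside CORP-RADIUS
!
! Redirect unauthenticated HTTP to an ASA-hosted login page on this port
! instead of injecting a prompt into the real web session, and serve
! that login page over HTTPS.
aaa authentication listener http inside port 1080 redirect
aaa authentication secure-http-client
timeout uauth 0:30:00 absolute
!
! Contrast: authentication TO the box for management sessions
aaa authentication ssh console CORP-RADIUS LOCAL
aaa authentication serial console LOCAL
!
! Inspect the cache of authenticated users
show uauth
```

The uauth cache is keyed by source IP address, so hosts that share an address (behind an upstream NAT, or on a terminal server) inherit one another's authentication; keep the timeout short in those environments. Telnet prompts carry credentials in the clear, so the HTTPS listener is the form to expose to users.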


Question 8

What is the reason that you want to configure VLANs on a security appliance interface?

A. Enable failover and VLANs to improve reliability

B. Allow transparent firewall mode to be used

C. Increase the number of interfaces available to the network without adding additional physical interfaces or security appliances

D. Enable multiple context mode where you can map only VLAN interfaces to contexts
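One configuration serves both this question and Question 4 above (added example, not from the deck): 802.1Q subinterfaces add logical interfaces without more physical ports, and the way to stop the physical port from passing untagged frames is to leave it enabled but without a nameif. Port number, VLAN IDs, interface names and addresses are assumptions.

```text
! Added example, not from the session deck. Port, VLAN IDs, names and
! addresses are assumptions.
!
! Physical port: enabled, but with no nameif, security-level or IP
! address. Without a nameif it cannot pass untagged frames, so only the
! tagged subinterfaces below carry traffic.
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
 no shutdown
!
! One logical interface per VLAN on the same port
interface GigabitEthernet0/1.10
 vlan 10
 nameif dmz-web
 security-level 50
 ip address 172.16.10.1 255.255.255.0
!
interface GigabitEthernet0/1.20
 vlan 20
 nameif dmz-db
 security-level 60
 ip address 172.16.20.1 255.255.255.0
!
! The switch port must be an 802.1Q trunk carrying only these VLANs;
! a VLAN mismatch shows as a subinterface that is up/up yet sees no traffic.
show interface GigabitEthernet0/1.10
show nameif
```

The physical interface must stay no shutdown: shutting it down also takes down every subinterface on it, which is why that is not the way to suppress untagged traffic. The number of VLAN subinterfaces you can create is bounded by the platform license, which show version reports.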


Question 9

What are two purposes of the same-security-traffic permit intra-interface command? (Choose two.)

A. Allow a hub-and-spoke VPN design on one interface.

B. Enable Dynamic Multipoint VPN

C. Allow traffic in and out of the same interface when the traffic is IPSec protected

D. Allow traffic between different interfaces with matching security levels


Question 10

Which command will display NAT translations on the ASA?

A. show ip nat all

B. show running-configuration nat

C. show xlate

D. show nat translation
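Added example covering both this question and Question 9 above (not from the deck): hairpinning remote-access VPN traffic back out the outside interface needs same-security-traffic permit intra-interface plus NAT rules for the VPN pool, and show xlate is how you confirm the translations that result. The pool, inside range and object names are assumptions.

```text
! Added example, not from the session deck. Pool, inside range and
! object names are assumptions.
!
! Allow a flow to enter and leave the same interface (hairpinning):
! a VPN client on outside reaching the Internet back out through outside,
! or spoke-to-spoke traffic relayed through a hub's single interface.
same-security-traffic permit intra-interface
!
! Different command: traffic between two interfaces that share a
! security level. This is not what intra-interface controls.
same-security-traffic permit inter-interface
!
object network VPN-POOL
 subnet 192.168.100.0 255.255.255.0
object network INSIDE-NET
 subnet 10.1.0.0 255.255.0.0
 ! Regular inside hosts: dynamic PAT behind the outside interface address
 nat (inside,outside) dynamic interface
!
! Identity (no-translation) twice NAT between VPN clients and inside hosts,
! placed before the object NAT above in the NAT table
nat (inside,outside) source static INSIDE-NET INSIDE-NET destination static VPN-POOL VPN-POOL
!
! Hairpinned Internet-bound VPN traffic is PATed to the outside address
nat (outside,outside) source dynamic VPN-POOL interface
!
! Verify: live translation slots, one client's slots, and rule hit counts
show xlate
show xlate local 192.168.100.5
show nat detail
!
! After changing NAT, flush existing slots so connections use the new rules
! (this drops the affected connections)
clear xlate
```

show xlate lists the active translation slots with their flags and idle timers, while show nat detail lists the rules themselves with translate_hits and untranslate_hits per rule, which tells you whether a rule is being used at all. show running-config nat only shows what was configured, not what is currently translated.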
