Deploying Cisco ASA Firewall Solutions ford2zmdbbm9feqrf.cloudfront.net/2013/usa/pdf/BRKCRT-… ·...

Transcript of Deploying Cisco ASA Firewall Solutions (2013-06-26, Deploying Cisco ASA Firewall Solutions v2.0)

Deploying Cisco ASA Firewall Solutions for CCNP Security BRKCRT-8104

Mark Bernard, CCIE (Security 23846)


© 2013 Cisco and/or its affiliates. All rights reserved. BRKCRT-8104 Cisco Public

Agenda

Overview of CCNP Security

FIREWALL Exam Information

FIREWALL Topics: Technical Introduction

– What You Need to Know

– Sample Questions

Q & A


Overview of the CCNP Security Certification


CCNP Security Certified Means…

All four CCNP Security exams required. No elective options.

Some legacy CCSP exams may qualify for CCNP Security credit. See FAQ:

– https://learningnetwork.cisco.com/docs/DOC-10424

Exam No    Exam Name
642-637    Securing Networks with Cisco Routers and Switches (SECURE)
642-627    Implementing Cisco Intrusion Prevention System (IPS)
642-618    Deploying Cisco ASA Firewall Solutions (FIREWALL)
642-648    Deploying Cisco ASA VPN Solutions (VPN)


FIREWALL v2.0 Exam Information 642-618


642-618 FIREWALL v2.0 Exam

90-minute exam

Register with Pearson Vue

– www.vue.com/.cisco

Exam cost is $200.00 US


Preparing for the FIREWALL v2.0 Exam

Recommended reading

– CCNP Security Firewall 642-618 Quick Reference

– CCNP Security FIREWALL 642-618 Official Cert Guide

Recommended training via CLP

– Deploying Cisco ASA Firewall Solutions v2.0

Cisco learning network

– www.cisco.com/go/learnnetspace

Practical experience


Test Taking Tips

It’s not possible to cover everything!

We want you to get a feel for the technical level of the exam, not every topic possible

Give you suggestions, resources, some examples

Will focus on key topics


Firewall V 2.0 High-Level Topics

Cisco ASA Adaptive Security Appliance Basic Configurations

ASA Routing Features

ASA Inspection Policy

ASA Advanced Network Protections

ASA High Availability


Topic 1 Cisco ASA Adaptive Security Appliance Basic Configurations


Topic 1: What You Need to Know

Identify the ASA product family

Implement ASA licensing

Manage the ASA boot process

Implement ASA management and user authorization features

Implement ASA access control features

Implement ASA interface settings

Implement Network Address Translation (NAT) on the ASA

Implement ASDM public server feature

Implement ASA quality of service (QoS) settings

Implement ASA transparent firewall


Cisco ASA 5500 Series Portfolio

(Figure: models arranged by performance and scalability, from SOHO through Branch Office, Internet Edge and Campus to Data Center. Throughput and connections per second as printed on the slide.)

Firewall/VPN only:
  ASA 5505 (150 Mbps, 4K cps), SOHO
  ASA 5510 (300 Mbps, 9K cps)
  ASA 5510+ (300 Mbps, 9K cps)
  ASA 5520 (450 Mbps, 12K cps)
  ASA 5540 (650 Mbps, 25K cps)
  ASA 5550 (1.2 Gbps, 36K cps)

Multi-service (Firewall/VPN and IPS):
  ASA 5512-X (1 Gbps, 10K cps), NEW
  ASA 5515-X (1.2 Gbps, 15K cps), NEW
  ASA 5525-X (2 Gbps, 20K cps), NEW
  ASA 5545-X (3 Gbps, 30K cps), NEW
  ASA 5555-X (4 Gbps, 50K cps), NEW
  ASA 5585-X SSP-10 (4 Gbps, 50K cps)
  ASA 5585-X SSP-20 (10 Gbps, 125K cps)
  ASA 5585-X SSP-40 (20 Gbps, 200K cps)
  ASA 5585-X SSP-60 (40 Gbps, 350K cps)


Implementing ASA Licensing


Install and Verify Licensing Using Adaptive Security Device Manager (ASDM)


Install and Verify Licensing Using ASDM (Cont.)

Time-based licensing (stackable)

Manage the ASA boot process

To change the OS boot image to a new image name, enter the following:

asa(config)# clear configure boot
asa(config)# boot system {disk0:/ | disk1:/}[path/]new_filename

For example:

asa(config)# clear configure boot
asa(config)# boot system disk0:/asa841-k8.bin

To point ASDM at the new image, enter the following command:

asa(config)# asdm image {disk0:/ | disk1:/}[path/]new_filename

Save the configuration and reload:

asa(config)# write memory
asa(config)# reload

Notes:
– clear configure boot removes every existing boot system entry, so the new image becomes the only candidate. If no boot system entry exists at all, the ASA boots the first valid image it finds in internal flash.
– Verify the copied image before pointing boot system at it (the ASA verify command computes and checks the image digest), and keep the previous image on flash until the new one has booted cleanly.
– Be sure to check memory requirements before upgrading to 8.3 and above.


Implement ASA management features

To configure the firewall for ASDM access via the CLI:

asa(config)# http server enable
asa(config)# http 192.168.1.2 255.255.255.255 inside

To configure the firewall for SSH access via the CLI:

asa(config)# crypto key generate rsa modulus 1024
asa(config)# write memory
asa(config)# aaa authentication ssh console LOCAL
WARNING: local database is empty! Use 'username' command to define local users.
asa(config)# username asauser1 password asauser1_password
asa(config)# ssh 192.168.1.2 255.255.255.255 inside
asa(config)# ssh timeout 30

Points to note: the http and ssh statements are the access control for the management plane, so scope them to the admin hosts or subnet rather than 0.0.0.0 0.0.0.0; the 1024-bit modulus on the slide is below current practice (use 2048 or larger); and pin the protocol with ssh version 2 so SSHv1 clients are refused.
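The following audit script is an added example and is not from the Cisco deck. It reads the management-plane commands as they were entered (a running-config does not record the crypto key generate command, so in practice feed the key size from show crypto key mypubkey rsa separately) and encodes the hardening points above: http/ssh scoped to admin hosts, SSH authenticated against a user database, a current RSA key size, no telnet, SSHv2 pinned. The MIN_RSA_BITS threshold and both sample configurations are the example's own assumptions; the first configuration mirrors the slide plus two lines a hurried admin might add later.

```python
"""Audit ASA management-plane commands for weak settings (added example)."""
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    severity: str
    line: str
    message: str


MIN_RSA_BITS = 2048  # assumption: current practice (the slide shows 1024)

# http|ssh|telnet <ip> <mask> <interface>
MGMT_RE = re.compile(
    r"^(http|ssh|telnet)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)$")
RSA_RE = re.compile(r"^crypto key generate rsa(?:\s+label\s+\S+)?\s+modulus\s+(\d+)")

# Constructed sample: the slide's commands, plus an outside-facing http/ssh
# statement and a telnet statement added later.
SLIDE_CONFIG = """\
http server enable
http 192.168.1.2 255.255.255.255 inside
http 0.0.0.0 0.0.0.0 outside
crypto key generate rsa modulus 1024
aaa authentication ssh console LOCAL
username asauser1 password asauser1_password
ssh 192.168.1.2 255.255.255.255 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
telnet 192.168.1.0 255.255.255.0 inside
"""

# The same management plane with the findings fixed (constructed).
HARDENED_CONFIG = """\
http server enable
http 192.168.1.2 255.255.255.255 inside
crypto key generate rsa modulus 2048
aaa authentication ssh console LOCAL
username asauser1 password asauser1_password
ssh 192.168.1.2 255.255.255.255 inside
ssh version 2
ssh timeout 30
"""


def audit(config_text: str) -> List[Finding]:
    """Return one Finding per weak management-plane setting."""
    findings: List[Finding] = []
    ssh_aaa = ssh_v2 = False
    for raw in config_text.splitlines():
        line = raw.strip()
        m = MGMT_RE.match(line)
        if m:
            proto, ip, mask, iface = m.groups()
            if proto == "telnet":
                findings.append(Finding("high", line,
                    "telnet carries credentials in clear text; use SSH or ASDM only"))
            if ip == "0.0.0.0" and mask == "0.0.0.0":
                findings.append(Finding("high", line,
                    f"{proto} management reachable from any source on {iface}; "
                    "restrict to the admin hosts"))
            continue
        m = RSA_RE.match(line)
        if m and int(m.group(1)) < MIN_RSA_BITS:
            findings.append(Finding("medium", line,
                f"RSA modulus {m.group(1)} is below {MIN_RSA_BITS} bits; regenerate the key"))
        elif line.startswith("aaa authentication ssh console"):
            ssh_aaa = True
        elif line == "ssh version 2":
            ssh_v2 = True
    if not ssh_aaa:
        findings.append(Finding("high", "(missing)",
            "no 'aaa authentication ssh console'; SSH falls back to the shared login password"))
    if not ssh_v2:
        findings.append(Finding("low", "(missing)",
            "no 'ssh version 2'; pin SSHv2 so SSHv1 clients are refused"))
    return findings


if __name__ == "__main__":
    for f in audit(SLIDE_CONFIG):
        print(f"[{f.severity}] {f.line}: {f.message}")
```

Run against SLIDE_CONFIG it reports the two any-source statements, the telnet line, the 1024-bit key and the unpinned SSH version; HARDENED_CONFIG produces no findings.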


Implement ASA User Roles: setting privilege level (ASDM screenshot)

Implement ASA interface settings

1. Interface name
2. Interface security level
3. IP address and subnet mask
4. Enable interface

(Figure: ASA between Inside 192.168.1.80/24 and Outside 10.1.1.80/24, Outside facing the Internet.)

asa(config)# interface ethernet0/0
asa(config-if)# nameif inside
asa(config-if)# security-level 100
asa(config-if)# ip address 192.168.1.80 255.255.255.0
asa(config-if)# no shutdown


Configure Network and Interface Settings (Cont.): inter-interface or intra-interface communication (ASDM screenshot)

Configure VLANs

Physical interfaces are separated into sub-interfaces (logical interfaces)

802.1Q trunking

(Figure: one physical ASA interface on a trunk port carrying vlan10, vlan20 and vlan30; sub-interfaces dmz1 172.16.10.1, dmz2 172.16.20.1 and dmz3 172.16.30.1 hosting a Proxy Server, a Partner server and a Public server; inside network 192.168.1.0 and outside network 10.1.1.0 toward the Internet.)


Logical and Physical Interfaces


Configuring an EtherChannel Interface

Note: the device to which you connect the ASA EtherChannel must also support 802.3ad (LACP) EtherChannels.


EtherChannel Configuration (ASDM): select Add Interface, then EtherChannel Interface


EtherChannel Configuration

interface Port-channel 1
 lacp max-bundle 4
 port-channel min-bundle 2
 port-channel load-balance dst-ip
interface GigabitEthernet0/0
 channel-group 1 mode active
interface GigabitEthernet0/1
 channel-group 1 mode active


Configure Redundant Interfaces Using ASDM

A logical redundant interface pairs an active and a standby physical interface.

When the active interface fails, the standby interface becomes active and starts passing traffic.

Used to increase the adaptive security appliance reliability.

You can monitor redundant interfaces for failover using the monitor-interface command


Configure Redundant Interfaces Using ASDM (Cont.): select Add Interface, then Redundant Interface (ASDM screenshots)

Redundant Interface CLI Configuration

Abbreviated input:

int redundant 1
 member-interface gig 0/0
 member-interface gig 0/1

Resulting configuration, with the logical interface named and addressed:

interface Redundant1
 member-interface GigabitEthernet0/0
 member-interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 1.1.1.1 255.255.255.0


Security Appliance ACL Configuration

Security appliance configuration philosophy is interface based *

Interface ACL permits or denies the initial packet incoming or outgoing on that interface

Return traffic for an established connection does not need to be specified: the reply is matched against the connection table, not the ACL

If no ACL is attached to an interface, the default ASA policy applies:
– Outbound packets (from a higher-security interface to a lower-security one) are permitted by default
– Inbound packets (from a lower-security interface to a higher-security one) are denied by default

Once an ACL is attached to an interface, that default no longer applies in that direction: the ACL ends in an implicit deny, so anything not explicitly permitted is dropped

ACLs can be simplified by defining object groups for IP addresses and services

* 8.3 introduces the concept of the Global ACL (access-group <name> global)

(Figure: Outside facing the Internet and Inside, with an ACL to deny inbound access on Outside and an ACL for outbound access on Inside.)
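The model below is an added example, not code from the Cisco deck. It reproduces the decision for the first packet of a connection as the slide states it: an interface with an inbound ACL is governed by that ACL (first match wins, implicit deny at the end), an interface without one gets the default policy (permit toward lower security levels, deny toward higher), and once a connection exists its return traffic is matched against the connection table rather than the ACL. The interfaces, security levels, ACL entry and packets are constructed for the example following the deck's diagrams; addresses are real (untranslated) addresses, as ASA 8.3+ ACLs see them.

```python
"""Model the ASA's first-packet decision: ACL, security level, connection table."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp" or "udp"
    src: str                     # CIDR, "0.0.0.0/0" for any
    dst: str
    dport: Optional[int] = None  # None = any destination port


@dataclass
class Interface:
    name: str
    security_level: int
    acl_in: Optional[List[Ace]] = None  # None = no access-group bound inbound


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(ace.src):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(ace.dst):
        return False
    return ace.dport is None or ace.dport == pkt.dport


class Asa:
    def __init__(self, interfaces: List[Interface], same_security_inter: bool = False):
        self.ifaces = {i.name: i for i in interfaces}
        # same-security-traffic permit inter-interface
        self.same_security_inter = same_security_inter
        self.conns: Set[Tuple] = set()   # the connection table

    def evaluate(self, ingress: str, egress: str, pkt: Packet) -> Tuple[str, str]:
        """Return (verdict, reason); permitted first packets create a connection."""
        # Stateful check first: a reply to a known connection never consults the ACL.
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.conns:
            return "permit", "existing connection"
        inn, out = self.ifaces[ingress], self.ifaces[egress]
        if inn.acl_in is not None:
            verdict, reason = "deny", "implicit deny at end of ACL"
            for ace in inn.acl_in:            # first matching entry wins
                if ace_matches(ace, pkt):
                    verdict, reason = ace.action, "ACL entry matched"
                    break
        elif inn.security_level > out.security_level:
            verdict, reason = "permit", "default: higher to lower security"
        elif inn.security_level == out.security_level and self.same_security_inter:
            verdict, reason = "permit", "same-security-traffic permit inter-interface"
        else:
            verdict, reason = "deny", "default: lower to higher security"
        if verdict == "permit":
            self.conns.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return verdict, reason


def build_asa() -> Asa:
    """Inside 100, DMZ 50, Outside 0; only Outside carries an inbound ACL (constructed)."""
    outside_in = [Ace("permit", "tcp", "0.0.0.0/0", "192.168.1.23/32", 80)]
    return Asa([
        Interface("inside", 100),
        Interface("dmz", 50),
        Interface("outside", 0, acl_in=outside_in),
    ])


if __name__ == "__main__":
    asa = build_asa()
    flows = [
        ("inside", "outside", Packet("tcp", "10.1.1.100", 40000, "96.33.100.1", 443)),
        ("outside", "inside", Packet("tcp", "96.33.100.1", 443, "10.1.1.100", 40000)),
        ("outside", "dmz", Packet("tcp", "203.0.113.5", 5555, "192.168.1.23", 80)),
        ("outside", "dmz", Packet("tcp", "203.0.113.5", 5556, "192.168.1.23", 22)),
        ("dmz", "inside", Packet("tcp", "192.168.1.23", 3333, "10.1.1.100", 445)),
    ]
    for ingress, egress, pkt in flows:
        print(f"{ingress}->{egress} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}",
              asa.evaluate(ingress, egress, pkt))
```

The second flow is the reply to the first: it arrives on Outside, which has an ACL that would deny it, but it is permitted because the connection already exists. The fifth flow shows why a compromised DMZ host cannot reach Inside without an explicit permit.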


Security Appliance ACL Configuration (ASDM screenshots, four slides)

NAT Overview

Network Address Translation (NAT) and Port Address Translation (PAT)

Used to translate IP addresses and ports

Not required by default (NAT control is disabled; the nat-control setting itself was removed in 8.3, where translation is never required)

Concepts

– Static NAT and static policy NAT

– Dynamic NAT and dynamic policy NAT

– Identity NAT


NAT Post ASA Version 8.3

NAT is redesigned in 8.3 and above to simplify operations:

A single rule can translate both the source and the destination IP address.

You can also manually establish the order in which NAT rules are processed.

Introduction of NAT to "any" interface.

Two NAT modes are available in 8.3 and above:

Network Object NAT: a translation rule defined inside a network object. Well suited for source-only NAT. Sometimes referred to as "Auto NAT".

Manual NAT: policy-based NAT for when the source and destination address or port need to be considered. Sometimes referred to as Twice NAT.

Rules are evaluated in three sections and the first match wins: manual NAT rules first, in configured order; then network object NAT rules (static before dynamic); then manual NAT rules marked after-auto.


Dynamic NAT Using Network Object NAT

The following example configures dynamic translation that maps (dynamically hides) the 10.1.1.0 network behind the outside interface address. The keyword interface in a dynamic rule means interface PAT: every inside host shares the outside address and is distinguished by source port.

asa(config)# object network Network-Inside-Out
asa(config-network-object)# subnet 10.1.1.0 255.255.255.0
asa(config-network-object)# description Nat Inside Users To Outside Interface
asa(config-network-object)# nat (inside,outside) dynamic interface

(Figure: inside hosts 10.1.1.100, 10.1.1.101 and 10.1.1.102 reach an external web server across the Internet via the outside address 96.33.100.1.)


Dynamic NAT Using Network Object NAT

! ASA 8.3
asa(config)# object network Network-Inside-Out
asa(config-network-object)# subnet 10.1.1.0 255.255.255.0
asa(config-network-object)# nat (inside,outside) dynamic interface

! ASA 8.2 equivalent (nat/global pair tied together by NAT ID 1)
asa(config)# nat (inside) 1 10.1.1.0 255.255.255.0
asa(config)# global (outside) 1 interface

(Same figure as the previous slide: 10.1.1.100, 10.1.1.101 and 10.1.1.102 behind 96.33.100.1.)


Network Object NAT On The ASDM: select Network Object, then check Auto Translation Rule (ASDM screenshot)


Static Object NAT Example

The following example configures a translation to a Web Server in the DMZ. The external address in DNS is 96.33.100.5 and the internal address is 192.168.1.23:

asa(config)# object network DMZ-WEBSERVER
asa(config-network-object)# host 192.168.1.23
asa(config-network-object)# description Static Nat For DMZ WebServer
asa(config-network-object)# nat (dmz,outside) static 96.33.100.5
asa(config-network-object)# exit
asa(config)# access-list outside-in permit ip any host 192.168.1.23
asa(config)# access-group outside-in in interface outside

Note that the ACL names the real address 192.168.1.23, not the mapped 96.33.100.5: from 8.3 onward interface ACLs are evaluated after un-translation, against real addresses. The permit ip any on the slide is wider than a web server needs; in production restrict it to the published service (for example permit tcp any host 192.168.1.23 eq www).

(Figure: an external host on the Internet reaching the DMZ web server 192.168.1.23 via 96.33.100.5; the Inside network sits behind the ASA.)


Static PAT (Object NAT)

Used to create a translation between an outside interface address/port and a local IP address/port.

– 96.33.100.2/HTTP redirected to 192.168.1.100/HTTP

– 96.33.100.2/FTP redirected to 192.168.1.101/FTP

(Figure: an external user on the Internet connects to 96.33.100.2 for HTTP and for FTP; the ASA forwards HTTP to 192.168.1.100 and FTP to 192.168.1.101.)


Static PAT (Object NAT)

asa(config)# object network DMZ-WEBSERVER
asa(config-network-object)# host 192.168.1.100
asa(config-network-object)# nat (dmz,outside) static interface service tcp www www
asa(config)# object network DMZ-FTPSERVER
asa(config-network-object)# host 192.168.1.101
asa(config-network-object)# nat (dmz,outside) static interface service tcp ftp ftp

Both rules share the outside interface address (96.33.100.2 in the figure); the service keyword is what lets two real hosts sit behind one mapped address, since each rule claims only a single TCP port. FTP additionally relies on the FTP inspection engine (enabled in the default global policy) to open the data channel dynamically.

(Same figure as the previous slide: 96.33.100.2 HTTP to 192.168.1.100, 96.33.100.2 FTP to 192.168.1.101.)


Manual Twice NAT

asa(config)# object network contractors
asa(config-network-object)# subnet 10.2.2.0 255.255.255.0
asa(config)# object network translated-ip
asa(config-network-object)# host 96.33.100.100
asa(config)# object network cisco-dot-com
asa(config-network-object)# host 64.32.2.4
asa(config-network-object)# exit
asa(config)# nat (inside,outside) source static contractors translated-ip destination static cisco-dot-com cisco-dot-com

The rule applies only when both conditions hold: source in 10.2.2.0/24 and destination 64.32.2.4. Contractors reaching www.cisco.com are then seen as 96.33.100.100; the rest of their traffic, and all traffic from the 10.1.1.0 inside users, is untouched by this rule (the inside users keep using the outside address 96.33.100.1). The destination object is named twice because the destination is left untranslated; a manual rule is the only way to express "translate the source differently depending on the destination".

(Figure: Inside with Contractors 10.2.2.0 and Inside Users 10.1.1.0; Outside with 96.33.100.1 and 96.33.100.100; www.cisco.com at 64.32.2.4.)


Identity NAT Example (Manual NAT)

asa(config)# object network inside-net
asa(config-network-object)# subnet 10.1.1.0 255.255.255.0
asa(config)# object network vpn-subs
asa(config-network-object)# range 192.168.3.1 192.168.3.63
asa(config-network-object)# exit
asa(config)# nat (inside,outside) source static inside-net inside-net destination static vpn-subs vpn-subs

(The slide leaves inside-net undefined and prints the rule as "nat (inside outside) source static inside-net inside-net destination static vpn-subs"; the object definition above assumes the 10.1.1.0/24 inside network used on the earlier slides, and the rule is given in the form the parser accepts, with the interface pair comma-separated and the destination object named twice.)

Original packet, Inside to Outside: 10.1.1.15 -> 192.168.3.3
Translated packet: 10.1.1.15 -> 192.168.3.3 (unchanged)

Because the source and destination objects are each repeated, nothing is translated; the purpose of the rule is to exempt traffic bound for the Branch A VPN tunnel (192.168.3.x) from the dynamic PAT on the outside interface. Manual NAT rules are evaluated before object NAT rules, so this exemption wins even though 10.1.1.0/24 also matches the Network-Inside-Out PAT rule; placing it after-auto instead would PAT the traffic and break the tunnel.

(Figure: Inside host 10.1.1.15 across the ASA and a VPN tunnel to Branch A, destination 192.168.3.3.)
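The script below is an added example, not from the Cisco deck, and it serves the whole NAT sequence on these slides: the Network-Inside-Out interface PAT, the DMZ-WEBSERVER static, the contractors twice NAT and the VPN identity NAT are loaded into one table and evaluated in the order the ASA uses (section 1 manual rules in configured order, section 2 object rules with static ahead of dynamic and fewest real addresses first, section 3 after-auto manual rules; first match wins). The outside interface address 96.33.100.1, the inside-net object, the /26 approximation of the vpn-subs range and the test packets are assumptions taken from the diagrams. Only the mapped source address is reported; the destination side of both manual rules is identity.

```python
"""ASA 8.3+ NAT table ordering applied to the deck's rules (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

INTERFACE_ADDR = {"outside": "96.33.100.1"}  # assumption from the diagrams


@dataclass
class NatRule:
    name: str
    section: int          # 1 manual, 2 object (auto), 3 manual after-auto
    real_if: str
    mapped_if: str
    kind: str             # "static" or "dynamic"
    real_src: str         # CIDR
    mapped_src: str       # CIDR, or "interface" for interface PAT
    real_dst: Optional[str] = None  # twice NAT only; None matches any destination


def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr, strict=False)


def ordered(rules: List[NatRule]) -> List[NatRule]:
    """Sort rules into the order the ASA consults them."""
    sec1 = [r for r in rules if r.section == 1]
    sec2 = sorted((r for r in rules if r.section == 2),
                  key=lambda r: (r.kind != "static",
                                 net(r.real_src).num_addresses,
                                 int(net(r.real_src).network_address)))
    sec3 = [r for r in rules if r.section == 3]
    return sec1 + sec2 + sec3


def translate_source(rules: List[NatRule], ingress: str,
                     src: str, dst: str) -> Tuple[str, Optional[str]]:
    """Return (mapped source address, name of the rule that matched)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in ordered(rules):
        if r.real_if != ingress or s not in net(r.real_src):
            continue
        if r.real_dst is not None and d not in net(r.real_dst):
            continue
        if r.mapped_src == "interface":          # dynamic interface PAT
            return INTERFACE_ADDR[r.mapped_if], r.name
        if r.mapped_src == r.real_src:           # identity NAT: untouched
            return src, r.name
        real, mapped = net(r.real_src), net(r.mapped_src)
        offset = int(s) - int(real.network_address)
        # one-to-one when both pools are the same size; many-to-one when the
        # mapped pool is smaller (dynamic pools other than "interface" are not modelled)
        return str(mapped.network_address + offset % mapped.num_addresses), r.name
    return src, None   # no rule matched: 8.3+ forwards untranslated (no NAT control)


def deck_rules(identity_after_auto: bool = False) -> List[NatRule]:
    """The four rules from the slides; the flag moves the identity rule to section 3."""
    return [
        NatRule("identity-vpn", 3 if identity_after_auto else 1, "inside", "outside",
                "static", "10.1.1.0/24", "10.1.1.0/24", real_dst="192.168.3.0/26"),
        NatRule("contractors->cisco", 1, "inside", "outside",
                "static", "10.2.2.0/24", "96.33.100.100/32", real_dst="64.32.2.4/32"),
        NatRule("Network-Inside-Out", 2, "inside", "outside",
                "dynamic", "10.1.1.0/24", "interface"),
        NatRule("DMZ-WEBSERVER", 2, "dmz", "outside",
                "static", "192.168.1.23/32", "96.33.100.5/32"),
    ]


if __name__ == "__main__":
    rules = deck_rules()
    print("evaluation order:", [r.name for r in ordered(rules)])
    for ingress, src, dst in [("inside", "10.1.1.15", "192.168.3.3"),
                              ("inside", "10.1.1.15", "64.32.2.4"),
                              ("inside", "10.2.2.7", "64.32.2.4"),
                              ("inside", "10.2.2.7", "198.51.100.9"),
                              ("dmz", "192.168.1.23", "203.0.113.5")]:
        print(ingress, src, "->", dst, translate_source(rules, ingress, src, dst))
    print("identity rule after-auto:",
          translate_source(deck_rules(identity_after_auto=True), "inside", "10.1.1.15", "192.168.3.3"))
```

The last line shows the failure mode the slide warns about: with the identity rule demoted to after-auto, 10.1.1.15 heading for the branch is PATed to 96.33.100.1 by Network-Inside-Out and never matches the VPN crypto map.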


Implement ASA quality of service (QoS) settings (ASDM screenshot)

Implement ASA transparent firewall


Explain Differences Between L2 and L3 Operating Modes

The security appliance can run in two mode settings:

– Routed: based on IP address

– Transparent: based on MAC address

(Figure: in Routed Mode the ASA joins VLAN 100 10.0.1.0 to VLAN 200 10.0.2.0 as a Layer 3 hop; in Transparent Mode VLAN 100 and VLAN 200 both carry 10.0.1.0 and the ASA bridges them.)

The following features are not supported in transparent mode:

NAT

Dynamic routing protocols

IPv6

DHCP relay

Quality of service

Multicast

VPN termination for through traffic


Configure Security Appliance for Transparent Mode (L2)

Layer 3 traffic must be explicitly permitted

The bridged interfaces sit on one subnet: each directly connected network is that same subnet

The management IP address must be on the same subnet as the connected network

Do not specify the firewall appliance management IP address as the default gateway for connected devices

Devices need to specify the router on the other side of the firewall appliance as the default gateway

Each interface must be a different VLAN interface

(Figure: VLAN 100 and VLAN 200 both on 10.0.1.0; ASA management IP address 10.0.1.1; router 10.0.1.10 toward the Internet; hosts 10.0.1.3 and 10.0.1.4 with GW 10.0.1.10.)

asa(config)# firewall transparent
Switched to transparent mode
asa(config)# show firewall
Firewall mode: Transparent

Changing the firewall mode clears the running configuration, so do it from the console on a fresh unit, or with a saved copy of the configuration ready to reapply.


Verify the Firewall Mode of the Security Appliance Using ASDM


Topic 2 ASA Routing Features


ASA Routing Capabilities

Static routing

Dynamic routing: RIP, OSPF, EIGRP

Multicast: Stub or Bi-directional PIM (can't be configured concurrently)

(Figure: ASA with Outside toward the Internet, Inside, DMZ1 and DMZ2.)


Configuring Static Routes

(Figure: ASA outside interface with next hop 10.10.10.1 toward the Internet.)

asa(config)# route outside 0 0 10.10.10.1
asa(config)# sh run | inc route
route outside 0.0.0.0 0.0.0.0 10.10.10.1 1
route inside 192.168.10.0 255.255.255.0 192.168.1.2 1
route inside 192.168.10.0 255.255.255.0 192.168.2.1 2
route inside 192.168.30.0 255.255.255.0 192.168.1.2 1

"0 0" is shorthand for 0.0.0.0 0.0.0.0, the default route, and the trailing number is the administrative distance (default 1). The two routes to 192.168.10.0 with distances 1 and 2 form a floating static route: the distance-2 path via 192.168.2.1 is installed only when the distance-1 route is withdrawn, which for a static route requires route tracking (sla monitor plus the track keyword on the route), since a plain static route is never removed on its own.
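The lookup below is an added example, not from the Cisco deck. parse_routes reads the route lines exactly as printed above, and lookup picks the most specific prefix and, among equal prefixes, the lowest distance, considering only routes whose next hop is still usable. The withdrawn set stands in for a tracked static route the ASA has removed after its sla monitor probe failed; without tracking a static route is never withdrawn and the floating route is never used. The destination addresses tested are constructed for the example.

```python
"""Longest-prefix, lowest-distance lookup over the slide's static routes (added example)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Set

ROUTE_RE = re.compile(r"^route\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+(\d+))?\s*$")

# The 'sh run | inc route' output from the slide.
SHOW_RUN_ROUTE = """\
route outside 0.0.0.0 0.0.0.0 10.10.10.1 1
route inside 192.168.10.0 255.255.255.0 192.168.1.2 1
route inside 192.168.10.0 255.255.255.0 192.168.2.1 2
route inside 192.168.30.0 255.255.255.0 192.168.1.2 1
"""


@dataclass(frozen=True)
class Route:
    iface: str
    prefix: ipaddress.IPv4Network
    next_hop: str
    distance: int


def parse_routes(text: str) -> List[Route]:
    """Parse 'route <iface> <net> <mask> <next-hop> [distance]' lines."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        iface, addr, mask, nh, dist = m.groups()
        if addr == "0" and mask == "0":        # 'route outside 0 0 ...' shorthand
            addr, mask = "0.0.0.0", "0.0.0.0"
        routes.append(Route(iface, ipaddress.ip_network(f"{addr}/{mask}", strict=False),
                            nh, int(dist) if dist else 1))
    return routes


def lookup(routes: List[Route], dst: str, withdrawn: Set[str] = frozenset()) -> Optional[Route]:
    """Best usable route for dst: longest prefix first, then lowest distance."""
    d = ipaddress.ip_address(dst)
    usable = [r for r in routes if d in r.prefix and r.next_hop not in withdrawn]
    if not usable:
        return None
    return max(usable, key=lambda r: (r.prefix.prefixlen, -r.distance))


if __name__ == "__main__":
    routes = parse_routes(SHOW_RUN_ROUTE)
    for dst, down in [("192.168.10.5", set()), ("192.168.10.5", {"192.168.1.2"}),
                      ("192.168.30.7", set()), ("192.168.30.7", {"192.168.1.2"})]:
        r = lookup(routes, dst, down)
        print(dst, "withdrawn", sorted(down) or "-", "->", r.iface, r.next_hop, "AD", r.distance)
```

Note the fourth case: 192.168.30.0 has only one route, so when 192.168.1.2 is withdrawn the lookup falls through to the default route and internal-bound traffic leaves via outside. A tracked primary route needs a floating backup, or a null-style blackhole route, for every internal prefix, not just the ones that had one on the slide.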


Configuring Dynamic Routing (EIGRP): Steps 1 to 3 (ASDM screenshots)

Topic 3 ASA Inspection Policy


Advanced Protocol Inspection

(Figure: examples of content the inspection engines can block: an .exe attachment, an over-long URL http://www.example.com/long/URL/far2long, an IM whiteboard session, Kazaa.)

Advanced protocol inspection gives you options such as the following for defending against application layer attacks:

Blocking *.exe attachments

Prohibiting use of Kazaa or other peer-to-peer file-sharing programs

Setting limits on URL lengths

Prohibiting file transfer or whiteboard as part of IM sessions

Protecting your web services by ensuring that XML schema is valid

Resetting a TCP session if it contains a string you know is malicious

Dropping sessions with packets that are out of order


Configuring Layer 3/4 Inspection

1. Create a Layer 3/4 class map to identify traffic by matching:

An ACL
Any packet
The default inspection traffic
A DSCP value
A destination IP address
TCP or UDP ports
IP precedence
RTP ports
A tunnel-group

2. Create a Layer 3/4 policy map to associate one of the following policy actions with traffic defined in a Layer 3/4 class map:

TCP normalization
TCP and UDP connection limits and timeouts
TCP sequence number randomization
Application inspection
Cisco CSC
Cisco IPS
QoS policing
QoS priority queuing

3. Use a service policy to activate the Layer 3/4 policy.


Configuring Layer 7 Inspection

1. Create a Layer 7 class map to identify traffic by matching criteria specific to applications (DNS, FTP, H.323, HTTP, IM, RTSP, SIP)

2. Create a Layer 7 policy map to defend against Application Layer attacks by referencing a Layer 7 class map and applying an action

3. Create a Layer 3/4 policy map to associate traffic defined in a Layer 3/4 class map and reference the Layer 7 policy map

4. Use a service policy to activate the Layer 3/4 policy on an interface or globally
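The model below is an added example, not from the Cisco deck. It walks an HTTP request through the four steps just listed: a Layer 3/4 class map classifies by destination port, the Layer 3/4 policy map hands the classified traffic to an HTTP inspection policy map, the inspection map's matches (URI regex, URI length, method) are tried in order, and the first match's action is applied. The policy, its thresholds and the sample requests are constructed for the example. What it shows beyond the slide is a gap worth checking in every deployment: inspection only sees what the Layer 3/4 class map classifies, so an HTTP server on a port the class does not list is never inspected.

```python
"""HTTP requests through an MPF hierarchy: L3/4 class -> L3/4 policy -> L7 policy -> action."""
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class HttpRequest:
    dport: int
    method: str
    uri: str


@dataclass
class L7Match:
    kind: str            # "uri-regex", "uri-length-gt" or "method"
    value: str
    action: str          # "drop-connection", "reset" or "log"

    def hits(self, req: HttpRequest) -> bool:
        if self.kind == "uri-regex":
            return re.search(self.value, req.uri) is not None
        if self.kind == "uri-length-gt":
            return len(req.uri) > int(self.value)
        if self.kind == "method":
            return req.method.upper() == self.value.upper()
        raise ValueError(self.kind)


@dataclass
class L7PolicyMap:            # policy-map type inspect http <name>
    name: str
    matches: List[L7Match]    # tried in order; first hit wins


@dataclass
class L34ClassMap:            # class-map <name> / match port tcp ...
    name: str
    ports: List[int]


@dataclass
class L34PolicyMap:           # policy-map <name> / class <c> / inspect http <l7>
    name: str
    inspect: List[Tuple[L34ClassMap, L7PolicyMap]]


def evaluate(policy: L34PolicyMap, req: HttpRequest) -> str:
    """Return the action the service policy would apply to the request."""
    for cls, l7 in policy.inspect:
        if req.dport not in cls.ports:
            continue                           # not classified by this class
        for m in l7.matches:
            if m.hits(req):
                return f"{m.action} ({l7.name}: {m.kind} {m.value})"
        return "permit (inspected, no match)"
    return "permit (not classified, not inspected)"


def deck_policy() -> L34PolicyMap:
    """Constructed policy in the spirit of the slide's examples."""
    http_inspect = L7PolicyMap("http-hardening", [
        L7Match("uri-regex", r"\.exe$", "drop-connection"),   # block .exe downloads
        L7Match("uri-length-gt", "64", "reset"),             # URL length limit (assumed value)
        L7Match("method", "TRACE", "drop-connection"),
    ])
    web = L34ClassMap("web-traffic", [80])   # HTTP on port 80 only, as default inspection traffic does
    return L34PolicyMap("global_policy", [(web, http_inspect)])


if __name__ == "__main__":
    policy = deck_policy()
    for req in [HttpRequest(80, "GET", "/downloads/setup.exe"),
                HttpRequest(80, "GET", "/long/URL/" + "a" * 80),
                HttpRequest(80, "TRACE", "/"),
                HttpRequest(80, "GET", "/index.html"),
                HttpRequest(8080, "GET", "/downloads/setup.exe")]:
        print(req.dport, req.method, req.uri[:40], "->", evaluate(policy, req))
```

The last request is the one to notice: the same .exe download on port 8080 is permitted untouched, because no class map sent it to the HTTP inspection engine. Add the port to the class map (or use a match that covers the server's real ports) before trusting the Layer 7 policy.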


Layer 3/4 Class Maps vs. Layer 7 Class Maps

Layer 3/4 Class Maps

Match traffic based on protocols, ports, IP addresses, and other layer 3 or 4 attributes:
ACL
Any packet
Default inspection traffic
IP differentiated services code point
TCP and UDP ports
IP precedence
RTP port numbers
VPN tunnel group

Typically contain only one match condition

Are mandatory MPF components

Layer 7 Class Maps

Work with layer 7 policy maps to implement advanced protocol inspection

Match criteria is specific to one of the following applications: DNS, FTP, H.323, HTTP, IM, RTSP, SIP

Enable you to specify a not operator for a match condition

Can contain one or more match conditions

Can use regular expressions as match criteria

Are optional MPF components (match criteria can be specified in a layer 7 policy map instead)


Layer 3/4 Policy Maps vs. Layer 7 Policy Maps

Layer 3/4 Policy Maps

– Used to create the following policy types: application inspection, TCP normalization, TCP and UDP connection limits and timeouts, TCP sequence number randomization, Cisco CSC, Cisco IPS, QoS input policing, QoS output policing, QoS priority queue
– Must be applied to an interface or globally via a service policy
– Are mandatory MPF components

Layer 7 Policy Maps

– Implement advanced protocol inspection, which defends against application layer attacks
– Also called inspection policy maps
– Can be used for advanced inspection of: DCERPC, DNS, ESMTP, FTP, GTP, H.323, HTTP, IM, IPsec Pass Through, MGCP, NetBIOS, RTSP, SCCP (Skinny), SIP, SNMP
– Must be applied to (referenced from) a Layer 3/4 policy map
– Are optional MPF components


Filtering FTP Commands: Layer 7 Policy Map


Filtering FTP Commands: Layer 7 Policy Map (Cont.)


Filtering FTP Commands: Service Policy Rule


Filtering FTP Commands: Service Policy Rule (Cont.)
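The four steps of the "Configuring Layer 7 Inspection" slide, carried through for the FTP command filtering that the last four slides showed as ASDM screenshots. This is an added CLI example, not the deck's own configuration. The regex pattern, the class-map and policy-map names, and the interface name outside are assumptions; every command is a real ASA command.

```cisco
! Regular expression used as a Layer 7 match criterion (pattern is an assumption)
regex FTP-BLOCK-EXT "\.(exe|dll|scr)$"
!
! Step 1: Layer 7 class map. match-any with two criteria; a 'not' operator is
! also available, e.g. 'match not username regex ...'
class-map type inspect ftp match-any CM-FTP-DENY
 match request-command appe dele rmd rnfr rnto site stou
 match filename regex FTP-BLOCK-EXT
!
! Step 2: Layer 7 (inspection) policy map. The class gets reset plus log; a
! match criterion can also be written directly in the policy map, as for 'help'.
policy-map type inspect ftp PM-FTP-STRICT
 parameters
  mask-banner
  mask-syst-reply
 class CM-FTP-DENY
  reset log
 match request-command help
  log
!
! Step 3: Layer 3/4 class map and policy map whose inspect action references
! the Layer 7 policy map
class-map CM-FTP
 match port tcp eq ftp
policy-map PM-OUTSIDE
 class CM-FTP
  inspect ftp strict PM-FTP-STRICT
!
! Step 4: service policy on the interface. For FTP this replaces the plain
! 'inspect ftp' of the global policy, because interface policies take precedence.
service-policy PM-OUTSIDE interface outside
!
! Verify: the policy is attached and the inspect counters move
show service-policy interface outside inspect ftp
```

The strict keyword makes the ASA enforce RFC 959 command sequencing (one PORT/PASV per data connection, no embedded commands), which also rejects some non-conforming clients and servers; test against the FTP servers actually in use before enabling it on a production interface.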


Topic 4 ASA Advanced Network Protection


Task Flow for Configuring the ASA Botnet Traffic Filter

To configure the Botnet Traffic Filter, perform the following steps:

1. Enable use of the dynamic database.

2. (Optional) Add static entries to the database.

3. Enable DNS snooping.

4. Enable traffic classification and actions for the Botnet Traffic Filter.

5. (Optional) Block traffic manually based on syslog message information.
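The five steps as ASA CLI, an added example that is not from the deck. The interface name outside, the DNS server address, the blacklist and whitelist entries and the manually blocked host are assumptions (documentation address ranges and reserved test names). dynamic-filter_snoop_class is the class-map name ASDM creates for this purpose and preset_dns_map is the default DNS inspection map. The feature needs a Botnet Traffic Filter license, and the ASA must be able to resolve the Cisco update server.

```cisco
! Prerequisite: DNS lookup so the updater can reach the database server
! (server address is an assumption)
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 10.0.2.53
!
! Step 1: download the dynamic database and use it for classification
dynamic-filter updater-client enable
dynamic-filter use-database
!
! Step 2 (optional): local static entries; a whitelist entry overrides the
! dynamic database for a name you trust (names and address are assumptions)
dynamic-filter blacklist
 name c2.bad-example.test
 address 203.0.113.7 255.255.255.255
dynamic-filter whitelist
 name updates.partner.example
!
! Step 3: DNS snooping, so replies for listed names populate the reverse cache
! that maps addresses back to domain names
class-map dynamic-filter_snoop_class
 match port udp eq domain
policy-map global_policy
 class dynamic-filter_snoop_class
  inspect dns preset_dns_map dynamic-filter-snoop
!
! Step 4: classify traffic on the interface and drop blacklisted flows.
! 'enable' alone only classifies and logs; without 'drop blacklist' nothing
! is blocked. Greylisted (ambiguous) addresses are treated as blacklisted here.
dynamic-filter enable interface outside
dynamic-filter drop blacklist interface outside threat-level range moderate very-high
dynamic-filter ambiguous-is-black
!
! Step 5 (optional): once a %ASA-4-338001 to 338004 message names a host you
! want blocked regardless of the database, add it by hand (address assumed)
dynamic-filter blacklist
 address 198.51.100.23 255.255.255.255
!
! Verify: database freshness, hit counts and what the snooper has learned
show dynamic-filter updater-client
show dynamic-filter statistics
show dynamic-filter reports top malware-sites
show dynamic-filter dns-snoop
```

The DNS snooping class must see the DNS replies that the protected hosts receive, so it has to be applied where those replies traverse the ASA; hosts that resolve names through a path that bypasses the firewall are classified by address only.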


Configure Threat Detection

[Diagram: attacker on the Internet, ASA, server in the DMZ]

Basic threat detection

- Monitors the rate of dropped packets and security events per second (ACL denies, malformed packets, connection limits, DoS detection, failed inspections, interface overload, scans, incomplete sessions)
- When an average or burst rate threshold is exceeded, the ASA generates a syslog message (%ASA-4-733100); basic threat detection reports the attack but does not by itself drop traffic or shun the attacker
- Enabled by default

Scanning threat detection

- Tracks hosts that scan ports or hosts through the ASA and reports them (%ASA-4-733101); with the shun option the attacking host is blocked for a configurable duration
- Disabled by default, because per-host tracking costs CPU and memory
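Both detection types from the slide in CLI form, as an added example that is not the deck's configuration. The rate values, the shun duration and the management host excluded from shunning (10.0.2.50) are assumptions; the command names are real ASA commands.

```cisco
! Basic threat detection is on by default; this line only matters if it was
! disabled. The rate tuning raises the ACL-drop thresholds for a busy edge so
! that 733100 messages mean something (values are assumptions).
threat-detection basic-threat
threat-detection rate acl-drop rate-interval 600 average-rate 1000 burst-rate 2000
!
! Scanning threat detection is off by default. Enable it with shun, but never
! shun the vulnerability scanner / monitoring host (address assumed), and
! release shunned hosts after one hour.
threat-detection scanning-threat shun except ip-address 10.0.2.50 255.255.255.255
threat-detection scanning-threat shun duration 3600
threat-detection rate scanning-threat rate-interval 600 average-rate 10 burst-rate 20
!
! Statistics are optional and cost CPU; host statistics are the expensive ones
threat-detection statistics host number-of-rate 2
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
!
! Verify: current rates against thresholds, who is shunned, and top talkers
show threat-detection rate
show threat-detection shun
show threat-detection scanning-threat attacker
show threat-detection statistics top access-list
show threat-detection statistics host
```

A shun installed by scanning threat detection blocks every packet from that source on all interfaces until the duration expires or 'clear threat-detection shun' removes it, so the except list should cover every legitimate scanner and any NAT address behind which many users sit.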


Configuring Threat Detection


Topic 5 ASA High Availability


Configuring Virtual Firewalls

Enables a physical firewall to be partitioned into multiple standalone firewalls (security contexts)

Each context acts and behaves as an independent entity with its own

– Configuration
– Interfaces
– Security policy
– Routing table

Example scenarios for virtual firewalls

– Education network that wants to segregate student networks from teacher networks
– Service provider that wants to protect several customers without a physical firewall for each
– Large enterprise with various departments

Not every feature is available inside a context; check the release notes for the version in use before relying on VPN, dynamic routing or threat detection in multiple context mode

[Diagram: Active/Active failover pair with contexts 1 and 2; Secondary: Active/Active, Primary: Failed/Standby]


Active/Active Failover Configuration

1. Cable the interfaces on both ASAs

2. Ensure that both ASAs are in multiple context mode

3. Configure contexts and allocate interfaces to contexts

4. Enable and assign IP addresses to each interface that is allocated to a context

5. Prepare both security appliances for configuration via ASDM

6. Use the ASDM high availability and scalability Wizard to configure the ASA for failover

7. Verify that ASDM configured the secondary ASA with the LAN-based failover command set

8. Save the configuration to the secondary ASA to flash

[Diagram: two ASAs joined by a failover link on g0/2 (172.17.2.1 and 172.17.2.7); CTX1 in failover group 1 uses g0/0 and g0/1, CTX2 in failover group 2 uses g0/3 and g0/4]
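Steps 2 to 4 and 6 to 8 of the procedure above, done from the CLI of the primary unit instead of the ASDM wizard. This is an added example, not the deck's configuration. Interface numbers, context names, failover groups and the failover link addresses follow the diagram; the failover key, the config-url file names and the addresses inside the contexts are assumptions.

```cisco
! ===== System execution space on the primary unit =====
! Step 2: switch to multiple context mode. This converts the configuration
! and reboots; do it on both units before continuing.
mode multiple
!
! In multiple mode the physical interfaces are enabled here and addressed
! inside the contexts
interface GigabitEthernet0/0
 no shutdown
interface GigabitEthernet0/1
 no shutdown
interface GigabitEthernet0/2
 no shutdown
interface GigabitEthernet0/3
 no shutdown
interface GigabitEthernet0/4
 no shutdown
!
! LAN-based failover link on g0/2, also used as the stateful link
! (addresses from the diagram, key is an assumption)
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/2
failover link FOLINK GigabitEthernet0/2
failover interface ip FOLINK 172.17.2.1 255.255.255.0 standby 172.17.2.7
failover key s3cret-shared-key
!
! Two failover groups: group 1 is normally active on the primary, group 2 on
! the secondary; each group returns to its preferred unit when it comes back
failover group 1
 primary
 preempt
failover group 2
 secondary
 preempt
!
! Step 3: contexts, interface allocation and group membership. The admin
! context was created automatically by 'mode multiple'. File names assumed.
context CTX1
 allocate-interface GigabitEthernet0/0
 allocate-interface GigabitEthernet0/1
 config-url disk0:/ctx1.cfg
 join-failover-group 1
context CTX2
 allocate-interface GigabitEthernet0/3
 allocate-interface GigabitEthernet0/4
 config-url disk0:/ctx2.cfg
 join-failover-group 2
!
failover
!
! ===== Step 4: inside each context every interface gets an active and a
! standby address (these addresses are assumptions) =====
changeto context CTX1
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.168.2.1 255.255.255.0 standby 192.168.2.7
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.2.1 255.255.255.0 standby 10.0.2.7
changeto system
!
! ===== Secondary unit, system space: bootstrap only. Contexts and their
! configurations replicate over the failover link (steps 7 and 8). =====
mode multiple
interface GigabitEthernet0/2
 no shutdown
failover lan unit secondary
failover lan interface FOLINK GigabitEthernet0/2
failover interface ip FOLINK 172.17.2.1 255.255.255.0 standby 172.17.2.7
failover key s3cret-shared-key
failover
write memory
!
! Verify on either unit: per-group state and which unit owns each group
show failover
show failover group 1
show failover group 2
```

Each unit must be able to carry both groups' traffic when the other fails, so size the pair for the combined load, not for half of it. Without preempt, a repaired primary stays standby for group 1 until 'failover active group 1' is entered on it.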


Hardware and Stateful Failover

Hardware failover – connections are dropped

– Client applications must reconnect
– Provided by the LAN-based failover link (a serial failover cable was used on older PIX models)
– Active/Standby: only one unit actively processes traffic while the other is a hot standby
– Active/Active: both units actively process traffic, one failover group each, and each serves as backup for the other's group

Stateful failover – TCP connections remain active

– No client applications need to reconnect
– Provides redundancy and stateful connection
– Provided by a stateful failover link, which replicates the connection and translation (xlate) tables to the standby unit; HTTP connections are replicated only when failover replication http is enabled


Explain the Hardware, Software, and Licensing Requirements for High-Availability

The primary and secondary security appliances must match in the following respects:

– Same model number and hardware configuration (same number and type of interfaces, same modules, same amount of RAM)
– Same software version (major and minor); a version mismatch is tolerated only for the duration of a zero-downtime upgrade
– Same firewall mode (routed or transparent) and same context mode (single or multiple)
– Proper licensing: from 8.3 onward the two units' licenses are combined into one failover cluster license, so they need not be identical, but each unit must be licensed for failover (Active/Active additionally requires multiple context mode, which the Base license of the smaller models does not include)

[Diagrams: Active/Standby pair with the secondary active and the primary standby; Active/Active pair with contexts 1 and 2, secondary active, primary failed/standby]


Active/Standby Failover Configuration

One ASA acts as the active (primary) unit and the other as the secondary or standby unit

Primary and secondary exchange hello messages, state and configuration over a dedicated LAN-based failover interface

The primary is active and passes traffic; when it fails, the standby takes over the active unit's interface IP and MAC addresses, so neighbouring devices need no change

[Diagram: Primary – fw1 and Secondary connected to the Internet; networks 192.168.2.0 and 10.0.2.0 (active .1/.2, standby .7) and failover link 172.17.2.0 (.1 and .7)]


Active/Standby Failover Configuration

1. Cable the interfaces on both ASAs

2. Prepare both security appliances for configuration via ASDM

3. Use the ASDM high availability and scalability Wizard to configure the primary ASA for failover

4. Verify that ASDM configured the secondary ASA with the LAN-based failover command set

5. Save the configuration to the secondary ASA to flash

[Diagram: Primary – fw1 and Secondary connected to the Internet; networks 192.168.2.0 and 10.0.2.0 (active .1/.2, standby .7) and failover link 172.17.2.0 (.1 and .7)]
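The same procedure from the CLI for a single context mode pair, as an added example that is not the deck's configuration. The failover link (172.17.2.1 active, 172.17.2.7 standby) and the 192.168.2.0 and 10.0.2.0 networks follow the diagram; the exact host addresses, the interface numbering, the interface names and the failover key are assumptions.

```cisco
! ===== Primary unit =====
! Every data interface needs a standby address; the standby unit uses it
! to monitor the link and swaps to the active address on failover
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.168.2.1 255.255.255.0 standby 192.168.2.7
 no shutdown
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.2.2 255.255.255.0 standby 10.0.2.7
 no shutdown
!
! Dedicated LAN-based failover link; the same link carries state replication
interface GigabitEthernet0/2
 no shutdown
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/2
failover link FOLINK GigabitEthernet0/2
failover interface ip FOLINK 172.17.2.1 255.255.255.0 standby 172.17.2.7
failover key s3cret-shared-key
! HTTP connections are not replicated unless asked for
failover replication http
failover
write memory
!
! ===== Secondary unit: bootstrap only; the rest is replicated from the
! active unit once the failover link comes up =====
interface GigabitEthernet0/2
 no shutdown
failover lan unit secondary
failover lan interface FOLINK GigabitEthernet0/2
failover interface ip FOLINK 172.17.2.1 255.255.255.0 standby 172.17.2.7
failover key s3cret-shared-key
failover
write memory
!
! Verify the pair, then, after a failed primary has been repaired, take the
! active role back on it (no automatic preemption in Active/Standby)
show failover
show failover state
failover active
```

The failover key authenticates and encrypts the failover messages; without it, anyone on the failover segment could read replicated state and configuration, so keep that link on a dedicated switch or VLAN in addition to setting the key.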


Configure Active/Standby Using ASDM

[ASDM High Availability and Scalability Wizard screenshot: select Active/Standby]



Configure Active/Active Using ASDM

[ASDM High Availability and Scalability Wizard screenshot: select Active/Active]


SAMPLE QUESTIONS


Question 1

A primary ASA in a failover pair has failed causing the secondary ASA to become active. After resolving the issue, what command should be executed on the primary ASA to make it the active firewall?

A. Failover active

B. Failover active group 1

C. Failover secondary group 1

D. Standby group 1 active


Question 2

Which of these commands will show you the contents of flash memory on the Cisco ASA? (Choose two.)

A. dir

B. show info flash

C. directory view disk0:/

D. show run disk

E. flash view

F. show flash


Question 3

When provisioning a service policy using ASDM what order are the elements created in?

A. Class-map > Policy-Map > Service-Policy

B. Service-Policy > Class-map > Policy-Map

C. Service-Policy > Policy-Map > Service-Policy

D. Policy-Map > Service-Policy > Class-Map


Question 4

When using sub-interfaces, which method prevents the main interfaces from sending untagged traffic?

A. Use the vlan command on the main interface

B. Use the shutdown command on the main interface

C. Omit the nameif command on the subinterface

D. Omit the nameif command on the main interface


Question 5

Choose two correct statements about multiple context mode:

A. Multiple context mode does not support dynamic routing protocols, IPS, and VPNs

B. Multiple context mode enables you to create multiple independent virtual firewalls with their own security policies and interfaces

C. Multiple context mode enables support for additional hardware modules and firewalls

D. When you convert from single mode to multiple mode, the security appliance automatically adds an entry for the admin context to the system configuration with the name "admin"


Question 6

Which three features does the ASA support?

A. BGP dynamic routing

B. 802.1Q trunking

C. EIGRP dynamic routing

D. OSPF dynamic routing


Question 7

For which purpose is the Cisco ASA CLI command aaa authentication match used?

A. Enable authentication for connections through the Cisco ASA appliance

B. Enable authentication to the Cisco ASA appliance for SSH

C. Enable authentication to the Cisco ASA appliance for TELNET

D. Enable authentication for console connections to the Cisco ASA appliance


Question 8

What is the reason that you want to configure VLANs on a security appliance interface?

A. Enable failover and VLANs to improve reliability

B. Allow transparent firewall mode to be used

C. Increase the number of interfaces available to the network without adding additional physical interfaces or security appliances

D. Enable multiple context mode where you can map only VLAN interfaces to contexts


Question 9

What are two purposes of the same-security-traffic permit intra-interface command? (Choose two.)

A. Allow a hub-and-spoke VPN design on one interface.

B. Enable Dynamic Multipoint VPN

C. Allow traffic in and out of the same interface when the traffic is IPSec protected

D. Allow traffic between different interfaces with matching security levels


Question 10

Which command will display NAT translations on the ASA?

A. show ip nat all

B. show running-configuration nat

C. show xlate

D. show nat translation


Maximize your Cisco Live experience with your free Cisco Live 365 account. Download session PDFs, view sessions on-demand and participate in live activities throughout the year. Click the Enter Cisco Live 365 button in your Cisco Live portal to log in.

Complete Your Online Session Evaluation

Give us your feedback and you could win fabulous prizes. Winners announced daily.

Receive 20 Cisco Daily Challenge points for each session evaluation you complete.

Complete your session evaluation online now through either the mobile app or internet kiosk stations.
