Deploying Cisco ASA Firewall Solutions for CCNP Security BRKCRT-8104
Mark Bernard, CCIE (Security 23846)
© 2013 Cisco and/or its affiliates. All rights reserved. BRKCRT-8104 Cisco Public
Agenda
Overview of CCNP Security
FIREWALL Exam Information
FIREWALL Topics: Technical Introduction
– What You Need to Know
– Sample Questions
Q & A
Overview of the CCNP Security Certification
CCNP Security Certified Means…
All four CCNP Security exams required. No elective options.
Some legacy CCSP exams may qualify for CCNP Security credit. See FAQ:
– https://learningnetwork.cisco.com/docs/DOC-10424
Exam No    Exam Name
642-637    Securing Networks with Cisco Routers and Switches (SECURE)
642-627    Implementing Cisco Intrusion Prevention System (IPS)
642-618    Deploying Cisco ASA Firewall Solutions (FIREWALL)
642-648    Deploying Cisco ASA VPN Solutions (VPN)
FIREWALL v2.0 Exam Information 642-618
642-618 FIREWALL v2.0 Exam
90-minute exam
Register with Pearson Vue
– www.vue.com/.cisco
Exam cost is $200.00 US
Preparing for the FIREWALL v2.0 Exam
Recommended reading
– CCNP Security Firewall 642-618 Quick Reference
– CCNP Security FIREWALL 642-618 Official Cert Guide
Recommended training via CLP
– Deploying Cisco ASA Firewall Solutions v2.0
Cisco learning network
– www.cisco.com/go/learnnetspace
Practical experience
Test Taking Tips
It’s not possible to cover everything!
We want you to get a feel for the technical level of the exam, not every topic possible
Give you suggestions, resources, some examples
Will focus on key topics
FIREWALL v2.0 High-Level Topics
Cisco ASA Adaptive Security Appliance Basic Configurations
ASA Routing Features
ASA Inspection Policy
ASA Advanced Network Protections
ASA High Availability
Topic 1 Cisco ASA Adaptive Security Appliance Basic Configurations
Topic 1: What You Need to Know
Identify the ASA product family
Implement ASA licensing
Manage the ASA boot process
Implement ASA management and user authorization features
Implement ASA access control features
Implement ASA interface settings
Implement Network Address Translation (NAT) on the ASA
Implement ASDM public server feature
Implement ASA quality of service (QoS) settings
Implement ASA transparent firewall
Cisco ASA 5500 Series Portfolio
(Figure: models arranged by performance and scalability, from SOHO through Branch Office, Campus and Internet Edge to Data Center; the figure distinguishes Multi-Service (Firewall/VPN and IPS) platforms from Firewall/VPN-only platforms. Throughput and connections per second as shown.)
Model                  Throughput    Connections/s
ASA 5505 (SOHO)        150 Mbps      4K cps
ASA 5510               300 Mbps      9K cps
ASA 5510+              300 Mbps      9K cps
ASA 5520               450 Mbps      12K cps
ASA 5540               650 Mbps      25K cps
ASA 5550               1.2 Gbps      36K cps
ASA 5512-X (new)       1 Gbps        10K cps
ASA 5515-X (new)       1.2 Gbps      15K cps
ASA 5525-X (new)       2 Gbps        20K cps
ASA 5545-X (new)       3 Gbps        30K cps
ASA 5555-X (new)       4 Gbps        50K cps
ASA 5585-X SSP-10      4 Gbps        50K cps
ASA 5585-X SSP-20      10 Gbps       125K cps
ASA 5585-X SSP-40      20 Gbps       200K cps
ASA 5585-X SSP-60      40 Gbps       350K cps
Implementing ASA Licensing
Install and Verify Licensing Using Adaptive Security Device Manager (ASDM)
(Two ASDM screenshots; the second calls out time-based licensing, which is stackable.)
Manage the ASA boot process
To change the OS boot image to a new image name, enter the following:
asa(config)# clear configure boot
asa(config)# boot system {disk0:/ | disk1:/}[path/]new_filename
For example:
asa(config)# clear configure boot
asa(config)# boot system disk0:/asa841-k8.bin
To point ASDM at the new image name, enter the following command:
asa(config)# asdm image {disk0:/ | disk1:/}[path/]new_filename
Save the configuration and reload:
asa(config)# write memory
asa(config)# reload
* Be sure to check memory requirements before upgrading to 8.3 and above
Implement ASA management features
To configure the firewall for ASDM access via the CLI:
asa(config)# http server enable
asa(config)# http 192.168.1.2 255.255.255.255 inside
To configure the firewall for SSH access via the CLI:
asa(config)# crypto key generate rsa modulus 1024
asa(config)# write memory
asa(config)# aaa authentication ssh console LOCAL
WARNING: local database is empty! Use 'username' command to define local users.
asa(config)# username asauser1 password asauser1_password
asa(config)# ssh 192.168.1.2 255.255.255.255 inside
asa(config)# ssh timeout 30
Implement ASA User Roles
(ASDM screenshot: setting the privilege level)
Implement ASA interface settings
1. Interface name
2. Interface security level
3. IP address and subnet mask
4. Enable interface
(Figure: inside 192.168.1.80/24, outside 10.1.1.80/24 toward the Internet)
asa(config)# interface ethernet0/0
asa(config-if)# nameif inside
asa(config-if)# security-level 100
asa(config-if)# ip address 192.168.1.80 255.255.255.0
asa(config-if)# no shutdown
Configure Network and Interface Settings (Cont.)
(ASDM screenshot: inter-interface or intra-interface communication setting)
Configure VLANs
Physical interfaces are separated into sub-interfaces (logical interfaces)
802.1Q trunking
(Figure: inside 192.168.1.0 and outside 10.1.1.0 toward the Internet; a single trunk port carries vlan10, vlan20 and vlan30 to the sub-interfaces dmz1 172.16.10.1, dmz2 172.16.20.1 and dmz3 172.16.30.1, which host a public server, a partner server and a proxy server)
Logical and Physical Interfaces
(ASDM screenshot)
Configuring an EtherChannel Interface
Note: The device to which you connect the ASA EtherChannel must also support 802.3ad EtherChannels
EtherChannel Configuration
(ASDM screenshot: select Add Interface, then EtherChannel Interface)
EtherChannel Configuration
interface Port-channel 1
lacp max-bundle 4
port-channel min-bundle 2
port-channel load-balance dst-ip
interface GigabitEthernet0/0
channel-group 1 mode active
interface GigabitEthernet0/1
channel-group 1 mode active
Configure Redundant Interfaces Using ASDM
A logical redundant interface pairs an active and a standby physical interface.
When the active interface fails, the standby interface becomes active and starts passing traffic.
Used to increase the reliability of the adaptive security appliance.
You can monitor redundant interfaces for failover using the monitor-interface command
(ASDM screenshots: select Add Interface, then Redundant Interface)
Redundant Interface CLI Configuration
int redundant 1
member-interface gig 0/0
member-interface gig 0/1
As it appears in the running configuration:
interface Redundant1
member-interface GigabitEthernet0/0
member-interface GigabitEthernet0/1
nameif outside
security-level 0
ip address 1.1.1.1 255.255.255.0
Security Appliance ACL Configuration
Security appliance configuration philosophy is interface based *
Interface ACL permits or denies the initial packet incoming or outgoing on that interface
Return traffic of an inspected connection does not need to be specified in an ACL
If no ACL is attached to an interface, the following ASA policy applies:
– Outbound packet is permitted by default
– Inbound packet is denied by default
ACLs can be simplified by defining object groups for IP addresses and services
* 8.3 introduces the concept of the Global ACL (access-group <name> global)
(Figure: Outside and Inside interfaces toward the Internet, with an ACL to deny inbound access and an ACL for outbound access)
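The following is an added illustration (not Cisco code) of the interface-based policy described above: with no ACL, traffic from a higher to a lower security level is permitted and the reverse is denied, return traffic of an inspected connection needs no ACL entry, and an attached ACL decides the initial packet. Interface names, security levels, subnets and sample packets are constructed; the outside ACL is the one from the static NAT slide.

```python
"""Interface-based access policy of the ASA as described on the slide.

Added illustration, not Cisco code. Interface names, security levels,
subnets, the sample ACL and the sample packets are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int

    def reverse(self):
        return Flow(self.dst, self.src, self.proto, self.dport, self.sport)


@dataclass
class Interface:
    name: str
    security_level: int
    network: str                                   # destinations reached via this interface (constructed)
    acl_in: list = field(default_factory=list)     # (action, proto, src_net, dst_net, dport or None)


class Asa:
    def __init__(self, interfaces):
        self.ifaces = {i.name: i for i in interfaces}
        self.conn_table = set()                    # established flows, filled by inspection

    def egress(self, dst):
        """Longest-prefix match over the interface networks (stand-in for the routing table)."""
        hits = [i for i in self.ifaces.values() if ip_address(dst) in ip_network(i.network)]
        return max(hits, key=lambda i: ip_network(i.network).prefixlen)

    def process(self, ingress_name, flow):
        ingress, egress = self.ifaces[ingress_name], self.egress(flow.dst)
        # Return traffic of an inspected connection needs no ACL entry.
        if flow.reverse() in self.conn_table:
            return "permit: return traffic of an existing connection"
        # An attached interface ACL decides the initial packet; it ends with an implicit deny.
        if ingress.acl_in:
            for action, proto, src_net, dst_net, dport in ingress.acl_in:
                if (proto in ("ip", flow.proto)
                        and ip_address(flow.src) in ip_network(src_net)
                        and ip_address(flow.dst) in ip_network(dst_net)
                        and dport in (None, flow.dport)):
                    if action == "permit":
                        self.conn_table.add(flow)
                    return f"{action}: ACL on {ingress.name}"
            return f"deny: implicit deny at the end of the ACL on {ingress.name}"
        # No ACL: higher to lower security level is permitted, the reverse is denied.
        verdict = "permit" if ingress.security_level > egress.security_level else "deny"
        if verdict == "permit":
            self.conn_table.add(flow)
        return (f"{verdict}: default policy, {ingress.name}({ingress.security_level})"
                f" -> {egress.name}({egress.security_level})")


def demo():
    """Run the slide's cases; returns the verdict string for each case."""
    no_acl = Asa([Interface("inside", 100, "192.168.1.0/24"),
                  Interface("outside", 0, "0.0.0.0/0")])
    # access-list outside-in permit ip any host 192.168.1.23 (from the static NAT slide)
    with_acl = Asa([Interface("inside", 100, "192.168.1.0/24"),
                    Interface("outside", 0, "0.0.0.0/0",
                              acl_in=[("permit", "ip", "0.0.0.0/0", "192.168.1.23/32", None)])])
    out = Flow("192.168.1.10", "96.33.100.5", "tcp", 40000, 80)
    probe = Flow("203.0.113.9", "192.168.1.10", "tcp", 51000, 22)       # constructed unsolicited SSH
    web = Flow("203.0.113.9", "192.168.1.23", "tcp", 51001, 80)         # constructed web request
    return {
        "outbound": no_acl.process("inside", out),
        "return": no_acl.process("outside", out.reverse()),
        "inbound_no_acl": no_acl.process("outside", probe),
        "inbound_ssh": with_acl.process("outside", probe),
        "inbound_web": with_acl.process("outside", web),
    }
```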
Security Appliance ACL Configuration
(Four ASDM screenshots of ACL configuration)
NAT Overview
Network Address Translation (NAT) and Port Address Translation (PAT)
Used to translate IP addresses and ports
Not required by default (NAT control is disabled)
Concepts
– Static NAT and static policy NAT
– Dynamic NAT and dynamic policy NAT
– Identity NAT
NAT Post ASA Version 8.3
NAT is redesigned in 8.3 and above to simplify operations:
– A single rule translates both the source and the destination IP address.
– You can also manually establish the order in which NAT rules are processed.
– Introduction of NAT to "any" interface
Two NAT modes are available in 8.3 and above:
– Network Object NAT: a translation rule defined within a network object. Well suited for source-only NAT. Sometimes referred to as "Auto NAT".
– Manual NAT: policy-based NAT for when the source and destination address or port both need to be considered. Sometimes referred to as "Twice NAT".
Dynamic NAT Using Network Object NAT
The following example configures dynamic NAT that maps (dynamically hides) the 10.1.1.0 network to the outside interface address:
asa(config)# object network Network-Inside-Out
asa(config-network-object)# subnet 10.1.1.0 255.255.255.0
asa(config-network-object)# description Nat Inside Users To Outside Interface
asa(config-network-object)# nat (inside,outside) dynamic interface
(Figure: inside hosts 10.1.1.100, 10.1.1.101 and 10.1.1.102 reach an external web server on the Internet through the outside interface address 96.33.100.1)
Dynamic NAT Using Network Object NAT
! ASA 8.3
asa(config)# object network Network-Inside-Out
asa(config-network-object)# subnet 10.1.1.0 255.255.255.0
asa(config-network-object)# nat (inside,outside) dynamic interface
! ASA 8.2
asa(config)# nat (inside) 1 10.1.1.0 255.255.255.0
asa(config)# global (outside) 1 interface
(Figure: inside hosts 10.1.1.100, 10.1.1.101 and 10.1.1.102 reach an external web server through the outside interface address 96.33.100.1)
Network Object NAT on the ASDM
(ASDM screenshot: select Network Object, then check the automatic translation rule option)
Static Object NAT Example
The following example configures a translation to a web server in the DMZ. The external address in DNS is 96.33.100.5 and the internal address is 192.168.1.23:
asa(config)# object network DMZ-WEBSERVER
asa(config-network-object)# host 192.168.1.23
asa(config-network-object)# description Static Nat For DMZ WebServer
asa(config-network-object)# nat (dmz,outside) static 96.33.100.5
asa(config-network-object)# exit
asa(config)# access-list outside-in permit ip any host 192.168.1.23
asa(config)# access-group outside-in in interface outside
Note that on 8.3 and above the interface ACL references the real address (192.168.1.23), not the mapped address.
(Figure: an external host on the Internet reaches the DMZ web server at 96.33.100.5, which is 192.168.1.23 inside)
Static PAT (Object NAT)
Used to create a translation between an outside interface address/port and a local IP address/port.
– 96.33.100.2/HTTP redirected to 192.168.1.100/HTTP
– 96.33.100.2/FTP redirected to 192.168.1.101/FTP
asa(config)# object network DMZ-WEBSERVER
asa(config-network-object)# host 192.168.1.100
asa(config-network-object)# nat (dmz,outside) static interface service tcp www www
asa(config)# object network DMZ-FTPSERVER
asa(config-network-object)# host 192.168.1.101
asa(config-network-object)# nat (dmz,outside) static interface service tcp ftp ftp
(Figure: an external user on the Internet connects to 96.33.100.2 for HTTP and FTP; the ASA redirects HTTP to 192.168.1.100 and FTP to 192.168.1.101)
Manual Twice NAT
asa(config)# object network contractors
asa(config-network-object)# subnet 10.2.2.0 255.255.255.0
asa(config)# object network translated-ip
asa(config-network-object)# host 96.33.100.100
asa(config)# object network cisco-dot-com
asa(config-network-object)# host 64.32.2.4
asa(config-network-object)# exit
asa(config)# nat (inside,outside) source static contractors translated-ip destination static cisco-dot-com cisco-dot-com
(Figure: inside users 10.1.1.0 and contractors 10.2.2.0 behind the inside interface; the outside interface address is 96.33.100.1; contractors reaching www.cisco.com at 64.32.2.4 are translated to 96.33.100.100)
Identity NAT Example (Manual NAT)
asa(config)# object network vpn-subs
asa(config-network-object)# range 192.168.3.1 192.168.3.63
asa(config-network-object)# exit
asa(config)# nat (inside,outside) source static inside-net inside-net destination static vpn-subs vpn-subs
(The inside-net object is not defined on the slide; from the figure it is assumed to be the inside network 10.1.1.0/24.)
(Figure: the original packet 10.1.1.15 -> 192.168.3.3 leaves the outside interface untranslated as 10.1.1.15 -> 192.168.3.3 over the VPN tunnel to Branch A)
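The following added example (not Cisco code) models how the 8.3+ NAT table evaluates the rules from the object NAT, twice NAT and identity NAT slides: manual NAT rules first, in configured order, then network object NAT rules with static before dynamic and the most specific real network first. All addresses come from the slides; the inside-net object is assumed to be 10.1.1.0/24 and the outside interface address is taken as 96.33.100.1 from the figures.

```python
"""Order of evaluation of the ASA 8.3+ NAT table, as an added example.

Not Cisco code. Manual (twice) NAT rules are checked first in configured
order, then network object NAT rules with static before dynamic and the
smaller (more specific) real network first. Values come from the slides;
the inside-net object (10.1.1.0/24) is an assumption taken from the
identity NAT figure.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class ObjectNat:
    """nat statement inside 'object network <name>'."""
    real: str            # real network: CIDR or 'first-last' range
    ifaces: tuple        # (real interface, mapped interface)
    kind: str            # "static" or "dynamic"
    mapped: str          # mapped network; for 'dynamic interface' the interface address


@dataclass
class ManualNat:
    """nat (real,mapped) source static A B [destination static C D]"""
    ifaces: tuple
    src_real: str
    src_mapped: str
    dst_real: Optional[str] = None
    dst_mapped: Optional[str] = None


def _bounds(net):
    """First and last address (as integers) of a CIDR or an 'a-b' range object."""
    if "-" in net:
        a, b = net.split("-")
        return int(ip_address(a)), int(ip_address(b))
    n = ip_network(net)
    return int(n.network_address), int(n.broadcast_address)


def _contains(net, addr):
    lo, hi = _bounds(net)
    return lo <= int(ip_address(addr)) <= hi


def _map(addr, real, mapped):
    """Static one-to-one keeps the host offset; a single mapped address hides all real hosts."""
    lo_r, _ = _bounds(real)
    lo_m, hi_m = _bounds(mapped)
    if lo_m == hi_m:
        return str(ip_address(lo_m))
    return str(ip_address(lo_m + int(ip_address(addr)) - lo_r))


def translate(rules, ifaces, src, dst):
    """Return (mapped src, mapped dst, matching section) for a packet from ifaces[0] to ifaces[1]."""
    # Section 1: manual NAT, first match wins in the order configured.
    for r in (r for r in rules if isinstance(r, ManualNat)):
        if r.ifaces != ifaces or not _contains(r.src_real, src):
            continue
        if r.dst_real and not _contains(r.dst_real, dst):
            continue
        new_dst = _map(dst, r.dst_real, r.dst_mapped) if r.dst_real else dst
        return _map(src, r.src_real, r.src_mapped), new_dst, "manual"
    # Section 2: object NAT, static before dynamic, most specific real network first.
    objects = sorted((r for r in rules if isinstance(r, ObjectNat)),
                     key=lambda r: (r.kind != "static", _bounds(r.real)[1] - _bounds(r.real)[0]))
    for r in objects:
        if r.ifaces == ifaces and _contains(r.real, src):
            return _map(src, r.real, r.mapped), dst, f"object {r.kind}"
    return src, dst, "none"   # NAT control is off, so untranslated traffic is still forwarded


def slide_rules():
    """The NAT statements from the slides, in the order they were configured."""
    return [
        # nat (inside,outside) source static contractors translated-ip destination static cisco-dot-com cisco-dot-com
        ManualNat(("inside", "outside"), "10.2.2.0/24", "96.33.100.100/32", "64.32.2.4/32", "64.32.2.4/32"),
        # nat (inside,outside) source static inside-net inside-net destination static vpn-subs vpn-subs
        ManualNat(("inside", "outside"), "10.1.1.0/24", "10.1.1.0/24",
                  "192.168.3.1-192.168.3.63", "192.168.3.1-192.168.3.63"),
        # object network Network-Inside-Out: nat (inside,outside) dynamic interface (outside is 96.33.100.1)
        ObjectNat("10.1.1.0/24", ("inside", "outside"), "dynamic", "96.33.100.1/32"),
        # object network DMZ-WEBSERVER: nat (dmz,outside) static 96.33.100.5
        ObjectNat("192.168.1.23/32", ("dmz", "outside"), "static", "96.33.100.5/32"),
    ]
```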
Implement ASA quality of service (QoS) settings
(ASDM screenshot)
Implement ASA transparent firewall
Explain Differences Between L2 and L3 Operating Modes
The security appliance can run in two modes:
– Routed—based on IP address
– Transparent—based on MAC address
The following features are not supported in transparent mode:
– NAT
– Dynamic routing protocols
– IPv6
– DHCP relay
– Quality of service
– Multicast
– VPN termination for through traffic
(Figure: in routed mode the ASA separates 10.0.1.0 on VLAN 100 from 10.0.2.0 on VLAN 200; in transparent mode VLAN 100 and VLAN 200 are both on the same subnet, 10.0.1.0)
Configure Security Appliance for Transparent Mode (L2)
Layer 3 traffic must be explicitly permitted
Each directly connected network must be on the same subnet
The management IP address must be on the same subnet as the connected network
Do not specify the firewall appliance management IP address as the default gateway for connected devices
Devices need to specify the router on the other side of the firewall appliance as the default gateway
Each interface must be a different VLAN interface
(Figure: VLAN 100 and VLAN 200 both on 10.0.1.0; management IP address 10.0.1.1; the hosts 10.0.1.3 and 10.0.1.4 use the router 10.0.1.10 on the far side of the ASA as their gateway to the Internet)
asa(config)# firewall transparent
Switched to transparent mode
asa(config)# show firewall
Firewall mode: Transparent
Verify the Firewall Mode of the Security Appliance Using ASDM
(ASDM screenshot)
Topic 2 ASA Routing Features
ASA Routing Capabilities
Static routing
Dynamic routing
– RIP
– OSPF
– EIGRP
Multicast: Stub or Bi-directional PIM (cannot be configured concurrently)
(Figure: ASA with Outside, Inside, DMZ1 and DMZ2 interfaces; Outside toward the Internet)
Configuring Static Routes
(Figure: default gateway 10.10.10.1 toward the Internet)
asa(config)# route outside 0 0 10.10.10.1
asa(config)# sh run | inc route
route outside 0.0.0.0 0.0.0.0 10.10.10.1 1
route inside 192.168.10.0 255.255.255.0 192.168.1.2 1
route inside 192.168.10.0 255.255.255.0 192.168.2.1 2
route inside 192.168.30.0 255.255.255.0 192.168.1.2 1
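As an added example (not Cisco code), the following parses the route lines shown above and resolves destinations the way the routing table does: longest prefix first, then lowest metric, skipping next hops that have dropped out of the table. It shows why the second, metric-2 route to 192.168.10.0/24 only takes effect once the metric-1 route via 192.168.1.2 is gone (a floating static route), and that 192.168.30.0/24 has no such backup and falls to the default route.

```python
"""Static route selection on the ASA, as an added example (not Cisco code).

Parses the 'show run | include route' output from the slide and looks a
destination up the way the routing table would: longest prefix first,
then lowest metric. Next hops listed as unreachable are skipped, which is
how the metric-2 route to 192.168.10.0/24 acts as a floating static route.
"""
import re
from ipaddress import ip_address, ip_network

# Output as shown on the slide.
SHOW_RUN_ROUTE = """\
route outside 0.0.0.0 0.0.0.0 10.10.10.1 1
route inside 192.168.10.0 255.255.255.0 192.168.1.2 1
route inside 192.168.10.0 255.255.255.0 192.168.2.1 2
route inside 192.168.30.0 255.255.255.0 192.168.1.2 1
"""

ROUTE_RE = re.compile(r"^route\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")


def parse_routes(text):
    """Return a list of (interface, network, next hop, metric) from 'route ...' lines."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            iface, net, mask, gw, metric = m.groups()
            routes.append((iface, ip_network(f"{net}/{mask}"), gw, int(metric)))
    return routes


def lookup(routes, dst, unreachable=frozenset()):
    """Best route for dst as (interface, next hop, metric), or None if nothing matches.

    unreachable: next hops whose routes have left the table (interface down, tracking failed).
    """
    best = None
    for iface, net, gw, metric in routes:
        if gw in unreachable or ip_address(dst) not in net:
            continue
        rank = (net.prefixlen, -metric)           # longer prefix wins, then lower metric
        if best is None or rank > best[0]:
            best = (rank, iface, gw, metric)
    return best[1:] if best else None
```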
Configuring Dynamic Routing (EIGRP)
(Three ASDM screenshots: Step 1, Step 2, Step 3)
Topic 3 ASA Inspection Policy
Advanced Protocol Inspection
(Figure: a blocked .exe attachment, an over-long URL http://www.example.com/long/URL/far2long, an IM whiteboard session, and Kazaa)
Advanced protocol inspection gives you options such as the following for defending against application layer attacks:
Blocking *.exe attachments
Prohibiting use of Kazaa or other peer-to-peer file-sharing programs
Setting limits on URL lengths
Prohibiting file transfer or whiteboard as part of IM sessions
Protecting your web services by ensuring that XML schema is valid
Resetting a TCP session if it contains a string you know is malicious
Dropping sessions with packets that are out of order
Configuring Layer 3/4 Inspection
1. Create a Layer 3/4 class map to identify traffic by matching:
– An ACL
– Any packet
– The default inspection traffic
– A DSCP value
– A destination IP address
– TCP or UDP ports
– IP precedence
– RTP ports
– A tunnel-group
2. Create a Layer 3/4 policy map to associate one of the following policy actions with traffic defined in a Layer 3/4 class map:
– TCP normalization
– TCP and UDP connection limits and timeouts
– TCP sequence number randomization
– Application inspection
– Cisco CSC
– Cisco IPS
– QoS policing
– QoS priority queuing
3. Use a service policy to activate the Layer 3/4 policy.
Configuring Layer 7 Inspection
1. Create a Layer 7 class map to identify traffic by matching criteria specific to applications: DNS, FTP, H.323, HTTP, IM, RTSP, SIP
2. Create a Layer 7 policy map to defend against application layer attacks by referencing a Layer 7 class map and applying an action
3. Create a Layer 3/4 policy map to associate traffic defined in a Layer 3/4 class map and reference the Layer 7 policy map
4. Use a service policy to activate the Layer 3/4 policy on an interface or globally
Layer 3/4 Class Maps vs. Layer 7 Class Maps
Layer 3/4 class maps:
– Match traffic based on protocols, ports, IP addresses, and other layer 3 or 4 attributes: ACL, any packet, default inspection traffic, IP differentiated services code point, TCP and UDP ports, IP precedence, RTP port numbers, VPN tunnel group
– Typically contain only one match condition
– Are mandatory MPF components
Layer 7 class maps:
– Work with layer 7 policy maps to implement advanced protocol inspection
– Match criteria is specific to one of the following applications: DNS, FTP, H.323, HTTP, IM, RTSP, SIP
– Enable you to specify a not operator for a match condition
– Can contain one or more match conditions
– Can use regular expressions as match criteria
– Are optional MPF components (match criteria can be specified in a layer 7 policy map instead)
Layer 3/4 Policy Maps vs. Layer 7 Policy Maps
Layer 3/4 policy maps:
– Used to create the following policy types: application inspection, TCP normalization, TCP and UDP connection limits and timeouts, TCP sequence number randomization, Cisco CSC, Cisco IPS, QoS input policing, QoS output policing, QoS priority queue
– Must be applied to an interface or globally via a service policy
– Are mandatory MPF components
Layer 7 policy maps:
– Implement advanced protocol inspection, which defends against application layer attacks
– Also called Inspection Policy Maps
– Can be used for advanced inspection of: DCERPC, DNS, ESMTP, FTP, GTP, H.323, HTTP, IM, IPsec Pass Through, MGCP, NetBIOS, RTSP, SCCP (Skinny), SIP, SNMP
– Must be applied to a layer 3/4 policy map
– Are optional MPF components
Filtering FTP Commands: Layer 7 Policy Map
(Two ASDM screenshots)
Filtering FTP Commands: Service Policy Rule
(Two ASDM screenshots)
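The following added example (not Cisco code) models the MPF hierarchy the last slides describe: a service policy (global or per interface) activates a Layer 3/4 policy map, the policy map pairs Layer 3/4 class maps with actions, and the "inspect ftp" action hands the FTP control channel to a Layer 7 inspection policy map whose class map matches request commands. Class and policy names, ports and the set of filtered FTP commands are constructed; it also shows that an interface policy takes precedence over the global policy.

```python
"""Model of the Modular Policy Framework hierarchy from the slides, added
here as an illustration (not Cisco code).

A service policy activates a Layer 3/4 policy map; the policy map pairs
Layer 3/4 class maps with actions; 'inspect ftp' hands the FTP control
channel to a Layer 7 FTP inspection policy map whose class map matches
request commands. Names, ports and the denied commands are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class L34ClassMap:
    """class-map <name> with a single match condition (ports or 'match any')."""
    name: str
    ports: frozenset = frozenset()
    match_any: bool = False

    def matches(self, dport):
        return self.match_any or dport in self.ports


@dataclass
class FtpInspectPolicy:
    """policy-map type inspect ftp: a class-map type inspect ftp that matches
    request-command, with the 'reset' action applied to matches."""
    name: str
    denied_commands: frozenset

    def check(self, request_line):
        parts = request_line.split()
        cmd = parts[0].upper() if parts else ""
        return "reset" if cmd in self.denied_commands else "allow"


@dataclass
class L34PolicyMap:
    """policy-map <name>: ordered (class map, action, optional Layer 7 policy) entries."""
    name: str
    entries: list = field(default_factory=list)


@dataclass
class ServicePolicy:
    """service-policy <policy-map> {global | interface <name>}"""
    policy: L34PolicyMap
    scope: str


def classify(service_policies, ingress, dport, request_line=""):
    """First matching class of the interface policy, else of the global policy.

    Simplification: the ASA applies one class per feature type; this model
    stops at the first matching class.
    """
    for sp in sorted(service_policies, key=lambda s: s.scope == "global"):
        if sp.scope not in ("global", ingress):
            continue
        for cmap, action, l7 in sp.policy.entries:
            if not cmap.matches(dport):
                continue
            if action == "inspect ftp" and l7 is not None:
                return f"{cmap.name}: inspect ftp -> {l7.check(request_line)}"
            return f"{cmap.name}: {action}"
    return "no class matched"


def constructed_policy():
    """Global default inspection plus an outside-interface policy that filters FTP commands."""
    ftp_filter = FtpInspectPolicy("ftp-cmd-filter", frozenset({"DELE", "RMD", "STOR"}))
    outside = L34PolicyMap("outside-policy", [
        (L34ClassMap("ftp-class", frozenset({21})), "inspect ftp", ftp_filter),
    ])
    global_policy = L34PolicyMap("global_policy", [
        (L34ClassMap("inspection_default", frozenset({21, 53, 80})), "inspect (default)", None),
    ])
    return [ServicePolicy(global_policy, "global"), ServicePolicy(outside, "outside")]
```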
Topic 4 ASA Advanced Network Protection
Task Flow for Configuring the ASA Botnet Traffic Filter
To configure the Botnet Traffic Filter, perform the following steps:
1. Enable use of the dynamic database.
2. (Optional) Add static entries to the database.
3. Enable DNS snooping.
4. Enable traffic classification and actions for the Botnet Traffic Filter.
5. (Optional) Block traffic manually based on syslog message information.
Configure Threat Detection
Basic threat detection
- Blocks attackers by monitoring rate of dropped packets and security events per second
- When event thresholds are exceeded, attackers are blocked
- Enabled by default
Scanning threat detection
- Blocks attackers performing port scans
- Disabled by default
(Figure: an attacker on the Internet targeting a DMZ server through the ASA)
Configuring Threat Detection
(ASDM screenshot)
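In the spirit of the scanning threat detection described above, the following added example (not Cisco's implementation) runs a sliding-window detector over constructed connection records and reports a source that touches more distinct targets than a threshold, with the time it crossed the line, as a candidate for blocking. The records, the window and the threshold are constructed values.

```python
"""Scanning threat detection in the spirit of the slide, as an added example
(not Cisco's implementation).

Each constructed record is a connection the ASA would have seen or dropped:
(timestamp in seconds, source, destination, destination port). A source
that touches more distinct (destination, port) targets than the threshold
inside the sliding window is reported, with the time it crossed the line,
as a candidate for shunning. Threshold and window are constructed values.
"""
from collections import defaultdict, deque


def scanning_sources(records, window_s=60, threshold=20):
    """Return {source: timestamp at which it first exceeded the threshold}."""
    recent = defaultdict(deque)            # source -> deque of (ts, (dst, dport)) inside the window
    flagged = {}
    for ts, src, dst, dport in sorted(records):
        q = recent[src]
        q.append((ts, (dst, dport)))
        while q[0][0] < ts - window_s:     # age out events older than the window
            q.popleft()
        if src not in flagged and len({target for _, target in q}) > threshold:
            flagged[src] = ts
    return flagged


def constructed_records():
    """One host probing 30 ports on a DMZ server within 30 seconds, and a
    legitimate user repeatedly reaching the same five web servers."""
    scan = [(100 + i, "203.0.113.9", "172.16.10.5", port) for i, port in enumerate(range(1, 31))]
    normal = [(100 + i, "192.168.1.10", f"198.51.100.{1 + i % 5}", 443) for i in range(30)]
    return scan + normal
```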
Topic 5 ASA High Availability
Configuring Virtual Firewalls
Enables a physical firewall to be partitioned into multiple standalone firewalls
Each standalone firewall acts and behaves as an independent entity with its own
– Configuration
– Interfaces
– Security Policy
– Routing Table
Example scenarios for using Virtual Firewalls
– Education network that wants to segregate student networks from teacher networks
– Service provider that wants to protect several customers without a physical firewall for each
– Large enterprise with various departments
(Figure: Active/Active failover pair with contexts 1 and 2 toward the Internet; the primary is Failed/Standby and the secondary is Active/Active)
Active/Active Failover Configuration
1. Cable the interfaces on both ASAs
2. Ensure that both ASAs are in multiple context mode (mode multiple)
3. Configure contexts and allocate interfaces to contexts
4. Enable and assign IP addresses to each interface that is allocated to a context
5. Prepare both security appliances for configuration via ASDM
6. Use the ASDM high availability and scalability Wizard to configure the ASA for failover
7. Verify that ASDM configured the secondary ASA with the LAN-based failover command set
8. Save the configuration to the secondary ASA to flash
(Figure: two ASAs with interfaces g0/0 to g0/4; CTX1 in failover group 1 and CTX2 in failover group 2 on each unit; failover link 172.17.2.1 to 172.17.2.7)
Hardware and Stateful Failover
Hardware failover
– Connections are dropped
– Client applications must reconnect
– Provided by serial or LAN-based failover link
– Active/Standby—only one unit can be actively processing traffic while the other is hot standby
– Active/Active—both units can actively process traffic and serve as backup units
Stateful failover
– TCP connections remain active
– No client applications need to reconnect
– Provides redundancy and stateful connection
– Provided by stateful link
(Figure: failover pair toward the Internet)
Explain the Hardware, Software, and Licensing Requirements for High Availability
The primary and secondary security appliances must be identical in the following requirements:
– Same model number and hardware configurations
– Similar software versions
– Same hardware
– Proper licensing (8.3 and above)
(Figures: an Active/Standby pair with the primary in standby and the secondary active; an Active/Active pair with contexts 1 and 2, the secondary Active/Active and the primary Failed/Standby)
Active/Standby Failover Configuration
One ASA acts as the active or primary and the other acts as the secondary or standby firewall
Primary and secondary communicate over a configured LAN-based failover interface
The primary is active and passes traffic; in the event of a failure the secondary takes over
(Figure: primary fw1 and the secondary share 192.168.2.0 and 10.0.2.0, with host addresses .1/.2 on the primary and .7 on the secondary; failover link 172.17.2.0 with .1 and .7; the Internet beyond)
Active/Standby Failover Configuration
1. Cable the interfaces on both ASAs
2. Prepare both security appliances for configuration via ASDM
3. Use the ASDM high availability and scalability Wizard to configure the primary ASA for failover
4. Verify that ASDM configured the secondary ASA with the LAN-based failover command set
5. Save the configuration to the secondary ASA to flash
(Figure: primary fw1 and the secondary on 192.168.2.0 and 10.0.2.0 with host addresses .1/.2 and .7; failover link 172.17.2.0 with .1 and .7; the Internet beyond)
Configure Active/Standby Using ASDM
(ASDM screenshot: select Active/Standby)
Configure Active/Active Using ASDM
(ASDM screenshot: select Active/Active)
SAMPLE QUESTIONS
Question 1
A primary ASA in a failover pair has failed causing the secondary ASA to become active. After resolving the issue, what command should be executed on the primary ASA to make it the active firewall?
A. Failover active
B. Failover active group 1
C. Failover secondary group 1
D. Standby group 1 active
Question 2
Which of these commands will show you the contents of flash memory on the Cisco ASA? (Choose two.)
A. dir
B. show info flash
C. directory view disk0:/
D. show run disk
E. flash view
F. show flash
Question 3
When provisioning a service policy using ASDM what order are the elements created in?
A. Class-map > Policy-Map > Service-Policy
B. Service-Policy > Class-map > Policy-Map
C. Service-Policy > Policy-Map > Service-Policy
D. Policy-Map > Service-Policy > Class-Map
Question 4
When using sub-interfaces, which method prevents the main interfaces from sending untagged traffic?
A. Use the vlan command on the main interface
B. Use the shutdown command on the main interface
C. Omit the nameif command on the subinterface
D. Omit the nameif command on the main interface
Question 5
Choose two correct statements about multiple context mode:
A. Multiple context mode does not support dynamic routing protocols, IPS, and VPNs
B. Multiple context mode enables you to create multiple independent virtual firewalls with their own security polices and interfaces
C. Multiple context mode enables support for additional hardware modules and firewalls
D. When you convert from single mode to multiple mode, the security appliance automatically adds an entry for the admin context to the system configuration with the name "admin"
Question 6
Which three features does the ASA support?
A. BGP dynamic routing
B. 802.1Q trunking
C. EIGRP dynamic routing
D. OSPF dynamic routing
96
Question 7
For which purpose is the Cisco ASA CLI command aaa authentication match used?
A. Enable authentication for connections through the Cisco ASA appliance
B. Enable authentication to the Cisco ASA appliance for SSH
C. Enable authentication to the Cisco ASA appliance for TELNET
D. Enable authentication for console connections to the Cisco ASA appliance
98
Question 8
What is the reason that you want to configure VLANs on a security appliance interface?
A. Enable failover and VLANs to improve reliability
B. Allow transparent firewall mode to be used
C. Increase the number of interfaces available to the network without adding additional physical interfaces or security appliances
D. Enable multiple context mode where you can map only VLAN interfaces to contexts
100
Question 9
What are two purposes of the same-security-traffic permit intra-interface command? (Choose two.)
A. Allow a hub-and-spoke VPN design on one interface
B. Enable Dynamic Multipoint VPN
C. Allow traffic in and out of the same interface when the traffic is IPSec protected
D. Allow traffic between different interfaces with matching security levels
102
Question 10
Which command will display NAT translations on the ASA?
A. show ip nat all
B. show running-configuration nat
C. show xlate
D. show nat translation
104
Maximize your Cisco Live experience with your free Cisco Live 365 account. Download session PDFs, view sessions on-demand and participate in live activities throughout the year. Click the Enter Cisco Live 365 button in your Cisco Live portal to log in.
Complete Your Online Session Evaluation
Give us your feedback and you could win fabulous prizes. Winners announced daily.
Receive 20 Cisco Daily Challenge points for each session evaluation you complete.
Complete your session evaluation online now through either the mobile app or internet kiosk stations.
106