Content

Securing Networks with ASA Foundation v1.0

This set of lab exercises contains all exercises associated with the Securing Networks with ASA Foundation (SNAF) v1.0 course. The lab exercises address a wide range of the Cisco Adaptive Security Appliance (ASA) features, from the configuration of NAT, ACLs, and object groups, to the configuration of AAA, protocol inspection, threat detection, and IPsec and SSL VPNs. Exercises also cover configuration of Cisco ASA in high availability environments using the active/standby and active/active failover. The last exercise also covers management of the Cisco ASA using the SSH, as well as authentication and authorization of console access.

Content

This set of lab exercises contains the following exercises:

Objectives

Upon finishing this set of exercises, you will be able to:

  • Use the CLI to configure basic network settings
  • Configure the boot system variable
  • Prepare the security appliance for configuration via Cisco ASDM and launch Cisco ASDM
  • Use Cisco ASDM to configure basic network settings, including interface and default route configurations
  • Use Cisco ASDM and the CLI to determine if the security appliance software is configured properly
  • Use Cisco ASDM to configure logging to a syslog server
  • Use Cisco ASDM to configure dynamic address translation
  • Use Cisco ASDM to configure static address translations
  • Use Cisco ASDM to configure inbound and outbound ACLs
  • Use the Packet Tracer to test and verify configuration
  • Configure a service object group
  • Configure an ICMP-type object group
  • Configure network object groups
  • Configure an inbound ACL with object groups to enable inbound web and ICMP traffic
  • Test and verify the inbound ACL
  • Install and configure Cisco Secure ACS on a Microsoft Windows server
  • Configure and test inbound and outbound authentication
  • Configure and test virtual Telnet authentication
  • Change and test authentication timeouts and prompts
  • Configure Cisco Secure ACS to send downloadable ACLs to the Cisco ASA security appliance during RADIUS inbound authentication
  • Test downloadable ACLs with inbound and outbound authentication
  • Configure and test accounting
  • Display the inspection protocol configurations
  • Change the inspection protocol configurations
  • Test the outbound FTP inspection protocol
  • Configure a policy for the outside adaptive security appliance interface
  • Use the CLI to configure basic threat detection
  • Use the CLI to configure scanning threat detection with shunning
  • Use the CLI to verify and analyze threats
  • Prepare to configure VPN support
  • Use the Cisco ASDM IPsec VPN Wizard to configure a site-to-site VPN
  • Use Cisco ASDM to verify the site-to-site VPN configuration
  • Test the site-to-site VPN
  • Configure a remote access VPN on the Cisco ASA security appliance
  • Verify the configuration of the remote access VPN
  • Configure the Cisco VPN Client
  • Verify the Cisco VPN Client properties
  • Launch the Cisco VPN Client
  • Verify the VPN connection
  • Use Cisco ASDM to configure the Cisco ASA security appliance for basic SSL VPN services
  • Use Cisco ASDM to configure users and groups for SSL VPN services
  • Test and verify SSL VPN connectivity on a Cisco ASA security appliance
  • Enable transparent firewall mode on Cisco ASA device
  • Configure the interfaces and management IP address on the Cisco ASA security appliance
  • Test inside and outside connectivity
  • Allow ICMP traffic through the transparent firewall
  • Disable transparent firewall mode
  • Prepare the primary and secondary Cisco ASA security appliances for failover configuration via Cisco ASDM
  • Use the Cisco ASDM High Availability and Scalability Wizard to configure the primary and secondary Cisco ASA security appliances for LAN-based failover
  • Test LAN-based failover
  • Enable stateful LAN-based failover
  • Test stateful LAN-based failover
  • Make the primary Cisco ASA security appliance active
  • Enable multiple context mode on the Cisco ASA security appliances
  • Create security contexts on the primary Cisco ASA security appliance
  • Configure the CTX1 context on the primary Cisco ASA security appliance
  • Prepare the Cisco ASA security appliances for active/active failover configuration via Cisco ASDM
  • Use the Cisco ASDM High Availability and Scalability Wizard to configure active/active failover
  • Configure standby IP addresses for CTX1
  • Exercise active/active failover
  • Return the failover devices to single mode
  • Configure and test enable-level command authorization with enable passwords
  • Generate an RSA key pair for encrypted SSH sessions
  • Establish an SSH connection to the Cisco ASA security appliance
  • Configure and test command authorization using the local user database
  • Upgrade the Cisco ASA security appliance software image

Importance

The lab exercises in this set are important for all network engineers, administrators, and designers involved in designing, implementing, and operating security solutions based on Cisco Adaptive Security Appliance (ASA) devices.

Target Audience

The primary audience for this course comprises network engineers and systems engineer responsible for security solutions deployment using Cisco ASA devices. Because most of the exercises are done using the Cisco ASDM, labs are suitable for administrators who wish to expedite and simplify a Cisco ASA configuration process, as well as for less-experienced users not familiar with the CLI.

Prerequisite Knowledge

To successfully complete exercises, a good knowledge of basic TCP/IP principles, as well as advanced knowledge of Cisco security appliance features and security technologies, such as AAA framework, IPsec VPNs, and protocol inspection, is needed. This knowledge is best gained by attending the Securing Networks with ASA Foundation (SNAF) v1.0 course.