Securing Networks with Cisco ASA Basic and Advanced (Cisco Courses: SNAF)

CCSP525 : 5 Day Instructor-Led Course

Advanced, hands-on training on the Cisco ASA products

This class is not currently scheduled. Please see our SNAF Securing Networks with ASA Fundamentals course for equivalent content.

This comprehensive, extensively hands-on, 5-day Authorized Cisco course is designed to give the Security Student (Security CCIE and/or CCSP candidate), Technical CSO, Security Field Engineer, or Cisco Security Services Engineer practical design, implementation and complete analysis of the ASA practices and components that play a large part in the construction of the Cisco ‘Self-Defending Network’ solution. By experiencing the collective efforts of Cisco IOS devices, out-of-band management practices and a heavy focus on both the basic and advanced elements of the Cisco ASA product line, commissioned into a ‘live’ enterprise network, each student will become thoroughly aware of how the ‘complete’ ASA solution is used to shield today’s networks against the ever-changing landscape of threats and attacks. You will also be primed to think like a hacker and be able to use many of the common methods used to compromise networks throughout the implementation of live and very realistic ASA business scenarios. As an Interface exclusive, you will execute these advanced business scenarios using live hardware, servers and connectivity.

“The Cisco Self-Defending Network protects an organization by identifying, preventing, and adapting to threats from both internal and external sources.”
 
Your journey towards achieving the ultimate in network protection begins with in-depth coverage of the Adaptive Security Algorithm and the ASA products that implement this powerful component to lock down both internal and external networks to match a stated objective security policy. All aspects of design, configuration, secure connectivity, management, high availability, and dynamic security are covered in this course. Everything from basic transparent-mode firewall implementations on ASA appliances to larger multi-context, multi-mode deployments of the ASA on the 6500 FWSM is explained. Through your hands-on work with the hardware and implementations that follow stated best practice in firewall and security-zone design, you will be fully prepared to identify, construct and successfully manage your own ASA/FWSM implementation. Our goal at Interface is to deliver to you the most immediately relevant and rigorously tested solutions available in the security training industry. If your goal is mastery, then you are in the right place.
 
All discussions and exercises focus on mastery of each technology based on its practical orientation within the ‘Big Picture’ and implementation using industry-proven techniques and ‘best practice’. The hands-on exercises, known as ‘Evolutions’, will test your ability to create solutions to security scenarios, implement each technology and troubleshoot efficiently within a dynamic network environment. All Evolutions within the CCSP525 follow the Interface HardHat™ framework, which focuses on the development of the planning, execution and problem-solving skills critical in the real world. The HardHat™ framework is deliberately architected to mimic the most realistic and universal scenarios, forcing you to think through them and implement precise solutions based on a real scenario and stated objectives; step-by-step instructions do not exist in real life and therefore do not exist in HardHat™.
 
Course Outline: *Interface exclusive
  1. Cisco Security Appliance Basics
    1. ASA version 8 Features Overview
    2. ASA Technology Semantics and Security Capabilities
    3. Navigation using the CLI and ASDM
    4. Initial Startup and Configuration of the ASA
    5. *ASDM File Management, Dynamic/Manual Upgrades and Hierarchical Archiving of Log Data
    6. *Implementation of the Out-of-Band Management Network for management of ASA/FWSM, IOS Devices, Cisco IPS, Cisco MARS, logging, authentication and network services architectures
    7. Collecting and Analyzing Real-Time ASDM Logs
  2. Configuring Access through the ASA
    1. Configuring Inside to Outside Traffic Flows
      1. Dynamic NAT and PAT, Identity NAT, Extensible NAT Combos, Static Translations
      2. Basic and Advanced Global Translations for NAT
      3. *Implementing Blended NAT and No NAT Control Scenarios based on Common Business Requirements
      4. *Advanced ASDM Object Naming Strategies for Object Control in Complex Environments
      5. Static Routes
    2. Configuring Outside to Inside Traffic Flows
      1. Advanced Static Translations, Port Redirection and NAT Scaling Techniques
      2. Basic Access Lists for Inbound Access
      3. Basic and Advanced Object Grouping
    3. *Configuring Advanced "Business-Class" Access through the ASA
      1. *Advanced Access-list Tricks Used by CCIEs in the Field
      2. *Using Identity NAT Exemptions and 'Dual-NAT' Options based on Uses of Common Real-Time Enterprise Applications Like OWA and Load Balanced Web Clusters
      3. *Delivering Dynamic Web Content by Properly Implementing Policy NAT, Content Delivery and Advanced Port Redirection Capabilities
      4. *Implementing TLS Proxy Options with SYN Cookies when Deploying Enterprise HTTPS Applications
  3. Advanced Security Appliance Operations
    1. Scaling the ASA Solution with Dynamic Routing, Redundant Interfaces and VLANs
    2. Advanced Static Routing for High-Availability and SLA Tracking
    3. Using Packet Tracer to Verify Optimal Data Flows Through the ASA
    4. Transparent Firewalls, Multiple Context Mode
    5. Securing Management and Service-level Access with AAA and Cut-through Proxy
    6. TACACS+ and RADIUS Operations
    7. *Complete Cisco ACS Server Implementation for Out-of-Band Management of ASA and IPS
    8. Advanced Protocol Inspection, Filtering and Base Service Policy
    9. Protocol Options, Threat Detection and Malicious Protocol Filters
    10. Security Appliance High-Availability Solutions
    11. Transparent Firewalls, Multiple Context Mode, ASA Failover
    12. Security Appliance Maintenance, Logging and Tracing
    13. *Advanced management and naming practices when using the ASDM for ASA management
  4. Configuring Secure Connectivity with VPNs on the ASA
    1. Configure and verify remote access VPNs using ASDM
    2. Configure and verify IPsec VPN clients with preshared keys using ASDM
    3. Configure and verify site-to-site VPNs with preshared keys using ASDM
    4. Verify IKE and IPsec using ASDM and CLI
    5. Configure and verify clientless SSL VPN using ASDM
    6. Configure and verify Client-based (AnyConnect) SSL VPNs using ASDM
    7. Configure end-point security posture with Cisco Secure Desktop
 
Prerequisites:
To fully benefit from this course, it is recommended that you have the following prerequisite skills and knowledge:
  • Skills and knowledge equivalent to those learned in Interconnecting Cisco Networking Devices Part 1 (ICND1) and Interconnecting Cisco Networking Devices Part 2 (ICND2), or attendance of the Interface CCNA220 course.
  • IINS – Implementing IOS Network Security or SNRS – Securing Networks with Cisco Routers and Switches are recommended but not required.
  • Working knowledge of the Windows operating system
  • Working knowledge of Cisco IOS networking and concepts
  • 6-12 months of practical working experience with access lists on Cisco IOS or PIX/ASA products
Live! Hardware:
  • You will gain invaluable experience operating on a wide range of Cisco hardware: Cisco 2800 ISRs, several models of Catalyst switches from the 2960 to the 6500, ASA 5500s with AIP-SSM, IPS 4200 sensors, Cisco Secure MARS appliances and multiple host systems running CSA, CTA and CSM. All of the gear mentioned is in the room with you for you to build yourself, and each pod of 2 students has a full complement of the stated gear. There is ‘no such thing’ as using a remote lab at Interface. (See the topology below for more details.)
 
Additional Course Logistics:
 
Course runs from 8:30am to 6:00pm daily, Monday – Friday (arrive early on Monday for class registration).
Expect to clear your schedule for the week and focus on the class. It is not uncommon for students to stay even past 6:00pm to get additional lab time.
 
You will be provided the following courseware:
  • Authorized Cisco SNAF courseware
  • Interface CCNA Security Solutions Manual
  • Interface CCNA Security Lab Evolutions Manual, Associated Diagrams, Tools DVDs
  • Course Completion Certificate for Cisco SNAF
 
You will be operating in a ‘live’ dynamic, hands-on networking environment with tons of live Cisco gear and all of the tools you need to be successful; come prepared to have a great experience and challenge yourself to learn.
 
Exams: (if applicable to you)
 
642-524 SNAF - Securing Networks with ASA Foundation
 
The exam can be successfully taken after completion of this course.
 
Pod Topology Diagram:
 
Each pod of 2 students consists of: (2) ASA 5510s, 1 with AIP-SSM; (3) 2800 ISR routers with various connectivity running 12.4.21 Advanced Enterprise; (1) 1801 SOHO router running 12.4.21 Advanced Enterprise; (1) Linksys cable modem; (2) 3560 MLS switches; (2) 2960 switches; dedicated 200Mb Internet connectivity and a live cable Internet connection for testing ASA connectivity, business scenarios and IPsec/SSL VPNs; and (3) Level-6 host computers running Windows XP, Windows 2003 Enterprise and virtualized Microsoft Exchange, SQL Server, Red Hat Linux and Web/FTP services. Bringing your own laptop is also encouraged for flexibility.