Date post: 21-Apr-2018
Page 1: ASA Express - cisco.com · Lab 8-1: Cisco ASA NGFW Web Security Essentials C-56 Lab 8-2: Cisco ASA NGFW Application Visibility & Control C-57 Lab 9-1: Cisco ASA and Cloud Web Security

ASA Express Version 2.2 Course Guide

SAEXS

Part Number: partnumber (Ignore: for DTP only)
Version 1.0


Americas Headquarters
Cisco Systems, Inc.
San Jose, CA

Asia Pacific Headquarters
Cisco Systems (USA) Pte. Ltd.
Singapore

Europe Headquarters
Cisco Systems International BV
Amsterdam, The Netherlands

Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco Website at www.cisco.com/go/offices.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

DISCLAIMER WARRANTY: THIS CONTENT IS BEING PROVIDED “AS IS” AND AS SUCH MAY INCLUDE TYPOGRAPHICAL, GRAPHICS, OR FORMATTING ERRORS. CISCO MAKES AND YOU RECEIVE NO WARRANTIES IN CONNECTION WITH THE CONTENT PROVIDED HEREUNDER, EXPRESS, IMPLIED, STATUTORY OR IN ANY OTHER PROVISION OF THIS CONTENT OR COMMUNICATION BETWEEN CISCO AND YOU. CISCO SPECIFICALLY DISCLAIMS ALL IMPLIED WARRANTIES, INCLUDING WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT AND FITNESS FOR A PARTICULAR PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE. This learning product may contain early release content, and while Cisco believes it to be accurate, it falls subject to the disclaimer above.

© 2014 Cisco Systems, Inc.


Table of Contents

Course High Level Design C-3
  Course Goal C-3
  Job Tasks and Domain and Skill Objectives (formerly “Claims and Component Skills”) C-3
  Course Flow Diagram C-4
  Required Classroom Environment C-4
  Instructor Certification Requirements C-4
  General Information C-4
  Laboratory Topology (Delivery) C-4
    Laboratory Topology C-4
      Lab Topology Diagram (Backbone Pod View) C-4
      Lab Topology Diagram (Student Pod View) C-4
    Laboratory Equipment C-4
    Software List C-5
    Workstation Configuration C-5
    Initial Lab Build C-5
    General Lab Setup C-5
    Notes on Delivery Lab Equipment C-5
  Development Lab Equipment Requirements C-5
    Required Materials Laboratory Topology (Development) C-5
    Notes on Development Lab Equipment C-6

Course Management Template C-7
  Course Description C-7
  Curricula C-7
  Course Goal and Objectives C-7
  Target Audiences C-8
  Prerequisite Skills and Knowledge C-9
  Course Instruction Details C-9
    Instructor Certification Requirements C-9
    Required Classroom Environment C-9
    Detailed Course Flow C-9

Course Outlines C-11
  High Level Course Outline C-11
  Detailed Course Outline C-11
    Course Introduction C-12
    Module 1: Introducing Cisco ASA Solutions C-12
    Module 2: Exploring Cisco ASA Connectivity Basics C-12
    Module 3: Configuring ASA Basic Access Control Foundation C-14
    Module 4: Deploying Cisco Remote Access VPN C-15
    Module 5: Introducing Cisco ASA High Availability C-16


    Module 6: Introducing the Combined NGFW Security Services C-16
    Module 7: Exploring IPS for Cisco ASA NGFW - IPS Features C-17
    Module 8: Exploring the Cisco ASA NGFW WSE and AVC C-18
    Module 9: Introducing Cisco ASA Cloud Web Security C-19

Course Evaluation Template C-21
  Curriculum Evaluation C-21

Lab Setup C-23
  General Information C-23
  Laboratory Topology C-23
    Lab Topology Diagram C-24
  Laboratory Equipment C-25
  Software List C-25
  Workstation Configuration C-26
  Initial Lab Build C-27
  General Lab Setup C-28
    Configuration Files Summary C-28
  Lab IP Addressing C-51
  Lab Details C-52
    Lab 2-1: Preparing Cisco ASA for Network Integration and Configuring Basic Settings C-52
    Lab 3-1: Configuring NAT and Basic Access Control C-52
    Lab 4-1: Configure Cisco AnyConnect Client SSL VPN Solution C-53
    Lab 6-1: Preparing the Cisco ASA NGFW and Configuring the Cisco ASA for Traffic Redirection C-54
    Lab 7-1: Configure IPS for Cisco ASA NGFW Settings & Filters C-55
    Lab 8-1: Cisco ASA NGFW Web Security Essentials C-56
    Lab 8-2: Cisco ASA NGFW Application Visibility & Control C-57
    Lab 9-1: Cisco ASA and Cloud Web Security Integration (Optional) C-57

ii ASA Express © 2014 Cisco Systems, Inc.


Course High Level Design

Course Goal
The goal of the course is to provide an understanding of the Cisco ASA solution portfolio and successfully configure various aspects of the Cisco ASA components including Cisco ASA NGFW, Cisco ASA NGFW Security Services and Cisco ASA Remote Access VPN including Clientless and AnyConnect.

Job Tasks and Domain and Skill Objectives (formerly “Claims and Component Skills”)
These are the job tasks (domains and skill objectives from the audience, as well as job definition and job task analyses that will be taught and practiced in the course).

Domain #   Domains            Skill Objectives/Job Tasks
x          Domain (Claim) 1   First Skill Objective/Job Task of Domain 1
x.01                          Second Skill Objective/Job Task of Domain 1
x.02
x.03
x.04
x.05

Domain #   Domains            Skill Objectives/Job Tasks
           n-th Domain        First Skill Objective/Job Task of n-th Domain


Course Flow Diagram
This section illustrates the flow of the course.

Day 1
  AM: Course Intro
      Introducing Cisco ASA Solutions
      Exploring Cisco ASA Connectivity Basics
  PM: Configuring ASA Basic Access Control Foundation
      Deploying Cisco Remote Access VPN

Day 2
  AM: Introducing the Combined NGFW Security Services
      Exploring IPS for Cisco ASA NGFW - IPS Features
  PM: Exploring the Cisco ASA NGFW WSE and AVC
      Introducing Cisco ASA Cloud Web Security

Required Classroom Environment
Room setup, layout, logistics, and equipment:

Instructor Certification Requirements
Credentials to teach this version of the course are:

CCSI in good standing

Certified to teach Firewall 2.0

Attend SASAA v1.0 course or SASAA v1.0 TTT or Certified SAEXS v1.0

General Information
High-level description of lab environment.

Laboratory Topology (Delivery)
Introduction to lab

Laboratory Topology

Lab Topology Diagram (Backbone Pod View)

Lab Topology Diagram (Student Pod View)

Laboratory Equipment
These tables list the recommended equipment to support the lab activities. These tables assume a class size of XX students.

Description Mfr. Part Number Total Qty.

Examples

Learner Pod Equipment – X learners per pod – Y pods total per class


Description Mfr. Part Number Total Qty.

Other Required Equipment

Software List

Description Mfr. Part Number Total Qty.

Workstation Configuration

These instructions describe how to set up the lab when workstations are required.

Step 1

[Insert instructions to set up, locate, prepare for, or conduct activities]

Initial Lab Build
This topic contains the information required to interconnect the lab equipment.

General Lab Setup
This topic details the procedure to set up and configure the lab equipment at the beginning of each class.

Notes on Delivery Lab Equipment

Development Lab Equipment Requirements
This section details the resources and requirements needed to develop and test the course labs.

Required Materials Laboratory Topology (Development)
These tables list the recommended equipment to support the lab activities. These tables assume a class size of n learners.


Describe which equipment can be remote, and what must be physically accessible by the developer(s). Note any other considerations, such as number of pods, interconnections between pods, and external connections to servers or Internet.

Description Mfr. Part Number Total Qty.

Learner Pod Equipment – x pods for development

Other Required Equipment

Notes on Development Lab Equipment


Course Management Template

Course Description
The goal of the course is to provide an understanding of the Cisco ASA solution portfolio and successfully configure various aspects of the Cisco ASA components including Cisco ASA NGFW, Cisco ASA NGFW Security Services and Cisco ASA Remote Access VPN including Clientless and AnyConnect.

Full Title of Course: Cisco ASA Express Security
Course Order Code: SAEXS
Course Version Number: 1.0
New Course?: Yes
Replaces:

Curricula
The course is used in the following curricula, certifications, specializations, and learning maps:

Certifications:

Curricula, specializations, and learning maps:

Course Goal and Objectives
This topic describes the course goal and objectives.


Course Goals

Upon completing this course, you will be able to:

Describe the Cisco ASA technology

Describe how to configure network integration and manage network settings for the Cisco ASA

Choose, configure, and troubleshoot Cisco ASA security appliance features

Introduce and Deploy Cisco Remote Access VPN

Describe NGFW Security Services and explore the features and benefits of the Modular Policy Framework


Course Goals (Cont.)

Describe how to configure IPS for NGFW Settings and Filtering

Describe the Cisco ASA NGFW WSE and AVC solutions and how to configure Cisco ASA NGFW Objects and Policies

Describe the features of Cisco’s ASA Cloud Web Security

Explore Cisco ASA Active/Standby High Availability


Target Audiences
This section specifies the primary and secondary target audiences of this course by job roles and notes the relevance to each job role.


Prerequisite Skills and Knowledge
This section lists the skills and knowledge that learners must possess to benefit fully from the course. It includes recommended Cisco learning offerings that the learner may complete to benefit fully from this course.

The knowledge and skills that a learner must have before attending this course are as follows:

Cisco ASA Overview (SAAOV) v1.0 E-learning

Firewall knowledge

[Pre-req - add as necessary]

Course Instruction Details

Instructor Certification Requirements
Credentials to teach this version of the course are:

CCSI in good standing

Certified to teach Firewall 2.0

Attend SASAA v1.0 course or SASAA v1.0 TTT or Certified SAEXS v1.0

Required Classroom Environment
Room setup, layout, logistics, and equipment:

Detailed Course Flow
The course schedule specifies the recommended teaching time for each lesson, lab, and activity. Optionally, indicate breaks and starting and ending times for each day.

Day 1:

8:30–9:20 (0830–0920) Introducing Cisco ASA Solutions

9:30–10:40 (0930–1040) Exploring Cisco ASA Connectivity Basics

10:50–12:00 (1050–1200) Lab 2-1: Preparing Cisco ASA for Network Integration and Configuring Basic Settings

12:00–1:00 (1200–1300) Lunch

1:00–1:50 (1300–1350) Configuring ASA Basic Access Control Foundation

Lab 3-1: Configuring NAT and Basic Access Control

2:00–2:50 (1400–1450) Deploying Cisco Remote Access VPN

3:00–5:00 (1500–1700) Lab 4-1: Configure Cisco AnyConnect Client SSL VPN Solution

5:00 (1700) Day ends


Day 2:

8:30–9:20 (0830–0920) Introducing the Combined NGFW Security Services

9:30–10:30 (0930–1030) Lab 6-1: Preparing the Cisco ASA NGFW and Configuring the Cisco ASA for Traffic Redirection

10:40–11:15 (1000–1115) Exploring IPS for Cisco ASA NGFW - IPS Features

11:15–12:00 (1115–1200) Lab 7-1: Configure IPS for Cisco ASA NGFW Settings & Filters

12:00–12:00 (1200–1300) Lunch

1:00–1:40 (1300–1340) Exploring the Cisco ASA NGFW WSE and AVC

1:40–2:10 (1340–1410) Lab 8-1: Cisco ASA NGFW Web Security Essentials

2:20–2:50 (1420–1450) Lab 8-2: Cisco ASA NGFW Application Visibility & Control

2:50–3:20 (1450–1520) Introducing Cisco ASA Cloud Web Security

3:30–4:00 (1530–1600) Lab 9-1: Cisco ASA and Cloud Web Security Integration

4:00–5:00 (1600–1700) Introducing Cisco ASA High Availability


Course Outlines

High Level Course Outline
This subtopic provides an overview of how the course is organized. The course contains these components:

Introducing Cisco ASA Solutions

Exploring Cisco ASA Connectivity Basics

Configuring ASA Basic Access Control Foundation

Deploying Cisco Remote Access VPN

Introducing Cisco ASA High Availability

Introducing the Combined NGFW Security Services

Exploring IPS for Cisco ASA NGFW - IPS Features

Exploring the Cisco ASA NGFW WSE and AVC

Introducing Cisco ASA Cloud Web Security

Lab 2-1: Preparing Cisco ASA for Network Integration and Configuring Basic Settings

Lab 3-1: Configuring NAT and Basic Access Control

Lab 4-1: Configure Cisco AnyConnect Client SSL VPN Solution

Lab 6-1: Preparing the Cisco ASA NGFW and Configuring the Cisco ASA for Traffic Redirection

Lab 7-1: Configure IPS for Cisco ASA NGFW Settings & Filters

Lab 8-1: Cisco ASA NGFW Web Security Essentials

Lab 8-2: Cisco ASA NGFW Application Visibility & Control

Lab 9-1: Cisco ASA and Cloud Web Security Integration (Optional)

Detailed Course Outline
This in-depth outline of the course structure lists each module, lesson, and topic.


Course Introduction
The Course Introduction provides learners with the course objectives and prerequisite learner skills and knowledge. The Course Introduction presents the course flow diagram and the icons that are used in the course illustrations and figures. This course component also describes the curriculum for this course, providing learners with the information that they need to make decisions regarding their specific learning path.

Overview

Course Goal and Objectives

Course Flow

Additional References

Your Training Curriculum

Module 1: Introducing Cisco ASA Solutions
Module Objective: Describe and evaluate technologies that you can use for firewall systems

Lesson 1: Firewall Technologies
Lesson Objective: Describe and evaluate technologies that you can use for firewall systems

This lesson includes these topics:

Firewall Technologies

Cisco ASA Adaptive Security Appliance Features

Summary

Lesson 2: Cisco ASA Adaptive Security Appliance Features
Lesson Objective: Describe Cisco ASA adaptive security appliance models

This lesson includes these topics:

Cisco ASA Adaptive Security Appliance Hardware

Summary

Lesson 3: Module Summary
This lesson includes these topics:

References

Module 2: Exploring Cisco ASA Connectivity Basics
Module Objective: Describe how to configure initial device management features of a Cisco ASA security appliance to prepare for network integration

Lesson 1: Preparing the Cisco ASA Adaptive Security Appliance for Network Integration
Lesson Objective: Explain the Cisco ASA security appliance boot process

This lesson includes these topics:

Managing the Cisco ASA Adaptive Security Appliance Boot Process

Managing the Cisco ASA Adaptive Security Appliance Using Cisco ASDM


Navigating Basic Cisco ASDM Features

Managing the Cisco ASA Adaptive Security Appliance Basic Upgrade

Summary

Lesson 2: Managing Basic Cisco ASA Adaptive Security Appliance Network Settings
Lesson Objective: Describe how to configure Cisco ASA security appliance network interface security levels

This lesson includes these topics:

Managing Cisco ASA Adaptive Security Appliance Security Levels

Managing Basic Cisco ASA Adaptive Security Appliance Network Settings

Configuring and Verifying Interface VLANs

Configuring a Default Route

Summary

Lesson 3: Configuring Cisco ASA Adaptive Security Appliance Routing Features
Lesson Objective: Describe how to configure and verify static routing on Cisco ASA security appliances

This lesson includes these topics:

Static Routing

Dynamic Routing

EIGRP Configuration and Verification

Summary

Lab 2-1: Preparing Cisco ASA for Network Integration and Configuring Basic Settings
Lab Objective: Verify Cisco ASA security appliance and Cisco ASDM versions

This lab includes these tasks:

Task 1: Verify Cisco ASA Security Appliance and Cisco ASDM Versions

Task 2: Initialize the Cisco ASA Security Appliance from the CLI

Task 3: Launch Cisco ASDM and Test SSH Access

Task 4: Configure and Verify Interfaces

Task 5: Configure System Management Parameters

Lesson 4: Backing up and Restoring Cisco ASA
Lesson Objective: Provide an overview of the Cisco ASA Backup and Restore procedures

This lesson includes these topics:

Cisco ASA Backup and Restore Overview

Cisco ASA Backup – Configuring

Cisco ASA Restore - Configuring

Summary


Lesson 5: Module Summary
This lesson includes these topics:

References

Module 3: Configuring ASA Basic Access Control Foundation
Module Objective: Choose and configure ASA security appliance NAT features

Lesson 1: Configuring Cisco ASA Adaptive Security Appliance NAT Features
Lesson Objective: Describe the NAT functions in Cisco ASA Software

This lesson includes these topics:

NAT on Cisco ASA Security Appliances

Configuring Object (Auto) NAT

Configuring Manual NAT

Configuring and Verifying Public Servers

Tuning and Troubleshooting NAT on the Cisco ASA Adaptive Security Appliance

Summary

Lesson 2: Configuring Cisco ASA Adaptive Security Appliance Basic Access Control Features
Lesson Objective: Describe the connection table, the local host table, connection objects, and local host objects

This lesson includes these topics:

Connection Table and Local Host Table

Configuring and Verifying Interface ACLs

Configuring and Verifying Global ACLs

Configuring and Verifying Object Groups

Configuring and Verifying Other Basic Access Controls

Summary

Lab 3-1: Configuring NAT and Basic Access Control
Lab Objective: Configure object NAT for the inside network and DMZ server

This lab includes these tasks:

Task 1: Configure Object NAT for the Client Network and DMZ Server

Task 2: Configure Manual NAT for the DMZ Server and Client Network

Task 3: Configure Access Rules

Lesson 3: Module Summary
This lesson includes these topics:

References


Module 4: Deploying Cisco Remote Access VPN
Module Objective: Describe Cisco Basic Clientless VPN Features and Functions

Lesson 1: Deploying Basic Clientless VPN Solutions
Lesson Objective: Describe the building blocks of, and use cases for, the Cisco ASA clientless SSL VPN solution

This lesson includes these topics:

Cisco ASA Clientless SSL VPN Solution

Configuration Choices and Configuration Procedure

Configuring Basic Cisco ASA Adaptive Security Appliance Gateway Features and Gateway Authentication

Configuring Basic User Authentication

Configuring Basic Access Control

Tuning Gateway Content Rewriting

Summary

Lesson 2: Cisco AnyConnect SSL VPN Overview
Lesson Objective:

This lesson includes these topics:

Introduction to Cisco AnyConnect Client

Cisco AnyConnect Client Core Features

Cisco AnyConnect Network Access Manager

Cisco AnyConnect Secure Mobility Modules

Cisco AnyConnect Secure Reporting and Troubleshooting Modules

Cisco AnyConnect Secure Mobility Licensing

Summary

Lesson 3: Deploying a Cisco AnyConnect Client SSL VPN Solution
Lesson Objective: Describe the operation of full-tunnel SSL VPN technology

This lesson includes these topics:

Basic Cisco AnyConnect SSL VPN

Additional Cisco AnyConnect Deployment Options

Configuring Cisco ASA Gateway Features

Configuring Local User Authentication and IP Address Assignment

Configuring Access Control and Split Tunneling

Deploying DTLS

Installing and Configuring Cisco AnyConnect 3.0

Managing Cisco AnyConnect Software

Summary


Lab 4-1: Configure Cisco AnyConnect Client SSL VPN Solution
Lab Objective: Configure basic full-tunnel SSL VPN support on the Cisco ASA security appliance

This lab includes these tasks:

Task 1: Configure Basic Cisco AnyConnect Client SSL VPN Support on the Cisco ASA Security Appliance

Task 2: Configure a Connection Profile, Group Policy, and User Account in the Local User Database

Task 3: Establish a Cisco AnyConnect Client SSL VPN using WebLaunch

Lesson 4: Module Summary
This lesson includes these topics:

References

Module 5: Introducing Cisco ASA High Availability
Module Objective: Describe the concepts of Cisco ASA Active/Standby High Availability.

Lesson 1: Overview of Cisco ASA Active/Standby High Availability
Lesson Objective: Describe ASA Active/Standby High Availability

This lesson includes these topics:

Cisco ASA Adaptive Security Appliance Active/Standby Failover Overview

Active Unit Election

Switchover Event

Failover Management

Failover Deployment Options

Summary

Lesson 2: Configuring Cisco ASA Adaptive Security Appliance Active/Standby High Availability
Lesson Objective: Configure and verify active/standby failover on the Cisco ASA security appliance

This lesson includes these topics:

Configuring and Verifying Active/Standby Failover

Tuning and Managing Active/Standby Failover

Remote Command Execution

Summary

Lesson 3: Module Summary

Module 6: Introducing the Combined NGFW Security Services
Module Objective: Describe the features of NGFW Security Services

Lesson 1: Introducing the NGFW Security Services
Lesson Objective: Describe Cisco ASA Next Generation Firewall Security Services


This lesson includes these topics:

Cisco NGFW Security Services Overview

Cisco Application Visibility and Control (AVC)

Cisco Web Security Essentials (WSE)

Cisco Security Intelligence Operations (SIO)

IPS for NGFW

Cisco Prime Security Manager (PRSM) — Cisco ASA NGFW Management

Cisco Adaptive Security Appliance NGFW Deployment

Cisco ASA CX Policy Object Types

Cisco ASA CX Access Policy Configuration

Summary

Lesson 2: Defining the Cisco ASA Adaptive Security Appliance MPF
Lesson Objective: Plan the deployment of the Cisco MPF on the Cisco ASA security appliance

This lesson includes these topics:

Cisco MPF Overview

Configuring and Verifying Layer 3 and Layer 4 Policies

Summary

Lab 6-1: Preparing the Cisco ASA NGFW and Configuring the Cisco ASA for Traffic Redirection
Lab Objective: Describe how to install and set up the ASA CX Software Module.

This lab includes these tasks:

Task 1: Install and Set Up the ASA CX Software Module

Task 2: Redirect Traffic from the ASA to Cisco ASA NGFW

Task 3: Explore the On-Box PRSM GUI

Lesson 3: Module Summary
This lesson includes these topics:

References

Module 7: Exploring IPS for Cisco ASA NGFW - IPS Features
Module Objective: Discuss the features that are included in IPS for Cisco ASA Next-Generation Firewalls

Lesson 1: Configuring IPS for Cisco ASA Next Generation Firewall Settings
Lesson Objective: Describe IPS for Cisco ASA NGFW IPS settings.

This lesson includes these topics:

IPS for Cisco ASA NGFW Settings Overview

IPS for Cisco ASA NGFW Settings Configuration

Summary


Lesson 2: Configuring IPS for Cisco ASA Next Generation Firewall Filtering
Lesson Objective: Describe IPS for Cisco ASA NGFW IPS filtering.

This lesson includes these topics:

IPS for Cisco ASA NGFW Filtering Overview

IPS for Cisco ASA NGFW Filtering Configuration

Summary

Lab 7-1: Configure IPS for Cisco ASA NGFW Settings & Filters
Lab Objective: Describe how to configure and verify IPS for Cisco ASA NGFW settings

This lab includes these tasks:

Task 1: Configure IPS for Cisco ASA NGFW Settings

Task 2: Configure IPS for Cisco ASA NGFW Filters

Lesson 3: Module Summary
This lesson includes these topics:

References

Module 8: Exploring the Cisco ASA NGFW WSE and AVC
Module Objective: Understand the basic features and concepts of Cisco ASA NGFW WSE & AVC.

Lesson 1: Introducing Cisco ASA Next Generation Firewall Web Security Essentials & Application Visibility and Control
Lesson Objective: Describe Cisco Application Visibility and Control

This lesson includes these topics:

Cisco Web Security Essentials Overview

Cisco Application Visibility and Control

Summary

Lesson 2: Configuring WSE & AVC
Lesson Objective:

This lesson includes these topics:

Cisco ASA CX URL Filtering Configuration

Configuring AVC

Summary

Lab 8-1: Cisco ASA NGFW Web Security Essentials
Lab Objective: Describe how to configure and verify Cisco ASA NGFW web security

This lab includes these tasks:

Task 1: Configuring Cisco ASA NGFW - Acceptable Use Policy (URL Filtering)

Task 2: Configuring Cisco ASA NGFW - Malware Blocking using Web Reputation


Lab 8-2: Cisco ASA NGFW Application Visibility & Control
Lab Objective: Describe how to configure and verify Cisco ASA NGFW application visibility and control

This lab includes these tasks:

Task 1: Configure the Cisco ASA NGFW Access Policy to Deny Any Executable File Download

Lesson 3: Module Summary
This lesson includes these topics:

References

Module 9: Introducing Cisco ASA Cloud Web Security

Lesson 1: Introducing Cisco ASA with Cisco Cloud Web Security
This lesson includes these topics:

Cisco ASA with Cisco Cloud Web Security

Cisco ScanCenter

Cisco ASA with Cloud Web Security Authentication Keys

Summary

Lesson 2: Configuring Cisco ASA with Cisco Cloud Web Security
Lesson Objective: Configure the Cisco Cloud Web Security proxy servers and license in Cisco ASA

This lesson includes these topics:

Cisco ASA and Cloud Web Security Proxy-Server Configuration

ScanCenter Generation of an Authentication Key for Cisco ASA

Traffic Redirection from Cisco ASA to Cloud Web Security Proxy Servers

Cisco ASA and Cloud Web Security Proxy Server User-Identity Configuration

Summary

Lab 9-1: Cisco ASA and Cloud Web Security Integration (Optional)
Lab Objective: Configure the Cisco ASA to integrate with Cisco Cloud Web Security

This lab includes these tasks:

Task 1: Configure the Cisco ASA-to-Cloud Web Security Integration

Lesson 3: Module Summary
This lesson includes these topics:

References


Course Evaluation Template

Curriculum Evaluation
Effectiveness of the course will be evaluated at these Levels of Kirkpatrick’s performance evaluation.

Level 1: Reaction to the course

Course effects:

Course evaluation:

Level 2: Learning retained

Course effects:

Course evaluation:

Level 3: Performance changes after the course

Course effects:

Course evaluation:

Level 4: Results on the job, after the course

Course effects:

Course evaluation:


Lab Setup

General Information
Each student pod will contain a Cisco ASA 5512-X with an SSD, an outside router, along with the VMs for the PCs and servers. Every two pods will share a Cisco Catalyst 3560-X Series Switch.

Laboratory Topology
Each lab pod consists of a Cisco ASA 5515-X with the SSD and a shared Cisco Unified Computing System C22 server for implementing the Windows 7 and Linux/Kali VMs and the Microsoft Windows 2008 Server VM.


Lab Topology Diagram

A lab topology is used where each pod is independent:

[Lab topology diagram. Per pod: Px-ASA (ASA 5500-X, with IPS or CX module) with Gi0/0 outside on 209.165.201.0/27, Gi0/1 inside on 192.168.1.0/24 and Gi0/2 DMZ on 172.16.1.0/24; Px-Rtr (2610XM) with sub-interfaces Fa0/0.1x (outside, VLAN 1xx), Fa0/0.8x (VLAN 8xx, 209.165.202.128/27) and Fa0/0.9x (VLAN 9xx, 209.165.200.226/27) toward the shared ISR's Gi0/0.9x (209.165.200.225/27); inside VLAN 2xx and DMZ VLAN 3xx. Shared: the ISR's Gi0/1 (.89) on the 172.16.150.0/24 lab management network (.254 gateway), the term server, the Cisco Lab VPN gateway and the Internet. VMs: Inside-PC (Win 7, syslog server), Inside-SRV (Win 2008 R2, AD/DNS), DMZ-SRV (Linux), Outside-PC (Win 7), Outside-SRV (Linux), CDA.]

In the Learning@Cisco lab setup, each Cisco Unified Computing System server also has a connection to the backbone switch (ports 0/1 to 0/6). These connections are meant for students to use RDP to access the springboard VMs for launching the VM, Cisco ASA, and router console connections.

For the Cisco Learning Partner remote lab environment, it is up to the CLPs for how they decide to manage the physical servers for the VMs and how the students will access the VMs for their pods.


Laboratory Equipment

These tables list the recommended equipment to support the lab activities. These tables assume a class size of 32 students (16 pods).

| Description | Manufacturer | Part Number | Quantity |
|---|---|---|---|
| Cisco ASA 5512-X (or ASA 5515-X) | Cisco | ASA5512-K9 | 16 |
| SSD for the Cisco ASA 5500-X for CX | Cisco | ASA5500X-SSD120 | 16 |
| WS-C3560X-24 pod switch | Cisco | WS-C3560X-24 | 8 |
| WS-C3560X-24 backbone switch | Cisco | WS-C3560X-24 | 1 |
| Pod router | Cisco | Cisco Learning Partner to decide which router to use | 16 |
| Backbone shared router using VRFs (with outbound Internet access) | Cisco | ISR G2 (2900) | 1 |
| Term server | Cisco | Cisco Learning Partner to decide which router to use | 1 |
| ASA VPN gateway for the Cisco AnyConnect SSL VPN | Cisco | Any ASA | 1 |
| Physical server for the VMs | Cisco Learning Partner to decide which server hardware to use and how many servers are needed | The Learning@Cisco lab uses the Cisco Unified Computing System C22 server | 6 |
| VMs: Inside Windows 7 PC, Inside Windows 2008 Server R2 Standard, DMZ Linux Server, Outside Windows 7 PC, Outside Linux Server, Cisco CDA | | | 1 set of VMs per pod |

Software List

| Description | Mfr. | Part Number | Qty. |
|---|---|---|---|
| Cisco 5500-X ASA 9.1.3 Image | Cisco | asa913-smp-k8.bin | 16 |
| Cisco ASDM 7.1.3 | Cisco | asdm-713.bin | 16 |
| Cisco ASA CX 9.2.1(52) boot image | Cisco | asacx-5500x-boot-9.2.1-52.img | 16 |
| Cisco ASA CX 9.1.2 package | Cisco | asacx-sys-9.2.1.2-52.pkg | 16 |
| Cisco AnyConnect 3.1.04059 package | Cisco | anyconnect-win.3.1.04059-k9.pk | 16 |
| Cisco ASA CX AVC and Web Security Subscription Licenses (or just use the free trial license and reset the CX database when the trial license expires by using the asa-cx> config reset command) | Cisco | L-ASA5515-AW3Y-PR= | 16 |
| Cisco ASA CX K9 License (free with export restriction): https://tools.cisco.com/SWIFT/LicensingUI/loadDemoLicensee?FormId=2618 | Cisco | | 16 |
| ScanSafe account | Cisco | Seat/Services: 20 Web | 1 |
| Windows 2008 Server R2 Standard License | Microsoft | Standard Edition Windows 2008 Server R2 License | 16 |
| Windows 7 License | Microsoft | Windows 7 License | 16 |

Workstation Configuration

Set up the Windows and Linux VMs per the lab requirements.

Set up similar FTP, HTTP, and other services on the servers per the lab requirements.

Set up the inside server as the DNS server.


Initial Lab Build

This topic contains information that is required to interconnect the lab equipment.

Connections chart

[Physical topology overview diagram. Pod switches Switch-1 to Switch-8 each serve two pods: the first pod's ASA on ports 0/1 to 0/7 and the second pod's on 0/11 to 0/17, with each pod router (Fa0/0) on a trunk port; ports 0/22 and 0/23 connect the UCS servers and a trunk connects the BB-Switch. The BB-Switch also connects the term server, the shared router (ISR G2, Gi0/0 toward the pods and Gi0/1 to allow outbound Internet access), the VPN GW and the Internet.]

Each pod ASA has 7 interfaces connected to the pod switch (gi0/0 to gi0/5 and m0/0). Each pod router has a single trunk interface connected to the pod switch. Each pod switch supports 2 pods.


General Lab Setup

This topic details the procedure to set up and configure the lab equipment.

Follow your own procedures to set up the physical servers for the VMs per the lab requirements. This section does not cover the details on how to set up the physical servers for the VMs.

In the Learning@Cisco lab setup, vCenter is used to manage all of the ESXi servers. The vCenter and the ESXi servers are connected to a lab management network (172.16.150.0/24). The term server (172.16.150.90) is also set up on the lab management network (VLAN 10).

This section also does not cover the details on how to set up the inside server as the Active Directory server and DNS server. Please refer to the Microsoft documentation for setting up the server.

A sample of each of the configurations is shown in the "Configuration Files Summary" section.

In the Learning@Cisco lab setup, all of the different VMs are set up in nonpersistent mode.

The ASAs in the lab should have the ASA CX module installed.

Note In the ASA CX labs, use the on-box PRSM only, not the multidevice off-box PRSM, because the next version of the off-box PRSM will have big changes. There is no need to discuss how the current off-box PRSM works (such as how the ASA CX and ASA devices are imported into the off-box PRSM and how the off-box PRSM policy model works for configuring common policies across multiple ASA CX devices).

Configuration Files Summary

The ASA starting configuration can be the same for all pods except for the ASA hostname.

The pod router starting configuration can be the same for all pods except for the router hostname.

Six pod switches are used, one for every two pods. Each pod switch requires its own set of VLANs to be configured on it.

The shared backbone router uses VRFs to support the 16 different pods and performs PAT for the outbound Internet access. For the Learning@Cisco lab, an outbound access list is used to restrict the outbound Internet traffic from the lab pods. TCP intercept and IOS IPS are also used to prevent students from triggering outbound scanning.

The Learning@Cisco lab has an extra spare pod setup (Pod 17).
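The per-pod numbering scheme described above (VLAN 1xx/2xx/3xx/4xx/8xx/9xx, one VRF podNN with rd NN:NN and one PAT rule per pod on BB-Rtr) is mechanical enough to generate and to audit. The following Python is an added example, not code from the Cisco course guide: it derives a pod's VLAN database and BB-Rtr stanzas from the pod number and checks an existing VLAN database against the scheme. The helper names and the SAMPLE_VLAN_DB text are constructed for this example.

```python
"""Per-pod config generator and VLAN-database audit for the lab numbering scheme.
Added example, not code from the Cisco course guide; helper names and the
SAMPLE_VLAN_DB text are constructed for this example."""
from typing import Dict, List, Optional

BB_RTR_IP = "209.165.200.225"       # BB-Rtr address on every pod's 9xx sub-interface
BB_RTR_MASK = "255.255.255.224"
OUTBOUND_IF = "GigabitEthernet0/1"  # BB-Rtr uplink that the PAT rules overload

# Hundreds digit of the VLAN id per role, as stated in the guide.
ROLE_BASE = {"outside": 100, "inside": 200, "dmz": 300,
             "mgmt": 400, "serviceprovider": 800, "internet": 900}


def pod_vlans(pod: int) -> Dict[str, int]:
    """Role -> VLAN id for one pod; the mgmt VLAN exists only for odd pods."""
    if not 1 <= pod <= 99:
        raise ValueError("pod number must fit the two-digit xx suffix")
    vlans = {role: base + pod for role, base in ROLE_BASE.items()}
    if pod % 2 == 0:                # a clustering pair uses the odd pod's mgmt VLAN
        del vlans["mgmt"]
    return vlans


def vlan_database(pod: int) -> List[str]:
    """IOS 'vlan N' / ' name ...' lines for one pod, in the guide's role order."""
    lines: List[str] = []
    for role, vid in pod_vlans(pod).items():
        lines += [f"vlan {vid}", f" name pod{pod}-{role}"]
    return lines


def bb_router_stanza(pod: int) -> List[str]:
    """BB-Rtr VRF definition, 9xx sub-interface and PAT rule for one pod."""
    vrf = f"pod{pod:02d}"
    vid = pod_vlans(pod)["internet"]
    return [
        f"vrf definition {vrf}",
        f" description Internet access for pod {pod}",
        f" rd {pod}:{pod}",
        " address-family ipv4",
        " exit-address-family",
        "!",
        f"interface GigabitEthernet0/0.{vid}",
        f" encapsulation dot1Q {vid}",
        f" vrf forwarding {vrf}",
        f" ip address {BB_RTR_IP} {BB_RTR_MASK}",
        " ip nat inside",
        " ip virtual-reassembly in",
        " zone-member security in",
        "!",
        f"ip nat inside source list NAT-SRC interface {OUTBOUND_IF} vrf {vrf} overload",
    ]


def parse_vlan_database(config: str) -> Dict[int, str]:
    """Parse 'vlan N' / ' name X' pairs out of IOS config text into {N: X}."""
    db: Dict[int, str] = {}
    current: Optional[int] = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("vlan ") and line[5:].isdigit():
            current = int(line[5:])
            db[current] = ""
        elif line.startswith("name ") and current is not None:
            db[current] = line[5:]
    return db


def audit_vlan_database(db: Dict[int, str]) -> List[str]:
    """Report VLANs whose id or name disagrees with the pod scheme; every pod
    reuses the same IP subnets, so a mis-numbered VLAN silently bridges pods."""
    problems: List[str] = []
    for vid, name in sorted(db.items()):
        if vid == 10:               # lab-management VLAN, outside the pod scheme
            continue
        base, pod = vid - vid % 100, vid % 100
        role = next((r for r, b in ROLE_BASE.items() if b == base), None)
        expected = f"pod{pod}-{role}" if role else None
        if expected is None or name != expected:
            problems.append(f"vlan {vid} named {name!r}, expected {expected!r}")
        elif role == "mgmt" and pod % 2 == 0:
            problems.append(f"vlan {vid}: mgmt VLAN defined for even pod {pod}")
    return problems


# Constructed sample: two correct entries, one mis-named, one even-pod mgmt VLAN.
SAMPLE_VLAN_DB = """\
vlan 10
 name VLAN0010
vlan 101
 name pod1-outside
vlan 302
 name pod3-dmz
vlan 402
 name pod2-mgmt
"""

if __name__ == "__main__":
    print("\n".join(vlan_database(1) + ["!"] + bb_router_stanza(1)))
    for problem in audit_vlan_database(parse_vlan_database(SAMPLE_VLAN_DB)):
        print("AUDIT:", problem)
```

Running the audit over the full VLAN database from the backbone switch is a quick way to catch a pod whose inside or DMZ VLAN was typed with the wrong pod number before students share a switch.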

! vlan 10 is the L@C lab management vlan for managing the physical ESXi servers and term server, etc.
!
vlan 10
 name VLAN0010
!
! Example: outside vlan 1xx, xx = pod number, xx = 01 to 16.
! Example: inside vlan 2xx, xx = pod number, xx = 01 to 16.
! Example: dmz vlan 3xx, xx = pod number, xx = 01 to 16.
! Example: mgmt vlan 4xx, xx = odd pod number, only used in the Clustering lab.
!
vlan 101
 name pod1-outside
vlan 201
 name pod1-inside
vlan 301
 name pod1-dmz
vlan 401
 name pod1-mgmt
!
vlan 102
 name pod2-outside
vlan 202
 name pod2-inside
vlan 302
 name pod2-dmz
!
vlan 103
 name pod3-outside
vlan 203
 name pod3-inside
vlan 303
 name pod3-dmz
vlan 403
 name pod3-mgmt
!
vlan 104
 name pod4-outside
vlan 204
 name pod4-inside
vlan 304
 name pod4-dmz
!
vlan 105
 name pod5-outside
vlan 205
 name pod5-inside
vlan 305
 name pod5-dmz
vlan 405
 name pod5-mgmt
!
vlan 106
 name pod6-outside
vlan 206
 name pod6-inside
vlan 306
 name pod6-dmz
!
vlan 107
 name pod7-outside
vlan 207
 name pod7-inside
vlan 307
 name pod7-dmz
vlan 407
 name pod7-mgmt
!
vlan 108
 name pod8-outside
vlan 208
 name pod8-inside
vlan 308
 name pod8-dmz
!
vlan 109
 name pod9-outside
vlan 209
 name pod9-inside
vlan 309
 name pod9-dmz
vlan 409
 name pod9-mgmt
!
vlan 110
 name pod10-outside
vlan 210
 name pod10-inside
vlan 310
 name pod10-dmz
!
vlan 111
 name pod11-outside
vlan 211
 name pod11-inside
vlan 311
 name pod11-dmz
vlan 411
 name pod11-mgmt
!
vlan 112
 name pod12-outside
vlan 212
 name pod12-inside
vlan 312
 name pod12-dmz
!
vlan 113
 name pod13-outside
vlan 213
 name pod13-inside
vlan 313
 name pod13-dmz
vlan 413
 name pod13-mgmt
!
vlan 114
 name pod14-outside
vlan 214
 name pod14-inside
vlan 314
 name pod14-dmz
!
vlan 115
 name pod15-outside
vlan 215
 name pod15-inside
vlan 315
 name pod15-dmz
vlan 415
 name pod15-mgmt
!
vlan 116
 name pod16-outside
vlan 216
 name pod16-inside
vlan 316
 name pod16-dmz
!
vlan 117
 name pod17-outside
vlan 217
 name pod17-inside
vlan 317
 name pod17-dmz
vlan 417
 name pod17-mgmt
!
vlan 801
 name pod1-serviceprovider
vlan 901
 name pod1-internet
!
vlan 802
 name pod2-serviceprovider
vlan 902
 name pod2-internet
!
vlan 803
 name pod3-serviceprovider
vlan 903
 name pod3-internet
!
vlan 804
 name pod4-serviceprovider
vlan 904
 name pod4-internet
!
vlan 805
 name pod5-serviceprovider
vlan 905
 name pod5-internet
!
vlan 806
 name pod6-serviceprovider
vlan 906
 name pod6-internet
!
vlan 807
 name pod7-serviceprovider
vlan 907
 name pod7-internet
!
vlan 808
 name pod8-serviceprovider
vlan 908
 name pod8-internet
!
vlan 809
 name pod9-serviceprovider
vlan 909
 name pod9-internet
!
vlan 810
 name pod10-serviceprovider
vlan 910
 name pod10-internet
!
vlan 811
 name pod11-serviceprovider
vlan 911
 name pod11-internet
!
vlan 812
 name pod12-serviceprovider
vlan 912
 name pod12-internet
!
vlan 813
 name pod13-serviceprovider
vlan 913
 name pod13-internet
!
vlan 814
 name pod14-serviceprovider
vlan 914
 name pod14-internet
!
vlan 815
 name pod15-serviceprovider
vlan 915
 name pod15-internet
!
vlan 816
 name pod16-serviceprovider
vlan 916
 name pod16-internet
!
vlan 817
 name pod17-serviceprovider
vlan 917
 name pod17-internet

ASA Initial Configuration:

hostname Px-ASA
enable password C!sco!23
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 209.165.201.2 255.255.255.224
 no shut
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 no shut
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 172.16.1.1 255.255.255.0
 no shut
!
interface GigabitEthernet0/3
 no shutdown
!
interface GigabitEthernet0/4
 no shutdown
!
interface GigabitEthernet0/5
 no shutdown
!
interface Management0/0
 no nameif
 management
 no ip address
 no shut
!
domain-name secure-x.local
!
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 192.168.1.2
!
boot system disk0:/asa912-smp-k8.bin
asdm image disk0:/asdm-713.bin
username student password C!sco!23 priv 15
username tec password C!sco!23 priv 15
http server enable
http 192.168.1.0 255.255.255.0 inside
aaa authentication http console LOCAL
ssh timeout 5
ssh 192.168.1.0 255.255.255.0 inside
console timeout 0
!
clock timezone pst -8
ntp server 10.81.254.202
!
!
route outside 0.0.0.0 0.0.0.0 209.165.201.1
!
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
!
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global

Pod Router Initial Configuration:

version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Px-Rtr
!
enable secret cisco
!
ip subnet-zero
!
!
ip name-server 171.70.168.183
ip name-server 173.36.131.10
ip name-server 173.37.87.157
ip name-server 64.102.6.247
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
 no shut
!
interface FastEthernet0/0.101
 encapsulation dot1Q 101
 ip address 209.165.201.1 255.255.255.224
!
interface FastEthernet0/0.801
 encapsulation dot1Q 801
 ip address 209.165.202.129 255.255.255.224
!
interface FastEthernet0/0.901
 encapsulation dot1Q 901
 ip address 209.165.200.226 255.255.255.224
!
ip classless
ip route 0.0.0.0 0.0.0.0 209.165.200.225
ip route 172.16.1.0 255.255.255.0 209.165.201.2
ip route 192.168.1.0 255.255.255.0 209.165.201.2
ip http server
!
!
!
line con 0
line aux 0
line vty 0 4
 login
 password cisco

Pod Switch Configuration for Nonclustering Labs (this example is only for Pod Switch-1, which supports pods 1 and 2):

service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname P1P2-Sw
!
no aaa new-model
ip subnet-zero
!
!
ip domain-name secure-x.com
!
vtp domain secure-x
vtp mode transparent
!
spanning-tree mode pvst
spanning-tree etherchannel guard misconfig
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
interface GigabitEthernet0/1
 description P1-ASA G0/0 (Outside)
 switchport access vlan 101
 switchport mode access
 no shut
!
interface GigabitEthernet0/2
 description P1-ASA G0/1 (Inside)
 switchport access vlan 201
 switchport mode access
 no shut
!
interface GigabitEthernet0/3
 description P1-ASA G0/2 (DMZ)
 switchport access vlan 301
 switchport mode access
 no shut
!
interface GigabitEthernet0/4
 description P1-ASA G0/3 (unused)
 shutdown
!
interface GigabitEthernet0/5
 description P1-ASA G0/4 (unused)
 shutdown
!
interface GigabitEthernet0/6
 description P1-ASA G0/5 (unused)
 shutdown
!
interface GigabitEthernet0/7
 description P1-ASA M0/0
 switchport access vlan 201
 switchport mode access
 no shutdown
!
interface GigabitEthernet0/8
 description P1-Rtr F0/0 (trunk)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 no shut
!
interface GigabitEthernet0/9
!
interface GigabitEthernet0/10
!
interface GigabitEthernet0/11
 description P2-ASA G0/0 (Outside)
 switchport access vlan 102
 switchport mode access
 no shut
!
interface GigabitEthernet0/12
 description P2-ASA G0/1 (Inside)
 switchport access vlan 202
 switchport mode access
 no shut
!
interface GigabitEthernet0/13
 description P2-ASA G0/2 (DMZ)
 switchport access vlan 302
 switchport mode access
 no shut
!
interface GigabitEthernet0/14
 description P2-ASA G0/3 (unused)
 shutdown
!
interface GigabitEthernet0/15
 description P2-ASA G0/4 (unused)
 shutdown
!
interface GigabitEthernet0/16
 description P2-ASA G0/5 (unused)
 shutdown
!
interface GigabitEthernet0/17
 description P2-ASA M0/0
 switchport access vlan 202
 switchport mode access
 no shut
!
interface GigabitEthernet0/18
 description P2-Rtr F0/0 (trunk)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 no shut
!
interface GigabitEthernet0/19
!
interface GigabitEthernet0/20
!
interface GigabitEthernet0/21
!
!
interface GigabitEthernet0/22
 description ESX-Srv Pod1 Link
 switchport trunk encapsulation dot1q
 switchport mode trunk
 no shut
!
interface GigabitEthernet0/23
 description ESX-Srv Pod2 Link
 switchport trunk encapsulation dot1q
 switchport mode trunk
 no shut
!
interface GigabitEthernet0/24
 description BB-Sw Link (trunk)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 no shut
!
interface Vlan1
 no ip address
 no ip route-cache
 shutdown
!
ip http server
ip http secure-server
!
control-plane
!
!
line con 0
line vty 0 15
 login
 password cisco

Pod Switch Configuration for the Clustering Lab (this example is only for Pod Switch-1, which supports pods 1 and 2):

hostname P1P2-Sw-Cluster
!
!
ip subnet-zero
no ip domain-lookup
!
spanning-tree extend system-id
!
!
interface GigabitEthernet0/1
 description to ASA1 gi0/0 - outside
 switchport mode access
 switchport access vlan 101
 channel-group 1 mode active
 no ip address
 no shut
!
interface GigabitEthernet0/2
 description to ASA1 gi0/1 - inside
 switchport mode access
 switchport access vlan 201
 channel-group 2 mode active
 no ip address
 no shut
!
interface GigabitEthernet0/3
 description to ASA1 gi0/2 - CCL
 switchport mode access
 switchport access vlan 301
 channel-group 3 mode active
 spanning-tree portfast
 no ip address
 no shut
!
interface GigabitEthernet0/4
 description to ASA1 gi0/3 - CCL
 switchport mode access
 switchport access vlan 301
 channel-group 3 mode active
 spanning-tree portfast
 no ip address
 no shut
!
interface GigabitEthernet0/5
 description to ASA1 gi0/4 - outside
 switchport mode access
 switchport access vlan 101
 channel-group 1 mode active
 no ip address
 no shut
!
interface GigabitEthernet0/6
 description to ASA1 gi0/5 - inside
 switchport mode access
 switchport access vlan 201
 channel-group 2 mode active
 no ip address
 no shut
!
interface GigabitEthernet0/7
 description to ASA1 m0/0 - mgmt
 switchport mode access
 switchport access vlan 401
 no ip address
 no shut
!
interface GigabitEthernet0/8
 description to pod1-router-fa0/0 - outside
 switchport trunk encapsulation dot1q
 switchport mode trunk
 no ip address
 no shut
!
interface GigabitEthernet0/9
!
interface GigabitEthernet0/10
!
interface GigabitEthernet0/11
 description to ASA2 gi0/0 - outside
 switchport mode access
 switchport access vlan 101
 channel-group 1 mode active
 no ip address
 no shut
!
interface GigabitEthernet0/12
 description to ASA2 gi0/1 - inside
 switchport mode access
 switchport access vlan 201
 channel-group 2 mode active
 no ip address
 no shut
!
interface GigabitEthernet0/13
 description to ASA2 gi0/2 - ccl
 switchport mode access
 switchport access vlan 301
 channel-group 4 mode active
 spanning-tree portfast
 no ip address
 no shut
!
interface GigabitEthernet0/14
 description to ASA2 gi0/3 - CCL
 switchport mode access
 switchport access vlan 301
 channel-group 4 mode active
 spanning-tree portfast
 no ip address
 no shut
!
interface GigabitEthernet0/15
 description to ASA2 gi0/4 - outside
 switchport mode access
 switchport access vlan 101
 channel-group 1 mode active
 no ip address
 no shut
!
interface GigabitEthernet0/16
 description to ASA2 gi0/5 - inside
 switchport mode access
 switchport access vlan 201
 channel-group 2 mode active
 no ip address
 no shut
!
interface GigabitEthernet0/17
 description to ASA2 m0/0 - mgmt
 switchport mode access
 switchport access vlan 401
 no ip address
 no shut
!
interface GigabitEthernet0/18
 description to pod2-router-fa0/0 - not used in cluster lab
 shut
!
interface GigabitEthernet0/22
 description ESX-Srv Pod1 Link
 switchport trunk encapsulation dot1q
 switchport mode trunk
 no shut
!
interface GigabitEthernet0/23
 description ESX-Srv Pod2 Link
 switchport trunk encapsulation dot1q
 switchport mode trunk
 no shut
!
interface GigabitEthernet0/24
 description BB-Sw Link (trunk)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 no shut

Shared Backbone Router (ISR-G2) Initial Configuration:

service timestamps debug datetime msec localtime show-timezoneservice timestamps log datetime msec localtime show-timezoneno service password-encryptionservice sequence-numbers!hostname BB-Rtr!boot-start-markerboot-end-marker!!vrf definition pod01 description Internet access for pod 1 rd 1:1 ! address-family ipv4 exit-address-family!vrf definition pod02 description Internet access for pod 2 rd 2:2 ! address-family ipv4

© 2014 Cisco Systems, Inc. Course Guide C-39

Page 42: ASA Express - cisco.com · Lab 8-1: Cisco ASA NGFW Web Security Essentials C-56 Lab 8-2: Cisco ASA NGFW Application Visibility & Control C-57 Lab 9-1: Cisco ASA and Cloud Web Security

exit-address-family!vrf definition pod03 description Internet access for pod 3 rd 3:3 ! address-family ipv4 exit-address-family!vrf definition pod04 description Internet access for pod 4 rd 4:4 ! address-family ipv4 exit-address-family!vrf definition pod05 description Internet access for pod 5 rd 5:5 ! address-family ipv4 exit-address-family!vrf definition pod06 description Internet access for pod 6 rd 6:6 ! address-family ipv4 exit-address-family!vrf definition pod07 description Internet access for pod 7 rd 7:7 ! address-family ipv4 exit-address-family!vrf definition pod08 description Internet access for pod 8 rd 8:8 ! address-family ipv4 exit-address-family!vrf definition pod09 description Internet access for pod 9 rd 9:9 ! address-family ipv4 exit-address-family!vrf definition pod10 description Internet access for pod 10 rd 10:10 ! address-family ipv4 exit-address-family!vrf definition pod11 description Internet access for pod 11 rd 11:11 ! address-family ipv4

C-40 ASA Express © 2014 Cisco Systems, Inc.

Page 43: ASA Express - cisco.com · Lab 8-1: Cisco ASA NGFW Web Security Essentials C-56 Lab 8-2: Cisco ASA NGFW Application Visibility & Control C-57 Lab 9-1: Cisco ASA and Cloud Web Security

exit-address-family!vrf definition pod12 description Internet access for pod 12 rd 12:12 ! address-family ipv4 exit-address-family!vrf definition pod13 description Internet access for pod 13 rd 13:13 ! address-family ipv4 exit-address-family!vrf definition pod14 description Internet access for pod 14 rd 14:14 ! address-family ipv4 exit-address-family!vrf definition pod15 description Internet access for pod 15 rd 15:15 ! address-family ipv4 exit-address-family!vrf definition pod16 description Internet access for pod 16 rd 16:16 ! address-family ipv4 exit-address-family!vrf definition pod17 description Internet access for pod 17 rd 17:17 ! address-family ipv4 exit-address-family!no logging consoleenable secret 4 E4DbAFTuwtHWgeDbf26D1IEPfPTiddXoyYQC9hTlZ9o!aaa new-model!!aaa session-id commonclock timezone PST -7 0!no ip source-routeip cef!no ip bootp serverip domain name secure-x.localip name-server 171.70.168.183ip name-server 173.36.131.10ip name-server 173.37.87.157ip name-server 64.102.6.247ip ips config location flash:ips retries 1

© 2014 Cisco Systems, Inc. Course Guide C-41

Page 44: ASA Express - cisco.com · Lab 8-1: Cisco ASA NGFW Web Security Essentials C-56 Lab 8-2: Cisco ASA NGFW Application Visibility & Control C-57 Lab 9-1: Cisco ASA and Cloud Web Security

ip ips notify SDEEip ips name ips list 199!ip ips signature-category category all retired true category ios_ips basic retired false!no ipv6 cef!parameter-map type inspect DoS-param-map max-incomplete low 100 max-incomplete high 200 one-minute low 50 one-minute high 100 udp idle-time 5 icmp idle-time 1 tcp synwait-time 5 tcp max-incomplete host 5 block-time 2 sessions maximum 2000multilink bundle-name authenticated!!!crypto pki trustpoint TP-self-signed-36482759 enrollment selfsigned subject-name cn=IOS-Self-Signed-Certificate-36482759 revocation-check none rsakeypair TP-self-signed-36482759!!crypto pki certificate chain TP-self-signed-36482759 certificate self-signed 01 30820227 30820190 A0030201 02020101 300D0609 2A864886 F70D0101 05050030 2F312D30 2B060355 04031324 494F532D 53656C66 2D536967 6E65642D 43657274 69666963 6174652D 33363438 32373539 301E170D 31333037 30333136 33373530 5A170D32 30303130 31303030 3030305A 302F312D 302B0603 55040313 24494F53 2D53656C 662D5369 676E6564 2D436572 74696669 63617465 2D333634 38323735 3930819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281 8100C892 24B73CEA 9DFE2FF5 06083000 ACB94C03 4441B280 E176AA44 9EBAE806 F41D11FA 89952C60 1BF01533 BD86D4B6 3CD0966E 04637F44 FB256453 9A9BD7C1 9198DD4F ABF2084B 1580AE00 A89E146A E532A949 D87532AF 35E79A1A 85ABC15D 9740BDD4 301732F2 F41B623C E80782A3 C20E9993 74F21008 503678ED EEEF030C 40650203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603 551D2304 18301680 1493A5FB F8C4C5B2 35695314 33FFA9C3 BFE035E1 21301D06 03551D0E 04160414 93A5FBF8 C4C5B235 69531433 FFA9C3BF E035E121 300D0609 2A864886 F70D0101 05050003 8181005A 5B7E3057 6BC99037 032A68F9 250B2A87 AE7507AF 74A74BEA D9AF8B3F 562EC19C FF45D91B A1C55D44 465AC1AF F0C3058D F77C0742 7C760320 838C0DB8 939DA2A6 EA33E349 0B4D8E04 8809DF5D AD969DF0 AA512F4E 0C296B1C 97C73644 A813C48C 38C67E41 069B4B27 C97AD5BD 71AA92D8 7BFF6F62 95B2C532 0FC88CAB 0A283B quitlicense udi pid CISCO2901/K9 sn FTX1712Y080!!username student 
password 0 ciscousername tec privilege 15 password 0 b33rb0y!redundancy!crypto key pubkey-chain rsa named-key realm-cisco.pub signature

C-42 ASA Express © 2014 Cisco Systems, Inc.

Page 45: ASA Express - cisco.com · Lab 8-1: Cisco ASA NGFW Web Security Essentials C-56 Lab 8-2: Cisco ASA NGFW Application Visibility & Control C-57 Lab 9-1: Cisco ASA and Cloud Web Security

key-string 30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101 00C19E93 A8AF124A D6CC7A24 5097A975 206BE3A2 06FBA13F 6F12CB5B 4E441F16 17E630D5 C02AC252 912BE27F 37FDD9C8 11FC7AF7 DCDD81D9 43CDABC3 6007D128 B199ABCB D34ED0F9 085FADC1 359C189E F30AF10A C0EFB624 7E0764BF 3E53053E 5B2146A9 D7A5EDE3 0298AF03 DED7A5B8 9479039D 20F30663 9AC64B93 C0112A35 FE3F0C87 89BCB7BB 994AE74C FA9E481D F65875D6 85EAF974 6D9CC8E3 F0B08B85 50437722 FFBE85B9 5E4189FF CC189CB9 69C46F9C A84DFBA5 7A0AF99E AD768C36 006CF498 079F88F8 A3B3FB1F 9FB7B3CB 5539E1D1 9693CCBB 551F78D2 892356AE 2F56D826 8918EF3C 80CA4F4D 87BFCA3B BFF668E9 689782A5 CF31CB6E B4B094D3 F3020301 0001 quit!!!!!ip tcp synwait-time 10!class-map type inspect match-all all match access-group 101!policy-map type inspect in-to-out-pmap class type inspect all inspect DoS-param-map class class-default drop!zone security inzone security outzone-pair security in-out source in destination out service-policy type inspect in-to-out-pmapcsdb tcp synwait-time 30csdb tcp idle-time 3600csdb tcp finwait-time 5csdb tcp reassembly max-memory 1024csdb tcp reassembly max-queue-length 16csdb udp idle-time 30csdb icmp idle-time 10csdb session max-session 65535! !interface Embedded-Service-Engine0/0 no ip address shutdown!interface GigabitEthernet0/0 no ip address duplex auto speed auto!interface GigabitEthernet0/0.901 encapsulation dot1Q 901 vrf forwarding pod01 ip address 209.165.200.225 255.255.255.224 ip nat inside ip virtual-reassembly in zone-member security in!interface GigabitEthernet0/0.902 encapsulation dot1Q 902 vrf forwarding pod02 ip address 209.165.200.225 255.255.255.224

© 2014 Cisco Systems, Inc. Course Guide C-43

Page 46: ASA Express - cisco.com · Lab 8-1: Cisco ASA NGFW Web Security Essentials C-56 Lab 8-2: Cisco ASA NGFW Application Visibility & Control C-57 Lab 9-1: Cisco ASA and Cloud Web Security

ip nat inside ip virtual-reassembly in zone-member security in!interface GigabitEthernet0/0.903 encapsulation dot1Q 903 vrf forwarding pod03 ip address 209.165.200.225 255.255.255.224 ip nat inside ip virtual-reassembly in zone-member security in!interface GigabitEthernet0/0.904 encapsulation dot1Q 904 vrf forwarding pod04 ip address 209.165.200.225 255.255.255.224 ip nat inside ip virtual-reassembly in zone-member security in!interface GigabitEthernet0/0.905 encapsulation dot1Q 905 vrf forwarding pod05 ip address 209.165.200.225 255.255.255.224 ip nat inside ip virtual-reassembly in zone-member security in!interface GigabitEthernet0/0.906 encapsulation dot1Q 906 vrf forwarding pod06 ip address 209.165.200.225 255.255.255.224 ip nat inside ip virtual-reassembly in zone-member security in!interface GigabitEthernet0/0.907 encapsulation dot1Q 907 vrf forwarding pod07 ip address 209.165.200.225 255.255.255.224 ip nat inside ip virtual-reassembly in zone-member security in!interface GigabitEthernet0/0.908 encapsulation dot1Q 908 vrf forwarding pod08 ip address 209.165.200.225 255.255.255.224 ip nat inside ip virtual-reassembly in zone-member security in!interface GigabitEthernet0/0.909 encapsulation dot1Q 909 vrf forwarding pod09 ip address 209.165.200.225 255.255.255.224 ip nat inside ip virtual-reassembly in zone-member security in!interface GigabitEthernet0/0.910 encapsulation dot1Q 910 vrf forwarding pod10

C-44 ASA Express © 2014 Cisco Systems, Inc.

Page 47: ASA Express - cisco.com · Lab 8-1: Cisco ASA NGFW Web Security Essentials C-56 Lab 8-2: Cisco ASA NGFW Application Visibility & Control C-57 Lab 9-1: Cisco ASA and Cloud Web Security

ip address 209.165.200.225 255.255.255.224 ip nat inside ip virtual-reassembly in zone-member security in!interface GigabitEthernet0/0.911 encapsulation dot1Q 911 vrf forwarding pod11 ip address 209.165.200.225 255.255.255.224 ip nat inside ip virtual-reassembly in zone-member security in!interface GigabitEthernet0/0.912 encapsulation dot1Q 912 vrf forwarding pod12 ip address 209.165.200.225 255.255.255.224 ip nat inside ip virtual-reassembly in zone-member security in!interface GigabitEthernet0/0.913 encapsulation dot1Q 913 vrf forwarding pod13 ip address 209.165.200.225 255.255.255.224 ip nat inside ip virtual-reassembly in zone-member security in!interface GigabitEthernet0/0.914 encapsulation dot1Q 914 vrf forwarding pod14 ip address 209.165.200.225 255.255.255.224 ip nat inside ip virtual-reassembly in zone-member security in!interface GigabitEthernet0/0.915 encapsulation dot1Q 915 vrf forwarding pod15 ip address 209.165.200.225 255.255.255.224 ip nat inside ip virtual-reassembly in zone-member security in!interface GigabitEthernet0/0.916 encapsulation dot1Q 916 vrf forwarding pod16 ip address 209.165.200.225 255.255.255.224 ip nat inside ip virtual-reassembly in zone-member security in!interface GigabitEthernet0/0.917 encapsulation dot1Q 917 vrf forwarding pod17 ip address 209.165.200.225 255.255.255.224 ip nat inside ip virtual-reassembly in zone-member security in!interface GigabitEthernet0/1 ip address 172.16.150.89 255.255.255.0
 ip access-group 100 out
 ip nat outside
 ip ips ips out
 ip virtual-reassembly in
 zone-member security out
 duplex auto
 speed auto
!
interface GigabitEthernet0/0/0
 no ip address
!
interface GigabitEthernet0/0/1
 no ip address
!
interface GigabitEthernet0/0/2
 no ip address
!
interface GigabitEthernet0/0/3
 no ip address
!
interface Vlan1
 no ip address
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip dns server
ip nat inside source list NAT-SRC interface GigabitEthernet0/1 vrf pod01 overload
ip nat inside source list NAT-SRC interface GigabitEthernet0/1 vrf pod02 overload
ip nat inside source list NAT-SRC interface GigabitEthernet0/1 vrf pod03 overload
ip nat inside source list NAT-SRC interface GigabitEthernet0/1 vrf pod04 overload
ip nat inside source list NAT-SRC interface GigabitEthernet0/1 vrf pod05 overload
ip nat inside source list NAT-SRC interface GigabitEthernet0/1 vrf pod06 overload
ip nat inside source list NAT-SRC interface GigabitEthernet0/1 vrf pod07 overload
ip nat inside source list NAT-SRC interface GigabitEthernet0/1 vrf pod08 overload
ip nat inside source list NAT-SRC interface GigabitEthernet0/1 vrf pod09 overload
ip nat inside source list NAT-SRC interface GigabitEthernet0/1 vrf pod10 overload
ip nat inside source list NAT-SRC interface GigabitEthernet0/1 vrf pod11 overload
ip nat inside source list NAT-SRC interface GigabitEthernet0/1 vrf pod12 overload
ip nat inside source list NAT-SRC interface GigabitEthernet0/1 vrf pod13 overload
ip nat inside source list NAT-SRC interface GigabitEthernet0/1 vrf pod14 overload
ip nat inside source list NAT-SRC interface GigabitEthernet0/1 vrf pod15 overload
ip nat inside source list NAT-SRC interface GigabitEthernet0/1 vrf pod16 overload
ip nat inside source list NAT-SRC interface GigabitEthernet0/1 vrf pod17 overload
ip route 0.0.0.0 0.0.0.0 172.16.150.254
ip route vrf pod01 0.0.0.0 0.0.0.0 GigabitEthernet0/1 172.16.150.254 global 2
ip route vrf pod01 172.16.1.0 255.255.255.0 209.165.200.226
ip route vrf pod01 192.168.1.0 255.255.255.0 209.165.200.226
ip route vrf pod01 209.165.201.0 255.255.255.224 209.165.200.226
ip route vrf pod01 209.165.202.128 255.255.255.224 209.165.200.226
ip route vrf pod02 0.0.0.0 0.0.0.0 GigabitEthernet0/1 172.16.150.254 global 2
ip route vrf pod02 172.16.1.0 255.255.255.0 209.165.200.226
ip route vrf pod02 192.168.1.0 255.255.255.0 209.165.200.226
ip route vrf pod02 209.165.201.0 255.255.255.224 209.165.200.226
ip route vrf pod02 209.165.202.128 255.255.255.224 209.165.200.226
ip route vrf pod03 0.0.0.0 0.0.0.0 GigabitEthernet0/1 172.16.150.254 global 2
ip route vrf pod03 172.16.1.0 255.255.255.0 209.165.200.226
ip route vrf pod03 192.168.1.0 255.255.255.0 209.165.200.226
ip route vrf pod03 209.165.201.0 255.255.255.224 209.165.200.226
ip route vrf pod03 209.165.202.128 255.255.255.224 209.165.200.226
ip route vrf pod04 0.0.0.0 0.0.0.0 GigabitEthernet0/1 172.16.150.254 global 2
ip route vrf pod04 172.16.1.0 255.255.255.0 209.165.200.226
ip route vrf pod04 192.168.1.0 255.255.255.0 209.165.200.226
ip route vrf pod04 209.165.201.0 255.255.255.224 209.165.200.226
ip route vrf pod04 209.165.202.128 255.255.255.224 209.165.200.226
ip route vrf pod05 0.0.0.0 0.0.0.0 GigabitEthernet0/1 172.16.150.254 global 2
ip route vrf pod05 172.16.1.0 255.255.255.0 209.165.200.226
ip route vrf pod05 192.168.1.0 255.255.255.0 209.165.200.226
ip route vrf pod05 209.165.201.0 255.255.255.224 209.165.200.226
ip route vrf pod05 209.165.202.128 255.255.255.224 209.165.200.226
ip route vrf pod06 0.0.0.0 0.0.0.0 GigabitEthernet0/1 172.16.150.254 global 2
ip route vrf pod06 172.16.1.0 255.255.255.0 209.165.200.226
ip route vrf pod06 192.168.1.0 255.255.255.0 209.165.200.226
ip route vrf pod06 209.165.201.0 255.255.255.224 209.165.200.226
ip route vrf pod06 209.165.202.128 255.255.255.224 209.165.200.226
ip route vrf pod07 0.0.0.0 0.0.0.0 GigabitEthernet0/1 172.16.150.254 global 2
ip route vrf pod07 172.16.1.0 255.255.255.0 209.165.200.226
ip route vrf pod07 192.168.1.0 255.255.255.0 209.165.200.226
ip route vrf pod07 209.165.201.0 255.255.255.224 209.165.200.226
ip route vrf pod07 209.165.202.128 255.255.255.224 209.165.200.226
ip route vrf pod08 0.0.0.0 0.0.0.0 GigabitEthernet0/1 172.16.150.254 global 2
ip route vrf pod08 172.16.1.0 255.255.255.0 209.165.200.226
ip route vrf pod08 192.168.1.0 255.255.255.0 209.165.200.226
ip route vrf pod08 209.165.201.0 255.255.255.224 209.165.200.226
ip route vrf pod08 209.165.202.128 255.255.255.224 209.165.200.226
ip route vrf pod09 0.0.0.0 0.0.0.0 GigabitEthernet0/1 172.16.150.254 global 2
ip route vrf pod09 172.16.1.0 255.255.255.0 209.165.200.226
ip route vrf pod09 192.168.1.0 255.255.255.0 209.165.200.226
ip route vrf pod09 209.165.201.0 255.255.255.224 209.165.200.226
ip route vrf pod09 209.165.202.128 255.255.255.224 209.165.200.226
ip route vrf pod10 0.0.0.0 0.0.0.0 GigabitEthernet0/1 172.16.150.254 global 2
ip route vrf pod10 172.16.1.0 255.255.255.0 209.165.200.226
ip route vrf pod10 192.168.1.0 255.255.255.0 209.165.200.226
ip route vrf pod10 209.165.201.0 255.255.255.224 209.165.200.226
ip route vrf pod10 209.165.202.128 255.255.255.224 209.165.200.226
ip route vrf pod11 0.0.0.0 0.0.0.0 GigabitEthernet0/1 172.16.150.254 global 2
ip route vrf pod11 172.16.1.0 255.255.255.0 209.165.200.226
ip route vrf pod11 192.168.1.0 255.255.255.0 209.165.200.226
ip route vrf pod11 209.165.201.0 255.255.255.224 209.165.200.226
ip route vrf pod11 209.165.202.128 255.255.255.224 209.165.200.226
ip route vrf pod12 0.0.0.0 0.0.0.0 GigabitEthernet0/1 172.16.150.254 global 2
ip route vrf pod12 172.16.1.0 255.255.255.0 209.165.200.226
ip route vrf pod12 192.168.1.0 255.255.255.0 209.165.200.226
ip route vrf pod12 209.165.201.0 255.255.255.224 209.165.200.226
ip route vrf pod12 209.165.202.128 255.255.255.224 209.165.200.226
ip route vrf pod13 0.0.0.0 0.0.0.0 GigabitEthernet0/1 172.16.150.254 global 2
ip route vrf pod13 172.16.1.0 255.255.255.0 209.165.200.226
ip route vrf pod13 192.168.1.0 255.255.255.0 209.165.200.226
ip route vrf pod13 209.165.201.0 255.255.255.224 209.165.200.226
ip route vrf pod13 209.165.202.128 255.255.255.224 209.165.200.226
ip route vrf pod14 0.0.0.0 0.0.0.0 GigabitEthernet0/1 172.16.150.254 global 2
ip route vrf pod14 172.16.1.0 255.255.255.0 209.165.200.226
ip route vrf pod14 192.168.1.0 255.255.255.0 209.165.200.226
ip route vrf pod14 209.165.201.0 255.255.255.224 209.165.200.226
ip route vrf pod14 209.165.202.128 255.255.255.224 209.165.200.226
ip route vrf pod15 0.0.0.0 0.0.0.0 GigabitEthernet0/1 172.16.150.254 global 2
ip route vrf pod15 172.16.1.0 255.255.255.0 209.165.200.226
ip route vrf pod15 192.168.1.0 255.255.255.0 209.165.200.226
ip route vrf pod15 209.165.201.0 255.255.255.224 209.165.200.226
ip route vrf pod15 209.165.202.128 255.255.255.224 209.165.200.226
ip route vrf pod16 0.0.0.0 0.0.0.0 GigabitEthernet0/1 172.16.150.254 global 2
ip route vrf pod16 172.16.1.0 255.255.255.0 209.165.200.226
ip route vrf pod16 192.168.1.0 255.255.255.0 209.165.200.226
ip route vrf pod16 209.165.201.0 255.255.255.224 209.165.200.226
ip route vrf pod16 209.165.202.128 255.255.255.224 209.165.200.226
ip route vrf pod17 0.0.0.0 0.0.0.0 GigabitEthernet0/1 172.16.150.254 global 2
ip route vrf pod17 172.16.1.0 255.255.255.0 209.165.200.226
ip route vrf pod17 192.168.1.0 255.255.255.0 209.165.200.226
ip route vrf pod17 209.165.201.0 255.255.255.224 209.165.200.226
ip route vrf pod17 209.165.202.128 255.255.255.224 209.165.200.226
!
ip access-list extended NAT-SRC
 permit ip 192.168.1.0 0.0.0.255 any
 permit ip 172.16.1.0 0.0.0.255 any
 permit ip 209.165.201.0 0.0.0.255 any
 permit ip 209.165.202.0 0.0.0.255 any
 permit ip 209.165.200.0 0.0.0.255 any
!
access-list 23 permit any
access-list 100 deny ip any 172.16.0.0 0.0.255.255
access-list 100 deny ip any 128.107.246.0 0.0.0.255
access-list 100 permit tcp any any eq www
access-list 100 permit tcp any any eq 443
access-list 100 permit tcp any any eq smtp
access-list 100 permit tcp any any eq ftp
access-list 100 permit tcp any any eq ftp-data
access-list 100 permit tcp any any eq domain
access-list 100 permit udp any any eq ntp
access-list 100 permit icmp any any
access-list 100 permit udp any any eq domain
access-list 100 permit tcp any any eq 8080
access-list 101 permit ip any any
access-list 199 permit ip any any
!
!
control-plane
!
!
!
line con 0
 exec-timeout 5 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 password cisco
 transport input ssh
line vty 5 24
 password cisco
 transport input ssh
line vty 25 1114
 transport input ssh
!
scheduler allocate 20000 1000
ntp server clock.cisco.com
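Access list 100 is applied outbound on the shared ISR's Gi0/1, so it is the egress filter every pod's NAT'd traffic crosses: it denies anything toward 172.16.0.0/16 and 128.107.246.0/24 first, then permits only a fixed list of services, and IOS appends an implicit deny. The following added example (written for this appendix, not Cisco's code) parses that ACL and applies first-match semantics to constructed sample flows; the Internet host 198.51.100.10 and the flow names are assumptions.

```python
import ipaddress
from typing import NamedTuple, Optional, Tuple

PORT_NAMES = {"www": 80, "smtp": 25, "ftp": 21, "ftp-data": 20, "domain": 53, "ntp": 123}

# ACL 100 as it appears in the shared ISR configuration.
ACL_100 = """
access-list 100 deny ip any 172.16.0.0 0.0.255.255
access-list 100 deny ip any 128.107.246.0 0.0.0.255
access-list 100 permit tcp any any eq www
access-list 100 permit tcp any any eq 443
access-list 100 permit tcp any any eq smtp
access-list 100 permit tcp any any eq ftp
access-list 100 permit tcp any any eq ftp-data
access-list 100 permit tcp any any eq domain
access-list 100 permit udp any any eq ntp
access-list 100 permit icmp any any
access-list 100 permit udp any any eq domain
access-list 100 permit tcp any any eq 8080
"""
class Flow(NamedTuple):
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None

class Ace(NamedTuple):
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" matches every protocol
    src: Optional[Tuple[int, int]]  # (network, wildcard) as ints; None means "any"
    dst: Optional[Tuple[int, int]]
    dport: Optional[int]            # from "eq <port>", None when absent

def _parse_addr(tokens, i):
    """Parse 'any' or 'A.B.C.D W.W.W.W' (IOS wildcard mask) starting at tokens[i]."""
    if tokens[i] == "any":
        return None, i + 1
    net, wild = (int(ipaddress.IPv4Address(x)) for x in tokens[i:i + 2])
    return (net, wild), i + 2

def parse_acl(text):
    """Parse 'access-list <n> <action> <proto> <src> <dst> [eq <port>]' lines."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        action, proto = t[2], t[3]
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        dport = None
        if i < len(t) and t[i] == "eq":
            dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        aces.append(Ace(action, proto, src, dst, dport))
    return aces

def _match_addr(spec, addr):
    if spec is None:
        return True
    net, wild = spec
    care = 0xFFFFFFFF ^ wild        # wildcard 1-bits are "don't care"
    return int(ipaddress.IPv4Address(addr)) & care == net & care

def evaluate(aces, flow):
    """First matching ACE wins; IOS ends every ACL with an implicit 'deny ip any any'."""
    for ace in aces:
        if ace.proto != "ip" and ace.proto != flow.proto:
            continue
        if not (_match_addr(ace.src, flow.src) and _match_addr(ace.dst, flow.dst)):
            continue
        if ace.dport is not None and ace.dport != flow.dport:
            continue
        return ace.action
    return "deny"

# Constructed flows as they leave Gi0/1 after PAT; 198.51.100.10 (RFC 5737) is an assumed Internet host.
SAMPLE_FLOWS = {
    "web to internet":      Flow("tcp", "172.16.150.89", "198.51.100.10", 80),
    "dns to internet":      Flow("udp", "172.16.150.89", "198.51.100.10", 53),
    "ssh to internet":      Flow("tcp", "172.16.150.89", "198.51.100.10", 22),
    "web to lab gateway":   Flow("tcp", "172.16.150.89", "172.16.150.254", 80),
    "https to 128.107.246": Flow("tcp", "172.16.150.89", "128.107.246.5", 443),
}
def check_flows(acl_text=ACL_100, flows=SAMPLE_FLOWS):
    # Returns {flow name: "permit" | "deny"} for each sample flow against the parsed ACL.
    aces = parse_acl(acl_text)
    return {name: evaluate(aces, flow) for name, flow in flows.items()}
```

Note that "web to lab gateway" is denied even though port 80 is permitted later: the deny toward 172.16.0.0/16 comes first, which is the ordering that keeps pod traffic off the lab infrastructure network.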

Backbone Switch Initial Configuration:

service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname BB-Sw
!
boot-start-marker
boot-end-marker
!
no aaa new-model
system mtu routing 1500
ip subnet-zero
!
crypto pki trustpoint TP-self-signed-1902717568
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1902717568
 revocation-check none
 rsakeypair TP-self-signed-1902717568
!
!
crypto pki certificate chain TP-self-signed-1902717568
 certificate self-signed 01
  ! (self-signed certificate hex dump omitted)
  quit
!
spanning-tree mode pvst
spanning-tree etherchannel guard misconfig
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
 switchport mode trunk
!
interface FastEthernet0/12
 switchport mode trunk
!
interface FastEthernet0/13
 switchport mode trunk
!
interface FastEthernet0/14
 switchport mode trunk
!
interface FastEthernet0/15
 switchport mode trunk
!
interface FastEthernet0/16
 switchport mode trunk
!
interface FastEthernet0/17
 switchport mode trunk
!
interface FastEthernet0/18
 switchport mode trunk
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
 switchport mode trunk
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
 no ip address
 no ip route-cache
!
ip http server
ip http secure-server
!
control-plane
!
!
line con 0
line vty 0 4
 no login
line vty 5 15
 no login

Lab IP Addressing

Lab Device                                                                    IP Address
Cisco ASA inside interface (Gi0/1)                                            192.168.1.1/24
Cisco ASA outside interface (Gi0/0)                                           209.165.201.2/27
Cisco ASA DMZ interface (Gi0/2)                                               172.16.1.1/24
Outside router ASA-facing interface (Fa0/0.1x)                                209.165.201.1/27
Outside router Internet-facing interface (Fa0/0.9x)                           209.165.200.226/27
Outside router service provider/outside network-facing interface (Fa0/0.8x)   209.165.202.129/27
Inside server (Windows 2008 Server)                                           192.168.1.2/24
Inside PC (Windows 7)                                                         192.168.1.3/24
DMZ server (Linux/Kali)                                                       172.16.1.2/24
Outside PC (Windows 7)                                                        209.165.202.131/27
Outside server (Linux/Kali)                                                   209.165.202.130/27

Lab Details

Lab 2-1: Preparing Cisco ASA for Network Integration and Configuring Basic Settings

This topic details the lab activity for Lab 2-1: Preparing Cisco ASA for Network Integration and Configuring Basic Settings.

Objectives

Upon completing this exercise, you will be able to:

Verify Cisco ASA security appliance and Cisco ASDM versions

Initialize the Cisco ASA security appliance from the CLI

Launch Cisco ASDM and test SSH access

Configure and verify interfaces

Configure system management parameters

Visual Objective

The figure illustrates the lab topology.

Lab 3-1: Configuring NAT and Basic Access Control

This topic details the lab activity for Lab 3-1: Configuring NAT and Basic Access Control.

Objectives

Upon completing this exercise, you will be able to:

Configure object NAT for the inside network and DMZ server

Configure manual NAT for the DMZ server and client network

Configure an access rule to allow outside access to the DMZ server

Visual Objective

The figure illustrates the lab topology.

[Figure: Lab Topology, Pod XX (XX = 01 to 16). Px-ASA (ASA 5500-X, IPS or CX module): Inside Gi0/1 on 192.168.1.0/24 (ASA .1, Inside-PC Win 7 .3, Inside-SRV Win 2008 R2 AD/DNS .2, Syslog Srv); Outside Gi0/0 on 209.165.201.0/27 (ASA .2, Px-Rtr .1); DMZ Gi0/2 on 172.16.1.0/24 (ASA .1, DMZ-SRV Linux .2). Px-Rtr (2610XM): Fa0/0.1x toward the ASA, Fa0/0.8x on 209.165.202.128/27 (.129; Outside-PC Win 7 .131, Outside-SRV Linux .130), Fa0/0.9x 209.165.200.226/27 toward the Shared ISR Gi0/0.9x 209.165.200.225/27. Shared ISR Gi0/1 .89 on 172.16.150.0/24, .254 gateway to the Cisco Lab VPN Gateway and the Internet. VLANs 1xx, 2xx, 3xx, 8xx, 9xx; Term Server.]

Lab 4-1: Configure Cisco AnyConnect Client SSL VPN Solution

This topic details the lab activity for Lab 4-1: Configure Cisco AnyConnect Client SSL VPN Solution.

Objectives

In this activity, you will configure and verify baseline client-based, SSL VPN remote access features of the Cisco AnyConnect client and the Cisco ASA security appliance. After completing this activity, you will be able to meet these objectives:

Configure basic Cisco AnyConnect Client SSL VPN support on the Cisco ASA security appliance

Configure a connection profile and a group policy with all required settings for Cisco AnyConnect Client SSL VPN remote access users

Establish a Cisco AnyConnect Client SSL VPN between the client and the gateway

Verify the Cisco AnyConnect Client SSL VPN configuration and test connectivity over the configured VPN connection

Visual Objective

The figure illustrates the lab topology.

[Figure: Lab Topology, Pod XX (XX = 01 to 16). Px-ASA (ASA 5500-X, IPS or CX module): Inside Gi0/1 on 192.168.1.0/24 (ASA .1, Inside-PC Win 7 .3, Inside-SRV Win 2008 R2 AD/DNS .2, Syslog Srv); Outside Gi0/0 on 209.165.201.0/27 (ASA .2, Px-Rtr .1); DMZ Gi0/2 on 172.16.1.0/24 (ASA .1, DMZ-SRV Linux .2). Px-Rtr (2610XM): Fa0/0.1x toward the ASA, Fa0/0.8x on 209.165.202.128/27 (.129; Outside-PC Win 7 .131, Outside-SRV Linux .130), Fa0/0.9x 209.165.200.226/27 toward the Shared ISR Gi0/0.9x 209.165.200.225/27. Shared ISR Gi0/1 .89 on 172.16.150.0/24, .254 gateway to the Cisco Lab VPN Gateway and the Internet. VLANs 1xx, 2xx, 3xx, 8xx, 9xx; Term Server.]

Lab 6-1: Preparing the Cisco ASA NGFW and Configuring the Cisco ASA for Traffic Redirection

This topic details the lab activity for Lab 6-1: Preparing the Cisco ASA NGFW and Configuring the Cisco ASA for Traffic Redirection.

Objectives

Upon completing this exercise, you will be able to:

Describe how to install and set up the ASA CX Software Module.

Describe how to redirect traffic from the Cisco ASA to the Cisco ASA NGFW.

Discuss the on-box PRSM GUI.

Visual Objective

The figure illustrates what you will accomplish in this activity.

[Figure: Lab topology, Pod XX. Px-ASA (ASA 5500-X, IPS or CX module): Inside Gi0/1 on 192.168.1.0/24 (ASA .1, Inside-PC Win 7 / Syslog Server .3, Inside-SRV Win 2008 R2 AD/DNS .2); Outside Gi0/0 on 209.165.201.0/27 (ASA .2, Px-Rtr .1); DMZ Gi0/2 on 172.16.1.0/24 (ASA .1, DMZ-SRV Linux .2). Px-Rtr (2610XM): Fa0/0.1x toward the ASA, Fa0/0.8x on 209.165.202.128/27 (.129; Outside-PC Win 7 .131, Outside-SRV Linux .130), Fa0/0.9x 209.165.200.226/27 toward the Shared ISR Gi0/0.9x 209.165.200.225/27. Shared ISR Gi0/1 .89 on 172.16.150.0/24, .254 gateway to the Cisco Lab VPN Gateway and the Internet. VLANs 1xx, 2xx, 3xx, 8xx, 9xx; Term Server; CDA.]

Lab 7-1: Configure IPS for Cisco ASA NGFW Settings & Filters

This topic details the lab activity for Lab 7-1: Configure IPS for Cisco ASA NGFW Settings & Filters.

Objectives

Upon completing this exercise, you will be able to:

Describe how to configure and verify IPS for Cisco ASA NGFW settings

Describe how to configure and verify IPS for Cisco ASA NGFW filters

Visual Objective

The figure illustrates what you will accomplish in this activity.

[Figure: Lab topology, Pod XX. Px-ASA (ASA 5500-X, IPS or CX module): Inside Gi0/1 on 192.168.1.0/24 (ASA .1, Inside-PC Win 7 / Syslog Server .3, Inside-SRV Win 2008 R2 AD/DNS .2); Outside Gi0/0 on 209.165.201.0/27 (ASA .2, Px-Rtr .1); DMZ Gi0/2 on 172.16.1.0/24 (ASA .1, DMZ-SRV Linux .2). Px-Rtr (2610XM): Fa0/0.1x toward the ASA, Fa0/0.8x on 209.165.202.128/27 (.129; Outside-PC Win 7 .131, Outside-SRV Linux .130), Fa0/0.9x 209.165.200.226/27 toward the Shared ISR Gi0/0.9x 209.165.200.225/27. Shared ISR Gi0/1 .89 on 172.16.150.0/24, .254 gateway to the Cisco Lab VPN Gateway and the Internet. VLANs 1xx, 2xx, 3xx, 8xx, 9xx; Term Server; CDA.]

Lab 8-1: Cisco ASA NGFW Web Security Essentials

This topic details the lab activity for Lab 8-1: Cisco ASA NGFW Web Security Essentials.

Objectives

Describe how to configure and verify Cisco ASA NGFW web security

Visual Objective

The figure illustrates what you will accomplish in this activity.

[Figure: Lab topology, Pod XX. Px-ASA (ASA 5500-X, IPS or CX module): Inside Gi0/1 on 192.168.1.0/24 (ASA .1, Inside-PC Win 7 / Syslog Server .3, Inside-SRV Win 2008 R2 AD/DNS .2); Outside Gi0/0 on 209.165.201.0/27 (ASA .2, Px-Rtr .1); DMZ Gi0/2 on 172.16.1.0/24 (ASA .1, DMZ-SRV Linux .2). Px-Rtr (2610XM): Fa0/0.1x toward the ASA, Fa0/0.8x on 209.165.202.128/27 (.129; Outside-PC Win 7 .131, Outside-SRV Linux .130), Fa0/0.9x 209.165.200.226/27 toward the Shared ISR Gi0/0.9x 209.165.200.225/27. Shared ISR Gi0/1 .89 on 172.16.150.0/24, .254 gateway to the Cisco Lab VPN Gateway and the Internet. VLANs 1xx, 2xx, 3xx, 8xx, 9xx; Term Server; CDA.]

Lab 8-2: Cisco ASA NGFW Application Visibility & Control

This topic details the lab activity for Lab 8-2: Cisco ASA NGFW Application Visibility & Control.

Objectives

Describe how to configure and verify Cisco ASA NGFW application visibility and control

Visual Objective

The figure illustrates what you will accomplish in this activity.

[Figure: Lab topology, Pod XX. Px-ASA (ASA 5500-X, IPS or CX module): Inside Gi0/1 on 192.168.1.0/24 (ASA .1, Inside-PC Win 7 / Syslog Server .3, Inside-SRV Win 2008 R2 AD/DNS .2); Outside Gi0/0 on 209.165.201.0/27 (ASA .2, Px-Rtr .1); DMZ Gi0/2 on 172.16.1.0/24 (ASA .1, DMZ-SRV Linux .2). Px-Rtr (2610XM): Fa0/0.1x toward the ASA, Fa0/0.8x on 209.165.202.128/27 (.129; Outside-PC Win 7 .131, Outside-SRV Linux .130), Fa0/0.9x 209.165.200.226/27 toward the Shared ISR Gi0/0.9x 209.165.200.225/27. Shared ISR Gi0/1 .89 on 172.16.150.0/24, .254 gateway to the Cisco Lab VPN Gateway and the Internet. VLANs 1xx, 2xx, 3xx, 8xx, 9xx; Term Server; CDA.]

Lab 9-1: Cisco ASA and Cloud Web Security Integration (Optional)

This topic details the lab activity for Lab 9-1: Cisco ASA and Cloud Web Security Integration (Optional).

Objectives

Upon completing this lesson, you will be able to:

Configure the Cisco ASA to integrate with Cisco Cloud Web Security

Visual Objective

The figure illustrates what you will accomplish in this activity.

[Figure: Lab topology, Pod XX. Px-ASA (ASA 5500-X, IPS or CX module): Inside Gi0/1 on 192.168.1.0/24 (ASA .1, Inside-PC Win 7 / Syslog Server .3, Inside-SRV Win 2008 R2 AD/DNS .2); Outside Gi0/0 on 209.165.201.0/27 (ASA .2, Px-Rtr .1); DMZ Gi0/2 on 172.16.1.0/24 (ASA .1, DMZ-SRV Linux .2). Px-Rtr (2610XM): Fa0/0.1x toward the ASA, Fa0/0.8x on 209.165.202.128/27 (.129; Outside-PC Win 7 .131, Outside-SRV Linux .130), Fa0/0.9x 209.165.200.226/27 toward the Shared ISR Gi0/0.9x 209.165.200.225/27. Shared ISR Gi0/1 .89 on 172.16.150.0/24, .254 gateway to the Cisco Lab VPN Gateway and the Internet. VLANs 1xx, 2xx, 3xx, 8xx, 9xx; Term Server; CDA.]

Setup Notes

From ScanCenter, create a simple web-filtering rule to block using the "default" web filter.

Common Issues

This subtopic presents common issues for this lab.

During the optional step for configuring the ASA to send a default username and group name, if the ASA is reporting a previously logged-in Active Directory user to ScanSafe instead, use the clear user-identity active-user-database command to remove all the user-to-IP mappings on the ASA.
