SNPA

Securing Networks with PIX and the ASA

Course Overview

Securing Networks with PIX and ASA (SNPA) is a five-day, leader-led, lab-intensive course. This task-oriented course teaches the knowledge and skills needed to configure, maintain, and operate Cisco PIX 500 Series Security Appliances and Cisco ASA 5500 Series Adaptive Security Appliances. The SNPA class will cover the PIX and ASA, however since the PIX and the ASA use the same tactics and language, all labs will be conducted on the PIX 500 Series Security Appliance.

Target Audience

The primary audience for this course is as follows:

• Cisco customers who implement and maintain PIX Security Appliance and ASA security appliances

The secondary audience for this course is as follows:

• Cisco channel partners who sell, implement, and maintain PIX Security Appliance and ASA security appliances
• Cisco systems engineers who support the sale of PIX Security Appliance and ASA security appliances

Course Objectives

After completing this course, the student should be able to:

• Describe the security appliance features, models, components, and benefits
• Explain the four access modes
• Describe the security appliance file management system
• Discuss Adaptive Security Algorithm (ASA) and ASA security levels
• Configure a security appliance for basic network connectivity
• Use appropriate show commands to verify initial configuration
• Explain how to set the clock and synchronize the time on security appliances
• Configure the security appliance to send syslog messages to a syslog server
• Describe how the TCP and UDP protocols function within the security appliance
• Describe how static and dynamic translations function
• Configure the security appliance to permit outbound connections
• Explain the security appliance PAT feature
• Configure and explain the function of ACLs
• Configure and explain the function of NAT 0 ACLs
• Configure active code filtering (ActiveX and Java applets)
• Configure the security appliance for URL filtering
• Describe the object grouping feature of the security appliance and its advantages
• Configure object groups
• Configure nested object groups
• Use object groups in ACLs
• Define authentication, authorization, and accounting
• Describe the differences between authentication, authorization, and accounting
• Name the AAA protocols supported by the security appliance
• Define and configure security appliance access authentication
• Define and configure cut-through proxy authentication
• Define and configure tunnel access authentication
• Define and configure AAA accounting
• Install and configure basic Cisco Secure ACS functions
• Configure a class map
• Configure a policy map
• Configure service policy
• Describe the need for advanced protocol handling
• Describe the inspect command
• Configure protocol inspection
• Describe how the security appliance implements FTP and HTTP protocol inspection
• Describe how the security appliance implements remote shell (rsh), SQL, SMTP, ICMP, and SNMP protocol inspection
• Describe the issues with multimedia applications
• Describe how the security appliance supports multimedia call control and audio sessions
• Identify how the security appliance enables a secure VPN
• Identify the tasks to configure security appliance IPSec support
• Identify the commands to configure security appliance IPSec support
• Configure a VPN between security appliances
• Describe the Easy VPN Server
• Describe the Easy VPN Remote
• Configure the Easy VPN Server
• Configure the Easy VPN Remote using the Cisco VPN Client
• Explain the purpose of WebVPN
• Describe the WebVPN end-user interface
• Configure WebVPN general parameters
• Configure WebVPN servers and URLs
• Configure WebVPN port forwarding
• Define e-mail proxy servers
• Configure WebVPN content filters and ACLs
• Explain the purpose of transparent firewall mode
• Enable transparent firewall mode
• Monitor and maintain transparent firewall mode
• Explain the purpose of security contexts
• Enable and disable multiple context mode
• Configure a security context
• Manage a security context
• Describe the difference between hardware and stateful failover
• Describe the difference between active/standby and active/active failover
• Define the security appliance hardware failover requirements
• Describe how active/standby failover works
• Explain the security appliance roles of primary, secondary, active, and standby
• Describe how active/standby failover works
• Configure active/standby cable-based and LAN-based failover
• Configure active/active failover
• Install ASDM and use it to configure the security appliance
• Use ASDM to monitor the security appliance
• Compare and contrast promiscuous and in-line modes
• Explain the steps necessary to load software on an AIP-SSM
• Configure the AIP-SSM setup parameters
• Configure a security policy on an ASA security appliance using ASDM
• Configure Telnet access to the security appliance console
• Configure SSH access to the security appliance console
• Configure command authorization
• Recover the security appliance passwords using general password recovery procedures
• Use TFTP to install and upgrade the software image on the security appliance

Course Outline

• Course Introduction
• Cisco Security Appliance Technology and Features
• Cisco PIX Security Appliance and ASA Adaptive Security Appliance Families
• Getting Started with Cisco Security Appliances
• Translations and Connections
• Access Control Lists and Content Filtering
• Object Grouping
• Authentication, Authorization, and Accounting
• Switching and Routing
• Modular Policy Framework
• Advanced Protocol Handling
• Virtual Private Network Configuration
• Configuring Security Appliance Remote Access Using Cisco Easy VPN
• Configuring ASA for WebVPN
• Configuring Transparent Firewall
• Configuring Security Contexts
• Failover
• Cisco Security Appliance Device Manager
• AIP-Security Services Module-Getting Started
• Managing Security Appliances
• Configuring PIX Security Appliance Remote Access Using Cisco Easy VPN
• Firewall Services Module
• Labs