
1 Day ASA Workshop Lab Guide Overview

This guide presents the instructions and other information concerning the activities for this course. You can find the solutions in the lab activity Answer Key.

Outline
This guide includes these activities:

Lab 1-1: Prepare to Use Cisco ASDM to Configure the Security Appliance
Lab 2-1: Configure the Security Appliance with Cisco ASDM (Hostname, Interfaces, Syslog, SNMP, Time Settings & PPPoE)
Lab 3-1: Enabling SSH and Telnet Access & Enabling Source IP Anti Spoofing
Lab 4-1: Configure a DMZ to enable access to a public DMZ server
Lab 5-1: Configure Basic SSL VPN functionality
Lab 6-1: Configure a Reverse Access Rule
Lab 8-1: Optional Labs
Lab 9-1: Configure Basic IPS (AIP-SSM) functionality

IP Addressing is based on the SNAF course and may differ by course location:

Outside ASA Interface: 192.168.P.2/24
ASA Default Gateway: 192.168.P.1/24
Outside NAT Address of DMZ Server: 192.168.P.11/24
Outside client PC address: Any IP coming in through the outside
DMZ Server real address: 172.16.P.10/24
DMZ ASA Interface: 172.16.P.1/24
Inside Host (ASDM access): 10.0.P.10/24
Inside ASA Interface: 10.0.P.10/24

The DMZ Server is running an FTP and HTTP server, as well as a protected CIFS service. The Inside Host is running a Syslog Server (such as 3C-Daemon or Kiwi) and Wireshark.

Please visit the following links to download and view useful information:

1 Day ASA 5505 Workshop v1.0

Page 1 of 57

2008 Cisco Systems, Inc

http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html
http://www.cisco.com/en/US/products/ps6120/prod_literature.html
http://www.cisco.com/en/US/products/ps6120/products_data_sheets_list.html
http://www.cisco.com/en/US/products/ps6120/prod_configuration_examples_list.html


Lab 1-1: Prepare to Use Cisco ASDM to Configure the Security Appliance
Complete this lab activity to practice what you learned in the related lesson.

Activity Objective
In this activity, you will prepare to use Cisco ASDM to configure the security appliance. After completing this activity, you will be able to meet these objectives:

Execute general commands
Use the CLI to configure basic network settings
Prepare the security appliance for configuration via Cisco ASDM and launch Cisco ASDM

Visual Objective
The figure illustrates what you will accomplish in this activity.


Task 1: Execute General Commands


In this task, you will familiarize yourself with the general getting started commands. Observe the output of the commands carefully. Pay close attention to the questions that are asked after certain steps. The instructor will provide you with the procedures to access the security appliance console port because these will vary according to your lab connectivity setup. After you access the security appliance console port, the security appliance prompt will appear.

Activity Procedure
Complete these steps:

Step 1 Erase the default configuration of the security appliance. When prompted to confirm, press Enter.
ciscoasa# write erase
Erase configuration in flash memory? [confirm] <Enter>
[OK]

Step 2 Reboot the security appliance. When prompted to confirm, press Enter.
ciscoasa# reload
Proceed with reload? [confirm] <Enter>

Step 3 After the security appliance reboots, it will prompt you to bootstrap it through interactive prompts. Press Ctrl-Z to escape. The unprivileged mode prompt is displayed.
Pre-configure Firewall now through interactive prompts [yes]? <Control+Z>
Type help or '?' for a list of available commands.
ciscoasa>

Step 4 Display the list of help commands.
ciscoasa> ?

Step 5 Enter the privileged mode of the security appliance. When prompted for a password, press Enter.
ciscoasa> enable
Password:
ciscoasa#

Step 6 Display the list of help commands. Press the spacebar on the keyboard to scroll through the list.
ciscoasa# ?


Task 2: Initialize the Security Appliance


In this task, you will prepare the security appliance for configuration via Cisco ASDM. You will first specify which physical interface will be used as the inside interface. You will then use the setup command interactive prompts to configure the basic parameters needed for accessing Cisco ASDM.

Activity Procedure
Complete these steps:

Step 1 Enter configuration mode.
ciscoasa# configure terminal

Step 2 Specify Vlan1 as the inside VLAN and accept the default security level.
ciscoasa(config)# interface vlan1
ciscoasa(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.

Step 3 Assign interface E0/1 to the inside VLAN (vlan1).
ciscoasa(config)# interface e0/1
ciscoasa(config-if)# switchport access vlan 1

Step 4 Return to configuration mode.
ciscoasa(config-if)# exit

Step 5 Enter the setup command to access the setup command interactive prompts.
ciscoasa(config)# setup

Step 6 Press Enter to answer yes when prompted to preconfigure the firewall through interactive prompts.
Pre-configure Firewall now through interactive prompts [yes]? <Enter>

Step 7 Press Enter to accept the default firewall mode, which is routed.
Firewall Mode [Routed]: <Enter>

Step 8 Enter the enable password cisco123.
Enable password [<use current password>]: cisco123

Step 9 Press Enter to answer yes when asked if you want to allow password recovery.
Allow password recovery [yes]? <Enter>

Step 10 Press Enter to accept the year shown in brackets if it is correct. If not, enter the current year.
Clock (UTC):
Year [2008]: <Enter>

Step 11 Press Enter to accept the month shown in brackets if it is correct. If not, enter the current month.
Month [Mar]: <Enter>

Step 12 Press Enter to accept the day shown in brackets if it is correct. If not, enter the current day.
Day [24]: <Enter>

Step 13 Press Enter to accept the time shown in brackets if it is correct. If not, enter the current time in hh:mm:ss format and 24-hour time.
Time [09:48:06]: <Enter>

Step 14 Enter an IP address for the inside interface.
Inside IP address [0.0.0.0]: 10.0.P.1

Step 15 Enter the network mask for the inside interface IP address.
Inside network mask [255.255.255.255]: 255.255.255.0

Step 16 Enter a host name for the security appliance.
Host name [ciscoasa]: asaP

Step 17 Enter a domain name for the security appliance.
Domain name: training.com

Step 18 Enter the IP address of the corporate server, from which you will run Cisco ASDM.
IP address of host running Device Manager: 10.0.P.10

The following configuration will be used:
Enable password: cisco123
Allow password recovery: yes
Clock (UTC): 09:48:06 Mar 24 2008
Firewall Mode: Routed
Inside IP address: 10.0.P.1
Inside network mask: 255.255.255.0
Host name: asaP
Domain name: training.com
IP address of host running Device Manager: 10.0.P.10

Step 19 Enter yes when asked if you want to use this configuration and write it to flash memory.
Use this configuration and write to flash? Yes


Task 3: Launch Cisco ASDM


In this task, you will launch Cisco ASDM.

Activity Procedure
Complete these steps:

Step 1 Verify that the Sun Java SE2 Plug-In 1.4.2, 1.5.0, or 1.6.0 is loaded on the corporate server (the inside host behind the inside interface).

Step 2 Verify that encryption is enabled on the security appliance. What version of ASDM and ASA is in use? ASA? ASDM?
asaP(config)# show version
Cisco Adaptive Security Appliance Software Version 8.0(2)
Device Manager Version 6.0(2)
Compiled on Fri 15-Jun-07 19:29 by builders
System image file is "disk0:/asa802-k8.bin"
Config file at boot was "startup-config"
asa1 up 3 hours 23 mins
Hardware: ASA5520, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz
Internal ATA Compact Flash, 64MB
BIOS Flash AT49LW080 @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : .CN1000-MC-BOOT-2.00
SSL/IKE microcode: .CNLite-MC-SSLm-PLUS-2.01
IPSec microcode : .CNlite-MC-IPSECm-MAIN-2.04
0: Ext: GigabitEthernet0/0 : address is 0013.c482.2e52, irq 9
1: Ext: GigabitEthernet0/1 : address is 0013.c482.2e53, irq 9
2: Ext: GigabitEthernet0/2 : address is 0013.c482.2e54, irq 9
3: Ext: GigabitEthernet0/3 : address is 0013.c482.2e55, irq 9
4: Ext: Management0/0 : address is 0013.c482.2e51, irq 11
5: Int: Internal-Data0/0 : address is 0000.0001.0002, irq 11
6: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 5
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 150
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
VPN Peers : 750
WebVPN Peers : 2
Advanced Endpoint Assessment : Disabled
This platform has an ASA 5520 VPN Plus license.
Serial Number: JMX0944K06T
Running Activation Key: 0x96311f61 0xe8cc56cc 0xe4138530 0x831454e0 0x8d34d9ad
Configuration register is 0x2001
Configuration last modified by enable_15 at 10:00:59.276 UTC Tue Feb 18 2008

Step 3 Verify that the time and date on the security appliance and on the corporate server match. If they do not match, any issued certificates may not be valid.
asaP(config)# show clock
09:03:38:832 UTC Mon Feb 25 2008
Notice that the clock defaults to UTC time. Make sure that the time and time zone match on the security appliance and on the device manager PC. If they do not, the certificate may not be valid.

Step 4 Check the version of Cisco ASDM on the security appliance.
asaP(config)# show version
Cisco Adaptive Security Appliance Software Version 8.2(1)
Device Manager Version 6.2(1)

Step 5 If the show version output does not display Device Manager Version 6.2(1), configure the Cisco ASDM image.
asaP(config)# asdm image disk0:/asdm-621.bin

Step 6 Open the Internet Explorer web browser on the corporate server (the internal host facing the inside interface of the ASA) and delete cookies by completing the following substeps:


1. From the Internet Explorer toolbar, choose Tools > Internet Options. The Internet Options window opens.
2. Click Delete Cookies. The Delete Cookies window opens.
3. Click OK.
4. In the Internet Options window, click OK.

Step 7 Access the Cisco ASDM console by completing the following substeps:
1. In the URL field of the browser window, enter https://10.0.P.1.
2. The Security Alert window opens. Click View Certificate. The Certificate pop-up window opens.
3. Click Install Certificate. The Certificate Import Wizard pop-up window opens.
4. Click Next. The Certificate Import Wizard > Certificate Store panel is displayed.
5. Click Next. The Certificate Import Wizard > Completing the Certificate Import Wizard panel is displayed.
6. Click Finish. The Root Certificate Store pop-up window opens.
Note: If a Security Warning window is displayed, click Yes.
7. Click Yes. The Certificate Import Wizard pop-up window opens.
8. Click OK.
9. Click OK in the Certificate window.
10. Click Yes in the Security Alert window. The Cisco ASDM 6.2 window opens.


11. Click Run ASDM. The Warning - Security pop-up window opens.
12. Click Yes.
13. If another Warning - Security pop-up window is displayed, click Run.
14. The Cisco ASDM Launcher login window is displayed.
15. If a pop-up window is displayed asking if you would like to create a shortcut on your desktop, click No.
16. Enter cisco123 in the Password field.
17. Click OK. Cisco ASDM should load now and display the Home window.

Step 8 Notice that the current security appliance configuration was imported. Examine the configuration by clicking the Configuration icon and then completing the following substeps:
1. Select Device Setup from the navigation pane.
2. Click Interfaces. Notice that the inside interface is configured.
3. Select Device Name/Password. Notice that the host name asaP is displayed in the Hostname field and the domain name training.com is displayed in the Domain Name field of the Device Name/Password configuration pane.
4. Select Device Management from the navigation pane.
5. Expand the Management Access menu.
6. Select ASDM/HTTPS. Notice that IP address 10.0.P.10 is displayed in the list of hosts that are allowed to access the adaptive security appliance using Cisco ASDM.


Lab 2-1: Configure the Security Appliance with Cisco ASDM (Hostname, Interfaces, Syslog, SNMP, Time Settings & PPPoE)
Complete this lab activity to practice what you learned in the related lesson.

Activity Objective
In this activity, you will learn how to configure a security appliance using Cisco ASDM. After completing this activity, you will be able to meet these objectives:

Use Cisco ASDM to configure basic network settings, including interface configurations and the hostname
Use Cisco ASDM to configure logging to a syslog server
Configure basic SNMP functionality

Visual Objective
The figure illustrates what you will accomplish in this activity.


Task 1: Run the Cisco ASDM Startup Wizard


In this task, you will run the Cisco ASDM Startup Wizard.

Activity Procedure
Complete these steps:

Step 1 Choose Wizards > Startup Wizard from the main menu. The Startup Wizard opens, displaying the Starting Point (Step 1 of ...) page.
Step 2 Verify that the Modify Existing Configuration radio button is selected.
Tip: If you chose Reset Configuration to Factory Defaults, you would reset the ASA to its factory default.
Step 3 Click Next. The Basic Configuration (Step 2 of ...) page is displayed.
Step 4 Verify that asaP is displayed in the ASA Host Name field. Change the hostname to ASA-P (where P is your POD number).
Step 5 Verify that training.com appears in the Domain Name field.
Step 6 Click Next. The Interface Selection (Step 3 of ...) page is displayed. Create VLANs for the following:
Inside: vlan1
Dmz: vlan3
Outside: vlan4
Make sure that all VLANs are enabled.
Step 7 Click Next. The Switch Port Allocation (Step 4 of ...) page is displayed. Assign the following ports to the appropriate VLAN:
Inside: vlan1, int E0/1
Dmz: vlan3, int E0/2
Outside: vlan4, int E0/0
Step 8 Click Next. The Interface IP Address Allocation (Step 5 of ...) page is displayed. Assign the following IP addresses to the appropriate VLAN:
Outside: IP 192.168.P.2, Mask 255.255.255.0
Inside: IP 10.0.P.1, Mask 255.255.255.0
Dmz: IP 172.16.P.1, Mask 255.255.255.0
Step 9 In the Static Routes (Step 6 of 10) page, click Next. The DHCP Server (Step 7 of 10) page is displayed. You will not be using DHCP at this time. Do not make any changes to this page.
Step 10 Click Next. The Address Translation (NAT/PAT) (Step 8 of 10) page is displayed.
Step 11 Select the Enable Traffic Through the Firewall Without Address Translation radio button. You will not be using NAT at this time.
Step 12 Click Next. The Administrative Access (Step 9 of 10) page is displayed.
Step 13 Verify the information. Notice that the Enable HTTP Server for HTTPS/ASDM Access check box is selected. The security appliance HTTP server was automatically enabled when you responded to the setup command interactive prompts.
Step 14 For a later lab we also need access to ASDM from the outside interface. Click the Add button and enter the following information.


Step 15 Click the Next button. The Startup Wizard Summary (Step 10 of 10) page is displayed.
Step 16 Verify your configuration, and click the Finish button.


Task 2: Use Cisco ASDM to Configure Logging to a Syslog Server


In this task, you will configure syslog output to a syslog server. The instructor will provide you with the procedure to access a syslog server or host. This will vary according to the type of syslog server used in your classroom environment.
Note: Verify that the syslog server or host is turned on and that the syslog service is installed and started.

Activity Procedure
Complete these steps:

Step 1 Verify that the Configuration button is selected in the Cisco ASDM toolbar.
Step 2 Click Device Management in the navigation pane.
Step 3 Expand the Logging menu.
Step 4 Click Logging Setup. The Logging Setup panel is displayed.
Step 5 Check the Enable Logging check box.
Step 6 Click Apply.
Step 7 Click Syslog Servers in the Logging menu. The Syslog Servers panel is displayed.
Step 8 Click Add. The Add Syslog Server window opens.
Step 9 Choose inside from the Interface drop-down menu.
Step 10 Enter 10.0.P.10, the IP address of the syslog server, in the IP Address field.
Step 11 Click OK. You are returned to the Syslog Servers configuration panel.
Step 12 Click Apply.


Step 13 Click Logging Filters in the Logging menu. The Logging Filters panel is displayed.
Step 14 Click Syslog Servers in the Logging Destination column.
Step 15 Click Edit. The Edit Logging Filters window opens.
Step 16 In the Syslogs from All Event Classes area, click the Filter on Severity radio button.
Step 17 Choose Debugging from the Filter on Severity drop-down list.
Step 18 Click OK.
Step 19 Click Apply.
Step 20 Click Save in the toolbar. The Save Running Configuration to Flash window opens.
Step 21 Click Apply.
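The Filter on Severity setting chosen in Steps 16 and 17 decides which messages reach the syslog server at 10.0.P.10: the ASA forwards every message whose severity number is at or below the chosen level, so Debugging (7) forwards everything. The following is an added example, not code from the lab guide or from Cisco; it applies that rule to a few constructed ASA-format log lines (pod P assumed to be 1) so you can see what a stricter filter would drop.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# ASA severity levels; the lower the number, the more severe, in the order
# ASDM's Filter on Severity list presents them.
SEVERITIES = ["emergencies", "alerts", "critical", "errors", "warnings",
              "notifications", "informational", "debugging"]

# Every ASA syslog message starts with %ASA-<severity>-<six-digit id>:
HEADER = re.compile(r"%ASA-(?P<sev>[0-7])-(?P<msgid>\d{6}): (?P<text>.*)")

# Constructed sample of what the inside syslog server could receive once
# logging is enabled. Addresses follow the lab plan with P=1 (assumption).
SAMPLE_LOG = """\
%ASA-6-302013: Built inbound TCP connection 12 for outside:192.168.1.10/2531 (192.168.1.10/2531) to dmz:172.16.1.10/80 (192.168.1.11/80)
%ASA-4-106023: Deny tcp src outside:192.168.1.10/2531 dst dmz:172.16.1.10/21 by access-group "outside_access_in"
%ASA-5-111008: User 'cisco' executed the 'logging enable' command.
%ASA-7-609001: Built local-host inside:10.0.1.10
%ASA-1-106021: Deny TCP reverse path check from 10.0.1.10 to 192.168.1.11 on interface outside
"""


@dataclass
class AsaMessage:
    severity: int   # 0..7 as carried in the %ASA-<severity>- header
    level: str      # name of that severity, e.g. "warnings"
    msgid: str      # six-digit message id
    text: str


def parse_line(line: str) -> Optional[AsaMessage]:
    """Parse one ASA syslog line; return None for anything that is not one."""
    m = HEADER.search(line)
    if not m:
        return None
    sev = int(m.group("sev"))
    return AsaMessage(sev, SEVERITIES[sev], m.group("msgid"), m.group("text"))


def filter_on_severity(log: str, level: str) -> List[str]:
    """Message ids a 'Filter on Severity: <level>' setting would forward.

    'debugging' (7) forwards everything; 'warnings' (4) forwards only
    warnings and more severe messages (numbers 0 to 4)."""
    threshold = SEVERITIES.index(level.lower())
    kept = []
    for line in log.splitlines():
        msg = parse_line(line)
        if msg and msg.severity <= threshold:
            kept.append(msg.msgid)
    return kept


def severity_counts(log: str) -> Dict[str, int]:
    """Count parsed messages per level name; shows what a filter would drop."""
    counts: Dict[str, int] = {}
    for line in log.splitlines():
        msg = parse_line(line)
        if msg:
            counts[msg.level] = counts.get(msg.level, 0) + 1
    return counts


if __name__ == "__main__":
    print(severity_counts(SAMPLE_LOG))
    for level in ("debugging", "informational", "warnings"):
        print(level, filter_on_severity(SAMPLE_LOG, level))
```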

Task 3: Use Cisco ASDM to Configure Basic SNMP functionality


In this task, you will configure basic SNMP functionality.

Activity Procedure
Complete these steps:

Step 1 Verify that the Configuration button is selected in the Cisco ASDM toolbar.
Step 2 Click Device Management in the navigation pane.
Step 3 Click SNMP.
Step 4 Click Add. The SNMP Access Entry panel is displayed.
Step 5 Enter 10.0.P.10, the IP address of the SNMP server, in the IP Address field.
Step 6 Choose the inside interface as the interface on which to reach the SNMP server.
Step 7 Choose a community string of cisco.
Step 8 Choose SNMP version 2c.
Step 9 Choose UDP port 162 and select the trap and poll options.
Step 10 Click OK.
Step 11 Click Apply, followed by the Send button.

Task 4: Use Cisco ASDM to Configure Time Settings


In this task, you will configure Time Settings.

Activity Procedure
Complete these steps:

Step 1 Verify that the Configuration button is selected in the Cisco ASDM toolbar.
Step 2 Click Device Setup in the navigation pane.
Step 3 Expand the System Time field.
Step 4 Click Clock.
Step 5 Set the Timezone, Date and Time.
Step 6 Click Apply.


Task 5: Use Cisco ASDM to Configure PPPoE


In this task, you will configure PPPoE, BUT NOT APPLY THE CHANGES.

Activity Procedure

Complete these steps:

Step 1 Verify that the Configuration button is selected in the Cisco ASDM toolbar.
Step 2 Click Device Setup in the navigation pane.
Step 3 Choose Interfaces.
Step 4 Select the outside interface and click Edit.
Step 5 Choose Use PPPoE.
Step 6 Enter PPPoE credentials (make up some example usernames and passwords).
Step 7 Click IP Address and Route Settings.
Step 8 Choose Use PPPoE.
Step 9 Choose Obtain default route using PPPoE.
Step 10 Choose Cancel (in the live network you would select OK and Apply).


Lab 3-1: Enabling SSH and Telnet Access & Enabling Source IP Anti Spoofing
Complete this lab activity to practice what you learned in the related lesson.

Activity Objective
In this activity, you will learn how to configure basic security using Cisco ASDM. After completing this activity, you will be able to meet these objectives:

Enabling Telnet Access
Enabling SSH Access
Enabling Source IP Anti Spoofing

Visual Objective
The figure illustrates what you will accomplish in this activity.


Task 1: Enabling Telnet Access


In this task, you will enable telnet access into the ASA.

Activity Procedure
Complete these steps:

Step 1 Verify that the Configuration button is selected in the Cisco ASDM toolbar.
Step 2 Click Device Management > Management Access.
Step 3 Select ASDM/HTTPS/Telnet/SSH.
Step 4 Click Add, then select the Telnet radio button.
Step 5 Select the network / mask from which telnet will be allowed (select your inside interface range and mask).
Step 6 Click OK.
Step 7 Click Apply.
Step 8 Click Send.
Step 9 Verify that the Configuration button is selected in the Cisco ASDM toolbar.
Step 10 Click Device Management in the navigation pane.
Step 11 In the Users/AAA menu choose User Accounts.
Step 12 Select the Add button.
Step 13 Assign username cisco and password cisco123.
Step 14 Choose Full Access and Privilege Level 15.
Step 15 Click OK.
Step 16 In the Users/AAA menu choose AAA.


Step 17 Under the Authentication tab, enable the Server Group LOCAL.
Step 18 Tick the Telnet and SSH boxes.
Step 19 Click Apply.
Step 20 Click OK.
Step 21 Click Send.

Step 22 From the inside host, launch a telnet to the inside IP address of the ASA

Task 2: Enabling SSH Access


In this task, you will enable SSH access into the ASA.

Activity Procedure
Complete these steps:

Step 1 Verify that the Configuration button is selected in the Cisco ASDM toolbar.
Step 2 Click Device Management > Management Access.
Step 3 Select ASDM/HTTPS/Telnet/SSH.
Step 4 Click Add.
Step 5 Select the SSH radio button.
Step 6 Enter the network / mask from which SSH access will be allowed (select your inside interface range and mask).
Step 7 Click OK.
Step 8 Click Apply.
Step 9 Click Send.

Step 10 Using PuTTY to test this SSH connection will fail, as the units do not yet have the necessary RSA keys generated to allow the SSH session to the unit.
Step 11 This can be done either via the CLI (easy) or the GUI (harder to find).
CLI:
ASA-4(config)# crypto key generate rsa general-keys modulus 1024
GUI:
Configuration > Device Management > Certificate Management > Identity Certificates. Click Add, select Add a new identity certificate. Clicking New will generate the key.


Task 3: Enabling Source IP Anti Spoofing


In this task, you will enable Source IP Anti Spoofing functionality.

Activity Procedure
Complete these steps:

Step 1 Verify that the Configuration button is selected in the Cisco ASDM toolbar.
Step 2 Click Firewall in the navigation pane.
Step 3 Expand the Advanced tab.
Step 4 Select Anti Spoofing.
Step 5 Select the outside interface.
Step 6 Select Enable.
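What Step 6 turns on for the outside interface is a reverse-path check: the ASA looks up the source address of each arriving packet in its routing table and drops the packet if the route back to that source does not point out of the interface the packet came in on. The following is an added example, not code from the lab guide or from Cisco; it models that decision against the lab's routing table with pod P assumed to be 1, and also shows the same check extended to the inside interface.

```python
import ipaddress
from typing import List, Optional, Tuple

# Routing table as (prefix, egress interface), built from the lab addressing
# plan with P=1 (assumption). The default route mirrors the lab's ASA Default
# Gateway 192.168.1.1, which sits on the outside interface.
ROUTES = [
    (ipaddress.ip_network("10.0.1.0/24"), "inside"),
    (ipaddress.ip_network("172.16.1.0/24"), "dmz"),
    (ipaddress.ip_network("192.168.1.0/24"), "outside"),
    (ipaddress.ip_network("0.0.0.0/0"), "outside"),
]

# Constructed packets as (ingress interface, source, destination).
SAMPLE_PACKETS = [
    ("outside", "203.0.113.7", "192.168.1.11"),   # internet client to the DMZ server
    ("outside", "10.0.1.10", "192.168.1.11"),     # inside address arriving from outside
    ("outside", "172.16.1.10", "192.168.1.2"),    # DMZ address arriving from outside
    ("inside", "10.0.1.10", "203.0.113.7"),       # normal outbound traffic
]


def lookup(addr: str, routes=ROUTES) -> Optional[str]:
    """Longest-prefix match: the interface the ASA would use to reach addr."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, iface in routes:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def reverse_path_check(ingress: str, src: str, urpf_interfaces=("outside",),
                       routes=ROUTES) -> Tuple[bool, str]:
    """Return (allowed, reason) for a packet with source src arriving on ingress.

    The check only applies on interfaces where Anti Spoofing is enabled; the
    lab enables it on outside only, so that is the default here."""
    if ingress not in urpf_interfaces:
        return True, "anti-spoofing not enabled on %s" % ingress
    back = lookup(src, routes)
    if back is None:
        return False, "no route back to %s" % src
    if back != ingress:
        return False, "reverse path to %s is via %s, not %s" % (src, back, ingress)
    return True, "reverse path to %s is via %s" % (src, ingress)


def spoofed_packets(packets, urpf_interfaces=("outside",), routes=ROUTES) -> List[str]:
    """Describe every packet in packets that the check would drop."""
    dropped = []
    for ingress, src, dst in packets:
        ok, reason = reverse_path_check(ingress, src, urpf_interfaces, routes)
        if not ok:
            dropped.append("drop %s -> %s on %s: %s" % (src, dst, ingress, reason))
    return dropped


if __name__ == "__main__":
    for line in spoofed_packets(SAMPLE_PACKETS):
        print(line)
```

Because the default route points out of outside, any source that is not one of the three lab networks passes the check on outside; only addresses belonging to inside or dmz are rejected there.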


Lab 4-1: Configure a DMZ to enable access to a public DMZ server


Complete this lab activity to practice what you learned in the related lesson. At this point your laptop needs to move from the inside interface to the outside. Re-IP your laptop to 192.168.P.10.

Activity Objective
In this activity, you will learn how to configure access to a server in the DMZ using Cisco ASDM. After completing this activity, you will be able to meet these objectives:

Configuring a static NAT rule
Configuring an ACL rule to allow access to the DMZ from the outside

Visual Objective
The figure illustrates what you will accomplish in this activity.


Task 1: Configuring a static NAT rule


In this task, you will configure static translations for the bastion host.

Activity Procedure
Complete these steps:

Step 1 In the NAT Rules panel, click Add.
Step 2 Choose Add Static NAT Rule from the Add menu. The Add Static NAT Rule window opens.
Step 3 Choose dmz from the Interface drop-down list in the Original area.
Step 4 Enter 172.16.P.10 in the Source field of the Original area.
Step 5 Choose outside from the Interface drop-down list in the Translated area.
Step 6 Verify that the Use IP Address radio button is selected, and enter 192.168.P.11 in the corresponding field.
Step 7 Click OK.
Step 8 Click Apply in the NAT Rules panel.
Step 9 Use the Save button in the Cisco ASDM toolbar to save your configuration to flash memory.
Step 10 Complete the following substeps to test the functionality of the static translations you created:
1. From the Windows command line of the remote office server, attempt to establish an FTP session to the bastion host. You should be unable to access the bastion host via FTP without configuring an ACL to permit the inbound FTP traffic to the bastion host.
C:\> ftp 192.168.P.11
2. Open a web browser on the remote office server to test web access to the bastion host. Enter http://192.168.P.11. You should be unable to access the bastion host via its static mapping without configuring an ACL to permit the inbound HTTP traffic to the bastion host.

Task 2: Configure Inbound Access Rules on the Security Appliance


In this task, you will configure inbound access rules on the outside interface to perform these functions:

Allow inbound web traffic from the outside network to the bastion host
Allow inbound FTP traffic from the outside network to the bastion host

Activity Procedure
Complete these steps:

Step 1 Use the capture command to capture packets on the outside interface so that you can later view detailed information about packets and how they are processed by the security appliance.
asaP(config)# capture OUTSIDE_CAP interface outside trace buffer 1534

Step 2 Open a web browser on the remote office server to test web access to the bastion server. Enter http://192.168.P.11. You should be unable to access the bastion host via its static mapping without configuring an ACL to permit the inbound HTTP traffic to the bastion host.

Step 3 Display information about the packets that you captured on the outside interface.
asaP(config)# show capture OUTSIDE_CAP
2 packets captured
1: 07:08:33.715584 172.26.26.50.2531 > 192.168.P.11.80: S 2401680706:2401680706(0) win 64512 <mss 1260,nop,nop,sackOK>


2: 07:08:39.732277 172.26.26.50.2531 > 192.168.P.11.80: S 2401680706:2401680706(0) win 64512 <mss 1260,nop,nop,sackOK>
2 packets shown

Step 4 Use the packet tracer to view the cause of your denied HTTP request to the bastion host by completing the following substeps. These substeps will enable you to trace an HTTP packet that is attempting to travel through the outside interface from the remote office server to the bastion server. This will also enable you to observe the lifespan of an HTTP packet through the security appliance.
1. Return to the Cisco ASDM session.
2. Click the Tools option in the Cisco ASDM menu bar.
3. Choose Packet Tracer. The Cisco ASDM Packet Tracer window opens.
4. Choose outside from the Interface drop-down list.
5. Verify that the TCP radio button is selected.
6. Enter 192.168.P.10 in the Source IP Address field.
7. Enter 1025 in the Source Port field.
8. Enter 192.168.P.11 in the Destination IP Address field.
9. Enter 80 in the Destination Port field.
10. Verify that the Show Animation check box is checked.
11. Click Start.
12. Expand the CAPTURE item in the Packet Tracer Phase panel. You should see the following information:
Type: CAPTURE
Action: ALLOW


Info: MAC Access list

13. Expand ACCESS LIST. You should see the following information:
Type: ACCESS-LIST
Action: ALLOW
Config: Implicit Rule
Info: MAC Access list

14. Expand FLOW-LOOKUP. You should see the following information:
Type: FLOW-LOOKUP
Action: ALLOW
Info: Found no matching flow, creating a new flow

15. Expand UN-NAT. You should see the following information:
Type: UN-NAT
Subtype: Static
Action: ALLOW
Config: static (inside,outside) 192.168.P.11 insidehost netmask 255.255.255.255
nat-control
match ip inside host insidehost outside any
static translation to 192.168.P.11
translate_hits = 0, untranslate_hits = 3
Info: NAT divert to egress interface inside
Untranslate 192.168.P.11/0 to insidehost/0 using netmask 255.255.255.255

16. Expand ACCESS-LIST. You should see the following information:
Type: ACCESS-LIST
Action: DROP
Config: Implicit Rule

17. Expand RESULT - The packet is dropped. You should see the following information:
Info: (acl-drop) Flow is denied by configured rule.


18. Expand the second instance of ACCESS-LIST again.
19. Click Show Rule in Access Rule Table. Cisco ASDM displays the Access Rules table with the rule that denied the HTTP request highlighted.

Step 5 Complete the following substeps to create an ACL to permit inbound web access from the 192.168.P.0 network to the bastion host.
1. Click Access Rules in the Firewall menu within the navigation pane.
2. Click Add in the Access Rules panel.
3. Choose Add Access Rule. The Add Access Rule window opens.
4. Choose outside from the Interface drop-down list.
5. Verify that the Permit radio button is selected.
6. Enter 192.168.P.0/24 in the Source field.
7. Enter 192.168.P.11 in the Destination field.
8. Enter tcp/http in the Service field.
9. Click OK.

Step 6 Complete the following substeps to create an access rule to permit inbound FTP access from the 192.168.P.0 network to the bastion host.
1. Click Add in the Access Rules panel.
2. Choose Add Access Rule. The Add Access Rule window opens.
3. Choose outside from the Interface drop-down list.


4. Verify that the Permit radio button is selected.
5. Enter 192.168.P.0/24 in the Source field.
6. Enter 192.168.P.11 in the Destination field.
7. Enter tcp/ftp in the Service field.
8. Click OK.
9. From the Windows command line on the remote office server, establish an FTP session to the bastion host. You have reached the bastion host if you receive the Connected to 192.168.P.11 message. You should now be able to access the bastion host.
C:\> ftp 192.168.P.11
10. Use the web browser on the remote office server to access the bastion host. You should now be able to access the bastion host. Enter http://192.168.P.11.
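The packet tracer phases in Step 4 (UN-NAT followed by ACCESS-LIST with the implicit deny) and the rules added in Steps 5 and 6 fit together as follows: the static translation only picks the real host and egress interface, and the access rule on the outside interface, written against the mapped address 192.168.P.11 as in this release, decides whether the flow is built. The following is an added example, not code from the lab guide or from Cisco; it models those two phases for the lab's objects with pod P assumed to be 1, producing a trace before and after the Task 2 rules exist.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

# Service names accepted in the lab's Service field (tcp/http, tcp/ftp).
SERVICES = {"http": 80, "ftp": 21}


@dataclass
class StaticNat:
    real_if: str     # interface of the real host (the lab's dmz)
    mapped_if: str   # interface where the mapped address is visible (outside)
    real_ip: str
    mapped_ip: str


@dataclass
class AccessRule:
    interface: str   # interface the rule is applied to, inbound
    action: str      # "permit" or "deny"
    source: str      # network in CIDR form
    destination: str # host address or CIDR
    service: str     # e.g. "tcp/http"; the port part may be a name or a number

    def matches(self, src: str, dst: str, proto: str, dport: int) -> bool:
        sproto, _, sport = self.service.partition("/")
        port = SERVICES.get(sport, sport)
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.source, strict=False)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.destination, strict=False)
                and sproto == proto
                and (port == "any" or int(port) == dport))


@dataclass
class Packet:
    ingress: str
    src: str
    dst: str         # destination as seen on the wire, i.e. the mapped address
    proto: str = "tcp"
    dport: int = 80


@dataclass
class Trace:
    phases: List[str] = field(default_factory=list)
    egress: Optional[str] = None
    real_dst: Optional[str] = None

    @property
    def allowed(self) -> bool:
        return self.phases[-1].startswith("RESULT: ALLOW")


def packet_trace(pkt: Packet, nats: List[StaticNat], rules: List[AccessRule]) -> Trace:
    """Model the FLOW-LOOKUP, UN-NAT and ACCESS-LIST phases for an inbound packet."""
    t = Trace()
    t.phases.append("FLOW-LOOKUP: ALLOW (found no matching flow, creating a new flow)")
    # UN-NAT: a static translation whose mapped address equals the destination
    # selects the egress interface and the real destination.
    for n in nats:
        if n.mapped_if == pkt.ingress and n.mapped_ip == pkt.dst:
            t.egress, t.real_dst = n.real_if, n.real_ip
            t.phases.append("UN-NAT: ALLOW static (%s,%s) %s -> %s, divert to %s"
                            % (n.real_if, n.mapped_if, n.mapped_ip, n.real_ip, n.real_if))
            break
    else:
        t.phases.append("UN-NAT: no static translation for %s" % pkt.dst)
    # ACCESS-LIST on the ingress interface: first matching rule wins; rules on
    # outside name the mapped address (as in the lab), so match on pkt.dst.
    for r in rules:
        if r.interface == pkt.ingress and r.matches(pkt.src, pkt.dst, pkt.proto, pkt.dport):
            t.phases.append("ACCESS-LIST: %s (%s %s -> %s %s)"
                            % (r.action.upper(), r.action, r.source, r.destination, r.service))
            t.phases.append("RESULT: ALLOW" if r.action == "permit"
                            else "RESULT: DROP (acl-drop) Flow is denied by configured rule.")
            return t
    t.phases.append("ACCESS-LIST: DROP (Implicit Rule)")
    t.phases.append("RESULT: DROP (acl-drop) Flow is denied by configured rule.")
    return t


# Lab 4-1 objects with P=1 (assumption): DMZ server 172.16.1.10 mapped to 192.168.1.11.
LAB_NAT = [StaticNat("dmz", "outside", "172.16.1.10", "192.168.1.11")]
LAB_RULES_TASK2 = [
    AccessRule("outside", "permit", "192.168.1.0/24", "192.168.1.11", "tcp/http"),
    AccessRule("outside", "permit", "192.168.1.0/24", "192.168.1.11", "tcp/ftp"),
]
HTTP_FROM_REMOTE = Packet("outside", "192.168.1.10", "192.168.1.11", "tcp", 80)

if __name__ == "__main__":
    for label, rules in (("before Task 2", []), ("after Task 2", LAB_RULES_TASK2)):
        print(label)
        for phase in packet_trace(HTTP_FROM_REMOTE, LAB_NAT, rules).phases:
            print("  " + phase)
```

Note that the two permit rules only cover tcp/http and tcp/ftp from 192.168.P.0/24; any other port, or a source outside that network, still falls through to the implicit deny.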


Lab 5-1: Configure the Security Appliance to Provide Secure Clientless SSL VPN Connectivity
Complete this lab activity to practice what you learned in the related lesson.

Activity Objective
In this activity, you will implement Clientless SSL VPN (WebVPN) on the Cisco ASA security appliance. After completing this activity, you will be able to meet these objectives:

Use Cisco ASDM to configure the security appliance for basic SSL VPN services
Use Cisco ASDM to configure users and groups for SSL VPN services
Test and verify security appliance SSL VPN connectivity

Scenario

Your company wants to implement remote access using remotely located PCs that terminate at a centrally located Cisco ASA security appliance, without using any client software. You must configure the security appliance for remote access using the WebVPN feature set.

Visual Objective
The figure illustrates what you will accomplish in this activity.

1 Day ASA 5505 Workshop v1.0

Page 33 of 57

2008 Cisco Systems, Inc

1 Day ASA 5505 Workshop v1.0

Page 34 of 57

2008 Cisco Systems, Inc

Task 1: Use the SSL VPN Wizard to Configure a Secure SSL VPN
In this task, you will use the SSL VPN Wizard in Cisco ASDM to configure the corporate adaptive security appliance for SSL VPN connections.

Activity Procedure
Complete these steps:
Step 1 Return to your Cisco ASDM session on the inside server.
Step 2 Click Wizards in the Cisco ASDM menu bar.
Step 3 Choose SSL VPN Wizard. The SSL VPN Connection Type page of the wizard is displayed.
Step 4 Verify that the Clientless SSL VPN Access check box is checked.
Step 5 Click Next. The SSL VPN Interface page is displayed.
Step 6 Complete the following substeps to configure a connection profile name and specify the interface that users will access for SSL VPN connections:
1. Enter AUSTIN in the Connection Name field.
2. Verify that outside is displayed in the SSL VPN Interface drop-down list. If it is not, choose outside from the drop-down list.
3. Click Next. The User Authentication page is displayed.
Step 7 Complete the following substeps to configure authentication for the SSL VPN:
1. Select the Authenticate Using the Local User Database radio button.
2. Enter cisco in the Username field.
3. Enter cisco in the Password field.

1 Day ASA 5505 Workshop v1.0

Page 35 of 57

2008 Cisco Systems, Inc

4. Enter cisco in the Confirm Password field.
5. Click Add. The user name is displayed in the field to the right of the Add button.
6. Click Next. The Group Policy page is displayed.
Step 8 Complete the following substeps to create a group policy to group attributes that are common to specific groups of users:
1. Verify that the Create a New Group Policy radio button is selected. If it is not, select it.
2. Enter FIRSTGROUP in the corresponding field.
3. Click Next. The Clientless Connections Only - Bookmark List page is displayed.
Step 9 Complete the following substeps to create a bookmark list for the SSL VPN end-user portal:
1. Click Manage. The Configure GUI Customization Objects window opens.
2. Click Add. The Add Bookmark List window opens.
3. Enter URLs in the Bookmark List Name field.
4. Click Add. The Add Bookmark Entry window opens.
5. Enter INTRANET in the Bookmark Title field.
6. Choose http from the URL Value drop-down list to add a file-sharing bookmark.
7. In the corresponding URL field, enter 172.16.P.10/inside.htm.
8. Click OK.

1 Day ASA 5505 Workshop v1.0

Page 36 of 57

2008 Cisco Systems, Inc

9. Click OK in the Add Bookmark List window.
10. Click OK in the Configure GUI Customization Objects window. The bookmark list name URLs is displayed in the Bookmark List field on the Clientless Connections Only - Bookmark List page.
11. Click Next. The Summary page is displayed.
Step 10 Review your configuration in the Summary page. If you are satisfied with the configuration, click Finish to apply the changes to the adaptive security appliance.
Step 11 Click the Save button in the Cisco ASDM toolbar.
Step 12 Complete the following substeps to verify that user cisco is configured to inherit settings from the FIRSTGROUP group policy:
1. Click the Configuration button in the Cisco ASDM toolbar.
2. Click Device Management in the navigation pane.
3. Expand the Users/AAA menu.
4. Click User Accounts. The User Accounts panel is displayed.
5. In the user accounts table, verify that VPN group policy FIRSTGROUP is assigned to user cisco.
Step 13 Minimize the Cisco ASDM window.

Task 2: Test Your SSL VPN


In this task, you will test and verify your SSL VPN.

Activity Procedure
Complete these steps:

Step 1 Open a web browser on the remote office server.
Step 2 Enter https://192.168.P.2 to access the outside interface of the corporate adaptive security appliance, which you configured to accept Clientless SSL VPN connections. A Security Alert window opens.
Step 3 Click Yes.
Step 4 Log in to the SSL VPN service with the username cisco and the password cisco. The SSL VPN Service window displays the Home page.
Step 5 Complete the following substeps to test the file-sharing bookmark you created with the SSL VPN Wizard:
1. Click the INTRANET link under File Bookmarks.
2. Select the URL to test the link.

1 Day ASA 5505 Workshop v1.0

Page 39 of 57

2008 Cisco Systems, Inc

Lab 6-1: Configure a Reverse Access Rule


Complete this lab activity to practice what you learned in the related lesson.

Activity Objective
In this activity, you will configure a Reverse Access Rule on the Cisco ASA security appliance. After completing this activity, you will be able to meet these objectives:
- Use the Cisco ASDM Real-Time Log Viewer to determine why a connection from the outside world to port 23 (Telnet) on the DMZ server is blocked
- Use the Cisco ASDM Real-Time Log Viewer to create a Reverse Access Rule
- Test and verify security appliance connectivity after the new rule is in place

Visual Objective
The figure illustrates what you will accomplish in this activity.


Task 1: Use the ASDM Real-Time Log Viewer to Determine Why Telnet Access from an Outside Machine to the DMZ Server Is Denied
In this task, you will use the Cisco ASDM Real Time Log Viewer to determine why a telnet connection to the DMZ is denied.

Activity Procedure
Complete these steps:
Step 1 Return to your Cisco ASDM session on the inside server.
Step 2 Click Monitoring > Logging in the Cisco ASDM menu bar.
Step 3 Choose View. The Real-Time Log Viewer is displayed.
Step 4 Verify that the Resume box is clicked.
Step 5 Go to the outside machine (the IP address will be given to you) and follow these steps:
1. Telnet to 192.168.P.11 from a CMD.exe window.
2. The connection will be unsuccessful.
3. Return to the ASDM Real-Time Log Viewer.
Step 6 You will see the log event related to your unsuccessful Telnet attempt.

Task 2: Create a Reverse Access Rule


In this task, you will create a reverse Access Rule.

Activity Procedure
Complete these steps:
Step 1 Right-click the log event that indicated the blocked Telnet attempt.
Step 2 Select Create Reverse Access Rule.
Step 3 Leave the values in the pop-up window untouched.
Step 4 Enter a description of Reverse Access Rule for Telnet in the Description field.
Step 5 Delete the Source Service entry (a subsequent connection destined for port 23 will use a different source port than the one recorded in the captured session).
Step 6 Click OK.
Step 7 Click Apply.
Step 8 Click Send.
Step 9 Go to the outside machine (the IP address will be given to you) and follow these steps:
1. Telnet to 192.168.P.11 from a CMD.exe window.
2. The connection will be successful.
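The following Python script is an added example and is not part of the Cisco lab guide. It models the access rules built in Lab 4-1 (Steps 5 and 6) together with the reverse access rule of this task, and evaluates sample connections against them the way the appliance does: first match wins, with an implicit deny at the end. It also shows concretely why Step 5 deletes the Source Service entry. Assumptions not taken from the page: pod number P = 1, the ACL name "outside_access_in", the sample %ASA-4-106023 deny message (constructed in the format of that syslog ID), and that the reverse rule is host-to-host.

```python
"""Added example, not code from the Cisco lab guide: ASA access-rule
evaluation (first match wins, implicit deny) and the reverse access rule
derived from a 106023 deny message.  P = 1, ACL name and log line are
constructed, reverse rule assumed host-to-host."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional


def net(text: str) -> ipaddress.IPv4Network:
    """Parse '192.168.1.0/24' or a bare host address into a network."""
    return ipaddress.ip_network(text, strict=False)


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    proto: str                       # "tcp", "udp" or "ip"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dst_port: Optional[int]          # None = any
    src_port: Optional[int] = None   # None = any (the normal case)


def lookup(rules: List[Rule], proto: str, src_ip: str, src_port: int,
           dst_ip: str, dst_port: int) -> str:
    """Return the action of the first matching rule; implicit deny otherwise."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if r.proto not in ("ip", proto) or s not in r.src or d not in r.dst:
            continue
        if r.dst_port is not None and r.dst_port != dst_port:
            continue
        if r.src_port is not None and r.src_port != src_port:
            continue
        return r.action
    return "deny"


# Rules created in Lab 4-1 Steps 5 and 6 (P = 1), in table order.
OUTSIDE_ACCESS_IN: List[Rule] = [
    Rule("permit", "tcp", net("192.168.1.0/24"), net("192.168.1.11"), 80),
    Rule("permit", "tcp", net("192.168.1.0/24"), net("192.168.1.11"), 21),
]

# Constructed deny message of the kind the Real-Time Log Viewer shows in
# Task 1 Step 6 (syslog ID 106023 is the ACL-deny message).
DENY_LOG = ('%ASA-4-106023: Deny tcp src outside:192.168.1.50/51234 '
            'dst dmz:192.168.1.11/23 by access-group "outside_access_in"')

LOG_RE = re.compile(
    r'Deny (?P<proto>\w+) src [\w-]+:(?P<sip>[\d.]+)/(?P<sport>\d+) '
    r'dst [\w-]+:(?P<dip>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"')


def reverse_rule(log_line: str, keep_source_port: bool = False) -> Rule:
    """Build the permit rule that reverses a 106023 deny, as ASDM's Create
    Reverse Access Rule does.  The source port is dropped unless
    keep_source_port is set (Task 2 Step 5 deletes it)."""
    m = LOG_RE.search(log_line)
    if m is None:
        raise ValueError("not an ACL deny (106023) message")
    return Rule("permit", m["proto"], net(m["sip"]), net(m["dip"]),
                int(m["dport"]), int(m["sport"]) if keep_source_port else None)


def demo() -> dict:
    """Evaluate the lab's test connections before and after the reverse rule."""
    before = OUTSIDE_ACCESS_IN
    good = before + [reverse_rule(DENY_LOG)]                        # Step 5 done
    bad = before + [reverse_rule(DENY_LOG, keep_source_port=True)]  # Step 5 skipped
    return {
        "http": lookup(before, "tcp", "192.168.1.50", 40000, "192.168.1.11", 80),
        "ftp": lookup(before, "tcp", "192.168.1.50", 40001, "192.168.1.11", 21),
        "telnet_before": lookup(before, "tcp", "192.168.1.50", 51234, "192.168.1.11", 23),
        # A second Telnet session picks a new ephemeral source port.
        "telnet_after": lookup(good, "tcp", "192.168.1.50", 51235, "192.168.1.11", 23),
        "telnet_after_with_source_port": lookup(bad, "tcp", "192.168.1.50", 51235, "192.168.1.11", 23),
        # The reverse rule is host-specific: another outside host is still denied.
        "telnet_other_host": lookup(good, "tcp", "192.168.1.51", 51235, "192.168.1.11", 23),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:32s} {verdict}")
```

Keeping the source port turns the reverse rule into a one-shot permit that matches only the already-failed session, which is why the second Telnet attempt succeeds only once that entry is removed; the rule remains limited to the one outside host that appeared in the log.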


Lab 7-1: Optional Labs


Complete this lab activity to practice what you learned in the related lesson.

Activity Objective
In this activity, you will perform a couple of additional lab exercises. After completing this activity, you will be able to meet these objectives:
- Use the Cisco ASDM Packet Capture functionality
- Enable the EIGRP routing process on the ASA firewall
- Enable application inspection for FTP

Visual Objective
The figure illustrates what you will accomplish in this activity.


Task 1: Packet Capture


In this task, you will use the Cisco ASDM Packet Capture Functionality to capture packet flows.

Activity Procedure
Complete these steps:
Step 1 Return to your Cisco ASDM session on the inside server.
Step 2 Go to Tools -> Preferences.
Step 3 Ensure that the Wireshark path matches the installation path on the inside machine from which you launched ASDM.
Step 4 Click OK.
Step 5 Go to Wizards -> Packet Capture Wizard.
Step 6 Click Next.
Step 7 Choose 0.0.0.0 0.0.0.0 (any/any) for the source and destination networks.
Step 8 Choose the inside interface to capture packets on.
Step 9 Choose protocol tcp for all services.
Step 10 Click Next.
Step 11 Click Next (default outbound services).
Step 12 Click Next (default packet sizes).
Step 13 Click Next (verify the entries that are being used).
Step 14 Click Start.
Step 15 Wait 5 seconds.
Step 16 Click Stop.
Step 17 Click Get Packet Capture to review the captured packets.


Task 2: Preparing the ASA for EIGRP Routing


In this task, you will configure the EIGRP routing on the ASA.

Activity Procedure
Complete these steps:
Step 1 Go to Configuration -> Device Setup.
Step 2 Expand the Routing tab.
Step 3 Expand the EIGRP routing tab.
Step 4 Go to Setup.
Step 5 Tick Enable this EIGRP process.
Step 6 Enter 100 for the EIGRP AS number.
Step 7 Click Apply.
Step 8 Click Send.
Step 9 Choose the Networks tab.
Step 10 Click Add.
Step 11 Enter 10.0.0.0 in the network field.
Step 12 Choose 255.255.255.0 in the network mask field.
Step 13 Click OK.
Step 14 Click Apply.
Step 15 Click Send.


Task 3: Enabling application inspection for FTP


In this task, you will configure FTP application inspection on the ASA.

Activity Procedure
Complete these steps:
Step 1 Go to Configuration -> Firewall -> Objects -> Class Maps -> FTP.
Step 2 Click Add.
Step 3 Enter ftp_class_map in the Name field.
Step 4 Select Match Any.
Step 5 Click Add.
Step 6 Choose Request-Command as the match criterion.
Step 7 Tick the Put option.
Step 8 Click OK.
Step 9 Click Apply.
Step 10 Click Send.
Step 11 Go to Configuration -> Firewall -> Objects -> Inspect Maps -> FTP.
Step 12 Click Add.
Step 13 Enter ftp_inspect in the Name field.
Step 14 Click Apply.
Step 15 Click Details.
Step 16 Click the Inspections tab.
Step 17 Click Add.
Step 18 Tick Multiple Matches.
Step 19 Choose the previously created traffic class ftp_class_map.
Step 20 Click OK.
Step 21 Click OK.
Step 22 Click Apply.
Step 23 Click Send.
Step 24 Go to Firewall -> Service Policy Rules in the left navigation pane.
Step 25 Click Add.
Step 26 Tick the Interface button and select the inside interface.
Step 27 For the Policy Name, enter ftp_policy.
Step 28 Click Next.
Step 29 Select the Create a New Traffic Class button.
Step 30 Name the traffic class ftp-class.
Step 31 Tick the Default Inspection Traffic box.
Step 32 Click Next.
Step 33 Click Next.
Step 34 Select FTP.
Step 35 Select Configure.
Step 36 Select Use Strict FTP.
Step 37 Tick Select a FTP Inspect Map.
Step 38 Click OK.
Step 39 Click Finish.
Step 40 Click Apply.
Step 41 Click Send.
Step 42 Open an FTP session from the CMD window of the inside machine to the DMZ FTP server, try to upload a file, and observe the results.
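The Python script below is an added example and is not code from the Cisco lab guide or from the ASA itself. It is a small model of what the inspection built in this task does to the FTP control channel, so that the result of Step 42 is predictable before you run it: the class map ftp_class_map matches the put request-command, and a matching command resets the connection. Assumptions not stated on the page: the mapping of ASA request-command keywords to RFC 959 verbs listed in the code (put = STOR, get = RETR, and so on), that a class-map match results in a reset, and that strict mode is represented only by rejecting more than one command in a single control-channel segment (embedded commands). The FTP session is constructed.

```python
"""Added example, not code from the Cisco lab guide: a model of the FTP
inspect map from Task 3 (class map matching request-command put, reset on
match, strict rejection of embedded commands).  Verb mapping, reset
action and the strict check are assumptions; the session is constructed."""
from typing import List, Tuple

# Assumed mapping of ASA 'match request-command' keywords to FTP verbs.
REQUEST_COMMAND_VERBS = {
    "appe": "APPE", "cdup": "CDUP", "dele": "DELE", "get": "RETR",
    "help": "HELP", "mkd": "MKD", "put": "STOR", "rmd": "RMD",
    "rnfr": "RNFR", "rnto": "RNTO", "site": "SITE", "stou": "STOU",
}


class FtpInspector:
    """Inspects client-to-server control-channel segments one at a time."""

    def __init__(self, match_any: List[str]):
        # ftp_class_map: Match Any of the listed request-commands.
        self.reset_verbs = {REQUEST_COMMAND_VERBS[k] for k in match_any}
        self.reset = False

    def inspect(self, segment: bytes) -> Tuple[str, str]:
        """Return (verb, verdict) for one control-channel segment."""
        if self.reset:
            return ("", "dropped: connection already reset")
        lines = segment.split(b"\r\n")
        # A proper command is 'VERB [args]\r\n'; split() leaves a trailing ''.
        # Anything else is either unterminated or carries an embedded command.
        if len(lines) != 2 or lines[1] != b"":
            self.reset = True
            return ("", "reset: embedded or unterminated command (strict)")
        verb = lines[0].split(b" ", 1)[0].decode("ascii", "replace").upper()
        if verb in self.reset_verbs:
            self.reset = True
            return (verb, "reset: matched request-command")
        return (verb, "forwarded")


def simulate_upload_attempt() -> List[Tuple[str, str]]:
    """Step 42: a client logs in, downloads, then tries to upload (STOR)."""
    session = [
        b"USER anonymous\r\n",
        b"PASS guest@example.invalid\r\n",
        b"PWD\r\n",
        b"RETR readme.txt\r\n",
        b"STOR report.txt\r\n",       # the upload: matches 'put'
        b"QUIT\r\n",                  # never reaches the server
    ]
    inspector = FtpInspector(match_any=["put"])
    return [inspector.inspect(seg) for seg in session]


def simulate_embedded_command() -> Tuple[str, str]:
    """Two commands in one segment are rejected under strict inspection."""
    inspector = FtpInspector(match_any=["put"])
    return inspector.inspect(b"PWD\r\nSTOR x\r\n")


if __name__ == "__main__":
    for verb, verdict in simulate_upload_attempt():
        print(f"{verb:5s} {verdict}")
    print(simulate_embedded_command())
```

Downloads and directory listings pass, the first STOR tears the session down, and anything the client sends afterwards is discarded, which is what you should see from the CMD window in Step 42 when the upload fails.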


Lab 8-1: Initializing the Cisco ASA AIP SSM


Complete this lab activity to practice what you learned in the related lesson. Please verify the IP addressing with your instructor.

Activity Objective
In this activity, you will load and initialize Cisco IPS software on the Cisco ASA AIP SSM. After completing this activity, you will be able to meet these objectives:
- Verify the Cisco ASA AIP SSM
- Load the Cisco IPS recovery software on the Cisco ASA AIP SSM
- Configure the Cisco ASA AIP SSM setup parameters
- Configure a Cisco IPS security policy on the security appliance
- Verify the Cisco IPS security policy

Visual Objective
The figure illustrates what you will accomplish in this activity.


Task 1: Verify the Cisco ASA AIP SSM


In this task, you will view the Cisco ASA AIP SSM status.

Activity Procedure
Complete these steps:
Step 1 View the status of both the Cisco ASA security appliance and the Cisco ASA AIP SSM.
asaP# show module
asaP# show module 1 detail
asaP# show module 1 recover

Task 2: Configure the Cisco ASA AIP SSM Setup Parameters


Now you will need to configure the setup parameters. Once the setup parameters are configured, ASDM can connect to the Cisco ASA AIP SSM. In this task, you will configure the Cisco ASA AIP SSM setup parameters.

Activity Procedure
Complete these steps:
Step 1 From the command line, session into the Cisco ASA AIP SSM.
asaP# session 1
Step 2 The first time the administrator initiates a session with the Cisco ASA AIP SSM, the administrator will be prompted to log in. Enter the default login, cisco, and password, cisco.
Login: cisco
Password: cisco
Step 3 After entering the default login and password, the administrator will be prompted to change the password. Enter training as the new password.
You are required to change your password immediately (password aged)
Changing password for cisco
(current) UNIX password: cisco
New password: training
Retype new password: training
.
.
sensor#
Step 4 To access the Cisco ASA AIP SSM via ASDM, the network parameters must be set. To set these parameters, enter setup mode.
sensor# setup
Step 5 To modify the setup configuration, continue with the configuration dialog.
Continue with configuration dialog?[yes]: yes
Step 6 Change the host name to sensorP (where P = pod number).
Enter host name [sensor]: sensorP
Step 7 Change the IP address of the external Cisco ASA AIP SSM interface to the following (to be confirmed by the instructor; P = pod number):
Enter IP interface[10.0.P.201/24,10.0.P.1]: 10.0.P.41/24,10.0.P.1
Step 8 Press Enter for the change telnet-server status prompt, leaving it in the default state of disabled.
Step 9 Press Enter for the web-server port prompt, taking the default port of 443.
Step 10 Add your student PC (inside LAN) to the list of hosts that can gain access to the Cisco ASA AIP SSM through the external interface (where P = pod number).
Modify current access list?[no]: yes
Current access list entries:
  No entries
Permit: 10.0.P.0/24
Permit: <Enter>


Step 11 Press Enter for the remaining entries in the setup menu until you encounter the message The Following Configuration Was Entered. From the display, verify that the host IP address is correct and that the host name was changed to sensorP (where P = pod number).
Step 12 If the changes are correct, save this configuration and exit setup mode.
Exit
[0] Goto command prompt without saving this config.
[1] Return back to setup without saving this config.
[2] Save this configuration and exit setup.
Enter your selection[2]: <Enter>
Configuration saved.
sensor#
Step 13 Verify your configuration, host IP, host name, and ACL.
sensor# show configuration
Step 14 Verify the current user.
sensor# show users
    CLI ID   User    Privilege
*   431      cisco   administrator
Step 15 Exit the Cisco ASA AIP SSM session.
sensor# exit
Remote card closed command session. Press any key to continue.
<Enter>
Command session with slot 1 terminated.
asa1#
Step 16 Verify the path between your student PC (inside LAN) and the Cisco ASA AIP SSM. From your student PC, a ping to the Cisco ASA AIP SSM external interface should be successful.
C:\> ping 10.0.P.41 (where P = pod number)

Task 4: Configure a Cisco IPS Security Policy on the Security Appliance


So far in this lab, you have initialized the Cisco ASA AIP SSM. You have gained access to the module via ASDM. Next, you need to configure a Cisco IPS modular policy. In this task, you will configure the modular policy for Cisco IPS traffic inspection of any traffic from the inside host to the outside.

Activity Procedure
Complete these steps:
Step 1 Log in to ASDM.
Step 2 From the ASDM Configuration features, choose Security Policy. The Security Policy window will open.
Step 3 In the Security Policy window, click the Service Policy Rules tab.
Step 4 Click Add. The Add Service Policy Rule Wizard - Service Policy window will open.
Step 5 In the Add Service Policy Rule Wizard - Service Policy window, configure a service policy and assign it to an interface by completing the following substeps:
1. Verify that the Interface button is selected.
2. From the Interface drop-down menu, choose Inside (Create New Service Policy).
3. In the Policy Name field, verify the policy name assigned by ASDM, inside-policy.
4. Click Next. The Add Service Policy Rule Wizard - Traffic Classification Criteria window will open.
Step 6 In the Add Service Policy Rule Wizard - Traffic Classification window, configure a traffic-matching criterion as follows: select the Source and Destination IP Address (Uses ACL) check box, then click Next. The Add Service Policy Rule Wizard - Traffic Match - Source and Destination Address window will open.
Step 7 In the Add Service Policy Rule Wizard - Traffic Match - Source and Destination Address window, verify that Match is selected in the Action drop-down menu, then complete the following substeps:
1. Choose IP Address from the Source Type drop-down list.
2. Choose insidehost from the IP Address drop-down list and 255.255.255.255 from the Netmask drop-down list in the Source group box. Note: you will need to create the insidehost object on the ASA first and define a NAT/ACL rule for this host to communicate with the outside world. This is a good exercise to practice the skills obtained in the DMZ section. You may browse back for reference.
3. Choose any from the Type drop-down list in the Destination group box.
4. Click Next. The Add Service Policy Rule Wizard - Rule Actions window will open.
Step 8 In the Add Service Policy Rule Wizard - Rule Actions window, configure the Cisco IPS rule by completing the following substeps:
1. Under the Intrusion Prevention tab, check the Enable IPS for This Traffic Flow check box.
2. In the Mode group box, verify that the Inline Mode button is selected.
3. In the If IPS Card Fails, Then group box, verify that the Permit Traffic button is selected.
4. Click Finish. You will be returned to the Service Policy Rules window.
Step 9 In the Service Policy Rules window, click Apply. The Preview CLI Commands window will open.
Step 10 In the Preview CLI Commands window, view the access-list, class-map, policy-map, and service-policy CLI commands before they are sent to the security appliance. Click Send.


Task 5: Verify IPS Security Policy


In this task, you will verify that the security appliance is sending the classified traffic to the Cisco ASA AIP SSM for intrusion inspection.

Activity Procedure
Complete these steps:
Step 1 From the CLI command prompt, view the class map used by the security appliance to identify a class of traffic.
asaP# show run class-map
class-map inside-class
 match access-list inside_mpc
Step 2 From the CLI command prompt, view the ACL used by the security appliance to identify matching traffic to be copied to the Cisco ASA AIP SSM.
asaP# show run access-list
access-list inside_mpc extended permit ip host insidehost any
Step 3 From the CLI command prompt, view the policy map used by the security appliance to apply the Cisco IPS policy to a class of traffic.
asaP# show run policy-map
policy-map inside-policy
 class inside-class
  IPS inline fail-open
Step 4 From the CLI command prompt, view the interface to which the service policy was applied.
asaP# show run service-policy
service-policy inside-policy interface inside
Step 5 Verify that inbound ICMP packets from the inside host are being copied and sent to the Cisco ASA AIP SSM. From the Windows command line, ping 172.26.26.50 continuously with an ICMP packet size of 1000.
C:\> ping -l 1000 172.26.26.50 -t
Pinging 172.26.26.50 with 1000 bytes of data:
Reply from 172.26.26.50: bytes=1000 time<10ms TTL=125
Reply from 172.26.26.50: bytes=1000 time<10ms TTL=125
Reply from 172.26.26.50: bytes=1000 time<10ms TTL=125
Reply from 172.26.26.50: bytes=1000 time<10ms TTL=125
Step 6 Verify that the service policy is identifying ICMP packets.
asaP# show service-policy
Interface inside:
  Service-policy: inside-policy
    Class-map: inside-class
      IPS: card status Up, mode inline fail-open
        packet input 22, packet output 22, drop 0, reset-drop 0
Step 7 Verify that the security appliance is sending packets to the Cisco ASA AIP SSM via the internal data channel. Complete the following substeps to view the statistics.
1. Open a session with the Cisco ASA AIP SSM.
asaP# session 1
2. Log in to the Cisco ASA AIP SSM.
login: cisco
password: training
3. Confirm that data packets are being routed to the Cisco ASA AIP SSM internal data channel.
sensorP# show interface
Mac statistics from interface GigabitEthernet0/1
   Media Type = backplane
   Total Packets Received = 81
   Total Bytes Received = 75353
4. Confirm that the data packet count is incrementing.
sensorP# show interface
Mac statistics from interface GigabitEthernet0/1
   Media Type = backplane
   Total Packets Received = 92
   Total Bytes Received = 87409
5. Exit the Cisco ASA AIP SSM session.
sensorP# exit
Remote card closed command session. Press any key to continue.
<Enter>
Command session with slot 1 terminated.
asaP#
Step 8 In the Command Line window, press Ctrl-C to end the continuous ping.
Step 9 Close the command prompt window.
Step 10 In the ASDM window, click the Save icon. The Save Running Configuration to Flash window will open.
Step 11 Click Yes. The Preview CLI Commands window will open.
Step 12 Click Send.
Step 13 Close the ASDM window. The Are You Sure window will open.
Step 14 Click Yes. Close all open browser windows.

Step 15 OPTIONAL: Try to access the AIP-SSM IPS module through ASDM and familiarize yourself with the configuration options available there.
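The Python script below is an added example, not code from the Cisco lab guide. It parses the two outputs that Steps 6 and 7 ask you to read by eye (show service-policy on the ASA and show interface on the AIP SSM) and turns the manual checks into explicit results: the card is Up, the policy is inline, input equals output with no drops, and the backplane packet count increases between two readings. The sample outputs are constructed from the figures on the page. The one caveat a defender should not miss is encoded as its own check: with fail-open configured (the Permit Traffic choice in Task 4), a card that is not Up means the class of traffic passes without inspection, so "card status" is not optional reading.

```python
"""Added example, not code from the Cisco lab guide: parse 'show
service-policy' and AIP SSM 'show interface' output and evaluate the
Task 5 verification checks.  Sample outputs are constructed from the
page's figures."""
import re
from typing import Dict, Optional

# Constructed from Step 6 of the lab.
SHOW_SERVICE_POLICY = """\
Interface inside:
  Service-policy: inside-policy
    Class-map: inside-class
      IPS: card status Up, mode inline fail-open
        packet input 22, packet output 22, drop 0, reset-drop 0
"""

# Two successive readings on the sensor, constructed from Step 7.
SHOW_INTERFACE_1 = """\
Mac statistics from interface GigabitEthernet0/1
   Media Type = backplane
   Total Packets Received = 81
   Total Bytes Received = 75353
"""
SHOW_INTERFACE_2 = SHOW_INTERFACE_1.replace("= 81", "= 92").replace("= 75353", "= 87409")

_CLASS_RE = re.compile(r"^\s*Class-map:\s*(\S+)")
_IPS_RE = re.compile(r"^\s*IPS: card status (\w+), mode (\S+) (fail-open|fail-close)")
_CNT_RE = re.compile(r"packet input (\d+), packet output (\d+), drop (\d+), reset-drop (\d+)")


def parse_service_policy(text: str) -> Dict[str, dict]:
    """Return {class-map: {status, mode, fail, input, output, drop, reset_drop}}."""
    result: Dict[str, dict] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        m = _CLASS_RE.match(line)
        if m:
            current = m.group(1)
            result[current] = {}
            continue
        if current is None:
            continue
        m = _IPS_RE.match(line)
        if m:
            result[current].update(status=m.group(1), mode=m.group(2), fail=m.group(3))
            continue
        m = _CNT_RE.search(line)
        if m:
            keys = ("input", "output", "drop", "reset_drop")
            result[current].update(zip(keys, map(int, m.groups())))
    return result


def backplane_packets(show_interface: str) -> int:
    """Total Packets Received on the backplane (internal data channel)."""
    m = re.search(r"Total Packets Received = (\d+)", show_interface)
    if m is None:
        raise ValueError("no backplane packet counter in output")
    return int(m.group(1))


def ips_health(class_name: str, policy_text: str, before: str, after: str) -> Dict[str, bool]:
    """The checks Steps 6 and 7 make by eye, as named booleans."""
    c = parse_service_policy(policy_text)[class_name]
    return {
        "card_up": c["status"] == "Up",
        "inline": c["mode"] == "inline",
        "no_drops": c["drop"] == 0 and c["reset_drop"] == 0,
        "forwarding": c["input"] == c["output"],
        "backplane_incrementing": backplane_packets(after) > backplane_packets(before),
        # fail-open with a card that is not Up means traffic passes uninspected.
        "inspected": c["status"] == "Up" or c["fail"] == "fail-close",
    }


if __name__ == "__main__":
    checks = ips_health("inside-class", SHOW_SERVICE_POLICY,
                        SHOW_INTERFACE_1, SHOW_INTERFACE_2)
    for name, ok in checks.items():
        print(f"{name:24s} {'OK' if ok else 'FAIL'}")
```

On the page's figures every check passes; swapping "Up" for "Down" in the service-policy output flips both card_up and inspected, which is the condition the fail-open setting silently tolerates.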
