ASA Express
Version 2.2 Course Guide
Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the
Cisco Website at www.cisco.com/go/offices.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and
other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third
party trademarks mentioned are the property of their respective owners. The use of the word partner does
not imply a partnership relationship between Cisco and any other company. (1110R)
DISCLAIMER WARRANTY: THIS CONTENT IS BEING PROVIDED “AS IS” AND AS SUCH MAY INCLUDE TYPOGRAPHICAL,
GRAPHICS, OR FORMATTING ERRORS. CISCO MAKES AND YOU RECEIVE NO WARRANTIES IN CONNECTION WITH THE
CONTENT PROVIDED HEREUNDER, EXPRESS, IMPLIED, STATUTORY OR IN ANY OTHER PROVISION OF THIS CONTENT
OR COMMUNICATION BETWEEN CISCO AND YOU. CISCO SPECIFICALLY DISCLAIMS ALL IMPLIED WARRANTIES,
INCLUDING WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT AND FITNESS FOR A PARTICULAR PURPOSE,
OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE. This learning product may contain early release
content, and while Cisco believes it to be accurate, it falls subject to the disclaimer above.
Day 2
Introducing the Combined NGFW Security Services
Exploring the Cisco ASA NGFW WSE and AVC
Exploring IPS for Cisco ASA NGFW - IPS Features
Introducing Cisco ASA Cloud Web Security
The course is used in the following curricula, certifications, specializations, and learning maps:
Certifications:
Target Audiences
This section specifies the primary and secondary target audiences of this course by job roles and notes the
relevance to each job role.
Day 1:
Lesson 1: Preparing the Cisco ASA Adaptive Security Appliance for Network Integration
Lesson Objective: Explain the Cisco ASA security appliance boot process
This lesson includes these topics:
Managing the Cisco ASA Adaptive Security Appliance Boot Process
Managing the Cisco ASA Adaptive Security Appliance Using Cisco ASDM
Lesson 2: Managing Basic Cisco ASA Adaptive Security Appliance Network Settings
Lesson Objective: Describe how to configure Cisco ASA security appliance network interface security levels
This lesson includes these topics:
Managing Cisco ASA Adaptive Security Appliance Security Levels
Managing Basic Cisco ASA Adaptive Security Appliance Network Settings
Configuring and Verifying Interface VLANs
Configuring a Default Route
Summary
Lab 2-1: Preparing Cisco ASA for Network Integration and Configuring Basic Settings
Lab Objective: Verify Cisco ASA security appliance and Cisco ASDM versions
This lab includes these tasks:
Task 1: Verify Cisco ASA Security Appliance and Cisco ASDM Versions
Task 2: Initialize the Cisco ASA Security Appliance from the CLI
Task 3: Launch Cisco ASDM and Test SSH Access
Task 4: Configure and Verify Interfaces
Task 5: Configure System Management Parameters
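The lesson topics and Lab 2-1 tasks above form one procedure: interfaces with security levels, an interface VLAN, a default route, and the management settings that make ASDM and SSH reachable. The configuration below is an added example written for this guide; it is not the course's own lab configuration. The interface addresses come from the lab topology diagram (outside 209.165.201.0/27, inside 192.168.1.0/24, DMZ 172.16.1.0/24, pod router at 209.165.201.1). The hostname, the local account, the VLAN 20 subinterface and the syslog host address are assumptions.

```cisco
! Added example: initial configuration for a pod ASA using the lab addresses.
! Hostname, credentials, the VLAN 20 subinterface and the syslog host are
! assumptions, not values from the course.
hostname P1-ASA
domain-name secure-x.com
!
! Security levels set the default direction of trust. With no ACL applied,
! connections may start from a higher level toward a lower one
! (inside -> dmz, inside -> outside, dmz -> outside) but never the reverse.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 209.165.201.2 255.255.255.224
 no shutdown
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 172.16.1.1 255.255.255.0
 no shutdown
!
! Assumed 802.1Q subinterface (VLAN 20) on the DMZ link, showing how an
! interface VLAN is defined; the pod switch port would need a matching trunk.
interface GigabitEthernet0/2.20
 vlan 20
 nameif dmz-guest
 security-level 40
 ip address 172.16.20.1 255.255.255.0
!
! Default route toward the pod router on the outside segment
route outside 0.0.0.0 0.0.0.0 209.165.201.1 1
!
! Management plane: local account, SSH version 2 and ASDM (HTTPS) accepted
! only from the inside subnet. Nothing is opened toward the outside.
username admin password Str0ng-Lab-Passw0rd privilege 15
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
crypto key generate rsa modulus 2048
ssh version 2
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 10
http server enable
http 192.168.1.0 255.255.255.0 inside
!
! Syslog to the inside syslog server (address assumed)
logging enable
logging timestamp
logging trap informational
logging host inside 192.168.1.2
!
! Verification (exec mode): interface state and addresses, security levels,
! the routing table, and the SSH source restriction actually in effect
show interface ip brief
show nameif
show route
show running-config ssh
show version
```

The verification commands are the ones to run in Task 1 and Task 4: `show version` confirms the ASA and ASDM image versions, `show nameif` lists each interface with its security level, and `show running-config ssh` proves that the SSH source list is limited to the inside subnet before ASDM is launched.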
Lesson 2: Configuring Cisco ASA Adaptive Security Appliance Basic Access Control Features
Lesson Objective: Describe the connection table, the local host table, connection objects, and local host objects
This lesson includes these topics:
Connection Table and Local Host Table
Configuring and Verifying Interface ACLs
Configuring and Verifying Global ACLs
Configuring and Verifying Object Groups
Configuring and Verifying Other Basic Access Controls
Summary
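The four configuration topics of this lesson (interface ACLs, global ACLs, object groups, and verification through the connection and local host tables) fit together in one policy, so an added example follows. It is written for this guide, not taken from the course, and uses the DMZ server (172.16.1.2) and inside network (192.168.1.0/24) from the lab topology; the object and ACL names, and the choice of published services, are assumptions.

```cisco
! Added example: access control for the pod topology. Object names, ACL names
! and the published DMZ services are assumptions.
!
! Object groups keep the ACLs readable and let one change update every rule.
object-group network DMZ-WEB
 network-object host 172.16.1.2
object-group service DMZ-WEB-PORTS tcp
 port-object eq www
 port-object eq https
object-group network INSIDE-NET
 network-object 192.168.1.0 255.255.255.0
!
! Interface ACL on the outside. An applied ACL replaces the security-level
! default for that direction. The explicit logged deny means outside traffic
! is fully decided here and never falls through to the global ACL below.
access-list OUTSIDE-IN extended permit tcp any object-group DMZ-WEB object-group DMZ-WEB-PORTS
access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface outside
!
! Interface ACL on the DMZ: a compromised DMZ host must not reach the inside
! network. Deliberately no final permit, so anything else from the DMZ is
! decided by the global ACL.
access-list DMZ-IN extended deny ip any object-group INSIDE-NET log
access-group DMZ-IN in interface dmz
!
! Global ACL: evaluated after the ingress interface's ACL and before the
! implicit deny, for every interface. Once a global ACL exists, that implicit
! deny applies everywhere, so inside users need an explicit permit here.
access-list GLOBAL-ACL extended deny tcp any any eq telnet log
access-list GLOBAL-ACL extended permit ip object-group INSIDE-NET any
access-list GLOBAL-ACL extended permit ip object-group DMZ-WEB any
access-list GLOBAL-ACL extended deny ip any any log
access-group GLOBAL-ACL global
!
! Verification: per-ACE hit counts, then the connection and local-host tables
! to confirm an allowed flow created a connection entry and a blocked one did
! not. Syslog 106023 is the ACL deny message.
show access-list OUTSIDE-IN
show access-list GLOBAL-ACL
show conn address 172.16.1.2
show local-host 172.16.1.2
show logging | include 106023
```

The ordering matters more than the individual rules: because OUTSIDE-IN ends in an explicit deny, no spoofed inside address arriving on the outside can ever match the `permit ip object-group INSIDE-NET any` entry of the global ACL, whereas DMZ-IN is left open-ended on purpose so that the global rules (the Telnet block, the logged final deny) still apply to DMZ-originated traffic.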
Lab 6-1: Preparing the Cisco ASA NGFW and Configuring the Cisco ASA for Traffic
Redirection
Lab Objective: Describe how to install and set up the ASA CX Software Module.
This lab includes these tasks:
Task 1: Install and Set Up the ASA CX Software Module
Task 2: Redirect Traffic from the ASA to Cisco ASA NGFW
Task 3: Explore the On-Box PRSM GUI
Lesson 1: Configuring IPS for Cisco ASA Next Generation Firewall Settings
Lesson Objective: Describe IPS for Cisco ASA NGFW IPS settings.
This lesson includes these topics:
IPS for Cisco ASA NGFW Settings Overview
IPS for Cisco ASA NGFW Settings Configuration
Summary
Lab 7-1: Configure IPS for Cisco ASA NGFW Settings & Filters
Lab Objective: Describe how to configure and verify IPS for Cisco ASA NGFW settings
This lab includes these tasks:
Task 1: Configure IPS for Cisco ASA NGFW Settings
Task 2: Configure IPS for Cisco ASA NGFW Filters
Lesson 1: Introducing Cisco ASA Next Generation Firewall Web Security Essentials &
Application Visibility and Control
Lesson Objective: Describe Cisco Application Visibility and Control
This lesson includes these topics:
Cisco Web Security Essentials Overview
Cisco Application Visibility and Control
Summary
Lab 9-1: Cisco ASA and Cloud Web Security Integration (Optional)
Lab Objective: Configure the Cisco ASA to integrate with Cisco Cloud Web Security
This lab includes these tasks:
Task 1: Configure the Cisco ASA-to-Cloud Web Security Integration
Laboratory Topology
Each lab pod consists of a Cisco ASA 5515-X with the SSD and a share of a Cisco Unified Computing System C22 server that hosts the Windows 7, Linux/Kali, and Microsoft Windows 2008 Server VMs.
Lab Topology Diagram
A lab topology is used where each pod is independent:
[Lab topology diagram, one pod. Px-ASA (ASA 5500-X, with the IPS or CX module shown at .5) has three interfaces: Gi0/1 inside, 192.168.1.0/24, VLAN 2xx, ASA at .1, with Inside-PC (Win 7) and the Syslog Server; Gi0/2 DMZ, 172.16.1.0/24, VLAN 3xx, ASA at .1, with DMZ-SRV (Linux) at .2; Gi0/0 outside, 209.165.201.0/27, VLAN 1xx, ASA at .2, with Px-Rtr (2610XM) Fa0/0.1x at .1. Px-Rtr also serves Fa0/0.8x on 209.165.202.128/27 (VLAN 8xx: router .129, hosts .130 and .131, Outside-PC (Win 7)) and Fa0/0.9x on 209.165.200.224/27 (VLAN 9xx: .225 and .226, Outside-SRV (Linux)). The Term Server and the shared Cisco lab ISR VPN gateway (Gi0/0.9x, Gi0/1 at .89) provide the path to the Internet over 172.16.150.0/24 with .254 as gateway.]
In the Learning@Cisco lab setup, each Cisco Unified Computing System server also has a connection to the
backbone switch (ports 0/1 to 0/6). These connections are meant for students to use RDP to access the
springboard VMs for launching the VM, Cisco ASA, and router console connections.
For the Cisco Learning Partner remote lab environment, it is up to the CLPs for how they decide to manage
the physical servers for the VMs and how the students will access the VMs for their pods.
Laboratory Equipment
Description | Manufacturer | Part Number | Quantity
ASA VPN gateway for the Cisco AnyConnect SSL VPN | Cisco | Any ASA | 1
Software List
Description | Mfr. | Part Number | Qty.
https://tools.cisco.com/SWIFT/LicensingUI/loadDemoLicensee?FormId=2618 | | |
Windows 2008 Server R2 Standard License | Microsoft | Standard Edition Windows 2008 Server R2 License | 16
Workstation Configuration
Set up the Windows and Linux VMs per the lab requirements.
Set up similar FTP, HTTP, and other services on the servers per the lab requirements.
Connections chart
[Chart omitted: the backbone switch (BB-Switch; ports 0/11, 0/12, 0/18, 0/21 and 0/22 are shown) connects to UCS1 through UCS6 and, over trunks, to the pod switches serving P1-ASA, P2-ASA, P1-Rtr, P2-Rtr through P16-ASA and P17-Rtr.]
Each Pod ASA has 7 interfaces connected to the pod switch (gi0/0 to gi0/5 and m0/0)
Each Pod Router has a single trunk interface connected to the pod switch
Each Pod Switch supports 2 Pods
Note In the ASA CX labs, use the on-box PRSM only, not the multidevice off-box PRSM, because the next
version of the off-box PRSM will have big changes. There is no need to discuss how the current off-box
PRSM works (such as how the ASA CX and ASA devices are imported into the off-box PRSM and how
the off-box PRSM policy model works for configuring common policies across multiple ASA CX devices).
Pod Switch Configuration for Nonclustering Labs (this example is only for Pod Switch-1, which supports
pods 1 and 2):
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname P1P2-Sw
!
no aaa new-model
ip subnet-zero
!
!
ip domain-name secure-x.com
!
vtp domain secure-x
vtp mode transparent
!
spanning-tree mode pvst
spanning-tree etherchannel guard misconfig
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
Pod Switch Configuration for the Clustering Lab (this example is only for Pod Switch-1, which supports
pods 1 and 2):
hostname P1P2-Sw-Cluster
!
!
ip subnet-zero
no ip domain-lookup
!
spanning-tree extend system-id
!
!
interface GigabitEthernet0/1
description to ASA1 gi0/0 - outside
switchport mode access
switchport access vlan 101
channel-group 1 mode active
no ip address
no shut
!
interface GigabitEthernet0/2
description to ASA1 gi0/1 - inside
switchport mode access
switchport access vlan 201
channel-group 2 mode active
no ip address
no shut
!
interface GigabitEthernet0/3
description to ASA1 gi0/2 - CCL
switchport mode access
switchport access vlan 301
channel-group 3 mode active
spanning-tree portfast
no ip address
no shut
!
interface GigabitEthernet0/4
description to ASA1 gi0/3 - CCL
switchport mode access
switchport access vlan 301
channel-group 3 mode active
spanning-tree portfast
no ip address
no shut
!
interface GigabitEthernet0/5
description to ASA1 gi0/4 - outside
switchport mode access
switchport access vlan 101
channel-group 1 mode active
no ip address
no shut
!
interface GigabitEthernet0/6
description to ASA1 gi0/5 - inside
switchport mode access
switchport access vlan 201
Visual Objective
The figure illustrates the lab topology for Pod XX (XX = 01 to 16).
[Figure omitted: the same per-pod topology as the Lab Topology Diagram above; this version also shows Inside-SRV (Win 2008 R2, AD/DNS) on the inside network next to Inside-PC (Win 7) and the Syslog Server.]
Lab 6-1: Preparing the Cisco ASA NGFW and Configuring the
Cisco ASA for Traffic Redirection
This topic details the lab activity for Lab 6-1: Preparing the Cisco ASA NGFW and Configuring the Cisco
ASA for Traffic Redirection.
Objectives
Upon completing this exercise, you will be able to:
Describe how to install and set up the ASA CX Software Module.
Describe how to redirect traffic from the Cisco ASA to the Cisco ASA NGFW.
Discuss the on-box PRSM GUI.
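Tasks 1 and 2 of this lab are one sequence on the ASA CLI: bring the CX software module up, then hand traffic to it through the Modular Policy Framework. The following is an added example written for this guide, not the course's lab procedure. It assumes an ASA 5515-X with the SSD, as in the lab pods; the boot image file name and the management values entered in the module's setup wizard are assumptions.

```cisco
! Added example: installing the ASA CX software module and redirecting
! traffic to it. The image file name is an assumption; use the one that
! matches your ASA CX release.
!
! 1. Load the CX boot image from flash and start the module. "recover" is
!    used both for a first install and for reimaging a broken module.
sw-module module cxsc recover configure image disk0:asacx-boot-9.1.1.img
sw-module module cxsc recover boot
!
! 2. Open the module console and complete its setup wizard (management IP,
!    gateway, DNS, NTP, admin password). This is where the on-box PRSM
!    address used in Task 3 is defined.
session cxsc console
!
! 3. Do not redirect anything until the module reports Up.
show module cxsc details
!
! 4. Select the traffic to hand to CX. "match any" sends every through-the-box
!    flow; an access-list match could narrow this to the inside and DMZ.
class-map CX-CLASS
 match any
!
! 5. Add the cxsc action to the default global policy. fail-open passes
!    traffic uninspected while the module is down (fine in the lab);
!    fail-close drops it, which is what you want once CX is the control you
!    rely on. auth-proxy lets CX perform active user authentication.
policy-map global_policy
 class CX-CLASS
  cxsc fail-open auth-proxy
service-policy global_policy global
!
! 6. Verify: redirect counters on the policy and the module status.
show service-policy cxsc
show module cxsc
```

The fail-open versus fail-close choice is the security decision in this procedure: with fail-open, a module that is rebooting, reimaging, or simply overloaded silently turns the NGFW policy off, and nothing in the data path tells the users. `show service-policy cxsc` is the check that traffic is in fact being redirected after the policy is applied.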
Visual Objective
The figure illustrates what you will accomplish in this activity.
[Figure omitted: the per-pod lab topology shown in the Lab Topology Diagram.]
Lab 7-1: Configure IPS for Cisco ASA NGFW Settings & Filters
This topic details the lab activity for Lab 7-1: Configure IPS for Cisco ASA NGFW Settings & Filters.
Objectives
Upon completing this exercise, you will be able to:
Describe how to configure and verify IPS for Cisco ASA NGFW settings
Describe how to configure and verify IPS for Cisco ASA NGFW filters
Visual Objective
The figure illustrates what you will accomplish in this activity.
[Figure omitted: the per-pod lab topology shown in the Lab Topology Diagram.]
Describe how to configure and verify Cisco ASA NGFW web security
Visual Objective
The figure illustrates what you will accomplish in this activity.
[Figure omitted: the per-pod lab topology shown in the Lab Topology Diagram.]
Describe how to configure and verify Cisco ASA NGFW application visibility and control
Visual Objective
The figure illustrates what you will accomplish in this activity.
[Figure omitted: the per-pod lab topology shown in the Lab Topology Diagram.]
Visual Objective
The figure illustrates what you will accomplish in this activity.
[Figure omitted: the per-pod lab topology shown in the Lab Topology Diagram.]
Setup Notes
From ScanCenter, create a simple web-filtering rule that blocks traffic, using the "default" web filter.
Common Issues
This subtopic presents common issues for this lab.
During the optional step for configuring the ASA to send a default username and group name, if the ASA reports a previously logged-in Active Directory user to ScanSafe instead, use the clear user-identity active-user-database command to remove all user-to-IP mappings on the ASA.