Memoria TFG

SAEXS
ASA Express
Version 2.2 Course Guide
Part Number: partnumber (Ignore: for DTP only)

Version 1.0
Europe Headquarters
Americas Headquarters Asia Pacific Headquarters Cisco Systems International BV
Cisco Systems, Inc. Cisco Systems (USA) Pte. Ltd. Amsterdam,
San Jose, CA Singapore The Netherlands
Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the
Cisco Website at www.cisco.com/go/offices.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and
other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third
party trademarks mentioned are the property of their respective owners. The use of the word partner does
not imply a partnership relationship between Cisco and any other company. (1110R)
DISCLAIMER WARRANTY: THIS CONTENT IS BEING PROVIDED “AS IS” AND AS SUCH MAY INCLUDE TYPOGRAPHICAL,
GRAPHICS, OR FORMATTING ERRORS. CISCO MAKES AND YOU RECEIVE NO WARRANTIES IN CONNECTION WITH THE
CONTENT PROVIDED HEREUNDER, EXPRESS, IMPLIED, STATUTORY OR IN ANY OTHER PROVISION OF THIS CONTENT
OR COMMUNICATION BETWEEN CISCO AND YOU. CISCO SPECIFICALLY DISCLAIMS ALL IMPLIED WARRANTIES,
INCLUDING WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT AND FITNESS FOR A PARTICULAR PURPOSE,
OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE. This learning product may contain early release
content, and while Cisco believes it to be accurate, it falls subject to the disclaimer above.
© 2014 Cisco Systems, Inc.

Table of Contents
Course High Level Design C-3
Course Goal C-3
Job Tasks and Domain and Skill Objectives (formerly “Claims and
Component Skills”) C-3
Course Flow Diagram C-4
Required Classroom Environment C-4
Instructor Certification Requirements C-4
General Information C-4
Laboratory Topology (Delivery) C-4
Laboratory Topology C-4
Lab Topology Diagram (Backbone Pod View) C-4
Lab Topology Diagram (Student Pod View) C-4
Laboratory Equipment C-4
Software List C-5
Workstation Configuration C-5
Initial Lab Build C-5
General Lab Setup C-5
Notes on Delivery Lab Equipment C-5
Development Lab Equipment Requirements C-5
Required Materials Laboratory Topology (Development) C-5
Notes on Development Lab Equipment C-6
Course Management Template C-7
Course Description C-7
Curricula C-7
Course Goal and Objectives C-7
Target Audiences C-8
Prerequisite Skills and Knowledge C-9
Course Instruction Details C-9
Instructor Certification Requirements C-9
Required Classroom Environment C-9
Detailed Course Flow C-9
Course Outlines C-11
High Level Course Outline C-11
Detailed Course Outline C-11
Course Introduction C-12
Module 1: Introducing Cisco ASA Solutions C-12
Module 2: Exploring Cisco ASA Connectivity Basics C-12
Module 3: Configuring ASA Basic Access Control Foundation C-14
Module 4: Deploying Cisco Remote Access VPN C-15
Module 5: Introducing Cisco ASA High Availability C-16
Module 6: Introducing the Combined NGFW Security Services C-16
Module 7: Exploring IPS for Cisco ASA NGFW - IPS Features C-17
Module 8: Exploring the Cisco ASA NGFW WSE and AVC C-18
Module 9: Introducing Cisco ASA Cloud Web Security C-19
Course Evaluation Template C-21
Curriculum Evaluation C-21
Lab Setup C-23
General Information C-23
Laboratory Topology C-23
Lab Topology Diagram C-24
Laboratory Equipment C-25
Software List C-25
Workstation Configuration C-26
Initial Lab Build C-27
General Lab Setup C-28
Configuration Files Summary C-28
Lab IP Addressing C-51
Lab Details C-52
Lab 2-1: Preparing Cisco ASA for Network Integration and Configuring Basic
Settings C-52
Lab 3-1: Configuring NAT and Basic Access Control C-52
Lab 4-1: Configure Cisco AnyConnect Client SSL VPN Solution C-53
Lab 6-1: Preparing the Cisco ASA NGFW and Configuring the Cisco ASA for Traffic
Redirection C-54
Lab 7-1: Configure IPS for Cisco ASA NGFW Settings & Filters C-55
Lab 8-1: Cisco ASA NGFW Web Security Essentials C-56
Lab 8-2: Cisco ASA NGFW Application Visibility & Control C-57
Lab 9-1: Cisco ASA and Cloud Web Security Integration (Optional) C-57
ii ASA Express © 2014 Cisco Systems, Inc.

Course High Level Design
Course Goal
The goal of the course is to provide an understanding of the Cisco ASA solution portfolio and successfully
configure various aspects of the Cisco ASA components including Cisco ASA NGFW, Cisco ASA NGFW
Security Services and Cisco ASA Remote Access VPN including Clientless and AnyConnect.
Job Tasks and Domain and Skill Objectives

(formerly “Claims and Component Skills”)
These are the job tasks (domains and skill objectives from the audience, as well as job definition and job
task analyses that will be taught and practiced in the course).
Domain # Domains Skill Objectives/Job Tasks
x Domain (Claim) 1 First Skill Objective/Job Task of

Domain 1
x.01 Second Skill Objective/Job Task of

Domain 1
x.02
x.03
x.04
x.05
Domain # Domains Skill Objectives/Job Tasks
n-th Domain First Skill Objective/Job Task of n-th

Domain
Course Flow Diagram
This section illustrates the flow of the course.
AM PM
Day 1 Course Intro Configuring ASA Basic Access Control

Foundation
Introducing Cisco ASA Solutions
Deploying Cisco Remote Access VPN
Exploring Cisco ASA Connectivity Basics
Day 2 Introducing the Combined NGFW Security Services Exploring the Cisco ASA NGFW WSE and AVC
Exploring IPS for Cisco ASA NGFW - IPS Features Introducing Cisco ASA Cloud Web Security
Introducing the Combined NGFW Security Services
Required Classroom Environment

Room setup, layout, logistics, and equipment:
Instructor Certification Requirements

Credentials to teach this version of the course are:
CCSI in good standing
Certified to teach Firewall 2.0
Attend SASAA v1.0 course or SASAA v1.0 TTT or Certified SAEXS v1.0
General Information
High-level description of lab environment.
Laboratory Topology (Delivery)

Introduction to lab
Laboratory Topology
Lab Topology Diagram (Backbone Pod View)
Lab Topology Diagram (Student Pod View)
Laboratory Equipment
These tables list the recommended equipment to support the lab activities. These tables assume a class size
of XX students.
Description Mfr. Part Number Total Qty.
Examples
Learner Pod Equipment – X learners per pod – Y pods

total per class
C-4 ASA Express © 2014 Cisco Systems, Inc.

Other Required Equipment
Software List
Workstation Configuration
These instructions describe how to set up the lab when workstations are required
Step 1
[Insert instructions to set up, locate, prepare for, or conduct activities]
Initial Lab Build

This topic contains information required to interconnect lab equipment
General Lab Setup

This topic details the procedure to set up and configure the lab equipment at the beginning of each class.
Notes on Delivery Lab Equipment
Development Lab Equipment Requirements

This section details the resources and requirements needed to develop and test the course labs.
Required Materials Laboratory Topology (Development)

of n learners.
© 2014 Cisco Systems, Inc. Course Guide C-5

Describe which equipment can be remote, and what must be physically accessible by the developer(s). Note
any other considerations, such as number of pods, interconnections between pods, and external connections
to servers or Internet.
Learner Pod Equipment – x pods for development
Other Required Equipment
Notes on Development Lab Equipment

Course Management
Template
Course Description
The goal of the course is to provide an understanding of the Cisco ASA solution portfolio and successfully
configure various aspects of the Cisco ASA components including Cisco ASA NGFW, Cisco ASA NGFW
Security Services and Cisco ASA Remote Access VPN including Clientless and AnyConnect.
Full Title of Course Cisco ASA Express Security
Course Order Code SAEXS
Course Version Number 1.0
New Course? Yes
Replaces
Curricula
The course is used in the following curricula, certifications, specializations, and learning maps:
Certifications:
Curricula, specializations, and learning maps:
Course Goal and Objectives

This topic describes the course goal and objectives.
Upon completing this
course, you will be able to:
Describe the Cisco ASA
technology
Describe how to configure

network integration and
manage network settings for
the Cisco ASA
Course Goals Choose, configure, and

troubleshoot Cisco ASA
security appliance features
Introduce and Deploy Cisco

Remote Access VPN
Describe NGFW Security

Services and explore the
feature and benefits found of
the Policy Modular Framework
Describe how to configure IPS

for NGFW Settings and
Filtering
Describe the Cisco ASA NFWG

WSE and AVC solutions and
Course Goals how to configure Cisco ASA
NGFW Objects and Policies
(Cont.)
Describe the features of
Cisco’s ASA Cloud Web
Security
Explore Cisco ASA Active/

Standby High Availability
Target Audiences
This section specifies the primary and secondary target audiences of this course by job roles and notes the
relevance to each job role.

Prerequisite Skills and Knowledge
This sections lists the skills and knowledge that learners must possess to benefit fully from the course. It
includes recommended Cisco learning offerings that the learner may complete to benefit fully from this
course.
The knowledge and skills that a learner must have before attending this course are as follows:
Cisco ASA Overview (SAAOV) v1.0 E-learning
Firewall knowledge
[Pre-req - add as necessary]
Course Instruction Details

Instructor Certification Requirements
Credentials to teach this version of the course are:
CCSI in good standing
Certified to teach Firewall 2.0
Attend SASAA v1.0 course or SASAA v1.0 TTT or Certified SAEXS v1.0
Required Classroom Environment

Room setup, layout, logistics, and equipment:
Detailed Course Flow

The course schedule specifies the recommended teaching time for each lesson, lab, and activity. Optionally,
indicate breaks and starting and ending times for each day.
Day 1:
8:30–9:20 (0830–0920) Introducing Cisco ASA Solutions
9:30–10:40 (0930–1040) Exploring Cisco ASA Connectivity

Basics
10:50–12:00 (1050–1200) Lab 2-1: Preparing Cisco ASA for

Network Integration and Configuring
Basic Settings
12:00–1:00 (1200–1300) Lunch
1:00–1:50 (1300–1350) Configuring ASA Basic Access

Control Foundation
Lab 3-1: Configuring NAT and Basic

Access Control
2:00–2:50 (1400–1450) Deploying Cisco Remote Access

VPN
3:00–5:00 (1500–1700) Lab 4-1: Configure Ciscon

AnyConnect Client SSL Solution
5:00 (1700) Day ends

Day 2:
8:30–9:20 (0830–0920) Introducing the Combined

NGFW Security Services
9:30–10:30 (0930–1030) Lab 6-1: Preparing the Cisco ASA

NGFW and Configuring the Cisco
ASA for Traffic REdirection
10:40–11:15 (1000–1115) Exploring IPS for Cisco ASA NGFW -

IPS Features
11:15–12:00 (1115–1200) Lab 7-1: Configure IPS for Cisco ASA

NGFW Settings & Filters
12:00–12:00 (1200–1300) Lunch
1:00–1:40 (1300–1340) Exploring the Cisco ASA NGFW

WSE and AVC
1:40–2:10 (1340–1410) Lab 8-1: Cisco ASA NGFW Web

Security Essentials
2:20–2:50(1420–1450) Lab 8-2: Cisco ASA NGFW

Application Visibility & Control
2:50–3:20 (1450–1520) Introducing Cisco ASA Cloud Web

Security
3:30-4:00 (1530-1600) Lab 9-1: Cisco ASA and Cloud Web

Security Integration
4:00-5:00(1600-1700) Introducing Cisco ASA High

Availability

Course Outlines
High Level Course Outline
This subtopic provides an overview of how the course is organized. The course contains these components:
Introducing Cisco ASA Solutions
Exploring Cisco ASA Connectivity Basics
Configuring ASA Basic Access Control Foundation
Deploying Cisco Remote Access VPN
Introducing Cisco ASA High Availability
Introducing the Combined NGFW Security Services
Exploring IPS for Cisco ASA NGFW - IPS Features
Exploring the Cisco ASA NGFW WSE and AVC
Introducing Cisco ASA Cloud Web Security
Lab 2-1: Preparing Cisco ASA for Network Integration and Configuring Basic Settings
Lab 3-1: Configuring NAT and Basic Access Control
Lab 4-1: Configure Cisco AnyConnect Client SSL VPN Solution
Lab 6-1: Preparing the Cisco ASA NGFW and Configuring the Cisco ASA for Traffic Redirection
Lab 7-1: Configure IPS for Cisco ASA NGFW Settings & Filters
Lab 8-1: Cisco ASA NGFW Web Security Essentials
Lab 8-2: Cisco ASA NGFW Application Visibility & Control
Lab 9-1: Cisco ASA and Cloud Web Security Integration (Optional)
Detailed Course Outline

This in-depth outline of the course structure lists each module, lesson, and topic.
Course Introduction
The Course Introduction provides learners with the course objectives and prerequisite learner skills and
knowledge. The Course Introduction presents the course flow diagram and the icons that are used in the
course illustrations and figures. This course component also describes the curriculum for this course,
providing learners with the information that they need to make decisions regarding their specific learning
path.
Overview
Course Goal and Objectives
Course Flow
Additional References
Your Training Curriculum
Module 1: Introducing Cisco ASA Solutions

Module Objective: Describe and evaluate technologies that you can use for firewall systems
Lesson 1: Firewall Technologies

Lesson Objective: Describe and evaluate technologies that you can use for firewall systems
This lesson includes these topics:
Firewall Technologies
Cisco ASA Adaptive Security Appliance Features
Summary
Lesson 2: Cisco ASA Adaptive Security Appliance Features

Lesson Objective: Describe Cisco ASA adaptive security appliance models
Cisco ASA Adaptive Security Appliance Hardware
Summary
Lesson 3: Module Summary

References
Module 2: Exploring Cisco ASA Connectivity Basics

Module Objective: Describe how to configure initial device management features of a Cisco ASA security
appliance to prepare for network integration
Lesson 1: Preparing the Cisco ASA Adaptive Security Appliance for Network Integration
Lesson Objective: Explain the Cisco ASA security appliance boot process
Managing the Cisco ASA Adaptive Security Appliance Boot Process
Managing the Cisco ASA Adaptive Security Appliance Using Cisco ASDM

Navigating Basic Cisco ASDM Features
Managing the Cisco ASA Adaptive Security Appliance Basic Upgrade
Summary
Lesson 2: Managing Basic Cisco ASA Adaptive Security Appliance Network Settings
Lesson Objective: Describe how to configure Cisco ASA security appliance network interface security
levels
Managing Cisco ASA Adaptive Security Appliance Security Levels
Managing Basic Cisco ASA Adaptive Security Appliance Network Settings
Configuring and Verifying Interface VLANs
Configuring a Default Route
Summary
Lesson 3: Configuring Cisco ASA Adaptive Security Appliance Routing Features

Lesson Objective: Describe how to configure and verify static routing on Cisco ASA security appliances
Static Routing
Dynamic Routing
EIGRP Configuration and Verification
Summary
Lab 2-1: Preparing Cisco ASA for Network Integration and Configuring Basic Settings
Lab Objective: Verify Cisco ASA security appliance and Cisco ASDM versions
This lab includes these tasks:
Task 1: Verify Cisco ASA Security Appliance and Cisco ASDM Versions
Task 2: Initialize the Cisco ASA Security Appliance from the CLI
Task 3: Launch Cisco ASDM and Test SSH Access
Task 4: Configure and Verify Interfaces
Task 5: Configure System Management Parameters
Lesson 4: Backing up and Restoring Cisco ASA

Lesson Objective: Provide an overview of the Cisco ASA Backup and Restore procedures
Cisco ASA Backup and Restore Overview
Cisco ASA Backup – Configuring
Cisco ASA Restore - Configuring
Summary

References
Module 3: Configuring ASA Basic Access Control Foundation

Module Objective: Choose and configure ASA security appliance NAT features
Lesson 1: Configuring Cisco ASA Adaptive Security Appliance NAT Features

Lesson Objective: Describe the NAT functions in Cisco ASA Software
NAT on Cisco ASA Security Appliances
Configuring Object (Auto) NAT
Configuring Manual NAT
Configuring and Verifying Public Servers
Tuning and Troubleshooting NAT on the Cisco ASA Adaptive Security Appliance
Summary
Lesson 2: Configuring Cisco ASA Adaptive Security Appliance Basic Access Control
Features
Lesson Objective: Describe the connection table, the local host table, connection objects, and local host
objects
Connection Table and Local Host Table
Configuring and Verifying Interface ACLs
Configuring and Verifying Global ACLs
Configuring and Verifying Object Groups
Configuring and Verifying Other Basic Access Controls
Summary

Lab Objective: Configure object NAT for the inside network and DMZ server
Task 1: Configure Object NAT for the Client Network and DMZ Server
Task 2: Configure Manual NAT for the DMZ Server and Client Network
Task 3: Configure Access Rules

References

Module 4: Deploying Cisco Remote Access VPN
Module Objective: Describe Cisco Basic Clientless VPN Features and Functions
Lesson 1: Deploying Basic Clientless VPN Solutions

Lesson Objective: Describe the building blocks of, and use cases for, the Cisco ASA clientless SSL VPN
solution
Cisco ASA Clientless SSL VPN Solution
Configuration Choices and Configuration Procedure
Configuring Basic Cisco ASA Adaptive Security Appliance Gateway Features and Gateway
Authentication
Configuring Basic User Authentication
Configuring Basic Access Control
Tuning Gateway Content Rewriting
Summary
Lesson 2: Cisco AnyConnect SSL VPN Overview

Lesson Objective:
Introduction to Cisco AnyConnect Client
Cisco AnyConnect Client Core Features
Cisco AnyConnect Network Access Manager
Cisco AnyConnect Secure Mobility Modules
Cisco AnyConnect Secure Reporting and Troubleshooting Modules
Cisco AnyConnect Secure Mobility Licensing
Summary
Lesson 3: Deploying a Cisco AnyConnect Client SSL VPN Solution

Lesson Objective: Describes the operation of full-tunnel SSL VPN technology
Basic Cisco AnyConnect SSL VPN
Additional Cisco AnyConnect Deployment Options
Configuring Cisco ASA Gateway Features
Configuring Local User Authentication and IP Address Assignment
Configuring Access Control and Split Tunneling
Deploying DTLS
Installing and Configuring Cisco AnyConnect 3.0
Managing Cisco AnyConnect Software
Summary

Lab 4-1: Configure Cisco AnyConnect Client SSL VPN Solution
Lab Objective: Configure basic full-tunnel SSL VPN support on the Cisco ASA security appliance
Task 1: Configure Basic Cisco AnyConnect Client SSL VPN Support on the Cisco ASA Security
Appliance
Task 2: Configure a Connection Profile, Group Policy, and User Account in the Local User Database
Task 3: Establish a Cisco AnyConnect Client SSL VPN using WebLaunch

References
Module 5: Introducing Cisco ASA High Availability

Module Objective: Describe the concepts of Cisco ASA Active/Standby High Availability.
Lesson 1: Overview of Cisco ASA Active/Standby High Availability

Lesson Objective: Describe ASA Active/Standby High Availability
Cisco ASA Adaptive Security Appliance Active/Standby Failover Overview
Active Unit Election
Switchover Event
Failover Management
Failover Deployment Options
Summary
Lesson 2: Configuring Cisco ASA Adaptive Security Appliance Active/Standby High

Availability
Lesson Objective: Configure and verify active/standby failover on the Cisco ASA security appliance
Configuring and Verifying Active/Standby Failover
Tuning and Managing Active/Standby Failover
Remote Command Execution
Summary
Module 6: Introducing the Combined NGFW Security Services

Module Objective: Describe the features of NGFW Security Services
Lesson 1: Introducing the NGFW Security Services

Lesson Objective: Describe Cisco ASA Next Generation Firewall Security Services

Cisco NGFW Security Services Overview
Cisco Application Visibility and Control (AVC)
Cisco Web Security Essentials (WSE)
Cisco Security Intelligence Operations (SIO)
IPS for NGFW
Cisco Prime Security Manager (PRSM) — Cisco ASA NGFW Management
Cisco Adaptive Security Appliance NGFW Deployment
Cisco ASA CX Policy Object Types
Cisco ASA CX Access Policy Configuration
Summary
Lesson 2: Defining the Cisco ASA Adaptive Security Appliance MPF

Lesson Objective: Plan the deployment of the Cisco MPF on the Cisco ASA security appliance
Cisco MPF Overview
Configuring and Verifying Layer 3 and Layer 4 Policies
Summary
Lab 6-1: Preparing the Cisco ASA NGFW and Configuring the Cisco ASA for Traffic
Redirection
Lab Objective: Describe how to install and setup ASA CX Software Module.
Task 1: Install and Set Up the ASA CX Software Module
Task 2: Redirect Traffic from the ASA to Cisco ASA NGFW
Task 3: Explore the On-Box PRSM GUI

References
Module 7: Exploring IPS for Cisco ASA NGFW - IPS Features

Module Objective: Discuss the features that are included in IPS for Cisco ASA Next-Generation Firewalls
Lesson 1: Configuring IPS for Cisco ASA Next Generation Firewall Settings
Lesson Objective: Describe IPS for Cisco ASA NGFW IPS settings.
IPS for Cisco ASA NGFW Settings Overview
IPS for Cisco ASA NGFW Settings Configuration
Summary

Lesson 2: Configuring IPS for Cisco ASA Next Generation Firewall Filtering
Lesson Objective: Describe IPS for Cisco ASA NGFW IPS filtering.
IPS for Cisco ASA NGFW Filtering Overview
IPS for Cisco ASA NGFW Filtering Configuration
Summary
Lab Objective: Describe how to configure and verify IPS for Cisco ASA NGFW settings
Task 1: Configure IPS for Cisco ASA NGFW Settings
Task 2: Configure IPS for Cisco ASA NGFW Filters

References
Module 8: Exploring the Cisco ASA NGFW WSE and AVC

Module Objective: Understand the basic features and concepts of Cisco ASA NGFW WSE & AVC.
Lesson 1: Introducing Cisco ASA Next Generation Firewall Web Security Essentials &
Application Visibility and Control
Lesson Objective: Describe Cisco Application Visibility and Control
Cisco Web Security Essentials Overview
Cisco Application Visibility and Control
Summary
Lesson 2: Configuring WSE & AVC

Lesson Objective:
Cisco ASA CX URL Filtering Configuration
Configuring AVC
Summary

Lab Objective: Describe how to configure and verify Cisco ASA NGFW web security
Task 1: Configuring Cisco ASA NGFW - Acceptable Use Policy (URL Filtering)
Task 2: Configuring Cisco ASA NFGW - Malware Blocking using Web Reputation

Lab Objective: Describe how to configure and verify Cisco ASA NGFW application visibility and control
Task 1: Configure the Cisco ASA NGFW Access Policy to Deny Any Executable File Download

References
Module 9: Introducing Cisco ASA Cloud Web Security

Lesson 1: Introducing Cisco ASA with Cisco Cloud Web Security
Cisco ASA with Cisco Cloud Web Security
Cisco ScanCenter
Cisco ASA with Cloud Web Security Authentication Keys
Summary
Lesson 2: Configuring Cisco ASA with Cisco Cloud Web Security

Lesson Objective: Configure the Cisco Cloud Web Security proxy servers and license in Cisco ASA
Cisco ASA and Cloud Web Security Proxy-Server Configuration
ScanCenter Generation of an Authentication Key for Cisco ASA
Traffic Redirection from Cisco ASA to Cloud Web Security Proxy Servers
Cisco ASA and Cloud Web Security Proxy Server User-Identity Configuration
Summary
Lab 9-1: Cisco ASA and Cloud Web Security Integration (Optional)
Lab Objective: Configure the Cisco ASA to integrate with Cisco Cloud Web Security
Task 1: Configure the Cisco ASA-to-Cloud Web Security Integration

References

Course Evaluation Template
Curriculum Evaluation
Effectiveness of the course will be evaluated at these Levels of Kirkpatrick’s performance evaluation.
Level 1: Reaction to the course
Course effects:
Course evaluation:
Level 2: Learning retained
Course effects:
Course evaluation:
Level 3: Performance changes after the course
Course effects:
Course evaluation:
Level 4: Results on the job, after the course
Course effects:
Course evaluation:
Lab Setup
General Information
Each student pod will contain a Cisco ASA 5512-X with an SSD, an outside router, along with the VMs for
the PCs and servers. Every two pods will share a Cisco Catalyst 3560-X Series Switch.
Laboratory Topology
Each lab pod consists of a Cisco ASA 5515-X with the SSD, a shared Cisco Unified Computing System
C22 server for implementing the Windows 7 and Linux/Kali VMs : the Microsoft Windows 2008 Server
VM.
Lab Topology Diagram
A lab topology is used where each pod is independent:
Inside-PC (Win 7) Syslog Server
CDA Inside-SRV (Win 2008 R2) AD/DNS

.4 .3
3
.2
Inside
192.168.1.0/24
Gi0/1 DMZ-SRV (Linux)
.1 VLAN 2xx
IPS or CX Gi0/2 .2
Px-ASA
.5 .1 DMZ 172.16.1.0/24
ASA 5500-X
VLAN 3xx
.2
Outside Gi0/0
209.165.201.0/27 VLAN 1xx
Fa0/0.1x
.1 209.165.202.128/27 Outside-PC (Win 7)
Px-Rtr .129 .131
VLAN 8xx
2610XM
Fa0/0.8x .130
Fa0/0.9x
209.165.200.226/27
VLAN 9xx
209.165.200.225/27 Outside-SRV (Linux)
Gi0/0.9x
Term Shared Cisco Lab
Server ISR VPN Gateway
.89 Gi0/1
Internet
172.16.150.0/24.254 gateway
In the Learning@Cisco lab setup, each Cisco Unified Computing System server also has a connection to the
backbone switch (ports 0/1 to 0/6). These connections are meant for students to use RDP to access the
springboard VMs for launching the VM, Cisco ASA, and router console connections.
For the Cisco Learning Partner remote lab environment, it is up to the CLPs for how they decide to manage
the physical servers for the VMs and how the students will access the VMs for their pods.

Laboratory Equipment
of 32 students (16 pods).
Manufactur
Description Part Number Quantity
er
Cisco ASA 5512-X (or ASA 5515-X) Cisco ASA5512-K9 16
SSD for the Cisco ASA 5500-X for CX Cisco ASA5500X-SSD120 16
WS-C3560X-24 pod switch Cisco WS-C3560X-24 8
WS-C3560X-24 backbone switch Cisco WS-C3560X-24 1
Pod router Cisco Cisco Learning Partner to decide 16

which router to use
Backbone shared router using VRFs (with Cisco ISR G2 (2900) 1

outbound Internet access)
Term server Cisco Cisco Learning Partner to decide 1

which router to use
ASA VPN gateway for the Cisco AnyConnect SSL Cisco Any ASA 1
VPN
Physical server for the VMs Cisco

Learning The Learning @Cisco lab uses the 6
Partner to Cisco Unified Computing System
decide which C22 server
server
hardware to
use and how
many
servers are
needed
VMs: Inside Windows 7 PC, Inside Windows 2008 1 set of

Server R2 Standard, DMZ Linux Server, Outside VMs per
Windows 7 PC, Outside Linux Server, Cisco CDA pod
Software List
Description Mfr. Part Number Qty.
Cisco 5500-X ASA 9.1.3 Image Cisco asa913-smp-k8.bin 16
Cisco ASDM 7.1.3 Cisco asdm-713.bin 16
Cisco ASA CX 9.2.1(52) boot image Cisco asacx-5500x-boot-9.2.1-52.img 16
Cisco ASA CX 9.1.2 package Cisco asacx-sys-9.2.1.2-52.pkg 16
Cisco AnyConnect 3.1.04059 package Cisco anyconnect-win.3.1.04059-k9.pk 16
Cisco ASA CX AVC and Web Security Subscription Cisco L-ASA5515-AW3Y-PR= 16

Licenses (or just use the free trial license and reset the
CX database when the trial license expires by using
the asa-cx> config reset command)

Description Mfr. Part Number Qty.
Cisco ASA CX K9 License (free with export restriction) Cisco 16
https://tools.cisco.com/SWIFT/LicensingUI/
loadDemoLicensee?FormId=2618
ScanSafe account Cisco Seat/Services: 20 Web 1
Windows 2008 Server R2 Standard License Microsoft Standard Edition Windows 2008 16
Server R2 License
Windows 7 License Microsoft Windows 7 License 16
Workstation Configuration
Set up the Windows and Linux VMs per the lab requirements.
Set up similar FTP, HTTP, and other services on the servers per the lab requirements.
Set up the inside server as the DNS server.

Initial Lab Build
This topic contains information that is required to interconnect the lab equipment.
Connections chart
Shared Router (ISR G2)

Gi0/1 allow outbound internet access
Term Server VPN GW Internet

Gi0/0
0/21 0/22
BB-Switch
0/11 0/12 0/18
UCS1 ……………. UCS6
0/22 & 0/23 0/22 & 0/23

To Switch-7
Switch-1 Switch-2 Switch-8
0/24 0/24 0/22 & 0/23 0/24
0/1 to 0/7 0/1 to 0/7 0/1 to 0/7
0/11 to 0/17 0/11 to 0.17 0/11 to 0/17
0/8 & 0/18 Fa0/8 & 18 0/8 & 0/18
0/0 0/0 0/0
……….
P1-ASA P3-ASA P16-ASA
P2-ASA P1-Rtr P4-ASA P3-Rtr P16-ASA P17-Rtr
P2-Rtr P4-Rtr P17-Rtr Trunk
Each Pod ASA has 7 interfaces connected to the pod switch (gi0/0 to gi0/5 and m0/0)
Each Pod Router has a single trunk interface connected to the pod switch
Each Pod Switch supports 2 Pods
Physical topology overview

General Lab Setup
This topic details the procedure to set up and configure the lab equipment.
Follow your own procedures to set up the physical servers for the VMs per the lab requirements. This
section does not cover the details on how to set up the physical servers for the VMs.
In the Learning@Cisco lab setup, vCenter is used to manage all of the ESXi servers. The vCenter and the
ESXi servers are connected to a lab management network (172.16.150.0/24). The term server
(172.16.150.90) is also set up on the lab management network (VLAN 10).
This section also does not cover the details on how to set up the inside server as the Active Directory server
and DNS server. Please refer to the Microsoft documentation for setting up the server.
A sample of each of the configurations is shown in the "Configuration Files Summary" section.
In the Learning@Cisco lab setup, all of the different VMs are set up in nonpersistent mode.
The ASAs in the lab should have the ASA CX module installed.
Note In the ASA CX labs, use the on-box PRSM only, not the multidevice off-box PRSM, because the next
version of the off-box PRSM will have big changes. There is no need to discuss how the current off-box
PRSM works (such as how the ASA CX and ASA devices are imported into the off-box PRSM and how
the off-box PRSM policy model works for configuring common policies across multiple ASA CX devices).
Configuration Files Summary

The ASA starting configuration can be the same for all pods except for the ASA hostname.
The pod router starting configuration can be the same for all pods except for the router hostname.
Six pod switches are used, one per every two pods. Each pod switch will require different VLANs that are
configured on it.
The shared backbone router is using VRFs to support the 16 different pods. The shared backbone router is
performing PAT for the outbound Internet access. For the Learning@Cisco lab, an outbound access list is
used to restrict the outbound Internet traffic from the lab pods. TCP intercept and IOS IPS are also used to
prevent students from triggering outbound scanning.
The Learning@Cisco lab has an extra spare pod setup (Pod 17).
! vlan 10 is the L@C lab management vlan for managing the physical ESXi servers and
term server and etc..)
!
vlan 10
name VLAN0010
!
!Example: outside vlan 1xx, xx =pod number, xx = 01 to 16.
!Example: inside vlan 2xx, xx =pod number, xx = 01 to 16.
!Example: dmz vlan 3xx, xx =pod number, xx = 01 to 16.
!Example: mgmt vlan 4xx, xx = odd pod number, only used in the Clustering lab.
!
vlan 101
name pod1-outside
vlan 201
name pod1-inside
vlan 301
name pod1-dmz
vlan 401
name pod1-mgmt
!

vlan 102
name pod2-outside
vlan 202
name pod2-inside
vlan 302
name pod2-dmz
!
vlan 103
name pod3-outside
vlan 203
name pod3-inside
vlan 303
name pod3-dmz
vlan 403
name pod3-mgmt
!
vlan 104
name pod4-outside
vlan 204
name pod4-inside
vlan 304
name pod4-dmz
!
vlan 105
name pod5-outside
vlan 205
name pod5-inside
vlan 305
name pod5-dmz
vlan 405
name pod5-mgmt
!
vlan 106
name pod6-outside
vlan 206
name pod6-inside
vlan 306
name pod6-dmz
!
vlan 107
name pod7-outside
vlan 207
name pod7-inside
vlan 307
name pod7-dmz
vlan 407
name pod7-mgmt
!
vlan 108
name pod8-outside
vlan 208
name pod8-inside
vlan 308
name pod8-dmz
!
vlan 109
name pod9-outside
vlan 209
name pod9-inside
vlan 309
name pod9-dmz
vlan 409
name pod9-mgmt

!
vlan 110
name pod10-outside
vlan 210
name pod10-inside
vlan 310
name pod10-dmz
!
vlan 111
name pod11-outside
vlan 211
name pod11-inside
vlan 311
name pod11-dmz
vlan 411
name pod11-mgmt
!
vlan 112
name pod12-outside
vlan 212
name pod12-inside
vlan 312
name pod12-dmz
!
vlan 113
name pod13-outside
vlan 213
name pod13-inside
vlan 313
name pod13-dmz
vlan 413
name pod13-mgmt
!
vlan 114
name pod14-outside
vlan 214
name pod14-inside
vlan 314
name pod14-dmz
!
vlan 115
name pod15-outside
vlan 215
name pod15-inside
vlan 315
name pod15-dmz
vlan 415
name pod15-mgmt
!
vlan 116
name pod16-outside
vlan 216
name pod16-inside
vlan 316
name pod16-dmz
!
vlan 117
name pod17-outside
vlan 217
name pod17-inside
vlan 317
name pod17-dmz
vlan 417

name pod17-mgmt
!
vlan 801
name pod1-serviceprovider
vlan 901
name pod1-internet
!
vlan 802
vlan 902
name pod2-internet
!
vlan 803
vlan 903
name pod3-internet
!
vlan 804
vlan 904
name pod4-internet
!
vlan 805
vlan 905
name pod5-internet
!
vlan 806
vlan 906
name pod6-internet
!
vlan 807
vlan 907
name pod7-internet
!
vlan 808
vlan 908
name pod8-internet
!
vlan 809
vlan 909
name pod9-internet
!
vlan 810
vlan 910
name pod10-internet
!
vlan 811
vlan 911
name pod11-internet
!
vlan 812
vlan 912
name pod12-internet
!
vlan 813

vlan 913
name pod13-internet
!
vlan 814
vlan 914
name pod14-internet
!
vlan 815
vlan 915
name pod15-internet
!
vlan 816
vlan 916
name pod16-internet
!
vlan 817
vlan 917
name pod17-internet
ASA Initial Configuration:

hostname Px-ASA
enable password C!sco!23
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 209.165.201.2 255.255.255.224
no shut
!
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
no shut
!
nameif dmz
security-level 50
ip address 172.16.1.1 255.255.255.0
no shut
!
no shutdown
!
no shutdown
!
no shutdown
!
interface Management0/0
no nameif management
no ip address
no shut
!
domain-name secure-x.local
!

dns domain-lookup inside
dns server-group DefaultDNS
name-server 192.168.1.2
!
boot system disk0:/asa912-smp-k8.bin
asdm image disk0:/asdm-713.bin
username student password C!sco!23 priv 15
username tec password C!sco!23 priv 15
http server enable
http 192.168.1.0 255.255.255.0 inside
aaa authentication http console LOCAL
ssh timeout 5
ssh 192.168.1.0 255.255.255.0 inside
console timeout 0
!
clock timezone pst -8
ntp server 10.81.254.202
!
!
route outside 0.0.0.0 0.0.0.0 209.165.201.1
!
!
class-map inspection_default
match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
!
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
Pod Router Initial Configuration:

version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Px-Rtr
!
enable secret cisco
!
ip subnet-zero

!
!
ip name-server 171.70.168.183
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
no shut
!
interface FastEthernet0/0.101
encapsulation dot1Q 101
ip address 209.165.201.1 255.255.255.224
!
ip address 209.165.202.129 255.255.255.224
!
ip address 209.165.200.226 255.255.255.224
!
ip classless
ip route 0.0.0.0 0.0.0.0 209.165.200.225
ip route 172.16.1.0 255.255.255.0 209.165.201.2
ip route 192.168.1.0 255.255.255.0 209.165.201.2
ip http server
!
!
!
line con 0
line aux 0
line vty 0 4
login
password cisco
Pod Switch Configuration for Nonclustering Labs (this example is only for Pod Switch-1, which supports
pods 1 and 2):
service timestamps debug uptime
service timestamps log uptime
!
hostname P1P2-Sw
!
no aaa new-model
ip subnet-zero
!
!
ip domain-name secure-x.com
!
vtp domain secure-x
vtp mode transparent
!
spanning-tree mode pvst
spanning-tree etherchannel guard misconfig
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!

!
!
description P1-ASA G0/0 (Outside)
switchport access vlan 101
switchport mode access
no shut
!
description P1-ASA G0/1 (Inside)
no shut
!
description P1-ASA G0/2 (DMZ)
no shut
!
description P1-ASA G0/3 (unused)
shutdown
!
shutdown
!
shutdown
!
description P1-ASA M0/0
no shutdown
!
description P1-Rtr F0/0 (trunk)
switchport trunk encapsulation dot1q
switchport mode trunk
no shut
!
!
!
description P2-ASA G0/0 (Outside)
no shut
!
description P2-ASA G0/1 (Inside)
no shut
!
description P2-ASA G0/2 (DMZ)

no shut
!
shutdown
!
shutdown
!
shutdown
!
description P2-ASA M0/0
no shut
!
description P2-Rtr F0/0 (trunk)
no shut
!
!
!
!
!
description ESX-Srv Pod1 Link
no shut
!
no shut
!
description BB-Sw Link (trunk)
no shut
!
interface Vlan1
no ip address
no ip route-cache
shutdown
!
ip http server
ip http secure-server
!
control-plane
!
!

line con 0
line vty 0 15
login
password cisco
Pod Switch Configuration for the Clustering Lab (this example is only for Pod Switch-1, which supports
pods 1 and 2):
hostname P1P2-Sw-Cluster
!
!
ip subnet-zero
no ip domain-lookup
!
!
!
description to ASA1 gi0/0 - outside
channel-group 1 mode active
no ip address
no shut
!
description to ASA1 gi0/1 - inside
no ip address
no shut
!
description to ASA1 gi0/2 - CCL
spanning-tree portfast
no ip address
no shut
!
no ip address
no shut
!
no ip address
no shut
!

no ip address
no shut
!
description to ASA1 m0/0 - mgmt
no ip address
no shut
!
description to pod1-router-fa0/0 - outside
no ip address
no shut
!
!
!
no ip address
no shut
!
no ip address
no shut
!
description to ASA2 gi0/2 - ccl
no ip address
no shut
!
no ip address
no shut
!
no ip address
no shut

!
no ip address
no shut
!
description to ASA2 m0/0 - mgmt
no ip address
no shut
!
description to pod2-router-fa0/0 - not used in cluster lab
shut
!
no shut
!
no shut
!
description BB-Sw Link (trunk)
no shut
Shared Backbone Router (ISR-G2) Initial Configuration:

service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service sequence-numbers
!
hostname BB-Rtr
!
boot-start-marker
boot-end-marker
!
!
vrf definition pod01
description Internet access for pod 1
rd 1:1
!
address-family ipv4
exit-address-family
!
rd 2:2
!
address-family ipv4

exit-address-family
!
rd 3:3
!
address-family ipv4
exit-address-family
!
rd 4:4
!
address-family ipv4
exit-address-family
!
rd 5:5
!
address-family ipv4
exit-address-family
!
rd 6:6
!
address-family ipv4
exit-address-family
!
rd 7:7
!
address-family ipv4
exit-address-family
!
rd 8:8
!
address-family ipv4
exit-address-family
!
rd 9:9
!
address-family ipv4
exit-address-family
!
rd 10:10
!
address-family ipv4
exit-address-family
!
rd 11:11
!
address-family ipv4

exit-address-family
!
rd 12:12
!
address-family ipv4
exit-address-family
!
rd 13:13
!
address-family ipv4
exit-address-family
!
rd 14:14
!
address-family ipv4
exit-address-family
!
rd 15:15
!
address-family ipv4
exit-address-family
!
rd 16:16
!
address-family ipv4
exit-address-family
!
rd 17:17
!
address-family ipv4
exit-address-family
!
no logging console
enable secret 4 E4DbAFTuwtHWgeDbf26D1IEPfPTiddXoyYQC9hTlZ9o
!
aaa new-model
!
!
aaa session-id common
clock timezone PST -7 0
!
no ip source-route
ip cef
!
no ip bootp server
ip domain name secure-x.local
ip ips config location flash:ips retries 1

ip ips notify SDEE
ip ips name ips list 199
!
ip ips signature-category
category all
retired true
category ios_ips basic
retired false
!
no ipv6 cef
!
parameter-map type inspect DoS-param-map
max-incomplete low 100
max-incomplete high 200
one-minute low 50
one-minute high 100
udp idle-time 5
icmp idle-time 1
tcp synwait-time 5
tcp max-incomplete host 5 block-time 2
sessions maximum 2000
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint TP-self-signed-36482759
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-36482759
revocation-check none
rsakeypair TP-self-signed-36482759
!
!
crypto pki certificate chain TP-self-signed-36482759
certificate self-signed 01
30820227 30820190 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
2F312D30 2B060355 04031324 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33363438 32373539 301E170D 31333037 30333136 33373530
5A170D32 30303130 31303030 3030305A 302F312D 302B0603 55040313 24494F53
2D53656C 662D5369 676E6564 2D436572 74696669 63617465 2D333634 38323735
3930819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281 8100C892
24B73CEA 9DFE2FF5 06083000 ACB94C03 4441B280 E176AA44 9EBAE806 F41D11FA
89952C60 1BF01533 BD86D4B6 3CD0966E 04637F44 FB256453 9A9BD7C1 9198DD4F
ABF2084B 1580AE00 A89E146A E532A949 D87532AF 35E79A1A 85ABC15D 9740BDD4
301732F2 F41B623C E80782A3 C20E9993 74F21008 503678ED EEEF030C 40650203
010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603 551D2304
18301680 1493A5FB F8C4C5B2 35695314 33FFA9C3 BFE035E1 21301D06 03551D0E
04160414 93A5FBF8 C4C5B235 69531433 FFA9C3BF E035E121 300D0609 2A864886
F70D0101 05050003 8181005A 5B7E3057 6BC99037 032A68F9 250B2A87 AE7507AF
74A74BEA D9AF8B3F 562EC19C FF45D91B A1C55D44 465AC1AF F0C3058D F77C0742
7C760320 838C0DB8 939DA2A6 EA33E349 0B4D8E04 8809DF5D AD969DF0 AA512F4E
0C296B1C 97C73644 A813C48C 38C67E41 069B4B27 C97AD5BD 71AA92D8 7BFF6F62
95B2C532 0FC88CAB 0A283B
quit
license udi pid CISCO2901/K9 sn FTX1712Y080
!
!
username student password 0 cisco
username tec privilege 15 password 0 b33rb0y
!
redundancy
!
crypto key pubkey-chain rsa
named-key realm-cisco.pub signature

key-string
30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
00C19E93 A8AF124A D6CC7A24 5097A975 206BE3A2 06FBA13F 6F12CB5B 4E441F16
17E630D5 C02AC252 912BE27F 37FDD9C8 11FC7AF7 DCDD81D9 43CDABC3 6007D128
B199ABCB D34ED0F9 085FADC1 359C189E F30AF10A C0EFB624 7E0764BF 3E53053E
5B2146A9 D7A5EDE3 0298AF03 DED7A5B8 9479039D 20F30663 9AC64B93 C0112A35
FE3F0C87 89BCB7BB 994AE74C FA9E481D F65875D6 85EAF974 6D9CC8E3 F0B08B85
50437722 FFBE85B9 5E4189FF CC189CB9 69C46F9C A84DFBA5 7A0AF99E AD768C36
006CF498 079F88F8 A3B3FB1F 9FB7B3CB 5539E1D1 9693CCBB 551F78D2 892356AE
2F56D826 8918EF3C 80CA4F4D 87BFCA3B BFF668E9 689782A5 CF31CB6E B4B094D3
F3020301 0001
quit
!
!
!
!
!
ip tcp synwait-time 10
!
class-map type inspect match-all all
match access-group 101
!
policy-map type inspect in-to-out-pmap
class type inspect all
inspect DoS-param-map
class class-default
drop
!
zone security in
zone security out
zone-pair security in-out source in destination out
service-policy type inspect in-to-out-pmap
csdb tcp synwait-time 30
csdb tcp idle-time 3600
csdb tcp finwait-time 5
csdb tcp reassembly max-memory 1024
csdb tcp reassembly max-queue-length 16
csdb udp idle-time 30
csdb icmp idle-time 10
csdb session max-session 65535
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/0.901
vrf forwarding pod01
ip address 209.165.200.225 255.255.255.224
ip nat inside
ip virtual-reassembly in
zone-member security in
!
ip address 209.165.200.225 255.255.255.224

ip nat inside
!
ip address 209.165.200.225 255.255.255.224
ip nat inside
!
ip address 209.165.200.225 255.255.255.224
ip nat inside
!
ip address 209.165.200.225 255.255.255.224
ip nat inside
!
ip address 209.165.200.225 255.255.255.224
ip nat inside
!
ip address 209.165.200.225 255.255.255.224
ip nat inside
!
ip address 209.165.200.225 255.255.255.224
ip nat inside
!
ip address 209.165.200.225 255.255.255.224
ip nat inside
!

ip address 209.165.200.225 255.255.255.224
ip nat inside
!
ip address 209.165.200.225 255.255.255.224
ip nat inside
!
ip address 209.165.200.225 255.255.255.224
ip nat inside
!
ip address 209.165.200.225 255.255.255.224
ip nat inside
!
ip address 209.165.200.225 255.255.255.224
ip nat inside
!
ip address 209.165.200.225 255.255.255.224
ip nat inside
!
ip address 209.165.200.225 255.255.255.224
ip nat inside
!
ip address 209.165.200.225 255.255.255.224
ip nat inside
!
ip address 172.16.150.89 255.255.255.0

ip access-group 100 out
ip nat outside
ip ips ips out
zone-member security out
duplex auto
speed auto
!
interface GigabitEthernet0/0/0
no ip address
!
no ip address
!
no ip address
!
no ip address
!
interface Vlan1
no ip address
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip dns server
ip nat inside source list NAT-SRC interface GigabitEthernet0/1 vrf pod01 overload
ip route 0.0.0.0 0.0.0.0 172.16.150.254
ip route vrf pod01 0.0.0.0 0.0.0.0 GigabitEthernet0/1 172.16.150.254 global 2
ip route vrf pod01 172.16.1.0 255.255.255.0 209.165.200.226
ip route vrf pod01 192.168.1.0 255.255.255.0 209.165.200.226
ip route vrf pod01 209.165.201.0 255.255.255.224 209.165.200.226
ip route vrf pod01 209.165.202.128 255.255.255.224 209.165.200.226
ip route vrf pod02 172.16.1.0 255.255.255.0 209.165.200.226
ip route vrf pod02 192.168.1.0 255.255.255.0 209.165.200.226
ip route vrf pod02 209.165.201.0 255.255.255.224 209.165.200.226
ip route vrf pod02 209.165.202.128 255.255.255.224 209.165.200.226
ip route vrf pod03 172.16.1.0 255.255.255.0 209.165.200.226
ip route vrf pod03 192.168.1.0 255.255.255.0 209.165.200.226

ip route vrf pod03 209.165.201.0 255.255.255.224 209.165.200.226
ip route vrf pod03 209.165.202.128 255.255.255.224 209.165.200.226
ip route vrf pod04 172.16.1.0 255.255.255.0 209.165.200.226
ip route vrf pod04 192.168.1.0 255.255.255.0 209.165.200.226
ip route vrf pod04 209.165.201.0 255.255.255.224 209.165.200.226
ip route vrf pod04 209.165.202.128 255.255.255.224 209.165.200.226
ip route vrf pod05 172.16.1.0 255.255.255.0 209.165.200.226
ip route vrf pod05 192.168.1.0 255.255.255.0 209.165.200.226
ip route vrf pod05 209.165.201.0 255.255.255.224 209.165.200.226
ip route vrf pod05 209.165.202.128 255.255.255.224 209.165.200.226
ip route vrf pod06 172.16.1.0 255.255.255.0 209.165.200.226
ip route vrf pod06 192.168.1.0 255.255.255.0 209.165.200.226
ip route vrf pod06 209.165.201.0 255.255.255.224 209.165.200.226
ip route vrf pod06 209.165.202.128 255.255.255.224 209.165.200.226
ip route vrf pod07 172.16.1.0 255.255.255.0 209.165.200.226
ip route vrf pod07 192.168.1.0 255.255.255.0 209.165.200.226
ip route vrf pod07 209.165.201.0 255.255.255.224 209.165.200.226
ip route vrf pod07 209.165.202.128 255.255.255.224 209.165.200.226
ip route vrf pod08 172.16.1.0 255.255.255.0 209.165.200.226
ip route vrf pod08 192.168.1.0 255.255.255.0 209.165.200.226
ip route vrf pod08 209.165.201.0 255.255.255.224 209.165.200.226
ip route vrf pod08 209.165.202.128 255.255.255.224 209.165.200.226
ip route vrf pod09 172.16.1.0 255.255.255.0 209.165.200.226
ip route vrf pod09 192.168.1.0 255.255.255.0 209.165.200.226
ip route vrf pod09 209.165.201.0 255.255.255.224 209.165.200.226
ip route vrf pod09 209.165.202.128 255.255.255.224 209.165.200.226
ip route vrf pod10 172.16.1.0 255.255.255.0 209.165.200.226
ip route vrf pod10 192.168.1.0 255.255.255.0 209.165.200.226
ip route vrf pod10 209.165.201.0 255.255.255.224 209.165.200.226
ip route vrf pod10 209.165.202.128 255.255.255.224 209.165.200.226
ip route vrf pod11 172.16.1.0 255.255.255.0 209.165.200.226
ip route vrf pod11 192.168.1.0 255.255.255.0 209.165.200.226
ip route vrf pod11 209.165.201.0 255.255.255.224 209.165.200.226
ip route vrf pod11 209.165.202.128 255.255.255.224 209.165.200.226
ip route vrf pod12 172.16.1.0 255.255.255.0 209.165.200.226
ip route vrf pod12 192.168.1.0 255.255.255.0 209.165.200.226
ip route vrf pod12 209.165.201.0 255.255.255.224 209.165.200.226
ip route vrf pod12 209.165.202.128 255.255.255.224 209.165.200.226
ip route vrf pod13 172.16.1.0 255.255.255.0 209.165.200.226
ip route vrf pod13 192.168.1.0 255.255.255.0 209.165.200.226
ip route vrf pod13 209.165.201.0 255.255.255.224 209.165.200.226
ip route vrf pod13 209.165.202.128 255.255.255.224 209.165.200.226
ip route vrf pod14 172.16.1.0 255.255.255.0 209.165.200.226
ip route vrf pod14 192.168.1.0 255.255.255.0 209.165.200.226
ip route vrf pod14 209.165.201.0 255.255.255.224 209.165.200.226
ip route vrf pod14 209.165.202.128 255.255.255.224 209.165.200.226
ip route vrf pod15 172.16.1.0 255.255.255.0 209.165.200.226
ip route vrf pod15 192.168.1.0 255.255.255.0 209.165.200.226
ip route vrf pod15 209.165.201.0 255.255.255.224 209.165.200.226
ip route vrf pod15 209.165.202.128 255.255.255.224 209.165.200.226

ip route vrf pod16 172.16.1.0 255.255.255.0 209.165.200.226
ip route vrf pod16 192.168.1.0 255.255.255.0 209.165.200.226
ip route vrf pod16 209.165.201.0 255.255.255.224 209.165.200.226
ip route vrf pod16 209.165.202.128 255.255.255.224 209.165.200.226
ip route vrf pod17 172.16.1.0 255.255.255.0 209.165.200.226
ip route vrf pod17 192.168.1.0 255.255.255.0 209.165.200.226
ip route vrf pod17 209.165.201.0 255.255.255.224 209.165.200.226
ip route vrf pod17 209.165.202.128 255.255.255.224 209.165.200.226
!
ip access-list extended NAT-SRC
permit ip 192.168.1.0 0.0.0.255 any
permit ip 172.16.1.0 0.0.0.255 any
permit ip 209.165.201.0 0.0.0.255 any
permit ip 209.165.202.0 0.0.0.255 any
permit ip 209.165.200.0 0.0.0.255 any
!
access-list 23 permit any
access-list 100 deny ip any 172.16.0.0 0.0.255.255
access-list 100 deny ip any 128.107.246.0 0.0.0.255
access-list 100 permit tcp any any eq www
access-list 100 permit tcp any any eq 443
access-list 100 permit tcp any any eq smtp
access-list 100 permit tcp any any eq ftp
access-list 100 permit tcp any any eq ftp-data
access-list 100 permit tcp any any eq domain
access-list 100 permit udp any any eq ntp
access-list 100 permit icmp any any
access-list 100 permit udp any any eq domain
access-list 100 permit tcp any any eq 8080
access-list 101 permit ip any any
access-list 199 permit ip any any
!
!
control-plane
!
!
!
line con 0
exec-timeout 5 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
password cisco
transport input ssh
line vty 5 24
password cisco
transport input ssh
line vty 25 1114
transport input ssh
!
scheduler allocate 20000 1000
ntp server clock.cisco.com
Backbone Switch Initial Configuration:

service timestamps debug datetime msec

service timestamps log datetime msec
!
hostname BB-Sw
!
boot-start-marker
boot-end-marker
!
no aaa new-model
system mtu routing 1500
ip subnet-zero
!
crypto pki trustpoint TP-self-signed-1902717568
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1902717568
revocation-check none
rsakeypair TP-self-signed-1902717568
!
!
crypto pki certificate chain TP-self-signed-1902717568
certificate self-signed 01
3082023E 308201A7 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31393032 37313735 3638301E 170D3933 30333031 30303030
35325A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 39303237
31373536 3830819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100F264 4C62C26B 7EEEE8BD 14769F40 94D5CFE0 6C80115E F26E63CC D02B0E83
E33C3787 D8E37A99 13549336 E76985DC DC0E670B 868B0644 19A66F40 3462C350
8FE9DF74 97A53109 4B0F7548 7FE19991 DFD130B0 98369E87 2BA27A27 6F6D55E3
5A1D4A49 E6431403 D40F7923 4284C4F9 946BC4C0 B3FCE911 D21438FF B9125A99
08AF0203 010001A3 66306430 0F060355 1D130101 FF040530 030101FF 30110603
551D1104 0A300882 0642422D 53772E30 1F060355 1D230418 30168014 B1631FBE
A5DEF293 9B31DA4C 3DAF36E1 14F02963 301D0603 551D0E04 160414B1 631FBEA5
DEF2939B 31DA4C3D AF36E114 F0296330 0D06092A 864886F7 0D010104 05000381
81006281 94F2D28E 29BE35FF C03B0C19 676511D0 DDA702A1 EA5F9AE4 5BCE3663
B0459698 07C77F5D B86EED77 98AF8B18 9F0BDAE9 70824A0D 3F44C1CB 95DA1A4B
F3EE8658 56386034 072E4526 6B6C2BD1 CA1A0410 2A6DFF0A B881E6C6 AB9FE7B7
7BA2634E 8DE7CAF6 089EE45A 954D3EB3 D4C932C7 571C66E8 56407115 27FF194A 7B0B
quit
!
spanning-tree mode pvst
spanning-tree etherchannel guard misconfig
!
vlan internal allocation policy ascending
!
!
!
!
!
!
!
!
!

!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Vlan1
no ip address
no ip route-cache
!
ip http server
!
control-plane
!
!
line con 0
line vty 0 4
no login
line vty 5 15
no login

Lab IP Addressing
Lab IP addressing
Lab Device IP Address
Cisco ASA inside interface (Gi0/1) 192.168.1.1/24
Cisco ASA outside interface (Gi0/0) 209.165.201.2/27
Cisco ASA DMZ interface (Gi0/2) 172.16.1.1/24
Outside router ASA-facing interface (Fa0/0.1x) 209.165.201.1/27
Outside router Internet-facing interface (Fa0/0.9x) 209.165.200.226/27
Outside router service provider/outside network-facing interface (Fa0/0.8x) 209.165.202.129/27
Inside server (Windows 2008 Server) 192.168.1.2/24
Inside PC (Windows 7) 192.168.1.3/24
DMZ server (Linux/Kali) 172.16.1.2/24
Outside PC (Windows 7) 209.165.202.131/27
Outside server (Linux/Kali) 209.165.202.130/27

Lab Details
Lab 2-1: Preparing Cisco ASA for Network Integration and
Configuring Basic Settings
This topic details the lab activity for Lab 2-1: Preparing Cisco ASA for Network Integration and
Configuring Basic Settings.
Objectives
Upon completing this exercise, you will be able to:
Verify Cisco ASA security appliance and Cisco ASDM versions
Initialize the Cisco ASA security appliance from the CLI
Launch Cisco ASDM and test SSH access
Configure and verify interfaces
Configure system management parameters
Visual Objective
The figure illustrates the lab topology.
Visual Objective

This topic details the lab activity for Lab 3-1: Configuring NAT and Basic Access Control.
Objectives
Configure object NAT for the inside network and DMZ server
Configure manual NAT for the DMZ server and client network

Configure an access rule to allow outside access to the DMZ server
Visual Objective
Visual Objective
Inside-PC (Win 7)
Syslog Srv
.3 .2
Inside 192.168.1.0/24
Gi0/1 vlan 2xx Inside-SRV
.1 (Win 2008 R2) AD/DNS
Px-ASA Gi0/2 .2
IPS or CX
ASA 5500-X .5 .1 dmz 172.16.1.0/24
vlan 3xx
.2 DMZ-SRV (Linux)
Outside Gi0/0
209.165.201.0/27 vlan 1xx
Fa0/0.1x
.1 209.165.202.128/27
Px-Rtr .129 vlan 8xx .131
2610XM Fa0/0.8x .130
Lab Topology Fa0/0.9x Outside-PC (Win 7)
Pod XX 209.165.200.226/27
(XX = 01 to 16) vlan 9xx
Gi0/0.9x
Term Cisco Lab
Server Shared ISR
VPN Gateway
.89 Gi0/1
Internet
172.16.150.0/24
.254 gateway
Lab 4-1: Configure Cisco AnyConnect Client SSL VPN

Solution
This topic details the lab activity for Lab 4-1: Configure Cisco AnyConnect Client SSL VPN Solution.
Objectives
In this activity, you will configure and verify baseline client-based, SSL VPN remote access features of the
Cisco AnyConnect client and the Cisco ASA security appliance. After completing this activity, you will be
able to meet these objectives:
Configure basic Cisco AnyConnect Client SSL VPN support on the Cisco ASA security appliance
Configure a connection profile and a group policy with all required settings for Cisco AnyConnect
Client SSL VPN remote access users
Establish a Cisco AnyConnect Client SSL VPN between the client and the gateway
Verify the Cisco AnyConnect Client SSL VPN configuration and test connectivity over the configured
VPN connection
Visual Objective

Visual Objective
Inside-PC (Win 7)
Syslog Srv
.3 .2
Inside 192.168.1.0/24
Gi0/1 vlan 2xx Inside-SRV
.1 (Win 2008 R2) AD/DNS
Px-ASA Gi0/2 .2
IPS or CX
ASA 5500-X .5 .1 dmz 172.16.1.0/24
vlan 3xx
.2 DMZ-SRV (Linux)
Outside Gi0/0
209.165.201.0/27 vlan 1xx
Fa0/0.1x
.1 209.165.202.128/27
Px-Rtr .129 vlan 8xx .131
2610XM Fa0/0.8x .130
Lab Topology Fa0/0.9x Outside-PC (Win 7)
Pod XX 209.165.200.226/27
(XX = 01 to 16) vlan 9xx
Gi0/0.9x
Term Cisco Lab
Server Shared ISR
VPN Gateway
.89 Gi0/1
Internet
172.16.150.0/24
.254 gateway
Lab 6-1: Preparing the Cisco ASA NGFW and Configuring the
Cisco ASA for Traffic Redirection
This topic details the lab activity for Lab 6-1: Preparing the Cisco ASA NGFW and Configuring the Cisco
ASA for Traffic Redirection.
Objectives
Describe how to install and setup ASA CX Software Module.
Describe how to redirect traffic from the Cisco ASA to the Cisco ASA NGFW.
Discuss the on-box PRSM GUI.
Visual Objective
The figure illustrates what you will accomplish in this activity.

Visual Objective

.4 .3
3
.2
Inside
192.168.1.0/24
.1 VLAN 2xx
IPS or CX Gi0/2 .2
Px-ASA
.5 .1 DMZ 172.16.1.0/24
ASA 5500-X
VLAN 3xx
.2
Outside Gi0/0
209.165.201.0/27 VLAN 1xx
Fa0/0.1x
.1 209.165.202.128/27 Outside-PC (Win 7)
Px-Rtr .129 .131
VLAN 8xx
2610XM
Fa0/0.8x .130
Fa0/0.9x
209.165.200.226/27
VLAN 9xx
Gi0/0.9x
.89 Gi0/1
Internet
172.16.150.0/24.254 gateway
This topic details the lab activity for Lab 7-1: Configure IPS for Cisco ASA NGFW Settings & Filters.
Objectives
Describe how to configure and verify IPS for Cisco ASA NGFW settings
Describe how to configure and verify IPS for Cisco ASA NGFW filters
Visual Objective

Visual Objective

.4 .3
3
.2
Inside
192.168.1.0/24
.1 VLAN 2xx
IPS or CX Gi0/2 .2
Px-ASA
.5 .1 DMZ 172.16.1.0/24
ASA 5500-X
VLAN 3xx
.2
Outside Gi0/0
209.165.201.0/27 VLAN 1xx
Fa0/0.1x
.1 209.165.202.128/27 Outside-PC (Win 7)
Px-Rtr .129 .131
VLAN 8xx
2610XM
Fa0/0.8x .130
Fa0/0.9x
209.165.200.226/27
VLAN 9xx
Gi0/0.9x
.89 Gi0/1
Internet
172.16.150.0/24.254 gateway

This topic details the lab activity for Lab 8-1: Cisco ASA NGFW Web Security Essentials.
Objectives
Describe how to configure and verify Cisco ASA NGFW web security
Visual Objective
Visual Objective

.4 .3
3
.2
Inside
192.168.1.0/24
.1 VLAN 2xx
IPS or CX Gi0/2 .2
Px-ASA
.5 .1 DMZ 172.16.1.0/24
ASA 5500-X
VLAN 3xx
.2
Outside Gi0/0
209.165.201.0/27 VLAN 1xx
Fa0/0.1x
.1 209.165.202.128/27 Outside-PC (Win 7)
Px-Rtr .129 .131
VLAN 8xx
2610XM
Fa0/0.8x .130
Fa0/0.9x
209.165.200.226/27
VLAN 9xx
Gi0/0.9x
.89 Gi0/1
Internet
172.16.150.0/24.254 gateway

This topic details the lab activity for Lab 8-2: Cisco ASA NGFW Application Visibility & Control.
Objectives
Describe how to configure and verify Cisco ASA NGFW application visibility and control
Visual Objective
Visual Objective

.4 .3
3
.2
Inside
192.168.1.0/24
.1 VLAN 2xx
IPS or CX Gi0/2 .2
Px-ASA
.5 .1 DMZ 172.16.1.0/24
ASA 5500-X
VLAN 3xx
.2
Outside Gi0/0
209.165.201.0/27 VLAN 1xx
Fa0/0.1x
.1 209.165.202.128/27 Outside-PC (Win 7)
Px-Rtr .129 .131
VLAN 8xx
2610XM
Fa0/0.8x .130
Fa0/0.9x
209.165.200.226/27
VLAN 9xx
Gi0/0.9x
.89 Gi0/1
Internet
172.16.150.0/24.254 gateway
Lab 9-1: Cisco ASA and Cloud Web Security Integration

(Optional)
This topic details the lab activity for Lab 9-1: Cisco ASA and Cloud Web Security Integration (Optional).
Objectives
Upon completing this lesson, you will be able to:
Configure the Cisco ASA to integrate with Cisco Cloud Web Security
Visual Objective

Visual Objective

.4 .3
3
.2
Inside
192.168.1.0/24
.1 VLAN 2xx
IPS or CX Gi0/2 .2
Px-ASA
.5 .1 DMZ 172.16.1.0/24
ASA 5500-X
VLAN 3xx
.2
Outside Gi0/0
209.165.201.0/27 VLAN 1xx
Fa0/0.1x
.1 209.165.202.128/27 Outside-PC (Win 7)
Px-Rtr .129 .131
VLAN 8xx
2610XM
Fa0/0.8x .130
Fa0/0.9x
209.165.200.226/27
VLAN 9xx
Gi0/0.9x
.89 Gi0/1
Internet
172.16.150.0/24.254 gateway
Setup Notes
From ScanCenter, create a simple web-filtering rule to block using the "default" web filter.
Common Issues
This subtopic presents common issues for this lab.
During the optional step for configuring the ASA to send a default username and group name, if the
ASA is reporting a previously logged-in Active Directory user to ScanSafe instead, use the clear user-
identity active-user-database command to remove all the user-to-IP mappings on the ASA.

Memoria TFG

Hochgeladen von

Dokumentinformationen

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

Memoria TFG

Hochgeladen von

Copyright:

Verfügbare Formate

SAEXS

Part Number: partnumber (Ignore: for DTP only)

© 2014 Cisco Systems, Inc.

ii ASA Express © 2014 Cisco Systems, Inc.

Job Tasks and Domain and Skill Objectives

Domain # Domains Skill Objectives/Job Tasks

x Domain (Claim) 1 First Skill Objective/Job Task of

x.01 Second Skill Objective/Job Task of

Domain # Domains Skill Objectives/Job Tasks

n-th Domain First Skill Objective/Job Task of n-th

Day 1 Course Intro Configuring ASA Basic Access Control

Introducing the Combined NGFW Security Services

Required Classroom Environment

Instructor Certification Requirements

Laboratory Topology (Delivery)

Description Mfr. Part Number Total Qty.

Learner Pod Equipment – X learners per pod – Y pods

C-4 ASA Express © 2014 Cisco Systems, Inc.

Other Required Equipment

[Insert instructions to set up, locate, prepare for, or conduct activities]

Initial Lab Build

General Lab Setup

Notes on Delivery Lab Equipment

Development Lab Equipment Requirements

Required Materials Laboratory Topology (Development)

© 2014 Cisco Systems, Inc. Course Guide C-5

Description Mfr. Part Number Total Qty.

Learner Pod Equipment – x pods for development

Other Required Equipment

Notes on Development Lab Equipment

C-6 ASA Express © 2014 Cisco Systems, Inc.

Full Title of Course Cisco ASA Express Security

Course Order Code SAEXS

Course Version Number 1.0

New Course? Yes

Curricula, specializations, and learning maps:

Course Goal and Objectives

Describe how to configure

Course Goals Choose, configure, and

Introduce and Deploy Cisco

Describe NGFW Security

Describe how to configure IPS

Describe the Cisco ASA NFWG

Explore Cisco ASA Active/

© 2014 Cisco Systems, Inc.

C-8 ASA Express © 2014 Cisco Systems, Inc.

Course Instruction Details

Required Classroom Environment

Detailed Course Flow

8:30–9:20 (0830–0920) Introducing Cisco ASA Solutions

9:30–10:40 (0930–1040) Exploring Cisco ASA Connectivity

10:50–12:00 (1050–1200) Lab 2-1: Preparing Cisco ASA for

12:00–1:00 (1200–1300) Lunch

1:00–1:50 (1300–1350) Configuring ASA Basic Access

Lab 3-1: Configuring NAT and Basic

2:00–2:50 (1400–1450) Deploying Cisco Remote Access

3:00–5:00 (1500–1700) Lab 4-1: Configure Ciscon

5:00 (1700) Day ends

© 2014 Cisco Systems, Inc. Course Guide C-9

8:30–9:20 (0830–0920) Introducing the Combined

9:30–10:30 (0930–1030) Lab 6-1: Preparing the Cisco ASA

10:40–11:15 (1000–1115) Exploring IPS for Cisco ASA NGFW -

11:15–12:00 (1115–1200) Lab 7-1: Configure IPS for Cisco ASA

12:00–12:00 (1200–1300) Lunch