Deploying Cisco ASA Firewall Solutions (FIREWALL) v2.0. Global Knowledge European Remote Labs Instructor Guide

Transcription

1 Deploying Cisco ASA Firewall Solutions (FIREWALL) v2.0 Global Knowledge European Remote Labs Instructor Guide

2 1. Contents 1. Contents Introduction Remote Labs Topology, Connections and Setup Initial Lab Configuration Set-up Lab Clear Down Procedure Lab Exercises Support Information Web Support Portal Telephone Other Contact Methods Copyright Global Knowledge Page 2

3 2. Introduction This guide has been developed to complement the existing Cisco CAG and Lab Guides, relating to the Deploying Cisco ASA Firewall Solutions v2.0 course. As such, this document should ONLY be read and utilised in conjunction with those Cisco guides. The Global Knowledge FIREWALL v2.0 European Remote Lab has been built to mirror, as closely as possible, the Cisco lab configuration. You may therefore assume that any detail not contained in this Remote Lab Instructor Guide will remain as documented in the Cisco manuals. Instructions and login/connection details for access to the Global Knowledge European Remote lab solution will be provided via an Access . This will contain links to any required documentation, along with detail of contact methods to obtain further information and Support services. Copyright Global Knowledge Page 3

4 3. Remote Labs Topology, Connections and Setup FIREWALL v2.0 Instructor Web Page - Figure 3-1 Core Devices The RBB router is common to all pods and provides the Internet Backbone connection. There are 2 Core Switches deployed for the 8 pod, 8 delegate racks, but only 1 Core Switch for the 4 pod, 4 delegate racks. Core Switch 2 is not required for the smaller racks. Lab IP Addressing The Pod Addressing scheme follows the Cisco Lab Guide, with each Pod using an identical addressing scheme. The RBB and Core Switch(es) are configured with vlans and vrf routing to allow for this. Copyright Global Knowledge Page 4

5 4. Initial Lab Configuration Set-up PC Logins Load the Base configurations for all devices from the Device Management tool on the Instructor Web Access page. All PC s will have been reset to default, prior to the lab being available for use. It is recommended for the ASA s to first run the Erase Device then Load Base Config occasionally a previous class may not have cleared down correctly and the Erase will ensure no configuration corruption. Note: The initial configuration for the Pod ASA Firewalls will ensure that the correct starting IOS and ASDM files are loaded. The Core RBB Router is used as an NTP Master Clock for the ASA s Ensure that the Router clock is set to the current time/date. The Pod Client and Server logins for all pods are: Core Device Logins Username: administrator Password: cisco Core Router logins are: VTY password: cisco Enable password: globalk For several labs, the students are required to login to the Core RBB router: Username: student Password: cisco Core Switch logins are: Enable password: globalk Copyright Global Knowledge Page 5

6 IMPORTANT NOTE Loading Lab Start Configurations The course lab exercises are written such that each lab builds on the configuration completed in the previous lab exercise. It is therefore not normally necessary to load the Lab Start configuration for each lab However, there may be circumstances where the lab has not been completed fully and successfully. To assist in these circumstances, Lab Start Configurations have been provided, via the Device Management tool, for each lab. There are 2 important points to remember when using these Lab Start Configs, however: 1. A number of lab exercises may demand the uploading of additional software to the ASA Flash memory. Loading a Lab Start Configuration will not install these files. The Instructor/Student(s) should identify whether these files are in place and, where necessary, identify and perform, from previous lab exercises, the lab steps required to upload/construct these files. 2. The Student ASDM sessions to the ASA s should be closed down, prior to loading the Lab Start Configs for the next lab. Failure to do this could result in cached config data from the ASDM sessions overwriting the new Lab Start Config and cause lab errors. Copyright Global Knowledge Page 6

7 5. Lab Clear Down Procedure Load the Base configurations for all of the Core Devices and Erase all of the ASA devices, from the Device Management tool on the Instructor Web Access page. The PC clear down/revert will be performed by the Remote Lab Support team. Notify Remote Lab Support that you have finished using the equipment by replying to the End of Course Confirmation , which will have been sent to you during the class. Please do NOT reply to the End of Course Confirmation for ANY OTHER purpose this may cause confusion, it may be taken that you have completed your class and your rack may be disconnected or cleared as a result..!! If, for any reason, you have not received the above , please send an to the Support address (Section 2 above), confirming the Course and Rack used, that you have completed the class and finished using the equipment. IMPORTANT NOTE It is normally expected that your class will finish at 5pm in your local time zone. If for ANY reason, you anticipate requiring a later finish, please ENSURE that you notify the Support team as early as possible, CLEARLY stating the need to extend access after normal class hours. Please ensure that you receive a RESPONSE from the Support team confirming this. Copyright Global Knowledge Page 7

8 6. Lab Exercises Lab 2-1: Preparing the Cisco ASA Adaptive Security Appliance for Network Integration Setup Setup is completed as part of the Initial Lab Setup (as detailed in Section 4 of this guide). Task 1 Step 6: Verify that the running image and the Cisco ASDM image are correct. For this lab, you should have a Cisco ASA device image of 8.4(2) and a Cisco ASDM image of 6.4(5) Task 2 Step 2: Set the interface Speed to 100 and the Duplex to Full. Task 3 Step 2: From a Web Browser, start Cisco ASDM with a URL of: Step 3: The Cisco ASDM 6.4(5) window appears. Step 4: Click on the Run ASDM button in the Run Cisco ASDM as a Java Web Start Application window. Copyright Global Knowledge Page 8

9 Lab 2-2: Configuring the Cisco ASA Adaptive Security Appliance for Secure Network Integration Setup No setup required. Lab configs used are as at completion of previous lab (Lab 2-1). However, if necessary, load Lab 2-2 configs onto appropriate ASA devices. Task 1 Steps 1 & 3: Set the interface Speed and Duplex to 100 & Full (Configure Hardware Properties). Ignore Step 2..!! Lab 2-3: Configuring Management Features Setup No setup required. Lab configs used are as at completion of previous lab (Lab 2-2). However, if necessary, load Lab 2-3 configs onto appropriate ASA devices. Task 1 All OK Task 3 All OK Task 4 All OK Task 5 Step 10: You may be asked to login in order to Save the configuration. Use can the new student account to do this. Lab 3-1: Configuring NAT Setup No setup required. Lab configs used are as at completion of previous lab (Lab 2-3). However, if necessary, load Lab 3-1 configs onto appropriate ASA devices. Task 1 All OK Copyright Global Knowledge Page 9

10 Lab 3-2: Configuring Basic Cisco Access Control Features Setup No setup required. Lab configs used are as at completion of previous lab (Lab 3-1). However, if necessary, load Lab 3-2 configs onto appropriate ASA devices. Task 1 All OK Task 3 All OK Task 4 All OK Task 5 All OK Task 6 All OK Lab 3-3: Configuring Transparent Firewall (Optional) Setup Students should complete the setup as described in the Cisco Lab Guide. ENSURE students have properly backed up their ASA configurations and made a note of the original PC interface settings.. Task 1 Step 1: Select the Class LAB Interface. Task 3 Steps 2 & 3: Set the interface Speed and Duplex to 100 & Full Task 4 All OK Task 5 All OK Task 6 All OK Copyright Global Knowledge Page 10

11 Lab 4-1: Configuring MPF, Basic Stateful Inspections and QoS Setup No setup required. Lab configs used are as at completion of Lab 3-2 or students should have successfully reloaded their saved configs on completion of Lab 3-3, if the Optional lab was completed. However, if necessary, load Lab 4-1 configs onto appropriate ASA devices. Task 1 All OK Task 3 All OK Task 4 All OK Task 5 BOTNET licenses are currently unavailable in the lab, therefore this Optional exercise cannot be completed at this time. Lab 4-2: Configuring MPF Advanced Application Inspections Setup No setup required. Lab configs used are as at completion of previous lab (Lab 4-1). However, if necessary, load Lab 4-2 configs onto appropriate ASA devices. Task 1 Step 9: It is recommended to view the Real Time Log Viewer in Cisco ASDM. Step 15: This regular expression was temperamental in testing. Recommended to use the following: Regular expression that matches /welcome.png (welcome\.png) Task 3 All OK Copyright Global Knowledge Page 11

12 Lab 4-3: Configuring Cut-Through Proxy Setup No setup required. Lab configs used are as at completion of previous lab (Lab 4-2). However, if necessary, load Lab 4-3 configs onto appropriate ASA devices. Task 1 Step 9: It is recommended to view the Real Time Log Viewer in Cisco ASDM. Task 3 All OK Task 4 All OK Copyright Global Knowledge Page 12

13 Lab 5-1: Configuring Active/Standby High Availability Setup From the Device Management tool, load the Lab 5-1 Configs for Core Switch 1, Core Switch 2 (SW2 is not used for the smaller, 4 pod racks) and all EVEN numbered Pod ASA s (Pods 2, 4 etc.). Note: Loading the Lab 5-1 configurations on the even numbered Pod ASA s will erase any previous configuration. At this stage, students will be paired up in order to provide the required pair of ASA s for the Failover Labs (Lab 5-1 and Lab 5-2), as follows: Pod 1 pairs with Pod 2 Pod 3 pairs with Pod 4 Pod 5 pairs with Pod 6 Pod 7 pairs with Pod 8 Students should now switch their Web Access page view, via the drop-down menu at the top right of the page, selecting Lab 5-1 Active/Standby Failover. Note: Even-numbered pod students should close down all PC and ASA sessions to their devices and then open the Web Access page for their odd-numbered partners pod. E.g. Pod 2 will now open Pod 1 web page and select the Lab 5-1 diagram. The required devices will all be accessed via this diagram, in conjunction with their Pod 1 partner. Note: Even numbered pods web pages only have the Main Lab Diagram. Task 1 Step 2: Set the interface Speed and Duplex to 100 & Full Task 2 Steps 6 & 12: The config save will fail via the ASDM perform save via the CLI Task 3 All OK Task 4 Step 8: Close the commands prompt on the client PC and return the Primary firewall to active Task 5 All OK Copyright Global Knowledge Page 13

14 Lab 5-1: Configuring Active/Standby High Availability Setup From the Device Management tool, load the Lab 5-2 Configs for Shared Core Router, Core Switch 1 and Core Switch 2 (SW2 is not used for the smaller, 4 pod racks). Students will continue to work in the pod pairs as for the previous lab (Lab 5-1). The pod diagram Lab 5-2 Active/Active Failover should be selected for the Web Access page. Task 1 All OK Task 2 Step 13: Ensue that ALL interfaces Hardware Properties are set to Duplex = Full and Speed = 100. Step 21: Change the IP address of the CLASS LAB INTERFACE on the DMZ Server to /24 and the default gateway to Task 3 All OK Task 4 All OK Task 5 All OK Task 6 All OK Copyright Global Knowledge Page 14

15 7. Support Information Web Support Portal The Web Support Portal provides the following: Direct logging of Support Calls into the Support Call database Direct Real-time monitoring of your logged Support Call progress Recall of previous logged Support Calls (max. 30 days) Knowledge Base Self-Help FAQ s on Common Support Questions and Calls, Course information and Guides, Hints and Tips Bulletin Board Current Lab Status, New Course Information, New Document Releases Access to User and Setup Guides, Classroom Kit Lists and other information (access to some data will require valid Event credentials) For login information and details of how to use our Web-based Support Portal, please access the User Guide at the following URL: To access the Web Support Portal, go to: The Support Team address is: rls@globalknowledge.net Telephone Support Direct Telephone Line: +44 (0) Other Contact Methods We do not normally encourage contact methods (e.g. Skype, MSN etc.), other than the above, as these other methods often do not easily provide a means to record and track support information. Such information is important to us, as it allows us to continually monitor and improve our support service to you. Copyright Global Knowledge Page 15