Deploying Cisco ASA Firewall Features (FIREWALL) v1.0. Global Knowledge European Remote Labs Instructor Guide


Deploying Cisco ASA Firewall Features (FIREWALL) v1.0 Global Knowledge European Remote Labs Instructor Guide Revision Draft 0.2 11/03/2011

1. Contents
   1. Contents ............ 2
   2. Introduction ............ 3
   3. Remote Labs Topology, Connections and Setup ............ 3
   4. Initial Lab Configuration Set-up ............ 5
   5. Lab Clear Down / Set-up Procedure ............ 5
   6. Lab Exercises ............ 6
      Lab 2 ............ 6
      Lab 3 ............ 9
      Lab 4 ............ 10
      Lab 6 ............ 13

Copyright Global Knowledge - Revision Draft 0.2 11/03/2011 Page 2

2. Introduction
xxxxxxxx

Support Contact Details:
  Web Support Portal: http://rlsupport.globalknowledge.net
  E-Mail: rls@globalknowledge.net
  Telephone: +44 (0) 118 989 7735

3. Remote Labs Topology, Connections and Setup
xxxxx

4. Initial Lab Configuration Set-up

PC Logins
Load the Base configurations for all devices from the Device Management tool on the Instructor Web Access page. All PCs will have been reset to default prior to the lab being available for use.
It is recommended for the ASAs to first run the Erase Device and then Load Base Config: occasionally a previous class may not have cleared down correctly, and the Erase will ensure no configuration corruption.
Note: The initial configuration for the Pod ASA Firewalls will ensure that the correct starting IOS and ASDM files are loaded. It is also sufficient to test basic connectivity (see Lab 2-1, Task 1 in the Lab Notes section below).
The Core Router is used as an NTP Master Clock; ensure that the Router clock is set to the current time.
The Pod Client and Server logins are: administrator / cisco
The Shared Server logins are:
  Instructor Login: administrator / globalk
  Student Login: studentX / cisco123 (where X is the Pod number)
Note: The issue with launching the Shared Server from the Web page link for the Students has now been resolved and should work OK via the link.

Core Device Logins
Core Router logins are:
  VTY password: cisco
  Instructor Enable password: globalk
Core Switch Instructor Enable password: globalk

5. Lab Clear Down Procedure
Load the Base configurations for all devices from the Device Management tool on the Instructor Web Access page.
Notify Remote Lab Support that you have finished using the equipment by replying to the End of Course Confirmation e-mail, which will have been sent to you during the class.
Please do NOT reply to the End of Course Confirmation e-mail for any other purpose; this may cause confusion, and your rack may be disconnected or cleared as a result.
Should you not have received the above e-mail, please send an e-mail to the Support e-mail address (Section 2 above), confirming the Course and Rack used, that you have completed the class and finished using the equipment.

6. Lab Exercises

Lab 2-1: Configuring Basic Connectivity
Task 1
Pre-Lab Steps: The ASA firewalls start with a base configuration, which will ensure that the correct starting IOS is loaded and also provide sufficient configuration to test connectivity to the Pod Client PC, Pod DMZ Server and the Core Router. To test, from the ASA, ping the following devices (where X is the Pod number):
  Client PC: 10.0.X.11
  DMZ Server: 192.168.X.2
  Core Router: 172.16.X.2
Task 2
Step 2: Additionally, set the interface Speed to 100 and Duplex to full. On every occasion throughout the labs where an interface is to be configured, please set the speed and duplex as above. This will ensure correct operation and data speeds. If left to auto, incorrect operation can result (e.g. ASDM is very slow to load up).
Task 3
The starting ASDM version is 6.1(3). Do NOT install the Desktop icons when asked: once ASDM is upgraded to version 6.2(5)53, they will no longer operate. Always launch ASDM via a Web browser to http://10.0.X.1
Task 4
Steps 2 & 3: Reminder to set speed to 100 and duplex to full.
Task 5
All OK
Task 6
All OK
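The interface, connectivity-test and ASDM-access steps above, collected into one ASA CLI sequence. This is an added example and not part of the Global Knowledge guide or the Cisco lab answer key: Pod 1 values are used in place of X, the Ethernet0/x interface names assume an ASA 5510-style unit, and the ASA's outside (172.16.1.1) and DMZ (192.168.1.1) addresses are assumptions (only the inside address 10.0.X.1 is stated in the guide).

```cisco
! Added example, not from the instructor guide. Pod 1 values; interface
! names and the outside/dmz ASA addresses are assumptions.
hostname asa-pod1
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 172.16.1.1 255.255.255.0
 speed 100
 duplex full
 no shutdown
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.0.1.1 255.255.255.0
 speed 100
 duplex full
 no shutdown
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.1.1 255.255.255.0
 speed 100
 duplex full
 no shutdown
!
! Confirm the forced values took effect rather than trusting
! auto-negotiation (a mismatch is what makes ASDM crawl).
show interface Ethernet0/1 | include Duplex|Mbps
!
! Task 1 connectivity test from the ASA to the three lab devices
ping 10.0.1.11
ping 192.168.1.2
ping 172.16.1.2
!
! ASDM is always launched from a browser at http://10.0.1.1, so the
! HTTP server must be enabled and restricted to the inside network.
http server enable
http 10.0.1.0 255.255.255.0 inside
```

Keeping the `http` statement scoped to 10.0.1.0/24 rather than `0.0.0.0 0.0.0.0` is the habit worth forming in the lab: the ASDM listener is a management plane service and should only ever be reachable from the management network.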

Lab 2-2: Configuring Management Features
Task 1
Step 3: DO NOT use ASDM to TFTP the files to the ASA. Although the transfer will work OK, the IOS will then frequently fail to load. Instead, use the command line to TFTP the files across to the ASA:
  copy tftp: disk0:
Additionally, if the file already exists in flash it should first be deleted; it has been found that a pre-existing file in flash may cause file corruption on TFTP transfer.
Should the reload fail, do the following:
  Reboot the ASA via the Power Management tool on the Instructor Web page.
  Press ESC when prompted during the boot process.
  Enter: boot disk0:/asa803-k8.bin
  Wait for the ASA to reboot and then TFTP the files again via the command line.
Task 2
Step 1: The old 6.1(3) ASDM may have been left open; if so, close all windows and reopen via a Web Browser (any desktop icon will fail).
Note: The correct time for the NTP Master Core Router should have been set prior to this lab.
Task 3
Step 4: via Logging Filters
Task 4
All OK
Task 5
Step 5: The ASA command required is:
  crypto key generate rsa modulus 2048
Task 6
Step 9: Supply the User credentials of student / cisco
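The CLI image upgrade, the ROMMON recovery path, and the NTP, syslog and SSH management settings from this lab, written out as one sequence. This is an added example, not the guide's or Cisco's own text: Pod 1 values are used, the TFTP server is assumed to be the core router (172.16.1.2), the target image file name asa822-k8.bin, the domain name lab.local and the interface names (outside, dmz, inside) are assumptions; asa803-k8.bin, asdm-625.bin, the 2048-bit modulus and the student / cisco credentials come from the guide.

```cisco
! Added example, not from the instructor guide. TFTP server address,
! asa822-k8.bin, lab.local and interface names are assumptions.
!
! --- Image upgrade from the CLI (not via ASDM's file transfer) ---
! Remove any stale copy first: a pre-existing file in flash has been
! seen to corrupt the TFTP transfer.
dir disk0:
delete /noconfirm disk0:/asa822-k8.bin
delete /noconfirm disk0:/asdm-625.bin
copy tftp://172.16.1.2/asa822-k8.bin disk0:/asa822-k8.bin
copy tftp://172.16.1.2/asdm-625.bin disk0:/asdm-625.bin
! Check the files landed and are intact before pointing boot at them.
dir disk0:
verify disk0:/asa822-k8.bin
configure terminal
boot system disk0:/asa822-k8.bin
asdm image disk0:/asdm-625.bin
end
write memory
reload
!
! --- Recovery if the reload fails ---
! Power-cycle via the Power Management tool, press ESC during boot,
! then at the ROMMON prompt boot the previous image:
!   rommon #0> boot disk0:/asa803-k8.bin
! and repeat the TFTP copy from the CLI once the unit is up.
!
! --- Management features ---
configure terminal
! Time from the core router, which is the NTP master (set its clock
! before this lab or certificate and log timestamps will be wrong).
ntp server 172.16.1.2 source outside prefer
! Syslog to the DMZ server with timestamps so events can be correlated.
logging enable
logging timestamp
logging trap informational
logging host dmz 192.168.1.2
! SSH: hostname and domain name are required before the RSA key can
! be generated; then restrict sources and require a local login.
hostname asa-pod1
domain-name lab.local
crypto key generate rsa modulus 2048
username student password cisco privilege 15
aaa authentication ssh console LOCAL
ssh 10.0.1.0 255.255.255.0 inside
ssh version 2
ssh timeout 10
end
write memory
!
! Verification
show ntp status
show logging | include Trap
show ssh
```

The `verify` step is the cheap check that turns "the IOS frequently fails to load" from a mystery reboot loop into a transfer error caught before `reload`; `ssh version 2` and the source restriction are the two settings that actually matter for the SSH listener, the key length alone does not limit who may connect.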

Lab 3-1: Configuring Basic Access Control
Task 2
All OK
Task 3
Step 2: Note that this step is to configure an incorrect IP address for the Shared Server; HOWEVER, the DMZ network SHOULD be 192.168.X.0/24. This allows a failure test to be performed first. Then the correct IP address for the Shared Server is configured.
Task 4
All OK

Lab 3-2: Tuning Basic Cisco ASA Adaptive Security Appliance Stateful Inspection Features
Task 2
All OK
Task 3
All OK

Lab 3-3: Configuring Application-Layer Policies
Task 2
All OK, except that during testing it was not possible to block the PNG image file. It is currently not clear whether this is a lab step problem or an issue with the Web Site build; further testing is on-going. It does not affect any other lab steps, so it is safe to move on.
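The "wrong address first, then correct it" test from Lab 3-1 Task 3, done on the CLI with `packet-tracer` so the failure can be proved from the ASA before anyone touches the Client PC. This is an added example, not the guide's or the Cisco answer key's configuration: Pod 1 values are used, the Shared Server's address is not given in the guide so 172.16.1.100 stands in for it and 172.16.1.101 for the deliberately wrong entry, and the ACL name INSIDE_IN is an assumption; the DMZ network 192.168.1.0/24 is as the guide requires.

```cisco
! Added example, not from the instructor guide. Shared Server address
! (172.16.1.100), the wrong address (172.16.1.101) and the ACL name
! are placeholders/assumptions.
configure terminal
access-list INSIDE_IN extended permit tcp 10.0.1.0 255.255.255.0 host 172.16.1.101 eq www
access-list INSIDE_IN extended permit ip 10.0.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list INSIDE_IN extended deny ip any any
access-group INSIDE_IN in interface inside
end
!
! Failure test: simulate the Client PC's web request to the real
! Shared Server. The trace should stop at the deny line.
packet-tracer input inside tcp 10.0.1.11 1025 172.16.1.100 80
show access-list INSIDE_IN
!
! Correct the entry: insert the right line ahead of the deny and
! remove the wrong one instead of rebuilding the whole list.
configure terminal
access-list INSIDE_IN line 1 extended permit tcp 10.0.1.0 255.255.255.0 host 172.16.1.100 eq www
no access-list INSIDE_IN extended permit tcp 10.0.1.0 255.255.255.0 host 172.16.1.101 eq www
end
!
! Re-run the same trace; it is now allowed, and the hit counter on the
! corrected line increments once the PC browses to the server.
packet-tracer input inside tcp 10.0.1.11 1025 172.16.1.100 80
show access-list INSIDE_IN
!
! The earlier denied attempt shows up on the DMZ syslog server as
! %ASA-4-106023 (deny by access-group); confirm locally with:
show logging | include 106023
```

Reading the `hitcnt` values in `show access-list` alongside the 106023 messages is the quickest way to tell a typo in an ACE from a routing or NAT problem: a deny with a rising hit count on the wrong line is an ACL error, a trace that fails before the ACL phase is not.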

Lab 3-4: Configuring Advanced Access Controls
Task 2
All OK
Task 3
A reboot of the ASA may be required before logging output is seen.
Task 4
All OK
Task 5
Botnet: This is an optional task. Skip this task, as we do not currently have the Botnet licenses.

Lab 3-5: Configuring User-Based Policies (Cut-Through Proxy)
Task 2
All OK
Task 3
All OK
Task 4
All OK
On completion, ensure that all AAA configuration is removed. The simplest method is to use the command line:
  clear configure aaa

Lab 4-1: Configuring Cisco ASA Adaptive Security Appliance NAT
Task 2
All OK
Task 3
All OK. Student Telnet password for the Core Router is: cisco

Lab 4-2: Configuring Transparent Firewall Mode
Task 1
Step 1: Record the Client PC IP settings first to allow later reconfiguration. Use the PC interface marked CLASS LAB INTERFACE.
Task 2
Step 2: ENSURE that the configuration has been properly saved to flash BEFORE setting the firewall to transparent mode. (It is intended that a recovery configuration will be supplied, to be loaded via the Device Management tool in case of accidents.)
Task 3
Reminder to set interface speed and duplex.
Task 4
If the ping to the Core Router fails, try clearing the ARP cache on the ASA Firewall (see the note in the Lab Guide at the top of Page 100).
Task 5
Note: Ensure that the ASA is configured to provide ASDM version 6.2(5)53:
  asdm image disk0:/asdm-625.bin
Step 14: The source network is incorrect in the Answer Key. It should be 172.16.X.0/24
Task 6
Step 3: Only restore the configurations on the odd-numbered Pod ASAs (1, 3, 5 & 7), as the even-numbered Pod ASAs will be used as Failover Devices during the next lab.
Client PC IP addressing is:
  IP Address: 10.0.X.11 255.255.255.0
  Default Gateway: 10.0.X.1
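The save-before-switching, ASDM image and ARP-cache points from Lab 4-2, as one CLI sequence for an ASA 8.2 unit. This is an added example and not the guide's or Cisco's lab configuration: Pod 1 values are used, the TFTP backup target (the core router, 172.16.1.2) and backup file name are assumptions, and the transparent-mode management address 172.16.1.1 on the bridged 172.16.1.0/24 network is an assumption consistent with the Step 14 correction above; asdm-625.bin is from the guide.

```cisco
! Added example, not from the instructor guide. Backup target, file
! name and the 172.16.1.1 management address are assumptions.
!
! Save to flash AND take an off-box copy first: the mode change clears
! the running configuration, and the recovery config is the only way back.
write memory
copy running-config tftp://172.16.1.2/asa-pod1-routed.cfg
!
configure terminal
firewall transparent
! In 8.2 transparent mode the interfaces carry no IP addresses; the unit
! has one global management address on the bridged subnet.
interface Ethernet0/0
 nameif outside
 security-level 0
 speed 100
 duplex full
 no shutdown
interface Ethernet0/1
 nameif inside
 security-level 100
 speed 100
 duplex full
 no shutdown
ip address 172.16.1.1 255.255.255.0
! Point ASDM at the 6.2(5)53 image and keep HTTP restricted to inside.
asdm image disk0:/asdm-625.bin
http server enable
http 172.16.1.0 255.255.255.0 inside
end
write memory
!
! Verification
show firewall
show asdm image
! If the ping to the core router fails, stale ARP entries from routed
! mode are the usual cause: clear them and retry.
clear arp
ping 172.16.1.2
show arp
```

`show firewall` confirms the mode actually changed; if it still reports "Router" the `firewall transparent` command was refused (typically because more than two named interfaces were present), and the configuration was not cleared.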

Lab 5-1: Deploying a Cisco ASA Adaptive Security Appliance Active/Standby Failover
Setup
Load the Lab 5-1 configurations to Core Switches 1 and 2 and ASAs 2, 4, 6 and 8 as required.
At this stage, students will be paired up in order to provide the required pair of ASAs for the Failover Labs (Lab 5-1 and Lab 5-2). The pairs are set as follows: Pod 1 & 2, Pod 3 & 4, Pod 5 & 6, Pod 7 & 8.
Note: Loading the Lab 5-1 configurations on the even-numbered Pod ASAs (2, 4, 6 & 8) will erase any remaining configuration.
At this point students should switch their Web Access page view: from the drop-down menu at the top right of the page, select Lab 5-1 Active/Standby Failover.
Note: Both the even- and odd-numbered Pod ASAs are now shown; HOWEVER, the PCs used for this lab (Lab 5-1) and the next lab (Lab 5-2) will be only the odd-numbered Pod PCs, e.g. for the Pod 1 / 2 pair the PCs are from Pod 1, for the Pod 3 / 4 pair the PCs are from Pod 3, etc.
Access the Core Router and ensure that the ARP Cache is cleared:
  clear arp
Ensure ALL Pod ASAs are running IOS version 8.2(2) and that the ASDM image is set to version 6.2(5)53. Failover will fail unless both ASAs in a pair are running identical IOS and ASDM images.
Task 2
All OK
Task 3
Step 5: show ip and show fail.
Step 7: Using ls in FTP fails, as this has not been permitted during earlier lab steps. pwd will work to prove the connection. As an alternative, telnet to the Core Router on 172.16.X.2 would prove the test successfully.
Step 9: Also review the Syslog output on the DMZ server for failover messages.
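The Lab 5-1 pair brought up on the CLI: the image pre-check the guide insists on, the Active/Standby bootstrap on each unit, and the verification commands from Task 3. This is an added example, not the guide's or the Cisco answer key's configuration: Pod 1 / 2 values are used, the failover link (Ethernet0/3, named FOLINK, 10.255.1.0/24), the standby inside address 10.0.1.3 and the failover key are assumptions; `show ip`, `show failover` and the telnet test to 172.16.X.2 are from the guide.

```cisco
! Added example, not from the instructor guide. Failover link, standby
! addresses and the key are assumptions.
!
! --- Pre-check on BOTH units: the pair must run identical images ---
show version | include Version
dir disk0:
!
! --- Primary unit (odd Pod ASA, already carrying the lab config) ---
configure terminal
failover lan unit primary
failover lan interface FOLINK Ethernet0/3
failover interface ip FOLINK 10.255.1.1 255.255.255.0 standby 10.255.1.2
failover link FOLINK
failover key LAB-KEY-PLACEHOLDER
interface Ethernet0/3
 no shutdown
! Every data interface needs a standby address so the standby unit can
! be monitored and can take over the active address on switchover.
interface Ethernet0/1
 ip address 10.0.1.1 255.255.255.0 standby 10.0.1.3
failover
end
write memory
!
! --- Secondary unit (even Pod ASA): bootstrap only; it receives the
!     full configuration from the primary over the failover link ---
configure terminal
failover lan unit secondary
failover lan interface FOLINK Ethernet0/3
failover interface ip FOLINK 10.255.1.1 255.255.255.0 standby 10.255.1.2
failover link FOLINK
failover key LAB-KEY-PLACEHOLDER
interface Ethernet0/3
 no shutdown
failover
end
!
! --- Verification (Task 3, Step 5) ---
show ip
show failover
show failover state
!
! Stateful test (Step 7): telnet from the Client PC to the core router
! (172.16.1.2), then force a switchover from the STANDBY unit; the
! telnet session should survive.
failover active
show failover
! On the DMZ syslog server (Step 9) the switchover is recorded as
! %ASA-1-104001 (Switching to ACTIVE) and %ASA-1-104002 (Switching
! to STANDBY); confirm locally with:
show logging | include 10400
```

The `failover key` is worth setting even in the lab: without it the configuration, including the local user database, is replicated in clear text over the failover link, and that is exactly the kind of default that gets carried from a lab build into production.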

Task 4
All OK
Task 5
All OK

Lab 5-2: Deploying a Cisco ASA Adaptive Security Appliance Active/Active Failover
Setup
Load the Lab 5-2 configurations to the Core Router and Core Switches 1 and 2. Students are asked to erase the ASA configurations as part of the initial lab steps; however, if preferred, the Erase Device configuration script can be used instead.
Task 1
Verify that all ASAs now have a blank configuration and all are running IOS version 8.2(2) and ASDM version 6.2(5)53.
Task 2
Set all interfaces for speed and duplex.
Note: The X for ASA2 is the odd-numbered Pod number, NOT the even Pod number, e.g. Pod 1 not Pod 2, Pod 3 not Pod 4, etc.
Task 3
All OK
Task 4
The initial Answer Key output example for the show fail command shows the initial state when ASA1 is Active for both groups. The second show fail command is the output after ASA2 has been configured to be Active for Group 2.
Task 5
All OK
Task 6
All OK

Copyright Global Knowledge - Revision Draft 0.2 11/03/2011 Page 12
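The Active/Active setup behind the two `show failover` outputs the Task 4 note refers to, as an added CLI example that is not the guide's or the Cisco answer key's configuration. Active/Active requires multiple context mode; the example uses Pod 1 / 2 values and assumes two contexts (ctx1, ctx2) on VLAN subinterfaces of Ethernet0/0 and Ethernet0/1, an admin context on Management0/0, Ethernet0/3 as the failover link and the VLAN numbers shown; all of these are assumptions. The `secondary` plus `preempt` setting on group 2 is what produces the second output in which ASA2 is Active for Group 2.

```cisco
! Added example, not from the instructor guide. Context names, VLANs,
! interface allocation and the failover link are assumptions.
!
! On BOTH units: switch to multiple context mode (converts the
! configuration into the admin context and reloads).
mode multiple
!
! --- System execution space on the primary (odd Pod) ASA ---
configure terminal
interface Ethernet0/0
 speed 100
 duplex full
 no shutdown
interface Ethernet0/0.10
 vlan 10
interface Ethernet0/0.20
 vlan 20
interface Ethernet0/1
 speed 100
 duplex full
 no shutdown
interface Ethernet0/1.10
 vlan 110
interface Ethernet0/1.20
 vlan 120
interface Ethernet0/3
 no shutdown
interface Management0/0
 no shutdown
!
failover lan unit primary
failover lan interface FOLINK Ethernet0/3
failover interface ip FOLINK 10.255.1.1 255.255.255.0 standby 10.255.1.2
failover link FOLINK
! Group 1 prefers the primary unit, group 2 prefers the secondary.
! With preempt, each group moves to its preferred unit as soon as that
! unit is up; until ASA2 joins, ASA1 is Active for both (first output).
failover group 1
 primary
 preempt
failover group 2
 secondary
 preempt
!
admin-context admin
context admin
 allocate-interface Management0/0
 config-url disk0:/admin.cfg
context ctx1
 allocate-interface Ethernet0/0.10
 allocate-interface Ethernet0/1.10
 config-url disk0:/ctx1.cfg
 join-failover-group 1
context ctx2
 allocate-interface Ethernet0/0.20
 allocate-interface Ethernet0/1.20
 config-url disk0:/ctx2.cfg
 join-failover-group 2
! Each context's interfaces still need their own active/standby
! addresses, configured inside that context (not shown here).
failover
end
write memory
!
! --- Secondary (even Pod) ASA, system space: bootstrap only ---
configure terminal
failover lan unit secondary
failover lan interface FOLINK Ethernet0/3
failover interface ip FOLINK 10.255.1.1 255.255.255.0 standby 10.255.1.2
failover link FOLINK
interface Ethernet0/3
 no shutdown
failover
end
!
! --- Verification: per-group state (second Answer Key output) ---
show failover
show failover group 1
show failover group 2
! Move a single group by hand if needed, e.g. group 2 onto this unit:
failover active group 2
show failover
```

The per-group view of `show failover` is the thing to read in Task 4: the unit-level line says "Primary" or "Secondary", but it is the "Group 1 ... Active" / "Group 2 ... Standby Ready" lines that tell you which unit is currently forwarding each context's traffic.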