Description

Securing Networks with ASA Advanced (SNAA) v1.0 is a five-day, instructor-led, lab-intensive course, which teaches the knowledge and skills needed advanced configuration, maintenance, and operation Cisco ASA 5500 Series Adaptive Security Appliances

In SNAA 1.0, lessons have been updated to cover new features in Cisco ASA Security Appliance Software Version 8.0(2), including the following:

• Policy NAT
• Modular policy framework enhancements
• ASA 5505 VLAN configuration
• EIGRP routing
• FTP support for SSL VPN
• Onscreen keyboard for the SSL VPN
• Administrator-defined customization of all SSL VPN user-visible content
• Personal bookmarks for SSL VPN users
• ASA as a local certificate authority
• Cisco AnyConnect client configuration
• Cisco Secure Desktop version 3.2
• Dynamic Access Policy

Securing Networks with ASA Advanced (SNAA) v1.0 replaces the Cisco Secure Virtual Private Networks (CSVPN) course & portions of the Securing Networks with PIX and ASA (SNPA) course.

In order to cover new features in ASA software v8.0 and to fully cover the VPN features of the ASA, the content of SNPA was split into two courses, one that covers the fundamentals, SNAF, and one that covers more advanced topics, SNAA.

SNAA also utilizes the graphical user interface instead of the command line interface for explanation and discussions of configuring the ASA.

Objectives

Upon completing this course, the learner will be able to meet these overall objectives:

• Configure policy NAT based on traffic type.
• Describe the layer 7 modular policy framework for the security appliance and how it is configured.
• Describe the layer 7 advanced protocol handling capabilities of modular policy frame and how it is configured.
• Identify the steps need to configure the security appliance to segment traffic with VLANs.
• Identify the steps need to configure the security appliance to configure the ASA for dynamic routing.
• Explain the components of IPsec and the functionality of IPsec and explain what digital certificates are and how they are used.
• Identify the steps needed to configure the security appliance to establish LAN-to-LAN tunnels with the digital certificate.
• Identify the necessary steps to configure the IPSec VPN Client using digital certificates.
• Identify the necessary steps to configure the security appliance for remote access using digital certificates.
• Explain the advanced remote access features of the ASA.
• Determine the necessary configuration for the ASA 5505 to be a VPN hardware client.
• Identify the steps to configure QoS for VPN traffic.
• List the steps needed to configure the WebVPN functionality of the security appliance.
• Identify the basic clientless SSL VPN features of the security appliance
• Configure full network access SSL VPNs using the AnyConnect Client.
• List the feature and functionality of the Cisco Secure Desktop.
• Configure CSD and DAP for SSL VPN connections on the Cisco ASA.
• Identify and list the characteristics of the services modules for the ASA.
• Identify the steps needed to configure, inspect, and filter traffic with the Content Security and Control SSM.
• Identify the steps needed to configure the security appliance to identify, alert, and defend against attacks.

Prerequisites

The knowledge and skills that a learner must have before attending this course are as follows:

• SNAF v1.0
• Cisco CCNA® certification or the equivalent knowledge
• Basic knowledge of the Microsoft Windows operating system
• Familiarity with networking and security terms and concepts

Who Should Attend

The primary audience for this course is as follows:

• Cisco customers who implement and maintain Cisco ASA security appliances

The secondary audience for this course is as follows:

• Cisco channel partners who sell, implement, and maintain ASA security appliances
• Cisco engineers who support the sale of ASA security appliances

Lesson 1: Applying NAT 0 and Policy NAT
• ACLs
• NAT
• Translation Behavior
• NAT Exemption
• Policy NAT
• Verify and Troubleshoot

Lesson 1: Applying the Cisco Modular Policy Framework
• Modular Policy Framework Overview
• Configuring the Modular Policy Framework
• Configuring a Layer 7 Class Map
• Configuring a REGEX Class Map
• Configuring a Layer 7 Policy Map
• Verifying the Modular Policy Framework Configuration
Lesson 2: Handling Advanced Protocol
• Protocol Inspection Overview
• FTP Inspection
• HTTP Inspection
• Instant Messaging Inspection
• ESMTP Inspection
• DNS Inspection
• ICMP Inspection
• Verifying Protocol Inspection

Lesson 1: Switching with VLANs
• ASA VLAN Operations
• VLAN Configuration
• Configuring VLANs on the ASA 5505
• Verify VLANs
Lesson 2: Routing with Dynamic Protocols
• Dynamic versus Static Routing
• RIP
• OSPF
• EIGRP
• Redistribution
• Verification and Troubleshooting

Lesson 1: Understanding IPsec and Digital Certificates
• What is IPsec
• IPsec Operation
• Digital Certificates and Public Key Cryptography
• Certificates and Scalability
• Certificate Enrollment Process
• Validating the Certificate
• Certificate Revocation Lists
• Security Appliance Certificate Enrollment Support
• Key Pairs and Trustpoints
Lesson 2: Implementing Site-to-Site VPNs with Digital Certificates
• Site-to-Site VPNs
• Configuring CA Certificates
• Site-to-Site IPsec Connection Profiles
• Modifying Certificate to Connection Mapping
• Hub and Spoke
• Site-to-Site Redundancy
• Verifying Site-to-Site VPNs
• Troubleshooting Site-to-Site VPNs
Lesson 3: Configuring the Cisco VPN Client
• Cisco VPN Client
• Client Installation
• Digital Certificates with Cisco VPN Client
• Connection Entry
• Advanced Options
• Verify and Troubleshoot Client Configuration
Lesson 4: Implementing Remote Access VPNs with Digital Certificates
• Remote Access VPNs
• Configuring an ASA for Remote Access
• Installing ASA Certificates
• Defining a Remote Access Address Pool
• User Policy Attribute Inheritance
• Configuring an IPSec Connection Profile
• Configuring the Certificate to Connection Profile Policy
• Verifying Remote Access VPNs
• Troubleshooting Remote Access VPNs
Lesson 5: Configuring Advanced Remote Access Features and Policy
• Load Balancing
• Reverse Route Injection
• Backup Servers
• Intra-interface VPN Traffic
• NAT Transparency
• Client Update
• Split Tunneling
• Personal Firewalls
Lesson 6: Configuring the ASA 5505 as an Easy VPN Hardware Client
• Introduction to Cisco Easy VPN
• Cisco Easy VPN Server Policy
• Easy VPN Hardware Client
Lesson 7: IPsec VPNs and QoS
• QoS Overview
• ASA QoS
• Configuring QoS for VPNs

Lesson 1: SSL VPN Technology Overview
• SSL Overview
• Clientless SSL VPN
• Cisco Secure Desktop (CSD)
Lesson 2: Configuring Clientless SSL VPNs
• Configuring Clientless SSL VPN
• Verifying Clientless SSL VPN Operation
• Configuring Port-Forwarding SSL VPN
• Verifying Port-Forwarding SSL VPN
• Configuring Additional SSL VPN Features
• Troubleshooting Clientless and Port-Forwarding SSL VPNs
Lesson 3: Configuring Full Network Access SSL VPNs
• Cisco Full Network Access SSL VPN Overview
• Configuring Cisco AnyConnect SSL VPN
• Verifying Cisco AnyConnect SSL VPN Operation
• Configuring Advanced Features for the Cisco AnyConnect SSL VPN Client
• Configuring Certificate-Based Authentication for AnyConnect SSL VPN
• Troubleshooting Cisco AnyConnect SSL VPN Client Operation
Lesson 4: Cisco Secure Desktop
• Cisco Secure Desktop Overview
• Cisco Secure Desktop Interoperability
• Preparing the ASA for Cisco Secure Desktop
Lesson 5: Securing the Desktop with CSD and DAP
• CSD Workflow
• Prelogin Assessment
• Secure Session
• Cache Cleaner
• Host Emulation and Keystroke Logger Detection
• Host Scan
• Dynamic Access Policy
• DAP Testing

Lesson 1: Examining the SSMs
• Business Challenges
• SSMs
• CSC-SSM
• AIP-SSM
• AIP-SSM or CSC-SSM
Lesson 2: CSC-SSM: Getting Started
• CSC-SSM Overview
• CSC-SSM SW Loading
• Initial CLI CSC Configuration
• Initial Configuration of the CSC-SSM using CSC Setup Wizard from ASDM
Lesson 3: AIP-SSM: Getting Started
• AIP-SSM Overview
• AIP-SSM SW Loading
• Initial IPS ASDM Configuration
• Configure an IPS Security Policy