CCNA Security 2.0 Study Material – Chapter 9: Implementing the Cisco Adaptive Security Appliance

Chapter Outline:

9.0 Introduction
9.1 Introduction to the ASA
9.2 ASA Firewall Configuration
9.3 Summary

Section 9.1: Introduction to the ASA

Upon completion of this section, you should be able to:

  • Compare ASA solutions to other routing firewall technologies.
  • Explain ASA 5505 operation with the default configuration.

Topic 9.1.1: ASA Solutions

ASA Firewall Models

Small Office and Branch Office ASA Models

Internet Edge Models

Enterprise Data Center Models

Advanced ASA Firewall Features

ASA Virtualization

High Availability

Identity Firewall

ASA Threat Control

Review of Firewalls in Network Design

Permitted Traffic

Denied Traffic

ASA Firewall Modes of Operation

Routed Mode

Transparent Mode

ASA Licensing Requirements

Base License Specifics

Security Plus License Specifics

show version Command Output

Topic 9.1.2: Basic ASA Configuration

Overview of ASA 5505

ASA 5505 Back Panel

ASA 5505 Front Panel

ASA Security Levels

Security Level Control:

  • Network Access
  • Inspection Engines
  • Application Filtering

ASA 5505 Deployment Scenarios

ASA Deployment in a Small Branch

ASA Deployment in a Small Business

ASA Deployment in an Enterprise

Section 9.2: ASA Firewall Configuration

Upon completion of this section, you should be able to:

  • Explain what ASA firewall services are enabled using the default configuration.
  • Configure an ASA to provide basic firewall services.
  • Configure object groups on an ASA.
  • Configure access lists with object groups on an ASA.
  • Configure an ASA to provide NAT services.
  • Configure access control using the local database and AAA server.
  • Explain how the Cisco Modular Policy Framework (MPF) is used to configure ASA policies.

Topic 9.2.1: The ASA Firewall Configuration

Introduce Basic ASA Settings

Base License Specifics

Security Plus License Specifics

show version Command Output

ASA Default Configuration

ASA 5505 Default Configuration Overview

ASA Interactive Setup Initialization Wizard

Entering the ASA 5505 Setup Initialization Wizard

Topic 9.2.2: Configuring Management Settings and Services

Enter Global Configuration Mode

Entering Global Configuration Mode Example

Configuring Basic Settings

ASA Basic Configuration Commands

Configuring Basic Settings

Enabling AES Encryption Example

Configuring Logical VLAN Interfaces

Logical VLAN Interface Commands

Configuring IP Addresses on VLAN Interfaces

Configuring VLAN Interfaces Example

Assigning Layer 2 Ports to VLANs

Configuring Layer 2 Ports Example

Verifying VLAN Port Assignment Example

Verifying Interfaces Example

Verifying IP Addresses Example

Configuring a Default Static Route

Configuring Remote Access Services

Telnet Configuration Commands

Telnet Configuration Commands Example

SSH Configuration Commands

Configuring SSH Access Example

Configuring Network Time Protocol Services

NTP Authentication Commands

Configuring NTP Example

Topic 9.2.3: Object Groups

Introduction to Objects and Object Groups

Configuring Network Objects

Network Object Commands

Configuring a Network Object Example

Configuring Service Objects

Service Object Options Example

Common Service Object Commands

Configuring a Service Object Example

Object Groups

Configuring Common Object Groups

Network Object Group Example

ICMP-type Object Group Example

Services Object Group Example

Topic 9.2.4: ACLs

ASA ACLs

ASA ACL and IOS ACL Similarities

ASA ACL and IOS ACL Similarities

Types of ASA ACL Filtering

Higher Levels Allowed To Lower Levels

Lower Levels Denied To Higher Levels

Types of ASA ACLs

Extended ACL Examples

Standard ACL Example

IPv6 ACL Example

Configuring ACLs

ACL Command Parameters

Condensed Extended ACL Syntax

ASA ACL Elements

Applying ACLs

access-group Command Syntax

ACLs and Object Groups

ACL Reference Topology

Extended ACL Configuration Example

Verifying the ACL

ACL Using Object Groups Examples

Condensed Extended ACL Syntax with Object Groups

ACL Reference Topology

ACL and Object Group Configuration Example

Verifying the ACL and Object Group Configuration Example

Topic 9.2.5: NAT Services on an ASA

ASA NAT Overview

Types of NAT Deployments:

  • Inside NAT
  • Outside NAT
  • Bidirectional NAT

Configuring Dynamic NAT

Dynamic NAT Reference Topology

Dynamic NAT Configuration Example

Enable Return Traffic Example

Verifying the Dynamic NAT Configuration Example

Configuring Dynamic PAT

Dynamic PAT Configuration Example

Verifying the Dynamic PAT Configuration Example

Configuring Static NAT

Configure the DMZ Interface Example

Static NAT Configuration Example

Verifying the Static NAT Configuration Example

Topic 9.2.6: AAA

AAA Review

Local Database and Servers

RADIUS and TACACS+ Server Commands

Sample AAA TACACS+ Server Configuration

AAA Configuration

Topic 9.2.7: Service Policies on an ASA

Overview of MPF

Configuring Class Maps

Define and Activate a Policy

Implementing Modular Policy Framework

ASA Default Policy

Default Service Policy Configuration

Section 9.3: Summary

Chapter Objectives:

  • Explain how the ASA operates as an advanced stateful firewall.
  • Implement an ASA firewall configuration.

Download Slide PowerPoint (pptx): CCNASv2_InstructorPPT_CH9.pptx