Implementing Advanced Cisco ASA Security Training

Course ID: SKY-1574
Duration: 5 Days

Description

This course provides updated training on the key features of the Cisco ASA, including the ASA FirePOWER Services Module and ASA Clustering.

Implementing Advanced Cisco ASA Security (SASAA) v2.1 is an instructor-led course that provides updated training with labs. The labs focus on the key features of the Cisco ASA (covering up to the ASA 9.5.1 release). The goal of the course is for students to be able to implement the key features of the Cisco ASA, including Cisco ASA Firepower Services (including Firepower v6.0), ASA Cloud Web Security, ASA Identity Firewall, ASA Clustering and the Virtual ASA (ASAv).

To participate in the hands-on labs in this class, you need to bring a laptop computer with the following:

  • Windows 7 or 8.1 or 10 is recommended. Mac OSX 10.6 or greater is supported as well.
  • Intel Celeron or better processors are preferred.
  • 1 GB or more of RAM
  • Browser Requirements: Internet Explorer 10 or greater or Mozilla Firefox. (Safari and Mozilla Firefox for Mac OSX)
  • All students are required to have administrator rights to their PCs and cannot be logged in to a domain using any Group Policies that will limit their machine's capabilities.
  • If you do not have administrator rights to your PC, you at least need permissions to download, install, and run the Cisco AnyConnect client.
  • If you are participating in a WebEx event, it is highly recommended to take this class at a location that has a minimum bandwidth of 1 Mbps.

Note: Students registering for this course will be receiving their course kit in a digital format. To be able to view your digital kit you will need to bring a laptop PC and/or a compatible iPad or Android tablet. The recommended system requirements and instructions to access the course kit content can be found at the following link: Digital Course Kit Requirements and Instructions

Please be aware that this digital version is designed for online use, not for printing. You can print up to 10 pages only in each guide within a course. Please note that every time you click the Print button in the book, this counts as one page printed, whether or not you click OK in the Print dialog.

Bring This Course To You

For groups of 5 or more, let Intertech bring this course to your location. Customized versions tailored towards your objectives are also available.

Learning Objectives

Upon completing this course students will be able to:

  • Describe the Cisco ASA 5500-X series Next Generation Firewalls, ASAv, ASA 5506-X, 5508-X, 5516-X, and ASASM and implement new ASA 9.4.1 features.
  • Implement Cisco ASA Identity Firewall policies.
  • Install and set up the Cisco Firepower Services Module (SFR)
  • Implement Cisco ASA Cloud Web Security
  • Implement Cisco ASA Clustering
  • Describe Cisco ASA Security Group Firewall and Change of Authorization Support

Audience

The primary audience for this course is as follows:

  • Network engineers supporting Cisco ASA 9.x implementations

Prerequisites

The knowledge and skills that a learner must have before attending this course are as follows:

  • Implementing Core Cisco ASA Security (SASAC) v1.0 or equivalent knowledge of the Cisco ASA

Course Outline

Module 1: Cisco ASA Product Family

Lesson 1: Introducing the Cisco ASA 5500-X Next-Generation Firewalls

  • Cisco ASA 5500-X Series Next-Generation Firewalls
  • Cisco ASA 5500-X Series SSDs
  • Cisco ASA 5585-X Dual Firewall Support
  • Cisco ASA 5506-X, 5508-X, and 5516-X Overview
  • Cisco ASA NGE Support
  • Cisco ASA FirePOWER Services, CWS, NGFW Services, IPS Modules Comparisons

Lesson 2: Introducing the Cisco ASAv

  • ASAv Initial 9.2.1 Release Overview
  • Deploy the ASAv OVF Template
  • ASAv 9.3.2+ KVM Hypervisor Support
  • ASAv Digitally Signed Image
  • ASAv Management Options
  • ASAv 9.3.2+ Smart Licensing
  • Verify the ASAv VM Using the CLI
  • Verify the ASAv VM Using the ASDM
  • ASA 9.2.1 BGP IPv4 Support

Lesson 3: Implementing ASA 9.3 and 9.4.1 New Features

  • ASA REST API Basics
  • ASA ACL Forward Reference and ACL Manual Commit
  • ASA CLI Config Backup and Restore
  • ASA Policy Based Routing
  • ASA Equal Cost Multiple Path Routing
  • ASA NSF Support
  • ASA 9.4.1+ VXLAN Support
  • Other New ASA Features

Lesson 4: Introducing the Cisco ASASM

  • Cisco ASASM Supported Platforms
  • Cisco ASASM Performance Numbers
  • Cisco ASASM Architecture
  • Cisco ASASM Features Parity
  • Cisco ASASM VLAN Interface

Module 2: Cisco ASA Identity Firewall

Lesson 1: Describing the Cisco ASA Identity Firewall Solution

  • Cisco ASA Identity Firewall Benefits
  • Cisco ASA Identity Firewall Flow
  • Cisco ASA Identity Firewall Policies

Lesson 2: Setting Up Cisco CDA

  • Cisco CDA versus Active Directory Agent
  • Cisco CDA Hardware Appliance and VM Requirements
  • Cisco CDA Installation
  • Cisco CDA Setup
  • Cisco CDA Application Status Verification
  • Cisco CDA CLI Operations
  • Cisco CDA GUI

Lesson 3: Configuring Cisco CDA

  • Active Directory Server Configuration
  • Cisco ASA Configuration
  • Syslog Server Configuration
  • Cisco CDA User-Account Configuration
  • Cisco CDA GUI Password Policy Configuration
  • Cisco CDA Session Timeout Configuration
  • IP-to-Identity Mapping Display
  • Registered-Device Verification

Lesson 4: Configuring Cisco ASA Identity Firewall

  • Identity-Based Firewall Configuration Tasks
  • Active Directory Server Configuration
  • Cisco CDA Configuration
  • User-Identity Options Configuration Using Cisco ASDM
  • User-Identity Option Configuration Using the CLI
  • User-Identity-Based Access Rules
  • User Object Group Configuration
  • FQDN Network Object Configuration
  • Identity Firewall with Cut-Through Proxy Use Case
  • Identity Firewall with Remote-Access VPN Use Case

Lesson 5: Verifying and Troubleshooting Cisco ASA Identity Firewall

  • Cisco CDA and Active Directory Server Connectivity Test
  • Verify User-Identity Operations Using the CLI
  • ASA to CDA Connectivity Verifications
  • Active Directory Users Verifications
  • Verify the Active Directory Groups
  • Memory Usage Verifications
  • Identity-Based Firewall Cisco ASDM Monitoring Panes
  • Cisco CDA Management with the CLI
  • Cisco CDA Live Log Monitoring
  • Cisco CDA Troubleshooting

Module 3: Cisco ASA FirePOWER Services

Lesson 1: Installing the Cisco ASA FirePOWER Services Module

  • Cisco ASA FirePOWER Services (SFR) Module Overview
  • Cisco FireSIGHT Management Center Overview
  • Cisco ASA FirePOWER Services Software Module Management Interface
  • Cisco ASA FirePOWER Services Module Package Installation
  • Cisco ASA FirePOWER Services Module Verification
  • Redirect Traffic to Cisco ASA FirePOWER Services Module

Lesson 2: Managing the Cisco ASA FirePOWER Services Module Using the FireSIGHT Management Center

  • FireSIGHT Management Center VM Installation and Setup
  • FirePOWER Services Module and FireSIGHT License Requirements
  • Add the FirePOWER Services Module into FireSIGHT
  • FireSIGHT Policy Types Overview
  • Task Status Monitoring
  • System Policy Overview
  • Health Policy Overview
  • Objects Management Overview
  • Network Discovery Overview
  • Security Zones Overview
  • Active Directory Integration Overview
  • SourceFire User Agent Overview
  • Access Control Policy Overview
  • Intrusion Policy Overview
  • FireSIGHT Recommended Rules Overview
  • Intrusion Event Impact Levels Overview
  • File Policy Overview
  • Connection Events Monitoring
  • Events Display Time Range
  • Switch Workflow
  • IPS Events Monitoring
  • File Events Monitoring
  • Users Monitoring
  • Indication of Compromise Overview
  • Context Explorer
  • Dashboards
  • System Updates

Lesson 3: Describing the Cisco ASA 5506-X, 5508-X, and 5516-X FirePOWER Services

  • ASDM and FirePOWER On-Box FireSIGHT Manager
  • ASA FirePOWER Dashboard, Reporting, and Status
  • ASA FirePOWER Events Viewer
  • Gather ASA FirePOWER Troubleshooting Information for Cisco TAC
  • FirePOWER Licensing

Lesson 4: Configuring New Features in Cisco ASA Firepower Services 6.0

  • Firepower 6.0 Platforms
  • Deployment Dialog
  • Message Center
  • System Configurations and Device Platform Settings
  • Network Analysis Policy
  • File Policy Enhancements
  • URL-Based Security Intelligence
  • DNS Inspection
  • OpenAppID
  • Intelligent Application Bypass
  • PKI, Cipher Suite List, and Distinguished Name Objects
  • SSL Policy
  • Realm and Directory Server
  • Identity Policy
  • Captive Portal Active Authentication
  • Cisco ISE pxGrid Integration
  • Cisco ASDM On-Box Firepower Management
  • Firepower Multidomain Management

Module 4: Cisco ASA Cloud Web Security

Lesson 1: Introducing Cisco ASA Cisco Cloud Web Security

  • Cisco ASA with Cisco Cloud Web Security
  • Cisco Cloud Web Security URL Filtering, AVC, and Reporting Features Overview
  • Cisco Cloud Web Security Scanning Processes and Day Zero Outbreak Intelligence Overview
  • Cisco ScanCenter
  • Cisco ASA Cloud Web Security Licenses

Lesson 2: Configuring Cisco ASA with Cisco Cloud Web Security

  • Cisco ASA and Cloud Web Security Proxy-Server Configuration
  • ScanCenter Generation of an Authentication Key for Cisco ASA
  • Traffic Redirection from Cisco ASA to Cloud Web Security Proxy Servers
  • Cisco ASA and Cloud Web Security Proxy Server User-Identity Configuration

Lesson 3: Verifying Cisco ASA Cloud Web Security Operations

  • Cisco ASA Cloud Web Security Operations Verification Using the CLI
  • Cisco ASA Cloud Web Security Operations Verification by Using Cisco ASDM
  • Verification of Traffic Redirection from Cisco ASA to Cloud Web Security Proxy Servers
  • Cisco ASA Cloud Web Security Syslog Messages
  • Cisco ASA Cloud Web Security Operations Verification Using Debug

Lesson 4: Describing the Web Filtering Policy in Cisco ScanCenter

  • ScanCenter Web Filtering Policy Overview
  • ScanCenter Web Filtering Policy Configuration
  • ScanCenter HTTPS Inspection Configuration Overview
  • ScanCenter Web Filtering Reporting

Lesson 5: Describing Cisco ASA Cloud Web Security AMP and CTA

  • Cisco ASA CWS Advanced Malware Protection Overview
  • Cisco Cloud Web Security Cognitive Threat Analytics
  • Cisco ASA Cloud Web Security ScanCenter Threats Reporting Overview

Module 5: Cisco ASA Clustering

Lesson 1: Describing Cisco ASA Cluster Features

  • Cluster Performance Figures and Supported Platforms
  • Cluster Data-Interface Modes
  • Cluster Data-Interface Connections
  • CCL Functions
  • Cluster Master and Slave Unit Election
  • Centralized, Distributed, and Unsupported Cisco ASA Features
  • Cluster Dynamic-Routing Operations
  • Cluster NAT and PAT Operations

Lesson 2: Describing Cisco ASA Cluster Terminology and Data Flows

  • Cluster Terminology
  • TCP Sequence Number Randomization
  • TCP Traffic Flows
  • Asymmetric UDP Traffic Flows
  • Short-Lived Traffic Flows
  • Centralized-Feature Traffic Flows
  • Traffic Flows with Secondary Connections
  • TCP Flow Rebalancing
  • Cluster Health-Check Mechanisms
  • Clustering with Multi-Context

Lesson 3: Using the CLI to Configure a Cisco ASA Cluster

  • Cluster Management
  • Cluster Configuration with the CLI
  • Cluster Interface-Mode Configuration on Each Unit
  • CCL Configuration on Each Unit
  • Cluster Management Interface Configuration from the Master Unit
  • Spanned EtherChannel (Layer 2) Interface Configuration from the Master Unit
  • Individual (Layer 3) Interface Configuration from the Master Unit
  • Cluster Bootstrap Configuration and Enabling Clustering on Each Unit
  • Sample Configuration of a Two-Unit Cluster with Spanned EtherChannel Interface
  • Sample Configuration of a Two-Unit Cluster with Individual Interface
  • Cluster Configuration Options

Lesson 4: Using the ASDM to Configure a Cisco ASA Cluster

  • Cisco ASDM Cluster Dashboards
  • Cluster Configuration Using Cisco ASDM
  • Cisco ASDM High Availability and Scalability Wizard
  • Cisco ASDM ASA Cluster Pane

Lesson 5: Verifying Cisco ASA Cluster Operations

  • Cluster Licensing
  • Cluster Interface-Mode Verification
  • Cluster Member-Status Verification
  • Cluster Health-Status Verification
  • Cluster Connections State Table Verification
  • Cluster EtherChannel Status Verification
  • Cluster Aggregated ACL Hit-Count Verification
  • Cluster Memory and CPU Usage Verification
  • Cluster Traffic-Distribution Verification
  • TCP Flow-Rebalancing Verification
  • Cluster Operation Verification Using ASDM

Lesson 6: Troubleshooting Cisco ASA Cluster Operations

  • Cluster Packet Captures
  • Cluster Syslog Messages
  • Cluster Debug
  • Cluster Crashinfo and Coredump
  • Split-Cluster Scenario

Lesson 7: Describing Cisco ASA Version 9.1.4 and Later Clustering Features

  • More Switches Support for Clustering
  • ASA 5500-X Clustering Support (v9.1.4+)
  • 16 Units Cluster with 32 Active Members Port Channel Support (v9.2.1+)
  • BGP Support with Clustering (v9.3.1+)
  • Cluster Selective Interface Monitoring Support (v9.4.1+)
  • Individual Mode Inter-DC Clustering: Routed Firewall Mode Only (v9.1.4+)
  • Extended Spanned EtherChannel for Inter-DC Clustering: Transparent Firewall Mode Only (v9.2.1+)
  • Split Spanned EtherChannel Inter-DC Clustering: Transparent Firewall Mode Only (v9.2.1+)
  • Inter-DC Redundancy with a Split Cluster

Module 6: Cisco ASA Security Group Firewall and CoA

Lesson 1: Introducing Cisco Security Group Tagging

  • IEEE 802.1X Overview
  • Cisco Secure Access Architecture

Lesson 2: Configuring Cisco ASA Security Group Firewall

  • SG Firewall Configuration
  • SGACL Operations Monitoring

Lesson 3: Describing the Cisco ASA 9.2.1 and Later Releases SGT Features

  • Cisco ASA 9.2.1 SGT Support for VPN Users
  • Cisco ASA 9.3.1 VPN Inline SGT Tagging Support
  • Cisco ASA 9.3.1 Inline SGT Tagging Support
  • Cisco ASA Inline SGT Tagging Configurations

Lesson 4: Describing the Cisco ASA 9.2.1 and Later Releases CoA Support

  • RADIUS Change of Authorization Overview
  • ASA CoA Support Overview
  • ASA CoA CLI Configurations
  • ASA CoA ASDM Configurations

Lab Outline

Lab 1: Cisco Learning Lab Remote Access

  • Access the Learning@Cisco Hosted ASA Remote Lab

Lab 2: Cisco ASAv Basic Setup

  • Set Up and Test the ASAv

Lab 3: Cisco ASA 9.3 and 9.4.1 New Features

  • REST API
  • ACL Forward Reference
  • ACL Manual Commit
  • Policy Based Routing
  • Equal Cost Multi Path Routing
  • Reset the Inside PC Network Connectivity Through the ASA 5512-X Instead of the ASAv

Lab 4: Cisco CDA Configuration

  • Explore the Cisco CDA CLI
  • Manage the Cisco CDA CLI User Accounts
  • Explore the Cisco CDA GUI
  • Configure the Cisco CDA to Communicate with the Active Directory Server, Cisco ASA, and Syslog Server

Lab 5: Cisco ASA Identity-Based Firewall Configuration

  • Configure the ASA to Communicate with the Active Directory Server
  • Configure the ASA to Communicate with the CDA
  • Configure ASA User-Identity Options
  • Configure ASA Identity-Based Access Rules

Lab 6: Cisco ASA FirePOWER Services Module Installation

  • Install and Set Up the ASA FirePOWER (SFR) Services Module
  • Redirect Traffic to the ASA FirePOWER Services Module

Lab 7: Cisco FireSIGHT Management Center Configuration

  • Add the ASA FirePOWER Services Module in the Cisco FireSIGHT Management Center
  • Edit the Default FireSIGHT Network Discovery Rule
  • Configure the File Policy, Intrusion Policy, and Access Control Policy
  • Test ASA FirePOWER Basic IPS Operations
  • Test ASA FirePOWER Basic AMP Operations
  • Examine the FireSIGHT Network Discovery Results
  • Integrate FireSIGHT with Microsoft Active Directory
  • Set Up and Test User-Based Access Control Policy
  • Verify the Traffic Redirection to the ASA FirePOWER Services Module
  • Disable Traffic Redirection to the ASA FirePOWER Services Module
  • Shut Down and Uninstall the ASA FirePOWER Services Module

Lab 8: Cisco ASA Cloud Web Security Configuration

  • Configure the Cisco ASA-to-Cloud Web Security Integration

Lab 9: Cisco ASA Cluster Configuration

  • Configure Spanned EtherChannel Mode on Each ASA in the Cluster (Pod X ASA and Pod X+1 ASA)
  • Configure the Cluster Hostname on the Pod X ASA Only
  • Configure the CCL Using a Local EtherChannel on Each ASA in the Cluster (Pod X ASA and Pod X+1 ASA)
  • Configure the Management Interface in Individual (Layer 3) Mode on the Pod X ASA Only
  • Configure the (Inside and Outside) Data Interfaces in Spanned EtherChannel (Layer 2) Mode on the Pod X ASA Only
  • Configure the Cluster Bootstrap Configurations on Each ASA in the Cluster (Pod X ASA and Pod X+1 ASA)
  • Enable Clustering on the Pod X ASA Only
  • Enable Clustering on the Pod X+1 ASA
  • Verify and Manage the Cluster Operations Using the CLI
  • Verify the Cluster Operations Using the ASDM
  • Verify HTTP Connections Through the Cluster and Identify the Owner and Director of a Flow
  • Enable ICMP Inspection from the Master Unit
  • Simulate a Master Unit Failure and Observe the Results
  • Disable the Cluster
