Course Length:
5 Days
Course Description:
Securing Networks with ASA Advanced (SNAA) v1.0 is a five-day, instructor-led, lab-intensive course that teaches the knowledge and skills needed for advanced configuration, maintenance, and operation of Cisco ASA 5500 Series Adaptive Security Appliances. In SNAA 1.0, lessons have been updated to cover new features in Cisco ASA Security Appliance Software Version 8.0(2), including Policy NAT, Modular Policy Framework enhancements, ASA 5505 VLAN configuration, EIGRP routing, FTP support for SSL VPN, an onscreen keyboard for the SSL VPN, administrator-defined customization of all SSL VPN user-visible content, personal bookmarks for SSL VPN users, ASA as a local certificate authority, Cisco AnyConnect client configuration, Cisco Secure Desktop version 3.2, and Dynamic Access Policy. SNAA v1.0 replaces the Cisco Secure Virtual Private Networks (CSVPN) course and portions of the Securing Networks with PIX and ASA (SNPA) course. To cover the new features in ASA software v8.0 and to fully cover the VPN features of the ASA, the content of SNPA was split into two courses: SNAF, which covers the fundamentals, and SNAA, which covers more advanced topics. SNAA also uses the graphical user interface instead of the command-line interface to explain and discuss ASA configuration.
Who Should Attend:
The primary audience for this course includes Cisco customers who implement and maintain Cisco ASA security appliances. The secondary audience for this course includes Cisco channel partners who sell, implement, and maintain ASA security appliances, and Cisco engineers who support the sale of ASA security appliances.
Benefits of Attendance:
Upon completion of this course, students will be able to:
  • Describe the layer 7 modular policy framework for the security appliance and how it is configured.
  • Describe the layer 7 advanced protocol handling capabilities of the modular policy framework and how they are configured.
  • Identify the steps needed to configure the security appliance to segment traffic with VLANs.
  • Identify the steps needed to configure the security appliance for dynamic routing.
  • Explain the components and functionality of IPsec, and explain what digital certificates are and how they are used.
  • Identify the steps needed to configure the security appliance to establish LAN-to-LAN tunnels with digital certificates.
  • Identify the necessary steps to configure the IPsec VPN Client using digital certificates.
  • Identify the necessary steps to configure the security appliance for remote access using digital certificates.
  • Explain the advanced remote access features of the ASA.
  • Determine the necessary configuration for the ASA 5505 to be a VPN hardware client.
  • Identify the steps to configure QoS for VPN traffic.
  • List the steps needed to configure the WebVPN functionality of the security appliance.
  • Identify the basic clientless SSL VPN features of the security appliance.
  • Configure full network access SSL VPNs using the AnyConnect Client.
  • List the features and functionality of the Cisco Secure Desktop.
  • Configure CSD and DAP for SSL VPN connections on the Cisco ASA.
  • Identify and list the characteristics of the services modules for the ASA.
  • Identify the steps needed to configure, inspect, and filter traffic with the Content Security and Control SSM.
  • Identify the steps needed to configure the security appliance to identify, alert, and defend against attacks.
Prerequisites:
The knowledge and skills that a learner must have before attending this course include: SNAF v1.0, Cisco CCNA® certification or the equivalent knowledge, basic knowledge of the Microsoft Windows operating system, and familiarity with networking and security terms and concepts.
Course Outline:
  • Module 1: Advanced ASA NAT
    1. Applying NAT 0 and Policy NAT
    2. ACLs
    3. NAT
    4. Translation Behavior
    5. NAT Exemption
    6. Policy NAT
    7. Verify and Troubleshoot
  • Module 2: Advanced Protocol Handling
    1. Applying the Cisco Modular Policy Framework
    2. Modular Policy Framework Overview
    3. Configuring the Modular Policy Framework
    4. Configuring a Layer 7 Class Map
    5. Configuring a REGEX Class Map
    6. Configuring a Layer 7 Policy Map
    7. Verifying the Modular Policy Framework Configuration
    8. Handling Advanced Protocol
    9. Protocol Inspection Overview
    10. FTP Inspection
    11. HTTP Inspection
    12. Instant Messaging Inspection
    13. ESMTP Inspection
    14. DNS Inspection
    15. ICMP Inspection
    16. Verifying Protocol Inspection
  • Module 3: Dynamic Routing and Switching
    1. Switching with VLANs
    2. ASA VLAN Operations
    3. VLAN Configuration
    4. Configuring VLANs on the ASA 5505
    5. Verify VLANs
    6. Routing with Dynamic Protocols
    7. Dynamic versus Static Routing
    8. RIP
    9. OSPF
    10. EIGRP
    11. Redistribution
    12. Verification and Troubleshooting
  • Module 4: IPsec VPNs
    1. Understanding IPsec and Digital Certificates
    2. What is IPsec
    3. IPsec Operation
    4. Digital Certificates and Public Key Cryptography
    5. Certificates and Scalability
    6. Certificate Enrollment Process
    7. Validating the Certificate
    8. Certificate Revocation Lists
    9. Security Appliance Certificate Enrollment Support
    10. Key Pairs and Trustpoints
    11. Implementing Site-to-Site VPNs with Digital Certificates
    12. Site-to-Site VPNs
    13. Configuring CA Certificates
    14. Site-to-Site IPsec Connection Profiles
    15. Modifying Certificate to Connection Mapping
    16. Hub and Spoke
    17. Site-to-Site Redundancy
    18. Verifying Site-to-Site VPNs
    19. Troubleshooting Site-to-Site VPNs
    20. Configuring the Cisco VPN Client
    21. Cisco VPN Client
    22. Client Installation
    23. Digital Certificates with Cisco VPN Client
    24. Connection Entry
    25. Advanced Options
    26. Verify and Troubleshoot Client Configuration
    27. Implementing Remote Access VPNs with Digital Certificates
    28. Remote Access VPNs
    29. Configuring an ASA for Remote Access
    30. Installing ASA Certificates
    31. Defining a Remote Access Address Pool
    32. User Policy Attribute Inheritance
    33. Configuring an IPsec Connection Profile
    34. Configuring the Certificate to Connection Profile Policy
    35. Verifying Remote Access VPNs
    36. Troubleshooting Remote Access VPNs
    37. Configuring Advanced Remote Access Features and Policy
    38. Load Balancing
    39. Reverse Route Injection
    40. Backup Servers
    41. Intra-interface VPN Traffic
    42. NAT Transparency
    43. Client Update
    44. Split Tunneling
    45. Personal Firewalls
    46. Configuring the ASA 5505 as an Easy VPN Hardware Client
    47. Introduction to Cisco Easy VPN
    48. Cisco Easy VPN Server Policy
    49. Easy VPN Hardware Client
    50. IPsec VPNs and QoS
    51. QoS Overview
    52. ASA QoS
    53. Configuring QoS for VPNs
  • Module 5: SSL VPNs
    1. SSL VPN Technology Overview
    2. SSL Overview
    3. Clientless SSL VPN
    4. Cisco Secure Desktop (CSD)
    5. Configuring Clientless SSL VPNs
    6. Configuring Clientless SSL VPN
    7. Verifying Clientless SSL VPN Operation
    8. Configuring Port-Forwarding SSL VPN
    9. Verifying Port-Forwarding SSL VPN
    10. Configuring Additional SSL VPN Features
    11. Troubleshooting Clientless and Port-Forwarding SSL VPNs
    12. Configuring Full Network Access SSL VPNs
    13. Cisco Full Network Access SSL VPN Overview
    14. Configuring Cisco AnyConnect SSL VPN
    15. Verifying Cisco AnyConnect SSL VPN Operation
    16. Configuring Advanced Features for the Cisco AnyConnect SSL VPN Client
    17. Configuring Certificate-Based Authentication for AnyConnect SSL VPN
    18. Troubleshooting Cisco AnyConnect SSL VPN Client Operation
    19. Cisco Secure Desktop
    20. Cisco Secure Desktop Overview
    21. Cisco Secure Desktop Interoperability
    22. Preparing the ASA for Cisco Secure Desktop
    23. Securing the Desktop with CSD and DAP
    24. CSD Workflow
    25. Prelogin Assessment
    26. Secure Session
    27. Cache Cleaner
    28. Host Emulation and Keystroke Logger Detection
    29. Host Scan
    30. Dynamic Access Policy
    31. DAP Testing
  • Module 6: Security Services Modules
    1. Examining the SSMs
    2. Business Challenges
    3. SSMs
    4. CSC-SSM
    5. AIP-SSM
    6. AIP-SSM or CSC-SSM
    7. CSC-SSM: Getting Started
    8. CSC-SSM Overview
    9. CSC-SSM SW Loading
    10. Initial CLI CSC Configuration
    11. Initial Configuration of the CSC-SSM using CSC Setup Wizard from ASDM
    12. AIP-SSM: Getting Started
    13. AIP-SSM Overview
    14. AIP-SSM SW Loading
    15. Initial IPS ASDM Configuration
    16. Configure an IPS Security Policy
  • Lab 1-1: Implementing Advanced NAT
  • Lab 2-1: Implementing MPF for FTP and HTTP
  • Lab 3-1: Dynamic Routing with EIGRP and OSPF
  • Lab 4-1: Site-to-Site with Digital Certificates
  • Lab 4-2: Remote Access with Digital Certificates
  • Lab 4-3: ASA 5505 Easy VPN Hardware Client
  • Lab 5-1: Clientless SSL VPNs
  • Lab 5-2: SSL VPNs with AnyConnect Client
  • Lab 5-3: Cisco Secure Desktop and Dynamic Access Policy
  • Lab 6-1: Initializing AIP-SSM