Deploying Cisco ASA Firewall Solutions for CCNP Securityd2zmdbbm9feqrf.cloudfront.net/2012/usa/pdf/BRKCRT-8104.pdf · Deploying Cisco ASA Firewall Solutions for CCNP Security BRKCRT-8104

Mar 25, 2018


© 2012 Cisco and/or its affiliates. All rights reserved. BRKCRT-8104 Cisco Public

Deploying Cisco ASA Firewall Solutions for CCNP Security BRKCRT-8104

Mark Bernard, CCIE (Security 23846)

Page 3

Agenda

Overview of CCNP Security

FIREWALL Exam Information

FIREWALL Topics: Technical Introduction

What You Need to Know

Sample Questions

Q & A

Page 4

Disclaimer/Warning

This session will strictly adhere to Cisco’s rules of confidentiality

‒ We may not be able to address specific questions

‒ If you have taken the exam, please refrain from asking questions from the exam; this is a protection from disqualification

‒ We will be available after the session to direct you to resources to assist with specific questions or to provide clarification

Page 5

Overview of the CCNP Security Certification

Page 6

CCNP Security Certified Means…

•All four CCNP Security exams required. No elective options.

•Some legacy CCSP exams may qualify for CCNP Security credit. See FAQ:

https://learningnetwork.cisco.com/docs/DOC-10424

Exam No   Exam Name

642-637   Securing Networks with Cisco Routers and Switches (SECURE)

642-627   Implementing Cisco Intrusion Prevention System (IPS)

642-618   Deploying Cisco ASA Firewall Solutions (FIREWALL)

642-648   Deploying Cisco ASA VPN Solutions (VPN)

Page 7

"Cisco CCNP Security and Cisco’s Qualified Specialist—showed healthy numbers, as well, with a $93,995 average for the security title and an $87,247 average for those of you holding one or more of Cisco’s 20-plus Qualified Specialist certifications."

TCPmag.com

Redmond Media Group

Page 8

FIREWALL v2.0 Exam Information

642-618

Page 9

642-618 FIREWALL v2.0 Exam

90-minute exam

Register with Pearson Vue

‒ www.vue.com/.cisco

Exam cost is $200.00 US

Page 10

Special Exam Measures

Include the use of digital photographs for candidate-identity verification

Forensic analysis of testing data

Photo on Score Report and Web

Preliminary Score Report

Source: http://newsroom.cisco.com/dlls/2008/prod_072208.html

Page 11

Preparing for the FIREWALL v2.0 Exam

Recommended reading

CCNP Security Firewall 642-618 Quick Reference

CCNP Security FIREWALL 642-618 Official Cert Guide

Recommended training via CLP

DEPLOYING CISCO ASA FIREWALL SOLUTIONS V2.0

Cisco learning network

www.cisco.com/go/learnnetspace

Practical experience

Page 12

Testing Implementation Skills

Question formats

Declarative—a declarative exam item tests simple recall of pertinent facts

Procedural—a procedural exam item tests the ability to apply knowledge to solve a given issue

Complex procedural—A complex procedural exam item tests the ability to apply multiple knowledge points to solve a given issue

Types of questions

Drag and drop

Multiple choice

Simulation and simlet

Page 13

Test Taking Tips

Rule out the nonsense

Look for the best answer when multiple exist

Look for subtle keys

Narrow it down

Relate to how the device works

Don’t waste too much time

Page 14

Test Taking Tips

It’s not possible to cover everything!

We want you to get a feel for the technical level of the exam, not every topic possible

Give you suggestions, resources, some examples

Will focus on key topics

Page 15

Firewall v2.0 High-Level Topics

Page 16

High-Level Topics

Cisco ASA Adaptive Security Appliance Basic Configurations

ASA Routing Features

ASA Inspection Policy

ASA Advanced Network Protections

ASA High Availability

Page 17

Topic 1

Cisco ASA Adaptive Security Appliance Basic Configurations

Page 18

Topic 1: What You Need to Know

Identify the ASA product family

Implement ASA licensing

Manage the ASA boot process

Implement ASA interface settings

Implement ASA management features

Implement ASA access control features

Implement Network Address Translation (NAT) on the ASA

Implement ASDM public server feature

Implement ASA quality of service (QoS) settings

Implement ASA transparent firewall

Page 19

Cisco ASA 5500 Series Portfolio

[Figure: models arranged by performance and scalability, from SOHO through Branch Office, Internet Edge and Campus to Data Center]

Multi-Service (Firewall/VPN and IPS)

‒ ASA 5585-X SSP-60 (40 Gbps, 350K cps)

‒ ASA 5585-X SSP-40 (20 Gbps, 200K cps)

‒ ASA 5585-X SSP-20 (10 Gbps, 125K cps)

‒ ASA 5585-X SSP-10 (4 Gbps, 50K cps)

‒ ASA 5555-X (4 Gbps, 50K cps) NEW

‒ ASA 5545-X (3 Gbps, 30K cps) NEW

‒ ASA 5525-X (2 Gbps, 20K cps) NEW

‒ ASA 5515-X (1.2 Gbps, 15K cps) NEW

‒ ASA 5512-X (1 Gbps, 10K cps) NEW

‒ ASA 5550 (1.2 Gbps, 36K cps)

‒ ASA 5540 (650 Mbps, 25K cps)

‒ ASA 5520 (450 Mbps, 12K cps)

‒ ASA 5510 + (300 Mbps, 9K cps)

‒ ASA 5510 (300 Mbps, 9K cps)

Firewall/VPN Only (SOHO)

‒ ASA 5505 (150 Mbps, 4K cps)

Page 20

Implement ASA licensing

Page 21

Install and Verify Licensing Using ASDM

Page 22

Install and Verify Licensing Using ASDM (Cont.)

Page 23

Manage the ASA boot process

To change the OS boot image to a new image name, enter the following:

asa(config)# clear configure boot

asa(config)# boot system {disk0:/ | disk1:/}[path/]new_filename

For example:

asa(config)# clear configure boot

asa(config)# boot system disk0:/asa841-k8.bin

To configure the ASDM image to the new image name, enter the following command:

asa(config)# asdm image {disk0:/ | disk1:/}[path/]new_filename

Save the configuration and reload:

asa(config)# write memory

asa(config)# reload

Page 24

Implement ASA interface settings

1. Interface name

2. Interface security level

3. IP address and subnet mask

4. Enable interface

[Diagram: Inside 192.168.1.80/24, Outside 10.1.1.80/24, Internet]

asa(config)# interface ethernet0/0

asa(config-if)# nameif inside

asa(config-if)# security-level 100

asa(config-if)# ip address 192.168.1.80 255.255.255.0

asa(config-if)# no shutdown

Page 25

Configure Network and Interface Settings (Cont.)

Inter-Interface Or Intra-Interface Communication

Page 26

Implement ASA management features

To configure the firewall for ASDM access via the CLI:

asa(config)# http server enable

asa(config)# http 192.168.1.2 255.255.255.255 inside

To configure the firewall for SSH access via the CLI:

asa(config)# crypto key generate rsa modulus 1024

asa(config)# write memory

asa(config)# aaa authentication ssh console LOCAL

WARNING: local database is empty! Use 'username' command to define local users.

asa(config)# username asauser1 password asauser1_password

asa(config)# ssh 192.168.1.2 255.255.255.255 inside

asa(config)# ssh timeout 30

Page 27

Implement ASA User Roles

Setting Privilege Level

Page 28

Security Appliance ACL Configuration

Security appliance configuration philosophy is interface based

Interface ACL permits or denies the initial packet incoming or outgoing on that interface

Return traffic does not need to be specified if inspected

If no ACL is attached to an interface, the following ASA policy applies

‒ Outbound packet is permitted by default

‒ Inbound packet is denied by default

ACLs can be simplified by defining object groups for IP addresses and services

[Diagram: Outside and Inside interfaces with the Internet beyond the outside interface; an ACL on the outside interface for inbound access and an ACL on the inside interface to deny outbound access]
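As an added example (not from the slide deck), the following Python models the decision the slide describes: when an interface carries an ACL, that ACL decides the initial packet; when it carries none, the ingress and egress security levels decide. The interface names, levels, addresses and the single ACL entry are constructed sample data (the ACL entry mirrors the static NAT example later in the deck).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Ace:
    """One access-list entry. Networks are CIDR strings or "any"; a dport of
    None matches any destination port."""
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches every protocol, otherwise "tcp"/"udp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass
class Interface:
    name: str
    security_level: int
    acl_in: Optional[List[Ace]] = None   # bound with: access-group <acl> in interface <name>


def _in_net(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def _ace_matches(ace: Ace, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
    if ace.proto != "ip" and ace.proto != proto:
        return False
    if ace.dport is not None and ace.dport != dport:
        return False
    return _in_net(ace.src, src) and _in_net(ace.dst, dst)


def evaluate_acl(acl: List[Ace], proto: str, src: str, dst: str,
                 dport: Optional[int]) -> Tuple[bool, str]:
    """Top-down, first match wins; every ACL ends with an implicit deny."""
    for ace in acl:
        if _ace_matches(ace, proto, src, dst, dport):
            return ace.action == "permit", f"matched '{ace.action} {ace.proto} {ace.src} {ace.dst}'"
    return False, "implicit deny at the end of the ACL"


def initial_packet_allowed(ingress: Interface, egress: Interface, proto: str, src: str, dst: str,
                           dport: Optional[int] = None,
                           same_security_permitted: bool = False) -> Tuple[bool, str]:
    """Decision for the first packet of a connection arriving on `ingress` and
    leaving via `egress`. Return traffic of an established, inspected connection
    is matched in the connection table and is not evaluated against the ACL again."""
    if ingress.acl_in is not None:
        return evaluate_acl(ingress.acl_in, proto, src, dst, dport)
    if ingress.security_level > egress.security_level:
        return True, "no ACL: higher-to-lower security level is permitted by default"
    if ingress.security_level == egress.security_level and same_security_permitted:
        return True, "no ACL: equal levels and same-security-traffic permit inter-interface is set"
    return False, "no ACL: lower-to-higher (or equal) security level is denied by default"


def demo() -> dict:
    """Constructed topology: inside (100) and dmz (50) carry no ACL; outside (0)
    carries an inbound ACL that admits any IP traffic to the DMZ web server's
    real address 192.168.1.23 (post-8.3 ACLs reference real, untranslated addresses).
    External hosts are taken from the 203.0.113.0/24 documentation range."""
    inside = Interface("inside", 100)
    dmz = Interface("dmz", 50)
    outside = Interface("outside", 0, acl_in=[Ace("permit", "ip", "any", "192.168.1.23/32")])
    return {
        "inside_to_internet": initial_packet_allowed(inside, outside, "tcp", "10.1.1.100", "203.0.113.10", 443),
        "internet_to_dmz_web": initial_packet_allowed(outside, dmz, "tcp", "203.0.113.7", "192.168.1.23", 80),
        "internet_to_dmz_other": initial_packet_allowed(outside, dmz, "tcp", "203.0.113.7", "192.168.1.50", 22),
        "dmz_to_inside": initial_packet_allowed(dmz, inside, "tcp", "192.168.1.23", "10.1.1.100", 445),
        "inside_to_dmz": initial_packet_allowed(inside, dmz, "tcp", "10.1.1.100", "192.168.1.23", 80),
    }
```

The dmz-to-inside case is the one worth noticing: a compromised DMZ host gets no path inward unless an ACL on the dmz interface explicitly opens one.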

Page 29

Security Appliance ACL Configuration

Page 30

Security Appliance ACL Configuration

Page 31

Security Appliance ACL Configuration

Page 32

Security Appliance ACL Configuration

Page 33

NAT Overview

Network Address Translation (NAT) and Port Address Translation (PAT)

Used to translate IP addresses and ports

Not required by default (NAT control is disabled)

Concepts

Static NAT and static policy NAT

Dynamic NAT and dynamic policy NAT

Identity NAT

Page 34

NAT Post ASA Version 8.3

NAT is redesigned in 8.3 and above to simplify operations:

A single rule to translate the source and destination IP address.

You can also manually establish the order in which NAT rules are processed.

Introduction of NAT to "any" interface

Two NAT modes are available in 8.3 and above:

Network Object NAT: a translation rule defined within a network object. Well suited for source-only NAT. Sometimes referred to as "Auto-NAT".

Manual NAT: policy-based NAT for when both the source and destination addresses need to be considered. Sometimes referred to as Twice NAT.

Page 35

Dynamic NAT Using Network Object NAT

The following example configures dynamic NAT that maps (dynamically hides) the 10.1.1.0 network to the outside interface address:

asa(config)# object network Network-Inside-Out

asa(config-network-object)# subnet 10.1.1.0 255.255.255.0

asa(config-network-object)# description Nat Inside Users To Outside Interface

asa(config-network-object)# nat (inside,outside) dynamic interface

[Diagram: inside hosts 10.1.1.100, 10.1.1.101 and 10.1.1.102 hidden behind the outside interface address 96.33.100.1 on the way to an external web server on the Internet]

Page 36

Network Object NAT On The ASDM

[Screenshot callouts: Select Network Object; Check Auto Translation Rule]

Page 37

Static Object NAT Example

The following example configures a translation to a web server in the DMZ. The external address in DNS is 96.33.100.5 and the internal address is 192.168.1.23:

asa(config)# object network DMZ-WEBSERVER

asa(config-network-object)# host 192.168.1.23

asa(config-network-object)# description Static Nat For DMZ WebServer

asa(config-network-object)# nat (dmz,outside) static 96.33.100.5

asa(config-network-object)# exit

asa(config)# access-list outside-in permit ip any host 192.168.1.23

asa(config)# access-group outside-in in interface outside

Note that the access list references the real (untranslated) address 192.168.1.23 rather than the mapped address, as ASA 8.3 and later require.

[Diagram: an external host on the Internet reaching the DMZ web server at 96.33.100.5 (real address 192.168.1.23); inside network behind the ASA]

Page 38

Static PAT (Object NAT)

Used to create a translation between the outside interface address/port and a local IP address/port.

– 96.33.100.2/HTTP redirected to 192.168.1.100/HTTP

– 96.33.100.2/FTP redirected to 192.168.1.101/FTP

[Diagram: an external user on the Internet reaching HTTP and FTP on 96.33.100.2; HTTP server 192.168.1.100 and FTP server 192.168.1.101 behind the ASA]

Page 39

Static PAT (Object NAT)

asa(config)# object network DMZ-WEBSERVER

asa(config-network-object)# host 192.168.1.100

asa(config-network-object)# nat (dmz,outside) static interface service tcp www www

asa(config)# object network DMZ-FTPSERVER

asa(config-network-object)# host 192.168.1.101

asa(config-network-object)# nat (dmz,outside) static interface service tcp ftp ftp

[Diagram: HTTP server 192.168.1.100 and FTP server 192.168.1.101 behind the ASA, published on 96.33.100.2 toward the Internet]

Page 40

Manual Twice NAT

asa(config)# object network contractors

asa(config-network-object)# subnet 10.2.2.0 255.255.255.0

asa(config)# object network translated-ip

asa(config-network-object)# host 96.33.100.100

asa(config)# object network cisco-dot-com

asa(config-network-object)# host 64.32.2.4

asa(config-network-object)# exit

asa(config)# nat (inside,outside) source static contractors translated-ip destination static cisco-dot-com cisco-dot-com

[Diagram: Inside Users 10.1.1.0 and Contractors 10.2.2.0 on the inside; outside interface 96.33.100.1 and translated address 96.33.100.100; www.cisco.com at 64.32.2.4 on the outside]

Page 41

Manual Twice NAT

[Diagram, repeated from the previous slide: Inside Users 10.1.1.0 and Contractors 10.2.2.0 on the inside; outside interface 96.33.100.1 and translated address 96.33.100.100; www.cisco.com at 64.32.2.4 on the outside]

Page 42

Identity NAT Example (Manual NAT)

asa(config)# object network vpn-subs

asa(config-network-object)# range 192.168.3.1 192.168.3.63

asa(config-network-object)# exit

asa(config)# nat (inside,outside) source static inside-net inside-net destination static vpn-subs vpn-subs

(inside-net is assumed to be a network object for the inside subnet defined earlier; the slide does not show its definition.)

[Diagram: Inside to Outside across a VPN tunnel to Branch A]

Original packet: source 10.1.1.15, destination 192.168.3.3

Translated packet: source 10.1.1.15, destination 192.168.3.3 (identity NAT leaves both addresses unchanged)
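As an added example (not from the slide deck), here is a Python model of how the post-8.3 NAT table is consulted for the rules shown on the NAT slides: manual (twice) NAT in section 1 is checked before network object NAT in section 2, static object rules are ordered before dynamic ones, and only static rules let a connection be initiated from the outside. It assumes 96.33.100.1 as the outside interface address for every rule (the slides use 96.33.100.1 and 96.33.100.2 in different examples) and uses constructed external hosts from 203.0.113.0/24.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Assumption: one outside interface address shared by every "interface" rule below.
OUTSIDE_IF_ADDR = "96.33.100.1"


@dataclass
class ObjectNat:
    """nat (real_if,mapped_if) ... configured inside a network object (section 2)."""
    real: str                   # host/32 or subnet of the network object
    real_if: str
    mapped_if: str
    kind: str                   # "static", "static_pat" or "dynamic_pat"
    mapped: str                 # mapped address, or "interface"
    port: Optional[int] = None  # static_pat: the TCP port published on the mapped address


@dataclass
class TwiceNat:
    """nat (real_if,mapped_if) source static A B destination static C C (section 1)."""
    real_if: str
    mapped_if: str
    src_real: str
    src_mapped: str
    dst_real: str
    dst_mapped: str


def _in(addr: str, spec: str) -> bool:
    return ip_address(addr) in ip_network(spec, strict=False)


def _mapped_addr(rule: ObjectNat) -> str:
    return OUTSIDE_IF_ADDR if rule.mapped == "interface" else rule.mapped


def ordered_object_rules(rules: List[ObjectNat]) -> List[ObjectNat]:
    """Section 2 order: static rules before dynamic ones, then the rule with fewer
    real addresses (longer prefix) first, regardless of configuration order."""
    return sorted(rules, key=lambda r: (0 if r.kind.startswith("static") else 1,
                                        -ip_network(r.real, strict=False).prefixlen))


def translate_outbound(twice: List[TwiceNat], objects: List[ObjectNat],
                       in_if: str, out_if: str, src: str, dst: str) -> Tuple[str, str, str]:
    """Real -> mapped for the first packet of a connection leaving via out_if.
    Section 1 (manual NAT, in configured order) is consulted before section 2."""
    for r in twice:
        if (r.real_if, r.mapped_if) == (in_if, out_if) and _in(src, r.src_real) and _in(dst, r.dst_real):
            return r.src_mapped, r.dst_mapped, f"twice NAT {r.src_real}->{r.src_mapped} for dst {r.dst_real}"
    for r in ordered_object_rules(objects):
        if (r.real_if, r.mapped_if) == (in_if, out_if) and _in(src, r.real):
            if r.kind == "static":
                return _mapped_addr(r), dst, f"static object NAT {r.real}->{_mapped_addr(r)}"
            if r.kind == "dynamic_pat":
                return _mapped_addr(r), dst, f"dynamic PAT {r.real} hidden behind {_mapped_addr(r)}"
            # static_pat publishes a single port; other outbound traffic from that host
            # is not translated by it, so keep looking for a later rule
    return src, dst, "no matching NAT rule: forwarded untranslated"


def untranslate_inbound(objects: List[ObjectNat], in_if: str, dst_mapped: str,
                        dport: Optional[int] = None) -> Tuple[Optional[str], str]:
    """Mapped -> real for a connection initiated from the mapped side. Only static
    rules (one-to-one or static PAT) admit inbound initiation; dynamic PAT never does."""
    for r in ordered_object_rules(objects):
        if r.mapped_if != in_if or dst_mapped != _mapped_addr(r):
            continue
        if r.kind == "static":
            return r.real.split("/")[0], f"static object NAT {_mapped_addr(r)}->{r.real}"
        if r.kind == "static_pat" and dport == r.port:
            return r.real.split("/")[0], f"static PAT tcp/{dport} -> {r.real}"
    return None, "no static translation for this address/port: inbound connection cannot be built"


def build_rules() -> Tuple[List[TwiceNat], List[ObjectNat]]:
    """The rules from the slides: dynamic PAT for 10.1.1.0/24, the DMZ web server
    static NAT, two static PAT publications, and the contractors twice NAT."""
    objects = [
        ObjectNat("10.1.1.0/24", "inside", "outside", "dynamic_pat", "interface"),
        ObjectNat("192.168.1.23/32", "dmz", "outside", "static", "96.33.100.5"),
        ObjectNat("192.168.1.100/32", "dmz", "outside", "static_pat", "interface", 80),
        ObjectNat("192.168.1.101/32", "dmz", "outside", "static_pat", "interface", 21),
    ]
    twice = [TwiceNat("inside", "outside", "10.2.2.0/24", "96.33.100.100", "64.32.2.4/32", "64.32.2.4")]
    return twice, objects
```

Running the contractors' subnet against a destination other than 64.32.2.4 shows the gap these rules leave: no rule hides 10.2.2.0/24, so such traffic leaves with its real source address.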

Page 43

Implement ASA quality of service (QoS) settings

Page 44

Implement ASA transparent firewall

Page 45

Explain Differences Between L2 and L3 Operating Modes

The security appliance can run in two mode settings:

‒ Routed—based on IP address

‒ Transparent—based on MAC address

The following features are not supported in transparent mode:

‒ NAT

‒ Dynamic routing protocols

‒ IPv6

‒ DHCP relay

‒ Quality of service

‒ Multicast

‒ VPN termination for through traffic

[Diagram: Routed Mode with 10.0.1.0 on VLAN 100 and 10.0.2.0 on VLAN 200; Transparent Mode with 10.0.1.0 on both VLAN 100 and VLAN 200]

Page 46

Configure Security Appliance for Transparent Mode (L2)

Layer 3 traffic must be explicitly permitted

Each directly connected network must be on the same subnet

The management IP address must be on the same subnet as the connected network

Do not specify the firewall appliance management IP address as the default gateway for connected devices

Devices need to specify the router on the other side of the firewall appliance as the default gateway

Each interface must be a different VLAN interface

[Diagram: Transparent Mode with VLAN 100 and VLAN 200 both on 10.0.1.0; management IP address 10.0.1.1; router 10.0.1.10 toward the Internet; hosts with IP 10.0.1.3 and IP 10.0.1.4, both using GW 10.0.1.10]

asa(config)# firewall transparent

Switched to transparent mode

asa(config)# show firewall

Firewall mode: Transparent

Page 47

Verify the Firewall Mode of the Security Appliance Using ASDM

Page 48

Topic 2

ASA Routing Features

Page 49

Topic 2: What You Need to Know

Implement ASA static routing

Implement ASA dynamic routing

Page 50

ASA Routing Capabilities

Static routing

Dynamic routing

‒ RIP

‒ OSPF

‒ EIGRP

Multicast Stub or Bi-directional PIM

[Diagram: ASA with Outside (toward the Internet), Inside, DMZ1 and DMZ2 interfaces]

Page 51

Implement ASA static routing

Page 52

Configuring Static Routes

[Diagram: outside next hop 10.10.10.1 toward the Internet]

asa(config)# route outside 0 0 10.10.10.1

asa(config)# sh run | inc route

route outside 0.0.0.0 0.0.0.0 10.10.10.1 1

route inside 192.168.10.0 255.255.255.0 192.168.1.2 1

route inside 192.168.10.0 255.255.255.0 192.168.2.1 2

route inside 192.168.30.0 255.255.255.0 192.168.1.2 1
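As an added example (not from the slide deck), this Python parses the route lines shown above and performs the lookup the ASA would: longest prefix first, then lowest administrative distance, so the second route to 192.168.10.0 (distance 2) is a floating backup that carries traffic only once the distance-1 route is withdrawn. The withdrawn_gateways parameter and the sample destinations are constructed.

```python
from ipaddress import IPv4Network, ip_address, ip_network
from typing import FrozenSet, List, NamedTuple, Optional


class StaticRoute(NamedTuple):
    interface: str
    network: IPv4Network
    gateway: str
    distance: int          # administrative distance; the ASA default is 1


def parse_route_lines(config_text: str) -> List[StaticRoute]:
    """Parse 'route <if> <net> <mask> <gateway> [distance]' lines as printed by
    'show run | include route'. The '0 0' shorthand typed at the CLI is accepted."""
    routes = []
    for line in config_text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "route":
            continue
        ifname, net, mask, gw = parts[1:5]
        distance = int(parts[5]) if len(parts) > 5 else 1
        net = "0.0.0.0" if net == "0" else net
        mask = "0.0.0.0" if mask == "0" else mask
        routes.append(StaticRoute(ifname, ip_network(f"{net}/{mask}"), gw, distance))
    return routes


def lookup(routes: List[StaticRoute], dest: str,
           withdrawn_gateways: FrozenSet[str] = frozenset()) -> Optional[StaticRoute]:
    """Longest prefix wins; between routes to the same prefix only the lowest
    administrative distance is installed. The higher-distance (floating) route
    takes over only once the preferred route is withdrawn, e.g. because its
    interface went down or an SLA tracker declared the gateway unreachable;
    `withdrawn_gateways` models that withdrawal."""
    candidates = [r for r in routes
                  if ip_address(dest) in r.network and r.gateway not in withdrawn_gateways]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.network.prefixlen, r.distance))


# The routing table from the slide, embedded as sample input.
SLIDE_ROUTES = """\
route outside 0.0.0.0 0.0.0.0 10.10.10.1 1
route inside 192.168.10.0 255.255.255.0 192.168.1.2 1
route inside 192.168.10.0 255.255.255.0 192.168.2.1 2
route inside 192.168.30.0 255.255.255.0 192.168.1.2 1
"""
```

Note what happens to 192.168.30.0/24 when 192.168.1.2 is withdrawn: it has no floating route, so that traffic falls through to the default route out the outside interface.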

Page 53

Implement ASA Dynamic routing

Page 54

Configuring EIGRP (Step 1)

Page 55

Configuring EIGRP (Step 2)

Page 56

Configuring EIGRP (Step 3)

Page 57

Configure VLANs

Physical interfaces are separated into sub-interfaces (logical interfaces)

802.1Q trunking

[Diagram: one physical interface as an 802.1Q trunk port carrying vlan10, vlan20 and vlan30 to sub-interfaces dmz1 172.16.10.1, dmz2 172.16.20.1 and dmz3 172.16.30.1, which host a public server, a partner server and a proxy server; inside networks 192.168.1.0 and 10.1.1.0; Internet]

Page 58

Logical and Physical Interfaces

Page 59

Topic 3

ASA Inspection Policy

Page 60

Topic 3: What You Need to Know

Implement ASA inspections features

Page 61

Advanced Protocol Inspection

Advanced protocol inspection gives you options such as the following for defending against application layer attacks:

Blocking *.exe attachments

Prohibiting use of Kazaa or other peer-to-peer file-sharing programs

Setting limits on URL lengths

Prohibiting file transfer or whiteboard as part of IM sessions

Protecting your web services by ensuring that XML schema is valid

Resetting a TCP session if it contains a string you know is malicious

Dropping sessions with packets that are out of order

[Diagram: blocked items such as a .exe attachment, an over-long URL (http://www.example.com/long/URL/far2long), an IM whiteboard and Kazaa]

Page 62

Configuring Layer 3/4 Inspection

1. Create a Layer 3/4 class map to identify traffic by matching:

‒ An ACL

‒ Any packet

‒ The default inspection traffic

‒ A DSCP value

‒ A destination IP address

‒ TCP or UDP ports

‒ IP precedence

‒ RTP ports

‒ A tunnel-group

2. Create a Layer 3/4 policy map to associate one of the following policy actions with traffic defined in a Layer 3/4 class map:

‒ TCP normalization

‒ TCP and UDP connection limits and timeouts

‒ TCP sequence number randomization

‒ Application inspection

‒ Cisco CSC

‒ Cisco IPS

‒ QoS policing

‒ QoS priority queuing

3. Use a service policy to activate the Layer 3/4 policy.

Page 63:

Configuring Layer 7 Inspection

1. Create a Layer 7 class map to identify traffic by matching criteria specific to one of these applications: DNS, FTP, H.323, HTTP, IM, RTSP, SIP

2. Create a Layer 7 policy map to defend against Application Layer attacks by referencing a Layer 7 class map and applying an action

3. Create a Layer 3/4 policy map to associate traffic defined in a Layer 3/4 class map with an inspection action that references the Layer 7 policy map

4. Use a service policy to activate the Layer 3/4 policy on an interface or globally

Page 64:

Layer 3/4 Class Maps vs. Layer 7 Class Maps

Layer 3/4 Class Maps

Match traffic based on protocols, ports, IP addresses, and other layer 3 or 4 attributes: ACL, any packet, default inspection traffic, IP differentiated services code point, TCP and UDP ports, IP precedence, RTP port numbers, VPN tunnel group

Typically contain only one match condition

Are mandatory MPF components

Layer 7 Class Maps

Work with layer 7 policy maps to implement advanced protocol inspection

Match criteria are specific to one of the following applications: DNS, FTP, H.323, HTTP, IM, RTSP, SIP

Enable you to specify a not operator for a match condition

Can contain one or more match conditions

Can use regular expressions as match criteria

Are optional MPF components (match criteria can be specified in a layer 7 policy map instead)

Page 65:

Layer 3/4 Policy Maps vs. Layer 7 Policy Maps

Layer 3/4 Policy Maps

Used to create the following policy types: application inspection, TCP normalization, TCP and UDP connection limits and timeouts, TCP sequence number randomization, Cisco CSC, Cisco IPS, QoS input policing, QoS output policing, QoS priority queue

Must be applied to an interface or globally via a service policy

Are mandatory MPF components

Layer 7 Policy Maps

Implement advanced protocol inspection, which defends against application layer attacks

Also called Inspection Policy Maps

Can be used for advanced inspection of: DCERPC, DNS, ESMTP, FTP, GTP, H.323, HTTP, IM, IPsec Pass Through, MGCP, NetBIOS, RTSP, SCCP (Skinny), SIP, SNMP

Must be applied to a layer 3/4 policy map

Are optional MPF components

Page 66:

Filtering FTP Commands: Layer 7 Policy Map (ASDM screenshot)

Page 67:

Filtering FTP Commands: Layer 7 Policy Map (Cont.) (ASDM screenshot)

Page 68:

Filtering FTP Commands: Service Policy Rule (ASDM screenshot)

Page 69:

Filtering FTP Commands: Service Policy Rule (Cont.) (ASDM screenshot)
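The CLI behind the Layer 3/4 and Layer 7 procedure on pages 62 to 65 and the FTP command filtering shown in the ASDM screenshots above, with an HTTP inspection policy for two of the page 61 options (blocking .exe downloads and capping URL length). This is an added example, not configuration from the slides or from Cisco; the class map, policy map and regex names, the interface name outside, the list of denied FTP commands and the 1024-byte URL limit are assumptions.

```text
! Added example, not from the slides. Names, the "outside" interface and the limits are assumptions.

! ---- Layer 7 class map and inspection policy map for FTP ----
! Deny uploads and destructive commands; the control channel is still inspected and the
! data connection is still opened dynamically for the commands that remain allowed.
class-map type inspect ftp match-all FTP-DENY-CMDS
 match request-command put stou appe dele rmd rnfr rnto

policy-map type inspect ftp FTP-POLICY
 parameters
  mask-banner
  mask-syst-reply
 class FTP-DENY-CMDS
  reset log

! ---- Layer 7 class map and inspection policy map for HTTP ----
! The regex is not anchored (ASA regex syntax), so it also hits ".exe" inside a query
! string; for a block rule that is the conservative choice.
regex EXE-URI "\.[Ee][Xx][Ee]"
class-map type inspect http match-any HTTP-BLOCK
 match request uri regex EXE-URI
 match request uri length gt 1024

policy-map type inspect http HTTP-POLICY
 parameters
  protocol-violation action drop-connection log
 class HTTP-BLOCK
  drop-connection log

! ---- Layer 3/4 class maps: one match condition each ----
class-map FTP-TRAFFIC
 match port tcp eq ftp
class-map HTTP-TRAFFIC
 match port tcp eq www

! ---- Layer 3/4 policy map: the Layer 7 policies become inspection actions ----
policy-map OUTSIDE-POLICY
 class FTP-TRAFFIC
  inspect ftp strict FTP-POLICY
 class HTTP-TRAFFIC
  inspect http HTTP-POLICY

! ---- Service policy: activate on the interface ----
! An interface policy takes precedence over global_policy for the features it configures.
service-policy OUTSIDE-POLICY interface outside

! Verification
show service-policy interface outside
show running-config policy-map
```

Two checks before relying on this: strict FTP inspection resets sessions whose commands do not follow RFC 959, so test it against the clients you actually have; and the HTTP policy only sees what the Layer 3/4 class hands to the HTTP inspector (TCP/80 here), so HTTPS and HTTP on other ports are untouched unless you classify them too.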

Page 70:

Topic 4

ASA Advanced Network Protection

Page 71:

What You Need to Know

Configure Threat Detection on the ASA

Implement ASA Botnet Traffic Filter

Page 72:

Task Flow for Configuring the ASA Botnet Traffic Filter

To configure the Botnet Traffic Filter, perform the following steps:

1. Enable use of the dynamic database.

2. (Optional) Add static entries to the database.

3. Enable DNS snooping.

4. Enable traffic classification and actions for the Botnet Traffic Filter.

5. (Optional) Block traffic manually based on syslog message information.
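The five-step task flow above as CLI. This is an added example, not configuration from the slides or from Cisco; the DNS server address, the interface name outside, the static blacklist and whitelist entries and the host that is shunned at the end are assumptions.

```text
! Added example, not from the slides. Addresses, names and the "outside" interface are assumptions.

! Prerequisite: the updater client must be able to resolve and reach the Cisco update server
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 198.51.100.53

! Step 1: enable the dynamic database (needs the Botnet Traffic Filter license)
dynamic-filter updater-client enable
dynamic-filter use-database

! Step 2 (optional): static entries. A blacklist entry blocks a known-bad name or subnet;
! a whitelist entry exempts a name that the dynamic feed mis-classifies.
dynamic-filter blacklist
 name c2.bad.example
 address 203.0.113.0 255.255.255.0
dynamic-filter whitelist
 name updates.corp.example

! Step 3: DNS snooping. The filter learns which addresses belong to listed names by
! watching DNS replies, so DNS inspection must see the traffic. global_policy already
! inspects DNS with preset_dns_map; adding the snoop parameter there is enough.
policy-map type inspect dns preset_dns_map
 parameters
  dynamic-filter-snoop

! Step 4: classify and act. "enable" classifies and logs; "drop blacklist" is what actually
! drops. Grey (ambiguous) addresses are treated as black only if you say so.
dynamic-filter enable interface outside
dynamic-filter drop blacklist interface outside
dynamic-filter ambiguous-is-black

! Step 5 (optional): block a host by hand from the %ASA-4-338xxx syslog evidence
shun 10.0.2.55

! Verification
show dynamic-filter updater-client
show dynamic-filter dns-snoop
show dynamic-filter statistics
show shun
```

Run with dynamic-filter enable alone for a while and read the 338xxx syslogs before adding the drop line; a whitelist entry is cheaper than explaining why a vendor's update server was blocked.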

Page 73:

Configure Threat Detection

(Slide graphic: an attacker on the Internet targeting a DMZ server through the ASA.)

Basic threat detection

- Monitors the rate of dropped packets and security events per second by category (ACL drops, bad packets, connection-limit drops, DoS drops, firewall drops, ICMP drops, inspection drops, interface overload, scanning, SYN attacks)

- When a configured average or burst rate is exceeded the ASA generates a syslog message (%ASA-4-733100); basic threat detection monitors and alerts only, it does not block anything by itself

- Enabled by default

Scanning threat detection

- Tracks hosts that scan ports or addresses and, only if configured with the shun keyword, shuns them; without it, it only logs

- Disabled by default

Page 74:

Configuring Threat Detection
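The CLI equivalent of the threat detection screen above, added as an example (not configuration from the slides or from Cisco); the rate values, the exempt object group and its addresses, and the address cleared at the end are assumptions.

```text
! Added example, not from the slides. Rates, the exempt object group and the addresses are assumptions.

! Basic threat detection is on by default. It only counts drops and events and raises
! %ASA-4-733100 when a rate is exceeded; nothing is blocked.
threat-detection basic-threat
! Tune one category: 10-minute average plus a burst window
threat-detection rate dos-drop rate-interval 600 average-rate 100 burst-rate 400

! Scanning threat detection is off by default. Without "shun" it only logs (%ASA-4-733101);
! with "shun" the ASA drops all traffic from the scanning host for the shun duration.
! Exempt hosts that legitimately touch many ports or addresses (vulnerability scanners,
! monitoring, DNS) or the feature will shun your own infrastructure.
object-group network TD-EXEMPT
 network-object host 10.0.2.10
 network-object 10.0.3.0 255.255.255.0
threat-detection scanning-threat shun except object-group TD-EXEMPT
threat-detection scanning-threat shun duration 3600
threat-detection rate scanning-threat rate-interval 600 average-rate 5 burst-rate 10

! Per-host and per-ACE statistics feed the ASDM top-attacker views; they cost CPU and
! memory, so enable them selectively on busy units.
threat-detection statistics host number-of-rate 2
threat-detection statistics access-list

! Verification and response
show threat-detection rate
show threat-detection scanning-threat attacker
show threat-detection shun
clear threat-detection shun 192.0.2.44
```

The shun list is the one place this feature takes action, so review show threat-detection shun after enabling it; a legitimate host that got shunned is released with clear threat-detection shun and should then be added to the exempt group.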

Page 75:

Topic 5

ASA High Availability

Page 76:

Topic 5: What You Need to Know

Implement ASA Interface redundancy and load sharing features

Implement ASA virtualization feature

Implement ASA stateful failover

Page 77:

Implement ASA Interface redundancy and load sharing features

Page 78:

Configure Redundant Interfaces Using ASDM

A logical redundant interface pairs an active and a standby physical interface.

When the active interface fails, the standby interface becomes active and starts passing traffic.

Used to increase the reliability of the adaptive security appliance against a single link or port failure; it does not add bandwidth (for that, use an EtherChannel).

You can include a redundant interface in failover interface monitoring with the monitor-interface command.

Page 79:

Configure Redundant Interfaces Using ASDM (Cont.)

Select Add Interface, then Redundant Interface

Page 80:

Configure Redundant Interfaces Using ASDM (Cont.) (ASDM screenshot)
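The CLI that the ASDM redundant interface dialog above produces, added here as an example (not configuration from the slides or from Cisco); the member interface numbers, the interface name inside and the addresses are assumptions.

```text
! Added example, not from the slides. Interface numbers, names and addresses are assumptions.

! Members must be physical interfaces of the same type with no nameif or IP address of
! their own. The first member added becomes the active member and supplies the MAC
! address of the redundant interface, so adding members in a different order changes
! the MAC address your upstream switch and ARP caches see.
interface GigabitEthernet0/2
 no nameif
 no shutdown
interface GigabitEthernet0/3
 no nameif
 no shutdown

interface Redundant1
 member-interface GigabitEthernet0/2
 member-interface GigabitEthernet0/3
 nameif inside
 security-level 100
 ip address 10.0.2.1 255.255.255.0 standby 10.0.2.7
 no shutdown

! Failover interface monitoring refers to the logical name, not to the members
monitor-interface inside

! Verification: state of the logical interface and of each member
show interface Redundant1
show interface ip brief
```

The standby address only matters on a failover pair; on a single unit it is harmless and keeps the configuration ready for the Active/Standby setup later in this section.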

Page 81:

Configuring EtherChannel Interfaces

Page 82:

EtherChannel Example

Note: The device to which you connect the ASA EtherChannel must also support IEEE 802.3ad (LACP) link aggregation

Page 83:

EtherChannel Configuration

Select Add Interface

Select EtherChannel Interface

Page 84:

EtherChannel Configuration

ASA side, LACP active on the member ports:

interface Port-channel1
 lacp max-bundle 4
 port-channel min-bundle 2
 port-channel load-balance dst-ip
interface GigabitEthernet0/0
 channel-group 1 mode active
interface GigabitEthernet0/1
 channel-group 1 mode active

The slide also shows channel-group 1 mode passive: a member can run LACP in passive mode, but at least one end of the channel must be active for the bundle to form. The Port-channel interface still needs its own nameif, security-level and ip address like any other ASA interface, and min-bundle 2 means the whole channel goes down when fewer than two members are up.

Page 85:

Implement ASA virtualization feature

Page 86:

Virtual Firewalls

Enables a physical firewall to be partitioned into multiple standalone firewalls (security contexts)

Each standalone firewall acts and behaves as an independent entity with its own

‒ Configuration

‒ Interfaces

‒ Security Policy

‒ Routing Table

Example scenarios for Virtual Firewalls

‒ Education network that wants to segregate student networks from teacher networks

‒ Service provider that wants to protect several customers without a physical firewall for each

‒ Large enterprise with various departments

(Slide graphic: an Active/Active failover pair with contexts 1 and 2; after the primary fails, the secondary is active for both.)

Page 87:

Active/Active Failover Configuration

1. Cable the interfaces on both ASAs

2. Ensure that both ASAs are in multiple context mode

3. Configure contexts and allocate interfaces to contexts

4. Enable and assign IP addresses to each interface that is allocated to a context

5. Prepare both security appliances for configuration via ASDM

6. Use the ASDM High Availability and Scalability Wizard to configure the ASA for failover

7. Verify that ASDM configured the secondary ASA with the LAN-based failover command set

8. Save the configuration on the secondary ASA to flash

(Slide diagram: two ASAs joined by a failover link on g0/2, 172.17.2.1 and 172.17.2.7; CTX1 in failover group 1 uses g0/0 and g0/1, CTX2 in failover group 2 uses g0/3 and g0/4.)

Page 88:

Implement ASA stateful failover

Page 89:

Hardware and Stateful Failover

Hardware failover

‒ Existing connections are dropped when the standby unit takes over

‒ Client applications must reconnect

‒ Provided by the LAN-based failover link (the serial failover cable is a PIX-era option; the ASA uses LAN-based failover only)

‒ Active/Standby: only one unit actively processes traffic while the other is a hot standby

‒ Active/Active: both units actively process traffic (one failover group each, multiple context mode only) and each is the backup for the other

Stateful failover

‒ TCP and UDP connection state, NAT translations and the ARP table are replicated, so established connections survive the switchover (HTTP connections only if failover replication http is enabled)

‒ No client applications need to reconnect

‒ Provides redundancy plus stateful connection continuity

‒ Provided by the stateful failover link, which can be the failover link itself or a separate interface

(Slide graphic: a failover pair between the inside network and the Internet.)

Page 90:

Explain the Hardware, Software, and Licensing Requirements for High-Availability

The primary and secondary security appliances must be identical in the following respects:

‒ Same model number and hardware configuration (same number and type of interfaces)

‒ Same software version (major and minor release)

‒ Same features (for example the DES or 3DES/AES encryption license)

‒ Same amount of flash memory and RAM

‒ Proper licensing for failover on both units

(Slide graphics: an Active/Standby pair with the primary in standby and the secondary active after a failure; an Active/Active pair with contexts 1 and 2, the secondary active for both after the primary fails.)

Page 91:

Active/Standby Failover Configuration Concepts

One ASA is configured as the primary unit and the other as the secondary unit; primary/secondary is a fixed role, while active/standby is the current state of each unit

The two units communicate over a dedicated LAN-based failover interface

Normally the primary is active and passes traffic; if it fails, the secondary takes over the active role together with the active IP and MAC addresses, so hosts need no change

(Slide diagram: primary fw1 and the secondary ASA on the 192.168.2.0 and 10.0.2.0 networks with addresses .1, .2 and .7; failover link 172.17.2.0 with .1 and .7.)

Page 92:

Active/Standby Failover Configuration Steps

1. Cable the interfaces on both ASAs

2. Prepare both security appliances for configuration via ASDM

3. Use the ASDM High Availability and Scalability Wizard to configure the primary ASA for failover

4. Verify that ASDM configured the secondary ASA with the LAN-based failover command set

5. Save the configuration on the secondary ASA to flash

(Slide diagram: same topology as the previous slide, primary fw1 and the secondary on 192.168.2.0 and 10.0.2.0 with the failover link on 172.17.2.0.)
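The CLI that the ASDM wizard (pages 93 to 98) generates for the pair shown above, added here as an example (not configuration from the slides or from Cisco). Interface numbers, the failover key, the choice of .1/.7 as active/standby addresses and the HTTP replication setting are assumptions; the networks follow the slide diagram.

```text
! Added example, not from the slides. Interface numbers, the key and the address split are assumptions.

! ==== Primary unit (fw1) ====
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.168.2.1 255.255.255.0 standby 192.168.2.7
 no shutdown
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.2.1 255.255.255.0 standby 10.0.2.7
 no shutdown
! The failover link carries hellos and the whole configuration, including passwords,
! pre-shared keys and certificates, to the peer: put it on a dedicated segment and set
! a failover key so that the exchange is authenticated and encrypted, not cleartext.
interface GigabitEthernet0/2
 no shutdown
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/2
failover interface ip FOLINK 172.17.2.1 255.255.255.0 standby 172.17.2.7
failover key F41l0v3r-Example-Key
! Stateful failover over the same link (use a separate interface on busy units)
failover link FOLINK
! HTTP connections are not replicated unless you ask for it
failover replication http
! Interfaces whose loss counts towards a failover decision
monitor-interface inside
monitor-interface outside
! Enable failover on the primary first, then on the secondary
failover

! ==== Secondary unit: bootstrap only; everything else replicates from the active unit ====
interface GigabitEthernet0/2
 no shutdown
failover lan unit secondary
failover lan interface FOLINK GigabitEthernet0/2
failover interface ip FOLINK 172.17.2.1 255.255.255.0 standby 172.17.2.7
failover key F41l0v3r-Example-Key
failover

! ==== Verification and recovery (compare Question 1 at the end of the deck) ====
show failover
show failover state
show failover history
! After a repaired primary has rejoined as standby, take the active role back on it:
failover active
```

show failover should list every monitored interface as Normal on both units before you trust the pair; an interface stuck in Waiting or Failed usually means the standby address is missing or the two units cannot reach each other on that segment.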

Page 93:

Configure Active/Standby Using ASDM (Step 1 of 6): Select Active/Standby

Page 94:

Configure Active/Standby Using ASDM (Step 2 of 6)

Page 95:

Configure Active/Standby Using ASDM (Step 3 of 6)

Page 96:

Configure Active/Standby Using ASDM (Step 4 of 6)

Page 97:

Configure Active/Standby Using ASDM (Step 5 of 6)

Page 98:

Configure Active/Standby Using ASDM (Step 6 of 6)

Page 99:

Active/Active Failover Configuration

1. Cable the interfaces on both ASAs

2. Ensure that both ASAs are in multiple context mode (mode multiple)

3. Configure contexts and allocate interfaces to contexts

4. Enable and assign IP addresses to each interface that is allocated to a context

5. Prepare both security appliances for configuration via ASDM

6. Use the ASDM High Availability and Scalability Wizard to configure the ASA for failover

7. Verify that ASDM configured the secondary ASA with the LAN-based failover command set

8. Save the configuration on the secondary ASA to flash

(Slide diagram: two ASAs joined by a failover link on g0/2, 172.17.2.1 and 172.17.2.7; CTX1 in failover group 1 uses g0/0 and g0/1, CTX2 in failover group 2 uses g0/3 and g0/4.)
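The CLI for the multiple-context Active/Active pair diagrammed above (and on page 87), which also shows the virtual firewall concepts from page 86: contexts with their own interfaces and configuration, plus a resource class so that one context cannot starve the other. This is an added example, not configuration from the slides or from Cisco; the context names, mapped interface names, config file names, the resource class, the context addresses and the failover key are assumptions, while the physical interfaces and failover addresses follow the slide diagram.

```text
! Added example, not from the slides. Context, class and file names, the key and the context
! addresses are assumptions; interfaces and failover addresses follow the diagram.

! ==== System execution space, on both units. Changing the mode reboots the unit. ====
mode multiple

! Resource class: cap what each context may consume so that a flood against one tenant
! cannot exhaust connections, hosts or the connection rate for the other.
class TENANT
 limit-resource conns 40%
 limit-resource rate conns 2000
 limit-resource hosts 1000

! ---- Failover link on g0/2 (primary unit shown) ----
interface GigabitEthernet0/2
 no shutdown
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/2
failover interface ip FOLINK 172.17.2.1 255.255.255.0 standby 172.17.2.7
failover link FOLINK
failover key F41l0v3r-Example-Key
! Group 1 prefers the primary, group 2 the secondary: each unit is active for one group
failover group 1
 primary
 preempt
failover group 2
 secondary
 preempt

! ---- Contexts: allocate interfaces before config-url, which loads the context at once ----
admin-context admin
context admin
 allocate-interface Management0/0
 config-url disk0:/admin.cfg
context CTX1
 member TENANT
 allocate-interface GigabitEthernet0/0 ctx1-outside
 allocate-interface GigabitEthernet0/1 ctx1-inside
 config-url disk0:/ctx1.cfg
 join-failover-group 1
context CTX2
 member TENANT
 allocate-interface GigabitEthernet0/3 ctx2-outside
 allocate-interface GigabitEthernet0/4 ctx2-inside
 config-url disk0:/ctx2.cfg
 join-failover-group 2
failover
! The secondary needs the same failover lan/interface/key lines with "failover lan unit
! secondary"; the context definitions and context configurations replicate from the active unit.

! ---- Each context gets its own nameif, security levels, addresses and policy ----
changeto context CTX1
interface ctx1-outside
 nameif outside
 security-level 0
 ip address 192.0.2.1 255.255.255.0 standby 192.0.2.7
interface ctx1-inside
 nameif inside
 security-level 100
 ip address 10.1.0.1 255.255.255.0 standby 10.1.0.7
changeto system

! ---- Verification ----
show context
show failover
show failover group 1
show resource usage context CTX1
```

Active/Active splits the contexts between the units; it does not load-balance a single context, and after a failure one unit carries both groups, so size each unit for the full load rather than half of it.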

Page 100:

Configure Active/Active Using ASDM (Step 1 of 7): Select Active/Active

Page 101:

Sample Questions

Can You Identify the Correct Answer?

Page 102:

Question 1

A primary ASA in a failover pair has failed, causing the secondary ASA to become active. After resolving the issue, what command should be executed on the primary ASA to make it the active firewall?

A. Failover active

B. Failover active group 1

C. Failover secondary group 1

D. Standby group 1 active

Page 103:

Answer: A. failover active, entered on the repaired primary once it has rejoined the pair as the standby unit.

Page 104:

Question 2

Which of these commands will show you the contents of flash memory on the Cisco ASA? (Choose two.)

A. dir

B. show info flash

C. directory view disk0:/

D. show run disk

E. flash view

F. show flash

Page 105:

Answer: A. dir and F. show flash

Page 106:

Question 3

When provisioning a service policy using ASDM, in what order are the elements created?

A. Class-map > Policy-Map > Service-Policy

B. Service-Policy > Class-map > Policy-Map

C. Service-Policy > Policy-Map > Service-Policy

D. Policy-Map > Service-Policy > Class-Map

Page 107:

Answer: A. Class-map > Policy-Map > Service-Policy

Page 108:

Question 4

When using subinterfaces, which method prevents the main interface from sending untagged traffic?

A. Use the vlan command on the main interface

B. Use the shutdown command on the main interface

C. Omit the nameif command on the subinterface

D. Omit the nameif command on the main interface

Page 109:

Answer: D. Omit the nameif command on the main interface; a physical interface without a nameif passes no traffic of its own, so only the tagged subinterfaces carry traffic.

Page 110:

Question 5

Choose two correct statements about multiple context mode:

A. Multiple context mode does not support dynamic routing protocols, IPS, and VPNs

B. Multiple context mode enables you to create multiple independent virtual firewalls with their own security policies and interfaces

C. Multiple context mode enables support for additional hardware modules and firewalls

D. When you convert from single mode to multiple mode, the security appliance automatically adds an entry for the admin context to the system configuration with the name "admin"

Page 111:

Answer: B and D.

Page 112:

Question 6

Which three features does the ASA support?

A. BGP dynamic routing

B. 802.1Q trunking

C. EIGRP dynamic routing

D. OSPF dynamic routing

Page 113:

Answer: B, C and D (for the ASA 8.x releases this session covers; BGP support was added later, in ASA 9.2).

Page 114:

Question 7

Which command will display information about ASA crypto map configurations?

A. show crypto sa

B. show crypto map

C. show run ipsec sa

D. show run crypto map

Page 115:

Answer: D. show run crypto map

Page 116:

Question 8

What is the reason that you want to configure VLANs on a security appliance interface?

A. Enable failover and VLANs to improve reliability

B. Allow transparent firewall mode to be used

C. Increase the number of interfaces available to the network without adding additional physical interfaces or security appliances

D. Enable multiple context mode where you can map only VLAN interfaces to contexts

Page 117:

Answer: C.

Page 118:

Question 9

What are two purposes of the same-security-traffic permit intra-interface command? (Choose two.)

A. Allow a hub-and-spoke VPN design on one interface

B. Enable Dynamic Multipoint VPN

C. Allow traffic in and out of the same interface when the traffic is IPsec protected

D. Allow traffic between different interfaces with matching security levels

Page 119:

Answer: A and C (hairpinning, traffic that enters and leaves the same interface; traffic between different interfaces of equal security level is the separate same-security-traffic permit inter-interface command).

Page 120:

Question 10

Which command will display NAT translations on the ASA?

A. show ip nat all

B. show running-configuration nat

C. show xlate

D. show nat translation

Page 121:

Answer: C. show xlate

Page 122:

Q&A

And Now Time for Questions…

Page 123:

Complete Your Online Session Evaluation

Give us your feedback and you could win fabulous prizes. Winners announced daily.

Receive 20 Cisco Preferred Access points for each session evaluation you complete.

Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.

Don’t forget to activate your Cisco Live and Networkers Virtual account for access to all session materials, communities, and on-demand and live activities throughout the year. Activate your account at any internet station or visit www.ciscolivevirtual.com.

Page 124:

Final Thoughts

Get hands-on experience with the Walk-in Labs located in World of Solutions, booth 1042

Come see demos of many key solutions and products in the main Cisco booth 2924

Visit www.ciscoLive365.com after the event for updated PDFs, on-demand session videos, networking, and more!

Follow Cisco Live! using social media:

‒ Facebook: https://www.facebook.com/ciscoliveus

‒ Twitter: https://twitter.com/#!/CiscoLive

‒ LinkedIn Group: http://linkd.in/CiscoLI
