IPS/SNRS Mini Camp

5-day Course

Course Description

In this Mini Camp based on Authorized Cisco SNPA and CSVPN course material, get the knowledge and skills you need to configure, maintain, and operate Cisco PIX 500 Series Security Appliances and Cisco ASA 5500 Series Adaptive Security Appliances. Learn to securely extend your computing environment using Cisco VPN solutions. Effectively install and configure VPN connections using the latest VPN technology on Cisco VPN 3000 Series Concentrator and PIX Firewalls. SNPA and CSVPN are recommended training for Cisco Certified Security Professional (CCSP) certification.

Twenty advanced SNPA hands-on labs guide you through configuring the Security Appliance, executing general maintenance commands, and configuring ACLs on the Security Appliance. Since all labs are performed on PIX 515 Security Appliances, features unique to the 5500 Series Adaptive Security Appliances are discussed but are not covered in hands-on labs.

We have included several exclusive items in the SNPA labs, such as using the capture and management-access commands, stateful ICMP inspection, TCP Intercept, digital certificates, and a full lab on configuring a Modular Policy Framework.

Over 20 advanced CSVPN hands-on labs guide you through using the VPN Concentrator, VPN Software Client, and VPN Hardware Client to set up secure network connectivity in both LAN-to-LAN and Remote Access scenarios. A PIX Firewall-based VPN lab is included as a refresher on IPSec VPN principles. The labs include using the VPN 3000 Series Concentrator to host remote access VPN connections using the Cisco VPN Software Client and VPN 3002 Hardware Client with Pre-Shared Keys and digital certificates, integrated firewall features of the Software Client, and LAN-to-LAN IPSec VPN connections using the VPN 3000 Series Concentrator. New features in Version 4.7 of the Concentrator code, such as SSL VPN and Secure Desktop, are demonstrated.

Labs include configuring and testing split tunneling, bandwidth management, pre-configuring and customizing the Cisco VPN Software Client, RADIUS and TACACS-based authentication, and configuring a Windows 2000 Server as a Certificate Authority.

Attend this Mini Camp for the most relevant, hands-on, real-world experience available from any training provider. Apply what you learn in labs based on a single, enhanced topology designed to simulate a typical production network instead of a classroom.

 

Course Objectives

In this course students will learn:

SNPA

  • Security Appliance features, models, components, and benefits
  • Security Appliance interface security levels
  • Configure a Security Appliance for basic network connectivity
  • Configure the Security Appliance to send syslog messages to a syslog server
  • How the TCP and UDP protocols function with the Security Appliance
  • How static and dynamic translations function
  • Security Appliance Port Address Translation (PAT) feature
  • Function and configuration of ACLs and NAT 0 ACLs
  • Configure active code filtering (ActiveX and Java applets)
  • Configure the Security Appliance for URL filtering
  • Object grouping feature of the Security Appliance and its advantages
  • AAA protocols supported by the Security Appliance
  • Configure AAA authentication for Security Appliance access
  • Configure cut-through proxy authentication and tunnel access authentication
  • Configure AAA accounting
  • Install and configure basic Cisco Secure ACS functions
  • How the Security Appliance implements FTP and HTTP protocol inspection
  • How the Security Appliance implements remote shell (rsh), SQL, SMTP, ICMP, and SNMP protocol inspection
  • Tasks and commands to configure Security Appliance IPSec support
  • Configure the Easy VPN Server for remote access VPN using the Cisco VPN Client
  • Configure WebVPN general parameters, servers, URLs, and port forwarding
  • Monitor and maintain transparent firewall mode
  • Configure and manage a security context
  • Security Appliance hardware failover requirements
  • Configure Active/Standby Failover
  • Configure Active/Active Failover
  • Install ASDM and use it to configure the Security Appliance
  • Configure the AIP-SSM setup parameters
  • Configure a security policy on an ASA Security Appliance using ASDM
  • Configure Telnet and SSH access to the Security Appliance console
  • Recover the Security Appliance passwords using general password recovery procedures
  • Use TFTP to install and upgrade the software image on the Security Appliance

CSVPN

  • Features, functions, and benefits of Cisco Secure VPN products
  • Cisco Secure VPN 3000 Series Concentrator
  • Cisco Secure VPN Software Client Version 4.x
  • Cisco Secure VPN 3002 Hardware Client
  • IPSec fundamentals and operation
  • Public Key Infrastructure (PKI) organization and concepts
  • Processes involved in creating and using digital certificates
  • VPN 3000 Series Concentrator Redundancy and Load Balancing (Clustering)
  • VPN Software Client firewall features and creating and applying centrally managed firewall policies
  • Configure and use split tunneling and split DNS
  • Configure Certificate Revocation List (CRL) caching
  • Configure and apply bandwidth policing or bandwidth reservation policies
  • Monitoring functions, including using the Filterable Event Log
  • Reverse Route Injection
  • Differences between Client Mode and Network Extension Mode when using the VPN 3002 Hardware Client
  • How and why to configure IPSec over UDP, NAT Traversal, and IPSec over TCP
  • Configure and use WebVPN clientless connectivity
  • Configure and use the Cisco SSL VPN Client (new in Concentrator Version 4.7)
  • Configure and use the Cisco Secure Desktop (new in Concentrator Version 4.7)

Intended Audience

Cisco customers who implement and maintain PIX and ASA Security Appliances as well as networking professionals tasked with ensuring the effective use of Cisco VPN technologies within their networks; Cisco channel partners who sell, implement, and maintain PIX, ASA Security Appliances, and VPN devices; and Cisco systems engineers who support the sale of PIX, ASA Security Appliances, and VPN.

This course is specifically designed for students preparing for the CCSP certification exam.

 

Course Outline

SNPA

  • Cisco Security Appliance Technology and Features
  • Cisco PIX Security Appliance and ASA Adaptive Security Appliance Families
  • Getting Started with Cisco Security Appliances
  • Translations and Connections
  • Access Control Lists (ACLs) and Content Filtering
  • Authentication, Authorization, and Accounting (AAA)
  • Switching and Routing
  • Modular Policy Framework
  • Advanced Protocol Handling
  • VPN Configuration
  • Configuring Security Appliance Remote Access Using Cisco Easy VPN
  • Configuring ASA for WebVPN
  • Configuring Transparent Firewall
  • Configuring Security Contexts
  • Failover
  • Cisco Security Appliance Device Manager
  • AIP-SSM - Getting Started
  • Managing Security Appliances

CSVPN

  • Security Fundamentals
  • Overview of Virtual Private Networks and IPSec Technologies
  • Cisco Virtual Private Network 3000 Concentrator Series Hardware Overview
  • VPN 3000 Series Concentrator Remote Access Using Pre-Shared Keys
  • VPN 3000 Series Concentrator Remote Access Using Digital Certificates
  • VPN Firewall Feature for the Software Client
  • VPN Client Auto-Initiation Feature
  • Monitor and Administer the Cisco VPN 3000 Series Concentrator Remote Access Networks
  • VPN 3002 Hardware Client for Remote Access Using Pre-Shared Keys
  • VPN 3002 Hardware Client for Unit and User Authentication
  • VPN Client Backup Server and Load Balancing
  • VPN 3002 Hardware Client for Software Auto-Update
  • VPN 3000 Series Concentrator for IPSec Over UDP and IPSec Over TCP
  • VPN 3000 Series Concentrator LAN-to-LAN with Pre-Shared Keys
  • VPN 3000 Series Concentrator LAN-to-LAN with NAT
  • VPN 3000 Series Concentrator LAN-to-LAN Using Digital Certificates
  • Configure the Cisco VPN 3000 Series Concentrator for Web VPN
  • Using Cisco SSL VPN Client
  • Installing and Configuring Cisco Secure Desktop

 

Course Labs

SNPA

For SNPA, each pod has a router, a switch, a PIX Firewall, and four PC systems. These devices are organized in a real-world fashion and are configured to work together to provide a complete security solution. The four PCs are strategically placed in the topology to provide interesting and realistic functional demonstrations. An Inside PC is treated as the Security Administrator's office desktop PC, and an Inside Server runs the applications, such as Cisco Secure Access Control Server, intended to be installed in the data center and shared among multiple administrators. The DMZ server is partially exposed to the Internet and provides HTTP and FTP services. An Outside PC is connected to the simulated Internet and can be used as a simulated web server and as the source of inbound connections.

  • Lab 1: Remote Lab Environment Familiarization
  • Lab 2: Basic Security Appliance Configuration
  • Lab 3: Syslog and NTP
  • Lab 4: Translations and Connections
  • Lab 5: Access Control Lists (ACLs) and ICMP Filters
  • Lab 6: Object Groups
  • Lab 7: AAA Authentication and Accounting
  • Lab 8: AAA Authorization Using Downloadable ACLs
  • Lab 9: Configure Modular Policy Framework
  • Lab 10: Advanced Protocol Inspection
  • Lab 11: Site-to-Site VPN with Pre-Shared Keys
  • Lab 12: Site-to-Site VPN with Digital Certificates
  • Lab 13: Remote Access VPN
  • Lab 14: Transparent Firewall
  • Lab 15: Secure Shell
  • Lab 16: Command Authorization
  • Lab 17: System Maintenance
  • Lab 18: Active/Standby LAN-Based Failover
  • Lab 19: Multiple Contexts
  • Lab 20: Active/Active LAN-Based Failover

 

CSVPN

For CSVPN, each pod has a router, a switch, a PIX Firewall, a VPN 3000 Series Concentrator, and four PC systems. These devices are organized in a real-world fashion and are configured to work together to provide a complete security solution. The four PCs are strategically placed in the topology to provide interesting and realistic functional demonstrations. An Inside PC is treated as the Security Administrator's office desktop PC, and an Inside Server runs the applications, such as Cisco Secure Access Control Server, intended to be installed in the data center and shared among multiple administrators. The DMZ server is partially exposed to the Internet and provides HTTP and FTP services. An Outside PC is connected to the simulated Internet and can be used as a simulated web server and as the source of inbound VPN client connections.

  • Lab 1: Remote Lab Familiarization
  • Lab 2: Exclusive - PIX Site-to-Site IPSec Using Pre-Shared Keys
  • Lab 3: Initialize the VPN Concentrator
  • Lab 4: VPN Software Client Remote Access Using Pre-Shared Keys via Quick-Configuration Mode
  • Lab 5: Pre-Configuring and Customizing the VPN Software Client
  • Lab 6: Exclusive - Configure a Windows 2000 Server as a Certificate Authority (CA)
  • Lab 7: Configure the VPN Concentrator for Digital Certificates
  • Lab 8: Configure the VPN Software Client for Digital Certificates
  • Lab 9: VPN Software Client Remote Access Using Digital Certificates
  • Lab 10: Configure the Firewall Feature for the VPN Software Client
  • Lab 11: VPN Client Auto-Initiation
  • Lab 12: VPN Concentrator Monitoring
  • Lab 13: Concentrator Administration with TACACS+ Setup
  • Lab 14: Exclusive - Configure Bandwidth Management Policies on the VPN Concentrator
  • Lab 15: VPN 3002 Hardware Client Remote Access Using Pre-Shared Keys (Client Mode) and RADIUS
  • Lab 16: VPN 3002 Hardware Client Remote Access Using Pre-Shared Keys (Network Extension Mode)
  • Lab 17: Configure the VPN 3002 Hardware Client for Unit and User Authentication
  • Lab 18: Exclusive - Configure Reverse Route Injection
  • Lab 19: Configure Software Auto-Update
  • Lab 20: VPN 3000 Series Concentrator LAN-to-LAN IPSec Using Pre-Shared Keys
  • Lab 21: VPN 3000 Series Concentrator LAN-to-LAN IPSec Using Digital Certificates
  • Lab 22: WebVPN
  • Lab 23: SSL VPN Client
  • Lab 24: Secure Desktop



CCIP, CCIE, CCDA, CCDP, CCNP, CCNA, VLANDirector, TrafficDirector, CiscoWorks 2000, ONS 15454, Secure PIX Firewall, Secure Virtual Private Networks, Cisco, Cisco Systems, Cisco Systems Logo, Catalyst, EtherChannel, IOS and LightStream are registered trademarks of Cisco Systems, Inc. or its affiliates in the US and certain other countries.