Labs
Our investment in enhanced and exclusive lab content means you get the experience you need using current software and hardware. No other training company offers a unique, real-world lab solution like ours.
In our lab descriptions, an enhanced lab exercise contains a significant addition to the standard labs and may or may not be offered by other providers, while an exclusive lab exercise contains material that is not offered by any other provider.
We provide an unparalleled lab infrastructure for CCSP-oriented courses. For SNAF, each pod has a 2811 router, a 3560 switch, an ASA 5520, a VMware Server with nine VM systems, and an 1841 router that simulates the Internet environment. These devices are organized in a real-world fashion and are configured to work together to provide a complete security solution. The nine PCs are strategically placed in the topology to provide interesting and realistic functional demonstrations. For example, the Admin PC is treated as the Security Administrator's office desktop PC. Management connections to the ASA, including SSH to the CLI and HTTPS to ASDM, are performed from the Admin PC. The Data Server is an Active Directory Domain Controller. Included in its duties are user and group management, DNS, e-mail, and Certificate Authority services. The Security Server runs security applications such as Cisco Secure Access Control Server and the PHP Kiwi Syslog system. The DMZ server is partially exposed to the Internet and provides HTTP, FTP, DNS, and SMTP services. The Outside PC is connected to the simulated Internet and can be used as an external web/FTP server, the source of inbound connections to the DMZ server, an attack source, or as a trusted VPN client, depending on the current scenario. The Services-R-Us server acts as a public DNS, e-mail, web/FTP, and certificate server. The BackTrack2 PC is a Linux system with hundreds of security tools installed, the User PC is another internal PC system, and the Site1 PC is connected to a small remote network.
The SNAF courseware and Cisco's standard SNAF labs focus mainly on the ASDM GUI. Our SNAF labs also demonstrate the use of ASDM and pay respect to the CLI as well. For all operations completed using the GUI, the corresponding CLI commands are always displayed in our SNAF lab guide. Also, the full, final configuration is displayed at the end of each lab with the configuration commands that were entered during the lab highlighted. This helps to make our lab guide a valuable reference long after you have completed the lab exercises.
Lab 1: Preparing the ASA for Administration
The goal of this lab is to prepare the ASA for remote administration by both SSH and HTTPS/ASDM. You will find the ASA currently has an unusable configuration. You will have to access it via its physical console port and reset the configuration back to factory defaults. You will use the setup dialog to configure the inside interface and enable ASDM access via HTTP. You will also enable SSH from the CLI. You will test SSH access from the Admin PC. You will also install and configure ASDM on the Admin PC and test initial access with ASDM.
- Access the ASA Console Port
- Clearing an Existing Configuration
- Taking Inventory of the ASA
- The Setup Dialog
- Enable SSH
- Set Up ASDM
- Verify the ASA Configuration
Lab 2: Essential Security Appliance Configuration
In this lab, you will configure many of the basic settings on the ASA. You will configure the inside, outside, and DMZ interfaces, and you will configure authenticated NTP support and Syslog support. You will then use different scenarios and features to test the behavior of the ASA with this simple configuration in place.
- Execute the Startup Wizard
- ASDM Device Setup
- Configure Syslog
- Test and Verify the ASA's Configuration
- The Packet Capture Wizard
- Verify the ASA Configuration
Lab 3: Translations and Connections
In this lab, you will work with configuring address translations through the ASA. You will begin by experimenting with nat 0 and no nat-control to understand the differences between the two. Next, you will implement a temporary PAT configuration. You will then move on to configure Dynamic NAT, NAT Exemption, and Static NAT as appropriate for the lab topology. At each step along the way, you will test and verify the results of the configuration, both on the host systems that are communicating as well as on the ASA. During this lab, you will learn how to configure and monitor address translation and you will see the difference between the ASA's translation table and its connection table.
- Understanding NAT Control and NAT 0
- Configure PAT
- Configure Dynamic NAT and NAT Exemption
- Configure Static NAT
- Verify the ASA Configuration
Lab 4: Configuring ACLs and Object Groups
In this lab, you will configure access policy through the ASA. The policy will allow access to the public services running on the DMZ Server from the outside. It will also be very restrictive on what connections are allowed to originate from the DMZ Server. Policy from the internal network will be unrestricted. While configuring and testing policy, you will also be introduced to Object Groups, the Packet Tracer, and ICMP Inspection.
- Configure Inbound HTTP Access
- Complete Inbound Policy using Object Groups
- Configure Policy from the DMZ
- Verify the ASA Configuration
Lab 5: AAA and Cut Through Proxy
Cut Through Proxy is a feature on the security appliance that allows access control to be based on a user instead of an IP address. That is, instead of using statically defined ACLs that key off expected user IP addresses, when the ASA sees matching traffic from a new IP address, it can intercept the connection and challenge for a username and password. If the user is authorized, connections are allowed. This can be extended one step further where downloadable ACLs provided by the AAA server very precisely define the access control for that particular user. You will explore AAA and the Cut Through Proxy feature in this lab exercise.
- Configure ACS and ASA Communication
- Exclusive - Configure ACS Integration with Active Directory
- Cut Through Authentication
- User Authentication Timeouts
- Virtual Telnet Server
- Downloadable ACLs
- Per User Override
- AAA Accounting
- Verify the ASA Configuration
Lab 6: Modular Policy Framework and Advanced Protocol Handling
In this lab you will work with the Modular Policy Framework (MPF) in various ways. First, you will inspect the current global policy and see how class maps, policy maps, and service policy are built into a hierarchy. Then you will use the MPF to apply DOS protection to the DMZ interface, testing the feature with an attempted SYN Flood attack. You will implement QoS features, limiting bandwidth used by the DMZ interface, insuring traffic to and from the inside network is not starved by DMZ access. You will finish by experimenting with FTP inspection. With FTP inspection turned on, if the FTP control channel is allowed, so are all the associated dynamically negotiated data connections. When FTP inspection is turned off, if the FTP data connections are not allowed by the static policy in place, the data connections will not be allowed.
- Examine the Current Policy
- Exclusive - DOS Protection with MPF
- Exclusive - Quality of Service with MPF
- FTP Protocol Inspection
- Verify the ASA Configuration
Lab 7: Threat Detection
By default the ASA monitors the rate of dropped packets and security events due to a number of reasons including (but not limited to) DoS attack, ACL drop, Conn limit, ICMP attack, and SYN attack. When the ASA detects a threat, it sends a Syslog message to inform of its occurrence. In this lab, you will work with Basic Threat Detection. You will verify that it is enabled by default, and you will see how to enable and view additional threat detection statistics.
- Basic Threat Detection
- Threat Detection Statistics
- Verify the ASA Configuration
Lab 8: Site-to-Site VPN
In this lab you will work with creating and testing a site-to-site VPN using the ASDM VPN Wizard. You will begin by verifying that without a VPN, there is no connectivity between the local network and Site 1. You will then proceed to create and test a site-to-site VPN to Site 1 using the VPN Wizard. Lastly, you will experiment with ways to limit access through the tunnel for those users connecting from Site 1.
- Verify Current Environment
- ASDM VPN Wizard
- Verify the Resulting Configuration
- Test and Verify the VPN Tunnel
- Exclusive - Enforce Access Policy from Site 1
- Verify the ASA Configuration
Lab 9: Remote Access VPN
In this lab you will once again use the VPN Wizard. This time it will be used to enable Remote Access VPN. Since completion of the link requires a client, you will also configure the VPN software client to initiate the connection. After testing and verifying the Remote Access VPN, you will implement split tunneling in order to allow Remote Access VPN clients to access Internet resources without using the tunnel. Lastly, you will work with Hairpin VPN, an alternative to split tunnel, to allow Remote Access VPN users to access the Internet.
- Prepare the ASA for Remote Access VPN
- Prepare the Cisco VPN Client
- Test and Verify Remote Access VPN
- Update the NAT Configuration
- Exclusive - Allow Internet Access via Split Tunneling
- Exclusive - Allow Internet Access via Hairpin
- Verify the ASA Configuration
Lab 10: Clientless SSL VPN
In this lab you will run the SSL VPN Wizard to configure ASA to allow access to the Web VPN. Once the SSL VPN is up and running, you will explore the features it provides. You will then create different policies for different groups of users. General users will have fewer privileges with the clientless VPN than administrative users.
- SSL VPN Wizard
- Test Clientless SSL VPN
- Define a Group Policy for General Users
- Test the Policy for General Users
- Exclusive - Provide Greater Customization for the AdminPolicy
- Exclusive - Test the Admin Customization and OnScreen Keyboard
- Monitor SSL VPN Connections
- Verify the ASA Configuration
Lab 11: Transparent Mode Firewall & Security Contexts
In this lab, you will configure and test two features which first appeared in version 7.0 of the Security Appliance OS: Transparent firewalling and security contexts.
Transparent firewall mode is designed for two primary reasons: 1) an organization wants to add a firewall to an existing network without requiring re-addressing, and 2) an organization operates a multiprotocol network, including non-IP traffic, and wants to allow that traffic through the firewall without requiring GRE tunneling. In this lab, the transparent firewall will be inserted between the routing interfaces of the L3-Switch and the PC systems. The transparent firewall can then provide firewalling services without modifying the L3-Switch or PC configurations.
Security contexts were designed to allow a single physical firewall to perform jobs that generally require multiple firewalls. A limitation of transparent firewall mode on the security appliance is that only two interfaces are allowed. Obviously, dedicating a single physical firewall with more than two physical interfaces (and the ability to support multiple VLANs off each of its physical interfaces) is quite limiting. Hence using security contexts with transparent firewalling allows a single physical firewall to provide transparent firewalling to multiple IP subnets.
- Understand the Updated Topology
- Access the Security Appliance Console
- Configure Transparent Firewall Mode
- Configure Interfaces and the Management IP Address
- Exclusive - Configure the Switching Fabric
- Test Connectivity through the Security Appliance
- Prepare the ASA for and Launch ASDM
- Define and Test Inbound Policy with ASDM
- Understand the Updated Scenario
- Exclusive - Enable Multiple Context Mode
- Exclusive - Multiple Context Mode from ASDM
- Exclusive - Create and Configure a New Context
- Exclusive - Update the Switching Fabric
- Exclusive - Verify Functionality of the New Context
- Verify the ASA Configuration
Lab 12: Active/Standby Failover
In this lab, two pods are linked together. The Primary Pod's ASA will be configured as the primary ASA for failover and the Secondary Pod's ASA will be configured as the secondary ASA for failover. Stateful failover will also be enabled. Once configured, the failover status will be confirmed and tested. After a successful test, the failover status will be returned to its initial state.
- Understand the Updated Topology
- High Availability and Scalability Wizard
- Verify Failover Status
- Test Failover Operation
- Return to a Normal State
- Verify the ASA Configuration
Lab 13: Active/Active Failover
In this lab, two pods are linked together. The Primary and Secondary Pod's ASA will be configured for failover using two contexts each assigned to different failover groups. Stateful failover will be enabled, and preemption will be configured so that different ASAs will be active for each failover group. Once configured, the failover status will be confirmed and tested. After a successful test, the failover status will be returned to its initial state.
- Understand the Updated Topology
- High Availability and Scalability Wizard
- Verify Failover Status
- Enable Preemption
- Test Failover Operation
- Return to a Normal State
- Verify the ASA Configuration
Lab 14: Managing the Security Appliance
You will begin this lab by experimenting with the configuration of Authentication, Authorization, and Accounting. You will configure various methods of AAA including using the Local ASA database as well as scaling the solution by using Cisco Secure ACS. Next, you will perform an upgrade including the ASA OS as well as ASDM. Lastly, you will perform a password recovery on the ASA.
- Connect to the ASA via SSH
- Configure Commands at a New Privilege Level
- Configure Command Authorization for LOCAL Users
- Exclusive - Configure Command Authorization using TACACS+
- Exclusive - Configure Command Accounting
- View the AAA Configuration from ASDM
- Perform a "System Upgrade"
- Exclusive - Perform a Password Recovery
- Verify the ASA Configuration
