CCNA Security lab

Archon

If I was to build a small lab what model switches, routers and ASAs would you recommend? Ideally I would want to keep the cost down.



Thanks

Priston

ASA - ASA5505 or ASA5510
routers - 1841 or 2811
switches - 2960 or 3560 (with 32mb flash)

joelsfood

If you work for a Cisco partner, you can make use of the CCIE Security labs and save yourself some money

Archon

Priston wrote: »

ASA - ASA5505 or ASA5510
routers - 1841 or 2811
switches - 2960 or 3560 (with 32mb flash)

I think i will need:


1x ASA
3x routers
2x switches

I will probably buy it all second hand if needed.

joelsfood wrote: »

If you work for a Cisco partner, you can make use of the CCIE Security labs and save yourself some money

Just found the Partner Learning in my Cisco account as its linked to the company i work for.

AMD4EVER

I had considered buying the kit below but haven't at this point. Been living with Packet Tracer and that seems to do pretty well. Still, for someone building a lab this might be something to look at. No ASA is included in this which I find weird. I think that would be needed as well

Cisco CCNA 200-120 Premium Kit - CertificationKits

Hardware Included:
•Three Cisco 2811 512/128 Routers (Dual FE router supports 15.1(4) Advanced Enterprise)
•Three Cisco 2960 Switches (Supports 15.0(2) IOS)
•Three Ethernet Cables
•Three Ethernet Crossover Cables
•Three WIC-2A/S Modules
•Three Smart to Smart Serial Cables
•Cisco Console Kit
•Power Cords

Additional Items Include:
•450 Page CCNA Lab Workbook Covering 60+ Labs! ($44.99 value) (more info)
•How & Why We Subnet Workbook ($19.99 value) (more info)
•CCENT, ICND2 & CCNA Boot Camp Study Guide eBooks ($39.99 value) (more info)
•CCENT, ICND2 & CCNA Practice Exam Simulators ($49.99 value) (more info)
•CCNA CRAM Sheet ($14.99 value) (more info)
•TCP/IP Study Poster ($9.99 value) (more info)
•CertificationKits TFTP Server
•CertificationKits Subnet Calculator
•CertificationKits Binary Bits Game
•35 CCNA Instructional Videos
•Cisco Network Assistant
•Cisco Router Password Decryptor
•Cisco VPN Client 5.0.04.0410
•Port Scanner
•WinPcap 4.1.3
•WireShark 1.10.05
•IOS Backup Disc for the routers and switches

Archon

That's a lot of kit. I live in the UK so not an option.

Archon

So far i have:

2x 2960 switches
1x asa 5505 with Security Plus License

Hopefully got 3x 1841 routers as well

Archon

So my new lab consists of:

1x ASA 5505 (Security Plus License ASA5505-SEC-BUN-K9 RAM: 1GB)
2x 2960 switches
3x 1841 routers (256MB DRAM & 64MB Flash) (all with WIC-2T cards and cables)

Got a 12u rack and CAT5e cables on its way ready for a weekend of hitting the CCNA Security Lab Manual: Version 2 (Lab Companion).


Anything I'm missing?

clarson

on your 1841 routers you will need 256/64 memory to run version 15 of the ios
a 1841 comes with 128 on the system board, so you will only need to add a 128 memory stick.
and what is the version of asa, asdm, anyconnect, etc. that is on the 5505

Archon

Oops typo in the spec The routers were originally 128MB DRAM & 32MB Flash but this was upgraded to run c1841-adventerprisek9-mz.151-4.M10.bin.

I've only briefly powered on the asa to check the license. I'm planning to set it all up at the weekend to will let you know then.

mackenzae

I downloaded the ASAv and am using that with no issues. Only restriction is the throughput when its unlicensed which doesn't matter in a lab environment.

AMD4EVER

mackenzae wrote: »

I downloaded the ASAv and am using that with no issues. Only restriction is the throughput when its unlicensed which doesn't matter in a lab environment.

You are my hero!!! I've been wanting to at least get my hands on the ASA and the ASDM software but it didn't seem possible using GNU or Packet Tracer. I haven't installed ASAv yet but I at least confirmed that I can download it so I should be able to get it running in my lab! Woohoo!

AMD4EVER

I haven't got this fully working yet but I am close and wanted to share my new knowledge with other ASA novices. I downloaded ASAv and opened the OVA in VMware Workstation. I then configured G0/0 with an IP on the Host network which by default is 192.168.137.0/24 and did a No Shut. I was disappointed to find that I couldn't ping the interface IP that I gave it. I found that the reason for this is that you need to run the command "nameif inside" on the interface. After that I could ping. This sounds like a minor victory but it took half an hour to figure this out

Next I'm going to work on importing the ASDM bin into my ASA and then hopefully figuring out how to download an ASDM executable from the ASA.

AMD4EVER

I've come to a standstill but I'll at least give a list of successes before starting a new thread to troubleshoot this.

I installed TFTPD32 on my computer and was able to run copy tftp: flash: on the ASA to get the ASDM bin file. I then ran the command "asdm image" and gave it the location of the asdm image in flash.

Now is where my problem comes in. Everything I've read said that I just need to HTTPS to the interface on the ASA to download ASDM from it. The problem is that HTTPS just brings up "Problem loading page". I can ping the ASA interface from both directions so I know connectivity is good. I thought that maybe the issue is that I was trying to use a regular port and needed to use the Management port so I set that up. Same result. No idea where to go from here

AMD4EVER

I got help from another thread and wanted to just follow up here with the final steps.

Run "http server enable" followed by "http 192.168.137.0 255.255.255.0 INSIDE". After that I could browse to the interface but I got a 404 error. Double checked the running config and found that my "asdm image" command had reverted to being empty. Re-ran that and now I can browse to the site and download ASDM! Hurrah!

aocferreira

Hey,

Just a quick question, maybe you can help me out. ASA5510-SSM-10 has requirements to study & practice for CCNA Sec?
ASDM - 7.3
Software - 8.2.57K8
Ram - 512

thanks!

AMD4EVER

I would think that would be good enough for studying. I'm going to try it with the ASAv 5505 running version 9.4 and ASDM 7.5. I'm making my way through the CCNA Security Lab Manual Version 2 and it doesn't start hitting on ASAs for another few chapters for me. I guess I'll know more then but just being able to have hands on with ASDM his probably an incredible benefit based on what I've been reading about people's test experiences lately.

aocferreira

Thanks for your reply. If anyone else can comment on that I would appreciate!

Archon

clarson wrote: »

on your 1841 routers you will need 256/64 memory to run version 15 of the ios
a 1841 comes with 128 on the system board, so you will only need to add a 128 memory stick.
and what is the version of asa, asdm, anyconnect, etc. that is on the 5505

All 3 routers actually came with 378MB DRAM in the end.

Hardware: ASA5505, 1024 MB RAM, CPU Geode 500 MHz,
Cisco Adaptive Security Appliance Software Version 9.1(6)8
Device Manager Version 7.5(2)

asdm-752.bin
anyconnect/anyconnect-win-3.1.04072-k9.pkg

gncsmith

Other than your lab, what are your study materials?

Archon

CBT Nuggets old and new CCNA: Security including the additional suggested videos from CCNP security, Boot Camp with Chris Bryant, the lab manual and the Cisco OCG.

creamy_stew

I would add a third switch so you can make a triangle and do STP and other experiments. Doesn't have to be fancy. An old 2950 would do.

Three switches makes it easier to try a lot of stuff out.

I would probably have gone GNS3 with the routers, but hey, nothing beats real iron

Archon

creamy_stew wrote: »

I would add a third switch so you can make a triangle and do STP and other experiments. Doesn't have to be fancy. An old 2950 would do.

Three switches makes it easier to try a lot of stuff out.

I would probably have gone GNS3 with the routers, but hey, nothing beats real iron

I started off with Packet Tracer but that lacked a lot of commands for CCNA: Security so i tried GNS3. I found the ISO versions which worked with GNS3 froze and I couldn't console to the routers. I didn't want to waste time trying to fix issues with it. It was quicker just to build the lab.

I can easily grab another 2960 or 3560 off eBay.


Thanks.