642-522 PIX/ASA

Ahriakin SupremeNetworkOverlord Member Posts: 1,800
As usual I don't know if these types of posts are that useful since being NDA bound we can't go into details but I know they have helped me in the past. The main reason I am writing this is in response to a number of posts about whether pre 7.0 experience is useful or not for this exam.
My own experience has been purely on 6.3 for about 2 months now - but I've hammered the hell out of it in that time. I recently took over a network admin position for a system that hadn't been updated since purchase (a long LONG time ago) so I did some major upgrading/studied my ass off more for the work than this cert, actually sitting the exam was an afterthought. I've worked primarily with the PIX units (515s and 501s at remote sites) and some with their connectivity to our VPN concentrator. I am hoping to replace most of this with a nice AIP-SSM equipped ASA unit as soon as my boss thinks it won't damage his bonus. On the CCSP track I've also completed the SNRS so I had a bit of background with Inspection and IPSEC principles before starting with the PIX side.

I originally started with the Cisco ASA and Pix Firewall handbook and was immediately way out of my depth. I switched to the second edition of the Cisco Study guide, though old it covered the latest software we had access to - it's not a very good guide, the first time I've been disappointed with a Cisco Press guide. I finished it anyway and then moved to the 3rd edition which is night and day compared to the 2nd (even excluding the additions for ASA and 7.x). That Safari bookshelf subscription came in quite handy. The 3rd edition could spend a little more time on some of the new areas and seemed to skim a little but for the most part I think this is a very competent guide, at least good enough to teach you enough to know what you might want to look into elsewhere on the few occasions it isn't clear enough. After reading through it twice I went back to the Handbook for more clarifications on areas like MPF and Active/Active failovers etc. BTW while I've still barely scratched the surface the Handbook is incredibly detailed, even now after completing the course I realise it probably has as much information again to offer if I can just get time to go through it all. For practical work as I mentioned it was all on 6.3, after getting some of the older units off of 5.2...fun...Having things like our entire VPN link to Europe disappear one lunchtime did wonders to accelerate learning and at least what I broke during the process taught me how to fix it...eventually....;). I was also allowed to borrow a 501 for home use which was pretty handy. I found the need for practice much greater for this exam than the CCNA/SNRS, a lot of the theory was easier to absorb from implementing it (albeit blindly at first) and then examining the configs (I definitely found this to be true for VPN configurations, I read the chapter once to refresh the theory but studied the commands purely from the config files.).
It's late and I know I'm rambling a bit, bad habit. All in all I thought the exam was quite tough, definitely tougher than the SNRS (if it was a 7.5 I'd rate this as an 8.5) but like all Cisco exams I've taken so far I felt the tasks/questions did accurately test real-world knowledge. Some were obscure but they were on topics that would have relevance in different implementations (as opposed to those that are obscure simply to try and make the exam harder/give it more credibility). I did have issues with the Sims being too exclusive on the commands they would accept. As I mentioned in another post there were times that valid commands were rejected because whoever put the software together did not allow for the correct commands with slightly different syntax (like being told to perform an action relating to ethernet0 but only 'e0' being accepted), another was where the stated requirements could be accomplished two ways and no stipulations were made to favour one method over another and yet only one would work....seems small but in these cases to me it's no longer a real-world sim but a badly implemented and contrived exam task.

I finished in an hour with a 906. So with this post I'm putting this puppy behind me. VPN concentrators next.....joy.....
We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?


  • sprkymrk Member Posts: 4,884
    Congrats on the nice score!

    Sounds like you got thrown into the fire at work and came out unscathed.
    All things are possible, only believe.
  • Ahriakin SupremeNetworkOverlord Member Posts: 1,800
    Thanks, the deep end is the best way to learn imho.

    After re-reading my post I guess I should have started with what I set out to explain: that yes experience with pre 7.x OS is still very useful so don't panic if you can't get a more modern unit to work with. It'll just take a little extra study, it's not a show-stopper at all.
  • dissolved Inactive Imported Users Posts: 228
    Thanks for the write up. I have 6.3 here at the house in a 501. I doubt I can get my hands on a 7.0 unit anytime soon. I'm about to begin studying for the Pix exam. Would you say the questions were pretty evenly matched in regards to the version of software? Or were there more 7.0 questions?
  • Ahriakin SupremeNetworkOverlord Member Posts: 1,800
    The straight answer is misleading and it's that they're all 7.x. BUT there is so much similarity between the two that it's not that big of an issue. For example with 6.x you would specify security levels alongside interface to name mappings on the one NAMEIF command, with 7.x you just remember it works more like IOS in that you enter interface config. mode first and then do each step (ie. Int E0 , nameif outside, security-level 0 etc. line by line). Translations (NAT, PAT, STATIC, GLOBAL etc.) all work the same way except for having to enable Nat-control on 7.x and they play a part in the vast majority of questions, some of the VPN commands are a little different but IPSEC is IPSEC so it's not hard to remember both. Do as much practice as you can on the 501 and then hit the books harder for the differences but when you have a choice choose the 7.x version of the commands in the exam.
    For my own part I found Modular Policy Framework, Active/Active Failover and Multiple contexts daunting the first time I read through them (and had no way to practice them) but they really are not as bad as they seem, certainly not as complex as VPN setups, a few reads and you should find them easy to memorize.
    ASDM is the PDM on steroids, get familiar with 3.04 and again studying the additions for the ASDM should be easy enough.

    For study definitely get the 3rd edition of the Cisco Press guide, anything earlier is worthless. It's been mentioned many times but just in case, http://certcities.com/editorial/exams/story.asp?EditorialsID=109 has links to some free articles that might help.
    I didn't spend much time on OSPF and WebVPN as they were both reasonably complex for such 'small' areas of the course (ie. for me the amount of effort they would have taken was not justified by their listing in the exam objectives relative to other areas). That was a bit of a gamble but I figured there were more important areas worthy of the study time.

    Anyway, hope that helps a little.