My Journey for 642-617: Firewall v1.0 (1 of 4 exams required for CCNP: Security)



  • Turgon:
    instant000 wrote:
    Hah, a past gig ran a mix of 8.2, 8.3, and 8.4. Some with and without "nat-control" turned on. It made you very "on your toes" whenever you had to troubleshoot an issue, unnecessarily complicated by "nat-control" and multiple version NAT requirements, as if it's not enough just to make sure the traffic is getting to the right location, you also have to be sure that it is translated correctly.

    A great command to use is the "packet-tracer". I know that I use it daily. (Not the GUI version, but the command line version.) Once you get to using packet-tracer, your people will be very happy to have it at their disposal. (FWSM doesn't have it. From my perspective, packet-tracer was the killer app the ASA had.)

    Also, the ASDM real-time logger is okay to use from time-to-time when you're trying to track down an issue.

    The main thing I have to warn you about with the contexts is that depending on how you set it up, and you choose to go Active/Active with your ASAs, keep in mind that if one of them goes down, the other one will have to be able to support all of the contexts, and the device is supposed to set aside resources to accommodate the contexts running on its partner, anyway ... for this reason, running Active/Standby would be better, unless you need the higher bandwidth that I guess you would momentarily get from running Active/Active.

    The best thing is that with the arrival of 8.3, I was able to find several places in Cisco documentation that were recommending turning off nat-control.

    Anyway, since you probably are dealing with the NAT transitions, when I was trying to understand it, I found this link that gave one of the simplest comparisons I could find:

    Cisco ASA 8.3 / 8.4 NAT Guide (simple yet practical overview) « OSI Matrix

    Thanks for this. The conversion of code from one to another is a concern.

    I'm looking at active/active and the contexts will be the same on both devices. It's 2012 so time to move away from active/standby, although I have resisted for a while :)
  • instant000:
    Update 6:

    Lewis Lampkin, III: Sixth Update: Certification: 642-617 FIREWALL v1.0 Deploying Cisco ASA Firewall Solutions (FIREWALL v1.0)

    (And yes, I am trying to drive traffic to my blog, LOL.)

    Need to update my signature ...
    Currently Working: CCIE R&S
    LinkedIn: (Please connect: Just say you're from TechExams.Net!)
  • instant000:
    Appears Cisco is updating the security curriculum to ASA 8.4:

    I was counting on practicing on ASA at work, but they're all 8.2 or lower, looks like, so it looks like I'll be going here: :: View topic - ASA 8.4(2) on QEMU

    to figure out how to virtualize ASA (lots of posters claim to have issues there, so ... probably not worth bothering with for now).

    In the meantime, I think I'll switch back to the ROUTE student lab manual, I've been through the Bryant ROUTE book twice, and done all his labs at least once, and figure if I go through the official lab book at least twice (according to a prior poster) I should be good to go. Might throw in some OCG if I don't do well on the Boson.

    But, putting this one on hold, probably. My only investment in this has been the FW book for 642-617, and about ten hours of reading, whereas I've already placed about 100 hours into ROUTE .... I just wanted the flexibility to spend a good 2 or 3 months to prep at a pace that allowed me to keep up with my schoolwork and such, and it's practically March already ...

    It looks like you need to be ready for the NEW FW and VPN on May 28 and June 1, respectively. For CCNA Security, you need to be ready for the new exam on October 1. See for more details.

    This is no pile on Cisco, I actually got the book last September, (and if I wasn't doing schoolwork) three months would be very comfortable preparation time. But, with schoolwork also, it would not create a great time (i.e., sleep) management situation for me :D
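As an added illustration of the 8.2-to-8.3 NAT change and the packet-tracer check that instant000 describes earlier in the thread (a constructed example, not configuration posted by anyone here; the object names and the RFC 5737 addresses are placeholders):

```cisco
! --- ASA 8.2 style (constructed): nat-control plus nat/global pairs ---
! With nat-control on, an inside host that matches no NAT rule is dropped,
! so a missing translation shows up as a "connectivity" problem.
nat-control
nat (inside) 1 192.168.10.0 255.255.255.0
global (outside) 1 interface
! Static translation of a DMZ web server to a public address
static (dmz,outside) 203.0.113.10 10.10.10.10 netmask 255.255.255.255
! In 8.2 the inbound ACL references the MAPPED (public) address
access-list OUTSIDE-IN extended permit tcp any host 203.0.113.10 eq 80
access-group OUTSIDE-IN in interface outside

! --- ASA 8.3/8.4 equivalent: object NAT; nat-control no longer exists ---
object network INSIDE-NET
 subnet 192.168.10.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network DMZ-WEB
 host 10.10.10.10
 nat (dmz,outside) static 203.0.113.10
! In 8.3+ the inbound ACL references the REAL (untranslated) address;
! leaving the old mapped-address ACL in place is a common post-upgrade break.
access-list OUTSIDE-IN extended permit tcp any object DMZ-WEB eq 80
access-group OUTSIDE-IN in interface outside

! --- Verify from the CLI instead of guessing which rule matched ---
! Simulated inbound HTTP to the public address: the output walks each phase
! (ACCESS-LIST, NAT, ...) and ends with ALLOW or DROP plus the drop reason.
packet-tracer input outside tcp 198.51.100.7 40000 203.0.113.10 80
! Simulated outbound flow from an inside host through the dynamic PAT
packet-tracer input inside tcp 192.168.10.25 50000 198.51.100.7 443
```

Running the two packet-tracer commands before and after an 8.2-to-8.3 migration gives a quick, repeatable check that the same flows still hit the intended NAT and ACL entries.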