My Journey for 642-617: Firewall v1.0 (1 of 4 exams required for CCNP: Security)

instant000instant000 Member Posts: 1,745
**************************************************
=====================================
My Journey for 642-617: Firewall v1.0 (1 of 4 exams required for CCNP: Security)
=====================================
***************************************************

Initial Update:
Certification: 642-617 FIREWALL v1.0 Deploying Cisco ASA Firewall Solutions (FIREWALL v1.0)

000.00% - Overall Preparation
=============================
000.00% - Reading
000.00% - Labbing
000.00% - Confidence
==============================

========================================================================================
Header Explanations (this will only be done for this initial posting)
========================================================================================

<insertword> Update:
Which update I'm on. I like to use initial, second, third, etc. Hopefully, I clear the exam before the thirtieth update!

Certification: <title>
Title of certification I'm working on

Overall Preparation:
Basically, a mathematical average of the numbers of Reading, Labbing, and Confidence.

Reading:
Reading will have to come from cisco.com, as I've decided to try this one without buying a book for it. I believe that I posted in another thread that someone should be able to study for a vendor certification test, using the information freely available on the vendor's website. If this is not possible, then either the vendor does not have adequate documentation on their website, or I do not know how to properly study for their exam, from using the freely available materials.

Labbing (Doing the labs):
1. Labs will have to come from cisco.com, as I've decided to try this one without buying an actual book, just to see what result I get.
2. Focusing on exam objectives, not on doing a million different configurations.
3. Lab EQ: SDM/GNS3/3550 Switches will have to rely on using ASA at work, and the emulated ASA in GNS3.

Confidence (How confident I am in being able to pass this exam, if I took it today.):
Not very at this point, LOL. I don't use all the features of an ASA in day-to-day work, we tend to just use them for firewalling, and *rarely* to VPN, as we tend to use Juniper for VPNs.

=====================================

Now with that said, what would be my notes for studying for this test?

1. The official objectives:
https://learningnetwork.cisco.com/docs/DOC-8974

2. Looked at the table of contents of this book:
CCNP Security Firewall 642-617 Quick Reference

3. Looked at the table of contents of this book:
CCNP Security FIREWALL 642-617 Official Cert Guide, Rough Cuts

4. The CLI Guide for ASA
Cisco ASA 5500 Series Configuration Guide using the CLI, 8.4 [Cisco ASA 5500 Series Adaptive Security Appliances] - Cisco Systems

5. The ASDM Guide for ASA
Cisco ASA 5500 Series Configuration Guide using ASDM, 6.4 - Cisco Systems

I may branch out to other links, but these are the main things I am studying from for now.

I found it particularly interesting that the "quick reference" guide broke out AAA to an entire section, but it wasn't spelled out in the exam syllabus ... needless to say, I'll make sure to review AAA, as well as weigh the rest of those table of contents against the exam objectives, just AAA stuck out like a sore thumb.

I was going to post a table of links, but according to the exam objectives and the guide table of contents that I saw, about the only thing I didn't see taken from the CLI and ASDM guides was the items about VPN, but even with that said, I'm not going to ignore those, so I'm basically studying from the complete CLI and ASDM guides for the ASA.

We'll see how this goes.....
Currently Working: CCIE R&S
LinkedIn: http://www.linkedin.com/in/lewislampkin (Please connect: Just say you're from TechExams.Net!)

Comments

  • Bl8ckr0uterBl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
    Good luck! Which asa models do you work with? Are you CCNP:S bound?
  • instant000instant000 Member Posts: 1,745
    Bl8ckr0uter wrote: »
    Good luck! Which asa models do you work with? Are you CCNP:S bound?

    I don't want to say which models of equipment that I work with (in case there are vulnerabilities), but is 5500 series a good enough answer? (I know, probably not, LOL.) I have one ticket where I'm replacing a PIX with an ASA, but as the PIX was running a later OS, there weren't as many caveats with transferring that configuration as it would be if it was with a wider variance in code revisions.

    I'm not sure if I'm CCNP:S bound, but no harm in becoming more knowledgeable about the equipment that I'm working with :D
    Currently Working: CCIE R&S
    LinkedIn: http://www.linkedin.com/in/lewislampkin (Please connect: Just say you're from TechExams.Net!)
  • instant000instant000 Member Posts: 1,745
    I feel that this single exam might be the most applicable to my day-to-day work, of the ones available with this track, as most customer complaints are something to the effect of "hey, application XYZ's not working right, are you guys blocking anything on the firewall?" .... of course everyone blames the firewall first. Probably second place would be the VPN exam, as customers like to blame whatever they understand the least :D

    Third would be the test for securing switches and routers, as we don't get to touch that as often, and fourth would be IPS, as I've met only one person who's using Cisco IPS.
    Currently Working: CCIE R&S
    LinkedIn: http://www.linkedin.com/in/lewislampkin (Please connect: Just say you're from TechExams.Net!)
  • instant000instant000 Member Posts: 1,745
    Second Update:
    Certification: 642-617 FIREWALL v1.0 Deploying Cisco ASA Firewall Solutions (FIREWALL v1.0)

    003.33% - Overall Preparation
    =============================
    005.00% - Reading
    005.00% - Labbing
    000.00% - Confidence
    ==============================

    Today's Update:

    I'm closer to my goal, than when I started!

    Reading:
    I've read about the first 100 pages of the ASA CLI guide, and also have been doing hands on for all the commands covered so far.

    I probably won't be able to clear this one in the one month goal I originally set for myself, as my WGU classes just started up, and I want to hit those aggressively, as a priority.

    Labbing:
    As I've finally gotten the emulated ASA somewhat stable, I hope to be able to really get into some labs, coming up.

    Confidence:
    If I took the exam today, no way I deserve to pass, as I've never used a couple of the product features that will be tested on the exam. I hope for that to not be the case, by the time this is all wrapped up.
    Currently Working: CCIE R&S
    LinkedIn: http://www.linkedin.com/in/lewislampkin (Please connect: Just say you're from TechExams.Net!)
  • instant000instant000 Member Posts: 1,745
    Third Update:
    Certification: 642-617 FIREWALL v1.0 Deploying Cisco ASA Firewall Solutions (FIREWALL v1.0)

    004.67% - Overall Preparation
    =============================
    007.00% - Reading
    007.00% - Labbing
    000.00% - Confidence
    ==============================

    Today's Update:

    I'm closer to my goal, than when I started!

    Reading:
    I've read about the first 150 pages of the ASA CLI guide, and also have been doing hands on for all the commands covered so far.

    Labbing:
    Only so far, just what I've covered in the guide. I have ASDM working now, also.

    Confidence:
    If I took the exam today, no way I deserve to pass, as I've never used a couple of the product features that will be tested on the exam. I hope for that to not be the case, by the time this is all wrapped up.
    ======================================

    Also, another thing, just getting the ASA emulated seems to be a piece all onto itself, so this information in this posting will help others.

    I included a screenshot of my current lab setup at the end of this posting. I didn't have a clear idea of what to do, but I figured I could do DMZs and VPNs with this setup, and use the C2 as a management computer, to do stuff like syslogs with. So far, I've only incorporated C2 and ASA1, but hope to be doing stuff across the entire setup, by the time I'm done. (Maybe the drawing changes by that time, but I figured this setup could address routing requirements, firewall, etc. Not sure how much of the SSMs I can do with this one, but I guess I'll find out when it gets to that point.)

    ==================================================================
    I didn't just come up with this on my own, I used lots of tips from others on the interwebs, to come up with something that worked consistently for me.

    I originally posted on this here:
    http://www.techexams.net/forums/ccsp/68810-asa-gns3.html#post552337
    But ... decided to just stick it in this thread, as it would probably be a topic of inquiry for someone pursuing the Firewall examination.

    Sources:

    Saving ASA Config in GNS3 - Cozzi's
    Cozzi's - Cisco Knowledge Sharing Blog
    Cisco CCNA TOOLS

    How to add asa in gns3 and run asdm - Part 1 - YouTube
    ^^^ all three videos of that series


    =========================

    How to get the ASA running
    ===========================


    1. Cozzi's - Cisco Knowledge Sharing Blog > Free Tools
    download: cisco asa 8 initrd.gz
    download: cisco asa8 kernel
    2. launch gns3 > edit > preferences > Qemu > ASA
    initrd: specify the file you downloaded earlier
    kernel: specify the other file you downloaded
    make sure to give it a name
    then, you can save, apply, and ok
    3. in GNS3, bring the firewall over
    start it
    minimize the window that comes up
    4. open the ASA console
    wait for one minute (it is loading up)
    5. after waiting one minute, enter this command:
    cd /mnt/disk0
    /mnt/disk0/lina_monitor


    ================================================================

    Formatting the Flash (for when saving fails)
    =======================

    1. enter this command from enable mode:

    format flash:

    2. restart the ASA
    in GNS3 right click on the ASA Icon – “stop”
    give it a few seconds then select “start”

    3. open your ASA console
    if asked run the command
    cd /mnt/disk0
    /mnt/disk0/lina_monitor

    4. now try dir again … note the 0 bytes has gone :O)

    5. You can now save your configs !!

    (follow steps below, on how to do that, I just keep it in notepad, and just paste in when I need it)

    ========================================================
    Saving ASA Configuration
    ========================

    copy /noconfirm running-config disk0:/.private/running-config
    copy /noconfirm disk0:/.private/running-config disk0:/.private/startup-config
    configure terminal
    boot config disk0:/.private/startup-config
    exit
    ==============================
    INTERFACES PINGABLE?
    ======================

    In all the net demos I saw, the ASA was separated by a switch, so I did this, for all of mine. Whether or not this is required, I am not sure, as I have not verified.

    Let me test right quick ...

    Ok, if you try to connect directly, you get this error:

    "Device does not support this type of NIO. Use an ETHSW to bridge the connection to the NIO instead."

    So, definitely, you need to use the switches between your ASA's, and they work just fine.

    So, that explains that. It works fine. I even TFTP'ed through the thing, as well as run asdm.

    Guess next would be the instructions on using ASDM.

    ====================================
    ASDM CONFIGURATION
    ===========================
    java version used: 1.42_05
    OS used: XP Pro SP3 (this is actually running inside a Windows Virtual PC)
    web browser used: IE 8

    1. Download asdm.bin file - Cisco Systems, Inc > support > downloads > ASA 5500 > Cisco ASA 55XX Adaptive Security Appliance (choose whichever one you have .... login and support contract restricted download)
    2. Download TFTP server - TFTP server
    3. Install TFTP server
    4. Start TFTP server
    5. Configure TFTP server to point to your asdm bin file
    6. Verify ping between ASA and the TFTP server
    ===
    7. set up ASA for https access
    config t
    http server enable
    http 10.10.10.10 255.255.255.255 dmz
    username instant password techeXams privilege 15

    ^^^ Note: this assumes that your workstation that you are going to connect to the ASDM with is running IP address 10.10.10.10
    =========
    8. copy the asdm bin file to your ASA using tftp
    copy tftp://10.10.10.10/asdm-699.bin flash:

    ^^^ Note: this assumes that your asdm filename is asdm-699.bin (it should differ)

    9. set up file you just uploaded to your ASA as the ASDM image
    config t
    asdm image flash:asdm-699.bin

    10. Connect to your ASA via https
    https://<ASA IP ADDRESS>

    11. Install ASDM Launcher and Run ASDM

    12. Plug in your ASA's IP address (the one you could ping earlier) and login with the credentials you configured earlier, and you should be good to go!

    Have at it!


    ======================
    Currently Working: CCIE R&S
    LinkedIn: http://www.linkedin.com/in/lewislampkin (Please connect: Just say you're from TechExams.Net!)
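As an added example (not from the original post, and not a Cisco tool), here is a small Python checker for the management-access lines used in the ASDM setup above. It parses ASA-style `http <ip> <mask> <interface>` statements like `http 10.10.10.10 255.255.255.255 dmz` from step 7 and flags any that are wider than a handful of management hosts or that sit on the outside interface, and it also checks that the `asdm image` line from step 9 and the `boot config` line from the "Saving ASA Configuration" section are present. The two sample configs are constructed for the example; the `/24` threshold is an assumed policy, not something the post specifies.

```python
import ipaddress
import re

# Constructed sample: the management-access lines from the ASDM procedure
# above, scoped to the single workstation at 10.10.10.10.
SCOPED_CONFIG = """\
http server enable
http 10.10.10.10 255.255.255.255 dmz
username instant password techeXams privilege 15
asdm image flash:asdm-699.bin
boot config disk0:/.private/startup-config
"""

# Constructed sample of the weak variant: ASDM reachable from any address
# on the outside interface, and no ASDM image or boot config set.
OPEN_CONFIG = """\
http server enable
http 0.0.0.0 0.0.0.0 outside
username instant password techeXams privilege 15
"""

# Matches "http <ip> <mask> <interface>"; "http server enable" has only two
# tokens after "http", so it does not match.
HTTP_RE = re.compile(r"^http\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_http_access(config):
    """Return [(IPv4Network, interface)] for each http access statement."""
    entries = []
    for line in config.splitlines():
        m = HTTP_RE.match(line.strip())
        if not m:
            continue
        ip, mask, ifname = m.groups()
        try:
            net = ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)
        except ValueError:
            # e.g. "http redirect outside 80": not an access statement
            continue
        entries.append((net, ifname))
    return entries


def audit_management_access(config, min_prefixlen=24):
    """Return a list of findings; an empty list means the config passed."""
    findings = []
    lines = [l.strip() for l in config.splitlines()]
    entries = parse_http_access(config)

    if "http server enable" in lines and not entries:
        findings.append("http server enabled but no 'http <ip> <mask> <if>' "
                        "statement: ASDM will be unreachable")

    for net, ifname in entries:
        if net.prefixlen < min_prefixlen:
            findings.append(f"http access on {ifname} allows {net}: "
                            f"scope it to the management hosts")
        if ifname.lower() == "outside":
            findings.append(f"http access permitted on the outside "
                            f"interface ({net})")

    if not any(l.startswith("asdm image ") for l in lines):
        findings.append("no 'asdm image' set: https login will not launch ASDM")
    if not any(l.startswith("boot config ") for l in lines):
        findings.append("no 'boot config' pointing at the saved startup-config "
                        "(needed for the GNS3-emulated ASA to boot its saved config)")
    return findings


if __name__ == "__main__":
    for name, cfg in (("scoped", SCOPED_CONFIG), ("open", OPEN_CONFIG)):
        print(f"== {name} ==")
        for f in audit_management_access(cfg) or ["OK"]:
            print(" -", f)
```

Run it as-is and the scoped config passes cleanly, while the open config produces four findings: the `0.0.0.0 0.0.0.0` statement is wider than the threshold, it is on the outside interface, and both the `asdm image` and `boot config` lines are missing.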
  • instant000instant000 Member Posts: 1,745
    Fourth Update:

    1. I am downgrading the guides I am reading on Cisco's site to version 8.2 per some good information I gathered from comments on this site, and at the Cisco exam objectives page. (This saves about 400 or 500 pages of reading, as there's that much difference in content from the 8.2 to 8.4 guides).

    2. I found this book is available at WGU, through Books 24 x 7, so I can use this to study for my exam, yes!

    Amazon.com: Cisco ASA Configuration (Networking Professional's Library) (9780071622691): Richard Deal: Books
    Currently Working: CCIE R&S
    LinkedIn: http://www.linkedin.com/in/lewislampkin (Please connect: Just say you're from TechExams.Net!)
  • instant000instant000 Member Posts: 1,745
    Fifth Update:

    In this post, I decided to do a breakdown of the exam topics, versus items I could read through and study from the configuration guides and/or articles available on cisco.com. Then, I can use this as a "checklist" to make sure that I've studied everything that I need to cover, prior to sitting the exam. Since I didn't have an official text, this will serve as my "compass" as I study.

    TIP: I like to put "dates" alongside what I study. This helps me to get into a study mode on a daily basis. I realize that by covering the entire 8.2 guide, I'll probably study more than someone would if they went to the Firewall Course ... but as I work with ASAs on a daily basis, I'd want to know more about them than someone who just went to a class for a week.

    This can hopefully be used as a study template by others. I would hope that you gave original credit to me, but I'm not going to sue you over it, UNLESS you figure out a way to make money from it :D

    ===============================================

    My Breakdown of Exam Topics (compare to the 8.2 configuration guide, since the test is on 8.2, no need to read the 8.4 guide, especially when the 8.4 guide has about 400 or 500 more pages, AND has the new style of NAT, which wouldn't be covered, so I'd hurt myself with that one, while I still need it for work, not for this exam).

    I. Pre-Production Design

    A. ___ Choose ASA Perimeter Security technologies/features to implement HLD based on given security requirements
    ^^^ This is about knowing everything an ASA is capable of, and designing your security perimeter based upon the appropriate technology. I imagine that questions from this topic would be about being given a set of things you'd want your network to be protected from, and being able to choose the appropriate ASA technology for the situation. In order to do that, you're going to have to understand all of the ASA capabilities. (to me, this means a general understanding of the Cisco Security Design, as well as knowing what features the ASA has, and what they do.)
    What to read: Security Design Guides

    B. ____ Choose the correct ASA model to implement HLD based on given performance requirements
    ^^^ This is about knowing what the performance capabilities of the different ASA models out there are. Some can give you more or less VPNs, contexts, etc. The best resource for this is going to be memorizing the model feature comparisons. (see II-A. 1, Licensing, for another thing to just memorize)
    What to memorize: Model Comparison Sheets

    C. ______ Create and test initial ASA appliance configurations using CLI
    ^^^ This is about things like IP addressing, naming interfaces, security levels, hostname, domain name, and setting up for https access, so you can manage the appliance via ASDM
    What to do: IP address, naming interfaces, security levels, host name, domain name, set up ASDM access, setting up basic local/AAA authentication, setting time, and logging. What files are required to boot the device, as well as run ASDM? How do I save the configuration (don't want to lose all your hard work).
    what to know: device setup

    II. Complex Operations Support

    Note to self: memorize licensing, understand and configure everything else

    A. ___ Optimize ASA Perimeter Security features performance, functions, and configurations
    ^^^ Not quite sure what this one means at this time, to be honest. I'll have to read and look for text such as "Cisco recommends". Just including some topics below that would HAVE to be covered, that I can't find elsewhere in the syllabus, that appear to be in this area.
    ___ 1. Managing Feature Licenses
    ___ 2. Configuring the Transparent or Routed Firewall
    ___ 3. Managing Multiple Context Mode
    ___ 4. Configuring DHCP and DDNS
    ___ 5. Modular Policy Framework

    B. ___ Create complex ASA security perimeter policies such as ACLs, NAT/PAT, L3/L4/L7 stateful inspections, QoS policies, cut-thru proxy, threat detection, botnet detection/filter using CLI and/or ASDM
    ___ 1. ACLs
    ___ a. Extended
    ___ b. EtherType
    ___ c. Standard
    ___ d. Webtype
    ___ e. IPv6
    ___ f. Object Groups
    ___ g. Logging ACLs

    ___ 2. NAT/PAT
    ___ a. NAT Control
    ___ b. Dynamic NAT and PAT
    ___ c. Static NAT
    ___ d. Static PAT
    ___ e. Bypassing NAT

    ___ 3. L3/L4/L7 stateful inspections
    ___ a. Configuring Inspection of Basic Internet Protocols
    ___ b. Configuring Inspection of Voice and Video Protocols
    ___ c. Configuring Inspection of Database and Directory Protocols
    ___ d. Configuring Inspection of Management Application Protocols

    ___ 4. QoS policies
    ___ 5. cut-thru proxy
    ___ 6. threat detection
    ___ 7. botnet detection/filter
    ___ 8. TCP State Bypass
    ___ 9. TCP Normalization
    ___ 10. Web Cache Services Using WCCP
    ___ 11. Preventing Network Attacks

    C. ___ Perform initial setup on the AIP-SSM and CSC-SSM using CLI and/or ASDM
    ___ 1. AIP-SSM
    ___ 2. CSC-SSM

    D. ___ Configure, verify and troubleshoot High Availability ASAs (A/S and A/A FO) operations using CLI and/or ASDM
    ___ 1. Active/Standby
    ___ 2. Active/Active
    ___ 3. Considerations for failover when using single/multiple contexts

    E. ___ Configure, verify and troubleshoot static routing and dynamic routing protocols on the ASA using CLI and/or ASDM
    ___ 1. static routing
    ___ 2. default routing
    ___ 3. RIP
    ___ 4. EIGRP
    ___ 5. OSPF
    ___ 6. Multicast
    ___ 7. IPv6 Neighbor Discovery

    F. ___ Configure, verify and troubleshoot ASA transparent firewall operations using CLI

    G. ___ Configure, verify and troubleshoot management access/protocols on the ASA using CLI and/or ASDM
    ___ 1. management interface (or was this covered in initial configuration?)
    ___ 2. Permitting or Denying Network Access
    ___ 3. Configuring AAA Servers and the Local Database
    ___ 4. Configuring Management Access
    ___ 5. Configuring AAA for Network Access
    ___ 6. Configuring Filtering Services
    ___ 7. How to avoid locking yourself out of the firewall (this just seems obvious to add somewhere)
    ___ 8. password recovery (would seem to be an important part of management access)
    ___ 9. Logging
    ___ 10. NSEL
    ___ 11. SNMP
    ___ 12. Smart Call Home

    III. Describe Advanced Troubleshooting

    A. _____ Advanced ASA security perimeter configuraiton/software/hardware troubleshooting using CLI and/or ASD fault finding and repairing
    ______ 1. Managing Software and Configurations
    ______ 2. Troubleshooting

    B. ___ Additional Reading: (just some stuff that makes sense for me to read)
    ____ 1. Cisco article on troubleshooting connectivity through ASA/PIX
    ____ 2. packet tracer articles
    ____ 3. Glossary terms (I actually prefer to start here, it makes everything else in the guide easier to read)
    ____ 4. cisco.com (exam objectives) - right below the exam objectives, a poster makes remarks about exam content. (apparently, this post is legal, as another post right beside it was moderated) several posts clue you in to what ASA version is tested on the test, and this is also not moderated. Before, I was ignoring the posts down there, as most of them were just complaints, but knowing which ASA version to test on is important, considering the vast difference between the natting setups in 8.2 and 8.3.
    _____ 5. Richard Deal's book: Cisco ASA Firewalls (available thru WGU, on books 24x7... (also noticed they appear to have the new CCNP series of books available there, too, so this is another incentive, if you're a WGU student! ... yes, I'm plugging my U!)
    _____ 6. VPN items in the config guide. Though not listed in any objectives, considering there is an entirely separate "VPN" test, I do not want to take a chance at going into the test "unaware". There's a complete section of the config guide on VPN, and I will at least read over it, so I don't walk into the test blind-sided.
    ================================================
    Compared vs. the Cisco Exam Topics for 642-617:


    Pre-Production Design

    Choose ASA Perimeter Security technologies/features to implement HLD based on given security requirements
    Choose the correct ASA model to implement HLD based on given performance requirements
    Create and test initial ASA appliance configurations using CLI
    Determine which ASA licenses will be required based on given requirements

    Complex Operations Support

    Optimize ASA Perimeter Security features performance, functions, and configurations
    Create complex ASA security perimeter policies such as ACLs, NAT/PAT, L3/L4/L7 stateful inspections, QoS policies, cut-thru proxy, threat detection, botnet detection/filter using CLI and/or ASDM
    Perform initial setup on the AIP-SSM and CSC-SSM using CLI and/or ASDM
    Configure, verify and troubleshoot High Availability ASAs (A/S and A/A FO) operations using CLI and/or ASDM
    Configure, verify and troubleshoot static routing and dynamic routing protocols on the ASA using CLI and/or ASDM
    Configure, verify and troubleshoot ASA transparent firewall operations using CLI
    Configure, verify and troubleshoot management access/protocols on the ASA using CLI and/or ASDM

    Describe Advanced Troubleshooting

    Advanced ASA security perimeter configuraiton/software/hardware troubleshooting using CLI and/or ASD fault finding and repairing

    ^^^Note: Typos are in the actual topics at cisco.com
    (available at cisco.com)
    ======================================================
    Compared vs. 642-617 Official Cert Guide Table of Contents:

    1. Cisco ASA Overview
    2. Working with an ASA
    3. Deploying Basic Connectivity
    4. Deploying IP Connectivity
    5. Managing an ASA
    6. Recording ASA Activity
    7. Using Address Translation
    8. Controlling Access through the ASA
    9. Inspecting Traffic with the ASA
    10. Using Proxy Services to Control Access
    11. Controlling Quality of Service
    12. Creating Virtual Firewalls with the ASA
    13. Deploying High Availability Features
    14. Integrating ASA Service Modules

    (available at ciscopress.com)
    ================================================================

    Compared vs. the CCNP Security Firewall 642-617 Quick Reference:

    Cisco Firewall and ASA Technology
    Basic Connectivity and Device Management
    ASA Access Control
    ASA Network Integration
    AAA Configuration on the Cisco ASA
    ASA High Availability

    (available at ciscopress.com)
    ============================================================

    Compared vs. the Cisco ASA Firewall Course:

    Course Objectives

    Upon completing this course, the learner will be able to meet these overall objectives:

    Evaluate the basic technology, features, and hardware models of the Cisco ASA adaptive security appliance product line.
    Implement and maintain basic Cisco ASA adaptive security appliance connectivity and device management plane features.
    Implement and maintain data plane access control features of the Cisco ASA adaptive security appliance product family.
    Implement and maintain Cisco ASA adaptive security appliance features that integrate it with the local and global routing and switching infrastructure.
    Implement and maintain Cisco ASA adaptive security appliance virtualization and high availability features.
    Evaluate Cisco ASA adaptive security appliance SSM modules, their major features, and integrate them with the Cisco ASA adaptive security appliance.

    Course Outline

    Introduction to the Cisco ASA Adaptive Security Appliance
    Implementation of Basic Connectivity and Device Management
    Deployment of Cisco ASA Adaptive Security Appliance Access Control Features
    Deployment of Cisco ASA Adaptive Security Appliance Network Integration Features
    Deployment of Cisco ASA Adaptive Security Appliance Virtualization and High-Availability Features
    Integration of Cisco ASA Adaptive Security Appliance Security Service Modules
    Appendix A: Configuring Routing on the Cisco ASA Adaptive Security Appliance
    Appendix B: Lab (Optional): Configuring Dynamic Routing

    (available at cisco.com)
    ==============================
    Currently Working: CCIE R&S
    LinkedIn: http://www.linkedin.com/in/lewislampkin (Please connect: Just say you're from TechExams.Net!)
  • Bl8ckr0uterBl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
    I talked to a TAC engineer, a 5505 ASA should be able to do everything for this exam (from what he said).
  • instant000instant000 Member Posts: 1,745
    Bl8ckr0uter wrote: »
    I talked to a TAC engineer, a 5505 ASA should be able to do everything for this exam (from what he said).


    Thanks for the advice.

    One day, I hope to return the favor. :D

    Yes, those ASAs are less than $300 (including shipping) on some of the Buy it now, so at this point, the question becomes (how bad do you want it?).

    .... And then I also wonder about ... how will I ever be able to afford an IPS? But maybe I'll just leave that hurdle for when I come to it. I only know one person in this area that has physical Cisco IPS.

    That may be one of those "remote labs" type of things, as the cost per hour used won't be justified with the IPS product purchase, and remote lab time would probably make more sense. Since I can use the ASA for both the Firewall and VPN test (and is also something I support at work) it makes more sense to "own" this device, as the cost per hour used would be a lot less.
    Currently Working: CCIE R&S
    LinkedIn: http://www.linkedin.com/in/lewislampkin (Please connect: Just say you're from TechExams.Net!)
  • Bl8ckr0uterBl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
    instant000 wrote: »
    Thanks for the advice.

    One day, I hope to return the favor. :D

    Yes, those ASAs are less than $300 (including shipping) on some of the Buy it now, so at this point, the question becomes (how bad do you want it?).

    .... And then I also wonder about ... how will I ever be able to afford an IPS? But maybe I'll just leave that hurdle for when I come to it. I only know one person in this area that has physical Cisco IPS.

    That may be one of those "remote labs" type of things, as the cost per hour used won't be justified with the IPS product purchase, and remote lab time would probably make more sense. Since I can use the ASA for both the Firewall and VPN test (and is also something I support at work) it makes more sense to "own" this device, as the cost per hour used would be a lot less.

    No problem.

    You can run the IDS in GNS3. Those IPS 4200s are way too expensive. I might be looking at Firewall before Secure due to a job responsibility change. Jimmy put this link up in his CCIE thread:
    http://www.gigavelocity.com/rack-3-ine-rs-40-july-2011-c-759_8141.html

    I checked them out. They seem to have great rates and they also have a full CCIE lab, which should be enough for the CCNP:S :)

    I also did some more checking on the 8.X version. I still can't figure out which one they are testing off of. I have the "ASA Bible" (which covers 8.3). 8.4 is out and 8.5 is on its way. I wonder which one they are testing off of. I might just have to wing it and do a little studying of a few versions. Now that I've looked at it, I think the only major changes involve nat and such.
  • lrblrb Member Posts: 526
    The FIREWALL exam quick reference guide is available which seems pretty good looking at the one on mysafari. I can definitely vouch for these quick reference guides, if nothing more than to help direct your study a little.
  • instant000instant000 Member Posts: 1,745
    Bl8ckr0uter wrote: »
    No problem.

    You can run the IDS in GNS3. Those IPS 4200s are way too expensive. I might be looking at Firewall before Secure due to a job responsibility change. Jimmy put this link up in his CCIE thread:
    http://www.gigavelocity.com/rack-3-ine-rs-40-july-2011-c-759_8141.html

    I checked them out. They seem to have great rates and they also have a full CCIE lab, which should be enough for the CCNP:S :)

    I also did some more checking on the 8.X version. I still can't figure out which one they are testing off of. I have the "ASA Bible" (which covers 8.3). 8.4 is out and 8.5 is on its way. I wonder which one they are testing off of. I might just have to wing it and do a little studying of a few versions. Now that I've looked at it, I think the only major changes involve nat and such.

    yes, I saw a guy was running the IPS emulated also. I'll look at that one when I get to it. I'm still going to lab with virtual ASA, unless I have to use physical.

    According to the posts I see about the test at cisco.com, they test on version 8.2
    Currently Working: CCIE R&S
    LinkedIn: http://www.linkedin.com/in/lewislampkin (Please connect: Just say you're from TechExams.Net!)
  • instant000instant000 Member Posts: 1,745
    lrb wrote: »
    The FIREWALL exam quick reference guide is available which seems pretty good looking at the one on mysafari. I can definitely vouch for these quick reference guides, if nothing more than to help direct your study a little.

    Thanks.

    I've been considering getting a book, but I think it'll be more challenging this way.

    Of course, if I fail the test, I will break down and get the book. I'm just experimenting to see whether or not buying a book is necessary to pass a Cisco exam, if you properly cover the objectives.

    My biggest complaint is that the exam objectives are VAGUE.
    Currently Working: CCIE R&S
    LinkedIn: http://www.linkedin.com/in/lewislampkin (Please connect: Just say you're from TechExams.Net!)
  • instant000 Member Posts: 1,745
    Also, I decided to slow down on studying for any certification tests until after I've cleared all of my certification tests for my Master's at WGU. Studying for two certs at once doesn't feel too fun, and I have two classes + CEH to look at right now, so I'll just do those.

    ... Not killing this thread, just may not update it that often, until I get all of the degree-required certs out of the way.
    Currently Working: CCIE R&S
    LinkedIn: http://www.linkedin.com/in/lewislampkin (Please connect: Just say you're from TechExams.Net!)
  • lrb Member Posts: 526
    instant000 wrote: »
    My biggest complaint is that the exam objectives are VAGUE.

    What are you talking about? This seems pretty specific to me:

    "Create and test initial ASA appliance configurations using CLI"
  • alan2308 Member Posts: 1,854 ■■■■■■■■□□
    instant000 wrote: »
    Also, I decided to slow down on studying for any certification tests until after I've cleared all of my certification tests for my Master's at WGU. Studying for two certs at once doesn't feel too fun, and I have two classes + CEH to look at right now, so I'll just do those.

    ... Not killing this thread, just may not update it that often, until I get all of the degree-required certs out of the way.

    The CEH section could use the activity.
  • Maced129 Member Posts: 78 ■■□□□□□□□□
    Thanks for the ASA guide in GNS3! I've tried it a few times, but I am never able to get the logging to work properly. Have you been using the logging or are you using it just for configuration?
  • instant000 Member Posts: 1,745
    lrb wrote: »
    What are you talking about? This seems pretty specific to me:

    "Create and test initial ASA appliance configurations using CLI"

    They're basically saying that if you want to optimize your study time, you better buy a book. I know I'm trying to go without getting a book for this one (as it is just a personal thing I want to attempt), but I'll probably end up getting a book for the others, as it would speed up the study time.
    Currently Working: CCIE R&S
    LinkedIn: http://www.linkedin.com/in/lewislampkin (Please connect: Just say you're from TechExams.Net!)
  • instant000 Member Posts: 1,745
    Maced129 wrote: »
    Thanks for the ASA guide in GNS3! I've tried it a few times, but I am never able to get the logging to work properly. Have you been using the logging or are you using it just for configuration?

    I looked at the logging tab in the ASDM, and it looked like a bunch of gibberish traffic! Guess you can't emulate everything!
    Currently Working: CCIE R&S
    LinkedIn: http://www.linkedin.com/in/lewislampkin (Please connect: Just say you're from TechExams.Net!)
  • instant000 Member Posts: 1,745
    I've decided to buy the rough cuts. My apologies, but I felt totally misguided in my preparations, and I felt that I was wasting my time, reading all sorts of guides, on stuff that won't help me at my job, or on the certification exam.
    Currently Working: CCIE R&S
    LinkedIn: http://www.linkedin.com/in/lewislampkin (Please connect: Just say you're from TechExams.Net!)
  • Bl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
    I found a good video on the "new" way to nat

    Hope it helps someone:


    Cisco ASA Version 8.3 Network Address Translation (NAT) - YouTube!
  • instant000 Member Posts: 1,745
    I found a good video on the "new" way to nat

    Hope it helps someone:


    Cisco ASA Version 8.3 Network Address Translation (NAT) - YouTube!

    Hah.

    We have some devices running 8.3, and some running earlier versions. Have to be extra careful in building configs now :D .... just hope I can convince them to get everything running the same version.
    Currently Working: CCIE R&S
    LinkedIn: http://www.linkedin.com/in/lewislampkin (Please connect: Just say you're from TechExams.Net!)
  • Maced129 Member Posts: 78 ■■□□□□□□□□
    how is the journey going?
  • instant000 Member Posts: 1,745
    Maced129 wrote: »
    how is the journey going?

    Hahahhaa, LOL. I decided to re-focus my energies on my Master's degree. I figure that I might pick back up on studying this, once I hit a strong groove with my WGU studies.
    Currently Working: CCIE R&S
    LinkedIn: http://www.linkedin.com/in/lewislampkin (Please connect: Just say you're from TechExams.Net!)
  • instant000 Member Posts: 1,745
    Just another course I looked up, if someone wanted to see what kind of syllabus are out there:


    Cisco Course 1.0 | ASA Software v8.2 | Prepares you for Cisco Exam 642-617 FIREWALL.
    Part of Cisco's recent announcement for the CCNP Security certification program includes two new courses, FIREWALL and VPN, which replace SNAF and SNAA.
    If you have already completed some of the exams for your CCNP Security, you have a limited time to finish. For complete details, and a suggested training path for your particular situation, visit our CCNP Security page.

    Learn the skills needed to configure, maintain, and operate the firewall features of the Cisco ASA 5500 Series Adaptive Security Appliances (ASAs).
    We have enhanced this course and added depth to the standard labs, using a topology that simulates a typical production network. You'll use ASA 5520 appliances to work through configuring access control to and from your network. You will also examine the PIX firewall and the Firewall Services Module (FWSM).

    A Global Knowledge Exclusive: Bonus Lab Credits
    You'll receive five extra FIREWALL e-Lab credits (good for 30 days) to review a topic after class, refine your skills, or get in extra practice: whatever lab activities complete your training. The credits can also be used towards our one-of-a-kind ASA 8.3 labs.

    This course has extended hours (8:30am - 6:00pm each day) to give you the most complete training experience possible. There is a lot of in-depth material included on these exams, and we want to make sure you have the proper time to absorb and understand it.

    What You'll Learn

    • Technology and features of the Cisco ASA
    • Cisco ASA product family
    • How ASAs and Cisco PIX Security Appliances protect network devices from attacks
    • Bootstrap the security appliance
    • Prepare the security appliance for configuration via the Cisco Adaptive Security Device Manager (ASDM)
    • Launch and navigate ASDM
    • Perform essential security appliance configuration using ASDM and the CLI
    • Configure dynamic and static address translations
    • Configure access policy based on Access Control Lists (ACLs)
    • Use object groups to simplify ACL complexity and maintenance
    • Use the Modular Policy Framework to provide unique policies to specific data flows
    • Handle advanced protocols with application inspection
    • Deep packet inspection of application layer traffic
    • Troubleshoot with Syslog, Packet Tracer, and packet capture
    • Configure access-control based on authenticated users
    • Configure threat detection to meet security policy requirements
    • Configure the security appliance to run in transparent firewall mode
    • Enable, configure, and manage multiple contexts to meet security policy requirements
    • Select and configure the type of failover that best suits the network topology
    • Monitor and manage an installed security appliance
    • Initialize ASA Security Service Modules including the AIP-SSM and CSC-SSM

    Course Outline

    1. Cisco ASA Adaptive Security Appliance
    • Technology and Features
    • ASA Family
    2. Basic Connectivity and Device Management
    • Cisco ASA and Cisco ASDM
    • Interfaces and Static Routing
    • Basic Device Management Features
    • Management Access
    3. Cisco ASA Access Control Features
    • Basic Access Control
    • Modular Policy Framework
    • Basic Stateful Inspection Features
    • Application-Layer Policies
    • Advanced Access Controls
    • Resource Limits and Guarantees
    • User-Based Policies
    4. Cisco ASA Network Integration Features
    • Network Address Translation
    • Transparent Firewall Operations
    5. Cisco ASA Virtualization and High Availability Features
    • Virtualization Features
    • Redundant Interfaces
    • Active/Standby High Availability Failover
    • Active/Active High Availability Failover
    6. Cisco ASA Security Service Modules
    • AIP-SSM and AIP-SSC Module Integration
    • CSC-SSM Module Integration

    Labs

    • Lab 1: Enhanced - Preparing for Administration
    • Lab 2: Enhanced - Fundamental Configuration
    • Lab 3: Enhanced - AAA for Administrative Access
    • Lab 4: Enhanced - Network Address Translation
    • Lab 5: Enhanced - Basic Access Control
    • Lab 6: Exclusive - Troubleshooting Tools
    • Lab 7: Enhanced - Basic Protocol Inspection
    • Lab 8: Enhanced - Advanced Protocol Inspection
    • Lab 9: Enhanced - Advanced Access Control
    • Lab 10: Enhanced - User Based Policies
    • Lab 11: Enhanced - Transparent Firewall and Security Contexts
    • Lab 12: Enhanced - Active/Standby Failover
    • Lab 13: Enhanced - Active/Active Failover

    Source: Cisco FIREWALL Deploying Cisco ASA Firewall Solutions at Global Knowledge
    Currently Working: CCIE R&S
    LinkedIn: http://www.linkedin.com/in/lewislampkin (Please connect: Just say you're from TechExams.Net!)
  • instant000 Member Posts: 1,745
    Update:

    Settling back into this one, might start back up the cert tracker on it. Still don't use Cisco IPS, but I can do hands-on at work for everything on the Security blueprint except the IPS.

    Going to try to not be too worried about possible blueprint changes down the line, and just take it day by day. The possible blueprint changes (IPv6, Wireless/Live Attack Simulation) make sense anyway, for any modern network. Right now, the Master's classes are priority, so I won't be updating this one like crazy, LOL. Apologies in advance. Think I might even just use my blog to update on this one, as I can kill two birds with one stone (get my site more popular, due to linking back to itself, over-and-over again as I like to do) and study for the test at the same time. Just realized that I hadn't updated my blog since 2010 ....
    Currently Working: CCIE R&S
    LinkedIn: http://www.linkedin.com/in/lewislampkin (Please connect: Just say you're from TechExams.Net!)
  • Turgon Banned Posts: 6,308 ■■■■■■■■■□
    instant000 wrote: »
    Update:

    Settling back into this one, might start back up the cert tracker on it. Still don't use Cisco IPS, but I can do hands-on at work for everything on the Security blueprint except the IPS.

    Going to try to not be too worried about possible blueprint changes down the line, and just take it day by day. The possible blueprint changes (IPv6, Wireless/Live Attack Simulation) make sense anyway, for any modern network. Right now, the Master's classes are priority, so I won't be updating this one like crazy, LOL. Apologies in advance. Think I might even just use my blog to update on this one, as I can kill two birds with one stone (get my site more popular, due to linking back to itself, over-and-over again as I like to do) and study for the test at the same time. Just realized that I hadn't updated my blog since 2010 ....

    Good luck. We have an FWSM -> ASA context migration on. The differences between NAT implementations etc are interesting.
  • shednik Member Posts: 2,005
    instant000 wrote: »
    Update:

    Settling back into this one, might start back up the cert tracker on it. Still don't use Cisco IPS, but I can do hands-on at work for everything on the Security blueprint except the IPS.

    Going to try to not be too worried about possible blueprint changes down the line, and just take it day by day. The possible blueprint changes (IPv6, Wireless/Live Attack Simulation) make sense anyway, for any modern network. Right now, the Master's classes are priority, so I won't be updating this one like crazy, LOL. Apologies in advance. Think I might even just use my blog to update on this one, as I can kill two birds with one stone (get my site more popular, due to linking back to itself, over-and-over again as I like to do) and study for the test at the same time. Just realized that I hadn't updated my blog since 2010 ....


    Sounds good. I'm trying to get myself off my lazy you-know-what to get back into the studying... I think last year, between the busy travel schedule for work and finishing my masters, I have been unconsciously prioritizing things more fun than my studies. So I definitely know where you are coming from there.

    I would definitely like to follow your blog though, since I plan to finish my CCNP and get the CCNP:Security going this year. Best of luck, and I hear you on the IPS stuff... I have a few of the AIP-SSMs to play with but not the appliances, so I'm not sure how different they actually are. Doesn't help that we're probably moving to Checkpoint for firewalls and IPS either.
  • shednik Member Posts: 2,005
    Turgon wrote: »
    Good luck. We have an FWSM -> ASA context migration on. The differences between NAT implementations etc are interesting.

    Turgon... which version of FWSM are you migrating from, and to what ASA version, 8.4? The best way to describe Cisco's new way of NAT is that it's very close to the way Checkpoint does it, at least looking at it with SmartDashboard vs ASDM.
  • instant000 Member Posts: 1,745
    Turgon wrote: »
    Good luck. We have an FWSM -> ASA context migration on. The differences between NAT implementations etc are interesting.

    Hah, a past gig ran a mix of 8.2, 8.3, and 8.4. Some with and without "nat-control" turned on. It made you very "on your toes" whenever you had to troubleshoot an issue, unnecessarily complicated by "nat-control" and multiple version NAT requirements, as if it's not enough just to make sure the traffic is getting to the right location, you also have to be sure that it is translated correctly.

    A great command to use is the "packet-tracer". I know that I use it daily. (Not the GUI version, but the command line version.) Once you get to using packet-tracer, your people will be very happy to have it at their disposal. (FWSM doesn't have it. From my perspective, packet-tracer was the killer app the ASA had.)

    Also, the ASDM real-time logger is okay to use from time-to-time when you're trying to track down an issue.

    The main thing I have to warn you about with the contexts is that depending on how you set it up, and if you choose to go Active/Active with your ASAs, keep in mind that if one of them goes down, the other one will have to be able to support all of the contexts, and the device is supposed to set aside resources to accommodate the contexts running on its partner, anyway ... for this reason, running Active/Standby would be better, unless you need the higher bandwidth that I guess you would momentarily get from running Active/Active.

    The best thing is that with the arrival of 8.3, I was able to find several places in Cisco documentation that were recommending turning off nat-control.

    Anyway, since you probably are dealing with the NAT transitions, when I was trying to understand it, I found this link that gave one of the simplest comparisons I could find:

    Cisco ASA 8.3 / 8.4 NAT Guide (simple yet practical overview) « OSI Matrix
    Currently Working: CCIE R&S
    LinkedIn: http://www.linkedin.com/in/lewislampkin (Please connect: Just say you're from TechExams.Net!)
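As an added illustration of the two points raised in this thread (the 8.2 vs 8.3+ NAT syntax change Bl8ckr0uter's video and Turgon's FWSM migration touch on, and the packet-tracer check instant000 recommends), here is a constructed side-by-side configuration. It is not config posted by anyone in the thread; the interface names, object names and RFC 5737 documentation addresses (192.168.1.0/24 inside, 203.0.113.10 public, 198.51.100.5 client) are assumptions for the example.

```cisco
! ===== Pre-8.3 style (8.2 and earlier): nat / global / static =====
! Constructed example; addresses and names are placeholders.
! ACLs on these versions match the TRANSLATED (mapped) address.
! With nat-control enabled, inside hosts MUST match a nat rule to pass at all;
! 'no nat-control' (the default) only translates flows that match a rule.
no nat-control
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 80
access-group OUTSIDE_IN in interface outside

! ===== 8.3+ style: object NAT =====
! nat-control no longer exists, and ACLs now match the REAL (untranslated) address,
! so the same policy is written against the inside object, not the public IP.
object network INSIDE-NET
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network WEB-SERVER
 host 192.168.1.10
 nat (inside,outside) static 203.0.113.10
access-list OUTSIDE_IN extended permit tcp any object WEB-SERVER eq 80
access-group OUTSIDE_IN in interface outside

! ===== Verify translation and ACL decisions with packet-tracer (CLI form) =====
! Simulates a TCP SYN from an outside client to the server's public address on port 80.
! The output walks each phase (ROUTE-LOOKUP, ACCESS-LIST, NAT, ...) and ends with
! 'Action: allow' or 'Action: drop' plus the phase that dropped it, which is the
! quickest way to tell a routing problem from an ACL or NAT problem.
packet-tracer input outside tcp 198.51.100.5 40000 203.0.113.10 80
```

The thing to check when migrating: an 8.2 ACL that permits `host 203.0.113.10` silently stops matching once the box is upgraded, because post-8.3 the ACL is evaluated against 192.168.1.10. Running the same packet-tracer line before and after the change shows exactly which phase the behaviour differs in.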