Firewall v2 642-618

dover Member Posts: 184
Not too much activity on this board, but I thought I'd post my Firewall v2 exam experience anyway. Took the 642-618 exam last Thursday and passed with a 915. I really lived this material every day for the last 5 months.

Study materials:
CCNP Security Firewall Official Cert Guide both version 1 (for NAT) and version 2
Cisco Firewalls (Networking Technology: Security)
Cisco ASDM 6.4 Config Guide
Cisco CLI 8.4 Guide
Cisco CLI 8.2 Guide (for pre 8.3 NAT)


Background: I've worked with (installed, maintained, etc.) older model PIX and newer ASAs for a few years, but not as in-depth as I'd like: initial setups, determining requirements and testing/making changes.

I bought an ASA 5505 and set it up between my workstation and the rest of my employer's network. Every day I would wipe the configuration on my way out so I would have to come in and reconfigure the thing from scratch. One day it would be command-line only, the next ASDM only. A couple of weeks at version 8.2, then a couple of weeks running 8.4. I have some downtime at work and a boss who encourages education, so I took full advantage to make the most of the situation.

GNS3: one word, AWESOME.

I used MS OneNote and made chapter-by-chapter notes of the Official Cert Guide. I ended up with about 100 pages of study notes I used for review. I also created mini-labs from each covered topic (requirements, topology and IP schemes, etc.) so I could come back and do the labs: NAT (8.2 and 8.4), active/active and active/standby failover, LACP EtherChannel, multiple contexts, logging, redundant interfaces, and so on.


Exam review: much easier than I thought it would be. I was expecting tons of do-it-yourself GUI or CLI simlets. I really kind of wished it had been, but I guess that is too much to both design and properly grade. I thought it focused on the GUI too much, but in retrospect I think it is fairly evenly spread between knowing the GUI and the CLI commands.

On to VPN.

Comments

  • YFZblu Member Posts: 1,462
    Nice work! Thank you for the write up.
  • networker050184 Mod Posts: 11,962
    Congrats!
    An expert is a man who has made all the mistakes which can be made.
  • MrBrian Member Posts: 520
    Thanks for the write-up and congrats!
    Currently reading: Internet Routing Architectures by Halabi
  • spiderjericho Registered Users, Member Posts: 890
    I want to obtain the CCNP Security after I finish my BS at WGU (and then start my Master's). When you studied for this exam, did you mostly use GNS3? I was thinking of buying the 5505 (possibly two), but I hear there are some shortcomings for studying for certain exams. Also, I just saw Cisco has the new line of firewalls like the 5515-X. I'd like one of those, since they have all GE ports, but they're a bit too rich for my blood. It would be cool if they came out with a 5505-X with four GE ports for the same price as the 5505. But for Cisco nowadays, it's about the hardware profit and software profit (one of the few companies like that).
  • BroadcastStorm Member Posts: 496
    What's the complete lab recommended for CCNP Security?

    I have 2 asa 5505 with security license, I heard about a key generator...

    I also have a full-blown CCNP lab at home. I am currently using my 5505 as my FiOS router facing the cloud.
  • dover Member Posts: 184
    Spiderjericho,

    I used GNS3 quite a bit. When I first started I thought I'd get a couple of ASA 5505s and be able to do everything except active/active failover and multiple contexts. I ended up buying one NEW ASA 5505 with a base license (and an active, personal, SmartNet agreement). The device itself is very cool and I'm using it at home as my main firewall, switch, SSL VPN...all that good stuff, but from a certification point of view you have to have something much better, and with Cisco that means much more expensive. The 5505 is great for the routine things but for most of the time having

    Buying a pair of 5510s with Sec Plus licenses: way too expensive; rack rental time: too inconvenient for my hit-and-miss opportunities to sit down and lab (I have a job, or two, and a little one running amok).

    I'm hoping one day Cisco will recognize that there is a legitimate need (and potentially lucrative market) for certification training resources (emulators, simulators, etc.) for their more advanced certifications and equipment. Hell, I'm IN THE FIELD and do hands-on work with their expensive equipment every day, but my employer (like most) can't justify the cost of full-blown labs or allow employees to learn on whatever spare equipment they may have. I do have access to some 5510s and 5520s at work but they tend to frown on people using corporate equipment to lab....can't understand that :)

    Yeah, I'm looking forward to playing with their X-series ASAs too. I'm sure it'll be a little while until the certification exams cover it (since they just did a refresh on the Firewall and VPN certs), but it looks interesting!
  • BroadcastStorm Member Posts: 496
    Is there a huge gap as far as studying with a 5505 (Security Plus license) vs. a 5510? The 5510 is just too expensive for an average joe.
  • dover Member Posts: 184
    Yeah, there are quite a few things you would not be able to do with the 5505 even with a Security Plus license. Off the top of my head you wouldn't be able to configure LACP EtherChannels, do active/active failover (or active/standby, I don't think) and definitely no multiple contexts. If you have the Sec Plus license on a 5505 you can do trunking and support for 20 VLANs, but a base model cannot be configured for trunking and it can have 3 VLANs (2 full VLANs and 1 restricted VLAN). Plus everything interface-oriented on the 5505s is based on VLAN interfaces....so you assign one (or more) of the 8 switchports to a particular VLAN and then configure IP info on the VLAN interfaces.
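To make the "everything is a VLAN interface" point concrete, here is what the 5505 interface model looks like in the CLI, including the restricted third VLAN of the base license and the trunk that only the Security Plus license allows. This is an added example, not configuration from dover's post or from the Cisco guides; the nameif values, the VLAN-to-port assignments and the addresses (192.168.1.0/24 inside, 192.168.3.0/24 DMZ, 203.0.113.0/24 outside from the RFC 5737 documentation range) are assumed for illustration.

```cisco
! Layer 3 lives on the VLAN interfaces, never on Ethernet0/0-0/7 directly
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0

! Base license: the third VLAN is "restricted". It must be told which one
! other VLAN it may NOT initiate traffic to BEFORE it gets a nameif,
! otherwise the ASA refuses to bring it up.
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 192.168.3.1 255.255.255.0

! Physical switchports are just assigned to VLANs (access mode)
interface Ethernet0/0
 switchport access vlan 2
 no shutdown
interface Ethernet0/1
 switchport access vlan 1
 no shutdown
interface Ethernet0/2
 switchport access vlan 3
 no shutdown

! Security Plus license only: 802.1Q trunk carrying several VLANs on one port
interface Ethernet0/7
 switchport trunk allowed vlan 1,3
 switchport mode trunk
 no shutdown
```

The `no forward interface` restriction is one-directional: inside hosts can still initiate connections into the DMZ (subject to security levels and ACLs), but DMZ hosts cannot initiate anything toward inside, which is exactly the posture you want from a low-trust segment on the base license. `show switch vlan` confirms which physical ports ended up in which VLAN before you trust the result.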
  • BroadcastStorm Member Posts: 496
    dover wrote: »
    Yeah, there are quite a few things you would not be able to do with the 5505 even with a Security Plus license. Off the top of my head you wouldn't be able to configure LACP EtherChannels, do active/active failover (or active/standby, I don't think) and definitely no multiple contexts. If you have the Sec Plus license on a 5505 you can do trunking and support for 20 VLANs, but a base model cannot be configured for trunking and it can have 3 VLANs (2 full VLANs and 1 restricted VLAN). Plus everything interface-oriented on the 5505s is based on VLAN interfaces....so you assign one (or more) of the 8 switchports to a particular VLAN and then configure IP info on the VLAN interfaces.

    You can do HA failover on a paired ASA 5505 (Security Plus license): Active/Standby, perpetual.

    But not active/active; there's always GNS3 for this.