This topic is to discuss the following lesson:
Hi. Although not directly related to this, I'm wondering if you could help me out as it relates to NTP and the ASA. Does the ASA only support NTP using authentication?
Normal NTP should work; I also did that in this example:
Hi Rene, I've almost completed my CCNP Route and Switch and I hope to be starting the CCNP Security track sometime this year, but I'd like to build my own home lab. I'm not sure what I'd need to cover all the stuff on the new exam, as I've heard a lot of people saying that Cisco have not even released the training books for the exam yet. Could you help me with what I would need for a home lab? Thanks.
Hi Shaun. I have a Cisco PIX515E and a 2851. Most of the commands that Rene uses are able to be used on the PIX. These are available on eBay for a fraction of the cost of an ASA. Get one with an unlimited licence and IOS version 8. This allows for a RAM upgrade to 256MB+ and failover if you get adventurous. The RAM & CPU are also easily upgradeable. Cheers, Matt.
Hi Shaun & Matt,
If your goal is to study for the exams then it’s best to start with the blueprints that have the exam topics. I’ve added them in the attachment.
Here’s a general overview:
The SIMOS exam has topics like DMVPN, FlexVPN, IPsec, GETVPN, etc. You can test any of these topics on IOS routers and the ASA. I would make sure that you use IOS 15 and the latest ASA images; otherwise you might run into issues with commands that are not supported.
SENSS is all about security on switches, routers and the ASA.
In the SITCS exam you have some different topics: there's WSA (Web Security Appliance) and ESA (Email Security Appliance). These products are available as hardware boxes but also as VMWare images.
SISAS is about 802.1X and using ISE (Cisco Identity Services Engine).
Basically, you need this:
- IOS routers
- IOS switches
- ASA Firewalls
- VMWare workstation or ESXi for the virtual appliances
If you want real hardware then you could look at some 3560/3750 switches, the 1841 or 28xx series routers, the ASA 5510s and/or the 5506-X (because of the new features).
Personally, I would build an ESXi server that runs Cisco VIRL. This allows you to run all routers, switches and ASA firewalls that are required. You can use your ESXi server to run all the other required virtual appliances as well. You'll be able to practice 99% of all the topics in the CCNP Security exams with a single server.
Hope this helps.
300-206_senss.pdf (112.2 KB)
300-207_sitcs.pdf (116.1 KB)
300-208_sisas.pdf (120.2 KB)
300-209_simos.pdf (100.7 KB)
I've been looking round for a good reading list regarding firewalls and VPNs, as I have already passed my CCNA Security exam. The INE website gives you a list, but a lot of these books came out in 2005; that's a long time ago, and the tech world moves fast. Can you please tell me what books would be a good read? I don't mind if they are CCIE level because I can just take my time understanding them. This is the list I'm thinking of buying:
- Cisco ASA: All-in-One Firewall, IPS, and VPN Adaptive Security Appliance / I've now got this book; really good and up to date.
- Cisco Router Firewall Security / I want to buy this book, but it came out in 2005 and I can't seem to find anything newer. Does this mean that firewalls have not changed since then?
- The Complete Cisco VPN Configuration Guide / Again, I want to buy this, but it has no IKEv2 or VTI configuration.
If you can tell me any better books to read, please help, as I love learning about firewalls and VPNs and want to have my next reading list in place after I finish the last part of my CCNP Route Switch. Only the TSHOOT to go.
I've just seen another book I'm thinking about buying:
Cisco Firewalls (Cisco Press Networking Technology) by Alexandre M.S.P. Moraes
What do you think about this book?
The "Cisco ASA All-in-One Next Generation Firewall" book is great. It's up to date and covers pretty much everything. The only thing it doesn't cover, I think, is Firepower, so you might want to look for another resource to learn that.
"The Complete Cisco VPN Configuration Guide" is quite old, so I wouldn't recommend it, especially if you have the "all-in-one" book. "Cisco Firewalls (Cisco Press Networking Technology)" by Alexandre M.S.P. Moraes gets good reviews and it's from 2011. It might be nice to read just to review everything again.
In the ASA platform, version 8.3 (released in ~2010) was a major upgrade: the entire NAT configuration changed. Another big change was around 2013 when ASA 9.x was released. That's something to keep in mind when you look at books; they should cover at least ASA 8.3 or later.
I can also highly recommend the books from Andrea Harris (http://www.networkstraining.com). Those are easy to read and to the point. Great if you want to learn a couple of things fast.
Good Time OF The Day Rene,
Hope You Are Well… Stay Blessed…
Rene, All Of Your Lessons Are Great. You Always Start From Scratch And Take It To Peak…
But This ASA Firewall Topic… You Have Simply Started With Configuration… And No Basic Literature …
Can You Please Share Some Basics Toward ASA Firewall … That Would Be Highly Appreciated…
Many Thanks In Anticipation
I have this Cisco ASAv, version 9.5.1.
I am trying to set the management interface with IP address 10.8.32.199 and gateway 10.8.32.1 with mask 255.255.240.0.
show running-config interface gigabitEthernet 0/0
!
interface GigabitEthernet0/0
 description LAN Interface
 nameif Inside
 security-level 100
 ip address 10.8.32.199 255.255.240.0
show running-config interface gigabitEthernet 0/1
!
interface GigabitEthernet0/1
 description WAN_Ingress Interface
 nameif Outside
 security-level 0
 ip address 10.8.80.66 255.255.240.0
show running-config route
route Outside 0.0.0.0 0.0.0.0 10.8.32.1 1
But this is not pinging 220.127.116.11.
I have another ASA, but that one works.
How do I set the default gateway 10.8.32.1 on the ASAv?
When you use the route Outside command to configure routing, you are indicating that this default route should use the Outside interface. However, you want this route to go to the Inside interface. Typically, however, you would want the Internet-facing interface to be the outside interface, but here you are obtaining connectivity to the Internet via the inside interface. This is not typical good practice, especially since you have a security level of 100 on that interface.
Take a look at this Cisco documentation for further information concerning static routing on an ASA 9.5.1.
I hope this has been helpful!
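As an added illustration of the mismatch described in the answer above (this is not code from the thread or from Cisco), the following script parses a cut-down copy of the posted configuration and flags any static route whose next hop is not on the subnet of the interface the route names. The config text is constructed from the thread's values; the function names are my own.

```python
import ipaddress
import re

# Constructed sample: the interface and route lines from the thread above,
# reduced to what the check needs. Parsed offline, no ASA involved.
ASA_CONFIG = """
interface GigabitEthernet0/0
 nameif Inside
 security-level 100
 ip address 10.8.32.199 255.255.240.0
interface GigabitEthernet0/1
 nameif Outside
 security-level 0
 ip address 10.8.80.66 255.255.240.0
route Outside 0.0.0.0 0.0.0.0 10.8.32.1 1
"""


def parse_interfaces(config):
    """Map each nameif to the IPv4 network configured on that interface."""
    nets = {}
    name = None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("nameif "):
            name = line.split()[1]
        elif line.startswith("ip address ") and name:
            _, _, ip, mask = line.split()
            nets[name] = ipaddress.ip_interface(f"{ip}/{mask}").network
    return nets


def parse_routes(config):
    """Yield (interface, destination network, gateway) for each 'route' line."""
    for line in config.splitlines():
        m = re.match(r"\s*route\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)", line)
        if m:
            ifname, dst, mask, gw = m.groups()
            yield ifname, ipaddress.ip_network(f"{dst}/{mask}"), ipaddress.ip_address(gw)


def check_routes(config):
    """Return one dict per route whose gateway is unreachable via the named interface."""
    nets = parse_interfaces(config)
    problems = []
    for ifname, dst, gw in parse_routes(config):
        net = nets.get(ifname)
        if net is None or gw not in net:
            # Which interface (if any) actually has the gateway on its subnet?
            via = [n for n, v in nets.items() if gw in v]
            problems.append({"route": f"{dst} via {ifname}", "gateway": str(gw),
                             "interface_net": str(net), "reachable_via": via})
    return problems
```

Running `check_routes(ASA_CONFIG)` reports that 10.8.32.1 sits on the Inside subnet (10.8.32.0/20), not the Outside one (10.8.80.0/20); the same check passes once the route names the Inside interface.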