CSPFA (Cisco® Secure PIX™ Firewall Advanced 3.0)


This authorized Cisco course covers the in-depth and important topics required to aid you in securing your organization's information resources.

Sixteen advanced hands-on labs guide you through using the PIX® Firewall and the Cisco Secure IOS® Firewall, including proxy authentication, attack guards, and PIX®-to-PIX® VPN scenarios. Six optional labs challenge the more advanced student.

To register, call 1-800-968-8648

This course can be delivered by the methods below:
Classroom Learning $2795 USD

You Learn...

Identify the components and functions of the following PIX® models: 501, 506, 515, 520, 525, and 535
Configure PIX® and router security features from the command-line interface
Perform OS image and feature license upgrades
Configure address translation: NAT, PAT, and static
Configure access control and content filtering
Configure AAA on the Cisco PIX® Firewall
Configure advanced protocol handling and attack guards
Configure and test SSH
Configure Cisco IOS® Firewall Context-Based Access Control (CBAC)
Configure and test Cisco IOS® Firewall proxy authentication
Configure PIX® to PIX® VPN using IPsec and IKE

Who Would Benefit

This course is targeted at individuals tasked with securing enterprise networks with the Cisco Secure PIX Firewall and Cisco Secure IOS Firewall, including systems engineers, IT auditors, security architects, and technical managers.


Course Outline

1. Network Security and the Cisco PIX Firewall

Overview of network security
Network security threats
Network attack types
The Cisco security wheel

2. PIX Firewall Technologies

Firewalling defined
PIX Firewall models
Finesse operating system
Adaptive security algorithm
Cut-through proxy operation
Stateful failover and hot standby

3. Identification of the Cisco PIX Firewall

PIX 501 controls and connectors
PIX 506E controls and connectors
PIX 515E controls and connectors
PIX 525 controls and connectors
PIX 535 controls and connectors

4. Basic Configuration of the Cisco PIX Firewall

ASA security levels
The six basic commands
Firewall Status
Viewing and saving the configuration
The two ways through
Statics and conduits
NTP (Network Time Protocol) support
Syslog configuration
Static & Dynamic Routing
DHCP
Multicast Support

5. Cisco Secure PIX Firewall Translations

Transport protocols
NAT, Bi-directional NAT and PAT
DNS Aliasing
PAT Port Redirection and the Static command
The xlate command
Configure three interfaces
Configure four interfaces
The name command

6. Access Control Configuration and Content Filtering

Configuration of access control lists (ACLs)
Converting Conduits to Access-Lists
ICMP Interface control
Malicious active code filtering
URL filtering

7. Object Grouping

Understanding Object Groups
Network Objects
Service Objects
Port Objects
Object Nesting Rules
Using Object Groups to build Multi-layered access control

8. Advanced Protocol Handling

Multi-Channel Application Support
H.323
SQL*NET
RSH
FTP
Multimedia Support and the role of RTSP
SIP
Skinny (SCCP)

9. Attack Guards and Intrusion Detection

DNS Guard
Fragmentation Guard
Mail Guard
AAA Flood Guard
Mitigating SYN flood attacks
IDS Support
IDS Signatures
Configuring PIX IDS Support
Using the shun command to block traffic from attackers

10. AAA Configuration on the Cisco PIX Firewall

The AAA Model
Cut-through proxy operation
Installation of Cisco Secure ACS 3.0 software
Authentication of non-Telnet, FTP, or HTTP traffic
AAA authorization configuration
Downloadable ACLs
AAA accounting configuration
Troubleshooting AAA

11. Cisco Secure PIX Firewall Failover

Understanding failover
Configuration replication
Interface testing
Configuring LAN-based failover
Test LAN-based Failover and Stateful Failover

12. VPN Configuration

IPSec
Supported IPSec standards
Planning IKE configuration
Planning IPSec configuration
Configure policy and crypto map
Cisco VPN Client
Dynamic crypto map
IKE Mode config
IP Local Pool
Scaling IPSec with Certificate Authority
PPPoE configuration

13. System Maintenance

Remote access
Command-level authorization
Monitor mode and image upgrade
Password recovery
Secure Shell (SSH)
SNMP
Management tools
Upgrading activation keys to enable features

14. PIX Device Manager

GUI Overview
New features of PDM 2.0
Access Control Rules
System Monitoring and Graphing
Configuration tasks
Using the VPN Wizard to greatly simplify VPN configuration

Course Labs

Hands-On Lab 1: Configure the IP Network

Configure your Servers
Connect the console cable
Run a serial cable from your Perimeter router to the backbone
Configure your Perimeter Router
Verify connectivity to the backbone 3640
Cable the Ethernet interfaces of the PIX to the Catalyst 6500
Assign IP addresses to the PIX Inside, Outside, and DMZ interfaces
Verify IP configuration of PIX interfaces via ICMP

Hands-On Lab 2: Basic PIX Configuration

Verify that Ethernet 0, 1, and 2 are configured for full-duplex 100 Mbps operation
Configure a global pool of IP Addresses for translation
Tell the PIX which Inside hosts should use this global pool for NAT
Verify the operation of NAT using the global pool
Create a default route on the PIX
Test the default route via Telnet
View an active NAT translation entry on the PIX

Hands-On Lab 3: Syslog

Configure the PIX to send syslog messages to a syslog Server
Generate and view Syslog messages
Configure NTP Support
Add timestamps to Syslog message
Learn how to filter Syslog messages

Hands-On Lab 4: Statics, Conduits & ICMP

Modify your NAT statement to allow ONLY the hosts on the Inside subnet to translate to the "Internet"
Clear the NAT translation table
Test your NAT configuration using Telnet
Enable HTTP access to your perimeter router
Create an ICMP conduit to allow pings through the firewall
Debug real-time ICMP traffic through the PIX firewall
Create a static NAT translation that permits Outside hosts to access your Inside PC
Test HTTP access into other pods' Inside web servers
Test port redirection by connecting to a pod peer on a non-standard FTP port
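The configuration that Labs 2 and 4 walk through, written out as an added PIX OS 6.x CLI example (not course material, and not a Global Knowledge lab file). Interface names, security levels and all addresses are assumed lab values: inside 10.0.1.0/24, outside 192.168.1.0/24 with the perimeter router at 192.168.1.1, DMZ 172.16.1.0/24. Lines beginning with `!` are annotations for the reader, not commands to type.

```cisco
! Interfaces: speed/duplex, names and ASA security levels (inside 100, DMZ 50, outside 0)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 192.168.1.2 255.255.255.0
ip address inside 10.0.1.1 255.255.255.0
ip address dmz 172.16.1.1 255.255.255.0

! Lab 2: global pool 1 on the outside, and the inside hosts that may use it.
! Lab 4 narrows the nat statement to ONLY the inside subnet (not 0.0.0.0 0.0.0.0).
global (outside) 1 192.168.1.20-192.168.1.254 netmask 255.255.255.0
nat (inside) 1 10.0.1.0 255.255.255.0

! Default route towards the perimeter router
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1

! Lab 4: a static lets outside hosts reach the inside PC at a fixed global address;
! the conduit is still needed because the outside interface has the lowest security level
static (inside,outside) 192.168.1.10 10.0.1.10 netmask 255.255.255.255
conduit permit tcp host 192.168.1.10 eq www any
conduit permit icmp any any

! Port redirection: outside 192.168.1.11 port 2121 -> inside FTP server 10.0.1.11 port 21
static (inside,outside) tcp 192.168.1.11 2121 10.0.1.11 21 netmask 255.255.255.255

! Verification used in the labs
clear xlate
show xlate
debug icmp trace
```

Two practitioner notes: `clear xlate` after changing nat/global/static is not optional, because existing translation slots keep the old mapping until they expire; and `conduit permit icmp any any` opens every ICMP type in both directions through the firewall, so in production restrict it to the types you actually need (echo-reply, time-exceeded, unreachable) or, on 6.2 and later, use an access-list instead.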

Hands-On Lab 5: Multiple Interfaces

Use the name command to assign a name to the IP address of the DMZ Server
Create a global pool for the DMZ subnet
Test connectivity to the DMZ from the Inside Server
Display a filtered translation table
Configure a static translation for the DMZ Server
Test your static translation via ICMP
Configure conduits to permit HTTP and FTP traffic to the DMZ Server
Test HTTP and FTP conduits

Hands-On Lab 6: Access-Lists

Configure and test an Access-List to block FTP and Web traffic from the Inside subnet
Configure an Access-List to allow Web & FTP access to the Inside and DMZ Servers
Use the ICMP command to block PING to the Outside interface
Remove your access-lists configuration from your PIX

Hands-On Lab 7: Object Grouping

Configure and test access-lists using object-groups to filter inbound access through your PIX
Configure and test object-groups to control ICMP access to your pod
Demonstrate the effects of nesting object-groups
Return your access-lists to baseline
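An added PIX OS 6.2 example (not course material) for the access-list and object-group work in Labs 6 and 7. The statics for two DMZ servers, the group names, and the addresses are assumptions; `!` lines are annotations, not commands. Object groups only exist from PIX OS 6.2 onwards, which is why the course upgrades to 6.2.2.

```cisco
! DMZ servers published on the outside via statics (global addresses are what outside ACLs see)
static (dmz,outside) 192.168.1.30 172.16.1.10 netmask 255.255.255.255
static (dmz,outside) 192.168.1.31 172.16.1.11 netmask 255.255.255.255

! Network object groups; PUBLISHED nests DMZ_PUBLIC (Lab 7 nesting demonstration)
object-group network DMZ_PUBLIC
  network-object host 192.168.1.30
  network-object host 192.168.1.31
object-group network PUBLISHED
  network-object host 192.168.1.10
  group-object DMZ_PUBLIC

! Service (port) object group for web and FTP
object-group service WEB_FTP tcp
  port-object eq www
  port-object eq ftp

! ICMP-type group: the only ICMP we let back in
object-group icmp-type REPLIES
  icmp-object echo-reply
  icmp-object time-exceeded
  icmp-object unreachable

! Inbound from the outside: web/FTP to the published hosts, plus ICMP replies
access-list OUTSIDE_IN permit tcp any object-group PUBLISHED object-group WEB_FTP
access-list OUTSIDE_IN permit icmp any any object-group REPLIES
access-group OUTSIDE_IN in interface outside

! Lab 6: block FTP and web from the inside subnet, allow everything else out
access-list INSIDE_OUT deny tcp 10.0.1.0 255.255.255.0 any object-group WEB_FTP
access-list INSIDE_OUT permit ip 10.0.1.0 255.255.255.0 any
access-group INSIDE_OUT in interface inside

! Lab 6: the icmp command controls pings addressed TO the interface itself, not traffic through it
icmp deny any echo outside
icmp permit any outside

! Check hit counts; object groups are shown expanded into their individual entries
show access-list
```

Caveat the course returns to in Lab 16: do not mix conduits and access-lists on the same interface. Once `access-group` binds a list to an interface, that list decides what is permitted into the interface and the conduit statements stop having the effect you expect, so convert the conduits (the "Converting Conduits to Access-Lists" topic in module 6) rather than running both.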

Hands-On Lab 8: AAA - ***RADIUS Authentication

Install Cisco Secure ACS 3.0 for Windows NT server
Add a user to the Cisco Secure ACS database
Configure your AAA server to use RADIUS
Configure and test inbound authentication
Configure and test outbound authentication
Configure and test a remote access ACS Admin user

Hands-On Lab 9: AAA - ***RADIUS Downloadable ACLs & Accounting

Configure the PIX to check Cisco Secure ACS to authorize outbound ICMP and FTP to your pod peer
Configure Shared Profile Components to download a named access-list to the PIX for the aaauser
Configure the PIX to generate RADIUS Accounting messages to your Cisco Secure ACS Server
Verify Accounting messages are being logged by your ACS Server

Hands-On Lab 10: Failover

Configure PIX Failover for Hot Standby and test with FTP
Configure Stateful Failover and test with FTP and Ping

Hands-On Lab 11: Server to Server IPSec

Configure IPSec between two translated hosts using IKE pre-shared keys
Test and verify IPSec configuration

Hands-On Lab 12: ***Site to Site IPSec

Encrypt all traffic from your Inside subnet to the Inside subnet of your pod peer using IKE pre-shared keys
Test and verify IPSec configuration
Ensure you can ping from your PIX console to the Outside interface of your pod peer's PIX
Clear crypto-map, access-lists & statics
Configure nat 0 to prevent encrypted traffic from being translated
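The site-to-site tunnel of Lab 12, as an added PIX OS 6.x example (not course material). Assumed values: local inside 10.0.1.0/24, pod peer inside 10.0.2.0/24, pod peer PIX outside address 192.168.1.66, pre-shared key `cisco123`; `!` lines are annotations. The same ACL is used both as the crypto map's match address and as the `nat 0` exemption, which is the point of the last lab step: if the tunnel traffic were translated to the global pool first, it would no longer match the crypto ACL and would leave in the clear.

```cisco
! Interesting traffic: inside subnet to the peer's inside subnet
access-list 101 permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0

! Exempt that traffic from NAT so it is still matched by the crypto ACL
nat (inside) 0 access-list 101

! IKE phase 1 (ISAKMP) with a pre-shared key bound to the peer's address
isakmp enable outside
isakmp identity address
isakmp key cisco123 address 192.168.1.66 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! IPsec phase 2: transform set and the crypto map bound to the outside interface
crypto ipsec transform-set STRONG esp-3des esp-sha-hmac
crypto map PEERMAP 10 ipsec-isakmp
crypto map PEERMAP 10 match address 101
crypto map PEERMAP 10 set peer 192.168.1.66
crypto map PEERMAP 10 set transform-set STRONG
crypto map PEERMAP interface outside

! Let decrypted IPsec traffic bypass the interface ACLs and conduits
sysopt connection permit-ipsec

! Verification: reachability to the peer's outside address first, then the SAs
ping outside 192.168.1.66
show isakmp sa
show crypto ipsec sa
```

Two caveats: 3DES on PIX OS 6.x requires the 3DES activation key (the feature-key topic of Lab 14), so a pod without it must use `des` in the ISAKMP policy and `esp-des` in the transform set; and the crypto ACL and the `nat 0` ACL must describe the same source/destination pairs on both PIX units, mirrored, or phase 2 negotiation fails with a proxy-identity mismatch.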

Hands-On Lab 13: VPN Client

Clear crypto-map, access-lists & statics
Create Dynamic Crypto Map entry
Readdress your DMZ Server with an IP address on the Outside Subnet
Create a local IP Pool for VPN Clients
Configure IKE Mode Config
Install Cisco VPN Client 3.x on your outside PC
Ensure you can ping from your PIX console to your new Outside Server
Encrypt all traffic from your Outside Server to your Inside Server using IKE pre-shared keys
Initiate an HTTP session to your Inside Server via the encrypted tunnel

Hands-On Lab 14: Image Upgrade & Password Recovery

Prepare for a PIX OS upgrade
Configure the 3CDaemon TFTP server on your Inside Server
Upgrade your PIX to PIX OS 6.2.2
Learn how to enable licensed feature sets with an Activation Key
Use the Monitor mode to configure TFTP parameters
Have a Pod Peer change your enable password and perform password recovery

Hands-On Lab 15: Command Level Authorization

Configure AAA to use the local database and secure the console and SSH connections
Create a Privileged user account for master administration
Create a user account for NOC personnel to monitor your PIX
Test a restricted privilege user

Hands-On Lab 16: PIX Device Manager 2.02 GUI Configuration

Save your old configuration to your TFTP server
Demonstrate the problem of mixing conduits and access-lists
Erase your configuration and reload your PIX
Configure your PIX using the PIX Device Manager GUI

Optional Hands-On Lab 1: DHCP

Configure your Inside Server as a DHCP Client
Configure the PIX to function as a DHCP Server
Force your Inside Server to acquire an IP Address, DNS and WINS addresses
Test connectivity using DHCP assigned Address
Disable DHCP on the PIX
Reassign a static IP Address to your Inside Server

Optional Hands-On Lab 2: Advanced Protocol Handling

Test Active Mode FTP with fixup protocol ftp
Test Active Mode FTP without fixup protocol ftp
Monitor via syslog

Optional Hands-On Lab 3: Intrusion Detection

Configure your PIX to use informational signatures
Test the info policy with your pod peer
Configure your PIX to use attack signatures
Test the attack policy with your pod peer

Optional Hands-On Lab 4: ***AAA - RADIUS Two-Factor Authentication

Install CRYPTOAdmin, EasyRADIUS and MySQL servers on your Inside Server
Use CRYPTOCard Soft Tokens to authenticate users
Configure your AAA server to authenticate through EasyRADIUS
Use CRYPTOAdmin to generate and initialize a Soft Token
Import the Soft Token into the ST-1 Client
Configure your PIX to authenticate outbound connections with RADIUS
Test two-factor authentication on Outbound traffic

Optional Hands-On Lab 5: ***Full-Mesh IPSec With Three Peers

Encrypt all traffic from your Inside subnet to the Inside subnet of two peers using IKE pre-shared keys
Test and verify IPSec configuration
Ensure you can ping from your PIX console to the Outside interface of your pod peer's PIX
Clear crypto-map, access-lists & statics
Configure Pre-Shared Keys for your new peers
Configure nat 0 to prevent encrypted traffic from being translated to IPSec protected destinations

Optional Hands-On Lab 6: SSH

Clear all previously generated RSA Keys
Generate RSA key pair to use with your SSH Client
Securely connect to your PIX using Tera Term Pro with SSH
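An added PIX OS 6.x example (not course material) that combines Optional Lab 6 (SSH) with Hands-On Lab 15 (command-level authorization against the local database). Host name, domain, user names, passwords and the inside subnet are assumptions; `!` lines are annotations. On PIX OS 6.x the RSA key for SSH is managed with the `ca` command family, and the key is not written to flash until `ca save all`.

```cisco
! The RSA key is bound to hostname.domain-name, so set both before generating it
hostname pix1
domain-name lab.example.com

! Optional Lab 6: discard any old key, generate a fresh 1024-bit pair and save it to flash
ca zeroize rsa
ca generate rsa key 1024
ca save all

! Permit SSH only from the inside subnet, and drop idle sessions after 15 minutes
ssh 10.0.1.0 255.255.255.0 inside
ssh timeout 15

! Lab 15: two local accounts, a level-15 master administrator and a level-3 NOC monitor
username admin password S3cretAdm1n privilege 15
username nocuser password S3cretN0c privilege 3

! Lower selected show commands to level 3 so NOC staff can monitor but not change anything
privilege show level 3 command xlate
privilege show level 3 command conn
privilege show level 3 command interface

! Authenticate console, SSH and enable against the local database, then enforce command authorization
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authorization command LOCAL

! Test as the restricted user: after "ssh -l nocuser 10.0.1.1", "show xlate" works,
! "configure terminal" is rejected, and the effective level can be checked with:
show curpriv
```

Caveats a practitioner will hit: PIX OS 6.x speaks SSH version 1 only, so the client (Tera Term's SSH extension, or OpenSSH with SSHv1 enabled) must be willing to negotiate it; and until `aaa authentication ssh console` is configured the SSH login is the fixed user `pix` with the Telnet password, so the aaa line is what actually ties SSH to the per-user accounts. Configure `aaa authorization command LOCAL` last and from the console, after confirming the admin account can log in, so a typo cannot lock you out of the enable mode you need to fix it.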

*** denotes Global Knowledge Exclusive Lab Content


Suggested Prerequisites

Prior attendance of the Interconnecting Cisco Network Devices (ICND) course is required.

ICND (Interconnecting Cisco® Network Devices)


Suggested Follow-ons

Students followed up CSPFA (Cisco® Secure PIX™ Firewall Advanced 3.0) by attending these popular classes:

CSIDS (Cisco® Secure Intrusion Detection System 3.0)
CSVPN (Cisco® Secure Virtual Private Networks)
ACP 1 - Datalink and IGP Protocols
ACP 2 - BGP and IP Services
ACP 3 - Desktop Protocols and Technologies
ACP 4 - Security


Certifications

CCSP® (Cisco® Certified Security Professional)
CCIE® (Cisco® Certified Internetwork Expert) Security
Cisco® Firewall Specialist