
Cisco ASA & ASA FirePOWER Services training agenda

01.02.2018

Cisco ASA FirePOWER Services training

Today I have the privilege to announce our new Cisco ASA & ASA FirePOWER Services training agenda. In this post I will describe the agenda in detail and what you can expect from each training module. As you perhaps recall from the short agenda posted on our training list, this training is a condensed mashup prepared specially for those who work with Cisco ASA FirePOWER appliances with SFR modules.

How does this ASA FirePOWER training apply to the current Cisco offering?

As you may know, we live in a reality where there are multiple lines of firewall security products from Cisco. There are Firepower appliances in the 9000, 4000 and 2000 lines, FTD (Firepower Threat Defense) images available on ASA, and ASA FirePOWER Services with the FirePOWER module (SFR), so this may be confusing for some of you. The good news, however, is that Cisco is on the way to functional parity between ASA FirePOWER and Firepower appliances, so by taking this course you will understand working with ASA FirePOWER as well as Firepower appliances and FTD, because the main configuration is done on FMC (Firepower Management Center), which manages Firepower appliances and ASA FirePOWER Services in the same manner (at the time of writing with small differences in functionality).


Cisco ASA basics

The first module is the good old ASA and a walk through the iron rules of interface and subinterface configuration, and the security level concept that dictates the behavior of the Adaptive Security Algorithm. We talk about the rules for traffic traversing the ASA, and we stop for a while to talk about the fundamentals of IP traffic and the TCP, UDP and ICMP protocols in the context of the stateful firewall that Cisco ASA is. In addition, this module describes the management rules and concerns of ASA-OS: its hardening, SSH, Telnet and AAA configuration. Of course, there are labs in module 1 to get warmed up and ready for the challenges of the next modules.

1) Networking basics with ASA

  • ASA Interfaces, Subinterfaces, VLANs
  • DHCP, Set route options
  • Security Level Concept
  • Inter and Intra interface flows
  • Basic Management (Logging, traffic to the box, aaa, ntp sync)
  • Management Real Life Use Cases


Static and dynamic routing on ASA

This module is about routing. For those who know routing, this module will be soft and easy. For those who are not familiar with EIGRP, RIP, OSPF and BGP, this is a good occasion to get familiar with these routing processes. We configure dynamic routing that reflects the most common real-life routing scenarios on the Internet Edge, e.g. BGP (available from ASA-OS 9.2) and redistribution of the default network 0.0.0.0/0. We also send some LAN prefixes to the ASA. At the end we show link redundancy (with a redundant interface) and LACP, often used in large and critical environments.

2) ASA Routing and Link Redundancy

  • ASA Static routing
  • ASA Dynamic routing
  • Port Channels, Link redundancy


ACL, NAT, objects and MPF

About the 3rd module we could write a separate book. "Traffic restrictions" covers the key concepts for ASA: ACL (Access Control List), NAT (Network Address Translation), of course for versions 8.3 and higher (remember that we are in the 9.X reality!), and MPF, the essence of L4 and higher-level traffic inspection. In this module we practice twice NAT and object NAT, and translate users going to the Internet, remembering the definitions of static NAT, static PAT, dynamic NAT, PAT, source NAT and destination NAT (we draw the process on the whiteboard! Want to know how NAT handles ICMP?). We expose services to the Internet, i.e. from the DMZ (servers: www and ftp). We check how the Modular Policy Framework works for FTP traffic, and how FTP behaves without "inspect ftp". This is the key module on the way to understanding and mastering NAT and ACLs in connection with routing. You will understand the differences between traffic going through the ASA and "to the box" traffic.

3) Traffic Restrictions

  • Object and object groups
  • ACLs
  • NAT (8.3+) Concept
  • ASA Modular Policy Framework (MPF)


High Availability

You may or may not remember that ASA supports an Active / Standby HA architecture in a pair and Active / Active in multi-context mode. In this section we focus on how failover really works, for example: do the two appliances each need an IP address, or is there a virtual IP, and what maximum delays (RTT, Round Trip Time) are accepted to build Active / Standby and Active / Active? We analyze the failover process in detail: role switchover in Active / Standby and the election process. In addition, we talk about Cisco ASA Clustering, supported on ASA 5580 and 5585-X. We consider the pros and cons of clustering and how performance degrades in comparison with a single appliance.

4) High Availability

  • Failover Active-Standby
  • Clustering Active-Active
  • Security Contexts
  • Resource Limitations
  • Cisco ASA Clustering


VPN on ASA

Virtual Private Networking on ASA is the most commonly used VPN solution in the enterprise (I can take the risk of saying that 😉). During this module we analyze the functionality that ASA provides for IPsec VPN implementation; for example, we consider how the lack of GRE (Generic Routing Encapsulation) tunneling impacts a VPN solution at large scale, etc. We check whether it is possible to establish an IPsec VPN with peers from different vendors. At the end we take the Cisco AnyConnect Secure Mobility Client for testing while understanding VPN remote access solutions. We consider the impact on UX and service reliability of SSL VPN as opposed to IPsec IKEv2 VPN, since AnyConnect supports both. While implementing VPN we stay in the context of a real enterprise network, so we integrate AnyConnect with ASA and Cisco ISE (Identity Services Engine) and give an example of how to apply Multi-factor Authentication (MFA). The description of such an implementation you can find here.

5) VPNs

  • IPSec Site2Site
  • Anyconnect SSL VPN client


FirePOWER Services

We are getting to the point in module no. 6. We start working with FirePOWER Services. We get familiar with FirePOWER licensing, solution design and implementation limitations. We go through the installation steps of the Firepower management system called FMC (Firepower Management Center), and then install the SFR module, which is installed on the ASA as a "software" module. After that we register our modules in FMC and redirect traffic to the SFR. In this way we establish the Firepower environment and are ready to work with the Cisco Next Generation Firewall.

6) FirePOWER Architecture and licensing

  • Licensing, Architecture, Limitations
  • Firepower Management Center installation
  • SFR Modules Provisioning
  • Traffic Flow & Redirection


ACP, Intrusion Policy, AMP, File Policy and URL Filtering…

Module 7 is the crème de la crème of the Firepower part. We start by describing the rules and configuration of ACP (Access Control Policy), the policies that aggregate the FirePOWER rules. Each participant of the Cisco ASA FirePOWER training is able to configure and test the policies and their behavior inside out. Step by step we add the following concepts to the game: URL filtering, AMP (Advanced Malware Protection), File Policy and IPS (Intrusion Policy); of course, every policy that you build is checked so that you fully understand it. Remember that each participant has their own test machines and DMZ server. During the Application Control section a question is often raised: "how is it possible to control an application encrypted by SSL?" Very good question! Time to touch the SSL Policy. At the end there is something handy for network admins and companies that have separate network and security departments: Lists & Feeds.

7) ASA FirePOWER core features configuration

  • Traffic processing and actions
  • Access Control Policies
  • ACP rules
  • AND OR logic
  • Application control
  • URL and URL categories – filtering
  • AMP for Networks Concept – File & Malware policy
  • IPS Concept – basic ruleset – Intrusion Policy
  • SSL Policies
  • Lists & Feeds

Active Directory, pxGrid and troubleshooting

The last module is a kind of "advanced" topic where we check how FirePOWER integrates with other systems such as AD. We consider two options: Active Directory with the Firepower User Agent vs. the pxGrid protocol. Each participant has to decide which approach is better for his / her environment. Two approaches and two solutions for identity firewalling. What would a bootcamp be without troubleshooting, checking established sessions, tracking packets and working out which actions were taken? Or how to verify the hit counts of the MPF service-policy in order to check that the sensor is matching traffic? Troubleshooting is one of the key topics in this bootcamp.

8) ASA FirePOWER advanced features configuration

  • AD integration
  • FMC User Agents vs Cisco pxGRID
  • Troubleshooting and reporting


You can download the agenda and check the dates of upcoming trainings here.

Author

Marcin Bialy

Marcin Biały is a Network and Security Architect with over 12 years of experience and a Service Provider and Enterprise networking background. He used to work for large service providers, global vendors and integration services companies in Network Architect, Leading Architect and Technical Solution Manager positions. He designed, implemented and supported dozens of large-scale projects and infrastructure migrations, solved hundreds of tickets and spent hours with the CLI and GUI of many flavors. Marcin also holds industry-recognized certificates such as CCNP, CCNA, CCSI #35269, FCNSP #7207, FCNSA and more.
