Qualified PIC Ver 7.5 FastTrack Page 1

Internet Learning Solutions Group FastTrack Product Information Checklist

FastTrack: Qualified Product Information (Business Unit)

Name of course or offering: Cisco Secure PIX Firewall Advanced
Course acronym (must be unique, up to 5 letters, no #s): CSPFA
Version: 2.1
FCS Date (PLM-PM): January 7, 2002
LOB: Enterprise
BU: VPN & Security Services
Estimated product life:
Revisions required during product life:
Offering type: course    If other, please specify:
Delivery method: ILT    WBT/e-learning    Other:
Duration if WBT in hours:
Duration if ILT in days: 4    and hours: 32

End Of Life (Business Unit)

Does course replace existing one?: Yes    No
If yes, provide course name and acronym: CSPFA 2.0    and EOL date: February 28, 2002
If this is a new version, what are the differences?
The CSPFA 2.1 course is a revision of the existing Cisco Secure PIX Firewall Advanced 2.0 course. It adds coverage of the new features in PIX Firewall Releases 6.0 and 6.1 and corrects errata in the CSPFA 2.0 course. New features include the following:
– PIX Firewall 501
– PAT port redirection
– Converting conduits to ACLs
– CPU utilization monitoring
– Cisco VPN Client 3.1 support
– copy tftp flash command
– Skinny fixup command
– SIP fixup enhancements

Target Audience (Business Unit)

System Engineers    Account Managers    Channel Partners/Resellers    Customers
Who should attend this course?
The target audience for this course is as follows:
– Cisco customers who implement and maintain Cisco Secure PIX Firewalls
– Cisco Channel Partners who sell, implement and maintain Cisco Secure PIX Firewalls
– Cisco System Engineers who support sales of Cisco Secure PIX Firewall and security product solutions

Train the Trainer (Business Unit – ILSG IRP)

Train the Trainer Required? Yes    No
If yes, TTT date:
TTT registration information:
Instructor prerequisites (including certifications and background knowledge) to attend TTT:
To become certified to teach this course, the instructor must
– be a Certified Cisco Systems Instructor (CCSI) in good standing, and
– either a) have been previously certified to teach CSPFF or CSPFA, or b) attend a CSPFA course and pass the CSPFA certification Exam 9E0-571

Student Prerequisites (Business Unit)

(Note: This field has a limit of 2000 characters.)
A CSPFA student should possess Cisco Certified Network Associate (CCNA) certification or the equivalent knowledge (a working knowledge of basic network security and a solid grasp of TCP/IP and fundamental networking concepts), be familiar with encryption technologies (DES, 3DES, RSA, the MD5 and SHA hashing algorithms, and IPSec), and have a basic knowledge of the Windows operating system.
Course Objectives (Business Unit)

After completing this course, the student should be able to perform the following tasks:
– Identify PIX Firewall features, models, components and benefits
– Describe PIX Firewall installation procedures
– Upgrade software images
– Configure inbound and outbound access through the PIX Firewall
– Configure multiple interfaces on the PIX Firewall
– Configure the PIX Firewall as a DHCP server
– Configure the PIX Firewall as a DHCP client
– Configure the PIX Firewall to send messages to a syslog server
– Perform password recovery
– Configure access control and content filtering on the PIX Firewall
– Configure special protocol handling on the PIX Firewall
– Configure attack guards and SSH
– Configure AAA on the PIX Firewall
– Configure and test failover using the PIX Firewall
– Configure the IDS feature set
– Configure a site-to-site VPN utilizing the PIX Firewall
– Configure a VPN Client-to-PIX Firewall VPN
– Install PIX Device Manager and use it to configure the PIX Firewall
– Test and verify PIX Firewall operations
– Configure Cisco IOS Firewall Context-Based Access Control

Course Description (Business Unit)

(Note: This field has a limit of 2000 characters.)
The CSPFA course is a four-day, leader-led, lab-intensive course designed for delivery by Cisco Learning Partners. This task-oriented course teaches the knowledge and skills needed to describe, configure, verify and manage the PIX Firewall product family and the Cisco IOS Firewall feature set.
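Two of the objectives above, configuring inbound access through the PIX Firewall and configuring access control, meet in the PIX 6.0/6.1 feature listed under the version differences: converting conduits to ACLs. The script below is an added example and is not part of this Cisco document or of the CSPFA course materials. It rewrites PIX 6.x conduit statements as the equivalent access-list entries (a conduit names the global, or destination, side first and the foreign, or source, side second; an access-list names the source first, so the two halves are swapped), binds the result with access-group, and flags any permit with no source or destination restriction. The configuration fragment, the ACL name acl_out and the static translations are constructed for the example.

```python
"""Convert PIX 6.x 'conduit' statements to equivalent 'access-list' entries.

Conduit grammar (as documented for PIX 5.x/6.x):
  conduit permit|deny PROTO GLOBAL_ADDR [OP PORT...] FOREIGN_ADDR [OP PORT...]
GLOBAL_ADDR is the translated (static/global) address on the PIX, i.e. the
destination seen from a lower-security interface; FOREIGN_ADDR is the remote
peer, i.e. the source.  An access-list entry lists source first, so the
conversion swaps the two halves:
  access-list NAME permit|deny PROTO FOREIGN_ADDR [OP PORT...] GLOBAL_ADDR [OP PORT...]
Masks are ordinary subnet masks in both forms, so they carry over unchanged.
"""

PORT_OPERATORS = {"eq": 1, "lt": 1, "gt": 1, "neq": 1, "range": 2}
PORT_PROTOCOLS = {"tcp", "udp"}

# Constructed PIX 6.1 fragment for this example; not taken from the course.
SAMPLE_CONFIG = """\
static (inside,outside) 192.168.1.10 10.0.1.10 netmask 255.255.255.255 0 0
static (inside,outside) 192.168.1.11 10.0.1.11 netmask 255.255.255.255 0 0
conduit permit tcp host 192.168.1.10 eq www any
conduit permit tcp host 192.168.1.10 eq smtp 172.16.0.0 255.255.0.0
conduit permit udp host 192.168.1.11 eq domain any
conduit permit tcp 192.168.1.0 255.255.255.0 range 8000 8010 any
conduit permit ip any any
"""


def _take_address(tokens, i):
    """Parse one address spec (any | host A | A MASK) at tokens[i]."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return f"host {tokens[i + 1]}", i + 2
    return f"{tokens[i]} {tokens[i + 1]}", i + 2


def _take_ports(tokens, i, proto):
    """Parse an optional port operator; only tcp/udp conduits carry one."""
    if proto in PORT_PROTOCOLS and i < len(tokens) and tokens[i] in PORT_OPERATORS:
        n = PORT_OPERATORS[tokens[i]]
        return " ".join(tokens[i:i + 1 + n]), i + 1 + n
    return "", i


def parse_conduit(line):
    """Split a conduit statement into its action, protocol and two halves."""
    tokens = line.split()
    if len(tokens) < 5 or tokens[0] != "conduit" or tokens[1] not in ("permit", "deny"):
        raise ValueError(f"not a conduit statement: {line!r}")
    action, proto, i = tokens[1], tokens[2], 3
    try:
        global_addr, i = _take_address(tokens, i)
        global_port, i = _take_ports(tokens, i, proto)
        foreign_addr, i = _take_address(tokens, i)
        foreign_port, i = _take_ports(tokens, i, proto)
    except IndexError:
        raise ValueError(f"truncated conduit statement: {line!r}") from None
    if i != len(tokens):
        raise ValueError(f"unparsed tokens in {line!r}: {tokens[i:]}")
    return {"action": action, "proto": proto,
            "global": global_addr, "global_port": global_port,
            "foreign": foreign_addr, "foreign_port": foreign_port}


def conduit_to_ace(line, acl_name):
    """Return the access-list entry equivalent to one conduit statement."""
    c = parse_conduit(line)
    parts = ["access-list", acl_name, c["action"], c["proto"],
             c["foreign"], c["foreign_port"], c["global"], c["global_port"]]
    return " ".join(p for p in parts if p)


def convert_config(config_text, acl_name="acl_out", interface="outside"):
    """Rewrite every conduit in a config fragment as an ACE and bind the ACL.

    Returns (lines, warnings).  static lines pass through untouched because
    the translation itself is not affected by the conversion.  Warnings flag
    permits with no source or destination restriction at all, which the
    conversion preserves faithfully but a reviewer should question.
    """
    out, warnings = [], []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("conduit "):
            c = parse_conduit(line)
            if (c["action"] == "permit" and c["foreign"] == "any"
                    and c["global"] == "any" and not c["global_port"]):
                warnings.append(f"over-permissive: {line}")
            out.append(conduit_to_ace(line, acl_name))
        else:
            out.append(line)
    # Binding the ACL is what enforces it; an implicit deny follows the last entry.
    out.append(f"access-group {acl_name} in interface {interface}")
    return out, warnings


if __name__ == "__main__":
    converted, warns = convert_config(SAMPLE_CONFIG)
    print("\n".join(converted))
    for w in warns:
        print("WARNING:", w)
```

Caveat for the cut-over: an access-list bound with access-group ends in an implicit deny, and the PIX documentation advises against mixing conduit and access-list statements on the same interface, so convert the whole conduit set in one pass, then confirm real traffic is matching the intended entries (show access-list reports hit counts per entry) before removing the conduit statements.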
Course Outline (Business Unit)

The following is an outline of the course chapters:

Chapter 1: Course Introduction

Chapter 2: Network Security and the Cisco PIX Firewall
– Reasons for securing networks
– The four primary types of threats
– The three primary methods of attack
– The Security Wheel
– Cisco AVVID and SAFE overview

Chapter 3: Cisco PIX Firewall Technology
– Firewalls and firewall technologies
– The PIX Firewall family
– The Finesse OS
– ASA and ASA security levels
– Cut-through proxy

Chapter 4: Identifying the Cisco PIX Firewall
– PIX Firewall 501, 506, 515, 520, 525, and 535 controls, connectors, and LEDs
– Proper location for the various perimeter network cables

Chapter 5: Basic Configuration of the PIX Firewall
– General maintenance commands
– ASA security levels
– The six primary commands (nameif, interface, ip address, route, nat, global)
– Lab exercise: Configure the PIX Firewall and execute general maintenance commands

Chapter 6: PIX Firewall Translations
– Transport protocols
– PIX Firewall translations
– Access through the PIX Firewall
– Lab exercise: Configuring access through the PIX Firewall

Chapter 7: Configuring Multiple Interfaces
– Configuring additional interfaces
– Lab exercise: Configuring multiple interfaces

Chapter 8: DHCP Support
– Dynamic Host Configuration Protocol
– PIX Firewall as DHCP server
– PIX Firewall as DHCP client
– Lab exercise: Configure the PIX Firewall's DHCP server and client features

Chapter 9: Configuring Syslog
– Syslog messages
– Lab exercise: Configuring syslog

Chapter 10: Access Control Configuration and Content Filtering
– Access control lists
– Converting conduits to access control lists
– Configuring access control
– Malicious active code filtering
– URL filtering
– Lab exercise: Configure ACLs in the PIX Firewall

Chapter 11: Advanced Protocol Handling
– Advanced protocols
– Multimedia support
– Lab exercise: Configure and test advanced protocol handling

Chapter 12: Attack Guards and Intrusion Detection
– Attack guards
– Intrusion detection
– Lab exercise: Configure the PIX Firewall to use IDS signatures

Chapter 13: AAA Configuration on the Cisco PIX Firewall
– Introduction to AAA
– Installation of Cisco Secure ACS for Windows NT
– Authentication configuration
– Authorization configuration
– Accounting configuration
– Troubleshooting the AAA configuration
– Lab exercise: Configure AAA on the PIX Firewall using CSACS for Windows NT

Chapter 14: Failover
– Understanding failover
– Configuring failover
– Lab exercise: Configure failover

Chapter 15: VPN Configuration
– Explanation of IPSec
– Configure PIX Firewall IPSec
– Scale PIX Firewall VPNs
– Create a VPN with the Cisco VPN Client 3.1
– Lab exercise: Configure a PIX Firewall VPN

Chapter 16: System Maintenance
– Password recovery
– Image upgrade
– Lab exercise: Upgrade the PIX Firewall image

Chapter 17: Cisco PIX Device Manager
– PDM overview
– PDM operating requirements
– Prepare for PDM
– Using PDM
– Lab exercise: Install and configure PDM

Chapter 18: The Cisco IOS Firewall Context-Based Access Control Configuration
– Introduction to Cisco IOS Firewall
– How CBAC works
– Alerts and audit trails
– Global timeouts and thresholds
– Port-to-application mapping
– Defining inspection rules
– Applying inspection rules and ACLs to router interfaces
– Testing and verifying CBAC
– Lab exercise: Configure IOS Firewall on a Cisco router

Chapter 19: The Cisco IOS Firewall Authentication Proxy Configuration
– Introduction to the Cisco IOS Firewall authentication proxy
– AAA server configuration
– AAA configuration
– Authentication proxy configuration
– Testing and verification of the configuration
– Lab exercise: Configure authentication proxy on a Cisco router

Keywords (Business Unit)

(Maximum of 7): PIX

Equipment Requirements

Resources needed / Quantities / Comments:
(Note: If the equipment list is already
formatted, you may include it in a separate document. Please list the name of the file here.)

The following lab equipment is required for delivery of this course:

Common equipment shared by all pods:
– Cisco 2621 router: dual 10/100 Ethernet router with 2 WIC slots, 1 NM slot, and the following:
  IP SW 2600 SF26C - IP SOFTWARE S26C-12106 Cisco 2600 Series IOS IP
  32- to 48-MB DRAM factory upgrade for the Cisco 2600 Series
  8- to 16-MB Flash factory upgrade for the Cisco 2600
  32-port asynchronous module
  8-lead octal cable (68 pin to 8 male RJ-45s)
– Multi-VLAN server with the following:
  Windows 2000 Server software
  Intel Pentium III 800 MHz processor
  256 MB RAM
  8 GB HD
  CD-ROM/floppy drive
  Intel PRO/100 S Server Adapter (part number PILA8470C3)
– Five Cisco 2924 XL 10/100 switches for VLANs (WS-C2924-XL-EN)
– Cisco Secure Access Control Server 2.6
– Kiwi's Syslog Daemon (freeware release)
– VPN Client software for Win9x-XP, release 3.1

Equipment required for each pod:
– Cisco 2611 router: dual Ethernet modular router with Cisco IOS IP software and the following:
  IP SW 2600 SF26C - IP SOFTWARE S26C-12103T Cisco 2600 Series IOS IP
  32- to 48-MB DRAM factory upgrade for the Cisco 2600 Series
  8- to 16-MB Flash factory upgrade for the Cisco 2600 Series
– Primary PIX Firewall: PIX 515FO bundle (chassis, failover SW, 2 FE ports) with the following:
  56-bit DES IPSec software license
  PIX v6.1 software
  PIX four-port 10/100 Ethernet interface
– Secondary PIX Firewall: PIX 515FO bundle (chassis, failover SW, 2 FE ports) with the following:
  56-bit DES IPSec software license
  PIX v6.1 software
  PIX four-port 10/100 Ethernet interface
– Dell Latitude laptop with the following:
  Windows 2000 Server software
  Internet Explorer 5.5
  Internet Information Services 5.0
  Pentium III 800 MHz
  256 MB RAM
  8 GB HD (or better), NTFS partitioned
  CD-ROM/floppy drive
  10/100 Ethernet NIC

SKU Numbers for Course Materials (Business Unit: Check needed boxes, PLM Deployment: Provide SKUs)

ILT Student Kit includes: Student Guide (SG), Other:    SK SKU:
ILT Instructor Kit includes: SG, Course Management Guide, Slides, Other:    IK SKU:
ILT Employee Brown Bag SKU:
WBT/e-learning SKU:
Self Study: CD:    Book:    Tape:    Video:    Other:
Self Study CD Packaging: Jewel Case or Sleeve?    If Jewel Case: Front Tray Card    Booklet    Back Tray Card