SASAC10LG

SASAC
Implementing Core
Cisco ASA Security
Version 1.0
Lab Guide
Part Number: 97-3369-01
Americas Headquarters
Cisco Systems, Inc.
San Jose, CA
Asia Pacific Headquarters

Cisco Systems (USA) Pte. Ltd.
Singapore
Europe Headquarters
Cisco Systems International BV
Amsterdam,
The Netherlands
Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the
Cisco Website at http://www.cisco.com/go/offices.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and
other countries. To view a list of Cisco trademarks, go to this URL: http://www.cisco.com/go/trademarks.
Third party trademarks mentioned are the property of their respective owners. The use of the word partner
does not imply a partnership relationship between Cisco and any other company. (1110R)
DISCLAIMER WARRANTY: THIS CONTENT IS BEING PROVIDED AS IS. CISCO MAKES AND YOU RECEIVE NO
WARRANTIES IN CONNECTION WITH THE CONTENT PROVIDED HEREUNDER, EXPRESS, IMPLIED, STATUTORY OR IN
ANY OTHER PROVISION OF THIS CONTENT OR COMMUNICATION BETWEEN CISCO AND YOU. CISCO SPECIFICALLY
DISCLAIMS ALL IMPLIED WARRANTIES, INCLUDING WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT AND
FITNESS FOR A PARTICULAR PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE. This
learning product may contain early release content, and while Cisco believes it to be accurate, it falls subject to the disclaimer
above.
2014 Cisco Systems, Inc.
Table of Contents
Lab 1-1: Accessing the Remote Lab Environment
L-5
Visual Objective
Required Resources
L-6
L-6
Command List
Job Aids
Task 1: Access the Learning@Cisco-Hosted ASA Remote Lab
L-6
L-6
L-8
Lab 2-1: Configuring the Cisco ASA Adaptive Security Appliance

Visual Objective
Required Resources
Command List
Job Aids
Task 1: Verify Cisco ASA Adaptive Security Appliance and Cisco ASDM Versions
Task 2: Initialize the Cisco ASA Adaptive Security Appliance from the CLI
Task 3: Launch Cisco ASDM and Test SSH Access
Task 4: Configure and Verify Interfaces
Task 5: Configure System Management Parameters
Lab 3-1: Configuring NAT

Visual Objective
Required Resources
Command List
Job Aids
Task 1: Configure Object NAT for the Client Network and DMZ Server
Task 2: Configure Manual NAT for the DMZ Server and Client Network
Lab 3-2: Configuring Basic Cisco Access Control Features

Visual Objective
Required Resources
Command List
Job Aids
Task 1: Troubleshoot Basic Connectivity
Task 2: Configure Network and Service Object Groups
Task 3: Configure Access Lists
Task 4: Configure Public Servers
Task 5: Configure Global Access Lists
Task 6: (Optional) Configure Unicast Reverse Path Forwarding Check
Lab 4-1: Configuring MPF, Basic Stateful Inspections, and QoS

Visual Objective
Required Resources
Command List
Job Aids
Task 1: Configure ICMP and FTP Inspection
L-15
L-16
L-16
L-16
L-17
L-17
L-20
L-22
L-24
L-26
L-29
L-30
L-30
L-30
L-31
L-31
L-35
L-41
L-42
L-42
L-42
L-43
L-43
L-44
L-46
L-50
L-53
L-55
L-57
L-58
L-58
L-58
L-59
L-59
Task 2: Enable TTL Decrement and Disable TCP Initial Sequence Randomization
Task 3: Tune TCP Timeouts, Enable TCP DCD, and Configure TCP Normalization
Task 4: Configure a Priority Queue and Traffic Policing
Lab 4-2: Configuring MPF Advanced Application Inspections
L-62
L-66
L-69
L-73
Visual Objective
L-74
Required Resources
Command List
Job Aids
Task 1: Configure HTTP Inspection to Protect the DMZ Server
Task 2: Configure FTP Inspection to Protect the DMZ Server
Task 3: Return the Cisco ASA Security Appliance to the Default Inspection Policies
L-74
L-74
L-75
L-75
L-83
L-88
Lab 6-1: Implementing Basic Clientless SSL VPN on the Cisco ASA
L-89
Visual Objective
Required Resources
Command List
Job Aids
Task 1: Configure the Cisco ASA to Use DNS
Task 2: Enable Clientless SSL VPN Connections
Task 3: Provision an Identity Certificate for the Cisco ASA
Task 4: Configure Local User Authentication
Task 5: Configure Bookmarks and Access Control
L-90
L-90
L-90
L-90
L-91
L-91
L-95
L-104
L-110
Lab 6-2: Configuring Application Access for Clientless SSL VPN on the
Cisco ASA
Visual Objective
Required Resources
Job Aids
Task 1: Configure Application Access Using Plug-ins
Task 2: Configure Application Access Using Smart Tunnels
L-118
L-118
L-118
L-119
L-125
Lab 6-3: Implementing External Authentication and Authorization for

Clientless SSL VPNs
L-131
Visual Objective
Required Resources
L-132
L-132
Job Aids
Task 1: Configure External Authentication Using Microsoft Active Directory
Task 2: Configure External Authorization Using Microsoft Active Directory
L-132
L-133
L-137
Lab 7-1: Implementing Basic Cisco AnyConnect SSL VPN on the Cisco
ASA
Visual Objective
Required Resources
Command List
Job Aids
Task 1: Enable Cisco AnyConnect SSL VPN Connections
ii
L-117
Implementing Core Cisco ASA Security
L-143
L-144
L-144
L-144
L-144
L-145
Task 2: Configure the VPN IP Address Pool and Identity NAT

Task 3: Configure a VPN User and Create a Connection Profile
Task 4: Configure Group Policy: IP Pool, DNS, and Split Tunneling
Task 5: Test Cisco AnyConnect SSL VPNs
L-147
L-150
L-152
L-155
Lab 7-2: Configuring Advanced Authentication for Cisco AnyConnect

SSL VPNs
L-161
Visual Objective
Required Resources
Job Aids
Task 1: Review LDAP and Active Directory Server Settings on the Cisco ASA
Task 2: Deploy Local Authorization for Local VPN Users
Task 3: Deploy External Authorization Using Microsoft Active Directory
Task 4: Deploy a Standalone Cisco AnyConnect Client on the Outside PC
L-162
L-162
L-162
L-163
L-168
L-172
L-176
Lab 7-3: Implementing Cisco AnyConnect IPsec/IKEv2 VPNs
L-183
Visual Objective
Required Resources
Job Aids
Task 1: Deploy Cisco AnyConnect IPsec/IKEv2 VPN with WebLaunch
L-184
L-184
L-184
L-185
Lab 8-1: Configuring Active/Standby High Availability
L-197
Visual Objective
Required Resources
Command List
Job Aids
Task 1: Prepare the Secondary Appliance for Failover Configuration via the CLI and
Cisco ASDM
Task 2: Configure Active/Standby Failover
Task 3: Configure Standby IP Addresses on the Active Appliance and Test Failover
Task 4: Tune Active/Standby Failover
Task 5: Enable Stateful Active/Standby Failover
L-198
L-198
L-199
L-199
L-200
L-201
L-205
L-209
L-212
Lab Answer Keys
L-217

Lab 2-1: Configuring the Cisco ASA Adaptive Security Appliance
L-217
L-217
L-219
Lab 3-2: Configuring Basic Cisco Access Control Features

Lab 4-1: Configuring MPF, Basic Stateful Inspections, and QoS
Lab 4-2: Configuring MPF Advanced Application Inspections
Lab 6-1: Implementing Basic Clientless SSL VPN on the Cisco ASA
Lab 6-2: Configuring Application Access for Clientless SSL VPN on the Cisco ASA
Lab 6-3: Implementing External Authentication and Authorization for Clientless SSL
VPNs
Lab 7-1: Implementing Basic Cisco AnyConnect SSL VPN on the Cisco ASA
Lab 7-2: Configuring Advanced Authentication for Cisco AnyConnect SSL VPNs
Lab 7-3: Implementing Cisco AnyConnect IPsec/IKEv2 VPNs
L-227
L-236
L-243
L-250
L-251
L-251
L-251
L-252
L-253
Lab Guide
iii
Lab 8-1: Configuring Active/Standby High Availability
iv
L-253
Lab 1-1: Accessing the

Remote Lab Environment
Complete this lab activity to become familiar with the Cisco Learning Labs environment.
Activity Objective
After completing this activity, you will be able to:
Describe how to access the Learning@Cisco-hosted ASA remote lab environment for your assigned pod
Visual Objective
The figure illustrates what you will accomplish in this activity.
Lab 1-1: Accessing the Remote Lab

Environment
Inside-PC (Win 7) Syslog Server
CDA
Inside-SRV (Win 2008 R2) AD/DNS

.4
Px-ASA
ASA 5500-X
.3
3
Inside
Gi0/1
.1
IPS or CX
.5
Outside
209.165.201.0/27 VLAN 1xx
Fa0/0.1x
.1
Px-Rtr
2610XM
.129
192.168.1.0/24
VLAN 2xx
Gi0/2
.1 DMZ
.2
Gi0/0
DMZ-SRV (Linux)
.2
172.16.1.0/24
VLAN 3xx
Outside-PC (Win 7)
209.165.202.128/27
VLAN 8xx
Fa0/0.8x
Fa0/0.9x
209.165.200.226/27
.2
.131
.130
VLAN 9xx
209.165.200.225/27
Outside-SRV (Linux)
Gi0/0.9x
Term
Server
Shared
ISR
Cisco Lab
VPN Gateway
.89 Gi0/1
172.16.150.0/24.254 gateway
Internet
Required Resources
The following resource is required to complete this activity:
Remote access to the Cisco ASA product training lab
Command List
No commands are used in this activity.
Job Aids
These job aids are provided to help you complete the lab activity.
The following information will help you complete this task:
Each pod contains a 5512-X ASA, all the VMs for the servers and PCs, and an outside router.
For the nonfailover lab, all pods work independently of each other.
For the failover lab, two pods will work together to form a two-unit failover pair.
The failover labs will provide you with the needed additional detail to perform those labs.
The following login information is for the lab devices:
Inside Windows 7 PC local user PC: login: inside-pc\student; password: Ci5coAdmin
Lab domain name: secure-x.local (x is not your pod number)
Inside Windows 7 PC secure-x.local domain users (it1, sales1, marketing1, engineer1,
contractor1, employee1, student) password: cisco
L-6
Inside (AD) Microsoft 2008 server login: login: Administrator; password: Cisco123
DMZ Linux server: login: root; password: Ci5coAdmin
Outside Linux server: login: root; password: Ci5coAdmin
Outside Windows PC: login: student; password: Ci5coAdmin
Cisco ASA enable password: C!sco!23.
Cisco ASDM: username: student; password: C!sco!23
Pod outside router enable password: cisco.
Your assigned pod number (to be provided): _____
Your VPN login (to be provided): _______________________________
Your Cisco Learning Labs web portal login (to be provided):
_______________________________
RDP login to the Student PC (to be provided): _______________________________
Other passwords if needed:
____________________________________________________________
Lab Guide
L-7
Task 1: Access the Learning@Cisco-Hosted ASA

Remote Lab
In this activity, you will test access to the assigned Learning@Cisco-hosted ASA remote lab environment
for your assigned pod.
Activity Procedure
Complete the following steps to test access to the ASA remote lab.
Step 1
Launch the Cisco AnyConnect VPN client and access the Cisco Learning Labs web portal.
L-8
Step 2
Launch Cisco AnyConnect from your PC. Begin a VPN connection to cll.cisco.com. The VPN username
and password will be provided.
Once you have VPN access, log in to the Cisco Learning Labs web portal at http://172.16.50.3/users/
pblogin.
The web portal login username and password will be provided.
In the web portal, click Start Lab, and then click Begin Lab.
Lab Guide
L-9
Step 3
On the web page (shown in the figure), click the StudentPC icon to launch an RDP session into the
Windows VM for your pod.
The RDP login username and password will be provided.
L-10 Implementing Core Cisco ASA Security
Step 4
Once the RDP has launched, click the respective icon on the desktop to do the following:
Launch the VM remote console to access the Inside-PC, Inside-SRV, Outside-PC, Outside-SRV, and
DMZ-SRV VM consoles
Launch a Telnet connection through the term server to access the ASA and pod router consoles
The desktop icons should look similar to the icons that are shown in the figure:
To move between the different windows (Inside-PC, Inside-SRV, DMZ-SRV, Outside-SRV, and OutsidePC VM), click the left and right arrow keys from the bar at the top of the RDP session screen (see the
following figure). (These arrows are available only if the VM console window is maximized.) If your RDP
session window is in full-screen mode and you move your cursor to the top of the RDP session screen, the
RDP bar will overlap the bar for moving between the different guest VMs that you opened. In this case,
slide the RDP bar to the left or to the right so that it does not overlap.
Lab Guide
L-11
Step 5
Navigate back to the desktop, or minimize all open VM console windows.
Step 6
Double-click the ASA console icon to open a CLI session with the Cisco ASA. Use the show run command
to view the configuration on your ASA.
The ASA enable password should be C!sco!23.
The ASA configuration should be similar to the following:
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 209.165.201.2 255.255.255.224
!
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
nameif dmz
security-level 50
ip address 172.16.1.1 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 209.165.201.1
Step 7
In the back of the Lab Guide, you will find the Answer Key. During some of the lab steps in this course,
you may be asked certain questions, and you can find those answers in the Answer Key. You can also find
corresponding examples of some of the lab task steps should you require additional assistance with any lab
procedures.
Activity Verification
You have completed this task when you attain this result:
You accessed all the devices in your assigned ASA remote lab pod.
Lab Guide
L-13
Lab 2-1: Configuring the

Cisco ASA Adaptive Security
Appliance
Activity Objective
In this activity, you will verify the Cisco ASA security appliance image and configure basic access to Cisco
ASDM.
Upon completing this exercise, you will be able to:
Verify the Cisco ASA security appliance and Cisco ASDM versions
Initialize the Cisco ASA security appliance from the CLI
Launch Cisco ASDM and test SSH access
Configure and verify interfaces
Configure system management parameters
Visual Objective
The figure illustrates the lab topology.
Lab 2-1: Configuring the Cisco ASA Adaptive

Security Appliance
Required Resources
The following resources and equipment are required to complete this activity:
Inside PC
Cisco ASA 5512 Adaptive Security Appliance
DMZ server
Outside server
Cisco ISR router
Cisco Catalyst switch (not shown)
Command List
The table describes the commands that are used in this activity. The commands are listed in alphabetical
order so that you can easily locate the information that you need. Refer to this list if you need configuration
command assistance during the lab activity.
Commands
Command
Description
configure terminal
This command enters configuration mode.
domain name
This command configures the domain name.
enable
This command enters privileged EXEC mode.
Command
Description
exit
This command exits current configuration mode.
HTTP server enable
This command enables the HTTP server process.
http x.x.x.x/x.x.x.x interface
This command defines allowed host or network management access.
interface interface
This command enters interface configuration mode.
nameif
This command assigns a name to the interface.
reload
This command reboots the Cisco ASA security appliance.
show flash
This command displays the contents of the internal flash memory.
show running-config
This command displays the configuration that is currently running on the

Cisco ASA security appliance.
show version
This command displays the software version, hardware configuration,

license key, and related uptime data.
write erase
This command erases the startup configuration.
write memory
This command saves the running configuration to memory.
Job Aids
These job aids are available to help you complete the lab activity.
The instructor will provide you with your pod number and other pod access information. Please write it
down in the table.
Pod number
Cisco ASA hostname
Px-ASA (x = your pod number)
Cisco ASA inside address
192.168.1.1/24
Cisco ASA outside address
209.165.201.2/27
Cisco ASA DMZ address
172.16.1.1/24
Inside PC username/password
student/Ci5coAdmin
Task 1: Verify Cisco ASA Adaptive Security

Appliance and Cisco ASDM Versions
In this task, you will verify that the Cisco ASA security appliance is running the correct Cisco ASA
software version and Cisco ASDM version.
Activity Procedure
Complete the following steps:
Step 1
From your student desktop RDP session, click the ASA console icon to open a connection to the Cisco ASA
security appliance CLI.
Lab Guide
L-17
Step 2
Erase the default configuration from the security appliance.
Step 3
Reload the security appliance.
Step 4
After the security appliance reboots, it will prompt you to configure it by using the interactive setup dialog.
Answer No to the prompt and interrupt the setup dialog. The user EXEC mode prompt appears.
Step 5
Enter the privileged EXEC mode. There is no password set at this time.
Step 6
Verify that the running image and Cisco ASDM image are correct. For this lab, you should have a Cisco
ASA device image of 9.1(x) and a Cisco ASDM image of 7.1(x).
ASA Image ______________
ASDM Image _____________
Step 1
The Cisco ASA security appliance was reloaded with a blank configuration and you verified the security
appliance images.
ciscoasa# show running-config

: Saved
:
ASA Version 9.1(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny udp any4 any4 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
shutdown
no nameif
no security-level
no ip address
!
shutdown
no nameif
no security-level
no ip address
!
shutdown
no nameif
no security-level
no ip address
!
shutdown
no nameif
no security-level
no ip address
!
shutdown
no nameif
no security-level
no ip address
!
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
<output omitted>
Lab Guide
L-19
ciscoasa# show version

Cisco Adaptive Security Appliance Software Version 9.1(2)
Device Manager Version 7.1(3)
Compiled on Thu 09-May-13 16:20 PDT by builders
System image file is "disk1:/asa912-smp-k8.bin"
Config file at boot was "startup-config"
<output omitted>
Task 2: Initialize the Cisco ASA Adaptive Security

Appliance from the CLI
In this task, you will configure the Cisco ASA security appliance with a basic configuration that allows an
administrator to manage the appliance from the inside network by using Cisco ASDM.
Activity Procedure
Step 1
Enter the global configuration mode.
Step 2
Configure and enable the Gigabit Ethernet0/1 interface with the following parameters:
Name: inside
Security Level: 100
IP Address: 192.168.1.1/24
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
no shutdown
Step 3
Configure the device settings with the following parameters:
Hostname: Px-ASA (x = your pod number)
Domain Name: secure-x.local (x does not equal your pod number in the domain name)
Enable Password: C!sco!23
Hostname Px-ASA
Domain-name secure-x.local
Enable password C!sco!23
Step 4
Enable SSH and the HTTP server. Grant access for the administrators on the inside 192.168.1.0/24 network.
http server enable
http 192.168.1.0 255.255.255.0 inside
ssh 192.168.1.0 255.255.255.0 inside
Step 5
Create the student user in the LOCAL database with C!sco!23 as the password. Assign a privilege level of
15 to the user.
username student password C!sco!23 encrypted privilege 15
Step 6
Enable ASDM and SSH authentication by using the LOCAL user database.
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
Step 7
Save your configuration.
Step 1
The configuration is ready for the device to be managed from Cisco ASDM by administrators on the inside
network. Your configuration should contain the relevant configurations that are shown here:
Lab Guide
L-21
Px-ASA# show run

: Saved
:
ASA Version 9.1(2)
!
hostname Px-ASA
domain-name secure-x.local
enable password SGeFadGdTirefBRG encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
shutdown
no nameif
no security-level
no ip address
!
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
shutdown
no nameif
no security-level
no ip address
<output omitted>
ftp mode passive
dns server-group DefaultDNS
domain-name secure-x.local
<output omitted>
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
!
!
ssh 192.168.1.0 255.255.255.0 inside
!
username student password 3USUcOPFUiMCO4Jk encrypted privilege 15
!
<output omitted>
Task 3: Launch Cisco ASDM and Test SSH

Access
In this task, you will launch Cisco ASDM and familiarize yourself with basic panes in Cisco ASDM. You
will also test SSH access to the security appliance.
Activity Procedure
Complete these steps:
Step 1
Access the Inside PC.
Step 2
Start Cisco ASDM by using the ASDM-IDM Launcher that is found on the Inside PC desktop. Enter the
username and password that you previously configured. Accept all security warnings. The Cisco ASDM
window appears.
Step 3
In the Device Information area of the device dashboard, examine the contents of the General tab and answer
the following questions:
1
What is the hostname?
What is the security appliance version?
What is the Cisco ASDM version?
What is the firewall mode?
What is the total flash memory?
What is the device type?
What is the context mode?
Step 4
In the Device Information area, click the License tab. From the License tab information, answer the
following questions:
1
What is the license type?
What is the supported number of physical interfaces?
What is the supported number of VLANs?
Which kind of failover is supported?
How many contexts are supported?
Which type of encryption is supported?
How many VPN peers are supported?
How many SSL VPN peers are supported?
Lab Guide
L-23
Step 5
Using the Inside PC, launch PuTTY from the desktop. Use SSH to connect to the inside interface of the
security appliance at 192.168.1.1. Log in with the username and password that you configured previously.
This login should be successful.
Note
If you receive a security error, connect to the console port of the security appliance and enter the CLI
command crypto key generate rsa mod 1024 to generate new RSA keys. Once the generation
completes, attempt an SSH connection again.
Step 1
You successfully launched Cisco ASDM, connected via SSH, and answered the questions correctly.

In this task, you will use Cisco ASDM to configure and verify network interfaces on the security appliance.
You will configure an interface toward the DMZ server and toward the outside router.
Activity Procedure
Step 1
In Cisco ASDM, enable the Gigabit Ethernet0/2 interface. This interface connects the security appliance to
the DMZ server. Configure the Gigabit Ethernet0/2 interface with the following network parameters:
Name: dmz
Security Level: 50
IP Address: 172.16.1.1/24
Step 2
Enable the Gigabit Ethernet0/0 interface. This interface connects to the router. Configure the interface with
the following network parameters:
Name: outside
Security Level: 0
IP Address: 209.165.201.2/27
Step 3
Preview the commands. Click Apply, and then click Save.
Step 1
You verified your configuration by using the CLI and Cisco ASDM.
Lab Guide
L-25
Task 5: Configure System Management

Parameters
In this task, you will configure the security appliance to use NTP and syslog for logging system messages.
You will also set up a default outside static route. This configuration will allow the security appliance to
synchronize its clock with a source time server, send syslog messages to a syslog server, and route traffic to
the outside networks.
Activity Procedure
Step 1
Using Cisco ASDM, configure the following parameters:
Default Outside Static Route: Next-hop IP address of the outside router, which is 209.165.201.1, with
a metric of 1
NTP Server: IP address is 10.81.254.202 (this is an external time source used to synchronize system
time across other devices)
Syslog: Enable logging and set the syslog server to an IP address of 192.168.1.3 (this is the Inside PC
that runs the Kiwi Syslog server)
Set the logging filters to the following settings:
Console: Alerts (severity 1)
ASDM: Warning (severity 4)
Buffered: Warning (severity 4)
Syslog Servers: Warning (severity 4)
Other Logging Destination: Not required
Note
Notice the message and ASDM configuration path on the configuration screen to enable logging.
Step 2
Click Apply, and then click Save.
Step 1
You configured and verified your configurations by using the CLI and Cisco ASDM.
Lab Guide
L-27
Px-ASA# show logging

Syslog logging: enabled
Facility: 20
Timestamp logging: disabled
Standby logging: disabled
Debug-trace logging: disabled
Console logging: level alerts, 0 messages logged
Monitor logging: disabled
Buffer logging: level warnings, 0 messages logged
Trap logging: level warnings, facility 20, 0 messages logged
Logging to inside 192.168.1.3
Permit-hostdown logging: disabled
History logging: disabled
Device ID: disabled
Mail logging: disabled
ASDM logging: level warnings, 0 messages logged
Px-ASA# show route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 209.165.201.1 to network 0.0.0.0
C
172.16.1.0 255.255.255.0 is directly connected, dmz
C
209.165.201.0 255.255.255.224 is directly connected, outside
C
192.168.1.0 255.255.255.0 is directly connected, inside
S*
0.0.0.0 0.0.0.0 [1/0] via 209.165.201.1, outside
Px-ASA# sh ntp associations
address
ref clock
st when poll reach delay offset
disp
*~10.81.254.202
.GPS.
1
605 1024 377
94.5
-3.41
21.6
* master (synced), # master (unsynced), + selected, - candidate, ~ configured
Px-ASA# show ntp status
Clock is synchronized, stratum 2, reference is 10.81.254.202
nominal freq is 99.9984 Hz, actual freq is 99.9926 Hz, precision is 2**6
reference time is d5c0dc9c.1fc20ed9 (18:53:16.124 UTC Thu Aug 22 2013)
clock offset is 60.1853 msec, root delay is 171.42 msec
root dispersion is 76.75 msec, peer dispersion is 16.57 msec

Activity Objective
In this activity, you will configure and troubleshoot NAT configurations on a Cisco ASA security
appliance.
Configure object NAT for the inside network and DMZ server
Configure manual NAT for the DMZ server and client network
Visual Objective
Required Resources
Inside PC
Outside server
DMZ server
Cisco ISR router
Command List
Commands
Command
Description
show conn
This command displays the connection state for the designated

connection type.
show nat

connection type.
Command
Description
show run nat
This command displays the configured translation rules from the

running configuration.
show run object network
This command displays the configured network objects.
show run object service
This command displays the configured service objects.
show xlate
This command displays information about the translation table entries.
Job Aids
Client and Server Access Information
Pod number
DMZ server username/password
student/Ci5coAdmin
Outside server username/password
student/Ci5coAdmin
student/Ci5coAdmin
Cisco ASDM username/password
student/C!sco!23
Cisco ASA enable password
C!sco!23
Task 1: Configure Object NAT for the Client

Network and DMZ Server
In this task, you will configure NAT while adding objects to the security appliance configuration. The DMZ
server requires a static translation when routed to the outside interface. The inside network requires PAT
when routed to the outside interface.
Activity Procedure
Step 1
From the Inside PC, access Cisco ASDM.
Step 2
Add a network object for the DMZ server with the following parameters:
Name: DMZ-SRV
Type: Host
IP Address: 172.16.1.2
Lab Guide
L-31
Step 3
If needed, expand the NAT section and set the following parameters:
Check the Add Automatic Address Translation Rules check box.
Type: Static
Translated Address: 209.165.201.22
Step 4
Click the Advanced button and enter the following information:
Source Interface: dmz
Destination Interface: outside
Step 5
Click Apply to save your configuration.
Step 6
Add a network object for the inside network with the following parameters:
Name: INSIDE-NETWORK
Type: Network
IP Address: 192.168.1.0
Netmask: 255.255.255.0
Lab Guide
L-33
Step 7
If needed, expand the NAT section and set the following parameters:
Check the Add Automatic Address Translation Rules check box.
Type: Dynamic PAT (Hide)
Translated Address: 209.165.201.20
Step 8
Click Advanced and enter the following information:
Source Interface: inside
Step 9
Step 10
Access the Cisco ASA CLI from either the console or SSH. Verify the configured NAT rules by using the
show nat command.
Step 11
Open a web browser from the Inside PC and access a web page on the Outside server. Use the web page
http://209.165.202.130. This web page should load successfully.
Step 12
Access the Cisco ASA CLI from either the console or SSH. Verify the connections and configured
translation entries in the translation table by using the show conn and show xlate commands.
Note
HTTP connections happen quickly. You may have to attempt the browser connection again and
immediately issue the CLI show commands.
You have completed this task when you attain these results:
Step 1
You verified the configured NAT rules from the Cisco ASA CLI as follows:
Px-ASA# show nat

Auto NAT Policies (Section 2)
1 (dmz) to (outside) source static DMZ-SRV 209.165.201.22
translate_hits = 3, untranslate_hits = 0
2 (inside) to (outside) source dynamic INSIDE-NETWORK 209.165.201.20
Px-ASA# show xlate
3 in use, 3 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
NAT from dmz:172.16.1.2 to outside:209.165.201.22
flags s idle 0:13:04 timeout 0:00:00
TCP PAT from inside:192.168.1.3/36943 to outside:209.165.201.20/36943 flags ri idle
0:00:03 timeout 0:00:30
TCP PAT from inside:192.168.1.3/36942 to outside:209.165.201.20/36942 flags ri idle
0:00:03 timeout 0:00:30
Task 2: Configure Manual NAT for the DMZ Server

and Client Network
In this task, you will configure manual NAT for certain DMZ server functions. For the DMZ server, you
will configure a translation that should be used only when the destination is the outside network. For inside
clients, you will configure a translation that should be used only when accessing the DMZ server on TCP
port 8080.
Activity Procedure
Step 1
Return to Cisco ASDM and add a NAT rule before the Network Object NAT rule for traffic from the DMZ
server to the outside network.
Use the following original packet parameters:
Source Interface: dmz
Source Address: DMZ-SRV
Destination Address: Click the ellipsis button to add a new network object that is named OUTSIDENETWORK with the IP address 209.165.201.0 and the mask 255.255.255.224. Ensure that this newly
created object is chosen in the Original Destination Address field and click OK.
Use the following translated packet parameters:
Source NAT Type: static
Source Address: Click the ellipsis button to add a new network object that is named DMZ-MANUALNAT with the host IP address 209.165.201.23. Ensure that this newly created object is chosen in the
Translated Source Address field and click OK.
Leave all other fields at their defaults.
Lab Guide
L-35
Step 2
Click Apply to save your configurations.
Step 3
Access the Cisco ASA CLI from either the console or SSH. Verify the configured NAT rules.
Px-ASA# show nat
Manual NAT Policies (Section 1)
1 (dmz) to (outside) source static DMZ-SRV DMZ-MANUAL-NAT
NETWORK OUTSIDE-NETWORK
destination static OUTSIDE-
Step 4
From the CLI, clear all translations.
Step 5
From the DMZ server, use Telnet to connect to the router from a command prompt. Use the IP address
209.165.201.1. If you are prompted for a password, enter cisco. This Telnet connection should be
successful.
Note
If you get an error when using Telnet to connect to the router, access the router console port and set the
vty password to cisco.
line vty 0 4
password cisco
Step 6
Access the Cisco ASA CLI from either the console or SSH. Verify the connections and the configured
translation entries in the translation table.
Px-ASA# sh conn
TCP outside 209.165.201.1:23 dmz
172.16.1.2:54531, idle 0:00:55, bytes 150, flags UIO
Lab Guide
L-37
Step 7
Add a NAT rule before the Network Object NAT rule for the traffic from the inside network to the DMZ
server.
Use the following original packet parameters:
Source Interface: inside
Destination Interface: dmz
Source Address: INSIDE-NETWORK (previously configured)
Destination Address: DMZ-SRV (previously configured)
Destination Service: Click the ellipsis button to add a new service object that is named
HTTP_PROXY_PORT with the service type TCP and the destination port 8080. Ensure that this newly
created object is chosen in the Original Service field and click OK.
Use the following translated packet parameters:
Source NAT Type: Dynamic PAT (Hide)
Source Address: Click the ellipsis button to add a network object that is named DMZ_PAT with the
host IP address 172.16.1.10. Ensure that this newly created object is chosen in the Translated Source
Address field and click OK.
Leave the destination address as Original.
Service: Click the ellipsis button to add a service object that is named HTTP_80 with the service type
TCP and the destination port 80. Ensure that this newly created object is chosen in the Translated
Service field and click OK.
Step 8
Step 9
Access the Cisco ASA CLI from either the console or SSH. Verify the configured NAT rules.
Step 10
Open a web browser from the Inside PC and access a web page on the DMZ server by using the proxy port
8080. Enter http://172.16.1.2:8080. This web page should load successfully.
Lab Guide
L-39
Step 11
Access the Cisco ASA CLI from either the console or SSH. Verify the connections and the configured
translation entries in the translation table.
Note
HTTP connections happen quickly. You must issue the command immediately after connecting to the
server before the connections time out.
Step 1
You verified the configured NAT rules from the CLI as follows:
Px-ASA# show nat
Manual NAT Policies (Section 1)
1 (dmz) to (outside) source static DMZ-SRV DMZ-MANUAL-NAT
destination static OUTSIDENETWORK OUTSIDE-NETWORK
2 (inside) to (dmz) source dynamic INSIDE-NETWORK DMZ-PAT
destination static DMZ-SRV
DMZ-SRV service HTTP-PROXY-PORT HTTP-80
Auto NAT Policies (Section 2)
1 (dmz) to (outside) source static DMZ-SRV 209.165.201.22
2 (inside) to (outside) source dynamic INSIDE-NETWORK 209.165.201.20
Step 2
You verified the static and dynamic translations in the translation table. (Note: Translation entries will vary
over time.)
Px-ASA# show xlate
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
TCP PAT from dmz:172.16.1.2 80-80 to inside:172.16.1.2 8080-8080
flags srIT idle 0:02:42 timeout 0:00:00
Lab 3-2: Configuring Basic

Cisco Access Control
Features
Activity Objective
In this activity, you will configure and troubleshoot basic access control features on a Cisco ASA security
appliance.
Troubleshoot basic connectivity using packet capture, ping, and Cisco Packet Tracer
Configure network and service object groups
Configure and verify interface access lists
Configure and verify inbound access to a server by using public servers
Configure and verify global ACLs
Configure antispoofing on all interfaces by using uRPF
Visual Objective
Lab 3-2: Configuring Basic Cisco Access

Control Features
Required Resources
Inside PC
DMZ server
Outside server
Cisco ISR router
Command List
Commands
Command
Description
capture capture_name type asp-drop acldrop
This command enables the capturing of packets that are dropped by the
configured rule.
ip verify reverse-path interface interface
This command enables the reverse path forwarding check.
Command
Description
show capture capture_name
This command displays the capture configuration.
show conn

connection type.
show local-host
This command displays the network states of local hosts.
Job Aids
Pod number
student/Ci5coAdmin
student/Ci5coAdmin
student/Ci5coAdmin
Cisco ASA username/password
student/C!sco!23

In this task, you will try to establish an HTTP connection from the Outside server to the DMZ server. You
will use the packet capture tool on the outside interface of the Cisco ASA security appliance to investigate
the reason for the failed HTTP connection.
Activity Procedure
Step 1
Access the Cisco ASA security appliance CLI. Enable the capturing of packets that were dropped because
of an access list so that you can later view detailed information about the packets and how they were
processed by the security appliance. Use a capture name of CAPTURE for this capture command.
Px-ASA# capture CAPTURE type asp-drop acl-drop
Step 2
Access the Outside server and try to establish an HTTP connection by using the Iceweasel application from
the Outside server to the DMZ server (172.16.1.2). This attempt should fail because the default Cisco ASA
security appliance security policy allows only connections from interfaces with a higher security level to
interfaces with a lower security level.
Step 3
Return to the Cisco ASA security appliance CLI and display information about the packets that you
captured. You should see dropped HTTP packets from the server to the DMZ server.
Lab Guide
L-43
Px-ASA# show capture CAPTURE

10 packets captured
1: 13:38:03.158072
209.165.202.130.39086 > 172.16.1.2.80: S
2357552809:2357552809(0) win 14600 <mss 1460,sackOK,timestamp 432574485 0,nop,wscale
7> Drop-reason: (acl-drop) Flow is denied by configured rule
Step 1
You displayed information about the packets that you captured:
Px-ASA# show capture CAPTURE
10 packets captured
1: 13:38:03.158072
209.165.202.130.39086 > 172.16.1.2.80: S
2357552809:2357552809(0) win 14600 <mss 1460,sackOK,timestamp 432574485 0,nop,wscale
7> Drop-reason: (acl-drop) Flow is denied by configured rule
Task 2: Configure Network and Service Object

Groups
In this task, you will first configure two service groups and one network object group. The first service
object group will include HTTP, FTP, TFTP, and ICMP. The second object group will include HTTP, FTP,
DNS, and ICMP. The network object group will group the DMZ server and the Outside server.
Activity Procedure
Step 1
Access the Cisco ASDM from the Inside PC. Create a service group that is named DMZ_SERVICES that
includes the following services:
HTTP
FTP
TFTP
ICMP
Step 2
Step 3
Create another service group that is named OUTSIDE_SERVICES that includes the following services:
HTTP
DNS (udp-domain)
FTP
ICMP
Step 4
Step 5
Create a network object group that is named SERVERS that includes the following:
DMZ-SRV (172.16.1.2) (previously configured)
OUTSIDE-SRV (209.165.202.130) (choose Create New Network Object Member if needed)
Lab Guide
L-45
Step 6
Step 1
Object groups are verified in the next task.

In this task, you will configure two access lists. The first access list will permit inbound HTTP, FTP, TFTP,
and ICMP access from the Outside server to the DMZ server. The second access list will permit outbound
HTTP, FTP, DNS, and ICMP traffic from the Inside PC to the DMZ server and the Outside server.
Activity Procedure
Step 1
Return to the Cisco ASDM session that is running on the Inside PC.
Step 2
Configure an input access list on the outside interface to permit inbound HTTP, FTP, TFTP, and ICMP
services from the 172.16.1.0/24 network to the 172.16.1.2 DMZ server. Refer to the previously created
DMZ_SERVICES service object group.
Step 3
Access the Outside server. Try to establish an HTTP connection from the Outside server to the translated
address of the DMZ server (209.165.201.22). The attempt will fail.
Step 4
Return to the Cisco ASDM session. Troubleshoot the problem by using the Cisco Packet Tracer.
Note
You should find out that the implicit rule at the end of the access list dropped the packets.
Step 5
Reconfigure the access list on the outside interface by correcting the source IP address of the access list to
the IP address of the Outside server (209.165.202.130).
Step 6
Return to the Outside server. Try to establish an HTTP connection from the server to the translated address
of the DMZ server (209.165.201.22) again. The attempt should now be successful.
Step 7
Access the Cisco ASA security appliance CLI. Verify the content of the connection table.
Px-ASA# show conn
TCP outside 209.165.202.130:50935 dmz
UIOB
172.16.1.2:80, idle 0:00:02, bytes 651, flags
Note
DMZ server before the connections time out.
Note
Alternatively, you can open a command prompt on the Outside server and ping the DMZ server
(209.165.201.22); then view the ICMP connections and local host table entries. Remember to return to
the Outside server and stop the pings by pressing Ctrl-C.
Lab Guide
L-47
Step 8
Verify the local host state table.
Px-ASA# show local-host
Interface outside: 1 active, 17 maximum active, 0 denied
local host: <209.165.202.130>,
TCP flow count/limit = 3/unlimited
TCP embryonic count to host = 0
TCP intercept watermark = unlimited
UDP flow count/limit = 0/unlimited
Conn:
TCP outside 209.165.202.130:50932 dmz 172.16.1.2:80,
flags UB
TCP outside 209.165.202.130:50931 dmz 172.16.1.2:80,
flags UIOB
TCP outside 209.165.202.130:50929 dmz 172.16.1.2:80,
flags UIOB
Interface dmz: 1 active, 1 maximum active, 0 denied
local host: <172.16.1.2>,
Conn:
TCP outside 209.165.202.130:50932 dmz 172.16.1.2:80,
flags UB
TCP outside 209.165.202.130:50931 dmz 172.16.1.2:80,
flags UIOB
TCP outside 209.165.202.130:50929 dmz 172.16.1.2:80,
flags UIOB
Interface inside: 0 active, 3 maximum active, 0 denied
idle 0:00:03, bytes 0,

idle 0:00:03, bytes 2583,
idle 0:00:03, bytes 9193,
idle 0:00:03, bytes 0,

idle 0:00:03, bytes 2583,
idle 0:00:03, bytes 9193,
Note
DMZ server before the connections time out.
Note
Alternatively, you can open a command prompt on the Outside server and ping the DMZ server
(209.165.201.22); then view the ICMP connections and local host table entries. Remember to return to
the Outside server and stop the pings by pressing Ctrl-C.
Step 9
Open a command prompt on the Outside server. Try to use Telnet to connect from the Outside server to the
DMZ server. The attempt should fail because the access list drops all traffic except HTTP, FTP, TFTP, and
ICMP traffic.
Step 10
Configure an input access list on the inside interface to permit outbound ICMP echo, HTTP, and FTP
services from the inside network to the DMZ server and to the Outside server. Refer to the previously
created OUTSIDE_SERVICES service object group and SERVERS network object group.
Step 11
Open a web browser on the Inside PC. Try to establish an HTTP connection from the Inside PC to the
Outside server. The attempt should be successful.
Step 12
Return to the Cisco ASA security appliance CLI. Verify the content of the connection table and local host
state table.
Step 13
Return to the Inside PC and open a command prompt. Try to use Telnet to connect from the Inside PC to
the Outside server. The attempt will fail because the access list drops all traffic except ICMP, HTTP, and
FTP traffic.
Step 14
Try to establish an HTTP connection from the Inside PC to the DMZ server by using port 8080 (previously
configured). The attempt should be successful.
Step 15
Verify the current content of the connection table and the local host state table.
Step 16
Try to use Telnet to connect from the Inside PC to the DMZ server. The attempt will fail because the access
list drops all traffic except ICMP, HTTP, and FTP traffic.
Step 1
You verified the lack of HTTP connectivity from the Outside server to the DMZ server when the access list
is misconfigured.
Step 2
You verified HTTP connectivity from the Outside server to the DMZ server when the access list is
configured properly.
Lab Guide
L-49
Step 3
You verified the current content of the connection table and the local host state table.
Step 4
You verified the lack of Telnet connectivity from the Inside PC to the Outside server.
Step 5
You verified HTTP connectivity from the Inside PC to the DMZ server.
Step 6
You verified the lack of Telnet connectivity from the Inside PC to the DMZ server.

In this task, you will configure a public server. The public server will create a static translation for the
inside client to the outside interface and also allow access to the inside client for outside hosts.
Activity Procedure
Step 1
Return to the Cisco ASDM session that is running on the Inside PC.
Step 2
Remove the following configurations:
The access list that is applied to the outside interface
All NAT configurations that refer to the network object DMZ-SRV
The DMZ server from the object group SERVERS
The network object DMZ-SRV
Note
Some items may depend on each other. If you get a warning while attempting to delete some items,
remove the related dependency and attempt again.
Step 3
Access the Outside server and refresh the existing browser window that is connected to the DMZ server. If
needed, open a new browser window to access the DMZ server. Verify that access is now denied to the
DMZ server.
Step 4
Add a new public server. Use the DMZ interface for the private interface. Create a new network object that
is named DMZ_SERVER_PUB with the IP address 172.16.1.2 and use this as the private IP address. For
the private service, use the previously created HTTP_80. Use the outside interface as the public interface.
Use 209.165.201.22 as the public IP address.
Note
If needed, the new network object DMZ_SERVER_PUB may need to be created prior to configuring the
public server parameters.
Step 5
Return to the Outside server. Try to establish an HTTP connection from the server to the translated address
of the DMZ server (209.165.201.22) again. This attempt should be successful.
Step 6
Access the Cisco ASA security appliance CLI. Verify the content of the connection and local host state
tables.
Lab Guide
L-51
Step 7
Verify that the ACL and NAT entries were added for the public server.
Step 8
Return the input access list on the outside interface to the previous configuration by using the service object
group DMZ_SERVICES as the destination service.
Step 1
You verified the lack of HTTP connectivity from the Outside server to the DMZ server when the NAT and
access list configurations are not present.
Step 2
You verified HTTP connectivity from the Outside server to the DMZ server when the public server is
configured properly.
Step 3
You verified the current content of the connection table and the local host state table:
Px-ASA# show local-host
Interface outside: 1 active, 17 maximum active, 0 denied
local host: <209.165.202.130>,
Conn:
TCP outside 209.165.202.130:51547 dmz 172.16.1.2:80, idle 0:00:02, bytes 651,
flags UIOB
Px-ASA# show
4 in use, 26
TCP outside
TCP outside
UIOB
conn
most used
209.165.202.130:51550 dmz
209.165.202.130:51549 dmz
172.16.1.2:80, idle 0:00:02, bytes 0, flags UB

172.16.1.2:80, idle 0:00:02, bytes 651, flags

In this task, you will add a global ACL to control access through the Cisco ASA security appliance. This
global ACL should allow only ICMP traffic from the DMZ network to the inside network. This global ACL
should also allow any traffic to all networks except the inside network.
Activity Procedure
Step 1
From the DMZ server, try to ping the Inside PC at 192.168.1.3. This attempt should fail.
Step 2
Use the Cisco Packet Tracer to troubleshoot this event.
Step 3
Return to the Cisco ASDM. Add four rules to the global access list.
Permit traffic from DMZ_SERVER_PUB to the inside network with the destination service ICMP.
Deny all other traffic from the DMZ network to the 192.168.1.0/24 inside network. (Hint: You can use
the inside network object group.)
Permit all traffic from the DMZ network to any destination.
Deny all other traffic.
Lab Guide
L-53
Step 4
Add the new object DMZ_SERVER_PUB to the network object group SERVERS.
Step 5
Use both the command prompt on the DMZ server and the Cisco Packet Tracer to verify that the DMZ
server can now ping the Inside PC. Also, verify that the DMZ server cannot use Telnet to connect to the
Inside PC.
Step 6
From the DMZ server, check that you can still open a web page to the Outside server.
Step 1
You used the Cisco Packet Tracer to troubleshoot the failed ping.
Step 2
You verified that the ping from the DMZ server to the Inside PC works but that Telnet is still blocked after
the global access list creation.
Step 3
You verified that the DMZ server access to the Outside server web page is still available.
Task 6: (Optional) Configure Unicast Reverse

Path Forwarding Check
It can be a labor-intensive task to configure per-interface access rules on the Cisco ASA security appliance
to protect your network against source-spoofed packets. Because the Cisco ASA security appliance can
refer to its routing table to determine which networks are reachable through which interface, the Cisco ASA
security appliance can also use its routing table to validate the source address of incoming packets. This
technique is called uRPF. The Cisco ASA security appliance supports strict uRPF, which means that
packets must arrive over the correct interface to be accepted.
Activity Procedure
Step 1
Using either the CLI or Cisco ASDM, enable the uRPF check on the inside, outside, and DMZ interfaces.
Step 2
Access your pod Px-Rtr router console. Verify the presence of a loopback interface. If none is present,
create a loopback interface that is named loopback1xx on the Px-Rtr router with the 192.168.1.1xx/32 IP
address where xx is your pod number (xx = 01 to 16).
Px-Rtr(config)#interface loopback1xx
Px-Rtr(config-if)#ip address 192.168.1.1xx 255.255.255.255
Step 1
From the Px-Rtr router privileged EXEC mode, you pinged the outside interface (209.165.201.2) using a
source IP address of the loopback1xx interface. The pings failed due to the uRPF check.
Lab Guide
L-55
Px-Rtr# ping
Protocol [ip]:
Target IP address: 209.165.201.2
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: loopback1xx
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 209.165.201.2, timeout is 2 seconds:
Step 2
Because the Px-Rtr router loopback interface is in the same subnet as the security inside interface, the uRPF
check failed and the ping packets are dropped. You should see a syslog message similar to the one shown
here using the ASA CLI console:
%ASA-1-106021: Deny ICMP reverse path check from 192.168.1.101 to 209.165.201.2 on interface
outside
Lab 4-1: Configuring MPF,

Basic Stateful Inspections,
and QoS
Activity Objective
Complete this lab activity to practice what you learned in the related module.
In this activity, you will configure and verify basic Cisco ASA Layer 3 and Layer 4 stateful inspection
options, and configure a priority queue using MPF. After completing this activity, you will be able to:
Configure ICMP and FTP inspection
Enable a TTL decrement and disable TCP initial sequence randomization for the specific traffic flow
Change TCP timeouts and TCP normalization and enable TCP DPD for the specific traffic flow
Configure a priority queue and policing
Visual Objective
Lab 4-1: Configuring MPF, Basic Stateful

Inspections, and QoS
Required Resources
These resources are the resources and equipment that are required to complete this activity:
Inside PC
DMZ server
Outside server
Cisco ISR router
Command List
Commands
Command
Description
priority-queue [interface]
This command creates a priority queue for an interface.
queue-limit
This command sets the maximum number of packets that are

queued in the priority queue.
Command
Description
show priority-queue statistics
This command displays the priority queue statistics.
show running-config
This command displays the configuration that is currently running

on the Cisco ASA security appliance.
show service-policy
This command displays service policy statistics.
show service-policy interface outside
This command displays the status and statistics of an interface

policy.
tx-ring-limit
This command sets the maximum number of packets queued at

the tx-ring for the priority queue.
Job Aids
Pod number
student/Ci5coAdmin
student/Ci5coAdmin
student/Ci5coAdmin
student/C!sco!23

In this task, you will first edit the default inspection policy, enable ICMP inspection, and disable FTP
inspection. You will examine the results of enabled ICMP and disabled FTP inspection.
Activity Procedure
Step 1
Access the Cisco ASA security appliance CLI. Enter the privileged EXEC mode.
Step 2
Verify the default service policy. Answer the following questions:
1
What is the default class map name?
What is the matching criterion for this class?
What is the default policy map name?
Which class is referred to in this policy map?
Examine the protocols that are inspected by the Cisco ASA security appliance by default.
Lab Guide
L-59
Step 3
Access the Inside PC and open a command prompt window. From the command prompt, ping the Outside
server at 209.165.202.130. The ping should be unsuccessful because ICMP is not inspected by default.
Step 4
Open an FTP session to the Outside server at 209.165.202.130. Log in with the username anonymous and
the password cisco. List the files that are available on the FTP server by using the ls command. The listing
should be successful because FTP inspection is enabled by default.
Step 5
Access the Cisco ASDM. Enable ICMP inspection and disable FTP inspection by editing the default
inspection policy.
Step 6
Step 7
Ping the Outside server at 209.165.202.130 again. This time, the ping should be successful because ICMP
inspection is enabled and ICMP is treated statefully.
Step 8
Open an FTP session to the Outside server at 209.165.202.130. List the files that are available on the FTP
server. This time, you should not be successful because the FTP inspection is now disabled and the Cisco
ASA security appliance does not allow the dynamically negotiated sessions to pass from a less-secure
interface to a more-secure interface. Recall that, when active FTP is used, a data session is initiated by the
FTP server.
Step 9
Return to the Cisco ASDM session and re-enable FTP inspection.
Step 10
Access the Cisco ASA security appliance CLI and examine the statistics for the default global policy.
Step 1
You examined the statistics for the default global policy:
Lab Guide
L-61
Px-ASA# show service-policy

Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: dns preset_dns_map, packet 4837, lock fail 0, drop 0, reset-drop 0, v6fail-close 0
Inspect: h323 h225 _default_h323_map, packet 0, lock fail 0, drop 0, reset-drop
0, v6-fail-close 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: h323 ras _default_h323_map, packet 0, lock fail 0, drop 0, reset-drop
0, v6-fail-close 0
Inspect: ip-options _default_ip_options_map, packet 0, lock fail 0, drop 0,
reset-drop 0, v6-fail-close 0
Inspect: netbios, packet 0, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
Inspect: rsh, packet 0, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
Inspect: rtsp, packet 0, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
Inspect: skinny , packet 0, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
Inspect: esmtp _default_esmtp_map, packet 0, lock fail 0, drop 0, reset-drop 0,
v6-fail-close 0
Inspect: sqlnet, packet 0, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
Inspect: sunrpc, packet 0, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
Inspect: tftp, packet 0, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
Inspect: sip , packet 0, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
Inspect: xdmcp, packet 0, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
Inspect: icmp, packet 8, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
Inspect: ftp, packet 0, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
Task 2: Enable TTL Decrement and Disable TCP

Initial Sequence Randomization
By default, the Cisco ASA security appliance does not decrement TTL in packets traversing the Cisco ASA
security appliance. In this task, you will first configure the Cisco ASA security appliance to decrement TTL
for traffic flow from the Inside PC to the Outside server. The Cisco ASA security appliance also
randomizes the ISN of TCP segments going through the Cisco ASA security appliance. In some cases, this
setting is not desired. In this task, you will then disable TCP ISN randomization for traffic flow from the
Inside PC to the server.
Activity Procedure
Step 1
Open a command prompt on the Inside PC and ping the Outside server at 209.165.202.130 again. The ping
should be successful. Examine the TTL number that is reported by the ping. It should be 63.
Step 2
Return to the Cisco ASDM. Configure a new service policy and apply it to the inside interface. Inside the
new service policy, you will enable TTL decrement and disable TCP ISN randomization. Use the following
parameters for the service policy:
Name of the Service Policy: INSIDE-POLICY
Traffic Class Name: IN-TO-OUT-TRAFFIC
Traffic Classification: HTTP, FTP, and ICMP traffic from 192.168.1.0/24 to the 209.165.202.130
server
Apply these rule actions:
Decrement TTL for traffic flow.
Disable TCP ISN randomization.
Lab Guide
L-63
Step 3
Step 4
Ping the server at 209.165.202.130 again. The ping should be successful. Examine the TTL number that is
reported by the ping. It should now be 62 because the Cisco ASA security appliance also decremented the
TTL of packets.
Step 5
Examine the created service policy.
Step 1
You examined the created service policy:
Lab Guide
L-65

Global policy:
.
<output omitted>
.
Interface inside:
Service-policy: INSIDE-POLICY
Class-map: IN-TO-OUT-TRAFFIC
Set connection policy: random-sequence-number disable
current embryonic conns 0, current conns 0, drop 0
Set connection decrement-ttl
Task 3: Tune TCP Timeouts, Enable TCP DCD,

and Configure TCP Normalization
In this task, you will tune TCP timeouts for traffic from the outside server to the DMZ server. You will also
enable TCP DCD to enable the Cisco ASA security appliance to detect valid, but idle, TCP connections.
You will also enable TCP normalization by creating a TCP map and applying it to traffic from the outside
server to the DMZ server.
Activity Procedure
Step 1
Return to the Cisco ASDM. Create a TCP map with the following parameters:
Use OUT-TO-DMZ-TCP-MAP as the name of the TCP map.
Enable the dropping of TCP SYN packets with data.
Enable checking if retransmitted data is the same as the original.
Enable verification of TCP checksum.
Leave all other settings at their defaults.
Step 2
Step 3
Configure a new service policy and apply it to the outside interface. Inside the new service policy, you will
change the TCP timeouts and enable DCD and TCP normalization. Use the following parameters for the
service policy:
Name of the Service Policy: OUTSIDE-POLICY
Traffic Class Name: OUT-TO-DMZ-TRAFFIC
Traffic Classification: HTTP, FTP, TFTP, and ICMP traffic from the Outside server
(209.165.202.130) to the DMZ server (172.16.1.2)
Set the embryonic connection timeout to 10 seconds.
Set the half-closed connection timeout to 5 minutes.
Set the connection timeout to 10 minutes.
Enable DCD with default parameters.
Enable TCP normalization by appending the previously created TCP map (OUT-TO-DMZ-TCP-MAP)
to the traffic flow.
Lab Guide
L-67
Step 4
Step 5
Examine the created service policy.
Step 1
Px-ASA# show service-policy interface outside

Interface outside:
Service-policy: OUTSIDE-POLICY
Class-map: OUT-TO-DMZ-TRAFFIC
Set connection policy:
drop 0
Set connection timeout policy:
embryonic 0:00:10 half-closed 0:05:00 idle 0:10:00
DCD: enabled, retry-interval 0:15:00, max-retries 5
DCD: client-probe 0, server-probe 0, conn-expiration 0
Set connection advanced-options: OUT-TO-DMZ-TCP-MAP
Retransmission drops: 0
TCP checksum drops : 0
Exceeded MSS drops : 0
SYN with data drops: 0
Invalid ACK drops
: 0
SYN-ACK with data drops: 0
Out-of-order (OoO) packets : 0
OoO no buffer drops: 0
OoO buffer timeout drops : 0
SEQ past window drops: 0
Reserved bit cleared: 0
Reserved bit drops : 0
IP TTL modified
: 0
Urgent flag cleared: 0
Window varied resets: 0
TCP-options:
Selective ACK cleared: 0
Timestamp cleared : 0
Window scale cleared : 0
Other options cleared: 0
Other options drops: 0
Task 4: Configure a Priority Queue and Traffic

Policing
In this task, you will configure a priority queue on the outside interface. You will then send FTP traffic
from the Inside PC to the priority queue. You will then configure traffic policing on the outside interface for
all HTTP traffic to the Outside server.
Activity Procedure
Step 1
From either Cisco ASDM or the Cisco ASA CLI, create a priority queue on the outside interface with a
queue limit of 512 packets and a transmission ring limit of 256 packets.
priority-queue outside
queue-limit
512
tx-ring-limit 256
Lab Guide
L-69
Step 2
Return to the Cisco ASDM and configure a new service policy. Edit the policy that is configured on the
outside interface. Inside the new service policy, identify FTP traffic from the Inside PC to the Outside
server and send that traffic to the priority queue that is configured on the outside interface. Use the
following parameters for the service policy:
Traffic Class Name: CLIENT-TO-SERVER-FTP
Traffic Classification: FTP traffic from the Inside PC (192.168.1.3) to the Outside server
(209.165.202.130)
Apply this rule action:
Enable priority for this flow.
Step 3
Step 4
From the Inside PC, open an FTP session to the Outside server at 209.165.202.130. List the files that are
available on the FTP server. Log in with the username anonymous and the password cisco. Retrieve a list
of files with the ls command.
Step 5
From the Cisco ASA CLI command line, examine the modified service policy and the priority queue
statistics.
Step 6
Configure a new service policy and add it to the policy that is configured on the outside interface. Inside the
new service policy, you will identify HTTP traffic from all sources to the Outside server and police that
traffic in the outbound direction. Use the following parameters for the service policy:
Traffic Class Name: OUTBOUND-HTTP
Traffic Classification: HTTP traffic from anywhere to the Outside server (209.165.202.130)
Committed Rate: 1 Mbps
Burst Rate: 1500 B
Step 7
Lab Guide
L-71
Step 8
From the DMZ server, open a web page to the Outside server at 209.165.202.130.
Step 9
From the Cisco ASA CLI command line, examine the modified service policy.
Step 1
Px-ASA# show service-policy interface outside
Interface outside:
Service-policy: OUTSIDE-POLICY
Class-map: OUT-TO-DMZ-TRAFFI
Set connection policy:
drop 0
Set connection timeout policy:
embryonic 0:00:10 half-closed 0:05:00 idle 0:10:00
DCD: enabled, retry-interval 0:15:00, max-retries 5
DCD: client-probe 0, server-probe 0, conn-expiration 0
Set connection advanced-options: OUT-TO-DMZ-TCP-MAP
Retransmission drops: 0
TCP checksum drops : 0
Exceeded MSS drops : 0
SYN with data drops: 0
Invalid ACK drops
: 0
SYN-ACK with data drops: 0
Out-of-order (OoO) packets : 0
OoO no buffer drops: 0
OoO buffer timeout drops : 0
SEQ past window drops: 0
Reserved bit cleared: 0
Reserved bit drops : 0
IP TTL modified
: 0
Urgent flag cleared: 0
Window varied resets: 0
TCP-options:
Selective ACK cleared: 0
Timestamp cleared : 0
Window scale cleared : 0
Other options cleared: 0
Other options drops: 0
Class-map: CLIENT-TO-SERVER-FTP
Priority:
Interface outside: aggregate drop 0, aggregate transmit 13
Class-map: OUTBOUND-HTTP
Output police Interface outside:
cir 1000000 bps, bc 1500 bytes
conformed 19 packets, 2565 bytes; actions: transmit
exceeded 0 packets, 0 bytes; actions: drop
conformed 96 bps, exceed 0 bps
Class-map: class-default
Lab 4-2: Configuring MPF

Advanced Application
Inspections
Activity Objective
In this activity, you will configure and verify Cisco ASA advanced application inspections. After
completing this activity, you will be able to:
Configure HTTP inspection to verify conformance to the HTTP protocol and to prevent HTTP requests
containing certain file types
Protect the DMZ server by limiting FTP commands from the networks
Remove any user-configured inspection policies
Visual Objective
Lab 4-2: Configuring MPF Advanced

Application Inspections
Required Resources
Inside PC
DMZ server
Outside server
Cisco ISR router
Command List
Commands
Command
Description
clear service-policy
This command clears the service policy statistics.
show service-policy global inspect
This command displays the service policy statistics.
Job Aids
Pod number
student/Ci5coAdmin
student/Ci5coAdmin
student/Ci5coAdmin
Cisco ASA username / password
student/C!sco!23
Task 1: Configure HTTP Inspection to Protect the

DMZ Server
In this task, you will create an application layer policy for HTTP traffic between the Outside server and the
DMZ server. You will configure the Cisco ASA security appliance to drop all requests that do not conform
to the HTTP protocol. You will also configure the Cisco ASA security appliance to drop traffic containing
certain file types by using regular expressions.
Activity Procedure
Step 1
Access the Cisco ASDM on the Inside PC.
Step 2
Delete all previous service policies for the outside interface.
Step 3
Create an HTTP inspection policy map that is named MY-HTTP-POLICY.
Lab Guide
L-75
Step 4
Enable HTTP protocol verification to drop and log all HTTP sessions that do not conform to the standard
protocol specification.
Step 5
Create a new service policy rule and apply it globally. Create a new traffic class inside the global policy
with the following parameters:
Traffic Class Name: WEB-SERVER-PROTECTION
Traffic Matching: HTTP traffic from the Outside PC (209.165.202.131) to the DMZ server
Action: Apply the configured MY-HTTP-POLICY HTTP inspection policy map
Lab Guide
L-77
Lab Guide
L-79
Step 6
Ensure that the configured service policy rule will be matched before the default service policy rule.
Step 7
Step 8
Access the Outside PC. Start PuTTY by double-clicking the PuTTY icon. Simulate a protocol violation by
using Telnet to connect from the Outside PC to the DMZ server public IP address (209.165.201.22) by
using port 80. Enter random data and press ENTER several times.
Step 9
Access the Inside PC and observe the logging messages on the Kiwi Syslog server regarding dropped
packets. The relevant logging message is 507003. (Alternately, view the real-time log viewer in Cisco
ASDM.)
Step 10
Access the Cisco ASA security appliance CLI. Verify the service policy statistics. Verify the packet
counters to see whether packets are being inspected and dropped by the inspector.
Step 11
Clear global service policy statistics.
Step 12
Return to the Outside PC. Verify HTTP connectivity from the Outside PC to the DMZ server at http://
209.165.201.22. This attempt should be successful.
Step 13
Verify HTTP connectivity from the Outside PC to the DMZ server at http://209.165.201.22/whatever.htm.
Note
The requested page will not be displayed because it does not exist. Nevertheless, you should receive an
error page from the DMZ server.
Step 14
Return to the Cisco ASDM session on the Inside PC.
Step 15
Create a regular expression class that is named DMZ-REGEX that will include the following parameters:
Create and match a regular expression that matches all .txt files
Create and match a regular expression that matches all .mp4 files
Step 16
Edit the MY-HTTP-POLICY inspection map to match the configured regular expressions inside the HTTP
request URI. You should reset and log attempts to access these URIs.
Step 17
Return to the Outside PC. Verify HTTP connectivity from the Outside PC to the DMZ server at http://
209.165.201.22. This attempt should be successful.
Step 18
Verify HTTP connectivity from the Outside PC to the DMZ server by clicking the Files tab from the DMZ
server web page. Try to open the .txt file shown; this attempt should be unsuccessful. Also try to open
the .mp4 file, which should also be unsuccessful.
Lab Guide
L-81
Note
You may have to clear your browser cache to get the desired result.
Step 19
Observe the logging messages on the Kiwi Syslog server about the DMZ server regarding the TCP flow
being reset. The relevant logging message is 507003.
Step 20
Return to the Cisco ASA security appliance CLI. Verify the service policy statistics. Verify the packet
Step 21
Clear the global service policy statistics.
Step 22
Return to the Cisco ASDM session on the Inside PC. Remove the service policy rule that applied the MYHTTP-POLICY inspection policy map.
Step 1
You observed the log on the Cisco ASDM real-time log viewer or the Kiwi Syslog server on the DMZ
server regarding dropped packets:
Step 2
You verified the service policy statistics.
Step 3
You verified HTTP connectivity from the Outside PC to the DMZ server before HTTP inspection is
configured.
Step 4
You verified HTTP connectivity from the Outside PC to the DMZ server after HTTP inspection is
configured.
Step 5
You verified HTTP connectivity from the Outside PC to the DMZ server after HTTP inspection is
configured so that .txt and .mp4 type files are not allowed. The resulting syslog messages are displayed in
the Kiwi Syslog server.
Step 6
You removed the service policy rule that applied the MY-HTTP-POLICY inspection policy map
Task 2: Configure FTP Inspection to Protect the

DMZ Server
In this task, you will create an application layer policy for FTP traffic between the Outside PC and the DMZ
server. You will configure the Cisco ASA security appliance to drop all commands except the get
command.
Activity Procedure
Step 1
Create an FTP inspection policy map that is named MY-FTP-POLICY. Configure the policy to drop and
log all commands with the exception of the get command.
Lab Guide
L-83
Step 2
Create a new service policy rule and apply it globally. Create a new traffic class inside the global policy
with the following parameters:
Traffic Class Name: FTP-SERVER-PROTECTION
Traffic Match Criteria: FTP traffic from the Outside PC (209.165.202.131) to the DMZ server public
address
Action: Apply the configured MY-FTP-POLICY FTP inspection policy map
Lab Guide
L-85
Step 3
Make sure that the configured service policy rule will be matched before the default service policy rule.
Step 4
Step 5
Access the Outside PC. Open a command prompt and use FTP to contact the DMZ server at
209.165.201.22. Log in with the username anonymous and the password cisco. List the contents of the
directory with the ls command.
Step 6
In the same FTP session, change to the files directory with the cd files command. Again list the contents of
the directory. Get the text file that is named ARTOFWAR.TXT by using the get command. The file download
should be successful.
Step 7
In the same FTP session, make a directory on the FTP server. Use the FTP command, mkd, and name the
directory ASA. The connection should be reset.
Step 8
Access the Inside PC. Observe the logging messages on the Kiwi Syslog server regarding dropped packets.
The relevant logging message is 507003. (Alternatively, view the real-time log viewer in Cisco ASDM.)
Step 9
Access the Cisco ASA security appliance CLI. Verify the service policy statistics. Verify the packet
Step 10
Return to the Outside PC and end the FTP session by using the quit command.
Step 1
You observed the log on the Cisco ASDM real-time log viewer or the Kiwi Syslog server on the Inside PC
regarding dropped packets.
Step 2
You verified the service policy statistics:
Px-ASA# show service-policy inspect ftp
Global policy:
Class-map: FTP-SERVER-PROTECTION
Inspect: ftp strict MY-FTP-POLICY, packet 192, lock fail 0, drop 1, reset-drop
3, v6-fail-close 0
Reply code invalid drop
1
mask-banner enabled
mask-syst-reply enabled
match request-command appe cdup help rnfr rnto put stou site dele mkd rmd
reset log, packet 3
Inspect: ftp, packet 0, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
Lab Guide
L-87
Task 3: Return the Cisco ASA Security Appliance

to the Default Inspection Policies
In this task, you will remove any user-configured inspection policies. You will leave the default inspection
policy to ensure subsequent lab functioning.
Activity Procedure
Step 1
Remove all inspection policies that were configured during the lab.
Step 2
Verify that your service policy configuration is returned to the default setting.
Step 1
You verified that the default service policy is the only service policy applied.
Global policy:
<output omitted>
Lab 6-1: Implementing Basic

Clientless SSL VPN on the
Cisco ASA
Activity Objective
In this lab activity you will deploy basic clientless SSL VPNs on the Cisco ASA security appliance and
access the SSL VPN portal from the Outside PC. After initially enabling the clientless SSL VPN
connections, you will see that the client browser reports security problems with the server certificate. To
resolve the problem, you will enroll the Cisco ASA with the certificate authority that is running on the
Inside server. This will enable the browser on the Outside PC to trust the ASA certificate. You will then
configure user authentication for basic clientless SSL VPN, including creating a custom group policy and a
custom connection profile that uses local authentication. You will also configure an alias for the connection
profile and allow users to choose a connection profile at logon. Next, you will create a bookmark and a web
ACL and apply both to the custom group policy. Throughout the lab, you will verify the operations of your
configurations.
Upon completing this activity, you will be able to:
Enable clientless SSL VPN connections on the Cisco ASA
Provision an identity certificate for the Cisco ASA
Configure user authentication for basic clientless SSL VPN
Configure a bookmark and a web ACL and apply them to a group policy
Visual Objective
Lab 6-1: Implementing Basic Clientless SSL

VPN on the Cisco ASA
Required Resources
Inside PC
Inside server
Outside PC
Command List
No commands are needed for this lab exercise. All tasks are performed with the Cisco ASDM GUI
interface.
Job Aids
Pod number
Outside PC username/password
student/Ci5coAdmin
student/Ci5coAdmin
Inside server username/password
Administrator/Cisco123
student/C!sco!23

In this task, you will configure the Cisco ASA to use the DNS that is running on the inside server. This
configuration will enable you to use names instead of IP addresses to access resources on the protected
network. When a clientless SSL VPN user requests a resource by name, the ASA (acting as a proxy) uses
the DNS to resolve the name and makes a connection to the requested resource itself (if the web ACL
policy permits). The Cisco ASA then stitches the two connections (the connection between the client and
itself and the connection between itself and the requested resource) together.
Activity Procedure
Step 1
If Cisco ASDM is not already open on the Inside PC, launch Cisco ASDM on the Inside PC to access the
Cisco ASA at the IP address 192.168.1.1. Log in with the username student and the password C!sco!23.
Step 2
Configure the Cisco ASA to use the DNS on the Inside server.
A) Navigate to Configuration > Device Management > DNS > DNS Client. The DNS Client panel is
displayed.
B) Choose the Configure One DNS Server Group radio button.
C) Enter the IP address of the inside server, 192.168.1.2, in the Primary DNS Server field.
D) Verify that secure-x.local is displayed in the Domain Name field.
E) In the DNS Lookup area, choose True in the DNS Enabled column for the inside interface.
F) Click Apply in the DNS Client window.
G) Preview the commands to be sent to the Cisco ASA, and click the Send button.

In this task, you will enable clientless SSL VPN on the Cisco ASA.
Activity Procedure
Lab Guide
L-91
Step 1
In Cisco ASDM, navigate to Configuration > Remote Access VPN > Clientless SSL VPN Access >
Connection Profiles and check the check box next to the outside interface.
Step 2
Click Apply.
Step 3
Preview the commands and click Send.
Note
In the verification procedure, you will use Internet Explorer. The verification procedure will not work as
expected if you use a Firefox browser because Firefox uses a different certificate store than Internet
Explorer does.
Step 1
On the Outside PC, add an entry for the outside interface of the Cisco ASA to the host file. (In a production
environment, the hostname should be resolved by a public DNS.)
A) Go to Start and type notepad in the search field.
B) Right-click Notepad and choose Run as Administrator.
C) Click File > Open and browse to C:\Windows\System32\drivers\etc\hosts.
Note
The hosts file will be displayed only if All Files is chosen in the Open window.
D) Open the hosts file.

E) Add an entry that maps 209.165.201.2 to Px-ASA.secure-x.public (where the first x = pod number).
F) Verify that you mapped 209.165.201.2 to Px-ASA.secure-x.public (where the first x = pod number),
not to Px-ASA.secure-x.local (where the first x = pod number).
G) Save the hosts file.
Step 2
From the Outside PC, open Internet Explorer and access https://Px-ASA.secure-x.public (where the first X
= pod number). You will see a security warning because the Outside PC browser cannot validate the VPN
server certificate. The VPN server (the Cisco ASA) has not yet been enrolled in the PKI.
Lab Guide
L-93
Step 3
Continue to this website and log in as the user student with the password C!sco!23. You will access the
SSL VPN portal.
Step 4
Click the Certificate Error field in the URL window and then click View Certificates. You will see the
certificate information. The ASA temporary self-signed certificate is not trusted. Do not install it. Instead of
installing the Cisco ASA self-signed certificate, you will enroll the Cisco ASA in the PKI.
Task 3: Provision an Identity Certificate for the

Cisco ASA
Having seen that the client receives a warning when connecting to the SSL VPN portal, you will now enroll
the Cisco ASA with the CA running on the inside server. To enroll the ASA with the PKI, you will install
the CA root certificate on the Cisco ASA, generate a certificate signing request on the Cisco ASA, issue the
identity certificate on the Inside server, and install the identity certificate on the Cisco ASA. The Outside
PC already has the Inside server root certificate in its certificate store and will use it to validate the Cisco
ASA certificate obtained from the Inside server.
Activity Procedure
Lab Guide
L-95
Step 1
Install the CA root certificate on the Cisco ASA:
A) In Cisco ASDM, navigate to Configuration > Remote Access VPN > Certificate Management > CA
Certificates. Add the CA root certificate by using the trustpoint name HQ-Srv.
B) Choose Install from a File and choose the CA root certificate file that is stored on the Inside PC (D:
\misc\HQ-SRV-CA.cer).
C) Click Install Certificate.
D) Preview the commands and send them to the Cisco ASA.

E) Click OK in the popup window about successful certified installation.
F) Examine the certificate by using the Edit and Show Details buttons.
Step 2
Generate a certificate signing request on the Cisco ASA. The request will contain the identity information
of the Cisco ASA and the public RSA key. You will later submit this request to the CA and the CA will
issue an identity certificate for the ASA.
A) In the Cisco ASDM, navigate to Configuration > Remote Access VPN > Certificate Management >
Identity Certificates.
B) Click Add. The Add Identity Certificate window opens.
C) Set the trustpoint name to HQ-Srv.
D) Choose Add a New Identity Certificate.
E) Click New to generate a new RSA key pair.
Note
The figure shows CN=P7-ASA in the Certificate Subject DN field instead of CN=Px-ASA because
the screen shot was taken on a live pod, Pod 7. Your pod number should be displayed instead of
the number 7.
F) In the Add Key Pair window, set the length to 2048 bits. Set the name to SSL-Keys. Click the
Generate Now button.
Lab Guide
L-97
Note
The minimum size for the web server certificate template that is configured on the Inside server CA
is 2048 b.
G) In the Add Identity Certificate window, enter CN=Px-ASA.secure-x.public (where the first x = pod
number) in the Certificate Subject DN field.
H) Click Advanced.
Note
I)
The figure shows CN=P7-ASA.secure-x.public in the Certificate Subject DN field instead of CN=PxASA.secure-x.public because the screen shot was taken on a live pod, Pod 7. Be sure to use your
pod number in the Certificate Subject DN field instead of the number 7.
In the Certificate Parameters tab of the Advanced Options window, change the FQDN from PxASA.secure-x.local to Px-ASA.secure-x.public (where the first x = pod number).
J)
Click OK.
Note
The figure shows P7-ASA.secure-x.public in the FQDN field instead of Px-ASA.secure-x.public

because the screen shot was taken on a live pod, Pod 7. Be sure to use your pod number in the
FQDN field instead of the number 7.
K) Click Add Certificate in the Add Identity Certificate window.

L) Preview the commands and send them to the Cisco ASA. The Identity Certificate Request window is
displayed.
M) Save the certificate signing request as asa-csr.pem on disk C:\.
N) Click OK.
Lab Guide
L-99
Step 3
Submit the request to the certificate authority:
A) On the Inside PC, open a web browser and connect to http://hq-srv:5080/certsrv. Log in with the
username Administrator and the password Cisco123.
B) Click Request a Certificate.
C) Choose Advanced Certificate Request.

D) Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal
request by using a base-64-encoded PKCS #7 file.
E) From the Certificate Template drop-down list, choose Web Server.
F) Open WordPad, open the C:\asa-csr.pem file, and copy the entire contents of the certificate signing
request and paste it into the text box in the Saved Request section.
G) Click Submit.
H) Click Download Certificate and save the certificate as C:\asa-cert.cer.
Step 4
Install the obtained identity certificate on the Cisco ASA:
A) In the Cisco ASDM, return to Configuration > Remote Access VPN > Certificate Management >
Identity Certificates. Click Install for the certificate that is now in the enrollment procedure.
B) Choose the Install from a File option.

C) Browse to choose the file (C:\asa-cert.cer) and then click Install Certificate.
D) Preview and send the commands to the Cisco ASA.
E) Click OK in the popup window about the successful certificate import.
F) Examine the installed identity certificate by clicking Show Details.
Lab Guide
L-101
Step 5
Configure the Cisco ASA to use the obtained identity certificate for SSL VPN. The certificate used in SSL
VPNs has several effects. First, the ASA will send this identity certificate in the initial SSL handshake with
the clients. Second, the clients will attempt to validate this certificate, possibly using the CA root certificate.
Third, the ASA will sign the VPN data using the generated ASA private key. Lastly, the clients will verify
the signatures using the corresponding ASA public key, which is embedded in the identity certificate.
A) In the Cisco ASDM, go to Configuration > Remote Access VPN > Clientless SSL VPN Access >
Connection Profiles, and click Device Certificate. The Specify Device Certificate window opens.
B) Choose the installed identity certificate from the Device Certificate drop-down list.
C) Click OK.
D) Click Apply in the Connection Profiles panel.

E) Preview the commands and send them to the Cisco ASA.
In this verification procedure, you will first verify that the SSL VPN client browser does not return any
security warnings when connecting to the SSL VPN portal. Then you will examine the certificate store in
Internet Explorer on the Outside PC and identify the CA root certificate used to validate the Cisco ASA
certificate. Finally, you will verify that the connections to the IP address of the ASA from other web
browsers still return the security errors.
Step 1
In Internet Explorer on the Outside PC, refresh the HTTPS session to Px-ASA.secure-x.public (where the
first x = pod number). There should be no warnings.
Step 2
Examine the certificate details by clicking the lock icon and the View Certificates link. In the Certification
Path tab, you will see that the the ASA identity certificate has been signed by HQ-SRV-CA.
Lab Guide
L-103
Step 3
Examine the certificate store in Internet Explorer on the Outside PC and identify the CA root certificate that
is used to validate the Cisco ASA certificate:
A) In Internet Explorer on the Outside PC, navigate to Tools > Internet Options > Content >
Certificates > Trusted Root Certification Authorities.
B) Search for the InsideServer CA certificate and optionally view it. This CA root certificate has been
preinstalled on the Outside PC and allows Internet Explorer to validate the ASA identity certificate
issued by the InsideServer CA.
Step 4
From the Outside PC, test other HTTPS connections to the VPN portal:
A) From Internet Explorer, connect via HTTPS to the ASA outside IP address (209.165.201.2). You will
get the security warning because the URL does not contain the FQDN embedded in the ASA identity
certificate.
B) From Mozilla Firefox, connect to https://Px-ASA.secure-x.public (where the first x = pod number).
You will get a security warning because Firefox uses a dedicated certificate store. The Firefox
certificate store does not contain the InsideServer-CA root certificate and therefore cannot validate the
ASA certificate.
C) From Google Chrome, connect to https://Px-ASA.secure-x.public (where the first x = pod number).
You will not get a security warning because Chrome uses the Microsoft certificate store.

In this task, you will create a user account in the local user database of the Cisco ASA, configure a group
policy for clientless SSL VPN, create a custom connection profile, and apply the group policy to connection
profile. While creating the connection profile, you will also define an alias for the connection profile and
allow users to choose the connection profile at logon.
Activity Procedure
Step 1
Create a user account in the local user database of the Cisco ASA.
A) Return to your Cisco ASDM session.
B) Go to Configuration > Remote Access VPN > AAA/Local Users > Local Users and click Add in the
Local Users panel. The Add User Account window opens.
C) Create a user account in the local database, using these parameters:
Username: clientlessuser
Password: cisco123
Access Restriction: No ASDM, SSH, Telnet or Console access
D) Click OK.
E) Click Apply in the Local Users panel.

F) Preview the commands and send them to the Cisco ASA.
Lab Guide
L-105
Step 2
Create a custom group policy for clientless SSL VPN.
A) In Cisco ASDM, choose Configuration > Remote Access VPN > Clientless SSL VPN Access >
Group Policies. The Group Policies panel is displayed.
B) Choose Add > Internal Group Policy. The Add Internal Group Policy window opens.
C) Name the policy BASIC-CLIENTLESS-GROUP-POLICY.
D) Enable only the clientless SSL VPN protocol for the group policy.
E) Click OK.
F) Click Apply in the Group Policies panel.

G) Preview the commands and send them to the Cisco ASA.
Step 3
Create a custom connection profile that uses local user authentication.
A) Choose Configuration > Remote Access VPN > Clientless SSL VPN Access > Connection Profiles.
B) In the Connection Profiles area of the Connection Profiles panel, click Add. The Add Clientless SSL
VPN Connection Profile window opens.
C) Verify that AAA is chosen as the authentication method and that LOCAL is displayed in the AAA
Server Group drop-down list.
D) Verify that the Enable Clientless SSL VPN Protocol check box is checked.
E) Configure the connection profile with the following parameters:
Name: BASIC-CLIENTLESS-PROFILE
Alias: BASIC-PORTAL
Servers: 192.168.1.2
Note
The IP address 192.168.1.2 may be displayed by default in the Servers field (in the DNS
section). If it is not displayed, enter 192.168.1.2 in the Servers field.
Default Group Policy: BASIC-CLIENTLESS-GROUP-POLICY

F) Click OK.
Lab Guide
L-107
G) In the Connection Profiles panel, check the box to allow users to choose a connection profile on the
logon page.
H) Click Apply.
I)
Preview the commands and send them to the Cisco ASA.
Step 1
From Internet Explorer on the Outside PC, refresh your connection to https://Px-ASA.secure-x.public
(where the first x = pod number) or navigate to it.
Step 2
Log in to the SSL VPN portal by using the username clientlessuser and the password cisco123. You should
be able to access the SSL VPN portal.
Step 3
Verify that HTTP is chosen in the URL entry drop-down list. Enter hq-srv.secure-x.local in the address
field. Click Browse. You should see the Inside-SRV web page in your browser.
Step 4
Return to the clientless SSL VPN portal.
Step 5
Choose FTP from the URL entry drop-down list, and enter 172.16.1.2 (the IP address of the DMZ server) in
the Address field. Click Browse. FTP access to the DMZ server should be successful. You should see a list
of files and folders on the DMZ server.
Step 6
Return to your Cisco ASDM session.
Step 7
Choose Monitoring > VPN > VPN Statistics > Sessions to check for clientless SSL VPN remote access
sessions.
Lab Guide
L-109
Step 8
In the Sessions panel, choose Clientless SSL VPN from the Filter By drop-down list. You should see one
established VPN session.

In this task, you will configure a bookmark and a web ACL and apply them to your custom group policy,
BASIC-CLIENTLESS-GROUP-POLICY.
Activity Procedure
Step 1
Configure a bookmark list.
Portal > Bookmarks and click Add. The Add Bookmark List window opens.
B) Name the bookmark list MY-BOOKMARKS and click Add. The Select Bookmark Type window
opens.
C) Verify that the URL with GET or POST Method option is chosen, and click OK. The Add Bookmark
window opens.
D) Give the bookmark these parameters:
Bookmark Title: Inside server
URL: http://hq-srv.secure-x.local
E) Click OK.
F) Click Add again in the Add Bookmark List window to add another bookmark to the list.
G) Verify that the URL with GET or POST Method option is chosen, and click OK. The Add Bookmark
window opens.
H) Give the bookmark these parameters:
Bookmark Title: DMZ server
URL: ftp://172.16.1.2
I)
Click OK.
Lab Guide
L-111
J)
Click OK.
K) In the Bookmarks panel, choose the bookmark list that you just configured and click Assign.
L) Assign the bookmark list to the group policy named BASIC-CLIENTLESS-GROUP-POLICY.
M) Click OK.
N) Click Apply in the Bookmarks panel.

O) Review the commands and send them to the Cisco ASA.
P) If you are logged in to the clientless SSL VPN portal from Internet Explorer on the Outside PC, log out
and then log back in as clientlessuser with the password cisco123. Otherwise, from Internet Explorer
on the Outside PC, navigate to https://Px-ASA.secure-x.public (where the first x = pod number), and
log in as clientlessuser with the password cisco123. You should be able to access the SSL VPN portal.
Q) Test the bookmarks. You should be able to access the web page of the Inside server by clicking the
Inside Server bookmark. You should be able to access files and folders on the DMZ server by clicking
the DMZ Server bookmark.
R) Log out of the portal.
Lab Guide
L-113
Step 2
Configure a web ACL.
Advanced > Web ACLs.
B) Click Add > Add ACL in the Web ACLs panel. The Add ACL dialog box is displayed.
C) In the ACL Name field, enter the name BASIC-CLIENTLESS-ACL.
D) Click OK. The new web ACL is displayed in the Web ACLs panel.
E) Choose the newly created ACL in the Web ACLs panel, and choose Add > Add ACE to add an ACE
to the new web ACL. The Add ACE window opens.
F) In the Add ACE window, configure the ACE to permit FTP access to the DMZ server.
G) Click OK.
H) Click Apply in the Web ACLs panel.

I)
Review the commands and send them to the Cisco ASA.
J)
To apply the web ACL to the custom group policy, first choose Configuration > Remote Access VPN
> Clientless SSL VPN Access > Group Policies. The Group Policies panel is displayed.
Note
You could also apply the web ACL to the group policy in the same way you assigned your
bookmark to the group policy, by choosing the web ACL in the Web ACLs panel, clicking Assign,
and checking the appropriate box in the Assign Web ACL window.
K) Choose the group policy named BASIC-CLIENTLESS-GROUP-POLICY and click Edit. The Edit
Internal Group Policy window opens.
L) Expand the More Options area. Uncheck the Inherit check box next to Web ACL, and verify that the
web ACL that is named BASIC-CLIENTLESS-ACL is chosen from the Web ACL drop-down list.
Note
You could also apply the bookmark to the group policy in this manner, by choosing the Portal option
in the navigation pane, unchecking the Inherit check box next to Bookmark List, and choosing the
configured bookmark from the drop-down list.
M) Click OK.
N) Click Apply in the Group Policies panel.

O) Review the commands and send them to the Cisco ASA.
Lab Guide
L-115
Step 1
If you are logged in to the clientless SSL VPN portal (https://Px-ASA.secure-x.public, where the first x =
pod number) from Internet Explorer on the Outside PC, log out and then log back in with the username
clientlessuser and the password cisco123. You should be able to access the SSL VPN portal. Notice that
the Inside server bookmark is greyed out and not operational. The web ACL permits access to only the
DMZ server.
Step 2
Click the DMZ Server link to verify that the bookmark is still operational. You should still be able to see
the files and folders on the DMZ server.
Lab 6-2: Configuring

Application Access for
Clientless SSL VPN on the
Cisco ASA
Activity Objective
In this lab activity, you will deploy application plug-ins, such as the SSH plug-in, for clientless SSL VPNs
on the Cisco ASA security appliance in order to enable access to internal applications. You will also
implement smart tunnels for clientless SSL VPNs on the Cisco ASA in order to enable RDP connections to
the Inside server.
Deploy application plug-ins in the clientless SSL VPNs
Deploy smart tunnels in the clientless SSL VPNs
Visual Objective
Lab 6-2: Configuring Application Access for

Clientless SSL VPN on the Cisco ASA
Required Resources
Inside PC
Inside server
Outside PC
Job Aids
Pod number
student/Ci5coAdmin
student/Ci5coAdmin
student/C!sco!23
Task 1: Configure Application Access Using Plugins

In this task you will configure application access using plug-ins. You will configure a custom group policy
and connection profile for that purpose.
Activity Procedure
Step 1
Import the SSH/Telnet plug-in to the Cisco ASA security appliance:
A) From the Inside PC, log in to Cisco ASDM, and choose Configuration > Remote Access VPN >
Clientless SSL VPN Access > Portal > Client-Server Plug-ins.
B) Click Import and choose ssh,telnet from the Plug-in Name (Protocol) drop-down list.
C) Browse to the plug-in file (D:\Plugins\ssh-plugin.120911.jar) on the Inside PC.
D) Click Import Now to import the plug-in.
After you click Import Now, the plug-in should display in the Client-Server Plug-ins panel.
Lab Guide
L-119
Step 2
Add an SSH URL to the existing bookmark list MY-BOOKMARKS. Bookmarks provide the easiest
method to define accessible resources.
A) In the Cisco ASDM, choose Configuration > Remote Access VPN > Clientless SSL VPN Access >
Portal > Bookmarks. Choose MY-BOOKMARKS and click Edit. The Edit Bookmark List window
opens.
B) Click Add to define a new bookmark. The Select Bookmark Type window opens.
C) Verify that URL with GET or POST Method is chosen as the bookmark type, and click OK.
D) Add a bookmark that is named SSH to DMZ server with the URL ssh://172.16.1.2 and click OK.
E) Click the OK button in the Edit Bookmark List window and apply the configuration.
Step 3
Add an ACE to your web ACL to permit SSH access to the DMZ server:
B) In the Web ACLs panel, choose BASIC-CLIENTLESS-ACL and choose Add > Add ACE. The Add
ACE window opens.
C) In the Add ACE window, configure the ACE to permit SSH access to the IP address of the DMZ server
(172.16.1.2).
D) Click OK.
E) Click Apply in the Web ACLs panel.
F) Review the commands and send them to the Cisco ASA.
Step 4
Configure a group policy to include the new bookmark on the portal page when members of the group
establish clientless SSL VPN connections to the Cisco ASA. Also apply the web ACL to the group policy.
Group Policies.
B) Choose Add > Internal Group Policy and enter the name SSH-RDP-POLICY for the group policy.
Note
This group policy will be used in this exercise instead of the default group policy. Alternatively you
may tune the default group policy to achieve the same result.
C) Expand the More Options area, uncheck the Inherit check box next to Web ACL, and verify that
BASIC-CLIENTLESS-ACL is chosen in the Web ACL drop-down list.
D) Choose the Portal page. Uncheck the Inherit check box next to Bookmark List, and verify that MYBOOKMARKS is chosen in the drop-down list. Have all other attributes inherited from the default
group policy.
E) Click OK.
F) Click Apply in the Group Policies panel.
G) Review the commands and send them to the Cisco ASA.
Lab Guide
L-121
Step 5
Configure a connection profile that points to your new group policy. In this step, you will also configure an
alias for the custom connection profile. Another connection profile will be provided for users to choose at
logon.
Connection Profiles. The Connection Profiles panel is displayed.
B) Click Add and create a connection profile that is named ADVANCED-CONNECTION-PROFILE with
these attributes:
Alias: ADVANCED-PROFILE
Authentication Method: AAA > LOCAL
DNS Server Group: DefaultDNS (192.168.1.2)
Group Policy: SSH-RDP-POLICY
C) Click OK.
D) Click Apply in the Connection Profiles panel.

E) Review the commands and send them to the Cisco ASA.
Step 1
From the Outside PC, connect to the VPN portal page at https://Px-ASA.secure-x.public (where the first x =
pod number). There should be two connection profiles in the Group drop-down list in the login window.
Step 2
Log in to the ADVANCED-PROFILE connection profile as the local user clientlessuser with the password
cisco123. You should see the new bookmark you created along with those you created in the previous lab
exercise.
Lab Guide
L-123
Step 3
Test the SSH to DMZ Server bookmark:
A) Click the SSH to DMZ Server bookmark. Depending on your browser and your certificate store
configuration, you may get a warning or the plug-in may not start. Do not update Java if prompted.
B) If you get a warning, accept it and run the application. Do not update Java.
Note
If the application does not start, try another browser, such as Firefox. If the application still does not
work, lower your Java security level by going to Start > Control Panel > Java > Security and
setting the security level to Medium. After changing the security level, you may also need to restart
your browser.
C) Log in as root with the password Ci5coAdmin.
D) Verify that you are connected to the DMZ server via SSH.
Step 4
Log out of the portal.
Task 2: Configure Application Access Using

Smart Tunnels
In this task, you will configure application access using the smart tunnel feature.
Activity Procedure
Lab Guide
L-125
Step 1
Configure a smart tunnel application list:
Portal > Smart Tunnels. The Smart Tunnels panel is displayed.
B) In the Smart Tunnel Application List area, click Add to create a list that is named MY-SMARTTUNNEL-LIST.
C) Click Add to create a smart tunnel entry with these attributes:
Application ID: Microsoft-RDP-Client
OS: Windows
Process Name: mstsc.exe
D) Click OK.
E) Click OK in the Add Smart Tunnel List window.

F) Click Apply in the Smart Tunnels panel.
G) Review the commands and send them to the Cisco ASA.
Step 2
Add an ACE to your web ACL to permit smart tunnel access to the Inside server:
B) In the Web ACLs panel, choose BASIC-CLIENTLESS-ACL and choose Add > Add ACE. The Add
ACE window opens.
C) In the Add ACE window, configure the ACE to permit smart tunnel access to the IP address of the
Inside server (192.168.1.2).
D) Click OK.
E) Click Apply in the Web ACLs panel.
Lab Guide
L-127
Step 3
Apply the smart tunnel list to a group policy:
Group Policies.
B) Choose the custom group policy that is named SSH-RDP-Policy and click Edit.
C) In the Portal page, apply the smart tunnel application list to the policy group.
D) Click OK.
E) Click Apply in the Group Policies panel.

Step 1
On the Outside PC, start the MS Terminal Services client by invoking mstsc from the Start menu. Verify
that a connection to the Inside server IP address (192.168.1.2) fails.
Step 2
From Internet Explorer on the Outside PC, reconnect to the SSL VPN portal (https://Px-ASA.securex.public, where the first x = pod number) using the ADVANCED-PROFILE connection profile with the
username clientlessuser and the password cisco123.
Step 3
Click Application Access and then click the Start Smart Tunnel button. Accept the prompts to run the
application, allow the data to pass through the VPN, and do not block any potentially unsafe components.
Lab Guide
L-129
Step 4
After the smart tunnel is up, the portal displays the message "Smart Tunnel has been started."
Step 5
Using the MS Terminal Services client, connect to the Inside server by using its internal IP address
(192.168.1.2). Accept all warnings. Log in as Administrator with the password Cisco123. You should see
the desktop of the Inside server.
Step 6
Log out of the portal. Notice that the RDP session has been interrupted.
Lab 6-3: Implementing

External Authentication and
Authorization for Clientless
SSL VPNs
Activity Objective
In this lab activity you will enhance the clientless SSL VPNs by configuring the Cisco ASA to use an
LDAP server for authentication and authorization of clientless SSL VPN users. The LDAP server in this
activity is Microsoft Active Directory.
Configure the Cisco ASA to use a Microsoft Active Directory LDAP server for user authentication
Configure the Cisco ASA to use a Microsoft Active Directory LDAP server for user authorization
Visual Objective
Lab 6-3: Implementing External Authentication

and Authorization for Clientless SSL VPNs
Required Resources
Inside PC
Inside server
Outside PC
Job Aids
Pod number
student/Ci5coAdmin
student/Ci5coAdmin
student/C!sco!23
Task 1: Configure External Authentication Using

Microsoft Active Directory
In this task you will enhance the client SSL VPN scenario by configuring the Cisco ASA to communicate
with the LDAP server that is running on the Inside server to authenticate clientless SSL VPN users.
Activity Procedure
Lab Guide
L-133
Step 1
Configure the Cisco ASA to communicate with the LDAP server that is running on the Inside server:
A) In the Cisco ASDM, choose Configuration > Remote Access VPN > AAA/Local Users > AAA
Server Groups. The AAA Server Groups panel is displayed.
B) In the AAA Server Groups area, click Add.
C) Enter the name LDAP-AD in the AAA Server Group field, and choose LDAP from the Protocol dropdown list.
D) Click OK.
E) Choose your new group in the AAA Server Groups area of the AAA Server Groups panel.
F) In the Servers in the Selected Group area, click Add. The Add AAA Server window opens.
G) Use the following information to configure an LDAP AAA server:
Interface Name: inside
Server Name or IP Address: 192.168.1.2
Server Type: Microsoft
Base DN: DC=secure-x,DC=local
Scope: All levels beneath the base DN
Naming Attribute: sAMAccountName
Login DN: CN=Administrator,CN=Users,DC=secure-x,DC=local
Login Password: Cisco123
H) Click OK.
I)
Click Apply in the AAA Server Groups panel.
Step 2
Configure a connection profile to use the new AAA configuration:
Connection Profiles. The Connection Profiles panel is displayed.
B) Choose the connection profile that is named ADVANCED-CONNECTION-PROFILE and click Edit.
The Edit Clientless SSL VPN Connection Profile window opens.
C) In the Authentication area, choose LDAP-AD from the AAA Server Group drop-down list.
D) Click OK.
E) Click Apply in the Connection Profiles panel.
Use the Test functionality in Cisco ASDM to verify your LDAP configuration.
Note
This activity only verifies that the Cisco ASA can use the Active Directory on the Inside server to
authenticate a user.
Lab Guide
L-135
Step 1
In the Cisco ASDM, choose Configuration > Remote Access VPN > AAA/Local Users > AAA Server
Groups. The AAA Server Groups panel is displayed.
Step 2
In the AAA Server Groups area, choose the LDAP-AD server group.
Step 3
In the Servers in the Selected Group area, choose the AAA server 192.168.1.2.
Step 4
Click Test.
Step 5
In the Test AAA Server window, click the Authentication radio button and log in with the username it1
and the password cisco. This user account exists in the Active Directory but not in the Cisco ASA local user
database.
Step 6
Click OK. A new window should open and display a message indicating that the authentication test was
successful.
Task 2: Configure External Authorization Using

In this task, you will configure the Cisco ASA to use the Active Directory service that is running on the
Inside server to provide authorization by assigning group policies to users.
Activity Procedure
Lab Guide
L-137
Step 1
On the Cisco ASA, configure an LDAP map that maps the AD attribute memberOf to the IETF-RadiusClass attribute that is understood by the Cisco ASA.
A) In the Cisco ASDM, choose Configuration > Remote Access VPN > AAA/Local Users > LDAP
Attribute Map. The LDAP Attribute Map panel is displayed.
B) Click Add.
C) Assign the name MY-ATTRIBUTE-MAP to the map.
D) In the LDAP Attribute Name field, enter memberOf.
E) From the Cisco Attribute Name drop-down list, choose IETF-Radius-Class.
F) Click Add.
G) Click the Mapping of Attribute Value tab.

H) Click Add to create a value mapping. The Add Mapping of Attribute Value window opens.
I)
Enter CN=IT,OU=DomainGroups,DC=secure-x,DC=local in the LDAP Attribute Value field.
J)
Enter SSH-RDP-POLICY in the Cisco Attribute Value field.
K) Click Add.
L) Click OK.
M) Click OK in the Add LDAP Attribute Map window.
N) Click Apply in the LDAP Attribute Map panel.
Step 2
Assign the LDAP map to the server that is configured for LDAP authentication:
A) Choose Configuration > Remote Access VPN > AAA/Local Users > AAA Server Groups. The
AAA Server Groups panel is displayed.
B) Choose the AAA server that is configured for LDAP, and click Edit. The Edit AAA Server window
opens.
C) From the LDAP Attribute Map drop-down list, choose MY-ATTRIBUTE-MAP.
D) Click OK.
E) Click Apply in the AAA Server Groups panel.
Step 3
Turn off the option to allow the user to choose a connection profile on login, and set the
DefaultWEBVPNGroup Connection profile to use LDAP for AAA.
Choose Configuration > Remote Access VPN > Clientless SSL VPN Access > Connection Profiles.
The Connection Profiles panel is displayed.
Uncheck the Allow User to Select Connection Profile on the Login Page check box.
Choose the DefaultWEBVPNGroup Connection Profile and click Edit. The Edit Clientless SSL VPN
Connection Profile window opens.
From the AAA Server Group drop-down list, choose LDAP-AD.
Click OK.
Click Apply in the Connection Profiles window.
Lab Guide
L-139
Step 1
On the Outside PC, connect to the VPN portal page at https://Px-ASA.secure-x.public (where the first x =
pod number).
Step 2
Notice that there is no longer an option to choose a connection profile. Simply log in as the user it1 with the
password cisco.
Step 3
Verify that it1 logs in successfully and has the group policy SSH-RDP-POLICY applied. When this group
policy is applied, the user should be able to do the following:
See the grayed-out Inside server bookmark. It is grayed out because the web ACL does not permit
access to the Inside server.
Use the SSH to DMZ Server bookmark to access the DMZ server via SSH (login credentials: root/
Ci5coAdmin).
Start a smart tunnel and then use the MS Terminal Services client to connect to 192.168.1.2, the IP
address of the Inside server. You can start the MS Terminal Services client by invoking mstsc from the
Start menu (login credentials: Administrator/Cisco123).
Step 4
Return to the Inside PC, and check the results in Cisco ASDM by navigating to Monitoring > VPN > VPN
Statistics > Sessions and verifying the connection profile and group policy.
Step 5
Log out of the clientless SSL VPN portal.
Lab Guide
L-141
Lab 7-1: Implementing Basic

Cisco AnyConnect SSL VPN
on the Cisco ASA
Activity Objective
In this lab activity you will deploy basic Cisco AnyConnect SSL VPNs on the Cisco ASA security
appliance. In the first task you will prepare the Outside PC for a later certificate-based user authentication.
You will join the Outside PC to Microsoft Active Directory, install a user certificate in its certificate store,
and then initiate a VPN connection. You will enable Cisco AnyConnect SSL VPN connections, configure a
local VPN user, create an IP address pool, configure NAT exemption, and configure split tunneling. When
all components, including a connection profile and group policy, have been configured, you will test the
VPN connectivity and access to internal resources.
Enable Cisco AnyConnect SSL VPN connections
Configure the VPN IP address pool and identity NAT
Define a VPN user and create a connection profile
Configure split tunneling, a connection profile, and a group policy
Test Cisco AnyConnect SSL VPNs
Visual Objective
Lab 7-1: Implementing Basic Cisco

AnyConnect SSL VPN on the Cisco ASA
Required Resources
Inside PC
Inside server
Outside PC
Command List
No commands are needed for this lab exercise. All tasks are performed with the Cisco ASDM GUI
interface.
Job Aids
Pod number
student/Ci5coAdmin
student/Ci5coAdmin
student/C!sco!23
Task 1: Enable Cisco AnyConnect SSL VPN

Connections
In this task, you will enable Cisco AnyConnect SSL VPN connections.
Activity Procedure
Step 1
From the Inside PC use Cisco ASDM to access the Cisco ASA at the IP address 192.168.1.1.
Choose Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection
Profiles. Enable Cisco AnyConnect VPN client access on the outside interface.
The Cisco ASDM will ask you to designate a Cisco AnyConnect image. Click Yes and proceed to the next
step.
Lab Guide
L-145
Step 2
In the Add AnyConnect Client Image window, click Browser Flash and choose the Cisco AnyConnect
client image that is named anyconnect-win-3.1.04059-k9.pkg on disk0.
Click OK and apply the changes.

Step 3
Choose Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection
Profiles. Ensure that the Allow User to Select Connection Profile on the Login Page option is enabled.
Apply the changes to the Cisco ASA.
Task 2: Configure the VPN IP Address Pool and

Identity NAT
In this task, you will configure an IP address pool for the VPN clients and configure identity NAT to keep
the IP addresses unchanged during communication through the VPN tunnel.
Activity Procedure
Step 1
In the Cisco ASDM, choose Configuration > Remote Access VPN > Network (Client) Access > Address
Assignment > Address Pools. Add a new address pool that is named vpnpool. The pool should start with
the IP address 192.168.1.10 and end with the IP address 192.168.1.15. Choose the subnet mask
255.255.255.0.
Lab Guide
L-147
Step 2
Configure identity NAT for VPN clients:
A) Choose Configuration > Firewall > NAT Rules.
B) Click Add to create a rule before the Network Object NAT rules.
C) Choose Outside as the destination interface, and click the destination address selection button. Click
Add and create a network object.
D) Configure a network object that is named VPN-clients that defines the VPN client address range
(192.168.1.10 to 192.168.1.15).
E) Click OK. Choose the network object (VPN-clients) as the destination address.
F) Click OK. In the NAT rule configuration, verify that the network object (VPN-clients) is defined as the
destination address. For the translated packet, keep the static translation with the original addresses.
G) Click OK. Accept the popup window about identity NAT and proxy ARP. Apply the configuration.
Preview and send the commands.
Lab Guide
L-149
Task 3: Configure a VPN User and Create a

Connection Profile
In this task, you will create a user account in the local user database of the Cisco ASA, configure a group
policy for a Cisco AnyConnect VPN, create a custom connection profile, and apply the group policy to the
connection profile. While creating the connection profile, you will also define an alias for the connection
profile and allow users to choose the connection profile at logon.
Activity Procedure
Step 1
Create a user account in the local user database of the Cisco ASA.
A) Choose Configuration > Remote Access VPN > AAA/Local Users > Local Users. Add a new user
that is named vpnuser with the password cisco with an access restriction of No ASDM, SSH, Telnet or
Console access.
B) Apply changes to the Cisco ASA.
Step 2
Create a custom group policy for the Cisco AnyConnect VPN.
A
In the Cisco ASDM, choose Configuration > Remote Access VPN > Network (Client) Access >
Group Policies.
Choose Add > Internal Group Policy. Name the policy asa-group-policy, uncheck the banner Inherit
box and enter the Welcome! message in the Banner field. Click More Options and enable the
Clientless SSL VPN and SSL VPN Client protocols for the group policy.
Apply the changes to the Cisco ASA.
Lab Guide
L-151
Step 3
Configure a new connection profile (asa-connection-profile) for DNS and IP address assignment:
A) Add a new connection profile (asa-connection-profile) in the Configuration > Remote Access VPN >
Network (Client) Access > AnyConnect Connection Profiles menu. Using a custom connection
profile is one possible approach. You could also implement the Cisco AnyConnect VPN by using the
default profile.
B) In the Aliases field, enter asa. The alias name will appear in the drop-down box when users connect.
C) Configure the IP address assignment based on the address pool (vpnpool).
D) Under Default Group Policy, choose asa-group-policy.
E) Enable the SSL VPN client protocol. It is a setting of the group policy attached to the connection
profile. You can, however, enable it in the connection profile configuration. Uncheck the Enable
IPsec(IKEv2) Client Protocol check box.
F) Set the DNS server address to 192.168.1.2 and the domain name to secure-x.local.
G) Leave all other settings at the previously configured values.

H) Accept and apply the configuration. Preview and send the commands.
Task 4: Configure Group Policy: IP Pool, DNS,

and Split Tunneling
In this task, you will configure the IP pool assignment, DNS, and split tunneling at the default group policy
level. Split tunneling defines which traffic will be routed through the tunnel toward the VPN head-end. In
this scenario the VPN client should be able to reach internal resources through the VPN tunnel and still
retain connectivity to external destinations. You will configure the DNS and split tunneling information in
the default group policy. These settings will be automatically inherited by default by any custom group
policies.
Activity Procedure
Step 1
Choose Configuration > Remote Access VPN > Network (Client) Access > Group Policies. Edit the the
default group policy (DfltGrpPolicy). Configuring global settings in the default group policy and having
them inherited by the custom group policies will simplify the manageability.
Step 2
On the General page, choose vpnpool as the address pool. Although you previously set the address pool in
the connection profile, this group policy setting will be inherited by all custom group policies by default.
Step 3
Choose the Servers page and set the DNS server address to 192.168.1.2. Although you previously set the
DNS server address in the connection profile, this group policy setting will be inherited by all custom group
policies by default.
Lab Guide
L-153
Step 4
Configure split tunneling. Split tunneling defines which traffic will be routed through the tunnel toward the
VPN head-end. In this scenario you will specify the internal subnets that are reachable through the VPN
tunnel. This setting will allow connectivity to external destinations.
A) Choose Advanced > Split Tunneling.
B) Set the policy to the Tunnel Network List Below option.
C) Click Manage near the Network List drop-down list. Create a standard ACL (internal-subnets) with
ACEs that permit the inside network (192.168.1.0/24) and the DMZ network (172.16.1.0/24).
D) Click OK. Make sure that the traffic to the internal-subnets list will be tunneled.
E) Click OK and apply the configuration.

Step 5
Examine your custom group policy (asa-group-policy). Verify that the custom policy setting is configured
to inherit the values from the default group policy.

In this task, you will test the Cisco AnyConnect SSL VPN.
Activity Procedure
Lab Guide
L-155
Step 1
Connect to the VPN portal from Internet Explorer on the Outside PC to https://Px-ASA.secure-x.public
(where the first x = pod number). Choose the asa group. Log in as vpnuser with the password cisco. Accept
the Welcome! banner about the asa group policy. Choose AnyConnect from the SSL VPN Service menu
and click the Start AnyConnect link.
Step 2
Accept the Microsoft ActiveX popup to install the Cisco AnyConnect client. Perform the installation. The
Cisco AnyConnect client will auto-install and establish the VPN connection to the Cisco ASA. You will see
the Cisco AnyConnect icon in the system tray.
Step 3
Disconnect from the VPN by choosing the VPN Disconnect option at the Cisco AnyConnect icon.
Reconnect by choosing the asa group (vpnuser/cisco) to test the connection by using the Cisco AnyConnect
GUI. Accept the banner about the asa group policy.
Step 4
With the VPN connection established, click the Cisco AnyConnect icon in the system tray to open the GUI.
Click the wheel icon in the left bottom corner of the GUI to open the Cisco AnyConnect Secure Mobility
Client window. Choose the Route Details tab to examine the secured routes. The secured routes result from
the split tunneling configuration.
Lab Guide
L-157
Step 5
In the Cisco ASDM on the Inside PC, choose Monitoring > VPN > VPN Connection Graphs > Sessions.
Choose SSL VPN Client Active Sessions and add it to the Selected Graphs window.
Click Show Graphs. You should see the Sessions, SSL VPN Client Active Sessions graph showing one
active session.
Step 6
In a web browser on the Outside PC, verify that you can access internal resources, such as http://
192.168.1.2 (http://inside-srv, http://inside-srv.secure-x.local), ftp://192.168.1.2 (ftp://inside-srv.securex.local), and http://172.16.1.2 (http://dmz-srv.secure-x.local and ftp://dmz-srv.secure-x.local).
Step 7
On the Outside PC, disconnect from the VPN by choosing the VPN Disconnect option at the Cisco
AnyConnect icon. Verify that you cannot connect to the internal resources when the VPN tunnel is
disconnected.
Lab Guide
L-159
Step 8
In the Cisco ASDM examine the Sessions, SSL VPN Client Active Sessions graph once again.
The Sessions, SSL VPN Client Active Sessions graph should show zero active sessions.
Lab 7-2: Configuring

Advanced Authentication for
Cisco AnyConnect SSL VPNs
Activity Objective
In this lab activity you will enhance the Cisco AnyConnect VPNs by configuring the Cisco ASA to use an
LDAP server for authentication and authorization of clientless SSL VPN users. The LDAP server in this
activity is Microsoft Active Directory. Finally you will deploy the Cisco AnyConnect Secure Mobility
Client profile via the predeployment method as compared to the web deployment in the previous lab
exercise.
Deploy external authentication by using Microsoft Active Directory
Deploy local authorization for local VPN users
Deploy external authorization by using Microsoft Active Directory
Deploy the Cisco AnyConnect Mobility profiles with the predeployment method
Visual Objective
Lab 7-2: Configuring Advanced Authentication

for Cisco AnyConnect SSL VPNs
Required Resources
Inside PC
Inside server
Outside PC
Job Aids
Pod number
student/Ci5coAdmin
student/Ci5coAdmin
student/C!sco!23
Task 1: Review LDAP and Active Directory Server

Settings on the Cisco ASA
In this task you will review LDAP and Active Directory server settings on the Cisco ASA.
Activity Procedure
Lab Guide
L-163
Step 1
Verify that the Cisco ASA is configured to communicate with the LDAP server running on the Inside
server:
A) In the Cisco ASDM, choose Configuration > Remote Access VPN > AAA/Local Users > AAA
Server Groups. The AAA Server Groups panel is displayed.
B) Choose LDAP-AD in the AAA Server Groups area of the AAA Server Groups panel.
C) In the Servers in the Selected Group area, click Edit. The Edit AAA Server window opens.
D) Use the following information to verify an LDAP AAA server:
Interface Name: inside
Server Name or IP Address: 192.168.1.2
Server Type: Microsoft
Base DN: DC=secure-x,DC=local
Scope: All levels beneath the base DN
Naming Attribute: sAMAccountName
Login DN: CN=Administrator,CN=Users,DC=secure-x,DC=local
Login Password: Cisco123
E) Click OK and then apply the changes.
Lab Guide
L-165
Step 2
Configure a connection profile to use the new AAA configuration:
A) In the Cisco ASDM, choose Configuration > Remote Access VPN > Network (Client) Access >
AnyConnect Connection Profiles. The Connection Profiles panel is displayed.
B) Choose the connection profile that is named asa-connection-profile and click Edit. The Edit
AnyConnect Connection Profile window opens.
D) Click OK.
Use the test functionality in the Cisco ASDM to verify your LDAP configuration.
Note
This activity only verifies that the Cisco ASA can use Active Directory on the Inside server to
authenticate a user.
Step 1
In the Cisco ASDM, choose Configuration > Remote Access VPN > AAA/Local Users > AAA Server
Groups. The AAA Server Groups panel is displayed.
Step 2
In the AAA Server Groups area, choose the LDAP-AD server group.
Step 3
In the Servers in the Selected Group area, choose the AAA server 192.168.1.2.
Step 4
Click Test. The Test AAA Server window opens.
Step 5
Click the Authentication radio button and log in with the username it1 and the password cisco. This user
account exists in Active Directory but not in the Cisco ASA local user database.
Step 6
Click OK. A new window should open and display a message indicating that the authentication test was
successful between the Cisco ASA and Active Directory.
Step 7
To test Cisco AnyConnect VPN authentication using the Active Directory server, connect to the VPN portal
in Internet Explorer on the Outside PC to https://Px-ASA.secure-x.public (where the first x = pod number).
Choose the asa group. Log in as it1 with the password cisco. Accept the Welcome! banner about the asa
group policy and click Continue. The Cisco AnyConnect client will auto-install and establish the VPN
connection to the Cisco ASA. You will see the Cisco AnyConnect icon in the system tray.
Step 8
Disconnect the Cisco AnyConnect connection and log out of the SSL VPN portal.
Lab Guide
L-167
Task 2: Deploy Local Authorization for Local VPN

Users
In this task you will use local authorization with ACLs that are deployed on the adaptive security appliance.
This method is not recommended for authentication against remote user databases. In a large deployment
with multiple VPN servers, the ACLs would need to be configured on every Cisco ASA.
Activity Procedure
Step 1
Choose a local connection profile to use local authentication:
C) In the Authentication area, choose LOCAL from the AAA Server Group drop-down list.
D) Click OK.
Step 2
To test ICMP traffic to inside hosts from the Outside PC, connect to the VPN portal at https://PxASA.secure-x.public (where the first x = pod number). Choose the asa group. Log in as vpnuser with the
password cisco.
A) Open the command prompt and ping the Inside server (192.168.1.2) and Inside PC (192.168.1.3). The
ping should be successful.
B) Disconnect the Cisco AnyConnect connection and log out of the SSL VPN portal.
Step 3
Configure an ACL that denies ICMP traffic to the inside network (192.168.1.0):
Advanced > ACL Manager.
B) Configure an ACL (Block-ICMP-to-Inside-Network) and add ACEs to the ACL that denies ICMPv4 to
the inside network object group and permits all other traffic.
C) Accept and apply the configuration.
Lab Guide
L-169
Step 4
Apply the ACL (Block-ICMP-to-Inside-Network) to the asa-group-policy. This group policy will be applied
when you connect to the VPN as vpnuser.
A) Choose Configuration > Remote Access VPN > Network (Client) Access > Group Policies.
B) Edit the group policy that is named asa-group-policy. On the General page, click More Options.
C) In the Tunneling Protocols section, uncheck the Clientless SSL VPN option.
D) Uncheck Inherit and then choose the ACL (Block-ICMP-to-Inside-Network) from the Filter dropdown box.
E) Accept and apply the changes.
Step 5
Test local authorization:
A) From the Outside PC, reconnect to the VPN portal at https://Px-ASA.secure-x.public (where the first x
= pod number). Choose the asa alias. Authenticate as vpnuser with the password cisco.
B) From the Inside PC, go to Cisco ASDM and choose Monitoring > VPN > VPN Statistics > Sessions.
In the Sessions window, choose AnyConnect Client in the Filter By drop-down list, and click Details.
On the ACL tab, examine the ACL that is applied to the session (click Details and then choose the
ACL tab). You will see that the local ACL has been applied to the session.
C) On the Outside PC, recheck the ICMP traffic by doing ping tests to the Inside server (192.168.1.2) and
the Inside PC (192.168.1.3). The ping test should fail because the ACL on the Cisco ASA denies ICMP
traffic to inside traffic.
Lab Guide
L-171
D) Disconnect the VPN session and log out of the SSL VPN portal.
Task 3: Deploy External Authorization Using

In this task, you will configure the Cisco ASA to use the Active Directory service running on the Inside
server to provide authorization by assigning group policies to users.
Activity Procedure
Step 1
Configure the Cisco AnyConnect connection profile to use the LDAP-AD server group for AAA:
D) Click OK.
Lab Guide
L-173
Step 2
On the Cisco ASA, verify an LDAP map that maps the Active Directory attribute that is named memberOf
to the IETF-Radius-Class attribute that is understood by the Cisco ASA.
A) In the Cisco ASDM, choose Configuration > Remote Access VPN > AAA/Local Users > LDAP
Attribute Map >My-Attribute-Map. Click Edit. The Edit LDAP Attribute Map panel is displayed.
B) Verify that the Mapping of Attribute Name and Mapping of Attribute Value fields are assigned to MyAttribute-Map.
C) Click OK.
Step 3
Verify that the LDAP is mapped to the server and is configured for LDAP authentication:
A) Choose Configuration > Remote Access VPN > AAA/Local Users > AAA Server Groups. The
AAA Server Groups panel is displayed.
B) Choose LDAP-AD in the AAA Server Groups window and click Edit in the Servers in the Selected
Group. The Edit AAA Server window opens.
C) In the LDAP Attribute Map drop-down list, verify that My-Attribute-Map is chosen.
D) Click OK.
Step 1
From the Outside PC, open Internet Explorer and connect to the VPN portal page at https://Px-ASA.securex.public (where the first x = pod number).
Step 2
In the login window, choose the asa connection profile and log in as it1 with the password cisco.
Lab Guide
L-175
Step 3
Verify that it1 logs in successfully and has the group policy SSH-RDP-POLICY applied. When this group
policy, with the SSL VPN client enabled, is applied, the user should be able to do the following:
A) Use PuTTY to establish an SSH connection to the DMZ server (172.16.1.2) (login credentials: root/
Ci5coAdmin).
B) Establish a Remote Desktop Connection to the Inside server (192.168.1.2). You can start the MS
Terminal Services client by invoking mstsc from the Start menu (login credentials: administrator/
Cisco123).
Step 4
Disconnect the VPN session and log out of the SSL VPN portal.
Task 4: Deploy a Standalone Cisco AnyConnect

Client on the Outside PC
In this task, you will predeploy the Cisco AnyConnect Mobility client and profile by using the standalone
installation. The standalone Cisco AnyConnect Mobility Client installation is also referred to as a
predeployment. With this method the users do not need to connect via clientless SSL VPNs to download the
client software.
Activity Procedure
Step 1
Connect to the Outside PC and uninstall the Cisco AnyConnect Mobility client that was installed via the
web deployment:
A) Choose Start > All Programs > Control Panel > Programs and Features. Choose Cisco
AnyConnect Secure Mobility Client. Click Uninstall and then click Yes.
B) Restart the Outside PC.
Lab Guide
L-177
Step 2
On the Outside PC, install the Cisco AnyConnect Secure Mobility Client as a standalone or predeployment
application:
A) Go to D:\AnyConnect\anyconnect-win-3.1.04059-pre-deploy-k9 folder. Launch Setup.exe. The
Cisco AnyConnect Secure Mobility Client Install Selector window opens.
B) Check Select All and click Install Selected.

C) Reboot the Outside PC for your installed changes to take effect.
Step 3
Verify the presence of the Cisco AnyConnect profile:
A) Display hidden folders and files:
On the Outside PC, open a Windows Explorer window. Choose Organize > Folder and Search
Options > View.
Click the Show Hidden Files, Folders, and Drives radio button. Apply it to all folders and click
OK.
B) View the content of the folder that is located at C:\ProgramData\Cisco\Cisco AnyConnect Secure
Mobility Client\Profile. You should see a file that is named AnyConnectProfile.xsd.
Step 4
Configure the VPN to start when Cisco AnyConnect is started:
A) Click the Cisco AnyConnect icon in the system tray to open the GUI. Notice that the standalone or
predeployment version of Cisco AnyConnect Secure Mobility Client looks different from the webinstalled client. It shows attributes like Network and Web Security that we chose during installation as
well as the preconfigured VPN profile of px-asa.secure-x.public (where the first x = pod number).
B) Click the wheel icon in the left bottom corner of the GUI to open the Cisco AnyConnect Secure
Mobility Client window. Choose Start VPN When AnyConnect Is Started.
Lab Guide
L-179
C) Reboot the Outside PC for your changes to take effect.

Step 5
Launch the Cisco AnyConnect client with the asa connection alias. Log in as it1 with the password cisco.
Step 6
Disconnect the VPN session and log out of the SSL VPN portal.
Lab Guide
L-181
Lab 7-3: Implementing Cisco

AnyConnect IPsec/IKEv2
VPNs
Activity Objective
In this lab activity you will deploy Cisco AnyConnect IPsec/IKEv2 VPNs on the Cisco ASA security
appliance.
Implement Cisco AnyConnect IPsec/IKEv2 VPNs by using the WebLaunch method
Visual Objective
Lab 7-3: Implementing Cisco AnyConnect

IPsec/IKEv2 VPNs
Required Resources
Inside PC
Inside server
Outside PC
Job Aids
Pod number
student/Ci5coAdmin
student/Ci5coAdmin
student/C!sco!23
Task 1: Deploy Cisco AnyConnect IPsec/IKEv2

VPN with WebLaunch
In this task you will deploy the Cisco AnyConnect IPsec/IKEv2 VPN on the Outside PC by using the
WebLaunch method. The Cisco AnyConnect IPsec VPN requires the setting of the primary protocol as
IPsec in the Cisco AnyConnect profile. You will configure a new group policy (ipsec-weblaunch-policy),
Cisco AnyConnect profile (IPsec), and connection profile (ipsec-weblaunch) by using the Cisco ASDM.
The VPN clients will download the Cisco AnyConnect profile when the appropriate connection profile is
chosen.
Activity Procedure
Step 1
Allow IPsec VPN access via the outside interface of the Cisco ASA:
A) In the Cisco ASDM on the Inside PC, choose Configuration > Remote Access VPN > Network
(Client) Access > AnyConnect Connection Profiles.
B) Check the appropriate check box for IPsec/IKEv2 access via the outside interface.
Lab Guide
L-185
Step 2
Create a custom group policy (ipsec-weblaunch-policy) that allows Cisco AnyConnect SSL and IPsec:
A) In the Cisco ASDM on the Inside PC, choose Configuration > Remote Access VPN > Network
(Client) Access > Group Policies.
B) Add an internal group policy (ipsec-weblaunch-policy). Choose General > More Options >
Tunneling Protocols. Enable the SSL VPN client and IPsec IKEv2.
Note
The SSL VPN client protocol needs to be enabled along with IPsec IKEv2 because the initial
connection to the VPN server uses SSL/DTLS.
Step 3
Create a new Cisco AnyConnect profile (Configuration > Remote Access VPN > Network (Client)
Access > AnyConnect Client Profile) for IPsec access with these settings:
A) Name: ipsec
B) Profile Usage: AnyConnect VPN Profile (default)
C) Profile Location: disk0:/ipsec.xml (default)
D) Group Policy: ipsec-weblaunch-policy
E) Click OK and then edit the ipsec profile with the Edit button. In the server list, create an entry with
these attributes:
Host Display Name: IPsec VPN
FQDN: px-asa.secure-x.public (where the first x = pod number)
Primary Protocol: IPsec
Lab Guide
L-187
F) Leave the other settings at their default values. Accept and apply the configuration.
Step 4
Create a new connection profile (Configuration > Remote Access VPN > Network (Client) Access >
AnyConnect Connection Profiles) for IPsec access with these attributes:
A) Name: ipsec-weblaunch
B) Alias: ipsec-weblaunch
C) Group Policy: ipsec-weblaunch-policy
D) Leave the other settings at their default values. The missing values, such as the address pool, will be
inherited from the default group policy.
E) Accept and apply the configuration.
Lab Guide
L-189
Step 5
On the Outside PC establish a connection to https://px-asa.secure-x.public (where the first x = pod number).
Choose the group alias that is named ipsec-weblaunch. Log in as vpnuser with the password cisco.
Step 6
Verify the Cisco AnyConnect status after the first connection with the connection profile and group policy
that are configured for IPsec/IKEv2:
A) Click the wheel symbol in the GUI. Go to the Statistics tab and examine the details in the Transport
Information section. You will see that the transport protocol for the first connection is DTLS. DTLS is
used for the initial Cisco AnyConnect session, during which the Cisco AnyConnect profile is
downloaded from the Cisco ASA.
B) In the Cisco ASDM, choose Monitoring and verify that the VPN server also reports the connection as
a DTLS session.
C) On the Outside PC, view the content of the folder that is located at C:\ProgramData\Cisco\Cisco
AnyConnect Secure Mobility Client\Profile. You should see that the ipsec.xml file has been
successfully downloaded from the VPN server.
Note
If the folder is hidden, choose Organize > Folder and Search Options > View. Click the Show
Hidden Files, Folders, and Drives radio button. Apply it to all folders and click OK.
Lab Guide
L-191
Step 7
Examine the transport of the subsequent Cisco AnyConnect connections:
A) On the Outside PC, disconnect and restart the Cisco AnyConnect connection. The Cisco AnyConnect
GUI should display IPsec VPN, the VPN server ID from the received Cisco AnyConnect profile.
Connect by using the ipsec-weblaunch profile. Log in as vpnuser with the password cisco.
B) Click the wheel symbol in the GUI. Go to the Statistics tab and examine the details in the Transport
Information section. You should see that the transport protocol for the subsequent connections is
IKEv2/IPsec.
C) In ASDM monitoring, verify that the transport protocol of the VPN connection is IKEv2/IPsec.
Disconnect the session.
Step 8
Configure the Cisco AnyConnect profile (ipsec) for the automatic choice of the group alias:
A) Choose Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Client
Profile.
B) Edit the profile that is named ipsec.
C) In the Server List Entry window, click IPsec VPN to edit the VPN server entry. Set the user group to
the connection profile name (ipsec-weblaunch).
D) Click OK and apply the changes.
Lab Guide
L-193
Step 9
From the Outside PC, reconnect to the IPsec VPN by using the same method and then disconnect. As a
result of this connection, the updated Cisco AnyConnect profile will be downloaded to the Outside PC.
Open the ipsec.xml file in the folder that is located at C:\ProgramData\Cisco\Cisco AnyConnect Secure
Mobility Client\Profile. You should see that the VPN server entry has been updated with the user group.
Step 10
From the Outside PC, reconnect to the IPsec VPN by using the IPsec VPN entry. You will not need to
choose the connection profile because this information has been retrieved from the downloaded Cisco
AnyConnect profile. Log in as vpnuser.
Step 11
From the Outside PC, verify that you can access internal resources. For example use ping, FTP, and HTTP
connections to 192.168.1.2 (inside-srv.secure-x.local) or 172.16.1.2 (dmz-srv.secure-x.local). The group
policy that is named ipsec-policy does not require any local or external authorization. You could enhance
the scenario by using the mechanisms demonstrated for the client access. Disconnect the session.
Lab Guide
L-195
Lab 8-1: Configuring Active/

Standby High Availability
Activity Objective
In this activity, you will configure and verify Cisco ASA active-standby stateful failover. After completing
this activity, you will be able to:
Prepare the secondary Cisco ASA security appliance for active/standby high availability
Configure active/standby failover on the primary and secondary Cisco ASA security appliances
Configure standby IP addresses on the active security appliance
Tune failover timers to achieve subsecond failover
Enable stateful active/standby failover on the Cisco ASA security appliance
Visual Objective
In this lab, two pods will work together to form an active/standby configuration. Please coordinate the
activities between the team members of the two pods.
In this lab, you will partner with another pod to configure a two-unit failover in which the following occurs:
Pod 1 and Pod 2 will form a two-unit configuration: Pod 1 = Pod x, and Pod 2 = Pod x+1.
Lab 8-1: Configuring Active/Standby High

Availability
Required Resources
Inside PC
Two Cisco ASA 5512 Adaptive Security Appliances (one is a security appliance from a peer pod)
DMZ server
Outside server
Shared (core) Cisco Catalyst switch (not shown)
Shared (core) Cisco ISR router

Your instructor will configure the pod switch to support this active/standby failover lab.
Your instructor will reconfigure the Px+1 Inside PC IP address and move it to the Px inside subnet.
Command List
Commands
Command
Description
clear configure failover
This command removes the failover configuration.
configure terminal
This command enters the configuration mode.
copy running-config startup-config
This command saves the running configuration to the startup

configuration.
failover active
This command forces the security appliance to assume the active role.
http ip_address subnet_mask

interface_name
This command specifies the hosts that can access the HTTP server
internal to the security appliance.
http server enable
This command enables the security appliance HTTP server.
ip address ip_address subnet_mask
This command sets interface primary and standby IP addresses.
nameif if_name
This command assigns an interface name.
prompt hostname priority state
This command customizes the CLI prompt to show the hostname,

priority, and state.
reload
This command reloads the security appliance.
show failover
This command displays information about the failover status of the unit.
Job Aids
Pod number
student/Ci5coAdmin
student/Ci5coAdmin
student/Ci5coAdmin
student/C!sco!23
Cisco ASA enable password
C!sco!23
Lab Guide
L-199
Task 1: Prepare the Secondary Appliance for

Failover Configuration via the CLI and Cisco
ASDM
In this task, you will configure basic settings on the secondary appliance to prepare it for configuration via
the CLI and Cisco ASDM.
Activity Procedure
Step 1
Access the CLI of the secondary Cisco ASA security appliance (Px+1). Enter privileged EXEC mode. Your
instructor will provide access information for the secondary security appliance.
Step 2
From the Px+1 Inside PC, by using the Cisco ASA CLI, reconfigure the IP address of the
GigabitEthernet0/1 interface of the Cisco ASA. This interface connects the secondary ASA security
appliance to the inside network. Reconfigure the interface with the following network parameter:
IP Address: 192.168.1.12/24
Step 3
Using the Cisco ASA CLI, view the running configuration and verify that Cisco ASDM has access to the
secondary appliance from the Px+1 Inside PC.
<output omitted>
<output omitted>
http server enable
http 192.168.1.0 255.255.255.0 inside
<output omitted>
Step 4
Access the Px+1 Inside PC. Verify Cisco ASDM connectivity from the Inside PC to Px+1 ASA by
launching the Cisco ASDM-IDM launcher. Enter 192.168.1.12 as the device IP address. Use the ID of
student and the password of C!sco!23. This login should be successful.
Step 5
Return to the Px+1 ASA CLI. To verify connectivity from Px+1 ASA to the Px ASA, ping the Px ASA
inside interface (192.168.1.1). The ping should be successful.
Step 1
You verified connectivity from the Px+1 ASA to the Px ASA inside interface:
Px+1-ASA# ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

In this task, you will configure active/standby failover on the primary Cisco ASA security appliance (PxASA). You will also let the Cisco ASDM automatically configure the secondary appliance (Px+1-ASA)
with the appropriate settings.
Activity Procedure
Step 1
Access the Px-ASA and Px+1-ASA CLIs. Leave both windows open so that you can observe them.
Step 2
Access the Px Inside PC and start Cisco ASDM to the Px-ASA by using the Cisco ASDM-IDM launcher
from the desktop. Access the Px-ASA with the IP address 192.168.1.1. Log in as student with the password
of C!sco!23.
Step 3
Enable failover on the primary appliance. Use cisco123 as the shared key for failover message
authentication and encryption.
Note
Do not use the High Availability and Scalability wizard to configure active/standby failover.
Lab Guide
L-201
Step 4
Use the following parameters for the LAN failover interface:
Interface: GigabitEthernet0/3
Active IP Address: 1.1.1.1
Standby IP Address: 1.1.1.12
Subnet Mask: 255.255.255.0
Logical Name: FAILOVER
Step 5
Assign the primary role to the Px-ASA security appliance.
Step 6
Step 7
When you are asked to configure the failover peer firewall, click No.
Step 8
From the peer Px+1 Inside PC, open a Cisco ASDM session to the secondary Cisco ASA security appliance
at 192.168.1.12.
Step 9
Repeat Steps 3 and 4 on the secondary security appliance.
Step 10
Assign the secondary role to the secondary security appliance.
Step 11
When you are asked to configure the failover peer firewall, click No.
Step 12
Click Apply, and then click Save. Close the Cisco ASDM window for the secondary security appliance.
Step 13
Observe the CLIs for the primary and secondary security appliances. You should see that both security
appliances detected each other and that the configuration has been replicated from the primary security
appliance (Px-ASA) to the secondary security appliance (Px+1-ASA).
Px-ASA#
No Active mate detected
Beginning configuration replication: Sending to mate.
End Configuration Replication to mate
Px+1-ASA#
Detected an Active mate
Beginning configuration replication from mate.
WARNING: Failover is enabled but standby IP address is not
interface.
interface.
interface.
WARNING: This command will not take effect until interface
an IPv4 address
WARNING: This command will not take effect until interface
an IP address
End configuration replication from mate.
Px-ASA#
configured for this

configured for this
configured for this
'inside' has been assigned
'inside' has been assigned
Lab Guide
L-203
Note
Notice the device hostname change on the secondary appliance. This change is due to the replication of
the configuration from the primary security appliance. You will change the hostname prompt in the next
step.
Step 14
Access the CLI of the primary (active) appliance and configure the command-line prompt to show the
hostname, state, and priority of the appliance.
Px-ASA(config)# prompt hostname state priority
Px-ASA/act/pri(config)#
Step 15
Save the configuration.
Step 16
Display and examine the failover status on the primary appliance. Answer the following questions:
1
Checking the interface status, is the hardware failover configuration operational?
If not, what is missing in the hardware failover configuration?
Step 1
You observed the primary ASA CLI:
Px-ASA# Beginning configuration replication: Sending to mate.
End Configuration Replication to mate
Step 2
You observed the secondary ASA CLI:
Px+1-ASA# Detected an Active mate
End configuration replication from mate.
Step 3
You displayed and examined the failover status:
Px-ASA/act/pri# show failover

Failover On
Failover unit Primary
Failover LAN Interface: FAILOVER GigabitEthernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 114 maximum
Version: Ours 9.1(2), Mate 9.1(2)
Last Failover at: 07:32:19 pst Sep 19 2013
This host: Primary - Active
Active time: 1008 (sec)
slot 0: ASA5512 hw/sw rev (1.0/9.1(2)) status (Up Sys)
Interface outside (209.165.201.2): Unknown (Waiting)
Interface inside (192.168.1.1): Unknown (Waiting)
Interface dmz (172.16.1.1): Unknown (Waiting)
slot 1: CXSC5512 hw/sw rev (N/A/9.1.2) status (Up/Up)
ASA CX, 9.1.2, Up
Other host: Secondary - Standby Ready
Interface outside (0.0.0.0): Unknown (Waiting)
Interface inside (0.0.0.0): Unknown (Waiting)
Interface dmz (0.0.0.0): Unknown (Waiting)
ASA CX, 9.1.2, Up
Stateful Failover Logical Update Statistics
Link : Unconfigured.
Task 3: Configure Standby IP Addresses on the

Active Appliance and Test Failover
In this task, you will configure standby IP addresses on the active security appliance to complete the
failover configuration. Then you will test and verify hardware failover by reloading the currently active
security appliance to simulate a failed device.
Activity Procedure
Step 1
Return to the Cisco ASDM for Px-ASA, which is running on the Px Inside PC.
Step 2
Configure standby IP addresses on Px-ASA for the following interfaces. Ensure that the interfaces are
monitored:
Inside: 192.168.1.12/24
Outside: 209.165.201.12/27
DMZ: 172.16.1.12/24
Lab Guide
L-205
Step 3
Step 4
Access the CLI of the active Cisco ASA security appliance.
Step 5
Display and examine the failover status. You should see that the primary appliance is active and the
secondary appliance is standby. All interfaces should be in a normal state. Hardware failover should be
operational now.
Step 6
Return to the Px Inside PC and open a command prompt. Ping the Outside server at 209.165.202.130
continuously (use the t option). The ping should be successful. Leave the window open.
Step 7
Open a new command prompt. Open an FTP session to the Outside server at 209.165.202.130. Log in with
the username anonymous and the password cisco. Use the ls command to list the files that are available on
the server. You should be successful. Leave the window open.
Note
Ensure that you have saved the configuration to the active appliance before proceeding to the next step.
Step 8
Access the active CLI of the Cisco ASA security appliance and reload the Cisco ASA security appliance.
Access the CLI of the standby security appliance and observe the standby Cisco ASA security appliance.
The standby appliance should become active after the hold time expires.
How long did it take for the secondary Cisco ASA security appliance to take over?
Step 9
Return to the Px Inside PC and observe pings to the server at 209.165.202.130. After you reload the primary
Cisco ASA security appliance, the pings should stop flowing. When the secondary appliance became active,
pings should start to flow again.
Step 10
Return to the FTP session to the server. Try to list the files again by using the ls command.
Can you list the files over the FTP session? Why or why not?
Step 11
Access the CLI of the secondary (now active) Cisco ASA security appliance and examine the failover
status. You should see that the secondary appliance is now active and the primary appliance is standby. All
interfaces should be in a normal state.
Step 12
Close all command prompts on the Px Inside PC.
Step 13
Access the CLI of the primary Cisco ASA security appliance (Px-ASA). Return the original active Cisco
ASA security appliance to the active unit role with the failover active command.
Step 1
You pinged the Outside server:
C:\>ping 209.165.202.130 -t
Pinging 209.165.202.130 with 32 bytes of data:
Reply from 209.165.202.130: bytes=32 time=1ms TTL=126
<output omitted>
Step 2
You successfully opened an FTP session to the Outside server and listed the files.
Lab Guide
L-207
Step 3
You observed the pings to the Outside server during failover:
C:\>ping 209.165.202.130 -t
<output omitted>
Reply from 209.165.202.130:
Reply from 209.165.202.130:
Reply from 209.165.202.130:
Request timed out.
Request timed out.
Request timed out.
Reply from 209.165.202.130:
Reply from 209.165.202.130:
<output omitted>
bytes=32 time=1ms TTL=126


Step 4
You tried to list the files on the FTP server after failover, which should be unsuccessful.
Step 5
You displayed and examined the failover status after the switchover occurred:
Px-ASA/act/sec# show failover
Failover On
Failover unit Secondary
Interface Policy 1
This host: Secondary - Active
Interface outside (209.165.201.2): Normal (Monitored)
Interface inside (192.168.1.1): Normal (Monitored)
Interface dmz (172.16.1.1): Normal (Monitored)
ASA CX, 9.1.2, Up
Other host: Primary - Standby Ready
ASA CX, 9.1.2, Up
Px-ASA/stby/pri# show failover

Failover On
Interface Policy 1
This host: Primary - Standby Ready
ASA CX, 9.1.2, Up
Other host: Secondary - Active
ASA CX, 9.1.2, Up
Step 6
You returned the original Cisco ASA security appliance to the active unit role.

In this task, you will enable the active/standby failover to achieve subsecond failover.
Activity Procedure
Step 1
Return to the Cisco ASDM for the active security appliance (Px-ASA) that is running on the Px Inside PC.
Step 2
Change the failover criteria to achieve subsecond failover. Set the following timers:
Unit Failover: 300 ms
Unit Hold Time: 900 ms
Lab Guide
L-209
Step 3
Step 4
Access the CLIs for both Cisco ASA security appliances. Examine the failover status. You should see the
unit poll frequency and hold timers.
Px-ASA/act/pri# show failover
Failover On
Unit Poll frequency 300 milliseconds, holdtime 900 milliseconds
Px-ASA/stby/sec# show failover
Failover On
Step 5
Return to the Px Inside PC and open a command prompt. Ping the Outside server at 209.165.202.130
continuously (use the t option). You should be successful. Leave the window open.
Note
Ensure that you have saved the configuration to the active appliance before proceeding to the next step.
Step 6
Reload the active Cisco ASA security appliance. Access the CLI of the standby appliance and observe the
standby security appliance. The standby Cisco ASA security appliance should become active after the hold
time expires.
How long did it take the secondary appliance to take over this time?
Step 7
Return to the client PC and observe the pings to the Outside server at 209.165.202.130. After you reloaded
the primary Cisco ASA security appliance, the traffic should stop flowing. When the secondary appliance
became active, traffic should start to flow again. However, this time you should lose no more than one ping
packet during the switchover.
Step 8
Close the command prompt on the Inside PC.
Step 9
Return the original active Cisco ASA security appliance (Px-ASA) to the active unit role with the failover
active command.
Step 1
You pinged the Outside server:
C:\>ping 209.165.202.130 -t
Pinging 209.165.202.130 with 32 bytes of data:
<output omitted>
Step 2
You observed the standby security appliance CLI:
Px-ASA/stby/sec#
Switching to Active
Px-ASA/act/sec#
Step 3
You observed the pings to the Outside server during failover:
Lab Guide
L-211
C:\>ping 209.165.202.130 -t
<output omitted>
Reply from 209.165.202.130:
Reply from 209.165.202.130:
Reply from 209.165.202.130:
Request timed out.
Reply from 209.165.202.130:
Reply from 209.165.202.130:
<output omitted>

Step 4
You returned the original Cisco ASA security appliance to the active unit role.

In this task, you will configure and verify stateful active/standby failover.
Activity Procedure
Step 1
Return to the Cisco ASDM for the active security appliance (Px-ASA) that is running on the Px Inside PC.
Step 2
Enable stateful failover. Use the following parameters for the State Failover link:
Interface: GigabitEthernet 0/4
Active IP: 2.2.2.2/24
Standby IP: 2.2.2.12
Logical Name: STATE_FAILOVER
Step 3
Step 4
Access the CLI of the active Cisco ASA security appliance and examine the failover status. You should see
stateful failover update statistics, which indicate that state information is exchanged between both security
appliances
Step 5
Return to the Px Inside PC and open a command prompt. Open an FTP session to the Outside server at
209.165.202.130. Log in with the username anonymous and the password cisco. Use the ls command to list
the files that are available on the server. This attempt should be successful. Leave the window open.
Note
Make sure that you have saved the configuration to the active appliance before proceeding to the next
step.
Step 6
Access the CLI of the active Cisco ASA security appliance and reload the Cisco ASA security appliance.
Access the CLI of the standby appliance and observe the standby Cisco ASA security appliance. The
standby Cisco ASA security appliance should become active after the hold time expires.
Lab Guide
L-213
Step 7
Return to the FTP session on the Inside PC. Try to list the files again.
Can you list the files over the FTP session after the failover? Why?
Step 8
Close all command prompts on the Inside PC.
Step 9
Return the original active Cisco ASA security appliance (Px-ASA) to the active unit role with the failover
active command.
Step 10
Remove all failover configurations, including standby IP addresses, from both appliances.
Step 1
You examined the failover status:
Px-ASA/act/sec# show failover

Failover On
Interface Policy 1
This host: Secondary - Active
ASA CX, 9.1.2, Up
Other host: Primary - Standby Ready
slot 1: CXSC5512 hw/sw rev (N/A/) status (Unresponsive/Up)
Link : STATE_FAILOVER GigabitEthernet0/4 (up)
Stateful Obj
xmit
xerr
rcv
rerr
General
186
0
531
19
sys cmd
174
0
174
0
up time
0
0
0
0
RPC services
0
0
0
0
TCP conn
0
0
148
0
UDP conn
0
0
175
0
ARP tbl
9
0
33
0
Xlate_Timeout
0
0
0
0
IPv6 ND tbl
0
0
0
0
VPN IKEv1 SA
0
0
0
0
VPN IKEv1 P2
0
0
0
0
VPN IKEv2 SA
0
0
0
0
VPN IKEv2 P2
0
0
0
0
VPN CTCP upd
0
0
0
0
VPN SDI upd
0
0
0
0
VPN DHCP upd
0
0
0
0
SIP Session
0
0
0
0
Route Session
2
0
0
19
User-Identity
1
0
1
0
CTS SGTNAME
0
0
0
0
CTS PAC
0
0
0
0
TrustSec-SXP
0
0
0
0
IPv6 Route
0
0
0
0
Logical Update Queue Information
Cur
Max
Total
Recv Q:
0
17
5450
Xmit Q:
0
30
271
Step 2
You successfully opened an FTP session to the Outside server and listed the files.
Lab Guide
L-215
Step 3
You observed the standby ASA CLI:
Px-ASA/stby/sec#
Switching to Active:
Px-ASA/act/sec#
Step 4
You successfully listed the files on the FTP server after the failover.
Step 5
You removed all failover configurations, including standby IP addresses, from both security appliances.
Lab Answer Keys

Task 1: Access the Learning@Cisco-Hosted ASA Remote Lab
Step 1
There are no solutions for this lab.
Lab 2-1: Configuring the Cisco ASA Adaptive

Security Appliance
Task 1: Verify Cisco ASA Adaptive Security Appliance and
Cisco ASDM Versions
Step 2
Erase the default configuration:
Px-ASA# write erase
Step 3
Reload the security appliance:
Px-ASA# reload
Step 6
Verify the running image and Cisco ASDM image:
Px-ASA# show version
Task 2: Initialize the Cisco ASA Adaptive Security Appliance

from the CLI
Step 2
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
no shutdown
Step 3
Configure the device settings:
Hostname Px-ASA
Domain-name secure-x.local
Enable password C!sco!23
Step 4
Enable SSH and the HTTP server. Grant access for the administrators on the inside 192.168.1.0/24 network:
http server enable
http 192.168.1.0 255.255.255.0 inside
ssh 192.168.1.0 255.255.255.0 inside
Step 5
Create the user in the LOCAL database:
username student password C!sco!23 encrypted privilege 15
Step 6
Enable ASDM and SSH authentication:

Task 3: Launch Cisco ASDM and Test SSH Access

Step 1
This task is verified in the end-of-task verification.

Step 2
Enable the Gigabit Ethernet0/0 interface:
Configuration > Device Setup > Interfaces > Edit
Task 5: Configure System Management Parameters

Step 1

Task 1: Configure Object NAT for the Client Network and DMZ
Server
Step 2
Add a network object for the DMZ server:
Lab Guide
L-219
Step 3
Expand the NAT section and check the Add Automatic Address Translation Rules check box:
Step 4
Enter the advanced NAT settings:
Lab Guide
L-221
Step 6
Add a network object for the inside network:
Step 7
Expand the NAT section and set the parameters:
Lab Guide
L-223
Step 8
Enter the advanced NAT settings:
Task 2: Configure Manual NAT for the DMZ Server and Client
Network
Step 1
Add a NAT rule before the Network Object NAT rule for traffic from the DMZ server to the outside
network:
Lab Guide
L-225
Step 7
Add a NAT rule before the Network Object NAT rule for the traffic from the inside network to the DMZ
server:
Lab 3-2: Configuring Basic Cisco Access Control

Features
Step 1
Enable the capturing of packets with the capture command:
Px-ASA# capture CAPTURE type asp-drop acl-drop
Lab Guide
L-227
Task 2: Configure Network and Service Object Groups

Step 1
Create a service group that is named DMZ_SERVICES:
Step 3
Create another service group that is named OUTSIDE_SERVICES:
Step 5
Create a network object group that is named SERVERS:
Lab Guide
L-229

Step 5
Reconfigure the access list on the outside interface:
Step 10
Configure an input access list on the inside interface:
Lab Guide
L-231

Step 4
Add a new public server:
Step 8
Return the public server to its previous configuration:
Lab Guide
L-233

Step 3
Add four rules to the global access list:
Step 4
Add the new object to the SERVERS object group:
Task 6: (Optional) Configure Unicast Reverse Path Forwarding

Check
Step 1
Enable the uRPF check with the CLI or Cisco ASDM:
ip verify reverse-path interface inside
ip verify reverse-path interface dmz
ip verify reverse-path interface outside
Lab Guide
L-235
Lab 4-1: Configuring MPF, Basic Stateful

Inspections, and QoS
Step 2
Verify the default service policy:
1
inspection_default
default-inspection-traffic
global_policy
inspection_default
inspect dns preset_dns_map

inspect
inspect
inspect
inspect
inspect
inspect
inspect
inspect
inspect
inspect
inspect
inspect
inspect
inspect
ftp
h323 h225
h323 ras
rsh
rtsp
esmtp
sqlnet
skinny
sunrpc
xdmcp
sip
netbios
tftp
ip-options
Step 5
Enable ICMP and disable FTP:
Task 2: Enable TTL Decrement and Disable TCP Initial

Sequence Randomization
Step 2
Configure a new service policy that is named INSIDE-POLICY:
Lab Guide
L-237
Task 3: Tune TCP Timeouts, Enable TCP DCD, and Configure

TCP Normalization
Step 1
Create a TCP map:
Step 3
Create a new service policy (OUTSIDE-POLICY) and change the rule actions:
Lab Guide
L-239
Task 4: Configure a Priority Queue and Traffic Policing

Step 1
Create a priority queue:
priority-queue outside
queue-limit
512
tx-ring-limit 256
Step 2
Create a new service policy (OUTSIDE-POLICY):
Step 6
Create a new service policy (OUTSIDE-POLICY):
Lab Guide
L-241
Lab 4-2: Configuring MPF Advanced Application

Inspections
Task 1: Configure HTTP Inspection to Protect the DMZ Server
Step 3
Create an HTTP inspection policy map:
Lab Guide
L-243
Step 4
Enable HTTP protocol verification:
Step 5
Create a new service policy rule (WEB-SERVER-PROTECTION):
Lab Guide
L-245
Step 15
Create a regular expression class:
Step 20
Verify the service policy statistics:
Px-ASA# show service-policy inspect http
Global policy:
Class-map: WEB-SERVER-PROTECTION
Inspect: http MY-HTTP-POLICY, packet 4, lock fail 0, drop 1, reset-drop 1, v6fail-close 0
protocol violations
log, packet 0
match request uri regex class DMZ-REGEX
reset log, packet 1
Task 2: Configure FTP Inspection to Protect the DMZ Server

Step 1
Create an FTP inspection policy map:
Lab Guide
L-247
Step 2
Create a new service policy rule:
Step 3
Make sure that the configured service policy rule will be matched before the default service policy rule:
Lab Guide
L-249
Lab 6-1: Implementing Basic Clientless SSL VPN

on the Cisco ASA
Step 1

Step 1
Task 3: Provision an Identity Certificate for the Cisco ASA

Step 1

Step 1

Step 1
Lab 6-2: Configuring Application Access for

Clientless SSL VPN on the Cisco ASA
Task 1: Configure Application Access Using Plug-ins
Step 1
Task 2: Configure Application Access Using Smart Tunnels

Step 1
Lab 6-3: Implementing External Authentication

and Authorization for Clientless SSL VPNs
Task 1: Configure External Authentication Using Microsoft
Active Directory
Step 1
Task 2: Configure External Authorization Using Microsoft

Active Directory
Step 1
Lab 7-1: Implementing Basic Cisco AnyConnect

SSL VPN on the Cisco ASA
Task 1: Enable Cisco AnyConnect SSL VPN Connections
Step 1
Lab Guide
L-251
Task 2: Configure the VPN IP Address Pool and Identity NAT

Step 1
Task 3: Configure a VPN User and Create a Connection Profile

Step 1
Task 4: Configure Group Policy: IP Pool, DNS, and Split

Tunneling
Step 1

Step 1
Lab 7-2: Configuring Advanced Authentication for

Cisco AnyConnect SSL VPNs
Task 1: Review LDAP and Active Directory Server Settings on
the Cisco ASA
Step 1
Task 2: Deploy Local Authorization for Local VPN Users

Step 1
Task 3: Deploy External Authorization Using Microsoft Active

Directory
Step 1
Task 4: Deploy a Standalone Cisco AnyConnect Client on the

Outside PC
Step 1
Lab 7-3: Implementing Cisco AnyConnect IPsec/

IKEv2 VPNs
Task 1: Deploy Cisco AnyConnect IPsec/IKEv2 VPN with
WebLaunch
Step 1
Lab 8-1: Configuring Active/Standby High

Availability
Task 1: Prepare the Secondary Appliance for Failover
Configuration via the CLI and Cisco ASDM
Step 2
Reconfigure the secondary (Px+1) ASA inside interface IP address:
nameif inside
security-level 100
ip address 192.168.1.12 255.255.255.0
Lab Guide
L-253

Step 3
Enable failover, configure the LAN failover interface, and make Px-ASA the primary appliance. (The
screen shot shows solutions for Steps 3, 4, and 5.)
Step 9
Configure the secondary appliance (Px+1-ASA) for failover:
Step 14
Configure the command-line prompt to show the name, state, and priority of the appliance:
Px-ASA(config)# prompt hostname state priority
Px-ASA/act/pri(config)#
Step 16
Display and examine the failover status on the primary appliance. Answer the following questions:
1
No.
Standby IP addresses are missing.
Task 3: Configure Standby IP Addresses on the Active

Appliance and Test Failover
Step 2
Configure the standby IP addresses:
Lab Guide
L-255
Step 8
How long did it take for the secondary Cisco ASA security appliance to take over?
It took approximately 15 seconds.
Step 10
Can you list the files over the FTP session? Why or why not?
No. The connection was reset.

Step 2
Configure the failover criteria:
Step 6
How long did it take the secondary appliance to take over?
It took less than 1 second.

Step 2
Enable stateful failover:
Step 7
Can you list the files over the FTP session after the failover? Why?
Yes. State information is exchanged between the appliances.
Lab Guide
L-257

SASAC10LG

Uploaded by

Copyright:

Available Formats

SASAC10LG

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

SASAC10LG

Uploaded by

Copyright:

Available Formats

SASAC

Part Number: 97-3369-01

Asia Pacific Headquarters

2014 Cisco Systems, Inc.

Lab 2-1: Configuring the Cisco ASA Adaptive Security Appliance

Lab 3-1: Configuring NAT

Lab 3-2: Configuring Basic Cisco Access Control Features

Lab 4-1: Configuring MPF, Basic Stateful Inspections, and QoS

Lab 4-2: Configuring MPF Advanced Application Inspections

Lab 6-3: Implementing External Authentication and Authorization for

Implementing Core Cisco ASA Security

2014 Cisco Systems, Inc.

Task 2: Configure the VPN IP Address Pool and Identity NAT

Lab 7-2: Configuring Advanced Authentication for Cisco AnyConnect

Lab 7-3: Implementing Cisco AnyConnect IPsec/IKEv2 VPNs

Lab 8-1: Configuring Active/Standby High Availability

Lab Answer Keys

Lab 1-1: Accessing the Remote Lab Environment

Lab 3-2: Configuring Basic Cisco Access Control Features

2014 Cisco Systems, Inc.

Lab 8-1: Configuring Active/Standby High Availability

Implementing Core Cisco ASA Security

2014 Cisco Systems, Inc.

Lab 1-1: Accessing the

Lab 1-1: Accessing the Remote Lab

Inside-SRV (Win 2008 R2) AD/DNS

2014 Cisco Systems, Inc.

Implementing Core Cisco ASA Security

2014 Cisco Systems, Inc.

2014 Cisco Systems, Inc.

Task 1: Access the Learning@Cisco-Hosted ASA

Implementing Core Cisco ASA Security

2014 Cisco Systems, Inc.

2014 Cisco Systems, Inc.

L-10 Implementing Core Cisco ASA Security

2014 Cisco Systems, Inc.

2014 Cisco Systems, Inc.

L-12 Implementing Core Cisco ASA Security

2014 Cisco Systems, Inc.

2014 Cisco Systems, Inc.

L-14 Implementing Core Cisco ASA Security

2014 Cisco Systems, Inc.

Lab 2-1: Configuring the

Lab 2-1: Configuring the Cisco ASA Adaptive

2014 Cisco Systems, Inc.

This command enters configuration mode.

This command configures the domain name.

This command enters privileged EXEC mode.

L-16 Implementing Core Cisco ASA Security

2014 Cisco Systems, Inc.

This command exits current configuration mode.

HTTP server enable

This command enables the HTTP server process.

http x.x.x.x/x.x.x.x interface

This command defines allowed host or network management access.

This command enters interface configuration mode.

This command assigns a name to the interface.

This command reboots the Cisco ASA security appliance.

This command displays the contents of the internal flash memory.

This command displays the configuration that is currently running on the