Deploying Cisco ASA VPN Solutions (VPN 2.0)
About this Course
The Deploying Cisco ASA VPN Solutions (VPN) v2.0 course is part of the curriculum path that leads to the Cisco CCNP Security certification. This five-day instructor-led course is aimed at providing network security engineers with the knowledge and skills that they need to implement and maintain Cisco ASA adaptive security appliance-based perimeter solutions. Successful graduates will be able to use Cisco ASA features to reduce the risk to the IT infrastructure and applications and to provide detailed operations support for the Cisco ASA security appliance.
To participate in the hands-on labs in this class, you need to bring a laptop computer with the following:
- We recommend using at least a Pentium 4 or better and 1 GB of RAM or more.
- We recommend running Windows XP Professional SP3 or greater (Vista & Windows 7/8). Mac & Linux machines are also supported.
- All PCs require Internet Explorer 7 or greater, Mozilla Firefox, or Google Chrome. Note: When testing connectivity, Mozilla & Chrome may not be able to fully complete the tests as intended.
- All students should have administrator rights to their PCs. If you do not have administrator rights to your PC, you at least need permissions to download, install, and run ActiveX controls in Internet Explorer or the Cisco AnyConnect Client.
- If you are participating in a WebEx event, you should have internet access served by at least a 512K link; a full T1 connection is recommended.
- All PCs require the latest Java Runtime Environment, which can be downloaded from www.java.com.
If you have any questions or issues with meeting the recommended requirements, please contact us at rlt@skyline-ats.com to discuss.
Audience Profile
The primary audience for this course is as follows:
- Network security engineers
At Course Completion
Upon completing this course, the learner will be able to meet these overall objectives:
- Describe the general properties of the Cisco ASA security appliance VPN subsystem
- Implement and maintain Cisco clientless remote access Secure Sockets Layer (SSL) VPNs on the Cisco ASA security appliance VPN gateway
- Implement and maintain Cisco AnyConnect client-based remote access SSL VPNs on the Cisco ASA security appliance VPN gateway, according to policies and environmental requirements
- Implement and maintain Cisco remote access IP Security (IPsec) VPNs on the Cisco ASA VPN gateway, according to policies and environmental requirements
- Implement and maintain site-to-site VPN solutions on the Cisco ASA security appliance VPN gateway, according to policies and environmental requirements
- Deploy endpoint security with Cisco Secure Desktop and dynamic access policy (DAP), and deploy and manage high-availability and high-performance features of the Cisco ASA security appliance
Prerequisites
The knowledge and skills that a learner must have before attending this course are as follows:
- Cisco CCNA certification
- Cisco CCNA Security certification
- Completion of the course Deploying Cisco ASA Firewall Solutions (FIREWALL)
- Working knowledge of the Microsoft Windows operating system
Course Outline
Module 1: Cisco ASA Adaptive Security Appliance VPN Architecture and Common Components
Lesson 1: Evaluating the Cisco ASA Adaptive Security Appliance VPN Subsystem Architecture
- Identify the various VPN topologies and identify the correct topology to use for a given scenario
- Identify the Cisco ASA security appliance IPv6 VPN capabilities
- Identify the components of the Cisco AnyConnect Secure Mobility Client 3.0
- Identify the available VPN licensing options and choose the appropriate licensing option for your network
Lesson 2: Evaluating the Cisco ASA Adaptive Security Appliance Software Architecture
- Describe the principles of the Cisco ASA security appliance access control model
- Evaluate Cisco ASA security appliance VPN-related routing features
- Evaluate Cisco ASA security appliance VPN-related NAT features
- Evaluate Cisco ASA security appliance VPN-related AAA features
Lesson 3: Implementing Profiles, Group Policies, and User Policies
- Describe the components of Cisco ASA security appliance VPN policy configuration
- Configure Cisco ASA security appliance connection profiles
- Configure Cisco ASA security appliance group policies
- Describe AAA functions that are available in remote access VPNs
- Configure Cisco ASA security appliance user attributes
- Identify access control methods for VPN users
- Implement VPN accounting to external RADIUS and TACACS+ servers
- Identify Cisco Secure Desktop and DAP features
Lesson 4: Implementing PKI Services
- Evaluate PKI services for IPsec and SSL VPN configurations
- Evaluate methods of deploying server-side certificates on the Cisco ASA security appliance
- Choose the appropriate CA server for your design
- Describe methods for deploying a client certificate to use with Cisco VPN deployments
- Configure and verify the local CA on the Cisco ASA security appliance and the Cisco AnyConnect client using client certificates that are provisioned by a Cisco ASA security appliance
- Configure and verify certificate-to-connection-profile mapping on the Cisco ASA security appliance
- Describe SCEP proxy operations
Module 2: Cisco ASA Adaptive Security Appliance Clientless Remote Access SSL VPN Solutions
Lesson 1: Deploying Basic Clientless VPN Solutions
- Describe the building blocks of, and use cases for, the Cisco ASA clientless SSL VPN solution
- Plan the configuration of a clientless SSL VPN solution
- Configure and verify basic Cisco ASA security appliance gateway features and gateway authentication for a clientless SSL VPN
- Configure and verify password-based local user authentication in a clientless SSL VPN
- Configure and verify basic access control in a clientless SSL VPN
- Tune and verify the gateway content-rewriting features
- Troubleshoot VPN session establishment between a browser client and a Cisco ASA security appliance gateway
Lesson 2: Deploying Advanced Application Access for Clientless SSL VPNs
- Plan the deployment of clientless SSL VPN application-access features
- Configure and verify application plug-ins
- Configure and verify smart tunnels in clientless SSL VPNs
- Troubleshoot advanced application access in clientless SSL VPNs
Lesson 3: Deploying Advanced Authentication and SSO for Clientless SSL VPNs
- Design clientless SSL VPN authentication
- Deploy client-side certificate-based authentication
- Configure and verify multiple client authentications
- Troubleshoot the integration of a clientless SSL VPN with PKI
- Configure and verify clientless VPN SSO methods
- Troubleshoot clientless VPN SSO methods
Lesson 4: Customizing the Clientless SSL VPN User Interface and Portal
- Configure and verify basic customization of the VPN portal navigation pages
- Configure and verify complete portal HTML customization
- Configure and verify portal localization
- Configure and verify portal help customization
- Configure and verify application-integration customization
Module 3: Cisco AnyConnect Remote Access SSL Solutions
Lesson 1: Deploying a Basic Cisco AnyConnect Full-Tunnel SSL VPN Solution
- Describe the operation of full-tunnel SSL VPN technology
- Plan, configure, and verify the gateway features of the Cisco ASA security appliance for a Cisco AnyConnect full-tunnel SSL VPN solution
- Configure and verify password-based local user authentication and client IP address assignment for a full-tunnel SSL VPN
- Configure basic access control and split tunneling for a full-tunnel SSL VPN
- Install, configure, and verify Cisco AnyConnect 3.0 using the predeployment method
- Troubleshoot VPN session establishment between a Cisco AnyConnect client and a Cisco ASA security appliance gateway
Lesson 2: Deploying an Advanced Cisco AnyConnect Full-Tunnel SSL VPN Solution
- Describe the tasks that you use to configure centrally controlled client functions for Cisco AnyConnect clients
- Deploy DTLS on the Cisco ASA security appliance
- Deploy and upgrade Cisco AnyConnect from a Cisco ASA gateway
- Configure and verify Cisco AnyConnect XML profiles
- Configure and verify the Cisco AnyConnect Trusted Network Detection, scripting, and SBL features
- Customize and verify the Cisco AnyConnect user interface
Lesson 3: Deploying Advanced Authentication, Authorization, and Accounting in Cisco Full-Tunnel VPNs
- Choose a gateway and user authentication method in Cisco AnyConnect full-tunnel SSL VPNs
- Plan the deployment of advanced client authentication
- Configure and verify the local CA on the Cisco ASA security appliance and the Cisco AnyConnect client with client certificates that are provisioned by the Cisco ASA security appliance
- Configure and verify the Cisco ASA security appliance and Cisco AnyConnect client to use an external CA and provision client certificates
- Configure SCEP proxy for Cisco AnyConnect
- Configure and verify integration with supporting PKI entities
- Configure multiple client authentication
- Troubleshoot advanced client authentication in full-tunnel SSL VPNs
- Configure and verify local and remote group policy authorization in a Cisco full-tunnel SSL VPN
- Configure and verify local and remote group policy accounting in a Cisco full-tunnel SSL VPN
Module 4: Cisco ASA Adaptive Security Appliance Remote Access IPsec VPNs
Lesson 1: Deploying Cisco Remote Access VPN Clients
- Describe the operation of IPsec VPN technology
- Choose the appropriate Cisco VPN Client product
- Install, configure, and verify the installation of the legacy Cisco IPsec VPN Client
- Configure and verify the legacy Cisco IPsec VPN Client profiles
- Configure and verify advanced legacy Cisco IPsec VPN Client profile settings
- Install, configure, and verify the installation of Cisco AnyConnect 3.0
- Configure and verify the auto-initiation feature of Cisco AnyConnect 3.0
- Troubleshoot Cisco remote access VPN session establishment
Lesson 2: Deploying Basic Cisco Remote Access IPsec VPN Solutions
- Plan the configuration of a Cisco remote access IPsec VPN gateway
- Configure and verify basic Cisco ASA gateway features and gateway authentication for Cisco remote access IPsec VPNs
- Configure and verify Cisco remote access VPN PSK-based peer authentication
- Configure and verify Cisco remote access VPN extended authentication
- Configure and verify Cisco remote access VPN hybrid authentication
- Configure and verify Cisco remote access VPN local IP address management
- Configure and verify Cisco remote access VPN basic access control and split tunneling
- Configure IKEv2 support for remote access IPsec VPN solutions
- Troubleshoot Cisco remote access VPN session establishment between a Cisco VPN client and a Cisco ASA gateway
Module 5: Cisco ASA Adaptive Security Appliance Site-to-Site IPsec VPN Solutions
Lesson 1: Deploying Basic Site-to-Site IPsec VPNs
- Plan a Cisco ASA security appliance site-to-site VPN
- Configure and verify basic peer authentication in a Cisco ASA security appliance site-to-site VPN
- Configure and verify transmission protection in a Cisco ASA security appliance site-to-site VPN
- Troubleshoot the operation of a Cisco ASA security appliance site-to-site VPN
Lesson 2: Deploying Advanced Site-to-Site IPsec VPNs
- Plan a Cisco ASA security appliance site-to-site VPN using PKI-based authentication
- Configure and verify PKI-based peer authentication in a Cisco ASA security appliance site-to-site VPN
- Troubleshoot the operation of a PKI-based Cisco ASA security appliance site-to-site VPN
Module 6: Endpoint Security and High Availability for Cisco ASA VPNs
Lesson 1: Implementing Cisco Secure Desktop and DAP for SSL VPNs
- Choose network admission features for Cisco AnyConnect full-tunnel SSL VPNs
- Install, enable, and verify Cisco Secure Desktop on a Cisco ASA security appliance SSL VPN gateway
- Configure and verify Cisco Secure Desktop prelogin criteria on a Cisco ASA security appliance SSL VPN gateway
- Configure and verify Cisco Secure Desktop prelogin policies on a Cisco ASA security appliance SSL VPN gateway
- Configure and verify basic Cisco Secure Desktop Advanced Endpoint Assessment features on a Cisco ASA security appliance SSL VPN gateway
- Configure and verify DAPs that are enabled for Cisco Secure Desktop on a Cisco ASA security appliance SSL VPN gateway
- Troubleshoot Cisco Secure Desktop operations on a Cisco ASA security appliance SSL VPN gateway
Lesson 2: Deploying High-Availability Features in Cisco ASA Adaptive Security Appliance VPNs
- Choose VPN high-availability and high-performance features
- Configure and verify redundant peering with Cisco AnyConnect and IPsec client
- Deploy active/standby failover for SSL and IPsec VPNs
- Implement dynamic routing to achieve IPsec site-to-site VPN high availability
- Describe the deployment of VPN load-balancing clusters
- Provide high availability and high performance using an external SLB appliance
- Troubleshoot Cisco ASA security appliance failover and VPN clustering functions
Lab Outline
- Lab 2-1: Configuring Basic Clientless VPN Access on the Cisco ASA Security Appliance
- Lab 2-2: Configuring Advanced Application Access for Clientless SSL VPNs
- Lab 2-3: Customizing the SSL VPN Portal on the Cisco ASA Security Appliance
- Lab 3-1: Configuring Basic Cisco AnyConnect Client Full-Tunnel SSL VPNs Using Local Password Authentication
- Lab 3-2: Deploying the Cisco AnyConnect Client with Centralized Management
- Lab 3-3: Configuring Basic Cisco AnyConnect Full-Tunnel SSL VPNs Using Local CA and SCEP Proxy
- Lab 4-1: Deploying Basic Remote Access IPsec VPN with IKEv2
- Lab 5-1: Deploying a Basic Cisco ASA Security Appliance IPsec IKEv1 Site-to-Site VPN
- Lab 6-1: Deploying Cisco Secure Desktop in Cisco SSL VPNs
- Lab 6-2: Configuring a Load-Balancing SSL VPN Cluster