
Building Lab 1

This will be an adventure! What I'm going to do is build the lab I want out of the INE v4 racks available. Then I'm going to practice the tasks that I want to practice for v5.

Let's start with the hardware - you're going to just use ASA3 and ASA4. These are the 5515-X running 8.6 code.
Then take a look at the hardware diagram. Rearranging the diagram for your focus, it would look like this:

And the physical connections look like this:

This is the basic hardware and connections that are already available in INE Sec Rack V4 using the Firewall Services Module.

Then you need to load the Section 5 Initial Configs. When I went to the Workbooks and Rack Rentals areas, I could not find the configs for ASA3 and ASA4. [It's never easy, is it?] The download consisted of very bare-bones ASA1 and ASA2 configs along with R1, R2, R3 and SW1, SW2 initial configs.

So the best we can do at this point is assume that ASA3 and ASA4 are at their default configuration (they are listed in the diagram, so they should be accessible). It would also be wise to review the little config that is on those devices to make sure they don't conflict with what you're doing.

That means that Task 1 is going to be to set up the environment for the lab. Start with Layer 2 and configure the switchports to only use the ones you need. Set up R1 and R2 to represent the inside and outside networks. Since the labs connect you to the console of each device, you can come up with your own IP addressing scheme. So you're setting up your own Layer 2 and Layer 3 infrastructure. Don't forget to do your own routing - the packets won't magically get there just because there's a cable. These are packets, not water in a hose.

There's always a bright light at the end of the tunnel. Once you get this set up the way you want, you can save the configs through the INE control panel. Give them a good, distinctive name so you can reuse them later.

Once you get that set up, configure ASA3 and ASA4 using a single interface. Make it simple. Shut the other interface and configure the inside and outside. Configure one firewall at a time. Shut the other interfaces on the other firewall while you are configuring. Create access rules that allow "test" traffic between R1 and R2. Validate that you have connectivity between R1 and R2 - only for the traffic that you allowed.
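One way to lay out the single-firewall step above on ASA3, as an added example that is not part of the original post or the INE initial configs. The interface numbers, the 10.1.1.0/24 and 10.2.2.0/24 addressing, the R1/R2 host addresses and the ACL names are all assumptions; substitute your own scheme.

```cisco
! ASA3, constructed example. Assumed: R1 = 10.1.1.1 (inside), R2 = 10.2.2.2 (outside)
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 10.2.2.10 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.10 255.255.255.0
 no shutdown
!
! Keep every port you are not using shut so only the lab path is live
interface GigabitEthernet0/2
 shutdown
!
! "Test" traffic: ping and Telnet from R1 to R2, nothing else.
! An ACL on inside replaces the default permit from high to low security level.
access-list INSIDE_IN extended permit icmp host 10.1.1.1 host 10.2.2.2 echo
access-list INSIDE_IN extended permit tcp host 10.1.1.1 host 10.2.2.2 eq telnet
access-list INSIDE_IN extended deny ip any any log
access-group INSIDE_IN in interface inside
!
! ICMP is not inspected by default, so the echo-reply must be allowed back in.
! The Telnet return traffic is handled statefully and needs no entry here.
access-list OUTSIDE_IN extended permit icmp host 10.2.2.2 host 10.1.1.1 echo-reply
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! R1 and R2 still need routes to each other's subnet via the ASA, e.g. on R1:
!   ip route 10.2.2.0 255.255.255.0 10.1.1.10
!
! Validation from the ASA exec prompt (allowed flow, then a flow that must drop):
!   packet-tracer input inside icmp 10.1.1.1 8 0 10.2.2.2
!   packet-tracer input inside tcp 10.1.1.1 1025 10.2.2.2 80
!   show access-list INSIDE_IN
```

The explicit `deny ip any any log` entries duplicate the implicit deny but give you hit counts and syslog messages, which makes it easy to confirm that only the permitted test traffic passes.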

Then save the config in your rack. Note that you will have a whole hour. If you script this ahead of time, you probably won't take an entire hour to set this up. Have the practice steps ready so that you can use the rest of the time to actually practice. If you run into trouble, this is your chance to troubleshoot. If you don't have any issues, and you complete the rack config and practice, load one of the INE modules and do that exercise. Always have more than an hour of work to do for each rack hour.

One of the shortcomings that I'm seeing so far is that all this is CLI. You really need to know both CLI and ASDM for the exam (and real life). And (most obviously) the 5.0 exam is going to focus on Firepower, Firepower, Firepower - which was not in the 4.0 blueprint.

Cisco used to have some really nice training in the Partner area. However, last time I looked (since the re-org of that section), the partner training was really thin. But Cisco has some subscription-based training which may be worth reviewing. If you look at the "Study Materials" - some of them require a "Premium" membership. There are 2 types of premium - one for video and the other for "practice" access. From the site, it looks like all the materials are oriented towards R/S at the CCNA and CCNP level. But the Study Materials list some premium access for a few of the video series. I will explore and then keep looking. Maybe some of this study has to be done out of order while waiting for everyone to catch up to the new version.

