CCIE Security Version 4 – The ASAs

My study of the ASAs is drawing to a close. My plan was to write a lot of posts about these studies, but as you might guess, it is hard to study and blog extensively about the process at the same time when the time available for actual study is fixed. Here is a recap of the prep required on the ASAs.


The Hardware:

  • Cisco ASA 5500 and 5500-X Series Adaptive Security Appliances
      • Cisco ASA 5500 Series Adaptive Security Appliances OS Software Versions 8.2x, 8.4x, 8.6x
      • We can expect 4 of these devices

The Study Checklist:

  • Initializing the Basic Cisco ASA Firewall (IP Address, Mask, Default Route, etc.)
  • Understanding Security Levels (Same Security Interface)
  • Understanding Single vs. Multimode
  • Understanding Firewall vs. Transparent Mode
  • Understanding Multiple Security Contexts
  • Understanding Shared Resources for Multiple Contexts
  • Understanding Packet Classification in Multiple-Contexts Mode
  • VLAN Subinterfaces Using 802.1Q Trunking
  • Multiple-Mode Firewall with Outside Access
  • Single-Mode Firewall Using the Same Security Level
  • Multiple-Mode, Transparent Firewall
  • Single-Mode, Transparent Firewall with NAT
  • ACLs in Transparent Firewall (for Pass-Through Traffic)
  • Understanding How Routing Behaves on the Adaptive Security Appliance (Egress and Next-Hop Selection Process)
  • Understanding Static vs. Dynamic Routing
  • Static Routes
  • RIP with Authentication
  • OSPF with Authentication
  • EIGRP with Authentication
  • Managing Multiple Routing Instances
  • Redistribution Between Protocols
  • Route Summarization
  • Route Filtering
  • Static Route Tracking Using an SLA
  • Dual ISP Support Using Static Route Tracking
  • Redundant Interface Pair
  • LAN-Based Active/Standby Failover (Routed Mode)
  • LAN-Based Active/Active Failover (Routed Mode)
  • LAN-Based Active/Standby Failover (Transparent Mode)
  • LAN-Based Active/Active Failover (Transparent Mode)
  • Stateful Failover Link
  • Device Access Management
  • Enabling Telnet
  • Enabling SSH
  • The nat-control Command vs. no nat-control Command
  • Enabling Address Translation (NAT, Global, and Static) Pre & Post 8.4
  • NAT Objects
  • Context-Aware Firewall
  • Identity Firewall
  • Using ASDM and Cisco Prime
  • Policy NAT
  • Destination NAT
  • Bypassing NAT When NAT Control Is Enabled Using Identity NAT
  • Bypassing NAT When NAT Control Is Enabled Using NAT Exemption
  • Port Redirection Using NAT
  • Tuning Default Connection Limits and Timeouts
  • Basic Interface Access Lists and Access Group (Inbound and Outbound)
  • Time-Based Access Lists
  • ICMP Commands
  • Enabling Syslog and Parameters
  • NTP with Authentication
  • Object Groups (Network, Protocol, ICMP, and Services)
  • Nested Object Groups
  • URL Filtering
  • Java Filtering
  • ActiveX Filtering
  • ARP Inspection
  • Modular Policy Framework (MPF)
  • Application-Aware Inspection
  • Identifying Injected Errors in Troubleshooting Scenarios
  • Understanding and Interpreting Adaptive Security Appliance show and debug Outputs
  • Understanding and Interpreting the packet-tracer and capture Commands
  • Cisco IOS Firewalls
  • Zone-Based Policy Firewall Using Multiple-Zone Scenarios
  • User-Based Firewall
  • Secure-Group Firewall
  • Transparent Cisco IOS Firewall (Layer 2)
  • Context-Based Access Control (CBAC)
  • Proxy Authentication (Auth Proxy)
  • Port-to-Application Mapping (PAM) Usage with ACLs
  • Use of PAM to Change System Default Ports
  • PAM Custom Ports for Specific Applications
  • Mapping Nonstandard Ports to Standard Applications
  • Performance Tuning
  • Tuning Half-Open Connections
  • Understanding and Interpreting the show ip port-map Commands
  • Understanding and Interpreting the show ip inspect Commands
  • Understanding and Interpreting the debug ip inspect Commands
  • Understanding and Interpreting the show zone|zone-pair Commands
  • Understanding and Interpreting the debug zone Commands
  • Cisco IOS Services
  • Marking Packets Using DSCP and IP Precedence and Other Values
  • Unicast RPF (uRPF) With or Without an ACL (Strict and Loose Mode)
  • RTBH Filtering (Remote Triggered Black Hole)
  • Basic Traffic Filtering Using Access Lists: SYN Flags, Established, etc. (Named vs. Numbered ACLs)
  • Managing Time-Based Access Lists
  • Enabling NAT and PAT on a Router
  • Conditional NAT on a Router
  • Multihome NAT on a Router
  • CAR Rate Limiting with Traffic Classification Using ACLs
  • PBR (Policy-Based Routing) and Use of Route Maps
  • Traffic Policing on a Router
  • Traffic Characterization
  • Packet Classification
  • Packet-Marking Techniques

This list might seem overwhelming, but just remember to track your skill level on each topic with a rating system. I had studied so much of this while gearing up for my previous attempt that I found I did not have to restudy much of it at all!

7 thoughts on “CCIE Security Version 4 – The ASAs”

  1. These videos are the newest, right? (350-018) CCIE Security (Written)

     Awaiting a reply from you soon 😉

     Best Regards,
