Cisco CCNP Security Firewall

Deploying Cisco ASA Firewall Solutions v2.0

by Keith Barker

Total Videos: 18. Course Duration: 13:22:49
1. Firewall v2.0 Introduction (00:13:48)
2. Out of the Box (00:36:44)
3. ASA & ASDM Essentials (00:53:59)
4. NAT on the ASA, 8.2, 8.3 and beyond (01:11:23)
5. ACLs on the ASA (00:56:14)
6. Routing on the ASA (00:23:44)
7. MPF 101 (00:54:54)
8. TCP Advanced Options (00:39:34)
9. Layer 5-7 Advanced Inspection (00:43:02)
10. Interfaces: Sub, Ether-channel and Redundant (00:39:39)
11. Transparent Firewall (00:57:50)
12. AAA on the ASA (00:47:43)
13. Active/Standby Failover (00:50:47)
14. Virtual Firewalls (contexts) (00:51:16)
15. Active/Active Failover (01:06:28)
16. Botnet Filtering (00:17:05)
17. Management, Logging, Anti-spoofing and More... (00:46:47)
18. GNS3 and the ASA (00:31:52)
Firewalls have come a long way over the years, and the Cisco Adaptive Security Appliance (ASA) firewall has as well. In this "soup-to-dessert" video course, trainer Keith Barker walks you through the entire process of implementing the ASA on the network, beginning with bootstrapping the ASA so that it will allow basic management, all the way to configuring advanced features such as the new Network Address Translation (NAT, which changed between versions 8.2 and 8.3), redundant interfaces, EtherChannel, transparent L2 firewall services, multiple contexts (virtual firewalls), application layer inspection, failover for high availability (HA), and more. By the time you finish this course, you'll be able to return to your network with confidence in the care and feeding of the ASA.

This course addresses all the objectives for exam 642-618 (Firewall v2), which is part of the Cisco Firewall Specialist, ASA Specialist and CCNP Security certifications. Plus, a GNS3 Nugget covers how to create a complete ASA virtual lab environment, for hands-on practice.

Viewers who have taken the CCNA Security (or have the equivalent knowledge) will get the most out of this course. Exam 642-618 is one of the requirements for ASA Specialist, Firewall Specialist and CCNP Security certifications; prerequisites for these three certifications include CCNA (RS) and CCNA Security. This course is also valuable if you're applying for network/security positions where the employer has ASAs in place and is looking for skilled ASA network technicians and engineers.

Firewall v2.0 Introduction

00:00:01 - Hello, and welcome to the ASA Firewall Video Series.
00:00:05 - I'm Keith Barker, and on behalf of the entire CBT
00:00:08 - Nuggets family, we'd like to thank you for joining us.
00:00:11 - We've put together this intro to give you an overview of
00:00:13 - what to expect from this brand new series.
00:00:16 - Let's jump in.
00:00:17 - Our objective in this video series is really simple.
00:00:20 - And that's to give you the skills and knowledge you need
00:00:23 - to not only survive, but to thrive when you've been given
00:00:26 - the responsibility for setting up or
00:00:28 - managing an ASA firewall.
00:00:29 - And I personally would like to apply for the job of being
00:00:33 - your tour guide and coach as we go through this video
00:00:35 - series together.
00:00:37 - So who exactly is this series for?
00:00:39 - We created this series for one person, and
00:00:42 - that is you, my friend.
00:00:44 - Every Nugget, every piece, every concept, we created as
00:00:47 - if I was sitting right next to you just having a
00:00:50 - conversation.
00:00:51 - Whether we're configuring the 5505 together, or
00:00:54 - bootstrapping it to get it out of the box and running, or
00:00:57 - working on a bigger appliance, like the 5540.
00:01:00 - Each and every step of the way, I did it as if you were
00:01:03 - sitting exactly right next to me.
00:01:05 - And I also understand that everybody comes from different
00:01:08 - walks of life and different experience levels.
00:01:10 - I've organized the Nuggets that you and I get to go
00:01:13 - through together in organized, logical,
00:01:15 - just makes sense fashion.
00:01:17 - For example, let's say somebody comes to us and says,
00:01:19 - hey, here's an ASA.
00:01:20 - Set it up.
00:01:21 - Well, let's say it's the first time we've seen an ASA.
00:01:23 - What are we going to do?
00:01:24 - Well that's where we start.
00:01:25 - You and I are going to take a look at getting an appliance
00:01:27 - and saying, wow, this has no operating system on the flash.
00:01:30 - How do we even get the operating system on the flash?
00:01:32 - How do we start the process?
00:01:34 - And then from there, we'll just logically take it one
00:01:36 - step at a time.
00:01:37 - The basics of how to work with ASDM, and how the ASA thinks.
00:01:41 - We're going to get inside of its head so that when it has a
00:01:43 - problem on our production network, we can think to
00:01:45 - ourselves, OK.
00:01:47 - I understand what it's thinking, why it
00:01:49 - would do what it does.
00:01:50 - And we can become better troubleshooters as well.
00:01:52 - We'll also take a look at NAT.
00:01:53 - That was huge.
00:01:54 - With 8.2 to 8.3, there was a significant change with how we
00:01:59 - implemented NAT.
00:02:00 - I'll tell you what, I was not a big fan.
00:02:02 - I am now.
00:02:03 - After I learned it, I thought, whoa, check this out.
00:02:06 - Here's how it works.
00:02:07 - And I actually deployed it with the new 8.3 and 8.4 code.
00:02:11 - It's fantastic.
00:02:12 - So we'll cover both how it used to work, how it works
00:02:15 - now, and you can love it too.
00:02:16 - And you can be really good at it as well.
00:02:19 - And we'll continue in that same orderly, makes sense,
00:02:21 - just in time pace all the way through every single one of
00:02:25 - our Nuggets together.
00:02:26 - As we go through these together, when we're done with
00:02:28 - the entire series and we look back on the series, we're
00:02:31 - going to be amazed with what we know.
00:02:33 - For example, we'll know how to do EtherChannel on an
00:02:36 - interface, if we want to, for fault tolerance and more
00:02:38 - throughput.
00:02:39 - We'll be able to make redundant
00:02:41 - interfaces if we want to.
00:02:42 - We could do whole boxes with something called failover,
00:02:45 - both active standby failover, and active active failover,
00:02:49 - where we have full system redundancy.
00:02:51 - We're going to play with virtual firewalls, with
00:02:53 - something called multiple mode, and
00:02:56 - with multiple context.
00:02:57 - And when we're all done, again, the goal is simple, is
00:03:00 - to make sure that you have the skills and knowledge and
00:03:03 - comfort level that you need to do extremely well when you're
00:03:07 - implementing and/or managing an ASA firewall.
00:03:10 - In addition to learning all the details regarding the ASA
00:03:14 - that we've put together in the series, we're also going to
00:03:16 - have some skills required for some certification, if we are
00:03:20 - pursuing that.
00:03:21 - So what I want to do for those interested in certification is
00:03:23 - give you a little road map of currently where things sit.
00:03:26 - This course, which is the Firewall version 2.0, is
00:03:30 - relevant for this exam here in red--
00:03:32 - 642-618, which is Firewall v2.0.
00:03:35 - How could we use that, or why would we use it?
00:03:37 - First of all, if you have no interest in certification,
00:03:40 - this course, from soup to dessert, is perfect for you if
00:03:43 - you really want to learn the ASA.
00:03:45 - That was my first and foremost priority.
00:03:47 - But I also addressed each and every single objective, the
00:03:51 - published objectives from Cisco, for this exam, which is
00:03:54 - 642-618 Firewall v2.0.
00:03:57 - Now, how could we use that?
00:03:59 - Well if you're pursuing a certification, here's
00:04:02 - how it plays out.
00:04:03 - If you're pursuing an ASA Specialist, let's focus on
00:04:06 - that one first.
00:04:07 - The ASA Specialist, to get that, it requires a CCNA
00:04:12 - Route/Switch.
00:04:13 - And when people talk about CCNA without any other things
00:04:16 - after it, they're referring to the traditional CCNA for
00:04:19 - routing and switching.
00:04:20 - To get that, you can get that in one of two ways.
00:04:22 - You can get a one exam approach, or
00:04:24 - the two exam approach.
00:04:26 - Either way works great.
00:04:27 - But you do need a CCNA.
00:04:30 - Why?
00:04:31 - Because a CCNA for route and switch is required, a
00:04:33 - prerequisite from Cisco, for the CCNA Security.
00:04:37 - Well, Keith, how does that relate to the firewall
00:04:39 - certification that we're taking a look at?
00:04:40 - Well, that also happens to be a prerequisite.
00:04:44 - CCNA Security is a prerequisite for the ASA
00:04:47 - Specialist.
00:04:49 - So in order to be an ASA Specialist, you'd have to be a
00:04:51 - CCNA, you'd have to be a CCNA Security.
00:04:54 - You'd have to take this exam, which is our focus point for
00:04:57 - this course as far as what it's relevant to.
00:04:59 - And you'd also have to take one additional exam, which is
00:05:02 - the 642-648 VPN.
00:05:04 - And so as you look up, the reason I built in this fashion
00:05:07 - is that everything that's stacked is required.
00:05:10 - So the prerequisite for the ASA Specialist is everything
00:05:14 - within this line.
00:05:15 - If you want to be a Firewall Specialist, everything in this
00:05:19 - line is required.
00:05:20 - So the CCNA Route/Switch, CCNA Security, this exam, and also
00:05:25 - the Secure exam, version 1.0.
00:05:27 - Now, if somebody is pursuing, which I hope you are, a CCNP
00:05:31 - Security, it requires everything below this line.
00:05:35 - That means you have to be a CCNA Security, it's a prereq.
00:05:39 - And a prereq for CCNA Security is CCNA Route/Switch.
00:05:42 - It requires the exams--
00:05:43 - the Firewall exam, the Secure exam, the VPN exam, and the
00:05:47 - IPS exam to be a CCNP Security.
00:05:51 - So you can see this guy right here in the middle, the
00:05:54 - firewall, is the core of everything.
00:05:56 - He's required.
00:05:57 - No matter which path or which option you're choosing.
00:06:00 - The Firewall v2 Certification exam is there.
00:06:02 - So I wanted to put this in a nice, logical, visual
00:06:06 - representation so you can know exactly where
00:06:09 - you are in your track.
00:06:09 - Now, for those of you who are thinking, wow, I have no
00:06:12 - knowledge of networking at all.
00:06:14 - I have basic Windows skills, maybe.
00:06:16 - Some basic Linux skills, but I really don't know
00:06:18 - networking at all.
00:06:20 - How can I start?
00:06:21 - And the answer to that, my friend, is quite easy.
00:06:23 - I would recommend--
00:06:24 - it's not a prerequisite for CCNA, but if you're just brand
00:06:28 - new, I would recommend Network+.
00:06:32 - It's a CompTIA certification, CBT Nugget testing, great
00:06:34 - content on that as well.
00:06:36 - So if you're brand new, say, you know what.
00:06:37 - I'm not sure about the details of how networks operate, you
00:06:42 - can start here, and then work your way into CCNA
00:06:44 - Route/Switch.
00:06:45 - And then if you wanted to pursue security, go right into
00:06:47 - the Security CCNA, and then onto Firewall, which we're
00:06:50 - here in this course.
00:06:51 - And then onto your specializations, and then
00:06:53 - finally CCNP security.
00:06:55 - It's interesting to note that CCIE for security, which I
00:07:00 - happen to be one of those, it doesn't have any of these
00:07:02 - prerequisites.
00:07:04 - So if you want to go get a CCIE in security, all you need
00:07:07 - to do is take a written exam for it, and then take the
00:07:10 - practical lab.
00:07:11 - One of the tips that I've learned over the years is
00:07:13 - that, let's say that this is our track, and we're going on
00:07:16 - to CCNP Security, and eventually maybe even CCIE.
00:07:20 - We want to make sure that while we're studying a topic,
00:07:22 - for example, the ASA Firewall, make sure we learn it.
00:07:26 - Don't just gloss over pieces.
00:07:28 - Make sure we really get every piece of it while we're
00:07:31 - studying it.
00:07:32 - Put your whole heart into it.
00:07:33 - And that way, as you proceed and you take that knowledge
00:07:36 - into your company, you take that knowledge into a job
00:07:39 - interview, you take that knowledge into production,
00:07:42 - you'll be a better technician.
00:07:43 - You'll be able to better implement the real hardware.
00:07:46 - You'll be able to troubleshoot it better.
00:07:47 - And you'll be an overall happier person, because it's
00:07:50 - not a mystery how this ASA right here is operating.
00:07:54 - So we've taken a look at exactly who
00:07:56 - this series is for.
00:07:57 - And do you remember exactly who that is?
00:07:59 - It's Y-O-U, my friend, you.
00:08:02 - It is for you, the person who is brand new to the ASA.
00:08:04 - Doesn't know it yet, but needs to know it.
00:08:06 - Or the person who has one in their network, or multiple ASA
00:08:09 - firewalls in your network, and simply want to become better
00:08:12 - at understanding it, configuring it, and
00:08:15 - troubleshooting it.
00:08:16 - We also took a look at Cisco's certification requirements, if
00:08:19 - you're going that direction, as far as what it takes to
00:08:21 - become an ASA Specialist, or a Firewall Specialist, or even
00:08:25 - the CCNP, all of which are relevant for the content
00:08:29 - in this series.
00:08:30 - And then, I'd like to take a look, just for a moment with
00:08:32 - you, at some specific things that you and I can do to be
00:08:36 - successful with this content, and make it really ours.
00:08:38 - Number one, scheduling time.
00:08:41 - If we don't have time to take the actual videos and watch
00:08:44 - them, it's not very likely we're going
00:08:46 - to learn from them.
00:08:47 - So I'd like you to schedule time.
00:08:48 - What's realistic?
00:08:49 - What's realistic might be two to three vids a week.
00:08:56 - And that would be based on your schedule, family, your
00:08:58 - commitments, your job, everything else.
00:09:00 - So you want to commit to certain-- because that's
00:09:02 - measurable.
00:09:03 - I love it because it's measurable.
00:09:04 - So you can then commit to somebody else and say, OK, to
00:09:07 - a spouse, to a child, you can go up to a website and
00:09:11 - publicly say, I'm going to watch two to
00:09:13 - three videos a week.
00:09:15 - Maybe even pick the days.
00:09:17 - Last night, I didn't want to exercise.
00:09:19 - It was Saturday night.
00:09:20 - I didn't want to exercise because I was tired.
00:09:23 - So here's the deal.
00:09:24 - I'm committed to three days a week of exercising.
00:09:27 - So I thought to myself, if I don't exercise, I've got a lot
00:09:31 - of people on Facebook who are going to know that I didn't
00:09:33 - get my three for the week.
00:09:34 - That's my goal.
00:09:35 - So at 8:30 last night, I'm exercising for a half hour.
00:09:40 - So I finished and it felt great, but I did it because
00:09:43 - one, it's good for me.
00:09:44 - And secondly, I knew I had other people that I had
00:09:46 - committed to.
00:09:47 - So put a little bit of pressure on yourself to make
00:09:50 - sure that you're going to, in measurable terms, watch two or
00:09:52 - three a week.
00:09:53 - Two or three videos.
00:09:54 - Secondly, I'd like you to take notes.
00:09:56 - As we go through the concepts together, write out notes.
00:10:00 - You can use your computer if you want to, type out notes.
00:10:02 - I find for me, personally, if I write out notes and then
00:10:05 - read through those later, that's very helpful for me
00:10:08 - remembering the concepts that I've learned.
00:10:10 - I'd also like you to practice everything.
00:10:14 - Whoa, Keith.
00:10:15 - What do you mean practice everything?
00:10:16 - Let me tell you a little story about GNS3.
00:10:19 - I'm a huge fan of GNS3.
00:10:21 - It is free.
00:10:22 - GNS3 is a free tool that we can use to simulate.
00:10:26 - It's great for practicing.
00:10:27 - We can't use it for production, but we can use it
00:10:29 - for practicing.
00:10:30 - For many years, ever since the version 7 of the code came out
00:10:34 - for the ASA--
00:10:35 - when it was first brand new, came out with version seven--
00:10:38 - there was no really great GNS3 support for it.
00:10:41 - And that continued all the way to mid-2012.
00:10:46 - They finally came out with a version of GNS3 and some
00:10:50 - support from the community that allows version 8.4 to run
00:10:57 - well on GNS3.
00:11:00 - So I had fought it for years.
00:11:01 - I took out like a half day or a full day a couple times a
00:11:05 - year previously, and tried to get it working.
00:11:07 - And interfaces wouldn't come up.
00:11:09 - And it was frustrating.
00:11:09 - This feature didn't work, that feature didn't work.
00:11:11 - But now, 8.4, it works like a champ.
00:11:15 - And there's tons of documentation.
00:11:16 - So I've got a GNS3 Nugget in this video series.
00:11:20 - If you've already got it running, you probably don't
00:11:22 - need to go watch it.
00:11:23 - But if you want to find the components that I use to
00:11:25 - implement a virtualized environment for practice
00:11:28 - purposes, check out that video as well.
00:11:30 - And I'll just walk you through the resources that I used,
00:11:32 - including VirtualBox, which also is free, and GNS3 to go
00:11:36 - ahead and support practicing with 8.4
00:11:39 - including ASDM support.
00:11:41 - So practice everything.
00:11:42 - So that means you're watching a video, you're watching us
00:11:45 - configure, for example, maybe it's multiple context mode.
00:11:48 - Or together we're configuring network address translation.
00:11:51 - Or we're doing access control list.
00:11:53 - Or we're doing modular policy framework, whatever it is.
00:11:56 - I want you to do it as well along with me.
00:11:59 - Build the environment in GNS3, and then practice it.
00:12:02 - Practice, practice, practice everything.
00:12:05 - That's the secret to getting really good with the ASA is to
00:12:08 - practice it and make that knowledge yours.
00:12:11 - Then teach it to somebody else.
00:12:12 - Maybe you don't have to teach the graphical user interface
00:12:14 - to somebody else, like ASDM, but you do definitely want
00:12:17 - to make sure you share information with others.
00:12:19 - Take a spouse, a loved one, a child, what have you, a
00:12:22 - co-worker, and say, hey, let me teach you all about
00:12:24 - application layer inspection and what it does.
00:12:27 - Let me tell you why FTP doesn't work traditionally if
00:12:30 - we don't have inspection on it.
00:12:32 - Let me tell you about ICMP, and whether it's inspected or
00:12:35 - not by default.
00:12:36 - Let me tell you how to set up the stateful failover.
00:12:40 - Or whatever the topic is, find somebody and explain it to
00:12:44 - them, because that'll help embed in your mind even
00:12:46 - better, giving you that deep, deep level of knowledge that
00:12:49 - you need in today's competitive environment to be
00:12:52 - very competent with an ASA.
00:12:54 - And last but not least, have fun.
00:12:56 - Every single step of the way, have a blast.
00:12:59 - I have fun creating every single Nugget that I create.
00:13:02 - And that's because I'm doing it thinking, hey, I'm going to
00:13:04 - be teaching this to you.
00:13:06 - You and I are going through this content together.
00:13:08 - It's important.
00:13:09 - Let's keep it fun and let's keep it real.
00:13:11 - So not only did I cover all the objectives that are
00:13:13 - published from Cisco for their certification for this
00:13:16 - Firewall version 2.0, I've also included a lot of real
00:13:19 - world, good to know features and functions that you'd also
00:13:23 - come across on a daily basis as you work in
00:13:26 - a production network.
00:13:27 - So I'm going to keep this intro fairly brief so we can
00:13:30 - get right into our very first Nugget, and that's taking a
00:13:33 - brand new ASA, pulling it out of the box, and getting the
00:13:36 - operating system on it so we can start to use it.
00:13:39 - I am so looking forward to spending time with you in this
00:13:42 - video series.
00:13:43 - I hope this has been informative for you.
00:13:45 - And I'd like to thank you for viewing.


Keith Barker

CBT Nuggets Trainer

Cisco CCIE Routing and Switching, Cisco CCIE Security, Cisco CCDP, HP-MASE, Brocade BCNP, (ISC)2 CISSP, CompTIA's Network+ and Security+, VMware VCP5-DCV, Palo Alto CNSE, Check Point CCSA

Area Of Expertise:
Cisco, security, networking, bitcoin. Author or coauthor of: CCNA Security 640-554 Official Cert Guide; CCNP Security IPS 642-627 Official Cert Guide; CCNA Security 640-554 Official Cert Guide, and many more.
