Qualified PIC Ver 7.5 Fast Track

Page 1
I
I
n
n
t
t
e
e
r
r
n
n
e
e
t
t


L
L
e
e
a
a
r
r
n
n

i
i
n
n
g
g


S
S
o
o
l
l
u
u
t
t
i
i
o
o
n
n
s
s


G
G

r
r
o
o
u
u
p
p


F
F
a
a
s
s
t
t


T
T
r
r
a
a
c
c
k
k



P
P
r
r
o
o
d
d
u
u
c
c
t
t


I
I
n
n
f
f
o
o
r
r
m
m

a
a
t
t
i
i
o
o
n
n


C
C
h
h
e
e
c
c
k
k
l
l
i
i
s
s
t
t



F
F
a
a
s
s
t
t


T
T
r
r
a
a
c
c
k
k
:
:


Q
Q
u
u

a
a
l
l
i
i
f
f
i
i
e
e
d
d




P
P
r
r
o
o
d
d
u
u
c
c

t
t


I
I
n
n
f
f
o
o
r
r
m
m
a
a
t
t
i
i
o
o
n
n


(
(

B
B
u
u
s
s
i
i
n
n
e
e
s
s
s
s


U
U
n
n
i
i
t
t
)
)



Name of course or offering: Cisco Secure PIX Firewall Advanced
Course acronym (must be unique, up to 5 letters, no #s): CSPFA
Version: 2.1
FCS Date (PLM-PM): January 7, 2002
LOB: Enterprise BU: VPN & SECURITY SERVICES
Estimated product life:
Revisions required during product life:
Offering type: course If other, please specify:
Delivery method: ILT WBT/e-learning Other:
Duration if WBT in hours:
Duration if ILT in days 4 and hours: 32
E
E
n
n
d
d


O
O
f
f


L
L
i
i
f

f
e
e


(
(
B
B
u
u
s
s
i
i
n
n
e
e
s
s
s
s


U
U
n
n
i

i
t
t
)
)


Does course replace existing one?: Yes No
If yes, provide course name and acronym: CSPFA 2.0 and EOL date: February 28, 2002
If this is a new version, what are the differences? The CSPFA 2.1 course is a revision to the existing Cisco
Secure PIX Firewall Advanced 2.0 course. It includes coverage of new features of PIX Firewall Releases
6.0 and 6.1 and corrections to errata in the CSPFA 2.0 course. New features include the following:
PIX Firewall 501
PAT port redirection
Converting conduits to ACLs
CPU utilization monitoring
Cisco VPN Client 3.1 support
Copy tftp flash command
Skinny fixup command
SIP fixup enhancements
T
T
a
a
r
r
g
g
e
e

t
t


A
A
u
u
d
d
i
i
e
e
n
n
c
c
e
e


(
(
B
B
u
u
s
s

i
i
n
n
e
e
s
s
s
s


U
U
n
n
i
i
t
t
)
)


System Engineers Account Managers Channel Partners/Resellers Customers
Who should attend this course? The target audience for this course is as follows:
Cisco customers who implement and maintain Cisco Secure PIX Firewalls
Cisco Channel Partners who sell, implement and maintain Cisco Secure PIX Firewalls
Cisco System engineers who support sales of Cisco Secure PIX Firewall and security product
solutions.

T
T
r
r
a
a
i
i
n
n


t
t
h
h
e
e


T
T
r
r
a
a
i
i
n
n

e
e
r
r


(
(
B
B
u
u
s
s
i
i
n
n
e
e
s
s
s
s


U
U
n
n

i
i
t
t


–
–


I
I
L
L
S
S
G
G


I
I
R
R
P
P
)
)



Train the Trainer Required? Yes No
If yes, TTT date:
TTT registration information:
Instructor prerequisites (including certifications and background knowledge) to attend TTT:
To become certified to teach this course, the instructor must
- be a Certified Cisco Systems Instructors (CCSI) in good standing, and
- either
a) have been previously certified to teach CSPFF or CSPFA, or
b) attend a CSPFA course and pass the CSPFA certification Exam 9E0-571

Qualified PIC Ver 7.5 Fast Track

Page 2
S
S
t
t
u
u
d
d
e
e
n
n
t
t


P

P
r
r
e
e
r
r
e
e
q
q
u
u
i
i
s
s
i
i
t
t
e
e
s
s


(
(
B

B
u
u
s
s
i
i
n
n
e
e
s
s
s
s


U
U
n
n
i
i
t
t
)
)


(Note: This field has a limit of 2000 characters.)

A CSPFA student should
possess Cisco Certified Network Associate (CCNA) certification or the equivalent knowledge
(working knowledge of basic network security and a solid grasp of TCP/IP and fundamental networking
concepts),
be familiar with encryption technologies: DES, 3DES, RSA, hashing algorithms (MD5/SHA), and
IPSec, and
have a basic knowledge of the Windows operating system.
C
C
o
o
u
u
r
r
s
s
e
e


O
O
b
b
j
j
e
e
c

c
t
t
i
i
v
v
e
e
s
s


(
(
B
B
u
u
s
s
i
i
n
n
e
e
s
s
s

s


U
U
n
n
i
i
t
t
)
)


After completing this course, the student should be able to:
Students will be able to perform the following tasks upon completion of this course:
Identify PIX Firewall features, models, components and benefits
Describe PIX Firewall installation procedures
Upgrade software images
Configure inbound and outbound access through the PIX Firewall
Configure multiple interfaces on the PIX Firewall
Configure the PIX Firewall as a DHCP server
Configure the PIX Firewall as a DHCP client
Configure the PIX Firewall to send messages to a syslog server
Perform password recovery
Configure access control and content filtering on the PIX Firewall
Configure special protocol handling on the PIX Firewall
Configure attack guards and SSH
Configure AAA on the PIX Firewall

Configure and test failover using the PIX Firewall
Configure the IDS feature set
Configure a site-to-site VPN utilizing the PIX Firewall
Configure a VPN Client-to-PIX Firewall VPN
Install PIX Device Manager and use it to configure the PIX Firewall
Test and verify PIX Firewall operations
Configure Cisco IOS Firewall Context-based Access Control
C
C
o
o
u
u
r
r
s
s
e
e


D
D
e
e
s
s
c
c
r

r
i
i
p
p
t
t
i
i
o
o
n
n


(
(
B
B
u
u
s
s
i
i
n
n
e
e
s

s
s
s


U
U
n
n
i
i
t
t
)
)


(Note: This field has a limit of 2000 characters.)
The CSPFA course is a four-day, leader-led, lab-intensive course. The CSPFA course is designed for
delivery by Cisco Learning Partners. This task-oriented course teaches the knowledge and skill needed to
describe, configure, verify and manage the PIX Firewall product family and the Cisco IOS Firewall feature
set.
C
C
o
o
u
u
r
r

s
s
e
e


O
O
u
u
t
t
l
l
i
i
n
n
e
e


(
(
B
B
u
u
s
s

i
i
n
n
e
e
s
s
s
s


U
U
n
n
i
i
t
t
)
)


The following is an outline of the course chapters:
Chapter 1: Course Introduction
Chapter 2: Network Security and the Cisco PIX Firewall
Reasons for securing network
The four primary types of threats
The three primary methods of attack

The Security Wheel
Cisco AVVID and SAFE overview
Chapter 3: Cisco PIX Firewall Technology
Firewalls and firewall technologies
The PIX Firewall family
The finesse OS
Qualified PIC Ver 7.5 Fast Track

Page 3
ASA and ASA Security Levels
Cut-through proxy
Chapter 4: Identifying the Cisco PIX Firewall
PIX Firewall 501, 506, 515, 520, 525, and 535 controls, connectors, and LED’s
Proper location for the various perimeter network cables
Chapter 5: Basic Configuration of the PIX Firewall
General maintenance commands
ASA security levels
The six primary commands (nameif, interface, ip address, route, nat, global)
Lab exercise: Configure the PIX Firewall and execute general maintenance commands
Chapter 6: PIX Firewall Translations
Transport protocols
PIX Firewall translations
Access through the PIX Firewall
Lab exercise: Configuring access through the PIX Firewall
Chapter 7: Configuring Multiple Interfaces
Configuring additional interfaces
Lab exercise: Configuring multiple interfaces
Chapter 8: DHCP Support
Dynamic Host Configuration Protocol
PIX Firewall as DHCP Server

PIX Firewall as DHCP Client
Lab exercise: Configure the PIX Firewall's DHCP server and client features
Chapter 9: Configuring Syslog
Syslog messages
Lab exercise: Configuring syslog
Chapter 10: Access Control Configuration and Content Filtering
Access control lists
Converting conduits to access control lists
Configuring access control
Malicious active code filtering
Url filtering
Lab Exercise: Configure ACLs in the PIX Firewall
Chapter 11: Advanced Protocol Handling
Advanced protocols
Multimedia support
Lab exercise: Configure and test advanced protocol handling
Chapter 12: Attack Guards and Intrusion Detection
Attack guards
Intrusion Detection
Lab exercise: Configure the PIX Firewall to use IDS signatures
Chapter 13: AAA Configuration on the Cisco PIX Firewall
Introduction to AAA
Installation of Cisco Secure ACS for Windows NT
Authentication configuration
Authorization configuration
Accounting configuration
Troubleshooting the AAA configuration
Lab Exercise: Configure AAA on the PIX Firewall using CSACS for Windows NT
Chapter 14: Failover
Understanding failover

Configuring failover
Qualified PIC Ver 7.5 Fast Track

Page 4
Lab exercise: Configure failover
Chapter 15: VPN Configuration
Explanation of IPSec
Configure PIX Firewall IPSec
Scale PIX Firewall VPNs
Create a VPN with the Cisco VPN Client 3.1
Lab exercise: Configure a PIX Firewall VPN
Chapter 16: System Maintenance
Password recovery
Image upgrade
Lab exercise: Upgrade the PIX Firewall image
Chapter 17: Cisco PIX Device Manager
PDM overview
PDM operating requirements
Prepare for PDM
Using PDM
Lab exercise: Install and configure PDM
Chapter 18: The Cisco IOS Firewall Context-Based Access Control Configuration
Introduction to Cisco IOS Firewall
How CBAC works
Alerts and audit trails
Global timeouts and thresholds
Port-to-application mapping
Defining inspection rules
Applying inspection rules and ACLs to router interfaces
Testing and verifying CBAC

Lab exercise: Configure IOS Firewall on a Cisco router
Chapter 19: The Cisco IOS Firewall Authentication Proxy Configuration
Introduction to the Cisco IOS Firewall Authentication proxy
AAA server configuration
AAA configuration
Authentication proxy configuration
Testing and verification of the configuration
Lab exercise: Configure authentication proxy on a Cisco router
K
K
e
e
y
y
w
w
o
o
r
r
d
d
s
s


(
(
B
B

u
u
s
s
i
i
n
n
e
e
s
s
s
s


U
U
n
n
i
i
t
t
)
)


(Maximum of 7):
PIX

E
E
q
q
u
u
i
i
p
p
m
m
e
e
n
n
t
t


R
R
e
e
q
q
u
u
i
i

r
r
e
e
m
m
e
e
n
n
t
t
s
s


Resources needed / Quantities / Comments:
(Note: If the equipment list is already formatted, you may include it in a separate document. Please list the name of the file here.)
The following lab equipment is required for delivery of this course:
Common equipment shared by all pods:
– Cisco 2621 router: Dual 10/100 Ethernet Router with 2 WIC slots, 1 NM slot, and the
following:
IP SW 2600 SF26C - IP SOFTWARE
S26C-12106 Cisco 2600 Series IOS IP
32- to 48-MB DRAM Factory Upgrade for the Cisco 2600 Series
8 to 16 MB Flash Factory Upgrade for the Cisco 2600
32 port Asynchronous Module
8 Lead Octal Cable (68 pin to 8 Male RJ-45's)
– Multi-VLAN Server with the following:
Qualified PIC Ver 7.5 Fast Track


Page 5
Windows 2000 Server software
Intel Pentium III 800 MHz processor
256 MB RAM
8 GB HD
CD-ROM/Floppy Drive
Intel PRO/100 S Server Adapter (part number PILA8470C3)
– Five Cisco 2924 XL 10/100 switches for VLANs
(WS-C2924-XL-EN)
– Cisco Secure Access Control Server 2.6
– Kiwi’s Syslog Daemon Freeware Rel.
– VPN Client Software for Win9x-XP 3.1

Equipment required for each pod:
– Cisco 2611 router: Dual Ethernet Modular Router with Cisco IOS IP software and the
following:
IP SW 2600 SF26C - IP SOFTWARE
S26C-12103T Cisco 2600 Series IOS IP
32- to 48-MB DRAM Factory Upgrade for the Cisco 2600 Series
8 to 16 MB Flash Factory Upgrade for the Cisco 2600 Series
– Primary PIX Firewall: PIX 515FO Bundle (Chassis, failover SW, 2 FE ports) with the
following:
56-bit DES IPSec software license
PIX v6.1 software
PIX four-port 10/100 Ethernet interface
– Secondary PIX Firewall: PIX 515FO Bundle (Chassis, failover SW, 2 FE ports) with the
following:
56-bit DES IPSec software license
PIX v6.1 software

PIX four-port 10/100 Ethernet interface
– Dell latitude laptop with the following:
Windows 2000 Server software
Internet Explorer 5.5
Internet Information Services 5.0
Pentium III 800 MHz
256 MB RAM
8 GB HD (or better) -- NTFS partitioned –
CD-ROM/Floppy Drive
10/100 Ethernet NIC
S
S
K
K
U
U


N
N
u
u
m
m
b
b
e
e
r
r

s
s


f
f
o
o
r
r


C
C
o
o
u
u
r
r
s
s
e
e


M
M
a
a

t
t
e
e
r
r
i
i
a
a
l
l
s
s


(
(
B
B
u
u
s
s
i
i
n
n
e
e

s
s
s
s


U
U
n
n
i
i
t
t
:
:


C
C
h
h
e
e
c
c
k
k



n
n
e
e
e
e
d
d
e
e
d
d


b
b
o
o
x
x
e
e
s
s
,
,


P
P

L
L
M
M


D
D
e
e
p
p
l
l
o
o
y
y
m
m
e
e
n
n
t
t
:
:



P
P
r
r
o
o
v
v
i
i
d
d
e
e


S
S
K
K
U
U
s
s
)
)


ILT Student Kit includes: Student Guide (SG), Other: SK SKU:
ILT Instructor Kit includes: SG, Course Management Guide, Slides, Other: IK SKU:

ILT Employee Brown Bag SKU:
WBT/e-learning SKU:
Self Study: CD: Book: Tape: Video: Other:
Self Study CD Packaging: Jewel Case or Sleeve?
If Jewel Case: Front Tray Card Booklet Back Tray Card