Deploying Cisco ASA VPN Solutions (VPN)

Course Length: 5 Days


Course Content: The Deploying Cisco ASA VPN Solutions (VPN) v2.0 course is part of the curriculum path that leads
to the Cisco CCNP Security certification. This five-day instructor-led course is aimed at providing network security
engineers with the knowledge and skills that they need to implement and maintain Cisco ASA adaptive security
appliance-based perimeter solutions. Successful graduates will be able to use Cisco ASA features to reduce the risk
to the IT infrastructure and applications and to provide detailed operations support for the Cisco ASA security
appliance.

Course Objectives: Upon completion of this course, the student should be able to:

Describe the general properties of the Cisco ASA security appliance VPN subsystem
Implement and maintain Cisco clientless remote access Secure Sockets Layer (SSL) VPNs on the Cisco ASA
security appliance VPN gateway
Implement and maintain Cisco AnyConnect client-based remote access SSL VPNs on the Cisco ASA security
appliance VPN gateway, according to policies and environmental requirements
Implement and maintain Cisco remote access IP Security (IPsec) VPNs on the Cisco ASA VPN gateway,
according to policies and environmental requirements
Implement and maintain site-to-site VPN solutions on the Cisco ASA security appliance VPN gateway,
according to policies and environmental requirements
Deploy endpoint security with Cisco Secure Desktop and dynamic access policy (DAP), and deploy and
manage high-availability and high-performance features of the Cisco ASA security appliance

Prerequisites:

Cisco CCNA certification
Cisco CCNA Security certification
Completion of the course Deploying Cisco ASA Firewall Solutions (FIREWALL)
Working knowledge of the Microsoft Windows operating system

Course Outline:

Module 1: Cisco ASA Adaptive Security Appliance VPN Architecture and Common Components
o Lesson 1: Evaluating the Cisco ASA Adaptive Security Appliance VPN Subsystem Architecture
Identify the various VPN topologies and identify the correct topology to use for a given
scenario
Identify the Cisco ASA security appliance IPv6 VPN capabilities
Identify the components of the Cisco AnyConnect Secure Mobility Client 3.0
Identify the available VPN licensing options and choose the appropriate licensing option
for your network
o Lesson 2: Evaluating the Cisco ASA Adaptive Security Appliance Software Architecture

World Wide Technology, Inc. | 60 Weldon Parkway | Maryland Heights, MO 63043

Describe the principles of the Cisco ASA security appliance access control model
Evaluate Cisco ASA security appliance VPN-related routing features
Evaluate Cisco ASA security appliance VPN-related NAT features
Evaluate Cisco ASA security appliance VPN-related AAA features
o Lesson 3: Implementing Profiles, Group Policies, and User Policies
Describe the components of Cisco ASA security appliance VPN policy configuration
Configure Cisco ASA security appliance connection profiles
Configure Cisco ASA security appliance group policies
Describe AAA functions that are available in remote access VPNs
Configure Cisco ASA security appliance user attributes
Identify access control methods for VPN users
Implement VPN accounting to external RADIUS and TACACS+ servers
Identify Cisco Secure Desktop and DAP features
o Lesson 4: Implementing PKI Services
Evaluate PKI services for IPsec and SSL VPN configurations
Evaluate methods of deploying server-side certificates on the Cisco ASA security
appliance
Choose the appropriate CA server for your design
Describe methods for deploying a client certificate to use with Cisco VPN deployments
Configure and verify the local CA on the Cisco ASA security appliance and the Cisco
AnyConnect client using client certificates that are provisioned by a Cisco ASA security
appliance
Configure and verify certificate-to-connection-profile mapping on the Cisco ASA security
appliance
Describe SCEP proxy operations
Module 2: Cisco ASA Adaptive Security Appliance Clientless Remote Access SSL VPN Solutions
o Lesson 1: Deploying Basic Clientless VPN Solutions
Describe the building blocks of, and use cases for, the Cisco ASA clientless SSL VPN
solution
Plan the configuration of a clientless SSL VPN solution
Configure and verify basic Cisco ASA security appliance gateway features and gateway
authentication for a clientless SSL VPN
Configure and verify password-based local user authentication in a clientless SSL VPN
Configure and verify basic access control in a clientless SSL VPN
Tune and verify the gateway content-rewriting features
Troubleshoot VPN session establishment between a browser client and a Cisco ASA
security appliance gateway
o Lesson 2: Deploying Advanced Application Access for Clientless SSL VPNs
Plan the deployment of clientless SSL VPN application-access features
Configure and verify application plug-ins
Configure and verify smart tunnels in clientless SSL VPNs
Troubleshoot advanced application access in clientless SSL VPNs
o Lesson 3: Deploying Advanced Authentication and SSO for Clientless SSL VPNs
Design clientless SSL VPN authentication
Deploy client-side certificate-based authentication
Configure and verify multiple client authentications
Troubleshoot the integration of a clientless SSL VPN with PKI
Configure and verify clientless VPN SSO methods
Troubleshoot clientless VPN SSO methods
o Lesson 4: Customizing the Clientless SSL VPN User Interface and Portal
Configure and verify basic customization of the VPN portal navigation pages
Configure and verify complete portal HTML customization
Configure and verify portal localization
Configure and verify portal help customization
Configure and verify application-integration customization
Module 3: Cisco AnyConnect Remote Access SSL Solutions
o Lesson 1: Deploying a Basic Cisco AnyConnect Full-Tunnel SSL VPN Solution
Describe the operation of full-tunnel SSL VPN technology
Plan, configure, and verify the gateway features of the Cisco ASA security appliance for a
Cisco AnyConnect full-tunnel SSL VPN solution
Configure and verify password-based local user authentication and client IP address
assignment for a full-tunnel SSL VPN
Configure basic access control and split tunneling for a full-tunnel SSL VPN
Install, configure, and verify Cisco AnyConnect 3.0 using the predeployment method
Troubleshoot VPN session establishment between a Cisco AnyConnect client and a Cisco
ASA security appliance gateway
o Lesson 2: Deploying an Advanced Cisco AnyConnect Full-Tunnel SSL VPN Solution
Describe the tasks that you use to configure centrally controlled client functions for
Cisco AnyConnect clients
Deploy DTLS on the Cisco ASA security appliance
Deploy and upgrade Cisco AnyConnect from a Cisco ASA gateway
Configure and verify Cisco AnyConnect XML profiles
Configure and verify the Cisco AnyConnect Trusted Network Detection, scripting, and
SBL features
Customize and verify the Cisco AnyConnect user interface
o Lesson 3: Deploying Advanced Authentication, Authorization, and Accounting in Cisco Full-Tunnel
VPNs
Choose a gateway and user authentication method in Cisco AnyConnect full-tunnel SSL
VPNs
Plan the deployment of advanced client authentication
Configure and verify the local CA on the Cisco ASA security appliance and the Cisco
AnyConnect client with client certificates that are provisioned by the Cisco ASA security
appliance
Configure and verify the Cisco ASA security appliance and Cisco AnyConnect client to use
an external CA and provision client certificates
Configure SCEP proxy for Cisco AnyConnect
Configure and verify integration with supporting PKI entities
Configure multiple client authentication
Troubleshoot advanced client authentication in full-tunnel SSL VPNs
Configure and verify local and remote group policy authorization in a Cisco full-tunnel
SSL VPN
Configure and verify local and remote group policy accounting in a Cisco full-tunnel SSL
VPN
Module 4: Cisco ASA Adaptive Security Appliance Remote Access IPsec VPNs
o Lesson 1: Deploying Cisco Remote Access VPN Clients
Describe the operation of IPsec VPN technology
Choose the appropriate Cisco VPN Client product
Install, configure, and verify the installation of the legacy Cisco IPsec VPN Client
Configure and verify the legacy Cisco IPsec VPN Client profiles
Configure and verify advanced legacy Cisco IPsec VPN Client profile settings
Install, configure, and verify the installation of Cisco AnyConnect 3.0
Configure and verify the auto-initiation feature of Cisco AnyConnect 3.0
Troubleshoot Cisco remote access VPN session establishment
o Lesson 2: Deploying Basic Cisco Remote Access IPsec VPN Solutions
Plan the configuration of a Cisco remote access IPsec VPN gateway
Configure and verify basic Cisco ASA gateway features and gateway authentication in
Cisco remote access IPsec VPNs
Configure and verify Cisco remote access VPN PSK-based peer authentication
Configure and verify Cisco remote access VPN extended authentication
Configure and verify Cisco remote access VPN hybrid authentication
Configure and verify Cisco remote access VPN local IP address management
Configure and verify Cisco remote access VPN basic access control and split tunneling
Configure IKEv2 support for remote access IPsec VPN solutions
Troubleshoot Cisco remote access VPN session establishment between a Cisco VPN
client and a Cisco ASA gateway
Module 5: Cisco ASA Adaptive Security Appliance Site-to-Site IPsec VPN Solutions
o Lesson 1: Deploying Basic Site-to-Site IPsec VPNs
Plan a Cisco ASA security appliance site-to-site VPN
Configure and verify basic peer authentication in a Cisco ASA security appliance site-to-site VPN
Configure and verify transmission protection in a Cisco ASA security appliance site-to-site VPN
Troubleshoot the operation of a Cisco ASA security appliance site-to-site VPN
o Lesson 2: Deploying Advanced Site-to-Site IPsec VPNs
Plan a Cisco ASA security appliance site-to-site VPN using PKI-based authentication
Configure and verify PKI-based peer authentication in a Cisco ASA security appliance
site-to-site VPN
Troubleshoot the operation of a PKI-based Cisco ASA security appliance site-to-site VPN
Module 6: Endpoint Security and High Availability for Cisco ASA VPNs
o Lesson 1: Implementing Cisco Secure Desktop and DAP for SSL VPNs
Choose network admission features for Cisco AnyConnect full-tunnel SSL VPNs
Install, enable, and verify Cisco Secure Desktop on a Cisco ASA security appliance SSL
VPN gateway
Configure and verify Cisco Secure Desktop prelogin criteria on a Cisco ASA security
appliance SSL VPN gateway
Configure and verify Cisco Secure Desktop prelogin policies on a Cisco ASA security
appliance SSL VPN gateway
Configure and verify basic Cisco Secure Desktop Advanced Endpoint Assessment
features on a Cisco ASA security appliance SSL VPN gateway
Configure and verify DAPs that are enabled for Cisco Secure Desktop on a Cisco ASA
security appliance SSL VPN gateway
Troubleshoot Cisco Secure Desktop operations on a Cisco ASA security appliance SSL
VPN gateway
o Lesson 2: Deploying High-Availability Features in Cisco ASA Adaptive Security Appliance VPNs
Choose VPN high-availability and high-performance features
Configure and verify redundant peering with Cisco AnyConnect and IPsec client
Deploy active/standby failover for SSL and IPsec VPNs
Implement dynamic routing to achieve IPsec site-to-site VPN high availability
Describe the deployment of VPN load-balancing clusters
Provide high availability and high performance using an external SLB appliance
Troubleshoot Cisco ASA security appliance failover and VPN clustering functions

Labs:

Lab 2-1: Configuring Basic Clientless VPN Access on the Cisco ASA Security Appliance
Lab 2-2: Configuring Advanced Application Access for Clientless SSL VPNs
Lab 2-3: Customizing the SSL VPN Portal on the Cisco ASA Security Appliance
Lab 3-1: Configuring Basic Cisco AnyConnect Client Full-Tunnel SSL VPNs Using Local Password
Authentication
Lab 3-2: Deploying the Cisco AnyConnect Client with Centralized Management
Lab 3-3: Configuring Basic Cisco AnyConnect Full-Tunnel SSL VPNs Using Local CA and SCEP Proxy
Lab 4-1: Deploying Basic Remote Access IPsec VPN with IKEv2
Lab 5-1: Deploying a Basic Cisco ASA Security Appliance IPsec IKEv1 Site-to-Site VPN
Lab 6-1: Deploying Cisco Secure Desktop in Cisco SSL VPNs
Lab 6-2: Configuring a Load-Balancing SSL VPN Cluster
