
BY HENRIK MEYER // draft 2018.04.05 // https://henrikmeyer.wordpress.com

Table of Contents
Task 1
Task 2
Task 3
Task 4
Task 5
Task 1
Configure ASA16 and ASA17 for Active-Standby Failover and Static routing as follows:

ASA16
Interface GigabitEthernet0/0:
IP address Primary – Standby: 100.1.16.1/24 – 100.1.16.2/24
Name: outside
Security Level: 0

Interface GigabitEthernet0/1:
IP address Primary – Standby: 10.1.16.1/24 – 10.1.16.2/24
Name: inside
Security Level: 100

Interface Management0/0:
IP address Primary – Standby: 150.1.1.16/24 – 150.1.1.17/24
Name: mgmt
Security Level: 0

Static Routing:
Server1 and Server2 host routes should be available via next hop R13
Server3 and Server4 network routes should be available via next hop R13

Failover:
Unit: Primary
Lan & Link Interfaces: GigabitEthernet0/2
IP address Primary – Standby: 10.1.216.1/24 – 10.1.216.2/24
Name: failover

ASA17
Failover:
Unit: Secondary
Lan & Link Interfaces: GigabitEthernet0/2
IP address Primary – Standby: 10.1.216.1/24 – 10.1.216.2/24
Name: failover

Note:
Make sure that all interfaces are being monitored for this failover implementation.

Points: 3
Task 2
Configure ASA18 and ASA19 Clustering as follows:

NB: If you do not have cluster-enabled ASAs, configure Active-Standby Failover instead.

ASA18 Bootstrap
Interface Mode:
Spanned

Cluster Group: cluster1
Interface: GigabitEthernet0/2
IP address: 10.1.218.1/24
Unit Name: ASA18
Key: cisco
Role: Master

ASA18
Cluster Management Pool:
Name: mgmt-pool
IP range: 150.1.1.118-150.1.1.119

Management Interface:
Name: mgmt
IP address: 150.1.1.18/24
Security Level: 100

Interface GigabitEthernet0/0:
IP address: 10.1.18.1/24
Name: outside
Security Level: 0

Interface GigabitEthernet0/1:
IP address: 192.168.18.1/24
Name: inside
Security Level: 100

Network Address Translation:
Server1 should be accessible from interface inside via IP address 192.168.4.1
Objects used for the translation should be named “server1” and “server1_translated”
Server2 should be accessible from inside via IP address 2.5.168.192
Objects used for the translation should be named “server2” and “server2_translated”
Server3 should be accessible from inside via IP address 100.1.5.3
Objects used for the translation should be named “server3” and “server3_translated”
Server4 should be accessible from inside via IP address 4.1.9.100
Objects used for the translation should be named “server4” and “server4_translated”
Hide NAT all traffic from interface inside to outside behind the outside interface IP address

Traffic Filtering:
Server1 should be accessible only from security-group name “SGT1” for HTTP traffic at port 8080
Server2 should be accessible only from security-group name “SGT1” for TCP traffic at port 80
Server3 should be accessible only from security-group name “SGT2” for HTTP traffic at port 80
Server4 should be accessible only from security-group name “SGT2” for TCP traffic at port 8080
Access-list should be host specific only
Global access-list should be named “ACL-GLOBAL”

Static Routes:
Default route via next hop R13

ASA19 Bootstrap
Interface Mode:
Spanned

Cluster Group: cluster1
Interface: GigabitEthernet0/2
IP address: 10.1.218.2/24
Unit Name: ASA19
Key: cisco
Role: Slave

Note:
Any information not provided can be assumed by the candidate.

Points: 4
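One way ASA18 could be configured to meet this task, written here as an added example answer in ASA CLI (not the workbook's own solution). It assumes a spanned-mode cluster, which requires the data interfaces to be EtherChannels (port-channel numbers 10 and 11 are chosen here), and uses placeholder values for Server1's real address and R13's next-hop address, neither of which the task states; Server2 to Server4 follow the same object/NAT/ACL pattern.

```cisco
! ASA18 (master) -- example answer. Bootstrap: spanned mode, cluster control link on Gi0/2
cluster interface-mode spanned force
interface GigabitEthernet0/2
 no shutdown
cluster group cluster1
 local-unit ASA18
 cluster-interface GigabitEthernet0/2 ip 10.1.218.1 255.255.255.0
 priority 1
 key cisco
 enable
! Per-unit management addresses come from the pool; 150.1.1.18 follows the master
ip local pool mgmt-pool 150.1.1.118-150.1.1.119 mask 255.255.255.0
interface Management0/0
 management-only
 nameif mgmt
 security-level 100
 ip address 150.1.1.18 255.255.255.0 cluster-pool mgmt-pool
! Spanned mode: data interfaces must be cluster-spanned EtherChannels (assumed Po10/Po11)
interface GigabitEthernet0/0
 channel-group 10 mode active
 no shutdown
interface Port-channel10
 port-channel span-cluster
 nameif outside
 security-level 0
 ip address 10.1.18.1 255.255.255.0
interface GigabitEthernet0/1
 channel-group 11 mode active
 no shutdown
interface Port-channel11
 port-channel span-cluster
 nameif inside
 security-level 100
 ip address 192.168.18.1 255.255.255.0
! Server1: real address is a placeholder (not given in the task); inside hosts reach it as 192.168.4.1
object network server1
 host 203.0.113.1
object network server1_translated
 host 192.168.4.1
nat (outside,inside) source static server1 server1_translated
! Hide NAT as object NAT (section 2), evaluated after the manual static rules above (section 1)
object network inside-net
 subnet 192.168.18.0 255.255.255.0
 nat (inside,outside) dynamic interface
! Global ACL keyed on the source SGT; ACLs match the real (pre-NAT) server address, so use object server1
access-list ACL-GLOBAL extended permit tcp security-group name SGT1 any object server1 eq 8080
access-group ACL-GLOBAL global
! Default route toward R13 (next-hop address is a placeholder, not given in the task)
route outside 0.0.0.0 0.0.0.0 10.1.18.254
```

ASA19 receives only the bootstrap block with `local-unit ASA19`, `cluster-interface GigabitEthernet0/2 ip 10.1.218.2 255.255.255.0` and a lower priority (higher number); interface, NAT and ACL configuration replicates from the master.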
Task 3
Configure ASA20 and ASA21 for Active-Standby Failover and EIGRP routing as follows:

ASA20
Interface GigabitEthernet0/0:
IP address Primary – Standby: 100.1.20.1/24 – 100.1.20.2/24
Name: outside
Security Level: 0

Interface GigabitEthernet0/1:
IP address Primary – Standby: 10.1.20.1/24 – 10.1.20.2/24
Name: inside
Security Level: 100

Interface Management0/0:
IP address Primary – Standby: 150.1.1.20/24 – 150.1.1.21/24
Name: mgmt
Security Level: 50

EIGRP Routing:
AS number: 14
Network: 10.1.20.0/24

EIGRP Authentication:
Mode: md5
Key-id: 1
Password: cisco

Failover:
Unit: Primary
Lan & Link Interfaces: GigabitEthernet0/2
IP address Primary – Standby: 10.1.220.1/24 – 10.1.220.2/24
Name: failover

ASA21
Failover:
Unit: Secondary
Lan & Link Interfaces: GigabitEthernet0/2
IP address Primary – Standby: 10.1.220.1/24 – 10.1.220.2/24
Name: failover

Note:
Make sure that all interfaces are being monitored for this failover implementation.

Points: 3
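The failover and EIGRP parts of this task in ASA CLI, as an added example answer that is not the workbook's own solution; Task 1 follows the same failover pattern with its own addresses, mgmt security level 0, and static `route` statements toward R13 in place of the EIGRP section.

```cisco
! ASA20 (primary unit) -- example answer for Task 3
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 100.1.20.1 255.255.255.0 standby 100.1.20.2
 no shutdown
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.20.1 255.255.255.0 standby 10.1.20.2
 no shutdown
interface Management0/0
 nameif mgmt
 security-level 50
 ip address 150.1.1.20 255.255.255.0 standby 150.1.1.21
 no shutdown
! EIGRP AS 14 on the inside network, MD5-authenticated so an unauthenticated neighbour cannot inject routes
router eigrp 14
 network 10.1.20.0 255.255.255.0
interface GigabitEthernet0/1
 authentication mode eigrp 14 md5
 authentication key eigrp 14 cisco key-id 1
! Failover bootstrap: Gi0/2 carries both the failover LAN (hello/config sync) and the stateful link
failover lan unit primary
failover lan interface failover GigabitEthernet0/2
failover link failover GigabitEthernet0/2
failover interface ip failover 10.1.220.1 255.255.255.0 standby 10.1.220.2
interface GigabitEthernet0/2
 no shutdown
! Monitor every named interface explicitly so a failure on any of them can trigger failover
monitor-interface outside
monitor-interface inside
monitor-interface mgmt
failover
!
! ASA21 (secondary unit) needs only the bootstrap; everything else is replicated from the primary
failover lan unit secondary
failover lan interface failover GigabitEthernet0/2
failover link failover GigabitEthernet0/2
failover interface ip failover 10.1.220.1 255.255.255.0 standby 10.1.220.2
interface GigabitEthernet0/2
 no shutdown
failover
```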
Task 4
Configure Interfaces & Access Policy on NGIPSv1 as follows:

Interface Eth1:
Type: Inline
Security Zone: External

Interface Eth2:
Type: Inline
Security Zone: Internal

Rule #1:
Name: EIGRP
EIGRP AS 14 routing process should be trusted only between R13 and R14
Objects used for this rule should be named “obj-R13” and “obj-R14”
Enable logging at the beginning of the connection

Rule #2:
Name: HTTP8080
Allow only HTTP traffic on port 8080 from client network 10.1.18.0/24 to objects “obj-Server1” and “obj-Server4”
Client network should be in Security Zone External
Server1 and Server4 should be in Security Zone Internal
Enable logging at the beginning of the connection

Rule #3:
Name: TCP8080
Allow TCP port 8080 traffic from client network 172.16.16.0/24 to objects “obj-Server1” and “obj-Server4”
Client network should be in Security Zone External
Server1 and Server4 should be in Security Zone Internal
Enable logging at the beginning of the connection

Note:
Make sure you do not permit any unwanted traffic.
Any information not provided can be assumed by the candidate.

Points: 6
Task 5
Configure Interfaces & Access Policy on NGIPSv2 as follows:

Interface Eth1:
Type: Inline
Security Zone: Internal

Interface Eth2:
Type: Inline
Security Zone: External

Rule #1:
Name: EIGRP
EIGRP AS 14 routing process should be trusted only between R15 and R14
Objects used for this rule should be named “obj-R15” and “obj-R14”
Enable logging at the beginning of the connection

Rule #2:
Name: HTTP80
Allow only HTTP traffic on port 80 from client network 10.1.20.0/24 to objects “obj-Server2” and “obj-Server3”
Client network should be in Security Zone External
Server2 and Server3 should be in Security Zone Internal
Enable logging at the beginning of the connection

Rule #3:
Name: TCP80
Allow TCP port 80 traffic from client network 192.168.1.0/24 to objects “obj-Server2” and “obj-Server3”
Client network should be in Security Zone External
Server2 and Server3 should be in Security Zone Internal
Enable logging at the beginning of the connection

Note:
Make sure you do not permit any unwanted traffic.
Any information not provided can be assumed by the candidate.

Points: 6