Cisco Archives

Trainsignal Vs CBT Nuggets Training

IT technology and computer/data networking are two hot career paths that many people get into hopping for a successful professional establishment. However, as technology demands get higher and higher, professional qualifications (such as technical certifications) are now a necessity for people trying to get a job in IT or networking. Most companies now require several professional certifications from candidate employees before even considering their application for employment.

Cisco and Microsoft are the two hottest and most prestigious companies that offer technical certification paths. Personally I pursued certifications from both companies, but my main focus is on Cisco (my Microsoft certifications have expired long time ago!!). I get a lot of questions from people seeking a Cisco certification regarding the best study and training option. I always tell them that their best option is first of all determination and discipline and then anything else. If certification candidates have those two characteristics then they only need a good training and study methodology to pass their exams guaranteed.

I have always liked CBT (Computer Based Training) style trainings because they combine both self-study and instructor based training methods. CBT is basically Video based training where you get high quality DVD video tutorials with an actual instructor teaching the course in the video. The two biggest companies in the industry offering CBT video trainings are TrainSignal and CBT Nuggets. They are both excellent options for using towards your certification exam preparation. They both offer trainings on Cisco, Microsoft, VMWare, CompTIA etc. I have read testimonials in various forums for both companies (regarding Cisco Trainings) and the conclusion is that TrainSignal offers the most complete exam coverage and details but CBT Nuggets is less boring but does not cover all exam topics. The instructor of Cisco trainings in Trainsignal is Chris Bryant who is more focused on teaching you all the details required to pass the exam, but he is not as exciting and “funny” as Jeremy Cioara (the instructor of CBT Nuggets). Anyhow, I have personally used TrainSignal training for passing my CCNP exams and was very satisfied with the quality of the training. Check out the following comparison table between Trainsignal Vs CBT Nuggets for CCNA Video Training to get a better picture of the two options and decide which one is best for you (in case you are studying for a CCNA certification).

Policy NAT on Cisco ASA Firewall

As we know, the conventional NAT functionality on Cisco devices (routers, ASA firewalls etc) translates the SOURCE IP address to something else. There is also the so called “Destination based NAT” (or you may see it referred as “Reverse NAT”) which changes the destination IP address. Here we will deal with conventional source based NAT with a policy.

Sometimes we need to change the source IP address to another source address (lets call it “translated-A”) when we are communicating with “destination-A”, and also change the source IP to “translated-B” when we are communicating with “destination-B”.

 So, to be clearer, the scenario is the following:

  • When internal host wants to communicate with external host, then the internal host must be translated to
  • When the internal host wants to communicate with external host, then the internal host must be translated to

 We can achieve the functionality above with Policy-Based NAT.

Configuration Example:

Assume that the internal host is connected to the inside interface of ASA. We have also in our possession the public IP range We will use the public IP range to translate our internal host according to the destination.

! First create the access lists for the policy NAT
ASA(config)# access-list POLICYNAT-A extended permit ip host host
ASA(config)# access-list POLICYNAT-B extended permit ip host host

! Now create the static NAT translation for Destination-A
ASA(config)# static(inside,outside) access-list POLICYNAT-A

! Now create the static NAT translation for Destination-B
ASA(config)# static(inside,outside) access-list POLICYNAT-B

The above commands will do the following: When source address is and destination address is, then change the source address to

Similarly, when source address is and destination is, then change the source address to

The above static nat commands will only take effect if and only if the traffic is between the hosts referenced in the access-lists (either inbound or outbound traffic).

SNMP stands for Simple Network Management Protocol. Up to ASA software 8.1, the SNMP version supported was v1 and v2c. The newest ASA software 8.2 supports also SNMP v3 which is the most secure snmp protocol version.

The ASA works as an SNMP server (or agent), so you need also a Network Management System (NMS) which will act as the SNMP manager in order to provide network monitoring and management functionality. The NMS is basically a management server such as the CiscoWorks product. With the NMS you can either poll the ASA appliance to collect information, or the ASA appliance can send snmp traps (event notifications) to the NMS server. SNMP Traps are sent on UDP port 162 and SNMP poll uses UDP port 161. So, the ASA will listen on udp 161 and the NMS will listen on udp 162 and 161.

Configuring SNMP

 Step1: Enable the snmp server on the ASA

ASA(config)# snmp-server enable

Step2: Identify the NMS host that can connect to the ASA for SNMP management

ASA(config)# snmp-server host [interface_name][ ip_address] community [community string]

Where “interface name” is the ASA interface through which the NMS can be reached, and “ip address” is the NMS address. “community string” is like a preshared password which must be configured on both the ASA and the NMS in order for the two elements to communicate.

Step3: Specify the ASA community string

 ASA(config)# snmp-server community [community string]

Step4: Enable the ASA to send snmp traps to the NMS

 ASA(config)# snmp-server enable traps [all | snmp [trap] [trap] ]

The default configuration has all snmp traps enabled (snmp-server enable traps snmp authentication linkup linkdown coldstart). It is recommended to leave all traps enabled as the default setting.

Configuration Example:

ASA(config)# snmp-server enable
ASA(config)# snmp-server host inside community somesecretword
ASA(config)# snmp-server community somesecretword
ASA(config)# snmp-server enable traps snmp authentication linkup linkdown coldstart

Virtual private networks, and really VPN services of many types, are similar in function but different in setup. In a previous post (anyconnect ssl vpn) I briefly explained the general functionality of a new remote access vpn technology, the AnyConnect SSL client VPN. The Cisco AnyConnect VPN is supported on the new ASA 8.x software version and provides remote access to users with just a secure Web Browser (https). The AnyConnect client software supports Windows Vista, XP, 2000, MAC OS X and Linux. The client can either be preinstalled to remote user’s PC or it can be loaded to ASA flash and uploaded to remote user’s PC when they connect to the ASA. You have also the option to uninstall the client from the remote user when he/she disconnects from the ASA.

EDIT: My new ebook, “Cisco VPN Configuration Guide – By Harris Andrea” provides a comprehensive technical tutorial about all types of VPNs that you can configure on Cisco Routers and ASA Firewalls (including of course SSL Anyconnect or IPSEC Remote Access VPNs).

In this post I will explain the technical details to configure AnyConnect SSL VPN on Cisco ASA 5500. I assume that we use the AnyConnect client version 2.0 which will be stored on ASA flash and uploaded to remote user on demand. The same configuration applies for newer versions of AnyConnect. The remote users, after successful authentication, will receive an IP address from local ASA pool The internal ASA network will use subnet range

Therefore, after the remote user successfully authenticates on Cisco ASA with the AnyConnect client, he will receive an IP address in the range to 50 and he will be able to access resources in the internal LAN network

Upload AnyConnect to ASA

The first step is to obtain the AnyConnect client software from the Cisco Software Download Website. You will need to download the appropriate software version according to the Operating System that your users have on their computers.

Assume the software vpn client file is “anyconnect-win-2.0.0343-k9.pkg”.

ASA(config)# copy tftp flash
Address or name of remote host ?
Source filename ? anyconnect-win-2.0.0343-k9.pkg
Destination filename [anyconnect-win-2.0.0343-k9.pkg]?

Accessing tftp://…!!!!!!!!!!!!!
Writing file disk0:/anyconnect-win-2.0.0343-k9.pkg…

Configuring the Cisco ASA

! Specify the AnyConnect image to be downloaded by users
ASA(config-webvpn)#anyconnect image disk0:/anyconnect-win-2.0.0343-k9.pkg 1

! Enable AnyConnect access on the outside ASA interface
ASA(config-webvpn)#enable outside
ASA(config-webvpn)#anyconnect enable

! Create a local IP address pool to assign for remote users
ASA(config)# ip local pool SSLClientPool mask

! Configure NAT exemption for traffic between internal LAN and remote users

For ASA Version prior to 8.3
ASA(config)#access-list NONAT extended permit ip

ASA(config)# nat (inside) 0 access-list NONAT

For ASA Version 8.3 and later

object network INSIDE-HOSTS
 object network VPN-HOSTS
 nat (inside,outside) source static INSIDE-HOSTS INSIDE-HOSTS  destination static VPN-HOSTS VPN-HOSTS

! Create usernames that will use the AnyConnect remote access only
ASA(config)#username userA password test123
ASA(config)#username userA attributes
ASA(config-username)# service-type remote-access

ASA(config)#username userB password test12345
ASA(config)#username userB attributes
ASA(config-username)# service-type remote-access

! Create a group policy with configuration parameters that should be applied to clients (there are two options available here according to the ASA version you are running)

ASA(config)# group-policy SSLCLientPolicy internal

ASA(config)# group-policy SSLCLientPolicy attributes
ASA(config-group-policy)# dns-server value
ASA(config-group-policy)# vpn-tunnel-protocol svc
ASA(config-group-policy)# address-pools value SSLClientPool

ASA(config)# group-policy SSLCLientPolicy internal
ASA(config)# group-policy SSLCLientPolicy attributes
ASA(config-group-policy)# dns-server value
ASA(config-group-policy)# address-pools value SSLClientPool
ASA(config-group-policy)# webvpn
ASA(config-group-webvpn))#vpn-tunnel-protocol svc

! Allow the AnyConnect traffic to bypass access lists
ASA(config)# sysopt connection permit-vpn

! Create tunnel group profile to define connection parameters
ASA(config)# tunnel-group SSLClientProfile type remote-access
ASA(config)# tunnel-group SSLClientProfile general-attributes
ASA(config-tunnel-general)# default-group-policy SSLCLientPolicy
ASA(config-tunnel-general)# tunnel-group SSLClientProfile webvpn-attributes
ASA(config-tunnel-webvpn)# group-alias SSLVPNClient enable
ASA(config-tunnel-webvpn)# webvpn
ASA(config-webvpn)#tunnel-group-list enable

How to Connect

The user just needs to open a browser and go to https://[outside ASA IP]

The login screen is displayed as below example:

On “Group” field enter the name of the tunnel group SSLClientProfile or SSLVPNClient (group alias name).

On “Username” and “Password” field enter the user credentials (e.g UserA, test123)

How to Configure Clock and NTP on Cisco ASA 5500

The Cisco ASA appliance retains clock settings in memory via a battery on the device motherboard. Even if the device is turned off, the clock is retained in memory. Configuring accurate time settings on the appliance is important for logging purposes since syslog messages can contain a time stamp according to the device clock time setting. If you want the syslog messages to include a time-stamp value, you must first configure the clock (using clock set command) and then enable time-stamps using logging timestamp command (more on syslog configuration in later sections). Having a time-stamp value on log messages is important for event tracing and forensic purposes when a security incident occurs.

Another important reason for setting the correct time on the ASA firewall is when you use PKI (Public Key Infrastructure) with digital certificates for authentication of IPSEC VPN peers. The ASA firewall uses the local appliance clock to make sure that a Digital Certificate is not expired. When using PKI digital certificates, set the firewall clock to UTC time zone.

Configure Clock Settings:

To configure the clock settings of the ASA appliance, use the clock set command as shown below:

ciscoasa# clock set hh:mm:ss [day month | month day] year


ciscoasa# clock set 18:30:00 Apr 10 2009

To verify the correct clock on the appliance, use the show clock command.

Configure Time Zone and Daylight Saving Time:

To configure the time zone and the summer daylight saving time use the commands below:

ciscoasa# config t
ciscoasa(config)# clock timezone [zone name] [offset hours from UTC]
ciscoasa(config)# clock summer-time [zone name] recurring [week weekday month hh:mm week weekday month hh:mm] [offset]


ciscoasa(config)# clock timezone MST -7
ciscoasa(config)# clock summer-time MST recurring 1 Sunday April 2:00 last Sunday October 2:00

Configure Network Time Protocol (NTP):

If there is an NTP server in the network that provides accurate clock settings, then you can configure the firewall to synchronize its time with the NTP server. Both an authenticated and non-authenticated NTP is supported:

Non-Authenticated NTP:

ciscoasa(config)# ntp server [ip address of NTP] source [interface name]


ciscoasa(config)# ntp server source inside

Authenticated NTP:

ciscoasa(config)# ntp authenticate
ciscoasa(config)# ntp authentication-key [key ID] md5 [ntp key]
ciscoasa(config)# ntp trusted-key [key ID]
ciscoasa(config)# ntp server [ip address of NTP] key [key ID] source [intf name]


ciscoasa(config)# ntp authenticate
ciscoasa(config)# ntp authentication-key 32 md5 secretkey1234
ciscoasa(config)# ntp trusted-key 32
ciscoasa(config)# ntp server key 32 source inside

The convenience and advantages of secure VPNs has driven the specific technology to keep evolving continuously. Several years ago we only had the standardized IPSec VPN (which still strongly exists today). IPSec is a pure IP network VPN technology for connecting distant LAN networks over unsecured paths. Also, IPSec is used for client VPNs connecting remote teleworkers to their central site network. The characteristic of IPSec VPNs is that it provides FULL network connectivity between the VPN peers. That is, a remote access client IPSec VPN will connect the remote user to the central network just like the user would be locally connected.

After IPsec, the Web SSL VPN made its appearance. The remote user needs just a Web Browser with HTTPs to connect to the central site network. After authentication, the user is presented with a Web portal with links to the applications he is allowed to run. That is, the Web SSL VPN does not provide full network visibility to the remote user. The user has access only to specific applications (like internal email, internal files etc). Both IPSec VPNs and SSL VPNs are supported by Cisco ASA 5500 firewalls.

The newest generation of remote access VPNs is offered from Cisco AnyConnect SSL VPN client. This is supported by Cisco ASA 8.x. The AnyConnect SSL VPN provides the best features from both of the other VPN technologies (IPSec and Web SSL). With AnyConnect, the remote user has full network connectivity to the central site. Also, it offers the convenience of the Web SSL since there is no need to install an IPSec VPN client permanently to the user’s computer. Instead, there is an SSL client stored in the ASA flash memory which is downloaded to the remote user’s computer on demand.

How AnyConnect SSL VPN Client works

For first time user connection, the remote teleworker just opens a browser pointing to https://<ASA-outside-public-IP>. The browser connects to the ASA firewall and presents the user with a login screen. The user enters his credentials (username/password) and the ASA identifies that the user does not have the SSL client installed. Therefore it pushes the SSL client to the user’s computer. The client installs itself to the remote PC and establishes a secure SSL VPN connection between the remote user and the ASA. The user is also assigned an IP address from an address pool configured on the ASA and has full network access to the central site. When the SSL connection is stopped, the SSL client either uninstalls itself or remains on the user’s PC (depending on the configuration of the ASA).

In the case of a previously installed client, when the user authenticates, the security appliance examines the revision of the client, and upgrades the client as necessary.

The AnyConnect SSL client can be downloaded from the security appliance, or it can be installed manually on the remote PC by the system administrator.

In another post I will explain how to configure the AnyConnect SSL VPN on a Cisco ASA 5500 firewall.

Cisco ASA 5505 Basic Configuration Tutorial

The Cisco ASA 5505 Firewall is the smallest model in the new 5500 Cisco series of hardware appliances. Although this model is suitable for small businesses, branch offices or even home use, its firewall security capabilities are the same as the biggest models (5510, 5520, 5540 etc). The Adaptive Security technology of the ASA firewalls offers solid and reliable firewall protection, advanced application aware security, denial of service attack protection and much more. Moreover, the performance of the ASA 5505 appliance supports 150Mbps firewall throughput and 4000 firewall connections per second, which is more than enough for small networks.

In this article I will explain the basic configuration steps needed to setup a Cisco 5505 ASA firewall for connecting a small network to the Internet. We assume that our ISP has assigned us a static public IP address (e.g as an example) and that our internal network range is We will use Port Address Translation (PAT) to translate our internal IP addresses to the public address of the outside interface. The difference of the 5505 model from the bigger ASA models is that it has an 8-port 10/100 switch which acts as Layer 2 only. That is, you can not configure the physical ports as Layer 3 ports, rather you have to create interface Vlans and assign the Layer 2 interfaces in each VLAN. By default, interface Ethernet0/0 is assigned to VLAN 2 and its the outside interface (the one which connects to the Internet), and the other 7 interfaces (Ethernet0/1 to 0/7) are assigned by default to VLAN 1 and are used for connecting to the internal network. Let’s see the basic configuration setup of the most important steps that you need to configure. The diagram below illustrates the network topology for the configuration setup that we will describe. Notice from the diagram that port Ethernet0/0 connects to the Internet, and ports Ethernet0/1 to 7 connect to internal hosts (PC computers etc).

Step1: Configure the internal interface vlan

ASA5505(config)# interface Vlan 1
ASA5505(config-if)# nameif inside
ASA5505(config-if)# security-level 100
ASA5505(config-if)# ip address
ASA5505(config-if)# no shut

Step 2: Configure the external interface vlan (connected to Internet)

ASA5505(config)# interface Vlan 2
ASA5505(config-if)# nameif outside
ASA5505(config-if)# security-level 0
ASA5505(config-if)# ip address
ASA5505(config-if)# no shut

Step 3: Assign Ethernet 0/0 to Vlan 2

ASA5505(config)# interface Ethernet0/0
ASA5505(config-if)# switchport access vlan 2
ASA5505(config-if)# no shut

Step 4: Enable the rest interfaces with no shut

ASA5505(config)# interface Ethernet0/1
ASA5505(config-if)# no shut

Do the same for Ethernet0/1 to 0/7.

Step 5: Configure PAT on the outside interface

ASA5505(config)# global (outside) 1 interface
ASA5505(config)# nat (inside) 1

UPDATE for ASA Version 8.3

From March 2010, Cisco announced the new Cisco ASA software version 8.3. This version introduced several important configuration changes, especially on the NAT/PAT mechanism. The “global” command is no longer supported. NAT (static and dynamic) and PAT are configured under network objects. The PAT configuration below is for ASA 8.3 and later:

object network obj_any
nat (inside,outside) dynamic interface

Step 6: Configure default route towards the ISP (assume default gateway is

ASA5505(config)# route outside 1

The above steps are the absolutely necessary steps you need to configure for making the appliance operational. Of course there are much more configuration details that you need to implement in order to enhance the security and functionality of your appliance, such as Access Control Lists, Static NAT, DHCP, DMZ zones, authentication etc.

Download the best configuration tutorial for any Cisco ASA 5500 Firewall model HERE.

Cisco ASA 5580

Cisco ASA 5580 Features

The 5580 is the Flag-Ship Cisco ASA model. It comes as two versions, the ASA 5580-20 and the ASA 5580-40, which differ in the performance parameters. The ASA 5580 is basically an HP Server Chassis with 6 slots on the back for inserting interface card modules. The 5580 is designed for the largest and most traffic demanding network topologies. It is ideal for high-speed data centers and large campus networks. It supports the largest firewall throughput in the hardware firewall market, with 5 Gbps (5580-20) and 10 Gbps (5580-40) capacity. It is also the only model supporting 10Gbps interfaces. Like the 5550, it does not support an embedded Security Services Module (SSM), so you cannot integrate an IDS/IPS functionality inside the same chassis.
Let’s see the features of the ASA 5580 in more detail below: Read the rest of this entry

 Page 5 of 10  « First  ... « 3  4  5  6  7 » ...  Last »