Cisco Archives

How to Pass Your CCNA Exam

If you really want to know how to pass your CCNA (Cisco Certified Network Associate) exam, then you will want to read every word of this article. There are several key areas that you need to master to give yourself the best chance of passing the CCNA test.

You will want to get comfortable with all the different areas of information. As with anything else you want to achieve, the true key is not whether you can gather a multitude of books, manuals or other learning materials; it is whether you have the determination and drive to get the job done.

There are so many types of learning guides and materials out there, so many in fact that you can be weighed down by information overload. This happens when you continually seek out new material (and there is a ton of it out there) until you have so much that it all becomes confusing instead of easier. Many of the so-called "can't miss" study courses on offer only give you a false sense of knowledge.

Only once you realize that passing your CCNA exam will take hard work and dedication on your part, because it is a very difficult test to pass, will your journey get better.

Once you decide that you are ready to embark on the journey of passing the CCNA exam, the next step is to set out a realistic time frame to do so. When you set this time frame, be honest with yourself. There is nothing worse than trying to complete the Cisco certification in less time than you are physically or mentally able to handle.
 
Once a realistic time frame is in place, it is nice to have a calendar with your time schedule in front of you to keep you focused and determined to meet your schedule. Also, a weekend excursion away, a bottle of finely aged wine, or anything else that will keep you going when times get tough is recommended.

Now, the CCNA exam is one of those certifications for which proper training is required in order to pass. You can go for instructor-led classroom training (usually a 5-day boot camp) and get the required training. However, this option is very expensive and study intensive, since you are not studying at your own pace. The other great option is computer-based training (usually video training style), where you get videos plus audio plus many practice questions and instructor notes for complete training in your home. What I used personally to pass my Cisco exams (CCNA, CCNP, CCSP) is the Trainsignal Video Training packages, which offer excellent value and in-depth training to pass the CCNA or any other Cisco exam. Check out the Trainsignal website for more information.

In addition to the training I suggest above, I also recommend getting some tangible book study material that others have used successfully. Here are some books that you should look into:

  1. Cisco Press CCNA Study Guide
  2. Jeremy Cioara’s Exam Cram and Prep Guide
  3. Any books on the subject by Todd Lammle.

I highly recommend the Cisco Press books. These books are usually the best because they come from the actual exam giver, Cisco. Therefore, the exercises and test questions will be very relevant to what you’ll see on the exam. Moreover, a Cisco Press book will be a great reference even after you pass your CCNA exam.

Having some highlighters and a notepad is a must so you can go back for easy review of any topic that you studied. Whenever you have some extra time, even just five or ten minutes, you can whip out your study notes and do a quick review. This will keep you sharp and get you into good study habits.

Perhaps the best resource you can find is the actual people who have gone through and passed their CCNA exam. You don't have to meet them face to face. Because of the speed and convenience of the Internet, you can find them online and seek any and all information you need.

Talking with people who have gone through and learned how to pass the CCNA exam is an easier way to learn than any book or course you could buy. Real-life experience is better than any book ever printed. Good luck with your CCNA certification efforts.

Trainsignal Vs CBT Nuggets Training

IT and computer/data networking are two hot career paths that many people get into, hoping for a successful professional career. However, as technology demands get higher and higher, professional qualifications (such as technical certifications) are now a necessity for people trying to get a job in IT or networking. Most companies now require several professional certifications from candidates before even considering their application for employment.

Cisco and Microsoft are the two hottest and most prestigious companies that offer technical certification paths. Personally I pursued certifications from both companies, but my main focus is on Cisco (my Microsoft certifications expired a long time ago!). I get a lot of questions from people seeking a Cisco certification about the best study and training option. I always tell them that their best option is first of all determination and discipline, and then anything else. If certification candidates have those two characteristics, then they only need a good training and study methodology to pass their exams, guaranteed.

I have always liked CBT (Computer Based Training) style trainings because they combine both self-study and instructor-based training methods. CBT is basically video-based training where you get high-quality DVD video tutorials with an actual instructor teaching the course in the video. The two biggest companies in the industry offering CBT video trainings are TrainSignal and CBT Nuggets. They are both excellent options to use for your certification exam preparation. They both offer trainings on Cisco, Microsoft, VMware, CompTIA etc. I have read testimonials in various forums for both companies (regarding Cisco trainings) and the conclusion is that TrainSignal offers the most complete exam coverage and detail, while CBT Nuggets is less boring but does not cover all exam topics. The instructor of the Cisco trainings at TrainSignal is Chris Bryant, who is more focused on teaching you all the details required to pass the exam, but he is not as exciting and "funny" as Jeremy Cioara (the instructor at CBT Nuggets). Anyhow, I have personally used TrainSignal training to pass my CCNP exams and was very satisfied with the quality of the training. Check out the following comparison table between TrainSignal and CBT Nuggets for CCNA Video Training to get a better picture of the two options and decide which one is best for you (in case you are studying for a CCNA certification).

Policy NAT on Cisco ASA Firewall

As we know, the conventional NAT functionality on Cisco devices (routers, ASA firewalls etc.) translates the SOURCE IP address to something else. There is also so-called "Destination-based NAT" (you may also see it referred to as "Reverse NAT"), which changes the destination IP address. Here we will deal with conventional source-based NAT combined with a policy, meaning that the translation applied to the source depends on the destination of the traffic.

Sometimes we need to change the source IP address to one translated address (let's call it "translated-A") when communicating with "destination-A", and to a different translated address ("translated-B") when communicating with "destination-B".

So, to be clearer, the scenario is the following:

  • When internal host 192.168.1.1 wants to communicate with external host 100.100.100.1, the internal host must be translated to 50.50.50.1
  • When internal host 192.168.1.1 wants to communicate with external host 200.200.200.1, the internal host must be translated to 50.50.50.2

We can achieve the functionality above with Policy-Based NAT.

Configuration Example:

Assume that the internal host 192.168.1.1 is connected to the inside interface of the ASA. We also have in our possession the public IP range 50.50.50.0/24, which we will use to translate our internal host according to the destination. The commands below use the static NAT syntax of ASA software prior to 8.3.

! First create the access lists for the policy NAT
ASA(config)# access-list POLICYNAT-A extended permit ip host 192.168.1.1 host 100.100.100.1
ASA(config)# access-list POLICYNAT-B extended permit ip host 192.168.1.1 host 200.200.200.1

! Now create the static NAT translation for Destination-A
ASA(config)# static (inside,outside) 50.50.50.1 access-list POLICYNAT-A

! Now create the static NAT translation for Destination-B
ASA(config)# static (inside,outside) 50.50.50.2 access-list POLICYNAT-B

The above commands do the following: when the source address is 192.168.1.1 and the destination address is 100.100.100.1, change the source address to 50.50.50.1.

Similarly, when the source address is 192.168.1.1 and the destination is 200.200.200.1, change the source address to 50.50.50.2.

The static policy NAT entries take effect if and only if the traffic matches the hosts referenced in the access lists. Because the translation is static it is bidirectional: the access list is evaluated against the real (untranslated) addresses, so 100.100.100.1 can also initiate connections to 50.50.50.1 and have them forwarded to 192.168.1.1, subject to the outside interface access list. Traffic from 192.168.1.1 to any other destination matches neither entry and is handled by whatever other NAT rules exist (or, with nat-control enabled, is dropped if no rule matches).
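The same policy on ASA 8.3 and later, where the static/access-list form no longer exists and the translation is written as manual (twice) NAT with network objects. This is an added example, not part of the original post; the object names are my own, and the packet-tracer lines at the end show how to verify which rule a given flow hits.

```text
! ASA 8.3+ equivalent of the two policy NAT entries above (added example, not from the original post)
object network REAL-HOST
 host 192.168.1.1
object network MAPPED-A
 host 50.50.50.1
object network MAPPED-B
 host 50.50.50.2
object network DEST-A
 host 100.100.100.1
object network DEST-B
 host 200.200.200.1
!
! Manual NAT: the source is translated only when the destination also matches.
! The destination is mapped to itself (DEST-A DEST-A), i.e. it is left unchanged.
! Manual NAT rules are evaluated top down and the first match wins.
nat (inside,outside) source static REAL-HOST MAPPED-A destination static DEST-A DEST-A
nat (inside,outside) source static REAL-HOST MAPPED-B destination static DEST-B DEST-B
!
! Verification: which rule does each flow hit, and does the reverse direction work?
ASA# show nat detail
ASA# packet-tracer input inside tcp 192.168.1.1 40000 100.100.100.1 80
ASA# packet-tracer input inside tcp 192.168.1.1 40000 200.200.200.1 80
ASA# packet-tracer input outside tcp 100.100.100.1 40000 50.50.50.1 22
```

The packet-tracer output lists every phase the packet goes through, including the NAT rule that matched and the interface access list that allowed or dropped it, so it doubles as a check that the outside access list still gates connections initiated from 100.100.100.1 towards the mapped address.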

SNMP stands for Simple Network Management Protocol. Up to ASA software 8.1, the SNMP versions supported were v1 and v2c. ASA software 8.2 adds support for SNMP v3, which is the most secure version of the protocol because it can authenticate and encrypt each message instead of relying on a cleartext community string.

The ASA works as an SNMP agent, so you also need a Network Management System (NMS), which acts as the SNMP manager, to provide network monitoring and management functionality. The NMS is basically a management server such as the CiscoWorks product. With the NMS you can either poll the ASA appliance to collect information, or the ASA can send SNMP traps (event notifications) to the NMS. Polls are sent to UDP port 161 on the agent and traps are sent to UDP port 162 on the manager, so the ASA listens on UDP 161 and the NMS listens on UDP 162. The ASA only answers polls from NMS hosts that are listed with the snmp-server host command; requests from any other source are ignored.

Configuring SNMP

Step 1: Enable the SNMP server on the ASA

ASA(config)# snmp-server enable
 

Step 2: Identify the NMS host that can connect to the ASA for SNMP management

ASA(config)# snmp-server host [interface_name] [ip_address] [trap | poll] community [community string]

Where "interface_name" is the ASA interface through which the NMS can be reached, and "ip_address" is the NMS address. The optional trap or poll keyword restricts the host to receiving traps or to polling; if neither is given, both are allowed. The "community string" is like a preshared password which must be configured on both the ASA and the NMS in order for the two elements to communicate. Keep in mind that SNMP v1 and v2c send the community string in cleartext in every packet, so use a long random string rather than the well-known defaults ("public", "private"), and only allow NMS hosts on a trusted management network.

Step 3: Specify the ASA community string

ASA(config)# snmp-server community [community string]
 

Step 4: Enable the ASA to send SNMP traps to the NMS

ASA(config)# snmp-server enable traps [all | snmp [authentication] [linkup] [linkdown] [coldstart]]

By default the standard snmp traps are enabled (equivalent to snmp-server enable traps snmp authentication linkup linkdown coldstart). It is recommended to leave these traps enabled. The authentication trap in particular is worth keeping: it is sent whenever a request arrives with a wrong community string, which is an early warning that someone is scanning or guessing SNMP credentials against the firewall.

Configuration Example:

ASA(config)# snmp-server enable
ASA(config)# snmp-server host inside 10.1.1.100 community somesecretword
ASA(config)# snmp-server community somesecretword
ASA(config)# snmp-server enable traps snmp authentication linkup linkdown coldstart
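Because v1/v2c carry the community string in cleartext in every packet, the configuration above is only appropriate on a trusted management network. On ASA 8.2 and later the same NMS can be served with SNMP v3, using per-user authentication and encryption instead of a community string. The following is an added example, not part of the original post; the group name, user name and passphrases are placeholders of my own choosing.

```text
! SNMP v3 with authentication and privacy on ASA 8.2+ (added example, not from the original post)
ASA(config)# snmp-server enable
!
! Group: v3 messages for this group must be authenticated AND encrypted (priv)
ASA(config)# snmp-server group NMS-GROUP v3 priv
!
! User: SHA for message authentication, AES-128 for encryption of the PDU.
! Both passphrases are placeholders; use long random values.
ASA(config)# snmp-server user nmsuser NMS-GROUP v3 auth sha Auth-Passphrase-Change-Me priv aes 128 Priv-Passphrase-Change-Me
!
! Only this NMS, reachable via the inside interface, may poll the ASA or receive
! traps, and it must do so as the v3 user above (no community string involved).
ASA(config)# snmp-server host inside 10.1.1.100 version 3 nmsuser
!
! Keep the authentication trap: it fires on requests with bad credentials,
! an early warning of SNMP scanning against the firewall.
ASA(config)# snmp-server enable traps snmp authentication linkup linkdown coldstart
!
! Verification
ASA# show running-config snmp-server
ASA# show snmp-server statistics
```

If a legacy v2c NMS must be kept alongside, give it its own snmp-server host line with the poll keyword and a distinct community string rather than reusing one string for every manager, so that a leaked string from one tool does not expose the others.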

Virtual private networks, and really VPN services of many types, are similar in function but different in setup. In a previous post (AnyConnect SSL VPN) I briefly explained the general functionality of a new remote access VPN technology, the AnyConnect SSL client VPN. The Cisco AnyConnect VPN is supported on the ASA 8.x software and provides remote access to users with just a secure web browser (HTTPS). The AnyConnect client software supports Windows Vista, XP, 2000, Mac OS X and Linux. The client can either be preinstalled on the remote user's PC, or loaded onto ASA flash and pushed to the remote user's PC when they connect to the ASA. You also have the option to uninstall the client from the remote user's PC when he or she disconnects from the ASA.

EDIT: My new ebook, “Cisco VPN Configuration Guide – By Harris Andrea” provides a comprehensive technical tutorial about all types of VPNs that you can configure on Cisco Routers and ASA Firewalls (including of course SSL Anyconnect or IPSEC Remote Access VPNs).

In this post I will explain the technical details of configuring AnyConnect SSL VPN on a Cisco ASA 5500. I assume that we use AnyConnect client version 2.0, which will be stored on ASA flash and pushed to the remote user on demand. The same configuration applies to newer versions of AnyConnect. The remote users, after successful authentication, will receive an IP address from the local ASA pool 192.168.100.1-50. The internal ASA network uses the subnet 192.168.5.0/24.

Therefore, after the remote user successfully authenticates on the Cisco ASA with the AnyConnect client, he or she will receive an IP address in the range 192.168.100.1 to 50 and will be able to access resources in the internal LAN network 192.168.5.0/24.

Upload AnyConnect to ASA

The first step is to obtain the AnyConnect client software from the Cisco Software Download Website. You will need to download the appropriate software version according to the Operating System that your users have on their computers.

Assume the software vpn client file is “anyconnect-win-2.0.0343-k9.pkg”.

ASA(config)# copy tftp flash
Address or name of remote host ? 192.168.5.10
Source filename ? anyconnect-win-2.0.0343-k9.pkg
Destination filename [anyconnect-win-2.0.0343-k9.pkg]?

Accessing tftp://192.168.5.10/anyconnect-win-2.0.0343-k9.pkg…!!!!!!!!!!!!!
Writing file disk0:/anyconnect-win-2.0.0343-k9.pkg…
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Configuring the Cisco ASA

! Specify the AnyConnect image to be downloaded by users
! (on ASA 8.0 to 8.3 the keyword is "svc" instead of "anyconnect": svc image / svc enable)
ASA(config)# webvpn
ASA(config-webvpn)# anyconnect image disk0:/anyconnect-win-2.0.0343-k9.pkg 1

! Enable AnyConnect access on the outside ASA interface
ASA(config-webvpn)# enable outside
ASA(config-webvpn)# anyconnect enable
ASA(config-webvpn)# exit

! Create a local IP address pool to assign for remote users
ASA(config)# ip local pool SSLClientPool 192.168.100.1-192.168.100.50 mask 255.255.255.0

! Configure NAT exemption for traffic between the internal LAN and remote users,
! otherwise replies from the LAN to the VPN pool would be translated by the inside NAT/PAT rules

For ASA versions prior to 8.3:
ASA(config)# access-list NONAT extended permit ip 192.168.5.0 255.255.255.0 192.168.100.0 255.255.255.0
ASA(config)# nat (inside) 0 access-list NONAT

For ASA version 8.3 and later (identity NAT with network objects):

object network INSIDE-HOSTS
 subnet 192.168.5.0 255.255.255.0
!
object network VPN-HOSTS
 subnet 192.168.100.0 255.255.255.0
!
nat (inside,outside) source static INSIDE-HOSTS INSIDE-HOSTS destination static VPN-HOSTS VPN-HOSTS

! Create usernames that will use the AnyConnect remote access only.
! The service-type remote-access attribute stops these accounts from logging in to
! the ASA itself (CLI, ASDM), so a compromised VPN password does not become admin access.
! Use strong passwords; the values below are placeholders for the example.
ASA(config)# username userA password test123
ASA(config)# username userA attributes
ASA(config-username)# service-type remote-access

ASA(config)# username userB password test12345
ASA(config)# username userB attributes
ASA(config-username)# service-type remote-access

! Create a group policy with configuration parameters that should be applied to clients
! (there are two options available here according to the ASA version you are running;
! on ASA 8.4 and later the protocol keyword is ssl-client instead of svc)

OPTION 1
ASA(config)# group-policy SSLCLientPolicy internal

ASA(config)# group-policy SSLCLientPolicy attributes
ASA(config-group-policy)# dns-server value 192.168.5.100
ASA(config-group-policy)# vpn-tunnel-protocol svc
ASA(config-group-policy)# address-pools value SSLClientPool

OPTION 2
ASA(config)# group-policy SSLCLientPolicy internal
ASA(config)# group-policy SSLCLientPolicy attributes
ASA(config-group-policy)# dns-server value 192.168.5.100
ASA(config-group-policy)# address-pools value SSLClientPool
ASA(config-group-policy)# webvpn
ASA(config-group-webvpn)# vpn-tunnel-protocol svc

! Allow the AnyConnect traffic to bypass the interface access lists.
! Caution: with this set, decrypted VPN traffic is not filtered by the outside ACL at all.
! If remote users should only reach specific internal resources, either apply a vpn-filter
! in the group policy (which is enforced even with this sysopt) or remove this command
! and permit the VPN traffic explicitly in the outside interface access list.
ASA(config)# sysopt connection permit-vpn

! Create tunnel group profile to define connection parameters
ASA(config)# tunnel-group SSLClientProfile type remote-access
ASA(config)# tunnel-group SSLClientProfile general-attributes
ASA(config-tunnel-general)# default-group-policy SSLCLientPolicy
ASA(config-tunnel-general)# exit
ASA(config)# tunnel-group SSLClientProfile webvpn-attributes
ASA(config-tunnel-webvpn)# group-alias SSLVPNClient enable
ASA(config-tunnel-webvpn)# exit

! Show the group alias as a selectable entry on the login page
ASA(config)# webvpn
ASA(config-webvpn)# tunnel-group-list enable

How to Connect

The user just needs to open a browser and go to https://[outside ASA IP]

The login screen is then displayed (the screenshot is not reproduced here).

In the "Group" field select the group alias SSLVPNClient (the alias configured for tunnel group SSLClientProfile; tunnel-group-list enable is what makes it selectable on the login page).

In the "Username" and "Password" fields enter the user credentials (e.g. userA, test123). After successful authentication the ASA pushes the AnyConnect client from flash to the user's PC and the SSL tunnel is established.
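With sysopt connection permit-vpn in place, remote users can reach anything in 192.168.5.0/24 that routing allows, because the decrypted traffic never hits the outside interface access list. To restrict AnyConnect users to specific services, apply a vpn-filter to the group policy; it is enforced regardless of the sysopt setting. This is an added example, not part of the original post; the internal server addresses and the access-list name are my own assumptions.

```text
! Per-group-policy filter for the AnyConnect users above (added example, not from the original post)
! vpn-filter ACEs are written with the remote client as the source address; the ASA
! evaluates the return traffic of each connection against the same entries in reverse.
! Server addresses below are assumed: DNS on .100, an HTTPS app on .20, RDP on .30.
ASA(config)# access-list VPN-USERS-FILTER extended permit udp 192.168.100.0 255.255.255.0 host 192.168.5.100 eq 53
ASA(config)# access-list VPN-USERS-FILTER extended permit tcp 192.168.100.0 255.255.255.0 host 192.168.5.20 eq 443
ASA(config)# access-list VPN-USERS-FILTER extended permit tcp 192.168.100.0 255.255.255.0 host 192.168.5.30 eq 3389
ASA(config)# access-list VPN-USERS-FILTER extended deny ip any any log
!
! Attach the filter to the group policy that the tunnel group hands out
ASA(config)# group-policy SSLCLientPolicy attributes
ASA(config-group-policy)# vpn-filter value VPN-USERS-FILTER
ASA(config-group-policy)# exit
!
! Verification: active sessions (with the filter shown per session) and hit counts
! on ASA 8.0 to 8.3:
ASA# show vpn-sessiondb detail svc
! on ASA 8.4 and later:
ASA# show vpn-sessiondb detail anyconnect
ASA# show access-list VPN-USERS-FILTER
```

The logged deny at the end turns every blocked attempt from a VPN user into a syslog message, which is usually the first place a stolen VPN credential becomes visible: a legitimate user of the HTTPS application rarely starts probing other hosts on port 445.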

The Cisco ASA appliance retains clock settings in memory via a battery on the device motherboard, so the clock is kept even if the device is turned off. Configuring accurate time settings on the appliance is important for logging purposes, since syslog messages can carry a time stamp taken from the device clock. If you want the syslog messages to include a time-stamp value, you must first configure the clock (using the clock set command, or NTP as described below) and then enable time stamps with the logging timestamp command (more on syslog configuration in later sections). Having a trustworthy time stamp on log messages is important for event tracing and forensic purposes when a security incident occurs, because it is what lets you correlate the firewall's logs with logs from other systems.

Another important reason for setting the correct time on the ASA firewall is when you use PKI (Public Key Infrastructure) with digital certificates for authentication of IPSEC VPN peers. The ASA firewall uses the local appliance clock to check that a digital certificate is within its validity period, so a clock that is far off will reject valid certificates or accept expired ones. When using PKI digital certificates, set the firewall clock to the UTC time zone, since certificate validity dates are expressed in UTC.

Configure Clock Settings:

To configure the clock settings of the ASA appliance, use the clock set command as shown below:

ciscoasa# clock set hh:mm:ss [day month | month day] year

Example:

ciscoasa# clock set 18:30:00 Apr 10 2009

To verify the correct clock on the appliance, use the show clock command.

Configure Time Zone and Daylight Saving Time:

To configure the time zone and the summer daylight saving time use the commands below:

ciscoasa# config t
ciscoasa(config)# clock timezone [zone name] [offset hours from UTC]
ciscoasa(config)# clock summer-time [zone name] recurring [week weekday month hh:mm week weekday month hh:mm] [offset]

Example:

ciscoasa(config)# clock timezone MST -7
ciscoasa(config)# clock summer-time MDT recurring 2 Sunday March 2:00 1 Sunday November 2:00

The recurring rule must match the rules currently in force where the firewall sits (the US rules changed in 2007 to the second Sunday of March and the first Sunday of November shown above). If you omit the dates, as in "clock summer-time MDT recurring", the ASA applies the default US rules.

Configure Network Time Protocol (NTP):

If there is an NTP server in the network that provides accurate clock settings, then you can configure the firewall to synchronize its time with the NTP server. Both authenticated and non-authenticated NTP are supported. Prefer the authenticated form where the NTP server supports it: an unauthenticated NTP reply can be spoofed by anyone on the path, and shifting the firewall clock affects both log time stamps and certificate validation.

Non-Authenticated NTP:

ciscoasa(config)# ntp server [ip address of NTP] source [interface name]

Example:

ciscoasa(config)# ntp server 10.1.23.45 source inside

Authenticated NTP:

ciscoasa(config)# ntp authenticate
ciscoasa(config)# ntp authentication-key [key ID] md5 [ntp key]
ciscoasa(config)# ntp trusted-key [key ID]
ciscoasa(config)# ntp server [ip address of NTP] key [key ID] source [intf name]

Example:

ciscoasa(config)# ntp authenticate
ciscoasa(config)# ntp authentication-key 32 md5 secretkey1234
ciscoasa(config)# ntp trusted-key 32
ciscoasa(config)# ntp server 10.1.2.3 key 32 source inside
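Putting the clock, NTP and logging pieces together as one configuration for a firewall that validates VPN certificates, as an added example that is not part of the original post. The NTP server address, key id and key string are placeholders of my own, and the syslog collector address is an assumption.

```text
! Time configuration for a certificate-validating ASA (added example, not from the original post)
! Keep the clock in UTC: certificate validity dates are expressed in UTC, and log
! correlation across devices is simpler with a single zone and no DST jumps.
ciscoasa(config)# clock timezone UTC 0
ciscoasa(config)# no clock summer-time
!
! Authenticated NTP only; an unauthenticated reply could be spoofed to shift the clock.
! Key id 32 and the key string are placeholders. The key is stored in the running
! configuration, so protect configuration backups accordingly.
ciscoasa(config)# ntp authenticate
ciscoasa(config)# ntp authentication-key 32 md5 Replace-With-Long-Random-Key
ciscoasa(config)# ntp trusted-key 32
ciscoasa(config)# ntp server 10.1.2.3 key 32 source inside prefer
!
! Time stamp every syslog message with the (now trusted) clock and ship it off-box,
! so an intruder who wipes the local buffer does not erase the trail. The collector
! address 10.1.1.50 is an assumption.
ciscoasa(config)# logging enable
ciscoasa(config)# logging timestamp
ciscoasa(config)# logging trap informational
ciscoasa(config)# logging host inside 10.1.1.50
!
! Verification: the clock is synchronized and the association is authenticated
ciscoasa# show clock
ciscoasa# show ntp status
ciscoasa# show ntp associations detail
ciscoasa# show logging
```

In "show ntp associations detail" look for the server marked as "sane, valid" and "authenticated"; until the clock is synchronized, "show ntp status" reports "unsynchronized" and any time stamps emitted in the meantime should be treated as unreliable when reconstructing an incident.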
