  1. Member
    Join Date
    Sep 2015
    Location
    UK
    Posts
    74

    Certifications
    CCNA R&S
    #1

    LAB equipment for CCNA security

    Hi Guys,

    Could anyone suggest lab equipment for studying for the CCNA Security?

    I currently have 2 Catalyst switches and 3 routers. I assume I need an ASA firewall; can anyone suggest one? Budget is not an issue, but ideally something I can get second hand that's good value for money.

    Thanks
    Pujan

  3. Senior Member
    Join Date
    Sep 2014
    Location
    Minnesota
    Posts
    757

    Certifications
    CCNA:R&S, VCA6-DCV, Sec+
    #2
    You can probably get by with an ASA 5505. It would be best for the exam to have a software version of 9.1 for ASA and 7.3 for ASDM or better.
    Older ASA 5505s came with only 256 MB of RAM. These versions of the software require 512 MB of RAM.
    Upgrading the RAM is no big deal, as the RAM is pretty standard and quite old, so quite cheap to get.
    Upgrading the software is easy also. That is, if you have it. And be sure to get the power adapter also.

    An ASA 5510 will also work. A few dollars more expensive.

    An ASA 5506 would be nice to get, but that will be a few hundred dollars more.

  4. ABL - Always Be Labbin' Iristheangel's Avatar
    Join Date
    Dec 2009
    Location
    Pasadena, CA
    Posts
    3,677

    Certifications
    CISSP, CCIE DC, CCNP R&S/DC, CCDP, CCNA:RS/S/V/DC, CCDA, BCVRE, BCEFP, BCNE, CEH, CHFI, MCSE:S, MCDST, A/S/L/P/N+, some useless Citrix and CIW certs
    #3
    @clarson - Actually, you can get an ASA 5506 for about $300 on Amazon or eBay. Load that bad boy up with a Firepower 45-day eval license that you can get on Cisco.com and you're ready to rock and roll.

    I would NOT suggest getting the 5505 or 5510. Go ASAv if you had to instead of buying hardware that can't use current code at all.
    BS, MS, and CCIE #50931
    Blog: www.network-node.com
    Bonus TE Fun: Nerd Photos

  5. /threadkiller ande0255's Avatar
    Join Date
    Sep 2013
    Location
    Around
    Posts
    1,160

    Certifications
    CCNA R&S, Voice, Security
    #4
    I'd personally recommend (for the sake of knowledge) working with both a Cisco 5505 running IOS code 8.2 and, like Iris suggested, a 5506, and throw Firepower on it when you're ready to hit that subject.

    I am seeing 8.2 slowly go away, but some of our SMB customers at my MSP have 5520s running code 8.2, and you just have to know the differences with NAT operations, in my opinion.

    For exam purposes the latest and greatest is always the best option, but for real world purposes, I might load 8.2(x) on a 5506, then once configured make use of the upgrade wizard to migrate to 8.3+ images to practice migrating customers off 8.2 code - this I think would be the optimal situation if you're new to ASAs.

  6. ABL - Always Be Labbin' Iristheangel's Avatar
    Join Date
    Dec 2009
    Location
    Pasadena, CA
    Posts
    3,677

    Certifications
    CISSP, CCIE DC, CCNP R&S/DC, CCDP, CCNA:RS/S/V/DC, CCDA, BCVRE, BCEFP, BCNE, CEH, CHFI, MCSE:S, MCDST, A/S/L/P/N+, some useless Citrix and CIW certs
    #5
    Makes me sad when people are running 8.2 or bragging about the *years* of uptime on their firewall. Makes me shake my head and wonder how many 5+ year old exploits they are vulnerable to because they didn't want to update or because they like high uptime.

  7. /threadkiller ande0255's Avatar
    Join Date
    Sep 2013
    Location
    Around
    Posts
    1,160

    Certifications
    CCNA R&S, Voice, Security
    #6
    Yes, a lot of "if it's not broken don't fix it" kind of thinking, gotta love it.

  8. ABL - Always Be Labbin' Iristheangel's Avatar
    Join Date
    Dec 2009
    Location
    Pasadena, CA
    Posts
    3,677

    Certifications
    CISSP, CCIE DC, CCNP R&S/DC, CCDP, CCNA:RS/S/V/DC, CCDA, BCVRE, BCEFP, BCNE, CEH, CHFI, MCSE:S, MCDST, A/S/L/P/N+, some useless Citrix and CIW certs
    #7
    I can understand that for switches and routers to some degree. It's not like Windows where you want to patch it regularly but your edge security? Yikes!

  9. Junior Member
    Join Date
    Oct 2012
    Posts
    10
    #8

    Use GNS

    User GNS is a great tool to implementation.

  10. /threadkiller ande0255's Avatar
    Join Date
    Sep 2013
    Location
    Around
    Posts
    1,160

    Certifications
    CCNA R&S, Voice, Security
    #9
    Quote Originally Posted by Iristheangel View Post
    I can understand that for switches and routers to some degree. It's not like Windows where you want to patch it regularly but your edge security? Yikes!

    Edge security for SMB customers at my MSP, some places are stubborn about replacing their Sonicwall TZ-200 series firewalls and ASA 5505's at the cost of newer and more secure technologies, my job is just to support them the best I can (and make recommendations for upgrades where I see them).

    I think a new wave of edge security hardening is upon us though, over the last year or so the ransomware I see out in the wild encrypting customer servers is growing exponentially to customers on older edge device security platforms, costing them thousands of dollars to pay the ransom and unlock their files, than it would have to upgrade to Next-Gen firewall with Firepower and a good user policy.

    I suppose there is always that one user who will click on the "You have won a million dollars" link in emails, but unless non-IT people have just gotten dumber over the years to these tricks (which wouldn't surprise me), I don't think security should stop at the edge of a network.

  11. ABL - Always Be Labbin' Iristheangel's Avatar
    Join Date
    Dec 2009
    Location
    Pasadena, CA
    Posts
    3,677

    Certifications
    CISSP, CCIE DC, CCNP R&S/DC, CCDP, CCNA:RS/S/V/DC, CCDA, BCVRE, BCEFP, BCNE, CEH, CHFI, MCSE:S, MCDST, A/S/L/P/N+, some useless Citrix and CIW certs
    #10
    Completely agree. I more point out the edge because it's what's getting slammed most of the time. I've set up NetFlow on the edge and it's always fun to see every weird country that's scanning you.

  12. Senior Member
    Join Date
    Jan 2012
    Posts
    1,237

    Certifications
    BS IT (CCNA R&S, Security, Voice) CCDA, MCP XP, A+, L+, P+, LPIC-1, SUSE CLA
    #11
    It comes down to the IT guy and/or the company if security is a priority. I found a lot of SMBs don't care to spend more if it is already working, and if they have not got any attacks then it's hard to push upgrades. Checking the log viewer on the ASA to see how many denies for telnet or other common port numbers from different IPs, or port scanning from different IPs, it's just all types of scary.

    Yup, ransomware is definitely becoming more rampant. The cyber ops team at my place keeps flagging users for ransomware, and then it becomes a fire drill when multiple teams have to work to shut down services to that machine.
    In life you have to make your own opportunities. Don't let anyone stop you from your dreams; too many negative people want you to fail because they can't succeed.

  13. Junior Member
    Join Date
    Apr 2017
    Location
    ocean island
    Posts
    27
    #12
    What's wrong with ASAv? Everyone is recommending buying an old ASA, but I think that everything can be done in GNS3 except the hardware-dependent features.

  14. ABL - Always Be Labbin' Iristheangel's Avatar
    Join Date
    Dec 2009
    Location
    Pasadena, CA
    Posts
    3,677

    Certifications
    CISSP, CCIE DC, CCNP R&S/DC, CCDP, CCNA:RS/S/V/DC, CCDA, BCVRE, BCEFP, BCNE, CEH, CHFI, MCSE:S, MCDST, A/S/L/P/N+, some useless Citrix and CIW certs
    #13
    @Boby - Nothing at all wrong with it. My recommendation was to get a 5506 for the Firepower features that aren't on the ASAv. The 5505 is just a paperweight at this point :P

  15. Senior Member craigaaron's Avatar
    Join Date
    Sep 2011
    Location
    UK, Hampshire
    Posts
    131

    Certifications
    CCENT, CCNA R&S/S, ITIL V3(2011), CompTIA Green IT, VCA-DCV
    #14
    Quote Originally Posted by Iristheangel View Post
    @Boby - Nothing at all wrong with it. My recommendation was to get a 5506 for the Firepower features that aren't on the ASAv. The 5505 is just a paperweight at this point :P
    I am still getting plenty of knowledge from my ASA 5505 :P I would love a 5506 though

  16. Senior Member
    Join Date
    Feb 2011
    Location
    Denver, CO
    Posts
    274

    Certifications
    CCNA, CCENT, Network+
    #15
    How much longer will the 5506 be relevant for?
    Bit much to invest in if it is going to be obsolete by next exam.

  17. ABL - Always Be Labbin' Iristheangel's Avatar
    Join Date
    Dec 2009
    Location
    Pasadena, CA
    Posts
    3,677

    Certifications
    CISSP, CCIE DC, CCNP R&S/DC, CCDP, CCNA:RS/S/V/DC, CCDA, BCVRE, BCEFP, BCNE, CEH, CHFI, MCSE:S, MCDST, A/S/L/P/N+, some useless Citrix and CIW certs
    #16
    @blatini - The 5506 is only about a year and a half old. I don't think you run any risk of it going away anytime soon.

  18. Senior Member
    Join Date
    Feb 2011
    Location
    Denver, CO
    Posts
    274

    Certifications
    CCNA, CCENT, Network+
    #17
    Roger - thanks for the info!

  19. Member
    Join Date
    Aug 2016
    Location
    Richmond, VA
    Posts
    59

    Certifications
    A+, Net+, Sec+, Project+, Linux+/LPIC-1, CCNA Sec,R&S
    #18
    I did all of my labbing through GNS3. I passed by the skin of my teeth, but I didn't have to shell out a bunch of $$ for hardware.

  20. Senior Member pogue's Avatar
    Join Date
    Mar 2005
    Location
    Westminster, CO
    Posts
    210

    Certifications
    CCNA, CCNP, MCITP:SA 2008, ITILv3 Foundations, Network+, Security+, CISSP pending endorsement
    #19
    Iris,

    Can you clarify what is needed beyond the actual physical 5506? I am not quite clear on how the Firepower licensing works... I would like to run a 5506 as the border security device for my home network, leveraging VPN capabilities + whatever license would be most applicable to CCNP-Security studies. It seems like the full gamut license subscription runs like $170.00 a year? Pretty expensive.... Is there another option that pretty much covers the bases for CCNP Security, but isn't limited to a 45-day trial period?

    Thanks,

    Russ

  21. Junior Member
    Join Date
    Dec 2014
    Posts
    17
    #20
    Quote Originally Posted by Iristheangel View Post
    Makes me sad when people are running 8.2 or bragging about the *years* of uptime on their firewall. Makes me shake my head and wonder how many 5+ year old exploits they are vulnerable to because they didn't want to update or because they like high uptime.
    Probably just as many as the zero-day exploits the new versions have

    5505 is perfectly fine for the CCNA Security, after all the test is on the 5505. Considering you can have it for under $100, it's a no-brainer.

  22. Member maelstrom3530's Avatar
    Join Date
    Dec 2014
    Location
    NC
    Posts
    40

    Certifications
    A+, N+, S+, CCNA R&S, MCP, MCSA: Win7 / 2012R2, MCITP: EDST, MCTS: 70-640, A.A.S. Network Administration and Support
    #21
    Like the above poster asked, what else, beyond an ASA 5506, would be required in preparation for the CCNA Security exam?

    Thanks!

    I have some equipment already:

    1x 2600XM
    1x 2801
    1x 2821

    2x 2950's
    1x 2960

    I also have an HP DL380 G6.

  23. Senior Member
    Join Date
    Sep 2014
    Location
    Minnesota
    Posts
    757

    Certifications
    CCNA:R&S, VCA6-DCV, Sec+
    #22
    Pretty much you do security on a switch, router, and a firewall.

    The model of the switch isn't so important, but the 2960 could run version 15 of the IOS. Get the best IOS you can.

    For the router, you need version 15 of the IOS so you can run CCP, Cisco Configuration Professional. And, of course, the advsecurity or better feature set.

    And the firewall has been talked about already.

    And the G6 can be used to virtualize what you can find.

    Looks like you have everything you need as far as hardware.