    dover (Senior Member)
    Join Date: Jul 2011 | Location: dom0 | Posts: 182
    Certifications: B.Sc. Information System Security, CISA, CISM, CISSP, CCNP:Security, GISP, GCIA, VCP v4, CCNA R/S, MCITP:EA, MCSE NT,2K,2k3
    #1

    Firewall v2 642-618

    Not too much activity on this board but I thought I'd post my firewall v.2 exam experience anyway. Took the 642-618 exam last Thursday and passed with a 915. I really lived this material every day for the last 5 months.

    Study materials:
    CCNP Security Firewall Official Cert Guide both version 1 (for NAT) and version 2
    Cisco Firewalls (Networking Technology: Security)
    Cisco ASDM 6.4 Config Guide
    Cisco CLI 8.4 Guide
    Cisco CLI 8.2 Guide (for pre 8.3 NAT)


    Background: I've worked with (installed, maintained, etc.) older model PIX and newer ASAs for a few years but not as in-depth as I'd like: initial setups, determining requirements and testing/making changes.

    I bought an ASA 5505 and set it up between my workstation and the rest of my employer's network. Every day I would wipe the configuration on my way out so I would have to come in and reconfigure the thing from scratch. One day it would be command-line only, the next ASDM only. Couple weeks at version 8.2 then a couple of weeks running 8.4. I have some downtime at work and a boss who encourages education so I took full advantage to make the most of the situation.

    GNS3 - one word: AWESOME.

    I used MS OneNote and made chapter by chapter notes of the Official Cert Guide. I ended up with about 100 pages of study notes I used for review. I also created mini-labs from each covered topic (requirements, topology and IP schemes, etc.) so I could come back and do the labs: NAT (8.2 and 8.4), active-active/active-standby failover, LACP etherchannel, multiple context, logging, redundant interfaces....


    Exam review - much easier than I thought it would be. I was expecting tons of do-it-yourself GUI or CLI simlets. I really kind of wished it had been but I guess that is too much to both design and properly grade. I thought it focused on the GUI too much, but in retrospect I think it is fairly evenly spread between knowing the GUI and the CLI commands.

    On to VPN.
    YFZblu (Senior Member)
    Join Date: Nov 2011 | Posts: 1,424
    Certifications: A+, N+, S+, CCNA, CCNA:Sec, GSEC, GCIH, GCFE
    #2
    Nice work! Thank you for the write up.

    networker050184 (Moderator, "Went to the dark side....")
    Join Date: Jul 2007 | Posts: 11,676
    Certifications: CCNA, CCNP, CCIP, JNCIA-JUNOS, JNCIS-SP, JNCIP-SP, MCA200
    #3
    Congrats!
    An expert is a man who has made all the mistakes which can be made.

    MrBrian ("Grind time, gotta eat")
    Join Date: Jul 2011 | Location: Seattle | Posts: 517
    Certifications: CCNP, JNCIA, CCNA, Net+, AAS in Networking
    #4
    Thanks for the write-up and congrats!

    Senior Member
    Join Date: Nov 2010 | Location: Maryland | Posts: 781
    Certifications: A+, Net+, Sec+, CCNA, CCNP, CCDP, CISSP, CISM, CISA, CEH, MCSE 2003, MCTIP 2008, Bachelor of Science IT
    #5
    I want to obtain the CCNP Security after I finish my BS at WGU (and then start my Master's). When you studied for this exam, did you mostly use GNS3? I was thinking of buying the 5505 (possibly two), but I hear there are some shortcomings for studying for certain exams. Also, I just saw Cisco has the new line of firewalls like the 5515X. I'd like one of those, since they have all Ge ports, but they're a bit too rich for my blood. It would be cool if they came out with a 5505X with four Ge ports for the same price as the 5505. But for Cisco nowadays, it's about the hardware profit and software profit (one of the few companies like that).

    BroadcastStorm (Senior Member)
    Join Date: Mar 2009 | Posts: 486
    Certifications: CCNP/CCNA: R&S | MCSE 2003 | MCTS | BSCS
    #6
    What's the complete lab recommended for CCNP Security?

    I have 2 ASA 5505 with security license, I heard about a key generator...

    I also have a full blown CCNP lab at home, I am currently using my 5505 as my FIOS router facing to cloud.
    Last edited by BroadcastStorm; 08-15-2012 at 12:28 AM.

    dover (Senior Member)
    Join Date: Jul 2011 | Location: dom0 | Posts: 182
    Certifications: B.Sc. Information System Security, CISA, CISM, CISSP, CCNP:Security, GISP, GCIA, VCP v4, CCNA R/S, MCITP:EA, MCSE NT,2K,2k3
    #7
    Spiderjericho,

    I used GNS3 quite a bit. When I first started I thought I'd get a couple ASA 5505s and be able to do everything except active/active failover and multiple contexts. I ended up buying one NEW ASA 5505 with a base license (and an active -personal- smartnet agreement). The device itself is very cool and I'm using it at home to be my main firewall, switch, SSL VPN...all that good stuff - but from a certification point of view you have to have something much better - and with Cisco that means much more expensive. The 5505 is great for the routine things but for most of the time having

    Buying a pair of 5510's with Sec plus licenses - way too expensive; rack rental time - too inconvenient for my hit and miss opportunities to sit down and lab (I have a job -or two - and a little one running amok).

    I'm hoping one day Cisco will recognize that there is a legitimate need (and potentially lucrative market) for certification training resources - emulators, simulators, etc. - for their more advanced certifications and equipment. Hell, I'm IN THE FIELD and do hands on work with their expensive equipment everyday but my employer (like most) can't justify the cost of full blown labs or allow employees to learn on whatever spare equipment they may have. I do have access to some 5510's and 20's at work but they tend to frown on people using corporate equipment to lab....can't understand that

    Yeah I'm looking forward to playing with their X series ASAs too. I'm sure it'll be a little while until the certification exams cover it (since they just did a refresh on the Firewall and VPN certs) but it looks interesting!

    BroadcastStorm (Senior Member)
    Join Date: Mar 2009 | Posts: 486
    Certifications: CCNP/CCNA: R&S | MCSE 2003 | MCTS | BSCS
    #8
    Is there a huge gap as far as studying with a 5505 (security license) vs. 5510? The 5510 is just too expensive for an average joe.

    dover (Senior Member)
    Join Date: Jul 2011 | Location: dom0 | Posts: 182
    Certifications: B.Sc. Information System Security, CISA, CISM, CISSP, CCNP:Security, GISP, GCIA, VCP v4, CCNA R/S, MCITP:EA, MCSE NT,2K,2k3
    #9
    Yeah, there are quite a few things you would not be able to do with the 5505 even with a Security Plus license. Off the top of my head you wouldn't be able to configure LACP etherchannels, do active/active failover (or active/standby I don't think) and definitely no multiple contexts. If you have the Sec Plus license on a 5505 you can do trunking and support for 20 VLANs but a base model cannot be configured for trunking and it can have 3 VLANs (2 full VLANs and 1 restricted VLAN). Plus everything interface oriented on the 5505s is based on VLAN interfaces....so you assign one (or more) of the 8 switchports to a particular VLAN and then configure IP info on the VLAN interfaces.
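The interface model dover describes above (switchports assigned to VLANs, IP addressing on the VLAN interfaces, and the one restricted VLAN a base license allows) as an added ASA 5505 configuration example; it is not from the thread, and the interface names, addresses and port assignments are constructed.

```cisco
! ASA 5505, base license: 3 VLAN interfaces, the third one restricted.
! Constructed example; names, addresses and port layout are not from the thread.
!
! Layer 3 (nameif, security-level, ip address) lives on the VLAN interfaces,
! never on the physical switchports.
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
! Base license: the third VLAN must be restricted before it gets a nameif.
! 'no forward interface Vlan1' stops it from initiating traffic to inside;
! that is the "1 restricted vlan". Security Plus removes this requirement.
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 192.168.3.1 255.255.255.0
!
! Switchports are access ports placed into a VLAN. A base license allows
! no trunk ports, so each port carries exactly one VLAN.
interface Ethernet0/0
 switchport access vlan 2
 no shutdown
!
interface Ethernet0/1
 switchport access vlan 1
 no shutdown
!
interface Ethernet0/2
 switchport access vlan 3
 no shutdown
```

Before labbing a feature, `show version` lists the licensed limits (maximum VLANs, VLAN trunk ports, failover) so you can confirm what the installed license actually permits rather than guessing from the model.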

    BroadcastStorm (Senior Member)
    Join Date: Mar 2009 | Posts: 486
    Certifications: CCNP/CCNA: R&S | MCSE 2003 | MCTS | BSCS
    #10
    Quote Originally Posted by dover:
        Yeah, there are quite a few things you would not be able to do with the 5505 even with a Security Plus license. Off the top of my head you wouldn't be able to configure LACP etherchannels, do active/active failover (or active/standby I don't think) and definitely no multiple contexts. If you have the Sec Plus license on a 5505 you can do trunking and support for 20 VLANs but a base model cannot be configured for trunking and it can have 3 VLANs (2 full VLANs and 1 restricted VLAN). Plus everything interface oriented on the 5505s is based on VLAN interfaces....so you assign one (or more) of the 8 switchports to a particular VLAN and then configure IP info on the VLAN interfaces.
    You can do HA Failover on a paired ASA 5505 (security license)

    : Active/Standby perpetual

    But not active/active, there's always GNS3 for this.