My Progress Report: Security v2.0 (06/08/09)

ccie-sec June 8th, 2009

With each passing day, I get further and further from where I need/want to be with my security studies. There was a point in April when I managed to get some practice lab time in my schedule. I can only blame myself for the lack of focus. For here I am at another point in my life and I’m conflicted with continuing my pursuit of the security lab. The reason for this misdirection is quite simple – work has taken over my life. While it may sound harsh, the reality of becoming an IE has drastically changed my life for the better.

During these harsh economic times, I still find companies are looking to contract or employ an IE. Contract work is usually long and tedious for most consultants. For me, I’ve had to adjust and reorganize my daily priorities to accommodate the contract work hours in the evenings and on the weekends. There just aren’t enough hours in the day to do everything, so I basically had to sacrifice my security studies in order to keep up with the chaos. I’m not giving up on the track but merely postponing lab studies until October or November. From the time when you pass your written exam, you have 18 months until your passing result has expired. Basically I have until February 2010 to complete or make an attempt at the lab. This year doesn’t have to be a complete wash. I am, however, going to continue to read all the Cisco Press security books to prep for the OEQ since it takes me a while to absorb some of the material.

The 2 main drawbacks about my contract are the distance from my house and the current security products that they have in-house. Firstly, I can no longer take the train since the contract is located in another area of SoCal. This just means that I lose the ability to read an hour in the mornings and need to find some time in the evening – for most of you who attempt to read at night, you already know how difficult that task may be with family and other activities (i.e. social life, sports, fitness, etc.). Secondly, my new has no use for any of the Cisco security products. The company uses CheckPoint firewall and McAfee’s Intrusion Prevention products. Cisco isn’t the right solution all the time, but I have stated my case with the current products to senior management, so let’s leave it at that.

There is a plus to all of this in that my contract relies heavily on MPLS. Prior to announcing a few months ago that I was going to focus my time on the security track, I had just walked away from my Service Provider studies. In order to properly support my new environment, I’ve had to read and familiarize myself with ATM, MPLS, L2/L3 VPN, SP QoS, BGP, IS-IS, and Management. Guess what, that’s more than half of the topics on the SP lab. At the moment, I’m far from committing to the track at all, but I have been keeping track of my progress and found that I’m not too far off either. I know for a fact that the amount of work is steady enough where I’ll be busy until the end of the year.

We’ll just have to wait and see.

GeekOut: Basic ASA - EIGRP

ccie-sec May 2nd, 2009

When configuring EIGRP on the firewall, keep in mind to omit the word ip from the commands.

Prerequisites:

-Refer to my Basic ASA - VLANs and IP Addresses posting

Mini-lab Requirement:

Your ASA needs to be aware of the DMZ network behind R2.  Make sure R2 is the only device that can securely send or receive routing updates with the firewall.

Here’s the video:

bbb-basic-asa-eigrp

Notes:

-EIGRP is not supported in multi-context mode.

-When configuring the network command on a PIX or ASA, you will need to define the subnet mask and not the wildcard.

-The passive-interface command for EIGRP is supported on the firewall unlike OSPF.
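An added configuration example for the mini-lab above (written for this page, not taken from the post or its video). The VLAN interface, nameif, AS number, addresses, DMZ network behind R2 and key string are all assumptions. R2 ends up as the only device that can exchange updates with the firewall because every other ASA interface is passive and the DMZ link requires MD5; note how the ASA lines drop the leading ip and take a subnet mask where IOS takes a wildcard.

```cisco
! ASA: DMZ interface (VLAN number and nameif assumed from the prerequisite post)
interface Vlan3
 nameif dmz
 security-level 50
 ip address 10.1.3.1 255.255.255.0
 ! No leading "ip" on the ASA; MD5 keeps unauthenticated peers from forming an adjacency
 authentication mode eigrp 100 md5
 authentication key eigrp 100 S3cr3tKey key-id 1
!
router eigrp 100
 ! Subnet mask, not a wildcard, on the PIX/ASA
 network 10.1.3.0 255.255.255.0
 ! Suppress hellos on every interface except the DMZ, so only R2 can peer
 passive-interface default
 no passive-interface dmz
!
! R2 (IOS): same AS, same key id and key string
key chain EIGRP-KEYS
 key 1
  key-string S3cr3tKey
!
interface FastEthernet0/0
 ip address 10.1.3.2 255.255.255.0
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 EIGRP-KEYS
!
router eigrp 100
 network 10.1.3.0 0.0.0.255
 ! 192.168.20.0/24 is the constructed DMZ network behind R2
 network 192.168.20.0 0.0.0.255
 no auto-summary
!
! Verify on the ASA: one neighbor (R2) and the DMZ prefix learned via EIGRP
show eigrp neighbors
show route eigrp
```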

ASA 8.2 Released

ccie-sec May 1st, 2009

A few weeks ago, Cisco released version 8.2 for the ASA, which you can read more about the updated features here.  For me, one of the most appealing features that stands out the most is the NetFlow Secure Event Logging feature (NSEL).   Originally this feature was only made available on version 8.1 specifically for the 5580 models in January of this year.  Now it’s available from the 5505 models up to the 5580.

What’s the big deal?  Currently I’m dealing with a configuration where an Internet connection terminates directly on an ASA 5520.  Every month I have to deal with senior management inquiring about which department is consuming the most bandwidth so that finance can appropriately charge back the usage internally.  In order to appropriately collect this data, I had proposed to place a router in front of the ASA so that I could collect NetFlow statistics and report the information properly.  With NSEL on the ASA, I’d be able to collect the information directly without any additional equipment.

Hmm, if everything works as planned, I’ll have to figure out what to do with all these spare 3845 edge routers.  :)

GeekOut: Basic ASA - OSPF

ccie-sec April 17th, 2009

This is very similar to the last lab that I posted.  When configuring OSPF on the firewall, keep in mind to omit the word ip from the commands.

Prerequisites:

-Refer to my Basic ASA - VLANs and IP Addresses posting

Mini-lab Requirement:

Your ASA needs to be aware of the DMZ network behind R2.  Make sure R2 is the only device that can securely send or receive routing updates with the firewall.

Here’s the video:

bbb-basic-asa-ospf

Notes:

-OSPF is not supported in multi-context mode.

-When configuring the network command on a PIX or ASA, you will need to define the subnet mask and not the wildcard.

-The passive-interface command is unsupported on the firewall.  You will need to depend on the neighboring router to control sending/receiving of updates.

-If you would like to verify that you didn’t fat finger the password on the ASA, you can use the more system:running-config | i md5 command to see what you typed.
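An added configuration example for this OSPF mini-lab (mine, not from the post or its video). The VLAN interface, nameif, process ID, addresses, DMZ network and key string are assumptions. Since the ASA has no passive-interface for OSPF, the update scope is controlled on R2 as the note above says, while MD5 on the DMZ link stops anything other than R2 from forming an adjacency with the firewall.

```cisco
! ASA: DMZ interface (VLAN number and nameif assumed from the prerequisite post)
interface Vlan3
 nameif dmz
 security-level 50
 ip address 10.1.3.1 255.255.255.0
 ! No leading "ip" on the ASA (IOS would be "ip ospf ...")
 ospf authentication message-digest
 ospf message-digest-key 1 md5 S3cr3tKey
!
router ospf 1
 ! Subnet mask, not a wildcard, on the PIX/ASA
 network 10.1.3.0 255.255.255.0 area 0
 log-adj-changes
!
! R2 (IOS): passive-interface lives here, because the ASA has none for OSPF
interface FastEthernet0/0
 ip address 10.1.3.2 255.255.255.0
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 S3cr3tKey
!
router ospf 1
 network 10.1.3.0 0.0.0.255 area 0
 ! 192.168.20.0/24 is the constructed DMZ network behind R2
 network 192.168.20.0 0.0.0.255 area 0
 passive-interface default
 no passive-interface FastEthernet0/0
!
! Verify on the ASA; show running-config masks the key, this shows what was typed
show ospf neighbor
more system:running-config | i md5
```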
