-
With the Firepower appliances and the Cisco Secure Firewall, Cisco offers a next-generation firewall that, in addition to standardized configuration via a policy model, continues to focus very strongly on protection against threats in the network environment.
In addition to the classic firewall functionalities, the various Firepower systems also offer application control, threat prevention and advanced malware protection and can also be used as a VPN gateway.
This course provides solid knowledge of the possible uses as a VPN gateway, teaches VPN basics and looks at both site-to-site VPNs (IPsec/IKEv1 and IKEv2) with crypto maps and VTIs as well as remote access VPNs (SSL/TLS and IPsec/IKEv2).
-
Course Contents
-
- VPN products from Cisco
- Basics of cryptographic procedures
- VPN basics
- IPsec Site-to-Site VPNs
- SSL VPNs
- IPsec remote access VPNs
- Redundancy and high availability
The detailed digital documentation package, consisting of an e-book and PDF, is included in the price of the course.
Premium Course Documents
In addition to the digital documentation package, the exclusive Premium Print Package is also available to you.
- High-quality color prints of the ExperTeach documentation
- Exclusive folder in an elegant design
- Document pouch in backpack shape
- Elegant LAMY ballpoint pen
- Practical notepad
The Premium Print Package can be added during the ordering process for € 150,- plus VAT (only for classroom participation).
-
Target Group
-
The course is aimed at people in security and network administration who will be commissioning a Firepower appliance with Firepower Threat Defense (FTD) as a VPN gateway and managing it with the Firepower Management Center (FMC). If you are planning to replace the Cisco ASA in your network with FTD, this is also the right course for you.
-
Knowledge Prerequisites
-
This course requires basic, product-specific know-how of the Cisco IOS, knowledge of the TCP/IP protocol and its security risks as well as the basics of switching and routing. You should also be familiar with the operation of packet filters and firewalls. Basic knowledge of the Firepower Management System (FMC) and FTD's policy model is also required.
| 1 | VPN Produkte von Cisco |
| 1.1 | Überblick |
| 1.2 | Verschiedene Wege bei VPNs |
| 1.3 | Lizenzierung |
| 1.3.1 | VPN-Lizenzen |
| 1.4 | AnyConnect |
| 1.5 | Remote Management von FTD-Geräten |
| 2 | VPNs und Sicherheit |
| 2.1 | Angriffsarten |
| 2.2 | Kleines 1x1 der Kryptographie |
| 2.2.1 | Vertraulichkeit – Symmetrische Verschlüsselung |
| 2.2.2 | Diffie-Hellman – Erzeugen symmetrischer Schlüssel |
| 2.2.3 | RSA – Asymmetrische Verschlüsselung |
| 2.2.4 | Datenintegrität – Hashwerte |
| 2.2.5 | Authentisierung – Daten und Absender unverfälscht |
| 3 | VPN Grundlagen |
| 3.1 | Die Struktur von IPsec |
| 3.2 | IPsec – Die Betriebsarten |
| 3.3 | Der IPsec Header – Bestandteile von IPsec |
| 3.3.1 | Vertraulichkeit – ESP |
| 3.3.2 | Aushandlung mit ISAKMP und IKE |
| 3.4 | Security Associations |
| 3.5 | Die Authentisierung |
| 3.6 | Der Main Mode |
| 3.7 | Der Aggressive Mode |
| 3.8 | Der Quick Mode |
| 3.9 | IKEv2 |
| 3.10 | IKEv2 – der Ablauf |
| 3.10.1 | Option: Extensible Authentication Protocol |
| 3.10.2 | Option: Remote Access VPN |
| 3.11 | TLS – Transport Layer Security |
| 3.12 | Der TLS Verbindungsaufbau |
| 3.13 | Sichere Datenübertragung |
| 4 | IPsec Site-to-Site VPNs |
| 4.1 | Site-to-Site VPNs: Das Konzept |
| 4.1.1 | Performance |
| 4.2 | Die Topologie |
| 4.2.1 | Hub-and-Spoke und Full Mesh |
| 4.2.2 | IKE-Policies |
| 4.2.3 | IPsec-Proposals |
| 4.2.4 | IKE-Parameter in der Topologie |
| 4.2.5 | IPsec-Parameter in der Topologie |
| 4.2.6 | Weitere Topologie-Einstellungen: IKE |
| 4.2.7 | NAT und VPN |
| 4.3 | Kontrolle im FMC |
| 4.4 | Kontrolle via CLI |
| 4.5 | Debugging |
| 4.6 | Dynamic Crypto Map |
| 4.6.1 | Dynamic Crypto Map: Konfiguration |
| 4.7 | Authentisierung mit Zertifikaten |
| 4.7.1 | Installation des Zertifikats |
| 4.7.2 | Manual Enrollment |
| 4.7.3 | Zertifikate: Monitoring |
| 4.7.4 | IKE mit Zertifikaten |
| 4.8 | Die Konfiguration im CLI |
| 4.9 | Site-to-Site VPNs mit VTIs |
| 4.9.1 | Routing mit VTIs |
| 4.9.2 | Kontrolle per CLI |
| 5 | SSL VPNs |
| 5.1 | Der AnyConnect Client |
| 5.1.1 | Anpassung des AnyConnect |
| 5.1.2 | AnyConnect Client Profile |
| 5.2 | Das Konzept |
| 5.3 | Vorbereitende Konfiguration |
| 5.3.1 | Grundlegende SSL/TLS-Einstellungen |
| 5.4 | Benutzerauthentisierung per AAA |
| 5.4.1 | Active Directory als Realm |
| 5.4.2 | Lokale Benutzerdatenbank |
| 5.4.3 | AAA mit RADIUS |
| 5.4.4 | 2-Faktor-Authentisierung |
| 5.5 | Die VPN Policy |
| 5.5.1 | VPN Policy: Anpassungen |
| 5.6 | Das Connection Profile |
| 5.6.1 | Connection Profile: Details |
| 5.7 | Die Group Policy |
| 5.8 | Die Sicht des Benutzers |
| 5.8.1 | AnyConnect: Preferences |
| 5.8.2 | AnyConnect: Statistics |
| 5.8.3 | AnyConnect: Routen und Log |
| 5.9 | Kontrolle auf dem Gateway |
| 5.10 | Authentisierung mit Client-Zertifikat |
| 5.10.1 | Das Connection Profile |
| 5.10.2 | Authentisierung mit Zertifikat und AAA |
| 6 | IPsec Remote Access VPNs |
| 6.1 | Der AnyConnect Client und IPsec |
| 6.2 | Die VPN Policy |
| 6.2.1 | VPN Policy: Interface-Einstellungen |
| 6.2.2 | IKEv2-Parameter |
| 6.2.3 | VPN-Policy: Feintuning |
| 6.3 | Das AnyConnect Profile |
| 6.4 | Die Group Policy |
| 6.5 | Die Sicht des Benutzers |
| 6.6 | Kontrolle auf dem Gateway |
| 6.7 | Authentisierung mit Client-Zertifikat |
| 7 | Redundanz und Hochverfügbarkeit |
| 7.1 | VPNs und Redundanz |
| 7.1.1 | Backup Server |
| 7.1.2 | Stateful Failover |
| 7.1.3 | VPN Load Balancing |
| 7.1.4 | Cluster |
| A | Cisco Firepower VPN-Lösungen – Übungen |
| A.1 | Netzwerktopologie und Grundkonfiguration |
| A.2 | Site-to-Site VPN |
| A.2.1 | Authentisierung mit Zertifikaten |
| A.2.2 | Certificate Map |
| A.2.3 | Site-to-Site VPN mit VTI |
| A.3 | SSL VPN mit dem AnyConnect Client |
| A.3.1 | SSL VPN: Client Profile und NAT |
| A.3.2 | SSL VPN: VPN Policy |
| A.3.3 | Authentisierung mit Client-Zertifikat |
| A.3.4 | SSL VPN: Authentisierung per AAA und Zertifikat (Optional) |
| A.4 | IPsec VPN mit AnyConnect |
| A.5 | Redundanz mit Backup Server |
| A.6 | Redundanz mit HA |
| A.7 | Lösungsvorschläge |
| A.7.1 | Grundkonfiguration |
| A.7.2 | Site-to-Site VPN |
| A.7.3 | Authentisierung mit Zertifikaten |
| A.7.4 | Certificate Map |
| A.7.5 | SSL VPN mit AnyConnect |
| A.7.6 | SSL VPN mit AnyConnect |
| A.7.7 | SSL VPN: Authentisierung mit Zertifikat |
| A.7.8 | IPSec VPN mit AnyConnect |
-
Classroom training
- Do you prefer the classic training method? A course in one of our Training Centers, with a competent trainer and the direct exchange between all course participants? Then you should book one of our classroom training dates!
-
Hybrid training
- Hybrid training means that online participants can additionally attend a classroom course. The dynamics of a real seminar are maintained, and the online participants are able to benefit from that. Online participants of a hybrid course use a collaboration platform, such as WebEx Training Center or Saba Meeting. To do this, a PC with browser and Internet access is required, as well as a headset and ideally a Web cam. In the seminar room, we use specially developed and customized audio- and video-technologies. This makes sure that the communication between all persons involved works in a convenient and fault-free way.
-
Online training
- You wish to attend a course in online mode? We offer you online course dates for this course topic. To attend these seminars, you need to have a PC with Internet access (minimum data rate 1Mbps), a headset when working via VoIP and optionally a camera. For further information and technical recommendations, please refer to.
-
Tailor-made courses
-
You need a special course for your team? In addition to our standard offer, we will also support you in creating your customized courses, which precisely meet your individual demands. We will be glad to consult you and create an individual offer for you.
You can find the complete description of this course with dates and prices ready for download at as PDF.-
With the Firepower appliances and the Cisco Secure Firewall, Cisco offers a next-generation firewall that, in addition to standardized configuration via a policy model, continues to focus very strongly on protection against threats in the network environment.
In addition to the classic firewall functionalities, the various Firepower systems also offer application control, threat prevention and advanced malware protection and can also be used as a VPN gateway.
This course provides solid knowledge of the possible uses as a VPN gateway, teaches VPN basics and looks at both site-to-site VPNs (IPsec/IKEv1 and IKEv2) with crypto maps and VTIs as well as remote access VPNs (SSL/TLS and IPsec/IKEv2).
-
Course Contents
-
- VPN products from Cisco
- Basics of cryptographic procedures
- VPN basics
- IPsec Site-to-Site VPNs
- SSL VPNs
- IPsec remote access VPNs
- Redundancy and high availability
The detailed digital documentation package, consisting of an e-book and PDF, is included in the price of the course.
Premium Course Documents
In addition to the digital documentation package, the exclusive Premium Print Package is also available to you.
- High-quality color prints of the ExperTeach documentation
- Exclusive folder in an elegant design
- Document pouch in backpack shape
- Elegant LAMY ballpoint pen
- Practical notepad
The Premium Print Package can be added during the ordering process for € 150,- plus VAT (only for classroom participation).
-
Target Group
-
The course is aimed at people in security and network administration who will be commissioning a Firepower appliance with Firepower Threat Defense (FTD) as a VPN gateway and managing it with the Firepower Management Center (FMC). If you are planning to replace the Cisco ASA in your network with FTD, this is also the right course for you.
-
Knowledge Prerequisites
-
This course requires basic, product-specific know-how of the Cisco IOS, knowledge of the TCP/IP protocol and its security risks as well as the basics of switching and routing. You should also be familiar with the operation of packet filters and firewalls. Basic knowledge of the Firepower Management System (FMC) and FTD's policy model is also required.
| 1 | VPN Produkte von Cisco |
| 1.1 | Überblick |
| 1.2 | Verschiedene Wege bei VPNs |
| 1.3 | Lizenzierung |
| 1.3.1 | VPN-Lizenzen |
| 1.4 | AnyConnect |
| 1.5 | Remote Management von FTD-Geräten |
| 2 | VPNs und Sicherheit |
| 2.1 | Angriffsarten |
| 2.2 | Kleines 1x1 der Kryptographie |
| 2.2.1 | Vertraulichkeit – Symmetrische Verschlüsselung |
| 2.2.2 | Diffie-Hellman – Erzeugen symmetrischer Schlüssel |
| 2.2.3 | RSA – Asymmetrische Verschlüsselung |
| 2.2.4 | Datenintegrität – Hashwerte |
| 2.2.5 | Authentisierung – Daten und Absender unverfälscht |
| 3 | VPN Grundlagen |
| 3.1 | Die Struktur von IPsec |
| 3.2 | IPsec – Die Betriebsarten |
| 3.3 | Der IPsec Header – Bestandteile von IPsec |
| 3.3.1 | Vertraulichkeit – ESP |
| 3.3.2 | Aushandlung mit ISAKMP und IKE |
| 3.4 | Security Associations |
| 3.5 | Die Authentisierung |
| 3.6 | Der Main Mode |
| 3.7 | Der Aggressive Mode |
| 3.8 | Der Quick Mode |
| 3.9 | IKEv2 |
| 3.10 | IKEv2 – der Ablauf |
| 3.10.1 | Option: Extensible Authentication Protocol |
| 3.10.2 | Option: Remote Access VPN |
| 3.11 | TLS – Transport Layer Security |
| 3.12 | Der TLS Verbindungsaufbau |
| 3.13 | Sichere Datenübertragung |
| 4 | IPsec Site-to-Site VPNs |
| 4.1 | Site-to-Site VPNs: Das Konzept |
| 4.1.1 | Performance |
| 4.2 | Die Topologie |
| 4.2.1 | Hub-and-Spoke und Full Mesh |
| 4.2.2 | IKE-Policies |
| 4.2.3 | IPsec-Proposals |
| 4.2.4 | IKE-Parameter in der Topologie |
| 4.2.5 | IPsec-Parameter in der Topologie |
| 4.2.6 | Weitere Topologie-Einstellungen: IKE |
| 4.2.7 | NAT und VPN |
| 4.3 | Kontrolle im FMC |
| 4.4 | Kontrolle via CLI |
| 4.5 | Debugging |
| 4.6 | Dynamic Crypto Map |
| 4.6.1 | Dynamic Crypto Map: Konfiguration |
| 4.7 | Authentisierung mit Zertifikaten |
| 4.7.1 | Installation des Zertifikats |
| 4.7.2 | Manual Enrollment |
| 4.7.3 | Zertifikate: Monitoring |
| 4.7.4 | IKE mit Zertifikaten |
| 4.8 | Die Konfiguration im CLI |
| 4.9 | Site-to-Site VPNs mit VTIs |
| 4.9.1 | Routing mit VTIs |
| 4.9.2 | Kontrolle per CLI |
| 5 | SSL VPNs |
| 5.1 | Der AnyConnect Client |
| 5.1.1 | Anpassung des AnyConnect |
| 5.1.2 | AnyConnect Client Profile |
| 5.2 | Das Konzept |
| 5.3 | Vorbereitende Konfiguration |
| 5.3.1 | Grundlegende SSL/TLS-Einstellungen |
| 5.4 | Benutzerauthentisierung per AAA |
| 5.4.1 | Active Directory als Realm |
| 5.4.2 | Lokale Benutzerdatenbank |
| 5.4.3 | AAA mit RADIUS |
| 5.4.4 | 2-Faktor-Authentisierung |
| 5.5 | Die VPN Policy |
| 5.5.1 | VPN Policy: Anpassungen |
| 5.6 | Das Connection Profile |
| 5.6.1 | Connection Profile: Details |
| 5.7 | Die Group Policy |
| 5.8 | Die Sicht des Benutzers |
| 5.8.1 | AnyConnect: Preferences |
| 5.8.2 | AnyConnect: Statistics |
| 5.8.3 | AnyConnect: Routen und Log |
| 5.9 | Kontrolle auf dem Gateway |
| 5.10 | Authentisierung mit Client-Zertifikat |
| 5.10.1 | Das Connection Profile |
| 5.10.2 | Authentisierung mit Zertifikat und AAA |
| 6 | IPsec Remote Access VPNs |
| 6.1 | Der AnyConnect Client und IPsec |
| 6.2 | Die VPN Policy |
| 6.2.1 | VPN Policy: Interface-Einstellungen |
| 6.2.2 | IKEv2-Parameter |
| 6.2.3 | VPN-Policy: Feintuning |
| 6.3 | Das AnyConnect Profile |
| 6.4 | Die Group Policy |
| 6.5 | Die Sicht des Benutzers |
| 6.6 | Kontrolle auf dem Gateway |
| 6.7 | Authentisierung mit Client-Zertifikat |
| 7 | Redundanz und Hochverfügbarkeit |
| 7.1 | VPNs und Redundanz |
| 7.1.1 | Backup Server |
| 7.1.2 | Stateful Failover |
| 7.1.3 | VPN Load Balancing |
| 7.1.4 | Cluster |
| A | Cisco Firepower VPN-Lösungen – Übungen |
| A.1 | Netzwerktopologie und Grundkonfiguration |
| A.2 | Site-to-Site VPN |
| A.2.1 | Authentisierung mit Zertifikaten |
| A.2.2 | Certificate Map |
| A.2.3 | Site-to-Site VPN mit VTI |
| A.3 | SSL VPN mit dem AnyConnect Client |
| A.3.1 | SSL VPN: Client Profile und NAT |
| A.3.2 | SSL VPN: VPN Policy |
| A.3.3 | Authentisierung mit Client-Zertifikat |
| A.3.4 | SSL VPN: Authentisierung per AAA und Zertifikat (Optional) |
| A.4 | IPsec VPN mit AnyConnect |
| A.5 | Redundanz mit Backup Server |
| A.6 | Redundanz mit HA |
| A.7 | Lösungsvorschläge |
| A.7.1 | Grundkonfiguration |
| A.7.2 | Site-to-Site VPN |
| A.7.3 | Authentisierung mit Zertifikaten |
| A.7.4 | Certificate Map |
| A.7.5 | SSL VPN mit AnyConnect |
| A.7.6 | SSL VPN mit AnyConnect |
| A.7.7 | SSL VPN: Authentisierung mit Zertifikat |
| A.7.8 | IPSec VPN mit AnyConnect |
-
Classroom training
- Do you prefer the classic training method? A course in one of our Training Centers, with a competent trainer and the direct exchange between all course participants? Then you should book one of our classroom training dates!
-
Hybrid training
- Hybrid training means that online participants can additionally attend a classroom course. The dynamics of a real seminar are maintained, and the online participants are able to benefit from that. Online participants of a hybrid course use a collaboration platform, such as WebEx Training Center or Saba Meeting. To do this, a PC with browser and Internet access is required, as well as a headset and ideally a Web cam. In the seminar room, we use specially developed and customized audio- and video-technologies. This makes sure that the communication between all persons involved works in a convenient and fault-free way.
-
Online training
- You wish to attend a course in online mode? We offer you online course dates for this course topic. To attend these seminars, you need to have a PC with Internet access (minimum data rate 1Mbps), a headset when working via VoIP and optionally a camera. For further information and technical recommendations, please refer to.
-
Tailor-made courses
-
You need a special course for your team? In addition to our standard offer, we will also support you in creating your customized courses, which precisely meet your individual demands. We will be glad to consult you and create an individual offer for you.
You can find the complete description of this course with dates and prices ready for download at as PDF.
Hybrid Training
Trainer language German