Hello everybody,

as promised before, we posted the initial update to our Security Workbook VOL1 matching new new CCIE Security v3.0 blueprint. It covers the “ASA Firewall” section of the lab exam blueprint and contains 50 technology focused mini-scenarios. All customers with active subscription to the existing version of IEWB-SC VOL1 should see the new material under their members site accounts. The new content has been rewritten from scratch, with the task wording changed along with breakdowns, comments and explanatins added. You will see the mini-labs presented in “challenging” format, matching our new philosophy for the updated line of CCIE products. Of course, there are new scenarios covering the updated CCIE Security lab blueprint. If you are wondering why we jumped from version 3.2 to v5.0, there are few good reasons. Firstly, it symbolizes the unified design philosophy of our RS and SC products as the most recent version of RS products is v5.0. Secondly, you should remember how they jumped to IPv6 from IPv4. We thought that’s a good idea too. And last, but not least – Cisco did the same trick to their line of unified communication products! ;)

Finally, Here is the list of topics covered in this update. The highlighted topics correspond to the completely new scenarios added to the section. Notice however, that all other tasks have been completely updated as well! Happy studying!

ASA Firewall
VLANs and IP Addressing
Advanced Routing
IP Access-Lists
Object Groups
Administrative Access
ICMP Traffic
URL Filtering
Dynamic NAT and PAT
Static NAT and PAT
Dynamic Policy NAT
Static Policy NAT and PAT
Identity NAT and NAT Exemption
Outside Dynamic NAT
DNS Doctoring using “Alias”
DNS Doctoring using “Static”
Fragmented Traffic
IDENT Issues
BGP across the Firewall
Stub Multicast Routing
PIM Multicast Routing
Network Time Protocol
System Logging
Filtering System Logs
SNMP Monitoring
DHCP Server
HTTP Traffic Inspection
FTP Traffic Inspection
SMTP Traffic Inspection
TCP Inspection
Management Traffic Inspection
ICMP Traffic Inspection
Threat Detection
Un-Stealthing the Firewall
Traffic Policing
Low Latency Queuing
Traffic Shaping
Hierarchical Queuing
Transparent Firewall
ARP Inspection
Ethertype Access-Lists
Transparent Firewall NAT
Firewall Contexts
Firewall Contexts Routing
Firewall Contexts Classification
Resource Management
Active/Standby Failover
Active/Active Failover

About Petr Lapukhov, 4xCCIE/CCDE:

Petr Lapukhov's career in IT begain in 1988 with a focus on computer programming, and progressed into networking with his first exposure to Novell NetWare in 1991. Initially involved with Kazan State University's campus network support and UNIX system administration, he went through the path of becoming a networking consultant, taking part in many network deployment projects. Petr currently has over 12 years of experience working in the Cisco networking field, and is the only person in the world to have obtained four CCIEs in under two years, passing each on his first attempt. Petr is an exceptional case in that he has been working with all of the technologies covered in his four CCIE tracks (R&S, Security, SP, and Voice) on a daily basis for many years. When not actively teaching classes, developing self-paced products, studying for the CCDE Practical & the CCIE Storage Lab Exam, and completing his PhD in Applied Mathematics.

Find all posts by Petr Lapukhov, 4xCCIE/CCDE | Visit Website

You can leave a response, or trackback from your own site.

29 Responses to “IEWB-SC VOL1 v5.0: new “ASA Firewall” section posted!”

  1. adrian says:

    great news Petr!

  2. rowan says:

    I am unable to download the file, I also cannot download the hardware specs. Just times out. Any ideas?

  3. Rizzo says:


    That’s great news for us.

    Just check pulling ASA section from member area and will give try in Lab. Why is it BETA? Are you missing or adding more stuff to it? When will whole pdf be released?

    I love your explanation for version 5.0 jump. LOL. Nice one mate :)

    Thanks a lot

    • To: Rizzo,

      “Beta” simply means we keep updating the content and fixing any bugs/typos that could possibly be there. For example, there might be one or two more labs added to the ASA section. We think adding small updates in shorter period of time is better than keeping content up to the moment till “everything is done”. Of course, there are going to be more sections added with time, including IOS Firewall, VPN, IPS, Identity Management and so on.

  4. Faisal Habib says:

    DO you have any rough dates when you are going to upload the remaining sections such as IOS Firewall, VPN, IPS etc. Also do you have any approximate date for Work book 2.

    • To: Faisal Habib

      We schedule to deliver the next VOL1 update (“IOS Firewall”) on approximately 2nd-3rd week of April. Additionally, VOL2 updates are to be delivered in parallel with VOL1, starting 2nd week of April – one or two labs every week. More VOL1 sections are to be posted in May (VPN and Identity Management) with IPS and Advanced Security labs delivered in June. We plan to finish with all updates (both VOL1 and VOL2) by late June/early July.

  5. SickMonkey says:

    It would also be really great if you identify release numbers so we can keep track and use the correct materials at all times!

    • To: SickMonkey

      The content management engine displays the latest modification time next to every workbook file. In addition to that, we are going to configure the engine so that every time a new update is posted, you receive an e-mail notification.

  6. Yanchong says:

    Very glad to hear the release date for VOL2,even if it is approximately. For I formerly plan to give my second try of security Lab by the end of June, and I thought July is okay for me.

  7. Ajay says:

    Workbooks are refering to “ASA routing files” and some initial configurations. Where are all these configurations listed. I could not find them in workbook.

    These were in the Note section:

    “Load the ASA routing files to initialize your rack”

    ” Load the Access control initial configurations”

  8. kaveh says:


    Unable to download the ASA firewall.Any ideas?

  9. Ryan says:

    Hi Petr,

    I am also unable to download the new version 5 ASA file.

    I click the link (ASA firewall (BETA)) and it stalls out after 30 seconds. There is a popup that comes up (pushfile.php from and then it shows an error (in IE 8) – the requested site is either unavailable or cannot be found.

    This also occurs on the hardware specs link located just above the ASA Firewall (BETA) link.


  10. Josep says:


    its nice to see new ASA volumen but, when we will have the full Volumen 2 ready to practice?


  11. Leet Man says:

    What about the COD? When will the COD be updated?
    class on demand

  12. Yanchong says:

    It seems that download the pdf from your website has problem if the browser is Internet Explore,please download/open it with Googles Chrome.

  13. berrouz says:

    Petr, can you explain how can i use Modular policy framework effectively?
    I am confused with class-map, class-map type, policy-map and policy-map type! If you can, it would be immense!
    Заранее спасибо! Привет из Украины!

  14. Jesse says:

    OK, I just took a look at this, and this looks MUCH better than the previous IEWB-SC-VOL1 content. (EXPLANATIONS!!!!!!) KEEP UP THE GOOD WORK!

    I am getting motivated!
    Thank You,

  15. David Koppenaal says:

    Is the ASA section also doable with a PIX 8 imaga running in PEMU?

    Thanks, David

  16. Dave Burns says:

    Hey Peter… I’ve been walking through this new section you posted specifically on ASA Firewall. I noticed a typo while walking through section 1.44 in the solutions. You have “ip route″ on R3, but it should be “ip route″ given that .3 is R3′s own address. I wasn’t sure where to post this, thus thought this was the most appropriate place. On another note, from the labs I’ve walked through this is very good/thorough… I especially like the notes in the solutions section as it discusses ‘gotchas’ and why you chose to use the solution you chose.

    Note: I’ll post this in the ‘technical forum’ for CCIE Security too just to advise anyone else that walks through the labs as I have.

    Thanks Again… Dave

  17. Steve says:

    Does anyone know if it’s possible to configure/test SSL VPN on IOS using dynamips/GNS3?

  18. Piotrek_ says:

    When will the CoD (Class-on-Demand) be updated?

  19. Yanchong says:

    It’s so good that I feel I was lucky to fail my first try, or I will not read it seriously:)

  20. Yanchong says:

    May I have two advice regarding the structure of Security volume I Workbook:
    1).Why not move IOS firewall section that currently under VPN part to ASA Firewall Section?
    2).Have you missed the Advanced firewall topic that planed to place under PIX/ASA Firewall part?

  21. Yanchong says:

    Sorry,my second advice should be: Maybe there still some other material that could be in the Advanced firewall topic.(Compared with the outline you mentioned in previous blogs)
    I’ve always been very appreciated by your excellent workbook.


Leave a Reply


CCIE Bloggers