HAPPY BOOKSGIVING
Use code BOOKSGIVING during checkout to save 40%-55% on books and eBooks. Shop now.
Register your product to gain access to bonus material or receive a coupon.
CCNP Security FIREWALL 642-617
Official Cert Guide
David Hucaby, CCIE® No. 4594
Dave Garneau
Anthony Sequeira, CCIE No. 15626
Learn, prepare, and practice for exam success
CCNP Security FIREWALL 642-617 Official Cert Guide is a best of breed Cisco exam study guide that focuses specifically on the objectives for the CCNP Security FIREWALL exam. Senior security consultants and instructors David Hucaby, Dave Garneau, and Anthony Sequeira share preparation hints and test-taking tips, helping you identify areas of weakness and improve both your conceptual knowledge and hands-on skills. Material is presented in a concise manner, focusing on increasing your understanding and retention of exam topics.
CCNP Security FIREWALL 642-617 Official Cert Guide presents you with an organized test-preparation routine through the use of proven series elements and techniques. “Do I Know This Already?” quizzes open each chapter and enable you to decide how much time you need to spend on each section. Exam topic lists make referencing easy. Chapter-ending Exam Preparation Tasks help you drill on key concepts you must know thoroughly.
The companion CD-ROM contains the powerful Pearson IT Certification Practice Test engine that enables you to focus on individual topic areas or take a complete, timed exam. The assessment engine also tracks your performance and provides feedback on a module-by-module basis, laying out a complete assessment of your knowledge to help you focus your study where it is needed most.
Well-regarded for its level of detail, assessment features, and challenging review questions and exercises, this official study guide helps you master the concepts and techniques that will enable you to succeed on the exam the first time.
CCNP Security FIREWALL 642-617 Official Cert Guide is part of a recommended learning path from Cisco that includes simulation and hands-on training from authorized Cisco Learning Partners and self-study products from Cisco Press. To find out more about instructor-led training, e-learning, and hands-on instruction offered by authorized Cisco Learning Partners worldwide, please visit www.cisco.com/go/authorizedtraining.
The official study guide helps you master all the topics on the CCNP Security FIREWALL exam, including
Companion CD-ROM
The CD-ROM contains a free, complete practice exam.
Includes Exclusive Offer for 70% Off Premium Edition eBook and Practice Test
Pearson IT Certification Practice Test minimum system requirements:
Windows XP (SP3), Windows Vista (SP2), or Windows 7; Microsoft .NET Framework 4.0 Client; Microsoft SQL Server Compact 4.0; Pentium class 1GHz processor (or equivalent); 512 MB RAM; 650 MB disc space plus 50 MB for each downloaded practice exam
This volume is part of the Official Cert Guide Series from Cisco Press. Books in this series provide officially developed exam preparation materials that offer assessment, review, and practice to help Cisco Career Certification candidates identify weaknesses, concentrate their study efforts, and enhance their confidence as exam day nears.
Category: Cisco Press—Cisco Certification
Covers: CCNP Security FIREWALL 642-617
CCNP Security: Security Contexts on the Cisco ASA
Exam Profile: Cisco Deploying ASA Firewall Solutions (Firewall v1.0), Exam 642-617
Quality of Service (QoS) on the Cisco ASA
The exciting new CCNP Security FIREWALL 642-617 Official Cert Guide, Premium Edition eBook and Practice Test is a digital-only certification preparation product combining an eBook with enhanced Pearson IT Certification Practice Test. The Premium Edition eBook and Practice Test contains the following items:
About the Premium Edition Practice Test
This Premium Edition contains an enhanced version of the Pearson IT Certification Practice Test (PCPT) software with three full practice exams. In addition, it contains all the chapter-opening assessment questions from the book. This integrated learning package:
Pearson IT Certification Practice Test minimum system requirements:
Windows XP (SP3), Windows Vista (SP2), or Windows 7;
Microsoft .NET Framework 4.0 Client;
Microsoft SQL Server Compact 4.0;
Pentium class 1GHz processor (or equivalent);
512 MB RAM;
650 MB disc space plus 50 MB for each downloaded practice exam
About the Premium Edition eBook
CCNP Security FIREWALL 642-617 Official Cert Guide focuses specifically on the objectives for the CCNP Security FIREWALL exam. Senior security consultants and instructors David Hucaby, David Garneau, and Anthony Sequeira share preparation hints and test-taking tips, helping you identify areas of weakness and improve both your conceptual knowledge and hands-on skills. Material is presented in a concise manner, focusing on increasing your understanding and retention of exam topics.
CCNP Security FIREWALL 642-617 Official Cert Guide presents you with an organized test preparation routine through the use of proven series elements and techniques. “Do I Know This Already” quizzes open each chapter and allow you to decide how much time you need to spend on each section. Exam topic lists make referencing easy. Chapter-ending Exam Preparation Tasks help you drill on key concepts you must know thoroughly.
Well-regarded for its level of detail, assessment features, and challenging review questions and exercises, this official study guide helps you master the concepts and techniques that will enable you to succeed on the exam the first time.
This official study guide helps you master all the topics on the CCNP Security FIREWALL exam, including
CCNP Security Firewall Cert Guide: Recording ASA Activity
Download the sample pages (includes Chapter 6 and Index)
Introduction xxiii
Chapter 1 Cisco ASA Adaptive Security Appliance Overview 3
“Do I Know This Already?” Quiz 3
Foundation Topics 7
Firewall Overview 7
Firewall Techniques 11
Stateless Packet Filtering 11
Stateful Packet Filtering 12
Stateful Packet Filtering with Application Inspection and Control 12
Network Intrusion Prevention System 13
Network Behavior Analysis 14
Application Layer Gateway (Proxy) 14
Cisco ASA Features 15
Selecting a Cisco ASA Model 18
ASA 5505 18
ASA 5510, 5520, and 5540 19
ASA 5550 20
ASA 5580 21
Security Services Modules 22
Advanced Inspection and Prevention (AIP) SSM 22
Content Security and Control (CSC) SSM 23
4-Port Gigabit Ethernet (4GE) SSM 24
ASA 5585-X 24
ASA Performance Breakdown 25
Selecting ASA Licenses 28
Exam Preparation Tasks 31
Review All Key Topics 31
Define Key Terms 31
Chapter 2 Working with a Cisco ASA 33
“Do I Know This Already?” Quiz 33
Foundation Topics 38
Using the CLI 38
Entering Commands 39
Command Help 41
Command History 43
Searching and Filtering Command Output 43
Terminal Screen Format 45
Using Cisco ASDM 45
Understanding the Factory Default Configuration 50
Working with Configuration Files 52
Clearing an ASA Configuration 55
Working with the ASA File System 56
Navigating an ASA Flash File System 57
Working with Files in an ASA File System 58
Reloading an ASA 61
Upgrading the ASA Software at the Next Reload 63
Performing a Reload 64
Manually Upgrading the ASA Software During a Reload 65
Exam Preparation Tasks 69
Review All Key Topics 69
Define Key Terms 69
Command Reference to Check Your Memory 69
Chapter 3 Configuring ASA Interfaces 73
“Do I Know This Already?” Quiz 73
Foundation Topics 77
Configuring Physical Interfaces 77
Default Interface Configuration 78
Configuring Physical Interface Parameters 80
Mapping ASA 5505 Interfaces to VLANs 80
Configuring Interface Redundancy 81
Configuring VLAN Interfaces 83
VLAN Interfaces and Trunks on ASA 5510 and Higher Platforms 84
VLAN Interfaces and Trunks on an ASA 5505 86
Configuring Interface Security Parameters 88
Naming the Interface 88
Assigning an IP Address 89
Setting the Security Level 90
Interface Security Parameters Example 94
Configuring the Interface MTU 94
Verifying Interface Operation 96
Exam Preparation Tasks 99
Review All Key Topics 99
Define Key Terms 99
Command Reference to Check Your Memory 99
Chapter 4 Configuring IP Connectivity 103
“Do I Know This Already?” Quiz 103
Foundation Topics 107
Deploying DHCP Services 107
Configuring a DHCP Relay 107
Configuring a DHCP Server 108
Using Routing Information 111
Configuring Static Routing 115
Tracking a Static Route 117
Routing with RIPv2 122
Routing with EIGRP 125
Routing with OSPF 134
An Example OSPF Scenario 140
Verifying the ASA Routing Table 144
Exam Preparation Tasks 147
Review All Key Topics 147
Define Key Terms 147
Command Reference to Check Your Memory 148
Chapter 5 Managing a Cisco ASA 155
“Do I Know This Already?” Quiz 155
Foundation Topics 159
Basic Device Settings 159
Configuring Device Identity 159
Configuring Basic Authentication 160
Verifying Basic Device Settings 162
Configuring Name-to-Address Mappings 162
Configuring Local Name-to-Address Mappings 162
Configuring DNS Server Groups 164
Verifying Name-to-Address Mappings 166
File System Management 166
File System Management Using ASDM 166
File System Management Using the CLI 167
dir 168
more 168
copy 168
delete 168
rename 168
mkdir 169
rmdir 169
cd 170
pwd 170
fsck 170
format or erase 171
Managing Software and Feature Activation 171
Managing Cisco ASA Software and ASDM Images 171
Upgrading Files from a Local PC or Directly from Cisco.com 173
License Management 175
Upgrading the Image and Activation Key at the Same Time 176
Cisco ASA Software and License Verification 176
Configuring Management Access 179
Overview of Basic Procedures 179
Configuring Remote Management Access 181
Configuring an Out-of-Band Management Interface 182
Configuring Remote Access Using Telnet 182
Configuring Remote Access Using SSH 185
Configuring Remote Access Using HTTPS 187
Creating a Permanent Self-Signed Certificate 187
Obtaining an Identity Certificate by PKI Enrollment 189
Deploying an Identity Certificate 190
Configuring Management Access Banners 191
Controlling Management Access with AAA 194
Creating Users in the Local Database 196
Using Simple Password-Only Authentication 197
Configuring AAA Access Using the Local Database 198
Configuring AAA Access Using Remote AAA Server(s) 200
Step 1: Create an AAA Server Group and Configure How Servers in the Group Are Accessed 201
Step 2: Populate the Server Group with Member Servers 202
Step 3: Enable User Authentication for Each Remote Management Access Channel 203
Configuring Cisco Secure ACS for Remote Authentication 204
Configuring AAA Command Authorization 207
Configuring Local AAA Command Authorization 208
Configuring Remote AAA Command Authorization 211
Configuring Remote AAA Accounting 214
Verifying AAA for Management Access 215
Configuring Monitoring Using SNMP 216
Troubleshooting Remote Management Access 221
Cisco ASA Password Recovery 223
Performing Password Recovery 223
Enabling or Disabling Password Recovery 224
Exam Preparation Tasks 225
Review All Key Topics 225
Command Reference to Check Your Memory 225
Chapter 6 Recording ASA Activity 233
“Do I Know This Already?” Quiz 233
Foundation Topics 237
System Time 237
NTP 237
Verifying System Time Settings 241
Managing Event and Session Logging 242
NetFlow Support 243
Logging Message Format 244
Message Severity 244
Configuring Event and Session Logging 245
Configuring Global Logging Properties 245
Altering Settings of Specific Messages 247
Configuring Event Filters 250
Configuring Individual Event Destinations 252
Internal Buffer 252
ASDM 253
Syslog Server(s) 255
Email 257
NetFlow 259
Telnet or SSH Sessions 260
Verifying Event and Session Logging 261
Implementation Guidelines 262
Troubleshooting Event and Session Logging 263
Troubleshooting Commands 263
Exam Preparation Tasks 265
Review All Key Topics 265
Command Reference to Check Your Memory 265
Chapter 7 Using Address Translation 269
“Do I Know This Already?” Quiz 270
Foundation Topics 277
Understanding How NAT Works 277
Enforcing NAT 279
Address Translation Deployment Options 280
NAT Versus PAT 281
Input Parameters 283
Deployment Choices 283
NAT Exemption 284
Configuring NAT Control 285
Configuring Dynamic Inside NAT 287
Configuring Dynamic Inside PAT 292
Configuring Dynamic Inside Policy NAT 297
Verifying Dynamic Inside NAT and PAT 300
Configuring Static Inside NAT 301
Configuring Network Static Inside NAT 304
Configuring Static Inside PAT 307
Configuring Static Inside Policy NAT 310
Verifying Static Inside NAT and PAT 313
Configuring No-Translation Rules 313
Configuring Dynamic Identity NAT 314
Configuring Static Identity NAT 316
Configuring NAT Bypass (NAT Exemption) 318
NAT Rule Priority with NAT Control Enabled 319
Configuring Outside NAT 320
Other NAT Considerations 323
DNS Rewrite (Also Known as DNS Doctoring) 323
Integrating NAT with ASA Access Control 325
Integrating NAT with MPF 326
Integrating NAT with AAA (Cut-Through Proxy) 326
Troubleshooting Address Translation 326
Improper Translation 327
Protocols Incompatible with NAT or PAT 327
Proxy ARP 327
NAT-Related Syslog Messages 328
Exam Preparation Tasks 329
Review All Key Topics 329
Define Key Terms 330
Command Reference to Check Your Memory 330
Chapter 8 Controlling Access Through the ASA 333
“Do I Know This Already?” Quiz 333
Foundation Topics 338
Understanding How Access Control Works 338
State Tables 338
Connection Table 339
TCP Connection Flags 342
Inside and Outside, Inbound and Outbound 343
Local Host Table 344
State Table Logging 345
Understanding Interface Access Rules 346
Stateful Filtering 347
Interface Access Rules and Interface Security Levels 349
Interface Access Rules Direction 349
Configuring Interface Access Rules 350
Access Rule Logging 356
Cisco ASDM Public Server Wizard 363
Configuring Access Control Lists from the CLI 364
Implementation Guidelines 365
Time-Based Access Rules 366
Configuring Time Ranges from the CLI 370
Verifying Interface Access Rules 371
Managing Rules in Cisco ASDM 372
Managing Access Rules from the CLI 375
Organizing Access Rules Using Object Groups 376
Verifying Object Groups 387
Configuring and Verifying Other Basic Access Controls 390
uRPF 390
Shunning 392
Troubleshooting Basic Access Control 393
Examining Syslog Messages 393
Packet Capture 395
Packet Tracer 397
Suggested Approach to Access Control Troubleshooting 399
Exam Preparation Tasks 400
Review All Key Topics 400
Command Reference to Check Your Memory 401
Chapter 9 Inspecting Traffic 409
“Do I Know This Already?” Quiz 409
Foundation Topics 415
Understanding the Modular Policy Framework 415
Configuring the MPF 418
Configuring a Policy for Inspecting OSI Layers 3 and 4 420
Step 1: Define a Layer 3—4 Class Map 421
Step 2: Define a Layer 3—4 Policy Map 423
Step 3: Apply the Policy Map to the Appropriate Interfaces 426
Creating a Security Policy in ASDM 427
Tuning Basic Layer 3—4 Connection Limits 431
Inspecting TCP Parameters with the TCP Normalizer 435
Configuring ICMP Inspection 441
Configuring Dynamic Protocol Inspection 441
Configuring Custom Protocol Inspection 450
Configuring a Policy for Inspecting OSI Layers 5—7 451
Configuring HTTP Inspection 452
Configuring HTTP Inspection Policy Maps Using the CLI 454
Configuring HTTP Inspection Policy Maps Using ASDM 461
Configuring FTP Inspection 473
Configuring FTP Inspection Using the CLI 474
Configuring FTP Inspection Using ASDM 476
Configuring DNS Inspection 479
Creating and Applying a DNS Inspection Policy Map Using the CLI 480
Creating and Applying a DNS Inspection Policy Map Using ASDM 482
Configuring ESMTP Inspection 487
Configuring an ESMTP Inspection with the CLI 487
Configuring an ESMTP Inspection with ASDM 489
Configuring a Policy for ASA Management Traffic 492
Detecting and Filtering Botnet Traffic 497
Configuring Botnet Traffic Filtering with the CLI 498
Step 1: Configure the Dynamic Database 498
Step 2: Configure the Static Database 499
Step 3: Enable DNS Snooping 499
Step 4: Enable the Botnet Traffic Filter 499
Configuring Botnet Traffic Filtering with ASDM 501
Step 1: Configure the Dynamic Database 501
Step 2: Configure the Static Database 501
Step 3: Enable DNS Snooping 502
Step 4: Enable the Botnet Traffic Filter 502
Using Threat Detection 503
Configuring Threat Detection with the CLI 504
Step 1: Configure Basic Threat Detection 504
Step 2: Configure Advanced Threat Detection 506
Step 3: Configure Scanning Threat Detection 507
Configuring Threat Detection in ASDM 509
Step 1: Configure Basic Threat Detection 509
Step 2: Configure Advanced Threat Detection 509
Step 3: Configure Scanning Threat Detection 510
Exam Preparation Tasks 512
Review All Key Topics 512
Define Key Terms 513
Command Reference to Check Your Memory 513
Chapter 10 Using Proxy Services to Control Access 515
“Do I Know This Already?” Quiz 515
Foundation Topics 518
User-Based (Cut-Through) Proxy Overview 518
User Authentication 518
AAA on the ASA 519
AAA Deployment Options 519
User-Based Proxy Preconfiguration Steps and Deployment Guidelines 520
User-Based Proxy Preconfiguration Steps 520
User-Based Proxy Deployment Guidelines 520
Direct HTTP Authentication with the Cisco ASA 521
HTTP Redirection 521
Virtual HTTP 522
Direct Telnet Authentication 522
Configuration Steps of User-Based Proxy 522
Configuring User Authentication 522
Configuring an AAA Group 523
Configuring an AAA Server 524
Configuring the Authentication Rules 524
Verifying User Authentication 526
Configuring HTTP Redirection 527
Configuring the Virtual HTTP Server 527
Configuring Direct Telnet 528
Configuring Authentication Prompts and Timeouts 528
Configuring Authentication Prompts 529
Configuring Authentication Timeouts 529
Configuring User Authorization 530
Configuring Downloadable ACLs 531
Configuring User Session Accounting 531
Using Proxy for IP Telephony and Unified TelePresence 532
Exam Preparation Tasks 534
Review All Key Topics 534
Define Key Terms 534
Command Reference to Check Your Memory 534
Chapter 11 Handling Traffic 537
“Do I Know This Already?” Quiz 537
Foundation Topics 541
Handling Fragmented Traffic 541
Prioritizing Traffic 543
Controlling Traffic Bandwidth 547
Configuring Traffic Policing Parameters 550
Configuring Traffic Shaping Parameters 553
Exam Preparation Tasks 557
Review All Key Topics 557
Define Key Terms 557
Command Reference to Check Your Memory 557
Chapter 12 Using Transparent Firewall Mode 561
“Do I Know This Already?” Quiz 561
Foundation Topics 564
Firewall Mode Overview 564
Configuring Transparent Firewall Mode 567
Controlling Traffic in Transparent Firewall Mode 569
Using ARP Inspection 571
Disabling MAC Address Learning 575
Exam Preparation Tasks 579
Review All Key Topics 579
Define Key Terms 579
Command Reference to Check Your Memory 580
Chapter 13 Creating Virtual Firewalls on the ASA 583
“Do I Know This Already?” Quiz 583
Foundation Topics 586
Cisco ASA Virtualization Overview 586
The System Configuration, the System Context, and Other Security Contexts 586
Virtual Firewall Deployment Guidelines 587
Deployment Choices 587
Deployment Guidelines 588
Limitations 588
Configuration Tasks Overview 589
Configuring Security Contexts 589
The Admin Context 590
Configuring Multiple Mode 590
Creating a Security Context 590
Verifying Security Contexts 592
Managing Security Contexts 592
Packet Classification 592
Changing the Admin Context 593
Configuring Resource Management 594
The Default Class 594
Creating a New Resource Class 594
Verifying Resource Management 596
Troubleshooting Security Contexts 596
Exam Preparation Tasks 598
Review All Key Topics 598
Define Key Terms 598
Command Reference to Check Your Memory 598
Chapter 14 Deploying High Availability Features 601
“Do I Know This Already?” Quiz 601
Foundation Topics 605
ASA Failover Overview 605
Failover Roles 605
Detecting an ASA Failure 611
Configuring Active-Standby Failover Mode 612
Step 1: Configure the Primary Failover Unit 613
Step 2: Configure Failover on the Secondary Device 614
Scenario for Configuring Active-Standby Failover Mode 614
Configuring Active-Standby Failover with the ASDM Wizard 616
Configuring Active-Standby Failover Manually in ASDM 618
Configuring Active-Active Failover Mode 621
Step 1: Configure the Primary ASA Unit 622
Step 2: Configure the Secondary ASA Unit 623
Scenario for Configuring Active-Active Failover Mode 623
Tuning Failover Operation 630
Configuring Failover Timers 630
Configuring Failover Health Monitoring 631
Detecting Asymmetric Routing 632
Administering Failover 634
Verifying Failover Operation 635
Leveraging Failover for a Zero Downtime Upgrade 637
Exam Preparation Tasks 639
Review All Key Topics 639
Define Key Terms 639
Command Reference to Check Your Memory 639
Chapter 15 Integrating ASA Service Modules 645
“Do I Know This Already?” Quiz 645
Foundation Topics 648
Cisco ASA Security Services Modules Overview 648
Module Components 648
General Deployment Guidelines 649
Overview of the Cisco ASA Content Security and Control SSM 649
Cisco Content Security and Control SSM Licensing 649
Overview of the Cisco ASA Advanced Inspection and Prevention SSM and SSC 649
Inline Operation 650
Promiscuous Operation 650
Supported Cisco IPS Software Features 650
Installing the ASA AIP-SSM and AIP-SSC 651
The Cisco AIP-SSM and AIP-SSC Ethernet Connections 651
Failure Management Modes 652
Managing Basic Features 652
Initializing the AIP-SSM and AIP-SSC 653
Configuring the AIP-SSM and AIP-SSC 653
Integrating the ASA CSC-SSM 653
Installing the CSC-SSM 653
Ethernet Connections 654
Managing the Basic Features 654
Initializing the Cisco CSC-SSM 654
Configuring the CSC-SSM 655
Exam Preparation Tasks 656
Review All Key Topics 656
Definitions of Key Terms 656
Command Reference to Check Your Memory 656
Chapter 16 Final Preparation 659
Tools for Final Preparation 659
Pearson Cert Practice Test Engine and Questions on the CD 659
Install the Software from the CD 659
Activate and Download the Practice Exam 660
Activating Other Exams 660
Premium Edition 660
The Cisco Learning Network 661
Chapter-Ending Review Tools 661
Suggested Plan for Final Review/Study 661
Using the Exam Engine 662
Summary 663
Appendix A Answers to the “Do I Know This Already?” Quizzes 665
Appendix B CCNP Security 642-617 FIREWALL Exam Updates: Version 1.0 671
Appendix C Traffic Analysis Tools 675
Glossary 707
9781587142796 TOC 8/25/2011