CCNP Security FIREWALL 642-618 Official Cert Guide
- By David Hucaby, Dave Garneau, Anthony J. Sequeira
- Published May 8, 2012 by Cisco Press.
- Copyright 2012
- Dimensions: 7-3/8" x 9-1/8"
- Edition: 1st
- eBook
- ISBN-10: 0-13-297940-3
- ISBN-13: 978-0-13-297940-5
Trust the best-selling Official Cert Guide series from Cisco Press to help you learn, prepare, and practice for exam success. They are built with the objective of providing assessment, review, and practice to help ensure you are fully prepared for your certification exam.
- Master Cisco CCNP Security FIREWALL 642-618 exam topics
- Assess your knowledge with chapter-opening quizzes
- Review key concepts with exam preparation tasks
This is the eBook edition of the CCNP Security FIREWALL 642-618 Official Cert Guide. This eBook does not include the companion CD-ROM with practice exam that comes with the print edition.
CCNP Security FIREWALL 642-618 Official Cert Guide presents you with an organized test preparation routine through the use of proven series elements and techniques. “Do I Know This Already?” quizzes open each chapter and enable you to decide how much time you need to spend on each section. Exam topic lists make referencing easy. Chapter-ending Exam Preparation Tasks help you drill on key concepts you must know thoroughly.
CCNP Security FIREWALL 642-618 Official Cert Guide focuses specifically on the objectives for the Cisco CCNP Security FIREWALL exam. Expert networking consultants Dave Hucaby, Dave Garneau, and Anthony Sequeira share preparation hints and test-taking tips, helping you identify areas of weakness and improve both your conceptual knowledge and hands-on skills. Material is presented in a concise manner, focusing on increasing your understanding and retention of exam topics.
Well-regarded for its level of detail, assessment features, comprehensive design scenarios, and challenging review questions and exercises, this official study guide helps you master the concepts and techniques that will enable you to succeed on the exam the first time.
The official study guide helps you master all the topics on the CCNP Security FIREWALL exam, including:
- ASA interfaces
- IP connectivity
- ASA management
- Recording ASA activity
- Address translation
- Access control
- Proxy services
- Traffic inspection and handling
- Transparent firewall mode
- Virtual firewalls
- High availability
- ASA service modules
CCNP Security FIREWALL 642-618 Official Cert Guide is part of a recommended learning path from Cisco that includes simulation and hands-on training from authorized Cisco Learning Partners and self-study products from Cisco Press. To find out more about instructor-led training, e-learning, and hands-on instruction offered by authorized Cisco Learning Partners worldwide, please visit www.cisco.com/go/authorizedtraining.
Table of Contents
Introduction xxv
Chapter 1 Cisco ASA Adaptive Security Appliance Overview 3
“Do I Know This Already?” Quiz 3
Foundation Topics 7
Firewall Overview 7
Firewall Techniques 11
Stateless Packet Filtering 11
Stateful Packet Filtering 12
Stateful Packet Filtering with Application Inspection and Control 12
Network Intrusion Prevention System 13
Network Behavior Analysis 14
Application Layer Gateway (Proxy) 14
Cisco ASA Features 15
Selecting a Cisco ASA Model 18
ASA 5505 18
ASA 5510, 5520, and 5540 19
ASA 5550 20
ASA 5580 21
Security Services Modules 22
Advanced Inspection and Prevention (AIP) SSM 22
Content Security and Control (CSC) SSM 23
4-port Gigabit Ethernet (4GE) SSM 24
ASA 5585-X 24
ASA Performance Breakdown 25
Selecting ASA Licenses 29
ASA Memory Requirements 31
Exam Preparation Tasks 33
Review All Key Topics 33
Define Key Terms 33
Chapter 2 Working with a Cisco ASA 35
“Do I Know This Already?” Quiz 35
Foundation Topics 40
Using the CLI 40
Entering Commands 41
Command Help 43
Searching and Filtering Command Output 45
Command History 45
Terminal Screen Format 47
Using Cisco ASDM 47
Understanding the Factory Default Configuration 52
Working with Configuration Files 54
Clearing an ASA Configuration 57
Working with the ASA File System 58
Navigating an ASA Flash File System 59
Working with Files in an ASA File System 60
Reloading an ASA 63
Upgrading the ASA Software at the Next Reload 65
Performing a Reload 66
Manually Upgrading the ASA Software During a Reload 67
Exam Preparation Tasks 71
Review All Key Topics 71
Define Key Terms 71
Command Reference to Check Your Memory 71
Chapter 3 Configuring ASA Interfaces 75
“Do I Know This Already?” Quiz 75
Foundation Topics 80
Configuring Physical Interfaces 80
Default Interface Configuration 82
Configuring Physical Interface Parameters 83
Mapping ASA 5505 Interfaces to VLANs 84
Configuring Interface Redundancy 84
Configuring an EtherChannel 87
Configuring VLAN Interfaces 95
VLAN Interfaces and Trunks on ASA 5510 and Higher Platforms 95
VLAN Interfaces and Trunks on an ASA 5505 97
Configuring Interface Security Parameters 98
Naming the Interface 98
Assigning an IP Address 99
Setting the Security Level 100
Interface Security Parameters Example 103
Configuring the Interface MTU 104
Verifying Interface Operation 107
Exam Preparation Tasks 109
Review All Key Topics 109
Define Key Terms 109
Command Reference to Check Your Memory 109
Chapter 4 Configuring IP Connectivity 113
“Do I Know This Already?” Quiz 113
Foundation Topics 117
Deploying DHCP Services 117
Configuring a DHCP Relay 117
Configuring a DHCP Server 119
Using Routing Information 122
Configuring Static Routing 124
Tracking a Static Route 126
Routing with RIPv2 132
Routing with EIGRP 135
Routing with OSPF 142
An Example OSPF Scenario 142
Verifying the ASA Routing Table 151
Exam Preparation Tasks 154
Review All Key Topics 154
Define Key Terms 154
Command Reference to Check Your Memory 154
Chapter 5 Managing a Cisco ASA 161
“Do I Know This Already?” Quiz 161
Foundation Topics 165
Basic Device Settings 165
Configuring Device Identity 165
Configuring Basic Authentication 166
Configuring DNS Resolution 168
Configuring DNS Server Groups 168
Verifying Basic Device Settings 168
Verifying DNS Resolution 170
File System Management 171
File System Management Using ASDM 171
File System Management Using the CLI 172
dir 172
more 173
copy 173
delete 173
rename 173
mkdir 174
cd 174
rmdir 174
fsck 175
pwd 175
format or erase 176
Managing Software and Feature Activation 176
Managing Cisco ASA Software and ASDM Images 177
Upgrading Files from a Local PC or Directly from Cisco.com 179
Considerations When Upgrading from OS Version 8.2 to 8.3 or Higher 181
License Management 182
Upgrading the Image and Activation Key at the Same Time 183
Cisco ASA Software and License Verification 183
Configuring Management Access 186
Overview of Basic Procedures 186
Configuring Remote Management Access 188
Configuring an Out-of-Band Management Interface 189
Configuring Remote Access Using Telnet 190
Configuring Remote Access Using SSH 192
Configuring Remote Access Using HTTPS 194
Creating a Permanent Self-Signed Certificate 194
Obtaining an Identity Certificate by PKI Enrollment 196
Deploying an Identity Certificate 197
Configuring Management Access Banners 199
Controlling Management Access with AAA 201
Creating Users in the Local Database 203
Using Simple Password-Only Authentication 205
Configuring AAA Access Using the Local Database 205
Configuring AAA Access Using Remote AAA Server(s) 208
Step 1: Create a AAA Server Group and Configure How Servers in the Group Are Accessed 208
Step 2: Populate the Server Group with Member Servers 209
Step 3: Enable User Authentication for Each Remote Management Access Channel 210
Configuring Cisco Secure ACS for Remote Authentication 211
Configuring AAA Command Authorization 214
Configuring Local AAA Command Authorization 215
Configuring Remote AAA Command Authorization 219
Configuring Remote AAA Accounting 222
Verifying AAA for Management Access 223
Configuring Monitoring Using SNMP 225
Troubleshooting Remote Management Access 230
Unlocking Locked and Disabled User Accounts 231
Cisco ASA Password Recovery 232
Performing Password Recovery 232
Enabling or Disabling Password Recovery 233
Exam Preparation Tasks 235
Review All Key Topics 235
Command Reference to Check Your Memory 235
Chapter 6 Recording ASA Activity 243
“Do I Know This Already?” Quiz 243
Foundation Topics 247
System Time 247
NTP 249
Verifying System Time Settings 251
Managing Event and Session Logging 252
NetFlow Support 254
Logging Message Format 254
Message Severity 255
Configuring Event and Session Logging 255
Configuring Global Logging Properties 256
Altering Settings of Specific Messages 258
Configuring Event Filters 261
Configuring Individual Event Destinations 262
Internal Buffer 262
ASDM 264
Syslog Server(s) 265
Email 267
NetFlow 269
Telnet or SSH Sessions 271
Verifying Event and Session Logging 271
Implementation Guidelines 272
Troubleshooting Event and Session Logging 273
Troubleshooting Commands 273
Exam Preparation Tasks 275
Review All Key Topics 275
Command Reference to Check Your Memory 275
Chapter 7 Using Address Translation 279
“Do I Know This Already?” Quiz 281
Foundation Topics 288
Understanding How NAT Works 288
Implementing NAT in ASA Software Versions 8.2 and Earlier 290
Enforcing NAT 290
Address Translation Deployment Options 291
NAT Versus PAT 292
Input Parameters 293
Deployment Choices 295
NAT Exemption 296
Configuring NAT Control 296
Configuring Dynamic Inside NAT 298
Configuring Dynamic Inside PAT 304
Configuring Dynamic Inside Policy NAT 308
Verifying Dynamic Inside NAT and PAT 311
Configuring Static Inside NAT 312
Configuring Network Static Inside NAT 315
Configuring Static Inside PAT 317
Configuring Static Inside Policy NAT 320
Verifying Static Inside NAT and PAT 323
Configuring No-Translation Rules 324
Configuring Dynamic Identity NAT 325
Configuring Static Identity NAT 326
Configuring NAT Bypass (NAT Exemption) 328
NAT Rule Priority 330
Configuring Outside NAT 330
Other NAT Considerations 333
DNS Rewrite (Also Known as DNS Doctoring) 333
Integrating NAT with ASA Access Control 335
Integrating NAT with MPF 336
Integrating NAT with AAA (Cut-Through Proxy) 337
Troubleshooting Address Translation 337
Improper Translation 337
Protocols Incompatible with NAT or PAT 337
Proxy ARP 338
NAT-Related Syslog Messages 338
Implementing NAT in ASA Software Versions 8.3 and Later 339
Major Differences in NAT Beginning in Software Version 8.3 339
Network Objects 339
NAT Control 340
Integrating NAT with Other ASA Functions 340
NAT “Direction” 340
NAT Rule Priority 340
New NAT Options in OS Versions 8.3 and Later 340
NAT Table 341
Configuring Auto (Object) NAT 343
Configuring Static Translations Using Auto NAT 344
Configuring Static Port Translations Using Auto NAT 349
Comparing Static NAT Configurations from OS Versions 8.2 and 8.3 351
Configuring Dynamic Translations Using Auto NAT 352
Using Object Groups in NAT Rules 357
Comparing Dynamic NAT Configurations from OS Versions 8.2 and 8.3 360
Verifying Auto (Object) NAT 361
Configuring Manual NAT 363
Examining the Syntax of the Manual NAT Command 368
Configuring a NAT Exemption Using Manual NAT 369
Configuring Twice NAT 370
Configuring Translations Using Manual NAT After Auto NAT 373
Configuring a Unidirectional Manual Static NAT Rule 376
Inserting a Manual NAT Rule in a Specific Location 377
Comparing Manual NAT Configurations from OS versions 8.2 and 8.3 378
When Not to Use NAT 380
Tuning NAT 380
Troubleshooting NAT 382
Improper Translation 382
Proxy ARP and Syslog Messages 384
Egress Interface Selection 384
Exam Preparation Tasks 385
Review All Key Topics 385
Define Key Terms 386
Command Reference to Check Your Memory 386
Chapter 8 Controlling Access Through the ASA 391
“Do I Know This Already?” Quiz 392
Foundation Topics 397
Understanding How Access Control Works 397
State Tables 397
Connection Table 398
TCP Connection Flags 401
Inside and Outside, Inbound and Outbound 403
Local Host Table 403
State Table Logging 405
Understanding Interface Access Rules 405
Stateful Filtering 406
Interface Access Rules and Interface Security Levels 408
Interface Access Rules Direction 408
Default Access Rules 410
The Global ACL 411
Configuring Interface Access Rules 412
Access Rule Logging 417
Configuring the Global ACL 421
Cisco ASDM Public Server Wizard 424
Configuring Access Control Lists from the CLI 425
Implementation Guidelines 426
Time-Based Access Rules 427
Configuring Time Ranges from the CLI 432
Verifying Interface Access Rules 432
Managing Rules in Cisco ASDM 434
Managing Access Rules from the CLI 437
Organizing Access Rules Using Object Groups 438
Verifying Object Groups 450
Configuring and Verifying Other Basic Access Controls 454
Shunning 455
Troubleshooting Basic Access Control 457
Examining Syslog Messages 457
Packet Capture 459
Packet Tracer 460
Suggested Approach to Access Control Troubleshooting 462
Exam Preparation Tasks 464
Review All Key Topics 464
Command Reference to Check Your Memory 465
Chapter 9 Inspecting Traffic 473
“Do I Know This Already?” Quiz 473
Foundation Topics 479
Understanding the Modular Policy Framework 479
Configuring the MPF 482
Configuring a Policy for Inspecting OSI Layers 3 and 4 484
Step 1: Define a Layers 3–4 Class Map 484
Step 2: Define a Layers 3–4 Policy Map 486
Step 3: Apply the Policy Map to the Appropriate Interfaces 490
Creating a Security Policy in ASDM 490
Tuning Basic Layers 3–4 Connection Limits 495
Inspecting TCP Parameters with the TCP Normalizer 499
Configuring ICMP Inspection 505
Configuring Dynamic Protocol Inspection 507
Configuring Custom Protocol Inspection 514
Configuring a Policy for Inspecting OSI Layers 5–7 517
Configuring HTTP Inspection 518
Configuring HTTP Inspection Policy Maps Using the CLI 519
Configuring HTTP Inspection Policy Maps Using ASDM 527
Configuring FTP Inspection 539
Configuring FTP Inspection Using the CLI 540
Configuring FTP Inspection Using ASDM 542
Configuring DNS Inspection 546
Creating and Applying a DNS Inspection Policy Map Using the CLI 546
Creating and Applying a DNS Inspection Policy Map Using ASDM 549
Configuring ESMTP Inspection 552
Configuring an ESMTP Inspection with the CLI 553
Configuring an ESMTP Inspection with ASDM 556
Configuring a Policy for ASA Management Traffic 559
Detecting and Filtering Botnet Traffic 561
Configuring Botnet Traffic Filtering with ASDM 564
Step 1: Configure the Dynamic Database 565
Step 2: Configure the Static Database 565
Step 3: Enable DNS Snooping 566
Step 4: Enable the Botnet Traffic Filter 566
Configuring Botnet Traffic Filtering with the CLI 568
Step 1: Configure the Dynamic Database 568
Step 2: Configure the Static Database 568
Step 3: Enable DNS Snooping 568
Step 4: Enable the Botnet Traffic Filter 569
Using Threat Detection 570
Configuring Threat Detection in ASDM 571
Step 1: Configure Basic Threat Detection 571
Step 2: Configure Advanced Threat Detection 571
Step 3: Configure Scanning Threat Detection 572
Configuring Threat Detection with the CLI 572
Step 1: Configure Basic Threat Detection 573
Step 2: Configure Advanced Threat Detection 576
Step 3: Configure Scanning Threat Detection 577
Exam Preparation Tasks 579
Review All Key Topics 579
Define Key Terms 580
Command Reference to Check Your Memory 580
Chapter 10 Using Proxy Services to Control Access 583
“Do I Know This Already?” Quiz 583
Foundation Topics 586
User-Based (Cut-Through) Proxy Overview 586
User Authentication 586
User Authentication and Access Control 587
Implementation Examples 587
AAA on the ASA 587
AAA Deployment Options 587
User-Based Proxy Preconfiguration Steps and Deployment Guidelines 588
User-Based Proxy Preconfiguration Steps 588
User-Based Proxy Deployment Guidelines 589
Direct HTTP Authentication with the Cisco ASA 589
HTTP Redirection 590
Virtual HTTP 590
Direct Telnet Authentication 590
Configuration Steps of User-Based Proxy 591
Configuring User Authentication 591
Configuring an AAA Group 591
Configuring an AAA Server 592
Configuring the Authentication Rules 593
Verifying User Authentication 595
Configuring HTTP Redirection 595
Configuring the Virtual HTTP Server 596
Configuring Direct Telnet 596
Configuring Authentication Prompts and Timeouts 596
Configuring Authentication Prompts 597
Configuring Authentication Timeouts 598
Configuring User Authorization 598
Per-User Override 599
Configuring Downloadable ACLs 600
Configuring Per-User Override 600
Verification 600
Configuring User Session Accounting 601
Configuring User Session Accounting 601
Verification 602
Troubleshooting Cut-Through Proxy Operations 602
A Structured Approach 602
System Messages 602
Using Proxy for IP Telephony and Unified TelePresence 603
Exam Preparation Tasks 604
Review All Key Topics 604
Define Key Terms 604
Command Reference to Check Your Memory 604
Chapter 11 Handling Traffic 607
“Do I Know This Already?” Quiz 607
Foundation Topics 610
Handling Fragmented Traffic 610
Prioritizing Traffic 612
Controlling Traffic Bandwidth 616
Configuring a Traffic Policer 618
Configuring Traffic Shaping 621
Exam Preparation Tasks 625
Review All Key Topics 625
Define Key Terms 625
Command Reference to Check Your Memory 625
Chapter 12 Using Transparent Firewall Mode 629
“Do I Know This Already?” Quiz 629
Foundation Topics 632
Firewall Mode Overview 632
Configuring Transparent Firewall Mode 635
Controlling Traffic in Transparent Firewall Mode 639
Using ARP Inspection 642
Disabling MAC Address Learning 645
Exam Preparation Tasks 648
Review All Key Topics 648
Define Key Terms 648
Command Reference to Check Your Memory 648
Chapter 13 Creating Virtual Firewalls on the ASA 651
“Do I Know This Already?” Quiz 651
Foundation Topics 654
Cisco ASA Virtualization Overview 654
A High-Level Examination of a Virtual Firewall’s Configuration 654
The System Configuration, System Context, and Other Security Contexts 655
Packet Classification 655
Virtual Firewall Deployment Guidelines 656
Deployment Choices 657
Deployment Guidelines 657
Limitations 658
Configuration Tasks Overview 658
Configuring Security Contexts 658
The Admin Context 659
Configuring Multiple Mode 659
Creating a Security Context 659
Verifying Security Contexts 661
Managing Security Contexts 661
Packet Classification Configuration 662
Changing the Admin Context 662
Editing and Removing Contexts 663
Configuring Resource Management 663
The Default Class 663
Creating a New Resource Class 663
Verifying Resource Management 665
Troubleshooting Security Contexts 665
Exam Preparation Tasks 667
Review All Key Topics 667
Define Key Terms 667
Command Reference to Check Your Memory 667
Chapter 14 Deploying High Availability Features 671
“Do I Know This Already?” Quiz 671
Foundation Topics 675
ASA Failover Overview 675
Failover Roles 675
Detecting an ASA Failure 681
Configuring Active-Standby Failover Mode 683
Configuring Active-Standby Failover with the ASDM Wizard 683
Configuring Active-Standby Failover Manually in ASDM 687
Configuring Active-Standby Failover with the CLI 689
Step 1: Configure the Primary Failover Unit 689
Step 2: Configure Failover on the Secondary Device 690
Configuring Active-Active Failover Mode 692
Configuring Active-Active Failover in ASDM 692
Configuring Active-Active Failover with the CLI 696
Step 1: Configure the Primary ASA Unit 696
Step 2: Configure the Secondary ASA Unit 697
Tuning Failover Operation 701
Configuring Failover Timers 701
Configuring Failover Health Monitoring 702
Detecting Asymmetric Routing 703
Administering Failover 705
Verifying Failover Operation 706
Leveraging Failover for a Zero Downtime Upgrade 708
Exam Preparation Tasks 710
Review All Key Topics 710
Define Key Terms 710
Command Reference to Check Your Memory 710
Chapter 15 Integrating ASA Service Modules 715
“Do I Know This Already?” Quiz 715
Foundation Topics 718
Cisco ASA Security Services Modules Overview 718
Module Components 718
General Deployment Guidelines 719
Overview of the Cisco ASA Content Security and Control SSM 719
Cisco Content Security and Control SSM Licensing 720
Overview of the Cisco ASA Advanced Inspection and Prevention SSM and SSC 720
Inline Operation 720
Promiscuous Operation 721
Supported Cisco IPS Software Features 721
Installing the ASA AIP-SSM and AIP-SSC 721
The Cisco AIP-SSM and AIP-SSC Ethernet Connections 722
Failure Management Modes 722
Managing Basic Features 722
Initializing the AIP-SSM and AIP-SSC 723
Configuring the AIP-SSM and AIP-SSC 723
Integrating the ASA CSC-SSM 724
Installing the CSC-SSM 724
Ethernet Connections 724
Managing the Basic Features 724
Initializing the Cisco CSC-SSM 725
Configuring the CSC-SSM 725
Exam Preparation Tasks 726
Review All Key Topics 726
Define Key Terms 726
Command Reference to Check Your Memory 726
Chapter 16 Traffic Analysis Tools 729
“Do I Know This Already?” Quiz 729
Foundation Topics 733
Testing Network Connectivity 733
Using Packet Tracer 737
Using Packet Capture 742
Using the Packet Capture Wizard in ASDM 742
Capturing Packets from the CLI 746
Controlling a Capture Session 751
Copying Capture Buffer Contents 751
Capturing Dropped Packets 752
Combining Packet Tracer and Packet Capture 760
Summary 761
Exam Preparation Tasks 762
Review All Key Topics 762
Command Reference to Check Your Memory 762
Chapter 17 Final Preparation 765
Tools for Final Preparation 765
Pearson Cert Practice Test Engine and Questions on the CD 765
Install the Software from the CD 766
Activate and Download the Practice Exam 766
Activating Other Exams 767
Premium Edition 767
Cisco Learning Network 767
Chapter-Ending Review Tools 767
Suggested Plan for Final Review/Study 768
Using the Exam Engine 768
Summary 769
Appendix A Answers to the “Do I Know This Already?” Quizzes 771
Appendix B CCNP Security 642-618 FIREWALL Exam Updates: Version 1.0 777
Glossary of Key Terms 779
9781587142710, TOC, 4/25/2012