CCNP Security FIREWALL 642-618 Official Cert Guide

Trust the best selling Official Cert Guide series from Cisco Press to help you learn, prepare, and practice for exam success. They are built with the objective of providing assessment, review, and practice to help ensure you are fully prepared for your certification exam.   Master Cisco CCNP Security FIREWALL 642-618 exam topics Assess your knowledge with chapter-opening quizzes Review key concepts with exam preparation tasks This is the eBook edition of the CCNP Security FIREWALL 642-618 Official Cert Guide.  This eBook does not include the companion CD-ROM with practice exam that comes with the print edition.   CCNP Security FIREWALL 642-618 Official Cert Guide presents you with an organized test preparation routine through the use of proven series elements and techniques. “Do I Know This Already?” quizzes open each chapter and enable you to decide how much time you need to spend on each section. Exam topic lists make referencing easy. Chapter-ending Exam Preparation Tasks help you drill on key concepts you must know thoroughly. CCNP Security FIREWALL 642-618 Official Cert Guide, focuses specifically on the objectives for the Cisco CCNP Security FIREWALL exam. Expert networking consultants Dave Hucaby, Dave Garneau, and Anthony Sequeira share preparation hints and test-taking tips, helping you identify areas of weakness and improve both your conceptual knowledge and hands-on skills. Material is presented in a concise manner, focusing on increasing your understanding and retention of exam topics. Well-regarded for its level of detail, assessment features, comprehensive design scenarios, and challenging review questions and exercises, this official study guide helps you master the concepts and techniques that will enable you to succeed on the exam the first time.   The official study guide helps you master all the topics on the CCNP Security FIREWALL exam, including: ASA interfaces IP connectivity ASA management Recording ASA activity Address translation Access control Proxy services Traffic inspection and handling Transparent firewall mode Virtual firewalls High availability ASA service modules CCNP Security FIREWALL 642-618 Official Cert Guide is part of a recommended learning path from Cisco that includes simulation and hands-on training from authorized Cisco Learning Partners and self-study products from Cisco Press. To find out more about instructor-led training, e-learning, and hands-on instruction offered by authorized Cisco Learning Partners worldwide, please visit www.cisco.com/go/authorizedtraining.

Table of Contents:
    Introduction xxv Chapter 1 Cisco ASA Adaptive Security Appliance Overview 3     “Do I Know This Already?” Quiz 3     Foundation Topics 7     Firewall Overview 7     Firewall Techniques 11         Stateless Packet Filtering 11         Stateful Packet Filtering 12         Stateful Packet Filtering with Application Inspection and Control 12         Network Intrusion Prevention System 13         Network Behavior Analysis 14         Application Layer Gateway (Proxy) 14     Cisco ASA Features 15     Selecting a Cisco ASA Model 18         ASA 5505 18         ASA 5510, 5520, and 5540 19         ASA 5550 20         ASA 5580 21         Security Services Modules 22         Advanced Inspection and Prevention (AIP) SSM 22         Content Security and Control (CSC) SSM 23         4-port Gigabit Ethernet (4GE) SSM 24         ASA 5585-X 24         ASA Performance Breakdown 25     Selecting ASA Licenses 29     ASA Memory Requirements 31     Exam Preparation Tasks 33     Review All Key Topics 33     Define Key Terms 33 Chapter 2 Working with a Cisco ASA 35     “Do I Know This Already?” Quiz 35     Foundation Topics 40     Using the CLI 40         Entering Commands 41         Command Help 43         Searching and Filtering Command Output 45         Command History 45         Terminal Screen Format 47     Using Cisco ASDM 47     Understanding the Factory Default Configuration 52     Working with Configuration Files 54         Clearing an ASA Configuration 57     Working with the ASA File System 58         Navigating an ASA Flash File System 59         Working with Files in an ASA File System 60     Reloading an ASA 63         Upgrading the ASA Software at the Next Reload 65         Performing a Reload 66         Manually Upgrading the ASA Software During a Reload 67     Exam Preparation Tasks 71     Review All Key Topics 71     Define Key Terms 71     Command Reference to Check Your Memory 71 Chapter 3 Configuring ASA Interfaces 75     “Do I Know This Already?” Quiz 75     Foundation Topics 80     Configuring Physical Interfaces 80         Default Interface Configuration 82         Configuring Physical Interface Parameters 83         Mapping ASA 5505 Interfaces to VLANs 84         Configuring Interface Redundancy 84         Configuring an EtherChannel 87     Configuring VLAN Interfaces 95         VLAN Interfaces and Trunks on ASA 5510 and Higher Platforms 95         VLAN Interfaces and Trunks on an ASA 5505 97     Configuring Interface Security Parameters 98         Naming the Interface 98         Assigning an IP Address 99         Setting the Security Level 100         Interface Security Parameters Example 103     Configuring the Interface MTU 104     Verifying Interface Operation 107     Exam Preparation Tasks 109     Review All Key Topics 109     Define Key Terms 109     Command Reference to Check Your Memory 109 Chapter 4 Configuring IP Connectivity 113     “Do I Know This Already?” Quiz 113     Foundation Topics 117     Deploying DHCP Services 117         Configuring a DHCP Relay 117         Configuring a DHCP Server 119     Using Routing Information 122     Configuring Static Routing 124         Tracking a Static Route 126     Routing with RIPv2 132     Routing with EIGRP 135     Routing with OSPF 142         An Example OSPF Scenario 142     Verifying the ASA Routing Table 151     Exam Preparation Tasks 154     Review All Key Topics 154     Define Key Terms 154     Command Reference to Check Your Memory 154 Chapter 5 Managing a Cisco ASA 161     “Do I Know This Already?” Quiz 161     Foundation Topics 165     Basic Device Settings 165         Configuring Device Identity 165         Configuring Basic Authentication 166     Configuring DNS Resolution 168         Configuring DNS Server Groups 168         Verifying Basic Device Settings 168         Verifying DNS Resolution 170     File System Management 171         File System Management Using ASDM 171         File System Management Using the CLI 172         dir 172         more 173         copy 173         delete 173         rename 173         mkdir 174         cd 174         rmdir 174         fsck 175         pwd 175         format or erase 176     Managing Software and Feature Activation 176         Managing Cisco ASA Software and ASDM Images 177         Upgrading Files from a Local PC or Directly from Cisco.com 179         Considerations When Upgrading from OS Version 8.2 to 8.3 or Higher 181         License Management 182         Upgrading the Image and Activation Key at the Same Time 183         Cisco ASA Software and License Verification 183     Configuring Management Access 186         Overview of Basic Procedures 186         Configuring Remote Management Access 188         Configuring an Out-of-Band Management Interface 189         Configuring Remote Access Using Telnet 190         Configuring Remote Access Using SSH 192         Configuring Remote Access Using HTTPS 194         Creating a Permanent Self-Signed Certificate 194         Obtaining an Identity Certificate by PKI Enrollment 196         Deploying an Identity Certificate 197         Configuring Management Access Banners 199     Controlling Management Access with AAA 201         Creating Users in the Local Database 203         Using Simple Password-Only Authentication 205         Configuring AAA Access Using the Local Database 205         Configuring AAA Access Using Remote AAA Server(s) 208         Step 1: Create a AAA Server Group and Configure How Servers in the Group Are Accessed 208         Step 2: Populate the Server Group with Member Servers 209         Step 3: Enable User Authentication for Each Remote Management Access Channel 210         Configuring Cisco Secure ACS for Remote Authentication 211         Configuring AAA Command Authorization 214         Configuring Local AAA Command Authorization 215         Configuring Remote AAA Command Authorization 219         Configuring Remote AAA Accounting 222         Verifying AAA for Management Access 223     Configuring Monitoring Using SNMP 225     Troubleshooting Remote Management Access 230         Unlocking Locked and Disabled User Accounts 231     Cisco ASA Password Recovery 232         Performing Password Recovery 232         Enabling or Disabling Password Recovery 233     Exam Preparation Tasks 235     Review All Key Topics 235     Command Reference to Check Your Memory 235 Chapter 6 Recording ASA Activity 243     “Do I Know This Already?” Quiz 243     Foundation Topics 247     System Time 247         NTP 249         Verifying System Time Settings 251     Managing Event and Session Logging 252         NetFlow Support 254         Logging Message Format 254         Message Severity 255     Configuring Event and Session Logging 255         Configuring Global Logging Properties 256         Altering Settings of Specific Messages 258         Configuring Event Filters 261         Configuring Individual Event Destinations 262         Internal Buffer 262         ASDM 264         Syslog Server(s) 265         Email 267         NetFlow 269         Telnet or SSH Sessions 271     Verifying Event and Session Logging 271         Implementation Guidelines 272     Troubleshooting Event and Session Logging 273         Troubleshooting Commands 273     Exam Preparation Tasks 275     Review All Key Topics 275     Command Reference to Check Your Memory 275 Chapter 7 Using Address Translation 279     “Do I Know This Already?” Quiz 281     Foundation Topics 288     Understanding How NAT Works 288     Implementing NAT in ASA Software Versions 8.2 and Earlier 290         Enforcing NAT 290         Address Translation Deployment Options 291         NAT Versus PAT 292         Input Parameters 293         Deployment Choices 295         NAT Exemption 296         Configuring NAT Control 296         Configuring Dynamic Inside NAT 298         Configuring Dynamic Inside PAT 304         Configuring Dynamic Inside Policy NAT 308         Verifying Dynamic Inside NAT and PAT 311         Configuring Static Inside NAT 312         Configuring Network Static Inside NAT 315         Configuring Static Inside PAT 317         Configuring Static Inside Policy NAT 320         Verifying Static Inside NAT and PAT 323         Configuring No-Translation Rules 324         Configuring Dynamic Identity NAT 325         Configuring Static Identity NAT 326         Configuring NAT Bypass (NAT Exemption) 328         NAT Rule Priority 330         Configuring Outside NAT 330         Other NAT Considerations 333         DNS Rewrite (Also Known as DNS Doctoring) 333         Integrating NAT with ASA Access Control 335         Integrating NAT with MPF 336         Integrating NAT with AAA (Cut-Through Proxy) 337         Troubleshooting Address Translation 337         Improper Translation 337         Protocols Incompatible with NAT or PAT 337         Proxy ARP 338         NAT-Related Syslog Messages 338     Implementing NAT in ASA Software Versions 8.3 and Later 339         Major Differences in NAT Beginning in Software Version 8.3 339         Network Objects 339         NAT Control 340         Integrating NAT with Other ASA Functions 340         NAT “Direction” 340         NAT Rule Priority 340         New NAT Options in OS Versions 8.3 and Later 340         NAT Table 341         Configuring Auto (Object) NAT 343         Configuring Static Translations Using Auto NAT 344         Configuring Static Port Translations Using Auto NAT 349         Comparing Static NAT Configurations from OS Versions 8.2 and 8.3 351         Configuring Dynamic Translations Using Auto NAT 352         Using Object Groups in NAT Rules 357         Comparing Dynamic NAT Configurations from OS Versions 8.2 and 8.3 360         Verifying Auto (Object) NAT 361         Configuring Manual NAT 363         Examining the Syntax of the Manual NAT Command 368         Configuring a NAT Exemption Using Manual NAT 369         Configuring Twice NAT 370         Configuring Translations Using Manual NAT After Auto NAT 373         Configuring a Unidirectional Manual Static NAT Rule 376         Inserting a Manual NAT Rule in a Specific Location 377         Comparing Manual NAT Configurations from OS versions 8.2 and 8.3 378         When Not to Use NAT 380         Tuning NAT 380         Troubleshooting NAT 382         Improper Translation 382         Proxy ARP and Syslog Messages 384         Egress Interface Selection 384     Exam Preparation Tasks 385     Review All Key Topics 385     Define Key Terms 386     Command Reference to Check Your Memory 386 Chapter 8 Controlling Access Through the ASA 391     “Do I Know This Already?” Quiz 392     Foundation Topics 397     Understanding How Access Control Works 397     State Tables 397         Connection Table 398         TCP Connection Flags 401         Inside and Outside, Inbound and Outbound 403         Local Host Table 403         State Table Logging 405     Understanding Interface Access Rules 405         Stateful Filtering 406         Interface Access Rules and Interface Security Levels 408         Interface Access Rules Direction 408     Default Access Rules 410     The Global ACL 411     Configuring Interface Access Rules 412         Access Rule Logging 417         Configuring the Global ACL 421         Cisco ASDM Public Server Wizard 424         Configuring Access Control Lists from the CLI 425         Implementation Guidelines 426     Time-Based Access Rules 427         Configuring Time Ranges from the CLI 432     Verifying Interface Access Rules 432         Managing Rules in Cisco ASDM 434         Managing Access Rules from the CLI 437     Organizing Access Rules Using Object Groups 438     Verifying Object Groups 450     Configuring and Verifying Other Basic Access Controls 454         Shunning 455     Troubleshooting Basic Access Control 457         Examining Syslog Messages 457         Packet Capture 459         Packet Tracer 460         Suggested Approach to Access Control Troubleshooting 462     Exam Preparation Tasks 464     Review All Key Topics 464     Command Reference to Check Your Memory 465 Chapter 9 Inspecting Traffic 473     “Do I Know This Already?” Quiz 473     Foundation Topics 479     Understanding the Modular Policy Framework 479     Configuring the MPF 482     Configuring a Policy for Inspecting OSI Layers 3 and 4 484         Step 1: Define a Layers 3–4 Class Map 484         Step 2: Define a Layers 3–4 Policy Map 486         Step 3: Apply the Policy Map to the Appropriate Interfaces 490         Creating a Security Policy in ASDM 490         Tuning Basic Layers 3–4 Connection Limits 495         Inspecting TCP Parameters with the TCP Normalizer 499         Configuring ICMP Inspection 505     Configuring Dynamic Protocol Inspection 507         Configuring Custom Protocol Inspection 514     Configuring a Policy for Inspecting OSI Layers 5–7 517         Configuring HTTP Inspection 518         Configuring HTTP Inspection Policy Maps Using the CLI 519         Configuring HTTP Inspection Policy Maps         Using ASDM 527         Configuring FTP Inspection 539         Configuring FTP Inspection Using the CLI 540         Configuring FTP Inspection Using ASDM 542         Configuring DNS Inspection 546         Creating and Applying a DNS Inspection Policy Map Using the CLI 546         Creating and Applying a DNS Inspection Policy Map         Using ASDM 549         Configuring ESMTP Inspection 552         Configuring an ESMTP Inspection with the CLI 553         Configuring an ESMTP Inspection with ASDM 556         Configuring a Policy for ASA Management Traffic 559     Detecting and Filtering Botnet Traffic 561         Configuring Botnet Traffic Filtering with ASDM 564         Step 1: Configure the Dynamic Database 565         Step 2: Configure the Static Database 565         Step 3: Enable DNS Snooping 566         Step 4: Enable the Botnet Traffic Filter 566         Configuring Botnet Traffic Filtering with the CLI 568         Step 1: Configure the Dynamic Database 568         Step 2: Configure the Static Database 568         Step 3: Enable DNS Snooping 568         Step 4: Enable the Botnet Traffic Filter 569     Using Threat Detection 570         Configuring Threat Detection in ASDM 571         Step 1: Configure Basic Threat Detection 571         Step 2: Configure Advanced Threat Detection 571         Step 3: Configure Scanning Threat Detection 572         Configuring Threat Detection with the CLI 572         Step 1: Configure Basic Threat Detection 573         Step 2: Configure Advanced Threat Detection 576         Step 3: Configure Scanning Threat Detection 577     Exam Preparation Tasks 579     Review All Key Topics 579     Define Key Terms 580     Command Reference to Check Your Memory 580 Chapter 10 Using Proxy Services to Control Access 583     “Do I Know This Already?” Quiz 583     Foundation Topics 586     User-Based (Cut-Through) Proxy Overview 586         User Authentication 586         User Authentication and Access Control 587         Implementation Examples 587     AAA on the ASA 587         AAA Deployment Options 587     User-Based Proxy Preconfiguration Steps and Deployment Guidelines 588         User-Based Proxy Preconfiguration Steps 588         User-Based Proxy Deployment Guidelines 589     Direct HTTP Authentication with the Cisco ASA 589         HTTP Redirection 590         Virtual HTTP 590     Direct Telnet Authentication 590     Configuration Steps of User-Based Proxy 591     Configuring User Authentication 591         Configuring an AAA Group 591         Configuring an AAA Server 592         Configuring the Authentication Rules 593         Verifying User Authentication 595         Configuring HTTP Redirection 595         Configuring the Virtual HTTP Server 596         Configuring Direct Telnet 596     Configuring Authentication Prompts and Timeouts 596         Configuring Authentication Prompts 597         Configuring Authentication Timeouts 598     Configuring User Authorization 598         Per-User Override 599         Configuring Downloadable ACLs 600         Configuring Per-User Override 600         Verification 600     Configuring User Session Accounting 601         Configuring User Session Accounting 601         Verification 602     Troubleshooting Cut-Through Proxy Operations 602         A Structured Approach 602         System Messages 602     Using Proxy for IP Telephony and Unified TelePresence 603     Exam Preparation Tasks 604     Review All Key Topics 604     Define Key Terms 604     Command Reference to Check Your Memory 604 Chapter 11 Handling Traffic 607     “Do I Know This Already?” Quiz 607     Foundation Topics 610     Handling Fragmented Traffic 610     Prioritizing Traffic 612     Controlling Traffic Bandwidth 616         Configuring a Traffic Policer 618         Configuring Traffic Shaping 621     Exam Preparation Tasks 625     Review All Key Topics 625     Define Key Terms 625     Command Reference to Check Your Memory 625 Chapter 12 Using Transparent Firewall Mode 629     “Do I Know This Already?” Quiz 629     Foundation Topics 632     Firewall Mode Overview 632     Configuring Transparent Firewall Mode 635     Controlling Traffic in Transparent Firewall Mode 639     Using ARP Inspection 642     Disabling MAC Address Learning 645     Exam Preparation Tasks 648     Review All Key Topics 648     Define Key Terms 648     Command Reference to Check Your Memory 648 Chapter 13 Creating Virtual Firewalls on the ASA 651     “Do I Know This Already?” Quiz 651     Foundation Topics 654     Cisco ASA Virtualization Overview 654         A High-Level Examination of a Virtual Firewall’s Configuration 654         The System Configuration, System Context, and Other Security Contexts 655         Packet Classification 655     Virtual Firewall Deployment Guidelines 656         Deployment Choices 657         Deployment Guidelines 657         Limitations 658     Configuration Tasks Overview 658     Configuring Security Contexts 658         The Admin Context 659         Configuring Multiple Mode 659         Creating a Security Context 659     Verifying Security Contexts 661     Managing Security Contexts 661         Packet Classification Configuration 662         Changing the Admin Context 662         Editing and Removing Contexts 663     Configuring Resource Management 663         The Default Class 663         Creating a New Resource Class 663     Verifying Resource Management 665     Troubleshooting Security Contexts 665     Exam Preparation Tasks 667     Review All Key Topics 667     Define Key Terms 667     Command Reference to Check Your Memory 667 Chapter 14 Deploying High Availability Features 671     “Do I Know This Already?” Quiz 671     Foundation Topics 675     ASA Failover Overview 675         Failover Roles 675         Detecting an ASA Failure 681     Configuring Active-Standby Failover Mode 683         Configuring Active-Standby Failover with the ASDM Wizard 683         Configuring Active-Standby Failover Manually in ASDM 687         Configuring Active-Standby Failover with the CLI 689         Step 1: Configure the Primary Failover Unit 689         Step 2: Configure Failover on the Secondary Device 690     Configuring Active-Active Failover Mode 692         Configuring Active-Active Failover in ASDM 692         Configuring Active-Active Failover with the CLI 696         Step 1: Configure the Primary ASA Unit 696         Step 2: Configure the Secondary ASA Unit 697     Tuning Failover Operation 701         Configuring Failover Timers 701         Configuring Failover Health Monitoring 702         Detecting Asymmetric Routing 703         Administering Failover 705     Verifying Failover Operation 706     Leveraging Failover for a Zero Downtime Upgrade 708     Exam Preparation Tasks 710     Review All Key Topics 710     Define Key Terms 710     Command Reference to Check Your Memory 710 Chapter 15 Integrating ASA Service Modules 715     “Do I Know This Already?” Quiz 715     Foundation Topics 718     Cisco ASA Security Services Modules Overview 718         Module Components 718         General Deployment Guidelines 719         Overview of the Cisco ASA Content Security and Control SSM 719         Cisco Content Security and Control SSM Licensing 720         Overview of the Cisco ASA Advanced Inspection and Prevention SSM and SSC 720         Inline Operation 720         Promiscuous Operation 721         Supported Cisco IPS Software Features 721     Installing the ASA AIP-SSM and AIP-SSC 721         The Cisco AIP-SSM and AIP-SSC Ethernet Connections 722         Failure Management Modes 722         Managing Basic Features 722         Initializing the AIP-SSM and AIP-SSC 723         Configuring the AIP-SSM and AIP-SSC 723     Integrating the ASA CSC-SSM 724         Installing the CSC-SSM 724         Ethernet Connections 724         Managing the Basic Features 724         Initializing the Cisco CSC-SSM 725         Configuring the CSC-SSM 725     Exam Preparation Tasks 726     Review All Key Topics 726     Define Key Terms 726     Command Reference to Check Your Memory 726 Chapter 16 Traffic Analysis Tools 729     “Do I Know This Already?” Quiz 729     Foundation Topics 733     Testing Network Connectivity 733     Using Packet Tracer 737     Using Packet Capture 742         Using the Packet Capture Wizard in ASDM 742         Capturing Packets from the CLI 746         Controlling a Capture Session 751     Copying Capture Buffer Contents 751         Capturing Dropped Packets 752         Combining Packet Tracer and Packet Capture 760     Summary 761     Exam Preparation Tasks 762     Review All Key Topics 762     Command Reference to Check Your Memory 762 Chapter 17 Final Preparation 765     Tools for Final Preparation 765         Pearson Cert Practice Test Engine and Questions on the CD 765         Install the Software from the CD 766         Activate and Download the Practice Exam 766         Activating Other Exams 767         Premium Edition 767         Cisco Learning Network 767         Chapter-Ending Review Tools 767     Suggested Plan for Final Review/Study 768         Using the Exam Engine 768     Summary 769 Appendix A Answers to the “Do I Know This Already?” Quizzes 771 Appendix B CCNP Security 642-618 FIREWALL Exam Updates: Version 1.0 777 Glossary of Key Terms 779 9781587142710, TOC, 4/25/2012  

About the Author :
David Hucaby, CCIE No. 4594, is a network architect for the University of Kentucky, where he works with healthcare networks based on the Cisco Catalyst, ASA, FWSM, and Unified Wireless product lines. David has a bachelor of science degree and master of science degree in electrical engineering from the University of Kentucky. He is the author of several Cisco Press titles, including Cisco ASA, PIX, and FWSM Firewall Handbook, Second Edition; Cisco Firewall Video Mentor; Cisco LAN Switching Video Mentor; and CCNP SWITCH Exam Certification Guide. David lives in Kentucky with his wife, Marci, and two daughters.   Dave Garneau is a senior member of the Network Security team at Rackspace Hosting, Inc. Before that, he was the principal consultant and senior technical instructor at The Radix Group, Ltd. In that role, Dave trained more than 3,000 students in nine countries on Cisco technologies, mostly focusing on the Cisco security products line, and worked closely with Cisco in establishing the new Cisco Certified Network Professional Security (CCNP Security) curriculum. Dave has a bachelor of science degree in mathematics from Metropolitan State College of Denver. Dave lives in San Antonio, Texas, with his wife, Vicki, and their two brand new baby girls, Elise and Lauren.   Anthony Sequeira, CCIE No. 15626, is a Cisco Certified Systems Instructor (CCSI) and author regarding all levels and tracks of Cisco Certification. Anthony formally began his career in the information technology industry in 1994 with IBM in Tampa, Florida. He quickly formed his own computer consultancy, Computer Solutions, and then discovered his true passion—teaching and writing about Microsoft and Cisco technologies. Anthony joined Mastering Computers in 1996 and lectured to massive audiences around the world about the latest in computer technologies. Mastering Computers became the revolutionary online training company, KnowledgeNet, and Anthony trained there for many years. Anthony is currently pursuing his second CCIE in the area of Security and is a full-time instructor for the next-generation of KnowledgeNet, StormWind Live. Anthony is also a VMware Certified Professional.