larger cover

Add To My Wish List

CCNP Security FIREWALL 642-617 Official Cert Guide, Rough Cuts

Rough Cuts

  • Available to Safari Subscribers
  • About Rough Cuts
  • Rough Cuts are manuscripts that are developed but not yet published, available through Safari. Rough Cuts provide you access to the very latest information on a given topic and offer you the opportunity to interact with the author to influence the final publication.

Not for Sale
  • Description
  • Sample Content
  • Updates
  • Copyright 2012
  • Dimensions: 7-3/8" x 9-1/8"
  • Pages: 704
  • Edition: 1st
  • Rough Cuts
  • ISBN-10: 0-13-237864-7
  • ISBN-13: 978-0-13-237864-2

This is the Rough Cut version of the printed book.

CCNP Security FIREWALL 642-617

Official Cert Guide

David Hucaby, CCIE® No. 4594

Dave Garneau

Anthony Sequeira, CCIE No. 15626

Learn, prepare, and practice for exam success

  • Master CCNP Security FIREWALL 642-617 exam topics
  • Assess your knowledge with chapter-opening quizzes
  • Review key concepts with exam preparation tasks
  • Practice with realistic exam questions on the CD-ROM

CCNP Security FIREWALL 642-617 Official Cert Guide is a best of breed Cisco exam study guide that focuses specifically on the objectives for the CCNP Security FIREWALL exam. Senior security consultants and instructors David Hucaby, Dave Garneau, and Anthony Sequeira share preparation hints and test-taking tips, helping you identify areas of weakness and improve both your conceptual knowledge and hands-on skills. Material is presented in a concise manner, focusing on increasing your understanding and retention of exam topics.

CCNP Security FIREWALL 642-617 Official Cert Guide presents you with an organized test-preparation routine through the use of proven series elements and techniques. “Do I Know This Already?” quizzes open each chapter and enable you to decide how much time you need to spend on each section. Exam topic lists make referencing easy. Chapter-ending Exam Preparation Tasks help you drill on key concepts you must know thoroughly.

The companion CD-ROM contains the powerful Pearson IT Certification Practice Test engine that enables you to focus on individual topic areas or take a complete, timed exam. The assessment engine also tracks your performance and provides feedback on a module-by-module basis, laying out a complete assessment of your knowledge to help you focus your study where it is needed most.

Well-regarded for its level of detail, assessment features, and challenging review questions and exercises, this official study guide helps you master the concepts and techniques that will enable you to succeed on the exam the first time.

CCNP Security FIREWALL 642-617 Official Cert Guide is part of a recommended learning path from Cisco that includes simulation and hands-on training from authorized Cisco Learning Partners and self-study products from Cisco Press. To find out more about instructor-led training, e-learning, and hands-on instruction offered by authorized Cisco Learning Partners worldwide, please visit

The official study guide helps you master all the topics on the CCNP Security FIREWALL exam, including

  • ASA interfaces
  • IP connectivity
  • ASA management
  • Recording ASA activity
  • Address translation
  • Access control
  • Proxy services
  • Traffic inspection and handling
  • Transparent firewall mode
  • Virtual firewalls
  • High availability
  • ASA service modules

Companion CD-ROM

The CD-ROM contains a free, complete practice exam.

Includes Exclusive Offer for 70% Off Premium Edition eBook and Practice Test

Pearson IT Certification Practice Test minimum system requirements:

Windows XP (SP3), Windows Vista (SP2), or Windows 7; Microsoft .NET Framework 4.0 Client; Microsoft SQL Server Compact 4.0; Pentium class 1GHz processor (or equivalent); 512 MB RAM; 650 MB disc space plus 50 MB for each downloaded practice exam

This volume is part of the Official Cert Guide Series from Cisco Press. Books in this series provide officially developed exam preparation materials that offer assessment, review, and practice to help Cisco Career Certification candidates identify weaknesses, concentrate their study efforts, and enhance their confidence as exam day nears.

Category: Cisco Press—Cisco Certification

Covers: CCNP Security FIREWALL 642-617

Table of Contents

Introduction xxiii

Chapter 1 Cisco ASA Adaptive Security Appliance Overview 3

“Do I Know This Already?” Quiz 3

Foundation Topics 7

Firewall Overview 7

Firewall Techniques 11

    Stateless Packet Filtering 11

    Stateful Packet Filtering 12

    Stateful Packet Filtering with Application Inspection and Control 12

    Network Intrusion Prevention System 13

    Network Behavior Analysis 14

    Application Layer Gateway (Proxy) 14

Cisco ASA Features 15

Selecting a Cisco ASA Model 18

    ASA 5505 18

    ASA 5510, 5520, and 5540 19

    ASA 5550 20

    ASA 5580 21

    Security Services Modules 22

        Advanced Inspection and Prevention (AIP) SSM 22

        Content Security and Control (CSC) SSM 23

        4-Port Gigabit Ethernet (4GE) SSM 24

    ASA 5585-X 24

    ASA Performance Breakdown 25

Selecting ASA Licenses 28

Exam Preparation Tasks 31

    Review All Key Topics 31

    Define Key Terms 31

Chapter 2 Working with a Cisco ASA 33

“Do I Know This Already?” Quiz 33

Foundation Topics 38

Using the CLI 38

    Entering Commands 39

    Command Help 41

    Command History 43

    Searching and Filtering Command Output 43

    Terminal Screen Format 45

Using Cisco ASDM 45

Understanding the Factory Default Configuration 50

Working with Configuration Files 52

    Clearing an ASA Configuration 55

Working with the ASA File System 56

    Navigating an ASA Flash File System 57

    Working with Files in an ASA File System 58

Reloading an ASA 61

    Upgrading the ASA Software at the Next Reload 63

    Performing a Reload 64

    Manually Upgrading the ASA Software During a Reload 65

Exam Preparation Tasks 69

    Review All Key Topics 69

    Define Key Terms 69

    Command Reference to Check Your Memory 69

Chapter 3 Configuring ASA Interfaces 73

“Do I Know This Already?” Quiz 73

Foundation Topics 77

Configuring Physical Interfaces 77

    Default Interface Configuration 78

    Configuring Physical Interface Parameters 80

    Mapping ASA 5505 Interfaces to VLANs 80

    Configuring Interface Redundancy 81

Configuring VLAN Interfaces 83

    VLAN Interfaces and Trunks on ASA 5510 and Higher Platforms 84

    VLAN Interfaces and Trunks on an ASA 5505 86

Configuring Interface Security Parameters 88

    Naming the Interface 88

    Assigning an IP Address 89

    Setting the Security Level 90

    Interface Security Parameters Example 94

Configuring the Interface MTU 94

Verifying Interface Operation 96

Exam Preparation Tasks 99

    Review All Key Topics 99

    Define Key Terms 99

    Command Reference to Check Your Memory 99

Chapter 4 Configuring IP Connectivity 103

“Do I Know This Already?” Quiz 103

Foundation Topics 107

Deploying DHCP Services 107

    Configuring a DHCP Relay 107

    Configuring a DHCP Server 108

Using Routing Information 111

Configuring Static Routing 115

    Tracking a Static Route 117

Routing with RIPv2 122

Routing with EIGRP 125

Routing with OSPF 134

    An Example OSPF Scenario 140

Verifying the ASA Routing Table 144

Exam Preparation Tasks 147

    Review All Key Topics 147

    Define Key Terms 147

    Command Reference to Check Your Memory 148

Chapter 5 Managing a Cisco ASA 155

“Do I Know This Already?” Quiz 155

Foundation Topics 159

Basic Device Settings 159

    Configuring Device Identity 159

    Configuring Basic Authentication 160

    Verifying Basic Device Settings 162

Configuring Name-to-Address Mappings 162

    Configuring Local Name-to-Address Mappings 162

    Configuring DNS Server Groups 164

    Verifying Name-to-Address Mappings 166

File System Management 166

    File System Management Using ASDM 166

    File System Management Using the CLI 167

        dir 168

        more 168

        copy 168

        delete 168

        rename 168

        mkdir 169

        rmdir 169

        cd 170

        pwd 170

        fsck 170

        format or erase 171

Managing Software and Feature Activation 171

    Managing Cisco ASA Software and ASDM Images 171

    Upgrading Files from a Local PC or Directly from 173

    License Management 175

    Upgrading the Image and Activation Key at the Same Time 176

    Cisco ASA Software and License Verification 176

Configuring Management Access 179

    Overview of Basic Procedures 179

    Configuring Remote Management Access 181

        Configuring an Out-of-Band Management Interface 182

    Configuring Remote Access Using Telnet 182

    Configuring Remote Access Using SSH 185

    Configuring Remote Access Using HTTPS 187

        Creating a Permanent Self-Signed Certificate 187

        Obtaining an Identity Certificate by PKI Enrollment 189

        Deploying an Identity Certificate 190

    Configuring Management Access Banners 191

Controlling Management Access with AAA 194

    Creating Users in the Local Database 196

    Using Simple Password-Only Authentication 197

    Configuring AAA Access Using the Local Database 198

    Configuring AAA Access Using Remote AAA Server(s) 200

        Step 1: Create an AAA Server Group and Configure How Servers in the Group Are Accessed 201

        Step 2: Populate the Server Group with Member Servers 202

        Step 3: Enable User Authentication for Each Remote Management Access Channel 203

    Configuring Cisco Secure ACS for Remote Authentication 204

    Configuring AAA Command Authorization 207

    Configuring Local AAA Command Authorization 208

    Configuring Remote AAA Command Authorization 211

    Configuring Remote AAA Accounting 214

    Verifying AAA for Management Access 215

Configuring Monitoring Using SNMP 216

Troubleshooting Remote Management Access 221

Cisco ASA Password Recovery 223

    Performing Password Recovery 223

    Enabling or Disabling Password Recovery 224

Exam Preparation Tasks 225

    Review All Key Topics 225

    Command Reference to Check Your Memory 225

Chapter 6 Recording ASA Activity 233

“Do I Know This Already?” Quiz 233

Foundation Topics 237

System Time 237

    NTP 237

    Verifying System Time Settings 241

Managing Event and Session Logging 242

    NetFlow Support 243

    Logging Message Format 244

    Message Severity 244

Configuring Event and Session Logging 245

    Configuring Global Logging Properties 245

    Altering Settings of Specific Messages 247

    Configuring Event Filters 250

    Configuring Individual Event Destinations 252

        Internal Buffer 252

        ASDM 253

        Syslog Server(s) 255

        Email 257

        NetFlow 259

        Telnet or SSH Sessions 260

Verifying Event and Session Logging 261

    Implementation Guidelines 262

Troubleshooting Event and Session Logging 263

    Troubleshooting Commands 263

Exam Preparation Tasks 265

    Review All Key Topics 265

    Command Reference to Check Your Memory 265

Chapter 7 Using Address Translation 269

“Do I Know This Already?” Quiz 270

Foundation Topics 277

Understanding How NAT Works 277

Enforcing NAT 279

Address Translation Deployment Options 280

    NAT Versus PAT 281

    Input Parameters 283

    Deployment Choices 283

    NAT Exemption 284

Configuring NAT Control 285

Configuring Dynamic Inside NAT 287

Configuring Dynamic Inside PAT 292

Configuring Dynamic Inside Policy NAT 297

Verifying Dynamic Inside NAT and PAT 300

Configuring Static Inside NAT 301

Configuring Network Static Inside NAT 304

Configuring Static Inside PAT 307

Configuring Static Inside Policy NAT 310

Verifying Static Inside NAT and PAT 313

Configuring No-Translation Rules 313

    Configuring Dynamic Identity NAT 314

    Configuring Static Identity NAT 316

    Configuring NAT Bypass (NAT Exemption) 318

NAT Rule Priority with NAT Control Enabled 319

Configuring Outside NAT 320

Other NAT Considerations 323

    DNS Rewrite (Also Known as DNS Doctoring) 323

    Integrating NAT with ASA Access Control 325

    Integrating NAT with MPF 326

    Integrating NAT with AAA (Cut-Through Proxy) 326

Troubleshooting Address Translation 326

    Improper Translation 327

    Protocols Incompatible with NAT or PAT 327

    Proxy ARP 327

    NAT-Related Syslog Messages 328

Exam Preparation Tasks 329

    Review All Key Topics 329

    Define Key Terms 330

    Command Reference to Check Your Memory 330

Chapter 8 Controlling Access Through the ASA 333

“Do I Know This Already?” Quiz 333

Foundation Topics 338

Understanding How Access Control Works 338

State Tables 338

    Connection Table 339

    TCP Connection Flags 342

    Inside and Outside, Inbound and Outbound 343

    Local Host Table 344

    State Table Logging 345

Understanding Interface Access Rules 346

    Stateful Filtering 347

    Interface Access Rules and Interface Security Levels 349

    Interface Access Rules Direction 349

Configuring Interface Access Rules 350

    Access Rule Logging 356

    Cisco ASDM Public Server Wizard 363

    Configuring Access Control Lists from the CLI 364

    Implementation Guidelines 365

Time-Based Access Rules 366

    Configuring Time Ranges from the CLI 370

Verifying Interface Access Rules 371

    Managing Rules in Cisco ASDM 372

    Managing Access Rules from the CLI 375

Organizing Access Rules Using Object Groups 376

Verifying Object Groups 387

Configuring and Verifying Other Basic Access Controls 390

    uRPF 390

    Shunning 392

Troubleshooting Basic Access Control 393

    Examining Syslog Messages 393

    Packet Capture 395

    Packet Tracer 397

    Suggested Approach to Access Control Troubleshooting 399

Exam Preparation Tasks 400

    Review All Key Topics 400

    Command Reference to Check Your Memory 401

Chapter 9 Inspecting Traffic 409

“Do I Know This Already?” Quiz 409

Foundation Topics 415

Understanding the Modular Policy Framework 415

Configuring the MPF 418

Configuring a Policy for Inspecting OSI Layers 3 and 4 420

    Step 1: Define a Layer 3—4 Class Map 421

    Step 2: Define a Layer 3—4 Policy Map 423

    Step 3: Apply the Policy Map to the Appropriate Interfaces 426

    Creating a Security Policy in ASDM 427

    Tuning Basic Layer 3—4 Connection Limits 431

    Inspecting TCP Parameters with the TCP Normalizer 435

    Configuring ICMP Inspection 441

Configuring Dynamic Protocol Inspection 441

    Configuring Custom Protocol Inspection 450

Configuring a Policy for Inspecting OSI Layers 5—7 451

    Configuring HTTP Inspection 452

        Configuring HTTP Inspection Policy Maps Using the CLI 454

        Configuring HTTP Inspection Policy Maps Using ASDM 461

    Configuring FTP Inspection 473

        Configuring FTP Inspection Using the CLI 474

        Configuring FTP Inspection Using ASDM 476

    Configuring DNS Inspection 479

        Creating and Applying a DNS Inspection Policy Map Using the CLI 480

        Creating and Applying a DNS Inspection Policy Map Using ASDM 482

    Configuring ESMTP Inspection 487

        Configuring an ESMTP Inspection with the CLI 487

        Configuring an ESMTP Inspection with ASDM 489

    Configuring a Policy for ASA Management Traffic 492

Detecting and Filtering Botnet Traffic 497

    Configuring Botnet Traffic Filtering with the CLI 498

        Step 1: Configure the Dynamic Database 498

        Step 2: Configure the Static Database 499

        Step 3: Enable DNS Snooping 499

        Step 4: Enable the Botnet Traffic Filter 499

    Configuring Botnet Traffic Filtering with ASDM 501

        Step 1: Configure the Dynamic Database 501

        Step 2: Configure the Static Database 501

        Step 3: Enable DNS Snooping 502

        Step 4: Enable the Botnet Traffic Filter 502

Using Threat Detection 503

    Configuring Threat Detection with the CLI 504

        Step 1: Configure Basic Threat Detection 504

        Step 2: Configure Advanced Threat Detection 506

        Step 3: Configure Scanning Threat Detection 507

    Configuring Threat Detection in ASDM 509

        Step 1: Configure Basic Threat Detection 509

        Step 2: Configure Advanced Threat Detection 509

        Step 3: Configure Scanning Threat Detection 510

Exam Preparation Tasks 512

    Review All Key Topics 512

    Define Key Terms 513

    Command Reference to Check Your Memory 513

Chapter 10 Using Proxy Services to Control Access 515

“Do I Know This Already?” Quiz 515

Foundation Topics 518

User-Based (Cut-Through) Proxy Overview 518

    User Authentication 518

AAA on the ASA 519

    AAA Deployment Options 519

User-Based Proxy Preconfiguration Steps and Deployment Guidelines 520

    User-Based Proxy Preconfiguration Steps 520

    User-Based Proxy Deployment Guidelines 520

Direct HTTP Authentication with the Cisco ASA 521

    HTTP Redirection 521

    Virtual HTTP 522

Direct Telnet Authentication 522

Configuration Steps of User-Based Proxy 522

Configuring User Authentication 522

    Configuring an AAA Group 523

    Configuring an AAA Server 524

    Configuring the Authentication Rules 524

    Verifying User Authentication 526

    Configuring HTTP Redirection 527

    Configuring the Virtual HTTP Server 527

    Configuring Direct Telnet 528

Configuring Authentication Prompts and Timeouts 528

    Configuring Authentication Prompts 529

    Configuring Authentication Timeouts 529

Configuring User Authorization 530

    Configuring Downloadable ACLs 531

Configuring User Session Accounting 531

Using Proxy for IP Telephony and Unified TelePresence 532

Exam Preparation Tasks 534

    Review All Key Topics 534

    Define Key Terms 534

    Command Reference to Check Your Memory 534

Chapter 11 Handling Traffic 537

“Do I Know This Already?” Quiz 537

Foundation Topics 541

Handling Fragmented Traffic 541

Prioritizing Traffic 543

Controlling Traffic Bandwidth 547

    Configuring Traffic Policing Parameters 550

    Configuring Traffic Shaping Parameters 553

Exam Preparation Tasks 557

    Review All Key Topics 557

    Define Key Terms 557

    Command Reference to Check Your Memory 557

Chapter 12 Using Transparent Firewall Mode 561

“Do I Know This Already?” Quiz 561

Foundation Topics 564

Firewall Mode Overview 564

Configuring Transparent Firewall Mode 567

Controlling Traffic in Transparent Firewall Mode 569

Using ARP Inspection 571

Disabling MAC Address Learning 575

Exam Preparation Tasks 579

    Review All Key Topics 579

    Define Key Terms 579

    Command Reference to Check Your Memory 580

Chapter 13 Creating Virtual Firewalls on the ASA 583

“Do I Know This Already?” Quiz 583

Foundation Topics 586

Cisco ASA Virtualization Overview 586

    The System Configuration, the System Context, and Other Security Contexts 586

Virtual Firewall Deployment Guidelines 587

    Deployment Choices 587

    Deployment Guidelines 588

    Limitations 588

Configuration Tasks Overview 589

Configuring Security Contexts 589

    The Admin Context 590

    Configuring Multiple Mode 590

    Creating a Security Context 590

Verifying Security Contexts 592

Managing Security Contexts 592

    Packet Classification 592

    Changing the Admin Context 593

Configuring Resource Management 594

    The Default Class 594

    Creating a New Resource Class 594

Verifying Resource Management 596

Troubleshooting Security Contexts 596

Exam Preparation Tasks 598

    Review All Key Topics 598

    Define Key Terms 598

    Command Reference to Check Your Memory 598

Chapter 14 Deploying High Availability Features 601

“Do I Know This Already?” Quiz 601

Foundation Topics 605

ASA Failover Overview 605

    Failover Roles 605

    Detecting an ASA Failure 611

Configuring Active-Standby Failover Mode 612

    Step 1: Configure the Primary Failover Unit 613

    Step 2: Configure Failover on the Secondary Device 614

    Scenario for Configuring Active-Standby Failover Mode 614

    Configuring Active-Standby Failover with the ASDM Wizard 616

    Configuring Active-Standby Failover Manually in ASDM 618

Configuring Active-Active Failover Mode 621

    Step 1: Configure the Primary ASA Unit 622

    Step 2: Configure the Secondary ASA Unit 623

    Scenario for Configuring Active-Active Failover Mode 623

Tuning Failover Operation 630

    Configuring Failover Timers 630

    Configuring Failover Health Monitoring 631

    Detecting Asymmetric Routing 632

    Administering Failover 634

Verifying Failover Operation 635

Leveraging Failover for a Zero Downtime Upgrade 637

Exam Preparation Tasks 639

    Review All Key Topics 639

    Define Key Terms 639

    Command Reference to Check Your Memory 639

Chapter 15 Integrating ASA Service Modules 645

“Do I Know This Already?” Quiz 645

Foundation Topics 648

Cisco ASA Security Services Modules Overview 648

    Module Components 648

        General Deployment Guidelines 649

        Overview of the Cisco ASA Content Security and Control SSM 649

        Cisco Content Security and Control SSM Licensing 649

        Overview of the Cisco ASA Advanced Inspection and Prevention SSM and SSC 649

        Inline Operation 650

        Promiscuous Operation 650

        Supported Cisco IPS Software Features 650

Installing the ASA AIP-SSM and AIP-SSC 651

    The Cisco AIP-SSM and AIP-SSC Ethernet Connections 651

    Failure Management Modes 652

    Managing Basic Features 652

    Initializing the AIP-SSM and AIP-SSC 653

    Configuring the AIP-SSM and AIP-SSC 653

Integrating the ASA CSC-SSM 653

    Installing the CSC-SSM 653

    Ethernet Connections 654

    Managing the Basic Features 654

    Initializing the Cisco CSC-SSM 654

    Configuring the CSC-SSM 655

Exam Preparation Tasks 656

    Review All Key Topics 656

    Definitions of Key Terms 656

    Command Reference to Check Your Memory 656

Chapter 16 Final Preparation 659

Tools for Final Preparation 659

    Pearson Cert Practice Test Engine and Questions on the CD 659

        Install the Software from the CD 659

        Activate and Download the Practice Exam 660

        Activating Other Exams 660

        Premium Edition 660

    The Cisco Learning Network 661

    Chapter-Ending Review Tools 661

Suggested Plan for Final Review/Study 661

    Using the Exam Engine 662

Summary 663

Appendix A Answers to the “Do I Know This Already?” Quizzes 665

Appendix B CCNP Security 642-617 FIREWALL Exam Updates: Version 1.0 671

Appendix C Traffic Analysis Tools 675

Glossary 707

9781587142796   TOC   8/25/2011

Other Things You Might Like