
CCNP Security VPN 642-648 Official Cert Guide, CourseSmart eTextbook, 2nd Edition

By Howard Hooper

Published by Cisco Press

Published Date: Jun 22, 2012


Description

This is Cisco's official, comprehensive self-study resource for the new Deploying Cisco ASA VPN Solutions (VPN v1.0) exam, required for CCNP Security certification. Designed for beginning-to-intermediate level readers, it covers every objective concisely and logically, with extensive teaching features that promote retention and understanding. Readers will find:

* Pre-chapter quizzes to assess knowledge upfront and focus study more efficiently
* Foundation Topics sections that explain concepts and configurations, and link theory to actual configuration commands
* Key Topics sections calling attention to every figure, table, and list that candidates must know
* Exam Preparation sections with additional chapter review features
* A final preparation chapter providing tools and a complete final study plan
* A customizable practice test library on CD-ROM

This book's comprehensive coverage includes:

* ASA architecture
* Configuring policies, inheritance, and attributes
* Deploying clientless VPN solutions, including advanced techniques
* Customizing clientless portals
* Using and optimizing clientless SSL
* Securely deploying AnyConnect Remote Access VPNs
* Deploying Easy VPN from start to finish
* Deploying and optimizing IPsec site-to-site VPNs
* And much more

This edition has been fully updated for the latest exam objectives, including new IPv6 coverage and integrated CLI configuration examples alongside ASDM configurations throughout.

Table of Contents

Introduction

Part I ASA Architecture and Technologies Overview

Chapter 1 Examining the Role of VPNs and the Technologies Supported by the ASA

“Do I Know This Already?” Quiz

Foundation Topics

Introducing the Virtual Private Network

    VPN Termination Device (ASA) Placement

Meet the Protocols

    Symmetric and Asymmetric Key Algorithms

    IPsec

    IKEv1

    Authentication Header and Encapsulating Security Payload

    IKEv2

    SSL/TLS

    SSL Tunnel Negotiation

    Handshake

    DTLS

ASA Packet Processing

The Good, the Bad, and the Licensing

    Time-Based Licenses

        When Time-Based and Permanent Licenses Combine

    Shared SSL VPN Licenses

        Failover Licensing

Exam Preparation Tasks

Review All Key Topics

Complete Tables and Lists from Memory

Define Key Terms

Chapter 2 Configuring Policies, Inheritance, and Attributes

“Do I Know This Already?” Quiz

Foundation Topics

Policies and Their Relationships

Understanding Connection Profiles

    Group URL

    Group Alias

    Certificate-to-Connection Profile Mapping

    Per-User Connection Profile Lock

    Default Connection Profiles

Understanding Group Policies

Configure User Attributes

Using External Servers for AAA and Policies

Exam Preparation Tasks

Review All Key Topics

Complete Tables and Lists from Memory

Define Key Terms

Part II Cisco Clientless Remote-Access VPN Solutions

Chapter 3 Deploying a Clientless SSL VPN Solution

“Do I Know This Already?” Quiz

Foundation Topics

Clientless SSL VPN Overview

Deployment Procedures and Strategies

Deploying Your First Clientless SSL VPN Solution

    IP Addressing

    Hostname, Domain Name, and DNS

    Become a Member of a Public Key Infrastructure

    Adding a CA Root Certificate

    Certificate Revocation List

    Revocation Check

    CRL Retrieval Policy

    CRL Retrieval Method

    OCSP Rules

    Advanced

    Enable the Relevant Interfaces for SSL

    Create Local User Accounts for Authentication

    Create a Connection Profile (Optional)

Basic Access Control

    Bookmarks

    HTTP and HTTPS

    CIFS

    FTP

    Group Policies

Content Transformation

    Gateway Content Rewriting

    Application Helper Profiles

    Java Code Signing

Troubleshooting a Basic Clientless SSL VPN

    Troubleshooting Session Establishment

    Troubleshooting Certificate Errors

Exam Preparation Tasks

Review All Key Topics

Complete Tables and Lists from Memory

Define Key Terms

Chapter 4 Advanced Clientless SSL VPN Settings

“Do I Know This Already?” Quiz

Foundation Topics

Overview of Advanced Clientless SSL VPN Settings

Application Access Through Port Forwarding

    Configuring Port Forwarding

Application Access Using Client-Server Plug-Ins

    Configuring Client-Server Plug-In Access

Application Access Through Smart Tunnels

    Configuring Smart Tunnel Access

Configuring SSL/TLS Proxies

    Email Proxy

    Internal HTTP and HTTPS Proxy

Troubleshooting Advanced Application Access

    Troubleshooting Application Access

    Client

    ASA/VPN Termination Appliance

    Application/Web Server

Exam Preparation Tasks

Review All Key Topics

Complete Tables and Lists from Memory

Define Key Terms

Chapter 5 Customizing the Clientless Portal

“Do I Know This Already?” Quiz

Foundation Topics

Basic Portal Layout Configuration

    Logon Page Customization

    Portal Page Customization

    Logout Page Customization

Outside-the-Box Portal Configuration

Portal Language Localization

Getting Portal Help

AnyConnect Portal Integration

Clientless SSL VPN Advanced Authentication

Using an External and Internal CA for Clientless Access

Clientless SSL VPN Double Authentication

Deploying Clientless SSL VPN Single Signon

Troubleshooting PKI and SSO Integration

Exam Preparation Tasks

Review All Key Topics

Complete Tables and Lists from Memory

Define Key Terms

Chapter 6 Clientless SSL VPN Advanced Authentication and Authorization

“Do I Know This Already?” Quiz

Foundation Topics

Configuration Procedures, Deployment Strategies, and Information Gathering

    Create a DAP

    Specify User AAA Attributes

    Specify Endpoint Attributes

    Configure Authorization Parameters

    Configure Authorization Parameters for the Default DAP

DAP Record Aggregation

Troubleshooting DAP Deployment

    ASDM Test Feature

    ASA Logging

    DAP Debugging

Exam Preparation Tasks

Review All Key Topics

Complete Tables and Lists from Memory

Define Key Terms

Chapter 7 Clientless SSL High Availability and Performance

“Do I Know This Already?” Quiz

Foundation Topics

High-Availability Deployment Information and Common Strategies

    Failover

    Active/Active

    Active/Standby

    VPN Load Balancing (Clustering)

    External Load Balancing

    Redundant VPN Peering

Content Caching for Optimization

Clientless SSL VPN Load Sharing Using an External Load Balancer

Clustering Configuration for Clientless SSL VPN

Troubleshooting Load Balancing and Clustering

Exam Preparation Tasks

Review All Key Topics

Complete Tables and Lists from Memory

Define Key Terms

Part III Cisco AnyConnect Remote-Access VPN Solutions

Chapter 8 Deploying an AnyConnect Remote-Access VPN Solution

“Do I Know This Already?” Quiz

Foundation Topics

AnyConnect Full-Tunnel SSL VPN Overview

Configuration Procedures, Deployment Strategies, and Information Gathering

    AnyConnect Secure Mobility Client Installation

Deploying Your First Full-Tunnel AnyConnect SSL VPN Solution

    IP Addressing

    Enable IPv6 Access

    Hostname, Domain Name, and DNS

    Enroll with a CA and Become a Member of a PKI

    Add an Identity Certificate

    Add the Signing Root CA Certificate

    Enable the Interfaces for SSL/DTLS and AnyConnect Client Connections

    Create a Connection Profile

Deploying Your First AnyConnect IKEv2 VPN Solution

    Enable the Relevant Interfaces for IKEv2 and AnyConnect Client Access

    Create Your IKEv2 Policies

    Create a Connection Profile

Client IP Address Allocation

    Connection Profile Address Assignment

    Group Policy Address Assignment

    Direct User Address Assignment

Advanced Controls for Your Environment

    ACLs and Downloadable ACLs

    Split Tunneling

    Access Hours/Time Range

Troubleshooting the AnyConnect Secure Mobility Client

Exam Preparation Tasks

Review All Key Topics

Complete Tables and Lists from Memory

Define Key Terms

Chapter 9 Advanced Authentication and Authorization of AnyConnect VPNs

“Do I Know This Already?” Quiz

Foundation Topics

Authentication Options and Strategies

Provisioning Certificates as a Local CA

Configuring Certificate Mappings

    Certificate-to-Connection Profile Maps

    Mapping Criteria

Provisioning Certificates from a Third-Party CA

    Configure an XML Profile for Use by the AnyConnect Client

    Configure a Dedicated Connection Profile for Enrollment

    Enroll the AnyConnect Client into a PKI

    Optionally, Configure Client Certificate Selection

    Import the Issuing CA’s Certificate into the ASA

    Create a Connection Profile Using Certificate-Based Authentication

Advanced PKI Deployment Strategies

Doubling Up on Client Authentication

Troubleshooting Your Advanced Configuration

Exam Preparation Tasks

Review All Key Topics

Complete Tables and Lists from Memory

Define Key Terms

Chapter 10 Advanced Deployment and Management of the AnyConnect Client

“Do I Know This Already?” Quiz

Foundation Topics

Configuration Procedures, Deployment Strategies, and Information Gathering

AnyConnect Installation Options

    Manual Predeployment

    Automatic Web Deployment

Managing AnyConnect Client Profiles

Advanced Profile Features

    Start Before Login

    Trusted Network Detection

Advanced AnyConnect Customization and Management

Exam Preparation Tasks

Review All Key Topics

Complete Tables and Lists from Memory

Define Key Terms

Chapter 11 AnyConnect Advanced Authorization Using AAA and DAPs

“Do I Know This Already?” Quiz

Foundation Topics

Configuration Procedures, Deployment Strategies, and Information Gathering

Configuring Local and Remote Group Policies

Full SSL VPN Accountability

Authorization Through Dynamic Access Policies

Troubleshooting Advanced Authorization Settings

Exam Preparation Tasks

Review All Key Topics

Complete Tables and Lists from Memory

Define Key Terms

Chapter 12 AnyConnect High Availability and Performance

“Do I Know This Already?” Quiz

Foundation Topics

Overview of High Availability and Redundancy Methods

    Hardware-Based Failover

    VPN Clustering (VPN Load Balancing)

    Redundant VPN Peering

    External Load Balancing

Deploying DTLS

Performance Assurance with QoS

    Basic ASDM QoS Configuration

    Basic CLI QoS Configuration

AnyConnect Redundant Peering and Failover

Hardware-Based Failover with VPNs

    Configure LAN Failover Interfaces

    Configure Standby Addresses on Interfaces Used for Traffic Forwarding

    Define Failover Criteria

    Configure Nondefault MAC Addresses

Redundancy in the VPN Core

    VPN Clustering

    Load Balancing Using an External Load Balancer

Exam Preparation Tasks

Review All Key Topics

Complete Tables and Lists from Memory

Define Key Terms

Part IV Cisco Secure Desktop

Chapter 13 Cisco Secure Desktop

“Do I Know This Already?” Quiz

Foundation Topics

Cisco Secure Desktop Overview and Configuration

    Prelogin Assessment

    Host Scan

    Secure Desktop (Vault)

    Cache Cleaner

    Keystroke Logger

    Integration with DAP

    Host Emulation Detection

    Windows Mobile Device Management

    Standalone Installation Packages

    CSD Manual Launch

CSD Order of Operations

    Prelogin Phase

    Post-Login Phase

    Session-Termination Phase

    CSD Supported Browsers, Operating Systems, and Credentials

    Enabling Cisco Secure Desktop on the ASA

Configure Prelogin Criteria

    Keystroke Logger and Safety Checks

    Cache Cleaner

    Secure Desktop (Vault) General

    Secure Desktop (Vault) Settings

    Secure Desktop (Vault) Browser

Host Endpoint Assessment

Authorization Using DAPs

Troubleshooting Cisco Secure Desktop

Exam Preparation Tasks

Review All Key Topics

Complete Tables and Lists from Memory

Define Key Terms

Part V Cisco IPsec Remote-Access Client Solutions

Chapter 14 Deploying and Managing the Cisco VPN Client

“Do I Know This Already?” Quiz

Foundation Topics

Cisco IPsec VPN Client Features

Cisco ASA Basic Remote IPsec Client Configuration

IPsec Client Software Installation and Basic Configuration

    Create New VPN Connection Entry, Main Window

    Authentication Tab

    Transport Tab

    Backup Servers Tab

    Dial-Up Tab

Advanced Profile Settings

VPN Client Software GUI Customization

Troubleshooting VPN Client Connectivity

Exam Preparation Tasks

Review All Key Topics

Complete Tables and Lists from Memory

Define Key Terms

Part VI Cisco Easy VPN Solutions

Chapter 15 Deploying Easy VPN Solutions

“Do I Know This Already?” Quiz

Foundation Topics

Configuration Procedures, Deployment Procedures, and Information Gathering

Easy VPN Basic Configuration

    ASA IP Addresses

    Configure Required Routing

    Enable IPsec Connectivity

    Configure Preferred IKEv1 and IPsec Policies

    Client IP Address Assignment

    VPN Client Authentication Using Pre-Shared Keys

    Using XAUTH for VPN Client Access

    IP Address Allocation Using the VPN Client

    DHCP Configuration

Controlling Your Environment with Advanced Features

    ACL Bypass Configuration

    Basic Interface ACL Configuration

    Per-Group ACL Configuration

    Per-User ACL Configuration

    Split-Tunneling Configuration

Troubleshooting a Basic Easy VPN

Exam Preparation Tasks

Review All Key Topics

Complete Tables and Lists from Memory

Define Key Terms

Chapter 16 Advanced Authentication and Authorization Using Easy VPN

“Do I Know This Already?” Quiz

Foundation Topics

Authentication Options and Strategies

Configuring PKI for Use with Easy VPN

Configuring Mutual/Hybrid Authentication

Configuring Digital Certificate Mappings

Provisioning Certificates from a Third-Party CA

Advanced PKI Deployment Strategies

    CRLs

    OCSP

    AAA

Troubleshooting Advanced Authentication for Easy VPN

Exam Preparation Tasks

Review All Key Topics

Complete Tables and Lists from Memory

Define Key Terms

Chapter 17 Advanced Easy VPN Authorization

“Do I Know This Already?” Quiz

Foundation Topics

Configuration Procedures, Deployment Strategies, and Information Gathering

Configuring Local and Remote Group Policies

    Assigning a Group Policy to a Local User Account

    Assigning a Group Policy to a Connection Profile

Accounting Methods for Operational Information

    NetFlow 9

    RADIUS VPN Accounting

    SNMP

Exam Preparation Tasks

Review All Key Topics

Complete Tables and Lists from Memory

Define Key Terms

Chapter 18 High Availability and Performance for Easy VPN

“Do I Know This Already?” Quiz

Foundation Topics

Configuration Procedures, Deployment Strategies, and Information Gathering

VPN Client HA and Failover

Hardware-Based Failover with VPNs

    Configure Optional Active/Standby Failover Settings

Clustering Configuration for Easy VPN

Troubleshooting Device Failover and Clustering

Exam Preparation Tasks

Review All Key Topics

Complete Tables and Lists from Memory

Define Key Terms

Chapter 19 Easy VPN Operation Using the ASA 5505 as a Hardware Client

“Do I Know This Already?” Quiz

Foundation Topics

Easy VPN Remote Hardware Client Overview

    Client Mode

    Network Extension Mode

Configuring a Basic Easy VPN Remote Client Using the ASA 5505

Configuring Advanced Easy VPN Remote Client Settings for the ASA 5505

    X-Auth and Device Authentication

    Remote Management

    Tunneled Management

    Clear Tunneled Management

    NAT Traversal

    Device Pass-Through

Troubleshooting the ASA 5505 Easy VPN Remote Hardware Client

Exam Preparation Tasks

Review All Key Topics

Complete Tables and Lists from Memory

Define Key Terms

Part VII Cisco IPsec Site-to-Site VPN Solutions

Chapter 20 Deploying IPsec Site-to-Site VPNs

“Do I Know This Already?” Quiz

Foundation Topics

Configuration Procedures, Deployment Strategies, and Information Gathering

IKEv1

    Phase 1

    Phase 2 (Quick Mode)

IKEv2

    Phase 1

    Phase 2

Configuring a Basic IKEv1 IPsec Site-to-Site VPN

    Configure Basic Peer Authentication

        Enable IKEv1 on the Interface

        Configure IKEv1 Policies

        Configure Pre-Shared Keys

    Configure Transmission Protection

        Select Transform Set and VPN Peer

        Define Interesting Traffic

Configuring a Basic IKEv2 IPsec Site-to-Site VPN

Configure Advanced Authentication for IKEv1 IPsec Site-to-Site VPNs

Troubleshooting an IPsec Site-to-Site VPN Connection

    Tunnel Not Establishing: Phase 1

    Tunnel Not Establishing: Phase 2

    Traffic Not Passing Through Your Tunnel

Exam Preparation Tasks

Review All Key Topics

Complete Tables and Lists from Memory

Define Key Terms

Chapter 21 High Availability and Performance Strategies for IPsec Site-to-Site VPNs

“Do I Know This Already?” Quiz

Foundation Topics

Configuration Procedures, Deployment Strategies, and Information Gathering

High Assurance with QoS

    Basic QoS Configuration

Deploying Redundant Peering for Site-to-Site VPNs

Site-to-Site VPN Redundancy Using Routing

Hardware-Based Failover with VPNs

    Configure LAN Failover Interfaces

    Configure Standby Addresses on Interfaces Used for Traffic Forwarding

    Define Failover Criteria

    Configure Nondefault MAC Addresses

Troubleshooting HA Deployment

Exam Preparation Tasks

Review All Key Topics

Complete Tables and Lists from Memory

Define Key Terms

Part VIII Exam Preparation

Chapter 22 Final Exam Preparation

Tools for Final Preparation

    Pearson Cert Practice Test Engine and Questions on the CD

        Install the Software from the CD

        Activate and Download the Practice Exam

        Activating Other Exams

        Premium Edition

    The Cisco Learning Network

Memory Tables

Suggested Plan for Final Review/Study

    Using the Exam Engine

Summary

Part IX Appendixes

Appendix A Answers to the “Do I Know This Already?” Quizzes

Appendix B 642-648 CCNP Security VPN Exam Updates, Version 1.0

Appendix C Memory Tables (CD-only)

Appendix D Memory Tables Answer Key (CD-only)

Glossary


9781587204470   TOC   5/21/2012


Format: Safari Book

$36.49 | ISBN-13: 978-0-13-296642-9