CCNP Security Firewall 642-618 Official Cert Guide (HAR/CDR)

  • Binding: Hardcover / Pages: 812 p.
  • Language: ENG
  • Product code: 9781587142710
  • DDC classification: 005.8

Full Description


Trust the best-selling Official Cert Guide series from Cisco Press to help you learn, prepare, and practice for exam success. They are built with the objective of providing assessment, review, and practice to help ensure you are fully prepared for your certification exam. CCNP Security FIREWALL 642-618 Official Cert Guide presents you with an organized test preparation routine through the use of proven series elements and techniques. "Do I Know This Already?" quizzes open each chapter and enable you to decide how much time you need to spend on each section. Exam topic lists make referencing easy. Chapter-ending Exam Preparation Tasks help you drill on key concepts you must know thoroughly.

  • Master Cisco CCNP Security FIREWALL exam topics
  • Assess your knowledge with chapter-opening quizzes
  • Review key concepts with exam preparation tasks
  • Practice with realistic exam questions on the CD-ROM

CCNP Security FIREWALL 642-618 Official Cert Guide focuses specifically on the objectives for the CCNP Security FIREWALL exam. Expert networking consultants Dave Hucaby, Dave Garneau, and Anthony Sequeira share preparation hints and test-taking tips, helping you identify areas of weakness and improve both your conceptual knowledge and hands-on skills. Material is presented in a concise manner, focusing on increasing your understanding and retention of exam topics. The companion CD-ROM contains a powerful Pearson IT Certification Practice Test engine that enables you to focus on individual topic areas or take a complete, timed exam. The assessment engine also tracks your performance and provides feedback on a module-by-module basis, laying out a complete assessment of your knowledge to help you focus your study where it is needed most.

Well regarded for its level of detail, assessment features, comprehensive design scenarios, and challenging review questions and exercises, this official study guide helps you master the concepts and techniques that will enable you to succeed on the exam the first time. The official study guide helps you master all the topics on the CCNP Security FIREWALL exam, including:

  • ASA interfaces
  • IP connectivity
  • ASA management
  • Recording ASA activity
  • Address translation
  • Access control
  • Proxy services
  • Traffic inspection and handling
  • Transparent firewall mode
  • Virtual firewalls
  • High availability
  • ASA service modules

CCNP Security FIREWALL 642-618 Official Cert Guide is part of a recommended learning path from Cisco that includes simulation and hands-on training from authorized Cisco Learning Partners and self-study products from Cisco Press. To find out more about instructor-led training, e-learning, and hands-on instruction offered by authorized Cisco Learning Partners worldwide, please visit www.cisco.com/go/authorizedtraining.

The print edition of the CCNP Security FIREWALL 642-618 Official Cert Guide contains a free, complete practice exam. Also available from Cisco Press for Cisco CCNP Security study is the CCNP Security FIREWALL 642-618 Official Cert Guide Premium Edition eBook and Practice Test. This digital-only certification preparation product combines an eBook with the enhanced Pearson IT Certification Practice Test. This integrated learning package:

  • Allows you to focus on individual topic areas or take complete, timed exams
  • Includes direct links from each question to detailed tutorials to help you understand the concepts behind the questions
  • Provides unique sets of exam-realistic practice questions
  • Tracks your performance and provides feedback on a module-by-module basis, laying out a complete assessment of your knowledge to help you focus your study where it is needed most

Contents

Introduction

Chapter 1 Cisco ASA Adaptive Security Appliance Overview
  • "Do I Know This Already?" Quiz
  • Foundation Topics
    • Firewall Overview
    • Firewall Techniques (Stateless Packet Filtering; Stateful Packet Filtering; Stateful Packet Filtering with Application Inspection and Control; Network Intrusion Prevention System; Network Behavior Analysis; Application Layer Gateway (Proxy))
    • Cisco ASA Features
    • Selecting a Cisco ASA Model (ASA 5505; ASA 5510, 5520, and 5540; ASA 5550; ASA 5580; Security Services Modules: Advanced Inspection and Prevention (AIP) SSM, Content Security and Control (CSC) SSM, 4-port Gigabit Ethernet (4GE) SSM; ASA 5585-X; ASA Performance Breakdown)
    • Selecting ASA Licenses
    • ASA Memory Requirements
  • Exam Preparation Tasks (Review All Key Topics; Define Key Terms)

Chapter 2 Working with a Cisco ASA
  • "Do I Know This Already?" Quiz
  • Foundation Topics
    • Using the CLI (Entering Commands; Command Help; Searching and Filtering Command Output; Command History; Terminal Screen Format)
    • Using Cisco ASDM
    • Understanding the Factory Default Configuration
    • Working with Configuration Files
    • Clearing an ASA Configuration
    • Working with the ASA File System (Navigating an ASA Flash File System; Working with Files in an ASA File System)
    • Reloading an ASA (Upgrading the ASA Software at the Next Reload; Performing a Reload; Manually Upgrading the ASA Software During a Reload)
  • Exam Preparation Tasks (Review All Key Topics; Define Key Terms; Command Reference to Check Your Memory)

Chapter 3 Configuring ASA Interfaces
  • "Do I Know This Already?" Quiz
  • Foundation Topics
    • Configuring Physical Interfaces (Default Interface Configuration; Configuring Physical Interface Parameters; Mapping ASA 5505 Interfaces to VLANs; Configuring Interface Redundancy; Configuring an EtherChannel)
    • Configuring VLAN Interfaces (VLAN Interfaces and Trunks on ASA 5510 and Higher Platforms; VLAN Interfaces and Trunks on an ASA 5505)
    • Configuring Interface Security Parameters (Naming the Interface; Assigning an IP Address; Setting the Security Level; Interface Security Parameters Example)
    • Configuring the Interface MTU
    • Verifying Interface Operation
  • Exam Preparation Tasks (Review All Key Topics; Define Key Terms; Command Reference to Check Your Memory)

Chapter 4 Configuring IP Connectivity
  • "Do I Know This Already?" Quiz
  • Foundation Topics
    • Deploying DHCP Services (Configuring a DHCP Relay; Configuring a DHCP Server)
    • Using Routing Information (Configuring Static Routing; Tracking a Static Route; Routing with RIPv2; Routing with EIGRP; Routing with OSPF; An Example OSPF Scenario; Verifying the ASA Routing Table)
  • Exam Preparation Tasks (Review All Key Topics; Define Key Terms; Command Reference to Check Your Memory)

Chapter 5 Managing a Cisco ASA
  • "Do I Know This Already?" Quiz
  • Foundation Topics
    • Basic Device Settings (Configuring Device Identity; Configuring Basic Authentication; Configuring DNS Resolution; Configuring DNS Server Groups; Verifying Basic Device Settings; Verifying DNS Resolution)
    • File System Management (File System Management Using ASDM; File System Management Using the CLI: dir, more, copy, delete, rename, mkdir, cd, rmdir, fsck, pwd, format or erase)
    • Managing Software and Feature Activation (Managing Cisco ASA Software and ASDM Images; Upgrading Files from a Local PC or Directly from Cisco.com; Considerations When Upgrading from OS Version 8.2 to 8.3 or Higher; License Management; Upgrading the Image and Activation Key at the Same Time; Cisco ASA Software and License Verification)
    • Configuring Management Access (Overview of Basic Procedures; Configuring Remote Management Access; Configuring an Out-of-Band Management Interface; Configuring Remote Access Using Telnet; Configuring Remote Access Using SSH; Configuring Remote Access Using HTTPS; Creating a Permanent Self-Signed Certificate; Obtaining an Identity Certificate by PKI Enrollment; Deploying an Identity Certificate; Configuring Management Access Banners)
    • Controlling Management Access with AAA (Creating Users in the Local Database; Using Simple Password-Only Authentication; Configuring AAA Access Using the Local Database; Configuring AAA Access Using Remote AAA Server(s): Step 1: Create a AAA Server Group and Configure How Servers in the Group Are Accessed, Step 2: Populate the Server Group with Member Servers, Step 3: Enable User Authentication for Each Remote Management Access Channel; Configuring Cisco Secure ACS for Remote Authentication; Configuring AAA Command Authorization; Configuring Local AAA Command Authorization; Configuring Remote AAA Command Authorization; Configuring Remote AAA Accounting; Verifying AAA for Management Access)
    • Configuring Monitoring Using SNMP
    • Troubleshooting Remote Management Access (Unlocking Locked and Disabled User Accounts)
    • Cisco ASA Password Recovery (Performing Password Recovery; Enabling or Disabling Password Recovery)
  • Exam Preparation Tasks (Review All Key Topics; Command Reference to Check Your Memory)

Chapter 6 Recording ASA Activity
  • "Do I Know This Already?" Quiz
  • Foundation Topics
    • System Time (NTP; Verifying System Time Settings)
    • Managing Event and Session Logging (NetFlow Support; Logging Message Format; Message Severity)
    • Configuring Event and Session Logging (Configuring Global Logging Properties; Altering Settings of Specific Messages; Configuring Event Filters; Configuring Individual Event Destinations: Internal Buffer, ASDM, Syslog Server(s), Email, NetFlow, Telnet or SSH Sessions)
    • Verifying Event and Session Logging
    • Implementation Guidelines
    • Troubleshooting Event and Session Logging (Troubleshooting Commands)
  • Exam Preparation Tasks (Review All Key Topics; Command Reference to Check Your Memory)

Chapter 7 Using Address Translation
  • "Do I Know This Already?" Quiz
  • Foundation Topics
    • Understanding How NAT Works
    • Implementing NAT in ASA Software Versions 8.2 and Earlier
      • Enforcing NAT
      • Address Translation Deployment Options (NAT Versus PAT; Input Parameters; Deployment Choices; NAT Exemption)
      • Configuring NAT Control
      • Configuring Dynamic Inside NAT; Configuring Dynamic Inside PAT; Configuring Dynamic Inside Policy NAT; Verifying Dynamic Inside NAT and PAT
      • Configuring Static Inside NAT; Configuring Network Static Inside NAT; Configuring Static Inside PAT; Configuring Static Inside Policy NAT; Verifying Static Inside NAT and PAT
      • Configuring No-Translation Rules (Configuring Dynamic Identity NAT; Configuring Static Identity NAT; Configuring NAT Bypass (NAT Exemption))
      • NAT Rule Priority
      • Configuring Outside NAT
      • Other NAT Considerations (DNS Rewrite (Also Known as DNS Doctoring); Integrating NAT with ASA Access Control; Integrating NAT with MPF; Integrating NAT with AAA (Cut-Through Proxy))
      • Troubleshooting Address Translation (Improper Translation; Protocols Incompatible with NAT or PAT; Proxy ARP; NAT-Related Syslog Messages)
    • Implementing NAT in ASA Software Versions 8.3 and Later
      • Major Differences in NAT Beginning in Software Version 8.3 (Network Objects; NAT Control; Integrating NAT with Other ASA Functions; NAT "Direction"; NAT Rule Priority; New NAT Options in OS Versions 8.3 and Later; NAT Table)
      • Configuring Auto (Object) NAT (Configuring Static Translations Using Auto NAT; Configuring Static Port Translations Using Auto NAT; Comparing Static NAT Configurations from OS Versions 8.2 and 8.3; Configuring Dynamic Translations Using Auto NAT; Using Object Groups in NAT Rules; Comparing Dynamic NAT Configurations from OS Versions 8.2 and 8.3; Verifying Auto (Object) NAT)
      • Configuring Manual NAT (Examining the Syntax of the Manual NAT Command; Configuring a NAT Exemption Using Manual NAT; Configuring Twice NAT; Configuring Translations Using Manual NAT After Auto NAT; Configuring a Unidirectional Manual Static NAT Rule; Inserting a Manual NAT Rule in a Specific Location; Comparing Manual NAT Configurations from OS Versions 8.2 and 8.3)
      • When Not to Use NAT
      • Tuning NAT
      • Troubleshooting NAT (Improper Translation; Proxy ARP and Syslog Messages; Egress Interface Selection)
  • Exam Preparation Tasks (Review All Key Topics; Define Key Terms; Command Reference to Check Your Memory)

Chapter 8 Controlling Access Through the ASA
  • "Do I Know This Already?" Quiz
  • Foundation Topics
    • Understanding How Access Control Works (State Tables; Connection Table; TCP Connection Flags; Inside and Outside, Inbound and Outbound; Local Host Table; State Table Logging)
    • Understanding Interface Access Rules (Stateful Filtering; Interface Access Rules and Interface Security Levels; Interface Access Rules Direction; Default Access Rules; The Global ACL)
    • Configuring Interface Access Rules (Access Rule Logging; Configuring the Global ACL; Cisco ASDM Public Server Wizard; Configuring Access Control Lists from the CLI; Implementation Guidelines; Time-Based Access Rules; Configuring Time Ranges from the CLI; Verifying Interface Access Rules)
    • Managing Rules in Cisco ASDM
    • Managing Access Rules from the CLI
    • Organizing Access Rules Using Object Groups (Verifying Object Groups)
    • Configuring and Verifying Other Basic Access Controls (Shunning)
    • Troubleshooting Basic Access Control (Examining Syslog Messages; Packet Capture; Packet Tracer; Suggested Approach to Access Control Troubleshooting)
  • Exam Preparation Tasks (Review All Key Topics; Command Reference to Check Your Memory)

Chapter 9 Inspecting Traffic
  • "Do I Know This Already?" Quiz
  • Foundation Topics
    • Understanding the Modular Policy Framework
    • Configuring the MPF
      • Configuring a Policy for Inspecting OSI Layers 3 and 4 (Step 1: Define a Layers 3-4 Class Map; Step 2: Define a Layers 3-4 Policy Map; Step 3: Apply the Policy Map to the Appropriate Interfaces)
      • Creating a Security Policy in ASDM
      • Tuning Basic Layers 3-4 Connection Limits
      • Inspecting TCP Parameters with the TCP Normalizer
      • Configuring ICMP Inspection
      • Configuring Dynamic Protocol Inspection
      • Configuring Custom Protocol Inspection
      • Configuring a Policy for Inspecting OSI Layers 5-7 (Configuring HTTP Inspection: Configuring HTTP Inspection Policy Maps Using the CLI, Configuring HTTP Inspection Policy Maps Using ASDM; Configuring FTP Inspection: Configuring FTP Inspection Using the CLI, Configuring FTP Inspection Using ASDM; Configuring DNS Inspection: Creating and Applying a DNS Inspection Policy Map Using the CLI, Creating and Applying a DNS Inspection Policy Map Using ASDM; Configuring ESMTP Inspection: Configuring an ESMTP Inspection with the CLI, Configuring an ESMTP Inspection with ASDM)
      • Configuring a Policy for ASA Management Traffic
    • Detecting and Filtering Botnet Traffic
      • Configuring Botnet Traffic Filtering with ASDM (Step 1: Configure the Dynamic Database; Step 2: Configure the Static Database; Step 3: Enable DNS Snooping; Step 4: Enable the Botnet Traffic Filter)
      • Configuring Botnet Traffic Filtering with the CLI (Step 1: Configure the Dynamic Database; Step 2: Configure the Static Database; Step 3: Enable DNS Snooping; Step 4: Enable the Botnet Traffic Filter)
    • Using Threat Detection
      • Configuring Threat Detection in ASDM (Step 1: Configure Basic Threat Detection; Step 2: Configure Advanced Threat Detection; Step 3: Configure Scanning Threat Detection)
      • Configuring Threat Detection with the CLI (Step 1: Configure Basic Threat Detection; Step 2: Configure Advanced Threat Detection; Step 3: Configure Scanning Threat Detection)
  • Exam Preparation Tasks (Review All Key Topics; Define Key Terms; Command Reference to Check Your Memory)

Chapter 10 Using Proxy Services to Control Access
  • "Do I Know This Already?" Quiz
  • Foundation Topics
    • User-Based (Cut-Through) Proxy Overview (User Authentication; User Authentication and Access Control; Implementation Examples; AAA on the ASA; AAA Deployment Options)
    • User-Based Proxy Preconfiguration Steps and Deployment Guidelines (User-Based Proxy Preconfiguration Steps; User-Based Proxy Deployment Guidelines; Direct HTTP Authentication with the Cisco ASA; HTTP Redirection; Virtual HTTP; Direct Telnet Authentication)
    • Configuration Steps of User-Based Proxy (Configuring User Authentication; Configuring an AAA Group; Configuring an AAA Server; Configuring the Authentication Rules; Verifying User Authentication; Configuring HTTP Redirection; Configuring the Virtual HTTP Server; Configuring Direct Telnet; Configuring Authentication Prompts and Timeouts; Configuring Authentication Prompts; Configuring Authentication Timeouts)
    • Configuring User Authorization (Per-User Override; Configuring Downloadable ACLs; Configuring Per-User Override; Verification)
    • Configuring User Session Accounting (Configuring User Session Accounting; Verification)
    • Troubleshooting Cut-Through Proxy Operations (A Structured Approach; System Messages)
    • Using Proxy for IP Telephony and Unified TelePresence
  • Exam Preparation Tasks (Review All Key Topics; Define Key Terms; Command Reference to Check Your Memory)

Chapter 11 Handling Traffic
  • "Do I Know This Already?" Quiz
  • Foundation Topics
    • Handling Fragmented Traffic
    • Prioritizing Traffic
    • Controlling Traffic Bandwidth (Configuring a Traffic Policer; Configuring Traffic Shaping)
  • Exam Preparation Tasks (Review All Key Topics; Define Key Terms; Command Reference to Check Your Memory)

Chapter 12 Using Transparent Firewall Mode
  • "Do I Know This Already?" Quiz
  • Foundation Topics
    • Firewall Mode Overview
    • Configuring Transparent Firewall Mode
    • Controlling Traffic in Transparent Firewall Mode
    • Using ARP Inspection
    • Disabling MAC Address Learning
  • Exam Preparation Tasks (Review All Key Topics; Define Key Terms; Command Reference to Check Your Memory)

Chapter 13 Creating Virtual Firewalls on the ASA
  • "Do I Know This Already?" Quiz
  • Foundation Topics
    • Cisco ASA Virtualization Overview (A High-Level Examination of a Virtual Firewall's Configuration; The System Configuration, System Context, and Other Security Contexts; Packet Classification)
    • Virtual Firewall Deployment Guidelines (Deployment Choices; Deployment Guidelines; Limitations)
    • Configuration Tasks Overview
    • Configuring Security Contexts (The Admin Context; Configuring Multiple Mode; Creating a Security Context; Verifying Security Contexts)
    • Managing Security Contexts (Packet Classification Configuration; Changing the Admin Context; Editing and Removing Contexts)
    • Configuring Resource Management (The Default Class; Creating a New Resource Class; Verifying Resource Management)
    • Troubleshooting Security Contexts
  • Exam Preparation Tasks (Review All Key Topics; Define Key Terms; Command Reference to Check Your Memory)

Chapter 14 Deploying High Availability Features
  • "Do I Know This Already?" Quiz
  • Foundation Topics
    • ASA Failover Overview (Failover Roles; Detecting an ASA Failure)
    • Configuring Active-Standby Failover Mode (Configuring Active-Standby Failover with the ASDM Wizard; Configuring Active-Standby Failover Manually in ASDM; Configuring Active-Standby Failover with the CLI: Step 1: Configure the Primary Failover Unit, Step 2: Configure Failover on the Secondary Device)
    • Configuring Active-Active Failover Mode (Configuring Active-Active Failover in ASDM; Configuring Active-Active Failover with the CLI: Step 1: Configure the Primary ASA Unit, Step 2: Configure the Secondary ASA Unit)
    • Tuning Failover Operation (Configuring Failover Timers; Configuring Failover Health Monitoring; Detecting Asymmetric Routing)
    • Administering Failover (Verifying Failover Operation; Leveraging Failover for a Zero Downtime Upgrade)
  • Exam Preparation Tasks (Review All Key Topics; Define Key Terms; Command Reference to Check Your Memory)

Chapter 15 Integrating ASA Service Modules
  • "Do I Know This Already?" Quiz
  • Foundation Topics
    • Cisco ASA Security Services Modules Overview (Module Components; General Deployment Guidelines)
    • Overview of the Cisco ASA Content Security and Control SSM (Cisco Content Security and Control SSM Licensing)
    • Overview of the Cisco ASA Advanced Inspection and Prevention SSM and SSC (Inline Operation; Promiscuous Operation; Supported Cisco IPS Software Features)
    • Installing the ASA AIP-SSM and AIP-SSC (The Cisco AIP-SSM and AIP-SSC Ethernet Connections; Failure Management Modes; Managing Basic Features; Initializing the AIP-SSM and AIP-SSC; Configuring the AIP-SSM and AIP-SSC)
    • Integrating the ASA CSC-SSM (Installing the CSC-SSM; Ethernet Connections; Managing the Basic Features; Initializing the Cisco CSC-SSM; Configuring the CSC-SSM)
  • Exam Preparation Tasks (Review All Key Topics; Define Key Terms; Command Reference to Check Your Memory)

Chapter 16 Traffic Analysis Tools
  • "Do I Know This Already?" Quiz
  • Foundation Topics
    • Testing Network Connectivity
    • Using Packet Tracer
    • Using Packet Capture (Using the Packet Capture Wizard in ASDM; Capturing Packets from the CLI; Controlling a Capture Session; Copying Capture Buffer Contents; Capturing Dropped Packets)
    • Combining Packet Tracer and Packet Capture
    • Summary
  • Exam Preparation Tasks (Review All Key Topics; Command Reference to Check Your Memory)

Chapter 17 Final Preparation
  • Tools for Final Preparation (Pearson Cert Practice Test Engine and Questions on the CD; Install the Software from the CD; Activate and Download the Practice Exam; Activating Other Exams; Premium Edition; Cisco Learning Network; Chapter-Ending Review Tools)
  • Suggested Plan for Final Review/Study (Using the Exam Engine)
  • Summary

Appendix A Answers to the "Do I Know This Already?" Quizzes

Appendix B CCNP Security 642-618 FIREWALL Exam Updates: Version 1.0

Glossary of Key Terms

(9781587142710, TOC, 4/25/2012)
