CCNP Security VPN PDF

821 Pages·2011·15.92 MB·English
Preview CCNP Security VPN

CCNP Security VPN 642-647 Official Cert Guide
Howard Hooper, CCIE No. 23470

Cisco Press
800 East 96th Street
Indianapolis, IN 46240 USA

Copyright © 2012 Pearson Education, Inc.
Published by: Cisco Press, 800 East 96th Street, Indianapolis, IN 46240 USA

All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in a review.

Printed in the United States of America
First Printing July 2011
Library of Congress Cataloging-in-Publication data is on file.
ISBN-13: 978-1-58714-256-7
ISBN-10: 1-58714-256-2

Warning and Disclaimer
This book is designed to provide information for the Cisco CCNP Security VPN 642-647 exam. Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied. The information is provided on an “as is” basis. The authors, Cisco Press, and Cisco Systems, Inc., shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the discs or programs that may accompany it. The opinions expressed in this book belong to the author and are not necessarily those of Cisco Systems, Inc.

Feedback Information
At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members from the professional technical community. Readers’ feedback is a natural continuation of this process. If you have any comments regarding how we could improve the quality of this book, or otherwise alter it to better suit your needs, you can contact us through e-mail at [email protected]. Please make sure to include the book title and ISBN in your message. We greatly appreciate your assistance.

Corporate and Government Sales
Cisco Press offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales, which may include electronic versions and/or custom covers and content particular to your business, training goals, marketing focus, and branding interests. For more information, please contact:
U.S. Corporate and Government Sales, 1-800-382-3419, [email protected]
For sales outside of the U.S., please contact: International Sales, 1-317-581-3793, international@pearsontechgroup.com

Trademark Acknowledgments
All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Cisco Press or Cisco Systems, Inc., cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.

Publisher: Paul Boger
Associate Publisher: Dave Dusthimer
Manager, Global Certification: Erik Ullanderson
Business Operation Manager, Cisco Press: Anand Sundaram
Executive Editor: Brett Bartow
Managing Editor: Sandra Schroeder
Development Editor: Kimberley Debus
Senior Project Editor: Tonya Simpson
Copy Editor: Keith Cline
Technical Editors: James Risler, Cristian Matei
Editorial Assistant: Vanessa Evans
Book Designer: Gary Adair
Compositor: Mark Shirar
Indexer: Tim Wright
Proofreader: Water Crest Publishing, Inc.

About the Author
Howard Hooper, CCIE No. 23470, CCNP, CCNA, CCDA, JNCIA, works as a network consultant for his companies SYNCom Ltd. and Transcend Networks Ltd., specializing in network design, installation, and automation for enterprise and government clients. He has worked in the network industry for 10 years, starting his career in the service provider field as a support engineer, before moving on to installations engineer and network architect roles, working on small, medium, enterprise, and service provider networks.

About the Technical Reviewers
James Risler, CCIE No. 15412, is a systems engineer education specialist for Cisco Systems. His focus is on security technology and training development. James has more than 18 years of experience in IP internetworking, including the design and implementation of enterprise networks. Before joining Cisco Systems, James provided Cisco security training and consulting for Fortune 500 companies and government agencies. He holds two bachelor’s degrees from the University of South Florida and is currently working on his MBA at the University of Tampa.

Cristian Matei, CCIE No. 23684, is a senior security consultant for Datanet Systems, a Cisco Gold Partner in Romania. He has designed, implemented, and maintained multiple large enterprise networks covering the Cisco security, routing, switching, and wireless portfolio of products. Cristian started this journey back in 2005 with Microsoft technology and finished the MCSE Security and MCSE Messaging tracks. He then joined Datanet Systems, where he quickly obtained his Security CCIE among other certifications and specializations such as CCNP, CCSP, and CCDP. Since 2007, Cristian has been a Cisco Certified Systems Instructor (CCSI) teaching CCNA, CCNP, and CCSP curriculum courses. In 2009, Cisco awarded him the Cisco Trusted Technical Advisor (TTA) designation, and he became certified as a Cisco IronPort Certified Security Professional on Email and Web (CICSP). That same year, he started his collaboration with Internetwork Expert as technical editor on the CCIE Routing & Switching and Security Workbook series. In 2010, Cristian earned his ISACA Certified Information Security Manager (CISM) certification. He is currently preparing for the Routing & Switching and Service Provider CCIE tracks and can be found as a regular active member on the Internetwork Expert and Cisco forums.

Dedications
I dedicate this book to my family, without whom I would not be in the position that I am and have the opportunities I currently enjoy. In particular, I want to say special thanks to the following:

My grandfather, Geoffrey, for becoming my father figure and teaching me what I consider to be one of the most important lessons I received early on in my life: that you must work and work hard for what you want. You are forever missed and never forgotten.

My mother, Sally, for providing me with the greatest example of personal strength and determination anyone could ever hope to possess. You scaled mountains to make sure we always had everything we needed and were protected; we are only here because of you.

My son, Ridley, for giving me the reason I need at times to carry on and the drive to become better at everything I do. Even though I cannot be there all the time, Daddy loves you very much. I hope I have and will always go on to make you proud of me. I would not be the man I am today without you; for that I thank you.

Acknowledgments
When writing a book, a small army of people back you up and undertake a huge amount of work behind the scenes. I want to thank everyone involved who helped with the writing, reviewing, editing, and production of this book.

In particular, I want to acknowledge Brett Bartow for giving me this fantastic opportunity and for his help with the many deadline extensions and obstacles that presented themselves along the way. I also want to acknowledge and thank Kimberley Debus, who transformed my words into human-readable form and kept me on track. I know she worked many late nights and weekends to help complete this book, and I shall miss our “conversations through the comments.” I will be forever grateful to both of you.

Thanks must also go out to the two technical reviewers, Cristian Matei and James Risler. Your comments and suggestions have been brilliant throughout the entire book. Your help and input has definitely made this book better.

Last, but by no means least, I want to thank my family and co-workers for their support during the writing of this book. Without that support, this would not have been possible, and as soon as I have caught up on sleep again, I will be conscious enough to thank you personally.
Contents at a Glance
Introduction xxiv
Part I ASA Architecture and Technologies Overview
  Chapter 1 Evaluation of the ASA Architecture 3
  Chapter 2 Configuring Policies, Inheritance, and Attributes 47
Part II Cisco AnyConnect Remote-Access VPN Solutions
  Chapter 3 Deploying an AnyConnect Remote-Access VPN Solution 73
  Chapter 4 Advanced Authentication and Authorization of AnyConnect VPNs 119
  Chapter 5 Advanced Deployment and Management of the AnyConnect Client 165
  Chapter 6 Advanced Authorization Using AAA and DAPs 197
  Chapter 7 AnyConnect Integration with Cisco Secure Desktop and Optional Modules 221
  Chapter 8 AnyConnect High Availability and Performance 249
Part III Cisco Clientless Remote-Access VPN Solutions
  Chapter 9 Deploying a Clientless SSL VPN Solution 279
  Chapter 10 Advanced Clientless SSL VPN Settings 337
  Chapter 11 Customizing the Clientless Portal 373
  Chapter 12 Advanced Authorization Using Dynamic Access Policies 413
  Chapter 13 Clientless SSL VPN with Cisco Secure Desktop 439
  Chapter 14 Clientless SSL VPN High-Availability and Performance Options 467
Part IV Cisco IPsec Remote-Access Client Solutions
  Chapter 15 Deploying and Managing the Cisco VPN Client 481
Part V Cisco Easy VPN Solutions
  Chapter 16 Deploying Easy VPN Solutions 515
  Chapter 17 Advanced Authentication and Authorization Using Easy VPN 551
  Chapter 18 Advanced Easy VPN Authorization 579
  Chapter 19 High Availability and Performance for Easy VPN 599
  Chapter 20 Easy VPN Operation Using the ASA 5505 as a Hardware Client 621
Part VI Cisco IPsec Site-to-Site VPN Solutions
  Chapter 21 Deploying IPsec Site-to-Site VPNs 639
  Chapter 22 High Availability and Performance Strategies for IPsec Site-to-Site VPNs 667
Part VII Exam Preparation
  Chapter 23 Final Exam Preparation 693
Part VIII Appendixes
  Appendix A Answers to the “Do I Know This Already?” Quizzes 699
  Appendix B 642-647 CCNP Security VPN Exam Updates, Version 1.0 703
  Appendix C Memory Tables (CD only)
  Appendix D Memory Tables Answer Key (CD only)
Glossary 707
Index 712

Contents
Introduction xxiv
Part I ASA Architecture and Technologies Overview
Chapter 1 Evaluation of the ASA Architecture 3
  “Do I Know This Already?” Quiz 3
  Foundation Topics 6
  Examining ASA Control Fundamentals 6
    Interfaces, Security Levels, and EtherChannels 6
    Security Levels 9
    Same Security Interface and Intra-Interface Communication 10
    EtherChannels 11
    Access Control Lists 12
    Modular Policy Framework 15
    Routing the Environment 16
    Address Translations and Your ASA 18
    AAA for Network-Based Access 21
  ASA VPN Technology Comparison 24
  Managing Your ASA Device 27
  Packet Processing 28
  Controlling VPN Access 29
  The Good, the Bad, and the Licensing 32
    Time-Based Licenses 41
    When Time-Based and Permanent Licenses Combine 42
    Shared SSL VPN Licenses 43
    Failover Licensing 43
  Exam Preparation Tasks 44
    Review All Key Topics 44
    Complete Tables and Lists from Memory 44
    Define Key Terms 44
Chapter 2 Configuring Policies, Inheritance, and Attributes 47
  “Do I Know This Already?” Quiz 47
  Foundation Topics 49
  Policies and Their Relationships 49
    Understanding Connection Profiles 50
    Group URL 52
    Group Alias 52

Description:
This book is designed to provide information for the Cisco CCNP Security will find in PDF form on the CD accompanying this book, provides the