CCNP Security VPN 642-647 Official Cert Guide

Howard Hooper, CCIE No. 23470

Cisco Press

800 East 96th Street

Indianapolis, IN 46240

Contents

Introduction xxiv

Part I ASA Architecture and Technologies Overview

Chapter 1 Evaluation of the ASA Architecture 3

"Do I Know This Already?" Quiz 3

Foundation Topics 6

Examining ASA Control Fundamentals 6

Interfaces, Security Levels, and EtherChannels 6

Security Levels 9

Same Security Interface and Intra-Interface Communication

EtherChannels 11

Access Control Lists 12

Modular Policy Framework 15

Routing the Environment 16

Address Translations and Your ASA 18

AAA for Network-Based Access 21

ASA VPN Technology Comparison 24

Managing Your ASA Device 27

Packet Processing 28

Controlling VPN Access 29

The Good, the Bad, and the Licensing 32

Time-Based Licenses 41

When Time-Based and Permanent Licenses Combine 42

Shared SSL VPN Licenses 43

Failover Licensing 43

Exam Preparation Tasks 44

Review All Key Topics 44

Complete Tables and Lists from Memory 44

Define Key Terms 44

Chapter 2 Configuring Policies, Inheritance, and Attributes 47

"Do I Know This Already?" Quiz 47

Foundation Topics 49

Policies and Their Relationships 49

Understanding Connection Profiles 50

Group URL 52

Group Alias 52

Certificate to Connection Profile Mapping 53

Per-User Connection Profile Lock 54

Default Connection Profiles 55

Understanding Group Policies 56

Configure User Attributes 59

Using External Servers for AAA and Policies 60

Exam Preparation Tasks 70

Review All Key Topics 70

Complete Tables and Lists from Memory 70

Define Key Terms 70

Part II Cisco AnyConnect Remote-Access VPN Solutions

Chapter 3 Deploying an AnyConnect Remote-Access VPN Solution 73

"Do I Know This Already?" Quiz 73

Foundation Topics 76

Full SSL VPN Technology Overview 76

SSL/TLS 76

DTLS 80

IKEv2 81

Configuration Procedures, Deployment Strategies, and Information Gathering 83

AnyConnect Secure Mobility Client Installation 84

Deploying Your First Full-Tunnel AnyConnect SSL VPN Solution 85

IP Addressing 85

Hostname, Domain Name, and DNS 85

Enroll with a CA and Become a Member of a PKI 86

Add an Identity Certificate 87

Add the Signing Root CA Certificate 88

Enable the Interfaces for SSL/DTLS and AnyConnect Client Connections

Create a Connection Profile 89

Deploying Your First AnyConnect IKEv2 VPN Solution 92

Enable the Relevant Interfaces for IKEv2 and AnyConnectClient Access 93

Create a Connection Profile 94

Client IP Address Allocation 97

Connection Profile Address Assignment 98

Group Policy Address Assignment 100

Direct User Address Assignment 104

Advanced Controls for Your Environment 104

ACLs and Downloadable ACLs 105

Split Tunneling 107

Access Hours/Time Range 110

Troubleshooting the AnyConnect Secure Mobility Client 111

Exam Preparation Tasks 117

Review All Key Topics 117

Complete Tables and Lists from Memory 117

Define Key Terms 117

Chapter 4 Advanced Authentication and Authorization of AnyConnect VPNs 119

"Do I Know This Already?" Quiz 119

Foundation Topics 121

Authentication Options and Strategies 121

Provisioning Certificates as a Local CA 126

Configuring Certificate Mappings 134

Certificate-to-Connection Profile Maps 135

Mapping Criteria 136

Provisioning Certificates from a Third-Party CA 139

Configure an XML Profile for Use by the AnyConnect Client 141

Configure a Dedicated Connection Profile for Enrollment 144

Enroll the AnyConnect Client into a PKI 145

Optionally, Configure Client Certificate Selection 147

Import the Issuing CA's Certificate into the ASA's 149

Create a Connection Profile Using Certificate-Based Authentication 150

Advanced PKI Deployment Strategies 151

CRLs 152

OCSP 152

Doubling Up on Client Authentication 155

Troubleshooting Your Advanced Configuration 161

Exam Preparation Tasks 163

Review All Key Topics 163

Complete Tables and Lists from Memory 163

Define Key Terms 163

Chapter 5 Advanced Deployment and Management of the AnyConnect Client 165

"Do I Know This Already?" Quiz 165

Foundation Topics 167

Configuration Procedures, Deployment Strategies, and Information Gathering 167

AnyConnect Installation Options 168

Manual Predeployment 168

Automatic Web Deployment 172

Managing AnyConnect Client Profiles 177

Advanced Profile Features 181

Start Before Login 182

Trusted Network Detection 182

Advanced AnyConnect Customization and Management 188

Exam Preparation Tasks 195

Review All Key Topics 195

Complete Tables and Lists from Memory 195

Define Key Terms 195

Chapter 6 Advanced Authorization Using AAA and DAPs 197

"Do I Know This Already?" Quiz 197

Foundation Topics 199

Configuration Procedures, Deployment Strategies, and Information Gathering 199

Configuring Local and Remote Group Policies 199

Full SSL VPN Accountability 209

Authorization Through Dynamic Access Policies 213

Troubleshooting Advanced Authorization Settings 216

Exam Preparation Tasks 219

Review All Key Topics 219

Complete Tables and Lists from Memory 219

Define Key Terms 219

Chapter 7 AnyConnect Integration with Cisco Secure Desktop and Optional Modules 221

"Do I Know This Already?" Quiz 221

Foundation Topics 224

Cisco Secure Desktop Overview and Configuration 224

Host Scan 225

Prelogin Assessment 225

Secure Desktop (Vault) 226

Cache Cleaner 227

Keystroke Logger Detection 228

Integration with DAPs 228

Host Emulation Detection 228

Windows Mobile Device Management 228

Standalone Installation Packages 228

CSD Manual Launch 228

Prelogin Policies 229

Post-Login Policies 230

VPN Session Termination 231

AnyConnect Posture Assessment and Host Scan 231

AnyConnect Posture Assessment Module 231

Host Scan 232

Configure Prelogin Policies 234

AnyConnect Network Access, Web Security, and Telemetry Modules 238

NAM Module 238

Web Security Module 241

Telemetry Module 243

Exam Preparation Tasks 246

Review All Key Topics 246

Complete Tables and Lists from Memory 246

Define Key Terms 246

Chapter 8 AnyConnect High Availability and Performance 249

"Do I Know This Already?" Quiz 249

Foundation Topics 251

Overview of High Availability and Redundancy Methods 251

Hardware-Based Failover 251

VPN Clustering (VPN Load Balancing) 252

Redundant VPN Peering 253

External Load Balancing 253

Deploying DTLS 255

Performance Assurance with QOS 256

Basic ASDM QoS Configuration 258

AnyConnect Redundant Peering and Failover 265

Hardware-Based Failover with VPNs 267

Configure LAN Failover Interfaces 269

Configure Standby Addresses on Interfaces Used for Traffic Forwarding 270

Define Failover Criteria 270

Configure Nondefault MAC Addresses 270

Redundancy in the VPN Core 271

VPN Clustering 272

Load Balancing Using an External Load Balancer 274

Exam Preparation Tasks 276

Review All Key Topics 276

Complete Tables and Lists from Memory 276

Define Key Terms 276

Part III Cisco Clientless Remote-Access VPN Solutions

Chapter 9 Deploying a Clientless SSL VPN Solution 279

"Do I Know This Already?" Quiz 279

Foundation Topics 282

Clientless SSL VPN Overview 282

SSL VPN Building Blocks 283

SSL/TLS Recap 283

SSL Tunnel Negotiation 285

Handshake 286

Deployment Procedures and Strategies 289

Physical Topology 289

Deploying Your First Clientless SSL VPN Solution 293

IP Addressing 293

Hostname, Domain Name, and DNS 293

Become a Member of a Public Key Infrastructure 294

Adding a CA Root Certificate 294

Certificate Revocation List 295

Revocation Check 296

CRL Retrieval Policy 297

CRL Retrieval Method 297

OCSP Rules 297

Advanced 301

Enable the Relevant Interfaces for SSL 311

Create Local User Accounts for Authentication 312

Create a Connection Profile (Optional) 315

Basic Access Control 319

Bookmarks 320

HTTP and HTTPS 320

CIFS 321

FTP 321

Group Policies 323

Content Transformation 327

Gateway Content Rewriting 327

Application Helper Profiles 329

Java Code Signing 330

Troubleshooting a Basic Clientless SSL VPN 331

Troubleshooting Session Establishment 331

Troubleshooting Certificate Errors 333

Exam Preparation Tasks 335

Review All Key Topics 335

Complete Tables and Lists from Memory 335

Define Key Terms 335

Chapter 10 Advanced Clientless SSL VPN Settings 337

"Do I Know This Already?" Quiz 337

Foundation Topics 340

Overview of Advanced Clientless SSL VPN Settings 340

Application Access Through Port Forwarding 343

Configuring Port Forwarding Using the ASDM 345

Application Access Using Client-Server Plug-Ins 349

Configuring Client-Server Plug-In Access Using the ASDM 350

Application Access Through Smart Tunnels 357

Configuring Smart Tunnel Access Using the ASDM 359

Configuring SSL/TLS Proxies 363

Email Proxy 363

Internal HTTP and HTTPS Proxy 365

Troubleshooting Advanced Application Access 366

Troubleshooting Application Access 366

Client 366

ASA/VPN Termination Appliance 367

Application/Web Server 369

Exam Preparation Tasks 370

Review All Key Topics 370

Complete Tables and Lists from Memory 370

Define Key Terms 370

Chapter 11 Customizing the Clientless Portal 373

"Do I Know This Already?" Quiz 373

Foundation Topics 375

Basic Portal Layout Configuration 375

Logon Page Customization 377

Portal Page Customization 379

Logout Page Customization 379

Outside-the-Box Portal Configuration 381

Portal Localization 381

Getting Portal Help 386

AnyConnect Portal Integration 387

Clientless SSL VPN Advanced Authentication 389

Using an External and Internal CA for Clientless Access 391

Clientless SSL VPN Double Authentication 399

Deploying Clientless SSL VPN Single Sign-On 403

Troubleshooting PKI and SSO Integration 406

Exam Preparation Tasks 410

Review All Key Topics 410

Complete Tables and Lists from Memory 410

Define Key Terms 410

Chapter 12 Advanced Authorization Using Dynamic Access Policies 413

"Do I Know This Already?" Quiz 413

Foundation Topics 416

Configuration Procedures, Deployment Strategies, and Information Gathering 416

Create a DAP 419

Specify User AAA Attributes 419

Specify Endpoint Attributes 421

Configure Authorization Parameters 424

Configure Authorization Parameters for the Default DAP 426

DAP Record Aggregation 427

Troubleshooting DAP Deployment 432

ASDM Test Feature 432

ASA Logging 434

DAP Debugging 435

Exam Preparation Tasks 437

Review All Key Topics 437

Complete Tables and Lists from Memory 437

Define Key Terms 437

Chapter 13 Clientless SSL VPN with Cisco Secure Desktop 439

"Do I Know This Already?" Quiz 439

Foundation Topics 441

Cisco Secure Desktop Overview and Configuration 441

Prelogin Assessment 442

Host Scan 443

Secure Desktop (Vault) 443

Cache Cleaner 443

Keystroke Logger Detection 444

Integration with DAP 444

Host Emulation Detection 444

Windows Mobile Device Management 444

Standalone Installation Packages 444

CSD Manual Launch 444

Secure Desktop (Vault) 446

Cache Cleaner 446

CSD Supported Browsers, Operating Systems, and Credentials 447

Enabling Cisco Secure Desktop on the ASA 450

Configure Prelogin Criteria 452

Keystroke Logger and Safety Checks 457

Cache Cleaner 457

Secure Desktop (Vault) General 458

Secure Desktop (Vault) Settings 459

Secure Desktop (Vault) Browser 460

Host Endpoint Assessment 460

Authorization Through DAPs 461

Troubleshooting Cisco Secure Desktop 463

Exam Preparation Tasks 465

Review All Key Topics 465

Complete Tables and Lists from Memory 465

Define Key Terms 465

Chapter 14 Clientless SSL VPN High-Availability and Performance Options 467

"Do I Know This Already?" Quiz 467

Foundation Topics 469

High-Availability Deployment Information and Common Strategies 469

Failover 469

Active/Active 469

Active/Standby 469

VPN Load Balancing (Clustering) 470

External Load Balancing 470

Redundant VPN Peering 470

Content Caching for Optimization 472

Clientless SSL VPN Load Sharing Using an External Load Balancer 473

Clustering Configuration for Clientless SSL VPN 474

Troubleshooting Load Balancing and Clustering 477

Exam Preparation Tasks 479

Review All Key Topics 479

Complete Tables and Lists from Memory 479

Define Key Terms 479

Part IV Cisco IPsec Remote-Access Client Solutions

Chapter 15 Deploying and Managing the Cisco VPN Client 481

"Do I Know This Already?" Quiz 481

Foundation Topics 483

IPsec Review 483

IKEv1 483

AH and ESP 486

Cisco IPsec VPN Client Features 488

IPsec Client Software Installation and Basic Configuration 491

Connection Entries 495

Status 495

Certificates 495

Log 495

Options 495

Help 496

Create New VPN Connection Entry, Main Window 496

Authentication Tab 496

Transport Tab 497

Backup Servers Tab 497

Dial-Up Tab 497

Advanced Profile Settings 498

VPN Client Software GUI Customization 507

Troubleshooting VPN Client Connectivity 507

Exam Preparation Tasks 512

Review All Key Topics 512

Complete Tables and Lists from Memory 512

Define Key Terms 512

Part V Cisco Easy VPN Solutions

Chapter 16 Deploying Easy VPN Solutions 515

"Do I Know This Already?" Quiz 515

Foundation Topics 517

Configuration Procedures, Deployment Procedures, and Information Gathering 517

Easy VPN Basic Configuration 519

ASA IP Addresses 519

Configure Required Routing 519

Enable IPsec Connectivity 519

Configure Preferred IKEv1 and IPsec Policies 522

Client IP Address Assignment 527

VPN Client Authentication Using Pre-Shared Keys 529

Using XAUTH for VPN Client Access 532

IP Address Allocation Using the VPN Client 533

DHCP Configuration 538

Controlling Your Environment with Advanced Features 539

ACL Bypass Configuration 540

Basic Interface ACL Configuration 540

Per-Group ACL Configuration 542

Per-User ACL Configuration 543

Split-Tunneling Configuration 545

Troubleshooting a Basic Easy VPN 546

Exam Preparation Tasks 548

Review All Key Topics 548

Complete Tables and Lists from Memory 548

Define Key Terms 548

Chapter 17 Advanced Authentication and Authorization Using Easy VPN 551

"Do I Know This Already?" Quiz 551

Foundation Topics 553

Authentication Options and Strategies 553

Configuring PKI with IPsec Easy VPNs 556

Configuring Mutual/Hybrid Authentication 561

Configuring Digital Certificate Mappings 562

Provisioning Certificates from a Third-Party CA 566

Advanced PKI Deployment Strategies 570

Troubleshooting Advanced Authentication for Easy VPN 575

Exam Preparation Tasks 577

Review All Key Topics 577

Complete Tables and Lists from Memory 577

Define Key Terms 577

Chapter 18 Advanced Easy VPN Authorization 579

"Do I Know This Already?" Quiz 579

Foundation Topics 581

Configuration Procedures, Deployment Strategies, and Information Gathering 581

Configuring Local and Remote Group Policies 582

Assigning a Group Policy to a Local User Account 586

Assigning a Group Policy to a Connection Profile 586

Accounting Methods for Operational Information 588

NetFlow 9 591

RADIUS VPN Accounting 593

SNMP 594

Exam Preparation Tasks 597

Review All Key Topics 597

Complete Tables and Lists from Memory 597

Define Key Terms 597

Chapter 19 High Availability and Performance for Easy VPN 599

"Do I Know This Already?" Quiz 599

Foundation Topics 602

Configuration Procedures, Deployment Strategies, and Information Gathering 602

Easy VPN Client HA and Failover 604

Hardware-Based Failover with VPNs 606

Configure Optional Active/Standby Failover Settings 610

Clustering Configuration for Easy VPN 612

Troubleshooting Device Failover and Clustering 615

Exam Preparation Tasks 619

Review All Key Topics 619

Complete Tables and Lists from Memory 619

Define Key Terms 619

Chapter 20 Easy VPN Operation Using the ASA 5505 as a Hardware Client 621

"Do I Know This Already?" Quiz 621

Foundation Topics 623

Easy VPN Remote Hardware Client Overview 623

Client Mode 623

Network Extension Mode 624

Configuring a Basic Easy VPN Remote Client Using the ASA 5505 625

Configuring Advanced Easy VPN Remote Client Settings for the ASA 5505 627

X-Auth and Device Authentication 627

Remote Management 629

Enable Tunneled Management 630

Clear Tunneled Management 630

NAT Traversal 631

Device Pass-Through 632

Troubleshooting the ASA 5505 Easy VPN Remote Hardware Client 633

Exam Preparation Tasks 637

Review All Key Topics 637

Complete Tables and Lists from Memory 637

Define Key Terms 637

Part VI Cisco IPsec Site-to-Site VPN Solutions

Chapter 21 Deploying IPsec Site-to-Site VPNs 639

"Do I Know This Already?" Quiz 639

Foundation Topics 642

Configuration Procedures, Deployment Strategies, and Information Gathering 642

IKEv1 Phase 1 644

IKEv1 Phase 2 (Quick Mode) 645

Configuring a Basic IPsec Site-to-Site VPN 647

Configure Basic Peer Authentication 647

Enable IKEv1 on the Interface 648

Configure IKEv1 Policies 648

Configure Pre-Shared Keys 649

Configure Transmission Protection 650

Select Transform Set and VPN Peer 650

Define Interesting Traffic 652

Configure Advanced Authentication for IPsec Site-to-Site VPNs 656

Troubleshooting an IPsec Site-to-Site VPN Connection 661

Tunnel Not Establishing: Phase 1 662

Tunnel Not Establishing: Phase 2 662

Traffic Not Passing Through Your Tunnel 662

Exam Preparation Tasks 664

Review All Key Topics 664

Complete Tables and Lists from Memory 664

Define Key Terms 664

Chapter 22 High Availability and Performance Strategies for IPsec Site-to-Site VPNs 667

"Do I Know This Already?" Quiz 667

Foundation Topics 669

Configuration Procedures, Deployment Strategies, and Information Gathering 669

High Assurance with QoS 670

Basic ASDM QoS Configuration 672

Deploying Redundant Peering for Site-to-Site VPNs 678

Site-to-Site VPN Redundancy Using Routing 679

Hardware-Based Failover with VPNs 683

Configure LAN Failover Interfaces 684

Configure Standby Addresses on Interfaces Used for Traffic Forwarding 685

Define Failover Criteria 686

Configure Nondefault MAC Addresses 686

Troubleshooting HA Deployment 688

Exam Preparation Tasks 690

Review All Key Topics 690

Complete Tables and Lists from Memory 690

Define Key Terms 690

Part VII Exam Preparation

Chapter 23 Final Exam Preparation 693

Tools for Final Preparation 693

Pearson Cert Practice Test Engine and Questions on the CD 693

Install the Software from the CD 694

Activate and Download the Practice Exam 694

Activating Other Exams 695

Premium Edition 695

The Cisco Learning Network 695

Memory Tables 695

Suggested Plan for Final Review/Study 696

Using the Exam Engine 696

Summary 697

Part VIII Appendixes

Appendix A Answers to the "Do I Know This Already?" Quizzes 699

Appendix B 642-647 CCNP Security VPN Exam Updates, Version 1.0 703

Appendix C Memory Tables (CD only)

Appendix D Memory Tables Answer Key (CD only)

Glossary 707

Index 712