This book is designed to help you prepare for the Cisco VPN certification exam. The VPN exam is one in a series of exams required for the Cisco Certified Network Professional - Security (CCNP - Security) certification. This exam focuses on the application of security principles with regard to Cisco IOS routers, switches, and virtual private network (VPN) devices.

As a final exam preparation tool, the CCNP Security VPN 642-647 Quick Reference provides a concise review of all objectives on the new CCNP Security VPN exam (642-647). This eBook provides you with detailed, graphical-based information, highlighting only the key topics in cram-style format. With this document as your guide, you will review topics on deploying Cisco ASA-based VPN solutions. This fact-filled Quick Reference allows you to get all-important information at a glance, helping you to focus your study on areas of weakness and to enhance memory retention of essential exam concepts....

How to Use This Book

The book consists of 22 chapters. Each chapter tends to build upon the chapter that precedes it. The chapters that cover specific commands and configurations include case studies or practice configurations.
The chapters of the book cover the following topics:

• Chapter 1, “Evaluation of the ASA Architecture”: This chapter reviews the ASA operation and architecture. It is this core of understanding that provides a good base for the other chapters.

• Chapter 2, “Configuring Policies, Inheritance and Attributes”: This chapter reviews the different methods used to apply policies and their contained attributes for controlling and ultimately securing our remote users. The Policy Inheritance Model is also introduced to help network security personnel understand the results of having multiple policy types configured.

• Chapter 3, “AnyConnect Remote Access VPN Solution”: This chapter introduces you to the Cisco AnyConnect remote access VPN configuration and client software; you learn how to configure a basic AnyConnect remote access connection, along with the configuration required for basic remote user authentication.

• Chapter 4, “Advanced Authentication and Authorization of AnyConnect VPNs”: This chapter reviews the available mechanisms that can be configured to successfully authenticate your remote users; we take a closer look at PKI technology and its implementation as a standalone authentication mechanism, along with the steps required for successful deployment of PKI combined with username/password-based authentication (doubling up on authentication).

• Chapter 5, “Advanced Deployment and Management of the AnyConnect client”: This chapter reviews the various methods of the AnyConnect client deployment and installation available; in addition, we will explore the various modules that are available, and their benefits.

• Chapter 6, “Advanced Authorization using AAA and DAPs”: This chapter describes the role and implementation of advanced authorization, allowing us to maintain complete control over the resources our remote users can or can’t access before and during their connection to our VPN deployment. In addition, we review the role of DAPs and how their configuration can be used to enhance the authorization process.

• Chapter 7, “AnyConnect Integration with Cisco Secure Desktop and Optional Modules”: This chapter reviews the Cisco Secure Desktop environment and associated modules; we also introduce you to the optional AnyConnect modules that are available for installation either as standalone components or deployed through client profiles.

• Chapter 8, “AnyConnect High Availability and Performance”: This chapter reviews the different types of redundancy and high availability that can be deployed on the ASA device, through configuration of the AnyConnect client or with external hardware.

• Chapter 9, “Deploying a Clientless VPN Solution”: This chapter introduces you to the Cisco Clientless SSL VPN implementation; in addition, we take a look at the configuration required for a basic deployment of an SSL VPN.

• Chapter 10, “Advanced Clientless VPN Settings”: This chapter reviews the advanced settings that are available for our Clientless SSL VPN deployment as well as the available application access methods and their configuration.

• Chapter 11, “Customizing the Clientless Portal”: This chapter reviews the available customization options we have when approaching the task of customizing our Clientless SSL VPN environment for our remote users; we also discuss the implementation of PKI and of double-authentication mechanisms.

• Chapter 12, “Advanced Authorization using AAA and DAPs”: This chapter reviews the implementation and configuration of group policies and the available attributes contained within; we also discuss the available logging and accounting methods on the ASA.

• Chapter 13, “Clientless SSL VPN with Cisco Secure Desktop”: This chapter reviews the Cisco Secure Desktop environment and associated modules; additionally, we take a look at the information specific to a deployment of the Cisco Secure Desktop with a Clientless SSL VPN solution.

• Chapter 14, “Clientless SSL VPN High Availability and Performance”: This chapter reviews the available HA and performance enhancements that can be deployed when working with Clientless SSL VPN solutions.

• Chapter 15, “Deploying and Managing the Cisco IPSec VPN Client”: This chapter introduces you to the Cisco IPSec VPN Client, its available methods of installation, configuration, and advanced customization.

• Chapter 16, “Deploying EzVPN Solutions”: This chapter introduces you to the Cisco EzVPN client and server architecture; in addition, we review the configuration steps required for a basic EzVPN deployment, including X-Auth configuration and IP address assignment.

• Chapter 17, “Advanced Authentication and Authorization of the EzVPN”: In this chapter we review the configuration of PKI and its subsequent implementation with EzVPN deployments; additionally, we take a look at certificate mappings and their role when used for advanced authentication purposes.

• Chapter 18, “Advanced EzVPN Authorization”: This chapter describes the implementation of group policies and the attributes that can be included to provide advanced authorization of our remote users; additionally we take a look at the available logging and accounting methods and their use with EzVPN deployments.

• Chapter 19, “High Availability and Performance for EzVPN”: This chapter describes the mechanisms that can be put in place to provide a high availability solution that will protect an organization from outages alongside an EzVPN deployment.

• Chapter 20, “EzVPN using the ASA 5505 as a Hardware Client”: In this chapter we introduce you to the EzVPN hardware client capabilities of the ASA 5505 device and the configuration required for successful deployment.

• Chapter 21, “Deploying IPSec Site-to-Site VPNs”: In this chapter we introduce you to the IPSec site-to-site VPN solution available on the ASA devices and the configuration procedures required for a successful deployment.

• Chapter 22, “High Availability and Performance Strategies for IPSec Site-to-Site VPNs”: In this chapter we discuss the available HA mechanisms for use when providing hardware- and software-level redundancy with an IPSec site-to-site VPN deployment; we also review the available QoS mechanisms on the ASA and their associated configuration.

• Chapter 23, “Final Exam Preparation”: This short chapter lists the exam preparation tools useful at this point in the study process and provides a suggested study plan now that you have completed all the earlier chapters in this book.

642-647 VPN v1.0 Exam Topics (Blueprint)

Exam Description

The Deploying Cisco ASA VPN Solutions (VPN v1.0) exam is associated with the CCSP, CCNP Security, and Cisco VPN Specialist certifications. This exam tests a candidate's knowledge and skills needed to deploy Cisco ASA-based VPN solutions. Successful graduates will be able to reduce risk to the IT infrastructure and applications using Cisco ASA VPN features, and provide detailed operations support for the Cisco ASA. Candidates can prepare for this exam by taking the Deploying Cisco ASA VPN Solutions course.

Exam Topics

The following information provides general guidelines for the content likely to be included on the exam. However, other related topics may also appear on any specific delivery of the exam. In order to better reflect the contents of the exam, and for clarity purposes, the guidelines below may change at any time without notice.

Pre-Production Design

  • Choose ASA VPN technologies to implement HLD based on given requirements
  • Choose the correct ASA model and license to implement HLD based on given performance requirements
  • Choose the correct ASA VPN features to implement HLD based on given corporate security policy and network requirements
  • Integrate ASA VPN solutions with other security technology domains (CSD, ACS, Device managers, Cert servers, etc.)

Complex Operations Support

  • Optimize ASA VPN performance, functions, and configurations
  • Configure and verify complex ASA VPN networks using features such as DAP, CSD, Smart tunnels, Anyconnect SSLVPN, Clientless SSLVPN, Site-to-Site VPN, RA VPN, certificates, QOS, etc. to meet security policy requirements.
  • Create complex ASA network security rules using such features as ACLs, DAP, VPN profiles, certificates, MPF, etc, to meet the corporate security policy

Advanced Troubleshooting

  • Perform advanced ASA VPN configuration and troubleshooting


alfred03white said... @ July 14, 2017 at 10:20 PM

Nice post! These days I am trying to find out the best free VPN service for my Android. I don’t have any experience with any VPN for phone, so I am finding it hard to decide on a service. I wonder if you know about a good one. If yes, please let me know.