怀孕后可以化妆吗

ptg6899256 ptg6899256 Cisco Press 800 East 96th Street Indianapolis, IN 46240 CCNP Security FIREWALL 642-617 Official Cert Guide David Hucaby Dave Garneau Anthony Sequeira ptg6899256 CCNP Security FIREWALL 642-617 Official Cert Guide David Hucaby Dave Garneau Anthony Sequeira Copyright © 2012 Pearson Education, Inc. Published by: Cisco Press 800 East 96th Street Indianapolis, IN 46240 USA All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in a review. Printed in the United States of America First Printing September 2011 Library of Congress Cataloging-in-Publication Data is on file. ISBN-13: 978-1-58714-279-6 ISBN-10: 1-58714-279-1 Warning and Disclaimer This book is designed to provide information for the Cisco CCNP Security 642-617 FIREWALL v1.0 exam. Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied. The information is provided on an “as is” basis. The authors, Cisco Press, and Cisco Systems, Inc. shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the discs or programs that may accompany it. The opinions expressed in this book belong to the authors and are not necessarily those of Cisco Systems, Inc. ii CCNP Security FIREWALL 642-617 Official Cert Guide ptg6899256 Trademark Acknowledgments All terms mentioned in this book that are known to be trademarks or service marks have been appropriate- ly capitalized. Cisco Press or Cisco Systems, Inc., cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark. Corporate and Government Sales The publisher offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales, which may include electronic versions and/or custom covers and content particular to your business, training goals, marketing focus, and branding interests. For more information, please contact: U.S. Corporate and Government Sales 1-800-382-3419 corpsales@pearsontechgroup.com For sales outside the United States, please contact: International Sales international@pearsoned.com Feedback Information At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members from the professional technical community. Readers’ feedback is a natural continuation of this process. If you have any comments regarding how we could improve the quality of this book, or otherwise alter it to better suit your needs, you can contact us through email at feedback@ciscopress.com. Please make sure to include the book title and ISBN in your message. We greatly appreciate your assistance. Publisher: Paul Boger Manager, Global Certification: Erik Ullanderson Associate Publisher: Dave Dusthimer Business Operation Manager, Cisco Press: Anand Sundaram Executive Editor: Brett Bartow Senior Development Editor: Christopher Cleveland Managing Editor: Sandra Schroeder Technical Editors: Doug McKillip, Martin Walshaw Senior Project Editor: Tonya Simpson Copy Editor: Bill McManus Editorial Assistant: Vanessa Evans Book Designer: Gary Adair Composition: Mark Shirar Indexer: Tim Wright Proofreader: Sarah Kearns iii ptg6899256 About the Authors David Hucaby, CCIE No. 4594, is a network architect for the University of Kentucky, where he works with healthcare networks based on the Cisco Catalyst, ASA, FWSM, and Unified Wireless product lines. David has a bachelor of science degree and master of sci- ence degree in electrical engineering from the University of Kentucky. He is the author of several Cisco Press titles, including Cisco ASA, PIX, and FWSM Firewall Handbook, Second Edition; Cisco Firewall Video Mentor; Cisco LAN Switching Video Mentor; and CCNP SWITCH Exam Certification Guide. David lives in Kentucky with his wife, Marci, and two daughters. Dave Garneau is a senior member of the Network Security team at Rackspace Hosting, Inc., a role he started during the creation of this book. Before that, he was the principal consultant and senior technical instructor at The Radix Group, Ltd. In that role, Dave trained more than 3000 students in nine countries on Cisco technologies, mostly focus- ing on the Cisco security products line, and worked closely with Cisco in establishing the new Cisco Certified Network Professional Security (CCNP Security) curriculum. Dave has a bachelor of science degree in mathematics from Metropolitan State College of Denver (now being renamed Denver State University). Dave lives in San Antonio, Texas with his wife, Vicki. Anthony Sequeira, CCIE No. 15626, is a Cisco Certified Systems Instructor and author regarding all levels and tracks of Cisco Certification. Anthony formally began his career in the information technology industry in 1994 with IBM in Tampa, Florida. He quickly formed his own computer consultancy, Computer Solutions, and then discovered his true passion—teaching and writing about Microsoft and Cisco technologies. Anthony joined Mastering Computers in 1996 and lectured to massive audiences around the world about the latest in computer technologies. Mastering Computers became the revolutionary online training company KnowledgeNet, and Anthony trained there for many years. Anthony is currently pursuing his second CCIE in the area of Security and is a full-time instructor for the next generation of KnowledgeNet, StormWind Live. iv CCNP Security FIREWALL 642-617 Official Cert Guide ptg6899256 About the Technical Reviewers Doug McKillip, P.E., CCIE No. 1851, is an independent consultant specializing in Cisco Certified Training in association with Global Knowledge, a Training Partner of Cisco Systems. He has more than 20 years of experience in computer networking and security. Doug provided both instructional and technical assistance during the initial deployment of MCNS Version 1.0, the first Cisco Security training class, which debuted in early 1998, and has been a lead instructor for the security curriculum ever since. He holds bachelor’s and master’s degrees in chemical engineering from MIT and a master’s degree in computer and information sciences from the University of Delaware. He resides in Wilmington, Delaware. Martin Walshaw, CCIE No. 5629, CISSP, is a senior systems engineer working for F5 Networks in South Africa. His areas of expertise span multiple different areas, but over the past few years he has focused specifically on security and application delivery. During the past 20 years or so, Martin has dabbled in many different areas of IT, ranging from RPG III to PC sales. When Martin is not working or doing sports, he likes to spend all of his available time with his extremely patient wife, Val, and his two awesome sons, Joshua and Callum. Without their support, patience, and understanding, projects such as this would not be possible. v ptg6899256 Dedications From David Hucaby: As always, this book is dedicated to the most important people in my life: my wife, Marci, and my two daughters, Lauren and Kara. Their love, encouragement, and support carry me along. I’m so grateful to God, who gives endurance and encouragement (Romans 15:5), and who has allowed me to work on projects like this. From Dave Garneau: I am also dedicating this book to the most important person in my life: my wife, Vicki. Without her love and support, I doubt I would succeed in any major endeavor, much less one of this magnitude. Additionally, I want to dedicate this book to my mother, Marian, who almost 40 years ago believed a very young version of myself when he declared he would one day grow up and write a book. I am glad I was finally able to live up to that promise. From Anthony Sequeira: This book is dedicated to the many, many students I have had the privilege of teaching over the past several decades. I hope that my passion for technology and learning has conveyed itself and helped to motivate, and perhaps even inspire. vi CCNP Security FIREWALL 642-617 Official Cert Guide ptg6899256 Acknowledgments It has been my great pleasure to work on another Cisco Press project. I enjoy the net- working field very much, and technical writing even more. And more than that, I’m thankful for the joy and inner peace that Jesus Christ gives, making everything more abundant and worthwhile. I’ve now been writing Cisco Press titles continuously for over 10 years. I always find it to be quite fun, but other demands seem to be making writing more difficult and time con- suming. That’s why I am so grateful that Dave Garneau and Anthony Sequeira came along to help tote the load. It’s also been a great pleasure to work with Brett Bartow and Chris Cleveland. I’m glad they put up with me yet again, especially considering how much I let the schedule slip. I am very grateful for the insight, suggestions, and helpful comments that the technical editors contributed. Each one offered a different perspective, which helped make this a more well-rounded book and me a more educated author. —David Hucaby The creation of this book has certainly been a maelstrom of activity. I was originally slated to be one of the technical reviewers, but became a coauthor at David Hucaby’s request. Right after accepting that challenge, I started a new job, moved to a new city, and built a new house. Throughout all the resulting chaos, Brett Bartow and Christopher Cleveland demonstrated the patience of Job, while somehow keeping this project on track. Hopefully, their patience was not exhausted, and I look forward to working with them again on future projects. I am also thankful to our technical reviewers for their meticulous attention to detail. Doug McKillip, whom I count as a close friend, was able to step into the role I left to become a coauthor. The extremely thorough reviews provided by Doug and Martin definitely improved the quality of the material for the end readers. —Dave Garneau Brett Bartow is a great friend, and I am so incredibly thankful to him for the awesome opportunities he has helped me to achieve with the most respected line of IT texts in the world, Cisco Press. I am also really thankful that he continues to permit me to participate in his fantasy baseball league. It was such an honor to help on this text with the incredible David Hucaby and Dave Garneau. While they sought out a third author named David, it was so kind of them to make a concession for an Anthony. I cannot thank David Hucaby enough for the assistance he provided me in accessing the latest and greatest Cisco ASAs for the lab work and experimentation that was required for my chapters of this text. Finally, thanks to my family, Joette and Annabella and the dog Sweetie, for understanding all of the hours I needed to spend hunched over a keyboard. And that reminds me, thanks also to my chiropractor, Dr. Paton. —Anthony Sequeira vii ptg6899256 Contents at a Glance Introduction xxiii Chapter 1 Cisco ASA Adaptive Security Appliance Overview 3 Chapter 2 Working with a Cisco ASA 33 Chapter 3 Configuring ASA Interfaces 73 Chapter 4 Configuring IP Connectivity 103 Chapter 5 Managing a Cisco ASA 155 Chapter 6 Recording ASA Activity 233 Chapter 7 Using Address Translation 269 Chapter 8 Controlling Access Through the ASA 333 Chapter 9 Inspecting Traffic 409 Chapter 10 Using Proxy Services to Control Access 515 Chapter 11 Handling Traffic 537 Chapter 12 Using Transparent Firewall Mode 561 Chapter 13 Creating Virtual Firewalls on the ASA 583 Chapter 14 Deploying High Availability Features 601 Chapter 15 Integrating ASA Service Modules 645 Chapter 16 Final Preparation 659 Appendix A Answers to the “Do I Know This Already?” Quizzes 665 Appendix B CCNP Security 642-617 FIREWALL Exam Updates: Version 1.0 671 Appendix C Traffic Analysis Tools 675 Glossary 707 Index 717 viii CCNP Security FIREWALL 642-617 Official Cert Guide ptg6899256 Contents Introduction xxiii Chapter 1 Cisco ASA Adaptive Security Appliance Overview 3 “Do I Know This Already?” Quiz 3 Foundation Topics 7 Firewall Overview 7 Firewall Techniques 11 Stateless Packet Filtering 11 Stateful Packet Filtering 12 Stateful Packet Filtering with Application Inspection and Control 12 Network Intrusion Prevention System 13 Network Behavior Analysis 14 Application Layer Gateway (Proxy) 14 Cisco ASA Features 15 Selecting a Cisco ASA Model 18 ASA 5505 18 ASA 5510, 5520, and 5540 19 ASA 5550 20 ASA 5580 21 Security Services Modules 22 Advanced Inspection and Prevention (AIP) SSM 22 Content Security and Control (CSC) SSM 23 4-Port Gigabit Ethernet (4GE) SSM 24 ASA 5585-X 24 ASA Performance Breakdown 25 Selecting ASA Licenses 28 Exam Preparation Tasks 31 Review All Key Topics 31 Define Key Terms 31 Chapter 2 Working with a Cisco ASA 33 “Do I Know This Already?” Quiz 33 Foundation Topics 38 Using the CLI 38 Entering Commands 39 Command Help 41 ix ptg6899256 Command History 43 Searching and Filtering Command Output 43 Terminal Screen Format 45 Using Cisco ASDM 45 Understanding the Factory Default Configuration 50 Working with Configuration Files 52 Clearing an ASA Configuration 55 Working with the ASA File System 56 Navigating an ASA Flash File System 57 Working with Files in an ASA File System 58 Reloading an ASA 61 Upgrading the ASA Software at the Next Reload 63 Performing a Reload 64 Manually Upgrading the ASA Software During a Reload 65 Exam Preparation Tasks 69 Review All Key Topics 69 Define Key Terms 69 Command Reference to Check Your Memory 69 Chapter 3 Configuring ASA Interfaces 73 “Do I Know This Already?” Quiz 73 Foundation Topics 77 Configuring Physical Interfaces 77 Default Interface Configuration 78 Configuring Physical Interface Parameters 80 Mapping ASA 5505 Interfaces to VLANs 80 Configuring Interface Redundancy 81 Configuring VLAN Interfaces 83 VLAN Interfaces and Trunks on ASA 5510 and Higher Platforms 84 VLAN Interfaces and Trunks on an ASA 5505 86 Configuring Interface Security Parameters 88 Naming the Interface 88 Assigning an IP Address 89 Setting the Security Level 90 Interface Security Parameters Example 94 Configuring the Interface MTU 94 Verifying Interface Operation 96 Exam Preparation Tasks 99 x CCNP Security FIREWALL 642-617 Official Cert Guide ptg6899256 Review All Key Topics 99 Define Key Terms 99 Command Reference to Check Your Memory 99 Chapter 4 Configuring IP Connectivity 103 “Do I Know This Already?” Quiz 103 Foundation Topics 107 Deploying DHCP Services 107 Configuring a DHCP Relay 107 Configuring a DHCP Server 108 Using Routing Information 111 Configuring Static Routing 115 Tracking a Static Route 117 Routing with RIPv2 122 Routing with EIGRP 125 Routing with OSPF 134 An Example OSPF Scenario 140 Verifying the ASA Routing Table 144 Exam Preparation Tasks 147 Review All Key Topics 147 Define Key Terms 147 Command Reference to Check Your Memory 148 Chapter 5 Managing a Cisco ASA 155 “Do I Know This Already?” Quiz 155 Foundation Topics 159 Basic Device Settings 159 Configuring Device Identity 159 Configuring Basic Authentication 160 Verifying Basic Device Settings 162 Configuring Name-to-Address Mappings 162 Configuring Local Name-to-Address Mappings 162 Configuring DNS Server Groups 164 Verifying Name-to-Address Mappings 166 File System Management 166 File System Management Using ASDM 166 File System Management Using the CLI 167 dir 168 more 168 xi ptg6899256 copy 168 delete 168 rename 168 mkdir 169 rmdir 169 cd 170 pwd 170 fsck 170 format or erase 171 Managing Software and Feature Activation 171 Managing Cisco ASA Software and ASDM Images 171 Upgrading Files from a Local PC or Directly from Cisco.com 173 License Management 175 Upgrading the Image and Activation Key at the Same Time 176 Cisco ASA Software and License Verification 176 Configuring Management Access 179 Overview of Basic Procedures 179 Configuring Remote Management Access 181 Configuring an Out-of-Band Management Interface 182 Configuring Remote Access Using Telnet 182 Configuring Remote Access Using SSH 185 Configuring Remote Access Using HTTPS 187 Creating a Permanent Self-Signed Certificate 187 Obtaining an Identity Certificate by PKI Enrollment 189 Deploying an Identity Certificate 190 Configuring Management Access Banners 191 Controlling Management Access with AAA 194 Creating Users in the Local Database 196 Using Simple Password-Only Authentication 197 Configuring AAA Access Using the Local Database 198 Configuring AAA Access Using Remote AAA Server(s) 200 Step 1: Create an AAA Server Group and Configure How Servers in the Group Are Accessed 201 Step 2: Populate the Server Group with Member Servers 202 Step 3: Enable User Authentication for Each Remote Management Access Channel 203 Configuring Cisco Secure ACS for Remote Authentication 204 Configuring AAA Command Authorization 207 xii CCNP Security FIREWALL 642-617 Official Cert Guide ptg6899256 Configuring Local AAA Command Authorization 208 Configuring Remote AAA Command Authorization 211 Configuring Remote AAA Accounting 214 Verifying AAA for Management Access 215 Configuring Monitoring Using SNMP 216 Troubleshooting Remote Management Access 221 Cisco ASA Password Recovery 223 Performing Password Recovery 223 Enabling or Disabling Password Recovery 224 Exam Preparation Tasks 225 Review All Key Topics 225 Command Reference to Check Your Memory 225 Chapter 6 Recording ASA Activity 233 “Do I Know This Already?” Quiz 233 Foundation Topics 237 System Time 237 NTP 237 Verifying System Time Settings 241 Managing Event and Session Logging 242 NetFlow Support 243 Logging Message Format 244 Message Severity 244 Configuring Event and Session Logging 245 Configuring Global Logging Properties 245 Altering Settings of Specific Messages 247 Configuring Event Filters 250 Configuring Individual Event Destinations 252 Internal Buffer 252 ASDM 253 Syslog Server(s) 255 Email 257 NetFlow 259 Telnet or SSH Sessions 260 Verifying Event and Session Logging 261 Implementation Guidelines 262 Troubleshooting Event and Session Logging 263 Troubleshooting Commands 263 xiii ptg6899256 Exam Preparation Tasks 265 Review All Key Topics 265 Command Reference to Check Your Memory 265 Chapter 7 Using Address Translation 269 “Do I Know This Already?” Quiz 270 Foundation Topics 277 Understanding How NAT Works 277 Enforcing NAT 279 Address Translation Deployment Options 280 NAT Versus PAT 281 Input Parameters 283 Deployment Choices 283 NAT Exemption 284 Configuring NAT Control 285 Configuring Dynamic Inside NAT 287 Configuring Dynamic Inside PAT 292 Configuring Dynamic Inside Policy NAT 297 Verifying Dynamic Inside NAT and PAT 300 Configuring Static Inside NAT 301 Configuring Network Static Inside NAT 304 Configuring Static Inside PAT 307 Configuring Static Inside Policy NAT 310 Verifying Static Inside NAT and PAT 313 Configuring No-Translation Rules 313 Configuring Dynamic Identity NAT 314 Configuring Static Identity NAT 316 Configuring NAT Bypass (NAT Exemption) 318 NAT Rule Priority with NAT Control Enabled 319 Configuring Outside NAT 320 Other NAT Considerations 323 DNS Rewrite (Also Known as DNS Doctoring) 323 Integrating NAT with ASA Access Control 325 Integrating NAT with MPF 326 Integrating NAT with AAA (Cut-Through Proxy) 326 Troubleshoo