Cisco Press
800 East 96th Street
Indianapolis, IN 46240
CCNP Security
FIREWALL 642-617
Official Cert Guide
David Hucaby
Dave Garneau
Anthony Sequeira
CCNP Security FIREWALL 642-617 Official Cert Guide
David Hucaby
Dave Garneau
Anthony Sequeira
Copyright © 2012 Pearson Education, Inc.
Published by:
Cisco Press
800 East 96th Street
Indianapolis, IN 46240 USA
All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means,
electronic or mechanical, including photocopying, recording, or by any information storage and retrieval
system, without written permission from the publisher, except for the inclusion of brief quotations in a
review.
Printed in the United States of America
First Printing September 2011
Library of Congress Cataloging-in-Publication Data is on file.
ISBN-13: 978-1-58714-279-6
ISBN-10: 1-58714-279-1
Warning and Disclaimer
This book is designed to provide information for the Cisco CCNP Security 642-617 FIREWALL v1.0
exam. Every effort has been made to make this book as complete and as accurate as possible, but no
warranty or fitness is implied.
The information is provided on an “as is” basis. The authors, Cisco Press, and Cisco Systems, Inc. shall have
neither liability nor responsibility to any person or entity with respect to any loss or damages arising from
the information contained in this book or from the use of the discs or programs that may accompany it.
The opinions expressed in this book belong to the authors and are not necessarily those of Cisco Systems, Inc.
ii CCNP Security FIREWALL 642-617 Official Cert Guide
Trademark Acknowledgments
All terms mentioned in this book that are known to be trademarks or service marks have been appropriately
capitalized. Cisco Press or Cisco Systems, Inc., cannot attest to the accuracy of this information. Use of
a term in this book should not be regarded as affecting the validity of any trademark or service mark.
Corporate and Government Sales
The publisher offers excellent discounts on this book when ordered in quantity for bulk purchases or
special sales, which may include electronic versions and/or custom covers and content particular to your
business, training goals, marketing focus, and branding interests. For more information, please contact:
U.S. Corporate and Government Sales: 1-800-382-3419, corpsales@pearsontechgroup.com
For sales outside the United States, please contact: International Sales, international@pearsoned.com
Feedback Information
At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book
is crafted with care and precision, undergoing rigorous development that involves the unique expertise of
members from the professional technical community.
Readers’ feedback is a natural continuation of this process. If you have any comments regarding how we
could improve the quality of this book, or otherwise alter it to better suit your needs, you can contact us
through email at feedback@ciscopress.com. Please make sure to include the book title and ISBN in your
message.
We greatly appreciate your assistance.
Publisher: Paul Boger
Manager, Global Certification: Erik Ullanderson
Associate Publisher: Dave Dusthimer
Business Operation Manager, Cisco Press: Anand Sundaram
Executive Editor: Brett Bartow
Senior Development Editor: Christopher Cleveland
Managing Editor: Sandra Schroeder
Technical Editors: Doug McKillip, Martin Walshaw
Senior Project Editor: Tonya Simpson
Copy Editor: Bill McManus
Editorial Assistant: Vanessa Evans
Book Designer: Gary Adair
Composition: Mark Shirar
Indexer: Tim Wright
Proofreader: Sarah Kearns
About the Authors
David Hucaby, CCIE No. 4594, is a network architect for the University of Kentucky,
where he works with healthcare networks based on the Cisco Catalyst, ASA, FWSM, and
Unified Wireless product lines. David has a bachelor of science degree and master of science
degree in electrical engineering from the University of Kentucky. He is the author of
several Cisco Press titles, including Cisco ASA, PIX, and FWSM Firewall Handbook,
Second Edition; Cisco Firewall Video Mentor; Cisco LAN Switching Video Mentor;
and CCNP SWITCH Exam Certification Guide.
David lives in Kentucky with his wife, Marci, and two daughters.
Dave Garneau is a senior member of the Network Security team at Rackspace Hosting,
Inc., a role he started during the creation of this book. Before that, he was the principal
consultant and senior technical instructor at The Radix Group, Ltd. In that role, Dave
trained more than 3000 students in nine countries on Cisco technologies, mostly focusing
on the Cisco security products line, and worked closely with Cisco in establishing the
new Cisco Certified Network Professional Security (CCNP Security) curriculum. Dave
has a bachelor of science degree in mathematics from Metropolitan State College of
Denver (now being renamed Denver State University). Dave lives in San Antonio, Texas
with his wife, Vicki.
Anthony Sequeira, CCIE No. 15626, is a Cisco Certified Systems Instructor and author
regarding all levels and tracks of Cisco Certification. Anthony formally began his career
in the information technology industry in 1994 with IBM in Tampa, Florida. He quickly
formed his own computer consultancy, Computer Solutions, and then discovered his true
passion—teaching and writing about Microsoft and Cisco technologies. Anthony joined
Mastering Computers in 1996 and lectured to massive audiences around the world about
the latest in computer technologies. Mastering Computers became the revolutionary
online training company KnowledgeNet, and Anthony trained there for many years.
Anthony is currently pursuing his second CCIE in the area of Security and is a full-time
instructor for the next generation of KnowledgeNet, StormWind Live.
About the Technical Reviewers
Doug McKillip, P.E., CCIE No. 1851, is an independent consultant specializing in Cisco
Certified Training in association with Global Knowledge, a Training Partner of Cisco
Systems. He has more than 20 years of experience in computer networking and security.
Doug provided both instructional and technical assistance during the initial deployment
of MCNS Version 1.0, the first Cisco Security training class, which debuted in early
1998, and has been a lead instructor for the security curriculum ever since. He holds
bachelor’s and master’s degrees in chemical engineering from MIT and a master’s degree
in computer and information sciences from the University of Delaware. He resides in
Wilmington, Delaware.
Martin Walshaw, CCIE No. 5629, CISSP, is a senior systems engineer working for F5
Networks in South Africa. His expertise spans multiple areas, but over
the past few years he has focused specifically on security and application delivery.
During the past 20 years or so, Martin has dabbled in many different areas of IT, ranging
from RPG III to PC sales. When Martin is not working or doing sports, he likes to spend
all of his available time with his extremely patient wife, Val, and his two awesome sons,
Joshua and Callum. Without their support, patience, and understanding, projects such as
this would not be possible.
Dedications
From David Hucaby:
As always, this book is dedicated to the most important people in my life: my wife,
Marci, and my two daughters, Lauren and Kara. Their love, encouragement, and support
carry me along. I’m so grateful to God, who gives endurance and encouragement
(Romans 15:5), and who has allowed me to work on projects like this.
From Dave Garneau:
I am also dedicating this book to the most important person in my life: my wife, Vicki.
Without her love and support, I doubt I would succeed in any major endeavor, much less
one of this magnitude. Additionally, I want to dedicate this book to my mother, Marian,
who almost 40 years ago believed a very young version of myself when he declared he
would one day grow up and write a book. I am glad I was finally able to live up to that
promise.
From Anthony Sequeira:
This book is dedicated to the many, many students I have had the privilege of teaching
over the past several decades. I hope that my passion for technology and learning has
conveyed itself and helped to motivate, and perhaps even inspire.
Acknowledgments
It has been my great pleasure to work on another Cisco Press project. I enjoy the networking
field very much, and technical writing even more. And more than that, I’m
thankful for the joy and inner peace that Jesus Christ gives, making everything more
abundant and worthwhile.
I’ve now been writing Cisco Press titles continuously for over 10 years. I always find it to
be quite fun, but other demands seem to be making writing more difficult and time consuming.
That’s why I am so grateful that Dave Garneau and Anthony Sequeira came along
to help tote the load. It’s also been a great pleasure to work with Brett Bartow and Chris
Cleveland. I’m glad they put up with me yet again, especially considering how much I let
the schedule slip.
I am very grateful for the insight, suggestions, and helpful comments that the technical
editors contributed. Each one offered a different perspective, which helped make this a
more well-rounded book and me a more educated author.
—David Hucaby
The creation of this book has certainly been a maelstrom of activity. I was originally slated
to be one of the technical reviewers, but became a coauthor at David Hucaby’s request.
Right after accepting that challenge, I started a new job, moved to a new city, and built a
new house. Throughout all the resulting chaos, Brett Bartow and Christopher Cleveland
demonstrated the patience of Job, while somehow keeping this project on track.
Hopefully, their patience was not exhausted, and I look forward to working with them
again on future projects.
I am also thankful to our technical reviewers for their meticulous attention to detail.
Doug McKillip, whom I count as a close friend, was able to step into the role I left to
become a coauthor. The extremely thorough reviews provided by Doug and Martin
definitely improved the quality of the material for the end readers.
—Dave Garneau
Brett Bartow is a great friend, and I am so incredibly thankful to him for the awesome
opportunities he has helped me to achieve with the most respected line of IT texts in the
world, Cisco Press. I am also really thankful that he continues to permit me to participate
in his fantasy baseball league.
It was such an honor to help on this text with the incredible David Hucaby and Dave
Garneau. While they sought out a third author named David, it was so kind of them to
make a concession for an Anthony.
I cannot thank David Hucaby enough for the assistance he provided me in accessing the
latest and greatest Cisco ASAs for the lab work and experimentation that was required
for my chapters of this text.
Finally, thanks to my family, Joette and Annabella and the dog Sweetie, for understanding
all of the hours I needed to spend hunched over a keyboard. And that reminds me, thanks
also to my chiropractor, Dr. Paton.
—Anthony Sequeira
Contents at a Glance
Introduction xxiii
Chapter 1 Cisco ASA Adaptive Security Appliance Overview 3
Chapter 2 Working with a Cisco ASA 33
Chapter 3 Configuring ASA Interfaces 73
Chapter 4 Configuring IP Connectivity 103
Chapter 5 Managing a Cisco ASA 155
Chapter 6 Recording ASA Activity 233
Chapter 7 Using Address Translation 269
Chapter 8 Controlling Access Through the ASA 333
Chapter 9 Inspecting Traffic 409
Chapter 10 Using Proxy Services to Control Access 515
Chapter 11 Handling Traffic 537
Chapter 12 Using Transparent Firewall Mode 561
Chapter 13 Creating Virtual Firewalls on the ASA 583
Chapter 14 Deploying High Availability Features 601
Chapter 15 Integrating ASA Service Modules 645
Chapter 16 Final Preparation 659
Appendix A Answers to the “Do I Know This Already?” Quizzes 665
Appendix B CCNP Security 642-617 FIREWALL Exam Updates: Version 1.0 671
Appendix C Traffic Analysis Tools 675
Glossary 707
Index 717
Contents
Introduction xxiii
Chapter 1 Cisco ASA Adaptive Security Appliance Overview 3
“Do I Know This Already?” Quiz 3
Foundation Topics 7
Firewall Overview 7
Firewall Techniques 11
Stateless Packet Filtering 11
Stateful Packet Filtering 12
Stateful Packet Filtering with Application Inspection and Control 12
Network Intrusion Prevention System 13
Network Behavior Analysis 14
Application Layer Gateway (Proxy) 14
Cisco ASA Features 15
Selecting a Cisco ASA Model 18
ASA 5505 18
ASA 5510, 5520, and 5540 19
ASA 5550 20
ASA 5580 21
Security Services Modules 22
Advanced Inspection and Prevention (AIP) SSM 22
Content Security and Control (CSC) SSM 23
4-Port Gigabit Ethernet (4GE) SSM 24
ASA 5585-X 24
ASA Performance Breakdown 25
Selecting ASA Licenses 28
Exam Preparation Tasks 31
Review All Key Topics 31
Define Key Terms 31
Chapter 2 Working with a Cisco ASA 33
“Do I Know This Already?” Quiz 33
Foundation Topics 38
Using the CLI 38
Entering Commands 39
Command Help 41
Command History 43
Searching and Filtering Command Output 43
Terminal Screen Format 45
Using Cisco ASDM 45
Understanding the Factory Default Configuration 50
Working with Configuration Files 52
Clearing an ASA Configuration 55
Working with the ASA File System 56
Navigating an ASA Flash File System 57
Working with Files in an ASA File System 58
Reloading an ASA 61
Upgrading the ASA Software at the Next Reload 63
Performing a Reload 64
Manually Upgrading the ASA Software During a Reload 65
Exam Preparation Tasks 69
Review All Key Topics 69
Define Key Terms 69
Command Reference to Check Your Memory 69
Chapter 3 Configuring ASA Interfaces 73
“Do I Know This Already?” Quiz 73
Foundation Topics 77
Configuring Physical Interfaces 77
Default Interface Configuration 78
Configuring Physical Interface Parameters 80
Mapping ASA 5505 Interfaces to VLANs 80
Configuring Interface Redundancy 81
Configuring VLAN Interfaces 83
VLAN Interfaces and Trunks on ASA 5510 and Higher Platforms 84
VLAN Interfaces and Trunks on an ASA 5505 86
Configuring Interface Security Parameters 88
Naming the Interface 88
Assigning an IP Address 89
Setting the Security Level 90
Interface Security Parameters Example 94
Configuring the Interface MTU 94
Verifying Interface Operation 96
Exam Preparation Tasks 99
Review All Key Topics 99
Define Key Terms 99
Command Reference to Check Your Memory 99
Chapter 4 Configuring IP Connectivity 103
“Do I Know This Already?” Quiz 103
Foundation Topics 107
Deploying DHCP Services 107
Configuring a DHCP Relay 107
Configuring a DHCP Server 108
Using Routing Information 111
Configuring Static Routing 115
Tracking a Static Route 117
Routing with RIPv2 122
Routing with EIGRP 125
Routing with OSPF 134
An Example OSPF Scenario 140
Verifying the ASA Routing Table 144
Exam Preparation Tasks 147
Review All Key Topics 147
Define Key Terms 147
Command Reference to Check Your Memory 148
Chapter 5 Managing a Cisco ASA 155
“Do I Know This Already?” Quiz 155
Foundation Topics 159
Basic Device Settings 159
Configuring Device Identity 159
Configuring Basic Authentication 160
Verifying Basic Device Settings 162
Configuring Name-to-Address Mappings 162
Configuring Local Name-to-Address Mappings 162
Configuring DNS Server Groups 164
Verifying Name-to-Address Mappings 166
File System Management 166
File System Management Using ASDM 166
File System Management Using the CLI 167
dir 168
more 168
copy 168
delete 168
rename 168
mkdir 169
rmdir 169
cd 170
pwd 170
fsck 170
format or erase 171
Managing Software and Feature Activation 171
Managing Cisco ASA Software and ASDM Images 171
Upgrading Files from a Local PC or Directly from Cisco.com 173
License Management 175
Upgrading the Image and Activation Key at the Same Time 176
Cisco ASA Software and License Verification 176
Configuring Management Access 179
Overview of Basic Procedures 179
Configuring Remote Management Access 181
Configuring an Out-of-Band Management Interface 182
Configuring Remote Access Using Telnet 182
Configuring Remote Access Using SSH 185
Configuring Remote Access Using HTTPS 187
Creating a Permanent Self-Signed Certificate 187
Obtaining an Identity Certificate by PKI Enrollment 189
Deploying an Identity Certificate 190
Configuring Management Access Banners 191
Controlling Management Access with AAA 194
Creating Users in the Local Database 196
Using Simple Password-Only Authentication 197
Configuring AAA Access Using the Local Database 198
Configuring AAA Access Using Remote AAA Server(s) 200
Step 1: Create an AAA Server Group and Configure How Servers in the Group Are Accessed 201
Step 2: Populate the Server Group with Member Servers 202
Step 3: Enable User Authentication for Each Remote Management Access Channel 203
Configuring Cisco Secure ACS for Remote Authentication 204
Configuring AAA Command Authorization 207
Configuring Local AAA Command Authorization 208
Configuring Remote AAA Command Authorization 211
Configuring Remote AAA Accounting 214
Verifying AAA for Management Access 215
Configuring Monitoring Using SNMP 216
Troubleshooting Remote Management Access 221
Cisco ASA Password Recovery 223
Performing Password Recovery 223
Enabling or Disabling Password Recovery 224
Exam Preparation Tasks 225
Review All Key Topics 225
Command Reference to Check Your Memory 225
Chapter 6 Recording ASA Activity 233
“Do I Know This Already?” Quiz 233
Foundation Topics 237
System Time 237
NTP 237
Verifying System Time Settings 241
Managing Event and Session Logging 242
NetFlow Support 243
Logging Message Format 244
Message Severity 244
Configuring Event and Session Logging 245
Configuring Global Logging Properties 245
Altering Settings of Specific Messages 247
Configuring Event Filters 250
Configuring Individual Event Destinations 252
Internal Buffer 252
ASDM 253
Syslog Server(s) 255
Email 257
NetFlow 259
Telnet or SSH Sessions 260
Verifying Event and Session Logging 261
Implementation Guidelines 262
Troubleshooting Event and Session Logging 263
Troubleshooting Commands 263
Exam Preparation Tasks 265
Review All Key Topics 265
Command Reference to Check Your Memory 265
Chapter 7 Using Address Translation 269
“Do I Know This Already?” Quiz 270
Foundation Topics 277
Understanding How NAT Works 277
Enforcing NAT 279
Address Translation Deployment Options 280
NAT Versus PAT 281
Input Parameters 283
Deployment Choices 283
NAT Exemption 284
Configuring NAT Control 285
Configuring Dynamic Inside NAT 287
Configuring Dynamic Inside PAT 292
Configuring Dynamic Inside Policy NAT 297
Verifying Dynamic Inside NAT and PAT 300
Configuring Static Inside NAT 301
Configuring Network Static Inside NAT 304
Configuring Static Inside PAT 307
Configuring Static Inside Policy NAT 310
Verifying Static Inside NAT and PAT 313
Configuring No-Translation Rules 313
Configuring Dynamic Identity NAT 314
Configuring Static Identity NAT 316
Configuring NAT Bypass (NAT Exemption) 318
NAT Rule Priority with NAT Control Enabled 319
Configuring Outside NAT 320
Other NAT Considerations 323
DNS Rewrite (Also Known as DNS Doctoring) 323
Integrating NAT with ASA Access Control 325
Integrating NAT with MPF 326
Integrating NAT with AAA (Cut-Through Proxy) 326
Troubleshoo