CCNP Security Virtual Private Networks Svpn 300-730 Official Cert Guide
Autor Joseph Muniz, Steven Chimes , James Risleren Limba Engleză Paperback – 21 dec 2021
Trust the best-selling Official Cert Guide series from Cisco Press to help you learn, prepare, and practice for exam success. They are built with the objective of providing assessment, review, and practice to help ensure you are fully prepared for your certification exam.
CCNP Security Virtual Private Networks SVPN 300-730 Official Cert Guide presents you with an organized test preparation routine using proven series elements and techniques. “Do I Know This Already?” quizzes open each chapter and enable you to decide how much time you need to spend on each section. Exam topic lists make referencing easy. Chapter-ending Exam Preparation Tasks help you drill on key concepts you must know thoroughly.
* Master Implementing Secure Solutions with Virtual Private Networks (SVPN) 300-730 exam topics
* Assess your knowledge with chapter-opening quizzes
* Review key concepts with exam preparation tasks
* Practice with realistic exam questions in the practice test software
CCNP Security Virtual Private Networks SVPN 300-730 Official Cert Guide from Cisco Press enables you to succeed on the exam the first time and is the only self-study resource approved by Cisco. Three leading Cisco security technology experts share preparation hints and test-taking tips, helping you identify areas of weakness and improve both your conceptual knowledge and hands-on skills.
This complete study package includes
* A test-preparation routine proven to help you pass the exams
* Do I Know This Already? quizzes, which enable you to decide how much time you need to spend on each section
* Chapter-ending exercises, which help you drill on key concepts you must know thoroughly
* The powerful Pearson Test Prep Practice Test software, with two full exams comprised of well-reviewed, exam-realistic questions, customization options, and detailed performance reports
* A final preparation chapter, which guides you through tools and resources to help you craft your review and test-taking strategies
* Study plan suggestions and templates to help you organize and optimize your study time
Well regarded for its level of detail, study plans, assessment features, and challenging review questions and exercises, this official study guide helps you master the concepts and techniques that ensure your exam success.
This official study guide helps you master all the topics on the Implementing Secure Solutions with Virtual Private Networks (SVPN) 300-730 exam, deepening your knowledge of
* Site-to-site virtual private networks on routers and firewalls
* Remote access VPNs
* Troubleshooting using ASDM and CLI
* Secure communications architectures
Companion Website:
The companion website contains two full practice exams, an interactive Flash Cards application, a Study Planner, Glossary, and more.
Includes Exclusive Offers for Up to 80% Off Video Training, Practice Tests, and more
Pearson Test Prep online system requirements:
Browsers: Chrome version 73 and above, Safari version 12 and above, Microsoft Edge 44 and above.
Devices: Desktop and laptop computers, tablets running Android v8.0 and above or iPad OS v13 and above, smartphones running Android v8.0 and above or iOS v13 and above with a minimum screen size of 4.7.
Pearson Test Prep offline system requirements:
Windows 10, Windows 8.1; Microsoft .NET Framework 4.5 Client; Pentium-class 1 GHz processor (or equivalent); 512 MB RAM; 650 MB disk space plus 50 MB for each downloaded practice exam; access to the Internet to register and download exam databases
Also available from Cisco Press for CCNP Security study is the CCNP Security Virtual Private Networks SVPN 300-730 Official Cert Guide Premium Edition eBook and Practice Test. This digital-only certification preparation product combines an eBook with enhanced Pearson Test Prep Practice Test.
This integrated learning package
* Enables you to focus on individual topic areas or take complete, timed exams
* Includes direct links from each question to detailed tutorials to help you understand the concepts behind the questions
* Provides unique sets of exam-realistic practice questions
* Tracks your performance and provides feedback on a module-by-module basis, laying out a complete assessment of your knowledge to help you focus your study where it is needed most
Preț: 416.06 lei
Preț vechi: 520.08 lei
-20% Nou
Puncte Express: 624
Preț estimativ în valută:
79.67€ • 82.18$ • 66.03£
79.67€ • 82.18$ • 66.03£
Carte indisponibilă temporar
Doresc să fiu notificat când acest titlu va fi disponibil:
Se trimite...
Preluare comenzi: 021 569.72.76
Specificații
ISBN-13: 9780136660606
ISBN-10: 0136660606
Pagini: 496
Dimensiuni: 193 x 236 x 35 mm
Greutate: 1.04 kg
Editura: Pearson Education
ISBN-10: 0136660606
Pagini: 496
Dimensiuni: 193 x 236 x 35 mm
Greutate: 1.04 kg
Editura: Pearson Education
Notă biografică
Joseph Muniz is an architect and security researcher in the Cisco Security Sales and Engineering organization. He is driven by making the world a safer place through education and adversary research. Joseph has extensive experience in designing security solutions and architectures as a trusted advisor for top Fortune 500 corporations and the U.S. government.
Joseph is a researcher and industry thought leader. He speaks regularly at international conferences, writes for technical magazines, and is involved with developing training for various industry certifications. He invented the fictitious character Emily Williams to create awareness around social engineering. Joseph runs The Security Blogger website, a popular resource for security and product implementation. He is the author of and contributor to several publications, including titles ranging from security best practices to exploitation tactics.
When Joseph is not using technology, you can find him on the futbal (soccer) field or raising the next generation of hackers, also known as his children. Follow Joseph at https://www.thesecurityblogger.com and @SecureBlogger.
Steven Chimes, CCIE No. 35525, is a security architect in the Security Sales Engineering organization at Cisco, focused on building cybersecurity solutions for Cisco's largest global customers. He has more than 15 years of experience in the networking and cybersecurity fields, specializing in cross-domain solutions and emerging technologies. He has led the technical design for projects across the IT spectrum, including networking, security, analytics, identity, collaboration, compute, data center, and cloud.
When not building solutions, Steven is either teaching or learning. He is a distinguished speaker at Cisco Live and has spoken at Cisco Live events all over the world. He is also a serial collector of certifications, including CCIE Security, CCNP Enterprise, DevNet Associate, CISSP-ISSAP, GMON, and GCIH, among many others. What Steven finds most fulfilling, though, is mentoring the next generation of inspired cybersecurity professionals through programs such as Cisco High. Follow Steven @StevenChimes on Twitter.James Risler, CCIE No. 15412, is a security training development manager in the Cisco Customer Experience organization. As senior manager of security content engineering at Cisco, he's constantly discovering and exploring the latest trends and issues in security, IT, and business. In his current role, he oversees teams responsible for both security and collaboration course development.
James is passionate about helping organizations understand the impact that security events can have on business and how to mitigate that risk. That's why he works to educate individuals and organizations in a variety of cybersecurity topics, including threat defense, virtual private networks, and firewall configuration, among others. Besides his work at Cisco, James works to help create the next generation of security defenders by holding training sessions and presentations for the University of Tampa Cybersecurity Club.
James is a distinguished speaker at Cisco Live; he holds Certified Information Systems Security Professional (CISSP) and Cisco Certified Internetwork Expert (CCIE) certifications; and he has earned a master's of business administration (MBA) from the University of Tampa. When he is not at work, he is either home brewing or cooking up a complex meal. Follow James @JimRisler on Twitter.Cuprins
Introduction xxxi Part I Virtual Private Networks (VPN) Chapter 1 Understanding the Implementing Secure Solutions with Virtual Private Networks SVPN 300-730 Exam 2 Why Learn VPN Technology 2 The Cisco Certification Program 6 The SVPN 300-730 Exam 8 Exam Preparation 13 Summary 13 Chapter 2 Introduction to Virtual Private Networks (VPN) 14 "Do I Know This Already?" Quiz 15 Foundation Topics 17 VPN Offerings 17 VPN Technologies vs. Services 17 Remote Access VPNs 18 Remote Access VPN Use Cases 19 Site-to-Site VPNs 20 Hub-and-Spoke Design 20 Spoke-to-Spoke Design 20 Full Mesh Design 21 Hybrid Design 21 Tiered Hub-and-Spoke Design 22 VPN Technology Components 23 Hardware VPN Support 23 Routers 23 Security Appliances 26 VPN Clients 28 Other VPN Clients 29 VPN Protocols 29 Point-to-Point Tunneling Protocol (PPTP) 30 PPTP Pitfalls 30 Secure Socket Tunneling Protocol (SSTP) 31 SSL/TLS 31 IPsec with IKE 31 IPsec with IKEv2 32 Easy VPN 32 L2TP 32 VPN Protocol Comparison 33 Cisco VPN Portfolio 33 DMVPN 33 DMVPN Use Cases 33 Group Encrypted Transport VPN (GETVPN) 33 FlexVPN 34 SSL VPN 34 SSL VPN Use Cases 34 Site-to-Site VPN Comparison 34 Cisco ASA Licensing 37 Time-Based License 37 Licensing Options 38 Cisco Secure Firewall Series for Site-to-Site VPNs 39 Cisco Secure Firewall Limitations 39 Cisco Meraki Licensing 40 Cisco Meraki VPN Options 40 Cisco Security Appliance Management 41 Cisco Security Management Options 41 VPN Logging 42 Logging Collection Points 42 ASA Logging 42 SIEM 43 VPN Client Logging 44 DART 44 Logging Challenges 45 Summary 47 References 47 Exam Preparation Tasks 48 Part II Site-to-Site VPN Chapter 3 Site-to-Site VPNs 50 "Do I Know This Already?" Quiz 51 Foundation Topics 53 Site-to-Site VPN Architecture 54 Site-to-Site Design Considerations 54 Scoping a Project 54 Site-to-Site Components 55 Routers vs. Security Appliances 55 Cisco Security Appliances for Site-to-Site VPNs 56 IPsec 56 Authentication Header 56 Encapsulating Security Payload 57 Comparing AH and ESP 57 ISAKMP 58 IKE Security Association 58 IKE Version 1 and 2 58 Key IKE Concepts 60 IKE Authentication 61 VPN Tunnel Concepts 62 IPsec Tunnel Mode 63 IPsec Transport Mode 63 Certificate Authorities 64 Crypto Map Concepts 64 GETVPN/DMVPN/FlexVPN 64 GETVPN 65 DMVPN 65 FlexVPN 65 Router Configuration with IKEv1 66 Planning the VPN 67 Configuring the Tunnel 68 Why Use GRE with IPsec? 68 Configuring a GRE Tunnel 68 Configuring Network Address Translation 70 NAT Example 71 Configuring Encryption and IPsec 72 IKE Policy Example 73 Authentication Options 73 Pre-shared Key Example 74 Digital Certificate Example 74 Configuring a Crypto Map 75 Crypto Map Example 76 Applying Crypto Maps 77 Configuring QoS 78 Router Configuration with IKEv2 78 Primary Router Configuration Example 78 Defining the IKEv2 Keyring 78 Defining the IKEv2 Proposal 79 Defining IKEv2 Policies 79 Defining a Crypto ACL for IPsec Secured Traffic 79 Defining a Transform Set 80 Defining an IKEv2 Profile 80 Defining Crypto Maps 80 Activating Crypto Maps 81 Repeating Similar Steps for the Other Router 81 Appliance Configuration 83 ASDM Example 83 ASA Command-Line Example 87 Cisco Secure Firewall Example 93 Cisco Meraki Example 97 High Availability 99 High Availability Options 100 High Availability Considerations 101 High Availability Costs 102 High Availability Technology Considerations 102 Bidirectional Forwarding Detection 103 IOS Failover Example 103 Summary 104 References 104 Exam Preparation Tasks 105 Chapter 4 Group Encrypted Transport VPN (GETVPN) 106 "Do I Know This Already?" Quiz 107 Foundation Topics 109 MPLS Security Challenges 109 GETVPN Overview 111 GDOI Protocol 111 GETVPN Benefit Summary 113 GETVPN Components 113 GETVPN Key Server 113 GETVPN Group Member 115 GETVPN GDOI Protocol 115 GETVPN Security Controls 115 Rekeying 115 TBAR 115 IP-D3P 116 GETVPN Design Considerations 116 GETVPN Fault Tolerance Considerations 116 Key GETVPN Considerations 117 GETVPN Implementation and Configuration 117 Configuring a Key Server 119 IKE Phase 1 Policy 119 Key Server PSK Authentication 120 IKE Phase 2 Policy 120 Key Server RSA Key 120 Key Server GDOI 120 Unicast Rekeying Parameters 120 Key Server Policy Access List 121 Configuring Group Members 121 Group Member IKE Phase 1 Policy 121 Group Member PSK Authentication 122 Group Member GDOI Information 122 Crypto Maps 123 GETVPN Status Commands 123 Group Member Show Commands 126 GETVPN Status Commands Summary 128 Summary 128 References 129 Exam Preparation Tasks 129 Chapter 5 Dynamic Multipoint Virtual Private Network (DMVPN) 130 "Do I Know This Already?" Quiz 131 Foundation Topics 134 DMVPN Overview 134 Legacy Crypto Map VPN Solutions 135 Modern VPN Needs 135 DMVPN Risks 136 DMVPN Core Concepts 136 DMVPN Example 136 DVMPN Network Components 137 mGRE 137 GRE and mGRE Advantages 138 NHRP 138 NHRP Example 139 Remaining DMVPN Components 139 Solution Breakdown 139 DMVPN Design Considerations 140 DMVPN Planning 140 DMVPN Fault Tolerance Considerations 141 Key DMVPN Considerations 141 DMVPN Phases 141 DMVPN Phase 1 141 DMVPN Phase 2 142 DMVPN Phase 3 143 DMVPN Phase 1 Hub-and-Spoke Implementation 144 Crypto IPsec Policy Configuration 145 Creating an IKE Policy 145 Creating Pre-shared Key Authentication Credentials 146 Creating a Profile 147 Creating a Transform Set 148 GRE Tunnel Configuration 148 Creating a Multipoint GRE Tunnel on the Hub 148 Creating a GRE Tunnel on the Spoke 149 NHRP Hub-and-Spoke Configuration 150 Configure NHRP on the Hub 150 Configure NHRP on the Spoke 150 Configure Tunnel Protection 151 Configure Tunnel Optional Parameters 152 Routing Protocol Configuration 152 Configure Routing on the Hub 152 Configure Routing on the Spoke Using IPV4 153 Configure Routing on the Spoke Using IPV6 153 DMVPN Phase 2 Spoke-to-Spoke Implementation 154 IPsec for Spoke-to-Spoke 154 Spoke-to-Spoke Routing 154 IPv6 Spoke-to-Spoke Routing Configuration 155 DMVPN Phase 3 Spoke-to-Spoke Implementation 155 Enable NHRP Redirects on the Hub 155 Enable NHRP Shortcuts on the Spoke 156 DMVPN Troubleshooting 156 Troubleshooting the Crypto IPsec Policy Configuration 156 Troubleshooting IKE Phase 2 157 Troubleshooting the GRE Tunnel Configuration 157 Validating the Tunnel 158 Troubleshooting the NHRP Hub-and-Spoke Configuration 158 NHRP Registration 158 Tunnel Configuration 158 Debugging 159 Troubleshoot the Routing Configuration 159 DMVPN Troubleshooting Summary 160 Summary 160 References 161 Exam Preparation Tasks 161 Chapter 6 FlexVPN Configuration and Troubleshooting 164 "Do I Know This Already?" Quiz 165 Foundation Topics 168 FlexVPN Overview 168 FlexVPN Advantages 169 Modular Framework 169 Configuring Service Parameters 169 IKEv2 Benefits Summarized 169 FlexVPN Versus Other Options 170 Benefits of IKEv2 171 FlexVPN Requirements 171 FlexVPN Components 172 FlexVPN Component Roles 173 FlexVPN Smart Defaults 173 Router Smart Defaults 174 FlexVPN Design Considerations 174 FlexVPN Planning 174 Key FlexVPN Consideration 175 FlexVPN Implementation: Hub-and-Spoke (IPv4/IPv6) 175 Hub-and-Spoke Configuration Summary 176 Step 1: IKEv2 Proposal and IKEv2 Policy Configuration 177 FlexVPN IKEv2 Proposal 177 FlexVPN Transform Set 178 Step 2: IKEv2 Authorization Policy Configuration 178 AAA 178 Hub Pool 179 ACL Permitting Traffic 179 Attach to Authorization Policy 180 Step 3: Keyring and IKEv2 Profile Configuration 180 Keyring 180 IKEv2 Profile 181 Step 4: IPsec Profile Configuration 182 Create Loopback Address 182 Virtual Template 183 Pre-shared IKEv2 Keyring 183 FlexVPN Spoke Configuration 183 Spoke AAA Configuration 183 Spoke Access List 184 Spoke Keyring 184 Spoke Authorization Policy 184 Spoke IKEv2 Profile 185 Spoke IPsec Profile 185 Spoke Tunnel Interface 186 FlexVPN Implementation: Spoke-to-Spoke (IPv4/IPv6) 186 FlexVPN NHRP 187 FlexVPN Spoke-to-Spoke Spoke Router 188 Spoke-to-Spoke Keyring 188 Spoke-to-Spoke Route Injection 188 Spoke-to-Spoke IKEv2 Profile 189 Spoke-to-Spoke Add NHRP 189 Spoke-to-Spoke Virtual Template 190 FlexVPN Troubleshooting 191 Connectivity Troubleshooting 192 Step 1: IKEv2 Proposal and IKEv2 Policy Troubleshooting 192 IKEv2 Debugging 193 Step 2: IKEv2 Authorization Policy Troubleshooting 193 Step 3: Keyring and IKEv2 Profile Troubleshooting 194 Step 4: IPsec Profile Troubleshooting 194 NHRP Troubleshooting 195 Summary 197 References 197 Exam Preparation Tasks 198 Part III Remote Access Virtual Private Network Chapter 7 Remote Access VPNs 200 "Do I Know This Already?" Quiz 202 Foundation Topics 204 Remote VPN Architecture 205 NAS and Client-Side Software 205 Remote Access Technology Considerations 206 Remote Access Components 207 Remote Access Capable Routers 207 Remote Access Capable Security Appliances 208 AnyConnect Secure Mobility Client 209 User Experience 209 AnyConnect Protocol Support 209 AnyConnect Security Capabilities 210 AnyConnect Platform Support 210 AnyConnect Profile Editor 211 AnyConnect VPN Profile Example 212 VPN Connection Profiles, Group Policies, and Users 214 Group Policies 214 Connection Profiles 214 Split Tunneling 215 Split Tunneling Configuration 216 SSL VPN/WebVPN 219 WebVPN Example 220 SSL VPN Options 221 SSL VPN Licensing 222 Encryption Algorithms 223 Encryption Trends 223 Encryption Algorithm Categories 223 Comparing Encryption Options 224 Elliptic Curve Cryptography Algorithms 225 ECC Threats 225 Encryption Algorithm Math 225 ECC Math 226 Combining ECC with Other Algorithms 227 Applying Elliptic Curve Cryptography to a VPN 227 Diffie Hellman Groups 228 High Availability 228 Load Balancing 229 Failover Design 229 Load Balancing Considerations 229 Cisco ASDM Remote Access Configuration 230 Cisco ASA CLI Remote Access Configuration 237 Default Tunnel Groups 239 Cisco Secure Firewall Remote Access VPN 241 Cisco Secure Firewall Features 241 Cisco Meraki Remote Access VPN 248 Meraki Remote Access Configuration Example 249 Router Configuration 250 Key Concepts for Remote Access on Routers 251 Remote Access on Router Configuration Example 251 Summary 255 References 256 Exam Preparation Tasks 257 Chapter 8 Clientless Remote Access SSL VPNs on the ASA 258 "Do I Know This Already?" Quiz 259 Foundation Topics 260 Clientless SSL VPN Overview 261 ASA as a Proxy 262 Cisco VPN Options 262 Clientless SSL VPN Prerequisites 263 Software Licenses 263 License Options 264 AnyConnect Plus Subscription and Perpetual 264 AnyConnect Apex Subscription 264 AnyConnect VPN Only Perpetual License 264 License Option Summary 265 Software Support Requirements 266 Clientless SSL VPN Prerequisites Summary 267 Basic Clientless SSL VPN Configuration 267 Step 1: Installing an Identity Certificate 268 Generating a New RSA Key Pair Using ASDM 268 Generating a New RSA Key Pair Using CLI 269 Creating an Identity Certificate Request Using ASDM 269 Creating an Identity Certificate Request Using CLI 270 Installing a Signed Identity Certificate Using ASDM 271 Installing a Signed Identity Certificate Using CLI 272 Step 2: Applying an Identity Certificate to the Interface(s) 273 Applying the Identity Certificate Using ASDM 273 Applying the Identity Certificate Using CLI 274 Step 3: Enabling Clientless SSL VPN on an Interface 274 Enable Clientless SSL VPN Interface Using ASDM 274 Enable Clientless SSL VPN Interface Using CLI 275 Step 4: Configuring Group Policies 276 Group Policy Selection 276 Creating Group Policies Using ASDM 277 Creating Group Policies Using CLI 277 Group Policy Attributes for Clientless SSL VPNs 278 WebVPN Group Policy Attributes 279 WebVPN Group Policy vs. Group Policy Attributes 280 Step 5: Configuring Connection Profiles 280 Default Connect Profiles 281 Creating a Connection Profile Using ASDM 281 Creating a Connection Profile Using CLI 282 Connection Profile General Attributes 283 Connection Profile WebVPN Attributes 283 Step 6: Configuring User Authentication 284 Authentication Servers 285 Configuring Authentication Using ASDM 286 Configuring Local Authentication Using CLI 287 Extended Clientless SSL VPN Configuration Options 287 Configuring Bookmarks 287 Bookmark Support 288 Creating a Bookmark List 289 Applying the Bookmark List to a Group Policy Using ASDM 290 Applying the Bookmark List to a Group Policy Using CLI 291 Configuring Web ACLs 291 Web ACL Support 291 Creating a Web ACL Using ASDM 292 Creating a Web ACL Using CLI 293 Applying a Web ACL to a Group Policy Using ASDM 293 Applying a Web ACL to a Group Policy Using CLI 294 Configuring Application Access via Port Forwarding 294 Creating a Port Forwarding List Using ASDM 295 Creating a Port Forwarding List Using CLI 295 Applying a Port Forwarding List to a Group Policy Using ASDM 296 Applying a Port Forwarding List to a Group Policy Using ASDM 296 Configuring Application Access via Smart Tunnels 297 Smart Tunnel Requirements 297 Smart Tunnel Benefits 298 Creating a Smart Tunnel List Using ASDM 298 Creating a Smart Tunnel List Using ASDM 299 Applying the Smart Tunnel List to a Group Policy Using ASDM 300 Applying the Smart Tunnel List to a Group Policy Using CLI 300 Configuring Client/Server Plug-ins 301 Obtaining Plug-ins 301 Summary 302 References 302 Exam Preparation Tasks 303 Chapter 9 AnyConnect VPNs on the ASA and IOS 306 "Do I Know This Already?" Quiz 307 Foundation Topics 309 AnyConnect VPN Review 310 SSL VPN Versus IKEv2 310 AnyConnect SSL VPN Prerequisites on ASA 310 AnyConnect Licenses 311 Supported Operating Systems 311 Compatible Browsers 311 Administrative Privileges 311 Basic AnyConnect SSL VPN Configuration on ASA 312 Step 1: Installing an Identity Certificate 312 Step 2: Loading an AnyConnect Package 312 Loading an AnyConnect Package Using ASDM 313 Loading an AnyConnect Package Using CLI 314 Step 3: Enabling AnyConnect VPN Client SSL Access 315 Enabling AnyConnect VPN Using ASDM 315 Enabling AnyConnect VPN Using CLI 315 Step 4: Configuring a Group Policy 316 Configure Group Policy Using ASDM 317 Configure Group Policy Using CLI 318 Step 5: Configuring an AnyConnect Connection Profile 319 Configuring an AnyConnect Connection Profile Using ASDM 319 Configuring an AnyConnect Connection Profile Using CLI 320 Configuring a Group URL for an AnyConnect Connection Profile Using ASDM 322 Configuring a Group URL for an AnyConnect Connection Profile Using CLI 323 Step 6: Configuring User Authentication 324 Creating a AAA Server Group Using ASDM 324 Creating a AAA Server Group Using CLI 325 Adding RADIUS Servers to a AAA Server Group Using ASDM 325 Adding RADIUS Servers to a AAA Server Group Using CLI 326 Configuring a Connection Profile to Use the RADIUS Server Group Using ASDM 326 Configuring a Connection Profile to Use the RADIUS Server Group Using CLI 327 Step 7: Defining an Address Pool 328 Creating an Address Pool Using ASDM 328 Creating an Address Pool Using CLI 328 Applying the Address Pool to a Group Policy Using ASDM 329 Applying the Address Pool to a Group Policy Using CLI 330 AnyConnect Installation 330 Connecting from the AnyConnect Client 331 Extended AnyConnect SSL VPN Configuration on ASA 331 Configuring DNS and WINS Using ASDM 332 Configuring DNS and WINS Using CLI 332 Configuring Split Tunneling Using ASDM 333 Configuring Split Tunneling Using CLI 335 Configuring a Traffic Filter Using ASDM 335 Configuring a Traffic Filter Using CLI 336 AnyConnect IKEv2 VPN on ASA 337 Step 1: Enabling IPsec (IKEv2) 337 Configuring IPsec (IKEv2) Using ASDM 337 Configuring IPsec (IKEv2) Using CLI 338 Step 2: Configuring an AnyConnect Client Profile for IKEv2 340 Profile Storage 340 Creating AnyConnect Client Profile for IKEv2 Using ASDM 341 AnyConnect IKEv2 VPN on Routers 342 Step 1: Configuring PKI 343 Generating a Key Pair 343 Creating a Trustpoint 344 Trust Point Policy 344 Configuring a Trustpoint 345 Define Trust Policy 345 Disable FQDN 345 Importing the Root CA Certificate 345 Generating a Certificate Signing Request (CSR) 346 Importing the Signed Server Certificate 347 Step 2: Disabling the HTTP and HTTPS Servers on the Router 349 Step 3: Configuring AAA 349 Step 4: Creating an IKEv2 Authorization Policy 349 Step 5: Creating an IKEv2 Profile 350 Create New IKEv2 Profile 350 Identifying Match Criteria 350 RSA Certificate Authentication 351 Authenticating Remote Users 351 Authentication List 351 Virtual Template 351 AnyConnect Client Profile 351 Configuration Summary 351 Step 6: Creating a Virtual Template 352 Creating the AnyConnect Client Profile 353 AnyConnect Profile Editor 354 Copying to the Router 355 Reboot 356 Configuring Split Tunneling 357 Summary 357 References 358 Exam Preparation Tasks 358 Chapter 10 Troubleshooting Remote Access VPNs 362 "Do I Know This Already?" Quiz 363 Foundation Topics 365 Troubleshooting Clientless SSL VPNs on the ASA 366 Troubleshooting Categories 366 Step 0: SSL VPN Components 367 Step 1: Connectivity Troubleshooting 368 Troubleshooting Questions 368 Exam-Focused Connectivity Troubleshooting 368 ASA WebVPN Service 370 Troubleshooting Certificates 370 Applied Certificates 371 Full Certificate Chain 371 Correct Certificate 371 Certificate Debug Commands 371 The capture Command 372 Connectivity Troubleshooting Summary 372 Step 2: Login Troubleshooting 372 Connection Profile Group URL 373 Viewing Group URLs 373 Profile Selection 373 &nb