
642-648 VPN

Deploying Cisco ASA VPN Solutions (VPN)

Exam Number: 642-648 VPN
Last day to test: April 21, 2014
Associated Certifications: CCNP Security, Cisco ASA Specialist, Cisco IPS Specialist, Cisco VPN Security Specialist
Duration: 90 minutes (65-75 questions)
Available Languages: English, Japanese
Register: Pearson VUE
Exam Policies: Read current policies and requirements
Exam Tutorial: Review type of exam questions

The Deploying Cisco ASA VPN Solutions (VPN) exam is associated with the CCSP, CCNP Security, Cisco ASA Specialist and Cisco IPS Specialist certifications. This exam tests a candidate's knowledge and skills needed to deploy Cisco ASA-based VPN solutions. Successful candidates will be able to reduce risk to the IT infrastructure and applications using Cisco ASA VPN features, and provide detailed operations support for the Cisco ASA. Candidates can prepare for this exam by taking the Deploying Cisco ASA VPN Solutions (VPN) course.

Exam Topics

The following topics are general guidelines for the content that is likely to be included on the practical exam. However, other related topics may also appear on any specific delivery of the exam. In order to better reflect the contents of the exam and for clarity purposes, the following guidelines may change at any time without notice. The exam is closed book and no outside reference materials are allowed.

  • 25%     1.0   ASA VPN Configuration Components

      • 1.1   Identify ASA VPN licensing requirements
                1.1.a AC Essential
                1.1.b AC Premium
                1.1.c AC premium shared license
                1.1.d AC Mobile
                1.1.e Advanced Endpoint Assessment
                1.1.f Flex license
                1.1.g WSA license for AC WSA Secure Mobility
         
      • 1.2   Identify the components and features of AnyConnect 3.0
                Mobility (VPN, NAM, Web Sec (ScanSafe), Telemetry)
                1.2.a VPN
                1.2.b NAM
                1.2.c Web Sec (ScanSafe/WSA)
                1.2.d Posture Module and Standalone Host Scan Package
                1.2.e Telemetry
         
      • 1.3   Implement ASA VPN Connection Profiles, Group Policies,
                and User Policies
                1.3.a Policy Hierarchy/Inheritance
                1.3.b Default Policies
                1.3.c Connection Profiles/Group Policies/User
                         Policies Configurations
                1.3.d Implement basic access control and
                         split tunneling using ASDM
                1.3.e Connection Profile Lock
         
      • 1.4   Implement SCEP proxy operations using ASDM
                1.4.a SCEP proxy solution components
                1.4.b ASA SCEP proxy
         
      • 1.5   Implement Local and External VPN authorization using ASDM
                1.5.a Local (ASA) VPN authorization
                1.5.b VPN authorization using external policy servers
                1.5.c ACL, Web ACL, Group Policy restriction authorization policy
         
      • 1.6   Implement VPN session accounting using ASDM
                1.6.a VPN accounting using external RADIUS and TACACS+
         
      • 1.7   Implement CSD and Independent Host Scan operations
                using ASDM
                1.7.a CSD features
                1.7.b CSD Installation and Configurations and Customizations
                1.7.c Pre-Login Policies, Vault, Cache Cleaner, Host
                         Emulation Detection, Key Logger Detection
                1.7.d Pre AnyConnect 3.0 Host Scan and Post
                         AnyConnect 3.0 Independent Host Scan
                1.7.e Endpoint Assessment
                1.7.f Advanced Endpoint Assessment
         
      • 1.8   Implement DAP operations using ASDM
                1.8.a Policy Hierarchy - DAP rules over user and group
                         policies
                1.8.b DAP features and operations
                1.8.c Default DAP Access Policy
                1.8.d DAP configurations (attributes matching and
                         authorization parameters)
                1.8.e DAP records aggregation
                1.8.f Integration CSD with DAP
         
      • 1.9   Implement LOCAL CA operations for SSL VPNs using ASDM
                1.9.a ASA Local CA feature and limitations
                1.9.b ASA Local CA Operations and Configurations
         
      • 1.10   Implement certificate maps using ASDM
                  1.10.a Configure certificate mappings to match users to
                             tunnel groups based on the certificate fields
         
      • 1.11   Identify the ASA IPv6 VPN capabilities
                  1.11.a IPv6 VPN support on the ASA (8.3 IPv6 support
                             for IKEv1 S2S VPN)
         
      • 1.12   Monitor and verify the CLI commands resulting
                  from the various VPN configurations on the ASA
                  1.12.a Explain various VPN configurations CLI
                             commands and show outputs
         
  • 12%     2.0   ASA IPSec S2S VPN

      • 2.1   Implement a security high level design according to policy and
                environmental requirements by identifying Cisco ASA
                IPSec S2S VPN features and supporting technologies
                2.1.a IKEv1 vs IKEv2
                2.1.b Authentication methods
         
      • 2.2   Implement basic IPSEC S2S VPN operations with PSK and digital
                certificates using ASDM
                2.2.a IPSec S2S VPN configuration using PSK authentication
                2.2.b IPSec S2S VPN configuration using certificate
                         based authentication
         
      • 2.3   Implement basic IKEv2 based IPSEC S2S VPN operations
                using ASDM
                2.3.a IPSec IKEv2 based S2S VPN configuration
                         using PSK authentication
         
      • 2.4   Troubleshoot the initial provisioning IPSec S2S VPN applications
                due to misconfiguration
                2.4.a Use ASDM, show and debug CLI commands
                         to verify and troubleshoot IPSec S2S VPN operations
         
  • 13%     3.0   ASA EZ VPN

      • 3.1   Implement a security high level design according to policy and
                environmental requirements by identifying Cisco ASA VPN
                client features and supporting technologies
                3.1.a IPSec Client
                3.1.b AnyConnect 3.0 IPSec Support
                3.1.c IKEv1 vs IKEv2
                3.1.d Authentication methods
                3.1.e EZVPN servers hardware
                3.1.f EZVPN remote hardware
         
      • 3.2   Implement basic EZVPN server operations on the ASA using ASDM
                3.2.a IKE and IPsec policy
                3.2.b Group PSK, Certificate based authentication,
                         Hybrid Authentication
                3.2.c Extended user authentication
                3.2.d Client network settings
                3.2.e Basic access control
         
      • 3.3   Implement basic EZVPN remote operations on the ASA 5505
                using ASDM
                3.3.a Client mode vs. Network Extension Mode
                3.3.b Group PSK, Certificate based authentication,
                         Hybrid Authentication
                3.3.c User authentication options
                3.3.d Remote management
                3.3.e Device Pass-Through
                3.3.f IPSec over TCP
         
      • 3.4   Implement AnyConnect 3.0 IKEv2 RA VPN operations
                3.4.a AnyConnect IKEv2 IPSec RA VPN configurations
                3.4.b AnyConnect Profile Editor (ASDM integrated
                         and Stand Alone)
         
      • 3.5   Implement Client Services Server (CSS) feature
                3.5.a List the features enabled with Client Services Server for
                         AnyConnect IPSec (IKEv2) VPN
         
      • 3.6   Troubleshoot the initial provisioning IPSec RA VPN
                applications due to misconfiguration
                3.6.a Use ASDM, show and debug CLI commands
                         to verify and troubleshoot IPSec EZVPN operations
         
  • 13%     4.0   ASA AnyConnect SSL VPNs

      • 4.1   Implement a security high level design according to policy and
                environmental requirements by identifying Cisco ASA AnyConnect
                client features and supporting technologies
                4.1.a Pre and Post AnyConnect 3.0 SSL VPN features
                4.1.b Web Launch vs Stand-Alone
         
      • 4.2   Implement DTLS operations using ASDM
                4.2.a DTLS benefits and configuration
         
      • 4.3   Implement basic AnyConnect 3.0 full tunnel SSL VPN operations
                4.3.a Basic AnyConnect SSL VPN configurations
                4.3.b Web Launch configurations
         
      • 4.4   Troubleshoot AnyConnect SSL VPN operations using DART
         
      • 4.5   Implement AnyConnect Profiles using ASDM
                4.5.a AnyConnect Profile Options and Parameters
                          for AnyConnect SSL VPN operations
                4.5.b AnyConnect Profile Editor (ASDM integrated
                          and Stand Alone)
         
      • 4.6   Implement advanced authentication in AnyConnect Full Tunnel SSL
                VPNs (certificate/multi authentication) using ASDM
                4.6.a External AAA Authentication
                4.6.b Certificate Based Authentication
                4.6.c Advanced PKI Integrations
                4.6.d Multi Authentications
         
      • 4.7   Troubleshoot the initial provisioning Client-based SSL VPN
                applications due to misconfiguration
                4.7.a Use ASDM, show and debug CLI commands to verify
                         and troubleshoot AnyConnect SSL VPN operations
         
  • 28%     5.0   ASA Clientless SSL VPNs

      • 5.1   Implement a security high level design according
                to policy and environmental requirements by
                identifying Cisco ASA clientless SSL
                VPN features and supporting technologies
         
      • 5.2   Implement basic Clientless SSL VPN operations using ASDM
                5.2.a Provision identity cert for ASA
                5.2.b Connection profile
                5.2.c Group policy
                5.2.d Optional DNS settings
                5.2.e Local user authentication
         
      • 5.3   Implement advanced applications access using ASDM
                5.3.a Advanced application deployment options
                5.3.b Application plugins
                5.3.c Smart tunnels
         
      • 5.4   Implement the SSO features on the ASA in a clientless
                SSL VPN environment
                5.4.a Basic HTTP, NTLM, and FTP SSO authentication
                5.4.b Dedicated SSO server
         
      • 5.5   Implement advanced authentication in
                clientless SSL VPNs (certificate/multi
                authentication) using ASDM
                5.5.a Certificates issued by external CA
                5.5.b External AAA database
                5.5.c Multiple sequential authentication
         
      • 5.6   Manage the Clientless SSL VPN user interface and
                portal using ASDM
                5.6.a URL entry, bookmarks, and web-type ACLs
                5.6.b File server entries, file server browsing,
                      hidden CIFS share access
                5.6.c Custom home page via Smart Tunnel
         
      • 5.7   Implement Basic portal customization
                5.7.a Login page
                5.7.b Portal page
                5.7.c Logout page
                5.7.d Assign customization object to a connection profile
         
      • 5.8   Troubleshoot the initial provisioning of Clientless SSL
                VPN applications due to misconfiguration
                5.8.a SSL/TLS session checking
                5.8.b User authentication checking
                5.8.c Connection and group profile checking
         
  •   8%     6.0   SSL VPN High Availability

      • 6.1   Implement SSL and IPSEC VPN High Availability features
                6.1.a Redundant peering
                6.1.b Cluster load balancing
                6.1.c Active Standby failover
         
The following course is the recommended training for this exam.

    • Deploying Cisco ASA VPN Solutions (VPN)

    Courses listed are offered by Cisco Learning Partners, the only authorized source for Cisco IT training delivered exclusively by Certified Cisco Instructors. Check the List of Learning Partners for a Cisco Learning Partner nearest you.

    A variety of Cisco Press titles may be available for this exam. These titles can be purchased through the Cisco Marketplace Bookstore, directly from Cisco Press.
