CCSP Cisco Secure PIX Firewall Advanced Exam Certification Guide (CCSP Self-Study) (2nd Edition)

If you have no experience with a Cisco PIX this book is a good start. It can help you select the proper model for your needs. Each model has different features that may or may not be important to your use. The differences are outline in a model by model summary followed by a complete comparison chart of the all the models.

Once you select your model you will need the basics to get going. The authors do a great job of covering the commands that you will need to get started. Examples highlight the usage, which helps when there are multiple arguments available for a single command.

As you progress through the book the subject matter increases in complexity, but the authors keep you informed. Cicso has built in the power to their operating system, but unleashing that power needs some explaining. The advanced commands are helpful since there are times when difficult configurations push us to the test. Having the insight to the power and proper use of certain commands and configurations help us overcome these obstacles.

I was impressed with the scenarios provided in the end. I like the way that the authors challenged me with their configurations and tested my skill and understanding. Their explanations have helped me to reconsider and change my configuration and setup to provide for a more secure network, which is something that we all need these days.

On the book's negative side I found quite a few errors in spelling and grammar. It seems to have been poorly proofread. I found the word "network" spelled "netowrk." How does that get by? My spellchecker corrected it for me, but somehow this made it passed the spellchecker used by the authors and was not caught by the proofreaders.

There are a few sections where I found some copy and paste errors. For example in the section regarding the Cisco 520, the body text reads "Cisco 515" in error. This leads to some confusion if you are not alert. It could easily lead you to believe the Cisco 515 can function the same as a Cisco 520, which is not always the case.

Another annoyance is the fact that some of the figures in the book do not use the same IP scheme as what is written in the text. It is as if the scenario or configuration was written and the figure was not updated to correspond, or vise versa. This makes it a little hard to follow along. I found it easier to correct the figure with a pen then to change the text.

Overall I feel that the book is a good reference guide, but does not make the cut for a study guide. There are too many errors that are distractions while studying. I should not need to hold a pen in my hand as I read along to make corrections. That is the job of proofreading.

Rating:
Summary: Don't waste your time
Review: I can't add much to the comments already posted here, except to support the view that this book is a waste of time and money. It will NOT help you pass the exam. Even if it covered all the material (in my estimation, it omits ~20% of the required curriculum), it still simply copies or paraphrases the (free) Cisco Configuration and Command Reference guides.

At best it's a waste of money, at worst it will give you a false sense of what is required for the exam.

Rating:
Summary: Worst Cisco Press Book
Review: I have been using Cisco Press books since 1998. I have achieved CCNA, CCDA, CCNP, CCDP all by self study using Cisco Press books combined with field experience and lab work. Prior to this book, I was overall satisfied with Cisco Press books and recommended others to use them. When I read this book, I was totally frustrated by the volume of incorrect information and syntax errors. This book was written by authors who are inexperienced with PIX product line. The technical reviewers have done a poor job too. Cisco Press should recall this book until a revised version is released.

The cover says this book is for 9E0-111 (expired) and 642-521. However, the book does not address FWSM and Pix Firewall MC at all. Both of these are 642-521 exam objective. Most command syntax are incorrect. Go to www.cisco.com, on the search engine type "Cisco PIX Firewall Command Reference". Pick the Version 6.2 command reference. Commands are listed by alphabetic order. Check the syntax there. In some sections, the book does not give enough information to get the job done. The list of errors is too long to put here but following is a sampler:

Chapter 4:
Page 49 under "Accessing the Cisco PIX Firewall with Secure Shell" it must be mentioned that the user needs to generate an RSA key pair before attempting to use an SSH client. Setup PIX hostname and domain-name and use "ca generate rsa key" followed by "ca save all", in addition to what has been said under this section otherwise SSH will fail.
Chapter 5:
Page 69, Sentence before the numbered items (1,2,3,4) says "The connection requires four different..." It should be "The connection requires three different..." TCP connection establishment is a 3-way handshake: SYN, ACK+SYN, ACK. So the fourth list should be merged to item 3 above. Also it uses starting TCP sequence number of 125 and 388. Note that this is an example and could be any other number (system dependent).
Page 73, Table 5-1 lists "Translations Commands". This table should be entirely re-written. Only the first 3 are the commands. Rest are argument keywords and variables (user specified values). All three commands (nat, global, and static) should be re-written separately with their own arguments or remove the table entirely.
Page 74, syntax for "global" command has "[global_ip]" indicating a single IP (as in PAT). The syntax should be corrected to indicate a range for NAT pool. The example below is correct, however.
Page 76, syntax for "static" command is wrong and incomplete. Why is the "static" command in "[]" to start with?
Page 77, syntax for "static" for port redirection is wrong.
Page 78, Example 5-1, access-list 101 line 1 and 3 has "[specific source]". I can understand this type of thing in syntax, but when output of a config is given, where did this come from? Mind replacing this with "any" or something more specific??
Chapter 6:
Page 101 lists 6 steps to enable DHCP Server on PIX. What is listed as "Step 1" should be the last step. If you try to do "Step 1" without doing "Step 2", PIX gives error "need to define address pool range first"
Chapter 7:
Page 115, under "nat 0 Command", it mentions the use of nat 0 but fails to mention one of the most important use of it, i.e., VPN configuration.
Page 121, Example 7-6, shows "object-group protocol_grp_citrix" it should be "object-group protocol protocol_grp_citrix" or "object-group protocol grp_citrix". It should be "protocol" keyword followed by protocol object group name.
Chapter 9:
Page 145, under "What is Required for a Failover Configuration", the sentence before the bullets say "Both must be the same for" and the last bullet says "Activation key". How can the activation key be the same on two PIX units? The activation key is unique to each individual unit. It should read "Activation key type" (e.g., both DES or 3DES). One important information that is missing is, one unit must have unrestricted license (UR) while the other unit can have failover license (FO) or restricted license (R) or yet another UR license. UR+FO is the most practical choice (cost wise).
Page 151, "Step 1" should be after "Step 6".
Chapter 10:
Page 162-163, Figure 10-3, 10-4 shows ESP and AH but neglects to mention that the packet format shown are for IPSec transport mode. PIX supports both transport and tunnel mode but tunnel mode is the default and is used mostly.
Page 163, under "NOTE" not sure what is implied. If it means you need DES/3DES, PIX 6.2 came with DES and can now be freely upgraded to 3DES by visiting cisco.com
Page 164, under "Internet Key Exchange (IKE)" the second sentence says "IKE is the short name for ISAKMP/Oakley". This is wrong. IKE is a combination of three different protocols: ISAKMP, Oakley, and SKEME
Page 165, under "NOTE" editors comment can be seen "Please change this sentence to read:". Way to go Cisco Press.
Page 177, all keywords "crypto-map" should be replaced with "crypto map" those are 2 separate keywords.
Page 177, before the "crypto map" command syntax the paragraph says "Normally you have at least 5 crypto-map entries with the same name". It should be 4 crypto map entries and the 5th one is to apply to the interface. As always syntax error on the 5th command syntax. There is no "seq-num" when applying to an interface.
NOTE: None of the configs in this chapter will work until you use the "nat 0" command to bypass IPSec traffic from being natted.
Page 184, "Cisco VPN Client" is misleading and incomplete.
Page 185, Table 10-8 should be frustrating to anybody new to PIX. You have to use "vpngroup group_name" and a space and one of the others in the following list, e.g., "vpngroup my_group_name address-pool my_pool_name"
** Word count of 1000 limits me from adding more to this list

Shamim Khan, BSEE, MSCS
NetPlus, Inc.

Rating:
Summary: This in no way gets you ready for the exam.
Review: I originally purchased this book with the intention of completing the 642-521 exam and earning my certification. As a command reference, this book is worthless. As for a certification study guide, many commands are not covered in the level of detail required to really understand them; some exam topics (such as AUS and the PIX Management Console) are not covered at all (much to my surprise when I took the exam). Like many of the other reviewers, I noticed several syntax errors throughout this book, which, rather than prepare me for the exam, only served to make me more confused. The Practice Exam questions that are on the included CD-ROM are just as bad as the book -- several questions respond incorrectly to the correct input (i.e. if you click on "none of the above", and the answer is "none of the above", you will still be marked incorrect even though the summary says that the answer was "none of the above"); other commands are listed with critical information (such as NAT or Global ID numbers) missing; other information is just flat-out wrong (they didn't seem to know the proper sequence of events for a TCP 3-way handshake!!!!). As for the topics that are covered, the authors only seem to cover enough to make the PIX work (that is, when the commands are syntactically correct) -- they do not go into much background information about what the commands are actually doing nor do they discuss much of the theory or implementation behind how the PIX actually handles traffic.

The only reason I can think of for publication of a book that is this bad is to increase revenue from test-takers -- since you WILL be taking the test more than once if you rely solely on this book.

All in all, I was very disappointed in this book and would not recommend it at all to other readers. I have had good luck with Sybex study material in the past and will be picking up their study guide shortly for my second attempt at the 642-521 exam.

Rating:
Summary: Decent book, but many errors.
Review: I used to work for the Cisco TAC supporting the PIX Firewall and am in the process of getting my CCSP. This book has been OK, but I have seen some pretty blatant errors. ... I've been gone from TAC for 3 years now and much of the bad information in this book was wrong even then. It's not like they made mistakes on new technology.

In any case, if you have experience with the PIX Firewalls, this will give you a good idea of what is going to be on the test. But don't use it as your sole resource. I've been using the Boson practice tests and they seem very solid so far.

If you don't have any experience with the PIX, BE CAREFUL and find other resources in addition to this. I haven't read any other current books on the PIX, so you may want to read the official documentation on Cisco's web site instead.

A couple of notes to add after taking the test. One big thing that is missing from this book and the exam outline from Cisco is that you will get questions about the PIX-specific CiscoWorks components. The PIX AUS and the PIX MC. Look for documentation on those on CCO and get the basics of what you can do with them before you take the exam.

Rating:
Summary: Not worth the money by a long shot
Review: The stated target audience of this book is the individual pursuing the CSPFA exam. Beyond the CSPFA exam, it is one of the CCSP Self-Study series titles suggested, by Cisco, to propel a person toward full CCSP certification. The text hits the bull's eye and fulfills its promise of test preparation. It addresses each topic of the exam at an in-depth level in a manner designed to empower the reader on exam day. Although it is a test preparation guide, the text also performs well as a practical guide. The authors provide several practical examples and even a sample firewall configuration for study and use. The reader will need at least a basic understanding of network routing concepts with a rudimentary network security knowledge base to fully utilize the text. The reader, who is seriously pursing a successful passing mark on the CSPFA exam, will find this book to be an invaluable resource.
As the authors, Greg Bastien and Christian Degu, build upon each paragraph and chapter, the configuration examples prove to be accurate and relevant. The illustrations enhance the learning experience, by conceptually cementing the topic through visual examples, where appropriate. As with any technical publication, a few examples may be worded incorrectly or even misapplied. However, even the typographical and editing mistakes will provide the reader with an opportunity to deepen knowledge, especially when the corrections necessary to give relevance are considered.
The Exam Certification Guide Companion CD-ROM includes the Exam Gear test, an electronic text of the book, and Internet links pulled directly from the text. Through the use of two separate modes for exam preparation, the Exam Gear test will prove to be very helpful to the reader. The PDF version of the book is convenient for study via workstation or PDA. Whether in written or electronic format, the authors perform wonderfully in their treatment of the subject. The reader should be on the look-out for other texts written by either author for both practical application and certification test study.
This title should be used to further the pursuit of the CCSP certification. The text plus exam preparation software will be most helpful in preparation for test day. Furthermore, this text has proven to aid in the field implementation of Cisco PIX units. A total of five successful PIX unit installations have been aided with the knowledge gleaned from the authors. The illustrations and practical applications are equally valuable both in the configuration of production Cisco PIX units and test preparation.
To either novice or expert, the printed text and companion CD will prove to be indispensable in CSPFA exam preparation and in practical implementation scenarios. The authors work is highly readable with an easy flowing writing style. The attention to technical detail is exacting with the written and electronic test review aids instructionally relevant. This title is strongly recommended for CSPF exam candidates and would rate a 5 of 5 score in value for the reader. The CCSP Cisco Secure PIX Firewall Advanced Exam Certification Guide is published by Cisco Press with ISBN number 1-58720-067-8.

Tim Feathers
CCNA, CCDA, CCNP, CCDP, MCSE

Rating:
Summary: Fair at best, very poor practice exam
Review: The study guide is only moderately valuable, and sometimes confusing. Worse, the practice exam is sometimes blatantly incorrect.

Example: What kind of protocol is easiest to spoof?
Possible answers: UDP, TCP, ICMP, All protocols, or DNS
The "correct" answer is "TCP is the more difficult to spoof..."

I've found a few other errors, making the practice test virtually useless. In the example, the given answer is correct for a different question. In some cases, the answer is actually wrong for the question.

I'm disappointed that an "official" study guide from Cisco Press has so many issues.

Rating:
Summary: Fair at best, very poor practice exam
Review: The study guide is only moderately valuable, and sometimes confusing. Worse, the practice exam is sometimes blatantly incorrect.

Example: What kind of protocol is easiest to spoof?
Possible answers: UDP, TCP, ICMP, All protocols, or DNS
The "correct" answer is "TCP is the more difficult to spoof..."

I've found a few other errors, making the practice test virtually useless. In the example, the given answer is correct for a different question. In some cases, the answer is actually wrong for the question.

I'm disappointed that an "official" study guide from Cisco Press has so many issues.

Rating:
Summary: Not worth the money by a long shot
Review: This book did not even come close to covering all the objectives on the exam. The book briefly mentions the topics of the Auto-update server, the Pix Management Console, and the FWSM.... and when I say briefly, I mean a single paragraph and that's it. Make sure you know these objectives before taking the test! I failed the test by less than 50 pts, I am pretty sure had I known these items I would have passed easily. Search on Cisco's site for the documentation on these topics and make sure you know how to configure them and what tabs do what. I have over a year configuring dozens of Pix's for customers and have to say I was pretty dissapointed that I failed not from the cabability of installing and configuring Pix's, but because I didn't know what the support tab in the Pix MC did etc. Hope you have better luck than me!