Cisco CCNP Security: SIMOS eLearning

Start Date: January 01, 1970 – 12:00 AM (Pacific Time)

End Date: January 01, 1970 – 12:00 AM (Pacific Time)


Student financing options are available.

Transitioning military and Veterans, please contact us to sign up for a free consultation on training and hiring options.

Download PDF of Course Details

Course Description:

Cisco CCNP Security: SIMOS is an online training course that is part of the curriculum path leading to the Cisco Certified Network Professional Security (CCNP Security) certification. This course is designed to prepare network security engineers with the knowledge and skills they need to protect data traversing a public or shared infrastructure such as the Internet by implementing and maintaining Cisco VPN solutions. Students will gain hands-on experience with configuring and troubleshooting remote access and site-to-site VPN solutions, using Cisco ASA adaptive security appliances and Cisco IOS routers.

Exam Number: 300-209 SIMOS

Course Outline

Fundamentals of VPN Technologies and Cryptography

VPN Definition
Key Threats to WANs and Remote Access
Cisco Modular Network Architecture and VPNs
VPN Types
VPN Components
Secure Communication and Cryptographic Services
Cryptographic Algorithms
Cryptography and Confidentiality
Cryptography and Integrity
Cryptography and Authentication
Cryptography and Nonrepudiation
Keys in Cryptography
Public Key Infrastructure
Next-Generation Encryption
Dependencies in Cryptographic Services
Cryptographic Controls Guidelines
Deploying Secure Site-to-Site Connectivity Solutions

Site-to-Site VPN Topologies
Site-to-Site VPN Technologies
IPsec VPN Overview
Internet Key Exchange v1 and v2
Encapsulating Security Payload
IPsec Virtual Tunnel Interface
Dynamic Multipoint VPN
Cisco IOS FlexVPN
Overview of Point-to-Point IPsec VPNs on the Cisco ASA
Configuration Tasks for Basic Point-to-Point Tunnels on the Cisco ASA
Enable IKE on an Interface
Configure IKE Policy
Configure PSKs
Choose Transform Set and VPN Peer
Choose Traffic for VPN
Configuring Site-to-Site VPN with Connection Profiles Menu
Verify and Troubleshoot Basic Point-to-Point Tunnels on the Cisco ASA
Overview of Cisco IOS VTIs
Configure Static VTI Point-to-Point Tunnels
Verify Static VTI Point-to-Point Tunnels
Configure Dynamic VTI Point-to-Point Tunnels
Verify Dynamic VTI Point-to-Point Tunnels
Overview of Cisco IOS DMVPN
DMVPN Solution Components
DMVPN Operations
Types of Authentication
Configure DMVPN on Hub
Configure DMVPN on Spoke
Configure Routing in DMVPN
Verify DMVPN
Deploying Cisco IOS Site-to-Site FlexVPN Solutions

FlexVPN Overview
Public Key Infrastructure (PKI)
Site-to-Site VPN Topologies
FlexVPN Architecture
FlexVPN Configuration Overview
FlexVPN Capabilities
IKEv2 vs. IKEv1 Overview
IKEv2 Message Exchange
IKEv2 DoS Prevention
IKEv1 and IKEv2 Comparison
FlexVPN Use Cases
Point-to-Point FlexVPN
FlexVPN Configuration Blocks
IKEv2 Profile
Smart Defaults
Manipulating Default Values
Negotiating IKEv2 Proposals
Point-to-Point VPN Scenario with IPv4 Static Routes
Configure and Verify Point-to-Point VPN with IPv4 Static Routes
Point-to-Point VPN Scenario with OSPFv3
Configure and Verify Point-to-Point VPN with OSPFv3
Enroll Devices to ECDSA PKI
Configure Router for ECDSA
Configure ASA for ECDSA
Verify EC Key Pairs and Certificates
Verify IKEv2 SA
Verify IPsec SA
Verify Point-to-Point FlexVPN
Cisco IOS FlexVPN
IKEv2 Configuration Payload
Locally Managed Hub-and-Spoke Scenario
Configure a Spoke in a Hub-and-Spoke Scenario
Configure a Hub in a Hub-and-Spoke Scenario
Configuration Exchange
Verify and Troubleshoot Hub-and-Spoke FlexVPN
Spoke-to-Spoke Shortcut Scenario
Configure and Verify a Spoke in a Spoke-to-Spoke Shortcut Scenario
Configure and Verify a Hub in a Spoke-to-Spoke Shortcut Scenario
RADIUS-Managed FlexVPN Scenario
Verify Spoke-to-Spoke Shortcut Switching
Troubleshoot Spoke-to-Spoke Shortcut Switching
Deploying Client-less SSL VPN -Deploying AnyConnect VPN for Remote Access

SSL VPN Components
Overview of group policies and connection profiles
Basic Cisco Clientless SSL VPN
Solution Components
Configure ASA gateway
Configure basic authentication
Configure access control
Verify basic clientless SSL VPN
Troubleshoot basic clientless SSL VPN
Deploying Application Access options (plug-ins, smart tunnels)
Configure and verify plugins
Configure and verify smart tunnels
Troubleshoot plugins and smart tunnel
Advanced Authentication in Cisco Clientless SSL VPN Solution Components
Configure and verify Certificate based Authentication
Configure and Verify External Authentication
Troubleshoot Advanced Authentication in Clientless SSL VPN
Deploying Endpoint Security and Dynamic Access Policies

IP Address assignment
Split Tunneling
Basic Cisco AnyConnect SSL VPN
Solution Components
SSL VPN Server Authentication
SSL VPN Clients Authentication
SSL VPN Clients IP Address Assignment
SSL VPN Split Tunneling
Configure ASA for Basic AnyConnect SSL VPN
Configure Basic Cisco Authentication
Configure Access Control
Verify and Troubleshoot Basic Cisco AnyConnect SSL VPN
DTLS Overview
Parallel DTLS and TLS Tunnels
Configure DTLS
Verify DTLS
Cisco AnyConnect Client Configuration Management
Cisco AnyConnect Client Operating System Integration Options
Cisco AnyConnect Start Before Logon
Cisco AnyConnect Trusted Network Detection
Configure, Verify, and Troubleshoot Cisco AnyConnect Start Before Logon and Cisco AnyConnect Trusted Network Detection
AnyConnect Support for IPSec/IKEv2
Configure a Cisco AnyConnect IPsec/IKEv2 VPNs on a Cisco ASA Adaptive Security Appliance
Verify and Troubleshoot Cisco AnyConnect IPsec/IKEv2 VPNs on Cisco ASA
Cisco AnyConnect Advanced Authentication Scenarios
External Authentication
Certificate-Based Server Authentication
Configure and Verify Certificate-Based Client Authentication
SCEP Proxy Overview
SCEP Proxy Connection Flow
SCEP Proxy Configuration Procedure
Configure SCEP Proxy
Verify SCEP Proxy
Local Authorization Overview
Local Authorization Scenario
Local Authorization Configuration Procedure
Configure Local Authorization
External Authentication and Authorization Scenario
Configure External Authentication and Authorization
Troubleshoot Advanced Authentication and Authorization in Cisco AnyConnect VPNs
Endpoint Security and Dynamic Access Policies

Cisco HostScan Overview
Cisco HostScan Prelogin Assessment
Install Cisco HostScan
Configure Prelogin Criteria and Prelogin Policy
Configure Host Scan Endpoint Assessment
Configure Host Scan Advanced Endpoint Assessment
DAP Overview
Integrating DAP with Host Scan
Configuring DAP
Verifying and Troubleshooting DAP

Skills Learned

Describe the various VPN technologies and deployments as well as the cryptographic algorithms and protocols that provide VPN security.
Implement and maintain Cisco site-to-site VPN solutions.
Implement and maintain Cisco FlexVPN in point-to-point, hub-and-spoke, and spoke-to-spoke IPsec VPNs.
Implement and maintain Cisco clientless SSL VPNs.
Implement and maintain Cisco AnyConnect SSL and IPsec VPNs.
Implement and maintain endpoint security and dynamic access policies (DAP).

Who Should Attend This Course

Network security engineers
Individuals seeking the Cisco Certified Network Professional Security (CCNP Security) certification


Cisco Certified Entry Networking Technician (CCENT) certification
Cisco Certified Network Associate Security (CCNA Security) certification
Working knowledge of the Microsoft Windows operating system

Hands-On Labs

The following is a proposed list of labs. A final list will be published once the course is completed.

Lab 1: Configuring Configure Cisco Policy Protection (CPP) and Management Plane Protection (MPP)
Lab 2: Configure Traffic Telemetry Methods
Lab 3: Configure Layer 2 Data Plan Security
Lab 4: Configure Layer 2 Data Plan Security
Lab 5: Configure NAT on Cisco Adaptive Security Appliance (ASA) Firewall
Lab 6: Configure NAT on Cisco IOS Software
Lab 7: Configure Cisco ASA Access Policy
Lab 8: Configure Cisco ASA Application Inspection Policy
Lab 9: Configure Cisco ASA Botnet Traffic Filter
Lab 10: Configure Cisco ASA Identity Based Firewall
Lab 11: Configure Cisco IOS Software Zone-Based Firewall (ZBFW)
Lab 12: Configure Cisco IOS Software ZBFW Application Inspection Policy Lab Activity Solutions


  • Accessible 24x7x365 both from your PC and Mobile Device
  • Enjoy job placement assistance for the first 12 months after course completion.
  • This course is eligible for CCS Learning Academy’s Learn and Earn Program: get a tuition fee refund of up to 50% if you are placed in a job through CCS Global Tech’s Placement Division*
  • Government and Private pricing available.*

*For more details call: 858-208-4141 or email:;

NOTE: These are our Partner Delivered eLearning.