Cisco Secure VPN Exam Certification Guide - Cisco press

ii

CCSP Self-Study

CCSP Cisco Secure VPN Exam Certification Guide

John F. Roland and Mark J. Newcomb

Copyright © 2003 Cisco Systems, Inc.

Published by: Cisco Press

201 West 103rd Street Indianapolis, IN 46290 USA

All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in a review.

Printed in the United States of America 1 2 3 4 5 6 7 8 9 0

First Printing April 2003

Library of Congress Cataloging-in-Publication Number: 2002108141

ISBN: 1-58720-070-8

Warning and Disclaimer

This book is designed to provide information about selected topics for the CCSP Cisco Secure VPN exam. Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied.

The information is provided on an “as is” basis. The authors, Cisco Press, and Cisco Systems, Inc., shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the discs or programs that may accompany it.

The opinions expressed in this book belong to the authors and are not necessarily those of Cisco Systems, Inc.

Trademark Acknowledgments

All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Cisco Press or Cisco Systems, Inc., cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.

Feedback Information

At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members from the professional technical community.

Readers’ feedback is a natural continuation of this process. If you have any comments regarding how we could improve the quality of this book, or otherwise alter it to better suit your needs, you can contact us through e-mail at feedback@ciscopress.com. Please make sure to include the book title and ISBN in your message.

We greatly appreciate your assistance.

iii

Cisco Systems has more than 200 offices in the following countries. Addresses, phone numbers, and fax numbers are listed on the Cisco Web site at www.cisco.com/go/offices

Switzerland • Taiwan • Thailand • Turkey • Ukraine • United Kingdom • United States • Venezuela • Vietnam Zimbabwe

Copyright © 2000, Cisco Systems, Inc. All rights reserved. Access Registrar, AccessPath, Are You Ready, ATM Director, Browse with Me, CCDA, CCDE, CCDP, CCIE, CCNA, CCNP, CCSI, CD-PAC, CiscoLink, the Cisco NetWorks logo, the Cisco Powered Network logo, Cisco Systems Networking Academy, Fast Step, FireRunner, Follow Me Browsing, FormShare, GigaStack, IGX, Intelligence in the Optical Core, Internet Quotient, IP/VC, iQ Breakthrough, iQ Expertise, iQ FastTrack, iQuick Study, iQ Readiness Scorecard, The iQ Logo, Kernel Proxy, MGX, Natural Network Viewer, Network Registrar, the Networkers logo, Packet, PIX, Point and Click Internetworking, Policy Builder, RateMUX, ReyMaster, ReyView, ScriptShare, Secure Script, Shop with Me, SlideCast, SMARTnet, SVX, TrafficDirector, TransPath, VlanDirector, Voice LAN, Wavelength Router, Workgroup Director, and Workgroup Stack are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, Empowering the Internet Generation, are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, Cisco, the Cisco Certified Internetwork Expert Logo, Cisco IOS, the Cisco IOS logo, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Collision Free, Enterprise/Solver, EtherChannel, EtherSwitch, FastHub, FastLink, FastPAD, IOS, IP/TV, IPX, LightStream, LightSwitch, MICA, NetRanger, Post-Routing, Pre-Routing, Registrar, StrataView Plus, Stratm, SwitchProbe, TeleRouter, are registered trademarks of Cisco Systems, Inc. or its affiliates in the U.S. and certain other countries.

All other brands, names, or trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0010R)

iv

About the Authors

John F. Roland, CCNA, CCDA, CCNP, CCDP, CSS-1, MCSE, is a security specialist who works for Ajilon Consulting. John has worked in the IT field for more than 22 years, from COBOL programming on IBM mainframes to LAN/WAN design and implementation on United States military networks and, more recently, to the development of Cisco and Microsoft certification training materials. John’s current assignment has him designing and implementing enterprise network certification testing at one of the largest banks in America.

John holds a bachelor’s degree in accounting from Tiffin University, Tiffin, Ohio, with minors in math and electrical engineering from General Motors Institute, Flint, Michigan.

Mark J. Newcomb is the owner and lead security engineer for Secure Networks in Spokane, Washington. Mark has over 20 years of experience in the networking industry, focusing on the financial and medical industries. The last six years have been devoted to designing security solutions for a wide variety of clients throughout the Pacific Northwest. Mark was one of the first people to obtain the CCNA certification from Cisco and has since obtained CCDA, CCNP, and CCDP certifications. He is the co-author of Cisco Secure Internet Security Solutions, published by Cisco Press, and two other networking books. He has been a technical reviewer on over 20 texts regarding networking for a variety of publishers. He can be reached by e-mail at mnewcomb@wanlansecurity.com.

About the Technical Reviewers

Scott Chen has worked in the IT field for the past seven years holding various positions, including senior NT engineer, senior network engineer, and lead network engineer/network manager. Scott is currently a lead network engineer/network manager at Triad Financial Corporation, which is a wholly owned subsidiary of Ford Motor. He has implemented VPN solutions for remote access and LAN-to-LAN for several enterprises. Scott has extensive experience designing, implementing, and supporting enterprise networks and working with various technologies that Cisco offers, including routing, switching, security, content switching, wireless, BGP, EIGRP, and NAT. Scott graduated from the University of California, Irvine, with a bachelor’s degree. He also holds several certifications, including MCSE, CCNA, CCNP, and CCIE Written/Qualification. Scott can be reached through e-mail at scottchen@cox.net.

Gert Schauwers is a triple Cisco Certified Internet Expert (CCIE No. 6942)—Routing and Switching, Security, and Communication and Services. He has more than four years experience in internetworking and holds an Engineering degree in Electronics/Communication. Gert is currently working in the Brussels CCIE lab where he’s a proctor and content engineer for the Routing and Switching, Security, and Communication and Services exams.

Thomas Scire has been working in the network infrastructure industry since 1996. Thomas specializes in LAN, WAN, security, and multiservice infrastructure from Cisco Systems, Checkpoint, and Nokia. Thomas works for Accudata Systems, Inc., an independent IT professional services and solutions firm that specializes in enterprise network and security infrastructure. Some of his more notable projects include enterprise VPN and IP telephony deployments and an international Voice over Frame Relay network deployment. Thomas holds a bachelor’s degree in Computer Engineering from Polytechnic University and holds several certifications, including Cisco CCNA/CCDA, Cisco IP Telephony Design Specialist, Checkpoint Certified Security Engineer, Checkpoint Certified Security Instructor, and Nokia Security Administrator.

v

Dedications

From John Roland:

This book is dedicated to my wife of 28 years, Mariko, and to our son, Michael, for their understanding and support. Their steady love and encouragement has kept me on target through some trying times during the development of this book. You’re the greatest! I further dedicate this book to my late parents, Hazel and Forrest Roland, for nurturing me, teaching me right from wrong, setting a shining example of a loving partnership, and showing me the benefits of a good day’s work. I like to believe that they will be kicking up their heels together throughout eternity.

From Mark Newcomb:

This book is dedicated to my wife, Jacqueline, and my daughter, Isabella Rumiana. Jacqueline’s patience and understanding while I am in the process of writing never fails to amaze me.

vi

Acknowledgments

From John Roland:

Writing this book has provided me with an opportunity to work with some very fine individuals. I want to thank Brett Bartow from Cisco Press for believing in the project and for getting the ball rolling. I would also like to thank him for turning this project over to Michelle Grandin, Cisco Press, for editorial support. Michelle helped me in many ways during this project and was always there to lend an encouraging word or a guiding hand. Dayna Isley, Cisco Press, provided developmental guidance and feedback and was way too easy on my less-than-perfect submissions, and I want to thank her for turning the work into a professional document. It has been a real pleasure to work with you three over these several months.

Next, I would like to thank my co-author, Mark Newcomb, for stepping in to author half of this book when personal problems brought me to a standstill. Thank you, Mark, for your professionalism and expertise and for helping to bring this project to fruition.

I would also like to thank the technical reviewers, Gert Schauwers, Scott Chen, and Thomas Scire for their comments, suggestions, and careful attention to detail. Without their help, this book would not be the valuable resource that it has become. Thank you all.

From Mark Newcomb:

I heartily acknowledge John Roland’s contribution to this effort and thank him for inviting me to assist in this endeavor.

No text of any size is ever truly a work of just the authors. After nearly five years of writing, technical editing, and working with a variety of publishers, I commend every employee of Cisco Press. Michelle Grandin, Dayna Isley, John Kane, and Brett Bartow are people at Cisco Press I have come to know and respect for their professional efforts. I also want to give special thanks to Tammi Ross. Within any organization, there is one individual that seems to be able to solve any unsolvable problem. Tammi has proven herself to be that person at Cisco Press.

The technical reviewers working with Cisco Press are world class. Technical reviewers are the most valuable assets a good publisher can have. They do not receive the recognition or compensation that they so richly deserve. I thank Gert Schauwers, Scott Chen, and Thomas Scire for their efforts to make this work what it is today.

vii

Contents at a Glance

viii

Table of Contents

Introduction xvii

ix

Chapter 4 Configuring Cisco VPN 3000 for Remote Access Using Preshared Keys 125

Configuring IPSec with Preshared Keys Through the VPN 3000 Concentrator Series Manager 152

Advanced Configuration of the VPN Concentrator 169