Cisco Secure VPN Exam Certification Guide (Cisco Press)
Chapter 6: Configuring the Cisco VPN Client Firewall Feature
22. What is another name for the Stateful Firewall client that is a part of the Cisco VPN Client?
23. From the VPN Client, where can you view the secured routes that are enabled to the client?
24. What is meant by the term Packets bypassed on the Statistics tab of the Connection Status screen?
25. On the VPN 3000 Concentrator Series devices, you configure the client firewall properties on the Client FW tab of the Configuration | User Management | Groups | Add (or Modify) screen. You can only select one firewall policy from that screen. What are the three types of firewall policies that you can choose from the Client FW tab?
Scenarios
Scenario 6-1
In Scenario 6-1, you connect a VPN Client to the VPN concentrator. You do this with and without a firewall installed on the client.
Your tasks are as follows:
1. Configure the concentrator to accept a VPN connection with an optional firewall on the client.
2. Configure the client with the Stateful Firewall feature off and then connect. Did you get a message stating that a firewall should be used?
3. Reconfigure the client with the Stateful Firewall feature on and retest the connection. Did you still get the message regarding the firewall usage? Why not?
4. Configure a filter on the concentrator.
5. Configure the concentrator to require a firewall and push the filter to the client. Test both configurations on the client. What happens? Why?
6. Reconfigure the concentrator to use AYT. Test both configurations on the client. What happens? Why?
Scenario 6-1 Answers
The following answers pertain to the tasks presented in the previous section:
1. Configure the concentrator to accept a VPN connection with an optional firewall on the client in accordance with the text. Choose the Custom Firewall option on the Client FW tab on the Configuration | User Management | Groups | Modify screen to set the firewall option.
2. You should receive a message because the Firewall Optional configuration sends a message to the client stating that a firewall should be used if it is not there. However, you should be able to connect.
3. Setting the Stateful Firewall (Always On) feature to be enabled should have eliminated the message received from the concentrator.
4. See Number 5.
Exam Topics Discussed in This Chapter
This chapter covers the following topics, which you need to master in your pursuit of certification as a Cisco Certified Security Professional:
25. Monitoring the Cisco VPN 3000 Series Concentrator
26. Administering the Cisco VPN 3000 Series Concentrator
Chapter 7: Monitoring and Administering the VPN 3000 Series Concentrator
This chapter deals with administering and monitoring the VPN 3000 Series Concentrator. Among these tasks are using preshared keys, configuring policies, and automatically updating the client, which are all tasks that you should master in order to pass the exam.
This text guides you through most of the administering and monitoring options on the 3000 concentrators. Although not every single screen is examined, the vast majority of the screens and options are shown within this chapter. The items skipped are those whose screens are so similar to others that including them would be redundant or of little value. One example of this is the statistics section, where only a sample of the available statistics screens is shown; however, it will still benefit you in your daily activities to familiarize yourself with all of the available screens and options. The more thorough your knowledge of the system, the easier it becomes to use.
How Best to Use This Chapter
By taking the following steps, you can make better use of your time:
• Keep your notes and answers for all your work with this book in one place for easy reference.
• Take the “Do I Know This Already?” quiz, and write down your answers. Studies show retention is significantly increased through writing facts and concepts down, even if you never look at the information again.
• Use the diagram in Figure 7-1 to guide you to the next step.
“Do I Know This Already?” Quiz
Table 7-1 Score Sheet for Quiz and Quizlets

Quizlet Number | Foundation Topics Section Covering These Questions | Questions | Score
1 | Administering the Cisco VPN 3000 Series Concentrator | 1–5 |
2 | Monitoring the Cisco VPN 3000 Series Concentrator | 6–10 |
All questions | | 1–10 |
1. What screen is used to set the password for the administrator?
2. You wish to limit HTTP access to the concentrator to hosts on the same subnet as the inside interface of the concentrator. What is the format of the access control list?
3. What types of AAA servers can the VPN 3000 Series Concentrator use for authenticating management sessions?
4. What is the upper limit for a management session timeout?
5. What form of encryption may be used on a configuration file?
6. On what screen can routes be cleared?
7. Where can you see the CPU utilization on a Cisco 3000 Series Concentrator?
8. Where can you troubleshoot an IPSec connection?
9. Where can you troubleshoot TCP/IP connections?
10. Where can you see the number of collisions on an Ethernet interface?
The answers to this quiz are listed in Appendix A, “Answers to the ‘Do I Know This Already?’ Quizzes and Q&A Sections.” The suggestions for your next steps, based on quiz results, are as follows:
• 6 or less overall score—Read the entire chapter, including the “Foundation Topics” and “Foundation Summary” sections, and the “Q&A” section.
• 7–8 overall score—Begin with the “Foundation Summary” section, and continue with the “Q&A” section. If you are having difficulty with a particular subject area, read the appropriate section in the “Foundation Topics” section.
• 9–10 overall score—If you feel you need more review on these topics, go to the “Foundation Summary” section, and then to the “Q&A” section. Otherwise, skip this chapter and go to the next chapter.
Administering the Cisco VPN 3000 Series Concentrator
26 Administering the Cisco VPN 3000 Series Concentrator
To administer the Cisco VPN Concentrator, point your web browser at the IP address of your concentrator. Alternatively, if your DNS server resolves the host name, you may enter the host name of the concentrator instead. You will see a screen similar to that shown in Figure 7-2. Once this screen is shown, enter a username and password. Later in this chapter you learn how to administer users and passwords. Click the Login button to continue.
Figure 7-2 Concentrator Login
Once you have logged into the concentrator, you will be presented with the main screen, as shown in Figure 7-3. This screen allows you to configure, administer, or monitor the concentrator. For purposes of this chapter, you will focus on the Administration and Monitoring options. Click the Administration link to start administering the concentrator.
Figure 7-3 Main Screen