
Cisco Secure VPN Exam Certification Guide (Cisco Press)
Exam Topics Discussed in This Chapter
This chapter covers the following topics, which you need to master in your pursuit of certification as a Cisco Certified Security Professional:
27 Cisco VPN 3002 Hardware Client remote access with preshared keys
28 Overview of VPN 3002 interactive unit and user authentication feature
29 Configuring VPN 3002 integrated unit authentication feature
30 Configuring VPN 3002 user authentication
31 Monitoring VPN 3002 user statistics

Chapter 8
Configuring Cisco 3002 Hardware Client for Remote Access
This chapter deals with configuring the VPN 3002 Hardware Client for remote access. These configuration tasks include using preshared keys, setting the VPN 3002 Hardware Client to use Client or Network Extension mode, and setting up individual user authentication.
Chapter 3, “Cisco VPN 3000 Concentrator Series Hardware Overview,” gave a brief overview of Cisco’s VPN 3002 Hardware Client. From that discussion, you might remember that the VPN 3002 Hardware Client is a full-featured VPN client designed for a small office/home office (SOHO) environment, supports a single IPSec tunnel from its public interface, and can be purchased with an integral 8-port 10/100-Mbps auto-sensing switch.
The private interface supports standard Ethernet and Fast Ethernet and does not require a VPN software client on connecting user devices such as workstations and printers. That means that almost any device running any operating system that supports Ethernet can connect to the VPN 3002 Hardware Client. This permits a small office to use a mixture of operating systems, such as Windows, Mac OS, Linux, Solaris, NetWare, or others, through a common Ethernet interface to transmit across a secure VPN tunnel. The VPN 3002 Hardware Client can support up to 253 concurrent users across the single VPN tunnel.
The VPN 3002 Hardware Client establishes the VPN tunnel with the head-end concentrator and performs all IPSec functions, relieving attached PCs of that processing load. This configuration simplifies administration at the remote site because the individual user workstations do not need to be high-end machines and do not require an IPSec client; IPSec software or hardware updates need only be applied to the VPN 3002 Hardware Client. Note the flip side: because the hardware client terminates the tunnel, traffic between the attached hosts and the VPN 3002 on the private LAN is not protected by IPSec, so that LAN segment must be trusted.
You can configure the VPN 3002 Hardware Client in one of two operating modes: Client mode and Network Extension mode. In Client mode, all the end-user devices connecting to the VPN 3002 Hardware Client are invisible beyond the hardware client because their DHCP-acquired IP addresses are translated to the single IP address the head-end assigns to the hardware client, using Port Address Translation (PAT); in this mode the VPN 3002 Hardware Client behaves like a software client. In Network Extension mode, by contrast, the private network behind the VPN 3002 is routed across the tunnel unchanged, so hosts at the central site can initiate connections to devices at the remote office.
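The reachability difference between the two modes is the one that decides most deployments (it is also the point behind quiz question 2 below). The following Python is an added illustration, not code from the book or from Cisco: it models a Client-mode PAT table and a Network Extension-mode routed subnet and checks, for each, whether a central-site host can open a session to a device behind the hardware client. The addresses, ports, the assigned tunnel address and the class and function names are all constructed for the example.

```python
"""Client mode (PAT) versus Network Extension mode on the VPN 3002.

Added illustration, not code from the book. It models only the reachability
difference between the two modes; addresses, ports and the head-end-assigned
tunnel address are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class ClientModePAT:
    """Client mode: the 3002 behaves like a software client. It receives one
    address from the head-end (tunnel_ip) and translates every inside host to
    it, so the central site only ever sees tunnel_ip, and only replies to
    sessions that were opened from the inside are forwarded back in."""
    tunnel_ip: str
    next_port: int = 10000
    out_map: dict = field(default_factory=dict)   # (inside_ip, inside_port) -> translated port
    in_map: dict = field(default_factory=dict)    # translated port -> (inside_ip, inside_port)

    def outbound(self, pkt: Packet) -> Packet:
        """Translate an inside host's packet to the single tunnel address."""
        key = (pkt.src, pkt.sport)
        if key not in self.out_map:
            self.out_map[key] = self.next_port
            self.in_map[self.next_port] = key
            self.next_port += 1
        return Packet(self.tunnel_ip, self.out_map[key], pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """De-translate a reply; unsolicited traffic has no table entry and is dropped."""
        key = self.in_map.get(pkt.dport)
        if pkt.dst != self.tunnel_ip or key is None:
            return None
        inside_ip, inside_port = key
        return Packet(pkt.src, pkt.sport, inside_ip, inside_port)


@dataclass
class NetworkExtensionMode:
    """Network Extension mode: the private subnet is routed over the tunnel
    unchanged, so central-site hosts can open connections into it. That is
    what a remote-control tool reaching a specific remote PC requires."""
    private_net: str   # constructed, e.g. "192.168.10.0/24"

    def outbound(self, pkt: Packet) -> Packet:
        return pkt

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        net = ipaddress.ip_network(self.private_net)
        return pkt if ipaddress.ip_address(pkt.dst) in net else None


def reachable_from_central_site(mode, inside_host: str, port: int) -> bool:
    """Can a central-site host (constructed 10.0.0.20) start a session to inside_host?
    In Client mode the central site can only address the tunnel IP."""
    target = inside_host if isinstance(mode, NetworkExtensionMode) else mode.tunnel_ip
    return mode.inbound(Packet("10.0.0.20", 50000, target, port)) is not None


if __name__ == "__main__":
    pat = ClientModePAT(tunnel_ip="10.1.1.50")
    nem = NetworkExtensionMode("192.168.10.0/24")
    print("Client mode, central site -> 192.168.10.5:5631 reachable:",
          reachable_from_central_site(pat, "192.168.10.5", 5631))   # False
    print("Network Extension mode, same target reachable:",
          reachable_from_central_site(nem, "192.168.10.5", 5631))   # True
```

Run it as a script to see the two answers side by side; outbound-then-reply through the PAT table succeeds in both modes, and only the central-site-initiated connection distinguishes them.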


“Do I Know This Already?” Quiz 361
Figure 8-1 How To Use This Chapter
[Flowchart: Take “Do I Know This Already?” Quiz → Score? Low: Read Chapter. Medium: Review Foundation Topics Using Charts and Tables. High: Want More Review? Yes: Review Foundation Summary; No: Go To Next Chapter. The Read and Review paths continue to Perform End-of-Chapter Q&A and Scenarios, then Go To Next Chapter.]
“Do I Know This Already?” Quiz
The purpose of the “Do I Know This Already?” quiz is to help you decide what parts of the chapter to use. If you already intend to read the entire chapter, you do not need to answer these questions now.
This 15-question quiz helps you determine how to spend your limited study time. The quiz is sectioned into five smaller “quizlets,” which correspond to the five major topic headings in this chapter. Figure 8-1 outlines suggestions on how to spend your time in this chapter based on your quiz score. Use Table 8-1 to record your scores.

362 Chapter 8: Configuring Cisco 3002 Hardware Client for Remote Access
Table 8-1 Score Sheet for Quiz and Quizlets

Quizlet Number   Foundation Topics Section Covering These Questions                       Questions   Score
1                Cisco VPN 3002 Hardware Client remote access with preshared keys          1–3
2                Overview of VPN 3002 interactive unit and user authentication feature     4–6
3                Configuring VPN 3002 integrated unit authentication feature               7–9
4                Configuring VPN 3002 user authentication                                  10–12
5                Monitoring VPN 3002 user statistics                                       13–15
All questions                                                                              1–15
1. What screen is used on the head-end concentrator to demand the use of preshared keys?
2. You need to allow the main office to use PC Anywhere to connect to three separate machines at the remote office over the VPN. What mode must you use?
3. You are using individual authentication in PAT mode. Your tunnel is established but the user cannot log in. What is the first item you should examine?
4. What are the disadvantages in a large network (over 100 users) of using individual authentication with the internal authentication server in a VPN 3005 Concentrator?

5. You are the second user to connect through a VPN 3002 Hardware Client for which interactive hardware client and individual user authentication have been configured. What authentication information will you be required to enter?
6. You can use a static configuration for authenticating the VPN 3002 Hardware Client with the head-end concentrator. Why would you want to use interactive hardware client authentication?
7. Where is interactive hardware client authentication configured?
8. What authentication method is used for interactive hardware client authentication?
9. What must you configure on the VPN 3002 Hardware Client in order to use interactive hardware client authentication?
10. The HW Client tab of the Configuration | User Management | Groups | Modify (or Add) screen is used to configure individual user authentication. What other two attributes for individual user authentication can you set on this screen?

11. What is the default session idle timeout when using individual user authentication?
12. When individual user authentication is enabled, what initial screen are you directed to when you first try to establish a browser connection to an address in the private network of the head-end concentrator?
13. What VPN 3002 Hardware Client Manager screen can you use to quickly try to connect to the head-end concentrator?
14. What VPN 3002 Hardware Client Manager screen can you use when you want to view IKE Phase 1 and IPSec Phase 2 connection statistics?
15. What VPN 3002 Hardware Client Manager screen can you use if you suspect that DNS problems are interfering with user communications?

The answers to this quiz are listed in Appendix A, “Answers to the ‘Do I Know This Already?’ Quizzes and Q&A Sections.” The suggestions for your next steps, based on quiz results, are as follows:
• 9 or less overall score—Read the entire chapter, including the “Foundation Topics” and “Foundation Summary” sections, the “Q&A” section, and the scenarios at the end of the chapter.
• 10–11 overall score—Begin with the “Foundation Summary” section, continue with the “Q&A” section, and then the scenarios. If you are having difficulty with a particular subject area, read the appropriate section in the “Foundation Topics” section.
• 12–15 overall score—If you feel you need more review on these topics, go to the “Foundation Summary” section, the “Q&A” section, and then the scenarios. Otherwise, skip this chapter and go to the next chapter.

Foundation Topics
Configure Preshared Keys
27 Cisco VPN 3002 Hardware Client remote access with preshared keys
31 Monitoring VPN 3002 user statistics
Setting the head-end concentrator and the VPN 3002 Hardware Client to use preshared keys is easy. Preshared keys must be at least 4 characters and no more than 32 characters in length and can contain a combination of letters and numbers, but not special characters. Treat 4 characters as a floor, not a target: the group preshared key is the only secret that authenticates IKE Phase 1 for every VPN 3002 in the group, and anyone who learns or guesses it can bring up a tunnel as a member of that group, so use a long, randomly generated key and change it if a hardware client is lost or decommissioned. Start on the head-end concentrator. Navigate to the Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN | Add screen, as shown in Figure 8-2. (You will actually go to either the Modify or the Add screen, depending on whether you are modifying an existing connection or creating a new one. Both screens are identical except for the title.)
On this screen, name the connection to_seattle. Then choose the interface, set the IP address of the peer, and select preshared keys for authentication. Set the preshared key to mysharedkey (a placeholder for this walkthrough; a production key should be random and close to the 32-character limit). Choose ESP/MD5/HMAC-128 for packet authentication and set the encryption to 168-bit 3DES; both are considered legacy algorithms today, so pick the strongest combination your software release offers.
On the VPN 3002 Hardware Client, navigate to the Configuration | System | Tunneling Protocols | IPSec screen, as shown in Figure 8-3. Here, you enter the remote server IP address, whether to use IPSec over TCP, and the TCP port to use; the default is IPSec over UDP. Make sure that the Use Certificate box is not checked, because you are using preshared keys; for the same reason, the Certificate Transmission choices do not matter. Enter the group name and the group password (it must match the preshared key configured on the head-end), and verify the password. Next, enter the user name and user password, and verify the password. This completes the configuration process.
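The key rules above make it easy to choose a key that passes the concentrator's checks yet falls in seconds. The following Python is an added example, not code from the book or from Cisco. It assumes that Phase 1 for a group preshared key is negotiated with IKEv1 aggressive mode (the exchange Cisco's group-name/group-password remote-access model relies on) and with MD5 as the Phase 1 hash, so that the prf is HMAC-MD5 as in RFC 2409; it rebuilds the responder's HASH_R from constructed, not captured, handshake values and recovers the chapter's example key from a short wordlist, then shows the policy check and random-key generation to use instead. The handshake fields, the wordlist and every function name are assumptions of the example.

```python
"""Why the chapter's 4-character preshared-key floor is far too low.

Added example, not code from the book. It models the IKEv1 aggressive-mode
offline attack on a group preshared key (RFC 2409: SKEYID and HASH_R with
HMAC-MD5 as the prf, an assumption for this example) over constructed
handshake values, then shows the policy check and key generation a
practitioner would apply instead.
"""
import hashlib
import hmac
import itertools
import math
import secrets
import string

# Key policy exactly as the chapter states it: 4 to 32 characters, letters
# and digits only.
PSK_ALPHABET = string.ascii_letters + string.digits
PSK_MIN_LEN, PSK_MAX_LEN = 4, 32


def psk_policy_ok(psk: str) -> bool:
    """True when the key satisfies the concentrator's stated length and charset rules."""
    return PSK_MIN_LEN <= len(psk) <= PSK_MAX_LEN and all(c in PSK_ALPHABET for c in psk)


def psk_keyspace_bits(length: int) -> float:
    """log2 of the number of alphanumeric keys of this length (best-case entropy)."""
    return length * math.log2(len(PSK_ALPHABET))


def generate_psk(length: int = PSK_MAX_LEN) -> str:
    """A uniformly random policy-compliant key; 32 characters is about 190 bits."""
    return "".join(secrets.choice(PSK_ALPHABET) for _ in range(length))


def prf(key: bytes, data: bytes) -> bytes:
    """IKE prf for an MD5 hash proposal: HMAC-MD5 (RFC 2409 section 3.2)."""
    return hmac.new(key, data, hashlib.md5).digest()


def aggressive_mode_hash_r(psk: str, hs: dict) -> bytes:
    """Responder's HASH_R in aggressive mode with preshared-key authentication:
         SKEYID = prf(psk, Ni_b | Nr_b)
         HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)
    Everything here except psk travels in cleartext in messages 1 and 2, so a
    passive observer can test candidate keys offline."""
    skeyid = prf(psk.encode(), hs["ni"] + hs["nr"])
    return prf(skeyid, hs["gxr"] + hs["gxi"] + hs["cky_r"] + hs["cky_i"]
               + hs["sai_b"] + hs["idir_b"])


def constructed_handshake() -> dict:
    """Fixed stand-ins for the cleartext aggressive-mode fields (constructed, not captured)."""
    return {
        "ni": bytes(range(16)), "nr": bytes(range(16, 32)),        # nonces
        "gxr": b"\xaa" * 128, "gxi": b"\x55" * 128,                # DH public values
        "cky_r": b"\x01\x02\x03\x04\x05\x06\x07\x08",              # ISAKMP cookies
        "cky_i": b"\x11\x12\x13\x14\x15\x16\x17\x18",
        "sai_b": b"\x00\x00\x00\x01",                              # SA payload body stand-in
        "idir_b": b"\x01\x00\x00\x00" + b"192.0.2.1",              # ID payload body stand-in
    }


def crack_psk(target_hash_r: bytes, hs: dict, wordlist, brute_max_len: int = 0):
    """Offline recovery: try a wordlist first, then every alphanumeric key up
    to brute_max_len characters. Returns the key, or None if not found."""
    for cand in wordlist:
        if aggressive_mode_hash_r(cand, hs) == target_hash_r:
            return cand
    for length in range(1, brute_max_len + 1):
        for chars in itertools.product(PSK_ALPHABET, repeat=length):
            cand = "".join(chars)
            if aggressive_mode_hash_r(cand, hs) == target_hash_r:
                return cand
    return None


# Constructed wordlist: the chapter's own example key is exactly the kind of
# value an attacker tries first.
SAMPLE_WORDLIST = ["cisco", "cisco123", "vpn3002", "password1", "mysharedkey"]


if __name__ == "__main__":
    hs = constructed_handshake()
    observed = aggressive_mode_hash_r("mysharedkey", hs)   # what a sniffer would see
    print("policy ok:", psk_policy_ok("mysharedkey"))
    print("recovered:", crack_psk(observed, hs, SAMPLE_WORDLIST))
    print("keyspace bits, 4 chars: %.1f  32 chars: %.1f"
          % (psk_keyspace_bits(4), psk_keyspace_bits(32)))
    print("use instead:", generate_psk())
```

The brute-force branch is deliberately bounded by brute_max_len; the point is the arithmetic, since a 4-character alphanumeric key has fewer than 2^24 possibilities and a single machine exhausts that space in minutes, whereas a random 32-character key at roughly 190 bits is out of reach. The same reasoning applies to the group password you enter on the VPN 3002, which must equal this key.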

Configure Preshared Keys 367
Figure 8-2 Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN | Add