
Cisco Secure VPN Exam Certification Guide - Cisco Press

Chapter Glossary
The following terms were introduced in this chapter or have special significance to the topics within this chapter.
head-end End point of a broadband network. All stations transmit toward the head-end; the head-end then transmits toward the destination stations.
LAN Extension mode A mode used on a concentrator that does not rely upon NAT. Each individual device behind the VPN 3002 Hardware Client retains its IP address when seen at the head-end network. This is the opposite of PAT mode.
PAT mode A mode used on a concentrator where all the devices behind that concentrator have their IP addresses translated to the IP address of the outside interface of the VPN 3002 Hardware Client. This is the opposite of LAN Extension mode.

390 Chapter 8: Configuring Cisco 3002 Hardware Client for Remote Access
Q&A
As mentioned in Chapter 1, these questions are more difficult than what you should experience on the CCSP exam. The questions do not attempt to cover more breadth or depth than the exam; however, the questions are designed to make sure you know the answer. Rather than allowing you to derive the answer from clues hidden inside the question itself, your understanding and recall of the subject are challenged. Questions from the “Do I Know This Already?” quiz from the beginning of the chapter are repeated here to ensure that you have mastered the chapter’s topic areas. Hopefully, these questions will help limit the number of exam questions on which you narrow your choices to two options and guess!
1. What screen is used on the head-end concentrator to demand the use of preshared keys?
2. Name five items to check when you are unable to connect a VPN tunnel and you are receiving IKE failures on Phase 1.
3. You need to allow the main office to use PC Anywhere to connect to three separate machines at the remote office over the VPN. What mode must you use?
4. You need to have a device behind the head-end concentrator send data as soon as the VPN tunnel is established. Which mode should you use? Can you use split tunneling under these circumstances?

5. What are the disadvantages in a large network (over 100 users) of using individual authentication with the internal server?
6. You are using individual authentication in PAT mode. Your tunnel is established but the user cannot log in. What is the first item you should examine?
7. What screen do you use on the VPN 3002 Hardware Client to configure preshared keys?
8. You appear to be experiencing a DoS attack that is initiating from the IP address assigned to one of your VPN 3002 Hardware Clients. What is the problem?
9. You need to allow the remote office to use PC Anywhere to connect to three separate machines at the main office over the VPN. What mode must you use?
10. Some of your remote sites can use split tunneling and others cannot. How is this controlled?

11. Your remote site has an ISDN connection to the Internet. You are charged on a per-minute basis for connecting to the Internet. Which mode should you use?
12. What version of software must be running on the head-end concentrator to use PAT mode? What version is required for Network Extension mode?
13. You are the second user to connect through a VPN 3002 Hardware Client for which interactive hardware client and individual user authentication have been configured. What authentication information will you be required to enter?
14. You can use a static configuration for authenticating the VPN 3002 Hardware Client with the head-end concentrator. Why would you want to use interactive hardware client authentication?
15. Where is interactive hardware client authentication configured?
16. What authentication method is used for interactive hardware client authentication?

17. What must you configure on the VPN 3002 Hardware Client in order to use interactive hardware client authentication?
18. The HW Client tab of the Configuration | User Management | Groups | Modify (or Add) screen is used to configure individual user authentication. What other two attributes for individual user authentication can you set on this screen?
19. What is the default session idle timeout when using individual user authentication?
20. When individual user authentication is enabled, what initial screen are you directed to when you first try to establish a browser connection to an address in the private network of the head-end concentrator?
21. What VPN 3002 Hardware Client Manager screen can you use to quickly try to connect to the head-end concentrator?
22. What VPN 3002 Hardware Client Manager screen can you use when you want to view IKE Phase 1 and IPSec Phase 2 connection statistics?


Scenarios
Scenario 8-1
Your task in this scenario is to set up a VPN Concentrator and two VPN 3002 Hardware Clients as shown in Figure 8-22. Enable communications between the concentrators and the VPN 3002 Hardware Clients.
Figure 8-21 Remote Access VPN Network (diagram: a VPN 3000 Series Concentrator at the head-end, with an IBM-compatible PC behind it, connected through a Frame Relay cloud to two VPN 3002 Hardware Clients, 3002A and 3002B, each with an IBM-compatible PC on its private side)
After you enable communications between the devices, you have seven tasks:
Step 1 Set up 3002A to use Client mode. Set the timeout to a low value, such as 5 or 10 minutes.
Step 2 Set up 3002B to use LAN Extension mode.
Step 3 Initiate the tunnels on both networks.


Scenario Answers
The following answers pertain to the tasks presented in the previous section.
Scenario 8-1 Answers
The PAT (Client mode) tunnel should have dropped because the timeout has expired (assuming you didn’t drink your coffee too fast). Because the LAN Extension mode always keeps the tunnel active, this tunnel will not drop.
You should be able to see individual devices at the head-end from each remote site. However, from the head-end, you should not be able to see any device on the site that is using PAT mode because the true IP address is hidden.
Scenario 8-2 Answers
From the head-end, you will not be able to see anything at the remote sites. The remote sites “bring up” the tunnel, not the head-end site. Split tunneling will not change this behavior. It is only after the tunnel is established and data flows from the remote site that the head-end can see anything at the remote sites. The exception to this is when LAN Extension mode is enabled and split tunneling is not enabled.
A user should not be able to see the head-end if individual authentication is enabled and they have not logged in. If you can see something at the head-end, you are not using individual authentication. Only after you have logged in will you be able to see any devices at the head-end.
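The glossary definitions of PAT (Client) mode and LAN Extension mode, and the Scenario 8-1 and 8-2 answers above, describe three observable differences between the two modes: what source address the head-end sees, whether the head-end can initiate a connection to a host at the remote site, and whether the tunnel drops when idle. The following Python model is an added example, not code from the book or from Cisco; the VPN 3002 does not run Python, and this simply simulates the address translation and idle-timeout behaviour the text describes so the scenario outcomes can be checked. All addresses, ports and the 300-second timeout are constructed sample values.

```python
"""Toy model of VPN 3002 Client (PAT) mode versus Network/LAN Extension mode.

Added example (not from the Cisco Press book). It models only the behaviour
the chapter describes: PAT hides inside addresses behind the outside
interface, Network Extension preserves them and keeps the tunnel up.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class HardwareClient:
    mode: str                        # "pat" (Client mode) or "network_extension"
    outside_ip: str                  # address the head-end sees the 3002 as
    inside_hosts: frozenset          # private addresses behind the 3002
    idle_timeout: Optional[int] = None   # seconds; used only in PAT mode
    tunnel_up: bool = False
    last_activity: int = 0
    next_port: int = 10000
    # PAT translation table: (inside ip, inside port) -> (outside ip, outside port)
    pat_table: Dict[Tuple[str, int], Tuple[str, int]] = field(default_factory=dict)

    def bring_up_tunnel(self, now: int) -> None:
        self.tunnel_up = True
        self.last_activity = now

    def tick(self, now: int) -> bool:
        """Apply the idle timeout. Only a PAT-mode tunnel drops; returns tunnel state."""
        if self.mode == "pat" and self.tunnel_up and self.idle_timeout is not None:
            if now - self.last_activity >= self.idle_timeout:
                self.tunnel_up = False
                self.pat_table.clear()   # translations die with the tunnel
        return self.tunnel_up

    def outbound(self, pkt: Packet, now: int) -> Optional[Packet]:
        """Inside host sends toward the head-end; returns the packet the head-end sees."""
        if pkt.src_ip not in self.inside_hosts:
            return None
        if not self.tunnel_up:
            self.bring_up_tunnel(now)    # remote-site traffic brings the tunnel up
        self.last_activity = now
        if self.mode == "network_extension":
            return pkt                   # true source address preserved end to end
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.pat_table:    # allocate a unique outside port per flow
            self.pat_table[key] = (self.outside_ip, self.next_port)
            self.next_port += 1
        out_ip, out_port = self.pat_table[key]
        return Packet(out_ip, out_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Head-end sends toward the site; returns what an inside host receives, or None."""
        if not self.tunnel_up:
            return None
        if self.mode == "network_extension":
            return pkt if pkt.dst_ip in self.inside_hosts else None
        # PAT: only a flow the inside host already opened can be matched;
        # anything the head-end initiates has no translation and is dropped.
        for (in_ip, in_port), (out_ip, out_port) in self.pat_table.items():
            if pkt.dst_ip == out_ip and pkt.dst_port == out_port:
                return Packet(pkt.src_ip, pkt.src_port, in_ip, in_port)
        return None


def run_scenario() -> dict:
    """Re-create the Scenario 8-1/8-2 outcomes with constructed sample addresses."""
    head_end = "10.0.0.10"
    site_a = HardwareClient("pat", "203.0.113.5",
                            frozenset({"192.168.1.10", "192.168.1.11"}), idle_timeout=300)
    site_b = HardwareClient("network_extension", "203.0.113.6",
                            frozenset({"192.168.2.10", "192.168.2.11"}))
    for site in (site_a, site_b):
        site.bring_up_tunnel(now=0)
    r = {}
    # Head-end tries to open a session (sample port 5631) to a host at each site.
    r["head_end_reaches_pat_host"] = site_a.inbound(Packet(head_end, 40000, "192.168.1.10", 5631)) is not None
    r["head_end_reaches_netext_host"] = site_b.inbound(Packet(head_end, 40000, "192.168.2.10", 5631)) is not None
    # Remote hosts initiate instead; record the source address the head-end sees.
    seen_a = site_a.outbound(Packet("192.168.1.10", 5000, head_end, 80), now=10)
    seen_b = site_b.outbound(Packet("192.168.2.10", 5000, head_end, 80), now=10)
    r["src_seen_from_pat_site"] = seen_a.src_ip
    r["src_seen_from_netext_site"] = seen_b.src_ip
    # The reply to the PAT flow is delivered because a translation now exists.
    reply = site_a.inbound(Packet(head_end, 80, seen_a.src_ip, seen_a.src_port))
    r["pat_reply_delivered_to"] = reply.dst_ip if reply else None
    # Both sites go idle for longer than the PAT timeout.
    r["pat_tunnel_up_after_idle"] = site_a.tick(now=10 + 600)
    r["netext_tunnel_up_after_idle"] = site_b.tick(now=10 + 600)
    return r


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Running it shows the head-end's probe to the PAT site dropped while the same probe to the Network Extension site is delivered, the PAT site's host appearing as 203.0.113.5 while the Network Extension host keeps 192.168.2.10, and only the PAT tunnel down after the idle period. The model deliberately does not bring the PAT tunnel up on head-end-initiated traffic, which is the point of Scenario 8-2: only the remote site can establish it.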