
Cisco Secure VPN Exam Certification Guide - Cisco Press
Exam Topics Discussed in This Chapter
This chapter covers the following topics, which you need to master in your pursuit of certification as a Cisco Certified Security Specialist:
32 Overview of the VPN 3002 Reverse Route Injection feature
33 Configuring the VPN 3002 backup server feature
34 Configuring the VPN 3002 load balancing feature
35 Overview of the VPN 3002 Auto-Update Feature
36 Configuring the VPN 3002 Auto-Update Feature
37 Monitoring VPN 3002 Auto-Update Events
38 Overview of Port Address Translation
39 Configuring IPSec over UDP
40 Configuring IPSec over TCP

Chapter 9
Configuring Scalability Features of the VPN 3002 Hardware Client
A major issue on any network design is planning for the ability of the network to grow as the needs of the company grow. This chapter deals with some of the issues you will face when planning and implementing networks using the Cisco VPN 3002 Hardware Client.
By combining hardware and software, the VPN 3002 Hardware Client provides for the scalability of software while the hardware provides stability and reliability. This combination makes the VPN 3002 Hardware Client an ideal solution that will fit in environments where a large number of remote sites exist. The VPN 3002 Hardware Client has the capability to provide for 56-bit DES encryption or 168-bit 3DES (triple DES) encryption, also known as IPSec.
Reverse Route Injection, backup servers, load balancing and auto-update are all features that help you to easily administer large sites with the least amount of intervention. This chapter discusses these features.
How to Best Use This Chapter
By taking the following steps, you can make better use of your time:
• Keep your notes and answers for all your work with this book in one place for easy reference.
• Take the “Do I Know This Already?” quiz, and write down your answers. Studies show retention is significantly increased through writing facts and concepts down, even if you never look at the information again.
• Use the diagram in Figure 9-1 to guide you to the next step.


“Do I Know This Already?” Quiz 401
Table 9-1 Scoresheet for Quiz and Quizlets
| Quizlet Number | Foundations Topics Section Covering These Questions | Question | Score |
| 1 | Overview of the VPN 3002 Reverse Route Injection Feature | 1–3 | |
| 2 | Configuring the VPN 3002 Backup Server Feature | 4–6 | |
| 3 | Configuring the VPN 3002 Load-Balancing Feature | 7–9 | |
| 4 | Overview of the VPN 3002 Auto-Update Feature | 10–12 | |
| 5 | Configuring the VPN 3002 Auto-Update Feature | 13–15 | |
| 6 | Monitoring VPN 3002 Auto-Update Events | 16–18 | |
| 7 | Overview of Port Address Translation (PAT) | 19–21 | |
| 8 | Configuring the Cisco VPN 3002 Series Concentrator for IPSec over UDP | 22–24 | |
| 9 | Configuring the Cisco VPN 3002 Series Concentrator for IPSec over TCP | 25–27 | |
1 What are the ramifications an administrator should consider when planning to use Virtual Router Redundancy Protocol (VRRP) along with Reverse Route Injection (RRI)?
2 You wish to inject a route from the VPN concentrator to the VPN 3002 Hardware Client. What routing protocol must you use?
3 You wish to use RIPv1 with Reverse Route Injection. Can this be done?

402 Chapter 9: Configuring Scalability Features of the VPN 3002 Hardware Client
4 You are using a backup IPSec server because the primary server was down when the initial tunnel was initiated. The primary server is now up. Will the VPN 3002 Hardware Client restore a connection to the primary? If so, when?
5 What is the timeout period used when attempting to connect to the primary concentrator before a connection will be attempted to a secondary concentrator?
6 You tried to connect to your primary concentrator from your VPN 3002 Hardware Client but were unsuccessful. Your 3002 Hardware Client then attempted to connect to your backup concentrator without success. When will the VPN 3002 Hardware Client try again?
7 How is load balancing enabled on the VPN 3002 Hardware Client?
8 You have three VPN 3015 Concentrators on the same network. Assuming default priority settings, which one will be elected to balance the load?
9 What factors are considered for VPN 3000 Concentrator load balancing with VPN 3002 Hardware Clients or remote access VPN Clients?

10 Which debug class or classes should you enable in order to debug an auto-update?
11 What types of clients may use the auto-update feature?
12 When a software update is pending, during the connection process, the concentrator sends a message indicating the IP address of the TFTP server and the software version to be downloaded. What type (protocol) is this message?
13 What client type(s) are permissible to be set on the VPN concentrator for upgrading clients when using the VPN 3002 Hardware Client?
14 On the VPN concentrator, what is the syntax used to specify the TFTP server and the filename used for updating the client software?
15 You have configured auto-update to occur. Which device, the VPN concentrator or the VPN 3002 Hardware Client, recognizes that the software must be updated?

16 How is the VPN 3000 Concentrator configured to notify VPN 3002 Hardware Clients that a new software upgrade is available?
17 Your VPN 3002 Hardware Client attempts to auto-update. The system appears to “hang” and eventually times out on the download portion of the process. What are two likely causes?
18 You have tried to upgrade your VPN 3002 Hardware Client. However, the VPN 3002 Hardware Client keeps trying to upgrade without success. You know that you have connectivity. You can see in the logs that you have been downloading the file. What is the problem?
19 Why will some applications not work with either NAT or PAT?
20 Why will PAT cause problems with some applications whereas NAT does not cause these problems?
21 What are two main differences between NAT and PAT?

22 Why is UDP Transparent IPSec (IPSec over UDP) usable with either NAT or PAT when IPSec over TCP is not usable over PAT?
23 You are using UDP Transparent IPSec on your VPN 3002 Hardware Client. How are filters applied to inbound traffic? How are filters applied to outbound traffic?
24 What minimum version does the VPN concentrator have to be running in order to use UDP NAT Transparent IPSec? What version is required on the VPN 3002 Hardware Client?
25 What is the default port for IPSec over UDP?
26 When using IPSec over TCP, how are IKE and IPSec protocols handled in relation to NAT?
27 You are planning on terminating your VPN 3002 Hardware Client’s VPN tunnel on a Microsoft Proxy Server. Should you use UDP NAT Transparent IPSec (IPSec over UDP) or IPSec over TCP?


Foundation Topics
VPN 3002 Hardware Client Reverse Route Injection
32 Overview of the VPN 3002 Reverse Route Injection feature
Reverse Route Injection (RRI) is the process by which routes are added to a VPN concentrator and these routes are then advertised to remote clients, such as the VPN 3002 Hardware Client. Using either RIP or Open Shortest Path First (OSPF) while in network extension mode, the VPN 3002 Hardware Client automatically adds hosts on its private network to the VPN concentrator’s routing table for redistribution. It is important to understand that, because the VPN 3002 Hardware Client is considered a client, it cannot advertise RRI routes itself; it can only inject its network extension routes back to the concentrator. The only device that advertises RRI routes is the VPN concentrator.
There is no configuration requirement on the VPN 3002 Hardware Client for RRI to occur, other than being in Network Extension mode (NEM). Therefore, this section covers the configuration necessary on the VPN concentrator.
RRI works only with RIP and OSPF. Using Virtual Router Redundancy Protocol (VRRP) with RRI will probably cause routing loops, because both the primary and the backup servers will advertise the same routes.
Setting Up the VPN Concentrator Using RIPv2
In order for the VPN concentrator to advertise the routes learned through RRI, at least outbound RIP (version 2) must be configured on the private interface. When Autodiscovery is used, both inbound and outbound RIP must be configured. This is done through the Configuration | Interfaces screen (see Figure 9-2). Note that client RRI can be used by all VPN devices connected to the VPN concentrator.
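The following is an added example, not code from the book or from Cisco, that models the RRI flow described above: a NEM client's private network is injected into the concentrator's routing table and then carried in the outbound RIPv2 Response on the private interface (RFC 2453 wire format), with a check for the VRRP caveat where two concentrators advertise identical prefixes. Client names and addresses are constructed sample values.

```python
# Added example (not from the book): models Reverse Route Injection as described
# above. A VPN 3002 in network extension mode contributes its private network, the
# concentrator adds it to its routing table, and outbound RIPv2 on the private
# interface advertises it. Client names and addresses are constructed samples.
import ipaddress
import struct

RIP_RESPONSE, RIP_V2, AF_INET = 2, 2, 2
ENTRY_FMT = "!HH4s4s4sI"   # family, route tag, address, mask, next hop, metric

def inject_nem_route(route_table, client_name, private_net, metric=1):
    """RRI step: add a NEM client's private network to the concentrator's table.
    Re-injecting the same prefix (client re-establishing its tunnel) is idempotent."""
    net = ipaddress.ip_network(private_net, strict=True)
    route_table[net] = {"via": client_name, "metric": metric}
    return route_table

def build_ripv2_response(route_table, next_hop="0.0.0.0"):
    """Encode the table as the RIPv2 Response sent out the private interface.
    Next hop 0.0.0.0 tells neighbours to route via the sender (the concentrator)."""
    header = struct.pack("!BBH", RIP_RESPONSE, RIP_V2, 0)
    entries = [
        struct.pack(ENTRY_FMT, AF_INET, 0, net.network_address.packed,
                    net.netmask.packed, ipaddress.ip_address(next_hop).packed,
                    info["metric"])
        for net, info in sorted(route_table.items())
    ]
    if len(entries) > 25:   # RFC 2453 limit per message; larger tables need several
        raise ValueError("route table needs more than one RIP message")
    return header + b"".join(entries)

def parse_ripv2_response(packet):
    """Decode a RIPv2 Response into {prefix string: metric}, as a neighbour router would."""
    cmd, ver, _ = struct.unpack("!BBH", packet[:4])
    if cmd != RIP_RESPONSE or ver != RIP_V2:
        raise ValueError("not a RIPv2 response")
    routes = {}
    for off in range(4, len(packet), 20):
        fam, _tag, addr, mask, _nh, metric = struct.unpack(ENTRY_FMT, packet[off:off + 20])
        if fam == AF_INET:
            net = ipaddress.ip_network((addr, str(ipaddress.ip_address(mask))))
            routes[str(net)] = metric
    return routes

def duplicate_prefixes(response_a, response_b):
    """The VRRP caveat above: primary and backup both running RRI advertise the
    same prefixes; returns the prefixes present in both responses."""
    return sorted(set(parse_ripv2_response(response_a)) & set(parse_ripv2_response(response_b)))
```

Feeding the response of a primary and a backup concentrator to duplicate_prefixes shows exactly the overlapping advertisements that make the VRRP-plus-RRI combination risky.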