
Cisco Secure VPN Exam Certification Guide - Cisco Press
Chapter 9: Configuring Scalability Features of the VPN 3002 Hardware Client
Notice that there are four steps in the automatic update process:
1. First, the VPN 3002 Hardware Client recognizes that the versions do not match.
2. Next, the update is started.
3. Then, a notice informs you that the new file will be used.
4. Finally, there is a log event showing that the current version is up to date.
Remember that configuring the wrong version number causes an infinite upgrade loop: the client compares the version entered in the update screen with its running version, and because the newly installed image never reports the mistyped version, it downloads and installs the file again after every reboot. If you repeatedly see a log message that the current version does not match the new version, followed by a message that the VPN 3002 Hardware Client will now use a new file, the cause is almost certainly an incorrect version in the update screen.
A repeating attempt to update the firmware followed by a message indicating an inability to connect to the TFTP server may be explained by a few common issues, including the following:
•You do not have the correct IP address for the TFTP server.
•You do not have a route to the TFTP server.
•You do not have sufficient rights on the TFTP server.
•You do not have the ability to connect securely through a nontrusted interface to the server.
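The following is an added example, not code from the Cisco Press text or from Cisco: a small model of the four-step auto-update check that reproduces both failure modes just described, the upgrade loop caused by a mistyped version and the repeated attempt that ends in "unable to connect to the TFTP server". It assumes that the concentrator pushes the version string typed into its update screen together with the TFTP server address and file name, that the client fetches the image whenever that string differs from its running version and reboots into the version encoded in the file name (vpn3002-3.0.3.A-k9.bin is taken to carry version 3.0.3.A, an assumption), and that TFTP reachability can be modelled as membership in a set of reachable addresses.

```python
# Added example, not from the Cisco Press text: a model of the VPN 3002
# auto-update check that reproduces the "infinite upgrade loop" and the
# "cannot reach TFTP server" failure modes described above.
#
# Assumptions (for illustration only, not Cisco's implementation):
# - the concentrator pushes a notice carrying the version typed into its
#   update screen, the TFTP server address and the image file name;
# - the client compares that version string with its running version and,
#   when they differ, fetches the image and reboots into the version encoded
#   in the file name, e.g. vpn3002-3.0.3.A-k9.bin -> 3.0.3.A;
# - TFTP reachability is modelled as membership in a set of server addresses.
import re
from dataclasses import dataclass

# vpn3002-<version>-k9.bin; the exact version token format is an assumption.
IMAGE_NAME = re.compile(
    r"^vpn3002-(?P<version>\d+\.\d+\.\d+(?:\.[A-Za-z0-9]+)?)-k9\.bin$"
)


def version_from_filename(filename: str) -> str:
    """Derive the version a downloaded image will report after reboot."""
    m = IMAGE_NAME.match(filename)
    if m is None:
        raise ValueError(f"unrecognised image name: {filename}")
    return m.group("version")


@dataclass(frozen=True)
class UpdateNotice:
    version: str       # "new version" field on the concentrator's update screen
    tftp_server: str
    filename: str


def check_update_notice(notice: UpdateNotice) -> str:
    """Pre-push sanity check: the version field must equal the image version,
    otherwise every client will upgrade, reboot, mismatch, and upgrade again."""
    image_version = version_from_filename(notice.filename)
    if notice.version != image_version:
        return (f"mismatch: update screen says {notice.version} but "
                f"{notice.filename} carries {image_version}")
    return "ok"


def simulate_auto_update(running_version, notice, reachable_tftp, max_cycles=5):
    """Walk the four-step process from the client's point of view.

    Returns (outcome, cycles, log) where outcome is 'up-to-date',
    'tftp-unreachable' or 'loop' (no convergence within max_cycles).
    """
    log = []
    image_version = version_from_filename(notice.filename)
    for cycle in range(1, max_cycles + 1):
        # Step 1: does the pushed version match what we are running?
        if running_version == notice.version:
            # Step 4: the log event an administrator wants to see.
            log.append(f"cycle {cycle}: current version {running_version} is up to date")
            return "up-to-date", cycle, log
        log.append(f"cycle {cycle}: current version {running_version} "
                   f"does not match new version {notice.version}")
        # Step 2: start the update by fetching the image over TFTP.
        if notice.tftp_server not in reachable_tftp:
            log.append(f"cycle {cycle}: unable to connect to TFTP server {notice.tftp_server}")
            return "tftp-unreachable", cycle, log
        # Step 3: the client announces it will use the new file, then reboots.
        log.append(f"cycle {cycle}: will now use new file {notice.filename}")
        running_version = image_version
    return "loop", max_cycles, log


if __name__ == "__main__":
    good = UpdateNotice("3.0.3.A", "10.1.1.5", "vpn3002-3.0.3.A-k9.bin")
    typo = UpdateNotice("3.0.3", "10.1.1.5", "vpn3002-3.0.3.A-k9.bin")
    for notice in (good, typo):
        print(check_update_notice(notice))
        outcome, cycles, log = simulate_auto_update("3.0.2.A", notice, {"10.1.1.5"})
        print(outcome, cycles, *log, sep="\n  ")
```

Running the demo with the mistyped notice produces the alternating "does not match" / "will now use new file" pattern every cycle and never reaches "up to date"; `check_update_notice` is the check worth running before pushing an update to a fleet of clients, since the loop is otherwise only visible in each client's log.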

Foundation Summary
The Foundation Summary is a collection of tables and figures that provides a convenient review of many key concepts in this chapter. For those who are already comfortable with the topics in this chapter, this summary could help you recall a few details. For those who just read this chapter, this review should help solidify some key facts. For anyone doing final preparation before the exam, these tables and figures are a convenient way to review the day before the exam.
Table of RRI Configurations
Table 9-3 shows various RRI configurations.
Table 9-3 RRI Configurations

RRI Type                 Setup Screen                                                                 Things to Watch
RIPv2                    Configuration | Interfaces | RIP                                             Outbound RIP is configured.
OSPF                     Configuration | System | IP Routing | OSPF                                   OSPF is defined as an autonomous system on the concentrator. ASBR is set correctly.
LAN-to-LAN               Configuration | System | Tunneling Protocols | IPSec                         Use RIP or OSPF.
LAN-to-LAN Autodiscovery Configuration | System | Tunneling Protocols | IPSec | LAN-to-LAN | Routing  Choose the Autodiscovery option.
NEM RRI                  Configuration | System | IP Routing | Reverse Route Injection                Must have NEM enabled.
Client RRI               Configuration | System | IP Routing | Reverse Route Injection                Select check box.
Hold Down Routes         Configuration | System | IP Routing | Reverse Route Injection                Add network/subnet mask.

Backup Servers
There are nine items you need to remember regarding backup servers:
•A backup server list can only be downloaded from a primary VPN concentrator.
•A backup concentrator is contacted ONLY if the list already exists.
•The VPN 3002 Hardware Client must be connected to a primary VPN concentrator to learn of changes to the backup server list.

•On a VPN 3002 Hardware Client, set the backup servers through Configuration | System | Tunneling Protocols | IPSec.
•On VPN concentrator, set through Configuration | User Management | Base Group | Mode Configuration or Configuration | User Management | Groups | Mode Configuration.
•The group name, username, and password must match on the primary and backup servers.
•In network extension mode, the VPN 3002 Hardware Client attempts connections after 4 seconds.
•In client mode, the VPN 3002 Hardware Client attempts connection when data is transferred or using Connect Now.
•VPN 3002 Hardware Clients have no knowledge of each other.
Load Balancing
The following three points summarize load balancing:
•Automatic for VPN 3002.
•Must be on same private network.
•One VPN 3000 Series Concentrator acts as the master concentrator for the load-balancing cluster.
Comparing NAT and PAT
Table 9-4 compares the characteristics of NAT and PAT.
Table 9-4 NAT and PAT

NAT                                   PAT
Many-to-many relationship             One-to-many relationship
Changes source address outbound       Changes source address and source port outbound
Changes destination address inbound   Changes destination address and port inbound
Works with almost any program         May not work with some older programs

IPSec Over TCP/IP
IPSec over TCP/IP has the following characteristics:
•Used with NAT and PAT
•Encapsulates IKE and IPSec in new TCP packet
•Must use version 3.5 or higher
•Both sides must use same port

•Must be enabled through the Configuration | System | Tunneling Protocols | IPSec | IPSec over TCP screen
•Will not work with proxy-based servers
IPSec Over UDP
IPSec over UDP has the following characteristics:
•Used with NAT and PAT
•Encapsulates IKE and IPSec in new UDP packet
•Must use version 3.0.3 or higher
•Both sides must use same port
•Default port is 10,000
•Keepalives consume some bandwidth, which reduces the bandwidth available for data
•A single VPN device behind a NAT device
•You may create a problem if
—A group is deleted
—The last SA is deleted
—IPSec over UDP is disabled
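The following is an added example, not code from the Cisco Press text or from Cisco, that ties Table 9-4 to the IPSec over UDP characteristics just listed. It is a minimal PAT model: two VPN 3002 Hardware Clients sit behind one translated address and each exchanges a packet with the concentrator, first as native IPSec (ESP, which carries no port) and then as IPSec over UDP on the default port 10000. The model assumes that PAT keys its table on (protocol, inside address, inside port) and, like many simple PAT devices, can carry ESP for only one inside host; the packets are constructed records, not real traffic, and the addresses are documentation addresses chosen for the example.

```python
# Added example, not from the Cisco Press text: a minimal PAT model that
# shows why two VPN 3002 Hardware Clients behind one PAT address cannot both
# run native IPSec (ESP, IP protocol 50), while IPSec over UDP on port 10000
# gives each of them a distinct translated source port.
#
# Assumptions (illustration only): packets are constructed records, not real
# traffic; PAT keys its table on (protocol, inside address, inside port) and,
# like many simple PAT devices, can carry ESP for only one inside host because
# ESP has no port field to rewrite.  Addresses are RFC 5737 documentation
# addresses chosen for the example.
from dataclasses import dataclass, replace
from typing import List, Optional

CONCENTRATOR = "198.51.100.1"
PAT_OUTSIDE = "203.0.113.1"
IPSEC_UDP_PORT = 10000   # default IPSec over UDP port


@dataclass(frozen=True)
class Packet:
    proto: str                   # "udp", "tcp" or "esp"
    src: str
    dst: str
    sport: Optional[int] = None  # None for ESP: nothing to translate
    dport: Optional[int] = None


class PAT:
    """One public address shared by many inside hosts (one-to-many)."""

    def __init__(self, outside_ip: str, first_port: int = 1024):
        self.outside_ip = outside_ip
        self._next_port = first_port
        self._by_inside = {}    # (proto, inside_ip, inside_port) -> outside_port
        self._by_outside = {}   # (proto, outside_port) -> (inside_ip, inside_port)
        self._esp_host = None   # the single inside host whose ESP we can carry

    def outbound(self, p: Packet) -> Optional[Packet]:
        if p.proto == "esp":
            if self._esp_host not in (None, p.src):
                return None     # a second ESP speaker: nothing distinguishes it, drop
            self._esp_host = p.src
            return replace(p, src=self.outside_ip)
        key = (p.proto, p.src, p.sport)
        if key not in self._by_inside:
            port = self._next_port
            self._next_port += 1
            self._by_inside[key] = port
            self._by_outside[(p.proto, port)] = (p.src, p.sport)
        # PAT rewrites both the source address and the source port.
        return replace(p, src=self.outside_ip, sport=self._by_inside[key])

    def inbound(self, p: Packet) -> Optional[Packet]:
        if p.dst != self.outside_ip:
            return None
        if p.proto == "esp":
            return None if self._esp_host is None else replace(p, dst=self._esp_host)
        entry = self._by_outside.get((p.proto, p.dport))
        if entry is None:
            return None
        inside_ip, inside_port = entry
        return replace(p, dst=inside_ip, dport=inside_port)


def run_two_clients(encapsulation: str) -> List[Optional[str]]:
    """Two 3002s behind one PAT each send a packet to the concentrator and the
    concentrator answers.  Returns, per client, the inside address the reply
    was delivered to, or None if PAT dropped it."""
    pat = PAT(PAT_OUTSIDE)
    delivered = []
    for host in ("192.168.1.10", "192.168.1.11"):
        if encapsulation == "esp":
            out = Packet("esp", host, CONCENTRATOR)
        elif encapsulation == "udp":
            out = Packet("udp", host, CONCENTRATOR, IPSEC_UDP_PORT, IPSEC_UDP_PORT)
        else:
            raise ValueError(encapsulation)
        fwd = pat.outbound(out)
        if fwd is None:
            delivered.append(None)
            continue
        # The concentrator replies to whatever source address/port it saw.
        reply = Packet(fwd.proto, fwd.dst, fwd.src, fwd.dport, fwd.sport)
        back = pat.inbound(reply)
        delivered.append(back.dst if back else None)
    return delivered


if __name__ == "__main__":
    print("native ESP:    ", run_two_clients("esp"))
    print("IPSec over UDP:", run_two_clients("udp"))
```

With native ESP the second client's traffic is dropped because PAT has no port to key on; with IPSec over UDP both clients use the same configured port 10000 on their side, PAT rewrites it to a unique outside port for each, and both replies come back to the right host. That is the reason a site with a single PAT address and more than one VPN 3002 needs IPSec over UDP or IPSec over TCP.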
Troubleshooting IPSec
Remember the following when troubleshooting IPSec:
•Ping the inside interface of the remote concentrator. If you can get there, IPSec works.
•Set the event classes IKE, IKEDBG, IPSEC, and IPSECDBG to severity levels 1-13 on both sides.
•Read and understand the log. It will tell you where the problem is.
Auto-Update
Remember the following key points about auto-update:
•Pushes from central concentrator
•IPSec connection must exist
•Configure through Configuration | User Management | Groups
•Client type must be 3002
•The new version number must be precise
•On the client, logging of the update is enabled through Configuration | System | Events | Classes

Chapter Glossary
The following terms were introduced in this chapter or have special significance to the topics within this chapter.
Reverse Route Injection (RRI) A process by which routes to remote clients and networks are added to a VPN concentrator's routing table and then advertised, through RIP or OSPF, to the routers on the private network behind the concentrator.
head-end Endpoint of a broadband network. All stations transmit toward the head-end; the head-end then transmits toward the destination stations.
hold-down routes Routes used to make a remote VPN connection appear to be active even when there is no current tunnel established.
load balancing In routing, the capability of a router to distribute traffic over all of its network ports that are the same distance from the destination address. Good load-balancing algorithms use both line speed and reliability information. Load balancing increases the use of network segments, thus increasing effective network bandwidth.
Network Address Translation (NAT) Mechanism for reducing the need for globally unique IP addresses. NAT allows an organization with addresses that are not globally unique to connect to the Internet by translating those addresses into globally routable address space. Also known as Network Address Translator.
Port Address Translation (PAT) Similar in nature to NAT. In PAT, the TCP or UDP port is translated in addition to the IP source or destination address. Also known as Port Address Translator.

Q&A
As mentioned in Chapter 1, “All About the Cisco Certified Security Professional,” these questions are more difficult than what you should experience on the CCSP exam. The questions do not attempt to cover more breadth or depth than the exam; however, the questions are designed to make sure you know the answer. Rather than allowing you to derive the answer from clues hidden inside the question itself, your understanding and recall of the subject are challenged. Questions from the “Do I Know This Already?” quiz from the beginning of the chapter are repeated here to ensure that you have mastered the chapter’s topic areas. Hopefully, these questions will help limit the number of exam questions on which you narrow your choices to two options and guess!
1. What are the ramifications an administrator should consider when planning to use VRRP along with RRI?
2. You wish to inject a route from the VPN concentrator to the VPN 3002 Hardware Client. What routing protocol must you use?
3. You wish to use RIPv1 with Reverse Route Injection. Can this be done?
4. Which screen on the VPN concentrator is used to configure RRI with OSPF?

5. You are using a backup IPSec server because the primary server was down when the initial tunnel was initiated. The primary server is now up. Will the VPN 3002 Hardware Client restore a connection to the primary? If so, when?
6. What is the timeout period used when attempting to connect to the primary concentrator before a connection will be attempted to a secondary concentrator?
7. You tried to connect to your primary concentrator from your VPN 3002 Hardware Client but were unsuccessful. Your 3002 Hardware Client then attempted to connect to your backup concentrator without success. When will the VPN 3002 Hardware Client try again?
8. What screen is used to configure backup servers on the VPN 3002 Hardware Client?
9. You have three VPN 3015 Concentrators on the same network. Assuming default priority settings, which one will be elected to balance the load?
10. What factors are considered for VPN 3000 Concentrator load balancing with VPN 3002 Hardware Clients or remote access VPN Clients?

11. How is load balancing enabled on the VPN 3002 Hardware Client?
12. What types of clients may use the auto-update feature?
13. When a software update is pending, during the connection process, the concentrator sends a message indicating the IP address of the TFTP server and the software version to be downloaded. What type (protocol) is this message?
14. What are two main differences between NAT and PAT?
15. You are the administrator for a network using a single PAT address for connection to the Internet. You want to add two VPN 3002 Hardware Clients behind your PIX firewall. Which type of IPSec will you choose to use?
16. What minimum version does the VPN concentrator have to be running in order to use IPSec over TCP/IP? What version is required on the VPN 3002 Hardware Client?

17. What minimum version does the VPN concentrator have to be running in order to use UDP NAT Transparent IPSec? What version is required on the VPN 3002 Hardware Client?
18. What is the default port for IPSec over UDP?
19. You have an established tunnel between two sites. From the remote site you are able to ping the inside interface of the VPN concentrator. However, you are unable to ping anything that lies beyond that point. What is wrong?
20. You are planning to upgrade your VPN 3002 Hardware Client. You have just received a file named vpn3002-3.0.3.A-k9.bin. What version is this?
21. You have tried to upgrade your VPN 3002 Hardware Client. However, the VPN 3002 Hardware Client keeps trying to upgrade without success. You know that you have connectivity. You can see in the logs that you have been downloading the file. What is the problem?
22. Why will some applications not work with either NAT or PAT?

23. Why will PAT cause problems with some applications whereas NAT does not cause these problems?
24. Which debug class or classes should you enable in order to debug an auto-update?
25. On the VPN concentrator, what is the syntax used to specify the TFTP server and the filename used for updating the client software?
26. You have configured auto-update to occur. Which device, the VPN concentrator or the VPN 3002 Hardware Client, recognizes that the software must be updated?
27. What client type(s) are permissible to be set on the VPN concentrator for upgrading clients when using the VPN 3002 Hardware Client?
28. How is the VPN 3000 Concentrator configured to notify VPN 3002 Hardware Clients that a new software upgrade is available?