Cisco Secure VPN Exam Certification Guide - Cisco press


428 Chapter 9: Configuring Scalability Features of the VPN 3002 Hardware Client

Notice that there are four steps in the automatic update process:

1. First, the VPN 3002 Hardware Client recognizes that the versions do not match.

2. Next, the update is started.

3. Then, a notice informs you that the new file will be used.

4. Finally, there is a log event showing that the current version is up to date.

Remember that configuring the wrong version number will cause an infinite loop attempting to upgrade. If you repeatedly see a message in the log that the current version does not match the new version but also see that the VPN 3002 Hardware Client will now be using a new file, the cause is almost certainly an incorrect version within the update screen.
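The version-mismatch loop just described can be caught before an update entry is pushed. The following is an added Python example, not code from the book or from Cisco; it assumes the image naming convention seen in the file name vpn3002-3.0.3.A-k9.bin quoted in this chapter's Q&A, and its model of the client's compare, download and switch decision is an assumption, not the device's real logic.

```python
import re

# Assumed image naming convention, derived from the file name quoted in this chapter's
# Q&A (vpn3002-3.0.3.A-k9.bin): <platform>-<version>-k9.bin. Not Cisco's own code.
IMAGE_NAME_RE = re.compile(r"^(?P<platform>vpn3002)-(?P<version>[0-9A-Za-z.]+)-k9\.bin$")


def image_version(filename):
    """Return the version string carried in a VPN 3002 image file name."""
    match = IMAGE_NAME_RE.match(filename)
    if not match:
        raise ValueError("not a recognised VPN 3002 image name: %r" % filename)
    return match.group("version")


def check_update_entry(configured_version, filename):
    """Pre-flight check for a client-update entry: the version typed into the update
    screen must equal the version the image carries, or the client will loop forever.
    Returns (ok, version_in_image)."""
    actual = image_version(filename)
    return configured_version == actual, actual


def simulate_update(running_version, configured_version, filename, max_rounds=3):
    """Model of the four-step update sequence from the chapter (an assumption about the
    client's decision logic, not its real code): compare versions, start the update,
    switch to the new file, log the result. Returns (log_lines, converged)."""
    log = []
    installed = running_version
    for _ in range(max_rounds):
        if installed == configured_version:
            log.append("current version %s is up to date" % installed)
            return log, True
        log.append("current version %s does not match new version %s"
                   % (installed, configured_version))
        log.append("update started: downloading %s from the TFTP server" % filename)
        installed = image_version(filename)   # after the reboot the image's real version runs
        log.append("will now be using new file %s (version %s)" % (filename, installed))
    # The same two messages keep repeating: the classic symptom of a wrong version entry.
    log.append("loop detected after %d rounds: configured version %s never equals image version %s"
               % (max_rounds, configured_version, installed))
    return log, False


if __name__ == "__main__":
    good, found = check_update_entry("3.0.3", "vpn3002-3.0.3.A-k9.bin")
    print("entry ok" if good else "fix the update screen: image is version %s" % found)
    for line in simulate_update("3.0", "3.0.3", "vpn3002-3.0.3.A-k9.bin")[0]:
        print(line)
```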

A repeating attempt to update the firmware followed by a message indicating an inability to connect to the TFTP server may be explained by a few common issues, including the following:

You do not have the correct IP address for the TFTP server.

You do not have a route to the TFTP server.

You do not have sufficient rights on the TFTP server.

You do not have the ability to connect securely through a nontrusted interface to the server.


Foundation Summary

The Foundation Summary is a collection of tables and figures that provides a convenient review of many key concepts in this chapter. For those who are already comfortable with the topics in this chapter, this summary could help you recall a few details. For those who just read this chapter, this review should help solidify some key facts. For anyone doing final preparation before the exam, these tables and figures are a convenient way to review the day before the exam.

Table of RRI Configurations

Table 9-3 shows various RRI configurations.

Table 9-3  RRI Configurations

RRI Type: RIPv2
  Setup Screen: Configuration | Interfaces | RIP
  Things to Watch: Outbound RIP is configured.

RRI Type: OSPF
  Setup Screen: Configuration | System | IP Routing | OSPF
  Things to Watch: OSPF is defined as an autonomous system on the concentrator. ASBR is set correctly.

RRI Type: LAN-to-LAN
  Setup Screen: Configuration | System | Tunneling Protocols | IPSec
  Things to Watch: Use RIP or OSPF.

RRI Type: LAN-to-LAN Autodiscovery
  Setup Screen: Configuration | System | Tunneling Protocols | IPSec | LAN-to-LAN | Routing
  Things to Watch: Choose the Autodiscovery option.

RRI Type: NEM RRI
  Setup Screen: Configuration | System | IP Routing | Reverse Route Injection
  Things to Watch: Must have NEM enabled.

RRI Type: Client RRI
  Setup Screen: Configuration | System | IP Routing | Reverse Route Injection
  Things to Watch: Select check box.

RRI Type: Hold Down Routes
  Setup Screen: Configuration | System | IP Routing | Reverse Route Injection
  Things to Watch: Add network/subnet mask.


Backup Servers

There are nine items you need to remember regarding backup servers:

A backup server list can only be downloaded from a primary VPN concentrator.

A backup concentrator is contacted ONLY if the list already exists.

The VPN 3002 Hardware Client must be connected to a primary VPN concentrator to know of changes.


On a VPN 3002 Hardware Client, set the backup servers through Configuration | System | Tunneling Protocols | IPSec.

On the VPN concentrator, set backup servers through Configuration | User Management | Base Group | Mode Configuration or Configuration | User Management | Groups | Mode Configuration.

The group name, username, and password must match on the primary and backup servers.

In network extension mode, the VPN 3002 Hardware Client attempts connections after 4 seconds.

In client mode, the VPN 3002 Hardware Client attempts a connection when data is transferred or when you use Connect Now.

VPN 3002 Hardware Clients have no knowledge of each other.

Load Balancing

The following three points summarize load balancing:

Load balancing is automatic for the VPN 3002.

The concentrators must be on the same private network.

One VPN 3000 Series Concentrator acts as the master concentrator for the load-balancing cluster.

Comparing NAT and PAT

Table 9-4 compares the characteristics of NAT and PAT.

Table 9-4  NAT and PAT

NAT                                    PAT
Many-to-many relationship              One-to-many relationship
Changes source address outbound        Changes source address and source port
Changes destination address inbound    Changes destination address and port inbound
Works with almost any program          May not work with some older programs
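To make the rows of Table 9-4 concrete, here is an added Python model, not code from the book or from any Cisco product, of a many-to-many NAT table beside a one-to-many PAT table, using constructed documentation-range addresses; the last function shows why a program that copies its own port into the payload survives NAT but not PAT.

```python
from itertools import count
# Constructed model of Table 9-4's two translation styles; not book or Cisco code.

class Nat:
    """Many-to-many NAT: each inside address is bound to its own address from a pool
    of globally routable addresses. Only addresses change; ports pass through."""
    def __init__(self, pool):
        self.free = list(pool)
        self.out = {}    # inside address -> outside address
        self.back = {}   # outside address -> inside address

    def outbound(self, src_ip, src_port):
        if src_ip not in self.out:
            if not self.free:
                raise RuntimeError("NAT pool exhausted")
            public = self.free.pop(0)
            self.out[src_ip], self.back[public] = public, src_ip
        return self.out[src_ip], src_port            # source address changes outbound

    def inbound(self, dst_ip, dst_port):
        return self.back[dst_ip], dst_port           # destination address changes inbound

class Pat:
    """One-to-many PAT: every inside host shares one outside address and is told apart
    by a translated source port, so both the address and the port change."""
    def __init__(self, public_ip, first_port=1024):
        self.public_ip = public_ip
        self.next_port = count(first_port)
        self.out = {}    # (inside ip, inside port) -> outside port
        self.back = {}   # outside port -> (inside ip, inside port)

    def outbound(self, src_ip, src_port):
        key = (src_ip, src_port)
        if key not in self.out:
            port = next(self.next_port)
            self.out[key], self.back[port] = port, key
        return self.public_ip, self.out[key]

    def inbound(self, dst_ip, dst_port):
        if dst_ip != self.public_ip or dst_port not in self.back:
            raise KeyError("no matching translation: packet dropped")
        return self.back[dst_port]                   # address and port change inbound

def breaks_port_in_payload(translator, src_ip, src_port):
    """Why some older programs fail behind PAT but not NAT: an application that writes
    its own port into the payload keeps the inside port there while the header carries
    the translated one. True when the two disagree."""
    _, header_port = translator.outbound(src_ip, src_port)
    return header_port != src_port
```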


IPSec Over TCP/IP

IPSec over TCP/IP has the following characteristics:

Used with NAT and PAT

Encapsulates IKE and IPSec in new TCP packet

Must use version 3.5 or higher

Both sides must use same port


Must be enabled through the Configuration | System | Tunneling Protocols | IPSec | IPSec over TCP screen

Will not work with proxy-based servers

IPSec Over UDP

IPSec over UDP has the following characteristics:

Used with NAT and PAT

Encapsulates IKE and IPSec in new UDP packet

Must use version 3.0.3 or higher

Both sides must use same port

Default port is 10,000

Available bandwidth is decreased by the bandwidth consumed by keepalives

A single VPN device behind a NAT device

You may create a problem if:

  A group is deleted

  The last SA is deleted

  IPSec over UDP is disabled

Troubleshooting IPSec

Remember the following when troubleshooting IPSec:

Ping the inside interface of the remote concentrator. If you can get there, IPSec works.

Set the debug levels to 1-13 for the IKE, IKEDBG, IPSEC, and IPSECDBG event classes on both sides.

Read and understand the log. It will tell you where the problem is.

Auto-Update

Remember the following key points about auto-update:

Pushes from central concentrator

IPSec connection must exist

Configure through Configuration | User Management | Groups

Client type must be 3002

The new version number must be precise

Client is set up through Configuration | System | Events | Classes


Chapter Glossary

The following terms were introduced in this chapter or have special significance to the topics within this chapter.

Reverse Route Injection (RRI) A process by which routes are added to a VPN concentrator, and then these routes are advertised back out to remote clients.

head-end Endpoint of a broadband network. All stations transmit toward the head-end; the head-end then transmits toward the destination stations.

hold-down routes Routes used to make a remote VPN connection appear to be active even when there is no current tunnel established.

load balancing In routing, the capability of a router to distribute traffic over all of its network ports that are the same distance from the destination address. Good load-balancing algorithms use both line speed and reliability information. Load balancing increases the use of network segments, thus increasing effective network bandwidth.

Network Address Translation (NAT) Mechanism for reducing the need for globally unique IP addresses. NAT allows an organization with addresses that are not globally unique to connect to the Internet by translating those addresses into globally routable address space. Also known as Network Address Translator.

Port Address Translation (PAT) Similar in nature to NAT. In PAT, the TCP or UDP port is translated in addition to the IP source or destination address. Also known as Port Address Translator.


Q&A

As mentioned in Chapter 1, “All About the Cisco Certified Security Professional,” these questions are more difficult than what you should experience on the CCSP exam. The questions do not attempt to cover more breadth or depth than the exam; however, the questions are designed to make sure you know the answer. Rather than allowing you to derive the answer from clues hidden inside the question itself, your understanding and recall of the subject are challenged. Questions from the “Do I Know This Already?” quiz from the beginning of the chapter are repeated here to ensure that you have mastered the chapter’s topic areas. Hopefully, these questions will help limit the number of exam questions on which you narrow your choices to two options and guess!

1. What are the ramifications an administrator should consider when planning to use VRRP along with RRI?

2. You wish to inject a route from the VPN concentrator to the VPN 3002 Hardware Client. What routing protocol must you use?

3. You wish to use RIPv1 with Reverse Route Injection. Can this be done?

4. Which screen on the VPN concentrator is used to configure RRI with OSPF?


5. You are using a backup IPSec server because the primary server was down when the initial tunnel was initiated. The primary server is now up. Will the VPN 3002 Hardware Client restore a connection to the primary? If so, when?

6. What is the timeout period used when attempting to connect to the primary concentrator before a connection will be attempted to a secondary concentrator?

7. You tried to connect to your primary concentrator from your VPN 3002 Hardware Client but were unsuccessful. Your 3002 Hardware Client then attempted to connect to your backup concentrator without success. When will the VPN 3002 Hardware Client try again?

8. What screen is used to configure backup servers on the VPN 3002 Hardware Client?

9. You have three VPN 3015 Concentrators on the same network. Assuming default priority settings, which one will be elected to balance the load?

10. What factors are considered for VPN 3000 Concentrator load balancing with VPN 3002 Hardware Clients or remote access VPN Clients?


11. How is load balancing enabled on the VPN 3002 Hardware Client?

12. What types of clients may use the auto-update feature?

13. When a software update is pending, during the connection process, the concentrator sends a message indicating the IP address of the TFTP server and the software version to be downloaded. What type (protocol) is this message?

14. What are two main differences between NAT and PAT?

15. You are the administrator for a network using a single PAT address for connection to the Internet. You want to add two VPN 3002 Hardware Clients behind your PIX firewall. Which type of IPSec will you choose to use?

16. What minimum version does the VPN concentrator have to be running in order to use IPSec over TCP/IP? What version is required on the VPN 3002 Hardware Client?


17. What minimum version does the VPN concentrator have to be running in order to use UDP NAT Transparent IPSec? What version is required on the VPN 3002 Hardware Client?

18. What is the default port for IPSec over UDP?

19. You have an established tunnel between two sites. From the remote site you are able to ping the inside interface of the VPN concentrator. However, you are unable to ping anything that lies beyond that point. What is wrong?

20. You are planning to upgrade your VPN 3002 Hardware Client. You have just received a file named vpn3002-3.0.3.A-k9.bin. What version is this?

21. You have tried to upgrade your VPN 3002 Hardware Client. However, the VPN 3002 Hardware Client keeps trying to upgrade without success. You know that you have connectivity. You can see in the logs that you have been downloading the file. What is the problem?

22. Why will some applications not work with either NAT or PAT?


23. Why will PAT cause problems with some applications whereas NAT does not cause these problems?

24. Which debug class or classes should you enable in order to debug an auto-update?

25. On the VPN concentrator, what is the syntax used to specify the TFTP server and the filename used for updating the client software?

26. You have configured auto-update to occur. Which device, the VPN concentrator or the VPN 3002 Hardware Client, recognizes that the software must be updated?

27. What client type(s) are permissible to be set on the VPN concentrator for upgrading clients when using the VPN 3002 Hardware Client?

28. How is the VPN 3000 Concentrator configured to notify VPN 3002 Hardware Clients that a new software upgrade is available?