Cisco Secure VPN Exam Certification Guide - Cisco press


468 Chapter 10: Cisco VPN 3000 LAN-to-LAN with Preshared Keys

6 What routing protocol is used for Autodiscovery?

7 What is an identity certificate?

8 What is the advantage of using SCEP?

9 What are critical items when using any certificates?

10 Order the steps for using a certificate:

1. Issue an enrollment request.

2. Enroll with the CA.

3. The enrollment request is accepted.

4. Install the certificate.

5. Configure the concentrator to use the certificate.

11 You want to use SCEP to enroll an identity certificate. How must the associated CA certificate be obtained?


12 What are the default directory and file name for the DLL used with SCEP?

13 What are the three major steps involved in using digital certificates for a LAN-to-LAN connection?

14 When using an identity certificate, what is the effect of entering an incorrect name in the OU field?

15 What three key sizes may be used with DSA when installing certificates using SCEP?

16 What screen is used to configure Network Autodiscovery?

17 You have two VPN Concentrators—one in Seattle, the other in London—used for connecting the two offices through VPNs. The Seattle office cannot reach one subnet attached to the London office. You have checked your network lists on the Seattle concentrator. You are sure that the “missing” network is properly configured. What is the most likely problem?


18 You are using Network Autodiscovery. You do not see a single remote network that is connected through a series of routers to your remote concentrator. Where should your troubleshooting efforts be directed?

19 You are using SCEP. Your junior assistant has configured the system. You have established a VPN connection to the remote site, but your remote group does not have access to your network. What is a probable cause?

20 You are using SCEP. You are trying to enroll a certificate. Your concentrator shows that it is polling. It has been in this state for over an hour. What is the most likely cause?

21 What screen is used to determine the IKE proposal used for a LAN-to-LAN connection?

22 What is the purpose of the challenge password on the Administration | Certificate Management | Enroll | Identity Certificate | SCEP screen?

23 You wish to use Network Autodiscovery because it sounds easier. How are the networks learned, and how do you ensure that only specific networks are included?


24 What are the differences between a root certificate, a subordinate certificate, and an identity certificate?

25 What are the maximum numbers of certificates that may be used on concentrators?

C H A P T E R 11

Scenarios

The following scenarios and questions are designed to draw together the content of the book and exercise your understanding of the concepts. There might be more than one correct answer. The thought process and practice in manipulating each concept in the scenario are the goals of this chapter.

Example Corporation

The Value-Packed Nutrition Corporation has a growing VPN infrastructure, as shown in Figure 11-1. The scenarios in this chapter are based on the elements shown in this diagram.

Figure 11-1 Value-Packed Nutrition Corporation

[Figure 11-1 is a network diagram; only its labels survived extraction. Labels present: Portland, Detroit, Seattle, Memphis, Richmond, Terry, Carol; VPN 3030, VPN 3005 (two), VPN 3002 (two), DSL Modem (two), Firewall, DMZ, Bastion, Access Server, Router, Switch, Internet, Intranet, Private Network, Internal LAN, NT DC, CA, WINS, DNS, DHCP, Server, User, Printer.]


Site Descriptions

The following sections describe the characteristics of the VPN environment at the Detroit, Portland, Seattle, Memphis, and Richmond sites and for the two user types represented by Terry and Carol.

Detroit

Detroit is the central headquarters for Value-Packed Nutrition Corporation. All IPSec connections from branch offices and mobile users are through the Cisco VPN 3030 Concentrator in Detroit. VPN IPSec tunnels from remote sites and users all connect to the VPN 3030 Concentrator. A variety of corporate resources are available in Detroit’s private network, including DHCP, DNS, CA (SCEP support), and Windows 2000 Directory Services. An access server is available to support employees when they come to Detroit for business meetings. DHCP is to be used to assign all IPSec endpoint IP addresses, with unique address ranges being used for each location. Detroit’s private network IP addresses fall within the 172.16.0.0 subnet.

Portland

Portland’s four users connect to the network through a Cisco VPN 3002 Hardware Client equipped with an internal Ethernet 8-port switch. These users require numerous resources on the Internet as well as a local connection to a shared network printer. The VPN connection to Detroit is a remote access connection using digital signatures. Detroit has chosen to perform user authentication for the Portland office using the 3030’s internal authentication server. Set up the 3002 for Network Extension mode.

Seattle

Seattle is much like Portland, except that the users in Seattle do not use resources on the Internet. The users also require access to local LAN resources. The 3002 Hardware Client here also has an internal 8-port switch, but the remote access connection is authenticated using preshared keys. Seattle users are also authenticated using the 3030’s internal server. Set up the 3002 for Client Extension mode.

Memphis

The network at Memphis is more robust than that at Portland or Seattle. Users require use of the Internet and must be authenticated using NT Domain authentication. The VPN 3005 Concentrator at Memphis uses a LAN-to-LAN connection and is authenticated with digital certificates. Secure all traffic except HTTP traffic through the IPSec tunnel.


Richmond

Richmond is the same as Memphis, with the exception that the LAN-to-LAN connection’s authentication is through preshared keys.

Terry and Carol

Terry and Carol represent 30 salespeople who connect through a national ISP. These salespersons use the Cisco VPN Client, and a mixture of digital certificates and preshared keys is used for device authentication. User authentication for the preshared key users is through the 3030’s internal authentication server. Detroit is converting these users to digital certificates, Zone Labs’ ZoneAlarm Pro client firewall, and NT Domain authentication; to date, 20 users have been converted, including Terry. Original system users, such as Carol, are currently using the Cisco Integrated Client (CIC) firewall. Terry will use the Are You There (AYT) firewall policy. Carol will use the Central Protection Policy (CPP) firewall policy.

Use the information contained in the descriptions of the various locations and users to complete the requirements of the following scenarios.

Scenario 11-1—The Basics

Determine the additional information that you need to configure the systems based on the information provided in the following sections.

IKE Policy

Identify the parameters that you need to configure the IKE policy required for each site and user type. These parameters are as follows:

168-bit encryption

128-bit hashing algorithm

VPN peer and user authentication as described for each branch or user:

Portland

Seattle

Memphis

Richmond

Terry

Carol

1024-bit key exchange

Default IKE SA lifetime


IPSec Policy

Identify the parameters that you need to configure the IPSec policy required for each site and user type. These parameters are as follows:

The IPSec protocol, which provides encryption

128-bit hashing algorithm

168-bit encryption

SA to be established by IKE

Identify the traffic to be protected for each site:

Portland

Seattle

Memphis

Richmond

Terry

Carol

Select a unique IP address subnet for each site for DHCP address assignment:

Portland

Seattle

Memphis

Richmond

Terry and other digital certificate users

Carol and other preshared key users
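The IKE policy, IPSec policy and DHCP subnet items above each ask you to check a proposed configuration against a fixed set of requirements. The Python below is an added worked example, not code from the book or from Cisco: it encodes the Scenario 11-1 requirements (168-bit encryption, 128-bit hash, 1024-bit key exchange, the per-site peer authentication method from the site descriptions, ESP with IKE-established SAs) and walks a list of candidate proposals the way a responder does, accepting the first one that matches. It also checks that the per-site address pools are unique and stay clear of Detroit's private range. The candidate proposals, the sample pools, the /16 mask on Detroit's 172.16.0.0 network and the 86400-second IKE lifetime are constructed assumptions for the example.

```python
"""Check candidate IKE/IPSec proposals and DHCP pools against the
Scenario 11-1 requirements (added example; not the book's own material)."""
import ipaddress

# Peer authentication per site, as stated in the site descriptions.
SITE_AUTH = {
    "Portland": "rsa-sig",   # remote access, digital signatures
    "Seattle": "psk",        # remote access, preshared keys
    "Memphis": "rsa-sig",    # LAN-to-LAN, digital certificates
    "Richmond": "psk",       # LAN-to-LAN, preshared keys
    "Terry": "rsa-sig",      # converted VPN Client user
    "Carol": "psk",          # original VPN Client user
}

# Key and digest sizes of the algorithm names used in proposals.
ENCRYPTION_BITS = {"des": 56, "3des": 168, "aes-128": 128, "aes-256": 256}
HASH_BITS = {"md5": 128, "sha1": 160}
DH_GROUP_BITS = {1: 768, 2: 1024, 5: 1536}
DEFAULT_IKE_LIFETIME = 86400  # seconds; assumed default for the example


def ike_proposal_ok(proposal, site):
    """True if a phase 1 proposal meets the scenario: 168-bit encryption,
    128-bit hash, 1024-bit key exchange, the site's auth method, default
    lifetime. Unknown algorithm names simply fail the size lookup."""
    return (
        ENCRYPTION_BITS.get(proposal["encryption"]) == 168
        and HASH_BITS.get(proposal["hash"]) == 128
        and DH_GROUP_BITS.get(proposal["dh_group"]) == 1024
        and proposal["auth"] == SITE_AUTH[site]
        and proposal.get("lifetime", DEFAULT_IKE_LIFETIME) == DEFAULT_IKE_LIFETIME
    )


def select_ike_proposal(proposals, site):
    """Index of the first acceptable proposal, or None. Order matters: a
    responder takes the first entry on the offered list it can accept."""
    for index, proposal in enumerate(proposals):
        if ike_proposal_ok(proposal, site):
            return index
    return None


def ipsec_proposal_ok(proposal):
    """Phase 2 requirements: ESP (the protocol that provides encryption),
    168-bit encryption, 128-bit hash, SAs keyed by IKE rather than by hand."""
    return (
        proposal["protocol"] == "esp"
        and ENCRYPTION_BITS.get(proposal["encryption"]) == 168
        and HASH_BITS.get(proposal["hash"]) == 128
        and proposal["keying"] == "ike"
    )


def overlapping_pools(pools, detroit_private="172.16.0.0/16"):
    """Pairs of names whose address pools overlap each other or Detroit's
    private network; an empty list means every site has a unique range."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in pools.items()}
    nets["Detroit-private"] = ipaddress.ip_network(detroit_private)
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


# Constructed candidate list, in the order it would be offered.
CANDIDATE_IKE = [
    {"encryption": "des", "hash": "md5", "dh_group": 1, "auth": "psk"},      # 56-bit: rejected
    {"encryption": "3des", "hash": "sha1", "dh_group": 2, "auth": "psk"},    # 160-bit hash: rejected
    {"encryption": "3des", "hash": "md5", "dh_group": 2, "auth": "psk"},     # fits PSK sites
    {"encryption": "3des", "hash": "md5", "dh_group": 2, "auth": "rsa-sig"}, # fits certificate sites
]

# Constructed pools; Richmond's deliberately collides with Detroit's range.
SAMPLE_POOLS = {
    "Portland": "10.1.1.0/24", "Seattle": "10.1.2.0/24",
    "Memphis": "10.1.3.0/24", "Richmond": "172.16.40.0/24",
    "Terry-certs": "10.1.5.0/24", "Carol-psk": "10.1.6.0/24",
}

if __name__ == "__main__":
    for site in SITE_AUTH:
        print(site, "-> proposal", select_ike_proposal(CANDIDATE_IKE, site))
    print("pool conflicts:", overlapping_pools(SAMPLE_POOLS))
```

Run as a script it prints which candidate each site would settle on and flags the Richmond pool for sitting inside Detroit's private space; swap in your own proposal list and pools to check a real answer to the scenario.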

Scenario 11-2—Portland

Configure the Detroit VPN 3030 Concentrator and the Portland VPN 3002 Hardware Client to support the Portland users.

Scenario 11-3—Seattle

Configure the Detroit VPN 3030 Concentrator and the Seattle VPN 3002 Hardware Client to support the Seattle users.

Scenario 11-4—Memphis

Configure the Detroit and Memphis VPN concentrators to support the Memphis users.


Scenario 11-5—Richmond

Configure the Detroit and Richmond VPN concentrators to support the Richmond users.

Scenario 11-6—Terry and Carol

Configure the Detroit VPN concentrator and Terry and Carol’s VPN Client to provide the required access.