
Cisco Secure VPN Exam Certification Guide - Cisco Press
478 Chapter 11: Scenarios
Scenario Answers
The answers provided in this section are not necessarily the only correct answers. They merely represent one possibility for each scenario. The intention is to test your basic knowledge and understanding of the concepts that were discussed in this chapter.
Should your answers be different (as they likely will be), consider the differences. Are your answers in line with the concepts of the answers provided and explained here? If not, reread the chapter, focusing on the sections that are related to the problem scenario.
Scenario 11-1 Answers
The additional information that you need to configure the systems is described in the following sections.
IKE Policy
The parameters that are needed to configure the IKE policy required for each site and user type are as follows:
• 3DES—168-bit encryption
• MD5—128-bit hashing algorithm (use the HMAC variant)
• VPN peer and user authentication as described for each branch or user:
  — Portland—RSA signatures for VPN peer authentication and VPN 3030 internal authentication for users
  — Seattle—Preshared keys for VPN peer authentication and VPN 3030 internal authentication for users
  — Memphis—RSA signatures for VPN peer authentication and NT Domain for user authentication
  — Richmond—Preshared keys for VPN peer authentication and NT Domain for user authentication
  — Terry—RSA signatures for VPN peer authentication and NT Domain for user authentication
  — Carol—Preshared keys for VPN peer authentication and VPN 3030 internal authentication for users
• Diffie-Hellman 2—1024-bit key exchange
• 86,400 seconds for IKE SA lifetime

IPSec Policy
The parameters needed to configure the IPSec policy required for each site and user type are as follows:
• ESP—The IPSec protocol that provides encryption
• MD5—128-bit hashing algorithm
• 3DES—168-bit encryption
• SA established by IKE
• Traffic to be protected for each site:
  — Portland—Only traffic destined for internal network addresses
  — Seattle—All traffic
  — Memphis—All traffic except HTTP
  — Richmond—All traffic except HTTP
  — Terry—Only traffic destined for internal network addresses
  — Carol—Only traffic destined for internal network addresses
• Possible unique IP address subnets for each site for DHCP address assignment are as follows:
  — Portland—192.168.20.1 to 192.168.20.20
  — Seattle—192.168.30.1 to 192.168.30.20
  — Memphis—192.168.40.1 to 192.168.40.200
  — Richmond—192.168.50.1 to 192.168.50.200
  — Terry and other digital certificate users—192.168.60.1 to 192.168.60.50
  — Carol and other preshared key users—192.168.70.1 to 192.168.70.50
Scenario 11-2 Answers
The configurations required to support the Portland users are described in the following sections.
Detroit VPN 3030 Concentrator and Router (Generic for All)
Configure the following settings and attributes on the Detroit router and VPN 3030 Concentrator to support all the sites and users:
1. On the Detroit Bastion router, configure an ACL that permits the IPSec ports and protocols, specifically UDP port 500 for ISAKMP, protocol 50 for ESP, and protocol 51 for AH.

2. On the 3030, obtain the root CA certificate from the Detroit CA using SCEP. Remember that you must install the root CA certificate first and that you must use SCEP to do that if you want to use SCEP for subsequent identity or SSL certificates from that CA.
3. Enroll the 3030 with the Detroit CA server using SCEP to install the 3030’s identity certificate.
4. On the Configuration | System | Servers | Authentication screen, add Internal and SDI server types, using the IP address of Detroit’s CA server for the address of the SDI server.
5. On the Configuration | System | Address Management | Assignment screen, select Use DHCP for client IP address assignment.
6. Change the password for the admin user.
7. Configure the 3030’s base group as follows:
  — No restrictions on access hours.
  — 1 simultaneous login.
  — 8 characters for a minimum password length.
  — Disable alphabetic-only passwords.
  — Establish 60 minutes as the idle timeout.
  — Enter the DNS and WINS servers’ IP addresses.
  — Select IPSec for the tunneling protocol.
  — If the VPN 3030 Concentrator has SEP modules (not specified for these scenarios), identify which SEP modules this group can use.
  — Select ESP/IKE-3DES-MD5 for the IPSec SA.
  — Ensure that IKE Keepalives are enabled.
  — Select Required for IKE Peer Identity Validation.
Detroit VPN 3030 Concentrator for Portland
Configure these attributes on Detroit’s VPN 3030 Concentrator to support the Portland users:
1. Create a new group specifically for Portland:
  — Use a descriptive name for the group such as Portland-LAN-to-LAN.
  — Use a generic password.
  — Select Internal authentication for remote access users.
  — Select tunnel type Remote Access.
  — Enable split tunneling and only tunnel addresses in the Detroit network.

2. Add Portland’s users to the internal database. All of these users should be in the Portland-LAN-to-LAN group.
3. Configure a static route to point 192.168.20.0 toward the Portland VPN 3002 Hardware Client.
Portland VPN 3002 Hardware Client
Configure the following attributes on Portland’s VPN 3002 Hardware Client to support the Portland users:
1. Configure the public interface for a static address or a DHCP address, depending on the requirements of the Portland ISP.
2. Because Portland uses a digital subscriber line (DSL) modem, configure the Point-to-Point Protocol (PPP) over Ethernet (PPPoE) username and password on the public interface. You can obtain these from the Portland ISP.
3. Configure a default route from the 3002 to the 3030. This can be the same address as the default gateway for the VPN 3002 Hardware Client.
4. Change the default IP address of the private interface from 192.168.10.1 to 192.168.20.100 (or some other address outside of the DHCP range of addresses for this subnet).
5. Disable PAT under Configuration | Policy Management. Disabling PAT enables Network Extension mode. You cannot disable PAT until you have changed the IP address of the private interface.
6. On the Configuration | System | IP Routing | DHCP screen, verify that DHCP is disabled on the private interface.
7. On the Configuration | System | Tunneling Protocols | IPSec screen, enter the IP address of Detroit’s VPN 3030 Concentrator. Check the Use Certificate box. You only need to send the identity certificate because both VPN devices use the same root CA server. You do not need to enter a group or username because you will be using digital certificates for authentication.
8. Install root and identity certificates from Detroit’s CA server (after you have configured the public interface on the VPN 3002 Hardware Client).
9. Because the 3002 has an internal switch, you do not need to do anything to share the local printer.
10. Change the password for the admin user.

Scenario 11-3 Answers
The configurations required to support the Seattle users are described in the following sections.
Detroit VPN 3030 Concentrator for Seattle
Configure these attributes on Detroit’s VPN 3030 Concentrator to support the Seattle users:
1. Create a new group specifically for Seattle, as follows:
  — Use a descriptive name for the group, such as Seattle-LAN-to-LAN.
  — Use a generic password.
  — Select Internal Authentication.
  — Select tunnel type Remote Access.
  — Enable split tunneling and only tunnel addresses in the Detroit network.
2. Add Seattle’s users to the internal database. All of these users should be in the Seattle-LAN-to-LAN group.
3. Create a separate user to be used by the VPN 3002 Hardware Client during IKE Phase 1 negotiations with the VPN 3030 Concentrator. This user should also be in the Seattle-LAN-to-LAN group.
4. Configure a static route to point 192.168.30.0 toward the Seattle VPN 3002 Hardware Client.
Seattle VPN 3002 Hardware Client
Configure the following attributes on Seattle’s VPN 3002 Hardware Client to support the Seattle users:
1. Configure the public interface for a static address or a DHCP address, depending on the requirements of the Seattle ISP.
2. Because Seattle uses a DSL modem, configure the Point-to-Point Protocol over Ethernet (PPPoE) username and password on the public interface. You can obtain these from the Seattle ISP.
3. Configure a default route from the 3002 to the 3030. This can be the same address as the default gateway for the VPN 3002 Hardware Client.
4. Change the default IP address of the private interface from 192.168.10.1 to 192.168.30.100 (or some other address outside of the DHCP range of addresses for this subnet).
5. Enable PAT under Configuration | Policy Management. Enabling PAT enables Client Extension mode.

6. On the Configuration | System | IP Routing | DHCP screen, verify that DHCP is disabled on the private interface.
7. On the Configuration | System | Tunneling Protocols | IPSec screen, enter the IP address of Detroit’s VPN 3030 Concentrator. Be sure to uncheck the Use Certificate box. Enter the Seattle-LAN-to-LAN group name and password (this combination becomes the preshared key for authentication purposes). Enter the username and password of the unique user you created on the VPN 3030 Concentrator for IKE Phase 1 negotiations.
8. Because the 3002 has an internal switch, you do not need to do anything to share the local printer.
9. Change the password for the admin user.
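The per-site DHCP pools from Scenario 11-1, the VPN 3002 private-interface addresses chosen in Scenarios 11-2 and 11-3, and the static routes added on the Detroit 3030 all have to agree with one another: no two pools may overlap, each 3002's private address must sit on its site subnet but outside the pool, and every pool must be covered by a route on the concentrator. The following Python script is an added example (not from the book) that checks those three properties over the scenario's own address values; it assumes a /24 mask for every site subnet, which the scenarios imply but do not state.

```python
"""Address-plan sanity checks for the Chapter 11 scenarios.

Added example, not the book's own material. It uses the DHCP pools from
Scenario 11-1, the VPN 3002 private-interface addresses from Scenarios
11-2 and 11-3, and the static-route destinations from the scenario answers.
Assumption: every site subnet is a /24 (the scenarios do not state a mask).
"""
from ipaddress import IPv4Address, IPv4Network

# DHCP pools from Scenario 11-1 (first address, last address).
POOLS = {
    "Portland": ("192.168.20.1", "192.168.20.20"),
    "Seattle": ("192.168.30.1", "192.168.30.20"),
    "Memphis": ("192.168.40.1", "192.168.40.200"),
    "Richmond": ("192.168.50.1", "192.168.50.200"),
    "Digital-cert users": ("192.168.60.1", "192.168.60.50"),
    "Preshared-key users": ("192.168.70.1", "192.168.70.50"),
}

# VPN 3002 private-interface addresses from Scenarios 11-2 and 11-3.
HARDWARE_CLIENT_PRIVATE = {
    "Portland": "192.168.20.100",
    "Seattle": "192.168.30.100",
}

# Destination networks of the static routes configured on the Detroit 3030
# (/24 mask is an assumption; next hops are omitted because the check only
# needs to know which destinations have a route at all).
STATIC_ROUTES = [
    "192.168.20.0/24", "192.168.30.0/24", "192.168.40.0/24",
    "192.168.50.0/24", "192.168.60.0/24", "192.168.70.0/24",
]


def _bounds(pool):
    first, last = pool
    return IPv4Address(first), IPv4Address(last)


def overlapping_pools(pools=POOLS):
    """Return (site_a, site_b) pairs whose DHCP pools share an address."""
    names = list(pools)
    clashes = []
    for i, a in enumerate(names):
        a_lo, a_hi = _bounds(pools[a])
        for b in names[i + 1:]:
            b_lo, b_hi = _bounds(pools[b])
            # Two inclusive ranges intersect when each starts before the other ends.
            if a_lo <= b_hi and b_lo <= a_hi:
                clashes.append((a, b))
    return clashes


def hardware_client_address_ok(site, address, pools=POOLS):
    """True when the 3002 private address is on the site subnet but outside its pool."""
    lo, hi = _bounds(pools[site])
    subnet = IPv4Network(f"{pools[site][0]}/24", strict=False)  # /24 assumed
    addr = IPv4Address(address)
    return addr in subnet and not (lo <= addr <= hi)


def unrouted_pools(routes=STATIC_ROUTES, pools=POOLS):
    """Return the sites whose whole DHCP pool is not covered by any static route."""
    nets = [IPv4Network(r) for r in routes]
    missing = []
    for site, pool in pools.items():
        lo, hi = _bounds(pool)
        if not any(lo in n and hi in n for n in nets):
            missing.append(site)
    return missing


def run_checks():
    """Summarise all three checks for the scenario's values."""
    return {
        "overlapping_pools": overlapping_pools(),
        "bad_3002_addresses": [
            site for site, addr in HARDWARE_CLIENT_PRIVATE.items()
            if not hardware_client_address_ok(site, addr)
        ],
        "unrouted_pools": unrouted_pools(),
    }


if __name__ == "__main__":
    for name, result in run_checks().items():
        print(f"{name}: {result or 'OK'}")
```

Running the script against the scenario's values reports all three checks as OK; feeding it a deliberately clashing pool or a 3002 address inside the pool (the mistake step 4 above warns against) names the offending site.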
Scenario 11-4 Answers
The configurations required to support the Memphis users are described in the following sections.
Detroit VPN 3030 Concentrator for Memphis
Configure the following attributes on Detroit’s VPN 3030 Concentrator to support the Memphis users:
1. Assign a static IP for the Memphis 3005 Concentrator.
2. On the Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN screen, add a connection to Memphis using the IP address of the Memphis VPN 3005 Concentrator. Select to use digital certificates, and select the VPN 3030’s identity certificate to use for authentication.
3. Configure a static route to point 192.168.40.0 toward the Memphis VPN 3005 Concentrator.
Memphis VPN 3005 Concentrator and Router
Configure the following attributes on Memphis’s VPN 3005 Concentrator and router to support the Memphis users:
1. On the Memphis router, configure an ACL that permits the IPSec ports and protocols, specifically UDP port 500 for ISAKMP, protocol 50 for ESP, and protocol 51 for AH.
2. On the Memphis VPN 3005 Concentrator, install root and identity certificates.
3. Assign a static IP for Detroit’s 3030 Concentrator.
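Both the Detroit Bastion router (Scenario 11-2, step 1) and the Memphis router (step 1 above) need the same inbound ACL: permit UDP 500 (ISAKMP), IP protocol 50 (ESP) and IP protocol 51 (AH) toward the concentrator, and nothing else. The following Python model is an added example, not a configuration from the book or from Cisco: it represents the ACL as an ordered rule list with Cisco IOS semantics (first match wins, implicit deny at the end), classifies a few constructed packets against it, and renders the rules as IOS-style extended-ACL lines. The concentrator address 203.0.113.10 is a constructed placeholder.

```python
"""Model of the router ACL called for in Scenarios 11-2 and 11-4.

Added example, not the book's or Cisco's configuration. Cisco IOS ACL
semantics are modelled: rules are tested in order, the first match decides,
and a packet that matches nothing is dropped by the implicit deny.
"""
from dataclasses import dataclass
from typing import Optional

UDP, ESP, AH = 17, 50, 51          # IP protocol numbers
ISAKMP_PORT = 500
CONCENTRATOR = "203.0.113.10"      # constructed placeholder for the 3030/3005 public address


@dataclass(frozen=True)
class Packet:
    proto: int
    dst: str
    dport: Optional[int] = None    # only meaningful for UDP/TCP


@dataclass(frozen=True)
class Rule:
    action: str                    # "permit" or "deny"
    proto: int
    dst: str                       # a host address or "any"
    dport: Optional[int] = None    # None matches any port

    def matches(self, pkt: Packet) -> bool:
        if pkt.proto != self.proto:
            return False
        if self.dst != "any" and pkt.dst != self.dst:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True

    def to_ios(self) -> str:
        """Render as an IOS extended-ACL entry (source is 'any' in this scenario)."""
        keyword = {UDP: "udp", ESP: "esp", AH: "ahp"}[self.proto]
        dst = "any" if self.dst == "any" else f"host {self.dst}"
        line = f" {self.action} {keyword} any {dst}"
        if self.dport is not None:
            line += f" eq {self.dport}"
        return line


# The three entries the scenario calls for, all destined to the concentrator.
VPN_INBOUND = [
    Rule("permit", UDP, CONCENTRATOR, ISAKMP_PORT),   # IKE / ISAKMP
    Rule("permit", ESP, CONCENTRATOR),                # IP protocol 50
    Rule("permit", AH, CONCENTRATOR),                 # IP protocol 51
]


def evaluate(pkt: Packet, rules=VPN_INBOUND) -> str:
    """Return 'permit' or 'deny'; anything unmatched hits the implicit deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


def render_ios(rules=VPN_INBOUND, name="VPN-INBOUND") -> str:
    """Return the equivalent named extended ACL as IOS configuration text."""
    return "\n".join([f"ip access-list extended {name}"] + [r.to_ios() for r in rules])


if __name__ == "__main__":
    # Constructed sample traffic: the three VPN flows plus two that must be dropped.
    samples = [
        Packet(UDP, CONCENTRATOR, ISAKMP_PORT),
        Packet(ESP, CONCENTRATOR),
        Packet(AH, CONCENTRATOR),
        Packet(UDP, "203.0.113.20", ISAKMP_PORT),   # ISAKMP to some other host
        Packet(6, CONCENTRATOR, 80),                # TCP/80 to the concentrator
    ]
    for pkt in samples:
        print(f"{pkt} -> {evaluate(pkt)}")
    print(render_ios())
```

The rendered text is what step 1 describes in prose: three permit entries for the concentrator followed by the implicit deny. Because the ACL is direction-specific, it belongs on the router's outside interface inbound; the example does not model the interface binding.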


Scenario 11-6 Answers
Detroit VPN 3030 Concentrator for Terry and Similar Users
Configure the following attributes on Detroit’s VPN 3030 Concentrator to support Terry and similar users:
1. Create a new group for users like Terry who will be using digital certificates.
  — Use a descriptive name for the group, such as Remote-Digital-Certificates.
  — Use a generic password.
  — Select NT Domain authentication.
2. Select tunnel type Remote Access. Select Firewall Required, and select Zone Labs ZoneAlarm Pro as the firewall type.
3. Select AYT firewall policy.
4. Create a floppy disk for Terry with root and identity certificates. (You must enroll Terry’s system.)
5. Configure a static route to point 192.168.60.0 out toward the Internet cloud.
Terry VPN Client and Browser
Configure the following attributes on Terry’s VPN Client and browser:
1. Install the root and identity certificates into the browser.
2. Configure the connection to Detroit to use the newly installed identity certificate.
Detroit VPN 3030 Concentrator for Carol and Similar Users
Configure the following attributes on Detroit’s VPN 3030 Concentrator to support Carol and similar users:
1. Create a new group for users like Carol, who will be using preshared keys.
  — Use a descriptive name for the group, such as Remote-Preshared-Keys.
  — Use a generic password.
  — Select Internal authentication.
2. Select tunnel type Remote Access. Select Firewall Required, and select Cisco Client Integrated Firewall as the firewall type.
3. Select CPP firewall policy and define the policy.
4. Add Carol as a user to the internal authentication database by supplying a username and password. You must do this for all users like Carol.
5. Configure a static route to point 192.168.70.0 out toward the Internet cloud.

