Cisco Secure VPN Exam Certification Guide - Cisco Press

528 Appendix A: Answers to the “Do I Know This Already?” Quizzes and Q&A Sections

25. On the VPN 3000 Concentrator Series devices, you configure the client firewall properties on the Client FW tab of the Configuration | User Management | Groups | Add (or Modify) screen. You can only select one firewall policy from that screen. What are the three types of firewall policies that you can choose from the Client FW tab?

You can select to enable a Policy defined by remote firewall (AYT), a Policy Pushed (CPP), or a Policy from Server on the Client FW tab.

Chapter 7—Do I Know This Already?

1. What screen is used to set the password for the administrator?

Administration | Access Rights | Administrators

2. You wish to limit HTTP access to the concentrator to hosts on the same subnet as the inside interface of the concentrator. What is the format of the Access Control List?

Use the network IP address of the interface’s base network and the proper subnet mask.

3. What types of AAA servers can the VPN 3000 Series Concentrator use for authenticating management sessions?

TACACS+

4. What is the upper limit for a management session timeout?

30 minutes

5. What form of encryption may be used on a configuration file?

RC4

6. On what screen can routes be cleared?

Monitoring | Routing Table

7. Where can you see the CPU utilization on a Cisco 3000 Series Concentrator?

Monitoring | System Status

8. Where can you troubleshoot an IPSec connection?

Monitoring | Statistics | IPSec

9. Where can you troubleshoot TCP/IP connections?

(Note that the keyword in this question is “connection,” which requires TCP):

Monitoring | Statistics | MIB II | TCP/UDP

10. Where can you see the number of collisions on an Ethernet Interface?

Monitoring | Statistics | Interface | MIB II-> | Statistics


Chapter 7—Q&A

1. What screen is used to set the password for the administrator?

Administration | Access Rights | Administrators

2. You wish to limit HTTP access to the concentrator to hosts on the same subnet as the inside interface of the concentrator. What is the format of the Access Control List?

Use the network IP address of the interface’s base network and the proper subnet mask.

3. What types of AAA servers can the VPN 3000 Series Concentrator use for authenticating management sessions?

TACACS+

4. What is the upper limit for a management session timeout?

30 minutes

5. What form of encryption may be used on a configuration file?

RC4

6. On what screen can routes be cleared?

Monitoring | Routing Table

7. Where can you see the CPU utilization on a Cisco 3000 Series Concentrator?

Monitoring | System Status

8. Where can you troubleshoot an IPSec connection?

Monitoring | Statistics | IPSec

9. Where can you troubleshoot TCP/IP connections?

(Note that the keyword in this question is “connection,” which requires TCP):

Monitoring | Statistics | MIB II | TCP/UDP

10. Where can you see the number of collisions on an Ethernet Interface?

Monitoring | Statistics | Interface | MIB II-> | Statistics

11. What is the major difference between the Monitoring | Statistics and the Monitoring | Statistics | MIB II sections?

The MIB II section works on the first four layers of the OSI model, while the Statistics section works at higher levels.


12. You wish to limit the number of concurrent management connections. Where is this done?

To limit the number of concurrent management connections, go to the Administration | Access Rights | Access Settings screen.

13. You wish to use a AAA server to authenticate management access to the concentrator. What must you use?

You must use a TACACS+ server. Also, you will need connectivity to the server.

14. What are the differences between the Filterable Event Log screen and the Live Event Log screen?

There are two major differences between the Filterable Event Log screen and the Live Event Log screen. First, the Filterable Event Log screen allows you to limit logs seen. Second, the Live Event Log updates as events occur instead of by the refresh value set in the Administration | Monitoring Refresh screen.

15. On what screen can you see if a certificate has been requested but has not yet been received?

The Administration | Certificate Management screen is used to see certificates that have been requested, but have not yet been received.

16. What section should you look in if you want to see the number of pings sent and received? From where on the concentrator do you send a ping?

The number of pings sent and received is shown under the Monitoring | Statistics | MIB II | ICMP screen. Pings are sent from the Administration | Ping screen.

17. Name two places that you can see the current software version on a concentrator.

The current software in use can be seen on the Monitoring | System Status and the Administration | Software Update | Concentrator screens.

18. What are the access control lists as defined in the Administration | Access Rights | Access Control Lists screen used for?

These access control lists are only used for access to the concentrator for management purposes.

19. You find out that your assistant has changed the configuration and saved that new configuration. However, something was configured incorrectly. None of the remote sites or remote users can connect to the concentrator. What is the quickest way to resolve the issue?

The quickest way to resolve this is to go to the Administration | File Management | Swap Config File screen and swap the backup configuration with the current configuration. Then, go to the Administration | System Reboot screen and reboot the concentrator. Because no users are connected, the reboot may be set to happen immediately.


20. A remote client with a VPN 3002 hardware client calls you on the phone saying that he is unable to connect to your network. He says that he may have incorrectly configured the preshared key on his end. You have access through HTTP to your concentrator. Where is the first place you look to see if this is a preshared key issue?

The first place you should look is on the Monitoring | Statistics | IPSec screen. This screen will quickly show whether the issue is with an incorrect preshared key.

Chapter 8—Do I Know This Already?

1. What screen is used on the head-end concentrator to demand the use of preshared keys?

The Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN | Modify screen is used to demand preshared keys from a VPN 3000 Series Concentrator.

2. You need to allow the main office to use PC Anywhere to connect to three separate machines at the remote office over the VPN. What mode must you use?

You must use Network Extension mode because all the machines at the remote office will appear as a single IP address at the corporate office if you use Port Address Translation (PAT) mode.

3. You are using individual authentication in PAT mode. Your tunnel is established but the user cannot log in. What is the first item you should examine?

First, check if the username and password are correct. You know that PAT mode only connects when data is sent to the head-end. If the tunnel is up, but the user cannot connect, this is usually an issue caused by an incorrect password or username.

4. What are the disadvantages in a large network (over 100 users) of using individual authentication with the internal authentication server in a VPN 3005 Concentrator?

There are two main disadvantages to using individual authentication in a large network. The first issue is that each user must be individually assigned a username and password. This takes a large amount of time. The second issue is that an external authentication server must be used because the internal database on a VPN 3005 Concentrator only allows a maximum of 100 combined users and groups.

5. You are the second user to connect through a VPN 3002 Hardware Client for which interactive hardware client and individual user authentication have been configured. What authentication information will you be required to enter?

You will only be required to enter your individual username and password. The VPN tunnel would have already been established by the previous user who would have been required to enter the hardware client’s username and password, as well as the individual username and password.


6. You can use a static configuration for authenticating the VPN 3002 Hardware Client with the head-end concentrator. Why would you want to use interactive hardware client authentication?

Interactive hardware client authentication provides another layer of security to the system. The device authentication username and password are not stored on the VPN 3002 Hardware Client but are entered by the first user that brings up the VPN connection. The password can be quickly changed on the head-end device and communicated to the users connecting to the VPN 3002 Hardware Client. The head-end concentrator pushes the policies you set for authentication out to the VPN 3002 Hardware Client. You can also use both individual user and interactive hardware client authentication simultaneously.

7. Where is interactive hardware client authentication configured?

You configure interactive hardware client authentication on the head-end VPN 3000 Series Concentrator on the HW Client tab of the Configuration | User Management | Groups | Modify (or Add) screen.

8. What authentication method is used for interactive hardware client authentication?

The authentication method used is governed by the method you selected to use for the VPN group. You can use either internal or external authentication.

9. What must you configure on the VPN 3002 Hardware Client in order to use interactive hardware client authentication?

There are no special configuration steps required on the VPN 3002 Hardware Client to enable interactive hardware client authentication. This function is driven completely from the head-end concentrator.

10. The HW Client tab of the Configuration | User Management | Groups | Modify (or Add) screen is used to configure individual user authentication. What other two attributes for individual user authentication can you set on this screen?

Along with enabling individual user authentication, the HW Client tab lets you establish User Idle Timeout and Cisco IP Phone Bypass.

11. What is the default session idle timeout when using individual user authentication?

The default session idle timeout for individual user authentication is 30 minutes.

12. When individual user authentication is enabled, what initial screen are you directed to when you first try to establish a browser connection to an address in the private network of the head-end concentrator?

You will be redirected to the VPN 3002 Hardware Client Manager login screen. From this screen you will select the Connection/Login Status hotlink, which will permit you to log in to the network.


13. What VPN 3002 Hardware Client Manager screen can you use to quickly try to connect to the head-end concentrator?

The Monitoring | System Status screen of the VPN 3002 Hardware Client Manager has two buttons: Disconnect Now and Connect Now. Simply click the Connect Now button to try to establish the connection.

14. What VPN 3002 Hardware Client Manager screen can you use when you want to view IKE Phase 1 and IPSec Phase 2 connection statistics?

The Monitoring | Statistics | IPSec screen of the VPN 3002 Hardware Client Manager provides information on IKE and IPSec connections.

15. What VPN 3002 Hardware Client Manager screen can you use if you suspect that DNS problems are interfering with user communications?

The Monitoring | Statistics | DNS screen of the VPN 3002 Hardware Client Manager provides information on DNS requests, responses, timeouts, and other data that may help you diagnose a DNS problem on your system.

Chapter 8—Q&A

1. What screen is used on the head-end concentrator to demand the use of preshared keys?

The Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN | Modify screen is used to demand preshared keys from the VPN 3002 Hardware Client.

2. Name five items to check when you are unable to connect a VPN tunnel and you are receiving IKE failures on Phase 1.

The five items to check when receiving Phase 1 errors are:

Xauth is required, but the proposal does not support Xauth.

Check the priorities of IKE Xauth proposals in the IKE proposal list.

Check the VPN 3002 Hardware Client group.

Check the group on the VPN Concentrator.

Check that all SA proposals are acceptable.

3. You need to allow the main office to use PC Anywhere to connect to three separate machines at the remote office over the VPN. What mode must you use?

You must use Network Extension mode because all the machines at the remote office will appear as a single IP address at the corporate office if you use PAT mode.


4. You need to have a device behind the head-end concentrator to send data as soon as the VPN tunnel is established. Which mode should you use? Can you use split tunneling under these circumstances?

You must use Network Extension mode. You cannot use split tunneling. In Network Extension mode without split tunneling, a device at the head-end can initiate data transfer. In either PAT mode or Network Extension mode without split tunneling, the VPN 3002 Hardware Client’s network must initiate data transfer.

5. What are the disadvantages in a large network (over 100 users) of using individual authentication with the internal server?

There are two main disadvantages to using individual authentication in a large network. The first issue is that each user must be individually assigned a username and password. This takes a large amount of time. The second issue is that an external authentication server must be used because the internal database only allows 100 users.

6. You are using individual authentication in PAT mode. Your tunnel is established but the user cannot log in. What is the first item you should examine?

First, check if the username and password are correct. You know that PAT mode only connects when data is sent to the head-end. If the tunnel is up, but the user cannot connect, this is usually an issue caused by an incorrect password or username.

7. What screen do you use on the VPN 3002 Hardware Client to configure preshared keys?

You use the Configuration | System | Tunneling Protocols | IPSec screen on the VPN 3002 Hardware Client to configure preshared keys.

8. You appear to be experiencing a DoS attack that is initiating from the IP address assigned to one of your VPN 3002 Hardware Clients. What is the problem?

The problem is that the VPN 3002 Hardware Client has been set to Network Extension mode but the head-end concentrator has not been changed from the default PAT mode.

9. You need to allow the remote office to use PC Anywhere to connect to three separate machines at the main office over the VPN. What mode must you use?

You can use either PAT or Network Extension mode. It is only when going from the main office to the remote office that there is an issue of whether to use Network Extension or PAT mode.

10. Some of your remote sites can use split tunneling and others cannot. How is this controlled?

The decision to allow split tunneling is controlled on a group-by-group basis by the VPN 3002 Hardware Client.


11. Your remote site has an ISDN connection to the Internet. You are charged on a per-minute basis for connecting to the Internet. Which mode should you use?

Other than changing ISPs, the best move here is to use PAT mode because the tunnel will disconnect after a specified amount of time, reducing the charges for your connection. Using Network Extension mode means that the tunnel is always active.

12. What version of software must be running on the head-end concentrator to use PAT mode? What version is required for Network Extension mode?

Both require version 3.x.

13. You are the second user to connect through a VPN 3002 Hardware Client for which interactive hardware client and individual user authentication have been configured. What authentication information will you be required to enter?

You will only be required to enter your individual username and password. The VPN tunnel would have already been established by the previous user who would have been required to enter the hardware client’s username and password, as well as their individual username and password.

14. You can use a static configuration for authenticating the VPN 3002 Hardware Client with the head-end concentrator. Why would you want to use interactive hardware client authentication?

Interactive hardware client authentication provides another layer of security to the system. The device authentication username and password are not stored on the VPN 3002 Hardware Client but are entered by the first user that brings up the VPN connection. The password can be quickly changed on the head-end device and communicated to the users connecting to the VPN 3002 Hardware Client. The head-end concentrator pushes the policies you set for authentication out to the VPN 3002 Hardware Client. You can also use both individual user and interactive hardware client authentication simultaneously.

15. Where is interactive hardware client authentication configured?

You configure interactive hardware client authentication on the head-end VPN 3000 Series Concentrator on the HW Client tab of the Configuration | User Management | Groups | Modify (or Add) screen.

16. What authentication method is used for interactive hardware client authentication?

The authentication method used is governed by the method you selected to use for the VPN group. You can use either internal or external authentication.


17. What must you configure on the VPN 3002 Hardware Client in order to use interactive hardware client authentication?

There are no special configuration steps required on the VPN 3002 Hardware Client to enable interactive hardware client authentication. This function is driven completely from the head-end concentrator.

18. The HW Client tab of the Configuration | User Management | Groups | Modify (or Add) screen is used to configure individual user authentication. What other two attributes for individual user authentication can you set on this screen?

Along with enabling individual user authentication, the HW Client tab lets you establish User Idle Timeout and Cisco IP Phone Bypass.

19. What is the default session idle timeout when using individual user authentication?

The default session idle timeout for individual user authentication is 30 minutes.

20. When individual user authentication is enabled, what initial screen are you directed to when you first try to establish a browser connection to an address in the private network of the head-end concentrator?

You will be redirected to the VPN 3002 Hardware Client Manager login screen. From this screen you will select the Connection/Login Status hotlink, which will permit you to log in to the network.

21. What VPN 3002 Hardware Client Manager screen can you use to quickly try to connect to the head-end concentrator?

The Monitoring | System Status screen of the VPN 3002 Hardware Client Manager has two buttons: Disconnect Now and Connect Now. Simply click the Connect Now button to try to establish the connection.

22. What VPN 3002 Hardware Client Manager screen can you use when you want to view IKE Phase 1 and IPSec Phase 2 connection statistics?

The Monitoring | Statistics | IPSec screen of the VPN 3002 Hardware Client Manager provides information on IKE and IPSec connections.

23. What VPN 3002 Hardware Client Manager screen can you use if you suspect that DNS problems are interfering with user communications?

The Monitoring | Statistics | DNS screen of the VPN 3002 Hardware Client Manager provides information on DNS requests, responses, timeouts, and other data that might help you diagnose a DNS problem on your system.


Chapter 9—Do I Know This Already?

1. What are the ramifications an administrator should consider when planning to use Virtual Router Redundancy Protocol (VRRP) along with reverse route injection (RRI)?

VRRP (Virtual Router Redundancy Protocol) and RRI (Reverse Route Injection) are incompatible and should not be used together.

2. You wish to inject a route from the VPN Concentrator to the VPN 3002 Hardware Client. What routing protocol must you use?

You must use OSPF if you wish to use the VPN Concentrator to advertise a route to the VPN 3002 Hardware Client.

3. You wish to use RIPv1 with Reverse Route Injection. Can this be done?

You must use RIPv2.

4. You are using a backup IPSec server because the primary server was down when the initial tunnel was initiated. The primary server is now up. Will the VPN 3002 Hardware Client restore a connection to the primary? If so, when?

The connection to the primary server will only be reestablished after a connection to the backup server is terminated.

5. What is the timeout period used when attempting to connect to the primary concentrator before a connection will be attempted to a secondary concentrator?

The timeout period is 8 seconds.

6. You tried to connect to your primary concentrator from your VPN 3002 Hardware Client but were unsuccessful. Your VPN 3002 Hardware Client then attempted to connect to your backup concentrator without success. When will the VPN 3002 Hardware Client try again?

Once a VPN 3002 Hardware Client goes through its list of backup concentrators, it will not attempt any more connections until the Connect Now button on the Monitoring | System Status screen is clicked.

7. How is load balancing enabled on the VPN 3002 Hardware Client?

The load-balancing feature is automatic on the VPN 3002 Hardware Client.

8. You have three VPN 3015 Concentrators on the same network. Assuming default priority settings, which one will be elected to balance the load?

The first VPN 3015 Concentrator on the network will balance the load.