
Cisco Secure VPN Exam Certification Guide - Cisco Press

Chapter 9— Do I Know This Already? 539
17. Your VPN 3002 Hardware Client attempts to auto-update. The system appears to “hang” and eventually times out on the download portion of the process. What are two likely causes?
The two most likely causes are that your VPN 3002 Hardware Client either cannot connect to the TFTP server or the Client does not have sufficient permissions on the server to download the software.
18. You have tried to upgrade your VPN 3002 Hardware Client. However, the VPN 3002 Hardware Client keeps trying to upgrade without success. You know that you have connectivity. You can see in the logs that you have been downloading the file. What is the problem?
The problem is that you have entered an incorrect version number in the VPN Concentrator. If you can see that the file has been downloaded but it still tries to update the software, this is the only explanation.
19. Why will some applications not work with either NAT or PAT?
Some applications, especially very old DOS applications, were written before the OSI model was fully accepted. These applications embed the workstation address within the data instead of relying on TCP/IP to carry the IP address. These programs will fail using either NAT or PAT because the message will be sent back to the workstation address within the data, not the workstation address that was translated.
20. Why will PAT cause problems with some applications whereas NAT does not cause these problems?
Some applications expect to use specific ports. Because PAT changes the ports used, this can cause problems with this type of application.
21. What are two main differences between NAT and PAT?
The first difference between NAT and PAT is that NAT is a one-to-one translation while PAT is a one-to-many translation. The second major difference is that PAT translates ports (either TCP or UDP) as well as source or destination addresses.
22. Why is UDP Transparent IPSec (IPSec over UDP) usable with either NAT or PAT when IPSec over TCP is not usable over PAT?
UDP Transparent IPSec bypasses the effects of NAT and PAT by encapsulating the data traffic within new UDP packets.
23. You are using UDP Transparent IPSec on your VPN 3002 Hardware Client. How are filters applied to inbound traffic? How are filters applied to outbound traffic?
Traffic inbound is decrypted before routing. Traffic outbound is routed and then encrypted.


Chapter 9— Q&A 541
5. You are using a backup IPSec server because the primary server was down when the initial tunnel was initiated. The primary server is now up. Will the VPN 3002 Hardware Client restore a connection to the primary? If so, when?
The connection to the primary server will only be reestablished after a connection to the backup server is terminated.
6. What is the timeout period used when attempting to connect to the primary concentrator before a connection will be attempted to a secondary concentrator?
The timeout period is 8 seconds.
7. You tried to connect to your primary concentrator from your VPN 3002 Hardware Client but were unsuccessful. Your 3002 Hardware Client then attempted to connect to your backup concentrator without success. When will the VPN 3002 Hardware Client try again?
Once a VPN 3002 Hardware Client goes through its list of backup concentrators, it will not attempt any more connections until the Connect Now button on the Monitoring | System Status screen is clicked.
8. What screen is used to configure backup servers on the VPN 3002 Hardware Client?
The Configuration | System | Tunneling Protocols | IPSec screen is used to configure backup servers on the VPN 3002 Hardware Client.
9. You have three VPN 3015 Concentrators on the same network. Assuming default priority settings, which one will be elected to balance the load?
The first VPN 3015 Concentrator on the network will balance the load.
10. What factors are considered for VPN 3000 Concentrator load balancing with VPN 3002 Hardware Clients or remote access VPN Clients?
Total number of connections, the number of connections on each VPN concentrator, and the total number of connecting clients are the factors considered during load balancing.
11. How is load balancing enabled on the VPN 3002 Hardware Client?
The load-balancing feature is automatic on the VPN 3002 Hardware Client.
12. What types of clients may use the auto-update feature?
Only Windows-based VPN Clients and the VPN 3002 Hardware Client can use the auto-update feature.
13. When a software update is pending, during the connection process, the concentrator sends a message indicating the IP address of the TFTP server and the software version to be downloaded. What type (protocol) is this message?
This is an ISAKMP message.

21. You have tried to upgrade your VPN 3002 Hardware Client. However, the VPN 3002 Hardware Client keeps trying to upgrade without success. You know that you have connectivity. You can see in the logs that you have been downloading the file. What is the problem?
The problem is that you have entered an incorrect version number in the VPN Concentrator. If you can see that the file has been downloaded but it still tries to update the software, this is the only explanation.
22. Why will some applications not work with either NAT or PAT?
Some applications, especially very old DOS applications, were written before the OSI model was fully accepted. These applications embed the workstation address within the data instead of relying on TCP/IP to carry the IP address. These programs will fail using either NAT or PAT because the message will be sent back to the workstation address within the data, not the workstation address that was translated.
23. Why will PAT cause problems with some applications whereas NAT does not cause these problems?
Some applications expect to use specific ports. Because PAT changes the ports used, this can cause problems with this type of application.
24. Which debug class or classes should you enable in order to debug an auto-update?
The AUTOUPDATE class is all that is necessary for debugging an auto-update.
25. On the VPN Concentrator, what is the syntax used to specify the TFTP server and the filename used for updating the client software?
The syntax is tftp://{IP address of server}/(unknown).
26. You have configured auto-update to occur. Which device, the VPN Concentrator or the VPN 3002 Hardware Client, recognizes that the software must be updated?
The VPN 3002 Hardware Client recognizes that the software needs to be updated and starts the update process.
27. What client type(s) are permissible to be set on the VPN Concentrator for upgrading clients when using the VPN 3002 Hardware Client?
Because only the VPN 3002 Hardware Client is able to be upgraded, the only permissible value is vpn3002.
28. How is the VPN 3000 Concentrator configured to notify VPN 3002 Hardware Clients that a new software upgrade is available?
Using the GUI, go to Administration | Software Update | Clients. Choose the group. Select Upgrade Clients Now.

544 Appendix A: Answers to the “Do I Know This Already?” Quizzes and Q&A Sections
29. Your VPN 3002 Hardware Client attempts to auto-update. The system appears to “hang” and eventually times out on the download portion of the process. What are two likely causes?
The two most likely causes are that your VPN 3002 Hardware Client either cannot connect to the TFTP server or the Client does not have sufficient permissions on the server to download the software.
30. In Network Extension mode, how long will the VPN 3002 Hardware Client wait before attempting to connect to a backup server if a connection to the primary server fails?
In Network Extension mode, the VPN 3002 Hardware Client will wait 4 seconds before attempting to connect to a backup server.
31. Will a VPN 3002 Hardware Client connected to a backup server recognize that the primary server has added a new backup server?
No. The VPN 3002 Hardware Client will only recognize a new backup server if it is connected to the primary server.
32. Does the VPN 3002 Hardware Client send keepalives to other VPN 3002 Hardware Clients connected to the same primary or backup server?
No. VPN 3002 Hardware Clients have no knowledge of other VPN 3002 Hardware Clients unless their inside interfaces are on the same LAN. In this case, this is only used for load balancing.
33. Where are hold-down routes configured?
Hold-down routes are configured on the concentrator from the Configuration | System | IP Routing | Reverse Route Injection screen.
34. What protocols may be used with LAN-to-LAN Autodiscovery?
RIP is the only protocol currently available for use with LAN-to-LAN autodiscovery.
35. When using IPSec over TCP, how are IKE and IPSec protocols handled in relation to NAT?
The entire packet is encapsulated within a new IP packet. This allows the new packet to have its source address changed by NAT and the source address and port changed by PAT without worrying about encryption or decryption of the original data.
36. You are planning on terminating your VPN 3002 Hardware Client’s VPN tunnel on a Microsoft Proxy Server. Should you use UDP NAT Transparent IPSec (IPSec over UDP) or IPSec over TCP?
You must use UDP NAT Transparent IPSec because IPSec over TCP will not work with a proxy server.

Chapter 10—Do I Know This Already?
1. What is a LAN-to-LAN connection?
A LAN-to-LAN connection is a secure connection between two LANs.
2. What equipment is required for a LAN-to-LAN connection?
A LAN-to-LAN connection requires any combination of concentrators, routers and firewalls.
3. Where can a LAN-to-LAN connection be used?
You can use a LAN-to-LAN connection
• Across the Internet
• Between two networks connected through a trusted network
• Between two networks connected through a non-trusted network
4. When setting up network lists, how should the lists at each side of the LAN-to-LAN connection relate to each other?
They must be reflective of each other. The network lists reflect the networks that are coming into the concentrator, therefore referencing the network on the opposite side of where the network list is configured.
5. You attempted to configure a LAN-to-LAN connection, but cannot see a specific network on one side of the connection. What is the most likely problem?
Most likely, the network is missing from the network list on one of the concentrators.
6. What routing protocol is used for Autodiscovery?
RIP is used for Autodiscovery.
7. What is an identity certificate?
The identity certificate is used to uniquely identify a specific network device.
8. What is the advantage of using SCEP?
SCEP simplifies the process of obtaining and installing certificates.
9. What are critical items when using any certificates?
The date and time on the device are the most critical items when using any certificates.
10. Order the steps for using a certificate:
1. Issue an enrollment request
2. Enroll with the CA
3. The enrollment request is accepted
4. Install the Certificate
5. Configure the concentrator to use the Certificate
2, 1, 3, 4, 5
11. You want to use SCEP to enroll an identity certificate. How must the associated CA certificate be obtained?
The CA certificate must be obtained using SCEP.
12. What are the default directory and filename for the DLL used with SCEP?
The default filename is mscep.dll; the default directory is certserv.
13. What are the three major steps involved in using digital certificates for a LAN-to-LAN connection?
Configure the LAN-to-LAN connection to use the identity certificate. Configure the LAN-to-LAN connection to use the IKE proposal. Activate the IKE proposal.
14. When using an identity certificate, what is the effect of entering an incorrect name in the OU field?
The group will have no access.
15. What three key sizes may be used with DSA when installing certificates using SCEP?
512 bits; 1024 bits; 768 bits.
Chapter 10—Q&A
1. What is a LAN-to-LAN connection?
A LAN-to-LAN connection is a secure connection between two LANs.
2. What equipment is required for a LAN-to-LAN connection?
A LAN-to-LAN connection requires any combination of concentrators, routers and firewalls.
3. Where can a LAN-to-LAN connection be used?
You can use a LAN-to-LAN connection
• Across the Internet
• Between two networks connected through a trusted network
• Between two networks connected through a non-trusted network

4. When setting up network lists, how should the lists at each side of the LAN-to-LAN connection relate to each other?
They must be reflective of each other. The network lists reflect the networks that are coming into the concentrator, therefore referencing the network on the opposite side of where the network list is configured.
5. You attempted to configure a LAN-to-LAN connection, but cannot see a specific network on one side of the connection. What is the most likely problem?
Most likely, the network is missing from the network list on one of the concentrators.
6. What routing protocol is used for Autodiscovery?
RIP is used for Autodiscovery.
7. What is an identity certificate?
The identity certificate is used to uniquely identify a specific network device.
8. What is the advantage of using SCEP?
SCEP simplifies the process of obtaining and installing certificates.
9. What are critical items when using any certificates?
The date and time on the device are the most critical items when using any certificates.
10. Order the steps for using a certificate:
1. Issue an enrollment request
2. Enroll with the CA
3. The enrollment request is accepted
4. Install the Certificate
5. Configure the concentrator to use the Certificate
2, 1, 3, 4, 5
11. You want to use SCEP to enroll an identity certificate. How must the associated CA certificate be obtained?
The CA certificate must be obtained using SCEP.
12. What are the default directory and filename for the DLL used with SCEP?
The default filename is mscep.dll; the default directory is certserv.