
- Using Your Sybex Electronic Book
- Acknowledgments
- Introduction
- Assessment Test
- Answers to Assessment Test
- Types of Network Security Threats
- Types of Security Weaknesses
- Technology Weaknesses
- Configuration Weaknesses
- Policy Weaknesses
- Types of Network Attacks
- Eavesdropping
- Denial-of-Service Attacks
- Unauthorized Access
- WareZ
- Masquerade Attack (IP Spoofing)
- Session Hijacking or Replaying
- Rerouting
- Repudiation
- Smurfing
- Password Attacks
- Man-in-the-Middle Attacks
- Application-Layer Attacks
- Trojan Horse Programs, Viruses, and Worms
- HTML Attacks
- The Corporate Security Policy
- Summary
- Exam Essentials
- Key Terms
- Written Lab
- Review Questions
- Answers to Written Lab
- Answers to Review Questions
- Authentication Methods
- Windows Authentication
- Security Server Authentication
- PAP and CHAP Authentication
- PPP Callback
- Configuring the NAS for AAA
- Securing Access to the Exec Mode
- Enable AAA Locally on the NAS
- Authentication Configuration on the NAS
- Authorization Configuration on the NAS
- Accounting Configuration on the NAS
- Verifying the NAS Configuration
- Troubleshooting AAA on the Cisco NAS
- Summary
- Exam Essentials
- Key Terms
- Commands Used in This Chapter
- Written Lab
- Review Questions
- Hands-On Labs
- Lab 2.1: Setting the Line Passwords
- Lab 2.2: Setting the Enable Passwords
- Lab 2.3: Encrypting your Passwords
- Lab 2.4: Creating Usernames and Logging In
- Lab 2.5: Configuring AAA Authentication on the NAS
- Answers to Written Lab
- Answers to Review Questions
- Introduction to the CiscoSecure ACS
- Using User Databases for Authentication
- Populating the User Database Population
- New ACS Features
- Installing CiscoSecure ACS 3.0
- Administering CiscoSecure ACS
- TACACS+ Overview
- Configuring TACACS+
- Using RADIUS
- CiscoSecure User Database NAS Configuration for RADIUS
- Verifying TACACS+
- Summary
- Exam Essentials
- Key Terms
- Commands Used in This Chapter
- Written Lab
- Review Questions
- Answers to Written Lab
- Answers to Review Questions
- Solving Eavesdropping and Session Replay Problems
- Fighting Rerouting Attacks
- Fighting Denial-of-Service Attacks
- Turning Off and Configuring Network Services
- Blocking SNMP Packets
- Disabling Echo
- Turning Off BOOTP and Auto-Config
- Disabling the HTTP Interface
- Disabling IP Source Routing
- Disabling Proxy ARP
- Disabling Redirect Messages
- Disabling the Generation of ICMP Unreachable Messages
- Disabling Multicast Route Caching
- Disabling the Maintenance Operation Protocol (MOP)
- Turning Off the X.25 PAD Service
- Enabling the Nagle TCP Congestion Algorithm
- Logging Every Event
- Disabling Cisco Discovery Protocol
- Disabling the Default Forwarded UDP Protocols
- Summary
- Exam Essentials
- Key Terms
- Commands Used in This Chapter
- Written Lab
- Review Questions
- Hands-On Lab
- Lab 4.1: Controlling TCP/IP Services
- Answers to Written Lab
- Answers to Review Questions
- Understanding the Cisco IOS Firewall
- Authentication Proxy and IDS
- Context-Based Access Control
- CBAC Compared to ACLs
- CBAC-Supported Protocols
- Introduction to CBAC Configuration
- Using Audit Trails and Alerts
- Configuring Global Timeouts and Thresholds
- Configuring PAM
- Defining Inspection Rules
- Applying Inspection Rules and ACLs to Router Interfaces
- Configuring IP ACLs at the Interface
- Testing and Verifying CBAC
- Summary
- Exam Essentials
- Key Terms
- Commands Used in This Chapter
- Written Lab
- Review Questions
- Hands-On Labs
- Lab 5.1: Configure Logging and Audit Trails
- Lab 5.2: Define and Apply Inspection Rules and ACLs
- Lab 5.3: Test and Verify CBAC
- Answers to Written Lab
- Answers to Review Questions
- Introduction to the Cisco IOS Firewall Authentication Proxy
- Configuring the AAA Server
- Configuring AAA
- Configuring the Authentication Proxy
- Testing and Verifying Your Configuration
- show Commands
- Clearing the Cache
- Introduction to the Cisco IOS Firewall IDS
- Initializing Cisco IOS Firewall IDS
- Configuring, Disabling, and Excluding Signatures
- Creating and Applying Audit Rules
- Setting Default Actions
- Creating an Audit Rule
- Applying the Audit Rule
- Verifying the Configuration
- Stopping the IOS Firewall IDS
- Summary
- Exam Essentials
- Key Terms
- Commands Used in This Chapter
- Written Lab
- Review Questions
- Hands-On Labs
- Lab 6.1: Enabling the IOS Firewall Authentication Proxy
- Lab 6.2: Enabling the IOS Firewall IDS
- Answers to Written Lab
- Answers to Review Questions
- What is a Virtual Private Network?
- Introduction to Cisco IOS IPSec
- IPSec Transforms
- IPSec Operation
- The Components of IPSec
- IPSec Encapsulation
- Internet Key Exchange (IKE)
- Summary
- Exam Essentials
- Key Terms
- Written Lab
- Review Questions
- Answers to Written Lab
- Answers to Review Questions
- Configuring Cisco IOS IPSec for Pre-Shared Keys Site-to-Site
- Preparing for IKE and IPSec
- Configuring IKE
- Configuring IPSec
- Testing and Verifying IPSec
- Configuring IPSec Manually
- Configuring IPSec for RSA-Encrypted Nonces
- Configuring Cisco IOS IPSec Certificate Authority Support Site-to-Site
- Configuring CA Support Tasks
- Preparing for IKE and IPSec
- Configuring CA Support
- Configuring IKE Using CA
- Configuring IPSec for CA
- Testing and Verifying IPSec for CA
- Summary
- Exam Essentials
- Key Terms
- Commands Used in This Chapter
- Written Lab
- Review Questions
- Hands-On Labs
- Lab 8.1: Configure IKE on Lab_A and Lab_B
- Lab 8.2: Configure IPSec on Lab_A and Lab_B
- Answers to Written Lab
- Answers to Review Questions
- Answers to Hands-On Labs
- Answer to Lab 8.1
- Answer to Lab 8.2
- Introduction to Cisco Easy VPN
- The Easy VPN Server
- Introduction to the Cisco VPN 3.5 Client
- Easy VPN Server Configuration Tasks
- Pre-Configuring the Cisco VPN 3.5 Client
- Summary
- Exam Essentials
- Key Terms
- Written Lab
- Review Questions
- Hands-On Lab
- Lab 9.1: Installing the Cisco VPN 3.5 Client Software on Windows
- Answers to Written Lab
- Answers to Review Questions
- Network Separation
- Three Ways through a PIX Firewall
- PIX Firewall Configuration Basics
- Configuring Interfaces
- Saving Your Configuration
- Configuring Access through the PIX Firewall
- Configuring Outbound Access
- Configuring Inbound Access
- Configuring Multiple Interfaces and AAA on the PIX Firewall
- Configuring Multiple Interfaces
- Implementing AAA on the PIX Firewall
- Configuring Advanced PIX Firewall Features
- Failover
- Outbound Access Control
- Logging
- SNMP Support
- Java Applet Blocking
- URL Filtering
- Password Recovery
- Glossary

310 Chapter 9 Cisco IOS Remote Access Using Cisco Easy VPN
Summary
You have to admit—this chapter really was easy and truly short. The Cisco Easy VPN solution can be deployed in various ways, and the new IOS features allow an IOS router to act as the Easy VPN Server and the VPN 3.5 Client to act as the Easy VPN Remote.
It is important to understand which features are supported and which features are not supported in the VPN 3.5 Client. For example, the Easy VPN Client supports 3DES, which is important, but it does not support DSS, Diffie-Hellman group 1 (DH1), and Authentication Header (AH).
It is important to understand the process of adding a connection to the VPN 3.5 Client, which was covered in detail in this chapter. If you have to, review the “Introduction to the Cisco VPN 3.5 Client” section until you really understand the process.
By truly understanding the process of adding a connection to the VPN 3.5 Client, you can then streamline the installation of the VPN Client, while ensuring that the ultimate control of your network remains where it should—in your trusty, capable hands!
Exam Essentials
Make sure to know the supported and unsupported IPSec features of the Easy VPN Server (see Table 9.1). DSS, DH group 1, and AH are not supported features.
Know which files are used for which functions when pre-configuring the VPN 3.5 Client. The oem.ini file is used to install without user prompts, the vpnclient.ini file is used to preconfigure global parameters, and the .pcf files are used to configure connections (one .pcf file per connection).
Know which devices can act as Easy VPN Servers and which devices can act as Easy VPN Remotes. The Easy VPN Server can be an IOS router, PIX Firewall, or VPN Concentrator. The Easy VPN Remote can be an IOS router, PIX Firewall, VPN 3002 Hardware Client, or VPN 3.5 Client Software.
Know the seven tasks for Easy VPN Server configuration. The seven Easy VPN Server configuration tasks are:
1. Enable policy lookup via AAA.
2. Define group policy for mode configuration push.
3. Apply mode configuration and Xauth to crypto maps.
4. Enable Reverse Route Injection (RRI) for the VPN Client (optional).
5. Enable IKE Dead Peer Detection (optional).
6. Configure RADIUS server support (optional).
7. Verify the Easy VPN Server.
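The seven tasks above map onto a small IOS configuration. The following is an added example, not the book's own lab or a Cisco reference configuration; the hostname-free list names (vpn-users, vpn-groups), the group name vpn-group, the pool, the interface, all IP addresses (documentation ranges), the sample user and every key are constructed for illustration and must be replaced in a real deployment. It uses 3DES with DH group 2 for IKE, since the chapter states that DH group 1, DSS, and AH are not supported by the client, and it keeps user and group policy in the local database so that the optional RADIUS step is shown as a commented alternative.

```cisco
! Task 1: enable policy lookup via AAA.
! vpn-users is the Xauth user list, vpn-groups is the group-policy list.
aaa new-model
aaa authentication login vpn-users local
aaa authorization network vpn-groups local
username alice secret Str0ngPassw0rd!
!
! Task 6 (optional): point both lists at RADIUS instead of the local database.
! radius-server host 10.1.1.20 key RadiusSharedKey
! aaa authentication login vpn-users group radius
! aaa authorization network vpn-groups group radius
!
! Address pool handed to clients by mode configuration.
ip local pool vpn-pool 10.20.30.10 10.20.30.100
!
! IKE phase 1 policy: 3DES, SHA, pre-shared group key, DH group 2 (DH1 is unsupported).
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
!
! Task 2: group policy that mode configuration pushes to the VPN 3.5 Client.
! The key is the group pre-shared key; users still authenticate individually via Xauth.
crypto isakmp client configuration group vpn-group
 key GroupPreSharedKey
 dns 10.1.1.10
 domain example.com
 pool vpn-pool
!
! Task 5 (optional): IKE Dead Peer Detection, keepalive every 10 s, retry every 3 s,
! so that a client that silently drops off has its SA torn down instead of lingering.
crypto isakmp keepalive 10 3
!
! ESP only (AH is not supported by the client); tunnel mode is the default.
crypto ipsec transform-set easy-set esp-3des esp-sha-hmac
!
! Task 4 (optional): Reverse Route Injection installs a static route for each
! connected client's pool address so that internal routers can reach it.
crypto dynamic-map vpn-dyn 10
 set transform-set easy-set
 reverse-route
!
! Task 3: apply Xauth and mode configuration to the crypto map, then bind the
! dynamic map so that clients with unknown source addresses can negotiate.
crypto map vpn-map client authentication list vpn-users
crypto map vpn-map isakmp authorization list vpn-groups
crypto map vpn-map client configuration address respond
crypto map vpn-map 10 ipsec-isakmp dynamic vpn-dyn
!
interface FastEthernet0/0
 description Internet-facing interface (constructed address)
 ip address 192.0.2.1 255.255.255.0
 crypto map vpn-map
!
! Task 7: verify. Phase 1 SAs should show QM_IDLE once a client has connected,
! and the IPSec SA for the client should show encrypted/decrypted packet counters.
! show crypto isakmp sa
! show crypto ipsec sa
! show crypto map
```

With this configuration, `show crypto map` confirms that the client authentication and ISAKMP authorization lists are attached to vpn-map, and `show ip route` after a client connects shows the RRI-injected static route for the assigned pool address; if the route is missing, the dynamic map was bound without `reverse-route`.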
Copyright ©2003 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501. |
www.sybex.com |

Key Terms
Before you take the exam, be certain you are familiar with the following terms:
- Cisco VPN 3.5 Client
- Easy VPN Remote
- Easy VPN Server
- IKE Dead Peer Detection (DPD)
- initial contact
- oem.ini
- .pcf
Written Lab
This section asks you 10 write-in-the-answer questions to help you understand the technology that you need to know in order to pass the SECUR exam.
1. List the two Diffie-Hellman groups supported by the Cisco Easy VPN.
2. Which file do you modify to remove user prompts when installing the Cisco VPN 3.5 Client?
3. List the encryption algorithms supported by the Cisco Easy VPN Server.
4. List the devices that can be an Easy VPN Server.
5. Which IPSec protocol mode is supported by the Cisco Easy VPN Server?
6. Which files do you modify to pre-configure connections when installing the Cisco VPN 3.5 Client?
7. List the IPSec protocol identifiers supported by the Cisco Easy VPN Server.
8. Which IPSec protocol mode is not supported by the Cisco Easy VPN Server?
9. Which operating systems are supported by the Cisco VPN 3.5 Client Software?
10. List the IPSec protocol identifiers not supported by the Cisco Easy VPN Server.
Review Questions
1. Which IPSec authentication types are supported by the Cisco Easy VPN Server? (Choose all that apply.)
A. Pre-shared keys
B. RSA digital signatures
C. DSS
D. DES
E. 3DES
2. Which IOS is the minimum required in order to run the IOS Easy VPN Server?
A. 11.3(18)T
B. 12.1(8)T
C. 12.2(8)T
D. 12.2(12)T
3. Which of the following are supported by the Cisco Easy VPN server? (Choose all that apply.)
A. Authentication using DSS
B. DH1
C. DH2
D. Manual keys
E. Perfect forward secrecy (PFS)
F. DH5
4. Which of the following can be used as a Cisco Easy VPN Server? (Choose all that apply.)
A. VPN 3.5 Client Software
B. IOS router
C. PIX Firewall
D. Cisco VPN Concentrator
E. All of the above
5. Which types of IPSec encryption algorithms are supported by the Cisco Easy VPN? (Choose all that apply.)
A. NULL
B. ESP
C. DES
D. 3DES
E. HMAC-MD5
6. You want your remote users to send their Internet requests directly to the Internet and not through the VPN tunnel. Which of the following features enables this?
A. Xauth version 6
B. DPD
C. Split Tunneling
D. Initial contact
7. Suppose that you are going to pre-configure the Cisco VPN 3.5 Client, and you want to remove all user prompts and force the PC to reboot when the installation is finished. Which of the following files would you modify?
A. setup.exe
B. oem.ini
C. vpnclient.ini
D. *.pcf
8. Which of the following is the first task you need to perform when configuring the Easy VPN Server?
A. Verify Easy VPN Server.
B. Configure RADIUS server support (optional).
C. Apply mode configuration and Xauth to crypto maps.
D. Enable Reverse Route Injection for the VPN Client (optional).
E. Enable policy lookup via AAA.
F. Define group policy for mode configuration push.
G. Enable IKE Dead Peer Detection (optional).
9. Which of the following DH groups are supported by the Cisco Easy VPN Server? (Choose all that apply.)
A. DH1
B. DH2
C. DH3
D. DH4
E. DH5
F. DH6
10. Suppose that you are going to pre-configure the Cisco VPN 3.5 Client, and you want to add preconfigured connections to the pull-down menu. Which of the following files would you modify?
A. setup.exe
B. oem.ini
C. vpnclient.ini
D. *.pcf
11. Which IPSec protocol modes are supported by the Cisco Easy VPN Server?
A. Tunnel mode
B. Transport mode
C. Both A and B
D. Neither A nor B
12. When users get disconnected and then attempt to reconnect, they are denied because they have existing connections. Which of the following solves this problem?
A. Xauth version 6
B. DPD
C. Split Tunneling
D. Initial contact
13. Suppose that you are going to pre-configure the Cisco VPN 3.5 Client, and you want to preconfigure global profiles. Which of the following files would you modify?
A. setup.exe
B. oem.ini
C. vpnclient.ini
D. *.pcf
14. Which of the following DH groups is not supported by the Cisco Easy VPN Server?
A. DH1
B. DH2
C. DH3
D. DH4
E. DH5
F. DH6
15. Which of the following can be used as a Cisco Easy VPN Remote?
A. VPN 3.5 Client Software
B. IOS router
C. PIX Firewall
D. Cisco VPN 3002 Hardware Client
E. All of the above
16. Which operating systems are supported by the Cisco VPN 3.5 Client Software? (Choose all that apply.)
A. HP-UX
B. OS2
C. Linux (Intel)
D. Mac OS X
E. Palm OS
F. Windows
G. Solaris (Ultra-Sparc 32-bit)
17. Suppose that you are going to pre-configure the Cisco VPN 3.5 Client, and you have already configured the files you want to use for the pre-configuration. Which directory do you place them in for the install?
A. /etc
B. /windows/system
C. The same directory as the setup.exe for the VPN 3.5 Client
D. /windows/bin
18. Which of the following DH groups are supported by the Cisco VPN 3.5 Client? (Choose all that apply.)
A. DH1
B. DH2
C. DH3
D. DH4
E. DH5
F. DH6
19. You have devices that lose connection, but their connections never seem to get cleaned up. Which of the following will help solve this problem?
A. Xauth version 6
B. DPD
C. Split Tunneling
D. Initial contact
20. Which IPSec protocol identifiers are supported by the Cisco Easy VPN Server? (Choose all that apply.)
A. DH2
B. DES
C. ESP
D. IPCOMP-LZS
E. IPSEC AH