chpt_04.fm Page 125 Friday, April 4, 2003 9:19 AM

CHAPTER 4
Configuring Cisco VPN 3000 for Remote Access Using Preshared Keys

From a procedural perspective, it is easier to configure the Cisco VPN 3000 Concentrator Series for remote access using preshared keys. The alternative method, using the services of a Certificate Authority (CA), entails additional steps. With preshared keys, the client only needs to know the address of the VPN concentrator and the shared secret key.
“Do I Know This Already?” Quiz

The answers to this quiz are listed in Appendix A, “Answers to the ‘Do I Know This Already?’ Quizzes and Q&A Sections.” The suggestions for your next steps, based on quiz results, are as follows:
• 2 or less score on any quizlet—Review the appropriate parts of the “Foundation Topics” section of this chapter, based on Table 4-1.

Foundation Topics

Using VPNs for Remote Access with Preshared Keys

9 Overview of remote access using preshared keys

For site-to-site VPN connections, peer devices must authenticate one another before IPSec communications can occur.

While this type of preshared key is the most secure of the three types, it is not practical for remote access applications, where users are typically connecting through a commercial Internet service provider (ISP).
VPN Concentrator Configuration

Cisco VPN 3000 Concentrator Configuration Requirements

Figure 4-2 shows a typical VPN concentrator configuration using a Cisco VPN 3005 Concentrator. The Public interface connects to the Internet through a security device such as a firewall or border router (not shown in this diagram).

The following is a list of the data values you need to obtain to completely configure your Cisco VPN 3000 Series Concentrator:
• Private interface IP address, subnet mask, speed, and duplex mode.
• (Optional) IP address or host name of your DHCP server, if your concentrator will be using DHCP to assign addresses to remote users.

The Quick Configuration can be accomplished from the CLI, but the HTML version of the concentrator manager provides a more intuitive tool for performing the essential configuration of the concentrator. The Quick Configuration steps are as follows:
Step 1 CLI: Set the system time, date, and time zone.

Once you have entered the correct login name and password, the concentrator displays a welcome screen, as shown in Example 4-1.

Example 4-1 Quick Configuration Welcome Screen
Welcome to
Cisco Systems
VPN 3000 Concentrator Series
Command Line Interface
Copyright (C) 1998-2001 Cisco Systems, Inc.
-- : Set the time on your device.

Example 4-2 Setting the System Time and Date (Continued)
-----
  0 : GMT         +4 : Abu Dhabi    +8 : Singapore    +12 : Marshall Is.
 +1 : Paris       +5 : Karachi      +9 : Tokyo
 +2 : Cairo       +6 : Almaty      +10 : Sydney
 +3 : Kuwait      +7 : Bangkok     +11 : Solomon Is.
Example 4-4 Saving Configuration Settings and Exiting the CLI (Continued)
2) Modify Ethernet 2 IP Address (Public)
3) Save changes to Config file
4) Continue
5) Exit
Quick -> 5

The concentrator only presents the Quick Configuration process upon initial bootup using the default configuration.

Figure 4-3 HTTP Addressing for VPN 3000 Concentrator Series Manager

The browser connects to the VPN concentrator and presents the initial login screen, as shown in Figure 4-4.

Figure 4-4 VPN 3000 Concentrator Series Manager Login Screen

Notice the hotlink option on the screen labeled Install SSL Certificate. Clicking the Install SSL Certificate hotlink takes you to the browser’s certificate installation wizard. Netscape and Microsoft browsers have slightly different installation routines, but in either case, accept the default settings presented, supply a nickname for the certificate if requested, and continue through the installation process by clicking Next or Finish.

The top portion of the screen is the application toolbar, and it is displayed on every other manager screen. Because this is a consistent header, it is not shown in subsequent screen displays.

Figure 4-6 3005 Concentrator—Configuration | Quick | IP Interfaces

Figure 4-7 shows the IP Interfaces screen for the Model 3015–3080 VPN Concentrator. This system has two unconfigured Ethernet interfaces and two unconfigured WAN interfaces. The listings in the Interface column are hotlinks to the configuration screen for each of the interfaces.

Figure 4-8 Configuration | Quick | IP Interfaces | Ethernet 1

NOTE If you disable the Private interface, you lose your browser connection to the concentrator.

The Speed and Duplex settings were configured from the CLI in this example. The default settings for these two fields are 10/100 Auto and Auto, respectively, allowing the systems to negotiate speed and duplex mode.
Figure 4-9 Configuration | Quick | System Info

Configuring the Tunneling Protocol

Clicking the Continue button takes you to the Protocols screen, as shown in Figure 4-10. You can select all protocols, if you like. The configuration described in this chapter works with IPSec only, so that is the only protocol selected on this screen.

Figure 4-11 Configuration | Quick | Address Assignment

Configuring User Authentication Method

Next, you determine how users connecting over the VPN tunnel are to be authenticated. Figure 4-12 shows the selection screen. Users can be authenticated from RADIUS servers, NT Domain controllers, external SDI servers, and the concentrator’s internal server.

Figure 4-13 Configuration | Quick | User Database

There is a maximum combined number of groups and users that you can configure on a VPN 3000 Concentrator. The number varies by concentrator model, as shown in Table 4-2.

Figure 4-14 Configuration | Quick | IPSec Group

Configuring the Admin Password

The final setting that you should configure during the Quick Configuration is the password for the admin user. Figure 4-15 shows the Quick Configuration screen for completing this task and displays the message that strongly recommends changing the admin password.

Figure 4-16 Configuration | Quick | Done

Notice the Save Needed icon in the upper-right corner of the main screen. Click that icon to save the active configuration changes you have made to the boot configuration. As you continue with additional configuration steps, this icon appears from time to time.

The plus sign indicates that the indicated function has subfunctions. Clicking the plus sign displays an indented list of the subfunctions, and clicking the option takes you to the window for that function.
Figure 4-18 IPSec Configuration

The interfaces have already been configured using the Quick Configuration option. If you chose to use internal authentication, the Quick Configuration wizard asked you to enter usernames and passwords and then requested a group name to use for IPSec traffic. Recall from previous chapters that there is a hierarchy to the way groups are used on the Cisco VPN 3000 Concentrator.

Because the Base Group had not been modified before Quick Configuration set up the new group for IPSec use, that new group has default settings that it inherited from the Base Group. Additionally, all the users that you created were placed in this single group. That might be adequate for your organization.

Modify Groups—Identity Tab

To modify the group, click the group to highlight it, and then click the Modify Group button. Figure 4-20 shows the Modify screen for an internal group. Internal groups have multiple tabs; external groups have only the Identity tab. The information in this screen should match the data you entered during Quick Configuration. If not, you can correct it here.

• Maximum Connect Time—0 disables maximum connect time. The range here is again 1 minute to over 4000 years.
• Filter—Filters determine whether IPSec traffic is permitted or denied for this group. There are three default filters: Public, Private, and External. You can select one of those, or any other filter that you have defined, from the drop-down box.

Modify Groups—IPSec Tab

Clicking the IPSec tab brings up the screen shown in Figure 4-22. The attributes on this screen are as follows:
• IPSec SA—For remote access clients, you must select an IPSec Security Association (SA) from this list of available combinations. If you have created additional SA types, those are also displayed here as selection options.
• IKE Keepalives—Monitors the continued presence of a remote peer and notifies the remote peer that the concentrator is still active. If a peer no longer responds to the keepalives, the concentrator drops the connection, preventing hung connections that could clutter the concentrator.
• Tunnel Type—You can select either LAN-to-LAN or Remote Access as the tunnel type.
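As an added illustration of how the Maximum Connect Time and idle timeout attributes on the Identity tab and the IKE Keepalives attribute on the IPSec tab interact, the following Python model evaluates a session against a group's timer settings. This is example code written for this edition, not Cisco's implementation and not taken from the chapter. The specific timer values, the keepalive interval and retry count, and the ceiling of 2,147,483,647 minutes (a little over 4000 years, consistent with the range the chapter quotes) are assumptions.

```python
"""Model of the group timers from the Identity and IPSec tabs.

Added example, not Cisco's code. Idle Timeout and Maximum Connect Time are
minute-valued and 0 disables them; IKE Keepalives is a checkbox. The keepalive
interval, the retry count and the 2^31-1 minute ceiling are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Optional

# Assumed ceiling for the minute timers: 2^31-1 minutes is a little over
# 4000 years, which matches the range the chapter quotes.
MAX_MINUTES = 2_147_483_647


@dataclass(frozen=True)
class GroupTimers:
    idle_timeout_min: int        # 0 disables the idle timeout
    max_connect_min: int         # 0 disables the maximum connect time
    ike_keepalives: bool         # the IKE Keepalives checkbox on the IPSec tab
    keepalive_interval_s: int    # assumed: seconds between probes to a silent peer
    keepalive_retries: int       # assumed: unanswered probes tolerated before dropping

    def __post_init__(self) -> None:
        for name in ("idle_timeout_min", "max_connect_min"):
            value = getattr(self, name)
            if not 0 <= value <= MAX_MINUTES:
                raise ValueError(f"{name}: 0 (disabled) or 1..{MAX_MINUTES} minutes")
        if self.keepalive_interval_s <= 0 or self.keepalive_retries < 0:
            raise ValueError("keepalive interval must be positive, retries non-negative")


@dataclass
class Session:
    established_at: float      # seconds; when the IPSec tunnel came up
    last_traffic_at: float     # last data packet seen from the peer
    last_peer_reply_at: float  # last time the peer answered anything at all


def drop_reason(timers: GroupTimers, s: Session, now: float) -> Optional[str]:
    """Why the concentrator would tear the session down now, or None to keep it."""
    if timers.max_connect_min and now - s.established_at >= timers.max_connect_min * 60:
        return "max-connect-time"
    if timers.idle_timeout_min and now - s.last_traffic_at >= timers.idle_timeout_min * 60:
        return "idle-timeout"
    if timers.ike_keepalives:
        # A peer that has answered nothing for one interval plus every allowed
        # retry is treated as gone; the tunnel is dropped instead of left hung.
        allowed_silence = timers.keepalive_interval_s * (timers.keepalive_retries + 1)
        if now - s.last_peer_reply_at >= allowed_silence:
            return "peer-dead"
    return None


def sweep(timers: GroupTimers, sessions: Dict[str, Session], now: float) -> Dict[str, str]:
    """Evaluate every active session; returns {session_name: reason} for the drops."""
    result = {}
    for name, sess in sessions.items():
        reason = drop_reason(timers, sess, now)
        if reason is not None:
            result[name] = reason
    return result


if __name__ == "__main__":
    # Constructed sample: three sessions under one group's settings.
    t = GroupTimers(idle_timeout_min=30, max_connect_min=480,
                    ike_keepalives=True, keepalive_interval_s=10, keepalive_retries=3)
    active = {
        "alice": Session(established_at=0, last_traffic_at=3590, last_peer_reply_at=3595),
        "bob":   Session(established_at=0, last_traffic_at=1500, last_peer_reply_at=3595),
        "carol": Session(established_at=0, last_traffic_at=3500, last_peer_reply_at=3500),
    }
    print(sweep(t, active, now=3600.0))  # {'bob': 'idle-timeout', 'carol': 'peer-dead'}
```

The ordering in drop_reason matters: a session that has outlived its maximum connect time is reported as such even if it is also idle, and keepalive detection only runs when the checkbox is on, which is why a silent peer under a group with keepalives disabled lingers until the idle timeout catches it.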
Figure 4-22 Configuration | User Management | Groups | Modify > IPSec

Modify Groups—Client Config Tab

The Client Config tab screen is shown in Figure 4-23. Configuration of the attributes on this screen is only necessary if you selected Mode Configuration on the IPSec tab screen.

• IPSec Backup Servers—This attribute is used on Cisco VPN 3002 Hardware Clients and is not required for remote access users.
• Intercept DHCP Configure Message—Enable DHCP intercept to permit Microsoft Windows XP clients to perform split tunneling with the VPN concentrator.
That is all that you need to configure on the VPN concentrator. Click the Modify button to save your work to the active configuration and return to the Groups screen shown in Figure 4-19. Be sure to click the Save Needed icon to save your configuration changes to the boot configuration.

• Firewall—Select the firewall that members of the group are to use. The available options are as follows:
  — Cisco Integrated Client Firewall—The stateful firewall built into the VPN Client.
  — Network ICE BlackICE Defender—The Network ICE BlackICE Agent or Defender personal firewall.
  — Zone Labs ZoneAlarm—The Zone Labs ZoneAlarm personal firewall.
  — Zone Labs ZoneAlarm Pro—The Zone Labs ZoneAlarm Pro personal firewall.
• Firewall Policy—You can select from three different methods for administering the firewall policy for your VPN Client systems. Those methods are as follows:
  — Policy Defined by Remote Firewall (AYT)—The user of the VPN Client system has established firewall policy settings for a personalized firewall that runs on the user’s system.

Figure 4-24 Configuration | User Management | Groups | Modify > Client FW

When you configure the VPN 3002 Hardware Client for the IPSec tunneling protocol, you enter the IPSec group name and password that you configured on the VPN concentrator onto the Configuration | System | Tunneling Protocols | IPSec screen of the VPN 3002 Hardware Client.

• Require Individual User Authentication—You can also require all other users connected to the VPN 3002 Hardware Client to authenticate before using the IPSec tunnel by checking this attribute box. Each user is prompted for a username and password and is authenticated using whatever method the IPSec group requires.
enabling this capability. The default mode for this attribute is disabled, forcing the VPN concentrator to supply the address through one of the various means available to the concentrator.
• PPTP Authentication Protocols—During tunnel negotiation, prospective peers generally authenticate one another through some mechanism.
  — 40-bit—Clients can use the RSA RC4 encryption algorithm using a 40-bit key when this option is checked.
  — 128-bit—Clients can use the RSA RC4 encryption algorithm using a 128-bit key when this option is checked.

Advanced Configuration of the VPN Concentrator

The previous sections of this chapter looked at a small part of the Configuration portion of the VPN Manager. There is much more to the Manager than installing groups, users, or system identification. This section looks at the other aspects of the Configuration portion of the VPN Manager.

• NTP Servers—Network Time Protocol to ensure that all systems use the same time for ease of synchronizing log entries
• Internal Authentication—Used for user authentication

Configuration | System | Address Management

When an IPSec tunnel is established between a VPN concentrator and client, a new set of IP addresses is required to identify the endpoints of the tunnel.

• Redundancy—Virtual Router Redundancy Protocol parameters
• Reverse Route Injection—Reverse Route Injection global parameters

Routing Information Protocol (RIP) and interface-specific OSPF parameters are configured on the network interfaces. You access the interfaces to make those configurations through the Configuration | Interfaces screen.
Configuration | User Management

Configuration | User Management is the section that you used in the “Configuring IPSec with Preshared Keys Through the VPN 3000 Concentrator Series Manager” section of this chapter to configure the group for remote access with preshared keys.

Installing and Configuring the VPN Client

14 Configuring the IPSec Windows Client

The Cisco VPN Client is packaged with every VPN concentrator sold by Cisco. The VPN Client can be installed on several different operating systems, including Linux, Sun Solaris, Apple Mac OS X, and Microsoft Windows. This section looks at the Microsoft Windows version of the VPN Client.

• Uninstall VPN Client—Uninstall the application. You can choose to retain connection and certificate information.
• VPN Dialer—Manage connection information and start a connection with a VPN host device. This poorly named function is the main functional area of the VPN Client. You can use the VPN Client with dial-up, ISDN, cable, or DSL modems as well as with direct LAN connections.
• Encryption algorithms:
  — 56-bit DES
  — 168-bit Triple-DES
• Extended Authentication (XAUTH)
• Mode Configuration (also known as ISAKMP Configuration Method)
• Tunnel Encapsulation Mode
• IP compression (IPCOMP) using LZS

VPN Client Installation

Installing the VPN Client is a simple task. System requirements call for 10 MB of hard drive space and up to 64 MB of RAM for Windows 2000 systems.

The Welcome screen appears, as shown in Figure 4-29. Click Next to continue.

Figure 4-29 VPN Client Install Setup Welcome

Figure 4-30 shows the next screen to be displayed, the license agreement screen. Scroll down through the agreement, and then click Yes to continue if you agree to the terms of the license agreement.

The file location screen is displayed, as shown in Figure 4-31. To accept the default location, click Next. Otherwise, click Browse to select the folder where the installation wizard is to install the client application.

Figure 4-31 VPN Client Install File Location

The next screen to be displayed, shown in Figure 4-32, asks you to select the Windows folder for the application.

The installation wizard then copies the files from the CD to your system, as shown in Figure 4-33. This portion of the installation takes less than a minute.

Figure 4-33 Cisco VPN Client Installation

The installation wizard then updates the Windows Registry settings. While it does this, the wizard presents the message shown in Figure 4-34.

Figure 4-35 VPN Client Installation Complete

VPN Client Configuration

The configuration process is almost as easy as the installation process. The user must enter several pieces of information. Your installation instructions should provide all the entries that your users must make. To start the configuration process, start the VPN Client application.

Figure 4-37 Connection Entry Screen

The first screen of the creation process is shown in Figure 4-38. On this screen, you identify the connection by supplying a name and a brief description. The screen is initially blank. The name CorpConnect and the description Connection to the Corporate Network via VPN were added to describe the connection.

VPN 3000 Concentrator Series Manager” section of this chapter. Enter either the IP address of the device or the fully qualified domain name (FQDN), if you know it. The public IP address of the VPN concentrator is required, so enter 172.16.1.3 to reach the concentrator you configured earlier. Click Next after you have identified the host server.

The group name that you established earlier was vpngroup02. Enter that in the Name field and the associated password into the Password and Confirm Password fields. The password for the IPSec group is the preshared key for the IPSec connection authentication. Click Next to continue. That’s all there is to it.
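To make the last point concrete, here is an added Python model (not Cisco's code and not taken from the chapter) of why the group password is the preshared key. It follows the preshared-key form of IKEv1 Phase 1 authentication from RFC 2409, which the chapter does not cite: SKEYID = prf(pre-shared-key, Ni_b | Nr_b) and HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b), with HMAC-SHA1 as the prf. The Diffie-Hellman values, cookies and SA payload are stand-in byte strings, the group lookup is a plain dictionary standing in for the concentrator's internal database, and the vpngroup02 password is a constructed sample; the real wire format is not reproduced.

```python
"""Why the IPSec group password is the preshared key.

Added example, not Cisco's code. Models the preshared-key variant of IKEv1
Phase 1 authentication (RFC 2409): both peers derive SKEYID from the PSK and
the exchanged nonces, then prove knowledge of it through HASH_I / HASH_R.
The DH public values, cookies and SA payload are stand-in bytes; the group
database is a dictionary; the password is a constructed sample.
"""
import hashlib
import hmac
import os
from typing import Callable, Dict, Optional


def prf(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA1, one of the prf choices IKEv1 can negotiate."""
    return hmac.new(key, data, hashlib.sha1).digest()


def skeyid_psk(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    """RFC 2409 section 5.4: SKEYID = prf(pre-shared-key, Ni_b | Nr_b)."""
    return prf(psk, ni + nr)


def hash_i(skeyid: bytes, gxi: bytes, gxr: bytes, cky_i: bytes, cky_r: bytes,
           sai_b: bytes, idii_b: bytes) -> bytes:
    """RFC 2409 section 5: HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)."""
    return prf(skeyid, gxi + gxr + cky_i + cky_r + sai_b + idii_b)


class ConcentratorGroups:
    """Stand-in for the concentrator's internal group database (assumed shape)."""

    def __init__(self, groups: Dict[str, str]) -> None:
        self._psk = {name: password.encode() for name, password in groups.items()}

    def psk_for(self, group_name: str) -> Optional[bytes]:
        return self._psk.get(group_name)


def phase1_authenticates(conc: ConcentratorGroups, group_name: str,
                         client_password: str,
                         rng: Callable[[int], bytes] = os.urandom) -> bool:
    """Does the concentrator accept the client's Phase 1 authentication?"""
    # Values both sides see on the wire during the exchange (constructed here).
    ni, nr = rng(16), rng(16)          # initiator / responder nonces
    cky_i, cky_r = rng(8), rng(8)      # ISAKMP cookies
    gxi, gxr = rng(32), rng(32)        # stand-ins for the DH public values
    sai_b = b"\x00" * 8                # stand-in for the initiator's SA payload
    idii_b = group_name.encode()       # the client identifies itself by group name

    # Client side: its seed comes from the password typed into the connection entry.
    client_skeyid = skeyid_psk(client_password.encode(), ni, nr)
    sent_hash_i = hash_i(client_skeyid, gxi, gxr, cky_i, cky_r, sai_b, idii_b)

    # Concentrator side: looks the group up and recomputes HASH_I with its own PSK.
    psk = conc.psk_for(group_name)
    if psk is None:
        return False                   # unknown group: nothing to authenticate against
    expected = hash_i(skeyid_psk(psk, ni, nr), gxi, gxr, cky_i, cky_r, sai_b, idii_b)
    # The PSK itself never crosses the wire; only the keyed hashes are compared.
    return hmac.compare_digest(sent_hash_i, expected)


if __name__ == "__main__":
    groups = ConcentratorGroups({"vpngroup02": "sample-group-password"})  # constructed
    print(phase1_authenticates(groups, "vpngroup02", "sample-group-password"))  # True
    print(phase1_authenticates(groups, "vpngroup02", "typo-in-password"))       # False
```

The model shows what the Password and Confirm Password fields actually feed: a keyed hash on each side, which only agree when the client's entry matches the password stored for that group name on the concentrator. A typo in the connection entry therefore fails at Phase 1, before the username and password prompt of Extended Authentication is ever reached.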
Figure 4-42 Using the New VPN Connection

To connect to the VPN 3000 Concentrator, simply click the Connect button. The client attempts to negotiate IKE and IPSec SAs with the concentrator. If that is successful, the IPSec tunnel is created and the client prompts you for your username and password.

Foundation Summary

The Foundation Summary is a collection of tables and figures that provides a convenient review of many key concepts in this chapter. For those of you already comfortable with the topics in this chapter, this summary could help you recall a few details. For those of you who just read this chapter, this review should help solidify some key facts.

VPN 3000 Concentrator Browser-Based Manager Quick Configuration Steps

The steps to the VPN 3000 Concentrator browser-based Manager Quick Configuration are as follows:
Step 1 Ping the VPN concentrator from the administrator PC to verify connectivity.
Step 2 Start the web browser.

VPN Client Installation Steps

Step 4 Click Yes to permit disabling IPSec Policy Agent (if asked).
Step 5 Click Next on the Welcome screen.
Step 6 Read and accept the license agreement.
Step 7 Click Next to accept the default file location.
Step 8 Click Next to accept the default application location.
Step 9 Select the reboot option (now or later) and click Finish.

Limits for Number of Groups and Users

Table 4-4 shows the maximum number of groups and users.

Table 4-4 Maximum Combined Groups and Users per VPN Model
Model   Maximum Combined Number of Groups and Users
3005    100
3015    100
3030    500
3060    1000
3080    1000

Complete Configuration Table of Contents

Table 4-5 shows the complete configuration table of contents (TOC).
Table 4-5 Complete Expansion of the Configuration TOC (Continued)
Configuration (Continued)
  > Policy Management (Continued)
    > Traffic Management (Continued)
      > Filters
      > NAT

Complete Administration Table of Contents

Table 4-6 shows the complete administration table of contents (TOC).

Table 4-6 Complete Expansion of the Administration TOC (Continued)
Administration (Continued)
  > Certificate Management
    > Enrollment
    > Installation

Complete Monitoring Table of Contents

Table 4-7 shows the complete monitoring table of contents (TOC).
Chapter Glossary

The following terms were introduced in this chapter or have special significance to the topics within this chapter.

cookie A piece of information sent by a web server to a web browser that the browser is expected to save and send back to the web server whenever the browser makes additional requests of the web server.

Extensible Markup Language (XML) A standard maintained by the World Wide Web Consortium (W3C).

Q&A

As mentioned in Chapter 1, “All About the Cisco Certified Security Professional,” these questions are more difficult than what you should experience on the CCSP exam. The questions do not attempt to cover more breadth or depth than the exam; however, the questions are designed to make sure you know the answer.
23 You would like to be able to pass DNS and WINS information from the VPN concentrator to the VPN Client.

29 When you boot up a Cisco VPN 3000 Concentrator with the default factory configuration, what happens?

30 If you supply an address of 144.50.30.24 and want to use a 24-bit subnet mask for the Private interface on a VPN concentrator, are you able to accept the default subnet mask offered by the VPN Manager?

31 What are the three major sections of the VPN Manager system?

32 The Quick Configuration system has displayed the System Info screen.
Scenarios

The following scenarios and questions are designed to draw together the content of the chapter and exercise your understanding of the concepts. There might be more than one correct answer. The thought process and practice in manipulating each concept in the scenario are the goals of this section.

Scenario 4-2

Your company sells donuts and has 60 shops located in a three-state area. These shops are each connected to the Internet using DSL circuits. You want to establish IPSec VPN connections from each shop through the Internet to the corporate network for sending/receiving e-mail, reporting sales, and ordering supplies.
Scenario Answers

The answers provided in this section are not necessarily the only correct answers. They merely represent one possibility for each scenario. The intention is to test your base knowledge and understanding of the concepts discussed in this chapter. Should your answers be different (as they likely will be), consider the differences.

Scenario 4-2 Answers

9 Unlimited access? This would be a group-by-group decision. Does the R&D team work around the clock or just during business hours? Do you need to set aside a regular maintenance window for network upgrades? Do the execs need unlimited access?

10 Idle timeout and maximum connect time? You probably want to drop connections after they have been idle for 20 to 30 minutes.