210 Chapter 4: Configuring Cisco VPN 3000 for Remote Access Using Preshared Keys
Scenario Answers
The answers provided in this section are not necessarily the only correct answers. They merely
represent one possibility for each scenario. The intention is to test your base knowledge and
understanding of the concepts discussed in this chapter.
Should your answers be different (as they likely will be), consider the differences. Are your
answers in line with the concepts of the answers provided and explained here? If not, reread the
chapter, focusing on the sections that are related to the problem scenario.
Scenario 4-1 Answers
1 Concentrator model? The Cisco VPN 3005 Concentrator is probably adequate for this installation. If your company were growing quickly, you might opt for the 3015. It has about the same capabilities but is expandable, all the way to a 3080, if you ever needed the additional capacity.
2 Type of device authentication? Because this is a chapter on preshared keys, you would opt to use preshared keys. For this small user base, the maintenance for preshared keys should not be a big concern.
3 Authentication? Internal authentication was one of the reasons for choosing the concentrator over the router. The internal database keeps authentication on the same device and is flexible enough to meet the needs of this application.
4 Address assignment? Set aside a pool of 100 IP addresses and let the VPN concentrator assign the IP addresses from the pool. You could use DHCP, but that brings another network device into the picture. Keep it simple.
5 Split tunneling? Yes. The R&D group is going to need the Internet for research and the 56-kbps modems are going to be killers. Eliminate the need for encryption on trivial traffic to help this group out.
6 Multiple IPSec groups? It would make sense to use multiple IPSec groups. Some of your users might not need split tunneling, and you could use different rules for access time, idle timeout, or maximum connect times. You might want to set up functional groups such as R&D, Sales, Engineering, Accounting, Execs, and so on. You are only constrained by the 100 combined users and groups limitation on the concentrator.
7 IPSec protocol? ESP. AH is authentication only with no encryption. You would want to encrypt some of these data, especially for the R&D group.
8 Encryption? Probably Triple-DES. You could choose DES, but the extra security does not cost that much more in performance.
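The following is an added illustration, not Cisco code and not part of the book's answer key. It models two of the decisions above in plain Python so their interactions can be exercised: the concentrator-assigned address pool from answer 4 (100 addresses, reclaimed on disconnect, exhaustion handled) and the per-group policies from answer 6 (split tunneling, access hours, idle and maximum connect timeouts), enforced under the 100 combined users-and-groups limit from the same answer. All class names, field names and the 10.10.100.0/24 sample range are assumptions made for the example.

```python
"""Toy model of a remote-access concentrator's address pool and IPSec group
policies, as described in Scenario 4-1. Added illustration; names, fields and
the sample address range are assumptions, not the VPN 3000's own configuration."""
from dataclasses import dataclass
from datetime import time
import ipaddress

MAX_USERS_AND_GROUPS = 100   # combined users + groups limit quoted in answer 6


@dataclass
class GroupPolicy:
    """Per-group rules; the timeout values are illustrative defaults (assumed)."""
    name: str
    split_tunneling: bool
    access_start: time = time(0, 0)     # window in which logins are accepted
    access_end: time = time(23, 59)
    idle_timeout_min: int = 30
    max_connect_min: int = 480

    def login_allowed(self, when: time) -> bool:
        return self.access_start <= when <= self.access_end


class AddressPool:
    """Hands out addresses from a fixed range (answer 4) and reclaims them on
    disconnect; returns None once the pool is exhausted."""

    def __init__(self, first: str, last: str):
        lo, hi = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
        self._free = [str(ipaddress.ip_address(i)) for i in range(lo, hi + 1)]
        self._in_use = {}            # username -> leased address

    def size(self) -> int:
        return len(self._free) + len(self._in_use)

    def allocate(self, user: str):
        if user in self._in_use:     # a reconnecting user keeps its lease
            return self._in_use[user]
        if not self._free:
            return None
        addr = self._free.pop(0)
        self._in_use[user] = addr
        return addr

    def release(self, user: str):
        addr = self._in_use.pop(user, None)
        if addr is not None:
            self._free.append(addr)
        return addr


class Concentrator:
    """Holds groups and users and decides whether a login may proceed."""

    def __init__(self, pool: AddressPool):
        self.pool = pool
        self.groups = {}             # group name -> GroupPolicy
        self.users = {}              # username -> group name

    def _objects(self) -> int:
        return len(self.groups) + len(self.users)

    def add_group(self, policy: GroupPolicy) -> None:
        if self._objects() >= MAX_USERS_AND_GROUPS:
            raise ValueError("combined users-and-groups limit reached")
        self.groups[policy.name] = policy

    def add_user(self, name: str, group: str) -> None:
        if group not in self.groups:
            raise KeyError(f"unknown group {group}")
        if self._objects() >= MAX_USERS_AND_GROUPS:
            raise ValueError("combined users-and-groups limit reached")
        self.users[name] = group

    def connect(self, user: str, now: time):
        """Return (True, session dict) or (False, reason). Checks group access
        hours before touching the pool so a refused login never burns a lease."""
        group = self.users.get(user)
        if group is None:
            return False, "unknown user"
        policy = self.groups[group]
        if not policy.login_allowed(now):
            return False, "outside access hours"
        addr = self.pool.allocate(user)
        if addr is None:
            return False, "address pool exhausted"
        return True, {"address": addr, "group": group,
                      "split_tunneling": policy.split_tunneling,
                      "idle_timeout_min": policy.idle_timeout_min,
                      "max_connect_min": policy.max_connect_min}

    def disconnect(self, user: str):
        return self.pool.release(user)


def run_scenario():
    """Constructed walk-through: R&D gets split tunneling, Sales is limited to
    business hours, and the pool holds exactly 100 addresses (answer 4)."""
    box = Concentrator(AddressPool("10.10.100.1", "10.10.100.100"))
    box.add_group(GroupPolicy("R&D", split_tunneling=True))
    box.add_group(GroupPolicy("Sales", split_tunneling=False,
                              access_start=time(8, 0), access_end=time(18, 0)))
    box.add_user("alice", "R&D")
    box.add_user("bob", "Sales")
    return {
        "pool_size": box.pool.size(),
        "alice_night": box.connect("alice", time(22, 0)),
        "bob_night": box.connect("bob", time(22, 0)),
        "bob_day": box.connect("bob", time(9, 30)),
        "released": box.disconnect("alice"),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, value)
```

Running it shows the R&D user admitted at night with split tunneling on, the Sales user refused outside 08:00-18:00 without consuming an address, and the lease returned to the pool on disconnect. Shrinking the pool to a couple of addresses and connecting more users demonstrates the exhaustion path, and adding users past 100 objects in total trips the limit check.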
chpt_04.fm Page 210 Friday, April 4, 2003 9:19 AM