CCNP Security VPN FAQ: Configuring Cisco 3002 Hardware Client for Remote Access

Q1. What screen is used on the head-end concentrator to demand the use of preshared keys?

Answer: The Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN | Modify screen is used to demand preshared keys from a VPN 3000 Series Concentrator.

Q2. You need to allow the main office to use PC Anywhere to connect to three separate machines at the remote office over the VPN. What mode must you use?

Answer: You must use Network Extension mode because all the machines at the remote office will appear as a single IP address at the corporate office if you use Port Address Translation (PAT) mode.

Q3. You are using individual authentication in PAT mode. Your tunnel is established but the user cannot log in. What is the first item you should examine?

Answer: First, check if the username and password are correct. You know that PAT mode only connects when data is sent to the head-end. If the tunnel is up, but the user cannot connect, this is usually an issue caused by an incorrect password or username.

Q4. What are the disadvantages in a large network (over 100 users) of using individual authentication with the internal authentication server in a VPN 3005 Concentrator?

Answer: There are two main disadvantages to using individual authentication in a large network. The first issue is that each user must be individually assigned a username and password. This takes a large amount of time. The second issue is that an external authentication server must be used because the internal database on a VPN 3005 Concentrator only allows a maximum of 100 combined users and groups.

Q5. You are the second user to connect through a VPN 3002 Hardware Client for which interactive hardware client and individual user authentication have been configured. What authentication information will you be required to enter?

Answer: You will only be required to enter your individual username and password. The VPN tunnel would have already been established by the previous user who would have been required to enter the hardware client’s username and password, as well as the individual username and password.

Q6. You can use a static configuration for authenticating the VPN 3002 Hardware Client with the head-end concentrator. Why would you want to use interactive hardware client authentication?

Answer: Interactive hardware client authentication provides another layer of security to the system. The device authentication username and password are not stored on the VPN 3002 Hardware Client but are entered by the first user that brings up the VPN connection. The password can be quickly changed on the head-end device and communicated to the users connecting to the VPN 3002 Hardware Client. The head-end concentrator pushes the policies you set for authentication out to the VPN 3002 Hardware Client. You can also use both individual user and interactive hardware client authentication simultaneously.

Q7. Where is interactive hardware client authentication configured?

Answer: You configure interactive hardware client authentication on the head-end VPN 3000 Series Concentrator on the HW Client tab of the Configuration | User Management | Groups | Modify (or Add) screen.

Q8. What authentication method is used for interactive hardware client authentication?

Answer: The authentication method used is governed by the method you selected to use for the VPN group. You can use either internal or external authentication.

Q9. What must you configure on the VPN 3002 Hardware Client in order to use interactive hardware client authentication?

Answer: There are no special configuration steps required on the VPN 3002 Hardware Client to enable interactive hardware client authentication. This function is driven completely from the head-end concentrator.

Q10. The HW Client tab of the Configuration | User Management | Groups | Modify (or Add) screen is used to configure individual user authentication. What other two attributes for individual user authentication can you set on this screen?

Answer: Along with enabling individual user authentication, the HW Client tab lets you establish User Idle Timeout and Cisco IP Phone Bypass.

Q11. What is the default session idle timeout when using individual user authentication?

Answer: The default session idle timeout for individual user authentication is 30 minutes.

Q12. When individual user authentication is enabled, what initial screen are you directed to when you first try to establish a browser connection to an address in the private network of the head-end concentrator?

Answer: You will be redirected to the VPN 3002 Hardware Client Manager login screen. From this screen you will select the Connection/Login Status hotlink, which will permit you to log in to the network.

Q13. What VPN 3002 Hardware Client Manager screen can you use to quickly try to connect to the head-end concentrator?

Answer: The Monitoring | System Status screen of the VPN 3002 Hardware Client Manager has two buttons: Disconnect Now and Connect Now. Simply click the Connect Now button to try to establish the connection.

Q14. What VPN 3002 Hardware Client Manager screen can you use when you want to view IKE Phase 1 and IPSec Phase 2 connection statistics?

Answer: The Monitoring | Statistics | IPSec screen of the VPN 3002 Hardware Client Manager provides information on IKE and IPSec connections.

Q15. What VPN 3002 Hardware Client Manager screen can you use if you suspect that DNS problems are interfering with user communications?

Answer: The Monitoring | Statistics | DNS screen of the VPN 3002 Hardware Client Manager provides information on DNS requests, responses, timeouts, and other data that may help you diagnose a DNS problem on your system.

Q16. What screen is used on the head-end concentrator to demand the use of preshared keys?

Answer: The Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN | Modify screen is used to demand preshared keys from the VPN 3002 Hardware Client.

Q17. Name five items to check when you are unable to connect a VPN tunnel and you are receiving IKE failures on Phase 1.

Answer: The five items to check when receiving Phase 1 errors are

  • Xauth is required, but the proposal does not support Xauth.
  • Check the priorities of IKE Xauth proposals in the IKE proposal list.
  • Check the VPN 3002 Hardware Client group.
  • Check the group on the VPN Concentrator.
  • Check that all SA proposals are acceptable.

Q18. You need to allow the main office to use PC Anywhere to connect to three separate machines at the remote office over the VPN. What mode must you use?

Answer: You must use Network Extension mode because all the machines at the remote office will appear as a single IP address at the corporate office if you use PAT mode.

Q19. You need to have a device behind the head-end concentrator to send data as soon as the VPN tunnel is established. Which mode should you use? Can you use split tunneling under these circumstances?

Answer: You must use Network Extension mode. You cannot use split tunneling. In Network Extension mode without split tunneling, a device at the head-end can initiate data transfer. In either PAT mode or Network Extension mode without split tunneling, the VPN 3002 Hardware Client’s network must initiate data transfer.

Q20. What are the disadvantages in a large network (over 100 users) of using individual authentication with the internal server?

Answer: There are two main disadvantages to using individual authentication in a large network. The first issue is that each user must be individually assigned a username and password. This takes a large amount of time. The second issue is that an external authentication server must be used because the internal database only allows 100 users.

Q21. You are using individual authentication in PAT mode. Your tunnel is established but the user cannot log in. What is the first item you should examine?

Answer: First, check if the username and password are correct. You know that PAT mode only connects when data is sent to the head-end. If the tunnel is up, but the user cannot connect, this is usually an issue caused by an incorrect password or username.

Q22. What screen do you use on the VPN 3002 Hardware Client to configure preshared keys?

Answer: You use the Configuration | System | Tunneling Protocols | IPSec screen on the VPN 3002 Hardware Client to configure preshared keys.

Q23. You appear to be experiencing a DoS attack that is initiating from the IP address assigned to one of your VPN 3002 Hardware Clients. What is the problem?

Answer: The problem is that the VPN 3002 Hardware Client has been set to Network Extension mode but the head-end concentrator has not been changed from the default PAT mode.

Q24. You need to allow the remote office to use PC Anywhere to connect to three separate machines at the main office over the VPN. What mode must you use?

Answer: You can use either PAT or Network Extension mode. It is only when going from the main office to the remote office that there is an issue of whether to use Network Extension or PAT mode.

Q25. Some of your remote sites can use split tunneling and others cannot. How is this controlled?

Answer: The decision to allow split tunneling is controlled on a group-by-group basis by the VPN 3002 Hardware Client.

Q26. Your remote site has an ISDN connection to the Internet. You are charged on a per-minute basis for connecting to the Internet. Which mode should you use?

Answer: Other than changing ISPs, the best move here is to use PAT mode because the tunnel will disconnect after a specified amount of time, reducing the charges for your connection. Using Network Extension mode means that the tunnel is always active.

Q27. What version of software must be running on the head-end concentrator to use PAT mode? What version is required for Network Extension mode?

Answer: Both require version 3.x.

Q28. You are the second user to connect through a VPN 3002 Hardware Client for which interactive hardware client and individual user authentication have been configured. What authentication information will you be required to enter?

Answer: You will only be required to enter your individual username and password. The VPN tunnel would have already been established by the previous user who would have been required to enter the hardware client’s username and password, as well as their individual username and password.

Q29. You can use a static configuration for authenticating the VPN 3002 Hardware Client with the head-end concentrator. Why would you want to use interactive hardware client authentication?

Answer: Interactive hardware client authentication provides another layer of security to the system. The device authentication username and password are not stored on the VPN 3002 Hardware Client but are entered by the first user that brings up the VPN connection. The password can be quickly changed on the head-end device and communicated to the users connecting to the VPN 3002 Hardware Client. The head-end concentrator pushes the policies you set for authentication out to the VPN 3002 Hardware Client. You can also use both individual user and interactive hardware client authentication simultaneously.

Q30. Where is interactive hardware client authentication configured?

Answer: You configure interactive hardware client authentication on the head-end VPN 3000 Series Concentrator on the HW Client tab of the Configuration | User Management | Groups | Modify (or Add) screen.

Q31. What authentication method is used for interactive hardware client authentication?

Answer: The authentication method used is governed by the method you selected to use for the VPN group. You can use either internal or external authentication.

Q32. What must you configure on the VPN 3002 Hardware Client in order to use interactive hardware client authentication?

Answer: There are no special configuration steps required on the VPN 3002 Hardware Client to enable interactive hardware client authentication. This function is driven completely from the head-end concentrator.

Q33. The HW Client tab of the Configuration | User Management | Groups | Modify (or Add) screen is used to configure individual user authentication. What other two attributes for individual user authentication can you set on this screen?

Answer: Along with enabling individual user authentication, the HW Client tab lets you establish User Idle Timeout and Cisco IP Phone Bypass.

Q34. What is the default session idle timeout when using individual user authentication?

Answer: The default session idle timeout for individual user authentication is 30 minutes.

Q35. When individual user authentication is enabled, what initial screen are you directed to when you first try to establish a browser connection to an address in the private network of the head-end concentrator?

Answer: You will be redirected to the VPN 3002 Hardware Client Manager login screen. From this screen you will select the Connection/Login Status hotlink, which will permit you to log in to the network.

Q36. What VPN 3002 Hardware Client Manager screen can you use to quickly try to connect to the head-end concentrator?

Answer: The Monitoring | System Status screen of the VPN 3002 Hardware Client Manager has two buttons: Disconnect Now and Connect Now. Simply click the Connect Now button to try to establish the connection.

Q37. What VPN 3002 Hardware Client Manager screen can you use when you want to view IKE Phase 1 and IPSec Phase 2 connection statistics?

Answer: The Monitoring | Statistics | IPSec screen of the VPN 3002 Hardware Client Manager provides information on IKE and IPSec connections.

Q38. What VPN 3002 Hardware Client Manager screen can you use if you suspect that DNS problems are interfering with user communications?

Answer: The Monitoring | Statistics | DNS screen of the VPN 3002 Hardware Client Manager provides information on DNS requests, responses, timeouts, and other data that might help you diagnose a DNS problem on your system.

About the author

Scott