CCNP Security VPN FAQ: Configuring the Cisco VPN Client Firewall Feature

Q1. You have a number of clients running Windows 98 and a remote VPN 3002 Hardware Client assigned to the same group. Your supervisor wants you to force everyone on this group connecting to have a firewall running on his or her machine. Can you do this?

Answer: No. The Firewall Required option cannot be used with the VPN 3002 Hardware Client.

Q2. How is the Always On option set on the VPN Client?

Answer: The Always On option is set under the Options pull-down menu. The default setting is to have Always On disabled.

Q3. In addition to IPSec, what tunneling protocols does the VPN Client support?

Answer: The VPN Client supports the tunneling protocols IPSec, PPTP, L2TP, and L2TP over IPSec.

Q4. How often does the VPN Client poll the personal firewall when using Are You There (AYT)?

Answer: The VPN Client polls the personal firewall every 30 seconds when using AYT.

Q5. You are using BlackICE as a client firewall. You are presently connected through the VPN. What happens if you stop the service running BlackICE? Does the VPN remain connected? If so, for how long? Can you connect again if BlackICE is not running?

Answer: The answer depends on two configuration choices. The first choice is the Are You There (AYT) configuration. If AYT is off, no noticeable difference is seen.

If AYT is on, the connection reacts differently depending on other choices made. If you configure the Firewall setting as Firewall Optional or No Firewall, you do not see a noticeable difference during this connection. However, if you choose the Firewall Required option, the connection is dropped after there is no response from the concentrator’s poll. With the Firewall Required option, you cannot connect until you start BlackICE again. If you set the Firewall Optional option, you receive a message indicating that a firewall should be running when you connect.

Q6. Which two products from Zone Labs work with the VPN Client to enable the Are You There (AYT) capability?

Answer: Zone Alarm and Zone AlarmPro are the personal firewalls that work with the Cisco VPN Client to enable the AYT capability. The other product that works with the VPN Client is BlackICE Defender from Network ICE.

Q7. What protocols are not automatically blocked when using the Stateful Firewall (Always On) feature?

Answer: Dynamic Host Configuration Protocol (DHCP) and Encapsulating Security Payload (ESP) are not automatically blocked when using the Stateful Firewall (Always On) feature. Additionally, traffic from the concentrator’s network is not blocked.

Q8. You want to have secure VPN connections to the private network of the head-end concentrator and unsecured communications to the Internet. How would you configure the VPN Client’s Stateful Firewall feature to support this split tunneling?

Answer: To enable split tunneling, you must disable the VPN Client’s Stateful Firewall feature. If enabled, the Stateful Firewall blocks all traffic coming from the Internet.

Q9. What is another name for the Stateful Firewall client that is a part of the Cisco VPN Client?

Answer: The Stateful Firewall client that is part of the Cisco VPN Client is also called the Cisco Integrated Client (CIC).

Q10. Where are the rules set for a client when using Central Protection Policy (CPP) with Zone AlarmPro?

Answer: Using Centralized Protection Policy (CPP) means that the concentrator controls all rules for the clients. This applies to CIC as well as Zone Alarm and Zone AlarmPro.

Q11. Why is CPP not used with the Tunnel Everything option?

Answer: CPP is designed to be used with split tunneling because the Tunnel Everything option already blocks all nontunneled traffic.

Q12. On what screen do you configure CPP?

Answer: CPP is configured on the Client FW tab of the Configuration | User Management | Groups | Modify screen within the VPN concentrator.

Q13. On the VPN Client, where do you see the current compression used for a VPN connection?

Answer: You see the current compression used for a VPN connection under the General tab of the Connection Status dialog box on the client software. You can also view the current compression method by using the client CLI command vpnclient stat.

Q14. From the VPN Client, where can you view the secured routes that are enabled to the client?

Answer: You can view a list of secured routes that are enabled to the VPN Client from the Statistics tab of the Connection Status screen.

Q15. What is meant by the term Packets bypassed on the Statistics tab of the Connection Status screen?

Answer: The Packets bypassed field on the Statistics tab of the Connection Status screen shows the number of packets that did not need to be encrypted but which were still sent out over the wire in unencrypted form.

Q16. What debug classes do you use when creating a rule with the following options:
a. Drop
b. Drop and Log
c. Forward
d. Forward and Log
e. Apply IPSec
f. Apply IPSec and Log

Answer: The FILTERDBG event class is used with the Drop and Log option, Apply IPSec and Log option, and the Forward and Log option. The other three options do not use a debug class.

Q17. How do you allow clients to use either of two firewalls? What is the only vendor you can do this with?

Answer: To allow clients to use either of two firewalls, choose the Custom Firewall option on the Client FW tab on the Configuration | User Management | Groups | Modify screen. Enter the Vendor ID and the Product IDs separated by commas. Because Zone Labs is the only vendor with more than one product, this vendor must be used.

Q18. On the VPN 3000 Concentrator Series devices, you configure the client firewall properties on the Client FW tab of the Configuration | User Management | Groups | Add (or Modify) screen. You can only select one firewall policy from that screen. What are the three types of firewall policies that you can choose from on the Client FW tab?

Answer: You can select to enable a Policy defined by remote firewall (AYT), a Policy Pushed (CPP), or a Policy from Server on the Client FW tab.

Q28. By default, what IP address and wildcard mask does VRRP use?

Answer: By default, VRRP uses 224.0.0.18/0.0.0.0.

Q30. You are using CPP and pushing a policy to a firewall at the client. The client’s firewall allows FTP access. The concentrator’s policy does not allow FTP access. Is FTP access allowed?

Answer: No, FTP access is not allowed. When using CPP and pushing to a firewall, the more restrictive of the policies pertains. Therefore, because one of these limits FTP traffic, the FTP traffic is limited.

Q33. While configuring a filter, you want to apply this filter to all protocols. What number do you use?

Answer: Using 255 applies the filter to all protocols.

Q34. When using the VPN Client, what ICMP should be set?

Answer: None. The VPN Client cannot be filtered based on the ICMP protocol.

Q35. What authentication methods are allowed with the VPN Client?

Answer: The following authentication methods are allowed with the VPN Client:
a. XAUTH (eXtended AUTHentication)
b. RADIUS with:
  • MSCHAPv2
  • State/Reply message attributes (token cards)
  • RSA SecurID
  • Windows NT Domain Authentication
  • X.509v3 digital certificates

Q36. What types of key management can the VPN Client use?

Answer: The VPN Client can use the following types of key management:
a. XAUTH
b. IKE—Aggressive and Main mode (digital certificates)
c. Diffie-Hellman Groups 1, 2, and 5
d. PFS
e. Rekeying

About the author

Scott
