CCNP Security VPN FAQ: Configuring the Cisco VPN Client Firewall Feature
Q1. You have a number of clients running Windows 98 and a remote VPN 3002 Hardware Client assigned to the same group. Your supervisor wants you to force everyone connecting in this group to have a firewall running on his or her machine. Can you do this?
Q2. How is the Always On option set on the VPN Client?
Q3. In addition to IPSec, what tunneling protocols does the VPN Client support?
Q4. How often does the VPN Client poll the personal firewall when using Are You There (AYT)?
Q5. You are using BlackICE as a client firewall. You are presently connected through the VPN. What happens if you stop the service running BlackICE? Does the VPN remain connected? If so, for how long? Can you connect again if BlackICE is not running?
Answer: The answer depends on two configuration choices. The first choice is the Are You There (AYT) configuration. If AYT is off, no noticeable difference is seen.
If AYT is on, the connection reacts differently depending on other choices made. If you configure the Firewall setting as Firewall Optional or No Firewall, you do not see a noticeable difference during this connection. However, if you choose the Firewall Required option, the connection is dropped after there is no response from the concentrator’s poll. With the Firewall Required option, you cannot connect until you start BlackICE again. If you set the Firewall Optional option, you receive a message indicating that a firewall should be running when you connect.
Q6. Which two products from Zone Labs work with the VPN Client to enable the Are You There (AYT) capability?
Q7. What protocols are not automatically blocked when using the Stateful Firewall (Always On) feature?
Q8. You want to have secure VPN connections to the private network of the head-end concentrator and unsecured communications to the Internet. How would you configure the VPN Client’s Stateful Firewall feature to support this split tunneling?
Q9. What is another name for the Stateful Firewall client that is a part of the Cisco VPN Client?
Q10. Where are the rules set for a client when using Central Protection Policy (CPP) with Zone AlarmPro?
Q11. Why is CPP not used with the Tunnel Everything option?
Q12. On what screen do you configure CPP?
Q13. On the VPN Client, where do you see the current compression used for a VPN connection?
Q14. From the VPN Client, where can you view the secured routes that are enabled to the client?
Q15. What is meant by the term Packets bypassed on the Statistics tab of the Connection Status screen?
Q16. What debug classes do you use when creating a rule with the following options:
a. Drop
b. Drop and Log
c. Forward
d. Forward and Log
e. Apply IPSec
f. Apply IPSec and Log
Q17. How do you allow clients to use either of two firewalls? What is the only vendor you can do this with?
Q18. On the VPN 3000 Concentrator Series devices, you configure the client firewall properties on the Client FW tab of the Configuration | User Management | Groups | Add (or Modify) screen. You can only select one firewall policy from that screen. What are the three types of firewall policies that you can choose from on the Client FW tab?
Q19. You have a number of clients running Windows 98 and a remote VPN 3002 Hardware Client assigned to the same group. Your supervisor wants you to force everyone connecting in this group to have a firewall running on his or her machine. Can you do this?
Q20. What firewalls can be used within the Custom Firewall option on the concentrator?
a. CIC
b. Zone Alarm
c. Zone AlarmPro
d. Zone Labs Integrity
e. BlackICE Defender/Agent
Q21. Where are the rules set for a client when using CPP with Zone AlarmPro?
Q22. What protocols are not automatically blocked when using the Stateful Firewall (Always On) feature?
Q23. Why is CPP not used with the Tunnel Everything option?
Q24. How often does the VPN Client poll the personal firewall when using AYT?
Q25. How is the Always On option set on the VPN Client?
Q26. Where is CPP configured?
Q27. What debug classes are used when creating a rule with the following options:
a. Drop
b. Drop and Log
c. Forward
d. Forward and Log
e. Apply IPSec
f. Apply IPSec and Log
Q28. By default, what IP address and wildcard mask does VRRP use?
Q29. How do you allow clients to use either of two firewalls? What is the only vendor you can do this with?
Q30. You are using CPP and pushing a policy to a firewall at the client. The client’s firewall allows FTP access. The concentrator’s policy does not allow FTP access. Is FTP access allowed?
Q31. You are using BlackICE as a client firewall. You are presently connected through the VPN. What happens if you stop the service running BlackICE? Does the VPN remain connected? If so, for how long? Can you connect again if BlackICE is not running?
Answer: If AYT is on, the connection reacts differently depending on other choices made. If you configured the firewall setting as Firewall Optional or No Firewall, no noticeable difference is seen during this connection. However, if you choose the Firewall Required option, the connection is dropped after there is no response from the concentrator’s poll. With Firewall Required, you cannot connect until you start BlackICE again. If you set the Firewall Optional option, you receive a message indicating that a firewall should be running when you connect.
Q32. On the VPN Client, where do you see the current compression used for a VPN connection?
Q33. While configuring a filter, you want to apply this filter to all protocols. What number do you use?
Q34. When using the VPN Client, what ICMP should be set?
Q35. What authentication methods are allowed with the VPN Client?
a. XAUTH (eXtended AUTHentication)
b. RADIUS with:
- MSCHAPv2
- State/Reply message attributes (token cards)
- RSA SecurID
- Windows NT Domain Authentication
- X.509v3 digital certificates
Q36. What types of key management can the VPN Client use?
a. XAUTH
b. IKE—Aggressive and Main mode (digital certificates)
c. Diffie-Hellman Groups 1, 2, and 5
d. PFS
e. Rekeying
Q37. In addition to IPSec, what tunneling protocols does the VPN Client support?
Q38. Which two products from Zone Labs work with the VPN Client to enable the Are You There (AYT) capability?
Q39. You want to have secure VPN connections to the private network of the head-end concentrator and unsecured communications to the Internet. How would you configure the VPN Client’s Stateful Firewall feature to support this split tunneling?
Q40. What is another name for the Stateful Firewall client that is a part of the Cisco VPN Client?
Q41. From the VPN Client, where can you view the secured routes that are enabled to the client?
Q42. What is meant by the term Packets bypassed on the Statistics tab of the Connection Status screen?
Q43. On the VPN 3000 Concentrator Series devices, you configure the client firewall properties on the Client FW tab of the Configuration | User Management | Groups | Add (or Modify) screen. You can only select one firewall policy from that screen. What are the three types of firewall policies that you can choose from on the Client FW tab?