Cisco Press
201 West 103rd Street
Indianapolis, IN 46290 USA
Cisco Press
CCSP Self-Study
CCSP Cisco Secure VPN
Exam Certification Guide
John F. Roland
Mark J. Newcomb
CCSP.book Page i Friday, February 28, 2003 3:43 PM
CCSP Self-Study
CCSP Cisco Secure VPN Exam Certification Guide
John F. Roland and Mark J. Newcomb
Copyright © 2003 Cisco Systems, Inc.
Published by:
Cisco Press
201 West 103rd Street
Indianapolis, IN 46290 USA
All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or
We greatly appreciate your assistance.
Publisher John Wait
Editor-In-Chief John Kane
Cisco Representative Anthony Wolfenden
Cisco Press Program Manager Sonia Torres Chavez
Manager, Marketing Communications, Cisco Systems Scott Miller
Cisco Marketing Program Manager Edie Quiroz
Executive Editor Brett Bartow
Acquisitions Editor Michelle Grandin
Production Manager Patrick Kanouse
Development Editor Dayna Isley
Senior Editor Sheri Cain
Copy Editor PIT, John Edwards
Technical Editors Scott Chen, Gert Schauwers, Thomas Scire
Team Coordinator Tammi Ross
Book Designer Gina Rexrode
Cover Designer Louisa Adair
Composition Octal Publishing, Inc.
Indexer Tim Wright
Media Developer Jay Payne
Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
Cisco Systems has more than 200 offices in the following countries. Addresses, phone numbers, and fax numbers are listed on
the Cisco Web site at www.cisco.com/go/offices
Argentina • Australia • Austria • Belgium • Brazil • Bulgaria • Canada • Chile • China • Colombia • Costa Rica • Croatia • Czech Republic • Denmark • Dubai, UAE • Finland • France • Germany • Greece • Hong Kong • Hungary • India • Indonesia • Ireland • Israel • Italy • Japan • Korea • Luxembourg • Malaysia • Mexico • The Netherlands • New Zealand • Norway • Peru • Philippines • Poland • Portugal • Puerto Rico • Romania • Russia • Saudi Arabia • Scotland • Singapore • Slovakia • Slovenia • South Africa • Spain • Sweden • Switzerland • Taiwan • Thailand • Turkey • Ukraine • United Kingdom • United States • Venezuela • Vietnam • Zimbabwe
Copyright © 2000, Cisco Systems, Inc. All rights reserved. Access Registrar, AccessPath, Are You Ready, ATM Director, Browse with Me, CCDA, CCDE, CCDP, CCIE, CCNA,
CCNP, CCSI, CD-PAC, CiscoLink, the Cisco NetWorks logo, the Cisco Powered Network logo, Cisco Systems Networking Academy, Fast Step, FireRunner, Follow Me Browsing,
FormShare, GigaStack, IGX, Intelligence in the Optical Core, Internet Quotient, IP/VC, iQ Breakthrough, iQ Expertise, iQ FastTrack, iQuick Study, iQ Readiness Scorecard, The
iQ Logo, Kernel Proxy, MGX, Natural Network Viewer, Network Registrar, the Networkers logo, Packet, PIX, Point and Click Internetworking, Policy Builder, RateMUX,
ReyMaster, ReyView, ScriptShare, Secure Script, Shop with Me, SlideCast, SMARTnet, SVX, TrafficDirector, TransPath, VlanDirector, Voice LAN, Wavelength Router,
Workgroup Director, and Workgroup Stack are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, Empowering the Internet Generation, are
service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, Cisco, the Cisco Certified Internetwork Expert Logo, Cisco IOS, the Cisco IOS logo, Cisco Press, Cisco
Systems, Cisco Systems Capital, the Cisco Systems logo, Collision Free, Enterprise/Solver, EtherChannel, EtherSwitch, FastHub, FastLink, FastPAD, IOS, IP/TV, IPX,
LightStream, LightSwitch, MICA, NetRanger, Post-Routing, Pre-Routing, Registrar, StrataView Plus, Stratm, SwitchProbe, TeleRouter, are registered trademarks of Cisco Systems,
Inc. or its affiliates in the U.S. and certain other countries.
All other brands, names, or trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a partnership
relationship between Cisco and any other company. (0010R)
Scott Chen
has worked in the IT field for the past seven years holding various positions, including senior NT engineer, senior network engineer, and lead network engineer/network manager. Scott is currently a lead network engineer/network manager at Triad Financial Corporation, which is a wholly owned subsidiary of Ford Motor. He has implemented VPN solutions for remote access and LAN-to-LAN for several enterprises. Scott has extensive experience designing, implementing, and supporting enterprise networks and working with various technologies that Cisco offers, including routing, switching, security, content switching, wireless, BGP, EIGRP, and NAT. Scott graduated from the University of California, Irvine, with a bachelor’s degree. He also holds several certifications, including MCSE, CCNA, CCNP, and CCIE Written/Qualification. Scott can be reached through e-mail at [email protected].
Gert Schauwers
is a triple Cisco Certified Internetwork Expert (CCIE No. 6942)—Routing and Switching, Security, and Communication and Services. He has more than four years’ experience in internetworking and holds an Engineering degree in Electronics/Communication. Gert is currently working in the Brussels CCIE lab, where he is a proctor and content engineer for the Routing and Switching, Security, and Communication and Services exams.
Thomas Scire
has been working in the network infrastructure industry since 1996. Thomas specializes in LAN, WAN, security, and multiservice infrastructure from Cisco Systems, Checkpoint, and Nokia. Thomas works for Accudata Systems, Inc., an independent IT professional services and solutions firm that specializes in enterprise network and security infrastructure. Some of his more notable projects include enterprise VPN and IP telephony deployments and an international Voice over Frame Relay network deployment. Thomas holds a bachelor’s degree in Computer Engineering from Polytechnic University and holds several certifications, including Cisco CCNA/CCDA, Cisco IP Telephony Design Specialist, Checkpoint Certified Security Engineer, Checkpoint Certified Security Instructor, and Nokia Security Administrator.
her for turning the work into a professional document. It has been a real pleasure to work with you three over these several months.
Next, I would like to thank my co-author, Mark Newcomb, for stepping in to author half of this book when personal problems brought me to a standstill. Thank you, Mark, for your professionalism and expertise and for helping to bring this project to fruition.
I would also like to thank the technical reviewers, Gert Schauwers, Scott Chen, and Thomas Scire for their comments, suggestions, and careful attention to detail. Without their help, this book would not be the valuable resource that it has become. Thank you all.
From Mark Newcomb:
I heartily acknowledge John Roland’s contribution to this effort and thank him for inviting me to assist in this endeavor. No text of any size is ever truly a work of just the authors. After nearly five years of writing, technical editing, and working with a variety of publishers, I commend every employee of Cisco Press. Michelle Grandin, Dayna Isley, John Kane, and Brett Bartow are people at Cisco Press I have come to know and respect for their professional efforts. I also want to give special thanks to Tammi Ross. Within any organization, there is one individual that seems to be able to solve any unsolvable problem. Tammi has proven herself to be that person at Cisco Press.
The technical reviewers working with Cisco Press are world class. Technical reviewers are the most valuable assets a good publisher can have. They do not receive the recognition or compensation that they so richly deserve. I thank Gert Schauwers, Scott Chen, and Thomas Scire for their efforts to make this work what it is today.
Contents at a Glance
Introduction xvii
Chapter 1 Configuring Cisco 3002 Hardware Client for Remote Access 359
Chapter 9 Configuring Scalability Features of the VPN 3002 Hardware Client 399
Chapter 10 Cisco VPN 3000 LAN-to-LAN with Preshared Keys 443
Chapter 11 Scenarios 473
Appendix A Answers to the “Do I Know This Already?” Quizzes and Q&A Sections 489
Index 551
Table of Contents
Introduction xvii
Step 2: Authenticate Peers and Establish IKE SAs 61
Step 3: Establish IPSec SAs 61
Step 4: Allow Secured Communications 61
Step 5: Terminate VPN 62
Table of Protocols Used with IPSec 63
IPSec Preconfiguration Processes 65
Creating VPNs with IPSec 65
Chapter 3 Cisco VPN 3000 Concentrator Series Hardware Overview 79
How to Best Use This Chapter 79
“Do I Know This Already?” Quiz 80
Major Advantages of Cisco VPN 3000 Series Concentrators 85
Ease of Deployment and Use 87
Performance and Scalability 87
Security 90
Fault Tolerance 94
Management Interface 94
Ease of Upgrades 99
Cisco Secure VPN Concentrators: Comparison and Features 100
Cisco VPN 3005 Concentrator 101
Cisco VPN 3015 Concentrator 102
Cisco VPN 3030 Concentrator 103
Cisco VPN 3060 Concentrator 104
Overview of the VPN Client 174
VPN Client Features 175
VPN Client Installation 177
VPN Client Configuration 181
Types of Preshared Keys 186
VPN 3000 Concentrator CLI Quick Configuration Steps 186
VPN 3000 Concentrator Browser-Based Manager Quick Configuration Steps 187
VPN Client Installation Steps 187
VPN Client Configuration Steps 188
VPN Client Program Options 188
Limits for Number of Groups and Users 189
Complete Configuration Table of Contents 189
Complete Administration Table of Contents 192
Complete Monitoring Table of Contents 193
Scenario 4-1 207
Scenario 4-2 208
Scenario 4-1 Answers 210
Scenario 4-2 Answers 211
Chapter 5 Configuring Cisco VPN 3000 for Remote Access Using Digital Certificates 215
How to Best Use This Chapter 216
“Do I Know This Already?” Quiz 217
Digital Certificates and Certificate Authorities 221
The CA Architecture 221
Simple Certificate Enrollment Process Authentication Methods 228
CA Vendors and Products that Support Cisco VPN Products 231
Digital Certificate Support Through the VPN 3000 Concentrator Series Manager 232
The Stateful Firewall (Always On) Feature 267
The Are You There Feature 269
Configuring Firewall Filter Rules 269
Name, Direction, and Action 273
Protocol and TCP Connection 273
Source Address and Destination Address 274
TCP/UDP Source and Destination Ports 274
ICMP Packet Type 276
Configuring the Stateful Firewall 276
Configuring the VPN Concentrator for Firewall Usage 277
Firewall Setting 278
Firewall 279
Custom Firewall 279
Firewall Policy 280
Monitoring VPN Client Firewall Statistics 281
Enabling Automatic Client Update Through the Cisco VPN 3000 Concentrator Series Manager 283
Cisco VPN Client Firewall Feature Overview 285
Stateful Firewall (Always On) Feature 287
Cisco Integrated Client 288
Centralized Protection Policy 288
Are You There Feature 288
Configuring Firewall Filter Rules 288
Action 289
Configuring the Stateful Firewall 290
Sessions 328
Statistics 330
Administering the Cisco VPN 3000 Series Concentrator 338
Administer Sessions 340
Software Update 341
Concentrator 342
Clients 342
System Reboot 343
Ping 344
Monitoring Refresh 344
Access Rights 345
Administrators 345
Access Control List 346
Access Settings 347
AAA Servers 347
Authentication 347
File Management 347
Certificate Manager 347
Monitoring the Cisco VPN 3000 Series Concentrator 348
System Status 349
Sessions 349
Top Ten Lists 350
Statistics 351
MIB II Statistics 352
Chapter 8 Configuring Cisco 3002 Hardware Client for Remote Access 359
How to Best Use This Chapter 399
“Do I Know This Already?” Quiz 400
VPN 3002 Hardware Client Reverse Route Injection 407
Setting Up the VPN Concentrator Using RIPv2 407
Setting Up the VPN Concentrator Using OSPF 408
Configuring VPN 3002 Hardware Client Reverse Route Injection 409
VPN 3002 Hardware Client Backup Servers 412
VPN 3002 Hardware Client Load Balancing 414
Overview of Port Address Translation 416
IPSec on the VPN 3002 Hardware Client 418
IPSec Over TCP/IP 418
UDP NAT Transparent IPSec (IPSec Over UDP) 419
Troubleshooting a VPN 3002 Hardware Client IPSec Connection 420
Configuring Auto-Update for the VPN 3002 Hardware Client 423
Monitoring Auto-Update Events 426
Table of RRI Configurations 429
Backup Servers 429
Load Balancing 430
Comparing NAT and PAT 430
IPSec Over TCP/IP 430
IPSec Over UDP 431
Troubleshooting IPSec 431
Auto-Update 431
Scenario 9-1 440
Scenario 9-1 Answers 441
IKE Policy 475
IPSec Policy 476
Scenario 11-2—Portland 476