VPN 3000 Series Concentrator Getting Started
Release 4.7
August 2005

Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
Contents

Preface vii
  Audience vii
  Organization vii
  Related Documentation viii
  Conventions x
  Obtaining Documentation xi
  Documentation Feedback xiii
  Cisco Product Security Overview xiii
  Obtaining Technical Assistance xiv
  Obtaining Additional Publications and Information

Chapter 1 Understanding the VPN 3000 Concentrator 1-1
  Hardware Features 1-2
  Software Features 1-4
  How the VPN Concentrator Works 1-7
  Where the VPN Concentrator Fits in Your Network
  Physical Specifications

Chapter 2

  Configuring Tunneling Protocols and Options 3-9
  Configuring Address Assignment 3-10
  Configuring Authentication 3-11
  Configuring the Internal Server User Database 3-17
  Configuring the IPSec Group 3-18
  Configuring WebVPN Remote Access 3-19
  Setting Up the WebVPN Home Page 3-20
  Changing Admin Password 3-21
  Finishing Quick Configuration 3-22
  Saving the Active Configuration 3-22
  What Next? 3-23
  Using Other VPN Concentrator Manager Functions 3-23
  Understanding the VPN Concentrator Manag

Appendix A Troubleshooting and System Errors A-1
  Files for Troubleshooting A-1
  VPN Concentrator Manager Errors A-2
  Command-line Interface Errors A-5
  LED Indicators A-5

Appendix B Copyrights, Licenses, and Notices B-1
  Software License Agreement of Cisco Systems, Inc.
Contents VPN 3000 Series Concentrator Getting Started vi 78-15733-03
Preface

VPN 3000 Series Concentrator Getting Started provides information to take you from unpacking and installing the VPN 3000 Concentrator through quick configuration (configuring the minimal parameters to make it operational). You can perform quick configuration from a console with the menu-based command-line interface, or you can use the HTML-based VPN Concentrator Manager with a browser. This guide describes both methods, and we recommend the latter for ease of use.
Chapter 5: Testing the VPN Concentrator. Explains how to test the system by using Microsoft Dial-Up Networking on a PC with a modem, to connect to an ISP and use PPTP to create a VPN tunnel to your private corporate network.

Appendix A: Troubleshooting and System Errors. Describes common errors that might occur while configuring or using the system, and how to correct them.
VPN 3002 Hardware Client Documentation

The VPN 3002 Hardware Client Reference provides details on all the functions available in the VPN 3002 Hardware Client Manager. This manual is online only.

The VPN 3002 Hardware Client Getting Started manual provides information to take you from unpacking and installing the VPN 3002, through configuring the minimal parameters to make it operational (called Quick Configuration). This manual is available only online.
Conventions

This document uses the following conventions:

boldface font: Commands and keywords are in boldface.
italic font: Arguments for which you supply values are in italics.
screen font: Terminal sessions and information the system displays are in screen font.
boldface screen font: Information you must enter is in boldface screen font.
Data Formats

As you configure and manage the system, enter data in the following formats unless the instructions indicate otherwise:

IP Addresses: IP addresses use 4-byte dotted decimal notation (for example, 192.168.12.34); as the example indicates, you can omit leading zeros in a byte position.
Subnet Masks and Wildcard Masks: Subnet masks use 4-byte dotted decimal notation (for example, 255.255.255.0).
Product Documentation DVD

Cisco documentation and additional literature are available in the Product Documentation DVD package, which may have shipped with your product. The Product Documentation DVD is updated regularly and may be more current than printed documentation. The Product Documentation DVD is a comprehensive library of technical product documentation on portable media.
Documentation Feedback

You can rate and provide feedback about Cisco technical documents by completing the online feedback form that appears with the technical documents on Cisco.com. You can send comments about Cisco documentation to bug-doc@cisco.com.
Tip: We encourage you to use Pretty Good Privacy (PGP) or a compatible product to encrypt any sensitive information that you send to Cisco. PSIRT can work from encrypted information that is compatible with PGP versions 2.x through 8.x. Never use a revoked or an expired encryption key. The correct public key to use in your correspondence with PSIRT is the one linked in the Contact Summary section of the Security Vulnerability Policy page at this URL: http://www.cisco.
Submitting a Service Request

Using the online TAC Service Request Tool is the fastest way to open S3 and S4 service requests. (S3 and S4 service requests are those in which your network is minimally impaired or for which you require product information.) After you describe your situation, the TAC Service Request Tool provides recommended solutions. If your issue is not resolved using the recommended resources, your service request is assigned to a Cisco engineer.
Obtaining Additional Publications and Information

Information about Cisco products, technologies, and network solutions is available from various online and printed sources.

• Cisco Marketplace provides a variety of Cisco books, reference guides, documentation, and logo merchandise. Visit Cisco Marketplace, the company store, at this URL: http://www.cisco.
Chapter 1 Understanding the VPN 3000 Concentrator

The VPN 3000 Concentrator (also known as the VPN Concentrator) creates a virtual private network by creating a secure connection across a TCP/IP network (such as the Internet) that users see as a private connection. The VPN Concentrator can create single-user-to-LAN connections and LAN-to-LAN connections.
Hardware Features

Current VPN Concentrator models: 3005, 3015, 3020, 3030, 3060, and 3080.
Previous VPN Concentrator models: C10, C20, and C50.
Model 3030
• One SEP-E module for hardware-based encryption
• Single power supply
• Expansion capabilities:
  – One additional SEP-E module for hardware-based encryption
  – Up to two additional SEP-E modules for redundancy
  – Optional redundant power supply

Model 3060
• 512 MB memory
• Two SEP-E modules for hardware-based encryption
• Expansion capabilities:
  – Up to two additional SEP-E
Software Features

The VPN Concentrator incorporates the following virtual private networking software features:

Management Interfaces: The VPN Concentrator offers multiple management interfaces. Each interface provides complete capabilities and can be used to fully configure, administer, and monitor the device.
Network Addressing Support:
• DNS (Domain Name System)
• Client address assignment:
  – DHCP (Dynamic Host Configuration Protocol), including DDNS host name population and configurable giaddr
  – Internally configured client IP address pools
  – RADIUS

Authentication and Accounting Servers:
• Internal authentication server
• Support for external authentication servers:
  – RADIUS
  – RADIUS with Password Expiration (
Routing Protocols:
• IP
• RIP v1, RIP v2
• OSPF
• Static routes
• Private network autodiscovery for LAN-to-LAN connections
• Reverse Route Injection (RRI) allows client, LAN-to-LAN, and network extension networks to be announced via RIPv2/OSPF

Clustering:
• Load Balancing
• System redundancy via VRRP

System Administration:
• Session monitoring and management
• Software image update
•

Monitoring:
Client Software Compatibility:
• Cisco VPN Client (IPSec):
  – Windows 98 and Windows ME
  – Windows NT® 4.0, Windows 2000, and Windows XP
  – Mac OS X 10.1 and 10.2 Jaguar
  – Linux Intel v2.2/v2.4 kernels and Solaris ULTRASparc 32-bit and 64-bit (command-line interfaces only)
• Microsoft VPN Clients:
  – Windows® 95, Windows 98, Windows ME, Windows NT 4.
Where the VPN Concentrator Fits in Your Network

Enterprise network configurations vary widely, but the VPN Concentrator is flexible and functional enough to satisfy most applications. Figure 1-2 shows a typical installation, with the VPN Concentrator configured in parallel with a firewall, and supporting both low-speed and high-speed remote users.
Physical Specifications

Power: 100 to 240 VAC at 50/60 Hz (autosensing)
• 3005 = maximum 25 W (0.2 A @ 120 VAC)
• 3015–3080 = maximum 50 W (0.42 A @ 120 VAC)
Cabling distances from an active network device: approx. 328 feet (100 meters)
Electrical, mechanical, and construction: UL approved
Standards compliance: FCC, E.U.
Chapter 2 Installing and Powering Up the VPN Concentrator

This chapter tells you how to prepare for, unpack, install, and power up the VPN Concentrator, and how to begin quick configuration.

Preparing to Install

Before you begin, ensure that you have the requisite skill set and that your physical environment and software preferences are properly set, as described in the following sections.
Access

The VPN Concentrator requires access only to the front and back.

Cables and Connectors

The VPN Concentrator uses the following cables and connectors:

• The VPN Concentrator Ethernet interfaces take standard UTP/STP twisted-pair network cables, Category 5, with RJ-45 8-pin modular connectors. Cisco supplies two with the system.
Browser: Internet Explorer 6.0

JavaScript:
1. On the Tools menu, choose Internet Options.
2. On the Security tab, click Custom Level.
3. In the Security Settings window, scroll down to Scripting.
4. Click Enable under Active scripting.
5.

Cookies:
1. On the Tools menu, choose Internet Options.
2. On the Privacy tab, set the slider at or below Medium High.

Browser: Netscape Navigator 7.2 and Mozilla 1.7
Table 2-1 Check VPN Concentrator Packing List (continued)

Quantity | Item
1 or 2 | Power cords
1 | Cisco VPN 3000 Series Concentrator CD
1 | Cisco VPN Software Client CD
1 | VPN 3000 Series Concentrator Getting Started (this manual)
1 | VPN 3000 Series Concentrator Software License Agreement
1 | Cisco VPN Client Software License Agreement
1 | Export Compliance document
1 | Cisco Product Warranty and Infor
(Models 3015 to 3080)

Mount the VPN Concentrator in the rack as shown in Figure 2-2. Use screws or fasteners appropriate for your equipment rack.
Installing Rubber Feet

To place the VPN Concentrator on a table or shelf, locate the four indentations on the bottom of the chassis. Peel the removable tape off each rubber foot, and place one foot in each indentation. (See Figure 2-3.) Some models of the VPN Concentrator use screws to attach the rubber feet.
Figure 2-4 Installing Rubber Feet with Screws (Model 3005; Models 3015 through 3080)
Connecting Hardware

Warning: Be sure the console/PC is turned off before you connect cables to it. Do not connect power cables to the VPN Concentrator until instructed.

Connecting the Console/PC

Connect the RS-232 straight-through serial cable between the Console port on the back of the VPN Concentrator and the COM1 or serial port on the console/PC. See Figure 2-5.
(Models 3015 through 3080)

Connecting Network Cables

Connect network patch cables between the Ethernet interface jacks on the back of the VPN Concentrator and your network patch panel or device. See Figure 2-5.
Note: If you have a system with redundant power modules, make sure you connect power cables between both modules and appropriate power outlets.
Powering Up

Power up the devices in this sequence:

Step 1 Power up the console/PC.

Step 2 Start a terminal emulator (for example, HyperTerminal) on the console/PC. Configure a connection to COM1, with port settings of:
• 9600 bits per second
• 8 data bits
• No parity
• 1 stop bit
• Hardware flow control
Set the emulator for VT100 emulation, or let it auto-detect the emulation type.
Beginning Quick Configuration

You are now ready to begin quick configuration; that is, accepting default values when possible and configuring minimal parameters to make the VPN 3000 Concentrator operational.

Note: You can go through the steps of quick configuration only once, unless you reboot the system with the Reboot with Factory/Default configuration option.
Quick Configuration Using Non-default Values

Although you can choose to accept the default values, where applicable, for many of the quick configuration parameters, you can instead specify particular values for one or more of these parameters. Table 2-2 lists the parameters you need for quick configuration and provides space for you to record the values you enter.
Table 2-2 Quick Configuration Parameters (continued)

Screen | Parameter Name | Parameter Description and Use | Your Entry

Authentication: Your choice here determines the parameters you see in the following screen. Possible values are:
• Internal Server – Choosing Internal Server means using the internal VPN Concentrator user authentication server.
Using the Console

You must use the console for the first part of quick configuration—setting the system time and date, and configuring the private Ethernet interface, as described in the following steps. Then you can use the HTML-based VPN Concentrator Manager from a browser to complete quick configuration. Refer to the data you recorded in Table 2-2.
Step 6 The system prompts you with a menu to enable DST (Daylight-Saving Time) support. During DST, clocks are set one hour ahead of standard time. Enabling DST support means that the VPN Concentrator automatically adjusts the time zone for DST or standard time. If your system is in a time zone that uses DST, you must enable DST support.
Step 10 The system prompts you with a menu to set the transmission mode for the Ethernet 1 interface. You can let the VPN Concentrator automatically detect and set the appropriate mode (the default), or you can configure the interface for full duplex (transmission in both directions at the same time) or half duplex (transmission in only one direction at a time).
Continue quick configuration with either the VPN Concentrator Manager or the command-line interface.

• To continue with the VPN Concentrator Manager, see Chapter 3, “Using the VPN Concentrator Manager for Quick Configuration.”
• To continue with the command-line interface, see Chapter 4, “Using the Command-Line Interface for Quick Configuration.”
Chapter 3 Using the VPN Concentrator Manager for Quick Configuration

This chapter tells you how to complete quick configuration of the system using the VPN Concentrator Manager. Quick configuration supplies the minimal parameters needed to make the VPN Concentrator operational, while the Main menu lets you configure all the features of the VPN 3000 Concentrator.
Figure 3-1 VPN Concentrator Manager Login Screen

Step 3 Log in. Entries are case-sensitive, so type them exactly as shown. With Microsoft Internet Explorer, you can press the Tab key to move from field to field; with other browsers, you might have to change fields with the mouse. If you make a mistake, click Clear and start over.
a. Click in the Login field and type admin.
Starting Quick Configuration

The VPN Concentrator Manager displays the initial configuration screen (see Figure 3-2).

Figure 3-2 VPN Concentrator Manager Initial Configuration Screen

To start quick configuration, click the highlighted link that says click here to start Quick Configuration.
Configuring IP Interfaces

The Manager displays the Configuration | Quick | IP Interfaces screen appropriate to the model you are configuring.

Figure 3-3 Configuration | Quick | IP Interfaces Screen (Model 3005; Models 3015 through 3080)

This screen lets you configure the VPN Concentrator Ethernet interfaces. Model 3005 comes with two Ethernet interfaces. Models 3015–3080 come with three Ethernet interfaces.
• Ethernet 1 (Private) is the interface to your private network (internal LAN).
• Ethernet 2 (Public) is the interface to the public network.
• Ethernet 3 (External), if present, is the interface to an additional LAN.

For the VPN Concentrator to become fully operational, you must configure the two interfaces you physically connected to your network under Connecting Network Cables, page 2-9.
Figure 3-4 Configuration | Quick | IP Interfaces | Ethernet Screen

The screen displays the current parameters, if any, for an Ethernet interface. If you are modifying Ethernet 1, the Manager also displays a caution message.
The MAC Address is the unique hardware MAC (Media Access Control) address for this interface, in 6-byte hexadecimal notation. The screen shows this address only after you first configure an interface, and you cannot change it.

Step 3

Step 4

Step 5 In the Filter field, click the drop-down menu button and select the filter that applies to this interface.
Configuring System Information

The Manager displays the Configuration | Quick | System Info screen.

Figure 3-5 Configuration | Quick | System Info Screen

To configure basic information that identifies your VPN Concentrator on the network, refer to the data you recorded in Table 2-2 as you follow these steps:

Step 1 The system name you entered earlier appears in the System Name field.
Step 5 In the Default Gateway field, enter the IP address or hostname of the system to which the VPN Concentrator should route packets that are not explicitly routed. In other words, if the VPN Concentrator has no IP routing parameters (such as RIP, OSPF, or static routes) that specify where to send packets, it will send them to this gateway.
• Don’t Require Encryption—PPTP connections may use Microsoft encryption to encrypt data (the default). During connection setup, clients may or may not agree to use Microsoft encryption; they will be connected in either case.

Step 3 Check L2TP to enable Layer 2 Tunneling Protocol. (This box is checked by default.
Step 1 Check Client Specified to enable this method, which lets the client specify its own IP address. If you use IPSec, you must check additional boxes, since IPSec does not allow client-specified IP addresses.

Step 2 Check Per User to enable this method, which assigns IP addresses on a per-user basis. If you use an authentication server that has IP addresses configured, we recommend using this method.
You can choose how to authenticate users. You can select the VPN Concentrator internal server or one of three external server types. You must select one server type. You can configure additional authentication servers on the Configuration | System | Servers | Authentication screen using regular system configuration.

Click the drop-down menu button and select the Server Type.
Figure 3-9 Configuration | Quick | Authentication Screen, RADIUS Server

We suggest you accept the default values where available. To configure these parameters for a RADIUS (Remote Authentication Dial-In User Service) authentication server, follow these steps:

Step 1 In the Authentication Server field, enter the hostname or IP address of the external RADIUS server.
NT Domain Server Type

Configure these parameters for an external Windows NT Domain authentication server. We suggest you accept the default values. (See Figure 3-10.
SDI Server Type

Configure these parameters for an external SDI (RSA Security Inc. SecurID) authentication server. We suggest you accept the defaults.

Figure 3-11 Configuration | Quick | Authentication Screen, SDI Server

To configure the parameters for the SDI authentication server, follow these steps:

Step 1 In the Authentication Server field, enter the hostname or IP address of the external SDI server.
Kerberos/Active Directory Server Type

Configure these parameters for an external Windows/Active Directory server or a UNIX/Lynx Kerberos server.
Configuring the Internal Server User Database

The Manager displays the Configuration | Quick | User Database screen. This screen displays only when you select the internal authentication server.

Figure 3-13 Configuration | Quick | User Database Screen

This screen lets you add and remove users in the internal authentication server database.
Step 2 Click << Add.

Step 3 Repeat Steps 1 and 2 for each user. The screen refreshes each time you add a user.

Step 4 To remove a user, select the user in the Current Users list and click Remove >>. The screen refreshes each time you remove a user. There is no confirmation or undo; to reinstate a user, enter the data in Step 1.

Step 5 When you have finished entering users, click Continue to proceed.
Configuring WebVPN Remote Access

The Manager displays the WebVPN Remote Access screen. WebVPN allows remote users to access the corporate network from any computer with an Internet connection to use e-mail, files, or internal websites. This screen allows you to:

• Enable WebVPN (HTTPS) connections
• Enable and configure POP3S, IMAP4S, and SMTPS sessions to use e-mail proxy.
Setting Up the WebVPN Home Page

The Manager displays the WebVPN Home Page screen. This screen allows you to customize the home page that WebVPN users will see when they log in. In this screen you can change the title, add a banner, and configure up to four URLs. This screen appears only if you enabled WebVPN on the Configuration | Quick | Tunneling screen.
Changing Admin Password

The Manager displays the Configuration | Quick | Admin Password screen.

Figure 3-17 Configuration | Quick | Admin Password Screen

This screen lets you change the password for the admin administrator user. For ease of use during startup, the default admin password supplied with the VPN Concentrator is also admin.
Finishing Quick Configuration

The Manager displays the Configuration | Quick | Done screen.

Figure 3-18 Configuration | Quick | Done Screen

You have finished quick configuration, and your entries constitute the active or running configuration. The VPN Concentrator now has enough information, and it is operational.
Figure 3-19 Save Configuration Window

Click OK to close the window. Should you need to restart the VPN Concentrator, it will then boot with your configured parameters. We strongly recommend that, as you configure the VPN Concentrator, you make it a habit to click Save Needed whenever you finish setting parameters on a Manager screen.
Understanding the VPN Concentrator Manager Window

The VPN Concentrator Manager window on your browser consists of three frames—top, left, and main—and it provides helpful messages and tips as you move the mouse pointer over window items. The title bar and status bar also provide useful information.
Mouse pointer and tips: As you move the mouse pointer over an active area, the pointer changes shape and icons change color. A description also appears in the status bar area. If you momentarily rest the pointer on an icon, a descriptive tip appears for that icon.

Top frame (Manager toolbar): The Manager toolbar in the top frame provides quick access to Manager features.
Save Needed: This reminder indicates that you have changed the active configuration. Click on the Save Needed icon to save the active configuration and make it the boot configuration. As you make configuration entries, they take effect immediately and are included in the active, or running, configuration.
Chapter 4 Using the Command-Line Interface for Quick Configuration

This chapter tells you how to complete quick configuration of the system using the VPN 3000 Series command-line interface (CLI). Quick configuration supplies the minimal parameters needed to make the VPN Concentrator operational.
Configuring Ethernet Interfaces

This section describes how to configure the VPN Concentrator Ethernet interfaces.

• Ethernet 1 (Private) is the interface to your private network (internal LAN).
• Ethernet 2 (Public) is the interface to the public network.
• Ethernet 3 (External), if present, is the interface to an additional LAN.
Step 3 The system prompts you for the subnet mask for the Ethernet 2 (Public) interface. The entry in brackets is the standard subnet mask for the IP address you entered above. For example, an IP address of 192.168.12.34 is a Class C address, and the standard subnet mask is 255.255.255.0.

> Enter Subnet Mask for Ethernet 2
Quick -> [ 255.255.255.
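The two rules the manual states about address entry, dotted-decimal IP addresses with optional leading zeros (Data Formats in the Preface) and the classful "standard" subnet mask the CLI offers as its bracketed default (this step), can be checked before anything is typed at the console. The following Python is an added example and is not code from the Cisco manual or from the VPN Concentrator software; the prompt-rendering helper and the sample addresses are constructed for illustration.

```python
# Added example (not from the Cisco manual): parse an IPv4 address in the
# 4-byte dotted decimal notation the VPN Concentrator expects and derive the
# classful "standard" subnet mask that the Quick configuration CLI offers as
# the bracketed default, e.g. 192.168.12.34 -> Class C -> 255.255.255.0.


def parse_dotted_decimal(text):
    """Return the four bytes of a dotted-decimal IPv4 address as ints.

    Leading zeros in a byte position may be omitted (192.168.12.34), as the
    manual's data-format table notes; anything that is not four integers in
    0..255 raises ValueError so a typo is caught before it reaches the device.
    """
    parts = text.strip().split(".")
    if len(parts) != 4:
        raise ValueError("expected 4 dotted-decimal bytes: %r" % text)
    octets = []
    for part in parts:
        if not part.isdigit():
            raise ValueError("non-numeric byte %r in %r" % (part, text))
        value = int(part)
        if value > 255:
            raise ValueError("byte %d out of range in %r" % (value, text))
        octets.append(value)
    return octets


def is_valid_dotted_decimal(text):
    """Boolean form of parse_dotted_decimal for quick input checks."""
    try:
        parse_dotted_decimal(text)
        return True
    except ValueError:
        return False


def address_class(text):
    """Classful category of an address, decided by its first byte."""
    first = parse_dotted_decimal(text)[0]
    if first < 128:
        return "A"
    if first < 192:
        return "B"
    if first < 224:
        return "C"
    return "D/E"  # multicast or reserved: no standard host subnet mask


def standard_subnet_mask(text):
    """The classful subnet mask the CLI proposes as its default.

    Returns None for class D/E addresses, which have no standard mask.
    """
    masks = {"A": "255.0.0.0", "B": "255.255.0.0", "C": "255.255.255.0"}
    return masks.get(address_class(text))


def subnet_mask_prompt(interface, text):
    """Render the CLI prompt with the default in brackets (hypothetical helper
    mirroring the layout of the prompt quoted in the manual)."""
    default = standard_subnet_mask(text) or ""
    return "> Enter Subnet Mask for %s\nQuick -> [ %s ]" % (interface, default)


if __name__ == "__main__":
    # Constructed sample addresses, one per class.
    for ip in ("10.10.0.1", "172.16.5.9", "192.168.12.34"):
        print(ip, "class", address_class(ip), "->", standard_subnet_mask(ip))
    print(subnet_mask_prompt("Ethernet 2", "192.168.12.34"))
```

Pressing Enter at the real prompt accepts the bracketed value, so a Class A or B address entered in Step 2 silently yields a /8 or /16 mask unless you override it; running the helper on your planned addresses shows what that default will be.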
5) Save changes to Config file
6) Continue
7) Exit
Quick -> _

At the cursor, enter the number for Save changes to Config file.

Configuring System Information

To configure basic information that identifies your VPN Concentrator on the network, follow these steps:

Step 1 The system prompts you to assign a system name to the VPN Concentrator.

-- : Assign a system name to this device.
At the cursor, enter the IP address of the default gateway (for example, 10.10.0.1). This address must not be the same as the IP address configured on any VPN Concentrator interface. To specify no default gateway—which means the VPN Concentrator drops unrouted packets—leave this entry blank.
Step 3 The system prompts you to enable or disable L2TP.

1) Enable L2TP
2) Disable L2TP
Quick -> [ 1 ]

At the cursor, enter 2 to disable L2TP, or press Enter to accept the default (1), which enables L2TP.

Step 4 If you enable L2TP, the system prompts you to select the encryption option.

• L2TP Encryption Required—L2TP connections must use Microsoft encryption to encrypt data.
• Per user—a server assigns IP addresses on a per-user basis. If you are using an authentication server that has IP addresses configured, we recommend using this method. (You configure an authentication server in the next section.)
• DHCP (Dynamic Host Configuration Protocol)—a DHCP server assigns IP addresses.
At the cursor, enter 1 to enable configured pool assignment, or press Enter to accept the default (2), disabled. If you enable configured pool, continue with the next two steps; otherwise, skip them.

Step 6 If you enable configured pool address assignment, the system prompts for the starting IP address available in the initial pool.
To bypass this step and continue quick configuration, enter 6. If you enabled IPSec tunneling protocol, skip to the “Configuring the IPSec Group” section on page 4-14; otherwise skip to the “Changing the Admin Password” section on page 4-17.
Step 5 If you specified per-user address assignment, the system prompts you to enter the IP address for this user. This is the IP address assigned to this user as a client.

> User IP Address
Quick -> [ 0.0.0.0 ]

At the cursor, enter the user IP address in dotted decimal notation; for example, 10.10.1.35.
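The prompts above (default gateway, configured pool, per-user address) each state a rule the entry must satisfy, but the CLI checks them one entry at a time. The following added example, which is not code from the guide or from the VPN Concentrator, checks a planned set of values together before you type them: entries must be dotted-decimal IPv4, the default gateway must not equal any interface address and may be blank, a configured pool runs from a start address to an end address, and a per-user address is a single host. It goes beyond the guide on two points, both marked in the code: it also requires the gateway to lie on a directly connected subnet, and it reports pool or per-user addresses that collide with an interface or with each other. The interface addresses and user names in the sample are constructed.

```python
"""Offline consistency checks for VPN 3000 quick-configuration addresses.

Added example; not code from the Cisco guide or the VPN Concentrator.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

IPv4 = ipaddress.IPv4Address


def parse_address(value: str) -> IPv4:
    """Accept only a 4-octet dotted-decimal address, as the Quick -> prompts do."""
    try:
        return ipaddress.IPv4Address(value.strip())
    except ipaddress.AddressValueError as exc:
        raise ValueError(f"{value!r} is not a dotted-decimal IPv4 address") from exc


def check_quick_config(
    interfaces: Dict[str, str],
    default_gateway: Optional[str],
    pool: Optional[Tuple[str, str]] = None,
    user_addresses: Optional[Dict[str, str]] = None,
) -> List[str]:
    """Return the list of problems found; an empty list means the plan is consistent.

    interfaces:      {"private": "10.10.0.2/24", ...}  address/prefix per interface
    default_gateway: dotted-decimal address, or None/"" for no default gateway
    pool:            (first, last) of the configured address pool, or None
    user_addresses:  {"alice": "10.10.1.35", ...} per-user assignments, or None
    """
    problems: List[str] = []

    # Interface addresses are the reference every other check is measured against.
    iface: Dict[str, ipaddress.IPv4Interface] = {}
    for name, cidr in interfaces.items():
        try:
            iface[name] = ipaddress.IPv4Interface(cidr)
        except ValueError:
            problems.append(f"interface {name}: {cidr!r} is not address/prefix")
    iface_addrs = {i.ip for i in iface.values()}

    # Default gateway. Guide rule: must not equal an interface address; blank
    # means unrouted packets are dropped, which is allowed.
    if default_gateway and default_gateway.strip():
        try:
            gw = parse_address(default_gateway)
        except ValueError as exc:
            problems.append(f"default gateway: {exc}")
        else:
            if gw in iface_addrs:
                problems.append(f"default gateway {gw} equals an interface address")
            elif not any(gw in i.network for i in iface.values()):
                # Added check (not in the guide): an off-link gateway is unreachable.
                problems.append(f"default gateway {gw} is not on any interface subnet")

    # Configured address pool. Guide rule: a starting and an ending address.
    pool_range = None
    if pool is not None:
        try:
            first, last = parse_address(pool[0]), parse_address(pool[1])
        except ValueError as exc:
            problems.append(f"pool: {exc}")
        else:
            if first > last:
                problems.append(f"pool start {first} is after pool end {last}")
            else:
                pool_range = (first, last)
                clash = sorted(a for a in iface_addrs if first <= a <= last)
                if clash:
                    # Added check (not in the guide): handing an interface address
                    # to a client creates a duplicate-address conflict.
                    names = ", ".join(str(a) for a in clash)
                    problems.append(f"pool {first}-{last} contains interface address(es) {names}")

    # Per-user addresses. Guide rule: one host address per user.
    seen: Dict[IPv4, str] = {}
    for user, value in (user_addresses or {}).items():
        try:
            addr = parse_address(value)
        except ValueError as exc:
            problems.append(f"user {user}: {exc}")
            continue
        if addr in iface_addrs:
            problems.append(f"user {user}: {addr} is an interface address")
        if pool_range and pool_range[0] <= addr <= pool_range[1]:
            # Added check (not in the guide): a static address inside the pool
            # can also be handed to another client.
            problems.append(f"user {user}: {addr} lies inside the configured pool")
        if addr in seen:
            problems.append(f"user {user}: {addr} is already assigned to {seen[addr]}")
        seen[addr] = user
    return problems


if __name__ == "__main__":
    # Constructed sample values: the gateway and alice's address mirror the
    # guide's examples; the interface addresses and bob are assumptions.
    for line in check_quick_config(
        {"private": "10.10.0.2/24", "public": "192.168.56.2/24"},
        "10.10.0.1",
        ("10.10.1.100", "10.10.1.199"),
        {"alice": "10.10.1.35", "bob": "10.10.1.150"},
    ):
        print("PROBLEM:", line)
```

Run as a script it reports that bob's static address lies inside the pool; fix the plan until the list is empty, then enter the values at the prompts.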
Configuring RADIUS Authentication Server

External RADIUS servers can return group and user authentication parameters that match those on the VPN Concentrator; other authentication servers do not. The VPN Concentrator software CD-ROM includes a trial copy of the CiscoSecure ACS RADIUS authentication server and instructions for using it with the VPN Concentrator.
Configuring NT Domain Authentication Server

To configure an external Windows NT Domain user authentication server, follow these steps:

Step 1 You selected the external Windows NT Domain authentication server, and the system prompts you to enter its IP address.

> NT Domain Server Address
Quick -> _

At the cursor, enter the NT Domain server IP address in dotted decimal notation; for example, 192.168.56.78.
At the cursor, enter the SDI port number; for example, 5500. To have the system supply the default port number (5500), press Enter to accept 0 (the default).

To continue quick configuration, proceed to the next section, “Configuring the IPSec Group,” or to the “Changing the Admin Password” section on page 4-17.
Configuring the IPSec Group

This section appears only if you enable the IPSec tunneling protocol. The remote-access IPSec client connects to the VPN Concentrator using this group name and password, which quick configuration automatically stores on the internal authentication server. This IPSec group is what creates the tunnel; users then log in, and are authenticated, with their individual usernames and passwords. Because every client in the group presents the same group password, treat it as a shared secret: choose it as carefully as an administrator password and distribute it only with the client configuration.
Configuring WebVPN Remote Access

Step 2 The system prompts you to enable or disable POP3S.

1) Enable POP3S
2) Disable POP3S
Quick -> [ 2 ]

At the cursor, enter 1 to enable POP3S, or press Enter to accept the default (2), which disables POP3S. If you enter 1, the system displays the following prompt:

> Set POP3S Default Server
Quick -> _

Enter the IP address of the mail server.
Setting Up the WebVPN Home Page

The following prompts appear only if you enabled WebVPN. (See “Configuring Tunneling Protocols and Options.”) This section describes how to customize the home page that WebVPN users see when they log in. You can change the title, add a banner, and configure up to four URLs.

Step 1 Enter the title to appear on each WebVPN page, for example: My Company Remote Access.
Changing the Admin Password

You can change the password for the admin user. For ease of use during startup, the default admin password supplied with the VPN Concentrator is also admin, so every unit ships with the same well-known credentials. Because the admin user has full access to all management and administration functions on the device, anyone who can reach the console, a Telnet session, or the VPN Concentrator Manager can take control of it until this password is changed; we strongly recommend you change it now, before the device is connected to a production network.
Saving the Active Configuration

The system displays the final quick configuration menu.

1) Goto Main Configuration Menu
2) Save changes to Config file
3) Exit
Quick -> 2

At the cursor, enter 2 to save the active configuration in the system config file.

Exiting the CLI

You are now ready to exit the CLI.

Step 1 The system redisplays the final quick configuration menu.
Chapter 5 Testing the VPN Concentrator

To test whether you can connect to the VPN Concentrator and reach the private network, you do not need to install a software client. You can use either of the following methods:

• On a remote PC, connect to an ISP and use PPTP to create a tunnel through the Internet to the VPN Concentrator’s public interface.
• Connect a PC to the network on the public side of the VPN Concentrator.

PPTP is convenient for this test because the Windows client is built in, but its MS-CHAP authentication and MPPE encryption are now considered weak; use it to verify connectivity, not as your production remote-access protocol.
Testing the VPN Concentrator

Follow these steps to create and test a connection from a Windows 2000 PC client to the VPN Concentrator.

Step 1 On the client PC, choose Start > Settings > Network and Dial-up Connections > Make a New Connection from the Windows 2000 Start menu. The Network Connection Wizard window appears. (See Figure 5-1.)

Figure 5-1 The Network Connection Wizard Window

Step 2 Click Next.
Figure 5-3 Public Network Window

Step 5 Choose Do Not Dial the Initial Connection.

Step 6 Click Next. The Destination Address window appears. (See Figure 5-4.)

Figure 5-4 Destination Address Window

Step 7 Enter the public interface address of your VPN Concentrator.

Step 8 Click Next. The Connection Availability window appears. (See Figure 5-5.)
Figure 5-5 Connection Availability Window

Step 9 Choose For all Users.

Step 10 Click Next. The Completing the Network Connection Wizard window appears. (See Figure 5-6.)

Figure 5-6 Completing the Network Connection Wizard Window

Step 11 Enter a name for the connection, for example: TestVPN.

Step 12 Click Finish. The Connect window appears. (See Figure 5-7.)
Figure 5-7 Connect Window

Step 13 Enter the username you previously added to the internal server user database. (See “Before You Begin.”)

Step 14 Click the Properties button. The Properties dialog box appears.

Step 15 Choose the Networking tab.

Figure 5-8 Properties Dialog Box, Networking Tab

Step 16 Select Point to Point Tunneling Protocol (PPTP) from the Type of VPN Server I am Calling drop-down menu. (See Figure 5-8.)
Figure 5-9 Connection Complete

Step 19 Click OK to dismiss the window. If you receive an error message, check your connections and VPN Concentrator settings, then run the test again.
Appendix A Troubleshooting and System Errors

Appendix A describes common errors that can occur while configuring and using the system, and how to correct them. It also describes LED indicators on the system and its expansion modules.

Files for Troubleshooting

The VPN 3000 Concentrator creates several files that you can examine and that can assist Cisco support engineers when troubleshooting errors and problems:

• Event log
• SAVELOG.
Configuration Files

The VPN Concentrator saves the current boot configuration file (CONFIG) and its predecessor (CONFIG.BAK) as files in flash memory. These files may be useful for troubleshooting. See Administration | File Management | Files for information on managing files in flash memory.
VPN Concentrator Manager Errors

Table A-1 VPN Concentrator Manager Errors (continued)

Symptom: The Manager displays the Invalid Login or Session Timeout screen.
Problem: The Manager session has been idle longer than the configured timeout interval.
Possible cause: No activity for (interval) seconds.
Solution: On the Administration | Access Rights | Access

Symptom: The Manager displays a screen with the message, “Not Allowed/You do not have sufficient authorization to access the specified page.”
Problem: You tried to access an area of the Manager that you do not have authorization to access.
Possible cause: You logged in using
Solution: Log in using the system administrator login name and password.
Command-line Interface Errors

Table A-2 lists errors that might occur while using the menu-based Command-line Interface from a console or Telnet session.

Table A-2 VPN 3000 Concentrator Command-Line Interface Errors

Console message: ERROR:-- Bad IP Address/Subnet Mask/Wildcard Mask/Area ID.
Problem: The system expected a valid 4-byte dotted-decimal entry, and the entry was not in that format.
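The console message in Table A-2 covers four kinds of entry that share one syntax. The following added example, not code from the guide or from the VPN Concentrator, reproduces that syntax check so you can vet an address, subnet mask, wildcard mask or area ID before typing it. The guide requires only a 4-byte dotted-decimal value; the two mask checks (a subnet mask is contiguous ones followed by zeros, a wildcard mask contiguous zeros followed by ones) are an added, stricter assumption, since a non-contiguous mask is almost always a typo even where a parser would accept it. The entries in the sample run are constructed.

```python
"""Validator for the dotted-decimal entries behind the VPN 3000 CLI message
"ERROR:-- Bad IP Address/Subnet Mask/Wildcard Mask/Area ID."

Added example; not code from the Cisco guide or the VPN Concentrator.
"""
from typing import Optional

CLI_ERROR = "ERROR:-- Bad IP Address/Subnet Mask/Wildcard Mask/Area ID."
ENTRY_KINDS = ("ip", "mask", "wildcard", "area")


def parse_dotted_quad(entry: str) -> int:
    """Return the 32-bit value of a 4-byte dotted-decimal entry.

    Raises ValueError for anything else: wrong number of fields, non-numeric
    fields, or an octet outside 0-255. Leading/trailing whitespace is ignored,
    as a console reader would ignore it; whitespace inside the entry is not.
    """
    fields = entry.strip().split(".")
    if len(fields) != 4:
        raise ValueError(f"{entry!r}: expected four dotted-decimal fields")
    value = 0
    for field in fields:
        if not (field.isdigit() and 1 <= len(field) <= 3):
            raise ValueError(f"{entry!r}: field {field!r} is not a decimal octet")
        octet = int(field)
        if octet > 255:
            raise ValueError(f"{entry!r}: octet {octet} exceeds 255")
        value = (value << 8) | octet
    return value


def to_dotted_quad(value: int) -> str:
    """Inverse of parse_dotted_quad for a 32-bit value."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def is_subnet_mask(value: int) -> bool:
    """True for ones followed by zeros (255.255.255.0, also 0.0.0.0 and 255.255.255.255)."""
    inverted = ~value & 0xFFFFFFFF
    return inverted & (inverted + 1) == 0


def is_wildcard_mask(value: int) -> bool:
    """True for zeros followed by ones (0.0.0.255): the bitwise inverse of a subnet mask."""
    return value & (value + 1) == 0


def validate_entry(kind: str, entry: str) -> Optional[str]:
    """Check one CLI entry; kind is 'ip', 'mask', 'wildcard' or 'area'.

    Returns None when the entry is acceptable, otherwise a message that starts
    with the console's error text and says what was wrong. The contiguity
    rules for 'mask' and 'wildcard' are this example's assumption, not the guide's.
    """
    if kind not in ENTRY_KINDS:
        raise ValueError(f"unknown entry kind {kind!r}")
    try:
        value = parse_dotted_quad(entry)
    except ValueError as exc:
        return f"{CLI_ERROR} {exc}"
    if kind == "mask" and not is_subnet_mask(value):
        return f"{CLI_ERROR} {entry!r} is not a contiguous subnet mask"
    if kind == "wildcard" and not is_wildcard_mask(value):
        return f"{CLI_ERROR} {entry!r} is not a contiguous wildcard mask"
    return None


def prefix_length(mask: str) -> int:
    """255.255.255.0 -> 24; rejects non-contiguous masks."""
    value = parse_dotted_quad(mask)
    if not is_subnet_mask(value):
        raise ValueError(f"{mask!r} is not a contiguous subnet mask")
    return bin(value).count("1")


def wildcard_for(mask: str) -> str:
    """The OSPF wildcard mask that pairs with a subnet mask: 255.255.255.0 -> 0.0.0.255."""
    return to_dotted_quad(~parse_dotted_quad(mask) & 0xFFFFFFFF)


if __name__ == "__main__":
    # Constructed entries: one good and one bad of each kind.
    for kind, entry in [("ip", "10.10.0.1"), ("ip", "10.10.0"),
                        ("mask", "255.255.255.0"), ("mask", "255.255.0.255"),
                        ("wildcard", "0.0.0.255"), ("wildcard", "255.255.255.0"),
                        ("area", "0.0.0.0"), ("area", "0.0.0.256")]:
        print(f"{kind:8} {entry:16} {validate_entry(kind, entry) or 'OK'}")
```

The console message itself does not say which of the four rules the entry broke; the message returned here does, which is the check you want when an OSPF area configuration is rejected and the offending field is not obvious.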
LED Indicators

VPN Concentrator (front) LEDs

The LEDs on the front of the VPN 3000 Concentrator are as follows:

System LED
  Green: Power on. Normal.
  Amber: System has crashed and halted. Error.
  Off: Power off. (All other LEDs are also off.)
  Blinking Green (Model 3005 only): System is in a shutdown (halted) state, ready to power off.

The LEDs below exist only on Models 3015–3080.

Ethernet Link Status 1, 2, 3
  Green: Connected to network and enabled.
VPN Concentrator Rear LEDs

The LEDs on the rear of the VPN 3000 Concentrator are as follows:

Link
  Green: Carrier detected. Normal.
  Amber: NA
  Off: No carrier detected. Error.

Tx
  Green: Transmitting data. Normal. Intermittent on.
  Amber: NA
  Off: Not transmitting data. Idle. Intermittent off.

Coll
  Green: NA
  Amber: Data collisions detected.
  Off: No collisions. Normal.

100
  Green: Speed set at 100 Mbps.
  Amber: NA
  Off: Speed set at 10 Mbps.
Appendix B Copyrights, Licenses, and Notices

Software License Agreement of Cisco Systems, Inc.

CISCO SYSTEMS, INC. IS WILLING TO LICENSE TO YOU THE SOFTWARE CONTAINED IN THE ACCOMPANYING CISCO PRODUCT ONLY IF YOU ACCEPT ALL OF THE TERMS AND CONDITIONS IN THIS LICENSE AGREEMENT. PLEASE READ THIS AGREEMENT CAREFULLY BEFORE YOU OPEN THE PACKAGE BECAUSE, BY OPENING THE SEALED PACKAGE, YOU ARE AGREEING TO BE BOUND BY THE TERMS AND CONDITIONS OF THIS AGREEMENT.
4. You may permanently transfer the Software and accompanying written materials (including the most recent update and all prior versions) only in conjunction with a transfer of the entire Cisco product, and only if you retain no copies and the transferee agrees to be bound by the terms of this Agreement. Any transfer terminates your license.
Limited Warranty

11. Cisco Systems warrants that the Software will perform substantially in accordance with the accompanying written materials for a period of 90 days from the date of your receipt of the Software. Any implied warranties on the Software are limited to 90 days. Some states do not allow limitations on duration of an implied warranty, so the above limitation may not apply to you.

12.
Other Licenses

The VPN 3000 Concentrator Series contains and uses software from other firms, under license. Relevant copyright and license notices follow.

BSD Software

Copyright © 1990, 1993 The Regents of the University of California. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1.
THIS SOFTWARE IS PROVIDED BY THE INTERNET SOFTWARE CONSORTIUM AND CONTRIBUTORS “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.

THE SOFTWARE IS PROVIDED “AS IS” AND DIGITAL EQUIPMENT CORP. DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS.

NRL LICENSE

NRL grants permission for redistribution and use in source and binary forms, with or without modification, of the software and documentation created at NRL provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2.

MPPC-C v4

Copyright © 1996-1998 by Hi/fn, Inc. Includes one or more U.S. Patent numbers: 4701745, 5016009, 5126739, 5146221, 5414425, and 5463390. Other Patents Pending.

Outline Style Table of Contents in JavaScript

OUTLINE STYLE TABLE OF CONTENTS in JAVASCRIPT, Version 3.0 by Danny Goodman (dannyg@dannyg.

CMU DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO EVENT SHALL CMU BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
Modified for KA9Q Internet Software Package by Katie Stevens (dkstevens@ucdavis.edu), University of California, Davis, Computing Services
  - 01-31-90  initial adaptation (from 1.19)
  PPP.05  02-15-90  [ks]
  PPP.08  05-02-90  [ks]  use PPP protocol field to signal compression
  PPP.15  09-90     [ks]  improve mbuf handling
  PPP.16  11-02     [karn]  substantially rewritten to use NOS facilities
  - Feb 1991  Bill_Simpson@um.cc.umich.
Regulatory Standards Compliance

Specification: Description
EMC: FCC Part 15 (CFR 47) Class A; ICES-003 Class A; EN55022 Class A; CISPR22 Class A; AS/NZS 3548 Class A; VCCI Class A; EN55024; ETS300 386-2; EN50082-1; EN61000-3-2; EN61000-3-3
Telecom (E1): CTR 12/13; ACA TS016
Telecom (T1): US FCC Part 68; Canadian CS03; JATE Green Book

FCC Part 68 Notice

The equipment complies with Part 68 of the FCC rules.
CS-03 Certification

The equipment is CS-03 certified. Refer to Table B-1 for CS03 approval details for equipment. Observe the following general information and safety precautions: The Industry Canada label identifies CS-03 certified equipment.

EMC Environmental Conditions for Product to be Installed in the European Union

This equipment is intended to operate under the following environmental conditions with respect to EMC:

• A separate defined location under user’s control.
• Earthing and bonding shall meet the requirements of ETS 300 253 or CCITT K27.

Japan (VCCI) Class A Warning

Translation: This is a Class A product based on the standard of the Voluntary Control Council for Interference by Information Technology Equipment (VCCI). If this equipment is used in a domestic environment, radio disturbance may arise. When such trouble occurs, the user may be required to take corrective actions.