3-10

VPN 3002 Hardware Client Getting Started

OL-2854-01

Chapter 3: Using the VPN 3002 Hardware Client Manager for Quick Configuration

Configuring the Public Interface

Step 8

If you specify an IP address, in the Default Gateway field, enter the IP address or hostname of the system 
to which the VPN 3002 should forward packets that do not have a static route. The default gateway must 
be accessible from the VPN 3002 public network. If you are using DHCP to acquire the public IP 
address, DHCP usually supplies the default gateway, and you should leave this field blank.

To specify no default gateway—which means the VPN 3002 drops unrouted packets—leave this field at 
0.0.0.0.

Step 9

Click Continue to apply your choices to the interface and proceed. Click Back to return to the 
Configuration | Quick | Private Interface screen.

See the sections that follow for more information about DHCP, PPPoE, and static addressing.

DHCP

Dynamic Host Configuration Protocol (DHCP) is a communications protocol that lets IP hosts in its 
network automatically obtain IP addresses from a limited pool of addresses for a fixed length of time, or 
lease period. Using DHCP simplifies configuration since you can manage the assignment of IP addresses 
from a central point. You do not need to manually enter an IP address for the public interface, and you 
do not need to know what IP addresses are considered valid on a particular network.

The DHCP server for the Public interface resides on the public network. 

PPPoE

PPP over Ethernet (PPPoE) is a proposal that specifies how a network client interacts with a service 
provider’s equipment, such as a broadband modem—xDSL, cable, or wireless—to achieve access to 
high-speed data networks. It relies on the Ethernet and PPP standards. It includes an authentication 
strategy that requires a username and password to create a PPPoE session on the VPN 3002.

If a PPPoE session fails due to a PPP authentication failure, the VPN 3002 does not attempt a new session 
until 30 seconds have passed.

Specify an IP address

This option enables you to set a static IP address, subnet mask, and default gateway for the public 
interface.
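
A pre-flight check for the static values entered in Step 8 and under "Specify an IP address", as an added example that is not part of the Cisco guide. It assumes that "accessible from the VPN 3002 public network" means the gateway sits on the public interface's own subnet; `check_public_interface` and the sample addresses are constructed for illustration.

```python
import ipaddress

# The guide: leaving the Default Gateway field at 0.0.0.0 means "no default
# gateway", so the VPN 3002 drops packets that match no static route.
NO_GATEWAY = ipaddress.IPv4Address("0.0.0.0")


def check_public_interface(ip, mask, gateway="0.0.0.0"):
    """Validate planned static settings for the public interface.

    Returns {"errors": [...], "warnings": [...]}. Errors are values that
    cannot work as entered; warnings are legal values with a side effect
    the operator should have chosen deliberately.
    """
    errors, warnings = [], []

    # ipaddress accepts dotted-decimal masks and rejects non-contiguous ones.
    try:
        iface = ipaddress.IPv4Interface(f"{ip.strip()}/{mask.strip()}")
    except ValueError as exc:
        return {"errors": [f"invalid IP address or subnet mask: {exc}"],
                "warnings": []}

    net = iface.network
    reserved = ()
    if net.prefixlen < 31:
        reserved = (net.network_address, net.broadcast_address)
    if iface.ip in reserved:
        errors.append(f"{iface.ip} is the network or broadcast address of {net}")

    gateway = gateway.strip()
    if not gateway:
        # The guide leaves the field blank only when DHCP supplies the gateway.
        warnings.append("gateway field is blank; the guide expects this only "
                        "when DHCP assigns the public address")
        return {"errors": errors, "warnings": warnings}

    try:
        gw = ipaddress.IPv4Address(gateway)
    except ValueError:
        # The field also takes a hostname; that cannot be checked offline.
        warnings.append(f"gateway '{gateway}' is a hostname; reachability "
                        "from the public network was not verified")
        return {"errors": errors, "warnings": warnings}

    if gw == NO_GATEWAY:
        warnings.append("no default gateway: packets without a static route "
                        "will be dropped")
    elif gw == iface.ip:
        errors.append("gateway is the interface's own address")
    elif gw not in net:
        # Assumption: "accessible from the public network" means on-link.
        errors.append(f"gateway {gw} is not on the public subnet {net}")
    elif gw in reserved:
        errors.append(f"gateway {gw} is the network or broadcast address of {net}")

    return {"errors": errors, "warnings": warnings}


if __name__ == "__main__":
    # Constructed sample plans: (IP address, subnet mask, default gateway).
    plans = [
        ("10.10.4.6", "255.255.0.0", "10.10.0.1"),
        ("10.10.4.6", "255.255.255.0", "10.10.0.1"),
        ("10.10.4.6", "255.255.0.0", "0.0.0.0"),
        ("10.10.4.6", "255.0.255.0", "10.10.0.1"),
    ]
    for plan in plans:
        print(plan, check_public_interface(*plan))
```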

Summary of Contents for 3002

Page 1: ...co Systems Inc 170 West Tasman Drive San Jose CA 95134 1706 USA http www cisco com Tel 408 526 4000 800 553 NETS 6387 Fax 408 526 4100 VPN 3002 Hardware Client Getting Started Release 3 6 August 2002 Text Part Number OL 2854 01 ...

Page 2: ...S INCLUDING WITHOUT LIMITATION LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES VPN 3002 Hardware Client Getting Started Copyright 2002 Cisco Systems Inc All rights reserved CCIP the Cisco Powered Network mark the Cisco Systems Verified logo Cisco Unity Follow Me Browsin...

Page 3: ...ring Documentation xiv Documentation Feedback xiv Obtaining Technical Assistance xv Cisco com xv Technical Assistance Center xv Cisco TAC Web Site xvi Cisco TAC Escalation Center xvi C H A P T E R 1 Understanding the VPN 3002 Hardware Client 1 1 VPN 3002 Hardware Client or VPN Client Software 1 1 Hardware Features 1 1 Client Mode and Network Extension Mode 1 2 Online Technical Snapshot Explains PA...

Page 4: ...Injection RRI 1 12 AES with Diffie Hellman Group 5 1 13 Management Interfaces 1 13 VPN Software Features Summary 1 14 Physical Specifications 1 15 C H A P T E R 2 Installing and Powering Up the VPN 3002 2 1 Preparing to Install 2 1 Configuring and Managing the VPN 3002 2 1 Browser Requirements 2 1 JavaScript and Cookies 2 2 Navigation Toolbar 2 2 Recommended PC Monitor Display Settings 2 2 Unpacki...

Page 5: ...hot Explains PAT and Network Extension Modes 3 13 Client Mode PAT 3 13 Client Mode with Split Tunneling 3 14 VPN Concentrator Settings Required for PAT 3 14 Network Extension Mode 3 14 Network Extension Mode per Group 3 15 Network Extension Mode with Split Tunneling 3 15 VPN Concentrator Settings Required for Network Extension Mode 3 15 Tunnel Initiation 3 16 Tunnel Initiation with Interactive Uni...

Page 6: ...Concentrator Settings Required for Network Extension Mode 4 14 Enabling or Disabling PAT 4 14 Configuring DNS 4 15 Configuring Static Routes 4 15 Adding a Static Route 4 15 Deleting a Static Route 4 17 Changing admin Password 4 17 Completing Quick Configuration 4 18 What Next 4 18 A P P E N D I X A Troubleshooting and System Errors A 1 Files for Troubleshooting A 1 Event Logs A 1 Crash Dump File A...

Page 7: ... VPN 3002 Hardware Client Getting Started OL 2854 01 Not Allowed Message A 8 Not Found A 9 Microsoft Internet Explorer Script Error No such interface supported A 10 Command Line Interface Errors A 10 A 10 I N D E X ...

Page 8: ...Contents viii VPN 3002 Hardware Client Getting Started OL 2854 01 ...

Page 9: ... private networks and VPN devices might be new to you You should be familiar with Windows system configuration and management and you should be familiar with Microsoft Internet Explorer or Netscape Navigator or Communicator browsers Organization This guide is organized as follows Chapter Title Description Chapter 1 Understanding the VPN 3002 Hardware Client Summarizes the hardware and software fea...

Page 10: ...s Concentrator Reference Volume I Configuration explains how to start and use the VPN Concentrator Manager It details the Configuration screens and explains how to configure your device beyond the minimal parameters you set during quick configuration The VPN 3000 Series Concentrator Reference Volume II Administration and Monitoring provides guidelines for administering and monitoring the VPN Conce...

Page 11: ... distribution CD ROM in PDF format The VPN Client documentation is included on the VPN Client software distribution CD ROM also in PDF format To view the latest versions on the Cisco web site click the Support icon on the toolbar at the top of the VPN Concentrator Manager Hardware Client Manager or Client window To open the documentation you need Acrobat Reader 3 0 or later version 4 5 is included...

Page 12: ...ul Cautions alert you to actions or conditions that could result in equipment damage or loss of data Convention Description boldface font Commands and keywords are in boldface italic font Arguments for which you supply values are in italics screen font Terminal sessions and information the system displays are in screen font boldface screen font Information you must enter is in boldface screen font...

Page 13: ... 6 byte hexadecimal notation for example 00 10 5A 1F 4F 07 Hostnames Hostnames use legitimate network hostname or end system name notation for example VPN01 Spaces are not allowed A hostname must uniquely identify a specific system on a network Text Strings Text strings use upper and lower case alphanumeric characters Most text strings are case sensitive for example simon and Simon represent diffe...

Page 14: ...ed Cisco com users Cisco direct customers can order Cisco product documentation from the Networking Products MarketPlace http www cisco com cgi bin order order_root pl Registered Cisco com users can order the Documentation CD ROM through the online Subscription Store http www cisco com go subscription Nonregistered Cisco com users can order documentation through a local account representative by c...

Page 15: ...e Register for online skill assessment training and certification programs If you want to obtain customized information and service you can self register on Cisco com To access Cisco com go to this URL http www cisco com Technical Assistance Center The Cisco Technical Assistance Center TAC is available to all customers who need technical assistance with a Cisco product technology or solution Two l...

Page 16: ...C Web Site you can open a case online by using the TAC Case Open tool at this URL http www cisco com tac caseopen If you have Internet access we recommend that you open P3 and P4 cases through the Cisco TAC Web Site Cisco TAC Escalation Center The Cisco TAC Escalation Center addresses priority level 1 or priority level 2 issues These classifications are assigned when severe network degradation sig...

Page 17: ...e to PCs at remote locations Like the software client the VPN 3002 is located at a remote site and provides a secure connection to a VPN Concentrator at a central site It is important to understand that it is a hardware client and that you configure it as a client of the central site VPN Concentrator not as a site to site connection Reasons to use the VPN 3002 rather than the software client inclu...

Page 18: ...load index cgi P1_Prod_Version ShockwaveFlash Client Mode PAT Client mode also called Port Address Translation PAT mode isolates all devices on the VPN 3002 private network from those on the corporate network In PAT mode IPSec encapsulates all traffic going from the private network of the VPN 3002 to the network s behind the Internet Key Exchange IKE peer that is the central site VPN Concentrator ...

Page 19: ...ver the tunnel and only over the tunnel and vice versa The VPN 3002 must initiate the tunnel but after the tunnel is up either side can initiate data exchange In this mode the central site VPN Concentrator does not assign an IP address for tunneled traffic as it does in Client PAT mode The tunnel is terminated with the VPN 3002 private IP address the assigned IP address To use Network Extension mo...

Page 20: ...oth NAT and PAT devices and firewalls Note This feature does not work with proxy based firewalls The VPN 3002 Hardware Client which supports one tunnel at a time can connect using standard IPSec IPSec over NAT T IPSec over TCP or IPSec over UDP but only one for the same tunnel To use IPSec over TCP both the VPN 3002 and the VPN Concentrator to which it connects must Be running version 3 5 or later...

Page 21: ...o which the VPN 3002 belongs For an example refer to the VPN 3000 Concentrator Manager Configuration User Management Groups IPSec tab use the VPN Concentrator Manager Help or refer to VPN 3000 Concentrator Series Reference Volume I Configuration Note We do not currently support a topology with multiple VPN 3002 Hardware Clients behind one NAT device Additional Software Features The VPN 3002 softwa...

Page 22: ...dual user authentication protects the central site from access by unauthorized persons on the same private LAN as the VPN 3002 When you enable individual user authentication each user that connects through a VPN 3002 must open a web browser and manually enter a valid username and password to access the network behind the VPN Concentrator even though the tunnel already exists The VPN 3002 directs t...

Page 23: ...r policy to the VPN 3002 hardware clients in the group Figure 1 1 illustrates how the backup server feature works Figure 1 1 Backup Server Implementation XYZ corporation has large sites in three cities San Jose California Austin Texas and Boston Massachusetts They just opened a regional sales office in Fargo North Dakota To provide access to the corporate network from Fargo they use a VPN 3002 tha...

Page 24: ... of each other If you change the configuration of backup servers or delete a backup server during an active session between a VPN 3002 and a backup server the session continues without adopting that change New settings take effect the next time the VPN 3002 connects to its primary VPN Concentrator You can configure the backup server feature from the primary VPN Concentrator or the VPN 3002 From th...

Page 25: ...ns use this standard to effect real time audio video and data communications It lets the VPN 3002 support Microsoft NetMeeting Figure 1 2 is a network diagram that illustrates H 323 services the VPN 3002 supports H 323 requires no configuration on the VPN 3002 Figure 1 2 H 323 Network Example 78453 Corporate Network GateKeeper A Zone 2 GateKeeper B Zone 1 ILS PC 5 Gateway POTS_1 POTS_2 VPN 3000 Co...

Page 26: ...ous calls between two or more endpoints For example PC 1 can call PC3 at the same time that a call from PC 2 to PC 4 and PC 5 is in progress ILS Internet Locator Directory Services Microsoft software that uses the LDAP protocol to provide registration and status management for H 323 endpoints ILS services must reside on the corporate network Multiple PCs behind the same VPN 3002 cannot register to...

Page 27: ... value to a shorter time period We recommend 15 minutes Use the endpoint ttl command on the Cisco GateKeeper to set this value RADIUS with Password Expiry RADIUS with password expiry is an IPSec authentication method that you configure for a VPN 3002 on on the VPN Concentrator to which it connects This option lets the VPN Concentrator that is attempting to authenticate an IPSec client to an extern...

Page 28: ... and restore statistical data to better note changes in that data When you click Reset on a monitoring or administration screen the system temporarily resets a counter for the chosen statistics without affecting the operation of the VPN 3002 You can then view statistical information without affecting the actual current values of the counters or other management sessions The function is like that o...

Page 29: ...figuration on the VPN Concentrator Management Interfaces The VPN 3002 offers multiple management interfaces You can use each of these interfaces to fully configure administer and monitor the device The VPN 3002 Hardware Client Manager is an HTML based interface that lets you manage the system remotely with a standard web browser using one of the following HTTP connections HTTPS HTTP over SSL secur...

Page 30: ...ect to the VPN Concentrator using standard IPSec NAT T IPSec over TCP or IPSec over UDP Encryption algorithms 56 bit DES Data Encryption Standard 168 bit Triple DES 128 192 and 256 bit AES Authentication algorithms HMAC hashed message authentication coding with MD5 message digest 5 HMAC with SHA 1 secure hash algorithm Key management IKE Internet Key Exchange formerly called ISAKMP Oakley with Dif...

Page 31: ...ng Event logging and notification via system console syslog and SNMP traps SNMP MIB II support System status Session data Extensive statistics VPN Feature Description Width 8 85 inches 22 48 cm Depth 7 inches 17 78 cm Height 2 12 inches 5 38 cm Weight 2 25 lbs 1 02 kg External power supply Input 100 to 240 VAC at 50 60 Hz autosensing Output 3 3 v 4 amps Temperature Normal operating environment 32o...

Page 32: ...1 16 VPN 3002 Hardware Client Getting Started OL 2854 01 Chapter 1 Understanding the VPN 3002 Hardware Client Physical Specifications ...

Page 33: ... the sides and top Standard UTP STP twisted pair network cables Category 5 with RJ 45 8 pin modular connectors Cisco supplies two with the system A standard straight through RJ 45 serial cable with a female DB 9 connector which Cisco supplies with the system Configuring and Managing the VPN 3002 You can configure and manage the VPN 3002 using the command line interface from the console or a Telnet...

Page 34: ...r Display Settings For ease of use we recommend setting your monitor or display Desktop area 1024 x 768 pixels or greater Minimum 800 x 600 pixels Color palette 256 colors or higher Unpacking The VPN 3002 Hardware Client ships with the listed in Table 2 1 Carefully unpack your device and check your contents against this list Table 2 1 VPN 3002 Hardware Client Packing List Quantity Item 1 CVPN 3002...

Page 35: ...e on the back of the VPN 3002 and their respective public and private network hub switch or device The interfaces are left to right Public the VPN 3002 interface to the public network Private the VPN 3002 interface to your private network internal LAN Powering Up Power up the PC console and the VPN 3002 in the following sequence Step 1 Turn on the PC console Step 2 If you want to use the command l...

Page 36: ...itializing Decompressing loading image Verifying image checksum Active image loaded and verified Starting loaded image Starting power up diagnostics pSH Copyright c Integrated Systems Inc 1992 Cisco Systems Inc VPN 3002 Hardware Client Version 3 0 REL Feb 02 2001 09 53 35 Features Initializing VPN 3002 Hardware Client Initialization Complete Waiting for Network Login _ Beginning Quick Configuratio...

Page 37: ... VPN 3002 is to accept default values for all parameters that have default values The next sections on PAT mode and Network Extension mode list the information you need if you use default values for quick configuration PAT Mode For PAT mode if you accept default values for all parameters you need The IKE peer address which is the public IP address of the VPN Concentrator to which this VPN 3002 con...

Page 38: ... default is Private IP address 1 to Private IP address 127 Public Interface One of the following If statically assigned the IP address subnet mask and default gateway for the VPN 3002 interface to the public network If you use DHCP to obtain an IP address a system name also called a hostname If you use PPPoE to connect to a public network a PPPoE username and password IPSec If you use digital cert...

Page 39: ... figures that follow show only the main frame of the Manager window To use features in the other frames see the Understanding the VPN 3002 Hardware Client Manager Window section Logging into the VPN 3002 Hardware Client Manager Access and log into the VPN 3002 Hardware Client Manager using these steps Step 1 Start the browser See the Browser Requirements section We recommend using Microsoft Intern...

Page 40: ...reen Step 3 Log in Entries are case sensitive so type them exactly as shown With Microsoft Internet Explorer you can click the Tab key to move from field to field with other browsers you may have to change fields with the mouse If you make a mistake click the Clear button and start over Click in the Login field and type admin Do not press Enter Click in the Password field and type admin The field ...

Page 41: ...ss the Tab key to move from field to field other browsers may work differently On any screen where it appears click the Back button to return to the previous screen Configuration entries take effect as soon as you click the Apply or Continue button and they constitute the active or running configuration The banner across the top of the screen indicates the parameter currently displayed both by sho...

Page 42: ...olbar to prevent mistakes while using the VPN Hardware Client Manager Setting the Time and Date The Manager displays the Configuration Quick Time and Date screen Figure 3 3 VPN 3002 Configuration Quick Time and Date Screen This screen lets you set the time and date on this device Step 1 The screen shows the current time and date on the device The values in the New Time fields are the time on the b...

Page 43: ...stem accessible to your PC to the VPN 3002 flash memory Step 1 If you do not want to upload a configuration file click No and continue to the next section Step 2 To upload an already existing configuration file click Yes The Manager displays the Configuration Quick Upload Config Browse screen Figure 3 5 VPN 3002 Configuration Quick Upload Config Browse Screen Step 1 In the Config File field either...

Page 44: ...erface that you are currently using to connect to the VPN 3002 you will break the connection and you will have to restart the Manager and quick configuration from the login screen Step 1 To reconfigure the IP address for the private interface select Yes The Manager displays the Configuration Quick Private Interface Address screen See Figure 3 7 and perform the steps in that section Step 2 To use t...

Page 45: ... address and the standard subnet mask is 255 255 255 0 You can accept this entry or change it Step 3 Click Continue to save your changes You must now restart the Manager and quick configuration from the login screen Click Back if you don t want to save your changes You return to the Configuration Quick Private Interface screen Configuration Quick Private Interface DHCP Server The Configuration Qui...

Page 46: ...of IP addresses that this DHCP server can assign using dotted decimal notation for example 10 10 99 51 10 10 99 178 Be sure no other device is using these addresses on the network The default address pool is 127 IP addresses and the start of the range is next IP address after that of the private interface You can configure another range of IP addresses for the pool but in no case can the pool have...

Page 47: ...e Point to Point Protocol over Ethernet PPPoE establish the connection between the VPN 3002 and the central site VPN Concentrator select Use PPPoE to connect to a public network Step 4 For a PPPoE connection enter the PPPoE username and password Verify the password by reentering it The maximum number of characters for either username or password is 64 Step 5 To assign a static IP address subnet ma...

Page 48: ...ommunications protocol that lets IP hosts in its network automatically obtain IP addresses from a limited pool of addresses for a fixed length of time or lease period Using DHCP simplifies configuration since you can manage the assignment of IP addresses from a central point You do not need to manually enter an IP address for the public interface and you do not need to know what IP addresses are c...

Page 49: ...on the VPN Concentrator to which this VPN 3002 connects Step 3 Enter the IPSec over TCP port number You can enter only one port The port that you configure on this VPN 3002 must also be configured on the VPN Concentrator to which this VPN 3002 connects Note If you enter a well known port for example port 80 HTTP or port 443 HTTPS the system displays a warning to notify you that the protocol associ...

Page 50: ...or the user in this group maximum is 32 characters case sensitive This is the same username that you configure for this VPN 3002 on the central site VPN Concentrator Step 10 In the User Password field enter the password for this user maximum is 32 characters This is the same user password that you configure for the VPN 3002 on the central site VPN Concentrator Step 11 In the User Verify field reen...

Page 51: ...r more information about PAT and Network Extension mode Online Technical Snapshot Explains PAT and Network Extension Modes To view a brief interactive multimedia piece that explains the differences between the two modes go to this url http www cisco com mm techsnap VPN3002_techsnap html Your web browser must be equipped with a current version of the Macromedia Flash Player to view the content If y...

Page 52: ...cted to the VPN 3002 private interface to the assigned IP address of the public interface and also keeps track of these mappings so that it can forward replies to the correct device The network and addresses on the private side of the VPN 3002 are hidden and cannot be accessed directly VPN Concentrator Settings Required for PAT For the VPN 3002 to use PAT you must meet these requirements for the c...

Page 53: ...llow network extension mode which is the default setting on the VPN Concentrator the VPN 3002 can connect to that VPN Concentrator in PAT mode only In this case be careful that all VPN 3002s in the group are configured for PAT mode If a VPN 3002 is configured to use network extension mode and the VPN Concentrator to which it connects disallows network extension mode the VPN 3002 will attempt to co...

Page 54: ...rypted data streams to the internet In PAT mode the tunnel establishes when data passes to the VPN Concentrator or when you click Connect Now in the Monitoring System Status screen In Network Extension mode the VPN 3002 automatically attempts to establish a tunnel to the VPN Concentrator Tunnel Initiation with Interactive Unit Authentication In either Client or Network Extension mode when you enab...

Page 55: ...nfigure and manage the VPN 3002 While hostnames are easier to remember using IP addresses avoids problems that might occur with the DNS server offline or congested If you use a hostname to identify the central site VPN Concentrator you must configure a DNS server on the VPN 3002 see Configuration System Servers DNS Step 1 In the DNS Server field enter the IP address of your local DNS server using ...

Page 56: ...s that have been configured The format is destination network address subnet mask outbound destination Figure 3 14 Configuration Quick Static Routes Screen You use this screen to add or delete static routes for IP routing Step 1 Click Add to add a route to the routing table The Manager displays the Configuration Quick Static Routes Add screen Step 2 To delete a route select it and click Delete The...

Page 57: ...pt this entry or change it Step 3 In the Metric field enter the cost for this route Use a number from 1 to 16 where 1 is the lowest cost The routing subsystem always tries to use the least costly route For example if a route uses a low speed line you might assign a high metric so the system will use it only if all high speed routes are unavailable Step 4 In the Destination Router Address or Interf...

Page 58: ...lso admin Since the admin user has full access to all management and administration functions on the device we strongly recommend you change this password to improve device security You can further configure all administrator users on the regular Administration Access Rights Administrators Manager screen Step 1 In the Password field enter a new password For maximum security the password should be ...

Page 59: ...e active or running configuration This configuration has now been saved as the boot configuration The VPN 3002 now has enough information and it is operational The VPN 3002 can now establish a secure VPN tunnel to the central site VPN Concentrator What Next Now that the VPN 3002 is operational you can Explore the Manager window and other VPN 3002 functions see the Using Other VPN 3002 Hardware Cli...

Page 60: ... event logs on this device Save Save Needed Saves the active configuration and makes it the boot configuration Main Returns to the main Manager screen Help Opens another browser window and lets you view online help for the current Manager screen Support Opens a Manager screen with links to Cisco support and documentation resources Logout Logs out of this Manager session and returns to the login sc...

Page 61: ...rovides helpful messages and tips as you move the mouse pointer over window items The title bar and status bar also provide useful information Figure 3 18 VPN 3002 Hardware Client Manager Window Title bar Top frame Manager toolbar Left frame Table of contents Main frame Manager screen Status bar Title bar The title bar at the top of the browser window includes the VPN 3002 device name or IP addres...

Page 62: ...k the Logout tab to log out of the Manager and return to the login screen Logged in username The administrator username you used to log in to this Manager session Click the Configuration tab to go to the main Configuration screen to open the first level of subordinate Configuration pages in the left frame if they are not already open and to close any open Administration or Monitoring pages in the ...

Page 63: ... in the Monitoring section Restore Click the Restore icon to restore the screen contents to their status prior to when you last clicked the Reset icon Click the Cisco Systems logo to open a browser and go to the Cisco com web site www cisco com Left frame Table of Contents On Manager screens the left frame provides a table of contents The table of contents uses the familiar Windows Explorer metaph...

Page 64: ...3 26 VPN 3002 Hardware Client Getting Started OL 2854 01 Chapter 3 Using the VPN 3002 Hardware Client Manager for Quick Configuration Understanding the VPN 3002 Hardware Client Manager Window ...

Page 65: ...est to configure its parameters in sequence you can set and revisit parameters in whatever order you choose Entries are case sensitive for example admin and ADMIN are different passwords The system displays more tips and examples than appear in the dialog here The system shows current or default entries in brackets for example 10 10 4 6 After each entry press the Enter key on the console keyboard ...

Page 66: ...ading image Verifying image checksum Active image loaded and verified Starting loaded image Starting power up diagnostics pSH Copyright c Integrated Systems Inc 1992 Cisco Systems Inc VPN 3002 Hardware Client Version 3 0 REL Feb 02 2001 09 53 35 Features Initializing VPN 3002 Hardware Client Initialization Complete Waiting for Network Login _ Step 2 At the cursor enter the login name admin At the ...

Page 67: ... 24 p m as 16 24 00 Step 2 The system prompts you to set the date The number in brackets is the current device date Enter the date in the following format MM DD YYYY Example 06 12 1999 for June 12th 1999 Date Quick 01 18 2001 _ At the cursor enter the correct date in the format MM DD YYYY Use four digits to enter the year For example enter June 12 2001 as 06 12 2001 Step 3 The system prompts you t...

Page 68: ...nue to the next section Uploading Configuration To use the local console PC terminal emulation package to transfer upload configuration files from your PC or from a system accessible to your PC to the VPN 3002 flash memory Step 1 The system prompts you to choose whether or not to upload a configuration file 1 Upload Config File 2 Do Not Upload Config File 3 Back Quick 2 At the cursor enter 1 Uploa...

Page 69: ...nt to change the private interface IP address or subnet mask If you do not want to change the private interface address accept the default 2 to continue with quick configuration We assume that you enter 1 Step 2 The system prompts you to enter an IP address This table shows current IP addresses Intf Status IP Address Subnet Mask MAC Address Pri Intf UP 192 168 10 1 255 255 255 0 00 90 A4 00 25 A8 ...

Page 70: ... want to disable the DHCP server at the prompt enter 1 Disable DHCP Server and continue with quick configuration If you want to enable and configure the DHCP server at the prompt enter 2 Enable and Configure DHCP Server and follow Steps 6 through 9 below If you want to enable the DHCP server with existing parameters at the prompt enter 3 Step 5 If you choose 2 Enable and Configure DHCP server the ...

Page 71: ... dotted decimal notation or accept the default in brackets and press Enter The System displays the DHCP Pool End field DHCP Pool End Quick 192 168 10 128 Enter the IP address you want as the starting address in the pool using dotted decimal notation or accept the default in brackets and press Enter Step 9 The System redisplays the list of DHCP parameters 1 Enable Disable DHCP 2 Set DHCP Lease Time...

Page 72: ... a system name to the VPN 3002 at the prompt enter 1 The system displays the System Name field Assign a System Name hostname to this device This may be required for DHCP System Name Quick _ Step 2 At the cursor enter a name such as VPN01 This name must uniquely identify this device on your network Press Enter The system redisplays the table of current IP addresses and the current menu options Conf...

Page 73: ...The system proceeds to the IPSec parameters see the section Configuring IPSec Configuring PPPoE This table shows current IP addresses Intf Status IP Address Subnet Mask MAC Address Pri Intf UP 10 10 99 50 255 255 0 0 00 90 A4 00 25 A8 Pub Intf Disabled 0 0 0 0 0 0 0 0 00 90 A4 00 25 A9 DNS Server s DNS Server Not Configured DNS Domain Name ispdomain com Default Gateway 130 0 0 1 1 Configure System...

Page 74: ... s DNS Server Not Configured DNS Domain Name ispdomain com Default Gateway 130 0 0 1 1 Configure System Name hostname 2 Obtain address via DHCP for the Public Interface 3 Use PPPoE to Connect to a Public Network 4 Configure the Public Interface 5 Back Quick To configure the VPN 3002 public interface with a static IP address subnet mask and default gateway for the public interface follow these step...

Page 75: ...prompts you to specify a default gateway which is the system to which the VPN 3002 should forward packets In other words if the VPN 3002 has no configured static routes that specify where to send packets it sends them to this gateway When you first start the VPN 3002 it has no static routes Default Gateway Quick _ At the cursor enter the IP address of the default gateway for example 10 10 0 1 This...

Page 76: ...Quick -> [ 130.0.0.1 ] Step 2: The system prompts you to enable or disable IPSec over TCP: 1) Enable IPSec over TCP 2) Disable IPSec over TCP. Quick -> [ 2 ] At the cursor, enter 1 to enable IPSec over TCP, or accept the default (2) to disable IPSec over TCP. Step 3: The system prompts you to enter the IPSec group name: IPSec Group Name, Quick -> _ At the cursor, enter a unique name for this group. Maximum is 32 characters, case ...

Page 77: ...VPN Concentrator. PAT includes NAT (Network Address Translation). NAT translates the network addresses of the devices connected to the VPN 3002 private interface to the VPN Concentrator assigned IP address on the public interface, and also keeps track of these mappings so that it can forward replies to the correct device. All traffic from the private network appears on the network behind the central sit...

Page 78: ... 1 and disable PAT. VPN 3000 Concentrator Settings Required for Network Extension Mode: For the VPN 3002 to use Network Extension mode, these are the requirements for the central site VPN Concentrator. 1. The VPN Concentrator at the central site must be running Software version 3.0 or later. 2. Configure a group to which you assign this VPN 3002. This includes assigning a group name and password. See Chapt...

Page 79: ...S server. Specify a local DNS server, which lets you enter hostnames rather than IP addresses while configuring. DNS Server, Quick -> [ 0.0.0.0 ] At the cursor, enter the IP address of your local DNS server in dotted decimal notation, for example, 10.10.0.11. Step 2: The system prompts you to enter the registered Internet domain name in which the VPN 3002 is located, sometimes called the domain name suffix or subd...

Page 80: ...nter 1. To select one for the VPN 3002 interfaces, at the prompt, enter 2. Enter destination address. Step 4: In either case, the system prompts you for the destination address. If you selected Router, the system prompts for the router address: Router Address, Quick -> _ Enter the IP address of the router gateway outbound destination. Step 5: If you selected Interface, the system prompts you to choose either the p...

Page 81: ...r the IP address of the network address for the route you want to delete. The menu displays again, with the route you deleted no longer present. To continue with quick configuration, at the prompt, enter 4. Changing admin Password: You can change the password for the admin administrator user. For ease of use during startup, the default admin password supplied with the VPN 3002 is also admin. Since the admin...

Page 82: ...te the active or running configuration. The VPN 3002 now has enough information, and it is operational. The system has saved your changes to the active configuration in the system configuration file as you have made them. The system now displays the final quick configuration menu: 1) Goto Main Configuration Menu 2) Exit. Quick -> _ Step 1: At the cursor, enter 2 to exit quick configuration. The system displays ...

Page 83: ...matically saved when the system crashes and when it is rebooted. CRSHDUMP.TXT: Internal system data file that is written when the system crashes. CONFIG: Normal configuration file used to boot the system. CONFIG.BAK: Backup configuration file. Event Logs: The VPN 3002 records system events in the event log, which is stored in nonvolatile memory (NVRAM). To troubleshoot operational problems, we recommend that y...

Page 84: ...h Dump File. Configuration Files: The VPN 3002 saves the current boot configuration file (CONFIG) and its predecessor (CONFIG.BAK) as files in flash memory. These files might be useful for troubleshooting. See Administration | File Management for information on managing files in flash memory. LED Indicators: LED indicators on the VPN 3002 are normally green or flashing amber. LEDs that are solid amber or off m...

Page 85: ...s. Columns: Problem or Symptom, Possible Solution. Tunnel is not up or not passing data. PWR LED is off: Make sure that the power cable is plugged into the VPN 3002 and a power outlet. SYS LED is solid amber: Unit has failed diagnostics. Contact Cisco Support immediately. You see this LED display: PWR green, SYS LED green, VPN LED off: 1. Verify that the VPN Concentrator to which this VPN 3002 connects is running versio...

Page 86: ...ord are correct. Username and password are correct. 2. Make sure the group and usernames and passwords match those set for the VPN 3002 on the central site VPN Concentrator. 3. After you make any changes, navigate to Monitoring | System Status and click Connect Now. 4. Study the event log files. To capture more events, and to interpret events, see Chapter 9, Events, in the VPN 3002 Hardware Client Reference. My P...

Page 87: ...ries Concentrator Series Reference Volume 1: Configuration. Step 5: Check the Event log. Refer to Chapter 10, Events, in the VPN 3000 Series Concentrator Series Reference Volume 1: Configuration. VPN 3002 Hardware Client Manager Errors: The following sections describe errors that might occur while using the HTML-based VPN 3002 Hardware Client Manager with a browser. Invalid Login or Session Timeout: The Mana...

Page 88: ...only when you click an action button such as Apply, Add, or Cancel, or a link on a screen that invokes a different screen. Entering values or setting parameters on a given screen does not reset the timer. The timeout interval is set too low for normal use: On the Administration | Access Rights | Access Settings screen, change the Session Timeout interval to a larger value and click Apply. Table A-3: Browser Re...

Page 89: ...or incorrect data. To protect security and the integrity of data entries, clicking on Back or Forward on the browser toolbar deletes pointers and values within the Manager. Do not use the browser navigation toolbar buttons with the VPN 3002 Hardware Client Manager. Navigate using the location bar at the top of the Manager window, the table of contents in the left frame, or links on Manager screens. We re...

Page 90: ...ed to access an area of the Manager that you do not have authorization to access. You logged in using an administrator login name that has limited privileges. You logged in from a workstation that has limited access privileges. Log in using the system administrator login name and password. Defaults are admin/admin. Log in from a workstation with greater access privileges. Have the system administrator c...

Page 91: ...ormation that identifies system activity and parameters. Figure A-4: Not Found Screen. Table A-7: Not Found Message Displays. Columns: Problem, Possible cause, Solution. The Manager could not find a screen. You updated the software image and did not clear the browser's cache. Clear the browser's cache: delete its temporary internet files, history files, and location bar references. Then try again. There is an internal Ma...

Page 92: ...face Errors. Columns: Error, Problem, Possible Cause, Solution. ERROR: Bad IP Address/Subnet Mask/Wildcard Mask/Area ID. The system expected a valid 4-byte dotted decimal entry, and the entry was not in that format. You entered something other than a 4-byte dotted decimal number. You might have omitted a byte position, or entered a number greater than 255 in a byte position. You entered 0.0.0.0 instead of an appropria...
