manualshive.com logo in svg

Cisco VPN 3000, User Manual

Share
Download
Cisco VPN 3000 User Manual Download Page 236

12 

User Management

12-30

VPN 3000 Concentrator Series User Guide

and compares—only encrypted passwords, rather than cleartext passwords as in CHAP. This 
protocol also generates a key for data encryption by MPPE (Microsoft Point-to-Point Encryption). 
If you check 

Required

 under 

PPTP Encryption

 below, you must allow one or both 

MSCHAP

 protocols 

and no other.

MSCHAPv2

 = Microsoft Challenge-Handshake Authentication Protocol version 2. This protocol is 

even more secure than MSCHAPv1. It requires mutual client-server authentication, uses 
session-unique keys for data encryption by MPPE, and derives different encryption keys for the 
send and receive paths. The VPN Concentrator internal user authentication server supports this 
protocol, but external authentication servers do not. If you check 

Required

 under 

PPTP Encryption

 

below, you must allow one or both 

MSCHAP

 protocols and no other.

PPTP Encryption

Check the boxes for the data encryption options that apply to this group’s PPTP clients.

Required

 = During connection setup, this group’s PPTP clients must agree to use Microsoft 

encryption (MPPE) to encrypt data or they will not be connected. If you check this option, you must 
also allow only 

MSCHAPv1

 and/or 

MSCHAPv2

 under 

PPTP Authentication Protocols

 above, and you 

must also check 

40-bit

 and/or 

128-bit

 here.

Require Stateless

 = During connection setup, this group’s PPTP clients must agree to use stateless 

encryption to encrypt data or they will not be connected. With stateless encryption, the encryption 
keys are changed on every packet; otherwise, the keys are changed after some number of packets or 
whenever a packet is lost. Stateless encryption is more secure, but it requires more processing. 
However, it might perform better in a lossy environment (where packets are lost), such as the 
Internet.

40-bit

 = This group’s PPTP clients are allowed to use the RSA RC4 encryption algorithm with a 

40-bit key. This is significantly less secure than the 

128-bit

 option. Microsoft encryption (MPPE) 

uses this algorithm. If you check 

Required

, you must check this option and/or the 

128-bit

 option.

128-bit

 = This group’s PPTP clients are allowed to use the RSA RC4 encryption algorithm with a 

128-bit key. Microsoft encryption (MPPE) uses this algorithm. If you check 

Required

, you must 

check this option and/or the 

40-bit

 option. The U.S. government restricts the distribution of 128-bit 

encryption software.

L2TP Authentication Protocols

Check the boxes for the authentication protocols that this group’s L2TP clients can use. To establish and 
use a VPN tunnel, users should be authenticated according to some protocol.
 

Caution

:

Unchecking 

all

 authentication options means that 

no

 authentication is required. That is, L2TP users can 

connect with 

no

 authentication. This configuration is allowed so you can test connections, but it is not 

secure.

 
These choices specify the allowable authentication protocols in order from least secure to most secure.

You can allow a group to use 

fewer

 protocols than the base group, but not more. You cannot allow a 

grayed-out protocol.

PAP

 = Password Authentication Protocol. This protocol passes cleartext username and password 

during authentication and is not secure. We strongly recommend that you 

not allow

 this protocol.

Summary of Contents for VPN 3000

Page 1: ...06 USA http www cisco com Cisco Systems Inc Corporate Headquarters Tel 800 553 NETS 6387 408 526 4000 Fax 408 526 4100 VPN 3000 Concentrator Series User Guide Release 2 5 July 2000 Customer Order Number DOC 7811137 Text Part Number 78 11137 01 ...

Page 2: ... AtmDirector Browse with Me CCDA CCDE CCDP CCIE CCNA CCNP CCSI CD PAC the Cisco logo Cisco Certified Internetwork Expert logo CiscoLink the Cisco Management Connection logo the Cisco NetWorks logo the Cisco Powered Network logo Cisco Systems Capital the Cisco Systems Capital logo Cisco Systems Networking Academy the Cisco Systems Networking Academy logo the Cisco Technologies logo Fast Step FireRu...

Page 3: ...olbar 1 2 Recommended PC monitor display settings 1 2 Connecting to the VPN Concentrator using HTTP 1 3 Installing the SSL certificate in your browser 1 3 Installing the SSL certificate with Internet Explorer 1 4 Viewing certificates with Internet Explorer 1 9 Installing the SSL certificate with Netscape 1 10 Reinstallation 1 10 First time installation 1 10 Viewing certificates with Netscape 1 15 ...

Page 4: ...er 1 24 2 Configuration Configuration 2 1 3 Interfaces Configuration Interfaces 3 2 Interface 3 3 Ethernet 1 Private Ethernet 2 Public Ethernet 3 External 3 4 WAN Interface in slot N Port A B 3 4 Status 3 4 IP Address 3 4 Subnet Mask 3 4 Power Supplies 3 5 Ethernet 1 Private Ethernet 2 Public Ethernet 3 External module in back panel image 3 5 WAN Card Slot N module in back panel image 3 5 Configur...

Page 5: ...Port A B Select T1 E1 3 15 T1 up to 24 64 Kbps channels 3 15 E1 up to 31 64 Kbps channels 3 16 Configuration Interfaces WAN Card in Slot N Port A B as T1 or E1 3 16 Using the tabs 3 16 IP Parameters tab 3 17 Enabled 3 17 IP Address 3 17 Subnet Mask 3 17 Public Interface 3 17 Filter 3 18 RIP Parameters tab 3 18 Inbound RIP 3 19 Outbound RIP 3 19 OSPF Parameters tab 3 20 OSPF Enabled 3 20 OSPF Area ...

Page 6: ...meout 5 4 Retries 5 4 Server Secret 5 5 Verify 5 5 Add or Apply Cancel 5 5 Server Type NT Domain 5 5 Authentication Server Address 5 5 Server Port 5 6 Timeout 5 6 Retries 5 6 Domain Controller Name 5 6 Add or Apply Cancel 5 6 Server Type SDI 5 6 Authentication Server 5 7 Server Port 5 7 Timeout 5 7 Retries 5 7 Add or Apply Cancel 5 7 Server Type Internal Server 5 8 Add Cancel 5 8 Configuration Sys...

Page 7: ...DHCP Servers 5 17 Add Modify Delete Move 5 17 Configuration System Servers DHCP Add or Modify 5 18 DHCP Server 5 18 Server Port 5 18 Add or Apply Cancel 5 18 Configuration System Servers NTP 5 18 Configuration System Servers NTP Parameters 5 19 Sync Frequency 5 19 Apply Cancel 5 19 Configuration System Servers NTP Hosts 5 20 NTP Hosts 5 20 Add Modify Delete 5 20 Configuration System Servers NTP Ho...

Page 8: ... Protocols L2TP 7 5 Enabled 7 6 Maximum Tunnel Idle Time 7 6 Control Window Size 7 6 Control Retransmit Interval 7 6 Control Retransmit Limit 7 6 Max Tunnels 7 6 Max Sessions Tunnel 7 6 Hello Interval 7 7 Apply Cancel 7 7 Configuration System Tunneling Protocols IPSec 7 7 Configuration System Tunneling Protocols IPSec LAN to LAN 7 8 LAN to LAN Connection 7 9 Add Modify Delete 7 9 Configuration Sys...

Page 9: ...e Down 7 21 Add 7 21 Modify 7 22 Copy 7 22 Delete 7 22 Configuration System Tunneling Protocols IPSec IKE Proposals Add Modify or Copy 7 22 Proposal Name 7 23 Authentication Mode 7 23 Authentication Algorithm 7 24 Encryption Algorithm 7 24 Diffie Hellman Group 7 24 Lifetime Measurement 7 24 Data Lifetime 7 25 Time Lifetime 7 25 Add or Apply Cancel 7 25 8 IP Routing Configuration System IP Routing ...

Page 10: ...10 Enabled 8 10 Lease Timeout 8 11 Listen Port 8 11 Timeout Period 8 11 Apply Cancel 8 11 Configuration System IP Routing Redundancy 8 12 Enable VRRP 8 13 Group ID 8 13 Group Password 8 13 Role 8 13 Advertisement Interval 8 13 Group Shared Addresses 8 13 1 Private 8 13 2 Public 8 14 3 External 8 14 Apply Cancel 8 14 9 Management Protocols Configuration System Management Protocols 9 1 Configuration...

Page 11: ... 9 9 Configuration System Management Protocols SNMP Communities Add or Modify 9 10 Community String 9 10 Add or Apply Cancel 9 10 Configuration System Management Protocols SSL 9 10 Encryption Protocols 9 12 Client Authentication 9 12 SSL Version 9 12 Generated Certificate Key Size 9 13 Apply Cancel 9 13 10 Events Event class 10 1 Event severity level 10 4 Event log 10 5 Event log data 10 5 Configu...

Page 12: ... Delete 10 14 Configuration System Events Trap Destinations Add or Modify 10 15 Destination 10 15 SNMP Version 10 15 Community 10 15 Port 10 16 Add or Apply Cancel 10 16 Configuration System Events Syslog Servers 10 16 Syslog Servers 10 17 Add Modify Delete 10 17 Configuration System Events Syslog Servers Add or Modify 10 17 Syslog Server 10 17 Port 10 18 Facility 10 18 Add or Apply Cancel 10 18 C...

Page 13: ... 5 Allow Alphabetic Only Passwords 12 5 Idle Timeout 12 5 Maximum Connect Time 12 5 Filter 12 5 Primary DNS 12 6 Secondary DNS 12 6 Primary WINS 12 6 Secondary WINS 12 6 SEP Card Assignment 12 6 Tunneling Protocols 12 6 IPSec Parameters tab 12 7 IPSec SA 12 7 Tunnel Type 12 8 Remote Access Parameters 12 8 Group Lock 12 8 Authentication 12 9 Mode Configuration 12 9 Mode Configuration Parameters 12 ...

Page 14: ... Filter 12 22 Primary DNS 12 22 Secondary DNS 12 22 Primary WINS 12 23 Secondary WINS 12 23 SEP Card Assignment 12 23 Tunneling Protocols 12 23 IPSec Parameters tab 12 24 Value Inherit 12 25 IPSec SA 12 25 Tunnel Type 12 26 Remote Access Parameters 12 26 Group Lock 12 26 Authentication 12 26 Mode Configuration 12 26 Mode Configuration Parameters 12 27 Banner 12 27 Allow Password Storage on Client ...

Page 15: ...aximum Connect Time 12 38 Filter 12 38 SEP Card Assignment 12 38 Tunneling Protocols 12 38 IPSec Parameters tab 12 39 Value Inherit 12 39 IPSec SA 12 40 Store Password on Client 12 40 PPTP L2TP Parameters tab 12 41 Value Inherit 12 41 Use Client Address 12 42 PPTP Authentication Protocols 12 42 L2TP Authentication Protocols 12 43 Add or Apply Cancel 12 43 13 Policy Management Configuration Policy ...

Page 16: ...Source Port 13 16 Port or Range 13 17 TCP UDP Destination Port 13 18 Port or Range 13 18 ICMP Packet Type 13 18 Add or Apply Cancel 13 18 Configuration Policy Management Traffic Management Rules Delete 13 19 Yes No 13 19 Configuration Policy Management Traffic Management Security Associations 13 19 IPSec SAs 13 21 Add Modify Delete 13 21 Configuration Policy Management Traffic Management Security ...

Page 17: ...o Rule 13 36 Done 13 36 Configuration Policy Management Traffic Management Assign Rules to Filter Add SA to Rule 13 36 Add SA to Rule on Filter 13 37 IPSec SAs 13 37 Apply 13 37 Configuration Policy Management Traffic Management Assign Rules to Filter Change SA on Rule 13 37 Change SA on Rule in Filter 13 38 IPSec SAs 13 38 Apply Cancel 13 38 Configuration Policy Management Traffic Management NAT ...

Page 18: ...ssions Management Sessions 14 6 Username 14 6 Public IP Address 14 6 Assigned IP Address 14 6 Protocol Encryption Login Time Duration Actions 14 6 Management Sessions table 14 6 LAN to LAN Sessions Remote Access Sessions 14 6 Administrator 14 6 IP Address 14 7 Protocol Encryption Login Time Duration Actions 14 7 Configuration locked by 14 7 Administration Sessions Detail 14 8 Refresh 14 12 Back to...

Page 19: ...y Default Cancel 14 25 Administration Access Rights Access Control List 14 26 Manager Workstations 14 26 Add Modify Delete Move 14 26 Administration Access Rights Access Control List Add or Modify 14 27 Priority Modify screen only 14 27 IP Address 14 27 IP Mask 14 28 Access Group 14 28 Add or Apply Cancel 14 28 Administration Access Rights Access Settings 14 28 Session Idle Timeout 14 28 Session L...

Page 20: ...Key Size 14 38 Apply Cancel 14 38 Administration Certificate Management Enrollment Request Generated 14 39 Enrolling with a Certificate Authority 14 40 Administration Certificate Management Installation 14 40 Certificate Type 14 41 Certificate Password 14 41 Verify 14 41 Local File Browse 14 42 Apply Cancel 14 42 Administration Certificate Management Certificates 14 42 Certificate Authorities 14 4...

Page 21: ...ration Certificate Management Certificates Delete 14 49 Yes No 14 49 15 Monitoring Monitor 15 1 Monitor Routing Table 15 2 Refresh 15 2 Valid Routes 15 3 Address 15 3 Mask 15 3 Next Hop 15 3 Interface 15 3 Protocol 15 3 Age 15 4 Metric 15 4 Monitor Event Log 15 4 Select Filter Options 15 5 Event Class 15 5 Severities 15 5 Client IP Address 15 5 Events Page 15 5 Direction 15 5 First Page 15 6 Previ...

Page 22: ... 12 Status 15 12 Rx Unicast 15 13 Tx Unicast 15 13 Rx Multicast 15 13 Tx Multicast 15 13 Rx Broadcast 15 13 Tx Broadcast 15 13 Monitor System Status Dual T1 E1 WAN Slot N 15 14 Refresh 15 14 Back 15 14 T1 E1 Statistics 15 14 Slot 15 14 Port 15 15 Status 15 15 Up Time Seconds 15 15 Errored Seconds 15 15 Severely Errored Seconds 15 15 Bursty Errored Seconds 15 15 Severely Errored Framing Seconds 15 ...

Page 23: ...dancy 15 20 Refresh 15 21 Back 15 21 SEP 15 21 Status 15 22 DSP Code Version 15 22 Inbound Hash Octets Packets 15 22 Outbound Hash Octets Packets 15 22 Encrypted Octets Packets 15 22 Decrypted Octets Packets 15 22 Hash Encrypted Packets 15 22 Hash Decrypted Packets 15 23 Drops Packets 15 23 Random Requests 15 23 Random Replenishments 15 23 Random Bytes Available 15 23 Random Cache Empty 15 23 DH K...

Page 24: ...28 Username 15 28 Public IP Address 15 28 Assigned IP Address 15 28 Protocol Encryption Login Time Duration Bytes Tx Bytes Rx 15 28 Management Sessions table 15 29 LAN to LAN Sessions Remote Access Sessions 15 29 Administrator 15 29 IP Address 15 29 Protocol Encryption Login Time Duration 15 29 Monitor Sessions Detail 15 30 Refresh 15 34 Back to Sessions 15 34 Monitor Sessions Detail parameters 15...

Page 25: ...efresh 15 45 Username 15 45 IP Address 15 45 Protocol 15 45 Encryption 15 46 Login Time 15 46 Avg Throughput bytes sec 15 46 Monitor Statistics 15 47 Monitor Statistics PPTP 15 48 Refresh 15 48 Total Tunnels 15 48 Active Tunnels 15 48 Maximum Tunnels 15 48 Total Sessions 15 49 Active Sessions 15 49 Maximum Sessions 15 49 Rx Octets Control Data 15 49 Rx Packets Control Data 15 49 Rx Discards Contro...

Page 26: ...ansmit Packets 15 54 Transmit ZLB 15 54 Monitor Statistics IPSec 15 55 Refresh 15 55 IKE Phase 1 Statistics 15 56 Active Tunnels 15 56 Total Tunnels 15 56 Received Bytes 15 56 Sent Bytes 15 56 Received Packets 15 56 Sent Packets 15 56 Received Packets Dropped 15 56 Sent Packets Dropped 15 56 Received Notifies 15 57 Sent Notifies 15 57 Received Phase 2 Exchanges 15 57 Sent Phase 2 Exchanges 15 57 I...

Page 27: ... Failed Encryptions 15 60 System Capability Failures 15 61 No SA Failures 15 61 Protocol Use Failures 15 61 Monitor Statistics HTTP 15 61 Refresh 15 61 Octets Sent 15 61 Octets Received 15 61 Packets Sent 15 62 Packets Received 15 62 Active Connections 15 62 Max Connections 15 62 Monitor Statistics Events 15 62 Refresh 15 63 Event Class 15 63 Event Number 15 63 Count of Events 15 63 Monitor Statis...

Page 28: ...s 15 68 Bad Authenticators 15 69 Pending Requests 15 69 Timeouts 15 69 Unknown Type 15 69 Monitor Statistics Filtering 15 69 Refresh 15 69 Interface 15 70 Inbound Packets Pre Filter 15 70 Inbound Packets Filtered 15 70 Inbound Packets Post Filter 15 70 Outbound Packets Pre Filter 15 70 Outbound Packets Filtered 15 70 Outbound Packets Post Filter 15 70 Monitor Statistics VRRP 15 71 Refresh 15 71 Ch...

Page 29: ...Server Address 15 76 Monitor Statistics Address Pools 15 76 Refresh 15 76 IP Address Range Start End 15 76 Total Addresses 15 76 Available Addresses 15 76 Allocated Addresses 15 76 Max Allocated Addresses 15 77 Monitor Statistics MIB II 15 77 Monitor Statistics MIB II Interfaces 15 78 Refresh 15 78 Interface 15 78 Status 15 78 Unicast In 15 79 Unicast Out 15 79 Multicast In 15 79 Multicast Out 15 ...

Page 30: ...eassembly Successes 15 84 Reassembly Failures 15 84 Fragmentation Successes 15 84 Fragmentation Failures 15 84 Fragments Created 15 84 Monitor Statistics MIB II RIP 15 85 Refresh 15 85 Global Route Changes 15 85 Global Queries 15 85 Interfaces 15 85 Interface Address 15 85 Received Bad Packets 15 85 Received Bad Routes 15 86 Sent Updates 15 86 Monitor Statistics MIB II OSPF 15 87 Refresh 15 87 Rou...

Page 31: ...ceived Transmitted 15 93 Echo Replies PINGs Received Transmitted 15 93 Timestamp Requests Received Transmitted 15 93 Timestamp Replies Received Transmitted 15 93 Address Mask Requests Received Transmitted 15 94 Address Mask Replies Received Transmitted 15 94 Monitor Statistics MIB II ARP Table 15 94 Refresh 15 94 Interface 15 95 Physical Address 15 95 IP Address 15 95 Mapping Type 15 95 Action Del...

Page 32: ...re Power Supplies 16 9 1 1 3 Configuration Interface Configuration Configure Power Supplies 16 10 1 1 5 Configuration Interface Configuration Configure Expansion Cards 16 10 1 1 4 Configuration Interface Configuration Configure Expansion Cards 16 10 1 2 Configuration System Management 16 10 1 2 1 Configuration System Management Servers 16 11 1 2 2 Configuration System Management Address Management...

Page 33: ...istics 16 20 3 4 2 Monitoring Sessions View Top Ten Lists 16 20 3 4 3 Monitoring Sessions View Session Protocols 16 20 3 4 4 Monitoring Sessions View Session SEPs 16 21 3 4 5 Monitoring Sessions View Session Encryption 16 21 3 5 Monitoring General Statistics 16 21 3 5 1 Monitoring General Statistics Protocol Statistics 16 21 3 5 2 Monitoring General Statistics Server Statistics 16 22 3 5 3 Monitor...

Page 34: ...ear A 11 SEP Scalable Encryption Processing Module LEDs Model 3015 3080 only A 11 WAN Interface Module LEDs A 12 B Copyrights licenses and notices Software License Agreement of Cisco Systems Inc B 1 Other licenses B 3 Regulatory Agency Notices B 9 Notice to Users of T1 Service B 9 Notice to Users of Certified Component Devices B 10 Affidavit Appendix A B 11 Index ...

Page 35: ...8 Table 13 1 Cisco supplied default filter rules 13 10 Table 13 2 Cisco supplied default Security Associations 13 21 Table 13 3 Cisco supplied default filters 13 30 Table 14 1 Parameter definitions for Administration Sessions screen 14 7 Table 14 2 Parameter definitions for Administration Sessions Detail screens 14 12 Table 14 3 Cisco supplied default administrator rights 14 24 Table 15 1 Paramete...

Page 36: ......

Page 37: ...iar with Microsoft Internet Explorer or Netscape Navigator or Communicator browsers Organization This manual is organized by the order in which sections appear in the VPN Concentrator Manager table of contents the left frame of the Manager browser window see Figure 1 30 in Chapter 1 Chapter 1 Using the VPN 3000 Concentrator Series Manager explains how to log in navigate and use the VPN Concentrato...

Page 38: ...ply them to groups users and interfaces This chapter also describes NAT configuration Chapter 14 Administration explains how to configure and use high level VPN Concentrator administrator activities such as who is allowed to configure the system what software runs on it rebooting and shutting down the system managing its files and managing X 509 digital certificates Chapter 15 Monitoring explains ...

Page 39: ...m Kosiur Dave Building and Managing Virtual Private Networks Wiley 1998 Sheldon Tom Encyclopedia of Networking Osborne McGraw Hill 1998 Stallings William Data and Computer Communications 5th ed Prentice Hall 1997 Understanding Point to Point Tunneling Protocol PPTP Microsoft Corporation 1997 Available from Microsoft web site Virtual Private Networking An Overview Microsoft Corporation 1999 Availab...

Page 40: ... for example 00 10 5A 1F 4F 07 Hostnames Hostnames use legitimate network host or end system name notation for example VPN01 Spaces are not allowed A hostname must uniquely identify a specific system on a network Text strings Text strings use alphanumeric characters upper and lower case Most text strings are case sensitive for example simon and Simon represent different usernames The maximum lengt...

Page 41: ...ents If you have questions we suggest you first try the Cisco Web site at www cisco com and go to the Service Support section From there you can go to additional support areas such as the Technical Assistance Center TAC software updates technical documentation and service and support solutions To phone the North America Technical Assistance Center call 800 553 2447 or 1 408 526 7209 End of Preface...

Page 42: ......

Page 43: ...L HTTPS with the Manager 1 The first time connect to the Manager using HTTP and 2 Install an SSL certificate in the browser see Installing the SSL certificate in your browser on page 1 3 Once the SSL certificate is installed you can connect directly using HTTPS see Connecting to the VPN Concentrator using HTTPS on page 1 17 Browser requirements The VPN Concentrator Manager requires either Microsof...

Page 44: ...s window scroll down to Cookies Click Enable under Allow cookies that are stored on your computer Click Enable under Allow per session cookies not stored Navigator Communicator 4 5 On the Edit menu select Preferences On the Advanced screen click one of the Accept cookies choices and do not check Warn me before accepting a cookie Navigation toolbar Do not use the browser navigation toolbar buttons ...

Page 45: ...ager login screen To continue using HTTP for the whole session skip to Logging in the VPN Concentrator Manager on page 1 18 Installing the SSL certificate in your browser The VPN Concentrator Manager provides the option of using HTTP over SSL with the browser SSL creates a secure session between your browser client and the VPN Concentrator server This protocol is known as HTTPS and uses the https ...

Page 46: ...d automatically begins to download and install its SSL certificate in your browser Figure 1 2 Install SSL Certificate screen The installation sequence now differs depending on the browser Continue below for Internet Explorer or skip to Installing the SSL certificate with Netscape on page 1 10 Installing the SSL certificate with Internet Explorer This section describes SSL certificate installation ...

Page 47: ...current location radio button then click OK The browser displays the Certificate dialog box with information about the certificate You must now install the certificate Figure 1 4 Internet Explorer Certificate dialog box 4 Click Install Certificate The browser starts a wizard to install the certificate The certificate store is where such certificates are stored in Internet Explorer ...

Page 48: ...ger Import Wizard dialog box 5 Click Next to continue The wizard opens the next dialog box asking you to select a certificate store Figure 1 6 Internet Explorer Certificate Manager Import Wizard dialog box 6 Let the wizard Automatically select the certificate store and click Next The wizard opens a dialog box to complete the installation ...

Page 49: ...This dialog box closes and a final wizard confirmation dialog box opens Figure 1 9 Internet Explorer Certificate Manager Import Wizard final dialog box 9 Click OK to close this dialog box and click OK on the Certificate dialog box Figure 1 4 to close it You can now connect to the VPN Concentrator using HTTP over SSL HTTPS 10 On the Manager SSL screen Figure 1 2 click the link that says After insta...

Page 50: ... Concentrator displays the HTTPS version of the Manager login screen Figure 1 11 VPN Concentrator Manager login screen using HTTPS Internet Explorer The browser maintains the HTTPS state until you close it or access an unsecure site in the latter case you may see a Security Alert screen Proceed to Logging in the VPN Concentrator Manager on page 1 18 to log in as usual ...

Page 51: ...ose when finished Second you can view all the certificates that are stored in Internet Explorer 4 0 Click the browser View menu and select Internet Options Click the Content tab then click Authorities in the Certificates section In Internet Explorer 5 0 click the browser Tools menu and select Internet Options Click the Content tab then click Certificates in the Certificates section On the Certific...

Page 52: ...s the note in Figure 1 14 Click OK and just connect to the VPN Concentrator using SSL see Step 7 on page 1 13 Figure 1 14 Netscape reinstallation note First time installation The instructions below follow from Step 2 on page 1 4 and describe first time certificate installation A few seconds after the VPN Concentrator Manager SSL screen appears Netscape displays a New Certificate Authority screen F...

Page 53: ...ext to proceed Netscape displays the next New Certificate Authority screen which lets you examine details of the VPN Concentrator SSL certificate Figure 1 17 Netscape New Certificate Authority screen 3 3 Click Next to proceed Netscape displays the next New Certificate Authority screen with choices for using the certificate No choices are checked by default ...

Page 54: ...w Certificate Authority screen which lets you choose to have the browser warn you about sending data to the VPN Concentrator Figure 1 19 Netscape New Certificate Authority screen 5 5 Checking the box is optional Doing so means that you get a warning whenever you apply settings on a Manager screen so it s probably less intrusive to manage the VPN Concentrator without those warnings Click Next to pr...

Page 55: ...he list of installed certificates see Viewing certificates with Netscape below Click Finish You can now connect to the VPN Concentrator using HTTP over SSL HTTPS 7 On the Manager SSL screen Figure 1 2 click the link that says After installing the SSL certificate click here to connect to the VPN Concentrator using SSL Depending on how your browser is configured you may see a Security Information Al...

Page 56: ... 1 22 VPN Concentrator Manager login screen using HTTPS Netscape The browser maintains the HTTPS state until you close it or access an unsecure site in the latter case you may see a Security Information Alert dialog box Proceed to Logging in the VPN Concentrator Manager on page 1 18 to log in as usual ...

Page 57: ... opens a Security Info window You can also open this window by clicking Security on the Navigator Toolbar at the top of the Netscape window Figure 1 23 Netscape Security Info window Click View Certificate to see details of the specific certificate in use Figure 1 24 Netscape View Certificate screen Click OK when finished Second you can view all the certificates that are stored in Netscape On the S...

Page 58: ...the VPN 3000 Concentrator Series Manager 1 16 VPN 3000 Concentrator Series User Guide Figure 1 25 Netscape Certificates Signers list Select a certificate then click Edit Verify or Delete Click OK when finished ...

Page 59: ...ng HTTPS 1 Bring up the browser 2 In the browser Address or Location field enter https plus the VPN Concentrator private interface IP address for example https 10 10 147 2 The browser displays the VPN Concentrator Manager HTTPS login screen A locked padlock icon on the browser status bar indicates an HTTPS session Also this login screen does not include the Install SSL Certificate link Figure 1 26...

Page 60: ... to field other browsers may work differently If you make a mistake click the Clear button and start over The entries that follow are the factory supplied default entries If you have changed them use your entries 1 Click in the Login field and type admin Do not press Enter 2 Click in the Password field and type admin The field shows 3 Click the Login button The Manager displays the main welcome sc...

Page 61: ...Understanding the VPN Concentrator Manager window The VPN Concentrator Manager window on your browser consists of three frames top left and main and it provides helpful messages and tips as you move the mouse pointer over window items The title bar and status bar also provide useful information Figure 1 28 VPN Concentrator Manager window Title bar The title bar at the top of the browser window inc...

Page 62: ...ou wish Close the help window when you are finished Support tab Click to open a Manager screen with links to Cisco support and documentation resources Figure 1 29 Support screen Documentation Click this link to open a browser window on the Cisco Technical Documentation Web page for Virtual Private Networks That page has links to VPN 3000 Concentrator Series documentation in PDF format To view the ...

Page 63: ...en and to close Configuration or Monitoring pages in the left frame Monitoring tab Click to go to the main Monitoring screen to open the first level of subordinate Monitoring pages in the left frame if they are not already open and to close Configuration or Administration pages in the left frame Save Click to save the active configuration and make it the boot configuration In this state the remind...

Page 64: ...tries Main section titles Configuration Administration Monitoring Click a title to open subordinate sections and titles and to go to that Manager screen in the main frame Closed or collapsed Click the closed collapsed icon to open subordinate sections and titles Clicking this icon does not change the screen in the main frame Open or expanded Click the open expanded icon to close subordinate sectio...

Page 65: ...event handling and system identification User Management attributes for groups and users that determine their access to and use of the VPN Policy Management policies that control access times and data traffic through the VPN via filters rules and IPSec Security Associations Administration managing higher level functions that keep the VPN Concentrator operational and secure such as who is allowed t...

Page 66: ...tool for navigating the VPN Concentrator Manager is the table of contents in the left frame Figure 1 30 shows all its entries completely expanded The figure shows the frame in multiple columns but the actual frame is a single column Use the scroll controls to move up and down the frame Figure 1 30 Complete Manager Table of Contents End of Chapter ...

Page 67: ...r features and functions Interfaces parameters specific to the Ethernet interfaces public private and external WAN interfaces ports A and B plus power supply and voltage sensor alarms System parameters for system wide functions server access address assignment tunneling protocols IP routing built in management servers system events and system identification User Management attributes for groups an...

Page 68: ......

Page 69: ... to interfaces and to groups and users Group and user filters govern tunneled group and user data traffic interface filters govern all data traffic Network interfaces usually connect to a router that routes data traffic to other networks The VPN Concentrator includes IP routing functions static routes RIP Routing Information Protocol and OSPF Open Shortest Path First You configure RIP and interfac...

Page 70: ...ort B is a T1 E1 interface usually to the public network Configuring an Ethernet interface includes supplying an IP address applying a traffic management filter setting speed and transmission mode and configuring RIP and OSPF routing protocols Configuring a WAN interface includes selecting the interface type T1 or E1 supplying an IP address applying a traffic management filter configuring RIP and ...

Page 71: ...re a module either click the appropriate link in the status table or use the mouse pointer to select the module on the back panel image and click anywhere in the highlighted area Interface The VPN Concentrator interface installed in the system To configure an interface click the appropriate link Model 3005 Model 3015 3080 ...

Page 72: ... In test mode no regular data traffic can pass Dormant Red Configured and enabled but waiting for an external action such as an incoming connection Not Present Red Missing hardware components Lower Layer Down Red Not operational because a lower layer interface is down Unknown Red Not configured or not able to determine status Not Configured Present but not configured Red Red WAN only Red alarm Lin...

Page 73: ...WAN card module in the back panel image and see Configuration Interfaces WAN Card in Slot N Configuration Interfaces Power This screen lets you configure alarm thresholds for voltages in the system power supplies CPU and main circuit board On this screen you set high and low thresholds for the voltages When the system detects a voltage outside a threshold value it generates a HARDWAREMON hardware ...

Page 74: ...tered value The fields show the actual thresholds and the values may differ from your entries CPU High and low thresholds for the voltage sensors on the CPU chip The value is system dependent either 2 5 or 1 9 volts Power Supply A B High and low thresholds for the 3 3 and 5 volt outputs from the power supplies You can enter values for the second power supply on Models 3015 3080 even if it is not i...

Page 75: ...current parameters if any Configuring an Ethernet interface includes supplying an IP address identifying it as a public interface applying a traffic management filter setting speed and transmission mode and configuring RIP and OSPF routing protocols To apply a custom filter you must configure the filter first see Configuration Policy Management Traffic Management Caution If you modify any paramete...

Page 76: ... front panel IP Address Enter the IP address for this interface using dotted decimal notation e g 192 168 12 34 Note that 0 0 0 0 is not allowed Be sure no other device is using this address on the network Subnet Mask Enter the subnet mask for this interface using dotted decimal notation e g 255 255 255 0 The Manager automatically supplies a standard subnet mask appropriate for the IP address you ...

Page 77: ...isco supplies this default filter for Ethernet 3 but it is not selected by default None No filter applied to the interface which means there are no restrictions on data packets This is the default selection for Ethernet 1 and 3 Other filters that you have configured also appear in this menu Speed Click the drop down menu button and select the interface speed 10 Mbps Fix the speed at 10 megabits pe...

Page 78: ...must enable Inbound RIPv2 v1 on Ethernet 1 It is enabled by default Inbound RIP This parameter applies to RIP messages coming into the VPN Concentrator It configures the system to listen for RIP messages on this interface Click the drop down menu button and select the inbound RIP function Disabled No inbound RIP functions i e the system does not listen for any RIP messages on this interface defaul...

Page 79: ...ovides faster routing updates but it requires more processing power than RIP The VPN Concentrator includes IP routing functions that support OSPF version 2 RFC 2328 OSPF involves interface specific parameters that you configure here and system wide parameters that you configure on the Configuration System IP Routing screens OSPF Enabled To enable OSPF routing on this interface check the box By def...

Page 80: ... the number of seconds between OSPF Link State Advertisements LSAs from this interface which are messages that the router sends to describe its current state Enter the interval as a number from 0 to 3600 seconds The default is 5 seconds which is a typical value for LANs OSPF Hello Interval This entry is the number of seconds between Hello packets that the router sends to announce its presence join...

Page 81: ...gorithm with a shared key to generate an encrypted message digest for authentication This key must be the same for all routers on a common network If you select this method enter the key in the OSPF Password field below OSPF Password If you selected Simple Password or MD5 for OSPF Authentication above enter the appropriate password or key in this field Otherwise leave the field blank For Simple Pa...

Page 82: ...he Configuration Interfaces WAN Card in Slot N Port A B Select T1 E1 screen Otherwise see the Configuration Interfaces WAN Card in Slot N Port A B as T1 or E1 screen Interface The interface port on this WAN module Status The operational status of this interface If the interface is configured the status includes a prefix if PPP Multilink is enabled and the interface type T1 or E1 Up Green Configure...

Page 83: ...t this port to a WAN you must supply an IP address IP Address The IP address configured on this interface port Subnet Mask The subnet mask configured on this interface port Configuration Interfaces WAN Card in Slot N Port A B Select T1 E1 This screen lets you choose either T1 or E1 interface type for the WAN module and it appears only when you configure the WAN module for the first time Once chose...

Page 84: ...configure independent WAN connections on Port A and Port B The WAN module supports complete T1 E1 interfaces and fractional T1 E1 interfaces You can select T1 E1 bandwidth by configuring specific DS0 Digital Signal 0 channels See the Timeslots parameter on the WAN Parameters tab You set the interface type T1 or E1 on the Configuration Interfaces WAN Card in Slot N Port A B Select T1 E1 screen Once...

Page 85: ...cimal notation e g 192 168 12 34 Note that 0 0 0 0 is not allowed Be sure no other device is using this address on the network Subnet Mask Enter the subnet mask for this interface using dotted decimal notation e g 255 255 255 0 The Manager automatically supplies a standard subnet mask appropriate for the IP address you just entered For example the IP address 192 168 12 34 is a Class C address and ...

Page 86: ... Default filter with all its parameters and rules except any Apply IPSec LAN to LAN rules See Configuration Policy Management Traffic Management Filters Other filters that you have configured also appear in this menu We recommend that you accept the default Make copy of filter 2 public especially when you initially configure this interface You can select this option only when you initially configu...

Page 87: ... this interface RIPv2 Only Listen for and interpret only RIPv2 messages on this interface RIPv2 v1 Listen for and interpret either RIPv1 or RIPv2 messages on this interface Outbound RIP This parameter applies to RIP messages going out of the VPN Concentrator that is it configures the system to send RIP messages on this interface Click the drop down menu button and select the outbound RIP function ...

Page 88: ... version 2 RFC 2328 OSPF involves interface specific parameters that you configure here and system wide parameters that you configure on the Configuration System IP Routing screens OSPF Enabled To enable OSPF routing on this interface check the box By default it is not checked To activate the OSPF system you must also configure and enable OSPF on the Configuration System IP Routing OSPF screen OSP...

Page 89: ...ce which are messages that the router sends to describe its current state Enter the interval as a number from 0 to 3600 seconds The default is 5 seconds which is a typical value OSPF Hello Interval This entry is the number of seconds between Hello packets that the router sends to announce its presence join the OSPF routing area and maintain neighbor relationships This interval must be the same for...

Page 90: ...t this method enter the password in the OSPF Password field below MD5 Use the MD5 hashing algorithm with a shared key to generate an encrypted message digest for authentication This key must be the same for all routers on a common network If you select this method enter the key in the OSPF Password field below OSPF Password If you selected Simple Password or MD5 for OSPF Authentication above enter...

Page 91: ...preceding ones CCITT Recommendation G 703 governs HDB3 coding This is the default selection for E1 and it is not available for T1 AMI Alternative Mark Inversion AMI is a bipolar line code that transmits binary zero as zero volts and binary one as either positive or negative depending on the previous pulse each pulse transmitted is opposite the one before it If you choose this type you must also en...

Page 92: ... using SF D4 line framing If you enable data inversion here be sure the other side of the WAN connection is also using data inversion Loopback Loopback testing is used to diagnose problems in the network a device transmits a signal that passes through the network and returns to the device that sent it This selection sets the WAN port to respond appropriately to the transmitted signal Click the dro...

Page 93: ...hem At the destination MP reassembles the packets in the correct order RFC 1990 describes PPP Multilink Enable PPP Multilink To enable PPP Multilink MP on this interface check this box The box is not checked by default If you enable MP the system automatically assigns the IP address on this port to the other port Verify that the correct same IP address is on both ports If you disable MP verify tha...

Page 94: ......

Page 95: ...ddresses to clients as a tunnel is established Tunneling Protocols configuring PPTP L2TP IPSec LAN to LAN connections and IKE proposals IP Routing configuring static routes default gateways OSPF global DHCP and redundancy VRRP Management Protocols configuring and enabling built in servers for FTP HTTP HTTPS TFTP Telnet SNMP and SSL Events handling system events via logs FTP backup SNMP traps syslo...

Page 96: ......

Page 97: ...tor functions as a client of these servers Configuration System Servers This section of the Manager lets you configure the VPN Concentrator to communicate with servers for various functions Authentication Servers user authentication Accounting Servers RADIUS user accounting DNS Servers Domain Name System DHCP Servers Dynamic Host Configuration Protocol NTP Servers Network Time Protocol You can als...

Page 98: ...ddress or hostname TCP UDP port secret password etc The VPN Concentrator functions as the client of these servers The Cisco software CD ROM includes a 30 day evaluation copy of Funk Software s Steel Belted RADIUS authentication server and instructions for using it with the VPN Concentrator After you have configured an external authentication server you can also test it Testing sends a username and...

Page 99: ...will no longer be able to access the VPN unless another configured server can authenticate them To change the priority order for configured servers select the entry from the list and click Move or Move The Manager refreshes the screen and shows the reordered Authentication Servers list To test a configured external user authentication server select the server from the list and click Test The Manag...

Page 100: ...in this field otherwise enter an IP address Server Port Enter the UDP port number by which you access the server Enter 0 the default to have the system supply the default port number 1645 Timeout Enter the time in seconds to wait after sending a query to the server and receiving no response before trying again Minimum is 1 second default is 4 seconds maximum is 30 seconds Retries Enter the number ...

Page 101: ...Manager returns to the Configuration System Servers Authentication screen Any new server appears at the bottom of the Authentication Servers list Reminder To save the active configuration and make it the boot configuration click the Save Needed icon at the top of the Manager window To discard your entries click Cancel The Manager returns to the Configuration System Servers Authentication screen an...

Page 102: ...g PDC01 Maximum 16 characters You must enter this name and it must be the correct hostname for the server whose IP address you entered in Authentication Server Address above if it is incorrect authentication will fail Add or Apply Cancel To add the new server to the list of configured user authentication servers click Add Or to apply your changes to the configured server click Apply Both actions i...

Page 103: ... of times to retry sending a query to the server after the timeout period If there is still no response after this number of retries the VPN Concentrator declares this server inoperative and uses the next SDI authentication server in the list Minimum is 0 default is 2 maximum is 10 retries Add or Apply Cancel To add the new server to the list of configured user authentication servers click Add Or ...

Page 104: ... to include the entry in the active configuration click Add The Manager returns to the Configuration System Servers Authentication screen The new server appears at the bottom of the Authentication Servers list Reminder To save the active configuration and make it the boot configuration click the Save Needed icon at the top of the Manager window To discard your entry click Cancel The Manager return...

Page 105: ...Test This screen let you test a configured external user authentication server to determine that The VPN Concentrator is communicating properly with the authentication server The server correctly authenticates a valid user The server correctly rejects an invalid user Figure 5 8 Configuration System Servers Authentication Test screen User Name To test connectivity and valid authentication enter the...

Page 106: ...e Manager table of contents Authentication Server Test Authentication Rejected Error If the VPN Concentrator communicates correctly with the authentication server and the server correctly rejects an invalid user the Manager displays an Authentication Rejected Error screen Figure 5 10 Authentication Server Test Authentication Rejected Error screen To return to the Configuration System Servers Authe...

Page 107: ...main menu Configuration System Servers Accounting This section lets you configure external RADIUS user accounting servers which collect data on user connect time packets transmitted etc under the VPN tunneling protocols PPTP L2TP and IPSec You can configure and prioritize up to 10 accounting servers The first server is the primary and the rest are backup servers in case the primary is inoperative ...

Page 108: ... Add The Manager opens the Configuration System Servers Accounting Add screen To modify a configured user accounting server select the server from the list and click Modify The Manager opens the Configuration System Servers Accounting Modify screen Table 5 1 RADIUS accounting record attributes Start Record Stop Record User Name User Name Acct Status Type Acct Status Type Class Class Service Type S...

Page 109: ...ot configuration click the Save Needed icon at the top of the Manager window Configuration System Servers Accounting Add or Modify These screens let you Add Configure and add a new RADIUS user accounting server Modify Modify parameters for a configured RADIUS user accounting server Figure 5 13 Configuration System Servers Accounting Add or Modify screen Accounting Server Enter the IP address or ho...

Page 110: ...counting server click Apply Both actions include your entry in the active configuration The Manager returns to the Configuration System Servers Accounting screen Any new server appears at the bottom of the Accounting Servers list Reminder To save the active configuration and make it the boot configuration click the Save Needed icon at the top of the Manager window To discard your entries click Can...

Page 111: ...before sending them to a DNS server for resolution Primary DNS Server Enter the IP address of the primary DNS server using dotted decimal notation e g 192 168 12 34 Be sure this entry is correct to avoid DNS resolution delays Secondary DNS Server Enter the IP address of the secondary first backup DNS server using dotted decimal notation If the primary DNS server doesn t respond to a query within t...

Page 112: ...minder To save the active configuration and make it the boot configuration click the Save Needed icon at the top of the Manager window To discard your settings click Cancel The Manager returns to the Configuration System Servers screen Configuration System Servers DHCP This section of the Manager lets you configure Dynamic Host Configuration Protocol DHCP servers that assign IP addresses to client...

Page 113: ...lick Modify The Manager opens the Configuration System Servers DHCP Modify screen To remove a configured DHCP server select the server from the list and click Delete There is no confirmation or undo The Manager refreshes the screen and shows the remaining entries in the DHCP Servers list Note If you delete a DHCP server any IP addresses obtained from that server will eventually time out and the as...

Page 114: ...ick Apply Both actions include your entry in the active configuration The Manager returns to the Configuration System Servers DHCP screen Any new server appears at the bottom of the DHCP Servers list Reminder To save the active configuration and make it the boot configuration click the Save Needed icon at the top of the Manager window To discard your entries click Cancel The Manager returns to the...

Page 115: ...VPN Concentrator queries NTP servers to synchronize its clock with network time Figure 5 18 Configuration System Servers NTP Parameters screen Sync Frequency Enter the synchronization frequency in minutes Minimum is 0 which disables the NTP function default is 60 maximum is 10080 minutes 1 week Apply Cancel To apply your NTP parameter setting and include the setting in the active configuration cli...

Page 116: ...a hostname e g 192 168 12 34 If no servers have been configured the list shows Empty Add Modify Delete To configure a new NTP host server click Add The Manager opens the Configuration System Servers NTP Hosts Add screen To modify a configured NTP host select the host from the list and click Modify The Manager opens the Configuration System Servers NTP Hosts Modify screen To remove a configured NTP...

Page 117: ... this field otherwise enter an IP address Add or Apply Cancel To add this host to the list of configured NTP hosts click Add Or to apply your changes to a configured NTP host click Apply Both actions include your entry in the active configuration The Manager returns to the Configuration System Servers NTP Hosts screen Any new host appears at the bottom of the NTP Hosts list Reminder To save the ac...

Page 118: ......

Page 119: ... to the private network Furthermore we are dealing only with the private IP addresses that get assigned to clients The IP addresses assigned to other resources on your private network are part of your network administration responsibilities not part of VPN Concentrator management Therefore when we discuss IP addresses here we mean those IP addresses available in your private network addressing sch...

Page 120: ...ing here is consistent with the setting for Use Client Address on the PPTP L2TP Parameters tab on the Configuration User Management Base Group screen A different Use Client Address setting for specific groups and users overrides the setting here and on the base group screen See the Configuration User Management screens Use Address from Authentication Server Check this box to assign IP addresses re...

Page 121: ...rns to the Configuration Address Management screen Configuration System Address Management Pools This section of the Manager lets you configure IP address pools from which the VPN Concentrator assigns addresses to clients If you check Use Address Pools on the Configuration System Address Management Assignment screen above you must configure at least one address pool The IP addresses in the pools m...

Page 122: ...he Manager immediately includes your changes in the active configuration To save the active configuration and make it the boot configuration click the Save Needed icon at the top of the Manager window Configuration System Address Management Pools Add or Modify These screens let you Add a new pool of IP addresses from which the VPN Concentrator assigns addresses to clients Modify an IP address pool...

Page 123: ... entry in the active configuration The Manager returns to the Configuration System Address Management Pools screen Any new pool appears at the end of the IP Pool Entry list Reminder To save the active configuration and make it the boot configuration click the Save Needed icon at the top of the Manager window To discard your entries click Cancel The Manager returns to the Configuration System Addre...

Page 124: ......

Page 125: ...ncapsulate them create a tunnel and send them to the other end of the tunnel where they are unencapsulated and sent to their final destination or it can receive encapsulated packets from the public network unencapsulate them and send them to their final destination on the private network The VPN Concentrator supports the three most popular VPN tunneling protocols PPTP Point to Point Tunneling Prot...

Page 126: ...P This screen lets you configure system wide PPTP Point to Point Tunneling Protocol parameters The PPTP protocol defines mechanisms for establishing and controlling the tunnel but uses Generic Routing Encapsulation GRE for data transfer PPTP is a client server protocol The VPN Concentrator always functions as a PPTP Network Server PNS and supports remote PC clients The PPTP tunnel extends all the ...

Page 127: ...om Cisco personnel Enabled Check the box to enable PPTP system wide functions on the VPN Concentrator or clear it to disable The box is checked by default Caution Disabling PPTP terminates any active PPTP sessions Maximum Tunnel Idle Time Enter the time in seconds to wait before disconnecting an established PPTP tunnel with no active sessions An open tunnel consumes system resources Enter 0 to dis...

Page 128: ...l Enter the maximum number of sessions allowed per PPTP tunnel Minimum is 0 maximum depends on the VPN Concentrator model e g Model 3060 5000 Enter 0 for unlimited sessions the default Packet Processing Delay Enter the packet processing delay for PPTP flow control This parameter is sent to the client in a PPTP control packet Entries are in units of 100 milliseconds 0 1 second Maximum is 65535 defa...

Page 129: ...rom PPTP and L2F Layer 2 Forwarding and is regarded as a successor to both The L2TP protocol defines mechanisms both for establishing and controlling the tunnel and for transferring data The VPN Concentrator always functions as a L2TP Network Server LNS and supports remote PC clients The L2TP tunnel extends all the way from the PC to the VPN Concentrator When the client PC is running Windows 2000 ...

Page 130: ...em can receive and buffer Minimum is 1 maximum is 16 and default is 4 packets Control Retransmit Interval Enter the time in seconds to wait before retransmitting an unacknowledged L2TP tunnel control message to the remote client Minimum is 1 the default and maximum is 10 seconds Control Retransmit Limit Enter the number of times to retransmit L2TP tunnel control packets before assuming that the re...

Page 131: ... In IPSec terminology a peer is a remote access client or another secure gateway During tunnel establishment under IPSec the two peers negotiate Security Associations that govern authentication encryption encapsulation key management etc These negotiations involve two phases first to establish the tunnel the IKE SA and second to govern traffic within the tunnel the IPSec SA In IPSec LAN to LAN con...

Page 132: ... which correspondingly route secure traffic to and from many hosts on their private LANs There is no user configuration or authentication in a LAN to LAN connection all hosts configured on the private networks can access hosts on the other side of the connection at any time If you have a WAN connection as the public interface you still use this section to configure a LAN to WAN connection To fully...

Page 133: ...he Manager displays the Configuration System Tunneling Protocols IPSec LAN to LAN No Public Interfaces screen To modify the parameters of a configured connection select the connection from the list and click Modify See the Configuration System Tunneling Protocols IPSec LAN to LAN Modify screen To delete a configured connection select the connection from the list and click Delete There is no confir...

Page 134: ...ure 7 6 Configuration System Tunneling Protocols IPSec LAN to LAN No Public Interfaces screen Click the highlighted link to configure the desired public interface The Manager opens the appropriate Configuration Interfaces screen Configuration System Tunneling Protocols IPSec LAN to LAN Add or Modify These screens let you Add Configure and add a new IPSec LAN to LAN connection Modify Modify paramet...

Page 135: ...s with the Apply IPSec action one inbound one outbound named L2L Name In and L2L Name Out Creates or modifies an IPSec Security Association named L2L Name Applies these rules to the filter on the public interface and applies the SA to the rules If the public interface doesn t have a filter it applies the Public default filter with the rules above Creates or modifies a group named with the Peer IP ...

Page 136: ...n as you click Apply If client sessions are using this connection changes delete the tunnel and the sessions without warning Name Enter a unique descriptive name for this connection Maximum 32 characters Since the created rules and SA use this name we recommend that you keep it short Interface Add screen Click the drop down menu button and select the configured public interface on this VPN Concent...

Page 137: ...not a manual encryption or authentication key The system automatically generates those session keys Authentication This parameter specifies the data or packet authentication algorithm Packet authentication proves that data comes from whom you think it comes from it is often referred to as data integrity in VPN literature The IPSec ESP Encapsulating Security Payload protocol provides both encryptio...

Page 138: ...ork addresses on each side of the LAN to LAN connection This feature uses RIP and Inbound RIP RIPv2 v1 must be enabled on the Ethernet 1 Private interface of both VPN Concentrators See Configuration Interfaces If you check this box skip the Local and Remote Network parameters below they are ignored Network autodiscovery is not allowed on a WAN interface Local Network These entries identify the pri...

Page 139: ...r whose hosts can use the LAN to LAN connection These entries must match those in the Local Network section on the peer VPN Concentrator Network List Click the drop down menu button and select the configured network list that specifies the remote network addresses A network list is a list of network addresses that are treated as a single object See the Configuration Policy Management Traffic Manag...

Page 140: ...the active configuration To save the active configuration and make it the boot configuration click the Save Needed icon at the top of the Manager window To discard your entries click Cancel The Manager returns to the Configuration System Tunneling Protocols IPSec LAN to LAN screen and the LAN to LAN Connection list is unchanged Configuration System Tunneling Protocols IPSec LAN to LAN Add Local or...

Page 141: ...Local Network List screen edit this name after the system generates the network list Network List Enter the networks in this network list Enter each network on a single line using the format n n n n w w w w where n n n n is a network IP address and w w w w is a wildcard mask Note Enter a wildcard mask which is the reverse of a subnet mask A wildcard mask has 1s in bit positions to ignore 0s in bit...

Page 142: ... Configuration System Tunneling Protocols IPSec LAN to LAN Add Done screen Configuration System Tunneling Protocols IPSec LAN to LAN Add Done The Manager displays this screen when you have finished configuring all parameters for a new IPSec LAN to LAN connection It documents the added configuration entities The Manager displays this screen only once We suggest you print a copy of the screen to sav...

Page 143: ...oritize IKE proposals which are sets of parameters for Phase 1 IPSec negotiations During Phase 1 the two peers establish a secure tunnel within which they then negotiate the Phase 2 parameters The VPN Concentrator uses IKE proposals both as initiator and responder in IPSec negotiations In LAN to LAN connections the VPN Concentrator can function as initiator or responder In client to LAN connection...

Page 144: ... by default Inactive by default Inactive by default Authentication Mode Preshared Keys Preshared Keys Preshared Keys RSA Digital Certificate DSA Digital Certificate RSA Digital Certificate Authentication Algorithm MD5 HMAC 128 MD5 HMAC 128 MD5 HMAC 128 MD5 HMAC 128 SHA HMAC 160 MD5 HMAC 128 Encryption Algorithm 3DES 168 3DES 168 DES 56 3DES 168 3DES 168 3DES 168 Diffie Hellman Group Group 2 1024 b...

Page 145: ...t activate IKE 3DES MD5 RSA Also see the Configuration User Management screens Activate To activate an inactive IKE proposal select it from the Inactive Proposals list and click this button The Manager moves the proposal to the Active Proposals list and refreshes the screen Deactivate To deactivate an active IKE proposal select it from the Active Proposals list and click this button If the active ...

Page 146: ...oposals or Inactive Proposals and click this button If an active proposal is configured on a Security Association the Manager displays an error message and you must remove it from the SA before you can delete it Otherwise there is no confirmation or undo The Manager refreshes the screen and shows the remaining IKE proposals in the list Reminder The Manager immediately includes your changes in the ...

Page 147: ...tication proves that the connecting entity is who you think it is If you select one of the digital certificate modes an appropriate digital certificate must be installed on this VPN Concentrator and the remote client or peer See the discussion under Administration Certificate Management Click the drop down menu button and select the method Preshared Keys Use preshared keys the default The keys are...

Page 148: ...r numbers in a mathematical relationship Click the drop down menu button and select the group Group 1 768 bits Use Diffie Hellman Group 1 to generate IPSec SA keys where the prime and generator numbers are 768 bits Select this option if you select DES 56 under Encryption Algorithm above Group 2 1024 bits use Diffie Hellman Group 2 to generate IPSec SA keys where the prime and generator numbers are...

Page 149: ...r Apply The Manager returns to the Configuration System Tunneling Protocols IPSec IKE Proposals screen To use the new proposal you must activate and prioritize it as explained for that screen Modify screen To apply your changes to this IKE proposal click Apply The Manager returns to the Configuration System Tunneling Protocols IPSec IKE Proposals screen If you modify an active proposal changes do ...

Page 150: ......

Page 151: ...ets are not encrypted it routes them according to the configured IP routing parameters To route packets the subsystem uses learned routes first learned from RIP and OSPF then static routes then uses the default gateway If you don t configure the default gateway the subsystem drops packets that it can t otherwise route The VPN Concentrator also provides a tunnel default gateway which is a separate ...

Page 152: ...t Configuration Protocol global parameters Redundancy Virtual Router Redundancy Protocol parameters You configure RIP and interface specific OSPF parameters on the network interfaces click the highlighted link to go to the Configuration Interfaces screen Figure 8 1 Configuration System IP Routing screen Configuration System IP Routing Static Routes This section of the Manager lets you configure st...

Page 153: ...ic Routes Modify screen If you select the default gateway the Manager opens the Configuration System IP Routing Default Gateways screen To delete a configured static route select the route from the list and click Delete There is no confirmation or undo The Manager refreshes the screen and shows the remaining static routes in the list You cannot delete the default gateways here to do so see the Con...

Page 154: ...etric so the system will use it only if all high speed routes are unavailable Destination Click a radio button to select the outbound destination for these packets You can select only one destination either a specific router gateway or a VPN Concentrator interface Router Address Enter the IP address of the specific router or gateway to which to route these packets that is the IP address of the nex...

Page 155: ...ation address it tries to route the packet to the tunnel default gateway first If that route isn t configured it uses the regular default gateway Figure 8 4 Configuration System IP Routing Default Gateways screen Default Gateway Enter the IP address of the default gateway or router Use dotted decimal notation e g 192 168 12 77 This address must not be the same as the IP address configured on any V...

Page 156: ...onfiguration click Apply The Manager returns to the Configuration System IP Routing screen If you configure a Default Gateway it also appears in the Static Routes list on the Configuration System IP Routing Static Routes screen Reminder To save the active configuration and make it the boot configuration click the Save Needed icon at the top of the Manager window To discard your entries click Cance...

Page 157: ...vention however this identifier is the same as the IP address of the interface that is connected to the OSPF router network Enter the router ID in the field using dotted decimal IP address format e g 10 10 4 6 The default entry is 0 0 0 0 no router configured If you enable the OSPF router you must enter an ID Once you configure and apply a router ID you must disable OSPF above before you can chang...

Page 158: ...e see Configuration Interfaces Those area identifiers appear in the OSPF Area list on this screen Figure 8 6 Configuration System IP Routing OSPF Areas screen OSPF Area The OSPF Area list shows identifiers for all areas that are connected to this VPN Concentrator OSPF router The format is the same as a dotted decimal IP address e g 10 10 0 0 The default entry is 0 0 0 0 which identifies a special ...

Page 159: ...y screen Area ID Add Enter the area ID in the field using IP address dotted decimal notation e g 10 10 0 0 The default entry is 0 0 0 0 the backbone Modify Once you have configured an area ID you cannot change it See note above The Area ID identifies the subnet area within the OSPF Autonomous System or domain While its format is the same as an IP address it functions only as an identifier and not ...

Page 160: ...nder To save the active configuration and make it the boot configuration click the Save Needed icon at the top of the Manager window To discard your entries click Cancel The Manager returns to the Configuration System IP Routing OSPF Areas screen and the OSPF Area list is unchanged Configuration System IP Routing DHCP This screen lets you configure DHCP Dynamic Host Configuration Protocol paramete...

Page 161: ... which is the well known port To ensure proper communication with DHCP servers we strongly recommend that you not change this default Timeout Period Enter the initial time in seconds to wait for a response to a DHCP request before sending the request to the next configured DHCP server Minimum is 1 default is 2 maximum is 10 seconds This time doubles with each cycle through the list of configured D...

Page 162: ...ems A Backup system acts as a virtual Master system when a switchover occurs VRRP works only on LAN Ethernet interfaces not on WAN interfaces This feature supports user access via IPSec LAN to LAN connections IPSec client single user remote access connections and PPTP client connections For IPSec LAN to LAN connections switchover is fully automatic Users need do nothing For single user IPSec and P...

Page 163: ...m in this group the default selection Be sure to configure only one Master system in a group with a given Group ID Backup 1 through Backup 5 This is a Backup system in this group Advertisement Interval Enter the time interval in seconds between VRRP advertisements to other systems in this group Only the Master system sends advertisements this field is ignored on Backup systems while they remain Ba...

Page 164: ...ters in this group Apply Cancel To apply the settings for VRRP and to include your settings in the active configuration click Apply The Manager returns to the Configuration System IP Routing screen Reminder To save the active configuration and make it the boot configuration click the Save Needed icon at the top of the Manager window To discard your entries click Cancel The Manager returns to the C...

Page 165: ... Protocols This section of the Manager lets you configure and enable built in VPN Concentrator servers that provide management functions using FTP File Transfer Protocol HTTP HTTPS Hypertext Transfer Protocol and HTTP over SSL Secure Sockets Layer protocol TFTP Trivial File Transfer Protocol Telnet terminal emulation protocol and Telnet over SSL SNMP Simple Network Management Protocol SNMP Communi...

Page 166: ...Protocols FTP screen Enable Check the box to enable the FTP server The box is checked by default Disabling the FTP server provides additional security Port Enter the port number that the FTP server uses The default is 21 which is the well known port Changing the port number provides additional security Maximum Connections Enter the maximum number of concurrent control connections sessions that the...

Page 167: ... with the other protocol if it is enabled and configured If you disable both HTTP and HTTPS you cannot use a Web browser to connect to the VPN Concentrator Use the Cisco Command Line Interface from the console or a Telnet session Related information For information on installing the SSL digital certificate in your browser and connecting via HTTPS see Chapter 1 Using the VPN 3000 Concentrator Serie...

Page 168: ...rrent HTTP HTTPS connection click Apply If HTTP or HTTPS is still enabled the Manager returns to the main login screen If both HTTP and HTTPS are disabled you can no longer use the Manager Reminder To save the active configuration and make it the boot configuration click the Save Needed icon at the top of the Manager window To discard your settings click Cancel The Manager returns to the Configura...

Page 169: ...us connections that the TFTP server allows Minimum is 1 default is 5 maximum is 20 Timeout Enter the timeout in seconds for inactive TFTP connections Minimum is 1 default is 10 maximum is 30 seconds Change the default value only if you have problems with TFTP transfers Apply Cancel To apply your TFTP settings and to include your settings in the active configuration click Apply The Manager returns ...

Page 170: ...ty Crypto SSLapps for ssltel02 zip an SSL Telnet for Windows shareware application Please note that we mention this application for information only and that Cisco Systems does not supply support or endorse it in any way See the Configuration System Management Protocols SSL screen to configure SSL parameters See the Administration Certificate Management Certificates screen to manage the SSL digita...

Page 171: ...ation click the Save Needed icon at the top of the Manager window To discard your settings click Cancel The Manager returns to the Configuration System Management Protocols screen Configuration System Management Protocols SNMP This screen lets you configure and enable the VPN Concentrator s SNMP Simple Network Management Protocol server When the server is enabled you can use an SNMP client to coll...

Page 172: ...nt Protocols screen Reminder To save the active configuration and make it the boot configuration click the Save Needed icon at the top of the Manager window To discard your settings click Cancel The Manager returns to the Configuration System Management Protocols screen Configuration System Management Protocols SNMP Communities This section of the Manager lets you configure and manage SNMP communi...

Page 173: ...stem Management Protocols SNMP Communities Add screen To modify a configured community string select the string from the list and click Modify The Manager opens the Configuration System Management Protocols SNMP Communities Modify screen To delete a configured community string select the string from the list and click Delete There is no confirmation or undo The Manager refreshes the screen and sho...

Page 174: ...t configuration click the Save Needed icon at the top of the Manager window To discard your entry or changes click Cancel The Manager returns to the Configuration System Management Protocols SNMP Communities screen and the Community Strings list is unchanged Configuration System Management Protocols SSL This screen lets you configure the VPN Concentrator SSL Secure Sockets Layer protocol server Th...

Page 175: ...nager if you click Apply on this screen even if you have made no changes you will break your connection to the Manager and you must restart the Manager session from the login screen Related information For information on installing the SSL digital certificate in your browser and connecting via HTTPS see Chapter 1 Using the VPN 3000 Concentrator Series Manager To configure HTTPS parameters see the ...

Page 176: ...uthentication The box is not checked by default In the most common SSL connection the client authenticates the server not vice versa Client authentication requires personal certificates installed in the browser and trusted certificates installed in the server Specifically the VPN Concentrator must have a root CA certificate installed and a certificate signed by one of the VPN Concentrator s truste...

Page 177: ...12 bit RSA Key This key size provides sufficient security It is the most common and requires the least processing 768 bit RSA Key This key size provides normal security and is the default selection It requires approximately 2 to 4 times more processing than the 512 bit key 1024 bit RSA Key This key size provides high security It requires approximately 4 to 8 times more processing than the 512 bit ...

Page 178: ......

Page 179: ...tem trap Event attributes include class and severity level Event class Event class denotes the source of the event and refers to a specific hardware or software subsystem within the VPN Concentrator Table 10 1 describes the event classes Table 10 1 VPN Concentrator event classes Class name Class description event source Cisco specific event class AUTH Authentication AUTHDBG Authentication debuggin...

Page 180: ...DWAREMON Hardware monitoring fans temperature voltages etc HDLC HDLC SYNC driver for WAN module HTTP HTTP subsystem HWDIAG Hardware diagnostics for WAN module IKE ISAKMP Oakley IKE subsystem IKEDBG ISAKMP Oakley IKE debugging IKEDECODE ISAKMP Oakley IKE decoding IP IP router subsystem IPDBG IP router debugging IPDECODE IP packet decoding IPSEC IP Security subsystem IPSECDBG IP Security debugging I...

Page 181: ...TP PPTP subsystem PPTPDBG PPTP debugging PPTPDECODE PPTP decoding PSH Operating system command shell PSOS Embedded real time operating system QUEUE System queue REBOOT System rebooting RM Resource Manager subsystem SMTP SMTP event handling SNMP SNMP trap subsystem SSL SSL subsystem SYSTEM Buffer heap and other system utilities T1E1 T1 E1 ports on WAN module TCP TCP subsystem TELNET Telnet subsyste...

Page 182: ...nd that you avoid logging these events unless Cisco requests it The VPN Concentrator by default displays all events of severity level 1 through 3 on the console It writes all events of severity level 1 through 5 to the event log You can change these defaults on the Configuration System Events General screen and you can configure specific events for special handling on the Configuration System Even...

Page 183: ...ther to save the event log to a file in flash memory when it is full when it wraps And if so The format of the information in the saved log file Whether to automatically send a copy of the saved log file via FTP to a remote system Event log data Each entry record in the event log consists of several fields including A sequence number Date and time Event severity level Event class and number Event ...

Page 184: ...that starts with 00001 and restarts after 99999 The sequence numbers continue through reboots For example if four log files have already been saved the next one saved after a reboot is LOG00005 TXT If flash memory has less than 2 56 MB of free space the system deletes the oldest log file s to make room for the newest saved log file It also generates an event that notes the deletion If there are no...

Page 185: ...t checked by default To use this option you must also check Save Log on Wrap above This option copies the log file but does not delete it from the VPN Concentrator If you check this box you must also configure FTP destination system parameters on the Configuration System Events FTP Backup screen Email Source Address Enter the address to put in the From field of an emailed event message Enter up to...

Page 186: ...figuration System Events SMTP Servers screens and you must configure email recipients on the Configuration System Events Email Recipients screens You should also configure the Email Source Address above Severity to Trap Click the drop down menu button and select the range of event severity levels to send to an SNMP network management system by default Event messages sent to SNMP systems are called...

Page 187: ...s on a remote computer If you enable FTP Saved Log on Wrap on the Configuration System Events General screen you must configure the FTP parameters on this screen The VPN Concentrator acts as an FTP client when executing this function Figure 10 3 Configuration System Events FTP Backup screen FTP Server Enter the IP address or hostname of the destination computer to receive copies of saved event log...

Page 188: ...ndling You can thus override the general or default handling of event classes For example you might want to send email for HARDWAREMON events of severity 1 2 whereas default event handling doesn t send any email Event classes denote the source of an event and refer to a specific hardware or software subsystem within the VPN Concentrator Table 10 1 describes the event classes Figure 10 4 Configurat...

Page 189: ...y To remove an event class that has been configured for special handling select the event class from the list and click Delete There is no confirmation or undo The Manager refreshes the screen and shows the remaining entries in the list Reminder The Manager immediately includes your changes in the active configuration To save the active configuration and make it the boot configuration click the Sa...

Page 190: ...rop down menu button and select the range of event severity levels to enter in the event log Choices are None 1 1 2 1 3 1 13 The default is 1 5 events of severity level 1 through severity level 5 are entered in the event log Severity to Console Click the drop down menu button and select the range of event severity levels to display on the console Choices are None 1 1 2 1 3 1 13 The default is 1 3 ...

Page 191: ...to SNMP systems are called traps Choices are None 1 1 2 1 3 1 4 1 5 The default is None no events are sent as SNMP traps If you select any severity levels to send you must also configure SNMP destination system parameters on the Configuration System Events Trap Destinations screens To configure well known SNMP traps see Table 10 3 under Severity to Trap for Configuration System Events General Add ...

Page 192: ...eceive any events you must also configure the NMS to see the VPN Concentrator as a managed device or agent in the NMS domain Figure 10 6 Configuration System Events Trap Destinations screen Trap Destinations The Trap Destinations list shows the SNMP network management systems that have been configured as destinations for event trap messages and the SNMP protocol version associated with each destin...

Page 193: ... Events Trap Destinations Add or Modify screen Destination Enter the IP address or hostname of the SNMP network management system that is a destination for event trap messages If you have configured a DNS server you can enter a hostname otherwise enter an IP address SNMP Version Click the drop down menu button and select the SNMP protocol version to use when formatting traps to this destination Ch...

Page 194: ... Manager window To discard your settings click Cancel The Manager returns to the Configuration System Events Trap Destinations screen and the Trap Destinations list is unchanged Configuration System Events Syslog Servers This section of the Manager lets you configure UNIX syslog servers as recipients of event messages Syslog is a UNIX daemon or background process that records events The VPN Concen...

Page 195: ...rom the list and click Delete There is no confirmation or undo The Manager refreshes the screen and shows the remaining entries in the list Reminder The Manager immediately includes your changes in the active configuration To save the active configuration and make it the boot configuration click the Save Needed icon at the top of the Manager window Configuration System Events Syslog Servers Add or...

Page 196: ... configuration The Manager returns to the Configuration System Events Syslog Servers screen Any new server appears in the Syslog Servers list Reminder To save the active configuration and make it the boot configuration click the Save Needed icon at the top of the Manager window To discard your entries click Cancel The Manager returns to the Configuration System Events Syslog Servers screen and the...

Page 197: ...ers Add To modify a configured SMTP server select the server from the list and click Modify See Configuration System Events SMTP Servers Modify To remove a configured SMTP server select the server from the list and click Delete There is no confirmation or undo The Manager refreshes the screen and shows the remaining entries in the SMTP Servers list To change the order in which the system accesses ...

Page 198: ... Servers list Reminder To save the active configuration and make it the boot configuration click the Save Needed icon at the top of the Manager window To discard your entry click Cancel The Manager returns to the Configuration System Events SMTP Servers screen and the SMTP Servers list is unchanged Configuration System Events Email Recipients This section of the Manager lets you configure email re...

Page 199: ...s have been configured the list shows Empty Add Modify Delete To configure a new email recipient click Add See Configuration System Events Email Recipients Add To modify an email recipient who has been configured select the recipient from the list and click Modify See Configuration System Events Email Recipients Modify To remove an email recipient who has been configured select the recipient from ...

Page 200: ...of event severity levels to send to this recipient via email Choices are None 1 1 2 1 3 The default is 1 3 configured events of severity level 1 through severity level 3 are sent to this recipient The event levels emailed to this recipient are the lesser of the Severity to Email setting for a customized event class or this Max Severity setting If an event class has not been customized the events e...

Page 201: ...in the active configuration The Manager returns to the Configuration System Events Email Recipients screen Any new recipient appears at the bottom of the Email Recipients list Reminder To save the active configuration and make it the boot configuration click the Save Needed icon at the top of the Manager window To discard your entry click Cancel The Manager returns to the Configuration System Even...

Page 202: ......

Page 203: ... Concentrator environment items system identification time and date Configuration System General This section of the Manager lets you configure general VPN Concentrator parameters Identification system name contact person system location Time and Date system time and date Figure 11 1 Configuration System General screen ...

Page 204: ... VPN Concentrator on your network e g VPN01 Maximum 255 characters Contact Enter the name of the contact person who is responsible for this VPN Concentrator Maximum 255 characters Location Enter the location of this VPN Concentrator Maximum 255 characters Apply Cancel To apply your system identification settings and include them in the active configuration click Apply The Manager returns to the Co...

Page 205: ... Zone Click the drop down menu buttons to select AM PM Month and Time Zone The time zone selections are offsets in hours relative to GMT Greenwich Mean Time which is the basis for Internet time synchronization Enter the Year as a four digit number Enable DST Support To enable DST support check the box During DST Daylight Saving Time clocks are set one hour ahead of standard time Enabling DST suppo...

Page 206: ......

Page 207: ...other parts Further you might allow specific users within MIS to access systems that other MIS users cannot access You can configure detailed parameters for groups and users on the VPN Concentrator internal authentication server External RADIUS authentication servers also can return group and user parameters that match those on the VPN Concentrator other authentication servers do not The Cisco sof...

Page 208: ...eters groups and users rights can be greater than the base group For example you can give a specific user 24 hour access to the VPN but give the base group access during business hours only To use both IPSec and L2TP over IPsec protocols for remote access a user must be assigned to different groups since the IPSec parameters differ You apply filters to groups and users and thus govern tunneled dat...

Page 209: ...the base group On this screen you configure three kinds of parameters General Parameters security access performance and protocols IPSec Parameters IP Security tunneling protocol PPTP L2TP Parameters PPTP and L2TP tunneling protocols Before configuring these parameters you should configure Access Hours Configuration Policy Management Access Hours Rules and filters Configuration Policy Management T...

Page 210: ... the drop down menu button and select the named hours when remote access users can access the VPN Concentrator Configure access hours on the Configuration Policy Management Access Hours screen Default entries are No Restrictions No named access hours applied the default which means that there are no restrictions on access hours Never No access at any time Business Hours Access 9 a m to 5 p m Monda...

Page 211: ...ears To disable timeout and allow an unlimited idle period enter 0 Maximum Connect Time Enter the maximum user connection time in minutes At the end of this time the system terminates the connection The minimum is 1 minute and the maximum is 2147483647 minutes over 4000 years To allow unlimited connection time enter 0 the default Filter Filters consist of rules that determine whether to allow or r...

Page 212: ...on Processing modules that handle encryption functions which are compute intensive Two SEP modules handle up to 5000 sessions users the system maximum Two additional modules can provide automatic failover for the first two This parameter lets you configure the load on each SEP module Check the box to assign the load to a given SEP module By default all boxes are checked and we recommend you keep t...

Page 213: ...ss clients Note If no protocol is selected no user clients can access or use the VPN Figure 12 3 Configuration User Management Base Group screen IPSec tab IPSec Parameters tab This tab lets you configure IP Security Protocol parameters that apply to the base group If you checked IPSec or L2TP over IPSec under Tunneling Protocols on the General Parameters tab configure this section IPSec SA Click t...

Page 214: ...IKE tunnel ESP L2TP TRANSPORT This SA uses DES 56 bit data encryption and ESP MD5 HMAC 128 authentication for IPSec traffic with ESP applied only to the transport layer segment and it uses Triple DES 168 bit data encryption and MD5 HMAC 128 for the IKE tunnel Use this SA with the L2TP over IPSec tunneling protocol Additional SAs that you have configured also appear on the list Tunnel Type Click th...

Page 215: ...This option exchanges configuration parameters with the client while negotiating Security Associations If you check this box configure the desired Mode Configuration Parameters below otherwise ignore them The box is checked by default To use split tunneling you must check this box If you checked L2TP over IPSec under Tunneling Protocols do not check this box Notes IPSec uses Mode Configuration to ...

Page 216: ...ngle user remote access IPSec tunnels not to LAN to LAN connections Split tunneling decisions depend on the destination network address hence the use of Network Lists A Network List is a list of addresses on the private network The IPSec client uses the Network List as an inclusion list a list of networks for which traffic should be sent over the IPSec tunnel All other traffic is routed as normal ...

Page 217: ...T This feature is proprietary it applies only to remote access connections and it requires Mode Configuration Using this feature may slightly degrade system performance Enabling this feature creates runtime filter rules that forward UDP traffic for the configured port even if other filter rules on the interface drop UDP traffic These runtime rules exist only while there is an active IPsec through ...

Page 218: ...address that the client supplies A client must have an IP address to function as a tunnel endpoint but for maximum security we recommend that you control IP address assignment and not allow client supplied IP addresses the default Make sure the setting here is consistent with the setting for Use Client Address on the Configuration System Address Management Assignment screen PPTP Authentication Pro...

Page 219: ...server supports this protocol but external authentication servers do not If you check Required under PPTP Encryption below you must allow one or both MSCHAP protocols and no other PPTP Encryption Check the boxes for the data encryption options that apply to PPTP clients Required During connection setup PPTP clients must agree to use Microsoft encryption MPPE to encrypt data or they will not be con...

Page 220: ...is allowed by default If you check Required under L2TP Encryption below you must allow one or both MSCHAP protocols and no other MSCHAPv2 Microsoft Challenge Handshake Authentication Protocol version 2 This protocol is even more secure than MSCHAPv1 It requires mutual client server authentication uses session unique keys for data encryption by MPPE and derives different encryption keys for the sen...

Page 221: ...ft encryption MPPE uses this algorithm This option is not checked by default If you check Required you must check this option and or the 40 bit option The U S government restricts the distribution of 128 bit encryption software Apply Cancel When you finish setting base group parameters on all tabs click Apply at the bottom of the screen to include your settings in the active configuration The Mana...

Page 222: ... link to the Configuration System Servers Authentication screen The system also automatically configures the internal server when you add the first internal group Configuring external groups means configuring them on an external authentication server such as RADIUS or NT Domain Note If a RADIUS server is configured to return the Class attribute 25 the VPN Concentrator uses that attribute to authen...

Page 223: ...ured select the group from the list and click Delete There is no confirmation or undo The Manager refreshes the screen and shows the remaining groups in the list When you delete a group all its members revert to the base group Deleting a group however does not delete its members user profiles You cannot delete a group that is configured as part of a LAN to LAN connection See the Configuration Syst...

Page 224: ...ration User Management Base Group screen On this screen you configure four kinds of parameters Identity Parameters name password and type General Parameters security access performance and protocols IPSec Parameters IP Security tunneling protocol PPTP L2TP Parameters PPTP and L2TP tunneling protocols Using the tabs This screen includes four tabbed sections Click each tab to display its parameters ...

Page 225: ...Verify Re enter the group password to verify it The field displays only asterisks Type Click the drop down menu button and select the authentication server type authentication method for this group Internal Use the internal VPN Concentrator authentication server This is the default selection If you select this type configure the parameters on the other tabs on this screen The VPN Concentrator auto...

Page 226: ... This tab lets you configure general security access performance and tunneling protocol parameters that apply to this internally configured group Value Inherit On this tabbed section The Inherit check box refers to base group parameters Does this specific group inherit the given setting from the base group To inherit the setting check the box default To override the base group ...

Page 227: ...named access hours that you have configured also appear on the list Simultaneous Logins Enter the number of simultaneous logins permitted for a single user in this group The minimum is 0 which disables login and prevents user access While there is no maximum limit allowing several could compromise security and affect performance Minimum Password Length Enter the minimum number of characters for th...

Page 228: ... default filter for the public Ethernet interface External Default No rules applied to this filter Drop all packets This is the default filter for the external Ethernet interface Additional filters that you have configured also appear on the list Note on DNS and WINS entries below If the base group uses DNS or WINS and this group uses the base group setting check the appropriate Inherit box the de...

Page 229: ...ters on the IPSec or PPTP L2TP tabs as appropriate Clients can use only the selected protocols You cannot check both IPSec and L2TP over IPsec The IPSec parameters differ for these two protocols and you cannot configure a single group for both PPTP Point to Point Tunneling Protocol PPTP is a client server protocol and it is popular with Microsoft clients Microsoft Dial Up Networking DUN 1 2 and 1 ...

Page 230: ...agement Groups Add or Modify Internal screen IPSec tab IPSec Parameters tab This tab lets you configure IP Security Protocol parameters that apply to this internally configured group If you checked IPSec or L2TP over IPSec under Tunneling Protocols on the General Parameters tab configure this section ...

Page 231: ...reens To use IPSec with remote access clients you must assign an SA With IPSec LAN to LAN connections the system ignores this selection and uses parameters from the Configuration System Tunneling Protocols IPSec LAN to LAN screens The VPN Concentrator supplies these default selections None No SA assigned ESP DES MD5 This SA uses DES 56 bit data encryption for both the IKE tunnel and IPSec traffic ...

Page 232: ...down menu button and select the user authentication method authentication server type to use with this group s remote access IPSec clients This selection identifies the authentication method not the specific server Configure authentication servers on the Configuration System Servers Authentication screens Selecting any authentication method other than None enables ISAKMP Extended Authentication al...

Page 233: ...Check the box to allow this group s IPSec clients to store their login passwords on their local client systems If you do not allow password storage IPSec users must enter their password each time they seek access to the VPN For maximum security we recommend that you not allow password storage Split Tunneling Network List Click the drop down menu button and select the Network List to use for split ...

Page 234: ...out IPSec through NAT under Configuration User Management Base Group on page 12 11 Figure 12 9 Configuration User Management Groups Add or Modify Internal screen PPTP L2TP tab PPTP L2TP Parameters tab This section of the screen lets you configure PPTP and L2TP parameters that apply to this internally configured group During tunnel establishment the client and server negotiate access and usage base...

Page 235: ...P Authentication Protocols Check the boxes for the authentication protocols that this group s PPTP clients can use To establish and use a VPN tunnel users should be authenticated according to some protocol Caution Unchecking all authentication options means that no authentication is required That is PPTP users can connect with no authentication This configuration is allowed so you can test connect...

Page 236: ... changed on every packet otherwise the keys are changed after some number of packets or whenever a packet is lost Stateless encryption is more secure but it requires more processing However it might perform better in a lossy environment where packets are lost such as the Internet 40 bit This group s PPTP clients are allowed to use the RSA RC4 encryption algorithm with a 40 bit key This is signific...

Page 237: ... or they will not be connected If you check this option you must also allow only MSCHAPv1 and or MSCHAPv2 under L2TP Authentication Protocols above and you must also check 40 bit and or 128 bit here Require Stateless During connection setup this group s L2TP clients must agree to use stateless encryption to encrypt data or they will not be connected With stateless encryption the encryption keys ar...

Page 238: ...ion User Management Groups on page 12 16 Password Enter a unique password for this group Minimum is 4 maximum is 32 characters case sensitive The field displays only asterisks Verify Re enter the group password to verify it The field displays only asterisks Type Click the drop down menu button and select the authentication server type for the group Internal To change this group to use the internal...

Page 239: ...e access usage and authentication parameters for users Users inherit parameters from the specific group to which they belong Configuring users in this section means configuring them in the VPN Concentrator internal authentication server If you have not configured the internal authentication server this screen displays a notice that includes a link to the Configuration System Servers Authentication...

Page 240: ...er The screen title identifies the user you are modifying For many of these parameters you can simply specify that the user inherit parameters from a group and a user can be assigned either to a configured group or to the base group Users who are not members of a configured group are by default members of the base group On this screen you configure four kinds of parameters Identity Parameters name...

Page 241: ... this name this user profile replaces the existing profile Password Enter a unique password for this user The minimum length must satisfy the minimum for the group to which you assign this user base group or specific group Maximum is 32 characters case sensitive The field displays only asterisks Verify Re enter the user password to verify it The field displays only asterisks Group Click the drop d...

Page 242: ...on Server on the Configuration System Address Management Assignment screen Otherwise leave this field blank Subnet Mask Enter the subnet mask in dotted decimal notation assigned to this user Enter this mask only if you configure an IP address above otherwise leave this field blank Figure 12 13 Configuration User Management Users Add or Modify screen General tab General Parameters tab This tab lets...

Page 243: ...e this box before continuing and be sure its setting reflects your intent Access Hours Click the drop down menu button and select the named hours when this user can access the VPN Concentrator Configure access hours on the Configuration Policy Management Access Hours screen Default entries are No Restrictions No named access hours applied which means that there are no restrictions on access hours ...

Page 244: ...at you have configured also appear on the list SEP Card Assignment The VPN Concentrator can contain up to four SEP Scalable Encryption Processing modules that handle encryption functions which are compute intensive Two SEP modules handle up to 5000 sessions users the system maximum Two additional modules can provide automatic failover for the first two This parameter lets you configure the load on...

Page 245: ...s tab This tab lets you configure IP Security Protocol parameters that apply to this user If you checked IPSec or L2TP over IPSec under Tunneling Protocols on the General Parameters tab configure this section Value Inherit On this tabbed section The Inherit check box refers to group parameters Does this specific user inherit the given setting from the group Add screen inherit base group parameter ...

Page 246: ...D5 HMAC 128 authentication for the IKE tunnel ESP 3DES MD5 This SA uses Triple DES 168 bit data encryption and ESP MD5 HMAC 128 authentication for IPSec traffic and DES 56 encryption and MD5 HMAC 128 authentication for the IKE tunnel ESP IKE 3DES MD5 This SA uses Triple DES 168 bit data encryption for both the IKE tunnel and IPSec traffic ESP MD5 HMAC 128 authentication for IPSec traffic and MD5 H...

Page 247: ...figure these parameters Value Inherit On this tabbed section The Inherit check box refers to group parameters Does this specific user inherit the given setting from the group Add screen inherit base group parameter setting Modify screen inherit assigned group parameter setting which can be the base group or a configured group To inherit the group setting check the box default To override the group...

Page 248: ...w a user to use fewer protocols than the assigned group but not more You cannot allow a grayed out protocol PAP Password Authentication Protocol This protocol passes cleartext username and password during authentication and is not secure We strongly recommend that you not allow this protocol CHAP Challenge Handshake Authentication Protocol In response to the server challenge the client returns the...

Page 249: ...vel of security MSCHAPv1 Microsoft Challenge Handshake Authentication Protocol version 1 This protocol is similar to but more secure than CHAP In response to the server challenge the client returns the encrypted challenge plus encrypted password with a cleartext username Thus the server stores and compares only encrypted passwords rather than cleartext passwords as in CHAP This protocol also gener...

Page 250: ......

Page 251: ...les in the order they are arranged on the filter You apply filters to Ethernet interfaces and thus govern all traffic through an interface You also apply filters to groups and users and thus govern tunneled traffic through an interface With IPSec the VPN Concentrator negotiates Security Associations during tunnel establishment that govern authentication key management encryption encapsulation etc ...

Page 252: ...ed as single objects Rules detailed parameters that govern the handling of data packets SAs IPSec Security Associations Filters structures for applying aggregated rules NAT Network Address Translation Figure 13 1 Configuration Policy Management screen Configuration Policy Management Access Hours This section of the Manager lets you configure access times to control when remote access groups and us...

Page 253: ...anager opens the Configuration Policy management Access Hours Add screen To modify a configured access time select the entry from the list and click Modify The Manager opens the Configuration Policy management Access Hours Modify screen To remove a configured access time select the entry from the list and click Delete There is no confirmation or undo The Manager refreshes the screen and shows the ...

Page 254: ...ffects subsequent connections however Figure 13 3 Configuration Policy Management Access Hours Add or Modify screens Name Enter a unique name for this set of access hours Maximum is 48 characters Sunday Saturday For each day of the week click the drop down menu button and select during Allow access during the hours in the range default except Allow access at times except the hours in the range Ent...

Page 255: ...ata traffic through the VPN Concentrator Network lists let you treat lists of network addresses as a single object thus simplifying the configuration of rules for complex networks Filters consist of rules and IPSec rules rules in which you configure an Apply IPSec action also have Security Associations Therefore you first configure any network lists then rules and SAs and finally filters A filter ...

Page 256: ...and Inbound RIP must be enabled on that interface A single network list can contain a maximum of 200 network entries The Manager does not limit the number of network lists you can configure Figure 13 5 Configuration Policy Management Traffic Management Network Lists screen Network List The Network List field shows the names of the network lists you have configured If no lists have been configured ...

Page 257: ...nager window Configuration Policy Management Traffic Management Network Lists Add Modify or Copy These screens let you Add Configure and add a new network list Modify Modify a previously configured network list Copy Copy a configured network list modify its parameters save it with a new name and add it to the configured network lists On the Add and Modify screens the Manager can automatically gene...

Page 258: ...y screen click this button to have the Manager automatically generate a network list containing the first 200 private networks reachable from the Ethernet 1 Private interface It generates this list by reading the routing table see Monitoring Routing Table and Inbound RIP must be enabled on that interface see Configuration Interfaces The Manager refreshes the screen after it generates the list and ...

Page 259: ...e intended to allow an administrator outside the private network to manage the VPN Concentrator with a browser Unmodified they could allow browser connections to any system on the private network If you apply these rules to a filter you should at least change the Source and Destination Address to limit the connections Figure 13 7 Configuration Policy Management Traffic Management Rules screen Filt...

Page 260: ...5 0 255 CRL over LDAP In Inbound TCP Don t Care LDAP 389 Range 0 65535 CRL over LDAP Out Outbound TCP Don t Care Range 0 65535 LDAP 389 GRE In Inbound GRE GRE Out Outbound GRE ICMP In Inbound ICMP 0 18 ICMP Out Outbound ICMP 0 18 IKE In Inbound UDP Range 0 65535 IKE 500 IKE Out Outbound UDP IKE 500 Range 0 65535 Incoming HTTP In Inbound TCP Don t Care Range 0 65535 HTTP 80 Incoming HTTP Out Outbou...

Page 261: ...te screen You cannot delete a rule that is configured as part of a LAN to LAN connection See the Configuration System Tunneling Protocols IPSec LAN to LAN Add Done screen Note Deleting a rule deletes it from every filter that uses it and deletes it from the VPN Concentrator active configuration To remove a rule from a filter but retain it in the active configuration see the Configuration Policy Ma...

Page 262: ...he list of filter rules The VPN Concentrator applies rule parameters to data traffic packets in the order presented on this screen from Protocol down to see if they match If all parameters match the system takes the specified Action If at least one parameter does not match the system ignores the rest of this rule and examines the packet according to the next rule and so forth Note On the Modify sc...

Page 263: ...ration Policy Management Traffic Management Rules Add Modify or Copy 13 13 VPN 3000 Concentrator Series User Guide Figure 13 8 Configuration Policy Management Traffic Management Rules Add Modify or Copy screen ...

Page 264: ...rity Association You must configure a Security Association if you select this action Also you can assign an SA to this rule only if you select this or the following action see Configuration Policy Management Traffic Management Security Associations See note below Apply IPSec and Log Apply IPSec to the packet and log a filter debugging event FILTERDBG event class See notes below Notes The Log actio...

Page 265: ...d in multicasting OSPF Open Shortest Path First 89 interior routing protocol Other Other protocol not listed here If you select Other here you must enter the IANA assigned protocol number in the Other field TCP Connection Click the drop down menu button and select whether this rule applies to packets from established TCP connections For example you might want a rule to forward only those TCP packe...

Page 266: ...ion addresses A network list is a list of network addresses that are treated as a single object See the Configuration Policy Management Traffic Management Network Lists screens Otherwise you can select Use IP Address Wildcard mask below which lets you enter a network address If you select a configured network list the Manager ignores entries in the IP Address and Wildcard mask fields See the wildc...

Page 267: ...inquiry HTTP 80 Hypertext Transfer Protocol POP3 110 Post Office Protocol version 3 NNTP 119 Network News Transfer Protocol NTP 123 Network Time Protocol NetBIOS Name Service 137 Network Basic Input Output System host name assignment NetBIOS 138 NetBIOS datagram service NetBIOS Session 139 NetBIOS session management IMAP 143 Internet Mail Access Protocol SNMP 161 Simple Network Management Protocol...

Page 268: ...ask Request 18 Address Mask Reply The Internet Assigned Numbers Authority IANA manages these ICMP type numbers If you selected ICMP under Protocol above enter the range of ICMP packet type numbers that this rule applies to To specify a single packet type enter the same number in both fields Defaults are 0 to 255 all packet types For example to specify the Timestamp and Timestamp Reply types only e...

Page 269: ...ement Rules screen and shows the remaining rules in the Filter Rules list Reminder To save the active configuration and make it the boot configuration click the Save Needed icon at the top of the Manager window To not delete this rule click No The Manager returns to the Configuration Policy Management Traffic Management Rules screen and the Filter Rules list is unchanged Configuration Policy Manag...

Page 270: ...t complies with the IPSec protocol and is specifically designed to work with the VPN Concentrator However the VPN Concentrator can establish IPSec connections with many protocol compliant clients Likewise the VPN Concentrator can establish LAN to LAN connections with other protocol compliant VPN devices often called secure gateways The instructions in this section however assume peer VPN Concentra...

Page 271: ...Associations SA Name Parameter ESP DES MD5 ESP 3DES MD5 ESP IKE 3DES MD5 ESP 3DES NONE ESP L2TP TRANSPORT Inheritance From Rule From Rule From Rule From Rule From Rule IPSec Parameters Authentication Algorithm ESP MD5 HMAC 128 ESP MD5 HMAC 128 ESP MD5 HMAC 128 None ESP MD5 HMAC 128 Encryption Algorithm DES 56 3DES 168 3DES 168 3DES 168 DES 56 Encapsulation Mode Tunnel Tunnel Tunnel Tunnel Transpor...

Page 272: ...e an SA that is configured as part of a LAN to LAN connection See the Configuration System Tunneling Protocols IPSec LAN to LAN Add Done screen Reminder The Manager immediately includes your changes in the active configuration To save the active configuration and make it the boot configuration click the Save Needed icon at the top of the Manager window Configuration Policy Management Traffic Manag...

Page 273: ...meter specifies the granularity or how many tunnels to build for this connection Each tunnel uses a unique key Click the drop down menu button and select From Rule One tunnel for each rule in the connection A rule can specify multiple networks thus many hosts can use the same tunnel This is the default and recommended selection From Data One tunnel for every address pair within the address ranges ...

Page 274: ...cure but requires more processing overhead Encryption Algorithm This parameter specifies the data or packet encryption algorithm Data encryption makes the data unreadable if intercepted Click the drop down menu button and select the algorithm Null No packet encryption DES 56 Use DES encryption with a 56 bit key 3DES 168 Use Triple DES encryption with a 168 bit key This is the default selection and...

Page 275: ...nerator numbers are 1024 bits This option is most secure but requires the most processing overhead Lifetime Measurement This parameter specifies how to measure the lifetime of the IPSec SA keys which is how long the IPSec SA lasts until it expires and must be renegotiated with new keys It is used with the Data Lifetime or Time Lifetime parameters below Click the drop down menu button and select th...

Page 276: ...ou configure the connection on the Configuration System Tunneling Protocols IPSec LAN to LAN Add screen the Manager automatically creates a group with the Peer IP address as the Group Name See Configuration User Management for information on groups When you configure this parameter on the remote peer enter the IP address of this VPN Concentrator i e the entries must mirror each other Negotiation M...

Page 277: ... default selection IKE 3DES MD5 DH1 Use preshared keys and MD5 HMAC 128 for authentication Use 3DES 168 encryption Use D H Group 1 to generate SA keys This selection is compatible with the Cisco VPN 3000 Client IKE DES MD5 Use preshared keys and MD5 HMAC 128 for authentication Use DES 56 encryption Use D H Group 1 to generate SA keys This selection is compatible with the Cisco VPN 3000 Client Add ...

Page 278: ...licy Management Traffic Management Security Associations screen and shows the remaining SAs in the IPSec SAs list Reminder To save the active configuration and make it the boot configuration click the Save Needed icon at the top of the Manager window To not delete this SA click No The Manager returns to the Configuration Policy Management Traffic Management Security Associations screen and the IPS...

Page 279: ...ters for security since they govern all traffic through an interface You also apply filters to groups and users under Configuration User Management and thus govern tunneled traffic through an interface Caution The Cisco supplied default filters and rules are intended as templates that you should examine and configure to fit your network and security needs If incorrectly configured they could prese...

Page 280: ...u assign and order the rules that apply to this filter Modify Filter To modify the basic parameters but not the rules for a filter that has been configured click Modify Filter The Manager opens the Configuration Policy Management Traffic Management Filters Modify screen Table 13 3 Cisco supplied default filters Parameter Private Default Public Default External Default Description Default filter fo...

Page 281: ...do Doing so may affect their use of the VPN Reminder The Manager immediately includes your changes in the active configuration To save the active configuration and make it the boot configuration click the Save Needed icon at the top of the Manager window Configuration Policy Management Traffic Management Filters Add Modify or Copy These screens let you Add Configure the basic parameters for a new ...

Page 282: ... on this filter The choices are Drop Discard the packet the default selection Forward Allow the packet to pass Drop and Log Discard the packet and log a filter debugging event FILTERDBG event class See Configuration System Events and see note below Forward and Log Allow the packet to pass and log a filter debugging event FILTERDBG event class See note below Note The Log actions are intended for us...

Page 283: ...s the Configuration Policy Management Traffic Management Assign Rules to Filter screen which lets you assign and order the rules that apply to this filter Modify screen To apply your changes to this filter click Apply The Manager returns to the Configuration Policy Management Traffic Management Filters screen and the modified filter appears in same location in the Filter List Any changes take effe...

Page 284: ...ecified in the filter The Manager groups applied rules by direction inbound or outbound with inbound rules first You can prioritize rules only within a direction You configure rules on the Configuration Policy Management Traffic Management Rules screens Notes Rules affect the operation of the filter as soon as you add remove or prioritize them If the filter is being used by an active interface or ...

Page 285: ...pply IPSec action configured the Manager displays the Configuration Policy Management Traffic Management Assign Rules to Filter Add SA to Rule screen which lets you add a Security Association to the rule The Manager also by default adds Apply IPSec rules to the top of the group of rules with the same direction inbound or outbound Insert Above To add an available rule above a current rule select th...

Page 286: ... Management Assign Rules to Filter Change SA on Rule screen Done When you are finished configuring the rules in this filter click Done The Manager returns to the Configuration Policy Management Traffic Management Filters screen and refreshes the Filter List Reminder The Manager immediately includes your changes in the active configuration To save the active configuration and make it the boot confi...

Page 287: ...Filter screen for the filter you are configuring modifies the active configuration and updates the Current Rules in Filter list to show the rule with its SA Reminder To save the active configuration and make it the boot configuration click the Save Needed icon at the top of the Manager window Configuration Policy Management Traffic Management Assign Rules to Filter Change SA on Rule This screen le...

Page 288: ...A from the list and click Apply The Manager returns to the Configuration Policy Management Traffic Management Assign Rules to Filter screen for the filter you are configuring modifies the active configuration and updates the Current Rules in Filter list to show the rule with its new SA The change takes effect as soon as you click Apply If this filter is being used by an active interface or group t...

Page 289: ...provide NAT like translation for tunneled data traffic the NAT functions here provide translation for other nontunneled data traffic routed through the VPN Concentrator To use NAT we recommend that you first configure NAT rules then enable the function Before you can configure NAT rules however you must assign an IP address to a public interface on the VPN Concentrator see Configuration Interfaces...

Page 290: ... To save the active configuration and make it the boot configuration click the Save Needed icon at the top of the Manager window To discard your entry and leave the active configuration unchanged click Cancel The Manager returns to the Configuration Policy Management Traffic Management NAT screen Configuration Policy Management Traffic Management NAT Rules This section of the Manager lets you add ...

Page 291: ...nt Traffic Management NAT Rules Add screen If you have not configured a public interface the Manager displays the Configuration Policy Management Traffic Management NAT Rules No Public Interfaces screen To modify a configured NAT rule select the rule from the NAT Rules list and click Modify The Manager opens the Configuration Policy Management Traffic Management NAT Rules Modify screen To delete a...

Page 292: ...ld designate only one VPN Concentrator interface as a public interface Figure 13 21 Configuration Policy Management Traffic Management NAT Rules No Public Interfaces screen Click the highlighted link to configure the desired public interface The Manager opens the appropriate Configuration Interfaces screen Configuration Policy Management Traffic Management NAT Rules Add or Modify These screens let...

Page 293: ...ured public interface for this NAT rule You cannot change the interface To move the rule to another interface you must delete this rule and add a new one for the other interface Private Address Specify the private network subnet addresses that NAT translates to and from the public address IP Address Enter the private IP address in dotted decimal notation e g 10 0 0 0 Subnet Mask Enter the subnet m...

Page 294: ... ports 49152 to 65535 on the public IP address and vice versa FTP Proxy Provide FTP proxy server functions and map outbound ports to dynamic ports 49152 to 65535 on the public IP address FTP requires specialized NAT behavior this action allows outgoing FTP transactions to function properly Add or Apply Cancel To add this rule to the list of configured NAT rules click Add Or to apply your changes t...

Page 295: ...r VPN Concentrator shutdown and reboot Ping use ICMP ping to determine connectivity Monitoring Refresh enable automatic refresh of status and statistics in the Monitoring section of the Manager Access Rights configure administrator profiles access and sessions Administrators configure administrator usernames passwords and rights Access Control List configure IP addresses for workstations with acce...

Page 296: ...14 Administration 14 2 VPN 3000 Concentrator Series User Guide Figure 14 1 Administration screen ...

Page 297: ...een shows comprehensive statistics for all active sessions on the VPN Concentrator You can also click a session s name to see detailed parameters and statistics for that session See Administration Sessions Detail Figure 14 2 Administration Sessions screen Refresh To refresh the statistics click Refresh ...

Page 298: ...pe There is no user warning or undo The Manager refreshes the screen after it terminates the sessions Session Summary table This table shows summary totals for LAN to LAN remote access and management sessions A session is a VPN tunnel established with a specific peer In most cases one user connection one tunnel one session However one IPSec LAN to LAN tunnel counts as one session but it allows man...

Page 299: ...d or reset LAN to LAN Sessions table This table shows parameters and statistics for all active IPSec LAN to LAN sessions Each session here identifies only the outer LAN to LAN connection or tunnel not individual host to host sessions within the tunnel Remote Access Sessions Management Sessions Click these active links to go to the other session tables on this Manager screen Connection Name The nam...

Page 300: ... screen Public IP Address The public IP address of the client for this remote access session This is also known as the outer IP address It is typically assigned to the client by the ISP and it lets the client function as a host on the public network Assigned IP Address The private IP address assigned to the remote client for this session This is also known as the inner or virtual IP address and it...

Page 301: ...ng and refreshing statistics on a Monitoring screen for longer than the timeout period loses the lock Table 14 1 Parameter definitions for Administration Sessions screen Parameter Definition Protocol The protocol this session is using Console indicates a direct connection through the Console port on the system Encryption The data encryption algorithm this session is using if any Login Time The dat...

Page 302: ...2TP IPSec PPTP The Manager displays the appropriate screen when you click a highlighted connection name or username on the Administration Sessions screen See Figure 14 4 through Figure 14 9 below Each session detail screen shows two tables summary data at the top and detail data below The summary data echoes the session data from the Administration Sessions screen The session detail table shows al...

Page 303: ...Administration Sessions Detail 14 9 VPN 3000 Concentrator Series User Guide Figure 14 5 Administration Sessions Detail screen IPSec remote access user ...

Page 304: ...14 Administration 14 10 VPN 3000 Concentrator Series User Guide Figure 14 6 Administration Sessions Detail screen IPSec through NAT Figure 14 7 Administration Sessions Detail screen L2TP ...

Page 305: ...Administration Sessions Detail 14 11 VPN 3000 Concentrator Series User Guide Figure 14 8 Administration Sessions Detail screen L2TP over IPSec Figure 14 9 Administration Sessions Detail screen PPTP ...

Page 306: ...tor Connection Name The name of the IPSec LAN to LAN connection Diffie Hellman Group The algorithm and key size used to generate IPSec SA encryption keys Duration The elapsed time HH MM SS between the session login time and the last screen refresh Encapsulation Mode The mode for applying IPSec ESP Encapsulation Security Payload protocol encryption and authentication i e what part of the original I...

Page 307: ... that this session is using Public IP Address The public IP address of the client for this remote access session This is also known as the outer IP address It is typically assigned to the client by the ISP and it lets the client function as a host on the public network Rekey Data Interval The lifetime in kilobytes of the IPSec IKE SA encryption keys Rekey Time Interval The lifetime in seconds of t...

Page 308: ...he active location which stores the image currently running on the system and the backup location Updating the image overwrites the stored image file in the backup location and makes it the active location for the next reboot Updating twice therefore overwrites the image file in the active location and the current image file is lost Caution You can update the software image while the system is sti...

Page 309: ...rsion numbers are always present the Patch Version number is present only if needed Be sure you select the correct file for your VPN Concentrator model otherwise the update will fail Upload To upload the new image file to the VPN Concentrator click Upload Software Update Progress This window shows the progress of the software upload The number of bytes transferred is refreshed in 10 second interva...

Page 310: ...uccessfully To go to the Administration System Reboot screen click the highlighted link We strongly recommend that you clear your browser s cache after you update the software image delete all the browser s temporary internet files history files and location bar references Figure 14 14 Administration Software Update Success screen Software Update Error This window appears if there was an error in ...

Page 311: ...n while the VPN Concentrator is in a shutdown state before you turn power off On the Models 3015 3080 all 10 blue usage monitor LEDs on the VPN Concentrator front panel blink when the system is in a shutdown state On the Model 3005 the System LED blinks If a delayed reboot or shutdown is pending the Manager also displays a message that describes when the action is scheduled to occur Caution Reboot...

Page 312: ...on This is the default selection Reboot with Factory Default configuration Reboot using all the factory defaults i e start the system as if it had no CONFIG file You will need to go through all the Quick Configuration steps described in the VPN Concentrator Getting Started manual including setting the system date and time and supplying an IP address for the Ethernet 1 Private interface using the s...

Page 313: ...ng hosts from the Administration Sessions screen Figure 14 17 Administration Ping screen Address Hostname to Ping Enter the IP address or hostname of the system you want to test If you configured a DNS server you can enter a hostname otherwise enter an IP address Maximum is 64 characters Ping Cancel To send the ping message click Ping The Manager pauses during the test which may take a few moments...

Page 314: ...etry the operation To go to the main VPN Concentrator Manager screen click Go to main menu Administration Monitoring Refresh This screen lets you enable automatic refresh of all status and statistics screens in the Monitoring section of the VPN Concentrator Manager except the Event Log Figure 14 20 Administration Monitoring Refresh screen Enable To enable automatic refresh check this box The box i...

Page 315: ...tration Access Rights screen Administration Access Rights Administrators Administrators are special users who can access and change the configuration administration and monitoring functions on the VPN Concentrator Only administrators can use the VPN Concentrator Manager Cisco provides five predefined administrators 1 admin System administrator with access to and rights to change all areas This is ...

Page 316: ...rators screen Group Number This is a reference number for the administrator Cisco assigns these numbers so you can refer to administrators by groups of properties The numbers cannot be changed Username The username or login name of the administrator You can change this name on the Administration Access Rights Administrators Modify Properties screen Note The default passwords that Cisco supplies ar...

Page 317: ... must enable at least one administrator and you can enable all administrators By default only admin is enabled Apply Cancel To save this screen s settings in nonvolatile memory click Apply The settings immediately affect new sessions The Manager returns to the Administration Access Rights screen To discard your settings or changes click Cancel The Manager returns to the Administration Access Right...

Page 318: ...nal areas Authentication or General or via SNMP Click the drop down menu button and select the access rights None No access or rights Stats Only Access to only the Monitoring section of the VPN Concentrator Manager No rights to change parameters View Config Access to permitted functional areas of the VPN Concentrator Manager but no rights to change parameters Modify Config Access to permitted func...

Page 319: ... manage files in VPN Concentrator flash memory and to save the active configuration in a file Flash memory acts like a disk Click the drop down menu button and select the file management rights None No file access or management rights List Files See a list of files in VPN Concentrator flash memory Read Files Read view files in flash memory Read Write Files Read and write files in flash memory clea...

Page 320: ... Figure 14 24 Administration Access Rights Access Control List screen Manager Workstations The Manager Workstations list shows the configured workstations that are allowed to access the VPN Concentrator Manager in priority order Each entry shows the priority number IP address mask and administrator group number e g 1 10 10 1 35 255 255 255 255 Group 1 If no workstations have been configured the li...

Page 321: ...r workstation to the list of those that are allowed to access the VPN Concentrator Manager Modify a previously configured workstation that is allowed to access the VPN Concentrator Manager Figure 14 25 Administration Access Rights Access Control List Add or Modify screen Priority Modify screen only This field shows the priority number of this workstation in the list of Manager Workstations You can...

Page 322: ...rkstation click Apply Both actions include your entry in the active configuration The Manager returns to the Administration Access Rights Access Control List screen Any new entry appears at the bottom of the Manager Workstations list Reminder To save the active configuration and make it the boot configuration click the Save Needed icon at the top of the Manager window To discard your settings clic...

Page 323: ... Check this box to encrypt entries such as passwords keys and user information To use clear text for all CONFIG file entries clear the box For maximum security we do not recommend this option Apply Cancel To save your settings in the active configuration click Apply The Manager returns to the Administration Access Rights screen To cancel your settings click Cancel The Manager returns to the Admini...

Page 324: ... the table Figure 14 28 Administration File Management Files screen Refresh To update the screen and its data click Refresh The date and time indicate when the screen was last updated Total Used Free KB The total size of flash memory in kilobytes the amount used by the files listed and the remaining free space in flash memory Filename The name of the file in flash memory The VPN Concentrator store...

Page 325: ...Manager screen A pop up menu presents choices whose exact wording depends on your browser but among them are Open Link Open Link in New Window Open in New Window Open and view the file in a new browser window as above Save Target As Save Link As Save a copy of the file on your PC Your system will prompt for a filename and location The default filename is the same as on the VPN Concentrator When yo...

Page 326: ...figuration Files screen OK Cancel To swap CONFIG and CONFIG BAK files click OK The Manager goes to the Administration System Reboot screen To leave the files unchanged click Cancel The Manager returns to the Administration File Management screen Administration File Management TFTP Transfer This screen lets you use TFTP Trivial File Transfer Protocol to transfer files to and from VPN Concentrator f...

Page 327: ... configured a DNS server you can enter a hostname otherwise enter an IP address TFTP Server File Enter the name of the file on the remote system This filename must conform to naming conventions applicable to the remote system Do not include a path the configuration of the remote TFTP server determines the location path of the file Caution If either filename is the same as an existing file TFTP ove...

Page 328: ...e Management This section of the Manager lets you manage digital certificates Enrollment create a certificate request to enroll with a Certificate Authority CA Installation install certificates on the VPN Concentrator Certificates view delete configure revocation checking and generate certificates Digital certificates are a form of digital identification used for authentication CAs issue them in t...

Page 329: ...nder Administration File Management After you install a digital certificate on the VPN Concentrator it is available in the Digital Certificate list for configuring IPSec LAN to LAN connections and IPSec SAs See Configuration System Tunnelling Protocols IPSec LAN to LAN and Configuration Policy Management Traffic Management Security Associations The VPN Concentrator can have only one SSL certificat...

Page 330: ...dinate certificate s c Finally install the identity certificate 5 Use the Administration Certificate Management Certificates screen to view the certificates and check them and perhaps to enable revocation checking You must complete the enrollment and certificate installation process within one week of generating the request See the appropriate Administration Certificate Management screen for more ...

Page 331: ...e allowed You must enter a name in this field If you are requesting an SSL certificate enter the IP address or domain name you use to connect to this VPN Concentrator e g 10 10 147 2 Organizational Unit OU Enter the name for the department or other organizational unit to which this VPN Concentrator belongs e g CPU Design Spaces are allowed Organization O Enter the name for the company or organizat...

Page 332: ...key size If you are requesting an SSL certificate you must select an RSA choice RSA 512 bits Generate 512 bit keys using the RSA Rivest Shamir Adelman algorithm This key size provides sufficient security and is the default selection It is the most common and requires the least processing RSA 768 bits Generate 768 bit keys using the RSA algorithm This key size provides normal security It requires a...

Page 333: ... Concentrator and it is not visible You must complete the enrollment and certificate installation process within one week of generating the request Figure 14 35 Administration Certificate Management Enrollment Request Generated screen To go to the Administration File Management Files screen click the highlighted File Management page link From there you can view copy or delete the file in flash mem...

Page 334: ...ens a dialog box that lets you navigate to the desired location and enter a filename Use a name that clearly identifies this as a root certificate with a txt extension 6 Repeat the previous step for any subordinate certificates and finally for the identity certificate Name the files so that you can distinguish the certificate types 7 Proceed to the Administration Certificate Management Installatio...

Page 335: ...ome source Installing this certificate type is not a completely secure process and we strongly recommend not using it If you select this type complete the Certificate Password and Verify fields below Server Identity via Enrollment Identity certificates obtained via enrollment with a CA in a PKI Select this type and install the identity certificate last Server Identity import with Private Key Ident...

Page 336: ...discard your entries and cancel the operation click Cancel The Manager returns to the Administration Certificate Management screen Administration Certificate Management Certificates This screen shows all the certificates installed in the VPN Concentrator and lets you view enable revocation checking and delete certificates You can also generate a self signed SSL server certificate The Manager displ...

Page 337: ...plus the Organization O in the Subject and Issuer fields of the certificate The format is CN at O OU at O or just O e g Root 2 at CyberTrust The CN OU and O fields display a maximum of 33 characters each See Administration Certificate Management Certificates View Expiration The expiration date of the certificate Format is MM DD YYYY Actions View CRL Delete To view details of this certificate click...

Page 338: ...rm to ITU X 520 This screen is read only you cannot change any information here Figure 14 39 Administration Certificate Management Certificates View screen Subject The person or system that uses the certificate For a CA root certificate the Subject and Issuer are the same Issuer The CA or other entity jurisdiction that issued the certificate Subject and Issuer consist of a specific to general iden...

Page 339: ... town where the organization is located SP State Province the state or province where the organization is located C Country the two letter country abbreviation These codes conform to ISO 3166 country abbreviations Serial Number The serial number of the certificate Each certificate issued by a CA or other entity must be unique CRL checking uses this serial number Signing Algorithm The cryptographic...

Page 340: ... for this VPN Concentrator that identifies it in this PKI The alternative name is an optional additional data field in the certificate and it provides interoperability with many Cisco IOS and PIX systems in LAN to LAN connections CRL Distribution Point The distribution point for CRLs Certificate Revocation Lists from this CA If this information is included in the certificate in the proper format a...

Page 341: ...determine its presence If the CRL distribution point is present in the certificate in the proper format you need not configure any fields below the checkbox on this screen Figure 14 40 Administration Certificate Management Certificates CRL screen Certificate The certificate for which you are configuring CRL checking This is the name in Subject field of Certificate Authorities table on Administrati...

Page 342: ...e database Maximum 128 characters Base DN Enter the LDAP base DN Distinguished Name which defines the directory path to the CRL database e g cn crl ou certs o CANam c US Maximum 128 characters Login DN Enter the login DN to access this CRL database Maximum 128 characters Password Enter the password for the Login DN above Maximum 128 characters Verify Re enter the password to verify it Maximum 128 ...

Page 343: ... certificates last Otherwise the Manager displays an error message If the certificate is in use by an SA the Manager displays an error message If you delete the SSL certificate the Manager displays Error getting SSL Certificate SSLIOErr in the SSL Certificate table Generate a new SSL certificate to clear this message Figure 14 41 Administration Certificate Management Certificates Delete screen Yes...

Page 344: ......

Page 345: ...re revisions uptime SEP modules system power supplies Ethernet interfaces WAN interfaces front panel LEDs and hardware sensors Sessions currently active sessions sorted by protocol SEP and encryption Top Ten Lists Top ten sessions sorted by data duration and throughput General Statistics PPTP L2TP IPSec HTTP events Telnet DNS authentication accounting filtering VRRP SSL DHCP and address pools MIB ...

Page 346: ...gured parameters The routing table shows the valid forwarding paths that the IP routing subsystem knows about from whatever source static routes learned via routing protocols interface addresses etc However the table lists only the best routes based on metric and type with duplicates removed To configure routing see the Configuration System IP Routing and Configuration Interfaces screens Figure 15...

Page 347: ...ss in the Address field 0 0 0 0 indicates the default gateway Next Hop For remote routes the IP address of the next system in the path to the destination 0 0 0 0 indicates a local route i e there is no next hop Interface The VPN Concentrator network interface through which traffic moves on this route 1 Ethernet 1 Private interface 2 Ethernet 2 Public interface 3 Ethernet 3 External interface 8 or ...

Page 348: ...ooting any system difficulty or just to examine details of system activity consult the event log first The VPN Concentrator records events in nonvolatile memory thus the event log persists even if the system is powered off The Model 3015 3080 event log holds 2048 events the Model 3005 holds 256 events and it wraps when it is full that is entry 2049 or 257 overwrites entry 1 etc Use the scroll cont...

Page 349: ... all events of a single severity level click the drop down menu button and select the severity level To select a contiguous range of severity levels select the first severity level in the range hold down the keyboard Shift key and select the last severity level in the range To select multiple severity levels select the first severity level hold down the keyboard Ctrl key and select the other sever...

Page 350: ...ile menu on the new browser window and select Save As The browser opens a dialog box that lets you save the file The default filename is vpn3000log txt Alternatively you can use the secondary mouse button to click Get Log on this Monitor Event Log screen A pop up menu presents choices whose exact wording depends on your browser but among them are Open Link Open Link in New Window Open in New Windo...

Page 351: ... event log When the log file wraps after 2048 entries Model 3015 3080 256 entries on Model 3005 numbering continues with event 2049 or 257 overwriting event 1 The maximum sequence number is 65536 Although numbering restarts at 1 when the system powers up it does not overwrite existing entries in the event log it appends them Assuming the log doesn t wrap it could contain several sequences of event...

Page 352: ...urred since the VPN Concentrator was last booted or reset For example RPT 17 indicates that this is the 17th occurrence of this specific event Event IP address The IP address of the client or host associated with this event Only certain events have this field For tunnel related events this is typically the outer or tunnel endpoint address In the Event log format example above 10 10 1 35 is the IP ...

Page 353: ...s screen shows the status of several software and hardware variables at the time the screen displays From this screen you can also display the status and statistics for SEP modules system power supplies and network interfaces Figure 15 4 Monitor System Status screen Model 3005 Model 3015 3080 ...

Page 354: ... and date of the VPN Concentrator system software image file You can update this image file from the Administration Software Update screen Up Since The date and time that the VPN Concentrator was last booted or reset RAM Size The total amount of SDRAM memory installed in the VPN Concentrator Front Panel Model 3015 3080 only The front panel image is an active link Put the mouse pointer anywhere wit...

Page 355: ...pply cage The Model 3005 has one sensor near the CPU This table shows the temperature at the sensor s Temperatures between 0 and 50 C 32 and 122 F are acceptable Values outside this range trigger a hardware event CPU Utilization This usage graph shows the CPU load as a percentage of the maximum possible load Each segment represents 10 of the maximum possible load Active Sessions This usage graph s...

Page 356: ...face screen Refresh To update the screen and its data click Refresh The date and time indicate when the screen was last updated Back To return to the Monitor System Status screen click Back Interface The VPN Concentrator Ethernet interface number 1 Private interface 2 Public interface 3 External interface IP Address The IP address configured on this interface Status The operational status of this ...

Page 357: ...ets are those addressed to a single host Rx Multicast The number of multicast packets that were received by this interface since the VPN Concentrator was last booted or reset Multicast packets are those addressed to a specific group of hosts Tx Multicast The number of multicast packets that were routed to this interface for transmission since the VPN Concentrator was last booted or reset including...

Page 358: ...m Status Dual T1 E1 WAN Slot N screen Refresh To update the screen and its data click Refresh The date and time indicate when the screen was last updated Back To return to the Monitor System Status screen click Back T1 E1 Statistics This table shows statistics for the physical T1 E1 interface ports with a column of statistics for each configured port RFC 1406 defines most T1 E1 errors Slot The phy...

Page 359: ...number of seconds this T1 E1 port has been running Errored Seconds The number of seconds during which one or more path coding violations out of frame defects controlled slips AIS Alarm Indication Signal defects or bipolar violations was detected on this port This number excludes unavailable seconds Severely Errored Seconds The number of seconds during which these errors were detected on this port ...

Page 360: ... a pulse of the same polarity follows the previous pulse B8ZS or HDB3 coded signal a pulse of the same polarity follows the previous pulse but is not a part of the zero substitution code Line Coding Violations The number of line coding violations detected on this port which are bipolar violations or excessive zeros violations for AMI 15 contiguous zeros for B8ZS 7 contiguous zeros Path Coding Viol...

Page 361: ... state Up Green Synchronized and operational able to transmit and receive packets Down Red Unable to transmit or receive packets possibly disconnected from the line Unknown Red Not configured or unable to determine status Protocol The WAN protocol enabled on this interface MP PPP Multilink protocol PPP Point to Point Protocol Unknown Unable to determine protocol Packets Received The number of pack...

Page 362: ...These errors occur when the frame does not contain a multiple of 8 bits and could indicate misconfigured timeslots Received CRC Errors The number of received CRC Cyclic Redundancy Checking errors on this interface port These errors could indicate a lossy or noisy transmission line Receiver Overrun Errors The number of receiver overrun errors on this interface port These errors occur when the memor...

Page 363: ...er screen Figure 15 7 Monitor System Status Power screen Refresh To update the screen and its data click Refresh The date and time indicate when the screen was last updated Back To return to the Monitor System Status screen click Back CPU Voltage and status for the voltage sensor on the CPU chip The screen shows either 1 9 or 2 5 volts depending on the CPU chip in the system Power Supply A B Volta...

Page 364: ...set SEP redundancy The VPN Concentrator can contain up to four SEP modules for maximum system throughput and redundancy Two SEP modules provide maximum throughput additional modules provide redundancy in case of module failure SEP redundancy requires no configuration it is always enabled and completely automatic no administrator action is required If a SEP module fails the VPN Concentrator automat...

Page 365: ...een was last updated Back To return to the Monitor System Status screen click Back SEP The chassis slot number where this SEP is inserted and the type of hardware in this SEP CryptSet first release hardware using a set of integrated circuits CryptIC second release hardware using a single integrated circuit Unknown hardware could not be determined This is an error condition please contact Cisco Cus...

Page 366: ...tomer Support DSP Code Version The version of DSP Digital Signal Processing microcode running on this SEP module This information may be useful during troubleshooting Inbound Hash Octets Packets The number of inbound authentication only octets bytes packets processed by this SEP Only hashing algorithms are applied to authentication only traffic there is no encryption or decryption Outbound Hash Oc...

Page 367: ...request to generate a block of random numbers to replenish the cache Random Bytes Available The number of bytes currently available in the random number cache on the VPN Concentrator Random Cache Empty The number of times the VPN Concentrator received a request for random numbers and the random number cache was empty Since the VPN Concentrator monitors this cache and communicates with the SEP to r...

Page 368: ...ckets The number of RSA encrypted octets bytes packets this SEP has generated RSA Decryptions Octets Packets The number of RSA encrypted octets bytes packets this SEP has received and decrypted DSA Digital Keys Generated The number of times this SEP has generated a new DSA Digital Signature Algorithm encryption key pair DSA Digital Signings The number of times this SEP has generated a DSA digital ...

Page 369: ...ns of the LEDs The usage graph displays CPU Utilization Active Sessions or Throughput according to the selection you make with the front panel button You can press the front panel button either physically on the unit itself or logically on this screen See Monitor System Status for an explanation of usage graph units Figure 15 9 Monitor System Status LED Status screen Refresh To update the screen a...

Page 370: ...the screen and its data click Refresh The date and time indicate when the screen was last updated Session Summary table This table shows summary totals for LAN to LAN remote access and management sessions A session is a VPN tunnel established with a specific peer In most cases one user connection one tunnel one session However one IPSec LAN to LAN tunnel counts as one session but it allows many ho...

Page 371: ... Concurrent Sessions Limit The maximum number of concurrently active sessions permitted on this VPN Concentrator This number is model dependent e g Model 3060 5000 sessions Total Cumulative Sessions The total cumulative number of sessions of all types since the VPN Concentrator was last booted or reset LAN to LAN Sessions table This table shows parameters and statistics for all active IPSec LAN to...

Page 372: ...username or login name for the session The field shows Authenticating if the remote access client is still negotiating authentication If the client is using a digital certificate for authentication the field shows the Subject CN or Subject OU from the certificate To display detailed parameters and statistics for this session click this name See the Monitor Sessions Detail screen Public IP Address ...

Page 373: ... Parameter definitions for Monitor Sessions screen Parameter Definition Protocol The protocol this session is using Console indicates a direct connection through the Console port on the system See Monitor Sessions Protocols for a graphical representation of sessions by protocol used Encryption The data encryption algorithm this session is using if any See Monitor Sessions Encryption for a graphica...

Page 374: ...ec L2TP IPSec PPTP The Manager displays the appropriate screen when you click a highlighted connection name or username on the Monitor Sessions screen See Figure 15 11 through Figure 15 16 below Each session detail screen shows two tables summary data at the top and detail data below The summary data echoes the session data from the Monitor Sessions screen The session detail table shows all the re...

Page 375: ...Monitor Sessions Detail 15 31 VPN 3000 Concentrator Series User Guide Figure 15 12 Monitor Sessions Detail screen IPSec remote access user ...

Page 376: ...15 Monitoring 15 32 VPN 3000 Concentrator Series User Guide Figure 15 13 Monitor Sessions Detail screen IPSec through NAT Figure 15 14 Monitor Sessions Detail screen L2TP ...

Page 377: ...Monitor Sessions Detail 15 33 VPN 3000 Concentrator Series User Guide Figure 15 15 Monitor Sessions Detail screen L2TP over IPSec Figure 15 16 Monitor Sessions Detail screen PPTP ...

Page 378: ...on Name The name of the IPSec LAN to LAN connection Diffie Hellman Group The algorithm and key size used to generate IPSec SA encryption keys Duration The elapsed time HH MM SS between the session login time and the last screen refresh Encapsulation Mode The mode for applying IPSec ESP Encapsulation Security Payload protocol encryption and authentication i e what part of the original IP packet has...

Page 379: ... that this session is using Public IP Address The public IP address of the client for this remote access session This is also known as the outer IP address It is typically assigned to the client by the ISP and it lets the client function as a host on the public network Rekey Data Interval The lifetime in kilobytes of the IPSec IKE SA encryption keys Rekey Time Interval The lifetime in seconds of t...

Page 380: ...onitor Sessions Protocols screen Refresh To update the screen and its data click Refresh The date and time indicate when the screen was last updated Active Sessions The number of currently active sessions Total Sessions The total number of sessions since the VPN Concentrator was last booted or reset Protocol The protocol that the session is using Other protocol other than those listed here PPTP Po...

Page 381: ...use only Debug Console debugging via console Cisco use only L2TP IPSec L2TP over IPSec IPSec LAN to LAN IPSec LAN to LAN connection IPSec NAT IPSec through NAT Network Address Translation Sessions The number of active sessions using this protocol The sum of this column equals the total number of Active Sessions above Bar Graph The percentage of sessions using this protocol relative to the total ac...

Page 382: ...screen Refresh To update the screen and its data click Refresh The date and time indicate when the screen was last updated Active Sessions The number of currently active sessions Total Sessions The total number of sessions since the VPN Concentrator was last booted or reset SEP The SEP module that the sessions are using Not on SEP using software encryption or not using encryption 1 2 3 4 SEP modul...

Page 383: ...ssions as a number The sum of this column equals 100 rounded Monitor Sessions Encryption This screen graphically displays the data encryption algorithms used by currently active user and administrator sessions on the VPN Concentrator Figure 15 19 Monitor Sessions Encryption screen Refresh To update the screen and its data click Refresh The date and time indicate when the screen was last updated Ac...

Page 384: ...s or whenever a packet is lost RC4 128 Stateless RSA RC4 encryption with a 128 bit key and with keys changed on every packet RC4 128 Stateful RSA RC4 encryption with a 128 bit key and with keys changed after some number of packets or whenever a packet is lost Sessions The number of active sessions using this encryption algorithm The sum of this column equals the total number of Active Sessions abo...

Page 385: ...nected Throughput average throughput bytes sec Figure 15 20 Monitor Sessions Top Ten Lists screen Monitor Sessions Top Ten Lists Data This screen shows statistics for the top 10 currently active VPN Concentrator sessions sorted by data total bytes transmitted and received Figure 15 21 Monitor Sessions Top Ten Lists Data screen Refresh To update the screen and its data click Refresh The date and ti...

Page 386: ...col L2TP IPSec L2TP over IPSec Other protocol other than those listed here PPTP Point to Point Tunneling Protocol SNMP Simple Network Management Protocol Telnet terminal emulation protocol TFTP Trivial File Transfer Protocol Encryption The data encryption algorithm that the session is using None no data encryption DES 40 Data Encryption Standard algorithm with a 56 bit key 40 bits of which are pri...

Page 387: ...Duration This screen shows statistics for the top 10 currently active VPN Concentrator sessions sorted by duration total time connected Figure 15 22 Monitor Sessions Top Ten Lists Duration screen Refresh To update the screen and its data click Refresh The date and time indicate when the screen was last updated Username The login username for the session IP Address The IP address of the session use...

Page 388: ...erminal emulation protocol TFTP Trivial File Transfer Protocol Encryption The data encryption algorithm that the session is using None no data encryption DES 40 Data Encryption Standard algorithm with a 56 bit key 40 bits of which are private DES 56 DES encryption with a 56 bit key 3DES 168 Triple DES encryption with a 168 bit key RC4 40 Stateless RSA RC4 encryption with a 40 bit key and with keys...

Page 389: ...ghput screen Refresh To update the screen and its data click Refresh The date and time indicate when the screen was last updated Username The login username for the session IP Address The IP address of the session user This is the address assigned to or supplied by a remote user or the host address of a networked user Local identifies the console directly connected to the VPN Concentrator Protocol...

Page 390: ...56 bit key 40 bits of which are private DES 56 DES encryption with a 56 bit key 3DES 168 Triple DES encryption with a 168 bit key RC4 40 Stateless RSA RC4 encryption with a 40 bit key and with keys changed on every packet RC4 40 Stateful RSA RC4 encryption with a 40 bit key and with keys changed after some number of packets or whenever a packet is lost RC4 128 Stateless RSA RC4 encryption with a 1...

Page 391: ...s received and transmitted packets failures drops etc HTTP total data traffic and connection statistics Events total events sorted by class number and count Telnet total sessions and current session inbound and outbound traffic DNS total requests responses timeouts etc Authentication total requests accepts rejects challenges timeouts etc Accounting total requests responses timeouts etc Filtering t...

Page 392: ...ment To configure PPTP on rules in filters that govern data traffic see Configuration Policy Management Traffic Management Figure 15 25 Monitor Statistics PPTP screen Refresh To update the screen and its data click Refresh The date and time indicate when the screen was last updated Total Tunnels The total number of PPTP tunnels created since the VPN Concentrator was last booted or reset including ...

Page 393: ...trol data octets bytes received by the VPN Concentrator since it was last booted or reset Rx Packets Control Data The number of PPTP control data packets received by the VPN Concentrator since it was last booted or reset Rx Discards Control Data The number of PPTP control data packets received and discarded by the VPN Concentrator since it was last booted or reset Tx Octets Control Data The number...

Page 394: ...TP Zero Length Body acknowledgement data packets received by this session ZLB packets are sent as GRE acknowledgement packets when there is no data packet on which to piggyback an acknowledgement Transmit Octets The total number of PPTP data octets bytes transmitted by this session Transmit Packets The total number of PPTP data packets transmitted by this session Transmit ZLB The total number of P...

Page 395: ...d packets is equal to the window size on both ends None Neither end of the session has a full buffer i e packet flow for the session is ON This is the normal operating state Monitor Statistics L2TP This screen shows statistics for L2TP activity on the VPN Concentrator since it was last booted or reset and for current L2TP sessions The Monitor Sessions Detail screens also show L2TP data To configur...

Page 396: ... The total number of user sessions successfully established through L2TP tunnels since the VPN Concentrator was last booted or reset Active Sessions The number of user sessions that are currently active through PPTP tunnels The L2TP Sessions table shows statistics for these sessions Maximum Sessions The maximum number of user sessions that have been simultaneously active through L2TP tunnels on th...

Page 397: ...a channel packets transmitted by the VPN Concentrator since it was last booted or reset L2TP Sessions This table shows statistics for active L2TP sessions on the VPN Concentrator Each active session is a row Remote IP The IP address of the remote host that established the L2TP tunnel for this session i e the tunnel endpoint IP address The Monitor Sessions screen shows the IP address assigned to th...

Page 398: ...y this session ZLB packets are sent as acknowledgement packets when there is no data packet on which to piggyback an acknowledgement Transmit Octets The total number of L2TP data octets bytes transmitted by this session Transmit Packets The total number of L2TP data packets transmitted by this session Transmit ZLB The total number of L2TP Zero Length Body acknowledgement packets transmitted by thi...

Page 399: ...reens also show IPSec data To configure system wide IPSec parameters and LAN to LAN connections see the Configuration System Tunneling Protocols IPSec screens To configure IPSec parameters for users and groups see Configuration User Management To configure IPSec parameters and SAs on rules in filters that govern data traffic see Configuration Policy Management Traffic Management Figure 15 27 Monit...

Page 400: ...sly active IKE tunnels Received Packets The cumulative total of packets received by all currently and previously active IKE tunnels Sent Packets The cumulative total of packets sent by all currently and previously active IKE tunnels Received Packets Dropped The cumulative total of packets that were dropped during receive processing by all currently and previously active IKE tunnels If there is a p...

Page 401: ...changes Received The cumulative total of IPSec Phase 2 exchanges that were received found to be invalid because of protocol errors and dropped by all currently and previously active IKE tunnels In other words the total of Phase 2 negotiations that were initiated by a remote peer but that this VPN Concentrator dropped because of protocol errors Invalid Phase 2 Exchanges Sent The cumulative total of...

Page 402: ...er level authentication Decryption Failures The cumulative total of decryptions that failed by all currently and previously active IKE tunnels This number should be at or near zero if not check for misconfiguration or SEP module problems Hash Validation Failures The cumulative total of hash validations that failed by all currently and previously active IKE tunnels Hash validation failures usually ...

Page 403: ... Phase 2 tunnels after compression In other words total bytes of IPSec only data sent by the IPSec subsystem after compressing the IPSec payload Received Packets The cumulative total of packets received by all currently and previously active IPSec Phase 2 tunnels Sent Packets The cumulative total of packets sent by all currently and previously active IPSec Phase 2 tunnels Received Packets Dropped ...

Page 404: ...ions performed by all currently and previously active IPSec Phase 2 tunnels Failed Outbound Authentications The cumulative total of outbound packet authentications that failed by all currently and previously active IPSec Phase 2 tunnels This number should be zero or very small if not check the event log for an internal IPSec subsystem problem Decryptions The cumulative total of inbound decryptions...

Page 405: ...nization problems Protocol Use Failures The cumulative total of protocol use failures that occurred during processing of all currently and previously active IPSec Phase 2 tunnels These failures indicate errors parsing IPSec packets Monitor Statistics HTTP This screen shows statistics for HTTP activity on the VPN Concentrator since it was last booted or reset To configure system wide HTTP server pa...

Page 406: ... reset Active Connections The number of currently active HTTP connections Max Connections The maximum number of HTTP connections that have been simultaneously active on the VPN Concentrator since it was last booted or reset Monitor Statistics Events This screen shows statistics for all events on the VPN Concentrator since it was last booted or reset To configure event handling see the Configuratio...

Page 407: ...ent within the event class For example CONFIG event number 2 is Reading configuration file This reference number assists Cisco support personnel if they need to examine event statistics Count of Events The number of times that specific event has occurred on the VPN Concentrator since it was last booted or reset Monitor Statistics Telnet This screen shows statistics for Telnet activity on the VPN C...

Page 408: ...active Telnet sessions on the VPN Concentrator Each active session is a row Client IP Address Port The IP address and TCP source port number of this session s remote Telnet client Inbound Octets Total The total number of Telnet octets bytes received by this session Inbound Octets Command The number of octets bytes containing Telnet commands or options received by this session Inbound Octets Discar...

Page 409: ...sh The date and time indicate when the screen was last updated Requests The total number of DNS queries the VPN Concentrator made since it was last booted or reset This number equals the sum of the numbers in the four cells below Responses The number of DNS queries that were successfully resolved Timeouts The number of DNS queries that failed because there was no response from the server Server Un...

Page 410: ... updated Server IP Address Port The IP address of the configured authentication server and the port number that the VPN Concentrator is using to access the server Each configured authentication server is a row in this table Internal identifies the internal VPN Concentrator authentication server The default or well known port numbers identify an authentication server type 139 NT Domain 389 LDAP 164...

Page 411: ...number of bad authentication response packets received from this server Bad authenticators contain invalid authenticators or signature attributes Pending Requests The number of authentication request packets destined for this server that have not yet timed out or received a response Timeouts The number of authentication timeouts to this server After a timeout the system may retry the same server s...

Page 412: ...DIUS user accounting server and the port number that the VPN Concentrator is using to access the server Each configured accounting server is a row in this table The well known port number for RADIUS accounting is 1646 Requests The number of accounting request packets sent to this RADIUS accounting server This number does not include retransmissions Retransmissions The number of accounting request ...

Page 413: ...meout Sending to a different server is counted as a request as well as a timeout Unknown Type The number of RADIUS packets of unknown type received from this server on the accounting port Monitor Statistics Filtering This screen shows statistics for filtering of traffic that has passed through the interfaces on the VPN Concentrator since it was last booted or reset To configure filters see the Con...

Page 414: ...been filtered and dropped on this interface Inbound Packets Post Filter The number of inbound packets that have been filtered and forwarded on this interface This number equals Inbound Packets Pre Filter minus Inbound Packets Filtered Outbound Packets Pre Filter The total number of outbound packets received on this interface Outbound Packets Filtered The number of outbound packets that have been f...

Page 415: ...onfiguration System IP Routing Redundancy screen Figure 15 35 Monitor Statistics VRRP screen Refresh To update the screen and its data click Refresh The date and time indicate when the screen was last updated Checksum Errors The total number of VRRP packets received with an invalid VRRP checksum value Version Errors The total number of VRRP packets received with an unknown or unsupported version n...

Page 416: ... the router is functioning as the Master router Backup VRRP is enabled and the router is functioning as a Backup router monitoring the status of the Master router Init VRRP has been configured but is disabled i e the router is waiting to be enabled initialized Became Master The total number of times that this VPN Concentrator has become a VRRP Master router after having a different role This numbe...

Page 417: ...ed participating in VRRP Invalid Type Received The number of VRRP packets received by this interface with an invalid value in the Type field For VRRP version 2 the only valid Type value is 1 which indicates an advertisement packet Address List Errors The total number of packets received for which the address list does not match the list configured on this VPN Concentrator Invalid Authentication Er...

Page 418: ...e indicate when the screen was last updated Unencrypted Inbound Octets The number of octets bytes of inbound traffic output by the decryption engine Encrypted Inbound Octets The number of octets bytes of encrypted inbound traffic sent to the decryption engine This number includes negotiation traffic Unencrypted Outbound Octets The number of unencrypted outbound octets bytes sent to the encryption ...

Page 419: ... VPN Concentrator see Configuration System Servers DHCP To configure system wide DHCP functions within the VPN Concentrator see Configuration System IP Routing DHCP To use DHCP to assign addresses to clients see the Configuration System Address Management Assignment screen Figure 15 37 Monitor Statistics DHCP screen Refresh To update the screen and its data click Refresh The date and time indicate...

Page 420: ...lients from an internal address pool To configure address pools see the Configuration System Address Management screens Figure 15 38 Monitor Statistics Address Pools screen Refresh To update the screen and its data click Refresh The date and time indicate when the screen was last updated IP Address Range Start End The starting and ending IP addresses in the configured address pool Each configured ...

Page 421: ...nd received on network interfaces and VPN tunnels TCP UDP Transmission Control Protocol and User Datagram Protocol segments and datagrams sent and received etc IP Internet Protocol packets sent and received fragmentation and reassembly data etc RIP Routing Information Protocol global route changes bad packets and bad routes received etc OSPF Open Shortest Path First protocol LSA data Area data etc...

Page 422: ...ivate interface Ethernet 2 Public Ethernet 2 Public interface Ethernet 3 External Ethernet 3 External interface WAN 1 A WAN interface module in Slot 1 Port A WAN 1 B WAN interface module in Slot 1 Port B WAN 2 A WAN interface module in Slot 2 Port A WAN 2 B WAN interface module in Slot 2 Port B 1000 and up VPN tunnels which are treated as logical interfaces Status The operational status of this in...

Page 423: ...e received by this interface Multicast packets are those addressed to a specific group of hosts Multicast Out The number of multicast packets that were routed to this interface for transmission including those that were discarded or not sent Multicast packets are those addressed to a specific group of hosts Broadcast In The number of broadcast packets that were received by this interface Broadcast...

Page 424: ...se received in error and those received on currently established connections Segment is the official TCP name for what is casually called a data packet TCP Segments Transmitted The total number of segments sent including those on currently established connections but excluding those containing only retransmitted bytes Segment is the official TCP name for what is casually called a data packet TCP S...

Page 425: ...nnection synchronizing state These connections are usually in the majority TCP Attempt Failures The number of TCP connection attempts that failed Technically this is the number of TCP connections that went to an unconnected state plus the number that went to a listening state from a connection synchronizing state TCP Established Resets The number of established TCP connections that abruptly closed...

Page 426: ... there was no application at the destination port Datagram is the official UDP name for what is casually called a data packet Monitor Statistics MIB II IP This screen shows statistics in MIB II objects for IP traffic on the VPN Concentrator since it was last booted or reset RFC 2011 defines IP MIB objects Figure 15 42 Monitor Statistics MIB II IP screen Refresh To update the screen and its data cl...

Page 427: ...no problems preventing continued processing but that were discarded e g for lack of buffer space This number does not include any packets discarded while awaiting reassembly Packets Received Delivered The number of IP data packets received and successfully delivered to IP user protocols including ICMP on the VPN Concentrator i e the VPN Concentrator was the final destination Packets Forwarded The ...

Page 428: ...ilures The number of failures detected by the IP reassembly algorithm for whatever reason timed out errors etc This number is not necessarily a count of discarded IP fragments since some algorithms can lose track of the number of fragments by combining them as they are received Fragmentation Successes The number of IP data packets that have been successfully fragmented by the VPN Concentrator Frag...

Page 429: ...ta click Refresh The date and time indicate when the screen was last updated Global Route Changes The total number of route changes made to the IP route database by RIP This number does not include changes that only refresh a route s age Global Queries The total number of responses sent to RIP queries from other systems Interfaces This table shows a row of statistics for each configured interface ...

Page 430: ...er of routes in valid RIP packets received by this interface that were ignored for any reason e g unknown address family invalid metric Sent Updates The number of triggered RIP updates actually sent by this interface This number does not include full updates sent containing new information ...

Page 431: ...oncentrator since it was last booted or reset RFC 1850a defines OSPF version 2 MIB objects To configure OSPF on interfaces see Configuration Interfaces To configure system wide OSPF parameters see Configuration System IP Routing Figure 15 44 Monitor Statistics MIB II OSPF screen Refresh To update the screen and its data click Refresh The date and time indicate when the screen was last updated ...

Page 432: ...sum of the checksums of the external Link State Advertisements in the link state database You can use this sum to determine if there has been a change in the system s OSPF router link state database and to compare its database with other routers LSAs Originated The number of new Link State Advertisements that the system has originated This number is incremented each time the OSPF router originates...

Page 433: ... B Designated Router The IP address of the Designated Router in this OSPF area Backup Designated Router The IP address of the backup Designated Router in this OSPF area Neighbors This table shows a row of statistics for each OSPF neighbor for all areas in which the VPN Concentrator participates A neighbor is another OSPF router in an OSPF area and this table includes all such areas for the VPN Con...

Page 434: ...ing an adjacency relationship Exchanging The VPN Concentrator is describing its entire link state database by sending Database Description packets to this neighbor to establish an adjacency relationship Loading The VPN Concentrator is sending Link State Request packets to this neighbor asking for the more recent LSAs that have been discovered but not yet received in the Exchange state Full Green T...

Page 435: ...ormat Router Link Describes the states of the router s interfaces LS Type 1 Network Link Describes the set of routers attached to the network LS Type 2 Summary Link Describes routes to networks LS Type 3 AS Summary Link Describes routes to AS boundary routers LS Type 4 AS External Link Describes routes to destinations external to the AS LS Type 5 Multicast Link Describes group membership for multi...

Page 436: ... messages counted as Errors Received Transmitted ICMP messages solicit and provide information about the network environment Errors Received Transmitted The number of ICMP messages that the VPN Concentrator received but determined to have ICMP specific errors bad ICMP checksums bad length etc The number of ICMP messages that the VPN Concentrator did not send due to problems within ICMP such as a l...

Page 437: ...se that there is a better route to a particular destination Echo Requests PINGs Received Transmitted The number of ICMP Echo request messages received sent Echo messages are probably the most visible ICMP messages They test the communication path between network entities by asking for Echo Reply response messages Echo Replies PINGs Received Transmitted The number of ICMP Echo Reply messages receiv...

Page 438: ... II ARP Table This screen shows entries in the Address Resolution Protocol mapping table since the VPN Concentrator was last booted or reset ARP matches IP addresses with physical MAC addresses so the system can forward traffic to computers on its network RFC 2011 defines MIB entries in the ARP table The entries are sorted first by Interface then by IP Address To speed display the Manager may cons...

Page 439: ...o the IP Address Exceptions are 00 a virtual address for a tunnel FF FF FF FF FF FF a network broadcast address IP Address The IP address that maps to the Physical Address Mapping Type The type of mapping Other none of the following Invalid an invalid mapping Dynamic a learned mapping Static a static mapping on the VPN Concentrator Action Delete To remove a dynamic or learned mapping from the tabl...

Page 440: ...n and its data click Refresh The date and time indicate when the screen was last updated Interface The Ethernet interface to which the data in this row applies Only configured interfaces are shown Alignment Errors The number of frames received on this interface that are not an integral number of bytes long and do not pass the FCS Frame Check Sequence used for error detection check FCS Errors The n...

Page 441: ...sions number Multiple Collisions The number of successfully transmitted frames on this interface for which transmission is inhibited by more than one collision This number does not include the Single Collisions number Late Collisions The number of times that a collision is detected on this interface later than 512 bit times into the transmission of a packet 512 bit times 51 2 microseconds on a 10 ...

Page 442: ... SNMP traffic on the VPN Concentrator since it was last booted or reset RFC 1907 defines SNMP version 2 MIB objects To configure the VPN Concentrator SNMP server see Configuration System Management Protocols SNMP Figure 15 48 Monitor Statistics MIB II SNMP screen Refresh To update the screen and its data click Refresh The date and time indicate when the screen was last updated Requests Received Th...

Page 443: ...entrator does not include the usual default public community string Parsing Errors The total number of syntax or transmission errors encountered by the VPN Concentrator when decoding received SNMP messages Silent Drops The total number of SNMP request messages that were silently dropped because the reply exceeded the maximum allowable message size Proxy Drops The total number of SNMP request messa...

Page 444: ......

Page 445: ...d options see the corresponding section of the VPN Concentrator Manager in this manual For example to understand Ethernet interface configuration parameters and choices see Configuration Interfaces Ethernet 1 2 3 in Chapter 3 Interfaces Accessing the CLI You can access the CLI in two ways via the system console or a Telnet or Telnet over SSL client Console access To access the CLI via console 1 Co...

Page 446: ... 992 Terminal Type VT100 or ANSI Telnet SSL only If the client offers it enable both SSL and SSL Only 3 The VPN Concentrator displays a login prompt Login _ Starting the CLI You start the CLI by logging in CLI login usernames and passwords for both console and Telnet access are the same as those configured and enabled for administrators See the Administration Access Rights Administrators screen By...

Page 447: ...mpt always shows the menu context Choosing menu items To use the CLI enter a number at the prompt that corresponds to the desired menu item and press Enter For example this is the Configuration System General System Identification menu 1 Set System Name 2 Set Contact 3 Set Location 4 Back General _ Enter 1 to set the system name Entering values The CLI shows any current or default value for a para...

Page 448: ...p 3 Delete a Group 4 Back Groups _ To delete QuickGroup enter 3 at the prompt The CLI displays Enter the Group to Delete Groups _ At the prompt you can enter either its number 1 or its name QuickGroup However this next example shows the prompt for a specific identifier The Configuration System Servers Authentication menu lists configured servers Authentication Server Summary Table Num Server Type ...

Page 449: ...parated by periods For example suppose you want to change the General Parameters for the Base Group The series of menus that gets to that level from the main menu is 1 Configuration 2 Administration 3 Monitoring 4 Save changes to Config file 5 Help Information 6 Exit Main 1 Configuration 1 Interface Configuration 2 System Management 3 User Management 4 Policy Management 5 Back Config 3 User Manage...

Page 450: ... entering a number you can just enter b or B to move back to the previous menu Also at any menu level you can just enter h or H to move home to the main menu Getting Help Information To display a brief help message enter 5 at the main menu prompt The CLI explains how to navigate through menus and enter values This help message is available only at the main menu Cisco Systems Help information for t...

Page 451: ...I To stop the CLI navigate to the main menu and enter 6 for Exit at the prompt 1 Configuration 2 Administration 3 Monitoring 4 Save changes to Config file 5 Help Information 6 Exit Main 6 Done Make sure you save any configuration changes before you exit from the CLI Understanding CLI access rights What you see and can configure with the CLI depends on administrator access rights If you don t have ...

Page 452: ...n User Management Base Group menu Notes The CLI menus and options and thus the keyboard shortcuts may change with new software versions Please check familiar shortcuts carefully when using a new release The Model 3005 has two Ethernet interfaces and one expansion card slot and Models 3015 3080 have three interfaces and four expansion card slots Therefore CLI menu shortcuts differ where they involv...

Page 453: ...1 1 1 1 1 2 or 1 1 3 Configuration Interface Configuration Configure Ethernet 1 or 2 or 3 Only 1 1 1 and 1 1 2 on Model 3005 1 Enable Disable 2 Set IP Address 3 Set Subnet Mask 4 Select IP Filter 5 Select Ethernet Speed 6 Select Duplex 7 Set Port Routing Config 8 Set Public Interface 9 Back Ethernet Interface 1 _ 1 1 4 Configuration Interface Configuration Configure Power Supplies Model 3015 3080 ...

Page 454: ...uration Configure Expansion Cards Model 3015 3080 only Expansion Cards 1 SEP 2 Dual T1 E1 WAN 3 None 4 None 1 Configure Slot 1 2 Configure Slot 2 3 Configure Slot 3 4 Configure Slot 4 5 Back Interfaces _ 1 1 4 Configuration Interface Configuration Configure Expansion Cards Model 3005 only Expansion Card 1 Configure Expansion Card 2 Back Interfaces _ 1 2 Configuration System Management 1 Servers Au...

Page 455: ... 1 2 2 Configuration System Management Address Management 1 Address Assignment 2 Address Pools 3 Back Address _ 1 2 3 Configuration System Management Tunneling Protocols 1 PPTP 2 L2TP 3 IKE Proposals 4 Back Tunnel _ Note The CLI does not include IPSec LAN to LAN configuration 1 2 4 Configuration System Management IP Routing 1 Static Routes 2 Default Gateways 3 OSPF 4 OSPF Areas 5 DHCP 6 Redundancy...

Page 456: ...re SNMP 6 Configure SNMP Community Strings 7 Configure SSL 8 Back Network _ 1 2 6 Configuration System Management Event Configuration 1 General 2 FTP Backup 3 Classes 4 Trap Destinations 5 Syslog Servers 6 SMTP Servers 7 Email Recipients 8 Back Event _ 1 2 7 Configuration System Management General Config 1 System Identification 2 System Time and Date 3 Back General _ 1 3 Configuration User Managem...

Page 457: ...4 PPTP L2TP Parameters 5 Back Base Group _ 1 3 2 Configuration User Management Groups Current User Groups 1 Add a Group 2 Modify a Group 3 Delete a Group 4 Back Groups _ 1 3 3 Configuration User Management Users Current Users 1 Add a User 2 Modify a User 3 Delete a User 4 Back Users _ 1 4 Configuration Policy Management 1 Access Hours 2 Traffic Management 3 Back Policy _ ...

Page 458: ...Configuration Policy Management Traffic Management 1 Network Lists 2 Rules 3 Security Associations SAs 4 Filters 5 Network Address Translation NAT 6 Back Traffic _ 2 Administration 1 Administer Sessions 2 Software Update 3 System Reboot 4 Ping 5 Access Rights 6 File Management 7 Certificate Management 8 Back Admin _ 2 1 Administration Administer Sessions Active Sessions 1 Refresh Session Status 2 ...

Page 459: ... Configuration file 3 Reboot with Factory Default Configuration 4 Back Admin _ 2 3 3 Administration System Reboot Schedule Shutdown 1 Save active configuration and use it at next reboot 2 Shutdown without saving active Configuration file 3 Use Factory Default Configuration at next reboot 4 Back Admin _ 2 5 Administration Access Rights 1 Administrators 2 Access Control List 3 Access Settings 4 Back...

Page 460: ...Workstation Down 6 Back Admin _ 2 5 3 Administration Access Rights Access Settings 1 Set Session Timeout 2 Set Session Limit 3 Enable Disable Encrypt Config File 4 Back Admin _ 2 6 Administration File Management List of Files 1 Delete File 2 Copy File 3 View File 4 Put File via TFTP 5 Get File via TFTP 6 Swap Configuration File 7 Upload Configuration File 8 Back File _ 2 6 6 Administration File Ma...

Page 461: ...tall SSL Certificate from Enrollment 3 Install SSL Certificate with private key 4 Install Identity Certificate from Enrollment 5 Install Identity Certificate with private key 6 Back Certificates _ 2 7 3 Administration Certificate Management Certificate Authorities Certificate Authorities 1 View Certificate 2 Delete Certificate 3 CRL Configuration 4 Back Certificates _ 2 7 4 Administration Certific...

Page 462: ... Quit SPACE to Continue Issuer q to Quit SPACE to Continue Serial Number 1 Delete Certificate 2 Generate Certificate 3 Back Certificates _ 3 Monitoring 1 Routing Table 2 Event Log 3 System Status 4 Sessions 5 General Statistics 6 Back Monitor _ 3 1 Monitoring Routing Table Routing Table q to Quit SPACE to Continue 1 Refresh Routing Table 2 Back Routing _ ...

Page 463: ...w Event Log Event Log entries 1 First Page 2 Previous Page 3 Next Page 4 Last Page 5 Back Log _ 3 3 Monitoring System Status System Status 1 Refresh System Status 2 View Card Status 3 Back Status _ 3 3 2 Monitoring System Status View Card Status Model 3015 3080 only 1 Card in Slot 1 2 Card in Slot 2 3 Card in Slot 3 4 Card in Slot 4 5 Back Card Status _ Model 3005 only 1 Card in Slot 1 2 Back Card...

Page 464: ...istics 2 View Top Ten Lists 3 View Session Protocols 4 View Session Encryption 5 Back Sessions _ 3 4 1 Monitoring Sessions View Session Statistics Active Sessions 1 Refresh Session Statistics 2 Session Details 3 Back Sessions _ 3 4 2 Monitoring Sessions View Top Ten Lists 1 Top 10 Users based on Data 2 Top 10 Users based on Duration 3 Top 10 Users based on Throughput 4 Back Sessions _ 3 4 3 Monito...

Page 465: ...el 3015 3080 3 4 4 on Model 3005 Session Encryption 1 Refresh Session Encryption 2 Back Sessions _ 3 5 Monitoring General Statistics 1 Protocol Statistics 2 Server Statistics 3 Event Statistics 4 MIB II Statistics 5 Back General _ 3 5 1 Monitoring General Statistics Protocol Statistics 1 PPTP Statistics 2 L2TP Statistics 3 IPSec Statistics 4 HTTP Statistics 5 Telnet Statistics 6 DNS Statistics 7 V...

Page 466: ...2 Accounting Statistics 3 Filtering Statistics 4 DHCP Statistics 5 Address Pool Statistics 6 Back General _ 3 5 3 Monitoring General Statistics Event Statistics Event Statistics q to Quit SPACE to Continue 1 Refresh Event Statistics 2 Back General _ 3 5 4 Monitoring General Statistics MIB II Statistics 1 Interface based 2 System level 3 Back MIB2 _ End of Chapter ...

Page 467: ...atile memory NVRAM To troubleshoot operational problems we recommend that you start by examining the event log See Configuration System Events and Monitor Event Log The VPN Concentrator automatically saves the event log to a file in flash memory if it crashes and when it is rebooted This log file is named SAVELOG TXT and it overwrites any existing file with that name The SAVELOG TXT file is useful...

Page 468: ... protect access security clicking Refresh Reload on the browser s toolbar automatically logs out the Manager session Do not use the browser s navigation toolbar buttons with the VPN Concentrator Manager Use only the Manager s Refresh button where it appears on a screen We recommend that you hide the browser s navigation toolbar to prevent mistakes Problem Possible cause Solution You clicked the Ba...

Page 469: ...n name and password Type carefully The Manager session has been idle longer than the configured timeout interval No activity for interval seconds The Manager resets the inactivity timer only when you click an action button Apply Add Cancel etc or a link on a screen that is when you invoke a different screen Entering values or setting parameters on a given screen does not reset the timer Default ti...

Page 470: ...message describes the erroneous operation Problem Possible cause Solution You tried to perform some operation that is not allowed The screen displays a message that describes the cause Click Retry the operation to return to the screen where you were working and correct the mistake Carefully check all your previous entries on that screen The Manager attempts to retain valid entries but invalid entr...

Page 471: ... browser that you have invoked You are using the Manager with an unsupported browser You are using the Manager with an obsolete browser You are using a browser that does not have JavaScript enabled Use Microsoft Internet Explorer version 4 0 or higher Use Netscape Communicator or Navigator version 4 0 or higher Be sure JavaScript is enabled in the browser See Required browser in Chapter 2 of VPN 3...

Page 472: ...thorization to access You logged in using an administrator login name that has limited privileges You logged in from a workstation that has limited access privileges Log in using the system administrator login name and password Defaults are admin admin Log in from a workstation with greater access privileges Have the system administrator change your privileges on the Administration Access Rights A...

Page 473: ...cause Solution The Manager could not find a screen You updated the software image and did not clear the browser s cache Clear the browser s cache delete its temporary internet files history files and location bar references Then try again There is an internal Manager error Please note the system information on the screen and contact Cisco support personnel for assistance Problem Possible cause Sol...

Page 474: ...d a number greater than 255 in a byte position You entered 0 0 0 0 instead of an appropriate address At the prompt re enter a valid 4 byte dotted decimal number Problem Possible cause Solution The system expected a number within a certain range and the entry was outside that range You entered a letter instead of a number You entered a number greater than the possible menu numbers At the prompt re ...

Page 475: ...ors on the VPN Concentrator and its expansion modules are normally green The usage gauge LEDs are normally blue LEDs that are amber or off may indicate an error condition NA not applicable i e the LED does not have that state Contact Cisco support if any LED indicates an error condition ...

Page 476: ...ion Modules Insertion Status 1 2 3 4 SEP module or WAN interface module installed in system NA Module not installed in system Expansion Modules Run Status 1 2 3 4 SEP module or WAN interface module operational Module failed during operation Error If installed module failed diagnostics or encryption code is not running Error Fan Status Operating normally Not running or RPM below normal range Error ...

Page 477: ... ready to power off LED Indicator Rear Green Amber Off Private Public External Ethernet Interfaces connected to network Link Carrier detected Normal NA No carrier detected Error Tx Transmitting data Normal Intermittent on NA Not transmitting data Idle Intermittent off Coll NA Data collisions detected No collisions Normal 100 Speed set at 100 Mbps NA Speed set at 10 Mbps SEP Module LED Green Amber ...

Page 478: ...odule LEDs are visible from the rear of the VPN Concentrator WAN Module LED On Blinking Off Power Normal operation NA Power is not reaching the module It may not be seated correctly Error Status Module has passed diagnostics and is operational Normal Module failed diagnostics Error Module has failed Error ...

Page 479: ...essed momentary contact switch that sets loopback mode in this sequence Port A on Port B on Ports A and B on Ports A and B off All four Port LEDs blinking in unison Port configured but not enabled T1 E1 Line Error Condition On Off Off Off Red Complete loss of signal Possible causes out of frame errors mismatched framing format e g one side using SF and the other using ESF or disconnected line On O...

Page 480: ......

Page 481: ... Software and any accompanying written materials are owned or licensed by Cisco Systems and are protected by United States copyright laws laws of other nations and or international treaties Grant of License 2 Cisco Systems hereby grants to you the right to use the Software with the Cisco VPN 3000 Concentrator product To this end the Software contains both operator software for use by the network a...

Page 482: ...ained in or relating to the Software or accompanying documentation and shall not make use thereof except as expressly authorized herein or otherwise authorized in writing by Cisco Systems 10 Any notice demand or request with respect to this Agreement shall be in writing and shall be effective only if it is delivered by hand or mailed certified or registered mail postage prepaid return receipt requ...

Page 483: ...ght and license notices follow BSD software Copyright 1990 1993 The Regents of the University of California All rights reserved Redistribution and use in source and binary forms with or without modification are permitted provided that the following conditions are met 1 Redistributions of source code must retain the above copyright notice this list of conditions and the following disclaimer 2 Redis...

Page 484: ...E POSSIBILITY OF SUCH DAMAGE DNS Resolver client DNS Resolver BSD DEC Internet Software Consortium Copyright 1988 1993 The Regents of the University of California All rights reserved Redistribution and use in source and binary forms with or without modification are permitted provided that the following conditions are met 1 Redistributions of source code must retain the above copyright notice this ...

Page 485: ...TH THE USE OR PERFORMANCE OF THIS SOFTWARE Portions Copyright 1995 by International Business Machines Inc International Business Machines Inc hereinafter called IBM grants permission under its copyrights to use copy modify and distribute this Software with or without fee provided that the above copyright notice and all paragraphs of this notice appear in all copies and that the name of IBM not be ...

Page 486: ...NCLUDING BUT NOT LIMITED TO PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES LOSS OF USE DATA OR PROFITS OR BUSINESS INTERRUPTION HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY WHETHER IN CONTRACT STRICT LIABILITY OR TORT INCLUDING NEGLIGENCE OR OTHERWISE ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE The views and conclusions contained in the softwa...

Page 487: ... screen as it pertains to the SDTI Translation Server SNMP Copyright 1998 by Carnegie Mellon University All Rights Reserved Permission to use copy modify and distribute this software and its documentation for any purpose and without fee is hereby granted provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting...

Page 488: ...ted to such distribution and use acknowledge that the software was developed by the University of California Berkeley The name of the University may not be used to endorse or promote products derived from this software without specific prior written permission THIS SOFTWARE IS PROVIDED AS IS AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES INCLUDING WITHOUT LIMITATION THE IMPLIED WARRANTIES OF MERCHA...

Page 489: ...orrect the interference at his own expense E U EN 55022 Notice Warning This is a Class A product In a domestic environment this product may cause radio interference in which case the user may be required to take adequate measures Voluntary Control Council for Interference by Information Technology Equipment VCCI Statement 1 Class A ITE Information Technology Equipment shall be identified with a la...

Page 490: ...ions Commission FCC Rules Part 68 This equipment is certified with the FCC under Part 68 as a component device for use with the following Cisco Systems host routers In order for the FCC certification of this product to be retained all other products used in conjunction with this product must also be FCC Part 68 certified for use with these hosts If any of these components are not certified then yo...

Page 491: ...uously complies with Part 68 of the FCC Rules and Regulations The digital CPE does not transmit digital signals containing encoded analog content or billing information which is intended to be decoded within the telecommunication network The encoded analog content and billing protection is factory set and is not under the control of the customer I attest that the operator s maintainer s of the dig...

Page 492: ...a certified connector assembly telephone extension cord The customer should be aware that compliance with the above conditions might not prevent degradation of service in some situations Repairs to certified equipment should be made by an authorised Canadian maintenance facility designated by the supplier Any repairs or alterations made by the user to this equipment or equipment malfunctions may g...

Page 493: ...urity association traffic management 13 22 SMTP server for events 10 20 SNMP community 9 10 SNMP event destination 10 15 static route for IP routing 8 3 syslog server to receive events 10 17 user on internal server user management 12 34 address management configuring 6 1 address pools configuring 6 3 add 6 4 modify 6 4 statistics 15 76 admin password default 14 22 administering the VPN Concentrato...

Page 494: ...ion file 16 7 specifying configured items 16 4 starting 16 2 stopping 16 7 using 16 1 16 3 using Back and Home 16 6 using shortcut numbers to navigate 16 5 closed or collapsed icon 1 22 Coll LED Ethernet A 11 Command Line Interface See CLI configuration files changes with software update 14 14 handling at reboot or shutdown 14 18 saving 1 21 CLI 16 7 swap 14 32 useful for troubleshooting A 2 confi...

Page 495: ...0 22 modify 10 22 encryption algorithms used by sessions monitoring 15 39 enrolling with a Certificate Authority 14 40 entering values with CLI 16 3 error an error has occurred A 4 bad IP address A 8 insufficient authorization A 6 invalid login A 3 JavaScript A 5 no such interface supported IE A 7 not allowed A 6 not found A 7 old browser A 5 out of range value A 8 passwords do not match A 8 sessi...

Page 496: ...nsfer via TFTP 14 32 managing files in 14 29 14 30 rights to files in 14 25 saving log files in 10 6 size of 14 30 space used 14 30 formats data xl filenames xl hostnames xl IP addresses xl MAC addresses xl port numbers xl subnet masks xl text strings xl wildcard masks xl fractional T1 E1 interface 3 16 3 24 front panel display monitoring 15 10 FTP configuring internal server 9 2 using to save log...

Page 497: ...tatistics 15 82 IP routing configuring 8 2 section of Manager 8 1 IPSec Cisco VPN 3000 Client 7 7 12 6 12 23 12 38 13 20 configuring 7 7 base group 12 6 12 7 group internal 12 23 12 24 user internal server 12 38 12 39 discussion 7 7 Mode Configuration 12 9 12 26 rules 13 5 security associations See security associations statistics 15 55 XAuth 12 9 12 26 IPSec LAN to LAN automatic parameters 7 11 7...

Page 498: ...ols configuring 9 1 Manager table of contents 1 24 Manager toolbar in Manager window 1 20 Manager window Cisco Systems logo 1 22 left frame table of contents 1 22 main frame 1 22 mouse pointer and tips 1 20 status bar 1 19 title bar 1 19 top frame Manager toolbar 1 20 managing VPN Concentrator with CLI 16 1 memory SDRAM 15 10 menus CLI navigating 16 5 MIB II statistics 15 77 system object 11 2 Mod...

Page 499: ... OSPF 3 1 3 2 configuring on Ethernet interface 3 11 on WAN interface 3 20 system wide parameters 8 6 MIB II statistics 15 87 OSPF areas configuring 8 8 add 8 9 modify 8 9 Out of Range value error A 8 P password default administrator 14 22 factory default Manager 1 18 Passwords do not match error A 8 ping a host 14 19 PKCS 10 enrollment request 14 39 policy management configuring 13 2 section of M...

Page 500: ...monitoring 15 38 servers configuring system access to 5 1 Session Timeout error A 3 sessions active administration 14 3 active monitoring 15 26 count definition 14 4 15 26 data monitoring 15 26 detail 14 8 15 30 parameter definitions 14 12 15 34 encryption algorithms used 15 39 logout all 14 4 maximum permitted 14 5 15 27 parameter definitions 14 7 15 29 protocols monitoring 15 36 SEP modules used...

Page 501: ... 14 17 system shutdown 14 17 system status monitoring 15 9 T T1 E1 3 2 line error conditions WAN card A 13 parameters configuring on WAN interface 3 23 selecting for WAN interface 3 15 statistics 15 14 tab on Manager screen Administration 1 21 Configuration 1 21 Help 1 20 Logout 1 21 Main 1 20 Monitoring 1 21 Support 1 20 table of contents Manager 1 24 TCP UDP MIB II statistics 15 80 Technical Ass...

Page 502: ...er 1 1 V viewing SSL certificates with Internet Explorer 1 9 with Netscape 1 15 voltage status 15 19 VPN Concentrator Manager errors A 2 logging in 1 18 logging out 1 21 navigating 1 24 organization of 1 23 understanding the window 1 19 using 1 1 VRRP configuring 8 12 statistics 15 71 W WAN card LED indicators A 12 putting in loopback mode A 13 WAN interface See interfaces wildcard masks 7 15 7 17...

Reviews:

No comments

Brands by name

Popular brands

Load more brands