Corporate Headquarters

Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706 
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 526-4100

VPN 3000 Series Concentrator
Getting Started

Release 4.7
August 2005

Customer Order Number: 78-15733
Text Part Number: 78-15733-03

Summary of Contents for 3005

Page 2: ...OR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. VPN 3000 Series Concentrator Getting Started. Copyright 2005 Cisco Systems, Inc. All rights reserved. CCSP, CCVP, the Cisco Square Bridge l...

Page 3: ...ntrator Fits in Your Network 1-8; Physical Specifications 1-9. Chapter 2, Installing and Powering Up the VPN Concentrator 2-1: Preparing to Install 2-1; Unpacking 2-4; Installing the VPN Concentrator Hardware 2-5; Connecting Hardware 2-9; Powering Up 2-12; Beginning Quick Configuration 2-13. Chapter 3, Using the VPN Concentrator Manager for Quick Configuration 3-1: Logging in to the VPN Concentrat...

Page 4: ...n 4-1; Configuring Ethernet Interfaces 4-2; Configuring System Information 4-5; Configuring Tunneling Protocols and Options 4-6; Configuring Address Assignment 4-8; Configuring Authentication 4-10; Configuring the IPSec Group 4-17; Changing the Admin Password 4-18; Completing Quick Configuration 4-19; Saving the Active Configuration 4-19; Exiting the CLI 4-19; What Next? 4-20. Chapter 5, Testing the VPN C...

Page 5: ...agement, and you should be familiar with Microsoft Internet Explorer, Netscape Navigator or Communicator, or Mozilla browsers. Organization: This guide is organized as follows (Chapter, Title, Description). Chapter 1, Understanding the VPN 3000 Concentrator: Summarizes the hardware and software features and operation. If you are familiar with VPN devices, you can skip this chapter. Chapter 2, Installing and Power...

Page 6: ...ncentrator Manager also includes context-oriented online help that you can access by clicking the Help icon on the toolbar in the Manager window. VPN Client Documentation: The Cisco VPN Client User Guide for Windows, the Cisco VPN Client User Guide for Linux and Solaris, and the Cisco VPN Client User Guide for Mac OS X explain how to install, configure, and use the VPN Client. The VPN Client lets a remot...

Page 7: ... the VPN 3002. Documentation on VPN Software Distribution CDs: The VPN 3000 Series Concentrator and VPN 3002 Hardware Client documentation are provided on the VPN 3000 Concentrator software distribution CD-ROM in PDF format. The VPN Client documentation is included on the VPN Client software distribution CD-ROM, also in PDF format. To view the latest versions on the Cisco web site, click the Support ico...

Page 8: ...use the following conventions. Warning: This warning symbol means danger. You are in a situation that could cause bodily injury. Before you work on any equipment, you must be aware of the hazards involved with electrical circuitry and familiar with standard practices for preventing accidents. Convention / Description: boldface font: commands and keywords are in boldface; italic font: arguments for which you s...

Page 9: ...mit leading zeros in a byte position. Subnet Masks and Wildcard Masks: Subnet masks use 4-byte dotted decimal notation, for example 255.255.255.0. Wildcard masks use the same notation, for example 0.0.0.255; as the example illustrates, you can omit leading zeros in a byte position. MAC Addresses: MAC addresses use 6-byte hexadecimal notation, for example 00.10.5A.1F.4F.07. Hostnames: Hostnames use legitimate ...

Page 10: ...as a single unit or as a subscription. Registered Cisco.com users (Cisco direct customers) can order a Product Documentation DVD (product number DOC-DOCDVD) from the Ordering tool or Cisco Marketplace. Cisco Ordering tool: http://www.cisco.com/en/US/partner/ordering/ ; Cisco Marketplace: http://www.cisco.com/go/marketplace/ . Ordering Documentation: Beginning June 30, 2005, registered Cisco.com users may order Cisco d...

Page 11: ...idents that involve Cisco products. Register to receive security information from Cisco. A current list of security advisories and notices for Cisco products is available at this URL: http://www.cisco.com/go/psirt . If you prefer to see advisories and notices as they are updated in real time, you can access a Product Security Incident Response Team Really Simple Syndication (PSIRT RSS) feed from this URL: ht...

Page 12: ...ntation Website: The Cisco Technical Support & Documentation website provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies. The website is available 24 hours a day at this URL: http://www.cisco.com/techsupport . Access to all tools on the Cisco Technical Support & Documentation website requires a Cisco.com user ID and password. If you have ...

Page 13: ...ne of the following numbers: Asia-Pacific: +61 2 8446 7411; Australia: 1 800 805 227; EMEA: +32 2 704 55 55; USA: 1 800 553 2447. For a complete list of Cisco TAC contacts, go to this URL: http://www.cisco.com/techsupport/contacts . Definitions of Service Request Severity: To ensure that all service requests are reported in a standard format, Cisco has established severity definitions. Severity 1 (S1): Your network is d...

Page 14: ...iQ Magazine is the quarterly publication from Cisco Systems designed to help growing companies learn how they can use technology to increase revenue, streamline their business, and expand services. The publication identifies the challenges facing these companies and the technologies to help solve them, using real-world case studies and business strategies to help readers make sound technology investme...

Page 15: ...own as the VPN Concentrator, creates a virtual private network by creating a secure connection across a TCP/IP network (such as the Internet) that users see as a private connection. The VPN Concentrator can create single-user-to-LAN connections and LAN-to-LAN connections. Figure 1-1: The Cisco VPN 3000 Concentrator (Model 3005; Models 3015 to 3080).

Page 16: ...r file management. In addition, individual models have the following hardware features (VPN Concentrator Model / Hardware Features). Model 3005: software-based encryption; single power supply; 64 MB memory (versions prior to 4.1 have 32 MB memory). Model 3015: software-based encryption; single power supply; expansion capabilities: up to two Enhanced Cisco Scalable Encryption Processing (SEP-E) modules for hardware-ba...

Page 17: ... encryption; up to two additional SEP-E modules for redundancy; optional redundant power supply; 512 MB memory. Model 3060: two SEP-E modules for hardware-based encryption; expansion capabilities: up to two additional SEP-E modules for system redundancy; optional redundant power supply; 512 MB memory. Model 3080: two SEP-E modules for hardware-based encryption; two SEP-E modules for system redundancy; dual re...

Page 18: ...nnections. SSHv1 (Secure Shell), including SCP (Secure Copy). Tunneling Protocols: IPSec (IP Security Protocol): remote access using the Cisco VPN Client or other select IPSec-protocol-compliant clients; LAN-to-LAN between peer VPN Concentrators or between a VPN Concentrator and another IPSec-protocol-compliant secure gateway. L2TP over IPSec for native Windows 2000, Windows NT, and Windows XP client compatibility. W...

Page 19: ...IUS; RADIUS with Password Expiration (MSCHAPv2); NT Domain; Kerberos/Active Directory; RSA Security SecurID; TACACS+ (administrator only); LDAP (authorization); authentication server testing; X.509 digital certificates; RADIUS accounting. Certificate Authorities: Entrust, VeriSign, Microsoft Windows 2000, RSA Keon, Netscape, Baltimore. Security Management: group and user profiles; data traffic management by means of filter...

Page 20: ...Load Balancing; system redundancy via VRRP. System Administration: session monitoring and management; software image update; boot code upgrade; file upload; system reset and reboot; ping; configurable system administrator profiles; file management, including SCP and TFTP transfer; digital certificate enrollment and management; session limit setting; traceroute. Monitoring: event logging and notification via syste...

Page 21: ...on. It can also receive encapsulated packets, unencapsulate them, and send them to their final destination. The VPN Concentrator performs the following functions: establishes tunnels; negotiates tunnel parameters; authenticates users; assigns user addresses; encrypts and decrypts data; manages security keys; manages data transfer across the tunnel; manages data transfer inbound and outbound as a tunnel endpoi...

Page 22: ... such a configuration is firewall-vendor dependent and might require additional firewall configuration. For LAN-to-LAN or branch-office applications, place a second VPN Concentrator or other IPSec-protocol-compliant secure gateway at the remote office. Figure 1-2: A Typical VPN Concentrator Network Installation. Physical Specifications: The VPN Concentrator has the following physical specifications. Widt...

Page 23: ...sical Specifications. Power: 100 to 240 VAC at 50/60 Hz (autosensing); 3005: maximum 25 W (0.2 A at 120 VAC); 3015-3080: maximum 50 W (0.42 A at 120 VAC). Cabling distances from an active network device: approx. 328 feet (100 meters). UL approved (electrical, mechanical, and construction). Standards compliance: FCC, E.U., and VCCI Class A compliance.

Page 25: ...nd VPN devices may be new to you. You should be familiar with Windows system configuration and management and with Microsoft Internet Explorer, Netscape Navigator, or Mozilla browsers. Physical Site Requirements: The VPN Concentrator requires a normal computing equipment environment. Power: The VPN Concentrator requires only normal computing equipment power. For maximum protection, we recommend connecting ...

Page 26: ...xplorer version 6.0 SP1 or higher (Windows; SP2 required for Windows XP); Netscape Navigator version 7.2 or higher (Windows, Linux, or Solaris); Mozilla 1.7.3 or higher (Windows, Linux, or Solaris); Firefox 1.0 (Windows, Macintosh, or Linux). For best results, we recommend Internet Explorer. Whatever browser and version you use, install the latest patches and service packs for it. JavaScript and Cookies: Be sure JavaScrip...

Page 27: ...check your contents against the list in Table 2-1. Save the packing material in case you need to repack the unit. Browser / JavaScript / Cookies. Internet Explorer 6.0: (1) On the Tools menu, choose Internet Options. (2) On the Security tab, click Custom Level. (3) In the Security Settings window, scroll down to Scripting. (4) Click Enable under Active scripting. (5) Click Enable under Scripting of Java applets. (1) On the T...

Page 28: ...e. Rack Mounting: Attach the rack-mounting brackets with 10-32 screws in the holes on the front left and right sides. Be sure to orient the brackets as shown in Figure 2-1. Figure 2-1: Attaching Rack Mounting Brackets (Model 3005). 1 or 2 power cords; 1 Cisco VPN 3000 Series Concentrator CD; 1 Cisco VPN Software Client CD; 1 VPN 3000 Series Concentrator Getting Started (this manual); 1 VPN 3000 Series Concentra...

Page 29: ...he VPN Concentrator. Installing the VPN Concentrator Hardware, Models 3015 to 3080: Mount the VPN Concentrator in the rack as shown in Figure 2-2. Use screws or fasteners appropriate for your equipment rack. Figure 2-2: Rack Mounting a VPN Concentrator (Model 3005; Models 3015 through 3080).

Page 30: ...e or shelf, locate the four indentations on the bottom of the chassis. Peel the removable tape off each rubber foot and place one foot in each indentation. See Figure 2-3. Some models of the VPN Concentrator use screws to attach the rubber feet. If the rubber feet have screws, attach them to the bottom of the chassis in the holes at each corner. See Figure 2-4. Figure 2-3: Installing Rubber Feet (VPN 3005, V...

Page 31: ... Figure 2-4: Installing Rubber Feet with Screws (Model 3005; Models 3015 through 3080).

Page 32: ...cables to the VPN Concentrator until instructed. Connecting the Console PC: Connect the RS-232 straight-through serial cable between the Console port on the back of the VPN Concentrator and the COM1 or serial port on the console PC. See Figure 2-5. If you are using a PC with a browser to manage the VPN Concentrator, be sure the PC is connected to the same private LAN as the VPN Concentrator. Figure 2-5: ...

Page 33: ...ces, usually Ethernet 1 and Ethernet 2. Connecting Power Cable(s): Warning: Be sure the VPN Concentrator power switch is OFF (O depressed) before you connect a power cable. The power switch is on the power module on the back of the VPN Concentrator. Connect the power cable(s) between the VPN Concentrator and an appropriate power outlet. Be sure the power outlet provides a reliable earth ground. See Figure 2-6...

Page 34: ... Note: If you have a system with redundant power modules, make sure you connect power cables between both modules and appropriate power outlets. Figure 2-6: Connecting Power Cable(s) (Model 3005; Models 3015 through 3080).

Page 35: ...rnet Link Status 1, 2, 3: green for the Ethernet interfaces to which you connected patch cables. Expansion Modules 1, 2, 3, 4: Insertion Status green for the number of SEP-E modules in your device; Run Status green for the number of SEP-E modules in your device. Fan Status: green. Power Supplies A, B: green for the number of power supplies in your device. Ignore any other LEDs on the front panel. Step 4: Watch for...

Page 36: ...r Manager, see Chapter 3, Using the VPN Concentrator Manager for Quick Configuration. While you can continue with the console instead (see Chapter 4, Using the Command Line Interface for Quick Configuration), we recommend using a browser. Step 3: Configure the other Ethernet interfaces that are connected to a public network or an additional external network. Step 4: Enter system identification information (sy...

Page 37: ...x mode for the VPN Concentrator interface to the public network. IP Interfaces, Ethernet 3 (External): For Models 3015-3080 only. If so connected, specify the IP address and subnet mask, speed, and duplex mode for the VPN Concentrator interface to an additional external network. System Info, System Name: Specify a device or system name for the VPN Concentrator, for example VPN01. System Info, DNS Server: Specify ...

Page 38: ...in user authentication server, specify its IP address, port number, and Primary Domain Controller hostname. SDI: If you use an external SDI user authentication server, specify its IP address and port number. Kerberos/Active Directory: If you use an external Kerberos/Active Directory authentication server, specify its IP address, port number, and realm. User Database / Group Name / Password / Verify: If you enable th...

Page 39: ...he VPN Concentrator. The correct time is very important so that logging and accounting entries are accurate and so that the system can create a valid security certificate. The time in brackets is the current device time. Welcome to Cisco Systems VPN 3000 Concentrator Series Command Line Interface. Copyright (C) 1998-2005 Cisco Systems, Inc. Set the time on your device. Time / Quick -> [ 15:46:41 ] _ . At the cursor, e...

Page 40: ...At the cursor, enter the IP address using dotted decimal notation, for example 10.10.4.6. Note: Ethernet 3 appears only on Models 3015-3080. Step 8: The system initializes its network subsystems, which takes a few seconds. It then prompts you for the subnet mask for the Ethernet 1 (Private) interface. The entry in brackets is the standard subnet mask for the IP address you just entered. For example, an IP addr...
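The notation rules on Page 9 (dotted-decimal masks with optional leading zeros, wildcard masks, 6-byte hex MAC addresses) and the "standard subnet mask" the console proposes in brackets on Page 40 (the classful default for the address you typed) are easy to get wrong by hand. The following validator is an added example, not Cisco code and not part of the original guide: it parses the notations the guide describes, derives the classful default mask, checks that a subnet mask is contiguous, and converts between subnet and wildcard masks. The MAC separators it accepts (".", ":" and "-") are an assumption; the guide only shows the dotted form.

```python
"""Added example (not Cisco code): validators for the address notations on
Page 9 and the classful default subnet mask the console offers on Page 40."""


def parse_dotted(text: str) -> bytes:
    """4-byte dotted decimal. Leading zeros in a byte position are optional,
    so 255.255.255.0, 0.0.0.255 and 010.010.004.006 all parse."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not dotted decimal: {text!r}")
    octets = [int(p, 10) for p in parts]  # base 10 on purpose: 010 is ten, not octal
    if any(o > 255 for o in octets):
        raise ValueError(f"octet out of range: {text!r}")
    return bytes(octets)


def fmt_dotted(octets: bytes) -> str:
    return ".".join(str(o) for o in octets)


def classful_default_mask(ip: str) -> str:
    """The mask shown in brackets by the console: Class A (first octet 0-127)
    -> 255.0.0.0, Class B (128-191) -> 255.255.0.0, Class C (192-223) -> 255.255.255.0."""
    first = parse_dotted(ip)[0]
    if first < 128:
        return "255.0.0.0"
    if first < 192:
        return "255.255.0.0"
    if first < 224:
        return "255.255.255.0"
    raise ValueError(f"no classful default for {ip} (class D/E)")


def is_contiguous_mask(mask: str) -> bool:
    """A subnet mask must be a run of ones followed by zeros; 255.255.0.255 is not."""
    m = int.from_bytes(parse_dotted(mask), "big")
    inverted = ~m & 0xFFFFFFFF
    return inverted & (inverted + 1) == 0


def wildcard_from_mask(mask: str) -> str:
    """Wildcard mask is the bitwise complement of the subnet mask (255.255.255.0 -> 0.0.0.255)."""
    if not is_contiguous_mask(mask):
        raise ValueError(f"not a valid subnet mask: {mask}")
    return fmt_dotted(bytes(b ^ 0xFF for b in parse_dotted(mask)))


def mask_from_wildcard(wildcard: str) -> str:
    """Inverse of wildcard_from_mask, rejecting wildcards whose complement is not a mask."""
    mask = fmt_dotted(bytes(b ^ 0xFF for b in parse_dotted(wildcard)))
    if not is_contiguous_mask(mask):
        raise ValueError(f"not a valid wildcard mask: {wildcard}")
    return mask


def parse_mac(text: str) -> bytes:
    """6-byte hexadecimal MAC address; '.', ':' or '-' between bytes (assumption), any case."""
    parts = text.strip().replace(":", ".").replace("-", ".").split(".")
    if len(parts) != 6 or not all(len(p) == 2 for p in parts):
        raise ValueError(f"not a 6-byte MAC address: {text!r}")
    return bytes(int(p, 16) for p in parts)


if __name__ == "__main__":
    for ip in ("10.10.4.6", "172.16.0.1", "192.168.12.34"):
        print(ip, "->", classful_default_mask(ip), "wildcard", wildcard_from_mask(classful_default_mask(ip)))
    print(parse_mac("00.10.5A.1F.4F.07").hex(":"))
```

The classful default is only a starting point: 10.10.4.6 gets 255.0.0.0 from the console, which is rarely what a private LAN actually uses, so check the proposed mask before accepting it.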

Page 41: ...cket size for this interface. Either accept the default value (1500 bytes) or specify a value in the range 68 to 1500. The standard MTU for Ethernet is 1500 bytes. MTU (68-1500) / Quick -> [ 1500 ] _ . Step 12: The system now has enough information so that you can exit the CLI and continue configuring with a browser. The system displays one of the following menus, depending on the model of the Concentrator being confi...

Page 42: ...guration. Continue quick configuration with either the VPN Concentrator Manager or the command line interface. To continue with the VPN Concentrator Manager, see Chapter 3, Using the VPN Concentrator Manager for Quick Configuration. To continue with the command line interface, see Chapter 4, Using the Command Line Interface for Quick Configuration.

Page 43: ...ntrator. Before beginning the procedures in this section, you should have completed Steps 1 through 12 under Using the Console, page 2-15. As you proceed, refer to the data you recorded in Table 2-2, Quick Configuration Parameters, page 2-13. The figures that follow show only the main frame of the Manager window. To use features in the other frames, see Understanding the VPN Concentrator Manager...

Page 44: ...Screen. Step 3: Log in. Entries are case-sensitive, so type them exactly as shown. With Microsoft Internet Explorer you can press the Tab key to move from field to field; with other browsers you might have to change fields with the mouse. If you make a mistake, click Clear and start over. (a) Click in the Login field and type admin. Do not press Enter. (b) Click in the Password field and type admin. The field sho...

Page 45: ...o the previous screen. Caution: Do not use the browser navigation toolbar buttons (Back, Forward, or Refresh/Reload) with the VPN Concentrator Manager unless instructed to do so. To protect access security, clicking Refresh/Reload automatically logs out the Manager session. Clicking Back or Forward might display stale Manager screens with incorrect data or settings. To prevent mistakes while using the VPN C...

Page 46: ...ou are configuring. Figure 3-3: Configuration | Quick | IP Interfaces Screen (Model 3005; Models 3015 through 3080). This screen lets you configure the VPN Concentrator Ethernet interfaces. Model 3005 comes with two Ethernet interfaces; Models 3015-3080 come with three Ethernet interfaces. Ethernet 1 (Private) is the interface to your private network (internal LAN). Ethernet 2 (Public) is the interface to the public ...

Page 47: ...re it. Caution: If you modify any parameters of the interface that you are currently using to connect to the VPN Concentrator, you will break the connection, and you will have to restart the Manager and quick configuration from the login screen. Step 1: To enter or modify parameters for an interface, click on the interface and continue using the directions in the following section. If you are not modifyin...

Page 48: ...is entry or change it. Step 2: To make this interface a public interface, check the Public Interface check box. A public interface is an interface to a public network, such as the Internet. You should designate only one VPN Concentrator interface as a public interface. The MAC Address is the unique hardware MAC (Media Access Control) address for this interface, in 6-byte hexadecimal notation. The screen show...

Page 49: ...ter to which you connect this interface is also set to automatically negotiate the transmission mode. Otherwise, select the appropriate fixed mode. Full-Duplex: Fix the transmission mode as full duplex (transmission in both directions at the same time). Half-Duplex: Fix the transmission mode as half duplex (transmission in only one direction at a time). Step 6: The MTU value you entered via the CLI displays i...

Page 50: ...that uses DST, you must enable DST support. Step 3: In the DNS Server field, enter the IP address of your local DNS (Domain Name System) server, using dotted decimal notation, for example 10.10.0.11. Specifying a DNS server lets you enter Internet hostnames (for example, mail01) rather than IP addresses for servers as you configure and manage the VPN Concentrator. While hostnames are easier to remember, using I...

Page 51: ... use encryption, or they will not be connected. Don't Require Encryption: PPTP connections may use Microsoft encryption to encrypt data (the default). During connection setup, clients may or may not agree to use Microsoft encryption; they will be connected in either case. Step 3: Check L2TP to enable Layer 2 Tunneling Protocol. This box is checked by default. Step 4: If you enable L2TP, click one of the radio b...

Page 52: ...its own IP address. If you use IPSec, you must check additional boxes, since IPSec does not allow client-specified IP addresses. Step 2: Check Per User to enable this method, which assigns IP addresses on a per-user basis. If you use an authentication server that has IP addresses configured, we recommend using this method. You configure an authentication server on the next screen. Step 3: Check DHCP (Dynamic ...

Page 53: ...onfigure specific addresses for particular users. Configuring Authentication: The Manager displays the Configuration | Quick | Authentication screen. This screen appears only when you enable at least one tunneling protocol. Figure 3-8: Configuration | Quick | Authentication Screen. Internal Server: You can choose how to authenticate users. You can select the VPN Concentrator internal server or one of four extern...

Page 54: ... no configurable parameters. Click Continue to proceed. Skip to the section Configuring the Internal Server User Database, page 3-17. RADIUS Server Type: External RADIUS servers can return group and user authentication parameters that match those on the VPN Concentrator; other authentication servers do not. The VPN 3000 software CD-ROM includes a link that customers with Cisco.com logins can use to acces...

Page 55: ...s field, enter the number of times to retry sending a query to the server after the timeout period. If there is still no response after this number of retries, the VPN Concentrator declares this server inoperative. Minimum is 0, default is 2, maximum is 10 retries. Step 5: In the Server Secret field, enter the RADIUS server secret (also called the shared secret), for example C8z077f. The maximum is 64 characte...

Page 56: ...out field, enter the time in seconds to wait after sending a query to the server and receiving no response before trying again. The minimum is 1 second, default is 4 seconds, maximum is 30 seconds. Step 4: In the Retries field, enter the number of times to retry sending a query to the server after the timeout period. If there is still no response after this number of retries, the VPN Concentrator declares ...

Page 57: ... IP address. Step 2: In the Server Port field, enter the UDP port number by which you access the server. Enter 0 (the default) to have the system supply the default port number, 5500. Step 3: In the Timeout field, enter the time in seconds to wait after sending a query to the server and receiving no response before trying again. The minimum is 1 second, default is 4 seconds, maximum is 30 seconds. Step 4: In the...

Page 58: ...second. The default time is 4 seconds. The maximum time is 30 seconds. Step 4: In the Retries field, enter the number of times to retry sending a query to the server after the timeout period. If there is still no response after this number of retries, the VPN Concentrator declares this server inoperative and uses the next Kerberos/Active Directory authentication server in the list. The minimum number of r...
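Pages 55 through 58 describe the same policy for every external server type: send a query, wait Timeout seconds, retry up to Retries times, then declare the server inoperative and move to the next one in the list. The shared secret on the RADIUS screen (Page 55) is what ties that policy to security: it hides the user password inside the request and lets the client verify that a reply really came from a server holding the same secret. The following is an added example, not Cisco code and not a description of the concentrator's internals: a minimal RFC 2865 PAP client against a constructed in-process server, with the transport returning None to stand in for a timeout. The server, user list, secret and event strings are all constructed for the example.

```python
"""Added example (not Cisco code): RADIUS Access-Request/Accept with the
per-server Timeout/Retries policy from the Quick Authentication screens.
Server, users and transport are constructed; no network is used."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2


def _attr(atype: int, value: bytes) -> bytes:
    # RADIUS attribute TLV: Type(1) Length(1, header included) Value
    return struct.pack("!BB", atype, 2 + len(value)) + value


def _parse_attrs(attrs: bytes) -> dict:
    fields, pos = {}, 0
    while pos < len(attrs):
        fields[attrs[pos]] = attrs[pos + 2:pos + attrs[pos + 1]]
        pos += attrs[pos + 1]
    return fields


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a 16-byte multiple and XOR each block with
    MD5(secret || previous block); the first block uses the Request Authenticator.
    Reversible, so the shared secret is all that protects the password in transit."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], pad))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side of hide_password."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def response_authenticator(code, ident, attrs, request_auth, secret) -> bytes:
    """MD5(Code | ID | Length | RequestAuth | Attributes | Secret); a reply
    without this value was not produced with our shared secret."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


class FakeRadiusServer:
    """Constructed PAP server. silent=True never answers (stands in for a timeout)."""

    def __init__(self, secret: bytes, users: dict, silent: bool = False):
        self.secret, self.users, self.silent = secret, users, silent

    def handle(self, packet: bytes):
        if self.silent:
            return None
        _, ident, length = struct.unpack("!BBH", packet[:4])
        request_auth, fields = packet[4:20], _parse_attrs(packet[20:length])
        given = reveal_password(fields[USER_PASSWORD], self.secret, request_auth)
        ok = hmac.compare_digest(given, self.users.get(fields[USER_NAME], b"\xff"))
        code = ACCESS_ACCEPT if ok else ACCESS_REJECT
        head = struct.pack("!BBH", code, ident, 20)
        return head + response_authenticator(code, ident, b"", request_auth, self.secret)


def authenticate(servers, username: bytes, password: bytes, retries: int = 2):
    """servers: [(server, secret), ...] in list order. Each server gets
    1 + retries sends. With no verified reply it is declared inoperative and
    the next server is tried. A reply whose Response Authenticator does not
    verify (secret mismatch, forged reply) is discarded, so to the client a
    wrong shared secret looks exactly like a server that never answers."""
    events = []
    for idx, (server, secret) in enumerate(servers):
        for attempt in range(1 + retries):
            ident = os.urandom(1)[0]        # fresh ID and authenticator per send,
            request_auth = os.urandom(16)   # so the server sees no duplicate
            attrs = _attr(USER_NAME, username) + _attr(
                USER_PASSWORD, hide_password(password, secret, request_auth))
            req = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs
            reply = server.handle(req)
            if reply is None:
                events.append(f"server{idx} send{attempt}: timeout")
                continue
            code, rid, length = struct.unpack("!BBH", reply[:4])
            expected = response_authenticator(code, rid, reply[20:length], request_auth, secret)
            if rid != ident or not hmac.compare_digest(reply[4:20], expected):
                events.append(f"server{idx} send{attempt}: unverifiable reply discarded")
                continue
            events.append(f"server{idx}: {'accept' if code == ACCESS_ACCEPT else 'reject'}")
            return code == ACCESS_ACCEPT, events
        events.append(f"server{idx}: inoperative")
    return False, events
```

With the screen defaults (Retries 2, Timeout 4 s) a dead primary server costs three sends and about 12 seconds before the next server is tried, and a mistyped shared secret produces the same "inoperative" outcome as a dead server rather than an explicit error, which is the first thing to check when a RADIUS server appears to be down.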

Page 59: ...rs. Follow these steps to add or remove a user. Step 1: Under User to Add: (a) Type a unique name in the User Name field. Maximum is 32 characters, case-sensitive. To be authenticated, the user must log in from the client using this name. (b) Move to the Password field and type the password. The password must be at least 8 characters long; maximum is 32 characters, case-sensitive. The field shows only asterisks. To...

Page 60: ...s only when you select the IPSec tunneling protocol, and you must configure these parameters to complete quick configuration. The remote-access IPSec client connects to the VPN Concentrator using this group name and password, which are automatically configured on the internal authentication server. This is the IPSec group that creates the tunnel. Users then log in and are authenticated through their us...

Page 61: ...onnections. Enable and configure POP3S, IMAP4S, and SMTPS sessions to use e-mail proxy. This screen appears only if you enabled WebVPN on the Configuration | Quick | Tunneling screen. Figure 3-15: Configuration | Quick | WebVPN Screen. Step 1: To enable WebVPN connections to the public interface of the VPN Concentrator, check the HTTPS Enable check box. If you have not configured the Public Interface, WebVPN connect...

Page 62: ...to appear on the WebVPN home page. Step 3: You can set up links to websites to appear on the WebVPN home page, which will make it easier for WebVPN users to access commonly used internal or external websites. Enter up to four web links to appear on the WebVPN home page, for example http://www.cisco.com. In the corresponding text box, enter the name of the link as you want it to appear, for example Cisco Sys...

Page 63: ...as full access to all management and administration functions on the device, we strongly recommend you change this password to improve device security. You can further configure all administrator users on the standard Administration | Access Rights | Administrators Manager screen. To change the password for the admin administrator user, follow these steps. Step 1: In the Password field, enter a new password ...

Page 64: ...t securely in a VPN tunnel through the Internet with resources on a private internal corporate network. We strongly recommend that you save the active configuration before you proceed. Saving the Active Configuration: As you make configuration entries, they take effect immediately and are included in the active (or running) configuration. However, if you reboot the VPN Concentrator without saving the acti...

Page 65: ...n for assistance. Using Other VPN Concentrator Manager Functions: To use the other VPN Concentrator Manager functions listed below, click the topic in the left frame of the Manager window or on the Manager toolbar in the top frame of the Manager window. Configuration: Configure all the features of the VPN Concentrator. Administration: Control administrative functions of this device. Monitoring: View status, sta...

Page 66: ...essages and tips as you move the mouse pointer over window items. The title bar and status bar also provide useful information. Figure 3-20: VPN Concentrator Manager Window. Title bar: The title bar at the top of the browser window includes the VPN Concentrator device name or IP address in brackets, for example [10.10.4.6]. Status bar: The status bar at the bottom of the browser window displays Manager acti...

Page 67: ... Logout tab to log out of the Manager and return to the login screen. Logged in: username: The administrator username you used to log in to this Manager session. Click on the Configuration tab to go to the main Configuration screen, to open the first level of subordinate Configuration pages in the left frame (if they are not already open), and to close any open Administration or Monitoring pages in the le...

Page 68: ...n the Monitoring section. Restore: Click on the Restore icon to restore the screen contents to their status prior to when you last clicked the Reset icon. Click on the Cisco Systems logo to open a browser and go to the Cisco.com web site, www.cisco.com. Left frame (Table of Contents): On Manager screens, the left frame provides a table of contents. The table of contents uses the familiar Windows Explorer me...

Page 69: ...refer to the data you recorded in Table 2-2 on page 2-13. About Quick Configuration: The CLI has the following characteristics. These quick configuration menus appear only once, and you can go through the steps of quick configuration only once, unless you reboot the system with the Reboot Ignoring the Configuration File option. Entries are case-sensitive; for example, admin and ADMIN are different passwor...

Page 70: ...to Config file / 4) Continue / 5) Exit / Quick -> _ . Models 3015-3080 menu: 1) Modify Ethernet 1 IP Address (Private) / 2) Modify Ethernet 2 IP Address (Public) / 3) Modify Ethernet 3 IP Address (External) / 4) Save changes to Config file / 5) Continue / 6) Exit / Quick -> _ . You entered values for Ethernet 1 under the Using the Console section on page 2-15. You can change them now; to do so, enter 1 at the cursor. To configure another interface ...

Page 71: ... enter the menu number for your selection, for example 1. To accept the default (3), press Enter. Step 5: The system prompts with a menu to set the transmission mode for the Ethernet 2 interface. You can let the VPN Concentrator automatically detect and set the appropriate mode (the default), or you can configure the interface for full duplex (transmission in both directions at the same time) or half duplex (tr...

Page 72: ...e and manage the VPN Concentrator. While hostnames are easier to remember, using IP addresses avoids problems that might arise with the DNS server offline, congested, or otherwise indisposed. Specify a local DNS server / DNS Server / Quick -> [ 0.0.0.0 ] . At the cursor, enter the IP address of your local DNS server in dotted decimal notation, for example 10.10.0.11. Step 3: The system prompts you to enter the register...

Page 73: ...cols and encryption options on the VPN Concentrator, follow these steps. Step 1: The system shows default settings for PPTP and L2TP (both enabled, both with no encryption required). It then prompts you to enable or disable PPTP. Configure protocols and encryption options. This table shows current protocol settings: PPTP: Enabled, No Encryption Req; L2TP: Enabled, No Encryption Req. 1) Enable PPTP / 2) Disable PPTP / Q...

Page 74: ...ed / 2) No Encryption Required / Quick -> [ 2 ] _ . At the cursor, enter 1 to require encryption, or press Enter to accept the default (2), which does not require encryption. Step 5: The system prompts you to enable or disable IPSec. 1) Enable IPSec / 2) Disable IPSec / Quick -> [ 1 ] _ . At the cursor, enter 2 to disable IPSec, or press Enter to accept the default (1), which enables IPSec. Step 6: The system prompts you to enable or disabl...

Page 75: ...signment / 2) Disable Client Specified Address Assignment / Quick -> [ 2 ] . At the cursor, enter 1 to enable client-specified address assignment, or press Enter to accept the default (2), disabled. Step 2: The system prompts you to enable or disable per-user address assignment. 1) Enable Per User Address Assignment / 2) Disable Per User Address Assignment / Quick -> [ 2 ] _ . At the cursor, enter 1 to enable per-user address assignme...

Page 76: ... 10.10.1.177. Configuring Authentication: You can choose and configure one of five types of servers to authenticate users: the internal VPN Concentrator authentication server; an external RADIUS (Remote Authentication Dial-In User Service) server; an external NT (Windows NT) Domain server; an external SDI (RSA Security, Inc. SecurID) server; an external Kerberos/Active Directory server. You must select one authen...

Page 77: ... authentication server, and the system prompts you to add users to the internal authentication server database. When you start quick configuration, the user database is empty. Current Users: No Users / 1) Add a User / 2) Delete a User / 3) Continue / Quick -> _ . At the cursor, enter 1 to add a user. Step 2: The system prompts you to enter the user name. To be authenticated, the user must log in from the client using this ...

Page 78: ... 7: The system redisplays the user database with the new user added. You can add more users, delete users, or continue with quick configuration. Quick -> [ 0.0.0.0 255.255.0.0 ] / Current Users: 1) simonz / 1) Add a User / 2) Delete a User / 3) Continue / Quick -> _ . At the cursor, enter the menu number for your selection, for example 1. To add more users, repeat Step 1 through Step 6 in this section. To delete a user (2), see the next...

Page 79: ...P Address / Quick -> . At the cursor, enter the RADIUS server hostname or IP address, for example 192.168.56.78. The maximum length is 32 characters. Step 2: The system prompts you to enter the RADIUS server secret (also called the shared secret) that allows access to the server. RADIUS Server Secret / Quick -> _ . At the cursor, enter the RADIUS server secret, for example B8y077E. The maximum length is 64 characters. The ...

Page 80: ...he NT Primary Domain Controller hostname for this server, for example PDC01. The maximum length is 16 characters. Step 3: The system prompts you to enter the TCP port number by which you access the NT Domain server. NT Domain Server Port. Quick -> [ 0 ]. At the cursor, enter the NT Domain port number, for example 139. To have the system supply the default port number (139), press Enter to accept 0, the default. To cont...

Page 81: ...the Kerberos/Active Directory server hostname or IP address, for example 192.168.56.78. Step 2: The system prompts you to enter the realm name for this server, for example US.MYCOMPANY.COM. You must enter this name, and it must be the correct realm name for the server whose IP address you entered in Step 1. If it is incorrect, authentication will fail. The following types of servers require that you enter ...

Page 82: ...m is 4 and the maximum is 32 characters, case-sensitive. The system displays only asterisks. Step 3: The system prompts you to reenter the group password to verify it. Verify -> _. At the cursor, reenter the group password. The system displays only asterisks. Configuring WebVPN Remote Access. The following prompts appear only if you enabled WebVPN. See Configuring Tunneling Protocols and Options. This section de...

Page 83: ...of the mail server. Step 3: The system prompts you to enable or disable SMTPS. 1) Enable SMTPS. 2) Disable SMTPS. Quick -> [ 2 ]. At the cursor, enter 1 to enable SMTPS, or press Enter to accept the default (2), which disables SMTPS. If you enter 1, the system displays the following menu: Set SMTPS Default Server. Quick -> _. Enter the IP address of the mail server. Step 4: The system prompts you to enable or disable IMAP4S. 1) ...

Page 84: ...r example, Welcome to My Company Remote Access. To keep the current value, enter a period on a separate line, as shown below. Set Base Group Banner. Use "." by itself on a line to finish. Enter just a "." to keep the existing value. Step 3: To have a link to a specific website appear on the WebVPN home page, enter the website's name. You can enter any name that users will easily recognize. Enter a descriptive name of the f...

Page 85: ...ure of upper- and lowercase alphabetic and numeric characters, and not easily guessed; for example, W8j9Haq3. The system displays only asterisks. To keep the default, press Enter. Step 2: The system prompts you to re-enter the password to verify it. Verify -> _. At the cursor, reenter the new password. The system displays only asterisks. To keep the default, press Enter. Make subsequent changes to the admin passwor...

Page 86: ...tep 1 above. For information on using the CLI, see the VPN 3000 Series Concentrator Reference Volume I: Configuration. What Next? Now that the VPN Concentrator is operational, you can do the following: Test its operation by following the procedures in Chapter 5, Testing the VPN Concentrator. Explore the command line interface. The menus follow the same order and let you perform the same functions as the VPN...

Page 87: ...re using a different operating system, your procedure might differ from the one shown here. Note: These instructions describe a typical installation. Please consult your ISP and your network system administrator for specific settings and instructions. Before You Begin. To set up the test, follow these steps. Step 1: Configure the VPN Concentrator with the following settings: Ethernet 2 (Public) interface with...

Page 88: ... the client PC, choose Start > Settings > Network and Dial-up Connections > Make a New Connection from the Windows 2000 Start menu. The Network Connection Wizard window appears. See Figure 5-1. Figure 5-1: The Network Connection Wizard Window. Step 2: Click Next. The Network Connection Type window appears. See Figure 5-2. Figure 5-2: Network Connection Type Window. Step 3: Choose Connect to a private network through...

Page 89: ...gure 5-3: Public Network Window. Step 5: Choose Do Not Dial the Initial Connection. Step 6: Click Next. The Destination Address window appears. See Figure 5-4. Figure 5-4: Destination Address Window. Step 7: Enter the public interface address of your VPN Concentrator. Step 8: Click Next. The Connection Availability window appears. See Figure 5-5. ...

Page 90: ...5-5: Connection Availability Window. Step 9: Choose For All Users. Step 10: Click Next. The Completing the Network Connection Wizard window appears. See Figure 5-6. Figure 5-6: Completing the Network Connection Wizard Window. Step 11: Enter a name for the connection, for example TestVPN. Step 12: Click Finish. The Connect window appears. See Figure 5-7. ...

Page 91: ...ies dialog box appears. Step 15: Choose the Networking tab. Figure 5-8: Properties Dialog Box, Networking Tab. Step 16: Select Point-to-Point Tunneling Protocol (PPTP) from the Type of VPN Server I am Calling drop-down menu. See Figure 5-8. Click OK. The Properties dialog box disappears. Step 17: In the Connect window, enter the password. Step 18: Click Connect. If the connection is successful, the Connection Comple...

Page 92: ...Figure 5-9: Connection Complete. Step 19: Click OK to dismiss the window. If you receive an error message, check your connections and VPN Concentrator settings, then run the test again. ...

Page 93: ...le memory (NVRAM). To troubleshoot operational problems, we recommend that you start by examining the event log. See Configuration | System | Events and Monitor | Event Log. The VPN Concentrator automatically saves the event log to a file in flash memory if it crashes and when it is rebooted. This log file is named SAVELOG.TXT, and it overwrites any existing file with that name. The SAVELOG.TXT file is useful fo...

Page 94: ...owser navigation toolbar buttons with the VPN Concentrator Manager. Use only the Manager Refresh button where it appears on a screen. We recommend that you hide the browser navigation toolbar to prevent mistakes. Browser Back or Forward Button Displays an Incorrect Screen or Incorrect Data. You clicked the Back or Forward button on the browser navigation toolbar, and the Manager displayed the wrong scr...

Page 95: ...ion. An additional error message describes the erroneous operation. You tried to perform an operation that is not allowed. The screen displays a message that describes the cause. Click Retry the operation to return to the screen where you were working, and correct the mistake. Carefully check all your previous entries on that screen. The Manager attempts to retain valid entries, but invalid entries are lo...

Page 96: ...plays a screen with the message "Not Found. An error has occurred while attempting to access the specified page." The screen includes additional information that identifies system activity and parameters. The Manager could not find a screen. You updated the software image and did not clear the browser's cache. Clear the browser cache: delete its temporary internet files, history files, and location bar refe...

Page 97: ...d 4-byte dotted decimal entry, and the entry wasn't in that format. You entered something other than a 4-byte dotted decimal number. You might have omitted a byte position, or entered a number greater than 255 in a byte position. You entered 0.0.0.0 instead of an appropriate address. At the prompt, reenter a valid 4-byte dotted decimal number. ERROR: Out of Range Value Entered. Try Again. The system expected...

Page 98: ...module installed in system. N/A: Module not installed in system. Expansion Modules Run Status (1, 2, 3, 4): SEP or SEP-E module operational. Module failed during operation (Error). If installed, module failed diagnostics or encryption code is not running (Error). Fan Status: Operating normally. Not running or RPM below normal range (Error). N/A. Power Supplies (A, B): Installed and operating normally. Voltage(s) outside of norm...

Page 99: ...ed (Normal). N/A. No carrier detected (Error). Tx: Transmitting data (Normal, intermittent on). N/A. Not transmitting data (Idle, intermittent off). Coll: N/A. Data collisions detected. No collisions (Normal). 100: Speed set at 100 Mbps. N/A. Speed set at 10 Mbps. SEP Module LED (Green / Amber / Off). Power: Power on (Normal). N/A. Power is not reaching the module; it might not be seated correctly (Error). Status (SEP only): Encryption code is run...


Page 101: ... 3000 Concentrator and any accompanying written materials are owned or licensed by Cisco Systems and are protected by United States copyright laws, laws of other nations, and/or international treaties. Grant of License. 2. Cisco Systems hereby grants to you the right to use the Software with the Cisco VPN 3000 Concentrator product. To this end, the Software contains both operator software for use by the ...

Page 102: ...e or in part. 7. The subject license will terminate immediately if you do not comply with any and all of the terms and conditions set forth herein. Upon termination for any reason, you, the licensee, must immediately destroy or return to Cisco Systems the Software and accompanying documentation and all copies thereof. Cisco Systems is not liable to you for damages in any form solely by reason of terminat...

Page 103: ...nt, abuse, or misapplication. 15. IN NO EVENT WILL CISCO SYSTEMS BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY LOSS OF PROFITS, LOST SAVINGS, OR OTHER INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF YOUR USE OR INABILITY TO USE THE SOFTWARE. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you. 16. This A...

Page 104: ...S PROVIDED BY THE REGENTS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE G...

Page 105: ... documentation and/or other materials provided with the distribution. 3. All advertising materials mentioning features or use of this software must display the following acknowledgement: This product includes software developed by the University of California, Berkeley and its contributors. 4. Neither the name of the University nor the names of its contributors may be used to endorse or promote products...

Page 106: ...r its copyrights to use, copy, modify, and distribute this Software with or without fee, provided that the above copyright notice and all paragraphs of this notice appear in all copies, and that the name of IBM not be used in connection with the marketing of any product incorporating the Software or modifications thereof without specific, written prior permission. To the extent it has a right to do so, IB...

Page 107: ...IES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL NRL OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRI...

Page 108: ...SA Data Security, Inc. SecureID. SecureID is a product of RSA Security Inc., Bedford, MA (formerly Security Dynamics Technologies, Inc.). Use of SDTI's Trade Name and Trademarks. a. Any advertising or promotional literature or announcement to the press by the Partner regarding its relationship with SDTI, or otherwise utilizing SDTI's name or trademarks, must be approved by SDTI in writing in advance, which approv...

Page 109: ...ty Builder are trademarks of Certicom Corp. Copyright 1997-1999 Certicom Corp. Portions are Copyright 1997-1998 Consensus Development Corporation, a wholly owned subsidiary of Certicom Corp. All rights reserved. Contains an implementation of NR signatures, licensed under U.S. patent 5,600,725. Protected by U.S. patents 5,787,028; 4,745,568; 5,761,305. Patents pending. TCP Compression/Uncompression Routines to ...

Page 110: ...rewritten to use NOS facilities. Feb 1991, Bill_Simpson@um.cc.umich.edu: variable number of conversation slots; allow zero or one slots; separate routines; status display. Telnet Server. Copyright phase2 networks 1996. All rights reserved. SID 1 1. Revision History 1 197 06 23 21:17:43 root. Regulatory Standards Compliance. Standards Compliance. The VPN 3000 Concentrator complies with the following regulatory st...

Page 111: ...ent operations or procedures that could affect the operation of the equipment. If this happens, the telephone company provides advance notice in order for you to make the necessary modifications to maintain uninterrupted service. If trouble is experienced with this equipment, please contact us for repair and warranty information. If the trouble is causing harm to the telephone network, the telephone com...

Page 112: ...he above conditions may not prevent degradation of service in some situations. Repairs to certified equipment should be coordinated by a representative designated by the supplier. Any repairs or alterations made by the user to this equipment, or equipment malfunctions, may give the telecommunications company cause to request the user to disconnect the equipment. Ensure that the electrical ground connec...

Page 113: ...interference to radio or television communications at your own expense (cfr reference 15.21). For Class A equipment: NOTE: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. Th...

Page 114: ...logy Equipment (VCCI). If this equipment is used in a domestic environment, radio disturbance may arise. When such trouble occurs, the user may be required to take corrective actions. Hungarian Class A Warning. Warning: This equipment is a class A product and should be used and installed properly according to the Hungarian EMC Class A requirements (MSZEN55022). Class A equipment is designed for typical commer...

Page 115: ... A-5; bandwidth management, 1-7; beginning quick configuration, 2-12; bootcode, upgrading, viii; boot messages at startup, 2-11; brackets, default entries in, 4-1; browser: Back or Forward button displays incorrect screen or incorrect data, A-2, A-3; navigation toolbar, don't use with Manager, 3-3; navigation toolbar, not used with Manager, 2-3; Refresh/Reload button logs out the Manager, A-2, A-5; requirements, 2-2; startin...

Page 116: ...19; connecting: console, 2-8; network cables, 2-9; power cable, 2-9; console: connecting, 2-8; requirements, 2-2; to start quick configuration, 2-15; conventions, documentation, viii; cooling: requirements, 2-1; specifications, 1-8; copyrights and licenses, B-1; CPU Utilization LED, A-6; crash, system saves log file, A-1; CRSHDUMP.TXT file, A-1. D: data compression, 1-7; data formats, xi; date, setting, 2-15, 3-8; Daylight Saving Time, e...

Page 117: ...3015, 1-2; Model 3020, 1-2; Model 3030, 1-3; Model 3060, 1-3; Model 3080, 1-3; software: authentication algorithms, 1-4; bandwidth management, 1-7; client compatibility, 1-7; clustering, 1-6; data compression, 1-7; digital Certificate Authorities supported, 1-5; encryption algorithms, 1-4; key management, 1-4; list of, 1-4; management interfaces, 1-4; monitoring, 1-6; network addressing support, 1-5; routing protocols, 1-6; security ...

Page 118: ...front panel, A-6; Status (SEP), A-7; System, A-6; table, A-5; Throughput, A-6; Tx (Ethernet), A-7; usage gauge, A-6; licenses and copyrights, B-1; Link LED (Ethernet), A-7; logging in to the VPN Concentrator Manager, 3-1. M: management interfaces, features, 1-4; memory, upgrading, viii; mistakes, detecting and correcting, 3-3; Model 3005, features, 1-2; Model 3015, features, 1-2; Model 3020, features, 1-2; Model 3030, features, 1-3; Model 3060 ...

Page 119: ...ick Configuration: beginning, 2-12; finishing, 3-22, 4-17; running only once, 2-12, 3-1, 3-3, 4-1; saving, 3-22, 4-18; starting: from the console, 2-15; with Manager, 3-3; steps in, 2-12; testing, 5-1; using nondefault values, 2-13; using the VPN Concentrator Manager, 3-1; with Command Line Interface, 4-1. R: rack mounting, 2-4; RADIUS authentication, 3-12, 4-11; reboot, system saves log file, A-1; regulatory agency notices, B-10; relat...

Page 120: ...starting Quick Configuration, 2-12; with Manager, 3-3; startup: boot messages, 2-11; initialization messages, 2-11; static routes, 3-9; Status LED (SEP), A-7; steps in Quick Configuration, 2-12; stopping the Command Line Interface, 4-18; system administration features, 1-6; system information, configuring, 3-8, 4-4; System LED, A-6; system name, assigning, 3-8, 4-4. T: terminal emulator: settings, 2-11; starting, 2-11; testing the VP...

Page 121: ...2; how it works, 1-7; installing hardware, 2-4; physical specifications, 1-8; picture of, 1-1; software features, 1-4; where it fits in your network, 1-8; VPN Concentrator Manager: errors, A-2; logging in, 3-1; logging out, 3-23; starting Quick Configuration with, 3-3; using for Quick Configuration, 3-1; using functions, 3-23; window, 3-24. W: WebVPN, 1-5, 2-12, 2-14; configuring, 3-19, 3-20, 4-14, 4-16; setting up home page, 2-14, 3-20...

