PDF Version of VPN 3000 Series Concentrator Getting Started Manual
Contents
1. Require Encryption Clients without encryption will not gain access Requires MSCHAP Don t Require Encryption Clients may optionally use encryption Check to enable remote user connections via IPSec LAN to LAN configurations are done outside of Quick Configuration Back Continue Mv IPSec 63737 You must enable at least one of these protocols for the device to function as a VPN device PPTP and L2TP are popular with Microsoft Windows based clients and the VPN 3000 Client uses IPSec To enable disable and configure virtual private network tunneling protocols and encryption options on the VPN Concentrator follow these steps Step 1 Check PPTP to enable Point to Point Tunneling Protocol This box is checked by default Step2 If you enable PPTP click one of the radio buttons to select the encryption option e Require Encryption PPTP connections must use Microsoft encryption to encrypt data This option requires MS CHAP Microsoft Challenge Handshake Authentication Protocol and provides maximum security During connection setup clients must agree to use encryption or they will not be connected e Don t Require Encryption PPTP connections may use Microsoft encryption to encrypt data the default During connection setup clients may or may not agree to use Microsoft encryption they will be connected in either case Step3 Check L2TP to enable Layer 2 Tunneling Protocol This box is checked b2. Configuring Authentication W Configuring RADIUS Authentication Server Step 1 Step 2 Step 3 Step 4 External RADIUS servers can return group and user authentication parameters that match those on the VPN Concentrator other authentication servers do not The VPN Concentrator software CD ROM includes a trial copy of the CiscoSecure ACS RADIUS authentication server and instructions for using it with the VPN Concentrator To configure an external RADIUS user authentication server follow these steps to supply the required server IP address or hostname server secret and port number You selected the external RADIUS authentication server and the system prompts you to enter its hostname or IP address gt RADIUS Server Name IP Address Quick gt At the cursor enter the RADIUS server hostname or IP address for example 192 168 56 78 The maximum length is 32 characters The system prompts you to enter the RADIUS server secret also called the shared secret that allows access to the server gt RADIUS Server Secret Quick gt At the cursor enter the RADIUS server secret for example B8y077E The maximum length is 64 characters The system displays only asterisks The system prompts you to reenter the RADIUS server secret to verify it Verify gt _ At the cursor reenter the RADIUS server secret The system displays only asterisks The system prompts you to enter the UDP port number by which you access th
3. In the Server Port field enter the UDP port number by which you access the server Enter 0 the default to have the system supply the default port number 5500 In the Timeout field enter the time in seconds to wait after sending a query to the server and receiving no response before trying again The minimum is 1 second default is 4 seconds maximum is 30 seconds In the Retries field enter the number of times to retry sending a query to the server after the timeout period If there is still no response after this number of retries the VPN Concentrator declares this server inoperative The minimum is 0 default is 2 maximum is 10 retries Click Continue to proceed If you selected the IPSec tunneling protocol skip to the section Configuring the IPSec Group page 3 17 Otherwise skip to the section Changing Admin Password page 3 18 78 14740 01 VPN 3000 Series Concentrator Getting Started Chapter3 Using the VPN Concentrator Manager for Quick Configuration W Configuring Internal Server User Database Configuring Internal Server User Database The Manager displays the Configuration Quick User Database screen This screen displays only when Step 1 you select the internal authentication server Figure 3 12 Configuration Quick User Database Screen Configuration Quick User Database Configure users in the internal authentication server database Since you chose per user address assignment
4. gt Configured Pool Range End Address Quick gt 0 0 0 0 _ At the cursor enter the ending IP address available in the initial configured pool Use dotted decimal notation for example 10 10 1 177 78 14740 01 VPN 3000 Series Concentrator Getting Started E Chapter4 Using the Command Line Interface for Quick Configuration W Configuring Authentication Configuring Authentication You can choose and configure one of four types of servers to authenticate users e The internal VPN Concentrator authentication server e Anexternal RADIUS Remote Authentication Dial In User Service server e Anexternal NT Windows NT Domain server e An external SDI RSA Security Inc SecurID server You must select one authentication server type there is no default You can configure additional authentication servers on regular Configuration menus Before you configure an external server here be sure that the external server you reference is itself properly configured and that you know how to access it IP address or hostname TCP UDP port secret password and so forth The VPN Concentrator functions as the client of these servers The system prompts you to select an authentication server type Specify how to authenticate users 1 Internal Authentication Server 2 RADIUS Authentication Server 3 NT Domain Authentication Server 4 SDI Authentication Server 5 Continue Step 1 At the cursor enter the menu number for yo
5. Appendix A Troubleshooting and System Errors HZ LED Indicators LED Indicators LED indicators on the VPN Concentrator and its expansion modules are normally green The usage gauge LEDs are normally blue LEDs that are amber or off might indicate an error condition NA means not applicable that is the LED does not have that state Contact TAC if any LED indicates an error condition VPN Concentrator front LEDs The LEDs on the front of the VPN 3000 Concentrator are as follows LED Indicator Green Amber Off System Power on Normal Blinking Green Model 3005 only System is in a shutdown halted state ready to power off System has crashed and halted Error Power off All other LEDs are also off The LEDs below exist only on Models 3015 3080 Ethernet Link Status 123 Connected to network and enabled Blinking Green Connected to network and configured but disabled NA Not connected to network or not enabled Expansion Modules Insertion Status 1234 SEP module installed in system NA Module not installed in system Expansion Modules SEP module Module failed during If installed module Run Status operational operation Error failed diagnostics or 1234 encryption code is not running Error Fan Status Operating normally Not running or RPM NA below normal range Error Power Supplies AB Installed and operating normally V
6. The system now has enough information so that you can exit the CLI and continue configuring with a browser the system displays one of the following menus depending on the model of the Concentrator being configured Model 3005 menu 1 Modify Ethernet 1 IP Address Private 2 Modify Ethernet 2 IP Address Public 3 Configure Expansion Cards 4 Save changes to Config file 5 Continue 6 Exit Model 3015 3080 menu 1 Modify Ethernet 1 IP Address Private 2 Modify Ethernet 2 IP Address Public 3 Modify Ethernet 3 IP Address External 4 Configure Expansion Cards 5 Save changes to Config file 6 Continue 7 Exit 78 14740 01 VPN 3000 Series Concentrator Getting Started Chapter 2 Installing and Powering Up the VPN Concentrator HZ Beginning Quick Configuration First we recommend that you save your entries to the configuration file At the cursor enter the number for Save changes to Config file The system redisplays the same menu e For easiest use we recommend exiting and using the Manager To do so enter the number for Exit at the cursor and continue with the next step e To continue using the CLI for quick configuration enter the number for Continue at the cursor and see Chapter 4 Step12 We assume you chose Exit The system displays Done Continue quick configuration with the VPN Concentrator Manager in Chapter 3 VPN 3000 Series Concentrator Getting Started P28 i 78 14740 01
7. Problem Possible Cause Command line Interface Errors W Table A 2 lists errors that might occur while using the menu based Command line Interface from a console or Telnet session Solution ERROR Bad IP Address Subnet Mask Wildcard Mask Area ID The system expected a valid 4 byte dotted decimal entry and the entry wasn t in that format e You entered something other than a 4 byte dotted decimal number You might have omitted a byte position or entered a number greater than 255 in a byte position e You entered 0 0 0 0 instead of an appropriate address At the prompt reenter a valid 4 byte dotted decimal number ERROR Out of Range Value Entered The system expected a number within a certain e You entered a letter instead of a At the prompt reenter a number in the appropriate range Try Again range and the entry was number outside that range acne number greater than the possible menu numbers ERROR The The entry for a e You mistyped an At the Verify prompt re enter the password If Passwords Do Not Match Please Try Again password and the entry to verify the password do not match entry e You entered either a password or verify entry but not the other the original password is incorrect press Enter and re enter both the password and the verification at the prompts 78 14740 01 VPN 3000 Series Concentrator Getting Started
8. A access to device physical 2 2 active configuration definition 3 3 4 1 saving 3 20 4 18 Active Sessions LED A 6 adding auser 3 16 4 11 address assignment configuring 3 11 4 8 Address Assignment screen 3 11 administrator skills 2 1 admin password changing 4 17 default 3 18 4 17 Admin Password screen 3 18 Authentication Internal server screen 3 12 NT Domain server screen 3 14 RADIUS server screen 3 13 SDI server screen 3 15 authentication configuring 3 12 4 10 authentication algorithms features 1 4 authentication server internal configuring 3 12 4 11 NT Domain configuring 3 14 4 14 RADIUS configuring 3 13 4 13 SDI configuring 3 15 4 15 Authentication Server field RADIUS 3 13 SDI 3 15 Authentication Server Address field NT Domain 3 14 authentication servers features 1 5 IN D E X Back button 3 3 Bad IP Address error A 5 basic operation 1 7 beginning quick configuration 2 12 boot messages at startup 2 11 brackets default entries in 4 1 browser Back or Forward button displays incorrect screen or incorrect data A 2 A 3 navigation toolbar don t use with Manager navigation toolbar not used with Manager 2 3 Refresh Reload button logs out the Manager requirements 2 2 starting 3 2 78 14740 01 3 3 A 2 A 5 VPN 3000 Series Concentrator Getting Started W index Cc cables connecting 2 9 cables and connectors requirements 2 2 c
9. Changing the Admin Password section on page 4 17 78 14740 01 VPN 3000 Series Concentrator Getting Started Chapter4 Using the Command Line Interface for Quick Configuration HZ Configuring the IPSec Group Configuring the IPSec Group Step 1 Step 2 Step 3 This section appears only if you enable the IPSec tunneling protocol The remote access IPSec client connects to the VPN Concentrator via this group name and password which are automatically configured on the internal authentication server This is the IPSec group that creates the tunnel Users then log in and are authenticated by means of their usernames and passwords To configure the IPSec group name and password follow these steps The system prompts you to enter the IPSec group name gt IPSec Group Name Quick gt _ At the cursor enter a unique name for this group Maximum is 32 characters case sensitive for example Group1 The system prompts you to enter the group password gt IPSec Group Password Quick gt At the cursor enter a unique password for this group The minimum is 4 and the maximum is 32 characters case sensitive The system displays only asterisks The system prompts you to reenter the group password to verify it Verify gt _ At the cursor reenter the group password The system displays only asterisks VPN 3000 Series Concentrator Getting Started Pais i 78 14740 01 _ Chapter 4 Using the Co
10. include the user IP address and subnet mask Passwords must be at least 8 characters long Current Users Actions User to Add User Name Empty Password lt lt Add Verify Remove gt gt IP Address es o Subnet Mask Back Continue 63739 This screen lets you add and remove users in the internal authentication server database When you first do quick configuration the Current Users list is empty To use the internal server you must add at least one user to the database As you add or remove users the system updates and refreshes the screen with the appropriate entries in the Current Users list You can change user parameters on the regular Configuration User Management Users screens but on this quick configuration screen you can only add and remove users Follow these steps to add or remove a user Under User to Add a Type a unique name in the User Name field Maximum is 32 characters case sensitive To be authenticated the user must log in from the client using this name b Move to the Password field and type the password The password must be at least 8 characters long maximum is 32 characters case sensitive The field shows only asterisks To be authenticated the user must log in from the client using this password Each user name password combination must be unique c Move to the Verify field and retype the password The field shows only asterisks d Ifyou selected p
11. Cisco TAC Escalation Center The Cisco TAC Escalation Center addresses priority level 1 or priority level 2 issues These classifications are assigned when severe network degradation significantly impacts business operations When you contact the TAC Escalation Center with a P1 or P2 problem a Cisco TAC engineer automatically opens a case To obtain a directory of toll free Cisco TAC telephone numbers for your country go to this URL http www cisco com warp public 687 Directory DirTAC shtml Before calling please check with your network operations center to determine the level of Cisco support services to which your company is entitled for example SMARTnet SMARTnet Onsite or Network Supported Accounts NSA When you call the center please have available your service agreement number and your product serial number VPN 3000 Series Concentrator Getting Started Pex 78 14740 01 CHAPTER Understanding the VPN 3000 Concentrator The VPN 3000 Concentrator also known as the VPN Concentrator creates a virtual private network by creating a secure connection across a TCP IP network such as the Internet that users see as a private connection The VPN Concentrator can create single user to LAN connections and LAN to LAN connections Figure 1 1 The Cisco VPN 3000 Concentrator Model 3005 Cisco Systems 63794 Model 3015 to 3080 CISCO VPN 3000 CONCENTRATOR smes Cisco SYSTEMS saenl ZZ soos 5
12. EST z M Enable DST Support Specify a DNS server which lets you enter hostnames rather than IP addresses in subsequent Manager fields DNS Server joo 0 0 Enter the IP address of your local DNS server Domain l Enter your Internet domain name e g yourcompany com Default a000 Enter your default gateway Leave at 0 0 0 0 for no default Gateway gateway Back Continue 63738 To configure basic information that identifies your VPN Concentrator on the network refer to the data you recorded in Table 2 2 as you follow these steps Step 1 In the System Name field enter a name such as VPNO1 for the VPN Concentrator This name must uniquely identify this device on your network The system name you entered earlier appears in the System Name field If no system name appears enter a name such as VPN01 for the VPN Concentrator This name must uniquely identify this device on your network Step2 You previously set the time and date on the VPN Concentrator under Using the Console page 2 15 but you can change them here if you want The screen shows the current date and time on the device The values shown in the New Time fields are the time on the browser PC but any entries you make apply to the VPN Concentrator In the appropriate fields make any changes The fields are in order Hour Minute Second Month Day Year Time Zone Click the drop down menu buttons to select Month and Time Zone The time zone selections are off
13. EXEMPLARY OR CONSEQUENTIAL DAMAGES INCLUDING BUT NOT LIMITED TO PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES LOSS OF USE DATA OR PROFITS OR BUSINESS INTERRUPTION HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY WHETHER IN CONTRACT STRICT LIABILITY OR TORT INCLUDING NEGLIGENCE OR OTHERWISE ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE DNS Resolver Client DNS Resolver BSD DEC Internet Software Consortium Copyright 1988 1993 The Regents of the University of California All rights reserved VPN 3000 Series Concentrator Getting Started Ba W 78 14740 01 _ Appendix B Copyrights Licenses and Notices Other Licenses W Redistribution and use in source and binary forms with or without modification are permitted provided that the following conditions are met 1 Redistributions of source code must retain the above copyright notice this list of conditions and the following disclaimer 2 Redistributions in binary form must reproduce the above copyright notice this list of conditions and the following disclaimer in the documentation and or other materials provided with the distribution 3 All advertising materials mentioning features or use of this software must display the following acknowledgement This product includes software developed by the University of California Berkeley and its contributors 4 Neither the name of the University nor t
14. Quick Admin Password screen Figure 3 14 Configuration Quick Admin Password Screen We strongly recommend that you change the password for user admin Password Verify Back Continue 63728 This screen lets you change the password for the admin administrator user For ease of use during startup the default admin password supplied with the VPN Concentrator is also admin Since the admin user has full access to all management and administration functions on the device we strongly recommend you change this password to improve device security You can further configure all administrator users on the regular Administration Access Rights Administrators Manager screen To change the password for the admin administrator user follow these steps Step 1 In the Password field enter a new password For maximum security the password should be at least 8 characters long a mixture of upper and lower case alphabetic and numeric characters and not easily guessed for example W8j9Haq3 The field shows only asterisks Step2 In the Verify field re enter the new password to verify it Step3 Click Continue to proceed VPN 3000 Series Concentrator Getting Started P38 78 14740 01 Chapter3 Using the VPN Concentrator Manager for Quick Configuration Finishing Quick Configuration W Finishing Quick Configuration The Manager displays the Configuration Quick Done screen Figure 3 15 Configuration Qu
15. Step 3 Step 4 Step 5 Step 6 Step 7 The Manager displays the Configuration Quick Address Assignment screen This screen appears only when you enable at least one tunneling protocol Figure 3 7 Configuration Quick Address Assignment Screen Select at least one method of assigning IP addresses to clients as a tunnel is established The methods are tried in the order listed Lr Client Specified This method lets the client specify its own IP address This method assigns IP addresses on a per user basis If you use an authentication server 2 Per User which you configure next that has IP addresses configured we recommend selecting this method 3 O DHCP Specify Server Range Start ar Configured Pool Range End This method uses this device to assign IP addresses Back Continue 63727 You can select prioritized methods for assigning IP addresses to clients as a tunnel is established The methods are tried in the order listed You must select at least one method You can select any and all methods There are no default methods To select a method follow these steps Check Client Specified to enable this method which lets the client specify its own IP address Do not check only this box if you use IPSec since IPSec does not allow client specified IP addresses Check Per User to enable this method which assigns IP addresses on a per user basis If you use an authentication server that has IP ad
16. These legal notices must be retained on any copies of the Software and accompanying documentation made pursuant to paragraphs 2 and 3 hereof 9 You shall acquire no rights of any kind to any copyright trade secret patent trademark trade name logo or product designation contained in or relating to the Software or accompanying documentation and shall not make use thereof except as expressly authorized herein or otherwise authorized in writing by Cisco Systems 10 Any notice demand or request with respect to this Agreement shall be in writing and shall be effective only if it is delivered by hand or mailed certified or registered mail postage prepaid return receipt requested addressed to Cisco Systems whose address is set forth below Such communications shall be effective when they are received by Cisco Systems Limited Warranty 11 Cisco Systems warrants that the Software will perform substantially in accordance with the accompanying written materials for a period of 90 days from the date of your receipt of the Software Any implied warranties on the Software are limited to 90 days Some states do not allow limitations on duration of an implied warranty so the above limitation may not apply to you 12 CISCO SYSTEMS DISCLAIMS ALL OTHER WARRANTIES EITHER EXPRESS OR IMPLIED INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY FITNESS FOR A PARTICULAR PURPOSE AND NON INFRINGEMENT WITH RESPECT TO THE SOFTWARE TH
17. click Continue to proceed and skip to Configuring Tunneling Protocols and Options page 3 10 78 14740 01 VPN 3000 Series Concentrator Getting Started Chapter3 Using the VPN Concentrator Manager for Quick Configuration WE Configuring IP Interfaces Modifying Ethernet Interface Configuration Parameters When you click on an Ethernet interface the Manager displays the Configuration Quick IP Interfaces Ethernet 1 2 3 screen for the interface you selected see Figure 3 4 Figure 3 4 Configuration Quick IP Interfaces Ethernet 1 2 3 Screen Configuration Quick IP Interfaces Ethernet 1 You are modifying the interface you are using to connect to this device If you make any changes you will break the connection and you will have to restart from the login screen Configuring Ethernet Interface 1 Private General Parameters Disabled Select to disable this interface i Client Select to obtain the IP Address Subnet Mask and 7 Default Gateway via DHCP System Name may be Static IP Addressing TP Address Select to configure the IP Address and Subnet Mask Enter the IP Address and Subnet Mask for this interface Public Interface Check to make this interface a public interface MAC Address 00 90 44 00 25 48 The MAC address for this interface mrufee o Pru Maximum Transmit Unit for this interface 68 Apply Cancel 78631 The screen displays the current parameters if any for an
18. domain name and default gateway Specify tunneling protocols and encryption options Specify methods for assigning IP addresses to clients as a tunnel is established Choose and identify the user authentication server the internal server RADIUS NT Domain or SDI If using the internal authentication server populate the internal user database If using IPSec tunneling protocol assign a name and password to the IPSec tunnel group Change the admin password for security Save the configuration file When you complete this step quick configuration is done VPN 3000 Series Concentrator Getting Started P22 E 78 14740 01 Chapter2 _ Installing and Powering Up the VPN Concentrator Beginning Quick Configuration W Quick Configuration Using Non default Values Although you can choose to accept the default values where applicable for many of the quick configuration parameters you can instead specify particular values for one or more of these parameters Table 2 2 lists the parameters you need for quick configuration and provides space for you to record the values you enter Write those values here now to save time as you enter data Table 2 2 Quick Configuration Parameters Screen Parameter Name Parameter Description and Use Your Entry IP Interfaces Ethernet 1 Private Specify the IP address and subnet mask speed and duplex mode for the VPN Concentrator interface to your private network IP Interfaces Ethe
19. routing protocols 1 5 the VPN Concentrator hardware 2 5 security management 1 5 VPN 3000 Series Concentrator Getting Started Pia i 78 14740 01 interfaces Ethernet configuring 4 2 modifying 3 6 interfaces IP configuring 3 4 internal server configuring user database 4 11 selection 3 12 Internet Explorer requirements 2 2 Invalid Login or Session Timeout error A 3 Invalid Login or Session Timeout error A 2 IP Address field Ethernet interface 3 6 user database 3 16 user database CLI 4 12 IP interfaces configuring 3 4 screen 3 4 IPSec check box 3 10 enabling using CLI 4 7 IPSec Group configuring 3 17 Name CLI 4 16 Password CLI 4 16 screen 3 17 IPSec Group configuring 4 16 J JavaScript error A 3 JavaScript requirements 2 3 K key management features 1 4 Index W L L2TP check box 3 10 enable CLI 4 6 LED indicators 100 Ethernet A 7 Active Sessions A 6 Coll Ethernet A 7 CPU Utilization A 6 display at startup 2 11 Ethernet Link Status A 6 Expansion Modules Insertion Status A 6 Expansion Modules Run Status A 6 Fan Status A 6 Link Ethernet A 7 Power SEP A 7 Power Supplies front panel A 6 Status SEP A 7 System A 6 table A 6 Throughput A 6 Tx Ethernet A 7 usage gauge A 7 licenses and copyrights B 1 Link LED Ethernet A 7 logging in the VPN Concentrator Manager login screen 3 2 login name default 2 15 3 2 MAC Address field Et
20. 14740 01 VPN 3000 Series Concentrator Getting Started Chapter 3 Using the VPN Concentrator Manager for Quick Configuration HZ Logging in to the VPN Concentrator Manager Logging in to the VPN Concentrator Manager To access and log in to the VPN Concentrator Manager follow these steps Step 1 Start the browser See Browser Requirements page 2 2 We recommend Microsoft Internet Explorer for best results Maximize the browser window for easiest reading Step2 With the browser connect to the IP address of the VPN Concentrator on your private network the address you entered in Step 7 under Using the Console page 2 15 You can just enter the IP address for example 10 10 4 6 in the Address or Location field The browser displays the login screen Figure 3 1 VPN Concentrator Manager Login Screen Install SSL Certificate VPN 3000 aera CONCENTRATOR SERIES MANAGER VPN 3000 Concentrator Login OO Password a Cisco SYSTEMS Copyright 1998 2001 Cisco Systems Inc 68159 Step3 Login Entries are case sensitive so type them exactly as shown With Microsoft Internet Explorer you can press the Tab key to move from field to field with other browsers you might have to change fields with the mouse If you make a mistake click Clear and start over a Click in the Login field and type admin Do not press Enter b Click in the Password field and type admin The field shows c Click Login
21. AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED IN NO FINISHED SHALL NRL OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT INDIRECT INCIDENTAL SPECIAL EXEMPLARY OR CONSEQUENTIAL DAMAGES INCLUDING BUT NOT LIMITED TO PROCUREMENT OF SUBSTITUTE GOODS VPN 3000 Series Concentrator Getting Started lt 78 14740 01 AppendixB Copyrights Licenses and Notices LDAP LZS221 C v6 MPPC C v4 Other Licenses W OR SERVICES LOSS OF USE DATA OR PROFITS OR BUSINESS INTERRUPTION HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY WHETHER IN CONTRACT STRICT LIABILITY OR TORT INCLUDING NEGLIGENCE OR OTHERWISE ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE The views and conclusions contained in the software and documentation are those of the authors and should not be interpreted as representing official policies either expressed or implied of the US Naval Research Laboratory NRL Copyright 1992 1996 Regents of the University of Michigan All rights reserved Redistribution and use in source and binary forms are permitted provided that this notice is preserved and that due credit is given to the University of Michigan at Ann Arbor The name of the University may not be used to endorse or promote products derived from this software without specific prior written permission This software is provided as is without express or implied warranty Copyright 1988 1999 by H
22. Administration tab to go to the main Administration screen to open the first level of subordinate Administration pages in the left frame if they are not already open and to close any open Configuration or Monitoring pages in the left frame Click on the Monitoring tab to go to the main Monitoring screen to open the first level of subordinate Monitoring pages in the left frame if they are not already open and to close any open Configuration or Administration pages in the left frame Click on the Save icon to save the active configuration and make it the boot configuration In this state the reminder indicates that the active configuration is the same as the boot configuration but you can save it anyway When you change the configuration the reminder changes to Save Needed 78 14740 01 VPN 3000 Series Concentrator Getting Started Chapter 3 Using the VPN Concentrator Manager for Quick Configuration HZ Understanding the VPN Concentrator Manager Window Save Needed Refresh T Reset F Restore Cisco Systems Left frame Table of Contents Main section titles Configuration Administration Monitoring Closed or collapsed Open or expanded Main frame Manager screen This reminder indicates that yo have changed the active configuration Click on the Save Needed icon to save the active configuration and make it the boot configuration As you make configuration entries they take effect immediate
23. Back Continue for this authentication server 63730 To configure the parameters for the NT authentication server follow these steps Step 1 In the Authentication Server Address field enter the IP address of the NT Domain authentication server for example 192 168 12 34 Use dotted decimal notation Step2 In the Server Port field enter the TCP port number by which you access the server Enter 0 the default to have the system supply the default port number 139 Step3 In the Timeout field enter the time in seconds to wait after sending a query to the server and receiving no response before trying again The minimum is 1 second default is 4 seconds maximum is 30 seconds Step4 In the Retries field enter the number of times to retry sending a query to the server after the timeout period If there is still no response after this number of retries the VPN Concentrator declares this server inoperative The minimum is 0 default is 2 maximum is 10 retries Step 5 In the Domain Controller Name field enter the NT Primary Domain Controller hostname for this server for example PDCO1 The maximum is 16 characters You must enter this name and it must be the correct hostname for the server whose IP address you entered in Authentication Server Address above if it is incorrect authentication will fail Step6 Click Continue to proceed If you selected the IPSec tunneling protocol skip to the section Configuring the IPSec Group
24. CRSHDUMP TXT file A 1 Current Users list 3 16 D data formats ix date setting 2 15 3 8 Daylight Saving Time enabling 2 16 3 9 E VPN 3000 Series Concentrator Getting Started 78 14740 01 Index W default Dynamic Host Configuration Protocol See DHCP admin password 3 18 4 17 entries CLI 4 1 E login name 2 15 Enable DST Support login password 2 15 check box 3 9 default gateway encryption algorithms CLI 4 5 features 1 4 Default Gateway field 3 9 Encryption option not required deleting a user 3 17 4 12 L2TP 3 10 DHCP PPTP 3 10 address assignment encryption options CLI 4 8 configuring 3 10 check box 3 11 encryption options configuring 4 6 Dial Up Networking 5 2 entries digital Certificate Authorities supported 1 5 default display settings 2 4 CLI 41 DNS server error CLI 4 5 an error has occurred A 3 DNS Server field 3 9 insufficient authorization A 4 documentation not allowed A 4 cautions viii errors conventions vi and troubleshooting A 1 notes viii an error has occurred A 3 related vi bad IP address A 5 tips viii CLI A 5 Domain field 3 9 insufficient authorization A 4 Domain Controller Name field invalid login A 2 A 3 NT Domain 3 14 JavaScript A 3 domain name CLI 4 5 messages 3 3 Don t Require Encryption option no such interface supported IE A 4 L2TP 3 10 not allowed A 4 PPTP 3 10 not found A 4 Done screen 3 19 old browser A 3 DST 2 16 3 9 out of range value A 5 Duplex passwords do n
25. Click Enable under Allow per session cookies not stored Netscape Navigator 1 On the Edit menu choose Preferences 1 On the Edit menu choose Preferences 4 5 4 7 2 On the Advanced screen check the Enable 2 On the Advanced screen click one of the JavaScript check box Accept cookies choices and do not check the Warn me before accepting a cookie check box Netscape Navigator 1 On the Edit menu choose Preferences 1 On the Edit menu choose Preferences 6 0 2 On the Advanced screen check the Enable 2 Under the Advanced category choose JavaScript for Navigator check box Cookies 3 On the Cookies screen choose Enable All Cookies Do not check the Warn me before storing a cookie check box Navigation Toolbar Do not use the browser navigation toolbar buttons Back Forward or Refresh Reload with the VPN Concentrator Manager unless instructed to do so To protect access security clicking Refresh Reload automatically logs out the Manager session Clicking Back or Forward may display stale Manager screens with incorrect data or settings We recommend that you hide the browser navigation toolbar to prevent mistakes while using the VPN Concentrator Manager 78 14740 01 VPN 3000 Series Concentrator Getting Started Chapter 2 Installing and Powering Up the VPN Concentrator W Unpacking Recommended PC Monitor Display Settings For best legibility and ease of use we recommend setting your monitor or display as
26. Copyright 1989 Regents of the University of California All rights reserved Redistribution and use in source and binary forms are permitted provided that the above copyright notice and this paragraph are duplicated in all such forms and that any documentation advertising materials and other materials related to such distribution and use acknowledge that the software was developed by the University of California Berkeley The name of the University may not be used to endorse or promote products derived from this software without specific prior written permission THIS SOFTWARE IS PROVIDED AS IS AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES INCLUDING WITHOUT LIMITATION THE IMPLIED WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE Van Jacobson van helios ee lbl gov Dec 31 1989 Initial distribution Modified for KA9Q Internet Software Package by Katie Stevens dkstevens ucdavis edu University of California Davis Computing Services 01 31 90initial adaptation from 1 19 PPP 0502 15 90 ks PPP 0805 02 90 ks use PPP protocol field to signal compression PPP 1509 90 ks improve mbuf handling PPP 1611 02 karn substantially rewritten to use NOS facilities Feb 1991 Bill_Simpson um cc umich edu variable number of conversation slots allow zero or one slots separate routines status display VPN 3000 Series Concentrator Getting Started 78 14740 01 g eo AppendixB Copyrights Licenses a
27. Default No rules applied to this filter Drop all packets This is the default filter for the external Ethernet interface e None No filter applied to the interface which means there are no restrictions on data packets In the Speed field click the drop down menu button and select the interface speed e 10 Mbps Fix the speed at 10 Mbps 1OBASE T networks e 100 Mbps Fix the speed at 100 Mbps per second 100BASE T networks e 10 100 auto Let the VPN Concentrator automatically detect and set the appropriate speed either 10 or 100 Mbps default If you accept the default be sure that the port on the active network device hub switch router etc to which you connect this interface is also set to automatically negotiate the speed Otherwise select the appropriate fixed speed In the Duplex field click the drop down menu button and select one of the following interface transmission modes e Auto Let the VPN Concentrator automatically detect and set the appropriate transmission mode either full or half duplex default If you accept the default be sure that the port on the active network device hub switch or router to which you connect this interface is also set to automatically negotiate the transmission mode Otherwise select the appropriate fixed mode e Full Duplex Fix the transmission mode as full duplex transmission in both directions at the same time e Half Duplex Fix the transmission mode as half duple
28. Ep 63795 VPN 3000 Series Concentrator Getting Started 78 14740 01 EN Chapter1 Understanding the VPN 3000 Concentrator WE Hardware Features Hardware Features Current VPN Concentrator Models 3005 3015 3030 3060 and 3080 Previous VPN Concentrator Models C10 C20 and C50 All systems feature e 10 100Base T Ethernet interfaces autosensing 3005 Two interfaces 3015 3080 Three interfaces e Motorola PowerPC CPU e SDRAM memory for normal operation e Nonvolatile memory for critical system parameters e Flash memory for file management VPN 3000 Series Concentrator Getting Started 78 14740 01 _ Chapter 1 Understanding the VPN 3000 Concentrator Hardware Features In addition individual models have the following hardware features VPN Concentrator Model Hardware Features Model 3005 Software based encryption Single power supply Model 3015 Software based encryption Single power supply Expansion capabilities Up to four Cisco Scalable Encryption Processing modules for maximum system throughput and redundancy Optional redundant power supply Model 3030 One Scalable Encryption Processing module for hardware based encryption Single power supply Expansion capabilities One additional SEP module for maximum system throughput and redundancy Optional redundant power supply Models 3060 and 3080 Two Scalable Encryption Processing
29. Ethernet interface If you are modifying Ethernet 1 the Manager also displays a caution message To configure parameters for an Ethernet interface follow these steps Step 1 Choose one of the following options e Ifyou want to disable this interface click the Disabled radio button If disabled the interface is offline this state lets you retain or change its configuration parameters while it is offline e Ifyou want to enable this interface and use DHCP to obtain an IP address click the DHCP Client radio button Inthe System Name field enter a name such as VPN01 for the VPN Concentrator This name must uniquely identify this device on your network e Ifyou want to enable this interface and set a static IP address for it click the Static IP Addressing radio button Inthe IP Address field enter the IP address for this interface using dotted decimal notation for example 192 168 12 34 Be sure no other device is using this address on the network VPN 3000 Series Concentrator Getting Started E 78 14740 01 _ Chapter 3 Using the VPN Concentrator Manager for Quick Configuration Step 2 Step 3 Step 4 Step 5 Step 6 Step 7 Step 8 Configuring IP Interfaces W Inthe Subnet Mask field enter the subnet mask for this interface using dotted decimal notation for example 255 255 255 0 The Manager automatically supplies a standard subnet mask appropriate for the IP address you just entere
30. Explorer version 4 0 or higher or Netscape Navigator version 4 5 4 7 or 6 0 For best results we recommend Internet Explorer Whatever browser and version you use install the latest patches and service packs for it VPN 3000 Series Concentrator Getting Started P22 E 78 14740 01 Chapter 2 Installing and Powering Up the VPN Concentrator JavaScript and Cookies Preparing to Install W Be sure JavaScript and Cookies are enabled in the browser Check these settings Browser JavaScript Cookies Internet Explorer 4 0 1 On the View menu choose Internet Options 1 On the View menu choose Internet Options 2 On the Security tab click Custom for expert 2 On the Advanced tab scroll down to Security users then click Settings then Cookies 3 In the Security Settings window scroll down 3 Click Always accept cookies to Scripting 4 Click Enable under Scripting of Java applets 5 Click Enable under Active scripting Internet Explorer 5 0 1 On the Tools menu choose Internet Options 1 On the Tools menu choose Internet Options 2 On the Security tab click Custom Level 2 On the Security tab click Custom Level 3 In the Security Settings window scroll down 3 In the Security Settings window scroll down to Scripting to Cookies 4 Click Enable under Active scripting 4 Click Enable under Allow cookies that are 5 Click Enable under Scripting of Java applets stored on your computer 5
31. For example a configured remote user with a PC and modem can use Microsoft PPTP and a local ISP to connect securely in a VPN tunnel through the Internet with resources on a private internal corporate network We strongly recommend that you save the active configuration before you proceed VPN 3000 Series Concentrator Getting Started 78 14740 01 EN Chapter 3 Using the VPN Concentrator Manager for Quick Configuration W Saving the Active Configuration Saving the Active Configuration As you make configuration entries they take effect immediately and are included in the active or running configuration However if you reboot the VPN Concentrator without saving the active configuration any configuration changes are lost To remind you to save your settings the Save icon on the Manager toolbar at the top of the Manager screen changes to Save Needed as soon as the active configuration differs from the boot configuration Click either icon to save the active configuration as the boot configuration A pop up window displays a status message Figure 3 16 Save Configuration Window y Save To Configuration File EG Save Successful OK 63743 Click OK to close the window Should you need to restart the VPN Concentrator it will then boot with your configured parameters We strongly recommend that as you configure the VPN Concentrator you make it a habit to click Save Needed whenever you finish setting param
32. OF SUBSTITUTE GOODS OR SERVICES LOSS OF USE DATA OR PROFITS OR BUSINESS INTERRUPTION HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY WHETHER IN CONTRACT STRICT LIABILITY OR TORT INCLUDING NEGLIGENCE OR OTHERWISE ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE Copyright 1995 1996 1997 The Internet Software Consortium All rights reserved Redistribution and use in source and binary forms with or without modification are permitted provided that the following conditions are met 1 Redistributions of source code must retain the above copyright notice this list of conditions and the following disclaimer 2 Redistributions in binary form must reproduce the above copyright notice this list of conditions and the following disclaimer in the documentation and or other materials provided with the distribution 3 Neither the name of The Internet Software Consortium nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission THIS SOFTWARE IS PROVIDED BY THE INTERNET SOFTWARE CONSORTIUM AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED IN NO EVENT SHALL THE INTERNET SOFTWARE CONSORTIUM OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT INDIRECT INCIDENTAL SPECIAL
33. and safety precautions The industry Canada label identifies CS 03 certified equipment This certification means that the equipment meets certain telecommunications network protection operation and safety requirements as described in the appropriate terminal equipment requirements document s The department does not guarantee the equipment will operate to the user s satisfaction Before installing the equipment ensure that it is permissible to connect them to the facilities of the local telecommunications company The equipment must also be installed using an acceptable method of connection The customer should be aware that compliance with the above conditions may not prevent degradation of service in some situations Repairs to certified equipment should be coordinated by a representative designated by the supplier Any repairs or alterations made by the user to this equipment or equipment malfunctions may give the telecommunications company cause to request the user to disconnect the equipment Ensure that the electrical ground connections of the power utility telephone lines and internal metallic water pipe system if present are connected together This precaution may be particularly important in rural areas 78 14740 01 VPN 3000 Series Concentrator Getting Started AppendixB Copyrights Licenses and Notices HZ Regulatory Standards Compliance A Warning Do not attempt to make such connections yourself Co
34. causes harm to the telephone network the telephone company notifies you in advance that temporary discontinuance of service might be required If advance notice is not practical the telephone company notifies the customer as soon as possible Also you are advised of your right to file a complaint with the FCC if you believe it is necessary The telephone company can make changes in its facilities equipment operations or procedures that could affect the operation of the equipment If this happens the telephone company provides advance notice in order for you to make the necessary modifications to maintain uninterrupted service If trouble is experienced with this equipment please contact us for repair and warranty information If the trouble is causing harm to the telephone network the telephone company can request you remove the equipment from the network until the problem is resolved We recommend that you install an AC surge arrestor in the AC outlet to which this device is connected This is to avoid damaging the equipment caused by local lightning strikes and other electrical surges This equipment uses the Uniform Service Order Code USOC jacks described below Model Name Facility Interface Code Service Order Code Jack Type CVPN_3000 2T 04DU9 1SN 6 0N RJ48C CS 03 Certification The equipment is CS 03 certified Refer to Table B 1 for CS03 approval details for equipment Observe the following general information
35. follows e Desktop area 1024 x 768 pixels or greater Minimum 800 x 600 pixels e Color palette 256 colors or higher Unpacking The VPN Concentrator ships with these items Carefully unpack your device and check your contents against the list in Table 2 1 Save the packing material in case you need to repack theunit Table 2 1 VPN Concentrator Packing List Check Quantity Item 1 VPN 3000 Series Concentrator 2 Rack mounting kits one for model 3005 one for models 3015 3080 1 RS 232 straight through serial console cable with DB 9 female connectors on both ends 2 UTP network cables with RJ 45 8 pin modular connectors lor 2 Power cords 1 Cisco VPN 3000 Series Concentrator CD 1 Cisco VPN Software Client CD 1 Evalutation copy of Zone Labs firewall software CD 1 Cisco AVVID Solutions CD 1 VPN 3000 Series Concentrator Getting Started this manual 1 Release Notes for Cisco VPN 3000 Series Concentrator 1 VPN 3000 Series Concentrator Software License Agreement 1 Release Notes for Cisco VPN Client 1 Cisco VPN Client Software License Agreement 1 Export Compliance document 1 Cisco Product Warranty and Information packet 1 Documentation Ordering Instructions VPN 3000 Series Concentrator Getting Started P24 E 78 14740 01 Chapter2 _ Installing and Powering Up the VPN Concentrator Installing the VPN Concentrator Hardware W Installing the VPN Concentr
36. for the name plus a maximum of three characters for an extension For example LOGO0007 TXT is a legitimate filename The VPN Concentrator always stores filenames in uppercase Port Numbers Port numbers use decimal numbers from 0 to 65535 No commas or spaces are permitted in a number 78 14740 01 VPN 3000 Series Concentrator Getting Started Preface W Obtaining Documentation Obtaining Documentation These sections explain how to obtain documentation from Cisco Systems World Wide Web You can access the most current Cisco documentation on the World Wide Web at this URL http www cisco com Translated documentation is available at this URL http www cisco com public countries_languages shtml Documentation CD ROM Cisco documentation and additional literature are available in a Cisco Documentation CD ROM package which is shipped with your product The Documentation CD ROM is updated monthly and may be more current than printed documentation The CD ROM package is available as a single unit or through an annual subscription Ordering Documentation You can order Cisco documentation in these ways e Registered Cisco com users Cisco direct customers can order Cisco product documentation from the Networking Products MarketPlace http www cisco com cgi bin order order_root pl e Registered Cisco com users can order the Documentation CD ROM through the online Subscription Store http www ci
37. modules for hardware based encryption at maximum system throughput Dual redundant power supplies Expansion capabilities Up to two additional SEP modules for maximum system redundancy 78 14740 01 VPN 3000 Series Concentrator Getting Started ii Chapter1 Understanding the VPN 3000 Concentrator HI Software Features Software Features The VPN Concentrator incorporates the following virtual private networking software features VPN Feature Description Management The VPN Concentrator offers multiple management interfaces Each interface Interfaces provides complete capabilities and can be used to fully configure administer and monitor the device The VPN Concentrator Manager is an HTML based interface that lets you manage the system remotely with a standard web browser using either of the following HTTP connections HTTPS HTTP over SSL secure connections The VPN Concentrator command line interface is a menu and command line based interface that you can use with the local system console or remotely using any of the following Telnet connections Telnet over SSL secure connections SSH Secure Shell including SCP Secure Copy Tunneling Protocols IPSec IP Security Protocol Remote access using Cisco VPN Client or other select IPSec protocol compliant clients LAN to LAN between peer VPN Concentrators or between a VPN Concentrator and another IPSec protocol compl
38. must use Microsoft encryption to encrypt data This option requires MS CHAP Microsoft Challenge Handshake Authentication Protocol and provides maximum security During connection setup clients must agree to use encryption or they will not be connected e No Encryption Required PPTP connections may use Microsoft encryption to encrypt data During connection setup clients might or might not agree to use Microsoft encryption they will be connected in either case 1 PPTP Encryption Required 2 No Encryption Required Quick gt 2 At the cursor enter 1 to require encryption or press Enter to accept the default 2 which does not require encryption Accept the default if you disabled PPTP The system prompts you to enable or disable L2TP 1 Enable L2TP 2 Disable L2TP Quick gt 1 At the cursor enter 2 to disable L2TP or press Enter to accept the default 1 which enables L2TP VPN 3000 Series Concentrator Getting Started Poe W 78 14740 01 _ Chapter 4 Using the Command Line Interface for Quick Configuration Step 4 Step 5 Configuring Tunneling Protocols and Options W If you enable L2TP the system prompts you to select the encryption option e L2TP Encryption Required L2TP connections must use Microsoft encryption to encrypt data This option requires MS CHAP Microsoft Challenge Handshake Authentication Protocol and provides maximum security During connection setup clients must agree
39. return to the previous screen Configuration entries take effect as soon as you click Apply or Continue and they constitute the active or running configuration To save the active configuration and make it the boot configuration click the Save Needed icon on the Manager toolbar in the top frame of the browser window To remind you to save your settings the icon changes from Save to Save Needed as soon as the active configuration differs from the boot configuration If you make a mistake and see an Error screen with the message An error has occurred while attempting to perform the operation and you return to the screen where you were working carefully check all your previous entries on that screen The Manager attempts to retain valid entries but invalid entries are lost See Appendix A Troubleshooting and System Errors for more details Caution Do not use the browser navigation toolbar buttons Back Forward or Refresh Reload with the VPN Concentrator Manager unless instructed to do so To protect access security clicking Refresh Reload automatically logs out the Manager session Clicking Back or Forward might display stale Manager screens with incorrect data or settings To prevent mistakes while using the VPN Concentrator Manager we recommend that you hide the browser navigation toolbar 78 14740 01 VPN 3000 Series Concentrator Getting Started Chapter 3 Using the VPN Concentrator Manager for Quick Co
40. sure you can use PPP on your ISP account Configure this connection to use TCP IP and configure appropriate IP address assignment and name server addresses according to instructions from your ISP Setup a second connection to the VPN Concentrator using the Microsoft VPN Adapter Connect to the IP address on the VPN Concentrator public interface for example 192 168 12 34 Configure Server Types to Log on to network Enable software compression and Allow TCP IP Configure TCP IP Settings with Server assigned IP address Specify name server addresses and Primary WINS IP address from your network administrator e Configure Network Neighborhood gt Properties and configure the Client for Microsoft Networks gt Properties gt General check Log on to Windows NT domain and enter your domain name in Windows NT domain field for example BigCo VPN 3000 Series Concentrator Getting Started 2 Ey 78 14740 01 Chapter5 Testing the VPN Concentrator Testing the VPN Connection W Testing the VPN Connection Now make the network connections and examine their status To verify that you are connected to the private corporate network follow these steps Step 1 Use the ISP connection in Dial Up Networking and connect to your ISP with a PPP connection Step2 Use the VPN connection in Dial Up Networking and connect to the VPN Concentrator with your username for example simonz and password for example 9se7pt14 Step3 When th
41. the hazards involved with electrical circuitry and familiar with standard practices for preventing accidents VPN 3000 Series Concentrator Getting Started 78 14740 01 Preface Data Formats Conventions W As you configure and manage the system enter data in the following formats unless the instructions indicate otherwise Type of Data Format IP Addresses IP addresses use 4 byte dotted decimal notation for example 192 168 12 34 as the example indicates you can omit leading zeros in a byte position Subnet Masks and Subnet masks use 4 byte dotted decimal notation for example Wildcard Masks 255 255 255 0 Wildcard masks use the same notation for example 0 0 0 255 as the example illustrates you can omit leading zeros in a byte position MAC Addresses MAC addresses use 6 byte hexadecimal notation for example 00 10 5A 1F 4F 07 Hostnames Hostnames use legitimate network hostname or end system name notation for example VPNO1 Spaces are not allowed A hostname must uniquely identify a specific system on a network Text Strings Text strings use upper and lower case alphanumeric characters Most text strings are case sensitive for example simon and Simon represent different usernames In most cases the maximum length of text strings is 48 characters Filenames Filenames on the VPN Concentrator follow the DOS 8 3 naming convention a maximum of eight characters
42. to enter the TCP port number by which you access the NT Domain server gt NT Domain Server Port Quick gt 0 At the cursor enter the NT Domain port number for example 139 To have the system supply the default port number 139 press Enter to accept 0 the default To continue quick configuration skip to the Configuring the IPSec Group section on page 4 16 or the Changing the Admin Password section on page 17 VPN 3000 Series Concentrator Getting Started Pos 78 14740 01 _ Chapter 4 Using the Command Line Interface for Quick Configuration Configuring Authentication W Configuring SDI Authentication Server Step 1 Step 2 To configure an external SDI RSA Security Inc SecurID user authentication server follow these steps You selected the external SDI authentication server and the system prompts you to enter its hostname or IP address gt SDI Server Name Quick gt At the cursor enter the SDI server hostname or IP address for example 192 168 56 78 The maximum length is 32 characters The system prompts you to enter the UDP port number by which you access the SDI server gt SDI Server Port Quick gt 0 At the cursor enter the SDI port number for example 5500 To have the system supply the default port number 5500 press Enter to accept 0 the default To continue quick configuration proceed to the next section Configuring the IPSec Group or to the
43. work with the browser that you have invoked e You are using the Manager with an unsupported browser e You are using the Manager with an obsolete browser e You are using a browser that does not have JavaScript enabled Use Microsoft Internet Explorer version 4 0 or higher Use Netscape Navigator version 4 5 or higher Be sure JavaScript is enabled in the browser See the Browser Requirements section on page 2 2 of this manual 78 14740 01 VPN 3000 Series Concentrator Getting Started Appendix A Troubleshooting and System Errors HZ VPN Concentrator Manager Errors Table A 1 Symptom Problem VPN Concentrator Manager Errors continued Possible Cause Solution The Manager displays a screen with the message Not Allowed You do not have sufficient authorization to access the specified page You tried to access an area of the Manager that you do not have authorization to access e You logged in using an administrator login name that has limited privileges e You logged in from a workstation that has limited access privileges Log in using the system administrator login name and password Defaults are admin admin Log in from a workstation with greater access privileges Have the system administrator change your privileges on the Administration Access Rights Administrators screen Have the system administrator change the privileges of y
44. your private network You must enter this address to continue quick configuration This table shows current IP addresses Interface IP Address Subnet Mask MAC Address Ethernet 1 Private 0 0 0 0 0 0 0 0 Ethernet 2 Public 0 0 0 0 0 0 0 0 Ethernet 3 External 0 0 0 0 0 0 0 0 An address is required for the private interface gt Enter IP Address Quick Ethernet 1 gt 0 0 0 0 _ At the cursor enter the IP address using dotted decimal notation for example 10 10 4 6 amp Note Ethernet 3 appears only on Models 3015 3080 The system initializes its network subsystems which takes a few seconds It then prompts you for the subnet mask for the Ethernet 1 Private interface The entry in brackets is the standard subnet mask for the IP address you just entered For example an IP address of 10 10 4 6 is a Class A address and the standard subnet mask is 255 0 0 0 gt Enter Subnet Mask Quick Ethernet 1 gt 255 0 0 0 At the cursor enter the subnet mask appropriate for your private network addressing scheme using dotted decimal notation for example 255 255 0 0 To accept the default press Enter VPN 3000 Series Concentrator Getting Started P2416 i 78 14740 01 Chapter 2 Installing and Powering Up the VPN Concentrator Step 9 Step 10 Step 11 Beginning Quick Configuration W The system prompts you with a menu to set the speed for the Ethernet 1 interface You can
45. 0 0 0 gt Enter IP Address for Ethernet 2 Public Quick gt 0 0 0 0 VPN 3000 Series Concentrator Getting Started P42 E 78 14740 01 _ Chapter 4 Using the Command Line Interface for Quick Configuration Step 3 Step 4 Step 5 Configuring Ethernet Interfaces W At the cursor enter the IP address for the VPN Concentrator Ethernet 2 Public interface using dotted decimal notation for example 192 168 12 34 Be sure no other device is using this address on the network Note that Ethernet 3 appears on models 3015 3080 only The system prompts you for the subnet mask for the Ethernet 2 Public interface The entry in brackets is the standard subnet mask for the IP address you entered above For example an IP address of 192 168 12 34 is a Class C address and the standard subnet mask is 255 255 255 0 gt Enter Subnet Mask for Ethernet 2 Quick gt 255 255 255 0 _ At the cursor enter the subnet mask for Ethernet 2 using dotted decimal notation for example 255 255 255 0 To accept the default press Enter The system prompts with a menu to set the speed for the Ethernet 2 interface You can let the VPN Concentrator automatically detect and set the appropriate speed the default or you can set fixed speeds of 10 or 100 Mbps per second for 1OBASE T or 1OOBASE T networks If you accept the default be sure that the port on the active network device hub switch or router to which you connect this
46. 0 0 0 0 0 0 67508 This screen lets you configure the VPN Concentrator Ethernet interfaces E VPN 3000 Series Concentrator Getting Started 78 14740 01 _ Chapter 3 Using the VPN Concentrator Manager for Quick Configuration A Configuring IP Interfaces W Model 3005 comes with two Ethernet interfaces Models 3015 3080 come with three Ethernet interfaces e Ethernet 1 Private is the interface to your private network internal LAN e Ethernet 2 Public is the interface to the public network e Ethernet 3 External if present is the interface to an additional LAN For the VPN Concentrator to become fully operational you must configure the two interfaces you physically connected to your network under Connecting Network Cables page 2 9 The screen displays the current configuration settings You entered the IP address and subnet mask for Ethernet in Step 7 and Step 8 under Using the Console page 2 15 We assume that is the interface you are using to connect to the device and configure it Caution Step 1 If you modify any parameters of the interface that you are currently using to connect to the VPN Concentrator you will break the connection and you will have to restart the Manager and quick configuration from the login screen To enter or modify parameters for an interface click on the interface and continue using the directions in the following section If you are not modifying an interface
47. 2 cooling 2 2 power 2 2 preparing 2 2 physical specifications 1 9 power requirements 2 2 specifications 1 9 power cable 2 10 powering up 2 11 Power LED SEP A 7 Power Supplies LEDs front panel A 6 E VPN 3000 Series Concentrator Getting Started 78 14740 01 PPTP enable check box 3 10 CLI 4 6 preparing to install 2 1 Private Default filter Ethernet interface 3 7 private interface configuring at startup 2 16 Protocols screen 3 10 Public Default filter Ethernet interface 3 7 Q Quick Configuration completing with Command Line Interface 4 1 with Manager 3 3 Done screen 3 19 finishing 3 19 4 18 running only once 2 12 3 1 3 3 4 1 saving 3 20 4 18 stepsin 2 12 testing 5 1 using nondefault values 2 13 using the VPN Concentrator Manager 3 1 quick configuration beginning 2 12 starting 2 12 starting from the console 2 15 quitting the Command Line Interface 4 18 rack mounting 2 5 RADIUS authentication server configuring using CLI 4 13 selection 3 13 RADIUS Server Name CLI RADIUS Server Port CLI 4 RADIUS Server Secret CLI Range End CLI 4 9 field 3 11 Range Start CLI 4 9 field 3 11 reboot system saves log file A 1 4 13 13 4 13 regulatory agency notices B 10 related documentation vi removing a user 3 17 4 12 Require Encryption option L2TP 3 10 4 7 PPTP 3 10 4 6 requirements browser 2 2 console 2 2 Internet Explorer 2 2 JavaScript 2 3 Netsca
48. CHAPTER Using the VPN Concentrator Manager for Quick Configuration This chapter tells you how to complete quick configuration of the system using the VPN Concentrator Manager Quick configuration supplies the minimal parameters needed to make the VPN Concentrator operational while the Main menu lets you configure all the features of the VPN 3000 Concentrator For example a configured remote user with a PC and modem can use Microsoft PPTP point to point tunneling protocol and a local ISP to connect securely in a VPN tunnel through the Internet with resources on a private internal corporate network The VPN Concentrator Manager is an HTML based configuration administration and monitoring system built into the VPN Concentrator To use it you need only to connect to the VPN Concentrator using a PC and browser on the same private network with the VPN Concentrator Before beginning the procedures in this section you should have completed Steps 1 through 12 under Using the Console page 2 15 As you proceed refer to the data you recorded in the table of Quick Configuration Parameters page 2 13 The figures that follow show only the main frame of the Manager window To use features in the other frames see Understanding the VPN Concentrator Manager Window page 3 22 Note You can go through the steps of quick configuration only once unless you reboot the system with the Reboot ignoring the configuration file option 78
49. CP address assignment or press Enter to accept the default 2 disabled If you enable DHCP continue with the next step If you disable DHCP skip the next step VPN 3000 Series Concentrator Getting Started Pas W 78 14740 01 _ Chapter 4 Using the Command Line Interface for Quick Configuration Step 4 Step 5 Step 6 Step 7 Configuring Address Assignment W If you enable DHCP address assignment the system prompts for the server address If you disable DHCP this prompt does not appear gt DHCP Server Quick gt At the cursor enter the IP address or hostname of the DHCP server The system prompts you to enable or disable configured pool address assignment 1 Enable Configured Pool Address Assignment 2 Disable Configured Pool Address Assignment Quick gt 2 At the cursor enter 1 to enable configured pool assignment or press Enter to accept the default 2 disabled If you enable configured pool continue with the next two steps otherwise skip them If you enable configured pool address assignment the system prompts for the starting IP address available in the initial pool gt Configured Pool Range Start Address Quick gt _ At the cursor enter the starting IP address available in the initial configured pool Use dotted decimal notation for example 10 10 1 77 If you enable configured pool address assignment the system prompts for the ending IP address available in the initial pool
50. Cisco SYSTEMS VPN 3000 Series Concentrator Getting Started Release 3 6 August 2002 Corporate Headquarters Cisco Systems Inc 170 West Tasman Drive San Jose CA 95134 1706 USA http www cisco com Tel 408 526 4000 800 553 NETS 6387 Fax 408 526 4100 Customer Order Number DOC 7814740 Text Part Number 78 14740 01 WS THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE ALL STATEMENTS INFORMATION AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND EXPRESS OR IMPLIED USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY The following information is for FCC compliance of Class A devices This equipment has been tested and found to comply with the limits for a Class A digital device pursuant to part 15 of the FCC rules These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment This equipment generates uses and can radiate radio frequency energy and if not installed and used in accordance with the instr
51. E ACCOMPANYING WRITTEN MATERIALS AND THE ACCOMPANYING HARDWARE This limited warranty gives you specific legal rights You may have others which vary from state to state 13 CISCO SYSTEMS ENTIRE LIABILITY AND YOUR EXCLUSIVE REMEDY SHALL BE AT CISCO SYSTEMS CHOICE EITHER A RETURN OF THE PRICE PAID OR B REPLACEMENT OF THE SOFTWARE THAT DOES NOT MEET CISCO SYSTEMS LIMITED WARRANTY AND VPN 3000 Series Concentrator Getting Started 78 14740 01 _ Appendix B Copyrights Licenses and Notices Other Licenses W WHICH IS RETURNED TO CISCO SYSTEMS TOGETHER WITH A COPY OF YOUR RECEIPT Any replacement Software will be warranted for the remainder of the original warranty period or 30 days whichever is longer These remedies are not available outside the United States of America 14 This Limited Warranty is void if failure of the Software has resulted from modification accident abuse or misapplication 15 IN NO EVENT WILL CISCO SYSTEMS BE LIABLE TO YOU FOR DAMAGES INCLUDING ANY LOSS OF PROFITS LOST SAVINGS OR OTHER INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF YOUR USE OR INABILITY TO USE THE SOFTWARE Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages the above limitation may not apply to you 16 This Agreement is governed by the laws of the State of Massachusetts 17 If you have any questions concerning this Agreement or wish to contact Cisco Syst
52. L IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS IN NO EVENT SHALL DIGITAL EQUIPMENT CORPORATION BE LIABLE FOR ANY SPECIAL DIRECT INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE DATA OR PROFITS WHETHER IN AN ACTION OF CONTRACT NEGLIGENCE OR OTHER TORTIOUS ACTION ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE Portions Copyright 1996 by Internet Software Consortium Permission to use copy modify and distribute this software for any purpose with or without fee is hereby granted provided that the above copyright notice and this permission notice appear in all copies THE SOFTWARE IS PROVIDED AS IS AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS IN NO EVENT SHALL INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL DIRECT INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE DATA OR PROFITS WHETHER IN AN ACTION OF CONTRACT NEGLIGENCE OR OTHER TORTIOUS ACTION ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE Portions Copyright 1995 by International Business Machines Inc 78 14740 01 VPN 3000 Series Concentrator Getting Started E AppendixB Copyrights Licenses and Notices HZ Other Licenses IPSec International Business Machines Inc hereinafter called IBM gran
53. L based VPN Concentrator Manager from a browser to complete quick configuration Refer to the data you recorded in Table 2 2 You started the terminal emulator window on the console in the Powering Up section on page 2 11 if not start it now and press Enter on the console keyboard until you see the login prompt You may see a password prompt and other messages as you press Enter Ignore them and stop at the login prompt Login _ At the cursor enter the default login name admin At the password prompt enter the default password admin Login admin Password admin The system displays the opening message and prompts you to set the time on the VPN Concentrator The correct time is very important so that logging and accounting entries are accurate and so that the system can create a valid security certificate The time in brackets is the current device time Welcome to Cisco Systems VPN 3000 Concentrator Series Command Line Interface Copyright C 1998 2001 Cisco Systems Inc Set the time on your device gt Time Quick gt 15 46 41 _ At the cursor enter the correct device time in the format HH MM SS using 24 hour notation For example enter 4 24 p m as 16 24 00 The system prompts you to set the date The number in brackets is the current device date Enter the date gt Date Quick gt 03 26 2001 _ At the cursor enter the correct date in the format MM DD YYYY Use four digits to ent
54. NY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE DATA OR PROFITS WHETHER IN AN ACTION OF CONTRACT NEGLIGENCE OR OTHER TORTIOUS ACTION ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE Client SNMP Copyright 1996 1997 by Westhawk Ltd www westhawk co uk Permission to use copy modify and distribute this software for any purpose and without fee is hereby granted provided that the above copyright notices appear in all copies and that both the copyright notice and this permission notice appear in supporting documentation This software is provided as is without express or implied warranty author tpanton ibm net Tim Panton VPN 3000 Series Concentrator Getting Started B 8 78 14740 01 AppendixB Copyrights Licenses and Notices Other Licenses W SSH Copyright 1993 1995 2000 by DataFellows Inc All rights reserved SSL Plus Certicom the Certicom logo SSL Plus and Security Builder are trademarks of Certicom Corp Copyright 1997 1999 Certicom Corp Portions are Copyright 1997 1998 Consensus Development Corporation a wholly owned subsidiary of Certicom Corp All rights reserved Contains an implementation of NR signatures licensed under U S patent 5 600 725 Protected by U S patents 5 787 028 4 745 568 5 761 305 Patents pending TCP Compression Uncompression Routines to compress and uncompress TCP packets for transmission over low speed serial lines
55. Next Now that the VPN Concentrator is operational you can do the following e Test its operation by following the procedures in Chapter 5 Testing the VPN Concentrator e Explore the command line interface The menus follow the same order and let you perform the same functions as the VPN Concentrator Manager See Appendix A Using the Command Line Interface in the VPN 3000 Series Concentrator Reference Volume II Administration and Monitoring for explanations of parameters and entries e Explore the VPN Concentrator Manager window and other VPN Concentrator functions See Chapter 1 Using the VPN 3000 Concentrator Series Manager in the VPN 3000 Series Concentrator Reference Volume I Configuration e Proceed to a more detailed and complete system configuration See the VPN 3000 Series Concentrator Reference Volume I Configuration VPN 3000 Series Concentrator Getting Started 78 14740 01 EN Chapter4 Using the Command Line Interface for Quick Configuration E What Next VPN 3000 Series Concentrator Getting Started a20 i 78 14740 01 CHAPTER Testing the VPN Concentrator You can test the VPN Concentrator by using Microsoft Dial Up Networking under Windows 95 on a remote PC with a modem You can also connect to an ISP and use PPTP to create a VPN tunnel to a private corporate Windows NT network We first describe the necessary VPN Concentrator configuration settings then the PC settings and f
56. OR ANY INDIRECT SPECIAL CONSEQUENTIAL OR INCIDENTAL DAMAGES INCLUDING WITHOUT LIMITATION LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES CCIP the Cisco Arrow logo the Cisco Powered Network mark the Cisco Systems Verified logo Cisco Unity Follow Me Browsing FormShare Internet Quotient iQ Breakthrough iQ Expertise iQ FastTrack the iQ Logo iQ Net Readiness Scorecard Networking Academy ScriptShare SMARTnet TransPath and Voice LAN are trademarks of Cisco Systems Inc Changing the Way We Work Live Play and Learn Discover All That s Possible The Fastest Way to Increase Your Internet Quotient and iQuick Study are service marks of Cisco Systems Inc and Aironet ASIST BPX Catalyst CCDA CCDP CCIE CCNA CCNP Cisco the Cisco Certified Internetwork Expert logo Cisco IOS the Cisco IOS logo Cisco Press Cisco Systems Cisco Systems Capital the Cisco Systems logo Empowering the Internet Generation Enterprise Solver EtherChannel EtherSwitch Fast Step GigaStack IOS IP TV LightStream MGX MICA the Networkers logo Network Registrar Packet PIX Post Routing Pre Routing RateMUX Registrar SlideCast StrataView Plus Stratm SwitchProbe TeleRouter and VCO are registered trademarks of Cisco Systems Inc and or its affiliates in the U S and certain other countries All other trademarks me
57. P A 7 steps in Quick Configuration 2 12 stopping the Command Line Interface 4 18 Subnet Mask field Ethernet interface 3 7 user database 3 16 4 12 system information configuring 3 8 4 5 System Info screen 3 8 System LED A 6 system name CLI 4 5 System Name field 3 8 T terminal emulator settings 2 11 starting 2 11 testing the VPN Concentrator 5 1 Throughput LED A 6 E VPN 3000 Series Concentrator Getting Started 78 14740 01 time Daylight Saving 2 16 3 9 setting 2 15 3 8 Timeout field NT Domain 3 14 RADIUS 3 13 SDI 3 15 time zone setting 2 16 3 8 tools needed for installation 2 5 troubleshooting A 1 files created for A 1 tunneling protocols configuring 3 10 4 6 features 1 4 Tx LED Ethernet A 7 typical installation 1 8 typographic conventions vi U understanding the VPN Concentrator Manager window 3 22 unpacking 2 4 usage graph LEDs table A 7 user adding 3 16 4 11 deleting 3 17 4 12 user administrator skills 2 1 user database configuring 4 11 User Database screen 3 16 User Name CLI 4 11 User to Add field 3 16 User to Delete CLI 4 12 using VPN Concentrator Manager functions 3 21 Index W Vv VPN Adapter Microsoft 5 2 VPN Concentrator installilng hardware 2 5 VPN Concentrator configuration settings for testing 5 1 VPN Concentrator Manager errors A 2 logging in 3 2 understanding the window 3 22 using for Quick Configuration 3 1 using
58. The maximum is 64 characters The field shows only asterisks In the Verify field re enter the RADIUS server secret to verify it The field shows only asterisks Click Continue to proceed If you selected the IPSec tunneling protocol skip to the section Configuring the IPSec Group page 3 17 Otherwise skip to the section Changing Admin Password page 3 18 78 14740 01 VPN 3000 Series Concentrator Getting Started Chapter 3 Using the VPN Concentrator Manager for Quick Configuration W Configuring Authentication NT Domain Server Type Configure these parameters for an external Windows NT Domain authentication server We suggest you accept the default values See Figure 3 10 Figure 3 10 Configuration Quick Authentication Screen NT Domain Server Specify how to authenticate users under PPTP L2TP or IPSec You can use the internal server or an external authentication server If you select the Jzterzal Server you must configure the internal user database You may configure additional servers using System Configuration Server Type NT Domain z Selecting Jzterzal Server will let you add users to the internal user database Authentication Server TE Address Enter the IP address Server Port fo Enter 0 for default port 139 Timeout a Enter the timeout for this server seconds Retries 2 Enter the number of retries for this server Domain Controller Cd Enter the NT Primary Domain Controller name Name
59. VPN 3000 Series Concentrator Getting Started P32 E 78 14740 01 _ Chapter 3 Using the VPN Concentrator Manager for Quick Configuration Starting Quick Configuration Wl Starting Quick Configuration The VPN Concentrator Manager displays the initial configuration screen see Figure 3 2 Figure 3 2 VPN Concentrator Manager Initial Configuration Screen Welcome to the VPN 3000 Concentrator Manager The VPN 3000 Concentrator has booted and you must now supply some configuration parameters to make it operational To configure the minimal parameters click here to start Quick Configuration To configure ad features click here to go to the Main Menu 67507 To start quick configuration click the highlighted link that says click here to start Quick Configuration Note A This screen appears only once and you can go through the steps of quick configuration only once unless you reboot the system with the Reboot ignoring the configuration file option You cannot return to this screen if you click the highlighted link that says click here to go to the Main Menu Text entries are case sensitive for example admin and ADMIN are different passwords After you make an entry in a field do not press Enter Just move the cursor from field to field With Microsoft Internet Explorer you can press Tab to move from field to field other browsers may work differently On any screen where it appears click Back to
60. able Low Speed Remote User VPN Access via Modem Enterprise Network Router Public Segment Untrusted Cisco VPN 3000 Concentrator Firewall Segment Web FTP Server Private Segment Trusted File Mail Intranet Authentication Server Server Server Server 63718 VPN 3000 Series Concentrator Getting Started 78 14740 01 _ Chapter 1 Understanding the VPN 3000 Concentrator Physical Specifications The VPN Concentrator has the following physical specifications Physical Specifications W Width 17 25 inches 43 8 cm 19 inch 48 26 cm rack mountable Depth e 3005 11 75 inches 29 85 cm e 3015 3080 17 inches 43 2 cm Height e 3005 1 75 inches 4 45 cm 1U high form factor e 3015 3080 3 5 inches 8 89 cm 2 U high form factor Weight e 3005 8 5 Ibs 3 9 kg e 3015 3080 27 to 33 Ibs 12 25 to 15 kg depending on model and options Cooling Normal operating environment 32 to 122 F 0 to 50 C Power 100 to 240 VAC at 50 60 Hz autosensing 3005 maximum 25 W 0 2A 120 VAC 3015 3080 maximum 50 W 0 42A 120 VAC Cabling distances from an active network device Approx 328 feet 100 meters UL approved Electrical mechanical and construction Standards compliance FCC E U and VCCI Class A compliance 78 14740 01 VPN 3000 Series Concentrator Getting Started ii Chapter1 Understanding the VPN 3000 C
61. abling distances specifications 1 9 case sensitivity 3 3 4 1 Certificate Authorities supported 1 5 changing admin password 4 17 CiscoSecure ACS server 3 13 4 13 CLI errors A 5 exiting 4 18 client configuration settings for testing 5 2 client software compatibility features 1 6 Client Specified check box 3 11 client specified address assignment CLI 4 8 Coll LED Ethernet A 7 Command Line Interface See CLI completing Quick Configuration with Command Line Interface 4 1 with Manager 3 3 compliance standards B 10 configuration active or running 3 3 4 1 configuration files for troubleshooting A 2 saving 2 18 3 20 4 18 Configured Pool check box 3 11 configured pool address assignment CLI 4 9 configuring address assignment 3 11 4 8 authentication 3 12 4 10 Ethernet interfaces 4 2 internal authentication server 3 12 4 11 internal server user database 4 11 IP interfaces 3 4 IPSec Group 3 17 4 16 NT Domain authentication server 3 14 4 14 private Ethernet interface at startup 2 16 RADIUS authentication server 3 13 4 13 SDI authentication server 3 15 4 15 system information 3 8 4 5 tunneling protocols and options 3 10 4 6 connecting console 2 8 network cables 2 9 power cable 2 10 console connecting 2 8 requirements 2 2 to start quick configuration 2 15 conventions documentation vi cooling requirements 2 2 specifications 1 9 copyrights and licenses B 1 CPU Utilization LED A 6 crash system saves log file A 1
62. and Use Your Entry Authentication Your choice here determines the parameters you see in the following screen Possible values are e Internal Server Choosing Internal Server means using the internal VPN Concentrator user authentication server On the User Database screen specify the username and password for each user Additionally if you specify per user address assignment specify the IP address and subnet mask for each user e RADIUS If you use an external RADIUS user authentication server specify its IP address or hostname port number and server secret or password e NT Domain If you use an external Windows NT Domain user authentication server specify its IP address port number and Primary Domain Controller hostname e SDI If you use an external SDI user authentication server specify its IP address and port number User Database Group Name If you enable the IPSec tunneling protocol specify a name Password Verify and password for the IPSec tunnel group VPN 3000 Series Concentrator Getting Started P24 78 14740 01 Chapter2 _ Installing and Powering Up the VPN Concentrator Beginning Quick Configuration W Using the Console Step 1 Step 2 Step 3 Step 4 You must use the console for the first part of quick configuration setting the system time and date and configuring the private Ethernet interface as described in the following steps Then you can use the HTM
63. ansfer terminates your license You may not rent or lease the Software or otherwise transfer or assign the right to use the Software except as stated in this paragraph 5 You may not export the Software even as part of the Cisco product to any country for which the United States requires any export license or other governmental approval at the time of export without first obtaining the requisite license and or approval Furthermore you may not export the Software even as part of the Cisco product in violation of any export control laws of the United States or any other country 6 You may not modify translate decompile disassemble use for any competitive analysis reverse engineer distribute or create derivative works from the Software or accompanying documentation or any copy thereof in whole or in part 7 The subject license will terminate immediately if you do not comply with any and all of the terms and conditions set forth herein Upon termination for any reason you the licensee must immediately destroy or return to Cisco Systems the Software and accompanying documentation and all copies thereof Cisco Systems is not liable to you for damages in any form solely by reason of termination of this license 8 You may not remove or alter any copyright trade secret patent trademark trade name logo product designation or other proprietary and or other legal notices contained in or on the Software and accompanying documentation
64. ator Hardware You can install the VPN Concentrator in a standard 19 inch equipment rack or just place it on a table or shelf Tools Required e No 1 Phillips screwdriver if you install the rubber feet on the device e No 2 Phillips screwdriver if you rack mount the device Rack Mounting Attach the rack mounting brackets with 10 32 screws in the holes on the front left and right sides Be sure to orient the brackets as shown in Figure 2 1 Figure 2 1 Attaching Rack Mounting Brackets Model 3005 Models 3015 to 3080 VPN 3000 Series Concentrator Getting Started 78 14740 01 EN Chapter 2 Installing and Powering Up the VPN Concentrator HZ Installing the VPN Concentrator Hardware Mount the VPN Concentrator in the rack as shown in Figure 2 2 Use screws or fasteners appropriate for your equipment rack Figure 2 2 Rack Mounting a VPN Concentrator Model 3005 ee000000000 oooo0o0o0o05009000000000000 63798 Models 3015 through 3080 voowvoo0o0000000000 eoo0000 63799 VPN 3000 Series Concentrator Getting Started P26 W 78 14740 01 Chapter2 _ Installing and Powering Up the VPN Concentrator Installing the VPN Concentrator Hardware W Installing Rubber Feet To place the VPN Concentrator on a table or shelf attach the four rubber feet with screws on the bottom of the chassis See Figure 2 3 Figure 2 3 Installing Rubber Fe
65. ay configure additional servers using System Configuration Server Type Internal Server z Selecting M ernal Server will let you add users to the internal user database Back Continue 63729 You can choose how to authenticate users You can select the VPN Concentrator internal server or one of three external server types You must select one server type You can configure additional authentication servers on the Configuration System Servers Authentication screen using regular system configuration Click the drop down menu button and select the Server Type The screen and its configurable fields change depending on the Server Type Choose one of the following e Internal Server The internal VPN Concentrator authentication server This is the default selection e RADIUS An external Remote Authentication Dial In User Service server e NT Domain An external Windows NT Domain server e SDI An external RSA Security Inc SecurID server Before you configure an external server here be sure that the external server you reference is itself properly configured and that you know how to access it IP address or hostname TCP UDP port secret password and so forth The VPN Concentrator functions as the client of these servers Find your selected Server Type in the following sections and follow the configuration instructions there Internal Server Server Type The VPN Concentrator internal authentication server lets you ent
66. ces e Logout Log out of this Manager session and return to the login screen For details on the frames functions and icons in the Manager window see the following section Understanding the VPN Concentrator Manager Window For details on the VPN Concentrator hardware all the functions available in the VPN Concentrator Manager or using the CLI see the VPN 3000 Concentrator Series User Guide VPN 3000 Series Concentrator Getting Started 78 14740 01 ESN Chapter 3 Using the VPN Concentrator Manager for Quick Configuration HZ Understanding the VPN Concentrator Manager Window Understanding the VPN Concentrator Manager Window The VPN Concentrator Manager window on your browser consists of three frames top left and main and it provides helpful messages and tips as you move the mouse pointer over window items The title bar and status bar also provide useful information Figure 3 17 VPN Concentrator Manager Window Title bar gt File Edit View Go Communicator Help Back Reload Home Top frame gt Manager toolbar EA ry VPN 3000 E Contiguration EhAdministration Monitoring Left frame gt Table of contents isco Systems Inc YPN 3000 Concentrator 192 168 10 100 Netscape s a w Search Netscape amp 7 Bookmarks Location http 161 44 246 15 access html 7 E What s Related Concentrator Series Manager cs 2 Security Stop Main H
67. d For instance an IP address of 192 168 12 34 is a Class C address and the standard subnet mask is 255 255 255 0 You can accept this entry or change it To make this interface a public interface check the Public Interface check box A public interface is an interface to a public network such as the Internet You should designate only one VPN Concentrator interface as a public interface The MAC Address is the unique hardware MAC Medium Access Control address for this interface in 6 byte hexadecimal notation The screen shows this address only after you first configure an interface and you cannot change it In the Filter field click the drop down menu button and select the filter that applies to this interface The filter rules govern the handling of data packets through this interface whether to forward or drop according to configured criteria You can customize filters under regular system configuration on the Configuration Policy Management Traffic Management screens Cisco supplies the following default filters with the VPN Concentrator e 1 Private Default Allow all packets except source routed IP packets This is the default filter for the private Ethernet interface e 2 Public Default Allow inbound and outbound tunneling protocols plus ICMP and VRRP Allow fragmented IP packets Drop everything else including source routed packets This is the default filter for the public Ethernet interface e 3 External
68. displays the Invalid Login or Session Timeout screen The Manager session has been idle longer than the configured timeout interval e No activity for interval seconds The Manager resets the inactivity timer only when you click an action button such as Apply Add or Cancel or a link on a screen that is when you invoke a different screen Entering values or setting parameters on a given screen does not reset the timer e Default timeout interval is 600 seconds 10 minutes e Timeout interval set too low for normal use On the Administration Access Rights Access Settings screen change the Session Timeout interval to a larger value and click Apply The Manager displays a screen with the message Error An error has occurred while attempting to perform the operation An additional error message describes the erroneous operation You tried to perform some operation that is not allowed The screen displays a message that describes the cause Click Retry the operation to return to the screen where you were working and correct the mistake Carefully check all your previous entries on that screen The Manager attempts to retain valid entries but invalid entries are lost Click Go to main menu to go to the main Manager screen The Manager displays a screen with the message You are using an old browser or have disabled JavaScript The VPN Concentrator Manager cannot
69. dresses configured we recommend using this method You configure an authentication server on the next screen Check DHCP Dynamic Host Configuration Protocol to enable this method which uses a DHCP server to assign IP addresses If you enable DHCP enter the DHCP server hostname or IP address in the Specify Server field If you configured a DNS server you can enter a hostname in this field otherwise enter an IP address Check Configured Pool to enable this method which uses the VPN Concentrator to assign IP addresses from an internally configured pool If you enable Configured Pool enter the starting and ending IP addresses available in the initial pool in the Range Start and Range End fields Enter these addresses in dotted decimal notation for example 10 10 147 77 Click Continue to proceed 78 14740 01 VPN 3000 Series Concentrator Getting Started Chapter 3 Using the VPN Concentrator Manager for Quick Configuration W Configuring Authentication Configuring Authentication The Manager displays the Configuration Quick Authentication screen This screen appears only when you enable at least one tunneling protocol Figure 3 8 Configuration Quick Authentication Screen Internal Server Specify how to authenticate users under PPTP L2TP or IPSec You can use the internal server or an external authentication server If you select the Jeternal Server you must configure the internal user database You m
70. e the equipment may be limited by FCC regulations and you may be required to correct any interference to radio or television communications at your own expense cfr reference 15 21 For Class A equipment NOTE This equipment has been tested and found to comply with the limits for a Class A digital device pursuant to Part 15 of the FCC Rules These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment This equipment generates uses and can radiate radio frequency energy and if not installed and used in accordance with the instruction manual may cause harmful interference to radio communications Operation of this equipment in a residential area is likely to cause harmful interference in which case the user will be required to correct the interference at his own expense cfr reference 15 105 Canada Class A Warning This Class A digital apparatus complies with Canadian ICES 003 Cet appareil numerique de la classe A e_t conforme 4 la norme NMB 003 de Canada CISPR 22 Class A Warning Warning This is a class A product In a domestic environment this product may cause radio interference in which case the user may be required to take adequate measures Japan VCCI Class A Warning OSES TBS BS Eee RS Eae OY CCl mi TED SSAA RCT OR E SRR CEA ot Be Mee SIS RIOT CEM SYST COS IRSA HRS eS SLSR RSAALLEMEY ET Translatio
71. e Command Line Interface for Quick Configuration HZ Configuring Tunneling Protocols and Options Configuring Tunneling Protocols and Options Step 1 Step 2 Step 3 This section describes how to enable disable and configure virtual private network tunneling protocols and encryption options on the VPN Concentrator You must enable at least one of the following protocols for the device to function as a VPN device The protocol choices are PPTP Point to Point Tunneling Protocol and L2TP Layer 2 Tunneling Protocol with or without Microsoft encryption required and IPSec IP Security protocol PPTP and L2TP are popular with Microsoft Windows based clients and the Cisco VPN Client uses IPSec To enable disable and configure virtual private network tunneling protocols and encryption options on the VPN Concentrator follow these steps The system shows default settings for PPTP and L2TP both enabled both with no encryption required It then prompts you to enable or disable PPTP Configure protocols and encryption options This table shows current protocol settings PPTP L2TP Enabled Enabled No Encryption Req No Encryption Req 1 Enable PPTP 2 Disable PPTP Quick gt 1 At the cursor enter 2 to disable PPTP or press Enter to accept the default 1 which enables PPTP If you enable PPTP the system prompts you to select the encryption option e PPTP Encryption Required PPTP connections
72. e NT Domain login window appears enter your NT username password and domain for example BigCo Step4 Examine the status of your ISP connection You should see a window similar to Figure 5 1 Figure 5 1 Connected to ISP Screen lt Connected to ISP 27 x ao Connected at 49 333 bps OK Duration 000 04 01 Bytes received 18 501 Disconnect Bytes sent 15 575 Modem U S Robotics 56K FAX INT Server type PPP Internet Windows NT Server Windows Protocols TCP IP z 63745 Step5 Examine the status of your VPN connection You should a window similar to Figure 5 2 Figure 5 2 Connected to VPN Screen ao Connected OK Duration 000 02 06 Bytes received 5 888 _Disconnect Bytes sent 7 504 T Device Microsoft VPN Adapter Server type PPP Intemet Windows NT Server Windows Protocols Microsoft encryption r3 Microsoft mutual challenge handshake authentication TCPAIP g 63746 Step6 Use Windows Explorer to open Network Neighborhood You should see and be able to access network nodes folders and files as if you were in the office and using Explorer on your usual system VPN 3000 Series Concentrator Getting Started 78 14740 01 a 53 Chapter5 Testing the VPN Concentrator HZ Testing the VPN Connection VPN 3000 Series Concentrator Getting Started lt a 78 14740 01 APPENDIX A Troubleshooting and System Errors Appendix A describes common errors that can occu
73. e RADIUS server gt RADIUS Server Port Quick gt 0 At the cursor enter the RADIUS port number for example 1645 To have the system supply the default port number 1645 press Enter to accept 0 the default To continue quick configuration skip to the Configuring the IPSec Group section on page 16 or the Changing the Admin Password section on page 4 17 78 14740 01 VPN 3000 Series Concentrator Getting Started Chapter4 Using the Command Line Interface for Quick Configuration W Configuring Authentication Configuring NT Domain Authentication Server Step 1 Step 2 Step 3 To configure an external Windows NT Domain user authentication server follow these steps You selected the external Windows NT Domain authentication server and the system prompts you to enter its IP address gt NT Domain Server Address Quick gt At the cursor enter the NT Domain server IP address in dotted decimal notation for example 192 168 56 78 The system prompts you to enter the NT Primary Domain Controller hostname for this server You must enter this name and it must be the correct hostname for the server whose IP address you entered in Step 1 if it is incorrect authentication will fail gt Primary Domain Controller Quick gt At the cursor enter the NT Primary Domain Controller hostname for this server for example PDCO1 The maximum length is 16 characters The system prompts you
74. ed Chapter 2 Installing and Powering Up the VPN Concentrator HZ Beginning Quick Configuration Beginning Quick Configuration amp You are now ready to begin quick configuration that is accepting default values when possible and configuring minimal parameters to make the VPN 3000 Concentrator operational Note Step 1 Step 2 Step 3 Step 4 Step 5 Step 6 Step 7 Step 8 Step 9 Step 10 Step 11 You can go through the steps of quick configuration only once unless you reboot the system with the Reboot with Factory Default configuration option In that case you can and must go through all the steps again See Administration System Reboot in the VPN 3000 Concentrator Series User Guide Quick configuration consists of the following steps Set the system time date and time zone from the console Configure the VPN Concentrator Ethernet 1 interface to your private network from the console At this point you can use a browser to complete Quick Configuration with the VPN Concentrator Manager see Chapter 3 Using the VPN Concentrator Manager for Quick Configuration While you can continue with the console instead see Chapter 4 Using the Command Line Interface for Quick Configuration we recommend using a browser Configure the other Ethernet interfaces that are connected to a public network or an additional external network Enter system identification information system name date time DNS
75. ed This file contains the crash date and time software version tasks stack registers memory buffers and timers which are helpful to Cisco support engineers In case of a crash we ask that you send this file when you contact Technical Assistance Center TAC for assistance See Administration File Management Files for information on managing files in flash memory 78 14740 01 VPN 3000 Series Concentrator Getting Started Appendix A Troubleshooting and System Errors HZ VPN Concentrator Manager Errors Configuration Files The VPN Concentrator saves the current boot configuration file CONFIG and its predecessor CONFIG BAK as files in flash memory These files may be useful for troubleshooting See Administration File Management Files for information on managing files in flash memory VPN Concentrator Manager Errors Table A 1 lists errors that might occur while using the HTML based VPN Concentrator Manager with a browser Table A 1 VPN Concentrator Manager Errors Symptom Problem Possible Cause Solution Browser Refresh or You clicked the Refresh To protect access Do not use the browser navigation toolbar Reload Button Logs Out the Manager or Reload button on the browser navigation toolbar and the Manager logged out The main login screen appears security clicking Refresh Reload on the browser toolbar automatically logs out the Manager session buttons with the VPN Concentrator Manage
76. eliable earth ground Cooling In the VPN 3005 cooling intake vents are on the front and fans are on the rear of the chassis In the VPN 3015 3080 cooling intake vents are on the left side and fans on the right side of the chassis looking at the front Allow at least 3 inches 75 mm of unobstructed space on all sides If you install the device in an equipment rack be sure there is adequate airflow Access The VPN Concentrator requires access only to the front and back Cables and The VPN Concentrator uses the following cables and connectors Connectors e The VPN Concentrator Ethernet interfaces take standard UTP STP twisted pair network cables Category 5 with RJ 45 8 pin modular connectors Cisco supplies two with the system e The console port takes a standard straight through RS 232 serial cable with a female DB 9 connector which Cisco supplies with the system Console and PC Telnet Browser Requirements The VPN Concentrator requires a console by which you enter initial configuration parameters You can also completely configure and manage the VPN Concentrator via the CLI from the console or a Telnet client However for easiest use we strongly recommend using the VPN Concentrator Manager which is HTML based from a PC and browser The PC must be able to run the recommended browser The console can be the same PC that runs the browser Browser Requirements The VPN Concentrator Manager requires either Microsoft Internet
77. elp Support Logo Logged in adm Configuration Administration Monitori Welcome to the VPN 3000 Concentrator Manager In the left frame or the navigation bar above click the function you want gt Main frame Manager screen Status bar gt Title bar Status bar Configuration to configure all features of this device stration to control administrative functions on this device The bar at the top right has Main to return to this screen Help to get help for the current screen Support to access VPN 3000 Concentrator support and documentation Logout to log out of this session and return to the Manager login screen Under the location bar in the upper right these icons may appear Click to Save save the active configuration and make it the boot configuration Save Needed as above indicating you have changed the active configuration Reset to temporarily reset statistics to zero Restore Y to restore statistics from their reset values Refresh to refresh statistics Cisco Systems 5 Le R Document Done ae 5 SP Es D The title bar at the top of the browser window includes the VPN Concentrator device name or IP address in brackets for example 10 10 4 6 The status bar at the bottom of the browser window displays Manager activity and explanatory messages for some items E VPN 3000 Series Concentrator G
78. ems for any reason please call 508 541 7300 or write to Cisco Systems Inc 124 Grove Street Suite 205 Franklin Massachusetts 02038 18 U S Government Restricted Rights The Software and accompanying documentation are provided with Restricted Rights Use duplication or disclosure by the Government is subject to restrictions set forth in subparagraph c 1 of The Rights in Technical Data and Computer Software clause at DFARS 252 227 7013 or subparagraphs c 1 ii and 2 of Commercial Computer Software Restricted Rights at 48 CFR 52 227 19 as applicable Supplier is Cisco Systems Inc 124 Grove Street Suite 205 Franklin Massachusetts 02038 19 This Agreement constitutes the entire agreement between Cisco Systems and the licensee There are no understandings agreements representations or warranties expressed or implied not specified herein regarding this Agreement or the Software licensed hereunder Only the terms and conditions contained in this Agreement shall govern the transaction contemplated hereunder notwithstanding any additional different or conflicting terms which may be contained in any purchase order or other documents pertaining to the subject transaction Other Licenses The VPN 3000 Concentrator Series contains and uses software from other firms under license Relevant copyright and license notices follow BSD Software Copyright 1990 1993 The Regents of the University of California All rights
79. entries continue on to other quick configuration parameters or exit the CLI We recommend that you save first Model 3005 Menu 1 Modify Ethernet 1 IP Address Private 2 Modify Ethernet 2 IP Address Public 3 Configure Expansion Cards 4 Save changes to Config file 5 Continue 6 Exit Quick gt Model 3015 3080 Menu 1 Modify Ethernet 1 IP Address Private 2 Modify Ethernet 2 IP Address Public 3 Modify Ethernet 3 IP Address External 4 Configure Expansion Cards 5 Save changes to Config file 6 Continue 7 Exit Quick gt _ At the cursor enter the number for Save changes to Config file VPN 3000 Series Concentrator Getting Started Maa E 78 14740 01 Chapter4 Using the Command Line Interface for Quick Configuration Configuring System Information W Configuring System Information Step 1 Step 2 Step 3 Step 4 To configure basic information that identifies your VPN Concentrator on the network follow these steps The system prompts you to assign a system name to the VPN Concentrator Assign a system name to this device gt System Name Quick gt At the cursor enter a name such as VPNO1 This name must uniquely identify this device on your network The system prompts you to specify a local DNS Domain Name System server which lets you enter Internet hostnames for example mail01 rather than IP addresses for servers as you configure and manage the VPN Concentrato
80. ents CHAPTER 4 CHAPTER 5 APPENDIX A APPENDIX B INDEX Configuring the IPSec Group 3 17 Changing Admin Password 3 18 Finishing Quick Configuration 3 19 Saving the Active Configuration 3 20 What Next 3 20 Using Other VPN Concentrator Manager Functions 3 21 Understanding the VPN Concentrator Manager Window _ 3 22 Using the Command Line Interface for Quick Configuration 4 1 Configu iji imi f f Configuri figuri f iguri ing Ethernet Interfaces 4 2 ng System Information 4 5 ing Tunneling Protocols and Options 4 6 ng Address Assignment 4 8 ng Authentication 4 10 ng the IPSec Group 4 16 Changing the Admin Password 4 17 Completi ng Quick Configuration 4 18 Saving the Active Configuration 4 18 Exiting the CLI 4 18 What Next 4 19 Testing the VPN Concentrator 5 1 VPN Concentrator Configuration Settings 5 1 Windows 95 PC Client Configuration 5 2 Testing the VPN Connection 5 3 Troubleshooting and System Errors A 1 Files for Troubleshooting A 1 VPN Concentrator Manager Errors A 2 Command line Interface Errors A 5 LED Indicators A 6 Copyrights Licenses and Notices B 1 Index VPN 3000 Series Concentrator Getting Started 78 14740 01 Audience Preface VPN 3000 Series Concentrator Getting Started provides information to take you from unpacking and installing the VPN 3000 Concentrator through quick configuration configuring
81. er a maximum of 100 groups and users combined in its database which is adequate for a small user base For larger numbers of users we recommend using a RADIUS authentication server See the Configuration User Management screens under regular System Configuration The internal server has no configurable parameters Click Continue to proceed Skip to the section Configuring Internal Server User Database page 3 16 VPN 3000 Series Concentrator Getting Started Ea 78 14740 01 _ Chapter 3 Using the VPN Concentrator Manager for Quick Configuration Configuring Authentication W RADIUS Server Type Step 1 Step 2 Step 3 Step 4 Step 5 Step 6 Step 7 External RADIUS servers can return group and user authentication parameters that match those on the VPN Concentrator other authentication servers do not The VPN 3000 software CD ROM includes a trial copy of the CiscoSecure ACS RADIUS authentication server and instructions for using it with the VPN Concentrator Figure 3 9 Configuration Quick Authentication Screen RADIUS Server Specify how to authenticate users under PPTP L2TP or IPSec You can use the internal server or an external authentication server If you select the Jzterzal Server you must configure the internal user database You may configure additional servers using System Configuration Server Type RADIUS z Selecting ternal Server will let you add users to the internal user database Authent
82. er the year For example enter June 12 2000 as 06 12 2001 78 14740 01 VPN 3000 Series Concentrator Getting Started Chapter 2 Installing and Powering Up the VPN Concentrator HZ Beginning Quick Configuration Step 5 Step 6 Step 7 Step 8 The system prompts you to set the time zone The time zone selections are offsets in hours relative to GMT Greenwich Mean Time which is the basis for Internet time synchronization The number in brackets is the current time zone offset Set the time zone on your device Enter the time zone using the hour offset from GMT gt Time Zone Quick gt 0 At the cursor enter the time zone offset in the format NN For example enter 5 for U S Eastern Standard Time The system prompts you with a menu to enable DST Daylight Saving Time support During DST clocks are set one hour ahead of standard time Enabling DST support means that the VPN Concentrator automatically adjusts the time zone for DST or standard time If your system is in a time zone that uses DST you must enable DST support 1 Enable Daylight Savings Time Support 2 Disable Daylight Savings Time Support Quick gt 2 At the cursor enter 2 to disable DST support or enter 1 to enable DST support The system prompts you to enter an IP address for Ethernet 1 which is the VPN Concentrator interface to your private network internal LAN Be sure no other device is using this address on
83. er user address assignment e Move to the IP Address field and enter the user IP address in dotted decimal notation for example 10 10 1 35 This is the IP address assigned to this user as a client This field is not present if you selected other address assignment methods e Move to the Subnet Mask field and enter the user subnet mask in dotted decimal notation for example 255 255 0 0 This is the subnet mask assigned to this user as a client This field is not present if you selected other address assignment methods E VPN 3000 Series Concentrator Getting Started 78 14740 01 _ Chapter 3 Using the VPN Concentrator Manager for Quick Configuration Step 2 Step 3 Step 4 Step 5 Configuring the IPSec Group W Click lt lt Add Repeat Steps 1 and 2 for each user The screen refreshes each time you add a user To remove a user select the user in the Current Users list and click Remove gt gt The screen refreshes each time you remove a user There is no confirmation or undo to reinstate a user enter the data in Step 1 When you have finished entering users click Continue to proceed If you selected the IPSec tunneling protocol proceed to the section Configuring the IPSec Group below Otherwise skip to the section Changing Admin Password page 3 18 Configuring the IPSec Group Step 1 Step 2 Step 3 Step 4 The Manager displays the Configuration Quick IPSec Group screen This screen appea
84. es If the equipment causes interference to radio or television reception try to correct the interference by using one or more of the following measures Turn the television or radio antenna until the interference stops e Move the equipment to one side or the other of the television or radio e Move the equipment farther away from the television or radio e Plug the equipment into an outlet that is on a different circuit from the television or radio That is make certain the equipment and the television or radio are on circuits controlled by different circuit breakers or fuses Modifications to this product not authorized by Cisco Systems Inc could void the FCC approval and negate your authority to operate the product The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California Berkeley UCB as part of UCB s public domain version of the UNIX operating system All rights reserved Copyright 1981 Regents of the University of California NOTWITHSTANDING ANY OTHER WARRANTY HEREIN ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED AS IS WITH ALL FAULTS CISCO AND THE ABOVE NAMED SUPPLIERS DISCLAIM ALL WARRANTIES EXPRESSED OR IMPLIED INCLUDING WITHOUT LIMITATION THOSE OF MERCHANTABILITY FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING USAGE OR TRADE PRACTICE IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE F
85. ess operations No workaround is available e Priority level 1 P1 Your production network is down and a critical impact to business operations will occur if service is not restored quickly No workaround is available The Cisco TAC resource that you choose is based on the priority of the problem and the conditions of service contracts when applicable 78 14740 01 VPN 3000 Series Concentrator Getting Started Preface HZ Obtaining Technical Assistance Cisco TAC Web Site You can use the Cisco TAC Web Site to resolve P3 and P4 issues yourself saving both cost and time The site provides around the clock access to online tools knowledge bases and software To access the Cisco TAC Web Site go to this URL http www cisco com tac All customers partners and resellers who have a valid Cisco service contract have complete access to the technical support resources on the Cisco TAC Web Site The Cisco TAC Web Site requires a Cisco com login ID and password If you have a valid service contract but do not have a login ID or password go to this URL to register http www cisco com register If you are a Cisco com registered user and you cannot resolve your technical issues by using the Cisco TAC Web Site you can open a case online by using the TAC Case Open tool at this URL http www cisco com tac caseopen If you have Internet access we recommend that you open P3 and P4 cases through the Cisco TAC Web Site
86. et Model 3005 VPN 3000 Series Concentrator Getting Started 78 14740 01 EN Chapter 2 Installing and Powering Up the VPN Concentrator HZ Connecting Hardware Connecting Hardware A Warning Be sure the console PC is turned off before you connect cables to it Do not connect power cables to the VPN Concentrator until instructed Connecting the Console PC Connect the RS 232 straight through serial cable between the Console port on the back of the VPN Concentrator and the COM 1 or serial port on the console PC See Figure 2 4 If you are using a PC with a browser to manage the VPN Concentrator be sure the PC is connected to the same private LAN as the VPN Concentrator Figure 2 4 Connecting the Console and Network Cables Model 3005 VPN 3000 Series Concentrator Getting Started 78 14740 01 Chapter 2 Installing and Powering Up the VPN Concentrator Connecting Hardware W Model 3015 through 3080 63802 Connecting Network Cables Connect network patch cables between the Ethernet interface jacks on the back of the VPN Concentrator and your network patch panel or device See Figure 2 4 The interfaces are left to right Private Ethernet 1 VPN Concentrator interface to your private network internal LAN Public Ethernet 2 VPN Concentrator interface to the public network External Ethernet 3 VPN Concentrator interface to an additional LAN present only on models 3015 3080 To
87. eters on a Manager screen What Next Now that the VPN Concentrator is operational you can proceed to the following functions e Test its operation by following the procedures under Chapter 5 Testing the VPN Concentrator e Explore the Manager window and other VPN Concentrator functions See the section Using Other VPN Concentrator Manager Functions e Read a more detailed and complete system configuration See the VPN 3000 Series Concentrator Reference Volumen I Configuration for assistance VPN 3000 Series Concentrator Getting Started P320 i 78 14740 01 Chapter3 Using the VPN Concentrator Manager for Quick Configuration Using Other VPN Concentrator Manager Functions Mi Using Other VPN Concentrator Manager Functions To use other VPN Concentrator Manager functions listed below click the topic in the left frame of the Manager window or on the Manager toolbar in the top frame of the Manager window e Configuration Configure all the features of the VPN Concentrator e Administration Control administrative functions of this device e Monitoring View status statistics and event logs on this device e Save Save Needed Save the active configuration and make it the boot configuration e Main Return to the main Manager screen e Help Open another browser window and view online help for the current Manager screen e Support Open a Manager screen with links to Cisco support and documentation resour
88. ets unencapsulate them and send them to their final destination The VPN Concentrator performs the following functions e Establishes tunnels e Negotiates tunnel parameters e Authenticates users e Assigns user addresses e Encrypts and decrypts data e Manages security keys e Manages data transfer across the tunnel e Manages data transfer inbound and outbound as a tunnel endpoint or router The VPN Concentrator invokes various standard protocols to accomplish these functions VPN 3000 Series Concentrator Getting Started 78 14740 01 si Chapter1 Understanding the VPN 3000 Concentrator HE Where the VPN Concentrator Fits in Your Network Where the VPN Concentrator Fits in Your Network Enterprise network configurations vary widely but the VPN Concentrator is flexible and functional enough to satisfy most applications Figure 1 2 shows a typical installation with the VPN Concentrator configured in parallel with a firewall and supporting both low speed and high speed remote users In some cases the VPN Concentrator may be deployed behind the firewall such a configuration is firewall vendor dependent and might require additional firewall configuration LAN to LAN or branch office applications are also supported by placing a second VPN Concentrator or other IPSec protocol compliant secure gateway at the remote office Figure 1 2 A Typical VPN Concentrator Network Installation High Speed Remote User VPN Access via C
89. etting Started 78 14740 01 _ Chapter 3 Using the VPN Concentrator Manager for Quick Configuration Mouse pointer and tips Top frame Manager toolbar Logged in username Administration Understanding the VPN Concentrator Manager Window W As you move the mouse pointer over an active area the pointer changes shape and icons change color A description also appears in the status bar area If you momentarily rest the pointer on an icon a descriptive tip appears for that icon The Manager toolbar in the top frame provides quick access to Manager features These include the following icons Click on the Main tab to go to the main Manager screen and to close all subordinate sections and titles in the left frame Click on the Help tab to open context sensitive online help Help opens in a separate browser window that yo can move or resize as you want Close the help window when you are finished Click on the Support tab to open a Manager screen with links to Cisco support and documentation resources Click on the Logout tab to log out of the Manager and return to the login screen The administrator username you used to log in to this Manager session Click on the Configuration tab to go to the main Configuration screen to open the first level of subordinate Configuration pages in the left frame if they are not already open and to close any open Administration or Monitoring pages in the left frame Click on the
90. fts on IP Security Protocol IPSec e www whatis com a web reference site with definitions for computer networking and data communication terms 78 14740 01 VPN 3000 Series Concentrator Getting Started Preface HZ Conventions Conventions This document uses the following conventions Convention Description boldface font Commands and keywords are in boldface italic font Arguments for which you supply values are in italics Terminal sessions and information the system displays are in screen font screen font Information you must enter is in boldface screen font boldface screen font A The symbol represents the key labeled Control for example the key combination D in a screen display means hold down the Control key while you press the D key Notes use the following conventions Note Means reader take note Notes contain helpful suggestions or references to material not covered in the publication Tips use the following conventions Means the following are useful tips Cautions use the following conventions Caution A Means reader be careful Cautions alert you to actions or conditions that could result in equipment damage or loss of data Warnings use the following conventions Warning This warning symbol means danger You are in a situation that could cause bodily injury Before you work on any equipment you must be aware of
91. functions 3 21 Ww welcome screen 3 3 where the VPN Concentrator fits in your network 1 8 window Manager understanding 3 22 Y You are using an old browser or have disabled JavaScript error A 3 78 14740 01 VPN 3000 Series Concentrator Getting Started W index VPN 3000 Series Concentrator Getting Started PIN 10 I 78 14740 01
92. g Certificate Authorities Entrust e VeriSign e Microsoft Windows 2000 e RSA Keon e Netscape e Baltimore Security Management e Group and user profiles e Data traffic management by means of Filters and rules IPSec Security Associations NAT Network Address Translation many to one also called PAT Port Address Translation Network lists Routing Protocols e IP e RIP vl RIP v2 e OSPF e Static routes e Private network autodiscovery for LAN to LAN connections e Reverse Route Injection RRI allows client LAN to LAN and network extension networks to be announced via RIPv2 OSPF VPN 3000 Series Concentrator Getting Started 78 14740 01 g is Chapter1 Understanding the VPN 3000 Concentrator HI Software Features VPN Feature Description Clustering e Load Balancing e System redundancy via VRRP System Administration Session monitoring and management e Software image update e File upload e System reset and reboot e Ping e Configurable system administrator profiles e File management including SCP and TFTP transfer e Digital certificate enrollment and management e Session limit setting Monitoring e Event logging and notification via system console syslog SNMP traps and email e FTP backup of event logs e SNMP MIB II support e System status e Session data e Extensive statistics Client Software e Cisco VPN Client IPSec Compatibi
93. he names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT INDIRECT INCIDENTAL SPECIAL EXEMPLARY OR CONSEQUENTIAL DAMAGES INCLUDING BUT NOT LIMITED TO PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES LOSS OF USE DATA OR PROFITS OR BUSINESS INTERRUPTION HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY WHETHER IN CONTRACT STRICT LIABILITY OR TORT INCLUDING NEGLIGENCE OR OTHERWISE ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE Portions Copyright 1993 by Digital Equipment Corporation Permission to use copy modify and distribute this software for any purpose with or without fee is hereby granted provided that the above copyright notice and this permission notice appear in all copies and that the name of Digital Equipment Corporation not be used in advertising or publicity pertaining to distribution of the document or software without specific written prior permission THE SOFTWARE IS PROVIDED AS IS AND DIGITAL EQUIPMENT CORP DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING AL
94. hernet interface 3 7 management interfaces features 1 4 Microsoft Dial Up Networking 5 2 Microsoft VPN Adapter 5 2 78 14740 01 VPN 3000 Series Concentrator Getting Started W index mistakes detecting and correcting 3 3 Model 3005 features 1 3 Model 3015 features 1 3 Model 3030 features 1 3 Model 3060 features 1 3 Model 3080 features 1 3 modifying an Ethernet interface configuration 3 6 monitoring features 1 6 monitor settings 2 4 mounting in rack 2 5 moving from field to field 3 3 MTU field 3 7 Netscape Navigator requirements 2 2 network addressing support features 1 5 network cables connecting 2 9 No such interface supported error A 4 Not Allowed error A 4 Not Allowed error A 4 Not Found error A 4 notices regulatory agency B 10 NT Domain selection 3 14 NT Domain authentication server configuring 3 14 4 14 NT Domain Server Address CLI 4 14 NT Domain Server Port CLI 4 14 NT Primary Domain Controller CLI 4 14 O old browser error A 3 operation basic 1 7 organization of manual v OSPF 3 9 Out of Range value error A 5 P parameters needed for quick configuration 2 13 password admin changing 4 17 default login 2 15 user database CLI 4 11 Password field admin 3 18 IPSec Group 3 17 user database 3 16 Passwords do not match error A 5 per user address assignment 3 16 4 8 Per User check box 3 11 physical site access to device 2 2 cables and connectors 2
95. i fn Inc Includes one or more U S Patent numbers 4701745 5016009 5126739 5146221 5414425 5463390 and 5506580 Other Patents Pending Copyright 1996 1998 by Hi fn Inc Includes one or more U S Patent numbers 4701745 5016009 5126739 5146221 5414425 and 5463390 Other Patents Pending Outline Style Table of Contents in JavaScript OUTLINE STYLE TABLE OF CONTENTS in JAVASCRIPT Version 3 0 by Danny Goodman dannyg dannyg com Analyzed and described at length in JavaScript Bible by Danny Goodman IDG Books ISBN 0 7645 3022 4 This program is Copyright 1996 1997 1998 by Danny Goodman You may adapt this outline for your Web pages provided these opening credit lines down to the lower dividing line are in your outline HTML document You may not reprint or redistribute this code without permission from the author 78 14740 01 VPN 3000 Series Concentrator Getting Started AppendixB Copyrights Licenses and Notices HZ Other Licenses RSA Software Copyright 1995 1998 RSA Data Security Inc All rights reserved This work contains pESA proprietary information of RSA Data Security Inc Distribution is limited to authorized nra licensees of RSA Data Security Inc Any unauthorized reproduction or distribution of this Cus document is strictly prohibited BSAFE is a trademark of RSA Data Security Inc SecurelD SecureID is a product of RSA Security Inc Bedford MA formerly Security Dyna
96. iant secure gateway L2TP over IPSec for native Windows 2000 and Windows XP client compatibility PPTP Point to Point Tunneling Protocol with encryption L2TP Layer 2 Tunneling Protocol Encryption Algorithms 56 bit DES Data Encryption Standard 168 bit Triple DES Microsoft Encryption MPPE 40 and 128 bit RC4 128 192 and 256 bit AES Authentication Algorithms MDS Message Digest 5 SHA 1 Secure Hash Algorithm HMAC Hashed Message Authentication Coding with MD5 HMAC with SHA 1 Key Management IKE Internet Key Exchange formerly called ISAKMP Oakley with Diffie Hellman key technique Diffie Hellman Group 1 Group 2 Group 5 and Group 7 ECC Perfect Forward Secrecy PFS VPN 3000 Series Concentrator Getting Started 78 14740 01 Chapter1 Understanding the VPN 3000 Concentrator Software Features W VPN Feature Description Network Addressing e DNS Domain Name System Support e Client address assignment DHCP Dynamic Host Configuration Protocol including DDNS host name population Internally configured client IP address pools RADIUS Authentication and e Internal authentication server CCP UNEE SORT NEES e Support for external authentication servers RADIUS RADIUS with Password Expiration MSCHAPv2 NT Domain RSA Security SecurID TACACS administrator only e Authentication server testing e X 509 Digital Certificates e RADIUS accountin
97. ication Server Enter IP address or hostname Server Port bo Enter 0 for default port 1645 Timeout fa Enter the timeout for this server seconds Retries eR Enter the number of retries for this server Server Secret LoS E Enter RADIUS server secret Verify LoM Re enter the secret Back Continue 63731 We suggest you accept the default values To configure these parameters for a RADIUS Remote Authentication Dial In User Service authentication server follow these steps In the Authentication Server field enter the hostname or IP address of the external RADIUS server Maximum 32 characters If you configured a DNS server you can enter a hostname in this field otherwise enter an IP address In the Server Port field enter the UDP port number by which you access the server Enter 0 to have the system supply the default port number 1645 In the Timeout field enter the time in seconds to wait after sending a query to the server and receiving no response before trying again Minimum is 1 second default is 4 seconds maximum is 30 seconds In the Retries field enter the number of times to retry sending a query to the server after the timeout period If there is still no response after this number of retries the VPN Concentrator declares this server inoperative Minimum is 0 default is 2 maximum is 10 retries In the Server Secret field enter the RADIUS server secret also called the shared secret for example C8z077f
98. icitly routed In other words if the VPN Concentrator has no IP routing parameters such as RIP OSPF or static routes that specify where to send packets it will send them to this gateway When you first start the VPN Concentrator it has no IP routing configuration parameters This address must not be the same as the IP address configured on any VPN Concentrator interface To specify no default gateway leave the field at 0 0 0 0 which means the VPN Concentrator drops unrouted packets You can configure IP routing with regular system configuration For RIP and interface specific OSPF see the Configuration Interfaces screens For global OSPF and static routes see the Configuration System IP Routing screens See the VPN 3000 Series Concentrator Reference Volume I Configuration for more information Click Continue to proceed 78 14740 01 VPN 3000 Series Concentrator Getting Started Chapter 3 Using the VPN Concentrator Manager for Quick Configuration WE Configuring Tunneling Protocols and Options Configuring Tunneling Protocols and Options The Manager displays the Configuration Quick Protocols screen Figure 3 6 Configuration Quick Protocols Screen Select the tunneling protocols and encryption options that you want to enable C Require Encryption Clients without encryption will not gain access Requires MSCHAP PPTP Don t Require Encryption Clients may optionally use encryption
99. ick Done Screen Configuration Quick Done Save Needed You have finished Quick Configuration and your entries constitute the active configuration The VPN 3000 Concentrator contains enough information to establish single user VPN tunnels through the public Internet and allow remote clients to communicate securely with a corporate server We strongly recommend that you save the active configuration now Click the Save Needed icon above In the left frame or the navigation bar above click the function you want Configuration to configure all features of this device Administration to control administrative functions on this device Monitoring to view status statistics and logs on this device The bar at the top right has Main to return to this screen Help to get help for the current screen Support to access VPN 3000 Concentrator support and documentation Logout to log out of this session and return to the Manager login screen Under the location bar in the upper right these icons may appear Click to Save save the active configuration and make it the boot configuration Save Needed E as above indicating you have changed the active configuration Refresh to refresh statistics 68315 You have finished quick configuration and your entries constitute the active or running configuration The VPN Concentrator now has enough information and it is operational
100. inally the steps in the test Note These instructions in its labs describe a typical installation Please consult your ISP and your network system administrator for specific settings and instructions VPN Concentrator Configuration Settings Configure the VPN Concentrator with the following settings e Ethernet 2 Public interface with appropriate IP address for example 192 168 12 34 and default public filter e Appropriate DNS server domain name and default gateway e PPTP tunneling protocol with encryption required MSCHAP e Address assignment from an appropriate configured pool of IP addresses e User authentication from the internal server e Client username for example simonz and password for example 9se7pt14 added to the internal server user database VPN 3000 Series Concentrator Getting Started 78 14740 01 EN Chapter5 Testing the VPN Concentrator HE Windows 95 PC Client Configuration Windows 95 PC Client Configuration Configure the remote Windows 95 PC and modem with the following settings e Install and set up Microsoft Dial Up Networking DUN 1 3 according to Microsoft instructions DUN 1 3 is available as a free download from the Microsoft website www microsoft com Windows 98 Dial Up Networking includes the DUN 1 3 functions an update is not necessary e Configure Dial Up Networking according to Microsoft instructions Set up a connection to the Internet through your ISP Be
101. interface is also set to automatically negotiate the speed Otherwise select the appropriate fixed speed 1 Ethernet Speed 10 Mbps 2 Ethernet Speed 100 Mbps 3 Ethernet Speed 10 100 Mbps Auto Detect Quick gt 3 At the cursor enter the menu number for your selection for example 1 To accept the default 3 press Enter The system prompts with a menu to set the transmission mode for the Ethernet 2 interface You can let the VPN Concentrator automatically detect and set the appropriate mode the default or you can configure the interface for full duplex transmission in both directions at the same time or half duplex transmission in only one direction at a time If you accept the default be sure that the port on the active network device hub switch or router to which you connect this interface is also set to automatically negotiate the transmission mode Otherwise select the appropriate fixed mode 1 Enter Duplex Half Full Auto 2 Enter Duplex Full Duplex 3 Enter Duplex Half Duplex Quick gt 1 At the cursor enter the menu number for your selection for example 2 To accept the default 1 press Enter 78 14740 01 VPN 3000 Series Concentrator Getting Started E Chapter4 Using the Command Line Interface for Quick Configuration HZ Configuring Ethernet Interfaces Step6 The system prompts with a menu giving choices for proceeding You can configure other interfaces save your current
102. let the VPN Concentrator automatically detect and set the appropriate speed the default or you can set fixed speeds of 10 or 100 Mbps for 1OBASE T or 1OOBASE T networks If you accept the default be sure that the port on the active network device hub switch or router to which you connect this interface is also set to automatically negotiate the speed Otherwise select the appropriate fixed speed 1 Ethernet Speed 10 Mbps 2 Ethernet Speed 100 Mbps 3 Ethernet Speed 10 100 Mbps Auto Detect Quick gt 3 At the cursor enter the menu number for your selection for example 1 To accept the default 3 press Enter The system prompts you with a menu to set the transmission mode for the Ethernet 1 interface You can let the VPN Concentrator automatically detect and set the appropriate mode the default or you can configure the interface for full duplex transmission in both directions at the same time or half duplex transmission in only one direction at a time If you accept the default be sure that the port on the active network device hub switch or router to which you connect this interface is also set to automatically negotiate the transmission mode Otherwise select the appropriate fixed mode 1 Enter Duplex Half Full Auto 2 Enter Duplex Full Duplex 3 Enter Duplex Half Duplex Quick gt 1 _ At the cursor enter the menu number for your selection for example 2 To accept the default 1 press Enter
103. lity Windows 95 OSR 2 or greater Windows 98 and Windows ME Windows NT 4 0 Windows 2000 and Windows XP Linux Intel v2 2 v2 4 kernels Solaris ULTRASparc 32 bit MAC OS X command line interfaces only e Microsoft VPN Clients Windows 95 Windows 98 and Windows ME PPTP Windows NT 4 0 PPTP Windows 2000 and Windows XP PPTP L2TP over IPSec e Certicom movianVPN Client ECC handheld Other Features e Software data compression e Split tunneling e Bandwidth management VPN 3000 Series Concentrator Getting Started Pts W 78 14740 01 Chapter1 Understanding the VPN 3000 Concentrator How the VPN Concentrator Works Wi How the VPN Concentrator Works The VPN Concentrator creates a virtual private network by creating a secure connection across a TCP IP network such as the Internet that users see as a private connection It can create single user to LAN connections and LAN to LAN connections The secure connection is called a tunnel and the VPN Concentrator uses tunneling protocols to negotiate security parameters create and manage tunnels encapsulate packets transmit or receive them through the tunnel and unencapsulate them The VPN Concentrator functions as a bidirectional tunnel endpoint it can receive plain packets encapsulate them and send them to the other end of the tunnel where they are unencapsulated and sent to their final destination It can also receive encapsulated pack
104. ly and are included in the active or running configuration However if you reboot the VPN Concentrator without saving the active configuration and configuration changes are lost Clicking on this reminder saves the active configuration as the boot configuration and restores the Save reminder Click on the Refresh icon to refresh update the screen contents on screens where it appears mostly in the Monitoring section The date and time above this reminder indicate when the screen was last updated Click on the Reset icon to reset or start anew the screen contents on screens where it appears mostly in the Monitoring section Click on the Restore icon to restore the screen contents to their status prior to when you last clicked the Reset icon Click on the Cisco Systems logo to open a browser and go to the Cisco com web site www cisco com On Manager screens the left frame provides a table of contents The table of contents uses the familiar Windows Explorer metaphor of collapsed and expanded entries Click on a title to open subordinate sections and titles and to go to that Manager screen in the main frame Click on the closed collapsed icon to open subordinate sections and titles Clicking on this icon does not change the screen in the main frame Click on the open expanded icon to close subordinate sections and titles Clicking on this icon does not change the screen in the main frame The main frame displays the curren
105. make the VPN Concentrator operational you must connect at least two interfaces usually Ethernet 1 and Ethernet 2 78 14740 01 VPN 3000 Series Concentrator Getting Started Chapter 2 Installing and Powering Up the VPN Concentrator HZ Connecting Hardware Connecting Power Cable s A Warning Be sure the VPN Concentrator power switch is OFF 0 depressed before you connect a power cable The power switch is on the power module on the back of the VPN Concentrator Connect the power cable s between the VPN Concentrator and an appropriate power outlet Be sure the power outlet provides a reliable earth ground See Figure 2 5 Figure 2 5 Connecting Power Cable s Model 3005 Model 3015 through 3080 VPN 3000 Series Concentrator Getting Started P2410 i 78 14740 01 Chapter 2 Installing and Powering Up the VPN Concentrator Powering Up W Powering Up Step 1 Step 2 Step 3 Step 4 Step 5 Power up the devices in this sequence Power up the console PC Start a terminal emulator e g HyperTerminal on the console PC Configure a connection to COM1 with port settings of e 9600 bits per second e 8 data bits e No parity e 1 stop bit e Hardware flow control Set the emulator for VT100 emulation or let it auto detect the emulation type Power up the VPN Concentrator by pressing ON I on the power switch on the back The LED s on the front panel will blink and change colo
106. mics Technologies Inc Use of SDTI s Trade Name and Trademarks a Any advertising or promotional literature or announcement to the press by the Partner regarding its relationship with SDTI or otherwise utilizing SDTI s name or trademarks must be approved by SDTI in writing in advance which approval will not be unreasonably withheld or delayed b The Partner shall include and shall not alter obscure or remove any SDTI name or any other trademark or trade name used by SDTI or any markings colors or other insignia which are contained on or in or fixed to the Software collectively Proprietary Marks Partner agrees to include SDTI s copyright notice in its help screen as it pertains to the SDTI Translation Server SNMP Copyright 1998 by Carnegie Mellon University All Rights Reserved Permission to use copy modify and distribute this software and its documentation for any purpose and without fee is hereby granted provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation and that the name of CMU not be used in advertising or publicity pertaining to distribution of the software without specific written prior permission CMU DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS IN NO EVENT SHALL CMU BE LIABLE FOR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES OR A
107. mmand Line Interface for Quick Configuration Changing the Admin Password W Changing the Admin Password Step 1 Step 2 You can change the password for the admin administrator user For ease of use during startup the default admin password supplied with the VPN Concentrator is also admin Since the admin user has full access to all management and administration functions on the device we strongly recommend you change this password to improve device security You can further configure all administrators with the regular Administration menus The system prompts you to change the admin password We strongly recommend that you change the password gt Reset Admin Password Quick gt At the cursor enter a new password for admin Remember that entries are case sensitive For maximum security the password should be at least 8 characters long a mixture of upper and lower case alphabetic and numeric characters and not easily guessed for example W8j9Haq3 The system displays only asterisks To keep the default press Enter The system prompts you to re enter the password to verify it Verify gt _ At the cursor reenter the new password The system displays only asterisks To keep the default press Enter 78 14740 01 VPN 3000 Series Concentrator Getting Started Chapter4 Using the Command Line Interface for Quick Configuration HZ Completing Quick Configuration Completing Quick Configu
108. n This is a Class A product based on the standard of the Voluntary Control Council for Interference by Information Technology Equipment VCCI If this equipment is used in a domestic environment radio disturbance may arise When such trouble occurs the user may be required to take corrective actions Taiwan BSMI Class A Warning BERS DSPRanem FERRER CRESS Ra EBERT SHSLRERARRESSHAR o VPN 3000 Series Concentrator Getting Started 78 14740 01 HEE AppendixB Copyrights Licenses and Notices HZ Regulatory Standards Compliance Hungarian Class A Warning Figyelmeztet s a felhaszn l i k zik nyv sz m ra Ez a berendez s A oszt ly term k felhaszn l s ra s zembe helyez s re a magyar EMC A oszt ly k vetelm nyeknek MSZ EN 55022 megfeleloen ker lhet sor illetve ezen A oszt ly berendez sek csak megfelelo kereskedelmi forr sb l sz rmazhatnak amelyek biztos tj k a megfelelo speci lis zembe helyez si k r lm nyeket s biztons gos zemel si t vols gok alkalmaz s t Translation This equipment is a class A product and should be used and installed properly according to the Hungarian EMC Class A requirements MSZEN55022 the Class A equipment are derived for typical commercial establishments for which special conditions of installation and protection distance are used VPN 3000 Series Concentrator Getting Started 78 14740 01 Numerics 100 LED Ethernet A 7
109. n networking solutions services programs and resources at any time from anywhere in the world Cisco com is a highly integrated Internet application and a powerful easy to use tool that provides a broad range of features and services to help you with these tasks e Streamline business processes and improve productivity e Resolve technical issues with online support e Download and test software packages e Order Cisco learning materials and merchandise e Register for online skill assessment training and certification programs If you want to obtain customized information and service you can self register on Cisco com To access Cisco com go to this URL http www cisco com Technical Assistance Center The Cisco Technical Assistance Center TAC is available to all customers who need technical assistance with a Cisco product technology or solution Two levels of support are available the Cisco TAC Web Site and the Cisco TAC Escalation Center Cisco TAC inquiries are categorized according to the urgency of the issue e Priority level 4 P4 You need information or assistance concerning Cisco product capabilities product installation or basic product configuration e Priority level 3 P3 Your network performance is degraded Network functionality is noticeably impaired but most business operations continue e Priority level 2 P2 Your production network is severely degraded affecting significant aspects of busin
110. nd Notices HZ Regulatory Standards Compliance Telnet Server Copyright phase2 networks 1996 All rights reserved SID 1 1 Revision History 1 197 06 23 21 17 43 root Regulatory Standards Compliance Standards Compliance The VPN 3000 Concentrator complies with the following regulatory standards Specification Description Regulatory compliance Products bear CE Marking indicating compliance with 99 5 EEC directives which includes the following safety and EMC standards Safety UL 60950 CAN CSA C22 2 No 60950 EN 60950 IEC 60950 TS 001 AS NZS 3260 EMC FCC Part 15 CFR 47 Class A ICES 003 Class A EN55022 Class A CISPR22 Class A AS NZS 3548 Class A VCCI Class A EN55024 ETS300 386 2 EN50082 1 EN61000 3 2 EN61000 3 3 Telecom E1 CTR 12 13 ACA TS016 Telecom T1 US FCC Part 68 Canadian CS03 JATE Green Book VPN 3000 Series Concentrator Getting Started u 78 14740 01 _ Appendix B Copyrights Licenses and Notices Regulatory Standards Compliance W FCC Part 68 Notice The equipment complies with Part 68 of the FCC rules On the tray of this equipment is a label that contains among other information the FCC registration number If requested this information must be provided to the telephone company This equipment cannot be used on telephone company provided coin services Connection to the Party Line Service is subject to state tariffs If this equipment
111. nfiguration WE Configuring IP Interfaces Configuring IP Interfaces The Manager displays the Configuration Quick IP Interfaces screen appropriate to the model you are configuring Figure 3 3 Configuration Quick IP Interfaces Screen Model 3005 Configure VPN 3000 Concentrator interfaces e Ethernet 2 Public the interface to the public network e Ethernet 1 Private the interface to your private network internal LAN If you modify the interface that you are currently using to connect to this device you will break the connection and you will have to restart from the login screen Save Interface Status IP Address Subnet Mask Ethernet 1 Private UP 10 10 99 20 255 255 0 0 Ethernet 2 Public Not Configured 0 0 0 0 0 0 0 0 Back Continue 2 5 Models 3015 through 3080 Save Configure VPN 3000 Concentrator interfaces Ethernet 2 Public the interface to the public network Ethernet 3 External the interface to an additional LAN you will have to restart from the login screen Back Continue Ethernet 1 Private the interface to your private network internal LAN If you modify the interface that you are currently using to connect to this device you will break the connection and Interface Status IP Address Subnet Mask Ethernet 1 Private UP 10 10 99 50 255 255 0 0 Ethernet 2 Public Not Configured 0 0 0 0 0 0 0 0 Ethernet 3 External Not Configured 0 0
112. ntact the appropriate electric inspection authority or electrician as appropriate Table B 1 CS03 Approval Model Number Approval Number CVPN3005 T1 2461 10854 A CVPN3000 2T1 2461 10854 A JATE The equipment meets the requirements of the Japan Approvals Institute for Telecommunications Equipment JATE Refer to Table B 2 for JATE approval details Table B 2 JATE Approval Applicant Name Model Number Approval Number Nihon Cisco Systems CVPN3000 2T1 D00 0687 JP Nihon Cisco Systems CVPN3005 T1 D00 0687 JP EMC Environmental Conditions for Product to be Installed in the European Union This equipment is intended to operate under the following environmental conditions with respect to EMC e A separate defined location under user s control Earthing and bonding shall meet the requirements of ETS 300 253 or CCITT K27 Where applicable AC power distribution shall be one of the following types TN S and TN C as defined in IEC 364 3 In addition if equipment is operated in a domestic environment interference might occur VPN 3000 Series Concentrator Getting Started 78 14740 01 AppendixB Copyrights Licenses and Notices Regulatory Standards Compliance W FCC Class A Warning Modifying the equipment without Cisco s authorization may result in the equipment no longer complying with FCC requirements for Class A or Class B digital devices In that event your right to us
113. ntioned in this document or Web site are the property of their respective owners The use of the word partner does not imply a partnership relationship between Cisco and any other company 0206R VPN 3000 Series Concentrator Getting Started Copyright 2002 Cisco Systems Inc All rights reserved CHAPTER 1 CHAPTER 2 CHAPTER 3 Preface v Audience v Organization v Related Documentation vi Conventions viii Obtaining Documentation x Obtaining Technical Assistance xi Understanding the VPN 3000 Concentrator Hardware Features 1 2 Software Features 1 4 How the VPN Concentrator Works 1 7 Where the VPN Concentrator Fits in Your Network 1 8 Physical Specifications 1 9 Installing and Powering Up the VPN Concentrator 2 1 Preparing to Install 2 1 Unpacking 2 4 Installing the VPN Concentrator Hardware Connecting Hardware 2 8 Powering Up 2 11 Beginning Quick Configuration 2 12 2 5 Using the VPN Concentrator Manager for Quick Configuration 3 1 Loggini Starti g Con Con Con Con g Con p g g gp Con in to the VPN Concentrator Manager ing IP Interfaces ing Authentication Quick Configuration 3 3 3 4 ing System Information 3 8 ing Tunneling Protocols and Options ing Address Assignment 3 11 3 12 ing Internal Server User Database 3 2 3 10 3 16 78 14740 01 VPN 3000 Series Concentrator Getting Started gy E Cont
114. oltage s outside of normal ranges Error Not installed CPU Utilization This statistic selected for usage gauge display NA Not selected Active Sessions This statistic selected NA Not selected for usage gauge display Throughput This statistic selected NA Not selected for usage gauge display VPN 3000 Series Concentrator Getting Started 78 14740 01 Appendix A Troubleshooting and System Errors LED Indicators W Usage Gauge LEDs Models 3015 3080 only Steady or Intermittent Blue Blinking Blue Left to right sequential Normal operation NA segments varying number All 10 segments NA VPN Concentrator is in a shutdown halted state ready to power off VPN Concentrator Rear LEDs The LEDs on the rear of the VPN 3000 Concentrator are as follows LED Indicator Green Amber Off Private Public External Ethernet Interfaces connected to network Link Carrier detected NA No carrier detected Normal Error Tx Transmitting data NA Not transmitting data Normal Intermittent Idle Intermittent off on Coll NA Data collisions No collisions Normal detected 100 Speed set at NA Speed set at 100 Mbps 10 Mbps SEP Module LEDs SEP Scalable Encryption Processing module LEDs are present only on models 3015 through 3080 and are visible from the rear of the VPN Concentrator SEP Module LED Green Amber Off P
115. on with a browser We recommend this method Chapter 4 Using the Command Line Explains how to complete quick configuration of Interface for Quick Configuration the system using the command line interface from the console or a Telnet session 78 14740 01 VPN 3000 Series Concentrator Getting Started Preface HI Related Documentation Chapter Title Description Chapter 5 Testing the VPN Explains how to test the system by using Microsoft Concentrator Dial Up Networking on a PC with a modem to connect to an ISP and use PPTP to create a VPN tunnel to your private corporate network Appendix A Troubleshooting and System Describes common errors that might occur while Errors configuring or using the system and how to correct them It also describes all LED indicators on the VPN Concentrator and its expansion modules Related Documentation Refer to the following documents for further information about Cisco VPN applications and products VPN 3000 Series Concentrator Documentation The VPN 3000 Series Concentrator Reference Volume I Configuration explains how to start and use the VPN Concentrator Manager It details the Configuration screens and explains how to configure your device beyond the minimal parameters you set during quick configuration The VPN 3000 Series Concentrator Reference Volume II Administration and Monitoring provides guidelines for administering and monitoring the VPN Concen
116. oncentrator HI Physical Specifications VPN 3000 Series Concentrator Getting Started i0 i 78 14740 01 CHAPTER Installing and Powering Up the VPN Concentrator This chapter tells you how to prepare for unpack install and power up the VPN Concentrator and how to begin quick configuration Preparing to Install Before you begin ensure that you have the requisite skill set and that your physical environment and software preferences are properly set as described in the following sections User or Administrator Skills We assume you are an experienced system administrator or network administrator with appropriate education and training who knows how to install configure and manage internetworking systems However virtual private networks and VPN devices may be new to you You should be familiar with Windows 95 98 or Windows NT system configuration and management and with Microsoft Internet Explorer or Netscape Navigator browsers VPN 3000 Series Concentrator Getting Started 78 14740 01 EN Chapter 2 Installing and Powering Up the VPN Concentrator HI Preparing to Install Physical Site Requirements The VPN Concentrator requires a normal computing equipment environment Power The VPN Concentrator requires only normal computing equipment power For maximum protection we recommend connecting it to a conditioned power source or UPS uninterruptible power supply Be sure that the power source provides a r
117. ot match A 5 CLI 4 3 recovering from 3 3 field session timeout A 2 A 3 Ethernet interface 3 7 VPN Concentrator Manager A 2 VPN 3000 Series Concentrator Getting Started 78 14740 01 ZN W index Ethernet interfaces tunneling protocols 1 4 configuring 4 2 fields modifying 3 6 moving between 3 3 private Filter field configuring at startup 2 16 Ethernet interface 3 7 Ethernet Link Status LEDs A 6 finishing Quick Configuration 3 19 4 18 event log formats saved at system reboot A 1 data ix saved if system crashes A 1 exiting the Command Line Interface 4 18 G Expansion Modules Insertion Status LEDs A 6 Group Name field Expansion Modules Run Status LEDs A 6 IPSec 3 17 External Default filter Ethernet interface 3 7 H F hardware features 1 2 Fan Status LED A 6 installing 2 5 features how the VPN Concentrator works 1 7 hardware 1 2 Model 3005 1 3 Model 3015 1 3 i Model 3030 1 3 icon Model 3060 1 3 Save 3 20 Model 3080 1 3 Save Config 3 20 software Save Needed 3 3 authentication algorithms 1 4 indicators authentication servers 1 5 LED A 6 client compatibility 1 6 initial configuration screen 3 3 digital Certificate Authorities supported 1 5 initialization and boot messages at startup 2 11 encryption algorithms 1 4 installation key management 1 4 preparing for 2 1 list 1 4 typical 1 8 management interfaces 1 4 installing monitoring 1 6 in rack 2 5 network addressing support 1 5 rubber feet 2 7
118. our workstation on the Administration Access Rights Access Control List screen The Manager displays a screen with the message Not Found An error has occurred while attempting to access the specified page The screen includes additional information that identifies system activity and parameters The Manager could not find a screen e You updated the software image and did not clear the browser s cache Clear the browser cache delete its temporary internet files history files and location bar references Then try again e There is an internal Manager error Please note the system information on the screen and contact TAC for assistance Microsoft Internet Explorer displays a Script Error dialog box that includes the error message No such interface supported While using a Manager function that opens another browser window such as Save Needed Help or Software Update Internet Explorer cannot open the window and displays the error dialog box A bug in the Internet Explorer JavaScript interpreter 1 Click No on the error dialog box Log out of the Manager Close Internet Explorer PF N Reinstall Internet Explorer E VPN 3000 Series Concentrator Getting Started 78 14740 01 Appendix A Troubleshooting and System Errors Command line Interface Errors Table A 2 VPN 3000 Concentrator Command Line Interface Errors Console Message
119. ower Power on Normal NA Power is not reaching the module It might not be seated correctly Error Status Encryption code is Module failed during Module failed running Normal operation Error diagnostics or encryption code is not running Error VPN 3000 Series Concentrator Getting Started 78 14740 01 E Appendix A Troubleshooting and System Errors HZ LED Indicators VPN 3000 Series Concentrator Getting Started ne E 78 14740 01 APPENDIX Copyrights Licenses and Notices Software License Agreement of Cisco Systems Inc CISCO SYSTEMS INC IS WILLING TO LICENSE TO YOU THE SOFTWARE CONTAINED IN THE ACCOMPANYING CISCO PRODUCT ONLY IF YOU ACCEPT ALL OF THE TERMS AND CONDITIONS IN THIS LICENSE AGREEMENT PLEASE READ THIS AGREEMENT CAREFULLY BEFORE YOU OPEN THE PACKAGE BECAUSE BY OPENING THE SEALED PACKAGE YOU ARE AGREEING TO BE BOUND BY THE TERMS AND CONDITIONS OF THIS AGREEMENT IF YOU DO NOT AGREE TO THESE TERMS AND CONDITIONS CISCO SYSTEMS WILL NOT LICENSE THIS SOFTWARE TO YOU IN THAT CASE YOU SHOULD RETURN THE PRODUCT PROMPTLY INCLUDING THE PACKAGING THE UNOPENED PACKAGE ALL ACCOMPANYING HARDWARE AND ALL WRITTEN MATERIALS TO THE PLACE OF PURCHASE FOR A FULL REFUND Ownership of the Software 1 The software contained in the accompanying Cisco product the Software and any accompanying written materials are owned or licensed by Cisco Systems and are protected by United State
120. page 3 17 Otherwise skip to the section Changing Admin Password page 3 18 VPN 3000 Series Concentrator Getting Started P34 78 14740 01 _ Chapter 3 Using the VPN Concentrator Manager for Quick Configuration Configuring Authentication W SDI Server Type Step 1 Step 2 Step 3 Step 4 Step 5 Configure these parameters for an external SDI RSA Security Inc SecurID authentication server We suggest you accept the defaults Figure 3 11 Configuration Quick Authentication Screen SDI Server Specify how to authenticate users under PPTP L2TP or IPSec You can use the internal server or an external authentication server If you select the Jeternal Server you must configure the internal user database You may configure additional servers using System Configuration Server Type SDI z Selecting Jzterzal Server will let you add users to the internal user database Authentication Server Enter IP address or hostname Server Port 0 Enter 0 for default port 5500 Timeout 4 Enter the timeout for this server seconds Retries 2 Enter the number of retries for this server Back Continue 63732 To configure the parameters for the SDI authentication server follow these steps In the Authentication Server field enter the hostname or IP address of the external SDI server The maximum is 32 characters If you configured a DNS server you can enter a hostname in this field otherwise enter an IP address
121. pe Navigator 2 2 Retries field NT Domain 3 14 RADIUS 3 13 SDI 3 15 RIP 3 9 routing protocols features 1 5 rubber feet installing 2 7 running configuration 3 3 4 1 Index W S Save Config icon 3 20 Save Configuration window 3 20 78 14740 01 VPN 3000 Series Concentrator Getting Started W index Save icon 3 20 SAVELOG TXT file A 1 Save Needed icon 3 3 saving the active configuration 2 18 3 20 4 18 screen Address Assignment 3 11 Admin Password 3 18 Authentication Internal server 3 12 NT Domain server 3 14 RADIUS server 3 13 SDI server 3 15 Done 3 19 initial configuration 3 3 IP Interfaces 3 4 IPSec Group 3 17 login 3 2 Protocols 3 10 Save Configuration 3 20 System Info 3 8 User Database 3 16 welcome 3 3 SDI authentication server configuring 4 15 selection 3 15 SDI Server Name CLI 4 15 SDI Server Port CLI 4 15 security management features 1 5 Server Port field NT Domain 3 14 RADIUS 3 13 SDI 3 15 Server Secret field RADIUS 3 13 Server Type menu 3 12 4 10 Session Timeout error A 3 Session Timeout error A 2 software features 1 4 specifications cabling distances 1 9 cooling 1 9 physical 1 9 power 1 9 Specify Server field DHCP 3 11 Speed CLI interface 4 3 Speed field Ethernet interface 3 7 standards compliance B 10 starting quick configuration 2 12 startup boot messages 2 11 initialization messages 2 11 static routes 3 9 Status LED SE
122. r Use only the Manager Refresh button where it appears on a screen We recommend that you hide the browser navigation toolbar to prevent mistakes Browser Back or Forward Button displays an Incorrect Screen or Incorrect Data You clicked the Back or Forward button on the browser navigation toolbar and the Manager displayed the wrong screen or incorrect data To protect security and the integrity of data entries clicking Back or Forward on the browser toolbar deletes pointers and values within the Manager Do not use the browser navigation toolbar buttons with the VPN Concentrator Manager Navigate using the location bar at the top of the Manager window the table of contents in the left frame or links on Manager screens We recommend that you hide the browser navigation toolbar to prevent mistakes The Manager displays the Invalid Login or Session Timeout screen You entered an invalid administrator login name and password combination e Typing error e Invalid unrecognized login name or password Reenter the login name and password and click Login Use a valid login name and password type carefully VPN 3000 Series Concentrator Getting Started 78 14740 01 Appendix A Troubleshooting and System Errors VPN Concentrator Manager Errors W Table A 1 VPN Concentrator Manager Errors continued Symptom Problem Possible Cause Solution The Manager
123. r While hostnames are easier to remember using IP addresses avoids problems that might arise with the DNS server offline congested or otherwise indisposed Specify a local DNS server gt DNS Server Quick gt 0 0 0 0 At the cursor enter the IP address of your local DNS server in dotted decimal notation for example 10 10 0 11 The system prompts you to enter the registered Internet domain name in which the VPN Concentrator is located sometimes called the domain name suffix or subdomain Enter your Internet domain name gt Domain Quick gt At the cursor enter your domain name for example cisco com The system prompts you to specify a default gateway which is the system to which the VPN Concentrator routes packets that are not explicitly routed In other words if the VPN Concentrator has no IP routing parameters RIP OSPF static routes that specify where to send packets it will send them to this gateway And when you first start the VPN Concentrator it has no IP routing parameters gt Default Gateway Quick gt At the cursor enter the IP address of the default gateway for example 10 10 0 1 This address must not be the same as the IP address configured on any VPN Concentrator interface To specify no default gateway which means the VPN Concentrator drops unrouted packets leave this entry blank 78 14740 01 VPN 3000 Series Concentrator Getting Started E Chapter4 Using th
124. r as the system executes diagnostics Watch for these LEDs if present on the VPN Concentrator front panel to stabilize and display e System green This is the only front panel LED on the Model 3005 e Ethernet Link Status 1 2 3 green for the Ethernet interfaces to which you connected patch cables e Expansion Modules 1 2 3 4 Insertion Status green for the number of SEP modules in your device Run Status green for the number of SEP modules in your device Fan Status green e Power Supplies A B green for the number of power supplies in your device Ignore any other LEDs on the front panel Watch for the following LEDs on the back of the device to display e Private Public External Interfaces Link green for the interfaces connected to networks e SEP Modules if installed Power green Ignore any other LEDs on the back If LEDs that should be green are amber red or off please see Appendix A Troubleshooting and System Errors The console displays initialization and boot messages such as Boot ROM Initializing Boot configured 128Mb of RAM Image Loader Initializing Decompressing amp loading image Verifying image checksum Active image loaded and verified Starting loaded image Starting power up diagnostics Initializing VPN Concentrator Initialization Complete Waiting for Network Login 78 14740 01 VPN 3000 Series Concentrator Getting Start
125. r while configuring and using the system and how to correct them It also describes LED indicators on the system and its expansion modules Files for Troubleshooting Event Logs The VPN 3000 Concentrator creates several files that you can examine and that can assist Cisco support engineers when troubleshooting errors and problems e Event log e SAVELOG TXT Event log that is automatically saved when the system crashes and when it is rebooted e CRSHDUMP TXT Internal system data file that is written when the system crashes e CONFIG CONFIG BAK Normal configuration file used to boot the system and backup configuration file The VPN Concentrator records system events in the event log which is stored in nonvolatile memory NVRAM To troubleshoot operational problems we recommend that you start by examining the event log See Configuration System Events and Monitor Event Log The VPN Concentrator automatically saves the event log to a file in flash memory if it crashes and when it is rebooted This log file is named SAVELOG TXT and it overwrites any existing file with that name The SAVELOG TXT file is useful for debugging See Configuration System Events and Administration File Management Files Crash Dump File If the VPN Concentrator crashes during operation it saves internal system data in nonvolatile memory NVRAM and then automatically writes this data toa CRSHDUMP TXT file in flash memory when it is reboot
126. ration You have finished quick configuration and your entries constitute the active or running configuration The VPN Concentrator now has enough information and it is operational For example a configured remote user with a PC and modem can use Microsoft PPTP and a local ISP to connect securely in a VPN tunnel through the Internet with resources on a private internal corporate network We strongly recommend that you save the active configuration before you exit Should you need to restart the VPN Concentrator it will then boot with your configured parameters Saving the Active Configuration The system displays the final quick configuration menu 1 Goto Main Configuration Menu 2 Save changes to Config file 3 Exit Quick gt 2 At the cursor enter 2 to save the active configuration in the system config file Exiting the CLI You are now ready to exit the CLI Step 1 The system redisplays the final quick configuration menu 1 Goto Main Configuration Menu 2 Save changes to Config file 3 Exit Quick gt 3 At the cursor enter 3 to exit the CLI Step2 The system displays Done If you wish to use the CLI for other functions enter 1 at the cursor in Step 1 above For information on using the CLI see the VPN 3000 Concentrator Series User Guide VPN 3000 Series Concentrator Getting Started Pais 78 14740 01 Chapter4 Using the Command Line Interface for Quick Configuration What Next W What
127. reserved Redistribution and use in source and binary forms with or without modification are permitted provided that the following conditions are met 1 Redistributions of source code must retain the above copyright notice this list of conditions and the following disclaimer 2 Redistributions in binary form must reproduce the above copyright notice this list of conditions and the following disclaimer in the documentation and or other materials provided with the distribution 78 14740 01 VPN 3000 Series Concentrator Getting Started E AppendixB Copyrights Licenses and Notices HZ Other Licenses DHCP Client 3 All advertising materials mentioning features or use of this software must display the following acknowledgement This product includes software developed by the University of California Berkeley and its contributors 4 Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT INDIRECT INCIDENTAL SPECIAL EXEMPLARY OR CONSEQUENTIAL DAMAGES INCLUDING BUT NOT LIMITED TO PROCUREMENT
128. rnet 2 Public Specifies the IP address and subnet mask speed and duplex mode for the VPN Concentrator interface to the public network IP Interfaces Ethernet 3 External For models 3015 3080 only If so connected specify the IP address and subnet mask speed and duplex mode for the VPN Concentrator interface to an additional external network System Info System Name Specify a device or system name for the VPN Concentrator for example VPNO1 System Info DNS Server Specify the IP address of your local DNS Domain Name System server System Info Domain Specify the registered Internet domain name to use with DNS for example cisco com System Info Default Gateway Specify the IP address or hostname of the default gateway for packets not otherwise routed Address Assignment DHCP Server Jf you use DHCP Dynamic Host Configuration Protocol for remote address assignment specify the IP address or hostname of the DHCP server Address Assignment If you use the VPN Concentrator to assign addresses Configured Pool specify the starting and ending IP addresses in its initial Range Start and Range End configured pool VPN 3000 Series Concentrator Getting Started 78 14740 01 SEE Chapter 2 Installing and Powering Up the VPN Concentrator HZ Beginning Quick Configuration Table 2 2 Quick Configuration Parameters continued Screen Parameter Name Parameter Description
129. rs only when you select the IPSec tunneling protocol and you must configure these parameters to complete quick configuration The remote access IPSec client connects to the VPN Concentrator using this group name and password which are automatically configured on the internal authentication server This is the IPSec group that creates the tunnel Users then log in and are authenticated through their usernames and passwords See Figure 3 13 Figure 3 13 Configuration Quick IPSec Group Screen Select a Group Name and Password to be used by remote IPSec users The Group Password must be at least 4 characters long Group Name C Password C Verify tC Back Continue 63736 In the Group Name field enter a unique name for this group The maximum field length is 32 characters Entries are case sensitive In the Password field enter a unique password for this group The minimum field length is 4 characters The maximum length is 32 characters Entries are case sensitive The field displays only asterisks In the Verify field reenter the group password to verify it The field displays only asterisks Click Continue to proceed You must configure these parameters before you can proceed 78 14740 01 VPN 3000 Series Concentrator Getting Started Chapter3 Using the VPN Concentrator Manager for Quick Configuration HE Changing Admin Password Changing Admin Password The Manager displays the Configuration
130. s copyright laws laws of other nations and or international treaties Grant of License 2 Cisco Systems hereby grants to you the right to use the Software with the Cisco VPN 3000 Concentrator product To this end the Software contains both operator software for use by the network administrator and client software for use by clients at remote network nodes You may transfer the client software or portions thereof only to prospective nodes on the network and to no one else You may not transfer the operator software Restrictions on Use and Transfer 3 You may not otherwise copy the Software except that you may make one copy of the Software solely for backup or archival purposes To this end you may transfer the Software to a single disk provided you keep the disk solely for backup or archival purposes You may not copy the written materials and you may not use the backup or archival copy of the Software except in conjunction with the accompanying Cisco product 78 14740 01 VPN 3000 Series Concentrator Getting Started AppendixB Copyrights Licenses and Notices HI Software License Agreement of Cisco Systems Inc 4 You may permanently transfer the Software and accompanying written materials including the most recent update and all prior versions only in conjunction with a transfer of the entire Cisco product and only if you retain no copies and the transferee agrees to be bound by the terms of this Agreement Any tr
131. sco com go subscription e Nonregistered Cisco com users can order documentation through a local account representative by calling Cisco Systems Corporate Headquarters California U S A at 408 526 7208 or elsewhere in North America by calling 800 553 NETS 6387 Documentation Feedback You can submit comments electronically on Cisco com In the Cisco Documentation home page click the Fax or Email option in the Leave Feedback section at the bottom of the page You can e mail your comments to bug doc cisco com You can submit your comments by mail by using the response card behind the front cover of your document or by writing to the following address Cisco Systems Attn Document Resource Connection 170 West Tasman Drive San Jose CA 95134 9883 We appreciate your comments VPN 3000 Series Concentrator Getting Started 78 14740 01 Preface Obtaining Technical Assistance W Obtaining Technical Assistance Cisco com Cisco provides Cisco com as a starting point for all technical assistance Customers and partners can obtain online documentation troubleshooting tips and sample configurations from online tools by using the Cisco Technical Assistance Center TAC Web Site Cisco com registered users have complete access to the technical support resources on the Cisco TAC Web Site Cisco com is the foundation of a suite of interactive networked services that provides immediate open access to Cisco informatio
132. se developers have each copyrighted the portions that they developed at NRL and have assigned All Rights for those portions to NRL Outside the USA NRL also has copyright on the software developed at NRL The affected files all contain specific copyright notices and those notices must be retained in any derived work NRL LICENSE NRL grants permission for redistribution and use in source and binary forms with or without modification of the software and documentation created at NRL provided that the following conditions are met 1 Redistributions of source code must retain the above copyright notice this list of conditions and the following disclaimer 2 Redistributions in binary form must reproduce the above copyright notice this list of conditions and the following disclaimer in the documentation and or other materials provided with the distribution 3 All advertising materials mentioning features or use of this software must display the following acknowledgement This product includes software developed at the Information Technology Division US Naval Research Laboratory 4 Neither the name of the NRL nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission THE SOFTWARE PROVIDED BY NRL IS PROVIDED BY NRL AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY
133. ser The system prompts you to enter the user name To be authenticated the user must log in from the client using this name gt User Name Quick gt At the cursor enter a unique user name for example simonz The maximum is 32 characters case sensitive The system prompts you to enter the password for this user To be authenticated the user must log in from the client using this password Each user name and password combination must be unique gt Password Quick gt _ At the cursor enter the user password for example 9se7pt14 It must be at least 8 characters long the maximum is 32 characters case sensitive The system displays only asterisks The system prompts you to verify the password for this user Verify gt _ At the cursor re enter the user password The system displays only asterisks If you specified per user address assignment continue with the next two steps Otherwise skip them 78 14740 01 VPN 3000 Series Concentrator Getting Started Chapter4 Using the Command Line Interface for Quick Configuration W Configuring Authentication Step 5 Step 6 Step 7 Step 8 If you specified per user address assignment the system prompts you to enter the IP address for this user This is the IP address assigned to this user as a client gt User IP Address Quick gt 0 0 0 0 At the cursor enter the user IP address in dotted decimal notation for example 10 10 1 35 If
134. server that has IP addresses configured we recommend using this method You configure an authentication server in the next section e DHCP Dynamic Host Configuration Protocol a DHCP server assigns IP addresses e Configured pool the VPN Concentrator assigns IP addresses from an internally configured pool of addresses You must enable at least one method You can enable any and all methods By default no method is enabled To configure address assignment follow these steps The system prompts you to enable or disable client specified address assignment If you enable IPSec do not enable only this method IPSec does not allow client specified IP addresses Configure address assignment for PPTP L2TP and IPSec 1 Enable Client Specified Address Assignment 2 Disable Client Specified Address Assignment Quick gt 2 At the cursor enter 1 to enable client specified address assignment or press Enter to accept the default 2 disabled The system prompts you to enable or disable per user address assignment 1 Enable Per User Address Assignment 2 Disable Per User Address Assignment Quick gt 2 At the cursor enter 1 to enable per user address assignment or press Enter to accept the default 2 disabled The system prompts you to enable or disable DHCP address assignment 1 Enable DHCP Address Assignment 2 Disable DHCP Address Assignment Quick gt 2 At the cursor enter 1 to enable DH
135. sets in hours relative to Greenwich Mean Time GMT which is the basis for Internet time synchronization Enter the Year as a four digit number VPN 3000 Series Concentrator Getting Started EN 78 14740 01 _ Chapter 3 Using the VPN Concentrator Manager for Quick Configuration Step 3 Step 4 Step 5 Step 6 Configuring System Information W To Enable DST Support check the box During DST Daylight Saving Time clocks are set one hour ahead of standard time Enabling DST support means that the VPN Concentrator automatically adjusts the time zone for DST or standard time If your system is in a time zone that uses DST you must enable DST support In the DNS Server field enter the IP address of your local DNS Domain Name System server using dotted decimal notation for example 10 10 0 11 Specifying a DNS server lets you enter Internet hostnames for example mail01 rather than IP addresses for servers as you configure and manage the VPN Concentrator While hostnames are easier to remember using IP addresses avoids problems that might arise with the DNS server offline congested or similarly indisposed In the Domain field enter the registered domain in which the VPN Concentrator is located for example cisco com sometimes called the domain name suffix or subdomain In the Default Gateway field enter the IP address or hostname of the system to which the VPN Concentrator should route packets that are not expl
136. steps of quick configuration only once unless you reboot the system with the Reboot with Factory Default configuration option e Entries are case sensitive for example admin and ADMIN are different passwords e The system displays more tips and examples than appear in the dialogue here e The system shows current or default entries in brackets for example 10 10 4 6 e After each entry press the Enter key on the console keyboard e Configuration entries take effect as soon as you enter them and they constitute the active or running configuration Many quick configuration menus let you save the active configuration to the config file and thus make it the boot configuration We suggest you do so e If you make a mistake the system displays an Error message and repeats the previous prompt You can often enter a correct value and proceed but in some cases you may need to restart the section to correct an earlier error See Appendix A Troubleshooting and System Errors for more details 78 14740 01 VPN 3000 Series Concentrator Getting Started Chapter4 Using the Command Line Interface for Quick Configuration WE Configuring Ethernet Interfaces Configuring Ethernet Interfaces This section describes how to configure the VPN Concentrator Ethernet interfaces e Ethernet 1 Private is the interface to your private network internal LAN e Ethernet 2 Public is the interface to the public network e Ethernet 3 E
137. t VPN Concentrator Manager screen Many screens include a bullet list of links and descriptions of subordinate sections and titles you can click on a link to go to that Manager screen and open subordinate sections and titles in the table of contents E VPN 3000 Series Concentrator Getting Started 78 14740 01 CHAPTER i Using the Command Line Interface for Quick Configuration This chapter tells you how to complete quick configuration of the system using the VPN 3000 Series command line interface CLI Quick configuration supplies the minimal parameters needed to make the VPN Concentrator operational For example a configured remote user with a PC and modem can use Microsoft PPTP and a local ISP to connect securely in a VPN tunnel through the Internet with resources on a private internal corporate network The CLI is a menu based configuration administration and monitoring system built into the VPN Concentrator You can use it from the console or in a Telnet session To use a Telnet session connect to the IP address of the private Ethernet interface Before beginning the procedures in this section you should have completed Steps 1 through 11 in the Using the Console section on page 2 15 As you proceed refer to the data you recorded in Table 2 2 on page 2 13 About Quick Configuration The CLI has the following characteristics e These quick configuration menus appear only once and you can go through the
138. the minimal parameters to make it operational You can perform quick configuration from a console with the menu based command line interface or you can use the HTML based VPN Concentrator Manager with a browser This guide describes both methods and we recommend the latter for ease of use We assume you are an experienced system administrator or network administrator with appropriate education and training who knows how to install configure and manage internetworking systems However virtual private networks and VPN devices might be new to you You should be familiar with Windows system configuration and management and you should be familiar with Microsoft Internet Explorer or Netscape Navigator or Communicator browsers Organization This guide is organized as follows Chapter Title Description Chapter 1 Understanding the VPN 3000 Summarizes the hardware and software features Concentrator and operation If you are familiar with VPN devices you can skip this chapter Chapter 2 Installing and Powering Up __ Explains how to prepare for unpack install and the VPN Concentrator power up the VPN Concentrator and how to begin quick configuration Once you have completed the steps in this chapter you can use either Chapter 3 or Chapter 4 to complete quick configuration Chapter 3 Using the VPN Concentrator Explains how to complete quick configuration of Manager for Quick the system using the VPN Concentrator Manager Configurati
139. to use encryption or they will not be connected e No Encryption Required L2TP connections may use Microsoft encryption to encrypt data During connection setup clients might or might not agree to use Microsoft encryption they will be connected in either case 1 L2TP Encryption Required 2 No Encryption Required Quick gt 2 At the cursor enter 1 to require encryption or press Enter to accept the default 2 which does not require encryption The system prompts you to enable or disable IPSec 1 Enable IPSec 2 Disable IPSec Quick gt 1 At the cursor enter 2 to disable IPSec or press Enter to accept the default 1 which enables IPSec 78 14740 01 VPN 3000 Series Concentrator Getting Started Chapter4 Using the Command Line Interface for Quick Configuration WE Configuring Address Assignment Configuring Address Assignment Step 1 Step 2 Step 3 Configuring address assignment applies and its menus appear only when you enable at least one tunneling protocol If you disabled all protocols skip to the Configuring Authentication section on page 4 10 This section lets you configure prioritized methods for assigning IP addresses to clients as a tunnel is established The methods are configured and used in this order e Client specified the client specifies its own IP address e Per user a server assigns IP addresses on a per user basis If you are using an authentication
140. trator It explains and defines all functions available in the Administration and Monitoring screens of the VPN Concentrator Manager Appendixes to this manual provide troubleshooting guidance and explain how to access and use the alternate command line interface The VPN Concentrator Manager also includes context oriented online help that you can access by clicking the Help icon on the toolbar in the Manager window VPN Client Documentation The VPN Client User Guide explains how to install configure and use the VPN Client which lets a remote client use the IPSec tunneling protocol for secure connection to a private network through the VPN Concentrator The VPN Client Administrator Guide tells how to configure a VPN 3000 Concentrator for remote user connections using the VPN Client how to automate remote user profiles how to use the VPN Client command line interface and how to get troubleshooting information VPN 3000 Series Concentrator Getting Started x 78 14740 01 Preface Related Documentation W VPN 3002 Hardware Client Documentation The VPN 3002 Hardware Client Reference provides details on all the functions available in the VPN 3002 Hardware Client Manager This manual is online only The VPN 3002 Hardware Client Getting Started manual provides information to take you from unpacking and installing the VPN 3002 through configuring the minimal parameters to make it operational called Quick Configuration This man
141. ts permission under its copyrights to use copy modify and distribute this Software with or without fee provided that the above copyright notice and all paragraphs of this notice appear in all copies and that the name of IBM not be used in connection with the marketing of any product incorporating the Software or modifications thereof without specific written prior permission To the extent it has a right to do so IBM grants an immunity from suit under its patents if any for the use sale or manufacture of products to the extent that such products are used for performing Domain Name System dynamic updates in TCP IP networks by means of the Software No immunity is granted for any product per se or for any other function of any product THE SOFTWARE IS PROVIDED AS IS AND IBM DISCLAIMS ALL WARRANTIES INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE IN NO EVENT SHALL IBM BE LIABLE FOR ANY SPECIAL DIRECT INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE EVEN IF IBM IS APPRISED OF THE POSSIBILITY OF SUCH DAMAGES COPYRIGHT 1 1a NRL 17 August 1995 COPYRIGHT NOTICE All of the documentation and software included in this software distribution from the US Naval Research Laboratory NRL are copyrighted by their respective developers This software and documentation were developed at NRL by various people Tho
142. ual is available only online The VPN 3002 Hardware Client Quick Start Card summarizes the information for quick configuration This quick reference card is provided with the VPN 3002 and is also available online The VPN 3002 Hardware Client Basic Information sticky label summarizes information for quick configuration It is provided with the VPN 3002 and you can also print it from the online version you can affix the label to the VPN 3002 Documentation on VPN Software Distribution CDs The VPN 3000 Series Concentrator and VPN 3002 Hardware Client documentation are provided on the VPN 3000 Concentrator software distribution CD ROM in PDF format The VPN Client documentation is included on the VPN Client software distribution CD ROM also in PDF format To view the latest versions on the Cisco web site click the Support icon on the toolbar at the top of the VPN Concentrator Manager Hardware Client Manager or Client window To open the documentation you need Acrobat Reader 3 0 or later version 4 5 is included on the Cisco VPN 3000 Concentrator software distribution CD ROM and on the VPN Client software distribution CD ROM Other References Other useful references include e Cisco Systems Dictionary of Internetworking Terms and Acronyms Cisco Press 2001 e Virtual Private Networking An Overview Microsoft Corporation 1999 Available from Microsoft website e www ietf org for Internet Engineering Task Force IETF Working Group dra
143. uction manual may cause harmful interference to radio communications Operation of this equipment in a residential area is likely to cause harmful interference in which case users will be required to correct the interference at their own expense The following information is for FCC compliance of Class B devices The equipment described in this manual generates and may radiate radio frequency energy If it is not installed in accordance with Cisco s installation instructions it may cause interference with radio and television reception This equipment has been tested and found to comply with the limits for a Class B digital device in accordance with the specifications in part 15 of the FCC rules These specifications are designed to provide reasonable protection against such interference in a residential installation However there is no guarantee that interference will not occur in a particular installation Modifying the equipment without Cisco s written authorization may result in the equipment no longer complying with FCC requirements for Class A or Class B digital devices In that event your right to use the equipment may be limited by FCC regulations and you may be required to correct any interference to radio or television communications at your own expense You can determine whether your equipment is causing interference by turning it off If the interference stops it was probably caused by the Cisco equipment or one of its peripheral devic
144. ur selection for example 1 and skip to the step in the following section that describes your authentication server selection To bypass this step and continue quick configuration enter 5 If you enabled IPSec tunneling protocol skip to the Configuring the IPSec Group section on page 4 16 otherwise skip to the Changing the Admin Password section on page 4 17 VPN 3000 Series Concentrator Getting Started P40 i 78 14740 01 _ Chapter 4 Using the Command Line Interface for Quick Configuration Configuring Authentication W Configuring Internal Authentication Server and User Database Step 1 Step 2 Step 3 Step 4 The VPN Concentrator internal authentication server lets you enter a maximum of 100 groups and users combined in its database which is adequate for a small user base For larger numbers of users we recommend using a RADIUS authentication server To use the internal server you must create a database with at least one user each with a user name and password and if you specified per user address assignment an IP address and subnet mask To do so follow these steps You selected the VPN concentrator internal authentication server and the system prompts you to add users to the internal authentication server database When you start quick configuration the user database is empty Current Users 1 Add a User 2 Delete a User 3 Continue Quick gt At the cursor enter 1 to add a u
145. x transmission in only one direction at a time In the MTU field either accept the default value 1500 as the maximum transmission unit in bytes or specify a value in the range 68 to 1500 The standard MTU for Ethernet is 1500 bytes Click Apply to apply your choices to the interface Click Cancel to discard your choices 78 14740 01 VPN 3000 Series Concentrator Getting Started Chapter 3 Using the VPN Concentrator Manager for Quick Configuration WE Configuring System Information The Manager returns to the Configuration Quick IP Interfaces screen If you have entered new parameters for an interface the screen displays your entries Step9 If you want to modify another Ethernet interface click on the interface and continue If you do not want to modify another interface click Continue to proceed and skip to Configuring System Information page 3 8 Configuring System Information The Manager displays the Configuration Quick System Info screen Figure 3 5 Configuration Quick System Info Screen Assign a system nameshostname to this device This may be required if you use DHCP to obtain an address System Name l Enter a hostname for the system e g vpn01 Set the time on your device The correct time is very important so that logging and accounting entries are accurate The current time on this device is Tuesday 20 February 2001 13 51 55 New Time 13 56 44 February f20 2001 GMT 05 00
146. xternal if present is the interface to an additional LAN For the VPN Concentrator to become fully operational you must configure the two interfaces you physically connected to your network in the Connecting Network Cables section on page 2 9 To configure the VPN Concentrator Ethernet Interfaces follow these steps Step 1 The system prompts you to configure the VPN Concentrator interfaces Model 3005 Menu 1 Modify Ethernet 1 IP Address Private 2 Modify Ethernet 2 IP Address Public 3 Configure Expansion Cards 4 Save changes to Config file 5 Continue 6 Exit Quick gt Model 3015 3080 Menu 1 Modify Ethernet 1 IP Address Private 2 Modify Ethernet 2 IP Address Public 3 Modify Ethernet 3 IP Address External 4 Configure Expansion Cards 5 Save changes to Config file 6 Continue 7 Exit Quick gt _ You entered values for Ethernet 1 under Using the Console section on page 2 15 You can change them now if you want to do so enter 1 at the cursor To configure another interface enter its number at the cursor Step2 We assume you enter 2 to configure Ethernet 2 The CLI displays a table with the current IP addresses and subnet masks for all three Ethernet interfaces This table shows current IP addresses Interface IP Address Subnet Mask MAC Address Ethernet 1 Private 10 10 4 6 255 255 0 0 00 10 5A 1F 4F 07 Ethernet 2 Public 0 0 0 0 0 0 0 0 Ethernet 3 External 0 0 0 0 0
147. y default Step4 Ifyou enable L2TP click one of the radio buttons to select the encryption option e Require Encryption L2TP connections must use Microsoft encryption to encrypt data This option requires MS CHAP Microsoft Challenge Handshake Authentication Protocol and provides maximum security During connection setup clients must agree to use encryption or they will not be connected e Don t Require Encryption L2TP connections may use Microsoft encryption to encrypt data the default During connection setup clients may or may not agree to use Microsoft encryption they will be connected in either case Step5 Check IPSec to enable remote access user connections using Internet Protocol Security protocol This box is checked by default This option supports only remote access IPSec connections from the VPN 3000 Client or a similar protocol compliant client To configure IPSec LAN to LAN connections see Configuration System Tunneling Protocols IPSec LAN to LAN under regular system configuration Step6 Click Continue to proceed VPN 3000 Series Concentrator Getting Started Eu 78 14740 01 _ Chapter 3 Using the VPN Concentrator Manager for Quick Configuration Configuring Address Assignment W If you enable none of the protocols skip to the section on Changing Admin Password page 3 18 If you enable at least one protocol continue to the next section Configuring Address Assignment Step 1 Step 2
148. you specified per user address assignment the system prompts you to enter the subnet mask for this user This is the subnet mask assigned to this user as a client gt User Subnet Mask Quick gt 0 0 0 0 At the cursor enter the user subnet mask in dotted decimal notation for example 255 255 0 0 The system redisplays the user database with the new user added You can add more users delete users or continue with quick configuration Quick gt 0 0 0 0 255 255 0 0 Current Users 1 Add a User 2 Delete a User 3 Continue Quick gt At the cursor enter the menu number for your selection for example 1 To add more users repeat Step 1 through Step 6 in this section To delete a user 2 see the next step To continue 3 skip to the Configuring the IPSec Group section on page 4 16 or the Changing the Admin Password section on page 4 17 If you choose to delete a user from the internal database the system prompts you to enter the name of the user to delete gt User to Delete Quick gt At the cursor enter the name of the existing user you want to delete for example simonz You must enter the name exactly as listed in the table After deleting the user the system redisplays the user database as in the previous step but without the deleted user VPN 3000 Series Concentrator Getting Started Pai i 78 14740 01 _ Chapter 4 Using the Command Line Interface for Quick Configuration
Download Pdf Manuals
Related Search
PDF Version of VPN 3000 Series Concentrator Getting Started Manual