Cisco CVPN3015-NR - VPN Concentrator 3015 Getting Started

VPN 3000 Series Concentrator
Getting Started
Release 4.7
August 2005
Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 526-4100
Customer Order Number: 78-15733
Text Part Number: 78-15733-03

Summary of Contents for Cisco CVPN3015-NR - VPN Concentrator 3015

  • Page 1 VPN 3000 Series Concentrator Getting Started Release 4.7 August 2005 Corporate Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 526-4100 Customer Order Number: 78-15733 Text Part Number: 78-15733-03...
  • Page 2 OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. CCSP, CCVP, the Cisco Square Bridge logo, Follow Me Browsing, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.;...
  • Page 3: Table Of Contents

    Contents: Preface; Audience; Organization; Related Documentation; Conventions; Obtaining Documentation; Obtaining Technical Assistance; Obtaining Additional Publications and Information. Chapter 1, Understanding the VPN 3000 Concentrator: Hardware Features; Software Features; How the VPN Concentrator Works; Where the VPN Concentrator Fits in Your Network...
  • Page 4 Contents (continued): Configuring the Internal Server User Database; Configuring the IPSec Group; Changing Admin Password; Finishing Quick Configuration; Saving the Active Configuration; What Next?; Using Other VPN Concentrator Manager Functions; Understanding the VPN Concentrator Manager Window. Chapter 4, Using the Command-Line Interface for Quick Configuration...
  • Page 5: Preface

    VPN 3000 Series Concentrator Getting Started provides information to take you from unpacking and installing the VPN 3000 Concentrator through quick configuration (configuring the minimal parameters to make it operational). You can perform quick configuration from a console with the menu-based command-line interface, or you can use the HTML-based VPN Concentrator Manager with a browser.
  • Page 6: Related Documentation

    The Cisco VPN Client User Guide for Windows, the Cisco VPN Client User Guide for Linux and Solaris, and the Cisco VPN Client User Guide for Mac OS X explain how to install, configure, and use the VPN Client. The VPN Client lets a remote client use the IPSec tunneling protocol for secure connection to a private network through the VPN Concentrator.
  • Page 7 VPN Client software distribution CD-ROM, also in PDF format. To view the latest versions on the Cisco web site, click the Support icon on the toolbar at the top of the VPN Concentrator Manager, Hardware Client Manager, or Client window. To open the documentation, you need Acrobat Reader 3.0 or later;...
  • Page 8: Conventions

    This document uses the following conventions (Convention: Description). boldface font: Commands and keywords are in boldface. italic font: Arguments for which you supply values are in italics. screen font: Terminal sessions and information the system displays are in screen font.
  • Page 9: Obtaining Documentation

    Port numbers use decimal numbers from 0 to 65535. No commas or spaces are permitted in a number. Obtaining Documentation Cisco documentation and additional literature are available on Cisco.com. Cisco also provides several ways to obtain technical assistance and other technical resources. These sections explain how to obtain technical information from Cisco Systems.
  • Page 10 Cisco products and to view technical documentation in HTML. With the DVD, you have access to the same documentation that is found on the Cisco website without being connected to the Internet. Certain products also have .pdf versions of the documentation available.
  • Page 11 Register to receive security information from Cisco. A current list of security advisories and notices for Cisco products is available at this URL: http://www.cisco.com/go/psirt If you prefer to see advisories and notices as they are updated in real time, you can access a Product Security Incident Response Team Really Simple Syndication (PSIRT RSS) feed from this URL: http://www.cisco.com/en/US/products/products_psirt_rss_feed.html...
  • Page 12: Obtaining Technical Assistance

    Note: Use the Cisco Product Identification (CPI) tool to locate your product serial number before submitting a web or phone request for service. You can access the CPI tool from the Cisco Technical Support & Documentation website by clicking the Tools & Resources link under Documentation & Tools. Choose Cisco Product Identification Tool from the Alphabetical Index drop-down list, or click the Cisco Product Identification Tool link under Alerts &...
  • Page 13 Cisco engineer. The TAC Service Request Tool is located at this URL: http://www.cisco.com/techsupport/servicerequest For S1 or S2 service requests or if you do not have Internet access, contact the Cisco TAC by telephone. (S1 or S2 service requests are those in which your production network is down or severely degraded.) Cisco engineers are assigned immediately to S1 and S2 service requests to help keep your business operations running smoothly.
  • Page 14: Obtaining Additional Publications And Information

    Visit Cisco Marketplace, the company store, at this URL: http://www.cisco.com/go/marketplace/ Cisco Press publishes a wide range of general networking, training and certification titles. Both new and experienced users will benefit from these publications. For current Cisco Press titles and other information, go to Cisco Press at this URL: http://www.ciscopress.com...
  • Page 15: Chapter 1 Understanding The Vpn 3000 Concentrator

    TCP/IP network (such as the Internet) that users see as a private connection. The VPN Concentrator can create single-user-to-LAN connections and LAN-to-LAN connections. Figure 1-1: The Cisco VPN 3000 Concentrator (Model 3005; Model 3015 to 3080)...
  • Page 16: Hardware Features

    Model 3015: Software-based encryption; single power supply; expansion capabilities: up to two Enhanced Cisco Scalable Encryption Processing (SEP-E) modules for hardware-based encryption, up to two SEP-E modules for redundancy, optional redundant power supply...
  • Page 17 Hardware Features (columns: VPN Concentrator Model; Hardware Features). Model 3030: one SEP-E module for hardware-based encryption; single power supply; expansion capabilities: one additional SEP-E module for hardware-based encryption, up to two additional SEP-E modules for...
  • Page 18: Software Features

    – SSHv1 (Secure Shell), including SCP (Secure Copy). Tunneling Protocols: IPSec (IP Security) Protocol: remote access, using Cisco VPN Client or other select IPSec protocol-compliant clients; LAN-to-LAN, between peer VPN Concentrators or between a VPN Concentrator and another IPSec protocol-compliant secure gateway. L2TP over IPSec (for native Windows 2000, Windows NT, and Windows...
  • Page 19 Software Features (columns: VPN Feature; Description). Network Addressing Support: DNS (Domain Name System); client address assignment: DHCP (Dynamic Host Configuration Protocol), including DDNS host name population and configurable giaddr; internally configured client IP address pools...
  • Page 20 Software Features (columns: VPN Feature; Description). Routing Protocols: RIP v1, RIP v2; OSPF; static routes; private network autodiscovery for LAN-to-LAN connections; Reverse Route Injection (RRI) allows client, LAN-to-LAN, and network...
  • Page 21: How The Vpn Concentrator Works

    Software Features (columns: VPN Feature; Description). Client Software Compatibility: Cisco VPN Client (IPSec): Windows 98 and Windows ME; Windows NT 4.0, Windows 2000, and Windows XP; Mac OS X 10.1 and 10.2 Jaguar...
  • Page 22: Where The Vpn Concentrator Fits In Your Network

    Enterprise network configurations vary widely, but the VPN Concentrator is flexible and functional enough to satisfy most applications. Figure 1-2 shows a typical installation, with the VPN Concentrator configured in parallel with a firewall, and supporting both low-speed and high-speed remote users.
  • Page 23 Physical Specifications. Power: 100 to 240 VAC at 50/60 Hz (autosensing); 3005 = maximum 25 W (0.2A @ 120 VAC); 3015–3080 = maximum 50 W (0.42A @ 120 VAC). Cabling distances from an Approx.
  • Page 25: Chapter 2 Installing And Powering Up The Vpn Concentrator

    This chapter tells you how to prepare for, unpack, install, and power up the VPN Concentrator, and how to begin quick configuration. Preparing to Install: Before you begin, ensure that you have the requisite skill set and that your physical environment and software preferences are properly set, as described in the following sections.
  • Page 26 The VPN Concentrator uses the following cables and connectors. Connectors: The VPN Concentrator Ethernet interfaces take standard UTP/STP twisted-pair network cables, Category 5, with RJ-45 8-pin modular connectors. Cisco supplies two with the system. The console port takes a standard straight-through RS-232 serial cable with a...
  • Page 27: Unpacking

    Browser settings (columns: Browser; JavaScript; Cookies). Internet Explorer 6.0. JavaScript: On the Tools menu, choose Internet Options. On the Security tab, click Custom Level. In the Security Settings window, scroll down... Cookies: On the Tools menu, choose Internet Options. On the Privacy tab, set the slider at or below Medium High.
  • Page 28: Installing The Vpn Concentrator Hardware

    Columns: Check; Quantity; Item. Power cords (quantity 1 or 2); Cisco VPN 3000 Series Concentrator CD; Cisco VPN Software Client CD; VPN 3000 Series Concentrator Getting Started (this manual); VPN 3000 Series Concentrator Software License Agreement; Cisco VPN Client Software License Agreement...
  • Page 29 Models 3015 to 3080: Mount the VPN Concentrator in the rack as shown in Figure 2-2. Use screws or fasteners appropriate for your equipment rack. Figure 2-2: Rack Mounting a VPN Concentrator (Model 3005; Models 3015 through 3080)...
  • Page 30 Installing Rubber Feet: To place the VPN Concentrator on a table or shelf, locate the four indentations on the bottom of the chassis. Peel the removable tape off each rubber foot, and place one foot in each indentation. (See Figure 2-3.) Some models of the VPN Concentrator use screws to attach the rubber feet.
  • Page 31 Figure 2-4: Installing Rubber Feet with Screws (Model 3005; Model 3015 through 3080)...
  • Page 32: Connecting Hardware

    Warning: Be sure the console/PC is turned off before you connect cables to it. Do not connect power cables to the VPN Concentrator until instructed. Connecting the Console/PC: Connect the RS-232 straight-through serial cable between the Console port on the back of the VPN Concentrator and the COM1 or serial port on the console/PC.
  • Page 33 Connecting Network Cables: Connect network patch cables between the Ethernet interface jacks on the back of the VPN Concentrator and your network patch panel or device. See Figure 2-5.
  • Page 34 Note: If you have a system with redundant power modules, make sure you connect power cables between both modules and appropriate power outlets. Figure 2-6: Connecting Power Cable(s) (Model 3005; Model 3015 through 3080)...
  • Page 35: Powering Up

    Power up the devices in this sequence: Step 1: Power up the console/PC. Step 2: Start a terminal emulator (e.g., HyperTerminal) on the console/PC. Configure a connection to COM1, with port settings of: 9600 bits per second...
  • Page 36: Beginning Quick Configuration

    You are now ready to begin quick configuration; that is, accepting default values when possible and configuring minimal parameters to make the VPN 3000 Concentrator operational. Note: You can go through the steps of quick configuration only once, unless you reboot the system with the Reboot with Factory/Default configuration option.
  • Page 37 Specify the IP address of your local DNS (Domain Name System) server. System Info | Domain: Specify the registered Internet domain name to use with DNS (for example, cisco.com). System Info | Default Gateway: Specify the IP address or hostname of the default gateway for packets not otherwise routed.
  • Page 38 Table 2-2 Quick Configuration Parameters (continued). Columns: Screen | Parameter Name; Parameter Description and Use; Your Entry. Authentication: Your choice here determines the parameters you see in the following screen. Possible values are: Internal Server...
  • Page 39 Welcome to Cisco Systems VPN 3000 Concentrator Series Command Line Interface Copyright (C) 1998-2005 Cisco Systems, Inc. -- : Set the time on your device..> Time Quick -> [ 15:46:41 ] _ At the cursor, enter the correct device time in the format HH:MM:SS, using 24-hour notation. For example, enter 4:24 p.m.
  • Page 40 Step 6: The system prompts you with a menu to enable DST (Daylight-Saving Time) support. During DST, clocks are set one hour ahead of standard time. Enabling DST support means that the VPN Concentrator automatically adjusts the time zone for DST or standard time.
  • Page 41 Step 10: The system prompts you with a menu to set the transmission mode for the Ethernet 1 interface. You can let the VPN Concentrator automatically detect and set the appropriate mode (the default), or you can configure the interface for full duplex (transmission in both directions at the same time) or half duplex (transmission in only one direction at a time).
  • Page 42 Continue quick configuration with either the VPN Concentrator Manager or the command-line interface. To continue with the VPN Concentrator Manager, see Chapter 3, “Using the VPN Concentrator Manager for Quick Configuration.”...
  • Page 43: Chapter 3 Using The Vpn Concentrator Manager For Quick Configuration

    This chapter tells you how to complete quick configuration of the system using the VPN Concentrator Manager. Quick configuration supplies the minimal parameters needed to make the VPN Concentrator operational, while the Main menu lets you configure all the features of the VPN 3000 Concentrator.
  • Page 44: Logging In To The Vpn Concentrator Manager

    Figure 3-1: VPN Concentrator Manager Login Screen. Step 3: Log in. Entries are case-sensitive, so type them exactly as shown. With Microsoft Internet Explorer, you can press the Tab key to move from field to field;...
  • Page 45: Starting Quick Configuration

    The VPN Concentrator Manager displays the initial configuration screen (see Figure 3-1). Figure 3-2: VPN Concentrator Manager Initial Configuration Screen. To start quick configuration, click the highlighted link that says click here to start Quick Configuration. Note: This screen appears only once—and you can go through the steps of quick configuration only once—unless you reboot the system with the Reboot ignoring the configuration file option.
  • Page 46: Configuring Ip Interfaces

    The Manager displays the Configuration | Quick | IP Interfaces screen appropriate to the model you are configuring. Figure 3-3: Configuration | Quick | IP Interfaces Screen (Model 3005; Models 3015 through 3080). This screen lets you configure the VPN Concentrator Ethernet interfaces.
  • Page 47 For the VPN Concentrator to become fully operational, you must configure the two interfaces you physically connected to your network under Connecting Network Cables, page 2-9. The screen displays the current configuration settings. You entered the IP address and subnet mask for Ethernet 1 in Step 7 and Step 8 under Using the Console, page 2-15.
  • Page 48 You can customize filters under regular system configuration on the Configuration | Policy Management | Traffic Management screens. Cisco supplies the following default filters with the VPN Concentrator: 1.
  • Page 49: Configuring System Information

    10/100 auto—Let the VPN Concentrator automatically detect and set the appropriate speed, either 10 or 100 Mbps (default). If you accept the default, be sure that the port on the active network device (hub, switch, router, etc.) to which you connect this interface is also set to automatically negotiate the speed.
  • Page 50 Step 4: In the Domain field, enter the registered domain in which the VPN Concentrator is located (for example, cisco.com), sometimes called the domain name suffix or subdomain. Step 5: In the Default Gateway field, enter the IP address or hostname of the system to which the VPN Concentrator should route packets that are not explicitly routed.
  • Page 51: Configuring Tunneling Protocols And Options

    The Manager displays the Configuration | Quick | Tunneling screen. Figure 3-6: Configuration | Quick | Tunneling Screen. You must enable at least one of these protocols for the device to function as a VPN device. PPTP and L2TP are popular with Microsoft Windows-based clients, and the VPN 3000 Client uses IPSec.
  • Page 52: Configuring Address Assignment

    Step 7: Click Continue to proceed. If you enable none of the protocols, skip to the section on Changing Admin Password, page 3-21. If you enable at least one protocol, continue to the next section. Configuring Address Assignment: The Manager displays the Configuration | Quick | Address Assignment screen.
  • Page 53: Configuring Authentication

    Step 7: Click Continue to proceed. When you configure the VPN Concentrator to service IPSec or L2TP VPN clients, you must configure the users, users' Group, or Base Group to allocate client VPN (private side) addresses. VPN clients (as opposed to Clientless access) require that the VPN Concentrator provide private-side IP addresses which the clients then use to configure their virtual network adaptors.
  • Page 54 VPN Concentrator; other authentication servers do not. The VPN 3000 software CD-ROM includes a link that customers with Cisco.com logins can use to access an evaluation copy of the CiscoSecure ACS RADIUS authentication server. The VPN 3000 software CD-ROM also has current VPN 3000 VSA registry files that let customers load new supported attributes on their ACS server, and provides instructions for using them.
  • Page 55 Step 2: In the Server Port field, enter the UDP port number by which you access the server. Enter to have the system supply the default port number, 1645. Step 3: In the Timeout field, enter the time in seconds to wait after sending a query to the server and receiving no response, before trying again.
  • Page 56 NT Domain Server Type: Configure these parameters for an external Windows NT Domain authentication server. We suggest you accept the default values. (See Figure 3-10.) Figure 3-10: Configuration | Quick | Authentication Screen, NT Domain Server. To configure the parameters for the NT authentication server, follow these steps: In the Authentication Server Address field, enter the IP address of the NT Domain authentication server;...
  • Page 57 SDI Server Type: Configure these parameters for an external SDI (RSA Security Inc. SecurID) authentication server. We suggest you accept the defaults. Figure 3-11: Configuration | Quick | Authentication Screen, SDI Server. To configure the parameters for the SDI authentication server, follow these steps: In the Authentication Server field, enter the hostname or IP address of the external SDI server.
  • Page 58 Kerberos/Active Directory Server Type: Configure these parameters for an external Windows/Active Directory server or a UNIX/Lynx Kerberos server. Figure 3-12: Configuration | Quick | Authentication Screen, Kerberos/Active Directory Server. To configure the parameters for the Kerberos/Active Directory server, follow these steps: Step 1: In the Authentication Server field, enter the hostname or IP address of the external Kerberos/Active...
  • Page 59: Configuring The Internal Server User Database

    The Manager displays the Configuration | Quick | User Database screen. This screen displays only when you select the internal authentication server. Figure 3-13: Configuration | Quick | User Database Screen. This screen lets you add and remove users in the internal authentication server database.
  • Page 60: Configuring The Ipsec Group

    Step 2: Click << Add. Step 3: Repeat Steps 1 and 2 for each user. The screen refreshes each time you add a user. Step 4: To remove a user, select the user in the Current Users list and click Remove >>. The screen refreshes each time you remove a user.
  • Page 61 Configuring WebVPN Remote Access: The Manager displays the WebVPN Remote Access screen. WebVPN allows remote users to access the corporate network from any computer with an Internet connection to use e-mail, files, or internal websites.
  • Page 62 http://www.cisco.com. In the corresponding text box, enter the name of the link as you want it to appear, for example: Cisco Systems. Step 4: If you want to configure links to particular websites to appear on the WebVPN home page, enter the website name and URL.
  • Page 63: Changing Admin Password

    The Manager displays the Configuration | Quick | Admin Password screen. Figure 3-17: Configuration | Quick | Admin Password Screen. This screen lets you change the password for the admin administrator user. For ease of use during startup, the default admin password supplied with the VPN Concentrator is also admin. Since the admin user has full access to all management and administration functions on the device, we...
  • Page 64: Finishing Quick Configuration

    The Manager displays the Configuration | Quick | Done screen. Figure 3-18: Configuration | Quick | Done Screen. You have finished quick configuration, and your entries constitute the active or running configuration. The VPN Concentrator now has enough information, and it is operational.
  • Page 65: What Next

    Main—Return to the main Manager screen. Help—Open another browser window and view online help for the current Manager screen. Support—Open a Manager screen with links to Cisco support and documentation resources. Logout—Log out of this Manager session and return to the login screen.
  • Page 66: Understanding The Vpn Concentrator Manager Window

    The VPN Concentrator Manager window on your browser consists of three frames—top, left, and main—and it provides helpful messages and tips as you move the mouse pointer over window items. The title bar and status bar also provide useful information.
  • Page 67 Close the help window when you are finished. Click on the Support tab to open a Manager screen with links to Cisco support and documentation resources.
  • Page 68 Click on the Restore icon to restore the screen contents to their status prior to when you last clicked the Reset icon. Click on the Cisco Systems logo to open a browser and go to the Cisco.com web site, www.cisco.com Left frame On Manager screens, the left frame provides a table of contents.
  • Page 69: Chapter 4 Using The Command-Line Interface For Quick Configuration

    This chapter tells you how to complete quick configuration of the system using the VPN 3000 Series command-line interface (CLI). Quick configuration supplies the minimal parameters needed to make the VPN Concentrator operational. For example, a configured remote user with a PC and modem can use Microsoft PPTP and a local ISP to connect securely—in a VPN tunnel through the Internet—with resources on a private, internal corporate network.
  • Page 70: Configuring Ethernet Interfaces

    This section describes how to configure the VPN Concentrator Ethernet interfaces. Ethernet 1 (Private) is the interface to your private network (internal LAN). Ethernet 2 (Public) is the interface to the public network...
  • Page 71 Step 3: The system prompts you for the subnet mask for the Ethernet 2 (Public) interface. The entry in brackets is the standard subnet mask for the IP address you entered above. For example, an IP address of 192.168.12.34 is a Class C address, and the standard subnet mask is 255.255.255.0.
  • Page 72: Configuring System Information

    -- : Enter your Internet domain name; ... > Domain Quick -> _ At the cursor, enter your domain name; for example, cisco.com. Step 4: The system prompts you to specify a default gateway, which is the system to which the VPN Concentrator routes packets that are not explicitly routed.
  • Page 73: Configuring Tunneling Protocols And Options

    Protocol) and L2TP (Layer 2 Tunneling Protocol), with or without Microsoft encryption required; and IPSec (IP Security protocol). PPTP and L2TP are popular with Microsoft Windows-based clients, and the Cisco VPN Client uses IPSec. To enable, disable, and configure virtual private network tunneling protocols and encryption options on the VPN Concentrator, follow these steps: The system shows default settings for PPTP and L2TP—both enabled, both with no encryption required.
  • Page 74: Configuring Address Assignment

    Step 3: The system prompts you to enable or disable L2TP. 1) Enable L2TP 2) Disable L2TP Quick -> [ 1 ] At the cursor, enter to disable L2TP, or press Enter to accept the default (1), which enables L2TP. If you enable L2TP, the system prompts you to select the encryption option.
  • Page 75 Per user—a server assigns IP addresses on a per-user basis. If you are using an authentication server that has IP addresses configured, we recommend using this method. (You configure an authentication server in the next section.) DHCP (Dynamic Host Configuration Protocol)—a DHCP server assigns IP addresses.
  • Page 76: Configuring Authentication

    At the cursor, enter to enable configured pool assignment, or press Enter to accept the default (2), disabled. If you enable configured pool, continue with the next two steps; otherwise, skip them. Step 6: If you enable configured pool address assignment, the system prompts for the starting IP address available in the initial pool.
  • Page 77 To bypass this step and continue quick configuration, enter . If you enabled IPSec tunneling protocol, skip to the “Configuring the IPSec Group” section on page 4-14; otherwise skip to the “Changing the Admin Password”...
  • Page 78 Step 5: If you specified per-user address assignment, the system prompts you to enter the IP address for this user. This is the IP address assigned to this user as a client. >...
  • Page 79 Configuring RADIUS Authentication Server: External RADIUS servers can return group and user authentication parameters that match those on the VPN Concentrator; other authentication servers do not. The VPN Concentrator software CD-ROM includes a trial copy of the CiscoSecure ACS RADIUS authentication server and instructions for using it with the VPN Concentrator.
  • Page 80 Configuring NT Domain Authentication Server: To configure an external Windows NT Domain user authentication server, follow these steps: Step 1: You selected the external Windows NT Domain authentication server, and the system prompts you to enter its IP address.
  • Page 81 At the cursor, enter the SDI port number; for example, 5500. To have the system supply the default port number (5500), press Enter to accept 0 (the default). To continue quick configuration, proceed to the next section, “Configuring the IPSec Group,”...
  • Page 82: Configuring The Ipsec Group

    Chapter 4 Using the Command-Line Interface for Quick Configuration Configuring the IPSec Group Configuring the IPSec Group This section appears only if you enable the IPSec tunneling protocol. The remote-access IPSec client connects to the VPN Concentrator via this group name and password, which are automatically configured on the internal authentication server.
  • Page 83 Chapter 4 Using the Command-Line Interface for Quick Configuration Configuring WebVPN Remote Access Step 2 The system prompts you to enable or disable POP3S. 1) Enable POP3S 2) Disable POP3S Quick -> [ 2 ] At the cursor, enter 1 to enable POP3S, or press Enter to accept the default (2), which disables POP3S.
  • Page 84 Chapter 4 Using the Command-Line Interface for Quick Configuration Setting Up the WebVPN Home Page Setting Up the WebVPN Home Page The following prompts appear only if you enabled WebVPN. (See “Configuring Tunneling Protocols and Options.”) This section describes how to customize the home page that WebVPN users will see when they log in. You can change the title, add a banner, and configure up to four URLs.
  • Page 85: Changing The Admin Password

    Chapter 4 Using the Command-Line Interface for Quick Configuration Changing the Admin Password Changing the Admin Password You can change the password for the admin user. For ease of use during startup, the default admin password supplied with the VPN Concentrator is also admin. Since the admin user has full access to all management and administration functions on the device, we strongly recommend you change this password to improve device security.
  • Page 86: Saving The Active Configuration

    Chapter 4 Using the Command-Line Interface for Quick Configuration Saving the Active Configuration Saving the Active Configuration The system displays the final quick configuration menu. 1) Goto Main Configuration Menu 2) Save changes to Config file 3) Exit Quick -> 2 At the cursor, enter 2 to save the active configuration in the system config file.
  • Page 87: Chapter 5 Testing The Vpn Concentrator

    Chapter 5 Testing the VPN Concentrator To test if you are able to connect to the VPN Concentrator and reach the private network, it is not necessary to install a software client. You can use either of the following methods. On a remote PC, connect to an ISP and use PPTP to create a secure tunnel through the Internet to...
  • Page 88 Chapter 5 Testing the VPN Concentrator Testing the VPN Concentrator Testing the VPN Concentrator Follow these steps to create and test a secure connection from a Windows 2000 PC client to the VPN Concentrator. Step 1 On the client PC, choose Start > Settings > Network and Dial-up Connections > Make a New Connection from the Windows 2000 Start menu.
  • Page 89 Chapter 5 Testing the VPN Concentrator Testing the VPN Concentrator Figure 5-3 Public Network Window Step 5 Choose Do Not Dial the Initial Connection. Step 6 Click Next. The Destination Address window appears. (See Figure 5-4.) Figure 5-4 Destination Address Window Enter the public interface address of your VPN Concentrator.
  • Page 90 Chapter 5 Testing the VPN Concentrator Testing the VPN Concentrator Figure 5-5 Connection Availability Window Step 9 Choose For all Users. Step 10 Click Next. The Completing the Network Connection Wizard window appears. (See Figure 5-6.) Figure 5-6 Completing the Network Connection Wizard Window Step 11 Enter a name for the connection, for example: TestVPN...
  • Page 91 Chapter 5 Testing the VPN Concentrator Testing the VPN Concentrator Figure 5-7 Connect Window Step 13 Enter the username you previously added to the internal server user database. (See “Before You Begin.”) Step 14 Click the Properties button. The Properties dialog box appears. Step 15 Choose the Networking tab.
  • Page 92 Chapter 5 Testing the VPN Concentrator Testing the VPN Concentrator Figure 5-9 Connection Complete Step 19 Click OK to dismiss the window. If you receive an error message, check your connections and VPN Concentrator settings, then run the test again.
  • Page 93: Appendix

    This file contains the crash date and time, software version, tasks, stack, registers, memory, buffers, and timers, which are helpful to Cisco support engineers. In case of a crash, we ask that you send this file when you contact Technical Assistance Center (TAC) for assistance. See Administration | File Management | Files for information on managing files in flash memory.
  • Page 94: Appendix A Troubleshooting And System Error

    Appendix A Troubleshooting and System Errors VPN Concentrator Manager Errors Configuration Files The VPN Concentrator saves the current boot configuration file (CONFIG) and its predecessor (CONFIG.BAK) as files in flash memory. These files may be useful for troubleshooting. See Administration | File Management | Files for information on managing files in flash memory. VPN Concentrator Manager Errors Table A-1 lists errors that might occur while using the HTML-based VPN Concentrator Manager with a browser.
  • Page 95 Appendix A Troubleshooting and System Errors VPN Concentrator Manager Errors Table A-1 VPN Concentrator Manager Errors (continued) Symptom Problem Possible Cause Solution The Manager displays The Manager session No activity for On the Administration | Access Rights | Access • the Invalid Login or has been idle longer (interval) seconds.
  • Page 96 Appendix A Troubleshooting and System Errors VPN Concentrator Manager Errors Table A-1 VPN Concentrator Manager Errors (continued) Symptom Problem Possible Cause Solution The Manager displays a You tried to access an You logged in using Log in using the system administrator login •...
  • Page 97 Appendix A Troubleshooting and System Errors Command-line Interface Errors Command-line Interface Errors Table A-2 lists errors that might occur while using the menu-based Command-line Interface from a console or Telnet session. Table A-2 VPN 3000 Concentrator Command-Line Interface Errors Console Message Problem Possible Cause Solution...
  • Page 98 Appendix A Troubleshooting and System Errors LED Indicators VPN Concentrator (front) LEDs The LEDs on the front of the VPN 3000 Concentrator are as follows: LED Indicator Green Amber System Power on. Normal System has crashed and Power off. (All other halted.
  • Page 99 Appendix A Troubleshooting and System Errors LED Indicators VPN Concentrator Rear LEDs The LEDs on the rear of the VPN 3000 Concentrator are as follows: LED Indicator Green Amber Private / Public / External Ethernet Interfaces (connected to network) Link Carrier detected.
  • Page 101: Appendix

    Grant of License 2. Cisco Systems hereby grants to you the right to use the Software with the Cisco VPN 3000 Concentrator product. To this end, the Software contains both operator software for use by the network administrator and client software for use by clients at remote network nodes.
  • Page 102: Appendix B Copyright, License, And Notice

    Software, except as stated in this paragraph. 5. You may not export the Software, even as part of the Cisco product, to any country for which the United States requires any export license or other governmental approval at the time of export without first obtaining the requisite license and/or approval.
  • Page 103 16. This Agreement is governed by the laws of the State of Massachusetts. 17. If you have any questions concerning this Agreement or wish to contact Cisco Systems for any reason, please call (508) 553-8621, or write to Cisco Systems, Inc.
  • Page 104 Appendix B Copyrights, Licenses, and Notices Other Licenses Other Licenses The VPN 3000 Concentrator Series contains and uses software from other firms, under license. Relevant copyright and license notices follow. BSD Software Copyright © 1990, 1993 The Regents of the University of California. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1.
  • Page 105 Appendix B Copyrights, Licenses, and Notices Other Licenses THIS SOFTWARE IS PROVIDED BY THE INTERNET SOFTWARE CONSORTIUM AND CONTRIBUTORS “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
  • Page 106 Appendix B Copyrights, Licenses, and Notices Other Licenses THE SOFTWARE IS PROVIDED “AS IS” AND DIGITAL EQUIPMENT CORP. DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL DIGITAL EQUIPMENT CORPORATION BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR...
  • Page 107 Appendix B Copyrights, Licenses, and Notices Other Licenses NRL LICENSE NRL grants permission for redistribution and use in source and binary forms, with or without modification, of the software and documentation created at NRL provided that the following conditions are met: 1.
  • Page 108 Appendix B Copyrights, Licenses, and Notices Other Licenses MPPC-C v4 Copyright © 1996-1998 by Hi/fn, Inc. Includes one or more U.S. Patent numbers: 4701745, 5016009, 5126739, 5146221, 5414425, and 5463390. Other Patents Pending. Outline Style Table of Contents in JavaScript OUTLINE STYLE TABLE OF CONTENTS in JAVASCRIPT, Version 3.0 by Danny Goodman (dannyg@dannyg.com) Analyzed and described at length in “JavaScript Bible”, by Danny Goodman...
  • Page 109 Appendix B Copyrights, Licenses, and Notices Other Licenses CMU DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO EVENT SHALL CMU BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  • Page 110 Appendix B Copyrights, Licenses, and Notices Regulatory Standards Compliance Modified for KA9Q Internet Software Package by Katie Stevens (dkstevens@ucdavis.edu) University of California, Davis Computing Services - 01-31-90 initial adaptation (from 1.19) PPP.05 02-15-90 [ks] PPP.08 05-02-90 [ks] use PPP protocol field to signal compression PPP.15 09-90 [ks] improve mbuf handling PPP.16 11-02 [karn] substantially rewritten to use NOS facilities - Feb 1991 Bill_Simpson@um.cc.umich.edu...
  • Page 111 Appendix B Copyrights, Licenses, and Notices Regulatory Standards Compliance Specification Description FCC Part 15 (CFR 47) Class A ICES-003 Class A EN55022 Class A CISPR22 Class A AS/NZS 3548 Class A VCCI Class A EN55024 ETS300 386-2 EN50082-1 EN61000-3-2 EN61000-3-3 Telecom (E1) CTR 12/13 ACA TS016...
  • Page 112 Equipment (JATE). Refer to Table B-2 for JATE approval details. Table B-2 JATE Approval Applicant Name Model Number Approval Number Nihon Cisco Systems CVPN3000-2T1 #D00-0687 JP Nihon Cisco Systems CVPN3005-T1 #D00-0687 JP
  • Page 113 In addition, if equipment is operated in a domestic environment, interference might occur. (FCC) Class A Warning “Modifying the equipment without Cisco's authorization may result in the equipment no longer complying with FCC requirements for Class A or Class B digital devices. In that event, your right to use the equipment may be limited by FCC regulations, and you may be required to correct any interference to radio or television communications at your own expense.”...
  • Page 114 Appendix B Copyrights, Licenses, and Notices Regulatory Standards Compliance Japan (VCCI) Class A Warning Translation: This is a Class A product based on the standard of the Voluntary Control Council for Interference by Information Technology Equipment (VCCI). If this equipment is used in a domestic environment, radio disturbance may arise.

This manual is also suitable for:

3005, 3015, 3020, 3030, 3060, 3080
