Cisco CVPN3002-K9 - Fast Ethernet VPN Gateway Getting Started

Hardware client

VPN 3002 Hardware Client
Getting Started
Release 3.6
August 2002
Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 526-4100
Text Part Number: OL-2854-01

Summary of Contents for Cisco CVPN3002-K9 - Fast Ethernet VPN Gateway

  • Page 1 VPN 3002 Hardware Client Getting Started Release 3.6 August 2002 Corporate Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 526-4100 Text Part Number: OL-2854-01...
  • Page 2 FastTrack, the iQ Logo, iQ Net Readiness Scorecard, Networking Academy, ScriptShare, SMARTnet, TransPath, and Voice LAN are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, Discover All That’s Possible, The Fastest Way to Increase Your Internet Quotient, and iQuick Study are service marks of Cisco Systems, Inc.;...
  • Page 3: Table Of Contents

    Ordering Documentation Documentation Feedback Obtaining Technical Assistance Cisco.com Technical Assistance Center Cisco TAC Web Site Cisco TAC Escalation Center Chapter 1 Understanding the VPN 3002 Hardware Client VPN 3002 Hardware Client or VPN Client Software?
  • Page 4 Contents IPSec over NAT-T IPSec over UDP Additional Software Features Interactive Hardware Client Authentication Individual User Authentication IPSec Backup Servers H.323 in PAT Mode Notes on H.323 GateKeepers 1-11 RADIUS with Password Expiry 1-11 Load Balancing 1-12 Simple Certificate Enrollment Protocol (SCEP) 1-12 Reset/Restore Monitoring Statistics 1-12...
  • Page 5 Contents Chapter 3 Using the VPN 3002 Hardware Client Manager for Quick Configuration Logging into the VPN 3002 Hardware Client Manager Starting Quick Configuration About Quick Configuration Setting the Time and Date Uploading an Existing Configuration File Configuring the Private Interface Configuration | Quick | Private Interface | Address Configuration | Quick | Private Interface | DHCP Server...
  • Page 6 Contents Setting the Time and Date Uploading Configuration Configuring the Private Interface Configuring the Public Interface Configuring a System Name Configuring DHCP Configuring PPPoE Configuring a Static IP Address 4-10 Configuring IPSec 4-12 Configuring PAT or Network Extension mode 4-13 Client Mode (PAT) 4-13 VPN 3000 Concentrator Settings Required for PAT...
  • Page 7 Contents Not Allowed Message Not Found Microsoft Internet Explorer Script Error: No such interface supported A-10 Command-Line Interface Errors A-10 Index A-10...
  • Page 9: Preface

    Preface VPN 3002 Hardware Client Getting Started provides information to take you from unpacking and installing the VPN 3002, through configuring the minimal parameters to make it operational (called Quick Configuration). You can do Quick Configuration from a console with the menu-based Command-Line Interface, or you can use the HTML-based VPN 3002 Hardware Client Manager with a browser.
  • Page 10: Related Documentation

    It also describes all LED indicators on the VPN 3002. Related Documentation Refer to the following documents for further information about Cisco VPN 3000 Series applications and products. VPN 3002 Hardware Client Documentation The VPN 3002 Hardware Client Reference provides details on all the functions available in the VPN 3002 Hardware Client Manager.
  • Page 11: Vpn Client Documentation

    VPN Client software distribution CD-ROM, also in PDF format. To view the latest versions on the Cisco web site, click the Support icon on the toolbar at the top of the VPN Concentrator Manager, Hardware Client Manager, or Client window. To open the documentation, you need Acrobat Reader 3.0 or later;...
  • Page 12: Conventions

    Conventions This document uses the following conventions: boldface font: Commands and keywords are in boldface. italic font: Arguments for which you supply values are in italics. screen font: Terminal sessions and information the system displays are in screen font.
  • Page 13: Data Formats

    Data Formats As you configure and manage the system, enter data in the following formats unless the instructions indicate otherwise: IP Addresses: IP addresses use 4-byte dotted decimal notation (for example, 192.168.12.34); as the example indicates, you can omit leading zeros in a byte position. Subnet Masks and Wildcard Masks: Subnet masks use 4-byte dotted decimal notation (for example,...
  • Page 14: Obtaining Documentation

    Obtaining Documentation These sections explain how to obtain documentation from Cisco Systems. World Wide Web You can access the most current Cisco documentation on the World Wide Web at this URL: http://www.cisco.com Translated documentation is available at this URL: http://www.cisco.com/public/countries_languages.shtml...
  • Page 15: Obtaining Technical Assistance

    Priority level 1 (P1)—Your production network is down, and a critical impact to business operations will occur if service is not restored quickly. No workaround is available. The Cisco TAC resource that you choose is based on the priority of the problem and the conditions of service contracts, when applicable.
  • Page 16: Cisco Tac Web Site

    Obtaining Technical Assistance Cisco TAC Web Site You can use the Cisco TAC Web Site to resolve P3 and P4 issues yourself, saving both cost and time. The site provides around-the-clock access to online tools, knowledge bases, and software. To access the Cisco TAC Web Site, go to this URL: http://www.cisco.com/tac...
  • Page 17: Chapter 1 Understanding The Vpn 3002 Hardware Client

    Chapter 1 Understanding the VPN 3002 Hardware Client The Cisco VPN 3002 Hardware Client communicates with a VPN 3000 Series Concentrator to create a virtual private network across a TCP/IP network (such as the Internet). The VPN 3002 requires minimal configuration, and you can monitor, configure, and upgrade multiple hardware clients at multiple sites from a central location.
  • Page 18: Client Mode And Network Extension Mode

    A new interactive multimedia piece explains the differences between Client (PAT) mode and Network Extension mode. To view it, go to this URL: http://www.cisco.com/mm/techsnap/VPN3002_techsnap.html Your web browser must be equipped with a current version of the Macromedia Flash Player to view the content.
  • Page 19: Client Mode With Split Tunneling

    Client Mode with Split Tunneling You always assign the VPN 3002 to a tunnel group on the central-site VPN Concentrator. If you enable split tunneling for that group, IPSec and PAT are applied to all traffic that travels through the VPN 3002 to networks within the network list for that group behind the central-site VPN Concentrator.
  • Page 20: Ipsec

    Traffic from the VPN 3002 to any destination other than those within the network list on the central-site VPN Concentrator travels in the clear without applying IPSec. NAT translates the network addresses of the devices on the VPN 3002 private network to the address of the VPN 3002 public interface.
  • Page 21: Ipsec Over Udp

    • Select the second or third options for the Fragmentation Policy parameter in the Configuration | Interfaces | Public screen. These options let traffic travel across NAT devices that do not support IP fragmentation;...
  • Page 22: Individual User Authentication

    Enabling and Later Disabling Interactive Hardware Client Authentication When you enable interactive hardware client authentication for a group, the VPN Concentrator pushes that policy to the VPN 3002s in the group. If you have previously set a username and password on the VPN 3002, the software deletes them from the configuration file.
  • Page 23: Ipsec Backup Servers

    Individual users authenticate according to the order of authentication servers that you configure for a group on the VPN Concentrator. You configure individual user authentication on the VPN Concentrator, which pushes the policy to the VPN 3002.
  • Page 24 Be aware of the following characteristics of the backup server feature: • If the VPN 3002 cannot connect after trying all backup servers on the list, it does not automatically...
  • Page 25: H.323 In Pat Mode

    H.323 in PAT Mode H.323 is the packet-based multimedia communications standard written by the ITU. A variety of applications use this standard to effect real-time audio, video and data communications. It lets the VPN 3002 support Microsoft NetMeeting.
  • Page 26 Note: A PC can register with either a GateKeeper or with an ILS server, but not both simultaneously. Gateway: A Cisco IOS H.323 Gateway, for example, a Cisco 3620 router. Gateways let H.323 devices, in this case NetMeeting PCs, communicate with non-H.323 devices, such as POTS phones.
  • Page 27: Notes On H.323 Gatekeepers

    Log off from the GateKeeper before disconnecting the tunnel. Set the GateKeeper registration timeout value to a shorter time period. We recommend 15 minutes. Use the ‘endpoint ttl’ command on the Cisco GateKeeper to set this value. RADIUS with Password Expiry RADIUS with password expiry is an IPSec authentication method that you configure for a VPN 3002 on the VPN Concentrator to which it connects.
  • Page 28: Load Balancing

    The VPN 3002 now supports an XML-based interface that lets you use an external management application. Cisco management applications, third-party applications that manage our products, and customers who want to manage their devices using their own infrastructure can use this interface. This feature is enabled by default;...
  • Page 29: Aes With Diffie-Hellman Group 5

    AES with Diffie-Hellman Group 5 Software version 3.6 adds support for Advanced Encryption Standard (AES), which is more secure than DES and more efficient than triple DES. AES has 128-, 192-, and 256-bit key strengths. This software version also adds support for Diffie-Hellman Group 5.
  • Page 30: Vpn Software Features Summary

    VPN Software Features Summary The VPN 3002 incorporates the following software features: VPN Feature Description Tunneling protocols IPSec Protocol. The VPN 3002 uses the IKE and XAUTH protocols for secure key exchange and authentication, and to create secure VPN tunnels.
  • Page 31: Physical Specifications

    VPN Feature Description System administration • Session monitoring and management • Backup IPSec servers • Load balancing • Software image update • System reset and reboot • Ping • Configurable system administrator profiles...
  • Page 33: Chapter 2 Installing And Powering Up The Vpn 3002

    • Standard UTP/STP twisted-pair network cables, Category 5, with RJ-45 8-pin modular connectors. Cisco supplies two with the system. • A standard straight-through RJ-45 serial cable with a female DB-9 connector, which Cisco supplies with the system. Configuring and Managing the VPN 3002 You can configure and manage the VPN 3002 using the command-line interface from the console or a Telnet or SSH client.
  • Page 34: Javascript And Cookies

    JavaScript and Cookies Be sure JavaScript and Cookies are enabled in the browser. Refer to the documentation for your browser for instructions. Navigation Toolbar Do not use the browser navigation toolbar buttons Back, Forward, or Refresh / Reload with the VPN 3002 Hardware Client Manager unless instructed to do so.
  • Page 35: Installing The Vpn 3002

    Table 2-1 VPN 3002 Hardware Client Packing List (continued) Quantity Item Warranty card and product information packet Hard copy documentation ordering flyer Installing the VPN 3002 You can place the VPN 3002 on a table or shelf, or you can hang it on the wall. Connecting the PC/Console Connect the RJ45 straight-through serial cable between the console port on the back of the VPN 3002 and the COM1 or serial port on the PC.
  • Page 36: Beginning Quick Configuration

    Active image loaded and verified... Starting loaded image... Starting power-up diagnostics... pSH+ Copyright (c) Integrated Systems, Inc., 1992. Cisco Systems, Inc./VPN 3002 Hardware Client Version 3.0(REL) Feb 02 2001 09:53:35 Features: Initializing VPN 3002 Hardware Client ... Initialization Complete...Waiting for Network...
  • Page 37: Quick Configuration Using Default Values

    Step 4 Configure the DHCP server to assign IP addresses for PCs located on the private network. The default IP address pool is 192.168.10.2–192.168.10.128. For Client mode, you do not need to modify this parameter.
  • Page 38: Quick Configuration Using Nondefault Values

    • The registered Internet domain name to use with DNS (such as cisco.com), obtained from your Internet Service Provider (ISP). Static Routes If you want to configure one or more static routes, the IP address(es), subnet mask(s), and metric(s) that apply to the static route(s), and destination router address(es).
  • Page 39: Chapter 3 Using The Vpn 3002 Hardware Client Manager For Quick Configuration

    Chapter 3 Using the VPN 3002 Hardware Client Manager for Quick Configuration This chapter tells you how to complete quick configuration of the system using the VPN 3002 Hardware Client Manager. The VPN 3002 Hardware Client Manager is an HTML-based configuration, administration, and monitoring system built into the VPN 3002.
  • Page 40 Figure 3-1 VPN 3002 Hardware Client Login Screen Step 3 Log in. Entries are case-sensitive, so type them exactly as shown. With Microsoft Internet Explorer, you can click the Tab key to move from field to field;...
  • Page 41: Starting Quick Configuration

    Starting Quick Configuration The Manager displays the VPN 3002 Hardware Client Manager Main screen. Figure 3-2 VPN 3002 Hardware Client Manager Main Screen To start quick configuration, click the underlined link that says Click here to start Quick Configuration. The Manager displays the Time and Date screen, which is the first of the quick configuration screens.
  • Page 42: Setting The Time And Date

    If you make a mistake and see an Error screen with the message, “An error has occurred while attempting to perform the operation,” and you return to the screen where you were working, carefully check all your previous entries on that screen.
  • Page 43: Uploading An Existing Configuration File

    Uploading an Existing Configuration File The Manager displays the Configuration | Quick | Upload Config screen. Figure 3-4 VPN 3002 Configuration | Quick | Upload Config Screen This feature enables you to use HTTP or HTTPS to transfer (upload) configuration files from your PC, or from a system accessible to your PC, to the VPN 3002 flash memory.
  • Page 44: Configuring The Private Interface

    Configuring the Private Interface The VPN 3002 Configuration | Quick | Private Interface screen displays. Figure 3-6 Configuration | Quick | Private Interface Screen This screen lets you configure the VPN 3002 private interface, which is the interface to your private network (internal LAN).
  • Page 45: Configuration | Quick | Private Interface | Address

    Configuration | Quick | Private Interface | Address The Configuration | Quick | Private Interface | Address screen lets you enter a new IP address and subnet mask for the private interface.
  • Page 46 Figure 3-8 Configuration | Quick | Private Interface | DHCP Server Screen Step 1 Check the Enabled box to enable DHCP services for this interface. Step 2 In the Lease Timeout field, enter the amount of time, in minutes, that DHCP clients own the IP address the DHCP server assigns.
  • Page 47: Configuring The Public Interface

    Configuring the Public Interface The Manager displays the Configuration | Quick | Public Interface screen. Figure 3-10 Configuration | Quick | Public Interface Screen The public interface can obtain an IP address in one of three ways: using DHCP, PPPoE, or by static addressing.
  • Page 48: Dhcp

    Step 8 If you specify an IP address, in the Default Gateway field, enter the IP address or hostname of the system to which the VPN 3002 should forward packets that do not have a static route. The default gateway must be accessible from the VPN 3002 public network.
  • Page 49: Configuring Ipsec

    VPN Concentrator over a secure VPN tunnel. The VPN 3002 can also establish IPSec tunnels to other IPSec security gateways, including the Cisco PIX firewall, and Cisco IOS routers. Step 1 In the Remote Server field, enter the IP address or hostname of the VPN Concentrator to which this VPN 3002 hardware client connects.
  • Page 50 Step 6 If you are not using digital certificates, in the Group Name field, enter a unique name for this group (maximum is 32 characters, case-sensitive). This is the same group name that you configure for this VPN 3002 on the central-site VPN Concentrator.
  • Page 51: Configuring Pat Or Network Extension Mode

    To view a brief interactive multimedia piece that explains the differences between the two modes, go to this URL: http://www.cisco.com/mm/techsnap/VPN3002_techsnap.html Your web browser must be equipped with a current version of the Macromedia Flash Player to view the content. If you are unsure whether your browser has the most recent version, you may want to download and install a free copy from: http://www.macromedia.com/shockwave/download/index.cgi?P1_Prod_Version=ShockwaveFlash...
  • Page 52: Client Mode With Split Tunneling

    • PAT mode employs NAT (Network Address Translation). NAT translates the network addresses of the devices connected to the VPN 3002 private interface to the IP address of the VPN 3002 public interface.
  • Page 53: Network Extension Mode Per Group

    In this mode, the central-site VPN Concentrator does not assign an IP address for tunneled traffic (as it does in Client/PAT mode). The tunnel is terminated with the VPN 3002 private IP address (the assigned IP address).
  • Page 54: Tunnel Initiation

    Configure a group to which you assign this VPN 3002. This includes assigning a group name and password. Refer to the chapter, “User Management,” in the VPN 3000 Series Concentrator Reference Volume 1: Configuration.
  • Page 55: Configuring Dns

    Table 3-1 summarizes instances in which the VPN 3002 and the central-site VPN Concentrator can initiate data exchange. Table 3-1 Data Initiation: VPN 3002 and Central-Site VPN Concentrator VPN 3002 Can Send Central-Site VPN Concentrator Can Send Data Mode...
  • Page 56: Configuring Static Routes

    Configuring Static Routes The Manager displays the Configuration | Quick | Static Routes screen. The Static Routes list shows manual IP routes that have been configured. The format is [destination network address/subnet mask -> outbound destination].
  • Page 57: Adding A Static Route

    Adding a Static Route This screen lets you add a new static route to the IP routing table. Figure 3-15 Configuration | Quick | Static Routes | Add Screen In the Network Address field, enter the network IP address for this static route.
  • Page 58: Changing Admin Password

    Changing admin Password The Manager displays the Configuration | Quick | Admin Password screen. Figure 3-16 Configuration | Quick | Admin Password | Screen This screen lets you change the password for the admin administrator user. For ease of use during startup, the default admin password supplied with the VPN 3002 is also admin.
  • Page 59: Finishing Quick Configuration

    Finishing Quick Configuration The Manager displays the Configuration | Quick | Done screen. Figure 3-17 Configuration | Quick | Done Screen You have finished quick configuration, and your entries constitute the active or running configuration. This configuration has now been saved as the boot configuration.
  • Page 60: Using Other Vpn 3002 Hardware Client Manager Functions

    • Help—Opens another browser window and lets you view online help for the current Manager screen. • Support—Opens a Manager screen with links to Cisco support and documentation resources. • Logout—Logs out of this Manager session and returns to the login screen.
  • Page 61: Understanding The Vpn 3002 Hardware Client Manager Window

    Understanding the VPN 3002 Hardware Client Manager Window The VPN 3002 Hardware Client Manager window on your browser consists of three frames—top, left, and main—and it provides helpful messages and tips as you move the mouse pointer over window items.
  • Page 62 Close the help window when you are finished. Click the Support tab to open a Manager screen with links to Cisco support and documentation resources. Click the Logout tab to log out of the Manager and return to the login screen.
  • Page 63 Click the Restore icon to restore the screen contents to their status prior to when you last clicked the Reset icon. Click the Cisco Systems logo to open a browser and go to the Cisco.com web site, www.cisco.com Left frame On Manager screens, the left frame provides a table of contents.
  • Page 65: Chapter 4 Using The Command-Line Interface For Quick Configuration

    Chapter 4 Using the Command-Line Interface for Quick Configuration This chapter tells you how to complete quick configuration of the system using the VPN 3002 command-line interface (CLI). Quick configuration supplies the minimal parameters needed to make the VPN 3002 operational. The CLI is a menu-based configuration, administration, and monitoring system built into the VPN 3002.
  • Page 66: Starting Quick Configuration

    Active image loaded and verified... Starting loaded image... Starting power-up diagnostics... pSH+ Copyright (c) Integrated Systems, Inc., 1992. Cisco Systems, Inc./VPN 3002 Hardware Client Version 3.0(REL) Feb 02 2001 09:53:35 Features: Initializing VPN 3002 Hardware Client ... Initialization Complete...Waiting for Network...
  • Page 67: Setting The Time And Date

    1) Quick Configuration 2) Interface Configuration 3) System Management 4) Policy Management 5) Back Config -> _ At the cursor, enter 1 to start quick configuration. Setting the Time and Date To set the time and date on the VPN 3002: The system prompts you to set the time on your device.
  • Page 68: Uploading Configuration

    -- : +12 : Marshall Is. > Time Zone Quick -> [ -5 ] _ At the cursor, enter the time zone offset in the format +/- NN, or accept the default, -5 for U.S.
  • Page 69 Note If you do not change the private interface IP address, you cannot disable PAT mode. That is, you cannot use Network Extension mode unless you configure a private IP address other than the default, which is 192.168.10.1. The system prompts you to configure the VPN 3002 private interface.
  • Page 70 Step 4 The system gives you the option of configuring the DHCP server. The DHCP server for the private interface lets IP hosts in its network automatically obtain IP addresses from a limited pool of addresses for a fixed length of time, or lease period.
  • Page 71: Configuring The Public Interface

    At the prompt, enter the number of minutes for the DHCP lease period, or press Enter to accept the default, 120 minutes, and continue with quick configuration. The DHCP pool is the range of IP addresses that this DHCP server can assign.
  • Page 72: Configuring A System Name

    Configuring a System Name This table shows current IP addresses. Intf Status IP Address/Subnet Mask MAC Address ------------------------------------------------------------------------------- Pri Intf| 10.10.99.50/255.255.0.0 00.90.A4.00.25.A8 Pub Intf| Disabled 0.0.0.0/0.0.0.0 00.90.A4.00.25.A9 ------------------------------------------------------------------------------- DNS Server(s): DNS Server Not Configured DNS Domain Name: ispdomain.com...
  • Page 73: Configuring Pppoe

    5) Back Quick -> [2] Dynamic Host Configuration Protocol (DHCP) is a communications protocol that lets IP hosts in its network automatically obtain IP addresses from a limited pool of addresses for a fixed length of time, or lease period.
  • Page 74: Configuring A Static Ip Address

    Step 2 Enter a PPPoE username. The maximum length is 64 characters; however, only the first 17 characters display. Press Enter. The system prompts for a PPPoE password. >...
  • Page 75 Step 3 The system prompts for a subnet mask. > Enter Subnet Mask Quick Public Interface -> [ 255.0.0.0 ] Enter the subnet mask for this interface, using dotted decimal notation. The default is a standard subnet mask appropriate for the IP address you just entered.
  • Page 76: Configuring Ipsec

    Configuring IPSec The VPN 3002 connects to the remote VPN Concentrator using the IPSec remote server address, group name and password, and username and password. Note that these are the same group and usernames and passwords that you configure on the central-site VPN Concentrator for this VPN 3002.
  • Page 77: Configuring Pat Or Network Extension Mode

    Step 7 The system prompts you to enter the user password. Minimum is 4, maximum is 32 characters, case-sensitive. The system displays only asterisks. > IPSec User Password Quick ->...
  • Page 78: Network Extension Mode

    Configure a group to which you assign this VPN 3002. This includes assigning a group name and password. See Chapter 14, “User Management,” in the VPN 3000 Series Concentrator Reference Volume 1: Configuration.
  • Page 79: Configuring Dns

    Configuring DNS You can specify a Domain Name System (DNS) server for your local ISP, which lets you enter Internet hostnames (for example, mail01) rather than IP addresses for servers as you configure and manage the VPN 3002.
  • Page 80 If you selected 1 to add a static route, the system now prompts for the Net Address. > Net Address Quick -> Enter the network IP address for this static route. Packets with this address are sent to the destination address below.
  • Page 81: Deleting A Static Route

    Quick -> _ Step 7 The system redisplays the static routes. Static Routes ------------- Destination Mask Metric Destination ------------------------------------------------------------ 0.0.0.0 0.0.0.0 1 130.0.0.1 192.44.55.6 255.0.0.0 1 10.10.99.10 1) Add Static Route 2) Delete Static Route 3) Back 4) Continue...
  • Page 82: Completing Quick Configuration

    At the cursor, enter a new password for admin. Remember that entries are case sensitive. For maximum security, the password should be at least 8 characters long, a mixture of upper- and lower-case alphabetic and numeric characters, and not easily guessed;...
  • Page 83: Appendix

    VPN 3002 Hardware Client Manager Errors Command-Line Interface Errors Files for Troubleshooting The VPN 3002 Hardware Client creates several files that you can examine and that can assist Cisco support engineers when troubleshooting errors and problems: Event log—Record of system events.
  • Page 84: Crash Dump File

    This file contains the crash date and time, software version, tasks, stack, registers, memory, buffers, and timers that help Cisco support engineers diagnose the problem. In case of a crash, we ask that you send this file when you contact TAC for assistance. To view the CRSHDUMP.TXT file, see Administration | File Management | View, and click View Saved Log Crash Dump File.
  • Page 85: VPN 3002 Rear LEDs

    Make sure that the power cable is plugged into the VPN 3002 and a power outlet. SYS LED is solid amber. Unit has failed diagnostics. Contact Cisco Support immediately. You see this LED display: Verify that the VPN Concentrator to which this VPN 3002 connects is running version 3.0 software or...
  • Page 86: Settings on the VPN Concentrator

    Appendix A Troubleshooting and System Errors Settings on the VPN Concentrator Table A-1 Analyzing System Errors (continued) Problem or Symptom Possible Solution VPN LED is solid amber (tunnel failed Make sure the IPSec parameters are properly to establish to central-site VPN configured.
  • Page 87: VPN 3002 Hardware Client Manager Errors

    Appendix A Troubleshooting and System Errors VPN 3002 Hardware Client Manager Errors Step 4 If you are using Network Extension mode, configure a default gateway or a static route to the private network of the VPN 3002. Refer to Chapter 8, “IP Routing,” in the VPN 3000 Series Concentrator Reference Volume 1: Configuration.
  • Page 88: Manager Logs Out

    Appendix A Troubleshooting and System Errors VPN 3002 Hardware Client Manager Errors Table A-2 Invalid Login or Session Timeout Screen Problem Possible Cause Solution You entered an • Typing error. • Reenter the login name and invalid administrator password, and click Login. •...
  • Page 89: Incorrect Display

    Appendix A Troubleshooting and System Errors VPN 3002 Hardware Client Manager Errors Incorrect Display The Manager displays an incorrect screen or data when you click the browser back or forward button. Table A-4 Browser Back or Forward Button Displays an Incorrect Screen or Incorrect Data Problem Possible Cause Solution...
  • Page 90: Not Allowed Message

    Appendix A Troubleshooting and System Errors VPN 3002 Hardware Client Manager Errors Not Allowed Message The Manager displays a screen with the message: “Not Allowed / You do not have sufficient authorization to access the specified page.” (See Figure A-3.) Figure A-3 Not Allowed Screen Table A-6...
  • Page 91: Not Found

    Then try again. browser’s cache. • There is an internal Please note the system information on the screen Manager error. and contact Cisco support personnel for assistance. VPN 3002 Hardware Client Getting Started OL-2854-01...
  • Page 92: Microsoft Internet Explorer Script Error: No Such Interface Supported

    Appendix A Troubleshooting and System Errors Command-Line Interface Errors Microsoft Internet Explorer Script Error: No such interface supported Microsoft Internet Explorer displays a Script Error dialog box that includes the error message: “No such interface supported.” Table A-8 Microsoft Internet Explorer Script Error Problem Possible cause Solution...

This manual is also suitable for:

3002
