Go to page of
Similar user manuals
-
Switch
Cisco Systems N6KC600164P
204 pages 45.73 mb -
Switch
Cisco Systems 2955
11 pages 0.08 mb -
Switch
Cisco Systems 116T
12 pages 0.29 mb -
Switch
Cisco Systems SFS 3012
79 pages 2.15 mb -
Switch
Cisco Systems 4500 E-Series
152 pages 8.7 mb -
Switch
Cisco Systems 3200
246 pages 69.64 mb -
Switch
Cisco Systems Cisco ME 3400E
100 pages 4.42 mb -
Switch
Cisco Systems 3750-48PS
23 pages 0.27 mb
A good user manual
The rules should oblige the seller to give the purchaser an operating instrucion of Cisco Systems VPN 3000, along with an item. The lack of an instruction or false information given to customer shall constitute grounds to apply for a complaint because of nonconformity of goods with the contract. In accordance with the law, a customer can receive an instruction in non-paper form; lately graphic and electronic forms of the manuals, as well as instructional videos have been majorly used. A necessary precondition for this is the unmistakable, legible character of an instruction.
What is an instruction?
The term originates from the Latin word „instructio”, which means organizing. Therefore, in an instruction of Cisco Systems VPN 3000 one could find a process description. An instruction's purpose is to teach, to ease the start-up and an item's use or performance of certain activities. An instruction is a compilation of information about an item/a service, it is a clue.
Unfortunately, only a few customers devote their time to read an instruction of Cisco Systems VPN 3000. A good user manual introduces us to a number of additional functionalities of the purchased item, and also helps us to avoid the formation of most of the defects.
What should a perfect user manual contain?
First and foremost, an user manual of Cisco Systems VPN 3000 should contain:
- informations concerning technical data of Cisco Systems VPN 3000
- name of the manufacturer and a year of construction of the Cisco Systems VPN 3000 item
- rules of operation, control and maintenance of the Cisco Systems VPN 3000 item
- safety signs and mark certificates which confirm compatibility with appropriate standards
Why don't we read the manuals?
Usually it results from the lack of time and certainty about functionalities of purchased items. Unfortunately, networking and start-up of Cisco Systems VPN 3000 alone are not enough. An instruction contains a number of clues concerning respective functionalities, safety rules, maintenance methods (what means should be used), eventual defects of Cisco Systems VPN 3000, and methods of problem resolution. Eventually, when one still can't find the answer to his problems, he will be directed to the Cisco Systems service. Lately animated manuals and instructional videos are quite popular among customers. These kinds of user manuals are effective; they assure that a customer will familiarize himself with the whole material, and won't skip complicated, technical information of Cisco Systems VPN 3000.
Why one should read the manuals?
It is mostly in the manuals where we will find the details concerning construction and possibility of the Cisco Systems VPN 3000 item, and its use of respective accessory, as well as information concerning all the functions and facilities.
After a successful purchase of an item one should find a moment and get to know with every part of an instruction. Currently the manuals are carefully prearranged and translated, so they could be fully understood by its users. The manuals will serve as an informational aid.
Table of contents for the manual
-
Page 1
170 West Ta sman Drive San Jos e, CA 95134 -1706 USA http://www.ci sco.com Cisco System s, Inc . Corporate He adquarters Tel: 800 553-NE TS (6387 ) 408 526-4 000 Fax: 408 526-4 100 VPN 30 0 0 Concentrator S eries User Guide R ele ase 2 .5 July 20 0 0 Custome r Order N umber: D OC-78111 37= Text Pa rt Num ber: 78 -11137-0 1[...]
-
Page 2
THE SPECIFICATIONS AND INFORMATION REGARDING TH E PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS , INFORMATION, AND RECOMM ENDATIONS IN THIS MANUA L ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANT Y OF ANY KIND, EXPRESS OR IMP LIED. USERS MUST TAKE FULL RESPONSIB ILITY FOR THEIR APPLICATION OF ANY PR ODUC[...]
-
Page 3
iii VPN 3000 Conce ntrator Seri es User Guide CONTENTS Tabl e of c onten ts Preface Abou t this manu al . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxvii Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .[...]
-
Page 4
Cont ents—2 Co nfigu rati on iv VPN 3000 Concent rator Ser ies User Guide Logout tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-21 Logged in: [username] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . [...]
-
Page 5
Contents — 3 Inter face s v VPN 3000 Conce ntrator Seri es User Guide RIP P aram eters tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-10 Inbound RIP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . [...]
-
Page 6
Cont ents — 4 Sy stem Configura tion vi VPN 3000 Concent rator Ser ies User Guide Loopback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-24 T imeslo ts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . [...]
-
Page 7
Cont ents — 6 Addr ess Mana geme nt vii VPN 3000 Conce ntrator Seri es User Guide Conf igurat ion | Syste m | Serve rs | Acc ountin g . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5- 11 Accounting Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .[...]
-
Page 8
Cont ents — 7 T un neling Proto cols viii VPN 3000 Conc entrat or Series Use r Guide Conf igurat ion | Syste m | Addr ess Mana gem ent | Pool s | Add or Mod ify . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-4 Range Start . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .[...]
-
Page 9
Cont ents — 8 IP Routi ng ix VPN 3000 Conce ntrator Seri es User Guide Remo te Net work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-15 Networ k List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .[...]
-
Page 10
Cont ents — 9 Man agement Pr otoco ls x VPN 3000 Concent rator Ser ies User Guide Tunnel Default Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-6 Overr ide Def ault Ga tewa y . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . [...]
-
Page 11
Conten ts — 10 Events xi VPN 3000 Conce ntrator Seri es User Guide Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-5 Maximum Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . [...]
-
Page 12
Cont ents — 10 Events xii VPN 3000 Conc entrat or Series Use r Guide Config uratio n | System | Ev ents | FTP Bac kup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-9 FTP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . [...]
-
Page 13
Cont ents — 11 Gene ral xiii VPN 3000 Conce ntrator Seri es User Guide 11 General Config uratio n | System | Gener al . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-1 Conf igurat ion | Syste m | Gene ral | Iden tificatio n . . . . . . . . . . . . . . . . . . . . . .[...]
-
Page 14
Cont ents — 12 User Ma nagemen t xiv VPN 3000 Conc entrat or Series Use r Guide Config uratio n | User Manag ement | Grou ps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-16 Current Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . [...]
-
Page 15
Content s — 13 Poli cy Mana gemen t xv VPN 3000 Conce ntrator Seri es User Guide Conf igurat ion | User Manage men t | Groups | Modify (Extern al) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-32 Group Name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . [...]
-
Page 16
Cont ents — 13 Policy Mana gement xvi VPN 3000 Concent rator Ser ies User Guide Conf igurat ion | Pol icy Man agem ent | Tr affic Ma nagem ent | Ne twork Lists | Ad d, Modi fy, or Copy . . . . . 13-7 List N ame . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .[...]
-
Page 17
Content s — 13 Poli cy Mana gemen t xvii VPN 3000 Conce ntrator Seri es User Guide Configu ration | Polic y Manageme nt | Traffic Mana gement | Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-28 Filter Li st . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .[...]
-
Page 18
Cont ents — 14 Administration xviii VPN 3000 Conc entrat or Series Use r Guide 14 Administration Admi nistra tion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-1 Admin istrat ion | Sess ions . . . . . . . . . . . . . . . . . . . . . . [...]
-
Page 19
Conten ts — 14 Administra tion xix VPN 3000 Conce ntrator Seri es User Guide Admin istrat ion | Moni toring Ref resh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-2 0 Enable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .[...]
-
Page 20
Cont ents — 14 Administration xx VPN 3000 Concent rator Ser ies User Guide Admi nistra tion | Fil e Manag emen t | TFTP Tr ansf er . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-32 Conc entrator Fi le . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .[...]
-
Page 21
Conten ts — 15 Monitoring xxi VPN 3000 Conce ntrator Seri es User Guide Subje ct Alterna tive Nam e (Ful ly Qualif ied D omain Na me) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-46 CRL Distr ibutio n Poin t . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . [...]
-
Page 22
Cont ents — 15 Monitoring xxii VPN 3000 Conc entrat or Series Use r Guide Event IP address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-8 Event string . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .[...]
-
Page 23
Conten ts — 15 Monitoring xxiii VPN 3000 Conce ntrator Seri es User Guide Pack ets Rece ived . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-17 Bytes R eceiv ed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . [...]
-
Page 24
Cont ents — 15 Monitoring xxiv VPN 3000 Conc entrat or Series Use r Guide Moni tor | Sess ions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-26 Refr esh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . [...]
-
Page 25
Conten ts — 15 Monitoring xxv VPN 3000 Conce ntrator Seri es User Guide Bar Gr aph . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-40 Percentage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . [...]
-
Page 26
Cont ents — 15 Monitoring xxvi VPN 3000 Conc entrat or Series Use r Guide Monit or | Stati stic s | L2TP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-51 Refr esh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . [...]
-
Page 27
Conten ts — 15 Monitoring xxvii VPN 3000 Conce ntrator Seri es User Guide System Capability Failures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-58 No-SA Failu res . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .[...]
-
Page 28
Cont ents — 15 Monitoring xxviii VPN 3000 Conc entrat or Series Use r Guide Timeouts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-65 Server Unreachable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . [...]
-
Page 29
Conten ts — 15 Monitoring xxix VPN 3000 Conce ntrator Seri es User Guide Inva lid T y pe Re ceive d . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-73 Addres s Lis t Er rors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .[...]
-
Page 30
Cont ents — 15 Monitoring xxx VPN 3000 Concent rator Ser ies User Guide UDP Data gram s Re ceived . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-81 UDP Da tagra ms Trans mitte d . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . [...]
-
Page 31
Conten ts — 15 Monitoring xxxi VPN 3000 Conce ntrator Seri es User Guide Area Border Rou ters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-90 Area LSA Count . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .[...]
-
Page 32
Cont ents — 16 Using th e Command Line Interface xxxii VPN 3000 Conc entrat or Series Use r Guide Monit or | Stati stic s | MIB-II | SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15- 98 Refr esh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . [...]
-
Page 33
Cont ents — A Er rors a nd troub lesh ooti ng xxxiii VPN 3000 Conce ntrator Seri es User Guide 2.3.2 Administration > System Reboot > S chedule Reboot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-15 2.3.3 Administration > System Reboot > S chedule Shutdown . . . . . . . . . . . . . . . . . . . .[...]
-
Page 34
Cont ents — B Co pyrig hts, lice ns es, a nd no tic es xxxiv VPN 3000 Conc entrat or Series Use r Guide LED indic ator s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A- 9 VPN Concent rato r LEDs (f ront ) . . . . . . . . . . . . . . . [...]
-
Page 35
Contents — Index xxxv VPN 3000 Conce ntrator Seri es User Guide Tables T able 5-1: RADIUS accounting record attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-12 T able 7-1: Cisco-supplied default IKE Proposals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .[...]
-
Page 36
[...]
-
Page 37
xxxvii VPN 3000 Conce ntrator Seri es User Guide Preface About this manual The V PN 3000 C oncentrat or Series User Guide provides guide lines for c onfiguring the Cisco VPN 3000 Concentrato r , details on al l the functi ons a v ailable in the VPN 3000 Concen trator Ser ies Mana ger , and instru ctions fo r using the V PN 3000 Concent rator Series[...]
-
Page 38
Prefac e xxxviii VPN 3000 Conc entrat or Series Use r Guide Chapter 6, Addre ss Manageme nt exp lains h ow to conf igur e client IP addresses a v ailabl e in your pri vate network a ddress ing schem e, tha t let t he clien t func tion as a VPN tunnel endpoint . Chapter 7, Tunne ling Protoc ols explains how to configure syste m-wide pa ramete rs for[...]
-
Page 39
Docume ntation Co nventi ons xxxix VPN 3000 Conce ntrator Seri es User Guide The VP N 3000 M onitor User Guide expla ins how to install, set up, a nd use th e VPN 3 000 Monit or , which is a separate Ja v a ™ appli cation that polls VPN 300 0 Concent rators in a netwo rk for infor mation and displays th at informa tion on your work station . The [...]
-
Page 40
Prefac e xl VPN 3000 Concent rator Ser ies User Guide Data Formats As y ou conf igu re and mana ge the system , enter data in thes e for mats unl ess t he instr uctions indi cate otherwi se. IP addresse s IP addre sses use 4-byte dotted decima l notati on; for exam ple, 192. 168.12 .34 . Y ou can omit lea ding zeros in a byte positio n. Subnet mas [...]
-
Page 41
Contac ting Cisco wit h questio ns xli VPN 3000 Conce ntrator Seri es User Guide Contacting Cisco with questions Cisco p rovides extensive technica l suppo rt throu gh its o wn st aff and throug h auth orized agents. If y ou hav e questio ns, we suggest yo u f irst try the Cisc o W eb site at www.cisc o.com , and go to the Service & Supp ort se[...]
-
Page 42
[...]
-
Page 43
1-1 VPN 3000 Conce ntrator Seri es User Guide CHAPTER 1 Using the VPN 3000 Concen trator Series Manager The VP N 3000 Conce ntrator Se ries Man ager is an HTM L-bas ed interfa ce that le ts you configur e, administ er , monito r , and manage the VPN 3000 Concentrato r with a stan dard W eb browser . T o use it, you need only to c onnect t o the VPN[...]
-
Page 44
1 Using the VPN 3000 Concentrator Series Manager 1-2 VPN 3000 Concentrat or Seri es User Guide • Intern et Expl orer 5.0: – On the To o l s menu , sel ect Internet Options . – On the Security tab, click Custom Level . – In the Security Settings window , scroll do wn to Scripting . – Click Enab le under Active scripting . – Click Enab le[...]
-
Page 45
Conne cting to t he VPN Conc entr ator using HTTP 1-3 VPN 3000 Conce ntrator Seri es User Guide Connecting to the VPN Concentrator using HTTP When your syst em admini stration tasks and network permit a cleart ext connecti on between th e VPN Concentra tor and your browser, you can use the standard HT TP protocol to connect to the system. Ev en if [...]
-
Page 46
1 Using the VPN 3000 Concentrator Series Manager 1-4 VPN 3000 Concentrat or Seri es User Guide install ed, you can co nnect usin g HTTPS. Y ou need to install th e certificat e from a giv en VPN Conc entrator o nly once. Managin g the VPN Con centrator is th e same with o r withou t SSL. Manager screens may take slightl y longer to load with SSL be[...]
-
Page 47
Installing the SSL ce rtificate i n your browser 1-5 VPN 3000 Conce ntrator Seri es User Guide Figure 1 -3: Inter net Explorer File Do wnload dialog box 3 Click the Open this file fr om its current location radi o button, then clic k OK . The br owser displays the Ce rtificate dialog bo x with infor mation ab out th e certificate. Y ou must now ins[...]
-
Page 48
1 Using the VPN 3000 Concentrator Series Manager 1-6 VPN 3000 Concentrat or Seri es User Guide Figure 1 -5: Inter net Explorer Cer tificate M anager Impor t Wizard dialog bo x 5 Click Next to con tinue. The wiza rd opens the next dialog box ask ing you to select a cert ificate store. Figure 1 -6: Inter net Explorer Cer tificate M anager Impor t Wiz[...]
-
Page 49
Installing the SSL ce rtificate i n your browser 1-7 VPN 3000 Conce ntrator Seri es User Guide Figure 1 -7: Inter net Explorer Cer tificate M anager Impor t Wizard dialog bo x 7 Click Finish . The wi zard ope ns the Root Certificate Store dialog box asking yo u to confirm the installation . Figure 1 -8: Inter net Explorer Root Cer tificate St or e [...]
-
Page 50
1 Using the VPN 3000 Concentrator Series Manager 1-8 VPN 3000 Concentrat or Seri es User Guide Figure 1 -1 0: Inter net Exp lor er Secur ity Alert dialog box 11 Click OK . The V PN Conce ntrator displays the H TTPS version of the Manage r login s creen. Figure 1 -1 1: VPN Concentrat or Manager login screen using HTTPS (Inter net Explorer) The bro w[...]
-
Page 51
Installing the SSL ce rtificate i n your browser 1-9 VPN 3000 Conce ntrator Seri es User Guide V iewing certificates with Int ernet Explorer Ther e are (at l eas t) two ways t o exam ine c ertific ates s tore d in Inter net Explor er . First, note t he padlock i con on the br o wser status ba r in Figure 1-11. If yo u double- click on the icon, the[...]
-
Page 52
1 Using the VPN 3000 Concentrator Series Manager 1-1 0 VPN 3000 Conc entrat or Series Use r Guide Installing the SSL certificate with Netscape This secti on describe s SSL certificate inst allatio n using Netsc ape Navigator / Commun icator 4.5. Reinstallation Y ou n eed to i nstall the SSL cer tificate from a giv en VPN Concen trator onl y once. I[...]
-
Page 53
Installing the SSL ce rtificate i n your browser 1-1 1 VPN 3000 Conce ntrator Seri es User Guide Figure 1 -16: Netscape New Certificat e A uthor ity scre en 2 2 Click Next> to p roc eed. Netscap e displays the next New Certificate Authority screen, which lets you examine detai ls of the VPN Concen trator SSL ce rtif icate. Figure 1 -1 7: Netscap[...]
-
Page 54
1 Using the VPN 3000 Concentrator Series Manager 1-12 VPN 3000 Concent rator S eries User Guid e Figure 1 -1 8: Netscape New Certificat e A u thor ity scr een 4 4 Y ou must check at least the first box, Accept this Certificate Authority for Certifying network sites . Click Next> t o pr oceed. Netscap e displays the next New Certificate Authority[...]
-
Page 55
Installing the SSL ce rtificate i n your browser 1-13 VPN 3000 Conce ntrator Seri es User Guide Figure 1 -20: Netscape New Certificat e A uthor ity scre en 6 6 In the Nicknam e fiel d, enter a descri pti ve nam e for this certif icate. “ Nickname ” is something of a misnome r . W e s uggest y ou use a clear ly descrip tiv e name such as Cisc o [...]
-
Page 56
1 Using the VPN 3000 Concentrator Series Manager 1-1 4 VPN 3000 Concent rator Ser ies User Guide Figure 1 -22: VPN Concentrat or Manager login scr een using HTTPS (Netscape) The bro w ser ma intains the HTTPS state until you close i t or ac cess an un secure site; in the latter c ase, you may see a Security Information Alert dia log box . Procee d [...]
-
Page 57
Installing the SSL ce rtificate i n your browser 1-1 5 VPN 3000 Conce ntrator Seri es User Guide V iewing certificates with Netscape There are (at least) two w ays to e xamine certif icate s stored in Netscape Navi gator / Communicator 4.5. First, note th e locked-p adlock icon on the botto m status bar in Figu re 1-22. If yo u click on the ic on, [...]
-
Page 58
1 Using the VPN 3000 Concentrator Series Manager 1-1 6 VPN 3000 Concent rator Ser ies User Guide Figure 1 -25: Netscape Cer tificates Signers list Select a cert ifica te, t hen cli ck Edit , V erify , or Delete . Click OK when fi nished .[...]
-
Page 59
Connec ting to th e VPN Con centrato r using H TTPS 1-1 7 VPN 3000 Conce ntrator Seri es User Guide Connecting to the VPN Concentrator using HTTPS Once you ha ve installed the VPN Concentrator SSL c ertif icate in t he bro wser , you can co nnect directly using HTTPS. 1 Bring up the browser . 2 In th e browser Addres s or Location fiel d, e nt er h[...]
-
Page 60
1 Using the VPN 3000 Concentrator Series Manager 1-1 8 VPN 3000 Concent rator Ser ies User Guide Logging in the VPN Concentrator Manager Logging in t he VPN Concen trator Manage r is th e same for b oth type s of con nections : cle artext HTT P or secure HTTPS. Entries ar e case- sensiti v e, so typ e them c arefully . W ith Mi crosoft I nternet E [...]
-
Page 61
Configu ring HTTP , HT TPS, and SSL parame ters 1-1 9 VPN 3000 Conce ntrator Seri es User Guide Configuring HTTP , HTTPS, an d SSL parameters HTTP , HTTPS, and SSL ar e enable d by defa ult on the VPN Con centrat or , and the y are co nf igured with recommended paramet ers that should suit most administration tasks and security req uirements. T o c[...]
-
Page 62
1 Using the VPN 3000 Concentrator Series Manager 1-20 V PN 3000 Conc entrat or Series Use r Guide Mouse pointer and tips As yo u move the mou se poi nter over an active area, t he poi nter change s shape and i cons c hange col or . A descriptio n also appears in the status bar area . If you momentarily re st the pointer on an icon, a descript iv e [...]
-
Page 63
Under standing th e VPN Conce ntrator Ma nager wi ndow 1-21 VPN 3000 Conce ntrator Seri es User Guide tac@cisco. com Click this link to open your configu red email applica tion and compose an ema il message to Cisco ’ s T echnic al Assistan ce Cent er (T A C ). Wh en you finish , the appli cation cl oses and retu rns to t his S upport screen. Log[...]
-
Page 64
1 Using the VPN 3000 Concentrator Series Manager 1-22 V PN 3000 Conc entrat or Series Use r Guide Refresh Click to refresh (upd ate) the screen conten ts on screens where it appear s (mostly in the Monitorin g section). The date a nd time a bov e this reminder indi cate when the screen was l ast updated. Cisco Sy stems logo Click the C isco Systems[...]
-
Page 65
Organiza tion of th e VPN Con centrato r Manager 1-23 VPN 3000 Conce ntrator Seri es User Guide Organization of the VPN Con centrato r Manager The VP N Concentr ator Mana ger consi sts of three ma jor secti ons and many subsec tions: • Configuration : setting all the pa rameters for the VPN Con centrator tha t gov ern its use and functi onality a[...]
-
Page 66
1 Using the VPN 3000 Concentrator Series Manager 1-24 V PN 3000 Conc entrat or Series Use r Guide Navigating the VPN Concentrator Manager Y our primary tool for navig ating the VPN Concen trator Manage r is the table of contents in the left frame. Figure 1-30 sho ws all its entr ies, completely e xpanded. (The f ig ure sho ws the frame in mult iple[...]
-
Page 67
2-1 VPN 3000 Conce ntrator Seri es User Guide CHAPTER 2 Configuration Conf iguring the VPN Co ncentrator means setting all the parameter s that go ve rn its use and fu nctionality as a VPN de vice. Cisco supp lies default param eters that cov er typ ical installat ions and uses; and once you supply minim al parameters in Qu ick Conf iguration, the [...]
-
Page 68
[...]
-
Page 69
3-1 VPN 3000 Conce ntrator Seri es User Guide CHAPTER 3 Interfaces This se ction of the VPN 300 0 Conc entrat or Series M anager applies pr imaril y to Et hernet a nd W AN networ k interfa ces. Here you conf igure functi ons that are interf ace-speci fic , rather than system-wid e. There i s also a scree n to configure power supply and voltage sens[...]
-
Page 70
3 Interfaces 3-2 VPN 3000 Concentrat or Seri es User Guide Configuration | In terfaces This section lets you conf igure the th ree VPN Concentra tor Ethernet interface modules and, i f present, two W AN module interface ports. Y ou can a lso configure a larm thresho lds for the power sup ply module s. Model 30 05 co mes wit h two Et hernet int erfa[...]
-
Page 71
Configur ation | Int erfaces 3-3 VPN 3000 Conce ntrator Seri es User Guide Figure 3-1: Configurat ion | Interf ac es scr een T o co nfigur e a module, either c lick the appropr iate link in the status t able; or use the mouse poin ter to select the m odule on the ba ck-p anel im age, and c lick anyw here in the hi ghlight ed are a. Interface The VP[...]
-
Page 72
3 Interfaces 3-4 VPN 3000 Concentrat or Seri es User Guide Ethernet 1 (Private), Ethernet 2 (Public) , Ethernet 3 (External) T o co nfig ure Ethernet interf ace paramet ers, click the a ppropriate highlighte d link in the tabl e or click in a highl ighted module on the bac k-pan el imag e. See Co nfigur atio n | I nter faces | Et hernet 1 2 3 . WAN[...]
-
Page 73
Configuration | Inte rfaces | Power 3-5 VPN 3000 Conce ntrator Seri es User Guide Powe r Supplies T o configure alarm threshol ds on syst em power supplie s, clic k the appr opriate hi ghlighted link or c lick in a h ighlight ed po wer supply module in the bac k-panel image a nd s ee Configuration | Interfaces | Power . Ethernet 1 (Private), Ethern[...]
-
Page 74
3 Interfaces 3-6 VPN 3000 Concentrat or Seri es User Guide Figure 3-2: Configurat ion | Interf aces | Po wer s creen Alarm Threshold s The fields show default values for a larm th resholds in ce ntiv olts; e.g., 361 = 3 .61 volts. Enter or edi t thes e v alu es as desi red. The hardw are sets v oltage th resholds in incr ements that may not match a[...]
-
Page 75
Conf igur ati on | In terf aces | Ethe rne t 1 2 3 3-7 VPN 3000 Conce ntrator Seri es User Guide Apply / C ancel T o apply you r settings to the system and inclu de them in the acti ve co nfig uration, click Apply . The Manager returns to the Con figuration | Interfaces screen. Remin der: To save the activ e configuratio n and make it the boot conf[...]
-
Page 76
3 Interfaces 3-8 VPN 3000 Concentrat or Seri es User Guide Figure 3-3: Configurat ion | Interf aces | E ther n et 1 2 3 scr een, General tab General Parameters tab This t ab lets you configure general i nterface pa rameter s: IP ad dress, subne t mask, pu blic in terface stat us, filter , speed, and transmission mode . Enabled T o mak e the interf [...]
-
Page 77
Conf igur ati on | In terf aces | Ethe rne t 1 2 3 3-9 VPN 3000 Conce ntrator Seri es User Guide IPSec LA N-to-L AN, f or example. Y ou should designa te only one V PN Conce ntrator interfac e as a publi c interf ac e. MAC Address This is th e unique hard ware MAC (Medium Acce ss Control) addr ess for this inte rface, displa yed in 6-byte hexadeci [...]
-
Page 78
3 Interfaces 3-1 0 VPN 3000 Conc entrat or Series Use r Guide Figure 3-4: Configurat ion | Interf aces | E ther n et 1 2 3 scr een, RIP tab RIP Parameters tab RIP is a routing protocol that router s use for messages to oth er route rs, to de termine n etwork connec ti vity , status, and opt imum path s for sending data traffic. RIP uses distanc e-v[...]
-
Page 79
Conf igur ati on | In terf aces | Ethe rne t 1 2 3 3-1 1 VPN 3000 Conce ntrator Seri es User Guide RIPv2 Only = Send only RI Pv2 message s on this interface. RIPv2/v1 compatible = Send RIPv2 messages that are compatible with RIPv1 on this inte rface. Figure 3-5: Configurat ion | Interf aces | E ther n et 1 2 3 scr een, OSPF tab OSPF Parameters tab [...]
-
Page 80
3 Interfaces 3-12 VPN 3000 Concent rator S eries User Guid e The 0.0.0. 0 area ID identif ies a special area — the backbone — that contain s all area bor der router s, which ar e the rout ers conne cted to multip le areas. Enter th e area ID in the f ield, usin g IP addr ess forma t in dott ed decim al notation (e.g., 10.10.0.0 ). Th e default [...]
-
Page 81
Conf igur ati on | In terf aces | Ethe rne t 1 2 3 3-13 VPN 3000 Conce ntrator Seri es User Guide Enter the delay as a num ber from 0 to 3600 seconds. T he default is 1 second, which is a typi cal v alue for LA Ns. OSPF Authentication This paramete r sets the authentication method for OSPF protocol messages. OSPF messages can be authenti cated so t[...]
-
Page 82
3 Interfaces 3-1 4 VPN 3000 Concent rator Ser ies User Guide Configuration | In terfaces | W AN Card in Slot N The Man ager disp lays this screen w hen you c lick the W AN module in the back-pa nel image on the Configuration | Interfaces screen. The ta ble shows the status of the W A N modul e inte rface por ts, an d from there you ca n choose a po[...]
-
Page 83
Configuration | Interfaces | W AN Card in Slot N | Port A B | Select T1/E1 3-1 5 VPN 3000 Conce ntrator Seri es User Guide Red = (Red) Red alarm: Line has lost synchron ization or signa l. This alar m indicate s out of frame erro rs or a mismat ched fra ming format, or a disconn ected line. Blue = (Blue) Blue alarm: A proble m on the recei v e path[...]
-
Page 84
3 Interfaces 3-1 6 VPN 3000 Concent rator Ser ies User Guide E1: up to 31 64-Kbps c hannels The E1 inter face confor ms to Eu ropean Digital Hierarchy standar ds, with up to 31 64-Kbps chan nels for a maxim um of 1984 Kbps. When you click t his link, the Mana ger opens t he Configuration | Interfaces | WAN Card in Slot N | Po rt A B as E1 screen, w[...]
-
Page 85
Configuration | Inte rfaces | W AN Card in Slot N | Port A B as T1 or E1 3-1 7 VPN 3000 Conce ntrator Seri es User Guide Figure 3-8: Configurat ion | Interf aces | W AN Car d in Slot N | P ort A B as T1 or E1 screen, IP tab IP Parameters tab This tab lets you conf igur e IP address, subnet mask, public in terfa ce status, and f ilter . Enabled T o [...]
-
Page 86
3 Interfaces 3-1 8 VPN 3000 Concent rator Ser ies User Guide Filter The filter governs the hand ling of da ta packets thro ugh this in terface: whether to forwa rd or dro p, according to conf igured criteria. Ci sco supplie s three def ault filte rs that you can modify a nd use with the VPN Conc entrato r . Y ou can conf igure f ilt ers on the Conf[...]
-
Page 87
Configuration | Inte rfaces | W AN Card in Slot N | Port A B as T1 or E1 3-1 9 VPN 3000 Conce ntrator Seri es User Guide Inbound RIP This paramet er applies to RIP message s coming into the VPN Co ncentrator . It conf igures the system to listen fo r RIP messages on this interf ace. Click the drop-do wn menu b utton and select the in bound RIP func[...]
-
Page 88
3 Interfaces 3-20 V PN 3000 Conc entrat or Series Use r Guide Figure 3 -1 0: C onfiguration | Interf ac es | W AN Car d in Slot N | P ort A B as T1 or E1 screen, OSPF tab OSPF Parameters tab OSPF is a routing protocol that routers u se for messages to other routers, to determine network connec ti vity , st atus, and optimum p aths for se nding dat [...]
-
Page 89
Configuration | Inte rfaces | W AN Card in Slot N | Port A B as T1 or E1 3-21 VPN 3000 Conce ntrator Seri es User Guide Enter th e area ID in the f ield, usin g IP addr ess forma t in dott ed decim al notation (e.g., 10.10.0.0 ). Th e default en try is 0.0.0.0 , the backbo ne. Y our entry a lso app ears in th e OSPF Area lis t on th e Configuration[...]
-
Page 90
3 Interfaces 3-22 V PN 3000 Conc entrat or Series Use r Guide OSPF Authentication This param eter sets the authentication method for OSPF prot ocol messages. OSPF messages can be authenti cated so th at only trusted rout ers can r oute message s within the domain. T his authenti cation method must b e the same for all rou ters on a commo n network.[...]
-
Page 91
Configuration | Inte rfaces | W AN Card in Slot N | Port A B as T1 or E1 3-23 VPN 3000 Conce ntrator Seri es User Guide WAN Param ete rs tab This tab lets you conf igure T1 /E1 paramete rs: line coding, line framing, line b uildout, clock source, data in version, loopba ck mode, and t imeslots. Line Coding A T1/E1 line uses a bipola r format for ge[...]
-
Page 92
3 Interfaces 3-24 V PN 3000 Conc entrat or Series Use r Guide Buildout Line b uildou t is a co nditioning f actor that limi ts loss of sign al strength on the li ne. Y our T1/E1 carrier provid es information on ho w to set this option. The len gth of the line and the transmit po wer across it determine th e build out va lue, which is measured i n d[...]
-
Page 93
Configuration | Inte rfaces | W AN Card in Slot N | Port A B as T1 or E1 3-25 VPN 3000 Conce ntrator Seri es User Guide Figure 3-12: Configuration | Interf ac es | W AN Card in Slot N | P or t A B as T 1 or E1 sc r een, PPP tab PPP Multilink Parameters tab This tab lets you configure a PPP Multilink connection on this W AN interface. PPP (Point-to-[...]
-
Page 94
[...]
-
Page 95
4-1 VPN 3000 Conce ntrator Seri es User Guide CHAPTER 4 Sy stem Configu ration System conf iguratio n means conf iguring parame ters for system-wide fun ctions in the VPN Conc entrator . Configuration | Sy stem This se ction of the M anager lets y ou configur e parame ters f or VPN Concent rator syste m-wid e funct ions. • Servers : identifyi ng [...]
-
Page 96
[...]
-
Page 97
5-1 VPN 3000 Conce ntrator Seri es User Guide CHAPTER 5 Servers Conf iguring ser vers m eans identi fying them to the VP N 3000 Concentr ator so it can co mmunicate w ith them c orrectly . These serv ers p rov ide us er aut henticat ion a nd accou nting f unctio ns, co n v ert ho stnames to IP a ddresses, a ssign c lient IP addresse s, and s ynchro[...]
-
Page 98
5 Server s 5-2 VPN 3000 Concentrat or Seri es User Guide Configuration | Sy stem | Servers | Authentication This sect ion lets yo u confi gure the VPN Concentr ator inter nal serv er and e xterna l RADIUS, NT Domain, and SDI se rvers fo r au thenti cati ng us ers. T o crea te an d use a VPN , you m ust c onfigure at l east one authenti cation serv [...]
-
Page 99
Config uration | Sy stem | Servers | A uthenti cation | Add or Mod ify 5-3 VPN 3000 Conce ntrator Seri es User Guide Authentic ation Servers The Authentication Se rvers list sho ws the conf igure d serve rs, in priority ord er . Each entry sho ws the server identif ier a nd type; e .g., 192. 168. 12.34 ( Radi us) . If no serv ers hav e been conf ig[...]
-
Page 100
5 Server s 5-4 VPN 3000 Concentrat or Seri es User Guide Find your sele cted Serv er T y pe below . Server T ype = RADIUS Conf igure these param eters for a RADIUS (Remote Auth enticatio n Dial-In User Service) authentica tion server . Figure 5-3: Configurat ion | System | Servers | A uthentication | Add or Modify RADIUS screen Authentication S erv[...]
-
Page 101
Config uration | Sy stem | Servers | A uthenti cation | Add or Mod ify 5-5 VPN 3000 Conce ntrator Seri es User Guide Server Secret Enter t he RADIU S serve r secr et (also ca lled the sh ared secr et); e .g., C8z077f . Maximum 64 charact ers. The field sho ws only asterisks. Ve r i f y Re-e nter th e RADIU S server se cret to verify it. T he field [...]
-
Page 102
5 Server s 5-6 VPN 3000 Concentrat or Seri es User Guide Server Port Enter the TCP port number by which you access the server . Enter 0 (the default) to ha ve the system supply th e de fault port number, 139 . T ime out Enter the ti me in seconds to wait a fter sending a quer y to the ser ver and receiving n o respons e, be fore trying again. Mini [...]
-
Page 103
Config uration | Sy stem | Servers | A uthenti cation | Add or Mod ify 5-7 VPN 3000 Conce ntrator Seri es User Guide Figure 5-5: Configurat ion | System | Servers | A uthentication | Add or Modify SDI scr een Authentication S erver Enter th e IP a ddress or h ostname o f the SDI auth entication server ; e.g. , 192.168. 12.3 4 . Maxi mum 3 2 char ac[...]
-
Page 104
5 Server s 5-8 VPN 3000 Concentrat or Seri es User Guide Server T ype = Interna l Server The VP N Concent rator interna l authen ticatio n server le ts you en ter a max imum of 1 00 grou ps and user s (combi ned) in its database . T o do so, se e the Conf igur ation | User Manag emen t screens, o r click the highligh ted link on the Configuration |[...]
-
Page 105
Configuration | Sys tem | Servers | Authenticati on | T est 5-9 VPN 3000 Conce ntrator Seri es User Guide Ye s / N o T o delete the internal au thenticatio n server , click Ye s . There is no undo. The Mana ger re turns to the Configuration | Sy stem | Servers | Authentication sc reen and shows the remaining entries in the Au thentication Servers l[...]
-
Page 106
5 Server s 5-1 0 VPN 3000 Conc entrat or Series Use r Guide T o ca ncel the test and disc ard your en tries, cl ick Cancel . The Manag er retu rns to the Confi gurati on | Sy stem | Serv ers | Auth enticati on screen . Authentic ation Server T e st: Succes s If the VPN Concent rator com municat es correc tly with th e authenti cation ser ver , and [...]
-
Page 107
Configur ation | System | Ser vers | Acco untin g 5-1 1 VPN 3000 Conce ntrator Seri es User Guide The server ma y be improper ly configured or out of se rvice, the network may be do wn or clog ged, etc. Check the serv er conf iguration par ameters, be sure the s erv er is operati ng, chec k the netw ork connect ions, etc. Figure 5-1 1: Authenticat [...]
-
Page 108
5 Server s 5-12 VPN 3000 Concent rator S eries User Guid e The VPN Conc entrato r comm unicate s with RADIUS a ccountin g ser ver s per R FC 2139 and curren tly includ es the at trib utes in T able 5- 1 in the acco unting st art and sto p record s. These attrib utes may change. Accountin g Serve rs The Accoun ting Se rvers list shows the conf igure[...]
-
Page 109
Configuration | Syst em | Servers | Accountin g | Add or Modify 5-13 VPN 3000 Conce ntrator Seri es User Guide T o remo ve a conf igure d user authentic ation ser ver , select the se rve r from t he list and click Delete . There is no c onfirmat ion or undo. The Man ager refr eshes the sc reen and sh o ws the remain ing entries in the Accoun ting S[...]
-
Page 110
5 Server s 5-1 4 VPN 3000 Concent rator Ser ies User Guide Retries Enter the num ber of times to retry sending a query to the accounting server aft er the timeout peri od. If there is stil l no r esponse after th is number of retries, the sy stem declar es this serv er ino perati ve and uses the nex t accountin g server in the list. Minimum is 0 , [...]
-
Page 111
Configuration | System | Serv ers | DNS 5-1 5 VPN 3000 Conce ntrator Seri es User Guide Figure 5-14: Configurat ion | Syst em | Serv ers | DNS scr een Enabled T o use DNS functi ons, ch eck En abled (the default). T o disabl e DNS, clear the box. Domain Enter the name of the regi stered domain in wh ich the VPN Concen trator is located ; e.g., alti[...]
-
Page 112
5 Server s 5-1 6 VPN 3000 Concent rator Ser ies User Guide Ti m e o u t P e r i o d Enter the initial ti me in se conds to w ait for a response to a DNS qu ery before sending the q uery to th e next server . Min imum is 1 , defa ult is 2 , maximum is 30 sec onds. This t ime double s with each retry cycle through the list of serve rs. T imeout Retri[...]
-
Page 113
Configur ation | Sys tem | Serv ers | DHCP 5-1 7 VPN 3000 Conce ntrator Seri es User Guide Figure 5-15: Configurat ion | Syst em | Serv ers | DHCP screen DHCP Servers The DHCP Servers list shows the conf igured serv ers, in p riority or der . Each ent ry sho ws the ser ver identif ier, which can be an IP address or a hostname; e. g., 192.16 8.12.3 [...]
-
Page 114
5 Server s 5-1 8 VPN 3000 Concent rator Ser ies User Guide Configuration | Sy stem | Servers | DHCP | Add or Modify These scr eens let you: Add : Configure and ad d a new DHCP server to the list of configured server s. Modify : Modi fy the paramet ers fo r a conf ig ured DHCP serv er . Figure 5-16: Configuration | Sy stem | Servers | DHCP | Ad d or[...]
-
Page 115
Configuration | System | Servers | NTP | Parameters 5-1 9 VPN 3000 Conce ntrator Seri es User Guide T o m ake the NT P funct ion opera tional, you must configure at least one NTP se rver (host ). Y ou can configure u p to 10 NT P servers. Th e VPN Co ncentrato r quer ies all of them and synchroniz es its system clock with t he der ive d ne twork ti[...]
-
Page 116
5 Server s 5-20 V PN 3000 Conc entrat or Series Use r Guide Configuration | Sy stem | Servers | NTP | Hosts This se ction of the Manager lets you add, m odify , a nd d elete NTP h osts (se rvers). T o m ake the N TP func tion ope rational , you m ust con f igure at least one NTP host. Y ou can configure a maxim um of 10 hosts. Th e VPN Concent rato[...]
-
Page 117
Configuration | Sys tem | Servers | NTP | Hosts | Add or Modify 5-21 VPN 3000 Conce ntrator Seri es User Guide Configuration | Sy stem | Servers | NTP | Hosts | Add or Modify These s creen s let yo u: Add a new NTP host to the lis t of configured hosts. Modify a configured N TP host. Figure 5-20: Configurat ion | System | Servers | NT P | Hosts | A[...]
-
Page 118
[...]
-
Page 119
6-1 VPN 3000 Conce ntrator Seri es User Guide CHAPTER 6 Address Management IP addre sses make internet working co nnectio ns possible . They ar e like te lephone numbers: b oth th e sender and recei ver must ha ve an assigne d number in or der to conn ect. Bu t with VPNs, ther e are actual ly two sets o f ad dresses: the first set connec ts clie nt[...]
-
Page 120
6 Address Mana gement 6-2 VPN 3000 Concentrat or Seri es User Guide Configuration | Sy stem | Address Manageme nt | Assignment This scre en lets you sele ct priori tized meth ods for assign ing IP addre sses to clients as a t unnel is established . The VPN Co ncentrator tries the sele cted method s in the ord er listed u ntil it f inds a va lid IP [...]
-
Page 121
Confi guration | System | Ad dress Man agemen t | Pools 6-3 VPN 3000 Conce ntrator Seri es User Guide Use Address Pools Check this bo x to hav e the VPN Con centrator assign IP addresses from an internal ly configured pool. If you us e th is method , configure t he IP a ddress poo ls on t he Con figura tion | Sy stem | Addr ess Mana geme nt | Pools[...]
-
Page 122
6 Address Mana gement 6-4 VPN 3000 Concentrat or Seri es User Guide Add / Modify / Delete T o con f igure a ne w IP address poo l, click Add . The Manage r opens the Conf igura tion | S y stem | Addr ess Manage ment | Pools | Add screen. T o mo dify an IP address po ol that has b een configured, se lect the pool from the list and c lick Modify . Th[...]
-
Page 123
Config uration | Sy stem | Ad dress M anagement | Pools | Add or Mod ify 6-5 VPN 3000 Conce ntrator Seri es User Guide Add or Apply / C ancel T o a dd this IP addr ess pool to t he list of co nfigured pools, click Ad d . Or to app ly your cha nges to this IP address poo l, click Apply . Bot h actions in clude yo ur entry i n the active configuratio[...]
-
Page 124
[...]
-
Page 125
7-1 VPN 3000 Conce ntrator Seri es User Guide CHAPTER 7 T unneling Protocols T unneling protocol s are th e hear t of v irtual pr i vate networ king. Th e tunne ls make i t possibl e to use a publi c TCP/IP networ k, su ch as th e Inte rnet, to crea te secu re co nnectio ns betwe en rem ote us ers and a pri v ate cor porate netw ork. The secur e co[...]
-
Page 126
7 T unneling P rotocol s 7-2 VPN 3000 Concentrat or Seri es User Guide Configuration | Sy stem | T unneling Protocols This se ction of the Manager lets you configure system-w ide para meters for tunn eling protocol s. • PPTP : Conf igure PPTP parameters. • L2TP : Conf igure L2TP pa rame ters. • IPSec : Configure IPSec pa rameter s and c onnec[...]
-
Page 127
Configura tion | Syst em | T unnel ing Proto cols | PPT P 7-3 VPN 3000 Conce ntrator Seri es User Guide Figure 7 - 2: Configuration | Syst em | T unn eling Prot ocols | PPTP sc r een Note : Cisco supplies def ault settings for PPTP parameter s that ensure optimum performance for typica l VPN use. W e strongly rec ommend that you not ch ange the def[...]
-
Page 128
7 T unneling P rotocol s 7-4 VPN 3000 Concentrat or Seri es User Guide Packet Win dow Si ze Enter th e maxim um numbe r of re cei ve d bu t unack no wledged PPTP pack ets tha t the syst em can b uf fer . The system m ust queue un ackno wledged PPT P packets u ntil it can process them. Minimum is 0 , maxim um is 32 , d efaul t is 16 packe ts. Limit [...]
-
Page 129
Configur ation | System | T un neling Pr otocols | L 2TP 7-5 VPN 3000 Conce ntrator Seri es User Guide Apply / C ancel T o apply your PPTP settings and to include th em in the acti ve configu ration, click Ap ply . The Ma nager returns to the Con figura tion | Sy stem | T unneling Pr otoc ols screen. Remin der: To save the activ e configuratio n an[...]
-
Page 130
7 T unneling P rotocol s 7-6 VPN 3000 Concentrat or Seri es User Guide Enabled Check th e box to enab le L2TP syst em-wi de functi ons on the VPN Conc entra tor , or clear it t o disable. The box is checked by defaul t. Caution : Disabling L2TP ter minates an y acti ve L2TP sessions. Maximum T u nnel Idle T ime Enter the time in seconds to wait bef[...]
-
Page 131
Configura tion | System | T u nneling P rotocol s | IPSec 7-7 VPN 3000 Conce ntrator Seri es User Guide Hello Interval Enter the time in seconds t o wait when t he L2TP t unnel is idle (no contro l or payl oad packets re ceived) before sending a Hell o (or “ ke ep -a live ” ) packet to the remote client. Minimum is 1 , ma xi mum is 3600 , and d[...]
-
Page 132
7 T unneling P rotocol s 7-8 VPN 3000 Concentrat or Seri es User Guide • Extended Auth entication ( XAuth) • Mode Co nfiguration (a lso known a s ISAKMP Configurat ion Method ) • T unnel Enc apsula tion Mo de Y ou c onfigure IKE pr oposals ( parame ters for th e IKE SA ) here. Y ou ap ply them t o IPSec LAN -to-LAN connect ions in this sectio[...]
-
Page 133
Config uration | Sy stem | T unn eling Pr otocols | IPSec LA N-to-LA N 7-9 VPN 3000 Conce ntrator Seri es User Guide Figure 7 - 5: Configuration | Syst em | T unn eling Prot ocols | IPSec LAN-to-LAN sc r een LAN-to-LAN Connection The LAN-to-LAN Connection list sho ws connectio ns that h av e be en con fig ured. Th e conn ection s are li sted in the[...]
-
Page 134
7 T unneling P rotocol s 7-1 0 VPN 3000 Conc entrat or Series Use r Guide Configuration | Sy stem | T unneling Protocols | IPSec LAN-to-LAN | No Public In terfaces The Ma nager disp lays thi s screen i f you have not con f igure d a publ ic interfac e on the V PN Conce ntrator and you try to add an IPSec L AN-to-L AN conne ction. Th e public in ter[...]
-
Page 135
Con figur ati on | Sy ste m | T unnel ing Prot ocols | IPS ec LA N-to -LAN | Add o r Modi fy 7-1 1 VPN 3000 Conce ntrator Seri es User Guide Figure 7 - 7: Configuration | Syst em | T unn eling Prot ocols | IPSec LAN -to-LAN | A dd or Mo dify scr een When you Add or Modify a connection on these screens, t he VPN Concen trator automatically : • Cre[...]
-
Page 136
7 T unneling P rotocol s 7-12 VPN 3000 Concent rator S eries User Guid e All of the r ules, SAs, filte rs, and group h ave defaul t para meters or thos e spec if ied o n this screen . Y o u can mo dify t he rules and SA on the Configuration | Policy Ma nagement | T raffic Management screens , the group on the Co nfig uratio n | User Manage ment | G[...]
-
Page 137
Con figur ati on | Sy ste m | T unnel ing Prot ocols | IPS ec LA N-to -LAN | Add o r Modi fy 7-13 VPN 3000 Conce ntrator Seri es User Guide Digital Certificate This parameter specifie s whether to use preshared k eys or a PKI (Public K e y Infrastruc ture) digital identity certif icate to authen ticate th e peer d uring Phase 1 IKE n egotia tions. [...]
-
Page 138
7 T unneling P rotocol s 7-1 4 VPN 3000 Concent rator Ser ies User Guide IKE Proposal This parameter specifie s the set of attrib utes for Phase 1 IPSec ne gotiation s, which are kno wn as IKE propos als. See the Configu ration | Sy stem | T unneli ng P rotocol s | I PSec | IKE Prop osals screen. Y o u must conf igure, acti v ate, and prior itize I[...]
-
Page 139
Con figur ati on | Sy ste m | T unnel ing Prot ocols | IPS ec LA N-to -LAN | Add o r Modi fy 7-1 5 VPN 3000 Conce ntrator Seri es User Guide Note : An IP addr ess is used with a wildcard mask to provide the desire d granularity . A wildcard mask is the reverse of a su bnet mask ; i. e., th e wildca rd mask has 1s i n bit po sitions t o ignore , 0s [...]
-
Page 140
7 T unneling P rotocol s 7-1 6 VPN 3000 Concent rator Ser ies User Guide Wildcard Mask Enter th e wildcard mask for the pr i v ate rem ote netw ork. Use do tted deci mal not ation; e.g ., 0.255. 255.2 55 . The system su pplies a def ault wild card mask appro priate to th e IP address cla ss. Add or Apply / C ancel Add screen: T o add this connectio[...]
-
Page 141
Configur ation | Sy stem | T un neling Pr otocols | I PSec LAN- to-LAN | Add | Loca l or Remot e Network List 7-1 7 VPN 3000 Conce ntrator Seri es User Guide Figure 7 -8: Co nfiguration | S ystem | T unn eling Prot ocols | IPSec LAN-to-LAN | Ad d | Local or Remote N etwor k List screen List Name The Manager supplies a d efault name that id entif ie[...]
-
Page 142
7 T unneling P rotocol s 7-1 8 VPN 3000 Concent rator Ser ies User Guide Generate Lo cal List On the Local Net work L ist screen, click th is button to hav e the Manager automatical ly generate a netwo rk list using the f irs t 200 valid network ro utes in the routing table for the Ethernet 1 (Pri vate) inte rfac e of this VPN Concentr ator . (See [...]
-
Page 143
Configura tion | Syst em | T u nneli ng Protoco ls | IPSec | IK E Propos als 7-1 9 VPN 3000 Conce ntrator Seri es User Guide Figure 7 -9: Co nfiguration | Syst em | T unneling Prot ocols | IPSec LAN-to-LAN | Add | Done screen OK T o close this screen and re turn to the C onfig uratio n | Sy stem | T unneling Protoc ols | I PSec LAN -to-LA N screen,[...]
-
Page 144
7 T unneling P rotocol s 7-20 V PN 3000 Conc entrat or Series Use r Guide Figure 7 - 1 0: Configuration | System | T unneling P r otocols | IPSec | IKE Proposals sc r een Cisco su pplies defau lt IKE proposals t hat y ou can use or m odify; see T a ble 7-1. See Configur ation | Sy stem | T unneling Prot ocols | IPSec | IKE Propo sals | Add for expl[...]
-
Page 145
Configura tion | Syst em | T u nneli ng Protoco ls | IPSec | IK E Propos als 7-21 VPN 3000 Conce ntrator Seri es User Guide Active Pr oposa ls The field shows the names of IKE pr oposals t hat have been configured, a ctiv ated, and pri oritiz ed. As an IPSec respo nder , the VPN Conce ntrator checks these pr oposals in priority order, to see if it [...]
-
Page 146
7 T unneling P rotocol s 7-22 V PN 3000 Conc entrat or Series Use r Guide Modify T o m odify a c onfigured IKE p roposal, se lect it f rom ei ther Active Prop osals or Inac tive Pro posal s and click this bu tton. See Configuration | Sy s tem | T unneling Protocols | IPSec | IKE Proposals | Modify . Modifyin g an active proposal does n ot affect c [...]
-
Page 147
Configur ation | Sy stem | T unn eling Prot ocols | I PSec | IKE Pro posals | A dd, Modif y , or Copy 7-23 VPN 3000 Conce ntrator Seri es User Guide Figure 7 -1 1 : Configuration | Sy stem | T unneling Protocols | IPSec | IKE Pr oposals | Add, Modify , or Copy scr een Proposal Name Enter a u nique na me for thi s IKE pro posal. Max imum is 4 8 char[...]
-
Page 148
7 T unneling P rotocol s 7-24 V PN 3000 Conc entrat or Series Use r Guide Authentication Algorithm This param eter specif ies the data, or pac ket, auth entication algorithm. P acket auth entication prov es that data co mes from whom you thi nk it c omes fr om. Click the drop-do wn menu b utton and select the algorithm: MD5/HMAC-128 = HMA C ( Hashe[...]
-
Page 149
Configur ation | Sy stem | T unn eling Prot ocols | I PSec | IKE Pro posals | A dd, Modif y , or Copy 7-25 VPN 3000 Conce ntrator Seri es User Guide Data Lifetime If yo u select Data or Both und er Lifetime Measurement abo ve, ente r the number of kilob ytes of payloa d data af ter whi ch th e IKE SA expires. Minimu m is 10 0 KB, default is 10000 K[...]
-
Page 150
[...]
-
Page 151
8-1 VPN 3000 Conce ntrator Seri es User Guide CHAPTER 8 IP Routing In a typical instal lation, the VPN Concen trator is conne cted to the public netwo rk through an e xternal router, which routes data t raff ic be tween network s, and i t may also b e conne cted to the priv ate ne twork through a rout er . The VPN Concentrator itself inclu des an I[...]
-
Page 152
8 IP Routing 8-2 VPN 3000 Concentrat or Seri es User Guide Configuration | Sy stem | IP Routing This secti on of the Mana ger lets you configure system-w ide IP routin g parame ters. • Static Routes : manually conf igured routing tables. • Default Gateway s : routes for o therw ise unrou ted traf fic. • OSPF : Open Sh ortest Pa th First routi[...]
-
Page 153
Configuration | System | IP Ro uting | Static Routes | Add or Modify 8-3 VPN 3000 Conce ntrator Seri es User Guide Static Routes The Static Routes list shows manual IP rout es that hav e been con figured. The f ormat is [ dest ination networ k add ress/s ubnet mask -> outb ound destin atio n] ; e.g ., 192. 168.1 2.0/ 255.25 5.255 .0 -> 10.10 [...]
-
Page 154
8 IP Routing 8-4 VPN 3000 Concentrat or Seri es User Guide Network Ad dress Enter the destination network IP address th at this static rout e applies to. Pa ckets with this d estination address wi ll be sent to the Destination below . Used dotted decimal notatio n; e.g., 192.168 .12.0 . Subnet Ma sk Enter t he subne t mask f or the destinat ion net[...]
-
Page 155
Configuration | Sy stem | IP Routing | De fault Gatewa ys 8-5 VPN 3000 Conce ntrator Seri es User Guide Remin der: To save the activ e configuratio n and make it the boot configuratio n, click the Save Need ed icon at th e top of the Manage r window. T o disc ard your e ntries, click Cancel . The Man ager returns to the Configuration | Sy ste m | I[...]
-
Page 156
8 IP Routing 8-6 VPN 3000 Concentrat or Seri es User Guide T unnel Default Gateway Enter the IP addres s of the default ga tew ay for tunne led dat a. Use d otted de cimal notation; e.g., 10.10. 0.2 . If you do not use a tunne l default gateway , enter 0. 0.0.0 ( the default en try). T o delete a conf igured tunnel d efault ga tew ay , enter 0.0.0.[...]
-
Page 157
Configuration | System | IP Routi ng | OSPF 8-7 VPN 3000 Conce ntrator Seri es User Guide Figure 8-5: Configurat ion | System | IP Routing | OSPF screen Enabled T o enable the VPN Concentrator OSPF router , check the box. (By default it is not check ed.) Y ou must also enter a Router ID below . Y ou must chec k this bo x for OSPF to wo rk on an y i[...]
-
Page 158
8 IP Routing 8-8 VPN 3000 Concentrat or Seri es User Guide Apply / C ancel T o apply y our OSPF settings, and to include yo ur settings in the activ e configurat ion, click Apply . The Manager returns to the Con figuration | Sy stem | IP Routing screen . Remin der: To save the activ e configuratio n and make it the boot configuratio n, click the Sa[...]
-
Page 159
Confi guration | System | I P Routing | OSPF Area s | Add or Modify 8-9 VPN 3000 Conce ntrator Seri es User Guide Remin der: The Manager immediat ely include s your c hanges i n the active c onfigu ration. To save t he activ e configura tion a nd mak e it t he boot c onfigu ration, c lick th e S ave N eeded ic on at the top of the M anager window. [...]
-
Page 160
8 IP Routing 8-1 0 VPN 3000 Conc entrat or Series Use r Guide External LSA Import Click th e drop -down menu button a nd selec t whet her to br ing in L SAs f rom neigh boring Autonomou s Systems . LSAs de scribe the state o f the AS route r ’ s interfaces an d routing paths. Imp orting those LSA s builds a more compl ete link- state datab ase, b[...]
-
Page 161
Configuration | System | IP Routing | DHCP 8-1 1 VPN 3000 Conce ntrator Seri es User Guide Lease T imeout Enter the timeou t in min utes for ad dresses that ar e obtained from a DHCP serv er . Minim um is 5 , defau lt is 12 0 , maximu m is 500000 minutes. DHCP serv ers “ lease ” IP addresses for this period of time. Be fore the lease expires, t[...]
-
Page 162
8 IP Routing 8-12 VPN 3000 Concent rator S eries User Guid e Configuration | Sy stem | IP Routing | Redundancy This sc reen le ts you configure p arameters for V irtu al Router Redunda ncy Protocol (VRRP), w hich manages autom atic swi tchover from one VPN C oncent rator to a nother in a re dundant install ation. Automa tic switch ove r pro vides u[...]
-
Page 163
Configur ation | Sy stem | IP Rout ing | Redu ndancy 8-13 VPN 3000 Conce ntrator Seri es User Guide Enable VR RP Check this bo x to enable VRRP fun ctions . The box is not chec ked by defaul t. Group ID Enter a number tha t uniquel y identifies this group of re dundant VPN Conce ntrator s. This num ber must be the same on all syst ems in this group[...]
-
Page 164
8 IP Routing 8-1 4 VPN 3000 Concent rator Ser ies User Guide 2 (Public) The IP ad dress for the Et hernet 2 (P ublic) i nterface shar ed by the virtua l rout ers in this group. 3 (External) The IP address for the Ether net 3 (External) inter face share d by the virt ual routers in this group. Apply / C ancel T o apply the settings for VRRP , and to[...]
-
Page 165
9-1 VPN 3000 Conce ntrator Seri es User Guide CHAPTER 9 Management Protocols The VPN 3000 Concent rator Series includes v arious b uilt-in server s, using v arious protocols, th at let you perform typica l networ k and sys tem mana gement function s. Th is sect ion explain s how you con figure and enable those servers. Configuration | Sy stem | Man[...]
-
Page 166
9 Manage ment Pr otoc ols 9-2 VPN 3000 Concentrat or Seri es User Guide Configuration | Sy stem | Management Protoco ls | F TP This scr een le ts you c onfigure and enab le the V PN Con centrat or ’ s FT P (File T ransfer Pro tocol) se rv er . When th e serv er is enabled, you can use an FTP clie nt to up load and do wnlo ad f iles in VPN Concen [...]
-
Page 167
Configur ation | Sy stem | Mana gement Protocol s | HTTP /HTTPS 9-3 VPN 3000 Conce ntrator Seri es User Guide Configuration | Sy stem | Management Protoco ls | HTTP/HTTPS This scr een lets you co nfi gure and en able the VPN Concen trator ’ s HTTP /HTT PS serv er: Hype rtex t T r ansf er Protoc ol and HTTP o v er SSL ( Secure So ckets Layer) prot[...]
-
Page 168
9 Manage ment Pr otoc ols 9-4 VPN 3000 Concentrat or Seri es User Guide Enable HTT PS Chec k the box to enable the H TTPS se rver . Th e box is ch ecked by defaul t. HTT PS — also kn own as HTTP o ver SSL — lets you use the V PN C oncentra tor Mana ger over an encryp ted c onnectio n. HTTP Port Enter the p ort num ber th at the HTTP se rver use[...]
-
Page 169
Configura tion | Sys tem | Mana gement Pr otocols | TF T P 9-5 VPN 3000 Conce ntrator Seri es User Guide Figure 9-4: Configuration | S ystem | Management Prot ocols | TFTP screen Enable Check the bo x to enable the TFT P serve r . The box is not checke d by def ault. Disab ling the TFTP serv er provid es additional securi ty . Port Ente r the port [...]
-
Page 170
9 Manage ment Pr otoc ols 9-6 VPN 3000 Concentrat or Seri es User Guide Configuration | Sy stem | Management Protoco ls | T elnet This screen l ets yo u conf igure and enable t he VPN Co ncentrat or ’ s T elnet terminal em ulation ser ver , and T elnet ov er SSL ( Secure So ckets Layer pr otoc ol). Wh en the se rver is enable d, you can use a T e[...]
-
Page 171
Configur ation | Sys tem | Man agement Pr otocols | SNM P 9-7 VPN 3000 Conce ntrator Seri es User Guide T elnet/SS L Port Enter the port numbe r that T eln et over SSL uses. The default is 992 , which is the w ell-known port number . Changing th e port numbe r provides additi onal secur ity . Maximum Conn ections Enter the ma ximum nu mber of concu[...]
-
Page 172
9 Manage ment Pr otoc ols 9-8 VPN 3000 Concentrat or Seri es User Guide Enable Check the box to enabl e the SNMP serv er . The box is checked b y defa ult. Disab ling the SNMP ser ver provid es additional securi ty . Port Enter the port numbe r that the SN MP server uses. Th e default is 16 1 , which is the well-kno wn port number . Changing th e p[...]
-
Page 173
Confi gur atio n | Sy ste m | Ma nage ment Prot ocol s | SNMP C ommu niti es 9-9 VPN 3000 Conce ntrator Seri es User Guide Figure 9-7: Configuration | S ystem | Management Prot ocols | SNMP Co mmunities sc r een Community Strings The Community Strings list shows SNMP co mmunity stri ngs that have been c onfigured. If n o strings have been conf igur[...]
-
Page 174
9 Manage ment Pr otoc ols 9-1 0 VPN 3000 Conc entrat or Series Use r Guide Configuration | Sy stem | Management Protoco ls | SNMP Communities | Add or Modify These Ma nager scr eens let you: Add : Configure and ad d a new SNMP community stri ng. Modify : Modify a co nfigured SNMP comm unity string . Figure 9-8: Configuration | System | Management P[...]
-
Page 175
Configur ation | Syste m | Manage ment Prot ocols | SSL 9-1 1 VPN 3000 Conce ntrator Seri es User Guide issued in a PKI conte xt. This ce rtif icate must then be install ed in the cl ient (for HTTPS; T elnet doesn ’ t usually re quire it). Y ou need t o install the cert ificate from a given VPN Concent rator only once. The default SSL settin gs s[...]
-
Page 176
9 Manage ment Pr otoc ols 9-12 VPN 3000 Concent rator S eries User Guid e Encryption P rotocols Check the box es for the e ncryption algorith ms that the VPN Concentra tor SSL server can ne gotiate w ith a client a nd use f or sessio n encryp tion. All a re check ed b y def ault. Y ou mu st check at least on e algor ithm to enable SSL. Unchec king [...]
-
Page 177
Configur ation | Syste m | Manage ment Prot ocols | SSL 9-13 VPN 3000 Conce ntrator Seri es User Guide TLS V1 with SSL V2 He llo = The serve r insists on TLS V e rsion 1 b ut accepts an initi al SSL V ersion 2 “ Hello. ” At pre sent, only Microsoft Internet Ex plorer 5.0 supports thi s option. Generated Certificate Key Size Click the d rop-do w[...]
-
Page 178
[...]
-
Page 179
10 -1 VPN 3000 Conce ntrator Seri es User Guide CHAPTER 10 Events An event is an y signi fic ant oc currence within or af fecting the VPN 30 00 Conc entrat or such as an alarm, trap, error conditi on, networ k probl em, task compl etion, threshold breac h, or st atus cha nge. T he VPN Concentrato r records e vents in an e vent log, whi ch is stored[...]
-
Page 180
10 Events 10 - 2 VPN 3000 Conc entrat or Series User Guid e DNSDBG DNS deb ugg ing * DNSDEC ODE DNS de coding * EVENT E vent subsystem* EVENTD BG Event subsyst em debugging * EVENTM IB Event MI B changes * EXPANS IONCA RD Expans ion card (module) subsyste m FILTER Filter su bsystem FILTER DBG Filter debuggin g* FSM Finit e State Machine subsystem ([...]
-
Page 181
Event c lass 10 -3 VPN 3000 Conce ntrator Seri es User Guide Note : The Cisco-specif ic event cla sses provide in formation that is meaningful only to Cisco enginee ring or support perso nnel. Also , the DBG an d DECODE events require signi ficant system reso urces and may seriously degrade perfo rmance. W e re commend that you av oid logg ing thes[...]
-
Page 182
10 Events 10 - 4 VPN 3000 Conc entrat or Series User Guid e Event severity level Sever ity l evel ind icates how serious or si gnificant the event is; i.e., how likely it is to cause unstable operati on of th e VPN c oncent rator, whether i t rep resent s a high- lev el or l ow-lev el opera tion, or wheth er it returns little or great detail. Le v [...]
-
Page 183
Event l og 10 -5 VPN 3000 Conce ntrator Seri es User Guide Event log The VPN Conce ntrator r ecords e v ents in an e ven t log, wh ich is stored in non vola tile memory . Thus the e ven t log persists e v en if the sy stem is po wered of f. F or troublesh ooting an y system dif f iculty , or just to exa mine details of system acti v ity , consult t[...]
-
Page 184
10 Events 10 - 6 VPN 3000 Conc entrat or Series User Guid e Configuration | Sy stem | Events | General This M anager scree n lets y ou co nfigure th e gene ral, or default, handlin g of all events. Th ese d efaults apply to all e ve nt classes. Y ou can ove rride these def ault settings b y conf iguring specif ic even ts for special handli ng on th[...]
-
Page 185
Configuration | Sys tem | Events | Ge neral 10 -7 VPN 3000 Conce ntrator Seri es User Guide Y ou ca n manage saved log f iles wit h options on this screen an d on the Administration | File Management screens. Save L og Form at Click the drop-do wn menu b utton to specify the format of the sa ved log f iles. Multiline = E ntries are ASCII te xt and [...]
-
Page 186
10 Events 10 - 8 VPN 3000 Conc entrat or Series User Guid e Severity to Console Click the dr op-down menu button a nd select the r ange of event sev erity levels to display on t he conso le by default. Ch oices ar e: None , 1 , 1-2 , 1-3 , .. ., 1-13 . The default is 1-3 : all e ve nts of se v erity le v el 1 through se veri ty le vel 3 are di spla[...]
-
Page 187
Configuration | Syste m | Events | F TP Backup 10 -9 VPN 3000 Conce ntrator Seri es User Guide Apply / C ancel T o include your setting s for default e v ent handlin g in the acti ve c onfig uration, click Apply . Th e Mana ger returns to the Config urat ion | Sy s tem | E vent s screen. Remin der: To save the activ e configuratio n and make it the[...]
-
Page 188
10 Events 10 - 10 VPN 3000 Conc entrat or Series User Guid e V erify Re-enter the FTP passwor d to v erify it. T he f ield displa ys only aster isks. Apply / C ancel T o inc lude your FTP backup system settin gs in the ac ti ve configuration, cli ck Apply . The Mana ger r etur ns to the Config uratio n | Sy stem | Events screen. Remin der: To save [...]
-
Page 189
Conf igura ti on | Sy stem | Eve nts | Clas ses | Add o r Modi fy 10 -1 1 VPN 3000 Conce ntrator Seri es User Guide order by c lass nu mber and na me. If n o cla sses have been configured f or sp ecial handling, the l ist shows --Empty-- . Add / Modify / Delete T o conf igure an d add a new e ven t class fo r speci al handl ing, click Add . See Con[...]
-
Page 190
10 Events 10 - 1 2 VPN 3000 Concent rator S eries User Guid e Class Name Add screen: Click t he drop -down menu button and selec t the event class you want to add and co nfigure for special handli ng. (Please not e that Select Class is an inst ruction reminde r , not a class.) T able 10-1 describes the event classes. Modify screen : The field shows[...]
-
Page 191
Conf igura ti on | Sy stem | Eve nts | Clas ses | Add o r Modi fy 10 - 13 VPN 3000 Conce ntrator Seri es User Guide Severity to Email Click the drop-d ow n menu butto n and select the range of e v ent se verity lev els to send to reci pients via ema il. Ch oices are: None , 1 , 1-2 , 1-3 . The def ault is None : no events are se nt vi a ema il. If [...]
-
Page 192
10 Events 10 - 14 VPN 3000 Concent rator Ser ies User Guide Configuration | Sy stem | Events | T rap Destinations This sect ion of the M anager lets you configure SNMP ne twork mana gement syste ms as destinat ions of e ven t traps. Eve nt messages sent to SNMP system s are called “ trap s. ” If you configure any event handling — default or s[...]
-
Page 193
Confi guration | System | Ev ents | T r ap Desti nations | Add or Mod ify 10 - 15 VPN 3000 Conce ntrator Seri es User Guide Remin der: The Manager immediat ely include s your c hanges i n the active c onfigu ration. To save t he activ e configura tion a nd mak e it t he boot c onfigu ration, c lick th e S ave N eeded ic on at the top of the M anage[...]
-
Page 194
10 Events 10 - 16 VPN 3000 Concent rator Ser ies User Guide Port Enter the UD P port number by which you ac cess the destinat ion SNM P server . Use a decim al num ber from 0 to 65535 . The def ault is 162 , which is the wel l-kno wn port numbe r for SNMP traps. Add or Apply / C ancel T o add this system to the list of SNMP trap destination s, clic[...]
-
Page 195
Configur ation | Sys tem | Even ts | Syslo g Servers | Add or Mod ify 10 - 17 VPN 3000 Conce ntrator Seri es User Guide Sy slog Serve rs The Sy slog Servers list sh ows the UNI X syslog se rvers that have been configured as re cipients o f ev ent messages. Y o u can configure a maximum of fi ve syslog servers. If no syslog servers hav e been config[...]
-
Page 196
10 Events 10 - 18 VPN 3000 Concent rator Ser ies User Guide Port Enter the UDP port num ber by which you acce ss the syslog server . Use a dec imal numbe r from 0 to 65535 . The defaul t is 514 , which is the w ell-kn o wn port numbe r . Facility Click the drop-d ow n menu butto n and select the syslog faci lity tag for e v ents sent to this serv e[...]
-
Page 197
Conf igur ati on | Sy stem | Ev ents | SMTP Ser vers 10 - 19 VPN 3000 Conce ntrator Seri es User Guide Figure 1 0-1 0: Configuration | Syst em | Events | SMTP Servers screen SMTP Serve rs The SMTP Serve rs list shows the co nfigur ed SMTP serve rs in the order in which the system accesses them. Y ou can configur e two prioritiz ed SMTP servers so t[...]
-
Page 198
10 Events 10 - 2 0 V PN 3000 Conc entrat or Series User Guid e Configuration | Sy stem | Events | SMTP Servers | Add or Modify These scr eens let you: Add an SMTP server to the list of configu red SMTP servers. Y ou can c onfigure two SMTP servers: a primar y and a backu p. Modify the IP addr ess or ho stname of a conf igured SMTP ser ver . Figure [...]
-
Page 199
Confi guration | System | Ev ents | Ema il Recipi ents 10 - 2 1 VPN 3000 Conce ntrator Seri es User Guide T o con f igu re d efa ult e vent ha ndli ng, clic k the hig hli ghte d li nk t hat s ays “ Click he re to configu re general event paramete rs . ” T o co nfigure specia l ev ent hand ling, see t he Config urat ion | Sy s tem | Ev ent s | C[...]
-
Page 200
10 Events 10 - 2 2 V PN 3000 Conc entrat or Series User Guid e Configuration | Sy stem | Events | Email Recipients | Add or Mo dify These scr eens let you: Add and conf igur e an e ve nt messag e email recip ient. Y ou can conf igure a maximu m of f i ve em ail recip ients . Modify the pa ramet ers for a c onfigured e mail r ecipien t. Figure 1 0-1[...]
-
Page 201
Conf igura ti on | Sy stem | Eve nts | Emai l Rec ipien ts | Add or M odif y 10 - 2 3 VPN 3000 Conce ntrator Seri es User Guide Add or Apply / C ancel T o add this r ecipien t to the l ist of e mail rec ipients, click Add . Or to apply your change s to this email recipi ent, click Apply . Both actions include y our entry in th e acti ve conf igurat[...]
-
Page 202
[...]
-
Page 203
11 - 1 VPN 3000 Conce ntrator Seri es User Guide CHAPTER 11 General General configuration pa rameter s include V PN 3000 Conce ntrator e n v ironment items: system identif ication, time, and date. Configuration | Sy stem | General This se ction of the Manage r lets you configu re genera l VPN C oncen trator paramet ers. • Identification : system [...]
-
Page 204
11 Gene ral 11 - 2 VPN 3000 Concent rator Ser ies User Guide Configuration | Sy stem | General | Identification This screen lets you co nfigur e system identif ication parameters that ar e stored in the standard MIB-II system objec t. Net work man agement systems using SN MP ca n retr ie ve this object and id entify the system. Conf iguring this in[...]
-
Page 205
Confi guration | System | Genera l | T ime and Dat e 11 - 3 VPN 3000 Conce ntrator Seri es User Guide Configuration | Sy stem | General | T ime and Date This screen lets you set the time and date on the VPN Concentrator . Setting the correct time is very important so that lo gging and accountin g information is accurate . Figure 1 1 -3: Configurat [...]
-
Page 206
[...]
-
Page 207
12 - 1 VPN 3000 Conce ntrator Seri es User Guide CHAPTER 12 User Management Groups an d users are co re conce pts in mana ging the se curity of VPNs and in c onfiguring the VPN 3000 Conc entrator . Group s and users ha ve attri b utes, conf igure d vi a param eters, tha t det ermine th eir a ccess to and use of the VPN . Use rs are memb ers of grou[...]
-
Page 208
12 U ser Manag ement 12 - 2 VPN 3000 Concent rator Ser ies User Guide Some additional p oints to note: • Base-gro up parame ters are the de fault, or system -wide, pa rameter s. • A user can be a me mber of only one g roup. • Users w ho are not mem bers of a sp ecific group a re, by default, mem bers of the base group . Therefor e, to ensu re[...]
-
Page 209
Config uration | U ser Mana gement 12 - 3 VPN 3000 Conce ntrator Seri es User Guide Configuration | User Mana gement This sec tion o f the Man ager lets you con figure base-gr oup, g roup, and individual u ser para meters. These param eters determi ne ac cess and us e of t he VPN Conc entrato r . Figure 12-1: Configurat ion | User Management scr ee[...]
-
Page 210
12 U ser Manag ement 12 - 4 VPN 3000 Concent rator Ser ies User Guide Figure 12-2: Configuration | User Management | Base Group screen, General tab General Parameters tab This tab lets you configure gene ral secur ity , acce ss, perform ance, an d protocol parame ters that ap ply to the base group. Access Hours Click the drop-do wn menu bu tton and[...]
-
Page 211
Configur ation | U ser Manage ment | Base Group 12 - 5 VPN 3000 Conce ntrator Seri es User Guide Simultaneous Logins Enter the number o f simulta neous log ins permitt ed for a si ngle us er . T he minim um is 0 , whic h disa bles login a nd prevents user access; defaul t is 3 . While there is no max imum limit, a llo wing se veral could compr omis[...]
-
Page 212
12 U ser Manag ement 12 - 6 VPN 3000 Concent rator Ser ies User Guide Primary DNS Enter the IP addres s, in d otted decimal notat ion, of the pri mary D NS s erver for base-gr oup users. The system sends this addr ess to the client as the first DNS server to use for resolv ing hostname s. If the base group doe sn ’ t use DNS, l eav e this f ield [...]
-
Page 213
Configur ation | U ser Manage ment | Base Group 12 - 7 VPN 3000 Conce ntrator Seri es User Guide client specif icall y designed to wor k with the VPN Concentrator . Howe v er , the VPN Concen trator can establ ish IPSec conn ections with ma ny protocol-com pliant clie nts. L2TP over IPSec = L2TP u sing I PSec for secu rity (n ot che cked b y defaul[...]
-
Page 214
12 U ser Manag ement 12 - 8 VPN 3000 Concent rator Ser ies User Guide T o use IPSec with remote-a ccess client s, you mu st assign an SA. W ith IPSec LAN-to -LAN conn ections, the system ignores this se lection an d uses pa rameters from the Config uratio n | Sy st em | T u nnelin g Pr otocol s | IPSec LAN-to-LA N screens. The VPN Concentrator supp[...]
-
Page 215
Configur ation | U ser Manage ment | Base Group 12 - 9 VPN 3000 Conce ntrator Seri es User Guide Authentication Click the dro p-do wn menu b utton an d select the u ser authen tication meth od (authentica tion serv er type) to use with remote-acce ss IPSec clients. This selec tion identif ies the authentic ation metho d , not th e specif ic serv er[...]
-
Page 216
12 U ser Manag ement 12 - 10 VPN 3000 C oncentrat or Series Use r Guide Allow Passwor d Storage o n Client Check the bo x to allow IPSec clie nts to store thei r login passwords on t heir loca l client sy stems. If you do not allo w passw ord st orage (the defa ult), IPSec us ers must enter their passw ord eac h time the y seek acces s to t he VPN.[...]
-
Page 217
Configur ation | U ser Manage ment | Base Group 12 - 1 1 VPN 3000 Conce ntrator Seri es User Guide Default Domain Na me Enter the d efault d omain name that the VPN Concentr ator passes to the I PSec client , for the clie nt ’ s T CP/ IP stack to append to DN S queries that o mit the domai n f ield. This domain name applie s only to tunneled pack[...]
-
Page 218
12 U ser Manag ement 12 - 12 VPN 3000 Concent rator Ser ies User Guide Figure 12-4: Configuration | User Management | Base Group screen, PPTP/L2TP tab PPTP/L2T P Paramete rs tab This tab le ts you configure PPTP and L2TP par ameters that apply to the base group. During tunn el establ ishmen t, the clie nt and server negoti ate access an d usage ba [...]
-
Page 219
Configur ation | U ser Manage ment | Base Group 12- 13 VPN 3000 Conce ntrator Seri es User Guide These choices spe cify the allo wable authenticati on protocols in order from lea st secure to most secure. PA P = P assword Authent ication Protoc ol. This proto col passes clea rtext user name and password during au thent ication and is not secure. W [...]
-
Page 220
12 U ser Manag ement 12 - 14 VPN 3000 C oncentrat or Series Use r Guide L2TP Authentication Protocol s Check th e box es for th e authentic ation pr otocol s that L2TP clients can use. T o establish an d use a VPN tunnel, users sho uld be authent icated according to som e prot ocol. Caution : Unchec king a ll authenti cation option s means that no [...]
-
Page 221
Configur ation | U ser Manage ment | Base Group 12 - 15 VPN 3000 Conce ntrator Seri es User Guide 40-bit = L2TP clients are allo wed to use the RSA RC4 encry ption alg orithm with a 40- bit ke y . This is signif icantl y less secure than the 128-bit option. Microsoft en cryption ( MPPE) uses this al gorithm. This op tion is not ch ecked by default.[...]
-
Page 222
12 U ser Manag ement 12 - 16 VPN 3000 C oncentrat or Series Use r Guide Configuration | User Mana gement | Groups This sec tion of the Ma nager let s you configur e access and usage para meters fo r specific group s. A group is a collection of users treated as a single ent ity . Groups inherit pa rameters from the base group. See th e discussi on o[...]
-
Page 223
Config uration | User M anagem ent | Grou ps 12- 1 7 VPN 3000 Conce ntrator Seri es User Guide Add / Modify / Delete T o conf igur e and add a n e w group, click Add . The Ma nage r opens the Config uratio n | U ser M anagem ent | Groups | Add sc reen. T o m odify parame ters f or a gr oup tha t has been configur ed, se lect the group f rom th e li[...]
-
Page 224
12 U ser Manag ement 12 - 18 VPN 3000 C oncentrat or Series Use r Guide Configuration | User Mana gement | Groups | Add or Modify (Internal) These scr eens let you: Add : Configure and add a new group. Modify : Change para meters for a group that you hav e previously con figured on the int ernal server . The screen title i dentifies the gr oup you [...]
-
Page 225
Confi gura tion | Use r Mana geme nt | Gr oups | Add o r Mo dify ( Int erna l) 12 - 19 VPN 3000 Conce ntrator Seri es User Guide Group Name Enter a uniqu e name for thi s speci fic group. Ma ximum is 32 cha ract ers, ca se-sensi ti ve. Chang ing a gr oup name autom atically up dates the gr oup name for all users in the group. See the no te about co[...]
-
Page 226
12 U ser Manag ement 12 - 2 0 VPN 3000 Concent rator Ser ies User Guid e Figure 12-7: Configuration | User Management | G roups | Add or Modify (Inter nal) screen, General tab General Parameters tab This tab l ets you c onfigure gene ral securit y , acce ss, perfor mance, a nd tunne ling prot ocol param eters that apply to this inte rnally con fig [...]
-
Page 227
Confi gura tion | Use r Mana geme nt | Gr oups | Add o r Mo dify ( Int erna l) 12- 21 VPN 3000 Conce ntrator Seri es User Guide setting , clear the che ck box. If you clea r the c heck bo x, yo u must al so ent er or ch ange any corresp ondin g Val u e field; do n ot le av e the field bla nk. • The Va l u e column thus sho ws either base-gr oup p[...]
-
Page 228
12 U ser Manag ement 12 - 2 2 VPN 3000 Concent rator Ser ies User Guid e Maximum Connect T ime Ente r the grou p ’ s maximum user connectio n time in minutes. At the end of this time, the system terminate s the connection . The minimum is 1 , and th e maximu m is 21474 83647 mi nutes (over 4000 years). T o allo w unlim ited connec tion time, ente[...]
-
Page 229
Confi gura tion | Use r Mana geme nt | Gr oups | Add o r Mo dify ( Int erna l) 12- 23 VPN 3000 Conce ntrator Seri es User Guide Primary WI NS Enter the IP a ddress, in dotted dec imal notation, of the primary WINS serv er f or this group ’ s users. The system sends this address to the client as the first WINS server to use for resolving hostname [...]
-
Page 230
12 U ser Manag ement 12 - 2 4 VPN 3000 Concent rator Ser ies User Guid e Figure 12-8: Configuration | User Management | Groups | A dd or Modify (Inter nal) screen, IPSec tab IPSec Parameters tab This tab lets you conf igur e IP Security Protoc ol parameters that apply to this internally configu red group. I f you c hecked IPSec or L2TP ove r IPSec [...]
-
Page 231
Confi gura tion | Use r Mana geme nt | Gr oups | Add o r Mo dify ( Int erna l) 12- 25 VPN 3000 Conce ntrator Seri es User Guide V alue / Inherit? On this tabbed se ction: • The Inherit? check b ox refe rs to base-g roup pa rameter s: Does this spe cific group inheri t the given setting from the base group? T o inhe rit the setting, check the b ox[...]
-
Page 232
12 U ser Manag ement 12 - 2 6 VPN 3000 Concent rator Ser ies User Guid e T unnel T y pe Click the drop-d ow n menu butto n and select the type of IPSec tu nnel that this group ’ s clients use: LAN-to-LAN = IPSec LAN-to-L AN c onnectio ns betwe en two V PN Conce ntrator s (or be tween a VP N Concentra tor and another protoc ol-compli ant sec urity[...]
-
Page 233
Confi gura tion | Use r Mana geme nt | Gr oups | Add o r Mo dify ( Int erna l) 12- 27 VPN 3000 Conce ntrator Seri es User Guide Notes : IPSec uses Mode Co nfiguratio n to pass all configura tion parame ters to a client: IP add ress, DN S and WINS addresse s, etc. You must check t his box to use Mode C onfigurat ion. Othe rwise, th ose paramet ers ?[...]
-
Page 234
12 U ser Manag ement 12 - 2 8 VPN 3000 Concent rator Ser ies User Guid e IPSec through NA T Check the box to a llo w the Cisco VPN 3000 Client (IPSec client) to connec t to th e VPN Concen trator via UD P throug h a f irewall or ro uter u sing NA T . IPSec through NA T UDP Port Enter the UD P port numbe r to u se if y ou a llo w IPSec t hroug h NA [...]
-
Page 235
Confi gura tion | Use r Mana geme nt | Gr oups | Add o r Mo dify ( Int erna l) 12- 29 VPN 3000 Conce ntrator Seri es User Guide V alue / Inherit? On this tabbed se ction: • The Inherit? check b ox refe rs to base-g roup pa rameter s: Does this spe cific group inheri t the given setting from the base group? T o inhe rit the setting, check the b ox[...]
-
Page 236
12 U ser Manag ement 12 - 3 0 VPN 3000 Concent rator Ser ies User Guid e and co mpares — only encrypte d passw ords , rather th an clearte xt pass wor ds as in CHAP . This protocol also genera tes a key for dat a encryption by MPPE (Microsoft Point-to-Po int Encryptio n). If you check Required under PPTP Encryption below , you must allow one or b[...]
-
Page 237
Confi gura tion | Use r Mana geme nt | Gr oups | Add o r Mo dify ( Int erna l) 12- 31 VPN 3000 Conce ntrator Seri es User Guide CHAP = Challenge-Hand shake Authenticatio n Protoc ol. In r esponse to the serv er ch allenge, t he client r eturns the enc rypted [c hallen ge plus password], w ith a cleart ext username. It is m ore sec ure than P AP . E[...]
-
Page 238
12 U ser Manag ement 12 - 3 2 VPN 3000 Concent rator Ser ies User Guid e Configuration | User Mana gement | Groups | Modify (Exte rnal) This scre en lets you cha nge ide ntity par ameters for an external gro up that you have pre viousl y conf igured. T he screen ti tle iden tifi es the grou p you are m odifying. Figure 12-1 0: Configu ration | User[...]
-
Page 239
Config uration | User Mana gement | Use rs 12- 33 VPN 3000 Conce ntrator Seri es User Guide Apply / C ancel When you finish chan ging the se paramet ers, click Apply to include y our settings in the a ctiv e conf iguration. The Manag er returns to the Configu ration | U ser Mana gement | Grou ps screen and re freshes the Current Gr oups list. H o w[...]
-
Page 240
12 U ser Manag ement 12 - 3 4 VPN 3000 Concent rator Ser ies User Guid e Current Use rs The C urrent Users list shows configured u sers in alp habetica l order . If no users have been configured , the list sho ws --Empty-- . Add / Modify / Delete T o conf igur e a ne w user , click Ad d . The Man ager op ens the Con figura tion | User Management | [...]
-
Page 241
Configu ration | Us er Manag ement | Users | Add or Modi fy 12- 35 VPN 3000 Conce ntrator Seri es User Guide Figure 12-12: Configurat ion | User Management | Users | A dd or Modify screen, Identity tab Identity Parameters tab This ta b lets you configure th e name, pa ssword, group , and IP addre ss for this user . User N ame Ente r a un ique n ame[...]
-
Page 242
12 U ser Manag ement 12 - 3 6 VPN 3000 Concent rator Ser ies User Guid e IP Address Enter the IP addres s, in d otted de cimal not ation, assigned to th is user . Enter this ad dress o nly if y ou assign th is user to the ba se group or an int ernally configured group, and if you configure Use Addr ess from Authentication Server on the Conf igur at[...]
-
Page 243
Configu ration | Us er Manag ement | Users | Add or Modi fy 12- 37 VPN 3000 Conce ntrator Seri es User Guide V alue / Inherit? On this tabbed se ction: • The Inherit? check box refers to group paramete rs: Does this sp ecif ic user inh erit the gi v en setting from the group ? – Add screen = inherit base- group para meter setti ng. – Modify s[...]
-
Page 244
12 U ser Manag ement 12 - 3 8 VPN 3000 Concent rator Ser ies User Guid e Maximum Connect T ime Enter this user ’ s maximum connection time in min utes. At the end of this time, the system terminates the conn ecti on. The minimum is 1 , and the maxi mum is 21474 8364 7 minutes (over 4000 years) . T o allo w unlimited co nnection time, enter 0 . Fi[...]
-
Page 245
Configu ration | Us er Manag ement | Users | Add or Modi fy 12- 39 VPN 3000 Conce ntrator Seri es User Guide specif ically d esigned t o work with the VPN Concent rator . Howe v er , the VPN Concen trator can establi sh IPSec conn ections with ma ny protocol-com pliant cli ents. L2TP over IPSec = L2TP using IPSec for security . L2TP pack ets are en[...]
-
Page 246
12 U ser Manag ement 12 - 4 0 VPN 3000 Concent rator Ser ies User Guid e Note : The sett ing of the Inherit? check box takes prior ity o ver an entry in a Val u e field. E xamine t his box be fore conti nuing and be s ure its setting refle cts you r inten t. IPSec SA Click the drop-do wn menu button and select th e IPSec Security As sociation (SA) [...]
-
Page 247
Configu ration | Us er Manag ement | Users | Add or Modi fy 12- 41 VPN 3000 Conce ntrator Seri es User Guide Figure 12-15: Configuration | User Management | Users | Add or Mo dify screen, PPTP/L2TP tab PPTP/L2T P Paramete rs tab This tab le ts you configure PPTP and L2TP param eters tha t apply to this use r . Du ring tunne l establish ment, the us[...]
-
Page 248
12 U ser Manag ement 12 - 4 2 VPN 3000 Concent rator Ser ies User Guid e Note : The sett ing of the Inherit? check box takes prior ity o ver an entry in a Val u e field. E xamine t his box be fore conti nuing and be s ure its setting refle cts you r inten t. Use Client Address Check the b ox to a ccept and u se an I P ad dress that t his u ser (cli[...]
-
Page 249
Configu ration | Us er Manag ement | Users | Add or Modi fy 12- 43 VPN 3000 Conce ntrator Seri es User Guide L2TP Authentication Protocol s Check the box es for the authen tication protoco ls that this L2TP user (client) can use. T o establish and use a VPN tunne l, users should be authent icated according to some protocol. Caution : Unchec king al[...]
-
Page 250
[...]
-
Page 251
13 - 1 VPN 3000 Conce ntrator Seri es User Guide CHAPTER 13 Policy Management Managin g a VP N, and protec ting t he integri ty and securit y of ne twork reso urces, inclu des car efully designing and im pleme nting pol icies tha t govern who ca n use the VPN, when, and wha t data traff ic can flow through it. User ma nagement deals with “ who ca[...]
-
Page 252
13 Poli cy Mana gement 13 - 2 VPN 3000 Concent rator Ser ies User Guide Configuration | Policy Management This se ction of the Manage r lets you configur e polic ies tha t apply to gro ups, user s, an d VPN Concen trator Ethe rnet inter faces . Policies gov ern: • Access Hou rs : when remote us ers can ac cess the VP N Concentr ator . • T raffi[...]
-
Page 253
Confi guration | Policy M anagement | Acce ss Hours 13 - 3 VPN 3000 Conce ntrator Seri es User Guide Current Access Hours The Curr ent Acces s Ho urs li st shows the names of configured access times. The Cisco- supplied de fault acces s times are: Never = Ne ver . No ac cess at any time. Business Hours = Mon day thr ough Friday , 9 a.m. to 5 p .m. [...]
-
Page 254
13 Poli cy Mana gement 13 - 4 VPN 3000 Concent rator Ser ies User Guide Configuration | Policy Managemen t | Access Hours | Add or Mo dify These Ma nager scr eens let you: Add : Conf igure and add a ne w access time to the list of conf igured acce ss times. Modify : Modif y a conf igured access time. Chan ging an a ccess tim e has no ef fect on con[...]
-
Page 255
Configur ation | Po licy Mana gement | T ra ffic Mana gement 13 - 5 VPN 3000 Conce ntrator Seri es User Guide Add or Apply / C ancel T o add this access tim e to the list, c lick Add . Or to appl y your ch anges f or this ac cess ti me, click Ap ply . Both actions inclu de your entry in the acti ve conf iguration. The Manager returns to the Con fig[...]
-
Page 256
13 Poli cy Mana gement 13 - 6 VPN 3000 Concent rator Ser ies User Guide Configuration | Policy Management | T raffic Management | Network Lists This sec tion of the Manager lets you configu re network li sts, whi ch are li sts of network s that a re groupe d as sing le obje cts. N etwork lis ts make co nfiguration easier: f or exam ple, you can use[...]
-
Page 257
Configur ation | Po licy Manag ement | T ra ffic Managem ent | Net work List s | Add, Modi fy , or Copy 13 - 7 VPN 3000 Conce ntrator Seri es User Guide action to tak e before you can delete the list. Oth erwise, t here i s no conf irmation o r undo. The Mana ger deletes the list, r efreshes the screen, and shows the remain ing network lists. Remin[...]
-
Page 258
13 Poli cy Mana gement 13 - 8 VPN 3000 Concent rator Ser ies User Guide List Name Enter a u nique na me for thi s networ k list. Max imum 48 char acters , case-se nsiti ve. Spaces are allo wed. If you use the Gener ate Local List featur e on the Add screen, enter this name after the system generates the network list. Network List Enter the networks[...]
-
Page 259
Conf igur ati on | P oli cy Ma nage ment | T raff ic Man age ment | Rules 13 - 9 VPN 3000 Conce ntrator Seri es User Guide Configuration | Policy Management | T raffic Management | Rules This sec tion o f the Ma nager let s you ad d, con f igure , modif y , copy , a nd del ete filter rul es. Y ou u se rul es to construct f ilter s. Caution: The Cis[...]
-
Page 260
13 Poli cy Mana gement 13 - 10 VPN 3000 C oncentrat or Series Use r Guide For all the def ault rules exc ept VRRP In and Ou t , these parameter s are identi cal: Action = Forward Sour ce Add ress = Use I P Addr ess/W ildcar d-Mask = 0.0.0.0 /255.25 5.25 5.255 = any a ddress Desti nati on Addr ess = U se IP Add ress /Wild card- Mask = 0.0.0.0/ 255.2[...]
-
Page 261
Conf igur ati on | P oli cy Ma nage ment | T raff ic Man age ment | Rules 13 - 1 1 VPN 3000 Conce ntrator Seri es User Guide *For VRRP In and VRRP Out , the Destinati on Ad dress is 224. 0.0. 18/0.0. 0.0 , which i s the IAN A-assigned IP multicast a ddress for VRRP . Add / Modify / Copy / Delete T o conf igure a ne w rule, cl ick Add . The Ma nage [...]
-
Page 262
13 Poli cy Mana gement 13 - 12 VPN 3000 Concent rator Ser ies User Guide Configuration | Policy Management | T raffic Management | Rules | Add, Modify , or Copy These Ma nager scr eens let you: Add : Config ure and a dd a ne w f ilter rule to the list of f ilter rule s. Modify : Modi fy a pr ev iously co nf igured f ilter rule. Copy : Cop y a co nf[...]
-
Page 263
Configur ation | P olicy Mana gement | T ra ffic Man agement | Rul es | Add, Modify , or Copy 13- 13 VPN 3000 Conce ntrator Seri es User Guide Figure 13-8: Configurat ion | P olicy Manag ement | T raffic Manag ement | Rules | Add, Modify , or Copy scr een[...]
-
Page 264
13 Poli cy Mana gement 13 - 14 VPN 3000 C oncentrat or Series Use r Guide Rule Name Enter a unique name for this ru le. Ma ximum is 48 ch aracte rs. Direction Click the drop-do wn menu b utton and sel ect the data direction to which this rule applies: Inbo und = I nto the VPN Conce ntrator inte rface ; or into the VPN tu nnel fr om the r emote clie[...]
-
Page 265
Configur ation | P olicy Mana gement | T ra ffic Man agement | Rul es | Add, Modify , or Copy 13 - 15 VPN 3000 Conce ntrator Seri es User Guide Click the drop-do wn menu b utton and sel ect the protocol to which this rule applies. Any = A ny protocol [255] (the d efault sel ection). ICMP = Inter net Cont rol Messa ge Protoc ol [1] (used by ping , f[...]
-
Page 266
13 Poli cy Mana gement 13 - 16 VPN 3000 C oncentrat or Series Use r Guide Note : An IP addr ess is used with a wildcard mask to provide the desire d granularity . A wildcard mask is the reverse of a su bnet mask ; i. e., th e wildca rd mask has 1s i n bit po sitions t o ignore , 0s in bit posi tions to matc h. F or ex ample : 0.0.0. 0/255 .255.2 55[...]
-
Page 267
Configur ation | P olicy Mana gement | T ra ffic Man agement | Rul es | Add, Modify , or Copy 13- 1 7 VPN 3000 Conce ntrator Seri es User Guide Assigned Nu mbers Autho rity (IANA) manage s port numbers an d classifies them a s W ell Kn o wn, Registered, a nd Dyn amic (or Private). The W ell Known ports are thos e fro m 0 th rough 102 3; th e Regist[...]
-
Page 268
13 Poli cy Mana gement 13 - 18 VPN 3000 C oncentrat or Series Use r Guide Range = T o specify a range of port numbers, or to specify a port not on the Cisco-supplied list, select Rang e h ere (the default sele ction) and enter — in the Range [start] to [end] fields — the inc lusive range of port numbers that thi s rule applies to. T o specify a[...]
-
Page 269
Configuration | Po licy Management | T raffic Management | Rules | D elete 13 - 19 VPN 3000 Conce ntrator Seri es User Guide Configuration | Policy Management | T raffic Management | Rules | Delete This screen asks you to conf irm deletion of a rule that is being used in a f ilter . Doing so deletes the rule from all filters that use it, and delete[...]
-
Page 270
13 Poli cy Mana gement 13 - 2 0 VPN 3000 Concent rator Ser ies User Guid e Y ou apply SAs to f il ter rules that ar e conf igur ed with an Apply IPSec action, for LAN- to-LAN tra ff ic. See Configuration | Policy M anagement | T raffic Management | Rules . T he VPN Concen trator auto matically creat es and a pplies a ppropri ate rul es when y ou cr[...]
-
Page 271
Config uration | Policy Ma nageme nt | T raffi c Manageme nt | Secur ity As sociatio ns 13- 21 VPN 3000 Conce ntrator Seri es User Guide IPSec SA s The IPSec SAs list sho ws the configured SAs that are a v ailable . The SAs are listed in the order the y are configured . Cisco s upplies d efault SA s that y ou can use or mod ify; see T able 13-2. Se[...]
-
Page 272
13 Poli cy Mana gement 13 - 2 2 VPN 3000 Concent rator Ser ies User Guid e T o delete a conf igured SA, sele ct the SA from the list and click Delete . • If the SA has not been assign ed to a f ilter rule — e ven if it has been assigne d to a group or user — the Manager deletes the SA, refreshes the screen, and sho ws the remaining SAs in the[...]
-
Page 273
Con figur ati on | P olic y Mana geme nt | T raffic Mana gemen t | Sec uri ty As sociat io ns | Ad d or Mo dif y 13- 23 VPN 3000 Conce ntrator Seri es User Guide Figure 13-1 1: Co nfiguration | P olicy Management | T raf fic Management | Secur ity Ass ociations | Add or Modify screen SA Name Enter a uni que nam e for this Se curity A ssocia tion. M[...]
-
Page 274
13 Poli cy Mana gement 13 - 2 4 VPN 3000 Concent rator Ser ies User Guid e IPSec Parameters These p aramet ers app ly to I PSec SAs, w hich ar e Phas e 2 SAs ne gotiate d under IPSec, where t he two parties estab lish conditions for use of the tunnel. Authentication Algorithm This param eter specif ies the data, or pac ket, auth entication algorith[...]
-
Page 275
Con figur ati on | P olic y Mana geme nt | T raffic Mana gemen t | Sec uri ty As sociat io ns | Ad d or Mo dif y 13- 25 VPN 3000 Conce ntrator Seri es User Guide Perfect F orward Secrecy This pa rameter specif ies whether to use Perfe ct For ward Secrec y , and the size of the n umbers to use, in gener ating Ph ase 2 IPSec ke ys. Pe rfec t Forw ard[...]
-
Page 276
13 Poli cy Mana gement 13 - 2 6 VPN 3000 Concent rator Ser ies User Guid e IKE Parameters These pa rameters gov ern IKE SA s, which a re Phase 1 SAs negoti ated unde r IPSec, where the two parties establish a se cure tunnel within whic h they then ne gotiate the I PSec SAs. In th is IKE SA the y e xchange automa ted key management informa tion unde[...]
-
Page 277
Con figur ati on | P olic y Mana geme nt | T raffic Mana gemen t | Sec uri ty As sociat io ns | Ad d or Mo dif y 13- 27 VPN 3000 Conce ntrator Seri es User Guide IKE Proposal This parameter specifie s the set of attrib utes that go v ern Phase 1 IPSec neg otiations, wh ich are kno wn as IKE pr oposal s. See the Con figura tion | Sy stem | T unn eli[...]
-
Page 278
13 Poli cy Mana gement 13 - 2 8 VPN 3000 Concent rator Ser ies User Guid e Configuration | Policy Management | T raffic Management | Security Associations | Delete This screen asks you to conf irm dele tion of a Security Associatio n that is assigned to a rule in a filte r . Doing so deletes th e SA from the VP N Concentrator active c onfiguration,[...]
-
Page 279
Confi guration | Policy M anagem ent | T raffi c Manag ement | Fil ters 13- 29 VPN 3000 Conce ntrator Seri es User Guide Conf iguring a f ilter in volve s two steps: 1 Conf iguring its basic parame ters (name, default action, etc.) by clicking Add Filter , Modify Filter , or Copy Filter , and 2 Assigning rules to a f ilter by cli cking Assign Rules[...]
-
Page 280
13 Poli cy Mana gement 13 - 3 0 VPN 3000 Concent rator Ser ies User Guid e Filter List The Filter List show s conf igu red filt ers, listed in th e order the y are co nfi gured . Cisco s upplie s default filters that you c an use and m odify; se e T able 13- 3. Add Filter T o conf igur e and add a ne w f ilter , click Add Filter . The Mana ger ope [...]
-
Page 281
Configura tion | Po licy Manag ement | T raf fic Mana gement | Filters | A dd, Modif y , o r Copy 13- 31 VPN 3000 Conce ntrator Seri es User Guide Copy Filter T o cr eate a new filter by copying the ba sic parame ters and rule s from a filter that has been co nfigured, click Copy Filter . The Ma nager ope ns the Configuration | Policy Management | [...]
-
Page 282
13 Poli cy Mana gement 13 - 3 2 VPN 3000 Concent rator Ser ies User Guid e Figure 1 3-14: Configuration | P olicy Manag ement | T raf fic Manag ement | Filters | Add, Modify , or Copy scr een Filter Name Ente r a unique na me for t his f ilter . Maximum is 48 char acters. Default Action Click the drop-d ow n menu butto n and select the action tha t[...]
-
Page 283
Configura tion | Po licy Manag ement | T raf fic Mana gement | Filters | A dd, Modif y , o r Copy 13- 33 VPN 3000 Conce ntrator Seri es User Guide Source Rou ting Check thi s box to al low IP source routed p ackets to pass. A source ro uted packe t specifies its own route through the net work and does not re ly on t he syst em to con trol f orwardi[...]
-
Page 284
13 Poli cy Mana gement 13 - 3 4 VPN 3000 Concent rator Ser ies User Guid e Configuration | Policy Management | T raffic Management | Assign Rules to Filter This sec tion of the M anager le ts you add, re move, and prioriti ze the rule s in a filter , and assign Se curity Associa tions to r ules th at are c onf igured with an Apply IPSec action. A f[...]
-
Page 285
Configura tion | Po licy Manag ement | T raf fic Mana gement | As sign Rules to Filter 13- 35 VPN 3000 Conce ntrator Seri es User Guide Current Rules in Filter This list sho ws the rules currently assigned to the filt er . Use the scroll controls (if presen t) to see all the rules in the l ist. If no rules have been assigne d, the list shows --Em p[...]
-
Page 286
13 Poli cy Mana gement 13 - 3 6 VPN 3000 Concent rator Ser ies User Guid e Move Up / Move Down T o change th e order in wh ich a rul e is applie d within the f ilter , select the rule from th e Current Rules in Filter list and click Move Up or Mo ve Down . The Manage r reorder s the curre nt rule s, modifies the a ctiv e configurati on, refre shes [...]
-
Page 287
Configur ation | Po licy Mana gement | T ra ffic Mana gement | As sign Rul es to Filte r | Change SA on Rule 13- 37 VPN 3000 Conce ntrator Seri es User Guide Add SA to Rule on Filter: The Ma nager sho ws the na me of fi lter to which you are ad ding a ru le that has an Apply IPSec action configured . Y ou cannot chang e this name he re. See Configu[...]
-
Page 288
13 Poli cy Mana gement 13 - 3 8 VPN 3000 Concent rator Ser ies User Guid e Figure 13-1 7 : Configuration | P olicy Management | T raf fic Management | Assign Rules to Filt er | Chang e SA on Rule scr een Change SA on Rule in Filter: The Man ager sho ws the name of the f ilter to which th e IPSec rule is assig ned. Y o u can not change this name he [...]
-
Page 289
Configura tion | Po licy Manag ement | T r affic Ma nagement | NA T 13- 39 VPN 3000 Conce ntrator Seri es User Guide Configuration | Policy Man agement | T raffic Manageme nt | NA T This se ction of the Manage r lets you configu re and enabl e NA T ( Network A ddress Translati on). NA T transla tes priv ate network addresses in to an IANA-assigned [...]
-
Page 290
13 Poli cy Mana gement 13 - 4 0 VPN 3000 Concent rator Ser ies User Guid e Configuration | Policy Management | T raffic Management | NA T | Enable This screen lets you en able system-wide N A T operation, which applies N A T to all confi gured traf fic flowing thr ough the public interfac e. W e re commend that you co nfigure NA T rul es befo re yo[...]
-
Page 291
Confi gur atio n | Po licy Mana geme nt | T raffi c Mana geme nt | NA T | Rul es 13- 41 VPN 3000 Conce ntrator Seri es User Guide Figure 13-20: Configuration | P olicy Management | T raffic Manag ement | NA T | Rules sc r een NA T Rules The NA T Rule s list shows N A T rules that ha ve been configu red. If no rules hav e been conf igured , the list[...]
-
Page 292
13 Poli cy Mana gement 13 - 4 2 VPN 3000 Concent rator Ser ies User Guid e Configuration | Policy Management | T raffic Management | NA T | Rules | No Public Interf aces The Ma nager disp lays thi s screen i f you have not con f igure d a publ ic interfac e on the V PN Conce ntrator and yo u try to a dd a NA T rule. T he publ ic interfac e need not[...]
-
Page 293
Configur ation | Po licy Mana gement | T ra ffic Mana gement | NA T | Rules | Add or Modify 13- 43 VPN 3000 Conce ntrator Seri es User Guide Figure 13-22: Configuration | P olicy Management | T raffic Manag ement | NA T | Rules | Add or Modif y scr een Interface Add screen: Click the drop-d ow n menu bu tton and select the conf igured public interf[...]
-
Page 294
13 Poli cy Mana gement 13 - 4 4 VPN 3000 Concent rator Ser ies User Guid e Action Click the drop-do wn menu b utton and select the translation action for this N A T rule: No Port Map ping = T ranslat e addre sses for packe ts with protoc ols that don ’ t use por ts and thus d on ’ t in volv e port mapp ing (defaul t). For example, thi s action [...]
-
Page 295
14 - 1 VPN 3000 Conce ntrator Seri es User Guide CHAPTER 14 Administration Admin istering t he VPN 3000 Co ncentra tor Ser ies in volves activities tha t keep t he syst em oper ational and secure . Conf iguring t he system se ts the par ameters tha t gov ern its use and functionality as a VPN de vice, b ut admini stration in volv es higher le ve l [...]
-
Page 296
14 Ad ministration 14 - 2 VPN 3000 Concentrat or Series Use r Guide Figure 14-1: A dministr ation screen[...]
-
Page 297
Admini stration | Sessio ns 14 - 3 VPN 3000 Conce ntrator Seri es User Guide Administration | Sessions This scr een sho ws comp rehen si ve st atistics for all acti ve sessi ons on the VPN Concent rator . Y ou ca n also click a se ssion ’ s name to see detailed parameters and statist ics for that session. See Administration | Sessions | Detail . [...]
-
Page 298
14 Ad ministration 14 - 4 VPN 3000 Concentrat or Series Use r Guide Logout All: PPTP | L2TP | IP Sec User | L2TP/IPSec | IPSec/NA T | IPSec/LAN-to-LAN These a cti ve l abels let you log out all active sessions of a gi ven tunnel type at once: • PPTP • L2TP • IPSec User = IPSec remote- access users • L2TP/IPSec = L2TP o ver IPSec • IPSec/N[...]
-
Page 299
Admini stration | Sessio ns 14 - 5 VPN 3000 Conce ntrator Seri es User Guide T otal Act ive Sessions The total number of sessi ons of all types tha t are current ly active. Peak Concurrent Sessions The high est numbe r of sessions of al l types that were concur rently ac tiv e since the V PN Concen trato r was la st booted or reset. Concurrent Sess[...]
-
Page 300
14 Ad ministration 14 - 6 VPN 3000 Concentrat or Series Use r Guide Remote Ac cess Ses sions table This table shows parameter s and statistics for all acti ve remote-access s essions. Each session is a single-us er conn ection from a remo te clie nt to t he VPN Concen trator . Remo te-acce ss sessions include PPTP , L2TP , IPSec remote- access u se[...]
-
Page 301
Admini stration | Sessio ns 14 - 7 VPN 3000 Conce ntrator Seri es User Guide IP Address The IP address of the manager workstation that is accessing the system. Local indicates a direc t connec tion th rough the Console port on t he system . Protocol, Encryption, Login T ime, Dura tion, Actions See T able 14- 1 for def initio ns of the se pa ramet e[...]
-
Page 302
14 Ad ministration 14 - 8 VPN 3000 Concentrat or Series Use r Guide Administration | Sessions | Detail These Man ager screen s show detailed parameters and statistic s for a specif ic remote- access or LAN-to- LAN session. The parame ters and st atistics differ dependi ng on the sess ion prot ocol. The re are unique scre ens for: • IPSec L AN-to-[...]
-
Page 303
Administrat ion | Sessions | De tail 14 - 9 VPN 3000 Conce ntrator Seri es User Guide Figure 14-5: A dministr ation | Sessions | Detail screen: IPS ec remot e access user[...]
-
Page 304
14 Ad ministration 14 - 10 VPN 3000 Concent rator Ser ies User Guide Figure 14-6: A dministr ation | Sessions | Detail screen: IPSec through NA T Figure 14-7: A dministr ation | Sessions | Detail screen: L2TP[...]
-
Page 305
Administrat ion | Sessions | De tail 14 - 1 1 VPN 3000 Conce ntrator Seri es User Guide Figure 14-8: A dministr ation | Sessions | Detail screen: L2TP o ver IPSec Figure 14-9: A dministr ation | Sessions | Detail screen: PPTP[...]
-
Page 306
14 Ad ministration 14 - 1 2 VPN 3000 Concent rator Ser ies User Guid e Refresh T o update the screen an d its data, click Refresh . The date and time indi cate when th e screen was las t update d. Back to Sessions T o return to the Administration | Sessions scre en, clic k B ack to Sess ions . Administration | Sessions | Detail parameters Table 14-[...]
-
Page 307
Administrat ion | Sessions | De tail 14 - 1 3 VPN 3000 Conce ntrator Seri es User Guide IPSec Sessions: The total number of IPSec (Phase 2) sessio ns, which are da ta traf f ic s ession s thro ugh the tunnel . Eac h IPSec remote -acce ss session may have two IPSec sessions: one showing the tunnel endpo ints, and one showing th e private networks r [...]
-
Page 308
14 Ad ministration 14 - 14 VPN 3000 Concentrat or Series Use r Guide Administration | Software Update This scree n lets you upd ate th e VPN Concent rator executab le sys tem so ftware (t he sof tware i mag e). Thi s process up loads the file to the VPN Concen trator , which the n ver ifie s the in tegrity of the file . The ne w imag e file must be[...]
-
Page 309
Administ ration | S oftware Upda te 14 - 1 5 VPN 3000 Conce ntrator Seri es User Guide Browse... Enter the comple te pathname of the new im age f ile, or click Br owse ... to find and select th e file from your workstation or n etwork. Cisc o-suppl ied VPN 3000 C oncentrat or software i mage files are na med: Model 3005 = vpn300 5. <M ajor V ers[...]
-
Page 310
14 Ad ministration 14 - 16 VPN 3000 Concentrat or Series Use r Guide If th e uplo ad or v e rif icatio n is no t succ essful, the progre ss wi ndo w dis plays a fail ure messa ge. Figure 14-13: A dministration | Sof twar e Up dat e F ailure windo w Click OK to close the progre ss window . T ry the uploa d again. Soft ware Upda te Succ ess This wind[...]
-
Page 311
Admini stration | System Reboot 14 - 17 VPN 3000 Conce ntrator Seri es User Guide Administration | Sy stem Reboot This scre en lets you re boot or shut do wn (halt ) the VPN Con centrat or with various option s. We str ongl y recomm end t hat you s hut do wn the VPN Conc entr ator be fore you tur n power off. If you ju st turn pow er off wi thout s[...]
-
Page 312
14 Ad ministration 14 - 18 VPN 3000 Concentrat or Series Use r Guide Action Click a radio b utton to select the desired action . Y ou can select only one action. Rebo ot = Re boot the VPN Concentrato r . Rebooting termin ates al l sessions, resets the hardware, loads and verifies the software ima ge, ex ecutes syste m diagnos tics, and ini tializes[...]
-
Page 313
Admi nist ratio n | Pi ng 14 - 1 9 VPN 3000 Conce ntrator Seri es User Guide T o can cel your sett ings on this scr een, click Cancel . Th e Manage r ret urns t o the mai n Administration screen. (Note that this Canc el b utton does not ca ncel a schedul ed reboot or shutdown.) Administration | Ping This sc reen l ets yo u use th e ICM P ping (Pack[...]
-
Page 314
14 Ad ministration 14 - 2 0 V PN 3000 Conc entrat or Series User Guid e Error (Ping) If the syste m is unreach able for an y reas on — host down, ICM P not ru nning o n host, route no t configured, intermedi ate route r down, network down or congeste d, etc. — the Manage r displays an Error screen with the name of the tested host. T o troublesh[...]
-
Page 315
Administrat ion | Access Right s 14 - 2 1 VPN 3000 Conce ntrator Seri es User Guide Apply / C ancel T o sav e yo ur settings in the a ctiv e c onfig uration, c lick Apply . T he Mana ger goes t o the m ain Administration sc reen. Remin der: To save the activ e configuratio n and make it the boot configuratio n, click the Save Need ed icon at th e t[...]
-
Page 316
14 Ad ministration 14 - 2 2 V PN 3000 Conc entrat or Series User Guid e Note : The VPN Concentrato r sav es Administrator parameter sett ings from this screen and the Modify Properties screen in non volat ile memory , not in the acti ve co nf iguration ( CONFIG ) f ile. Thus, th ese settin gs are retained e ven if the sy stem loses po wer . These s[...]
-
Page 317
Adminis tration | Acces s Rights | Admini strator s | Modif y Prope rties 14 - 2 3 VPN 3000 Conce ntrator Seri es User Guide Administrator T o assign “ system administrator ” privile g es to o ne admin istrator , click t he radio butt on. On ly the “ system administrator ” c an access a nd configure prope rties in t his section. Y ou ca n s[...]
-
Page 318
14 Ad ministration 14 - 2 4 V PN 3000 Conc entrat or Series User Guid e T ab le 14-3 shows the matrix of Cisc o-supplie d default right s for the fi ve administrat ors. Username Enter or edit th e unique username for this administrator . Maximum is 31 characters. Passwo rd Enter or edit the uni que pa ssword for this adm inistra tor . Maximum is 3 [...]
-
Page 319
Adminis tration | Acces s Rights | Admini strator s | Modif y Prope rties 14 - 2 5 VPN 3000 Conce ntrator Seri es User Guide Authentication This area co nsists of V PN Conc entrator Mana ger fu nctions that a f fect a uthenti cation: • Confi gurati on | U ser Ma nagem ent • Confi gurati on | P olicy Manage ment | Acce ss H ours • Configuratio[...]
-
Page 320
14 Ad ministration 14 - 2 6 V PN 3000 Conc entrat or Series User Guid e Administration | Access Rights | Access Control List This se ction of th e Man ager le ts you configure and pri oritize the sy stems ( workstation s) th at are allowed to acce ss the VPN Con centrator Mana ger . For example, you mi ght want t o allow access o nly fro m one or t[...]
-
Page 321
Administration | Ac cess Rights | Acc ess Control List | Add or Modify 14 - 2 7 VPN 3000 Conce ntrator Seri es User Guide Remin der: The Manager immediat ely include s your c hanges i n the active c onfigu ration. To save t he activ e configura tion a nd mak e it t he boot c onfigu ration, c lick th e S ave N eeded ic on at the top of the M anager [...]
-
Page 322
14 Ad ministration 14 - 2 8 V PN 3000 Conc entrat or Series User Guid e IP Mask Enter t he mask f or the I P address i n dotted decimal notation. This mask lets you rest rict ac cess to a si ngle IP address, a range of a ddresses, or all addresses. T o restrict access to a single IP address, enter 255.25 5.255 .255 ( the def ault). T o allo w all I[...]
-
Page 323
Admini strati on | F ile M anage ment 14 - 2 9 VPN 3000 Conce ntrator Seri es User Guide The Mana ger reset s the inact i vity timer only whe n you click an action button ( Apply , Add , Ca ncel , et c.) or a link on a scr een — that is, whe n you in v ok e a diff erent screen . Entering v alu es or setting paramete rs on a giv en screen does not[...]
-
Page 324
14 Ad ministration 14 - 3 0 V PN 3000 Conc entrat or Series User Guid e Administration | File Management | Fil es This screen lets you ma nage file s in VPN Concentra tor flash mem ory . (Flash memory acts like a d isk.) Such f iles inc lude CONFIG , CONFIG. BAK , LOG NNNN N.TXT files, and co pies of them tha t you h av e save d unde r dif fer ent [...]
-
Page 325
Administrat ion | File Management | Files 14 - 3 1 VPN 3000 Conce ntrator Seri es User Guide Actions For a selected file, c lick the desi red acti on link. Th e action s av a ilable to you depen d on your Access Rights to Files ; see the Admini strati on | A ccess Rights | Ad minist rators | Modi fy Pro pertie s screen. V iew (Save) T o vie w the s[...]
-
Page 326
14 Ad ministration 14 - 3 2 V PN 3000 Conc entrat or Series User Guid e Administration | File Management | Swa p Configuration Files This scr een lets you sw ap the boo t conf iguration file with the backup conf igura tion f ile. Ev ery time you sav e the act iv e conf igurati on, the system writes it to the CONF IG f ile, which i s the boot co nfi[...]
-
Page 327
Admini stra tion | File Manage ment | TF TP T r ansfer 14 - 3 3 VPN 3000 Conce ntrator Seri es User Guide Concentrato r File Enter the name of the file on the VPN Conce ntrator . This fi lename must confo rm to the 8.3 naming convention. Action Click the drop-d ow n menu butto n and select the TFTP actio n: GET << = Get a file from the rem ot[...]
-
Page 328
14 Ad ministration 14 - 3 4 V PN 3000 Conc entrat or Series User Guid e Success (TF T P) If the TFTP transfer is suc cessful, the Manager display s a Succes s screen. Figure 14-31: A dministr ation | File Management | TFTP T ransfer | Success screen Continue T o return to the Admi nistr ation | Fil e Ma nagem ent | TF TP T ra nsfer scre en, cli ck [...]
-
Page 329
Admini strati on | Certi ficate Manage ment 14 - 3 5 VPN 3000 Conce ntrator Seri es User Guide specif ic system s or hosts. T here must b e at lea st one i dentity cert ific ate (an d its root c ertif icate) on a giv en VPN C oncentra tor; ther e may be mo re than one root ce rtificate. Durin g IKE (IPSec) Phase 1 auth enticatio n, the commu nicati[...]
-
Page 330
14 Ad ministration 14 - 3 6 V PN 3000 Conc entrat or Series User Guid e Installing digital certificates on the VPN Concentrator Installing a digital c ertif icate on the VPN Concentrator requires these steps: 1 Use the Administration | Certificate Management | Enrollment scre en to gene rate a ce rtificat e requ est. Sav e the reque st as a file, o[...]
-
Page 331
Administration | Ce rtificate Manageme nt | Enrollment 14 - 3 7 VPN 3000 Conce ntrator Seri es User Guide Figure 14-34: A dministr ation | Certificat e Manag ement | Enrollment scr een Commo n Name (CN) Enter the n ame for thi s VPN Concentr ator that identif ies it in the PKI; e.g., Engi neering VPN . Spac es are allo wed. Y ou must enter a name i[...]
-
Page 332
14 Ad ministration 14 - 3 8 V PN 3000 Conc entrat or Series User Guid e Locality (L) Enter the city or tow n where this VPN Concent rator is located; e. g., Fr ankli n . Spac es are a llo wed. State/Provinc e (SP) Enter th e state o r pro vince wh ere this VPN Concentra tor is l ocated; e. g., Massac huse tts . Spe ll ou t complete ly , do not abbr[...]
-
Page 333
Administration | Ce rtificate Manageme nt | Enrollment | Reque st Generated 14 - 3 9 VPN 3000 Conce ntrator Seri es User Guide Administration | Certificate Man agement | Enrollmen t | Request Generated The Mana ger displays t his screen wh en the system has successful ly generate d a certificate re quest. T he request is a Base-64 encod ed file in [...]
-
Page 334
14 Ad ministration 14 - 4 0 V PN 3000 Conc entrat or Series User Guid e Enrolling with a Certificate Authority T o send the cer tifi cate requ est to a CA, enro ll, and re cei ve your digit al certif icates, follo w these steps. (Thes e are cut-and -pas te step s; yo ur CA may follo w di f feren t proc edures . In any case, you m ust e nd up with c[...]
-
Page 335
Admin istrat ion | Cert ificate Ma nageme nt | Install ation 14 - 4 1 VPN 3000 Conce ntrator Seri es User Guide Figure 14-37: A dministr ation | Certificat e Manag ement | Installation scr een Certificate T y pe Click the drop-d ow n menu butto n and select the type of digital ce rtif icate to instal l. (Please note that --Select a Certificate T yp[...]
-
Page 336
14 Ad ministration 14 - 4 2 V PN 3000 Conc entrat or Series User Guid e Local File / Browse Enter the comple te path and f ilename of the certif icate you are insta lling; e.g., d:cer tsca _root. txt . Or click Brow se to navigate t o the f ile on your PC or ot her rea chable network ho st. Apply / C ancel T o install the certifi cate, cli ck App[...]
-
Page 337
Admin istr ation | Cert ific ate Ma nage ment | Certi fica tes 14 - 4 3 VPN 3000 Conce ntrator Seri es User Guide SSL Certificate / [ Generate ] This table sho ws the SSL se rver cer tif icate ins talled o n the VPN Concentr ator . The syste m can ha ve only one SSL se rver certif icate installed: either a self-si gned certif icate or one issued in[...]
-
Page 338
14 Ad ministration 14 - 4 4 V PN 3000 Conc entrat or Series User Guid e Administration | Certificate Man agement | Certificates | V iew The Man ager display s this scr een of c ertific ate deta ils when y ou click View for a certi f icate on th e Administration | Certificate Management | Certificates screen . The detail s v ary depe ndin g on th e [...]
-
Page 339
Administration | Certificate Management | Certificates | V iew 14 - 4 5 VPN 3000 Conce ntrator Seri es User Guide For the VPN Co ncentr ator self -signed SSL cert ific ate, the CN is the IP addre ss on the Ethe rnet 1 (Pr i vate) interf ace at th e time the cer tifi cate is generated. SSL compare s this CN wi th the address you u se to connec t to [...]
-
Page 340
14 Ad ministration 14 - 4 6 V PN 3000 Conc entrat or Series User Guid e MD5 Thumb print A 128-bit MD5 h ash of the comple te certif icate co ntents, sho wn as a 16- byte stri ng. This v alue is u nique for e v ery certif icate , and it positi vely identif ies the c ertif icate. If you question a cer tif icate ’ s aut henticity , you can check thi[...]
-
Page 341
Administra tion | C ertifica te Manage ment | Cer tificate s | CRL 14 - 4 7 VPN 3000 Conce ntrator Seri es User Guide serial n umber . Enabling CRL checking m eans that e very time th e VPN Concen trator use s the certif icate for au thenticatio n, it a lso checks the late st CRL to en sure that the ce rtif icate has not bee n re v oked . CAs use L[...]
-
Page 342
14 Ad ministration 14 - 4 8 V PN 3000 Conc entrat or Series User Guid e Server Po rt Enter the port numbe r for t he CRL server . Enter 0 (the default ) to hav e the system sup ply the default por t number, 389 (LD AP). Update Period Enter th e frequenc y in mi nutes to poll for updat ed CRLs. En ter 0 (the def ault) to h av e the syste m fetch the[...]
-
Page 343
Administrat ion | Certificat e Management | Certifica tes | Delete 14 - 4 9 VPN 3000 Conce ntrator Seri es User Guide Administration | Certificate Man agement | Certificates | Delete The Mana ger displa ys this confirmatio n screen wh en you clic k Delete for a c ertif icate on the Administration | Certificate Manage ment | Certificates screen. The[...]
-
Page 344
[...]
-
Page 345
15 - 1 VPN 3000 Conce ntrator Seri es User Guide CHAPTER 15 Monitoring The VPN 3000 Concentrato r tracks ma ny s tatisti cs and the statu s of man y items ess ential to s ystem administ ration a nd manageme nt. This sect ion of the Ma nager lets you view all those status item s and stati stics. Y ou can even see the stat e of LED s that s how the s[...]
-
Page 346
15 M onitor ing 15 - 2 VPN 3000 Concentrat or Series Use r Guide Figure 15-1: Monit or scr een Monitor | Routing T able This scr een sho ws the VPN Con centrato r routing t able at the time the screen di splays. The IP rout ing subsystem examines the de stination IP addr ess of packets com ing th rough the VPN Co ncentr ator an d forwards or drops [...]
-
Page 347
Monit or | Routing T ab le 15 - 3 VPN 3000 Conce ntrator Seri es User Guide V alid Routes The total nu mber of curr ent valid rou tes th at the V PN Co ncentr ator kn o ws abou t. Thi s numb er inclu des all v alid routes , and it may be gre ater than the number of rows in the rou ting table, wh ich shows only the best routes w ith dup licates remo[...]
-
Page 348
15 M onitor ing 15 - 4 VPN 3000 Concentrat or Series Use r Guide Age The numbe r of seconds si nce this rout e was last updated or otherwise validated. The a ge is relative to the screen displa y time; e.g., 25 means the r oute was la st validated 25 sec onds befo re the s creen was displayed. 0 indicat es a static , local, or def ault ro ute. Metr[...]
-
Page 349
Moni tor | Even t Lo g 15 - 5 VPN 3000 Conce ntrator Seri es User Guide Select Filter Options Y ou can select any or all of the follo wing fi ve options for displaying the e v ent log. After selectin g the option(s) , click any one of the four Page buttons. T he Mana ger re freshes the sc reen and displays the e vent log acco rding to your se lecti[...]
-
Page 350
15 M onitor ing 15 - 6 VPN 3000 Concentrat or Series Use r Guide First Page T o display the fi rst page (s creen) of the e v ent log, click this bu tton. By def ault, the Manager d isplays the first page of the e vent log when you first op en this scree n. Previous Pa ge T o display the pre vious page (scr een) of the e ve nt log, click this b utto[...]
-
Page 351
Moni tor | Even t Lo g 15 - 7 VPN 3000 Conce ntrator Seri es User Guide Clear Log T o clear the cur rent e ve nt log fr om memory , click this b utton . The Manag er then r efreshes th e screen an d sho ws the e mpty log. Caution: The Manager imm ediately erases the ev ent log from memory with out ask ing for confirmati on. Ther e is no undo. Event[...]
-
Page 352
15 M onitor ing 15 - 8 VPN 3000 Concentrat or Series Use r Guide Event class / nu mber The class — or source — of the e vent, and th e internal r eference n umber assoc iated with the specif ic e v ent withi n the e vent cla ss. F or exam ple: HTTP/4 7 identi fies that an administra tor logged in to the VPN Concent rator usin g HTTP to conne ct[...]
-
Page 353
Monit or | System Stat us 15 - 9 VPN 3000 Conce ntrator Seri es User Guide Monitor | Sy stem Status This screen shows the status o f sev eral software and ha rdware variables at the time the sc reen displays. From this s creen you can a lso display th e status and statistics fo r SEP modules , system power supplie s, and network i nterfaces. Figure[...]
-
Page 354
15 M onitor ing 15 - 10 VPN 3000 Concent rator Ser ies User Guide Refresh T o update the screen an d its data, click Refresh . The date and time indi cate when th e screen was las t update d. VPN Co ncentra tor T ype The type, or model numb er , of th is VP N Conce ntrator . Bootco de Rev The version name, nu mber , an d date of the V PN Con centra[...]
-
Page 355
Monit or | System Stat us 15 - 1 1 VPN 3000 Conce ntrator Seri es User Guide Fan 1, Fan 2 The VP N Concen trator inc ludes two cool ing fa ns. In the Model 3005, they are on t he rear of the cha ssis, with Fa n 1 on the left as you fa ce the rear . In the Model 3015 – 3080, they are on the r ight sid e of the chass is as yo u face th e front , wi[...]
-
Page 356
15 M onitor ing 15 - 1 2 VPN 3000 Concent rator Ser ies User Guid e Monitor | Sy stem Status | Ethernet Interfac e This scr een di splays st atus an d statis tics for a VPN Co ncentra tor Ether net inter face. T o conf igure an interf ace, s ee Configuration | Interfaces . Figure 15-5: Monit or | S ystem Stat us | Ether net Inter f ace scr een Refr[...]
-
Page 357
Monito r | S ystem S tat us | Et hern et In terface 15 - 1 3 VPN 3000 Conce ntrator Seri es User Guide Testin g = in test m ode; no regular da ta traffic can pa ss. Dorman t = conf igured and enabl ed bu t w aiting for an ex ternal action, such a s an incomin g connec tion. Not Prese nt = missing hardware compon ents. Lower Lay er Dow n = not opera[...]
-
Page 358
15 M onitor ing 15 - 14 VPN 3000 Concentrat or Series Use r Guide Monitor | Sy stem Status | Dual T1/E1 W AN Slot N Thi s scree n displ ays s tatus and stat isti cs for a VPN Conc entra tor W AN modu le. T o confi gure a W AN module in terfa ce, see Config urati on | Interfa ces . Figure 15-6: Monit or | Sys tem Stat us | Dual T1/E1 W AN Slot N scr[...]
-
Page 359
Monitor | System Statu s | Dual T1 /E1 WAN Slot N 15 - 1 5 VPN 3000 Conce ntrator Seri es User Guide Port The int erface port on the W AN module (A or B). Status The cu rren t status of this por t: Up = ( Green ) Configure d, en abled, and o peratio nal; synchroni zed wi th th e network and re ady to pass data traf f ic. Red = (Red) Red alarm: Port[...]
-
Page 360
15 M onitor ing 15 - 16 VPN 3000 Concentrat or Series Use r Guide Severely Errored Fram ing Seconds The num ber o f second s during wh ich one or more out-of -frame de fects or an A IS defec t were detected on this port. Unavailable Seconds The numbe r of seconds dur ing which this por t has not been av ailable . Basically , unav a ilable second s [...]
-
Page 361
Monitor | System Statu s | Dual T1 /E1 WAN Slot N 15 - 17 VPN 3000 Conce ntrator Seri es User Guide Slot The physic al slot in the VPN Concent rator (1 thro ugh 4) that house s the W AN module. Port The int erface port on the W AN module (A or B). IfIndex The unique in terface inde x (an inte ger) that ide ntif ies this W AN port. F or W AN ports, [...]
-
Page 362
15 M onitor ing 15 - 18 VPN 3000 Concentrat or Series Use r Guide Received Frame T oo Long The num ber of received frame to o long erro rs on this interfac e port. The size of the packets received exc eeds the MTU ( Maximum T ransmission Unit). These err ors could in dicate that the T1 /E1 line is not configured correc tly; f or exam ple, if you ar[...]
-
Page 363
Moni tor | Syst em St atus | Po wer 15 - 1 9 VPN 3000 Conce ntrator Seri es User Guide Monitor | Sy stem Status | Po wer Thi s scree n dis plays s tatus and dat a for V PN Conc entr ator po wer suppl ies a nd v oltag e sen sors i n the system. T o configure alarm thres holds fo r system voltages, see th e Configuration | Interfaces | Power screen. [...]
-
Page 364
15 M onitor ing 15 - 2 0 V PN 3000 Conc entrat or Series User Guid e Board V o ltages and stat us for the 3. 3- and 5-volt sensors on the main circu it board. 1.9/2.5V Sta tus, 3.3V Sta tus, 5V Statu s The status of vo ltages relati v e to the config ured thresholds: OK = w ithin l o w and high thr eshold limits. ALARM = outsi de of low or high th [...]
-
Page 365
Moni tor | Syst em St atus | S EP 15 - 2 1 VPN 3000 Conce ntrator Seri es User Guide Figure 15-8: Monit or | Sys tem Stat us | SEP scr een Refresh T o update the screen an d its data, click Refresh . The date and ti me indi cate when th e scre en was la st update d. Back T o return to the Monitor | Sy stem Status scre en, clic k B ack . SEP The cha[...]
-
Page 366
15 M onitor ing 15 - 2 2 V PN 3000 Conc entrat or Series User Guid e Status The func tional state of this SE P module: Operat ional = module is operatin g correctly . Not Opera tion al = mod ule has failed dur ing oper ation . This is an error condition ; ple ase co ntac t Cisco C ustomer Sup port. Found = module is installed b ut is not yet operat[...]
-
Page 367
Moni tor | Syst em St atus | S EP 15 - 2 3 VPN 3000 Conce ntrator Seri es User Guide Hash Decr ypted: Pa ckets The numbe r of packets that this SEP processed usi ng both hashin g (authent ication) a nd decryption algorithms. Drops: Pack ets The numbe r of packets intende d for proce ssing by this SEP , but dropped due to the SEP being overloaded. R[...]
-
Page 368
15 M onitor ing 15 - 2 4 V PN 3000 Conc entrat or Series User Guid e RSA Digital Si gnings The numbe r of times thi s SEP has generat ed an RSA (Rivest, Shamir, Adelman algor ithm) digit al signature. The VPN Concentrat or generates a digita l signature w hen it cr eates a d igital c ertific ate. RSA Digital V erifications The numbe r of times this[...]
-
Page 369
Monito r | Syst em St atus | LED S tatu s 15 - 2 5 VPN 3000 Conce ntrator Seri es User Guide Monitor | Sy stem Status | LED Sta tus Model 3015 – 30 80 only This sc reen sho ws the st atus of VPN Conc entr ator fron t-pane l LED ind icator s, e xactl y as the y appe ar on the unit itse lf. LED indic ators on the VP N Conce ntrator are nor mally gr[...]
-
Page 370
15 M onitor ing 15 - 2 6 V PN 3000 Conc entrat or Series User Guid e Monitor | Sessions This screen sh ows comprehensiv e data for all acti ve user and a dministrator sessions on the VPN Conc entrator . Figure 15-1 0: Monitor | Sessions scr een Refresh T o update the screen an d its data, click Refresh . The date and time indi cate when th e screen[...]
-
Page 371
Monitor | Session s 15 - 2 7 VPN 3000 Conce ntrator Seri es User Guide Active LAN-to-LAN Sess ions The num ber of IPSe c LAN- to-L AN se ssions that ar e curr ently active. Active Remote Access Sessions The num ber of PPTP , L2TP , IPSec remote -acce ss user , L2T P over IPSec, and IPSec throu gh NA T ses sions that ar e curr entl y act ive. Active[...]
-
Page 372
15 M onitor ing 15 - 2 8 V PN 3000 Conc entrat or Series User Guid e IP Address The IP ad dress of the rem ote peer VPN Concent rator or othe r secure gate way that in itiated this LAN-to-L AN connec tion. Protocol, Encryption, Login T ime, Dura tion, Bytes Tx, Bytes Rx See T able 15-1 on page 15-29 fo r definitions of the se para meters. Remote Ac[...]
-
Page 373
Monitor | Session s 15 - 2 9 VPN 3000 Conce ntrator Seri es User Guide Manageme nt Session s table This table show s parameters a nd statistics for a ll acti v e administrator ma nagement sessions on the VPN Conc entrator . [ LAN-to-LAN Sessions | Remote Access Sessions ] Click these acti v e links to go to the other session tables on this Manager [...]
-
Page 374
15 M onitor ing 15 - 3 0 V PN 3000 Conc entrat or Series User Guid e Monitor | Sessions | Detail These Man ager screen s show detailed parameters and statistic s for a specif ic remote- access or LAN-to- LAN session. The parame ters and st atistics differ dependi ng on the sess ion prot ocol. The re are unique scre ens for: • IPSec L AN-to-LAN ( [...]
-
Page 375
Moni tor | Sessions | Detail 15 - 3 1 VPN 3000 Conce ntrator Seri es User Guide Figure 15-12: Monit or | Sessions | Detail scr een: IPSec r emote access user[...]
-
Page 376
15 M onitor ing 15 - 3 2 V PN 3000 Conc entrat or Series User Guid e Figure 15-13: Monit or | Sessions | Detail screen: IPSec thr ough NA T Figure 15-14: Monit or | Sessions | Detail screen: L2TP[...]
-
Page 377
Moni tor | Sessions | Detail 15 - 3 3 VPN 3000 Conce ntrator Seri es User Guide Figure 15-15: Monit or | Sessions | Detail scr een: L2TP ov er IPSec Figure 15-16: Monit or | Sessions | Detail screen: PPTP[...]
-
Page 378
15 M onitor ing 15 - 3 4 V PN 3000 Conc entrat or Series User Guid e Refresh T o update the screen an d its data, click Refresh . The date and time indi cate when th e screen was las t update d. Back to Sessions T o return to the Monitor | Sessions sc reen, cl ick Back to Sessions . Monitor | Sessions | Detail parameters T able 15-2: Parameter defi[...]
-
Page 379
Moni tor | Sessions | Detail 15 - 3 5 VPN 3000 Conce ntrator Seri es User Guide IPSec Sessions: The total number of IPSec (Phase 2) sessio ns, which are da ta traf f ic s ession s thro ugh the tunnel . Eac h IPSec remote -acce ss session may have two IPSec sessions: one showing the tunnel endpo ints, and one showing th e private networks r eachabl [...]
-
Page 380
15 M onitor ing 15 - 3 6 V PN 3000 Conc entrat or Series User Guid e Monitor | Sessions | Protoc ols This sc reen g raphicall y displa ys the protocol s used by c urren tly active user a nd admin istrator sessions on the VPN Co ncentra tor . Figure 15-1 7: Monitor | Sessions | Protocols scr een Refresh T o update the screen an d its data, click Ref[...]
-
Page 381
Monitor | Sessions | Protocols 15 - 3 7 VPN 3000 Conce ntrator Seri es User Guide L2TP = L ayer 2 Tunneling Pr otocol. IPSec = Inte rnet Protoc ol Securi ty tunn eling pr otocol (re mote-acce ss users). HTTP = Hypert ext Transfer Prot ocol (W eb browser). FT P = File Transfer Prot ocol. Te l n e t = termina l emulation pr otocol. SNMP = Simp le Net[...]
-
Page 382
15 M onitor ing 15 - 3 8 V PN 3000 Conc entrat or Series User Guid e Monitor | Sessio ns | SEPs Model 3015 – 30 80 only This sc reen g raphicall y displa ys the SEP (Scala ble Enc ryption Processing) module s used by curre ntly active user and a dministrat or sessio ns on the VP N Concent rator . SEP module s perform data encryp tion functions in[...]
-
Page 383
Monitor | Sessions | Encryption 15 - 3 9 VPN 3000 Conce ntrator Seri es User Guide Bar Graph The percentag e of sessions using this SEP module re lati ve to the total ac tiv e sessio ns, as a horizontal b ar grap h. Each se gment of the bar in the column he ading re prese nts 25%. Perc enta ge The percenta ge of sessions using this SEP module rela [...]
-
Page 384
15 M onitor ing 15 - 4 0 V PN 3000 Conc entrat or Series User Guid e Encryption The da ta encr yption algorit hm that the se ssions are using : Other = other than listed bel ow . None = no data encrypt ion. DES-56 = Data En crypti on Standard algorith m with a 56-bi t ke y . DES-40 = DES en crypti on with a 56-b it key , 40 bits of wh ich are pri v[...]
-
Page 385
Monitor | Sessions | T o p T en Lists 15 - 4 1 VPN 3000 Conce ntrator Seri es User Guide Monitor | Sessions | T o p T en Lists This section of the Manager shows statistics for the top 10 cu rrently activ e VPN Concentrato r sessions, sorted by: • Data : total bytes transmi tted and recei ved. • Duration : total time connected. • Throug hpu t [...]
-
Page 386
15 M onitor ing 15 - 4 2 V PN 3000 Conc entrat or Series User Guid e IP Address The IP addre ss of the session use r . Th is is the address assi gned to or sup plied by a remote user, or the host addre ss of a networked user . Loca l iden tifi es the c onsole dir ectly conn ected to the VP N Conc entrator . Protocol The pr otocol t hat the sessio n[...]
-
Page 387
Monitor | Se ssions | T op T e n Lists | Dur ation 15 - 4 3 VPN 3000 Conce ntrator Seri es User Guide Login T ime The date a nd time tha t this session logged in: MM/DD/Y YYY HH :MM:SS . T ime is in 24-hour notation. T otal Bytes The total number of b ytes transmitted and recei ved by thi s session. N/A = the sessi on is not pass ing data; e.g., it[...]
-
Page 388
15 M onitor ing 15 - 4 4 V PN 3000 Conc entrat or Series User Guid e Protocol The pr otocol t hat the sessio n is using . Consol e = directly connec ted c onsole; n o pro tocol. Debug/ Conso le = d ebugging via console (Cisco use onl y). Debug/ Telne t = debugging via T el net (C isco use only) . FTP = File Transfer Protocol . HTTP = Hyp ertext T r[...]
-
Page 389
Monito r | Session s | T op T en L ists | Thr oughput 15 - 4 5 VPN 3000 Conce ntrator Seri es User Guide Duration The tota l amount o f time tha t this session has been c onnected : HH:MM: SS . Monitor | Sessions | T op T en Lists | Throughput This sc reen sho ws statistics f or the top 1 0 curren tly acti ve VPN Conc entrato r session s, sort ed b[...]
-
Page 390
15 M onitor ing 15 - 4 6 V PN 3000 Conc entrat or Series User Guid e FTP = File Transfer Protocol . HTTP = Hyp ertext T ransfe r Protocol (W eb bro wser). IPSec = Int ernet Protocol Secur ity tunnel ing protoc ol (remot e-access user) . IPSec/ LAN-t o-LAN = IP Sec LA N-to -LAN co nnecti on. IPSec/ NAT = IPSec th rough NA T (Network Addre ss T ransl[...]
-
Page 391
Monitor | St atist ics 15 - 4 7 VPN 3000 Conce ntrator Seri es User Guide Monitor | Statistics This sec tion of the Ma nager s hows statistics fo r traffic and act i vity on the VPN Conce ntrator s ince it wa s last booted or reset, and for c urrent tunneled sess ions, plus sta tistics in stan dard MIB-I I objects fo r interf aces, TCP/UDP , IP , I[...]
-
Page 392
15 M onitor ing 15 - 4 8 V PN 3000 Conc entrat or Series User Guid e Monitor | Statistics | PPTP This screen sho ws statistic s for PPTP acti vity on the V PN Concentrator since i t was last boo ted or reset, and for current PPTP sessions . The Monitor | Session s | Detail screens also sho w PPTP data. T o conf igur e system- wide PPTP para meters [...]
-
Page 393
Monit or | Statis tics | PPT P 15 - 4 9 VPN 3000 Conce ntrator Seri es User Guide T otal Sessions The to tal number of user se ssions throu gh PPTP tun nels since the VPN Con centrat or was last b ooted or reset. Active Sessions The numbe r of user sessions t hat are curr ently activ e through PPTP tu nnels. Th e PPTP Sessions table sho ws statisti[...]
-
Page 394
15 M onitor ing 15 - 5 0 V PN 3000 Conc entrat or Series User Guid e Peer IP The IP address o f the peer ho st that e stablish ed the PPTP tun nel for this sess ion; i.e., t he tunnel e ndpoint IP address. The Monitor | Sessions scr een sho ws the IP a ddress assig ned to th e clien t using the tu nnel. Userna me The us ername for the sessi on with[...]
-
Page 395
Monitor | Stat istics | L2TP 15 - 5 1 VPN 3000 Conce ntrator Seri es User Guide Flow The state of p acket flow contr ol fo r thi s PPT P ses sion: Local = the local b uf fer is full; i.e., pack et flo w for the local end of the sessio n is OFF because the number o f outst anding unacknowledged p ackets rec eiv ed fro m the p eer is eq ual to t he l[...]
-
Page 396
15 M onitor ing 15 - 5 2 V PN 3000 Conc entrat or Series User Guid e T otal T u nnels The total number of L2TP tunnels successful ly established since th e VPN Concentrator w as last booted or rese t. Active T unne ls The num ber of L2TP t unnels that are curr ently active. Maximum T unnels The maxi mum numbe r of L2TP tunne ls that have been simul[...]
-
Page 397
Monitor | Stat istics | L2TP 15 - 5 3 VPN 3000 Conce ntrator Seri es User Guide Rx Packe ts Control / Data The num ber of L2TP contro l / data channe l packet s rece iv ed by the VPN C oncent rator si nce it was last booted or reset. Rx Discards Control / Data The num ber of L2TP co ntrol / data channel pac kets received and discarde d by the VPN C[...]
-
Page 398
15 M onitor ing 15 - 5 4 V PN 3000 Conc entrat or Series User Guid e Receive Packets The tot al number of L2 TP data packet s received b y this sess ion. Receive Discards The total number of L2 TP data packets re ceived and discarded by this session. Receive ZLB The tot al number of L2 TP Zero Len gth Body ac kno wle dgement da ta packets rece iv e[...]
-
Page 399
Monitor | Statist ics | IPSec 15 - 5 5 VPN 3000 Conce ntrator Seri es User Guide Monitor | Statistics | IPSec This screen sh o ws statistics for IPSe c activity — in cluding curr ent IPSec tun nels — on th e VPN Concentrato r since it was last booted or rese t. These statistics confor m to the IETF draft for the IPSec Flow Monitoring MIB. The M[...]
-
Page 400
15 M onitor ing 15 - 5 6 V PN 3000 Conc entrat or Series User Guid e IKE (Phase 1) Statistics This tabl e pro vides IPSec Phase 1 (IKE: In ternet K e y Excha nge) g lobal st atistics. During I PSec Phase 1 (IKE), the tw o peers es tablish contr ol tunnels t hrough whic h they negotia te Sec urity Associ ations. Active T unnel s The num ber of curr [...]
-
Page 401
Monitor | Statist ics | IPSec 15 - 5 7 VPN 3000 Conce ntrator Seri es User Guide Received Notifies The cumul ati ve total of notify pa ckets recei ve d b y all c urrently a nd pre viously acti ve IKE tunn els. A notify p acket is an informatio nal pack et that is sen t in respon se to a bad pa cket or to indicate st atus; e.g. , error packe ts, ke [...]
-
Page 402
15 M onitor ing 15 - 5 8 V PN 3000 Conc entrat or Series User Guid e Phase-2 SA Delete Requests Sent The cumulati ve total of requests to delete IPSec Phase -2 Security Associa tions sent b y all currentl y and pre viously a cti ve IKE tunnels. Initiated T unn els The cumul ativ e to tal of I KE tunnel s that th is VPN Concen trator initi ated. T h[...]
-
Page 403
Monitor | Statist ics | IPSec 15 - 5 9 VPN 3000 Conce ntrator Seri es User Guide IPSec (Phas e 2) Sta tistics This table prov ides IPSe c Phase 2 gl obal stat istics. D uring IPSec Ph ase 2, the two peers negotiat e Security Associat ions that go vern traff ic within the tu nnel. Active T unnel s The num ber of curr ently a ctiv e IPSec Phase-2 tun[...]
-
Page 404
15 M onitor ing 15 - 6 0 V PN 3000 Conc entrat or Series User Guid e Sent Packets Dropped The cu mulative total of packets dropp ed duri ng send processi ng by all curren tly and previously ac tiv e IPSec Ph ase-2 tu nnel s. This number should be zer o; if n ot, ch eck for a netw ork pro blem, check the e vent log for an inter nal subsystem failu r[...]
-
Page 405
Monitor | Stat istics | HTTP 15 - 6 1 VPN 3000 Conce ntrator Seri es User Guide Sy stem Capabili ty Failures The tota l number of system cap acity f ailures that occur red during processing of all cu rrently and previously active IPSec Phase-2 tunn els. Thes e failures indic ate that th e system has run out of memory or some other c ritica l resour[...]
-
Page 406
15 M onitor ing 15 - 6 2 V PN 3000 Conc entrat or Series User Guid e Packets S ent The total number of HTT P packets sent sinc e the VPN Co ncentrat or was last booted or re set. Packets R eceive d The total num ber of HTT P packets received since the VPN Conc entrator was last boo ted or reset. Active Conn ections The num ber of curr ently act iv [...]
-
Page 407
Monitor | Statistics | T elnet 15 - 6 3 VPN 3000 Conce ntrator Seri es User Guide Refresh T o update the screen an d its data, click Refresh . The date and ti me indi cate when th e scre en was la st update d. Use the scroll contr ols (if p resent) to vie w the entire ta ble. Event Cl ass Ev ent class denote s the source o f the e ven t and refe rs[...]
-
Page 408
15 M onitor ing 15 - 6 4 V PN 3000 Conc entrat or Series User Guid e Active Sessions The num ber of active T elne t sessions. Th e T elnet Sessions table sho ws statistics for these sessions. Attempted Sessions The tota l number of attempts to establish T elnet sessions on the VPN Concentrator since it was la st booted or reset. Successful Sessions[...]
-
Page 409
Monitor | St atistics | DNS 15 - 6 5 VPN 3000 Conce ntrator Seri es User Guide Monitor | Statistics | DNS This sc reen sho ws statistics f or DNS (Domain Name Syst em) acti vity on the VPN Concen trator since it was la st booted or reset. T o conf igure the VPN Concen trator to c ommunicate with DNS se rvers, see the Configuration | Sy stem | Serve[...]
-
Page 410
15 M onitor ing 15 - 6 6 V PN 3000 Conc entrat or Series User Guid e Monitor | Statistics | Authentication This screen sho ws statistics for user authenticati on acti vity on the VPN Concentrator since it was last booted or reset. T o configur e the VPN Concentrator to commun icate with authe ntication serv ers, see the Configuration | Sy ste m | S[...]
-
Page 411
Monitor | Stati stics | Auth enti cation 15 - 6 7 VPN 3000 Conce ntrator Seri es User Guide Rejects The num ber of authe nticat ion reject ion packets re ceived from this server . Challeng es The num ber of authe nticat ion chall enge packet s received from this server . Malformed Re sponses The number of malformed au thenticatio n response pack et[...]
-
Page 412
15 M onitor ing 15 - 6 8 V PN 3000 Conc entrat or Series User Guid e Monitor | Statistics | Accounting This screen sho ws statistics for RADIUS user ac counting acti v ity on the VPN Concentr ator since it was last booted or reset. T o conf igure the VPN Conc entrator to com municate with RAD IUS ac counting serv ers, see the Confi gurati on | Sy s[...]
-
Page 413
Monitor | Statistics | Filtering 15 - 6 9 VPN 3000 Conce ntrator Seri es User Guide Bad Authenticator s The n umber o f acco unting resp onse p acket s rece i ved from t his s erv er that contai ned in valid authenti cators. Pending R equests The n umber of accoun ting req uest pac kets sent t o this RA DIUS ac countin g server th at have not yet t[...]
-
Page 414
15 M onitor ing 15 - 7 0 V PN 3000 Conc entrat or Series User Guid e Interface The VPN Concentrator netw ork interfac e through which the filte red traf f ic has passed. 1 = Ether net 1 (Priv ate ) interface . 2 = E thernet 2 ( Publi c) inte rface . 3 = Ether net 3 (Exter nal) in terface. 8 or g reater = W AN inte rface . Inbound Packets Pre-Filter[...]
-
Page 415
Monitor | Statisti cs | VRRP 15 - 7 1 VPN 3000 Conce ntrator Seri es User Guide Monitor | Statistics | VRRP This scr een shows status a nd stati stics for VRRP (V irtual Route r Redund ancy Protocol ) activity on the VPN Concentrator since it w as last booted or reset. T o conf igur e VRRP , see the Confi gura tion | S y s tem | IP R outin g | Re d[...]
-
Page 416
15 M onitor ing 15 - 7 2 V PN 3000 Conc entrat or Series User Guid e VRID Errors The tot al number of V RRP packets rece iv ed with an inv alid VRRP Grou p ID number for this VPN Conc entrator . VRID The identif ication number that uniquely identif ies the group of virtual routers to which this VPN Conc entrator b elongs. Not Confi gure d = VRRP ha[...]
-
Page 417
Monitor | Statisti cs | VRRP 15 - 7 3 VPN 3000 Conce ntrator Seri es User Guide T ime-to-Live Errors The tota l number of VRRP packets r ecei ve d by this interf ace w ith IP TTL (T ime-T o-Li v e) not equa l to 255 . All VRRP packets must have TTL = 255 . Priority 0 Packets Received The tota l number of VRRP packe ts recei v ed b y this inte rface[...]
-
Page 418
15 M onitor ing 15 - 74 VPN 3000 Concent rator Ser ies User Guide Monitor | Statistics | SSL This scre en shows statistics for SSL (Sec ure Sockets Laye r) protocol traff ic on the VPN Conc entrato r since it was last boot ed or reset. T o conf igur e SSL, see Conf igurat ion | Sy stem | Manage ment Prot ocols | SSL . Figure 15-36: Monit or | Stati[...]
-
Page 419
Monitor | Stat istics | DHCP 15 - 7 5 VPN 3000 Conce ntrator Seri es User Guide Active Sessions The numbe r of curren tly active SSL sessions . Max Active Sessions The maxim um number of SSL se ssions simulta neously active at any one time. Monitor | Statistics | DHCP This screen sho ws statistics for DHCP (Dynamic Host Configurat ion Protocol) act[...]
-
Page 420
15 M onitor ing 15 - 76 VPN 3000 Concentrat or Series Use r Guide Ti m e L e f t The time remaining until the current IP address lease e xpires, sho wn as HH:MM:SS. DHCP Serv er Address The IP address of the DHCP serve r that leased this IP addre ss. Monitor | Statistics | Address Pools This screen sho ws statistics for address pool acti vity on th[...]
-
Page 421
Monitor | Sta tistics | MIB-II 15 - 7 7 VPN 3000 Conce ntrator Seri es User Guide Max Alloca ted Ad dresses The maxi mum numbe r of IP addresses assi gned from this pool at any one time. Monitor | Statistics | MIB-II This section of the Manager lets y ou vi ew statisti cs that are record ed in st andard MIB- II obj ects on the VPN Conce ntrator . M[...]
-
Page 422
15 M onitor ing 15 - 7 8 V PN 3000 Conc entrat or Series User Guid e Monitor | Statistics | MIB-II | Interfaces This screen show s statistics in MI B-II objects f or VPN Concentrato r interf aces since the sy stem was l ast booted or reset. This scr een also sh o ws statistics for V PN tunnels as logical i nterfaces. RFC 2233 def ines interf ace MI[...]
-
Page 423
Monitor | Stat istics | MIB-I I | Interfaces 15 - 7 9 VPN 3000 Conce ntrator Seri es User Guide Unicast In The n umber of unica st pac kets that we re rec ei ved b y this inter face. Unicas t pack ets are tho se add ressed to a single host. Unicast Out The number of unicast pack ets that wer e routed t o this interf ace for tr ansmission , includin[...]
-
Page 424
15 M onitor ing 15 - 8 0 V PN 3000 Conc entrat or Series User Guid e Monitor | Statistics | MIB-II | TCP/UDP This screen sh ow s stati stics i n MIB-II object s for TC P and UDP traf f ic on th e VPN C oncentra tor sin ce it was last booted or reset. RFC 2012 defines TCP MIB objects, and RFC 2013 de fines UDP MIB objects. Figure 15-41: Monit or | S[...]
-
Page 425
Monitor | Stat istics | MIB-II | TCP/UDP 15 - 8 1 VPN 3000 Conce ntrator Seri es User Guide TCP T imeo ut Max The maximum v alue per mitted for TCP retransmissio n timeout, measured in milliseco nds. TCP Conne ction Li mit The limit on th e total number o f TCP connections th at the system can su pport. A v alue of -1 means th ere is no limit. TCP [...]
-
Page 426
15 M onitor ing 15 - 8 2 V PN 3000 Conc entrat or Series User Guid e UDP Errore d Datagr ams The number o f rece iv ed UD P datag rams that coul d not be delivered for reasons o ther tha n the lack of an application at th e destinatio n port ( UDP No Port ). Datagram is the of ficial UDP name for wh at is casuall y call ed a dat a pack et. UDP No P[...]
-
Page 427
Monitor | Statist ics | MIB-II | IP 15 - 8 3 VPN 3000 Conce ntrator Seri es User Guide Packets R eceived (He ader Errors) The numbe r of IP data packet s received and discarded due to errors in IP heade rs, includ ing bad chec ksums, versio n numb er m ismat ches, other form at er rors, etc. Packets R eceived (Ad dress Errors ) The nu mber of IP da[...]
-
Page 428
15 M onitor ing 15 - 8 4 V PN 3000 Conc entrat or Series User Guid e Packets T r ansmitted (Requests) The numbe r of IP data packet s that local IP use r protocols (inc luding ICM P) supplied to transmissi on requests. This n umber does no t inc lude any pa ckets coun ted in Pack ets Forwar ded . Fragments Nee ding Reasse mbly The num ber of IP fra[...]
-
Page 429
Monitor | Statistics | MIB-II | RIP 15 - 8 5 VPN 3000 Conce ntrator Seri es User Guide Monitor | Statistics | MIB-II | RIP This screen shows statistics in MIB-II ob jects for RIP version 2 tra f fic on the VPN Concentr ator since it was last booted or reset. RFC 172 4 defines RIP ve rsion 2 MI B objects. T o conf igur e RIP on interf aces, s ee Con[...]
-
Page 430
15 M onitor ing 15 - 8 6 V PN 3000 Conc entrat or Series User Guid e Received Bad Routes The nu mber of route s in v alid RIP pack ets recei ved b y this interf ace th at were ignor ed for any reason (e.g., unknown addr ess fami ly , in valid metr ic). Sent Updates The number of triggered RIP updates actually sent by this interf ace. Th is number d[...]
-
Page 431
Monitor | Statist ics | MIB-II | OSPF 15 - 8 7 VPN 3000 Conce ntrator Seri es User Guide Monitor | Statistics | MIB-II | OSPF This screen sh ow s statistics in MIB-I I objects for OSP F vers ion 2 traf f ic on the VPN Co ncentrator sinc e it was last booted or reset. RFC 1850a defines OSPF version 2 MIB objects. T o configure OSPF on interfaces, se[...]
-
Page 432
15 M onitor ing 15 - 8 8 V PN 3000 Conc entrat or Series User Guid e Router ID The VPN Concentrator OSPF router ID. This ID uniquely identifies the VPN Concentrator to other OSPF routers in its domain. While the format is that of an I P address, it functions only as an identifier and not an address. By con v ention, ho we v er , this iden tifie r i[...]
-
Page 433
Monitor | Statist ics | MIB-II | OSPF 15 - 8 9 VPN 3000 Conce ntrator Seri es User Guide Interface Address The IP ad dress of the VPN Conc entr ator i nterfa ce th at commu nicate s wit h its area . Interface Name The VPN Conc entrato r interfa ce that comm unicate s with its area. Ethern et 1 (Pri vate) = Ethe rnet 1 (Private) inte rface. Ethern e[...]
-
Page 434
15 M onitor ing 15 - 9 0 V PN 3000 Conc entrat or Series User Guid e State The state of the relationship with this neighboring OSPF router: Down = (Re d) The VPN Concent rator ha s rece iv ed n o rece nt inf ormatio n fro m this neighb or . The neighb or may be out of service , or i t may no t have been i n service l ong en ough to establi sh its p[...]
-
Page 435
Monitor | Statist ics | MIB-II | OSPF 15 - 9 1 VPN 3000 Conce ntrator Seri es User Guide Area LSA Count The total number of Lin k-State Advert isements in this ar ea ’ s l ink-state database , excluding A S external LSAs. Area LSA Checksum The sum of the chec ksums of the Link-Sta te Adv ertisements in this ar ea ’ s link-state database. This s[...]
-
Page 436
15 M onitor ing 15 - 9 2 V PN 3000 Conc entrat or Series User Guid e Monitor | Statistics | MIB-II | ICMP This scr een sho ws stati stics in MIB-I I object s for ICMP traf f ic on the VPN Concentr ator since it w as last booted or reset. RFC 2011 defines ICMP MIB objec ts. Figure 15-45: Monit or | Statistics | MIB-II | ICM P screen Refresh T o upda[...]
-
Page 437
Monitor | Statistics | MIB-II | ICMP 15 - 9 3 VPN 3000 Conce ntrator Seri es User Guide T ime Exceeded Received / T ransmitted The n umber of I CMP T ime Exceed ed me ssage s rec ei ved / se nt. T ime Excee ded mess ages i ndicate that the lifeti me of the pack et has e xpir ed, or tha t a router ca nnot rea ssemble a packet within a time limit . P[...]
-
Page 438
15 M onitor ing 15 - 9 4 V PN 3000 Conc entrat or Series User Guid e Addres s Mask R equest s Recei ved / T ransmi tted The number of I CMP Address M ask Request messa ges receive d / sent. Address Ma sk Request message s ask f or the a ddres s (subn et) mask for th e LAN to w hich a router connect s. Addres s Mask Rep lies Rece ived / T ransmitt e[...]
-
Page 439
Monitor | Statistics | MIB-II | ARP T able 15 - 9 5 VPN 3000 Conce ntrator Seri es User Guide Interface The VPN Con centrat or net work interfa ce on which this m apping applie s: 1 = Ether net 1 (Priv ate ) interface . 2 = E thernet 2 ( Public) interf ace. 3 = Ether net 3 (Exter nal) in terface. 8 or g reater = W AN inte rface . 1000 and up = VPN [...]
-
Page 440
15 M onitor ing 15 - 9 6 V PN 3000 Conc entrat or Series User Guid e Monitor | Statistics | MIB-I I | Ethernet This s creen sho ws stati stics in MIB-I I obj ects f or Ether net inte rface traf fic on the VPN Conc entrato r since it was last boot ed or reset. IEEE standard 802. 3 describe s Ethernet net works, and RFC 1650 def ine s Ethe rnet inter[...]
-
Page 441
Monitor | Statistic s | MIB-II | Ethernet 15 - 9 7 VPN 3000 Conce ntrator Seri es User Guide SQE T est Erro rs The number of times that the SQE (Sig nal Quality Error ) T est Error message was generate d for this interf ace. The SQE messag e tests the collision circuits o n an interfac e. Fra me T oo Long Error s The nu mber of frames rece iv ed o [...]
-
Page 442
15 M onitor ing 15 - 9 8 V PN 3000 Conc entrat or Series User Guid e Speed (Mb ps) This interf ace ’ s no minal bandwid th in megabits pe r second. Duplex The curren t LA N dupl ex tran smissi on mo de for this interfa ce: Full = Fu ll-Duple x : transmis sion in both direction s at the same time. Half = Half-D uplex: tr ansmission in onl y one di[...]
-
Page 443
Monitor | Statist ics | MIB-II | SNMP 15 - 9 9 VPN 3000 Conce ntrator Seri es User Guide Bad Commun ity String The total num ber of SNMP me ssages received that used an SNMP com munity string the VPN Concentra tor did n ot recogni ze. See Configuration | Sy stem | Manageme nt Protocols | SNMP Communities to configure pe rmitted co mmunit y strings.[...]
-
Page 444
[...]
-
Page 445
16 - 1 VPN 3000 Conce ntrator Seri es User Guide CHAPTER 16 Using the Command Line Interface The V PN 30 00 Concent rator Ser ies Comm and Lin e Interfac e (CLI) is a menu- and com mand-l ine-base d conf iguration, admin istration, and monitor ing system built in to the VPN Concentrator . Y ou use it via the system console or a T elnet (or T elnet [...]
-
Page 446
16 Using the Command Line Interface 16 - 2 VPN 3000 Concentrat or Series Use r Guide 3 Press Enter on the PC k eyboard u ntil you see the login prompt . (Y ou may see a pa ssword prompt a nd error m essages as yo u press Enter ; ignor e them and sto p at the login pr ompt.) Login: _ T elnet or T elnet/SSL access T o access the CLI via a T elnet or [...]
-
Page 447
Usin g the CLI 16 - 3 VPN 3000 Conce ntrator Seri es User Guide Using the CLI Thi s sect ion e xp lains ho w to : • Choo se me nu it ems. • Ent er v alues for par amet ers an d opti ons. • Specify con f igure d items by number or name . • Navigate q uickly — using s hort cuts — through the menus. • Dis play a br ief he lp me ssag e. ?[...]
-
Page 448
16 Using the Command Line Interface 16 - 4 VPN 3000 Concentrat or Series Use r Guide Specifying configured items Man y menus giv e choices that act on co nfi gured items — such as groups, users, f ilter rules, et c. — and t he CLI lists t hose item s with a number and their na me. T o specify an ite m, you can usually enter eith er its number o[...]
-
Page 449
Usin g the CLI 16 - 5 VPN 3000 Conce ntrator Seri es User Guide Navigatin g quickly th rough the CL I There are t wo ways to move quickly t hrough the CL I: shor tcut num bers, a nd the Back/H ome opti ons. Both way s work only when you are at a men u, not when yo u are at a va lue entry . Using shortcut numbers Once yo u becom e familia r with t h[...]
-
Page 450
16 Using the Command Line Interface 16 - 6 VPN 3000 Concentrat or Series Use r Guide As a shor tcut, yo u can just e nter 1.3. 1.1 at the Main -> pro mpt, and m ov e direc tly to the Base Gr oup General P arameters menu: 1) Con figur ation 2) Adm inist ration 3) Mon itori ng 4) Save chan ges to Config file 5) Help Info rmat ion 6) Exit Main ->[...]
-
Page 451
Usin g the CLI 16 - 7 VPN 3000 Conce ntrator Seri es User Guide Saving the configuration file Configurati on and admi nistratio n entries take effect immedia tely and ar e include d in the active, or running , co nfiguration. H o wever , i f you reboot the VP N Conc entrato r witho ut saving the acti ve configurati on, you lose any changes. T o s a[...]
-
Page 452
16 Using the Command Line Interface 16 - 8 VPN 3000 Concentrat or Series Use r Guide CLI menu reference This section sho ws all the menus in the f irst three le v els belo w the CLI main menu. (There are many additional menus belo w the third le vel; and within the f irst three le ve ls, there are some non-menu param eter s ettings . T o keep thi s[...]
-
Page 453
CLI men u refe rence 16 - 9 VPN 3000 Conce ntrator Seri es User Guide 1.1 Configuration > Interface Configur ation This tabl e show s current IP addre sses. . . . Model 3015 – 30 80 only 1) Config ure Et hernet #1 (Priv ate) 2) Config ure Et hernet #2 (Publ ic) 3) Config ure Et hernet #3 (Exte rnal) 4) Con figur e Powe r Sup plies 5) Con figur[...]
-
Page 454
16 Using the Command Line Interface 16 - 10 VPN 3000 Concent rator Ser ies User Guide 1.1.3 Configuration > Interface Con figuration > Configure Powe r Supplies Model 30 05 only Alarm Thres hold s in centiv olts (e.g . 361 = 3.6 1V) Voltag es will be adjuste d to conf orm to the ha rdware . 1) Config ure CP U voltage thres holds 2) Con figur [...]
-
Page 455
CLI men u refe rence 16 - 1 1 VPN 3000 Conce ntrator Seri es User Guide 1.2.1 Configuration > Sy stem Mana gement > Servers 1) Aut henti cation Serv ers 2) Acc ounti ng Ser vers 3) DNS Serv ers 4) DHCP Serv ers 5) NTP Serv ers 6) Back Server s -> _ 1.2.2 Configuration > Sy stem Mana gement > Address Management 1) Add ress Assign ment[...]
-
Page 456
16 Using the Command Line Interface 16 - 1 2 VPN 3000 Concent rator Ser ies User Guid e 1.2.5 Configuration > Sy stem Management > Management Pr otocols Networ k Pro tocol Summa ry Tab le . . . 1) Con figur e FTP 2) Con figur e HTTP /HTTP S 3) Con figur e TFTP 4) Con figur e Teln et 5) Con figur e SNMP 6) Con figur e SNMP Comm unity Strings 7[...]
-
Page 457
CLI men u refe rence 16 - 1 3 VPN 3000 Conce ntrator Seri es User Guide 1.3.1 Configuration > User Management > Base Group 1) Gen eral Parame ters 2) Serv er Pa rame ters 3) IPS ec Pa ramete rs 4) PPT P/L2T P Para meter s 5) Back Base G roup -> _ 1.3.2 Configuration > User Management > Groups Curren t Use r Grou ps . . . 1) Add a Gr [...]
-
Page 458
16 Using the Command Line Interface 16 - 14 VPN 3000 Concentrat or Series Use r Guide 1.4.1 Configuration > Policy Management > Access Hour s Curren t Acc ess Ho urs . . . 1) Add Acce ss Hou rs 2) Mod ify A ccess Hours 3) Del ete A ccess Hours 4) Back Access Hour s -> _ 1.4.2 Configuration > Policy Management > T raffic Ma nagement 1[...]
-
Page 459
CLI men u refe rence 16 - 1 5 VPN 3000 Conce ntrator Seri es User Guide 2.3 Administration > Sy stem Reboot 1) Can cel S chedul ed Re boot/S hutdown 2) Sch edule Reboo t 3) Sch edule Shutd own 4) Back Admin -> _ 2.3.2 Administration > Sy stem Reboot > Schedule Reboot 1) Sav e act ive Co nfigu ration and us e it at Reb oot 2) Rebo ot wi [...]
-
Page 460
16 Using the Command Line Interface 16 - 16 VPN 3000 Concentrat or Series Use r Guide 2.5.2 Administration > Access Rights > Access Control List This i s the Curre nt Ac cess L ist . . . 1) Add Mana ger Wo rksta tion 2) Mod ify M anager Work statio n 3) Del ete M anager Work statio n 4) Mov e Man ager W orkst ation Up 5) Mov e Man ager W orks[...]
-
Page 461
CLI men u refe rence 16 - 17 VPN 3000 Conce ntrator Seri es User Guide 2.7 Administration > Certificate Management 1) Enr ollme nt 2) Ins talla tion 3) Cer tific ate Au thori ties 4) Ide ntity Certi ficat es 5) SSL Cert ificat e 6) Back Certif icate s -> _ 2.7.2 Administration > Certifica te Management > Installation 1) Ins tall Certif [...]
-
Page 462
16 Using the Command Line Interface 16 - 18 VPN 3000 Concentrat or Series Use r Guide 2.7.5 Administration > Certifica te Management > SSL Certificate Subjec t . . ’ q ’ to Quit, ’ <SPAC E> ’ to Continu e -> . Issuer . . ’ q ’ to Quit, ’ <SPAC E> ’ to Continu e -> . Serial Numb er . . 1) Dele te Ce rtif icate[...]
-
Page 463
CLI men u refe rence 16 - 1 9 VPN 3000 Conce ntrator Seri es User Guide 3.2 Monitoring > Event Log 1) Config ure Lo g viewing param eters 2) View Even t Log 3) Save Log 4) Cle ar Lo g 5) Back Log -> _ 3.2.2 Monitoring > Event Log > V iew Event Log [Event Log entrie s] . . . 1) Fir st Pa ge 2) Pre vious Page 3) Next Page 4) Last Page 5) [...]
-
Page 464
16 Using the Command Line Interface 16 - 2 0 V PN 3000 Conc entrat or Series User Guid e 3.4 Monitoring > Sessions Model 3015 – 30 80 only 1) View Sess ion St atist ics 2) View Top Te n Lis ts 3) View Sess ion Pr otoco ls 4) View Sess ion SE Ps 5) View Sess ion En crypt ion 6) Back Sessio ns -> _ Model 30 05 only 1 ) View Se ssio n Stati st[...]
-
Page 465
CLI men u refe rence 16 - 2 1 VPN 3000 Conce ntrator Seri es User Guide 3.4.4 Monitoring > Sessions > V iew Session SEPs Model 3015 – 30 80 only Sessio n SEP s . . . 1) Ref resh Sessio n SEP s 2) Back Sessio ns -> _ 3.4.5* Monitoring > Sessions > V iew Session Encryption * 3.4. 5 on Mode l 3015 – 30 80, 3.4. 4 on Mo del 3005 Sess[...]
-
Page 466
16 Using the Command Line Interface 16 - 2 2 V PN 3000 Conc entrat or Series User Guid e 3.5.2 Monitoring > General Statistics > Server Statistics 1) Aut henti cation Stat istics 2) Acc ounti ng Sta tisti cs 3) Fil terin g Stat istic s 4) DHCP Stat isti cs 5) Add ress Pool S tatis tics 6) Back Genera l -> _ 3.5.3 Monitoring > General St[...]
-
Page 467
APPENDIX A-1 VPN 3000 Conce ntrator Seri es User Guide A Errors and troubleshooting This app endix descr ibes com mon error s that may oc cur whil e configuring and u sing the system, and how to correct the m. It also descri bes LED indic ators on the syste m and its expansion mod ules. Files for troublesh ooting The VPN 3000 Con centrator creates [...]
-
Page 468
A Errors an d trouble shooting A-2 VPN 3000 Concent rator Ser ies User Guide Configuration files The VPN Co ncentrator sa v es the curre nt boot con figurat ion f ile ( CO NFIG ) and its prede cessor ( CONFIG .BAK ) as files in flash memo ry . Thes e f iles may be useful for tro ublesho oting. See Administration | File Manag ement | Files for infor[...]
-
Page 469
VPN Conce ntrator Manager errors A-3 VPN 3000 Conce ntrator Seri es User Guide Invalid Login or Sessio n T imeout The Mana ger displays t he Inval id Lo gin or Se ssion T imeou t screen Prob lem Possibl e cause Solutio n Y ou entered an in v alid administrator login name / password comb inat ion. • T ypi ng erro r . • In v alid (un recogniz ed)[...]
-
Page 470
A Errors an d trouble shooting A-4 VPN 3000 Concent rator Ser ies User Guide Error / An error has occurre d while attempting to perform... The Mana ger displa ys a screen with the messa ge: Error / An error ha s occur red whil e attem pti ng to per form the ope ratio n . An addi tion al er ror m essa ge de scrib es t he err one ous operati on. Prob[...]
-
Page 471
VPN Conce ntrator Manager errors A-5 VPN 3000 Conce ntrator Seri es User Guide Y ou are u sing an old browser or have disabled J avaScript The Ma nager disp lays a scre en with the message : Y ou are us ing an old br owser or hav e disab led JavaSc ript ... Prob lem Possible cause Soluti on The V PN Concentra tor Ma nager cannot work w ith the brow[...]
-
Page 472
A Errors an d trouble shooting A-6 VPN 3000 Concent rator Ser ies User Guide Not Allowed / Y ou do not have sufficient authorization... The Mana ger displa ys a screen with the messa ge: Not Allowed / Y o u do not have sufficient authorization to access the specified page . Prob lem Possibl e cause Solut ion Y ou trie d to a ccess an area of t he M[...]
-
Page 473
VPN Conce ntrator Manager errors A-7 VPN 3000 Conce ntrator Seri es User Guide Not Found / An error has occurred while attempting to access... The Mana ger displa ys a screen with the messa ge: Not Found / An error has occurred while attempting to access the specified page. The screen inclu des additional infor mation that identif ies system acti v[...]
-
Page 474
A Errors an d trouble shooting A-8 VPN 3000 Concent rator Ser ies User Guide Command Line Int erface errors These er rors ma y occur wh ile usin g the menu -based Com mand Li ne Interfac e from a c onsole or T e lnet session. ERROR:-- Bad IP Ad dress/Subn et Mask/Wildca rd Mask/Area ID. ERROR:-- Out of Ra nge value entered. T ry again. ERROR:-- The[...]
-
Page 475
LED indicat ors A-9 VPN 3000 Conce ntrator Seri es User Guide LED in dicators LED in dicator s on th e VPN Concentrat or a nd its e xpansion m odule s are n ormally g reen. The u sage gaug e LEDs are normally bl ue. LED s that are amber o r of f may indi cate an err or cond ition. N A = not applicab le; i.e., the LED doe s not hav e that state. Con[...]
-
Page 476
A Errors an d trouble shooting A-1 0 V PN 3000 Conc entrat or Series User Guid e VPN Concentrator LEDs (front) LED Indicator (Front) Green Amber Off Sy stem Po wer on. Normal Blinki ng Gree n (Model 3005 onl y) = Sy stem is in a shutdo wn (halted) sta te, read y to power of f. System h as cras hed and halted. Error . (Power of f. All other LEDs are[...]
-
Page 477
LED indicat ors A-1 1 VPN 3000 Conce ntrator Seri es User Guide VPN Conce ntrator LEDs (rear) SEP (Scalab le Encryption Processin g) Module LEDs (Model 301 5 – 3080 only) SEP module LE Ds are visible f rom the rear of th e VPN Concentrato r . Usag e Gauge LE Ds (Front) (Model 3015 – 3080 o nly) Steady or Intermittent Blue Blinking Blue Left to [...]
-
Page 478
A Errors an d trouble shooting A-12 VPN 3000 C oncentrat or Seri es User Guide W AN Interface Module LEDs W AN module L EDs are vi sibl e fr om the rear of t he VPN Conc entra tor . WAN Module LE D On Blinking Off Power N ormal opera tion. N A Power is not reac hing the m odule. It m ay not be seated correctly . Error . Status Module has passe d di[...]
-
Page 479
LED indicat ors A-13 VPN 3000 Conce ntrator Seri es User Guide This tabl e sho ws all p ossible co mbinations f or the L EDs on ea ch W AN Port. End of Appendi x WAN P or t LED s Alrm Alarm CD Carrier Detect Sync Synchroniz ation LpB k Loopback Condition Of f On On Off Normal opera tion. Carrier de tected , line in sync hronizati on. Of f Off Of f [...]
-
Page 480
[...]
-
Page 481
APPENDIX B-1 VPN 3000 Conce ntrator Seri es User Guide B Copyrights, licenses, and notices Software License Agreeme nt of Cisco Sy stems, Inc. CISCO SY STEMS, INC . IS WI LLING TO LICEN SE TO YOU THE SOFTW ARE CONT AINE D IN THE A CCOMP ANYING C ISCO PR ODUCT ON L Y IF Y OU A CCEPT ALL OF THE TE RMS AND C ONDITI ONS IN THIS LICEN SE A GREEMENT . PL[...]
-
Page 482
B C opyri ghts, li cense s, a nd no tices B-2 VPN 3000 Concent rator Ser ies User Guide 4. Y ou may permanently transfer the Software and accompanyi ng written materia ls (including the most rece nt update and all prior versions) only in conjunction with a transfer of the entire Cisco product, and only if you retain no copies and the transferee agr[...]
-
Page 483
Other licenses B-3 VPN 3000 Conce ntrator Seri es User Guide 16. This Agr eement is gov erned b y the la ws of the State of Massachuse tts. 17. If you hav e any questions co ncerning this Agreement or wish to contact Cisco Systems for an y reason, please call (508) 541-7300, or write to Cisco S ystems, Inc. 124 Grov e Street, Suite 205 Franklin, Ma[...]
-
Page 484
B C opyri ghts, li cense s, a nd no tices B-4 VPN 3000 Concent rator Ser ies User Guide DHCP client Copyright © 1995, 1996, 1997 The Internet Software Consortium. All ri ghts re serv ed. Redistribution and use in source and binary forms, with or without modif ication, are permitted provided that the follo wing conditions are met: 1. Redistribution[...]
-
Page 485
Other licenses B-5 VPN 3000 Conce ntrator Seri es User Guide Portions Copyright © 1993 by Digital Equipment Corporation. Permission to use, co py , modify , and distribute this softw are for any purpose with or without fee is hereby granted, provided that the abo ve copy right notice and this permission notice appear in all copies, and that the na[...]
-
Page 486
B C opyri ghts, li cense s, a nd no tices B-6 VPN 3000 Concent rator Ser ies User Guide NRL grants permission for redistribution and use in source and binary forms, with or without modification, of the softw are and documentat ion created at NRL pro vided that the follo wing conditions ar e met: 1. Redistributions of source code must retain the abo[...]
-
Page 487
Other licenses B-7 VPN 3000 Conce ntrator Seri es User Guide RSA so ftware Copyright © 1995-1998 RSA Data Sec urity , Inc. All rights reserv ed. This work contains propr ietary informa tion of RSA Data Secu rity , I nc. Distri bution is limited to a uthorized lic ensees of RSA Data Security , Inc. Any unauthorized reproduction or distribution of t[...]
-
Page 488
B C opyri ghts, li cense s, a nd no tices B-8 VPN 3000 Concent rator Ser ies User Guide SSL Plus Certicom, the Certicom logo, SSL Plus, and Security Builder are trademarks of Certicom Corp. Copyright © 1997-1999 Certicom Corp. Portions are Copyright © 1997-1998, Consensus De velopment Corporation, a wholly ow ned subsidiary of Certicom Corp. All [...]
-
Page 489
Regulatory Agency No tices B-9 VPN 3000 Conce ntrator Seri es User Guide Regulatory Agency Notice s U.S. Federal Communications Commission (FCC) Compliance Notice NO TE: This equipment has been tested and found to comply with the limits for a Class A digit al de vice, pursuant to part 15 of the FCC Rules. These limits are designed to provide reason[...]
-
Page 490
B C opyri ghts, li cense s, a nd no tices B-1 0 VPN 3000 Concentrat or Series Use r Guide (1) ---- ------- ----- ------- ------ --- (2) Before connecting your unit, you must inform the telephone company of the follo wing information: (3) If the unit appears to be malfunctioning, it should be disconnected from the telephone lines until you l earn if[...]
-
Page 491
Regulatory Agency No tices B-1 1 VPN 3000 Conce ntrator Seri es User Guide • If the telephone com pany requests that you supply the FCC Certif ication number and REN of the device you are connecting, please supply the FCC Certification numbe rs from all component and ho st devices that hav e a direct PSTN connection (i.e. hav e a REN stated on th[...]
-
Page 492
B C opyri ghts, li cense s, a nd no tices B-1 2 VPN 3000 Concent rator S eries User Guid e WAN Module: CS03 Ca nadian Re quirements — Equipment Attachment Limitations NO TIC E : The Industry Canada label identifies certified equipment. This certif ication means that the equipment meets certain telecommunications netw ork protectiv e, operational [...]
-
Page 493
INDE X Inde x -1 VPN 3000 Conce ntrator Seri es User Guide Index Numerics 100 LED (Ethernet) A-1 1 A about th is manual xxxv ii access control list, administration 14-26 add 14-27 modify 14- 27 access hours , configuring 13-2 add 13-4 modify 13- 4 access rights, co nfiguring for administrators 1 4-24 access rights s ection, administration 1 4-21 ac[...]
-
Page 494
Index Inde x -2 VPN 3000 Concent rator Ser ies User Guide autodis covery, ne twork 7-8, 7-14 automatic switchover (redundancy) 8-12 B back panel display ( monito ring) 15-10 Bad IP Ad dress (erro r) A-8 base grou p, config uring (u ser management ) 12-3 bibliograp hy xxx ix bootco de filename 15-10 vers ion 15 -10 brow ser Back or Forward bu tton d[...]
-
Page 495
Index Inde x -3 VPN 3000 Conce ntrator Seri es User Guide dele te digital certificate 14-49 filter rule (traffic management) 13-19 group (u ser manag ement) 12-17 internal authentication server 5-8 security association (traffic manag ement) 13-28 user on internal serve r (user management) 12-3 4 DHCP functions within the VPN Concentrator, configu r[...]
-
Page 496
Index Inde x -4 VPN 3000 Concent rator Ser ies User Guide Expansion Module s Inserti on Status LEDs A-10 Expa nsio n Mod ules Ru n Sta tus L EDs A- 10 Extended Authentication, IPSec 12-9, 12 -26 F Fan Status LED A-10 fans, coolin g (monitor ing) 15-11 file access rights, adminis trators ’ 14-25 file m anagement on VPN Concent rator 14- 29, 14-30 [...]
-
Page 497
Index Inde x -5 VPN 3000 Conce ntrator Seri es User Guide IKE proposal s (continued) defa ult, table 7-20 in IPSec LAN-to-LAN 7-14 in security association 13 -19 inactive 7-21 IKE security association See security associations image, software filen ames 14-15 update 1 4-14 indicators, LED A-9 Install SSL Certificate (screen) 1-4 installing digital [...]
-
Page 498
Index Inde x -6 VPN 3000 Concent rator Ser ies User Guide LAN-to-LAN See IPSec LAN-to-LAN LED indicat ors 100 (Et hernet) A-11 Active Sessions A -10 Alrm (WAN) A-13 CD (WAN) A-13 Coll (Ethernet) A-11 CPU Utilization A- 10 Ether net L ink Stat us A -10 Expansi on Module s Insert ion Status A-10 Expansi on Modul es Run St atus A-1 0 Fan Stat us A-10 [...]
-
Page 499
Index Inde x -7 VPN 3000 Conce ntrator Seri es User Guide mouse po inter and t ips in Mana ger window 1 -20 multilink PPP ( MP), configuring 3-2 5 N NAT configu ring 13-39 enable 13-40 many-to-one trans lation 13-39 no public interf aces screen 13-42 NAT rules, configuring 13-40 add 13-42 modify 13- 42 navigat ing CLI menus 16-5 the VPN Concentrato[...]
-
Page 500
Index Inde x -8 VPN 3000 Concent rator Ser ies User Guide refresh Mo nitoring screens 14-20 refreshing scr een content 1-22 regulatory agen cy notices B-9 requirem ents brows er 1-1 cookies 1- 2 Internet Ex plorer 1- 1 JavaScript 1-1 Netscape Navigator 1-1 RIP 3-1 , 3-2 configuring on Ethernet interface 3-10 configuring on WAN interface 3-18 MIB-II[...]
-
Page 501
Index Inde x -9 VPN 3000 Conce ntrator Seri es User Guide static routes, config uring fo r IP routing 8-2 add 8-3 modify 8-3 statistics 15-47 accounting 15 -68 address poo ls 15-76 authentication 15-66 DHCP 15-75 DNS 15-65 events 15-62 filtering 15-69 HTTP 15-61 IPSec 15-55 L2TP 15-51 MIB-II 15 -77 ARP ta ble 15- 94 Ether net 15-96 ICMP 15-92 inter[...]
-
Page 502
Index Inde x -1 0 VPN 3000 Concentrat or Series Use r Guide tunn elin g proto col s configu ring 7-2 sectio n of Manag er 7- 1 Tx LED (Ethernet) A-11 type ( mode l numb er), sy stem 15-1 0 typographi c conventions xxxix U understa nding th e VPN Concentrat or Manager w indow 1-1 9 update s oftware on VPN Concen trator 14-14 usage graph LEDs (moni t[...]