VPN 3000 Concentrator Series
User Guide
Release 2.5
July 2000
Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
     800 553-NETS (6387)
Fax: 408 526-4100
Customer Order Number: DOC-7811137=
Text Part Number: 78-11137-01

Summary of Contents for Cisco VPN 3000

  • Page 2 LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY. The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
  • Page 37: About This Manual

    (the left frame of the Manager browser window; see Figure 1-30 in Chapter 1. Chapter 1, Using the VPN 3000 Concentrator Series Manager explains how to log in, navigate, and use the VPN Concentrator Manager with a browser. It explains both HTTP and HTTPS browser connections, and how to install the SSL certificate for a secure (HTTPS) connection.
  • Page 38: Additional Documentation

    Help icon on the toolbar in the Manager window. The VPN 3000 Client User Guide explains how to install, configure, and use the Cisco VPN 3000 Client, which lets a remote client use the IPSec tunneling protocol for secure connection to a private network through the VPN Concentrator.
  • Page 39: Other References

    Documentation Conventions The VPN 3000 Monitor User Guide explains how to install, set up, and use the VPN 3000 Monitor, which is a separate Java™ application that polls VPN 3000 Concentrators in a network for information and displays that information on your workstation.
  • Page 40: Data Formats

    For example, LOG00007.TXT is a legitimate filename. The VPN Concentrator always stores filenames as uppercase. Port numbers Port numbers use decimal numbers from 0 to 65535 with no commas or spaces.
  • Page 41: Contacting Cisco With Questions

    Cisco provides extensive technical support through its own staff and through authorized agents. If you have questions, we suggest you first try the Cisco Web site at www.cisco.com , and go to the Service & section. From there you can go to additional support areas such as the Technical Assistance Support Center (TAC), software updates, technical documentation, and service and support solutions.
  • Page 43: Using the VPN 3000 Concentrator Series Manager

    The VPN 3000 Concentrator Series Manager is an HTML-based interface that lets you configure, administer, monitor, and manage the VPN 3000 Concentrator with a standard Web browser. To use it, you need only to connect to the VPN Concentrator using a PC and browser on the same private network with the VPN Concentrator.
  • Page 44: Cookies

    Using the VPN 3000 Concentrator Series Manager • Internet Explorer 5.0: – On the Tools menu, select Internet Options . – On the Security tab, click Custom Level . – In the Security Settings window, scroll down to Scripting .
  • Page 45: Connecting to the VPN Concentrator Using HTTP

    SSL encrypts all data between client and server at the IP socket level, and is thus more secure. SSL uses digital certificates for authentication. The VPN Concentrator creates a self-signed SSL server certificate when it boots, and this certificate must be installed in the browser. Once the certificate is...
  • Page 46: Installing the SSL Certificate with Internet Explorer

    Using the VPN 3000 Concentrator Series Manager installed, you can connect using HTTPS. You need to install the certificate from a given VPN Concentrator only once. Managing the VPN Concentrator is the same with or without SSL. Manager screens may take slightly longer to load with SSL because of encryption / decryption processing.
  • Page 47 Figure 1-4: Internet Explorer Certificate dialog box 4 Click Install Certificate . The browser starts a wizard to install the certificate. The certificate store is where such certificates are stored in Internet Explorer.
  • Page 48 Using the VPN 3000 Concentrator Series Manager Figure 1-5: Internet Explorer Certificate Manager Import Wizard dialog box 5 Click Next to continue. The wizard opens the next dialog box asking you to select a certificate store. Figure 1-6: Internet Explorer Certificate Manager Import Wizard dialog box 6 Let the wizard Automatically select the certificate store , and click Next .
  • Page 49 10 On the Manager SSL screen (Figure 1-2), click the link that says, After installing the SSL certificate, click here to connect to the VPN 3000 Concentrator Series using SSL Depending on how your browser is configured, you may see a Security Alert dialog box.
  • Page 50 Using the VPN 3000 Concentrator Series Manager Figure 1-10: Internet Explorer Security Alert dialog box 11 Click OK . The VPN Concentrator displays the HTTPS version of the Manager login screen. Figure 1-11: VPN Concentrator Manager login screen using HTTPS (Internet Explorer) The browser maintains the HTTPS state until you close it or access an unsecure site;...
  • Page 51: Viewing Certificates with Internet Explorer

    The VPN Concentrator SSL certificate name is its Ethernet 1 (Private) IP address. Figure 1-13: Internet Explorer 4.0 Certificate Authorities list Select a certificate, then click View Certificate . The browser displays the Certificate Properties screen, as in Figure 1-12 above.
  • Page 52: Installing the SSL Certificate with Netscape

    Using the VPN 3000 Concentrator Series Manager Installing the SSL certificate with Netscape This section describes SSL certificate installation using Netscape Navigator / Communicator 4.5. Reinstallation You need to install the SSL certificate from a given VPN Concentrator only once. If you try to reinstall it, Netscape displays the note in Figure 1-14.
  • Page 53 Figure 1-17: Netscape New Certificate Authority screen 3 3 Click Next> to proceed. Netscape displays the next New Certificate Authority screen, with choices for using the certificate. No choices are checked by default.
  • Page 54 Using the VPN 3000 Concentrator Series Manager Figure 1-18: Netscape New Certificate Authority screen 4 4 You must check at least the first box, Accept this Certificate Authority for Certifying network sites . Click Next> to proceed. Netscape displays the next New Certificate Authority screen, which lets you choose to have the browser warn you about sending data to the VPN Concentrator.
  • Page 55 6 In the Nickname field, enter a descriptive name for this certificate. “Nickname” is something of a misnomer. We suggest you use a clearly descriptive name such as Cisco VPN Concentrator . This name appears in the list of installed certificates; see Viewing certificates with 10.10.147.2...
  • Page 56 Using the VPN 3000 Concentrator Series Manager Figure 1-22: VPN Concentrator Manager login screen using HTTPS (Netscape) The browser maintains the HTTPS state until you close it or access an unsecure site; in the latter case, you may see a Security Information Alert dialog box.
  • Page 57: Viewing Certificates with Netscape

    Second, you can view all the certificates that are stored in Netscape. On the Security Info window, select Certificates then Signers . The “nickname” you entered in Step 6 identifies the VPN Concentrator SSL certificate.
  • Page 58 Using the VPN 3000 Concentrator Series Manager Figure 1-25: Netscape Certificates Signers list Select a certificate, then click Edit , Verify , or Delete . Click OK when finished.
  • Page 59: Connecting to the VPN Concentrator Using HTTPS

    The browser displays the VPN Concentrator Manager HTTPS login screen. A locked-padlock icon on the browser status bar indicates an HTTPS session. Also, this login screen does not include the Install SSL Certificate link. Figure 1-26: VPN Concentrator Manager HTTPS login screen
  • Page 60: Logging in the VPN Concentrator Manager

    Using the VPN 3000 Concentrator Series Manager Logging in the VPN Concentrator Manager Logging in the VPN Concentrator Manager is the same for both types of connections: cleartext HTTP or secure HTTPS. Entries are case-sensitive, so type them carefully. With Microsoft Internet Explorer, you can press the key to move from field to field;...
  • Page 61: Configuring HTTP, HTTPS, and SSL Parameters

    The title bar at the top of the browser window includes the VPN Concentrator device name or IP address in brackets; e.g., [10.10.104.7] . Status bar The status bar at the bottom of the browser window displays explanatory messages for selected items and Manager activity.
  • Page 62: Mouse Pointer and Tips

    Manager. CCO at www.cisco.com Click this link to open a browser window on the main Cisco Web page, Cisco Connection Online (CCO). From that page, you can browse to all Cisco resources, including the Technical Assistance Center (TAC).
  • Page 63: Logout Tab

    Understanding the VPN Concentrator Manager window tac@cisco.com Click this link to open your configured email application and compose an email message to Cisco’s Technical Assistance Center (TAC). When you finish, the application closes and returns to this Support screen. Logout tab Click to log out of the Manager and return to the login screen.
  • Page 64: Refresh

    The date and time above this reminder indicate when the screen was last updated. Cisco Systems logo Click the Cisco Systems logo to open a browser and go to the Cisco web site, www.cisco.com . Left frame (Table of contents) The left frame provides a table of contents to Manager screens.
  • Page 65: Organization of the VPN Concentrator Manager

    • Monitoring : viewing routing tables, event logs, system LEDs and status, data on user sessions, and statistics for protocols and system functions. This manual covers all these topics. For Quick Configuration, see the VPN 3000 Concentrator Series Getting Started manual.
  • Page 66: Navigating the VPN Concentrator Manager

    Using the VPN 3000 Concentrator Series Manager Navigating the VPN Concentrator Manager Your primary tool for navigating the VPN Concentrator Manager is the table of contents in the left frame. Figure 1-30 shows all its entries, completely expanded. (The figure shows the frame in multiple columns, but the actual frame is a single column.
  • Page 67: Configuration

    Configuring the VPN Concentrator means setting all the parameters that govern its use and functionality as a VPN device. Cisco supplies default parameters that cover typical installations and uses; and once you supply minimal parameters in Quick Configuration, the system is operational. But to tailor the system to your needs, and to provide an appropriate level of system security, you should configure the system in detail.
  • Page 69: Interfaces

    C H A P T E R Interfaces This section of the VPN 3000 Concentrator Series Manager applies primarily to Ethernet and WAN network interfaces. Here you configure functions that are interface-specific, rather than system-wide. There is also a screen to configure power supply and voltage sensor alarms.
  • Page 70: Configuration | Interfaces

    WANs, you can configure independent WAN connections on Port A and Port B. Note: Interface settings take effect as soon as you apply them. If the system is in active use, changes may affect tunnel traffic. The table shows all installed interfaces and their status.
  • Page 71: Interface

    To configure a module, either click the appropriate link in the status table; or use the mouse pointer to select the module on the back-panel image, and click anywhere in the highlighted area. Interface The VPN Concentrator interface installed in the system. To configure an interface, click the appropriate link.
  • Page 72: Ethernet 1 (Private), Ethernet 2 (Public), Ethernet 3 (External)

    PPP Multilink and no longer has an IP address. To connect this port to a WAN, you must supply an IP address. IP Address The IP address configured on this interface. Subnet Mask The subnet mask configured on this interface.
  • Page 73: Power Supplies

    ). If a power supply is faulty, the appropriate Power Supply LED on the front panel is amber. Caution: If a voltage generates an alarm, shut down the system in an orderly way and contact Cisco support. Operating the system with out-of-range voltages, especially if they exceed the high threshold, may cause permanent damage.
  • Page 74: Alarm Thresholds

    High and low thresholds for the 3.3- and 5-volt outputs from the power supplies. You can enter values for the second power supply on Models 3015–3080 even if it is not installed. Board High and low thresholds for the 3.3- and 5-volt sensors on the main circuit board.
  • Page 75: Apply / Cancel

    This screen includes three tabbed sections. Click each tab to display its parameters. As you move from tab to tab, the Manager retains your settings. When you have finished setting parameters on all tabbed sections, click Apply or Cancel .
  • Page 76: General Parameters Tab

    To make this interface a public interface, check the box. A public interface is an interface to a public network, such as the Internet. You must configure a public interface before you can configure NAT and...
  • Page 77: MAC Address

    The filter governs the handling of data packets through this interface: whether to forward or drop, according to configured criteria. Cisco supplies three default filters that you can modify and use with the VPN Concentrator. You can configure filters on the Configuration | Policy Management | Traffic Management screens.
  • Page 78: RIP Parameters Tab

    Click the drop-down menu button and select the outbound RIP function: Disabled = No outbound RIP functions; i.e., the system does not send any RIP messages on this interface (default). RIPv1 Only = Send only RIPv1 messages on this interface.
  • Page 79: OSPF Parameters Tab

    The area ID identifies the subnet area within the OSPF Autonomous System or domain. Routers within an area have identical link-state databases. While its format is that of a dotted decimal IP address, the ID is only an identifier and not an address.
  • Page 80: OSPF Priority

    This entry is the estimated number of seconds it takes to transmit a link state update packet over this interface, and it should include both the transmission and propagation delays of the interface. This delay must be the same for all routers on a common network.
  • Page 81: OSPF Authentication

    To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window. To discard your settings, click Cancel . The Manager returns to the Configuration | Interfaces screen.
  • Page 82: Configuration | Interfaces | WAN Card in Slot N

    Not Present = ... Lower Layer Down = (Red) Not operational because a lower-layer interface is down. Unknown = (Red) Not configured or not able to determine status. Not Configured = Present but not configured.
  • Page 83: IP Address

    1536 Kbps. When you click this link, the Manager opens the Configuration | Interfaces | WAN Card in Slot N | Port A B as screen, which lets you configure T1 parameters.
  • Page 84: E1: Up To 31 64-Kbps Channels

    This screen includes five tabbed sections. Click each tab to display its parameters. As you move from tab to tab, the Manager retains your settings. When you have finished setting parameters on all tabbed sections, click Apply or Cancel .
  • Page 85: IP Parameters Tab

    Internet. You must configure a public interface before you can configure NAT and IPSec LAN-to-LAN, for example. You should designate only one VPN Concentrator interface as a public interface.
  • Page 86: Filter

    The filter governs the handling of data packets through this interface: whether to forward or drop, according to configured criteria. Cisco supplies three default filters that you can modify and use with the VPN Concentrator. You can configure filters on the Configuration | Policy Management | Traffic Management screens.
  • Page 87: Inbound RIP

    RIPv1 Only = Send only RIPv1 messages on this interface. RIPv2 Only = Send only RIPv2 messages on this interface. RIPv2/v1 compatible = Send RIPv2 messages that are compatible with RIPv1 on this interface.
  • Page 88: OSPF Parameters Tab

    While its format is that of a dotted decimal IP address, the ID is only an identifier and not an address. The 0.0.0.0 area ID identifies a special area—the backbone—that contains all area border routers, which are the routers connected to multiple areas.
  • Page 89: OSPF Priority

    This delay must be the same for all routers on a common network. Enter the delay as a number from 0 to 3600 seconds. The default is 1 second, which is a typical value.
  • Page 90: OSPF Authentication

    For MD5 authentication, enter the shared key. Maximum 8 characters. The Manager displays your entry in clear text. Figure 3-11: Configuration | Interfaces | WAN Card in Slot N | Port A B as T1 or E1 screen, WAN tab
  • Page 91: WAN Parameters Tab

    0 of each frame in the multiframe carries 4-bit CRC signatures for error detection. This is the default selection for E1. = E1 16-Frame Multiframe. The frame structure (a multiframe) consists of 16 frames. Each frame is 256 bits, or 32 8-bit timeslots.
  • Page 92: Buildout

    Kbps each, for a total of 1536 Kbps. For E1, there are 31 timeslots of 64 Kbps each, for a total of 1984 Kbps. The Currently: field shows the total for checked timeslots. Click Clear All to clear all timeslots, or Set All to set all timeslots.
  • Page 93: PPP Multilink Parameters Tab

    To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window. To discard your settings, click Cancel . The Manager returns to the Configuration | Interfaces screen. End of Chapter
  • Page 95: System Configuration

    • General : identifying the system, and setting the time and date. See the appropriate chapter in this manual or the online help for each section. Figure 4-1: Configuration | System screen End of Chapter
  • Page 97: Servers

    C H A P T E R Servers Configuring servers means identifying them to the VPN 3000 Concentrator so it can communicate with them correctly. These servers provide user authentication and accounting functions, convert hostnames to IP addresses, assign client IP addresses, and synchronize the system with network time. The VPN Concentrator functions as a client of these servers.
  • Page 98: Configuration | System | Servers | Authentication

    (IP address or hostname, TCP/UDP port, secret/ password, etc.). The VPN Concentrator functions as the client of these servers. The Cisco software CD-ROM includes a 30-day evaluation copy of Funk Software’s Steel-Belted RADIUS authentication server and instructions for using it with the VPN Concentrator.
  • Page 99: Authentication Servers

    Internal Server = The internal VPN Concentrator authentication server. With this server, you can configure a maximum of 100 groups and users (combined) in the internal database. See Configuration | User Management for details.
  • Page 100: Server Type = RADIUS

    VPN Concentrator declares this server inoperative and uses the next RADIUS authentication server in the list. Minimum is 0 , default is 2 , maximum is 10 retries.
  • Page 101: Server Secret

    Figure 5-4: Configuration | System | Servers | Authentication | Add or Modify NT Domain screen Authentication Server Address Enter the IP address of the NT Domain authentication server; e.g., 192.168.12.34 . Use dotted decimal notation.
  • Page 102: Server Port

    To discard your entries, click Cancel . The Manager returns to the Configuration | System | Servers | Authentication screen, and the Authentication Servers list is unchanged. Server Type = SDI Configure these parameters for an RSA Security Inc. SecurID authentication server.
  • Page 103: Authentication Server

    To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window. To discard your entries, click Cancel . The Manager returns to the Configuration | System | Servers | Authentication screen, and the Authentication Servers list is unchanged.
  • Page 104: Server Type = Internal Server

    SA negotiations. Deleting it also prevents connections by all users that are configured in the internal user database. We strongly recommend that you not delete the internal authentication server. Figure 5-7: Configuration | System | Servers | Authentication | Delete screen
  • Page 105: Yes / No

    OK / Cancel To send the username and password to the selected authentication server, click OK . The authentication and response process takes a few seconds. The Manager displays a Success or Error screen; see below.
  • Page 106: Authentication Server Test: Success

    No response from server = There is no response from the selected server within the configured timeout and retry periods. No active server found = The VPN Concentrator cannot find an active, configured server to test.
  • Page 107: Configuration | System | Servers | Accounting

    (IP address or hostname, UDP port, server secret, etc.). The VPN Concentrator functions as the client of these servers. Figure 5-12: Configuration | System | Servers | Accounting screen
  • Page 108: Accounting Servers

    Servers | Accounting | Add screen. To modify a configured user accounting server, select the server from the list and click Modify . The Manager opens the Configuration | System | Servers | Accounting | Modify screen.
  • Page 109: Configuration | System | Servers | Accounting | Add or Modify

    Timeout Enter the time in seconds to wait after sending a query to the accounting server and receiving no response, before trying again. Minimum is 1 second (the default), maximum is 30 seconds.
  • Page 110: Retries

    IP addresses. Configuring DNS servers here lets you enter hostnames (e.g., mail01 ) rather than IP addresses as you configure and manage the VPN Concentrator. You can configure up to three DNS servers that the system queries in order.
  • Page 111: Enabled

    Enter the IP address of the tertiary (second backup) DNS server, using dotted decimal notation. If the secondary DNS server doesn’t respond to a query within the Timeout Period specified below, the system queries this server.
  • Page 112: Timeout Period

    VPN Concentrator is enabled by default on that screen. You can configure and prioritize up to three DHCP servers. The first server is the primary, and the rest are backup servers in case the primary is inoperative.
  • Page 113: DHCP Servers

    The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
  • Page 114: Configuration | System | Servers | DHCP | Add or Modify

    Clocks in many computers tend to drift a few seconds per day. Exact time synchronization is important for systems on a network so that protocol timestamps and events are accurate. Security certificates, for example, carry a timestamp that determines a time frame for their validity.
  • Page 115: Configuration | System | Servers | NTP | Parameters

    To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window. To discard your settings, click Cancel . The Manager returns to the Configuration | System | Servers | NTP screen.
  • Page 116: Configuration | System | Servers | NTP | Hosts

    The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
  • Page 117: Configuration | System | Servers | NTP | Hosts | Add or Modify

    Manager window. To discard your entry, click Cancel . The Manager returns to the Configuration | System | Servers | NTP | Hosts screen, and the NTP Hosts list is unchanged. End of Chapter
  • Page 119: Address Management

    Configuration | System | Address Management This section of the VPN 3000 Concentrator Series Manager lets you configure options for assigning addresses to clients as a tunnel is established. A client must have an IP address to function as a tunnel endpoint.
  • Page 120: Configuration | System | Address Management | Assignment

    Check this box to use a DHCP (Dynamic Host Configuration Protocol) server to assign IP addresses. If you use DHCP, configure the server on the Configuration | System | Servers | DHCP and Configuration | System | IP Routing | DHCP screens.
  • Page 121: Use Address Pools

    . If no pools have been configured, the list shows --Empty-- . The pools are listed in the order they are configured. The system uses these pools in the order listed: if all addresses in the first pool have been assigned, it uses the next pool, and so on.
  • Page 122: Add / Modify / Delete

    Enter the first IP address available in this pool. Use dotted decimal notation; e.g., 10.10.147.100 . Range End Enter the last IP address available in this pool. Use dotted decimal notation; e.g., 10.10.147.177 .
  • Page 123: Add or Apply / Cancel

    Manager window. To discard your entries, click Cancel . The Manager returns to the Configuration | System | Address Management | Pools screen, and the IP Pool Entry list is unchanged. End of Chapter
  • Page 125: Tunneling Protocols

    TCP/IP network, such as the Internet, to create secure connections between remote users and a private corporate network. The secure connection is called a tunnel, and the VPN 3000 Concentrator Series uses tunneling protocols to: • Negotiate tunnel parameters. • Establish tunnels.
  • Page 126: Configuration | System | Tunneling Protocols

    Microsoft encryption (MPPE). You can configure PPTP on rules in filters; see Configuration | Policy Management | Traffic Management . Groups and users also have PPTP parameters; see Configuration | User Management .
  • Page 127: Enabled

    Note: Cisco supplies default settings for PPTP parameters that ensure optimum performance for typical VPN use. We strongly recommend that you not change the defaults without advice from Cisco personnel. Enabled Check the box to enable PPTP system-wide functions on the VPN Concentrator, or clear it to disable.
  • Page 128: Packet Window Size

    Enter the number of seconds to wait before determining that an acknowledgement has been lost; i.e., before resuming transmission to the client even though the transmit window is closed. Minimum is 1 , maximum is 10 , default is 3 seconds. VPN 3000 Concentrator Series User Guide...
  • Page 129: Apply / Cancel

    Figure 7-3: Configuration | System | Tunneling Protocols | L2TP screen Note: Cisco supplies default settings for L2TP parameters that ensure optimum performance for typical VPN use. We strongly recommend that you not change the defaults without advice from Cisco personnel. VPN 3000 Concentrator Series User Guide...
  • Page 130: Enabled

    Enter the maximum number of sessions allowed per L2TP tunnel. Minimum is 0 , maximum depends on the VPN Concentrator model; e.g., Model 3060 = 5000 . Enter 0 for unlimited sessions (the default). VPN 3000 Concentrator Series User Guide...
  • Page 131: Hello Interval

    To establish a connection, both entities must agree on the SAs. The Cisco VPN 3000 Client complies with the IPSec protocol and is specifically designed to work with the VPN Concentrator. However, the VPN Concentrator can establish IPSec connections with many protocol-compliant clients.
  • Page 132: Configuration | System | Tunneling Protocols | Ipsec Lan-To-Lan

    | Security Associations screens. Therefore, you should configure IKE proposals before configuring other IPSec parameters. Cisco supplies default IKE proposals that you can use or modify. Figure 7-4: Configuration | System | Tunneling Protocols | IPSec screen. Configuration | System | Tunneling Protocols |...
  • Page 133: Lan-To-Lan Connection

    Reminder: The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
  • Page 134: Configuration | System | Tunneling Protocols | Ipsec Lan-To-Lan | No Public Interfaces

    You must configure a public interface on the VPN Concentrator before you can configure an IPSec LAN-to-LAN connection. See the Configuration | Interfaces screens. You can configure only one LAN-to-LAN connection with each VPN Concentrator (or other secure gateway) peer.
  • Page 135 Public (default) filter with the rules above. • Creates or modifies a group named with the Peer IP address. If the VPN Concentrator internal authentication server hasn’t been configured, it does so, and adds the group to the database.
  • Page 136: Name

    Enter the IP address of the remote peer in the LAN-to-LAN connection. This must be the IP address of the public interface on the peer VPN Concentrator. Use dotted decimal notation; e.g., 192.168.34.56.
  • Page 137: Digital Certificate

    Use ESP without encryption; no packet encryption (the tunnel is authenticated but its contents are not confidential). DES-56 = Use DES encryption with a 56-bit key. 3DES-168 = Use Triple-DES encryption with a 168-bit key. This selection is the most secure of the three and is the default selection.
  • Page 138: Ike Proposal

    IKE proposals before configuring LAN-to-LAN connections. Click the drop-down menu button and select the IKE proposal. The list shows only active IKE proposals in priority order. Cisco-supplied default active proposals are: IKE-3DES-MD5 = Use preshared keys and MD5/HMAC-128 for authentication. Use 3DES-168 encryption.
  • Page 139: Ip Address

    If you select a configured network list, the Manager ignores entries in the IP Address and Wildcard-mask fields. See the wildcard mask note above. IP Address: Enter the IP address of the private network on the remote peer VPN Concentrator. Use dotted decimal notation; e.g., 11.0.0.0.
  • Page 140: Wildcard Mask

    Ethernet 1 (Private) interface of this VPN Concentrator. (See Monitoring | Routing Table.) A single network list can contain a maximum of 200 network entries.
  • Page 141: List Name

    If you omit the wildcard mask, the Manager supplies the default wildcard mask for the class of the network address. For example, 192.168.12.0 is a Class C address, and the default wildcard mask is 0.0.0.255. A wildcard mask is the bitwise inverse of a subnet mask: a 1 bit marks an address bit to ignore, a 0 bit marks one that must match. You can enter a maximum of 200 networks in a single network list.
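    The wildcard-mask rules above (classful default when the mask is omitted, wildcard as the inverse of a subnet mask, and the 200-entry limit per network list), as an added Python example. This is illustrative code written for this page, not the guide's or the product's own software; the network list name and addresses are constructed, and the example generalizes the page's Class C case to Classes A and B.

```python
import ipaddress
from typing import List, Optional, Tuple

MAX_NETWORKS_PER_LIST = 200  # limit stated in the guide


def default_wildcard(network: str) -> str:
    """Classful default the Manager supplies when the wildcard mask is omitted:
    Class A -> 0.255.255.255, Class B -> 0.0.255.255, Class C -> 0.0.0.255."""
    first_octet = int(ipaddress.IPv4Address(network)) >> 24
    if first_octet < 128:
        return "0.255.255.255"
    if first_octet < 192:
        return "0.0.255.255"
    if first_octet < 224:
        return "0.0.0.255"
    raise ValueError(f"{network}: no classful default for Class D/E addresses")


def wildcard_to_subnet_mask(wildcard: str) -> str:
    """A wildcard mask is the bitwise inverse of a subnet mask, and vice versa."""
    return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF))


def matches(address: str, network: str, wildcard: str) -> bool:
    """Wildcard semantics: a 1 bit means 'ignore this bit', a 0 bit means 'must match'."""
    a = int(ipaddress.IPv4Address(address))
    n = int(ipaddress.IPv4Address(network))
    keep = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF  # bits that must agree
    return (a & keep) == (n & keep)


class NetworkList:
    """A named list of (network, wildcard) entries, like those on Configuration |
    Policy Management | Traffic Management | Network Lists. The wildcard may be omitted."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.entries: List[Tuple[str, str]] = []

    def add(self, network: str, wildcard: Optional[str] = None) -> None:
        if len(self.entries) >= MAX_NETWORKS_PER_LIST:
            raise ValueError(f"{self.name}: a network list holds at most {MAX_NETWORKS_PER_LIST} entries")
        if wildcard is None:
            wildcard = default_wildcard(network)   # what the Manager does for you
        ipaddress.IPv4Address(wildcard)            # rejects anything that is not dotted decimal
        self.entries.append((network, wildcard))

    def contains(self, address: str) -> bool:
        """True if any entry in the list covers the address."""
        return any(matches(address, net, wc) for net, wc in self.entries)


if __name__ == "__main__":
    # Constructed sample list for a remote peer's private networks.
    remote = NetworkList("remote-lan")
    remote.add("192.168.12.0")          # Class C: wildcard defaults to 0.0.0.255
    remote.add("11.0.0.0")              # Class A: wildcard defaults to 0.255.255.255
    print(remote.entries)
    print(remote.contains("192.168.12.77"), remote.contains("192.168.13.1"))
```

    The mask arithmetic is the part worth keeping in mind when a LAN-to-LAN SA refuses traffic: an entry of 192.168.12.0 with wildcard 0.0.0.255 covers 192.168.12.77 but not 192.168.13.1, and a wildcard typed where a subnet mask was expected (or the reverse) silently matches the wrong set of hosts.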
  • Page 142: Generate Local List

    • Filter Rules: See Configuration | Policy Management | Traffic Management | Rules. You cannot delete the group, SA, or rules individually, nor can you remove the rules from their filter. The system automatically deletes them when you delete the LAN-to-LAN connection.
  • Page 143: Configuration | System | Tunneling Protocols | Ipsec | Ike Proposals

    You must also configure and activate IKE proposals before configuring IPSec LAN-to-LAN connections. See Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN above. You can configure a maximum of 25 IKE proposals total (active and inactive).
  • Page 144: Table 7-1: Cisco-Supplied Default Ike Proposals

    Figure 7-10: Configuration | System | Tunneling Protocols | IPSec | IKE Proposals screen. Cisco supplies default IKE proposals that you can use or modify; see Table 7-1. See Configuration | System | Tunneling Protocols | IPSec | IKE Proposals | Add for explanations of the parameters.
  • Page 145: Active Proposals

    These actions move the proposal up or down one position. To configure and add a new IKE proposal to the list of Inactive Proposals, click this button. See Configuration | System | Tunneling Protocols | IPSec | IKE Proposals | Add.
  • Page 146: Modify

    Copy a configured IKE proposal, modify its parameters, save it with a new name, and add it to the configured inactive IKE proposals. You can configure a maximum of 25 IKE proposals total (active and inactive).
  • Page 147: Proposal Name

    RSA Digital Certificate = Use a digital certificate with keys generated by the RSA algorithm. DSA Digital Certificate = Use a digital certificate with keys generated by the DSA algorithm.
  • Page 148: Authentication Algorithm

    Both = Use both time and data, whichever occurs first, to measure the lifetime. Configure both the Time Lifetime and Data Lifetime parameters. None = No lifetime measurement. The SA lasts until the connection is terminated for other reasons; note that with this setting the SA keys are never renegotiated for as long as the connection is up.
  • Page 149: Data Lifetime

    To discard your settings, click Cancel. The Manager returns to the Configuration | System | Tunneling Protocols | IPSec | IKE Proposals screen, and the IKE proposals lists are unchanged. End of Chapter.
  • Page 151: Ip Routing

    It provides automatic switchover to a backup system in case the primary system is out of service, thus assuring user access to the VPN. This feature supports user access via IPSec LAN-to-LAN connections, IPSec client (single-user remote-access) connections, and PPTP client connections.
  • Page 152: Configuration | System | Ip Routing

    This section of the Manager lets you configure static routes for IP routing. You usually configure static routes for private networks that cannot be learned via RIP or OSPF. Figure 8-2: Configuration | System | IP Routing | Static Routes screen.
  • Page 153: Static Routes

    Add: Configure and add a new static, or manual, route to the IP routing table. Modify: Modify the parameters for a configured static route. Figure 8-3: Configuration | System | IP Routing | Static Routes | Add or Modify screen.
  • Page 154: Network Address

    Apply. Both actions include your entries in the active configuration. The Manager returns to the Configuration | System | IP Routing | Static Routes screen. Any new route appears at the bottom of the Static Routes list.
  • Page 155: Configuration | System | Ip Routing | Default Gateways

    The routing subsystem always tries to use the least costly route. For example, if this route uses a low-speed line, you might assign a high metric so the system will use it only if all high-speed routes are unavailable.
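    The metric rule above (the cheapest usable route wins, so a high-metric slow line is used only when the fast routes are down), as an added Python example of route selection over a small static routing table. This is illustrative code, not the guide's or the concentrator's own routing code; the routes and next-hop addresses are constructed, and the precedence of the most specific prefix over the metric is standard IP forwarding behaviour assumed here rather than stated on the page. The default gateway is modelled as the 0.0.0.0/0 route.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set


@dataclass(frozen=True)
class StaticRoute:
    """One entry like those on Configuration | System | IP Routing | Static Routes."""
    network: str       # destination network address, dotted decimal
    subnet_mask: str   # dotted decimal
    next_hop: str      # router the packet is forwarded to
    metric: int        # cost of the route; lower is cheaper

    def prefix(self) -> ipaddress.IPv4Network:
        return ipaddress.IPv4Network(f"{self.network}/{self.subnet_mask}", strict=False)


class RoutingTable:
    def __init__(self, routes: Iterable[StaticRoute]) -> None:
        self.routes: List[StaticRoute] = []
        for r in routes:
            if r.metric < 1:
                # Assumed sanity check; the guide's metric range is not on this page.
                raise ValueError(f"metric must be at least 1, got {r.metric}")
            r.prefix()  # validates address and mask early, when the route is added
            self.routes.append(r)

    def lookup(self, destination: str, down: Set[str] = frozenset()) -> Optional[StaticRoute]:
        """Route chosen for one destination. Routes whose next hop is listed in `down`
        are treated as unavailable. Among usable routes the most specific prefix wins
        (assumed standard IP forwarding); among equally specific routes the lowest
        metric, i.e. the least costly route, wins."""
        dest = ipaddress.IPv4Address(destination)
        usable = [r for r in self.routes if r.next_hop not in down and dest in r.prefix()]
        if not usable:
            return None
        return min(usable, key=lambda r: (-r.prefix().prefixlen, r.metric))


if __name__ == "__main__":
    # Constructed sample: a fast and a slow path to the same network, a more
    # specific route for one subnet, and a default gateway.
    fast = StaticRoute("10.20.0.0", "255.255.0.0", "192.168.1.1", 1)
    slow = StaticRoute("10.20.0.0", "255.255.0.0", "192.168.1.2", 10)
    specific = StaticRoute("10.20.5.0", "255.255.255.0", "192.168.1.3", 20)
    default = StaticRoute("0.0.0.0", "0.0.0.0", "203.0.113.1", 1)
    table = RoutingTable([slow, fast, specific, default])
    print(table.lookup("10.20.7.7").next_hop)                          # fast path
    print(table.lookup("10.20.7.7", down={"192.168.1.1"}).next_hop)    # falls back to slow path
    print(table.lookup("10.20.5.9").next_hop)                          # more specific route
```

    The check worth running before trusting a metric is the second lookup: mark the fast next hop down and confirm that the slow, high-metric route is what gets picked, rather than the default gateway.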
  • Page 156: Tunnel Default Gateway

    The complete private network is called an OSPF Autonomous System (AS), or domain. The subnets within the AS are called areas. You configure OSPF areas on the Configuration | System | IP Routing | OSPF Areas screens.
  • Page 157: Enabled

    Check the box to indicate that the VPN Concentrator OSPF router is the boundary router for an Autonomous System. If you check this box, the VPN Concentrator also redistributes RIP and static routes into the OSPF areas. By default, the box is not checked.
  • Page 158: Apply / Cancel

    To delete a configured OSPF area, select the area from the list and click Delete. There is no confirmation or undo. The Manager refreshes the screen and shows the remaining entries in the OSPF Area list.
  • Page 159: Configuration | System | Ip Routing | Ospf Areas | Add Or Modify

    Advertisements) into OSPF stub areas. LSAs describe the state of the router’s interfaces and routing paths. Stub areas contain only final-destination hosts and do not pass traffic through to other areas. Sending LSAs to them is usually not necessary. By default this box is not checked.
  • Page 160: External Lsa Import

    Figure 8-8: Configuration | System | IP Routing | DHCP screen. Enabled: Check the box to enable DHCP functions within the VPN Concentrator. The box is checked by default. To use DHCP address assignment, you must enable DHCP functions here.
  • Page 161: Lease Timeout

    To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window. To discard your entries, click Cancel. The Manager returns to the Configuration | System | IP Routing screen.
  • Page 162: Configuration | System | Ip Routing | Redundancy

    You must also configure identical IPSec LAN-to-LAN parameters on the redundant VPN Concentrators. See the Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN screens. Figure 8-9: Configuration | System | IP Routing | Redundancy screen.
  • Page 163: Enable Vrrp

    On a Backup system, the fields are empty by default, and you must enter the same IP addresses as those on the Master system. Ethernet 1 (Private): The IP address for the Ethernet 1 (Private) interface shared by the virtual routers in this group.
  • Page 164: Public)

    To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window. To discard your entries, click Cancel. The Manager returns to the Configuration | System | IP Routing screen. End of Chapter.
  • Page 165: Management Protocols

    CHAPTER Management Protocols. The VPN 3000 Concentrator Series includes various built-in servers, using various protocols, that let you perform typical network and system management functions. This section explains how you configure and enable those servers.
  • Page 166: Configuration | System | Management Protocols | Ftp

    To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window. To discard your settings, click Cancel. The Manager returns to the Configuration | System | Management Protocols screen.
  • Page 167: Configuration | System | Management Protocols | Http/Https

    If you disable both HTTP and HTTPS, you cannot use a Web browser to connect to the VPN Concentrator. Use the Cisco Command Line Interface from the console or a Telnet session. Related information: •...
  • Page 168: Enable Https

    The lack of a login procedure makes it relatively insecure. The settings here have no effect on TFTP file transfer from the Administration | File Management | TFTP Transfer screen. For those operations, the VPN Concentrator acts as a TFTP client.
  • Page 169: Enable

    To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window. To discard your settings, click Cancel. The Manager returns to the Configuration | System | Management Protocols screen.
  • Page 170: Configuration | System | Management Protocols | Telnet

    an “SSL Telnet for Windows” shareware application (listed under pub/security/Crypto/SSLapps). (Please note that we mention this application for information only and that Cisco Systems does not supply, support, or endorse it in any way.) See the Configuration | System | Management Protocols | SSL screen to configure SSL parameters. See the screen to manage the SSL digital certificate.
  • Page 171: Telnet/Ssl Port

    The settings on this screen have no effect on sending system events to SNMP trap destinations (see Configuration | System | Events | General and Trap Destinations). For those functions, the VPN Concentrator acts as an SNMP client. Figure 9-6: Configuration | System | Management Protocols | SNMP screen.
  • Page 172: Enable

    To use the VPN Concentrator SNMP server, you must configure and add at least one community string. You can configure a maximum of 10 community strings. To protect security, the SNMP server does not include the usual default public community string, and we recommend that you not configure it.
  • Page 173: Community Strings

    Reminder: The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
  • Page 174: Configuration | System | Management Protocols | Snmp Communities | Add Or Modify

    SSL uses digital certificates for authentication. The VPN Concentrator creates a self-signed SSL server certificate when it boots; or you can install in the VPN Concentrator an SSL certificate that has been
  • Page 175 • For information on installing the SSL digital certificate in your browser and connecting via HTTPS, see Chapter 1, Using the VPN 3000 Concentrator Series Manager. • To configure HTTPS parameters, see the Configuration | System | Management Protocols | HTTP/HTTPS screen.
  • Page 176: Encryption Protocols

    SSL V2 Only = The server insists on SSL Version 2 only. This selection works with most Telnet/SSL clients, but SSL Version 2 has well-known protocol weaknesses; prefer TLS wherever your clients support it. TLS V1 Only = The server insists on TLS Version 1 only. At present, only Microsoft Internet Explorer 5.0 supports this option.
  • Page 177: Generated Certificate Key Size

    To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window. To discard your settings, click Cancel. The Manager returns to the Configuration | System | Management Protocols screen. End of Chapter.
  • Page 179: Events

    CHAPTER Events. An event is any significant occurrence within or affecting the VPN 3000 Concentrator such as an alarm, trap, error condition, network problem, task completion, threshold breach, or status change. The VPN Concentrator records events in an event log, which is stored in nonvolatile memory. You can also specify that certain events trigger a console message, a UNIX syslog record, an email message, or an SNMP management system trap.
  • Page 180

    IPDBG
    IPDECODE: IP packet decoding*
    IPSEC: IP Security subsystem
    IPSECDBG: IP Security debugging*
    IPSECDECODE: IP Security decoding*
    L2TP: L2TP subsystem
    L2TPDBG: L2TP debugging*
    L2TPDECODE: L2TP decoding*
    MIB2TRAP: MIB-II trap subsystem: SNMP MIB-II traps*
  • Page 181 WAN module subsystem* Note: The Cisco-specific event classes provide information that is meaningful only to Cisco engineering or support personnel. Also, the DBG and DECODE events require significant system resources and may seriously degrade performance. We recommend that you avoid logging these events unless Cisco requests it.
  • Page 182: Event Severity Level

    Note: The Debug (7–9) and Packet Decode (10–13) severity levels are intended for use by Cisco engineering and support personnel. We recommend that you avoid logging these events unless Cisco requests it. The VPN Concentrator, by default, displays all events of severity level 1 through 3 on the console. It writes all events of severity level 1 through 5 to the event log.
  • Page 183: Event Log

    This section of the Manager lets you configure how the VPN Concentrator handles events. Events provide information for system monitoring, auditing, management, accounting, and troubleshooting. Figure 10-1: Configuration | System | Events screen.
  • Page 184: Configuration | System | Events | General

    The VPN Concentrator automatically saves the log file if it crashes, and when it is rebooted, regardless of this Save Log on Wrap setting. This log file is named SAVELOG.TXT, and it overwrites any existing file with that name. The SAVELOG.TXT file is useful for debugging.
  • Page 185: Save Log Format

    = Original VPN Concentrator event format with information on one line. Cisco IOS Compatible = Event format that is compatible with Cisco syslog management applications. Severity to Log: Click the drop-down menu button and select the range of event severity levels to enter in the event log by default.
  • Page 186: Severity To Console

    Trap / Event Class / Severity to Trap setting that sends it:
    coldStart / EVENT / 1 or higher
    linkDown / 1-3 or higher
    linkUp / 1-3 or higher
    authFailure / SNMP / 1-3 or higher (This trap is SNMP authentication failure, not tunnel authentication failure.)
  • Page 187: Apply / Cancel

    For example, c:\vpn\logfiles. FTP Username: Enter the username for FTP login on the destination computer. FTP Password: Enter the password to use with the FTP username above. The field displays only asterisks.
  • Page 188: Verify

    The initial default entry is MIB2TRAP, which are SNMP MIB-II events, or “traps,” that you might want to monitor with an SNMP network management system. Other configured event classes are listed in
  • Page 189: Add / Modify / Delete

    Modify the special handling of a specific event class. Figure 10-5: Configuration | System | Events | Classes | Add or Modify screen.
  • Page 190: Class Name

    If you select any severity levels to send, you must also configure the syslog server(s) on the Configuration | System | Events | Syslog Servers screens, and you should configure the Syslog Format on the Configuration | System | Events | General screen.
  • Page 191: Severity To Email

    To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window. To discard your settings, click Cancel. The Manager returns to the Configuration | System | Events | Classes screen.
  • Page 192: Configuration | System | Events | Trap Destinations

    To remove an SNMP trap destination that has been configured, select the destination from the list and click Delete. There is no confirmation or undo. The Manager refreshes the screen and shows the remaining entries in the list.
  • Page 193: Configuration | System | Events | Trap Destinations | Add Or Modify

    Enter the community string to use in identifying traps from the VPN Concentrator to this destination. The community string is like a password: it validates messages between the VPN Concentrator and this NMS destination. If you leave this field blank, the default community string is public. As with the SNMP server community strings, avoid the well-known public string and set one the NMS is configured to expect.
  • Page 194: Port

    To configure default event handling and syslog formats, click the highlighted link that says “Click here to configure general event parameters.” To configure special event handling, see the Configuration | System | Events | Classes screens. Figure 10-8: Configuration | System | Events | Syslog Servers screen.
  • Page 195: Syslog Servers

    Syslog Server: Enter the IP address or hostname of the UNIX syslog server to receive event messages. (If you have configured a DNS server, you can enter a hostname; otherwise, enter an IP address.)
  • Page 196: Port

    To configure default event handling, click the highlighted link that says “Click here to configure general event parameters.” To configure special event handling, see the Configuration | System | Events | Classes screens.
  • Page 197: Smtp Servers

    The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
  • Page 198: Configuration | System | Events | Smtp Servers | Add Or Modify

    Configuration | System | Events | General. To configure SMTP servers, see the Configuration | System | Events | SMTP Servers screen, or click the highlighted link that says “configure an SMTP server.”
  • Page 199: Email Recipients

    The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
  • Page 200: Configuration | System | Events | Email Recipients | Add Or Modify

    1-3 to email, all other events with no severity to email, and bob@altiga.com to receive email events of severity levels 1-2, bob will receive only IPSEC events of severity levels 1-2.
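    The routing rule in the example above (a recipient gets an event only when both the class's Severity to Email range and the recipient's own severity range include the event's level), together with the default console (1-3) and log (1-5) ranges from the Event Severity Level page, modelled as an added Python example. This is illustrative code, not the guide's or the concentrator's own event code; the class overrides and the bob@altiga.com recipient are taken from the page's own example, and per-class handling for syslog and traps is modelled the same way as email.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Inclusive (low, high) severity range; None means "no severity", i.e. nothing sent.
SeverityRange = Optional[Tuple[int, int]]


@dataclass
class ClassHandling:
    """Severity ranges for one event class, as on Configuration | System | Events | Classes.
    The defaults are the guide's general defaults: console 1-3, log 1-5."""
    to_log: SeverityRange = (1, 5)
    to_console: SeverityRange = (1, 3)
    to_syslog: SeverityRange = None
    to_email: SeverityRange = None
    to_trap: SeverityRange = None


@dataclass
class EmailRecipient:
    address: str
    severities: SeverityRange


@dataclass
class EventRouter:
    general: ClassHandling = field(default_factory=ClassHandling)   # Events | General defaults
    classes: Dict[str, ClassHandling] = field(default_factory=dict)  # per-class special handling
    recipients: List[EmailRecipient] = field(default_factory=list)

    @staticmethod
    def _in(rng: SeverityRange, severity: int) -> bool:
        return rng is not None and rng[0] <= severity <= rng[1]

    def handling_for(self, event_class: str) -> ClassHandling:
        """Special handling if configured for the class, otherwise the general defaults."""
        return self.classes.get(event_class, self.general)

    def destinations(self, event_class: str, severity: int) -> List[str]:
        """Non-email destinations for one event: log, console, syslog, trap."""
        if not 1 <= severity <= 13:
            raise ValueError("severity levels run from 1 to 13")
        h = self.handling_for(event_class)
        out = []
        for name, rng in (("log", h.to_log), ("console", h.to_console),
                          ("syslog", h.to_syslog), ("trap", h.to_trap)):
            if self._in(rng, severity):
                out.append(name)
        return out

    def email_recipients(self, event_class: str, severity: int) -> List[str]:
        """Addresses that receive the event: the class's Severity to Email range AND the
        recipient's own range must both include the event's severity."""
        h = self.handling_for(event_class)
        if not self._in(h.to_email, severity):
            return []
        return [r.address for r in self.recipients if self._in(r.severities, severity)]


if __name__ == "__main__":
    # The page's example: IPSEC sends severities 1-3 to email, other classes send
    # nothing to email, and bob is configured to receive severities 1-2.
    router = EventRouter(classes={"IPSEC": ClassHandling(to_email=(1, 3))},
                         recipients=[EmailRecipient("bob@altiga.com", (1, 2))])
    print(router.email_recipients("IPSEC", 2))   # bob gets it
    print(router.email_recipients("IPSEC", 3))   # outside bob's range: nobody
    print(router.email_recipients("PPTP", 1))    # class sends nothing to email: nobody
    print(router.destinations("PPTP", 4))        # logged (1-5) but not on the console (1-3)
```

    The point to check when an expected alert never arrives is the intersection: widening the recipient's range does nothing while the class's Severity to Email still excludes the level, and vice versa.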
  • Page 201: Add Or Apply / Cancel

    Manager window. To discard your entry, click Cancel. The Manager returns to the Configuration | System | Events | Email Recipients screen, and the Email Recipients list is unchanged. End of Chapter.
  • Page 203: General

    CHAPTER General. General configuration parameters include VPN 3000 Concentrator environment items: system identification, time, and date. Configuration | System | General: This section of the Manager lets you configure general VPN Concentrator parameters. • Identification: system name, contact person, system location.
  • Page 204: Configuration | System | General | Identification

    To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window. To discard your settings, click Cancel. The Manager returns to the Configuration | System | General screen.
  • Page 205: Configuration | System | General | Time And Date

    To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window. To discard your settings, click Cancel. The Manager returns to the Configuration | System | General screen. End of Chapter.
  • Page 207: User Management

    CHAPTER User Management. Groups and users are core concepts in managing the security of VPNs and in configuring the VPN 3000 Concentrator. Groups and users have attributes, configured via parameters, that determine their access to and use of the VPN.
  • Page 208 Concentrator. You also apply filters to network interfaces, and thus govern all data traffic through the VPN Concentrator. See the Configuration | Policy Management | Traffic Management screens. • We can supply a “dictionary” of Cisco-specific user and group parameters for external RADIUS servers.
  • Page 209: Configuration | User Management

    This screen includes three tabbed sections. Click each tab to display its parameters. As you move from tab to tab, the Manager retains your settings. When you have finished setting parameters on all tabbed sections, click Apply or Cancel.
  • Page 210: General Parameters Tab

    Never = No access at any time. Business Hours = Access 9 a.m. to 5 p.m., Monday through Friday. Additional named access hours that you have configured also appear on the list.
  • Page 211: Simultaneous Logins

    Filters consist of rules that determine whether to allow or reject tunneled data packets coming through the VPN Concentrator, based on criteria such as source address, destination address, and protocol. Cisco supplies three default filters, which you can modify. To configure filters and rules, see the Configuration | Policy Management | Traffic Management screens.
  • Page 212: Primary Dns

    IPSec = IP Security Protocol (checked by default). IPSec provides the most complete architecture for VPN tunnels, and it is perceived as the most secure protocol. Both LAN-to-LAN (peer-to-peer) connections and client-to-LAN connections can use IPSec. The Cisco VPN 3000 Client is an IPSec client specifically designed to work with the VPN Concentrator.
  • Page 213: Ipsec Parameters Tab

    During tunnel establishment, the client and server negotiate a Security Association that governs authentication, encryption, encapsulation, key management, etc. You configure IPSec Security Associations on the Configuration | Policy Management | Traffic Management | Security Associations screens.
  • Page 214: Tunnel Type

    VPN Concentrator via a group name and password, and then the system authenticates a user via a username and password. If this box is not checked (the default), the system authenticates a user without regard to the user’s assigned group.
  • Page 215: Authentication

    The Cisco VPN 3000 Client (IPSec client) supports Mode Configuration, but other IPSec clients may not. For example, the Microsoft Windows 2000 IPSec client does not support Mode Configuration. (The Windows 2000 client uses the PPP layer above L2TP to receive its IP address from the VPN Concentrator.) Determine compatibility before using this option with other vendors’...
  • Page 216: Allow Password Storage On Client

    Configuration to push it to, and enable it on, the IPSec client. You must create a Network List before you can enable split tunneling. See the Configuration | Policy Management | Traffic Management | Network Lists screens.
  • Page 217: Default Domain Name

    Registered Ports range. The Cisco VPN 3000 Client must also be configured to use this feature (it is configured to use it by default). The VPN Client Connection Status dialog box indicates if the feature is being used. See the VPN 3000 Client User Guide.
  • Page 218: Pptp/L2Tp Parameters Tab

    Unchecking all authentication options means that no authentication is required. That is, PPTP users can connect with no authentication. This configuration is allowed so you can test connections, but it is not secure.
  • Page 219: Pptp Encryption

    Microsoft encryption (MPPE) uses this algorithm. This option is checked by default. If you check Required, you must check this option and/or the 40-bit option. The U.S. government restricts the distribution of 128-bit encryption software.
  • Page 220: L2Tp Authentication Protocols

    However, it might perform better in a lossy environment (where packets are lost), such as the Internet. This option is not checked by default. Do not check this option if you use NT Domain user authentication; NT Domain authentication cannot negotiate encryption.
  • Page 221: Apply / Cancel

    To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window. To discard your settings, click Cancel. The Manager returns to the Configuration | User Management screen.
  • Page 222: Configuration | User Management | Groups

    Figure 12-5: Configuration | User Management | Groups screen. Current Groups: The Current Groups list shows configured groups in alphabetical order, and whether they are internal or external. If no groups have been configured, the list shows --Empty--.
  • Page 223: Add / Modify / Delete

    The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
  • Page 224: Configuration | User Management | Groups | Add Or Modify (Internal)

    Figure 12-6: Configuration | User Management | Groups | Add or Modify (Internal) screen, Identity tab. Identity Parameters tab: This tab lets you configure the name, password, and authentication server type for this group.
  • Page 225: Group Name

    External = Use an external authentication server—such as RADIUS—for this group. If you select this type, ignore the rest of the tabs and parameters on this screen. The external server supplies the group parameters if it can; otherwise the base-group parameters apply.
  • Page 226: General Parameters Tab

    • The Inherit? check box refers to base-group parameters: Does this specific group inherit the given setting from the base group? To inherit the setting, check the box (default). To override the base-group
  • Page 227: Access Hours

    The minimum is 1, and the maximum is 2147483647 minutes (over 4000 years). To disable timeout and allow an unlimited idle period, enter
  • Page 228: Maximum Connect Time

    Filters consist of rules that determine whether to allow or reject tunneled data packets coming through the VPN Concentrator, based on criteria such as source address, destination address, and protocol. Cisco supplies three default filters, which you can modify. To configure filters and rules, see the Configuration screens.
  • Page 229: Primary Wins

    = IP Security Protocol. IPSec provides the most complete architecture for VPN tunnels, and it is perceived as the most secure protocol. Both LAN-to-LAN (peer-to-peer) connections and client-to-LAN connections can use IPSec. The Cisco VPN 3000 Client is an IPSec client specifically designed to work with the VPN Concentrator. However, the VPN Concentrator can establish IPSec connections with many protocol-compliant clients.
  • Page 230: Ipsec Parameters Tab

    This tab lets you configure IP Security Protocol parameters that apply to this internally configured group. If you checked IPSec or L2TP over IPSec under Tunneling Protocols on the General Parameters tab, configure this section.
  • Page 231: Value / Inherit

    IPSec traffic (with ESP applied only to the transport layer segment), and it uses Triple-DES 168-bit data encryption and MD5/HMAC-128 for the IKE tunnel. Use this SA with the L2TP over IPSec tunneling protocol. Additional SAs that you have configured also appear on the list.
  • Page 232: Tunnel Type

    Security Associations. If you check this box, configure the desired Mode Configuration Parameters below; otherwise, ignore them. To use split tunneling, you must check this box. If you checked L2TP over IPSec under Tunneling Protocols , do not check this box.
  • Page 233: Mode Configuration Parameters

    The Cisco VPN 3000 Client (IPSec client) supports Mode Configuration, but other IPSec clients may not. For example, the Microsoft Windows 2000 IPSec client does not support Mode Configuration. (The Windows 2000 client uses the PPP layer above L2TP to receive its IP address from the VPN Concentrator.) Determine compatibility before using this option with other vendors’...
  • Page 234: Ipsec Through Nat

    IPSec through NAT: Check the box to allow the Cisco VPN 3000 Client (IPSec client) to connect to the VPN Concentrator via UDP through a firewall or router using NAT. IPSec through NAT UDP Port: Enter the UDP port number to use if you allow IPSec through NAT . Enter a number in the range 4001 through 49151 ;...
  • Page 235: Value / Inherit

    MSCHAPv1 = Microsoft Challenge-Handshake Authentication Protocol version 1. This protocol is similar to, but more secure than, CHAP. In response to the server challenge, the client returns the encrypted [challenge plus encrypted password], with a cleartext username. Thus the server stores—
  • Page 236: Pptp Encryption

    You can allow a group to use fewer protocols than the base group, but not more. You cannot allow a grayed-out protocol. PAP = Password Authentication Protocol. This protocol passes cleartext username and password during authentication and is not secure. We strongly recommend that you not allow this protocol.
  • Page 237: L2Tp Encryption

    To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window. To discard your settings, click the Cancel button. The Manager returns to the Configuration | User Management | Groups screen, and the Current Groups list is unchanged.
  • Page 238: Configuration | User Management | Groups | Modify (External)

    Apply , so you can configure all the parameters. External = To use only an external authentication server, such as RADIUS, keep this selection. The external server supplies the group parameters if it can; otherwise the base-group parameters apply.
  • Page 239: Configuration | User Management | Users

    • Users who are not members of a specific group are, by default, members of the base group. Therefore, to ensure maximum security and control, you should assign all users to appropriate specific groups, and you should configure base-group parameters carefully. Figure 12-11: Configuration | User Management | Users screen
  • Page 240: Current Users

    This screen includes four tabbed sections. Click each tab to display its parameters. As you move from tab to tab, the Manager retains your settings. When you have finished setting parameters on all tabbed sections, click Add / Apply or Cancel .
  • Page 241: Identity Parameters Tab

    Click the drop-down menu button and select the group to which you assign this user. The list shows specific groups you have configured, plus: --Base Group-- = The default group with its base-group parameters.
  • Page 242: Subnet Mask

    Figure 12-13: Configuration | User Management | Users | Add or Modify screen, General tab. General Parameters tab: This tab lets you configure general access, performance, and allowed tunneling protocols that apply to this user.
  • Page 243: Idle Timeout

    The minimum is 1 , and the maximum is 2147483647 minutes (over 4000 years). To disable timeout and allow an unlimited idle period, enter
  • Page 244: Sep Card Assignment

    Filters consist of rules that determine whether to allow or reject tunneled data packets coming through the VPN Concentrator, based on criteria such as source address, destination address, and protocol. Cisco supplies three default filters, which you can modify. To configure filters and rules, see the Configuration screens.
  • Page 245: Ipsec Parameters Tab

    • The Value column thus shows either group parameter settings that also apply to this user ( Inherit? checked), or unique parameter settings configured for this user ( Inherit? cleared). You cannot configure a grayed-out parameter.
  • Page 246: Store Password On Client

    Check the box to allow this IPSec user (client) to store the login password on the client system. If you do not allow password storage, IPSec users must enter their password each time they seek access to the VPN. For maximum security, we recommend that you not allow password storage.
  • Page 247: Pptp/L2Tp Parameters Tab

    • The Value column thus shows either group parameter settings that also apply to this user ( Inherit? checked), or unique parameter settings configured for this user ( Inherit? cleared). You cannot configure a grayed-out parameter.
  • Page 248: Use Client Address

    MSCHAPv2 = Microsoft Challenge-Handshake Authentication Protocol version 2. This protocol is even more secure than MSCHAPv1. It requires mutual client-server authentication, uses session-unique keys for data encryption by MPPE, and derives different encryption keys for the send and receive paths.
  • Page 249: L2Tp Authentication Protocols

    Manager window. To discard your settings, click Cancel . The Manager returns to the Configuration | User Management | Users screen, and the Current Users list is unchanged. End of Chapter
  • Page 251 You configure “what data traffic can flow through it” under Traffic Management , and it’s a bit more complex. The Cisco VPN 3000 Concentrator hierarchy is straightforward, however: you use filters that consist of rules; and for IPSec rules, you apply Security Associations (SAs). Therefore, you first construct (configure) rules and SAs, then use them to construct filters.
  • Page 252: Configuration | Policy Management

    VPN Concentrator. You assign access hours to groups and users under Configuration | User Management . Access hours don’t apply to LAN-to-LAN connections. Figure 13-2: Configuration | Policy Management | Access Hours screen
  • Page 253: Current Access Hours

    Current Access Hours: The Current Access Hours list shows the names of configured access times. The Cisco-supplied default access times are: Never = Never. No access at any time. Business Hours = Monday through Friday, 9 a.m. to 5 p.m.
  • Page 254: Configuration | Policy Management | Access Hours | Add Or Modify

    Enter or edit hours in the range fields. Times are inclusive: starting time through ending time. Enter times as HH:MM:SS . Use 24-hour notation; e.g., enter 5:30 p.m. as 17:30 . By default, all ranges are 00:00:00 to 23:59:59 .
  • Page 255: Configuration | Policy Management | Traffic Management

    You also apply filters to groups and users under Configuration | User Management ; these filters apply to tunneled traffic only. Figure 13-4: Configuration | Policy Management | Traffic Management screen
  • Page 256: Configuration | Policy Management | Traffic Management | Network Lists

    To delete a configured network list, select the list and click Delete . If the network list is configured on a filter rule or an IPSec LAN-to-LAN connection, the Manager displays an error message indicating the
  • Page 257: Configuration | Policy Management | Traffic Management | Network Lists | Add, Modify, Or Copy

    Ethernet 1 (Private) interface. It generates this list by reading the routing table, and Inbound RIP must be enabled on that interface. Figure 13-6: Configuration | Policy Management | Traffic Management | Network Lists | Add, Modify, or Copy screens
  • Page 258: Network List

    Manager window. To discard your settings, click Cancel . The Manager returns to the Configuration | Policy Management | Traffic Management | Network Lists screen, and the Network Lists field is unchanged.
  • Page 259: Configuration | Policy Management | Traffic Management | Rules

    The rules are listed in the order they are configured. Cisco supplies several default rules that you can modify and use. See Table 13-1 for their parameters, and see Configuration | Policy Management | Traffic Management | Rules | Add for explanations of the parameters.
  • Page 260: Table 13-1: Cisco-Supplied Default Filter Rules

    Table 13-1 rows, continued (columns: Filter Rule Name | Direction | Protocol | TCP Connection | TCP/UDP Source Port | TCP/UDP Destination Port | ICMP Packet Type; this fragment begins mid-row, and cells not captured in the snippet are omitted):
    ... | Don’t Care | LDAP (389) | Range 0-65535
    OSPF In | Inbound | OSPF
    OSPF Out | Outbound | OSPF
    Outgoing HTTP In | Inbound | Don’t Care | HTTP (80) | Range 0-65535
    Outgoing HTTP | Outbound | Don’t Care | Range 0-65535 | HTTP (80)
  • Page 261: Add / Modify / Copy / Delete

    Table 13-1: Cisco-supplied default filter rules (continued). Columns: Filter Rule Name | Direction | Protocol | TCP Connection | TCP/UDP Source Port | TCP/UDP Destination Port | ICMP Packet Type.
    Outgoing HTTPS In | Inbound | Don’t Care | HTTPS (443) | Range 0-65535...
  • Page 262: Configuration | Policy Management | Traffic Management | Rules | Add, Modify, Or Copy

    On the Modify screen, any changes take effect as soon as you click Apply . Changes affect all filters that use this rule. If this rule is being used by an active filter, changes may affect tunnel traffic.
  • Page 263 Figure 13-8: Configuration | Policy Management | Traffic Management | Rules | Add, Modify, or Copy screen
  • Page 264: Rule Name

    LAN-to-LAN connection; see Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN . Protocol or Other: This parameter refers to the IANA (Internet Assigned Numbers Authority)-assigned protocol number in an IP packet. The descriptions below include the IANA number [in brackets] for reference.
  • Page 265: Tcp Connection

    Otherwise, you can select: Use IP Address/Wildcard-mask below , which lets you enter a network address. If you select a configured network list, the Manager ignores entries in the IP Address and Wildcard-mask fields.
  • Page 266: Wildcard-Mask

    Thus an IP address plus a port number uniquely identifies a process on a network host. Only TCP and UDP protocols use port numbers. The Internet
  • Page 267: Port Or Range

    LDAP/SSL (636) = LDAP over a secure session (TLS/SSL). Telnet/SSL (992) = Telnet over a secure session (TLS/SSL). LapLink (1547) = Remote file management and mail. L2TP (1701) = Layer 2 Tunneling Protocol. PPTP (1723) = Point-to-Point Tunneling Protocol.
  • Page 268: Tcp/Udp Destination Port

    Range = To specify a range of port numbers, or to specify a port not on the Cisco-supplied list, select Range here (the default selection) and enter—in the Range [start] to [end] fields—the inclusive range of port numbers that this rule applies to. To specify a single port number, enter the same number in both fields.
  • Page 269: Configuration | Policy Management | Traffic Management | Rules | Delete

    SA); and second, to govern traffic within—the use of—the tunnel (the IPSec SA). You must configure IKE proposals before configuring Security Associations. See Configuration | System | Tunneling Protocols | IPSec | IKE Proposals , or click the IKE Proposals link on this screen.
  • Page 270 IPSec Parameters section on the appropriate Configuration | User Management screens. You can use IPSec in both client-to-LAN (remote-access) configurations and LAN-to-LAN configurations. The Cisco VPN 3000 Client complies with the IPSec protocol and is specifically designed to work with the VPN Concentrator. However, the VPN Concentrator can establish IPSec connections with many protocol-compliant clients.
  • Page 271: Ipsec Sas

    The IPSec SAs list shows the configured SAs that are available. The SAs are listed in the order they are configured. Cisco supplies default SAs that you can use or modify; see Table 13-2. See Configuration | Policy for explanations of the parameters.
  • Page 272: Configuration | Policy Management | Traffic Management | Security Associations | Add Or Modify

    On the Modify screen, any changes take effect as soon as you click Apply . If the SA is being used by an active filter rule or group, changes may affect tunnel traffic.
  • Page 273: Inheritance

    = One tunnel for every address pair within the address ranges specified in the rule. Each host uses a separate tunnel, and hence, separate keys. This selection is more secure but requires more processing overhead.
  • Page 274: Ipsec Parameters

    = Apply ESP encryption and authentication only to the transport layer segment (data only) of the original IP packet. This mode protects packet contents but not the ultimate source and destination addresses. Use this mode for Windows 2000 client compatibility.
  • Page 275: Perfect Forward Secrecy

    If you select Time or Both under Lifetime Measurement above, enter the number of seconds after which the IPSec SA expires. Minimum is 60 seconds, default is 28800 seconds (8 hours), maximum is 2147483647 seconds (about 68 years).
  • Page 276: Ike Parameters

    Click the drop-down menu button and select the option. The list shows any digital certificates that have been installed, plus: None (Use Preshared Keys) = Use preshared keys to authenticate the peer during Phase 1 IKE negotiations. This is the default selection.
  • Page 277: Ike Proposal

    IKE-3DES-MD5-DH1 = Use preshared keys and MD5/HMAC-128 for authentication. Use 3DES-168 encryption. Use D-H Group 1 to generate SA keys. This selection is compatible with the Cisco VPN 3000 Client. IKE-DES-MD5 = Use preshared keys and MD5/HMAC-128 for authentication. Use DES-56 encryption.
  • Page 278: Configuration | Policy Management | Traffic Management | Security Associations | Delete

    Action specified in the rule. If at least one rule parameter does not match, it applies the next rule; and so on. If no rule matches, the system takes the Default Action specified in the filter.
  • Page 279 Configuration | User Management , and thus govern tunneled traffic through an interface. Caution: The Cisco-supplied default filters and rules are intended as templates that you should examine and configure to fit your network and security needs. If incorrectly configured, they could present security risks.
  • Page 280: Filter List

    Filter List: The Filter List shows configured filters, listed in the order they are configured. Cisco supplies default filters that you can use and modify; see Table 13-3. Table 13-3: Cisco-supplied default filters. Columns: Parameter | Private (Default) | Public (Default)
  • Page 281: Copy Filter

    Note: On the Modify screen, any changes take effect as soon as you click Apply . If this filter is being used by an interface or group, changes may affect data traffic.
  • Page 282: Filter Name

    The Log actions are intended for use only while debugging filter activity. Since they generate and log an event for every matched packet, they consume significant system resources and may seriously degrade performance.
  • Page 283: Source Routing

    The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
  • Page 284: Configuration | Policy Management | Traffic Management | Assign Rules To Filter

    Figure 13-15: Configuration | Policy Management | Traffic Management | Assign Rules to Filter screen. Filter Name: The name of the filter whose rules you are configuring. You cannot change this name here. (See Configuration | Policy Management | Traffic Management | Filters | Modify
  • Page 285: Current Rules In Filter

    You cannot remove a rule that is configured as part of a LAN-to-LAN connection. See the Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN | Add | Done screen.
  • Page 286: Move Up / Move Down

    You configure Security Associations on the Configuration | Policy Management | Traffic Management | Security Associations screens. Figure 13-16: Configuration | Policy Management | Traffic Management | Assign Rules to Filter | Add SA to Rule screen
  • Page 287: Add Sa To Rule On Filter:

    Policy Management | Traffic Management | Security Associations screens. Note: The change takes effect as soon as you click Apply . If this filter is being used by an interface or group, the change may affect tunnel traffic.
  • Page 288: Change Sa On Rule In Filter:

    To discard the change and keep the current SA on the rule, click Cancel . The Manager returns to the Configuration | Policy Management | Traffic Management | Assign Rules to Filter screen for the filter you are configuring, and the Current Rules in Filter list is unchanged.
  • Page 289: Configuration | Policy Management | Traffic Management | Nat

    See Configuration | Policy Management | Traffic Management | NAT | Rules | Add for descriptions of the rules. You can change NAT rules while NAT is enabled. Doing so will affect subsequent sessions, but not current sessions. Figure 13-18: Configuration | Policy Management | Traffic Management | NAT screen
  • Page 290: Configuration | Policy Management | Traffic Management | Nat | Enable

    • Provide FTP Proxy services for all private network addresses. • Map TCP/UDP ports in packets to and from all private network addresses. • Translate IP addresses for protocols that don’t use ports ( No Port Mapping ).
  • Page 291: Nat Rules

    The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
  • Page 292: Configuration | Policy Management | Traffic Management | Nat | Rules | No Public Interfaces

    Add : Configure and add a new NAT rule. Modify : Modify a previously configured NAT rule. You must configure a public interface on the VPN Concentrator before you can add a NAT rule. See the Configuration | Interfaces screens.
  • Page 293: Private Address

    255.255.255.255 . For example, to translate all private addresses in the 10. subdomain, enter 255.0.0.0 . In the NAT Rules list, the subnet mask is shown as the number of 1s; for example, 255.255.0.0 is shown as /16 .
  • Page 294: Action

    To discard your settings, click Cancel . The Manager returns to the Configuration | Policy Management | Traffic Management | NAT | Rules screen, and the NAT Rules list is unchanged. End of Chapter
  • Page 295: Administration

    Chapter: Administration. Administering the VPN 3000 Concentrator Series involves activities that keep the system operational and secure. Configuring the system sets the parameters that govern its use and functionality as a VPN device, but administration involves higher level activities such as who is allowed to configure the system, and what software runs on it.
  • Page 296 Figure 14-1: Administration screen
  • Page 297: Administration | Sessions

    You can also click a session’s name to see detailed parameters and statistics for that session. See Administration | Sessions | Detail . Figure 14-2: Administration | Sessions screen. Refresh: To refresh the statistics, click Refresh .
  • Page 298: Logout All: Pptp | L2Tp | Ipsec User | L2Tp/Ipsec | Ipsec/Nat | Ipsec/Lan-To-Lan

    The number of PPTP, L2TP, IPSec remote-access user, L2TP over IPSec, and IPSec through NAT sessions that are currently active. Active Management Sessions: The number of administrator management sessions that are currently active.
  • Page 299: Total Active Sessions

    The IP address of the remote peer VPN Concentrator or other secure gateway that initiated this LAN-to-LAN connection. Protocol, Encryption, Login Time, Duration, Actions: See Table 14-1 on page 14-7 for definitions of these parameters.
  • Page 300: Remote Access Sessions Table

    The administrator username or login name for the session. The lock icon indicates the administrator who has the configuration lock; i.e., who has the right to make changes to the active system configuration. See Configuration locked by below.
  • Page 301: Protocol, Encryption, Login Time, Duration, Actions

    (see the Administration | Access Rights | Access Settings screen). For example, an administrator who is just viewing and refreshing statistics on a Monitoring screen for longer than the timeout period loses the lock.
  • Page 302: Administration | Sessions | Detail

    See Table 14-2 on page 14-12 for definitions of the session detail parameters, in alphabetical order. Figure 14-4: Administration | Sessions | Detail screen: IPSec LAN-to-LAN
  • Page 303 Figure 14-5: Administration | Sessions | Detail screen: IPSec remote access user
  • Page 304 Figure 14-6: Administration | Sessions | Detail screen: IPSec through NAT. Figure 14-7: Administration | Sessions | Detail screen: L2TP
  • Page 305 Figure 14-8: Administration | Sessions | Detail screen: L2TP over IPSec. Figure 14-9: Administration | Sessions | Detail screen: PPTP
  • Page 306: Back To Sessions

    The total number of IKE (IPSec Phase 1) sessions; usually 1. These sessions establish the tunnel for IPSec traffic. IP Address: The IP address of the remote peer VPN Concentrator or other secure gateway that initiated the IPSec LAN-to-LAN connection.
  • Page 307 The UDP port number used in an IPSec through NAT connection. Username: The username or login name for the session. If the client is using a digital certificate for authentication, the field shows the Subject CN or Subject OU from the certificate.
  • Page 308: Administration | Software Update

    The new image file must be accessible by the workstation you are using to manage the VPN Concentrator. Software image files ship on the Cisco VPN 3000 Concentrator CD-ROM. Updated or patched versions are available from the Cisco Website, www.cisco.com , under Service & Support >...
  • Page 309: Browse

    Enter the complete pathname of the new image file, or click Browse... to find and select the file from your workstation or network. Cisco-supplied VPN 3000 Concentrator software image files are named: Model 3005 = vpn3005.<Major Version>.<Minor Version>.<Patch Version>.bin ;...
  • Page 310: Software Update Success

    Software Update Error: This window appears if there was an error in uploading or verifying the image file. You may have selected the wrong file. Try the update again, or contact Cisco support. Figure 14-15: Administration | Software Update Error screen...
  • Page 311: Administration | System Reboot

    See Configuration | System | Events | General , Administration | File Management , and Monitor | Event Log for more information on the event log file. Figure 14-16: Administration | System Reboot screen
  • Page 312: When To Reboot/Shutdown

    Apply / Cancel: To take action with the selected options, click Apply . The Manager returns to the main Administration screen if you don’t reboot or shut down now.
  • Page 313: Administration | Ping

    If the system is reachable, the Manager displays a Success screen with the name of the tested host. Figure 14-18: Administration | Ping | Success screen. Continue: To return to the Administration | Ping screen, click Continue .
  • Page 314: Error (Ping)

    Enter the refresh period in seconds. Minimum is 1 , default is 30 , and maximum is 2000000000 seconds (about 63 years). Very short periods may affect system performance. The refresh period timer begins after the Manager fully displays a given screen.
  • Page 315: Administration | Access Rights

    • 1 - admin = System administrator with access to, and rights to change, all areas. This is the only administrator enabled by default; i.e., this is the only administrator who can log in to, and use, the VPN Concentrator Manager as supplied by Cisco. • 2 - config = Configuration administrator with all rights except SNMP access.
  • Page 316: Group Number

    Figure 14-22: Administration | Access Rights | Administrators screen. Group Number: This is a reference number for the administrator. Cisco assigns these numbers so you can refer to administrators by groups of properties. The numbers cannot be changed. Username: The username, or login name, of the administrator.
  • Page 317: Administrator

    This screen lets you modify the username, password, and rights for an administrator. Any changes affect new sessions as soon as you click Apply or Default . Figure 14-23: Administration | Access Rights | Administrators | Modify Properties screen
  • Page 318: Username

    Enter or edit the unique password for this administrator. Maximum is 31 characters. The field displays only asterisks. Note: The default password that Cisco supplies is the same as the username. We strongly recommend that you change this password. Verify: Re-enter the password to verify it.
  • Page 319: General

    Manager returns to the Administration | Access Rights | Administrators screen. To restore the Cisco-supplied access rights for this administrator, and to save your settings in nonvolatile memory, click Default . The settings take effect immediately. This action does not restore the default username or password.
  • Page 320: Administration | Access Rights | Access Control List

    To change the priority order for configured manager workstations, select the entry from the list and click Move ↑ or Move ↓ . The Manager refreshes the screen and shows the reordered Manager Workstations list.
  • Page 321: Administration | Access Rights | Access Control List | Add Or Modify

    To change the priority, use the Move buttons on the Administration | Access Rights | Access Control List screen. IP Address: Enter the IP address of the workstation in dotted decimal notation; e.g., 10.10.1.35 .
  • Page 322: Access Group

    Enter the idle timeout period in seconds for administrative sessions. If there is no activity for this period, the VPN Concentrator Manager session terminates. Minimum is 1 , default is 600 , and maximum is 1800 seconds (30 minutes).
  • Page 323: Session Limit

    • Swap Configuration Files : swap backup and boot configuration files. • TFTP Transfer : use TFTP to transfer files to and from the VPN Concentrator. Figure 14-27: Administration | File Management screen
  • Page 324: Administration | File Management | Files

    The size of the file in bytes. Date/Time: The date and time the file was created. The format is MM/DD/YY HH:MM:SS , with time in 24-hour notation. For example, 05/07/99 15:20:24 is May 7, 1999 at 3:20:24 PM.
  • Page 325: Actions

    Filenames must adhere to the 8.3 naming convention. If you confirm, the Manager refreshes the screen and shows the revised list of files.
  • Page 326: Administration | File Management | Swap Configuration Files

    Rights | Administrators | Modify Properties . You can list, view, and manage VPN Concentrator files on the Administration | File Management | Files screen. Figure 14-30: Administration | File Management | TFTP Transfer screen
  • Page 327: Concentrator File

    The Manager then displays either a Success or Error screen; see below. To cancel your settings on this screen, click Cancel . The Manager returns to the main Administration screen. 14-33 VPN 3000 Concentrator Series User Guide...
  • Page 328: Success (Tftp)

    “A” trusts “B,” and “B” trusts “C,” therefore “A” trusts “C.” CAs issue root certificates (also known as trusted or signing certificates). They may also issue subordinate trusted certificates. Finally, CAs issue identity certificates, which are the certificates for 14-34 VPN 3000 Concentrator Series User Guide...
  • Page 329

    VPN Concentrator is correct and synchronized with network time. See Configuration | System | Servers | NTP and Configuration | System | General | Time and Date. Figure 14-33: Administration | Certificate Management screen
  • Page 330: Installing Digital Certificates On The Vpn Concentrator

    (format, content, and syntax). You must at least enter the Common Name (CN). All entries may appear in your identity certificate. When you click Apply, the system generates a certificate request; see the Administration | Certificate Management | Enrollment | Request Generated screen.
  • Page 331: Common Name (Cn)

    Enter the name for the department or other organizational unit to which this VPN Concentrator belongs; e.g., CPU Design. Spaces are allowed. Organization (O) Enter the name for the company or organization to which this VPN Concentrator belongs; e.g., Altiga Networks. Spaces are allowed.
  • Page 332: Locality (L)

    Enter the fully qualified domain name for this VPN Concentrator that identifies it in this PKI; e.g., vpn3030.altiga.com. This field is optional. The alternative name is an additional data field in the certificate, and it provides interoperability with many Cisco IOS and PIX systems in LAN-to-LAN connections. Key Size Click the drop-down menu button and select the algorithm for generating the public-key / private-key pair, and the key size.
  • Page 333: Administration | Certificate Management | Enrollment | Request Generated

    Some CAs let you paste the request on a Web interface, some ask you to send a file; use the method your CA requires. Figure 14-36: Browser window with PKCS-10 certificate request Close this browser window when you are finished.
  • Page 334: Enrolling With A Certificate Authority

    You can also install an SSL server identity certificate issued in a PKI context (not a self-signed SSL certificate). If you install such a certificate, it replaces any self-signed SSL certificate. The VPN Concentrator can have only one SSL certificate, regardless of type.
  • Page 335: Certificate Type

    Complete this field only if you select an import with Private Key certificate type. Enter the password for the private key. Verify Complete this field only if you select an import with Private Key certificate type. Re-enter the private key password to verify it.
  • Page 336: Local File / Browse

    Figure 14-38: Administration | Certificate Management | Certificates screen Certificate Authorities This table shows installed root and subordinate (trusted) certificates issued by Certificate Authorities (CAs). Identity Certificates This table shows installed server identity certificates.
  • Page 337: Ssl Certificate / [ Generate ]

    Administration | Certificate Management | Certificates | CRL screen; see below. To delete this certificate from the VPN Concentrator, click Delete. The Manager opens the Administration | Certificate Management | Certificates | Delete screen; see below.
  • Page 338: Administration | Certificate Management | Certificates | View

    X.520 terminology, and they echo the fields on the Administration | Certificate Management | Enrollment screen. Common Name: the name of a person, system, or other entity. This is the lowest (most specific) level in the identification hierarchy.
  • Page 339: Serial Number

    The algorithm and size of the public key that the CA or other issuer used in generating this certificate. Certificate Usage The purpose of the key contained in the certificate; e.g., digital signature, certificate signing, nonrepudiation, key or data encipherment, etc.
  • Page 340: Md5 Thumbprint

    The fully qualified domain name for this VPN Concentrator that identifies it in this PKI. The alternative name is an optional additional data field in the certificate, and it provides interoperability with many Cisco IOS and PIX systems in LAN-to-LAN connections. CRL Distribution Point The distribution point for CRLs (Certificate Revocation Lists) from this CA.
  • Page 341: Certificate

    Otherwise, ignore them. Contact the security administrator at the CA to get the proper entries for these fields. Server Enter the IP address or hostname of the CRL distribution point server (LDAP server). Maximum 32 characters.
  • Page 342: Update Period

    To configure CRL checking for this certificate, click Apply. The Manager returns to the Administration | Certificate Management | Certificates screen. To discard your settings, click Cancel. The Manager returns to the Administration | Certificate Management | Certificates screen.
  • Page 343: Administration | Certificate Management | Certificates | Delete

    To retain this certificate, click No. The Manager returns to the Administration | Certificate Management | Certificates screen, and the certificates are unchanged.
  • Page 345: Monitor

    CHAPTER: Monitoring. The VPN 3000 Concentrator tracks many statistics and the status of many items essential to system administration and management. This section of the Manager lets you view all those status items and statistics.
  • Page 346: Monitor | Routing Table

    To configure routing, see the Configuration | System | IP Routing and Configuration | Interfaces screens. Figure 15-2: Monitor | Routing Table screen Refresh To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated.
  • Page 347: Valid Routes

    OSPF = learned via Open Shortest Path First protocol. Static = configured static route. Local = local VPN Concentrator interface address. ICMP = learned from an ICMP (Internet Control Message Protocol) redirect message. Default = the default gateway.
  • Page 348: Metric

    To Get, Save, or Clear the event log file, you must have Access Rights to Read/Write Files. See the Administration | Administrators | Modify Properties screen. Figure 15-3: Monitor | Event Log screen
  • Page 349: Select Filter Options

    = Display events in actual chronological order, with oldest events at the top of the screen. This is the default selection. Newest to Oldest = Display events in reverse chronological order, with newest events at the top of the screen.
  • Page 350: First Page

    If the filename you enter is the same as an existing file, the browser overwrites the existing file without asking for confirmation. To list and manage files on the VPN Concentrator, see the Administration | File Management screen.
  • Page 351: Clear Log

    Event severity The severity level of the event; for example: SEV=4 identifies an event of severity level 4. See Table 10-2 under Configuration | System | Events for an explanation of severity levels.
  • Page 352: Event Class / Number

    For example: HTTP/47 identifies that an administrator logged in to the VPN Concentrator using HTTP to connect to the Manager. Table 10-1 under Configuration | System | Events describes the event classes. The internal reference number assists Cisco support personnel if they need to examine a log file.
  • Page 353: Monitor | System Status

    This screen shows the status of several software and hardware variables at the time the screen displays. From this screen you can also display the status and statistics for SEP modules, system power supplies, and network interfaces. Figure 15-4: Monitor | System Status screen (Model 3005 and Model 3015–3080)
  • Page 354: Vpn Concentrator Type

    The bootcode is installed at the factory, and there is no need to upgrade it. If an engineering change requires a bootcode upgrade, only Cisco support personnel can do so. Software Rev The version name, number, and date of the VPN Concentrator system software image file.
  • Page 355: Cpu, Cage

    This usage graph shows current throughput (measured in LAN packets) as a percentage of the maximum possible system throughput. For example, if two interfaces are set for 100 Mbps, the maximum possible throughput is 200 Mbps and each segment represents 20 Mbps.
  • Page 356: Monitor | System Status | Ethernet Interface

    = External interface. IP Address The IP address configured on this interface. Status The operational status of this interface: = configured and enabled, ready to pass data traffic. DOWN = configured but disabled.
  • Page 357: Rx Unicast

    The number of broadcast packets that were routed to this interface for transmission since the VPN Concentrator was last booted or reset, including those that were discarded or not sent. Broadcast packets are those addressed to all hosts on a network.
  • Page 358: Monitor | System Status | Dual T1/E1 Wan Slot N

    This table shows statistics for the physical T1/E1 interface ports, with a column of statistics for each configured port. RFC 1406 defines most T1/E1 errors. Slot The physical slot in the VPN Concentrator (1 through 4) that houses the WAN module.
  • Page 359: Status

    The number of seconds during which one to 319 path coding violations, but no severely errored frame defects or AIS defects, were detected on this port. This number excludes controlled slips and unavailable seconds.
  • Page 360: Severely Errored Framing Seconds

    (synchronization) of the receiving port and the received signal. Synchronous Statistics This table shows statistics for the synchronous traffic (frames) through the WAN interface ports, with a column of statistics for each configured port.
  • Page 361: Slot

    The number of bytes (octets) received on this interface port. Packets Transmitted The number of packets (frames) transmitted on this interface port. Bytes Transmitted The number of bytes (octets) transmitted on this interface port.
  • Page 362: Received Frame Too Long

    The number of transmission underruns on this interface port. These errors occur when the memory system can’t keep up with the outgoing data stream. This number should be zero; if not, check the event log for system malfunction or contact technical support.
  • Page 363: Monitor | System Status | Power

    Voltage and status for the voltage sensor on the CPU chip. The screen shows either 1.9 or 2.5 volts, depending on the CPU chip in the system. Power Supply A, B Voltages and status for the 3.3- and 5-volt outputs from the power supplies.
  • Page 364: Board

    If a SEP module fails, the system generates an event of severity level 2. It continues to generate an event every 10 minutes until the failed module is removed or replaced and the VPN Concentrator is rebooted. The front- and back-panel Status LEDs also indicate the failed module, as does this screen.
  • Page 365: Back

    CryptSet = first-release hardware using a set of integrated circuits. CryptIC = second-release hardware using a single integrated circuit. Unknown = hardware could not be determined. This is an error condition; please contact Cisco Customer Support.
  • Page 366: Dsp Code Version

    Found = module is installed but is not yet operational. If this condition persists after the VPN Concentrator finishes initializing, it is an error. Please contact Cisco Customer Support. Not Found = module could not be found. This is an error condition; please contact Cisco Customer Support.
  • Page 367: Hash Decrypted: Packets

    The number of times this SEP has derived the Diffie-Hellman secret key. In public-key cryptography, the VPN Concentrator receives a remote public key, and the SEP uses the local private key to generate the secret key.
  • Page 368: Rsa Digital Signings

    The number of times this SEP has verified a DSA digital signature. When the VPN Concentrator receives a signed digital certificate for authentication, it must verify the digital signature by computing a hash of the certificate and comparing it with the received-certificate hash.
  • Page 369: Monitor | System Status | Led Status

    To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated. [LED selector button] To toggle the usage graph LEDs, click the front-panel button on this screen. Clicking the button here also changes the selection on the VPN Concentrator itself.
  • Page 370: Monitor | Sessions

    A session is a VPN tunnel established with a specific peer. In most cases, one user connection = one tunnel = one session. However, one IPSec LAN-to-LAN tunnel counts as one session, but it allows many host-to-host connections through the tunnel.
  • Page 371: Active Lan-To-Lan Sessions

    Click these active links to go to the other session tables on this Manager screen. Connection Name The name of the IPSec LAN-to-LAN connection. To display detailed parameters and statistics for this connection, click this name. See the Monitor | Sessions | Detail screen.
  • Page 372: Protocol, Encryption, Login Time, Duration, Bytes Tx, Bytes Rx

    “virtual” IP address, and it lets the client appear to be a host on the private network. Protocol, Encryption, Login Time, Duration, Bytes Tx, Bytes Rx See Table 15-1 on page 15-29 for definitions of these parameters.
  • Page 373: Management Sessions Table

    The total number of bytes transmitted to the remote peer or client by the VPN Concentrator. Bytes Rx The total number of bytes received from the remote peer or client by the VPN Concentrator.
  • Page 374: Monitor | Sessions | Detail

    See Table 15-2 on page 15-34 for definitions of the session detail parameters, in alphabetical order. Figure 15-11: Monitor | Sessions | Detail screen: IPSec LAN-to-LAN
  • Page 375

    Figure 15-12: Monitor | Sessions | Detail screen: IPSec remote access user
  • Page 376

    Figure 15-13: Monitor | Sessions | Detail screen: IPSec through NAT; Figure 15-14: Monitor | Sessions | Detail screen: L2TP
  • Page 377

    Figure 15-15: Monitor | Sessions | Detail screen: L2TP over IPSec; Figure 15-16: Monitor | Sessions | Detail screen: PPTP
  • Page 378: Monitor | Sessions | Detail Parameters

    The total number of IKE (IPSec Phase 1) sessions; usually 1. These sessions establish the tunnel for IPSec traffic. IP Address The IP address of the remote peer VPN Concentrator or other secure gateway that initiated the IPSec LAN-to-LAN connection.
  • Page 379

    The UDP port number used in an IPSec through NAT connection. Username The username or login name for the session. If the client is using a digital certificate for authentication, the field shows the Subject CN or Subject OU from the certificate.
  • Page 380: Monitor | Sessions | Protocols

    The total number of sessions since the VPN Concentrator was last booted or reset. Protocol The protocol that the session is using. Other = protocol other than those listed here. PPTP = Point-to-Point Tunneling Protocol.
  • Page 381: Sessions

    = Simple Network Management Protocol. TFTP = Trivial File Transfer Protocol. Console = directly connected console; no protocol. Debug/Telnet = debugging via Telnet (Cisco use only). Debug/Console = debugging via console (Cisco use only). L2TP/IPSec = L2TP over IPSec. IPSec/LAN-to-LAN = IPSec LAN-to-LAN connection.
  • Page 382: Monitor | Sessions | Seps

    1, 2, 3, 4 = SEP module 1, 2, 3, and 4 respectively. Sessions The number of active sessions using this SEP module. The sum of this column equals the total number of Active Sessions above.
  • Page 383: Bar Graph

    To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated. Active Sessions The number of currently active sessions. Total Sessions The total number of sessions since the VPN Concentrator was last booted or reset.
  • Page 384: Encryption

    Each segment of the bar in the column heading represents 25%. Percentage The percentage of sessions using this encryption algorithm relative to the total active sessions, as a number. The sum of this column equals 100% (rounded).
  • Page 385: Monitor | Sessions | Top Ten Lists

    Figure 15-21: Monitor | Sessions | Top Ten Lists | Data screen Refresh To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated. Username The login username for the session.
  • Page 386: Protocol

    Concentrator. Protocol The protocol that the session is using. Console = directly connected console; no protocol. Debug/Console = debugging via console (Cisco use only). Debug/Telnet = debugging via Telnet (Cisco use only). = File Transfer Protocol. = Hypertext Transfer Protocol (Web browser).
  • Page 387: Login Time

    The IP address of the session user. This is the address assigned to or supplied by a remote user, or the host address of a networked user. Local identifies the console directly connected to the VPN Concentrator.
  • Page 388: Protocol

    Protocol The protocol that the session is using. Console = directly connected console; no protocol. Debug/Console = debugging via console (Cisco use only). Debug/Telnet = debugging via Telnet (Cisco use only). = File Transfer Protocol. = Hypertext Transfer Protocol (Web browser).
  • Page 389: Duration

    Local identifies the console directly connected to the VPN Concentrator. Protocol The protocol that the session is using. Console = directly connected console; no protocol. Debug/Console = debugging via console (Cisco use only). Debug/Telnet = debugging via Telnet (Cisco use only).
  • Page 390: Avg. Throughput (Bytes/Sec)

    Avg. Throughput (bytes/sec) The average throughput of the session, which is [total bytes transmitted and received] divided by total connect time. N/A = the session is not passing data; e.g., it is an administrator session.
  • Page 391: Monitor | Statistics

    • DHCP: leased addresses, duration, server addresses, etc. • Address Pools: configured pools, allocated and available addresses. • MIB-II Stats: interfaces, TCP/UDP, IP, RIP, OSPF, ICMP, ARP table, Ethernet, and SNMP. Figure 15-24: Monitor | Statistics screen
  • Page 392: Monitor | Statistics | Pptp

    The number of PPTP tunnels that are currently active. Maximum Tunnels The maximum number of PPTP tunnels that have been simultaneously active on the VPN Concentrator since it was last booted or reset.
  • Page 393: Total Sessions

    The number of PPTP control / data packets transmitted by the VPN Concentrator since it was last booted or reset. PPTP Sessions This table shows statistics for active PPTP sessions on the VPN Concentrator. Each active session is a row.
  • Page 394: Receive Octets

    The total number of acknowledgement timeouts seen on PPTP data packets for this session. When the system times out waiting for a data packet on which to piggyback an acknowledgement, it sends a ZLB instead. Therefore, this number should equal the Transmit ZLB number above.
  • Page 395: Flow

    on rules in filters that govern data traffic, see Configuration | Policy Management | Traffic Management. Figure 15-26: Monitor | Statistics | L2TP screen Refresh To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated.
  • Page 396: Total Tunnels

    Concentrator was last booted or reset. Rx Octets Control / Data The number of L2TP control / data channel octets (bytes) received by the VPN Concentrator since it was last booted or reset.
  • Page 397: Rx Packets Control / Data

    The serial number of the session within an L2TP tunnel. If there are multiple sessions using a tunnel, each session has a unique serial number. Receive Octets The total number of L2TP data octets (bytes) received by this session.
  • Page 398: Receive Packets

    The total number of L2TP Zero Length Body acknowledgement packets transmitted by this session. ZLB packets are sent as acknowledgement packets when there is no data packet on which to piggyback an acknowledgement.
  • Page 399: Monitor | Statistics | Ipsec

    Configuration | Policy Management | Traffic Management Figure 15-27: Monitor | Statistics | IPSec screen Refresh To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated.
  • Page 400: Ike (Phase 1) Statistics

    The cumulative total of packets that were dropped during send processing by all currently and previously active IKE tunnels. This number should be zero; if not, check for a network problem, check the event log for an internal subsystem failure, or contact Cisco support.
  • Page 401: Received Notifies

    IKE tunnels. See comment above. Phase-2 SA Delete Requests Received The cumulative total of requests to delete IPSec Phase-2 Security Associations received by all currently and previously active IKE tunnels.
  • Page 402: Phase-2 Sa Delete Requests Sent

    The cumulative total of nonexistent-Security Association failures that occurred during processing of all currently and previously active IKE tunnels. These failures occur when the system receives a packet for which it has no Security Association, and may indicate synchronization problems.
  • Page 403: Ipsec (Phase 2) Statistics

    IPSec Phase-2 tunnels. If the sequence number of a packet is a duplicate or out of bounds, there may be a faulty network or a security breach, and the system drops the packet.
  • Page 404: Sent Packets Dropped

    The cumulative total of packets dropped during send processing by all currently and previously active IPSec Phase-2 tunnels. This number should be zero; if not, check for a network problem, check the event log for an internal subsystem failure, or contact Cisco support. Inbound Authentications The cumulative total number of inbound individual packet authentications performed by all currently and previously active IPSec Phase-2 tunnels.
  • Page 405: System Capability Failures

    The total number of HTTP octets (bytes) sent since the VPN Concentrator was last booted or reset. Octets Received The total number of HTTP octets (bytes) received since the VPN Concentrator was last booted or reset.
  • Page 406: Packets Sent

    This screen shows statistics for all events on the VPN Concentrator since it was last booted or reset. To configure event handling, see the Configuration | System | Events screens. Figure 15-29: Monitor | Statistics | Events screen
  • Page 407: Event Number

    VPN Concentrator. Table 10-1 under Configuration | System | Events describes the event classes. Event Number Event number is a Cisco-assigned reference number that denotes a specific event within the event class. For example, CONFIG event number 2 is “Reading configuration file.” This reference number assists Cisco support personnel if they need to examine event statistics.
  • Page 408: Active Sessions

    The number of Telnet octets (bytes) received and dropped during input processing by this session. Outbound Octets Total The total number of Telnet octets (bytes) transmitted by this session. Outbound Octets Dropped The number of outbound Telnet octets dropped during output processing by this session.
  • Page 409: Monitor | Statistics | Dns

    The number of DNS queries that failed because the address of the server is not reachable according to the VPN Concentrator’s routing table. Other Failures The number of DNS queries that failed for an unspecified reason.
  • Page 410: Monitor | Statistics | Authentication

    The total number of authentication request packets sent to this server. This number does not include retransmissions. Retransmissions The number of authentication request packets retransmitted to this server. Accepts The number of authentication acceptance packets received from this server.
  • Page 411: Rejects

    Sending to a different server is counted as a request as well as a timeout. Unknown Type The number of authentication packets of unknown type received from this server.
  • Page 412: Monitor | Statistics | Accounting

    The number of accounting response packets received from this RADIUS accounting server. Malformed Responses The number of malformed accounting response packets received from this RADIUS accounting server. Malformed packets include packets with an invalid length. Bad authenticators are not included in this number.
  • Page 413: Bad Authenticators

    Configuration | User Management screens. Figure 15-34: Monitor | Statistics | Filtering screen Refresh To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated.
  • Page 414: Inbound Packets Pre-Filter

    The number of outbound packets that have been filtered and dropped on this interface. Outbound Packets Post Filter The number of outbound packets that have been filtered and forwarded on this interface. This number equals Outbound Packets Pre-Filter minus Outbound Packets Filtered.
  • Page 415: Monitor | Statistics | Vrrp

    The total number of VRRP packets received with an invalid VRRP checksum value. Version Errors The total number of VRRP packets received with an unknown or unsupported version number. The VPN Concentrator supports VRRP version 2 as defined in RFC 2338.
  • Page 416: Vrid Errors

    The total number of VRRP advertisement packets received by this interface, in which the advertisement interval differs from the interval configured on this VPN Concentrator. Authentication Failures The total number of VRRP packets received by this interface that do not pass the authentication check.
  • Page 417: Time-To-Live Errors

    The total number of packets received by this interface with an authentication type that differs from the configured authentication type. Packet Length Errors The total number of packets received by this interface with a packet length less than the length of the VRRP header.
  • Page 418: Monitor | Statistics | Ssl

    The number of unencrypted outbound octets (bytes) sent to the encryption engine. Encrypted Outbound Octets The number of octets (bytes) of outbound traffic output by the encryption engine. This number includes negotiation traffic. Total Sessions The total number of SSL sessions.
  • Page 419: Max Active Sessions

    Lease Duration The duration of the current IP address lease, shown as HH:MM:SS. Time Used The total length of time that this session has had an active IP address lease, shown as HH:MM:SS.
  • Page 420: Time Left

    The total number of IP addresses in this configured pool. Available Addresses The number of IP addresses available (unassigned) in this pool. Allocated Addresses The number of IP addresses currently assigned from this pool.
  • Page 421: Max Allocated Addresses

    • SNMP: Simple Network Management Protocol requests, bad community strings, parsing errors, etc. To configure and enable the VPN Concentrator’s SNMP server, see the Configuration | System | Management Protocols | SNMP screen. Figure 15-39: Monitor | Statistics | MIB-II screen
  • Page 422: Monitor | Statistics | Mib-Ii | Interfaces

    Dormant = configured and enabled but waiting for an external action, such as an incoming connection. Not Present = missing hardware components. Lower Layer Down = not operational because a lower-layer interface is down. Unknown = not configured.
  • Page 423: Unicast In

    Broadcast Out The number of broadcast packets that were routed to this interface for transmission, including those that were discarded or not sent. Broadcast packets are those addressed to all hosts on a network.
  • Page 424: Monitor | Statistics | Mib-Ii | Tcp/Udp

    Segment is the official TCP name for what is casually called a data packet. TCP Timeout Min The minimum value permitted for TCP retransmission timeout, measured in milliseconds.
  • Page 425: Tcp Timeout Max

    The total number of UDP datagrams received. Datagram is the official UDP name for what is casually called a data packet. UDP Datagrams Transmitted The total number of UDP datagrams sent. Datagram is the official UDP name for what is casually called a data packet.
  • Page 426: Udp Errored Datagrams

    To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated. Packets Received (Total) The total number of IP data packets received by the VPN Concentrator, including those received with errors.
  • Page 427: Packets Received (Delivered)

    The number of outbound IP data packets discarded because no route could be found to transmit them to their destination. This number includes any packets that the VPN Concentrator could not route because all of its default routers are down.
  • Page 428: Packets Transmitted (Requests)

    The number of IP data packets that have been discarded because they needed to be fragmented but could not be (e.g., because the Don’t Fragment flag was set). Fragments Created The number of IP data packet fragments that have been generated by the VPN Concentrator.
  • Page 429: Monitor | Statistics | Mib-Ii | Rip

    The IP address configured on the interface. Received Bad Packets The number of RIP response packets received by this interface that were subsequently discarded for any reason (e.g., wrong version, unknown command type).
  • Page 430: Received Bad Routes

    The number of routes in valid RIP packets received by this interface that were ignored for any reason (e.g., unknown address family, invalid metric). Sent Updates The number of triggered RIP updates actually sent by this interface. This number does not include full updates sent containing new information.
  • Page 431: Monitor | Statistics | Mib-Ii | Ospf

    Configuration | System | IP Routing . Figure 15-44: Monitor | Statistics | MIB-II | OSPF screen Refresh To update the screen and its data, click Refresh . The date and time indicate when the screen was last updated. 15-87 VPN 3000 Concentrator Series User Guide...
  • Page 432: Version

    This table shows a row of statistics for each enabled VPN Concentrator interface. When OSPF routing is enabled on an interface, that interface communicates with other OSPF routers in its area, and each area elects one OSPF router to be the Designated Router. 15-88 VPN 3000 Concentrator Series User Guide...
  • Page 433: Interface Address

    While the format is that of an IP address, it functions only as an identifier. By convention, however, it is the same as the IP address of the interface that is connected to the OSPF router network. 15-89 VPN 3000 Concentrator Series User Guide...
  • Page 434: State

    AS Border Routers The total number of Autonomous System border routers reachable within this area. Area Border Routers The total number of area border routers reachable within this area. 15-90 VPN 3000 Concentrator Series User Guide...
  • Page 435: Area Lsa Count

    The sequence number of this LSA. Sequence numbers are linear. They are used to detect old and duplicate LSAs. The larger the number, the more recent the LSA. The age of the LSA in seconds. 15-91 VPN 3000 Concentrator Series User Guide...
  • Page 436: Monitor | Statistics | Mib-Ii | Icmp

    The number of ICMP Destination Unreachable messages received / sent. Destination Unreachable messages apply to many network situations, including inability to determine a route, an unusable source route specified, and the Don’t Fragment flag set for a packet that must be fragmented. 15-92 VPN 3000 Concentrator Series User Guide...
  • Page 437: Time Exceeded Received / Transmitted

    Timestamp Reply message. Timestamp Replies Received / Transmitted The number of ICMP Timestamp Reply messages received / sent. Timestamp Reply messages are sent in response to Timestamp messages, to measure propagation delay in the network. 15-93 VPN 3000 Concentrator Series User Guide...
  • Page 438: Address Mask Requests Received / Transmitted

    Figure 15-46: Monitor | Statistics | MIB-II | ARP Table screen Refresh To update the screen and its data, click Refresh . The date and time indicate when the screen was last updated. 15-94 VPN 3000 Concentrator Series User Guide...
  • Page 439: Physical Address

    The Manager deletes the entry and refreshes the screen. To delete an entry, you must have the administrator privilege to Modify Config under General Access Rights . See Administration | Access Rights | Administrators . You cannot delete static mappings. 15-95 VPN 3000 Concentrator Series User Guide...
  • Page 440: Monitor | Statistics | Mib-Ii | Ethernet

    The number of frames received on this interface that are an integral number of bytes long but do not pass the FCS (Frame Check Sequence) check. Carrier Sense Errors The number of times that the carrier sense signal was lost or missing when trying to transmit a frame on this interface. 15-96 VPN 3000 Concentrator Series User Guide...
  • Page 441: Sqe Test Errors

    The number of frames for which reception on this interface failed due to an internal MAC sublayer receive error. This number does not include Alignment Errors , FCS Errors , or Frame Too Long Errors . 15-97 VPN 3000 Concentrator Series User Guide...
  • Page 442: Speed (Mbps)

    The total number of SNMP messages received by the VPN Concentrator. Bad Version The total number of SNMP messages received that were for an unsupported SNMP version. The VPN Concentrator supports SNMP version 2. 15-98 VPN 3000 Concentrator Series User Guide...
  • Page 443: Bad Community String

    The total number of SNMP request messages that were silently dropped because the transmission of the reply message to a proxy target failed for some reason (other than a timeout). End of Chapter 15-99 VPN 3000 Concentrator Series User Guide...
  • Page 445: Accessing the CLI

    Console access To access the CLI via console: 1 Connect a PC to the VPN Concentrator via a straight-through RS-232 serial cable (which Cisco supplies with the system) between the Console port on the VPN Concentrator and the COM1 or serial port on the PC.
  • Page 446: Telnet or Telnet/SSL Access

    VPN 3000 Concentrator Series Command Line Interface Copyright (C) 1998-2000 Cisco Systems, Inc. 1) Configuration 2) Administration 3) Monitoring 4) Save changes to Config file 5) Help Information 6) Exit Main -> _
  • Page 447: Using the CLI

    Continuing the example above, this is the prompt to enter a value for the system name: > Host Name General -> [ Lab VPN ] _ You can enter a new name at the prompt, or just press Enter to keep the current name.
  • Page 448: Specifying Configured Items

    Authentication -> _ To delete the RADIUS server, enter 3 at the prompt. The CLI displays: > Delete Server (number) Authentication -> _ At the prompt, you must enter 2 for the RADIUS server.
  • Page 449: Navigating Quickly Through the CLI

    1) General Parameters 2) Server Parameters 3) IPSec Parameters 4) PPTP/L2TP Parameters 5) Back (General Parameters) Base Group -> 1 1) Access Parameters 2) Tunneling Protocols 3) SEP Config 4) Back Base Group -> _
  • Page 450: Using Back and Home

    To display a brief help message, enter 5 at the main menu prompt. The CLI explains how to navigate through menus and enter values. This help message is available only at the main menu. Cisco Systems. Help information for the Command Line Interface From any menu except the Main menu.
  • Page 451: Saving the Configuration File

    Main -> _ The default User administrator can only monitor the VPN Concentrator, not configure system parameters or administer the system. See Administration | Access Rights | Administrators in Chapter 14, Administration, for more information.
  • Page 452: CLI Menu Reference

    4) Save changes to Config file 5) Help Information 6) Exit Main -> _ 1 Configuration 1) Interface Configuration 2) System Management 3) User Management 4) Policy Management 5) Back Config -> _
  • Page 453: Configuration > Interface Configuration

    Voltages will be adjusted to conform to the hardware. 1) Configure CPU voltage thresholds 2) Configure Power Supply 1 voltage thresholds 3) Configure Power Supply 2 voltage thresholds 4) Configure Board voltage thresholds 5) Back Interfaces -> _
  • Page 454: Configuration > Interface Configuration > Configure Power Supplies

    3) Tunneling Protocols (PPTP, L2TP, etc.) 4) IP Routing (static routes, OSPF, etc.) 5) Management Protocols (Telnet, TFTP, FTP, etc.) 6) Event Configuration 7) General Config (system name, time, etc.) 8) Back System -> _
  • Page 455: Configuration > System Management > Servers

    The CLI does not include IPSec LAN-to-LAN configuration. 1.2.4 Configuration > System Management > IP Routing 1) Static Routes 2) Default Gateways 3) OSPF 4) OSPF Areas 5) DHCP 6) Redundancy 7) Back Routing -> _
  • Page 456: Configuration > System Management > Management Protocols

    1.2.7 Configuration > System Management > General Config 1) System Identification 2) System Time and Date 3) Back General -> _ 1.3 Configuration > User Management 1) Base Group 2) Groups 3) Users 4) Back User Management -> _
  • Page 457: Configuration > User Management > Base Group

    1) Add a User 2) Modify a User 3) Delete a User 4) Back Users -> _ 1.4 Configuration > Policy Management 1) Access Hours 2) Traffic Management 3) Back Policy -> _
  • Page 458: Configuration > Policy Management > Access Hours

    6) File Management 7) Certificate Management 8) Back Admin -> _ 2.1 Administration > Administer Sessions Active Sessions 1) Refresh Session Status 2) Logoff Session 3) Session Details 4) Back Admin -> _
  • Page 459: Administration > System Reboot

    2.5 Administration > Access Rights 1) Administrators 2) Access Control List 3) Access Settings 4) Back Admin -> _ 2.5.1 Administration > Access Rights > Administrators Administrative Users 1) Modify Administrator 2) Back Admin -> _
  • Page 460: Administration > Access Rights > Access Control List

    6) Swap Configuration File 7) Upload Configuration File 8) Back File -> _ 2.6.6 Administration > File Management > Swap Configuration File Every time the active configuration is saved,... 1) Swap 2) Back Admin -> _
  • Page 461: Administration > Certificate Management

    1) View Certificate 2) Delete Certificate 3) CRL Configuration 4) Back Certificates -> _ 2.7.4 Administration > Certificate Management > Identity Certificates Identity Certificates 1) View Certificate 2) Delete Certificate 3) Back Certificates -> _
  • Page 462: Administration > Certificate Management > SSL Certificate

    4) Sessions 5) General Statistics 6) Back Monitor -> _ 3.1 Monitoring > Routing Table Routing Table ’q’ to Quit, ’<SPACE>’ to Continue -> 1) Refresh Routing Table 2) Back Routing -> _
  • Page 463: Monitoring > Event Log

    2) Card in Slot 2 3) Card in Slot 3 4) Card in Slot 4 5) Back Card Status -> _ Model 3005 only 1) Card in Slot 1 2) Back Card Status -> _
  • Page 464: Monitoring > Sessions

    2) Top 10 Users based on Duration 3) Top 10 Users based on Throughput 4) Back Sessions -> _ 3.4.3 Monitoring > Sessions > View Session Protocols Session Protocols 1) Refresh Session Protocols 2) Back Sessions -> _
  • Page 465: Monitoring > Sessions > View Session SEPs

    3.5.1 Monitoring > General Statistics > Protocol Statistics 1) PPTP Statistics 2) L2TP Statistics 3) IPSec Statistics 4) HTTP Statistics 5) Telnet Statistics 6) DNS Statistics 7) VRRP Statistics 8) SSL Statistics 9) Back General -> _
  • Page 466: Monitoring > General Statistics > Server Statistics

    ’q’ to Quit, ’<SPACE>’ to Continue -> 1) Refresh Event Statistics 2) Back General -> _ 3.5.4 Monitoring > General Statistics > MIB II Statistics 1) Interface-based 2) System-level 3) Back MIB2 -> _ End of Chapter
  • Page 467: Files for Troubleshooting

    This file contains the crash date and time, software version, tasks, stack, registers, memory, buffers, timers, etc., which are helpful to Cisco support engineers. In case of a crash, we ask that you send this file when you contact Cisco for assistance. See Administration | File Management | Files for information on managing files in flash memory.
  • Page 468: Configuration Files

    Manager screens. the wrong screen or incorrect data. The browser’s toolbar deletes pointers and values within the Manager. We recommend that you hide the browser’s navigation toolbar to prevent mistakes.
  • Page 469: Invalid Login or Session Timeout

    Apply. reset the timer. • Default timeout interval is 600 seconds (10 minutes). • Timeout interval set too low for normal use.
  • Page 470: Error / An Error Has Occurred While Attempting to Perform

    Carefully check all your previous entries on that screen. The Manager attempts to retain valid entries, but invalid entries are lost. Click Go to main menu to go to the main Manager screen.
  • Page 471: You Are Using an Old Browser or Have Disabled JavaScript

    Be sure JavaScript is enabled in the browser. See Required browser in Chapter 2 of VPN 3000 Concentrator Series Getting Started, or Browser requirements in Chapter 1 of VPN 3000 Concentrator Series User Guide. • You are using the Manager with an obsolete browser. • You are using a browser that does
  • Page 472: Not Allowed / You Do Not Have Sufficient Authorization

    privileges. Administration | Access Rights | Administrators screen. Have the system administrator change the privileges of your workstation on the Administration | Access Rights | Access Control List screen.
  • Page 473: Not Found / An Error Has Occurred While Attempting to Access

    Needed, Help, Software Update, etc.), Internet Explorer cannot open the window and displays the error dialog box. 2 Log out of the Manager. 3 Close Internet Explorer. 4 Reinstall Internet Explorer.
  • Page 474: Command Line Interface Errors

    do not match. • You entered either a password or verify entry, but not the other. If the original password is incorrect, press Enter and re-enter both the password and the verification at the prompts.
  • Page 475: LED Indicators

    LEDs are normally blue. LEDs that are amber or off may indicate an error condition. NA = not applicable; i.e., the LED does not have that state. Contact Cisco support if any LED indicates an error condition.
  • Page 476: VPN Concentrator LEDs (Front)

    Error. CPU Utilization: This statistic selected for usage gauge display. Not selected. Active Sessions: This statistic selected for usage gauge display. Not selected. Throughput: This statistic selected for usage gauge display. Not selected.
  • Page 477: VPN Concentrator LEDs (Rear)

    Power is not reaching the module. It may not be seated correctly. Error. Status: Encryption code is running. Normal. Module failed during operation. Error. Module failed diagnostics or encryption code is not running. Error.
  • Page 478: WAN Interface Module LEDs

    Power: Normal operation. Power is not reaching the module. It may not be seated correctly. Error. Status: Module has passed diagnostics and is operational. Normal. Module failed diagnostics. Error. Module has failed. Error.
  • Page 479 “Yellow” in loopback mode. “Blue” = Problem in receive path; i.e., the line has lost synchronization with the remote connection. “Blue” in loopback mode. End of Appendix
  • Page 481: Software License Agreement of Cisco Systems, Inc

    Grant of License 2. Cisco Systems hereby grants to you the right to use the Software with the Cisco VPN 3000 Concentrator product. To this end, the Software contains both operator software for use by the network administrator and client software for use by clients at remote network nodes.
  • Page 482: Limited Warranty

    5. You may not export the Software, even as part of the Cisco product, to any country for which the United States requires any export license or other governmental approval at the time of export without first obtaining the requisite license and/or approval.
  • Page 483: Other Licenses

    Other licenses 16. This Agreement is governed by the laws of the State of Massachusetts. 17. If you have any questions concerning this Agreement or wish to contact Cisco Systems for any reason, please call (508) 541-7300, or write to Cisco Systems, Inc.
  • Page 484: DHCP Client

    BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  • Page 485 NRL and have assigned All Rights for those portions to NRL. Outside the USA, NRL also has copyright on the software developed at NRL. The affected files all contain specific copyright notices and those notices must be retained in any derived work. NRL LICENSE
  • Page 486 This program is Copyright 1996, 1997, 1998 by Danny Goodman. You may adapt this outline for your Web pages, provided these opening credit lines (down to the lower dividing line) are in your outline HTML document. You may not reprint or redistribute this code without permission from the author.
  • Page 487 This software is provided “as is” without express or implied warranty. author tpanton@ibm.net (Tim Panton)
  • Page 488: Telnet Server

    - Feb 1991 Bill_Simpson@um.cc.umich.edu variable number of conversation slots allow zero or one slots separate routines status display Telnet server Copyright phase2 networks 1996 All rights reserved SID: 1.1 Revision History: 97/06/23 21:17:43 root
  • Page 489: Regulatory Agency Notices

    Note 1. *VCCI-A: Equipment satisfying the recommended values for Class A ITE. WAN Module Customer Instructions: FCC Requirements Notice to Users of T1 Service The following instructions are provided to ensure compliance with the Federal Communications Commission (FCC) Rules, Part 68.
  • Page 490: Notice to Users of Certified Component Devices

    The following instructions are provided to ensure compliance with the Federal Communications Commission (FCC) Rules, Part 68. This equipment is certified with the FCC under Part 68 as a component device for use with the following Cisco Systems host routers: In order for the FCC certification of this product to be retained, all other products used in conjunction with this product must also be FCC Part 68 certified for use with these hosts.
  • Page 491: Affidavit (Appendix A)

    ______________________________________________Signature ______________________________________________ Title ______________________________________________Date Subscribed and sworn to before me This day of , 20____ ____________________________________________ Notary Public My commission expires:
  • Page 492 Caution: Users should not attempt to make such connections themselves, but should contact the appropriate electric inspection authority, or electrician, as appropriate. Industry Canada CS-03 Application, Rev.1 Model No.: CVPN 3000-2T1 End of Appendix
  • Page 493 OSPF area 8-9 NT Domain 5-5 security association to rule on filter 13-36 RADIUS 5-4 security association (traffic management) 13-22 SecurID 5-6 SMTP server for events 10-20 testing 5-9 SNMP community 9-10 authentication statistics 15-66
  • Page 494 IP routing 8-5 stopping 16-7 IKE proposals, table 7-20 using 16-1, 16-3 security associations, table 13-21 using Back and Home 16-6 tunnel gateway, configuring 8-5 using shortcut numbers to navigate 16-5
  • Page 495 10-10 encryption algorithms used by sessions (monitoring) 15-39 section of Manager 10-1 enrolling with a Certificate Authority 14-40 statistics 15-62 entering values with CLI 16-3 exiting from CLI 16-7 the Manager (logout) 1-21
  • Page 496 14-28 data xl IKE proposals filenames xl active 7-21 hostnames xl configuring 7-19 IP addresses xl add 7-22 MAC addresses xl copy 7-22 port numbers xl modify 7-22 subnet masks xl
  • Page 497 Index IKE proposals (continued) IPSec default, table 7-20 Cisco VPN 3000 Client 7-7, 12-6, 12-23, 12-38, 13-20 in IPSec LAN-to-LAN 7-14 configuring 7-7 in security association 13-19 base group 12-6, 12-7 inactive 7-21 group (internal) 12-23, 12-24 IKE security association...
  • Page 498 15-25 Mode Configuration, IPSec 12-9, 12-26 Status (SEP) A-11 and split tunneling 12-9, 12-26 Status (WAN) A-12 Cisco VPN 3000 Client supports 12-9, 12-27 Sync (WAN) A-13 model number, system 15-10 System A-10 modify table A-9...
  • Page 499 10-6, 14-17, A-1 OSPF 3-1, 3-2 redundancy configuring configuring, system 8-12 on Ethernet interface 3-11 SEP modules 15-20 on WAN interface 3-20 references (bibliography) xxxix system-wide parameters 8-6 Refresh (icon) 1-22 MIB-II statistics 15-87
  • Page 500 15-20 viewing with Internet Explorer 1-9 used by sessions (monitoring) 15-38 viewing with Netscape 1-15 servers, configuring system access to 5-1 VPN Concentrator 1-3 Session Timeout (error) A-3 starting the CLI 16-2
  • Page 501 10-17 troubleshooting A-1 modify 10-17 consult event log 10-5, 15-4 system configuration section of Manager 4-1 files created for A-1 system identification, configuring 11-2 tunnel default gateway, configuring 8-5 System LED A-10
  • Page 502 1-19 using 1-1 VRRP configuring 8-12 statistics 15-71 WAN card LED indicators A-12 putting in loopback mode A-13 WAN interface See interfaces wildcard masks 7-15, 7-17, 13-8, 13-16 format xl