Cisco VPN 3002 Quick Start Manual

Cisco VPN 3002 Hardware Client Quick Start
These instructions explain how to install and configure the Cisco VPN 3002
using default values.

How to Start

Configure the VPN 3002 using one of the following:
• The VPN 3002 Hardware Client Manager HTML interface. You can use
Microsoft Internet Explorer 4.0 or higher, or Netscape Navigator 4.5–4.7 or
6.0. Be sure to enable both JavaScript and cookies.
• A PC attached to the console port or Telnet or SSH.
At the central-site Concentrator, configure the connection as a client, NOT
LAN-to-LAN. See "Settings on the VPN 3000 Series Concentrator" section.
Client Mode or Network Extension Mode?
The VPN 3002 operates in either Client—also called Port Address Translation
(PAT)—mode or Network Extension mode. A summary of the differences
follows:
Client/PAT Mode (the default)
Easier to configure.
All traffic from the VPN 3002 private
network arrives on the private network
of the central-site VPN Concentrator
with a single source-IP address.
The IP addresses of the computers on
the VPN 3002 private network are
hidden. You cannot ping or access a
device on the VPN 3002 private
network from the central site. But you
can access the assigned IP address of
the VPN 3002 from the central site.
VPN 3002 initiates tunnel, and always
sends data before receiving data.
Some applications are incompatible
with PAT mode.
Network Extension Mode
Two more steps to configure than Client mode.
You must assign an IP address other than the
default to the VPN 3002 private interface,
and you must disable PAT mode.
Devices behind the VPN Concentrator have
direct access to devices on the VPN 3002
private network only through the tunnel. You
can ping or access a device on the VPN 3002
network from the central site.
VPN 3002 initiates tunnel. Central site can
send data first, but only if split-tunneling is
disabled.
Using Default Values to Configure the VPN 3002
For the simplest configuration, Client/PAT mode, accept default values for all
parameters that have defaults. Use the Quick Configuration menu; you can set
parameters in any order. Your changes become the running configuration as
soon as you make them, and the system automatically saves your changes at
the Done screen.
For Either Client or Network Extension Mode
1. You must configure the IPSec parameters. You supply the following:
– The public IP address of the VPN 3000 Series Concentrator to which
this VPN 3002 connects. This is also called the IKE peer address.
– IPSec group and user names and passwords. These must match the
group and user names and passwords you set for this VPN 3002 on
the Concentrator.
2. Configure an IP address on the public interface. If you use DHCP to obtain
an IP address for the public interface, your ISP may require a hostname.
Enter this hostname in the Public Interface parameter.
3. We strongly recommend that you change the admin password.
For Network Extension Mode You Must Also
1. Change the IP address of the private interface (Private Interface
parameter).
2. Disable PAT (PAT parameter).
Settings on the VPN 3000 Series Concentrator
Configure the VPN Concentrator to which this VPN 3002 connects as follows:
1. Configure the connection as a client, NOT LAN-to-LAN.
2. Assign this VPN 3002 to a group. Configure group and user names and
passwords. These must match the group and user names and passwords
that you set on the VPN 3002.
3. If the VPN 3002 uses Client mode, enable a method of address assignment
for the VPN 3002: DHCP, address pools, address from authentication
server, or client specified.
4. If the VPN 3002 uses Network Extension mode:
Be sure that the subnet behind the VPN 3002 is routable from private
–
networks behind the VPN Concentrator. You can use Reverse Route
Injection on the VPN Concentrator if its private network uses RIP or
OSPF, or you can configure a static route.
– Check the box in the Allow Network Extension Mode parameter for
the group to which the VPN 3002 belongs (HW Client tab).