VPN 3000 Concentrator Series User Guide, Release 2.5, July 2000. Corporate Headquarters: Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706, http://www.cisco.com. Tel: 408 526-4000 / 800 553-NETS (6387). Fax: 408 526-4100. Customer Order Number: DOC-7811137= Text Part Number: 78-11137-01...
(the left frame of the Manager browser window; see Figure 1-30 in Chapter 1. Chapter 1, Using the VPN 3000 Concentrator Series Manager explains how to log in, navigate, and use the VPN Concentrator Manager with a browser. It explains both HTTP and HTTPS browser connections, and how to install the SSL certificate for a secure (HTTPS) connection.
Help icon on the toolbar in the Manager window. The VPN 3000 Client User Guide explains how to install, configure, and use the Cisco VPN 3000 Client, which lets a remote client use the IPSec tunneling protocol for secure connection to a private network through the VPN Concentrator.
The VPN 3000 Monitor User Guide explains how to install, set up, and use the VPN 3000 Monitor, which is a separate Java™ application that polls VPN 3000 Concentrators in a network for information and displays that information on your workstation.
Documentation Conventions. Filenames: the VPN Concentrator always stores filenames as uppercase. For example, LOG00007.TXT is a legitimate filename. Port numbers: port numbers use decimal numbers from 0 to 65535 with no commas or spaces. VPN 3000 Concentrator Series User Guide...
Cisco provides extensive technical support through its own staff and through authorized agents. If you have questions, we suggest you first try the Cisco Web site at www.cisco.com, and go to the Service & Support section. From there you can go to additional support areas such as the Technical Assistance Center (TAC), software updates, technical documentation, and service and support solutions.
The VPN 3000 Concentrator Series Manager is an HTML-based interface that lets you configure, administer, monitor, and manage the VPN 3000 Concentrator with a standard Web browser. To use it, you need only to connect to the VPN Concentrator using a PC and browser on the same private network with the VPN Concentrator.
Using the VPN 3000 Concentrator Series Manager. • Internet Explorer 5.0: – On the Tools menu, select Internet Options. – On the Security tab, click Custom Level. – In the Security Settings window, scroll down to Scripting.
SSL encrypts all data between the browser and the VPN Concentrator, so the Manager login credentials and configuration data are not sent in cleartext as they are over plain HTTP. SSL uses digital certificates for authentication. The VPN Concentrator creates a self-signed SSL server certificate when it boots, and this certificate must be installed in the browser. Because the certificate is self-signed, no certificate authority vouches for it; installing it tells the browser to trust that particular certificate, so perform the installation from the private network, where the first connection is least exposed to interception. Once the certificate is installed, you can connect using HTTPS. You need to install the certificate from a given VPN Concentrator only once. Managing the VPN Concentrator is the same with or without SSL. Manager screens may take slightly longer to load with SSL because of encryption / decryption processing.
Figure 1-4: Internet Explorer Certificate dialog box. 4. Click Install Certificate. The browser starts a wizard to install the certificate. The certificate store is where such certificates are stored in Internet Explorer.
Figure 1-5: Internet Explorer Certificate Manager Import Wizard dialog box. 5. Click Next to continue. The wizard opens the next dialog box asking you to select a certificate store. Figure 1-6: Internet Explorer Certificate Manager Import Wizard dialog box. 6. Let the wizard Automatically select the certificate store, and click Next.
10. On the Manager SSL screen (Figure 1-2), click the link that says "After installing the SSL certificate, click here to connect to the VPN 3000 Concentrator Series using SSL." Depending on how your browser is configured, you may see a Security Alert dialog box.
Figure 1-10: Internet Explorer Security Alert dialog box. 11. Click OK. The VPN Concentrator displays the HTTPS version of the Manager login screen. Figure 1-11: VPN Concentrator Manager login screen using HTTPS (Internet Explorer). The browser maintains the HTTPS state until you close it or access an unsecure site;...
The VPN Concentrator SSL certificate name is its Ethernet 1 (Private) IP address. Figure 1-13: Internet Explorer 4.0 Certificate Authorities list. Select a certificate, then click View Certificate. The browser displays the Certificate Properties screen, as in Figure 1-12 above.
Installing the SSL certificate with Netscape. This section describes SSL certificate installation using Netscape Navigator / Communicator 4.5. Reinstallation: you need to install the SSL certificate from a given VPN Concentrator only once. If you try to reinstall it, Netscape displays the note in Figure 1-14.
Figure 1-17: Netscape New Certificate Authority screen 3. 3. Click Next> to proceed. Netscape displays the next New Certificate Authority screen, with choices for using the certificate. No choices are checked by default.
Figure 1-18: Netscape New Certificate Authority screen 4. 4. You must check at least the first box, Accept this Certificate Authority for Certifying network sites. Click Next> to proceed. Netscape displays the next New Certificate Authority screen, which lets you choose to have the browser warn you about sending data to the VPN Concentrator.
6. In the Nickname field, enter a descriptive name for this certificate. "Nickname" is something of a misnomer. We suggest you use a clearly descriptive name such as Cisco VPN Concentrator. This name appears in the list of installed certificates; see Viewing certificates with Netscape...
Figure 1-22: VPN Concentrator Manager login screen using HTTPS (Netscape). The browser maintains the HTTPS state until you close it or access an unsecure site; in the latter case, you may see a Security Information Alert dialog box.
Second, you can view all the certificates that are stored in Netscape. On the Security Info window, select Certificates then Signers. The "nickname" you entered in Step 6 identifies the VPN Concentrator SSL certificate.
Figure 1-25: Netscape Certificates Signers list. Select a certificate, then click Edit, Verify, or Delete. Click OK when finished.
The browser displays the VPN Concentrator Manager HTTPS login screen. A locked-padlock icon on the browser status bar indicates an HTTPS session. Also, this login screen does not include the Install SSL Certificate link. Figure 1-26: VPN Concentrator Manager HTTPS login screen.
Logging in the VPN Concentrator Manager. Logging in the VPN Concentrator Manager is the same for both types of connections: cleartext HTTP or secure HTTPS (over HTTP the username and password cross the network unencrypted, so prefer HTTPS). Entries are case-sensitive, so type them carefully. With Microsoft Internet Explorer, you can press the Tab key to move from field to field;...
The title bar at the top of the browser window includes the VPN Concentrator device name or IP address in brackets; e.g., [10.10.104.7]. Status bar: the status bar at the bottom of the browser window displays explanatory messages for selected items and Manager activity.
Manager. CCO at www.cisco.com Click this link to open a browser window on the main Cisco Web page, Cisco Connection Online (CCO). From that page, you can browse to all Cisco resources, including the Technical Assistance Center (TAC).
Understanding the VPN Concentrator Manager window. tac@cisco.com: click this link to open your configured email application and compose an email message to Cisco’s Technical Assistance Center (TAC). When you finish, the application closes and returns to this Support screen. Logout tab: click to log out of the Manager and return to the login screen.
The date and time above this reminder indicate when the screen was last updated. Cisco Systems logo: click the Cisco Systems logo to open a browser and go to the Cisco web site, www.cisco.com. Left frame (Table of contents): the left frame provides a table of contents to Manager screens.
• Monitoring: viewing routing tables, event logs, system LEDs and status, data on user sessions, and statistics for protocols and system functions. This manual covers all these topics. For Quick Configuration, see the VPN 3000 Concentrator Series Getting Started manual.
Navigating the VPN Concentrator Manager. Your primary tool for navigating the VPN Concentrator Manager is the table of contents in the left frame. Figure 1-30 shows all its entries, completely expanded. (The figure shows the frame in multiple columns, but the actual frame is a single column.)
Configuring the VPN Concentrator means setting all the parameters that govern its use and functionality as a VPN device. Cisco supplies default parameters that cover typical installations and uses; and once you supply minimal parameters in Quick Configuration, the system is operational. But to tailor the system to your needs, and to provide an appropriate level of system security, you should configure the system in detail.
CHAPTER: Interfaces. This section of the VPN 3000 Concentrator Series Manager applies primarily to Ethernet and WAN network interfaces. Here you configure functions that are interface-specific, rather than system-wide. There is also a screen to configure power supply and voltage sensor alarms.
WANs, you can configure independent WAN connections on Port A and Port B. Note: Interface settings take effect as soon as you apply them. If the system is in active use, changes may affect tunnel traffic. The table shows all installed interfaces and their status.
To configure a module, either click the appropriate link in the status table; or use the mouse pointer to select the module on the back-panel image, and click anywhere in the highlighted area. Interface: the VPN Concentrator interface installed in the system. To configure an interface, click the appropriate link.
PPP Multilink and no longer has an IP address. To connect this port to a WAN, you must supply an IP address. IP Address: the IP address configured on this interface. Subnet Mask: the subnet mask configured on this interface.
). If a power supply is faulty, the appropriate Power Supply LED on the front panel is amber. Caution: If a voltage generates an alarm, shut down the system in an orderly way and contact Cisco support. Operating the system with out-of-range voltages, especially if they exceed the high threshold, may cause permanent damage.
High and low thresholds for the 3.3- and 5-volt outputs from the power supplies. You can enter values for the second power supply on Models 3015–3080 even if it is not installed. Board: high and low thresholds for the 3.3- and 5-volt sensors on the main circuit board.
This screen includes three tabbed sections. Click each tab to display its parameters. As you move from tab to tab, the Manager retains your settings. When you have finished setting parameters on all tabbed sections, click Apply or Cancel.
To make this interface a public interface, check the box. A public interface is an interface to a public network, such as the Internet. You must configure a public interface before you can configure NAT and...
The filter governs the handling of data packets through this interface: whether to forward or drop, according to configured criteria. Cisco supplies three default filters that you can modify and use with the VPN Concentrator. You can configure filters on the Configuration | Policy Management | Traffic Management screens.
Click the drop-down menu button and select the outbound RIP function: Disabled = No outbound RIP functions; i.e., the system does not send any RIP messages on this interface (default). RIPv1 Only = Send only RIPv1 messages on this interface.
The area ID identifies the subnet area within the OSPF Autonomous System or domain. Routers within an area have identical link-state databases. While its format is that of a dotted decimal IP address, the ID is only an identifier and not an address.
This entry is the estimated number of seconds it takes to transmit a link state update packet over this interface, and it should include both the transmission and propagation delays of the interface. This delay must be the same for all routers on a common network.
To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window. To discard your settings, click Cancel. The Manager returns to the Configuration | Interfaces screen.
Not Present = (Red) ... Lower Layer Down = (Red) Not operational because a lower-layer interface is down. Unknown = Not configured or not able to determine status. Not Configured = Present but not configured.
1536 Kbps. When you click this link, the Manager opens the Configuration | Interfaces | WAN Card in Slot N | Port A | B as T1 screen, which lets you configure T1 parameters.
This screen includes five tabbed sections. Click each tab to display its parameters. As you move from tab to tab, the Manager retains your settings. When you have finished setting parameters on all tabbed sections, click Apply or Cancel.
Internet. You must configure a public interface before you can configure NAT and IPSec LAN-to-LAN, for example. You should designate only one VPN Concentrator interface as a public interface.
RIPv1 Only = Send only RIPv1 messages on this interface. RIPv2 Only = Send only RIPv2 messages on this interface. RIPv2/v1 compatible = Send RIPv2 messages that are compatible with RIPv1 on this interface.
While its format is that of a dotted decimal IP address, the ID is only an identifier and not an address. The 0.0.0.0 area ID identifies a special area—the backbone—that contains all area border routers, which are the routers connected to multiple areas.
This delay must be the same for all routers on a common network. Enter the delay as a number from 0 to 3600 seconds. The default is 1 second, which is a typical value.
For MD5 authentication, enter the shared key. Maximum 8 characters. The Manager displays your entry in clear text, so enter it where the screen cannot be observed. Figure 3-11: Configuration | Interfaces | WAN Card in Slot N | Port A | B as T1 or E1 screen, WAN tab.
0 of each frame in the multiframe carries 4-bit CRC signatures for error detection. This is the default selection for E1. = E1 16-Frame Multiframe. The frame structure (a multiframe) consists of 16 frames. Each frame is 256 bits, or 32 8-bit timeslots.
Kbps each, for a total of 1536 Kbps. For E1, there are 31 timeslots of 64 Kbps each, for a total of 1984 Kbps. The Currently: field shows the total for checked timeslots. Click Clear All to clear all timeslots, or Set All to set all timeslots.
To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window. To discard your settings, click Cancel. The Manager returns to the Configuration | Interfaces screen. End of Chapter.
• General: identifying the system, and setting the time and date. See the appropriate chapter in this manual or the online help for each section. Figure 4-1: Configuration | System screen. End of Chapter.
CHAPTER: Servers. Configuring servers means identifying them to the VPN 3000 Concentrator so it can communicate with them correctly. These servers provide user authentication and accounting functions, convert hostnames to IP addresses, assign client IP addresses, and synchronize the system with network time. The VPN Concentrator functions as a client of these servers.
(IP address or hostname, TCP/UDP port, secret/password, etc.). The VPN Concentrator functions as the client of these servers. The Cisco software CD-ROM includes a 30-day evaluation copy of Funk Software’s Steel-Belted RADIUS authentication server and instructions for using it with the VPN Concentrator.
Internal Server = The internal VPN Concentrator authentication server. With this server, you can configure a maximum of 100 groups and users (combined) in the internal database. See Configuration | User Management for details.
VPN Concentrator declares this server inoperative and uses the next RADIUS authentication server in the list. Minimum is 0, default is 2, maximum is 10 retries.
Figure 5-4: Configuration | System | Servers | Authentication | Add or Modify NT Domain screen. Authentication Server Address: enter the IP address of the NT Domain authentication server; e.g., 192.168.12.34. Use dotted decimal notation.
To discard your entries, click Cancel. The Manager returns to the Configuration | System | Servers | Authentication screen, and the Authentication Servers list is unchanged. Server Type = SDI: configure these parameters for an RSA Security Inc. SecurID authentication server.
To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window. To discard your entries, click Cancel. The Manager returns to the Configuration | System | Servers | Authentication screen, and the Authentication Servers list is unchanged.
SA negotiations. Deleting it also prevents connections by all users that are configured in the internal user database. We strongly recommend that you not delete the internal authentication server. Figure 5-7: Configuration | System | Servers | Authentication | Delete screen.
OK / Cancel: to send the username and password to the selected authentication server, click OK. The authentication and response process takes a few seconds. The Manager displays a Success or Error screen; see below.
No response from server = There is no response from the selected server within the configured timeout and retry periods. No active server found = The VPN Concentrator cannot find an active, configured server to test.
(IP address or hostname, UDP port, server secret, etc.). The VPN Concentrator functions as the client of these servers. Figure 5-12: Configuration | System | Servers | Accounting screen.
Servers | Accounting | Add screen. To modify a configured user accounting server, select the server from the list and click Modify. The Manager opens the Configuration | System | Servers | Accounting | Modify screen.
Timeout: enter the time in seconds to wait after sending a query to the accounting server and receiving no response, before trying again. Minimum is 1 second (the default), maximum is 30 seconds.
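Added example (my code, not code from the Cisco guide): the failover walk that the authentication retry parameter above (0 to 10 retries, after which the server is declared inoperative and the next one in the list is used) and the accounting Timeout parameter (1 to 30 seconds) describe. The server names, the simulated responder and the per-attempt behaviour are constructed for the example; a real client would block on a UDP socket with the configured timeout instead of calling the simulated function.

```python
# Added example (not Cisco's code): a client walking an ordered list of
# authentication/accounting servers with the per-server timeout and retry
# semantics described in the text. Server names and the responder are made up.
from dataclasses import dataclass, field
from typing import Callable, List, Optional


@dataclass
class Server:
    name: str
    timeout: int   # seconds to wait for a reply before retrying (1..30)
    retries: int   # extra attempts after the first (0..10)


def validate(server: Server) -> None:
    """Reject parameter values outside the ranges the Manager accepts."""
    if not 1 <= server.timeout <= 30:
        raise ValueError(f"{server.name}: timeout must be 1..30 seconds")
    if not 0 <= server.retries <= 10:
        raise ValueError(f"{server.name}: retries must be 0..10")


@dataclass
class Outcome:
    server: Optional[str]        # server that answered, or None
    attempts: int                # total requests sent across all servers
    reply: Optional[str]         # the answer, or None
    inoperative: List[str] = field(default_factory=list)
    reason: str = ""             # "" on success, else the Manager-style message


# send(server, attempt_no) models one request: it returns the reply, or None
# if no reply arrived within server.timeout seconds.
SendFn = Callable[[Server, int], Optional[str]]


def query_with_failover(servers: List[Server], send: SendFn) -> Outcome:
    """Try each server in list order; after 1 + retries silent attempts a
    server is declared inoperative and the next one is used."""
    if not servers:
        return Outcome(None, 0, None, [], "No active server found")
    inoperative: List[str] = []
    total = 0
    for srv in servers:
        validate(srv)
        for attempt in range(1, srv.retries + 2):  # first try plus retries
            total += 1
            reply = send(srv, attempt)
            if reply is not None:
                return Outcome(srv.name, total, reply, inoperative)
        inoperative.append(srv.name)
    return Outcome(None, total, None, inoperative, "No response from server")


# Constructed scenario: the primary never answers, the secondary answers on
# its second attempt.
def simulated_send(server: Server, attempt: int) -> Optional[str]:
    if server.name == "secondary" and attempt >= 2:
        return "Access-Accept"
    return None


SERVERS = [
    Server("primary", timeout=4, retries=2),
    Server("secondary", timeout=4, retries=1),
]


def demo() -> Outcome:
    return query_with_failover(SERVERS, simulated_send)


if __name__ == "__main__":
    out = demo()
    print(f"answered by {out.server} after {out.attempts} requests; "
          f"inoperative: {out.inoperative}")
```

With the constructed servers the primary absorbs three requests (one try plus two retries) before being skipped, and the secondary answers on its second request, so five requests are sent in total; an empty list yields the "No active server found" outcome, and a list whose every server stays silent yields "No response from server".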
IP addresses. Configuring DNS servers here lets you enter hostnames (e.g., mail01) rather than IP addresses as you configure and manage the VPN Concentrator. You can configure up to three DNS servers that the system queries in order.
Enter the IP address of the tertiary (second backup) DNS server, using dotted decimal notation. If the secondary DNS server doesn’t respond to a query within the Timeout Period specified below, the system queries this server.
VPN Concentrator is enabled by default on that screen. You can configure and prioritize up to three DHCP servers. The first server is the primary, and the rest are backup servers in case the primary is inoperative.
The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
Clocks in many computers tend to drift a few seconds per day. Exact time synchronization is important for systems on a network so that protocol timestamps and events are accurate. Security certificates, for example, carry a validity period: a system whose clock is wrong may reject a valid certificate or accept an expired one. Accurate time also makes event-log timestamps usable when correlating events across systems.
To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window. To discard your settings, click Cancel. The Manager returns to the Configuration | System | Servers | NTP screen.
Manager window. To discard your entry, click Cancel. The Manager returns to the Configuration | System | Servers | NTP | Hosts screen, and the NTP Hosts list is unchanged. End of Chapter.
Configuration | System | Address Management This section of the VPN 3000 Concentrator Series Manager lets you configure options for assigning addresses to clients as a tunnel is established. A client must have an IP address to function as a tunnel endpoint.
Check this box to use a DHCP (Dynamic Host Configuration Protocol) server to assign IP addresses. If you use DHCP, configure the server on the Configuration | System | Servers | DHCP and Configuration | System | IP Routing | DHCP screens.
If no pools have been configured, the list shows --Empty--. The pools are listed in the order they are configured. The system uses these pools in the order listed: if all addresses in the first pool have been assigned, it uses the next pool, and so on.
Enter the first IP address available in this pool. Use dotted decimal notation; e.g., 10.10.147.100. Range End: enter the last IP address available in this pool. Use dotted decimal notation; e.g., 10.10.147.177.
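Added example (my code, not code from the Cisco guide): an address-pool allocator with the ordering rule the pool screen describes, namely pools used in configured order and the next pool touched only when every address in the earlier ones is assigned. The pool ranges, the session names and the overlap check are constructed for the example; the guide does not say how the Concentrator reuses released addresses, so the lowest-free-address policy below is an assumption.

```python
# Added example (not Cisco's code): IP address pools consumed in configured
# order, with release and exhaustion handling. Ranges below are constructed.
import ipaddress
from typing import Dict, List, Optional, Tuple

Pool = Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]


class PoolAllocator:
    def __init__(self, ranges: List[Tuple[str, str]]) -> None:
        self.pools: List[Pool] = []
        for start, end in ranges:
            s, e = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
            if e < s:
                raise ValueError(f"range end {end} precedes start {start}")
            for ps, pe in self.pools:          # assumption: overlaps are rejected
                if s <= pe and ps <= e:
                    raise ValueError(f"{start}-{end} overlaps {ps}-{pe}")
            self.pools.append((s, e))
        # address -> session that holds it
        self.assigned: Dict[ipaddress.IPv4Address, str] = {}

    def assign(self, session: str) -> Optional[str]:
        """Lowest free address from the first pool that still has one,
        or None when every pool is exhausted."""
        for start, end in self.pools:
            addr = start
            while addr <= end:
                if addr not in self.assigned:
                    self.assigned[addr] = session
                    return str(addr)
                addr += 1
        return None

    def release(self, address: str) -> None:
        self.assigned.pop(ipaddress.IPv4Address(address), None)

    def free_count(self) -> int:
        total = sum(int(e) - int(s) + 1 for s, e in self.pools)
        return total - len(self.assigned)


def demo() -> List[Optional[str]]:
    # Constructed pools in the same address space as the screen's examples.
    pools = PoolAllocator([("10.10.147.100", "10.10.147.101"),
                           ("10.10.147.176", "10.10.147.177")])
    got = [pools.assign(f"tunnel{i}") for i in range(3)]   # .100, .101, then .176
    pools.release("10.10.147.100")
    got.append(pools.assign("tunnel3"))                      # .100 is reused first
    got.append(pools.assign("tunnel4"))                      # .177, last address
    got.append(pools.assign("tunnel5"))                      # None: exhausted
    return got


if __name__ == "__main__":
    print(demo())
```

The third assignment lands in the second pool only because the first pool's two addresses are both in use; once one is released, the next request goes back to the first pool.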
Manager window. To discard your entries, click Cancel. The Manager returns to the Configuration | System | Address Management | Pools screen, and the IP Pool Entry list is unchanged. End of Chapter.
TCP/IP network, such as the Internet, to create secure connections between remote users and a private corporate network. The secure connection is called a tunnel, and the VPN 3000 Concentrator Series uses tunneling protocols to: • Negotiate tunnel parameters. • Establish tunnels.
Microsoft encryption (MPPE). You can configure PPTP on rules in filters; see Configuration | Policy Management | Traffic Management. Groups and users also have PPTP parameters; see Configuration | User Management.
Note: Cisco supplies default settings for PPTP parameters that ensure optimum performance for typical VPN use. We strongly recommend that you not change the defaults without advice from Cisco personnel. Enabled: check the box to enable PPTP system-wide functions on the VPN Concentrator, or clear it to disable.
Enter the number of seconds to wait before determining that an acknowledgement has been lost; i.e., before resuming transmission to the client even though the transmit window is closed. Minimum is 1, maximum is 10, default is 3 seconds.
Figure 7-3: Configuration | System | Tunneling Protocols | L2TP screen. Note: Cisco supplies default settings for L2TP parameters that ensure optimum performance for typical VPN use. We strongly recommend that you not change the defaults without advice from Cisco personnel.
Enter the maximum number of sessions allowed per L2TP tunnel. Minimum is 0, maximum depends on the VPN Concentrator model; e.g., Model 3060 = 5000. Enter 0 for unlimited sessions (the default).
To establish a connection, both entities must agree on the SAs. The Cisco VPN 3000 Client complies with the IPSec protocol and is specifically designed to work with the VPN Concentrator. However, the VPN Concentrator can establish IPSec connections with many protocol-compliant clients.
| Security Associations screens. Therefore, you should configure IKE proposals before configuring other IPSec parameters. Cisco supplies default IKE proposals that you can use or modify. Figure 7-4: Configuration | System | Tunneling Protocols | IPSec screen Configuration | System | Tunneling Protocols |...
Reminder: The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
You must configure a public interface on the VPN Concentrator before you can configure an IPSec LAN-to-LAN connection. See the Configuration | Interfaces screens. You can configure only one LAN-to-LAN connection with each VPN Concentrator (or other secure gateway) peer.
Public (default) filter with the rules above. • Creates or modifies a group named with the Peer IP address. If the VPN Concentrator internal authentication server hasn’t been configured, it does so, and adds the group to the database.
Enter the IP address of the remote peer in the LAN-to-LAN connection. This must be the IP address of the public interface on the peer VPN Concentrator. Use dotted decimal notation; e.g., 192.168.34.56.
= Use ESP without encryption; no packet encryption. DES-56 = Use DES encryption with a 56-bit key. 3DES-168 = Use Triple-DES encryption with a 168-bit key. This selection is the most secure of the three and is the default. Single DES-56 can be brute-forced with modest resources and should not be relied on for traffic that needs confidentiality; 3DES-168 has an effective strength of about 112 bits because of meet-in-the-middle attacks, which is still far stronger than DES-56.
IKE proposals before configuring LAN-to-LAN connections. Click the drop-down menu button and select the IKE proposal. The list shows only active IKE proposals in priority order. Cisco-supplied default active proposals are: IKE-3DES-MD5 = Use preshared keys and MD5/HMAC-128 for authentication. Use 3DES-168 encryption.
If you select a configured network list, the Manager ignores entries in the IP Address and Wildcard-mask fields. See the wildcard mask note above. IP Address: enter the IP address of the private network on the remote peer VPN Concentrator. Use dotted decimal notation; e.g., 11.0.0.0.
Ethernet 1 (Private) interface of this VPN Concentrator. (See Monitoring | Routing Table.) A single network list can contain a maximum of 200 network entries.
If you omit the wildcard mask, the Manager supplies the default wildcard mask for the class of the network address. For example, 192.168.12.0 is a Class C address, and the default wildcard mask is 0.0.0.255. A wildcard mask is the inverse of a subnet mask: a 0 bit means the corresponding address bit must match, and a 1 bit means it is ignored. You can enter a maximum of 200 networks in a single network list.
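Added example (my code, not code from the Cisco guide): deriving the classful default wildcard mask the Manager supplies when the field is left empty, matching addresses against a network with wildcard semantics, and enforcing the 200-entry limit on a network list. It goes slightly beyond the text by also handling an explicit, non-classful wildcard mask. The example networks other than 192.168.12.0 and 11.0.0.0 are constructed.

```python
# Added example (not Cisco's code): classful default wildcard masks and
# wildcard matching for a network list limited to 200 entries.
import ipaddress
from typing import List, Optional, Tuple

MAX_ENTRIES = 200


def default_wildcard(network: str) -> str:
    """Default wildcard mask for the address class, as the Manager supplies
    it when the field is left empty. Class D/E addresses have no default."""
    first_octet = int(ipaddress.IPv4Address(network)) >> 24
    if first_octet < 128:
        return "0.255.255.255"   # class A
    if first_octet < 192:
        return "0.0.255.255"     # class B
    if first_octet < 224:
        return "0.0.0.255"       # class C
    raise ValueError(f"{network}: no classful default wildcard mask")


def matches(address: str, network: str, wildcard: Optional[str] = None) -> bool:
    """Wildcard semantics: a 0 bit must match, a 1 bit is ignored.
    Non-contiguous wildcards are allowed, unlike subnet masks."""
    if wildcard is None:
        wildcard = default_wildcard(network)
    a = int(ipaddress.IPv4Address(address))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


class NetworkList:
    def __init__(self) -> None:
        self.entries: List[Tuple[str, str]] = []

    def add(self, network: str, wildcard: Optional[str] = None) -> None:
        if len(self.entries) >= MAX_ENTRIES:
            raise ValueError(f"network list is limited to {MAX_ENTRIES} entries")
        self.entries.append((network, wildcard or default_wildcard(network)))

    def lookup(self, address: str) -> Optional[Tuple[str, str]]:
        """First entry, in configured order, that covers the address."""
        for network, wildcard in self.entries:
            if matches(address, network, wildcard):
                return (network, wildcard)
        return None


def demo() -> List[Optional[Tuple[str, str]]]:
    remote = NetworkList()
    remote.add("192.168.12.0")              # default 0.0.0.255 supplied
    remote.add("11.0.0.0")                  # default 0.255.255.255 supplied
    remote.add("172.16.4.0", "0.0.3.255")   # explicit wildcard covering .4 to .7
    return [remote.lookup(a)
            for a in ("192.168.12.77", "11.200.3.4", "172.16.7.9", "172.16.8.1")]


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

Note that a class-based default can be much wider than the real network: leaving the wildcard blank for 11.0.0.0 covers the whole 11.0.0.0/8, so enter the wildcard explicitly whenever the remote network is a subnet of a classful block.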
• Filter Rules: See Configuration | Policy Management | Traffic Management | Rules. You cannot delete the group, SA, or rules individually, nor can you remove the rules from their filter. The system automatically deletes them when you delete the LAN-to-LAN connection.
You must also configure and activate IKE proposals before configuring IPSec LAN-to-LAN connections. See Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN above. You can configure a maximum of 25 IKE proposals total (active and inactive).
Figure 7-10: Configuration | System | Tunneling Protocols | IPSec | IKE Proposals screen Cisco supplies default IKE proposals that you can use or modify; see Table 7-1. See Configuration | System | Tunneling Protocols | IPSec | IKE Proposals | Add for explanations of the parameters.
These actions move the proposal up or down one position. To configure and add a new IKE proposal to the list of Inactive Proposals, click this button. See Configuration | System | Tunneling Protocols | IPSec | IKE Proposals | Add.
Copy a configured IKE proposal, modify its parameters, save it with a new name, and add it to the configured inactive IKE proposals. You can configure a maximum of 25 IKE proposals total (active and inactive).
RSA Digital Certificate = Use a digital certificate with keys generated by the RSA algorithm. DSA Digital Certificate = Use a digital certificate with keys generated by the DSA algorithm.
Both = Use both time and data, whichever occurs first, to measure the lifetime. Configure both the Time Lifetime and Data Lifetime parameters. None = No lifetime measurement. The SA lasts until the connection is terminated for other reasons.
To discard your settings, click Cancel. The Manager returns to the Configuration | System | Tunneling Protocols | IPSec | IKE Proposals screen, and the IKE proposals lists are unchanged. End of Chapter.
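Added example (my code, not code from the Cisco guide) covering two points from the IKE proposal screens above: only active proposals take part in negotiation and they are tried in priority order, and the SA lifetime can be measured by time, by data, by both (whichever limit is reached first), or not at all. IKE-3DES-MD5 with preshared keys, 3DES-168 and MD5 is from the text; the Diffie-Hellman group, the lifetime defaults, the other proposal names and the peer offers are assumptions constructed for the example.

```python
# Added example (not Cisco's code): selecting an IKE proposal from the
# active list in priority order, and evaluating the four SA lifetime modes.
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAX_PROPOSALS = 25


@dataclass(frozen=True)
class Proposal:
    name: str
    auth: str            # "preshared", "rsa-cert" or "dsa-cert"
    encryption: str      # "DES-56" or "3DES-168"
    hash_alg: str        # "MD5" or "SHA"
    dh_group: int        # Diffie-Hellman group; value 2 below is assumed
    lifetime_mode: str   # "time", "data", "both" or "none"
    time_lifetime: int = 86400   # seconds; default is an assumption
    data_lifetime: int = 10000   # kilobytes; default is an assumption

    def crypto(self) -> Tuple[str, str, str, int]:
        return (self.auth, self.encryption, self.hash_alg, self.dh_group)


def select_proposal(active: List[Proposal], inactive: List[Proposal],
                    offered: List[Proposal]) -> Optional[Proposal]:
    """Only active proposals take part; the first one in our priority order
    that the peer also offered wins, regardless of the peer's preference."""
    if len(active) + len(inactive) > MAX_PROPOSALS:
        raise ValueError(f"at most {MAX_PROPOSALS} IKE proposals (active + inactive)")
    offered_set = {p.crypto() for p in offered}
    for ours in active:
        if ours.crypto() in offered_set:
            return ours
    return None


def sa_expired(p: Proposal, elapsed_s: int, kbytes: int) -> bool:
    """Lifetime check for an SA negotiated with proposal p."""
    if p.lifetime_mode == "none":
        return False
    if p.lifetime_mode == "time":
        return elapsed_s >= p.time_lifetime
    if p.lifetime_mode == "data":
        return kbytes >= p.data_lifetime
    if p.lifetime_mode == "both":   # whichever limit is reached first
        return elapsed_s >= p.time_lifetime or kbytes >= p.data_lifetime
    raise ValueError(f"unknown lifetime mode {p.lifetime_mode!r}")


IKE_3DES_MD5 = Proposal("IKE-3DES-MD5", "preshared", "3DES-168", "MD5", 2, "both")
IKE_DES_MD5 = Proposal("IKE-DES-MD5", "preshared", "DES-56", "MD5", 2, "time")          # assumed name
IKE_3DES_SHA_RSA = Proposal("IKE-3DES-SHA-RSA", "rsa-cert", "3DES-168", "SHA", 2, "time")  # assumed name

ACTIVE = [IKE_3DES_MD5, IKE_DES_MD5]     # priority order
INACTIVE = [IKE_3DES_SHA_RSA]


def demo() -> Tuple[Optional[str], Optional[str], Optional[str]]:
    # Constructed peer offers; the peer's own lifetime settings are irrelevant here.
    only_des = [Proposal("peer-des", "preshared", "DES-56", "MD5", 2, "none")]
    prefers_des = only_des + [Proposal("peer-3des", "preshared", "3DES-168", "MD5", 2, "none")]
    certs_only = [Proposal("peer-rsa", "rsa-cert", "3DES-168", "SHA", 2, "none")]
    a = select_proposal(ACTIVE, INACTIVE, only_des)      # falls back to DES
    b = select_proposal(ACTIVE, INACTIVE, prefers_des)   # our priority wins
    c = select_proposal(ACTIVE, INACTIVE, certs_only)    # inactive: no match
    return (a.name if a else None, b.name if b else None, c.name if c else None)


if __name__ == "__main__":
    print(demo())
```

The first case is the one to watch: a weak proposal left active as a fallback will be accepted whenever a peer offers only that, so deactivate proposals you do not want negotiated rather than relying on their position in the list.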
It provides automatic switchover to a backup system in case the primary system is out of service, thus assuring user access to the VPN. This feature supports user access via IPSec LAN-to-LAN connections, IPSec client (single-user remote-access) connections, and PPTP client connections.
This section of the Manager lets you configure static routes for IP routing. You usually configure static routes for private networks that cannot be learned via RIP or OSPF. Figure 8-2: Configuration | System | IP Routing | Static Routes screen.
Add: configure and add a new static, or manual, route to the IP routing table. Modify: modify the parameters for a configured static route. Figure 8-3: Configuration | System | IP Routing | Static Routes | Add or Modify screen.
Apply. Both actions include your entries in the active configuration. The Manager returns to the Configuration | System | IP Routing | Static Routes screen. Any new route appears at the bottom of the Static Routes list.
The routing subsystem always tries to use the least costly route. For example, if this route uses a low-speed line, you might assign a high metric so the system will use it only if all high-speed routes are unavailable.
The complete private network is called an OSPF Autonomous System (AS), or domain. The subnets within the AS are called areas. You configure OSPF areas on the Configuration | System | IP Routing | OSPF Areas screens. VPN 3000 Concentrator Series User Guide...
Check the box to indicate that the VPN Concentrator OSPF router is the boundary router for an Autonomous System. If you check this box, the VPN Concentrator also redistributes RIP and static routes into the OSPF areas. By default, the box is not checked. VPN 3000 Concentrator Series User Guide...
To delete a configured OSPF area, select the area from the list and click Delete . There is no confirmation or undo. The Manager refreshes the screen and shows the remaining entries in the OSPF Area list. VPN 3000 Concentrator Series User Guide...
Advertisements) into OSPF stub areas. LSAs describe the state of the router’s interfaces and routing paths. Stub areas contain only final-destination hosts and do not pass traffic through to other areas. Sending LSAs to them is usually not necessary. By default this box is not checked. VPN 3000 Concentrator Series User Guide...
Figure 8-8: Configuration | System | IP Routing | DHCP screen Enabled Check the box to enable DHCP functions within the VPN Concentrator. The box is checked by default. To use DHCP address assignment, you must enable DHCP functions here. 8-10 VPN 3000 Concentrator Series User Guide...
To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window. To discard your entries, click Cancel . The Manager returns to the Configuration | System | IP Routing screen. 8-11 VPN 3000 Concentrator Series User Guide...
You must also configure identical IPSec LAN-to-LAN parameters on the redundant VPN Concentrators. See the Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN screens. Figure 8-9: Configuration | System | IP Routing | Redundancy screen 8-12 VPN 3000 Concentrator Series User Guide...
On a Backup system, the fields are empty by default, and you must enter the same IP addresses as those on the Master system. 1 (Private) The IP address for the Ethernet 1 (Private) interface shared by the virtual routers in this group. 8-13 VPN 3000 Concentrator Series User Guide...
To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window. To discard your entries, click Cancel . The Manager returns to the Configuration | System | IP Routing screen. End of Chapter 8-14 VPN 3000 Concentrator Series User Guide...
CHAPTER Management Protocols
The VPN 3000 Concentrator Series includes various built-in servers, using various protocols, that let you perform typical network and system management functions. This section explains how you configure and enable those servers.

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window. To discard your settings, click Cancel. The Manager returns to the Configuration | System | Management Protocols screen.

If you disable both HTTP and HTTPS, you cannot use a Web browser to connect to the VPN Concentrator. Use the Cisco Command Line Interface from the console or a Telnet session.
Related information:

The lack of a login procedure makes TFTP relatively insecure. The settings here have no effect on TFTP file transfer from the Administration | File Management | TFTP Transfer screen. For those operations, the VPN Concentrator acts as a TFTP client.

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window. To discard your settings, click Cancel. The Manager returns to the Configuration | System | Management Protocols screen.

pub/security/Crypto/SSLapps, an “SSL Telnet for Windows” shareware application. (Please note that we mention this application for information only and that Cisco Systems does not supply, support, or endorse it in any way.) See the Configuration | System | Management Protocols | SSL screen to configure SSL parameters. See the screen to manage the SSL digital certificate.

The settings on this screen have no effect on sending system events to SNMP trap destinations (see Configuration | System | Events | General and Trap Destinations). For those functions, the VPN Concentrator acts as an SNMP client.
Figure 9-6: Configuration | System | Management Protocols | SNMP screen

To use the VPN Concentrator SNMP server, you must configure and add at least one community string. You can configure a maximum of 10 community strings. To protect security, the SNMP server does not include the usual default public community string, and we recommend that you not configure it.

Reminder: The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

SSL uses digital certificates for authentication. The VPN Concentrator creates a self-signed SSL server certificate when it boots; or you can install in the VPN Concentrator an SSL certificate that has been
• For information on installing the SSL digital certificate in your browser and connecting via HTTPS, see Chapter 1, Using the VPN 3000 Concentrator Series Manager.
• To configure HTTPS parameters, see the Configuration | System | Management Protocols | HTTP/HTTPS screen.

SSL V2 Only = The server insists on SSL Version 2 only. This selection works with most Telnet/SSL clients. SSL Version 2 has well-known protocol weaknesses, so restrict the server to it only when no client supports anything newer.
TLS V1 Only = The server insists on TLS Version 1 only. At present, only Microsoft Internet Explorer 5.0 supports this option.

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window. To discard your settings, click Cancel. The Manager returns to the Configuration | System | Management Protocols screen.
End of Chapter
CHAPTER Events
An event is any significant occurrence within or affecting the VPN 3000 Concentrator, such as an alarm, trap, error condition, network problem, task completion, threshold breach, or status change. The VPN Concentrator records events in an event log, which is stored in nonvolatile memory. You can also specify that certain events trigger a console message, a UNIX syslog record, an email message, or an SNMP management system trap.
Event Class | Description
IPDBG |
IPDECODE | IP packet decoding*
IPSEC | IP Security subsystem
IPSECDBG | IP Security debugging*
IPSECDECODE | IP Security decoding*
L2TP | L2TP subsystem
L2TPDBG | L2TP debugging*
L2TPDECODE | L2TP decoding*
MIB2TRAP | MIB-II trap subsystem: SNMP MIB-II traps*
WAN module subsystem*
Note: The Cisco-specific event classes provide information that is meaningful only to Cisco engineering or support personnel. Also, the DBG and DECODE events require significant system resources and may seriously degrade performance. We recommend that you avoid logging these events unless Cisco requests it.

Note: The Debug (7-9) and Packet Decode (10-13) severity levels are intended for use by Cisco engineering and support personnel. We recommend that you avoid logging these events unless Cisco requests it. The VPN Concentrator, by default, displays all events of severity level 1 through 3 on the console. It writes all events of severity level 1 through 5 to the event log.

This section of the Manager lets you configure how the VPN Concentrator handles events. Events provide information for system monitoring, auditing, management, accounting, and troubleshooting.
Figure 10-1: Configuration | System | Events screen

The VPN Concentrator automatically saves the log file if it crashes, and when it is rebooted, regardless of this Save Log on Wrap setting. This log file is named SAVELOG.TXT, and it overwrites any existing file with that name. The SAVELOG.TXT file is useful for debugging.

Original = Original VPN Concentrator event format with information on one line.
Cisco IOS Compatible = Event format that is compatible with Cisco syslog management applications.
Severity to Log: Click the drop-down menu button and select the range of event severity levels to enter in the event log by default.

Trap | Event Class | Severity to Trap
coldStart | EVENT | 1 or higher
linkDown | | 1-3 or higher
linkUp | | 1-3 or higher
authFailure | SNMP | 1-3 or higher (this trap is SNMP authentication failure, not tunnel authentication failure)
For example, c:\vpn\logfiles.
FTP Username: Enter the username for FTP login on the destination computer.
FTP Password: Enter the password to use with the FTP username above. The field displays only asterisks. Note that FTP sends the login and the transferred log file in cleartext, so use this only across a trusted management network.

The initial default entry is MIB2TRAP, which are SNMP MIB-II events, or “traps,” that you might want to monitor with an SNMP network management system. Other configured event classes are listed in

Modify the special handling of a specific event class.
Figure 10-5: Configuration | System | Events | Classes | Add or Modify screen

If you select any severity levels to send, you must also configure the syslog server(s) on the Configuration | System | Events | Syslog Servers screens, and you should configure the Syslog Format on the Configuration | System | Events | General screen.

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window. To discard your settings, click Cancel. The Manager returns to the Configuration | System | Events | Classes screen.

To remove an SNMP trap destination that has been configured, select the destination from the list and click Delete. There is no confirmation or undo. The Manager refreshes the screen and shows the remaining entries in the list.

Enter the community string to use in identifying traps from the VPN Concentrator to this destination. The community string is like a password: it validates messages between the VPN Concentrator and this NMS destination. If you leave this field blank, the default community string is public. Because public is the well-known default, enter a non-default string here, as recommended above for the SNMP server’s own community strings.
To configure default event handling and syslog formats, click the highlighted link that says “Click here to configure general event parameters.” To configure special event handling, see the Configuration | System | Events | Classes screens.
Figure 10-8: Configuration | System | Events | Syslog Servers screen

Syslog Server: Enter the IP address or hostname of the UNIX syslog server to receive event messages. (If you have configured a DNS server, you can enter a hostname; otherwise, enter an IP address.)

To configure default event handling, click the highlighted link that says “Click here to configure general event parameters.” To configure special event handling, see the Configuration | System | Events | Classes screens.

The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

Configuration | System | Events | General screen. To configure SMTP servers, see the Configuration | System | Events | SMTP Servers screen, or click the highlighted link that says “configure an SMTP server.”

The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

1-3 to email, all other events with no severity to email, and bob@altiga.com to receive email events of severity levels 1-2, then bob will receive only IPSEC events of severity levels 1-2.
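The rule behind that example (an event reaches a mailbox only when the class's email range and the recipient's own range both include its severity) is modelled in the following added example. It is not code from the guide or from Cisco. The Handling and EventConfig structures, the assumption that a per-class entry replaces the defaults for that class, and the sample events are constructed; the defaults of console 1-3 and log 1-5 and the IPSEC/bob@altiga.com figures come from the text above.

```python
"""Added example (not from the VPN 3000 guide): how default event handling,
per-class overrides and per-recipient severity filters combine into a
delivery decision for one event."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Inclusive (low, high) severity range, or None for "send nothing".
SevRange = Optional[Tuple[int, int]]


@dataclass
class Handling:
    """Severities sent to each destination, as on the General / Classes screens."""
    console: SevRange = (1, 3)   # guide default: console shows severity 1-3
    log: SevRange = (1, 5)       # guide default: log records severity 1-5
    syslog: SevRange = None
    trap: SevRange = None
    email: SevRange = None


@dataclass
class EventConfig:
    default: Handling
    # Assumption of this model: a class entry replaces the defaults for that class.
    by_class: Dict[str, Handling] = field(default_factory=dict)
    # Email recipient -> severities that recipient is configured to receive.
    recipients: Dict[str, SevRange] = field(default_factory=dict)


def in_range(severity: int, rng: SevRange) -> bool:
    return rng is not None and rng[0] <= severity <= rng[1]


def route_event(cfg: EventConfig, event_class: str, severity: int) -> Tuple[Set[str], List[str]]:
    """Return (destinations, email recipients) for one event.

    Email goes to a recipient only when both the class's email range and the
    recipient's own range include the severity: the intersection the guide's
    example describes."""
    h = cfg.by_class.get(event_class, cfg.default)
    dests = {name for name in ("console", "log", "syslog", "trap")
             if in_range(severity, getattr(h, name))}
    mail = [addr for addr, rng in cfg.recipients.items()
            if in_range(severity, h.email) and in_range(severity, rng)]
    return dests, sorted(mail)


# The guide's example: IPSEC events 1-3 to email, no email for other classes,
# and bob accepts only severities 1-2.
EXAMPLE_CFG = EventConfig(
    default=Handling(email=None),
    by_class={"IPSEC": Handling(email=(1, 3))},
    recipients={"bob@altiga.com": (1, 2)},
)

if __name__ == "__main__":
    for cls, sev in (("IPSEC", 2), ("IPSEC", 3), ("L2TP", 1), ("IPSEC", 4)):
        print(cls, sev, route_event(EXAMPLE_CFG, cls, sev))
```

With this configuration an IPSEC event of severity 3 goes to the console and the log but to nobody's mailbox, because bob's own range stops at 2; an L2TP event of severity 1 is never mailed at all, since the default handling has no email range.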
Manager window. To discard your entry, click Cancel. The Manager returns to the Configuration | System | Events | Email Recipients screen, and the Email Recipients list is unchanged.
End of Chapter

CHAPTER General
General configuration parameters include VPN 3000 Concentrator environment items: system identification, time, and date.
Configuration | System | General
This section of the Manager lets you configure general VPN Concentrator parameters.
• Identification: system name, contact person, system location.

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window. To discard your settings, click Cancel. The Manager returns to the Configuration | System | General screen.

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window. To discard your settings, click Cancel. The Manager returns to the Configuration | System | General screen.
End of Chapter

CHAPTER User Management
Groups and users are core concepts in managing the security of VPNs and in configuring the VPN 3000 Concentrator. Groups and users have attributes, configured via parameters, that determine their access to and use of the VPN.
Concentrator. You also apply filters to network interfaces, and thus govern all data traffic through the VPN Concentrator. See the Configuration | Policy Management | Traffic Management screens.
• We can supply a “dictionary” of Cisco-specific user and group parameters for external RADIUS servers.

This screen includes three tabbed sections. Click each tab to display its parameters. As you move from tab to tab, the Manager retains your settings. When you have finished setting parameters on all tabbed sections, click Apply or Cancel.

Never = No access at any time.
Business Hours = Access 9 a.m. to 5 p.m., Monday through Friday.
Additional named access hours that you have configured also appear on the list.

Filters consist of rules that determine whether to allow or reject tunneled data packets coming through the VPN Concentrator, based on criteria such as source address, destination address, and protocol. Cisco supplies three default filters, which you can modify. To configure filters and rules, see the Configuration | Policy Management | Traffic Management screens.

IPSec = IP Security Protocol (checked by default). IPSec provides the most complete architecture for VPN tunnels, and it is perceived as the most secure protocol. Both LAN-to-LAN (peer-to-peer) connections and client-to-LAN connections can use IPSec. The Cisco VPN 3000 Client is an IPSec client specifically designed to work with the VPN Concentrator.

During tunnel establishment, the client and server negotiate a Security Association that governs authentication, encryption, encapsulation, key management, and so on. You configure IPSec Security Associations on the Configuration | Policy Management | Traffic Management | Security Associations screens.

VPN Concentrator via a group name and password, and then the system authenticates a user via a username and password. If this box is not checked (the default), the system authenticates a user without regard to the user’s assigned group.

The Cisco VPN 3000 Client (IPSec client) supports Mode Configuration, but other IPSec clients may not. For example, the Microsoft Windows 2000 IPSec client does not support Mode Configuration. (The Windows 2000 client uses the PPP layer above L2TP to receive its IP address from the VPN Concentrator.) Determine compatibility before using this option with other vendors’

Configuration to push it to, and enable it on, the IPSec client. You must create a Network List before you can enable split tunneling. See the Configuration | Policy Management | Traffic Management | Network Lists screens.

Registered Ports range. The Cisco VPN 3000 Client must also be configured to use this feature (it is configured to use it by default). The VPN Client Connection Status dialog box indicates if the feature is being used. See the VPN 3000 Client User Guide.
Unchecking all authentication options means that no authentication is required. That is, PPTP users can connect with no authentication. This configuration is allowed so you can test connections, but it is not secure.

Microsoft encryption (MPPE) uses this algorithm. This option is checked by default. If you check Required, you must check this option and/or the 40-bit option. The U.S. government restricts the distribution of 128-bit encryption software.

However, it might perform better in a lossy environment (where packets are lost), such as the Internet. This option is not checked by default. Do not check this option if you use NT Domain user authentication; NT Domain authentication cannot negotiate encryption.

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window. To discard your settings, click Cancel. The Manager returns to the Configuration | User Management screen.

Figure 12-5: Configuration | User Management | Groups screen
Current Groups: The Current Groups list shows configured groups in alphabetical order, and whether they are internal or external. If no groups have been configured, the list shows --Empty--.

The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

Figure 12-6: Configuration | User Management | Groups | Add or Modify (Internal) screen, Identity tab
Identity Parameters tab: This tab lets you configure the name, password, and authentication server type for this group.

External = Use an external authentication server, such as RADIUS, for this group. If you select this type, ignore the rest of the tabs and parameters on this screen. The external server supplies the group parameters if it can; otherwise the base-group parameters apply.

• The Inherit? check box refers to base-group parameters: Does this specific group inherit the given setting from the base group? To inherit the setting, check the box (default). To override the base-group

The minimum is 1, and the maximum is 2147483647 minutes (over 4000 years). To disable timeout and allow an unlimited idle period, enter

Filters consist of rules that determine whether to allow or reject tunneled data packets coming through the VPN Concentrator, based on criteria such as source address, destination address, and protocol. Cisco supplies three default filters, which you can modify. To configure filters and rules, see the Configuration screens.

IPSec = IP Security Protocol. IPSec provides the most complete architecture for VPN tunnels, and it is perceived as the most secure protocol. Both LAN-to-LAN (peer-to-peer) connections and client-to-LAN connections can use IPSec. The Cisco VPN 3000 Client is an IPSec client specifically designed to work with the VPN Concentrator. However, the VPN Concentrator can establish IPSec connections with many protocol-compliant clients.

This tab lets you configure IP Security Protocol parameters that apply to this internally configured group. If you checked IPSec or L2TP over IPSec under Tunneling Protocols on the General Parameters tab, configure this section.

IPSec traffic (with ESP applied only to the transport layer segment), and it uses Triple-DES 168-bit data encryption and MD5/HMAC-128 for the IKE tunnel. Use this SA with the L2TP over IPSec tunneling protocol. Additional SAs that you have configured also appear on the list.

Security Associations. If you check this box, configure the desired Mode Configuration Parameters below; otherwise, ignore them. To use split tunneling, you must check this box. If you checked L2TP over IPSec under Tunneling Protocols, do not check this box.
IPSec through NAT: Check the box to allow the Cisco VPN 3000 Client (IPSec client) to connect to the VPN Concentrator via UDP through a firewall or router using NAT.
IPSec through NAT UDP Port: Enter the UDP port number to use if you allow IPSec through NAT. Enter a number in the range 4001 through 49151;

MSCHAPv1 = Microsoft Challenge-Handshake Authentication Protocol version 1. This protocol is similar to, but more secure than, CHAP. In response to the server challenge, the client returns the encrypted [challenge plus encrypted password], with a cleartext username. Thus the server stores

You can allow a group to use fewer protocols than the base group, but not more. You cannot allow a grayed-out protocol.
PAP = Password Authentication Protocol. This protocol passes the username and password in cleartext during authentication and is not secure. We strongly recommend that you not allow this protocol.

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window. To discard your settings, click the Cancel button. The Manager returns to the Configuration | User Management | Groups screen, and the Current Groups list is unchanged.

Apply, so you can configure all the parameters.
External = To use only an external authentication server, such as RADIUS, keep this selection. The external server supplies the group parameters if it can; otherwise the base-group parameters apply.

• Users who are not members of a specific group are, by default, members of the base group. Therefore, to ensure maximum security and control, you should assign all users to appropriate specific groups, and you should configure base-group parameters carefully.
Figure 12-11: Configuration | User Management | Users screen

This screen includes four tabbed sections. Click each tab to display its parameters. As you move from tab to tab, the Manager retains your settings. When you have finished setting parameters on all tabbed sections, click Add / Apply or Cancel.

Click the drop-down menu button and select the group to which you assign this user. The list shows specific groups you have configured, plus:
--Base Group-- = The default group with its base-group parameters.

Figure 12-13: Configuration | User Management | Users | Add or Modify screen, General tab
General Parameters tab: This tab lets you configure general access, performance, and allowed tunneling protocols that apply to this user.
• The Value column thus shows either group parameter settings that also apply to this user (Inherit? checked), or unique parameter settings configured for this user (Inherit? cleared). You cannot configure a grayed-out parameter.

Check the box to allow this IPSec user (client) to store the login password on the client system. If you do not allow password storage, IPSec users must enter their password each time they seek access to the VPN. For maximum security, we recommend that you not allow password storage.
MSCHAPv2 = Microsoft Challenge-Handshake Authentication Protocol version 2. This protocol is even more secure than MSCHAPv1. It requires mutual client-server authentication, uses session-unique keys for data encryption by MPPE, and derives different encryption keys for the send and receive paths.

Manager window. To discard your settings, click Cancel. The Manager returns to the Configuration | User Management | Users screen, and the Current Users list is unchanged.
End of Chapter
You configure “what data traffic can flow through it” under Traffic Management, and it is a bit more complex. The Cisco VPN 3000 Concentrator hierarchy is straightforward, however: you use filters that consist of rules, and for IPSec rules you apply Security Associations (SAs). Therefore, you first construct (configure) rules and SAs, then use them to construct filters.

VPN Concentrator. You assign access hours to groups and users under Configuration | User Management. Access hours do not apply to LAN-to-LAN connections.
Figure 13-2: Configuration | Policy Management | Access Hours screen

Configuration | Policy Management | Access Hours
Current Access Hours: The Current Access Hours list shows the names of configured access times. The Cisco-supplied default access times are:
Never = No access at any time.
Business Hours = Monday through Friday, 9 a.m. to 5 p.m.

Enter or edit hours in the range fields. Times are inclusive: starting time through ending time. Enter times as HH:MM:SS. Use 24-hour notation; for example, enter 5:30 p.m. as 17:30. By default, all ranges are 00:00:00 to 23:59:59.
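The following added example ties the access-hours ranges described here to the group and user parameters of the User Management chapter: effective parameters resolve from base group to group to user through the Inherit? flags, a group may allow fewer tunneling protocols than its parent but not more, and a connection is admitted only inside an inclusive HH:MM:SS range for the current weekday. It is not code from the guide or from Cisco. The parameter names, the one-range-per-weekday model of access hours, the "Ops On-Call" entry and the sample hierarchy are constructed; Never and Business Hours follow the definitions above.

```python
"""Added example (not from the VPN 3000 guide): parameter inheritance
(base group -> group -> user), the protocol-subset rule, and an inclusive
access-hours check."""
from datetime import datetime, time
from typing import Any, Dict, FrozenSet, Optional, Tuple, Union

WEEKDAYS = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")   # datetime.weekday() order

# Named access hours: weekday -> inclusive (start, end) in 24-hour HH:MM:SS.
# Constructed model: a weekday with no entry is closed; the guide's default
# range 00:00:00 to 23:59:59 opens a whole day.
ACCESS_HOURS: Dict[str, Dict[str, Tuple[str, str]]] = {
    "Never": {},
    "Business Hours": {d: ("09:00:00", "17:00:00") for d in WEEKDAYS[:5]},
    "Ops On-Call": {d: ("00:00:00", "23:59:59") for d in WEEKDAYS},   # constructed entry
}


def parse_hhmmss(text: str) -> time:
    hours, minutes, seconds = (int(part) for part in text.split(":"))
    return time(hours, minutes, seconds)


def access_allowed(hours_name: str, when: Union[datetime, str]) -> bool:
    """Inclusive check: 17:00:00 is still inside 09:00:00-17:00:00, 17:00:01 is not."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    rng = ACCESS_HOURS[hours_name].get(WEEKDAYS[when.weekday()])
    if rng is None:
        return False
    start, end = (parse_hhmmss(t) for t in rng)
    return start <= when.time().replace(microsecond=0) <= end


class Level:
    """One configuration level (base group, group, or user).

    A parameter missing from `overrides` is inherited from the parent (Inherit?
    checked); a parameter present here is this level's own value (Inherit? cleared)."""

    def __init__(self, name: str, overrides: Dict[str, Any],
                 parent: Optional["Level"] = None) -> None:
        if (parent is not None and "protocols" in overrides
                and not protocols_allowed(parent, overrides["protocols"])):
            raise ValueError(f"{name}: cannot allow protocols the parent level disallows")
        self.name, self.parent, self.overrides = name, parent, dict(overrides)

    def effective(self) -> Dict[str, Any]:
        inherited = self.parent.effective() if self.parent is not None else {}
        return {**inherited, **self.overrides}


def protocols_allowed(parent: Level, protocols: FrozenSet[str]) -> bool:
    """A level may allow fewer tunneling protocols than its parent, but not more."""
    return protocols <= parent.effective()["protocols"]


def user_may_connect(user: Level, when: Union[datetime, str], protocol: str) -> bool:
    params = user.effective()
    return protocol in params["protocols"] and access_allowed(params["access_hours"], when)


# Constructed sample hierarchy; parameter names are illustrative, not the screen labels.
BASE_GROUP = Level("--Base Group--", {
    "access_hours": "Business Hours",
    "idle_timeout_minutes": 30,
    "protocols": frozenset({"PPTP", "L2TP", "IPSec"}),
    "allow_password_storage": False,
})
ENGINEERING = Level("engineering",
                    {"protocols": frozenset({"IPSec"}), "access_hours": "Ops On-Call"},
                    parent=BASE_GROUP)
ALICE = Level("alice", {"idle_timeout_minutes": 10}, parent=ENGINEERING)
BOB = Level("bob", {"access_hours": "Business Hours"}, parent=ENGINEERING)

if __name__ == "__main__":
    print(ALICE.effective())
    print(user_may_connect(ALICE, "2024-06-08T03:00:00", "IPSec"))   # Saturday night, on-call
    print(user_may_connect(BOB, "2024-06-08T03:00:00", "IPSec"))     # Saturday, business hours only
```

Note the direction of the protocol rule: ENGINEERING narrows the base group to IPSec only, so a user under it cannot be granted PPTP even by an explicit override, which is what the Manager's grayed-out check boxes enforce.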
You also apply filters to groups and users under Configuration | User Management; these filters apply to tunneled traffic only.
Figure 13-4: Configuration | Policy Management | Traffic Management screen

To delete a configured network list, select the list and click Delete. If the network list is configured on a filter rule or an IPSec LAN-to-LAN connection, the Manager displays an error message indicating the

Ethernet 1 (Private) interface. It generates this list by reading the routing table, and Inbound RIP must be enabled on that interface.
Figure 13-6: Configuration | Policy Management | Traffic Management | Network Lists | Add, Modify, or Copy screens

Manager window. To discard your settings, click Cancel. The Manager returns to the Configuration | Policy Management | Traffic Management | Network Lists screen, and the Network Lists field is unchanged.

The rules are listed in the order they are configured. Cisco supplies several default rules that you can modify and use. See Table 13-1 for their parameters, and see Configuration | Policy Management | Traffic Management | Rules | Add for explanations of the parameters.

Table 13-1 (excerpt):
Rule Name | Direction | Protocol | TCP Connection | Source Port | Destination Port
(continued) | | | Don’t Care | LDAP (389) | Range 0-65535
OSPF In | Inbound | OSPF | | |
OSPF Out | Outbound | OSPF | | |
Outgoing HTTP In | Inbound | | Don’t Care | HTTP (80) | Range 0-65535
Outgoing HTTP Out | Outbound | | Don’t Care | Range 0-65535 | HTTP (80)

On the Modify screen, any changes take effect as soon as you click Apply. Changes affect all filters that use this rule. If this rule is being used by an active filter, changes may affect tunnel traffic.
Configuration | Policy Management | Traffic Management | Rules | Add, Modify, or Copy
Figure 13-8: Configuration | Policy Management | Traffic Management | Rules | Add, Modify, or Copy screen

LAN-to-LAN connection; see Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN.
Protocol or Other: This parameter refers to the IANA (Internet Assigned Numbers Authority)-assigned protocol number in an IP packet. The descriptions below include the IANA number [in brackets] for reference.

Otherwise, you can select Use IP Address/Wildcard-mask below, which lets you enter a network address. If you select a configured network list, the Manager ignores entries in the IP Address and Wildcard-mask fields.

Thus an IP address plus a port number uniquely identifies a process on a network host. Only the TCP and UDP protocols use port numbers. The Internet

Range = To specify a range of port numbers, or to specify a port not on the Cisco-supplied list, select Range here (the default selection) and enter, in the Range [start] to [end] fields, the inclusive range of port numbers that this rule applies to. To specify a single port number, enter the same number in both fields.
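An added filter evaluator, not code from the guide or from Cisco, that applies the rule semantics of this section: direction, IANA protocol number, address plus wildcard mask (a 0 mask bit must match, a 1 bit is ignored), inclusive port ranges consulted for TCP and UDP only, and first match in configured order. It reconstructs the Table 13-1 rows visible above; the Forward action on those rows, the "No Telnet Out" site rule, the drop-by-default behaviour of the evaluator, and the sample packets are constructed.

```python
"""Added example (not from the VPN 3000 guide): a first-match packet filter
built from rules with the fields the Rules screen exposes."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY_NET = ("0.0.0.0", "255.255.255.255")   # address, wildcard mask: match everything
ANY_PORTS = (0, 65535)                      # "Range 0-65535" in the default rules
TCP, UDP, OSPF = 6, 17, 89                  # IANA protocol numbers


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str                      # "in" or "out"
    action: str                         # "forward" or "drop"
    protocol: Optional[int] = None      # None = any protocol
    src: Tuple[str, str] = ANY_NET      # (address, wildcard mask)
    dst: Tuple[str, str] = ANY_NET
    sport: Tuple[int, int] = ANY_PORTS  # inclusive range, TCP/UDP only
    dport: Tuple[int, int] = ANY_PORTS


@dataclass(frozen=True)
class Packet:
    direction: str
    protocol: int
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


def wildcard_match(addr: str, rule_addr: str, wildcard: str) -> bool:
    """Cisco-style wildcard mask: a 0 bit must match, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    r = int(ipaddress.IPv4Address(rule_addr))
    w = int(ipaddress.IPv4Address(wildcard))
    return ((a ^ r) & ~w) == 0


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.direction != pkt.direction:
        return False
    if rule.protocol is not None and rule.protocol != pkt.protocol:
        return False
    if not (wildcard_match(pkt.src, *rule.src) and wildcard_match(pkt.dst, *rule.dst)):
        return False
    # Only TCP and UDP carry port numbers; port fields are ignored for other protocols.
    if pkt.protocol in (TCP, UDP):
        if not (rule.sport[0] <= pkt.sport <= rule.sport[1]):
            return False
        if not (rule.dport[0] <= pkt.dport <= rule.dport[1]):
            return False
    return True


def apply_filter(rules: List[Rule], pkt: Packet, default: str = "drop") -> Tuple[str, Optional[str]]:
    """Rules are tested in configured order; the first match decides."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action, rule.name
    return default, None


# The Table 13-1 rows shown above (Forward action assumed).
DEFAULT_RULES = [
    Rule("OSPF In", "in", "forward", protocol=OSPF),
    Rule("OSPF Out", "out", "forward", protocol=OSPF),
    # Return traffic of browsing from the private network: source port 80, any destination port.
    Rule("Outgoing HTTP In", "in", "forward", protocol=TCP, sport=(80, 80)),
    Rule("Outgoing HTTP Out", "out", "forward", protocol=TCP, dport=(80, 80)),
]

# A constructed site rule placed ahead of the defaults: drop outbound Telnet from 10/8.
SITE_RULES = [Rule("No Telnet Out", "out", "drop", protocol=TCP,
                   src=("10.0.0.0", "0.255.255.255"), dport=(23, 23))] + DEFAULT_RULES

if __name__ == "__main__":
    samples = [
        Packet("in", TCP, "198.51.100.10", "10.0.0.5", sport=80, dport=40000),
        Packet("in", TCP, "198.51.100.10", "10.0.0.5", sport=443, dport=40000),
        Packet("in", OSPF, "10.0.0.1", "224.0.0.5"),
        Packet("out", TCP, "10.1.2.3", "198.51.100.10", sport=50000, dport=23),
    ]
    for pkt in samples:
        print(pkt, "->", apply_filter(SITE_RULES, pkt))
```

The second sample shows why "Outgoing HTTP In" is safe to place first: inbound TCP from port 443 fails its source-port test and falls through to the default drop, so the rule does not open the private side to arbitrary inbound connections.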
SA); and second, to govern traffic within—the use of—the tunnel (the IPSec SA). You must configure IKE proposals before configuring Security Associations. See Configuration | System | Tunneling Protocols | IPSec | IKE Proposals , or click the IKE Proposals link on this screen. 13-19 VPN 3000 Concentrator Series User Guide...
Page 270
IPSec Parameters section on the appropriate Configuration | User Management screens. You can use IPSec in both client-to-LAN (remote-access) configurations and LAN-to-LAN configurations. The Cisco VPN 3000 Client complies with the IPSec protocol and is specifically designed to work with the VPN Concentrator. However, the VPN Concentrator can establish IPSec connections with many protocol-compliant clients.
The IPSec SAs list shows the configured SAs that are available. The SAs are listed in the order they are configured. Cisco supplies default SAs that you can use or modify; see Table 13-2. See Configuration | Policy for explanations of the parameters.
On the Modify screen, any changes take effect as soon as you click Apply . If the SA is being used by an active filter rule or group, changes may affect tunnel traffic. 13-22 VPN 3000 Concentrator Series User Guide...
= One tunnel for every address pair within the address ranges specified in the rule. Each host uses a separate tunnel, and hence, separate keys. This selection is more secure but requires more processing overhead. 13-23 VPN 3000 Concentrator Series User Guide...
= Apply ESP encryption and authentication only to the transport layer segment (data only) of the original IP packet. This mode protects packet contents but not the ultimate source and destination addresses. Use this mode for Windows 2000 client compatibility. 13-24 VPN 3000 Concentrator Series User Guide...
If you select Time or Both under Lifetime Measurement above, enter the number of seconds after which the IPSec SA expires. Minimum is 60 seconds, default is 28800 seconds (8 hours), maximum is seconds (about 68 years). 2147483647 13-25 VPN 3000 Concentrator Series User Guide...
Click the drop-down menu button and select the option. The list shows any digital certificates that have been installed, plus: None (Use Preshared Keys) = Use preshared keys to authenticate the peer during Phase 1 IKE negotiations. This is the default selection. 13-26 VPN 3000 Concentrator Series User Guide...
= Use preshared keys and MD5/HMAC-128 for authentication. Use 3DES-168 IKE-3DES-MD5-DH1 encryption. Use D-H Group 1 to generate SA keys. This selection is compatible with the Cisco VPN 3000 Client. IKE-DES-MD5 = Use preshared keys and MD5/HMAC-128 for authentication. Use DES-56 encryption.
Action specified in the rule. If at least one rule parameter does not match, it applies the next rule; and so on. If no rule matches, the system takes the Default Action specified in the filter. 13-28 VPN 3000 Concentrator Series User Guide...
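A worked example of the rule-evaluation order just described, added to this page and not taken from the VPN Concentrator software or its documentation: rules are tried in configured order, a rule applies only when every parameter matches, the first such rule decides, and the filter's Default Action is taken when none matches. It also covers the two Rules-screen points above: address matching with a wildcard mask, and port ranges that only apply to TCP and UDP. Assumptions not stated on the page: wildcard masks follow the Cisco ACL convention (a 1 bit means "don't care"), "Don't Care" ports are expressed as Range 0-65535, and the actions are named "Forward" and "Drop". The sample filter, rule names and packets are constructed for illustration.

```python
"""Added example for this page, not Cisco code: a packet filter with the
evaluation order the Rules and Filters screens describe.

Assumptions not stated on the page: wildcard masks follow the Cisco ACL
convention (a 1 bit means "don't care"); "Don't Care" ports are the full
range 0-65535; actions are named "Forward" and "Drop". The sample filter
and packets below are constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

ICMP, TCP, UDP, OSPF = 1, 6, 17, 89          # IANA protocol numbers
PORT_ANY: Tuple[int, int] = (0, 65535)       # "Range 0-65535" = Don't Care
ANY_HOST = ("0.0.0.0", "255.255.255.255")    # (network, wildcard): every bit don't care


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """True if addr matches network under a Cisco-style wildcard mask:
    bits set to 1 in the wildcard are ignored, 0 bits must be equal."""
    a, n, w = (int(IPv4Address(x)) for x in (addr, network, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str                           # "Inbound" or "Outbound"
    action: str                              # "Forward" or "Drop"
    protocol: Optional[int] = None           # IANA number; None = Any
    src: Tuple[str, str] = ANY_HOST          # (network, wildcard mask)
    dst: Tuple[str, str] = ANY_HOST
    sport: Tuple[int, int] = PORT_ANY        # inclusive; single port = (p, p)
    dport: Tuple[int, int] = PORT_ANY


@dataclass(frozen=True)
class Packet:
    direction: str
    protocol: int
    src: str
    dst: str
    sport: Optional[int] = None              # None for protocols without ports
    dport: Optional[int] = None


def in_range(port: Optional[int], rng: Tuple[int, int]) -> bool:
    return port is not None and rng[0] <= port <= rng[1]


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Every rule parameter must match; one mismatch means 'try the next rule'."""
    if rule.direction != pkt.direction:
        return False
    if rule.protocol is not None and rule.protocol != pkt.protocol:
        return False
    if not (wildcard_match(pkt.src, *rule.src) and wildcard_match(pkt.dst, *rule.dst)):
        return False
    # Only TCP and UDP carry port numbers; the port fields are ignored otherwise.
    if pkt.protocol in (TCP, UDP):
        return in_range(pkt.sport, rule.sport) and in_range(pkt.dport, rule.dport)
    return True


def apply_filter(rules: List[Rule], pkt: Packet,
                 default_action: str = "Drop") -> Tuple[str, Optional[str]]:
    """First matching rule in configured order wins; otherwise the Default Action.
    Returns (action, name of the rule that matched or None)."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action, rule.name
    return default_action, None


# Constructed public-interface filter modelled on the Table 13-1 defaults:
# replies to outbound HTTP (source port 80) and OSPF are let in; everything
# else inbound falls through to the Default Action.
PUBLIC_FILTER = [
    Rule("Outgoing HTTP In", "Inbound", "Forward", TCP, sport=(80, 80)),
    Rule("OSPF In", "Inbound", "Forward", OSPF),
    Rule("Private LAN Out", "Outbound", "Forward", src=("10.0.0.0", "0.255.255.255")),
]

if __name__ == "__main__":
    reply = Packet("Inbound", TCP, "203.0.113.5", "10.10.1.35", sport=80, dport=40000)
    probe = Packet("Inbound", TCP, "203.0.113.5", "10.10.1.35", sport=40000, dport=80)
    print(apply_filter(PUBLIC_FILTER, reply))   # ('Forward', 'Outgoing HTTP In')
    print(apply_filter(PUBLIC_FILTER, probe))   # ('Drop', None)
```

The "Outgoing HTTP In" rule shows why the Caution on the default filters matters: it matches on source port 80 alone, so any inbound TCP segment whose sender chose source port 80 is forwarded, whatever the destination port. Without a stateful "Established" check, a rule like this is only as good as the Default Action and the rules that follow it.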
Configuration | User Management, and thus govern tunneled traffic through an interface. Caution: The Cisco-supplied default filters and rules are intended as templates that you should examine and configure to fit your network and security needs. If incorrectly configured, they could present security risks.
Filter List: The Filter List shows configured filters, listed in the order they are configured. Cisco supplies default filters that you can use and modify; see Table 13-3. Table 13-3: Cisco-supplied default filters (columns: Parameter, Private (Default), Public (Default)).
Note: On the Modify screen, any changes take effect as soon as you click Apply. If this filter is being used by an interface or group, changes may affect data traffic.
The Log actions are intended for use only while debugging filter activity. Since they generate and log an event for every matched packet, they consume significant system resources and may seriously degrade performance.
The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
Figure 13-15: Configuration | Policy Management | Traffic Management | Assign Rules to Filter screen. Filter Name: The name of the filter whose rules you are configuring. You cannot change this name here. (See Configuration | Policy Management | Traffic Management | Filters | Modify ...
You cannot remove a rule that is configured as part of a LAN-to-LAN connection. See the Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN | Add | Done screen.
... Policy Management | Traffic Management | Security Associations screens. Note: The change takes effect as soon as you click Apply. If this filter is being used by an interface or group, the change may affect tunnel traffic.
To discard the change and keep the current SA on the rule, click Cancel. The Manager returns to the Configuration | Policy Management | Traffic Management | Assign Rules to Filter screen for the filter you are configuring, and the Current Rules in Filter list is unchanged.
See Configuration | Policy Management | Traffic Management | NAT | Rules | Add for descriptions of the rules. You can change NAT rules while NAT is enabled. Doing so affects subsequent sessions, but not current sessions. Figure 13-18: Configuration | Policy Management | Traffic Management | NAT screen
• Provide FTP Proxy services for all private network addresses. • Map TCP/UDP ports in packets to and from all private network addresses. • Translate IP addresses for protocols that don't use ports (No Port Mapping).
Add: Configure and add a new NAT rule. Modify: Modify a previously configured NAT rule. You must configure a public interface on the VPN Concentrator before you can add a NAT rule. See the Configuration | Interfaces screens.
255.255.255.255. For example, to translate all private addresses in the 10. subdomain, enter 255.0.0.0. In the NAT Rules list, the subnet mask is shown as the number of 1s; for example, 255.255.0.0 is shown as /16.
To discard your settings, click Cancel. The Manager returns to the Configuration | Policy Management | Traffic Management | NAT | Rules screen, and the NAT Rules list is unchanged. End of Chapter
Chapter 14: Administration. Administering the VPN 3000 Concentrator Series involves activities that keep the system operational and secure. Configuring the system sets the parameters that govern its use and functionality as a VPN device, but administration involves higher level activities such as who is allowed to configure the system, and what software runs on it.
Figure 14-1: Administration screen
You can also click a session's name to see detailed parameters and statistics for that session. See Administration | Sessions | Detail. Figure 14-2: Administration | Sessions screen. Refresh: To refresh the statistics, click Refresh.
The number of PPTP, L2TP, IPSec remote-access user, L2TP over IPSec, and IPSec through NAT sessions that are currently active. Active Management Sessions: The number of administrator management sessions that are currently active.
The IP address of the remote peer VPN Concentrator or other secure gateway that initiated this LAN-to-LAN connection. Protocol, Encryption, Login Time, Duration, Actions: See Table 14-1 on page 14-7 for definitions of these parameters.
The administrator username or login name for the session. The lock icon indicates the administrator who has the configuration lock, i.e., who has the right to make changes to the active system configuration. See Configuration locked by below.
(see the Administration | Access Rights | Access Settings screen). For example, an administrator who is just viewing and refreshing statistics on a Monitoring screen for longer than the timeout period loses the lock.
See Table 14-2 on page 14-12 for definitions of the session detail parameters, in alphabetical order. Figure 14-4: Administration | Sessions | Detail screen: IPSec LAN-to-LAN
Figure 14-5: Administration | Sessions | Detail screen: IPSec remote access user
Figure 14-6: Administration | Sessions | Detail screen: IPSec through NAT. Figure 14-7: Administration | Sessions | Detail screen: L2TP
The total number of IKE (IPSec Phase 1) sessions; usually 1. These sessions establish the tunnel for IPSec traffic. IP Address: The IP address of the remote peer VPN Concentrator or other secure gateway that initiated the IPSec LAN-to-LAN connection.
The UDP port number used in an IPSec through NAT connection. Username: The username or login name for the session. If the client is using a digital certificate for authentication, the field shows the Subject CN or Subject OU from the certificate.
The new image file must be accessible by the workstation you are using to manage the VPN Concentrator. Software image files ship on the Cisco VPN 3000 Concentrator CD-ROM. Updated or patched versions are available from the Cisco Website, www.cisco.com, under Service & Support > ...
Enter the complete pathname of the new image file, or click Browse... to find and select the file from your workstation or network. Cisco-supplied VPN 3000 Concentrator software image files are named: Model 3005 = vpn3005.<Major Version>.<Minor Version>.<Patch Version>.bin; ...
Software Update Error: This window appears if there was an error in uploading or verifying the image file. You may have selected the wrong file. Try the update again, or contact Cisco support. Figure 14-15: Administration | Software Update Error screen
See Configuration | System | Events | General, Administration | File Management, and Monitor | Event Log for more information on the event log file. Figure 14-16: Administration | System Reboot screen
Apply / Cancel: To take action with the selected options, click Apply. The Manager returns to the main Administration screen if you don't reboot or shut down now.
If the system is reachable, the Manager displays a Success screen with the name of the tested host. Figure 14-18: Administration | Ping | Success screen. Continue: To return to the Administration | Ping screen, click Continue.
Enter the refresh period in seconds. Minimum is 1, default is 30, and maximum is 2000000000 seconds (about 63 years). Very short periods may affect system performance. The refresh period timer begins after the Manager fully displays a given screen.
• 1 - admin = System administrator with access to, and rights to change, all areas. This is the only administrator enabled by default; i.e., this is the only administrator who can log in to, and use, the VPN Concentrator Manager as supplied by Cisco. • 2 - config = Configuration administrator with all rights except SNMP access.
Figure 14-22: Administration | Access Rights | Administrators screen. Group Number: This is a reference number for the administrator. Cisco assigns these numbers so you can refer to administrators by groups of properties. The numbers cannot be changed. Username: The username, or login name, of the administrator.
This screen lets you modify the username, password, and rights for an administrator. Any changes affect new sessions as soon as you click Apply or Default. Figure 14-23: Administration | Access Rights | Administrators | Modify Properties screen
Enter or edit the unique password for this administrator. Maximum is 31 characters. The field displays only asterisks. Note: The default password that Cisco supplies is the same as the username. We strongly recommend that you change this password. Verify: Re-enter the password to verify it.
The Manager returns to the Administration | Access Rights | Administrators screen. To restore the Cisco-supplied access rights for this administrator, and to save your settings in nonvolatile memory, click Default. The settings take effect immediately. This action does not restore the default username or password.
To change the priority order for configured manager workstations, select the entry from the list and click Move ↑ or Move ↓. The Manager refreshes the screen and shows the reordered Manager Workstations list.
To change the priority, use the Move buttons on the Administration | Access Rights | Access Control List screen. IP Address: Enter the IP address of the workstation in dotted decimal notation; e.g., 10.10.1.35.
Enter the idle timeout period in seconds for administrative sessions. If there is no activity for this period, the VPN Concentrator Manager session terminates. Minimum is 1, default is 600, and maximum is 1800 seconds (30 minutes).
• Swap Configuration Files: swap backup and boot configuration files. • TFTP Transfer: use TFTP to transfer files to and from the VPN Concentrator. Figure 14-27: Administration | File Management screen
The size of the file in bytes. Date/Time: The date and time the file was created. The format is MM/DD/YY HH:MM:SS, with time in 24-hour notation. For example, 05/07/99 15:20:24 is May 7, 1999 at 3:20:24 PM.
Filenames must adhere to the 8.3 naming convention. If you confirm, the Manager refreshes the screen and shows the revised list of files.
... Rights | Administrators | Modify Properties. You can list, view, and manage VPN Concentrator files on the Administration | File Management | Files screen. Figure 14-30: Administration | File Management | TFTP Transfer screen
The Manager then displays either a Success or Error screen; see below. To cancel your settings on this screen, click Cancel. The Manager returns to the main Administration screen.
“A” trusts “B,” and “B” trusts “C,” therefore “A” trusts “C.” CAs issue root certificates (also known as trusted or signing certificates). They may also issue subordinate trusted certificates. Finally, CAs issue identity certificates, which are the certificates for ...
VPN Concentrator is correct and synchronized with network time. See Configuration | System | Servers | NTP and Configuration | System | General | Time and Date. Figure 14-33: Administration | Certificate Management screen
(format, content, and syntax). You must at least enter the Common Name (CN). All entries may appear in your identity certificate. When you click Apply, the system generates a certificate request; see the Administration | Certificate Management | Enrollment | Request Generated screen.
Enter the name for the department or other organizational unit to which this VPN Concentrator belongs; e.g., CPU Design. Spaces are allowed. Organization (O): Enter the name for the company or organization to which this VPN Concentrator belongs; e.g., Altiga Networks. Spaces are allowed.
Enter the fully qualified domain name for this VPN Concentrator that identifies it in this PKI; e.g., vpn3030.altiga.com. This field is optional. The alternative name is an additional data field in the certificate, and it provides interoperability with many Cisco IOS and PIX systems in LAN-to-LAN connections. Key Size: Click the drop-down menu button and select the algorithm for generating the public-key / private-key pair, and the key size.
Some CAs let you paste the request on a Web interface, some ask you to send a file; use the method your CA requires. Figure 14-36: Browser window with PKCS-10 certificate request. Close this browser window when you are finished.
You can also install an SSL server identity certificate issued in a PKI context (not a self-signed SSL certificate). If you install such a certificate, it replaces any self-signed SSL certificate. The VPN Concentrator can have only one SSL certificate, regardless of type.
Complete this field only if you select an import with Private Key certificate type. Enter the password for the private key. Verify: Complete this field only if you select an import with Private Key certificate type. Re-enter the private key password to verify it.
Administration | Certificate Management | Certificates | CRL screen; see below. To delete this certificate from the VPN Concentrator, click Delete. The Manager opens the Administration | Certificate Management | Certificates | Delete screen; see below.
X.520 terminology, and they echo the fields on the Administration | Certificate Management | Enrollment screen. Common Name: the name of a person, system, or other entity. This is the lowest (most specific) level in the identification hierarchy.
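Both the Username field on the Sessions | Detail screens (Subject CN, or Subject OU when the certificate carries no CN) and the X.520 hierarchy described here come down to picking attributes out of a distinguished name. The following parser is an added example written for this page, not code from the VPN Concentrator. It assumes the DN is supplied as a comma-separated TYPE=value string in the RFC 2253 style, most specific attribute first, with a backslash escaping a literal comma; the sample DNs are constructed.

```python
"""Added example for this page (not VPN Concentrator code): split an X.500
distinguished name into attribute/value pairs and derive the session
username the way the Sessions screens describe it (Subject CN, falling back
to Subject OU).

Assumed input: a comma-separated TYPE=value string in the RFC 2253 style,
most specific attribute first, with a backslash escaping a literal comma or
other special character. Sample DNs are constructed."""
from typing import List, Optional, Tuple

RDN = Tuple[str, str]


def parse_dn(dn: str) -> List[RDN]:
    """Return [(TYPE, value), ...] in written order; TYPE is upper-cased."""
    parts: List[str] = []
    buf: List[str] = []
    escaped = False
    for ch in dn:
        if escaped:                  # keep the escaped character literally
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":              # an unescaped comma ends this RDN
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    if escaped:
        raise ValueError("dangling escape at end of DN")
    parts.append("".join(buf))

    rdns: List[RDN] = []
    for part in parts:
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        typ, val = part.split("=", 1)
        rdns.append((typ.strip().upper(), val.strip()))
    return rdns


def first_attr(rdns: List[RDN], typ: str) -> Optional[str]:
    """First value of an attribute type (the most specific one in CN, OU, O, C order)."""
    for t, v in rdns:
        if t == typ:
            return v
    return None


def session_username(subject_dn: str) -> Optional[str]:
    """Subject CN if present, else Subject OU, else None (nothing identifies the peer)."""
    rdns = parse_dn(subject_dn)
    return first_attr(rdns, "CN") or first_attr(rdns, "OU")


if __name__ == "__main__":
    dn = "CN=vpn3030.altiga.com,OU=CPU Design,O=Altiga,C=US"
    print(parse_dn(dn))
    print(session_username(dn))   # vpn3030.altiga.com
```

The fallback to OU is the point to watch when auditing sessions: an OU names a department, not a person, so several certificates issued to the same organizational unit will all show the same "username" unless the CA's issuance policy guarantees a unique CN per subject.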
The algorithm and size of the public key contained in this certificate. Certificate Usage: The purpose of the key contained in the certificate; e.g., digital signature, certificate signing, nonrepudiation, key or data encipherment, etc.
The fully qualified domain name for this VPN Concentrator that identifies it in this PKI. The alternative name is an optional additional data field in the certificate, and it provides interoperability with many Cisco IOS and PIX systems in LAN-to-LAN connections. CRL Distribution Point: The distribution point for CRLs (Certificate Revocation Lists) from this CA.
Otherwise, ignore them. Contact the security administrator at the CA to get the proper entries for these fields. Server: Enter the IP address or hostname of the CRL distribution point server (LDAP server). Maximum 32 characters.
To configure CRL checking for this certificate, click Apply. The Manager returns to the Administration | Certificate Management | Certificates screen. To discard your settings, click Cancel. The Manager returns to the Administration | Certificate Management | Certificates screen.
To retain this certificate, click No. The Manager returns to the Administration | Certificate Management | Certificates screen, and the certificates are unchanged. End of Chapter
Chapter 15: Monitoring. The VPN 3000 Concentrator tracks many statistics and the status of many items essential to system administration and management. This section of the Manager lets you view all those status items and statistics.
To configure routing, see the Configuration | System | IP Routing and Configuration | Interfaces screens. Figure 15-2: Monitor | Routing Table screen. Refresh: To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated.
OSPF = learned via Open Shortest Path First protocol. Static = configured static route. Local = local VPN Concentrator interface address. ICMP = learned from an ICMP (Internet Control Message Protocol) redirect message. Default = the default gateway.
To Get, Save, or Clear the event log file, you must have Access Rights to Read/Write Files. See the Administration | Access Rights | Administrators | Modify Properties screen. Figure 15-3: Monitor | Event Log screen
Oldest to Newest = Display events in actual chronological order, with oldest events at the top of the screen. This is the default selection. Newest to Oldest = Display events in reverse chronological order, with newest events at the top of the screen.
If the filename you enter is the same as an existing file, the browser overwrites the existing file without asking for confirmation. To list and manage files on the VPN Concentrator, see the Administration | File Management screen.
Event severity: The severity level of the event; for example, SEV=4 identifies an event of severity level 4. See Table 10-2 under Configuration | System | Events for an explanation of severity levels.
For example, HTTP/47 identifies that an administrator logged in to the VPN Concentrator using HTTP to connect to the Manager. Table 10-1 under Configuration | System | Events describes the event classes. The internal reference number assists Cisco support personnel if they need to examine a log file.
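An added example, not from the manual, that parses the event-log fields named above (severity as SEV=n, event class and number as CLASS/n) and flags administrator logins (HTTP/47) coming from addresses outside the manager-workstation list. The line layout (sequence number, date, time, SEV=, CLASS/number, an optional RPT= repeat count, then the message beginning with the source address) and the severity ordering (lower number = more severe, consistent with a SEP failure being logged at level 2) are assumptions; the sample lines are constructed, and only HTTP/47 is an event code the page itself names.

```python
"""Added example for this page (not Cisco code): parse VPN Concentrator-style
event log lines and pull out the security-relevant ones.

Assumed line layout (constructed, modelled on the fields the manual names):
  <seq> <MM/DD/YY> <HH:MM:SS> SEV=<n> <CLASS>/<num> [RPT=<k>] <message>
Only HTTP/47 (administrator login over HTTP) is an event code taken from the
page; the other class/number pairs below are placeholders."""
import re
from collections import Counter
from typing import Dict, List, Optional, Set

EVENT_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<date>\d\d/\d\d/\d\d)\s+(?P<time>\d\d:\d\d:\d\d)\s+"
    r"SEV=(?P<sev>\d)\s+(?P<cls>[A-Z0-9]+)/(?P<num>\d+)"
    r"(?:\s+RPT=(?P<rpt>\d+))?\s*(?P<msg>.*)$"
)

# Constructed sample log; addresses are documentation ranges.
SAMPLE_LOG = """\
101 07/18/00 10:13:42 SEV=4 HTTP/47 RPT=1 10.10.1.35 New administrator login: admin
102 07/18/00 10:14:07 SEV=4 HTTP/47 RPT=1 203.0.113.9 New administrator login: admin
103 07/18/00 10:20:00 SEV=2 HWDIAG/12 RPT=1 SEP module 1 failed
104 07/18/00 10:21:31 SEV=5 IKE/22 RPT=3 192.0.2.77 IKE Phase 1 complete
this line is not an event
"""


def parse_event(line: str) -> Optional[Dict]:
    """Return the event fields as a dict, or None if the line is not an event."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["seq"], ev["sev"], ev["num"] = int(ev["seq"]), int(ev["sev"]), int(ev["num"])
    ev["rpt"] = int(ev["rpt"]) if ev["rpt"] else 1     # RPT absent = seen once
    return ev


def parse_log(text: str) -> List[Dict]:
    """Parse every line, silently skipping lines that are not events."""
    return [ev for ev in (parse_event(l) for l in text.splitlines()) if ev]


def admin_logins(events: List[Dict], trusted_workstations: Set[str]) -> List[Dict]:
    """HTTP/47 marks an administrator login over HTTP. Flag logins whose source
    address is not in the Manager workstation access list."""
    hits = []
    for ev in events:
        if ev["cls"] == "HTTP" and ev["num"] == 47:
            src = ev["msg"].split()[0]            # assumed: message starts with source IP
            hits.append({"seq": ev["seq"], "ip": src,
                         "trusted": src in trusted_workstations})
    return hits


def at_least_as_severe(events: List[Dict], level: int) -> List[Dict]:
    """Lower severity numbers are more severe (assumed; a SEP failure logs at 2)."""
    return [ev for ev in events if ev["sev"] <= level]


def count_by_class(events: List[Dict]) -> Counter:
    return Counter(ev["cls"] for ev in events)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for hit in admin_logins(evs, {"10.10.1.35"}):
        if not hit["trusted"]:
            print(f"event {hit['seq']}: admin login from untrusted host {hit['ip']}")
    print(count_by_class(evs))
```

Run over the sample, the second login (from 203.0.113.9) is reported because that address is not in the trusted set; in practice the trusted set is the Administration | Access Rights | Access Control List, and a login from outside it is worth an alert even when the credentials were valid.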
This screen shows the status of several software and hardware variables at the time the screen displays. From this screen you can also display the status and statistics for SEP modules, system power supplies, and network interfaces. Figure 15-4: Monitor | System Status screen Model 3005 Model 3015–3080 15-9 VPN 3000 Concentrator Series User Guide...
The bootcode is installed at the factory, and there is no need to upgrade it. If an engineering change requires a bootcode upgrade, only Cisco support personnel can do so. Software Rev The version name, number, and date of the VPN Concentrator system software image file.
This usage graph shows current throughput (measured in LAN packets) as a percentage of the maximum possible system throughput. For example, if two interfaces are set for 100 Mbps, the maximum possible throughput is 200 Mbps and each segment represents 20 Mbps. 15-11 VPN 3000 Concentrator Series User Guide...
= External interface. IP Address The IP address configured on this interface. Status The operational status of this interface: = configured and enabled, ready to pass data traffic. = configured but disabled. DOWN 15-12 VPN 3000 Concentrator Series User Guide...
The number of broadcast packets that were routed to this interface for transmission since the VPN Concentrator was last booted or reset, including those that were discarded or not sent. Broadcast packets are those addressed to all hosts on a network. 15-13 VPN 3000 Concentrator Series User Guide...
This table shows statistics for the physical T1/E1 interface ports, with a column of statistics for each configured port. RFC 1406 defines most T1/E1 errors. Slot The physical slot in the VPN Concentrator (1 through 4) that houses the WAN module. 15-14 VPN 3000 Concentrator Series User Guide...
The number of seconds during which one to 319 path coding violations, but no severely errored frame defects or AIS defects, were detected on this port. This number excludes controlled slips and unavailable seconds. 15-15 VPN 3000 Concentrator Series User Guide...
(synchronization) of the receiving port and the received signal. Synchronous Statistics This table shows statistics for the synchronous traffic (frames) through the WAN interface ports, with a column of statistics for each configured port. 15-16 VPN 3000 Concentrator Series User Guide...
The number of bytes (octets) received on this interface port. Packets Transmitted The number of packets (frames) transmitted on this interface port. Bytes Transmitted The number of bytes (octets) transmitted on this interface port. 15-17 VPN 3000 Concentrator Series User Guide...
The number of transmission underruns on this interface port. These errors occur when the memory system can’t keep up with the outgoing data stream. This number should be zero; if not, check the event log for system malfunction or contact technical support. 15-18 VPN 3000 Concentrator Series User Guide...
Voltage and status for the voltage sensor on the CPU chip. The screen shows either 1.9 or 2.5 volts, depending on the CPU chip in the system. Power Supply A, B Voltages and status for the 3.3- and 5-volt outputs from the power supplies. 15-19 VPN 3000 Concentrator Series User Guide...
If a SEP module fails, the system generates an event of severity level 2. It continues to generate an event every 10 minutes until the failed module is removed or replaced and the VPN Concentrator is rebooted. The front- and back-panel Status LEDs also indicate the failed module, as does this screen. 15-20 VPN 3000 Concentrator Series User Guide...
= first-release hardware using a set of integrated circuits. CryptSet = second-release hardware using a single integrated circuit. CryptIC = hardware could not be determined. This is an error condition; please contact Cisco Unknown Customer Support. 15-21 VPN 3000 Concentrator Series User Guide...
= module is installed but is not yet operational. If this condition persists after the VPN Found Concentrator finishes initializing, it is an error. Please contact Cisco Customer Support. = module could not be found. This is an error condition; please contact Cisco Not Found Customer Support.
The number of times this SEP has derived the Diffie-Hellman secret key. In public-key cryptography, the VPN Concentrator receives a remote public key, and the SEP uses the local private key to generate the secret key. 15-23 VPN 3000 Concentrator Series User Guide...
The number of times this SEP has verified a DSA digital signature. When the VPN Concentrator receives a signed digital certificate for authentication, it must verify the digital signature by computing a hash of the certificate and comparing it with the received-certificate hash. 15-24 VPN 3000 Concentrator Series User Guide...
To update the screen and its data, click Refresh . The date and time indicate when the screen was last updated. [LED selector button] To toggle the usage graph LEDs, click the front-panel button on this screen. Clicking the button here also changes the selection on the VPN Concentrator itself. 15-25 VPN 3000 Concentrator Series User Guide...
A session is a VPN tunnel established with a specific peer. In most cases, one user connection = one tunnel = one session. However, one IPSec LAN-to-LAN tunnel counts as one session, but it allows many host-to-host connections through the tunnel. 15-26 VPN 3000 Concentrator Series User Guide...
Click these active links to go to the other session tables on this Manager screen. Connection Name The name of the IPSec LAN-to-LAN connection. To display detailed parameters and statistics for this connection, click this name. See the Monitor | Sessions | Detail screen. 15-27 VPN 3000 Concentrator Series User Guide...
“virtual” IP address, and it lets the client appear to be a host on the private network. Protocol, Encryption, Login Time, Duration, Bytes Tx, Bytes Rx See Table 15-1 on page 15-29 for definitions of these parameters. 15-28 VPN 3000 Concentrator Series User Guide...
The total number of bytes transmitted to the remote peer or client by the VPN Concentrator. Bytes Rx The total number of bytes received from the remote peer or client by the VPN Concentrator. 15-29 VPN 3000 Concentrator Series User Guide...
See Table 15-2 on page 15-34 for definitions of the session detail parameters, in alphabetical order. Figure 15-11: Monitor | Sessions | Detail screen: IPSec LAN-to-LAN 15-30 VPN 3000 Concentrator Series User Guide...
Page 375
Monitor | Sessions | Detail Figure 15-12: Monitor | Sessions | Detail screen: IPSec remote access user 15-31 VPN 3000 Concentrator Series User Guide...
Page 376
Monitoring Figure 15-13: Monitor | Sessions | Detail screen: IPSec through NAT Figure 15-14: Monitor | Sessions | Detail screen: L2TP 15-32 VPN 3000 Concentrator Series User Guide...
The total number of IKE (IPSec Phase 1) sessions; usually 1. These sessions establish the tunnel for IPSec traffic. IP Address The IP address of the remote peer VPN Concentrator or other secure gateway that initiated the IPSec LAN-to-LAN connection. 15-34 VPN 3000 Concentrator Series User Guide...
Page 379
The UDP port number used in an IPSec through NAT connection. Username The username or login name for the session. If the client is using a digital certificate for authentication, the field shows the Subject CN or Subject OU from the certificate. 15-35 VPN 3000 Concentrator Series User Guide...
The total number of sessions since the VPN Concentrator was last booted or reset. Protocol The protocol that the session is using. Other = protocol other than those listed here. PPTP = Point-to-Point Tunneling Protocol. 15-36 VPN 3000 Concentrator Series User Guide...
, 2 , 3 , 4 = SEP module 1, 2, 3, and 4 respectively. Sessions The number of active sessions using this SEP module. The sum of this column equals the total number of Active Sessions above. 15-38 VPN 3000 Concentrator Series User Guide...
To update the screen and its data, click Refresh . The date and time indicate when the screen was last updated. Active Sessions The number of currently active sessions. Total Sessions The total number of sessions since the VPN Concentrator was last booted or reset. 15-39 VPN 3000 Concentrator Series User Guide...
Each segment of the bar in the column heading represents 25%. Percentage The percentage of sessions using this encryption algorithm relative to the total active sessions, as a number. The sum of this column equals 100% (rounded). 15-40 VPN 3000 Concentrator Series User Guide...
Figure 15-21: Monitor | Sessions | Top Ten Lists | Data screen Refresh To update the screen and its data, click Refresh . The date and time indicate when the screen was last updated. Username The login username for the session. 15-41 VPN 3000 Concentrator Series User Guide...
Concentrator. Protocol The protocol that the session is using. = directly connected console; no protocol. Console = debugging via console (Cisco use only). Debug/Console = debugging via Telnet (Cisco use only). Debug/Telnet = File Transfer Protocol. = Hypertext Transfer Protocol (Web browser).
The IP address of the session user. This is the address assigned to or supplied by a remote user, or the host address of a networked user. Local identifies the console directly connected to the VPN Concentrator. 15-43 VPN 3000 Concentrator Series User Guide...
Monitoring Protocol The protocol that the session is using. = directly connected console; no protocol. Console = debugging via console (Cisco use only). Debug/Console = debugging via Telnet (Cisco use only). Debug/Telnet = File Transfer Protocol. = Hypertext Transfer Protocol (Web browser).
Local identifies the console directly connected to the VPN Concentrator. Protocol: The protocol that the session is using. Console = directly connected console; no protocol. Debug/Console = debugging via console (Cisco use only). Debug/Telnet = debugging via Telnet (Cisco use only).
Avg. Throughput (bytes/sec): The average throughput of the session, which is [total bytes transmitted and received] divided by total connect time. N/A = the session is not passing data; e.g., it is an administrator session.
The number of PPTP tunnels that are currently active. Maximum Tunnels: The maximum number of PPTP tunnels that have been simultaneously active on the VPN Concentrator since it was last booted or reset.
The number of PPTP control / data packets transmitted by the VPN Concentrator since it was last booted or reset. PPTP Sessions: This table shows statistics for active PPTP sessions on the VPN Concentrator. Each active session is a row.
The total number of acknowledgement timeouts seen on PPTP data packets for this session. When the system times out waiting for a data packet on which to piggyback an acknowledgement, it sends a ZLB instead. Therefore, this number should equal the Transmit ZLB number above.
L2TP: for information on rules in filters that govern data traffic, see Configuration | Policy Management | Traffic Management. Figure 15-26: Monitor | Statistics | L2TP screen. Refresh: To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated.
Concentrator was last booted or reset. Rx Octets Control / Data: The number of L2TP control / data channel octets (bytes) received by the VPN Concentrator since it was last booted or reset.
The serial number of the session within an L2TP tunnel. If there are multiple sessions using a tunnel, each session has a unique serial number. Receive Octets: The total number of L2TP data octets (bytes) received by this session.
The total number of L2TP Zero Length Body acknowledgement packets transmitted by this session. ZLB packets are sent as acknowledgement packets when there is no data packet on which to piggyback an acknowledgement.
Configuration | Policy Management | Traffic Management. Figure 15-27: Monitor | Statistics | IPSec screen. Refresh: To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated.
The cumulative total of packets that were dropped during send processing by all currently and previously active IKE tunnels. This number should be zero; if not, check for a network problem, check the event log for an internal subsystem failure, or contact Cisco support.
IKE tunnels. See comment above. Phase-2 SA Delete Requests Received: The cumulative total of requests to delete IPSec Phase-2 Security Associations received by all currently and previously active IKE tunnels.
The cumulative total of nonexistent-Security Association failures that occurred during processing of all currently and previously active IKE tunnels. These failures occur when the system receives a packet for which it has no Security Association, and may indicate synchronization problems.
IPSec Phase-2 tunnels. If the sequence number of a packet is a duplicate or out of bounds (that is, it fails the anti-replay window check), there may be a faulty network or a security breach, and the system drops the packet.
The cumulative total of packets dropped during send processing by all currently and previously active IPSec Phase-2 tunnels. This number should be zero; if not, check for a network problem, check the event log for an internal subsystem failure, or contact Cisco support. Inbound Authentications: The cumulative total number of inbound individual packet authentications performed by all currently and previously active IPSec Phase-2 tunnels.
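The nonexistent-SA, replay and Inbound Authentications counters above describe the checks every IPSec receiver applies to each inbound packet. The following Python model is added here as an example; it is not the VPN Concentrator's code. It runs those checks in the order a receiver applies them (SA lookup, anti-replay window, integrity check, window update) and increments counters named after the screen's fields. It assumes a 64-packet sliding anti-replay window as described in RFC 2401 Appendix C, an ESP-like header of SPI and sequence number, and a truncated HMAC-SHA256 as the per-packet integrity check; the SPI values, key and traffic are constructed, and the class and function names are the example's own.

```python
"""Inbound IPSec processing modelled on the Monitor | Statistics | IPSec
counters.  Added example, not Cisco code.  Assumptions: 64-packet sliding
anti-replay window (RFC 2401 Appendix C), ESP-like header SPI(4)+Seq(4),
12-byte ICV = truncated HMAC-SHA256 over header + payload."""
import hashlib
import hmac
import struct
from dataclasses import dataclass

WINDOW = 64    # anti-replay window in packets (RFC 2401 requires at least 32)
ICV_LEN = 12   # truncated integrity check value length (assumption)
HDR = struct.Struct("!II")  # SPI, sequence number


@dataclass
class InboundSA:
    spi: int
    key: bytes
    last_seq: int = 0   # highest sequence number authenticated so far
    bitmap: int = 0     # bit i set means packet (last_seq - i) was already seen

    def replay_check(self, seq: int) -> bool:
        """True if seq is new and not older than the window."""
        if seq == 0:
            return False                       # sequence number 0 is never valid
        if seq > self.last_seq:
            return True                        # right of the window: new
        diff = self.last_seq - seq
        if diff >= WINDOW:
            return False                       # out of bounds: too old
        return not (self.bitmap >> diff) & 1   # in window: duplicate if bit set

    def replay_update(self, seq: int) -> None:
        """Advance or mark the window; called only after the ICV verified."""
        if seq > self.last_seq:
            shift = seq - self.last_seq
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << WINDOW) - 1)
            self.last_seq = seq
        else:
            self.bitmap |= 1 << (self.last_seq - seq)


@dataclass
class IPSecStats:
    nonexistent_sa: int = 0    # packets with no SA for their SPI
    replay_failures: int = 0   # duplicate or out-of-bounds sequence numbers
    inbound_auths: int = 0     # "Inbound Authentications"
    auth_failures: int = 0
    accepted: int = 0


def icv(key: bytes, body: bytes) -> bytes:
    return hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]


def build_packet(spi: int, seq: int, key: bytes, payload: bytes) -> bytes:
    body = HDR.pack(spi, seq) + payload
    return body + icv(key, body)


class Receiver:
    def __init__(self) -> None:
        self.sadb: dict[int, InboundSA] = {}
        self.stats = IPSecStats()

    def add_sa(self, sa: InboundSA) -> None:
        self.sadb[sa.spi] = sa

    def receive(self, packet: bytes) -> str:
        if len(packet) < HDR.size + ICV_LEN:
            return "drop:short"
        spi, seq = HDR.unpack_from(packet)
        sa = self.sadb.get(spi)
        if sa is None:                           # nonexistent-SA failure
            self.stats.nonexistent_sa += 1
            return "drop:no-sa"
        if not sa.replay_check(seq):             # cheap check before the ICV
            self.stats.replay_failures += 1
            return "drop:replay"
        body, tag = packet[:-ICV_LEN], packet[-ICV_LEN:]
        self.stats.inbound_auths += 1
        if not hmac.compare_digest(icv(sa.key, body), tag):
            self.stats.auth_failures += 1        # forgeries never move the window
            return "drop:auth"
        sa.replay_update(seq)
        self.stats.accepted += 1
        return "accept"


def demo():
    """Constructed traffic: in order, late-in-window, duplicate, too old,
    unknown SPI, forged ICV.  Returns (per-packet verdicts, counters)."""
    key = b"\x11" * 32                           # constructed SA key
    rx = Receiver()
    rx.add_sa(InboundSA(spi=0x1000, key=key))
    v = [rx.receive(build_packet(0x1000, s, key, b"data")) for s in (1, 2, 3, 5)]
    v.append(rx.receive(build_packet(0x1000, 4, key, b"data")))    # late, in window
    v.append(rx.receive(build_packet(0x1000, 3, key, b"data")))    # duplicate
    rx.receive(build_packet(0x1000, 200, key, b"data"))            # advance window
    v.append(rx.receive(build_packet(0x1000, 100, key, b"data")))  # 100 behind: out of bounds
    v.append(rx.receive(build_packet(0x2000, 1, key, b"data")))    # no SA for SPI 0x2000
    v.append(rx.receive(build_packet(0x1000, 201, b"wrong key", b"data")))  # bad ICV
    return v, rx.stats


if __name__ == "__main__":
    print(*demo(), sep="\n")
```

The replay check runs before the integrity check because it is cheap and rejects floods of replayed packets without spending a MAC computation on each; the window is advanced only after the ICV verifies, so a forged packet with a high sequence number cannot push legitimate in-flight packets out of the window.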
The total number of HTTP octets (bytes) sent since the VPN Concentrator was last booted or reset. Octets Received: The total number of HTTP octets (bytes) received since the VPN Concentrator was last booted or reset.
This screen shows statistics for all events on the VPN Concentrator since it was last booted or reset. To configure event handling, see the Configuration | System | Events screens. Figure 15-29: Monitor | Statistics | Events screen.
VPN Concentrator. Table 10-1 under Configuration | System | Events describes the event classes. Event Number: The event number is a Cisco-assigned reference number that denotes a specific event within the event class. For example, CONFIG event number 2 is “Reading configuration file.” This reference number assists Cisco support personnel if they need to examine event statistics.
The number of Telnet octets (bytes) received and dropped during input processing by this session. Outbound Octets Total: The total number of Telnet octets (bytes) transmitted by this session. Outbound Octets Dropped: The number of outbound Telnet octets dropped during output processing by this session.
The number of DNS queries that failed because the address of the server is not reachable according to the VPN Concentrator’s routing table. Other Failures: The number of DNS queries that failed for an unspecified reason.
The total number of authentication request packets sent to this server. This number does not include retransmissions. Retransmissions: The number of authentication request packets retransmitted to this server. Accepts: The number of authentication acceptance packets received from this server.
Sending to a different server is counted as a request as well as a timeout. Unknown Type: The number of authentication packets of unknown type received from this server.
The number of accounting response packets received from this RADIUS accounting server. Malformed Responses: The number of malformed accounting response packets received from this RADIUS accounting server. Malformed packets include packets with an invalid length. Bad authenticators are not included in this number.
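The per-server counters above (Accepts, Unknown Type, Malformed Responses, and the bad authenticators that are deliberately kept out of the malformed count) correspond to the checks a RADIUS client applies to each reply. The following Python example is added here and is not Cisco code. It classifies constructed responses the same way: it validates the Length field, verifies the Response Authenticator defined in RFC 2865 section 3 (the same construction RFC 2866 uses for accounting), and only then dispatches on the packet Code. The shared secret, identifiers and Request Authenticator are constructed for the demo; the function and class names are the example's own.

```python
"""Classifying RADIUS responses the way per-server statistics do: accepts,
rejects, challenges, malformed (bad Length), bad authenticators, unknown
type.  Added example, not Cisco code.  Response Authenticator per RFC 2865 s3
(RFC 2866 s3 for accounting); secret and packets are constructed."""
import hashlib
import hmac
import struct
from dataclasses import dataclass

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE, ACCESS_CHALLENGE = 4, 5, 11
HEADER = struct.Struct("!BBH16s")    # Code, Identifier, Length, Authenticator
MIN_LEN, MAX_LEN = 20, 4096           # RFC 2865: valid range of the Length field


def response_authenticator(code, ident, length, request_auth, attributes, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(struct.pack("!BBH", code, ident, length)
                       + request_auth + attributes + secret).digest()


def build_response(code, ident, request_auth, attributes, secret):
    """What a server sends back; used here only to construct demo packets."""
    length = HEADER.size + len(attributes)
    auth = response_authenticator(code, ident, length, request_auth, attributes, secret)
    return HEADER.pack(code, ident, length, auth) + attributes


@dataclass
class ServerStats:
    accepts: int = 0
    rejects: int = 0
    challenges: int = 0
    malformed: int = 0           # invalid length; excludes bad authenticators
    bad_authenticators: int = 0
    unknown_type: int = 0


def classify_response(packet: bytes, request_auth: bytes, secret: bytes,
                      stats: ServerStats) -> str:
    """Validate one reply to the outstanding request whose Request
    Authenticator was request_auth, and bump the matching counter."""
    # 1. Length sanity: too short for a header, or a Length field outside
    #    20..4096 or longer than the datagram, is malformed.
    if len(packet) < MIN_LEN:
        stats.malformed += 1
        return "malformed"
    code, ident, length, auth = HEADER.unpack_from(packet)
    if length < MIN_LEN or length > MAX_LEN or length > len(packet):
        stats.malformed += 1
        return "malformed"
    attributes = packet[HEADER.size:length]   # octets past Length are padding
    # 2. Response Authenticator: proves the reply came from a holder of the
    #    shared secret and answers this request; compared in constant time.
    expected = response_authenticator(code, ident, length, request_auth, attributes, secret)
    if not hmac.compare_digest(expected, auth):
        stats.bad_authenticators += 1
        return "bad-authenticator"
    # 3. Dispatch on Code; anything not expected in an authentication
    #    exchange counts as unknown type.
    if code == ACCESS_ACCEPT:
        stats.accepts += 1
        return "accept"
    if code == ACCESS_REJECT:
        stats.rejects += 1
        return "reject"
    if code == ACCESS_CHALLENGE:
        stats.challenges += 1
        return "challenge"
    stats.unknown_type += 1
    return "unknown-type"


def demo():
    """Constructed exchange against one server; returns (verdicts, counters)."""
    secret = b"testing123"                     # constructed shared secret
    req_auth = bytes(range(16))                # constructed Request Authenticator
    stats = ServerStats()
    reply_msg = bytes([18, 6]) + b"deny"       # Reply-Message attribute (type 18)
    good = build_response(ACCESS_ACCEPT, 7, req_auth, b"", secret)
    reject = build_response(ACCESS_REJECT, 8, req_auth, reply_msg, secret)
    forged = build_response(ACCESS_ACCEPT, 7, req_auth, b"", b"wrong-secret")
    tampered = bytearray(reject)
    tampered[-4:] = b"okay"                    # attribute altered after signing
    truncated = good[:MIN_LEN - 1]
    bad_len = bytearray(good)
    struct.pack_into("!H", bad_len, 2, MIN_LEN - 1)   # Length field below minimum
    acct = build_response(ACCOUNTING_RESPONSE, 9, req_auth, b"", secret)
    verdicts = [classify_response(p, req_auth, secret, stats)
                for p in (good, reject, forged, bytes(tampered), truncated,
                          bytes(bad_len), acct)]
    return verdicts, stats


if __name__ == "__main__":
    print(*demo(), sep="\n")
```

The authenticator is checked before the Code is interpreted: an Access-Accept whose authenticator does not verify must be dropped rather than counted as an accept, otherwise an on-path attacker who can guess the Identifier could grant access by injecting a spoofed reply.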
Configuration | User Management screens. Figure 15-34: Monitor | Statistics | Filtering screen. Refresh: To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated.
The number of outbound packets that have been filtered and dropped on this interface. Outbound Packets Post Filter: The number of outbound packets that have been filtered and forwarded on this interface. This number equals Outbound Packets Pre-Filter minus Outbound Packets Filtered.
The total number of VRRP packets received with an invalid VRRP checksum value. Version Errors: The total number of VRRP packets received with an unknown or unsupported version number. The VPN Concentrator supports VRRP version 2 as defined in RFC 2338.
The total number of VRRP advertisement packets received by this interface in which the advertisement interval differs from the interval configured on this VPN Concentrator. Authentication Failures: The total number of VRRP packets received by this interface that do not pass the authentication check.
The total number of packets received by this interface with an authentication type that differs from the configured authentication type. Packet Length Errors: The total number of packets received by this interface with a packet length less than the length of the VRRP header.
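The VRRP counters above (checksum, version, advertisement interval, authentication failure, authentication type mismatch, packet length) are the rejection reasons of the receive processing in RFC 2338 section 7.1. The following Python parser is added here as an example rather than Cisco code. It applies those checks in the RFC's order to constructed VRRPv2 advertisements and returns the counter each packet would hit. It assumes the receiving router is configured for simple-text (type 1) authentication; the VRID, password, interval and addresses are constructed, and the names used are the example's own.

```python
"""VRRPv2 (RFC 2338) advertisement validation mapped onto the VRRP statistics
counters.  Added example, not Cisco code.  Config values are constructed."""
import hmac
import socket
import struct
from dataclasses import dataclass

VRRP_VERSION, VRRP_ADVERTISEMENT = 2, 1
AUTH_NONE, AUTH_SIMPLE, AUTH_AH = 0, 1, 2
# Ver/Type, VRID, Priority, Count IP Addrs, Auth Type, Adver Int, Checksum
FIXED = struct.Struct("!BBBBBBH")
AUTH_DATA_LEN = 8


def ones_complement_checksum(data: bytes) -> int:
    """16-bit one's complement of the one's complement sum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def with_checksum(pkt: bytes) -> bytes:
    """Return pkt with its Checksum field recomputed over the whole message."""
    zeroed = pkt[:6] + b"\x00\x00" + pkt[8:]
    return pkt[:6] + struct.pack("!H", ones_complement_checksum(zeroed)) + pkt[8:]


def auth_field(password: bytes) -> bytes:
    return password.ljust(AUTH_DATA_LEN, b"\x00")[:AUTH_DATA_LEN]


@dataclass
class VrrpConfig:           # constructed local configuration
    vrid: int = 1
    adver_int: int = 1
    auth_type: int = AUTH_SIMPLE
    password: bytes = b"s3cret"


@dataclass
class VrrpStats:
    received: int = 0
    packet_length_errors: int = 0
    checksum_errors: int = 0
    version_errors: int = 0
    type_errors: int = 0
    vrid_mismatch: int = 0
    auth_type_mismatch: int = 0
    auth_failures: int = 0
    adver_interval_errors: int = 0
    accepted: int = 0


def build_advertisement(cfg, priority, addrs, version=VRRP_VERSION,
                        auth_type=None, adver_int=None, password=None) -> bytes:
    """Build an advertisement; override keyword arguments to craft bad packets."""
    auth_type = cfg.auth_type if auth_type is None else auth_type
    adver_int = cfg.adver_int if adver_int is None else adver_int
    password = cfg.password if password is None else password
    auth = auth_field(password) if auth_type == AUTH_SIMPLE else bytes(AUTH_DATA_LEN)
    fixed = FIXED.pack((version << 4) | VRRP_ADVERTISEMENT, cfg.vrid, priority,
                       len(addrs), auth_type, adver_int, 0)
    return with_checksum(fixed + b"".join(socket.inet_aton(a) for a in addrs) + auth)


def receive(pkt: bytes, cfg: VrrpConfig, stats: VrrpStats) -> str:
    """Validate in RFC 2338 s7.1 order; return the name of the counter hit."""
    stats.received += 1
    if len(pkt) < FIXED.size:                    # shorter than the VRRP header
        stats.packet_length_errors += 1
        return "packet-length-error"
    if ones_complement_checksum(pkt) != 0:       # a valid message sums to zero
        stats.checksum_errors += 1
        return "checksum-error"
    vt, vrid, _prio, count, auth_type, adver_int, _ = FIXED.unpack_from(pkt)
    if vt >> 4 != VRRP_VERSION:
        stats.version_errors += 1
        return "version-error"
    if vt & 0x0F != VRRP_ADVERTISEMENT:
        stats.type_errors += 1
        return "type-error"
    if vrid != cfg.vrid:                         # not one of our virtual routers
        stats.vrid_mismatch += 1
        return "vrid-mismatch"
    if auth_type != cfg.auth_type:
        stats.auth_type_mismatch += 1
        return "auth-type-mismatch"
    end = FIXED.size + 4 * count + AUTH_DATA_LEN
    if len(pkt) < end:                           # Count IP Addrs promises more than arrived
        stats.packet_length_errors += 1
        return "packet-length-error"
    if auth_type == AUTH_SIMPLE and not hmac.compare_digest(
            pkt[end - AUTH_DATA_LEN:end], auth_field(cfg.password)):
        stats.auth_failures += 1
        return "auth-failure"
    if adver_int != cfg.adver_int:
        stats.adver_interval_errors += 1
        return "adver-interval-error"
    stats.accepted += 1
    return "accept"


def demo():
    """Constructed advertisements, one per failure mode; returns (verdicts, counters)."""
    cfg, stats, addrs = VrrpConfig(), VrrpStats(), ["192.0.2.1"]
    good = build_advertisement(cfg, 100, addrs)
    cases = [
        good,
        build_advertisement(cfg, 100, addrs, password=b"guess"),    # wrong password
        build_advertisement(cfg, 100, addrs, version=3),            # unsupported version
        good[:6],                                                   # shorter than header
        good[:2] + bytes([good[2] ^ 0xFF]) + good[3:],             # priority flipped, stale checksum
        build_advertisement(cfg, 100, addrs, auth_type=AUTH_NONE),  # no-auth vs configured simple
        build_advertisement(cfg, 100, addrs, adver_int=5),          # interval differs
        with_checksum(good[:FIXED.size]),                           # header only, Count IP = 1
    ]
    return [receive(p, cfg, stats) for p in cases], stats


if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Simple-text authentication is only a misconfiguration guard, not a security control: the password travels in clear text in every advertisement, so anyone on the segment can read it and inject a higher-priority advertisement to take over the virtual router. The parser still checks it, because that is what the Authentication Failures counter records.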
The number of unencrypted outbound octets (bytes) sent to the encryption engine. Encrypted Outbound Octets: The number of octets (bytes) of outbound traffic output by the encryption engine. This number includes negotiation traffic. Total Sessions: The total number of SSL sessions.
Lease Duration: The duration of the current IP address lease, shown as HH:MM:SS. Time Used: The total length of time that this session has had an active IP address lease, shown as HH:MM:SS.
The total number of IP addresses in this configured pool. Available Addresses: The number of IP addresses available (unassigned) in this pool. Allocated Addresses: The number of IP addresses currently assigned from this pool.
• SNMP: Simple Network Management Protocol requests, bad community strings, parsing errors, etc. To configure and enable the VPN Concentrator’s SNMP server, see the Configuration | System | Management Protocols | SNMP screen. Figure 15-39: Monitor | Statistics | MIB-II screen.
Dormant = configured and enabled but waiting for an external action, such as an incoming connection. Not Present = missing hardware components. Lower Layer Down = not operational because a lower-layer interface is down. Unknown = not configured.
Broadcast Out: The number of broadcast packets that were routed to this interface for transmission, including those that were discarded or not sent. Broadcast packets are those addressed to all hosts on a network.
Segment is the official TCP name for what is casually called a data packet. TCP Timeout Min: The minimum value permitted for TCP retransmission timeout, measured in milliseconds.
The total number of UDP datagrams received. Datagram is the official UDP name for what is casually called a data packet. UDP Datagrams Transmitted: The total number of UDP datagrams sent.
To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated. Packets Received (Total): The total number of IP data packets received by the VPN Concentrator, including those received with errors.
The number of outbound IP data packets discarded because no route could be found to transmit them to their destination. This number includes any packets that the VPN Concentrator could not route because all of its default routers are down.
The number of IP data packets that have been discarded because they needed to be fragmented but could not be (e.g., because the Don’t Fragment flag was set). Fragments Created: The number of IP data packet fragments that have been generated by the VPN Concentrator.
The IP address configured on the interface. Received Bad Packets: The number of RIP response packets received by this interface that were subsequently discarded for any reason (e.g., wrong version, unknown command type).
The number of routes in valid RIP packets received by this interface that were ignored for any reason (e.g., unknown address family, invalid metric). Sent Updates: The number of triggered RIP updates actually sent by this interface. This number does not include full updates sent containing new information.
Configuration | System | IP Routing. Figure 15-44: Monitor | Statistics | MIB-II | OSPF screen. Refresh: To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated.
This table shows a row of statistics for each enabled VPN Concentrator interface. When OSPF routing is enabled on an interface, that interface communicates with other OSPF routers in its area, and the routers on each multi-access network segment elect one of themselves to be the Designated Router for that segment.
While the format is that of an IP address, it functions only as an identifier. By convention, however, it is the same as the IP address of the interface that is connected to the OSPF network.
AS Border Routers: The total number of Autonomous System border routers reachable within this area. Area Border Routers: The total number of area border routers reachable within this area.
The sequence number of this LSA. Sequence numbers are linear. They are used to detect old and duplicate LSAs. The larger the number, the more recent the LSA. Age: The age of the LSA in seconds.
The number of ICMP Destination Unreachable messages received / sent. Destination Unreachable messages apply to many network situations, including inability to determine a route, an unusable source route specified, and the Don’t Fragment flag set for a packet that must be fragmented.
Timestamp Reply message. Timestamp Replies Received / Transmitted: The number of ICMP Timestamp Reply messages received / sent. Timestamp Reply messages are sent in response to Timestamp messages, to measure propagation delay in the network.
Figure 15-46: Monitor | Statistics | MIB-II | ARP Table screen. Refresh: To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated.
The Manager deletes the entry and refreshes the screen. To delete an entry, you must have the administrator privilege to Modify Config under General Access Rights. See Administration | Access Rights | Administrators. You cannot delete static mappings.
The number of frames received on this interface that are an integral number of bytes long but do not pass the FCS (Frame Check Sequence) check. Carrier Sense Errors: The number of times that the carrier sense signal was lost or missing when trying to transmit a frame on this interface.
The number of frames for which reception on this interface failed due to an internal MAC sublayer receive error. This number does not include Alignment Errors, FCS Errors, or Frame Too Long Errors.
The total number of SNMP messages received by the VPN Concentrator. Bad Version: The total number of SNMP messages received that were for an unsupported SNMP version. The VPN Concentrator supports SNMP version 2.
The total number of SNMP request messages that were silently dropped because the transmission of the reply message to a proxy target failed for some reason (other than a timeout). End of Chapter
Console access. To access the CLI via console:
1 Connect a PC to the VPN Concentrator via a straight-through RS-232 serial cable (which Cisco supplies with the system) between the Console port on the VPN Concentrator and the COM1 or serial port on the PC.
VPN 3000 Concentrator Series Command Line Interface
Copyright (C) 1998-2000 Cisco Systems, Inc.
1) Configuration
2) Administration
3) Monitoring
4) Save changes to Config file
5) Help Information
6) Exit
Main -> _
Continuing the example above, this is the prompt to enter a value for the system name:
> Host Name
General -> [ Lab VPN ] _
You can enter a new name at the prompt, or just press Enter to keep the current name.
Authentication -> _
To delete the RADIUS server, enter 3 at the prompt. The CLI displays:
> Delete Server (number)
Authentication -> _
At the prompt, you must enter 2 for the RADIUS server.
1) General Parameters
2) Server Parameters
3) IPSec Parameters
4) PPTP/L2TP Parameters
5) Back
Base Group -> 1
(General Parameters)
1) Access Parameters
2) Tunneling Protocols
3) SEP Config
4) Back
Base Group -> _
To display a brief help message, enter 5 at the main menu prompt. The CLI explains how to navigate through menus and enter values. This help message is available only at the main menu.
Cisco Systems. Help information for the Command Line Interface
From any menu except the Main menu.
Main -> _
The default User administrator can only monitor the VPN Concentrator, not configure system parameters or administer the system. See Administration | Access Rights | Administrators in Chapter 14, Administration, for more information.
4) Save changes to Config file
5) Help Information
6) Exit
Main -> _
1 Configuration
1) Interface Configuration
2) System Management
3) User Management
4) Policy Management
5) Back
Config -> _
Voltages will be adjusted to conform to the hardware.
1) Configure CPU voltage thresholds
2) Configure Power Supply 1 voltage thresholds
3) Configure Power Supply 2 voltage thresholds
4) Configure Board voltage thresholds
5) Back
Interfaces -> _
The CLI does not include IPSec LAN-to-LAN configuration.
1.2.4 Configuration > System Management > IP Routing
1) Static Routes
2) Default Gateways
3) OSPF
4) OSPF Areas
5) DHCP
6) Redundancy
7) Back
Routing -> _
1.2.7 Configuration > System Management > General Config
1) System Identification
2) System Time and Date
3) Back
General -> _
1.3 Configuration > User Management
1) Base Group
2) Groups
3) Users
4) Back
User Management -> _
1) Add a User
2) Modify a User
3) Delete a User
4) Back
Users -> _
1.4 Configuration > Policy Management
1) Access Hours
2) Traffic Management
3) Back
Policy -> _
6) Swap Configuration File
7) Upload Configuration File
8) Back
File -> _
2.6.6 Administration > File Management > Swap Configuration File
Every time the active configuration is saved,...
1) Swap
2) Back
Admin -> _
2) Card in Slot 2
3) Card in Slot 3
4) Card in Slot 4
5) Back
Card Status -> _
Model 3005 only
1) Card in Slot 1
2) Back
Card Status -> _
2) Top 10 Users based on Duration
3) Top 10 Users based on Throughput
4) Back
Sessions -> _
3.4.3 Monitoring > Sessions > View Session Protocols
Session Protocols
1) Refresh Session Protocols
2) Back
Sessions -> _
’q’ to Quit, ’<SPACE>’ to Continue ->
1) Refresh Event Statistics
2) Back
General -> _
3.5.4 Monitoring > General Statistics > MIB II Statistics
1) Interface-based
2) System-level
3) Back
MIB2 -> _
End of Chapter
This file contains the crash date and time, software version, tasks, stack, registers, memory, buffers, timers, etc., which are helpful to Cisco support engineers. In case of a crash, we ask that you send this file when you contact Cisco for assistance. See Administration | File Management | Files for information on managing files in flash memory.
Manager screens. The wrong screen or incorrect data is displayed. The browser’s toolbar deletes pointers and values within the Manager. We recommend that you hide the browser’s navigation toolbar to prevent mistakes.
Apply. Reset the timer.
• Default timeout interval is 600 seconds (10 minutes).
• Timeout interval set too low for normal use.
Carefully check all your previous entries on that screen. The Manager attempts to retain valid entries, but invalid entries are lost. Click Go to main menu to go to the main Manager screen.
• You are using the Manager with an obsolete browser.
• You are using a browser that does
Be sure JavaScript is enabled in the browser. See Required browser in Chapter 2 of VPN 3000 Concentrator Series Getting Started, or Browser requirements in Chapter 1 of VPN 3000 Concentrator Series User Guide.
Administration | Access Rights | Administrators screen.
privileges. Have the system administrator change the privileges of your workstation on the Administration | Access Rights | Access Control List screen.
(Needed, Help, Software Update, etc.), Internet Explorer cannot open the window and displays the error dialog box.
2 Log out of the Manager.
3 Close Internet Explorer.
4 Reinstall Internet Explorer.
do not match.
• You entered either a password or verify entry, but not the other.
If the original password is incorrect, press Enter and re-enter both the password and the verification at the prompts.
LEDs are normally blue. LEDs that are amber or off may indicate an error condition. NA = not applicable; i.e., the LED does not have that state. Contact Cisco support if any LED indicates an error condition.
Error. CPU Utilization: This statistic selected for usage gauge display / Not selected. Active Sessions: This statistic selected for usage gauge display / Not selected. Throughput: This statistic selected for usage gauge display / Not selected.
Power is not reaching the module. It may not be seated correctly. Error. Status: Encryption code is running. Normal. / Module failed during operation. Error. / Module failed diagnostics or encryption code is not running. Error.
Power: Normal operation. / Power is not reaching the module. It may not be seated correctly. Error. Status: Module has passed diagnostics and is operational. Normal. / Module failed diagnostics. Error. / Module has failed. Error.
“Yellow” in loopback mode. “Blue” = Problem in receive path; i.e., the line has lost synchronization with the remote connection. “Blue” in loopback mode. End of Appendix
Grant of License 2. Cisco Systems hereby grants to you the right to use the Software with the Cisco VPN 3000 Concentrator product. To this end, the Software contains both operator software for use by the network administrator and client software for use by clients at remote network nodes.
5. You may not export the Software, even as part of the Cisco product, to any country for which the United States requires any export license or other governmental approval at the time of export without first obtaining the requisite license and/or approval.
Other licenses 16. This Agreement is governed by the laws of the State of Massachusetts. 17. If you have any questions concerning this Agreement or wish to contact Cisco Systems for any reason, please call (508) 541-7300, or write to Cisco Systems, Inc.
BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
NRL and have assigned All Rights for those portions to NRL. Outside the USA, NRL also has copyright on the software developed at NRL. The affected files all contain specific copyright notices and those notices must be retained in any derived work. NRL LICENSE
This program is Copyright 1996, 1997, 1998 by Danny Goodman. You may adapt this outline for your Web pages, provided these opening credit lines (down to the lower dividing line) are in your outline HTML document. You may not reprint or redistribute this code without permission from the author.
This software is provided “as is” without express or implied warranty. author tpanton@ibm.net (Tim Panton)
- Feb 1991 Bill_Simpson@um.cc.umich.edu variable number of conversation slots allow zero or one slots separate routines status display Telnet server Copyright phase2 networks 1996 All rights reserved SID: 1.1 Revision History: 97/06/23 21:17:43 root
Note 1. *VCCI-A: Equipment satisfying the recommended values for Class A ITE. WAN Module Customer Instructions: FCC Requirements Notice to Users of T1 Service The following instructions are provided to ensure compliance with the Federal Communications Commission (FCC) Rules, Part 68.
The following instructions are provided to ensure compliance with the Federal Communications Commission (FCC) Rules, Part 68. This equipment is certified with the FCC under Part 68 as a component device for use with the following Cisco Systems host routers: In order for the FCC certification of this product to be retained, all other products used in conjunction with this product must also be FCC Part 68 certified for use with these hosts.
______________________________________________Signature ______________________________________________ Title ______________________________________________Date Subscribed and sworn to before me This day of , 20____ ____________________________________________ Notary Public My commission expires:
Caution: Users should not attempt to make such connections themselves, but should contact the appropriate electric inspection authority, or electrician, as appropriate. Industry Canada CS-03 Application, Rev.1 Model No.: CVPN 3000-2T1 End of Appendix