Cisco Systems VPN 3002 User Manual

VPN 3002 Hardware Client

Reference

Release 3.5

November 2001

Corporate Headquarters

Cisco Systems, Inc. 170 West Tasman Drive

San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000

800 553-NETS (6387) Fax: 408 526-4100

Text Part Number: OL-1893-01

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

AccessPath, AtmDirector, Browse with Me, CCIP, CCSI, CD-PAC, CiscoLink, the Cisco Powered Network logo, Cisco Systems Networking Academy, the Cisco Systems Networking Academy logo, Fast Step, Follow Me Browsing, FormShare, FrameShare, GigaStack, IGX, Internet Quotient, IP/VC, iQ Breakthrough, iQ Expertise, iQ FastTrack, the iQ Logo, iQ Net Readiness Scorecard, MGX, the Networkers logo, Packet, RateMUX, ScriptBuilder, ScriptShare, SlideCast, SMARTnet, TransPath, Unity, Voice LAN, Wavelength Router, and WebViewer are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, Discover All That’s Possible, and Empowering the Internet Generation, are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Enterprise/Solver, EtherChannel, EtherSwitch, FastHub, FastSwitch, IOS, IP/TV, LightStream, MICA, Network Registrar, PIX, Post-Routing, Pre-Routing, Registrar, StrataView Plus, Stratm, SwitchProbe, TeleRouter, and VCO are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries.

All other trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0106R)

VPN 3002 Hardware Client Reference

Copyright © 2001, Cisco Systems, Inc.

All rights reserved.

Contents

Preface
    Prerequisites
    Organization
    Related Documentation
    Documentation conventions
    Obtaining Documentation
    Obtaining technical assistance

Using the VPN 3002 Hardware Client Manager
    VPN 3002 Hardware Client Browser Requirements
    Connecting to the VPN 3002 Using HTTP
    Installing the SSL Certificate in Your Browser
    Connecting to the VPN 3002 Using HTTPS
    Configuring HTTP, HTTPS, and SSL Parameters
    Logging into the VPN 3002 Hardware Client Manager
    Interactive Hardware Client and Individual User Authentication
    Logging In With Interactive Hardware Client and Individual User Authentication
    Understanding the VPN 3002 Hardware Client Manager Window
    Organization of the VPN 3002 Hardware Client Manager
    Navigating the VPN 3002 Hardware Client Manager

Configuration
    Configuration

Interfaces
    Configuration | Interfaces
    Configuration | Interfaces | Private
    Configuration | Interfaces | Public

System Configuration
    Configuration | System

VPN 3000 Series Concentrator Reference Volume I: Configuration

 

78-13782-01

Servers
    Configuration | System | Servers
    Configuration | System | Servers | DNS

Tunneling
    Configuration | System | Tunneling Protocols
    Configuration | System | Tunneling Protocols | IPSec

IP Routing
    Configuration | System | IP Routing
    Configuration | System | IP Routing | Static Routes
    Configuration | System | IP Routing | Static Routes | Add or Modify
    Configuration | System | IP Routing | Default Gateways
    Configuration | System | IP Routing | DHCP
    Configuration | System | IP Routing | DHCP Options
    Configuration | System | IP Routing | DHCP Options | Add or Modify

Management Protocols
    Configuration | System | Management Protocols
    Configuration | System | Management Protocols | HTTP/HTTPS
    Configuration | System | Management Protocols | Telnet
    Configuration | System | Management Protocols | SNMP
    Configuration | System | Management Protocols | SNMP Communities
    Configuration | System | Management Protocols | SSL
    Configuration | System | Management Protocols | SSH
    Configuration | System | Management Protocols | XML

Events
    Event Class
    Event Severity Level
    Event Log
    Configuration | System | Events
    Configuration | System | Events | General
    Configuration | System | Events | Classes
    Configuration | System | Events | Classes | Add or Modify
    Configuration | System | Events | Trap Destinations
    Configuration | System | Events | Trap Destinations | Add or Modify
    Configuration | System | Events | Syslog Servers
    Configuration | System | Events | Syslog Servers | Add or Modify

General
    Configuration | System | General
    Configuration | System | General | Identification
    Configuration | System | General | Time and Date

Policy Management
    Client Mode/PAT
    Network Extension Mode
    Configuration | Policy Management
    Configuration | Policy Management | Traffic Management
    Configuration | Policy Management | Traffic Management | PAT
    Configuration | Policy Management | Traffic Management | PAT | Enable

Administration
    Administration
    Administration | Software Update
    Administration | System Reboot
    Administration | Ping
    Administration | Access Rights
    Administration | Access Rights | Administrators
    Administration | Access Rights | Access Settings
    Administration | File Management
    Administration | File Management | Swap Config Files
    Administration | File Management | Config File Upload
    Certificate Management
    Administration | Certificate Management
    Administration | Certificate Management | Enroll
    Administration | Certificate Management | Enroll | Certificate Type
    Administration | Certificate Management | Enroll | Certificate Type | PKCS10
    Administration | Certificate Management | Enrollment or Renewal | Request Generated
    Administration | Certificate Management | Enroll | Identity Certificate | SCEP
    Administration | Certificate Management | Enroll | SSL Certificate | SCEP
    Administration | Certificate Management | Install
    Administration | Certificate Management | Install | Certificate Obtained via Enrollment
    Administration | Certificate Management | Install | Certificate Type
    Administration | Certificate Management | Install | CA Certificate | SCEP
    Administration | Certificate Management | Install | Certificate Type | Cut and Paste Text
    Administration | Certificate Management | Install | Certificate Type | Upload File from Workstation
    Administration | Certificate Management | View
    Administration | Certificate Management | Configure CA Certificate
    Administration | Certificate Management | Renewal
    Administration | Certificate Management | Activate or Re-Submit | Status
    Administration | Certificate Management | Delete
    Administration | Certificate Management | View Enrollment Request
    Administration | Certificate Management | Cancel Enrollment Request
    Administration | Certificate Management | Delete Enrollment Request

Monitoring
    Monitoring | Routing Table
    Monitoring | Filterable Event Log
    Monitoring | Live Event Log
    Monitoring | System Status
    Monitoring | System Status | Private/Public Interface
    Monitoring | User Status
    Monitoring | Statistics
    Monitoring | Statistics | IPSec
    Monitoring | Statistics | HTTP
    Monitoring | Statistics | Telnet
    Monitoring | Statistics | DNS
    Monitoring | Statistics | SSL
    Monitoring | Statistics | DHCP
    Monitoring | Statistics | SSH
    Monitoring | Statistics | NAT
    Monitoring | Statistics | PPPoE
    Monitoring | Statistics | MIB-II
    Monitoring | Statistics | MIB-II | Interfaces
    Monitoring | Statistics | MIB-II | TCP/UDP
    Monitoring | Statistics | MIB-II | IP
    Monitoring | Statistics | MIB-II | ICMP
    Monitoring | Statistics | MIB-II | ARP Table
    Monitoring | Statistics | MIB-II | Ethernet
    Monitoring | Statistics | MIB-II | SNMP

Using the Command-Line Interface
    Accessing the Command-line Interface
    Starting the Command-line Interface
    Using the Command-line Interface
    Menu Reference

Troubleshooting and System Errors
    Files for Troubleshooting
    LED Indicators
    System Errors
    Settings on the VPN Concentrator
    VPN 3002 Hardware Client Manager Errors
    Command-line Interface Errors

Index

Preface

The VPN 3002 Hardware Client Reference provides guidelines for configuring the Cisco VPN 3002, details on all the functions available in the VPN 3002 Hardware Client Manager, and instructions for using the VPN 3002 Command Line Interface.

Prerequisites

We assume you have read the VPN 3002 Hardware Client Getting Started manual and have followed the minimal configuration steps in Quick Configuration. That section of the VPN Hardware Client Manager is not described here.

We also assume you are an experienced system administrator or network administrator with appropriate education and training, who knows how to install, configure, and manage internetworking systems. However, virtual private networks and VPN devices might be new to you. You should be familiar with Windows system configuration and management, and you should be familiar with Microsoft Internet Explorer or Netscape Navigator or Communicator browsers.

Organization

This manual is organized by the order in which sections appear in the VPN 3002 Hardware Client Manager table of contents (the left frame of the Manager browser window; see Figure 1-35 in Chapter 1, “Using the VPN 3002 Hardware Client Manager”).

Chapter | Title | Description
Chapter 1 | Using the VPN 3002 Hardware Client Manager | Explains how to log in, navigate, and use the VPN 3002 Hardware Client Manager with a browser. It explains both HTTP and HTTPS browser connections, and how to install the SSL certificate for a secure (HTTPS) connection.
Chapter 2 | Configuration | Describes the main VPN 3002 Hardware Client Manager configuration screen.
Chapter 3 | Interfaces | Explains how to configure the VPN 3002 private and public interfaces.
Chapter 4 | System Configuration | Describes the system configuration screen of the VPN 3002 Hardware Client Manager.
Chapter 5 | Servers | Explains how to configure the VPN 3002 to communicate with DNS servers to convert hostnames to IP addresses.
Chapter 6 | Tunneling | Explains how to configure IPSec.
Chapter 7 | IP Routing | Explains how to configure static routes, default gateways, and DHCP parameters and options.
Chapter 8 | Management Protocols | Explains how to configure built-in VPN 3002 servers that provide management functions: HTTP and HTTPS, Telnet, SNMP, SNMP Community Strings, SSL and SSH.
Chapter 9 | Events | Explains how to configure system events such as alarms, traps, error conditions, network problems, task completion, or status changes.
Chapter 10 | General | Explains how to configure the system identification, date, and time.
Chapter 11 | Policy Management | Explains how to configure and use PAT and Network Extension modes.
Chapter 12 | Administration | Explains how to configure and use high-level VPN 3002 administrator activities such as who is allowed to configure the system, what software runs on it, rebooting and shutting down the system, managing its configuration files, and managing X.509 digital certificates.
Chapter 13 | Monitoring | Explains the many status, statistics, sessions, and event log screens that you can use to monitor the VPN 3002.
Chapter 14 | Using the Command-Line Interface | Explains how to use the built-in menu- and command-line-based administrative management system via the system console or a Telnet session. With the CLI, you can access and configure all the same parameters as you can using the HTML-based VPN 3002 Hardware Client Manager.
Appendix A | Troubleshooting and System Errors | Describes common errors that may occur while configuring the system, and how to correct them. It also describes all system and module LED indicators.
Appendix B | Copyrights, Licenses and Notices | Provides copyright licenses and notices.