Cisco CVPN3015-NR - VPN Concentrator 3015, 3005, 3015, 3020, 3030 Getting Started

...
Corporate Headquarters
Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000
Fax: 408 526-4100
VPN 3000 Series Concentrator Getting Started
Release 4.7 August 2005
Customer Order Number: 78-15733 Text Part Number: 78-15733-03
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
VPN 3000 Series Concentrator Getting Started
Copyright © 2005 Cisco Systems, Inc. All rights reserved.
CCSP, CCVP, the Cisco Square Bridge logo, Follow Me Browsing, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Access Registrar, Aironet, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, FormShare, GigaDrive, GigaStack, HomeLink, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, LightStream, Linksys, MeetingPlace, MGX, the Networkers logo, Networking Academy, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, ProConnect, RateMUX, ScriptShare, SlideCast, SMARTnet, The Fastest Way to Increase Your Internet Quotient, and TransPath are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0601R)
iii
VPN 3000 Series Concentrator Getting Started
78-15413-01
CONTENTS
Preface v
Audience v
Organization v
Related Documentation vi
Conventions viii
Obtaining Documentation x
Obtaining Technical Assistance xi
Obtaining Additional Publications and Information xiii
Chapter 1 Understanding the VPN 3000 Concentrator 1-1
Hardware Features 1-2
Software Features 1-3
How the VPN Concentrator Works 1-7
Where the VPN Concentrator Fits in Your Network 1-8
Physical Specifications 1-9
Chapter 2 Installing and Powering Up the VPN Concentrator 2-1
Preparing to Install 2-1
Unpacking 2-4
Installing the VPN Concentrator Hardware 2-5
Connecting Hardware 2-9
Powering Up 2-12
Beginning Quick Configuration 2-13
Chapter 3 Using the VPN Concentrator Manager for Quick Configuration 3-1
Logging in to the VPN Concentrator Manager 3-2
Starting Quick Configuration 3-3
Configuring IP Interfaces 3-4
Configuring System Information 3-8
Configuring Tunneling Protocols and Options 3-10
Configuring Address Assignment 3-11
Configuring Authentication 3-12
Configuring the Internal Server User Database 3-17
Configuring the IPSec Group 3-18
Changing Admin Password 3-19
Finishing Quick Configuration 3-20
Saving the Active Configuration 3-21
What Next? 3-21
Using Other VPN Concentrator Manager Functions 3-22
Understanding the VPN Concentrator Manager Window 3-23
Chapter 4 Using the Command-Line Interface for Quick Configuration 4-1
Configuring Ethernet Interfaces 4-2
Configuring System Information 4-5
Configuring Tunneling Protocols and Options 4-6
Configuring Address Assignment 4-8
Configuring Authentication 4-10
Configuring the IPSec Group 4-17
Changing the Admin Password 4-18
Completing Quick Configuration 4-19
Saving the Active Configuration 4-19
Exiting the CLI 4-19
What Next? 4-20
Chapter 5 Testing the VPN Concentrator 5-1
VPN Concentrator Configuration Settings 5-1
Windows 95 PC Client Configuration 5-2
Testing the VPN Connection 5-3
Appendix A Troubleshooting and System Errors A-1
Appendix B Copyrights, Licenses, and Notices B-1
Index
Preface
VPN 3000 Series Concentrator Getting Started provides information to take you from unpacking and installing the VPN 3000 Concentrator through quick configuration (configuring the minimal parameters to make it operational). You can perform quick configuration from a console with the menu-based command-line interface, or you can use the HTML-based VPN Concentrator Manager with a browser. This guide describes both methods, and we recommend the latter for ease of use.
Audience
We assume you are an experienced system administrator or network administrator with appropriate education and training, who knows how to install, configure, and manage internetworking systems. However, virtual private networks and VPN devices might be new to you. You should be familiar with Windows system configuration and management, and you should be familiar with Microsoft Internet Explorer, Netscape Navigator or Communicator, or Mozilla browsers.
Organization
This guide is organized as follows:
Chapter 1, Understanding the VPN 3000 Concentrator: Summarizes the hardware and software features and operation. If you are familiar with VPN devices, you can skip this chapter.
Chapter 2, Installing and Powering Up the VPN Concentrator: Explains how to prepare for, unpack, install, and power up the VPN Concentrator, and how to begin quick configuration. Once you have completed the steps in this chapter, you can use either Chapter 3 or Chapter 4 to complete quick configuration.
Chapter 3, Using the VPN Concentrator Manager for Quick Configuration: Explains how to complete quick configuration of the system using the VPN Concentrator Manager with a browser. We recommend this method.
Chapter 4, Using the Command-Line Interface for Quick Configuration: Explains how to complete quick configuration of the system using the command-line interface from the console or a Telnet session.
Chapter 5, Testing the VPN Concentrator: Explains how to test the system by using Microsoft Dial-Up Networking on a PC with a modem, to connect to an ISP and use PPTP to create a VPN tunnel to your private corporate network.
Appendix A, Troubleshooting and System Errors: Describes common errors that might occur while configuring or using the system, and how to correct them. It also describes all LED indicators on the VPN Concentrator and its expansion modules.
Appendix B, Copyrights, Licenses, and Notices: Specifies software agreements relevant to the VPN Concentrator.
Related Documentation
Refer to the following documents for further information about Cisco VPN applications and products.
VPN 3000 Series Concentrator Documentation
The VPN 3000 Series Concentrator Reference Volume I: Configuration explains how to start and use the VPN Concentrator Manager. It details the Configuration screens and explains how to configure your device beyond the minimal parameters you set during quick configuration.
The VPN 3000 Series Concentrator Reference Volume II: Administration and Monitoring provides guidelines for administering and monitoring the VPN Concentrator. It explains and defines all functions available in the Administration and Monitoring screens of the VPN Concentrator Manager. Appendixes to this manual provide troubleshooting guidance and explain how to access and use the alternate command-line interface.
The short document Upgrading Memory to 512 MB in the VPN 3000 Series Concentrator explains how to upgrade the VPN Concentrator memory. It also explains how to upgrade the VPN Concentrator software image and bootcode to versions that support the increased memory.
The VPN Concentrator Manager also includes context-oriented online help that you can access by clicking the Help icon on the toolbar in the Manager window.
VPN Client Documentation
The Cisco VPN Client User Guide for Windows, the Cisco VPN Client User Guide for Linux and Solaris, and the Cisco VPN Client User Guide for Mac OS X explain how to install, configure, and use the VPN Client. The VPN Client lets a remote client use the IPSec tunneling protocol for secure connection to a private network through the VPN Concentrator.
The VPN Client Administrator Guide tells how to configure a VPN 3000 Concentrator for remote user connections using the VPN Client, how to automate remote user profiles, how to customize VPN Client software, how to use the VPN Client command-line interface, and how to get troubleshooting information.
VPN 3002 Hardware Client Documentation
The VPN 3002 Hardware Client Reference provides details on all the functions available in the VPN 3002 Hardware Client Manager. This manual is online only.
The VPN 3002 Hardware Client Getting Started manual provides information to take you from unpacking and installing the VPN 3002, through configuring the minimal parameters to make it operational (called Quick Configuration). This manual is available only online.
The VPN 3002 Hardware Client Quick Start Card summarizes the information for quick configuration. This quick reference card is provided with the VPN 3002 and is also available online.
The VPN 3002 Hardware Client Basic Information sticky label summarizes information for quick configuration. It is provided with the VPN 3002 and you can also print it from the online version; you can affix the label to the VPN 3002.
Documentation on VPN Software Distribution CDs
The VPN 3000 Series Concentrator and VPN 3002 Hardware Client documentation are provided on the VPN 3000 Concentrator software distribution CD-ROM in PDF format. The VPN Client documentation is included on the VPN Client software distribution CD-ROM, also in PDF format. To view the latest versions on the Cisco web site, click the Support icon on the toolbar at the top of the VPN Concentrator Manager, Hardware Client Manager, or Client window. To open the documentation, you need Acrobat Reader 3.0 or later; version 4.5 is included on the Cisco VPN 3000 Concentrator software distribution CD-ROM and on the VPN Client software distribution CD-ROM.
Other References
Other useful references include:
Cisco Systems, Dictionary of Internetworking Terms and Acronyms. Cisco Press: 2001.
Virtual Private Networking: An Overview. Microsoft Corporation: 1999. (Available from Microsoft website.)
www.ietf.org for Internet Engineering Task Force (IETF) Working Group drafts on IP Security Protocol (IPSec).
www.whatis.com, a web reference site with definitions for computer, networking, and data communication terms.
Conventions
This document uses the following conventions:
boldface font: Commands and keywords are in boldface.
italic font: Arguments for which you supply values are in italics.
screen font: Terminal sessions and information the system displays are in screen font.
boldface screen font: Information you must enter is in boldface screen font.
^: The symbol ^ represents the key labeled Control. For example, the key combination ^D in a screen display means hold down the Control key while you press the D key.
Notes use the following conventions:
Note Means reader take note. Notes contain helpful suggestions or references to material not covered in the publication.
Tips use the following conventions:
Tip Means the following are useful tips.
Cautions use the following conventions:
Caution Means reader be careful. Cautions alert you to actions or conditions that could result in equipment damage or loss of data.
Warnings use the following conventions:
Warning This warning symbol means danger. You are in a situation that could cause bodily injury. Before you work on any equipment, you must be aware of the hazards involved with electrical circuitry and familiar with standard practices for preventing accidents.
Data Formats
As you configure and manage the system, enter data in the following formats unless the instructions indicate otherwise:
IP Addresses: IP addresses use 4-byte dotted decimal notation (for example, 192.168.12.34); as the example indicates, you can omit leading zeros in a byte position.
Subnet Masks and Wildcard Masks: Subnet masks use 4-byte dotted decimal notation (for example, 255.255.255.0). Wildcard masks use the same notation (for example, 0.0.0.255); as the example illustrates, you can omit leading zeros in a byte position.
MAC Addresses: MAC addresses use 6-byte hexadecimal notation (for example, 00.10.5A.1F.4F.07).
Hostnames: Hostnames use legitimate network hostname or end-system name notation (for example, VPN01). Spaces are not allowed. A hostname must uniquely identify a specific system on a network.
Text Strings: Text strings use upper- and lower-case alphanumeric characters. Most text strings are case-sensitive (for example, simon and Simon represent different usernames).
Filenames: Filenames on the VPN Concentrator follow the DOS 8.3 naming convention: a maximum of eight characters for the name, plus a maximum of three characters for an extension. For example, LOG00007.TXT is a legitimate filename. The VPN Concentrator always stores filenames in uppercase.
Port Numbers: Port numbers use decimal numbers from 0 to 65535. No commas or spaces are permitted in a number.
Obtaining Documentation
Cisco documentation and additional literature are available on Cisco.com. Cisco also provides several ways to obtain technical assistance and other technical resources. These sections explain how to obtain technical information from Cisco Systems.
Cisco.com
You can access the most current Cisco documentation at this URL:
http://www.cisco.com/techsupport
You can access the Cisco website at this URL:
http://www.cisco.com
You can access international Cisco websites at this URL:
http://www.cisco.com/public/countries_languages.shtml
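The Data Formats table earlier in this preface gives the shapes the VPN Concentrator accepts for addresses, masks, hostnames, filenames, and ports. The following validators, added here as an example and not code from the Cisco guide, check input against those rules before it is typed into the CLI or Manager. Where the table is silent the rules are assumptions and are marked as such in the comments: a subnet mask is taken to be contiguous ones then zeros, a wildcard mask contiguous zeros then ones, hostnames follow RFC 1123 label rules, and 8.3 filenames may contain letters, digits, and underscores.

```python
import re
from typing import List, Optional

# Added example, not from the Cisco guide: validators for the data formats the
# guide's Data Formats table requires (dotted-decimal addresses and masks,
# dot-separated MAC addresses, hostnames, DOS 8.3 filenames, port numbers).
# Rules the table does not state are assumptions and are commented as such.


def parse_dotted_decimal(text: str) -> Optional[List[int]]:
    """Parse 4-byte dotted-decimal notation (leading zeros may be omitted).
    Returns the four byte values, or None if the text is not well formed."""
    parts = text.split(".")
    if len(parts) != 4:
        return None
    values = []
    for part in parts:
        # isdigit() rejects signs, spaces and empty fields; three digits caps at 999
        if not part.isdigit() or len(part) > 3:
            return None
        value = int(part)
        if value > 255:
            return None
        values.append(value)
    return values


def is_ip_address(text: str) -> bool:
    return parse_dotted_decimal(text) is not None


def _as_u32(text: str) -> Optional[int]:
    values = parse_dotted_decimal(text)
    return None if values is None else int.from_bytes(bytes(values), "big")


def is_subnet_mask(text: str) -> bool:
    """Assumption: contiguous ones then zeros (255.255.255.0 yes, 255.0.255.0 no)."""
    bits = _as_u32(text)
    if bits is None:
        return False
    inverted = (~bits) & 0xFFFFFFFF  # the zero run becomes a run of ones: must be 2^n - 1
    return inverted & (inverted + 1) == 0


def is_wildcard_mask(text: str) -> bool:
    """Assumption: contiguous zeros then ones (0.0.0.255 yes, 0.0.255.0 no)."""
    bits = _as_u32(text)
    return bits is not None and bits & (bits + 1) == 0


_MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(?:\.[0-9A-Fa-f]{2}){5}$")


def is_mac_address(text: str) -> bool:
    """6-byte hexadecimal notation with dot separators, as in 00.10.5A.1F.4F.07."""
    return _MAC_RE.match(text) is not None


# Assumption: a single RFC 1123 label (letters, digits, hyphens, no leading or
# trailing hyphen, at most 63 characters). Spaces are rejected as the guide requires.
_HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def is_hostname(text: str) -> bool:
    return _HOSTNAME_RE.match(text) is not None


# DOS 8.3: up to eight name characters plus an optional extension of up to three.
# The accepted character set (letters, digits, underscore) is an assumption; the
# guide gives only the length rule and LOG00007.TXT as an example.
_FILENAME_RE = re.compile(r"^[A-Z0-9_]{1,8}(?:\.[A-Z0-9_]{1,3})?$")


def normalize_filename(text: str) -> Optional[str]:
    """Return the uppercase form the VPN Concentrator stores, or None if not 8.3."""
    upper = text.upper()
    return upper if _FILENAME_RE.match(upper) else None


def is_port(text: str) -> bool:
    """Decimal 0..65535 with no commas, spaces or signs."""
    return text.isdigit() and int(text) <= 65535


def validate(kind: str, text: str) -> bool:
    """Dispatch by the row name of the guide's table."""
    checks = {
        "ip": is_ip_address,
        "subnet_mask": is_subnet_mask,
        "wildcard_mask": is_wildcard_mask,
        "mac": is_mac_address,
        "hostname": is_hostname,
        "port": is_port,
        "filename": lambda s: normalize_filename(s) is not None,
    }
    return checks[kind](text)
```

The mask checks work on the 32-bit value rather than on the text, which is what catches a non-contiguous mask such as 255.0.255.0 that a per-byte check would pass.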
Product Documentation DVD
Cisco documentation and additional literature are available in the Product Documentation DVD package, which may have shipped with your product. The Product Documentation DVD is updated regularly and may be more current than printed documentation.
The Product Documentation DVD is a comprehensive library of technical product documentation on portable media. The DVD enables you to access multiple versions of hardware and software installation, configuration, and command guides for Cisco products and to view technical documentation in HTML. With the DVD, you have access to the same documentation that is found on the Cisco website without being connected to the Internet. Certain products also have .pdf versions of the documentation available.
The Product Documentation DVD is available as a single unit or as a subscription. Registered Cisco.com users (Cisco direct customers) can order a Product Documentation DVD (product number DOC-DOCDVD=) from the Ordering tool or Cisco Marketplace.
Cisco Ordering tool:
http://www.cisco.com/en/US/partner/ordering/
Cisco Marketplace:
http://www.cisco.com/go/marketplace/
Ordering Documentation
Beginning June 30, 2005, registered Cisco.com users may order Cisco documentation at the Product Documentation Store in the Cisco Marketplace at this URL:
http://www.cisco.com/go/marketplace/
Cisco will continue to support documentation orders using the Ordering tool:
Registered Cisco.com users (Cisco direct customers) can order documentation from the Ordering tool:
http://www.cisco.com/en/US/partner/ordering/
Instructions for ordering documentation using the Ordering tool are at this URL:
http://www.cisco.com/univercd/cc/td/doc/es_inpck/pdi.htm
Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco Systems Corporate Headquarters (California, USA) at 408 526-7208 or, elsewhere in North America, by calling 1 800 553-NETS (6387).
Documentation Feedback
You can rate and provide feedback about Cisco technical documents by completing the online feedback form that appears with the technical documents on Cisco.com.
You can send comments about Cisco documentation to bug-doc@cisco.com.
You can submit comments by using the response card (if present) behind the front cover of your document or by writing to the following address:
Cisco Systems Attn: Customer Document Ordering 170 West Tasman Drive San Jose, CA 95134-9883
We appreciate your comments.
Cisco Product Security Overview
Cisco provides a free online Security Vulnerability Policy portal at this URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
From this site, you can perform these tasks:
Report security vulnerabilities in Cisco products.
Obtain assistance with security incidents that involve Cisco products.
Register to receive security information from Cisco.
A current list of security advisories and notices for Cisco products is available at this URL:
http://www.cisco.com/go/psirt
If you prefer to see advisories and notices as they are updated in real time, you can access a Product Security Incident Response Team Really Simple Syndication (PSIRT RSS) feed from this URL:
http://www.cisco.com/en/US/products/products_psirt_rss_feed.html
Reporting Security Problems in Cisco Products
Cisco is committed to delivering secure products. We test our products internally before we release them, and we strive to correct all vulnerabilities quickly. If you think that you might have identified a vulnerability in a Cisco product, contact PSIRT:
Emergencies: security-alert@cisco.com
An emergency is either a condition in which a system is under active attack or a condition for which a severe and urgent security vulnerability should be reported. All other conditions are considered nonemergencies.
Nonemergencies: psirt@cisco.com
In an emergency, you can also reach PSIRT by telephone:
1 877 228-7302
1 408 525-6532
Tip We encourage you to use Pretty Good Privacy (PGP) or a compatible product to encrypt any sensitive information that you send to Cisco. PSIRT can work from encrypted information that is compatible with PGP versions 2.x through 8.x.
Never use a revoked or an expired encryption key. The correct public key to use in your correspondence with PSIRT is the one linked in the Contact Summary section of the Security Vulnerability Policy page at this URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.htm
The link on this page has the current PGP key ID in use.
Obtaining Technical Assistance
Cisco Technical Support provides 24-hour-a-day award-winning technical assistance. The Cisco Technical Support & Documentation website on Cisco.com features extensive online support resources. In addition, if you have a valid Cisco service contract, Cisco Technical Assistance Center (TAC) engineers provide telephone support. If you do not have a valid Cisco service contract, contact your reseller.
Cisco Technical Support & Documentation Website
The Cisco Technical Support & Documentation website provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies. The website is available 24 hours a day, at this URL:
http://www.cisco.com/techsupport
Access to all tools on the Cisco Technical Support & Documentation website requires a Cisco.com user ID and password. If you have a valid service contract but do not have a user ID or password, you can register at this URL:
http://tools.cisco.com/RPF/register/register.do
Note Use the Cisco Product Identification (CPI) tool to locate your product serial number before submitting a web or phone request for service. You can access the CPI tool from the Cisco Technical Support & Documentation website by clicking the Tools & Resources link under Documentation & Tools. Choose Cisco Product Identification Tool from the Alphabetical Index drop-down list, or click the Cisco Product Identification Tool link under Alerts & RMAs. The CPI tool offers three search options: by product ID or model name; by tree view; or for certain products, by copying and pasting show command output. Search results show an illustration of your product with the serial number label location highlighted. Locate the serial number label on your product and record the information before placing a service call.
Submitting a Service Request
Using the online TAC Service Request Tool is the fastest way to open S3 and S4 service requests. (S3 and S4 service requests are those in which your network is minimally impaired or for which you require product information.) After you describe your situation, the TAC Service Request Tool provides recommended solutions. If your issue is not resolved using the recommended resources, your service request is assigned to a Cisco engineer. The TAC Service Request Tool is located at this URL:
http://www.cisco.com/techsupport/servicerequest
For S1 or S2 service requests or if you do not have Internet access, contact the Cisco TAC by telephone. (S1 or S2 service requests are those in which your production network is down or severely degraded.) Cisco engineers are assigned immediately to S1 and S2 service requests to help keep your business operations running smoothly.
To open a service request by telephone, use one of the following numbers:
Asia-Pacific: +61 2 8446 7411 (Australia: 1 800 805 227)
EMEA: +32 2 704 55 55
USA: 1 800 553-2447
For a complete list of Cisco TAC contacts, go to this URL:
http://www.cisco.com/techsupport/contacts
Definitions of Service Request Severity
To ensure that all service requests are reported in a standard format, Cisco has established severity definitions.
Severity 1 (S1)—Your network is “down,” or there is a critical impact to your business operations. You and Cisco will commit all necessary resources around the clock to resolve the situation.
Severity 2 (S2)—Operation of an existing network is severely degraded, or significant aspects of your business operation are negatively affected by inadequate performance of Cisco products. You and Cisco will commit full-time resources during normal business hours to resolve the situation.
Severity 3 (S3)—Operational performance of your network is impaired, but most business operations remain functional. You and Cisco will commit resources during normal business hours to restore service to satisfactory levels.
Severity 4 (S4)—You require information or assistance with Cisco product capabilities, installation, or configuration. There is little or no effect on your business operations.
Obtaining Additional Publications and Information
Information about Cisco products, technologies, and network solutions is available from various online and printed sources.
Cisco Marketplace provides a variety of Cisco books, reference guides, documentation, and logo merchandise. Visit Cisco Marketplace, the company store, at this URL:
http://www.cisco.com/go/marketplace/
Cisco Press publishes a wide range of general networking, training and certification titles. Both new and experienced users will benefit from these publications. For current Cisco Press titles and other information, go to Cisco Press at this URL:
http://www.ciscopress.com
Packet magazine is the Cisco Systems technical user magazine for maximizing Internet and networking investments. Each quarter, Packet delivers coverage of the latest industry trends, technology breakthroughs, and Cisco products and solutions, as well as network deployment and troubleshooting tips, configuration examples, customer case studies, certification and training information, and links to scores of in-depth online resources. You can access Packet magazine at this URL:
http://www.cisco.com/packet
iQ Magazine is the quarterly publication from Cisco Systems designed to help growing companies learn how they can use technology to increase revenue, streamline their business, and expand services. The publication identifies the challenges facing these companies and the technologies to help solve them, using real-world case studies and business strategies to help readers make sound technology investment decisions. You can access iQ Magazine at this URL:
http://www.cisco.com/go/iqmagazine
or view the digital edition at this URL:
http://ciscoiq.texterity.com/ciscoiq/sample/
Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering professionals involved in designing, developing, and operating public and private internets and intranets. You can access the Internet Protocol Journal at this URL:
http://www.cisco.com/ipj
Networking products offered by Cisco Systems, as well as customer support services, can be obtained at this URL:
http://www.cisco.com/en/US/products/index.html
Networking Professionals Connection is an interactive website for networking professionals to share questions, suggestions, and information about networking products and technologies with Cisco experts and other networking professionals. Join a discussion at this URL:
http://www.cisco.com/discuss/networking
World-class networking training is available from Cisco. You can view current offerings at this URL:
http://www.cisco.com/en/US/learning/index.html
Chapter 1 Understanding the VPN 3000 Concentrator
The VPN 3000 Concentrator (also known as the VPN Concentrator) creates a virtual private network by creating a secure connection across a TCP/IP network (such as the Internet) that users see as a private connection. The VPN Concentrator can create single-user-to-LAN connections and LAN-to-LAN connections.
Figure 1-1 The Cisco VPN 3000 Concentrator (Model 3005; Models 3015 to 3080)
Hardware Features
Current VPN Concentrator Models: 3005, 3015, 3020, 3030, 3060, and 3080.
Previous VPN Concentrator Models: C10, C20, and C50.
All systems feature:
10/100Base-T Ethernet interfaces (autosensing)
3005: Two interfaces
3015–3080: Three interfaces
Motorola® PowerPC CPU
SDRAM memory for normal operation
Nonvolatile memory for critical system parameters
Flash memory for file management
In addition, individual models have the following hardware features:
Model 3005
Software-based encryption
Single power supply
64 MB memory (versions prior to 4.1 have 32 MB memory)
Model 3015
Software-based encryption
Single power supply
Expansion capabilities: up to two Enhanced Cisco Scalable Encryption Processing (SEP-E) modules for hardware-based encryption, up to two SEP-E modules for redundancy, and an optional redundant power supply
128 MB memory
Model 3020
One SEP-E module for hardware-based encryption
Single power supply
Expansion capabilities: up to one additional SEP-E module for redundancy, and an optional redundant power supply
256 MB memory
Model 3030
One SEP-E module for hardware-based encryption
Single power supply
Expansion capabilities: one additional SEP-E module for hardware-based encryption, up to two additional SEP-E modules for redundancy, and an optional redundant power supply
512 MB memory
Model 3060
Two SEP-E modules for hardware-based encryption
Expansion capabilities: up to two additional SEP-E modules for system redundancy, and an optional redundant power supply
512 MB memory
Model 3080
Two SEP-E modules for hardware-based encryption
Two SEP-E modules for system redundancy
Dual redundant power supplies
512 MB memory
Software Features
The VPN Concentrator incorporates the following virtual private networking software features:
Management Interfaces
The VPN Concentrator offers multiple management interfaces. Each interface provides complete capabilities and can be used to fully configure, administer, and monitor the device.
The VPN Concentrator Manager is an HTML-based interface that lets you manage the system remotely with a standard web browser using either of the following:
HTTP connections
HTTPS (HTTP over SSL) secure connections
The VPN Concentrator command-line interface is a menu- and command-line based interface that you can use with the local system console or remotely using any of the following:
Telnet connections
SSHv1 (Secure Shell), including SCP (Secure Copy)
HTTP and Telnet carry the administrator password and all configuration data in cleartext; for remote management across any network you do not fully control, use HTTPS and SSH.
Tunneling Protocols
IPSec (IP Security) Protocol
Remote access, using Cisco VPN Client or other select IPSec protocol-compliant clients
LAN-to-LAN, between peer VPN Concentrators or between a VPN Concentrator and another IPSec protocol-compliant secure gateway
L2TP over IPSec (for native Windows 2000, Windows NT, and Windows XP client compatibility)
WebVPN (clientless access using an HTTPS web browser)
PPTP (Point-to-Point Tunneling Protocol) with encryption
L2TP (Layer 2 Tunneling Protocol)
Encryption Algorithms
56-bit DES (Data Encryption Standard)
168-bit Triple DES
Microsoft Encryption (MPPE): 40-bit and 128-bit RC4
128-bit, 192-bit, and 256-bit AES (Advanced Encryption Standard)
Authentication Algorithms
MD5 (Message Digest 5)
SHA-1 (Secure Hash Algorithm)
HMAC (Hashed Message Authentication Coding) with MD5
HMAC with SHA-1
Key Management
IKE (Internet Key Exchange), formerly called ISAKMP/Oakley, with Diffie-Hellman key technique
Diffie-Hellman Group 1, Group 2, Group 5, and Group 7 (ECC)
Perfect Forward Secrecy (PFS)
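The encryption, authentication, and key-management lists above describe what the device can negotiate, not what should be enabled. The auditor below, added here as an example and not code from the Cisco guide, takes IKE/IPSec proposals built from exactly that algorithm set and reports which choices current cryptographic guidance treats as weak, so a configuration can be checked before it is deployed. The Proposal type and the weakness classifications are the editor's; the guide lists the algorithms without rating them, and Group 7 (ECC) is left unrated because the guide does not say which curve it uses.

```python
from dataclasses import dataclass
from typing import List, Optional

# Added example, not from the Cisco guide. The proposal model and the weak /
# legacy classifications below are the editor's reading of current guidance;
# the guide only lists the algorithms and groups.


@dataclass(frozen=True)
class Proposal:
    encryption: str   # "DES", "3DES", "AES-128", "AES-192", "AES-256", "RC4-40", "RC4-128"
    integrity: str    # "MD5" or "SHA-1", used as HMAC in IPSec
    dh_group: int     # 1, 2, 5 or 7 as listed by the guide
    pfs: bool = True  # Perfect Forward Secrecy for the data SA


WEAK_ENCRYPTION = {
    "DES": "56-bit key is exhaustively searchable",
    "RC4-40": "40-bit key is exhaustively searchable",
    "RC4-128": "RC4 keystream has exploitable biases",
}
LEGACY_ENCRYPTION = {
    "3DES": "64-bit block; birthday-bound attacks on long-lived SAs (Sweet32)",
}
WEAK_INTEGRITY = {"MD5": "collision-broken; avoid in new configurations"}
WEAK_DH = {
    1: "768-bit MODP group is within reach of precomputation attacks",
    2: "1024-bit MODP group is below current minimum recommendations",
}


def audit(p: Proposal) -> List[str]:
    """Return the findings for one proposal; an empty list means nothing was flagged."""
    findings: List[str] = []
    if p.encryption in WEAK_ENCRYPTION:
        findings.append(f"weak encryption {p.encryption}: {WEAK_ENCRYPTION[p.encryption]}")
    elif p.encryption in LEGACY_ENCRYPTION:
        findings.append(f"legacy encryption {p.encryption}: {LEGACY_ENCRYPTION[p.encryption]}")
    if p.integrity in WEAK_INTEGRITY:
        findings.append(f"weak integrity {p.integrity}: {WEAK_INTEGRITY[p.integrity]}")
    if p.dh_group in WEAK_DH:
        findings.append(f"weak DH group {p.dh_group}: {WEAK_DH[p.dh_group]}")
    if not p.pfs:
        findings.append("PFS disabled: a compromised IKE key exposes every data SA derived from it")
    return findings


def is_acceptable(p: Proposal) -> bool:
    return not audit(p)


def best_common_proposal(ours: List[Proposal], peer: List[Proposal]) -> Optional[Proposal]:
    """Model proposal selection: the first of our proposals, in our preference
    order, that the peer also offers and that the audit does not flag. Returns
    None when the only overlap is a flagged proposal, so the caller can refuse
    the connection rather than silently negotiate down to a weak suite."""
    offered = set(peer)
    for p in ours:
        if p in offered and is_acceptable(p):
            return p
    return None


if __name__ == "__main__":
    # Constructed sample: a proposal list that still includes the guide's weakest choices.
    configured = [
        Proposal("AES-256", "SHA-1", 5),
        Proposal("3DES", "SHA-1", 2),
        Proposal("DES", "MD5", 1, pfs=False),
    ]
    for prop in configured:
        print(prop, "->", audit(prop) or "ok")
```

Because the concentrator will negotiate any proposal that is enabled, ordering strong proposals first is not enough; a peer that only offers DES or group 1 would still connect. The selection function returns None in that case, which is the behaviour to aim for: remove the weak proposals from the configuration rather than rely on preference order.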
Network Addressing Support
DNS (Domain Name System)
Client address assignment:
DHCP (Dynamic Host Configuration Protocol), including DDNS host name population and configurable giaddr
Internally configured client IP address pools
RADIUS
Authentication and Accounting Servers
Internal authentication server
Support for external authentication servers:
RADIUS
RADIUS with Password Expiration (MSCHAPv2)
NT Domain
Kerberos (Active Directory)
RSA Security SecurID
TACACS (administrator only)
LDAP Authorization
Authentication server testing
X.509 Digital Certificates
RADIUS accounting
Certificate Authorities
Entrust
VeriSign
Microsoft Windows 2000
RSA Keon
Netscape
Baltimore
Security Management
Group and user profiles
Data traffic management, by means of:
Filters and rules (including RADIUS-based Access Control Lists)
IPSec Security Associations
NAT (Network Address Translation), many-to-one, also called PAT (Port Address Translation)
Network lists
WebVPN
Access Control List, including file shares and Web URL filtering
Routing Protocols
IP
RIP v1, RIP v2
OSPF
Static routes
Private network autodiscovery for LAN-to-LAN connections
Reverse Route Injection (RRI) allows client, LAN-to-LAN, and network extension networks to be announced via RIPv2/OSPF
Clustering
Load Balancing
System redundancy via VRRP
System Administration
Session monitoring and management
Software image update
Boot code upgrade
File upload
System reset and reboot
Ping
Configurable system administrator profiles
File management, including SCP and TFTP transfer
Digital certificate enrollment and management
Session limit setting
Traceroute
Monitoring
Event logging and notification via system console, syslog, SNMP traps, and email
FTP backup of event logs
SNMP MIB-II support
System status
Session data
Memory usage
Extensive statistics
How the VPN Concentrator Works
The VPN Concentrator creates a virtual private network by creating a secure connection across a TCP/IP network (such as the Internet) that users see as a private connection. It can create single-user-to-LAN connections and LAN-to-LAN connections.
The secure connection is called a tunnel, and the VPN Concentrator uses tunneling protocols to negotiate security parameters, create and manage tunnels, encapsulate packets, transmit or receive them through the tunnel, and unencapsulate them. The VPN Concentrator functions as a bidirectional tunnel endpoint: it can receive plain packets, encapsulate them, and send them to the other end of the tunnel where they are unencapsulated and sent to their final destination. It can also receive encapsulated packets, unencapsulate them, and send them to their final destination.
The VPN Concentrator performs the following functions:
Establishes tunnels
Negotiates tunnel parameters
Authenticates users
Assigns user addresses
Encrypts and decrypts data
Manages security keys
Manages data transfer across the tunnel
Manages data transfer inbound and outbound as a tunnel endpoint or router
The VPN Concentrator invokes various standard protocols to accomplish these functions.
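The bidirectional tunnel-endpoint behaviour described above, as an added illustration that is not code from this manual or from the VPN Concentrator itself: a constructed Python endpoint that encapsulates a plain packet behind a tunnel header, authenticates it with HMAC using SHA-1 (one of the authentication algorithms listed under Software Features) truncated to 96 bits as IPsec's HMAC-SHA1-96 does, and on the receiving side verifies the tag, checks the sequence number against a replay window, and unencapsulates the packet. Encryption is left out because Python's standard library has no AES, so the example shows only the authentication and encapsulation steps; the header layout, the literal key (which IKE would derive in practice) and the window size are assumptions.

```python
import hmac
import hashlib
import struct

# Constructed toy example; not the VPN Concentrator's own packet format.
HEADER = struct.Struct("!II")   # assumed header: tunnel id, sequence number
TAG_LEN = 12                    # HMAC-SHA1-96 keeps 96 bits of the 160-bit digest


class TunnelEndpoint:
    """One end of a tunnel: encapsulates outbound packets, unencapsulates inbound ones."""

    def __init__(self, tunnel_id: int, auth_key: bytes, replay_window: int = 64):
        self.tunnel_id = tunnel_id
        self.auth_key = auth_key
        self.replay_window = replay_window
        self.send_seq = 0          # last sequence number we sent
        self.highest_seen = 0      # highest sequence number accepted so far
        self.seen = set()          # accepted sequence numbers still inside the window

    def _tag(self, body: bytes) -> bytes:
        return hmac.new(self.auth_key, body, hashlib.sha1).digest()[:TAG_LEN]

    def encapsulate(self, plain_packet: bytes) -> bytes:
        """Wrap a plain packet: header + payload + integrity tag."""
        self.send_seq += 1
        body = HEADER.pack(self.tunnel_id, self.send_seq) + plain_packet
        return body + self._tag(body)

    def unencapsulate(self, tunnel_packet: bytes) -> bytes:
        """Verify and strip the tunnel encapsulation; raise ValueError on any failure."""
        if len(tunnel_packet) < HEADER.size + TAG_LEN:
            raise ValueError("truncated tunnel packet")
        body, tag = tunnel_packet[:-TAG_LEN], tunnel_packet[-TAG_LEN:]
        # Constant-time comparison so a forger learns nothing from timing.
        if not hmac.compare_digest(tag, self._tag(body)):
            raise ValueError("authentication failed: packet altered or wrong key")
        tunnel_id, seq = HEADER.unpack(body[:HEADER.size])
        if tunnel_id != self.tunnel_id:
            raise ValueError("packet belongs to a different tunnel")
        self._check_replay(seq)
        return body[HEADER.size:]

    def _check_replay(self, seq: int) -> None:
        # Reject a sequence number already accepted or older than the window.
        if seq in self.seen or seq + self.replay_window <= self.highest_seen:
            raise ValueError(f"replayed or too-old sequence number {seq}")
        self.seen.add(seq)
        if seq > self.highest_seen:
            self.highest_seen = seq
            # Forget numbers that have fallen out of the window.
            self.seen = {s for s in self.seen if s + self.replay_window > seq}


def rejects(endpoint: TunnelEndpoint, packet: bytes) -> bool:
    """True when the endpoint refuses the packet (used to show failure handling)."""
    try:
        endpoint.unencapsulate(packet)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    key = b"constructed-demo-key"          # assumed; IKE would negotiate this
    site_a = TunnelEndpoint(tunnel_id=7, auth_key=key)
    site_b = TunnelEndpoint(tunnel_id=7, auth_key=key)

    wire = site_a.encapsulate(b"plain packet from A")
    print("B received:", site_b.unencapsulate(wire))
    print("B replays the same packet -> rejected:", rejects(site_b, wire))

    tampered = bytearray(site_a.encapsulate(b"second packet"))
    tampered[HEADER.size] ^= 0x01            # flip one payload bit in transit
    print("B sees a tampered packet -> rejected:", rejects(site_b, bytes(tampered)))

    # The same endpoint works in the other direction too.
    print("A received:", site_a.unencapsulate(site_b.encapsulate(b"reply from B")))
```

The replay check runs only after the tag has verified, so an attacker cannot disturb the window bookkeeping with forged sequence numbers; both sides keep independent counters, which is why the reverse direction needs no extra state.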
Client Software Compatibility
Cisco VPN Client (IPSec):
Windows 98 and Windows ME
Windows NT® 4.0, Windows 2000, and Windows XP
Mac OS X 10.1 and 10.2 Jaguar
Linux Intel v2.2/v2.4 kernels and Solaris ULTRASparc 32-bit and 64-bit (command-line interfaces only)
Microsoft VPN Clients:
Windows® 95, Windows 98, Windows ME, Windows NT 4.0, Windows 2000, and Windows XP (PPTP)
Windows 98, Windows ME, Windows NT 4.0, Windows 2000 and Windows XP (L2TP over IPSec)
Certicom movianVPN Client (ECC, handheld)
Other Features
Software data compression
Split tunneling
Bandwidth management
Where the VPN Concentrator Fits in Your Network
Enterprise network configurations vary widely, but the VPN Concentrator is flexible and functional enough to satisfy most applications. Figure 1-2 shows a typical installation, with the VPN Concentrator configured in parallel with a firewall, and supporting both low-speed and high-speed remote users. In some cases, the VPN Concentrator may be deployed behind the firewall; such a configuration is firewall-vendor dependent and might require additional firewall configuration.
For LAN-to-LAN or branch office applications, place a second VPN Concentrator or other IPSec protocol-compliant secure gateway at the remote office.
Figure 1-2 A Typical VPN Concentrator Network Installation
Physical Specifications
The VPN Concentrator has the following physical specifications:
Width 17.25 inches (43.8 cm); 19-inch (48.26-cm), rack mountable
Depth
3005 = 11.75 inches (29.85 cm)
3015–3080 = 17 inches (43.2 cm)
Height
3005 = 1.75 inches (4.45 cm); 1U high form factor
3015–3080 = 3.5 inches (8.89 cm); 2 U high form factor
Weight
3005 = 8.5 lbs (3.9 kg)
3015–3080 = 27 to 33 lbs (12.25 to 15 kg), depending on model and options
Cooling Normal operating environment, 32° to 122°F (0° to 50°C)
Power 100 to 240 VAC at 50/60 Hz (autosensing)
3005 = maximum 25 W (0.2A @ 120 VAC)
3015–3080 = maximum 50 W (0.42A @ 120 VAC)
Cabling distances from an active network device
Approx. 328 feet (100 meters)
UL approved Electrical, mechanical, and construction
Standards compliance FCC, E.U., and VCCI Class A compliance
Chapter 2
Installing and Powering Up the VPN Concentrator
This chapter tells you how to prepare for, unpack, install, and power up the VPN Concentrator, and how to begin quick configuration.
Preparing to Install
Before you begin, ensure that you have the requisite skill set and that your physical environment and software preferences are properly set, as described in the following sections.
User or Administrator Skills
We assume you are an experienced system administrator or network administrator with appropriate education and training, who knows how to install, configure, and manage internetworking systems. However, virtual private networks and VPN devices may be new to you. You should be familiar with Windows system configuration and management and with Microsoft Internet Explorer, Netscape Navigator, or Mozilla browsers.
Physical Site Requirements
The VPN Concentrator requires a normal computing-equipment environment.
Power The VPN Concentrator requires only normal computing-equipment power. For maximum protection, we recommend connecting it to a conditioned power source or uninterruptible power supply (UPS). Be sure that the power source provides a reliable earth ground.
Cooling In the VPN 3005, cooling intake vents are on the front, and fans are on the rear of the chassis. In the VPN 3015–3080, cooling intake vents are on the left side, and fans on the right side, of the chassis (looking at the front). Allow at least 3 inches (75 mm) of unobstructed space on all sides. If you install the device in an equipment rack, be sure there is adequate airflow.
Console and PC / Telnet / Browser Requirements
The VPN Concentrator requires a console by which you enter initial configuration parameters. You can also completely configure and manage the VPN Concentrator via the CLI from the console or a Telnet client. However, for easiest use, we strongly recommend using the VPN Concentrator Manager, which is HTML-based, from a PC and browser.
The PC must be able to run the recommended browser. The console can be the same PC that runs the browser.
Browser Requirements
The VPN Concentrator Manager requires one of the following browsers:
Microsoft Internet Explorer version 6.0 SP1 or higher (Windows) (SP2 required for Windows XP)
Netscape Navigator version 7.2 or higher (Windows, Linux, or Solaris)
Mozilla 1.73 or higher (Windows, Linux, or Solaris)
Firefox 1.0 (Windows, Macintosh, or Linux)
For best results, we recommend Internet Explorer. Whatever browser and version you use, install the latest patches and service packs for it.
JavaScript and Cookies
Be sure JavaScript and Cookies are enabled in the browser. Check these settings.
Access The VPN Concentrator requires access only to the front and back.
Cables and Connectors
The VPN Concentrator uses the following cables and connectors:
The VPN Concentrator Ethernet interfaces take standard UTP/STP twisted-pair network cables, Category 5, with RJ-45 8-pin modular connectors. Cisco supplies two with the system.
The console port takes a standard straight-through RS-232 serial cable with a female DB-9 connector, which Cisco supplies with the system.
Navigation Toolbar
Do not use the browser navigation toolbar buttons Back, Forward, or Refresh / Reload with the VPN Concentrator Manager unless instructed to do so. To protect access security, clicking Refresh / Reload automatically logs out the Manager session. Clicking Back or Forward may display stale Manager screens with incorrect data or settings.
We recommend that you hide the browser navigation toolbar to prevent mistakes while using the VPN Concentrator Manager.
Recommended PC Monitor / Display Settings
For best legibility and ease of use, we recommend setting your monitor or display as follows:
Desktop area = 1024 x 768 pixels or greater. Minimum = 800 x 600 pixels.
Color palette = 256 colors or higher.
Browser settings for JavaScript and Cookies

Internet Explorer 6.0
JavaScript:
1. On the Tools menu, choose Internet Options.
2. On the Security tab, click Custom Level.
3. In the Security Settings window, scroll down to Scripting.
4. Click Enable under Active scripting.
5. Click Enable under Scripting of Java applets.
Cookies:
1. On the Tools menu, choose Internet Options.
2. On the Privacy tab, set the slider at or below Medium High.

Netscape Navigator 7.2 and Mozilla 1.7
JavaScript:
1. On the Edit menu, choose Preferences.
2. Under the Advanced category, choose Scripts & Plug-ins.
3. Check the Navigator check box.
4. Check all Allow Web pages check boxes.
Cookies:
1. On the Edit menu, choose Preferences.
2. Under the Privacy & Security category, choose Cookies.
3. Choose Enable All Cookies.

Unpacking
The VPN Concentrator ships with these items. Carefully unpack your device and check your contents against the list in Table 2-1. Save the packing material in case you need to repack the unit.

Table 2-1 VPN Concentrator Packing List
Check  Quantity  Item
       1         VPN 3000 Series Concentrator
       2         Rack-mounting kits—one for model 3005; one for models 3015-3080
       1         RS-232 straight-through serial console cable with DB-9 female connectors on both ends
       2         UTP network cables with RJ-45 8-pin modular connectors
Installing the VPN Concentrator Hardware
You can install the VPN Concentrator in a standard 19-inch equipment rack, or just place it on a table or shelf.
Tools Required
No. 1 Phillips screwdriver (if you install the screw-mounted rubber feet on the device).
No. 2 Phillips screwdriver (if you rack-mount the device).
Rack Mounting
Attach the rack-mounting brackets with 10-32 screws in the holes on the front left and right sides. Be sure to orient the brackets as shown in Figure 2-1.
Figure 2-1 Attaching Rack-Mounting Brackets
Model 3005
Table 2-1 VPN Concentrator Packing List (continued)
Check  Quantity  Item
       1 or 2    Power cords
       1         Cisco VPN 3000 Series Concentrator CD
       1         Cisco VPN Software Client CD
       1         VPN 3000 Series Concentrator Getting Started (this manual)
       1         VPN 3000 Series Concentrator Software License Agreement
       1         Cisco VPN Client Software License Agreement
       1         Export Compliance document
       1         Cisco Product Warranty and Information packet
       1         Documentation Ordering Instructions
Models 3015 to 3080
Mount the VPN Concentrator in the rack as shown in Figure 2-2. Use screws or fasteners appropriate for your equipment rack.
Figure 2-2 Rack Mounting a VPN Concentrator
Model 3005
Models 3015 through 3080
Installing Rubber Feet
To place the VPN Concentrator on a table or shelf, locate the four indentations on the bottom of the chassis. Peel the removable tape off each rubber foot, and place one foot in each indentation. (See Figure 2-3.)
Some models of the VPN Concentrator use screws to attach the rubber feet. If the rubber feet have screws, attach them to the bottom of the chassis in the holes at each corner. (See Figure 2-4.)
Figure 2-3 Installing Rubber Feet
VPN 3005
VPN 3015 - 3080