Cisco VPN 3000 Getting Started

VPN 3000 Series Concentrator Getting Started
Release 3.6 August 2002
Corporate Headquarters
Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000
Fax: 408 526-4100
Customer Order Number: DOC-7814740= Text Part Number: 78-14740-01
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio-frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required to correct the interference at their own expense.
The following information is for FCC compliance of Class B devices: The equipment described in this manual generates and may radiate radio-frequency energy. If it is not installed in accordance with Cisco’s installation instructions, it may cause interference with radio and television reception. This equipment has been tested and found to comply with the limits for a Class B digital device in accordance with the specifications in part 15 of the FCC rules. These specifications are designed to provide reasonable protection against such interference in a residential installation. However, there is no guarantee that interference will not occur in a particular installation.
Modifying the equipment without Cisco’s written authorization may result in the equipment no longer complying with FCC requirements for Class A or Class B digital devices. In that event, your right to use the equipment may be limited by FCC regulations, and you may be required to correct any interference to radio or television communications at your own expense.
You can determine whether your equipment is causing interference by turning it off. If the interference stops, it was probably caused by the Cisco equipment or one of its peripheral devices. If the equipment causes interference to radio or television reception, try to correct the interference by using one or more of the following measures:
• Turn the television or radio antenna until the interference stops.
• Move the equipment to one side or the other of the television or radio.
• Move the equipment farther away from the television or radio.
• Plug the equipment into an outlet that is on a different circuit from the television or radio. (That is, make certain the equipment and the television or radio are on circuits controlled by different circuit breakers or fuses.)
Modifications to this product not authorized by Cisco Systems, Inc. could void the FCC approval and negate your authority to operate the product.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
CCIP, the Cisco Arrow logo, the Cisco Powered Network mark, the Cisco Systems Verified logo, Cisco Unity, Follow Me Browsing, FormShare, Internet Quotient, iQ Breakthrough, iQ Expertise, iQ FastTrack, the iQ Logo, iQ Net Readiness Scorecard, Networking Academy, ScriptShare, SMARTnet, TransPath, and Voice LAN are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, Discover All That’s Possible, The Fastest Way to Increase Your Internet Quotient, and iQuick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherSwitch, Fast Step, GigaStack, IOS, IP/TV, LightStream, MGX, MICA, the Networkers logo, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, RateMUX, Registrar, SlideCast, StrataView Plus, Stratm, SwitchProbe, TeleRouter, and VCO are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries.
All other trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0206R)
VPN 3000 Series Concentrator Getting Started
Copyright © 2002, Cisco Systems, Inc. All rights reserved.
CONTENTS

Preface v
Audience v
Organization v
Related Documentation vi
Conventions viii
Obtaining Documentation x
Obtaining Technical Assistance xi

CHAPTER 1 Understanding the VPN 3000 Concentrator 1-1
Hardware Features 1-2
Software Features 1-4
How the VPN Concentrator Works 1-7
Where the VPN Concentrator Fits in Your Network 1-8
Physical Specifications 1-9

CHAPTER 2 Installing and Powering Up the VPN Concentrator 2-1
Preparing to Install 2-1
Unpacking 2-4
Installing the VPN Concentrator Hardware 2-5
Connecting Hardware 2-8
Powering Up 2-11
Beginning Quick Configuration 2-12

CHAPTER 3 Using the VPN Concentrator Manager for Quick Configuration 3-1
Logging in to the VPN Concentrator Manager 3-2
Starting Quick Configuration 3-3
Configuring IP Interfaces 3-4
Configuring System Information 3-8
Configuring Tunneling Protocols and Options 3-10
Configuring Address Assignment 3-11
Configuring Authentication 3-12
Configuring Internal Server User Database 3-16
Configuring the IPSec Group 3-17
Changing Admin Password 3-18
Finishing Quick Configuration 3-19
Saving the Active Configuration 3-20
What Next? 3-20
Using Other VPN Concentrator Manager Functions 3-21
Understanding the VPN Concentrator Manager Window 3-22

CHAPTER 4 Using the Command-Line Interface for Quick Configuration 4-1
Configuring Ethernet Interfaces 4-2
Configuring System Information 4-5
Configuring Tunneling Protocols and Options 4-6
Configuring Address Assignment 4-8
Configuring Authentication 4-10
Configuring the IPSec Group 4-16
Changing the Admin Password 4-17
Completing Quick Configuration 4-18
Saving the Active Configuration 4-18
Exiting the CLI 4-18
What Next? 4-19

CHAPTER 5 Testing the VPN Concentrator 5-1
VPN Concentrator Configuration Settings 5-1
Windows 95 PC Client Configuration 5-2
Testing the VPN Connection 5-3

APPENDIX A Troubleshooting and System Errors A-1
Files for Troubleshooting A-1
VPN Concentrator Manager Errors A-2
Command-line Interface Errors A-5
LED Indicators A-6

APPENDIX B Copyrights, Licenses, and Notices B-1

INDEX

Preface

VPN 3000 Series Concentrator Getting Started provides information to take you from unpacking and installing the VPN 3000 Concentrator through quick configuration (configuring the minimal parameters to make it operational). You can perform quick configuration from a console with the menu-based command-line interface, or you can use the HTML-based VPN Concentrator Manager with a browser. This guide describes both methods, and we recommend the latter for ease of use.

Audience

We assume you are an experienced system administrator or network administrator with appropriate education and training, who knows how to install, configure, and manage internetworking systems. However, virtual private networks and VPN devices might be new to you. You should be familiar with Windows system configuration and management, and you should be familiar with Microsoft Internet Explorer or Netscape Navigator or Communicator browsers.

Organization

This guide is organized as follows:

Chapter 1, Understanding the VPN 3000 Concentrator: Summarizes the hardware and software features and operation. If you are familiar with VPN devices, you can skip this chapter.

Chapter 2, Installing and Powering Up the VPN Concentrator: Explains how to prepare for, unpack, install, and power up the VPN Concentrator, and how to begin quick configuration. Once you have completed the steps in this chapter, you can use either Chapter 3 or Chapter 4 to complete quick configuration.

Chapter 3, Using the VPN Concentrator Manager for Quick Configuration: Explains how to complete quick configuration of the system using the VPN Concentrator Manager with a browser. We recommend this method.

Chapter 4, Using the Command-Line Interface for Quick Configuration: Explains how to complete quick configuration of the system using the command-line interface from the console or a Telnet session.

Chapter 5, Testing the VPN Concentrator: Explains how to test the system by using Microsoft Dial-Up Networking on a PC with a modem, to connect to an ISP and use PPTP to create a VPN tunnel to your private corporate network.

Appendix A, Troubleshooting and System Errors: Describes common errors that might occur while configuring or using the system, and how to correct them. It also describes all LED indicators on the VPN Concentrator and its expansion modules.
Related Documentation
Refer to the following documents for further information about Cisco VPN applications and products.

VPN 3000 Series Concentrator Documentation

The VPN 3000 Series Concentrator Reference Volume I: Configuration explains how to start and use the VPN Concentrator Manager. It details the Configuration screens and explains how to configure your device beyond the minimal parameters you set during quick configuration.
The VPN 3000 Series Concentrator Reference Volume II: Administration and Monitoring provides guidelines for administering and monitoring the VPN Concentrator. It explains and defines all functions available in the Administration and Monitoring screens of the VPN Concentrator Manager. Appendixes to this manual provide troubleshooting guidance and explain how to access and use the alternate command-line interface.
The VPN Concentrator Manager also includes context oriented online help that you can access by clicking the Help icon on the toolbar in the Manager window.

VPN Client Documentation

The VPN Client User Guide explains how to install, configure, and use the VPN Client, which lets a remote client use the IPSec tunneling protocol for secure connection to a private network through the VPN Concentrator.
The VPN Client Administrator Guide tells how to configure a VPN 3000 Concentrator for remote user connections using the VPN Client, how to automate remote user profiles, how to use the VPN Client command-line interface, and how to get troubleshooting information.

VPN 3002 Hardware Client Documentation

The VPN 3002 Hardware Client Reference provides details on all the functions available in the VPN 3002 Hardware Client Manager. This manual is online only.
The VPN 3002 Hardware Client Getting Started manual provides information to take you from unpacking and installing the VPN 3002, through configuring the minimal parameters to make it operational (called Quick Configuration). This manual is available only online.
The VPN 3002 Hardware Client Quick Start Card summarizes the information for quick configuration. This quick reference card is provided with the VPN 3002 and is also available online.
The VPN 3002 Hardware Client Basic Information sticky label summarizes information for quick configuration. It is provided with the VPN 3002 and you can also print it from the online version; you can affix the label to the VPN 3002.

Documentation on VPN Software Distribution CDs

The VPN 3000 Series Concentrator and VPN 3002 Hardware Client documentation are provided on the VPN 3000 Concentrator software distribution CD-ROM in PDF format. The VPN Client documentation is included on the VPN Client software distribution CD-ROM, also in PDF format. To view the latest versions on the Cisco web site, click the Support icon on the toolbar at the top of the VPN Concentrator Manager, Hardware Client Manager, or Client window. To open the documentation, you need Acrobat Reader 3.0 or later; version 4.5 is included on the Cisco VPN 3000 Concentrator software distribution CD-ROM and on the VPN Client software distribution CD-ROM.

Other References

Other useful references include:
Cisco Systems, Dictionary of Internetworking Terms and Acronyms. Cisco Press: 2001.
Virtual Private Networking: An Overview. Microsoft Corporation: 1999. (Available from Microsoft website.)
www.ietf.org for Internet Engineering Task Force (IETF) Working Group drafts on IP Security Protocol (IPSec).
www.whatis.com, a web reference site with definitions for computer, networking, and data communication terms.

Conventions

This document uses the following conventions:

boldface font: Commands and keywords are in boldface.
italic font: Arguments for which you supply values are in italics.
screen font: Terminal sessions and information the system displays are in screen font.
boldface screen font: Information you must enter is in boldface screen font.
^: The symbol ^ represents the key labeled Control. For example, the key combination ^D in a screen display means hold down the Control key while you press the D key.
Notes use the following conventions:
Note Means reader take note. Notes contain helpful suggestions or references to material not covered in the publication.
Tips use the following conventions:
Tip Means the following are useful tips.
Cautions use the following conventions:
Caution Means reader be careful. Cautions alert you to actions or conditions that could result in equipment damage or loss of data.
Warnings use the following conventions:
Warning This warning symbol means danger. You are in a situation that could cause bodily injury. Before you work on any equipment, you must be aware of the hazards involved with electrical circuitry and familiar with standard practices for preventing accidents.

Data Formats

As you configure and manage the system, enter data in the following formats unless the instructions indicate otherwise:
IP Addresses: IP addresses use 4-byte dotted decimal notation (for example, 192.168.12.34); as the example indicates, you can omit leading zeros in a byte position.

Subnet Masks and Wildcard Masks: Subnet masks use 4-byte dotted decimal notation (for example, 255.255.255.0). Wildcard masks use the same notation (for example, 0.0.0.255); as the example illustrates, you can omit leading zeros in a byte position.

MAC Addresses: MAC addresses use 6-byte hexadecimal notation (for example, 00.10.5A.1F.4F.07).

Hostnames: Hostnames use legitimate network hostname or end-system name notation (for example, VPN01). Spaces are not allowed. A hostname must uniquely identify a specific system on a network.

Text Strings: Text strings use upper- and lower-case alphanumeric characters. Most text strings are case-sensitive (for example, simon and Simon represent different usernames). In most cases, the maximum length of text strings is 48 characters.

Filenames: Filenames on the VPN Concentrator follow the DOS 8.3 naming convention: a maximum of eight characters for the name, plus a maximum of three characters for an extension. For example, LOG00007.TXT is a legitimate filename. The VPN Concentrator always stores filenames in uppercase.

Port Numbers: Port numbers use decimal numbers from 0 to 65535. No commas or spaces are permitted in a number.
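The formats above lend themselves to mechanical checks before a value is typed into the device or pasted into a configuration. The following Python is an added example, not code from this manual or from Cisco: it validates each data type from the table, checks that a subnet mask or wildcard mask is a contiguous bit pattern (which the table's dotted-decimal rule alone does not guarantee), derives the wildcard mask that pairs with a subnet mask, and runs the checks over a constructed sample form. The function names and the sample values are this example's own.

```python
import re

# Added example, not code from the Cisco manual: validators for the input
# formats in the "Data Formats" table. Function names and the constructed
# sample form at the bottom are this example's own assumptions.

_DOTTED_DEC = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")
_DOTTED_HEX = re.compile(r"^[0-9A-Fa-f]{2}(?:\.[0-9A-Fa-f]{2}){5}$")
_HOSTNAME = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
_DOS83 = re.compile(r"^[A-Za-z0-9_]{1,8}(?:\.[A-Za-z0-9_]{1,3})?$")
_PORT = re.compile(r"^\d{1,5}$")  # decimal digits only: no commas or spaces

def parse_ipv4(text):
    """4-byte dotted decimal (leading zeros may be omitted); octets or None."""
    m = _DOTTED_DEC.match(text)
    if not m:
        return None
    octets = [int(g) for g in m.groups()]
    return octets if all(o <= 255 for o in octets) else None

def is_subnet_mask(text):
    """Subnet mask: contiguous 1 bits followed by contiguous 0 bits."""
    octets = parse_ipv4(text)
    if octets is None:
        return False
    inverted = ~int.from_bytes(bytes(octets), "big") & 0xFFFFFFFF
    return (inverted + 1) & inverted == 0  # inverted must be 2**k - 1

def is_wildcard_mask(text):
    """Wildcard mask: contiguous 0 bits followed by contiguous 1 bits."""
    octets = parse_ipv4(text)
    if octets is None:
        return False
    value = int.from_bytes(bytes(octets), "big")
    return (value + 1) & value == 0  # value must be 2**k - 1

def wildcard_for(subnet_mask):
    """Derive the wildcard mask that pairs with a valid subnet mask."""
    if not is_subnet_mask(subnet_mask):
        raise ValueError("not a subnet mask: %r" % subnet_mask)
    return ".".join(str(255 - o) for o in parse_ipv4(subnet_mask))

def is_mac(text):
    """6-byte hexadecimal, dot separated (for example 00.10.5A.1F.4F.07)."""
    return _DOTTED_HEX.match(text) is not None

def is_hostname(text):
    """Network hostname notation (for example VPN01); spaces not allowed."""
    return _HOSTNAME.match(text) is not None

def is_text_string(text, max_len=48):
    """Alphanumeric text, case preserved, at most max_len characters."""
    return 0 < len(text) <= max_len and text.isascii() and text.isalnum()

def normalize_filename(text):
    """DOS 8.3 name in uppercase (as stored on the concentrator), or None."""
    return text.upper() if _DOS83.match(text) else None

def parse_port(text):
    """Decimal 0 to 65535 with no commas or spaces; int or None."""
    if not _PORT.match(text):
        return None
    port = int(text)
    return port if port <= 65535 else None

CHECKS = {
    "ip": lambda v: parse_ipv4(v) is not None,
    "subnet_mask": is_subnet_mask,
    "wildcard_mask": is_wildcard_mask,
    "mac": is_mac,
    "hostname": is_hostname,
    "text": is_text_string,
    "filename": lambda v: normalize_filename(v) is not None,
    "port": lambda v: parse_port(v) is not None,
}

def validate_form(fields):
    """fields: list of (kind, value). Returns the values that fail their
    kind's format, in input order; an empty list means the form is clean."""
    return [value for kind, value in fields if not CHECKS[kind](value)]

# Constructed sample form: the manual's own examples mixed with bad inputs.
SAMPLE_FORM = [
    ("ip", "192.168.12.34"), ("ip", "256.1.1.1"),
    ("subnet_mask", "255.255.255.0"), ("subnet_mask", "255.0.255.0"),
    ("wildcard_mask", "0.0.0.255"), ("wildcard_mask", "0.0.1.0"),
    ("mac", "00.10.5A.1F.4F.07"), ("mac", "00:10:5A:1F:4F:07"),
    ("hostname", "VPN01"), ("hostname", "VPN 01"),
    ("text", "simon"), ("text", "x" * 49),
    ("filename", "LOG00007.TXT"), ("filename", "LOG000007.TXT"),
    ("port", "65535"), ("port", "65,535"),
]

if __name__ == "__main__":
    for bad in validate_form(SAMPLE_FORM):
        print("rejected:", bad)
```

The mask checks go one step beyond the table: a value such as 255.0.255.0 is well-formed dotted decimal but is not a usable subnet mask, and catching it before it reaches the device avoids a filter or route that silently matches the wrong addresses.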

Obtaining Documentation
These sections explain how to obtain documentation from Cisco Systems.

World Wide Web

You can access the most current Cisco documentation on the World Wide Web at this URL:
http://www.cisco.com
Translated documentation is available at this URL:
http://www.cisco.com/public/countries_languages.shtml

Documentation CD-ROM

Cisco documentation and additional literature are available in a Cisco Documentation CD-ROM package, which is shipped with your product. The Documentation CD-ROM is updated monthly and may be more current than printed documentation. The CD-ROM package is available as a single unit or through an annual subscription.

Ordering Documentation

You can order Cisco documentation in these ways:
Registered Cisco.com users (Cisco direct customers) can order Cisco product documentation from the Networking Products MarketPlace:
http://www.cisco.com/cgi-bin/order/order_root.pl
Registered Cisco.com users can order the Documentation CD-ROM through the online Subscription Store:
http://www.cisco.com/go/subscription
Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco Systems Corporate Headquarters (California, U.S.A.) at 408 526-7208 or, elsewhere in North America, by calling 800 553-NETS (6387).

Documentation Feedback

You can submit comments electronically on Cisco.com. In the Cisco Documentation home page, click the Fax or Email option in the “Leave Feedback” section at the bottom of the page.
You can e-mail your comments to bug-doc@cisco.com.
You can submit your comments by mail by using the response card behind the front cover of your document or by writing to the following address:
Cisco Systems; Attn: Document Resource Connection 170 West Tasman Drive San Jose, CA 95134-9883
We appreciate your comments.

Obtaining Technical Assistance

Cisco provides Cisco.com as a starting point for all technical assistance. Customers and partners can obtain online documentation, troubleshooting tips, and sample configurations from online tools by using the Cisco Technical Assistance Center (TAC) Web Site. Cisco.com registered users have complete access to the technical support resources on the Cisco TAC Web Site.

Cisco.com

Cisco.com is the foundation of a suite of interactive, networked services that provides immediate, open access to Cisco information, networking solutions, services, programs, and resources at any time, from anywhere in the world.
Cisco.com is a highly integrated Internet application and a powerful, easy-to-use tool that provides a broad range of features and services to help you with these tasks:
Streamline business processes and improve productivity
Resolve technical issues with online support
Download and test software packages
Order Cisco learning materials and merchandise
Register for online skill assessment, training, and certification programs
If you want to obtain customized information and service, you can self-register on Cisco.com. To access Cisco.com, go to this URL:
http://www.cisco.com

Technical Assistance Center

The Cisco Technical Assistance Center (TAC) is available to all customers who need technical assistance with a Cisco product, technology, or solution. Two levels of support are available: the Cisco TAC Web Site and the Cisco TAC Escalation Center.
Cisco TAC inquiries are categorized according to the urgency of the issue:
Priority level 4 (P4)—You need information or assistance concerning Cisco product capabilities, product installation, or basic product configuration.
Priority level 3 (P3)—Your network performance is degraded. Network functionality is noticeably impaired, but most business operations continue.
Priority level 2 (P2)—Your production network is severely degraded, affecting significant aspects of business operations. No workaround is available.
Priority level 1 (P1)—Your production network is down, and a critical impact to business operations will occur if service is not restored quickly. No workaround is available.
The Cisco TAC resource that you choose is based on the priority of the problem and the conditions of service contracts, when applicable.
Cisco TAC Web Site
You can use the Cisco TAC Web Site to resolve P3 and P4 issues yourself, saving both cost and time. The site provides around-the-clock access to online tools, knowledge bases, and software. To access the Cisco TAC Web Site, go to this URL:
http://www.cisco.com/tac
All customers, partners, and resellers who have a valid Cisco service contract have complete access to the technical support resources on the Cisco TAC Web Site. The Cisco TAC Web Site requires a Cisco.com login ID and password. If you have a valid service contract but do not have a login ID or password, go to this URL to register:
http://www.cisco.com/register/
If you are a Cisco.com registered user, and you cannot resolve your technical issues by using the Cisco TAC Web Site, you can open a case online by using the TAC Case Open tool at this URL:
http://www.cisco.com/tac/caseopen
If you have Internet access, we recommend that you open P3 and P4 cases through the Cisco TAC Web Site.
Cisco TAC Escalation Center
The Cisco TAC Escalation Center addresses priority level 1 or priority level 2 issues. These classifications are assigned when severe network degradation significantly impacts business operations. When you contact the TAC Escalation Center with a P1 or P2 problem, a Cisco TAC engineer automatically opens a case.
To obtain a directory of toll-free Cisco TAC telephone numbers for your country, go to this URL:
http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
Before calling, please check with your network operations center to determine the level of Cisco support services to which your company is entitled: for example, SMARTnet, SMARTnet Onsite, or Network Supported Accounts (NSA). When you call the center, please have available your service agreement number and your product serial number.
CHAPTER 1

Understanding the VPN 3000 Concentrator

The VPN 3000 Concentrator (also known as the VPN Concentrator) creates a virtual private network by creating a secure connection across a TCP/IP network (such as the Internet) that users see as a private connection. The VPN Concentrator can create single-user-to-LAN connections and LAN-to-LAN connections.
Figure 1-1 The Cisco VPN 3000 Concentrator (Model 3005; Models 3015 to 3080)

Hardware Features
Current VPN Concentrator Models: 3005, 3015, 3030, 3060, and 3080.
Previous VPN Concentrator Models: C10, C20, and C50.
All systems feature:
10/100Base-T Ethernet interfaces (autosensing)
3005: Two interfaces
3015–3080: Three interfaces
Motorola® PowerPC CPU
SDRAM memory for normal operation
Nonvolatile memory for critical system parameters
Flash memory for file management
In addition, individual models have the following hardware features:

Model 3005
Software-based encryption
Single power supply

Model 3015
Software-based encryption
Single power supply
Expansion capabilities:
Up to four Cisco Scalable Encryption Processing modules for maximum system throughput and redundancy
Optional redundant power supply

Model 3030
One Scalable Encryption Processing module for hardware-based encryption
Single power supply
Expansion capabilities:
One additional SEP module for maximum system throughput and redundancy
Optional redundant power supply

Models 3060 and 3080
Two Scalable Encryption Processing modules for hardware-based encryption at maximum system throughput
Dual redundant power supplies
Expansion capabilities:
Up to two additional SEP modules for maximum system redundancy

Software Features
The VPN Concentrator incorporates the following virtual private networking software features:

Management Interfaces
The VPN Concentrator offers multiple management interfaces. Each interface provides complete capabilities and can be used to fully configure, administer, and monitor the device.
The VPN Concentrator Manager is an HTML-based interface that lets you manage the system remotely with a standard web browser using either of the following:
HTTP connections
HTTPS (HTTP over SSL) secure connections
The VPN Concentrator command-line interface is a menu- and command-line based interface that you can use with the local system console or remotely using any of the following:
Telnet connections
Telnet over SSL secure connections
SSH (Secure Shell), including SCP (Secure Copy)

Tunneling Protocols
IPSec (IP Security) Protocol
Remote access, using Cisco VPN Client or other select IPSec protocol-compliant clients
LAN-to-LAN, between peer VPN Concentrators or between a VPN Concentrator and another IPSec protocol-compliant secure gateway
L2TP over IPSec (for native Windows 2000 and Windows XP client compatibility)
PPTP (Point-to-Point Tunneling Protocol) with encryption
L2TP (Layer 2 Tunneling Protocol)

Encryption Algorithms
56-bit DES (Data Encryption Standard)
168-bit Triple DES
Microsoft Encryption (MPPE): 40- and 128-bit RC4
128-, 192-, and 256-bit AES

Authentication Algorithms
MD5 (Message Digest 5)
SHA-1 (Secure Hash Algorithm)
HMAC (Hashed Message Authentication Coding) with MD5
HMAC with SHA-1

Key Management
IKE (Internet Key Exchange), formerly called ISAKMP/Oakley, with Diffie-Hellman key technique
Diffie-Hellman Group 1, Group 2, Group 5, and Group 7 (ECC)
Perfect Forward Secrecy (PFS)

Network Addressing Support
DNS (Domain Name System)
Client address assignment:
DHCP (Dynamic Host Configuration Protocol), including DDNS host name population
Internally configured client IP address pools
RADIUS

Authentication and Accounting Servers
Internal authentication server
Support for external authentication servers:
RADIUS
RADIUS with Password Expiration (MSCHAPv2)
NT Domain
RSA Security SecurID
TACACS (administrator only)
Authentication server testing
X.509 Digital Certificates
RADIUS accounting

Certificate Authorities
Entrust
VeriSign
Microsoft Windows 2000
RSA Keon
Netscape
Baltimore

Security Management
Group and user profiles
Data traffic management, by means of:
Filters and rules
IPSec Security Associations
NAT (Network Address Translation), many-to-one, also called PAT (Port Address Translation)
Network lists

Routing Protocols
IP
RIP v1, RIP v2
OSPF
Static routes
Private network autodiscovery for LAN-to-LAN connections
Reverse Route Injection (RRI) allows client, LAN-to-LAN, and network extension networks to be announced via RIPv2/OSPF

Clustering
Load Balancing
System redundancy via VRRP

System Administration
Session monitoring and management
Software image update
File upload
System reset and reboot
Ping
Configurable system administrator profiles
File management, including SCP and TFTP transfer
Digital certificate enrollment and management
Session limit setting
Event logging and notification via system console, syslog, SNMP traps, and email
FTP backup of event logs
SNMP MIB-II support

Monitoring
System status
Session data
Extensive statistics

Client Software Compatibility
Cisco VPN Client (IPSec):
Windows® 95 (OSR 2 or greater), Windows 98, and Windows ME
Windows NT® 4.0, Windows 2000, and Windows XP
Linux Intel v2.2/v2.4 kernels, Solaris ULTRASparc 32-bit, MAC OS X (command-line interfaces only)
Microsoft VPN Clients:
Windows 95, Windows 98, and Windows ME (PPTP)
Windows NT 4.0 (PPTP)
Windows® 2000 and Windows XP (PPTP, L2TP over IPSec)
Certicom movianVPN Client (ECC, handheld)

Other Features
Software data compression
Split tunneling
Bandwidth management

How the VPN Concentrator Works

The VPN Concentrator creates a virtual private network by creating a secure connection across a TCP/IP network (such as the Internet) that users see as a private connection. It can create single-user-to-LAN connections and LAN-to-LAN connections.
The secure connection is called a tunnel, and the VPN Concentrator uses tunneling protocols to negotiate security parameters, create and manage tunnels, encapsulate packets, transmit or receive them through the tunnel, and unencapsulate them. The VPN Concentrator functions as a bidirectional tunnel endpoint: it can receive plain packets, encapsulate them, and send them to the other end of the tunnel where they are unencapsulated and sent to their final destination. It can also receive encapsulated packets, unencapsulate them, and send them to their final destination.
The VPN Concentrator performs the following functions:
Establishes tunnels
Negotiates tunnel parameters
Authenticates users
Assigns user addresses
Encrypts and decrypts data
Manages security keys
Manages data transfer across the tunnel
Manages data transfer inbound and outbound as a tunnel endpoint or router
The VPN Concentrator invokes various standard protocols to accomplish these functions.

Where the VPN Concentrator Fits in Your Network
Enterprise network configurations vary widely, but the VPN Concentrator is flexible and functional enough to satisfy most applications. Figure 1-2 shows a typical installation, with the VPN Concentrator configured in parallel with a firewall, and supporting both low-speed and high-speed remote users. In some cases, the VPN Concentrator may be deployed behind the firewall; such a configuration is firewall-vendor dependent and might require additional firewall configuration.
LAN-to-LAN or branch office applications are also supported by placing a second VPN Concentrator, or other IPSec protocol-compliant secure gateway, at the remote office.
Figure 1-2 A Typical VPN Concentrator Network Installation

Physical Specifications

The VPN Concentrator has the following physical specifications:
Width: 17.25 inches (43.8 cm); 19-inch (48.26-cm) rack mountable
Depth: 3005 = 11.75 inches (29.85 cm); 3015–3080 = 17 inches (43.2 cm)
Height: 3005 = 1.75 inches (4.45 cm), 1U high form factor; 3015–3080 = 3.5 inches (8.89 cm), 2U high form factor
Weight: 3005 = 8.5 lbs (3.9 kg); 3015–3080 = 27 to 33 lbs (12.25 to 15 kg), depending on model and options
Cooling: Normal operating environment, 32° to 122°F (0° to 50°C)
Power: 100 to 240 VAC at 50/60 Hz (autosensing); 3005 = maximum 25 W (0.2A @ 120 VAC); 3015–3080 = maximum 50 W (0.42A @ 120 VAC)
Cabling distances from an active network device: Approx. 328 feet (100 meters)
UL approved: Electrical, mechanical, and construction
Standards compliance: FCC, E.U., and VCCI Class A compliance

Chapter 2 Installing and Powering Up the VPN Concentrator

This chapter tells you how to prepare for, unpack, install, and power up the VPN Concentrator, and how to begin quick configuration.

Preparing to Install

Before you begin, ensure that you have the requisite skill set and that your physical environment and software preferences are properly set, as described in the following sections.

User or Administrator Skills

We assume you are an experienced system administrator or network administrator with appropriate education and training, who knows how to install, configure, and manage internetworking systems. However, virtual private networks and VPN devices may be new to you. You should be familiar with Windows 95/98 or Windows NT system configuration and management and with Microsoft Internet Explorer or Netscape Navigator browsers.

Physical Site Requirements

The VPN Concentrator requires a normal computing-equipment environment.
Power: The VPN Concentrator requires only normal computing-equipment power. For maximum protection, we recommend connecting it to a conditioned power source or UPS (uninterruptible power supply). Be sure that the power source provides a reliable earth ground.
Cooling: In the VPN 3005, cooling intake vents are on the front, and fans are on the rear of the chassis. In the VPN 3015–3080, cooling intake vents are on the left side, and fans on the right side, of the chassis (looking at the front). Allow at least 3 inches (75 mm) of unobstructed space on all sides. If you install the device in an equipment rack, be sure there is adequate airflow.
Access: The VPN Concentrator requires access only to the front and back.

Cables and Connectors

The VPN Concentrator uses the following cables and connectors:
The VPN Concentrator Ethernet interfaces take standard UTP/STP twisted-pair network cables, Category 5, with RJ-45 8-pin modular connectors. Cisco supplies two with the system.
The console port takes a standard straight-through RS-232 serial cable with a female DB-9 connector, which Cisco supplies with the system.

Console and PC / Telnet / Browser Requirements

The VPN Concentrator requires a console by which you enter initial configuration parameters. You can also completely configure and manage the VPN Concentrator via the CLI from the console or a Telnet client. However, for easiest use, we strongly recommend using the VPN Concentrator Manager, which is HTML-based, from a PC and browser.
The PC must be able to run the recommended browser. The console can be the same PC that runs the browser.
Browser Requirements
The VPN Concentrator Manager requires either Microsoft Internet Explorer version 4.0 or higher, or Netscape Navigator version 4.5-4.7 or 6.0. For best results, we recommend Internet Explorer. Whatever browser and version you use, install the latest patches and service packs for it.
JavaScript and Cookies
Be sure JavaScript and Cookies are enabled in the browser. Check these settings.
Internet Explorer 4.0
JavaScript:
1. On the View menu, choose Internet Options.
2. On the Security tab, click Custom (for expert users) then click Settings.
3. In the Security Settings window, scroll down to Scripting.
4. Click Enable under Scripting of Java applets.
5. Click Enable under Active scripting.
Cookies:
1. On the View menu, choose Internet Options.
2. On the Advanced tab, scroll down to Security then Cookies.
3. Click Always accept cookies.
Internet Explorer 5.0
JavaScript:
1. On the Tools menu, choose Internet Options.
2. On the Security tab, click Custom Level.
3. In the Security Settings window, scroll down to Scripting.
4. Click Enable under Active scripting.
5. Click Enable under Scripting of Java applets.
Cookies:
1. On the Tools menu, choose Internet Options.
2. On the Security tab, click Custom Level.
3. In the Security Settings window, scroll down to Cookies.
4. Click Enable under Allow cookies that are stored on your computer.
5. Click Enable under Allow per-session cookies (not stored).
Netscape Navigator 4.5-4.7
JavaScript:
1. On the Edit menu, choose Preferences.
2. On the Advanced screen, check the Enable JavaScript check box.
Cookies:
1. On the Edit menu, choose Preferences.
2. On the Advanced screen, click one of the Accept... cookies choices, and do not check the Warn me before accepting a cookie check box.
Netscape Navigator 6.0
JavaScript:
1. On the Edit menu, choose Preferences.
2. On the Advanced screen, check the Enable JavaScript for Navigator check box.
Cookies:
1. On the Edit menu, choose Preferences.
2. Under the Advanced category, choose Cookies.
3. On the Cookies screen, choose Enable All Cookies. Do not check the Warn me before storing a cookie check box.
Navigation Toolbar
Do not use the browser navigation toolbar buttons Back, Forward, or Refresh / Reload with the VPN Concentrator Manager unless instructed to do so. To protect access security, clicking Refresh / Reload automatically logs out the Manager session. Clicking Back or Forward may display stale Manager screens with incorrect data or settings.
We recommend that you hide the browser navigation toolbar to prevent mistakes while using the VPN Concentrator Manager.


Recommended PC Monitor / Display Settings
For best legibility and ease of use, we recommend setting your monitor or display as follows:
Desktop area = 1024 x 768 pixels or greater. Minimum = 800 x 600 pixels.
Color palette = 256 colors or higher.
Unpacking
The VPN Concentrator ships with the items listed below. Carefully unpack your device and check the contents against the list in Table 2-1. Save the packing material in case you need to repack the unit.
Table 2-1 VPN Concentrator Packing List
Quantity  Item
1         VPN 3000 Series Concentrator
2         Rack-mounting kits—one for model 3005; one for models 3015-3080
1         RS-232 straight-through serial console cable with DB-9 female connectors on both ends
2         UTP network cables with RJ-45 8-pin modular connectors
1 or 2    Power cords
1         Cisco VPN 3000 Series Concentrator CD
1         Cisco VPN Software Client CD
1         Evaluation copy of Zone Labs firewall software CD
1         Cisco AVVID Solutions CD
1         VPN 3000 Series Concentrator Getting Started (this manual)
1         Release Notes for Cisco VPN 3000 Series Concentrator
1         VPN 3000 Series Concentrator Software License Agreement
1         Release Notes for Cisco VPN Client
1         Cisco VPN Client Software License Agreement
1         Export Compliance document
1         Cisco Product Warranty and Information packet
1         Documentation Ordering Instructions

Installing the VPN Concentrator Hardware

You can install the VPN Concentrator in a standard 19-inch equipment rack, or just place it on a table or shelf.

Tools Required

No. 1 Phillips screwdriver (if you install the rubber feet on the device).
No. 2 Phillips screwdriver (if you rack-mount the device).

Rack Mounting

Attach the rack-mounting brackets with 10-32 screws in the holes on the front left and right sides. Be sure to orient the brackets as shown in Figure 2-1.
Figure 2-1 Attaching Rack-Mounting Brackets
[Figure 2-1 panels: Model 3005; Models 3015 to 3080]
Mount the VPN Concentrator in the rack as shown in Figure 2-2. Use screws or fasteners appropriate for your equipment rack.
Figure 2-2 Rack Mounting a VPN Concentrator
[Figure 2-2 panels: Model 3005; Models 3015 through 3080]

Installing Rubber Feet

To place the VPN Concentrator on a table or shelf, attach the four rubber feet with screws on the bottom of the chassis. See Figure 2-3.
Figure 2-3 Installing Rubber Feet
[Figure 2-3 panels: Model 3005; Model 3015 through 3080]

Connecting Hardware

Warning
Be sure the console/PC is turned off before you connect cables to it. Do not connect power cables to the VPN Concentrator until instructed.

Connecting the Console/PC

Connect the RS-232 straight-through serial cable between the Console port on the back of the VPN Concentrator and the COM1 or serial port on the console/PC. See Figure 2-4.
If you are using a PC with a browser to manage the VPN Concentrator, be sure the PC is connected to the same private LAN as the VPN Concentrator.
Figure 2-4 Connecting the Console and Network Cables
[Figure 2-4 panel: Model 3005]