Manual Cisco Systems VPN 3000

502 pages 6.51 mb

Summary
  • Cisco Systems VPN 3000 - page 1

    170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Cisco Systems, Inc. Corporate Headquarters Tel: 800 553-NETS (6387) 408 526-4000 Fax: 408 526-4100 VPN 3000 Concentrator Series User Guide Release 2.5 July 2000 Customer Order Number: DOC-7811137= Text Part Number: 78-11137-01 ...

  • Cisco Systems VPN 3000 - page 2

    THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUC ...

  • Cisco Systems VPN 3000 - page 3

    iii VPN 3000 Concentrator Series User Guide CONTENTS Table of contents Preface: About this manual (xxxvii); Prerequisites ...

  • Cisco Systems VPN 3000 - page 4

    Contents—2 Configuration iv VPN 3000 Concentrator Series User Guide Logout tab (1-21); Logged in: [username] ...

  • Cisco Systems VPN 3000 - page 5

    Contents — 3 Interfaces v VPN 3000 Concentrator Series User Guide RIP Parameters tab (3-10); Inbound RIP ...

  • Cisco Systems VPN 3000 - page 6

    Contents — 4 System Configuration vi VPN 3000 Concentrator Series User Guide Loopback (3-24); Timeslots ...

  • Cisco Systems VPN 3000 - page 7

    Contents — 6 Address Management vii VPN 3000 Concentrator Series User Guide Configuration | System | Servers | Accounting (5-11); Accounting Servers ...

  • Cisco Systems VPN 3000 - page 8

    Contents — 7 Tunneling Protocols viii VPN 3000 Concentrator Series User Guide Configuration | System | Address Management | Pools | Add or Modify (6-4); Range Start ...

  • Cisco Systems VPN 3000 - page 9

    Contents — 8 IP Routing ix VPN 3000 Concentrator Series User Guide Remote Network (7-15); Network List ...

  • Cisco Systems VPN 3000 - page 10

    Contents — 9 Management Protocols x VPN 3000 Concentrator Series User Guide Tunnel Default Gateway (8-6); Override Default Gateway ...

  • Cisco Systems VPN 3000 - page 11

    Contents — 10 Events xi VPN 3000 Concentrator Series User Guide Port (9-5); Maximum Connections ...

  • Cisco Systems VPN 3000 - page 12

    Contents — 10 Events xii VPN 3000 Concentrator Series User Guide Configuration | System | Events | FTP Backup (10-9); FTP Server ...

  • Cisco Systems VPN 3000 - page 13

    Contents — 11 General xiii VPN 3000 Concentrator Series User Guide 11 General: Configuration | System | General (11-1); Configuration | System | General | Identification ...

  • Cisco Systems VPN 3000 - page 14

    Contents — 12 User Management xiv VPN 3000 Concentrator Series User Guide Configuration | User Management | Groups (12-16); Current Groups ...

  • Cisco Systems VPN 3000 - page 15

    Contents — 13 Policy Management xv VPN 3000 Concentrator Series User Guide Configuration | User Management | Groups | Modify (External) (12-32); Group Name ...

  • Cisco Systems VPN 3000 - page 16

    Contents — 13 Policy Management xvi VPN 3000 Concentrator Series User Guide Configuration | Policy Management | Traffic Management | Network Lists | Add, Modify, or Copy (13-7); List Name ...

  • Cisco Systems VPN 3000 - page 17

    Contents — 13 Policy Management xvii VPN 3000 Concentrator Series User Guide Configuration | Policy Management | Traffic Management | Filters (13-28); Filter List ...

  • Cisco Systems VPN 3000 - page 18

    Contents — 14 Administration xviii VPN 3000 Concentrator Series User Guide 14 Administration: Administration (14-1); Administration | Sessions ...

  • Cisco Systems VPN 3000 - page 19

    Contents — 14 Administration xix VPN 3000 Concentrator Series User Guide Administration | Monitoring Refresh (14-20); Enable ...

  • Cisco Systems VPN 3000 - page 20

    Contents — 14 Administration xx VPN 3000 Concentrator Series User Guide Administration | File Management | TFTP Transfer (14-32); Concentrator File ...

  • Cisco Systems VPN 3000 - page 21

    Contents — 15 Monitoring xxi VPN 3000 Concentrator Series User Guide Subject Alternative Name (Fully Qualified Domain Name) (14-46); CRL Distribution Point ...

  • Cisco Systems VPN 3000 - page 22

    Contents — 15 Monitoring xxii VPN 3000 Concentrator Series User Guide Event IP address (15-8); Event string ...

  • Cisco Systems VPN 3000 - page 23

    Contents — 15 Monitoring xxiii VPN 3000 Concentrator Series User Guide Packets Received (15-17); Bytes Received ...

  • Cisco Systems VPN 3000 - page 24

    Contents — 15 Monitoring xxiv VPN 3000 Concentrator Series User Guide Monitor | Sessions (15-26); Refresh ...

  • Cisco Systems VPN 3000 - page 25

    Contents — 15 Monitoring xxv VPN 3000 Concentrator Series User Guide Bar Graph (15-40); Percentage ...

  • Cisco Systems VPN 3000 - page 26

    Contents — 15 Monitoring xxvi VPN 3000 Concentrator Series User Guide Monitor | Statistics | L2TP (15-51); Refresh ...

  • Cisco Systems VPN 3000 - page 27

    Contents — 15 Monitoring xxvii VPN 3000 Concentrator Series User Guide System Capability Failures (15-58); No-SA Failures ...

  • Cisco Systems VPN 3000 - page 28

    Contents — 15 Monitoring xxviii VPN 3000 Concentrator Series User Guide Timeouts (15-65); Server Unreachable ...

  • Cisco Systems VPN 3000 - page 29

    Contents — 15 Monitoring xxix VPN 3000 Concentrator Series User Guide Invalid Type Received (15-73); Address List Errors ...

  • Cisco Systems VPN 3000 - page 30

    Contents — 15 Monitoring xxx VPN 3000 Concentrator Series User Guide UDP Datagrams Received (15-81); UDP Datagrams Transmitted ...

  • Cisco Systems VPN 3000 - page 31

    Contents — 15 Monitoring xxxi VPN 3000 Concentrator Series User Guide Area Border Routers (15-90); Area LSA Count ...

  • Cisco Systems VPN 3000 - page 32

    Contents — 16 Using the Command Line Interface xxxii VPN 3000 Concentrator Series User Guide Monitor | Statistics | MIB-II | SNMP (15-98); Refresh ...

  • Cisco Systems VPN 3000 - page 33

    Contents — A Errors and troubleshooting xxxiii VPN 3000 Concentrator Series User Guide 2.3.2 Administration > System Reboot > Schedule Reboot (16-15); 2.3.3 Administration > System Reboot > Schedule Shutdown ...

  • Cisco Systems VPN 3000 - page 34

    Contents — B Copyrights, licenses, and notices xxxiv VPN 3000 Concentrator Series User Guide LED indicators (A-9); VPN Concentrator LEDs (front) ...

  • Cisco Systems VPN 3000 - page 35

    Contents — Index xxxv VPN 3000 Concentrator Series User Guide Tables: Table 5-1: RADIUS accounting record attributes (5-12); Table 7-1: Cisco-supplied default IKE Proposals ...

  • Cisco Systems VPN 3000 - page 36

    ...

  • Cisco Systems VPN 3000 - page 37

    xxxvii VPN 3000 Concentrator Series User Guide Preface About this manual The VPN 3000 Concentrator Series User Guide provides guidelines for configuring the Cisco VPN 3000 Concentrator, details on all the functions available in the VPN 3000 Concentrator Series Manager, and instructions for using the VPN 3000 Concentrator Series ...

  • Cisco Systems VPN 3000 - page 38

    Preface xxxviii VPN 3000 Concentrator Series User Guide Chapter 6, Address Management explains how to configure client IP addresses available in your private network addressing scheme, that let the client function as a VPN tunnel endpoint. Chapter 7, Tunneling Protocols explains how to configure system-wide parameters for ...

  • Cisco Systems VPN 3000 - page 39

    Documentation Conventions xxxix VPN 3000 Concentrator Series User Guide The VPN 3000 Monitor User Guide explains how to install, set up, and use the VPN 3000 Monitor, which is a separate Java™ application that polls VPN 3000 Concentrators in a network for information and displays that information on your workstation. The ...

  • Cisco Systems VPN 3000 - page 40

    Preface xl VPN 3000 Concentrator Series User Guide Data Formats As you configure and manage the system, enter data in these formats unless the instructions indicate otherwise. IP addresses IP addresses use 4-byte dotted decimal notation; for example, 192.168.12.34. You can omit leading zeros in a byte position. Subnet mas ...

  • Cisco Systems VPN 3000 - page 41

    Contacting Cisco with questions xli VPN 3000 Concentrator Series User Guide Contacting Cisco with questions Cisco provides extensive technical support through its own staff and through authorized agents. If you have questions, we suggest you first try the Cisco Web site at www.cisco.com, and go to the Service & Support se ...

  • Cisco Systems VPN 3000 - page 42

    ...

  • Cisco Systems VPN 3000 - page 43

    1-1 VPN 3000 Concentrator Series User Guide CHAPTER 1 Using the VPN 3000 Concentrator Series Manager The VPN 3000 Concentrator Series Manager is an HTML-based interface that lets you configure, administer, monitor, and manage the VPN 3000 Concentrator with a standard Web browser. To use it, you need only to connect to the VPN ...

  • Cisco Systems VPN 3000 - page 44

    1 Using the VPN 3000 Concentrator Series Manager 1-2 VPN 3000 Concentrator Series User Guide • Internet Explorer 5.0: – On the Tools menu, select Internet Options. – On the Security tab, click Custom Level. – In the Security Settings window, scroll down to Scripting. – Click Enable under Active scripting. – Click Enable ...

  • Cisco Systems VPN 3000 - page 45

    Connecting to the VPN Concentrator using HTTP 1-3 VPN 3000 Concentrator Series User Guide Connecting to the VPN Concentrator using HTTP When your system administration tasks and network permit a cleartext connection between the VPN Concentrator and your browser, you can use the standard HTTP protocol to connect to the system. Even if ...

  • Cisco Systems VPN 3000 - page 46

    1 Using the VPN 3000 Concentrator Series Manager 1-4 VPN 3000 Concentrator Series User Guide installed, you can connect using HTTPS. You need to install the certificate from a given VPN Concentrator only once. Managing the VPN Concentrator is the same with or without SSL. Manager screens may take slightly longer to load with SSL be ...

  • Cisco Systems VPN 3000 - page 47

    Installing the SSL certificate in your browser 1-5 VPN 3000 Concentrator Series User Guide Figure 1-3: Internet Explorer File Download dialog box 3 Click the Open this file from its current location radio button, then click OK. The browser displays the Certificate dialog box with information about the certificate. You must now ins ...

  • Cisco Systems VPN 3000 - page 48

    1 Using the VPN 3000 Concentrator Series Manager 1-6 VPN 3000 Concentrator Series User Guide Figure 1-5: Internet Explorer Certificate Manager Import Wizard dialog box 5 Click Next to continue. The wizard opens the next dialog box asking you to select a certificate store. Figure 1-6: Internet Explorer Certificate Manager Import Wiz ...

  • Cisco Systems VPN 3000 - page 49

    Installing the SSL certificate in your browser 1-7 VPN 3000 Concentrator Series User Guide Figure 1-7: Internet Explorer Certificate Manager Import Wizard dialog box 7 Click Finish. The wizard opens the Root Certificate Store dialog box asking you to confirm the installation. Figure 1-8: Internet Explorer Root Certificate Store ...

  • Cisco Systems VPN 3000 - page 50

    1 Using the VPN 3000 Concentrator Series Manager 1-8 VPN 3000 Concentrator Series User Guide Figure 1-10: Internet Explorer Security Alert dialog box 11 Click OK. The VPN Concentrator displays the HTTPS version of the Manager login screen. Figure 1-11: VPN Concentrator Manager login screen using HTTPS (Internet Explorer) The brow ...

  • Cisco Systems VPN 3000 - page 51

    Installing the SSL certificate in your browser 1-9 VPN 3000 Concentrator Series User Guide Viewing certificates with Internet Explorer There are (at least) two ways to examine certificates stored in Internet Explorer. First, note the padlock icon on the browser status bar in Figure 1-11. If you double-click on the icon, the ...

  • Cisco Systems VPN 3000 - page 52

    1 Using the VPN 3000 Concentrator Series Manager 1-10 VPN 3000 Concentrator Series User Guide Installing the SSL certificate with Netscape This section describes SSL certificate installation using Netscape Navigator / Communicator 4.5. Reinstallation You need to install the SSL certificate from a given VPN Concentrator only once. I ...

  • Cisco Systems VPN 3000 - page 53

    Installing the SSL certificate in your browser 1-11 VPN 3000 Concentrator Series User Guide Figure 1-16: Netscape New Certificate Authority screen 2 2 Click Next> to proceed. Netscape displays the next New Certificate Authority screen, which lets you examine details of the VPN Concentrator SSL certificate. Figure 1-17: Netscap ...

  • Cisco Systems VPN 3000 - page 54

    1 Using the VPN 3000 Concentrator Series Manager 1-12 VPN 3000 Concentrator Series User Guide Figure 1-18: Netscape New Certificate Authority screen 4 4 You must check at least the first box, Accept this Certificate Authority for Certifying network sites. Click Next> to proceed. Netscape displays the next New Certificate Authority ...

  • Cisco Systems VPN 3000 - page 55

    Installing the SSL certificate in your browser 1-13 VPN 3000 Concentrator Series User Guide Figure 1-20: Netscape New Certificate Authority screen 6 6 In the Nickname field, enter a descriptive name for this certificate. “Nickname” is something of a misnomer. We suggest you use a clearly descriptive name such as Cisco ...

  • Cisco Systems VPN 3000 - page 56

    1 Using the VPN 3000 Concentrator Series Manager 1-14 VPN 3000 Concentrator Series User Guide Figure 1-22: VPN Concentrator Manager login screen using HTTPS (Netscape) The browser maintains the HTTPS state until you close it or access an unsecure site; in the latter case, you may see a Security Information Alert dialog box. Proceed ...

  • Cisco Systems VPN 3000 - page 57

    Installing the SSL certificate in your browser 1-15 VPN 3000 Concentrator Series User Guide Viewing certificates with Netscape There are (at least) two ways to examine certificates stored in Netscape Navigator / Communicator 4.5. First, note the locked-padlock icon on the bottom status bar in Figure 1-22. If you click on the icon, ...

  • Cisco Systems VPN 3000 - page 58

    1 Using the VPN 3000 Concentrator Series Manager 1-16 VPN 3000 Concentrator Series User Guide Figure 1-25: Netscape Certificates Signers list Select a certificate, then click Edit, Verify, or Delete. Click OK when finished. ...

  • Cisco Systems VPN 3000 - page 59

    Connecting to the VPN Concentrator using HTTPS 1-17 VPN 3000 Concentrator Series User Guide Connecting to the VPN Concentrator using HTTPS Once you have installed the VPN Concentrator SSL certificate in the browser, you can connect directly using HTTPS. 1 Bring up the browser. 2 In the browser Address or Location field, enter h ...

  • Cisco Systems VPN 3000 - page 60

    1 Using the VPN 3000 Concentrator Series Manager 1-18 VPN 3000 Concentrator Series User Guide Logging in the VPN Concentrator Manager Logging in the VPN Concentrator Manager is the same for both types of connections: cleartext HTTP or secure HTTPS. Entries are case-sensitive, so type them carefully. With Microsoft Internet E ...

  • Cisco Systems VPN 3000 - page 61

    Configuring HTTP, HTTPS, and SSL parameters 1-19 VPN 3000 Concentrator Series User Guide Configuring HTTP, HTTPS, and SSL parameters HTTP, HTTPS, and SSL are enabled by default on the VPN Concentrator, and they are configured with recommended parameters that should suit most administration tasks and security requirements. To c ...

  • Cisco Systems VPN 3000 - page 62

    1 Using the VPN 3000 Concentrator Series Manager 1-20 VPN 3000 Concentrator Series User Guide Mouse pointer and tips As you move the mouse pointer over an active area, the pointer changes shape and icons change color. A description also appears in the status bar area. If you momentarily rest the pointer on an icon, a descriptive ...

  • Cisco Systems VPN 3000 - page 63

    Understanding the VPN Concentrator Manager window 1-21 VPN 3000 Concentrator Series User Guide tac@cisco.com Click this link to open your configured email application and compose an email message to Cisco’s Technical Assistance Center (TAC). When you finish, the application closes and returns to this Support screen. Log ...

  • Cisco Systems VPN 3000 - page 64

    1 Using the VPN 3000 Concentrator Series Manager 1-22 VPN 3000 Concentrator Series User Guide Refresh Click to refresh (update) the screen contents on screens where it appears (mostly in the Monitoring section). The date and time above this reminder indicate when the screen was last updated. Cisco Systems logo Click the Cisco Systems ...

  • Cisco Systems VPN 3000 - page 65

    Organization of the VPN Concentrator Manager 1-23 VPN 3000 Concentrator Series User Guide Organization of the VPN Concentrator Manager The VPN Concentrator Manager consists of three major sections and many subsections: • Configuration: setting all the parameters for the VPN Concentrator that govern its use and functionality a ...

  • Cisco Systems VPN 3000 - page 66

    1 Using the VPN 3000 Concentrator Series Manager 1-24 VPN 3000 Concentrator Series User Guide Navigating the VPN Concentrator Manager Your primary tool for navigating the VPN Concentrator Manager is the table of contents in the left frame. Figure 1-30 shows all its entries, completely expanded. (The figure shows the frame in multiple ...

  • Cisco Systems VPN 3000 - page 67

    2-1 VPN 3000 Concentrator Series User Guide CHAPTER 2 Configuration Configuring the VPN Concentrator means setting all the parameters that govern its use and functionality as a VPN device. Cisco supplies default parameters that cover typical installations and uses; and once you supply minimal parameters in Quick Configuration, the ...

  • Cisco Systems VPN 3000 - page 68

    ...

  • Cisco Systems VPN 3000 - page 69

    3-1 VPN 3000 Concentrator Series User Guide CHAPTER 3 Interfaces This section of the VPN 3000 Concentrator Series Manager applies primarily to Ethernet and WAN network interfaces. Here you configure functions that are interface-specific, rather than system-wide. There is also a screen to configure power supply and voltage sens ...

  • Cisco Systems VPN 3000 - page 70

    3 Interfaces 3-2 VPN 3000 Concentrator Series User Guide Configuration | Interfaces This section lets you configure the three VPN Concentrator Ethernet interface modules and, if present, two WAN module interface ports. You can also configure alarm thresholds for the power supply modules. Model 3005 comes with two Ethernet interfa ...

  • Cisco Systems VPN 3000 - page 71

    Configuration | Interfaces 3-3 VPN 3000 Concentrator Series User Guide Figure 3-1: Configuration | Interfaces screen To configure a module, either click the appropriate link in the status table; or use the mouse pointer to select the module on the back-panel image, and click anywhere in the highlighted area. Interface The VP ...

  • Cisco Systems VPN 3000 - page 72

    3 Interfaces 3-4 VPN 3000 Concentrator Series User Guide Ethernet 1 (Private), Ethernet 2 (Public), Ethernet 3 (External) To configure Ethernet interface parameters, click the appropriate highlighted link in the table or click in a highlighted module on the back-panel image. See Configuration | Interfaces | Ethernet 1 2 3. WAN ...

  • Cisco Systems VPN 3000 - page 73

    Configuration | Interfaces | Power 3-5 VPN 3000 Concentrator Series User Guide Power Supplies To configure alarm thresholds on system power supplies, click the appropriate highlighted link or click in a highlighted power supply module in the back-panel image and see Configuration | Interfaces | Power. Ethernet 1 (Private), Ethern ...

  • Cisco Systems VPN 3000 - page 74

    3 Interfaces 3-6 VPN 3000 Concentrator Series User Guide Figure 3-2: Configuration | Interfaces | Power screen Alarm Thresholds The fields show default values for alarm thresholds in centivolts; e.g., 361 = 3.61 volts. Enter or edit these values as desired. The hardware sets voltage thresholds in increments that may not match a ...

  • Cisco Systems VPN 3000 - page 75

    Configuration | Interfaces | Ethernet 1 2 3 3-7 VPN 3000 Concentrator Series User Guide Apply / Cancel To apply your settings to the system and include them in the active configuration, click Apply. The Manager returns to the Configuration | Interfaces screen. Reminder: To save the active configuration and make it the boot conf ...

  • Cisco Systems VPN 3000 - page 76

    3 Interfaces 3-8 VPN 3000 Concentrator Series User Guide Figure 3-3: Configuration | Interfaces | Ethernet 1 2 3 screen, General tab General Parameters tab This tab lets you configure general interface parameters: IP address, subnet mask, public interface status, filter, speed, and transmission mode. Enabled To make the interf ...

  • Cisco Systems VPN 3000 - page 77

    Configuration | Interfaces | Ethernet 1 2 3 3-9 VPN 3000 Concentrator Series User Guide IPSec LAN-to-LAN, for example. You should designate only one VPN Concentrator interface as a public interface. MAC Address This is the unique hardware MAC (Medium Access Control) address for this interface, displayed in 6-byte hexadeci ...

  • Cisco Systems VPN 3000 - page 78

    3 Interfaces 3-10 VPN 3000 Concentrator Series User Guide Figure 3-4: Configuration | Interfaces | Ethernet 1 2 3 screen, RIP tab RIP Parameters tab RIP is a routing protocol that routers use for messages to other routers, to determine network connectivity, status, and optimum paths for sending data traffic. RIP uses distance-v ...

  • Cisco Systems VPN 3000 - page 79

    Configuration | Interfaces | Ethernet 1 2 3 3-11 VPN 3000 Concentrator Series User Guide RIPv2 Only = Send only RIPv2 messages on this interface. RIPv2/v1 compatible = Send RIPv2 messages that are compatible with RIPv1 on this interface. Figure 3-5: Configuration | Interfaces | Ethernet 1 2 3 screen, OSPF tab OSPF Parameters tab ...

  • Cisco Systems VPN 3000 - page 80

    3 Interfaces 3-12 VPN 3000 Concentrator Series User Guide The 0.0.0.0 area ID identifies a special area — the backbone — that contains all area border routers, which are the routers connected to multiple areas. Enter the area ID in the field, using IP address format in dotted decimal notation (e.g., 10.10.0.0). The default ...

  • Cisco Systems VPN 3000 - page 81

    Configuration | Interfaces | Ethernet 1 2 3 3-13 VPN 3000 Concentrator Series User Guide Enter the delay as a number from 0 to 3600 seconds. The default is 1 second, which is a typical value for LANs. OSPF Authentication This parameter sets the authentication method for OSPF protocol messages. OSPF messages can be authenticated so t ...

  • Cisco Systems VPN 3000 - page 82

    3 Interfaces 3-14 VPN 3000 Concentrator Series User Guide Configuration | Interfaces | WAN Card in Slot N The Manager displays this screen when you click the WAN module in the back-panel image on the Configuration | Interfaces screen. The table shows the status of the WAN module interface ports, and from there you can choose a po ...

  • Cisco Systems VPN 3000 - page 83

    Configuration | Interfaces | WAN Card in Slot N | Port A B | Select T1/E1 3-15 VPN 3000 Concentrator Series User Guide Red = (Red) Red alarm: Line has lost synchronization or signal. This alarm indicates out of frame errors or a mismatched framing format, or a disconnected line. Blue = (Blue) Blue alarm: A problem on the receive path ...

  • Cisco Systems VPN 3000 - page 84

    3 Interfaces 3-16 VPN 3000 Concentrator Series User Guide E1: up to 31 64-Kbps channels The E1 interface conforms to European Digital Hierarchy standards, with up to 31 64-Kbps channels for a maximum of 1984 Kbps. When you click this link, the Manager opens the Configuration | Interfaces | WAN Card in Slot N | Port A B as E1 screen, w ...

  • Cisco Systems VPN 3000 - page 85

    Figure 3-8: Configuration | Interfaces | WAN Card in Slot N | Port A B as T1 or E1 screen, IP tab IP Parameters tab This tab lets you configure IP address, subnet mask, public interface status, and filter. Enabled To ...

  • Cisco Systems VPN 3000 - page 86

    Filter The filter governs the handling of data packets through this interface: whether to forward or drop, according to configured criteria. Cisco supplies three default filters that you can modify and use with the VPN Concentrator. You can configure filters on the Conf ...

  • Cisco Systems VPN 3000 - page 87

    Inbound RIP This parameter applies to RIP messages coming into the VPN Concentrator. It configures the system to listen for RIP messages on this interface. Click the drop-down menu button and select the inbound RIP func ...

  • Cisco Systems VPN 3000 - page 88

    Figure 3-10: Configuration | Interfaces | WAN Card in Slot N | Port A B as T1 or E1 screen, OSPF tab OSPF Parameters tab OSPF is a routing protocol that routers use for messages to other routers, to determine network connectivity, status, and optimum paths for sending dat ...

  • Cisco Systems VPN 3000 - page 89

    Enter the area ID in the field, using IP address format in dotted decimal notation (e.g., 10.10.0.0). The default entry is 0.0.0.0, the backbone. Your entry also appears in the OSPF Area list on the Configuration ...

  • Cisco Systems VPN 3000 - page 90

    OSPF Authentication This parameter sets the authentication method for OSPF protocol messages. OSPF messages can be authenticated so that only trusted routers can route messages within the domain. This authentication method must be the same for all routers on a common network. ...

  • Cisco Systems VPN 3000 - page 91

    WAN Parameters tab This tab lets you configure T1/E1 parameters: line coding, line framing, line buildout, clock source, data inversion, loopback mode, and timeslots. Line Coding A T1/E1 line uses a bipolar format for ge ...

  • Cisco Systems VPN 3000 - page 92

    Buildout Line buildout is a conditioning factor that limits loss of signal strength on the line. Your T1/E1 carrier provides information on how to set this option. The length of the line and the transmit power across it determine the buildout value, which is measured in d ...

  • Cisco Systems VPN 3000 - page 93

    Figure 3-12: Configuration | Interfaces | WAN Card in Slot N | Port A B as T1 or E1 screen, PPP tab PPP Multilink Parameters tab This tab lets you configure a PPP Multilink connection on this WAN interface. PPP (Point-to- ...

  • Cisco Systems VPN 3000 - page 94

    ...

  • Cisco Systems VPN 3000 - page 95

    CHAPTER 4 System Configuration System configuration means configuring parameters for system-wide functions in the VPN Concentrator. Configuration | System This section of the Manager lets you configure parameters for VPN Concentrator system-wide functions. • Servers: identifying ...

  • Cisco Systems VPN 3000 - page 96

    ...

  • Cisco Systems VPN 3000 - page 97

    CHAPTER 5 Servers Configuring servers means identifying them to the VPN 3000 Concentrator so it can communicate with them correctly. These servers provide user authentication and accounting functions, convert hostnames to IP addresses, assign client IP addresses, and synchro ...

  • Cisco Systems VPN 3000 - page 98

    Configuration | System | Servers | Authentication This section lets you configure the VPN Concentrator internal server and external RADIUS, NT Domain, and SDI servers for authenticating users. To create and use a VPN, you must configure at least one authentication serv ...

  • Cisco Systems VPN 3000 - page 99

    Authentication Servers The Authentication Servers list shows the configured servers, in priority order. Each entry shows the server identifier and type; e.g., 192.168.12.34 (Radius). If no servers have been config ...

  • Cisco Systems VPN 3000 - page 100

    Find your selected Server Type below. Server Type = RADIUS Configure these parameters for a RADIUS (Remote Authentication Dial-In User Service) authentication server. Figure 5-3: Configuration | System | Servers | Authentication | Add or Modify RADIUS screen Authentication Serv ...

  • Cisco Systems VPN 3000 - page 101

    Server Secret Enter the RADIUS server secret (also called the shared secret); e.g., C8z077f. Maximum 64 characters. The field shows only asterisks. Verify Re-enter the RADIUS server secret to verify it. The field ...

  • Cisco Systems VPN 3000 - page 102

    Server Port Enter the TCP port number by which you access the server. Enter 0 (the default) to have the system supply the default port number, 139. Timeout Enter the time in seconds to wait after sending a query to the server and receiving no response, before trying again. Mini ...

  • Cisco Systems VPN 3000 - page 103

    Figure 5-5: Configuration | System | Servers | Authentication | Add or Modify SDI screen Authentication Server Enter the IP address or hostname of the SDI authentication server; e.g., 192.168.12.34. Maximum 32 charac ...

  • Cisco Systems VPN 3000 - page 104

    Server Type = Internal Server The VPN Concentrator internal authentication server lets you enter a maximum of 100 groups and users (combined) in its database. To do so, see the Configuration | User Management screens, or click the highlighted link on the Configuration | ...

  • Cisco Systems VPN 3000 - page 105

    Yes / No To delete the internal authentication server, click Yes. There is no undo. The Manager returns to the Configuration | System | Servers | Authentication screen and shows the remaining entries in the Authentication Servers l ...

  • Cisco Systems VPN 3000 - page 106

    To cancel the test and discard your entries, click Cancel. The Manager returns to the Configuration | System | Servers | Authentication screen. Authentication Server Test: Success If the VPN Concentrator communicates correctly with the authentication server, and ...

  • Cisco Systems VPN 3000 - page 107

    The server may be improperly configured or out of service, the network may be down or clogged, etc. Check the server configuration parameters, be sure the server is operating, check the network connections, etc. Figure 5-11: Authenticat ...

  • Cisco Systems VPN 3000 - page 108

    The VPN Concentrator communicates with RADIUS accounting servers per RFC 2139 and currently includes the attributes in Table 5-1 in the accounting start and stop records. These attributes may change. Accounting Servers The Accounting Servers list shows the configure ...

  • Cisco Systems VPN 3000 - page 109

    To remove a configured user authentication server, select the server from the list and click Delete. There is no confirmation or undo. The Manager refreshes the screen and shows the remaining entries in the Accounting S ...

  • Cisco Systems VPN 3000 - page 110

    Retries Enter the number of times to retry sending a query to the accounting server after the timeout period. If there is still no response after this number of retries, the system declares this server inoperative and uses the next accounting server in the list. Minimum is 0, ...

  • Cisco Systems VPN 3000 - page 111

    Figure 5-14: Configuration | System | Servers | DNS screen Enabled To use DNS functions, check Enabled (the default). To disable DNS, clear the box. Domain Enter the name of the registered domain in which the VPN Concentrator is located; e.g., alti ...

  • Cisco Systems VPN 3000 - page 112

    Timeout Period Enter the initial time in seconds to wait for a response to a DNS query before sending the query to the next server. Minimum is 1, default is 2, maximum is 30 seconds. This time doubles with each retry cycle through the list of servers. Timeout Retri ...

  • Cisco Systems VPN 3000 - page 113

    Figure 5-15: Configuration | System | Servers | DHCP screen DHCP Servers The DHCP Servers list shows the configured servers, in priority order. Each entry shows the server identifier, which can be an IP address or a hostname; e.g., 192.168.12.3 ...

  • Cisco Systems VPN 3000 - page 114

    Configuration | System | Servers | DHCP | Add or Modify These screens let you: Add: Configure and add a new DHCP server to the list of configured servers. Modify: Modify the parameters for a configured DHCP server. Figure 5-16: Configuration | System | Servers | DHCP | Add or ...

  • Cisco Systems VPN 3000 - page 115

    To make the NTP function operational, you must configure at least one NTP server (host). You can configure up to 10 NTP servers. The VPN Concentrator queries all of them and synchronizes its system clock with the derived network ti ...

  • Cisco Systems VPN 3000 - page 116

    Configuration | System | Servers | NTP | Hosts This section of the Manager lets you add, modify, and delete NTP hosts (servers). To make the NTP function operational, you must configure at least one NTP host. You can configure a maximum of 10 hosts. The VPN Concentrato ...

  • Cisco Systems VPN 3000 - page 117

    Configuration | System | Servers | NTP | Hosts | Add or Modify These screens let you: Add a new NTP host to the list of configured hosts. Modify a configured NTP host. Figure 5-20: Configuration | System | Servers | NTP | Hosts | A ...

  • Cisco Systems VPN 3000 - page 118

    ...

  • Cisco Systems VPN 3000 - page 119

    CHAPTER 6 Address Management IP addresses make internetworking connections possible. They are like telephone numbers: both the sender and receiver must have an assigned number in order to connect. But with VPNs, there are actually two sets of addresses: the first set connects client ...

  • Cisco Systems VPN 3000 - page 120

    Configuration | System | Address Management | Assignment This screen lets you select prioritized methods for assigning IP addresses to clients as a tunnel is established. The VPN Concentrator tries the selected methods in the order listed until it finds a valid IP ...

  • Cisco Systems VPN 3000 - page 121

    Use Address Pools Check this box to have the VPN Concentrator assign IP addresses from an internally configured pool. If you use this method, configure the IP address pools on the Configuration | System | Address Management | Pools ...

  • Cisco Systems VPN 3000 - page 122

    Add / Modify / Delete To configure a new IP address pool, click Add. The Manager opens the Configuration | System | Address Management | Pools | Add screen. To modify an IP address pool that has been configured, select the pool from the list and click Modify. Th ...

  • Cisco Systems VPN 3000 - page 123

    Add or Apply / Cancel To add this IP address pool to the list of configured pools, click Add. Or to apply your changes to this IP address pool, click Apply. Both actions include your entry in the active configuratio ...

  • Cisco Systems VPN 3000 - page 124

    ...

  • Cisco Systems VPN 3000 - page 125

    CHAPTER 7 Tunneling Protocols Tunneling protocols are the heart of virtual private networking. The tunnels make it possible to use a public TCP/IP network, such as the Internet, to create secure connections between remote users and a private corporate network. The secure co ...

  • Cisco Systems VPN 3000 - page 126

    Configuration | System | Tunneling Protocols This section of the Manager lets you configure system-wide parameters for tunneling protocols. • PPTP: Configure PPTP parameters. • L2TP: Configure L2TP parameters. • IPSec: Configure IPSec parameters and connec ...

  • Cisco Systems VPN 3000 - page 127

    Figure 7-2: Configuration | System | Tunneling Protocols | PPTP screen Note: Cisco supplies default settings for PPTP parameters that ensure optimum performance for typical VPN use. We strongly recommend that you not change the def ...

  • Cisco Systems VPN 3000 - page 128

    Packet Window Size Enter the maximum number of received but unacknowledged PPTP packets that the system can buffer. The system must queue unacknowledged PPTP packets until it can process them. Minimum is 0, maximum is 32, default is 16 packets. Limit ...

  • Cisco Systems VPN 3000 - page 129

    Apply / Cancel To apply your PPTP settings and to include them in the active configuration, click Apply. The Manager returns to the Configuration | System | Tunneling Protocols screen. Reminder: To save the active configuration an ...

  • Cisco Systems VPN 3000 - page 130

    Enabled Check the box to enable L2TP system-wide functions on the VPN Concentrator, or clear it to disable. The box is checked by default. Caution: Disabling L2TP terminates any active L2TP sessions. Maximum Tunnel Idle Time Enter the time in seconds to wait bef ...

  • Cisco Systems VPN 3000 - page 131

    Hello Interval Enter the time in seconds to wait when the L2TP tunnel is idle (no control or payload packets received) before sending a Hello (or “keep-alive”) packet to the remote client. Minimum is 1, maximum is 3600, and d ...

  • Cisco Systems VPN 3000 - page 132

    • Extended Authentication (XAuth) • Mode Configuration (also known as ISAKMP Configuration Method) • Tunnel Encapsulation Mode You configure IKE proposals (parameters for the IKE SA) here. You apply them to IPSec LAN-to-LAN connections in this sectio ...

  • Cisco Systems VPN 3000 - page 133

    Figure 7-5: Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN screen LAN-to-LAN Connection The LAN-to-LAN Connection list shows connections that have been configured. The connections are listed in the ...

  • Cisco Systems VPN 3000 - page 134

    Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN | No Public Interfaces The Manager displays this screen if you have not configured a public interface on the VPN Concentrator and you try to add an IPSec LAN-to-LAN connection. The public inter ...

  • Cisco Systems VPN 3000 - page 135

    Figure 7-7: Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN | Add or Modify screen When you Add or Modify a connection on these screens, the VPN Concentrator automatically: • Cre ...

  • Cisco Systems VPN 3000 - page 136

    All of the rules, SAs, filters, and group have default parameters or those specified on this screen. You can modify the rules and SA on the Configuration | Policy Management | Traffic Management screens, the group on the Configuration | User Management | G ...

  • Cisco Systems VPN 3000 - page 137

    Digital Certificate This parameter specifies whether to use preshared keys or a PKI (Public Key Infrastructure) digital identity certificate to authenticate the peer during Phase 1 IKE negotiations. ...

  • Cisco Systems VPN 3000 - page 138

    IKE Proposal This parameter specifies the set of attributes for Phase 1 IPSec negotiations, which are known as IKE proposals. See the Configuration | System | Tunneling Protocols | IPSec | IKE Proposals screen. You must configure, activate, and prioritize I ...

  • Cisco Systems VPN 3000 - page 139

    Note: An IP address is used with a wildcard mask to provide the desired granularity. A wildcard mask is the reverse of a subnet mask; i.e., the wildcard mask has 1s in bit positions to ignore, 0s ...

  • Cisco Systems VPN 3000 - page 140

    Wildcard Mask Enter the wildcard mask for the private remote network. Use dotted decimal notation; e.g., 0.255.255.255. The system supplies a default wildcard mask appropriate to the IP address class. Add or Apply / Cancel Add screen: To add this connectio ...

  • Cisco Systems VPN 3000 - page 141

    Figure 7-8: Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN | Add | Local or Remote Network List screen List Name The Manager supplies a default name that identifie ...

  • Cisco Systems VPN 3000 - page 142

    Generate Local List On the Local Network List screen, click this button to have the Manager automatically generate a network list using the first 200 valid network routes in the routing table for the Ethernet 1 (Private) interface of this VPN Concentrator. (See ...

  • Cisco Systems VPN 3000 - page 143

    Figure 7-9: Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN | Add | Done screen OK To close this screen and return to the Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN screen, ...

  • Cisco Systems VPN 3000 - page 144

    Figure 7-10: Configuration | System | Tunneling Protocols | IPSec | IKE Proposals screen Cisco supplies default IKE proposals that you can use or modify; see Table 7-1. See Configuration | System | Tunneling Protocols | IPSec | IKE Proposals | Add for expl ...

  • Cisco Systems VPN 3000 - page 145

    Active Proposals The field shows the names of IKE proposals that have been configured, activated, and prioritized. As an IPSec responder, the VPN Concentrator checks these proposals in priority order, to see if it ...

  • Cisco Systems VPN 3000 - page 146

    Modify To modify a configured IKE proposal, select it from either Active Proposals or Inactive Proposals and click this button. See Configuration | System | Tunneling Protocols | IPSec | IKE Proposals | Modify. Modifying an active proposal does not affect c ...

  • Cisco Systems VPN 3000 - page 147

    Figure 7-11: Configuration | System | Tunneling Protocols | IPSec | IKE Proposals | Add, Modify, or Copy screen Proposal Name Enter a unique name for this IKE proposal. Maximum is 48 char ...

  • Cisco Systems VPN 3000 - page 148

    Authentication Algorithm This parameter specifies the data, or packet, authentication algorithm. Packet authentication proves that data comes from whom you think it comes from. Click the drop-down menu button and select the algorithm: MD5/HMAC-128 = HMAC (Hashe ...

  • Cisco Systems VPN 3000 - page 149

    Data Lifetime If you select Data or Both under Lifetime Measurement above, enter the number of kilobytes of payload data after which the IKE SA expires. Minimum is 100 KB, default is 10000 K ...

  • Cisco Systems VPN 3000 - page 150

    ...

  • Cisco Systems VPN 3000 - page 151

    CHAPTER 8 IP Routing In a typical installation, the VPN Concentrator is connected to the public network through an external router, which routes data traffic between networks, and it may also be connected to the private network through a router. The VPN Concentrator itself includes an I ...

  • Cisco Systems VPN 3000 - page 152

    Configuration | System | IP Routing This section of the Manager lets you configure system-wide IP routing parameters. • Static Routes: manually configured routing tables. • Default Gateways: routes for otherwise unrouted traffic. • OSPF: Open Shortest Path First routi ...

  • Cisco Systems VPN 3000 - page 153

    Static Routes The Static Routes list shows manual IP routes that have been configured. The format is [destination network address/subnet mask -> outbound destination]; e.g., 192.168.12.0/255.255.255.0 -> 10.10 ...

  • Cisco Systems VPN 3000 - page 154

    Network Address Enter the destination network IP address that this static route applies to. Packets with this destination address will be sent to the Destination below. Use dotted decimal notation; e.g., 192.168.12.0. Subnet Mask Enter the subnet mask for the destination net ...

  • Cisco Systems VPN 3000 - page 155

    Reminder: To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window. To discard your entries, click Cancel. The Manager returns to the Configuration | System | I ...

  • Cisco Systems VPN 3000 - page 156

    Tunnel Default Gateway Enter the IP address of the default gateway for tunneled data. Use dotted decimal notation; e.g., 10.10.0.2. If you do not use a tunnel default gateway, enter 0.0.0.0 (the default entry). To delete a configured tunnel default gateway, enter 0.0.0. ...

  • Cisco Systems VPN 3000 - page 157

    Figure 8-5: Configuration | System | IP Routing | OSPF screen Enabled To enable the VPN Concentrator OSPF router, check the box. (By default it is not checked.) You must also enter a Router ID below. You must check this box for OSPF to work on any i ...

  • Cisco Systems VPN 3000 - page 158

    Apply / Cancel To apply your OSPF settings, and to include your settings in the active configuration, click Apply. The Manager returns to the Configuration | System | IP Routing screen. Reminder: To save the active configuration and make it the boot configuration, click the Sa ...

  • Cisco Systems VPN 3000 - page 159

    Reminder: The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window. ...

  • Cisco Systems VPN 3000 - page 160

    External LSA Import Click the drop-down menu button and select whether to bring in LSAs from neighboring Autonomous Systems. LSAs describe the state of the AS router’s interfaces and routing paths. Importing those LSAs builds a more complete link-state database, b ...

  • Cisco Systems VPN 3000 - page 161

    Lease Timeout Enter the timeout in minutes for addresses that are obtained from a DHCP server. Minimum is 5, default is 120, maximum is 500000 minutes. DHCP servers “lease” IP addresses for this period of time. Before the lease expires, t ...

  • Cisco Systems VPN 3000 - page 162

    Configuration | System | IP Routing | Redundancy This screen lets you configure parameters for Virtual Router Redundancy Protocol (VRRP), which manages automatic switchover from one VPN Concentrator to another in a redundant installation. Automatic switchover provides u ...

  • Cisco Systems VPN 3000 - page 163

    Enable VRRP Check this box to enable VRRP functions. The box is not checked by default. Group ID Enter a number that uniquely identifies this group of redundant VPN Concentrators. This number must be the same on all systems in this group ...

  • Cisco Systems VPN 3000 - page 164

    2 (Public) The IP address for the Ethernet 2 (Public) interface shared by the virtual routers in this group. 3 (External) The IP address for the Ethernet 3 (External) interface shared by the virtual routers in this group. Apply / Cancel To apply the settings for VRRP, and to ...

  • Cisco Systems VPN 3000 - page 165

    CHAPTER 9 Management Protocols The VPN 3000 Concentrator Series includes various built-in servers, using various protocols, that let you perform typical network and system management functions. This section explains how you configure and enable those servers. Configuration | System | Man ...

  • Cisco Systems VPN 3000 - page 166

    Configuration | System | Management Protocols | FTP This screen lets you configure and enable the VPN Concentrator’s FTP (File Transfer Protocol) server. When the server is enabled, you can use an FTP client to upload and download files in VPN Concen ...

  • Cisco Systems VPN 3000 - page 167

    Configuration | System | Management Protocols | HTTP/HTTPS This screen lets you configure and enable the VPN Concentrator’s HTTP/HTTPS server: Hypertext Transfer Protocol and HTTP over SSL (Secure Sockets Layer) prot ...

  • Cisco Systems VPN 3000 - page 168

    Enable HTTPS Check the box to enable the HTTPS server. The box is checked by default. HTTPS — also known as HTTP over SSL — lets you use the VPN Concentrator Manager over an encrypted connection. HTTP Port Enter the port number that the HTTP server use ...

  • Cisco Systems VPN 3000 - page 169

    Figure 9-4: Configuration | System | Management Protocols | TFTP screen Enable Check the box to enable the TFTP server. The box is not checked by default. Disabling the TFTP server provides additional security. Port Enter the port ...

  • Cisco Systems VPN 3000 - page 170

    9 Management Protocols 9-6 VPN 3000 Concentrator Series User Guide Configuration | System | Management Protocols | Telnet This screen lets you configure and enable the VPN Concentrator’s Telnet terminal emulation server, and Telnet over SSL (Secure Sockets Layer protocol). When the server is enabled, you can use a Te ...

  • Cisco Systems VPN 3000 - page 171

    Configuration | System | Management Protocols | SNMP 9-7 VPN 3000 Concentrator Series User Guide Telnet/SSL Port Enter the port number that Telnet over SSL uses. The default is 992, which is the well-known port number. Changing the port number provides additional security. Maximum Connections Enter the maximum number of concu ...

  • Cisco Systems VPN 3000 - page 172

    9 Management Protocols 9-8 VPN 3000 Concentrator Series User Guide Enable Check the box to enable the SNMP server. The box is checked by default. Disabling the SNMP server provides additional security. Port Enter the port number that the SNMP server uses. The default is 161, which is the well-known port number. Changing the p ...

  • Cisco Systems VPN 3000 - page 173

    Configuration | System | Management Protocols | SNMP Communities 9-9 VPN 3000 Concentrator Series User Guide Figure 9-7: Configuration | System | Management Protocols | SNMP Communities screen Community Strings The Community Strings list shows SNMP community strings that have been configured. If no strings have been configur ...

  • Cisco Systems VPN 3000 - page 174

    9 Management Protocols 9-10 VPN 3000 Concentrator Series User Guide Configuration | System | Management Protocols | SNMP Communities | Add or Modify These Manager screens let you: Add: Configure and add a new SNMP community string. Modify: Modify a configured SNMP community string. Figure 9-8: Configuration | System | Management P ...

  • Cisco Systems VPN 3000 - page 175

    Configuration | System | Management Protocols | SSL 9-11 VPN 3000 Concentrator Series User Guide issued in a PKI context. This certificate must then be installed in the client (for HTTPS; Telnet doesn’t usually require it). You need to install the certificate from a given VPN Concentrator only once. The default SSL settings s ...

  • Cisco Systems VPN 3000 - page 176

    9 Management Protocols 9-12 VPN 3000 Concentrator Series User Guide Encryption Protocols Check the boxes for the encryption algorithms that the VPN Concentrator SSL server can negotiate with a client and use for session encryption. All are checked by default. You must check at least one algorithm to enable SSL. Unchecking ...

  • Cisco Systems VPN 3000 - page 177

    Configuration | System | Management Protocols | SSL 9-13 VPN 3000 Concentrator Series User Guide TLS V1 with SSL V2 Hello = The server insists on TLS Version 1 but accepts an initial SSL Version 2 “Hello.” At present, only Microsoft Internet Explorer 5.0 supports this option. Generated Certificate Key Size Click the drop-dow ...

  • Cisco Systems VPN 3000 - page 178

    ...

  • Cisco Systems VPN 3000 - page 179

    10-1 VPN 3000 Concentrator Series User Guide CHAPTER 10 Events An event is any significant occurrence within or affecting the VPN 3000 Concentrator such as an alarm, trap, error condition, network problem, task completion, threshold breach, or status change. The VPN Concentrator records events in an event log, which is stored ...

  • Cisco Systems VPN 3000 - page 180

    10 Events 10-2 VPN 3000 Concentrator Series User Guide DNSDBG DNS debugging* DNSDECODE DNS decoding* EVENT Event subsystem* EVENTDBG Event subsystem debugging* EVENTMIB Event MIB changes* EXPANSIONCARD Expansion card (module) subsystem FILTER Filter subsystem FILTERDBG Filter debugging* FSM Finite State Machine subsystem ( ...

  • Cisco Systems VPN 3000 - page 181

    Event class 10-3 VPN 3000 Concentrator Series User Guide Note: The Cisco-specific event classes provide information that is meaningful only to Cisco engineering or support personnel. Also, the DBG and DECODE events require significant system resources and may seriously degrade performance. We recommend that you avoid logging thes ...

  • Cisco Systems VPN 3000 - page 182

    10 Events 10-4 VPN 3000 Concentrator Series User Guide Event severity level Severity level indicates how serious or significant the event is; i.e., how likely it is to cause unstable operation of the VPN concentrator, whether it represents a high-level or low-level operation, or whether it returns little or great detail. Lev ...

  • Cisco Systems VPN 3000 - page 183

    Event log 10-5 VPN 3000 Concentrator Series User Guide Event log The VPN Concentrator records events in an event log, which is stored in nonvolatile memory. Thus the event log persists even if the system is powered off. For troubleshooting any system difficulty, or just to examine details of system activity, consult t ...

  • Cisco Systems VPN 3000 - page 184

    10 Events 10-6 VPN 3000 Concentrator Series User Guide Configuration | System | Events | General This Manager screen lets you configure the general, or default, handling of all events. These defaults apply to all event classes. You can override these default settings by configuring specific events for special handling on th ...

  • Cisco Systems VPN 3000 - page 185

    Configuration | System | Events | General 10-7 VPN 3000 Concentrator Series User Guide You can manage saved log files with options on this screen and on the Administration | File Management screens. Save Log Format Click the drop-down menu button to specify the format of the saved log files. Multiline = Entries are ASCII text and ...

  • Cisco Systems VPN 3000 - page 186

    10 Events 10-8 VPN 3000 Concentrator Series User Guide Severity to Console Click the drop-down menu button and select the range of event severity levels to display on the console by default. Choices are: None, 1, 1-2, 1-3, ..., 1-13. The default is 1-3: all events of severity level 1 through severity level 3 are displa ...

  • Cisco Systems VPN 3000 - page 187

    Configuration | System | Events | FTP Backup 10-9 VPN 3000 Concentrator Series User Guide Apply / Cancel To include your settings for default event handling in the active configuration, click Apply. The Manager returns to the Configuration | System | Events screen. Reminder: To save the active configuration and make it the ...

  • Cisco Systems VPN 3000 - page 188

    10 Events 10-10 VPN 3000 Concentrator Series User Guide Verify Re-enter the FTP password to verify it. The field displays only asterisks. Apply / Cancel To include your FTP backup system settings in the active configuration, click Apply. The Manager returns to the Configuration | System | Events screen. Reminder: To save ...

  • Cisco Systems VPN 3000 - page 189

    Configuration | System | Events | Classes | Add or Modify 10-11 VPN 3000 Concentrator Series User Guide order by class number and name. If no classes have been configured for special handling, the list shows --Empty--. Add / Modify / Delete To configure and add a new event class for special handling, click Add. See Con ...

  • Cisco Systems VPN 3000 - page 190

    10 Events 10-12 VPN 3000 Concentrator Series User Guide Class Name Add screen: Click the drop-down menu button and select the event class you want to add and configure for special handling. (Please note that Select Class is an instruction reminder, not a class.) Table 10-1 describes the event classes. Modify screen: The field shows ...

  • Cisco Systems VPN 3000 - page 191

    Configuration | System | Events | Classes | Add or Modify 10-13 VPN 3000 Concentrator Series User Guide Severity to Email Click the drop-down menu button and select the range of event severity levels to send to recipients via email. Choices are: None, 1, 1-2, 1-3. The default is None: no events are sent via email. If ...

  • Cisco Systems VPN 3000 - page 192

    10 Events 10-14 VPN 3000 Concentrator Series User Guide Configuration | System | Events | Trap Destinations This section of the Manager lets you configure SNMP network management systems as destinations of event traps. Event messages sent to SNMP systems are called “traps.” If you configure any event handling — default or s ...

  • Cisco Systems VPN 3000 - page 193

    Configuration | System | Events | Trap Destinations | Add or Modify 10-15 VPN 3000 Concentrator Series User Guide Reminder: The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manage ...

  • Cisco Systems VPN 3000 - page 194

    10 Events 10-16 VPN 3000 Concentrator Series User Guide Port Enter the UDP port number by which you access the destination SNMP server. Use a decimal number from 0 to 65535. The default is 162, which is the well-known port number for SNMP traps. Add or Apply / Cancel To add this system to the list of SNMP trap destinations, clic ...

  • Cisco Systems VPN 3000 - page 195

    Configuration | System | Events | Syslog Servers | Add or Modify 10-17 VPN 3000 Concentrator Series User Guide Syslog Servers The Syslog Servers list shows the UNIX syslog servers that have been configured as recipients of event messages. You can configure a maximum of five syslog servers. If no syslog servers have been config ...

  • Cisco Systems VPN 3000 - page 196

    10 Events 10-18 VPN 3000 Concentrator Series User Guide Port Enter the UDP port number by which you access the syslog server. Use a decimal number from 0 to 65535. The default is 514, which is the well-known port number. Facility Click the drop-down menu button and select the syslog facility tag for events sent to this serve ...

  • Cisco Systems VPN 3000 - page 197

    Configuration | System | Events | SMTP Servers 10-19 VPN 3000 Concentrator Series User Guide Figure 10-10: Configuration | System | Events | SMTP Servers screen SMTP Servers The SMTP Servers list shows the configured SMTP servers in the order in which the system accesses them. You can configure two prioritized SMTP servers so t ...

  • Cisco Systems VPN 3000 - page 198

    10 Events 10-20 VPN 3000 Concentrator Series User Guide Configuration | System | Events | SMTP Servers | Add or Modify These screens let you: Add an SMTP server to the list of configured SMTP servers. You can configure two SMTP servers: a primary and a backup. Modify the IP address or hostname of a configured SMTP server. Figure ...

  • Cisco Systems VPN 3000 - page 199

    Configuration | System | Events | Email Recipients 10-21 VPN 3000 Concentrator Series User Guide To configure default event handling, click the highlighted link that says “Click here to configure general event parameters.” To configure special event handling, see the Configuration | System | Events | C ...

  • Cisco Systems VPN 3000 - page 200

    10 Events 10-22 VPN 3000 Concentrator Series User Guide Configuration | System | Events | Email Recipients | Add or Modify These screens let you: Add and configure an event message email recipient. You can configure a maximum of five email recipients. Modify the parameters for a configured email recipient. Figure 10-1 ...

  • Cisco Systems VPN 3000 - page 201

    Configuration | System | Events | Email Recipients | Add or Modify 10-23 VPN 3000 Concentrator Series User Guide Add or Apply / Cancel To add this recipient to the list of email recipients, click Add. Or to apply your changes to this email recipient, click Apply. Both actions include your entry in the active configurat ...

  • Cisco Systems VPN 3000 - page 202

    ...

  • Cisco Systems VPN 3000 - page 203

    11-1 VPN 3000 Concentrator Series User Guide CHAPTER 11 General General configuration parameters include VPN 3000 Concentrator environment items: system identification, time, and date. Configuration | System | General This section of the Manager lets you configure general VPN Concentrator parameters. • Identification: system ...

  • Cisco Systems VPN 3000 - page 204

    11 General 11-2 VPN 3000 Concentrator Series User Guide Configuration | System | General | Identification This screen lets you configure system identification parameters that are stored in the standard MIB-II system object. Network management systems using SNMP can retrieve this object and identify the system. Configuring this in ...

  • Cisco Systems VPN 3000 - page 205

    Configuration | System | General | Time and Date 11-3 VPN 3000 Concentrator Series User Guide Configuration | System | General | Time and Date This screen lets you set the time and date on the VPN Concentrator. Setting the correct time is very important so that logging and accounting information is accurate. Figure 11-3: Configurat ...

  • Cisco Systems VPN 3000 - page 206

    ...

  • Cisco Systems VPN 3000 - page 207

    12-1 VPN 3000 Concentrator Series User Guide CHAPTER 12 User Management Groups and users are core concepts in managing the security of VPNs and in configuring the VPN 3000 Concentrator. Groups and users have attributes, configured via parameters, that determine their access to and use of the VPN. Users are members of grou ...

  • Cisco Systems VPN 3000 - page 208

    12 User Management 12-2 VPN 3000 Concentrator Series User Guide Some additional points to note: • Base-group parameters are the default, or system-wide, parameters. • A user can be a member of only one group. • Users who are not members of a specific group are, by default, members of the base group. Therefore, to ensure ...

  • Cisco Systems VPN 3000 - page 209

    Configuration | User Management 12-3 VPN 3000 Concentrator Series User Guide Configuration | User Management This section of the Manager lets you configure base-group, group, and individual user parameters. These parameters determine access and use of the VPN Concentrator. Figure 12-1: Configuration | User Management scree ...

  • Cisco Systems VPN 3000 - page 210

    12 User Management 12-4 VPN 3000 Concentrator Series User Guide Figure 12-2: Configuration | User Management | Base Group screen, General tab General Parameters tab This tab lets you configure general security, access, performance, and protocol parameters that apply to the base group. Access Hours Click the drop-down menu button and ...

  • Cisco Systems VPN 3000 - page 211

    Configuration | User Management | Base Group 12-5 VPN 3000 Concentrator Series User Guide Simultaneous Logins Enter the number of simultaneous logins permitted for a single user. The minimum is 0, which disables login and prevents user access; default is 3. While there is no maximum limit, allowing several could compromis ...

  • Cisco Systems VPN 3000 - page 212

    12 User Management 12-6 VPN 3000 Concentrator Series User Guide Primary DNS Enter the IP address, in dotted decimal notation, of the primary DNS server for base-group users. The system sends this address to the client as the first DNS server to use for resolving hostnames. If the base group doesn’t use DNS, leave this field ...

  • Cisco Systems VPN 3000 - page 213

    Configuration | User Management | Base Group 12-7 VPN 3000 Concentrator Series User Guide client specifically designed to work with the VPN Concentrator. However, the VPN Concentrator can establish IPSec connections with many protocol-compliant clients. L2TP over IPSec = L2TP using IPSec for security (not checked by defaul ...

  • Cisco Systems VPN 3000 - page 214

    12 User Management 12-8 VPN 3000 Concentrator Series User Guide To use IPSec with remote-access clients, you must assign an SA. With IPSec LAN-to-LAN connections, the system ignores this selection and uses parameters from the Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN screens. The VPN Concentrator supp ...

  • Cisco Systems VPN 3000 - page 215

    Configuration | User Management | Base Group 12-9 VPN 3000 Concentrator Series User Guide Authentication Click the drop-down menu button and select the user authentication method (authentication server type) to use with remote-access IPSec clients. This selection identifies the authentication method, not the specific server ...

  • Cisco Systems VPN 3000 - page 216

    12 User Management 12-10 VPN 3000 Concentrator Series User Guide Allow Password Storage on Client Check the box to allow IPSec clients to store their login passwords on their local client systems. If you do not allow password storage (the default), IPSec users must enter their password each time they seek access to the VPN. ...

  • Cisco Systems VPN 3000 - page 217

    Configuration | User Management | Base Group 12-11 VPN 3000 Concentrator Series User Guide Default Domain Name Enter the default domain name that the VPN Concentrator passes to the IPSec client, for the client’s TCP/IP stack to append to DNS queries that omit the domain field. This domain name applies only to tunneled pack ...

  • Cisco Systems VPN 3000 - page 218

    12 User Management 12-12 VPN 3000 Concentrator Series User Guide Figure 12-4: Configuration | User Management | Base Group screen, PPTP/L2TP tab PPTP/L2TP Parameters tab This tab lets you configure PPTP and L2TP parameters that apply to the base group. During tunnel establishment, the client and server negotiate access and usage ba ...

  • Cisco Systems VPN 3000 - page 219

    Configuration | User Management | Base Group 12-13 VPN 3000 Concentrator Series User Guide These choices specify the allowable authentication protocols in order from least secure to most secure. PAP = Password Authentication Protocol. This protocol passes cleartext username and password during authentication and is not secure. W ...

  • Cisco Systems VPN 3000 - page 220

    12 User Management 12-14 VPN 3000 Concentrator Series User Guide L2TP Authentication Protocols Check the boxes for the authentication protocols that L2TP clients can use. To establish and use a VPN tunnel, users should be authenticated according to some protocol. Caution: Unchecking all authentication options means that no ...

  • Cisco Systems VPN 3000 - page 221

    Configuration | User Management | Base Group 12-15 VPN 3000 Concentrator Series User Guide 40-bit = L2TP clients are allowed to use the RSA RC4 encryption algorithm with a 40-bit key. This is significantly less secure than the 128-bit option. Microsoft encryption (MPPE) uses this algorithm. This option is not checked by default. ...

  • Cisco Systems VPN 3000 - page 222

    12 User Management 12-16 VPN 3000 Concentrator Series User Guide Configuration | User Management | Groups This section of the Manager lets you configure access and usage parameters for specific groups. A group is a collection of users treated as a single entity. Groups inherit parameters from the base group. See the discussion o ...

  • Cisco Systems VPN 3000 - page 223

    Configuration | User Management | Groups 12-17 VPN 3000 Concentrator Series User Guide Add / Modify / Delete To configure and add a new group, click Add. The Manager opens the Configuration | User Management | Groups | Add screen. To modify parameters for a group that has been configured, select the group from the li ...

  • Cisco Systems VPN 3000 - page 224

    12 User Management 12-18 VPN 3000 Concentrator Series User Guide Configuration | User Management | Groups | Add or Modify (Internal) These screens let you: Add: Configure and add a new group. Modify: Change parameters for a group that you have previously configured on the internal server. The screen title identifies the group you ...

  • Cisco Systems VPN 3000 - page 225

    Configuration | User Management | Groups | Add or Modify (Internal) 12-19 VPN 3000 Concentrator Series User Guide Group Name Enter a unique name for this specific group. Maximum is 32 characters, case-sensitive. Changing a group name automatically updates the group name for all users in the group. See the note about co ...

  • Cisco Systems VPN 3000 - page 226

    12 User Management 12-20 VPN 3000 Concentrator Series User Guide Figure 12-7: Configuration | User Management | Groups | Add or Modify (Internal) screen, General tab General Parameters tab This tab lets you configure general security, access, performance, and tunneling protocol parameters that apply to this internally config ...

  • Cisco Systems VPN 3000 - page 227

    Configuration | User Management | Groups | Add or Modify (Internal) 12-21 VPN 3000 Concentrator Series User Guide setting, clear the check box. If you clear the check box, you must also enter or change any corresponding Value field; do not leave the field blank. • The Value column thus shows either base-group p ...

  • Cisco Systems VPN 3000 - page 228

    12 User Management 12-22 VPN 3000 Concentrator Series User Guide Maximum Connect Time Enter the group’s maximum user connection time in minutes. At the end of this time, the system terminates the connection. The minimum is 1, and the maximum is 2147483647 minutes (over 4000 years). To allow unlimited connection time, ente ...

  • Cisco Systems VPN 3000 - page 229

    Configuration | User Management | Groups | Add or Modify (Internal) 12-23 VPN 3000 Concentrator Series User Guide Primary WINS Enter the IP address, in dotted decimal notation, of the primary WINS server for this group’s users. The system sends this address to the client as the first WINS server to use for resolving hostname ...

  • Cisco Systems VPN 3000 - page 230

    12 User Management 12-24 VPN 3000 Concentrator Series User Guide Figure 12-8: Configuration | User Management | Groups | Add or Modify (Internal) screen, IPSec tab IPSec Parameters tab This tab lets you configure IP Security Protocol parameters that apply to this internally configured group. If you checked IPSec or L2TP over IPSec ...

  • Cisco Systems VPN 3000 - page 231

    Configuration | User Management | Groups | Add or Modify (Internal) 12-25 VPN 3000 Concentrator Series User Guide Value / Inherit? On this tabbed section: • The Inherit? check box refers to base-group parameters: Does this specific group inherit the given setting from the base group? To inherit the setting, check the box ...

  • Cisco Systems VPN 3000 - page 232

    12 User Management 12-26 VPN 3000 Concentrator Series User Guide Tunnel Type Click the drop-down menu button and select the type of IPSec tunnel that this group’s clients use: LAN-to-LAN = IPSec LAN-to-LAN connections between two VPN Concentrators (or between a VPN Concentrator and another protocol-compliant security ...

  • Cisco Systems VPN 3000 - page 233

    Configuration | User Management | Groups | Add or Modify (Internal) 12-27 VPN 3000 Concentrator Series User Guide Notes: IPSec uses Mode Configuration to pass all configuration parameters to a client: IP address, DNS and WINS addresses, etc. You must check this box to use Mode Configuration. Otherwise, those parameters ? ...

  • Cisco Systems VPN 3000 - page 234

    12 User Management 12-28 VPN 3000 Concentrator Series User Guide IPSec through NAT Check the box to allow the Cisco VPN 3000 Client (IPSec client) to connect to the VPN Concentrator via UDP through a firewall or router using NAT. IPSec through NAT UDP Port Enter the UDP port number to use if you allow IPSec through NA ...

  • Cisco Systems VPN 3000 - page 235

    Configuration | User Management | Groups | Add or Modify (Internal) 12-29 VPN 3000 Concentrator Series User Guide Value / Inherit? On this tabbed section: • The Inherit? check box refers to base-group parameters: Does this specific group inherit the given setting from the base group? To inherit the setting, check the box ...

  • Cisco Systems VPN 3000 - page 236

    12 User Management 12-30 VPN 3000 Concentrator Series User Guide and compares — only encrypted passwords, rather than cleartext passwords as in CHAP. This protocol also generates a key for data encryption by MPPE (Microsoft Point-to-Point Encryption). If you check Required under PPTP Encryption below, you must allow one or b ...

  • Cisco Systems VPN 3000 - page 237

    Configuration | User Management | Groups | Add or Modify (Internal) 12-31 VPN 3000 Concentrator Series User Guide CHAP = Challenge-Handshake Authentication Protocol. In response to the server challenge, the client returns the encrypted [challenge plus password], with a cleartext username. It is more secure than PAP. E ...

  • Cisco Systems VPN 3000 - page 238

    12 User Management 12-32 VPN 3000 Concentrator Series User Guide Configuration | User Management | Groups | Modify (External) This screen lets you change identity parameters for an external group that you have previously configured. The screen title identifies the group you are modifying. Figure 12-10: Configuration | User ...

  • Cisco Systems VPN 3000 - page 239

    Configuration | User Management | Users 12-33 VPN 3000 Concentrator Series User Guide Apply / Cancel When you finish changing these parameters, click Apply to include your settings in the active configuration. The Manager returns to the Configuration | User Management | Groups screen and refreshes the Current Groups list. How ...

  • Cisco Systems VPN 3000 - page 240

    12 User Management 12-34 VPN 3000 Concentrator Series User Guide Current Users The Current Users list shows configured users in alphabetical order. If no users have been configured, the list shows --Empty--. Add / Modify / Delete To configure a new user, click Add. The Manager opens the Configuration | User Management | ...

  • Cisco Systems VPN 3000 - page 241

    Configuration | User Management | Users | Add or Modify 12-35 VPN 3000 Concentrator Series User Guide Figure 12-12: Configuration | User Management | Users | Add or Modify screen, Identity tab Identity Parameters tab This tab lets you configure the name, password, group, and IP address for this user. User Name Enter a unique name ...

  • Cisco Systems VPN 3000 - page 242

    12 User Management 12-36 VPN 3000 Concentrator Series User Guide IP Address Enter the IP address, in dotted decimal notation, assigned to this user. Enter this address only if you assign this user to the base group or an internally configured group, and if you configure Use Address from Authentication Server on the Configurat ...

  • Cisco Systems VPN 3000 - page 243

    Configuration | User Management | Users | Add or Modify 12-37 VPN 3000 Concentrator Series User Guide Value / Inherit? On this tabbed section: • The Inherit? check box refers to group parameters: Does this specific user inherit the given setting from the group? – Add screen = inherit base-group parameter setting. – Modify s ...

  • Cisco Systems VPN 3000 - page 244

    12 User Management 12-38 VPN 3000 Concentrator Series User Guide Maximum Connect Time Enter this user’s maximum connection time in minutes. At the end of this time, the system terminates the connection. The minimum is 1, and the maximum is 2147483647 minutes (over 4000 years). To allow unlimited connection time, enter 0. Fi ...

  • Cisco Systems VPN 3000 - page 245

    Configuration | User Management | Users | Add or Modify 12-39 VPN 3000 Concentrator Series User Guide specifically designed to work with the VPN Concentrator. However, the VPN Concentrator can establish IPSec connections with many protocol-compliant clients. L2TP over IPSec = L2TP using IPSec for security. L2TP packets are en ...

  • Cisco Systems VPN 3000 - page 246

    12 User Management 12-40 VPN 3000 Concentrator Series User Guide Note: The setting of the Inherit? check box takes priority over an entry in a Value field. Examine this box before continuing and be sure its setting reflects your intent. IPSec SA Click the drop-down menu button and select the IPSec Security Association (SA) ...

  • Cisco Systems VPN 3000 - page 247

    Configuration | User Management | Users | Add or Modify 12-41 VPN 3000 Concentrator Series User Guide Figure 12-15: Configuration | User Management | Users | Add or Modify screen, PPTP/L2TP tab PPTP/L2TP Parameters tab This tab lets you configure PPTP and L2TP parameters that apply to this user. During tunnel establishment, the us ...

  • Cisco Systems VPN 3000 - page 248

    12 User Management 12-42 VPN 3000 Concentrator Series User Guide Note: The setting of the Inherit? check box takes priority over an entry in a Value field. Examine this box before continuing and be sure its setting reflects your intent. Use Client Address Check the box to accept and use an IP address that this user (cli ...

  • Cisco Systems VPN 3000 - page 249

    Configuration | User Management | Users | Add or Modify 12-43 VPN 3000 Concentrator Series User Guide L2TP Authentication Protocols Check the boxes for the authentication protocols that this L2TP user (client) can use. To establish and use a VPN tunnel, users should be authenticated according to some protocol. Caution: Unchecking al ...

  • Cisco Systems VPN 3000 - page 250

    ...

  • Cisco Systems VPN 3000 - page 251

    13-1 VPN 3000 Concentrator Series User Guide CHAPTER 13 Policy Management Managing a VPN, and protecting the integrity and security of network resources, includes carefully designing and implementing policies that govern who can use the VPN, when, and what data traffic can flow through it. User management deals with “who ca ...

  • Cisco Systems VPN 3000 - page 252

    13 Policy Management 13-2 VPN 3000 Concentrator Series User Guide Configuration | Policy Management This section of the Manager lets you configure policies that apply to groups, users, and VPN Concentrator Ethernet interfaces. Policies govern: • Access Hours: when remote users can access the VPN Concentrator. • Traffi ...

  • Cisco Systems VPN 3000 - page 253

    Configuration | Policy Management | Access Hours 13-3 VPN 3000 Concentrator Series User Guide Current Access Hours The Current Access Hours list shows the names of configured access times. The Cisco-supplied default access times are: Never = Never. No access at any time. Business Hours = Monday through Friday, 9 a.m. to 5 p.m. ...

  • Cisco Systems VPN 3000 - page 254

    Configuration | Policy Management | Access Hours | Add or Modify These Manager screens let you: Add: Configure and add a new access time to the list of configured access times. Modify: Modify a configured access time. Changing an access time has no effect on con ...

  • Cisco Systems VPN 3000 - page 255

    Add or Apply / Cancel To add this access time to the list, click Add. Or to apply your changes for this access time, click Apply. Both actions include your entry in the active configuration. The Manager returns to the Config ...

  • Cisco Systems VPN 3000 - page 256

    Configuration | Policy Management | Traffic Management | Network Lists This section of the Manager lets you configure network lists, which are lists of networks that are grouped as single objects. Network lists make configuration easier: for example, you can use ...

  • Cisco Systems VPN 3000 - page 257

    action to take before you can delete the list. Otherwise, there is no confirmation or undo. The Manager deletes the list, refreshes the screen, and shows the remaining network lists. Remin ...

  • Cisco Systems VPN 3000 - page 258

    List Name Enter a unique name for this network list. Maximum 48 characters, case-sensitive. Spaces are allowed. If you use the Generate Local List feature on the Add screen, enter this name after the system generates the network list. Network List Enter the networks ...

  • Cisco Systems VPN 3000 - page 259

    Configuration | Policy Management | Traffic Management | Rules This section of the Manager lets you add, configure, modify, copy, and delete filter rules. You use rules to construct filters. Caution: The Cis ...

  • Cisco Systems VPN 3000 - page 260

    For all the default rules except VRRP In and Out, these parameters are identical: Action = Forward Source Address = Use IP Address/Wildcard-Mask = 0.0.0.0/255.255.255.255 = any address Destination Address = Use IP Address/Wildcard-Mask = 0.0.0.0/255.2 ...

  • Cisco Systems VPN 3000 - page 261

    *For VRRP In and VRRP Out, the Destination Address is 224.0.0.18/0.0.0.0, which is the IANA-assigned IP multicast address for VRRP. Add / Modify / Copy / Delete To configure a new rule, click Add. The Manage ...

  • Cisco Systems VPN 3000 - page 262

    Configuration | Policy Management | Traffic Management | Rules | Add, Modify, or Copy These Manager screens let you: Add: Configure and add a new filter rule to the list of filter rules. Modify: Modify a previously configured filter rule. Copy: Copy a conf ...

  • Cisco Systems VPN 3000 - page 263

    Figure 13-8: Configuration | Policy Management | Traffic Management | Rules | Add, Modify, or Copy screen ...

  • Cisco Systems VPN 3000 - page 264

    Rule Name Enter a unique name for this rule. Maximum is 48 characters. Direction Click the drop-down menu button and select the data direction to which this rule applies: Inbound = Into the VPN Concentrator interface; or into the VPN tunnel from the remote clie ...

  • Cisco Systems VPN 3000 - page 265

    Click the drop-down menu button and select the protocol to which this rule applies. Any = Any protocol [255] (the default selection). ICMP = Internet Control Message Protocol [1] (used by ping, f ...

  • Cisco Systems VPN 3000 - page 266

    Note: An IP address is used with a wildcard mask to provide the desired granularity. A wildcard mask is the reverse of a subnet mask; i.e., the wildcard mask has 1s in bit positions to ignore, 0s in bit positions to match. For example: 0.0.0.0/255.255.255 ...

  • Cisco Systems VPN 3000 - page 267

    Assigned Numbers Authority (IANA) manages port numbers and classifies them as Well Known, Registered, and Dynamic (or Private). The Well Known ports are those from 0 through 1023; the Regist ...

  • Cisco Systems VPN 3000 - page 268

    Range = To specify a range of port numbers, or to specify a port not on the Cisco-supplied list, select Range here (the default selection) and enter — in the Range [start] to [end] fields — the inclusive range of port numbers that this rule applies to. To specify a ...

  • Cisco Systems VPN 3000 - page 269

    Configuration | Policy Management | Traffic Management | Rules | Delete This screen asks you to confirm deletion of a rule that is being used in a filter. Doing so deletes the rule from all filters that use it, and delete ...

  • Cisco Systems VPN 3000 - page 270

    You apply SAs to filter rules that are configured with an Apply IPSec action, for LAN-to-LAN traffic. See Configuration | Policy Management | Traffic Management | Rules. The VPN Concentrator automatically creates and applies appropriate rules when you cr ...

  • Cisco Systems VPN 3000 - page 271

    IPSec SAs The IPSec SAs list shows the configured SAs that are available. The SAs are listed in the order they are configured. Cisco supplies default SAs that you can use or modify; see Table 13-2. Se ...

  • Cisco Systems VPN 3000 - page 272

    To delete a configured SA, select the SA from the list and click Delete. • If the SA has not been assigned to a filter rule — even if it has been assigned to a group or user — the Manager deletes the SA, refreshes the screen, and shows the remaining SAs in the ...

  • Cisco Systems VPN 3000 - page 273

    Figure 13-11: Configuration | Policy Management | Traffic Management | Security Associations | Add or Modify screen SA Name Enter a unique name for this Security Association. M ...

  • Cisco Systems VPN 3000 - page 274

    IPSec Parameters These parameters apply to IPSec SAs, which are Phase 2 SAs negotiated under IPSec, where the two parties establish conditions for use of the tunnel. Authentication Algorithm This parameter specifies the data, or packet, authentication algorith ...

  • Cisco Systems VPN 3000 - page 275

    Perfect Forward Secrecy This parameter specifies whether to use Perfect Forward Secrecy, and the size of the numbers to use, in generating Phase 2 IPSec keys. Perfect Forward ...

  • Cisco Systems VPN 3000 - page 276

    IKE Parameters These parameters govern IKE SAs, which are Phase 1 SAs negotiated under IPSec, where the two parties establish a secure tunnel within which they then negotiate the IPSec SAs. In this IKE SA they exchange automated key management information unde ...

  • Cisco Systems VPN 3000 - page 277

    IKE Proposal This parameter specifies the set of attributes that govern Phase 1 IPSec negotiations, which are known as IKE proposals. See the Configuration | System | Tunneli ...

  • Cisco Systems VPN 3000 - page 278

    Configuration | Policy Management | Traffic Management | Security Associations | Delete This screen asks you to confirm deletion of a Security Association that is assigned to a rule in a filter. Doing so deletes the SA from the VPN Concentrator active configuration, ...

  • Cisco Systems VPN 3000 - page 279

    Configuring a filter involves two steps: 1 Configuring its basic parameters (name, default action, etc.) by clicking Add Filter, Modify Filter, or Copy Filter, and 2 Assigning rules to a filter by clicking Assign Rules ...

  • Cisco Systems VPN 3000 - page 280

    Filter List The Filter List shows configured filters, listed in the order they are configured. Cisco supplies default filters that you can use and modify; see Table 13-3. Add Filter To configure and add a new filter, click Add Filter. The Manager ope ...

  • Cisco Systems VPN 3000 - page 281

    Copy Filter To create a new filter by copying the basic parameters and rules from a filter that has been configured, click Copy Filter. The Manager opens the Configuration | Policy Management | ...

  • Cisco Systems VPN 3000 - page 282

    Figure 13-14: Configuration | Policy Management | Traffic Management | Filters | Add, Modify, or Copy screen Filter Name Enter a unique name for this filter. Maximum is 48 characters. Default Action Click the drop-down menu button and select the action that ...

  • Cisco Systems VPN 3000 - page 283

    Source Routing Check this box to allow IP source routed packets to pass. A source routed packet specifies its own route through the network and does not rely on the system to control forwardi ...

  • Cisco Systems VPN 3000 - page 284

    Configuration | Policy Management | Traffic Management | Assign Rules to Filter This section of the Manager lets you add, remove, and prioritize the rules in a filter, and assign Security Associations to rules that are configured with an Apply IPSec action. A f ...

  • Cisco Systems VPN 3000 - page 285

    Current Rules in Filter This list shows the rules currently assigned to the filter. Use the scroll controls (if present) to see all the rules in the list. If no rules have been assigned, the list shows --Emp ...

  • Cisco Systems VPN 3000 - page 286

    Move Up / Move Down To change the order in which a rule is applied within the filter, select the rule from the Current Rules in Filter list and click Move Up or Move Down. The Manager reorders the current rules, modifies the active configuration, refreshes ...

  • Cisco Systems VPN 3000 - page 287

    Add SA to Rule on Filter: The Manager shows the name of filter to which you are adding a rule that has an Apply IPSec action configured. You cannot change this name here. See Configu ...

  • Cisco Systems VPN 3000 - page 288

    Figure 13-17: Configuration | Policy Management | Traffic Management | Assign Rules to Filter | Change SA on Rule screen Change SA on Rule in Filter: The Manager shows the name of the filter to which the IPSec rule is assigned. You cannot change this name he ...

  • Cisco Systems VPN 3000 - page 289

    Configuration | Policy Management | Traffic Management | NAT This section of the Manager lets you configure and enable NAT (Network Address Translation). NAT translates private network addresses into an IANA-assigned ...

  • Cisco Systems VPN 3000 - page 290

    Configuration | Policy Management | Traffic Management | NAT | Enable This screen lets you enable system-wide NAT operation, which applies NAT to all configured traffic flowing through the public interface. We recommend that you configure NAT rules before yo ...

  • Cisco Systems VPN 3000 - page 291

    Figure 13-20: Configuration | Policy Management | Traffic Management | NAT | Rules screen NAT Rules The NAT Rules list shows NAT rules that have been configured. If no rules have been configured, the list ...

  • Cisco Systems VPN 3000 - page 292

    Configuration | Policy Management | Traffic Management | NAT | Rules | No Public Interfaces The Manager displays this screen if you have not configured a public interface on the VPN Concentrator and you try to add a NAT rule. The public interface need not ...

  • Cisco Systems VPN 3000 - page 293

    Figure 13-22: Configuration | Policy Management | Traffic Management | NAT | Rules | Add or Modify screen Interface Add screen: Click the drop-down menu button and select the configured public interf ...

  • Cisco Systems VPN 3000 - page 294

    Action Click the drop-down menu button and select the translation action for this NAT rule: No Port Mapping = Translate addresses for packets with protocols that don’t use ports and thus don’t involve port mapping (default). For example, this action ...

  • Cisco Systems VPN 3000 - page 295

    CHAPTER 14 Administration Administering the VPN 3000 Concentrator Series involves activities that keep the system operational and secure. Configuring the system sets the parameters that govern its use and functionality as a VPN device, but administration involves higher level ...

  • Cisco Systems VPN 3000 - page 296

    Figure 14-1: Administration screen ...

  • Cisco Systems VPN 3000 - page 297

    Administration | Sessions This screen shows comprehensive statistics for all active sessions on the VPN Concentrator. You can also click a session’s name to see detailed parameters and statistics for that session. See Administration | Sessions | Detail. ...

  • Cisco Systems VPN 3000 - page 298

    Logout All: PPTP | L2TP | IPSec User | L2TP/IPSec | IPSec/NAT | IPSec/LAN-to-LAN These active labels let you log out all active sessions of a given tunnel type at once: • PPTP • L2TP • IPSec User = IPSec remote-access users • L2TP/IPSec = L2TP over IPSec • IPSec/N ...

  • Cisco Systems VPN 3000 - page 299

    Total Active Sessions The total number of sessions of all types that are currently active. Peak Concurrent Sessions The highest number of sessions of all types that were concurrently active since the VPN Concentrator was last booted or reset. Concurrent Sess ...

  • Cisco Systems VPN 3000 - page 300

    Remote Access Sessions table This table shows parameters and statistics for all active remote-access sessions. Each session is a single-user connection from a remote client to the VPN Concentrator. Remote-access sessions include PPTP, L2TP, IPSec remote-access use ...

  • Cisco Systems VPN 3000 - page 301

    IP Address The IP address of the manager workstation that is accessing the system. Local indicates a direct connection through the Console port on the system. Protocol, Encryption, Login Time, Duration, Actions See Table 14-1 for definitions of these paramete ...

  • Cisco Systems VPN 3000 - page 302

    Administration | Sessions | Detail These Manager screens show detailed parameters and statistics for a specific remote-access or LAN-to-LAN session. The parameters and statistics differ depending on the session protocol. There are unique screens for: • IPSec LAN-to- ...

  • Cisco Systems VPN 3000 - page 303

    Figure 14-5: Administration | Sessions | Detail screen: IPSec remote access user ...

  • Cisco Systems VPN 3000 - page 304

    Figure 14-6: Administration | Sessions | Detail screen: IPSec through NAT Figure 14-7: Administration | Sessions | Detail screen: L2TP ...

  • Cisco Systems VPN 3000 - page 305

    Figure 14-8: Administration | Sessions | Detail screen: L2TP over IPSec Figure 14-9: Administration | Sessions | Detail screen: PPTP ...

  • Cisco Systems VPN 3000 - page 306

    Refresh To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated. Back to Sessions To return to the Administration | Sessions screen, click Back to Sessions. Administration | Sessions | Detail parameters Table 14- ...

  • Cisco Systems VPN 3000 - page 307

    IPSec Sessions: The total number of IPSec (Phase 2) sessions, which are data traffic sessions through the tunnel. Each IPSec remote-access session may have two IPSec sessions: one showing the tunnel endpoints, and one showing the private networks r ...

  • Cisco Systems VPN 3000 - page 308

    Administration | Software Update This screen lets you update the VPN Concentrator executable system software (the software image). This process uploads the file to the VPN Concentrator, which then verifies the integrity of the file. The new image file must be ...

  • Cisco Systems VPN 3000 - page 309

    Browse... Enter the complete pathname of the new image file, or click Browse... to find and select the file from your workstation or network. Cisco-supplied VPN 3000 Concentrator software image files are named: Model 3005 = vpn3005.<Major Vers ...

  • Cisco Systems VPN 3000 - page 310

    If the upload or verification is not successful, the progress window displays a failure message. Figure 14-13: Administration | Software Update Failure window Click OK to close the progress window. Try the upload again. Software Update Success This wind ...

  • Cisco Systems VPN 3000 - page 311

    Administration | System Reboot This screen lets you reboot or shut down (halt) the VPN Concentrator with various options. We strongly recommend that you shut down the VPN Concentrator before you turn power off. If you just turn power off without s ...

  • Cisco Systems VPN 3000 - page 312

    Action Click a radio button to select the desired action. You can select only one action. Reboot = Reboot the VPN Concentrator. Rebooting terminates all sessions, resets the hardware, loads and verifies the software image, executes system diagnostics, and initializes ...

  • Cisco Systems VPN 3000 - page 313

    To cancel your settings on this screen, click Cancel. The Manager returns to the main Administration screen. (Note that this Cancel button does not cancel a scheduled reboot or shutdown.) Administration | Ping This screen lets you use the ICMP ping (Pack ...

  • Cisco Systems VPN 3000 - page 314

    Error (Ping) If the system is unreachable for any reason — host down, ICMP not running on host, route not configured, intermediate router down, network down or congested, etc. — the Manager displays an Error screen with the name of the tested host. To troublesh ...

  • Cisco Systems VPN 3000 - page 315

    Apply / Cancel To save your settings in the active configuration, click Apply. The Manager goes to the main Administration screen. Reminder: To save the active configuration and make it the boot configuration, click the Save Needed icon at the t ...

  • Cisco Systems VPN 3000 - page 316

    Note: The VPN Concentrator saves Administrator parameter settings from this screen and the Modify Properties screen in nonvolatile memory, not in the active configuration (CONFIG) file. Thus, these settings are retained even if the system loses power. These s ...

  • Cisco Systems VPN 3000 - page 317

    Administrator To assign “system administrator” privileges to one administrator, click the radio button. Only the “system administrator” can access and configure properties in this section. You can s ...

  • Cisco Systems VPN 3000 - page 318

    Table 14-3 shows the matrix of Cisco-supplied default rights for the five administrators. Username Enter or edit the unique username for this administrator. Maximum is 31 characters. Password Enter or edit the unique password for this administrator. Maximum is 3 ...

  • Cisco Systems VPN 3000 - page 319

    Authentication This area consists of VPN Concentrator Manager functions that affect authentication: • Configuration | User Management • Configuration | Policy Management | Access Hours • Configuratio ...

  • Cisco Systems VPN 3000 - page 320

    Administration | Access Rights | Access Control List This section of the Manager lets you configure and prioritize the systems (workstations) that are allowed to access the VPN Concentrator Manager. For example, you might want to allow access only from one or t ...

  • Cisco Systems VPN 3000 - page 321

    Reminder: The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager ...

  • Cisco Systems VPN 3000 - page 322

    IP Mask Enter the mask for the IP address in dotted decimal notation. This mask lets you restrict access to a single IP address, a range of addresses, or all addresses. To restrict access to a single IP address, enter 255.255.255.255 (the default). To allow all I ...

  • Cisco Systems VPN 3000 - page 323

    The Manager resets the inactivity timer only when you click an action button (Apply, Add, Cancel, etc.) or a link on a screen — that is, when you invoke a different screen. Entering values or setting parameters on a given screen does not ...

  • Cisco Systems VPN 3000 - page 324

    Administration | File Management | Files This screen lets you manage files in VPN Concentrator flash memory. (Flash memory acts like a disk.) Such files include CONFIG, CONFIG.BAK, LOGNNNNN.TXT files, and copies of them that you have saved under different ...

  • Cisco Systems VPN 3000 - page 325

    Actions For a selected file, click the desired action link. The actions available to you depend on your Access Rights to Files; see the Administration | Access Rights | Administrators | Modify Properties screen. View (Save) To view the s ...

  • Cisco Systems VPN 3000 - page 326

    Administration | File Management | Swap Configuration Files This screen lets you swap the boot configuration file with the backup configuration file. Every time you save the active configuration, the system writes it to the CONFIG file, which is the boot confi ...

  • Cisco Systems VPN 3000 - page 327

    Concentrator File Enter the name of the file on the VPN Concentrator. This filename must conform to the 8.3 naming convention. Action Click the drop-down menu button and select the TFTP action: GET << = Get a file from the remot ...

  • Cisco Systems VPN 3000 - page 328

    Success (TFTP) If the TFTP transfer is successful, the Manager displays a Success screen. Figure 14-31: Administration | File Management | TFTP Transfer | Success screen Continue To return to the Administration | File Management | TFTP Transfer screen, click ...

  • Cisco Systems VPN 3000 - page 329

    specific systems or hosts. There must be at least one identity certificate (and its root certificate) on a given VPN Concentrator; there may be more than one root certificate. During IKE (IPSec) Phase 1 authentication, the communicati ...

  • Cisco Systems VPN 3000 - page 330

    Installing digital certificates on the VPN Concentrator Installing a digital certificate on the VPN Concentrator requires these steps: 1 Use the Administration | Certificate Management | Enrollment screen to generate a certificate request. Save the request as a file, o ...

  • Cisco Systems VPN 3000 - page 331

    Figure 14-34: Administration | Certificate Management | Enrollment screen Common Name (CN) Enter the name for this VPN Concentrator that identifies it in the PKI; e.g., Engineering VPN. Spaces are allowed. You must enter a name i ...

  • Cisco Systems VPN 3000 - page 332

    Locality (L) Enter the city or town where this VPN Concentrator is located; e.g., Franklin. Spaces are allowed. State/Province (SP) Enter the state or province where this VPN Concentrator is located; e.g., Massachusetts. Spell out completely, do not abbr ...

  • Cisco Systems VPN 3000 - page 333

    Administration | Certificate Management | Enrollment | Request Generated The Manager displays this screen when the system has successfully generated a certificate request. The request is a Base-64 encoded file in ...

  • Cisco Systems VPN 3000 - page 334

    Enrolling with a Certificate Authority To send the certificate request to a CA, enroll, and receive your digital certificates, follow these steps. (These are cut-and-paste steps; your CA may follow different procedures. In any case, you must end up with c ...

  • Cisco Systems VPN 3000 - page 335

    Figure 14-37: Administration | Certificate Management | Installation screen Certificate Type Click the drop-down menu button and select the type of digital certificate to install. (Please note that --Select a Certificate Typ ...

  • Cisco Systems VPN 3000 - page 336

    Local File / Browse Enter the complete path and filename of the certificate you are installing; e.g., d:certsca_root.txt. Or click Browse to navigate to the file on your PC or other reachable network host. Apply / Cancel To install the certificate, click App ...

  • Cisco Systems VPN 3000 - page 337

    Administration | Certificate Management | Certificates 14-43 VPN 3000 Concentrator Series User Guide SSL Certificate / [ Generate ] This table shows the SSL server certificate installed on the VPN Concentrator. The system can have only one SSL server certificate installed: either a self-signed certificate or one issued in ...

  • Cisco Systems VPN 3000 - page 338

    14 Administration 14-44 VPN 3000 Concentrator Series User Guide Administration | Certificate Management | Certificates | View The Manager displays this screen of certificate details when you click View for a certificate on the Administration | Certificate Management | Certificates screen. The details vary depending on the ...

  • Cisco Systems VPN 3000 - page 339

    Administration | Certificate Management | Certificates | View 14-45 VPN 3000 Concentrator Series User Guide For the VPN Concentrator self-signed SSL certificate, the CN is the IP address on the Ethernet 1 (Private) interface at the time the certificate is generated. SSL compares this CN with the address you use to connect to ...

  • Cisco Systems VPN 3000 - page 340

    14 Administration 14-46 VPN 3000 Concentrator Series User Guide MD5 Thumbprint A 128-bit MD5 hash of the complete certificate contents, shown as a 16-byte string. This value is unique for every certificate, and it positively identifies the certificate. If you question a certificate’s authenticity, you can check thi ...

  • Cisco Systems VPN 3000 - page 341

    Administration | Certificate Management | Certificates | CRL 14-47 VPN 3000 Concentrator Series User Guide serial number. Enabling CRL checking means that every time the VPN Concentrator uses the certificate for authentication, it also checks the latest CRL to ensure that the certificate has not been revoked. CAs use L ...

  • Cisco Systems VPN 3000 - page 342

    14 Administration 14-48 VPN 3000 Concentrator Series User Guide Server Port Enter the port number for the CRL server. Enter 0 (the default) to have the system supply the default port number, 389 (LDAP). Update Period Enter the frequency in minutes to poll for updated CRLs. Enter 0 (the default) to have the system fetch the ...

  • Cisco Systems VPN 3000 - page 343

    Administration | Certificate Management | Certificates | Delete 14-49 VPN 3000 Concentrator Series User Guide Administration | Certificate Management | Certificates | Delete The Manager displays this confirmation screen when you click Delete for a certificate on the Administration | Certificate Management | Certificates screen. The ...

  • Cisco Systems VPN 3000 - page 344

    ...

  • Cisco Systems VPN 3000 - page 345

    15-1 VPN 3000 Concentrator Series User Guide CHAPTER 15 Monitoring The VPN 3000 Concentrator tracks many statistics and the status of many items essential to system administration and management. This section of the Manager lets you view all those status items and statistics. You can even see the state of LEDs that show the s ...

  • Cisco Systems VPN 3000 - page 346

    15 Monitoring 15-2 VPN 3000 Concentrator Series User Guide Figure 15-1: Monitor screen Monitor | Routing Table This screen shows the VPN Concentrator routing table at the time the screen displays. The IP routing subsystem examines the destination IP address of packets coming through the VPN Concentrator and forwards or drops ...

  • Cisco Systems VPN 3000 - page 347

    Monitor | Routing Table 15-3 VPN 3000 Concentrator Series User Guide Valid Routes The total number of current valid routes that the VPN Concentrator knows about. This number includes all valid routes, and it may be greater than the number of rows in the routing table, which shows only the best routes with duplicates remo ...

  • Cisco Systems VPN 3000 - page 348

    15 Monitoring 15-4 VPN 3000 Concentrator Series User Guide Age The number of seconds since this route was last updated or otherwise validated. The age is relative to the screen display time; e.g., 25 means the route was last validated 25 seconds before the screen was displayed. 0 indicates a static, local, or default route. Metr ...

  • Cisco Systems VPN 3000 - page 349

    Monitor | Event Log 15-5 VPN 3000 Concentrator Series User Guide Select Filter Options You can select any or all of the following five options for displaying the event log. After selecting the option(s), click any one of the four Page buttons. The Manager refreshes the screen and displays the event log according to your selecti ...

  • Cisco Systems VPN 3000 - page 350

    15 Monitoring 15-6 VPN 3000 Concentrator Series User Guide First Page To display the first page (screen) of the event log, click this button. By default, the Manager displays the first page of the event log when you first open this screen. Previous Page To display the previous page (screen) of the event log, click this butto ...

  • Cisco Systems VPN 3000 - page 351

    Monitor | Event Log 15-7 VPN 3000 Concentrator Series User Guide Clear Log To clear the current event log from memory, click this button. The Manager then refreshes the screen and shows the empty log. Caution: The Manager immediately erases the event log from memory without asking for confirmation. There is no undo. Event ...

  • Cisco Systems VPN 3000 - page 352

    15 Monitoring 15-8 VPN 3000 Concentrator Series User Guide Event class / number The class — or source — of the event, and the internal reference number associated with the specific event within the event class. For example: HTTP/47 identifies that an administrator logged in to the VPN Concentrator using HTTP to connect ...

  • Cisco Systems VPN 3000 - page 353

    Monitor | System Status 15-9 VPN 3000 Concentrator Series User Guide Monitor | System Status This screen shows the status of several software and hardware variables at the time the screen displays. From this screen you can also display the status and statistics for SEP modules, system power supplies, and network interfaces. Figure ...

  • Cisco Systems VPN 3000 - page 354

    15 Monitoring 15-10 VPN 3000 Concentrator Series User Guide Refresh To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated. VPN Concentrator Type The type, or model number, of this VPN Concentrator. Bootcode Rev The version name, number, and date of the VPN Concentra ...

  • Cisco Systems VPN 3000 - page 355

    Monitor | System Status 15-11 VPN 3000 Concentrator Series User Guide Fan 1, Fan 2 The VPN Concentrator includes two cooling fans. In the Model 3005, they are on the rear of the chassis, with Fan 1 on the left as you face the rear. In the Model 3015–3080, they are on the right side of the chassis as you face the front, wi ...

  • Cisco Systems VPN 3000 - page 356

    15 Monitoring 15-12 VPN 3000 Concentrator Series User Guide Monitor | System Status | Ethernet Interface This screen displays status and statistics for a VPN Concentrator Ethernet interface. To configure an interface, see Configuration | Interfaces. Figure 15-5: Monitor | System Status | Ethernet Interface screen Refr ...

  • Cisco Systems VPN 3000 - page 357

    Monitor | System Status | Ethernet Interface 15-13 VPN 3000 Concentrator Series User Guide Testing = in test mode; no regular data traffic can pass. Dormant = configured and enabled but waiting for an external action, such as an incoming connection. Not Present = missing hardware components. Lower Layer Down = not opera ...

  • Cisco Systems VPN 3000 - page 358

    15 Monitoring 15-14 VPN 3000 Concentrator Series User Guide Monitor | System Status | Dual T1/E1 WAN Slot N This screen displays status and statistics for a VPN Concentrator WAN module. To configure a WAN module interface, see Configuration | Interfaces. Figure 15-6: Monitor | System Status | Dual T1/E1 WAN Slot N scr ...

  • Cisco Systems VPN 3000 - page 359

    Monitor | System Status | Dual T1/E1 WAN Slot N 15-15 VPN 3000 Concentrator Series User Guide Port The interface port on the WAN module (A or B). Status The current status of this port: Up = (Green) Configured, enabled, and operational; synchronized with the network and ready to pass data traffic. Red = (Red) Red alarm: Port ...

  • Cisco Systems VPN 3000 - page 360

    15 Monitoring 15-16 VPN 3000 Concentrator Series User Guide Severely Errored Framing Seconds The number of seconds during which one or more out-of-frame defects or an AIS defect were detected on this port. Unavailable Seconds The number of seconds during which this port has not been available. Basically, unavailable seconds ...

  • Cisco Systems VPN 3000 - page 361

    Monitor | System Status | Dual T1/E1 WAN Slot N 15-17 VPN 3000 Concentrator Series User Guide Slot The physical slot in the VPN Concentrator (1 through 4) that houses the WAN module. Port The interface port on the WAN module (A or B). IfIndex The unique interface index (an integer) that identifies this WAN port. For WAN ports, ...

  • Cisco Systems VPN 3000 - page 362

    15 Monitoring 15-18 VPN 3000 Concentrator Series User Guide Received Frame Too Long The number of received frame too long errors on this interface port. The size of the packets received exceeds the MTU (Maximum Transmission Unit). These errors could indicate that the T1/E1 line is not configured correctly; for example, if you ar ...

  • Cisco Systems VPN 3000 - page 363

    Monitor | System Status | Power 15-19 VPN 3000 Concentrator Series User Guide Monitor | System Status | Power This screen displays status and data for VPN Concentrator power supplies and voltage sensors in the system. To configure alarm thresholds for system voltages, see the Configuration | Interfaces | Power screen. ...

  • Cisco Systems VPN 3000 - page 364

    15 Monitoring 15-20 VPN 3000 Concentrator Series User Guide Board Voltages and status for the 3.3- and 5-volt sensors on the main circuit board. 1.9/2.5V Status, 3.3V Status, 5V Status The status of voltages relative to the configured thresholds: OK = within low and high threshold limits. ALARM = outside of low or high th ...

  • Cisco Systems VPN 3000 - page 365

    Monitor | System Status | SEP 15-21 VPN 3000 Concentrator Series User Guide Figure 15-8: Monitor | System Status | SEP screen Refresh To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated. Back To return to the Monitor | System Status screen, click Back. SEP The cha ...

  • Cisco Systems VPN 3000 - page 366

    15 Monitoring 15-22 VPN 3000 Concentrator Series User Guide Status The functional state of this SEP module: Operational = module is operating correctly. Not Operational = module has failed during operation. This is an error condition; please contact Cisco Customer Support. Found = module is installed but is not yet operat ...

  • Cisco Systems VPN 3000 - page 367

    Monitor | System Status | SEP 15-23 VPN 3000 Concentrator Series User Guide Hash Decrypted: Packets The number of packets that this SEP processed using both hashing (authentication) and decryption algorithms. Drops: Packets The number of packets intended for processing by this SEP, but dropped due to the SEP being overloaded. R ...

  • Cisco Systems VPN 3000 - page 368

    15 Monitoring 15-24 VPN 3000 Concentrator Series User Guide RSA Digital Signings The number of times this SEP has generated an RSA (Rivest, Shamir, Adleman algorithm) digital signature. The VPN Concentrator generates a digital signature when it creates a digital certificate. RSA Digital Verifications The number of times this ...

  • Cisco Systems VPN 3000 - page 369

    Monitor | System Status | LED Status 15-25 VPN 3000 Concentrator Series User Guide Monitor | System Status | LED Status Model 3015–3080 only This screen shows the status of VPN Concentrator front-panel LED indicators, exactly as they appear on the unit itself. LED indicators on the VPN Concentrator are normally gr ...

  • Cisco Systems VPN 3000 - page 370

    15 Monitoring 15-26 VPN 3000 Concentrator Series User Guide Monitor | Sessions This screen shows comprehensive data for all active user and administrator sessions on the VPN Concentrator. Figure 15-10: Monitor | Sessions screen Refresh To update the screen and its data, click Refresh. The date and time indicate when the screen ...

  • Cisco Systems VPN 3000 - page 371

    Monitor | Sessions 15-27 VPN 3000 Concentrator Series User Guide Active LAN-to-LAN Sessions The number of IPSec LAN-to-LAN sessions that are currently active. Active Remote Access Sessions The number of PPTP, L2TP, IPSec remote-access user, L2TP over IPSec, and IPSec through NAT sessions that are currently active. Active ...

  • Cisco Systems VPN 3000 - page 372

    15 Monitoring 15-28 VPN 3000 Concentrator Series User Guide IP Address The IP address of the remote peer VPN Concentrator or other secure gateway that initiated this LAN-to-LAN connection. Protocol, Encryption, Login Time, Duration, Bytes Tx, Bytes Rx See Table 15-1 on page 15-29 for definitions of these parameters. Remote Ac ...

  • Cisco Systems VPN 3000 - page 373

    Monitor | Sessions 15-29 VPN 3000 Concentrator Series User Guide Management Sessions table This table shows parameters and statistics for all active administrator management sessions on the VPN Concentrator. [ LAN-to-LAN Sessions | Remote Access Sessions ] Click these active links to go to the other session tables on this Manager ...

  • Cisco Systems VPN 3000 - page 374

    15 Monitoring 15-30 VPN 3000 Concentrator Series User Guide Monitor | Sessions | Detail These Manager screens show detailed parameters and statistics for a specific remote-access or LAN-to-LAN session. The parameters and statistics differ depending on the session protocol. There are unique screens for: • IPSec LAN-to-LAN ( ...

  • Cisco Systems VPN 3000 - page 375

    Monitor | Sessions | Detail 15-31 VPN 3000 Concentrator Series User Guide Figure 15-12: Monitor | Sessions | Detail screen: IPSec remote access user ...

  • Cisco Systems VPN 3000 - page 376

    15 Monitoring 15-32 VPN 3000 Concentrator Series User Guide Figure 15-13: Monitor | Sessions | Detail screen: IPSec through NAT Figure 15-14: Monitor | Sessions | Detail screen: L2TP ...

  • Cisco Systems VPN 3000 - page 377

    Monitor | Sessions | Detail 15-33 VPN 3000 Concentrator Series User Guide Figure 15-15: Monitor | Sessions | Detail screen: L2TP over IPSec Figure 15-16: Monitor | Sessions | Detail screen: PPTP ...

  • Cisco Systems VPN 3000 - page 378

    15 Monitoring 15-34 VPN 3000 Concentrator Series User Guide Refresh To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated. Back to Sessions To return to the Monitor | Sessions screen, click Back to Sessions. Monitor | Sessions | Detail parameters Table 15-2: Parameter defi ...

  • Cisco Systems VPN 3000 - page 379

    Monitor | Sessions | Detail 15-35 VPN 3000 Concentrator Series User Guide IPSec Sessions: The total number of IPSec (Phase 2) sessions, which are data traffic sessions through the tunnel. Each IPSec remote-access session may have two IPSec sessions: one showing the tunnel endpoints, and one showing the private networks reachabl ...

  • Cisco Systems VPN 3000 - page 380

    15 Monitoring 15-36 VPN 3000 Concentrator Series User Guide Monitor | Sessions | Protocols This screen graphically displays the protocols used by currently active user and administrator sessions on the VPN Concentrator. Figure 15-17: Monitor | Sessions | Protocols screen Refresh To update the screen and its data, click Ref ...

  • Cisco Systems VPN 3000 - page 381

    Monitor | Sessions | Protocols 15-37 VPN 3000 Concentrator Series User Guide L2TP = Layer 2 Tunneling Protocol. IPSec = Internet Protocol Security tunneling protocol (remote-access users). HTTP = Hypertext Transfer Protocol (Web browser). FTP = File Transfer Protocol. Telnet = terminal emulation protocol. SNMP = Simple Net ...

  • Cisco Systems VPN 3000 - page 382

    15 Monitoring 15-38 VPN 3000 Concentrator Series User Guide Monitor | Sessions | SEPs Model 3015–3080 only This screen graphically displays the SEP (Scalable Encryption Processing) modules used by currently active user and administrator sessions on the VPN Concentrator. SEP modules perform data encryption functions in ...

  • Cisco Systems VPN 3000 - page 383

    Monitor | Sessions | Encryption 15-39 VPN 3000 Concentrator Series User Guide Bar Graph The percentage of sessions using this SEP module relative to the total active sessions, as a horizontal bar graph. Each segment of the bar in the column heading represents 25%. Percentage The percentage of sessions using this SEP module rela ...

  • Cisco Systems VPN 3000 - page 384

    15 Monitoring 15-40 VPN 3000 Concentrator Series User Guide Encryption The data encryption algorithm that the sessions are using: Other = other than listed below. None = no data encryption. DES-56 = Data Encryption Standard algorithm with a 56-bit key. DES-40 = DES encryption with a 56-bit key, 40 bits of which are priv ...

  • Cisco Systems VPN 3000 - page 385

    Monitor | Sessions | Top Ten Lists 15-41 VPN 3000 Concentrator Series User Guide Monitor | Sessions | Top Ten Lists This section of the Manager shows statistics for the top 10 currently active VPN Concentrator sessions, sorted by: • Data: total bytes transmitted and received. • Duration: total time connected. • Throughput ...

  • Cisco Systems VPN 3000 - page 386

    15 Monitoring 15-42 VPN 3000 Concentrator Series User Guide IP Address The IP address of the session user. This is the address assigned to or supplied by a remote user, or the host address of a networked user. Local identifies the console directly connected to the VPN Concentrator. Protocol The protocol that the session ...

  • Cisco Systems VPN 3000 - page 387

    Monitor | Sessions | Top Ten Lists | Duration 15-43 VPN 3000 Concentrator Series User Guide Login Time The date and time that this session logged in: MM/DD/YYYY HH:MM:SS. Time is in 24-hour notation. Total Bytes The total number of bytes transmitted and received by this session. N/A = the session is not passing data; e.g., it ...

  • Cisco Systems VPN 3000 - page 388

    15 Monitoring 15-44 VPN 3000 Concentrator Series User Guide Protocol The protocol that the session is using. Console = directly connected console; no protocol. Debug/Console = debugging via console (Cisco use only). Debug/Telnet = debugging via Telnet (Cisco use only). FTP = File Transfer Protocol. HTTP = Hypertext Tr ...

  • Cisco Systems VPN 3000 - page 389

    Monitor | Sessions | Top Ten Lists | Throughput 15-45 VPN 3000 Concentrator Series User Guide Duration The total amount of time that this session has been connected: HH:MM:SS. Monitor | Sessions | Top Ten Lists | Throughput This screen shows statistics for the top 10 currently active VPN Concentrator sessions, sorted b ...

  • Cisco Systems VPN 3000 - page 390

    15 Monitoring 15-46 VPN 3000 Concentrator Series User Guide FTP = File Transfer Protocol. HTTP = Hypertext Transfer Protocol (Web browser). IPSec = Internet Protocol Security tunneling protocol (remote-access user). IPSec/LAN-to-LAN = IPSec LAN-to-LAN connection. IPSec/NAT = IPSec through NAT (Network Address Transl ...

  • Cisco Systems VPN 3000 - page 391

    Monitor | Statistics 15-47 VPN 3000 Concentrator Series User Guide Monitor | Statistics This section of the Manager shows statistics for traffic and activity on the VPN Concentrator since it was last booted or reset, and for current tunneled sessions, plus statistics in standard MIB-II objects for interfaces, TCP/UDP, IP, I ...

  • Cisco Systems VPN 3000 - page 392

    15 Monitoring 15-48 VPN 3000 Concentrator Series User Guide Monitor | Statistics | PPTP This screen shows statistics for PPTP activity on the VPN Concentrator since it was last booted or reset, and for current PPTP sessions. The Monitor | Sessions | Detail screens also show PPTP data. To configure system-wide PPTP parameters ...

  • Cisco Systems VPN 3000 - page 393

    Monitor | Statistics | PPTP 15-49 VPN 3000 Concentrator Series User Guide Total Sessions The total number of user sessions through PPTP tunnels since the VPN Concentrator was last booted or reset. Active Sessions The number of user sessions that are currently active through PPTP tunnels. The PPTP Sessions table shows statisti ...

  • Cisco Systems VPN 3000 - page 394

    15 Monitoring 15-50 VPN 3000 Concentrator Series User Guide Peer IP The IP address of the peer host that established the PPTP tunnel for this session; i.e., the tunnel endpoint IP address. The Monitor | Sessions screen shows the IP address assigned to the client using the tunnel. Username The username for the session with ...

  • Cisco Systems VPN 3000 - page 395

    Monitor | Statistics | L2TP 15-51 VPN 3000 Concentrator Series User Guide Flow The state of packet flow control for this PPTP session: Local = the local buffer is full; i.e., packet flow for the local end of the session is OFF because the number of outstanding unacknowledged packets received from the peer is equal to the l ...

  • Cisco Systems VPN 3000 - page 396

    15 Monitoring 15-52 VPN 3000 Concentrator Series User Guide Total Tunnels The total number of L2TP tunnels successfully established since the VPN Concentrator was last booted or reset. Active Tunnels The number of L2TP tunnels that are currently active. Maximum Tunnels The maximum number of L2TP tunnels that have been simul ...

  • Cisco Systems VPN 3000 - page 397

    Monitor | Statistics | L2TP 15-53 VPN 3000 Concentrator Series User Guide Rx Packets Control / Data The number of L2TP control / data channel packets received by the VPN Concentrator since it was last booted or reset. Rx Discards Control / Data The number of L2TP control / data channel packets received and discarded by the VPN C ...

  • Cisco Systems VPN 3000 - page 398

    15 Monitoring 15-54 VPN 3000 Concentrator Series User Guide Receive Packets The total number of L2TP data packets received by this session. Receive Discards The total number of L2TP data packets received and discarded by this session. Receive ZLB The total number of L2TP Zero Length Body acknowledgement data packets receive ...

  • Cisco Systems VPN 3000 - page 399

    Monitor | Statistics | IPSec 15-55 VPN 3000 Concentrator Series User Guide Monitor | Statistics | IPSec This screen shows statistics for IPSec activity — including current IPSec tunnels — on the VPN Concentrator since it was last booted or reset. These statistics conform to the IETF draft for the IPSec Flow Monitoring MIB. The M ...

  • Cisco Systems VPN 3000 - page 400

    15 Monitoring 15-56 VPN 3000 Concentrator Series User Guide IKE (Phase 1) Statistics This table provides IPSec Phase 1 (IKE: Internet Key Exchange) global statistics. During IPSec Phase 1 (IKE), the two peers establish control tunnels through which they negotiate Security Associations. Active Tunnels The number of curr ...

  • Cisco Systems VPN 3000 - page 401

    Monitor | Statistics | IPSec 15-57 VPN 3000 Concentrator Series User Guide Received Notifies The cumulative total of notify packets received by all currently and previously active IKE tunnels. A notify packet is an informational packet that is sent in response to a bad packet or to indicate status; e.g., error packets, ke ...

  • Cisco Systems VPN 3000 - page 402

    15 Monitoring 15-58 VPN 3000 Concentrator Series User Guide Phase-2 SA Delete Requests Sent The cumulative total of requests to delete IPSec Phase-2 Security Associations sent by all currently and previously active IKE tunnels. Initiated Tunnels The cumulative total of IKE tunnels that this VPN Concentrator initiated. Th ...

  • Cisco Systems VPN 3000 - page 403

    Monitor | Statistics | IPSec 15-59 VPN 3000 Concentrator Series User Guide IPSec (Phase 2) Statistics This table provides IPSec Phase 2 global statistics. During IPSec Phase 2, the two peers negotiate Security Associations that govern traffic within the tunnel. Active Tunnels The number of currently active IPSec Phase-2 tun ...

  • Cisco Systems VPN 3000 - page 404

    15 Monitoring 15-60 VPN 3000 Concentrator Series User Guide Sent Packets Dropped The cumulative total of packets dropped during send processing by all currently and previously active IPSec Phase-2 tunnels. This number should be zero; if not, check for a network problem, check the event log for an internal subsystem failur ...

  • Cisco Systems VPN 3000 - page 405

    Monitor | Statistics | HTTP 15-61 VPN 3000 Concentrator Series User Guide System Capability Failures The total number of system capacity failures that occurred during processing of all currently and previously active IPSec Phase-2 tunnels. These failures indicate that the system has run out of memory or some other critical resour ...

  • Cisco Systems VPN 3000 - page 406

    15 Monitoring 15-62 VPN 3000 Concentrator Series User Guide Packets Sent The total number of HTTP packets sent since the VPN Concentrator was last booted or reset. Packets Received The total number of HTTP packets received since the VPN Concentrator was last booted or reset. Active Connections The number of currently activ ...

  • Cisco Systems VPN 3000 - page 407

    Monitor | Statistics | Telnet 15-63 VPN 3000 Concentrator Series User Guide Refresh To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated. Use the scroll controls (if present) to view the entire table. Event Class Event class denotes the source of the event and refers ...

  • Cisco Systems VPN 3000 - page 408

    15 Monitoring 15-64 VPN 3000 Concentrator Series User Guide Active Sessions The number of active Telnet sessions. The Telnet Sessions table shows statistics for these sessions. Attempted Sessions The total number of attempts to establish Telnet sessions on the VPN Concentrator since it was last booted or reset. Successful Sessions ...

  • Cisco Systems VPN 3000 - page 409

    Monitor | Statistics | DNS 15-65 VPN 3000 Concentrator Series User Guide Monitor | Statistics | DNS This screen shows statistics for DNS (Domain Name System) activity on the VPN Concentrator since it was last booted or reset. To configure the VPN Concentrator to communicate with DNS servers, see the Configuration | System | Serve ...

  • Cisco Systems VPN 3000 - page 410

    15 Monitoring 15-66 VPN 3000 Concentrator Series User Guide Monitor | Statistics | Authentication This screen shows statistics for user authentication activity on the VPN Concentrator since it was last booted or reset. To configure the VPN Concentrator to communicate with authentication servers, see the Configuration | System | S ...

  • Cisco Systems VPN 3000 - page 411

    Monitor | Statistics | Authentication 15-67 VPN 3000 Concentrator Series User Guide Rejects The number of authentication rejection packets received from this server. Challenges The number of authentication challenge packets received from this server. Malformed Responses The number of malformed authentication response packet ...

  • Cisco Systems VPN 3000 - page 412

    15 Monitoring 15-68 VPN 3000 Concentrator Series User Guide Monitor | Statistics | Accounting This screen shows statistics for RADIUS user accounting activity on the VPN Concentrator since it was last booted or reset. To configure the VPN Concentrator to communicate with RADIUS accounting servers, see the Configuration | Sys ...

  • Cisco Systems VPN 3000 - page 413

    Monitor | Statistics | Filtering 15-69 VPN 3000 Concentrator Series User Guide Bad Authenticators The number of accounting response packets received from this server that contained invalid authenticators. Pending Requests The number of accounting request packets sent to this RADIUS accounting server that have not yet t ...

  • Cisco Systems VPN 3000 - page 414

    15 Monitoring 15-70 VPN 3000 Concentrator Series User Guide Interface The VPN Concentrator network interface through which the filtered traffic has passed. 1 = Ethernet 1 (Private) interface. 2 = Ethernet 2 (Public) interface. 3 = Ethernet 3 (External) interface. 8 or greater = WAN interface. Inbound Packets Pre-Filter ...

  • Cisco Systems VPN 3000 - page 415

    Monitor | Statistics | VRRP 15-71 VPN 3000 Concentrator Series User Guide Monitor | Statistics | VRRP This screen shows status and statistics for VRRP (Virtual Router Redundancy Protocol) activity on the VPN Concentrator since it was last booted or reset. To configure VRRP, see the Configuration | System | IP Routing | Red ...

  • Cisco Systems VPN 3000 - page 416

    15 Monitoring 15-72 VPN 3000 Concentrator Series User Guide VRID Errors The total number of VRRP packets received with an invalid VRRP Group ID number for this VPN Concentrator. VRID The identification number that uniquely identifies the group of virtual routers to which this VPN Concentrator belongs. Not Configured = VRRP ha ...

  • Cisco Systems VPN 3000 - page 417

    Monitor | Statistics | VRRP 15-73 VPN 3000 Concentrator Series User Guide Time-to-Live Errors The total number of VRRP packets received by this interface with IP TTL (Time-To-Live) not equal to 255. All VRRP packets must have TTL = 255. Priority 0 Packets Received The total number of VRRP packets received by this interface ...

  • Cisco Systems VPN 3000 - page 418

    15 Monitoring 15-74 VPN 3000 Concentrator Series User Guide Monitor | Statistics | SSL This screen shows statistics for SSL (Secure Sockets Layer) protocol traffic on the VPN Concentrator since it was last booted or reset. To configure SSL, see Configuration | System | Management Protocols | SSL. Figure 15-36: Monitor | Stati ...

  • Cisco Systems VPN 3000 - page 419

    Monitor | Statistics | DHCP 15-75 VPN 3000 Concentrator Series User Guide Active Sessions The number of currently active SSL sessions. Max Active Sessions The maximum number of SSL sessions simultaneously active at any one time. Monitor | Statistics | DHCP This screen shows statistics for DHCP (Dynamic Host Configuration Protocol) act ...

  • Cisco Systems VPN 3000 - page 420

    15 Monitoring 15-76 VPN 3000 Concentrator Series User Guide Time Left The time remaining until the current IP address lease expires, shown as HH:MM:SS. DHCP Server Address The IP address of the DHCP server that leased this IP address. Monitor | Statistics | Address Pools This screen shows statistics for address pool activity on th ...

  • Cisco Systems VPN 3000 - page 421

    Monitor | Statistics | MIB-II 15-77 VPN 3000 Concentrator Series User Guide Max Allocated Addresses The maximum number of IP addresses assigned from this pool at any one time. Monitor | Statistics | MIB-II This section of the Manager lets you view statistics that are recorded in standard MIB-II objects on the VPN Concentrator. M ...

  • Cisco Systems VPN 3000 - page 422

    15 Monitoring 15-78 VPN 3000 Concentrator Series User Guide Monitor | Statistics | MIB-II | Interfaces This screen shows statistics in MIB-II objects for VPN Concentrator interfaces since the system was last booted or reset. This screen also shows statistics for VPN tunnels as logical interfaces. RFC 2233 defines interface MI ...

  • Cisco Systems VPN 3000 - page 423

    Monitor | Statistics | MIB-II | Interfaces 15-79 VPN 3000 Concentrator Series User Guide Unicast In The number of unicast packets that were received by this interface. Unicast packets are those addressed to a single host. Unicast Out The number of unicast packets that were routed to this interface for transmission, includin ...

  • Cisco Systems VPN 3000 - page 424

    15 Monitoring 15-80 VPN 3000 Concentrator Series User Guide Monitor | Statistics | MIB-II | TCP/UDP This screen shows statistics in MIB-II objects for TCP and UDP traffic on the VPN Concentrator since it was last booted or reset. RFC 2012 defines TCP MIB objects, and RFC 2013 defines UDP MIB objects. Figure 15-41: Monitor | S ...

  • Cisco Systems VPN 3000 - page 425

    Monitor | Statistics | MIB-II | TCP/UDP 15-81 VPN 3000 Concentrator Series User Guide TCP Timeout Max The maximum value permitted for TCP retransmission timeout, measured in milliseconds. TCP Connection Limit The limit on the total number of TCP connections that the system can support. A value of -1 means there is no limit. TCP ...

  • Cisco Systems VPN 3000 - page 426

    15 Monitoring 15-82 VPN 3000 Concentrator Series User Guide UDP Errored Datagrams The number of received UDP datagrams that could not be delivered for reasons other than the lack of an application at the destination port (UDP No Port). Datagram is the official UDP name for what is casually called a data packet. UDP No P ...

  • Cisco Systems VPN 3000 - page 427

    Monitor | Statistics | MIB-II | IP 15-83 VPN 3000 Concentrator Series User Guide Packets Received (Header Errors) The number of IP data packets received and discarded due to errors in IP headers, including bad checksums, version number mismatches, other format errors, etc. Packets Received (Address Errors) The number of IP da ...

  • Cisco Systems VPN 3000 - page 428

    15 Monitoring 15-84 VPN 3000 Concentrator Series User Guide Packets Transmitted (Requests) The number of IP data packets that local IP user protocols (including ICMP) supplied to transmission requests. This number does not include any packets counted in Packets Forwarded. Fragments Needing Reassembly The number of IP fra ...

  • Cisco Systems VPN 3000 - page 429

    Monitor | Statistics | MIB-II | RIP 15-85 VPN 3000 Concentrator Series User Guide Monitor | Statistics | MIB-II | RIP This screen shows statistics in MIB-II objects for RIP version 2 traffic on the VPN Concentrator since it was last booted or reset. RFC 1724 defines RIP version 2 MIB objects. To configure RIP on interfaces, see Con ...

  • Cisco Systems VPN 3000 - page 430

    15 Monitoring 15-86 VPN 3000 Concentrator Series User Guide Received Bad Routes The number of routes in valid RIP packets received by this interface that were ignored for any reason (e.g., unknown address family, invalid metric). Sent Updates The number of triggered RIP updates actually sent by this interface. This number d ...

  • Cisco Systems VPN 3000 - page 431

    Monitor | Statistics | MIB-II | OSPF 15-87 VPN 3000 Concentrator Series User Guide Monitor | Statistics | MIB-II | OSPF This screen shows statistics in MIB-II objects for OSPF version 2 traffic on the VPN Concentrator since it was last booted or reset. RFC 1850a defines OSPF version 2 MIB objects. To configure OSPF on interfaces, se ...

  • Cisco Systems VPN 3000 - page 432

    15 Monitoring 15-88 VPN 3000 Concentrator Series User Guide Router ID The VPN Concentrator OSPF router ID. This ID uniquely identifies the VPN Concentrator to other OSPF routers in its domain. While the format is that of an IP address, it functions only as an identifier and not an address. By convention, however, this identifier i ...

  • Cisco Systems VPN 3000 - page 433

    Monitor | Statistics | MIB-II | OSPF 15-89 VPN 3000 Concentrator Series User Guide Interface Address The IP address of the VPN Concentrator interface that communicates with its area. Interface Name The VPN Concentrator interface that communicates with its area. Ethernet 1 (Private) = Ethernet 1 (Private) interface. Etherne ...

  • Cisco Systems VPN 3000 - page 434

    15 Monitoring 15-90 VPN 3000 Concentrator Series User Guide State The state of the relationship with this neighboring OSPF router: Down = (Red) The VPN Concentrator has received no recent information from this neighbor. The neighbor may be out of service, or it may not have been in service long enough to establish its p ...

  • Cisco Systems VPN 3000 - page 435

    Monitor | Statistics | MIB-II | OSPF 15-91 VPN 3000 Concentrator Series User Guide Area LSA Count The total number of Link-State Advertisements in this area’s link-state database, excluding AS external LSAs. Area LSA Checksum The sum of the checksums of the Link-State Advertisements in this area’s link-state database. This s ...

  • Cisco Systems VPN 3000 - page 436

    15 Monitoring 15-92 VPN 3000 Concentrator Series User Guide Monitor | Statistics | MIB-II | ICMP This screen shows statistics in MIB-II objects for ICMP traffic on the VPN Concentrator since it was last booted or reset. RFC 2011 defines ICMP MIB objects. Figure 15-45: Monitor | Statistics | MIB-II | ICMP screen Refresh To upda ...

  • Cisco Systems VPN 3000 - page 437

    Monitor | Statistics | MIB-II | ICMP 15-93 VPN 3000 Concentrator Series User Guide Time Exceeded Received / Transmitted The number of ICMP Time Exceeded messages received / sent. Time Exceeded messages indicate that the lifetime of the packet has expired, or that a router cannot reassemble a packet within a time limit. P ...

  • Cisco Systems VPN 3000 - page 438

    15 Monitoring 15-94 VPN 3000 Concentrator Series User Guide Address Mask Requests Received / Transmitted The number of ICMP Address Mask Request messages received / sent. Address Mask Request messages ask for the address (subnet) mask for the LAN to which a router connects. Address Mask Replies Received / Transmitte ...

  • Cisco Systems VPN 3000 - page 439

    Monitor | Statistics | MIB-II | ARP Table 15-95 VPN 3000 Concentrator Series User Guide Interface The VPN Concentrator network interface on which this mapping applies: 1 = Ethernet 1 (Private) interface. 2 = Ethernet 2 (Public) interface. 3 = Ethernet 3 (External) interface. 8 or greater = WAN interface. 1000 and up = VPN ...

  • Cisco Systems VPN 3000 - page 440

    15 Monitoring 15-96 VPN 3000 Concentrator Series User Guide Monitor | Statistics | MIB-II | Ethernet This screen shows statistics in MIB-II objects for Ethernet interface traffic on the VPN Concentrator since it was last booted or reset. IEEE standard 802.3 describes Ethernet networks, and RFC 1650 defines Ethernet inter ...

  • Cisco Systems VPN 3000 - page 441

    Monitor | Statistics | MIB-II | Ethernet 15-97 VPN 3000 Concentrator Series User Guide SQE Test Errors The number of times that the SQE (Signal Quality Error) Test Error message was generated for this interface. The SQE message tests the collision circuits on an interface. Frame Too Long Errors The number of frames received o ...

  • Cisco Systems VPN 3000 - page 442

    15 Monitoring 15-98 VPN 3000 Concentrator Series User Guide Speed (Mbps) This interface’s nominal bandwidth in megabits per second. Duplex The current LAN duplex transmission mode for this interface: Full = Full-Duplex: transmission in both directions at the same time. Half = Half-Duplex: transmission in only one di ...

  • Cisco Systems VPN 3000 - page 443

    Monitor | Statistics | MIB-II | SNMP 15-99 VPN 3000 Concentrator Series User Guide Bad Community String The total number of SNMP messages received that used an SNMP community string the VPN Concentrator did not recognize. See Configuration | System | Management Protocols | SNMP Communities to configure permitted community strings. ...

  • Cisco Systems VPN 3000 - page 444

    ...

  • Cisco Systems VPN 3000 - page 445

    16-1 VPN 3000 Concentrator Series User Guide CHAPTER 16 Using the Command Line Interface The VPN 3000 Concentrator Series Command Line Interface (CLI) is a menu- and command-line-based configuration, administration, and monitoring system built into the VPN Concentrator. You use it via the system console or a Telnet (or Telnet ...

  • Cisco Systems VPN 3000 - page 446

    16 Using the Command Line Interface 16-2 VPN 3000 Concentrator Series User Guide 3 Press Enter on the PC keyboard until you see the login prompt. (You may see a password prompt and error messages as you press Enter; ignore them and stop at the login prompt.) Login: _ Telnet or Telnet/SSL access To access the CLI via a Telnet or ...

  • Cisco Systems VPN 3000 - page 447

    Using the CLI 16-3 VPN 3000 Concentrator Series User Guide Using the CLI This section explains how to: • Choose menu items. • Enter values for parameters and options. • Specify configured items by number or name. • Navigate quickly — using shortcuts — through the menus. • Display a brief help message. ? ...

  • Cisco Systems VPN 3000 - page 448

    16 Using the Command Line Interface 16-4 VPN 3000 Concentrator Series User Guide Specifying configured items Many menus give choices that act on configured items — such as groups, users, filter rules, etc. — and the CLI lists those items with a number and their name. To specify an item, you can usually enter either its number o ...

  • Cisco Systems VPN 3000 - page 449

    Using the CLI 16-5 VPN 3000 Concentrator Series User Guide Navigating quickly through the CLI There are two ways to move quickly through the CLI: shortcut numbers, and the Back/Home options. Both ways work only when you are at a menu, not when you are at a value entry. Using shortcut numbers Once you become familiar with th ...

  • Cisco Systems VPN 3000 - page 450

    16 Using the Command Line Interface 16-6 VPN 3000 Concentrator Series User Guide As a shortcut, you can just enter 1.3.1.1 at the Main -> prompt, and move directly to the Base Group General Parameters menu: 1) Configuration 2) Administration 3) Monitoring 4) Save changes to Config file 5) Help Information 6) Exit Main -> ...

  • Cisco Systems VPN 3000 - page 451

    Using the CLI 16-7 VPN 3000 Concentrator Series User Guide Saving the configuration file Configuration and administration entries take effect immediately and are included in the active, or running, configuration. However, if you reboot the VPN Concentrator without saving the active configuration, you lose any changes. To sa ...

  • Cisco Systems VPN 3000 - page 452

    16 Using the Command Line Interface 16-8 VPN 3000 Concentrator Series User Guide CLI menu reference This section shows all the menus in the first three levels below the CLI main menu. (There are many additional menus below the third level; and within the first three levels, there are some non-menu parameter settings. To keep this ...

  • Cisco Systems VPN 3000 - page 453

    CLI menu reference 16-9 VPN 3000 Concentrator Series User Guide 1.1 Configuration > Interface Configuration This table shows current IP addresses. . . . Model 3015 – 3080 only 1) Configure Ethernet #1 (Private) 2) Configure Ethernet #2 (Public) 3) Configure Ethernet #3 (External) 4) Configure Power Supplies 5) Configur ...

  • Cisco Systems VPN 3000 - page 454

    16 Using the Command Line Interface 16-10 VPN 3000 Concentrator Series User Guide 1.1.3 Configuration > Interface Configuration > Configure Power Supplies Model 3005 only Alarm Thresholds in centivolts (e.g. 361 = 3.61V) Voltages will be adjusted to conform to the hardware. 1) Configure CPU voltage thresholds 2) Configur ...

  • Cisco Systems VPN 3000 - page 455

    CLI menu reference 16-11 VPN 3000 Concentrator Series User Guide 1.2.1 Configuration > System Management > Servers 1) Authentication Servers 2) Accounting Servers 3) DNS Servers 4) DHCP Servers 5) NTP Servers 6) Back Servers -> _ 1.2.2 Configuration > System Management > Address Management 1) Address Assignment ...

  • Cisco Systems VPN 3000 - page 456

    16 Using the Command Line Interface 16-12 VPN 3000 Concentrator Series User Guide 1.2.5 Configuration > System Management > Management Protocols Network Protocol Summary Table . . . 1) Configure FTP 2) Configure HTTP/HTTPS 3) Configure TFTP 4) Configure Telnet 5) Configure SNMP 6) Configure SNMP Community Strings 7 ...

  • Cisco Systems VPN 3000 - page 457

    CLI menu reference 16-13 VPN 3000 Concentrator Series User Guide 1.3.1 Configuration > User Management > Base Group 1) General Parameters 2) Server Parameters 3) IPSec Parameters 4) PPTP/L2TP Parameters 5) Back Base Group -> _ 1.3.2 Configuration > User Management > Groups Current User Groups . . . 1) Add a Gr ...

  • Cisco Systems VPN 3000 - page 458

    16 Using the Command Line Interface 16-14 VPN 3000 Concentrator Series User Guide 1.4.1 Configuration > Policy Management > Access Hours Current Access Hours . . . 1) Add Access Hours 2) Modify Access Hours 3) Delete Access Hours 4) Back Access Hours -> _ 1.4.2 Configuration > Policy Management > Traffic Management 1 ...

  • Cisco Systems VPN 3000 - page 459

    CLI menu reference 16-15 VPN 3000 Concentrator Series User Guide 2.3 Administration > System Reboot 1) Cancel Scheduled Reboot/Shutdown 2) Schedule Reboot 3) Schedule Shutdown 4) Back Admin -> _ 2.3.2 Administration > System Reboot > Schedule Reboot 1) Save active Configuration and use it at Reboot 2) Reboot wi ...

  • Cisco Systems VPN 3000 - page 460

    16 Using the Command Line Interface 16-16 VPN 3000 Concentrator Series User Guide 2.5.2 Administration > Access Rights > Access Control List This is the Current Access List . . . 1) Add Manager Workstation 2) Modify Manager Workstation 3) Delete Manager Workstation 4) Move Manager Workstation Up 5) Move Manager Works ...

  • Cisco Systems VPN 3000 - page 461

    CLI menu reference 16-17 VPN 3000 Concentrator Series User Guide 2.7 Administration > Certificate Management 1) Enrollment 2) Installation 3) Certificate Authorities 4) Identity Certificates 5) SSL Certificate 6) Back Certificates -> _ 2.7.2 Administration > Certificate Management > Installation 1) Install Certif ...

  • Cisco Systems VPN 3000 - page 462

    16 Using the Command Line Interface 16-18 VPN 3000 Concentrator Series User Guide 2.7.5 Administration > Certificate Management > SSL Certificate Subject . . ’q’ to Quit, ’<SPACE>’ to Continue -> . Issuer . . ’q’ to Quit, ’<SPACE>’ to Continue -> . Serial Number . . 1) Delete Certificate ...

  • Cisco Systems VPN 3000 - page 463

    CLI menu reference 16-19 VPN 3000 Concentrator Series User Guide 3.2 Monitoring > Event Log 1) Configure Log viewing parameters 2) View Event Log 3) Save Log 4) Clear Log 5) Back Log -> _ 3.2.2 Monitoring > Event Log > View Event Log [Event Log entries] . . . 1) First Page 2) Previous Page 3) Next Page 4) Last Page 5) ...

  • Cisco Systems VPN 3000 - page 464

    16 Using the Command Line Interface 16-20 VPN 3000 Concentrator Series User Guide 3.4 Monitoring > Sessions Model 3015 – 3080 only 1) View Session Statistics 2) View Top Ten Lists 3) View Session Protocols 4) View Session SEPs 5) View Session Encryption 6) Back Sessions -> _ Model 3005 only 1) View Session Statist ...

  • Cisco Systems VPN 3000 - page 465

    CLI menu reference 16-21 VPN 3000 Concentrator Series User Guide 3.4.4 Monitoring > Sessions > View Session SEPs Model 3015 – 3080 only Session SEPs . . . 1) Refresh Session SEPs 2) Back Sessions -> _ 3.4.5* Monitoring > Sessions > View Session Encryption * 3.4.5 on Model 3015 – 3080, 3.4.4 on Model 3005 Sess ...

  • Cisco Systems VPN 3000 - page 466

    16 Using the Command Line Interface 16-22 VPN 3000 Concentrator Series User Guide 3.5.2 Monitoring > General Statistics > Server Statistics 1) Authentication Statistics 2) Accounting Statistics 3) Filtering Statistics 4) DHCP Statistics 5) Address Pool Statistics 6) Back General -> _ 3.5.3 Monitoring > General St ...

  • Cisco Systems VPN 3000 - page 467

    APPENDIX A-1 VPN 3000 Concentrator Series User Guide A Errors and troubleshooting This appendix describes common errors that may occur while configuring and using the system, and how to correct them. It also describes LED indicators on the system and its expansion modules. Files for troubleshooting The VPN 3000 Concentrator creates ...

  • Cisco Systems VPN 3000 - page 468

    A Errors and troubleshooting A-2 VPN 3000 Concentrator Series User Guide Configuration files The VPN Concentrator saves the current boot configuration file (CONFIG) and its predecessor (CONFIG.BAK) as files in flash memory. These files may be useful for troubleshooting. See Administration | File Management | Files for infor ...

  • Cisco Systems VPN 3000 - page 469

    VPN Concentrator Manager errors A-3 VPN 3000 Concentrator Series User Guide Invalid Login or Session Timeout The Manager displays the Invalid Login or Session Timeout screen Problem Possible cause Solution You entered an invalid administrator login name / password combination. • Typing error. • Invalid (unrecognized) ...

  • Cisco Systems VPN 3000 - page 470

    A Errors and troubleshooting A-4 VPN 3000 Concentrator Series User Guide Error / An error has occurred while attempting to perform... The Manager displays a screen with the message: Error / An error has occurred while attempting to perform the operation. An additional error message describes the erroneous operation. Prob ...

  • Cisco Systems VPN 3000 - page 471

    VPN Concentrator Manager errors A-5 VPN 3000 Concentrator Series User Guide You are using an old browser or have disabled JavaScript The Manager displays a screen with the message: You are using an old browser or have disabled JavaScript ... Problem Possible cause Solution The VPN Concentrator Manager cannot work with the brow ...

  • Cisco Systems VPN 3000 - page 472

    A Errors and troubleshooting A-6 VPN 3000 Concentrator Series User Guide Not Allowed / You do not have sufficient authorization... The Manager displays a screen with the message: Not Allowed / You do not have sufficient authorization to access the specified page. Problem Possible cause Solution You tried to access an area of the M ...

  • Cisco Systems VPN 3000 - page 473

    VPN Concentrator Manager errors A-7 VPN 3000 Concentrator Series User Guide Not Found / An error has occurred while attempting to access... The Manager displays a screen with the message: Not Found / An error has occurred while attempting to access the specified page. The screen includes additional information that identifies system activ ...

  • Cisco Systems VPN 3000 - page 474

    A Errors and troubleshooting A-8 VPN 3000 Concentrator Series User Guide Command Line Interface errors These errors may occur while using the menu-based Command Line Interface from a console or Telnet session. ERROR:-- Bad IP Address/Subnet Mask/Wildcard Mask/Area ID. ERROR:-- Out of Range value entered. Try again. ERROR:-- The ...

  • Cisco Systems VPN 3000 - page 475

    LED indicators A-9 VPN 3000 Concentrator Series User Guide LED indicators LED indicators on the VPN Concentrator and its expansion modules are normally green. The usage gauge LEDs are normally blue. LEDs that are amber or off may indicate an error condition. NA = not applicable; i.e., the LED does not have that state. Con ...

  • Cisco Systems VPN 3000 - page 476

    A Errors and troubleshooting A-10 VPN 3000 Concentrator Series User Guide VPN Concentrator LEDs (front) LED Indicator (Front) Green Amber Off System Power on. Normal Blinking Green (Model 3005 only) = System is in a shutdown (halted) state, ready to power off. System has crashed and halted. Error. (Power off. All other LEDs are ...

  • Cisco Systems VPN 3000 - page 477

    LED indicators A-11 VPN 3000 Concentrator Series User Guide VPN Concentrator LEDs (rear) SEP (Scalable Encryption Processing) Module LEDs (Model 3015 – 3080 only) SEP module LEDs are visible from the rear of the VPN Concentrator. Usage Gauge LEDs (Front) (Model 3015 – 3080 only) Steady or Intermittent Blue Blinking Blue Left to ...

  • Cisco Systems VPN 3000 - page 478

    A Errors and troubleshooting A-12 VPN 3000 Concentrator Series User Guide WAN Interface Module LEDs WAN module LEDs are visible from the rear of the VPN Concentrator. WAN Module LED On Blinking Off Power Normal operation. NA Power is not reaching the module. It may not be seated correctly. Error. Status Module has passed di ...

  • Cisco Systems VPN 3000 - page 479

    LED indicators A-13 VPN 3000 Concentrator Series User Guide This table shows all possible combinations for the LEDs on each WAN Port. End of Appendix WAN Port LEDs Alrm Alarm CD Carrier Detect Sync Synchronization LpBk Loopback Condition Off On On Off Normal operation. Carrier detected, line in synchronization. Off Off Off ...

  • Cisco Systems VPN 3000 - page 480

    ...

  • Cisco Systems VPN 3000 - page 481

    APPENDIX B-1 VPN 3000 Concentrator Series User Guide B Copyrights, licenses, and notices Software License Agreement of Cisco Systems, Inc. CISCO SYSTEMS, INC. IS WILLING TO LICENSE TO YOU THE SOFTWARE CONTAINED IN THE ACCOMPANYING CISCO PRODUCT ONLY IF YOU ACCEPT ALL OF THE TERMS AND CONDITIONS IN THIS LICENSE AGREEMENT. PL ...

  • Cisco Systems VPN 3000 - page 482

    B Copyrights, licenses, and notices B-2 VPN 3000 Concentrator Series User Guide 4. You may permanently transfer the Software and accompanying written materials (including the most recent update and all prior versions) only in conjunction with a transfer of the entire Cisco product, and only if you retain no copies and the transferee agr ...

  • Cisco Systems VPN 3000 - page 483

    Other licenses B-3 VPN 3000 Concentrator Series User Guide 16. This Agreement is governed by the laws of the State of Massachusetts. 17. If you have any questions concerning this Agreement or wish to contact Cisco Systems for any reason, please call (508) 541-7300, or write to Cisco Systems, Inc. 124 Grove Street, Suite 205 Franklin, Ma ...

  • Cisco Systems VPN 3000 - page 484

    B Copyrights, licenses, and notices B-4 VPN 3000 Concentrator Series User Guide DHCP client Copyright © 1995, 1996, 1997 The Internet Software Consortium. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistribution ...

  • Cisco Systems VPN 3000 - page 485

    Other licenses B-5 VPN 3000 Concentrator Series User Guide Portions Copyright © 1993 by Digital Equipment Corporation. Permission to use, copy, modify, and distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies, and that the na ...

  • Cisco Systems VPN 3000 - page 486

    B Copyrights, licenses, and notices B-6 VPN 3000 Concentrator Series User Guide NRL grants permission for redistribution and use in source and binary forms, with or without modification, of the software and documentation created at NRL provided that the following conditions are met: 1. Redistributions of source code must retain the abo ...

  • Cisco Systems VPN 3000 - page 487

    Other licenses B-7 VPN 3000 Concentrator Series User Guide RSA software Copyright © 1995-1998 RSA Data Security, Inc. All rights reserved. This work contains proprietary information of RSA Data Security, Inc. Distribution is limited to authorized licensees of RSA Data Security, Inc. Any unauthorized reproduction or distribution of t ...

  • Cisco Systems VPN 3000 - page 488

    B Copyrights, licenses, and notices B-8 VPN 3000 Concentrator Series User Guide SSL Plus Certicom, the Certicom logo, SSL Plus, and Security Builder are trademarks of Certicom Corp. Copyright © 1997-1999 Certicom Corp. Portions are Copyright © 1997-1998, Consensus Development Corporation, a wholly owned subsidiary of Certicom Corp. All ...

  • Cisco Systems VPN 3000 - page 489

    Regulatory Agency Notices B-9 VPN 3000 Concentrator Series User Guide Regulatory Agency Notices U.S. Federal Communications Commission (FCC) Compliance Notice NOTE: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC Rules. These limits are designed to provide reason ...

  • Cisco Systems VPN 3000 - page 490

    B Copyrights, licenses, and notices B-10 VPN 3000 Concentrator Series User Guide (1) ---- ------- ----- ------- ------ --- (2) Before connecting your unit, you must inform the telephone company of the following information: (3) If the unit appears to be malfunctioning, it should be disconnected from the telephone lines until you learn if ...

  • Cisco Systems VPN 3000 - page 491

    Regulatory Agency Notices B-11 VPN 3000 Concentrator Series User Guide • If the telephone company requests that you supply the FCC Certification number and REN of the device you are connecting, please supply the FCC Certification numbers from all component and host devices that have a direct PSTN connection (i.e. have a REN stated on th ...

  • Cisco Systems VPN 3000 - page 492

    B Copyrights, licenses, and notices B-12 VPN 3000 Concentrator Series User Guide WAN Module: CS03 Canadian Requirements — Equipment Attachment Limitations NOTICE: The Industry Canada label identifies certified equipment. This certification means that the equipment meets certain telecommunications network protective, operational ...

  • Cisco Systems VPN 3000 - page 493

    INDEX Index-1 VPN 3000 Concentrator Series User Guide Index Numerics 100 LED (Ethernet) A-11 A about this manual xxxvii access control list, administration 14-26 add 14-27 modify 14-27 access hours, configuring 13-2 add 13-4 modify 13-4 access rights, configuring for administrators 14-24 access rights section, administration 14-21 ac ...

  • Cisco Systems VPN 3000 - page 494

    Index Index-2 VPN 3000 Concentrator Series User Guide autodiscovery, network 7-8, 7-14 automatic switchover (redundancy) 8-12 B back panel display (monitoring) 15-10 Bad IP Address (error) A-8 base group, configuring (user management) 12-3 bibliography xxxix bootcode filename 15-10 version 15-10 browser Back or Forward button d ...

  • Cisco Systems VPN 3000 - page 495

    Index Index-3 VPN 3000 Concentrator Series User Guide delete digital certificate 14-49 filter rule (traffic management) 13-19 group (user management) 12-17 internal authentication server 5-8 security association (traffic management) 13-28 user on internal server (user management) 12-34 DHCP functions within the VPN Concentrator, configur ...

  • Cisco Systems VPN 3000 - page 496

    Index Index-4 VPN 3000 Concentrator Series User Guide Expansion Modules Insertion Status LEDs A-10 Expansion Modules Run Status LEDs A-10 Extended Authentication, IPSec 12-9, 12-26 F Fan Status LED A-10 fans, cooling (monitoring) 15-11 file access rights, administrators’ 14-25 file management on VPN Concentrator 14-29, 14-30 ...

  • Cisco Systems VPN 3000 - page 497

    Index Index-5 VPN 3000 Concentrator Series User Guide IKE proposals (continued) default, table 7-20 in IPSec LAN-to-LAN 7-14 in security association 13-19 inactive 7-21 IKE security association See security associations image, software filenames 14-15 update 14-14 indicators, LED A-9 Install SSL Certificate (screen) 1-4 installing digital ...

  • Cisco Systems VPN 3000 - page 498

    Index Index-6 VPN 3000 Concentrator Series User Guide LAN-to-LAN See IPSec LAN-to-LAN LED indicators 100 (Ethernet) A-11 Active Sessions A-10 Alrm (WAN) A-13 CD (WAN) A-13 Coll (Ethernet) A-11 CPU Utilization A-10 Ethernet Link Status A-10 Expansion Modules Insertion Status A-10 Expansion Modules Run Status A-10 Fan Status A-10 ...

  • Cisco Systems VPN 3000 - page 499

    Index Index-7 VPN 3000 Concentrator Series User Guide mouse pointer and tips in Manager window 1-20 multilink PPP (MP), configuring 3-25 N NAT configuring 13-39 enable 13-40 many-to-one translation 13-39 no public interfaces screen 13-42 NAT rules, configuring 13-40 add 13-42 modify 13-42 navigating CLI menus 16-5 the VPN Concentrato ...

  • Cisco Systems VPN 3000 - page 500

    Index Index-8 VPN 3000 Concentrator Series User Guide refresh Monitoring screens 14-20 refreshing screen content 1-22 regulatory agency notices B-9 requirements browser 1-1 cookies 1-2 Internet Explorer 1-1 JavaScript 1-1 Netscape Navigator 1-1 RIP 3-1, 3-2 configuring on Ethernet interface 3-10 configuring on WAN interface 3-18 MIB-II ...

  • Cisco Systems VPN 3000 - page 501

    Index Index-9 VPN 3000 Concentrator Series User Guide static routes, configuring for IP routing 8-2 add 8-3 modify 8-3 statistics 15-47 accounting 15-68 address pools 15-76 authentication 15-66 DHCP 15-75 DNS 15-65 events 15-62 filtering 15-69 HTTP 15-61 IPSec 15-55 L2TP 15-51 MIB-II 15-77 ARP table 15-94 Ethernet 15-96 ICMP 15-92 inter ...

  • Cisco Systems VPN 3000 - page 502

    Index Index-10 VPN 3000 Concentrator Series User Guide tunneling protocols configuring 7-2 section of Manager 7-1 Tx LED (Ethernet) A-11 type (model number), system 15-10 typographic conventions xxxix U understanding the VPN Concentrator Manager window 1-19 update software on VPN Concentrator 14-14 usage graph LEDs (monit ...

Manufacturer Cisco Systems Category Switch

Documents that we receive from the manufacturer of the Cisco Systems VPN 3000 can be divided into several groups. They include, among others:
- Cisco Systems technical drawings
- VPN 3000 manuals
- Cisco Systems product data sheets
- information booklets
- Cisco Systems VPN 3000 energy labels
All of them are important, but the information that matters most for using the device is in the Cisco Systems VPN 3000 user manual.

The group of documents referred to as user manuals is also divided into more specific types, such as: Cisco Systems VPN 3000 installation manuals, service manuals, brief instructions and Cisco Systems VPN 3000 user manuals. Depending on your needs, you should look for the document you need. On our website you can view the most popular manual for the Cisco Systems VPN 3000.

What should a complete manual for the Cisco Systems VPN 3000 look like?
A manual, also referred to as a user manual or simply "instructions", is a technical document designed to assist users in the use of the Cisco Systems VPN 3000. Manuals are usually written by a technical writer, but in a language understandable to all users of the Cisco Systems VPN 3000.

A complete Cisco Systems manual should contain several basic components. Some of them are less important, such as the cover / title page or the copyright page. However, the remaining part should provide us with information that is important from the point of view of the user.

1. Preface and tips on how to use the Cisco Systems VPN 3000 manual - At the beginning of each manual we should find clues about how to use the guidelines. It should include information about the location of the Contents of the Cisco Systems VPN 3000 manual, the FAQ or common problems, i.e. the places that users search most often in each manual
2. Contents - an index of all the tips concerning the Cisco Systems VPN 3000 that we can find in the current document
3. Tips on how to use the basic functions of the Cisco Systems VPN 3000 - which should help us in our first steps of using the Cisco Systems VPN 3000
4. Troubleshooting - a systematic sequence of activities that will help us diagnose and subsequently solve the most important problems with the Cisco Systems VPN 3000
5. FAQ - Frequently Asked Questions
6. Contact details - Information about where to find contact details for the manufacturer/service of the Cisco Systems VPN 3000 in a specific country, if it was not possible to solve the problem on our own.
