Cisco 3002 User Guide

Cisco 3002 - VPN Hardware Client Manual

Cisco 3002 manual content summary:

  • Cisco 3002 | User Guide - Page 1
    VPN 3002 Hardware Client User Guide Release 3.0 March 2001 Corporate Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 526-4100 Customer Order Number: OL-0874-= Text Part Number: OL-0874-01
  • Cisco 3002 | User Guide - Page 2
    TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES partnership relationship between Cisco and any other company. (0011R) VPN 3002 Hardware Client User Guide Copyright © 2001, Cisco Systems, Inc. All
  • Cisco 3002 | User Guide - Page 3
    Preface About this manual xi Additional documentation xii Documentation on VPN software distribution CDs xiii Obtaining documentation xiii Obtaining technical assistance xiv Other references xv Documentation conventions xvi Data formats xvi 1 Using the VPN 3002 Hardware Client Manager
  • Cisco 3002 | User Guide - Page 4
    | Add or Modify 9-9 Configuration | System | Events | Trap Destinations 9-11 Configuration | System | Events | Trap Destinations | Add or Modify 9-12 Configuration | System | Events | Syslog Servers 9-13 iv VPN 3002 Hardware Client User Guide
  • Cisco 3002 | User Guide - Page 5
    | Certificates 12-23 Administration | Certificate Management | Certificates | View 12-24 Administration | Certificate Management | Certificates | Delete 12-27 13 Monitoring Monitoring 13-1 Monitoring | Routing Table 13-2 VPN 3002 Hardware Client User Guide v
  • Cisco 3002 | User Guide - Page 6
    Files for troubleshooting A-1 LED indicators A-2 Errors on the system A-3 Settings on the VPN 3000 Series Concentrator A-4 VPN 3002 Hardware Client Manager errors A-5 Command Line Interface errors A-10 B Copyrights, licenses, and notices Software License Agreement of Cisco Systems, Inc
  • Cisco 3002 | User Guide - Page 7
    Index
  • Cisco 3002 | User Guide - Page 8
    Contents-Table of contents viii VPN 3002 Hardware Client User Guide
  • Cisco 3002 | User Guide - Page 9
    Tables Contents Table 9-1: VPN 3002 event classes 9-1 Table 9-2: VPN 3002 event severity levels 9-4 Table 9-3: Configuring "well-known" SNMP traps 9-7 VPN 3002 Hardware Client User Guide ix
  • Cisco 3002 | User Guide - Page 10
  • Cisco 3002 | User Guide - Page 11
    manual The VPN 3002 Hardware Client User Guide provides guidelines for configuring the Cisco VPN 3002, details on all the functions available in the VPN 3002 Hardware Client Manager, and instructions for using the VPN 3002 Command Line Interface. Prerequisites We assume you have read the VPN 3002
  • Cisco 3002 | User Guide - Page 12
    VPN 3000 Concentrator. The VPN Client Administrator Guide tells how to configure a VPN 3000 Concentrator for remote user connections via the VPN Client, how to automate remote user profiles, how to use the VPN Client command line interface, and how to get troubleshooting information. xii VPN 3002
  • Cisco 3002 | User Guide - Page 13
    ://www.cisco.com/go/subscription • Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco corporate headquarters (California, USA) at 408 526-7208 or, in North America, by calling 800 553-NETS(6387). VPN 3002 Hardware Client User Guide xiii
  • Cisco 3002 | User Guide - Page 14
    with a Cisco product or technology that is under warranty or covered by a maintenance contract. Contacting TAC by using the Cisco TAC website If you have a priority level 3 (P3) or priority level 4 (P4) problem, contact TAC by going to the TAC website: xiv VPN 3002 Hardware Client User Guide
  • Cisco 3002 | User Guide - Page 15
    cisco.com/warp/public/687/Directory/DirTAC.shtml P1 and P2 level problems are defined as follows: • P1-Your production network is down, causing a critical impact to business operations if service for computer, networking, and data communication terms. VPN 3002 Hardware Client User Guide xv
  • Cisco 3002 | User Guide - Page 16
    conventions We use these typographic conventions in this manual: Font This font This font This font formats As you configure and manage the system, enter data in these formats unless the instructions indicate otherwise. IP addresses IP addresses use 4-byte dotted decimal notation; for example, 192
  • Cisco 3002 | User Guide - Page 17
    Data formats Filenames Filenames on the VPN 3002 follow the DOS 8.3 naming convention: a maximum of eight characters for the name, plus a maximum of three uppercase. Port numbers Port numbers use decimal numbers from 0 to 65535 with no commas or spaces. VPN 3002 Hardware Client User Guide xvii
  • Cisco 3002 | User Guide - Page 18
  • Cisco 3002 | User Guide - Page 19
    browser and version you use, install the latest patches and service packs for it. Note: You cannot use the Live Event Log feature with Netscape Navigator/Communicator version 4.0. JavaScript Be sure JavaScript is enabled in the browser. Check these settings: VPN 3002 Hardware Client User Guide 1-1
  • Cisco 3002 | User Guide - Page 20
    Back, Forward, or Refresh / Reload with the VPN 3002 Hardware Client Manager unless instructed to do so. To protect access security, clicking Refresh / Reload automatically logs out toolbar to prevent mistakes while using the VPN 3002 Hardware Client Manager. 1-2 VPN 3002 Hardware Client User Guide
  • Cisco 3002 | User Guide - Page 21
    VPN 3002 using HTTP When your system administration tasks and network permit a cleartext connection between the VPN 3002 skip to Logging in the VPN 3002 Hardware Client Manager on page secure session between your browser (VPN 3002 hardware client) and the VPN Concentrator (server). This protocol is
  • Cisco 3002 | User Guide - Page 22
    Navigator support SSL. For HTTPS to work on the Public interface, you must enable HTTPS on the VPN 3002 through the CLI or from an HTTP session on the Private interface first. See Follow these steps to install and use the SSL certificate for the first time. We provide separate instructions for
  • Cisco 3002 | User Guide - Page 23
    it, the browser repeats all these steps each time. A few seconds after the VPN 3002 Hardware Client Manager SSL screen appears, Internet Explorer displays a File Download dialog box that store is where such certificates are stored in Internet Explorer. VPN 3002 Hardware Client User Guide 1-5
  • Cisco 3002 | User Guide - Page 24
    1 Using the VPN 3002 Hardware Client Manager Figure 1-5: Internet Explorer Certificate Manager Import Wizard dialog box 5 Click Next to continue select the certificate store, and click Next. The wizard opens a dialog box to complete the installation. 1-6 VPN 3002 Hardware Client User Guide
  • Cisco 3002 | User Guide - Page 25
    10 On the Manager SSL screen (Figure 1-2), click the link that says, After installing the SSL certificate, click here to connect to the VPN 3002 Hardware Client using SSL. Depending on how your browser is configured, you may see a Security Alert dialog box. VPN 3002 Hardware Client User Guide 1-7
  • Cisco 3002 | User Guide - Page 26
    site; in the latter case you may see a Security Alert screen. Proceed to Logging in the VPN 3002 Hardware Client Manager on page 1-17 to log in as usual. Viewing certificates with Internet Explorer screen showing details of the specific certificate in use. 1-8 VPN 3002 Hardware Client User Guide
  • Cisco 3002 | User Guide - Page 27
    On the Certificate Manager, click the Trusted Root Certification Authorities tab. The VPN 3002 Hardware Client SSL certificate name is its Ethernet 1 (Private) IP address. describes SSL certificate installation using Netscape Navigator / Communicator 4.5. VPN 3002 Hardware Client User Guide 1-9
  • Cisco 3002 | User Guide - Page 28
    OK and just connect to the VPN 3002 using SSL (see Step 7 on page 1-13). Figure 1-14: Netscape reinstallation note First-time installation The instructions below follow from Step 2 on New Certificate Authority screen, which further explains the process. 1-10 VPN 3002 Hardware Client User Guide
  • Cisco 3002 | User Guide - Page 29
    3002 Hardware Client SSL certificate. Figure 1-17: Netscape New Certificate Authority screen 3 3 Click Next> to proceed. Netscape displays the next New Certificate Authority screen, with choices for using the certificate. No choices are checked by default. VPN 3002 Hardware Client User Guide 1-11
  • Cisco 3002 | User Guide - Page 30
    the VPN 3002 Hardware to have the browser warn you about sending data to the VPN 3002. Figure 1-19: Netscape New Certificate Authority screen 5 5 Checking Manager screen, so it's probably less intrusive to manage the VPN 3002 without those warnings. Click Next> to proceed. Netscape displays the
  • Cisco 3002 | User Guide - Page 31
    of a misnomer. We suggest you use a clearly descriptive name such as Cisco VPN 3002 10.10.147.2. This name appears in the list of installed certificates; see dialog box 8 Click Continue. The VPN 3002 displays the HTTPS version of the Manager login screen. VPN 3002 Hardware Client User Guide 1-13
  • Cisco 3002 | User Guide - Page 32
    the latter case, you may see a Security Information Alert dialog box. Proceed to Logging in the VPN 3002 Hardware Client Manager on page 1-17 to log in as usual. Viewing certificates with Netscape There are Toolbar at the top of the Netscape window.) 1-14 VPN 3002 Hardware Client User Guide
  • Cisco 3002 | User Guide - Page 33
    all the certificates that are stored in Netscape. On the Security Info window, select Certificates then Signers. The "nickname" you entered in Step 6 identifies the VPN 3002 Hardware Client SSL certificate. VPN 3002 Hardware Client User Guide 1-15
  • Cisco 3002 | User Guide - Page 34
    , https://10.10.147.2. The browser displays the VPN 3002 Hardware Client Manager HTTPS login screen. A locked-padlock icon on the browser status bar indicates an HTTPS session. Also, this login screen does not include the Install SSL Certificate link. 1-16 VPN 3002 Hardware Client User Guide
  • Cisco 3002 | User Guide - Page 35
    Hardware Client Manager HTTPS login screen Logging in the VPN 3002 Hardware Client Manager Logging in the VPN 3002 Hardware Client Manager is the same for both types of *****.) 3 Click the Login button. The Manager displays the main welcome screen. VPN 3002 Hardware Client User Guide 1-17
  • Cisco 3002 | User Guide - Page 36
    and SSL parameters HTTP, HTTPS, and SSL are enabled by default on the VPN 3002, and they are configured with recommended parameters that should suit most administration tasks parameters, see the Configuration | System | Management Protocols | SSL screen. 1-18 VPN 3002 Hardware Client User Guide
  • Cisco 3002 | User Guide - Page 37
    window items. The title bar and status bar also provide useful information. Figure 1-28: VPN 3002 Hardware Client Manager window. Title bar Top frame (Manager Left frame (Contents) Main frame explanatory messages for selected items and Manager activity. VPN 3002 Hardware Client User Guide 1-19
  • Cisco 3002 | User Guide - Page 38
    with links to Cisco support and documentation resources. Figure 1-29: Support screen Documentation Click this link to open a browser window on the Cisco Technical Documentation Web page for Virtual Private Networks. That page has links to VPN 3000 Concentrator Series and VPN 3002 Hardware Client
  • Cisco 3002 | User Guide - Page 39
    VPN 3002 Hardware Client Manager window [email protected] Click this link to open your configured email application and compose an email message to Cisco's Technical Assistance Center (TAC). When you finish, the application closes and returns to this Support VPN 3002 Hardware Client User Guide 1-21
  • Cisco 3002 | User Guide - Page 40
    : • Configuration: setting all the parameters for the VPN 3002 that govern its use and functionality as a VPN device: - Quick Configuration: supplying the minimal parameters needed to make the VPN 3002 operational. - Interfaces: Ethernet parameters. 1-22 VPN 3002 Hardware Client User Guide
  • Cisco 3002 | User Guide - Page 41
    manual covers all these topics. For Quick Configuration, see the VPN 3002 Hardware Client Getting Started manual. Navigating the VPN 3002 Hardware Client Manager Your primary tool for navigating the VPN 3002 .) Figure 1-30: Complete Manager Table of Contents VPN 3002 Hardware Client User Guide 1-23
  • Cisco 3002 | User Guide - Page 42
  • Cisco 3002 | User Guide - Page 43
    2 Configuring the VPN 3002 means setting all the parameters that govern its use and functionality as a VPN device. Cisco supplies default parameters chapter in this manual for each section of the Manager. Online help is available for all sections. VPN 3002 Hardware Client User Guide 2-1
  • Cisco 3002 | User Guide - Page 44
  • Cisco 3002 | User Guide - Page 45
    the VPN 3002 to operate as a VPN device: the Private interface and the Public interface. If you used Quick Configuration as described in the VPN 3002 Hardware Client Getting Started manual, traffic. The table shows all installed interfaces and their status. VPN 3002 Hardware Client User Guide 3-1
  • Cisco 3002 | User Guide - Page 46
    3 Interfaces Figure 3-1: VPN 3002-8E Configuration | Interfaces screen To configure a module, either click the appropriate link in the status table; or Not Configured = Present but not configured. Waiting for DHCP = Waiting for DHCP to assign an IP address. 3-2 VPN 3002 Hardware Client User Guide
  • Cisco 3002 | User Guide - Page 47
    modify any parameters of the Private interface that you are currently using to connect to the VPN 3002, you will break the connection, and you will have to restart the Manager from the you retain or change its configuration parameters while it is offline. VPN 3002 Hardware Client User Guide 3-3
  • Cisco 3002 | User Guide - Page 48
    Mbps = Fix the speed at 100 megabits per second (100Base-T networks) 10/100 auto = Let the VPN 3002 automatically detect and set the appropriate speed, either 10 or 100 Mbps (default). Be sure that the port : transmits or receives, but not at the same time. 3-4 VPN 3002 Hardware Client User Guide
  • Cisco 3002 | User Guide - Page 49
    mask for this interface via DHCP. If you check this box, you don't make entries in the IP address and subnet mask parameters that follow. VPN 3002 Hardware Client User Guide 3-5
  • Cisco 3002 | User Guide - Page 50
    = Fix the speed at 100 megabits per second (100Base-T networks) 10/100 auto = Let the VPN 3002 automatically detect and set the appropriate speed, either 10 or 100 Mbps (default). Be sure that the The Manager returns to the Configuration | Interfaces screen. 3-6 VPN 3002 Hardware Client User Guide
  • Cisco 3002 | User Guide - Page 51
    . • Events: handling system events via logs, SNMP traps, and syslog. • General: identifying the system and setting the time and date. See the appropriate chapter in this manual or the online help for each section. Figure 4-1: Configuration | System screen VPN 3002 Hardware Client User Guide 4-1
  • Cisco 3002 | User Guide - Page 52
  • Cisco 3002 | User Guide - Page 53
    the system queries in order. DNS information that you add here is for the VPN 3002 only. PCs located behind the VPN 3002 on the private network get DNS information that is configured on the central-site Concentrator in the Group settings for the VPN 3002. VPN 3002 Hardware Client User Guide 5-1
  • Cisco 3002 | User Guide - Page 54
    is sometimes called the domain name suffix or sub-domain. The DNS system within the VPN 3002 automatically appends this domain name to hostnames before sending them to a DNS server for resolution Timeout Period specified below, the system queries this server. 5-2 VPN 3002 Hardware Client User Guide
  • Cisco 3002 | User Guide - Page 55
    Save Needed icon at the top of the Manager window. To discard your settings, click Cancel. The Manager returns to the Configuration | System | Servers screen. VPN 3002 Hardware Client User Guide 5-3
  • Cisco 3002 | User Guide - Page 56
  • Cisco 3002 | User Guide - Page 57
    across the tunnel. • Manage data transfer inbound and outbound as a tunnel endpoint. The VPN 3002 functions as a bidirectional tunnel endpoint: it can receive plain packets from the private network, explains how to configure the IPSec tunneling protocol. VPN 3002 Hardware Client User Guide 6-1
  • Cisco 3002 | User Guide - Page 58
    on the SAs. The Cisco VPN 3002 supports these IPSec attributes, but they are configurable on the central-site Concentrator, not on the VPN 3002: • Main mode for Groups 1 and 2 • Encryption Algorithms: - DES-56 - 3DES-168 • Extended Authentication (XAuth) 6-2 VPN 3002 Hardware Client User Guide
  • Cisco 3002 | User Guide - Page 59
    . In the Group Password field, enter a unique password for this group. This is the group password configured on the Concentrator to which this VPN 3002 connects. Minimum is 4, maximum is 32 characters, case-sensitive. The field displays only asterisks. VPN 3002 Hardware Client User Guide 6-3
  • Cisco 3002 | User Guide - Page 60
    user in this group. Maximum is 32 characters, case-sensitive. This is the user name configured on the central-site Concentrator to which this VPN 3002 connects. Maximum is 32 characters, case-sensitive. In the User Password field, enter the password for this user. This is the user password configured
  • Cisco 3002 | User Guide - Page 61
    -wide IP routing parameters. • Static Routes: manually configured routing tables. • Default Gateways: routes for otherwise unrouted traffic. • DHCP: Dynamic Host Configuration Protocol global parameters. • DHCP Options: facilities that allow the VPN 3002 DHCP server to respond with configurable
  • Cisco 3002 | User Guide - Page 62
    | System | IP Routing | Static Routes screen Static Routes The Static Routes list shows manual IP routes that have been configured. The format is [destination network address/subnet mask -> outbound Save Needed icon at the top of the Manager window. 7-2 VPN 3002 Hardware Client User Guide
  • Cisco 3002 | User Guide - Page 63
    | Add or Modify These Manager screens let you: Add: Configure and add a new static, or manual, route to the IP routing table. Modify: Modify the parameters for a configured static route. Figure will use it only if all high-speed routes are unavailable. VPN 3002 Hardware Client User Guide 7-3
  • Cisco 3002 | User Guide - Page 64
    to route these packets; that is, the IP address of the next hop between the VPN 3002 and the packet's ultimate destination. Use dotted decimal notation; e.g., 10.10.0.2. We recommend . Figure 7-4: Configuration | System | IP Routing | Default Gateways screen 7-4 VPN 3002 Hardware Client User Guide
  • Cisco 3002 | User Guide - Page 65
    addresses for a fixed length of time, or lease period. Before the lease period expires, the VPN 3002 displays a message offering to renew it. If the lease is not renewed, the connection terminates IP addresses are considered valid on a particular network. VPN 3002 Hardware Client User Guide 7-5
  • Cisco 3002 | User Guide - Page 66
    is 120, maximum is 500000 minutes. DHCP servers "lease" IP addresses to clients on the VPN 3002's private network for this period of time. Address Pool Start/End Enter the range of IP addresses returns to the Configuration | System | IP Routing screen. 7-6 VPN 3002 Hardware Client User Guide
  • Cisco 3002 | User Guide - Page 67
    System | IP Routing | DHCP Options screen DHCP Option DHCP Options are facilities that allow the VPN 3002 DHCP server to respond to with configurable parameters for specific kinds of devices such as PCs, Save Needed icon at the top of the Manager window. VPN 3002 Hardware Client User Guide 7-7
  • Cisco 3002 | User Guide - Page 68
    | Add or Modify These screens let you Add a new DHCP option to the list of DHCP options this VPN 3002 uses. Modify a configured DHCP option. Figure 7-7: Configuration | System | IP Routing | DHCP Options | Add 1 or 0 to enable or disable IP forwarding, etc. 7-8 VPN 3002 Hardware Client User Guide
  • Cisco 3002 | User Guide - Page 69
    This section of the Manager lets you configure and enable built-in VPN 3002 servers that provide management functions using: • HTTP/HTTPS: Hypertext Transfer Protocol SSH: Secure Shell. Figure 8-1: Configuration | System | Management Protocols screen VPN 3002 Hardware Client User Guide 8-1
  • Cisco 3002 | User Guide - Page 70
    disable both HTTP and HTTPS, you cannot use a Web browser to connect to the VPN 3002. Use the Cisco Command Line Interface from the console or a Telnet session. Related information: • For information system management less convenient. See the notes above. 8-2 VPN 3002 Hardware Client User Guide
  • Cisco 3002 | User Guide - Page 71
    the Manager window. To discard your settings, click Cancel. The Manager returns to the Configuration | System | Management Protocols screen. Figure 8-3: Configuration | System | Management Protocols screen VPN 3002 Hardware Client User Guide 8-3
  • Cisco 3002 | User Guide - Page 72
    , you can use a Telnet client to communicate with the VPN 3002. You can fully manage and administer the VPN 3002 using the Cisco Command Line Interface via Telnet. Telnet server login usernames and passwords is 992, which is the well-known port number. 8-4 VPN 3002 Hardware Client User Guide
  • Cisco 3002 | User Guide - Page 73
    agent. When enabled, you can use an SNMP manager to collect information from the VPN 3002 but not to configure it. To use SNMP, you must also configure an SNMP General and Trap Destinations). For those functions, the VPN 3002 acts as an SNMP client. VPN 3002 Hardware Client User Guide 8-5
  • Cisco 3002 | User Guide - Page 74
    Needed icon at the top of the Manager window. To discard your settings, click Cancel. The Manager returns to the Configuration | System | Management Protocols screen. 8-6 VPN 3002 Hardware Client User Guide
  • Cisco 3002 | User Guide - Page 75
    the agent. To use the VPN 3002 SNMP agent, you must configure and add at least one community string. You can configure a maximum of 10 community strings. To protect security, the SNMP agent does If no strings have been configured, the list shows --Empty--. VPN 3002 Hardware Client User Guide 8-7
  • Cisco 3002 | User Guide - Page 76
    : Configure and add a new SNMP community string. Modify: Modify a configured SNMP community string. Figure 8-10: Configuration | System | Management Protocols | SNMP Communities | Add or Modify screen 8-8 VPN 3002 Hardware Client User Guide
  • Cisco 3002 | User Guide - Page 77
    screen lets you configure the VPN 3002 SSL (Secure Sockets Layer) VPN 3002. SSL creates a secure session between the client and the VPN 3002 VPN 3002 creates a self-signed SSL server certificate when it boots; or you can install in the VPN 3002 certificate from a given VPN 3002 only once. The default
  • Cisco 3002 | User Guide - Page 78
    Protocols | SSL screen Encryption Protocols Check the boxes for the encryption algorithms that the VPN 3002 SSL server can negotiate with a client and use for session encryption. All are checked DES encryption with a 56-bit key and the SHA-1 hash function. 8-10 VPN 3002 Hardware Client User Guide
  • Cisco 3002 | User Guide - Page 79
    only Microsoft Internet Explorer 5.0 supports this option. Generated Certificate Key Size Click the drop-down menu button and select the size of the RSA key that the VPN 3002 uses in its self-signed It is the most common, and requires the least processing. VPN 3002 Hardware Client User Guide 8-11
  • Cisco 3002 | User Guide - Page 80
    that you can use to manage the VPN 3002, using the Command Line Interface, over a remote connection. The SSH server supports SSH1 (protocol version 1.5), which uses uniquely identifies the VPN 3002 See Configuration | System | Management Protocols | SSL. 8-12 VPN 3002 Hardware Client User Guide
  • Cisco 3002 | User Guide - Page 81
    is 10. Key Regeneration Period Enter the server key regeneration period in minutes. If the server key has been used for an SSH session, the VPN 3002 regenerates the key at the end of this period. Minimum is 0 (which disables key regeneration), default is 60 minutes, and maximum is 10080 minutes
  • Cisco 3002 | User Guide - Page 82
    Protocols Encryption Protocols Check the boxes for the encryption algorithms that the VPN 3002 SSH server can negotiate with a client and use for session Management Protocols screen. Figure 8-15: Configuration | System | Management Protocols screen 8-14 VPN 3002 Hardware Client User Guide
  • Cisco 3002 | User Guide - Page 83
    affecting the VPN 3002 such as an alarm, trap, error condition, network problem, task completion, threshold breach, or status change. The VPN 3002 records events VPN 3002. Table 9-1 describes the event classes. Table 9-1: VPN 3002 event classes Class name Class description (event source) (*Cisco
  • Cisco 3002 | User Guide - Page 84
    9 Events 9-2 Table 9-1: VPN 3002 event classes (continued) Class name Class description (event source) (*Cisco-specific event class) DNS DNS subsystem DNSDBG DNS debugging decoding* L2TP L2TP subsystem L2TPDBG L2TP debugging* L2TPDECODE L2TP decoding* VPN 3002 Hardware Client User Guide
  • Cisco 3002 | User Guide - Page 85
    Table 9-1: VPN 3002 event classes (continued) Class name Class description (event source) (*Cisco-specific event class) LBSSF Load Balancing/Secure Session Failover subsystem* time (clock) VRRP VRRP subsystem WAN WAN module subsystem* Event class VPN 3002 Hardware Client User Guide 9-3
  • Cisco 3002 | User Guide - Page 86
    describes the severity levels. Table 9-2: VPN 3002 event severity levels Level Category Description 1 Fault A crash or non-recoverable error. 2 Warning A pending crash or severe problem that requires user intervention. 3 Warning A potentially serious problem that may require user action
  • Cisco 3002 | User Guide - Page 87
    Cisco engineering and support personnel. We recommend that you avoid logging these events unless Cisco requests it. The VPN 3002, troubleshooting any system difficulty, or just to examine details of system activity, consult the event log first. The VPN 3002 VPN 3002 Hardware Client User Guide 9-5
  • Cisco 3002 | User Guide - Page 88
    button and select the format for all events sent to UNIX syslog servers. Choices are: Original = Original VPN 3002 event format with information on one line. Cisco IOS Compatible = Event format that is compatible with Cisco syslog management applications. 9-6 VPN 3002 Hardware Client User Guide
  • Cisco 3002 | User Guide - Page 89
    SNMP destination system parameters on the Configuration | System | Events | Trap Destinations screens. The VPN 3002 can send the standard, or "well-known," SNMP traps listed in Table 9-3. To have Trap 1 or higher 1-3 or higher 1-3 or higher 1-3 or higher VPN 3002 Hardware Client User Guide 9-7
  • Cisco 3002 | User Guide - Page 90
    the source of an event and refer to a specific hardware or software subsystem within the VPN 3002. Table 9-1 describes the event classes. Figure 9-3: Configuration | System | Events | Classes been configured for special handling, the list shows --Empty--. 9-8 VPN 3002 Hardware Client User Guide
  • Cisco 3002 | User Guide - Page 91
    add and configure for special handling. (Please note that Select Class is an instruction reminder, not a class.) Table 9-1 describes the event classes. Modify screen: The field shows the configured event class you are modifying. You cannot change this field. VPN 3002 Hardware Client User Guide 9-9
  • Cisco 3002 | User Guide - Page 92
    on the Configuration | System | Events | Trap Destinations screens. To configure "well-known" SNMP traps, see Table 9-3 under Severity to Trap for Configuration | System | Events | General. 9-10 VPN 3002 Hardware Client User Guide
  • Cisco 3002 | User Guide - Page 93
    management system (NMS) receive any events, you must also configure the NMS to "see" the VPN 3002 as a managed device or "agent" in the NMS domain. Figure 9-5: Configuration | System | trap destinations have been configured, the list shows --Empty--. VPN 3002 Hardware Client User Guide 9-11
  • Cisco 3002 | User Guide - Page 94
    button and select the SNMP protocol version to use when formatting traps to this destination. Choices are SNMPv1 (version 1; the default) and SNMPv2 (version 2). 9-12 VPN 3002 Hardware Client User Guide
  • Cisco 3002 | User Guide - Page 95
    messages. Syslog is a UNIX daemon, or background process, that records events. The VPN 3002 can send event messages in two syslog formats to configured syslog systems. If you configure handling, see the Configuration | System | Events | Classes screens. VPN 3002 Hardware Client User Guide 9-13
  • Cisco 3002 | User Guide - Page 96
    configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window. 9-14 VPN 3002 Hardware Client User Guide
  • Cisco 3002 | User Guide - Page 97
    subsystem. UUCP = UUCP (UNIX-to-UNIX Copy Program) subsystem. Reserved (9) through Reserved (14) = Outside the Local range, with no name or assignment yet, but usable. VPN 3002 Hardware Client User Guide 9-15
  • Cisco 3002 | User Guide - Page 98
    . To discard your entries, click Cancel. The Manager returns to the Configuration | System | Events | Syslog Servers screen, and the Syslog Servers list is unchanged. 9-16 VPN 3002 Hardware Client User Guide
  • Cisco 3002 | User Guide - Page 99
    environment items: system identification, time, and date. Configuration | System | General This section of the Manager lets you configure general VPN 3002 parameters. • Identification: system name, contact person, system location. • Time and Date: system time and date. Figure 10-1: Configuration
  • Cisco 3002 | User Guide - Page 100
    | General | Identification screen System Name Enter a system name that uniquely identifies this VPN 3002 on your network; e.g., VPN01. Maximum 255 characters. Contact Enter the name of The Manager returns to the Configuration | System | General screen. 10-2 VPN 3002 Hardware Client User Guide
  • Cisco 3002 | User Guide - Page 101
    DST Support To enable DST support, check the box. During DST (Daylight-Saving Time), clocks are set one hour ahead of standard time. Enabling DST support means that the VPN 3002 automatically adjusts returns to the Configuration | System | General screen. VPN 3002 Hardware Client User Guide 10-3
  • Cisco 3002 | User Guide - Page 102
  • Cisco 3002 | User Guide - Page 103
    applying IPSec. NAT translates the network addresses of the devices connected to the VPN 3002 Private interface to the assigned IP address of the Public interface and also keeps the private side of the VPN 3002 are hidden, and cannot be accessed directly. VPN 3002 Hardware Client User Guide 11-1
  • Cisco 3002 | User Guide - Page 104
    in the VPN 3000 Concentrator Series User Guide. 3 Configure a Group to which you assign this VPN 3002. This VPN 3002 private network to the address of the VPN 3002 Public interface. Thus the network and addresses on the private side of the VPN 3002 are accessible via the tunnel, but are protected
  • Cisco 3002 | User Guide - Page 105
    | Policy Management 5 If you want the VPN 3002 to be able to reach devices on other networks that connect to this Concentrator, review your Network Lists. See Chapter 15, Policy Management in the VPN 3000 Concentrator Series User Guide. Configuration | Policy Management The Configuration | Policy
  • Cisco 3002 | User Guide - Page 106
    Configuration | Policy Management | Traffic Management | PAT The Configuration | Policy Management | Traffic Management | PAT screen displays. Figure 11-3: Configuration | Policy Management | Traffic Management | PAT screen Enable PAT mode provides many-to-one translation; that is, it translates
  • Cisco 3002 | User Guide - Page 107
    window. To discard your entry and leave the active configuration unchanged, click Cancel. The Manager returns to the Configuration | Policy Management | Traffic Management | PAT screen. VPN 3002 Hardware Client User Guide 11-5
  • Cisco 3002 | User Guide - Page 108
  • Cisco 3002 | User Guide - Page 109
    3002. • Certificate Management: install and manage digital certificates. - Enrollment: create a certificate request to send to a Certificate Authority. - Installation: install digital certificates. - Certificates: view, modify, and delete digital certificates. VPN 3002 Hardware Client User Guide
  • Cisco 3002 | User Guide - Page 110
    using to manage the VPN 3002. Software image files ship on the Cisco VPN 3002 CD-ROM. Updated or patched versions are available from the Cisco Website, www.cisco.com, under Service & Support > Software Center. It the Save Needed icon in the Manager window. 12-2 VPN 3002 Hardware Client User Guide
  • Cisco 3002 | User Guide - Page 111
    or click Browse... to find and select the file from your workstation or network. Cisco-supplied VPN 3002 software image files are named: The Major and Minor Version numbers are always present; . Click the highlighted link to stop it and clear the message. VPN 3002 Hardware Client User Guide 12-3
  • Cisco 3002 | User Guide - Page 112
    may have selected the wrong file. Click the highlighted link to return to the Administration | Software Update screen and try the update again, or contact Cisco support. Figure 12-5: Administration | Software Update Error screen 12-4 VPN 3002 Hardware Client User Guide
  • Cisco 3002 | User Guide - Page 113
    ) the VPN 3002 with various options. We strongly recommend that you shut down the VPN 3002 before you warning and prevents new user sessions. The VPN 3002 automatically saves the current event log file as only one action. Reboot = Reboot the VPN 3002. Rebooting terminates all sessions, resets the
  • Cisco 3002 | User Guide - Page 114
    file. You will need to go through all the Quick Configuration steps described in the VPN 3002 Getting Started manual, including setting the system date and time and supplying an IP address for the Ethernet does not cancel a scheduled reboot or shutdown.) 12-6 VPN 3002 Hardware Client User Guide
  • Cisco 3002 | User Guide - Page 115
    a Success screen with the name of the tested host. Figure 12-8: Administration | Ping | Success screen Continue To return to the Administration | Ping screen, click Continue. VPN 3002 Hardware Client User Guide 12-7
  • Cisco 3002 | User Guide - Page 116
    displays an Error screen with the name of the tested host. To troubleshoot the connection, try to Ping other hosts that you know are working. Manager lets you configure and control administrative access to the VPN 3002. • Administrators: configure administrator usernames, passwords, and rights
  • Cisco 3002 | User Guide - Page 117
    the only administrator who can log in to, and use, the VPN 3002 Hardware Client Manager as supplied by Cisco. • config = Configuration administrator with access rights to Quick Configuration and if you reboot the system with the factory configuration file. VPN 3002 Hardware Client User Guide 12-9
  • Cisco 3002 | User Guide - Page 118
    . Maximum is 31 characters. The field displays only asterisks. Note: The default password that Cisco supplies is the same as the username. We strongly recommend that you change this password. : Administration | Access Rights | Access Settings screen 12-10 VPN 3002 Hardware Client User Guide
  • Cisco 3002 | User Guide - Page 119
    Rights screen. Administration | File Management This section of the Manager lets you manage config files and view crash dump files in VPN 3002 flash memory. (Flash memory acts like a disk.) Figure 12-13: Administration | Config File Management screen VPN 3002 Hardware Client User Guide 12-11
  • Cisco 3002 | User Guide - Page 120
    are: Open Link, Open Link in New Window, Open in New Window = Open and view the file in a new browser window, as above. 12-12 VPN 3002 Hardware Client User Guide
  • Cisco 3002 | User Guide - Page 121
    Your system will prompt for a filename and location. The default filename is the same as on the VPN 3002. When you are finished viewing or saving the file, close the new browser window. To delete the Administration | Access Rights | Administrators screen. VPN 3002 Hardware Client User Guide 12-13
  • Cisco 3002 | User Guide - Page 122
    navigation window, find the file, and select it. Upload / Cancel To upload the file to the VPN 3002, click Upload. The Manager opens the File Upload Progress window. To cancel your entries on this screen, upload is cancelled, the progress window closes. 12-14 VPN 3002 Hardware Client User Guide
  • Cisco 3002 | User Guide - Page 123
    to verify their authenticity. The systems on each end of the VPN tunnel must have trusted certificates from the same CA, or from different CAs in a hierarchy of trusted relationships; e.g., "A" trusts "B," and "B" trusts "C," therefore "A" trusts "C." VPN 3002 Hardware Client User Guide 12-15
  • Cisco 3002 | User Guide - Page 124
    value; if the hash values match, the client is authenticated. The VPN 3002 supports X.509 digital certificates (International Telecommunications Union Recommendation X.509), including SSL ( Administration | Certificate Management | Installation screen to: 12-16 VPN 3002 Hardware Client User Guide
  • Cisco 3002 | User Guide - Page 125
    generate a certificate request to send to a CA (Certificate Authority), to enroll the VPN 3002 in a PKI. The entries you make on this screen are governed by PKI standards the Administration | Certificate Management | Enrollment | Request Generated screen. VPN 3002 Hardware Client User Guide 12-17
  • Cisco 3002 | User Guide - Page 126
    for the department or other organizational unit to which this VPN 3002 belongs; e.g., CPU Design. Spaces are allowed. Organization (O) Enter the name for the company or organization to which this VPN 3002 belongs; e.g., Cisco Systems. Spaces are allowed. 12-18 VPN 3002 Hardware Client User Guide
  • Cisco 3002 | User Guide - Page 127
    3002 that identifies it in this PKI; e.g., vpn3030.altiga.com. This field is optional. The alternative name is an additional data field in the certificate, and it provides interoperability with many Cisco the Administration | Certificate Management screen. VPN 3002 Hardware Client User Guide 12-19
  • Cisco 3002 | User Guide - Page 128
    system also generates the private key used in the PKI process. That key remains on the VPN 3002, and it is not visible. You must complete the enrollment and certificate installation process within this as a root certificate, with a .txt extension. 12-20 VPN 3002 Hardware Client User Guide
  • Cisco 3002 | User Guide - Page 129
    CA in a PKI (where the private key is generated on, and stays hidden on, the VPN 3002). Note: You must install the CA root certificate first, then install any other subordinate certificates (via Enrollment) = SSL certificate obtained via enrollment in a PKI. VPN 3002 Hardware Client User Guide 12-21
  • Cisco 3002 | User Guide - Page 130
    | Certificate management | Certificates screen. To discard your entries and cancel the operation, click Cancel. The Manager returns to the Administration | Certificate Management screen. 12-22 VPN 3002 Hardware Client User Guide
  • Cisco 3002 | User Guide - Page 131
    | Certificates This screen shows all the certificates installed in the VPN 3002 and lets you view and delete certificates. You can also fields display a maximum of 33 characters each. See Administration | Certificate Management | Certificates | View. VPN 3002 Hardware Client User Guide 12-23
  • Cisco 3002 | User Guide - Page 132
    | Certificates | View screen; see below. To delete this certificate from the VPN 3002, click Delete. The Manager opens the Administration | Certificate Management | Certificates | Delete For a CA root certificate, the Subject and Issuer are the same. 12-24 VPN 3002 Hardware Client User Guide
  • Cisco 3002 | User Guide - Page 133
    , or other entity. This is the lowest (most specific) level in the identification hierarchy. For the VPN 3002 self-signed SSL certificate, the CN is the IP address on the Ethernet 1 (Private) interface at CA or other issuer used to sign this certificate. VPN 3002 Hardware Client User Guide 12-25
  • Cisco 3002 | User Guide - Page 134
    , and it provides interoperability with many Cisco IOS and PIX systems in LAN-to-LAN connections. This field displays only if the FQDN extension is present. Back To return to the Administration | Certificate Management | Certificates screen, click Back. 12-26 VPN 3002 Hardware Client User Guide
  • Cisco 3002 | User Guide - Page 135
    shows the remaining certificates. To retain this certificate, click No. The Manager returns to the Administration | Certificate Management | Certificates screen, and the certificates are unchanged. VPN 3002 Hardware Client User Guide 12-27
  • Cisco 3002 | User Guide - Page 136
  • Cisco 3002 | User Guide - Page 137
    available in standard MIB-II data objects. Monitoring This section of the Manager lets you view VPN 3002 status, sessions, statistics, and event logs. • Routing Table: current valid routes, protocols, the data on the screen. Figure 13-1: Monitoring screen VPN 3002 Hardware Client User Guide 13-1
  • Cisco 3002 | User Guide - Page 138
    display of static routing entries. Valid Routes The total number of current valid routes that the VPN 3002 knows about. This number includes all valid routes, and it may be greater than the number the Address field. 0.0.0.0 indicates the default gateway. 13-2 VPN 3002 Hardware Client User Guide
  • Cisco 3002 | User Guide - Page 139
    the event log file. For troubleshooting any system difficulty, or just to examine details of system activity, consult the event log first. The VPN 3002 records events in nonvolatile memory, See the Administration | Administrators | Modify Properties screen. VPN 3002 Hardware Client User Guide 13-3
  • Cisco 3002 | User Guide - Page 140
    key, and select the other classes. By default, the Manager displays All Classes of events. Table 9-1 under Configuration | System | Events describes the event classes. 13-4 VPN 3002 Hardware Client User Guide
  • Cisco 3002 | User Guide - Page 141
    next page (screen) of the event log, click this button. Last Page To display the last page (screen) of the event log, click this button. VPN 3002 Hardware Client User Guide 13-5
  • Cisco 3002 | User Guide - Page 142
    Log. The Manager opens a new browser window to display the file. The browser address bar shows the VPN 3002 address and log file default filename; for example, http://10.10.4.6/LOG/vpn3002log.txt. To save a continues with event or 257 overwriting event 1. 13-6 VPN 3002 Hardware Client User Guide
  • Cisco 3002 | User Guide - Page 143
    reference number assists Cisco support personnel if they need to examine a log file. Event repeat The number of times that this specific event has occurred since the VPN 3002 was last booted above, "New administrator login: admin" describes the event. VPN 3002 Hardware Client User Guide 13-7
  • Cisco 3002 | User Guide - Page 144
    0 and stops. You can still scroll through the event log. Click the button to resume the display of new events and restart the timer. 13-8 VPN 3002 Hardware Client User Guide
  • Cisco 3002 | User Guide - Page 145
    displays. From this screen you can also display the status of the IPSec tunnel SAs, tunnel duration, plus front and rear panel displays of the VPN 3002. Figure 13-5: Monitoring | System Status screen VPN 3002 Hardware Client User Guide 13-9
  • Cisco 3002 | User Guide - Page 146
    Cisco support personnel can do so. Software Rev The version name, number, and date of the VPN 3002 VPN 3002 is running in Network Extension mode, because the central-site Concentrator does not assign an IP address to the VPN 3002 in Network Extension mode. 13-10 VPN 3002 Hardware Client User Guide
  • Cisco 3002 | User Guide - Page 147
    has been up. Security Associations: This table describes the following attributes of the SAs for this VPN 3002. Type The type of tunnel for this SA, either IPSec or IKE (the control tunnel up. Other Additional information about this SA, including mode. VPN 3002 Hardware Client User Guide 13-11
  • Cisco 3002 | User Guide - Page 148
    inactive link. Back Panel The back panel image includes active links for the VPN 3002 Private and Public interfaces. Use the mouse pointer to select either the private Status screen, click Back. The VPN 3002 Ethernet interface number: Private interface 13-12 VPN 3002 Hardware Client User Guide
  • Cisco 3002 | User Guide - Page 149
    were received by this interface since the VPN 3002 was last booted or reset. Unicast this interface for transmission since the VPN 3002 was last booted or reset, by this interface since the VPN 3002 was last booted or reset. this interface for transmission since the VPN 3002 was last booted or reset,
  • Cisco 3002 | User Guide - Page 150
    The number of broadcast packets that were routed to this interface for transmission since the VPN 3002 was last booted or reset, including those that were discarded or not sent. Broadcast , Ethernet, and SNMP. Figure 13-7: Monitoring | Statistics screen 13-14 VPN 3002 Hardware Client User Guide
  • Cisco 3002 | User Guide - Page 151
    This screen shows statistics for IPSec activity, including the current IPSec tunnel, on the VPN 3002 since it was last booted or reset. These statistics conform to the IETF peers establish control tunnels through which they negotiate Security Associations. VPN 3002 Hardware Client User Guide 13-15
  • Cisco 3002 | User Guide - Page 152
    should be zero; if not, check for a network problem, check the event log for an internal subsystem failure, or contact Cisco support. Received Notifies The cumulative total of notify packets received IKE tunnels. See comments for Received Notifies above. 13-16 VPN 3002 Hardware Client User Guide
  • Cisco 3002 | User Guide - Page 153
    failures, such as configuration problems. Rejected Sent Phase-2 Exchanges The cumulative total of IPSec Phase-2 exchanges that were initiated by this VPN 3002, sent, and rejected, Tunnels The cumulative total of IKE tunnels that this VPN 3002 initiated. VPN 3002 Hardware Client User Guide 13-17
  • Cisco 3002 | User Guide - Page 154
    failed, by all currently and previously active IKE tunnels. Authentication failures indicate problems with preshared keys, digital certificates, or user-level authentication. Decryption Failures of all currently and previously active IPSec Phase-2 tunnels. 13-18 VPN 3002 Hardware Client User Guide
  • Cisco 3002 | User Guide - Page 155
    zero; if not, check for a network problem, check the event log for an internal subsystem failure, or contact Cisco support. Inbound Authentications The cumulative total number of corrupted packets or a potential security attack ("man in the middle"). VPN 3002 Hardware Client User Guide 13-19
  • Cisco 3002 | User Guide - Page 156
    may indicate synchronization problems. Protocol Use Failures The cumulative total of protocol use failures that occurred during processing of all currently and previously active IPSec Phase-2 tunnels. These failures indicate errors parsing IPSec packets. 13-20 VPN 3002 Hardware Client User Guide
  • Cisco 3002 | User Guide - Page 157
    The total number of HTTP packets sent since the VPN 3002 was last booted or reset. Packets Received The total number of HTTP packets received since the VPN 3002 was last booted or reset. Active Connections The number of currently active HTTP connections. VPN 3002 Hardware Client User Guide 13-21
  • Cisco 3002 | User Guide - Page 158
    Sessions The total number of attempts to establish Telnet sessions on the VPN 3002 since it was last booted or reset. Successful Sessions The total number of Telnet sessions successfully established on the VPN 3002 since it was last booted or reset. 13-22 VPN 3002 Hardware Client User Guide
  • Cisco 3002 | User Guide - Page 159
    for DNS (Domain Name System) activity on the VPN 3002 since it was last booted or reset. To configure the VPN 3002 to communicate with DNS servers, see the Configuration | System | Servers | DNS screen. Figure 13-11: Monitoring | Statistics | DNS screen VPN 3002 Hardware Client User Guide 13-23
  • Cisco 3002 | User Guide - Page 160
    updated. Requests The total number of DNS queries the VPN 3002 made since it was last booted or reset. This server is not reachable according to the VPN 3002's routing table. Other Failures The number (Secure Sockets Layer) protocol traffic on the VPN 3002 since it was last booted or reset. To
  • Cisco 3002 | User Guide - Page 161
    sessions. Active Sessions The number of currently active SSL sessions. Max Active Sessions The maximum number of SSL sessions simultaneously active at any one time. VPN 3002 Hardware Client User Guide 13-25
  • Cisco 3002 | User Guide - Page 162
    Each row of the table shows data for each IP address handed out to a DHCP client (PC) on the VPN 3002 private network. To configure the DHCP server, see Configuration | System | IP Routing | DHCP. Figure 13-13: the leased IP address to the remote client. 13-26 VPN 3002 Hardware Client User Guide
  • Cisco 3002 | User Guide - Page 163
    or reset. Total Sessions The total number of SSH sessions since the VPN 3002 was last booted or reset. Active Sessions The number of currently active SSH sessions. Max Sessions The maximum number of simultaneously active SSH sessions on the VPN 3002. VPN 3002 Hardware Client User Guide 13-27
  • Cisco 3002 | User Guide - Page 164
    on the VPN 3002. MIB-II query the VPN 3002 to gather the data. Each subsequent screen displays the data for a standard MIB-II group of objects: • Interfaces: packets sent and received on network interfaces and VPN enable the VPN 3002's SNMP -II objects for VPN 3002 interfaces since the
  • Cisco 3002 | User Guide - Page 165
    click Refresh. The date and time indicate when the screen was last updated. Interface The VPN 3002 interface: Private Public Status The operational status of this interface: UP = configured and enabled are those addressed to a specific group of hosts. VPN 3002 Hardware Client User Guide 13-29
  • Cisco 3002 | User Guide - Page 166
    MIB-II | TCP/UDP This screen shows statistics in MIB-II objects for TCP and UDP traffic on the VPN 3002 since it was last booted or reset. RFC 2012 defines TCP MIB objects, and RFC 2013 defines UDP MIB objects for what is casually called a data packet. 13-30 VPN 3002 Hardware Client User Guide
  • Cisco 3002 | User Guide - Page 167
    . TCP Connection Limit The limit on the total number of TCP connections that the system can support. A value of -1 means there is no limit. TCP Active Opens The number of TCP TCP connections that are currently established or are gracefully terminating. VPN 3002 Hardware Client User Guide 13-31
  • Cisco 3002 | User Guide - Page 168
    for what is casually called a data packet. Monitoring | Statistics | MIB-II | IP This screen shows statistics in MIB-II objects for IP traffic on the VPN 3002 since it was last booted or reset. RFC 2011 defines IP MIB objects. Figure 13-18: Monitoring | Statistics | MIB-II | IP screen 13-32
  • Cisco 3002 | User Guide - Page 169
    and forwarded to destinations other than the VPN 3002. Outbound Packets Discarded The number of outbound IP data packets that had no problems preventing their transmission to a destination, but that were discarded (e.g., for lack of buffer space). VPN 3002 Hardware Client User Guide 13-33
  • Cisco 3002 | User Guide - Page 170
    be found to transmit them to their destination. This number includes any packets that the VPN 3002 could not route because all of its default routers are down. Packets Transmitted (Requests) data packet fragments that have been generated by the VPN 3002. 13-34 VPN 3002 Hardware Client User Guide
  • Cisco 3002 | User Guide - Page 171
    checksums, bad length, etc.). The number of ICMP messages that the VPN 3002 did not send due to problems within ICMP such as a lack of buffers. Destination Unreachable Received / the Don't Fragment flag set for a packet that must be fragmented. VPN 3002 Hardware Client User Guide 13-35
  • Cisco 3002 | User Guide - Page 172
    a packet within a time limit. Parameter Problems Received / Transmitted The number of ICMP Parameter Problem messages received / sent. Parameter Problem messages indicate a syntactic or semantic error in , to measure propagation delay in the network. 13-36 VPN 3002 Hardware Client User Guide
  • Cisco 3002 | User Guide - Page 173
    II | ARP Table This screen shows entries in the Address Resolution Protocol mapping table since the VPN 3002 was last booted or reset. ARP matches IP addresses with physical MAC addresses, so the date and time indicate when the screen was last updated. VPN 3002 Hardware Client User Guide 13-37
  • Cisco 3002 | User Guide - Page 174
    . Invalid = an invalid mapping. Dynamic = a learned mapping. Static = a static mapping on the VPN 3002. Action / Delete To remove a dynamic, or learned, mapping from the table, click Delete. There | Administrators. You cannot delete static mappings. 13-38 VPN 3002 Hardware Client User Guide
  • Cisco 3002 | User Guide - Page 175
    II | Ethernet This screen shows statistics in MIB-II objects for Ethernet interface traffic on the VPN 3002 since it was last booted or reset. IEEE standard 802.3 describes Ethernet networks, and RFC when trying to transmit a frame on this interface. VPN 3002 Hardware Client User Guide 13-39
  • Cisco 3002 | User Guide - Page 176
    failed due to an internal MAC sublayer receive error. This number does not include Alignment Errors, FCS Errors, or Frame Too Long Errors. 13-40 VPN 3002 Hardware Client User Guide
  • Cisco 3002 | User Guide - Page 177
    when the screen was last updated. Requests Received The total number of SNMP messages received by the VPN 3002. Bad Version The total number of SNMP messages received that were for an unsupported SNMP version. The VPN 3002 supports SNMP version 2. VPN 3002 Hardware Client User Guide 13-41
  • Cisco 3002 | User Guide - Page 178
    | Management Protocols | SNMP Communities to configure permitted community strings. To protect security, the VPN 3002 does not include the usual default public community string. Parsing Errors The target failed for some reason (other than a timeout). C 13-42 VPN 3002 Hardware Client User Guide
  • Cisco 3002 | User Guide - Page 179
    VPN 3002 via an RJ-45 serial cable (which Cisco supplies with the system) between the Console port on the VPN 3002 and the COM1 or serial port on the PC. For more information, see the VPN 3002 Hardware Client Getting Started manual login prompt.) Login: _ VPN 3002 Hardware Client User Guide 14-1
  • Cisco 3002 | User Guide - Page 180
    the Main -> prompt. Welcome to Cisco Systems VPN 3002 Hardware Client Command Line Interface Copyright (C) 1998-2001 Cisco Systems, Inc. 1) Configuration 2) Administration 3) Monitoring 4) Save changes to Config file 5) Help Information 6) Exit Main -> _ 14-2 VPN 3002 Hardware Client User Guide
  • Cisco 3002 | User Guide - Page 181
    rights. The CLI displays menus or prompts at every level to guide you in choosing configurable options and setting parameters. The prompt always General -> [ Lab VPN ] _ You can enter a new name at the prompt, or just press Enter to keep the current name. VPN 3002 Hardware Client User Guide 14-3
  • Cisco 3002 | User Guide - Page 182
    you become familiar with the structure of the CLI, which parallels the HTML-based VPN 3002 Hardware Client Manager, you can quickly access any level by entering a series of admin Yes config No isp No 1) Modify Administrator 2) Back Admin -> 1 14-4 VPN 3002 Hardware Client User Guide
  • Cisco 3002 | User Guide - Page 183
    b or B to move back to the previous menu. Also, at any menu level, you can just enter h or H to move home to the main menu. VPN 3002 Hardware Client User Guide 14-5
  • Cisco 3002 | User Guide - Page 184
    how to navigate through menus and enter values. This help message is available only at the main menu. Cisco Systems. Help information for the Command Line Interface From any menu except the Main menu. -- 'B' to the CONFIG file and redisplays the main menu. 14-6 VPN 3002 Hardware Client User Guide
  • Cisco 3002 | User Guide - Page 185
    Help Information 6) Exit Main -> _ The default Monitor administrator can only monitor the VPN 3002, not configure system parameters or administer the system. See Administration | Access Rights check familiar shortcuts carefully when using a new release. VPN 3002 Hardware Client User Guide 14-7
  • Cisco 3002 | User Guide - Page 186
    2) Interface Configuration 3) System Management 4) Policy Management 5) Back Config -> _ 1.1 Configuration > Quick Configuration See the VPN 3002 Hardware Client Getting Started guide for complete information about Quick Config. 1.2 Configuration > Interface Configuration This table shows current IP
  • Cisco 3002 | User Guide - Page 187
    -> _ 1.2.4 Configuration > System Management > Management Protocols 1) Configure HTTP/HTTPS 2) Configure Telnet 3) Configure SNMP 4) Configure SNMP Community Strings 5) Configure SSL 6) Configure SSH 7) Back Network -> _ CLI menu reference VPN 3002 Hardware Client User Guide 14-9
  • Cisco 3002 | User Guide - Page 188
    ? [phoenix3002dc.bin] IP address of the host where the file resides? [10.10.66.10] (M)odify any of the above (C)ontinue or (E)xit? [M] 14-10 VPN 3002 Hardware Client User Guide
  • Cisco 3002 | User Guide - Page 189
    active Configuration file 3) Shutdown, ignoring the Configuration file at next reboot 4) Back Admin -> _ 2.3 Ping > Ping host Admin -> 2.4 Administration > Access Rights 1) Administrators 2) Access Settings 3) Back Admin -> _ VPN 3002 Hardware Client User Guide 14-11
  • Cisco 3002 | User Guide - Page 190
    .BAK 1) View Config File 2) Delete Config File 3) View Backup Config File 4) Delete Backup Config File 5) Swap Config Files 6) Upload Config File 7) Back File -> _ 14-12 VPN 3002 Hardware Client User Guide
  • Cisco 3002 | User Guide - Page 191
    Identity Certificate (from Enrollment) 5) Back Certificates -> _ 2.6.3 Administration > Certificate Management > Certificate Authorities Certificate Authorities . . . 1) View Certificate 2) Delete Certificate 4) Back Certificates -> _ CLI menu reference VPN 3002 Hardware Client User Guide 14-13
  • Cisco 3002 | User Guide - Page 192
    Quit, '' to Continue -> . Serial Number . . 1) Delete Certificate 2) Generate Certificate 3) Back Certificates -> _ 3 Monitoring 1) Routing Table 2) Event Log 3) System Status 4) General Statistics 5) Back Monitor -> _ 14-14 VPN 3002 Hardware Client User Guide
  • Cisco 3002 | User Guide - Page 193
    Page 2) Previous Page 3) Next Page 4) Last Page 5) Back Log -> _ 3.3 Monitoring > System Status System Status . . . 1) Refresh System Status 2) Connect Now 3) Disconnect Now 4) Back Status -> _ Card Status -> _ VPN 3002 Hardware Client User Guide CLI menu reference 14-15
  • Cisco 3002 | User Guide - Page 194
    6) Back General -> _ 3.4.2 Monitoring > General Statistics > Server Statistics 1) DHCP Statistics 2) Back General -> _ 3.4.3 Monitoring > General Statistics > MIB II Statistics 1) Interface-based 2) System-level 3) Back MIB2 -> _ 14-16 VPN 3002 Hardware Client User Guide
  • Cisco 3002 | User Guide - Page 195
    and using the system, and how to correct them. Files for troubleshooting The VPN 3002 Hardware Client creates several files that you can examine and that can assist Cisco support engineers, when troubleshooting errors and problems: • Event log. • SAVELOG.TXT = Event log that is automatically saved
  • Cisco 3002 | User Guide - Page 196
    be useful for troubleshooting. See Administration | File Management for information on managing files in flash memory. LED indicators LED indicators on the VPN 3002 are normally green or flashing amber. LEDs that are solid amber or off may indicate an error condition. Contact Cisco support if any
  • Cisco 3002 | User Guide - Page 197
    problem. Also, use the next section of this Appendix to check the settings on the Concentrator to which this VPN 3002 connects. Problem/ VPN 3002 and a power outlet. Unit has failed diagnostics. Contact Cisco Support immediately. 1 Verify that the VPN 3000 Series Concentrator to which this VPN 3002
  • Cisco 3002 | User Guide - Page 198
    A Errors and troubleshooting Problem/symptom Connect Now worked. LED(s) for the Private your network administrator. Settings on the VPN 3000 Series Concentrator If your VPN 3002 experiences connectivity problems, check the configuration of the VPN 3000 Series Concentrator. 1 Configure the
  • Cisco 3002 | User Guide - Page 199
    -based VPN 3002 Hardware Client Manager with a browser. Browser Refresh / Reload button logs out the Manager Problem You clicked the Refresh or Reload button on the browser's navigation toolbar, and the Manager logged out. The main login screen appears. Possible cause To protect access security
  • Cisco 3002 | User Guide - Page 200
    A Errors and troubleshooting Invalid Login or Session Timeout The Manager displays the Invalid Login or Session Timeout screen Problem You entered an invalid administrator login change the Session Timeout interval to a larger value and click Apply. A-6 VPN 3002 Hardware Client Getting Started
  • Cisco 3002 | User Guide - Page 201
    VPN 3002 Hardware Client Manager errors Error / An error has occurred while attempting to perform... The Manager displays a screen with the message: Error / An error has occurred while attempting to perform the operation. An additional error message describes the erroneous operation. Problem You
  • Cisco 3002 | User Guide - Page 202
    A Errors and troubleshooting Problem You tried to access an area of the Manager that you do not have authorization to access. to access the specified page. The screen includes additional information that identifies system activity and parameters. A-8 VPN 3002 Hardware Client Getting Started
  • Cisco 3002 | User Guide - Page 203
    VPN 3002 Hardware Client Manager errors Problem The Cisco support personnel for assistance. Microsoft Internet Explorer Script Error: No such interface supported Microsoft Internet Explorer displays a Script Error dialog box that includes the error message: No such interface supported. Problem
  • Cisco 3002 | User Guide - Page 204
    troubleshooting Command Line Interface errors These errors may occur while using the menu-based Command Line Interface from a console or Telnet session. ERROR:-- Bad IP Address/Subnet Mask/Wildcard Mask/Area ID. Problem verification at the prompts. A-10 VPN 3002 Hardware Client Getting Started
  • Cisco 3002 | User Guide - Page 205
    materials are owned or licensed by Cisco Systems and are protected by United States copyright laws, laws of other nations, and/or international treaties. Grant of License 2. Cisco Systems hereby grants to you the right to use the Software with the Cisco VPN 3000 Concentrator product. To this end
  • Cisco 3002 | User Guide - Page 206
    or assign the right to use the Software, except as stated in this paragraph. 5. You may not export the Software, even as part of the Cisco product, to any country for which the United States requires any export license or other governmental approval at the time of export without first obtaining
  • Cisco 3002 | User Guide - Page 207
    wish to contact Cisco Systems for any reason, please call (508) 541-7300, or write to Cisco Systems, Inc. the subject transaction. Other licenses The VPN 3000 Concentrator Series contains and uses BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
  • Cisco 3002 | User Guide - Page 208
    LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  • Cisco 3002 | User Guide - Page 209
    IPSec Portions Copyright © 1993 by Digital Equipment Corporation. Permission to use, copy, modify, and distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies, and that the name of
  • Cisco 3002 | User Guide - Page 210
    LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  • Cisco 3002 | User Guide - Page 211
    granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of CMU not be used in advertising or publicity pertaining to distribution of the software without specific
  • Cisco 3002 | User Guide - Page 212
    notice and this permission notice appear in supporting documentation. This software is provided " licensed under U.S. patent 5,600,725. Protected by U.S. patents 5,787,028; Katie Stevens ([email protected]) University of California, Davis Computing Services - 01-31-90 PPP.05 PPP.08 PPP.15 PPP.16
  • Cisco 3002 | User Guide - Page 213
    networks 1996 All rights reserved SID: 1.1 Revision History: 1.1 97/06/23 21:17:43 root Regulatory Standards Compliance The VPN 3002 Hardware Client complies with these regulatory standards. Item Regulatory Compliance Safety EMC Description Products bear CE Marking indicating compliance with the
  • Cisco 3002 | User Guide - Page 214
  • Cisco 3002 | User Guide - Page 215
    VPN 3002 Hardware Client User Guide INDEX See digital certificates certificate management 12-15 Cisco Connection Online Web page 1-20 Cisco troubleshooting A-2 configuration section of Manager 2-1 Configuration (tab on Manager screen) 1-21 configuring VPN Concentrator with CLI 14-1 connecting to VPN
  • Cisco 3002 | User Guide - Page 216
    DNS servers, configuring 5-1 statistics 13-23 documentation additional xii Cisco Web page 1-20 conventions xvi E enrolling with a supported (IE) A-9 not allowed A-7 not found A-8 out of range value A-10 passwords do not match A-10 session timeout A-6 errors and troubleshooting A-1 CLI A-10 VPN 3002
  • Cisco 3002 | User Guide - Page 217
    using 1-16 login screen 1-17 I ICMP MIB-II statistics 13-35 icon Cisco Systems logo 1-22 closed or collapsed 1-22 open or expanded 1-22 Refresh 1- Explorer 1-4 with Netscape 1-9 interfaces configuring 3-1 VPN 3002 Hardware Client User Guide Index Ethernet, configuring speed 3-6 transmission mode
  • Cisco 3002 | User Guide - Page 218
    navigating CLI menus 14-4 the VPN Concentrator Manager 1-23 Netscape Navigator, requirements 1-1 Network Extension mode 11-2 No such interface supported (error) A-9 nonvolatile memory 12 image filenames 12-3, 13-10 update on VPN Concentrator 12-2 stopping 12-3 VPN 3002 Hardware Client User Guide
  • Cisco 3002 | User Guide - Page 219
    support, Cisco 1-20 Support (tab on Manager screen) 1-20 swap configuration files 12-13 syslog servers, configuring for events 9-13 VPN 3002 Hardware Client User Guide systems 9-11, 9-12 general events 9-7 specific events 9-10 troubleshooting A-1 consult event log 9-5, 13-3 files created for A-1
  • Cisco 3002 | User Guide - Page 220
    Manager errors A-5 VPN Concentrator Manager logging in 1-17 logging out 1-21 navigating 1-23 organization of 1-22 understanding the window 1-19 using 1-1 W wildcard masks, format xvi window, Manager, understanding 1-19 X X.509 digital certificates 12-16 Index-6 VPN 3002 Hardware Client User Guide

VPN 3002 Hardware Client
User Guide
Release 3.0
March 2001

Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 526-4100
Customer Order Number: OL-0874-=
Text Part Number: OL-0874-01