Basic Configuration for the VPN 3002

The Quick configuration ten-step process, in either the CLI or the web-based Client Manager, supplies the minimal parameters needed to make the VPN 3002 operational. The Client Manager is used in this section, but following along in the CLI should be straightforward.

The following discussion assumes a successful login and choosing Configuration | Quick Configuration in the left-side panel. The actual configuration is based on Figure 15-12, showing a small branch location connecting through a VPN 3002 client to a VPN Concentrator at the main office.

Figure 15-12: VPN 3002 configuration scenario

The scenario assumes the main office has reserved the networks 192.168.0.0 to 192.168.127.0 for its internal use. The other private class C addresses have been assigned as needed to the company’s branch locations. The figure shows a small branch location assigned the 192.168.145.0 network.

Set the System Time, Date, and Time Zone

The Client Manager window displays the Configuration | Quick | Time and Date screen.

Figure 15-13 shows the entry screen used to set the time and date on this device. The choices are self-explanatory. Notice all ten steps are listed at the top of the screen, allowing a person to jump to any feature. Click the Continue button to advance to the next screen.

Figure 15-13: Screen to set date, time, and time zone for the device

Optional—Upload an Existing Configuration File

The Client Manager window displays the Configuration | Quick | Upload Config screen.

Figure 15-14 shows the option screen used to transfer (upload) configuration files over HTTP or HTTPS from a host to the VPN 3002 flash memory. This can be a time-saver if you need to restore a lost or damaged configuration.

Figure 15-14: Choice to upload an existing configuration file

Click No to continue to the next section or click Yes to upload an existing configuration file.

Configure the Private Interface

The Client Manager window displays the Configuration | Quick | Private Interface screen.

Figure 15-15 shows the screen used to configure the VPN 3002 private interface. This is the protected LAN interface of the network. The top portion of the screen displays the current configuration settings. The following is a possible example:

Figure 15-15: Configure the private interface

IP Address 192.168.1.10/255.255.255.0
DHCP Server Enabled (192.168.1.21–192.168.1.254)

The first question determines whether to reconfigure the IP address for the private interface. The Yes/No choices are self-explanatory.

The second question deals with using DHCP to define addresses on the private interface. The first choice ultimately brings up a screen to configure the DHCP server parameters, as shown in Figure 15-16. The second choice would be used while reviewing the settings. The third choice would be used to configure the interface address manually. Click the Continue button to advance to the screen that matches the choice made.

Figure 15-16: Configuring the DHCP server

For the VPN 3002 to operate in Network Extension mode, you must change the private interface IP address from the default setting 192.168.10.1.

Configuring the DHCP Server

The Client Manager Configuration | Quick | Private Interface | DHCP Server screen is used to enable and configure the VPN 3002 private interface to serve as a DHCP server for the private network hosts. This allows IP hosts on the LAN to obtain IP addresses automatically from a limited pool of addresses for a fixed length of time, the lease period. DHCP simplifies host configuration by allowing the network settings to be learned from the DHCP server rather than statically configured.

Check the Enabled box to enable DHCP services for the private interface.

The DHCP Lease Timeout field can be set between 5 and 500,000 minutes. The default is 120 minutes. After the lease time expires, the lease can be renewed or returned to the address pool. This Lease Timeout period applies only when the tunnel to the VPN Concentrator is established. When the tunnel isn’t established, the Lease Timeout period is five minutes.

The next two fields define the starting and ending address of the DHCP address pool. In the example, the first 20 addresses were excluded from the pool so they can be permanently assigned to shared resources, such as printers and servers. The default pool is 127 IP addresses, and the start of the range is the next IP address after that of the current private interface.

If changes were made, the Manager displays the Configuration | Quick | Private Interface | DHCP Server address pool screen, which confirms the DHCP server address pool range that was entered.
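The pool rules described in this section (default pool of 127 addresses starting right after the private interface address, lease timeout of 5 to 500,000 minutes, addresses below the pool reserved for static assignment) are easy to sanity-check before committing them on the device. The following is an added Python example, not Cisco code; it uses the page's sample values (interface 192.168.1.10/24, pool 192.168.1.21–192.168.1.254, 120-minute lease) as constructed input and reports any inconsistency a misconfigured pool would introduce.

```python
import ipaddress

# Constraints stated on the page for the VPN 3002 DHCP server
LEASE_MIN_MINUTES = 5
LEASE_MAX_MINUTES = 500_000
DEFAULT_POOL_SIZE = 127


def default_pool(interface_cidr):
    """Default pool: 127 addresses starting right after the private interface address."""
    iface = ipaddress.ip_interface(interface_cidr)
    start = iface.ip + 1
    end = start + DEFAULT_POOL_SIZE - 1
    return str(start), str(end)


def validate_pool(interface_cidr, start, end, lease_minutes):
    """Return a list of problems with the proposed pool; an empty list means it is consistent."""
    iface = ipaddress.ip_interface(interface_cidr)
    net = iface.network
    lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
    problems = []
    if not LEASE_MIN_MINUTES <= lease_minutes <= LEASE_MAX_MINUTES:
        problems.append(f"lease {lease_minutes} min outside {LEASE_MIN_MINUTES}-{LEASE_MAX_MINUTES}")
    if lo > hi:
        problems.append("start address is after end address")
    if lo not in net or hi not in net:
        problems.append(f"pool not inside the private subnet {net}")
    if lo <= iface.ip <= hi:
        problems.append(f"pool overlaps the interface address {iface.ip}")
    if lo == net.network_address or hi == net.broadcast_address:
        problems.append("pool includes the network or broadcast address")
    return problems


def reserved_below_pool(interface_cidr, start):
    """Count host addresses below the pool start that stay free for printers, servers, etc."""
    iface = ipaddress.ip_interface(interface_cidr)
    first_host = iface.network.network_address + 1
    return int(ipaddress.ip_address(start)) - int(first_host)


if __name__ == "__main__":
    # Constructed sample matching the page's private-interface example
    iface, pool_start, pool_end, lease = "192.168.1.10/24", "192.168.1.21", "192.168.1.254", 120
    print("default pool would be:", default_pool(iface))
    print("reserved addresses below pool:", reserved_below_pool(iface, pool_start))
    print("problems:", validate_pool(iface, pool_start, pool_end, lease) or "none")
```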

Configure the Public Interface

The Client Manager, displaying the Configuration | Quick | Public Interface screen, is shown in Figure 15-17.

Figure 15-17: Screen to configure the public interface

This is the interface used to connect to an ISP and to the central network. The public interface can obtain an IP address in one of three ways:

  • DHCP client

  • PPPoE

  • Static addressing

Once the choice is made, PPPoE and static addressing need some address information. The PPPoE information would generally be provided by the ISP.

The system name, also known as a host name, is optional unless DHCP is chosen to obtain an IP address and the ISP requires a host name. As a DHCP client, the upstream DHCP server assigns the public interface IP address, subnet mask, and default gateway.

Configure the IPSec

The Client Manager displays the Configuration | Quick | IPSec screen.

This screen lets you configure the IPSec parameters, enabling the VPN 3002 to connect to the VPN Concentrator or to other IPSec security gateways, such as the Cisco PIX firewall or Cisco IOS routers. Figure 15-18 shows the IPSec configuration screen.

Figure 15-18: IPSec configuration screen

The Remote Server field is for the IP address or host name of the VPN Concentrator to which this VPN 3002 hardware client connects. If a host name is used, a DNS server must be available to resolve the name.

As mentioned previously, NAT-T is the default, but you can check the IPSec over TCP box to use TCP. The TCP feature must also be enabled on the VPN Concentrator to which this VPN 3002 connects.

Specify the IPSec over TCP port number; only one port number can be specified. The VPN 3002 port must also be configured on the VPN Concentrator to which this VPN 3002 connects.

The Use Certificate box specifies digital certificates for authentication. With digital certificates, you needn’t enter a group name and group password.

Digital Certificates

You have two Select a Certificate Transmission options:

  • Entire certificate chain—to send the peer the identity certificate and all issuing certificates, including the root certificate and any subordinate CA certificates.

  • Identity certificate only—to send the peer only the identity certificate.

Preshared Keys

The following information has to be consistent with that configured for this VPN 3002 on the central-site VPN Concentrator.

  • Group Name field—unique name for this group (up to 32 characters, case-sensitive).

  • Group Password field—unique password for this group (4 to 32 characters, case-sensitive). The field displays only asterisks.

  • Group Verify field—reenter the group password.

  • User Name field—unique name for this user in the group (up to 32 characters, case-sensitive).

  • User Password field—unique password for this user (4 to 32 characters, case-sensitive). The field displays only asterisks.

  • User Verify field—reenter the user password.

Choose Client (PAT) Mode or Network Extension Mode

The Client Manager displays the Configuration | Quick | PAT screen.

The next screen is used to specify either Client (PAT) mode or Network Extension mode. The default Yes selects Client mode; No selects Network Extension mode. Figure 15-19 shows the selection screen.

Figure 15-19: Client mode or Network Extension mode choice

Configure DNS

The Client Manager displays the Configuration | Quick | DNS screen.

As shown in Figure 15-20, this screen is used to specify a DNS server for the local ISP, so Internet host names can be used instead of IP addresses for servers when configuring and managing the VPN 3002. While host names are easier to remember, using IP addresses avoids the problems that occur if the DNS server is offline or congested.

Figure 15-20: Define ISP DNS server and domain name (optional)

If a host name was used to identify the central-site VPN Concentrator on the IPSec configuration screen, a DNS server must be configured on the VPN 3002.

If used, the IP address of the local DNS server is entered in the DNS Server field. The local ISP domain name is entered in the Domain field.

Configure Static Routes

The Client Manager displays the Configuration | Quick | Static Routes screen.

The Static Routes list shown in Figure 15-21 displays any existing static IP routes that were configured. The format is destination network address/subnet mask -> outbound destination. Use this screen to add or delete static routes for IP routing.

Figure 15-21: Existing static routes

Clicking the Add button displays the Configuration | Quick | Static Routes | Add screen, as shown in Figure 15-22. This screen lets you add a new static route to the IP routing table. The options are pretty straightforward. The Subnet Mask automatically defaults to a standard classful subnet mask, but it can be changed as needed.

Figure 15-22: Adding a static route to the VPN 3002

The Metric field allows assigning a cost for the route. The range is 1 to 16, where 1 is the lowest cost. The device always tries to use the least costly route. This makes creating floating static routes possible, where two routes to the same network can be given different metrics to reflect a preference.

The last choice is between using a next-hop address or the local VPN 3002 interface. For the Interface option, the drop-down menu button can be used to select a configured VPN 3002 interface as the outbound destination.
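The static route behaviour described above (classful default mask on the Add screen, metric 1 to 16 with 1 the lowest cost, floating static routes, next-hop or interface as the outbound destination) can be modelled to confirm which route a given destination would actually take. This is an added Python example, not Cisco code; the next-hop addresses and the "Public" interface name in the sample are constructed, and the 192.168.0.0–192.168.127.0 main-office block comes from the page's scenario.

```python
import ipaddress

METRIC_MIN, METRIC_MAX = 1, 16  # range given on the Add screen


def classful_mask(dest):
    """Default classful subnet mask the Add screen proposes for a destination address."""
    first_octet = int(dest.split(".")[0])
    if first_octet < 128:
        return "255.0.0.0"      # class A
    if first_octet < 192:
        return "255.255.0.0"    # class B
    return "255.255.255.0"      # class C


class StaticRoutes:
    """Minimal model of the Configuration | Quick | Static Routes table."""

    def __init__(self):
        self.routes = []  # (network, outbound destination, metric)

    def add(self, dest, outbound, metric=1, mask=None):
        if not METRIC_MIN <= metric <= METRIC_MAX:
            raise ValueError(f"metric {metric} outside {METRIC_MIN}-{METRIC_MAX}")
        mask = mask or classful_mask(dest)   # mask can be overridden, as on the screen
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=True)
        self.routes.append((net, outbound, metric))

    def show(self):
        """Same 'destination/mask -> outbound destination' format as the Static Routes list."""
        return [f"{n.network_address}/{n.netmask} -> {o}" for n, o, _ in self.routes]

    def lookup(self, host):
        """Most specific match wins; among equal prefixes the lowest metric wins (floating static)."""
        ip = ipaddress.ip_address(host)
        candidates = [r for r in self.routes if ip in r[0]]
        if not candidates:
            return None
        net, outbound, metric = min(candidates, key=lambda r: (-r[0].prefixlen, r[2]))
        return outbound


def sample_table():
    # Constructed sample: main-office block via a primary next hop, a floating backup
    # out the Public interface, and one more specific classful /24 entry.
    rt = StaticRoutes()
    rt.add("192.168.0.0", "198.51.100.1", metric=1, mask="255.255.128.0")
    rt.add("192.168.0.0", "Public", metric=10, mask="255.255.128.0")
    rt.add("192.168.50.0", "198.51.100.2")  # classful default mask -> /24
    return rt
```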

Change the Admin Password

The Client Manager displays the Configuration | Quick | Admin Password screen.

The screen is used to change the password for the administrator account (admin). The default password is also admin. Obviously, this isn’t secure for the most powerful account on the device. Changing this password makes sense to improve device security.

When the password is set, the Quick configuration is done and a message screen much like the opening screen confirms that.

The Quick configuration can be used again to make changes or the Configuration menu can be used to change specific features or add options.

Modifying Options

The Quick configuration is used to configure the minimum requirements for connecting to a VPN Concentrator. Modifying or adding options later to a VPN Concentrator is easy. For example, when the DHCP server was configured on the private interface, only minimal features were defined. Once the initial configuration is in place, use the Configuration menu to set additional features. Figure 15-23 shows the DHCP Options screen and the left-side panel shows how to get there. This is where additional servers could be defined.

Figure 15-23: DHCP Options configuration screen
