The Quick configuration ten-step process in either CLI or web-based Client Manager can be used to supply the minimal parameters needed to make the VPN 3002 operational. The Client Manager is used in this section, but it shouldn’t be any trick to follow along in the CLI.
The following discussion assumes a successful login and choosing Configuration | Quick Configuration in the left-side panel. The actual configuration is based on Figure 15-12, showing a small branch location connecting through a VPN 3002 client to a VPN Concentrator at the main office.
The scenario assumes the main office has reserved the networks 192.168.0.0 to 192.168.127.0 for its internal use. The other private class C addresses have been assigned as needed to the company’s branch locations. The figure shows a small branch location assigned the 192.168.145.0 network.
The Client Manager window displays the Configuration | Quick | Time and Date screen.
Figure 15-13 shows the entry screen used to set the time and date on this device. The choices are self-explanatory. Notice all ten steps are listed at the top of the screen, allowing a person to jump to any feature. Click the Continue button to advance to the next screen.
The Client Manager window displays the Configuration | Quick | Upload Config screen.
Figure 15-14 shows the option screen used to use HTTP or HTTPS to transfer (upload) configuration files from a host to the VPN 3002 flash memory. This could be a time- saver if you need to restore a lost or damaged configuration.
Click No to continue to the next section or click Yes to upload an existing configuration file.
The Client Manager window displays the Configuration | Quick | Private Interface screen.
Figure 15-15 shows the screen used to configure the VPN 3002 private interface. This is the protected LAN interface of the network. The top portion of the screen displays the current configuration settings. The following is a possible example:
IP Address 192.168.1.10/ 255.255.255.0DHCP Server Enabled (192.168.1.21–192.168.1.254)
The first question determines whether to reconfigure the IP address for the private interface. The Yes/No choices are self-explanatory.
The second question deals with using DHCP to define the address for the private interface. The first choice ultimately brings up a screen to configure the DHCP server parameters, as shown in Figure 15-16. The second choice would be used while reviewing the settings. The third choice would be used to configure the interface address manually. Click the Continue button to implement the advance of the choice to the appropriate next screen.
For the VPN 3002 to operate in Network Extension mode, you must change the private interface IP address from the default setting 192.168.10.1.
The Client Manager Configuration | Quick | Private Interface | DHCP Server screen is used to enable and configure the VPN 3002 private interface to serve as a DHCP server for the private network hosts. This allows IP hosts on the LAN to obtain IP addresses automatically from a limited pool of addresses for a fixed length of time or for a lease period. DHCP simplifies host configuration by allowing the network settings to be learned from the DHCP server rather than statically configured.
Check the Enabled box to enable DHCP services for the private interface.
The DHCP Lease Timeout field can be set between 5 and 500,000 minutes. The default is 120 minutes. After the lease time expires, the lease can be renewed or returned to the address pool. This Lease Timeout period applies only when the tunnel to the VPN Concentrator is established. When the tunnel isn’t established, the Lease Timeout period is five minutes.
The next two fields are used to define the starting and ending address of the DHCP. The example reflects the first 20 addresses were excluded from the pool, so they might be permanently assigned to shared resources, such as printers and servers. The default pool is 127 IP addresses and the start of the range is the next IP address after that of the current private interface.
If changes were made, the Manager displays the Configuration | Quick |
Private Interface | DHCP server address pool screen used confirms that the DHCP server address pool range was entered.
The Client Manager, displaying the Configuration | Quick | Public Interface screen, is shown in Figure 15-17.
This is the interface used to connect to an ISP and to the central network. The public interface can obtain an IP address in one of three ways:
Once the choice is made, PPPoE and static addressing need some address information. The PPPoE information would generally be provided by the ISP.
The system name, also known as a host name, is optional unless DHCP is chosen to obtain an IP address and the ISP requires a host name. As a DHCP client, the upstream DHCP server assigns the public interface IP address, subnet mask, and default gateway.
The Client Manager displays the Configuration | Quick | IPSec screen.
This screen lets you configure the IPSec parameters, enabling the VPN 3002 to connect to the VPN Concentrator or to other IPSec security gateways, such as the Cisco PIX firewall or Cisco IOS routers. Figure 15-18 shows the IPSec configuration screen.
The Remote Server field is for the IP address or host name of the VPN Concentrator to which this VPN 3002 hardware client connects. If a host name is used, a DNS server must be available to resolve the name.
As mentioned previously, NAT-T is the default, but you can check the IPSec over TCP box to use TCP. The TCP feature must also be enabled on the VPN Concentrator to which this VPN 3002 connects.
Specify the IPSec over TCP port number; only one port number can be specified. The VPN 3002 port must also be configured on the VPN Concentrator to which this VPN 3002 connects.
The Use Certificate box specifies digital certificates for authentication. With digital certificates, you needn’t enter a group name and group password.
You have two Select a Certificate Transmission options:
Entire certificate chain—to send the peer the identity certificate and all issuing certificates, including the root certificate and any subordinate CA certificates.
Identity certificate only—to send the peer only the identity certificate.
The following information has to be consistent with that configured for this VPN 3002 on the central-site VPN Concentrator.
Group Name field—unique name for this group (up to 32 characters, case-sensitive).
Group Password field—unique password for this group (4 to 32 characters, case-sensitive). The field displays only asterisks.
Group Verify field—reenter the group password.
User Name field—unique name for this user in the group (up to 32 characters, case-sensitive).
User Password field—unique password for this user (4 to 32 characters, case-sensitive). The field displays only asterisks.
User Verify field—reenter the user password.
The Client Manager displays the Configuration | Quick | PAT screen.
The next screen is used to specify either Client (PAT) mode or Network Extension mode. The default Yes selects Client mode; No selects Network Extension mode. Figure 15-19 shows the selection screen.
The Client Manager displays the Configuration | Quick | DNS screen.
As shown in Figure 15-20, this screen is used to specify a DNS server for the local ISP, so Internet host names can be used instead of IP addresses for servers when configuring and managing the VPN 3002. While host names are easier to remember, using IP addresses avoids problems that might occur with the DNS server offline or congested.
If a host name was used to identify the central-site VPN Concentrator on the IPSec configuration screen, a DNS server must be configured on the VPN 3002.
If used, the IP address of the local DNS server is entered in the DNS Server field. The local ISP domain name is entered in the Domain field.
The Client Manager displays the Configuration | Quick | Static Routes screen.
The Static Routes list shown in Figure 15-21 displays any existing static IP routes that were configured. The format is destination network address/subnet mask -> outbound destination. Use this screen to add or delete static routes for IP routing.
Clicking the Add button displays the Configuration | Quick | Static Routes | Add screen, as shown in Figure 15-22. This screen lets you add a new static route to the IP routing table. The options are pretty straightforward. The Subnet Mask automatically defaults to a standard classful subnet mask, but it can be changed as needed.
The Metric field allows assigning a cost for the route. The range is 1 to 16, where 1 is the lowest cost. The device always tries to use the least costly route. This makes creating floating static routes possible, where two routes to the same network can be given different metrics to reflect a preference.
The last choice is between using a next-hop address or the local VPN 3002 interface. For the Interface option, the drop-down menu button can be used to select a configured VPN 3002 interface as the outbound destination.
The Client Manager displays the Configuration | Quick | Admin Password screen.
The screen is used to change the password for the administrator account (admin). The default password is also admin. Obviously, this isn’t secure for the most powerful account on the device. Changing this password makes sense to improve device security.
When the password is set, the Quick configuration is done and a message screen much like the opening screen confirms that.
The Quick configuration can be used again to make changes or the Configuration menu can be used to change specific features or add options.
The Quick configuration is used to configure the minimum requirements for connecting to a VPN Concentrator. Modifying or adding options later to a VPN Concentrator is easy. For example, when the DHCP server was configured on the private interface, only minimal features were defined. Once the initial configuration is in place, use the Configuration menu to set additional features. Figure 15-23 shows the DHCP Options screen and the left-side panel shows how to get there. This is where additional servers could be defined.