The VPN 3000 Concentrator and the VPN 3002 Hardware Client support both a specialized command-line interface (CLI) and a web-based interface (Concentrator or Client Manager). You can do exactly the same tasks with either interface. The choice ultimately boils down to personal preference but, in general, the Manager web-based interface might be easier to learn and navigate if you’re familiar with the Windows interface and browsers. The Help feature on the Concentrator Manager is much better than the CLI.
To manage the device with something other than the console cable, the CLI must be used to configure at least the private interface to be part of a network accessible by one or more hosts with either a web browser or Telnet capabilities.
The Quick Configuration Wizard that appears at initial startup allows configuring the minimal parameters needed to make the VPN Concentrator functional. While optional, this wizard and a console connection provide a relatively quick and easy way to add enough configuration to allow access from a network PC. Quick Configuration can be performed entirely from the CLI or switched to the Concentrator Manager any time after the first two steps. The Quick Configuration options, as shown in the following output, appear only once and can only be used once, unless the device is rebooted with the Reboot with Factory/Default option.
Login: admin
Password:                              (doesn't display)
                Welcome to
              Cisco Systems
        VPN 3000 Concentrator Series
           Command Line Interface
Copyright (C) 1998-2003 Cisco Systems, Inc.

-- : Set the time on your device. ...
> Time
Quick -> [ 10:13:37 ]
The CLI Quick Configuration Wizard prompts guide you through the following configuration steps:
Set the system time, date, time zone, and daylight saving time values.
Configure the VPN Concentrator private network interface (Ethernet 1) by responding to the following prompts:
This table shows current IP addresses.
   Interface              IP Address/Subnet Mask   MAC Address
---------------------------------------------------------------
| Ethernet 1 - Private  |    0.0.0.0/0.0.0.0     |
| Ethernet 2 - Public   |    0.0.0.0/0.0.0.0     |
| Ethernet 3 - External |    0.0.0.0/0.0.0.0     |
---------------------------------------------------------------
** An address is required for the private interface. **
> Enter IP Address
Quick Ethernet 1 -> [ 0.0.0.0 ] 192.168.1.1
> Enter Subnet Mask
Quick Ethernet 1 -> [ 255.0.0.0 ] 255.255.255.0
1) Ethernet Speed 10 Mbps
2) Ethernet Speed 100 Mbps
3) Ethernet Speed 10/100 Mbps Auto Detect
Quick -> [ 3 ]
1) Enter Duplex - Half/Full/Auto
2) Enter Duplex - Full Duplex
3) Enter Duplex - Half Duplex
Quick -> [ 1 ]
Once these settings are made, the remainder of the Quick Configuration can be completed with the VPN Concentrator Manager (Cisco’s recommended method). If the CLI method is used, similar prompts would guide the configuration through the following features:
Configure any other interfaces. At a minimum, the Ethernet 2 public interface must be configured. An additional Ethernet 3 interface can be present on models 3015–3080, and/or an optional WAN interface.
Define information that identifies your VPN Concentrator on the network, such as the system name, the IP address of the DNS server, the registered Internet domain name, and the default gateway to which the VPN Concentrator will forward unknown packets.
Define which tunneling protocols and encryption options are to be used.
Define the method(s) for assigning IP addresses to protected clients on the private interface as the defined tunnel is established.
Specify one of five types of servers to authenticate users: the concentrator’s internal server, an external RADIUS server, an external NT Domain server, an external SDI (RSA Security Inc. SecurID) server, or a Kerberos/Active Directory server.
When using the VPN Concentrator internal authentication server, populate the internal user database with at least one user, each with a user name and password, and, if per-user address assignment is specified, an IP address and subnet mask.
When using the IPSec tunneling protocol, the remote-access client connects to the VPN Concentrator via a group name and password, which must be configured.
Change the admin password to improve system security.
Save the configuration file (menu option) to complete Quick Configuration.
Note
The maximum number of entries (groups and users combined) varies by model:
Model 3005/3015: 100
Model 3030: 500
Model 3060/3080: 1,000
The Concentrator Manager Quick Configuration assumes the first two steps of the CLI Quick Configuration were performed, so the private interface can be accessed by a web browser. As with the CLI version, you can only go through the quick configuration steps one time, unless the device is rebooted ignoring the Configuration File option.
The web browser session is opened using the admin/admin case-sensitive user name/password combination. The one-time screen, as shown in Figure 14-1, allows using the Quick Configuration Wizard to add additional settings.
The wizard then leads you through the same configuration options offered earlier in the CLI section. While they aren’t identical, the Quick Configuration Wizard is similar to the one used by the VPN 3002 Hardware Client device, covered in detail in Chapter 15. The example about preshared keys in the section “Remote Access VPNs with Preshared Keys” assumes the Quick Configuration wasn’t done, and it covers the screens and settings at that time.
STUDY TIP
VPN, PIX, and IDS technologies, features, and versions are quickly changing and improving. In some cases, three versions were released in the past year. Because the Cisco web site no longer specifies the versions covered, confirming as many processes as possible with the online documentation makes sense. For the latest information on the Quick Configuration Wizards, go to www.cisco.com and search for VPN Quick Configuration. Then look for the most recent version of the Getting Started Guide. This guide has step-by-step instructions with the most current screen features. Similar searches on any technologies that you can’t work with hands-on would be a good way to avoid being surprised in this rapidly changing environment.
The VPN 3000 Concentrator CLI is a built-in, menu-driven configuration, administration, and monitoring system, which can be accessed via the device console port or a Telnet (or Telnet over SSL) session. Both Telnet options are enabled by default on the private network interface once the interface is configured with an IP address in the LAN. The CLI supports the same configuration options as the HTML-based VPN 3000 Concentrator Manager covered in the section “Concentrator Manager (Web Interface).”
Note
The VPN 3000 concentrators use a straight-through serial connection. A serial cable with a 9-pin adapter can be used on the concentrator end, and then whatever connection is required for the serial interface on the PC. To use a straight-through jumper cable, one of the Cisco 9-pin adapters (gray posts) from a Cisco console configuration kit is required on the concentrator. The VPN 3002 uses a standard Cisco console kit with a roll-over cable that plugs into an RJ-45 interface on the device.
Console port access is similar to that of IOS routers, using a terminal emulator program such as HyperTerminal. Pressing ENTER a few times might be necessary to get the login prompt to appear. Login user names and passwords for both console and Telnet access are the same. The factory-supplied default is configured and enabled for administrators using admin for both the login and password. Entries are case-sensitive. The following output shows the initial login and the main menu:
Login: admin
Password:                              (doesn't display)
                Welcome to
              Cisco Systems
        VPN 3000 Concentrator Series
           Command Line Interface
Copyright (C) 1998-2003 Cisco Systems, Inc.

1) Configuration
2) Administration
3) Monitoring
4) Save changes to Config file
5) Help Information
6) Exit
Main ->
Making changes typically involves making one or more menu choices, and then answering any appropriate prompts. The following are some things to remember about the CLI interface:
Password entries are case-sensitive.
The interface displays current or default entries in brackets, for example, [192.168.1.1 ].
Use the ENTER key on the console keyboard to complete a choice.
Any configuration changes take effect as soon as they’re entered. These changes are part of the active, or running, configuration. To make this the boot configuration used when the device is rebooted, you must save the configuration (Main menu option #4).
The Help menu system is somewhat limited, displaying only the following information when 5 is entered at the Main menu. Context-sensitive Help is unavailable and the familiar question mark (?) doesn’t activate help features. The Help feature in the Hardware Client Manager is much better and offers context-sensitive assistance like most Windows applications.
Main -> 5
Cisco Systems. Help information for the Command Line Interface

From any menu except the Main menu.
-- 'B' or 'b' for Back to previous menu.
-- 'H' or 'h' for Home back to the main menu.

For Data entry
-- Current values are in '[ ]'s.
   Just hit 'Enter' to accept value.

1) View Help Again
2) Back
Help ->
The B and H options (and especially the H option) come in handy when you’re navigating the device menus. Pressing H returns you to the Main menu.
Configuration and administration changes made using Options 1 and 2 on the Main menu take effect immediately and become a part of the active, or running, configuration. Like the Cisco routers, if the VPN 3000 is rebooted without saving the active configuration, any changes will be lost.
Saving changes to the system configuration (CONFIG) file is a one-step process from the Main menu. At the Main -> prompt, typing the numeral 4 will save changes without additional steps or confirmation.
1) Configuration
2) Administration
3) Monitoring
4) Save changes to Config file
5) Help Information
6) Exit
Main -> 4
The system writes the current (active) configuration to the CONFIG file and redisplays the main menu.
To access the Concentrator using the Manager web interface, the workstation must be in the same subnet as the private interface. If the Quick Configuration Wizard wasn’t used for a new or unconfigured Concentrator, the CLI is used to configure the interface. The following output shows the steps from the Main menu:
1) Configuration
2) Administration
3) Monitoring
4) Save changes to Config file
5) Help Information
6) Exit
Main -> 1

1) Interface Configuration
2) System Management
3) User Management
4) Policy Management
5) Back
Config -> 1                              (shows the current settings)

This table shows current IP addresses.
 Intf        Status       IP Address/Subnet Mask        MAC Address
-------------------------------------------------------------------------
Ether1-Pri|     UP     | 192.168.10.1/255.255.255.0 | 00.03.A0.88.CE.AC
Ether2-Pub|Not Configured|     0.0.0.0/0.0.0.0      |
-------------------------------------------------------------------------
DNS Server(s): DNS Server Not Configured
DNS Domain Name:
Default Gateway: Default Gateway Not Configured

1) Configure Ethernet #1 (Private)
2) Configure Ethernet #2 (Public)
3) Configure Power Supplies
4) Back
Interfaces -> 1                          (to set the Private interface)

1) Interface Setting (Disable, DHCP or Static IP)
2) Set Public Interface
3) Select IP Filter
4) Select Ethernet Speed
5) Select Duplex
6) Set MTU
7) Set Port Routing Config
8) Set Bandwidth Management
9) Set Public Interface IPSec Fragmentation Policy
10) Back
Ethernet Interface 1 -> 1                (to set a Static IP address)

1) Disable
2) Enable using DHCP Client
3) Enable using Static IP Addressing
Ethernet Interface 1 -> [ 3 ] 3
> Enter IP Address                       (current value appears in brackets)
Ethernet Interface 1 -> [ 192.168.10.1 ] 192.168.1.10
> Enter Subnet Mask
Ethernet Interface 1 -> [ 255.255.255.0 ]
Ethernet Interface 1 -> h                (return to Main menu)
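As an added example (not from the book or from Cisco), the following Python parses an interface table in the format the CLI prints under Config -> 1 and checks two of the preconditions discussed above: that the management workstation sits in the private interface's subnet, and which interfaces are still unconfigured (Quick Configuration requires at least Ethernet 2). The sample table is constructed to mirror the output shown; the function names are this example's own.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample of the "Config -> 1" interface table, modelled on the
# VPN 3000 CLI output shown above (not captured from a real device).
SAMPLE_TABLE = """\
This table shows current IP addresses.
 Intf        Status       IP Address/Subnet Mask        MAC Address
-------------------------------------------------------------------------
Ether1-Pri|     UP     | 192.168.10.1/255.255.255.0 | 00.03.A0.88.CE.AC
Ether2-Pub|Not Configured|     0.0.0.0/0.0.0.0      |
-------------------------------------------------------------------------
DNS Server(s): DNS Server Not Configured
"""

# One table row: name | status | ip/mask | (optional MAC)
ROW_RE = re.compile(
    r"^(?P<name>Ether\d-\w+)\|\s*(?P<status>[^|]*?)\s*\|\s*"
    r"(?P<ip>\d+\.\d+\.\d+\.\d+)/(?P<mask>\d+\.\d+\.\d+\.\d+)\s*\|"
)


def parse_interfaces(table: str) -> Dict[str, Dict[str, str]]:
    """Return {name: {"status", "ip", "mask"}} for each interface row found."""
    result: Dict[str, Dict[str, str]] = {}
    for line in table.splitlines():
        m = ROW_RE.match(line)
        if m:
            result[m.group("name")] = {
                "status": m.group("status"),
                "ip": m.group("ip"),
                "mask": m.group("mask"),
            }
    return result


def unconfigured_interfaces(interfaces: Dict[str, Dict[str, str]]) -> List[str]:
    """Interfaces still at 0.0.0.0, i.e. not yet given an address."""
    return sorted(n for n, i in interfaces.items() if i["ip"] == "0.0.0.0")


def private_network(interfaces: Dict[str, Dict[str, str]]) -> Optional[ipaddress.IPv4Network]:
    """Subnet of Ether1-Pri, or None if the private interface is unconfigured."""
    pri = interfaces.get("Ether1-Pri")
    if pri is None or pri["ip"] == "0.0.0.0":
        return None
    # strict=False lets a host address (e.g. 192.168.10.1/24) describe its network
    return ipaddress.IPv4Network(f"{pri['ip']}/{pri['mask']}", strict=False)


def can_reach_manager(interfaces: Dict[str, Dict[str, str]], workstation_ip: str) -> bool:
    """True when the workstation is in the private subnet and can open the Manager."""
    net = private_network(interfaces)
    if net is None:
        return False
    return ipaddress.IPv4Address(workstation_ip) in net


if __name__ == "__main__":
    ifs = parse_interfaces(SAMPLE_TABLE)
    print("unconfigured:", unconfigured_interfaces(ifs))
    print("private net:", private_network(ifs))
    print("192.168.10.50 can reach Manager:", can_reach_manager(ifs, "192.168.10.50"))
```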
The VPN 3000 Concentrator Manager (Manager) is an HTML-based interface application that makes configuring, administering, monitoring, and managing the VPN 3000 device possible with a web browser on a PC in the private network.
By default, the Manager uses HTTP, which is convenient, but messages are transmitted in Cleartext. If security requires it, the Manager supports secure, encrypted HTTP connection over Secure Sockets Layer (SSL) protocol, known as HTTPS.
The Manager application supports either Microsoft Internet Explorer (IE) version 4.0 or higher or Netscape Navigator version 4.5–4.7. For the best results, Cisco recommends Internet Explorer. JavaScript and Cookies need to be enabled in the browser. Another recommendation is to install any updates and patches.
Cisco recommends the following monitor display settings for the best viewing:
Screen area—1024 × 768 pixels or greater (minimum 800 × 600 pixels)
Colors—256 colors or higher
Earlier implementations of the Manager were the CLI converted simply to a web interface. Each new version includes better Windows function integration. In particular, Help, a Java-based applet, is getting friendlier and more useful.
Cisco doesn’t recommend using the browser navigation toolbar buttons Back, Forward, or Refresh/Reload with the Manager, unless you’re specifically instructed to do so. To maintain access security, clicking the Refresh/Reload button automatically logs out the Manager session and returns to the login screen. Using the Back or Forward buttons could possibly display old Manager displays with incorrect data or settings. If you’re concerned, the IE View | Full screen (F11) feature will eliminate the temptation.
To access the VPN 3000 Concentrator Manager application using HTTP over a web browser, type the VPN 3000 private interface IP address (such as 192.168.1.10) in the browser Address or Location field. The browser automatically supplies the http:// prefix.
The browser displays the login screen shown in Figure 14-2.
Logging in to the Manager application is the same for Cleartext HTTP or secure HTTPS. At this point, a valid user name/password combination can be entered to gain access. Both entries are case-sensitive. Internet Explorer users can use the TAB key to move from field to field. The Clear button can be used to start over.
An unconfigured unit will have the default Administrator combination admin/admin for initial entry.
Figure 14-3 shows the opening screen that appears, offering access to the three main application modules: Configuration, Administration, and Monitoring. The application tree on the left-hand side offers explorer-like navigation capabilities to move quickly from feature to feature. The menu tree can be expanded and contracted as needed. The figure shows the Configuration section expanded to show the second-tier choices. The same three choices are displayed in the upper-right corner for times when the left-side panel isn’t displayed. The upper-right corner also offers quick access to the Main menu and the Help system, as well as support phone numbers and web pages.
The main body of the window provides a good overview of the various screen components and options of the application, including explanations for service icons that will appear in the upper-right corner.
The VPN 3000 Concentrator Reference, available online or on the documentation CD-ROM that came with the device, covers how to set up the device for installing an SSL Certificate in the browser for HTTPS connectivity.
The Manager, exactly like the CLI, is made up of three major sections and many second- and third-level subsections:
Configuration
Administration
Monitoring
The Configuration menu is used to set all parameters that govern the unit’s use and functionality as a VPN device. Cisco supplies default parameters that cover typical installations and uses. Figure 14-4 shows the Configuration menu fully expanded. The insert graphic shows the four second-tier options.
The Configuration section provides access to configure all VPN 3000 Concentrator features:
Interfaces—Ethernet interfaces, DNS servers, domain name, and power supplies
System—system-wide parameters: servers, address assignment, tunneling protocols, IP routing, IPSec, management protocols, events, identification, and the Client autoupdate feature
User Management—create and modify groups and users
Policy Management—access hours, network lists, rules, security associations, filters, and NAT and group matching
The Administration menu manages the higher-level functions that keep the 3000 unit operational and secure, such as who is allowed to configure the system, what software runs on it, and managing its configuration files and digital certificates. Only the administrator account can use the VPN Concentrator Manager. Figure 14-5 shows the Administration menu fully expanded.
The Administration section provides access to control VPN 3000 Concentrator administrative functions:
Administer Sessions—statistics and logout capability for all sessions
Software Update—update concentrator and VPN client software
System Reboot—system reboot options, including save and scheduling choices
Ping—use ICMP ping to determine connectivity to an address
Monitoring Refresh—enable automatic refresh of Monitoring screens
Access Rights—configure administrator profiles, access, sessions, and AAA
File Management—view, save, delete, swap, and transfer files
Certificate Management—install, enroll, and manage digital certificates
The Monitoring menu is used to track many statistics and the status of many items essential to system administration and management. You can see the state of any LEDs that show the status of hardware subsystems in the device, as well as statistics stored and available in standard MIB-II data objects. Figure 14-6 shows the Monitoring menu fully expanded. The insert graphic shows the five second-tier options.
The Monitoring section of the Manager displays the VPN Concentrator status, sessions, statistics, and event logs. The Monitoring screens are read-only “snapshots” of data or status at the time the selection was made. These aren’t real-time monitors. Most screens offer a Refresh button in the upper-right corner of the screen, which can be used to get a fresh image. The data on the screen can’t be modified.
The five second-tier options of the Monitoring section are:
Routing Table—current valid routes and protocols
Filterable Event Log—event logging with filtering capabilities
System Status—current software revisions, uptime, front-panel LEDs, network interfaces, SEP modules, and power supplies
Sessions—all active sessions and “top ten” sessions, encryption and protocol data
Statistics—accounting, address pools, administrative AAA, authentication, bandwidth management, compression, DHCP, DNS, events, filtering, HTTP, IPSec, L2TP, load balancing, NAT, PPTP, SSH, SSL, Telnet, and VRRP and MIB-II statistics
Figure 14-7 shows an example of a Monitoring screen using the Monitoring | System Status menu option. This screen shows the current version of the software, device serial number, the time the unit has been up, as well as CPU and Fan statistics. The device images show LED status and optional components, plus interface, modules, and power supplies with embedded links that display component statistics if clicked on.
Figure 14-8 shows the result of selecting Configuration | Interfaces in the left panel, and then clicking the Help button in the upper-right corner. The context-sensitive Help window works like any Windows help document.
Note
Help is a Java application, so Java must be enabled to see it, and you might need to turn off any pop-up window protection software.
The Manager application takes advantage of the graphical interface to display as much information as feasible. Figure 14-9 shows the result of selecting Configuration | Interfaces from the menu. Notice the application map in the left-side panel shows where the screen is located in the structure. The figure might not show this, but the actual selection is highlighted.
In the upper-right corner, two icons remind you that changes must be saved and the screen needs to be refreshed—the data has timed out and is considered stale. This is a most useful reminder when counters and statistics are displayed. Clicking the icon activates the indicated service.
In the example figure, the back side of the device is displayed. In larger models, this would indicate any options that were added to the device.