-
VPN 3000 Series Concentrator Reference Volume I: Configuration, Release 4.7
-
A PDF Version of the Entire Book
-
Preface
-
Using the VPN Concentrator Manager
-
Configuration
-
Interfaces
-
System Configuration
-
Servers
-
Address Management
-
IP Routing
-
Management Protocols
-
Events
-
General
-
Client Update
-
Load Balancing Cisco VPN Clients
-
User Management
-
Policy Management
-
Tunneling and Security
-
Configuring an External Server for VPN Concentrator User Authorization
-
Configuring the VPN Concentrator for WebVPN
-
WebVPN End User Set-up
-
Index
-
Table Of Contents
Numerics - A - B - C - D - E - F - G - H - I - J - K - L - M - N - O - P - R - S - T - U - V - W - X - Z
Index
Numerics
A
Access Control List (ACL)
WebVPN 13-44
Port Forwarding 13-42
access hours, configuring 14-3
add 14-4
modify 14-4
accessing the VPN Concentrator using SSL B-2
accounting record attributes, RADIUS 5-24
accounting servers
configuring
add 5-25
accounting servers, configuring 5-23
ACS 14-61
ActiveX
filtering 13-44
add
access hours 14-4
accounting server 5-25
address pool 6-5
authentication server 5-5, 5-17
DHCP server 5-28
email recipient of events 9-23
event class 9-14
filter (traffic management) 14-31
filter rule (traffic management) 14-11
IKE proposal 15-25
IPSec LAN-to-LAN connection 15-13
NAT rule 14-40
network list 14-7
NTP host 5-35
OSPF area 7-9
Port Forwarding 15-53
security association (traffic management) 14-22
security association to rule on filter 14-35
SMTP server for events 9-21
SNMP community 8-8
SNMP event destination 9-17
static route for IP routing 7-4
syslog server to receive events 9-19
user on internal server (user management) 13-101
address management, configuring 6-1
address pools
configuring 6-4
add 6-5
modify 6-5
alarm thresholds, power 3-5
alerts, IPSec 15-31
application access
and e-mail proxy C-7
and hosts file errors C-9
and Web Access C-7
configuring 15-55
configuring client applications for C-5
enabling cookies on browser C-4
privileges C-4
re-enabling C-10
using e-mail C-7
with IMAP client C-7
Application Access See also Port Forwarding
Application Access window 13-99
Are You There (AYT) firewall policy 13-26, 13-29
assignment of IP addresses, configuring 6-2
assign rules to filter (traffic management) 14-32
authenticating
clients with digital certificates B-4
WebVPN users with digital certificates B-5
authentication
feature summary 13-34
SSL Client 15-36
authentication parameters
changing group delimiter 10-7
global 10-6
order of checking 13-2
authentication servers
configuring 5-2
internal 5-11
Kerberos/Active Directory 5-9, 13-73
NT Domain 5-7
RADIUS 5-5
internal 13-2
authorization, WebVPN 13-14
authorization parameters
authorization required 13-14
authorization type 13-14
DN field 13-14
authorization servers
Auto Applet Download
enabling 13-42
autodiscovery, network 15-8, 15-18
automatic software update, See client update 11-1
automatic switchover (redundancy) 7-12
B
Backup LAN-to-LAN, See IPSec LAN-to-LAN, redundancy
bandwidth management
bandwidth aggregation 14-50
bandwidth policing 14-49, 14-51
bandwidth reservation 14-49
burst size 14-51
configuring 14-51
enabling on interface 3-14, 14-48, 14-51
in LAN-to-LAN configuration 14-50, 14-52
overview of 14-49
policing rate 14-51
policy
assigning to group 13-92, 14-51
assigning to interface 3-15, 14-51
assigning to LAN-to-LAN 14-51, 15-17
specifying the link rate 3-15, 14-51
bandwidth policies, configuring 14-48
banner for IPSec clients, configuring 13-24
base group
configuring (user management) 13-4
global preshared secret 13-14
bibliography xviii
bootcode, upgrading xviii
browser
installing SSL certificate 1-3
navigation toolbar, do not use with Manager 1-2
requirements 1-1
built-in servers, configuring
See management protocols 8-1
burst size 14-51
C
Central Protection Policy (CPP) 13-26, 13-29, 14-11
certificate group matching 14-55
defining rules 14-55
fields 14-58
policy 14-60
configuring 14-55
rules
assigning to groups 14-58
deleting 14-56
enabling 14-58
reordering 14-56
certificates See digital certificates
change security association on rule 14-36
Cisco IP Phone Bypass 13-31
CiscoSecure ACS server 5-2, 13-1
Cisco Secure Desktop
installing images 15-39, 15-59
Manager 15-61
Cisco VPN Client
IPSec attributes 14-18
IPSec support 13-8
route advertisement 7-15
supports Mode Configuration 13-16
Citrix MetaFrame
enabling 13-42
CLI, WebVPN capture tool B-10
client authentication, SSL 15-36
client authentication using digital certificates B-4
Are You There (AYT) policy 13-26, 13-29
Central Protection Policy (CPP) 13-26, 13-29, 14-11
configuring rules for firewall filters 13-26, 14-11, 14-13, 14-14, 14-16
custom 13-28
local 13-26
supported products 13-28
vendor and product codes 13-28
Zone Labs Integrity Server 13-26, 13-29
client update 11-1
enabling 11-2
image files 11-2
compression
IPComp 13-14
configuration section of Manager 2-1
connecting to VPN Concentrator
using HTTP 1-2
using HTTPS 1-17
conventions
documentation xvii
typographic xvii
cookies, enabling for WebVPN B-4
copy
filter (traffic management) 14-31
filter rule (traffic management) 14-11
IKE proposal 15-25
network list 14-7
crash, system, saves log file 9-8
D
data
formats xx
date and time, configuring 10-3
Daylight-Saving Time, enabling 10-3
default
event handling, configuring 9-7
filter rules
table 14-9
using 14-8
filters
table 14-30
using 14-28
gateways, configuring for IP routing 7-5
IKE proposals
table 15-23
security associations, table 14-19, 14-20
tunnel gateway, configuring 7-5
delete
filter rule (traffic management) 14-17
group (user management) 13-49
internal authentication server 5-12
security association (traffic management) 14-27
user on internal server (user management) 13-101
DHCP
functions within the VPN Concentrator, configuring 7-10
IP address range 13-8
servers, configuring 5-27
add 5-28
modify 5-28
digital certificates
authenticating clients B-4
authenticating WebVPN users 13-13, 15-36, B-5
configuring for WebVPN B-4
for authenticating e-mail users B-4
for e-mail proxy B-4
IPSec LAN-to-LAN 15-15
transmission 15-15
display settings 1-2
DNS
configuring for group 13-53
servers, configuring 5-26
split DNS 13-25
DNS, configuring for WebVPN B-6
documentation
additional xvii
conventions xvii
DST (Daylight-Saving Time), enabling 10-3
dynamic filters 14-1
E
e-mail, configuring for WebVPN B-9
e-mail proxy
and WebVPN C-7
configuring C-11
Eudora 5.2 on Windows 2000 C-21
Netscape Mail on Windows 2000 C-26
Outlook Express on Windows 2000 C-13
digital certificates B-4
WebVPN B-9
Ethernet
configuring interfaces 3-6
bandwidth 3-14
General tab 3-7
OSPF 3-12
RIP 3-11
WebVPN 3-16
event classes
configuring for special handling 9-13
add 9-14
modify 9-14
table 9-1
tracking specific 9-10
event identifier, tracking events by 9-10
event log 9-5
capacity 9-5
deleting from flash memory 9-8
file size 9-8
save 9-8
saved at system reboot 9-8
saved if system crashes 9-8
saving in flash memory 9-8
events
configuring email recipients 9-22
add or modify 9-23
section of Manager 9-1
tracking specific 9-10
event severity levels
table 9-4
tracking events of a specific severity 9-10
event trap destinations, configuring 9-16
Extended Authentication in IPSec 13-13
F
file access, enabling for WebVPN 13-41
filter 14-1
ActiveX 13-44
add (traffic management) 14-31
add security association to rule on 14-35
assign rules to (traffic management) 14-32
configuring
base group 13-7
configuring (traffic management) 14-28
configuring on interface
Ethernet 3-8
copy (traffic management) 14-31
default
table 14-30
using 14-28
HTML elements 13-44
Java 13-44
modify (traffic management) 14-31
filter rules 14-1
add (traffic management) 14-11
configuring 14-8
copy (traffic management) 14-11
default
table 14-9
using 14-8
delete (traffic management) 14-17
modify (traffic management) 14-11
filters
dynamic 14-1
firewall 14-11
firewall
client 13-58
client, See also client firewall
definition 13-26
flash memory, saving log files in 9-8
formats
data xx
fragmentation policy, IPSec 3-10, 15-17
FTP
configuring internal server 8-2
using to save log files 9-9, 9-12
G
gateways, default 7-5
general parameters, configuring 10-1
global authentication parameters 10-6
global authentication parameters, WebVPN B-5
global authorization parameters, WebVPN B-5
global parameters, WebVPN B-5
group delimiter, changing 10-7
group parameters, WebVPN B-5
groups
configuring user
modifying internal 13-50
configuring users 13-48
deleting 13-49
modifying external 13-66
H
hold down routes, adding to routing table 7-15
host key, SSH 15-32
hostnames vs. IP addresses 13-97
hosts file 13-100
errors C-9
WebVPN 15-56
HTTP
configuring internal server 8-3
using with Manager 1-2
HTTP/HTTPS Web VPN proxy, setting B-4
HTTPS
configuring internal server 8-3
connecting using 1-17
Ethernet interface 3-17
login screen 1-18
WebVPN requirement 15-34
HTTPS management for WebVPN B-2
I
identification, system 10-2
idle time allowed in keepalive monitoring 13-12
IKE keepalives 13-11
Easy VPN compliant clients 13-12
IKE proposals
active 15-23
add 15-25
configuring 15-22
add 15-25
copy 15-25
modify 15-25
copy 15-25
default
table 15-23
inactive 15-24
in security association 14-18
IPSec LAN-to-LAN 15-16
modify 15-25
IKE security association
See security associations
IMAP4S 3-17
installing SSL certificate
with Internet Explorer 1-4
with Netscape 1-10
Install SSL Certificate (screen) 1-4
interfaces
bandwidth management 3-14
configuring 3-1
Ethernet
WebVPN 3-16
Ethernet, configuring 3-6
OSPF 3-12
RIP 3-11
speed 3-9
transmission mode 3-9
filter
Ethernet 3-8
section of Manager 3-1
status 3-4
internal authentication server
configuring 5-11
deleting 5-12
maximum groups and users 13-2
Internet Explorer, requirements 1-1
Internet Explorer proxy server 13-19, 13-23
IP addresses
configuring assignment of 6-2
IPComp data compression 13-14
IP Phone Bypass 13-31
IP routing
configuring 7-2
section of Manager 7-1
IPSec
alerts 15-31
backup servers 13-17
banner for clients 13-24
Cisco VPN Client 13-8, 14-18, 15-7
configuring 15-7
base group 13-8
client parameters 13-16
group (internal) 13-53
user (internal server) 13-105
WebVPN parameters 13-53
data compression 13-14
discussion 15-7
fragmentation policy 3-10, 15-17
maximum active sessions 10-4
Mode Configuration 13-15
rules 14-5
security associations
See security associations
XAUTH 13-13
IPSec LAN-to-LAN
automatic parameters 14-13, 15-13, 15-21
configuring 15-8
add or modify connection 15-13
bandwidth management policy 15-17
no public interfaces screen 15-12
parameters for redundant systems 7-12
digital certificates 15-15
Done (screen) 15-21
redundancy 15-9
and load balancing 15-9
configuring 15-10
example 15-10
VRRP 15-9
rules that apply IPSec 14-13
using network lists 15-13, 15-18, 15-19
IPSec NAT-T 15-17
IPSec over TCP 15-28
IPSec through NAT, configuring base group 13-22
J
Java
filtering 13-44
JavaScript, requirements 1-1
K
Kerberos/Active Directory authentication
on Linux server 13-73
Kerberos/Active Directory authentication, configuring
on Linux server 5-10
L
L2TP
configuring
group (internal) 13-61
system-wide parameters 15-5
user (internal server) 13-106
data compression 13-39
L2TP/IPSec, maximum active sessions 10-4
L2TP over IPSec
configuring
base group 13-8
default security association to use 13-10
do not use Mode Configuration 13-15
IKE proposal required 15-24
no IPSec user authentication 13-13
Windows 2000 client support 13-8, 15-1
LAN-to-LAN
See IPSec LAN-to-LAN
Layer 2 Tunneling Protocol, SeeL2TP
LDAP authorization servers, configuring 5-20, 13-81
LEAP Bypass
configuring 13-31
explanation 13-33
Linux server and Kerberos/Active Directory authentication 5-10, 13-73
load balancing 12-1
configuring 12-3
cluster 12-3
device 12-3
preliminary steps 12-2
device priority 12-5
defaults 12-5
virtual cluster 12-1
local LAN access for VPN client 13-19
log files
See event log
logging in the VPN Concentrator Manager 1-18
login
name
factory default (Manager) 1-18
password, factory default (Manager) 1-18
screen 1-3
HTTPS 1-18
Internet Explorer 1
Netscape 1
M
management protocols, configuring 8-1
MAPI proxy
about 13-43
enabling 13-42
maximum active sessions 10-6
examples 10-5
IPSec, PPTP and L2TP/IPSec 10-4
maximum permitted sessions 10-4
maximum sessions
ratios of WebVPN to IPSec, PPTP and L2TP/IPSec sessions 10-5
WebVPN or IPSec, PPTP, and L2TP (table) 10-4
MD5 15-16
memory, upgrading xviii
MIB-II, system object 10-2
Mode Configuration in IPSec 13-15
Cisco VPN Client supports 13-16
split tunneling 13-15
modify
access hours 14-4
accounting server 5-25
address pool 6-5
authentication server 5-5
authorization server 5-17
DHCP server 5-28
email recipient of events 9-23
event class 9-14
filter (traffic management) 14-31
filter rule (traffic management) 14-11
group (external) (user management) 13-66
group (internal) (user management) 13-50
IKE proposal 15-25
IPSec LAN-to-LAN connection 15-13
NAT rule 14-40
network list 14-7
NTP host 5-35
OSPF area 7-9
Port Forwarding 15-53
security association (traffic management) 14-22
SMTP server for events 9-21
SNMP community 8-8
SNMP event trap destination 9-17
static route, for IP routing 7-4
syslog server to receive events 9-19
user on internal server (user management) 13-101
monitor / display settings 1-2
movian
VPN client support 13-10, 14-24, 14-26, 15-16, 15-27
MPPC data compression 13-38, 13-39
MTU 3-9
N
NAC
about 14-61
configuring
base group 13-46
global policy 14-62
group (internal) 13-65
NAT
configuring 14-37
enable 14-38
no public interfaces screen 14-40
NAT rules, configuring 14-39
add 14-40
modify 14-40
NAT-T (NAT Traversal) 15-17, 15-28
NAT transparency 15-28
navigating the VPN Concentrator Manager 1-20
NetBIOS Name, configuring 5-31
Netscape Navigator
requirements 1-1
network autodiscovery 15-8, 15-18
network lists 14-1
configuring 14-6
add 14-7
automatic generation 14-8
copy 14-7
modify 14-7
IPSec LAN-to-LAN 15-13, 15-18, 15-19
network time, configuring
See NTP 5-32
No Public Interfaces screen
IPSec LAN-to-LAN 15-12
NAT 14-40
NT Domain, configuring authentication server 5-7
NTP, configuring 5-32
hosts (servers) 5-34
add 5-35
modify 5-35
synchronization 5-33
O
organization of the VPN Concentrator Manager 1-19
configuring
on Ethernet interface 3-12
system-wide parameters 7-7
with reverse route injection 7-14
OSPF areas, configuring 7-8
add 7-9
modify 7-9
Outlook/Exchange Proxy
about 13-43
enabling 13-42
Outlook Web Access (OWA) and WebVPN C-7
P
password
factory default (Manager) 1-18
policing rate 14-51
policy management
configuring 14-2
section of Manager 14-1
POP3S 3-17
Port Forwarding
add or modify 15-53
configuring client applications for C-5
enabling 13-41
posture validation 14-61
power thresholds, configuring 3-5
PPTP
configuring
group (internal) 13-61
system-wide parameters 15-3
user (internal server) 13-106
data compression 13-38
maximum active sessions 10-4
preshared key 15-15
pre-shared secret 13-14
product codes for client firewalls 13-28
proxy, Internet Explorer 13-19, 13-23
R
RADIUS
accounting, configuring 5-23
accounting record attributes 5-24
authentication server, configuring 5-5
authorization server, configuring 5-17, 13-79
Cisco Secure ACS RADIUS server 13-1
Class attribute format to authenticate group name 13-48
ratios of WebVPN to IPSec, PPTP and L2TP/IPSec sessions 10-5
RC4 encryption, WebVPN 15-37
reboot system, saves log file 9-8
redundancy
configuring, system 7-12
IPSec LAN-to-LAN 15-9
references (bibliography) xviii
regeneration, SSH server key 15-32
requirements
browser 1-1
Internet Explorer 1-1
JavaScript 1-1
Netscape Navigator 1-1
reverse route injection 7-14, 15-18
configuring on Ethernet interface 3-11
with network autodiscovery 15-18
with reverse route injection 7-14
routes
adding to routing table
network autodiscovery 15-18
reverse route injection 15-18
routes, adding to routing table
reverse route injection 7-14
RRI See reverse route injection
rules 14-1
add security association to, on filter 14-35
assign to filter (traffic management) 14-32
change security association on 14-36
filter, configuring 14-8
rules, NAT, configuring 14-39
add 14-40
modify 14-40
S
SAs See security associations
SAVELOG.TXTfile 9-8screen
login 1-3
login, using HTTPS 1-18
SecurID, configuring authentication server 5-8, 13-71
security associations 14-1
add to rule on filter 14-35
change on rule 14-36
configuring 14-18
add 14-22
delete 14-27
modify 14-22
IKE proposals in 14-18
negotiation phases 14-18
server key
SSH 15-32
regeneration 15-32
servers 5-1
configuring
authentication 5-2
DNS 5-26
firewall 5-29
internal authentication 5-11
Kerberos/Active Directory authentication 5-9, 13-73
LDAP authorization 5-20, 13-81
NetBIOS NAME 5-31
NT Domain authentication 5-7
NTP 5-32
RADIUS accounting 5-23
RADIUS authentication 5-5
RADIUS authorization 5-17, 13-79
SDI authentication 5-8
system access to 5-1
deleting internal authentication 5-12
testing
authentication 5-12
servers and URLs, WebVPN 13-94
session key, SSH 15-32
sessions
maximum active 10-6
examples 10-5
WebVPN or IPSec, PPTP and L2TP/IPSec 10-4
maximum active WebVPN 10-6
maximum permitted 10-4
changing 10-4
WebVPN or IPSec, PPTP, and L2TP (table) 10-4
ratios of WebVPN to IPSec, PPTP and L2TP/IPSec sessions 10-5
SHA 15-16
SMTPS 3-17
SMTP servers, configuring for events 9-20
add 9-21
modify 9-21
SNMP
configuring internal server 8-6
event trap destinations, configuring 9-16
add 9-17
modify 9-17
traps, configuring "well-known" 9-10
SNMP communities, configuring 8-7
add 8-8
modify 8-8
software update, automatic 11-1
enabling 11-2
image files 11-2
speed, configuring Ethernet interface 3-9
split DNS 13-25
split tunneling
firewalls 13-26
IPSec
requires Mode Configuration 13-15
network list 13-25
policy 13-19
SSH
host key 15-32
server key 15-32
server key regeneration 15-32
session key 15-32
SSL
client authentication 15-36
configuring WebVPN session 15-34
used to access the VPN Concentrator B-2
SSL/TLS
WebVPN tunneling protocols 13-8
SSL/TLS encryption protocols, configuring B-3
SSL certificate
installing in browser 1-3
installing with Internet Explorer 1-4
installing with Netscape 1-10
viewing with Internet Explorer 1-9
viewing with Netscape 1-15
VPN Concentrator 1-3
SSL certificate, checking certificate currency B-4
SSL Tunnel Client
enabling 13-42
installing images 15-39
requiring 13-43
SSL VPN Client
installing images 15-57
static routes, configuring for IP routing 7-3
add 7-4
modify 7-4
strip realm 13-8
Sun Microsystems Java™ Runtime Environment (JRE) and WebVPN C-4
switchover, automatic (redundancy) 7-12
syslog servers, configuring for events 9-18
add 9-19
modify 9-19
system configuration section of Manager 4-1
system identification, configuring 10-2
T
Telnet, configuring internal server 8-5
TFTP
and automatic software update 11-1
configuring internal server 8-4
time and date, configuring 10-3
timeout 13-31
time zone, configuring 10-3
traffic management, configuring 14-5
transmission mode, configuring Ethernet interface 3-9
transparency, NAT 15-28
traps, configuring
"well-known" 9-10
destination systems 9-16, 9-17
general events 9-10
specific events 9-15
troubleshooting, consulting the event log
tunnel default gateway, configuring 7-5
tunneling protocols
configuring 15-2
section of Manager 15-1
typographic conventions xvii
U
upgrading
bootcode xviii
memory xviii
URL entry
use with WebVPN 13-40
URLs, WebVPN capture tool B-10
user attributes, default
See base group 13-4
user management
configuring 13-3
section of Manager 13-1
users
configuring on internal server (user management) 13-100
add 13-101
delete 13-101
modify 13-101
V
vendor codes for client firewalls 13-28
viewing SSL certificates
with Internet Explorer 1-9
with Netscape 1-15
virtual cluster 12-1
configuration 12-3
IP address 12-2
master 12-1
VPN 3002 Hardware Client
route advertisement 7-15
software update 11-1
VPN Client, IPSec attributes 15-7
VPN Concentrator Manager
logging in 1-18
navigating 1-20
organization of 1-19
VPN Concentrator SSL certificate, checking B-4
VRRP 7-12
VRRP, configuring 7-12
W
web browsing with WebVPN C-6
web e-Mail (Outlook Web Access)
Outlook Web Access B-9
WebVPN
Access Control List (ACL)
Port Forwarding 13-42
user sessions 13-44
Application Access window 13-99, 15-55
authenticating with digital certificates 13-13, 15-36, B-5
authorization 13-14
Auto Applet Download
enabling 13-42
capture tool B-10
Cisco Secure Desktop
Manager 15-61
Citrix MetaFrame
enabling 13-42
client application requirements C-2
client requirements C-2
for e-mail C-7
for file management C-6
for network browsing C-6
for web browsing C-6
start-up C-3
configuration options B-7
DNS 13-7
DNS globally B-6
e-mail B-9
E-mail proxy 15-45
home page 15-41
HTTP/HTTPS proxy 15-40
IPSec parameters 13-9
logo 15-43
Port Forwarding 15-51
add or modify 1
servers and urls 15-49
add or modify 1
SSL options 15-34
with VPN Concentrator Manager B-7
cookies B-4
e-mail proxy B-9
enable cookies for C-4
enabling file access 13-41
enabling URL entry 13-40
end user set-up C-1
global and group settings B-5
global authentication and authorization settings B-5
hosts file 15-56
HTTP/HTTPS proxy, setting B-4
HTTPS required 15-34
IPSec parameters,configuring 13-53
maximum active sessions 10-4, 10-6
Outlook/Exchange Proxy
about 13-43
enabling 13-42
parameters 13-39
Port Forwarding
enabling 13-41
printing and C-4
RC4 encryption 15-37
Secure Desktop 15-59
security tips C-2
servers and URLs 13-94
servers and URLs, configuring 13-49
session limits and throughput 10-4
SSL Tunnel Client
enabling 13-42
requiring 13-43
SSL VPN Client 15-57
supported applications C-2
supported browsers C-3
supported types of Internet connections C-3
troubleshooting C-9
tunneling protocols 13-8
URL C-3
username and password required C-3
WebVPN session
configuring
SSL 15-34
SSL parameters 15-2
welcome text for IPSec clients, configuring 13-24
wildcard masks 14-7, 14-15, 15-18, 15-20
Windows 2000 client
configure transport mode 14-24
L2TP over IPSec support 13-8, 15-1
Mode Configuration 13-16
WINS, configuring for group 13-53
wireless support See movianVPN client support 15-27
X
XML, configuring as system management protocol 8-9
Z