Cisco Systems VPN 3000

Configuration | Policy Management | Traffic Management | Filters

13-29

VPN 3000 Concentrator Series User Guide

Configuring a filter involves two steps:

1Configuring its basic parameters (name, default action, etc.) by clicking Add Filter, Modify Filter, or

Copy Filter, and

2Assigning rules to a filter by clicking Assign Rules to Filter.

You apply filters to interfaces under Configuration | Interfaces, and these are the most important filters for

security since they govern all traffic through an interface. You also apply filters to groups and users

under Configuration | User Management, and thus govern tunn eled traffic through an interface.

Caution: The Cisco-supplied default filters and rules are intended as temp lates that you should examine and

configure to fit your network and security needs. If incorrectly configured, they could present security

risks. You should also be especially careful about adding rules to the Public (Default) filter, which allows

only tunneled and ICMP traffic.

Figure 13-13: Configuration | Policy Management | Traffic Management | Filters screen

Contents

Main VPN 3000 Concentrator Series User Guide Page CONTENTS Preface 1 Using the VPN 3000 Concentrator Series Manager 2 Configuration 3 Interfaces Page 4 System Configuration 5Servers 6 Address Management 7 Tunneling Proto cols 8IP Routing 9 Managemen t Protocols 10 Events Page 11 General 12 User Management Page 13 Policy Management Page Page 14 Administration Page Page 15 Monitoring Page Page Page Page Page Page Page Page Page Page 16 Using the Command Lin e Interface A Errors and troubleshooting B Copyrights, licenses, and not ices Index Tables Page Preface About this manual Prerequisites Organization Additional Documentation Other references Documentation Conventions Data Formats Contacting Cisco with questions Page Using the VPN 3000 Concentrator Series Manager Browser requirements JavaScript Cookies Navigation toolbar Recommended PC monitor / display settings Connecting to the VPN Concentrator using HTTP Installing the SSL certificate in your browser Installing the SSL certificate with Internet Explorer Page Page Page Page Viewing certificates with Internet Explorer Installing the SSL certificate with Netscape Reinstallation First-time installation Page Page Page Page Viewing certificates with Netscape Page Connecting to the VPN Concentrator using HTTPS Logging in the VPN Concentrator Manager Configuring HTTP, HTTPS, and SSL parameters Understanding the VPN Concentrator Manager window Title bar Status bar Mouse pointer and tips Top frame (Manager toolbar) Main tab Help tab Support tab Page Left frame (Table of contents) Main frame (Manager screen) Organization of the VPN Concentrator Manager Navigating the VPN Concentrator Manager Configuration Configuration Page Interfaces Configuration | Interfaces Page Ethernet 1 (Private), Ethernet 2 (Public), Ethernet 3 (External) WAN Interface in slot N, Port A B Power Supplies Ethernet 1 (Private), Ethernet 2 (Public), Ethernet 3 (External) module in back-panel image WAN Card Slot N module in back-panel image Configuration | Interfaces | Power Page Configuration | Interfaces | Ethernet 1 2 3 Enabled Public Interface MAC Address Speed Duplex RIP Parameters tab Inbound RIP Outbound RIP OSPF Parameters tab OSPF Enabled OSPF Area ID OSPF Priority OSPF Metric OSPF Retransmit Interval OSPF Hello Interval OSPF Dead Interval OSPF Authentication OSPF Password Configuration | Interfaces | WAN Card in Slot N Configuration | Interfaces | WAN Card in Slot N | Port A B | Select T1/E1 T1: up to 24 64-Kbps channels E1: up to 31 64-Kbps channels Configuration | Interfaces | WAN Card in Slot N | Port A B as T1 or E1 IP Parameters tab Enabled Public Interface RIP Parameters tab Inbound RIP Outbound RIP OSPF Parameters tab OSPF Enabled OSPF Area ID OSPF Priority OSPF Metric OSPF Retransmit Interval OSPF Hello Interval OSPF Dead Interval OSPF Authentication OSPF Password WAN Parameters tab Line Coding Line Framing T1 selections: E1 selections: Buildout Clock Source Data Inversion Loopback Times lots PPP Multilink Parameters tab Enable PPP Multilink Page System Configuration Configuration | System Page Servers Configuration | System | Servers Configuration | System | Servers | Authentication Authentication Servers Add / Modify / Delete / Move / Test Configuration | System | Servers | Authentication | Add or Modify Server Type = RADIUS Authentication Server Server Secret Server Type = NT Domain Authentication Server Address Domain Controller Name Server Type = SDI Authentication Server Server Type = Internal Server Add / Cancel Configuration | System | Servers | Authentication | Delete Configuration | System | Servers | Authentication | Test User Name Password Authentication Server Test: Success Authentication Server Test: Authentication Rejected Error Authentication Server Test: Authentication Error Configuration | System | Servers | Accounting Accounting Servers Configuration | System | Servers | Accounting | Add or Modify Accounting Server Server Port Time out Retries Configuration | System | Servers | DNS Page Time out P erio d Timeout Retries Configuration | System | Servers | DHCP DHCP Servers Configuration | System | Servers | DHCP | Add or Modify DHCP Server Server Port Configuration | System | Servers | NTP Configuration | System | Servers | NTP | Parameters Sync Frequency Configuration | System | Servers | NTP | Hosts NTP Hosts Configuration | System | Servers | NTP | Hosts | Add or Modify NTP Host Page Address Management Configuration | System | Address Management 6 Configuration | System | Address Management | Assignment Use Client Address Use Address from Authentication Server Use DHCP Use Address Pools Configuration | System | Address Management | Pools IP Pool Entry 6 Configuration | System | Address Management | Pools | Range Start Range End Page Page Tunneling Protocols Configuration | System | Tunneling Protocols Configuration | System | Tunneling Protocols | PPTP Maximum Tunnel Idle Time Packet Window Size Limit Transmit to Window Max. Tunnels Max. Sessions/Tunnel Packet Processing Delay Configuration | System | Tunneling Protocols | L2TP Maximum Tunnel Idle Time Control Window Size Control Retransmit Interval Control Retransmit Limit Max. Tunnels Configuration | System | Tunneling Protocols | IPSec Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN LAN-to-LAN Connection Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN | No Public Interfaces Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN | Add or Modify Page Name Peer Digital Certificate Preshared Key Authentication IKE Proposal Network Autodiscovery Local Network Wildcard Mask Remote Network Wildcard Mask List Name Generate Local List Add Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN | Add | Done OK Configuration | System | Tunneling Protocols | IPSec | IKE Proposals 7-20 Cisco supplies default IKE proposals that you can use or modify; see Table 7-1. See Proposal Name Parameter IKE-3DES -MD5-RSA IKE-3DES -MD5-RSA -DH1 Active Proposals Inactive Proposals << Activate >> Deactivate Move Up / Move Down Configuration | System | Tunneling Protocols | IPSec | IKE Proposals | Add, Modify, or Copy Proposal Name Authentication Mode Authentication Algorithm Encryption Algorithm Diffie-Hellman Group Lifetime Measurement Data Lifetime Time Lifetime Page IP Routing Configuration | System | IP Routing Configuration | System | IP Routing | Static Routes Static Routes Configuration | System | IP Routing | Static Routes | Network Address Destination Router Address Interface Configuration | System | IP Routing | Default Gateways Default Gateway Tunnel Default Gateway Override Default Gateway Configuration | System | IP Routing | OSPF Router ID Autonomous System Configuration | System | IP Routing | OSPF Areas OSPF Area Configuration | System | IP Routing | OSPF Areas | Add or Modify Area ID Area Summary External LSA Import Configuration | System | IP Routing | DHCP Lease Timeout Listen Port Time out P erio d Configuration | System | IP Routing | Redundancy Enable VRRP Group ID Group Password Role Advertisement Interval 2 (Public) 3 (External) Management Protocols Configuration | System | Management Protocols Configuration | System | Management Protocols | FTP Configuration | System | Management Protocols | HTTP/HTTPS Enable HTTP Enable HTTPS HTTP Port HTTPS Port Configuration | System | Management Protocols | TFTP Time out Configuration | System | Management Protocols | Telnet Enable Telnet Enable Telnet/SSL Teln et Por t Telnet/SSL Port Configuration | System | Management Protocols | SNMP Maximum Queued Requests Configuration | System | Management Protocols | SNMP Communities Community Strings Configuration | System | Management Protocols | SNMP Communities | Add or Modify Community String Configuration | System | Management Protocols | SSL Page Encryption Protocols Client Authentication SSL Version Generated Certificate Key Size Page Events Event class Page Page Event severity level Event log Event log data Configuration | System | Events Configuration | System | Events | General Save Log on Wrap Save Log Format FTP Saved Log on Wrap Email Source Address Syslog Format Severity to Log Severity to Console Severity to Syslog Severity to Email Severity to Trap Configuration | System | Events | FTP Backup FTP S erv er FTP Directory FTP Username FTP P ass word Configuration | System | Events | Classes Configured Event Classes Configuration | System | Events | Classes | Add or Modify Class Name Severity to Log Severity to Console Severity to Syslog Severity to Email Severity to Trap Configuration | System | Events | Trap Destinations Trap Destinations Configuration | System | Events | Trap Destinations | Destination SNMP Version Community Configuration | System | Events | Syslog Servers Syslog Servers Configuration | System | Events | Syslog Servers | Add or Modify Syslog Server Facility Configuration | System | Events | SMTP Servers SMTP Servers Configuration | System | Events | SMTP Servers | Add or Modify SMTP Server Configuration | System | Events | Email Recipients Email Recipients Configuration | System | Events | Email Recipients | Email Address Max Severity Page Page General Configuration | System | General 11 Configuration | System | General | Identification System Name Contact Location Configuration | System | General | Time and Date Current Time New Time Enable DST Support Page User Management Page Configuration | User Management Configuration | User Management | Base Group Page Minimum Password Length Allow Alphabetic-Only Passwords Primary DNS Secondary DNS Primary WINS Secondary WINS SEP Card Assignment Page Tunnel Type Remote Access Parameters Group Lock Mode Configuration Mode Configuration Parameters Banner Allow Password Storage on Client Split Tunneling Network List Default Domain Name IPSec through NAT IPSec through NAT UDP Port Page PPTP Encryption L2TP Encryption Page Configuration | User Management | Groups Current Groups Page Configuration | User Management | Groups | Add or Modify (Internal) Identity Parameters tab Group Name Password Type Page Minimum Password Length Allow Alphabetic-Only Passwords Primary DNS Secondary DNS Primary WINS Secondary WINS Page Page Tunnel Type Remote Access Parameters Group Lock Mode Configuration Mode Configuration Parameters Banner Allow Password Storage on Client Split Tunneling Network List Default Domain Name IPSec through NAT IPSec through NAT UDP Port Page PPTP Encryption L2TP Encryption Configuration | User Management | Groups | Modify (External) Group Name Password Type Configuration | User Management | Users Current Users Configuration | User Management | Users | Add or Modify Identity Parameters tab Page Page Page Page Store Password on Client Page Page Page Page Policy Management Configuration | Policy Management Configuration | Policy Management | Access Hours Current Access Hours Configuration | Policy Management | Access Hours | Name Sunday - Saturday Configuration | Policy Management | Traffic Management Network Lists Add / Modify / Copy / Delete Network Lists | Add, Modify, or Copy List Name Generate Local List Configuration | Policy Management | Traffic Management | Rules Filter Rules Page Add / Modify / Copy / Delete Configuration | Policy Management | Traffic Management | Rules | Add, Modify, or Copy Page Rule Name Direction event class). See note below. Protocol or Other TCP Connection Source Address Wildcard-mask Destination Address Wildcard-mask TCP/UDP Source Port Port or Range TCP/UDP Destination Port Port or Range ICMP Packet Type Configuration | Policy Management | Traffic Management | Rules | Delete Configuration | Policy Management | Traffic Management | Security Associations Page Page Configuration | Policy Management | Traffic Management | Security Associations | Add or Modify SA Name Inheritance IPSec Parameters Authentication Algorithm Encryption Algorithm Encapsulation Mode Perfect Forward Secrecy Lifetime Measurement Data Lifetime Time Lifetime IKE Parameters IKE Peer Negotiation Mode Digital Certificate IKE Proposal Configuration | Policy Management | Traffic Management | Security Associations | Delete Configuration | Policy Management | Traffic Management | Filters Page Filter List Add Filter Assign Rules to Filter Modify Filter Copy Filter Configuration | Policy Management | Traffic Management | Filters | Add, Modify, or Copy Filter Name Default Action event class). See note below. Source Routing Fragments Description Configuration | Policy Management | Traffic Management | Assign Rules to Filter Filter Name: Current Rules in Filter Available Rules << Add << Insert Above >> Remove Configuration | Policy Management | Traffic Management | Assign Rules to Filter | Add SA to Rule Add SA to Rule on Filter: Apply Configuration | Policy Management | Traffic Management | Assign Rules to Filter | Change SA on Rule Change SA on Rule in Filter: Configuration | Policy Management | Traffic Management | NAT Configuration | Policy Management | Traffic Management | NAT | Enable Configuration | Policy Management | Traffic Management | NAT | Rules NAT Rules NAT | Rules | No Public Interfaces Configuration | Policy Management | Traffic Management | NAT | Rules | Add or Modify Private Address Page Administration Administration Page Administration | Sessions Logout All: PPTP | L2TP | IPSec User | L2TP/IPSec | IPSec/NAT | IPSec/LAN-to-LAN Session Summary table Active LAN-to-LAN Sessions Active Remote Access Sessions Active Management Sessions LAN-to-LAN Sessions table Remote Access Sessions table Management Sessions table Protocol, Encryption, Login Time, Duration, Actions Configuration locked by Administration | Sessions | Detail Page Page Page Back to Sessions Administration | Sessions | Detail parameters Page Administration | Software Update Current Software Revision Browse... Upload Software Update Progress Software Update Success Software Update Error Administration | System Reboot Configuration When to Reboot/Shutdown Administration | Ping Address/Hostname to Ping Ping / Cancel Success (Ping) Error (Ping) Administration | Monitoring Refresh Refresh Period Administration | Access Rights Administration | Access Rights | Administrators Group Number Properties / Modify Administrator Administration | Access Rights | Administrators | Modify Properties Password Access Rights General SNMP Files Apply / Default / Cancel Administration | Access Rights | Access Control List Manager Workstations Administration | Access Rights | Access Control List | Priority (Modify screen only) IP Mask Access Group Administration | Access Rights | Access Settings Session Idle Timeout Session Limit Encrypt Config File Administration | File Management Administration | File Management | Files Total, Used, Free KB Filename Size (bytes) Date/Time Actions View (Save) Delete Copy Administration | File Management | Swap Configuration Files Administration | File Management | TFTP Transfer Concentrator File TFTP Server TFTP Server File Success (TFTP) Error (TFTP) Administration | Certificate Management Page Installing digital certificates on the VPN Concentrator Administration | Certificate Management | Enrollment Common Name (CN) Organizational Unit (OU) Organization (O) Locality (L) State/Province (SP) Country (C) Subject Alternative Name (Fully Qualified Domain Name) Key Size Administration | Certificate Management | Enrollment | Request Generated Enrolling with a Certificate Authority Administration | Certificate Management | Installation Certificate Type Certificate Password Local File / Browse Administration | Certificate Management | Certificates Certificate Authorities Identity Certificates SSL Certificate / [ Generate ] Subject / Issuer Expiration Actions / View / CRL / Delete Administration | Certificate Management | Certificates | View Subject Issuer CN= Serial Number Signing Algorithm Public Key Type Certificate Usage MD5 Thumbprint Administration | Certificate Management | Certificates | CRL Certificate Enable CRL Checking Server Page Administration | Certificate Management | Certificates | Delete Page Monitoring Monitor Monitor | Routing Table Valid Routes Address Mask Next Hop Age Monitor | Event Log Select Filter Options Event Class Severities Client IP Address Events/Page First Page Previous Page Next Page Last Page Get Log Clear Log Event log format Event sequence Event date Event time Event class / number Event repeat Event IP address Event string Monitor | System Status Page Page Monitor | System Status | Ethernet Interface Rx Unicast Tx Unicast Rx Multicast Tx Multicast Rx Broadcast Monitor | System Status | Dual T1/E1 WAN Slot N T1/E1 Statistics Slot Port Status Up Time Seconds Errored Seconds Severely Errored Seconds Synchronous Statistics Page Page Monitor | System Status | Power CPU Power Supply A, B Board 1.9/2.5V Status, 3.3V Status, 5V Status Monitor | System Status | SEP SEP redundancy SEP DSP Code Version Inbound Hash: Octets / Packets Outbound Hash: Octets / Packets Encrypted: Octets / Packets Decrypted: Octets / Packets Page Page Monitor | System Status | LED Status [LED selector button] Monitor | Sessions Session Summary table LAN-to-LAN Sessions table Remote Access Sessions table Management Sessions table [ LAN-to-LAN Sessions | Remote Access Sessions ] Administrator Protocol, Encryption, Login Time, Duration Monitor | Sessions | Detail Page Page Page Back to Sessions Monitor | Sessions | Detail parameters Page Monitor | Sessions | Protocols Bar Graph Percentage Monitor | Sessions | SEPs Active Sessions Total Sessions SEP Monitor | Sessions | Encryption Bar Graph Percentage Monitor | Sessions | Top Ten Lists Monitor | Sessions | Top Ten Lists | Data Page Monitor | Sessions | Top Ten Lists | Duration Login Time Monitor | Sessions | Top Ten Lists | Throughput Login Time Avg. Throughput (bytes/sec) Monitor | Statistics Monitor | Statistics | PPTP Total Tunnels Active Tunnels Maximum Tunnels Page Page Flow Monitor | Statistics | L2TP Page Rx Packets Control / Data Rx Discards Control / Data Tx Octets Control / Data Tx Packets Control / Data L2TP Sessions Page Monitor | Statistics | IPSec IKE (Phase 1) Statistics Page Page IPSec (Phase 2) Statistics Page System Capability Failures No-SA Failures Protocol Use Failures Monitor | Statistics | HTTP Octets Sent Octets Received Monitor | Statistics | Events Event Class Event Number Count of Events Monitor | Statistics | Telnet Active Sessions Attempted Sessions Successful Sessions Telnet Sessions Monitor | Statistics | DNS Monitor | Statistics | Authentication Server IP Address:Port Requests Retransmissions Accepts Page Monitor | Statistics | Accounting Monitor | Statistics | Filtering Page Monitor | Statistics | VRRP VRID Errors VRID Virtual Routers Interface: 1 (Private), 2 (Public), 3 (External) Status Page Monitor | Statistics | SSL Monitor | Statistics | DHCP Monitor | Statistics | Address Pools Max Allocated Addresses Monitor | Statistics | MIB-II Monitor | Statistics | MIB-II | Interfaces Page Monitor | Statistics | MIB-II | TCP/UDP Page Monitor | Statistics | MIB-II | IP Page Page Monitor | Statistics | MIB-II | RIP Global Route Changes Global Queries Interfaces Interface Address Page Monitor | Statistics | MIB-II | OSPF Page Interface Address Interface Name Designated Router Backup Designated Router Neighbors Router ID State Areas Area ID SPF Runs AS Border Routers Area Border Routers External LSAs Monitor | Statistics | MIB-II | ICMP Total Received / Transmitted Errors Received / Transmitted Destination Unreachable Received / Transmitted Page Address Mask Requests Received / Transmitted Address Mask Replies Received / Transmitted Monitor | Statistics | MIB-II | ARP Table Physical Address Mapping Type Action / Delete Monitor | Statistics | MIB-II | Ethernet Page Monitor | Statistics | MIB-II | SNMP Page Page Using the Command Line Interface Accessing the CLI Console access Telnet or Telnet/SSL access Starting the CLI Using the CLI Choosing menu items Entering values Specifying configured items Navigating quickly through the CLI Using shortcut numbers Using Back and Home Getting Help Information Saving the configuration file Stopping the CLI Understanding CLI access rights CLI menu reference Main menu 1 Configuration 16-9 1.1 Configuration > Interface Configuration Model 3005 only 1.1.1, 1.1.2, or 1.1.3 Configuration > Interface Configuration > Configure Ethernet #1 or #2 or #3 Only 1.1.1 and 1.1.2 on Model 3005 1.1.4 Configuration > Interface Configuration > Configure Power Supplies 1.1.3 Configuration > Interface Configuration > Configure Power Supplies Model 3005 only 1.1.5 Configuration > Interface Configuration > Configure Expansion Cards 1.1.4 Configuration > Interface Configuration > Configure Expansion Cards Model 3005 only 1.2.1 Configuration > System Management > Servers 1.2.2 Configuration > System Management > Address Management 1.2.3 Configuration > System Management > Tunneling Protocols Note: The CLI does not include IPSec LAN-to-LAN configuration. 1.2.4 Configuration > System Management > IP Routing 1.2.5 Configuration > System Management > Management Protocols 1.2.6 Configuration > System Management > Event Configuration 1.2.7 Configuration > System Management > General Config 1.3 Configuration > User Management 16-13 1.3.1 Configuration > User Management > Base Group 1.3.2 Configuration > User Management > Groups 1.3.3 Configuration > User Management > Users 1.4 Configuration > Policy Management 16-14 2 Administration 2.1 Administration > Administer Sessions 16-15 2.3 Administration > System Reboot 2.3.2 Administration > System Reboot > Schedule Reboot 2.3.3 Administration > System Reboot > Schedule Shutdown 2.5 Administration > Access Rights 2.5.1 Administration > Access Rights > Administrators 2.5.2 Administration > Access Rights > Access Control List 2.5.3 Administration > Access Rights > Access Settings 2.6 Administration > File Management 2.6.6 Administration > File Management > Swap Configuration File 16-17 2.7 Administration > Certificate Management 2.7.2 Administration > Certificate Management > Installation 2.7.3 Administration > Certificate Management > Certificate Authorities 2.7.4 Administration > Certificate Management > Identity Certificates 16-18 3 Monitoring 3.1 Monitoring > Routing Table 16-19 3.2 Monitoring > Event Log 3.2.2 Monitoring > Event Log > View Event Log 3.3 Monitoring > System Status 3.3.2 Monitoring > System Status > View Card Status Model 3005 only 3.4 Monitoring > Sessions Model 3005 only 3.4.1 Monitoring > Sessions > View Session Statistics 3.4.2 Monitoring > Sessions > View Top Ten Lists 3.4.3 Monitoring > Sessions > View Session Protocols 3.4.4 Monitoring > Sessions > View Session SEPs 3.4.5* Monitoring > Sessions > View Session Encryption 3.5 Monitoring > General Statistics 3.5.1 Monitoring > General Statistics > Protocol Statistics 16-22 3.5.2 Monitoring > General Statistics > Server Statistics End of Chapter 3.5.3 Monitoring > General Statistics > Event Statistics 3.5.4 Monitoring > General Statistics > MIB II Statistics APPENDIX A Errors and troubleshooting Files for troubleshooting Event logs Crash dump file VPN Concentrator Manager errors Browser Back or Forward button displays an incorrect screen or incorrect data Browser Refresh / Reload button logs out the Manager Invalid Login or Session Timeout Error / An error has occurred while attempting to perform... You are using an old browser or have disabled JavaScript Not Allowed / You do not have sufficient authorization... Not Found / An error has occurred while attempting to access... Microsoft Internet Explorer Script Error: No such interface supported Command Line Interface errors ERROR:-- Bad IP Address/Subnet Mask/Wildcard Mask/Area ID. ERROR:-- The Passwords do not match. Please try again. ERROR:-- Out of Range value entered. Try again. Page VPN Concentrator LEDs (front) VPN Concentrator LEDs (rear) SEP (Scalable Encryption Processing) Module LEDs (Model 30153080 only) WAN Interface Module LEDs Page Page APPENDIX B-1 B Copyrights, licenses, and notices Software License Agreement of Cisco Systems, Inc. Ownership of the Software Grant of License Limited Warranty B-3 Other licenses BSD software B-4 DHCP client DNS Resolver (client) B-5 IPSec B-6 LDAP Outline style table of contents in JavaScript B-7 RSA software SecureID Server SNMP Client SNMP B-8 SSL Plus TCP compression / uncompression Teln et ser ver Regulatory Agency Notices B-10 Notice to Users of Certified Component Devices Port ID REN/SOC FIC USOC Port 0, 1 6.0N 04DU9-1SN RJ48C Regulatory Agency Notices B-11 Affidavit (Appendix A) ____________________________________________ B-12 WAN Module: CS03 Canadian Requirements Equipment Attachment Limitations End of Appendix INDEX Numerics A B C D E F G H I J L M N O P Q R S T U V W X Y