Manuals / Cisco Systems / Household Appliance / Home Safety Product

Cisco Systems VPN 3002 manual Network Extension Mode with Split Tunneling, 11-3

Models: VPN 3002

1 282

Download 282 pages 2.25 Kb

Page 121

Network Extension Mode with Split Tunneling

Chapter 11 Policy Management

Network Extension Mode

Network Extension Mode with Split Tunneling

You always assign the VPN 3002 to a client group on the central-site VPN Concentrator. If you enable split tunneling for that group, IPSec operates on all traffic that travels through the VPN 3002 to networks within the network list for that group behind the central-site VPN Concentrator. PAT does not apply.

Traffic from the VPN 3002 to any other destination than those within the network list on the central-site VPN Concentrator travels in the clear without applying IPSec. NAT translates the network addresses of the devices on the VPN 3002 private network to the address of the VPN 3002 public interface. Thus the network and addresses on the private side of the VPN 3002 are accessible over the tunnel, but are protected from the Internet, that is, they cannot be accessed directly.

VPN 3000 Series Concentrator Settings Required for Network Extension Mode

For the VPN 3002 to use Network Extension mode, these are the requirements for the central-site VPN Concentrator.

1.The VPN Concentrator at the central site must be running Software version 3.0 or later.

2.Configure a group to which you assign this VPN 3002. This includes assigning a group name and password. See Chapter 14, User Management, in the VPN 3000 Series Concentrator Reference Volume I.

3.Configure one or more users for the group, including usernames and passwords.

4.Configure either a default gateway or a static route to the VPN 3002 private network. See Chapter 8, “IP Routing” in the VPN 3000 Series Concentrator Reference Volume I.

5.If you want the VPN 3002 to be able to reach devices on other networks that connect to this VPN Concentrator, review your Network Lists. See Chapter 15, “Policy Management” in the VPN 3000 Series Concentrator Reference Volume I.

VPN 3002 Hardware Client Reference

	OL-1893-01	11-3

Image 121

Cisco Systems VPN 3002 manual Network Extension Mode with Split Tunneling, 11-3

Contents

Corporate Headquarters Release NovemberCisco Systems, Inc 170 West Tasman Drive San Jose, CACopyright 2001, Cisco Systems, Inc VPN 3002 Hardware Client ReferenceSystem Configuration ConfigurationConfiguration | System C O N T E N T SConfiguration | System | Tunneling Protocols Configuration | System | Servers | DNSConfiguration | System | IP Routing Configuration System Management ProtocolsAdministration Configuration | Policy ManagementAdministration | Ping Administration | Access RightsMonitoring | Routing Table MonitoringMonitoring | Live Event Log Monitoring | System StatusLED Indicators Files for Troubleshooting A-1Monitoring | Statistics | MIB-II Monitoring | Statistics | MIB-II| IPContents viii78-13782-01 Prerequisites PrefaceOrganization ChapterTitle ChapterDescription ChapterVPN 3002 Hardware Client Documentation Related DocumentationVPN 3000 Series Concentrator Documentation VPN Client DocumentationOther References Documentation conventionsConvention boldface fontData Formats Obtaining DocumentationWorld Wide Web Documentation CD-ROMOrdering documentation Obtaining technical assistanceDocumentation feedback Cisco.comTechnical Assistance Center Contacting TAC by using the Cisco TAC websiteContacting TAC by telephone VPN 3002 Hardware Client Reference Preface Obtaining technical assistanceOL-1893-01 VPN 3002 Hardware Client Browser Requirements Using the VPN 3002 Hardware Client ManagerC H A P T E R Recommended PC Monitor/Display Settings Connecting to the VPN 3002 Using HTTPJavaScript and Cookies Navigation ToolbarInstalling the SSL Certificate in Your Browser Installing the SSL Certificate in Your BrowserVPN 3002 Hardware Client Reference OL-1893-01Figure 1-2Install SSL Certificate Screen 4.Click Install Certificate 5.Click Next to continue 7.Click Finish Viewing Certificates with Internet Explorer Installing the SSL Certificate with Netscape First-timeInstallation Reinstallation1-10 2.Click Next> to proceed 1-111-12 1-13 8.Click Continue1-14 Viewing Certificates with NetscapeClick OK when finished 1-15Configuring HTTP, HTTPS, and SSL Parameters Connecting to the VPN 3002 Using HTTPS1-16 1-17 Logging into the VPN 3002 Hardware Client ManagerFigure 1-27Manager Main Welcome Screen 1-18Logging into the VPN 3002 Hardware Client Manager VPN 3002 Hardware Client ReferenceIndividual User Authentication Interactive Hardware Client Authentication1-19 VPN 3002 Hardware Client Reference1-20 Step 1 Click the Connection Login Status buttonThe Connection/Login Status screen displays Step 1 Click the Connect Now buttonFigure 1-31Connection Login Status Screen 1-21Step 2 Click Connect Figure 1-32Individual User Authentication Screen 1-22Figure 1-33Connection/Login Status Screen VPN 3002 Hardware Client Reference 1-23OL-1893-01 Status bar Title barMouse pointer and tips Top frameRestore ResetTable of Contents ConfigurationMain frame Open or expandedManager screen 1-26–Interfaces: Ethernet parameters 1-271-28 Navigating the VPN 3002 Hardware Client ManagerFigure 1-35Manager Table of Contents Configuration ConfigurationC H A P T E R VPN 3002 Hardware Client Reference Chapter 2 Configuration ConfigurationOL-1893-01 Interfaces Configuration | InterfacesC H A P T E R Ethernet 1 Private, Ethernet 2 Public InterfaceDNS Servers DNS Domain NameStatus Default GatewayIP Address Subnet MaskDisabled Configuration | Interfaces | PrivateStatic IP Addressing IP AddressSubnet Mask Apply/CancelSpeed DuplexDHCP Client Configuration | Interfaces | PublicPPPoE Client DisabledVerify PPPoE Password PPPoE PasswordPPPoE User Name Static IP AddressingDuplex Apply / CancelReminder Configuration | System System ConfigurationC H A P T E R Configuration | System Chapter 4 System ConfigurationVPN 3002 Hardware Client Reference OL-1893-01Configuration | System | Servers | DNS Configuration | System | ServersServers C H A P T E RDomain EnabledPrimary DNS Server Secondary DNS ServerTimeout Retries Timeout PeriodApply / Cancel Configuration | System | Servers | DNSChapter Configuration | System | Servers | DNSVPN 3002 Hardware Client Reference OL-1893-01C H A P T E R TunnelingConfiguration System Tunneling Protocols Remote Server Backup ServersAbout Backup Servers IPSec over TCP Port IPSec over TCPCertificate Transmission Use CertificateGroup About IPSec over TCPUser PasswordVerify PasswordVPN 3002 Hardware Client Reference ChapterOL-1893-01 TunnelingIP Routing Configuration | System | IP RoutingC H A P T E R Add / Modify / Delete Static RoutesReminder Chapter 7 IP RoutingMetric Network AddressSubnet Mask Destination Add or Apply / CancelDestination Router Address InterfaceApply / Cancel Default GatewayMetric ReminderLease Timeout Configuration | System | IP Routing | DHCPAddress Pool Start/End EnabledAdd/Modify/Delete DHCP OptionApply/Cancel ReminderDHCP Option Option ValueReminder Nonconfigurable DHCP Options Chapter 7 IP Routing 7-10VPN 3002 Hardware Client Reference OL-1893-01Management Protocols Configuration | System | Management ProtocolsC H A P T E R About HTTP/HTTPS Enable HTTPEnable HTTPS on Public Enable HTTPSHTTP Port HTTPS PortChapter 8 Management Protocols Enable TelnetVPN 3002 Hardware Client Reference Telnet Port Enable Telnet/SSLTelnet/SSL Port Maximum ConnectionsSNMP Port Enable SNMPMaximum Queued Requests Apply / CancelReminder Communities | Add or Modify Community StringsAdd/Modify/Delete ReminderAdd or Apply / Cancel Community StringReminder Related information 8-10Encryption Algorithms Client Authentication8-11 Generated Certificate Key Size SSL Version8-12 Apply/CancelChapter 8 Management Protocols 8-13VPN 3002 Hardware Client Reference OL-1893-01Enable SSH on Public Enable SSHSSH Port Key Regeneration PeriodApply / Cancel 8-15To apply your SSH settings, and to include your settings in the active configuration, click Apply. The Manager returns to the Configuration | System | Management Protocols screen Reminder8-16 Enable XMLEnable HTTPS on Public Chapter 8 Management ProtocolsHTTPS Wildcard-mask HTTPS IP AddressSSH IP Address SSH Wildcard-maskChapter 8 Management Protocols 8-18VPN 3002 Hardware Client Reference OL-1893-01Event Class EventsClass Description Event Source Class NameClass Name Class Description Event SourceCisco-specificEvent Class EVENTMIBLevel Event Severity LevelCategory DescriptionEvent Log Data Event LogConfiguration System Events General Configuration | System | EventsFigure 9-1Configuration | System | Events Screen String Syslog FormatSeverity to Console Severity to LogSeverity to Syslog Cisco IOS SeverityConfigure either General event Configuration | System | Events | ClassesSeverity to Trap To send this “well-known”Add/Modify/Delete Configured Event ClassesReminder Class Name EnableModify screen 9-109-11 Add or Apply/CancelSeverity to Console Severity to Syslog9-12 Trap DestinationsAdd/Modify/Delete ChapterCommunity SNMP Version9-13 DestinationPort Configuration System Events Syslog Servers9-14 Add or Apply/Cancel9-15 Syslog ServersAdd/Modify/Delete ReminderFacility Syslog Server9-16 PortAdd or Apply/Cancel 9-17To add this server to the list of syslog servers, click Add. Or to apply your changes to this syslog server, click Apply. Both actions include your entry in the active configuration. The Manager returns to the Configuration | System | Events | Syslog Servers screen. Any new server appears in the Syslog Servers list ReminderChapter 9-18VPN 3002 Hardware Client Reference OL-1893-01General Configuration | System | General10-1 C H A P T E RSystem Name Configuration | System | General | IdentificationContact LocationEnable DST Support Configuration | System | General | Time and DateCurrent Time New TimeConfiguration | System | General | Time and Date 10-4Reminder Chapter 10 GeneralClient Mode/PAT Policy ManagementClient Mode with Split Tunneling 11-111-2 Network Extension ModeChapter 11 Policy Management Network Extension Mode11-3 Network Extension Mode with Split TunnelingData Initiation Tunnel InitiationStep 2 Click Connect Now 11-4Traffic Management Configuration | Policy ManagementMode Tunneling PolicyManagement | PAT Configuration Policy Management Traffic11-6 Enable11-7 PAT EnabledApply/Cancel ReminderChapter 11 Policy Management 11-8VPN 3002 Hardware Client Reference OL-1893-01Administration Administration12-1 C H A P T E R12-2 Administration | Software UpdateFigure 12-1Administration Screen Current Software Revision Upload/CancelBrowse 12-3Software Update Success Software Update ProgressSoftware Update Error 12-412-5 Administration | System RebootChapter 12 Administration Administration | System RebootAction Configuration12-6 Figure 12-6Administration | System Reboot ScreenWhen to Reboot/Shutdown Administration | Ping12-7 Apply/CancelError Ping Ping/CancelAddress/Hostname to Ping Success PingAdministration | Access Rights | Administrators Administration | Access Rights12-9 Figure 12-10Administration | Access Rights ScreenPassword AdministratorVerify 12-10Session Idle Timeout Administration | Access Rights | Access SettingsEncrypt Config File Session LimitView Save Administration | File ManagementDelete 12-12Config File Upload via HTTP Swap Config FilesOK/Cancel 12-13File Upload Progress Local Config File/Browse12-14 Upload/CancelFile Upload Success File Upload Error12-15 Certificate Management Enrolling and Installing Digital Certificates12-16 12-17 12-18 12-19 Installing CA Certificates ManuallyRecommended Content Enrolling and Installing Identity CertificatesAbbrev Field NameVerify Challenge Password 12-2112-22 Step 5 Fill in the fields and click Enroll. For information on the fields on this screen, see Table 12-1.The VPN 3002 sends the certificate request to the CA 12-2312-24 Step 5 Fill in the fields and click Enroll. For information on the fields on this screen, see Table 12-1.The Manager displays the Administration | Certificate Management | Enrollment | Request Generated screen. See Figure 12-25Certificate Obtained via Enrollment Screen 12-2612-27 Obtaining SSL Certificates 12-29 Enabling Digital Certificates on the VPN12-30 Deleting Digital CertificatesCertificate Authority Administration | Certificate Management12-31 Certificate Authorities Table ContentIdentity Certificates Table Fields12-33 SSL Certificate Table GenerateContent 12-34Subject/Issuer FieldsRemove All Enrollment Status Table12-35 ContentContent 12-36Field StatusIdentity Certificate Administration | Certificate Management | EnrollSSL Certificate 12-37Type Install a New SA Using SCEP before EnrollingEnroll via PKCS10 Request Manual Enroll via SCEP at Name of SCEP CAFields Enroll / Cancel12-39 Go to Certificate Enrollment Go to Certificate Management12-40 Chapter 12 Administration12-41 Go to Certificate InstallationFields Enroll / Cancel 12-42Chapter 12 Administration VPN 3002 Hardware Client ReferenceEnroll Cancel12-43 FieldsInstall CA Certificate Administration | Certificate Management | InstallInstall SSL Certificate with Private Key Install Certificate Obtained via EnrollmentEnrollment Status Table 12-45Certificate Obtained via Enrollment Screen Cut & Paste Text SCEP Simple Certificate Enrollment ProtocolUpload File from Workstation 12-46CA Descriptor Retrieve / Cancel12-47 Certificate Text Install / Cancel12-48 Password12-49 Filename / BrowsePassword Install / Cancel12-50 Administration | Certificate Management | ViewChapter 12 Administration Administration | Certificate Management | View12-51 Certificate FieldsContent Field12-52 BackContent FieldConfigure CA Certificate Administration | Certificate Management |SCEP Configuration CertificatePolling Limit Administration | Certificate Management | Renewal12-54 Apply / CancelVerify Challenge Password Challenge PasswordRenew / Cancel Renewal TypeGo to Certificate Installation 12-56Status Go to Certificate Management12-57 Administration | Certificate Management | DeleteFields Yes / No View Enrollment Request12-58 Administration | Certificate Management |12-59 Enrollment Request FieldsContent Field12-60 Cancel Enrollment RequestAdministration Certificate Management Content12-61 Delete Enrollment RequestAdministration | Certificate Management | FieldsFields 12-62Yes / No To delete this enrollment request, click Yes13-1 MonitoringC H A P T E R Figure 13-1Monitoring ScreenClear Routes Monitoring | Routing TableValid Routes AddressMetric Monitoring | Filterable Event Log13-3 Event Class Select Filter OptionsSeverities Client IP AddressGet Log Event Log FormatClear Log There is no undoEvent Time Monitoring | Live Event LogEvent Severity Event Class/NumberPause Display/Resume Display TimerClear Display RestartRestore ResetMonitoring | System Status 13-8Refresh Bootcode RevVPN Client Type Software RevTunnel Established to AuthenticationDuration Security AssociationsBack Panel Front PanelOther 13-11Restore 13-12Refresh BackTx Unicast Rx UnicastRx Multicast Tx MulticastLogin Time Cisco IP Phone Bypass Enabled/DisabledMonitoring | User Status Username13-15 Monitoring | Statistics13-16 Monitoring Statistics IPSecReset RestoreActive Tunnels IKE Phase 1 StatisticsTotal Tunnels Received BytesSent Phase-2Exchanges Received Phase-2ExchangesInvalid Phase-2Exchanges Received Invalid Phase-2Exchanges SentAuthentication Failures Phase-2SA Delete Requests SentInitiated Tunnels Failed Initiated TunnelsReceived Packets Dropped Anti-Replay IPSec Phase 2 Statistics13-20 Active TunnelsFailed Inbound Authentications Inbound AuthenticationsOutbound Authentications Failed Outbound AuthenticationsProtocol Use Failures Monitoring Statistics HTTP13-22 System Capability FailuresPackets Sent/Received Octets Sent/ReceivedPackets Sent Sockets/Sessions PeakLogin Time Login NameHTTP Sessions Max ConnectionsActive Sessions Monitoring | Statistics | Telnet13-25 ResetAttempted Sessions Inbound Octets CommandSuccessful Sessions Telnet SessionsRequests Monitoring | Statistics | DNSResponses 13-27Monitoring | Statistics | SSL TimeoutsServer Unreachable Other FailuresEncrypted Inbound Octets Unencrypted Inbound OctetsUnencrypted Outbound Octets Encrypted Outbound OctetsActive Leases Monitoring | Statistics | DHCPMaximum Active Leases 13-30Pool End Pool StartLeased IP Address Time Left13-32 Monitoring | Statistics | SSHReset RestoreRemote IP Address:Port SSH Sessions13-33 Login NamePackets In/Out Monitoring | Statistics | NAT13-34 ResetTranslations Active NAT SessionsTranslations Peak Translations TotalTranslated Bytes/Packets Monitoring | Statistics | PPPoE13-36 ResetPADI Timeouts PPPoE Access ConcentratorPADR Timeouts User NamePADT Rx Generic Errors RxPADT Tx Malformed Packets Rx13-39 Monitoring | Statistics | MIB-II13-40 Monitoring | Statistics | MIB-II| InterfacesReset RestoreUnicast Out Unicast InMulticast In Multicast OutTCP Segments Received Monitoring | Statistics | MIB-II| TCP/UDP13-42 ResetTCP Timeout Max TCP Timeout MinTCP Segments Transmitted TCP Segments RetransmittedUDP Errored Datagrams TCP Established ResetsTCP Current Established UDP Datagrams Received13-45 Monitoring | Statistics | MIB-II| IPReset RestorePackets Received Address Errors Packets Received Header ErrorsPackets Received Total Packets Received Unknown ProtocolsReassembly Successes Fragments Needing ReassemblyReassembly Failures Outbound Packets with No RouteTotal Received/Transmitted Monitoring Statistics MIB-II ICMP13-48 ResetParameter Problems Received/Transmitted Errors Received/TransmittedDestination Unreachable Received/Transmitted Time Exceeded Received/TransmittedTimestamp Replies Received/Transmitted Timestamp Requests Received/TransmittedAddress Mask Requests Received/Transmitted Address Mask Replies Received/Transmitted13-51 Monitoring | Statistics | MIB-II| ARP TableRefresh Chapter 13 MonitoringMapping Type Physical AddressAction/Delete 13-5213-53 Monitoring | Statistics | MIB-II| EthernetReset RestoreFCS Errors Alignment ErrorsCarrier Sense Errors SQE Test ErrorsMAC Errors: Receive MAC Errors: TransmitExcessive Collisions Speed MbpsRequests Received Monitoring | Statistics | MIB-II| SNMPBad Version 13-56Bad Community String Parsing ErrorsSilent Drops Proxy DropsChapter 13 Monitoring 13-58Monitoring | Statistics | MIB-II| SNMP VPN 3002 Hardware Client ReferenceAccessing the Command-lineInterface Using the Command-LineInterfaceConsole Access 14-1Telnet or Telnet/SSL access Starting the Command-lineInterface14-2 Choosing Menu Items Using the Command-lineInterfaceEntering Values 14-3Navigating Quickly Using Shortcut Numbers14-4 Getting Help Information Using Back and Home14-5 Stopping the Command-lineInterface Saving the Configuration FileUnderstanding Access Rights 14-61.1 Configuration > Quick Configuration 1Configuration1.2 Configuration > Interface Configuration Menu Reference1.3.1Configuration > System Management > Servers 1.3Configuration > System Management1.4Configuration > Policy Management 2Administration2.1 Administration > Software Update 2.3Administration > Ping 2.2Administration > System Reboot2.4Administration Access Rights 14-102.6Administration > Certificate Management 2.5 Administration > File Management3 Monitoring 3.2Monitoring > Event Log 3.1 Monitoring > Routing Table3.2.2 Monitoring > Event Log > View Event Log 3.3 Monitoring > System Status3.5Monitoring > General Statistics 3.4 Monitoring > User StatusFiles for Troubleshooting Troubleshooting and System ErrorsEvent Logs Crash Dump FileConfiguration Files LED IndicatorsVPN 3002 Front LEDs Crash Dump FileProblem or Symptom System ErrorsPossible Solution VPN 3002 Rear LEDsSeries Concentrator Reference Volume Settings on the VPN Concentratorthe VPN 3002 Hardware Client User Reference on Connect NowInvalid Login or Session Timeout VPN 3002 Hardware Client Manager ErrorsSolution ProblemLogin Manager Logs OutIncorrect Display Error MessageBack or Forward on Possible causeProblem Not Allowed MessageSolution Possible causeinterface supported Not FoundProblem SolutionError Command-lineInterface ErrorsA-10 ProblemI N D E NumericsIN-1 IN-2 See CLIerrors A-10 help commandIN-3 IN-4 IN-5 IN-6 IN-7 IN-8 See also tunnelIN-9 IN-10 IN-11 Index IN-12VPN 3002 Hardware Client Reference OL-1893-01