Manuals / Cisco Systems / Household Appliance / Home Safety Product

Cisco Systems VPN 3002 manual 8-10, Related information

Models: VPN 3002

1 282

Download 282 pages 2.25 Kb

Page 88

8-10

Chapter 8 Management Protocols

Configuration System Management Protocols SSL

Configuration System Management Protocols SSL

This screen lets you configure the VPN 3002 SSL (Secure Sockets Layer) protocol server. These settings apply to both HTTPS and Telnet over SSL. HTTPS lets you use a web browser over a secure, encrypted connection to manage the VPN 3002.

SSL creates a secure session between the client and the VPN 3002 server. The client first authenticates the server, they negotiate session security parameters, and then they encrypt all data passed during the session. If, during negotiation, the server and client cannot agree on security parameters, the session terminates.

SSL uses digital certificates for authentication. The VPN 3002 creates a self-signed SSL server certificate when it boots; or you can install in the VPN 3002 an SSL certificate that has been issued in a PKI context. This certificate must then be installed in the client (for HTTPS; Telnet does not usually require it). You need to install the certificate from a given VPN 3002 only once.

The default SSL settings should suit most administration tasks and network security requirements. We recommend that you not change them without good reason.

Note To ensure the security of your connection to the Manager, if you click Apply on this screen, even if you have made no changes, you break your connection to the Manager and you must restart the Manager session from the login screen.

Related information:

•For information on installing the SSL digital certificate in your browser and connecting via HTTPS, see Chapter 1, “Using the VPN 3002 Hardware Client Manager”.

•To configure HTTPS parameters, see the Configuration System Management Protocols HTTP/HTTPS screen.

•To configure Telnet/SSL parameters, see the Configuration System Management Protocols Telnet screen.

•To manage SSL digital certificates, see the Administration Certificate Management screens.

VPN 3002 Hardware Client Reference

8-10	OL-1893-01

Image 88

Cisco Systems VPN 3002 manual 8-10, Related information

Contents

Release November Corporate HeadquartersCisco Systems, Inc 170 West Tasman Drive San Jose, CAVPN 3002 Hardware Client Reference Copyright 2001, Cisco Systems, IncConfiguration System ConfigurationConfiguration | System C O N T E N T SConfiguration | System | Servers | DNS Configuration | System | Tunneling ProtocolsConfiguration | System | IP Routing Configuration System Management ProtocolsConfiguration | Policy Management AdministrationAdministration | Ping Administration | Access RightsMonitoring Monitoring | Routing TableMonitoring | Live Event Log Monitoring | System StatusFiles for Troubleshooting A-1 LED IndicatorsMonitoring | Statistics | MIB-II Monitoring | Statistics | MIB-II| IPContents viii78-13782-01 Preface PrerequisitesOrganization ChapterChapter TitleDescription ChapterRelated Documentation VPN 3002 Hardware Client DocumentationVPN 3000 Series Concentrator Documentation VPN Client DocumentationDocumentation conventions Other ReferencesConvention boldface fontObtaining Documentation Data FormatsWorld Wide Web Documentation CD-ROMObtaining technical assistance Ordering documentationDocumentation feedback Cisco.comTechnical Assistance Center Contacting TAC by using the Cisco TAC websiteContacting TAC by telephone VPN 3002 Hardware Client Reference Preface Obtaining technical assistanceOL-1893-01 VPN 3002 Hardware Client Browser Requirements Using the VPN 3002 Hardware Client ManagerC H A P T E R Connecting to the VPN 3002 Using HTTP Recommended PC Monitor/Display SettingsJavaScript and Cookies Navigation ToolbarInstalling the SSL Certificate in Your Browser Installing the SSL Certificate in Your BrowserVPN 3002 Hardware Client Reference OL-1893-01Figure 1-2Install SSL Certificate Screen 4.Click Install Certificate 5.Click Next to continue 7.Click Finish Viewing Certificates with Internet Explorer Installing the SSL Certificate with Netscape First-timeInstallation Reinstallation1-10 1-11 2.Click Next> to proceed1-12 8.Click Continue 1-13Viewing Certificates with Netscape 1-141-15 Click OK when finishedConfiguring HTTP, HTTPS, and SSL Parameters Connecting to the VPN 3002 Using HTTPS1-16 Logging into the VPN 3002 Hardware Client Manager 1-171-18 Figure 1-27Manager Main Welcome ScreenLogging into the VPN 3002 Hardware Client Manager VPN 3002 Hardware Client ReferenceInteractive Hardware Client Authentication Individual User Authentication1-19 VPN 3002 Hardware Client ReferenceStep 1 Click the Connection Login Status button 1-20The Connection/Login Status screen displays Step 1 Click the Connect Now buttonFigure 1-31Connection Login Status Screen 1-21Step 2 Click Connect Figure 1-32Individual User Authentication Screen 1-22Figure 1-33Connection/Login Status Screen VPN 3002 Hardware Client Reference 1-23OL-1893-01 Title bar Status barMouse pointer and tips Top frameReset RestoreTable of Contents ConfigurationOpen or expanded Main frameManager screen 1-261-27 –Interfaces: Ethernet parameters1-28 Navigating the VPN 3002 Hardware Client ManagerFigure 1-35Manager Table of Contents Configuration ConfigurationC H A P T E R VPN 3002 Hardware Client Reference Chapter 2 Configuration ConfigurationOL-1893-01 Interfaces Configuration | InterfacesC H A P T E R Interface Ethernet 1 Private, Ethernet 2 PublicDNS Servers DNS Domain NameDefault Gateway StatusIP Address Subnet MaskConfiguration | Interfaces | Private DisabledStatic IP Addressing IP AddressApply/Cancel Subnet MaskSpeed DuplexConfiguration | Interfaces | Public DHCP ClientPPPoE Client DisabledPPPoE Password Verify PPPoE PasswordPPPoE User Name Static IP AddressingDuplex Apply / CancelReminder Configuration | System System ConfigurationC H A P T E R Chapter 4 System Configuration Configuration | SystemVPN 3002 Hardware Client Reference OL-1893-01Configuration | System | Servers Configuration | System | Servers | DNSServers C H A P T E REnabled DomainPrimary DNS Server Secondary DNS ServerTimeout Period Timeout RetriesApply / Cancel Configuration | System | Servers | DNSConfiguration | System | Servers | DNS ChapterVPN 3002 Hardware Client Reference OL-1893-01Tunneling C H A P T E RConfiguration System Tunneling Protocols Backup Servers Remote ServerAbout Backup Servers IPSec over TCP IPSec over TCP PortUse Certificate Certificate TransmissionGroup About IPSec over TCPPassword UserVerify PasswordChapter VPN 3002 Hardware Client ReferenceOL-1893-01 TunnelingIP Routing Configuration | System | IP RoutingC H A P T E R Static Routes Add / Modify / DeleteReminder Chapter 7 IP RoutingMetric Network AddressSubnet Mask Add or Apply / Cancel DestinationDestination Router Address InterfaceDefault Gateway Apply / CancelMetric ReminderConfiguration | System | IP Routing | DHCP Lease TimeoutAddress Pool Start/End EnabledDHCP Option Add/Modify/DeleteApply/Cancel ReminderDHCP Option Option ValueReminder Nonconfigurable DHCP Options 7-10 Chapter 7 IP RoutingVPN 3002 Hardware Client Reference OL-1893-01Management Protocols Configuration | System | Management ProtocolsC H A P T E R Enable HTTP About HTTP/HTTPSEnable HTTPS Enable HTTPS on PublicHTTP Port HTTPS PortChapter 8 Management Protocols Enable TelnetVPN 3002 Hardware Client Reference Enable Telnet/SSL Telnet PortTelnet/SSL Port Maximum ConnectionsEnable SNMP SNMP PortMaximum Queued Requests Apply / CancelReminder Community Strings Communities | Add or ModifyAdd/Modify/Delete ReminderAdd or Apply / Cancel Community StringReminder 8-10 Related informationEncryption Algorithms Client Authentication8-11 SSL Version Generated Certificate Key Size8-12 Apply/Cancel8-13 Chapter 8 Management ProtocolsVPN 3002 Hardware Client Reference OL-1893-01Enable SSH Enable SSH on PublicSSH Port Key Regeneration Period8-15 Apply / CancelTo apply your SSH settings, and to include your settings in the active configuration, click Apply. The Manager returns to the Configuration | System | Management Protocols screen ReminderEnable XML 8-16Enable HTTPS on Public Chapter 8 Management ProtocolsHTTPS IP Address HTTPS Wildcard-maskSSH IP Address SSH Wildcard-mask8-18 Chapter 8 Management ProtocolsVPN 3002 Hardware Client Reference OL-1893-01Events Event ClassClass Description Event Source Class NameClass Description Event Source Class NameCisco-specificEvent Class EVENTMIBEvent Severity Level LevelCategory DescriptionEvent Log Event Log DataConfiguration System Events General Configuration | System | EventsFigure 9-1Configuration | System | Events Screen Syslog Format StringSeverity to Log Severity to ConsoleSeverity to Syslog Cisco IOS SeverityConfiguration | System | Events | Classes Configure either General eventSeverity to Trap To send this “well-known”Add/Modify/Delete Configured Event ClassesReminder Enable Class NameModify screen 9-10Add or Apply/Cancel 9-11Severity to Console Severity to SyslogTrap Destinations 9-12Add/Modify/Delete ChapterSNMP Version Community9-13 DestinationConfiguration System Events Syslog Servers Port9-14 Add or Apply/CancelSyslog Servers 9-15Add/Modify/Delete ReminderSyslog Server Facility9-16 Port9-17 Add or Apply/CancelTo add this server to the list of syslog servers, click Add. Or to apply your changes to this syslog server, click Apply. Both actions include your entry in the active configuration. The Manager returns to the Configuration | System | Events | Syslog Servers screen. Any new server appears in the Syslog Servers list Reminder9-18 ChapterVPN 3002 Hardware Client Reference OL-1893-01Configuration | System | General General10-1 C H A P T E RConfiguration | System | General | Identification System NameContact LocationConfiguration | System | General | Time and Date Enable DST SupportCurrent Time New Time10-4 Configuration | System | General | Time and DateReminder Chapter 10 GeneralPolicy Management Client Mode/PATClient Mode with Split Tunneling 11-1Network Extension Mode 11-2Chapter 11 Policy Management Network Extension ModeNetwork Extension Mode with Split Tunneling 11-3Tunnel Initiation Data InitiationStep 2 Click Connect Now 11-4Configuration | Policy Management Traffic ManagementMode Tunneling PolicyConfiguration Policy Management Traffic Management | PAT11-6 EnablePAT Enabled 11-7Apply/Cancel Reminder11-8 Chapter 11 Policy ManagementVPN 3002 Hardware Client Reference OL-1893-01Administration Administration12-1 C H A P T E R12-2 Administration | Software UpdateFigure 12-1Administration Screen Upload/Cancel Current Software RevisionBrowse 12-3Software Update Progress Software Update SuccessSoftware Update Error 12-4Administration | System Reboot 12-5Chapter 12 Administration Administration | System RebootConfiguration Action12-6 Figure 12-6Administration | System Reboot ScreenAdministration | Ping When to Reboot/Shutdown12-7 Apply/CancelPing/Cancel Error PingAddress/Hostname to Ping Success PingAdministration | Access Rights Administration | Access Rights | Administrators12-9 Figure 12-10Administration | Access Rights ScreenAdministrator PasswordVerify 12-10Administration | Access Rights | Access Settings Session Idle TimeoutEncrypt Config File Session LimitAdministration | File Management View SaveDelete 12-12Swap Config Files Config File Upload via HTTPOK/Cancel 12-13Local Config File/Browse File Upload Progress12-14 Upload/CancelFile Upload Success File Upload Error12-15 Certificate Management Enrolling and Installing Digital Certificates12-16 12-17 12-18 Installing CA Certificates Manually 12-19Enrolling and Installing Identity Certificates Recommended ContentAbbrev Field Name12-21 Verify Challenge Password12-22 12-23 Step 5 Fill in the fields and click Enroll. For information on the fields on this screen, see Table 12-1.The VPN 3002 sends the certificate request to the CA12-24 12-25 Step 5 Fill in the fields and click Enroll. For information on the fields on this screen, see Table 12-1.The Manager displays the Administration | Certificate Management | Enrollment | Request Generated screen. See Figure12-26 Certificate Obtained via Enrollment Screen12-27 Obtaining SSL Certificates Enabling Digital Certificates on the VPN 12-29Deleting Digital Certificates 12-30Certificate Authority Administration | Certificate Management12-31 Content Certificate Authorities TableIdentity Certificates Table FieldsSSL Certificate Table Generate 12-3312-34 ContentSubject/Issuer FieldsEnrollment Status Table Remove All12-35 Content12-36 ContentField StatusAdministration | Certificate Management | Enroll Identity CertificateSSL Certificate 12-37Install a New SA Using SCEP before Enrolling TypeEnroll via PKCS10 Request Manual Enroll via SCEP at Name of SCEP CAFields Enroll / Cancel12-39 Go to Certificate Management Go to Certificate Enrollment12-40 Chapter 12 Administration12-41 Go to Certificate InstallationFields 12-42 Enroll / CancelChapter 12 Administration VPN 3002 Hardware Client ReferenceCancel Enroll12-43 FieldsAdministration | Certificate Management | Install Install CA CertificateInstall SSL Certificate with Private Key Install Certificate Obtained via EnrollmentEnrollment Status Table 12-45Certificate Obtained via Enrollment Screen SCEP Simple Certificate Enrollment Protocol Cut & Paste TextUpload File from Workstation 12-46CA Descriptor Retrieve / Cancel12-47 Install / Cancel Certificate Text12-48 PasswordFilename / Browse 12-49Password Install / CancelAdministration | Certificate Management | View 12-50Chapter 12 Administration Administration | Certificate Management | ViewCertificate Fields 12-51Content FieldBack 12-52Content FieldAdministration | Certificate Management | Configure CA CertificateSCEP Configuration CertificateAdministration | Certificate Management | Renewal Polling Limit12-54 Apply / CancelChallenge Password Verify Challenge PasswordRenew / Cancel Renewal Type12-56 Go to Certificate InstallationStatus Go to Certificate Management12-57 Administration | Certificate Management | DeleteFields View Enrollment Request Yes / No12-58 Administration | Certificate Management |Enrollment Request Fields 12-59Content FieldCancel Enrollment Request 12-60Administration Certificate Management ContentDelete Enrollment Request 12-61Administration | Certificate Management | Fields12-62 FieldsYes / No To delete this enrollment request, click YesMonitoring 13-1C H A P T E R Figure 13-1Monitoring ScreenMonitoring | Routing Table Clear RoutesValid Routes AddressMetric Monitoring | Filterable Event Log13-3 Select Filter Options Event ClassSeverities Client IP AddressEvent Log Format Get LogClear Log There is no undoMonitoring | Live Event Log Event TimeEvent Severity Event Class/NumberTimer Pause Display/Resume DisplayClear Display RestartReset RestoreMonitoring | System Status 13-8Bootcode Rev RefreshVPN Client Type Software RevAuthentication Tunnel Established toDuration Security AssociationsFront Panel Back PanelOther 13-1113-12 RestoreRefresh BackRx Unicast Tx UnicastRx Multicast Tx MulticastCisco IP Phone Bypass Enabled/Disabled Login TimeMonitoring | User Status UsernameMonitoring | Statistics 13-15Monitoring Statistics IPSec 13-16Reset RestoreIKE Phase 1 Statistics Active TunnelsTotal Tunnels Received BytesReceived Phase-2Exchanges Sent Phase-2ExchangesInvalid Phase-2Exchanges Received Invalid Phase-2Exchanges SentPhase-2SA Delete Requests Sent Authentication FailuresInitiated Tunnels Failed Initiated TunnelsIPSec Phase 2 Statistics Received Packets Dropped Anti-Replay13-20 Active TunnelsInbound Authentications Failed Inbound AuthenticationsOutbound Authentications Failed Outbound AuthenticationsMonitoring Statistics HTTP Protocol Use Failures13-22 System Capability FailuresOctets Sent/Received Packets Sent/ReceivedPackets Sent Sockets/Sessions PeakLogin Name Login TimeHTTP Sessions Max ConnectionsMonitoring | Statistics | Telnet Active Sessions13-25 ResetInbound Octets Command Attempted SessionsSuccessful Sessions Telnet SessionsMonitoring | Statistics | DNS RequestsResponses 13-27Timeouts Monitoring | Statistics | SSLServer Unreachable Other FailuresUnencrypted Inbound Octets Encrypted Inbound OctetsUnencrypted Outbound Octets Encrypted Outbound OctetsMonitoring | Statistics | DHCP Active LeasesMaximum Active Leases 13-30Pool Start Pool EndLeased IP Address Time LeftMonitoring | Statistics | SSH 13-32Reset RestoreSSH Sessions Remote IP Address:Port13-33 Login NameMonitoring | Statistics | NAT Packets In/Out13-34 ResetNAT Sessions Translations ActiveTranslations Peak Translations TotalMonitoring | Statistics | PPPoE Translated Bytes/Packets13-36 ResetPPPoE Access Concentrator PADI TimeoutsPADR Timeouts User NameGeneric Errors Rx PADT RxPADT Tx Malformed Packets RxMonitoring | Statistics | MIB-II 13-39Monitoring | Statistics | MIB-II| Interfaces 13-40Reset RestoreUnicast In Unicast OutMulticast In Multicast OutMonitoring | Statistics | MIB-II| TCP/UDP TCP Segments Received13-42 ResetTCP Timeout Min TCP Timeout MaxTCP Segments Transmitted TCP Segments RetransmittedTCP Established Resets UDP Errored DatagramsTCP Current Established UDP Datagrams ReceivedMonitoring | Statistics | MIB-II| IP 13-45Reset RestorePackets Received Header Errors Packets Received Address ErrorsPackets Received Total Packets Received Unknown ProtocolsFragments Needing Reassembly Reassembly SuccessesReassembly Failures Outbound Packets with No RouteMonitoring Statistics MIB-II ICMP Total Received/Transmitted13-48 ResetErrors Received/Transmitted Parameter Problems Received/TransmittedDestination Unreachable Received/Transmitted Time Exceeded Received/TransmittedTimestamp Requests Received/Transmitted Timestamp Replies Received/TransmittedAddress Mask Requests Received/Transmitted Address Mask Replies Received/TransmittedMonitoring | Statistics | MIB-II| ARP Table 13-51Refresh Chapter 13 MonitoringPhysical Address Mapping TypeAction/Delete 13-52Monitoring | Statistics | MIB-II| Ethernet 13-53Reset RestoreAlignment Errors FCS ErrorsCarrier Sense Errors SQE Test ErrorsMAC Errors: Transmit MAC Errors: ReceiveExcessive Collisions Speed MbpsMonitoring | Statistics | MIB-II| SNMP Requests ReceivedBad Version 13-56Parsing Errors Bad Community StringSilent Drops Proxy Drops13-58 Chapter 13 MonitoringMonitoring | Statistics | MIB-II| SNMP VPN 3002 Hardware Client ReferenceUsing the Command-LineInterface Accessing the Command-lineInterfaceConsole Access 14-1Telnet or Telnet/SSL access Starting the Command-lineInterface14-2 Using the Command-lineInterface Choosing Menu ItemsEntering Values 14-3Navigating Quickly Using Shortcut Numbers14-4 Getting Help Information Using Back and Home14-5 Saving the Configuration File Stopping the Command-lineInterfaceUnderstanding Access Rights 14-61Configuration 1.1 Configuration > Quick Configuration1.2 Configuration > Interface Configuration Menu Reference1.3Configuration > System Management 1.3.1Configuration > System Management > Servers1.4Configuration > Policy Management 2Administration2.1 Administration > Software Update 2.2Administration > System Reboot 2.3Administration > Ping2.4Administration Access Rights 14-102.5 Administration > File Management 2.6Administration > Certificate Management3 Monitoring 3.1 Monitoring > Routing Table 3.2Monitoring > Event Log3.2.2 Monitoring > Event Log > View Event Log 3.3 Monitoring > System Status3.4 Monitoring > User Status 3.5Monitoring > General StatisticsTroubleshooting and System Errors Files for TroubleshootingEvent Logs Crash Dump FileLED Indicators Configuration FilesVPN 3002 Front LEDs Crash Dump FileSystem Errors Problem or SymptomPossible Solution VPN 3002 Rear LEDsSettings on the VPN Concentrator Series Concentrator Reference Volumethe VPN 3002 Hardware Client User Reference on Connect NowVPN 3002 Hardware Client Manager Errors Invalid Login or Session TimeoutProblem SolutionLogin Manager Logs OutError Message Incorrect DisplayBack or Forward on Possible causeNot Allowed Message ProblemSolution Possible causeNot Found interface supportedProblem SolutionCommand-lineInterface Errors ErrorA-10 ProblemI N D E NumericsIN-1 See CLI IN-2errors A-10 help commandIN-3 IN-4 IN-5 IN-6 IN-7 See also tunnel IN-8IN-9 IN-10 IN-11 IN-12 IndexVPN 3002 Hardware Client Reference OL-1893-01