Activate the IKE Proposal

2003, Cisco Systems, Inc. All rights reserved.

You must check the following three items before the LAN-to-LAN with digital certificates tunnel can be configured. Active Internet Key Exchange (IKE) proposal list: check the Active Proposals list. By default, an RSA proposal should be present. The Concentrator requires an RSA IKE proposal for LAN-to-LAN with digital certificates to work.

Add IPSec LANtoLAN

Configuration of LAN-to-LAN connections cannot be done in Quick Configuration. Instead, the Concentrator provides a wizard for LAN-to-LAN connections. Choose Configuration> System> Tunneling Protocols> IPSec> LAN-to-LAN, and click Add to access the LAN-to-LAN wizard. The Configuration> System> Tunneling Protocols> IPSec> LAN-to-LAN> Add window opens. The LAN-to-LAN wizard presents this one window to configure a LAN-to-LAN tunnel....

Add RSA SA

This section lets you add, configure, modify, and delete IPSec Security Associations (SAs). Security Associations use IKE Proposals to negotiate IKE parameters. Click Add to add an SA, or select an SA and click Modify or Delete. Select the Security Association (SA). The SA is a template that...

Address Assignment

Configuration> Quick> Address Assignment. Select at least one method of assigning IP addresses to clients as a tunnel is established. The methods are tried in the order listed.
1. Client Specified: this method lets the client specify its own IP address.
2. Per User: assigns IP addresses on a per-user basis. If you use an authentication server (which you configure next) that has IP addresses configured, we recommend selecting this method.
3. DHCP: specify the DHCP server address.
4. Configured Pool...

Addressing Issue

In the figure, there are two sites, site A and site B. Site A has one subnet, 10.10.10.0/24. Site B has two subnets, 10.10.10.0/24 and 11.11.11.0/24. A PC at site A wants to access server B2. A PC packet is addressed to 11.11.11.23 and forwarded through the Cisco Virtual Private Network (VPN) 3000 Series Concentrators to server B2. From the remote end, the remote server responds to the PC's packet. Server B2 addresses the reply packet...
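The overlap in this figure is the kind of thing to catch before the tunnel is built, because a reply addressed into a range that is also local at the responding site is delivered locally and never handed to the Concentrator. The following is an added example, not part of the course text: it checks the subnet lists of the sites for overlap with Python's ipaddress module and tests whether a reply destination would be treated as local. The site names and subnets are the ones in the figure, embedded here as constructed input.

```python
import ipaddress
from itertools import combinations

# Constructed input taken from the figure: site A has one subnet, site B has two.
SITES = {
    "A": ["10.10.10.0/24"],
    "B": ["10.10.10.0/24", "11.11.11.0/24"],
}


def find_overlaps(sites):
    """Return every pair of subnets at different sites whose address ranges
    overlap, as (site, subnet, site, subnet) tuples. Any destination in an
    overlapping range is ambiguous: the local route wins on both sides."""
    overlaps = []
    for (site_a, nets_a), (site_b, nets_b) in combinations(sites.items(), 2):
        for a in nets_a:
            for b in nets_b:
                na = ipaddress.ip_network(a, strict=False)
                nb = ipaddress.ip_network(b, strict=False)
                if na.overlaps(nb):
                    overlaps.append((site_a, str(na), site_b, str(nb)))
    return overlaps


def reply_stays_local(dst_ip, local_nets):
    """True when a host at a site would see dst_ip as on one of its own
    subnets and therefore answer locally instead of through the tunnel."""
    addr = ipaddress.ip_address(dst_ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in local_nets)


if __name__ == "__main__":
    for site_a, net_a, site_b, net_b in find_overlaps(SITES):
        print(f"site {site_a} {net_a} overlaps site {site_b} {net_b}")
    # The PC at site A (10.10.10.5, constructed) reaches B2, but B2's reply to
    # 10.10.10.5 matches site B's own 10.10.10.0/24 and stays at site B.
    print("reply stays local at site B:", reply_stays_local("10.10.10.5", SITES["B"]))
```

Run this against the real address plan of both sites before choosing the LAN-to-LAN network lists; an empty result from find_overlaps is the precondition for the reply path in the figure to work.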

Adjusting the Peer Response Timeout Value

The Cisco VPN Client uses a keepalive mechanism called dead peer detection (DPD) to check the availability of the VPN device on the other side of an IPSec tunnel. If the network is unusually busy or unreliable, you might need to increase the number of seconds to wait before the Cisco VPN Client decides that the peer is no longer active. The default number of seconds to wait before terminating a connection is 90 seconds. The minimum number you can configure is 30 seconds, and the maximum is 480...

Administration Index

This section of the Manager lets you control VPN 3000 Concentrator administrative functions. In the left frame, or in the list of links below, click the function you want:
Administer Sessions: statistics and logout for all sessions.
Software Update: update Concentrator and client software.
System Reboot: system reboot options.
Reboot Status: active sessions, disconnected sessions, etc.
Ping: use ICMP ping to determine connectivity.
Monitoring Refresh: enable automatic refresh of Monitoring...

Administration Sessions

The Administration> Administer Sessions window provides the following information. Session Summary table: shows the summary totals for LAN-to-LAN, remote access, and management sessions. LAN-to-LAN Sessions table: shows parameters and statistics for all active IPSec LAN-to-LAN sessions. Each session in this table identifies only the outer LAN-to-LAN connection or tunnel, not individual host-to-host...

Administration Access Rights

The Administration> Access Rights window enables the administrator to configure access to and rights in the Concentrator Manager functional areas (Authentication or General), or via SNMP. Click the Authentication, General, and SNMP drop-down menus and choose from the following access rights:
None: no access or rights.
Stats Only: access to only the Monitoring section of the Concentrator Manager. No rights to change parameters.
View Config: access to permitted functional areas of the Concentrator...

Administration Ping

The Administration> Ping window enables you to use the ICMP ping utility to test network connectivity. Specifically, the Concentrator sends an ICMP Echo Request message to a designated host. If the host is reachable, it returns an Echo Reply message and the Manager displays a Success window. If the host is not reachable, the Manager displays an Error window.

Administrative Requirements for Installing Cisco Ssl Vpn Client

2005, Cisco Systems, Inc. All rights reserved.

The following table lists the administrative requirements for installing Cisco SSL VPN Client on the VPN 3000 Concentrator.
Cisco VPN 3000 Series Concentrator running version 4.7 or later.
Altiga Networks VPN Concentrator running version 4.7 or later.
Windows XP or Windows 2000 only.

Administrators

Administration> Access Rights> Administrators. This section presents administrator users. Any changes you make take effect immediately. Each row shows Username, Properties, Administrator, and Enabled. Administrators are special users who can access and change the configuration, administration, and monitoring functions on the Concentrator. Only administrators can use the Concentrator Manager. Cisco provides five predefined...

Advertising VPN Client Routes

Load balancing enables the VPN Client to connect to the least loaded Concentrator. The good news is that the VPN Client load is shared across multiple Concentrators. The bad news is the question of how a headend device reaches the client when it is connected to a different Concentrator each time a tunnel is established. The answer is RRI (reverse route injection). Each time the VPN Client connects to a Concentrator, the Concentrator...

AH Authentication and Integrity

The Authentication Header (AH) function is applied to the entire datagram, except for any mutable IP header fields that change in transit (for example, the Time To Live (TTL) field, which is modified by the routers along the transmission path). AH supports two algorithms, HMAC-MD5 and HMAC-SHA-1. AH works as follows:
Step 1 The IP header and data payload are hashed.
Step 2 The hash is used to build an AH header, which is inserted into the original packet after the IP header.
Step 3 The new...

Allowing Local LAN Access

In a multiple-NIC configuration, local LAN access pertains only to network traffic on the interface on which the tunnel was established. The Allow Local LAN Access parameter gives you access to the resources on your local LAN (printer, fax, shared files, and other systems) when you are connected through a secure gateway to a central-site VPN device. When this parameter is enabled and your central site is configured to permit it, you can access local resources while connected. When this...

Among the most difficult to completely eliminate

DoS attacks are different from most other attacks because they are not targeted at gaining access to your network or the information on your network. These attacks focus on making a service unavailable for normal use, which is typically accomplished by exhausting some resource limitation on the network or within an operating system or application. These attacks require little effort to execute because they typically take advantage...

Application Layer Attacks

Application layer attacks have the following characteristics:
Exploit well-known weaknesses, such as protocols, that are intrinsic to an application or system (for example, sendmail, HTTP, and FTP).
Often use ports that are allowed through a firewall (for example, TCP port 80 used in an attack against a web server behind a firewall).
Can never be completely eliminated, because new vulnerabilities are always being discovered...

Authentication

There are two types of authentication in the VPN network. Concentrator authentication: used to set up user rights and privileges as they relate to the Concentrator (for example, hours of operation, simultaneous logins, filters, and inactivity timeout). Network authentication: used to control access to the corporate network. Corporations typically require a secondary level of authentication before allowing users onto their networks. Network...

Authentication Header

Provides origin authentication (ensures packets definitely came from the peer). Does not provide confidentiality (no encryption). Authentication is achieved by applying a keyed one-way hash function to the packet to create a hash, or message digest. The hash is combined with the text and transmitted. Changes in any part of the packet that occur during transit are detected by the receiver when it performs the same one-way hash function on the received...
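The keyed-hash check described under AH Authentication and Integrity and Authentication Header above, as an added example that is not part of the course: it builds a minimal IPv4 packet carrying an AH header in transport mode, computes HMAC-SHA-1-96 over the packet with the mutable header fields zeroed as RFC 2402 requires, and shows that a router decrementing TTL leaves the integrity check value (ICV) valid while any change to the payload, the addresses, or the key does not. The key, addresses, SPI and payload are constructed for the demonstration.

```python
import hashlib
import hmac
import struct

# Constructed example: IPv4 + AH (transport mode) with HMAC-SHA-1-96.
# Layout follows RFC 791 (IPv4 header) and RFC 2402 (AH); the key and
# addresses are made up, not taken from any real configuration.

AH_PROTO = 51
ICV_LEN = 12                          # 160-bit SHA-1 HMAC truncated to 96 bits
AH_FIXED = struct.Struct("!BBHII")    # next header, payload len, reserved, SPI, sequence
IP_HDR = struct.Struct("!BBHHHBBH4s4s")


def build_ipv4_header(src, dst, ttl, payload_len):
    # version/IHL, ToS, total length, ID, flags+fragment offset, TTL,
    # protocol, checksum (left 0: the IP stack fills it in), source, destination
    total = IP_HDR.size + AH_FIXED.size + ICV_LEN + payload_len
    return IP_HDR.pack(0x45, 0, total, 0x1234, 0x4000, ttl, AH_PROTO, 0, src, dst)


def zero_mutable_fields(ip_hdr):
    """Copy of the IPv4 header with the fields that legitimately change in
    transit set to zero: ToS, flags/fragment offset, TTL and header checksum."""
    h = bytearray(ip_hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)


def compute_icv(key, ip_hdr, ah_fixed, payload):
    """HMAC over immutable IP header + AH header (ICV field as zeros) + payload."""
    data = zero_mutable_fields(ip_hdr) + ah_fixed + bytes(ICV_LEN) + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def ah_protect(key, src, dst, ttl, payload, spi, seq, next_header=17):
    """Sender side: build the packet and insert the AH header after the IP header."""
    ip_hdr = build_ipv4_header(src, dst, ttl, len(payload))
    payload_len_words = (AH_FIXED.size + ICV_LEN) // 4 - 2   # RFC 2402 encoding
    ah_fixed = AH_FIXED.pack(next_header, payload_len_words, 0, spi, seq)
    return ip_hdr + ah_fixed + compute_icv(key, ip_hdr, ah_fixed, payload) + payload


def ah_verify(key, packet):
    """Receiver side: recompute the ICV and compare in constant time."""
    ip_hdr = packet[:IP_HDR.size]
    icv_start = IP_HDR.size + AH_FIXED.size
    payload_start = icv_start + ICV_LEN
    ah_fixed = packet[IP_HDR.size:icv_start]
    expected = compute_icv(key, ip_hdr, ah_fixed, packet[payload_start:])
    return hmac.compare_digest(packet[icv_start:payload_start], expected)


def router_hop(packet):
    """What a forwarding router does to the header: decrement TTL."""
    h = bytearray(packet)
    h[8] -= 1
    return bytes(h)


def tamper_payload(packet):
    h = bytearray(packet)
    h[-1] ^= 0xFF
    return bytes(h)


def rewrite_destination(packet, new_dst):
    return packet[:16] + new_dst + packet[20:]


KEY = b"constructed-ah-key"           # assumption: the AH key IKE would have agreed
SRC, DST = bytes([10, 10, 10, 5]), bytes([11, 11, 11, 23])
PACKET = ah_protect(KEY, SRC, DST, ttl=64, payload=b"hello over AH", spi=0x1000, seq=1)

if __name__ == "__main__":
    print("as sent:        ", ah_verify(KEY, PACKET))
    print("after one hop:  ", ah_verify(KEY, router_hop(PACKET)))
    print("payload changed:", ah_verify(KEY, tamper_payload(PACKET)))
```

Note what the zeroing does and does not cover: TTL can change freely, but the source and destination addresses are inside the hash, which is why AH breaks under NAT and why the course later needs NAT-T and IPSec over UDP for ESP.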

Auto Initiation Administrative Requirements

In the VPNClient.ini file, the network administrator can configure a list of up to 64 matched networks (IP address and subnet mask pairs) and corresponding connection profiles (.pcf files). Typically, the administrator enters one network address and .pcf filename per site. When the Software Client detects that the PC resides on one of the networks in the...
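The network-to-profile matching this paragraph describes, as an added example that is not part of the course or of the Cisco client: it parses a vpnclient.ini excerpt, enforces the 64-network limit and the 1 to 10 minute retry interval the course states, and returns the connection entry the client should launch for the PC's current address. The section and key names used for the INI excerpt are an assumption about the file layout, as is the rule that the most specific matching network wins; the sample file is constructed.

```python
import configparser
import ipaddress

# Constructed vpnclient.ini excerpt. The [main] keys and the per-network
# sections are an assumption about the file layout, not copied from the course.
SAMPLE_INI = """
[main]
AutoInitiationEnable=1
AutoInitiationRetryInterval=3
AutoInitiationList=Office,Lab

[Office]
Network=10.10.10.0
Mask=255.255.255.0
ConnectionEntry=office

[Lab]
Network=10.10.0.0
Mask=255.255.0.0
ConnectionEntry=lab
"""

MAX_NETWORKS = 64        # limit stated in the course text
RETRY_RANGE = (1, 10)    # minutes, the range the Software Client accepts


def load_auto_initiation(ini_text):
    """Parse the auto-initiation settings and return
    (enabled, retry_minutes, [(network, connection_entry), ...])."""
    cfg = configparser.ConfigParser()
    cfg.read_string(ini_text)
    main = cfg["main"]
    enabled = main.getint("AutoInitiationEnable", 0) == 1
    retry = main.getint("AutoInitiationRetryInterval", 1)
    if not RETRY_RANGE[0] <= retry <= RETRY_RANGE[1]:
        raise ValueError(f"retry interval {retry} outside {RETRY_RANGE} minutes")
    names = [n.strip() for n in main.get("AutoInitiationList", "").split(",") if n.strip()]
    if len(names) > MAX_NETWORKS:
        raise ValueError(f"{len(names)} networks configured, maximum is {MAX_NETWORKS}")
    entries = []
    for name in names:
        sec = cfg[name]
        net = ipaddress.ip_network(f"{sec['Network']}/{sec['Mask']}", strict=False)
        entries.append((net, sec["ConnectionEntry"]))
    return enabled, retry, entries


def select_profile(entries, pc_ip):
    """Return the connection entry (.pcf profile) for the network the PC sits on.
    Assumption: when several networks match, the most specific one wins."""
    addr = ipaddress.ip_address(pc_ip)
    matches = [(net, entry) for net, entry in entries if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def connect_on_detect(ini_text, pc_ip):
    """What the Software Client decides when it sees the PC's address:
    the profile to launch, or None when auto-initiation should stay idle."""
    enabled, _retry, entries = load_auto_initiation(ini_text)
    if not enabled:
        return None
    return select_profile(entries, pc_ip)


if __name__ == "__main__":
    for ip in ("10.10.10.25", "10.10.99.7", "192.168.1.5"):
        print(ip, "->", connect_on_detect(SAMPLE_INI, ip))
```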

Auto Initiation Feature

Wireless LAN connections are often insecure. Using a Software Client to connect to the Concentrator over an encrypted wireless connection resolves the security problem. However, the local wireless users must be burdened with establishing the encrypted wireless VPN connection on the corporate LAN. The auto-initiation feature intends to alleviate this burden from the user by providing an automated method for establishing VPN network...

AYT Feature

Often network administrators require remote access PCs to run a firewall application before allowing VPN tunnels to be built. The network administrator can configure the Concentrator to require all Software Clients in a group to have a specific firewall operating on the PC. The Software Client monitors the firewall to ensure that it is running. If the firewall stops...

Backup Server

IPSec backup servers enable a Hardware Client and a VPN Software Client to connect to a backup Concentrator when its primary Concentrator is unavailable. You configure backup servers either on the Hardware Client and the VPN Software Client, or on a group basis on the Concentrator. The following is an example of what happens when you configure a backup server: Step 1 The...

Backup Server Concentrator Configuration

The IPSec backup server feature enables a Hardware Client and VPN Software Client to connect to a backup Concentrator when its primary Concentrator is unavailable. During tunnel negotiation, the VPN Clients ask for a policy from the Concentrator. The Concentrator responds to the request via a Mode Config policy message. The VPN Clients check the policy message and respond...

Backup Server Hardware Client Configuration

If the Concentrator IPSec backup server option is set to Use Client Configured List, the Hardware Client uses the backup server addresses configured in the Hardware Client. To configure backup servers on a Hardware Client, go to the Configuration> System> Tunneling Protocols> IPSec window. In the backup server window, enter up to ten backup servers, listed from high...

Backup Server Software Client Configuration

If the Concentrator IPSec backup server option is set to Use Client Configured List, the VPN Software Client uses the backup server addresses configured in the VPN Software Client. Go to Start> Programs> Cisco Systems VPN Client> VPN Client to configure backup servers on a VPN Client. The VPN Software Client window opens. Right-click the connection entry you wish to...

Bandwidth Aggregation

Choose the Configuration> System> Tunneling Protocols> IPSec> IPSec LAN-to-LAN window and select the connection you wish to modify by clicking the Modify button. From the bandwidth policy drop-down menu, select a bandwidth policy to apply to this IPSec LAN-to-LAN connection. If you do not want to select a policy here, select None. When the bandwidth reservation policy is applied to a LAN-to-LAN connection, the...

Bandwidth Management

By default, the Concentrator does not equitably manage packet traffic on a per-group or per-user basis. This means that any one group or user, given infinite bandwidth capability, could effectively steal almost all available bandwidth capacity of a Concentrator. This can cause all other logged-in users to experience slower connections. In the figure (bandwidth reservation, site B), the customer has a T1, 1.544 Mbps, of bandwidth at the central...

Bandwidth Monitoring Statistics

Monitoring> Statistics> Bandwidth Management. This screen shows bandwidth management information, reported as Traffic Rate (kbps) and Traffic Volume (bytes). To refresh the statistics, click Refresh. Select a Group to filter the users; the default, All, shows every group. Choose the Monitoring> Statistics> Bandwidth Management window to view...

Bandwidth Policing Overview

For the bandwidth policing feature, the Concentrator provides a maximum data transfer rate. Bandwidth policing sets a maximum limit, a cap, on the rate of tunneled traffic. For example, all system engineers can transfer data up to a sustained rate of 56 kbps while remotely accessing the Concentrator. The Concentrator transmits traffic it receives below this rate; it drops traffic above this rate....
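The cap described above, as an added example that is not part of the course and not the Concentrator's own implementation: a token-bucket policer that admits traffic up to the configured rate and drops, rather than queues, whatever arrives above it. The 56 kbps rate comes from the paragraph; the burst size and the two packet traces (one bulk transfer well above the cap, one stream at exactly 56 kbps) are constructed.

```python
# Constructed model of bandwidth policing: a token bucket per tunnel or user.
# Tokens are bytes; they accrue at the policed rate up to a burst ceiling.
# The rate is the course's 56 kbps example; burst and traces are made up.


class TokenBucketPolicer:
    """Policer for one tunnel or user: rate in kbps, burst in bytes."""

    def __init__(self, rate_kbps, burst_bytes):
        self.rate_bytes_per_s = rate_kbps * 1000 / 8
        self.burst = burst_bytes
        self.tokens = float(burst_bytes)   # bucket starts full
        self.last = 0.0

    def admit(self, now, size):
        """Refill for the time elapsed, then either spend tokens (transmit)
        or refuse the packet (drop). Policing never delays a packet."""
        elapsed = now - self.last
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate_bytes_per_s)
        self.last = now
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False


def police_trace(rate_kbps, burst_bytes, trace):
    """Run a (timestamp_s, size_bytes) trace through a policer and return
    (bytes_transmitted, packets_dropped)."""
    policer = TokenBucketPolicer(rate_kbps, burst_bytes)
    sent = dropped = 0
    for ts, size in trace:
        if policer.admit(ts, size):
            sent += size
        else:
            dropped += 1
    return sent, dropped


# Constructed traces. BULK offers about 1.1 Mbps (1400-byte packets every 10 ms);
# STEADY offers exactly 56 kbps (700 bytes every 100 ms).
BULK = [(i * 0.01, 1400) for i in range(20)]
STEADY = [(i * 0.1, 700) for i in range(20)]
BURST = 7000   # one second of the 56 kbps rate, in bytes

if __name__ == "__main__":
    print("bulk   at 56 kbps :", police_trace(56, BURST, BULK))
    print("steady at 56 kbps :", police_trace(56, BURST, STEADY))
    print("bulk   at T1 rate :", police_trace(1544, BURST, BULK))
```

The bulk trace drains the one-second burst allowance in five packets and then loses three out of every four; the steady stream is never touched. This is the behaviour that distinguishes policing (a hard cap with drops) from the reservation policies in the following sections, which guarantee a minimum rather than enforce a maximum.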

Bandwidth Reservation Policy Configuration Group

Not all remote users have the same bandwidth requirements. The administrator can configure additional policies with different bandwidth reservations. In the figure, the administrator created a policy for the executive group. Each member of the executive group requires more bandwidth than the minimum allocation of 64 kbps. A policy was defined which allocates 128 kbps of bandwidth upon connection to...

Bandwidth Reservation Policy ConfigurationLANtoLAN

In mixed environments where there are both remote access and site-to-site connections, it is also possible to reserve bandwidth for the site-to-site tunnels. For site-to-site policies, the minimum bandwidth field assigns the bandwidth reservation to the site-to-site tunnel rather than allocating bandwidth per user connecting through the tunnel. In the LAN-to-LAN policy example above, when a...

Bandwidth Reservation Policy Configuration System Wide

Configuring bandwidth reservation is a two-step process. First, the bandwidth reservation policies are defined. Next, the policies are assigned to an interface, a LAN-to-LAN connection, and optionally to groups. Choose the Configuration> Policy Management> Traffic Management> Bandwidth Policies window to configure bandwidth reservation policies. The bandwidth policy window consists of two parts,...

Bandwidth Reservation Group Configuration

For those groups that have different bandwidth requirements, the administrator can define group-based bandwidth requirements. Choose the Configuration> User Management> Groups window, select a group, and select Bandwidth Assignment. From the Policy drop-down menu, select the appropriate policy. In the figure, the policy assigned to the interface reserved 64 kbps of bandwidth for each remote user. This is fine for the system engineers, but the...

Bandwidth Session Statistics

Choose the Administration> Administer Sessions> Detail window to view individual session bandwidth management statistics. This window shows details of the effects of bandwidth management policies on each tunnel (the session detail in the figure shows Authentication Mode: Pre-Shared Keys). Only tunnels on which bandwidth management policies are enabled appear on this screen. The bandwidth statistics...

CA Support Overview

This topic presents an overview of how Certificate Authority (CA) support works. In the figure (CA Server Fulfilling Requests from IPSec Peers), each IPSec peer individually enrolls with the CA server. With a CA, you do not need to configure keys between all of the encrypting IPSec peers. Instead, you individually enroll each participating peer with the CA and request a certificate. When this has been accomplished, each participating peer can dynamically...

Certificate Generation Process

An end-user (or end-entity) must obtain a digital certificate from the CA to participate in a certificate exchange. This is known as the enrollment process. It requires three steps:
Step 1 Each user generates a private and public key pair.
Step 2 The requestor generates a certificate request and sends it to the CA.
Step 3 The CA transforms the certificate request into a digital certificate and returns both a root and identity digital certificate to...

Certificate Management

Administration> Certificate Management. This section lets you view and manage certificates on the VPN 3000 Concentrator. Installation of a CA certificate is required before identity and SSL certificates can be installed. The window offers links to install a CA certificate, to enroll with a Certificate Authority, and to install a certificate. It lists the installed Certificate Authorities (Subject, Issuer) with options to view all CRL caches or clear all CRL caches (current 0, maximum 6). In the figure, no Certificate Authorities are installed. Identity...

Certificate Renewal

Administration> Certificate Management> Renewal. This section allows you to re-enroll or re-key a certificate, so that the VPN 3000 Concentrator updates its certificate. The certificate request can be sent to a CA, which in turn sends back a certificate. Certificate: SSL Certificate. Select the type of renewal: a re-enrollment uses the same key for the certificate; a re-key generates a new key for the certificate. Enrollment Method (AUSTIN at...

Certificate Request Message PKCS

Administration> Certificate Management> Enroll> Identity Certificate> PKCS10. Enter the information to be included in the certificate request. The CA's certificate must be installed as a Certificate Authority before installing the certificate you requested. Common Name (CN), student1 in the figure: enter the common name for the VPN 3000 Concentrator to be used in this PKI. Organizational Unit (OU), training in the figure: enter the department. Organization (O): enter the organization or company. Locality (L): enter the city or...

Certificate Store

A certificate store is a location in your local file system that contains personal certificates. The major store for the VPN Client is the Cisco store, which contains certificates you have enrolled for through the Simple Certificate Enrollment Protocol (SCEP). Your system also includes a Microsoft certificate store that may contain...

Certificate

You can use the Certificate tab to enroll and manage personal certificates. Specifically, you can use the Certificate tab to do the following: manage certificates by viewing, verifying, deleting, or exporting them; obtain personal certificates through enrollment with a CA. You can enroll automatically through the network or manually via a file exchange.

Certificate Validation

Digital certificate validation is based on trust relationships within the PKI. If you trust A, and A says that B is valid, then you should trust B. This is the underlying premise when validating certificates. When enrolling into a PKI, you must first obtain and install the CA certificates on the Concentrator. In doing so, you implicitly establish a trust relationship where any documents signed by...

Certificate Based Authentication

Digital certificates are used to authenticate users. They can be used to identify a person, company, or server. They are the equivalent of a passport or driver's license. The following example illustrates how this works. Step 1 User A and B register separately with the CA: each user generates a public and private key. Certificate requests are completed by both users and forwarded to the CA. The CA issues separate certificates and digitally signs them...
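The three steps of Certificate Generation Process, the trust premise of Certificate Validation, and the two-user exchange in Certificate Based Authentication, carried through as one added example that is not part of the course and does not reproduce the Concentrator's implementation: a CA is created, each peer generates a key pair and a PKCS#10 request, the CA checks the request's self-signature and issues an identity certificate, and a peer then validates the other side's certificate against the CA certificate it has installed. It also shows the failure case the premise implies: a certificate from a second CA that happens to use the same name is rejected, because trust follows the signature, not the issuer string. The example uses the third-party cryptography package (an assumption about the environment); the CA name, peer names, organizational unit and validity periods are constructed.

```python
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

# All names, lifetimes and the single-level hierarchy are constructed for the example.


def _utc_now():
    return datetime.datetime.now(datetime.timezone.utc)


def make_ca(common_name):
    """A self-signed root CA: the trust anchor each peer installs."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = _utc_now()
    cert = (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - datetime.timedelta(minutes=5))
            .not_valid_after(now + datetime.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def enroll_request(common_name, org_unit):
    """Steps 1 and 2: the end entity generates its key pair and a PKCS#10 request."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    csr = (x509.CertificateSigningRequestBuilder()
           .subject_name(x509.Name([
               x509.NameAttribute(NameOID.COMMON_NAME, common_name),
               x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, org_unit)]))
           .sign(key, hashes.SHA256()))
    return key, csr


def ca_issue(ca_key, ca_cert, csr):
    """Step 3: the CA checks the request's self-signature (proof of key possession)
    and turns it into an identity certificate signed with the CA key."""
    if not csr.is_signature_valid:
        raise ValueError("CSR signature does not match its public key")
    now = _utc_now()
    return (x509.CertificateBuilder()
            .subject_name(csr.subject).issuer_name(ca_cert.subject)
            .public_key(csr.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - datetime.timedelta(minutes=5))
            .not_valid_after(now + datetime.timedelta(days=90))
            .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
            .sign(ca_key, hashes.SHA256()))


def validate(cert, trusted_ca, now=None):
    """The peer's check: trust A (the installed CA); A vouches for B only if B's
    certificate carries a valid signature from A's key and is inside its validity window."""
    now = now or _utc_now()
    if cert.issuer != trusted_ca.subject:
        return False
    try:
        trusted_ca.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                       padding.PKCS1v15(), cert.signature_hash_algorithm)
    except InvalidSignature:
        return False
    utc = datetime.timezone.utc
    not_before = getattr(cert, "not_valid_before_utc", None) or cert.not_valid_before.replace(tzinfo=utc)
    not_after = getattr(cert, "not_valid_after_utc", None) or cert.not_valid_after.replace(tzinfo=utc)
    return not_before <= now <= not_after


if __name__ == "__main__":
    ca_key, ca_cert = make_ca("Training CA")
    _, csr_a = enroll_request("peerA", "training")
    _, csr_b = enroll_request("peerB", "training")
    cert_a, cert_b = ca_issue(ca_key, ca_cert, csr_a), ca_issue(ca_key, ca_cert, csr_b)
    print("A validates B:", validate(cert_b, ca_cert))
    rogue_key, rogue_cert = make_ca("Training CA")      # same name, different key
    _, csr_x = enroll_request("peerB", "training")
    print("A validates impostor B:", validate(ca_issue(rogue_key, rogue_cert, csr_x), ca_cert))
```

A production validator would also walk intermediate CAs, check key usage and, as the Certificate Management section's CRL caches suggest, consult revocation status; those checks are deliberately left out so that the trust premise itself stays visible.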

Check IKE Proposal

Configuration> System> Tunneling Protocols> IPSec> IKE Proposals> Modify. The fields are: Proposal Name (specify the name of this IKE proposal); Authentication Mode (select the authentication mode to use; the figure shows Preshared Keys (XAUTH)); Authentication Algorithm (select the packet authentication algorithm to use; the figure shows MD5/HMAC-128); Encryption Algorithm (select the encryption algorithm to use); Diffie-Hellman Group (select the Diffie-Hellman group to use); Lifetime Measurement, Data Lifetime, and Time Lifetime. Select the lifetime measurement...

Cisco Ssl Vpn ClientAn Overview

This topic provides an overview of Cisco SSL VPN Client. Cisco SSL VPN Client is an application that is dynamically downloaded on a remote system when a user attempts to connect to the corporate network through Cisco VPN 3000 Concentrator. Cisco SSL VPN Client provides secure access to the corporate network by establishing end-to-end, encrypted VPN tunnels. This enables a user to gain secure access to the corporate network without...

Cisco VPN 3000 Concentrator Series

The Cisco VPN 3000 Concentrator Series includes models to support a range of enterprise customers, from small businesses with 100 or fewer remote access sessions to large organizations with up to 10,000 simultaneous remote sessions. The Cisco VPN 3000 Concentrator Series table can be used to determine which model is best for your environment. The top row lists the five models in the Cisco VPN 3000 Concentrator Series family. The left column lists...

Cisco VPN 3000 Series Concentrator IPSec LANtoLAN

This topic presents an overview of the Cisco Virtual Private Network (VPN) 3000 Series Concentrator LAN-to-LAN feature. In the figure, a corporation wants to tie remote sites together via a VPN. At each remote site, there are 500 people. One option is to run a remote VPN where the VPN Client is installed on every PC. This is a logistical and administrative nightmare. The better option is to use the VPN...

Cisco VPN 3005 Concentrator

The following hardware features are supported on the Cisco VPN 3005 Concentrator:
Memory: 32 MB SRAM, which is standard.
Encryption: Data Encryption Standard (DES) and Advanced Encryption Standard (AES).
Scalability: up to 100 simultaneous sessions.
Network interface: two auto-sensing, full-duplex 10/100BaseT Ethernet interfaces. The public interface connects to the Internet. The private...

Cisco VPN Linux and Solaris Software Clients

The Cisco VPN Software Client was expanded to include Linux, Solaris, and Mac operating systems. The system requirements for the Linux and Solaris client types are as follows:
Linux: Red Hat version 6.2 Linux (Intel), or compatible distribution, using kernel version 2.2.12 or later.
Connection type: Point-to-Point Protocol (PPP) and Ethernet.
User authentication: RADIUS, Rivest, Shamir, and Adleman (RSA) SecurID, NT Domain, VPN internal user...

Cisco VPN Mac OS X Software Client

The Cisco VPN Mac OS X Client supports both a command line interface (CLI) and a graphical user interface (GUI). The system requirements for the Mac OS X client are as follows:
Mac OS X version 10.1.0 or later.
Connection type: Ethernet only.
User authentication: RADIUS, RSA SecurID, NT Domain, VPN internal user list, and PKI digital certificates.
VPN Client administration: GUI and CLI. The GUI enables the user to manage the VPN connections quickly and...

Cisco VPN Portfolio Summary

Cisco now provides the industry's broadest VPN solution set. Cisco provides solutions from SOHO and small branch offices to medium and large enterprise customers. Cisco provides solutions for remote access, site-to-site, and firewall-based VPN solutions. The top row of the table in the figure lists the three VPN solutions. The left column of the table lists the four...

Cisco VPN Router Portfolio Large Enterprise and Service Provider

The Cisco VPN Router portfolio adds high-end VPN connectivity with Cisco 7100, 7200, and 7400 series routers, and the Cisco Catalyst 6500 IPSec VPN Services Module. VPN-optimized routers and the Cisco Catalyst 6500 IPSec VPN Services Module provide VPN solutions for large-scale hybrid VPN environments where modularity, high performance, and flexibility are required. Enterprise size and service provider: Cisco VPN...

Cisco VPN Software Client for Windows

The Software Client works with the Concentrator to create a secure connection, called a tunnel, between your computer and the private network. It uses Internet Key Exchange (IKE) and IPSec tunneling protocols to make and manage the secure connection. Some of the operations that the Software Client performs, which are mostly invisible to you, include the following: negotiating tunnel parameters (addresses,...

Cisco VPN Software Client Parameters

The Options pop-up menu has an Automatic VPN Initiation dialog menu item, with an Enable automatic VPN initiation check box and a Retry Interval field (1 to 10 minutes). The Automatic VPN Initiation menu allows the user to enable or disable the auto-initiation feature, as well as modify the retry interval. The retry interval specifies, in minutes, the amount of time the client will wait before retrying an...

Cisco VPN Windows Client Smartcard Support

A Smartcard can be used to store information, such as a digital certificate. Unlike most digital certificates that are stored on a computer, with a Smartcard you bring your authentication with you (the user, not just the computer, can be authenticated). To use a Smartcard, a user must have a Smartcard reader installed in their computer as well as the driver software required to support the Smartcard reader. When a Smartcard is inserted...

Cisco VPN Windows Software Client

The following are system requirements for the Cisco VPN Client:
Microsoft Windows 98 or Windows 98 (second edition).
Microsoft Windows NT 4.0 running Service Pack 6 or higher.
Microsoft Windows XP (Cisco VPN Client release 3.1 or higher).
Cisco VPN minimum system requirements: Cisco VPN 3000 Series Concentrator (release 3.0).
Hard disk space: 50 MB.
Memory: 32 MB for Microsoft Windows 95 and 98; 64 MB for Microsoft Windows NT; 32-64 MB for Microsoft Windows...

Client Configuration Parameters

Most of the configuration issues in a remote access network originate at the remote PC. There are a large number of parameters to be programmed on the remote user PC, and not every user could perform the needed changes. The Internet Engineering Task Force (IETF) IPSec Working Group solved these issues with mode configuration. The end user or IT department loads a minimum IPSec configuration in...

Client RRIRouting Table

In the example in the figure, Client RRI is enabled at the Concentrator and the Hardware Client is running in PAT mode. When the tunnel is launched, the Concentrator assigns the Hardware Client a virtual IP address, 10.10.10.11. Notice in the top routing table that 10.10.10.11 is listed and is advertised through the private interface on the Concentrator. When the tunnel is disconnected, the host entry is deleted from the routing table. Notice in the...

Client Support

Another feature of the Cisco VPN 3000 Concentrator Series is the broad client support. The following clients and protocols are supported by the Concentrator:
PPTP client in Windows Dial-up Networking 1.3.
L2TP over IPSec client in Windows 2000.
Unlimited Cisco VPN Client software licenses.

ClienttoLAN

Consider the following scenario. Remote users need to dial into the corporate office and access e-mail, corporate presentations, order entry, and engineering. In addition, Corporate Information Services wants remote users to access corporate resources fast, inexpensively, and as securely as possible. Implementing a remote-access virtual private network (VPN) with the Cisco VPN 3000 Series Concentrator and the Cisco VPN Software...

Concentrator Backup LANtoLAN

The Backup LAN-to-LAN feature lets you establish redundancy for your LAN-to-LAN connection. Unlike VRRP, which provides a failover for the Concentrator, Backup LAN-to-LAN provides a failover for the connection itself. Although VRRP and Backup LAN-to-LAN each provide ways of establishing continuity of service if a Concentrator fails, the Backup LAN-to-LAN feature provides certain advantages over VRRP, as follows: You can configure Backup LAN-to-LAN...

Concentrator Certificate Manual Loading Process

The Concentrator certificate manual loading process consists of the following:
Step 1 Generate the certificate request and upload it to a CA.
Step 2 The CA generates the identity and root certificates. Each is downloaded to a PC.
Step 3 The certificates are loaded onto the Concentrator....

Concentrator Configuration IPSec over UDP

Enter the UDP port to be used for IPSec through NAT (4001 - 49151, except port 4500, which is reserved for NAT-T). Configuring IPSec over UDP in the Concentrator is a two-step process. IPSec over UDP must be enabled first. Complete the following steps to configure IPSec over UDP:
Step 1 Choose Configuration> User Management> Groups. The Groups window opens.
Step 2 Select a group.
Step 3 Within the Client Config tab, select the IPSec over UDP...

Concentrator Configuration NAT-T

Configuration> System> Tunneling Protocols> IPSec: This section of the Manager lets you configure system-wide IPSec parameters. In the left frame, or in the list of links below, click the parameters you want. For NAT-T to work, it must be enabled in...

Concentrator Enrollment Support

For the Concentrator to participate in the certificate exchange, a certificate needs to be loaded on the Concentrator, which is called Concentrator certificate enrollment. There are two types of Concentrator certificate enrollments: File-based enrollment. This is a manual process. You can enroll by creating a request file (PKCS #10). When you have created a request file, you can either e-mail it to the CA and receive a certificate back,...

Concentrator Load Balancing Configuration

The second step in load balancing is to configure each Concentrator in the cluster for load balancing. There are two parts to the configuration: cluster and device configuration. Cluster configuration must be the same for all Concentrators in the cluster. Device configuration parameters can vary across the cluster. The device parameters are Concentrator specific. To configure load balancing on the...

Concentrator Monitor Session

The statistics can also be viewed at the Concentrator. To do this, select the Monitoring> Sessions window. The encapsulation type is visible in the Protocol column within the Remote Access Sessions section. In the example in the figure, TCP over IPSec is used. Click the student1 link in the Protocol column within the Remote Access Sessions section to get more information on the port number.

Concentrator Network Lists Site A

The NAT rule types were selected, NAT rules were defined, and the LAN-to-LAN Tunnel NAT rule was enabled. The last step is to tie the translated addresses to the Concentrator. The Concentrator must know how to route the translated addresses. The translated addresses are defined at their respective ends of the tunnel with network lists. Concentrator A needs to know that 10.10.10.0/24 and 20.20.20.0/24 are considered to be local addresses....

Concentrator Network Lists Site B

The NAT rule types were selected, NAT rules were defined, and the LAN-to-LAN Tunnel NAT rule was enabled. The last step is to tie the translated addresses to Concentrator B. Concentrator B must know how to route the translated addresses. Concentrator B needs to know that 10.10.10.0/24 and 30.30.30.0/24 are considered to be local addresses. 20.20.20.0/24 is considered to be a remote address. To reach 20.20.20.0/24 from site B, traffic is routed...

Concentrator Product Comparison

The table can be used to determine which model is best for your environment. The top row lists the five models in the Concentrator family. The left column lists some of the Concentrator's features. Note: For planning purposes, a simultaneous user is considered to be a remote access VPN user connected in all tunneling modes. A session includes 1 Internet Key Exchange (IKE)...

Concentrator User Status

On the Concentrator, individual user information is added to the Administration> Sessions> Detail display window. When multiple authentications execute for a given IKE tunnel, the central site Concentrator displays the username and login duration information. The user's MAC and IP addresses are visible only on the Hardware Client.

Concentrator Hardware Client

By default, a Hardware Client cannot automatically connect to a Concentrator. The administrator must allow remote Hardware Clients using network extension to connect to a Concentrator on a group-by-group basis. From the Concentrator, go to Configuration> User Management> Groups> Modify to enable network extension mode. Under the HW Client...

Concentrator IPSec over TCP Configuration

Configuration> System> Tunneling Protocols> IPSec: This section of the Manager lets you configure system-wide IPSec parameters. In the left frame, or in the list of links below, click the parameters you want. The last configuration example is IPSec over TCP....

Concentrator Monitor Session Detail

The Monitoring> Session> Details window enables the administrator to view more in-depth information about the session, such as the hashing algorithm, authentication mode, encryption algorithm, and DH group. The top line is the remote access session entry from the previous window, Monitoring> Sessions> Remote Access Sessions. Below the remote entry...

Concentrator Monitor Session Details

Screen text from the Monitoring> Sessions> Detail window for user student: Protocol IPSec, Encryption 3DES-168, Authentication Mode Pre-Shared Keys (XAUTH), IKE Negotiation Mode Aggressive, Hashing Algorithm MD5, Encapsulation Mode Tunnel, Rekey Time Intervals 86400 seconds and 28800 seconds, Bytes Received 31792, Bytes Transmitted 112043. ...

Concentrator Physical Connections

The Concentrator is equipped with universal power factor correction 100-240 VAC. A power cable with the correct plug is supplied. When the Concentrator arrives from the factory, plug it in and power it up. Connect the corporate LAN to the Concentrator's private interface. Cable the Internet side of the corporate network to the public interface of the Concentrator. LAN ports can be programmed for 10M or 100M Ethernet. The Concentrator is not...

Concentrator Software Update

Administration> Software Update> Concentrator: This section lets you update the software on your VPN 3000 Concentrator. The VPN 3000 Concentrator will verify the integrity of the software image that you download. It will take a few minutes for the upload and verification to take place. Please wait for the operation to finish. Cisco Systems, Inc. VPN 3000 Concentrator Version 3.6.Beta_2 Jun 26 2002 13:32:36 (DEBUG_MASK 0, NDEBUG off). Type in the name of the image file below. The current image file is...

Configuration Management

Configuration management protocols include SSH, SSL, and Telnet. Telnet issues include the following:
- The data within a Telnet session is sent as clear text, and may be intercepted by anyone with a packet sniffer located along the data path between the device and the management server.
- The data may include sensitive information, such as the configuration of the device itself, passwords, and so on.
If the managed device does not...

Configuration Management Recommendations

When possible, the following practices are advised:
- Use IPSec, SSH, SSL, or any other encrypted and authenticated transport.
- ACLs should be configured to allow only management servers to connect to the device. All attempts from other IP addresses should be denied and logged.
- RFC 2827 filtering at the perimeter router should be used to mitigate the chance of an outside attacker spoofing the addresses of the management hosts.
Regardless...

Configuration Options

Cisco Systems VPN 3000 Concentrator Series Command Line Interface. The Concentrator supports two configuration options: CLI and GUI. To use these options, they have to be configured correctly. For the CLI configuration option, the terminal is set for the following: The web interface supports both HTTP and HTTP over secure socket layer (SSL). Operators can use either Internet Explorer or Netscape Navigator. With Internet Explorer and...

Configure CA CRL Caching, Backup, and HTTP Support

CRLs are issued by Certificate Authorities (CAs) to identify revoked certificates. A CRL-DP specifies the location of a CRL on a server from which it can be downloaded. In order to verify the revocation status, the Concentrator retrieves the CRL from the primary or one of the backup CRL-DPs. The Concentrator checks the peer certificate serial number against the list of...

Configure CPP

Configuration> User Management> Groups> Modify training. Check the Inherit box for a field that you want to default to the base group value. Uncheck the Inherit box and enter a new value to override base group values. Firewall Setting: No Firewall, Firewall Required, Firewall Optional. Select whether or not to require that the client firewall specified below be installed and active. Refer to the client documentation for details about using this feature. Select the firewall vendor and product required for clients in this group. For client firewalls...

Configure System Events

Configuration> System> Events> General: This section lets you configure default event handling. Save Log on Wrap: check to save the event log to a file on wrap. Save Log Format (Multiline): select the format of the saved log files. FTP Saved Log on Wrap: check to automatically FTP the saved log to a remote destination. Email Source Address: enter the email address that appears in the From field. Severity to Log, Severity to Console, Severity to Syslog. Syslog Format: select the format of Syslog...

Configure The Cisco Virtual Private Network 3000 Series Concentrator For Remote Access Using Digital Certificates

Configuring the Cisco VPN 3000 Series Concentrator for CA Support 6-27
Summary 6-71
Lab Exercise: Configure the Cisco VPN 3000 Series Concentrator for Remote Access Using Digital Certificates Lab 6-1
Configure the Cisco Virtual Private Network Firewall Feature for the IPSec Software Client 7-1
Overview of the Software Client's Firewall Feature 7-4
The Software Client's AYT Feature 7-6
The Software Client's Stateful Firewall Feature 7-15
The Software Client's CPP Feature 7-17
Software Client...

Configure the Cisco VPN 3002 Hardware Client for Remote

Cisco VPN 3002 Hardware Client Remote Access with Pre-Shared Keys 10-3
Summary 10-36
Lab Exercise: Configuring Cisco VPN 3002 Hardware Client Remote Access Lab 10-1
Configure the Cisco Virtual Private Network 3002 Hardware Client for Unit and User Authentication 11-1
Overview of the Hardware Client Interactive Unit and User Authentication Features 11-3
Configuring the Hardware Client Interactive Unit Authentication Feature 11-5
Configuring the Hardware Client User Authentication Feature 11-12...

Configuring Certificate Authority

Certificate Authorities: View All CRL Caches | Clear All CRL Caches (current 3, maximum 6). Subject: AUSTIN at TRAINING; Issuer: AUSTIN at TRAINING; Expiration: 07/29/2005; SCEP Issuer: Yes; Actions: View | Configure | Delete | SCEP | Show RA. There are three sections to the Administration> Certificate Management> Configure CA Certificate window: CRL retrieval policy, CRL caching, and CRL-distribution points (CRL-DPs). Enabling CRL checking means that...

Configuring CRL DPs

CRL Distribution Point Protocols: HTTP, LDAP. LDAP Distribution Point Defaults. Choose a distribution point protocol to use to retrieve the CRL. If you choose HTTP, be sure to assign HTTP rules to the public interface filter (for more information, click Help). If you choose LDAP, configure the LDAP distribution point defaults below. Enter the hostname or IP address of the server. Enter the port number of the server. The default port is 389. Enter the login DN for access to the CRL on the...

Configuring Global Parameters

The topic describes the process involved in configuring system-wide parameters. You can configure several global parameters on the sections available in Configuration > System. Using these sections you can configure servers, address management, IP routing, management protocols, and load balancing. Servers: This section enables you to configure parameters for servers that authenticate users. The key...

Configuring Secure Desktop Manager Options

This topic describes how to configure the Secure Desktop Manager options. To configure the Secure Desktop Manager options, you need to click Windows Location Settings and define the different locations that users will connect from. Then define the settings for each of the locations using the locations subtree items. Click Mac & Linux Cache Cleaner to configure...

Configuring the AYT Feature

Go to the Configuration> User Management> Groups> Modify window and select the Client FW tab. AYT, CIC, and CPP features are configurable from this window. Over the next topics, you will configure each feature individually. AYT is the first feature you will configure. Complete the following steps to configure the AYT feature:
Step 1 Select a firewall setting from the Firewall Setting row.
Step 2...

Configuring the Concentrator LAN-to-LAN NAT Feature

This topic presents an overview of how to configure the LAN-to-LAN Network Address Translation (NAT) feature. Configuring LAN-to-LAN NAT is a three-step process: configure the LAN-to-LAN rule, enable the rule, then tie the translated addresses to the Concentrator. Configuring the LAN-to-LAN rule is covered first.

Configuring the Windows Location Settings

By configuring the Windows locations, you can allow CSD to deploy an appropriate secure environment for the hosts that connect through the VPN. It is in the administrator's best interests to increase security on hosts that are likely to be insecure, while offering flexibility to hosts that are deemed secure. You can use the...

Configuring VPN 3000 Series Concentrator v4.7

This topic describes the several options that can be configured on the VPN 3000 Series Concentrator v4.7. Cisco VPN 3000 Series Concentrator v4.7 provides several options that can be configured to meet customized requirements. For example, to enhance security, you can restrict a remote user to access the corporate network only during business hours or...

Connection Methods

- VPN Client Type: 3002-8E
- Serial Number: CAMO148174 9
- Bootcode Rev: Cisco Systems, Inc. VPN 3002 Hardware Client Version 3.0.Rel Feb 26 2001 10:39:17
- Software Rev: Cisco Systems, Inc. VPN 3002 Hardware Client Version 4.0.1.Rel May 06 2003 12:46:35
- Up For: 26:57:21
- Up Since: 06/30/2003 10:47:24
- RAM Size: 16 MB (Memory Status: Green)

Course Objectives

Upon completion of this course, you will be able to perform the following tasks:
- Describe the features, functions, and benefits of Cisco VPN products.
- Explain the IPSec and IKE component technologies that are implemented in Cisco VPN products.
- Install and configure the Cisco VPN Software Client.
- Configure the Cisco VPN 3000 Series Concentrators for remote access using digital certificates.
- Configure the Cisco VPN Client for auto-initiation.
- Configure the Cisco VPN 3000 Series Concentrator...

Course Objectives cont

- Configure the Cisco VPN Client for software auto-update.
- Configure the Cisco VPN 3002 Hardware Client for interactive unit and individual user authentication.
- Configure the Cisco VPN Client for a backup server and load balancing.
- Configure the Cisco VPN 3000 Series Concentrator for IPSec over TCP or IPSec over UDP.
- Configure the Cisco VPN 3000 Series Concentrator for LAN-to-LAN with pre-shared keys.
- Configure the Cisco VPN 3000 Series Concentrator for LAN-to-LAN with NAT.
- Configure the Cisco...

Creating a New Connection Transport

VPN Client | Create New VPN Connection Entry. Tabs: Authentication | Transport | Backup Servers. Transport tab: Enable Transparent Tunneling; IPSec over UDP (NAT/PAT); IPSec over TCP, TCP Port 10000; Allow Local LAN Access; Peer response timeout (seconds): 90.

Creating a New Connection Backup Servers

The private network may include one or more backup VPN servers to use if the primary server is not available. Your system administrator tells you whether to enable backup servers. Information on backup servers can download automatically from the Concentrator, or you can manually enter this information. To...

CRL Distribution Point Location

A number of CRL-DPs are accessible from the Web. Because the Web is a large place, it is difficult for the Concentrator to check a particular certificate to see if it is valid or revoked. As part of the X.509 certificate, the CRL extension includes the CRL-DP. The CRL-DP information is included in the X.509 extension fields. If you double-click the CRL-DPs icon in the certificate, the URL of the CRL-DP is shown. Load and validate identity...