VPN 3002 Hardware Client Configuration

Because the 3002 is an actual client, it does not require as much configuration as the VPN 3000 Concentrator. This is especially true because the 3002 Hardware Client obtains several configuration policies pushed from the central concentrator. For instance, the hardware client obtains WINS, DNS, and default domain name information, in addition to split tunneling policies from the concentrator. However, certain parameters are still necessary to initialize the hardware client and establish connectivity to the head-end concentrator.

Alert: Because the VPN 3002 is an actual client, it still receives several pushed parameters from the VPN 3000 Concentrator, such as WINS, DNS, default domain name, and split tunneling policies.

To begin the configuration process for the hardware client, you can access it via the RJ-45 console port or by utilizing several different management protocols. Specifically, Telnet, SSH, and HTTP all can be used to initially configure the hardware client. What's more, any of these protocols can be used without requiring any preliminary configuration steps. This is possible because the hardware client comes preconfigured with an IP address of 192.168.10.1 on its private Ethernet interface. By using this IP address, you can use Internet Explorer or Netscape Navigator browsers, as well as a Telnet or SSH client to gain access and begin the initial configuration.

Alert: The 642-511 exam expects you to remember the default IP address of the Private Interface.

Similar to the VPN 3000 Concentrator, the 3002 Hardware Client contains a Quick Configuration setup dialog to configure minimal parameters for initializing the hardware client. This configuration can be accomplished by either a command-line interface (CLI) or by the HTML-based VPN 3002 Hardware Client Manager. For simplicity, the following section looks into the GUI configuration parameters.

3002 Hardware Client Manager Quick Config

The VPN 3002 Hardware Client Manager is a scaled-down version of the VPN 3000 Concentrator Manager. It has a similar navigation screen, as well as navigation toolbars and icons to save the configuration, refresh, or reset current statistics. To gain access to the Client Manager you must first log in to the hardware client. Upon initial connection to the 3002 Hardware Client, you are presented with a login screen similar to the one depicted in Figure 9.3.

Figure 9.3. 3002 Hardware Client login screen.

At this screen, you can install the SSL certificate to your browser to support HTTPS management. Utilizing HTTPS as a management protocol provides encrypted transactions so configuration information (including passwords) cannot be easily intercepted. Additionally, there is an extra hyperlink in the top-right corner of the login page that is for users who need to initiate the authentication features discussed earlier in this chapter (more on this later).

To begin the configuration process, log in to the hardware client, using the default username and password of admin. This brings up the next page, which prompts whether you want to initiate the Quick Configuration setup dialog or go directly to the main menu. Unlike the VPN 3000 Concentrator, you can access the Quick Configuration at any given point. However, for this demonstration, we will continue with the Quick Configuration.

The first Quick Configuration screen prompts you to set the time and date values for the hardware client system. This is followed by a screen option that asks whether you want to upload an existing configuration file. If you happen to have a saved configuration .txt file, you can click "Yes" and browse to the file and click the Upload button. Otherwise, you can click the No button to continue with the Quick Configuration setup.

The Private Interface Quick Configuration screen is one of the most pivotal screens during this setup. This screen, shown in Figure 9.4, displays the default configuration for the Private Interface. As you can see, the default IP address is 192.168.10.1 with a subnet mask of 255.255.255.0. Furthermore, the 3002 Hardware Client acts as a DHCP server for devices attached to the private interface. If you wish to change either or both of these attributes, answer the questions accordingly. For instance, if you already have a DHCP server on the network, answer No to the question "Do you want to use the DHCP server on Interface 1 to provide addresses for the local LAN?" If you choose to change both parameters, you are taken to a screen similar to the one shown in Figure 9.5.

Figure 9.4. Quick Configuration Private Interface screen.

Figure 9.5. Quick Configuration Private Interface modification.

Note: If you are configuring the 3002-8E model, the 8-port switch is treated in the configuration as a single private interface. You cannot configure individual settings for each of the eight ports.

Tip: If you plan to use the VPN 3002 Hardware Client in Network Extension mode, you must change the default IP address of the private Ethernet interface to match the IP addressing scheme of your private network. However, be aware that any change to the private interface's IP address might disrupt your management connection to the hardware client.

After the Private Interface configuration is complete, the Quick Configuration displays the attributes for the public interface (Figure 9.6). Here you can assign a system name if required for your public DHCP server. The default IP setting for this interface is to obtain an IP address from a DHCP server; however, you can also set PPPoE parameters for DSL IP assignment or manually set the IP address. PPPoE is a layer 2 protocol based on PPP that is typically utilized for connectivity to Digital Subscriber Line providers. In Figure 9.6, the default setting of the DHCP client was changed to a static configuration of the IP address of 192.168.200.101 for the public interface.

Figure 9.6. Quick Configuration Public Interface screen.

The IPSec Quick Configuration page enables you to define the parameters necessary to connect to the VPN Concentrator, PIX firewall, or Cisco router. As shown in Figure 9.7, this screen initially prompts you for the IP address or hostname (requires DNS) of the IPSec device to which you want to connect. In addition, you can specify whether you want to encapsulate IPSec in TCP headers to allow IPSec to work over intermediary devices that implement NAT or PAT on the public network. If you require this functionality, be sure the far-end concentrator is also set for TCP NAT transparency and that the TCP port numbers match.

Figure 9.7. Quick Configuration IPSec screen.

Note: NAT transparency can take one of three forms. If both tunnel endpoints are configured with IPSec over TCP, that method takes precedence over the other two. If IPSec over TCP is not configured, starting with version 3.6, both sides try to detect a NAT or PAT device and negotiate NAT Traversal (NAT-T) parameters if enabled. The last option is to use IPSec over UDP if it is enabled for that particular group.

The authentication parameters of this screen determine whether you use digital certificates or preshared keys. If you want to use a certificate, select the appropriate check box and specify whether you want to send the entire CA chain with the identity certificate. When you enable authentication with digital certificates, the Group field becomes inactive and is grayed out. To be associated with the correct group when authenticating to the head-end concentrator, be sure that the OU field in the digital certificate matches a group name on the VPN Concentrator.

If you plan to utilize preshared keys, you must configure a group name and group password that match the configuration on the head-end concentrator. The group's password serves as the preshared key between the hardware client and the central concentrator. Additionally, you can input the hardware client's individual authentication parameters, which allow the hardware client to establish a tunnel automatically without any user intervention. These user authentication fields do not need to be completed if you plan to utilize the Interactive authentication feature. In Figure 9.7, the hardware client was configured to initiate the tunnel to the public IP of the central VPN Concentrator (192.168.1.101). In addition, because the tunnel endpoints use preshared keys for IKE device-level negotiations, the VPN3002 group and its preshared key were specified in the Group fields to coincide with the central concentrator's group name and password. The VPN 3002 Hardware Client also requires a user account to authenticate itself and gain access to the network. In this example, the client was configured to use the Mr Ed user account that is configured on the VPN Concentrator at the central office.

Quick Configuration continues to initialize the hardware client by asking whether you want to enable PAT for IPSec communications. If you leave the default value of Yes, the hardware client operates in Client mode. If you want to utilize Network Extension mode, answer No to this question to disable PAT for the IPSec tunnel. The remaining three Quick Configuration screens walk you through specifying a DNS server, defining default and static routes, and changing the administrative password, respectively.
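As an added example (not code from the book or from Cisco), the following Python check encodes the dependencies between the Quick Configuration answers described above: Network Extension mode versus the default private subnet, matching IPSec over TCP settings on both ends, certificate OU or group/preshared key matching, and the user account. The dictionary layout, the head-end password and TCP port, and the 10.1.1.0/24 LAN are assumptions.

```python
# Added example (not Cisco code): checks the dependencies between Quick
# Configuration answers that this chapter describes. Dict layouts, the
# head-end password, TCP port and the example LAN subnet are constructed.
import ipaddress

DEFAULT_PRIVATE_NET = ipaddress.ip_network("192.168.10.0/24")  # factory default


def check_quick_config(cfg, headend):
    """Return problems found in cfg against the head-end settings ([] = none)."""
    problems = []
    private_net = ipaddress.ip_interface(cfg["private_ip"]).network

    # Answering No to PAT selects Network Extension mode, where the private
    # interface must carry the real LAN addressing, not the default subnet.
    if not cfg["pat"] and private_net == DEFAULT_PRIVATE_NET:
        problems.append("Network Extension mode with default private subnet")

    # IPSec over TCP works only if the head-end enables it on the same port.
    if cfg.get("ipsec_over_tcp"):
        if not headend.get("ipsec_over_tcp"):
            problems.append("IPSec/TCP not enabled on head-end")
        elif cfg["tcp_port"] != headend["tcp_port"]:
            problems.append("IPSec/TCP port mismatch")

    if cfg["auth"] == "certificate":
        # The Group field is ignored; the certificate OU must name a group.
        if cfg["cert_ou"] not in headend["groups"]:
            problems.append("certificate OU matches no head-end group")
    else:
        # Preshared keys: group name and group password must both match.
        group = headend["groups"].get(cfg.get("group"))
        if group is None:
            problems.append("group not found on head-end")
        elif group["password"] != cfg.get("group_password"):
            problems.append("group preshared key mismatch")

    # A user account is required unless Interactive authentication is used.
    if not cfg.get("interactive_auth") and not cfg.get("user"):
        problems.append("no user account and Interactive authentication off")
    return problems


# Constructed settings mirroring the chapter's example (group VPN3002,
# user "Mr Ed", public IP 192.168.200.101); password and port are made up.
HEADEND = {"ipsec_over_tcp": True, "tcp_port": 10000,
           "groups": {"VPN3002": {"password": "example-psk"}}}
CLIENT_OK = {"private_ip": "10.1.1.1/24", "public_ip": "192.168.200.101/24",
             "pat": False, "ipsec_over_tcp": True, "tcp_port": 10000,
             "auth": "preshared", "group": "VPN3002",
             "group_password": "example-psk", "user": "Mr Ed"}
CLIENT_BAD = dict(CLIENT_OK, private_ip="192.168.10.1/24", tcp_port=10001,
                  group_password="wrong", user=None)
```

Running check_quick_config(CLIENT_BAD, HEADEND) reports four mismatches, one for each screen that was left inconsistent with the head-end.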

Table 9.1 summarizes the screens and parameters that are set during the Quick Configuration dialog.

Table 9.1. Cisco Quick Configuration Dialog Summary

Screen Name
    Parameters

Configuration | Quick | Time and Date
    System time, date, and time zone

Configuration | Quick | Upload Config
    Upload existing configuration file

Configuration | Quick | Private Interface
    Prompt to change private interface address, prompt to change DHCP provisioning defaults

Configuration | Quick | Private Interface | IP[*] and/or DHCP Server[**]
    Private interface IP address assignment, DHCP address range for provisioning addresses on private interface

Configuration | Quick | Public Interface
    System name, public interface IP address assignment via DHCP (default), PPPoE (DSL provider), or static configuration

Configuration | Quick | IPSec
    Central-site VPN Concentrator IP address or hostname, NAT transparency via IPSec/TCP, digital certificate authentication configuration, group preshared key and user parameters

Configuration | Quick | PAT
    Utilize PAT (Client mode) or disable PAT (Network Extension mode)

Configuration | Quick | DNS
    DNS server and domain name assignment

Configuration | Quick | Static Routes
    Static routes for destination networks

Configuration | Quick | Admin Password
    Change the default admin password

[*] Screen is displayed only if you answer Yes to "Do you want to configure the IP address of the Private Interface?"

[**] Screen is displayed only if you answer Yes to "Do you want to use the DHCP server on Interface 1 to provide addresses for the local LAN?"



CSVPN Exam Cram 2 (Exam 642-511)
ISBN: 078973026X
Year: 2002
Pages: 185