Administration Parameters

In the Administration division of the VPN 3000 Concentrator Manager, you can perform management and maintenance tasks that affect the entire concentrator. Access management and rights, file management, software updates, and system reboots are just some of the administrative functions that can be performed in this division of the concentrator's navigation menus. In addition, the Administration section contains the certificate management settings discussed in Chapter 5, "Configuring Cisco VPN 3000 for Remote Access Using Digital Certificates." The following sections look into the majority of these tasks and explore what each administrative function provides.

Administer Sessions

In the Administration | Administer Sessions screen, you are presented with general statistics for any type of session that is connected to the VPN Concentrator. As shown in Figure 8.1, the top-right corner of this page presents you with the Reset icon to clear outdated statistics and the Refresh icon to update the screen so you can see the most current statistics. Keep in mind that this screen can also contain hundreds of sessions in the tables, and sorting through them can become a daunting task. For this very reason, this page contains a pull-down menu in which you can filter the statistics based on an individual group, the base group, or all groups.

Figure 8.1. Administer Sessions screen.


Throughout your configuration of the VPN Concentrator, you may find that you need to make tunneling protocol changes that will directly affect sessions using that protocol. In those instances, the changes do not affect users that are already connected to the concentrator. To enforce those changes, you need to log out those sessions for those particular protocols so the new changes take effect when users reconnect. To address this conundrum, there are several hyperlinks under the Group pull-down menu that enable you to log out all sessions for IPSec, L2TP, PPTP, and IPSec LAN-to-LAN. Be advised, however, that if you click on one of the selected hyperlinks, there is no warning message and no way to undo this action. As such, all connected sessions for that protocol will disconnect and require reconnecting.

The Session Summary table displays overall summary totals for any session that has been established to the concentrator. These session statistics are further displayed by the three separate tables for LAN-to-LAN sessions, remote access sessions, and management sessions. Each of these tables contains a hyperlink to ping the connecting device to test network connectivity, as well as a hyperlink to log out individual sessions.

The LAN-to-LAN Sessions table shows tunnel statistics for all active IPSec tunnels that the concentrator is currently sustaining. The sessions are listed alphabetically by session name. The Remote Access Sessions table displays statistics similar to those for the LAN-to-LAN tunnels; these sessions are for all connected IPSec, PPTP, and L2TP clients that are currently using a VPN tunnel for remote access. Because there can be quite a few of these sessions, the Administer Sessions page enables you to click on a table column heading to sort by username, IP address, group name, tunnel protocol, tunnel duration, client type, or received/transmitted bytes. In the example in Figure 8.1, the user Mr. Ed, from the Not-So-Human Resources group, is assigned an internal tunnel IP address of 10.1.1.100 and has a public IP address of 172.16.1.2 from his ISP for his remote access session. The IKE negotiation chose AES-128 for bulk data encryption, and NAT Transparency is enabled for Mr. Ed if IPSec over UDP is allowed. Furthermore, the Remote Access Sessions output even displays the connection duration and the Unity client version. If Mr. Ed were complaining of slow connectivity, you could click on the Ping hyperlink to check for latency on the remote access session. What's more, you can log out and disconnect Mr. Ed's session if it becomes hung or you suspect inappropriate use of the network.

The Management Sessions table displays any active session to the concentrator for administrative purposes. In instances where there are several sessions with the same user (as in the admin session in Figure 8.1), the concentrator places a configuration lock on any session that follows the original one. For instance, in Figure 8.1, the admin from IP address 10.1.1.1 was the first admin to log in to the concentrator. That admin has full privileges to do as he or she pleases; however, any successive admin logins (up to 10 by default) are allowed only read-only permissions until the original admin's session has timed out or is disconnected.

Exam Alert: It is a good idea to remember that only one administrator is given full rights at one time. All successive admin logins are given read-only permissions.


Tip: Be careful when logging out management sessions. You can accidentally disconnect your own session and be forced to establish another tunnel.


Software Updates

One of the most important administrative tasks is to keep the VPN Concentrator, as well as the hardware and software clients, up to date to support the latest available features. To achieve this, you can download the latest software versions for clients and the concentrator from Cisco's Web page. However, you need a valid CCO login with a service contract to download the software. After the software is downloaded, the Administrative section of the concentrator's navigation pane enables you to upgrade the concentrator's software code to the newer version. In addition, you can use the Administration menus to send an update message to connected clients to upgrade their own client code.

Exam Alert: Because the concentrator and client update process is such an important concept, it is likely that it will be thoroughly covered in the exam. Be sure to pay close attention to the steps and syntax used in the upgrade procedures.


Concentrator Software Update

To upgrade the concentrator's software code, proceed to the Administration | Software Update | Concentrator page. As illustrated in Figure 8.2, the screen enables you to specify the directory and filename to upload to the concentrator. There is a convenient Browse button next to the field where you can locate the file on your local machine. After you specify the location, click on the Upload button to begin the process. After the file is uploaded, you need to reboot the concentrator.

Figure 8.2. Concentrator Software Update screen.


Note: Be sure to note that the file directory and filename are case sensitive. It is easiest to use the Browse button and navigate to the file located on the local workstation. Also, be sure not to carry out any configuration functions while the concentrator is uploading. Doing so may corrupt the imaging process.


Software Client Updates and Hardware Auto Updates

To update the hardware and software clients, the process is slightly different. The update process is actually located within the Configuration menu screens. In addition, the update process differs slightly for hardware clients versus software clients. When client software updates are configured, the software client receives a notification that includes the revision number of the software update as depicted in Figure 8.3. If the software client is not running the specified revision(s), the client can launch the HTTP URL from the notification window and download the latest version at the client's convenience. The VPN 3002 Hardware Client shares a similar process; however, the hardware client determines whether it needs the new revision and tries to download the image from a TFTP server automatically, as soon as the notification is received.

Figure 8.3. Software update notification message.


Exam Alert: The exam refers to the VPN 3002 Hardware Client updates as auto updates because the Hardware Client automatically installs the software from the specified TFTP URL and reboots after the download is complete.


Note: In the following sections, several page references of the VPN Concentrator Manager end with "Add or Modify." Just so you understand, the actual reference ends with either value. However, as a general rule for the VPN Concentrator Manager, most Add or Modify screens are identical except for the page title. "Add" simply means you are adding a new entry, as opposed to modifying an existing entry.


To create notifications to the hardware and software clients, navigate to the Configuration | System | Client Update | Enable screen and verify that update notification is enabled (on by default). After this is verified, proceed to the Configuration | System | Client Update | Entries | Add or Modify screen depicted in Figure 8.4. On this screen, you must enter a client type (case sensitive) in the appropriate field. The supported client types are the following:

  • Windows: All Microsoft implementations of Windows, including Windows 9x, Me, NT 4.0, 2000, and XP.

  • Win9x: Any client currently running on the Windows 95, 98, or Me operating systems.

  • WinNT: Includes Windows NT 4.0, 2000, and XP.

  • vpn3002: Used for update notifications for the VPN 3002 Hardware Client. The URL must be a TFTP address.

Figure 8.4. Hardware and software clients notification creation.


In the URL field, specify the HTTP URL (Cisco Unity software clients) or the TFTP URL (VPN 3002 Hardware Client). The URL must specify the protocol, the server address, and the directory path to the file (for example, http://10.2.2.2/vpnclient-win-msi-4.0.2.A-k9.exe). The Revision field is used in the update notification to tell the client what versions can be found at the URL. (The software image's version is located between the dashes at the end of the filename.) At a minimum, you must specify the revision that appears in the URL's filename. In the example URL, http://10.2.2.2/vpnclient-win-msi-4.0.2.A-k9.exe, the version number is 4.0.2.A.

Exam Alert: If an update message URL contains a TFTP address, it is a VPN 3002 Hardware Client auto update. If the message contains an HTTP URL, the message is for the Cisco VPN Unity client.
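
The entry rules above (case-sensitive client type, TFTP versus HTTP URL, and a Revision field that must include the version embedded in the filename) can be checked before an entry is saved. The following is an added example written for this page, not Cisco's code; it assumes the Revision field is a comma-separated list, and the filenames, addresses and the `entry_error` helper are constructed for illustration.

```python
"""Client-update entry checks for the Configuration | System | Client Update |
Entries screen. Added example, not Cisco's code. Assumptions: client types
are case sensitive, the Revision field is a comma-separated list, and the
sample URLs below are constructed."""
import re
from typing import Optional
from urllib.parse import urlparse

CLIENT_TYPES = {"Windows", "Win9x", "WinNT", "vpn3002"}   # case sensitive

# The image version sits between the last two dashes of the filename:
# vpnclient-win-msi-4.0.2.A-k9.exe  ->  4.0.2.A
_REV_RE = re.compile(r"-([0-9][0-9A-Za-z.]*)-[^-]+$")


def classify_update_url(url: str) -> str:
    """TFTP URLs are VPN 3002 auto updates; HTTP URLs are Unity client notifications."""
    scheme = urlparse(url).scheme.lower()
    if scheme == "tftp":
        return "hardware-auto-update"
    if scheme == "http":
        return "software-client"
    raise ValueError(f"unsupported update URL scheme: {scheme!r}")


def revision_from_url(url: str) -> str:
    """Extract the version string from the filename at the end of the URL."""
    filename = urlparse(url).path.rsplit("/", 1)[-1]
    match = _REV_RE.search(filename)
    if match is None:
        raise ValueError(f"no revision found in filename {filename!r}")
    return match.group(1)


def validate_entry(client_type: str, url: str, revisions: str) -> dict:
    """Check an Add/Modify entry the way an administrator should before saving it:
    the client type must be one of the supported (case-sensitive) names, vpn3002
    entries must carry a TFTP URL, software clients an HTTP URL, and the Revision
    field must list the revision that appears in the URL's filename."""
    if client_type not in CLIENT_TYPES:
        raise ValueError(f"unknown client type {client_type!r} (types are case sensitive)")
    kind = classify_update_url(url)
    if client_type == "vpn3002" and kind != "hardware-auto-update":
        raise ValueError("vpn3002 entries require a TFTP URL")
    if client_type != "vpn3002" and kind != "software-client":
        raise ValueError("software client entries require an HTTP URL")
    url_rev = revision_from_url(url)
    listed = [r.strip() for r in revisions.split(",") if r.strip()]
    if url_rev not in listed:
        raise ValueError(f"Revision field {listed} does not include {url_rev} from the URL")
    return {"client_type": client_type, "kind": kind, "revision": url_rev, "revisions": listed}


def entry_error(client_type: str, url: str, revisions: str) -> Optional[str]:
    """Return the validation error message, or None when the entry is acceptable."""
    try:
        validate_entry(client_type, url, revisions)
    except ValueError as exc:
        return str(exc)
    return None


def client_needs_update(client_revision: str, entry: dict) -> bool:
    """A client already running one of the listed revisions ignores the notification."""
    return client_revision not in entry["revisions"]


if __name__ == "__main__":
    entry = validate_entry("Windows", "http://10.2.2.2/vpnclient-win-msi-4.0.2.A-k9.exe", "4.0.2.A")
    print(entry, client_needs_update("4.0.1.A", entry))
    print(entry_error("vpn3002", "http://10.2.2.2/vpn3002-4.0.1.Rel-k9.bin", "4.0.1.Rel"))
```

The `vpn3002` check mirrors the exam alert: a hardware client entry with an HTTP URL is rejected outright, and a software client entry with a TFTP URL likewise, so a mistyped scheme is caught before the notification goes out.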


After you specify all the update entries, you need to send an alert to the clients to receive the notification. As depicted in the Administration | Software Update | Clients screen in Figure 8.5, you can choose to update specific groups, the base group, or all groups. It is recommended that you do this update a group at a time because the concentrator limits the number of updates to batches of 10. After you click on the Upgrade Clients Now button, the notifications are sent to connected clients.

Figure 8.5. Hardware and software clients immediate update notification.


An alternative method for this notification is to create the update notification for specific groups in the Configuration | User Management | Groups | Client Update screen (shown in Figure 8.6). This type of update notification is useful when you have VPN 3002 Hardware Clients and Cisco Unity Clients in separate groups that are not currently connected to the concentrator. By assigning different updates to the different groups, you can ensure that the clients receive the appropriate HTTP or TFTP URL in the update message as they log in to the concentrator.

Figure 8.6. Hardware and software clients group update notification


System Reboot

Throughout the course of your administration, it is possible that you may need to reboot the concentrator (for example, when you upgrade the software version). This task can be performed at the Administration | System Reboot screen, as illustrated in Figure 8.7. On this screen, you are presented with several actions. The default is to reboot the concentrator; however, you can also bring the system to a halt so you can power it off by choosing the Shutdown Without Automatic Reboot option. This option terminates all sessions except the management sessions and prevents new users from connecting. The last action you can choose is to cancel a scheduled reboot/shutdown if you scheduled the concentrator to reboot at a designated time other than that particular moment.

Figure 8.7. System Reboot screen.


When the concentrator performs the reboot, the configuration may have changed and might need to be saved. The first option in the Configuration section addresses this issue by saving the configuration at the time of the reboot. The default setting is to reboot without saving the active configuration. This means that any changes that were performed from the last save will be lost. The final option is useful to return the concentrator back to the factory default configuration (except the password). The Reboot Ignoring the Configuration File option reboots the concentrator and requires that you connect a console session into the concentrator to perform the Quick Configuration parameters again. Mind you, this option is not erasing your current configuration file; nevertheless, it does bypass the configuration file during the startup process. If you save your configuration after this process, that configuration is active when you reboot the concentrator. What's more, because this option bypasses your configuration, you will no longer have an IP address assigned to the Private interface; thus, you must be physically connected to the concentrator to reconfigure your settings.

Exam Alert: If you decide to use the default setting, Reboot Without Saving the Active Configuration, the system does not prompt the administrator with any alerts or warnings concerning the configuration. As such, be mindful about the state of your active configuration when rebooting.


The last section of the Reboot screen entails when to reboot or perform whatever action you specified on the top of the screen. The default value is "Now," which implements the action automatically. You can delay the action by a number of minutes to give proper notice to all connected users. Additionally, if you want to perform the action after peak hours, you can program the time (in 24-hour time format) to reboot or shut down. Finally, the concentrator can shut down or reboot as soon as all the sessions have been terminated. This option does not allow new users to connect and lets the currently connected users finish their session.

Exam Alert: Be sure you comprehend the different options and actions you can implement when rebooting the concentrator. It is likely that you will encounter these options on the exam.


Ping and Monitor Refresh

To verify that you have IP connectivity to other devices, you can use the ping utility in the concentrator. Figure 8.8 shows the Administration | Ping screen. In the address field, specify an IP address or hostname. To ping a hostname, you must have DNS servers specified in the Configuration | System | Servers | DNS screen. Recall that you can also ping tunnel endpoints from the Administer Sessions page by clicking on the Ping hyperlink for that specific session.

Figure 8.8. Ping screen.


When monitoring the statistics of the concentrator in the Monitoring division, you have to click manually on the refresh icon under the navigation bar to update the statistics on the screen. In the Administration | Monitor Refresh screen (Figure 8.9), you can have the VPN Concentrator automatically refresh the screen statistics after the specified number of seconds. This feature is disabled by default.

Figure 8.9. Monitor refresh screen.


The Four A's: Access Rights, Administrative Accounts, ACLs, and AAA Servers

A very important aspect of configuring security parameters is to secure the concentrator itself. In the Access Rights configuration menus, you are able to enforce security measures to ensure that the correct administrators are connecting to the concentrator. Furthermore, you can determine what permissions they have when they log in. The next few sections explore how to define this limited access and how to modify privileges associated with those who are logging into the concentrator for administrative purposes.

Administrators

Recall that in Chapter 4 you logged into the concentrator as admin who was given full access to all configuration, administration, and monitoring services. The admin account is one of the five default accounts of administrators who are allowed access to the VPN Concentrator Manager and the only account that is enabled by default. The five administrator accounts are as follows:

  • admin: This account is enabled by default. The admin account is given full access to all functions of the concentrator. This is true in all cases except when multiple users log in as admin. In these instances, the first admin logged in has full permissions until his or her session is disconnected or times out. The remaining admins have only read-only privileges.

  • config: The config account is disabled by default and has full privileges except SNMP permissions.

  • isp: The isp administrative account has limited functionality in configuration. It cannot modify the authentication parameters, change SNMP configurations, or manipulate configuration files. This account is disabled by default.

  • mis: The mis account is exactly like isp except that it can change authentication parameters.

  • user: This is a limited account that is permitted only to view statistics and has read-only access to all parameters. It too is disabled by default.

If you want to enable and manipulate the administrator settings, go to the Administration | Access Rights | Administrators screen depicted in Figure 8.10. Here you can enable the default accounts by checking the Enabled check boxes. In addition, you can rename the default accounts if you want to create a custom account. The Administrator column to the right of the usernames enables you to define which account is the administrator, and it is the administrator who can modify the configurations on this screen (the default is admin).

Figure 8.10. Administrator accounts screen.


If you want to change a user's permissions, click on the Modify button for that particular user and change the parameters as demonstrated in Figure 8.11. In this screen, you can set the password and access rights for that user. In addition, you can associate an AAA TACACS+ access level with this user in instances where you are using TACACS+ as an authentication protocol for administrator access.

Figure 8.11. Administrator permission screens.


Access Control Lists (ACLs)

Anybody who has access to the administrator usernames and passwords can access the concentrator. With ACLs, you can specify management stations or networks that are allowed to access the device for administration. By default, the ACL list is empty, which allows all IP addresses to gain access. This access list applies to all the management protocols that can gain access to the concentrator, including HTTP, HTTPS, Telnet, SSH, SSL, SNMP, XML, TFTP, and FTP.

In the Administration | Access Rights | Access Control List | Add or Modify screen (Figure 8.12), you can specify the management workstation or network in the IP Address and IP Mask fields. If you want to specify a single station, use the 255.255.255.255 IP mask. Furthermore, be sure to specify what level of access this network or station contains. In the example shown in Figure 8.12, only management station 192.168.1.254 is given admin access to the VPN 3000 Concentrator.
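
Evaluating a management ACL by hand shows the two points that matter on this screen: an empty list is not "deny all" but "allow all", and the mask decides whether an entry covers one workstation or a whole subnet. The following is an added example written for this page, not Cisco's code; the entries, the station addresses, the "unrestricted" label and the first-match ordering are constructed assumptions of the example.

```python
"""Management ACL evaluation for the Administration | Access Rights |
Access Control List entries. Added example, not Cisco's code. The entries
and station addresses are constructed, and first-match ordering is an
assumption of this example."""
import ipaddress
from typing import List, Optional


def entry_matches(entry: dict, station: str) -> bool:
    """Address/mask match: the station matches when its masked bits equal the entry's."""
    addr = int(ipaddress.IPv4Address(entry["ip"]))
    mask = int(ipaddress.IPv4Address(entry["mask"]))
    return (int(ipaddress.IPv4Address(station)) & mask) == (addr & mask)


def management_access(acl: List[dict], station: str) -> Optional[str]:
    """Return the access level the ACL grants a management station, or None if
    the station is blocked. An empty ACL (the factory default) lets every
    address reach the management protocols, reported here as 'unrestricted'."""
    if not acl:
        return "unrestricted"
    for entry in acl:            # first matching entry wins (assumption)
        if entry_matches(entry, station):
            return entry["level"]
    return None


def single_host(ip: str, level: str) -> dict:
    """Build an entry for exactly one workstation, i.e. the 255.255.255.255 mask."""
    return {"ip": ip, "mask": "255.255.255.255", "level": level}


# Constructed samples. HARDENED_ACL reproduces the Figure 8.12 idea: only one
# station gets admin access. OVERBROAD_ACL shows the usual slip, a subnet mask
# that admits every host in 192.168.1.0/24 instead of the one workstation.
DEFAULT_ACL: List[dict] = []
HARDENED_ACL = [single_host("192.168.1.254", "admin")]
OVERBROAD_ACL = [{"ip": "192.168.1.254", "mask": "255.255.255.0", "level": "admin"}]

if __name__ == "__main__":
    for name, acl in (("default", DEFAULT_ACL), ("hardened", HARDENED_ACL), ("overbroad", OVERBROAD_ACL)):
        for station in ("192.168.1.254", "192.168.1.77", "203.0.113.9"):
            print(f"{name:9} {station:15} -> {management_access(acl, station)}")
```

Because the list applies to every management protocol (HTTP, HTTPS, Telnet, SSH, SNMP, XML, TFTP, FTP), the first entry you add is also the moment the device stops accepting every other address, so the station you are configuring from should be in that first entry.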

Figure 8.12. Access Control List Screen.


AAA Servers

If your company has a TACACS+ server on location, you can utilize the server to authenticate admin access to the concentrator and even specify the administrator access rights associated with the user. This parameter can be set in the Administration | Access Rights | AAA Servers | Authentication | Add or Modify screen displayed in Figure 8.13. Make certain that you specify the TACACS+ server's IP or hostname (requires DNS). If you need to modify the port, timeout, and retry parameters, set them to match the parameters on the server. Finally, be sure to specify the shared secret password that is used as a key to encrypt/decrypt traffic between the concentrator and the TACACS+ server. If these values do not match, the TACACS+ server and the VPN 3000 Concentrator cannot communicate.
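
The shared secret does not authenticate the server; it seeds the keystream that TACACS+ XORs over every packet body (RFC 8907, section 4.5), which is why a mismatch leaves the two ends unable to read each other. The following is an added example written for this page, not Cisco's code; the secret, session id and packet body are constructed sample values.

```python
"""TACACS+ body obfuscation (RFC 8907, section 4.5). Added example, not
Cisco's code: it shows why the shared secret on the concentrator must match
the server's. The secret seeds an MD5 keystream that both ends XOR over each
packet body, so mismatched secrets turn the body into noise. The secret,
session id and body below are constructed sample values."""
import hashlib


def tacacs_pad(secret: bytes, session_id: int, version: int, seq_no: int, length: int) -> bytes:
    """Keystream: MD5(session_id | secret | version | seq_no); each further
    block is MD5 of the same inputs followed by the previous block."""
    seed = session_id.to_bytes(4, "big") + secret + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(secret: bytes, session_id: int, version: int, seq_no: int, body: bytes) -> bytes:
    """XOR the body with the keystream; applying it again with the same secret restores it."""
    pad = tacacs_pad(secret, session_id, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def server_reads_body(concentrator_secret: bytes, server_secret: bytes, body: bytes,
                      session_id: int = 0x1234ABCD, version: int = 0xC0, seq_no: int = 1) -> bool:
    """Simulate the concentrator sending a body under its secret and the server
    decoding it under its own; True only when both secrets agree."""
    on_wire = obfuscate(concentrator_secret, session_id, version, seq_no, body)
    return obfuscate(server_secret, session_id, version, seq_no, on_wire) == body


if __name__ == "__main__":
    body = b"authen START body (constructed)"
    print(server_reads_body(b"s3cret-key", b"s3cret-key", body))   # True
    print(server_reads_body(b"s3cret-key", b"s3cret-kay", body))   # False
```

The version byte 0xC0 is TACACS+ major version 0xC with minor version 0; the session id and sequence number come from the packet header, which is sent in the clear, so the secret is the only input the two sides must agree on out of band.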

Figure 8.13. AAA TACACS+ Server screen.


File Management

The File Management section of the Administration navigation menus enables you to view, copy, delete, and manipulate files contained in the Flash memory of the VPN 3000 Concentrator. These files are all listed in the Administration | File Management screen as shown in Figure 8.14. This screen shows you the amount of Flash memory that is in use and the amount of Flash memory free. In the table, it lists all the files that are currently stored in Flash memory in 8.3 (eight-character filename with three-character extension) filename convention. Some common files you might see are the following:

  • CONFIG: This is your current active configuration.

  • CONFIG.BAK: This is the previous configuration that was saved before your active configuration was saved. Every time you save your configuration, the VPN 3000 Concentrator backs up the old configuration to a .BAK file.

  • CRSHDUMP.TXT: In cases where the concentrator crashes, it dumps the contents of NVRAM to this Flash file. This file is useful for Cisco engineers to assist in troubleshooting a crashing concentrator.

  • SAVELOG.TXT: Also used for debugging crashing systems, the SAVELOG.TXT file is automatically saved when the system crashes and is rebooted.

  • Created files (for example, MYBACKUP): You can create files in Flash memory by using the copy hyperlink, uploading files via TFTP or HTTP, and exporting the CONFIG file as an XML file.

  • PKCS0003.TXT: This file may have different revision numbers; however, this is the PKCS request file used for digital certificate PKCS#10 requests.

Figure 8.14. File Management screen.


You are able to view, delete, and copy the files located in Flash memory. For example, viewing the CONFIG file opens another browser window, in which you can save the file as a .TXT file to store locally in case you want to upload the file with TFTP or HTTP in the future. Additionally, you can back up your configuration to a file via TFTP, as well as export the configuration to an XML file.

Swap Config File

Have you ever said something and wished you could take it back? That may not work in real life, but it works just fine in the VPN 3000 Concentrator. With this utility in the Administration | File Management | Swap Configuration Files screen, you can basically "undo" a configuration. Recall that every time you save the configuration, a backup copy called CONFIG.BAK is created. With this utility, you can copy the backup file to be the active configuration again. When you enable this function, you need to reboot the concentrator to make the backup file the active boot file. In fact, the VPN Concentrator Manager immediately takes you to the Reboot screen when you initiate the file swap. Figure 8.15 illustrates the concept of the Swap Config File feature.

Figure 8.15. Swap Config concept.




CSVPN Exam Cram 2 (Exam 642-511)
ISBN: 078973026X
Year: 2002
Pages: 185