Configuring the 3002 Device
The VPN 3002 has been designed for simplicity and
reliability of installation. It has few local setup parameters that must be
configured. Basic configuration parameters, security policy, and even device
upgrades are “pushed” to the device from the central site (head-end) device with
the next connection. The user simply plugs the minimally configured VPN 3002
device into a DSL/cable connection, router, or other wide area network (WAN)
access device at the remote site.
This central control and management approach minimizes the need
for skilled users or dedicated IT staff to deploy or maintain the connection.
Troubleshooting aids and centralized monitoring features are built into the 3002
software to ensure proper operation after the unit has been set up.
The 3002 supports both a specialized command-line interface (CLI)
and a Hardware Client Manager (web-based interface). In reality, they are
similar to each other, much like the built-in web interface for routers like the
2600 series. From a practical standpoint, you can do exactly the same tasks with
either interface. The primary difference is shown in Figure 15-4, where you can see
the Explorer-like program structure on the left side and links to the three
program modules in the upper-right corner. These two features make navigating
the web-based interface significantly easier and quicker. The Help feature in
the Hardware Client Manager is also much better than the one in the CLI.
Command-Line Interface (CLI)
The VPN 3002 Hardware Client CLI is a built-in, menu-based
configuration, administration, and monitoring system that can be accessed via
the system console port or a Telnet (or Telnet over SSL) session. Both Telnet
options are enabled by default on the private network interface. The CLI
supports the same configuration options as the HTML-based VPN 3002 Hardware
Client Manager covered in the section “The Hardware Client Manager.”
Note: The VPN 3002 uses a standard Cisco console kit and plugs
into an RJ-45 interface on the device. The VPN 3000 concentrators use a
straight-through jumper cable and need one of the RJ-45 to DB-9
converters.
Console port access is similar to the IOS routers using a terminal
emulator program, such as HyperTerminal. You might need to press ENTER until the
login prompt appears. Login user names and passwords for both console and Telnet
access are the same. The factory-supplied default is configured and enabled for
administrators using admin for both the login and the password. Entries are
case-sensitive. Access and user names/passwords are set using the
Administration | Access Rights | Administrators menus. The following output
shows the initial login and main menu:

    Login: admin
    Password: (doesn't display)
    Welcome to Cisco Systems VPN 3002 Hardware Client Command Line Interface
    Copyright (C) 1998-2003 Cisco Systems, Inc.
    1) Configuration
    2) Administration
    3) Monitoring
    4) Save changes to Config file
    5) Help Information
    6) Exit
    Main ->

Help
The Help menu system is somewhat
limited, displaying only the following information when 5 is entered at the Main
menu. Context-sensitive Help isn’t available and the familiar question mark (?)
doesn’t activate Help features. The Help feature in the Hardware Client Manager
is much better, offering context-sensitive assistance like most Windows
applications.

    Main -> 5
    Cisco Systems. Help information for the Command Line Interface
    From any menu except the Main menu.
    -- 'B' or 'b' for Back to previous menu.
    -- 'H' or 'h' for Home back to the main menu.
    For Data entry
    -- Current values are in '[ ]'s. Just hit 'Enter' to accept value.
    1) View Help Again
    2) Back
    Help ->

As it turns out, the B and H options—and particularly the H
option—will come in handy when you navigate the Device menus. Pressing H returns you to the Main menu.
Saving Configuration File Changes
Configuration and administration changes made using menu
options 1 and 2 on the Main menu take effect immediately and become a part of
the active, or running, configuration. Like the Cisco routers, if the VPN 3002
is rebooted without saving the active configuration, any changes will be
lost.
Saving changes to the system configuration (CONFIG) file is a
one-step process from the Main menu. At the Main -> prompt, typing 4 will
save changes without additional steps or confirmation.

    1) Configuration
    2) Administration
    3) Monitoring
    4) Save changes to Config file
    5) Help Information
    6) Exit
    Main -> 4

The system writes the current (active) configuration to the
CONFIG file and redisplays the main menu.
Second Level Menus
Familiarity with the menu system will come with
experimentation and experience, but the following examples expand the menus one
level. The following output reflects choosing the Configuration (1) option.
Notice the prompt changes to reflect the new menu:

    1) Configuration
    2) Administration
    3) Monitoring
    4) Save changes to Config file
    5) Help Information
    6) Exit
    Main -> 1
    1) Quick Configuration
    2) Interface Configuration
    3) System Management
    4) Policy Management
    5) Back
    Config ->

The following output reflects choosing the Administration (2)
option from the Main menu:

    1) Configuration
    2) Administration
    3) Monitoring
    4) Save changes to Config file
    5) Help Information
    6) Exit
    Main -> 2
    1) Software Update
    2) System Reboot
    3) Ping
    4) Access Rights
    5) File Management
    6) Certificate Management
    7) Back
    Admin ->

The following output reflects choosing the Monitoring (3) option
from the Main menu:

    1) Configuration
    2) Administration
    3) Monitoring
    4) Save changes to Config file
    5) Help Information
    6) Exit
    Main -> 3
    1) Routing Table
    2) Event Log
    3) System Status
    4) User Status
    5) General Statistics
    6) Back
    Monitor ->

Shortcut Numbers
Once you become familiar with the structure of the CLI, you
can quickly access any level by entering a series of numbers, corresponding to
menu choices, separated by periods. For example, entering 2.2.2.1.2 at the
Main-> prompt saves the configuration and reboots the device immediately. The
result looks like the following, beginning at the Main menu:

    1) Configuration
    2) Administration
    3) Monitoring
    4) Save changes to Config file
    5) Help Information
    6) Exit
    Main -> 2.2.2.1.2
    Done
    Login:

The following are the steps that were fast-forwarded through,
beginning at the Main menu:

    1) Configuration
    2) Administration
    3) Monitoring
    4) Save changes to Config file
    5) Help Information
    6) Exit
    Main -> 2
    1) Software Update
    2) System Reboot
    3) Ping
    4) Access Rights
    5) File Management
    6) Certificate Management
    7) Back
    Admin -> 2
    1) Cancel Scheduled Reboot/Shutdown
    2) Schedule Reboot
    3) Schedule Shutdown
    4) Back
    Admin -> 2
    1) Save active Configuration and use it at Reboot
    2) Reboot without saving active Configuration file
    3) Reboot ignoring the Configuration file
    4) Back
    Admin -> 1
    1) Cancel Scheduled Reboot/Shutdown
    2) Reboot Now
    3) Reboot in X minutes
    4) Reboot at time X
    5) Reboot wait for sessions to terminate
    6) Back
    Admin -> 2
    123 03/31/2003 15:41:12.460 SEV=1 REBOOT/1 RPT=1
    Reboot scheduled immediately.
    Done

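A shortcut such as 2.2.2.1.2 runs without displaying the intermediate menus, so it is worth expanding it into its menu labels before typing it. The following is an added example, not code from the original article or from Cisco: it encodes only the menus printed in this section and flags shortcuts that lead to a reboot, and the names `menu`, `expand`, and `SAVE_FIRST` are this example's own.

```python
def menu(*labels):
    """Number the labels from 1 as the CLI does; submenus are attached below."""
    return {n: [label, None] for n, label in enumerate(labels, 1)}

# Menus transcribed from the CLI output in this article. A None submenu means
# the article does not show what follows that choice.
MAIN = menu("Configuration", "Administration", "Monitoring",
            "Save changes to Config file", "Help Information", "Exit")
MAIN[1][1] = menu("Quick Configuration", "Interface Configuration",
                  "System Management", "Policy Management", "Back")
ADMIN = MAIN[2][1] = menu("Software Update", "System Reboot", "Ping",
                          "Access Rights", "File Management",
                          "Certificate Management", "Back")
MAIN[3][1] = menu("Routing Table", "Event Log", "System Status", "User Status",
                  "General Statistics", "Back")
REBOOT = ADMIN[2][1] = menu("Cancel Scheduled Reboot/Shutdown",
                            "Schedule Reboot", "Schedule Shutdown", "Back")
SAVE_FIRST = "Save active Configuration and use it at Reboot"
HOW = REBOOT[2][1] = menu(SAVE_FIRST,
                          "Reboot without saving active Configuration file",
                          "Reboot ignoring the Configuration file", "Back")
HOW[1][1] = menu("Cancel Scheduled Reboot/Shutdown", "Reboot Now",
                 "Reboot in X minutes", "Reboot at time X",
                 "Reboot wait for sessions to terminate", "Back")

def expand(shortcut):
    """Resolve a dotted shortcut typed at Main -> into (labels, warnings)."""
    labels, node = [], MAIN
    for part in shortcut.split("."):
        if node is None:
            raise ValueError(f"the article shows no menu after {labels[-1]!r}")
        if not part.isdecimal() or int(part) not in node:
            raise ValueError(f"{part!r} is not a choice on this menu")
        label, node = node[int(part)]
        labels.append(label)
    warnings = []
    if labels[-1].startswith("Reboot"):
        warnings.append("leads to a device reboot")
        if SAVE_FIRST not in labels:
            warnings.append("active configuration is not saved first")
    return labels, warnings

if __name__ == "__main__":
    for s in ("2.2.2.1.2", "2.2.2.2", "4", "2.9"):
        try:
            print(s, "->", expand(s))
        except ValueError as err:
            print(s, "-> rejected:", err)
```
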
The Hardware Client Manager (Web Interface)
The VPN 3002 Hardware Client Manager is an HTML-based
interface that makes it possible to configure, administer, monitor, and manage
the VPN 3002 device with a web browser. The easiest way to use the web interface
is to connect to the VPN 3002, using any PC with a web browser on the private
network behind the VPN 3002.
By default, the Client Manager uses HTTP, which is convenient, but
messages are in clear text. If security requires it, the Client Manager supports
a secure, encrypted HTTP connection over the Secure Sockets Layer (SSL) protocol,
known as HTTPS.
Browser Requirements
The VPN 3002 Hardware Client Manager supports either
Microsoft Internet Explorer (IE) version 4.0 or higher or Netscape Navigator
version 4.5–4.7. For the best results, Cisco recommends Internet Explorer, and
JavaScript and cookies must be enabled in the browser. The other recommendation
is that any updates and patches be installed.
Recommended Display Settings
Cisco recommends the following monitor display settings for
best viewing:
Browser Navigation Toolbar
Earlier implementations of the Client Manager were basically
the CLI simply converted to a web interface. Each new version includes much
better integration of Windows functions. Help, a Java-based applet, in
particular, is getting friendlier and more useful.
Cisco still doesn’t recommend using the browser navigation
toolbar buttons Back, Forward, or Refresh/Reload with the Client Manager unless
specifically instructed to do so. To maintain access security, clicking the
Refresh/Reload button automatically logs out the Manager session and returns to
the login screen. Using the Back or Forward buttons could possibly display old
Manager displays with incorrect data or settings. If you’re concerned about
this, the IE View | Full screen (F11) feature will eliminate the
temptation.
Connecting to the Client Manager
To access the VPN 3002 Client Manager application using HTTP
over a web browser, type the VPN 3002 private interface IP address (such as
192.168.1.10) in the browser Address or Location field. The browser will
automatically supply the http:// prefix.
The browser displays the VPN 3002 Hardware Client Manager login
screen, as shown in Figure 15-5.
Logging in to the Manager application is the same for clear-text
HTTP or secure HTTPS. The 3002 supports three types of accounts that can access
the device: Administrator, Config, and ISP. Only the Administrator account is
enabled by default using admin/admin for the user name/password. Internet
Explorer users can use the TAB key to move from field to field. The Clear button
can be used to start over.
Figure 15-6 shows the opening screen that appears,
offering access to the three main application modules. This screen provides a
good overview of the various screen components and options to maneuver through
the application. The application tree on the left-hand side offers Explorer-like
navigation capabilities to move quickly from feature to feature. This feature
alone makes the web interface significantly easier to use than the CLI.
The VPN 3002 Hardware Client Reference, available online or
in the CD-ROM documentation that came with the device, covers how to set up the
device for installing an SSL Certificate in the browser for HTTPS
connectivity.
Client Manager Organization
The Client Manager, exactly like the CLI, is made up of
three major sections and many second and third level subsections:
- Configuration—Sets all VPN 3002 parameters
  that govern the unit’s use and functionality as a VPN device.
  - Quick Configuration—A series of steps that supply the
    minimal parameters needed to make the VPN 3002 operational.
  - Interfaces—Ethernet parameters for public
    (outside) and private (inside) interfaces.
  - System—Sets system-wide function
    parameters, such as server access, IPSec tunneling protocol, built-in management
    servers, event handling, IP-routing, and system identification.
  - Policy Management—Enables PAT and
    certificate validation.
- Administration—Manages the higher-level
  functions that keep the 3002 unit operational and secure, such as who is allowed
  to configure the system and what software runs on it, as well as managing its
  configuration files and digital certificates.
- Monitoring—Views routing tables, event
  logs, system LEDs and status, and statistics and user session data.
Help
Figure 15-7 shows the result of selecting
Administration | Ping in the left panel, and then clicking on the Help button in
the upper-right corner. The Help window works much like any Windows help
document.
Second-Level Menus
The Client Manager structure tree in the leftmost panel can
be expanded using standard Windows techniques. Figure 15-8 shows the three
menus expanded and the Configuration menu expanded to three levels.