Three major categories of activities that should be performed on network devices are configuration, administration, and monitoring. The browser-based VPN 3000 Concentrator Series Manager was designed with those functions in mind. The remainder of this chapter focuses on the configuration capabilities
of the VPN concentrator.
Remote access VPNs can be established with minimal equipment. Most of your users connect through the Internet, so their infrastructure costs are minimal. While you should place the concentrator behind or in parallel with a firewall, you could establish a robust VPN network with just a border router and your concentrator.
Administration requirements for the Cisco VPN 3000 Concentrator Series are fairly standard. You could configure the concentrators completely from the CLI using either a directly connected console monitor or by Telnetting to the concentrator. However, the best option for configuring this series of concentrators is through the GUI that you access through a web browser.
You need to attach a console for the initial configuration. The console port takes a standard straight-through RS-232 serial cable with a female DB-9 connector, which Cisco supplies with the system. Once the Private interface has been configured, you can access the concentrator from your administrator workstation using a web browser such as Internet Explorer or Netscape Navigator.
In addition to the physical connections, you also need to plan your IKE phase 1 and phase 2 settings. If you are going to be using preshared keys, you must select that key as well. The following is a list of the data values you need to obtain to completely configure your Cisco VPN
3000 Series Concentrator:
• Private interface IP address, subnet mask, speed, and duplex mode.
• Public interface IP address, subnet mask, speed, and duplex mode.
• VPN concentrator’s device or system name.
• System date and time of day.
• VPN tunnel protocol that you will use, either IPSec, PPTP, or L2TP.
• Your local DNS server’s IP address.
• Your registered domain name.
• The IP address or host name for the concentrator’s default gateway.
• (Optional) Additional interfaces (for example, for a DMZ, on models 3015—3080 only),
IP addresses, subnet masks, speed, and duplex mode.
• (Optional) IP address or host name of your DHCP server, if your concentrator will be using DHCP to assign addresses to remote users.
• (Optional) A pool of IP addresses if the VPN concentrator will be assigning addresses to remote users.
• (Optional) For external RADIUS user authentication, the IP address or host name, port number, and server secret or password for the RADIUS server.
• (Optional) For external Windows NT Domain user authentication, the IP address, port number, and Primary Domain Controller (PDC) host name for your domain.
• (Optional) For external SDI user authentication, the IP address and port number for the SDI server.
• (Optional) For internal VPN concentrator user authentication, the username and password for each user. If you specify per-user address assignment, you also need the IP address and subnet mask for each user.
• (Optional) For the IPSec tunneling protocol, a name and password for the IPSec tunnel group.
Cisco VPN 3000 Concentrator Initial Configuration
When the Cisco VPN 3000 Concentrator is powered on for the first time, it boots up the factory default configuration, which offers a Quick Configuration option. The data requested by the Quick Configuration mode are enough to make the concentrator operational. Once you have the basic configuration entered through this mode, you can fine-tune the configuration through normal menu options.
The Quick Configuration can be accomplished from the CLI, but the HTML version of the concentrator manager provides a more intuitive tool for performing the essential configuration of the concentrator. The Quick Configuration steps are as follows:
Step 1 CLI: Set the system time, date, and time zone.
Step 2 CLI: Enable network access for your web browser by setting the Private interface’s IP address, subnet mask, speed, and duplex mode.
Step 3 Browser: Configure the Public interface and any other Ethernet or WAN interfaces of the concentrator. To do that, you need to set the IP address, subnet mask, speed, and duplex mode for each of these interfaces.
Step 4 Browser: Identify the system by supplying system name, date, time, DNS, domain name, and default gateway.
Step 5 Browser: Select the tunneling protocol to use and the encryption options.
Step 6 Browser: Identify the method the concentrator is to use for assigning IP addresses to clients as a tunnel is established.
Step 7 Browser: Select the type of user authentication to use, and provide the identity of the authentication server. You can choose to authenticate from the internal server, RADIUS, NT Domain, or SDI.
Step 8 (Optional) Browser: When using the internal authentication server, populate the internal user database with group and user identities.
Step 9 (Optional) Browser: When using IPSec as the tunneling protocol, assign a name and password to the IPSec tunnel group.
Step 10 (Optional, but recommended) Browser: Change the admin password for security.
Step 11 Browser: Save the configuration settings.
In part three of this technical article Cisco Press teaches you quick configurations.