Introduction to Accessing a Concentrator

Now that I've covered the different 3000 models and provided a brief overview of the features of the concentrators, I'll give a quick overview of how to access a concentrator and navigate through its screens. The remaining chapters in Parts II and III will cover the specifics of how to set up remote access (IPsec, PPTP, L2TP/IPsec, and WebVPN) and site-to-site sessions that terminate on the VPN 3000 concentrators.

You can access the concentrator out-of-band by using its console port. The console port is a DB-9 interface. When using a terminal package, such as HyperTerminal or TeraTerm, set its communications properties to the following:
In-band management is supported with the following protocols:
The concentrators support two types of management interfaces: a character-based interface, commonly called a command-line interface (CLI), and a graphical user interface (GUI). The following sections will discuss these two interfaces.

Command-Line Interface

When you receive a concentrator from the factory, it has no configuration on it; therefore, you need to use the menu-driven CLI to put a basic configuration on it. Once you have, at the minimum, an IP address on the private interface of the concentrator, administrators typically use a web browser from there on out to manage it. To help you understand the initial access to the CLI, and additional tasks you can perform from the CLI, the following sections cover these topics:
Bootup Process

To see the bootup process of the VPN 3000 concentrator, you need to use its console, as shown in Example 6-1.

Example 6-1. Concentrator Bootup Process

Boot-ROM Initializing...
Boot configured 32Mb of RAM.
...
Loading image ..........
Verifying image checksum ...........
Active image loaded and verified...
Starting loaded image...
Starting power-up diagnostics...
...
pSH+ Copyright (c) Integrated Systems, Inc., 1992.
Cisco Systems, Inc./VPN 3000 Concentrator Version 4.1.7.A Oct 18 2004 18:51:42
Features:
Initializing VPN 3000 Concentrator ...
Waiting for CAPI initialization to complete...
Initialization Complete...Waiting for Network...

Login:

Otherwise, you can access the CLI remotely via Telnet or SSH.

Initial Configuration

When you boot up the concentrator for the first time, you'll need to use a username of admin and a password of admin to log in to the concentrator at the Login: prompt. At this point, the concentrator will lead you through a quick-configuration mode script to put a base configuration on it. Typically, I answer only enough questions to put an IP address on the private interface; once this is done, I stop the quick configuration script from the CLI and proceed to using the GUI with a web browser. Example 6-2 displays how to answer enough questions for the quick configuration process to put an IP address on the concentrator's private interface:

Example 6-2. Concentrator CLI Partial Quick Configuration Process

Login: admin
Password: admin
Welcome to
Cisco Systems
VPN 3000 Concentrator Series
Command Line Interface
Copyright © 1998-2004 Cisco Systems, Inc.

-- : Set the time on your device. The correct time is very important,
-- : so that logging and accounting entries are accurate.
-- : Enter the system time in the following format:
-- : HH:MM:SS. Example 21:30:00 for 9:30 PM

> Time
Quick -> [ 10:25:46 ] 10:27:00

-- : Enter the date in the following format.
-- : MM/DD/YYYY Example 06/12/1999 for June 12th 1999.

> Date
Quick -> [ 11/11/2004 ]

-- : Set the time zone on your device. The correct time zone is very
-- : important so that logging and accounting entries are accurate.
-- : Enter the time zone using the hour offset from GMT:
-- : -12 : Kwajalein  -11 : Samoa     -10 : Hawaii       -9 : Alaska
-- :  -8 : PST         -7 : MST        -6 : CST          -5 : EST
-- :  -4 : Atlantic    -3 : Brasilia   -3.5 : Newfoundland -1 : Mid-Atlantic
-- :  -1 : Azores       0 : GMT        +1 : Paris        +2 : Cairo
-- :  +3 : Kuwait     +3.5 : Tehran    +4 : Abu Dhabi  +4.5 : Kabul
-- :  +5 : Karachi    +5.5 : Calcutta  +5.75 : Kathmandu +6 : Almaty
-- : +6.5 : Rangoon    +7 : Bangkok    +8 : Singapore    +9 : Tokyo
-- : +9.5 : Adelaide  +10 : Sydney    +11 : Solomon Is. +12 : Marshall Is.

> Time Zone
Quick -> [ 0] -5

1) Enable Daylight Savings Time Support
2) Disable Daylight Savings Time Support

Quick -> [ 1 ]

This table shows current IP addresses.

Intf       Status          IP Address/Subnet Mask   MAC Address
-------------------------------------------------------------------------------
Ether1-Pri|Not Configured| 0.0.0.0/0.0.0.0        |
Ether2-Pub|Not Configured| 0.0.0.0/0.0.0.0        |
-------------------------------------------------------------------------------
DNS Server(s): DNS Server Not Configured
DNS Domain Name:
Default Gateway: Default Gateway Not Configured

** An address is required for the private interface. **

> Enter IP Address
Quick Ethernet 1 -> [ 0.0.0.0 ] 192.168.101.99

Waiting for Network Initialization...

> Enter Subnet Mask
Quick Ethernet 1 -> [ 255.255.255.0 ]

1) Ethernet Speed 10 Mbps
2) Ethernet Speed 100 Mbps
3) Ethernet Speed 10/100 Mbps Auto Detect

Quick Ethernet 1 -> [ 3 ]

1) Enter Duplex - Half/Full/Auto
2) Enter Duplex - Full Duplex
3) Enter Duplex - Half Duplex

Quick Ethernet 1 -> [ 1 ]

> MTU (68 - 1500)
Quick Ethernet 1 -> [ 1500 ]

1) Modify Ethernet 1 IP Address (Private)
2) Modify Ethernet 2 IP Address (Public)
3) Save changes to Config file
4) Continue
5) Exit

Quick -> 3

1) Modify Ethernet 1 IP Address (Private)
2) Modify Ethernet 2 IP Address (Public)
3) Save changes to Config file
4) Continue
5) Exit

Quick -> 5

Done

Login:

In this example, I first logged in to the admin account. During the quick configuration process, many of the parameters have default values listed in brackets ("[ ]"). To accept a default value, just press ENTER on a blank line. In this example, I changed the time, the time zone offset, and the IP address on the private interface. At this point I saved the configuration and then exited the quick configuration script. From this point, I can use a web browser to manage the concentrator.

Note

Please note that when you make changes to a concentrator, they are not automatically saved to Flash memory. You must manually save your changes; however, when you do make a change, it immediately becomes active in the concentrator's RAM.

CLI Menu Access

From this point onward, if you log in to the concentrator to access the CLI, you will see a menu like that in Example 6-3:

Example 6-3. CLI Main Menu

1) Configuration
2) Administration
3) Monitoring
4) Save changes to Config file
5) Help Information
6) Exit

Main ->

Within any menu option, you can enter the letter "h" to take you back to the main menu. This option does not work when you are prompted to enter a value for a concentrator configuration parameter.
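As an added example (my own code, not from the book or from Cisco), the following Python driver answers the quick-configuration prompts of Example 6-2 over a console connection, so that the same minimal initial configuration can be applied to several concentrators without typing it by hand; the step table, the ConsoleDriver and the FakeConsole stand-in are all constructed for this example, and the answers (the time, the -5 offset, 192.168.101.99) are simply the values used in Example 6-2. On a real device, pass an object with read() and write() such as a pySerial port opened on the console line with a read timeout, so that a hung device surfaces as an error rather than a silent wait.

```python
import re

# Quick-configuration prompts from Example 6-2, in order, each with the answer to send;
# an empty answer sends a blank line, accepting the bracketed default. The values are
# constructed for this example: substitute your own time zone and private addressing.
QUICK_CONFIG_STEPS = [
    (r"> Time\s+Quick -> \[[^\]]*\] ", "10:27:00"),
    (r"> Date\s+Quick -> \[[^\]]*\] ", ""),
    (r"> Time Zone\s+Quick -> \[[^\]]*\] ", "-5"),
    (r"Daylight Savings Time Support\s+Quick -> \[[^\]]*\] ", ""),
    (r"> Enter IP Address\s+Quick Ethernet 1 -> \[[^\]]*\] ", "192.168.101.99"),
    (r"> Enter Subnet Mask\s+Quick Ethernet 1 -> \[[^\]]*\] ", ""),
    (r"Auto Detect\s+Quick Ethernet 1 -> \[[^\]]*\] ", ""),
    (r"Half Duplex\s+Quick Ethernet 1 -> \[[^\]]*\] ", ""),
    (r"> MTU \(68 - 1500\)\s+Quick Ethernet 1 -> \[[^\]]*\] ", ""),
    (r"5\) Exit\s+Quick -> ", "3"),  # 3 = save changes to the config file in Flash
    (r"5\) Exit\s+Quick -> ", "5"),  # 5 = exit; the rest is done from the web GUI
]

class ConsoleDriver:
    """Minimal expect/send loop over any port object offering read(n) and write(bytes)."""
    def __init__(self, port):
        self.port, self.buf, self.sent = port, "", []
    def expect(self, pattern):
        """Read until the prompt appears; fail loudly if the device disconnects, times
        out, or shows a different prompt sequence (another software release, say)."""
        regex = re.compile(pattern)
        while not (match := regex.search(self.buf)):
            chunk = self.port.read(256)
            if not chunk:
                raise EOFError(f"console ended before prompt {pattern!r}: {self.buf!r}")
            self.buf += chunk.decode("ascii", "replace")
        self.buf = self.buf[match.end():]  # consume everything through the prompt
        return match.group(0)
    def send(self, line):
        self.sent.append(line)
        self.port.write((line + "\r").encode("ascii"))

def run_quick_config(port, password="admin"):
    """Log in as admin and answer the quick-configuration script; returns the answers sent."""
    drv = ConsoleDriver(port)
    for prompt, answer in [(r"Login: ", "admin"), (r"Password: ", password)] + QUICK_CONFIG_STEPS:
        drv.expect(prompt)
        drv.send(answer)
    drv.expect(r"Done\s+Login: ")  # back at the login prompt: the script has finished
    return drv.sent

class FakeConsole:
    """Constructed stand-in for the console port that replays Example 6-2's prompts."""
    MENU = "3) Save changes to Config file\n5) Exit\nQuick -> "
    SCRIPT = ["Login: ", "Password: ", "> Time\nQuick -> [ 10:25:46 ] ",
              "> Date\nQuick -> [ 11/11/2004 ] ", "> Time Zone\nQuick -> [ 0] ",
              "2) Disable Daylight Savings Time Support\nQuick -> [ 1 ] ",
              "> Enter IP Address\nQuick Ethernet 1 -> [ 0.0.0.0 ] ",
              "> Enter Subnet Mask\nQuick Ethernet 1 -> [ 255.255.255.0 ] ",
              "3) Ethernet Speed 10/100 Mbps Auto Detect\nQuick Ethernet 1 -> [ 3 ] ",
              "3) Enter Duplex - Half Duplex\nQuick Ethernet 1 -> [ 1 ] ",
              "> MTU (68 - 1500)\nQuick Ethernet 1 -> [ 1500 ] ", MENU, MENU, "Done\nLogin: "]
    def __init__(self):
        self.step, self.pending = 0, self.SCRIPT[0].encode()
    def read(self, n):
        out, self.pending = self.pending[:n], self.pending[n:]
        return out
    def write(self, data):  # each answer line advances the script to its next prompt
        self.step += 1
        if self.step < len(self.SCRIPT):
            self.pending += self.SCRIPT[self.step].encode()
```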
Password Recovery

Typically, the only time you would access the concentrator's CLI after putting an initial configuration on it would be for:
To perform the password recovery procedure, you need to use the console port of the concentrator (this is true of any Cisco product). To do so, reboot the concentrator and when you see the message "Starting power-up diagnostics ...", press CNTRL-c or send a break signal, depending on your terminal emulation program. You'll see the output shown in Example 6-4.

Example 6-4. Password Recovery Procedure

Boot-ROM Initializing...
Boot configured 32Mb of RAM.
...
Loading image ..........
Verifying image checksum ...........
Active image loaded and verified...
Starting loaded image...
Starting power-up diagnostics...
...
CNTRL-C
Main Menu Options
-----------------
1 - Reset Administrator Accounts
Q - Quit Main Menu
Choose Option 1 to reset the password for the administrator accounts.

Note

The administrator accounts (names and passwords) are not stored in the concentrator's configuration file in Flash memory; instead, these are stored in NVRAM. The only way to reset these is to use the procedure in Example 6-4. Also, if you have an Altiga concentrator running an earlier version than 2.5.1, you'll have to contact TAC to get instructions for the password recovery process.

Graphical User Interface

After you have configured an IP address on the concentrator's private interface, you can access it from your desktop using a web browser. One component of the GUI, the Live Event Log, uses Java, and therefore your browser should have Java enabled; otherwise, there's no real restriction on the brand of browser that you want to use. Throughout this book, I'll be using Internet Explorer 6.0 with SP1. Also, the concentrator I'm using is a 3005 running 4.1.7A and the first release of 4.7. In the following sections, I explain:
HTTP Access

To gain access to the concentrator's private interface, in your web browser's address text box, enter:

http://private_IP_address_of_concentrator

When you do this, you should see a login screen like that in Figure 6-4. Enter a user name and password to log in to the concentrator.

Figure 6-4. Concentrator Login Screen
Quick Configuration

If you didn't complete quick configuration from the CLI, the first time you log in to the concentrator via the admin account, you'll see the screen shown in Figure 6-5. From here, you can continue the quick configuration process or abort it and go to the concentrator's main menu.

Figure 6-5. Quick Configuration: Start
Figure 6-6 shows the first quick configuration screen. From this screen you can see the configuration and statuses of the interfaces on the concentrator. This example shows a 3005 concentrator (only two interfaces). To change the configuration on an interface, click the name of the interface under the "Interface" column.

Figure 6-6. Quick Configuration: Interfaces
When I clicked the name of the concentrator's public interface in Figure 6-6, my screen then resembled Figure 6-7 (it will look slightly different in 4.7). For the public interface, you can specify that the interface acquires its IP address from a DHCP server (directly connected to a cable modem, for example) or statically configure it. I've chosen the latter option in this example.

Figure 6-7. Quick Configuration: Public Interface
Below the addressing section, you can define a filter for the interface. There are already some default filters defined on the concentrator, including one for the public interface, which is currently applied to that interface. Filters function like ACLs on Cisco routers or PIX or ASA security appliances: they're simple packet filters. The public filter already allows for VPN connections. You can also change the speed, duplexing, and MTU frame size. When you are done, click the "Apply" button; this will take you back to the screen in Figure 6-6.

Note

If you remove the filter from the public interface, you will no longer be able to terminate VPN sessions on this interface. This is a security feature developed by Cisco. Likewise, I highly recommend that if you'll be using a default filter for an interface, you go in and remove any unnecessary rules that allow traffic that you don't want: for example, if you're not using PPTP, then remove the associated rules from your public and other filters.

From the screen in Figure 6-7, you can click the "Continue" button. You are then taken to the screen shown in Figure 6-8. In the "System Name" field, enter the name of the concentrator. Below this you can change the date, time, and daylight saving time configuration. Below these parameters, you can enter a primary DNS server, a domain name, and a default gateway address for the concentrator; this is typically a next-hop address off of the public interface. If your concentrator is a DHCP client, the concentrator will learn this when acquiring its address information.

Figure 6-8. Quick Configuration: System Information
Note

If you'll be using certificates, your concentrator needs a system name and domain name; these two parameters are fed into the RSA algorithm to generate a public/private key pair. If you don't define these values here, you can define them from the concentrator's main menu system.

You can click the "Continue" button to continue to the next screen, which is shown in Figure 6-9. Figure 6-9 allows you to select which remote access tunneling protocols will be enabled for your users. By default all protocols are enabled; however, you can selectively disable ones you don't want or need. Please note that you can enable or disable these protocols for remote access from the main configuration screens of the concentrator. However, if you know that your remote access users will be using only one tunneling protocol, such as IPsec, you can disable the rest, forcing your users to use the one you selected. You can always override this setting on a group-by-group basis.

Figure 6-9. Quick Configuration: Tunneling Protocols
Note

You cannot add site-to-site connections from quick configuration; you must use the concentrator's main configuration screens to do this.

Click the "Continue" button to continue to the next screen, which is the address assignment screen (shown in Figure 6-10). This screen lets you define how users will be assigned their addresses (such as the internal address for IPsec). Your options include the following:
Figure 6-10. Quick Configuration: Address Assignment
Note

My personal preference is not to assign a global pool, but to have different pools for each group of remote access users; for example, one for marketing, one for programmers, and one for engineers. By using this approach, it is easier to implement filtering policies on Layer-3 addressing information. The concentrators give you this ability from the group area of the configuration section from the main access page, but not from quick configuration.

You can click the "Continue" button to continue to the next screen, shown in Figure 6-11. This is the authentication screen. This screen defines how remote access clients will be authenticated. You have the following options to choose from to determine where the user's login credentials are stored:
Figure 6-11. Quick Configuration: Authentication
In this example, I left the "Server Type" parameter as the default: Internal Server. If you chose an external authentication method, you'd need to specify access parameters for the server. For example, if you chose RADIUS, you'd enter information such as the RADIUS server's IP address and the key used to encrypt passwords in the payload of RADIUS messages; for NT Domain, you'd enter the IP address and name of the domain controller; for Kerberos/Active Directory, you'd enter the IP address and realm of the AD server; and for SDI, you'd enter the IP address and version number of the SDI server.

Note

The VPN 3000 concentrators support a maximum combination of 1,000 users and groups defined locally on the concentrator (this number varies by platform). Therefore, to get the maximum number of supported users on the 3030, 3060, and 3080 concentrators, you'll need to define the users on an external authentication server and have the concentrator look up the user's access credentials on the external server. The goal of Cisco is to encourage people to use external authentication servers for large, scalable deployments. Plus, if you use one of the Windows options, this can serve as a single login process to the Windows network and to the concentrator for remote access. Most non-Windows-centric companies typically use an AAA RADIUS server such as Cisco Secure Access Control Server (CSACS). Cisco also allows you to use different authentication methods on a group-by-group basis.

You can click the "Continue" button to continue to the next screen, which is shown in Figure 6-12. This is the IPsec group screen. Here you can add a remote access group for IPsec, along with its pre-shared key. This isn't necessary, though, since you cannot configure the properties of the group here. Therefore, you can skip this step and perform it later from the main configuration screens.

Figure 6-12. Quick Configuration: IPsec Group
Note

In 4.0 and earlier versions, quick configuration would prompt you to add remote access users before the IPsec group screen; however, this process had a downside: the users were not associated with the group you added during quick configuration, but with the global group. In 4.1, there is no option in quick configuration to add users; this must be done from the main configuration screens.

You can click the "Continue" button to continue to the next screen, shown in Figure 6-13. This is the WebVPN screen, which is new for quick configuration in 4.1. You'll only see this screen if you selected the "WebVPN" check box on the screen in Figure 6-9. Here you specify the types of proxies the concentrator will perform. I only selected HTTPS proxying; if you select one of the others, you'll need to specify the e-mail server the concentrator is proxying for.

Figure 6-13. Quick Configuration: WebVPN
Click the "Continue" button to continue to the next screen, shown in Figure 6-14. This is the WebVPN home page screen. The information you enter on this screen will be shown to the users after they authenticate via WebVPN (SSL). At the top you can enter a title and a login banner. Below this, you can enter up to four hyperlinks that will appear on this page. Optionally, you can have a URL text box appear on the WebVPN access page that allows users to enter their own URLs; select the check box at the bottom for this option. Again, you'll only see this screen if you selected the "WebVPN" check box on the screen in Figure 6-9.

Figure 6-14. Quick Configuration: WebVPN Home Page
Click the "Continue" button to continue to the next screen, shown in Figure 6-15. This last screen of the quick configuration process allows you to change the password for the admin account. I highly stress that you should change the password to something different from "admin." Once you are done, you can click the "Continue" button. This will take you to the main access screen of the concentrator. If you need to change something, click the "Back" button at the bottom to go back one screen at a time. By default, your configuration is not saved when you leave quick configuration; you'll need to do this manually. I discuss this process in the next section.

Figure 6-15. Quick Configuration: Administrator Password
Caution

Cisco does not require you to change the password for the admin account; however, I highly stress, again, the importance of changing this password as soon as possible, since this account and password are commonly found in password cracking programs.

Note

Quick configuration occurs only once on the concentrators; after you go through it, you must use the main configuration screens to make any additions, modifications, or deletions to your configuration. Please note that quick configuration only puts a very minimal configuration on the concentrator; there are a lot of other things you'll still need to configure on your concentrator.

Main Menu

After completing quick configuration, or every time after this process when logging in to the concentrator, you'll be taken to the screen shown in Figure 6-16.

Figure 6-16. Concentrator's Main Access Page
The screen in Figure 6-16 is broken into three sections:
At the top of the page there are four hyperlinks:
This information also appears in the middle of the main page.

Tip

I highly recommend that you log out of the concentrator gracefully by clicking the Logout hyperlink. I've experienced a bug in a couple of older releases of the concentrator software where if you closed down the web browser window without logging out, the concentrator assumed you were still logged in. There is a limit of five administrative login sessions allowed; once this limit is reached, no more login sessions are permitted. The only way to fix this was to log in via the console and remove the ghost sessions or reboot the concentrator.

Below the first row of hyperlinks you can see which account you're using to log in to the concentrator. In this example it's "admin." And below this is a second row of hyperlinks. These will take you to the three main areas of the concentrator:
You'll notice that this information appears three times on the screen: at the top, at the left-hand side, and in the middle of the page. The left side is an expandable selector of concentrator access options: by clicking a particular hyperlink, like "Configuration," you'll see the configuration options expand below this. They'll also appear in the middle of the window. Figure 6-17 shows an example of this where I clicked "Configuration" on the left-hand side of the screen. You see options below this and the same options listed in the middle window.

Figure 6-17. Concentrator's Main Access Page: Left Side Expandable Options
The middle window is where you change configuration options and parameters. At the top is a light-blue shaded bar. This bar tells you what you clicked to get this screen. In Figure 6-17, it displays "Configuration," denoting that I clicked "Configuration" from a previous screen. I like to refer to this bar as the "locator" bar. How information appears in the middle of the screen is different from screen to screen. The last part of the main access screen I want to discuss is the icons you might see appearing below the locator bar in the upper right-hand corner. The bottom of Figure 6-16 gives a description of these icons:
Note

Remember that the concentrator does not automatically save its configuration file to Flash memory; you must do this by clicking the Save Needed icon, which looks like a blue floppy diskette. This icon will not appear on Monitoring screens.