
Table Of Contents

Preface

Purpose

Audience

Organization

Where to Get the Latest Version of This Guide

Related Documentation

Conventions

Obtaining Documentation

Cisco.com

Documentation CD-ROM

Ordering Documentation

Documentation Feedback

Obtaining Technical Assistance

Cisco.com

Technical Assistance Center

Obtaining Additional Publications and Information


Preface


This preface describes the purpose, objectives, audience, organization, and conventions of the Cisco IOS Enterprise VPN Configuration Guide and includes the following sections:

Purpose

Audience

Organization

Where to Get the Latest Version of This Guide

Related Documentation

Conventions

Obtaining Documentation

Obtaining Technical Assistance

Obtaining Additional Publications and Information

Purpose

This software configuration guide explains the basic considerations and tasks necessary to configure IP-based, multiservice site-to-site, and remote access Virtual Private Networks (VPNs) on your Cisco 7100 series router. VPNs integrate security and quality of service (QoS) through network technologies such as Generic Routing Encapsulation (GRE) and IP Security Protocol (IPSec) tunneling, and high-speed encryption to ensure private transactions over public data networks. This guide does not cover every available feature; it is not intended to be a comprehensive VPN configuration guide. Instead, this guide simply explains the basic tasks necessary to configure site-to-site and remote access VPNs on your Cisco 7100 series router.


Note For detailed information on configuring client-initiated and network access server (NAS)-initiated access VPNs using the L2F tunneling protocol, refer to the Access VPN Solutions Using Tunneling Technology publication. If you are a registered Cisco user, you can access the Access VPNs and IP Security Protocol Tunneling Technology publication.


The intranet, extranet, and remote access business scenarios introduced in this guide include specific tasks and configuration examples. The examples are the recommended methods for configuring the specified tasks. Although they are typically the easiest or the most straightforward method, they are not the only methods of configuring the tasks. If you know of another configuration method not presented in this guide, you can use it.

The network design considerations discussed in this guide consist of known factors that hinder or optimize network performance. The considerations are not solid rules, but rather suggestions and discussions that might be helpful in designing your VPN.


Note Use this guide after you install, power up, and initially configure your Cisco VPN gateway for network connectivity. For instructions on how to install, power up, and initially configure your Cisco VPN gateway, refer to the Installation and Configuration Guide that shipped with your VPN gateway.


Audience

This software configuration guide is intended primarily for the following audiences:

System administrators who are responsible for installing and configuring internetworking equipment, who are familiar with the fundamentals of router-based internetworking, and who are familiar with Cisco IOS software and Cisco products

System administrators who are familiar with the fundamentals of router-based internetworking and who are responsible for installing and configuring internetworking equipment, but who might not be familiar with the specifics of Cisco products or the routing protocols supported by Cisco products

Customers with technical networking background and experience

Organization

The major sections of this guide follow:

Chapter  Title                                             Description
1        Using Cisco IOS Software                          Provides helpful tips for understanding and configuring Cisco IOS software using the command-line interface (CLI).
2        Network Design Considerations                     Provides an overview of the assumptions this guide makes, items you should consider to optimize performance on your Cisco VPN gateway, and a discussion of headend failover.
3        Site-to-Site and Extranet VPN Business Scenarios  Explains the basic tasks for configuring a site-to-site or extranet VPN on a Cisco VPN gateway using GRE or IPSec as the tunneling protocol.
4        Remote Access VPN Business Scenarios              Explains the basic tasks for configuring a remote access VPN on a Cisco VPN gateway and discusses client software, considerations, and configurations.
5        VPN Network Management Tools                      Provides an overview of Cisco network management software, and IPSec with MIB.


Where to Get the Latest Version of This Guide

The hard copy of this guide is updated at major releases only and does not always contain the latest material for enhancements occurring between major releases. You are shipped separate release notes or configuration notes for spares, hardware, and software enhancements occurring between major releases.

The online copy of this guide is always up-to-date and integrates the latest enhancements to the product.


Note For information on accessing Cisco documentation, see the "Obtaining Documentation" section.


Related Documentation

Your Cisco gateway and the Cisco IOS software running on it contain extensive features and functionality, which are documented in the following resources:

For Cisco VPN gateway hardware installation and initial software configuration information, refer to the following publications:

The Quick Start Guide that shipped with your Cisco VPN gateway

The Installation and Configuration Guide for your VPN gateway model

For international agency compliance, safety, and statutory information for WAN interfaces for Cisco VPN gateways, refer to the Regulatory Compliance and Safety Information publication for your VPN gateway model.

For information on installing and replacing field-replaceable units (FRUs), refer to the Installing field-replaceable units publication for your VPN gateway model.

For information on using the Flash Disk, refer to the Using the Flash Disk publication for your VPN gateway model.

For information on installing and replacing the integrated service module (ISM), refer to the integrated service adapter and integrated service module installation and configuration publication for your VPN gateway model.

For information on installing and replacing the VPN Acceleration Module (VAM), refer to the VAM installation and configuration publication for your VPN gateway model.

For information on the port adapter installed in the gateway, refer to the individual installation and configuration notes that ship with each port adapter. For example, if you ordered a PA-4E Ethernet port adapter, the PA-4E Ethernet 10BaseT Port Adapter Installation and Configuration note is the reference document.

For configuration information and support, refer to the modular configuration and modular command reference publications in the Cisco IOS software configuration documentation set that corresponds to the software release installed on your Cisco hardware. Access these documents at: http://www.cisco.com/en/US/products/sw/iosswrel/index.html.


Note Select translated documentation is available at http://www.cisco.com/ by selecting the topic "Select a Location / Language" at the top of the page.


To determine the minimum Cisco IOS software requirements for your router, Cisco maintains the Software Advisor tool on Cisco.com. This tool does not verify whether modules within a system are compatible, but it does provide the minimum IOS requirements for individual hardware modules or components. Registered Cisco Direct users can access the Software Advisor at: http://www.cisco.com/cgi-bin/Support/CompNav/Index.pl.

For detailed information on configuring access VPNs using the L2F tunneling protocol, refer to the Access VPN Solutions Using Tunneling Technology publication.

For information on Cisco Secure VPN Client software, refer to the Cisco Secure VPN Client Solutions Guide publication.

For information on interfaces, refer to the Cisco IOS Interface Configuration Guide and the Cisco IOS Interface Command Reference publications:

Cisco IOS Interface Configuration Guide, Release 12.2

Cisco IOS Interface Command Reference, Release 12.2

Cisco IOS Interface Configuration Guide, Release 12.1

Cisco IOS Interface Command Reference, Release 12.1

Cisco IOS Release 12.0 Interface Command Reference

For information on IP, refer to the Network Protocols Configuration Guide, Part 1 and the Network Protocols Command Reference, Part 1 publications.

For quality of service (QoS):

Cisco IOS Quality of Service Solutions Configuration Guide, Release 12.2

Cisco IOS Quality of Service Solutions Command Reference, Release 12.2

Cisco IOS Quality of Service Solutions Configuration Guide, Release 12.1

Cisco IOS Quality of Service Solutions Command Reference, Release 12.1

Cisco IOS Release 12.0 Quality of Service Solutions Configuration Guide

Cisco IOS Release 12.0 Quality of Service Solutions Command Reference

For IP security and encryption:

Cisco IOS Security Configuration Guide, Release 12.2

Cisco IOS Security Command Reference, Release 12.2

Cisco IOS Security Configuration Guide, Release 12.1

Cisco IOS Security Command Reference, Release 12.1

Cisco IOS Release 12.0 Security Configuration Guide

Cisco IOS Release 12.0 Security Command Reference

For FIPS 140 Security documents

For the VPN Device Manager documents

You can also refer to the Cisco IOS software release notes for the version of software you are using on your hardware.

If you're a registered Cisco Direct Customer, you can access the following tools:

Tools, Maintenance, and Troubleshooting Tips for Cisco IOS Software for Cisco IOS Release 12.0

Tools, Maintenance, and Troubleshooting Tips for Cisco IOS Software for Cisco IOS Release 12.1

Tools, Maintenance, and Troubleshooting Tips for Cisco IOS Software for Cisco IOS Release 12.2

Bug Toolkit

Bug Navigator

Feature Navigator

Output Interpreter

Cisco IOS Error Message Decoder

Cisco Dynamic Configuration Tool

MIB Locator

Additional tools include:

Tools Index

Cisco IOS Software Selector Tool

For information on network management applications, refer to the "Network Management Considerations" section on page 2-16 of Chapter 2, "Network Design Considerations" and the network management product documentation on Cisco.com and the Documentation CD-ROM.

To view Cisco documentation or obtain general information about the documentation, see the "Obtaining Documentation" and "Obtaining Technical Assistance" sections, or call customer service at 800 553-6387 or 408 526-7208. Customer service hours are 5:00 a.m. to 6:00 p.m. Pacific time, Monday through Friday (excluding Cisco-observed holidays). You can also send e-mail to cs-rep@cisco.com.


Note For information on accessing Cisco documentation, see the "Obtaining Documentation" section.



Note We no longer ship the entire router documentation set automatically with each system. You must specifically order the documentation as part of the sales order. If you ordered documentation and did not receive it, we will ship the documents to you within 24 hours. To order documents, contact a customer service representative.


Conventions

Command descriptions use the following conventions:

Convention            Description
boldface font         Commands and keywords are in boldface.
italic font           Arguments for which you supply values are in italics.
[   ]                 Elements in square brackets are optional.
{x | y | z}           Alternative keywords are grouped in braces and separated by vertical bars.
[x | y | z]           Optional alternative keywords are grouped in brackets and separated by vertical bars.
string                A nonquoted set of characters. Do not use quotation marks around the string or the string will include the quotation marks.
screen font           Terminal sessions and information the system displays are in screen font.
boldface screen font  Information you must enter is in boldface screen font.
italic screen font    Arguments for which you supply values are in italic screen font.
                      This pointer highlights an important line of text in an example.
^                     The symbol ^ represents the key labeled Control; for example, the key combination ^D in a screen display means hold down the Control key while you press the D key.
<   >                 Nonprinting characters, such as passwords, are in angle brackets.
[   ]                 Default responses to system prompts are in square brackets.
!, #                  An exclamation point ( ! ) or a pound sign ( # ) at the beginning of a line of code indicates a comment line.



Note Means reader take note. Notes contain helpful suggestions or references to material not covered in the publication.


Obtaining Documentation

Cisco provides several ways to obtain documentation, technical assistance, and other technical resources. These sections explain how to obtain technical information from Cisco Systems.

Cisco.com

You can access the most current Cisco documentation on the World Wide Web at this URL:

http://www.cisco.com/univercd/home/home.htm

You can access the Cisco website at this URL:

http://www.cisco.com

International Cisco web sites can be accessed from this URL:

http://www.cisco.com/public/countries_languages.shtml

Documentation CD-ROM

Cisco documentation and additional literature are available in a Cisco Documentation CD-ROM package, which may have shipped with your product. The Documentation CD-ROM is updated monthly and may be more current than printed documentation. The CD-ROM package is available as a single unit or through an annual subscription.

Registered Cisco.com users can order the Documentation CD-ROM (product number DOC-CONDOCCD=) through the online Subscription Store:

http://www.cisco.com/go/subscription

Ordering Documentation

You can find instructions for ordering documentation at this URL:

http://www.cisco.com/univercd/cc/td/doc/es_inpck/pdi.htm

You can order Cisco documentation in these ways:

Registered Cisco.com users (Cisco direct customers) can order Cisco product documentation from the Networking Products MarketPlace:

http://www.cisco.com/en/US/partner/ordering/index.shtml

Registered Cisco.com users can order the Documentation CD-ROM (Customer Order Number DOC-CONDOCCD=) through the online Subscription Store:

http://www.cisco.com/go/subscription

Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco Systems Corporate Headquarters (California, U.S.A.) at 408 526-7208 or, elsewhere in North America, by calling 800 553-NETS (6387).

Documentation Feedback

You can submit comments electronically on Cisco.com. On the Cisco Documentation home page, click Feedback at the top of the page.

You can e-mail your comments to bug-doc@cisco.com.

You can submit your comments by mail by using the response card behind the front cover of your document or by writing to the following address:

Cisco Systems
Attn: Customer Document Ordering
170 West Tasman Drive
San Jose, CA 95134-9883

We appreciate your comments.

Obtaining Technical Assistance

Cisco provides Cisco.com, which includes the Cisco Technical Assistance Center (TAC) Website, as a starting point for all technical assistance. Customers and partners can obtain online documentation, troubleshooting tips, and sample configurations from the Cisco TAC website. Cisco.com registered users have complete access to the technical support resources on the Cisco TAC website, including TAC tools and utilities.

Cisco.com

Cisco.com offers a suite of interactive, networked services that let you access Cisco information, networking solutions, services, programs, and resources at any time, from anywhere in the world.

Cisco.com provides a broad range of features and services to help you with these tasks:

Streamline business processes and improve productivity

Resolve technical issues with online support

Download and test software packages

Order Cisco learning materials and merchandise

Register for online skill assessment, training, and certification programs

To obtain customized information and service, you can self-register on Cisco.com at this URL:

http://www.cisco.com

Technical Assistance Center

The Cisco TAC is available to all customers who need technical assistance with a Cisco product, technology, or solution. Two levels of support are available: the Cisco TAC website and the Cisco TAC Escalation Center. The avenue of support that you choose depends on the priority of the problem and the conditions stated in service contracts, when applicable.

We categorize Cisco TAC inquiries according to urgency:

Priority level 4 (P4)—You need information or assistance concerning Cisco product capabilities, product installation, or basic product configuration.

Priority level 3 (P3)—Your network performance is degraded. Network functionality is noticeably impaired, but most business operations continue.

Priority level 2 (P2)—Your production network is severely degraded, affecting significant aspects of business operations. No workaround is available.

Priority level 1 (P1)—Your production network is down, and a critical impact to business operations will occur if service is not restored quickly. No workaround is available.

Cisco TAC Website

You can use the Cisco TAC website to resolve P3 and P4 issues yourself, saving both cost and time. The site provides around-the-clock access to online tools, knowledge bases, and software. To access the Cisco TAC website, go to this URL:

http://www.cisco.com/tac

All customers, partners, and resellers who have a valid Cisco service contract have complete access to the technical support resources on the Cisco TAC website. Some services on the Cisco TAC website require a Cisco.com login ID and password. If you have a valid service contract but do not have a login ID or password, go to this URL to register:

http://tools.cisco.com/RPF/register/register.do

If you are a Cisco.com registered user, and you cannot resolve your technical issues by using the Cisco TAC website, you can open a case online at this URL:

http://www.cisco.com/en/US/support/index.html

If you have Internet access, we recommend that you open P3 and P4 cases through the Cisco TAC website so that you can describe the situation in your own words and attach any necessary files.

Cisco TAC Escalation Center

The Cisco TAC Escalation Center addresses priority level 1 or priority level 2 issues. These classifications are assigned when severe network degradation significantly impacts business operations. When you contact the TAC Escalation Center with a P1 or P2 problem, a Cisco TAC engineer automatically opens a case.

To obtain a directory of toll-free Cisco TAC telephone numbers for your country, go to this URL:

http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml

Before calling, please check with your network operations center to determine the level of Cisco support services to which your company is entitled: for example, SMARTnet, SMARTnet Onsite, or Network Supported Accounts (NSA). When you call the center, please have available your service agreement number and your product serial number.

Obtaining Additional Publications and Information

Information about Cisco products, technologies, and network solutions is available from various online and printed sources.

The Cisco Product Catalog describes the networking products offered by Cisco Systems as well as ordering and customer support services. Access the Cisco Product Catalog at this URL:

http://www.cisco.com/en/US/products/products_catalog_links_launch.html

Cisco Press publishes a wide range of networking publications. Cisco suggests these titles for new and experienced users: Internetworking Terms and Acronyms Dictionary, Internetworking Technology Handbook, Internetworking Troubleshooting Guide, and the Internetworking Design Guide. For current Cisco Press titles and other information, go to Cisco Press online at this URL:

http://www.ciscopress.com

Packet magazine is the Cisco monthly periodical that provides industry professionals with the latest information about the field of networking. You can access Packet magazine at this URL:

http://www.cisco.com/en/US/about/ac123/ac114/about_cisco_packet_magazine.html

iQ Magazine is the Cisco monthly periodical that provides business leaders and decision makers with the latest information about the networking industry. You can access iQ Magazine at this URL:

http://business.cisco.com/prod/tree.taf%3fasset_id=44699&public_view=true&kbns=1.html

Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering professionals involved in the design, development, and operation of public and private internets and intranets. You can access the Internet Protocol Journal at this URL:

http://www.cisco.com/en/US/about/ac123/ac147/about_cisco_the_internet_protocol_journal.html

Training—Cisco offers world-class networking training, with current offerings in network training listed at this URL:

http://www.cisco.com/en/US/learning/le31/learning_recommended_training_list.html



Posted: Mon Dec 20 09:18:02 PST 2004
All contents are Copyright © 1992--2004 Cisco Systems, Inc. All rights reserved.