The VPN 3000 Concentrator Series Command-Line Interface (CLI) is a menu- and command-line-based configuration, administration, and monitoring system built into the VPN Concentrator. You use it via the system console, an SSH session, or Telnet (including SSL Telnet).
You can use the CLI to completely manage the system. You can access and configure the same parameters as the HTML-based VPN 3000 Concentrator Series Manager, except for IPSec LAN-to-LAN configuration.
Note Certificate upload is available only via SSH.
This chapter describes general features of the CLI and how to access and use it. It does not describe the individual menu items and parameter entries. For information on specific parameters and options, see the corresponding section of the VPN Concentrator Manager in the VPN 3000 Series Concentrator Reference. For example, to understand Ethernet interface configuration parameters and choices, see Configuration | Interfaces | Ethernet 1 2 3 in the "Interfaces" chapter of VPN 3000 Series Concentrator Reference Volume I: Configuration.
Accessing the CLI
You can access the CLI in three ways:
Via the system console.
Via a Telnet (or Telnet over SSL) client.
Via SSH.
Console access
To access the CLI via console:
Step 1 Connect a PC to the VPN Concentrator via a straight-through RS-232 serial cable (which Cisco supplies with the system) between the Console port on the VPN Concentrator and the serial port on the PC. For more information, see the VPN Concentrator Getting Started manual.
Step 2 Start a terminal emulator (e.g., HyperTerminal) on the PC. Configure a connection to COM1 with port settings of:
Bits per second = 9600.
Data bits= 8.
Parity = None.
Stop bit = 1.
Flow control = None.
Step 3 Set the emulator for VT100 emulation, or let it auto-detect the emulation type.
Step 4 Press Enter on the PC keyboard until you see the login prompt. (You might see a password prompt and error messages as you press Enter; ignore them and stop at the login prompt.)
Login: _
Telnet or Telnet/SSL Access
To access the CLI via a Telnet or Telnet/SSL client:
Step 1 Enable the Telnet or Telnet/SSL server on the VPN Concentrator. (They are both enabled by default.) See the Configuration | System | Management Protocols | Telnet screen on the VPN Concentrator Manager.
Step 2 Start the Telnet or Telnet/SSL client, and connect to the remote system using these parameters:
Host Name or Session Name = The IP address on the VPN Concentrator Ethernet 1 (Private) interface; e.g., 10.10.147.2
Port = Telnet (The default Telnet port is 23; the default Telnet/SSL port is 992.)
Terminal Type = VT100 or ANSI
Telnet/SSL only: If the client offers it, enable both SSL and SSL Only.
Step 3 The VPN Concentrator displays a login prompt:
Login: _
SSH Access
To access the CLI via an SSH client:
Step 1 Enable the SSH server on the VPN Concentrator. (It is enabled by default.) See the Configuration | System | Management Protocols | SSH screen on the VPN Concentrator Manager.
Step 2 Start the SSH client, and connect to the remote system using these parameters:
Host Name or Session Name = The IP address on the VPN Concentrator Ethernet 1 (Private) interface; e.g., 10.10.147.2
Port = SSH (The default SSH port is 22.)
Terminal Type = VT100 or ANSI
User name = admin
Step 3 A security warning might appear stating: "There is no entry for this server in your list of know hosts." If this warning appears, continue.
Step 4 Enter your administrative password, and connect to the VPN Concentrator. When your connection is established, you are already logged in.
Starting the CLI
You start the CLI by logging in.
CLI login usernames and passwords for console, Telnet, and SSH access are the same as those configured and enabled for administrators. See the Administration | Access Rights | Administrators screen. By default, only admin is enabled.
This example uses the factory-supplied default admin login and password. If you have changed them, use your entries.
At the prompts, enter the administrator login name and password. Entries are case-sensitive. (The CLI does not show your password entry.)
Login: admin
Password: admin
The CLI displays the opening welcome message, the main menu, and the Main -> prompt:
Welcome to
Cisco Systems
VPN 3000 Concentrator Series
Command Line Interface
Copyright (C) 1998-2002 Cisco Systems, Inc.
1) Configuration
2) Administration
3) Monitoring
4) Save changes to Config file
5) Help Information
6) Exit
Main -> _
Using the CLI
This section explains how to:
Choose menu items.
Enter values for parameters and options.
Specify configured items by number or name.
Navigate quickly—using shortcuts—through the menus.
Display a brief help message.
Save entries to the system configuration file.
Stop the CLI.
Understand CLI administrator access rights.
The CLI displays menus or prompts at every level to guide you in choosing configurable options and setting parameters. The prompt always shows the menu context.
Choosing Menu Items
To use the CLI, enter a number at the prompt that corresponds to the desired menu item, and press Enter.
For example, this is the Configuration > System Management> General Config> System Identification menu:
1) Set System Name
2) Set Contact
3) Set Location
4) Back
General -> _
Enter 1 to set the system name.
Entering Values
The CLI shows any current or default value for a parameter in brackets [ ]. To change the value, enter a new value at the prompt. To leave the value unchanged, just press Enter.
Continuing the example above, this is the prompt to enter a value for the system name:
> Host Name
General -> [ Lab VPN ] _
You can enter a new name at the prompt, or just press Enter to keep the current name.
Specifying Configured Items
Many menus give choices that act on configured items—such as groups, users, filter rules, etc.—and the CLI lists those items with a number and their name. To specify an item, you can usually enter either its number or its name. The CLI indicates when you must use a specific identifier (usually the item's number).
For example, the Configuration > User Management > Groups menu lists configured groups:
To delete QuickGroup, enter 3 at the prompt. The CLI displays:
> Enter the Group to Delete
Groups -> _
At the prompt you can enter either its number (1) or its name (QuickGroup).
However, this next example shows the prompt for a specific identifier. The Configuration > System Management > Servers > Authentication Servers menu lists configured servers:
To delete the RADIUS server, enter 3 at the prompt. The CLI displays:
> Delete Server (number)
Authentication -> _
At the prompt, you must enter 2 for the RADIUS server.
Navigating Quickly through the CLI
There are two ways to move quickly through the CLI: shortcut numbers, and the Back/Home options. Both ways work only when you are at a menu, not when you are at a value entry.
Using Shortcut Numbers
Once you become familiar with the structure of the CLI—which parallels the HTML-based VPN Concentrator Manager—you can quickly access any level by entering a series of numbers separated by periods. For example, suppose you want to change the General Parameters for the Base Group. The series of menus that gets to that level from the main menu is:
1) Configuration
2) Administration
3) Monitoring
4) Save changes to Config file
5) Help Information
6) Exit
Main -> 1(Configuration)
1) Interface Configuration
2) System Management
3) User Management
4) Policy Management
5) Back
Config -> 3 (User Management)
1) Base Group
2) Groups
3) Users
4) Back
User Management -> 1 (Base Group)
1) General Parameters
2) Server Parameters
3) IPSec Parameters
4) VPN Client Firewall Parameters
5) Hardware Client Parameters
6) PPTP/L2TP Parameters
7) Back
Base Group -> 1 (General Parameters)
1) Access Parameters
2) Tunneling Protocols
3) SEP Config
4) Back
Base Group -> _
As a shortcut, you can just enter 1.3.1.1 at the Main-> prompt, and move directly to the Base Group General Parameters menu:
1) Configuration
2) Administration
3) Monitoring
4) Save changes to Config file
5) Help Information
6) Exit
Main -> 1.3.1.1
1) Access Parameters
2) Tunneling Protocols
3) SEP Config
4) Back
Base Group -> _
The prompt always shows the current context in the menu structure.
Using Back and Home
Most menus include a numbered Back choice. Instead of entering a number, you can just enter b or B to move back to the previous menu.
Also, at any menu level, you can just enter h or H to move home to the main menu.
Getting Help Information
To display a brief help message, enter 5 at the main menu prompt. The CLI explains how to navigate through menus and enter values. This help message is available only at the main menu.
Cisco Systems. Help information for the Command Line Interface
From any menu except the Main menu.
-- 'B' or 'b' for Back to previous menu.
-- 'H' or 'h' for Home back to the main menu.
For Data entry
-- Current values are in '[ ]'s. Just hit 'Enter' to accept value.
1) View Help Again
2) Back
Help -> _
To return to the main menu from this help menu, enter h (for home), or 2 or b (for back) at the prompt.
Saving the Configuration File
Configuration and administration entries take effect immediately and are included in the active, or running, configuration. However, if you reboot the VPN Concentrator without saving the active configuration, you lose all changes.
To save changes to the system configuration (CONFIG) file, navigate to the main menu. At the prompt, enter 4 for Save changes to Config file.
1) Configuration
2) Administration
3) Monitoring
4) Save changes to Config file
5) Help Information
6) Exit
Main -> 4
The system writes the active configuration to the CONFIG file and redisplays the main menu.
Stopping the CLI
To stop the CLI, navigate to the main menu and enter 6 for Exit at the prompt:
1) Configuration
2) Administration
3) Monitoring
4) Save changes to Config file
5) Help Information
6) Exit
Main -> 6
Done
Make sure you save any configuration changes before you exit from the CLI.
Understanding CLI Access Rights
What you see and can configure with the CLI depends on administrator access rights. If you don't have permission to configure an option, you see the designation "-)" (rather than a number) in menus.
For example, here is the main menu for the default User administrator:
-) Configuration
-) Administration
3) Monitoring
-) Save changes to Config file
5) Help Information
6) Exit
Main -> _
The default user administrator can only monitor the VPN Concentrator, not configure system parameters or administer the system.
This section of the documentation shows all the menus in the first three levels below the CLI main menu. (There are many additional menus below the third level; and within the first three levels, there are some non-menu parameter settings. To keep this chapter at a reasonable size, we show only the menus here.)
The numbers in each heading are the keyboard shortcut to reach that menu from the main menu. For example, entering 1.3.1 at the main menu prompt takes you to the Configuration > User Management> Base Group menu.
Note The CLI menus and options—and thus the keyboard shortcuts—may change with new software versions.
Please check familiar shortcuts carefully when using a new release.
Note Models 3015-3080 have more interfaces than the Model 3005. They also have additional SEP capacity.
Therefore, CLI menu shortcuts differ by model where they involve interface and expansion card
selections. We note some differences here, but please note carefully the system you are using.
Main Menu
1) Configuration
2) Administration
3) Monitoring
4) Save changes to Config file
5) Help Information
6) Exit
Main -> _
1 Configuration
1) Interface Configuration
2) System Management
3) User Management
4) Policy Management
5) Back
Config -> _
1.1 Configuration > Interface Configuration
This table shows current IP addresses.
.
.
.
Note The following menu appears on models 3015-3080 only.
1) Configure Ethernet #1 (Private)
2) Configure Ethernet #2 (Public)
3) Configure Ethernet #3 (External)
4) Configure Power Supplies
5) Back
Interfaces -> _
Note The following menu appears on model 3005 only.
1) Configure Ethernet #1 (Private)
2) Configure Ethernet #2 (Public)
3) Configure Power Supplies
4) Back
Interfaces -> _
1.1.1, 1.1.2, or 1.1.3 Configuration > Interface Configuration > Configure Ethernet #1 or #2 or #3
Note The Configuration > Interface Configuration > Configure Ethernet #3 menu appears only on models
3015-3080. It does not appear on model 3005.
1) Interface Setting (Disable, DHCP or Static IP)
2) Set Public Interface
3) Select IP Filter
4) Select Ethernet Speed
5) Select Duplex
6) Set MTU
7) Set Port Routing Config
8) Set Bandwidth Management
9) Set Public Interface IPSec Fragmentation Policy
10) Back
Ethernet Interface 1 -> _
1.1.4 Configuration > Interface Configuration > Configure Power Supplies
Note The following menu appears on models 3015-3080 only.
Alarm Thresholds in centivolts (e.g. 361 = 3.61V)
Voltages will be adjusted to conform to the hardware.
1) Configure CPU voltage thresholds
2) Configure Power Supply 1 voltage thresholds
3) Configure Power Supply 2 voltage thresholds
4) Configure Board voltage thresholds
5) Back
Interfaces -> _
1.1.3 Configuration > Interface Configuration > Configure Power Supplies
Note The following menu appears on model 3005 only.
Alarm Thresholds in centivolts (e.g. 361 = 3.61V)
Voltages will be adjusted to conform to the hardware.
1) Configure CPU voltage thresholds
2) Configure Power Supply voltage thresholds
3) Configure Board voltage thresholds
4) Back
Interfaces -> _
1.2 Configuration > System Management
1) Servers (Authentication, Accounting, etc.)
2) Address Management
3) Tunneling Protocols (PPTP, L2TP, etc.)
4) IP Routing (static routes, OSPF, etc.)
5) Management Protocols (Telnet, TFTP, FTP, etc.)
6) Event Configuration
7) General Config (system name, time, etc.)
8) Client Update
9) Load Balancing Configuration
10) Back
System -> _
1.2.1 Configuration > System Management > Servers
1) Authentication Servers
2) Accounting Servers
3) DNS Servers
4) DHCP Servers
5) Firewall Server
6) NTP Servers
7) Back
Servers -> _
1.2.2 Configuration > System Management > Address Management
1) Address Assignment
2) Address Pools
3) Back
Address -> _
1.2.3 Configuration > System Management > Tunneling Protocols
1) PPTP
2) L2TP
3) IPSec
4) Back
Tunnel -> _
Note The CLI does not include IPSec LAN-to-LAN configuration.
1.2.4 Configuration > System Management > IP Routing
1) Static Routes
2) Default Gateways
3) OSPF
4) OSPF Areas
5) DHCP
6) Redundancy
7) Reverse Route Injection
8) DHCP Relay
9) Back
Routing -> _
1.2.5 Configuration > System Management > Management Protocols
1) Configure FTP
2) Configure HTTP/HTTPS
3) Configure TFTP
4) Configure Telnet
5) Configure SNMP
6) Configure SNMP Community Strings
7) Configure SSL
8) Configure SSH
9) Configure XML
10) Back
Network -> _
1.2.6 Configuration > System Management > Event Configuration
1) General
2) FTP Backup
3) Classes
4) Trap Destinations
5) Syslog Servers
6) SMTP Servers
7) Email Recipients
8) Back
Event -> _
1.2.7 Configuration > System Management > General Config
1) System Identification
2) System Time and Date
3) Session Configuration
4) Global Authentication Parameters
5) Back
General -> _
1.2.8 Configuration > System Management > Client Update
1) Client Update Enable
2) Client Update Entries
3) Back
Client Update -> _
1.2.9 Configuration > System Management > Load Balancing
1) Cluster Configuration
2) Device Configuration
3) Back
Load Balancing -> _
1.3 Configuration > User Management
1) Base Group
2) Groups
3) Users
4) Back
User Management -> _
1.3.1 Configuration > User Management > Base Group
