Installing and Powering Up the VPN Concentrator

Before you begin, ensure that you have the requisite skill set and that your physical environment and software preferences are properly set, as described in the following sections.

User or Administrator Skills

We assume you are an experienced system administrator or network administrator with appropriate education and training, who knows how to install, configure, and manage internetworking systems. However, virtual private networks and VPN devices may be new to you. You should be familiar with Windows system configuration and management and with Microsoft Internet Explorer or Netscape Navigator browsers.

Physical Site Requirements

The VPN Concentrator requires a normal computing-equipment environment.

Power	The VPN Concentrator requires only normal computing-equipment power. For maximum protection, we recommend connecting it to a conditioned power source or UPS (uninterruptible power supply). Be sure that the power source provides a reliable earth ground.
Cooling	In the VPN 3005, cooling intake vents are on the front, and fans are on the rear of the chassis. In the VPN 3015-3080, cooling intake vents are on the left side, and fans on the right side, of the chassis (looking at the front). Allow at least 3 inches (75 mm) of unobstructed space on all sides. If you install the device in an equipment rack, be sure there is adequate airflow.
Access	The VPN Concentrator requires access only to the front and back.
Cables and Connectors	The VPN Concentrator uses the following cables and connectors: The VPN Concentrator Ethernet interfaces take standard UTP/STP twisted-pair network cables, Category 5, with RJ-45 8-pin modular connectors. Cisco supplies two with the system. The console port takes a standard straight-through RS-232 serial cable with a female DB-9 connector, which Cisco supplies with the system.

Console and PC / Telnet / Browser Requirements

The VPN Concentrator requires a console by which you enter initial configuration parameters. You can also completely configure and manage the VPN Concentrator via the CLI from the console or a Telnet client. However, for easiest use, we strongly recommend using the VPN Concentrator Manager, which is HTML-based, from a PC and browser.

The PC must be able to run the recommended browser. The console can be the same PC that runs the browser.

Browser Requirements

The VPN Concentrator Manager requires one of the following browsers:

Microsoft Internet Explorer version 4.0 or higher
Netscape Navigator version 4.5-4.7, 6.0, or 7.0
Mozilla 1.1

For best results, we recommend Internet Explorer. Whatever browser and version you use, install the latest patches and service packs for it.

JavaScript and Cookies

Be sure JavaScript and Cookies are enabled in the browser. Check these settings.

Browser	JavaScript	Cookies
Internet Explorer 4.0	1. On the View menu, choose Internet Options. 2. On the Security tab, click Custom (for expert users) then click Settings. 3. In the Security Settings window, scroll down to Scripting. 4. Click Enable under Scripting of Java applets. 5. Click Enable under Active scripting.	1. On the View menu, choose Internet Options. 2. On the Advanced tab, scroll down to Security then Cookies. 3. Click Always accept cookies.
Internet Explorer 5.0	1. On the Tools menu, choose Internet Options. 2. On the Security tab, click Custom Level. 3. In the Security Settings window, scroll down to Scripting. 4. Click Enable under Active scripting. 5. Click Enable under Scripting of Java applets.	1. On the Tools menu, choose Internet Options. 2. On the Security tab, click Custom Level. 3. In the Security Settings window, scroll down to Cookies. 4. Click Enable under Allow cookies that are stored on your computer. 5. Click Enable under Allow per-session cookies (not stored).
Netscape Navigator 4.5-4.7	1. On the Edit menu, choose Preferences. 2. On the Advanced screen, check the Enable JavaScript check box.	1. On the Edit menu, choose Preferences. 2. On the Advanced screen, click one of the Accept... cookies choices, and do not check the Warn me before accepting a cookie check box.
Netscape Navigator 6.0	1. On the Edit menu, choose Preferences. 2. On the Advanced screen, check the Enable JavaScript for Navigator check box.	1. On the Edit menu, choose Preferences. 2. Under the Advanced category, choose Cookies. 3. On the Cookies screen, choose Enable All Cookies. Do not check the Warn me before storing a cookie check box.

Navigation Toolbar

Do not use the browser navigation toolbar buttons Back, Forward, or Refresh / Reload with the VPN Concentrator Manager unless instructed to do so. To protect access security, clicking Refresh / Reload automatically logs out the Manager session. Clicking Back or Forward may display stale Manager screens with incorrect data or settings.

We recommend that you hide the browser navigation toolbar to prevent mistakes while using the VPN Concentrator Manager.

Recommended PC Monitor / Display Settings

For best legibility and ease of use, we recommend setting your monitor or display as follows:

Desktop area = 1024 x 768 pixels or greater. Minimum = 800 x 600 pixels.
Color palette = 256 colors or higher.

Unpacking

The VPN Concentrator ships with these items. Carefully unpack your device and check your contents against the list in Table 2-1 . Save the packing material in case you need to repack the unit.

Table 2-1 VPN Concentrator Packing List

Check	Quantity	Item
	1	VPN 3000 Series Concentrator
	2	Rack-mounting kits—one for model 3005; one for models 3015-3080
	1	RS-232 straight-through serial console cable with DB-9 female connectors on both ends
	2	UTP network cables with RJ-45 8-pin modular connectors
	1 or 2	Power cords
	1	Cisco VPN 3000 Series Concentrator CD
	1	Cisco VPN Software Client CD
	1	Evaluation copy of Zone Labs firewall software CD
	1	Cisco AVVID Solutions CD
	1	VPN 3000 Series Concentrator Getting Started (this manual)
	1	Release Notes for Cisco VPN 3000 Series Concentrator
	1	VPN 3000 Series Concentrator Software License Agreement
	1	Release Notes for Cisco VPN Client
	1	Cisco VPN Client Software License Agreement
	1	Export Compliance document
	1	Cisco Product Warranty and Information packet
	1	Documentation Ordering Instructions

Installing the VPN Concentrator Hardware

You can install the VPN Concentrator in a standard 19-inch equipment rack, or just place it on a table or shelf.

Tools Required

No. 1 Phillips screwdriver (if you install the rubber feet on the device).
No. 2 Phillips screwdriver (if you rack-mount the device).

Rack Mounting

Attach the rack-mounting brackets with 10-32 screws in the holes on the front left and right sides. Be sure to orient the brackets as shown in Figure 2-1.

Figure 2-1 Attaching Rack-Mounting Brackets Model 3005

Models 3015 to 3080

Mount the VPN Concentrator in the rack as shown in Figure 2-2. Use screws or fasteners appropriate for your equipment rack.

Figure 2-2 Rack Mounting a VPN Concentrator Model 3005

Models 3015 through 3080

Installing Rubber Feet

To place the VPN Concentrator on a table or shelf, locate the four indentations on the bottom of the chassis. Peel the removable tape off each rubber foot, and place one foot in each indentation. (See Figure 2-3.)

Some models of the VPN Concentrator use screws to attach the rubber feet. If the rubber feet have screws, attach them to the bottom of the chassis in the holes at each corner. (SeeFigure 2-4.)

Figure 2-3 Installing Rubber Feet

VPN 3005

VPN 3015 - 3080

Figure 2-4 Installing Rubber Feet with Screws Model 3005

Model 3015 through 3080

Connecting Hardware

Warning Be sure the console/PC is turned off before you connect cables to it. Do not connect power cables to the VPN Concentrator until instructed.

Connecting the Console/PC

Connect the RS-232 straight-through serial cable between the Console port on the back of the VPN Concentrator and the COM1 or serial port on the console/PC. See Figure 2-5.

If you are using a PC with a browser to manage the VPN Concentrator, be sure the PC is connected to the same private LAN as the VPN Concentrator.

Figure 2-5 Connecting the Console and Network Cables Model 3005

Model 3015 through 3080

Connecting Network Cables

Connect network patch cables between the Ethernet interface jacks on the back of the VPN Concentrator and your network patch panel or device. See Figure 2-5.

The interfaces are (left to right):

Private	Ethernet 1	VPN Concentrator interface to your private network (internal LAN)
Public	Ethernet 2	VPN Concentrator interface to the public network
External	Ethernet 3	VPN Concentrator interface to an additional LAN (present only on models 3015 - 3080)

To make the VPN Concentrator operational, you must connect at least two interfaces, usually Ethernet 1 and Ethernet 2.

Connecting Power Cable(s)

Warning Be sure the VPN Concentrator power switch is OFF (O depressed) before you connect a power cable. The power switch is on the power module, on the back of the VPN Concentrator.

Connect the power cable(s) between the VPN Concentrator and an appropriate power outlet. Be sure the power outlet provides a reliable earth ground. See Figure 2-6.

Figure 2-6 Connecting Power Cable(s) Model 3005

Model 3015 through 3080

Powering Up

Power up the devices in this sequence:

Step 1 Power up the console / PC.

Step 2 Start a terminal emulator (e.g., HyperTerminal) on the console/PC. Configure a connection to COM1, with port settings of:

9600 bits per second
8 data bits
No parity
1 stop bit
Hardware flow control.

Set the emulator for VT100 emulation, or let it auto-detect the emulation type.

Step 3 Power up the VPN Concentrator by pressing ON ( I ) on the power switch on the back.

The LED(s) on the front panel will blink and change color as the system executes diagnostics. Watch for these LEDs (if present) on the VPN Concentrator front panel to stabilize and display:

System = green (This is the only front-panel LED on the Model 3005.)
Ethernet Link Status 1 2 3 = green for the Ethernet interfaces to which you connected patch cables
Expansion Modules 1 2 3 4

Insertion Status = green for the number of SEP modules in your device
Run Status = green for the number of SEP modules in your device
Fan Status = green

Power Supplies A B = green for the number of power supplies in your device

Ignore any other LEDs on the front panel.

Step 4 Watch for the following LEDs on the back of the device to display:

Private / Public / External Interfaces
Link = green for the interfaces connected to networks
SEP Modules (if installed): Power = green

If LEDs that should be green are amber, red, or off, please see Appendix A, "Troubleshooting and System Errors." Ignore any other LEDs on the back.

Step 5 The console displays initialization and boot messages such as:

 
Boot-ROM Initializing...

 
Boot configured 128Mb of RAM.

 
Image Loader Initializing...

 
Decompressing & loading image ............

 
Verifying image checksum ...........

 
Active image loaded and verified...

 
Starting loaded image...

 
Starting power-up diagnostics...

 
Initializing VPN Concentrator ...

 
Initialization Complete...Waiting for Network...

 
Login: _

Beginning Quick Configuration

You are now ready to begin quick configuration; that is, accepting default values when possible and configuring minimal parameters to make the VPN 3000 Concentrator operational.

Note You can go through the steps of quick configuration only once, unless you reboot the system with the Reboot with Factory/Default configuration option. In that case, you can and must go through all the steps again. See Administration | System Reboot in the VPN 3000 Concentrator Series User Guide.

Quick configuration consists of the following steps:

Step 1 Set the system time, date, and time zone, from the console.

Step 2 Configure the VPN Concentrator Ethernet 1 interface to your private network, from the console.

At this point you can use a browser to complete Quick Configuration with the VPN Concentrator Manager (see "Using the VPN Concentrator Manager for Quick Configuration"). While you can continue with the console instead (see "Using the Command-Line Interface for Quick Configuration"), we recommend using a browser.

Step 3 Configure the other Ethernet interfaces that are connected to a public network or an additional external network.

Step 4 Enter system identification information: system name, date, time, DNS, domain name, and default gateway.

Step 5 Specify tunneling protocols and encryption options.

Step 6 Specify methods for assigning IP addresses to clients as a tunnel is established.

Step 7 Choose and identify the user authentication server: the internal server, RADIUS, NT Domain, or SDI.

Step 8 If using the internal authentication server, populate the internal user database.

Step 9 If using IPSec tunneling protocol, assign a name and password to the IPSec tunnel group.

Step 10 Change the admin password for security.

Step 11 Save the configuration file. When you complete this step, quick configuration is done.

Quick Configuration Using Non-default Values

Although you can choose to accept the default values, where applicable, for many of the quick configuration parameters, you can instead specify particular values for one or more of these parameters. Table 2-2 lists the parameters you need for quick configuration and provides space for you to record the values you enter. Write those values here now to save time as you enter data.

Table 2-2 Quick Configuration Parameters

Screen \| Parameter Name	Parameter Description and Use	Your Entry
IP Interfaces \| Ethernet 1 (Private)	Specify the IP address and subnet mask, speed, and duplex mode for the VPN Concentrator interface to your private network.
IP Interfaces \| Ethernet 2 (Public)	Specifies the IP address and subnet mask, speed, and duplex mode for the VPN Concentrator interface to the public network.
IP Interfaces \| Ethernet 3 (External)	(For models 3015-3080 only) If so connected, specify the IP address and subnet mask, speed, and duplex mode for the VPN Concentrator interface to an additional external network.
System Info \| System Name	Specify a device or system name for the VPN Concentrator (for example, VPN01).
System Info \| DNS Server	Specify the IP address of your local DNS (Domain Name System) server.
System Info \| Domain	Specify the registered Internet domain name to use with DNS (for example, cisco.com).
System Info \| Default Gateway	Specify the IP address or hostname of the default gateway for packets not otherwise routed.
Address Assignment \| DHCP \| Server	If you use DHCP (Dynamic Host Configuration Protocol) for remote address assignment, specify the IP address or hostname of the DHCP server.
Address Assignment \| Configured Pool \| Range Start and Range End	If you use the VPN Concentrator to assign addresses, specify the starting and ending IP addresses in its initial configured pool.
Authentication	Your choice here determines the parameters you see in the following screen. Possible values are: Internal Server Choosing Internal Server, means using the internal VPN Concentrator user authentication server. On the User Database screen, specify the username and password for each user. Additionally, if you specify per-user address assignment, specify the IP address and subnet mask for each user. RADIUS If you use an external RADIUS user authentication server, specify its IP address or hostname, port number, and server secret or password. NT Domain If you use an external Windows NT Domain user authentication server, specify its IP address, port number, and Primary Domain Controller hostname. SDI If you use an external SDI user authentication server, specify its IP address and port number.
User Database \| Group Name, Password, Verify	If you enable the IPSec tunneling protocol, specify a name and password for the IPSec tunnel group.	Note For security reasons, do not write your password here.

Using the Console

You must use the console for the first part of quick configuration—setting the system time and date, and configuring the private Ethernet interface, as described in the following steps. Then you can use the HTML-based VPN Concentrator Manager from a browser to complete quick configuration. Refer to the data you recorded in Table 2-2 .

Step 1 You started the terminal emulator window on the console in the "Powering Up" section; if not, start it now and press Enter on the console keyboard until you see the login prompt. (You may see a password prompt and other messages as you press Enter. Ignore them and stop at the login prompt.)

 
Login: _

Step 2 At the cursor, enter the default login name: admin. At the password prompt, enter the default password: admin.

 
Login: admin

 
Password: admin

Step 3 The system displays the opening message and prompts you to set the time on the VPN Concentrator. The correct time is very important, so that logging and accounting entries are accurate, and so that the system can create a valid security certificate. The time in brackets is the current device time.

 
                 Welcome to

 
               Cisco Systems

 
        VPN 3000 Concentrator Series

 
           Command Line Interface

 
Copyright (C) 1998-2003 Cisco Systems, Inc.

 
-- : Set the time on your device. ...

 
> Time

 
Quick -> [ 15:46:41 ] _

At the cursor, enter the correct device time in the format HH:MM:SS, using 24-hour notation. For example, enter 4:24 p.m. as 16:24:00.

Step 4 The system prompts you to set the date. The number in brackets is the current device date.

 
-- : Enter the date ...

 
> Date

 
Quick -> [ 03/26/2001 ] _

At the cursor, enter the correct date in the format MM/DD/YYYY. Use four digits to enter the year. For example, enter June 12, 2001 as 06/12/2001.

Step 5 The system prompts you to set the time zone. The time zone selections are offsets in hours relative to GMT (Greenwich Mean Time), which is the basis for Internet time synchronization. The number in brackets is the current time zone offset.

 
-- : Set the time zone on your device. ...

 
-- : Enter the time zone using the hour offset from GMT: ...

 
> Time Zone

 
Quick -> [ 0 ] _

At the cursor, enter the time zone offset in the format +/-NN. For example, enter -5 for U.S. Eastern Standard Time.

Step 6 The system prompts you with a menu to enable DST (Daylight-Saving Time) support. During DST, clocks are set one hour ahead of standard time. Enabling DST support means that the VPN Concentrator automatically adjusts the time zone for DST or standard time. If your system is in a time zone that uses DST, you must enable DST support.

 
1) Enable Daylight Savings Time Support

 
2) Disable Daylight Savings Time Support

 
Quick -> [ 2 ] _

At the cursor, enter 2 to disable DST support, or enter 1 to enable DST support.

Step 7 The system prompts you to enter an IP address for Ethernet 1, which is the VPN Concentrator interface to your private network (internal LAN). Be sure no other device is using this address on your private network. You must enter this address to continue quick configuration.

 
This table shows current IP addresses.

 
    Interface             IP Address/Subnet Mask    MAC Address

 
---------------------------------------------------------------

 
| Ethernet 1 - Private  |    0.0.0.0/0.0.0.0     |

 
| Ethernet 2 - Public   |    0.0.0.0/0.0.0.0     |

 
| Ethernet 3 - External |    0.0.0.0/0.0.0.0     |

 
---------------------------------------------------------------

 
** An address is required for the private interface. **

 
> Enter IP Address

 
Quick Ethernet 1 -> [ 0.0.0.0 ] _

At the cursor, enter the IP address using dotted decimal notation; for example, 10.10.4.6.

Note Ethernet 3 appears only on Models 3015 - 3080.

Step 8 The system initializes its network subsystems, which takes a few seconds. It then prompts you for the subnet mask for the Ethernet 1 (Private) interface. The entry in brackets is the standard subnet mask for the IP address you just entered. For example, an IP address of 10.10.4.6 is a Class A address, and the standard subnet mask is 255.0.0.0.

 
> Enter Subnet Mask

 
Quick Ethernet 1 -> [ 255.0.0.0 ] _

At the cursor, enter the subnet mask appropriate for your private network addressing scheme, using dotted decimal notation; for example, 255.255.0.0. To accept the default, press Enter.

Step 9 The system prompts you with a menu to set the speed for the Ethernet 1 interface. You can let the VPN Concentrator automatically detect and set the appropriate speed (the default), or you can set fixed speeds of 10 or 100 Mbps (for 10BASE-T or 100BASE-T networks). If you accept the default, be sure that the port on the active network device (hub, switch, or router) to which you connect this interface is also set to automatically negotiate the speed. Otherwise, select the appropriate fixed speed.

 
1) Ethernet Speed 10 Mbps

 
2) Ethernet Speed 100 Mbps

 
3) Ethernet Speed 10/100 Mbps Auto Detect

 
Quick -> [ 3 ] _

At the cursor, enter the menu number for your selection; for example, 1. To accept the default (3), press Enter.

Step 10 The system prompts you with a menu to set the transmission mode for the Ethernet 1 interface. You can let the VPN Concentrator automatically detect and set the appropriate mode (the default), or you can configure the interface for full duplex (transmission in both directions at the same time) or half duplex (transmission in only one direction at a time). If you accept the default, be sure that the port on the active network device (hub, switch, or router) to which you connect this interface is also set to automatically negotiate the transmission mode. Otherwise, select the appropriate fixed mode.

 
1) Enter Duplex - Half/Full/Auto

 
2) Enter Duplex - Full Duplex

 
3) Enter Duplex - Half Duplex

 
Quick -> [ 1 ] _

At the cursor, enter the menu number for your selection; for example, 2. To accept the default (1), press Enter.

Step 11 The system prompts you to enter a value for the maximum transmission unit (packet size) for this interface. Either accept the default value, 1500 bytes or specify a value in the range 68 to 1500. The standard MTU for Ethernet is 1500 bytes.

 
> MTU [68-1500)

 
Quick --> [1500]_

Step 12 The system now has enough information so that you can exit the CLI and continue configuring with a browser. the system displays one of the following menus, depending on the model of the Concentrator being configured:

Model 3005 menu

 
1) Modify Ethernet 1 IP Address (Private)

 
2) Modify Ethernet 2 IP Address (Public)

 
3) Save changes to Config file

 
4) Continue

 
5) Exit

 
Quick -> _

Model 3015-3080 menu

 
1) Modify Ethernet 1 IP Address (Private)

 
2) Modify Ethernet 2 IP Address (Public)

 
3) Modify Ethernet 3 IP Address (External)

 
4) Save changes to Config file

 
5) Continue

 
6) Exit

 
Quick -> _

First, we recommend that you save your entries to the configuration file. At the cursor, enter the number for Save changes to Config file. The system redisplays the same menu.

For easiest use, we recommend exiting and using the Manager. To do so, enter the number for Exit at the cursor and continue with the next step.
To continue using the CLI for quick configuration, enter the number for Continue at the cursor and see Chapter 4.

Step 13 We assume you chose Exit. The system displays:

 
Done

Continue quick configuration with the VPN Concentrator Manager in Chapter 3.

Table of Contents