
Table of Contents

Using the Command-Line Interface for Quick Configuration

Configuring Ethernet Interfaces
Configuring System Information
Configuring Tunneling Protocols and Options
Configuring Address Assignment
Configuring Authentication
Configuring the IPSec Group
Changing the Admin Password
Completing Quick Configuration
Saving the Active Configuration
Exiting the CLI
What Next?

Using the Command-Line Interface for Quick Configuration


This chapter tells you how to complete quick configuration of the system using the VPN 3000 Series command-line interface (CLI).

Quick configuration supplies the minimal parameters needed to make the VPN Concentrator operational. For example, a configured remote user with a PC and modem can use Microsoft PPTP and a local ISP to connect securely—in a VPN tunnel through the Internet—with resources on a private, internal corporate network.

The CLI is a menu-based configuration, administration, and monitoring system built into the VPN Concentrator. You can use it from the console or in a Telnet session. To use a Telnet session, connect to the IP address of the private Ethernet interface.

Before beginning the procedures in this section, you should have completed Steps 1 through 11 in the "Using the Console" section. As you proceed, refer to the data you recorded in Table 2-2.

About Quick Configuration

The CLI has the following characteristics:

Configuring Ethernet Interfaces

This section describes how to configure the VPN Concentrator Ethernet interfaces.

For the VPN Concentrator to become fully operational, you must configure the two interfaces you physically connected to your network in the "Connecting Network Cables" section.

To configure the VPN Concentrator Ethernet Interfaces, follow these steps:


Step 1   The system prompts you to configure the VPN Concentrator interfaces.

Model 3005 Menu
1) Modify Ethernet 1 IP Address (Private)
2) Modify Ethernet 2 IP Address (Public)
3) Save changes to Config file
4) Continue
5) Exit
Quick -> _
Model 3015-3080 Menu
1) Modify Ethernet 1 IP Address (Private)
2) Modify Ethernet 2 IP Address (Public)
3) Modify Ethernet 3 IP Address (External)
4) Save changes to Config file
5) Continue
6) Exit
Quick -> _

You entered values for Ethernet 1 in the "Using the Console" section. You can change them now if you want; to do so, enter 1 at the cursor. To configure another interface, enter its number at the cursor.

Step 2   We assume you enter 2 to configure Ethernet 2. The CLI displays a table with the current IP addresses and subnet masks for all three Ethernet interfaces.

This table shows current IP addresses.
    Interface          IP Address/Subnet Mask     MAC Address
-----------------------------------------------------------------
Ethernet 1 - Private  | 10.10.4.6/255.255.0.0 | 00.10.5A.1F.4F.07
Ethernet 2 - Public   |   0.0.0.0/0.0.0.0     |
Ethernet 3 - External |   0.0.0.0/0.0.0.0     |
-----------------------------------------------------------------
> Enter IP Address for Ethernet 2 (Public)
Quick -> [ 0.0.0.0 ] _

At the cursor, enter the IP address for the VPN Concentrator Ethernet 2 (Public) interface, using dotted decimal notation; for example, 192.168.12.34. Be sure no other device is using this address on the network. (Note that Ethernet 3 appears on models 3015-3080 only.)

Step 3   The system prompts you for the subnet mask for the Ethernet 2 (Public) interface. The entry in brackets is the standard subnet mask for the IP address you entered above. For example, an IP address of 192.168.12.34 is a Class C address, and the standard subnet mask is 255.255.255.0.

> Enter Subnet Mask for Ethernet 2
Quick -> [ 255.255.255.0 ] _

At the cursor, enter the subnet mask for Ethernet 2, using dotted decimal notation; for example, 255.255.255.0. To accept the default, press Enter.

Step 4   The system prompts with a menu to set the speed for the Ethernet 2 interface. You can let the VPN Concentrator automatically detect and set the appropriate speed (the default), or you can set a fixed speed of 10 or 100 Mbps (for 10BASE-T or 100BASE-T networks). If you accept the default, be sure that the port on the active network device (hub, switch, or router) to which you connect this interface is also set to automatically negotiate the speed. Otherwise, select the appropriate fixed speed.

1) Ethernet Speed 10 Mbps
2) Ethernet Speed 100 Mbps
3) Ethernet Speed 10/100 Mbps Auto Detect
Quick -> [ 3 ]

At the cursor, enter the menu number for your selection; for example, 1. To accept the default (3), press Enter.

Step 5   The system prompts with a menu to set the transmission mode for the Ethernet 2 interface. You can let the VPN Concentrator automatically detect and set the appropriate mode (the default), or you can configure the interface for full duplex (transmission in both directions at the same time) or half duplex (transmission in only one direction at a time). If you accept the default, be sure that the port on the active network device (hub, switch, or router) to which you connect this interface is also set to automatically negotiate the transmission mode. Otherwise, select the appropriate fixed mode.

1) Enter Duplex - Half/Full/Auto
2) Enter Duplex - Full Duplex
3) Enter Duplex - Half Duplex
Quick -> [ 1 ] _

At the cursor, enter the menu number for your selection; for example, 2. To accept the default (1), press Enter.

Step 6   The system prompts with a menu giving choices for proceeding. You can configure other interfaces, save your current entries, continue on to other quick configuration parameters, or exit the CLI. We recommend that you save first.

Model 3005 Menu
1) Modify Ethernet 1 IP Address (Private)
2) Modify Ethernet 2 IP Address (Public)
3) Configure Expansion Cards
4) Save changes to Config file
5) Continue
6) Exit
Quick -> _
Model 3015-3080 Menu
1) Modify Ethernet 1 IP Address (Private)
2) Modify Ethernet 2 IP Address (Public)
3) Modify Ethernet 3 IP Address (External)
4) Configure Expansion Cards
5) Save changes to Config file
6) Continue
7) Exit
Quick -> _

At the cursor, enter the number for Save changes to Config file.



Configuring System Information

To configure basic information that identifies your VPN Concentrator on the network, follow these steps:


Step 1   The system prompts you to assign a system name to the VPN Concentrator.

-- : Assign a system name to this device.
> System Name
Quick -> _

At the cursor, enter a name such as VPN01. This name must uniquely identify this device on your network.

Step 2   The system prompts you to specify a local DNS (Domain Name System) server, which lets you enter Internet hostnames (for example, mail01) rather than IP addresses for servers as you configure and manage the VPN Concentrator. While hostnames are easier to remember, using IP addresses avoids problems that might arise with the DNS server offline, congested, or otherwise indisposed.

-- : Specify a local DNS server, ...
> DNS Server
Quick -> [ 0.0.0.0 ]

At the cursor, enter the IP address of your local DNS server in dotted decimal notation; for example, 10.10.0.11.

Step 3   The system prompts you to enter the registered Internet domain name in which the VPN Concentrator is located (sometimes called the domain name suffix or subdomain).

-- : Enter your Internet domain name; ...
> Domain
Quick -> _

At the cursor, enter your domain name; for example, cisco.com.

Step 4   The system prompts you to specify a default gateway, which is the system to which the VPN Concentrator routes packets that are not explicitly routed. In other words, if the VPN Concentrator has no IP routing parameters (RIP, OSPF, static routes) that specify where to send packets, it will send them to this gateway. (And when you first start the VPN Concentrator, it has no IP routing parameters.)

> Default Gateway
Quick -> _

At the cursor, enter the IP address of the default gateway (for example, 10.10.0.1). This address must not be the same as the IP address configured on any VPN Concentrator interface. To specify no default gateway—which means the VPN Concentrator drops unrouted packets—leave this entry blank.
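The Ethernet interface steps (an address entered in dotted decimal, the classful "standard" subnet mask offered in brackets, no duplicate addresses) and the default gateway rule above (the gateway must not equal any interface address; blank means unrouted packets are dropped) can be checked offline before the values are typed into the CLI. The following Python is an added example written for this page, not code from the guide or from Cisco; the interface table is constructed, and the check that a gateway sits on a connected interface subnet is an assumption of good practice rather than a rule the guide states.

```python
import ipaddress

# Constructed interface table in the shape of the quick-configuration display:
# interface name -> (IP address, subnet mask). The values are illustrative only.
INTERFACES = {
    "Ethernet 1 - Private": ("10.10.4.6", "255.255.0.0"),
    "Ethernet 2 - Public": ("192.168.12.34", "255.255.255.0"),
}


def classful_default_mask(ip):
    """Return the classful ("standard") subnet mask the CLI offers in brackets
    for the address just entered, e.g. 255.255.255.0 for 192.168.12.34."""
    first_octet = int(ipaddress.IPv4Address(ip)) >> 24
    if first_octet < 128:
        return "255.0.0.0"        # class A
    if first_octet < 192:
        return "255.255.0.0"      # class B
    if first_octet < 224:
        return "255.255.255.0"    # class C
    raise ValueError(f"{ip} is not a class A, B or C unicast address")


def validate_interface(ip, mask, configured):
    """Check an address/mask pair before it is entered for an interface.
    `configured` holds the interfaces already set, shaped like INTERFACES."""
    problems = []
    if ipaddress.IPv4Address(ip) == ipaddress.IPv4Address("0.0.0.0"):
        problems.append("interface address is unset (0.0.0.0)")
    try:
        # strict=False accepts a host address; a non-contiguous mask raises.
        ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)
    except ValueError:
        problems.append(f"{mask} is not a valid subnet mask")
    # The guide requires that no other device use the address; the only
    # duplicates visible offline are the concentrator's own interfaces.
    for name, (other_ip, _) in configured.items():
        if other_ip == ip:
            problems.append(f"address {ip} is already used by {name}")
    return problems


def validate_default_gateway(gateway, configured):
    """A blank entry means "no default gateway" (unrouted packets are dropped).
    Otherwise the gateway must not equal any interface address."""
    if gateway.strip() == "":
        return []
    problems = []
    gw = ipaddress.IPv4Address(gateway)
    for name, (ip, _) in configured.items():
        if ipaddress.IPv4Address(ip) == gw:
            problems.append(f"gateway {gateway} equals the address of {name}")
    # Assumption, not a rule from the guide: a default gateway is only
    # reachable if it sits on the subnet of one of the configured interfaces.
    on_link = any(gw in ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)
                  for ip, mask in configured.values())
    if not on_link:
        problems.append(f"gateway {gateway} is not on any interface subnet")
    return problems


if __name__ == "__main__":
    print(classful_default_mask("192.168.12.34"))
    print(validate_interface("10.10.4.6", "255.255.0.0", INTERFACES))
    print(validate_default_gateway("10.10.0.1", INTERFACES))
```

Run the checks against the addresses recorded in Table 2-2 before starting the session; an address conflict or an unreachable gateway found at this point costs far less than discovering it after the public interface is live.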



Configuring Tunneling Protocols and Options

This section describes how to enable, disable, and configure virtual private network tunneling protocols and encryption options on the VPN Concentrator. You must enable at least one of the following protocols for the device to function as a VPN device. The protocol choices are PPTP (Point-to-Point Tunneling Protocol) and L2TP (Layer 2 Tunneling Protocol), with or without Microsoft encryption required; and IPSec (IP Security protocol). PPTP and L2TP are popular with Microsoft Windows-based clients, and the Cisco VPN Client uses IPSec.

To enable, disable, and configure virtual private network tunneling protocols and encryption options on the VPN Concentrator, follow these steps:


Step 1   The system shows default settings for PPTP and L2TP—both enabled, both with no encryption required. It then prompts you to enable or disable PPTP.

-- : Configure protocols and encryption options.
-- : This table shows current protocol settings
         PPTP         |        L2TP         |
---------------------------------------------
| Enabled | Enabled |
| No Encryption Req | No Encryption Req |
---------------------------------------------
1) Enable PPTP
2) Disable PPTP
Quick -> [ 1 ]

At the cursor, enter 2 to disable PPTP, or press Enter to accept the default (1), which enables PPTP.

Step 2   If you enable PPTP, the system prompts you to select the encryption option.

1) PPTP Encryption Required
2) No Encryption Required
Quick -> [ 2 ]

At the cursor, enter 1 to require encryption, or press Enter to accept the default (2), which does not require encryption. Accept the default if you disabled PPTP.

Step 3   The system prompts you to enable or disable L2TP.

1) Enable L2TP
2) Disable L2TP
Quick -> [ 1 ]

At the cursor, enter 2 to disable L2TP, or press Enter to accept the default (1), which enables L2TP.

Step 4   If you enable L2TP, the system prompts you to select the encryption option.

1) L2TP Encryption Required
2) No Encryption Required
Quick -> [ 2 ] _

At the cursor, enter 1 to require encryption, or press Enter to accept the default (2), which does not require encryption.

Step 5   The system prompts you to enable or disable IPSec.

1) Enable IPSec
2) Disable IPSec
Quick -> [ 1 ] _

At the cursor, enter 2 to disable IPSec, or press Enter to accept the default (1), which enables IPSec.



Configuring Address Assignment

Configuring address assignment applies, and its menus appear, only when you enable at least one tunneling protocol. If you disabled all protocols, skip to the "Configuring Authentication" section.

This section lets you configure prioritized methods for assigning IP addresses to clients as a tunnel is established. The methods are configured, and used, in this order: client-specified, per-user, DHCP, and configured pool.

You must enable at least one method. You can enable any and all methods. By default, no method is enabled.

To configure address assignment, follow these steps:


Step 1   The system prompts you to enable or disable client-specified address assignment. If you enable IPSec, do not enable only this method; IPSec does not allow client-specified IP addresses.

-- : Configure address assignment for PPTP, L2TP and IPSec.
1) Enable Client Specified Address Assignment
2) Disable Client Specified Address Assignment
Quick -> [ 2 ]

At the cursor, enter 1 to enable client-specified address assignment, or press Enter to accept the default (2), disabled.

Step 2   The system prompts you to enable or disable per-user address assignment.

1) Enable Per User Address Assignment
2) Disable Per User Address Assignment
Quick -> [ 2 ] _

At the cursor, enter 1 to enable per-user address assignment, or press Enter to accept the default (2), disabled.

Step 3   The system prompts you to enable or disable DHCP address assignment.

1) Enable DHCP Address Assignment
2) Disable DHCP Address Assignment
Quick -> [ 2 ] _

At the cursor, enter 1 to enable DHCP address assignment, or press Enter to accept the default (2), disabled. If you enable DHCP, continue with the next step. If you disable DHCP, skip the next step.

Step 4   If you enable DHCP address assignment, the system prompts for the server address. If you disable DHCP, this prompt does not appear.

> DHCP Server
Quick -> _

At the cursor, enter the IP address or hostname of the DHCP server.

Step 5   The system prompts you to enable or disable configured pool address assignment.

1) Enable Configured Pool Address Assignment
2) Disable Configured Pool Address Assignment
Quick -> [ 2 ] _

At the cursor, enter 1 to enable configured pool assignment, or press Enter to accept the default (2), disabled. If you enable configured pool, continue with the next two steps; otherwise, skip them.

Step 6   If you enable configured pool address assignment, the system prompts for the starting IP address available in the initial pool.

> Configured Pool Range Start Address
Quick -> _

At the cursor, enter the starting IP address available in the initial configured pool. Use dotted decimal notation; for example, 10.10.1.77.

Step 7   If you enable configured pool address assignment, the system prompts for the ending IP address available in the initial pool.

> Configured Pool Range End Address
Quick -> [ 0.0.0.0 ] _

At the cursor, enter the ending IP address available in the initial configured pool. Use dotted decimal notation; for example, 10.10.1.177.
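The constraints spread across Steps 1 through 7 (at least one method enabled, client-specified not usable on its own with IPSec, a DHCP server required when DHCP is enabled, a complete and ordered pool range) are easy to get wrong when answering prompts one at a time. The Python below is an added example for this page, not code from the guide or from Cisco; the method names and the argument layout are assumptions chosen for the example, and the priority order it encodes is the one the prompts present.

```python
from ipaddress import IPv4Address

# The four methods, in the order the quick-configuration prompts present them
# (Steps 1, 2, 3 and 5), which is also the order the concentrator tries them.
METHOD_ORDER = ("client_specified", "per_user", "dhcp", "configured_pool")


def assignment_order(enabled):
    """Methods the concentrator will try for a new tunnel, in priority order."""
    return [m for m in METHOD_ORDER if m in enabled]


def pool_size(pool_start, pool_end):
    """Number of addresses in an inclusive configured-pool range."""
    return int(IPv4Address(pool_end)) - int(IPv4Address(pool_start)) + 1


def validate_address_assignment(enabled, ipsec_enabled, dhcp_server=None,
                                pool_start=None, pool_end=None):
    """Return the problems in a set of quick-configuration answers.

    enabled        set of method names from METHOD_ORDER answered "Enable"
    ipsec_enabled  whether IPSec was enabled in the tunneling-protocol section
    dhcp_server    Step 4 answer (only meaningful when "dhcp" is enabled)
    pool_start/end Step 6 and 7 answers (only meaningful for "configured_pool")
    """
    problems = []
    enabled = set(enabled)
    unknown = enabled - set(METHOD_ORDER)
    if unknown:
        problems.append(f"unknown method(s): {sorted(unknown)}")
    if not enabled:
        problems.append("no method enabled; at least one is required")
    if ipsec_enabled and enabled == {"client_specified"}:
        problems.append("client-specified is the only method but IPSec is "
                        "enabled; IPSec does not allow client-specified addresses")
    if "dhcp" in enabled and not dhcp_server:
        problems.append("DHCP enabled but no DHCP server address or hostname given")
    if "configured_pool" in enabled:
        if not pool_start or not pool_end:
            problems.append("configured pool enabled but the range is incomplete")
        else:
            start, end = IPv4Address(pool_start), IPv4Address(pool_end)
            if start == IPv4Address("0.0.0.0"):
                problems.append("pool start address is unset (0.0.0.0)")
            elif end < start:
                problems.append(f"pool end {pool_end} precedes pool start {pool_start}")
    return problems


if __name__ == "__main__":
    plan = {"configured_pool", "dhcp"}
    print(assignment_order(plan))
    print(validate_address_assignment(plan, ipsec_enabled=True,
                                      dhcp_server="10.10.0.12",
                                      pool_start="10.10.1.77",
                                      pool_end="10.10.1.177"))
    print(pool_size("10.10.1.77", "10.10.1.177"))
```

The size check is worth doing with the pool range from the guide's own example: 10.10.1.77 through 10.10.1.177 is 101 addresses, which bounds how many remote-access tunnels can be served from the pool at once.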



Configuring Authentication

You can choose and configure one of five types of servers to authenticate users: Internal, RADIUS, NT Domain, SDI, and Kerberos/Active Directory.

You must select one authentication server type; there is no default. You can configure additional authentication servers on regular Configuration menus.

Before you configure an external server here, be sure that the external server you reference is itself properly configured and that you know how to access it (IP address or hostname, TCP/UDP port, secret/password, and so forth). The VPN Concentrator functions as the client of these servers.

The system prompts you to select an authentication server type.

-- : Specify how to authenticate users.
1) Internal
2) RADIUS
3) NT Domain
4) SDI
5) Kerberos/Active Directory
6) Continue
Quick -> _

Step 1   At the cursor, enter the menu number for your selection; for example, 1, and skip to the step in the following section that describes your authentication server selection.

To bypass this step and continue quick configuration, enter 5. If you enabled IPSec tunneling protocol, skip to the "Configuring the IPSec Group" section; otherwise skip to the "Changing the Admin Password" section.



Configuring Internal Authentication Server and User Database

The VPN Concentrator internal authentication server lets you enter a maximum of 100 groups and users (combined) in its database, which is adequate for a small user base. For larger numbers of users, we recommend using a RADIUS authentication server.

To use the internal server, you must create a database with at least one user, each with a user name and password, and—if you specified per-user address assignment—an IP address and subnet mask. To do so, follow these steps:


Step 1   You selected the VPN Concentrator internal authentication server, and the system prompts you to add users to the internal authentication server database. When you start quick configuration, the user database is empty.

Current Users
-------------------------------------------------------------------------
No Users
-------------------------------------------------------------------------
1) Add a User
2) Delete a User
3) Continue
Quick -> _

At the cursor, enter 1 to add a user.

Step 2   The system prompts you to enter the user name. To be authenticated, the user must log in from the client using this name.

> User Name
Quick -> _

At the cursor, enter a unique user name; for example, simonz. The maximum is 32 characters, case-sensitive.

Step 3   The system prompts you to enter the password for this user. To be authenticated, the user must log in from the client using this password. Each user name and password combination must be unique.

> Password
Quick -> _

At the cursor, enter the user password; for example, 9se7pt14. It must be at least 8 characters long; the maximum is 32 characters, case-sensitive. The system displays only asterisks.

Step 4   The system prompts you to verify the password for this user.

Verify -> _

At the cursor, re-enter the user password. The system displays only asterisks.

If you specified per-user address assignment, continue with the next two steps. Otherwise, skip them.

Step 5   If you specified per-user address assignment, the system prompts you to enter the IP address for this user. This is the IP address assigned to this user as a client.

> User IP Address
Quick -> [ 0.0.0.0 ]

At the cursor, enter the user IP address in dotted decimal notation; for example, 10.10.1.35.

Step 6   If you specified per-user address assignment, the system prompts you to enter the subnet mask for this user. This is the subnet mask assigned to this user as a client.

> User Subnet Mask
Quick -> [ 0.0.0.0 ]

At the cursor, enter the user subnet mask in dotted decimal notation; for example, 255.255.0.0.

Step 7   The system redisplays the user database with the new user added. You can add more users, delete users, or continue with quick configuration.

Quick -> [ 0.0.0.0 ] 255.255.0.0
Current Users
-------------------------------------------------------------------------
| 1. simonz | |
-------------------------------------------------------------------------
1) Add a User
2) Delete a User
3) Continue
Quick -> _

At the cursor, enter the menu number for your selection; for example, 1. To add more users, repeat Step 1 through Step 6 in this section. To delete a user (2), see the next step. To continue (3), skip to the "Configuring the IPSec Group" section or the "Changing the Admin Password" section.

Step 8   If you choose to delete a user from the internal database, the system prompts you to enter the name of the user to delete.

> User to Delete
Quick -> _

At the cursor, enter the name of the existing user you want to delete; for example, simonz. You must enter the name exactly as listed in the table. After deleting the user, the system redisplays the user database as in the previous step, but without the deleted user.



Configuring RADIUS Authentication Server

External RADIUS servers can return group and user authentication parameters that match those on the VPN Concentrator; other authentication servers do not. The VPN Concentrator software CD-ROM includes a trial copy of the CiscoSecure ACS RADIUS authentication server and instructions for using it with the VPN Concentrator.

To configure an external RADIUS user authentication server, follow these steps to supply the required server IP address or hostname, server secret, and port number:


Step 1   You selected the external RADIUS authentication server, and the system prompts you to enter its hostname or IP address.

> RADIUS Server (Name/IP Address)
Quick ->

At the cursor, enter the RADIUS server hostname or IP address; for example, 192.168.56.78. The maximum length is 32 characters.

Step 2   The system prompts you to enter the RADIUS server secret, also called the shared secret, that allows access to the server.

> RADIUS Server Secret
Quick -> _

At the cursor, enter the RADIUS server secret; for example, B8y077E. The maximum length is 64 characters. The system displays only asterisks.

Step 3   The system prompts you to reenter the RADIUS server secret to verify it.

Verify -> _

At the cursor, reenter the RADIUS server secret. The system displays only asterisks.

Step 4   The system prompts you to enter the UDP port number by which you access the RADIUS server.

> RADIUS Server Port
Quick -> [ 0 ] _

At the cursor, enter the RADIUS port number; for example, 1645. To have the system supply the default port number (1645), press Enter to accept 0 (the default).



To continue quick configuration, skip to the "Configuring the IPSec Group" section or the "Changing the Admin Password" section.

Configuring NT Domain Authentication Server

To configure an external Windows NT Domain user authentication server, follow these steps:


Step 1   You selected the external Windows NT Domain authentication server, and the system prompts you to enter its IP address.

> NT Domain Server Address
Quick -> _

At the cursor, enter the NT Domain server IP address in dotted decimal notation; for example, 192.168.56.78.

Step 2   The system prompts you to enter the NT Primary Domain Controller hostname for this server. You must enter this name, and it must be the correct hostname for the server whose IP address you entered in Step 1; if it is incorrect, authentication will fail.

> Primary Domain Controller
Quick -> _

At the cursor, enter the NT Primary Domain Controller hostname for this server; for example, PDC01. The maximum length is 16 characters.

Step 3   The system prompts you to enter the TCP port number by which you access the NT Domain server.

> NT Domain Server Port
Quick -> [ 0 ]

At the cursor, enter the NT Domain port number; for example, 139. To have the system supply the default port number (139), press Enter to accept 0 (the default).



To continue quick configuration, skip to the "Configuring the IPSec Group" section or the "Changing the Admin Password" section.

Configuring SDI Authentication Server

To configure an external SDI (RSA Security Inc. SecurID) user authentication server, follow these steps:


Step 1   You selected the external SDI authentication server, and the system prompts you to enter its hostname or IP address.

> SDI Server Name
Quick -> _

At the cursor, enter the SDI server hostname or IP address; for example, 192.168.56.78. The maximum length is 32 characters.

Step 2   The system prompts you to enter the UDP port number by which you access the SDI server.

> SDI Server Port
Quick -> [ 0 ] _

At the cursor, enter the SDI port number; for example, 5500. To have the system supply the default port number (5500), press Enter to accept 0 (the default).



To continue quick configuration, proceed to the next section, "Configuring the IPSec Group," or to the "Changing the Admin Password" section.

Configuring Kerberos/Active Directory Authentication Server

To configure an external Kerberos/Active Directory Authentication server, follow these steps:


Step 1   You selected the Kerberos/Active Directory authentication server, and the system prompts you to enter its hostname or IP address.

> Kerberos Server Address/Name
Quick -> _

At the cursor, enter the Kerberos/Active Directory server hostname or IP address; for example, 192.168.56.78.

Step 2   The system prompts you to enter the Kerberos server port number by which you access the server.

> Kerberos Server Port
Quick -> [ 0 ] _

At the cursor, enter the Kerberos server port number. To have the system supply the default port number (88), press Enter to accept 0 (the default).

Step 3   The system prompts you to enter the Timeout period. Enter the number of seconds the VPN Concentrator should wait after sending a query to the server and receiving no response, before trying again. The minimum is 1 second. The default is 4 seconds. The maximum is 30 seconds.

> Timeout
Quick -> [ 4 ] _

Step 4   The system prompts you to enter Retries. Enter the number of times the VPN Concentrator should try sending a query to the server after the timeout period. If there is still no response after this number of retries, the VPN Concentrator considers this server inoperative. The minimum is 0 retries. The default is 2 retries. The maximum is 10 retries.

> Retries
Quick -> [ 2 ] _

Step 5   The system prompts you to enter the realm name for this server, for example: US.ACME.COM. You must enter this name, and it must be the correct realm name for the server for which you entered the IP address previously. If it is incorrect, authentication will fail.

The following types of servers require that you enter the realm name in all uppercase letters: Windows 2000, Windows XP, and Windows .NET. For these types of servers, if the letters are not uppercase, authentication will fail.

> Realm
Quick -> _



To continue quick configuration, proceed to the next section, "Configuring the IPSec Group," or to the "Changing the Admin Password" section.
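The four external server sections share one convention (accepting 0 at the port prompt makes the concentrator substitute the protocol's default port) and each adds its own limits: 32-character server names and a 64-character shared secret for RADIUS, a 16-character primary domain controller name for NT Domain, and for Kerberos a timeout of 1 to 30 seconds, 0 to 10 retries, and an upper-case realm for Windows 2000, Windows XP and Windows .NET servers. The Python below is an added example for this page, not code from the guide or from Cisco, that normalizes those answers before they are entered; the function names and the `server_os` argument are assumptions, and the worst-case wait it reports (timeout times retries plus one) is derived from the timeout and retry descriptions above, which the guide does not state as a formula.

```python
# Port the quick-configuration CLI substitutes when you accept 0 at the
# "Server Port" prompt, per server type as documented in the sections above.
DEFAULT_PORTS = {
    "RADIUS": 1645,
    "NT Domain": 139,
    "SDI": 5500,
    "Kerberos/Active Directory": 88,
}

# Server types whose Kerberos realm must be entered in upper case.
UPPERCASE_REALM_SERVERS = ("Windows 2000", "Windows XP", "Windows .NET")


def effective_port(server_type, entered):
    """Resolve the port the concentrator will actually use for the server."""
    if entered == 0:
        return DEFAULT_PORTS[server_type]
    if not 1 <= entered <= 65535:
        raise ValueError(f"port {entered} is out of range")
    return entered


def validate_radius(server, secret, port=0):
    """RADIUS: server name/address up to 32 characters, secret up to 64."""
    problems = []
    if not server or len(server) > 32:
        problems.append("server name/address must be 1-32 characters")
    if not secret or len(secret) > 64:
        problems.append("shared secret must be 1-64 characters")
    return problems, effective_port("RADIUS", port)


def validate_nt_domain(address, pdc_hostname, port=0):
    """NT Domain: server IP address plus a PDC hostname of up to 16 characters."""
    problems = []
    if not address:
        problems.append("NT Domain server address is required")
    if not pdc_hostname or len(pdc_hostname) > 16:
        problems.append("primary domain controller hostname must be 1-16 characters")
    return problems, effective_port("NT Domain", port)


def validate_sdi(server, port=0):
    """SDI (SecurID): server name/address up to 32 characters."""
    problems = []
    if not server or len(server) > 32:
        problems.append("server name/address must be 1-32 characters")
    return problems, effective_port("SDI", port)


def validate_kerberos(server, realm, port=0, timeout=4, retries=2, server_os=None):
    """Kerberos/Active Directory answers. Returns (problems, effective port,
    worst-case seconds before the server is declared inoperative). The
    worst-case figure assumes every attempt waits the full timeout."""
    problems = []
    if not server:
        problems.append("Kerberos server address/name is required")
    if not 1 <= timeout <= 30:
        problems.append(f"timeout {timeout}s outside 1-30 seconds")
    if not 0 <= retries <= 10:
        problems.append(f"retries {retries} outside 0-10")
    if not realm:
        problems.append("realm is required")
    elif server_os in UPPERCASE_REALM_SERVERS and realm != realm.upper():
        problems.append(f"realm {realm!r} must be upper case for {server_os}")
    worst_case = timeout * (retries + 1)
    return problems, effective_port("Kerberos/Active Directory", port), worst_case


if __name__ == "__main__":
    print(validate_radius("192.168.56.78", "B8y077E"))
    print(validate_kerberos("192.168.56.78", "us.acme.com", server_os="Windows 2000"))
```

With the default timeout of 4 seconds and 2 retries, a Kerberos server that never answers holds up a login for 12 seconds before the concentrator gives up on it; when tuning these values, keep that product below whatever the client's own login timeout is.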

Configuring the IPSec Group

This section appears only if you enable the IPSec tunneling protocol.

The remote-access IPSec client connects to the VPN Concentrator via this group name and password, which are automatically configured on the internal authentication server. This is the IPSec group that creates the tunnel. Users then log in, and are authenticated, by means of their usernames and passwords.

To configure the IPSec group name and password, follow these steps:


Step 1   The system prompts you to enter the IPSec group name.

> IPSec Group Name
Quick -> _

At the cursor, enter a unique name for this group. Maximum is 32 characters, case-sensitive; for example, Group1.

Step 2   The system prompts you to enter the group password.

> IPSec Group Password
Quick -> _

At the cursor, enter a unique password for this group. The minimum is 4, and the maximum is 32 characters, case-sensitive. The system displays only asterisks.

Step 3   The system prompts you to reenter the group password to verify it.

Verify -> _

At the cursor, reenter the group password. The system displays only asterisks.



Changing the Admin Password

You can change the password for the admin administrator user. For ease of use during startup, the default admin password supplied with the VPN Concentrator is also admin. Since the admin user has full access to all management and administration functions on the device, we strongly recommend you change this password to improve device security. You can further configure all administrators with the regular Administration menus.


Step 1   The system prompts you to change the admin password.

-- : We strongly recommend that you change the password ...
> Reset Admin Password
Quick -> [ ***** ] _

At the cursor, enter a new password for admin. Remember that entries are case sensitive. For maximum security, the password should be at least 8 characters long, a mixture of upper- and lower-case alphabetic and numeric characters, and not easily guessed; for example, W8j9Haq3. The system displays only asterisks. To keep the default, press Enter.

Step 2   The system prompts you to re-enter the password to verify it.

Verify -> _

At the cursor, reenter the new password. The system displays only asterisks. To keep the default, press Enter.
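Three credentials entered during quick configuration carry their own rules: internal user passwords are 8 to 32 characters (user names up to 32), the IPSec group password is 4 to 32 characters (group name up to 32), and the admin password should be at least 8 characters mixing upper-case, lower-case and digits and, above all, no longer be the shipped default of admin. The Python below is an added example for this page, not code from the guide or from Cisco, that checks all three before they are typed; the function names and the small weak-password list are constructed for the example.

```python
import string

# The admin password the VPN Concentrator ships with, per the section above.
DEFAULT_ADMIN_PASSWORD = "admin"

# Constructed deny-list for the "not easily guessed" rule; a real deployment
# would use a much larger list. Compared case-insensitively.
WEAK_PASSWORDS = {"admin", "password", "cisco", "vpn3000", "12345678", "changeme"}


def _length_problem(label, value, low, high):
    if not low <= len(value) <= high:
        return f"{label} must be {low}-{high} characters (got {len(value)})"
    return None


def check_internal_user(user_name, password):
    """Rules from "Configuring Internal Authentication Server": user name up
    to 32 characters, password 8-32 characters, both case-sensitive."""
    problems = []
    for p in (_length_problem("user name", user_name, 1, 32),
              _length_problem("user password", password, 8, 32)):
        if p:
            problems.append(p)
    return problems


def check_ipsec_group(group_name, group_password):
    """Rules from "Configuring the IPSec Group": name up to 32 characters,
    password 4-32 characters."""
    problems = []
    for p in (_length_problem("group name", group_name, 1, 32),
              _length_problem("group password", group_password, 4, 32)):
        if p:
            problems.append(p)
    return problems


def check_admin_password(password):
    """Rules from "Changing the Admin Password": reject the shipped default,
    require at least 8 characters mixing upper-case, lower-case and digits,
    and reject obviously guessable values."""
    problems = []
    if password == DEFAULT_ADMIN_PASSWORD:
        problems.append("default admin password is still in use")
    if len(password) < 8:
        problems.append("admin password must be at least 8 characters")
    classes = (any(c in string.ascii_uppercase for c in password),
               any(c in string.ascii_lowercase for c in password),
               any(c in string.digits for c in password))
    if not all(classes):
        problems.append("admin password must mix upper-case, lower-case and digits")
    if password.lower() in WEAK_PASSWORDS:
        problems.append("admin password is on the weak-password list")
    return problems


if __name__ == "__main__":
    print(check_admin_password("admin"))
    print(check_admin_password("W8j9Haq3"))
    print(check_internal_user("simonz", "9se7pt14"))
    print(check_ipsec_group("Group1", "abc"))
```

Pressing Enter at the "Reset Admin Password" prompt keeps the default, so the most useful of these checks is the first one in check_admin_password: a concentrator whose public interface is reachable and whose admin password is still admin is exactly the state this section exists to prevent.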



Completing Quick Configuration

You have finished quick configuration, and your entries constitute the active or running configuration. The VPN Concentrator now has enough information, and it is operational. For example, a configured remote user with a PC and modem can use Microsoft PPTP and a local ISP to connect securely—in a VPN tunnel through the Internet—with resources on a private, internal corporate network.

We strongly recommend that you save the active configuration before you exit. Should you need to restart the VPN Concentrator, it will then boot with your configured parameters.

Saving the Active Configuration

The system displays the final quick configuration menu.

1) Goto Main Configuration Menu
2) Save changes to Config file
3) Exit
Quick -> 2

At the cursor, enter 2 to save the active configuration in the system config file.

Exiting the CLI

You are now ready to exit the CLI.


Step 1   The system redisplays the final quick configuration menu.

1) Goto Main Configuration Menu
2) Save changes to Config file
3) Exit
Quick -> 3

At the cursor, enter 3 to exit the CLI.

Step 2   The system displays:

Done



If you wish to use the CLI for other functions, enter 1 at the cursor in Step 1 above. For information on using the CLI, see the VPN 3000 Concentrator Series User Guide.

What Next?

Now that the VPN Concentrator is operational, you can do the following:


Posted: Thu May 1 22:15:06 PDT 2003
All contents are Copyright © 1992--2002 Cisco Systems, Inc. All rights reserved.