The VPN 3002 works in either of two modes: Client mode or Network Extension mode. To view a brief interactive multimedia piece that explains the differences between the two modes, go to this url:
http://www.cisco.com/mm/techsnap/VPN3002_techsnap.html
Your web browser must be equipped with a current version of the Macromedia Flash Player to view the content. If you are unsure whether your browser has the most recent version, you may want to download and install a free copy from:
http://www.macromedia.com/shockwave/download/index.cgi?P1_Prod_Version=ShockwaveFlash
Policy management on the VPN 3002 includes deciding whether you want the VPN 3002 to use Client Mode or Network Extension mode. This section lets you enable or disable PAT.
The Configuration | Policy Management screen introduces this section of the Manager.
To enable or disable PAT, click Traffic Management.
In Client mode (also called PAT mode), all traffic from the private network appears on the network behind the IKE peer with a single source IP address: the address the central-site VPN Concentrator assigns to the VPN 3002. The IP addresses of the computers on the VPN 3002 private network are hidden. You cannot ping or otherwise reach a device on the VPN 3002 private network from outside that private network, nor directly from a device on the private network at the central site.
In client mode, the tunnel establishes when data passes to the VPN Concentrator, or when you click Connect Now in the Monitoring | System Status screen.
You assign the VPN 3002 to a client group on the central-site VPN Concentrator. If you enable split tunneling for that group, IPSec and PAT are applied to all traffic that travels through the VPN 3002 to networks within the network list for that group behind the central-site VPN Concentrator.
Traffic from the VPN 3002 to any destination other than those within the network list for that group on the central-site VPN Concentrator travels in the clear, without IPSec. For that cleartext traffic, NAT translates the addresses of the devices connected to the VPN 3002 private interface to the IP address configured on the public interface, and keeps track of these mappings so that it can forward replies to the correct device.
The network and addresses on the private side of the VPN 3002 are hidden, and cannot be accessed directly.
For the VPN 3002 to use PAT, these are the requirements for the central-site VPN Concentrator.
1. The VPN Concentrator at the central site must be running Software version 3.x or later.
2. Address assignment must be enabled, by whatever method you choose to assign addresses (for example, DHCP, address pools, per user, or client-specified). If the VPN Concentrator uses address pools for address assignment, make sure to configure the address pools your network requires. See Chapter 6, Address Management, in the VPN 3000 Series Concentrator Reference Volume I.
3. Configure a group to which you assign this VPN 3002. This includes assigning a group name and Password. See Chapter 14, User Management, in the VPN 3000 Series Concentrator Reference Volume I.
4. Configure one or more users for the group, including usernames and passwords.
In Network Extension mode, the central-site VPN Concentrator does not assign an IP address for tunneled traffic (as it does in Client/PAT mode). The tunnel is instead terminated with the IP address configured on the VPN 3002 private interface. To use Network Extension mode, you must configure a private interface IP address other than the default of 192.168.10.1 and disable PAT.
In Network Extension mode, the VPN 3002 automatically attempts to establish a tunnel to the VPN Concentrator. However, if you enable interactive hardware client authentication, the tunnel establishes when you perform the following steps.
Step 1 Click the Connection/Login Status button on the VPN 3002 Hardware Client login screen. The Connection/Login screen displays.
Step 2 Click Connect Now in the Connection/Login screen.
Step 3 Enter the username and password for the VPN 3002.
Alternatively, you can initiate a tunnel by clicking Connect Now in the Monitoring | System Status screen.
You always assign the VPN 3002 to a client group on the central-site VPN Concentrator. If you enable split tunneling for that group, IPSec operates on all traffic that travels through the VPN 3002 to networks within the network list for that group behind the central-site VPN Concentrator. PAT does not apply.
Traffic from the VPN 3002 to any destination other than those within the network list on the central-site VPN Concentrator travels in the clear, without IPSec. For that cleartext traffic, NAT translates the addresses of the devices on the VPN 3002 private network to the address of the VPN 3002 public interface. Thus the network and addresses on the private side of the VPN 3002 are accessible over the tunnel, but are protected from the Internet, that is, they cannot be accessed directly.
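The forwarding and address-translation behaviour described for Client/PAT mode above and for Network Extension mode here can be summarised in a small model. The following Python is an added illustration, not Cisco code or anything the VPN 3002 runs: it encodes the rules the text states (many-to-one PAT to the assigned address for tunneled traffic in Client mode, private addresses preserved in Network Extension mode, cleartext traffic NATed to the public interface address when split tunneling sends it outside the network list, and private hosts unreachable from the central site in PAT mode). All addresses are constructed sample values.

```python
"""Model of VPN 3002 forwarding under Client (PAT) and Network Extension modes.

Added illustration only; not Cisco code. Addresses below are constructed samples.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Flow = Tuple[str, int]  # (IP address, port)
DEFAULT_PRIVATE_ADDR = ipaddress.ip_address("192.168.10.1")


@dataclass
class Vpn3002:
    mode: str                               # "pat" (Client mode) or "nem" (Network Extension)
    private_iface: str                      # e.g. "192.168.50.1/24", the private interface
    public_addr: str                        # address configured on the public interface
    assigned_addr: Optional[str]            # address the concentrator assigns (PAT mode only)
    split_tunnel: bool
    network_list: List[str]                 # group's network list behind the concentrator
    # translation table: (translated ip, translated port) -> (private ip, private port)
    _xlate: Dict[Flow, Flow] = field(default_factory=dict, init=False)
    _next_port: int = field(default=10000, init=False)  # hypothetical port allocator

    def __post_init__(self) -> None:
        if self.mode not in ("pat", "nem"):
            raise ValueError("mode must be 'pat' or 'nem'")
        iface = ipaddress.ip_interface(self.private_iface)
        if self.mode == "pat" and not self.assigned_addr:
            raise ValueError("PAT mode needs an address assigned by the concentrator")
        if self.mode == "nem" and iface.ip == DEFAULT_PRIVATE_ADDR:
            raise ValueError("Network Extension mode requires a non-default private address")
        self._private_net = iface.network
        self._nets = [ipaddress.ip_network(n) for n in self.network_list]

    def _tunneled(self, dst_ip: str) -> bool:
        # Without split tunneling everything goes through the tunnel.
        if not self.split_tunnel:
            return True
        return any(ipaddress.ip_address(dst_ip) in n for n in self._nets)

    def _translate(self, src: Flow, via: str) -> Flow:
        # Many-to-one: record the mapping so replies can be forwarded back.
        port = self._next_port
        self._next_port += 1
        self._xlate[(via, port)] = src
        return (via, port)

    def outbound(self, src: Flow, dst: Flow) -> dict:
        """Decide how a packet from a private host leaves the VPN 3002."""
        if ipaddress.ip_address(src[0]) not in self._private_net:
            raise ValueError("source is not on the private network")
        if self._tunneled(dst[0]):
            if self.mode == "pat":
                return {"path": "tunnel", "src": self._translate(src, self.assigned_addr)}
            return {"path": "tunnel", "src": src}  # NEM keeps the private address
        # Split tunneling, destination outside the network list: clear, NAT to public address.
        return {"path": "clear", "src": self._translate(src, self.public_addr)}

    def inbound_reply(self, dst: Flow) -> Optional[Flow]:
        """Reply to a translated flow: the stored mapping gives the private host."""
        return self._xlate.get(dst)

    def central_site_can_reach(self, dst_ip: str, tunnel_up: bool) -> bool:
        """Can a central-site host open a new connection to a private host?

        Only in Network Extension mode; with split tunneling the tunnel may be
        down, and only the VPN 3002 side brings it up (Table 11-1).
        """
        if self.mode != "nem" or ipaddress.ip_address(dst_ip) not in self._private_net:
            return False
        return tunnel_up or not self.split_tunnel
```

The two constructor checks mirror the configuration rules on this page: an assigned address is meaningful only in Client mode, and Network Extension mode is refused while the private interface still has the default address.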
For the VPN 3002 to use Network Extension mode, these are the requirements for the central-site VPN Concentrator.
1. The VPN Concentrator at the central site must be running Software version 3.0 or later.
2. Configure a group to which you assign this VPN 3002. This includes assigning a group name and password. See Chapter 14, User Management, in the VPN 3000 Series Concentrator Reference Volume I.
3. Configure one or more users for the group, including usernames and passwords.
4. Configure either a default gateway or a static route to the VPN 3002 private network. See Chapter 8, "IP Routing" in the VPN 3000 Series Concentrator Reference Volume I.
5. If you want the VPN 3002 to be able to reach devices on other networks that connect to this VPN Concentrator, review your Network Lists. See Chapter 15, "Policy Management" in the VPN 3000 Series Concentrator Reference Volume I.
6. Enable Network Extension Mode. See the section that follows for details.
A network administrator can now restrict the use of network extension mode. VPN 3002 hardware clients can use network extension mode only if, on the VPN Concentrator, you enable network extension mode on a group basis for VPN 3002 hardware clients.
Note If you disallow network extension mode, which is the default setting on the VPN Concentrator, the VPN 3002 can connect to that VPN Concentrator in PAT mode only. In this case, make sure that all VPN 3002s in the group are configured for PAT mode. If a VPN 3002 is configured to use network extension mode and the VPN Concentrator to which it connects disallows network extension mode, the VPN 3002 attempts to connect every 4 seconds and every attempt is rejected; the effect on the VPN Concentrator is the same as a denial-of-service attack.
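The retry loop described in this note looks, from the central site, like a single peer being rejected at a fixed short interval. The following Python is an added example of spotting that pattern in concentrator logs; it is not Cisco code and the log format is a constructed, hypothetical syslog-style record (timestamp, peer=, event=, reason=). Real VPN 3000 Concentrator event text differs and would need to be mapped onto these fields.

```python
"""Flag peers whose tunnel attempts are rejected in an unbroken, rapid run.

Added example, not Cisco code. Log format and field names are hypothetical;
the sample lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, Iterator, List, Tuple

# Hypothetical record layout: "<ISO timestamp> peer=<ip> event=<name> [extra fields]"
LINE_RE = re.compile(r"^(?P<ts>\S+) peer=(?P<peer>\S+) event=(?P<event>\S+)")

# Constructed sample: 203.0.113.5 is a VPN 3002 set to network extension mode
# against a group that disallows it (rejected every 4 s); 203.0.113.9 is healthy.
SAMPLE_LOG = """\
2002-10-29T11:40:00 peer=203.0.113.5 event=tunnel_rejected reason=nem_disallowed
2002-10-29T11:40:01 peer=203.0.113.9 event=tunnel_established mode=pat
2002-10-29T11:40:04 peer=203.0.113.5 event=tunnel_rejected reason=nem_disallowed
2002-10-29T11:40:08 peer=203.0.113.5 event=tunnel_rejected reason=nem_disallowed
2002-10-29T11:40:12 peer=203.0.113.5 event=tunnel_rejected reason=nem_disallowed
2002-10-29T11:40:16 peer=203.0.113.5 event=tunnel_rejected reason=nem_disallowed
2002-10-29T11:45:00 peer=203.0.113.9 event=tunnel_rejected reason=bad_password
"""


def parse(lines: Iterable[str]) -> Iterator[Tuple[datetime, str, str]]:
    """Yield (timestamp, peer, event) for every line that matches the layout."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["peer"], m["event"]


def find_retry_storms(lines: Iterable[str], min_rejects: int = 5,
                      max_gap: timedelta = timedelta(seconds=10)) -> Dict[str, Tuple[int, float]]:
    """Return {peer: (rejections in longest run, mean seconds between them)}.

    A run is a sequence of rejections for one peer with no gap longer than
    max_gap; only peers whose longest run reaches min_rejects are reported.
    A single rejection (a mistyped password) never trips the rule.
    """
    rejects: Dict[str, List[datetime]] = defaultdict(list)
    for ts, peer, event in parse(lines):
        if event == "tunnel_rejected":
            rejects[peer].append(ts)

    storms: Dict[str, Tuple[int, float]] = {}
    for peer, stamps in rejects.items():
        stamps.sort()
        best: List[datetime] = []
        run = [stamps[0]]
        for prev, cur in zip(stamps, stamps[1:]):
            if cur - prev <= max_gap:
                run.append(cur)
            else:
                best = max(best, run, key=len)
                run = [cur]
        best = max(best, run, key=len)
        if len(best) >= min_rejects:
            gaps = [(b - a).total_seconds() for a, b in zip(best, best[1:])]
            storms[peer] = (len(best), sum(gaps) / len(gaps))
    return storms


if __name__ == "__main__":
    for peer, (count, interval) in find_retry_storms(SAMPLE_LOG.splitlines()).items():
        print(f"{peer}: {count} rejections, about every {interval:.0f} s; check its PAT/NEM setting")
```

Once a peer is flagged, the fix is on the VPN 3002 side (enable PAT) or on the VPN Concentrator side (allow network extension mode for the group), not on the rejection itself.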
In PAT mode, the tunnel establishes when data passes to the VPN Concentrator, or when you click Connect Now in the Monitoring | System Status screen.
In Network Extension mode, the VPN 3002 automatically attempts to establish a tunnel to the VPN Concentrator.
In either Client or Network Extension mode, when you enable interactive hardware client authentication, the tunnel establishes when you perform the following steps.
Step 1 In the VPN 3002 Hardware Client login screen, click the Connection/Login Status button. The Connection/Login screen displays.
Step 2 Click Connect Now.
Step 3 Enter the username and password for the VPN 3002.
See the section, "Logging in With Interactive Hardware Client and Individual User Authentication" in Chapter 1 for detailed instructions.
Alternatively, you can click Connect Now in the Monitoring | System Status screen, after which the system prompts you to enter the username and password for the VPN 3002. See the section, "Monitoring | System Status" in the Monitoring chapter.
After the tunnel is established between the VPN 3002 and the central-site VPN Concentrator, the VPN Concentrator can initiate data exchange only in Network Extension mode with all traffic travelling through the tunnel. If you want the tunnel to remain up indefinitely, configure the VPN 3002 for Network Extension mode and do not use split tunneling.
Table 11-1 summarizes instances in which the VPN 3002 and the central-site VPN Concentrator can initiate data exchange.
Mode | Tunneling Policy | VPN 3002 Can Send Data First | Central-Site VPN Concentrator Can Send Data First (after VPN 3002 initiates the tunnel)
---|---|---|---
PAT | All traffic tunneled | Yes | No
PAT | Split tunneling enabled | Yes | No
Network Extension | All traffic tunneled | Yes | Yes
Network Extension | Split tunneling enabled | Yes | No
After you click Traffic Management on the Configuration | Policy Management screen, the Manager displays the Configuration | Policy Management | Traffic Management screen.
To configure PAT (Port Address Translation) click PAT.
The Configuration | Policy Management | Traffic Management | PAT screen displays.
PAT mode provides many-to-one translation; that is, it translates many private network addresses to the single address configured on the public network interface.
To enable PAT, click Enable.
This screen lets you enable or disable PAT, which applies PAT to all configured traffic flowing from the private interface to the public interface.
Check the box to enable Client Mode (PAT), or clear it to enable Network Extension Mode.
Note Remember that to use Network Extension Mode, you must configure an IP address other than the default for the private interface. If you do not change the IP address of the private interface, you cannot disable PAT.
To enable or disable PAT, and include your setting in the active configuration, click Apply. The Manager returns to the Configuration | Policy Management | Traffic Management | PAT screen.
To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
To discard your entry and leave the active configuration unchanged, click Cancel. The Manager returns to the Configuration | Policy Management | Traffic Management | PAT screen.
Posted: Tue Oct 29 11:43:36 PST 2002
All contents are Copyright © 1992--2002 Cisco Systems, Inc. All rights reserved.