Notice

Copyright Notice

Copyright 2002-present by Aprisma Management Technologies, Inc. All rights reserved worldwide. Use, duplication, or disclosure by the United States government is subject to the restrictions set forth in DFARS 252.227-7013(c)(1)(ii) and FAR 52.227-19.

Liability Disclaimer

Aprisma Management Technologies, Inc. ("Aprisma") reserves the right to make changes in specifications and other information contained in this document without prior notice. In all cases, the reader should contact Aprisma to inquire if any changes have been made. The hardware, firmware, or software described in this manual is subject to change without notice.

IN NO EVENT SHALL APRISMA, ITS EMPLOYEES, OFFICERS, DIRECTORS, AGENTS, OR AFFILIATES BE LIABLE FOR ANY INCIDENTAL, INDIRECT, SPECIAL, OR CONSEQUENTIAL DAMAGES WHATSOEVER (INCLUDING BUT NOT LIMITED TO LOST PROFITS) ARISING OUT OF OR RELATED TO THIS MANUAL OR THE INFORMATION CONTAINED IN IT, EVEN IF APRISMA HAS BEEN ADVISED OF, HAS KNOWN, OR SHOULD HAVE KNOWN, THE POSSIBILITY OF SUCH DAMAGES.

Trademark, Service Mark, and Logo Information

SPECTRUM, IMT, and the SPECTRUM IMT/VNM logo are registered trademarks of Aprisma Management Technologies, Inc., or its affiliates. APRISMA, APRISMA MANAGEMENT TECHNOLOGIES, the APRISMA MANAGEMENT TECHNOLOGIES logo, MANAGE WHAT MATTERS, DCM, VNM, SpectroGRAPH, SpectroSERVER, Inductive Modeling Technology, Device Communications Manager, SPECTRUM Security Manager, and Virtual Network Machine are unregistered trademarks of Aprisma Management Technologies, Inc., or its affiliates. For a complete list of Aprisma trademarks, service marks, and trade names, go to: http://www.aprisma.com/manuals/trademark-list.htm

All referenced trademarks, service marks, and trade names identified in this document, whether registered or unregistered, are the intellectual property of their respective owners. No rights are granted by Aprisma Management Technologies, Inc., to use such marks, whether by implication, estoppel, or otherwise. If you have comments or concerns about trademark or copyright references, please send an e-mail to spectrum-docs@aprisma.com; we will do our best to help.

Restricted Rights Notice

(Applicable to licenses to the United States government only.)

This software and/or user documentation is/are provided with RESTRICTED AND LIMITED RIGHTS. Use, duplication, or disclosure by the government is subject to restrictions as set forth in FAR 52.227-14 (June 1987) Alternate III(g)(3) (June 1987), FAR 52.227-19 (June 1987), or DFARS 52.227-7013(c)(1)(ii) (June 1988), and/or in similar or successor clauses in the FAR or DFARS, or in the DOD or NASA FAR Supplement, as applicable. Contractor/manufacturer is Aprisma Management Technologies, Inc. In the event the government seeks to obtain the software pursuant to standard commercial practice, this software agreement, instead of the noted regulatory clauses, shall control the terms of the government's license.

Virus Disclaimer

Aprisma makes no representations or warranties to the effect that the licensed software is virus-free. Aprisma has tested its software with current virus-checking technologies. However, because no antivirus system is 100-percent effective, we strongly recommend that you write protect the licensed software and verify (with an antivirus system with which you have confidence) that the licensed software, prior to installation, is virus-free.

Contact Information

Aprisma Management Technologies, Inc., 273 Corporate Drive, Portsmouth, NH 03801 USA
Phone: 603.334.2100
U.S. toll-free: 877.468.1448
Web site: http://www.aprisma.com
Contents

Notice
Preface
    Intended Audience
    How to Use This Guide
    Text Conventions
    Document Feedback
    Online Documents
    Required Reading
Overview
    Device Support
        Model Types
    Firmware Information
    Application Support
Alarms and Events
    Trap Support
Hardware Status
    CPU/Memory
    Power Supply
    Board/Chassis
    Fan Modules
    Scalable Encryption Processor
        SEP Information
VPN Status
    Cisco IPSec
    Cisco IPSec Extensions
    Point-to-Point Tunnel Protocol
    Layer 2 Tunnel Protocol
    Session Information
        Global Statistics
        Active Sessions
        Session Sub-Entry
        Hardware Client User
    Admin Authentication Server
    RADIUS Authentication
    RADIUS Accounting
Web Administration
Index
Preface

Welcome to the user guide for SPECTRUM's Cisco 3000 VPN (SM-CIS1017) management module. Please take a moment to read through this short preface, which explains how the information in this guide is organized and presented and lets you know how to access information about other SPECTRUM products.

In this section:
- Intended Audience
- How to Use This Guide
- Text Conventions
- Document Feedback
- Online Documents
- Required Reading

Intended Audience

This guide is intended for users of SPECTRUM's (SM-CIS1017) management module.

How to Use This Guide

Use this document as a guide for managing the Cisco devices described under Device Support with SPECTRUM management module SM-CIS1017. The guide is organized as follows:
- Overview
- Alarms and Events
- Hardware Status
- VPN Status

Only information specific to SM-CIS1017 is included in this guide. For general information about device management using SPECTRUM and explanations of SPECTRUM functionality and navigation techniques, refer to the topics listed under Required Reading.

Text Conventions

The following text conventions are used in this document:

Element | Convention Used | Example
User-supplied parameter names | Courier and Italic in angle brackets <>. | The user needs to type the password in place of <password>.
On-screen text | Courier | The following line displays: path= /audit
User-typed text | Courier | Type the following path name: C:\ABC\lib\db
Cross-references | Underlined and hypertext-blue | See Document Feedback [Page 6].
References to SPECTRUM documents (title and number) | Italic | SPECTRUM Installation Guide (0675)
Functionality enabled by SPECTRUM Alarm Notification Manager (SANM) | SANM in brackets []. | [SANM] AGE_FIELD_ID

Document Feedback

Please send feedback regarding SPECTRUM documents to the following e-mail address: spectrum-docs@aprisma.com

Thank you for helping us improve our documentation.

Online Documents

SPECTRUM documents are available online at: http://www.aprisma.com/manuals

Check this site for the latest updates and additions.
Required Reading

To use this documentation effectively, you must be familiar with the information covered by the SPECTRUM documents listed below.
- Getting Started with SPECTRUM for Operators (1763)
- Getting Started with SPECTRUM for Administrators (0985)
- How to Manage Your Network with SPECTRUM (1909)
- SPECTRUM Views (2517)
- SPECTRUM Menus (2519)
- SPECTRUM Icons (2518)
- Application View and MIBs (2560)
- SPECTRUM Software Release Notice (0743)
Overview

This section introduces the SPECTRUM documentation for the VPN 3000 series of devices manufactured by Cisco.

In this section:
- Device Support
- Firmware Information
- Application Support

Device Support

SPECTRUM management module SM-CIS1017 currently provides modeling for the following devices.

Cisco VPN Client 3002

The Cisco VPN Client 3002 is used to establish secure, end-to-end encrypted tunnels to concentrators. Access policies are created and stored on the 3002 and are given to the concentrator when a connection is established.

Cisco VPN 3005

The Cisco VPN 3005 Concentrator is designed for small to medium sized businesses. The two 10/100 ports provide up to full-duplex T1/E1 (4Mbps max) bandwidth for up to 100 simultaneous sessions. Encryption is done through software. The 3005 cannot be upgraded.

Cisco VPN 3015

The Cisco VPN 3015 is designed for small to medium sized businesses. The three 10/100 ports provide T1/E1 (4Mbps max) bandwidth for up to 100 simultaneous sessions. Encryption is performed through software. The 3015 can be field upgraded to a Cisco VPN 3030 or Cisco VPN 3060.

Cisco VPN 3030

The Cisco VPN 3030 Concentrator is designed for medium to large sized businesses. The three 10/100 ports provide T1/E1 through T3/E3 (50Mbps max) bandwidth for up to 1500 simultaneous sessions. Encryption is done through hardware by the single Scalable Encryption Processor (SEP) module. The 3030 is field-upgradeable to the Cisco VPN 3060.

Cisco VPN 3060

The Cisco VPN 3060 is designed for large businesses. The three 10/100 ports provide fractional T3 through full T3/E3 or more (100Mbps max) bandwidth for up to 5000 simultaneous sessions. Two onboard Scalable Encryption Processor (SEP) modules handle encryption duties.

Cisco VPN 3080

The Cisco VPN 3080 is designed for large businesses. The 3080 will support up to 10000 simultaneous sessions. The 4 onboard Scalable Encryption Processor (SEP) modules handle encryption duties.

Model Types

The model type for models of Cisco VPN 3000 series devices is Cisco3xxxVPN.

Firmware Information

This management module was tested against firmware version 3.5.

Application Support

This management module supports the CiscIPSecApp and CiscIPSecExtApp applications. See the Cisco Applications (5127) document for information.
Alarms and Events

This section describes any device-specific alarms supported by the Cisco VPN 3000 (SM-CIS1017) management module.

Trap Support

The following standard traps are supported for the Cisco VPN 3000.

Trap Name | OID
coldstart | 0.0
warmstart | 1.0
linkdown | 2.0
linkup | 3.0
authenticationfailure | 4.0
egpneighborloss | 5.0

The Cisco VPN 3000 management module does not currently provide device-specific alarms in addition to the built-in alarm support provided by SPECTRUM.

Note: Additional trap support is provided by the CiscIPSecApp and CiscIPSecExtApp applications. See the Cisco Applications (5127) document for more information.
Hardware Status

Hardware Status views are accessible from the icon subviews menu of the Cisco VPN 3000 device icon by choosing Hardware Status -> and one of the following subviews:
- CPU/Memory
- Power Supply
- Board/Chassis
- Fan Modules
- Scalable Encryption Processor

CPU/Memory

This view provides Voltage, RAM Size, Temperature and Utilization information.

Power Supply

This view provides Type and Voltage information for Power Supply 1 and 2.

Board/Chassis

This view provides Slot, Voltage, Chassis Type and Temperature information for the chassis.

Fan Modules

This view provides RPM information for Fan1, Fan2 and Fan3.
Scalable Encryption Processor

Cisco Scalable Encryption Processor (SEP) modules provide hardware-based encryption. This view provides a list of SEP modules installed in the device. Double-clicking an entry in the table opens an SEP Information view for that entry.

SEP Information

This view contains the same information as the Scalable Encryption Processor view, but for a single entry. Row Status can be set in this view.
VPN Status

VPN Status views are accessible from the icon subviews menu of the Cisco VPN 3000 device icon by choosing VPN Status -> and one of the following subviews:
- Cisco IPSec
- Cisco IPSec Extensions
- Point-to-Point Tunnel Protocol
- Layer 2 Tunnel Protocol
- Session Information
- Admin Authentication Server
- RADIUS Authentication
- RADIUS Accounting
- Web Administration

Cisco IPSec

This view provides access to CiscIPSecApp views.

Note: The CiscIPSecApp application is described in the Cisco Applications (5127) document.

Cisco IPSec Extensions

This view provides access to CiscIPSecExtApp views.

Note: The CiscIPSecExtApp application is described in the Cisco Applications (5127) document.

Point-to-Point Tunnel Protocol

This view (PPTP Tunnel Information) provides information from the Point-to-Point Tunnel Protocol (PPTP) tunnel status and statistics table.
Layer 2 Tunnel Protocol

This view (L2TP Tunnel Information) provides information from the Layer 2 Tunnel Protocol (L2TP) tunnel status and statistics table.

Session Information

This view provides button access to the following subviews:
- Global Statistics
- Active Sessions
- Session Sub-Entry
- Hardware Client User

Global Statistics

The Global Session Statistics view provides global session information.

Active Sessions

The Active Session Information view provides a list of active sessions. Double-clicking an entry in this table opens an Active Session Information view for that entry. Row Status can be set in this view.

Session Sub-Entry

This view provides session sub-entry information. Double-clicking an entry in this table opens a Session Sub-Entry view for that entry. Row Status can be set in this view.

Hardware Client User

This view provides hardware client user information. Double-clicking an entry in this table opens a Hardware Client User view for that entry. Row Status can be set in this view.

Admin Authentication Server

The Administrator Authentication Server Information view provides a table listing the Terminal Access Controller Access Control System (TACACS) authentication servers with which the client shares a secret.
RADIUS Authentication

The RADIUS Authentication Information view provides Invalid Server Addresses and Client Identifier fields as well as a Server Table. The Server Table contains a listing of the RADIUS authentication servers with which the client shares a secret.

Note: Cisco VPN 3000 devices support draft versions of RFC2618 and RFC2620 (RADIUS Authentication and RADIUS Accounting).

RADIUS Accounting

The RADIUS Accounting Information view provides Invalid Server Addresses and Client Identifier fields as well as a Server Table. The Server Table contains a listing of the RADIUS accounting servers with which the client shares a secret.

Note: Cisco VPN 3000 devices support draft versions of RFC2618 and RFC2620 (RADIUS Authentication and RADIUS Accounting).
Web Administration

The Cisco web-based administration application can be launched from the Cisco VPN 3000 device model. To launch the Cisco VPN Concentrator Manager (the HTML management interface) for the Cisco 3000 series device, right-click on the device icon of the device model in the Topology view and choose Web Administration.

Note: By default, the Web Admin URL is http://<0x1027f> (the Network_Address attribute). You can use the Global Attribute Editor in Search Manager to change this. See the Global Attribute Editor section of the Search Manager User Guide (2383) for more information.