|
|
To access this dialog box, select WAN/Physical Configuration from the Device View.
This set of radio buttons determines whether this interface will use the asynchronous or synchronous mode of communication.
Interfaces set for asynchronous operation do not use parity, and use one stop bit.
Some high-speed WAN interfaces (i.e. V.35) may only support synchronous communications. This set of radio buttons will not appear in the Manager's Physical Configuration: WAN Dialog Box for these interfaces.
This parameter determines whether the interface will source a clock signal or expect to receive an external clock.
In addition to this setting, some WAN interfaces require internal hardware jumpers to be changed in order to source a clock signal. Check the Installation Reference Guide for the device.
This pull-down menu determines the speed of the port's internal clock. In Async operation, this value must match the baud rate of the external communications device. In Sync operation this value is ignored unless Tx Clock Internal is checked, in which case it determines the speed of the clock which is sourced.
This setting determines the type of flow control used on interfaces set for Async operation.
You may also need to configure your communications device (through switch settings or internal registers) to run with software flow control. Software flow control is not recommended at speeds above 9600 Baud.
To access this dialog box, select WAN/Physical Configuration from the Device View.
Since many of the settings for a T1 line are dependent upon the service provided by your ISP or telco, you may need to contact them to find out the appropriate specifications. Unless otherwise noted, both ends of a T1 WAN connection should have the same physical configuration settings.
This set of radio buttons determines whether this interface will source clock onto the T1 line (dry line operation) or accept clock from an external source on a T1 line.
Units connected to telco lines should always be set for slave mode. Units driving a dry line should have one end set to master and the other set to slave.
This parameter determines the type of T1 framing to be used on the interface. Both ends of a WAN connection must be configured with the same framing format
This parameter determines the type of T1 encoding to be used on the
interface.
This checkbox enables fractional T1 operation, where the device's built-in CSU/DSU will not use all of the T1 channels in the T1 data stream.
This pair of edit boxes determines which T1 channel the internal CSU/DSU will use as the beginning of its T1 fraction, and how many channels it will occupy.
This set of radio buttons determine whether the T1 fraction will occupy every channel starting with the requested channel, or every other channel. If more than 12 channels will be used, the Contiguous Channels radio button must be selected.
These two radio buttons determine whether the internal CSU/DSU will use 64Kbps channels or 56Kbps channels. The default is 64Kbps.
This checkbox instructs the CSU/DSU to invert the data it transmits and to expect to receive inverted data on the line. This is sometimes done to insure ones density on the line. The default setting is unchecked.
This checkbox enables sending and receiving of Performance Report Messages (PRM) on the Facility Data Link (FDL). This is only possible when ESF framing has been selected. The default is enabled.
This pulldown sets the expected signal range for the CSU/DSU's receiver. 0db is the default and will be satisfactory in virtually all telco applications. Other settings may be necessary for dry line applications.
This checkbox instructs the CSU/DSU to respond to V.54 style loopup commands received over the line. The default setting is on.
This checkbox instructs the CSU/DSU to respond to ATT 64211 style loopup commands received over the line. The default setting is on.
To access this dialog box, select WAN/Physical Configuration from the Device View.
This parameter determines whether the interface will source a clock signal or expect to receive an external clock.
This pull-down menu determines the speed of the port's internal clock when Tx Clock Internal is checked.
To access this dialog box, select WAN/Physical Configuration from the Device View.
These radio buttons set whether the DSU will use its own internal clock or obtain the clock from the network to use for the DSU's DS3 transmit signal towards the network.
These radio buttons should be set based on the distance between the device and the DS3 terminal located in your building.
These radio buttons control whether the DSU will use a 16-bit or 32-bit frame check sequence. Both ends of a DS3 connection must use the same CRC (Cyclical Redundancy Check) setting. The default is 16 bit.
This checkbox determines whether data will be inverted. Data inversion can be used to meet pulse density requirements. Always leave this unchecked unless otherwise instructed by your ISP.
This pull-down menu allows you to select the data rate for the CSU/DSU. This can be used to set the throughput to match the bandwidth provided by your NSP (Network Service Provider). The values are specified in megabits per second, using an underscore ( _ ) as the decimal point (e.g., 3_158 is 3.158 Mbps). Both ends of the DS3 connection must have the same rate specified. Unless the remote end is a Larscom CSU/DSU (or equivalent) or another Cisco VPN 5000 series DS3 interface, the default setting of 44_210 must be used.
To access this dialog box, select Global/System Configuration from the Device View.
This is the name which is used to advertise this device on both AppleTalk and IPX networks. Thus, it is the name the VPN 5000 Manager displays in the Open - Device screen (accessed from the File menu).
This is the main password used to access the device from the Manager and from the command line (either Telnet or auxiliary port operation). This login level will allow a user to display tables and statistics, but does not permit a user to view or make any changes to the configuration.
This box is used to confirm the entered Password.
This password will enable supervisor mode for viewing or making changes to a device's configuration. If no Enable Password is created, then the Password will be used.
This box is used to confirm the entered Enable Password.
The information in this dialog box is returned by the device in response to SNMP (Simple Network Management Protocol) queries from SNMP consoles for the SNMP MIB-II System Group, as specified in RFC 1213. Each of the entries may be up to 255 characters.
This is the name of the contact person for this device, together with information on how to contact the administrator.
This is the administratively assigned name for this device. By convention, this is the fully qualified domain name for the device.
This is the physical location of the device (e.g. telephone closet, 3rd floor).
To access this dialog box, select Global/System Configuration from the Device View, and then select the ADVANCED button.
This dialog box displays Community Strings and Traps, but is not used to add or modify the entries.
To add or modify entries, you must access the Community Strings and/or Traps Dialog Boxes by selecting the Add... or Modify... buttons in the Advanced SNMP Configuration Dialog Box.
This checkbox controls whether Advanced SNMP management of the device can be done.
This checkbox controls whether SNMP Sets can be done to the device.
This setting controls whether SNMP Traps will be done by the device when trap conditions are encountered.
This device supports the following SNMP Traps (as outlined in RFC 1157):
This dialog box is used to add or modify entries in the Advanced SNMP Dialog box.
This is the string associated with the administrator(s) who have access to the SNMP console. It is included in every message and is used, along with the IP address(es) configured below, for access authentication.
This set of radio buttons controls the type of access the administrator(s) within the Community String will have to this device.
This is the IP address, or addresses, of the SNMP console. The address is used, along with the Community String, for access authentication. Up to four IP addresses may be entered.
They should be entered in standard IP dotted-decimal notation (e.g. 198.41.9.1). An address with all zeros (0.0.0.0) can be used as a wildcard to allow the Community String access from any console.
This is the IP address of the SNMP console to which the device will transmit a Trap message whenever one is generated.
It should be entered in standard IP dotted-decimal notation (e.g. 198.41.9.1).
This is the Community String on the SNMP console to which the Trap message will be sent.
To access this dialog box, select Global/Domain Name Server from the device view.
DNS allows the device to report DNS names instead of raw IP addresses when using the Traceroute command, and also allows the Ping command to be optionally issued with a DNS name.
The Traceroute and Ping commands themselves are not supported from the VPN 5000 Manager. To access these commands, use the command line interface via Telnet or the Console port.
This is the IP address of the DNS server which should be queried first for the identity of a name or an IP address.
This address should be entered directly into the edit box as four decimal numbers separated by periods - for example 198.238.9.1
These are the IP addresses of other DNS servers which should be queried for the identity of a name or an IP address.
Use the Move Up and Move Down buttons to manipulate the addresses in this list.
To add or modify this list, click on the appropriate button to access the Add TCP/IP DNS Server Dialog Box.
Enter the IP address of other DNS servers which should be queried for the identity of a name or an IP address.
To access this dialog box, select Global/Time Server Configuration from the Device View.
This dialog box is used to enable the setting of the device's internal clock from a network time server. The device's time server will connect to most UNIX systems running "inetd" using either the time server port (UDP 37) or NTP port (UDP 123). Automatic daylight savings adjustment is not supported.
This pulldown identifies the type of time server protocol to use. In most cases, the time server being used will dictate the protocol type. UNIX servers generally use Timed. Windows servers generally use SNTP (Simple Network Time Protocol). The default is Timed.
This field is used to specify the IP address of the primary time server. It is recommended that you use a time server which is local to your network.
This field is used to specify the IP address of the backup time server. All time requests go to the primary server first. If there is no response the backup will be used. This address is optional.
Most time servers return GMT. You can use this option to set the device to local time. Accepted values range from -720 to 720 minutes.
RADIUS (Remote Authentication Dial In User Service) can be used for remote access authentication using PAP or CHAP and for remote access accounting. The device acts as a client and exchanges packets with a RADIUS server running on an external host computer.
The device can be configured with a primary and a secondary server. If the device is unable to reach the primary server, it will attempt to use the secondary server if one has been configured.
To access this dialog box, select Global/RADIUS from the Device View.
RADIUS servers are available in the public domain, and can also be purchased from a variety of commercial suppliers.
This pulldown allows the selection of an interface on the device. The interface selected will act as the local end point for the tunnels defined by this configuration.
This setting determines whether the device will attempt to exchange user accounting information with a RADIUS server.
This edit box allows you to set the UDP port on the RADIUS server(s) on which accounting information will be exchanged. The default is 1646.
This value sets the attribute number for the reporting of the actual IP address of a VPN 5000 concentrator user. This attribute number must also be set up in the RADIUS server's dictionary file. If this number has been set both here and in the RADIUS server's dictionary file, then the actual IP address of a user will be reported by the VPN Client software and will be recorded by the RADIUS server. The value may range between 64 and 191. The default is 66.
This value sets the attribute number for the reporting of the IP address which the concentrator assigns to a concentrator user. This attribute number must also be set up in the RADIUS server's dictionary file. If this number has been set both here and in the RADIUS server's dictionary file, then the assigned IP address will be reported by the VPN Client software and will be recorded by the RADIUS server. The value may range between 64 and 191. The default is 67.
This setting determines whether the device will exchange user authentication information with a RADIUS server.
This edit box allows you to set the UDP port on the RADIUS server(s) on which authentication information will be exchanged. The default is 1645.
This value sets the attribute number for the VPN tunnel secret. The tunnel secret is a shared secret between the VPN Client and the RADIUS server which is used for authentication of tunnel connections. This attribute number must also be set up in the RADIUS server's dictionary file. The value may range between 64 and 191. The default is 69.
This value sets the attribute number for the VPN group configuration. The group configuration defines tunneling profiles for a group of one or more VPN Client users. This attribute number must also be set up in the RADIUS server's dictionary file. The value may range between 64 and 191. The default is 77.
This pulldown menu sets the authentication protocol to be used for validation of remote VPN Client users to the RADIUS server.
This is the secret used to authenticate and encrypt packets before they are passed on to the RADIUS server. The PAP authentication secret can be a string from 1 to 255 ASCII characters in length.
The device will attempt to contact this RADIUS server first when it needs to exchange RADIUS information. The address should be entered in dotted-decimal notation (e.g. 198.238.41.7).
The device will try to resend a packet if the primary RADIUS server doesn't acknowledge it within a timeout period. The timeout period for packets 1 through 10 is (in seconds): 1, 1, 2, 2, 3, 3, 4, 4, 5, 5.
If the retry limit is reached and a secondary server is configured, the device will attempt to communicate with the secondary server.
Possible values range between 1 and 10 with a default of 5.
Some RADIUS servers calculate packet validation checksums using both the secret value and the packet data. Earlier RADIUS servers typically do not. Check the documentation for your RADIUS server to determine whether this parameter should be set.
The device may be configured to use a secondary server if the primary server cannot be contacted.
The device will attempt to contact this RADIUS server if the primary server does not respond after the configured number of primary server retries. The address should be entered in dotted-decimal notation (i.e. 198.238.41.7).
The device will try to resend a packet if the secondary RADIUS server doesn't acknowledge it within a timeout period. The timeout period for packets 1 through 10 is (in seconds): 1, 1, 2, 2, 3, 3, 4, 4, 5, 5.
Possible values range between 1 and 10 with a default of 5.
Some RADIUS servers calculate packet validation checksums using both the secret value and the packet data. Earlier RADIUS servers typically do not. Check the documentation for your RADIUS server to determine whether this parameter should be set.
The secret is the shared secret used by the device and RADIUS server to validate packets exchanged between them. This secret must match the client secret configured in the RADIUS server. It can be from 1 to 31 ASCII characters in length.
To access this dialog box, select Global/SecurID from the Device View.
All VPN 5000 concentrators and the VPN 5000 Client software are SecurID-ready. SecurID is Security Dynamic's proprietary system which requires ACE/Server software and SecurID tokens to perform dynamic two-factor authentication.
This checkbox determines whether SecurID authentication will be performed by the device.
This edit box allows you to set which UDP port on the ACE/Server will be used to exchange information. The default is 5500. The value may range between 1 and 65,535.
This edit box allows you to select the encryption algorithm for data exchanged between the concentrator and the ACE/Server. DES specifies that the DES algorithm will be used to scramble the data in both directions. SDI specifies that Security Dynamic's propriety algorithm will be used. The default is DES.
The device will attempt to contact this SecurID server first when attempting to authenticate a user. The address should be entered in dotted-decimal notation (i.e. 198.238.41.7).
If the timeout period is reached and a secondary server is configured, the device will attempt to communicate with the backup server.
The device will attempt to contact this SecurID server if the primary server does not respond after the configured timeout period. The address should be entered in dotted-decimal notation (i.e. 198.238.41.7).
This edit box allows you to set which UDP port on the ACE/Server will be used to exchange information. the number of seconds the device will wait before trying the backup ACE/Server. The default is 5. The value may range between 1 and 75.
This pulldown allows the selection of an interface on the device. The interface selected will act as the local end point for the tunnels defined by this configuration.
To access this dialog box, select Global/NAT Configuration from the Device View.
NAT allows internal networks which use private IP addresses to be translated into a valid external "global" IP address (or addresses). (See RFC 1918 "Address Allocation for Private Internets" for more information about private IP addresses.) This can allow a private network to provide Internet access through a single "official" IP address. It can also function as a minimal firewall by limiting access to the internal network from external networks while allowing the internal network easy access to the Internet.
This checkbox enables NAT globally for this device.
Select the External NAT Port from this pull-down menu.
This is the address range of the internal NAT network. This range will be translated into the range of IP addresses defined by the External Range. Any interface or subinterface on the device which is part of the same network as the Internal Range is considered to be an internal NAT port.
This window displays a list of all entered Internal Range but is not used to add or modify the entries. To add or modify the entries, you must access the NAT Map Dialog Box by selecting the New or Modify buttons above the Internal Range window.
This is the address range of the external NAT network. This range will be translated into the range of IP addresses defined by the Internal Range. The address or range of addresses specified must be a valid, globally recognized Internet address (or addresses) which can be routed on the network.
If only a single Internet IP address is available, then the External Range must be the same as the IP address on the IP port communicating with the Internet. In this case, care must be taken not to create a one-to-one translation pair using this IP address in the NAT Mapping Dialog Box (under Global/Nat Mapping). If a range of addresses is specified, the NAT software makes the decision about which Internet address is assigned to outgoing packets.
This window displays a list of all entered External Range but is not used to add or modify the entries. To add or modify the entries, you must access the NAT Map Dialog Box by selecting the New or Modify buttons above the External Range window.
This is the address range which may pass through the external NAT port without being translated. This is used when the NAT router has an IP interface (or interfaces), in addition to the NAT internal port and NAT external port, which is connected to part of the local network which is configured with global IP addresses.
If an IP address or range of addresses is included in both the External Range and PassThru Range, NAT will treat the IP address(es) as being members of the External Range only.
This window displays a list of all entered PassThru Range but is not used to add or modify the entries. To add or modify the entries, you must access the NAT Map Dialog Box by selecting the New or Modify buttons next to the PassThru Range window.
This edit box allows you to set the amount of time to lapse without any IP Network Address Translations using this NAT session before the router removes an active NAT session for TCP. The value may range from 0 to 172,800 seconds (48 hours). A value of zero will cause TCP NAT sessions to never be removed due to inactivity. Extending the amount of time will cause more router memory to be used by the NAT translation session database. The default is 86,400 seconds (24 hours).
This edit box allows you to set the amount of time to lapse without any IP Network Address Translations using this NAT session before the router removes an active non-TCP NAT session. The value may range from 0 to 3600 seconds (1 hour). A value of zero will cause non-TCP NAT sessions to never be removed due to inactivity. Extending the amount of time will cause more router memory to be used by the NAT translation session database. The default is 300 seconds (5 minutes).
This edit box allows you to set the amount of time to lapse without a response to a SYN TCP packet before the router removes an active NAT session for TCP. The value may range from 20 to 300 seconds. The default is 180 seconds (3 minutes).
This edit box allows you to set the amount of time to lapse without a response to a FIN TCP packet before the router removes an active NAT session for TCP. The value may range from 20 to 300 seconds. The default is 180 seconds (3 minutes).
This checkbox allows communication with the router through the IP addresses of the router's ports. This allows the user to communicate with the router (e.g., establish a telnet session with the router). The default is checked.
This checkbox allows external workstations/routers to ping workstations/routers in the internal NAT network if a one-to-one translation pair allowing such a translation has been set using the NAT Mapping Dialog Box. The default is checked. The workstation/router on the internal NAT network will not be allowed to respond to a ping if this parameter is unchecked.
You can access the NAT Range Dialog Box by selecting one of the New or Modify buttons in the NAT Configuration Dialog Box (under Global/NAT Configuration). This dialog box allows you to enter a NAT address range. It can be a single IP address or a range of addresses.
The address range may be specified in several different ways:
To add or modify the entries, you must access the NAT Range Dialog Box by selecting the Add... or Modify... buttons.
These one-to-one translation pairs allow the user to provide access from the internal or external network to selected parts of the NAT internal network, such as a web server.
Each translation pair must be entered using the following syntax:
<internal IP address> [ /<bits> | :<port> ] [ -> | = ] <external IP address> [ /<bits> | :<port> ] <internal IP address> This is the IP address on the internal network to be mapped to the external IP address. It must be entered first, followed by " -> " or " = " and the external IP address. The internal IP address must be within the range (or ranges) of IP addresses defined by the Internal Range Addresses. IP addresses must be specified in normal dotted-decimal notation. If the rightmost components are 0, they are treated as wild cards (e.g., 128.138.12.0 includes all devices on the 128.138.12 subnet). <external IP address> This is the IP address on the external network to be mapped to the internal IP address. The external IP address must be within the range of IP addresses defined by the External Range Addresses.
If only a single external IP address is available for the NAT router, do not map that IP address to an internal IP address because you will no longer be able to communicate with the router. Mapping single ports of the single external IP address to internal IP address:port combinations (e.g., creating access to a web server in the internal NAT network) is acceptable, however.
:<port>
The :port option allows an individual socket (IP address and port combination) to be mapped as part of a translation pair.
An IP address:port combination cannot be paired with an IP address range (even if that range is a single IP address). It can only be paired with another IP address:port combination.
/<bits>
The /bits option allows a range of IP addresses to be mapped as part of a translation pair. The bits field denotes the top or most significant bits which define the range. For example, an address specified as 192.15.32.0/19 would indicate a range from 192.15.32.1 to 192.15.63.255.
The following example shows one IP address being translated into another.
[ NAT Mapping ] 10.5.3.20 -> 198.41.9.194
The following example shows individual sockets (IP address and port combination) being mapped as a translation pair.
[ NAT Mapping ] 10.5.3.10:80 -> 198.41.9.195:80
The following example shows a range of IP addresses being mapped as a translation pair.
[ NAT Mapping ] 10.5.3.0/29 -> 198.41.9.200/29
To access this dialog box, select Logging from the Device View.
This setting determines whether the internetworking device will output logging information via any of the possible output methods (as discussed below). Logging is on by default.
This pull-down menu selects the detail of the logging information provided.
This checkbox determines whether the auxiliary port will receive logging messages.
This checkbox determines whether the logging messages will be sent to a UNIX host system running the syslog daemon.
This is the IP address of the UNIX system which is running the syslog daemon, in dotted-decimal notation (i.e. 198.238.41.7).
This pull-down menu determines which syslogd file the device's logging messages will be written into.
This list shows the ports for which logging information will be generated. If an interface is highlighted, logging information will be generated for that interface. To select or deselect more than one interface, press Control while clicking on the interface.
This section configures LDAP (Lightweight Directory Access Protocol) parameters into a device. LDAP can be used to serve configurations to any Cisco VPN 5000 series device. LDAP configuration server settings are set in the LDAP Server Dialog Box.
LDAP can also be used for VPN user authentication. LDAP user authentication is configured with the LDAP Authentication Dialog Box.
Each LDAP configuration specifies an LDAP server and information about the configuration to be served. The configuration can be a full device configuration, or just a portion of one. When new configurations are added, the device's configuration is rebuilt to include the one that was just added.
This dialog box displays a list of previously defined LDAP configuration servers.
To access this dialog box, select Global/LDAP Server from the Device View.
To add to or modify this list, click on the appropriate button to open the Add LDAP Server Dialog Box.
This specifies a name which uniquely defines this LDAP configuration. It can be up to 16 characters long.
This checkbox enables this entire section. If checked, the settings from this section will be used to get a configuration from an LDAP server. If left unchecked, no settings from this section will be used.
This sets the IP address (e.g., 192.168.9.99) or fully qualified domain name (e.g., monkeywrench.com) of the primary LDAP server which contains the configuration.
This string is used to authenticate the device to the primary LDAP server. If this is not set, then the device will attempt an anonymous bid to the server. The Primary Password may be up to 32 characters long.
This sets the IP address (e.g., 192.168.9.99) or fully qualified domain name (e.g., monkeywrench.com) of the secondary LDAP server which contains the configuration.
This string is used to authenticate the device to the secondary LDAP server. If this is not set, then the device will attempt an anonymous bid to the server. The Secondary Password may be up to 32 characters long.
This specifies the portion of the LDAP tree where the configuration is located.
This string specifies the relative distinguished name used in the LDAP server to identify the entry which contains the configuration.
This value is the number of seconds the device will wait for a response from the LDAP server.
This value specifies which configurations take precedence. When new configurations are added, the device's configuration is rebuilt to include the one that was just added.
If a new configuration contains a section which contains a higher priority than one already in place, The new configuration (or configuration portion) is added above the one that is already there. This enables higher priority sections to take precedence.
LDAP authentication is done only if the user cannot be found in the VPN User Authentication Database first. The device acts as a client and exchanges packets with an LDAP server.
To access this dialog box, select Global/LDAP Authentication from the Device View.
This checkbox enables this entire section. If checked, the settings from this section will be used to get a VPN user authentication from an LDAP server. If left unchecked, no settings from this section will be used.
This sets the IP address (e.g., 192.168.9.99) or fully qualified domain name (e.g., monkeywrench.com) of the primary LDAP server which contains the authentication information.
This string is used to authenticate the device to the primary LDAP server. If this is not set, then the device will attempt an anonymous bid to the server. The Primary Password may be up to 32 characters long.
This sets the IP address (e.g., 192.168.9.99) or fully qualified domain name (e.g., monkeywrench.com) of the secondary LDAP server which contains the authentication information.
This string is used to authenticate the device to the secondary LDAP server. If this is not set, then the device will attempt an anonymous bid to the server. The Secondary Password may be up to 32 characters long.
This specifies the portion of the LDAP tree where the authentication information is located.
This value specifies the attribute name given to the VPN group attribute which has been defined in the LDAP server. There are no standard attributes defined by LDAP for this attribute, so you must specify one. If this field is left blank, the device will assume the attribute name to be "vpngroupattr".
This value specifies the name given to the VPN shared secret attribute which has been defined in the LDAP server. There are no standard attributes defined by LDAP for this attribute, so you must specify one. If this field is left blank, the device will assume the attribute name to be "sharedsecret".
This value is the number of seconds the device will wait for a response from the LDAP server.
Posted: Wed Sep 27 12:11:32 PDT 2000
Copyright 1989-2000©Cisco Systems Inc.