Release Notes for Cisco VPN 3002 Hardware Client Release 3.1

CCO August 20, 2001

Note: You can find the most current documentation for the Cisco VPN 3002 on CCO.

These release notes describe the features of the Cisco VPN 3002 Hardware Client and the caveats that apply for Release 3.1. Read the release notes carefully prior to installation.
• Introduction
• Caveats
• Obtaining Documentation
• Obtaining Technical Assistance

Introduction

The Cisco VPN 3002 Hardware Client (referred to in these Release Notes as the VPN 3002) communicates with a VPN 3000 Series Concentrator to create a virtual private network across a TCP/IP network (such as the Internet). The VPN 3002:
• Provides an alternative to deploying the VPN Client at remote locations.
• Is located at a remote site (like the VPN Client).
System Description

The following sections describe the VPN 3002 hardware.

Physical Site Requirements

The VPN 3002 requires a normal computing-equipment environment, including power requirements. For maximum protection, we recommend connecting it to a conditioned power source or UPS (uninterruptible power supply). Be sure that the power source provides a reliable Earth ground.

Physical Specifications
• Width: 8.85 inches (22.48 cm)
• Depth: 7 inches (17.78 cm)
• Height: 2.
Installation Notes

For complete installation information, refer to the VPN 3002 Hardware Client Getting Started guide. To install and configure the VPN 3002 using default values, see the VPN 3002 Quick Start card, which ships with the VPN 3002.

Initial Configuration

You must meet these requirements to configure the VPN 3002.

Central-site Concentrator Requirements

To interoperate with a VPN 3002, the VPN 3000 Series Concentrator to which it connects must: be running software version 3.
Browser Requirements

The VPN 3002 Hardware Client Manager works with the following browsers:
• Internet Explorer version 4.x and higher
• Netscape version 4.5 and higher

Be sure JavaScript and cookies are enabled in the browser. Whatever browser and version you use, install the latest patches and service packs for it.
• Do not use the browser navigation toolbar buttons Back, Forward, or Refresh / Reload with the VPN 3002 Hardware Client Manager unless instructed to do so.
Features Summary

The VPN 3002 Hardware Client has the following features:

Hardware Features

The VPN 3002 comes in two models, differentiated by number and type of Ethernet connections:
• VPN 3002 — two 10/100 BaseT Ethernet ports (one public and one private port).
• VPN 3002-8E — one 10/100 BaseT Ethernet port on the public interface and a built-in 8-port 10/100 BaseT Ethernet switch at its private network connection.
• Multiple management interfaces: HTML and command-line interface.
• An auto-update feature that lets you upgrade software for multiple hardware clients from a single, central-site location.
• IPSec as the tunneling protocol.
• UDP NAT/FW Transparent IPSec, which enables secure transmission between the VPN 3002 Hardware Client and the central-site Concentrator through a device, such as a firewall, that is performing Network Address Translation (NAT).
Modes

The VPN 3002 works in either of two modes: Client mode or Network Extension mode.
• Client mode, also called PAT (Port Address Translation) mode, isolates all devices on the private network from the public network. In Client mode, all traffic from the private network appears on the public network with a single source IP address, which is the IP address assigned for tunneled traffic from the central-site VPN Concentrator.
You always assign the VPN 3002 to a client group on the central-site Concentrator. If you enable split tunneling for that group, IPSec operates on all traffic that travels through the VPN 3002 to networks within the network list for that group behind the central-site Concentrator. PAT does not apply. Traffic from the VPN 3002 to any other destination than those within the network list on the central-site Concentrator travels in the clear without applying IPSec.
The following table summarizes instances in which the VPN 3002 and the central-site Concentrator can initiate data exchange.
• The VPN 3002 Command Line Interface (CLI) is a menu- and command-line based interface that you can use with the local system console or remotely—from the private LAN or through the VPN tunnel—using:
  – Telnet connections
  – Telnet over SSL secure connections
  – SSH secure connections

The amount of time remaining until the current IP address lease expires, shown as HH:MM:SS.
• The central-site group on the Concentrator must be configured to support it. For an example, refer to the VPN Concentrator Manager, Configuration | User Management | Groups | IPSec tab (see VPN 3000 Concentrator Series Reference volumes or refer to the VPN Concentrator Manager Help).
• Cisco does not support a topology with multiple VPN 3002s behind one NAT device.

Caveats

Caveats describe unexpected behavior or defects in Cisco software releases.
• CSCdt21080
  Unable to unlock a locked configuration
  If you are managing a device and do not log out properly, the configuration file is locked by any other IP Address of the managing device until that session expires. For a VPN 30xx Concentrator, you can physically log out this admin user, but with a VPN 3002, the problem persists until the session expires (the default is 10 minutes) or you reboot the unit.
• CSCdt49326, CSCdu57255
  When the VPN 3002 is configured for 10 Mbps and the duplex mode is configured for auto, the duplex mode may be incorrectly displayed in the Monitor | Statistics | MIB II | Interfaces | Ethernet screen as "half" duplex even though it is running at "full" duplex.
• CSCdu40803
  The 3002 may reboot after several hours of failed authentication attempts during PPPoE negotiation. Make sure the correct name and password are configured.
Resolved Caveats

The following problems have been resolved as of version 3.0.1.
• CSCdt42413
  We have added more information, including port numbers and protocol, to the event messages that are logged when packets that come in over the VPN 3002 tunnel are rejected because there is no applicable NAT rule.
Obtaining Documentation

• The VPN 3002 Hardware Client Quick Start card summarizes information for Quick Configuration. This quick reference card is provided with the VPN 3002, and is also available online. For easiest use, print it on 8 1/2” x 11” paper, in duplex mode. Current customers who obtain version 3.1 software from CCO can also order the 3.1 version of the card from CCO. When ordering the card, use product number DOC-7812273=.
http://www.cisco.com/cgi-bin/order/order_root.pl
• Registered Cisco.com users can order the Documentation CD-ROM through the online Subscription Store:
  http://www.cisco.com/go/subscription
• Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco corporate headquarters (California, USA) at 408 526-7208 or, in North America, by calling 800 553-NETS(6387).
Obtaining Technical Assistance

Cisco.com

Cisco.com is the foundation of a suite of interactive, networked services that provides immediate, open access to Cisco information and resources at any time, from anywhere in the world. This highly integrated Internet application is a powerful, easy-to-use tool for doing business with Cisco. Cisco.com provides a broad range of features and services to help customers and partners streamline business processes and improve productivity. Through Cisco.
In each of the above cases, use the Cisco TAC website to quickly find answers to your questions. To register for Cisco.com, go to the following website:
http://www.cisco.com/register/

If you cannot resolve your technical issue by using the TAC online resources, Cisco.com registered users can open a case online by using the TAC Case Open tool at the following website:
http://www.cisco.