
CISCO VPN 3000 Basic Setup Question 2


Gumby5 (IS-IT--Management), Dec 22, 2005
I recently moved into a new position that supports VPN through a CISCO VPN 3000 Concentrator. I am not familiar with this device and am trying to at least get a basic feel for it and the connections it's maintaining. I'm actually hoping I've completely missed something and this question gets a chuckle.

The unit in place is a model 3005. The device sits in parallel with our PIX 515E; however, it isn't in the PIX DMZ (something I'm now wondering about after reading so many threads). The device has a "public" and "private" interface. From what I've read, the private interface is to be configured with the internal LAN address (i.e. 192.168.x.x) and the public interface with a public address. No problem, what I found configured in the device met that criteria. Where my question centers is that, from what I've read, the web-based configuration management tool should be available on the LAN side. For example, if I wanted to configure the device using the web-based configuration management tool, I would be on the inside of the network and I would point my browser to the IP assigned to the private interface. However, the only way I'm able to bring up the configuration management tool is to point my browser at the public IP. Am I misunderstanding something here? If I am, so be it. Please let me know and I'll move on. If not, any ideas as to why I might be having this problem?

 
Interesting. By default the concentrator is set to allow management from the PRIVATE interface only. You have to actually create a Rule List to allow management from the PUBLIC interface. I would back the config up to a TFTP server, wipe the config and start again. If you can't wipe the config, check to make sure which Rule List is bound to the PRIVATE and PUBLIC interface. The concentrator comes with two default Rule Lists, one for each interface. I would make sure that the default Rule Lists are applied.

Also, I would recommend placing the PRIVATE interface on a PIX DMZ and the PUBLIC interface facing the Internet unprotected. This will allow you to control access to "inside" resources much more easily, since it will be done from the PIX. The PUBLIC interface of the concentrator can protect itself pretty well (although I would place some simple ACLs on your border router that can help protect the concentrator from malicious attacks).
 
Arisap,

Thank you for your reply. I was really hoping I just didn't understand something but it sounds like there is good reason for me to suspect this device has at least one serious configuration issue and that leaves me feeling very unsettled.

As I stated in my original post, I freely admit I have no background with this device. While I have a technical background centered primarily in application programming and design, the vast majority of my 18 years in IT has been in executive management (i.e. I'm really good at surrounding myself with people much smarter than me and then providing them direction that ultimately keeps the ship moving along a path I've chosen). We've got 4 LAN-to-LAN connections running that I really don't have the luxury of having go down while I try to work my way through this (unless it's felt that even at a novice level I should have little problem accomplishing what you've suggested). I've hired a couple of Cisco certified people in the past with mixed results, so any additional insight as to any specifics of what I may want to look for in a contractor / service provider to help out with this would certainly be appreciated.

Thanks again for the reply, and please, anyone else who feels they can contribute advice, please do so.
 
Check the private IP config to make certain that it is configured to permit HTTP management. I believe there is a check box that enables this. Sounds like it might be enabled for the public interface but not the private.
 
Would it be too much to ask if you could walk me to the screen in the configuration manager where I would find that? I understand what you're asking me to do, and I have found a screen in one section of the configurator that flags for HTTP management, but it's not a simple enable-on-private-interface-or-not type of deal.
 
OK - first of all make certain the internal ethernet adapter is permitted to accept management sessions...

Under Configuration - Interfaces - click Private Interface and then click on the interface and then click WebVPN to see Configuring Ethernet Interface 1 (Private).

"Allow Management HTTPS sessions": Check to enable management HTTP and HTTPS sessions on this interface. Disabling will prevent managing the device through a web browser on this interface.

Make certain above is clicked.

Then go to Administration - Access Rights - Access Control List and make certain the internal network IP addresses are included to enable an internal computer to manage the VPN 3000 device.

Hope this helps...
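The two checks walked through above (the per-interface "Allow Management HTTPS sessions" box and the management Access Control List) can be expressed as a small policy model that reproduces the symptom in the original question and flags the fix. This is an added illustration, not code from Tek-Tips or from Cisco; the `Interface`/`Concentrator` classes and the sample addresses are constructed, and the model is a hypothetical simplification, not the concentrator's real configuration format.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical model of the two settings the reply walks through; it is not
# the VPN 3000's real configuration schema or API.
@dataclass
class Interface:
    name: str
    ip: str
    allow_mgmt_https: bool  # the "Allow Management HTTPS sessions" checkbox

@dataclass
class Concentrator:
    interfaces: list
    mgmt_acl: list  # Administration > Access Rights > Access Control List (CIDR strings)

def management_allowed(box, iface_name, source_ip):
    """Return (allowed, reason) for a web-management session from source_ip to the named interface."""
    iface = next(i for i in box.interfaces if i.name == iface_name)
    if not iface.allow_mgmt_https:
        return False, f"{iface_name}: management HTTP/HTTPS sessions disabled on interface"
    src = ipaddress.ip_address(source_ip)
    if not any(src in ipaddress.ip_network(n) for n in box.mgmt_acl):
        return False, f"{iface_name}: {source_ip} is not in the management access control list"
    return True, f"{iface_name}: management permitted from {source_ip}"

def audit(box):
    """List the misconfigurations discussed in the thread, plus an any-source ACL entry."""
    findings = []
    for i in box.interfaces:
        if i.name == "public" and i.allow_mgmt_https:
            findings.append("public interface accepts web management; disable it or restrict it via the rule list")
        if i.name == "private" and not i.allow_mgmt_https:
            findings.append("private interface rejects web management; tick 'Allow Management HTTPS sessions'")
    for n in box.mgmt_acl:
        if ipaddress.ip_network(n).prefixlen == 0:
            findings.append(f"management ACL entry {n} permits any source address")
    return findings

# Constructed sample reproducing the symptom in the question: management is
# reachable only via the public IP. Addresses are private/documentation ranges.
BOX = Concentrator(
    interfaces=[
        Interface("private", "192.168.1.1", allow_mgmt_https=False),
        Interface("public", "203.0.113.5", allow_mgmt_https=True),
    ],
    mgmt_acl=["192.168.1.0/24"],
)

if __name__ == "__main__":
    for name in ("private", "public"):
        print(management_allowed(BOX, name, "192.168.1.50")[1])
    for finding in audit(BOX):
        print("finding:", finding)
```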
 