
Network extension mode – Cisco VPN 3002 User Manual

VPN 3002 Hardware Client Reference

OL-1893-01

Chapter 11 Policy Management

The network and addresses on the private side of the VPN 3002 are hidden, and cannot be accessed
directly.

VPN 3000 Series VPN Concentrator Settings Required for PAT

For the VPN 3002 to use PAT, these are the requirements for the central-site VPN Concentrator.

1. The VPN Concentrator at the central site must be running Software version 3.x or later.

2. Address assignment must be enabled, by whatever method you choose to assign addresses (for example, DHCP, address pools, per user, or client-specified). If the VPN Concentrator uses address pools for address assignment, make sure to configure the address pools your network requires. See Chapter 6, Address Management, in the VPN 3000 Series Concentrator Reference Volume I.

3. Configure a group to which you assign this VPN 3002. This includes assigning a group name and Password. See Chapter 14, User Management, in the VPN 3000 Series Concentrator Reference Volume I.

4. Configure one or more users for the group, including usernames and passwords.

Network Extension Mode

Network Extension mode allows the VPN 3002 to present a single, routable network to the remote
private network over the VPN tunnel. IPSec encapsulates all traffic from the VPN 3002 private network
to networks behind the central-site VPN Concentrator. PAT does not apply. Therefore, devices behind
the VPN Concentrator have direct access to devices on the VPN 3002 private network over the tunnel,
and only over the tunnel, and vice versa. The VPN 3002 must initiate the tunnel, but after the tunnel is
up, either side can initiate data exchange.

In this mode, the central-site VPN Concentrator does not assign an IP address for tunneled traffic (as it
does in Client/PAT mode). The tunnel is terminated with the VPN 3002 private IP address (the assigned
IP address). To use Network Extension mode, you must configure an IP address other than the default
of 192.168.10.1 and disable PAT.

In Network Extension mode, the VPN 3002 automatically attempts to establish a tunnel to the VPN
Concentrator. However, if you enable interactive hardware client authentication, the tunnel establishes
when you perform the following steps.

Step 1: Click the Connection/Login Status button on the VPN 3002 Hardware Client login screen. The Connection/Login screen displays.

Step 2: Click Connect Now in the Connection/Login screen.

Step 3: Enter the username and password for the VPN 3002.

Alternatively, you can initiate a tunnel by clicking Connect Now in the Monitoring | System
Status screen.