SafeNet HighAssurance 4000 User manual

HighAssurance™
4000 Gateway
The Foundation of Internet Security
User's Guide

© 2004 SafeNet, Inc. All rights reserved.
SafeNet is a registered trademark and SafeEnterprise and HighAssurance are trademarks of
SafeNet, Inc.
All other product and company names may be the property of their respective owners.
SafeNet, Inc.
(800) 533-3958 Sales
(800) 545-6608 Customer Support
www.safenet-inc.com
SafeNet Proprietary
40001-00C 2/09/04

Contents iii
Contents
Chapter 1 Product Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Product Features. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
LED Indicators. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Sample Deployments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Tunnels. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Software Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
FIPS 140-2 Level 2 Operation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Chapter 2 Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Unpack the Shipping Carton . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Location Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Required Hardware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Mount the HA4000 in a Rack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Connect the Cables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Power On the HA4000 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Chapter 3 Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Before You Start . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Save Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
CLI Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Command Shortcuts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
User Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Configure the Management Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Log On to the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Assign IP Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Prepare the Device for Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Configure the Remote Interface. . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Assign the Remote Port IP Address . . . . . . . . . . . . . . . . . . . . . . . . . 20
Set the Remote Port Auto-Negotiation and Flow Control . . . . . . . . . . . 20
Assign IKE Default Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
IKE ID Validation for Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Configure the Local Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Configure the PMTU . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Configure DF Bit Handling. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Set Date and Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Set Session Timer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Configure SNMP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Name the HA4000 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Administrative Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Set Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Save the Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Reboot the HA4000 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
View Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Chapter 4 Maintenance Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
System Backup and Restore. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Back up the File System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Restore the Backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Install Software Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42

Configure the FTP Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Load Software Updates. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Install Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Install a New Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Physical Inspection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Audit Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Audit Log Resources. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Restore Factory Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Restore HA4000 Factory Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Chapter 5 Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Possible Problems and Solutions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Diagnostic Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
IPSec Diagnostic Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
show all Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Chapter 6 CLI Command Reference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
CLI Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Command Hierarchy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Syntax Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
Command Usage Tips. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
User Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Command Shortcuts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Appendix A MIB Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Appendix B Product Specifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Appendix C Cable Specifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
DB-9 Null Modem Cable. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
RJ-45 Ethernet Straight Through Cable . . . . . . . . . . . . . . . . . . . . . . . . . 88
RJ-45 Ethernet Crossover Cable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
Appendix D Electrostatic Discharge. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
Appendix E Regulatory Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Safety/Emissions/Immunity Specifications . . . . . . . . . . . . . . . . . . . . . . . 91
FCC Information (USA) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Interference-Causing Equipment Standard Compliance Notice (Canada) . . 91
European Notice . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93

List of Figures v
List of Figures
Figure 1-1 HA4000 Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Figure 3-1 Management Port and Network Management Station on Different Subnets 19
Figure 3-2 Two Remote Ports on the Same Subnet. . . . . . . . . . . . . . . . . . . . . . . . . 22
Figure 3-3 Router Between Two HA4000 Gateways . . . . . . . . . . . . . . . . . . . . . . . . 22
Figure 3-4 HA4000 Gateways Connected Back-to-Back (Transparent) . . . . . . . . . . . 27
Figure 3-5 ARP Used to Resolve Layer 2 MAC Addresses . . . . . . . . . . . . . . . . . . . . . 28
Figure 3-6 Packets Forwarded to a Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Figure 4-1 Tamper Evident Seal on Back Panel of the Chassis . . . . . . . . . . . . . . . . . 45
Figure C-1 DB-9 Null Modem Cable Specifications. . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Figure C-2 RJ-45 Ethernet Straight-Through Cable . . . . . . . . . . . . . . . . . . . . . . . . . 88
Figure C-3 RJ-45 Ethernet Crossover Cable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88

List of Tables vi
List of Tables
Table 1-1 Front Panel LED Indicators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Table 3-1 SNMP Trap Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Table 3-2 HA4000 SNMP Agent Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Table 3-3 Show Command Attributes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Table 5-1 HA4000 Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Table 5-2 CLI IPSec Diagnostic Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
Table 5-3 AES Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
Table 5-4 HA4000 Security Association Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
Table 5-5 SPD Selectors. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Table 6-1 CLI Command Shortcuts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Table B-1 System Specifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Table C-1 Null Modem Pin Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Table C-2 Straight-Through Cable Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
Table C-3 Crossover Cable Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89

Chapter 1. Product Overview 7
Chapter 1
Product Overview
The SafeNet HighAssurance™ 4000 (HA4000) Gateway is a high-performance,
integrated security appliance that offers IPSec encryption at multi-Gigabyte rates.
Supporting wire speed Gigabit Ethernet, the HA4000 enables secure remote data
backup and disaster recovery, data replication, and storage hosting.
Housed in a tamper-evident chassis, the HA4000 has two Gigabit Ethernet ports.
Traffic on the local port is received in the clear, while traffic on the remote port has
security processing applied to it.
Fully compatible with existing IP networks, the HA4000 can be seamlessly
deployed into Gigabit Ethernet environments, including IP site-to-site VPNs and
storage over IP networks. Its high-speed Triple DES (3DES), IPSec processing
capabilities eliminate bottlenecks while providing data authentication, encryption
and integrity. The HA4000 supports both the Encapsulating Security Payload (ESP)
and Authentication Header (AH) protocols in tunnel mode.
The HA4000 gateway is ideal for bandwidth-intensive, latency-sensitive
applications that demand security and speed, such as storage over IP, site-to-site
VPNs, and the transfer of medical imaging over the Internet. The HA4000 provides
secure transport over private or public IP networks in protected tunnels between
local or remote sites.
Figure 1-1 shows the HA4000 gateway.
Figure 1-1 HA4000 Gateway

Product Features
• Mounts in any standard 19-inch rack or on a tabletop
• Two Gigabit Ethernet data ports for encrypting and decrypting network traffic
  with single mode and multimode fiber GBIC interfaces
• FIPS 140-2 Level 2 compliant, validated by the National Institute of Standards
  and Technology (NIST)
• Tamper-evident chassis with no ability to insert probes
• Hardware-based IPSec encryption processing
• Low latency
• 8000 concurrent tunnels
• Full duplex, 1.8 Gbps 3DES encryption and decryption
• Comprehensive security standards support
• Key management
    Internet Key Exchange (IKE): RFC 2409, NIST FIPS PUB 186
    Manual keys
    Diffie-Hellman key exchange (groups 1, 2, and 5)
• Encryption
    Advanced Encryption Standard (AES): FIPS 197 (256 bit keys)
    3DES: ANSI X9.52 algorithm (168 bit keys), standard CBC mode
    Data Encryption Standard (DES): FIPS 46-2 (56 bit keys), standard CBC
    mode
• HMAC-SHA-1-96 and HMAC-MD5-96 Message Integrity
• Simple Network Management Protocol (SNMP), version 2c, MIB-managed
  objects support
• Alarm condition detection and reporting
• Secure CLI access through the 10/100 Ethernet port
• Secure download of software updates
• X.509 v3 digital certificate support

LED Indicators
Table 1-1 shows how to interpret the LEDs on the HA4000 gateway’s front panel.
Table 1-1 Front Panel LED Indicators
Indicator                      Light State   Definition
Power (green)                  Off           Unit is powered off.
                               On            Unit is powered on.
Remote Yellow (link status)    Off           Loss of signal on the remote interface.
                               On            Normal operation.
Remote Green (traffic status)  Off           No traffic is passing over the remote interface port.
                               Blinking      Normal operation. Indicates the presence of traffic on
                                             the remote interface.
Local Yellow (link status)     Off           Loss of signal on the local interface.
                               On            Normal operation.
Local Green (traffic status)   Off           No traffic is passing over the local interface port.
                               Blinking      Normal operation; there is traffic on the local interface.
Alarm (red)                    Off           Normal operation.
                               Blinking      System initialization is in progress. When the boot
                                             process completes, the LED state changes to Off.
Failure (red)                  Off           Unit is initialized and operational.
                               On            One of these problems was detected:
                                             • Hardware error
                                             • IPSec configuration error
                                             • Security policy failure to load
                                             • Other boot process failure
Sample Deployments
The HA4000 device is deployed on either side of a WAN-routed interface, between
a switch and a router, securing the data transmitted across the untrusted WAN.
Data is sent from a web server through a Layer 2/3 switch. It is then encrypted by
an HA4000 for secure transfer over the WAN, where a second HA4000 decrypts
the data at its destination. The HA4000 forwards the clear data to the Layer 2/3
switch at the destination.

In a branch-to-central office application, data is secured between each branch and
the central office. Additionally, a secure tunnel is established between the two
branch sites. This configuration can be used to transfer sensitive data between
remote sites or to back up remote servers to central storage devices.
Tunnels
A security tunnel is the network path inside which data is encrypted. Tunnels can
begin and terminate at various points in the network:
• Client workstation, either the desktop or remote access, such as dial-in
• Edge device, such as a router or an edge switch
• Switch or router inside the service provider network, typically at the
  point-of-presence (POP)
The HA4000 can be deployed in a variety of locations and topologies, depending
on the application. Several examples are a geographically remote Storage Area
Network (SAN) environment, a site-to-site VPN, a gigabit Ethernet Metropolitan
Area Network (MAN), or a campus building-to-building environment.
In an IPSec deployment, identify the communication endpoints and the secure
tunnel endpoints. A communication endpoint is the entity that is being protected
by the HA4000. This can be a host, a server, or a subnet. The secure tunnel
endpoints are the HA4000 gateways or other IPSec peer.
Management
The HA4000 gateway is managed from the SafeEnterprise Security Management
Center (SMC). It also has a command line interface (CLI) to configure the HA4000
operating parameters. CLI sessions are managed through a direct serial link to the
HA4000.
For information on configuring and working with the HA4000 from the SMC, refer
to the SafeEnterprise Security Management Center User’s Guide.
Software Requirements
Make sure that these customer-provided software products are installed on the
management workstation:
• VT-100 terminal emulation utility, such as HyperTerminal, to connect to the CLI
  through a serial link.
• Optional. Telnet client to remotely configure the HA4000 through the
  gateway’s 10/100 Ethernet management port.
FIPS 140-2 Level 2 Operation
The National Institute of Standards and Technology (NIST) validated the HA4000
gateway as FIPS 140-2 Level 2 compliant. To meet FIPS 140-2 Level 2
requirements, configure the HA4000 using these guidelines:
• DES, 3DES, or AES encryption

• HMAC-SHA-1-96 authentication
• Manual keys or IKE key management
Caution: MD5 is not a FIPS-approved authentication algorithm. Therefore, using MD5
authentication in a security policy removes the HA4000 from FIPS-compliant
operation.

Chapter 2. Installation 12
Chapter 2
Installation
Perform the tasks in this chapter in the sequence they are presented.
Unpack the Shipping Carton
Remove all product components from the shipping carton and compare the
contents to the packing list. Keep all packaging in case it is necessary to return
the unit. The HA4000 is packaged with these items:
• HA4000 chassis
  The HA4000 firmware and software is preinstalled on the unit.
• Accessory Kit:
    Rack mount kit containing two mounting brackets and eight screws
    Power supply cable (US or European)
    Shielded DB-9 null modem cable (female to male)
    Shielded Category 5 cable with RJ-45 connector (STP)
    CD-ROM containing this user’s guide, MIBs, and a backup copy of the
    HA4000 software
• Options:
    GBIC-MM Kit: Contains two multimode Gigabit Ethernet Interface
    transceivers and two 3-meter multimode fiber cables.
    GBIC-SM Kit: Contains two single mode Gigabit Ethernet Interface
    transceivers and two 3-meter single mode fiber cables.
Location Considerations
The HA4000 can be mounted in a standard 19-inch rack using the mounting kit, or
placed on a rack shelf or solid surface.
Before installing the HA4000 in a 19-inch rack, consider these rack-mounting
guidelines:
• Ambient temperature
Install the HA4000 in an environment compatible with the 40ºC maximum
recommended ambient temperature. Extra clearance above or below the unit
on the rack is not required; however, be aware that equipment placed in the
rack beneath the HA4000 can add to the heat load. Therefore, avoid installing
the device in an overly congested rack. Air flowing to or from other equipment
in the rack can interfere with the normal flow of cooling air through the
HA4000, increasing the potential for overheating.
• Air flow
  Make sure that there is sufficient flow of air around the HA4000 so that safe
  operation is not compromised. Maintain a clearance of at least three
  inches (7.62 cm) on each side of the HA4000 gateway to ensure adequate air
  intake and exhaust. If installing the device in an enclosed rack, make sure that
  the rack has adequate ventilation or an exhaust fan.
  Note: An enclosed rack with a ventilation system that is too powerful can
  prevent proper cooling by creating negative air pressure around the HA4000.
• Mechanical loading
  Keep the center of gravity in the rack as low as possible. This ensures that the
  weight of the HA4000 will not make the rack unstable. Make sure that the rack
  is secured; use the proper mounting hardware to secure the HA4000 to the
  rack.
• Circuit loading
  Consider the connection of an HA4000 to the supply circuit and the effect that
  overloading of circuits could have on overcurrent protection and supply wiring.
  Consult the voltage and amperage ratings on the UL label affixed to the unit’s
  rear panel when addressing this concern.
• Grounding
  Maintain reliable grounding of a rack-mounted HA4000 gateway. Pay particular
  attention to supply connections other than direct connections to the branch
  circuit, such as the use of power strips.
• Maintenance
  Allow at least 19 inches (48.3 cm) of clearance at the front of the rack for
  maintenance. Use a cable management system to help keep cables organized,
  out of the way, and free from kinks or bends that degrade cable performance.
Required Hardware
To mount the HA4000 in a standard 19-inch equipment rack, have these tools and
materials available:
• Two mounting brackets, supplied in the Accessory Kit
• Four small screws and four large screws, supplied in the Accessory Kit
• #1 Phillips and #2 Phillips screwdrivers (user-supplied)
Mount the HA4000 in a Rack
1. With the four small screws (#1 Phillips) provided in the Accessory Kit, attach
one mounting bracket to each front side of the HA4000 unit.
2. With the four large screws (#2 Phillips), attach the unit to the rack’s front
supports.
Connect the Cables
Before beginning, make sure that the necessary cables are available. For more
information on cabling requirements and specifications, see Appendix C, "Cable
Specifications."
1. Connect the HA4000 RS-232 craft port directly to a PC or workstation using a
DB-9 null modem cable.
2. Connect the HA4000 management port to a LAN or directly to a PC using a
Category 5 STP cable with an RJ-45 connector.
3. When connecting the device directly to a PC, use a shielded Category 5
crossover cable, and make sure that the PC and management port IP
addresses are on the same subnet.
4. After taking the necessary precautions to prevent damage from electrostatic
discharge (ESD), plug a GBIC module into the HA4000 gateway’s remote port,
and then connect it to the WAN. For more information on ESD protection, see
Appendix D, "Electrostatic Discharge."
5. Plug a second GBIC module into the HA4000 gateway’s local port, and then
connect it to the local device, such as a server or switch.
Warning: When the dust covers are removed and no cable is connected, radiation
can be emitted from aperture ports of single- or multi-mode interfaces. Avoid
exposure, and do not stare into the open apertures.
Power On the HA4000
Applying power to the HA4000 initializes the system, which includes these actions:
• Initializes the components.
• Performs hardware diagnostics.
• Loads the software. The software is preinstalled on the HA4000; it can,
  however, be reinstalled if it is corrupted or accidentally deleted.
• Verifies the power supply voltage.
To power on the HA4000, take these steps:
1. Connect the unit’s power adapter on the HA4000 rear panel.
2. Apply power to the unit.
The power LED illuminates when the unit is powered up.
About a minute after power up, the alarm LED begins blinking and
continues to blink for several minutes until the boot process is complete.
The green power LED remains lit until the unit is powered off.
If the boot process fails, the failure LED illuminates, and the HA4000
gateway generates a “critical error” trap.

Notes:
• If you experience a problem during system initialization, go to Chapter 5,
  "Troubleshooting."
• Until you configure your security policies, the HA4000 gateway’s default mode
  of operation passes all packets in the clear.

Chapter 3. Configuration 16
Chapter 3
Configuration
HA4000 management is performed out of band. Use the management interface to
configure the device remotely through the command line interface (CLI) and
monitor SNMP-based performance.
This chapter describes the tasks required to configure the HA4000’s management
interface and prepare the device for operation. Administrative configuration tasks
are also included.
Before You Start
This section provides general information on using the HA4000 CLI commands
that are used to configure the HA4000’s management interfaces. For details on
each command, go to Chapter 6, "CLI Command Reference."
Save Configurations
• When you change configuration settings on the HA4000—after you complete
  all the configuration commands or after each individual command—make sure
  that you save the settings. If the HA4000 device is rebooted or the power is
  recycled, unsaved configurations are lost.
• To save the running configuration, enter this command:
    copy system:running nvram:config
• Some commands don’t take effect until the HA4000 is rebooted with the
  reboot command. Refer to the specific command in Chapter 6, "CLI Command
  Reference," for this information.
CLI Hierarchy
• Command mode is the logon hierarchy level. The command line prompt
  indicates the hierarchy level. The copy and show commands and most
  maintenance commands are accessed at this level.
• Configuration mode is where commands are entered to configure the
  HA4000. To go into configuration mode, enter this command:
    configure terminal
• Interface configuration mode, where the local, remote, and management
  interfaces are configured, is entered from configuration mode. To go into this
  mode from configuration mode, enter this command:
    interface {local | remote | management}
The exit command leaves the current CLI mode and returns to the previous
hierarchy level.

Command Shortcuts
Some CLI commands have specific shortcuts. For a list, go to Table 6-1 on
page 65. Shortcuts are also included in the detailed information available on each
CLI command in Chapter 6, "CLI Command Reference."
For other commands, type enough letters to uniquely identify an HA4000 CLI
command, and then press Tab. For more information, refer to the aforementioned
“Command Shortcuts” on page 65.
User Types
The HA4000 has two levels of logon privileges, identified by user type:
• The Network Manager configures the HA4000. The Network Manager’s
  username is admin.
• The Administrator sets passwords and logon restrictions. The Administrator’s
  username is super.
Configure the Management Port
The HA4000 management interface port must be configured to connect the device
to the SMC.
Log On to the CLI
The HA4000 gateway’s CLI is accessible through a serial link connected to the
HA4000 RS-232 craft port. Typically, the craft port is used only to set the
management port IP address. The rest of the configuration is performed using the
10/100 Ethernet between the management port and the SMC. You can, however,
perform all configuration tasks through the serial port.
1. Connect the HA4000 RS-232 craft port directly to the terminal’s serial port
using a DB-9 null modem cable. For cable specifications, see Appendix C,
"Cable Specifications."
2. Open a terminal session through a VT-100 terminal emulation program, such
as HyperTerminal.
3. Enter the connection name, the appropriate serial port (usually COM1 or
   COM2), and these communication parameters:
     115,200 bps
     No parity
     8 data bits
     1 stop bit
     No flow control
4. Press Enter. The CLI username prompt displays:
User Access Verification
Username:
5. Enter the Network Manager’s username, admin.

Note: Usernames and passwords are case-sensitive.
6. At the password prompt, enter the default password, safenet. The password
you type does not display.
Note: Change the default password when you configure the HA4000 gateway.
7. When you are successfully logged on, the command line prompt displays:
Username: admin
Password:
admin>
Assign IP Addresses
The 10/100 Ethernet management interface is the communication channel
between the HA4000 and SMC. To securely manage the HA4000, its management
interface must be correctly configured.
There are potentially three IP addresses to configure, using the ip address
command, on the management port:
• The 10/100 Ethernet management port IP address identifies the HA4000
  gateway to SMC. This is used for remote configuration of the HA4000 and
  SNMP-based performance monitoring.
• The subnet mask is the portion of the IP address that identifies the network
  or subnetwork for routing purposes.
• The default gateway, assigned only when the HA4000 and SMC are on
  different subnets, identifies the local router port on the same subnet as the
  HA4000 gateway’s management port. The HA4000 sends all packets to the
  specified router to be forwarded to SMC.
Note: If the HA4000 gateway’s management port is directly connected to SMC,
the host’s IP address and the management port IP address must be on the same
subnet.
Configure the Management Port Default Gateway
When the HA4000 and SMC are on different subnets, the HA4000 uses a default
gateway to route packets to SMC.
In Figure 3-1, Network Management Host #1’s IP address is 192.168.1.10. The
HA4000 #1’s management port (192.168.10.10) is not on the same subnet as the
management host. To successfully route packets between HA4000 #1 and
Network Management Host #1, the local port on Router #1 is its default
gateway (192.168.10.1).

Figure 3-1 Management Port and Network Management Station on Different Subnets
Example
This example configures HA4000 #1’s management port with the default gateway
(the local port on Router #1) shown in Figure 3-1. The example enters configuration
mode for the management interface, assigns the management port IP address,
subnet mask, and default gateway IP address, and saves the configuration. In this
example, the management interface is configured through the RS-232 craft port.
admin> configure terminal
config> interface management
config-ifMan> ip address 192.168.10.10 255.255.255.0 192.168.10.1
config-ifMan> exit
config> exit
admin> copy system:running nvram:config
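The rules in "Assign IP Addresses" (default gateway only when SMC is off-subnet, gateway on the management port's own subnet, direct connection requires the same subnet) are easy to get wrong when typing the three-argument ip address command over a craft port. The following helper is an added example, not code from the SafeNet manual; it builds and checks the command sequence shown above, and the function and parameter names are this example's own.

```python
"""Build and sanity-check the HA4000 management-port 'ip address' command.

Added example (not from the SafeNet manual). The prompts mirror the CLI
session in the manual (admin>, config>, config-ifMan>); function names and
parameters are this example's own.
"""
import ipaddress
from typing import List, Optional


def management_port_commands(port_ip: str, mask: str, smc_ip: str,
                             gateway: Optional[str] = None) -> List[str]:
    """Return the CLI lines that configure the management port and save them.

    Raises ValueError when the addresses contradict the manual's rules:
    - the gateway is given only when the SMC is on a different subnet
    - the gateway is a router port on the management port's own subnet
    - without a gateway, the SMC must share the management port's subnet
    """
    port = ipaddress.IPv4Address(port_ip)
    subnet = ipaddress.IPv4Network(f"{port_ip}/{mask}", strict=False)
    smc = ipaddress.IPv4Address(smc_ip)

    # A host address must not be the network or broadcast address.
    if port in (subnet.network_address, subnet.broadcast_address):
        raise ValueError(f"{port_ip} is not a usable host address in {subnet}")

    smc_on_subnet = smc in subnet
    if gateway is None:
        # Directly connected case: SMC and management port share the subnet.
        if not smc_on_subnet:
            raise ValueError(
                f"SMC {smc_ip} is outside {subnet}; a default gateway is required")
        address_args = f"{port_ip} {subnet.netmask}"
    else:
        gw = ipaddress.IPv4Address(gateway)
        if smc_on_subnet:
            raise ValueError("SMC is on the management subnet; omit the default gateway")
        # The gateway is the router port on the same subnet as the management port.
        if gw not in subnet or gw == port:
            raise ValueError(f"gateway {gateway} is not a router port on {subnet}")
        address_args = f"{port_ip} {subnet.netmask} {gateway}"

    return [
        "configure terminal",
        "interface management",
        f"ip address {address_args}",
        "exit",
        "exit",
        "copy system:running nvram:config",  # unsaved settings are lost on reboot
    ]


def render_session(commands: List[str]) -> str:
    """Prefix each command with the prompt the HA4000 CLI shows in that mode."""
    lines: List[str] = []
    prompt_stack = ["admin> "]
    for cmd in commands:
        lines.append(prompt_stack[-1] + cmd)
        if cmd == "configure terminal":
            prompt_stack.append("config> ")
        elif cmd == "interface management":
            prompt_stack.append("config-ifMan> ")
        elif cmd == "exit":
            prompt_stack.pop()
    return "\n".join(lines)


if __name__ == "__main__":
    # Addresses from Figure 3-1: HA4000 #1 management port, Router #1 local
    # port as default gateway, Network Management Host #1 on another subnet.
    session = management_port_commands("192.168.10.10", "255.255.255.0",
                                       "192.168.1.10", gateway="192.168.10.1")
    print(render_session(session))
```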
Prepare the Device for Operation
Configure the Remote Interface
Follow the procedures described in this section to configure the HA4000 for
operation. The HA4000 can be configured through the CLI, which can be accessed
through the serial port or through the management port.
Save configuration settings when you complete configuring the HA4000 or after
entering each command. When the HA4000 is rebooted or the power is recycled,
unsaved configurations are lost.
Configure these components on the remote interface:
• Remote port IP address and subnet mask
• Auto-negotiation and flow control
• Default gateway for IKE negotiation traffic

Assign the Remote Port IP Address
The remote port IP address identifies the HA4000 to the untrusted network,
typically a WAN, campus LAN, or MAN. Changing the remote port IP address
directly affects the HA4000 gateway’s IPSec policies, including the default policies
that ship with the HA4000.
Previously configured policies will not recognize a new remote port IP address until
the HA4000 is rebooted or reloaded. After you finish configuring the HA4000, save
the configuration, and then reboot the unit to activate the new settings, as
described in “Reboot the HA4000” on page 38. Or, if the remote port IP address is
the only parameter that you changed, you can enter the reload policies
command, as described on page 80.
1. Log on as Network Manager.
2. Enter configuration mode; enter this command:
configure terminal
3. At the config> prompt, enter this command:
interface remote
4. At the config-ifRemote> prompt, enter this command:
ip address <ipAddress> [<subnet_mask>]
For parameter descriptions, go to “ip address” on page 74.
Example
This example sets the remote port IP address during initial HA4000 configuration:
admin> config terminal
config> interface remote
config-ifRemote> ip address 192.168.144.125 255.255.255.0
Set the Remote Port Auto-Negotiation and Flow Control
Auto-negotiation and flow control is configured on a per port basis. If the device
that the HA4000 is connected to on the remote, untrusted network side does not
support auto-negotiation or flow control, disable one or both of these functions on
the HA4000 gateway’s remote port.
This command requires a reboot to take effect. Reboot the HA4000 after you
complete configuring the device; for instructions, go to “Reboot the HA4000” on
page 38.
• At the config-ifRemote> prompt, enter this command:
    autoNegotiateFlowControl enable | {disable {enable | disable}}
  The first parameter specifies whether the HA4000 negotiates flow control
  settings. To have the HA4000 negotiate flow control settings, specify enable.
  When auto-negotiation is enabled, the second parameter is unnecessary. If you
  disable auto-negotiation, however, specify whether to enable flow control. To
  have the HA4000 use flow control, specify enable; otherwise, specify disable.
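The two remote-interface settings above carry different activation rules: a changed remote port IP address is not seen by existing policies until reload policies (when it is the only change) or a reboot, while autoNegotiateFlowControl always needs a reboot and takes its second argument only after disable. The helper below is an added example, not code from the SafeNet manual; it assembles the remote-interface commands and the follow-up step, and its function and parameter names are this example's own.

```python
"""Build the HA4000 remote-interface commands and decide what must follow them.

Added example (not from the SafeNet manual). It applies the rules from
"Assign the Remote Port IP Address" and "Set the Remote Port
Auto-Negotiation and Flow Control"; names are this example's own.
"""
import ipaddress
from typing import List, Optional, Tuple


def remote_interface_commands(new_ip: str, mask: str, current_ip: str,
                              auto_negotiate: Optional[bool] = None,
                              flow_control: Optional[bool] = None
                              ) -> Tuple[List[str], str]:
    """Return (CLI lines, follow-up action).

    follow-up is 'none', 'reload policies' or 'reboot'.
    auto_negotiate=None leaves the auto-negotiation setting untouched.
    """
    # Validates the address/mask pair; raises on malformed input.
    ipaddress.IPv4Network(f"{new_ip}/{mask}", strict=False)

    body: List[str] = []
    follow_up = "none"

    if new_ip != current_ip:
        body.append(f"ip address {new_ip} {mask}")
        # Existing policies keep the old remote address until reloaded.
        follow_up = "reload policies"

    if auto_negotiate is not None:
        if auto_negotiate:
            # Grammar: 'enable' takes no second parameter.
            if flow_control is not None:
                raise ValueError(
                    "flow_control is ignored when auto-negotiation is enabled")
            body.append("autoNegotiateFlowControl enable")
        else:
            # Grammar: 'disable' must be followed by the flow-control choice.
            if flow_control is None:
                raise ValueError(
                    "flow_control must be given when auto-negotiation is disabled")
            fc = "enable" if flow_control else "disable"
            body.append(f"autoNegotiateFlowControl disable {fc}")
        # This command only takes effect after a reboot, which also
        # covers the policy reload for a changed remote IP address.
        follow_up = "reboot"

    if not body:
        return [], follow_up

    commands = ["configure terminal", "interface remote", *body,
                "exit", "exit", "copy system:running nvram:config"]
    if follow_up != "none":
        commands.append(follow_up)  # run only after the configuration is saved
    return commands, follow_up


if __name__ == "__main__":
    # Constructed sample: initial configuration with the address from the
    # manual's example and auto-negotiation turned off with flow control on.
    cmds, action = remote_interface_commands(
        "192.168.144.125", "255.255.255.0", "0.0.0.0",
        auto_negotiate=False, flow_control=True)
    print("\n".join(cmds))
    print("follow-up:", action)
```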