Cisco Systems
Copyright © 2001 Cisco Systems, Inc. All Rights Reserved.
Page 3 of 6
Figure 1 Cisco VPN 3002 Hardware Client Application
Client and Network Extension Modes
For security and easy configuration, the Cisco VPN 3002 includes two modes: Client and Network Extension. In Client mode, the Cisco VPN 3002 emulates the operation of VPN client software. The stations behind the Cisco VPN 3002 are non-routable (invisible to the central site) and acquire their IP addresses from a built-in DHCP server. The VPN 3002 public port can acquire its IP address from an Internet service provider (ISP) by using its DHCP client capability.
In Network Extension mode the private address must be set manually, but the stations behind the VPN 3002 are routable. This is important in applications where reaching a server, printer, POS terminal or other device is critical to the business. Push policy is still implemented and security is maintained at the central site.
Securing the Network in Client Mode
To secure the network in Client mode, the Cisco VPN 3002 uses Port Address Translation (PAT). The Cisco VPN 3002 can only make outbound connections; therefore, no outside source can connect with the Cisco VPN 3002 or the stations behind it. Split tunneling, which is the ability to have a secure tunnel to the central site and simultaneous cleartext tunnels to the Internet, can also be prohibited by creating a policy that is pushed from the central site. The Cisco VPN 3002 uses PAT to protect the stations it serves during split tunneling operations to the Internet.
Securing the Network in Network Extension Mode
In Network Extension mode, the stations behind the Cisco VPN 3002 are fully routable because the Cisco VPN 3002 now uses a secure site-to-site connection with the central site. However, when split tunneling is used to the Internet, the stations behind the Cisco VPN 3002 are still PAT protected. Outbound PAT on the Cisco VPN 3002 provides centralized security control because there are no configuration parameters for local users to adjust which might otherwise cause the central site to be compromised. All policies are pushed from a concentrator at the central site, eliminating the need or ability of local users to affect company security policies.
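To make the forwarding behaviour of the two modes concrete, here is an added Python model that is not Cisco code: the `HardwareClient` class, its methods and all addresses (documentation ranges) are constructed for illustration. It shows why stations are reachable over the tunnel only in Network Extension mode, why Internet-bound split-tunnel traffic is always PAT-translated, and why an unsolicited inbound packet has no mapping and is dropped.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed sample addresses (documentation ranges, not a real deployment).
PRIVATE_LAN = ip_network("192.168.10.0/24")   # stations behind the 3002
CENTRAL_SITE = ip_network("10.0.0.0/8")       # networks reached through the tunnel
PUBLIC_ADDR = "203.0.113.7"                   # public port address learned from the ISP
TUNNEL_ADDR = "10.200.0.5"                    # concentrator-assigned address (Client mode)


@dataclass
class HardwareClient:
    """Hypothetical model of the 3002 forwarding path; not Cisco code."""
    mode: str                           # "client" or "network_extension"
    split_tunneling_allowed: bool       # pushed from the concentrator, never set locally
    next_port: int = 40000
    pat: dict = field(default_factory=dict)   # (outer_ip, outer_port) -> (inner_ip, inner_port)

    def _translate(self, outer_ip, src_ip, src_port):
        """Allocate an outer port and record the mapping. Only outbound traffic
        creates entries, which is why unsolicited inbound packets have nowhere to go."""
        key = (outer_ip, self.next_port)
        self.next_port += 1
        self.pat[key] = (src_ip, src_port)
        return key

    def outbound(self, src_ip, src_port, dst_ip):
        """Return (path, source as seen by the destination) for a station's packet."""
        if ip_address(src_ip) not in PRIVATE_LAN:
            return ("drop", None)
        if ip_address(dst_ip) in CENTRAL_SITE or not self.split_tunneling_allowed:
            # Tunnel path: Network Extension keeps the station's own (routable) address,
            # Client mode hides it behind the concentrator-assigned address.
            if self.mode == "network_extension":
                return ("tunnel", (src_ip, src_port))
            return ("tunnel", self._translate(TUNNEL_ADDR, src_ip, src_port))
        # Split-tunnel path to the Internet: always PAT behind the public address.
        return ("internet", self._translate(PUBLIC_ADDR, src_ip, src_port))

    def inbound(self, path, dst_ip, dst_port):
        """Deliver a packet arriving over the tunnel or from the Internet, or drop it."""
        if path == "tunnel" and self.mode == "network_extension" \
                and ip_address(dst_ip) in PRIVATE_LAN:
            return ("deliver", (dst_ip, dst_port))   # routable station
        # Everything else must match a mapping created by earlier outbound traffic.
        inner = self.pat.get((dst_ip, dst_port))
        return ("deliver", inner) if inner else ("drop", None)
```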
[Figure 1 diagram callouts: a Cisco VPN 3030 Concentrator at the central site; a remote office/branch with a Cisco VPN 3002 Hardware Client connected through an ISP (cable modem, router, etc.); a Yahoo site reached over the Internet; a mobile user dialing in with Cisco VPN Client Rel. 3.0 software (the 3002 can co-exist with networks also using the software client). As a DHCP client, the 3002 acquires its address from the ISP. The 3002 supports split tunneling as a push policy. The 3002 receives push policy, a concentrator-assigned IP address and an SA from the VPN 3030. As a DHCP server, the VPN 3002 maintains a pool of up to 253 addresses to assign to stations on the private network. In Network Extension mode, an IP phone can be plugged directly into one of the 3002 switch ports. NAPT: one address for the entire network behind the 3002 in Client mode.]