CSPFA Remote Lab
Instructor Guide 2.0
Table of Contents
NETWORK TOPOLOGY 2
Remote Lab Description 2
Local Classroom Description 2
CLASSROOM SETUP 4
Equipment List 4
Physical Connections 5
Initial student PC Configuration 5
Classroom Router Configuration 6
REMOTE LAB SETUP 8
Establishing and Testing Connectivity to the Remote Lab 8
Telnetting to the Remote Terminal Server 9
PIX Initial Configurations 10
Router Initial Configurations 10
Turning Secondary PIXen On and Off 12
CSPFA LAB SETTINGS AND CHANGES 17
Peer Pods 17
Chapter 5—Configure the PIX Firewall and Execute General Maintenance Commands 17
Chapter 6—Configuring Access Through the PIX Firewall 18
Chapter 7—Configure Inside Multiple Interfaces 18
Chapter 8—Configure the PIX Firewall’s DHCP Server and Client Features 19
Chapter 9—Configuring Syslog 20
Chapter 10—Configure ACLs in the PIX Firewall 20
Chapter 11—Configure and Test Advanced Protocol Handling on the Cisco PIX Firewall 21
Chapter 12—Configure the PIX Firewall to Use IDS Signatures 21
Chapter 13—Configure AAA on the PIX Firewall Using CSACS for Windows NT 22
Network Topology
The following is the network topology diagram for the CSPFA remote lab.
© 2001, Cisco Systems, Inc www.cisco.com
[Figure: CSPFA remote lab topology. Recoverable from the diagram: RL-PIX-CSPFA and RL-RTS-CSPFA on the lab side, the RL-LCL classroom, a WEB/FTP server (.50) on 172.26.26.0, CSACS and DHCP servers, the per-pod networks 172.17.P.0 and 172.16.P.0, and the 10.93.93.0 terminal-server network. Remaining addresses and link labels did not survive extraction.]
Remote Lab Description
The remote lab is accessed from the Internet through a PIX firewall, RL-PIX-CSPFA. The trainer initiates an IPsec VPN tunnel that terminates on RL-PIX-CSPFA. RL-PIX-CSPFA forwards all traffic to a router, RL-RMT-CSPFA, which routes traffic based on its source IP address to one of three routers: RL-RMT1-CSPFA, RL-RMT2-CSPFA, or RL-RTS-CSPFA. These routers perform NAT on the IP addresses and route the traffic to the appropriate student pod.
Local Classroom Description
The classroom topology consists of ten (10) student PCs running Windows 2000 Server and all the applications required by the labs. Another PC running Windows 2000 Server is the CA server. All PCs are either connected directly to a Cisco FastHub 400 or fitted with Cisco Aironet wireless cards. If a Cisco FastHub 400 is used, a Cisco 2611 router is connected to the hub; if Aironet is used, the Aironet access point is connected to the Cisco 2611 router. In either case, the other interface of the Cisco 2611 router is connected to an Internet-accessible network.
Note The classroom router initiates the IPsec VPN tunnel. UDP port 500 (ISAKMP) and IP protocol 50 (ESP) must be allowed by the firewall at the classroom location. Because the tunnel carries native ESP and the router configuration shown below has no NAT traversal, the classroom router's outside interface must hold a public, non-NATed address; a classroom firewall that translates the router's address will pass ISAKMP but break ESP. See Classroom Router Configuration later in this document.
Classroom Setup
This section lists the equipment and its physical connections, and describes the configuration of the student PCs and the classroom router that the Cisco Learning Partner must perform when teaching this course.
Equipment List

Item                                                  Vendor      Part No.       Qty   List Price/each
Student Laptop/PC and CA Server                       (varies)                   11    (varies)
  - Windows 2000 Server                               Microsoft                  11    (varies)
  - Internet Explorer 5.5                             Microsoft                  11    (varies)
  - Internet Information Services 5.0                 Microsoft                  11    (varies)
  - Pentium III 800 MHz (or better)                   Intel                      11    (varies)
  - 256 MB RAM (or better)                            (varies)                   11    (varies)
  - 8 GB Hard Drive (or better), NTFS partitioned     (varies)                   11    (varies)
  - CD-ROM/Floppy Drive                               (varies)                   11    (varies)
  - Aironet Adapter or 10/100 Ethernet NIC            (varies)                   11    (varies)
350 Series PC Card w/Integrated Diversity Antenna,    Cisco       AIR-PCM352     11    199
  128-bit WEP
340 Series 11 Mbps DSSS AP w/128-bit WEP and          Cisco
  2 Int Ant
Cisco 2600 Series IOS IP*                             Cisco       S26C-12205T    1     0
32- to 48-MB DRAM Factory Upgrade for the
  Cisco 2600 Series
Physical Connections

[Figure: Connections with Aironet. The Cisco 2611's Ethernet 0/0 (inside) connects to the Aironet access point, its Ethernet 0/1 (outside) connects to the Internet, and the console port is used for configuration.]

[Figure: Connections with Hub. Student PCs 1 through 10 plug into the FastHub 400 ports (1X through 12X); the Cisco 2611's Ethernet 0/0 (inside) connects to the hub and its Ethernet 0/1 (outside) connects to the Internet.]
Classroom Router Configuration
You will need the following parameters from Cisco's ILSG lab administrator before configuring the classroom router: the ISAKMP pre-shared key (<AUTHENTICATION KEY>) and the public IP address of RL-PIX-CSPFA (<RL-PIX-CSPFA IP ADDRESS>). They replace the placeholders in the configuration below.

Note The classroom router is configured to obtain a DHCP address, including a default route, on the outside interface (Ethernet 0/1). If DHCP is not supported at your location, a static IP address and default route must be configured manually.

RL-LCL-2611 Configuration

!
version 12.1
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname RL-LCL-2611
!
! (crypto isakmp policy header not reproduced on this page)
 authentication pre-share
 group 2
crypto isakmp key <AUTHENTICATION KEY> address <RL-PIX-CSPFA IP ADDRESS>
!
crypto ipsec transform-set RL-TRANS esp-3des esp-md5-hmac
!
crypto map RL-MAP 22 ipsec-isakmp
 set peer <RL-PIX-CSPFA IP ADDRESS>
 set security-association lifetime seconds 86400
 set transform-set RL-TRANS
 set pfs group2
 match address TO-RMT
!
interface Ethernet0/0
 ip address dhcp
 no cdp enable
 crypto map RL-MAP
!
no cdp run
!
line con 0
 transport input none
line aux 0
line vty 0 4
 login
!
no scheduler allocate
end

Note The note above and the troubleshooting step later in this document (show ip interface brief ethernet0/1) both treat Ethernet 0/1 as the outside, DHCP-addressed interface, and the crypto map must be applied to the interface that faces RL-PIX-CSPFA. As extracted, the configuration shows those commands under Ethernet0/0, and neither the inside-interface addressing nor the TO-RMT access list used by match address is reproduced on this page; verify the interface assignment and the crypto access list on the actual router before use.

Note Two properties of this configuration worth knowing: line vty 0 4 has login enabled but no password, so IOS refuses remote Telnet logins (it reports that a password is required but none is set) and the router is managed from the console only; and service password-encryption does not cover the ISAKMP pre-shared key in this IOS release, so the key appears in clear text in the running configuration and the configuration should be handled as sensitive.
Remote Lab Setup
This section covers the procedures required to connect to the remote lab and to set up and test the lab devices before the beginning of class.
Establishing and Testing Connectivity to the Remote Lab
Perform the following procedures to establish and test connectivity to the remote lab
From the console of your RL-LCL-2611 router:
If unsuccessful
• check physical Internet connectivity
• check ethernet link from RL-LCL-2611 to your Internet connection
• check IP address received from DHCP:
RL-LCL-2611# show ip interface brief ethernet0/1
• check Aironet link or ethernet link from the PC to Aironet access point or hub
• check ethernet link from RL-LCL-2611 to Aironet access point or hub
• check IP address/netmask settings on the student PC
• check Aironet configuration and range
• check RL-LCL-2611 configuration
Step 4 From a student PC:
C:\> ping 10.90.90.1
This initiates the VPN tunnel to the remote PIX. It may take several ping attempts before the VPN tunnel is established and the ping succeeds.
If unsuccessful
• ensure that you’ve given the router/PIX enough time to setup the VPN tunnel
• check default gateway setting on the student PC
• check the ISAKMP settings on RL-LCL-2611:
crypto isakmp key <AUTHENTICATION KEY> address <RL-PIX-CSPFA IP ADDRESS>
• check the IPSEC settings on RL-LCL-2611:
crypto map RL-MAP 22 ipsec-isakmp
set peer <RL-PIX-CSPFA IP ADDRESS>
• clear all security associations (SAs) on the RL-LCL-2611:
RL-LCL-2611# clear crypto sa
From each student PC (1 through 10)
If unsuccessful
• check Aironet link or ethernet link from the PC to Aironet access point or hub
• check IP address/netmask/default gateway settings on the student PC
• check Aironet configuration and range
• check RL-LCL-2611 configuration
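The two things the lists above ask you to verify on RL-LCL-2611 are that Ethernet 0/1 received a DHCP address and is up, and that the IKE exchange with RL-PIX-CSPFA completed. The following is an added example (not part of the original guide, not Cisco code) that checks both from pasted command output. The sample outputs are constructed in the IOS 12.x format with placeholder addresses; `show crypto isakmp sa` is assumed here as the command to read the IKE state, it is not mentioned on the page.

```python
"""Checks for the RL-LCL-2611 troubleshooting list: outside interface has a
DHCP address and is up/up; the ISAKMP SA with RL-PIX-CSPFA reached QM_IDLE.
Added example, not Cisco's code. Outputs below are constructed samples."""
from typing import Dict, Optional, Tuple

# Constructed 'show ip interface brief' output (addresses are placeholders).
SHOW_IP_INT_BRIEF = """\
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0/0                172.16.1.1      YES manual up                    up
Ethernet0/1                203.0.113.7     YES DHCP   up                    up
Serial0/0                  unassigned      YES unset  administratively down down
"""

# Constructed 'show crypto isakmp sa' output (assumed command, not on the page).
SHOW_CRYPTO_ISAKMP_SA = """\
dst             src             state          conn-id slot
198.51.100.1    203.0.113.7     QM_IDLE              1    0
"""


def parse_ip_int_brief(text: str) -> Dict[str, Tuple[str, str, str, str]]:
    """Map interface name -> (ip, method, status, protocol). Status can be
    two words ('administratively down'), so it is everything between the
    Method column and the final Protocol column."""
    table = {}
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 6:
            continue
        name, ip, _ok, method = fields[:4]
        status, protocol = " ".join(fields[4:-1]), fields[-1]
        table[name.lower()] = (ip, method, status, protocol)
    return table


def outside_ready(text: str, ifname: str = "ethernet0/1") -> Tuple[bool, str]:
    """True when the outside interface has a DHCP-learned address and is up/up."""
    row = parse_ip_int_brief(text).get(ifname.lower())
    if row is None:
        return False, f"{ifname} not found"
    ip, method, status, protocol = row
    if ip == "unassigned" or method != "DHCP":
        return False, f"{ifname} has no DHCP address (ip={ip}, method={method})"
    if status != "up" or protocol != "up":
        return False, f"{ifname} is {status}/{protocol}"
    return True, f"{ifname} {ip} via DHCP, up/up"


def isakmp_state(text: str, peer: str) -> Optional[str]:
    """IKE SA state for the peer (dst column), or None when no SA exists.
    QM_IDLE is an established phase 1. MM_NO_STATE means the exchange started
    but never completed, typically a pre-shared key or policy mismatch; clear
    it with 'clear crypto isakmp' (the guide's 'clear crypto sa' removes only
    the IPsec SAs) and retry the ping."""
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) >= 3 and fields[0] == peer:
            return fields[2]
    return None


def tunnel_up(text: str, peer: str) -> bool:
    """Phase 1 is complete only when the SA to the peer sits in QM_IDLE."""
    return isakmp_state(text, peer) == "QM_IDLE"
```

Paste the real command output in place of the constructed samples; if `outside_ready` fails, the DHCP and physical checks above apply, and if `tunnel_up` is false after several pings, the ISAKMP key and peer address are the first things to compare against what the lab administrator supplied.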
Telnetting to the Remote Terminal Server
Note Use "Ctrl+Shift+6, then x" to exit a console session. This suspends the reverse-Telnet session on RL-RTS-CSPFA rather than closing it, so the pod's console line stays in use; run show sessions and disconnect on RL-RTS-CSPFA to close sessions you no longer need, otherwise the next connection to that line is refused.
PIX Initial Configurations
The PIX firewalls are reset to their defaults before each class. Check that all pod PIX firewalls have been reset: a reset PIX shows the default hostname (pixfirewall>) and has an empty enable password, while a PIX still showing a pod hostname (pixP>) has not been reset.

Note Pods 1 through 10 access their PIX from RL-RTS-CSPFA as follows:
RL-RTS-CSPFA> pPp (where P = pod number)
Translating "pPp"
Trying pPp (10.93.93.1, 2033) ... Open

pixfirewall> enable
Password: <enter>
pixfirewall#

To reset a PIX firewall:
pixP# write erase
Erase PIX configuration in flash memory? [confirm] <enter>
pixP# reload
Proceed with reload? [confirm] <enter>
Rebooting...
Router Initial Configurations
The student routers should already be configured with the default configuration before each class. Check that all student routers are configured.

Note Pods 1 through 10 access their router console from RL-RTS-CSPFA as follows:
RL-RTS-CSPFA> rP (where P = pod number)
Translating "rP"
Trying rP (10.91.91.1, 2033) ... Open

rP> enable
Password: cisco
rP#

Router Default Configuration
Note Remember to replace the Ps with the actual pod number.

!
version 12.1
service timestamps debug uptime
service timestamps log uptime
!
aaa new-model
aaa authentication login LOCAL line enable
enable password cisco
!
memory-size iomem 15
!
! (interface header not reproduced on this page)
 ip address 10.0.P.2 255.255.255.0
!
interface Serial0/0
 no ip address
 shutdown
 no fair-queue
!
interface Ethernet0/1
 ip address 172.30.P.2 255.255.255.0
!
router eigrp 1
 network 10.0.0.0
 network 172.30.0.0
!
line vty 0 4
 password cisco
!
no scheduler allocate
end

Note This default keeps the enable and VTY passwords in clear text (enable password rather than enable secret, and no service password-encryption). That is acceptable only because the pod routers sit behind the lab's VPN and NAT routers and are restored before each class; it is not a configuration to copy into production.
Turning Secondary PIXen On and Off
Note The secondary PIXen used for Chapter 14's failover lab MUST be OFF at all times, except while that lab is being done. To turn them ON or OFF, connect to the manageable power strips that control power to the secondary PIXen.

Note Access the manageable power strip for Pods 1 through 8 from RL-RTS-CSPFA as follows:
RL-RTS-CSPFA> apc1
Translating "apc1"
Trying apc1 (10.93.93.1, 2063) ... Open

User Name : instructor
Password  : cisco

Access the manageable power strip for Pods 9 and 10 from RL-RTS-CSPFA as follows:
RL-RTS-CSPFA> apc2
Translating "apc2"
Trying apc2 (10.93.93.1, 2064) ... Open

User Name : instructor
Password  : cisco
TO TURN SECONDARY PIXEN OFF:

American Power Conversion               Web/SNMP Management Card AOS v2.5.4
(c) Copyright 2000 All Rights Reserved  MasterSwitch APP v2.1.0
-------------------------------------------------------------------------
Name         : Unknown                  Date    : 11/28/2001
Contact      : Unknown                  Time    : 10:08:53
Location     : Unknown                  Up Time : 6 Days 22 Hours 38 Minutes
Status       : P+ N+ A+                 User    : Outlet User
MasterSwitch : Serial Communication Established

- Control Console -
1- Device Manager
2- Network
3- System
4- Logout
?- Help, <ESC>- Main Menu, <ENTER>- Refresh
> 1

- Device Manager -
1- P1S ON
2- P2S ON
3- P3S ON
4- P4S ON
5- P5S ON
6- P6S ON
7- P7S ON
8- P8S ON
9- ALL Accessible Outlets
<ESC>- Back, <ENTER>- Refresh
> 9   (enter 9 for ALL Accessible Outlets, or an outlet number such as 3 to select a specific PIX)

- ALL Accessible Outlets -
Outlet  Name  Pwr On Dly  Pwr Off Dly  Reboot Dur
1: ON   P1S   Immediate   Immediate    05 Seconds
2: ON   P2S   Immediate   Immediate    05 Seconds
3: ON   P3S   Immediate   Immediate    05 Seconds
4: ON   P4S   Immediate   Immediate    05 Seconds
5: ON   P5S   Immediate   Immediate    05 Seconds
6: ON   P6S   Immediate   Immediate    05 Seconds
7: ON   P7S   Immediate   Immediate    05 Seconds
8: ON   P8S   Immediate   Immediate    05 Seconds
1- Immediate On
2- Immediate Off
3- Immediate Reboot
4- Delayed On
5- Delayed Off
6- Sequenced Reboot
7- Delayed Reboot
8- Delayed Sequenced Reboot
9- Cancel Pending Commands
?- Help, <ESC>- Back, <ENTER>- Refresh
> 2

- Immediate Off -
Turn all outlets OFF immediately
Enter 'YES' to continue or <ENTER> to cancel : YES   (enter YES exactly)
Command successfully issued
Press <ENTER> to continue... <ENTER>

- ALL Accessible Outlets -
Outlet  Name  Pwr On Dly  Pwr Off Dly  Reboot Dur
1: OFF  P1S   Immediate   Immediate    05 Seconds
2: OFF  P2S   Immediate   Immediate    05 Seconds
3: OFF  P3S   Immediate   Immediate    05 Seconds
4: OFF  P4S   Immediate   Immediate    05 Seconds
5: OFF  P5S   Immediate   Immediate    05 Seconds
1- Immediate On
2- Immediate Off
3- Immediate Reboot
4- Delayed On
5- Delayed Off
6- Sequenced Reboot
7- Delayed Reboot
8- Delayed Sequenced Reboot
9- Cancel Pending Commands
?- Help, <ESC>- Back, <ENTER>- Refresh
> <ESC>   (keep pressing <ESC> until you are back at the Control Console)

- Control Console -
1- Device Manager
2- Network
3- System
4- Logout
?- Help, <ESC>- Main Menu, <ENTER>- Refresh
> 4

You are now in passthru mode
TO TURN SECONDARY PIXEN ON:

American Power Conversion               Web/SNMP Management Card AOS v2.5.4
(c) Copyright 2000 All Rights Reserved  MasterSwitch APP v2.1.0
-------------------------------------------------------------------------
Name         : Unknown                  Date    : 11/28/2001
Contact      : Unknown                  Time    : 10:03:33
Location     : Unknown                  Up Time : 6 Days 22 Hours 33 Minutes
Status       : P+ N+ A+                 User    : Outlet User
MasterSwitch : Serial Communication Established

- Control Console -
1- Device Manager
2- Network
3- System
4- Logout
?- Help, <ESC>- Main Menu, <ENTER>- Refresh
> 1

- Device Manager -
1- P1S OFF
2- P2S OFF
3- P3S OFF
4- P4S OFF
5- P5S OFF
6- P6S OFF
7- P7S OFF
8- P8S OFF
9- ALL Accessible Outlets
<ESC>- Back, <ENTER>- Refresh
> 9   (enter 9 for ALL Accessible Outlets, or an outlet number such as 3 to select a specific PIX)

- ALL Accessible Outlets -
Outlet  Name  Pwr On Dly  Pwr Off Dly  Reboot Dur
1: OFF  P1S   Immediate   Immediate    05 Seconds
2: OFF  P2S   Immediate   Immediate    05 Seconds
3: OFF  P3S   Immediate   Immediate    05 Seconds
4: OFF  P4S   Immediate   Immediate    05 Seconds
5: OFF  P5S   Immediate   Immediate    05 Seconds
6: ON   P6S   Immediate   Immediate    05 Seconds
7: ON   P7S   Immediate   Immediate    05 Seconds
8: ON   P8S   Immediate   Immediate    05 Seconds
1- Immediate On
2- Immediate Off
3- Immediate Reboot
4- Delayed On
5- Delayed Off
6- Sequenced Reboot
7- Delayed Reboot
8- Delayed Sequenced Reboot
9- Cancel Pending Commands
?- Help, <ESC>- Back, <ENTER>- Refresh
> 1

- Immediate On -
Turn all outlets ON immediately
Enter 'YES' to continue or <ENTER> to cancel : YES   (enter YES exactly)
Command successfully issued
Press <ENTER> to continue... <ENTER>

- ALL Accessible Outlets -
Outlet  Name  Pwr On Dly  Pwr Off Dly  Reboot Dur
1: ON   P1S   Immediate   Immediate    05 Seconds
2: ON   P2S   Immediate   Immediate    05 Seconds
3: ON   P3S   Immediate   Immediate    05 Seconds
4: ON   P4S   Immediate   Immediate    05 Seconds
5: ON   P5S   Immediate   Immediate    05 Seconds
6: ON   P6S   Immediate   Immediate    05 Seconds
7: ON   P7S   Immediate   Immediate    05 Seconds
8: ON   P8S   Immediate   Immediate    05 Seconds
1- Immediate On
2- Immediate Off
3- Immediate Reboot
4- Delayed On
5- Delayed Off
6- Sequenced Reboot
7- Delayed Reboot
8- Delayed Sequenced Reboot
9- Cancel Pending Commands
?- Help, <ESC>- Back, <ENTER>- Refresh
> <ESC>   (keep pressing <ESC> until you are back at the Control Console)

- Control Console -
1- Device Manager
2- Network
3- System
4- Logout
?- Help, <ESC>- Main Menu, <ENTER>- Refresh
> 4

You are now in passthru mode
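The PIX reset check (PIX Initial Configurations) and the power-strip procedure just shown are both menu-and-prompt dialogues over reverse-Telnet lines on RL-RTS-CSPFA, and both are easy to get wrong by hand across ten pods before class. The following is an added example, not part of this guide and not Cisco code, of a small expect-style driver that classifies a PIX as reset or not, performs the write erase / reload sequence, and issues the ALL-outlets Immediate On/Off command through the MasterSwitch menus (path 1, 9, 1 or 2, YES exactly as in the transcripts). It assumes the lines are reachable as raw TCP at the host and port shown for pod 1 (10.93.93.1 port 2033) and for apc1/apc2 (ports 2063/2064); ports for the other pods are not on the page and are left to the caller. Telnet option negotiation is ignored, which the lab's console lines tolerate. The `__main__` block is a usage sketch against constructed values.

```python
"""Pre-class checks for the CSPFA remote lab over RL-RTS-CSPFA reverse-telnet
lines. Added example, not Cisco's code. Assumes raw TCP to the terminal
server ports shown on the page (pod 1 PIX 2033, apc1 2063, apc2 2064);
other pods' ports are not guessed here."""
import re
import socket

# Prompts exactly as the page's transcripts show them.
PIX_DEFAULT = re.compile(rb"pixfirewall[>#]")   # factory-default hostname
PIX_POD = re.compile(rb"pix(\d+)[>#]")          # hostname left behind by a pod lab
APC_MENU = re.compile(rb"> ")                   # MasterSwitch menu prompt


class TcpTransport:
    """Raw TCP to a terminal-server line (reverse telnet); no option negotiation."""
    def __init__(self, host, port, timeout=5.0):
        self.sock = socket.create_connection((host, port), timeout)
    def send(self, data: bytes) -> None:
        self.sock.sendall(data)
    def recv(self, n: int = 4096) -> bytes:
        return self.sock.recv(n)


class Session:
    """Minimal expect-style driver over anything with send()/recv()."""
    def __init__(self, transport):
        self.t, self.buf = transport, b""

    def expect(self, *patterns, max_reads=50):
        """Read until one compiled pattern matches; consume through the match."""
        for _ in range(max_reads):
            for pat in patterns:
                m = pat.search(self.buf)
                if m:
                    self.buf = self.buf[m.end():]
                    return m
            chunk = self.t.recv()
            if not chunk:                        # line closed by the far end
                break
            self.buf += chunk
        raise TimeoutError(f"no match for {[p.pattern for p in patterns]}; "
                           f"buffer={self.buf!r}")

    def sendline(self, text: str = "") -> None:
        self.t.send(text.encode() + b"\r")


def pix_state(session: Session) -> str:
    """Press Enter and classify the prompt: 'default' (already reset) or
    'podN' (previous class's hostname still present, reset needed)."""
    session.sendline()
    m = session.expect(PIX_DEFAULT, PIX_POD)
    return "default" if m.re is PIX_DEFAULT else f"pod{m.group(1).decode()}"


def pix_reset(session: Session) -> None:
    """write erase + reload as in the guide; the enable password is empty on a
    default PIX and both confirmations are a bare <Enter>."""
    session.sendline("enable")
    session.expect(re.compile(rb"Password:"))
    session.sendline()
    session.expect(re.compile(rb"#"))
    session.sendline("write erase")
    session.expect(re.compile(rb"\[confirm\]"))
    session.sendline()
    session.expect(re.compile(rb"#"))
    session.sendline("reload")
    session.expect(re.compile(rb"\[confirm\]"))
    session.sendline()


def apc_all_outlets(session: Session, on: bool,
                    user: str = "instructor", password: str = "cisco") -> bool:
    """Log in to the MasterSwitch console and switch ALL accessible outlets
    immediately on or off. Returns True when the card acknowledges it."""
    session.expect(re.compile(rb"User Name :"))
    session.sendline(user)
    session.expect(re.compile(rb"Password\s*:"))
    session.sendline(password)
    session.expect(APC_MENU); session.sendline("1")                  # Device Manager
    session.expect(APC_MENU); session.sendline("9")                  # ALL Accessible Outlets
    session.expect(APC_MENU); session.sendline("1" if on else "2")   # Immediate On / Off
    session.expect(re.compile(rb"Enter 'YES' to continue"))
    session.sendline("YES")
    m = session.expect(re.compile(rb"Command successfully issued"),
                       re.compile(rb"Error|Invalid"))
    return m.group(0) == b"Command successfully issued"


if __name__ == "__main__":
    # Usage sketch: pod 1's PIX line as shown on the page.
    s = Session(TcpTransport("10.93.93.1", 2033))
    print("pod 1 PIX:", pix_state(s))
```

Run `pix_state` on each pod's line before class and call `pix_reset` only where it reports a pod hostname; for the failover strips, `apc_all_outlets(..., on=False)` is the state to leave them in, and the return value should be checked rather than assumed, since the card answers "Command successfully issued" only after the YES confirmation is accepted.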